- Email: [email protected]
Fault Detection and Isolation Sytem Design for a Refinery Unit
Copyright @ IF AC Fault Detection, Supervision and Safety for Technical Processes, Espoo, Finland, 1994
FAULT DETECTION AND ISOLATION SYTEM DESIGN UNIT
FOR A REFINERY
J. PH. CASSAR*, R. FERHATI** AND R. WOINET***
* LAIL (CRNS 1440), Universitc des Sciences et Technologie de Lille, Batiment P2, 59655 Villeneuve d'Ascq Cedex, France. ** AREMI, Universitc des Sciences et Technologie de Lille, Batiment EUDIL, 59655 Villeneuve d'Ascq Cedex, France. *** ELF France, Centre de recherche de Solaize, BP 22 69320 Saint Shimphorien d'Ozon, France. Abstract. This paper presents a Fault Detection and Isolation system developped for ELF France. ELF France has been using data reconciliation to sellle the global performances of a refinery unit. It was interested by using a supervision system in order to validate the data provided by sensors before using them . The application and its interest are first presented. Then the design of the FDI system is described and illustrated by an example. We focuse on the detection and isolation stages which are rarely treated in the classical approaches. The results are presented in the last part, by giving the global performances obtained with actual plant data. keywords. System failure and recovery, Petroleum industry, Structural analysis.
1. INTRODUCTION
redundancy relations to be implemented but didn't study thoroughly the decision stage (detection and isolation). The same structural approach is here used for the design of the FDI procedures in this application. It will be shown how this approach copes with the design of the three steps of such procedures, namely the residuals generation, the test of their coherence and finally the detection and isolation of faults and failures. The data processing which allows isolation of failures in the single failures cases is first described. It is a structured residuals based procedure.
Modern industrial systems become more and more complex and require more and more security and performances. Performances are obtained and checked from the information provided by the sensors . Checking their actual behaviour becomes of an increasing interest for the efficency and the security of such plants. The Fault Detection and Isolation systems aim at the validation of the data available from the data acquisition units. They use a reference model in order to characterize the state of the system (normal or failing) and, in the case of a failure occurence, use specific isolation procedure to isolate the cause of the failure.
This paper focuses on the detection and isolation steps because they are rarely treated in the classical approaches. These ones often focuse on the characterization stage (the generation of residuals) and related studies are the adaptative treshold (Clark,89, threshold selector (Ding,91; Seliger,93) and the analysis of the firing sequences (Gertler,92). A mullivalued thresholds based detection procedure is proposed which allows a finer isolation of the elements which are out of order (Cassar,92). The isolation procedure processes the result of the detection step to establish a list of elements whose failure can explain the fired thresholds. A classical procedure in diagnotic methods, the test of hypothesis, is applied in order to obtain the final isolation result.
ELF France has been using data reconciliation to settle the global performances of a refinery plant. The application constitutes a part of a refinery plant located at Grandpuits France. The battery of input heat exchangers (see the scheme at the end of the paper) in which the crude oil is warmed up by the hot refined products involves all the flows of products. So a data reconciliation carried out on it provides usef ull information to determine performances of the lotal refinery unit. ELF was interested by using a FDI system in order to validate the data provided by sensors before using them for data reconciliation.
The results obained from the heat exchangers unit are presented in the last part, by giving the global performances. A finer analysis shows the influence of the system topology on the capabilty of the isolation of a given element. The behaviour of the detection
The LAIL laboratory previously studied the possibility of implementing a FDI system on a gas dehydration unit (Cassar,91). The structural analysis approach (Staroswiecki,89; Declcrck,91) gave the 177
The measurement noises must also be estimated. In normal condition, they lead to false alarms whose probability is fixed to 0.001. Given the magnitude of the expected failure, the detection conditions specify the probability of misses to be lower than 0 .03. These two probabilities will be usefull to the design of the decision procedure.
and the isolation procedures is given on an actual case of failure (derived from plant data) .
2. THE APPLICATION The application constitutes a pan of a refinery plant situated at Grandpuits France. In this bauery of input heat exchangers the crude oil is warmed up by the hot refinered products. As this unit involves all the flows of products, a data reconciliation carried out on it provides uscfull information to determine performances of the total refinery unit. Indeed having more reliable data about the flows allows to calculate the efficency of the global process, as well as for each product. The leakages can also be evaluated. These information is used to act on the plant in order to improve its results.
4. SYSTEM CHARACTERIZATION Most approaches in fault detection are based on the comparison between the actual behaviour of the system and a reference behaviour describing its normal operation. The reference behaviour is derived from a model of the system. So, an operating model is used which describes the constraints between the evolutions of the variables the plant involves. This analytical model is consituted of two pans: - the first one expresses how the inputs of the system are transformed into the internal state which is associated to the process variables. - the second one describes the measurements which are available. It expresses the way by which the sensors transform the states into output signals.
The data reconciliation is performed using the DA TREC software. Its results are reliable when the sensors provide accurate enough information. When several important deviations arise, i.e. when several sensors are failing, the data reconciliation shares the discripancies between all the sensors values and thus provides wrong results. So, a fault detection and identification system must process the sensors data to detect and isolate single or multiple failures. It provides estimated values to replace the bad ones and then recovers a more realistic view of the system. The FDI system works, in fact, as a filter thanks to which DA TREC can work in better condition.
Input output models are a rewriting of the plant and measurement models in which only known variables (controls u and measurements y) intervene. In the linear case, they are named Parity equations, or Analytical Redundancy Relations (A.R.R.) in a more general case.
The system is entirely a passive one and doesn't involve any actuator.
Let z(t,t-p) be the values of z on a temporal window of size p : z(t,t-p)T =[z(t)T, z(t-1)T •... z(t-p)T] where T means transposition. An input output model expresses some invariance property of the system under the form : Cl>[u(t.t-p). y(t.t-p)] = 0 The equality to zero will in fact never hold since the system is never under ideal circumstances ; in that sense. the Analytical Redundancy based residual vector will take the form : r(t) = Cl>[u(t.t-p), y(t,t-p)]
3. SUPERVISION SPECIFICATION The design of the supervision system begins by listing the elemenL~ to be checked and by defining for each of them its failure conditions. In the presented application, all the sensors directly implemented on the exchangers have to be checked . Some physical parameters as the repartition of the flows into the couples of parallel exchangers are supposed to be known and have to be supervised if possible. Their change would indicate a clogging of one of the two exchangers.
Many specific schemes have been developped for residual generation (identification of continous time model parameters, Kalman filters. observers, structured residuals). Some equivalence properties have been proved (Patton, 93), and a great number of applications have been made for technological processes. However, the application of these methods to large scale non linear industrial processes is not straightforward.
An element is considered to be failing when the deviation between the actual and the available values of the variable associated with it is over a limit. This definition doesn't impose a type of failure. It can be a bias, a drift or a freeze of the sensor. In this last case, the process variable must vary to insure the discrepancy between the available and the actual value of the variable.
The battery of heat exchangers leads to a static bilinear model which is derived from the mass and thermal balances around each exchanger and from the description of the connections between them.
In the presented application, two classes of sensors are supervised : temperature and flow transmitters. The limit deviation was fixed to 9°C for the first and to about 8% of the operating range for the second ones, depending on the operating conditions.
Structural methods will use only a very poor model of the system, and are, in that sense, very usefull 178
when starting the design of the FDI system and coping with non linear systems. In order to illustrate this method. a little example will be introduced. This sub-system is composed by a pair of twinned exchangers as prescnted figure 1.
shown by the complete matching on the unknown variables expressed by the bold terms of the structure. According to this choice. the values of F3. F4 (respectively FS. F6) are estimated from the relations f3. fS (respectively f4. f6). The constraint relations fl and f2 have not been used for the determination of the values of the unknown variables but must be verified by these values. The considered system is overdetermined. Reponing the estimated or measured values into the relations fl and f2 leads to two analytical redundancy relations which express the enthalpic balances around the exchangers Eland E2 and only involve available informations (here the measurements). These relations are verified when the known variables values are consistent with the model. The values of the residuals. which are calculated by reponing the known variables values into the analytical redundancy relations. reflect the discrepancy between the model and the actual plant.
Figure 1 : Exchangers E I and E2
!
V
f2
From the very general point of view which is that of structural analysis. the model of the system is only considered as a set of constraints which apply to a set of variables.
lf3
rrl rr2 IT3 tr4 trs rr6 1"7 ITS FI ""2 iF3 F4lFS F6l 11
I !1 D 1 i
1
i
I
-11
lf4 !1 ~.? : f" ......~~ ;[6 l
tIT!
a
t!J1!
Z contains three subsets: U. y. X. U is the subset of the control variables. Y is the subset of the measured variables. U and Y constitute the set of the known variables while X is the subset of the unknown variables.
1
I
!
I
n
tIT4 !
:
tITs !
! !
iTTI! tIT8
1 11
T
11
!
1 !I
,
1 1
!
I
!
1 1
'11
1-+ 1 1 1 1 1 11 1
~,
:
i
!
I
ITn ! nT6 t
1
,
I 1
!I
1 1 1 l
i I
lFJ2 !
!
,1
l
fl!
Let F == { fl ,f2.f3 •... ,fm} be the set of the constraints which represent the system model and Z == {zl.z2.z3 .... zn} be the set of the variables.
1
,
,
1 1
! 11 !
1
,
; 1 FIgure 2 : The model structure.
The structure of the model is a digraph whose incidence matrix represents the links between the variables ( known and unknown) and the constrainl~. It is described by the following binary relation: S: F x Z ~ {O.l} (fi.zj) ~ S(fi.zj) == 1 iff the constraint fi applies to the va-riable zj . S(fi.zj) == 0 otherwise.
Each sensor failure influences one or both residuals values . The larger the value of the residual. the more it will be said to be sensitive to the failure. Remark: The structural analysis copes whith the residuals generation by supposing that all the subsystems have a full rank. This hypothesis implies that an analytical redundancy relation can only be deri ved from a structuraly over-determ inated subsystem. When this hypothesis does not hold some analytical redundancy relations can be found from a just- or under-determinated subsystem. Indeed. in this case. a combination of the primary relations leads to zero and constitutes thus a analytical redundancy relation. In our example. suppressing the measurements IT3. IT4. ITS and IT6 leads to a structurally under-determinated subsystem whose generic rank is not full. That leads to an analytical redundancy relation which expresses the global enthalpic balance around the both exchangers. Adding some assumption about the repartition of the flows F3.F4 (coefficient al) and FS.F6 (coefficient a2) allows to obtain two additional redundancy relations (R4.RS). the structure of which is given below. The knowledge on a I and a2 may come from their estimation under the assumption they are slowly varying .
The figure 2 presents the structure of the model of the example. The relations FTi and ITi express the flow and temperature measurement functions. fl and f2 express respectively the enthalpic balances araound respectively the exchangers E2 and El. f3 and f4 are thermal balances. while fS. f6 are mass balances which express the mixing of the flows at the outputs of the exchangers. A structural analysis isolates in the process model the parts which can be supervised. The generation of residuals uses the over-determination of some subsystems obtained using the canonical decomposition of the digraph which represents the structural incidence matrix of the system model. In our example. all the values of the process variables can be either measured or estimated. This point is
179
:
columns of which define the signatures of the causes of failure. A signature can also be seen as the value of the coherence vector when the fault occures and thp test of coherence procedure works correctly.
The figure s 3 and 4 present the residual values calculated from the actual measurements around the exchangers E2SA and E2SB . The last two points exhibit a failure occuring on the measurement FTI and TT4 which represents respectively 20% and 2% of the nominal value of the variable.
...
2
:I.."
..
Five residuals are obtained from the structural analysi s which make appear all the measurements implemented on the process. Their structure is given below . RI and R2 express the coherence of the information (measurement and model) around respectively the exchangers Eland E2. R3 is the additional residual derived from the global enthalpic balance. R4 ,RS are defined above.
-
:I.
0 . 5
o
la -0.5
t;:
r _ _ 1.dua1
1
r . . . .:LcSua1
2 3
r __ .1.d1..1 • .l..
11
! RI ! 0
Figure 3 Residuals evolution 1
0
-1
~
.. .. ..
.....
t
R2 ! 0 f_R3 i 0 , R4 ! 1 ! R5 i.....0 ......,..,_.4 I
..
...
.. .. .. +
:
--
+
OJ 1 ! O! 1 I 0 1 1 i 0 i Oj 1 10 1
T 1
1 1
1
1
1
0 0
0 0
1
T T
T T
4
5
6
1
1 j 1
T 'T 'T T !I T I T 2 l 3 1 ! 1 1 1 1 l 0 oJ 0 o! 1
.........
1
0 0 1
T T
T T
7 1 1 1 ! 1 0 0 1 1 I 1 0 i 0 1
8 1 1
o
1
1 0
The failing residuals of the figure 3 and 4 leads to coherence vectors [I 1 1 0 O)T and [I 1 0 0 l)T whose values correspond with the signatures of the associated failures.
+ r __ ..1..clua..l.. r __ .1..cSua.l..
F !F T T !T 1 i 2
FIgure 5, Structure of the ARR
-
a 2
4 5
Isolation . The aim of the isolation step is to provide the list of elements which are failing from the results of the characterization and test of coherence steps. It is composed of two procedures : the recognition procedure provides a list of elements whose deviation may explain the results of the detection procedure, a specialized procedure then filters this list in order to provide the final isolation result.
Figure 4 Residuals evolution It can be noticed that some inaccuracies lead 1O residuals deviation s even when the system is in normal operation. That obliges to increase the decision thresholds in order to avoid false alarms. The sensitivity of temperature sensors is much greater than the onc of the now sensors in the residuals rI , r2, r3 .
The recognition procedure compares the coherence vector with all the signatures and determines which of the signatures are the closest. In the single failure hypothesis case, which is the most frequent, all the information contained in the signature and in the coherence vector can be exploited : a distance between the coherence vector and the signatures can be calculated. The Hamming distance can be chosen in this case. The same distance is used to calculate the isolation ability of a set of ARR. Each pair of sensors are tested : the larger the distance between their signature, the better their isolation index .
5. DECISION PROCEDURES
5.1. Binary logic based procedures Coherence vector. The coherence of each residual is tested using a direct comparison between its value and a threshold . The value of the reference threshold is defined so as to cope with the false alarm probability constraint. It depends on the expected standard deviation of the residual whic h is a function of the sensitivities of the components involved by the analytical redundancy relation and of their statistical distribution. This test applied on the set of residuals leads to a binary coherence vector~ . Each component £i of £ is obtained using the following rule : if Ri> Ti £i = I el se £i = 0
The figure 6 gives the table of the distances between the signatures of each couple of causes of failure. The elements of three groups of sensors can't be isolated because the distance between their signature equals zero : (FTI, Ff2, TTl , TT2),(TT3, TT4) (TTS, TT6) From an initial set of analytical redundancy relations, many other relations can be obtained by combining the initial ones . Adding these new relations will improve the isolation ability . However , a compromi ze must be realized between the isolation ability and the number of redundancy relations to be processed by the fault detection and isolation system.
Struc ture of a residuals set. The structure of a residual expresses which of the measurements influence the residual value. The sel of the structures of individual residuals constitutes the structure of the residual s set. A binary matrix is associated with this structure 180
of view . That decreases the isolation ability and then the recognition procedure provides a set of elements which are potentialy failing . This list of elements focuses on the part of the system whose behaviour doesn't remain consistant with the model.
Processing the whole installation in our case allows to better isolate the measurements which are located at a connection between several equipements. The measurements FT1, TT1, FT2 , TT7 are here concerned.
iFT2 , 4 : 4 0 : 0 ! 010 [0 0: 0 10 0 lTf3 i 3 i 41 ! 1 ! l t _1lO ; ~_'-+--:'_;-"""""""" ....~._.r _..;.-...._ 1IT4 : 3 ! 4 I ! I : I I: () O ! I IT5 i 4 i 3 i I I ! I I ..L1.J1._.2.J !IT6 : 4 ! 3 I I ! 1 I 1 I : 2 l 2 10 ; 0
A filtering process uses a classical procedure in diagnotic methods, the test of hypothesis, in order to isolate the failing elements. The value of each potentially failing sensor is estimated from one subsystem . The measured value is substituted into the ARR which express the other subsystems. The evolution of the coherence vector allow to conclude wether the estimation is better than the sensor value. IN the case of an affirmative answer, the element is said to be out of order. This procedure must be carried out carefully in order to avoid error compensation in this test of hypothesis.
WI !4 14 lTf21"4t 4
i
. P.
j TI7 ~ 3 -.L~-t.~-p-u.~ ~L~ !ITS[3!311;1:111:3
.... ..~ ....!}. .~.L 3 i l :l
l
M _ _~
:
! .9~ ~...J
20 j
6. THE RESULTS
Figure 6. Isolauon ability. Discussion. As the sensitivity with respect to a cause of failure is different in each redundancy relation, an intermediate failure amplitude will leads to a coherence vector different from the expected signature. J. J. GERTLER et al (92) introduce the notion of firing sequence to express that an increasing fault leads to a sequence of the coherence vector values which can be associated as intermediate signatures to the considered failure . The binary logic based procedure may provide, in these cases, missed isolation because of the proximity between an intermidiate signature of the failure and the signature of an other cause of failure .
5.2 Multivalued logic isolation When isolation performances are considered, taking into account the different sensitivities of a given residual with respect to different Faults or Failures, imposes a multiple threshold based detection procedure. Each threshold is calculated to ensure that the probabilty of mis detection remains below a specified value when the deviation between the available and the actual values of the variable reaches the value which defines the limit between the failing and non failing case. Each residual is tested against as many thresholds as the number of causes of failure is its structure . The result of this procedure is a multivalued coherence vector which is compared with multivalued signtures and allows a finer isolation of the elements which arc out of order (Cassar, 92).
The FDI system derived from the proposed method has been implemented and is currently tested on the actual process . As the process does not include control loops, faults can be simulated by adding perturbations to the measurement values. 103 ARR amoung the 250 which are possible have been implemented. The tests showed the robustness of the design of the decision thresholds and of the test of hypothesis procedure. No false alarms occured from raw measurement values. The final isolation is obtained when the deviation is significantly larger than the specified limit which define the failure . That comes from the test of hypothesis procedure which filters the result of the isolation stage and needs a more important deviation to ensure that the estimated value is better than the measured one. As an example, for a deviation equal to 1.5 times the specified limit value, only 40 sensors can correctly be isolated. This result becomes 61 sensors isolated amoung 68 when the deviation equals 5 times the specified limit value. When a sensor is isolated, an estimated value of the process variable is provided to replace the faulty measurement. Some sensors can never be isolated because they are structuraly non isolable. They often correspond to measurements located at the external bound of the supervised system. In these cases a low level of redundancy is reached on these vaariables.
7. CONCLUSION. 5.3 Multiple failure s isolation . In the case of multiple failures, only missed detections (elements of the coherence vector lower than the corresponding element of the signature) are significant according to a given signature . So the distance calculation only takes into account this point 181
We have presented a structural analysis based design of a FDI system . This approach allows to quickly obtain fundamental results about the supervision capabilities as residuals generation, detection or isolation abilities . These basic results are used along whith the analytical model of the system in order to
actualy implement the residuals calculation and to design the decision procedures.
Declerck ,Po (1991) . Analyse structurale et fonctionnelle des grands systemes. Application une centrale PWR 900 MW. These de doctorat, Universite des Sciences et Technologies de Lille, Villeneuve d'Ascq, France, 20 decembre 1991. Ding X., P. M. Frank (1991). Frequency Domain Aproach and Threshold Selector for Robust Modelbased Fault Detection and Isolation. SA FE PROCESS'9I IFACIIMACS Symposium, Baden Baden, Germany, September 10-13, 1991, Vol 2, pp. 187-191 Gertler, J . L, D. Singer (1992). An evidential reasoning extension to quantitative model-based failure diagnosis. IEEE transactions on SMC, vol 22, n02, march/april 1992, pp 275-286 Patton, R. J., J. Chen (1991). A Re-examination of the relationship between Parity space and observer based approach in fault diagnosis Revue Europeenne Diagnostic et surete de fonctionnement, vol 1 ,n02, pp. 183-200 Seliger R., P. M. Frank (1993). Robust Residual Evaluation by Threshold Selection and a Performance Index for Non Linear Observer-based Fault Diagnosis. Tooldiag'93,April 5-7, 1993 , Toulouse, France. Staroswiecki, M. ,P. Declerck (1989). Analytical redundancy in non linear interconnected systems by means of structural analysis. AlPAC'89 IFAC Symposium on Advanced Information Processing in Automatic Control, Nancy, France, 3-5 july, 1989,R. Husson (ed.), Centre de recherche en automatique de Nancy, pp II 23-27 ..
a
All the design procedures are gathered into a software called D3. The implemented FDI system is derived from a standard module which is configurated by the results of the design activity. The results presented from actual plant data show that the expected performances are reached for deviations which are quite larger than those specified. However, the obtained results are sufficient for the purpose of filtering the information provided to the data reconciliation process.
8. REFERENCES . Cassar, 1. Ph, M. Staroswiecki, E. Herbault,C .T .Huynh, B . Cordier (1991) . Supervision system Design for a Petroleum Production application SAFE PROCESS'9I IFACIIMACS Symposium, Baden Baden, Germany, September 10-13, 1991, vol2, 289-294 Cassar, J. P., M. Staroswiecki, R. Ferhati, (1992) . Multivalued logic voting scheme for residual evaluation in Failure Detection and Isolation Systems. IFACIIFIPIIMACS Symposium on Artificial Intelligence in Real-Time Control, Delfl, The Netherlands, June 16-18 , 1992. Clark R. N. (1989). State estimation schemes for instrument fault detection, Chapter 2 in: Patton R . J. and aI., Fault diagnosis in dynamic systems, theory and applicalion, Prentice Hall, 1989.
HEAT EXCHANGERS
GRM'DPUlTS
RCI
··i'~"1i '. I.,. ··............''.. "]IOI
.a
•
' r ..
:
".0Cl·
::
•
.
la
•
' .e ·
ta
".,. ,m""
a _________ ...Ja
G BMG GSTAB
182
FAULT DETECTION AND ISOLATION SYTEM DESIGN UNIT
FOR A REFINERY
J. PH. CASSAR*, R. FERHATI** AND R. WOINET***
* LAIL (CRNS 1440), Universitc des Sciences et Technologie de Lille, Batiment P2, 59655 Villeneuve d'Ascq Cedex, France. ** AREMI, Universitc des Sciences et Technologie de Lille, Batiment EUDIL, 59655 Villeneuve d'Ascq Cedex, France. *** ELF France, Centre de recherche de Solaize, BP 22 69320 Saint Shimphorien d'Ozon, France. Abstract. This paper presents a Fault Detection and Isolation system developped for ELF France. ELF France has been using data reconciliation to sellle the global performances of a refinery unit. It was interested by using a supervision system in order to validate the data provided by sensors before using them . The application and its interest are first presented. Then the design of the FDI system is described and illustrated by an example. We focuse on the detection and isolation stages which are rarely treated in the classical approaches. The results are presented in the last part, by giving the global performances obtained with actual plant data. keywords. System failure and recovery, Petroleum industry, Structural analysis.
1. INTRODUCTION
redundancy relations to be implemented but didn't study thoroughly the decision stage (detection and isolation). The same structural approach is here used for the design of the FDI procedures in this application. It will be shown how this approach copes with the design of the three steps of such procedures, namely the residuals generation, the test of their coherence and finally the detection and isolation of faults and failures. The data processing which allows isolation of failures in the single failures cases is first described. It is a structured residuals based procedure.
Modern industrial systems become more and more complex and require more and more security and performances. Performances are obtained and checked from the information provided by the sensors . Checking their actual behaviour becomes of an increasing interest for the efficency and the security of such plants. The Fault Detection and Isolation systems aim at the validation of the data available from the data acquisition units. They use a reference model in order to characterize the state of the system (normal or failing) and, in the case of a failure occurence, use specific isolation procedure to isolate the cause of the failure.
This paper focuses on the detection and isolation steps because they are rarely treated in the classical approaches. These ones often focuse on the characterization stage (the generation of residuals) and related studies are the adaptative treshold (Clark,89, threshold selector (Ding,91; Seliger,93) and the analysis of the firing sequences (Gertler,92). A mullivalued thresholds based detection procedure is proposed which allows a finer isolation of the elements which are out of order (Cassar,92). The isolation procedure processes the result of the detection step to establish a list of elements whose failure can explain the fired thresholds. A classical procedure in diagnotic methods, the test of hypothesis, is applied in order to obtain the final isolation result.
ELF France has been using data reconciliation to settle the global performances of a refinery plant. The application constitutes a part of a refinery plant located at Grandpuits France. The battery of input heat exchangers (see the scheme at the end of the paper) in which the crude oil is warmed up by the hot refined products involves all the flows of products. So a data reconciliation carried out on it provides usef ull information to determine performances of the lotal refinery unit. ELF was interested by using a FDI system in order to validate the data provided by sensors before using them for data reconciliation.
The results obained from the heat exchangers unit are presented in the last part, by giving the global performances. A finer analysis shows the influence of the system topology on the capabilty of the isolation of a given element. The behaviour of the detection
The LAIL laboratory previously studied the possibility of implementing a FDI system on a gas dehydration unit (Cassar,91). The structural analysis approach (Staroswiecki,89; Declcrck,91) gave the 177
The measurement noises must also be estimated. In normal condition, they lead to false alarms whose probability is fixed to 0.001. Given the magnitude of the expected failure, the detection conditions specify the probability of misses to be lower than 0 .03. These two probabilities will be usefull to the design of the decision procedure.
and the isolation procedures is given on an actual case of failure (derived from plant data) .
2. THE APPLICATION The application constitutes a pan of a refinery plant situated at Grandpuits France. In this bauery of input heat exchangers the crude oil is warmed up by the hot refinered products. As this unit involves all the flows of products, a data reconciliation carried out on it provides uscfull information to determine performances of the total refinery unit. Indeed having more reliable data about the flows allows to calculate the efficency of the global process, as well as for each product. The leakages can also be evaluated. These information is used to act on the plant in order to improve its results.
4. SYSTEM CHARACTERIZATION Most approaches in fault detection are based on the comparison between the actual behaviour of the system and a reference behaviour describing its normal operation. The reference behaviour is derived from a model of the system. So, an operating model is used which describes the constraints between the evolutions of the variables the plant involves. This analytical model is consituted of two pans: - the first one expresses how the inputs of the system are transformed into the internal state which is associated to the process variables. - the second one describes the measurements which are available. It expresses the way by which the sensors transform the states into output signals.
The data reconciliation is performed using the DA TREC software. Its results are reliable when the sensors provide accurate enough information. When several important deviations arise, i.e. when several sensors are failing, the data reconciliation shares the discripancies between all the sensors values and thus provides wrong results. So, a fault detection and identification system must process the sensors data to detect and isolate single or multiple failures. It provides estimated values to replace the bad ones and then recovers a more realistic view of the system. The FDI system works, in fact, as a filter thanks to which DA TREC can work in better condition.
Input output models are a rewriting of the plant and measurement models in which only known variables (controls u and measurements y) intervene. In the linear case, they are named Parity equations, or Analytical Redundancy Relations (A.R.R.) in a more general case.
The system is entirely a passive one and doesn't involve any actuator.
Let z(t,t-p) be the values of z on a temporal window of size p : z(t,t-p)T =[z(t)T, z(t-1)T •... z(t-p)T] where T means transposition. An input output model expresses some invariance property of the system under the form : Cl>[u(t.t-p). y(t.t-p)] = 0 The equality to zero will in fact never hold since the system is never under ideal circumstances ; in that sense. the Analytical Redundancy based residual vector will take the form : r(t) = Cl>[u(t.t-p), y(t,t-p)]
3. SUPERVISION SPECIFICATION The design of the supervision system begins by listing the elemenL~ to be checked and by defining for each of them its failure conditions. In the presented application, all the sensors directly implemented on the exchangers have to be checked . Some physical parameters as the repartition of the flows into the couples of parallel exchangers are supposed to be known and have to be supervised if possible. Their change would indicate a clogging of one of the two exchangers.
Many specific schemes have been developped for residual generation (identification of continous time model parameters, Kalman filters. observers, structured residuals). Some equivalence properties have been proved (Patton, 93), and a great number of applications have been made for technological processes. However, the application of these methods to large scale non linear industrial processes is not straightforward.
An element is considered to be failing when the deviation between the actual and the available values of the variable associated with it is over a limit. This definition doesn't impose a type of failure. It can be a bias, a drift or a freeze of the sensor. In this last case, the process variable must vary to insure the discrepancy between the available and the actual value of the variable.
The battery of heat exchangers leads to a static bilinear model which is derived from the mass and thermal balances around each exchanger and from the description of the connections between them.
In the presented application, two classes of sensors are supervised : temperature and flow transmitters. The limit deviation was fixed to 9°C for the first and to about 8% of the operating range for the second ones, depending on the operating conditions.
Structural methods will use only a very poor model of the system, and are, in that sense, very usefull 178
when starting the design of the FDI system and coping with non linear systems. In order to illustrate this method. a little example will be introduced. This sub-system is composed by a pair of twinned exchangers as prescnted figure 1.
shown by the complete matching on the unknown variables expressed by the bold terms of the structure. According to this choice. the values of F3. F4 (respectively FS. F6) are estimated from the relations f3. fS (respectively f4. f6). The constraint relations fl and f2 have not been used for the determination of the values of the unknown variables but must be verified by these values. The considered system is overdetermined. Reponing the estimated or measured values into the relations fl and f2 leads to two analytical redundancy relations which express the enthalpic balances around the exchangers Eland E2 and only involve available informations (here the measurements). These relations are verified when the known variables values are consistent with the model. The values of the residuals. which are calculated by reponing the known variables values into the analytical redundancy relations. reflect the discrepancy between the model and the actual plant.
Figure 1 : Exchangers E I and E2
!
V
f2
From the very general point of view which is that of structural analysis. the model of the system is only considered as a set of constraints which apply to a set of variables.
lf3
rrl rr2 IT3 tr4 trs rr6 1"7 ITS FI ""2 iF3 F4lFS F6l 11
I !1 D 1 i
1
i
I
-11
lf4 !1 ~.? : f" ......~~ ;[6 l
tIT!
a
t!J1!
Z contains three subsets: U. y. X. U is the subset of the control variables. Y is the subset of the measured variables. U and Y constitute the set of the known variables while X is the subset of the unknown variables.
1
I
!
I
n
tIT4 !
:
tITs !
! !
iTTI! tIT8
1 11
T
11
!
1 !I
,
1 1
!
I
!
1 1
'11
1-+ 1 1 1 1 1 11 1
~,
:
i
!
I
ITn ! nT6 t
1
,
I 1
!I
1 1 1 l
i I
lFJ2 !
!
,1
l
fl!
Let F == { fl ,f2.f3 •... ,fm} be the set of the constraints which represent the system model and Z == {zl.z2.z3 .... zn} be the set of the variables.
1
,
,
1 1
! 11 !
1
,
; 1 FIgure 2 : The model structure.
The structure of the model is a digraph whose incidence matrix represents the links between the variables ( known and unknown) and the constrainl~. It is described by the following binary relation: S: F x Z ~ {O.l} (fi.zj) ~ S(fi.zj) == 1 iff the constraint fi applies to the va-riable zj . S(fi.zj) == 0 otherwise.
Each sensor failure influences one or both residuals values . The larger the value of the residual. the more it will be said to be sensitive to the failure. Remark: The structural analysis copes whith the residuals generation by supposing that all the subsystems have a full rank. This hypothesis implies that an analytical redundancy relation can only be deri ved from a structuraly over-determ inated subsystem. When this hypothesis does not hold some analytical redundancy relations can be found from a just- or under-determinated subsystem. Indeed. in this case. a combination of the primary relations leads to zero and constitutes thus a analytical redundancy relation. In our example. suppressing the measurements IT3. IT4. ITS and IT6 leads to a structurally under-determinated subsystem whose generic rank is not full. That leads to an analytical redundancy relation which expresses the global enthalpic balance around the both exchangers. Adding some assumption about the repartition of the flows F3.F4 (coefficient al) and FS.F6 (coefficient a2) allows to obtain two additional redundancy relations (R4.RS). the structure of which is given below. The knowledge on a I and a2 may come from their estimation under the assumption they are slowly varying .
The figure 2 presents the structure of the model of the example. The relations FTi and ITi express the flow and temperature measurement functions. fl and f2 express respectively the enthalpic balances araound respectively the exchangers E2 and El. f3 and f4 are thermal balances. while fS. f6 are mass balances which express the mixing of the flows at the outputs of the exchangers. A structural analysis isolates in the process model the parts which can be supervised. The generation of residuals uses the over-determination of some subsystems obtained using the canonical decomposition of the digraph which represents the structural incidence matrix of the system model. In our example. all the values of the process variables can be either measured or estimated. This point is
179
:
columns of which define the signatures of the causes of failure. A signature can also be seen as the value of the coherence vector when the fault occures and thp test of coherence procedure works correctly.
The figure s 3 and 4 present the residual values calculated from the actual measurements around the exchangers E2SA and E2SB . The last two points exhibit a failure occuring on the measurement FTI and TT4 which represents respectively 20% and 2% of the nominal value of the variable.
...
2
:I.."
..
Five residuals are obtained from the structural analysi s which make appear all the measurements implemented on the process. Their structure is given below . RI and R2 express the coherence of the information (measurement and model) around respectively the exchangers Eland E2. R3 is the additional residual derived from the global enthalpic balance. R4 ,RS are defined above.
-
:I.
0 . 5
o
la -0.5
t;:
r _ _ 1.dua1
1
r . . . .:LcSua1
2 3
r __ .1.d1..1 • .l..
11
! RI ! 0
Figure 3 Residuals evolution 1
0
-1
~
.. .. ..
.....
t
R2 ! 0 f_R3 i 0 , R4 ! 1 ! R5 i.....0 ......,..,_.4 I
..
...
.. .. .. +
:
--
+
OJ 1 ! O! 1 I 0 1 1 i 0 i Oj 1 10 1
T 1
1 1
1
1
1
0 0
0 0
1
T T
T T
4
5
6
1
1 j 1
T 'T 'T T !I T I T 2 l 3 1 ! 1 1 1 1 l 0 oJ 0 o! 1
.........
1
0 0 1
T T
T T
7 1 1 1 ! 1 0 0 1 1 I 1 0 i 0 1
8 1 1
o
1
1 0
The failing residuals of the figure 3 and 4 leads to coherence vectors [I 1 1 0 O)T and [I 1 0 0 l)T whose values correspond with the signatures of the associated failures.
+ r __ ..1..clua..l.. r __ .1..cSua.l..
F !F T T !T 1 i 2
FIgure 5, Structure of the ARR
-
a 2
4 5
Isolation . The aim of the isolation step is to provide the list of elements which are failing from the results of the characterization and test of coherence steps. It is composed of two procedures : the recognition procedure provides a list of elements whose deviation may explain the results of the detection procedure, a specialized procedure then filters this list in order to provide the final isolation result.
Figure 4 Residuals evolution It can be noticed that some inaccuracies lead 1O residuals deviation s even when the system is in normal operation. That obliges to increase the decision thresholds in order to avoid false alarms. The sensitivity of temperature sensors is much greater than the onc of the now sensors in the residuals rI , r2, r3 .
The recognition procedure compares the coherence vector with all the signatures and determines which of the signatures are the closest. In the single failure hypothesis case, which is the most frequent, all the information contained in the signature and in the coherence vector can be exploited : a distance between the coherence vector and the signatures can be calculated. The Hamming distance can be chosen in this case. The same distance is used to calculate the isolation ability of a set of ARR. Each pair of sensors are tested : the larger the distance between their signature, the better their isolation index .
5. DECISION PROCEDURES
5.1. Binary logic based procedures Coherence vector. The coherence of each residual is tested using a direct comparison between its value and a threshold . The value of the reference threshold is defined so as to cope with the false alarm probability constraint. It depends on the expected standard deviation of the residual whic h is a function of the sensitivities of the components involved by the analytical redundancy relation and of their statistical distribution. This test applied on the set of residuals leads to a binary coherence vector~ . Each component £i of £ is obtained using the following rule : if Ri> Ti £i = I el se £i = 0
The figure 6 gives the table of the distances between the signatures of each couple of causes of failure. The elements of three groups of sensors can't be isolated because the distance between their signature equals zero : (FTI, Ff2, TTl , TT2),(TT3, TT4) (TTS, TT6) From an initial set of analytical redundancy relations, many other relations can be obtained by combining the initial ones . Adding these new relations will improve the isolation ability . However , a compromi ze must be realized between the isolation ability and the number of redundancy relations to be processed by the fault detection and isolation system.
Struc ture of a residuals set. The structure of a residual expresses which of the measurements influence the residual value. The sel of the structures of individual residuals constitutes the structure of the residual s set. A binary matrix is associated with this structure 180
of view . That decreases the isolation ability and then the recognition procedure provides a set of elements which are potentialy failing . This list of elements focuses on the part of the system whose behaviour doesn't remain consistant with the model.
Processing the whole installation in our case allows to better isolate the measurements which are located at a connection between several equipements. The measurements FT1, TT1, FT2 , TT7 are here concerned.
iFT2 , 4 : 4 0 : 0 ! 010 [0 0: 0 10 0 lTf3 i 3 i 41 ! 1 ! l t _1lO ; ~_'-+--:'_;-"""""""" ....~._.r _..;.-...._ 1IT4 : 3 ! 4 I ! I : I I: () O ! I IT5 i 4 i 3 i I I ! I I ..L1.J1._.2.J !IT6 : 4 ! 3 I I ! 1 I 1 I : 2 l 2 10 ; 0
A filtering process uses a classical procedure in diagnotic methods, the test of hypothesis, in order to isolate the failing elements. The value of each potentially failing sensor is estimated from one subsystem . The measured value is substituted into the ARR which express the other subsystems. The evolution of the coherence vector allow to conclude wether the estimation is better than the sensor value. IN the case of an affirmative answer, the element is said to be out of order. This procedure must be carried out carefully in order to avoid error compensation in this test of hypothesis.
WI !4 14 lTf21"4t 4
i
. P.
j TI7 ~ 3 -.L~-t.~-p-u.~ ~L~ !ITS[3!311;1:111:3
.... ..~ ....!}. .~.L 3 i l :l
l
M _ _~
:
! .9~ ~...J
20 j
6. THE RESULTS
Figure 6. Isolauon ability. Discussion. As the sensitivity with respect to a cause of failure is different in each redundancy relation, an intermediate failure amplitude will leads to a coherence vector different from the expected signature. J. J. GERTLER et al (92) introduce the notion of firing sequence to express that an increasing fault leads to a sequence of the coherence vector values which can be associated as intermediate signatures to the considered failure . The binary logic based procedure may provide, in these cases, missed isolation because of the proximity between an intermidiate signature of the failure and the signature of an other cause of failure .
5.2 Multivalued logic isolation When isolation performances are considered, taking into account the different sensitivities of a given residual with respect to different Faults or Failures, imposes a multiple threshold based detection procedure. Each threshold is calculated to ensure that the probabilty of mis detection remains below a specified value when the deviation between the available and the actual values of the variable reaches the value which defines the limit between the failing and non failing case. Each residual is tested against as many thresholds as the number of causes of failure is its structure . The result of this procedure is a multivalued coherence vector which is compared with multivalued signtures and allows a finer isolation of the elements which arc out of order (Cassar, 92).
The FDI system derived from the proposed method has been implemented and is currently tested on the actual process . As the process does not include control loops, faults can be simulated by adding perturbations to the measurement values. 103 ARR amoung the 250 which are possible have been implemented. The tests showed the robustness of the design of the decision thresholds and of the test of hypothesis procedure. No false alarms occured from raw measurement values. The final isolation is obtained when the deviation is significantly larger than the specified limit which define the failure . That comes from the test of hypothesis procedure which filters the result of the isolation stage and needs a more important deviation to ensure that the estimated value is better than the measured one. As an example, for a deviation equal to 1.5 times the specified limit value, only 40 sensors can correctly be isolated. This result becomes 61 sensors isolated amoung 68 when the deviation equals 5 times the specified limit value. When a sensor is isolated, an estimated value of the process variable is provided to replace the faulty measurement. Some sensors can never be isolated because they are structuraly non isolable. They often correspond to measurements located at the external bound of the supervised system. In these cases a low level of redundancy is reached on these vaariables.
7. CONCLUSION. 5.3 Multiple failure s isolation . In the case of multiple failures, only missed detections (elements of the coherence vector lower than the corresponding element of the signature) are significant according to a given signature . So the distance calculation only takes into account this point 181
We have presented a structural analysis based design of a FDI system . This approach allows to quickly obtain fundamental results about the supervision capabilities as residuals generation, detection or isolation abilities . These basic results are used along whith the analytical model of the system in order to
actualy implement the residuals calculation and to design the decision procedures.
Declerck ,Po (1991) . Analyse structurale et fonctionnelle des grands systemes. Application une centrale PWR 900 MW. These de doctorat, Universite des Sciences et Technologies de Lille, Villeneuve d'Ascq, France, 20 decembre 1991. Ding X., P. M. Frank (1991). Frequency Domain Aproach and Threshold Selector for Robust Modelbased Fault Detection and Isolation. SA FE PROCESS'9I IFACIIMACS Symposium, Baden Baden, Germany, September 10-13, 1991, Vol 2, pp. 187-191 Gertler, J . L, D. Singer (1992). An evidential reasoning extension to quantitative model-based failure diagnosis. IEEE transactions on SMC, vol 22, n02, march/april 1992, pp 275-286 Patton, R. J., J. Chen (1991). A Re-examination of the relationship between Parity space and observer based approach in fault diagnosis Revue Europeenne Diagnostic et surete de fonctionnement, vol 1 ,n02, pp. 183-200 Seliger R., P. M. Frank (1993). Robust Residual Evaluation by Threshold Selection and a Performance Index for Non Linear Observer-based Fault Diagnosis. Tooldiag'93,April 5-7, 1993 , Toulouse, France. Staroswiecki, M. ,P. Declerck (1989). Analytical redundancy in non linear interconnected systems by means of structural analysis. AlPAC'89 IFAC Symposium on Advanced Information Processing in Automatic Control, Nancy, France, 3-5 july, 1989,R. Husson (ed.), Centre de recherche en automatique de Nancy, pp II 23-27 ..
a
All the design procedures are gathered into a software called D3. The implemented FDI system is derived from a standard module which is configurated by the results of the design activity. The results presented from actual plant data show that the expected performances are reached for deviations which are quite larger than those specified. However, the obtained results are sufficient for the purpose of filtering the information provided to the data reconciliation process.
8. REFERENCES . Cassar, 1. Ph, M. Staroswiecki, E. Herbault,C .T .Huynh, B . Cordier (1991) . Supervision system Design for a Petroleum Production application SAFE PROCESS'9I IFACIIMACS Symposium, Baden Baden, Germany, September 10-13, 1991, vol2, 289-294 Cassar, J. P., M. Staroswiecki, R. Ferhati, (1992) . Multivalued logic voting scheme for residual evaluation in Failure Detection and Isolation Systems. IFACIIFIPIIMACS Symposium on Artificial Intelligence in Real-Time Control, Delfl, The Netherlands, June 16-18 , 1992. Clark R. N. (1989). State estimation schemes for instrument fault detection, Chapter 2 in: Patton R . J. and aI., Fault diagnosis in dynamic systems, theory and applicalion, Prentice Hall, 1989.
HEAT EXCHANGERS
GRM'DPUlTS
RCI
··i'~"1i '. I.,. ··............''.. "]IOI
.a
•
' r ..
:
".0Cl·
::
•
.
la
•
' .e ·
ta
".,. ,m""
a _________ ...Ja
G BMG GSTAB
182