FAULT MONITORING IN THE PRESENCE OF FAULT-TOLERANT CONTROL ¹
Fahmida N. Chowdhury ∗ and Wen Chen ∗
∗ Department of Electrical and Computer Engineering, University of Louisiana at Lafayette, Lafayette, Louisiana, USA, 70504-3890. Email: {wchenc; fnchowdh}@louisiana.edu.
Abstract: This paper is concerned with timely and effective residual generation for systems with Fault-Tolerant Control (FTC). Contrary to the trend in current FTC, this paper proposes and demonstrates that fault monitoring is essential even if ideal FTC is available. Basic concepts of fault diagnosis and fault-tolerant control are first introduced and the problem regarding why a timely fault indicator is necessary is discussed. A linear system with a fault-tolerant controller, an adaptive controller, is used to motivate our main viewpoints on how to generate a timely and effective fault indicator. A simple fault indicator to monitor both controller and output residuals is developed, which is applicable to closed-loop systems regardless of the type of fault-tolerant controller. Copyright © 2006 IFAC.
Keywords: Fault detection; fault-tolerant control; controller residual; output residual
1. INTRODUCTION
Increased productivity requirements and stringent performance specifications have led to more demanding operating conditions in many modern engineering systems. Such conditions increase the possibility of system faults which are characterized by critical, unpredictable changes in the system dynamics. System faults can result in off-specification production, increased operating costs, and the possibility of detrimental environmental impacts. More importantly, from the safety point of view, a single fault can develop into multiple faults, which can further lead to catastrophe. Therefore, in order to satisfy the needs for safety, reliability, and performance in the industrial processes, it is important to promptly detect system component faults, actuator faults, and sensor faults, and to accurately diagnose the source and severity of each malfunction so that corrective actions can be taken.
Footnote 1: This work was supported by NASA under Award NCC5573 and NASA/LEQSF Contract 2001-04-1, and also by the Governor’s IT Initiative in the University of Louisiana.
Footnote 2: Corresponding author: [email protected].
1.1 Basic concept of fault diagnosis
A fault that tends to degrade overall system performance represents an undesired change in a system of interest, while a failure denotes a complete breakdown of a system component or function. The purpose of fault detection is to generate an alarm which informs the operators that there is at least one fault in the system. In general, a fault diagnostic system detects process abnormalities by monitoring measurements and comparing them with their respective values during normal-mode operation. The differences between them are referred to as residuals, which are used as the alarm for fault detection (Gertler, 1998). An early or swift fault alarm is one of the important requirements for fault detection. The goal of early fault detection is to leave enough time for the operators to take necessary actions such as reconfiguration, maintenance or repair. The majority of existing fault-detection schemes use output estimation errors as residual signals (Chen and Patton, 1999).
1.2 Basic concept of fault-tolerant control
A Fault-Tolerant Control (FTC) system is defined as a control system with fault-tolerant capability. The main objective of the FTC is to maintain the specified operations of a system under consideration, and to give operators (or automatic monitoring systems) enough time to repair the damage or take alternative measures to avoid catastrophe (Chen and Patton, 1999). Adaptive control and reconfigurable control are considered to be included in “active fault-tolerance” according to the extensive survey of FTC given in (Patton, 1997).
It appears that if a very effective FTC is in operation, whether passive or active, the presence of the faults can be ignored since the controller can handle (compensate for) them. This raises a very important issue in the research area of fault diagnosis: how to timely detect faults in a system with fault-tolerant control? This paper proposes that, despite the best possible FTC, it is necessary to monitor faults so that they can be removed or repaired at the earliest possible time. The main contribution of this paper is to propose a technique to timely detect the occurrence of faults despite the existence of a fault-tolerant controller.
This paper is organized as follows: In Section 2, the problem of why a scheme for fault detection is needed is stated. Both controller and output residuals are evaluated via a simulation example in Section 3. A generalized fault indicator is proposed in Section 4, and Section 5 concludes this work.
2. PROBLEM STATEMENT
For introductory exposition, two different residuals are defined in a generic closed-loop system with a plant and a controller. Let the output of the nominal (fault-free) plant be $y_M(t)$, with the suffix “M” indicating “Model”; in the actual (possibly faulty) case, the output is $y(t)$. The “output residual” is given by
$$R_o(t) = y(t) - y_M(t). \tag{1}$$
Suppose that the controller output under the nominal fault-free condition is given by $v_M(t)$. In the real (possibly faulty) case, the controller output is $v(t)$. The “controller residual” is then given by
$$R_c(t) = v(t) - v_M(t). \tag{2}$$
Remark 1. As discussed above, system output residuals may be less sensitive to system faults due to the FTC. In addition, robust controllers are also able to provide fault-tolerant performance in a limited way (Hedrick et al., 2002). Clearly, the ultimate goal of an “ideal fault-tolerant controller” would be to keep the system output residual, $R_o$, identically zero despite the possible existence of system faults. As a matter of fact, this has not yet been achieved in practice. Many of the already proposed FTC schemes are able to maintain, to a large extent, desired system performance in the presence of faults, as pointed out in (Patton, 1997). In general, the more “effective” the FTC is, the less sensitive the system output will be to the presence of faults.
The need to define a fault indicator for closed-loop systems with effective controllers has been recognized by a few researchers; for example, in (Xu and Jiang, 2000), the authors conclude that the controller output is the optimal location to obtain the information about small parameter changes or faults in the actuator, feedback sensor and the plant. However, the results are derived under a very tough condition that cannot be satisfied by many practical systems. In addition, only faults are considered while failures are neglected. A similar issue was considered in (Chowdhury and Jiang, 2004) for the stochastic case. In this paper, a new fault indicator which can detect both faults and failures despite ideal FTC and possible controller saturation is proposed.
3. EVALUATION OF RESIDUALS IN A CLOSED-LOOP SYSTEM WITH FTC
In order to discuss the issue of residual generation for systems with FTC, an adaptive controller, which is an active fault-tolerant controller according to the above discussion, will be designed for a linear time-invariant system because it can handle greater variations in system behavior than other robust controllers do (Maciejowski and Jones, 2003). Its fault-tolerant capability will be explored, and both controller and output residuals will be inspected to see which one is more sensitive to actuator faults. The main viewpoints regarding how to generate a timely fault alarm are proposed.
Consider a single-input single-output linear system
$$\dot{x}(t) = Ax(t) + Bu(t), \qquad y(t) = Cx(t) \tag{3}$$
where $x \in \mathbb{R}^n$ is the state, $y(t) \in \mathbb{R}$ is the output, $B \in \mathbb{R}^{n\times 1}$, $C \in \mathbb{R}^{1\times n}$, $u(t) \in \mathbb{R}$, and the system matrix $A \in \mathbb{R}^{n\times n}$ is a stable matrix. The control objective in both the nominal and faulty cases is to choose the control input $u(t)$ such that all signals in the closed-loop plant are bounded and the system state $x$ can follow the state $x_m$ of a reference model specified by
$$\dot{x}_m(t) = A_m x_m(t) + B_m r(t), \qquad y_m = C x_m \tag{4}$$
where $x_m \in \mathbb{R}^n$ is the state, $A_m \in \mathbb{R}^{n\times n}$ is Hurwitz, $B_m \in \mathbb{R}^{n\times 1}$, $r(t) \in \mathbb{R}$ is the reference input, and $y_m \in \mathbb{R}$ is the reference model output.
In what follows, an adaptive controller is designed for system (3) as a fault-tolerant controller. To simplify discussion, let $A_m = A$, and consider actuator faults only. Two fault scenarios will be considered. One of them is a sudden reduction of actuator gain. The other is a gradual reduction of actuator gain, a so-called incipient fault.
3.1 Adaptive Control and Stability
An adaptive controller, $u(t) = L^* r(t)$ where $L^*$ is a positive constant, can be applied to the system for the purpose of model following. The closed-loop plant is obtained as follows:
$$\dot{x} = Ax + BL^* r. \tag{5}$$
If $L^*$ is chosen such that $BL^* = B_m$, then the system state can follow the reference model state for any bounded reference signal $r(t)$. Assuming that $L^*$ is unknown, an adaptive controller is proposed as $u(t) = L(t)r(t)$, where $L(t)$ is the estimate of $L^*$ to be generated by an adaptive law. In the sequel, the adaptive law will be derived and stability of the closed-loop system is proven.
By adding and subtracting the desired control input, $BL^* r$, to the system equation (3), one obtains
$$\dot{x}(t) = Ax(t) + B_m r + B\bigl(u(t) - L^* r\bigr). \tag{6}$$
The model tracking error $e = x - x_m$ can be shown to satisfy
$$\dot{e}(t) = Ae(t) + B\tilde{L}r \tag{7}$$
where $\tilde{L} = L(t) - L^*$. Since $BL^* = B_m$, then $B = B_m/L^*$, and (7) becomes
$$\dot{e}(t) = Ae(t) + (B_m/L^*)\,\tilde{L}r. \tag{8}$$
A Lyapunov candidate is chosen as $V = e^\top P e + \tilde{L}^2/L^*$, where $P = P^\top > 0$ satisfies the Lyapunov equation $PA + A^\top P = -Q$ for some $Q = Q^\top > 0$. Then
$$\dot{V} = -e^\top Q e + 2e^\top P B_m \tilde{L} r / L^* + 2\tilde{L}\dot{\tilde{L}}/L^*. \tag{9}$$
If an adaptive law is designed as $\dot{\tilde{L}} = \dot{L} = -e^\top P B_m r$, then $\dot{V} = -e^\top Q e < 0$. This implies that $\lim_{t\to\infty} e(t) = 0$, that is, the system state can follow the reference-model state. The output $y(t)$ will accordingly follow the desired one. That is, the adaptive controller is able to ensure accurate model-following.
In what follows, simulations will be studied to investigate how the controller and output residuals respond to actuator faults with the designed adaptive controller by letting $B = [1\ 0]^\top$, $A = \begin{bmatrix} -1 & 1 \\ 0 & -2 \end{bmatrix}$, $C = [1\ 0]$, $B_m = [2\ 0]^\top$, $r(t) = \sin t$. Figure 1 describes model-following and system-output tracking, with the dashed lines indicating variables of the actual system, under the nominal case. It clearly shows that the designed adaptive controller can drive the fault-free system to follow the reference model very accurately.
Fig. 1. Model following under nominal case. (Panels: States 1 under nominal case; States 2 under nominal case; System and reference model outputs under nominal case; Adaptive Controller. Horizontal axis: time.)
3.2 Sudden reduction of actuator gain
In this subsection, the fault of a sudden reduction of gain $B$ will be used to test the fault-tolerance ability of the designed adaptive controller. The output residual and controller residual will also be assessed to see how they respond to this sort of actuator fault.
Assume that the original actuator gain $B = [1\ 0]^\top$ reduces to $B = [0.7\ 0]^\top$ at time 20 seconds. Figure 2 describes system responses under this sudden reduction of actuator gain, where system state 1 (system output) deviates from the reference model slightly at time 20 seconds. It quickly follows the reference model again after a very short transient period. Therefore, $R_o = 0$. This is due to the adjustment of the adaptive controller, at 20 seconds, whose gain $L(t)$ is increased from 2 to 2.7. Therefore, the controller residual is $R_c = 0.7 \sin t$. In spite of the insensitivity of the output residual as demonstrated in Fig. 3, the controller residual clearly indicates the occurrence and existence of the fault. Therefore, the controller residual may be considered as a timely residual signal if an effective FTC is being applied to the system. If the output residual $R_o$ is used as a fault indicator, this will result in the false conclusion that the system is working perfectly and that no fault exists in it. This is a result of the adaptivity of the designed controller, which has handled the fault at the cost of supplying more controller output.
Fig. 2. System response under sudden reduction of actuator gain.
Fig. 3. Controller and output residuals. (Panels: Output Residual; Controller Residual. Horizontal axis: time.)
3.3 An incipient fault: gradual reduction of the actuator gain
In this section, a fault of gradual reduction of actuator gain will be used to explore the fault-tolerant ability of the above designed adaptive controller, in spite of the fact that it is designed for a sudden reduction of gain $B$, and to inspect which signal can be used as an effective fault alarm. The actuator gain has been 1 before 20 seconds. Starting from this time instant, it gradually reduces until zero. Figure 4 demonstrates that from time 20 seconds to about 30 seconds, system state 1 (system output) can still maintain accurate following of the reference state 1 despite the occurrence of the actuator fault. This is due to the controller’s capability of fault-tolerance, which masks the existence of the actuator fault. However, after 35 seconds, the system state 1 begins to deviate from the reference state 1, and gradually it cannot perform model-following at all as the actuator gain reduces further. Therefore, after 35 seconds, the output residual becomes significant and can be used as a residual.
Nevertheless, the important and practical question is: how to detect a fault “immediately” after its occurrence for this system with an effective FTC? Obviously, the output residual (state error 1) is not a good choice for timely or swift fault detection because it has no significant response to the occurrence of the actuator fault between 20 and 35 seconds, as shown in Figure 4. We have to resort to the controller signal again, as in the previous subsection. Figure 5 clearly shows that the controller residual is able to sound a solid alarm immediately after the occurrence of the actuator fault even though the system can still follow the reference model accurately.
Fig. 4. Gradual reduction of actuator gain. (Panels: States 1 under an actuator fault (gradual reduction of effectiveness); States 2. Horizontal axis: time.)
Fig. 5. Controller and output residuals. (Panels: Output Residual under a gradual actuator fault; Controller Residual under a gradual actuator fault. Horizontal axis: time.)
In real-world applications, the controller output cannot increase its control effort infinitely due to physical limitations. It may become saturated if the control signal exceeds a finite magnitude. This implies that the adaptive controller is no longer effective in maintaining model-following if the controller output is saturated. Under this circumstance, both output and controller residuals can sound alarms as depicted in Fig. 6. However, before 30 seconds, the output residual is useless compared with the controller residual, as shown in Fig. 7. So, it is not a good choice for timely fault detection.
Fig. 6. Residuals under saturated controller. (Panels: Output residual with controller saturation; Controller residual with controller saturation. Horizontal axis: time.)
Fig. 7. Residuals before 30 seconds. (Panels: Output residual with controller saturation; Controller residual with controller saturation. Horizontal axis: time.)
3.4 Discussion
Subsections 3.2 and 3.3 have described the fault-tolerant feature of the designed adaptive controller, and have evaluated both output and controller residuals. Through this simulation example, the following conclusions can be drawn:
(1) FTC comes at some extra cost in the form of increased input energy.
(2) The FTC might keep specified system performance just for a short period of time if the fault situation is becoming worse. The example indicates that the performance can be maintained for about ten seconds. Afterward, it begins to degrade as the actuator gain further reduces.
(3) Actuator and/or controller saturation makes it impossible for FTC to achieve a complete performance maintenance.
(4) The output residual is robust to actuator faults for a substantial period of time due to the fault-tolerant ability of the adaptive controller.
(5) The controller residual is always sensitive to faults and is therefore an excellent candidate for a residual signal.
It is worth noting that it is the fault-tolerant controller that makes output residuals insensitive. If such a fault-tolerant controller does not exist in the considered system, the output residual is still an excellent residual signal, as has been studied in observer-based fault detection approaches. In addition, the output residual is also sensitive to actuator “failures” such as complete loss of an airplane’s aileron.
4. A GENERALIZED FAULT INDICATOR FOR CLOSED-LOOP SYSTEMS
A new and very simple fault indicator that can be adapted to the level of intelligence or effectiveness of the controller is now proposed. As illustrated in Section 3, a fault-tolerant controller makes the output residual insensitive to faults. Fault information, however, resides in the controller residual rather than in the output residual. On the other hand, the output residual is still sensitive to failures, such as actuator or sensor breakdown, which has been proven in the literature.
Based on the above consideration, the proposed fault indicator uses information from both controlled and manipulated variables: it is the square root of the norm sum of two residuals, the residual at the system output and the residual at the controller output, as shown in Figure 8. The proposed fault indicator can swiftly detect both faults and failures no matter whether an FTC exists or not, which is its main advantage.
Fig. 8. Configuration of proposed fault indicator.
Denoting $R_o$ and $R_c$ as the vectors of output and controller residuals that are defined in Equations (1) and (2), the generalized fault indicator for arbitrary closed-loop systems is given by:
$$\Gamma = \sqrt{R_o^\top R_o + R_c^\top R_c}. \tag{10}$$
This implies that an effective fault detection strategy is to monitor both the controller residual and the output residual. Clearly, a separate fault monitoring system in conjunction with FTC can make the entire system operation more reliable and safe.
If a perfect FTC is applied to the system, the controller residual is then sensitive to faults while the output residual $R_o$ is supposed to be robust to them. Under this circumstance, if an actuator fails (complete breakdown), the control signal, no matter how good it is, cannot be transferred to the plant due to the failed actuator. The remaining actuators may not have the ability to compensate for the effect of the failed actuator due to their physical limitations. As a result, the output residual $R_o$ is also an excellent fault residual according to the literature. Therefore, the proposed fault indicator is a very solid alarm signal and can work very well so that no faults and failures will be missed. For an open-loop system, the task of fault detection fully relies on the output residual because the controller residual is not affected by the system faults at all.
The norm forms $R_o^\top R_o$ and $R_c^\top R_c$ may reduce the actual size of the residual $\Gamma$. If both $R_o$ and $R_c$ are less than 1, then $R_o^\top R_o$ and $R_c^\top R_c$ are much less than both $R_o$ and $R_c$ themselves. This is why we use the square root of the sum of $R_o^\top R_o$ and $R_c^\top R_c$, so that the fault indicator is a significant residual.
Remark 2. It should be noted that this method can be applied on the residuals directly, regardless of how the residuals are created: by observers (for the deterministic case) or Kalman filters (for the stochastic case), if needed. Direct model-based residual generation has been used here simply for convenience and brevity.
5. CONCLUSIONS
In this paper, it is contended that the use of FTC does not mean the presence of the fault in the system can be ignored. In order to supervise the fault, a new and simple fault indicator using both controller and output residuals has been proposed for closed-loop systems. This indicator works regardless of the level of effectiveness of the controller, including the ideal fault-tolerant controller. Its main feature is that it can monitor both faults and failures no matter whether an FTC exists or not.
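Added example (not from the paper or its authors): a Python simulation of the sudden actuator fault of Section 3.2 under the adaptive law of Section 3.1, reporting $R_o$, $R_c$ and the indicator $\Gamma$ of Eq. (10) before the fault, during the transient, and after adaptation. Assumptions not stated in the paper: $Q = I$, zero initial states, $L(0) = L^*$, forward-Euler integration, and the nominal signals $y_M$, $v_M$ taken as the reference-model output and $L^* r$.

```python
import math

L_STAR = 2.0           # ideal gain: B L* = Bm with B = [1 0]^T, Bm = [2 0]^T
P11, P12 = 0.5, 1 / 6  # first row of P from P A + A^T P = -Q with Q = I (assumed)

def simulate(gain, t_end=80.0, dt=1e-3):
    """Euler-integrate plant (3), reference model (4) with Am = A, and the
    adaptive law dL/dt = -e^T P Bm r. gain(t) scales the actuator: B = [gain 0]^T.
    Returns rows (t, Ro, Rc, Gamma)."""
    x1 = x2 = xm1 = xm2 = 0.0   # zero initial states (assumed)
    L = L_STAR                  # controller starts at the ideal gain (assumed)
    rows = []
    for k in range(int(round(t_end / dt))):
        t = k * dt
        r = math.sin(t)
        v, v_nom = L * r, L_STAR * r           # actual / nominal controller output
        e1, e2 = x1 - xm1, x2 - xm2            # tracking error e = x - xm
        ro, rc = e1, v - v_nom                 # Eq. (1) with C = [1 0], Eq. (2)
        rows.append((t, ro, rc, math.hypot(ro, rc)))   # Eq. (10), scalar case
        dL = -2.0 * (P11 * e1 + P12 * e2) * r  # e^T P Bm with Bm = [2 0]^T
        dx1, dx2 = -x1 + x2 + gain(t) * v, -2.0 * x2
        dxm1, dxm2 = -xm1 + xm2 + 2.0 * r, -2.0 * xm2
        x1, x2 = x1 + dt * dx1, x2 + dt * dx2
        xm1, xm2 = xm1 + dt * dxm1, xm2 + dt * dxm2
        L += dt * dL
    return rows

def peaks(rows, t0, t1):
    """Largest |Ro|, |Rc| and Gamma observed for t0 <= t < t1."""
    win = [row for row in rows if t0 <= row[0] < t1]
    return tuple(max(abs(row[i]) for row in win) for i in (1, 2, 3))

def sudden_fault(t):
    """Actuator gain drops from 1 to 0.7 at t = 20 s (Section 3.2)."""
    return 1.0 if t < 20.0 else 0.7

if __name__ == "__main__":
    rows = simulate(sudden_fault)
    windows = (("before fault", 0, 20), ("transient", 20, 30),
               ("after adaptation", 70, 80))
    for label, t0, t1 in windows:
        ro, rc, gamma = peaks(rows, t0, t1)
        print(f"{label:17s} |Ro|max={ro:.3f} |Rc|max={rc:.3f} Gamma_max={gamma:.3f}")
```

Once the controller has adapted, the output residual falls back toward zero while the controller residual, and therefore $\Gamma$, keeps signalling the fault.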
REFERENCES
Chen, J. and R. J. Patton (1999). Robust Model-based Fault Diagnosis for Dynamic Systems. Kluwer Academic Publishers, Boston.
Chowdhury, F. N. and B. Jiang (2004). A new technique for fast detection of progressive faults. In: American Control Conference. Boston.
Gertler, J. J. (1998). Fault Detection and Diagnosis in Engineering Systems. Marcel Dekker, New York.
Hedrick, K., A. Howell and B. Song (2002). Fault tolerant longitudinal control of transit buses: fault diagnostics and management. In: PATH Conference.
Maciejowski, J. M. and C. N. Jones (2003). MPC fault-tolerant flight control case study: flight 1862. In: IFAC SAFEPROCESS Conference. Washington DC.
Patton, R. J. (1997). Fault tolerant control: the 1997 situation. In: IFAC Safeprocess Conference. Hull, UK. pp. 1033–1054.
Wu, N. E., Y. Zhang and K. Zhou (2000). Detection, estimation, and accommodation of loss of control effectiveness. International Journal of Adaptive Control and Signal Processing 14, 775–795.
Xu, Y. H. and J. Jiang (2000). Optimal sensor location in closed-loop control systems for fault detection and isolation. In: American Control Conference. Chicago. pp. 1195–1199.