Comput. chem. Engng, Vol. 11, No. 5, pp. 481-488, 1987
Printed in Great Britain. All rights reserved
0098-1354/87 $3.00 + 0.00
Copyright © 1987 Pergamon Journals Ltd
FAULT-TOLERANT COMPUTER CONTROL OF A TIME DELAY SYSTEM: SENSOR FAILURE TOLERANCE BY CONTROLLER RECONFIGURATION

R. A. MARTINI†, R. W. CHYLLA JR‡ and A. CINAR§
Department of Chemical Engineering, Illinois Institute of Technology, Chicago, IL 60616, U.S.A.

(Received 29 October 1985; final revision received 16 January 1986; received for publication 11 February 1987)
Abstract-Tolerance to sensor failure is developed by creating functional redundancy in a computer controlled process with time delay. Functional redundancy is implemented by formulating time delay compensators and control laws a priori and by reconfiguring the controller automatically when a sensor failure is detected. Experimental studies with a heat exchanger network illustrate the techniques proposed. Controller reconfiguration reduces the effect of sensor failures to process upsets similar to temporary process disturbances.

Scope-The objective of this communication is to present fault-tolerant computer control techniques based on the functional redundancy of the control loop. The existence of the computer in the control loop creates the opportunity to preserve a functional redundancy of the control loop against hardware (i.e. sensors, actuators) failures. This capability can be used to replace or to complement hardware redundancy such as duplication of sensors at a given measurement location. A multivariable, multiple time delay system is used to assess the fault-tolerance achieved by functional redundancy. New time delay compensation techniques have been used in the control of this system. The experimental results reported in this communication are the first application of these time delay compensation techniques in the presence of sensor failure.

Conclusions and Significance-The fault-tolerant computer control system described in this communication provides an added level of protection against hardware failure. It enables the use of information received by the computer from other parts of a process for preventing degradation of process response because of hardware failure. Experimental studies conducted using a heat exchanger network illustrate that the effects of sensor failure are either eliminated completely or reduced to temporary process disturbances. The time delay compensation techniques used are very effective. Without time delay compensation the test system is often closed-loop unstable. The multivariable time delay compensators stabilize the system and permit the use of controller settings which result in good closed-loop behavior.
INTRODUCTION

The current trend in chemical plant control is to replace traditional analog controllers with digital controllers and computers. The introduction of the computer into the control loop creates the danger for loss of control due to computer failure but also provides new alternatives for achieving tolerance to failure of other hardware components in the control loop. New approaches for increasing fault tolerance to computer hardware and software errors by creating diversity have been presented [1]. The objective of this work is to develop sensor failure tolerance by creating functional redundancy in computer control systems and to investigate the fault-tolerant computer control of time delay systems. A heat exchanger network consisting of two heat exchangers in series and a long pipe section is used as the multivariable time delay system.

With computer based systems, the destruction of the one to one correspondence between the processing units and the functional units shifts the redundancy of the system from hardware duplication to “functional redundancy” [2]. Preservation of the functional redundancy of the control activities becomes the focal issue, rather than the fault-tolerance of hardware or software alone. Functional redundancy can be used to create tolerance to sensor failure. The computation capability of the computer can be used to gain redundance in sensors through the use of unlike components and analytic modelling [3]. Various control laws can be formulated for possible failures a priori and stored in the computer or algorithms for on-line control system design can be included within the control program. In this work the first strategy is adopted and control laws are formulated for regulating the water exit temperature from the second heat exchanger either by using measurements of this temperature or measurements of the downstream temperature at the end of a long pipe section.

The structure of the paper is as follows: in the next section the experimental system and its models are described. The following section is devoted to time delay compensation and controller design. Controller reconfiguration is discussed in the third section. Experimental results in sensor failure recovery are presented in the last section.

†Current affiliation: Dow Chemical Company, Midland, Michigan, U.S.A.
‡Currently: S. C. Johnson & Son, Racine, Wisconsin.
§Author to whom all correspondence should be addressed.
EXPERIMENTAL SYSTEM AND MODEL

Heat exchanger network (HEN)

The fault-tolerant control system was developed and tested using a Heat Exchanger Network (HEN) consisting of two pilot plant size shell and tube heat exchangers in series (Fig. 1). The exchangers are four U-tube models with a heat transfer area of 2.8 ft² each. Condensing steam on the shell side is used to heat water flowing in the tube side. The water inlet temperature, the water exit temperature from each exchanger (T1 and T2, respectively), a downstream water temperature at the end of a loop of piping 23 ft long (T3) and the supply steam temperatures are measured by thermocouples, amplified and transmitted to the computer. The water flow rate (FL) is measured using an electronic flow sensor/indicator and is also sent to the computer. The water flow rate and the steam flow rate to each exchanger are regulated by pneumatic automatic control valves. Water flow rates can be varied from 0 gal/min up to 6 gal/min. Normal operating conditions are at 3.0-3.5 gal/min. The steam flow rate to each exchanger is at 25-30 psi pressure with a maximum flow rate of 2.75 lb/min.

Fig. 1. The heat exchanger network. (Legend: CV, control valve; HE1, heat exchanger 1; HE2, heat exchanger 2; SKO, steam knock-out drum; T1-5, temperature sensors.)

The heat exchanger model

In considering the dynamics of the HEN, the process can be modelled with transfer function matrices (TFM):

$$y(s) = G(s)\,u(s) + G_d(s)\,d(s) \qquad (1)$$

where G(s) is an n x n matrix relating the manipulated variables u(s) to the system outputs, $G_d(s)$ is an n x k matrix relating the disturbance variables d(s) to the system outputs and y is a vector of outputs. The HEN can be represented as a 2 x 2 system where the output variables are the water exit temperatures (T1 and T2), and the manipulated variables are the steam flow rates to each exchanger, S1 and S2. The water flow rate, FL, is regulated by a flow control loop and is used as the disturbance to the HEN. In the case where sensor T2 fails, sensor T3 will be used in its place. Define the deviation variables:

$$y_1 = T1 - T1_s, \quad y_2 = T2 - T2_s, \quad y_2' = T3 - T3_s,$$
$$u_1 = S1 - S1_s, \quad u_2 = S2 - S2_s, \quad d = FL - FL_s, \qquad (2)$$

where the subscript s represents the steady-state value of the variable and the prime denotes the alternate variable to be used in controller reconfiguration. This yields the TFMs for the base system and for the reconfigured system:

In order to construct the $G(s)$, $G'(s)$, $G_d(s)$ and $G_d'(s)$ matrices of (3), data was collected using the computer for several open-loop step changes. The program IDENT in the Computer-Aided Control System Design Package CONSYD [4] was then used to model each element of the TFM. Preliminary trials showed that all elements in the TFM are represented with enough accuracy by simple first-order-lag plus-time-delay models.

TIME DELAY COMPENSATOR AND CONTROLLER DESIGN

The water exit temperatures from the heat exchangers (T1 and T2) are to be kept at their set-point values by regulating the steam flow rates (S1 and S2). To include functional redundancy against sensor failure, it is proposed that when a temperature sensor fails, the controller is reconfigured to use information from another temperature sensor. As an example, the failure of the outlet temperature sensor (T2) from the second heat exchanger (HE2) is used. When this thermocouple fails, information from a downstream temperature sensor (T3) will be used in its place to regulate T2. This sensor is located at the end of a 23 ft long uninsulated pipe. The addition of a large time delay and heat losses to the surroundings makes the controller reconfiguration more complicated than the direct replacement of one measurement with another.

In the HEN, the large thermal capacity of the heat exchangers and piping causes a significant delay from the time a disturbance enters the process until it is detected by the thermocouples. Furthermore, at a given steam flow rate, in order to have high outlet temperatures the water flow rate must be kept low. At smaller water flow rates time delays increase. Therefore, the addition of a time delay compensator will improve the closed-loop response of the HEN. When sensor T3 is used, time delay compensation is more crucial since additional delay is introduced due to water flow in the pipe before reaching sensor T3. Time delay compensators are designed for both (T1, T2) and (T1, T3) configurations.

Control system design for the HEN includes the evaluation of process interaction and the design of a decoupler if needed, the design of time delay compensator and the tuning of PI controllers for the two control loops.
Interaction evaluation

Interactions in the heat exchanger network are evaluated using the Relative Gain Array (RGA) and multivariable frequency domain analysis using Direct Nyquist Array (DNA) plots. The CONSYD program “RGA” calculates the RGA from a Laplace domain TFM. The program has the option of calculating the RGA for all possible loop pairings. The S1-T1, S2-T2 pairing is the most sensible choice and the corresponding RGA is given in Table 1. The magnitudes of the RGA elements indicate low levels of steady state interactions. The Gershgorin and Ostrowski bands developed using the program MFA in CONSYD show that diagonal dominance is achieved without need for an interaction compensator. Since the interaction in this system is small, decouplers will not be used and attention will be focused on the time delay compensators.

Table 1. Transfer function matrices for the heat exchanger network and the RGA for the T1-S1, T2-S2 pairing. Time delay exponents and digits that are illegible in this copy are shown as [?].

(T1, T2) system
      S1                                  S2                                  FL
T1    3.0526 e^(-[?]s)/(1 + 9.3882 s)     -0.5455 e^(-2s)/(1 + 24.993 s)      -3.6128 e^(-[?]s)/(1 + 7.8014 s)
T2    2.8575 e^(-[?]s)/(1 + 18.564 s)     3.5011 e^(-3s)/(1 + 6.0268 s)       -9.1368 e^(-[?]s)/(1 + 11.070 s)

(T1, T3) system
      S1                                  S2                                  FL
T1    3.0526 e^(-[?]s)/(1 + 34.547 s)     -0.5455 e^(-[?]s)/(1 + 24.993 s)    -3.6128 e^(-[?]s)/(1 + 7.8014 s)
T3    2.6838 e^(-[?]s)/(1 + 34.547 s)     3.4333 e^(-19s)/(1 + 19.081 s)      -9.8438 e^(-[?]s)/(1 + 31.1[?] s)

RGA
0.1272  0.8727

Time delay compensation

The flow diagram of the Generalized Multidelay Compensator (GMDC) as used in this study is illustrated in Fig. 2. Following the approach in [5], the D(s) matrix is defined as a diagonal matrix with each element $d_i$ consisting only of a delay. The $G_r(s)$ matrix is identical to the process model G(s), except for the magnitude of its time delay $t_{ij}$. According to the procedure outlined in [5], if G(s) cannot be rearranged such that the shortest time delay in each row appears on the major diagonal, time delays in D(s) are selected such that the “apparent” system G(s)D(s) will pass the rearrangement test. The delays in $G_r(s)$ are selected according to the relationship:

$$t_{ij} = b_{ij} - d_i, \qquad (6)$$

where $d_i = \min_j (b_{ij})$ and $b_{ij}$ = the time delay of the ijth element of the G(s)D(s) matrix.

Simulation studies by Jerome and Ray [5] showed that the GMDC designed using this technique often provided the best performance. A procedure based on the IMC approach for unified design of the time delay compensator and controllers has also been proposed [5]. For the HEN the largest time delays of the TFM do not fall along the main diagonal. GMDCs are designed for the temperature control loops using the CONSYD program TDA.

Fig. 2. Block diagram of the controlled system with time delay and heat loss compensators.

Table 2. Time delay compensators for (a) (T1, T2) configuration and (b) (T1, T3) configuration

Generalized multidelay compensator for the heat exchanger network

To implement the time delay compensator, the GMDC (Table 2) must be converted into time domain. The program RETD from CONSYD was used to convert the Laplace domain models with time delay into state-space representation. The realization of the GMDC is obtained by subtracting from the realization of $G_r$ (denoted by x* and y*) the realization of G(s)D(s) (denoted by x and y). Hence,

$$w(t) = y^*(t) - y(t)$$
$$z(t) = x^*(t) - x(t), \qquad (7)$$
and

$$\dot z_{11}(t) = -0.1064\,z_{11}(t) + 0.0324\,[u_1(t) - u_1(t - 4)]$$
$$\dot z_{12}(t) = -0.0400\,z_{12}(t) - 0.0022\,[u_2(t) - u_2(t - 4)]$$
$$\dot z_{21}(t) = -0.0538\,z_{21}(t) + 0.0154\,[u_1(t - 10) - u_1(t - 15)]$$
$$\dot z_{22}(t) = -0.1659\,z_{22}(t) + 0.0581\,[u_2(t) - u_2(t - 5)], \qquad (8)$$
$$\dot z_{1d}(t) = -0.1282\,z_{1d}(t) - 0.4631\,[d(t) - d(t - 1)]$$
$$\dot z_{2d}(t) = -0.0903\,z_{2d}(t) - 0.8254\,[d(t) - d(t - 2)]$$

$$w_1(t) = z_{11}(t) + z_{12}(t) + z_{1d}(t)$$
$$w_2(t) = z_{21}(t) + z_{22}(t) + z_{2d}(t). \qquad (9)$$
The solution for a discrete system where the inputs u(t) are held constant for a time $\Delta t$ is given by the algebraic equations represented by [7]:

$$x(t + \Delta t) = \Phi\,x(t) + \Psi_j\,[u(t) - u(t - b_j)] + \Gamma_i\,[d(t) - d(t - b_i)], \qquad (10)$$

where

$$\Phi = e^{A\Delta t}, \quad \Psi_j = A^{-1}[e^{A\Delta t} - I]\,B_j, \quad \Gamma_i = A^{-1}[e^{A\Delta t} - I]\,D_i,$$
in which $A$, $B_j$ and $D_i$ are the coefficients of the realization matrix. To implement the dead-time compensator, the constants $\Phi$, $\Psi$, $\Gamma$ are calculated off-line for the (T1, T2) system and the (T1, T3) system and stored in memory. During the execution of the control program, the values for z are calculated using present and past values of the signals sent to the control valves (scaled from 0 to 100%). The values for $w_1$ and $w_2$ are then calculated and added to the measured variables to produce the predicted value of the measured variables. These values are used to calculate the error inputs to the PI controllers.

Selection of controller settings

Tuning the PI controllers for the system without time delay compensators could be done using several classical techniques. The selection of controller settings here is made using the recently published work of Rivera et al. [8] which uses the IMC framework to establish tuning guidelines. It has been shown that for virtually all models commonly used in industry, the IMC design procedure naturally results in PID controllers [8]. The advantage of using the IMC approach is that satisfaction of performance requirements and robustness constraints is handled directly using essentially one tuning parameter. Rivera et al. [8] have shown that first order plus deadtime models result in PI controllers if a zero order Pade approximation is made. Using their “improved” PI rule the gain and integral constant are determined. When applied to the HEN rather conservative tuning is necessary because of the large unmeasured disturbances in steam pressure as well as the transmission noise in temperature measurements.

For time delay compensated systems, the selection of controller settings is less clear. The controller cannot be tuned in the same manner as for the systems without delays when time delay compensation is used. For this reason, in HEN control the time delay compensated systems used the identical constants as the non-compensated systems to establish a base case for comparison. For step inputs, it has been shown [8] that making the gain as large as possible is optimal in the sense of ISE performance. If time delay compensation allows higher control gains to be used, then it can be expected to result in improved control.
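The compensator update of equations (8)-(10), as an added example rather than code from the paper or from CONSYD: each first-order state is advanced with constants Φ and Ψ computed once off-line, and a history buffer supplies the delayed signals. The 1 s sampling interval and all class and function names are assumptions; the poles, gains and delays are those of equation (8).

```python
import math
from collections import deque

DT = 1.0  # sampling interval in seconds (assumed; the page does not state it)

# One row per state of equation (8): dz/dt = -a*z + b*[v(t - t1) - v(t - t2)]
# (state, a, b, input signal v, t1, t2)
STATES = [
    ("z11", 0.1064,  0.0324, "u1", 0, 4),
    ("z12", 0.0400, -0.0022, "u2", 0, 4),
    ("z21", 0.0538,  0.0154, "u1", 10, 15),
    ("z22", 0.1659,  0.0581, "u2", 0, 5),
    ("z1d", 0.1282, -0.4631, "d", 0, 1),
    ("z2d", 0.0903, -0.8254, "d", 0, 2),
]


class Gmdc:
    """Discrete dead-time compensator for the (T1, T2) configuration."""

    def __init__(self, dt=DT):
        self.dt = dt
        self.z = {name: 0.0 for name, *_ in STATES}
        # Off-line constants of equation (10) for scalar states with A = -a, B = b:
        # Phi = exp(A*dt), Psi = A^-1 [exp(A*dt) - 1] B = b*(1 - Phi)/a
        self.phi = {n: math.exp(-a * dt) for n, a, *_ in STATES}
        self.psi = {n: b * (1.0 - self.phi[n]) / a for n, a, b, *_ in STATES}
        # History long enough for the largest delay; the process starts at steady
        # state, so all past deviation signals are zero.
        depth = int(round(max(row[5] for row in STATES) / dt)) + 1
        self.hist = {k: deque([0.0] * depth, maxlen=depth) for k in ("u1", "u2", "d")}

    def _delayed(self, signal, delay):
        """Value of a signal `delay` seconds before the current sample."""
        return self.hist[signal][-1 - int(round(delay / self.dt))]

    def step(self, u1, u2, d):
        """Advance one sample with deviation inputs; return (w1, w2)."""
        for key, value in (("u1", u1), ("u2", u2), ("d", d)):
            self.hist[key].append(value)
        for name, _a, _b, signal, t1, t2 in STATES:
            drive = self._delayed(signal, t1) - self._delayed(signal, t2)
            self.z[name] = self.phi[name] * self.z[name] + self.psi[name] * drive
        w1 = self.z["z11"] + self.z["z12"] + self.z["z1d"]   # equation (9)
        w2 = self.z["z21"] + self.z["z22"] + self.z["z2d"]
        return w1, w2


def step_response(du1, samples):
    """w1, w2 trajectories for a step of size du1 in u1 applied at the first sample."""
    gmdc = Gmdc()
    return [gmdc.step(du1, 0.0, 0.0) for _ in range(samples)]


if __name__ == "__main__":
    # Constructed input: a 10 % step in the S1 valve signal.
    for k, (w1, w2) in enumerate(step_response(10.0, 30), start=1):
        print(f"t={k * DT:4.0f} s  w1={w1:7.4f}  w2={w2:7.4f}")
```

The correction is a transient: once the delayed copy of a signal catches up with the current one, the bracketed term is zero and each z decays, so w adds nothing to the measurement at steady state.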
Simulation studies

Using the CONSYD Program SMXPO, simulations of step changes in FL, T1, and T2 for two PI controllers with and without time delay compensators are made as shown in Fig. 3. The measurement from the sensor for T2 is assumed faulty and T3 is used. In all three cases the response of T2 is unstable without dead-time compensation. In fact, tuning procedures for the non-compensated reconfigured system indicate that the controller gain must be reduced by 60% and the integral action reduced by a factor of four for acceptable control. However, the addition of the time delay compensator in Table 2b stabilizes the response at the higher gain levels.
Fig. 3. Simulations of outlet temperature transients in response to set-point changes in T1 (A), T2 (B), and FL (C) for the (T1, T3) configuration without (/wo) and with time delay compensation (/td).

CONTROLLER RECONFIGURATION

Functional redundancy against sensor failure

The first problem encountered in using sensor redundancy is detecting when the original sensor has failed. In our experimental system, the thermocouple amplification circuit is designed to output 0 V for an open thermocouple. However, this test is only good for detecting a “dead” sensor and cannot detect a “sick” sensor. For example, the thermocouple may be shorted in the extension wire or connecting hood. The thermocouple will then read the temperature of the ambient air. To detect a shorted thermocouple, a test is made to check that the exit temperature from the downstream heat exchanger (HE2) is always greater than the exit temperature from the first heat exchanger (HE1). Even with steam valve (S2) of HE2 closed, enough steam leaks past to elevate the water temperature a few degrees.

Controller configurations

Direct sensor replacement. Once the fault is detected, the controller is configured such that the auxiliary sensor, T3, directly replaces the original sensor, T2. This strategy would work well in a system where T2 and T3 are redundant sensors making the same measurement at the same point or in close proximity. However, since sensor T3 is downstream from the process, the measurement from T3 does not equal T2. The piping loop adds considerable velocity-distance lag to the measurement. This time delay causes the PI controller to become unstable, even with very conservative control parameters. Therefore, to assign T3 directly to T2 is a bad fault-tolerance policy.

Sensor replacement and time delay compensation. In this case, a GMDC is added to the classic PI controller to remove the effects of time delay from the control loop. In order to realize the GMDC, the open loop response of T1, T2, and T3 to step changes in S1, S2 and flow disturbances are measured. From these responses, TFM are modelled for the (T1, T2) system and the (T1, T3) system. When the sensor failure is detected, the information from T3 is used in place of that from T2 and the TFM constants and time delays from the (T1, T3) system replace those of the (T1, T2) system in the GMDC. This corrects for the additional time delay of the piping loop. In addition, the PI control parameters are replaced with those tuned for the (T1, T3) system with time delay compensation. Since there is some heat loss from the piping loop into the surroundings, the temperature T3 is a few degrees lower than T2. This would cause an offset between the setpoint value for T2 and its actual value.

Sensor replacement and compensation for time delay and heat loss. In order to make the reconfigured system perform as well as the original system, the offset in T2 must be eliminated. To accomplish this an inferential approach is used. The heat loss in the piping loop is modelled by examining the response of T3 to a change in T2. The model is then inverted to give an estimate of T2 based on a known T3. This estimate is then used as the measured variable in the dead-time compensated PI controller. Note that while the temperature T3 reflects the variations in the original variable T2, the time delay is still that of the T3 sensor. The transfer function describing the change in T3 for a change in T2 without the time delay is:

$$\frac{T3(s)}{T2(s)} = \frac{0.8825}{1 + 10.996\,s}. \qquad (11)$$

Therefore, the inverse will describe the change in T2 for a change in T3. The inverse is simply:

$$\frac{T2(s)}{T3(s)} = 1.133\,(1 + 10.996\,s). \qquad (12)$$

Transforming this expression into the time domain yields:

$$T2 = 1.133\,T3 + (10.996\,dT3/dt). \qquad (13)$$

The block diagram for the reconfigured control system is shown in Fig. 2. Experiments have shown that a smaller value for the coefficient of dT3/dt gives better results, making the term more immune to noise. The analysis of the TFMs yields the compensators listed in Table 2 which are obtained as outputs from the program TDA. The elements $g_{ij}$ are the same as the original TFM.

EXPERIMENTS IN SENSOR FAILURE RECOVERY

Time delay compensation

Process responses for step changes in FL, T1, and T2 using PI control and the original controller configuration are shown in Fig. 4 to serve as a base case. In Fig. 5 the effect of similar step changes on T1 and T2 is presented, with time delay compensation added to the PI controller having the same controller settings. In both cases, $K_c$ and $\tau_I$ were set to 0.95 and 3.0 for the flow loop, 0.32 and 7.0 for the T1 and T2 loops. The compensation for the time delay stabilizes the control loops and the process responses appear overdamped. This suggests that even higher values of the proportional gain, $K_c$, can be used to further improve the process response.
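The two T2 sensor tests and the switch to the T3 inferential estimate of equation (13) described under Controller reconfiguration, as an added example that is not the authors' control program. The voltage tolerance, the latch, the backward-difference derivative, the sample readings and all names are assumptions; the PI settings and the coefficients are the values quoted on this page.

```python
from dataclasses import dataclass
from typing import Optional

PI_T2 = (0.32, 7.0)    # (gain, integral constant) for the T2 loop, as quoted on the page
PI_T3 = (0.25, 7.0)    # settings used for the T3 loop after reconfiguration
INV_GAIN = 1.133       # equation (13): T2 = 1.133*T3 + 10.996*dT3/dt
DERIV_COEFF = 10.996   # the page reports that a smaller value is less noise sensitive
V_OPEN_TOL = 1e-3      # assumed tolerance around the 0 V open-circuit output


def check_t2(t2_volts, t1, t2):
    """Classify the T2 thermocouple as 'open', 'shorted' or 'ok'."""
    if abs(t2_volts) < V_OPEN_TOL:   # "dead" sensor: amplifier outputs 0 V
        return "open"
    if t2 <= t1:                     # "sick" sensor: HE2 exit must exceed HE1 exit
        return "shorted"
    return "ok"


@dataclass
class T2Source:
    """Selects the measurement and the PI settings for the T2 loop."""
    dt: float                         # sample time in seconds
    deriv_coeff: float = DERIV_COEFF
    failed: bool = False              # latched until the sensor is repaired (assumption)
    reason: str = "ok"
    prev_t3: Optional[float] = None

    def update(self, t2_volts, t1, t2, t3):
        """Return (value fed to the T2 loop, PI settings, source tag)."""
        if not self.failed:
            status = check_t2(t2_volts, t1, t2)
            if status != "ok":
                self.failed, self.reason = True, status
        # Track dT3/dt on every sample so it is valid at the moment of switch-over.
        dt3 = 0.0 if self.prev_t3 is None else (t3 - self.prev_t3) / self.dt
        self.prev_t3 = t3
        if not self.failed:
            return t2, PI_T2, "T2"
        # Heat-loss compensation: invert the pipe model to estimate T2 from T3.
        return INV_GAIN * t3 + self.deriv_coeff * dt3, PI_T3, "T3-inferred"


# Constructed readings: (T2 amplifier volts, T1, T2, T3), temperatures in deg C.
SAMPLES = [
    (2.00, 40.0, 50.0, 44.1),   # healthy
    (0.90, 40.0, 22.0, 44.1),   # shorted lead: T2 reads ambient air, below T1
    (2.00, 40.0, 50.0, 45.1),   # reading looks sane again, but the latch holds
]


def replay(samples, dt=1.0):
    """Run the selector over a list of readings and collect its decisions."""
    source = T2Source(dt=dt)
    return [source.update(*row) for row in samples]


if __name__ == "__main__":
    for value, (gain, integral), tag in replay(SAMPLES):
        print(f"{tag:12s} value={value:6.2f}  gain={gain}  integral={integral}")
```

The switch-over also has to load the (T1, T3) compensator constants in place of the (T1, T2) ones, which this selector leaves to the caller.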
Fig. 4. Process response to a +5°C step change in T1 set-point (A), in T2 set-point (B) and a +0.5 gal/min step change in FL set-point (C); PI control.

Fig. 5. Process response to a +5°C step change in T1 set-point (A), and T2 set-point (B); PI control with time delay compensation.

Alternate control configurations

In the experiments, the use of sensor T3 instead of T2 resulted in a closed-loop unstable system (with existing controller settings), a result which agrees with the conclusions of the simulations. Using the time delay compensator on the reconfigured control law stabilizes the controller using sensor T3. The control settings are changed in the control law reconfiguration to $K_c$ = 0.25, $\tau_I$ = 7.0 for the T3 loop. This change in settings alone is not sufficient to stabilize the T3 controller without time delay compensation. Using this control configuration step changes were made in FL, T1 and T2 setpoints. Response to changes in water flow rate is similar to the response in Fig. 4c. For the most part, the system remains stable to set point changes in T1 and T2 (Fig. 6). However, this model assumes that the value from sensor T3 is the same as the value from T2 delayed in time. But the heat loss in the long pipe causes an offset between the actual value of T2 and the setpoint. To correct for the offset, the long pipe was modelled as outlined and an expression to predict the value of T2 for a given T3 was obtained. This new configuration was then studied under the same step changes and disturbances. The system was stable under most cases and had a response (Fig. 7) similar to the original T2 controlled system.

Fig. 6. Process response to a +5°C step change in T1 set-point (A) and T2 set-point (B) with T2 sensor failure; controller reconfiguration with time delay compensation.
Fig. 7. Process response to a +5°C step change in T1 set-point (A) and T2 set-point (B) with T2 sensor failure; controller reconfiguration with time delay and heat loss compensation.

Fig. 8. Process response to a controller reconfiguration due to failure of T2 sensor while the process is at steady state (A), while in transition to a new T2 set-point (B) and while in transition to a new FL setpoint (C).
Controller reconfiguration

A final set of experiments was conducted to observe the system behavior under on-line controller reconfiguration. Figure 8a shows the effect of a T2 sensor failure and controller reconfiguration when the process is at steady state. The transition has no noticeable effect on the outlet temperatures. Typical effects of a T2 failure and controller reconfiguration while the system was in transition to a new setpoint are shown in Figs 8b and c. In these tests a change in either water flow rate (Fig. 8b) or temperature set point (Fig. 8c) is made and 10 s later failure of sensor T2 is introduced. The results show that in general if the system with the T2 sensor is stable, the reconfigured system is also stable.

The functional redundancy achieved by controller reconfiguration against sensor failure is quite successful if the key features of the additional process characteristics are incorporated in the new control law. For the heat exchanger system, accounting for the extra time delay and the heat loss were of critical value. Since this new controller is to be used until the original control loop is repaired, some offset in the response may be tolerable. Consequently the new controller can be simplified. For the heat exchanger system, the use of the steady state gain alone for estimating T2 from T3 measurements resulted in the offsets shown in Fig. 8.

REFERENCES
1. R. A. Martini and A. Cinar, Prevention of loss of control in chemical plants under computer control. Proc. 1985 ACC, Boston, pp. 305-310 (1985).
2. M. H. Gilbert and W. J. Quirk, Functional redundancy to achieve high reliability (R. Lauber, Ed.), Safety of Computer Control Systems. Pergamon Press (1980).
3. W. E. Vander Velde, Control system reconfiguration. Proc. 1984 ACC, San Diego, pp. 1741-1745 (1984).
4. M. Morari and W. H. Ray, CONSYD User’s Manual. University of Wisconsin, Madison (1984).
5. N. F. Jerome and W. H. Ray, High performance multivariable control strategies for systems having time delays. AIChE Jl 32, 914 (1986).
6. B. R. Holt, The assessment of dynamic resilience: the effect of non-minimum phase elements. Ph.D. Dissertation, University of Wisconsin, Madison (1984).
7. B. A. Ogunnaike and W. H. Ray, Computer-aided multivariable control system design for processes with time delays. Comput. chem. Engng 6, 311 (1982).
8. D. E. Rivera, M. Morari and S. Skogestad, Internal model control. 4. PID controller design. Ind. Engng Chem. Process Des. Dev. 25, 252 (1985).