- Email: [email protected]
From control to supervision
Annual Reviews in Control PERGAMON
Annual Reviews in Control 25 (2001) I-1 1 www.elsevier.comilocate/arcontrol
FROM CONTROL
Marcel Staroswiecki
TO SUPERVISION
and Anne-Lise
Gehin
LAIL-CNRS EUDIL, Universite’ des Sciences et Technologies 59655 Villeneuve d’Ascq cedex [email protected]
de Lille
Abstract : This paper is concerned with the terminology and fundamental problems of FTC and supervision. Based on the idea that at any level, engineers are concerned with the control (or at least the mastering) of a (healthy or faulty) system, successive extensions of the Standard Control Problem (SCP) are proposed in order to provide a clear definition of Fault tolerance and Supervision problems. Keywords
: Supervision,
Fault Tolerant Control.
1. INTRODUCTION Control engineers are faced with increasingly complex systems, for which dependability considerations are sometimes more important than performance. In fact, sensors, actuators or process failures may drastically change the system behavior, ranging from performance degradation to instability. Control theory, first developed for continuous systems in a linear framework, has to consider more and more general problem settings which arise from the consideration of complex models, of integrated automation, of implementation issues and of fault tolerance properties. Fault tolerance is highly required for modern complex control systems. Fault tolerant control systems are needed in order to preserve the ability of the system to achieve the objectives it has been assigned, or if this turns out to be impossible, to assign new (achievable) objectives so as to avoid catastrophic behaviors.
1367-5788/01/$20
0 2001 Published
PII: S1367-5788(01)00002-5
by Elsevier Science Ltd.
Fault Tolerant Control is an emerging field - see (Patton, 1997) for a recent review - , which has motivated many works, ranging from systematic analysis of fault propagation (Blanke, 1996) to the analysis of systems structural properties when faults occur, based either on state space models for recoverability (Frei et al, 1999), observability (Staroswiecki et al., 1999b) and controllability (Hoblos et al., 2000), or on symbolic and graphic approaches (Staroswiecki et al., 1999a) (Gehin and Staroswiecki, 1999). Many works have proposed specific FTC schemes based on predetermined design for accommodation (Rato and Lemos, 1999) predictive control (Mosca, 1995) (Maciejowski, objective 1997b), adaptation (Dardinier Maron et al., 1999), logic inference and qualitative models (Brown and Harris, 1994) (Askari et al. 1999). The implementation of FTC within control architectures often refers to some supervision level which answers the need for integrated automation, and implements control, FDI, FTC, advanced decision, man/machine interfaces,. . .
2
M. Siaroswiecki und A. -L. Gehin /Annual Reviews in Conlrol25 (2001) l--l I
However, what is meant by Supervision Problem is still vaguely defined : papers on supervision range from Diagnosis (Patton et al., 1989), (Hamsher et al. 1991) to Control and Fault Tolerant Control (Patton, 1997), (Maciejowski, Human/machine cooperation 1997a), and (Rasmussen, 1983) (Millot, 1988), (Gentil, 1995). The result is some difficulty to build a framework which would theoretical of proposed conceptualize the abundance approaches and methods. In this paper, we are concerned with the terminology and fundamental problems of FTC and supervision. Based on the idea that at any level, we are concerned with the control (or at least the mastering) of a (healthy or faulty) system, successive extensions of the Standard Control Problem (SCP) are proposed in order to provide a clear and rigorous definition of Fault tolerance and Supervision problems. The paper is organized as follows. The example of a two tank process, a part of the COSY Benchmark- (see Heiming and Lunze, 1999) is first presented (section 2) since every control level as introduced will be illustrated using this example. The standard control problem is introduced in section 3. Robustness and adaptation issues are discussed in section 4 as solutions to a more general control problem, in which parameters are uncertain or time varying. Further extension are given in sections 5 (hybrid control) and 6 (fault tolerant control), where not only the system parameters but also the system structure are subject to changes. This calls for fault tolerance, in which and reconfiguration accommodation both strategies are distinguished. Section 7 considers the case when fault tolerance cannot be achieved, and defines the supervision problem as the most general control one. Section 8 concludes the paper.
the valves are on/off valves. Tank T, is equipped with a continuous level sensor and tank T2 with three discrete level sensors, indicating if the liquid is above or below the sensor level. Liquid is led into tank T, by pump P, and from tank T, to tank Tz by valve V,, (V,, should always be closed). Four normal operating modes are considered: no operation, filling, regulation, and emptying. During the regulation operation mode, the main objectives are to keep the liquid levels at 50 cm in tank T, and at 10 cm in tank T3. The liquid being supposed dangerous, one system objective is not to pollute the environment (or to pollute as little as possible) whatever the system situation. The system variables are : - state vector x = (hl, hJ, - control vector u = (v, pos(V,,))’ - measurement vector y = (h,, d(h,))’ The parameter vector is 19= (A, k, k,, ko)’ where k, is the gain between the signal fed to the pump and the corresponding delivered flow and k, (resp. k,,) is a flow correction term depending on the characteristics of the valve V, (resp. V,).
I I
Tank T,
Tank TZ
Figure 1: Hardware process description. 2. EXAMPLE The chosen example is a part of a process which has been considered as a benchmark in the ESF funded COSY (Control of Complex Systems) network (Heiming and Lunze, 1999). It is composed of two identical connected tanks (see figure 1). Each tank is cylindrical of section A. by pump PI, The inflow Q, is provided (controlled by the signal v) filling tank T,. The pump is continuous on a specific range. The flows Qo, resp. Q,, between the two tanks are controlled by valves V,,, resp. V,,. Connecting pipes are at level 0 and 30 cm. Valve V, is an outlet valve, located at the bottom of tank Tz. All
The system measurement constraints:
model is given by the state and equations, along with two operative
The state equations x = f(x,u,B,t)
:
are in this example: h, =$Q,
& =+(Q,,
-Q,, -Q,)
with Q, = k, .v(t) and v E [O,l] and
(1)
M. Staroswiecki and A. -L. Gehin /Annual Reviews in Confrol25
(2001) 1-I I
3
Q, = 0 if h, < h and h, < h where h is the level of the connecting
pipe,
Q,, = k,, .,/m.pos(V,,
l
The objective y is defined with respect to the system trajectories, and consists in transferring the system from the initial state : vx,)l t,, = lx,= (0, o)‘, t, = 0) to the final one : V(xf; tjy)= {Xf = (50, IO)‘, t, > O}
.
Cl is a set of applications from [0, -) to [O, l]x{O, I}, defining the control inputs u,(t) = v(t) and u2(t) = pas(Y)(t), with v E C’, The constraints are (1) (2) and (3).
) if h, > h and
h, < h pos(vn)
Q,, = k,, .,/w.
if h, < h and
h, > h
Q,,= sign(h, - hz).k, .&&&&os(V,
)
l
ifh,>handh,>h Q,
= kO.dx
where
p is the density
of the
water and g is the gravity constant. .
The measurement
and the
A closed loop SCP should be considered during the regulation operation mode of the tank system (see fig. 2).
equation:
y = g(x, 4 0, t) is
Such a problem would have many solutions, a classical setting would be for example minimum time optimal control problem.
(2)
Y = (h,, d (h*))’
where
d(h,)
represents
the
output of the discrete level sensor. l
The operative constraints h(x, II, 0, t) 10
fig. 2. The closed loop SCP for the regulation level h,
(3)
are h, >h2 E IO, h,,,
3. STANDARD
1
CONTROL
.
PROBLEM
3. I. Definition . A Standard Control Problem SCP (Landau, 1988) is defined by three entities, first a class of controls II, second an objective y, and finally a set of constraints
I
I
:
of
The objective yis defined with respect to the regulation of the liquid level in tank T,, and consists in giving specific properties to the transfer between the perturbations and level h, : annihilate the permanent error, provide a good response time, set the closed loop system poles to chosen values. Suppose a PI controller is used. Then U, is a set of applications v E C’ depending on two parameters (k,, k,) which define the control input by:
C.
Solving the SCP consists in finding a member of II which achieves y while satisfying C. In some cases, several solutions exist, and choosing the best one (in the sense of a given criterion J) defines an optimal control problem. Objectives are expressed either with respect to the system trajectories or with respect to the system inputoutput transfer characteristics according to the use of state or transfer models.
3.2. Example The control problem setting during the filling operating mode could be the following :
v : R’x [0, 00 ) + [0, I] (set point, h,, t) -+ v(setpoint, .j.. =
.
h,, t) = .
I
sat&, E(t)+ 4 &(~)&I
with e(t) = set point saturation function in The constraints are equation (a part of which Q, is considered
- h,(t) and sat is the [0, I]. given by the system the state equation, in as a perturbation)
W)=-&(P)-Q,,(p) Y,(P)
=
h,(p)
where p is the Laplace operator.
’
4
M. Staroswiecki
and A. -L. Gehin /Annual
Reviews in Control 2j (2001) I-1 I
shown on fig. 3 (de Larminat,
3.3. The SCP quadruple Considering the SCP constraints, an important distinction is that of the constraints structure (s) - functionsJ g and h in the state space approach, function G(p) in the input / output transfer one and the constraints parameters (0). Note that the class U is given not only by its mathematical properties but also by its definition and image sets (resp. 6’, [0, -) and [0, I]x{O, I] in the first example). The definition set results from the engineer’s choice (open loop, closed loop for example) while the mathematical properties and the image set result from the constraints structure (namely the definition of the system actuators : how many actuators, what technology).
Figure 3 : Standard transfer representation RCP. As far as regulation is concerned, formulated as follows:
which represents the objective x the constraints C and the control class U (an optimal control problem is defined by the 5-uple < 3: s, 0, U, J > where J is the optimality criterion).
4. ROBUST AND ADAPTIVE
CONTROL
In the first SCP generalization, a set of quadruples < x s, 0, U > instead of a single one < 3: s, 19,U >,is considered. 0 stands for a set of possible values of the constraints parameters, and the SCP aims at finding a control u E U so as to achieve the objective y under constraints whose structure s is known and whose parameters 8 are unknown, but it is known that they belong to 0. The practical interpretation is obviously that 0 represents the set of the possible values of timevarying or uncertain parameters, or is a means to account for modeling errors. Robust and adaptive control are. two different approaches to solve this more general control problem.
4.1. Robust control Robust control is a passive approach, which aims at achieving the objective ywhatever the value of 8 in 0. In a more realistic formulation, robust control tries to minimize the discrepancy over 0 of the achieved results. A popular approach to the robust control problem (RCP) is to formulate the excursion of the system parameters as the result of input disturbances, as
of a
the RCP is
.
The’ objective is to annihilate, bound or minimize the deviation z (in the H, or H, sense for example),
.
The control class is defined regulators K(p),
.
The constraints are given by the system equations G(p) and by the definition of the observations y.
Note that for given engineering choices, the SCP is completely defined by the quadruple : -c 3: s, 0, lJ >
1996).
by the class of
Robust approaches have widely been developed in the literature. A very short reference list would include CRONE control (Oustaloup, 1993) mixed sensitivity optimisation (Verma, 1984), (Kwakernaak, 1985), robust pole assignment (Morari and Zafirio, 1989), (Landau et al., 1993) H, approaches (Doyle, 1992) (Kwakernaak, 1993).
4.2. Adaptive control In contrast to robust control which aims at achieving the objective ywhatever the value of 19 in 0, adaptive control is an active approach in which the actual value e^E 0 of the parameters is estimated in order to solve the SCP < 3: s, 6, U > (Astrom, 1983), (Goodwin and Sin, 1984). As far as regulation is concerned, some performance index can be defined and adaptive control would adjust the regulator parameters so as to track the desired value of the performance index (direct adaptive control, see (Dugard and 1988)). Figure 4 illustrates this Landau, approach.
A4. Siaroswiecki
and A. -L. Gehin /Annual
5
Reviews in Control 25 (2001) l-l 1
h,(p)
= G(P)
gizkp&i,l’
4~)
- Q,,(P) and Y,(P)
= h,(p).
5. HYBRID CONTROL
5.1. Definition
Figure 4 : Direct adaptive control (Dugard and Landau, 1988)
4.3. Example Let us consider the level regulation tank T,, using the PI controller of regulator produces the pump control obtain the pump flow Q, = k”.v(t) ,
problem in fig. 2. The v(t) so’ as to where k, is
In a second generalization level the CP is defined by < 3: S(A), o(A), U(A) > where S(A) and o(A) are respedtively a set of constraints structures and constraints parameters whose time evolution sequence is controlled by some deterministic automaton A, and U(A) is a set of control classes. The problem is here to find the control u E U(A) so as to achieve the objective yunder constraints (s, f3) E S(A)xo(A) whose succession is defined by the automaton A.
Example of robust control problem setting: find the regulator parameters k,, and k# so as to minimize the criterion maxs,K J(kJ
The simplest practical interpretation is that of hybrid systems (Antsaklis et Nerode, 1998) which present different configurations. Commutation from one configuration to another one is done under the control of some automaton A which models the discrete event part of the system. Thus different sets of constraints which differ both by their structures and their parameters have to be satisfied by the solution of the control problem. Most often, the objective itself is decomposed into a sequence of objectives each of which is specific to a given set of constraints so that the hybrid control problem can be formalized by < G(A), S(A), o(A), U(A) > where G(A) is the set of objectives. At each time, one single SCP < ‘): s, 8, U > where (x s, 6, U) E G(A)xS(A)xO(A)xU(A) is to be solved.
Example of direct adaptive control problem setting: find the regulator parameters k,, and k, so as to minimize the criterion
5.2. Example
the pump parameter which is supposed to be constant and known. When this is not true (k, is uncertain or it is time varying, e.g. there is a leakage which depends on the pump rotation speed), the output r,(t) will not have the desired characteristics. Let us suppose that we know the set K to which k, belongs, and that the objective is expressed using some predictive control criterion e.g. :
J(kJ=‘ji[ref I
J(ky)=
-h,(~):d~
The automaton
j[ref-Y,(r)fdZ’ r-7
presented in figure 5,
Example of indirect adaptive control problem setting: find the regulator parameters k,, and k, so as to minimize
the criterion
J([“)where
k^,, is
the estimate of the pump parameter. In all three problem settings, the control class is given by the regulator equation : u(p) = K(k,,,k, pJ 4pl where : 4~) = ref - Y,(P). The constraints are measurement equations
the :
system
state
and
Figure 5 : The tank system operating modes
6
h% Staroswiecki andA. -L. Gehin /Annual Reviews
with :
25 (2001)
I-l
1
6. FAULT TOLERANT
‘yr Transfer the system from : V, = {h,(t,) = 0, to = O} to V, = {h,(q) = hl: 9 E R) while minimizing tf (reach the level set point hl* in minimum ”
in Control
h, =+(a,
6.1. Definition
time
-Q,)
Ql = k, .v(t) Q, =0 ifh,
Q, = k, .,/?%$=&os(V, ifh,>handh,
handh,>h
0, = W@rl - hZ)k,.~~Wos(l/,) ifh,>handh,>h 01
A,ky>ka,k,
u,
[O, -) + lo, IIW, 1) u*(t) = v(t), v E co uz(t) = pos(V,)(t)
p
Regulate level h, to the set point h,*
CONTROL
Let us consider the problem < x S, 0, U >, and suppose that no knowledge at all is available about the evolution of the constraints (s, 0). The practical interpretation is that the objective y has to be achieved under constraints whose structure and parameters are unknown, and may belong to the sets S and 0. This is a generalization of the robust or adaptive control problem, in which not only the constraints parameters but also their structure may change. This is typically the case when the possible occurrence of faults is taken into account. Parametric (multiplicative) faults are obviously described by parameters changes while additive faults can be described by structural or parameter changes. Consider tank described by :
TI whose
normal
operation
h, = Q,(t) - Q,, 0) r2
-
k, (4 + k,,p)
=
h,(p)
Ap*
+ k,(k,
+ k,,p)
Q, .Then
‘2
QO Ap2 +k,(ki+kpP)
A, k, V(t)
=
the constraint
structure
value
is changed
into :
AP*
Y,(P) = hip) (Q,, is considered as a perturbation, and the system is linearized around its nominal operating point) 0,
(4)
and suppose there is a leak with unknown 6
is
hi = Ql (t> - Q,, 0) - Q,(t)
This is indeed a structural change, since normal operation is described by equations (5) and (6) :
Qdt) = 0
kpE(t) + ki $E(Z)dZ
E(t) = h*l - yj (t) ki, ktl E R
(it is supposed that the control does not saturate)
(5)
ift
(6)
while equation (6) disappears in faulty operation. On another hand, suppose that the leak is at the bottom of the tank. A leak model is: Q,(t) = kL=
K
s3
Transfer the system from Vo = /ht(to), to = 01 to V, = (h,@) = 0, 9 E R] while minimizing tf (empty the tank T, in a minimum same as s, same as e,
e, cr, v(t) = 0
pos(V,,) = I is an illustration
of a hybrid control.
and equation (5) is now: h, = Ql (t) - Q, (t) - kL$% time)
so that the leak appears as a change in the value of some parameter kL. Obviously, robust approaches which would try to achieve the objective y whatever the pair (s, 0) are unrealistic. Many works have been devoted in recent years to the problem < 3 S, 0, U > (see the recent review by Patton (1997)). Fault
M. Stavoswiecki and A. -L. Gehin /Annual Reviews in Control 25 (2001) l-11
control) and system accommodation (or reconfiguration are two basic strategies which can be distinguished. However, there is no clear and unanimous definition of what each strategy really covers. Since in all cases the problem which is faced is a control problem, we propose to distinguish them on the basis of the previously defined framework, according to the fact that fault tolerance is achieved through a passive approach (control the system under the actual constraints) or an active one (change the constraints and set a new control problem). As it will be seen, the choice between fault accomodation and system or control reconfiguration depends on the existence of a solution to the corresponding specific control problems. However, it should be emphasized that the actual setting of those control problems depends primarily on the amount of information the FDI system is able to provide to the fault tolerant control level.
I
When a fault occurs, for example
el, + 0, perfect
fault accommodation would change the nominal control into another one which solves < ‘): sd r3,, U > where (s,, 19,) is the actual (faulty) system. The objective would thus be achieved in spite of the fault, thanks to the change of the control law (this supposes that the control problem < x s., &,, U > has a solution). Obviously, the actual constraints (so, 0,) being unknown, fault accommodation needs FDI algorithms which provide an estimation of (su, 0,). When the FDI gives
a
unique
estimation
(i, 8) ,
fault
accommodation solves the control problem < y, ,:,e^,u > It cannot be applied when < y, ,Y,6, u > has no solution,
and other strategies
have to be developed. Example. Suppose that the leak in tank T, has been detected by the FDI algorithms, and its amplitude b, has been estimated. Then a fault accommodation strategy regulation problem:
would
solve
the
6.2. FDI information y Since the design of control solutions which are robust with respect to any fault is not realistic, FTC must be based on some knowledge about the faults. FDI algorithms are designed so as to provide this knowledge, and indeed isolation procedures are intended to identify the faulty system components. However, the question still arises of how the FDUFTC connection can be designed. Considering the control problem requirements provides a key for this analysis. Let us consider three classes of FDI algorithms : . the most powerful one provides data which allow the estimation (,;,e^) of the actual .
constraints (s,,, @,) of the control problem, the second class provides data which allow the estimation
.
of the constraints
but only of a set 6 constraints parameters, the last one only allows possible structures j each structure s of that parameters 6~~) .
which
structure contains
s^
to estimate a set of and eventually, for set, a set of possible
Definitian. Fault accommodation is the strategy which solves the control problem < y, i,e^, t/ > the (estimated)
control
problem
actual system.
S
It,
< y, ;,&r/ > ) of
=
Q,(t) - Q, @I - fir. 0)
0
Ak,,k,t,k,
u
Qdt, = &v(t) = satfk,, E(t) + ki id7)dT
1
0 E =h,‘-
h,(t)
Note that the problem might have no solution since v(t) E [0, 11 and the leak could be too large to be compensated by the pump. Also note that if the objective ywere defined by : 1)
the
6.3. Fault accommodation
(or the robust
Provide the input / output transfer with some desired property
2)
provide the input / output transfer with some desired property AND do not spoil the environment (or spoil as little as possible, the content of tank T, being dangerous)
then the control problem would again have no solution since the second objective could not be satisfied. In such cases, fault accommodation could not be a suitable strategy. When the FDI only gives an estimation then fault
accommodation
solves
(s^,@ ,
the problem
8
M. Staroswiecki
and A. -L. Gehin /Annual
< y, .?,6, u > which is a robust control one. This is the case, for example, when the FDI algorithm detects and isolates a change on the parameter k, of pump P, but instead of providing the actual value (which it is unable to identify), it provides some domain to which the actual value belongs. Finally, it should be noticed that even when a solution exists, its quality might be so low that fault accommodation is impractical. In fact, such a situation corresponds to system objectives in which the quality requirement should have been made explicit e.g. : 1) 2)
achieve y WITH some quality index at least equal to some given value.
Reviews in Control 25 (2001) 1-l I
from the FDI algorithms, since no estimation of the actual set of constraints is necessary. The main characteristics is on the contrary that the unknown set of constraints (s,, 9,) is replaced by a (feasible) known one (a z) and the set of admissible control U is replaced by another set V. The only data which is needed thus concerns the feasibility of (CJ z) and the existence of a set of controls V in the faulty situation. Example. Suppose that valve V, gets blocked and closed. Then, the level in tank T2 can no longer be regulated using valve V,. Valve Vh can be used instead of V, and as a consequence the system structure is modified. The previous regulation problem : regulate level hr and h2 with desired input/output properties hi = +(Qi -Q,,
6.4. System or control reconfiguration
Q, = k,.v(t) Definition. System or control reconfiguration is a strategy in which the actual faulty system is replaced by another one. The reconfigured control thus solves a new control problem replacing the original one < 3: s,, 0,) U > by a new one < x o, r, V > with the same objective.
Q,
Q, = 4, .,/i%?i?.wC’,) ifh,>handh,
Obviously for reconfiguration strategies to be clearly defined, one has to define admissible sets Z and E for the choice of the pair (a z) and the set of admissible controls U has to be replaced by another set V. Solutions are proposed in (Gehin, Staroswiecki, 1999) to automatically define Z description and Z from a system component based approach. Note that the reconfiguration strategy does not need any detailed information
1
handh,>h
Q, = +@I
Suppose that the FDI algorithm does not provide any estimation of the actual faulty system constraints (thus no accommodation problem can be formulated), or that it does provide such an estimation, but the accommodation problem has no solution. Thus, in the presence of a fault, no strategy can solve the problem < ‘): s,,, 0,, , U >. The reconfiguration strategy merely rests on the formulation of a new problem < 3: o, r, V > which has a solution, and thus allows to achieve the objective x by changing the system structure, parameters and control. This means that some kind of redundancy exists in the system. The new structure and parameters of the constraints thus result from the disconnection of the faulty components and their replacement by other (non faulty) ones.
ifh,
=0
- Wk, .~i&&4’a
1
ifh,>handh,>h Ai+,,&,,&, lo, -) --j [O,llxlO, u,(t)
=
v(t),
v E
uzftl
=
PO-v‘,)(t)
Il
c’
becomes : Y cr
regulate level hi and h2 with desired input/output properties 1 4 = ;(QI -Q/,1 Q, =
k, .v(t)
Qh =+@I
-M$,.,/~.P@‘~~
z
A,k,,k,sk,
v
[O, -) + [O,~lxlO, 11 u,(t) = v(t), v E c’ uz(tJ = Po~wtJt)
6.5. Remark the the In both accommodation and reconfiguration strategies, the problem of transient behaviors have to be considered, since
M. Staroswiecki
andA. -L. Gehin /Annual
commutations are present, from one control law to another one in fault accommodation and from one set of constraints to another one in system or control reconfiguration.
7. SUPERVISION
7.1. Definition The most general control problem is defined by the quadruple where G is a set of possible objectives, and SX@ is a set of possible constraints which contains the nominal system ones (sm 13,). In view of its practical this quadruple defines the interpretation, supervision problem. In fact the supervision problem differs from the fault tolerant control problem by the fact that the system objective is not fixed in advance, but is also to be determined taking into account the system possibilities at each time. At this decision level, human operators are most often necessary. Definition: a supervision problem is a fault tolerant control problem associated with an objective reconfiguration problem. Let an objective y be given. Obviously the control problem has a solution, which is the system nominal control for the objective 7 Nominal control can be applied as long as the actual constraints (s,, 0,) remain equal (or close) to the nominal ones (s,, e,,).
to modify the system objective (for example change the production objective into a “survival” one by moving from some regulation mode towards a fall back mode followed by a maintenance one). This is a decision problem which consists in finding an objective 77 E G, an admissible V and a feasible pair (s, 0) E SxO such that the problem has a solution. If no such quadruple exists, catastrophe seems unavoidable. This can be a design bug or a deliberate choice to accept certain failure scenarios, e.g. for reasons of cost/benefit or small likelihood for certain events. However in most cases at least one objective (to stop the system operation) is achievable and many others are possible. Unfortunately this is not always suitable, since the faulty system might loose the stability and controllability properties. Also, the choice of a new objective can be performed autonomously only in rare situations. The common case is that human intervention is needed using decision support from the diagnosis and taking into account the overall goals of the plant.
7.2. Example Suppose that the liquid contained in the tanks is a dangerous one. In the regulation mode, the control objectives are: 1)
2) Suppose now some fault(s) occur(s), and the actual constraints are different from the nominal ones. Depending on the information provided by the FDI algorithms, fault tolerant control could be achieved by fault accommodation or by Fault system/control reconfiguration. accommodation rests on the existence of a solution to the control problem <)! s,, e,,, U> (this problem is in practice approximated by < y, .?,6, I/ z or < y, .t,G,,u > when FDI algorithms provide estimations of the new constraints). System/control reconfiguration rests on the existence of an admissible V and a feasible pair (cr, Z) E SX@ such that the problem has a solution. When solutions exist neither for accommodation nor for reconfiguration strategies, this means that the objective ycannot be achieved by any fault tolerant control. The only possibility is therefore
9
Reviews in Control 25 (2001) I-1 1
provide the input/output transfer some desired property AND do not spoil the environment
with
Clearly, the regulation objective can no longer be fulfilled as soon as a leak appears and the system has to be provided with the new objective spoil the environment as little as possible so that the minimum time emptying of the leaking tank becomes the new control problem. An approach to the solution of such decision problems has been proposed in (Gehin, Staroswiecki, 1999). It consists in describing a system in terms of the missions it has to fulfill. Each mission rests on a set of services provided by the system components. The mission set is structured into Operating Modes. The condition to move from one Operating Mode to another one is defined according to the disponibility of the hardware and software resources (a faulty resource implies the non realization of one or several services and
consequently of one or several missions). Changing the operating mode can be proposed to the operator or automatically performed when some missions become impossible to fulfill. Control engineers have then to provide operators with decision making tools, since full automation seems unrealistic at the supervision decision level.
Askari J., B. Heiming, J; Lunze (1999), Controller Reconfiguration Based on a Qualitative Model : A solution of Three Tanks Benchmark Problem, In Proceedings o.f’ European Control Conference ECC’YY, Karlsruhe (Germany), CDROM ref : F 1039-3 Astrom, K. J. (1983). Theory and applications of adaptative control. A Survey. Automatica, vol. 19, N”5, pp. 47 l-486.
8. CONCLUSION The fundamental problem of Automatic Control is that of mastering the behavior of dynamic systems. This calls for the solution of different sub-problems, namely modeling, identification, estimation, filtering, control, FDI, FTC. This paper proposes an analysis of the supervision problem which is situated in the continuity of the control problem. The approach is based on successive generalizations of the standard control problem in order to take into account more and complex situations realistic and more uncertain knowledge. hybrid (perturbations, systems, failures). FDI algorithms are a fundamental tool designed in order to inform the operators about the actual state of the controlled system, i.e. about the constraints of the control problem they have to solve (with the help of automatic devices). It has been shown that fault tolerance strategies heavily depend on the amount of information that FDI algorithms are able to provide. In some cases, this information is detailed enough to define a fault accommodation problem (which may - OI not - have a solution), and in other cases only can be or control reconfiguration system considered. When neither of these two strategies can apply, the only possibility is to change the system operating mode by defining new control objectives. As the generality of the control problem increases, more and more information has to be provided to the operators since the complexity of the system behavior cannot be easily captured. Accordingly, full automation is less and less possible (and suitable) when moving from the standard control problem to the fault tolerant and the supervision ones.
REFERENCES Antsaklis, P. J. and A. Nerode (1998), Special Issue on Hybrid Control Systems, IEEETAC, Vol. 43,453-587.
Blanke M., (1996), Consistent Design qf Dependable Control Systems, Control Engineering Practice, Vol. 4. no 9, pp. 1305 1312. Brown M. and Harris C. J., (1994), Neurofuzzy Aduptutive Modelling and Control, Prentice Hall, New-York. Dardinier Maron, V., H. Noura and F. Hamehn (1999), Loi de commande tolkrante aux dCfauts majeurs d’actionneurs, In Proceedings qf JDA’YY, pp. 265-268, Nancy, France de Larminat P. (I 996), Automatiyue : commande ties systdmes lindaires, 2” edition, Hermks, Paris. Doyle, J. C., B. A. Francis, A. R. Tannebaum, Feedback Control Theory, (19921, Macmillan, New York Dugard, L and I. D. Landau (1988), Commande aduptative : me’thodologie et applications, Hen&s, Paris. Dvorak, D. and B. J. Kuipers (1989), Modelbased Monitoring of Dynamic Systems, In Proc. of the 11”~ Joint Con& on Artijicial Intelligence, 1238-1243, Detroit, also in in Model-based Diagnosis, Reudings Morgan Kaufman. Foulloy, L. and B. Zavidovique Towards Symbolic Process Automatica, 30(3), 379-390.
(1994), Control,
Frei, C. W., F. J. Kraus and M. Blanke (1999), Recoverability Viewed us n System Property, Conference, Proc. European Control (ECC’99), Karlsruhe, Germany. Gehin, A. L. and M. Staroswiecki (1999), A to Reconfigurability Formal Approach Analysis / Application to the Three Tank
I1
M. Staroswiecki and A. -L. Gehin /Annual Reviews in Control 23 (2001) I-l I
Bechmark, In Proceedings of European Control Conference ECC’99, Karlsruhe (Germany), CDROM ref : F 103914 Gentil, S. (1995), Systkmes d’aide B la Supervision, in Supervision de processus & l’aide du sys&+me expert G2TM, coord. N. Rakoto-Ravalontsalama et .I. AguilarMartin, Hermes, Paris. Goodwin C., Sin K. S. (1984), Adaptative Control, Prediction and Filtering Englewood Cliffs, Prentice Hall. Hamsher, W., L. Console and J. De Kleer, editors (199 l), Readings in Model Based Diagnosis, Morgan Kaufman. Heiming B. and J. Lunze ( 1999), Three-Tanks Problem of Controller Benchmark Reconfiguration, In Proceedings of European Control Conference ECC’99, Karlsruhe (Germany), CDROM ref : F 1039-2 Hoblos, G. , M. Staroswiecki and A. Aitouche (2000), Fault Tolerance with Respect to Actuator Failures in LTI Systems, IFAC Safeprocess 2000 (submitted), Budapest, Hungary. Kwakernaak H. (1985), Minimax Frequency Performance and Robutness Domain Optimization of Linear Feedback Systems, IEEE Trans. AC, Vol. 30, pp. 994-1004 Kwakernaak H. (1993), Robust Control and Tutorial Paper, Hm-optimization : Automatica, Vol. 29, pp. 255-273 Landau, I. D., Cyrot Ch., Rey D., (1993), Robust Control Design Using the Combined Pole Placement / Sensitivity Function Shaping Method, In proceedings of European Control Conference ECC’ 93, Groningen, Netherlands. Maciejowski J. M., (1997a), Reconfigurable Control Using Constrained Optimisation, In European Control Proceedings of Conference ECC’97, Brussels, Belgium, Plenary Lectures and Mini-Courses, 107 130. Maciejowki, J.M., (1997b), Modelling and Predictive Control : Enabling Technologies for Reconfiguration, In Proceedings of IFAC Symposium on System Structure and Control, Bucharest, Romania.
Millot, P. (1988), Supervision des pro&d& automatis&s et ergonomie, Hermks, Paris. Morari, M., Zafiriou E., (1989), Robust Process Prentice Control, Hall International, Englewood Cliffs, N. J. Mosca, E., (199.5), Optimal Predictive Adaptative Control, Prentice International, Englewood Cliffs, N. J.
and Hall
Oustaloup, A. (1993), The Great Principles of CRONE Control, In Proceedings of IEEE SMC’93, Le Touquet, France Patton, R. J., P. M. Frank and R. N Clark (1989), Fault Diagnosis in Dynamical Systems, Theory and Application, Prentice Hall. Patton, R. J. (1997), Fault Tolerant Control: the 1997 Situation, In Proceedings of IFAC Safeprocess, pp. 1033-1055, Hull, GB. Rasmussen, J. (1983), Skills, Rules and Knowledge: Signals, Signs and Symbols and Other Distinctions in Human Performance Models, IEEE Trans. SMC, 4,31 l-335. Rato, L. and J. M. Lemos (1999), Multimode1 Based Fault Tolerant Control of the 3-Tank System, In Proceedings of European Control Conference ECC’99, Karlsruhe, Germany Staroswiecki, M., S. Attouche and M. L. Assas, ( 1999a), A Graphic Approach for Reconfigurability Analysis, In Proceeding of lo”’ International Workshop on Principles of Diagnosis DX’99, Loch Awe, Scotland. Staroswiecki, M., G. Hoblos and A. Aitouche, (1999b), Fault Tolerance Analysis of Sensor Systems, In Proceedings of 38’” IEEE Conference on Decision and Control, Phoenix, AZ, USA. Verma, M., E. Jonkheere (1984), Lmcompensation with Mixed Sensitivity as a Broad-band Matching Problem, Systems and Control Letters 14, pp. 295-306.
,
Annual Reviews in Control 25 (2001) I-1 1 www.elsevier.comilocate/arcontrol
FROM CONTROL
Marcel Staroswiecki
TO SUPERVISION
and Anne-Lise
Gehin
LAIL-CNRS EUDIL, Universite’ des Sciences et Technologies 59655 Villeneuve d’Ascq cedex [email protected]
de Lille
Abstract : This paper is concerned with the terminology and fundamental problems of FTC and supervision. Based on the idea that at any level, engineers are concerned with the control (or at least the mastering) of a (healthy or faulty) system, successive extensions of the Standard Control Problem (SCP) are proposed in order to provide a clear definition of Fault tolerance and Supervision problems. Keywords
: Supervision,
Fault Tolerant Control.
1. INTRODUCTION Control engineers are faced with increasingly complex systems, for which dependability considerations are sometimes more important than performance. In fact, sensors, actuators or process failures may drastically change the system behavior, ranging from performance degradation to instability. Control theory, first developed for continuous systems in a linear framework, has to consider more and more general problem settings which arise from the consideration of complex models, of integrated automation, of implementation issues and of fault tolerance properties. Fault tolerance is highly required for modern complex control systems. Fault tolerant control systems are needed in order to preserve the ability of the system to achieve the objectives it has been assigned, or if this turns out to be impossible, to assign new (achievable) objectives so as to avoid catastrophic behaviors.
1367-5788/01/$20
0 2001 Published
PII: S1367-5788(01)00002-5
by Elsevier Science Ltd.
Fault Tolerant Control is an emerging field - see (Patton, 1997) for a recent review - , which has motivated many works, ranging from systematic analysis of fault propagation (Blanke, 1996) to the analysis of systems structural properties when faults occur, based either on state space models for recoverability (Frei et al, 1999), observability (Staroswiecki et al., 1999b) and controllability (Hoblos et al., 2000), or on symbolic and graphic approaches (Staroswiecki et al., 1999a) (Gehin and Staroswiecki, 1999). Many works have proposed specific FTC schemes based on predetermined design for accommodation (Rato and Lemos, 1999) predictive control (Mosca, 1995) (Maciejowski, objective 1997b), adaptation (Dardinier Maron et al., 1999), logic inference and qualitative models (Brown and Harris, 1994) (Askari et al. 1999). The implementation of FTC within control architectures often refers to some supervision level which answers the need for integrated automation, and implements control, FDI, FTC, advanced decision, man/machine interfaces,. . .
2
M. Siaroswiecki und A. -L. Gehin /Annual Reviews in Conlrol25 (2001) l--l I
However, what is meant by Supervision Problem is still vaguely defined : papers on supervision range from Diagnosis (Patton et al., 1989), (Hamsher et al. 1991) to Control and Fault Tolerant Control (Patton, 1997), (Maciejowski, Human/machine cooperation 1997a), and (Rasmussen, 1983) (Millot, 1988), (Gentil, 1995). The result is some difficulty to build a framework which would theoretical of proposed conceptualize the abundance approaches and methods. In this paper, we are concerned with the terminology and fundamental problems of FTC and supervision. Based on the idea that at any level, we are concerned with the control (or at least the mastering) of a (healthy or faulty) system, successive extensions of the Standard Control Problem (SCP) are proposed in order to provide a clear and rigorous definition of Fault tolerance and Supervision problems. The paper is organized as follows. The example of a two tank process, a part of the COSY Benchmark- (see Heiming and Lunze, 1999) is first presented (section 2) since every control level as introduced will be illustrated using this example. The standard control problem is introduced in section 3. Robustness and adaptation issues are discussed in section 4 as solutions to a more general control problem, in which parameters are uncertain or time varying. Further extension are given in sections 5 (hybrid control) and 6 (fault tolerant control), where not only the system parameters but also the system structure are subject to changes. This calls for fault tolerance, in which and reconfiguration accommodation both strategies are distinguished. Section 7 considers the case when fault tolerance cannot be achieved, and defines the supervision problem as the most general control one. Section 8 concludes the paper.
the valves are on/off valves. Tank T, is equipped with a continuous level sensor and tank T2 with three discrete level sensors, indicating if the liquid is above or below the sensor level. Liquid is led into tank T, by pump P, and from tank T, to tank Tz by valve V,, (V,, should always be closed). Four normal operating modes are considered: no operation, filling, regulation, and emptying. During the regulation operation mode, the main objectives are to keep the liquid levels at 50 cm in tank T, and at 10 cm in tank T3. The liquid being supposed dangerous, one system objective is not to pollute the environment (or to pollute as little as possible) whatever the system situation. The system variables are : - state vector x = (hl, hJ, - control vector u = (v, pos(V,,))’ - measurement vector y = (h,, d(h,))’ The parameter vector is 19= (A, k, k,, ko)’ where k, is the gain between the signal fed to the pump and the corresponding delivered flow and k, (resp. k,,) is a flow correction term depending on the characteristics of the valve V, (resp. V,).
I I
Tank T,
Tank TZ
Figure 1: Hardware process description. 2. EXAMPLE The chosen example is a part of a process which has been considered as a benchmark in the ESF funded COSY (Control of Complex Systems) network (Heiming and Lunze, 1999). It is composed of two identical connected tanks (see figure 1). Each tank is cylindrical of section A. by pump PI, The inflow Q, is provided (controlled by the signal v) filling tank T,. The pump is continuous on a specific range. The flows Qo, resp. Q,, between the two tanks are controlled by valves V,,, resp. V,,. Connecting pipes are at level 0 and 30 cm. Valve V, is an outlet valve, located at the bottom of tank Tz. All
The system measurement constraints:
model is given by the state and equations, along with two operative
The state equations x = f(x,u,B,t)
:
are in this example: h, =$Q,
& =+(Q,,
-Q,, -Q,)
with Q, = k, .v(t) and v E [O,l] and
(1)
M. Staroswiecki and A. -L. Gehin /Annual Reviews in Confrol25
(2001) 1-I I
3
Q, = 0 if h, < h and h, < h where h is the level of the connecting
pipe,
Q,, = k,, .,/m.pos(V,,
l
The objective y is defined with respect to the system trajectories, and consists in transferring the system from the initial state : vx,)l t,, = lx,= (0, o)‘, t, = 0) to the final one : V(xf; tjy)= {Xf = (50, IO)‘, t, > O}
.
Cl is a set of applications from [0, -) to [O, l]x{O, I}, defining the control inputs u,(t) = v(t) and u2(t) = pas(Y)(t), with v E C’, The constraints are (1) (2) and (3).
) if h, > h and
h, < h pos(vn)
Q,, = k,, .,/w.
if h, < h and
h, > h
Q,,= sign(h, - hz).k, .&&&&os(V,
)
l
ifh,>handh,>h Q,
= kO.dx
where
p is the density
of the
water and g is the gravity constant. .
The measurement
and the
A closed loop SCP should be considered during the regulation operation mode of the tank system (see fig. 2).
equation:
y = g(x, 4 0, t) is
Such a problem would have many solutions, a classical setting would be for example minimum time optimal control problem.
(2)
Y = (h,, d (h*))’
where
d(h,)
represents
the
output of the discrete level sensor. l
The operative constraints h(x, II, 0, t) 10
fig. 2. The closed loop SCP for the regulation level h,
(3)
are h, >h2 E IO, h,,,
3. STANDARD
1
CONTROL
.
PROBLEM
3. I. Definition . A Standard Control Problem SCP (Landau, 1988) is defined by three entities, first a class of controls II, second an objective y, and finally a set of constraints
I
I
:
of
The objective yis defined with respect to the regulation of the liquid level in tank T,, and consists in giving specific properties to the transfer between the perturbations and level h, : annihilate the permanent error, provide a good response time, set the closed loop system poles to chosen values. Suppose a PI controller is used. Then U, is a set of applications v E C’ depending on two parameters (k,, k,) which define the control input by:
C.
Solving the SCP consists in finding a member of II which achieves y while satisfying C. In some cases, several solutions exist, and choosing the best one (in the sense of a given criterion J) defines an optimal control problem. Objectives are expressed either with respect to the system trajectories or with respect to the system inputoutput transfer characteristics according to the use of state or transfer models.
3.2. Example The control problem setting during the filling operating mode could be the following :
v : R’x [0, 00 ) + [0, I] (set point, h,, t) -+ v(setpoint, .j.. =
.
h,, t) = .
I
sat&, E(t)+ 4 &(~)&I
with e(t) = set point saturation function in The constraints are equation (a part of which Q, is considered
- h,(t) and sat is the [0, I]. given by the system the state equation, in as a perturbation)
W)=-&(P)-Q,,(p) Y,(P)
=
h,(p)
where p is the Laplace operator.
’
4
M. Staroswiecki
and A. -L. Gehin /Annual
Reviews in Control 2j (2001) I-1 I
shown on fig. 3 (de Larminat,
3.3. The SCP quadruple Considering the SCP constraints, an important distinction is that of the constraints structure (s) - functionsJ g and h in the state space approach, function G(p) in the input / output transfer one and the constraints parameters (0). Note that the class U is given not only by its mathematical properties but also by its definition and image sets (resp. 6’, [0, -) and [0, I]x{O, I] in the first example). The definition set results from the engineer’s choice (open loop, closed loop for example) while the mathematical properties and the image set result from the constraints structure (namely the definition of the system actuators : how many actuators, what technology).
Figure 3 : Standard transfer representation RCP. As far as regulation is concerned, formulated as follows:
which represents the objective x the constraints C and the control class U (an optimal control problem is defined by the 5-uple < 3: s, 0, U, J > where J is the optimality criterion).
4. ROBUST AND ADAPTIVE
CONTROL
In the first SCP generalization, a set of quadruples < x s, 0, U > instead of a single one < 3: s, 19,U >,is considered. 0 stands for a set of possible values of the constraints parameters, and the SCP aims at finding a control u E U so as to achieve the objective y under constraints whose structure s is known and whose parameters 8 are unknown, but it is known that they belong to 0. The practical interpretation is obviously that 0 represents the set of the possible values of timevarying or uncertain parameters, or is a means to account for modeling errors. Robust and adaptive control are. two different approaches to solve this more general control problem.
4.1. Robust control Robust control is a passive approach, which aims at achieving the objective ywhatever the value of 8 in 0. In a more realistic formulation, robust control tries to minimize the discrepancy over 0 of the achieved results. A popular approach to the robust control problem (RCP) is to formulate the excursion of the system parameters as the result of input disturbances, as
of a
the RCP is
.
The’ objective is to annihilate, bound or minimize the deviation z (in the H, or H, sense for example),
.
The control class is defined regulators K(p),
.
The constraints are given by the system equations G(p) and by the definition of the observations y.
Note that for given engineering choices, the SCP is completely defined by the quadruple : -c 3: s, 0, lJ >
1996).
by the class of
Robust approaches have widely been developed in the literature. A very short reference list would include CRONE control (Oustaloup, 1993) mixed sensitivity optimisation (Verma, 1984), (Kwakernaak, 1985), robust pole assignment (Morari and Zafirio, 1989), (Landau et al., 1993) H, approaches (Doyle, 1992) (Kwakernaak, 1993).
4.2. Adaptive control In contrast to robust control which aims at achieving the objective ywhatever the value of 19 in 0, adaptive control is an active approach in which the actual value e^E 0 of the parameters is estimated in order to solve the SCP < 3: s, 6, U > (Astrom, 1983), (Goodwin and Sin, 1984). As far as regulation is concerned, some performance index can be defined and adaptive control would adjust the regulator parameters so as to track the desired value of the performance index (direct adaptive control, see (Dugard and 1988)). Figure 4 illustrates this Landau, approach.
A4. Siaroswiecki
and A. -L. Gehin /Annual
5
Reviews in Control 25 (2001) l-l 1
h,(p)
= G(P)
gizkp&i,l’
4~)
- Q,,(P) and Y,(P)
= h,(p).
5. HYBRID CONTROL
5.1. Definition
Figure 4 : Direct adaptive control (Dugard and Landau, 1988)
4.3. Example Let us consider the level regulation tank T,, using the PI controller of regulator produces the pump control obtain the pump flow Q, = k”.v(t) ,
problem in fig. 2. The v(t) so’ as to where k, is
In a second generalization level the CP is defined by < 3: S(A), o(A), U(A) > where S(A) and o(A) are respedtively a set of constraints structures and constraints parameters whose time evolution sequence is controlled by some deterministic automaton A, and U(A) is a set of control classes. The problem is here to find the control u E U(A) so as to achieve the objective yunder constraints (s, f3) E S(A)xo(A) whose succession is defined by the automaton A.
Example of robust control problem setting: find the regulator parameters k,, and k# so as to minimize the criterion maxs,K J(kJ
The simplest practical interpretation is that of hybrid systems (Antsaklis et Nerode, 1998) which present different configurations. Commutation from one configuration to another one is done under the control of some automaton A which models the discrete event part of the system. Thus different sets of constraints which differ both by their structures and their parameters have to be satisfied by the solution of the control problem. Most often, the objective itself is decomposed into a sequence of objectives each of which is specific to a given set of constraints so that the hybrid control problem can be formalized by < G(A), S(A), o(A), U(A) > where G(A) is the set of objectives. At each time, one single SCP < ‘): s, 8, U > where (x s, 6, U) E G(A)xS(A)xO(A)xU(A) is to be solved.
Example of direct adaptive control problem setting: find the regulator parameters k,, and k, so as to minimize the criterion
5.2. Example
the pump parameter which is supposed to be constant and known. When this is not true (k, is uncertain or it is time varying, e.g. there is a leakage which depends on the pump rotation speed), the output r,(t) will not have the desired characteristics. Let us suppose that we know the set K to which k, belongs, and that the objective is expressed using some predictive control criterion e.g. :
J(kJ=‘ji[ref I
J(ky)=
-h,(~):d~
The automaton
j[ref-Y,(r)fdZ’ r-7
presented in figure 5,
Example of indirect adaptive control problem setting: find the regulator parameters k,, and k, so as to minimize
the criterion
J([“)where
k^,, is
the estimate of the pump parameter. In all three problem settings, the control class is given by the regulator equation : u(p) = K(k,,,k, pJ 4pl where : 4~) = ref - Y,(P). The constraints are measurement equations
the :
system
state
and
Figure 5 : The tank system operating modes
6
h% Staroswiecki andA. -L. Gehin /Annual Reviews
with :
25 (2001)
I-l
1
6. FAULT TOLERANT
‘yr Transfer the system from : V, = {h,(t,) = 0, to = O} to V, = {h,(q) = hl: 9 E R) while minimizing tf (reach the level set point hl* in minimum ”
in Control
h, =+(a,
6.1. Definition
time
-Q,)
Ql = k, .v(t) Q, =0 ifh,
Q, = k, .,/?%$=&os(V, ifh,>handh,
handh,>h
0, = W@rl - hZ)k,.~~Wos(l/,) ifh,>handh,>h 01
A,ky>ka,k,
u,
[O, -) + lo, IIW, 1) u*(t) = v(t), v E co uz(t) = pos(V,)(t)
p
Regulate level h, to the set point h,*
CONTROL
Let us consider the problem < x S, 0, U >, and suppose that no knowledge at all is available about the evolution of the constraints (s, 0). The practical interpretation is that the objective y has to be achieved under constraints whose structure and parameters are unknown, and may belong to the sets S and 0. This is a generalization of the robust or adaptive control problem, in which not only the constraints parameters but also their structure may change. This is typically the case when the possible occurrence of faults is taken into account. Parametric (multiplicative) faults are obviously described by parameters changes while additive faults can be described by structural or parameter changes. Consider tank described by :
TI whose
normal
operation
h, = Q,(t) - Q,, 0) r2
-
k, (4 + k,,p)
=
h,(p)
Ap*
+ k,(k,
+ k,,p)
Q, .Then
‘2
QO Ap2 +k,(ki+kpP)
A, k, V(t)
=
the constraint
structure
value
is changed
into :
AP*
Y,(P) = hip) (Q,, is considered as a perturbation, and the system is linearized around its nominal operating point) 0,
(4)
and suppose there is a leak with unknown 6
is
hi = Ql (t> - Q,, 0) - Q,(t)
This is indeed a structural change, since normal operation is described by equations (5) and (6) :
Qdt) = 0
kpE(t) + ki $E(Z)dZ
E(t) = h*l - yj (t) ki, ktl E R
(it is supposed that the control does not saturate)
(5)
ift
(6)
while equation (6) disappears in faulty operation. On another hand, suppose that the leak is at the bottom of the tank. A leak model is: Q,(t) = kL=
K
s3
Transfer the system from Vo = /ht(to), to = 01 to V, = (h,@) = 0, 9 E R] while minimizing tf (empty the tank T, in a minimum same as s, same as e,
e, cr, v(t) = 0
pos(V,,) = I is an illustration
of a hybrid control.
and equation (5) is now: h, = Ql (t) - Q, (t) - kL$% time)
so that the leak appears as a change in the value of some parameter kL. Obviously, robust approaches which would try to achieve the objective y whatever the pair (s, 0) are unrealistic. Many works have been devoted in recent years to the problem < 3 S, 0, U > (see the recent review by Patton (1997)). Fault
M. Stavoswiecki and A. -L. Gehin /Annual Reviews in Control 25 (2001) l-11
control) and system accommodation (or reconfiguration are two basic strategies which can be distinguished. However, there is no clear and unanimous definition of what each strategy really covers. Since in all cases the problem which is faced is a control problem, we propose to distinguish them on the basis of the previously defined framework, according to the fact that fault tolerance is achieved through a passive approach (control the system under the actual constraints) or an active one (change the constraints and set a new control problem). As it will be seen, the choice between fault accomodation and system or control reconfiguration depends on the existence of a solution to the corresponding specific control problems. However, it should be emphasized that the actual setting of those control problems depends primarily on the amount of information the FDI system is able to provide to the fault tolerant control level.
I
When a fault occurs, for example
el, + 0, perfect
fault accommodation would change the nominal control into another one which solves < ‘): sd r3,, U > where (s,, 19,) is the actual (faulty) system. The objective would thus be achieved in spite of the fault, thanks to the change of the control law (this supposes that the control problem < x s., &,, U > has a solution). Obviously, the actual constraints (so, 0,) being unknown, fault accommodation needs FDI algorithms which provide an estimation of (su, 0,). When the FDI gives
a
unique
estimation
(i, 8) ,
fault
accommodation solves the control problem < y, ,:,e^,u > It cannot be applied when < y, ,Y,6, u > has no solution,
and other strategies
have to be developed. Example. Suppose that the leak in tank T, has been detected by the FDI algorithms, and its amplitude b, has been estimated. Then a fault accommodation strategy regulation problem:
would
solve
the
6.2. FDI information y Since the design of control solutions which are robust with respect to any fault is not realistic, FTC must be based on some knowledge about the faults. FDI algorithms are designed so as to provide this knowledge, and indeed isolation procedures are intended to identify the faulty system components. However, the question still arises of how the FDUFTC connection can be designed. Considering the control problem requirements provides a key for this analysis. Let us consider three classes of FDI algorithms : . the most powerful one provides data which allow the estimation (,;,e^) of the actual .
constraints (s,,, @,) of the control problem, the second class provides data which allow the estimation
.
of the constraints
but only of a set 6 constraints parameters, the last one only allows possible structures j each structure s of that parameters 6~~) .
which
structure contains
s^
to estimate a set of and eventually, for set, a set of possible
Definitian. Fault accommodation is the strategy which solves the control problem < y, i,e^, t/ > the (estimated)
control
problem
actual system.
S
It,
< y, ;,&r/ > ) of
=
Q,(t) - Q, @I - fir. 0)
0
Ak,,k,t,k,
u
Qdt, = &v(t) = satfk,, E(t) + ki id7)dT
1
0 E =h,‘-
h,(t)
Note that the problem might have no solution since v(t) E [0, 11 and the leak could be too large to be compensated by the pump. Also note that if the objective ywere defined by : 1)
the
6.3. Fault accommodation
(or the robust
Provide the input / output transfer with some desired property
2)
provide the input / output transfer with some desired property AND do not spoil the environment (or spoil as little as possible, the content of tank T, being dangerous)
then the control problem would again have no solution since the second objective could not be satisfied. In such cases, fault accommodation could not be a suitable strategy. When the FDI only gives an estimation then fault
accommodation
solves
(s^,@ ,
the problem
8
M. Staroswiecki
and A. -L. Gehin /Annual
< y, .?,6, u > which is a robust control one. This is the case, for example, when the FDI algorithm detects and isolates a change on the parameter k, of pump P, but instead of providing the actual value (which it is unable to identify), it provides some domain to which the actual value belongs. Finally, it should be noticed that even when a solution exists, its quality might be so low that fault accommodation is impractical. In fact, such a situation corresponds to system objectives in which the quality requirement should have been made explicit e.g. : 1) 2)
achieve y WITH some quality index at least equal to some given value.
Reviews in Control 25 (2001) 1-l I
from the FDI algorithms, since no estimation of the actual set of constraints is necessary. The main characteristics is on the contrary that the unknown set of constraints (s,, 9,) is replaced by a (feasible) known one (a z) and the set of admissible control U is replaced by another set V. The only data which is needed thus concerns the feasibility of (CJ z) and the existence of a set of controls V in the faulty situation. Example. Suppose that valve V, gets blocked and closed. Then, the level in tank T2 can no longer be regulated using valve V,. Valve Vh can be used instead of V, and as a consequence the system structure is modified. The previous regulation problem : regulate level hr and h2 with desired input/output properties hi = +(Qi -Q,,
6.4. System or control reconfiguration
Q, = k,.v(t) Definition. System or control reconfiguration is a strategy in which the actual faulty system is replaced by another one. The reconfigured control thus solves a new control problem replacing the original one < 3: s,, 0,) U > by a new one < x o, r, V > with the same objective.
Q,
Q, = 4, .,/i%?i?.wC’,) ifh,>handh,
Obviously for reconfiguration strategies to be clearly defined, one has to define admissible sets Z and E for the choice of the pair (a z) and the set of admissible controls U has to be replaced by another set V. Solutions are proposed in (Gehin, Staroswiecki, 1999) to automatically define Z description and Z from a system component based approach. Note that the reconfiguration strategy does not need any detailed information
1
handh,>h
Q, = +@I
Suppose that the FDI algorithm does not provide any estimation of the actual faulty system constraints (thus no accommodation problem can be formulated), or that it does provide such an estimation, but the accommodation problem has no solution. Thus, in the presence of a fault, no strategy can solve the problem < ‘): s,,, 0,, , U >. The reconfiguration strategy merely rests on the formulation of a new problem < 3: o, r, V > which has a solution, and thus allows to achieve the objective x by changing the system structure, parameters and control. This means that some kind of redundancy exists in the system. The new structure and parameters of the constraints thus result from the disconnection of the faulty components and their replacement by other (non faulty) ones.
ifh,
=0
- Wk, .~i&&4’a
1
ifh,>handh,>h Ai+,,&,,&, lo, -) --j [O,llxlO, u,(t)
=
v(t),
v E
uzftl
=
PO-v‘,)(t)
Il
c’
becomes : Y cr
regulate level hi and h2 with desired input/output properties 1 4 = ;(QI -Q/,1 Q, =
k, .v(t)
Qh =+@I
-M$,.,/~.P@‘~~
z
A,k,,k,sk,
v
[O, -) + [O,~lxlO, 11 u,(t) = v(t), v E c’ uz(tJ = Po~wtJt)
6.5. Remark the the In both accommodation and reconfiguration strategies, the problem of transient behaviors have to be considered, since
M. Staroswiecki
andA. -L. Gehin /Annual
commutations are present, from one control law to another one in fault accommodation and from one set of constraints to another one in system or control reconfiguration.
7. SUPERVISION
7.1. Definition The most general control problem is defined by the quadruple
to modify the system objective (for example change the production objective into a “survival” one by moving from some regulation mode towards a fall back mode followed by a maintenance one). This is a decision problem which consists in finding an objective 77 E G, an admissible V and a feasible pair (s, 0) E SxO such that the problem
7.2. Example Suppose that the liquid contained in the tanks is a dangerous one. In the regulation mode, the control objectives are: 1)
2) Suppose now some fault(s) occur(s), and the actual constraints are different from the nominal ones. Depending on the information provided by the FDI algorithms, fault tolerant control could be achieved by fault accommodation or by Fault system/control reconfiguration. accommodation rests on the existence of a solution to the control problem <)! s,, e,,, U> (this problem is in practice approximated by < y, .?,6, I/ z or < y, .t,G,,u > when FDI algorithms provide estimations of the new constraints). System/control reconfiguration rests on the existence of an admissible V and a feasible pair (cr, Z) E SX@ such that the problem
9
Reviews in Control 25 (2001) I-1 1
provide the input/output transfer some desired property AND do not spoil the environment
with
Clearly, the regulation objective can no longer be fulfilled as soon as a leak appears and the system has to be provided with the new objective spoil the environment as little as possible so that the minimum time emptying of the leaking tank becomes the new control problem. An approach to the solution of such decision problems has been proposed in (Gehin, Staroswiecki, 1999). It consists in describing a system in terms of the missions it has to fulfill. Each mission rests on a set of services provided by the system components. The mission set is structured into Operating Modes. The condition to move from one Operating Mode to another one is defined according to the disponibility of the hardware and software resources (a faulty resource implies the non realization of one or several services and
consequently of one or several missions). Changing the operating mode can be proposed to the operator or automatically performed when some missions become impossible to fulfill. Control engineers have then to provide operators with decision making tools, since full automation seems unrealistic at the supervision decision level.
Askari J., B. Heiming, J; Lunze (1999), Controller Reconfiguration Based on a Qualitative Model : A solution of Three Tanks Benchmark Problem, In Proceedings o.f’ European Control Conference ECC’YY, Karlsruhe (Germany), CDROM ref : F 1039-3 Astrom, K. J. (1983). Theory and applications of adaptative control. A Survey. Automatica, vol. 19, N”5, pp. 47 l-486.
8. CONCLUSION The fundamental problem of Automatic Control is that of mastering the behavior of dynamic systems. This calls for the solution of different sub-problems, namely modeling, identification, estimation, filtering, control, FDI, FTC. This paper proposes an analysis of the supervision problem which is situated in the continuity of the control problem. The approach is based on successive generalizations of the standard control problem in order to take into account more and complex situations realistic and more uncertain knowledge. hybrid (perturbations, systems, failures). FDI algorithms are a fundamental tool designed in order to inform the operators about the actual state of the controlled system, i.e. about the constraints of the control problem they have to solve (with the help of automatic devices). It has been shown that fault tolerance strategies heavily depend on the amount of information that FDI algorithms are able to provide. In some cases, this information is detailed enough to define a fault accommodation problem (which may - OI not - have a solution), and in other cases only can be or control reconfiguration system considered. When neither of these two strategies can apply, the only possibility is to change the system operating mode by defining new control objectives. As the generality of the control problem increases, more and more information has to be provided to the operators since the complexity of the system behavior cannot be easily captured. Accordingly, full automation is less and less possible (and suitable) when moving from the standard control problem to the fault tolerant and the supervision ones.
REFERENCES Antsaklis, P. J. and A. Nerode (1998), Special Issue on Hybrid Control Systems, IEEETAC, Vol. 43,453-587.
Blanke M., (1996), Consistent Design qf Dependable Control Systems, Control Engineering Practice, Vol. 4. no 9, pp. 1305 1312. Brown M. and Harris C. J., (1994), Neurofuzzy Aduptutive Modelling and Control, Prentice Hall, New-York. Dardinier Maron, V., H. Noura and F. Hamehn (1999), Loi de commande tolkrante aux dCfauts majeurs d’actionneurs, In Proceedings qf JDA’YY, pp. 265-268, Nancy, France de Larminat P. (I 996), Automatiyue : commande ties systdmes lindaires, 2” edition, Hermks, Paris. Doyle, J. C., B. A. Francis, A. R. Tannebaum, Feedback Control Theory, (19921, Macmillan, New York Dugard, L and I. D. Landau (1988), Commande aduptative : me’thodologie et applications, Hen&s, Paris. Dvorak, D. and B. J. Kuipers (1989), Modelbased Monitoring of Dynamic Systems, In Proc. of the 11”~ Joint Con& on Artijicial Intelligence, 1238-1243, Detroit, also in in Model-based Diagnosis, Reudings Morgan Kaufman. Foulloy, L. and B. Zavidovique Towards Symbolic Process Automatica, 30(3), 379-390.
(1994), Control,
Frei, C. W., F. J. Kraus and M. Blanke (1999), Recoverability Viewed us n System Property, Conference, Proc. European Control (ECC’99), Karlsruhe, Germany. Gehin, A. L. and M. Staroswiecki (1999), A to Reconfigurability Formal Approach Analysis / Application to the Three Tank
I1
M. Staroswiecki and A. -L. Gehin /Annual Reviews in Control 23 (2001) I-l I
Bechmark, In Proceedings of European Control Conference ECC’99, Karlsruhe (Germany), CDROM ref : F 103914 Gentil, S. (1995), Systkmes d’aide B la Supervision, in Supervision de processus & l’aide du sys&+me expert G2TM, coord. N. Rakoto-Ravalontsalama et .I. AguilarMartin, Hermes, Paris. Goodwin C., Sin K. S. (1984), Adaptative Control, Prediction and Filtering Englewood Cliffs, Prentice Hall. Hamsher, W., L. Console and J. De Kleer, editors (199 l), Readings in Model Based Diagnosis, Morgan Kaufman. Heiming B. and J. Lunze ( 1999), Three-Tanks Problem of Controller Benchmark Reconfiguration, In Proceedings of European Control Conference ECC’99, Karlsruhe (Germany), CDROM ref : F 1039-2 Hoblos, G. , M. Staroswiecki and A. Aitouche (2000), Fault Tolerance with Respect to Actuator Failures in LTI Systems, IFAC Safeprocess 2000 (submitted), Budapest, Hungary. Kwakernaak H. (1985), Minimax Frequency Performance and Robutness Domain Optimization of Linear Feedback Systems, IEEE Trans. AC, Vol. 30, pp. 994-1004 Kwakernaak H. (1993), Robust Control and Tutorial Paper, Hm-optimization : Automatica, Vol. 29, pp. 255-273 Landau, I. D., Cyrot Ch., Rey D., (1993), Robust Control Design Using the Combined Pole Placement / Sensitivity Function Shaping Method, In proceedings of European Control Conference ECC’ 93, Groningen, Netherlands. Maciejowski J. M., (1997a), Reconfigurable Control Using Constrained Optimisation, In European Control Proceedings of Conference ECC’97, Brussels, Belgium, Plenary Lectures and Mini-Courses, 107 130. Maciejowki, J.M., (1997b), Modelling and Predictive Control : Enabling Technologies for Reconfiguration, In Proceedings of IFAC Symposium on System Structure and Control, Bucharest, Romania.
Millot, P. (1988), Supervision des pro&d& automatis&s et ergonomie, Hermks, Paris. Morari, M., Zafiriou E., (1989), Robust Process Prentice Control, Hall International, Englewood Cliffs, N. J. Mosca, E., (199.5), Optimal Predictive Adaptative Control, Prentice International, Englewood Cliffs, N. J.
and Hall
Oustaloup, A. (1993), The Great Principles of CRONE Control, In Proceedings of IEEE SMC’93, Le Touquet, France Patton, R. J., P. M. Frank and R. N Clark (1989), Fault Diagnosis in Dynamical Systems, Theory and Application, Prentice Hall. Patton, R. J. (1997), Fault Tolerant Control: the 1997 Situation, In Proceedings of IFAC Safeprocess, pp. 1033-1055, Hull, GB. Rasmussen, J. (1983), Skills, Rules and Knowledge: Signals, Signs and Symbols and Other Distinctions in Human Performance Models, IEEE Trans. SMC, 4,31 l-335. Rato, L. and J. M. Lemos (1999), Multimode1 Based Fault Tolerant Control of the 3-Tank System, In Proceedings of European Control Conference ECC’99, Karlsruhe, Germany Staroswiecki, M., S. Attouche and M. L. Assas, ( 1999a), A Graphic Approach for Reconfigurability Analysis, In Proceeding of lo”’ International Workshop on Principles of Diagnosis DX’99, Loch Awe, Scotland. Staroswiecki, M., G. Hoblos and A. Aitouche, (1999b), Fault Tolerance Analysis of Sensor Systems, In Proceedings of 38’” IEEE Conference on Decision and Control, Phoenix, AZ, USA. Verma, M., E. Jonkheere (1984), Lmcompensation with Mixed Sensitivity as a Broad-band Matching Problem, Systems and Control Letters 14, pp. 295-306.
,