From Control to Supervision


Copyright © IFAC Fault Detection, Supervision and Safety for Technical Processes, Budapest, Hungary, 2000

FROM CONTROL TO SUPERVISION

Marcel Staroswiecki and Anne-Lise Gehin

LAIL-CNRS

EUDIL, Université des Sciences et Technologies de Lille, 59655 Villeneuve d'Ascq cedex, marcel.staroswiecki@univ-lille1.fr

Abstract: This paper is concerned with the terminology and fundamental problems of FTC and supervision. Based on the idea that at any level, engineers are concerned with the control (or at least the mastering) of a (healthy or faulty) system, successive extensions of the Standard Control Problem (SCP) are proposed in order to provide a clear definition of Fault tolerance and Supervision problems. Copyright © 2000 IFAC

Keywords: Supervision, Fault Tolerant Control.

1. INTRODUCTION

Control engineers are faced with increasingly complex systems, for which dependability considerations are sometimes more important than performances. In fact, sensors, actuators or process failures may drastically change the system behavior, ranging from performance degradation to instability. Control theory, first developed for continuous systems in a linear framework, has to consider more and more general problem settings which arise from the consideration of complex models, of integrated automation, of implementation issues and of fault tolerance properties. Fault tolerance is highly required for modern complex control systems. Fault tolerant control systems are needed in order to preserve the ability of the system to achieve the objectives it has been assigned, or if this turns out to be impossible, to assign new (achievable) objectives so as to avoid catastrophic behaviors.

Fault Tolerant Control is an emerging field - see (Patton, 1997) for a recent review - which has motivated many works, ranging from systematic analysis of fault propagation (Blanke, 1996) to the analysis of systems structural properties when faults occur, based either on state space models for recoverability (Frei et al., 1999), observability (Staroswiecki et al., 1999b) and controllability (Hoblos et al., 2000), or on symbolic and graphic approaches (Staroswiecki et al., 1999a) (Gehin and Staroswiecki, 1999). Many works have proposed specific FTC schemes based on predetermined design for accommodation (Rato and Lemos, 1999), predictive control (Mosca, 1995), (Maciejowski, 1997b), objective adaptation (Dardinier Maron et al., 1999), logic inference and qualitative models (Brown and Harris, 1994), (Askari et al., 1999). The implementation of FTC within control architectures often refers to some supervision level which answers the need for integrated automation, and implements control, FDI, FTC, advanced decision, man/machine interfaces, ...

However, what is meant by Supervision Problem is still vaguely defined: papers on supervision range from Diagnosis (Patton et al., 1989), (Hamsher et al., 1991) to Control and Fault Tolerant Control (Patton, 1997), (Maciejowski, 1997a), and Human/machine cooperation (Rasmussen, 1983), (Millot, 1988), (Gentil, 1995). The result is some difficulty to build a theoretical framework which would conceptualize the abundance of proposed approaches and methods.

In this paper, we are concerned with the terminology and fundamental problems of FTC and supervision. Based on the idea that at any level, we are concerned with the control (or at least the mastering) of a (healthy or faulty) system, successive extensions of the Standard Control Problem (SCP) are proposed in order to provide a clear and rigorous definition of Fault tolerance and Supervision problems. The paper is organized as follows. The example of a two tank process, a part of the COSY Benchmark (see Heiming and Lunze, 1999), is first presented (section 2) since every introduced control level will be illustrated using this example. The standard control problem is introduced in section 3. Robustness and adaptation issues are discussed in section 4 as solutions to a more general control problem, in which parameters are uncertain or time varying. Further extensions are given in sections 5 (hybrid control) and 6 (fault tolerant control), where not only the system parameters but also the system structure are subject to changes. This calls for fault tolerance, in which both accommodation and reconfiguration strategies are distinguished. Section 7 considers the case when fault tolerance cannot be achieved, and defines the supervision problem as the most general control one. Section 8 concludes the paper.

2. EXAMPLE

The chosen example is a part of a process which has been considered as a benchmark in the ESF funded COSY (Control of Complex Systems) network (Heiming and Lunze, 1999). It is composed of two identical connected tanks (see figure 1). Each tank is cylindrical of section $A$. The inflow $Q_1$ is provided by pump $P_1$ (controlled by the signal $v$) filling tank $T_1$. The pump is continuous on a specific range. The flows $Q_a$, resp. $Q_b$ between the two tanks are controlled by valves $V_a$, resp. $V_b$. Connecting pipes are at level 0 and 30 cm. Valve $V_o$ is an outlet valve, located at the bottom of tank $T_2$. All the valves are on/off valves. Tank $T_1$ is equipped with a continuous level sensor and tank $T_2$ with three discrete level sensors, indicating if the liquid is above or below the sensor level. Liquid is led into tank $T_1$ by pump $P_1$ and from tank $T_1$ to tank $T_2$ by valve $V_a$ ($V_b$ should always be closed). Four normal operating modes are considered: no operation, filling, regulation, and emptying. During the regulation operation mode, the main objectives are to keep the liquid levels to 50 cm in tank $T_1$ and to 10 cm in tank $T_2$. The liquid being supposed dangerous, one system objective is not to pollute the environment (or to pollute as few as possible) whatever the system situation.

Figure 1: Hardware process description.

The system variables are:
- state vector $x = (h_1, h_2)'$,
- control vector $u = (v, pos(V_a))'$,
- measurement vector $y = (h_1, d(h_2))'$.

The parameter vector is $\theta = (A, k_v, k_a, k_o)'$, where $k_v$ is the gain between the signal fed to the pump and the corresponding delivered flow and $k_a$ (resp. $k_o$) is a flow correction term depending on the characteristics of the valve $V_a$ (resp. $V_o$).

The system model is given by the state and measurement equations, along with two operative constraints:

• The state equations $\dot{x} = f(x, u, \theta, t)$ are in this example:

$\dot{h}_1 = \frac{1}{A}(Q_1 - Q_a)$, $\dot{h}_2 = \frac{1}{A}(Q_a - Q_o)$ (1)

with

$Q_1 = k_v \cdot v(t)$ and $v \in [0, 1]$,

$Q_a = 0$ if $h_1 < h$ and $h_2 < h$, where $h$ is the level of the connecting pipe,

$Q_a = k_a \sqrt{\rho g (h_1 - h)} \cdot pos(V_a)$ if $h_1 > h$ and $h_2 < h$,

$Q_a = k_a \sqrt{\rho g (h_2 - h)} \cdot pos(V_a)$ if $h_1 < h$ and $h_2 > h$,

$Q_a = sign(h_1 - h_2)\, k_a \sqrt{\rho g |h_1 - h_2|} \cdot pos(V_a)$ if $h_1 > h$ and $h_2 > h$,

$Q_o = k_o \sqrt{\rho g h_2}$,

where $\rho$ is the density of the water and $g$ is the gravity constant.

• The measurement equation:

$y = g(x, u, \theta, t)$ (2)

is $y = (h_1, d(h_2))'$ where $d(h_2)$ represents the output of the discrete level sensor.

• The operative constraints:

$h(x, u, \theta, t) \le 0$ (3)

3. STANDARD CONTROL PROBLEM

3.1. Definition

A Standard Control Problem SCP (Landau, 1988) is defined by three entities, first a class of controls $U$, second an objective $\gamma$, and finally a set of constraints $C$.

Solving the SCP consists in finding a member of $U$ which achieves $\gamma$ while satisfying $C$.

In some cases, several solutions exist, and choosing the best one (in the sense of a given criterion $J$) defines an optimal control problem. Objectives are expressed either with respect to the system trajectories or with respect to the system input-output transfer characteristics, according to the use of state or transfer models.

3.2. Example

The control problem setting during the filling operating mode could be the following:

• The objective $\gamma$ is defined with respect to the system trajectories, and consists in transferring the system from the initial variety $V(x_0, t_0) = \{x_0 = (0, 0)', t_0 = 0\}$ to the final variety $V(x_f, t_f) = \{x_f = (50, 10)', t_f > 0\}$ in R'.

• $U$ is a set of applications from $[0, \infty)$ to $[0, 1] \times \{0, 1\}$, defining the control inputs $u_1(t) = v(t)$ and $u_2(t) = pos(V_a)(t)$, with $v \in C^1$.

• The constraints are (1), (2) and (3).

Such a problem would have many solutions, and a classical setting would be for example the minimum time optimal control problem.

A closed loop SCP should be considered during the regulation operation mode of the tank system.

• The objective $\gamma$ is defined with respect to the regulation of the liquid level in tank $T_1$, and consists in giving specific properties to the transfer between the perturbations and level $h_1$: annihilate the permanent error, provide a good response time, set the closed loop system poles to chosen values.

• Suppose a PI controller is used. Then $U$ is a set of applications $v \in C^1$ depending on two parameters $(k_p, k_i)$ which define the control input by:

$v : K \times [0, \infty) \to [0, 1]$

$(\text{set point}, h_1, t) \mapsto v(\text{set point}, h_1, t) = sat\left[k_p\,\varepsilon(t) + k_i \int_0^t \varepsilon(\tau)\,d\tau\right]$

with $\varepsilon(t) = \text{set point} - h_1(t)$ and sat is the saturation function in $[0, 1]$.

• The constraints are given by the system equation (a part of the state equation, in which $Q_a$ is considered as a perturbation):

$h_1(p) = \frac{1}{Ap}\,v(p) - Q_a(p)$

$y_1(p) = h_1(p)$

where $p$ is the Laplace operator. The control loop is illustrated on fig. 2.

Fig. 2. The closed loop SCP for the regulation of level $h_1$ (blocks $K(p)$ and $G(p)$, perturbation $Q$).

3.3. The SCP quadruple

Considering the SCP constraints, an important distinction is that of the constraints structure ($s$) - functions $f$, $g$ and $h$ in the state space approach, function $G(p)$ in the input/output transfer one - and the constraints parameters ($\theta$). Note that the class $U$ is given not only by its mathematical properties but also by its definition and image sets (resp. $C^1$, $[0, \infty)$ and $[0, 1] \times \{0, 1\}$ in the first example). The definition set results from the engineer's choice (open loop, closed loop for example) while the mathematical properties and the image set result from the constraints structure (namely the definition of the system actuators: how many actuators, what technology).

Note that for given engineering choices, the SCP is completely defined by the quadruple $< \gamma, s, \theta, U >$ which represents the objective $\gamma$, the constraints $C$ and the control class $U$ (an optimal control problem is defined by the 5-uple $< \gamma, s, \theta, U, J >$ where $J$ is the optimality criterion).

4. ROBUST AND ADAPTIVE CONTROL

In the first SCP generalization, a set of quadruples $< \gamma, s, \Theta, U >$ instead of a single one $< \gamma, s, \theta, U >$ is considered. $\Theta$ stands for a set of possible values of the constraints parameters, and the SCP aims at finding a control $u \in U$ so as to achieve the objective $\gamma$ under constraints whose structure $s$ is known and whose parameters $\theta$ are unknown, but it is known that they belong to $\Theta$. The practical interpretation is obviously that $\Theta$ represents the set of the possible values of time-varying or uncertain parameters, or is a means to account for modeling errors.

Robust and adaptive control are two different approaches to solve this more general control problem.

4.1. Robust control

Robust control is a passive approach, which aims at achieving the objective $\gamma$ whatever the value of $\theta$ in $\Theta$. In a more realistic formulation, robust control tries to minimize the discrepancy over $\Theta$ of the achieved results.

A popular approach to the robust control problem (RCP) is to formulate the excursion of the system parameters as the result of input disturbances, as shown on fig. 3 (de Larminat, 1996).

Figure 3: Standard transfer representation of a RCP (disturbances $w$, deviations $z$).

As far as regulation is concerned, the RCP is formulated as follows:

• The objective is to annihilate, bound or minimize the deviation $z$ (in the $H_2$ or $H_\infty$ sense for example).

• The control class is defined by the class of regulators $K(p)$.

• The constraints are given by the system equations $G(p)$ and by the definition of the observations $y$.

Robust approaches have widely been developed in the literature. A very short reference list would include CRONE control (Oustaloup, 1993), mixed sensitivity optimisation (Verma, 1984), (Kwakernaak, 1985), robust pole assignment (Morari and Zafiriou, 1989), (Landau et al., 1993), $H_\infty$ approaches (Doyle, 1992), (Kwakernaak, 1993).

4.2. Adaptive control

In contrast to robust control which aims at achieving the objective $\gamma$ whatever the value of $\theta$ in $\Theta$, adaptive control is an active approach in which the actual value $\theta \in \Theta$ of the parameters is estimated in order to solve the SCP $< \gamma, s, \hat{\theta}, U >$ (Astrom, 1983), (Goodwin and Sin, 1984).

As far as regulation is concerned, some performance index can be defined and adaptive control would adjust the regulator parameters so as to track the desired value of the performance index (direct adaptive control, see (Dugard and Landau, 1988)). Figure 4 illustrates this approach.

Figure 4: Direct adaptive control (Dugard and Landau, 1988).

4.3. Example

Let us consider the level regulation problem in tank $T_1$, using the PI controller of fig. 2. The regulator produces the pump control $v(t)$ so as to obtain the pump flow $Q_1 = k_v \cdot v(t)$, where $k_v$ is the pump parameter which is supposed to be constant and known. When this is not true ($k_v$ is uncertain or it is time varying, e.g. there is a leakage which depends on the pump rotation speed), the output $y_1(t)$ will not have the desired characteristics. Let us suppose that we know the set $K$ to which $k_v$ belongs, and that the objective is expressed using some predictive control criterion e.g.:

$J(k_v) = \int_t^{t+T} [ref - h_1(\tau)]^2\,d\tau$.

Example of robust control problem setting: find the regulator parameters $k_p$ and $k_i$ so as to minimize the criterion $\max_{k_v \in K} J(k_v)$.

Example of direct adaptive control problem setting: find the regulator parameters $k_p$ and $k_i$ so as to minimize the criterion

$J(k_v) = \int_{t-T}^{t} [ref - y_1(\tau)]^2\,d\tau$.

Example of indirect adaptive control problem setting: find the regulator parameters $k_p$ and $k_i$ so as to minimize the criterion $J(\hat{k}_v)$ where $\hat{k}_v$ is the estimate of the pump parameter.

In all three problem settings, the control class is given by the regulator equation:

$u(p) = K(k_p, k_i, p)\,e(p)$ where $e(p) = ref - y_1(p)$.

The constraints are the system state and measurement equations:

$h_1(p) = G(p)\,u(p) - Q_a(p)$ and $y_1(p) = h_1(p)$.

5. HYBRID CONTROL

5.1. Definition

In a second generalization level the CP is defined by $< \gamma, S(A), \Theta(A), U(A) >$ where $S(A)$ and $\Theta(A)$ are respectively a set of constraints structures and constraints parameters whose time evolution sequence is controlled by some deterministic automaton $A$, and $U(A)$ is a set of control classes. The problem is here to find the control $u \in U(A)$ so as to achieve the objective $\gamma$ under constraints $(s, \theta) \in S(A) \times \Theta(A)$ whose succession is defined by the automaton $A$.

The simplest practical interpretation is that of hybrid systems (Antsaklis and Nerode, 1998) which present different configurations. Commutation from one configuration to another one is done under the control of some automaton $A$ which models the discrete event part of the system. Thus different sets of constraints which differ both by their structures and their parameters have to be satisfied by the solution of the control problem.

Most often, the objective itself is decomposed into a sequence of objectives each of which is specific to a given set of constraints so that the hybrid control problem can be formalized by $< G(A), S(A), \Theta(A), U(A) >$ where $G(A)$ is the set of objectives. At each time, one single SCP $< \gamma, s, \theta, U >$ where $(\gamma, s, \theta, U) \in G(A) \times S(A) \times \Theta(A) \times U(A)$ is to be solved.

5.2. Example

The automaton presented on figure 5 is an illustration of a hybrid control.

Figure 5: The tank system operating modes (transitions: filling request, tank empty).

with:

$\gamma_1$: Transfer the system from $V_0 = \{h_1(t_0) = 0, t_0 = 0\}$ to $V_f = \{h_1(t_f) = h_1^*, t_f \in R\}$ while minimizing $t_f$ (reach the level set point $h_1^*$ in minimum time).
$s_1$: $\dot{h}_1 = \frac{1}{A}(Q_1 - Q_a)$
  $Q_1 = k_v \cdot v(t)$
  $Q_a = 0$ if $h_1 < h$ and $h_2 < h$
  $Q_a = k_a \sqrt{\rho g (h_1 - h)} \cdot pos(V_a)$ if $h_1 > h$ and $h_2 < h$
  $Q_a = k_a \sqrt{\rho g (h_2 - h)} \cdot pos(V_a)$ if $h_1 < h$ and $h_2 > h$
  $Q_a = sign(h_1 - h_2)\, k_a \sqrt{\rho g |h_1 - h_2|} \cdot pos(V_a)$ if $h_1 > h$ and $h_2 > h$
$\theta_1$: $A, k_v, k_a, k_o$
$U_1$: $[0, \infty) \to [0, 1] \times \{0, 1\}$, $u_1(t) = v(t)$, $v \in C^1$, $u_2(t) = pos(V_a)(t)$

$\gamma_2$: Regulate level $h_1$ to the set point $h_1^*$.
$s_2$: $h_1(p) = \frac{k_v(k_i + k_p p)}{A p^2 + k_v(k_i + k_p p)}\, h_1^*(p) - \frac{A p^2}{A p^2 + k_v(k_i + k_p p)}\, Q_a(p)$
  $y_1(p) = h_1(p)$
  ($Q_a$ is considered as a perturbation, and the system is linearized around its nominal operating point)
$\theta_2$: $A, k_v$
$U_2$: $v(t) = k_p\,\varepsilon(t) + k_i \int_0^t \varepsilon(\tau)\,d\tau$, $\varepsilon(t) = h_1^* - y_1(t)$, $k_i, k_p \in R$ (it is supposed that the control does not saturate)

$\gamma_3$: Transfer the system from $V_0 = \{h_1(t_0), t_0 = 0\}$ to $V_f = \{h_1(t_f) = 0, t_f \in R\}$ while minimizing $t_f$ (empty the tank $T_1$ in a minimum time).
$s_3$: same as $s_1$
$\theta_3$: same as $\theta_1$
$U_3$: $v(t) = 0$, $pos(V_a) = 1$

6. FAULT TOLERANT CONTROL

6.1. Definition

Let us consider the problem $< \gamma, S, \Theta, U >$, and suppose that no knowledge at all is available about the evolution of the constraints $(s, \theta)$. The practical interpretation is that the objective $\gamma$ has to be achieved under constraints whose structure and parameters are unknown, and may belong to the sets $S$ and $\Theta$. This is a generalization of the robust or adaptive control problem, in which not only the constraints parameters but also their structure may change. This is typically the case when the possible occurrence of faults is taken into account. Parametric (multiplicative) faults are obviously described by parameters changes while additive faults can be described by structural or parameter changes.

Consider tank $T_1$ whose normal operation is described by:

(4)

and suppose there is a leak with unknown value $Q_L$. Then the constraint structure is changed into:

This is indeed a structural change, since normal operation is described by equations (5) and (6):

$Q_L(t) = 0$ (6)

while equation (6) disappears in faulty operation. On another hand, suppose that the leak is at the bottom of the tank. A leak model is:

and equation (5) is now:

so that the leak appears as a change in the value of some parameter $k_L$. Obviously, robust approaches which would try to achieve the objective $\gamma$ whatever the pair $(s, \theta)$ are unrealistic. Many works have been devoted in recent years to the problem $< \gamma, S, \Theta, U >$ (see Patton (1997) for a review). Fault accommodation and system (or control) reconfiguration are two basic strategies which can be distinguished. However, there is no clear and unanimous definition of what each strategy really covers.

Since in all cases the problem which is faced is a control problem, we propose to distinguish them on the basis of the previously defined framework, according to the fact that fault tolerance is achieved through a passive approach (control the system under the actual constraints) or an active one (change the constraints and settle a new control problem). As it will be seen, the choice between fault accommodation and system or control reconfiguration depends on the existence of a solution to the corresponding specific control problems. However, it should be emphasized that the actual setting of those control problems depends primarily on the amount of information the FDI system is able to provide to the fault tolerant control level.

6.2. FDI information

Since the design of control solutions which are robust with respect to any fault is not realistic, FTC must be based on some knowledge about the faults. FDI algorithms are designed so as to provide this knowledge, and indeed isolation procedures are intended to identify the faulty system components. However, the question still arises of how the FDI/FTC connection can be designed. Considering the control problem requirements provides a key for this analysis. Let us consider three classes of FDI algorithms:

• the most powerful one provides data which allow the estimation $(\hat{s}, \hat{\theta})$ of the actual constraints $(s_a, \theta_a)$ of the control problem,

• the second class provides data which allow the estimation $\hat{s}$ of the constraints structure but only of a set $\hat{\Theta}$ which contains the constraints parameters,

• the last one only allows to estimate a set of possible structures $\hat{S}$ and eventually, for each structure $s$ of that set, a set of possible parameters $\hat{\Theta}(s)$.

6.3. Fault accommodation

Definition. Fault accommodation is the strategy which solves the control problem $< \gamma, \hat{s}, \hat{\theta}, U >$ (or the robust control problem $< \gamma, \hat{s}, \hat{\Theta}, U >$) of the (estimated) actual system.

When a fault occurs, for example $Q_L \neq 0$, perfect fault accommodation would change the nominal control into another one which solves $< \gamma, s_a, \theta_a, U >$ where $(s_a, \theta_a)$ is the actual (faulty) system. The objective would thus be achieved in spite of the fault, thanks to the change of the control law (this supposes that the control problem $< \gamma, s_a, \theta_a, U >$ has a solution). Obviously, the actual constraints $(s_a, \theta_a)$ being unknown, fault accommodation needs FDI algorithms which provide an estimation of $(s_a, \theta_a)$. When the FDI gives a unique estimation $(\hat{s}, \hat{\theta})$, fault accommodation solves the control problem $< \gamma, \hat{s}, \hat{\theta}, U >$. It cannot be applied when $< \gamma, \hat{s}, \hat{\theta}, U >$ has no solution, and other strategies have to be developed.

Example. In our example, suppose that the leak in tank $T_1$ has been detected by the FDI algorithms, and its amplitude $Q_L$ has been estimated. Then a fault accommodation strategy would solve the regulation problem:

$\gamma$: Provide the input/output transfer with some desired property
$s$: $A\,\dot{h}_1 = Q_1(t) - Q_a(t) - Q_L(t)$
  $Q_1(t) = k_v \cdot v(t)$
$\theta$: $A, k_v, k_a, k_o$
$U$: $v(t) = sat\left[k_p\,\varepsilon(t) + k_i \int_0^t \varepsilon(\tau)\,d\tau\right]$

Note that the problem might have no solution since $v(t) \in [0, 1]$ and the leak could be too large to be compensated by the pump. Also note that if the objective $\gamma$ were defined by:

1) provide the input/output transfer with some desired property AND

2) do not spoil the environment (or spoil as few as possible, the content of tank $T_1$ being dangerous)

then the control problem would again have no solution since the second objective could not be satisfied. In such cases, fault accommodation could not be a suitable strategy.

When the FDI only gives an estimation $(\hat{s}, \hat{\Theta})$, then fault accommodation solves the problem $< \gamma, \hat{s}, \hat{\Theta}, U >$ which is a robust control one. This is the case, for example, when the FDI algorithm detects and isolates a change on the parameter $k_v$ of pump $P_1$ but instead of providing the actual value (which it is unable to identify), it provides some domain to which the actual value belongs.

Finally, it should be noticed that even when a solution exists, its quality might be so low that fault accommodation is unpractical. In fact, such a situation corresponds to system objectives in which the quality requirement should have been made explicit e.g.:

1) achieve $\gamma$ WITH

2) some quality index at least equal to some given value.

6.4. System or control reconfiguration

Definition. System or control reconfiguration is a strategy in which the actual faulty system is replaced by another one. The reconfigured control thus solves a new control problem, replacing the original one $< \gamma, s_a, \theta_a, U >$ by a new one $< \gamma, \sigma, \tau, V >$ with the same objective.

Suppose that the FDI algorithm does not provide any estimation of the actual faulty system constraints (thus no accommodation problem can be formulated), or that it does provide such an estimation, but the accommodation problem has no solution. Thus, in the presence of a fault, no strategy can solve the problem $< \gamma, s_a, \theta_a, U >$.

The reconfiguration strategy merely rests on the formulation of a new problem $< \gamma, \sigma, \tau, V >$ which has a solution, and thus allows to achieve the objective $\gamma$, by changing the system structure, parameters and control. This means that some kind of redundancy exists in the system. The new structure and parameters of the constraints thus result from the disconnection of the faulty components and their replacement by other (non faulty) ones.

Obviously for reconfiguration strategies to be clearly defined, one has to define admissible sets $\Sigma$ and $T$ for the choice of the pair $(\sigma, \tau)$ and the set of admissible controls $U$ has to be replaced by another set $V$. Solutions are proposed in (Gehin, Staroswiecki, 1999) to automatically define $\Sigma$ and $T$ from a system component description based approach. Note that the reconfiguration strategy does not need any detailed information from the FDI algorithms, since no estimation of the actual set of constraints is necessary. The main characteristic is on the contrary that the unknown set of constraints $(s_a, \theta_a)$ is replaced by a (feasible) known one $(\sigma, \tau)$ and the set of admissible controls $U$ is replaced by another set $V$. The only data which is needed thus concerns the feasibility of $(\sigma, \tau)$ and the existence of a set of controls $V$ in the faulty situation.

Example. Suppose that valve $V_a$ gets blocked and closed. Then, the level in tank $T_2$ can no longer be regulated using valve $V_a$. Valve $V_b$ can be used instead of $V_a$ and as a consequence the system structure is modified. The previous regulation problem:

$\gamma$: regulate level $h_1$ and $h_2$ with desired input/output properties
$s$: $\dot{h}_1 = \frac{1}{A}(Q_1 - Q_a)$
  $Q_1 = k_v \cdot v(t)$
  $Q_a = 0$ if $h_1 < h$ and $h_2 < h$
  $Q_a = k_a \sqrt{\rho g (h_1 - h)} \cdot pos(V_a)$ if $h_1 > h$ and $h_2 < h$
  $Q_a = k_a \sqrt{\rho g (h_2 - h)} \cdot pos(V_a)$ if $h_1 < h$ and $h_2 > h$
  $Q_a = sign(h_1 - h_2)\, k_a \sqrt{\rho g |h_1 - h_2|} \cdot pos(V_a)$ if $h_1 > h$ and $h_2 > h$
$\theta$: $A, k_v, k_a, k_o$
$U$: $[0, \infty) \to [0, 1] \times \{0, 1\}$, $u_1(t) = v(t)$, $v \in C^1$, $u_2(t) = pos(V_a)(t)$

becomes:

$\gamma$: regulate level $h_1$ and $h_2$ with desired input/output properties
$\sigma$: $\dot{h}_1 = \frac{1}{A}(Q_1 - Q_b)$
  $Q_1 = k_v \cdot v(t)$
  $Q_b = sign(h_1 - h_2)\, k_b \sqrt{\rho g |h_1 - h_2|} \cdot pos(V_b)$
$\tau$: $A, k_v, k_b, k_o$
$V$: $[0, \infty) \to [0, 1] \times \{0, 1\}$, $u_1(t) = v(t)$, $v \in C^1$, $u_2(t) = pos(V_b)(t)$

6.5. Remark

In both the accommodation and the reconfiguration strategies, the problem of transient behaviors has to be considered, since commutations are present, from one control law to another one in fault accommodation and from one set of constraints to another one in system or control reconfiguration.

7. SUPERVISION

7.1. Definition

The most general control problem is defined by the triple where $G$ is a set of possible objectives, and $S \times \Theta$ is a set of possible constraints which contains the nominal system ones $(s_n, \theta_n)$. In view of its practical interpretation, this quadruple defines the supervision problem.

In fact the supervision problem differs from the fault tolerant control problem by the fact that the system objective is not fixed in advance, but is also to be determined taking into account the system possibilities at each time. At this decision level, human operators are most often necessary.

Definition: a supervision problem is a fault tolerant control problem associated with an objective reconfiguration problem.

Let an objective $\gamma$ be given. Obviously the control problem has a solution, which is the system nominal control for the objective $\gamma$. Nominal control can be applied as long as the actual constraints $(s_a, \theta_a)$ remain equal (or close) to the nominal ones $(s_n, \theta_n)$.

Suppose now some fault(s) occur(s), and the actual constraints are different from the nominal ones. Depending on the information provided by the FDI algorithms, fault tolerant control could be achieved by fault accommodation or by system/control reconfiguration. Fault accommodation rests on the existence of a solution to the control problem (this problem is in practice approximated by $< \gamma, \hat{s}, \hat{\theta}, U >$ or $< \gamma, \hat{s}, \hat{\Theta}, U >$ when FDI algorithms provide estimations of the new constraints). System/control reconfiguration rests on the existence of an admissible $V$ and a feasible pair $(\sigma, \tau) \in S \times \Theta$ such that the problem has a solution.

When solutions exist neither for accommodation nor for reconfiguration strategies, this means that the objective $\gamma$ cannot be achieved by any fault tolerant control. The only possibility is therefore to modify the system objective (for example change the production objective into a "survival" one by moving from some regulation mode towards a fall back mode followed by a maintenance one). This is a decision problem which consists in finding an objective $\eta \in G$, an admissible $V$ and a feasible pair $(s, \theta) \in S \times \Theta$ such that the problem $< \eta, s, \theta, V >$ has a solution.

If no such quadruple exists, catastrophe seems unavoidable. This can be a design bug or a deliberate choice to accept certain failure scenarios, e.g. for reasons of cost/benefit or small likelihood for certain events. However in most cases at least one objective (to stop the system operation) is achievable and many others are possible. Unfortunately this is not always suitable, since the faulty system might lose the stability and controllability properties. Also, the choice of a new objective can be performed autonomously only in rare situations. The common case is that human intervention is needed using decision support from the diagnosis and taking into account the overall goals of the plant.
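The cascade of section 7.1 (accommodation, then reconfiguration, then a change of objective) applied to the leaking tank $T_1$ of section 6.3, as an added Python example that is not part of the paper. Only the 50 cm set point, the PI law and the leak model $A\,\dot{h}_1 = k_v v - Q_a - Q_L$ come from the text; the numeric values, the constant $Q_a$ and the `spare_available` flag are constructed assumptions.

```python
# Added illustration (not the authors' code). All numbers are constructed.
A = 100.0         # tank section, cm^2 (assumed)
K_V = 50.0        # pump gain k_v: flow in cm^3/s at v = 1 (assumed)
Q_A = 10.0        # flow Q_a to tank T2, taken as a constant perturbation (assumed)
SET_POINT = 50.0  # cm, regulation objective given in the paper
KP, KI = 0.5, 0.02  # PI gains k_p, k_i (assumed)

NOMINAL = "nominal control"
ACCOMMODATE = "fault accommodation"
RECONFIGURE = "system/control reconfiguration"
NEW_OBJECTIVE = "objective change: empty tank T1 in minimum time"


def sat(x):
    """Saturation function in [0, 1], as in the paper's PI law."""
    return max(0.0, min(1.0, x))


def simulate(q_leak, mode, t_end=600.0, dt=0.1):
    """Euler integration of A*dh1/dt = k_v*v - Q_a - Q_L, starting at the set point.

    mode "regulate": v = sat[k_p*eps + k_i*integral(eps)] (accommodated PI law)
    mode "empty":    v = 0 (pump stopped, the tank drains)
    Returns the final level, the final pump signal and the spilled volume.
    """
    h, integral, spilled, v = SET_POINT, 0.0, 0.0, 0.0
    for _ in range(int(round(t_end / dt))):
        eps = SET_POINT - h
        v = sat(KP * eps + KI * integral) if mode == "regulate" else 0.0
        integral += eps * dt
        inflow = K_V * v
        out = Q_A + q_leak
        if h <= 0.0 and inflow < out:
            out = inflow  # empty tank: only what is pumped in can leave
        # share of the outflow that goes through the leak
        spilled += dt * out * q_leak / (Q_A + q_leak)
        h = max(0.0, h + dt * (inflow - out) / A)
    return {"level": h, "v": v, "spilled": spilled}


def supervise(q_leak_est, protect_environment, spare_available=False):
    """Decision cascade for a leak of estimated amplitude Q_L.

    Accommodation needs a steady-state pump signal (Q_a + Q_L)/k_v inside
    [0, 1] and is ruled out when the objective also forbids any spill.
    spare_available is a hypothetical flag standing for redundancy that
    would make a reconfigured problem <gamma, sigma, tau, V> solvable.
    """
    if q_leak_est == 0.0:
        return NOMINAL
    v_needed = (Q_A + q_leak_est) / K_V
    if not protect_environment and v_needed <= 1.0:
        return ACCOMMODATE
    if spare_available:
        return RECONFIGURE
    return NEW_OBJECTIVE


if __name__ == "__main__":
    for leak in (20.0, 60.0):
        print(leak, supervise(leak, False), simulate(leak, "regulate"))
    print("emptying:", simulate(20.0, "empty"))
```

With these constructed values the accommodated PI loop holds the level for the small leak but keeps feeding the leak, while the emptying objective stops the spill once the tank is drained.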

7.2. Example

Suppose that the liquid contained in the tanks is a dangerous one. In the regulation mode, the control objectives are:

1) provide the input/output transfer with some desired property AND

2) do not spoil the environment

Clearly, the regulation objective can no longer be fulfilled as soon as a leak appears and the system has to be provided with the new objective "spoil the environment as few as possible", so that the minimum time emptying of the leaking tank becomes the new control problem.

An approach to the solution of such decision problems has been proposed in (Gehin, Staroswiecki, 1999). It consists in describing a system in terms of the missions it has to fulfil. Each mission rests on a set of services provided by the system components. The mission set is structured into Operating Modes. The conditions to move from one Operating Mode to another one are defined according to the availability of the hardware and software resources (a faulty resource implies the non realization of one or several services and consequently of one or several missions). Changing the operating mode can be proposed to the operator or automatically performed when some missions become impossible to fulfil.

Control engineers have then to provide operators with decision making tools, since full automation seems unrealistic at the supervision decision level.

8. CONCLUSION

The fundamental problem of Automatic Control is that of mastering the behavior of dynamic systems. This calls for the solution of different sub-problems: modeling, identification, estimation, filtering, control, FDI, FTC.

This paper proposes an analysis of the supervision problem which is situated in the continuity of the control problem. The approach is based on successive generalizations of the standard control problem in order to take into account more and more realistic and complex situations (perturbations, uncertain knowledge, hybrid systems, failures).

FDI algorithms are a fundamental tool designed in order to inform the operators about the actual state of the controlled system, i.e. about the constraints of the control problem they have to solve (with the help of automatic devices). It has been shown that fault tolerance strategies heavily depend on the amount of information that FDI algorithms are able to provide. In some cases, this information is detailed enough to settle a fault accommodation problem (which may - or not - have a solution), and in other cases only system or control reconfiguration can be considered. When neither of these two strategies can apply, the only possibility is to change the system operating mode by defining new control objectives.

As the generality of the control problem increases, more and more information has to be provided to the operators since the complexity of the system behavior cannot be easily captured. Accordingly, full automation is less and less possible (and suitable) when moving from the standard control problem to the fault tolerant and the supervision ones.

REFERENCES

Antsaklis, P. J. and A. Nerode (1998). Special Issue on Hybrid Control Systems. IEEE TAC, Vol. 43, 453-587.

Askari, J., B. Heiming and J. Lunze (1999). Controller Reconfiguration Based on a Qualitative Model: A Solution of Three Tanks Benchmark Problem. In Proceedings of European Control Conference ECC'99, Karlsruhe (Germany), CDROM ref: F 1039-3.

Astrom, K. J. (1983). Theory and applications of adaptive control. A Survey. Automatica, vol. 19, n° 5, pp. 471-486.

Blanke, M. (1996). Consistent Design of Dependable Control Systems. Control Engineering Practice, Vol. 4, n° 9, pp. 1305-1312.

Brown, M. and C. J. Harris (1994). Neurofuzzy Adaptive Modelling and Control. Prentice Hall, New York.

Dardinier Maron, V., H. Noura and F. Hamelin (1999). Loi de commande tolérante aux défauts majeurs d'actionneurs. In Proceedings of JDA'99, pp. 265-268, Nancy, France.

de Larminat, P. (1996). Automatique : commande des systèmes linéaires, 2nd edition. Hermès, Paris.

Doyle, J. C., B. A. Francis and A. R. Tannenbaum (1992). Feedback Control Theory. Macmillan, New York.

Dugard, L. and I. D. Landau (1988). Commande adaptative : méthodologie et applications. Hermès, Paris.

Heiming, B. and J. Lunze (1999). Three-Tanks Benchmark Problem of Controller Reconfiguration. In Proceedings of European Control Conference ECC'99, Karlsruhe (Germany), CDROM ref: F 1039-2.

Hoblos, G., M. Staroswiecki and A. Aitouche (2000). Fault Tolerance with Respect to Actuator Failures in LTI Systems. IFAC Safeprocess 2000 (submitted), Budapest, Hungary.

Kwakernaak, H. (1985). Minimax Frequency Domain Performance and Robustness Optimization of Linear Feedback Systems. IEEE Trans. AC, Vol. 30, pp. 994-1004.

Kwakernaak, H. (1993). Robust Control and $H_\infty$-optimization, Tutorial Paper. Automatica, Vol. 29, pp. 255-273.

Landau, I. D., Ch. Cyrot and D. Rey (1993). Robust Control Design Using the Combined Pole Placement / Sensitivity Function Shaping Method. In Proceedings of European Control Conference ECC'93, Groningen, Netherlands.

Dvorak. D. and B. 1. Kuipers (1989). Modelbased Monitoring of Dynamic Systems. In Proc. of the 11th Joint Conf on Artificial Intelligence, 1238-1243, Detroit, also in Readings in Model-based Diagnosis, Morgan Kaufman.

Maciejowski 1. M., (1997a), Reconfigurable Control Using Constrained Optimisation, In Proceedings of European Control Conference ECC'97, Brussels, Belgium, Plenary Lectures and Mini-Courses, 107 130.

Foulloy, L. and B. Zavidovique (1994). Towards Symbolic Process Control, Automatica, 30(3), 379-390. Frei, C. W., F. 1. Kraus and M. Blanke (1999), Recoverability Viewed as a System Property, Proc. European Control Conference, {ECC'99}, Karlsruhe, Germany.

Maciejowki, 1.M., (1997b), Modelling and Predictive Control : Enabling Technologies for Reconfiguration, ln Proceedings of IFAC Symposium on System Structure and Control. Bucharest, Romania.

Gehin, A. L, and M. Staroswiecki (1999), A Formal Approach to Reconfigurability Analysis I Application to the Three Tank Bechmark, In Proceedings of European Control Conference ECC'99, Karlsruhe (Germany), COROM ref : F 1039-4

Millot, P. (1988), Supervision des procides automatises et ergonomie. Hermes, Paris. Morari, M .. Zafiriou E .• (1989), Robust Process Control. Prentice Hall International, Englewood Cliffs. N. 1.

Genul, S. (1995), Systemes d'aide a la Supervision, in Supervision de processus a l'aide du systeme expert G2TM. coord. N. Rakoto-Ravalont~alama et 1. AguilarMartin. Hermes, Paris.

Mosca. E.. (1995), Optimal Predictive and Adaptative Control, Prentice Hall International, Englewood Cliffs, N. 1.

Goodwin c.. Sin K. S. (1984). Adaptative FiLtering Prediction and Control. Englewood Cliffs, Prentice Hall.

Oustaloup, A. (1993). The Great Principles of CRONE Control. In Proceedings of IEEE SMC'93, Le Touquet. France

Hamsher. W .. L. Console and 1. De Kleer, editors (1991). Readings in Model Based Diagnosis, Morgan Kaufman.

Pauon, R. 1., P. M. Frank and R. N Cl ark (1989), Fault Diagnosis in Dynamical

327

Systems, Theory and Application, Prentice Hall. Patton, R. J. (1997). Fault Tolerant Control: the 1997 Situation, In Proceedings of IFAC Safeprocess, pp. 1033-1055, Hull. GB. Ra~mussen.

J. (1983). Skills. Rules and Knowledge: Signals, Signs and Symbols and Other Distinctions in Human Performance Models. IEEE Trans. SMC, 4, 311-335.

Rato. L. and J. M. Lemos (1999). Multimodel Ba<;ed Fault Tolerant Control of the 3-Tank System. In Proceedings of European Control Conference ECC'99. Karlsruhe. Germany Staroswiecki. M., S. Attouche and M. L. Assas. (1999a), A Graphic Approach for Reconfigurability Analysis. In Proceeding of 10" International Workshop on Principles of Diagnosis DX'99, Loch Awe, Scotland. Staroswiecki. M., G. Hoblos and A. Aitouche, (1999b), Fault Tolerance Analysis of Sensor Systems, In Proceedings of 38' IEEE Conference on Decision and Control. Phoenix, Az, USA. Verma, M., E. Jonkheere (1984), Loocompensation with Mixed Sensitivity as a Broad-band Matching Problem, Systems and Control Letters 14, pp. 295-306.

328