QUANTITATIVE AND QUALITATIVE MODELS FOR FAULT DETECTION AND ISOLATION


Mechanical Systems and Signal Processing (2000) 14(3), 301-325, doi:1006/mssp.2000.1293, available online at http://www.idealibrary.com

M. STAROSWIECKI
LAIL - CNRS UPRESA 8021, UFR IEEA Bât. P2, University Lille I, 59655 Villeneuve d'Ascq cedex. E-mail: [email protected]

(Received 12 March 1999)

This paper develops a unified view of model-based approaches for fault detection and isolation (FDI), taking as a guideline the different levels of the knowledge available about the monitored system. Two functions of the FDI process are distinguished, namely alarm generation and alarm interpretation. The numerical and the qualitative model-based approaches are discussed with respect to these two functions.

© 2000 Academic Press

1. INTRODUCTION

The increasing demand for safer and more reliable control systems calls for the consideration, at their very early design stage, of fault detection and isolation (FDI) and fault-tolerant control (FTC) issues. Fault detection procedures are intended, on the basis of real-time observations, to decide whether the system is in normal operating conditions or in faulty ones. FDI is intended to identify the kind of the fault (if present) among a given fault set. On-line (real-time) procedures are necessary for FTC purpose, while off-line procedures could be used for maintenance purpose.

A large number of works have been devoted in recent years to the design of efficient real-time FDI algorithms by both the control and the artificial intelligence communities (good introductions can be found in [1-4]). Model-based and non-model-based techniques have been developed, which all rest on some kind of redundancy in the information sources. Typically, the redundancy is obtained through the comparison of the data issued from the real-time system operation with some a priori knowledge on the system. According to the form under which the existing knowledge is expressed, system theory, signal processing or artificial intelligence approaches are used.

The present paper is an attempt to develop a unified view of model-based approaches for FDI, taking as a guideline the different levels of the available knowledge. The different approaches of the literature are not developed in detail, but for each of them, a simple formulation is given so as to illustrate its main lines, and the place it can be assigned in some overall FDI theory.

The paper is organised as follows. First, the FDI problem statement is given to provide the design framework into which FDI engineers have to fit. In Section 3, the different descriptions of the system's normal operation are presented. Section 4 develops different approaches used for alarm generation, according to the knowledge available about the system's normal operation, while the alarm interpretation problem is addressed in Section 5. The last section develops the example of a simple electromechanical system, namely a DC motor used in axis control applications, in order to illustrate some of the presented approaches. The paper ends with some concluding remarks.

2. FDI PROBLEM STATEMENT

2.1. INPUTS AND OUTPUTS OF THE FDI PROCEDURE

Obviously, real-time FDI procedures can only make use of the system observables, which are the variables available to a computer program, i.e. the system inputs and outputs, along with their derivatives for a continuous-time model (let us ignore the difficulty of their effective calculation, which does not enter the scope of this paper) or along with their delayed (memorised) values on a given time horizon, for discrete-time models. Using these observables, FDI algorithms provide a two-level procedure:

• The first level is that of alarm generation, which consists of the fault detection step. The problem of the alarm generation level is to decide whether the system is in normal operating conditions or not. The set of observations along with the a priori knowledge constitute this level's inputs while a set of generated alarms are the outputs.
• The second level is that of alarm interpretation. The problem of the alarm interpretation level is to decide which fault(s) is (are) present (fault isolation) among a pre-defined fault set, and which are its (their) characteristics (occurrence time, fault size, class, consequences, etc.). The input is a set of alarms while the output is the fault(s) isolation and characterisation. Note that some of the fault characteristics need fault models for their determination. These models have to be provided within the a priori knowledge.

Further analysis could state whether the system is still able to carry on its mission, which is of prime importance as far as FTC is concerned.

2.2. FDI EVALUATION

The second stage of the FDI problem statement concerns the evaluation of the FDI performances. Since at each of the two levels some decisions are taken (to generate an alarm, to isolate some fault, to compute some characteristic) the errors are connected, from a general point of view, with decision delays and decision mistakes. Errors arise from two causes: first, the system observables might be more or less sensitive to faults, while being sensitive to measurement noises and perturbations. Second, the knowledge we have about the system normal (and faulty) operation might be uncertain. Different criteria are used for the characterisation of FDI procedures:

• detection errors, namely false alarms, which can be evaluated either by their probability or by the (mean) delay between two successive occurrences, and missed detections, which are evaluated by their probability,
• detection delay,
• isolation errors, namely incomplete isolation, and false isolation, which can be evaluated by the probability to decide fault no. i under fault no. j being present.

2.3. THE DESIGN TRADE-OFF

In general, all these criteria cannot be simultaneously optimised. The FDI specification leads to optimise one of them, while giving some limit values the others must not trespass. In some cases, the specifications are not coherent, i.e. the set of the given faults cannot be detected and isolated with the required quality using the system observables and the a priori knowledge. Some of them have to be relaxed: consider fewer faults, lower the quality requirements (accept more false alarms, missed detections, detection delays, isolation errors), consider more system observables (increase the number of sensors), develop more knowledge about the system.


3. DESCRIBING THE NORMAL OPERATION

Alarms are generated when the system observables do not agree with the a priori knowledge which describes the normal operation of the system. According to the depth of this knowledge, alarms will be more or less closely linked to faults, making the future alarm interpretation task more or less easy. We restrict our attention to the class of physical processes, and we introduce the different levels of the knowledge used for alarm generation, making use of the following two hypotheses:

• the system may be described by a set of state variables: let $x \in \mathbb{R}^n$ be the state vector at time t,
• the true behaviour obeys a set of differential equations:

$$\frac{dx}{dt} = \varphi(x, u, v, \theta^*) \qquad (1)$$

where $u \in \mathbb{R}^m$ and $v \in \mathbb{R}^l$ are, respectively, the control and the perturbation inputs, and $\theta^* \in \mathbb{R}^q$ is a vector of 'true' parameters.

3.1. THE THREE BASIC MODELS

The description of the normal operation of the system calls for three models:

(a) The behavioural model describes the way the system state evolves in time, as a consequence of the system inputs (controls and perturbations). The state trajectory depends on the initial value x(0). The model closest to equation (1) would be a set of differential equations of the form

$$\frac{dx}{dt} = f(x, u, v, \theta) \qquad (2)$$

where $f$ is an approximation of $\varphi$ ($f = \varphi$ would be the case of a perfect knowledge model, but $f$ could be completely different, as for example in black-box models or as the result of linearisation) and $\theta$ is the vector of the (previously identified) model parameters. Other descriptions, namely Bond graphs [5], could be used to represent the physical phenomena which constrain the evolution of the system state variables. Bond graphs characterise the power and energy transfers between the different components of a given system by means of two generalised variables (flow and effort) and of an interconnection structure (0 or 1-junctions). In the case of linear models, there is some direct link between the graphical representation and the system of differential equations. However, when compared to equations, Bond graphs add the idea of system structure and of causality, which we will see later are of some interest.

(b) The measurement model describes the measurements which are available. It expresses the way in which the sensors transform some states of the process into output signals which can be used for control or FDI purpose. A classical representation of the measurement model is given by

$$y = g(x, u, v, \theta, \varepsilon) \qquad (3)$$

where $y \in \mathbb{R}^p$ is the output vector and $\varepsilon \in \mathbb{R}^p$ is the measurement noise, for which the model $\varepsilon \sim N(0, \Sigma)$ is generally supposed. When Bond-graph models are used, the measurement model is simply the list of those flows or efforts which are measured.

(c) The operating range model defines the values the system variables are allowed to take under normal operation. While the behavioural and the measurement models describe the system, the operating range model describes the users' wishes. A direct representation is given by

$$h(x, u) \le \eta \qquad (4)$$

where $\eta \in \mathbb{R}^k$. Equation (4) defines a domain in the state and control space in which the system operates safely. Leaving this domain could damage the system or be dangerous for the operators. This model could be refined by defining two (or more) different domains, for example a first one in which the system operates safely, and a second one in which the trajectories could move, but for a limited time before damage or danger. Notice that Bond-graph models do not directly allow the introduction of the inequality constraints issued from the operating range limitations.

3.2. REMARKS

R1: Classical FDI approaches do not consider the operating range model at all. However, FDI procedures should deal not only with the monitoring of the equality constraints (2) and (3) but also with the monitoring of the inequality constraints (4). It should be noticed that healthy systems might violate the inequality constraints as the result of inadequate inputs or environment aggressions (strong perturbations for instance), while faulty systems might, on the contrary, remain within the permitted operation domain. Limit value checking, which is always presented as a (primitive) specific approach to FDI, enters the general FDI framework as soon as the operating range model is considered.

R2: A well-known class of descriptions is given by input/output equations, which 'condense' equations (2) and (3) by eliminating the state, under the form

$$\varphi(y^s, u^s, v^s, \theta, \varepsilon^s) = 0 \qquad (5)$$

where, given a variable $z$, $z^s$ stands for the vector built on $z$ and its $s$ first derivatives. In the linear case, such an input/output description directly leads to the use of transfer functions.

R3: Up to now, we considered only real-valued variables, which led to numerical models. However, a coarser granularity could be used, leading to symbolic (qualitative)-valued variables, for which only the fact that they belong to a given interval is pertinent (e.g. $x \in \{\text{small}, \text{medium}, \text{large}\}$). Fuzzy sets can be considered instead of intervals, thus enriching this coarse model. Equation (2) would then be replaced by a set of rules (or fuzzy rules) expressing a qualitative physics model [6], while equation (3) would define the (fuzzy) output variables modalities, and equation (4) would give the list of the modalities which belong to the allowed domain.

4. ALARM GENERATION

In this section, the different alarm-generation procedures are classified according to the different levels of the a priori knowledge they need. Two kinds of alarms are distinguished, namely the alarms generated by monitoring the system operating range and the alarms generated by monitoring the system behaviour.

4.1. MONITORING THE SYSTEM OPERATING RANGE

The well-known limit-checking procedure uses some minimal knowledge about the normal operation of a given system, which is expressed by

$$Hy \le \eta \qquad (6)$$

with $H$ being a submatrix of

$$H^* = \begin{pmatrix} 1 & 0 & \cdots & 0 \\ -1 & 0 & \cdots & 0 \\ 0 & 1 & \cdots & 0 \\ 0 & -1 & \cdots & 0 \\ \vdots & & \ddots & \vdots \\ 0 & \cdots & 0 & 1 \\ 0 & \cdots & 0 & -1 \end{pmatrix}.$$

Deciding if equation (6) holds for the observed values is simply done associating two residuals to each of the outputs, and testing their positivity:

$$r_i(\text{low}) = y_i - \eta_i(\text{low}), \qquad r_i(\text{high}) = \eta_i(\text{high}) - y_i, \qquad i = 1, \ldots, p. \qquad (7)$$

A more general setting of the operating range model would introduce the output and its derivatives:

$$h(y^s) \le \eta \qquad (8)$$

but the monitoring would obviously rest on the same kind of test. A more complex situation is that in which non-measured state variables are present in the operating range model (for example $Hx \le \eta$). This situation calls for more knowledge about the system, since the question that arises is whether it is possible or not to estimate the non-measured states from the measured outputs. This problem is considered in [7, 8].

4.2. MONITORING THE SYSTEM BEHAVIOUR

Different levels of the available knowledge are considered:

• measurement equation (3),
• input-output relation (5),
• state-space equations (2) and (3) under the numerical form or different qualitative ones,
• graphic models.

4.2.1. Measurement equation

Suppose the a priori knowledge is given by the measurement equation

$$y = Cx + \varepsilon. \qquad (9)$$

The monitoring of equation (9) is possible only if some redundancy is present. This is obviously the case when physical redundancy has been implemented, since several rows of the matrix $C$ are then identical. This provides the classical redundancy tests

$$r_{ij} = y_i - y_j = \varepsilon_i - \varepsilon_j \sim N(0, R_i + R_j) \qquad (10)$$

where $i$ and $j$ are any indices of two identical sensors, $r_{ij}$ is called a residual, the first equality defines its computation form, the second equality defines its evaluation form, whose statistical distribution under non-faulty operation is given by the last member. The residual computation form tells how to compute it in real time, using the system observables (perform the difference between $y_i$ and $y_j$ in the present case). The evaluation form tells what its value should be in normal operation (or, as will be seen later, under some fault hypothesis). In the present case, the value should be zero using a deterministic model, or be distributed according to $N(0, R_i + R_j)$ using a stochastic one. Alarm generation rests on a decision procedure which compares the actual residual value with the value it should have under normal operation. We do not develop decision procedures in this paper; for a good exposition see [9].

More generally, analytical redundancy is present as soon as the number of rows of the matrix $C$ is larger than its rank [10]. For the sake of simplicity, suppose that $C$ is full column rank (fcr) and $m \le n$. Then, different (equivalent) approaches can be used for the residuals design.

Parity space: The parity space technique is based on the left multiplication of equation (9) by a matrix $W$ whose rows constitute a basis of $\operatorname{Ker} C^T$ [11]. The interpretation is that the unknown state is eliminated by a projection on $\operatorname{Ker} C^T$ (called the parity space). One obtains

$$r = Wy = WCx + W\varepsilon = W\varepsilon \sim N(0, W R W^T). \qquad (11)$$

Notice that the choice of $W$ is not unique, so that any linear transformation $\rho = Qr$ would also define residuals, with statistical distribution $N(0, Q W R W^T Q^T)$ in normal operation.

Output estimation: Since $C$ is fcr, the unknown state $x$ may be estimated from equation (9) (this is in fact another way of eliminating it). One has

$$\hat{x} = (C^T C)^{-1} C^T y \qquad (12)$$

where $\hat{x}$ is the least-squares estimate of $x$. Let $\hat{y} = C\hat{x}$ be the estimate of $y$. The residual is

$$r = y - \hat{y} = [I - C(C^T C)^{-1} C^T]\, y \qquad (13)$$

which can be compared with equation (11): it is easily seen that $I - C(C^T C)^{-1} C^T$ is a parity space projection matrix since $[I - C(C^T C)^{-1} C^T]\,C = 0$.

4.2.2. Input/output relation

Suppose now we have a higher level of knowledge about the system, namely knowledge about its dynamical behaviour. As far as dynamics is concerned, we introduce both control ($u$) and perturbation ($v$) inputs.

(a) Numerical transfer function. The normal operation of the system is described by the input/output relation

$$Y = G(\theta, p)\,U + H(\theta, p)\,V + E \qquad (14)$$

where capital letters stand for Laplace transforms, and $G(\theta, p)$ and $H(\theta, p)$ are the system transfer matrices.

Parity space: The parity space residual vector is [12]

$$R = W(\theta, p)\,Y - W(\theta, p)\,G(\theta, p)\,U = W(\theta, p)\,E \qquad (15)$$

where $W(\theta, p)$ is a transfer matrix (supposed to exist) such that $W(\theta, p)\,H(\theta, p) = 0$, which ensures the strong decoupling of the residual with respect to the unknown perturbation inputs (when strong decoupling is not possible, weak decoupling, which tries to minimise the influence of the perturbations, has to be defined, see [12, 13]). The previous remarks are still valid: the first equality defines the residuals computation form while the second one defines the evaluation form. Moreover, any left multiplication by a polynomial matrix in the Laplace variable $p$ creates another residual vector with different statistical properties in normal operation.

Output estimation: Suppose that some simulation program is available to compute an estimation of the output function $Z = W(\theta, p)\,Y$: $\hat{Z} = W(\theta, p)\,G(\theta, p)\,U$. Then, a direct means of generating a residual is to monitor the discrepancy between the actual output function and the value it should have, as provided by the simulation of the system in normal operation:

$$R = W(\theta, p)\,Y - \hat{Z} = W(\theta, p)\,E. \qquad (16)$$

Identification: The input/output relation (15) can be used for on-line identification of the model parameters $\theta$ (remember that $\theta^*$ are the 'true' system parameters, while $\theta$ is the model parameter vector, which is supposed to be known through previous analysis). Let $\hat{f}$ be the estimation of some function of $\theta$ obtained by some identification procedure. Then, a residual vector is given by [1]

$$r = \hat{f} - f = e_f \sim N(b, V) \qquad (17)$$

where $e_f$ is the identification error and $N(b, V)$ defines its statistics in normal operation ($b$ is the identification bias and $V$ is the variance). Identification-based residuals are attractive since they are well connected with parametric faults, which makes the alarm interpretation task easier. They have been proven to be equivalent to parity space residuals [14, 15].

(b) Qualitative transfer function. The idea of qualitative transfer functions is that in the supervision task, only the overall shape of the output trajectories is of some interest for operators, who detect the discrepancies with respect to normal output ones. The approach is clearly an output estimation one, in which it is assumed that only rough estimates of the outputs are sufficient. Qualitative transfer functions (QTF) are used for such simulations [16]. A QTF describes the influence of a variable on another one using only a few dynamic features: time lag, response time, static gain. The overall model is an enrichment of the influence graph, which is a classical qualitative model [17], expressing the causal links between the system variables. In the present case, each arc $(x, y)$, where $x$ and $y$ are two system variables, is labelled by a QTF which gives the dynamic influence of $x$ on $y$. Simulations are performed approximating the system trajectories by linear segments with respect to time and defining events as the change from one segment to another one [18]. Of course, only perturbation-free equations (sub-systems strongly decoupled from the unknown inputs) can be simulated.

4.2.3. State-space description

We now consider different forms of the state-space description of the system normal operation behaviour. The most classical one is given by differential algebraic equations. As previously, parity space, identification or output estimation-based approaches are the different ways to express the redundancy this model contains. Coarser models based on qualitative simulation can be used through the output estimation scheme.

(a) Numerical equations. The classical (LTI) state-space equations are

$$\text{behaviour:} \quad \frac{dx}{dt} = Ax + Bu + Tv \qquad (18)$$

$$\text{measurement:} \quad y = Cx + \varepsilon. \qquad (19)$$

Successive derivations of equation (19) along with the repeated use of equation (18) lead to

$$y^s = O_s(A, C)\,x + K_s(A, B, C)\,u^s + K_s(A, T, C)\,v^s + \varepsilon^s \qquad (20)$$

where $O_s(A, C)$ is the observability matrix of order $s$ and $K_s(A, B, C)$ (resp. $K_s(A, T, C)$) is the control matrix associated with the input $u$ (resp. with the input $v$).

Parity space: Premultiplying equation (20) by a matrix $X$ orthogonal to $O_s(A, C)$ results in the elimination of the unknown state by a projection procedure. Furthermore, if $X$ is also orthogonal to $K_s(A, T, C)$, then the projection is strongly decoupled from the unknown inputs $v$. This is the parity space approach, producing the residual

$$r = X[y^s - K_s(A, B, C)\,u^s] = X\varepsilon^s. \qquad (21)$$

As previously said, the left equality is the computation form, the right one is the evaluation form, and premultiplying equation (21) by any matrix $Q$ provides another possible residual.

Identification: Writing equation (21) in the form

$$X[y^s - K_s(A, B, C)\,u^s] - X\varepsilon^s = 0 \qquad (22)$$

is nothing else but writing equation (15) in the time domain, the parameter vector $\theta$ being present in the matrices $A$, $B$, $C$. The identification-based approach for residual generation may thus be applied.

Output estimation: The parity space as well as the identification-based approaches eliminate the unknown state and perturbations using a projection procedure. Another means of getting rid of the state is to estimate it, as has already been done in the static situation. In the dynamic one, unknown input observers are used for such purpose [19]. Suppose the existence of some perturbation-free part of the state $z = Wx$ (this means that $WT = 0$). $z$ obeys the following dynamics:

$$\frac{dz}{dt} = az + bu$$

and there exist two matrices $P$ and $Q$ such that $Py = Qz + P\varepsilon$. The observer equation is given by

$$\frac{d\hat{z}}{dt} = a\hat{z} + bu + c(z - \hat{z}) \qquad (23)$$

where $c$ defines the output feedback which has to be chosen so as to stabilise the closed-loop matrix $a - c$. The estimation error $e = z - \hat{z}$ obeys the equation

$$\frac{de}{dt} = (a - c)\,e \qquad (24)$$

and the residual is defined as the difference between the actual and the estimated outputs:

$$r = Py - Q\hat{z} = Qe + P\varepsilon \sim N(0, P R P^T) \quad \text{when } t \to \infty. \qquad (25)$$
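As an added illustration (not code from the paper), the following Python example carries the static residuals of Section 4.2.1, equations (11) to (13), through for a constructed three-sensor, two-state matrix C: it builds the projector of equation (13) in exact rational arithmetic, checks that it eliminates the state, and shows a sensor bias appearing in the residual. The matrix C, the parity vector W, the measurements and the alarm threshold are assumptions made for the example; the paper leaves decision procedures to [9].

```python
from fractions import Fraction

# Constructed example: sensors 1 and 2 measure x1 and x2, sensor 3 measures x1 + x2.
C_EXAMPLE = [[1, 0], [0, 1], [1, 1]]
W_EXAMPLE = [[1, 1, -1]]  # constructed basis of Ker C^T, so that W C = 0 (equation (11))


def transpose(m):
    return [list(col) for col in zip(*m)]


def matmul(a, b):
    bt = transpose(b)
    return [[sum(x * y for x, y in zip(row, col)) for col in bt] for row in a]


def inverse(m):
    """Gauss-Jordan inversion over the rationals; fails if m is singular."""
    n = len(m)
    aug = [[Fraction(v) for v in row] + [Fraction(int(i == j)) for j in range(n)]
           for i, row in enumerate(m)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col] != 0), None)
        if pivot is None:
            raise ValueError("C is not full column rank: the state cannot be eliminated")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        p = aug[col][col]
        aug[col] = [v / p for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col] != 0:
                factor = aug[r][col]
                aug[r] = [v - factor * w for v, w in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def parity_projector(C):
    """I - C (C^T C)^{-1} C^T, the matrix of equation (13)."""
    Ct = transpose(C)
    hat = matmul(matmul(C, inverse(matmul(Ct, C))), Ct)
    p = len(C)
    return [[Fraction(int(i == j)) - hat[i][j] for j in range(p)] for i in range(p)]


def residual(C, y):
    """Computation form of equation (13): r = y - C x_hat."""
    return [sum(pij * Fraction(yj) for pij, yj in zip(row, y))
            for row in parity_projector(C)]


def parity_residual(W, y):
    """Computation form of equation (11): r = W y."""
    return [sum(Fraction(w) * Fraction(v) for w, v in zip(row, y)) for row in W]


def state_eliminated(C):
    """True when [I - C (C^T C)^{-1} C^T] C = 0, i.e. the residual ignores x."""
    return all(v == 0 for row in matmul(parity_projector(C), C) for v in row)


def alarm(C, y, threshold):
    """Deterministic decision rule (an assumption): alarm if any |r_i| exceeds threshold."""
    return any(abs(r) > threshold for r in residual(C, y))


def demo():
    healthy = [2, 3, 5]                  # y = C x with x = (2, 3), no noise, no fault
    biased = [2, 3, Fraction(28, 5)]     # additive bias of 3/5 on sensor 3
    return residual(C_EXAMPLE, healthy), residual(C_EXAMPLE, biased)


if __name__ == "__main__":
    r_ok, r_fault = demo()
    print("healthy residual:", r_ok)
    print("faulty residual: ", r_fault)
    print("parity residual W y:", parity_residual(W_EXAMPLE, [2, 3, Fraction(28, 5)]))
```

With this C the output-estimation residual equals Q times the parity residual for Q = (1/3)·Wᵀ, which is one instance of the linear transformations ρ = Qr mentioned after equation (11).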

Remark. The general principle for generating residuals rests on the unknown state elimination. Projection on the parity space, observers, identification are the three classical approaches, which are here illustrated in the case of linear systems. The three of them can be extended to non-linear ones [20-25].

(b) Qualitative models. Describing the system variables by a finite number of modalities (which might be fuzzy ones) leads to specific simulators in order to solve the system equations, or calls for their modification into sets of rules (which might also be fuzzy ones). Parity space or identification-based approaches cannot be used in this frame. The general fault detection principle is that of output estimation: the (qualitative) residual vector is the 'difference' between the estimated outputs and the actual ones, faults being detected as soon as some discrepancy occurs. Discrepancies have to be defined specifically, because of the qualitative nature of the variable modalities. Remember that as far as simulation is performed, only the perturbation-free part of the system can be used.

Different simulation schemes can be defined. QSIM [6, 26] is the most popular one. It is a non-causal simulator, based on constraint solving and qualitative calculus. Due to the non-determinism of qualitative calculus, a given state might have several successors, so that QSIM provides a tree of states, where each branch represents a possible behaviour of the physical system (this has also to be taken into account in the definition of discrepancies). The qualitative transfer function approach is a causal simulator (the mutual influences of the different variables are explicitly defined) which has already been presented in Section 4.2.2.

4.2.4. Graphic models

Graphic models do not, truly speaking, constitute another level of the a priori knowledge, but merely another kind of description (a specialised one in Bond graphs) or an abstraction of the state-space model (in structural graphs).

(a) Bond-graph description. Bond graphs make use of specific state variables which have a physical meaning: flows and efforts (whose product is a power). Each bond represents some power transmission in the system and the bonds are connected by means of junctions, which impose either equal flows or equal efforts, depending on the interconnection structure of the system. The orientation of the bonds indicates the direction in which power is transmitted; this offers a representation of causal links between variables. Due to the general nature of the state variables, Bond graphs allow the representation of a wide variety of systems, which belong to different fields of physics (mechanical, thermal, electrical), under a unified form [5]. As far as the alarm generation problem is concerned, Bond-graph models allow two kinds of techniques [27]:

• Numerical equation-based techniques presented till now can be used because there is a direct possibility to transform Bond graphs into input/output or state-space models. Once these models have been obtained, the parity space, observer or identification techniques can be applied, producing residuals for the system on-line monitoring.
• Graph analysis techniques can be used to build residuals, since residuals are combinations of system observables. The generation of such combinations comes down to the identification of sub-graphs of the Bond graph such that all their outer vertices are either actuators (inputs) or detectors (outputs). Notice that strong decoupling with respect to unknown inputs occurs naturally since only sub-graphs with known outer vertices give rise to residuals. Each such sub-graph defines an analytical redundancy relation (i.e. a residual computation form), which is the equation the system observables it links have to obey. Different techniques to find those specific sub-graphs have been proposed in [27]. All these techniques derive from the more general analysis of the system structure.

(b) Structural analysis. The structure of a system is a qualitative model, namely a digraph whose incidence matrix represents the links between the system variables and parameters (known and unknown) and the constraints [28]. A constraint is any relation which links the whole or a subset of the system variables and parameters, whatever it represents (physical law, empirical knowledge, control algorithm) and whatever the form it takes (numerical, linear or not, qualitative or fuzzy rules, empirical tables).

Let $\mathcal{F} = \{f_1, f_2, f_3, \ldots, f_m\}$ be the set of the constraints which represents the system model and $Z = \{z_1, z_2, z_3, \ldots, z_n\} = K \cup X$ be the set of the variables and parameters ($K$ is the subset of the known and $X$ is the subset of the unknown ones). Note that $Z$ is allowed to contain time derivatives, so that dynamic systems as well as static ones can be described by their structure. Of course, if $z_i$ is the time derivative of $z_j$ for example, then the constraint $z_i = dz_j/dt$ should be present among the set $\mathcal{F}$. Bond graphs obviously are a special case of this model: constraints correspond to Bond graph components and junctions, while variables are the flows and efforts which label the bonds. Note that parameters are not explicitly considered in Bond graphs, nor are constraints which do not correspond to any physical law, like empirical knowledge or control algorithms.

Definitions

D1: the structure of the system is a digraph $(\mathcal{F}, Z, A)$ where $A \subseteq \mathcal{F} \times Z$ is defined by $(f_i, z_j) \in A$ iff the constraint $f_i$ applies to the variable or parameter $z_j$.

D2: consider a given set $E$ and $P(E)$, the set of its subsets. The Z-structure associated with a subset of constraints is defined by the following application:

$$Q : P(\mathcal{F}) \to P(Z), \qquad F \mapsto Q(F) = \{z_j \mid \exists f_i \in F \text{ such that } (f_i, z_j) \in A\}.$$

D3: a subsystem is a pair $(F, Q(F))$, where $F$ is a subset of $\mathcal{F}$.

Let $Q(F) = Q_k(F) \cup Q_x(F)$, where $Q_k(F)$ is the subset of the known variables and parameters in $Q(F)$ while $Q_x(F)$ is the subset of the unknown ones. The constraints which define the subsystem $F$ may be written as $\text{True}\langle F[Q_k(F), Q_x(F)]\rangle$.

D4: the subsystem $F$ is compatible if, for any given value of $Q_k(F)$, the set of the values of $Q_x(F)$ which satisfy the constraints $F$ is not empty. $F$ is under-determined if, for any given value of $Q_k(F)$, the set of the values of $Q_x(F)$ which satisfy the constraints $F$ is of cardinal larger than one. It is determined if the cardinal is equal to one.

D5: Let us consider a determined subsystem. It is said to be over-determined if there exists $U \subset F$, $U \ne F$, such that
(1) $Q_x(U) = Q_x(F)$,
(2) for any value of $Q_k(F)$ the values of $Q_x(U)$ which satisfy the constraints $U$ and those of $Q_x(F)$ which satisfy the constraints $F$ are the same.
A determined subsystem which is not over-determined is said to be just-determined.

Redundancy analysis. The system redundancy properties can be exhibited from the analysis of the structural graph. Direct and deduced redundancy are distinguished.
Direct redundancy: Let $\mathcal{F}_K$ be a maximal subset of $\mathcal{F}$ such that $Q_x(\mathcal{F}_K) = \emptyset$. Any constraint in $\mathcal{F}_K$ applies only to known variables and parameters and thus constitutes a redundancy relation which can be checked on-line for FDI purpose. Direct redundancy corresponds to a sub-graph in which only known variables and parameters are present.

Deduced redundancy: Consider the sub-graph $G(\mathcal{F}_X, X, A_X)$. A unique canonical decomposition into just-, under- and over-determined subsystems exists. It can be found using algorithms from the literature [29-31]. These subsystems can be analysed in the following way:

• Under-determined subsystem: Since several solutions exist, $Q_x(F)$ cannot be computed using the known $Q_k(F)$ and the constraints $F$. The existence of under-determined subsystems is the consequence of an insufficient modelling of the system, or of unobservable variables. Under-determined subsystems would be recognised in a Bond graph by the impossibility to define a causality assignment to compute the subsystem variables.
• Just-determined subsystem: $Q_x(F)$ can be computed in a unique way using the known values $Q_k(F)$ and the constraints $F$.
• Over-determined subsystem: $Q_x(F)$ can be computed in several ways using the known values $Q_k(F)$ and the constraints $F$ (in fact, each subset $U \subset F$ which satisfies the previous definition gives a different means for the computation of $Q_x(F)$). Deduced redundancy relations are obtained writing that all these results have to be the same.

So, the monitorable part of the system is given by the over-determined subsystems. Using the notion of alternated chain (which resembles the Bond graph causality assignment), it can be shown that the deduced redundancy relations correspond to sub-graphs in which all the outer variables and parameters are in $K$ [32, 33]. Notice that strong decoupling with respect to unknown inputs and parameters is naturally and systematically obtained [34].

4.2.5. Conclusion on alarm generation

Two kinds of alarms have been considered, namely alarms which inform on the abnormal operating range (inequality constraints), and alarms which inform on the abnormal behaviour of the system (equality constraints). Numerical models can be considered at different levels (operating range, measurement, behaviour). They are used for the design of fault-detection residuals through three general approaches, namely parity space, identification, and output estimation. Qualitative descriptions considered at the level of behavioural knowledge can only be used through the output estimation approach. Two graphic models have been considered, which are of some interest, since they provide links between the numerical and the qualitative system representations. Structural models provide an abstraction of numerical ones, which can be used to generate all the three kinds of residuals. Bond graphs are widely used for the modelling of physical phenomena, and can be extended to the design of parity-space-based fault-detection residuals.
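The structural redundancy analysis of Section 4.2.4(b), as an added Python example that is not taken from the paper: it computes the Z-structure Q(F) of definition D2, the direct redundancy relations, and the over-determined (monitorable) part. The paper only refers to algorithms from the literature [29-31]; the method used here, a maximum matching followed by alternating-chain reachability in the Dulmage-Mendelsohn style, is an assumption, as are the six-constraint system and all names.

```python
# Constructed structure: constraint name -> variables and parameters it applies to.
STRUCTURE = {
    "c1": {"x1", "u"},         # actuator law linking the input u to the state x1
    "c2": {"y1", "x1"},        # sensor measuring x1
    "c3": {"x1", "x2"},        # process relation between x1 and x2
    "c4": {"y2", "x2"},        # sensor measuring x2
    "c5": {"u", "y1"},         # control algorithm: involves known variables only
    "c6": {"x2", "x3", "x4"},  # one relation for two further unknowns
}
KNOWN = {"u", "y1", "y2"}      # K; every other variable belongs to X


def z_structure(subset, structure):
    """Q(F) of definition D2: every variable touched by a constraint of F."""
    return set().union(*(structure[f] for f in subset))


def direct_redundancy(structure, known):
    """Constraints with Q_x = {} : checkable on-line exactly as they stand."""
    return sorted(f for f, zs in structure.items() if zs <= known)


def maximum_matching(structure, unknown):
    """Kuhn's augmenting-path algorithm; returns {unknown variable: constraint}."""
    match_of_var = {}

    def try_assign(f, seen):
        for x in sorted(structure[f] & unknown):
            if x in seen:
                continue
            seen.add(x)
            if x not in match_of_var or try_assign(match_of_var[x], seen):
                match_of_var[x] = f
                return True
        return False

    for f in sorted(structure):
        try_assign(f, set())
    return match_of_var


def over_determined_part(structure, known):
    """Constraints and unknowns reached by alternated chains from unmatched constraints."""
    unknown = z_structure(structure.keys(), structure) - known
    f_x = {f: zs for f, zs in structure.items() if zs & unknown}
    match_of_var = maximum_matching(f_x, unknown)
    matched = set(match_of_var.values())
    frontier = [f for f in f_x if f not in matched]
    over_f, over_x = set(frontier), set()
    while frontier:
        f = frontier.pop()
        for x in f_x[f] & unknown:
            if x in over_x:
                continue
            over_x.add(x)
            g = match_of_var.get(x)  # always set when the matching is maximum
            if g is not None and g not in over_f:
                over_f.add(g)
                frontier.append(g)
    return over_f, over_x


def analyse(structure, known):
    over_f, over_x = over_determined_part(structure, known)
    return {
        "direct": direct_redundancy(structure, known),
        "over_constraints": sorted(over_f),
        "over_unknowns": sorted(over_x),
        # each constraint in excess of the unknowns yields one deduced relation
        "deduced_relations": len(over_f) - len(over_x),
    }


if __name__ == "__main__":
    for key, value in analyse(STRUCTURE, KNOWN).items():
        print(key, "=", value)
```

In this constructed system c5 is a direct redundancy relation, c1 to c4 form the over-determined part and give two deduced relations, and c6 stays outside the monitorable part because x3 and x4 cannot both be computed from it.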

5. ALARM INTERPRETATION

An alarm is an event which is generated by the fault detection procedure. Given a set of alarms, the problem of the alarm interpretation level is to recognise the fault(s) which is (are) present (fault isolation), and if possible some of its (their) characteristics (fault characterisation). In the AI community, those steps are often referred to as 'Diagnosis', the alarms being the observed symptoms. Alarm interpretation rests on two kinds of models, the fault model and the model of the relation between symptoms and faults.

5.1. FAULT MODELS

Up to now, the a priori knowledge was limited to the description of the system normal operation. The outputs of the FDI procedure have been defined as a set of faults to be detected, isolated and characterised (possibly multiple faults have to be considered). To do this, faults have to be introduced into the FDI models. This can be done in different ways, according to the different possible system representations.

5.1.1. Numerical models

Consider the most complete model composed of equality constraints (state and measurement equations) along with inequality constraints (operating range model). Faults can be classified into two classes, namely system faults and environment aggressions. System faults are classically divided into sensor, actuator or process faults, while environment aggressions are perturbations and inadequate control inputs. Dealing now with alarm interpretation, no unknown input will appear in the models since strong decoupling techniques are supposed to have been applied to those perturbations one wishes to ignore (the perturbations one wants to detect are faults).


Measurement equations: Sensor faults can be introduced into the measurement equation as follows:

$$y = (C + \Delta C)x + f_y + e, \qquad e \sim N(0, R_{\ }) \ \text{or} \ e \sim N(0, R_{\ }) \qquad (26)$$

where $\Delta C$ is a multiplicative fault which can be interpreted as some fault on the sensors gain, $f_y$ is an additive fault which can be interpreted as sensors bias; $N(0, R_{\ })$ and $N(0, R_{\ })$ are, respectively, the normal and the faulty noise distributions, which can be interpreted as the model of some sensor connexion or data transmission problem.

State equation: Actuator and process faults can be introduced into the state equations as follows:

$$\frac{dx}{dt} = (A + \Delta A)x + (B + \Delta B)(u + f_u) + D f_x \qquad (27)$$

where $\Delta A$ and $\Delta B$ are unknown matrices, used to represent parameter deviations (multiplicative faults) while $f_u$ and $f_x$ are unknown vectors used to represent additive actuator and process faults. The influence matrix $D$ is supposed to be known.

Operating range constraint: Faults do not explicitly appear in the operating range constraints. The reason is that operating range models do not describe how the system behaves, but what the operator wishes. Faults $(\Delta A, \Delta B, \Delta C, f_u, f_x, f_y)$ act on the system through the state and measurement equations. They result in measurement and state deviations, described by equations (26) and (27), which eventually violate the inequality constraints.

5.1.2. Qualitative models

In qualitative models, faults are described either by assertions about the state of the system components (valve blocked open, pump out of order, leak in the tank) or by deviations on the system variables which give them abnormal values. Measurement noise and sensor faults are in general not considered, i.e. the observations are trusted to be valid. In general, links can be established between the qualitative and the numerical fault models:

• assertions can often be translated into values of system variables (leak in the tank = leak flow different from zero; valve blocked open = valve control variable equal to the maximum value whatever the actual computed control),
• deviations on the system variables can obviously be translated into additive faults.

5.2. RELATION BETWEEN SYMPTOMS AND FAULTS

The model of the relation between symptoms and faults is the key of alarm interpretation. The more knowledge the alarm generation puts at work, the easier the alarm interpretation will be. On the contrary, when alarm generation makes use of very simple models, alarm interpretation has to compensate, introducing the necessary knowledge at the level of the relation between symptoms and faults.
Considering successively the different alarm generation models, we will see how they eventually have to be complemented and how alarm interpretation is performed.

5.2.1. Operating range model

Using operating range models, alarms are generated when some system variables (or variable combinations) trespass some a priori given thresholds.


Consider the simplest model (6) [or (8)]

$$Hy \le g \quad [\text{or } h(y^{s}) \le g]. \qquad (28)$$

Since $g \in \mathbb{R}^{k}$, the fault detection procedure based on this model is able to generate $k$ different alarms. Even when $k$ is not 'too large' (which in practice is seldom the case), the number of the symptoms is exponential when simultaneous (or sequences of) alarms occur. This might indeed be the case since in general alarms of this type are correlated, i.e. the same fault can cause several alarms to fire. This model gives no information on any link between alarms and faults, since it contains no knowledge about faults. Thus, alarm interpretation needs the whole model of the relation between the alarms and the faults to be introduced. Since alarms are events and faults are qualitatively defined, such models can only be qualitative ones. They have been extensively considered by the AI community, and can be classified according to the following [35, 36].

(a) Causal graphs. A causal graph is a digraph $(C, S, L)$. Two sets are considered, namely $C$, the set of the causes (faults) and $S$, the set of the observations or symptoms (alarms). A pair $(c, s) \in L$ means that the cause $c$ is responsible for the observation $s$. Composite causes may be used by means of logical formulas, like (c  c, s). The basis of alarm interpretation using causal graphs is the abductive reasoning, which can be formulated as

$$\text{True}\langle s \rangle \ \text{and} \ (c, s) \in L \ \Rightarrow \ \text{Possible}\langle c \rangle.$$

As formalised in [4, 37], the model is a theory constituted by a set of relations between expected observations in case of abnormal behaviour, and the explanations which can be found for them. Symptoms are entities whose truth value can be decided by observing the system (they are the alarms in our case). Diagnostics (or primary causes) are terms which have no cause within the theory. When dealing with dynamic systems, the introduction of time considerations is of primary importance.
This can be done by associating a date with each observation and adding time delays in the causal relations which express the dependency between the causes and the consequences [38].

(b) Influence graphs. Influence graphs express the causal links between the system variables [17]. Let $IG = (Z, L)$ be an influence graph, where $Z$ is the set of the considered variables. One has $(z_{\ }, z_{\ }) \in L \Leftrightarrow z_{\ }$ is influenced by $z_{\ }$. The arc $(z_{\ }, z_{\ })$ may be valued by the sign of the influence or by other quantities (like a QTF, as seen for residual generation by qualitative simulation). Remember that in this section, alarms are fired by the trespassing of some inequality constraints, i.e. by some output variables leaving their authorised operating range. Then, the analysis of the influence graph is aimed at finding out which variable(s) might be the origin of the observed alarms [39]. Such variables are called primary deviations. The use of this model for alarm interpretation supposes the faults to be modelled by variable deviations. The result of the analysis is a tree whose root is a minimal set of primary deviations, and whose branches show the propagation of the system variables deviations till the observed set of alarms.

(c) Chronicles. A direct causal approach which takes time considerations into account is based on the chronicle concept. A chronicle is a pre-ordering of events (alarms) eventually enriched by the knowledge of more or less precisely given delays between them. This approach can be considered as a simplification of the causal graph approach in which each fault is characterised by a partial ordering of the resulting alarms. The knowledge on the system behaviour is thus contained in the chronicle associated with each fault, and to isolate


the fault amounts to recognising its associated chronicle. Different algorithms have been proposed for this [40, 41].

(d) Expert systems. Expert systems can be compared with the just-described chronicle approach. They provide a set of rules which link the observed phenomenon (a set of alarms, or a set of ordered alarms when time is considered) to the system situation (fault) which is to be recognised.

(e) Comments. We have presented the most popular models for alarm interpretation, but other ones are also used (see [36] for a survey with application examples). Their common characteristic is that they describe in fact the faulty system behaviour, since the alarm generation model does not make the dependence of alarms upon faults appear explicitly. This description does not make use of equations, and is easily understandable by human operators. However, it does not take into account sensor faults and measurement noises, which might heavily corrupt the observations, and cause false alarms or missed detections. It obviously only applies to the perturbation-free part of the system. Building these models is a difficult task which calls for human expertise. The problem of completeness and consistency is a classical one in this area, especially when simultaneous faults have to be considered. Model updating to follow the system evolution is generally costly and sometimes impossible, since the experts are no longer available. Building qualitative alarm interpretation models from Bond graph models, from structural graphs or from sets of equations is possible; however, if such models were available, they should have been used at the alarm generation level.

5.2.2. Operating range and measurement models

Using both operating range and measurement models generates two kinds of alarms:

• violation of the inequality constraints,
• violation of the equality constraints.

Considering again the simplest possible models, one has

$$Hy \le g \quad [\text{or } h(y^{s}) \le g] \qquad (29)$$

$$y = Cx + f_y + e, \qquad e \sim N(0, R_{\ }). \qquad (30)$$

Applying the parity-space approach to equation (30), the evaluation form of the residual is now a function of the sensor fault vector $f_y$:

$$r = Wy = WCx + Wf_y + We \qquad (31)$$

so that $r \sim N(0, W R_{\ } W^{t})$ in the non-faulty situation, while $r \sim N(W f_y, W R_{\ } W^{t})$ in the faulty one. Applying a statistical test on the residual vector $r$ not only allows the detection of a sensor fault but also its isolation (it is easy to check which component of $f_y$ is different from zero, by means of directional or structured residuals, specialised observer schemes, see [42, 43] for example). Moreover, the fault apparition time and the fault size may also be estimated [9]. It can be seen that using the operating range and the measurement equations, the dependence of alarms upon process and actuator faults remains implicit. Thus, the same qualitative models already presented in the preceding section have to be used. Their conclusions are now made sounder, since some sensor faults can be detected and isolated using the measurement equation, and thus separated from process and actuator ones.


5.2.3. Operating range, measurement and behavioural model

Using the three models makes the dependence of alarms upon sensor, actuator and process faults explicit. Let us consider their different forms.

(a) Numerical models. In the simplest formulation, the alarm generation model is given by

$$\frac{dx}{dt} = Ax + Bu + Df_x \qquad (32)$$

$$y = Cx + f_y + e, \qquad e \sim N(0, R_{\ }) \qquad (33)$$

$$Hy \le g \quad [\text{or } h(y^{s}) \le g]. \qquad (34)$$

Developing equation (32) by successive derivations provides

$$y^{s} = O_s(A, C)x + K_s(A, B, C)u^{s} + K_s(A, B, D) f_x^{s} + f_y^{s} + e^{s}. \qquad (35)$$

The parity space approach (other ones could be used) produces the residual

$$r = \Omega[y^{s} - K_s(A, B, C)u^{s}] = \Omega[K_s(A, B, D) f_x^{s} + f_y^{s} + e^{s}] \qquad (36)$$

which is seen to depend in different ways on the different kinds of faults, giving thus a possibility to detect and isolate them.

A detectability condition would of course be that the dependence is real; as a matter of fact, the non-detectability of a fault modelled by the ith component of $f_x$ would result from the ith column of $K_s(A, B, D)$, as well as the columns which multiply the derivatives of the ith component, belonging to $\mathrm{Im}\, O_s(A, C)$, so that they are eliminated along with the state vector $x$ in the parity space projection procedure.

Detectability results from the fact that the dependence of residuals upon faults is real. Isolability results from the fact that the dependence is different for the different faults. As an example, suppose $\mathrm{Ker}\,[O_s(A, C) \ \ K_s(A, B, D)]^{t} \neq \{0\}$, and let $\Omega_x$ be a matrix whose rows form one of its bases. Then, some residual $r_x$ can be designed which would not depend on the fault vector $f_x$, but only on the sensor faults. On the same principle one could design (when possible) residuals which are sensitive to any subset of the faults. This technique is known as the structured residual design [13, 43].

Finally, under detectability and isolability conditions, all the kinds of faults could be recognised from the analysis of residuals designed from the state and measurement equations. The operating range conditions would then be used only to detect any excursion out of the normal operation domain which would result from inappropriate inputs or inadmissible perturbations. In this case, alarm generation and alarm interpretation would use the same models.

(b) Transfer functions. When the input/output behaviour of the system is described by transfer functions, the normal operation model can be extended to explicit representation of the faults, using specific transfer matrices.
A possible extension of equation (14) is (remember we only consider the perturbation-free part of the system)

$$Y = G(\theta + \Delta\theta, p)U + F_y + E \qquad (37)$$

where $\Delta\theta$ is a parameter deviation which represents process and actuator faults. The parity space residual vector is now

$$R = Y - G(\theta, p)U = \Delta G(\theta, \Delta\theta, p)U + F_y + E \qquad (38)$$

which allows under some condition the detection and isolation of the different kinds of faults [12], leading to the same conclusions as in the preceding section.


(c) Bond-graphs and structural models. These graphic representations allow, like their underlying numerical equations, the explicit introduction of faults and perturbations. In both cases, redundancy relations are represented by subgraphs in which alternated chains appear [28, 32, 33]. An alternated chain is a path in the digraph which successively crosses variables and constraints. It appears clearly that any subgraph containing either a deviated variable or a non-conform constraint (a faulty system component) will provide a residual whose value would be 'False' (under some detectability conditions which express that there is no cancellation of the residual deviation). Structured residuals are built choosing, as far as possible, the variables and constraints the subgraph will contain [34]. This can be interpreted in terms of causal matchings, and provides a direct generation of the faults to alarms causal graph, as noticed in Section 5.2.1.

(d) Qualitative models. Expressing the system behaviour with a qualitative model leads also to a qualitative approach to model the faults. However, the basic principle of those approaches rests on the use of simulations which generate residuals by output estimation. In contrast with the previous approaches in which the faults were unknown (only the way they act is supposed to be known: additive or multiplicative), simulation approaches need each fault to be specified. The alarm interpretation procedure is then based on the comparison of the actual outputs of the system with the ones produced by the different simulations which are performed under different fault hypotheses [3].

6. APPLICATION EXAMPLE

A simple electromechanical system, namely a d.c. motor used in axis control applications, will illustrate some of the presented approaches. The block diagram of the system is shown in Fig. 1. The power is supplied from a four-quadrant chopper, and two PI controllers are used as speed and current regulators.

6.1. FDI PROBLEM STATEMENT

The system observables are the speed set-point $\Omega_{\ }$ and the outputs of the two sensors, namely the speed $\Omega^*$ and the current $i^*$. We suppose the two PI controllers to be implemented on some microcomputing device, so that in addition to these observables, the control variables $i_{\ }$ and $\beta$ are also known. The a priori knowledge is provided by the laws of electrotechnique, and by the controllers equations. The set of faults to be considered contains three faults: speed sensor and current sensor faults, power supply fault. We suppose faults not to occur simultaneously. Since we will not enter into computation details, neither for the fault sizes nor for the FDI criteria (false alarm, non-detection rates, etc.), we do not develop the FDI specification part any more.

Figure 1. Block diagram of the d.c. motor.


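6.2. DESCRIBING THE NORMAL OPERATION

6.2.1. The behavioural model

Choosing the speed and the current as state variables, the d.c. motor behaviour is described in the time domain by the following set of differential equations:

$$\begin{pmatrix} \dfrac{d\Omega}{dt} \\[2mm] \dfrac{di}{dt} \end{pmatrix} = \begin{pmatrix} -\dfrac{f}{J} & \dfrac{K}{J} \\[2mm] -\dfrac{K}{L} & -\dfrac{R}{L} \end{pmatrix} \begin{pmatrix} \Omega \\ i \end{pmatrix} + \begin{pmatrix} \dfrac{1}{J} \\[2mm] 0 \end{pmatrix} C_L + \begin{pmatrix} 0 \\[1mm] \dfrac{U}{L} \end{pmatrix} \beta \qquad (39)$$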

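while the control variables are solutions of the system (40):

$$\begin{pmatrix} \dfrac{di_{\ }}{dt} \\[2mm] \dfrac{d\beta}{dt} \end{pmatrix} = \begin{pmatrix} 0 & 0 \\ V_i & 0 \end{pmatrix} \begin{pmatrix} i_{\ } \\ \beta \end{pmatrix} + \begin{pmatrix} V_v & V_v T_v \\ V_i T_i V_v & V_i T_i V_v T_v \end{pmatrix} \begin{pmatrix} \Omega_{\ } \\[1mm] \dfrac{d\Omega_{\ }}{dt} \end{pmatrix} + \begin{pmatrix} -V_v & -V_v T_v & 0 & 0 \\ -T_i V_i V_v & -T_i V_i T_v V_v & -V_i & -T_i V_i \end{pmatrix} \begin{pmatrix} \Omega^* \\[1mm] \dfrac{d\Omega^*}{dt} \\[1mm] i^* \\[1mm] \dfrac{di^*}{dt} \end{pmatrix}.$$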

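In the symbolic domain, the transfer function can be obtained either through the Laplace transform of equations (39) and (40) or through the direct analysis of the system block diagram. The d.c. motor is described by

$$\begin{pmatrix} f + Jp & -K \\ K & R + Lp \end{pmatrix} \begin{pmatrix} \Omega \\ i \end{pmatrix} = \begin{pmatrix} 0 \\ U \end{pmatrix} \beta + \begin{pmatrix} 1 \\ 0 \end{pmatrix} C_L \qquad (41)$$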

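while the control equations are

$$\begin{pmatrix} p & 0 \\ -V_i(1 + T_i p) & p \end{pmatrix} \begin{pmatrix} i_{\ } \\ \beta \end{pmatrix} = \begin{pmatrix} V_v(1 + T_v p) \\ 0 \end{pmatrix} \Omega_{\ } + \begin{pmatrix} -V_v(1 + T_v p) & 0 \\ 0 & -V_i(1 + T_i p) \end{pmatrix} \begin{pmatrix} \Omega^* \\ i^* \end{pmatrix}. \qquad (42)$$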

The Bond-graph model of the d.c. motor and its connection with the control system is given by Fig. 2.

6.2.2. The measurement model

The measurement model has the same form in the time and in the symbolic domains (read the values of the variables in the first case, and their Laplace transform in the second one):

$$\begin{pmatrix} \Omega^* \\ i^* \end{pmatrix} = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix} \begin{pmatrix} \Omega \\ i \end{pmatrix} + \begin{pmatrix} e_{\ } \\ e_{\ } \end{pmatrix}. \qquad (43)$$

In the Bond-graph representation, the measurements are the two flow detectors $D_f$ which are connected on the two 1-junctions, measuring, respectively, the speed $\Omega^*$ and the current $i^*$ (see Fig. 2).


Figure 2. Bond graph model of the d.c. motor.

6.2.3. The operating range model

Realistic operating range constraints could be, in our example,

$$U \ge U_{\ }, \qquad i \le i_{\ }. \qquad (44)$$

6.3. ALARM GENERATION

6.3.1. Monitoring the system operating range

Since the current is measured, the constraint $i \le i_{\ }$ can be monitored, using the residual $r = i_{\ } - i^*$ and testing its positivity.

Since $U$ is not measured, one has to estimate its value from the system outputs, in order to monitor the constraint $U \ge U_{\ }$. The estimation could be performed using the system behaviour description (39) as long as the system really operates without faults. Notice that the estimation equations should first be decoupled from the load torque $C_L$, which acts as an unknown input. Under faulty conditions, the estimation could in some cases be continued. This would allow for example to maintain the system operation, even under degraded performances, as long as the operating range constraints are satisfied [7, 8].

6.3.2. Monitoring the system behaviour

Monitoring the system behaviour is not possible using only the measurement equations, since no static redundancy is present. Redundancy can be obtained by expanding the system equations over time, which calls for the knowledge of the behavioural model.

(a) Transfer function representation. Consider the transfer function representation (41), and use the measurement equation (42). One obtains

 

f#Jp K

               X*

!K

R#¸p

p

0

!< (1#¹ p) G G

p

0

i*

i

0

"

0 ;

 " b

i 1 f#Jp !K  # C # * b 0 K R#¸p

!< (1#¹ p) !< (1#¹ p) T T T T X #  0 0

;

X* i*

.

  e  e 

0 !< (1#¹ p) G G



(45)

This is a system of four residuals, which is not surprising since four variables are known. However, monitoring the two last residuals is nothing else than a redundant computation of the control variables $i_{\ }$ and $\beta$ (this is already done in the control law). Putting the two last equations into the two first ones gives two residuals whose computation form depends on the known variables $\Omega_{\ }$, $\Omega^*$ and $i^*$ and also on the unknown load torque. Should the load


torque be known, then the two residuals could be used for alarm generation, since the computation form (on the left-hand side) would only differ from zero, in normal operation, under the influence of the measurement noises $e_{\ }$ and $e_{\ }$ (notice that the noise is differentiated, which is not a very pleasant feature). In our case (and in general) the load torque is unknown, and as indicated previously, strong decoupling techniques would exhibit that part of the system which is perturbation free. It would be obtained here using only the second row of the first equation system. This analytical redundancy relationship (ARR) could be used along with output estimation or parameter estimation procedures in order to develop the two other approaches given in Section 4.2.2. Notice that the qualitative simulation of the transfer equations could not be applied unless the $C_L$-free part of the system has first been obtained.

(b) State-space representation. Using the state-space equations under the numerical form directly gives four ARR (among which two of them just repeat the control algorithm):

  dX* dt

f ! J

K J

K ! ¸

R ! ¸

"

di* dt

        K J

de f 1  ! 0 dt J # J C # ; b! # * i* de K 0  ! ¸ ¸ dt

  X*

  di  dt

0

0

"

db dt



#

< 0 G

   i

< <¹  # T T b <¹ < <¹ < ¹ G G T G G T T



R ! ¸

 e e

 

(46)

  X  dX  dt

!< !< ¹ 0 0 T T T !¹ < < !¹ < ¹ < !< !¹ < G G T G G T T G G G





X* dX* dt . i* di* dt

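Only the second one does not depend on the unknown input $C_L$.

In order to illustrate the observer-based approach, consider the following observer equations:

$$\begin{pmatrix} \dfrac{d\hat\Omega}{dt} \\[2mm] \dfrac{d\hat\imath}{dt} \end{pmatrix} = \begin{pmatrix} -\dfrac{f}{J} & \dfrac{K}{J} \\[2mm] -\dfrac{K}{L} & -\dfrac{R}{L} \end{pmatrix} \begin{pmatrix} \hat\Omega \\ \hat\imath \end{pmatrix} + \begin{pmatrix} 0 \\[1mm] \dfrac{U}{L} \end{pmatrix} \beta + \begin{pmatrix} a & b \\ c & d \end{pmatrix} \begin{pmatrix} \Omega^* - \hat\Omega \\ i^* - \hat\imath \end{pmatrix} \qquad (47)$$

where $a, b, c, d$ are design parameters. Using the notations $e_\Omega = \hat\Omega - \Omega$, $e_i = \hat\imath - i$, the error equation is

$$\begin{pmatrix} \dfrac{de_\Omega}{dt} \\[2mm] \dfrac{de_i}{dt} \end{pmatrix} = \begin{pmatrix} -\dfrac{f}{J} - a & \dfrac{K}{J} - b \\[2mm] -\dfrac{K}{L} - c & -\dfrac{R}{L} - d \end{pmatrix} \begin{pmatrix} e_\Omega \\ e_i \end{pmatrix} - \begin{pmatrix} \dfrac{1}{J} \\[2mm] 0 \end{pmatrix} C_L + \begin{pmatrix} a & b \\ c & d \end{pmatrix} \begin{pmatrix} e_{\ } \\ e_{\ } \end{pmatrix}. \qquad (48)$$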


Choose $a = -K/L$ and $-R/L - d < 0$; then the second error equation is independent of the unknown load torque, and the current estimation converges towards the true value in normal operation, which provides the following residual: $r = i^* - \hat\imath$.

(c) Graphic models. The Bond graph model of the system is shown in Fig. 2. The three sub-graphs whose outer vertices correspond to known variables can directly be extracted and are shown in Fig. 3 (two of them are the control algorithm, one corresponds to the $C_L$-free part of the system).

The same result can be obtained using the structural graph approach. Consider the six system equations (F1–F6), from the block diagram, and the two measurement equations (M1, M2):

$$e_V - \Omega_{\ } + \Omega^* = 0$$
$$V_V(1 + T_V p)e_V - p\,i_{\ } = 0$$
$$e_i - i_{\ } + i^* = 0$$
$$V_i(1 + T_i p)e_i - p\beta = 0$$
$$\beta U - K\Omega - (R + Lp)i = 0$$
$$C_L - Ki - (f + Jp)\Omega = 0$$
$$\Omega^* = \Omega + e_{\ }$$
$$i^* = i + e_{\ }.$$

The incidence matrix of the structural graph is shown in Fig. 4 (zeros are omitted). The analysis of this graph exhibits three ARR computation schemes which are independent of $C_L$ (Fig. 5).

Figure 3. The analytical redundancy relations obtained from the Bond graph description.

Figure 4. Structural graph incidence matrix of the d.c. motor system (rows F1–F6, M1, M2).


Figure 5. ARR computation scheme issued from the analysis of the structural graph.
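The structural analysis of Section 6.3.2(c) can be carried out mechanically from the list of constraints. The following is an added example, not code from the paper: it builds the constraint/unknown-variable graph, computes a maximum matching, and reads one ARR computation scheme off each unmatched constraint. Assumed here: the six system equations are numbered F1–F6 in the order listed, the set-points, controller outputs and sensor readings are known, measurement noise is ignored, and the variable names `e_V`, `e_i`, `Omega`, `i`, `C_L` are labels chosen for this sketch.

```python
"""Structural analysis of the d.c. motor constraints F1-F6, M1, M2 (added example)."""

# Unknown variables appearing in each constraint; known quantities are dropped.
# Assumption: F1-F6 follow the order in which the text lists the equations.
CONSTRAINTS = {
    "F1": {"e_V"},                # speed error from set-point and measured speed
    "F2": {"e_V"},                # speed PI controller
    "F3": {"e_i"},                # current error from reference and measured current
    "F4": {"e_i"},                # current PI controller
    "F5": {"Omega", "i"},         # electrical equation of the motor
    "F6": {"C_L", "Omega", "i"},  # mechanical equation, load torque unknown
    "M1": {"Omega"},              # speed sensor
    "M2": {"i"},                  # current sensor
}


def maximum_matching(constraints):
    """Augmenting-path matching; returns {unknown variable: constraint solving it}."""
    match = {}

    def assign(c, seen):
        for v in sorted(constraints[c]):
            if v in seen:
                continue
            seen.add(v)
            # Take v if it is free, or if its current solver can move elsewhere.
            if v not in match or assign(match[v], seen):
                match[v] = c
                return True
        return False

    for c in sorted(constraints):
        assign(c, set())
    return match


def redundancy_relations(constraints):
    """One ARR per unmatched constraint: the constraint itself plus every
    constraint needed to compute the unknowns it involves (alternated chain)."""
    match = maximum_matching(constraints)
    matched = set(match.values())
    arrs = set()
    for c in sorted(constraints):
        if c in matched:
            continue
        support, stack = {c}, [c]
        while stack:
            for v in constraints[stack.pop()]:
                # With a maximum matching every variable reached from an
                # unmatched constraint is matched, so the lookup cannot fail.
                solver = match[v]
                if solver not in support:
                    support.add(solver)
                    stack.append(solver)
        arrs.add(frozenset(support))
    return arrs


def structural_report(constraints):
    """Split the constraints into the monitorable (over-determined) part and the rest."""
    arrs = redundancy_relations(constraints)
    monitorable = set().union(*arrs) if arrs else set()
    return {
        "arrs": arrs,
        "monitorable": monitorable,
        "not_monitorable": set(constraints) - monitorable,
    }


if __name__ == "__main__":
    report = structural_report(CONSTRAINTS)
    for arr in sorted(report["arrs"], key=sorted):
        print("ARR built from:", sorted(arr))
    print("not monitorable:", sorted(report["not_monitorable"]))
```

Under these assumptions the analysis yields three redundancy relations, two built from the controller equations alone and one from F5 with the two sensors, while F6 only serves to compute the load torque and is therefore not monitorable.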

6.4. ALARM INTERPRETATION

6.4.1. Fault models

The three faults we decided to consider in the FDI problem statement can be very easily modelled. The two sensor faults are represented by:

speed sensor: $\Omega^* = \Omega + f_\Omega$
current sensor: $i^* = i + f_i$.

Notice that the fault vectors are deterministic and in general unknown. However, different fault hypotheses can be represented by some appropriate choices: $f_i = \text{constant}$ would represent a bias, while $f_i = -i$ would represent a blackout of the current sensor. The power supply fault could also be represented by a deviation $U + f_U$ of the nominal value $U$. From equation (39) one sees that such a fault model is a multiplicative one. When graphic approaches are considered, the sensor fault models are qualitative ones: the measurement constraints M1 and M2 are not satisfied, the variable $U$ has improper values. Of course, if ARR should be deduced from the graphic chains, analytic component models would have to be used.

6.4.2. Relation between symptoms and faults

(a)

Possible causes

$i^* > i_{\ }$:
• Fault on the current sensor
• Input voltage $U$ too high
• Speed $\Omega$ too low (could be a consequence of load torque too high)

Remember $U \ge U_{\ }$ could not be supervised unless some specific sensor or identification procedure was implemented. Suppose this has been done; an alarm on $U$ would have to be explained by introducing some knowledge which up to now is not present, for example:

Symptom: $U < U_{\ }$

Possible causes:
• Short circuit in the load
• Malfunction of the transformer

Influence graph: The interpretation of a current alarm could also use the graph representing the different influences on the current variable, which appear in Fig. 6.

(b)

Fault        r    ρ
f_i          1    1
f_Ω          1    1
f_{C_L}      0    1
f_u          1    0

Figure 6. The influence graph of the current variable.


Figure 7. Evolution of the $C_L$-free residual in the case of a speed sensor blackout.

showing the possibility to isolate the three groups of faults $\{f_i, f_\Omega\}$ with signature (1, 1), $\{f_{C_L}\}$ with signature (0, 1) and $\{f_u\}$ with signature (1, 0).

7. CONCLUSION

This paper has presented an attempt to integrate both numerical and qualitative model-based approaches in a unified view of model-based FDI. In order to keep the presentation focused on the FDI design procedure, only very simple mathematical developments have been presented. Many problems have not been addressed at all, or have not been developed (non-linear systems, residual optimisation, banks of observers, different kinds of fault models, relation between the different fault models, etc.). Further material can be found in the quoted references.

Two functional levels of FDI procedures have been distinguished, namely alarm generation and alarm interpretation. Two levels of the available knowledge are also recognised: the first one describes what the operator wishes (operating range model), the second one describes what the system does (measurement and behavioural models). Faults and perturbations can only be introduced in the second one, which is why it can be used at both the alarm generation and the alarm interpretation levels. On the contrary, alarm-generation procedures based on the operating range model need some extra knowledge for the interpretation task, which can only be qualitatively described.

Numerical models are well suited to describe the two levels of knowledge; however they are difficult to obtain and to identify in the case of large-scale systems, and they cannot be easily understood by operators. Qualitative models are of a more direct understanding but the only alarm generation approach they allow is the output estimation one. Bond graphs and structural graphs deserve special attention since they are at the interface of both kinds of models, and can be easily understood. They both can be used for alarm-generation and for alarm-interpretation tasks.

REFERENCES

1. R. ISERMAN 1984 Automatica 20, 387–404. Process fault detection based on modeling and estimation methods – a survey.
2. R. J. PATTON, P. M. FRANK and R. N. CLARK 1989 Fault Diagnosis in Dynamical Systems. Theory and Application. Englewood Cliffs, NJ: Prentice-Hall.
3. D. DVORAK and B. J. KUIPERS 1989 In Proceedings of the 11th Joint Conference on Artificial Intelligence, Detroit, 1238–1243; In Readings in Model-Based Diagnosis. Los Altos, CA: Morgan Kaufman. Model-based monitoring of dynamic systems.
4. W HAMSHER, L. CONSOLE and J. DE KLEER (eds.) 1991 Readings in Model Based Diagnosis. Los Altos, CA: Morgan Kaufman.
5. J. U THOMA 1975 Introduction to Bond-Graph and their Applications. New York: Pergamon Press.
6. B. J. KUIPERS 1994 Qualitative Reasoning – Modeling and Simulation with Incomplete Knowledge. Cambridge, MA: MIT Press.
7. M. STAROSWIECKI and D. GUERCHOUH 1999 In Proceedings of 14th IFAC World Congress, Beijing, Vol. P. 109–114. A Parity Space Approach for Monitoring Inequality Constraints, Part 1: Static Case.
8. D. GUERCHOUH and M. STAROSWIECKI 1999 In Proceedings of 14th IFAC World Congress, Beijing, Vol. P. 115–120. A Parity Space Approach for Monitoring Inequality Constraints, Part 2: Dynamic Case.
9. M. BASSEVILLE and I. V. NIKIFOROV 1993 Detection of Abrupt Changes – Theory and Applications. Information and System Sciences Series. Englewood Cliffs, NJ: Prentice-Hall.
10. J. E. POTTER and M. C. SUMAN 1977 Electronic Flight Control Systems. Agadograph 224, 15–25. Thresholdless redundancy management with array of skewed instrument.
11. A. S. WILSKY, E. Y. CHOW, X. C. LOU and G. C. VERGHESE 1984 IEEE Transactions on Automatic Control AC-29, 603–614. Analytical redundancy and the design of robust failure detection systems.
12. J. J. GERTLER 1991 In Proceedings of the Safeprocess'91 IFAC/IMACS Symposium, Baden, vol. 1, 9–21. Analytical redundancy methods in fault detection and isolation – a survey and synthesis.
13. M. STAROSWIECKI, J. Ph. CASSAR and V. COCQUEMPOT 1993 In Proceedings of the 12th IFAC World Congress, Sydney. Generation of optimal structured residuals in the parity space.
14. G. DELMAIRE, J. Ph. CASSAR and M. STAROSWIECKI 1994 In Proceedings of the 33rd IEEE Conference on Decision and Control (CDC'94), Miami. Identification and parity space techniques for failure detection in SISO systems including modelling errors.
15. G. DELMAIRE, J. Ph. CASSAR and M. STAROSWIECKI 1995 In Proceedings of the European Control Conference (ECC'95), Rome. Comparison of generalised least square identification and parity space techniques for FDI purpose in SISO systems.
16. L. LEYVAL 1991 Ph.D. thesis, INPG, Grenoble. Raisonnement causal pour la simulation de procédés industriels continus.
17. V. BANDEKAR 1989 Artificial Intelligence in Engineering 4. Causal models for diagnostic reasoning.
18. S. GENTIL and J. MONTMAIN 1996 In Proceedings of IEEE/IMACS Conference in CESA'96, Lille. Operation support for alarm filtering.
19. P. M. FRANK 1993 In Proceedings of the International Conference on Fault Diagnosis (Tooldiag '93), Toulouse. Advances in observer-based fault diagnosis.
20. H. HAMMOURI, M. KINNAERT and E. H. EI YAAGOUBI 1994 In Proceedings 33rd IEEE Conference on Decision and Control (CDC'94), Orlando, 1548–1553. Residual generator synthesis for bilinear systems up to output injection.
21. D. N. YU and D. N. SHIELDS 1995 In Proceedings of the 3rd European Control Conference (ECC'95), Rome, 360–366. Fault diagnosis in bilinear systems – a survey.
22. Q. ZHANG 1996 In Proceedings of the 35th IEEE Conference on Decision and Control (CDC'96), Kobe. Using non-linear black-box models in fault detection.
23. G. COMTET-VARGA, J. Ph. CASSAR and M. STAROSWIECKI 1997 In Proceedings of the 4th European Control Conference (ECC'91), Brussels. Analytic redundancy relations for state affine systems.
24. C. GUERNEZ, J. Ph. CASSAR and M. STAROSWIECKI 1997 In Proceedings of the Safeprocess'97 IFAC Symposium, Hull. Extension of parity space to non-linear polynomial dynamic systems.
25. G. COMTET-VARGA and M. STAROSWIECKI 1998 LAIL Internal Report, University Lille I. Analytic redundancy relations for fault detection and isolation in algebraic dynamic systems.
26. B. J. KUIPERS 1986 Artificial Intelligence 29, 289–338. In Readings in Qualitative Reasoning About Physical Systems. Los Altos, CA: Morgan Kaufmann. Qualitative simulation.
27. M. TAGINA, J. Ph. CASSAR, G. DAUPHIN-TANGUY, M. STAROSWIECKI 1998 JESA 31, 1489–1508. Localisation de défaillances par l'approche Bond-graph.
28. M. STAROSWIECKI and Ph. DECLERCK 1989 In Proceedings of the IFAC Symposium on Advanced Information Processing in Automatic Control (AIPAC'89), Nancy, vol. II, 23–27. Analytical redundancy in non-linear interconnected systems by means of structural analysis.
29. A. L. DULMAGE and N. S. MENDELSHON 1958 Canadian Journal of Mathematics 10, 517–534. Covering of bipartite graphs.
30. C. BERGE 1973 Graphes et hypergraphes. Paris: Dunod.
31. K. MUROTA 1987 System Analysis by Graphs and Matroids. Berlin: Springer-Verlag.
32. Ph. DECLERCK and M. STAROSWIECKI 1991 In Proceedings of the 9th IFAC/IFORS Symposium on Identification and System Parameter Estimation, Budapest. Identification of structurally solvable subsystems for the design of fault detection and isolation schemes, using the embedding procedure.
33. Ph. DECLERCK and M. STAROSWIECKI 1991 In Proceedings of the European Control Conference (ECC'91), Grenoble. Characterization of the canonical components of a structural graph for fault detection in large scale industrial plants.
34. V. COCQUEMPOT, J. Ph. CASSAR and M. STAROSWIECKI 1991 In Proceedings of the European Control Conference (ECC'91), Grenoble, 309–314. Generation of robust analytical redundancy relations.
35. P. BOURSEAU, K. BOUSSON, Ph. DAGUE, J.-L. DORMOY, J-M. EVRARD, F. GUERRIN, L. LEYVAL, O. LHOMME, B. LUCAS, A. MISSIER, J. MONTMAIN, N. PIERA, N. RAKOTO-RAVALONTSALAMA, J-P. STEYER, J.-P. M. TOMASENA, L. TRAVÉ-MASSUYÈS, M. VESCOVI, S. XANTHAKIS and B. YANNOU 1995 AI Communications Journal (Special issue) 8, 119–192. Qualitative reasoning: a survey of techniques and applications.
36. S. CAUVIN, M.-O. CORDIER, C. DOUSSON, G. DEFLANDRE, P. LABORIE, F. LÉVY, J. MONTMAIN, M. PORCHERON, I. SERVET and L. TRAVÉ-MASSUYÈS 1998 AI Communications 11, 139–173. Monitoring and alarm interpretation in industrial environments.
37. L. CONSOLE, THESEIDER DUPRE and P. TORASSO 1989 Methodologies for Intelligent Systems 4, 175–182. Abductive reasoning through direct deduction from completed domain models.
38. M. PORCHEON and B. RICARD 1997 In Proceedings of the International Workshop on Principles of Diagnosis (DX'97), Le Mont-St-Michel, 87–94. An application of abductive diagnostic methods to a real world problem.
39. M. OUASSIR 1997 Ph.D. thesis. University of Compiègne.
Contribution au diagnostic de syste`mes dynamiques par l'utilisation de graphes orienteH s signeH s. 40. D. FONTAINE 1994 Revue d1Intelligence Arti,cielle, 8+1. Reconnaissance de sceH narios temporels. 41. F. LED VY 1994 In Proceedings of the 5th International =orkshop on Principles of Diagnosis (DX194), New Paltz, 174}178. Recognising scenarios: a study. 42. P. M. FRANK 1990 Automatica 26, 459}474. Fault diagnosis in dynamic systems using analytical and knowledge-based redundancy*a survey. 43. J. J. GERTLER and D. SINGER 1990 Automatica 26, 381}388. A new structural framework for parity space equation based failure detection and isolation.