- Email: [email protected]
Robust Supervisory Control of a Spacecraft Propulsion System
20th IFAC Symposium on Automatic Control in Aerospace 20th IFAC Symposium on Automatic Control in Aerospace August 21-25, 2016. Sherbrooke, Quebec, Canada 20th IFAC IFAC Symposium on Automatic Automatic Control in Aerospace Aerospace 20th Symposium on Control in August 21-25, 2016. Sherbrooke, Quebec, Canada Available online at www.sciencedirect.com August Canada August 21-25, 21-25, 2016. 2016. Sherbrooke, Sherbrooke, Quebec, Quebec, Canada
ScienceDirect Robust Robust Robust
IFAC-PapersOnLine 49-17 (2016) 200–205
Supervisory Control of a Supervisory Supervisory Control Control of of a a Propulsion System Propulsion System Propulsion System
Spacecraft Spacecraft Spacecraft
Farid Farid Yari, Yari, Shahin Shahin Hashtrudi-Zad, Hashtrudi-Zad, Siamak Siamak Tafazoli Tafazoli Farid Farid Yari, Yari, Shahin Shahin Hashtrudi-Zad, Hashtrudi-Zad, Siamak Siamak Tafazoli Tafazoli Department of Electrical and Computer Engineering, Department of Electrical and Computer Engineering, Department of and Computer Engineering, Concordia University, Montr´ eeal, QC, H3G Department of Electrical Electrical and Engineering, Concordia University, Montr´ al,Computer QC, Canada Canada H3G 1M8 1M8 Concordia University, Montr´ e al, QC, Canada H3G ff [email protected], [email protected], [email protected] Concordia University, Montr´eal, QC, Canada H3G 1M8 1M8 [email protected], [email protected], [email protected] ff [email protected], [email protected], [email protected], [email protected], [email protected] [email protected] Abstract: Abstract: In In this this paper paper the the theory theory of of supervisory supervisory control control of of discrete-event discrete-event systems systems is is used used Abstract: In this paper the theory of supervisory control of discrete-event systems is to develop command sequences for turning on and off a spacecraft propulsion subsystem. The Abstract: In this paper the theory of supervisory control of discrete-event systems is used used to develop command sequences for turning on and off a spacecraft propulsion subsystem. The to develop command sequences for turning on and off aa spacecraft propulsion subsystem. The subsystem considered is a simplified version of the Propulsion Module Subsystem of the Cassini to develop command sequences for turning on and off spacecraft propulsion subsystem. The subsystem considered is a simplified version of the Propulsion Module Subsystem of the Cassini subsystem considered is a simplified version of the Propulsion Module Subsystem of the Cassini spacecraft. The supervisor controls the system in such a way that the design specifications subsystem considered is a simplified of theinPropulsion Module the Cassini spacecraft. The supervisor controls version the system such a way that Subsystem the design of specifications spacecraft. The supervisor controls the system system in operation. such aa way wayThe thatstudy the design design specifications are satisfied in normal and modes shows to spacecraft. supervisor the in such that the specifications are satisfiedThe in both both normalcontrols and faulty faulty modes of of operation. The study shows that that to meet meet are satisfied in both normal and faulty modes of operation. The study shows that to meet the specifications of both modes, the supervisor has to be a “robust” supervisor, and are satisfied in both normal and faulty modes of operation. The study shows that meetaa the specifications of both modes, the supervisor has to be a “robust” supervisor, andtothat that the specifications of both modes, the supervisor has to be aa “robust” supervisor, and that a conventional (non-robust) supervisor could lead to engine getting stuck in shutdown state. the specifications of both modes, the supervisor has to be “robust” supervisor, and that conventional (non-robust) supervisor could lead to engine getting stuck in shutdown state. a conventional (non-robust) supervisor could lead to engine getting stuck in shutdown state. conventional (non-robust) supervisor could lead to engine getting stuck in shutdown state. © 2016, IFAC (International Federation of Automatic Control) Hosting by Elsevier Ltd. All rights reserved. Keywords: Keywords: Supervisory Supervisory control, control, Spacecraft Spacecraft propulsion, propulsion, Fault Fault recovery, recovery, Discrete-event Discrete-event systems, systems, Keywords: Supervisory control, Spacecraft propulsion, Fault recovery, Discrete-event Robust control. Keywords: Supervisory control, Spacecraft propulsion, Fault recovery, Discrete-event systems, systems, Robust control. Robust Robust control. control. 1. visory 1. INTRODUCTION INTRODUCTION visory control control of of discrete-event discrete-event systems systems (DES). (DES). In In [Lin [Lin 1. INTRODUCTION visory control of discrete-event systems (DES). In (1993)], the plant model belongs to a finite family of 1. INTRODUCTION This visory control of discrete-event systems (DES).family In [Lin [Lin the plant model belongs to a finite of This paper paper is is concerned concerned with with the the design design of of supervisory supervisory (1993)], (1993)], the plant model belongs to a finite family of DES models G ,...,G , and the objective is to design a This paper is concerned with the design of supervisory 1 n control system for spacecraft propulsion system. Specif(1993)], the plant model belongs to a finite family of This paper is concerned with the design of supervisory DES models G ,...,G , and the objective is to design a 1 n control system for spacecraft propulsion system. Specif- DES models G ,...,G , and the objective is to design a supervisor such that all plant models under supervision 1 n control system for spacecraft propulsion system. Specifically we seek to design a controller (supervisor) that DES models G ,...,G , and the objective is to design a 1 n controlwe system spacecraft propulsion(supervisor) system. Specifsuch that all plant models under supervision ically seek for to design a controller that supervisor supervisor such that all plant models under supervision satisfy a common design specification. [Bourdon et al. ically we seek to design aa sequences controller (supervisor) that issues appropriate command to turn on and off supervisor such that all plant models under supervision ically we seek to design controller (supervisor) that a common design specification. [Bourdon et al. issues appropriate command sequences to turn on and off satisfy satisfy a common design specification. [Bourdon et al. the results of to issues appropriate command sequences to and the engines of satisfy common et inal. issues appropriate commandspacecraft sequencespropulsion to turn turn on on system. and off off (2005)] (2005)] aextends extends the design results specification. of [Lin [Lin (1993)] (1993)][Bourdon to the the case case inthe engines of aa simplified simplified spacecraft propulsion system. (2005)] extends the results of [Lin (1993)] to the case involving separate design specifications for each plant model the engines of a simplified spacecraft propulsion system. The objective is to enhance spacecraft autonomy. The (2005)] extends the results of [Lin (1993)] to the case inthe engines of a simplified spacecraft propulsion system. volving separate design specifications for each plant model The objective is to enhance spacecraft autonomy. The volving separate design specifications for plant and the nonblocking property. The The is enhance autonomy. The subject of has by separate specifications for each each plant model model The objective objective is to to autonomy enhance spacecraft spacecraft autonomy. The volving and considers considers thedesign nonblocking property. The nonblocking nonblocking subject of spacecraft spacecraft autonomy has been been studied studied by many many and considers the nonblocking property. The nonblocking property is guaranteed through the (sufficient condition subject of spacecraft autonomy has been studied by many researchers. Notably, the diagnosis and recovery system, and considers the nonblocking property. The nonblocking subject of spacecraft autonomy has been studied by many is guaranteed through the (sufficient condition researchers. Notably, the diagnosis and recovery system, property property is through the condition of) property. [Saboori and Zad researchers. the diagnosis and recovery system, Livingstone, has designed based on probabilistic disis guaranteed guaranteed through the (sufficient (sufficient condition researchers. Notably, Notably, diagnosis system, of) nonconflicting nonconflicting property. [Saboori and Hashtrudi Hashtrudi Zad Livingstone, has been been the designed basedand on recovery probabilistic dis- property of) nonconflicting property. [Saboori and Hashtrudi Zad (2006)] extends the results of [Bourdon et al. (2005)] to Livingstone, has been designed based on probabilistic discrete models [Muscettola et al. (1998)]. Livingstone was of) nonconflicting property. [Saboori and Hashtrudi Livingstone, been designed on probabilistic dis- (2006)] extends the results of [Bourdon et al. (2005)]Zad to crete models has [Muscettola et al.based (1998)]. Livingstone was (2006)] extends the results of [Bourdon et al. (2005)] to the case of control under partial observation. Furthercrete models [Muscettola et al. (1998)]. Livingstone was tested on Deep Space 1 (1998) and its successor, Living(2006)] extends the results of [Bourdon et al. (2005)] to crete models [Muscettola et al. (1998)]. Livingstone was case of control under partial observation. Furthertested on Deep Space 1 (1998) and its successor, Living- the the case of control under partial observation. Furthermore, [Saboori and Hashtrudi Zad (2006)] replaces the tested on Deep Space 1 (1998) and its successor, Livingstone 2, was used on Earth Observing 1 (2000). In another the case of control under partial observation. Furthertested on Deep Space 1 (1998) and its successor, Living[Saboori and Hashtrudi Zad (2006)] replaces the stone 2, was used on Earth Observing 1 (2000). In another more, more, [Saboori [Saboori and and Hashtrudi Hashtrudi Zad (2006)] replaces replaces the nonconflicting with G property stone used on Observing 11 (2000). another approach, methods of formal have been more, (2006)] the stone 2, 2, was wasthe used on Earth Earth (2000). In In another nonconflicting property property with the theZad Gii -nonblocking -nonblocking property approach, the methods of Observing formal verification verification have been to nonconflicting property with the G -nonblocking property obtain a set of necessary and sufficient conditions i approach, the methods of formal verification have been used to verify if a given control logic satisfies the design nonconflicting property with the G -nonblocking property i approach, the ifmethods formallogic verification havedesign been to obtain a set of necessary and sufficient conditions for for used to verify a given of control satisfies the to obtain aa set of necessary and sufficient conditions the solvability of the robust control problem. used to verify if aa e.g. given control logic satisfies the design specifications (see, [Pekala et al. (2008)] and [Bensalem to obtain set of necessary and sufficient conditions for for used to verify if given control logic satisfies the design solvability of the robust control problem. specifications (see, e.g. [Pekala et al. (2008)] and [Bensalem the the solvability of the robust control problem. specifications (see, e.g. [Pekala et al. (2008)] and [Bensalem et al. (2010)]). the solvability of the robust control problem. specifications (see, e.g. [Pekala et al. (2008)] and [Bensalem Robust et al. (2010)]). Robust control control is is used used to to deal deal with with model model changes. changes. For For et (2010)]). et al. al. (2010)]). Robust control is used to deal with model changes. For instance, in some fault recovery problems, the plant In this paper we apply the Ramadge-Wonham theory of Robust control is used to deal with model For in some fault recovery problems, thechanges. plant starts starts In this paper we apply the Ramadge-Wonham theory of instance, instance, in some fault recovery problems, the plant starts in normal mode and may enter one of several faulty modes. In this paper we apply the Ramadge-Wonham theory of supervisory control ([Ramadge and Wonham (1987); Woninstance, in some fault recovery problems, the plant starts In this paper we apply the Ramadge-Wonham theory of in normal mode and may enter one of several faulty modes. supervisory control ([Ramadge and Wonham (1987); Won- Each in normal normal mode mode and and may may enter enterdesign one of of several several faulty and modes. specification set supervisory control ([Ramadge Wonham (1987); Wonham (2014)]) to design controller (supervione faulty modes. supervisory ([Ramadge and and Wonham (1987); Won- in Each mode mode can can have have its its own own design specification and set ham (2014)])control to systematically systematically design controller (superviEach mode can have its own design specification and set of marked states. This control and fault recovery problem ham (2014)]) to systematically design controller (supervisor) from the design specifications based on deterministic Each mode can have its own design specification and set ham from (2014)]) systematically design controller (supervi- of marked states. This control and fault recovery problem sor) the to design specifications based on deterministic of marked states. This control and fault recovery problem can be solved as a robust control problem [Saboori and sor) from the design specifications based on deterministic discrete-event models. The resulting supervisor (which will of marked states. This control and fault recovery problem sor) from the design specifications based on deterministic be solved as a robust control problem [Saboori and discrete-event models. The resulting supervisor (which will can can be as aa robust Zad (2005)]. discrete-event models. The supervisor (which will be in of is guaranteed to can be solved solved robust control control problem problem [Saboori [Saboori and and discrete-event The resulting resulting will Hashtrudi Hashtrudi Zad as (2005)]. be in the the form formmodels. of an an automaton) automaton) is supervisor guaranteed(which to satisfy satisfy Hashtrudi Zad (2005)]. be in the form of an automaton) is guaranteed to satisfy the specifications. We study a simplified version of the Hashtrudi Zad (2005)]. be in the form of an automaton) is guaranteed to satisfy [Yari and Hashtrudi Zad (2016)] develops automatonthe specifications. We study a simplified version of the [Yari and Hashtrudi Zad (2016)] develops automatonthe We study simplified version of the Propulsion Module Subsystem of Cassini spacethe specifications. specifications. study aa(PMS) simplified the based [Yari Hashtrudi Zad develops automatoncomputational for the of Propulsion Module We Subsystem (PMS) of the theversion Cassini of space[Yari and and Hashtrudi procedures Zad (2016)] (2016)] automatonbased computational procedures fordevelops the design design of robust robust Propulsion Module Subsystem (PMS) of the Cassini spacecraft. Our study shows that the application of conventional Propulsion Module Subsystem (PMS) of the Cassini spacebased computational computational procedures for the theZad design of robust robust supervisors of [Saboori and Hashtrudi (2006)]. The craft. Our study shows that the application of conventional based procedures for design of supervisors of [Saboori and Hashtrudi Zad (2006)]. The craft. Our study shows that the application of conventional (non-robust) supervisory control [Ramadge Wonham craft. Our study shows that the application conventional of [Saboori and Hashtrudi Zad (2006)]. The procedures have been implemented in MATLAB environ(non-robust) supervisory control [Ramadgeofand and Wonham supervisors supervisors of [Saboori and Hashtrudi Zad (2006)]. The procedures have been implemented in MATLAB environ(non-robust) supervisory control [Ramadge and Wonham (1987)] does not result in the appropriate command se(non-robust) supervisory control [Ramadge and Wonham procedures have been implemented in MATLAB environment using Discrete Event Control Kit (DECK) ([DECK (1987)] does not result in the appropriate command se- procedures have been implemented in MATLAB environusing Discrete Event Control Kit (DECK) ([DECK (1987)] not in command sequences. However, an of to (1987)] does does not result result in the the appropriate appropriate command se- ment ment using Discrete Event Control Kit ([DECK (2013)]). In this these procedures are to quences. However, an extension extension of this this approach approach to the the ment using Event Control Kit (DECK) (DECK) (2013)]). In Discrete this paper, paper, these procedures are used used ([DECK to solve solve quences. However, an extension of this approach to the Robust Supervisory Control ([Saboori and Hashtrudi Zad quences. However, an extension of this approach to the (2013)]). In and this fault paper,recovery these procedures procedures arethe used to solve solve the control problem for simplified Robust Supervisory Control ([Saboori and Hashtrudi Zad (2013)]). In this paper, these are used to the control and fault recovery problem for the simplified Robust Supervisory Control ([Saboori and Hashtrudi Zad (2006)]) produces desired solution. Robust Supervisory control and fault recovery problem for the simplified spacecraft propulsion system. Our study shows that (2006)]) produces the theControl desired([Saboori solution. and Hashtrudi Zad the the control and fault recovery problem for the simplified spacecraft propulsion system. Our study shows that to to (2006)]) produces the solution. (2006)]) produces the desired desired solution. spacecraft propulsion system. Our study shows that to arrive appropriate control logic satisfying design The concept of robust control arises in control theory system. showsall to arrive at at an anpropulsion appropriate controlOur logicstudy satisfying allthat design The concept of robust control arises in control theory spacecraft arrive at an appropriate control logic satisfying all design specifications, the supervisor has to be a robust supervisor. The concept of robust control arises in control theory in dealing with modeling uncertainties or model changes. arrive at an appropriate control logic satisfying all design The concept of robust control arises in control theory specifications, the supervisor has to be a robust supervisor. in dealing with modeling uncertainties or model changes. Furthermore, specifications, the the features supervisor has to be aa robust robust supervisor. of the system studied here in with uncertainties orformodel changes. Several approaches have explored robust superthe supervisor be in dealing dealing with modeling modeling uncertainties changes. Furthermore, the features of has the to system studiedsupervisor. here that that Several approaches have been been exploredor formodel robust super- specifications, Furthermore, the features of the system studied here that necessitate the use of robust supervisor seem to be present Several approaches have been explored for robust superFurthermore, the features of the system studied here that Several approaches have been explored for robust supernecessitate the use of robust supervisor seem to be present This work was supported in part by Natural Sciences and Enginecessitate the use of robust supervisor seem to be present in many other aerospace systems as well. This work was supported in part by Natural Sciences and Enginecessitate the use of robust supervisor seem to be present in many other aerospace systems as well. This work neering Research of Canada grantand RGPIN was supported in by Sciences Engiin many many other other aerospace aerospace systems systems as as well. well. This work was Council supported in part part (NSERC) by Natural Naturalunder Sciences Engineering Research Council of Canada (NSERC) under grantand RGPINin 227688-2011. neering Research Council Council of of Canada Canada (NSERC) (NSERC) under under grant grant RGPINRGPINneering Research 227688-2011. 227688-2011. 227688-2011. Copyright©©2016, 2016 IFAC (International Federation of Automatic Control) 200Hosting by Elsevier Ltd. All rights reserved. 2405-8963 Copyright © 2016IFAC IFAC 200 Copyright 2016 IFAC 200 Copyright ©under 2016responsibility IFAC 200Control. Peer review © of International Federation of Automatic
10.1016/j.ifacol.2016.09.035
IFAC ACA 2016 August 21-25, 2016. Quebec, Canada
Farid Yari et al. / IFAC-PapersOnLine 49-17 (2016) 200–205
201
This paper is organized as follows. Sec. 2 reviews some preliminaries of supervisory control. Sec. 3 formulates the supervisory control and fault recovery problem. Sec. 4 discusses the simplified propulsion system and the design of supervisor. Sec. 5 further analyzes the results and provides comments on the methodology and its relation to other approaches. The paper is concluded in Sec. 6.
for s ∈ Σ∗ (generated in G), S(s) is the set of events enabled by the supervisor. Let S/G represent the plant G under the supervision of S (or the closed-loop system). Thus the Supervisory Control Problem (SCP) is to find a supervisor S such that (1) Lm (S/G) ⊆ E, and (2) S/G is nonblocking. ((1) and (2) imply that all sequences in L(S/G) are legal.)
2. PRELIMINARIES
Next we consider the robust supervisory control problem which can be regarded as an extension of SCP. Problem 1. Robust Nonblocking Supervisory Control Problem (RNSCP) [Bourdon et al. (2005); Saboori and Hashtrudi Zad (2006)]. Consider the set of plant models G = {G1 , ..., Gn } with Gi = (Xi , Σi , ηi , x0,i , Xm,i ) where i ∈ I = {1, 2, ..., n}. Let the controllable and uncontrollable sets of events in Gi be denoted by Σc,i and Σuc,i respectively. It is assumed that all plant models agree on the controllability of events, that is Σc,i ∩ Σuc,j = ∅ for all i, j ∈ I. Furthermore, suppose language Ki denotes the design specification for plant model Gi and hence Ei = Ki ∩ Lm (Gi ) denotes the corresponding legal marked behavior. Design a supervisor S such that (1) Lm (S/Gi ) ⊆ Ei and (2) S/Gi is nonblocking, for all i ∈ I.
In this section, we briefly review the supervisory control of DES [Wonham (2014); Cassandras and Lafortune (2008)]. Languages and Automata. A finite set of symbols, Σ, is called an alphabet. A sequence of symbols σ1 σ2 ...σn (with σi ∈ Σ) is called a word or sequence. A sequence with no symbols is called the empty sequence and denoted by . Σ∗ denotes the set of all finite sequences. Any subset of Σ∗ is called a language. A deterministic automaton G = (X, Σ, η, x0 , Xm ) is a model for a discrete-event system with X the state set, Σ the finite set of events, η : X × Σ −→ X the partial transition function, x0 the initial state and Xm ⊆ X the set of marked states. The set of sequences that can be generated by automaton G (from initial state x0 ) is called the closed behavior of G: L(G) = {s ∈ Σ∗ | η(x0 , s) is defined}. The subset of L(G) consisting of sequences that end in a marked state is referred to as the marked behavior of G: Lm (G) = {s ∈ L(G) | η(x0 , s) ∈ Xm }.
A state x ∈ X is called reachable if there exists a sequence s ∈ L(G) from x0 to x. Also, a state x is called coreachable if there is a sequence, say s, from x to some marked state. A DES G is nonblocking if every reachable state of G is coreachable. A nonblocking automaton is free of deadlocks and livelocks. An automaton is trim if all of its states are reachable and coreachable. The product of automata G1 and G2 is denoted by G1 × G2 and generates L(G1 ) ∩ L(G2 ) and marks Lm (G1 ) ∩ Lm (G2 ). The synchronous product (parallel composition) of G1 and G2 is denoted by sync(G1 , G2 ) and can be used to model the joint operation of G1 and G2 . Supervisory Control. Consider a plant modeled by a DES G. Suppose a language E ⊆ Lm (G) represents the legal marked behavior ; i.e., the marked sequences that satisfy the design specifications. In the supervisory control theory, a supervisor S is to be designed to restrict the behavior of the plant G to the legal behavior E and to ensure that the resulting system is nonblocking (Fig. 1). It is assumed that the plant event set Σ can be partitioned
Thus in RNSCP we seek to find a supervisor S such that (for every i) S/Gi is nonblocking and satisfies its design specification. Let Σ = i∈I Σi and define E as (Ei ∪ (Σ∗ − Lm (Gi ))) ∩ ( Lm (Gi )) (1) E= i∈I
i∈I
The solutions of RNSCP can be characterized in terms of relative-closed, controllable and G-nonblocking sublanguages of E [Saboori and Hashtrudi Zad (2006)]. Let RCN b(E, G) denote the set of relative-closed, controllable and Gi -nonblocking sublanguages of E (for all Gi ∈ G). This set is nonempty and has a supremal element denoted by E ↑ = SupRCN b(E, G). Then E ↑ is the maximally permissive solution of RNSCP. A trim automaton S that marks E ↑ can be regarded as an implementation of a maximally permissive supervisor with S×Gi modeling the system under supervision S/Gi . [Yari and Hashtrudi Zad (2016)] provides a computational procedure to find an automaton to mark E ↑ . This algorithm has been implemented in MATLAB environment using DECK [DECK (2013)]. 3. SUPERVISORY CONTROL AND FAULT RECOVERY PROBLEM In this section we explain how a problem of control and fault recovery can be cast as a robust control problem. Consider a DES plant G that starts in normal mode N . The plant may enter a set of permanent failure modes. For simplicity we assume a single failure mode F (Fig. 2). Let
Fig. 1. Block Diagram of Supervisory control. into two disjoint subsets, Σc the set of controllable events, and Σuc the set of uncontrollable events. The supervisor is allowed to disable the controllable events only. A supervisory control for DES G can be designed as a map S : Σ∗ → ΓΣ where ΓΣ = {γ ∈ P wr(Σ) | Σuc ⊆ γ} denotes the set of all control patterns in Σ. In this context, 201
Fig. 2. DES G with a single failure mode.
IFAC ACA 2016 202 August 21-25, 2016. Quebec, Canada
Farid Yari et al. / IFAC-PapersOnLine 49-17 (2016) 200–205
GN denote the subautomaton of G with XN as its state set representing the normal mode, and GN F represent the behavior of the system in normal (N ) and faulty (F ) modes. In this case, since we have assumed one failure mode, GN F and G are the same. Furthermore, suppose in each mode we have multiple sets of marked states, say N N two, and denote them by Xm,1 (normal mode) and Xm,2 F F N N could and Xm,1 and Xm,2 (faulty mode). Xm,1 and Xm,2 for example represent the “off” states and “operational” F F could states in normal mode. Similarly, Xm,1 and Xm,2 represent “off” states and “operational” states in faulty N mode. We use GN,1 and GN,2 to represent GN with Xm,1 N and Xm,2 as their marked states. Automata GN F,1 and NF NF and Xm,2 GN F,2 similarly are copies of GN F with Xm,1 as marked states. The control and fault recovery problem is to find a supervisor S such that the system under supervision remains nonblocking in normal and faulty modes and satisfies the design specifications of each mode: Lm (S/GN,i ) ⊆ EN,i i = 1, 2
Fig. 3. Simplified spacecraft propulsion module subsystem. V3 and V4 are similar but without the failure event and faulty state (SO). The models of the normally-open pyro
S/GN,i is nonblocking
Lm (S/GN F,i ) ⊆ EN F,i i = 1, 2 S/GN F,i is nonblocking
(EN,i and EN F,i (i = 1, 2) are the legal behaviors.) The above problem can be solved as a robust nonblocking supervisory control problem for the family of models G = {GN,1 , GN,2 , GN F,1 , GN F,2 }.
Fig. 4. DES model of valve V1 . valves P V1 and P V2 are shown in Fig. 5. These valves can
Next we turn our attention to the simplified spacecraft propulsion system. 4. CONTROL AND FAULT RECOVERY IN SPACECRAFT PROPULSION SYSTEM
In this paper we study supervisory control of a simplified version of the Propulsion Module Subsystem (PMS) of the Cassini spacecraft [Leeds et al. (1996); Morgan (2010)]. Fig. 3 shows the simplified propulsion system which consists of two propellant tanks and two engines E1 and E2. The valve assembly for E1 includes valves V1 , V2 , normally-open pyro valves P V1 and P V2 , and normallyclosed pyro valves P V3 and P V4 . Two pressure sensors measure pressures P1 and P2 , and a temperature sensor T1 monitors chemical reactions and thrust generation in E1. The valve assembly for E2 is simpler consisting of valves V3 , V4 and pressure sensors P3 , P4 and temperature sensor T2 . When the fuel paths between the propellant tanks and engines are open, propellants can combine, ignite and produce thrust. In this example, we intend to design a supervisor that in response to high-level Master Controller commands, fires the engine in such a way that the design specifications (to be discussed later) are satisfied. Plant DES Model In our problem, for simplicity, only valve V1 is assumed prone to “stuck-open” failure and the other valves are assumed fault-free. Fig. 4 shows the DES model of valve V1 . (Marked states are shown with double circles.) We assume that the valves are initially closed. The “stuckopen” failure mode of V1 is permanent (state “SO”) and the valve never returns to normal mode. The models of V2 , 202
Fig. 5. Normally-open pyro valves P V1 and P V2 . be closed only once. The models of normally-closed valves P V3 and P V4 are similar but their initial states is “C” and their event P Vi − O. The models of the four pressure sensors and two sensors measuring temperature as well as the Master Controller are shown in Fig. 6. Start and stop commands can be generated at any time by the Master Controller (Fig. 6(c)). Valve events V i−O, V i−C, P Vi −O and P Vi −C are controllable. Failure event V 1−SO, sensor events (P iH, P iL, T iH and T iL) and Master Controller events (stop and start) are uncontrollable.
(a) Pressure sensors Pi (i = 1, 2, 3, 4).
(b) Temperature sensors T1 ,T2 .
Fig. 6. Sensors and Master Controller.
(c) Master Controller
IFAC ACA 2016 August 21-25, 2016. Quebec, Canada
Farid Yari et al. / IFAC-PapersOnLine 49-17 (2016) 200–205
To complete the model, we build DES models INT1 to INT4 to describe the effect of valve positions on the pressure sensors, and INT5 and INT6 to model the reading of the temperature (thrust) sensors as a function of the pressures measured by P1 , P2 , P3 and P4 . The reading of pressure sensor P1 depends on the state of V1 , P V1 and P V3 . Specifically the pressure goes high only when P V1 is open, and either V1 is open (or stuck-open) or P V3 is open. This dependency is represented by INT1. INT1 is formed by first constructing sync(P V1 , P V3 , V1 ). Next selfloops of P iH are added to those states of sync automaton where P V 1 is open, and either P V 3 is open, or V 1 is open or stuck-open. P iL selfloops are added to other states. INT2, INT3 and INT4 are constructed similarly for pressure sensors P2 , P3 and P4 . Now we proceed to model the interactions between pressure sensor readings and the thrust of engines. The thrust of an engine goes high only when the corresponding pressure sensors show high pressure reading. Fig. 7 shows these interactions for engine E1. INT6 (for engine E2) is built similarly. The plant model G is obtained by the synchronous product of all component models (V1 , ..., V4 , P V1 , ..., P V4 , P1 , ..., P4 , T1 , T2 ) and interaction models (INT1,..., INT6). The resulting plant model has 16384 states and 278528 transitions.
Fig. 7. INT5: Interactions between pressure sensors and temperature sensor for engine E1. Design Specifications Broadly speaking, the design specifications require the use of engine E1 for normal mode and E2 in case of valve V1 failure and prohibit simultaneous firing of E1 and E2. In normal (resp. faulty) mode, the supervisor must be able to turn on E1 (resp. E2) and turn off E1 (resp. E2). (Other requirements that deal with other issues such as fuel waste are not considered for brevity.) The detailed design specifications are as follows. In normal mode: (a) The system should wait for the start command to start firing engine E1; (b) After the start command is issued by the master controller, any start and stop command should be ignored during the start-up procedure until thrust is generated; (c) When the thrust is high, once the master controller issues the stop command, the shutdown procedure starts; (d) During the shutdown procedure, any start and stop command must be ignored. The automaton SP 1 that models the start-up and shutdown procedure in normal mode according to the design specifications is shown in Fig. 8. Engine 2 is a backup engine and must be used in case of engine 1 failure. When fault (i.e. valve V1 stuck-open) occurs, engine 1 shall no longer be used and the system must switch over to engine 2 based on the current state 203
203
Fig. 8. DES model for start-up and shutdown procedure in normal mode according to design specifications 1 . of the system. The design specifications for the faulty mode are: (a) If the fault occurs before a start command, the system should switch completely to engine 2 and wait for the start command. In other words, the procedure for starting and shutting down engine 2 should be followed; (b) If the fault occurs after the master controller issues a start command, engine 1 should continue firing until the master controller issues the stop command and engine E1 is turned off. Then the system must switch to engine E2 for future maneuvers; (c) If the fault occurs after the master controller issues a stop command but before engine E1 is turned off, the engine must be turned off and then the system should switch over to engine E2. The DES model of these specifications is shown in Fig. 11. Robust Supervisory Control This supervisory control problem is a problem of fault recovery with a normal and a faulty mode. In each mode there are two sets of marked states, one for thrust low (engine off) and another for thrust high (engine on). The problem can be solved as a robust control problem with four plant models GN,of f , GN,on , GN F,of f and GN F,on . GN,of f (resp. GN,on ) is the subautomaton of plant model G with states in normal mode GN with thrust low (resp. high) states marked. This marking can be done by the synchronous product of GN with automaton Marker N in Fig. 9 with state 1 (resp. state 2) of Marker N marked. Similarly GN F,of f (resp. GN F,on ) are obtained by the synchronous product of G with Marker F (Fig. 10) with state 3 (resp. state 4) marked.
Fig. 9. Mark state 1 for OFF and state 2 for ON.
Fig. 10. Mark state 3 for OFF and state 4 for ON. Automata for legal marked behaviors are obtained as E N,1 = SP 1 × GN,of f , E N,2 = SP 1 × GN,on E N F,1 = SP 2 × GN F,of f , E N F,2 = SP 2 × GN F,on
1 To each state of SP 1 selfloops for all events except “start”, “stop”,“T 1H” and “T 1L” are added. The selfloops are for events that are not restricted by design specification SP 1.
IFAC ACA 2016 204 August 21-25, 2016. Quebec, Canada
Farid Yari et al. / IFAC-PapersOnLine 49-17 (2016) 200–205
Fig. 11. DES model for start-up and shutdown procedure in faulty mode according to design specifications 2 . The solution of robust control problem (RNSCP) is obtained using the computer code. The solution is an automaton with 944 states and 11438 transitions. This automaton marks E ↑ and is a model of the supervisor. To illustrate what the robust supervisor does, consider a sample sequence from the system under supervision depicted in Fig. 12. Master Controller issues a start command. After valves V1 and V2 become open, pressures P1 and P2 become high. At this stage the thrust of E1 becomes high and the first engine fires. Next valve V1 becomes stuck-open (It is assumed the failure is diagnosed quickly and hence is treated an observable event.) Next when a stop command is issued, engine E1 is switched off. This is done by firing P V1 to shut the path between the oxidizer tank and engine E1 and by closing valve V2 which shuts off supply from the fuel tank. Following another start command from the Master Controller, the system switches to engine E2 and the start-up procedure for E2 opens valves V3 and V4 , the pressure sensors P3 and P4 show high pressure and E2 fires. Later, when a stop command comes from Master Controller, engine E2 is turned off by closing the corresponding valves V3 and V4 . When Master Controller issues another start command to generate thrust, engine E2 is being used and the same sequence happens to complete a thrust on and thrust off sequence.
Fig. 12. Sample start-up and shutdown sequences. Remark 1. It should be noted that it is necessary to ensure nonblocking with respect to multiple sets of marked states (and not just one set). Suppose we choose the E1 off states as the only marked state set for normal mode. Assume E1 is “on” in normal mode and Master Controller issues thrust shutoff command. The conventional (non-robust) 204
supervisory control solution allows the system to close P V1 to turn off the thrust of engine 1. But the supervisor will no longer be able to turn on E1 since the pyro valve cannot be opened again. The robust supervisor designed based on RNSCP however does not fire P V1 and P V2 unless a fault occurs. In the configuration shown in Fig. 3, pyro valves P V3 and P V4 are redundant. In fact, it can be validated that the RNSCP still has a solution even if P V3 and P V4 are removed from the propulsion system. This shows that the RNSCP and its maximally permissive solution can be used as a design tool to validate different valve configurations. Finally, it should be noted that the purpose of having P V3 and P V4 in Fig. 3 is to have the ability for handling stuckclosed failures of valves V1 and V2 (which have not been studied in this example). 5. DISCUSSION In this section, we discuss some issues related to the problem studied here and the approach used to solve it. Robustness: As mentioned in Remark 1 in the previous section, to solve the control and fault recovery problem for the propulsion system, the robust supervisory control problem, RNCSP, should be considered and that a nonrobust supervisor does not yield the desired solution. There are two problem and plant features that are the reasons for this result: • First we want nonblocking property with respect to more than one set of marked states. Also, the plant model changes as a result of fault. • Second, in the propulsion system studied, there were irreversible activities; in particular, the opening (resp. closing) of normally-closed (resp. normallyopen) pyro valves and the permanent failure event are irreversible. These two features are present in many aerospace systems that have to be able to accommodate permanent faults with limited onboard resources (such as pyro valves and non-resettable fuses). In such cases, a robust supervisor must be used instead of a conventional (non-robust) supervisor. It should be noted that the above two features may not be present in other categories of systems. For 2 Similar to SP 1, to each state of SP 2, selfloops of every event not present in Fig. 11 are added.
IFAC ACA 2016 August 21-25, 2016. Quebec, Canada
Farid Yari et al. / IFAC-PapersOnLine 49-17 (2016) 200–205
example, for manufacturing systems reversibility may be a very desirable property. Plant Model: In this paper we limited our attention to a single failure mode. This has been primarily due to the execution time of our computer code in MATLAB environment. With a compiled code, say in C, we would be able to study more complex problems. Furthermore, other theoretical developments in the theory of supervisory control, for instance, modular and decentralized control, and symbolic calculations allow much larger problems to be tackled (see, e.g. [Brandin and Charbonnier (1994)] and [Ma and Wonham (2006)]). The DES models used in this paper are untimed and assume full event observation. Robust control for timed DES models is discussed in [Bourdon et al. (2005)] and for partial event observation in [Saboori and Hashtrudi Zad (2006)]. We have developed computational algorithms for the case of partial event observation and will publish them in the future. Related Work: [Muscettola et al. (1998)] provides and overview of the model-based diagnosis and reconfiguration system, Livingstone. Livingstone uses probabilistic discrete models. Probabilistic models are used to focus on the more likely scenarios in order to reduce computational complexity. The result is a system that can work in real time. Livingstone was implemented on Deep Space 1. The drawback is that every now and then, the actual situation is not among the likely scenarios. Our work is based on deterministic models and can be regarded as a step in the direction of considering all possible scenarios. [Pekala et al. (2008)] and [Bensalem et al. (2010)] use model checking tools to verify the design of control logic. In [Bensalem et al. (2010)], for instance, the plant is modeled with discrete models in BIP framework. Next based on design specifications, the supervisor modules, called connectors, are represented in BIP framework. Then the safety and deadlock-freedom properties are verified using model checker D-finder. D-finder and similar tools, use symbolic calculations to handle problems far more complex than the one considered in this paper. The main difference between the approach used in this paper and that in [Pekala et al. (2008)] and [Bensalem et al. (2010)] is that here we start from the design specifications and systematically design a control logic (supervisor) that satisfies the specifications. [Pekala et al. (2008)] and [Bensalem et al. (2010)] however start with given supervisors (connectors) and verify that they satisfy the specifications. If the test fails, then the designer has to modify the supervisors till a satisfactory solution is obtained. 6. CONCLUSION In this paper the theory of supervisory control of discreteevent systems is used to develop command sequences for control and fault recovery of a spacecraft propulsion subsystem. The study shows that to meet the specifications of normal and faulty modes, the supervisor has to be a “robust” supervisor, and that a conventional (non-robust) supervisor could lead to engine getting stuck in shutdown state. The features of this system that necessitate the use of robust supervisor seem to be present in many aerospace systems. In addition to theoretical developments, we are 205
205
conducting lab tests on an experimental setup to evaluate the robust supervisory control methodology. REFERENCES Bensalem, S., de Silva, L., Gallien, M., Ingrand, F., and Yan, R. (2010). “Rock solid” software: a verifiable and correct-by-construction controller for rover and spacecraft functional levels. Int. Symp. on Artificial Intelligence, Robotics and Automation for Space (i-SAIRAS), Sapporo, Japan. Bourdon, S., Lawford, M., and Wonham, W. (2005). Robust nonblocking supervisory control of discrete-event systems. IEEE Trans. Autom. Control, 50(12), 2015– 2021. Brandin, B.A. and Charbonnier, F.E. (1994). The supervisory control of the automated manufacturing system of the aip. Proc. 4th Int. Conf. on Computer Integrated Manufacturing and Automation Technology, 319–324. Cassandras, C. and Lafortune, S. (2008). Introduction to Discrete Event Systems. Springer. DECK, Discrete Event Control Kit (DECK 1.2013.11). ECE Dept., Concordia University. http://www.ece.concordia.ca/~shz/deck. [Online]. Leeds, M., Eberhardt, R., and Berry, R. (1996). Development of the Cassini spacecraft propulsion subsystem. 32nd Joint Propulsion Conf. and Exhibit, paper 96-2864. Lake Buena Vista, FL. Lin, F. (1993). Robust and adaptive supervisory control of discrete event systems. IEEE Trans. Autom. Control, 38(12), 1848–1852. Ma, C. and Wonham, W.M. (2006). Nonblocking supervisory control of state tree structures. IEEE Trans. Autom. Control, 51(5), 782–793. Morgan, P. (2010). Cassini spacecraft’s in-flight fault protection redesign for unexpected regulator malfunction. Proc. IEEE Aerospace Conf., 1–14. Big Sky, MT. Muscettola, N., Nayak, P., Pell, B., and Williams, B.C. (1998). Remote agent: to boldly go where no AI system has gone before. Artificial Intelligence, 103(12), 5 – 47. Pekala, M., Cancro, G., and Moore, J. (2008). Verifying executable specifications of spacecraft autonomy. Int. Symp. on Artificial Intelligence, Robotics and Automation for Space (i-SAIRAS08), Pasadena, CA. Ramadge, P. and Wonham, W. (1987). Supervisory control of a class of discrete event processes. SIAM J. Control Optim., 25(1), 206–230. Saboori, A. and Hashtrudi Zad, S. (2005). Fault recovery in discrete event systems. Proc. ICSC Congr. on Computational Intelligence Methods and Applications. Istanbul, Turkey. Saboori, A. and Hashtrudi Zad, S. (2006). Robust nonblocking supervisory control of discrete-event systems under partial observation. Systems & Control Letters, 55(10), 839 – 848. Wonham, W. (2014). Supervisory Control of Discrete Event Systems. Systems Control Group, ECE Dept., University of Toronto, Canada, available at http://www.control.utoronto.ca/DES. Yari, F. and Hashtrudi Zad, S. (2016). Computational procedures for robust nonblocking supervisory control. Proc. Canadian Conf. on Electrical and Computer Eng., 274–278, Vancouver, Canada.
ScienceDirect Robust Robust Robust
IFAC-PapersOnLine 49-17 (2016) 200–205
Supervisory Control of a Supervisory Supervisory Control Control of of a a Propulsion System Propulsion System Propulsion System
Spacecraft Spacecraft Spacecraft
Farid Farid Yari, Yari, Shahin Shahin Hashtrudi-Zad, Hashtrudi-Zad, Siamak Siamak Tafazoli Tafazoli Farid Farid Yari, Yari, Shahin Shahin Hashtrudi-Zad, Hashtrudi-Zad, Siamak Siamak Tafazoli Tafazoli Department of Electrical and Computer Engineering, Department of Electrical and Computer Engineering, Department of and Computer Engineering, Concordia University, Montr´ eeal, QC, H3G Department of Electrical Electrical and Engineering, Concordia University, Montr´ al,Computer QC, Canada Canada H3G 1M8 1M8 Concordia University, Montr´ e al, QC, Canada H3G ff [email protected], [email protected], [email protected] Concordia University, Montr´eal, QC, Canada H3G 1M8 1M8 [email protected], [email protected], [email protected] ff [email protected], [email protected], [email protected], [email protected], [email protected] [email protected] Abstract: Abstract: In In this this paper paper the the theory theory of of supervisory supervisory control control of of discrete-event discrete-event systems systems is is used used Abstract: In this paper the theory of supervisory control of discrete-event systems is to develop command sequences for turning on and off a spacecraft propulsion subsystem. The Abstract: In this paper the theory of supervisory control of discrete-event systems is used used to develop command sequences for turning on and off a spacecraft propulsion subsystem. The to develop command sequences for turning on and off aa spacecraft propulsion subsystem. The subsystem considered is a simplified version of the Propulsion Module Subsystem of the Cassini to develop command sequences for turning on and off spacecraft propulsion subsystem. The subsystem considered is a simplified version of the Propulsion Module Subsystem of the Cassini subsystem considered is a simplified version of the Propulsion Module Subsystem of the Cassini spacecraft. The supervisor controls the system in such a way that the design specifications subsystem considered is a simplified of theinPropulsion Module the Cassini spacecraft. The supervisor controls version the system such a way that Subsystem the design of specifications spacecraft. The supervisor controls the system system in operation. such aa way wayThe thatstudy the design design specifications are satisfied in normal and modes shows to spacecraft. supervisor the in such that the specifications are satisfiedThe in both both normalcontrols and faulty faulty modes of of operation. The study shows that that to meet meet are satisfied in both normal and faulty modes of operation. The study shows that to meet the specifications of both modes, the supervisor has to be a “robust” supervisor, and are satisfied in both normal and faulty modes of operation. The study shows that meetaa the specifications of both modes, the supervisor has to be a “robust” supervisor, andtothat that the specifications of both modes, the supervisor has to be aa “robust” supervisor, and that a conventional (non-robust) supervisor could lead to engine getting stuck in shutdown state. the specifications of both modes, the supervisor has to be “robust” supervisor, and that conventional (non-robust) supervisor could lead to engine getting stuck in shutdown state. a conventional (non-robust) supervisor could lead to engine getting stuck in shutdown state. conventional (non-robust) supervisor could lead to engine getting stuck in shutdown state. © 2016, IFAC (International Federation of Automatic Control) Hosting by Elsevier Ltd. All rights reserved. Keywords: Keywords: Supervisory Supervisory control, control, Spacecraft Spacecraft propulsion, propulsion, Fault Fault recovery, recovery, Discrete-event Discrete-event systems, systems, Keywords: Supervisory control, Spacecraft propulsion, Fault recovery, Discrete-event Robust control. Keywords: Supervisory control, Spacecraft propulsion, Fault recovery, Discrete-event systems, systems, Robust control. Robust Robust control. control. 1. visory 1. INTRODUCTION INTRODUCTION visory control control of of discrete-event discrete-event systems systems (DES). (DES). In In [Lin [Lin 1. INTRODUCTION visory control of discrete-event systems (DES). In (1993)], the plant model belongs to a finite family of 1. INTRODUCTION This visory control of discrete-event systems (DES).family In [Lin [Lin the plant model belongs to a finite of This paper paper is is concerned concerned with with the the design design of of supervisory supervisory (1993)], (1993)], the plant model belongs to a finite family of DES models G ,...,G , and the objective is to design a This paper is concerned with the design of supervisory 1 n control system for spacecraft propulsion system. Specif(1993)], the plant model belongs to a finite family of This paper is concerned with the design of supervisory DES models G ,...,G , and the objective is to design a 1 n control system for spacecraft propulsion system. Specif- DES models G ,...,G , and the objective is to design a supervisor such that all plant models under supervision 1 n control system for spacecraft propulsion system. Specifically we seek to design a controller (supervisor) that DES models G ,...,G , and the objective is to design a 1 n controlwe system spacecraft propulsion(supervisor) system. Specifsuch that all plant models under supervision ically seek for to design a controller that supervisor supervisor such that all plant models under supervision satisfy a common design specification. [Bourdon et al. ically we seek to design aa sequences controller (supervisor) that issues appropriate command to turn on and off supervisor such that all plant models under supervision ically we seek to design controller (supervisor) that a common design specification. [Bourdon et al. issues appropriate command sequences to turn on and off satisfy satisfy a common design specification. [Bourdon et al. the results of to issues appropriate command sequences to and the engines of satisfy common et inal. issues appropriate commandspacecraft sequencespropulsion to turn turn on on system. and off off (2005)] (2005)] aextends extends the design results specification. of [Lin [Lin (1993)] (1993)][Bourdon to the the case case inthe engines of aa simplified simplified spacecraft propulsion system. (2005)] extends the results of [Lin (1993)] to the case involving separate design specifications for each plant model the engines of a simplified spacecraft propulsion system. The objective is to enhance spacecraft autonomy. The (2005)] extends the results of [Lin (1993)] to the case inthe engines of a simplified spacecraft propulsion system. volving separate design specifications for each plant model The objective is to enhance spacecraft autonomy. The volving separate design specifications for plant and the nonblocking property. The The is enhance autonomy. The subject of has by separate specifications for each each plant model model The objective objective is to to autonomy enhance spacecraft spacecraft autonomy. The volving and considers considers thedesign nonblocking property. The nonblocking nonblocking subject of spacecraft spacecraft autonomy has been been studied studied by many many and considers the nonblocking property. The nonblocking property is guaranteed through the (sufficient condition subject of spacecraft autonomy has been studied by many researchers. Notably, the diagnosis and recovery system, and considers the nonblocking property. The nonblocking subject of spacecraft autonomy has been studied by many is guaranteed through the (sufficient condition researchers. Notably, the diagnosis and recovery system, property property is through the condition of) property. [Saboori and Zad researchers. the diagnosis and recovery system, Livingstone, has designed based on probabilistic disis guaranteed guaranteed through the (sufficient (sufficient condition researchers. Notably, Notably, diagnosis system, of) nonconflicting nonconflicting property. [Saboori and Hashtrudi Hashtrudi Zad Livingstone, has been been the designed basedand on recovery probabilistic dis- property of) nonconflicting property. [Saboori and Hashtrudi Zad (2006)] extends the results of [Bourdon et al. (2005)] to Livingstone, has been designed based on probabilistic discrete models [Muscettola et al. (1998)]. Livingstone was of) nonconflicting property. [Saboori and Hashtrudi Livingstone, been designed on probabilistic dis- (2006)] extends the results of [Bourdon et al. (2005)]Zad to crete models has [Muscettola et al.based (1998)]. Livingstone was (2006)] extends the results of [Bourdon et al. (2005)] to the case of control under partial observation. Furthercrete models [Muscettola et al. (1998)]. Livingstone was tested on Deep Space 1 (1998) and its successor, Living(2006)] extends the results of [Bourdon et al. (2005)] to crete models [Muscettola et al. (1998)]. Livingstone was case of control under partial observation. Furthertested on Deep Space 1 (1998) and its successor, Living- the the case of control under partial observation. Furthermore, [Saboori and Hashtrudi Zad (2006)] replaces the tested on Deep Space 1 (1998) and its successor, Livingstone 2, was used on Earth Observing 1 (2000). In another the case of control under partial observation. Furthertested on Deep Space 1 (1998) and its successor, Living[Saboori and Hashtrudi Zad (2006)] replaces the stone 2, was used on Earth Observing 1 (2000). In another more, more, [Saboori [Saboori and and Hashtrudi Hashtrudi Zad (2006)] replaces replaces the nonconflicting with G property stone used on Observing 11 (2000). another approach, methods of formal have been more, (2006)] the stone 2, 2, was wasthe used on Earth Earth (2000). In In another nonconflicting property property with the theZad Gii -nonblocking -nonblocking property approach, the methods of Observing formal verification verification have been to nonconflicting property with the G -nonblocking property obtain a set of necessary and sufficient conditions i approach, the methods of formal verification have been used to verify if a given control logic satisfies the design nonconflicting property with the G -nonblocking property i approach, the ifmethods formallogic verification havedesign been to obtain a set of necessary and sufficient conditions for for used to verify a given of control satisfies the to obtain aa set of necessary and sufficient conditions the solvability of the robust control problem. used to verify if aa e.g. given control logic satisfies the design specifications (see, [Pekala et al. (2008)] and [Bensalem to obtain set of necessary and sufficient conditions for for used to verify if given control logic satisfies the design solvability of the robust control problem. specifications (see, e.g. [Pekala et al. (2008)] and [Bensalem the the solvability of the robust control problem. specifications (see, e.g. [Pekala et al. (2008)] and [Bensalem et al. (2010)]). the solvability of the robust control problem. specifications (see, e.g. [Pekala et al. (2008)] and [Bensalem Robust et al. (2010)]). Robust control control is is used used to to deal deal with with model model changes. changes. For For et (2010)]). et al. al. (2010)]). Robust control is used to deal with model changes. For instance, in some fault recovery problems, the plant In this paper we apply the Ramadge-Wonham theory of Robust control is used to deal with model For in some fault recovery problems, thechanges. plant starts starts In this paper we apply the Ramadge-Wonham theory of instance, instance, in some fault recovery problems, the plant starts in normal mode and may enter one of several faulty modes. In this paper we apply the Ramadge-Wonham theory of supervisory control ([Ramadge and Wonham (1987); Woninstance, in some fault recovery problems, the plant starts In this paper we apply the Ramadge-Wonham theory of in normal mode and may enter one of several faulty modes. supervisory control ([Ramadge and Wonham (1987); Won- Each in normal normal mode mode and and may may enter enterdesign one of of several several faulty and modes. specification set supervisory control ([Ramadge Wonham (1987); Wonham (2014)]) to design controller (supervione faulty modes. supervisory ([Ramadge and and Wonham (1987); Won- in Each mode mode can can have have its its own own design specification and set ham (2014)])control to systematically systematically design controller (superviEach mode can have its own design specification and set of marked states. This control and fault recovery problem ham (2014)]) to systematically design controller (supervisor) from the design specifications based on deterministic Each mode can have its own design specification and set ham from (2014)]) systematically design controller (supervi- of marked states. This control and fault recovery problem sor) the to design specifications based on deterministic of marked states. This control and fault recovery problem can be solved as a robust control problem [Saboori and sor) from the design specifications based on deterministic discrete-event models. The resulting supervisor (which will of marked states. This control and fault recovery problem sor) from the design specifications based on deterministic be solved as a robust control problem [Saboori and discrete-event models. The resulting supervisor (which will can can be as aa robust Zad (2005)]. discrete-event models. The supervisor (which will be in of is guaranteed to can be solved solved robust control control problem problem [Saboori [Saboori and and discrete-event The resulting resulting will Hashtrudi Hashtrudi Zad as (2005)]. be in the the form formmodels. of an an automaton) automaton) is supervisor guaranteed(which to satisfy satisfy Hashtrudi Zad (2005)]. be in the form of an automaton) is guaranteed to satisfy the specifications. We study a simplified version of the Hashtrudi Zad (2005)]. be in the form of an automaton) is guaranteed to satisfy [Yari and Hashtrudi Zad (2016)] develops automatonthe specifications. We study a simplified version of the [Yari and Hashtrudi Zad (2016)] develops automatonthe We study simplified version of the Propulsion Module Subsystem of Cassini spacethe specifications. specifications. study aa(PMS) simplified the based [Yari Hashtrudi Zad develops automatoncomputational for the of Propulsion Module We Subsystem (PMS) of the theversion Cassini of space[Yari and and Hashtrudi procedures Zad (2016)] (2016)] automatonbased computational procedures fordevelops the design design of robust robust Propulsion Module Subsystem (PMS) of the Cassini spacecraft. Our study shows that the application of conventional Propulsion Module Subsystem (PMS) of the Cassini spacebased computational computational procedures for the theZad design of robust robust supervisors of [Saboori and Hashtrudi (2006)]. The craft. Our study shows that the application of conventional based procedures for design of supervisors of [Saboori and Hashtrudi Zad (2006)]. The craft. Our study shows that the application of conventional (non-robust) supervisory control [Ramadge Wonham craft. Our study shows that the application conventional of [Saboori and Hashtrudi Zad (2006)]. The procedures have been implemented in MATLAB environ(non-robust) supervisory control [Ramadgeofand and Wonham supervisors supervisors of [Saboori and Hashtrudi Zad (2006)]. The procedures have been implemented in MATLAB environ(non-robust) supervisory control [Ramadge and Wonham (1987)] does not result in the appropriate command se(non-robust) supervisory control [Ramadge and Wonham procedures have been implemented in MATLAB environment using Discrete Event Control Kit (DECK) ([DECK (1987)] does not result in the appropriate command se- procedures have been implemented in MATLAB environusing Discrete Event Control Kit (DECK) ([DECK (1987)] not in command sequences. However, an of to (1987)] does does not result result in the the appropriate appropriate command se- ment ment using Discrete Event Control Kit ([DECK (2013)]). In this these procedures are to quences. However, an extension extension of this this approach approach to the the ment using Event Control Kit (DECK) (DECK) (2013)]). In Discrete this paper, paper, these procedures are used used ([DECK to solve solve quences. However, an extension of this approach to the Robust Supervisory Control ([Saboori and Hashtrudi Zad quences. However, an extension of this approach to the (2013)]). In and this fault paper,recovery these procedures procedures arethe used to solve solve the control problem for simplified Robust Supervisory Control ([Saboori and Hashtrudi Zad (2013)]). In this paper, these are used to the control and fault recovery problem for the simplified Robust Supervisory Control ([Saboori and Hashtrudi Zad (2006)]) produces desired solution. Robust Supervisory control and fault recovery problem for the simplified spacecraft propulsion system. Our study shows that (2006)]) produces the theControl desired([Saboori solution. and Hashtrudi Zad the the control and fault recovery problem for the simplified spacecraft propulsion system. Our study shows that to to (2006)]) produces the solution. (2006)]) produces the desired desired solution. spacecraft propulsion system. Our study shows that to arrive appropriate control logic satisfying design The concept of robust control arises in control theory system. showsall to arrive at at an anpropulsion appropriate controlOur logicstudy satisfying allthat design The concept of robust control arises in control theory spacecraft arrive at an appropriate control logic satisfying all design specifications, the supervisor has to be a robust supervisor. The concept of robust control arises in control theory in dealing with modeling uncertainties or model changes. arrive at an appropriate control logic satisfying all design The concept of robust control arises in control theory specifications, the supervisor has to be a robust supervisor. in dealing with modeling uncertainties or model changes. Furthermore, specifications, the the features supervisor has to be aa robust robust supervisor. of the system studied here in with uncertainties orformodel changes. Several approaches have explored robust superthe supervisor be in dealing dealing with modeling modeling uncertainties changes. Furthermore, the features of has the to system studiedsupervisor. here that that Several approaches have been been exploredor formodel robust super- specifications, Furthermore, the features of the system studied here that necessitate the use of robust supervisor seem to be present Several approaches have been explored for robust superFurthermore, the features of the system studied here that Several approaches have been explored for robust supernecessitate the use of robust supervisor seem to be present This work was supported in part by Natural Sciences and Enginecessitate the use of robust supervisor seem to be present in many other aerospace systems as well. This work was supported in part by Natural Sciences and Enginecessitate the use of robust supervisor seem to be present in many other aerospace systems as well. This work neering Research of Canada grantand RGPIN was supported in by Sciences Engiin many many other other aerospace aerospace systems systems as as well. well. This work was Council supported in part part (NSERC) by Natural Naturalunder Sciences Engineering Research Council of Canada (NSERC) under grantand RGPINin 227688-2011. neering Research Council Council of of Canada Canada (NSERC) (NSERC) under under grant grant RGPINRGPINneering Research 227688-2011. 227688-2011. 227688-2011. Copyright©©2016, 2016 IFAC (International Federation of Automatic Control) 200Hosting by Elsevier Ltd. All rights reserved. 2405-8963 Copyright © 2016IFAC IFAC 200 Copyright 2016 IFAC 200 Copyright ©under 2016responsibility IFAC 200Control. Peer review © of International Federation of Automatic
10.1016/j.ifacol.2016.09.035
IFAC ACA 2016 August 21-25, 2016. Quebec, Canada
Farid Yari et al. / IFAC-PapersOnLine 49-17 (2016) 200–205
201
This paper is organized as follows. Sec. 2 reviews some preliminaries of supervisory control. Sec. 3 formulates the supervisory control and fault recovery problem. Sec. 4 discusses the simplified propulsion system and the design of supervisor. Sec. 5 further analyzes the results and provides comments on the methodology and its relation to other approaches. The paper is concluded in Sec. 6.
for s ∈ Σ∗ (generated in G), S(s) is the set of events enabled by the supervisor. Let S/G represent the plant G under the supervision of S (or the closed-loop system). Thus the Supervisory Control Problem (SCP) is to find a supervisor S such that (1) Lm (S/G) ⊆ E, and (2) S/G is nonblocking. ((1) and (2) imply that all sequences in L(S/G) are legal.)
2. PRELIMINARIES
Next we consider the robust supervisory control problem which can be regarded as an extension of SCP. Problem 1. Robust Nonblocking Supervisory Control Problem (RNSCP) [Bourdon et al. (2005); Saboori and Hashtrudi Zad (2006)]. Consider the set of plant models G = {G1 , ..., Gn } with Gi = (Xi , Σi , ηi , x0,i , Xm,i ) where i ∈ I = {1, 2, ..., n}. Let the controllable and uncontrollable sets of events in Gi be denoted by Σc,i and Σuc,i respectively. It is assumed that all plant models agree on the controllability of events, that is Σc,i ∩ Σuc,j = ∅ for all i, j ∈ I. Furthermore, suppose language Ki denotes the design specification for plant model Gi and hence Ei = Ki ∩ Lm (Gi ) denotes the corresponding legal marked behavior. Design a supervisor S such that (1) Lm (S/Gi ) ⊆ Ei and (2) S/Gi is nonblocking, for all i ∈ I.
In this section, we briefly review the supervisory control of DES [Wonham (2014); Cassandras and Lafortune (2008)]. Languages and Automata. A finite set of symbols, Σ, is called an alphabet. A sequence of symbols σ1 σ2 ...σn (with σi ∈ Σ) is called a word or sequence. A sequence with no symbols is called the empty sequence and denoted by . Σ∗ denotes the set of all finite sequences. Any subset of Σ∗ is called a language. A deterministic automaton G = (X, Σ, η, x0 , Xm ) is a model for a discrete-event system with X the state set, Σ the finite set of events, η : X × Σ −→ X the partial transition function, x0 the initial state and Xm ⊆ X the set of marked states. The set of sequences that can be generated by automaton G (from initial state x0 ) is called the closed behavior of G: L(G) = {s ∈ Σ∗ | η(x0 , s) is defined}. The subset of L(G) consisting of sequences that end in a marked state is referred to as the marked behavior of G: Lm (G) = {s ∈ L(G) | η(x0 , s) ∈ Xm }.
A state x ∈ X is called reachable if there exists a sequence s ∈ L(G) from x0 to x. Also, a state x is called coreachable if there is a sequence, say s, from x to some marked state. A DES G is nonblocking if every reachable state of G is coreachable. A nonblocking automaton is free of deadlocks and livelocks. An automaton is trim if all of its states are reachable and coreachable. The product of automata G1 and G2 is denoted by G1 × G2 and generates L(G1 ) ∩ L(G2 ) and marks Lm (G1 ) ∩ Lm (G2 ). The synchronous product (parallel composition) of G1 and G2 is denoted by sync(G1 , G2 ) and can be used to model the joint operation of G1 and G2 . Supervisory Control. Consider a plant modeled by a DES G. Suppose a language E ⊆ Lm (G) represents the legal marked behavior ; i.e., the marked sequences that satisfy the design specifications. In the supervisory control theory, a supervisor S is to be designed to restrict the behavior of the plant G to the legal behavior E and to ensure that the resulting system is nonblocking (Fig. 1). It is assumed that the plant event set Σ can be partitioned
Thus in RNSCP we seek to find a supervisor S such that (for every i) S/Gi is nonblocking and satisfies its design specification. Let Σ = i∈I Σi and define E as (Ei ∪ (Σ∗ − Lm (Gi ))) ∩ ( Lm (Gi )) (1) E= i∈I
i∈I
The solutions of RNSCP can be characterized in terms of relative-closed, controllable and G-nonblocking sublanguages of E [Saboori and Hashtrudi Zad (2006)]. Let RCN b(E, G) denote the set of relative-closed, controllable and Gi -nonblocking sublanguages of E (for all Gi ∈ G). This set is nonempty and has a supremal element denoted by E ↑ = SupRCN b(E, G). Then E ↑ is the maximally permissive solution of RNSCP. A trim automaton S that marks E ↑ can be regarded as an implementation of a maximally permissive supervisor with S×Gi modeling the system under supervision S/Gi . [Yari and Hashtrudi Zad (2016)] provides a computational procedure to find an automaton to mark E ↑ . This algorithm has been implemented in MATLAB environment using DECK [DECK (2013)]. 3. SUPERVISORY CONTROL AND FAULT RECOVERY PROBLEM In this section we explain how a problem of control and fault recovery can be cast as a robust control problem. Consider a DES plant G that starts in normal mode N . The plant may enter a set of permanent failure modes. For simplicity we assume a single failure mode F (Fig. 2). Let
Fig. 1. Block Diagram of Supervisory control. into two disjoint subsets, Σc the set of controllable events, and Σuc the set of uncontrollable events. The supervisor is allowed to disable the controllable events only. A supervisory control for DES G can be designed as a map S : Σ∗ → ΓΣ where ΓΣ = {γ ∈ P wr(Σ) | Σuc ⊆ γ} denotes the set of all control patterns in Σ. In this context, 201
Fig. 2. DES G with a single failure mode.
IFAC ACA 2016 202 August 21-25, 2016. Quebec, Canada
Farid Yari et al. / IFAC-PapersOnLine 49-17 (2016) 200–205
GN denote the subautomaton of G with XN as its state set representing the normal mode, and GN F represent the behavior of the system in normal (N ) and faulty (F ) modes. In this case, since we have assumed one failure mode, GN F and G are the same. Furthermore, suppose in each mode we have multiple sets of marked states, say N N two, and denote them by Xm,1 (normal mode) and Xm,2 F F N N could and Xm,1 and Xm,2 (faulty mode). Xm,1 and Xm,2 for example represent the “off” states and “operational” F F could states in normal mode. Similarly, Xm,1 and Xm,2 represent “off” states and “operational” states in faulty N mode. We use GN,1 and GN,2 to represent GN with Xm,1 N and Xm,2 as their marked states. Automata GN F,1 and NF NF and Xm,2 GN F,2 similarly are copies of GN F with Xm,1 as marked states. The control and fault recovery problem is to find a supervisor S such that the system under supervision remains nonblocking in normal and faulty modes and satisfies the design specifications of each mode: Lm (S/GN,i ) ⊆ EN,i i = 1, 2
Fig. 3. Simplified spacecraft propulsion module subsystem. V3 and V4 are similar but without the failure event and faulty state (SO). The models of the normally-open pyro
S/GN,i is nonblocking
Lm (S/GN F,i ) ⊆ EN F,i i = 1, 2 S/GN F,i is nonblocking
(EN,i and EN F,i (i = 1, 2) are the legal behaviors.) The above problem can be solved as a robust nonblocking supervisory control problem for the family of models G = {GN,1 , GN,2 , GN F,1 , GN F,2 }.
Fig. 4. DES model of valve V1 . valves P V1 and P V2 are shown in Fig. 5. These valves can
Next we turn our attention to the simplified spacecraft propulsion system. 4. CONTROL AND FAULT RECOVERY IN SPACECRAFT PROPULSION SYSTEM
In this paper we study supervisory control of a simplified version of the Propulsion Module Subsystem (PMS) of the Cassini spacecraft [Leeds et al. (1996); Morgan (2010)]. Fig. 3 shows the simplified propulsion system which consists of two propellant tanks and two engines E1 and E2. The valve assembly for E1 includes valves V1 , V2 , normally-open pyro valves P V1 and P V2 , and normallyclosed pyro valves P V3 and P V4 . Two pressure sensors measure pressures P1 and P2 , and a temperature sensor T1 monitors chemical reactions and thrust generation in E1. The valve assembly for E2 is simpler consisting of valves V3 , V4 and pressure sensors P3 , P4 and temperature sensor T2 . When the fuel paths between the propellant tanks and engines are open, propellants can combine, ignite and produce thrust. In this example, we intend to design a supervisor that in response to high-level Master Controller commands, fires the engine in such a way that the design specifications (to be discussed later) are satisfied. Plant DES Model In our problem, for simplicity, only valve V1 is assumed prone to “stuck-open” failure and the other valves are assumed fault-free. Fig. 4 shows the DES model of valve V1 . (Marked states are shown with double circles.) We assume that the valves are initially closed. The “stuckopen” failure mode of V1 is permanent (state “SO”) and the valve never returns to normal mode. The models of V2 , 202
Fig. 5. Normally-open pyro valves P V1 and P V2 . be closed only once. The models of normally-closed valves P V3 and P V4 are similar but their initial states is “C” and their event P Vi − O. The models of the four pressure sensors and two sensors measuring temperature as well as the Master Controller are shown in Fig. 6. Start and stop commands can be generated at any time by the Master Controller (Fig. 6(c)). Valve events V i−O, V i−C, P Vi −O and P Vi −C are controllable. Failure event V 1−SO, sensor events (P iH, P iL, T iH and T iL) and Master Controller events (stop and start) are uncontrollable.
(a) Pressure sensors Pi (i = 1, 2, 3, 4).
(b) Temperature sensors T1 ,T2 .
Fig. 6. Sensors and Master Controller.
(c) Master Controller
IFAC ACA 2016 August 21-25, 2016. Quebec, Canada
Farid Yari et al. / IFAC-PapersOnLine 49-17 (2016) 200–205
To complete the model, we build DES models INT1 to INT4 to describe the effect of valve positions on the pressure sensors, and INT5 and INT6 to model the reading of the temperature (thrust) sensors as a function of the pressures measured by P1 , P2 , P3 and P4 . The reading of pressure sensor P1 depends on the state of V1 , P V1 and P V3 . Specifically the pressure goes high only when P V1 is open, and either V1 is open (or stuck-open) or P V3 is open. This dependency is represented by INT1. INT1 is formed by first constructing sync(P V1 , P V3 , V1 ). Next selfloops of P iH are added to those states of sync automaton where P V 1 is open, and either P V 3 is open, or V 1 is open or stuck-open. P iL selfloops are added to other states. INT2, INT3 and INT4 are constructed similarly for pressure sensors P2 , P3 and P4 . Now we proceed to model the interactions between pressure sensor readings and the thrust of engines. The thrust of an engine goes high only when the corresponding pressure sensors show high pressure reading. Fig. 7 shows these interactions for engine E1. INT6 (for engine E2) is built similarly. The plant model G is obtained by the synchronous product of all component models (V1 , ..., V4 , P V1 , ..., P V4 , P1 , ..., P4 , T1 , T2 ) and interaction models (INT1,..., INT6). The resulting plant model has 16384 states and 278528 transitions.
Fig. 7. INT5: Interactions between pressure sensors and temperature sensor for engine E1. Design Specifications Broadly speaking, the design specifications require the use of engine E1 for normal mode and E2 in case of valve V1 failure and prohibit simultaneous firing of E1 and E2. In normal (resp. faulty) mode, the supervisor must be able to turn on E1 (resp. E2) and turn off E1 (resp. E2). (Other requirements that deal with other issues such as fuel waste are not considered for brevity.) The detailed design specifications are as follows. In normal mode: (a) The system should wait for the start command to start firing engine E1; (b) After the start command is issued by the master controller, any start and stop command should be ignored during the start-up procedure until thrust is generated; (c) When the thrust is high, once the master controller issues the stop command, the shutdown procedure starts; (d) During the shutdown procedure, any start and stop command must be ignored. The automaton SP 1 that models the start-up and shutdown procedure in normal mode according to the design specifications is shown in Fig. 8. Engine 2 is a backup engine and must be used in case of engine 1 failure. When fault (i.e. valve V1 stuck-open) occurs, engine 1 shall no longer be used and the system must switch over to engine 2 based on the current state 203
203
Fig. 8. DES model for start-up and shutdown procedure in normal mode according to design specifications 1 . of the system. The design specifications for the faulty mode are: (a) If the fault occurs before a start command, the system should switch completely to engine 2 and wait for the start command. In other words, the procedure for starting and shutting down engine 2 should be followed; (b) If the fault occurs after the master controller issues a start command, engine 1 should continue firing until the master controller issues the stop command and engine E1 is turned off. Then the system must switch to engine E2 for future maneuvers; (c) If the fault occurs after the master controller issues a stop command but before engine E1 is turned off, the engine must be turned off and then the system should switch over to engine E2. The DES model of these specifications is shown in Fig. 11. Robust Supervisory Control This supervisory control problem is a problem of fault recovery with a normal and a faulty mode. In each mode there are two sets of marked states, one for thrust low (engine off) and another for thrust high (engine on). The problem can be solved as a robust control problem with four plant models GN,of f , GN,on , GN F,of f and GN F,on . GN,of f (resp. GN,on ) is the subautomaton of plant model G with states in normal mode GN with thrust low (resp. high) states marked. This marking can be done by the synchronous product of GN with automaton Marker N in Fig. 9 with state 1 (resp. state 2) of Marker N marked. Similarly GN F,of f (resp. GN F,on ) are obtained by the synchronous product of G with Marker F (Fig. 10) with state 3 (resp. state 4) marked.
Fig. 9. Mark state 1 for OFF and state 2 for ON.
Fig. 10. Mark state 3 for OFF and state 4 for ON. Automata for legal marked behaviors are obtained as E N,1 = SP 1 × GN,of f , E N,2 = SP 1 × GN,on E N F,1 = SP 2 × GN F,of f , E N F,2 = SP 2 × GN F,on
1 To each state of SP 1 selfloops for all events except “start”, “stop”,“T 1H” and “T 1L” are added. The selfloops are for events that are not restricted by design specification SP 1.
IFAC ACA 2016 204 August 21-25, 2016. Quebec, Canada
Farid Yari et al. / IFAC-PapersOnLine 49-17 (2016) 200–205
Fig. 11. DES model for start-up and shutdown procedure in faulty mode according to design specifications 2 . The solution of robust control problem (RNSCP) is obtained using the computer code. The solution is an automaton with 944 states and 11438 transitions. This automaton marks E ↑ and is a model of the supervisor. To illustrate what the robust supervisor does, consider a sample sequence from the system under supervision depicted in Fig. 12. Master Controller issues a start command. After valves V1 and V2 become open, pressures P1 and P2 become high. At this stage the thrust of E1 becomes high and the first engine fires. Next valve V1 becomes stuck-open (It is assumed the failure is diagnosed quickly and hence is treated an observable event.) Next when a stop command is issued, engine E1 is switched off. This is done by firing P V1 to shut the path between the oxidizer tank and engine E1 and by closing valve V2 which shuts off supply from the fuel tank. Following another start command from the Master Controller, the system switches to engine E2 and the start-up procedure for E2 opens valves V3 and V4 , the pressure sensors P3 and P4 show high pressure and E2 fires. Later, when a stop command comes from Master Controller, engine E2 is turned off by closing the corresponding valves V3 and V4 . When Master Controller issues another start command to generate thrust, engine E2 is being used and the same sequence happens to complete a thrust on and thrust off sequence.
Fig. 12. Sample start-up and shutdown sequences. Remark 1. It should be noted that it is necessary to ensure nonblocking with respect to multiple sets of marked states (and not just one set). Suppose we choose the E1 off states as the only marked state set for normal mode. Assume E1 is “on” in normal mode and Master Controller issues thrust shutoff command. The conventional (non-robust) 204
supervisory control solution allows the system to close P V1 to turn off the thrust of engine 1. But the supervisor will no longer be able to turn on E1 since the pyro valve cannot be opened again. The robust supervisor designed based on RNSCP however does not fire P V1 and P V2 unless a fault occurs. In the configuration shown in Fig. 3, pyro valves P V3 and P V4 are redundant. In fact, it can be validated that the RNSCP still has a solution even if P V3 and P V4 are removed from the propulsion system. This shows that the RNSCP and its maximally permissive solution can be used as a design tool to validate different valve configurations. Finally, it should be noted that the purpose of having P V3 and P V4 in Fig. 3 is to have the ability for handling stuckclosed failures of valves V1 and V2 (which have not been studied in this example). 5. DISCUSSION In this section, we discuss some issues related to the problem studied here and the approach used to solve it. Robustness: As mentioned in Remark 1 in the previous section, to solve the control and fault recovery problem for the propulsion system, the robust supervisory control problem, RNCSP, should be considered and that a nonrobust supervisor does not yield the desired solution. There are two problem and plant features that are the reasons for this result: • First we want nonblocking property with respect to more than one set of marked states. Also, the plant model changes as a result of fault. • Second, in the propulsion system studied, there were irreversible activities; in particular, the opening (resp. closing) of normally-closed (resp. normallyopen) pyro valves and the permanent failure event are irreversible. These two features are present in many aerospace systems that have to be able to accommodate permanent faults with limited onboard resources (such as pyro valves and non-resettable fuses). In such cases, a robust supervisor must be used instead of a conventional (non-robust) supervisor. It should be noted that the above two features may not be present in other categories of systems. For 2 Similar to SP 1, to each state of SP 2, selfloops of every event not present in Fig. 11 are added.
IFAC ACA 2016 August 21-25, 2016. Quebec, Canada
Farid Yari et al. / IFAC-PapersOnLine 49-17 (2016) 200–205
example, for manufacturing systems reversibility may be a very desirable property. Plant Model: In this paper we limited our attention to a single failure mode. This has been primarily due to the execution time of our computer code in MATLAB environment. With a compiled code, say in C, we would be able to study more complex problems. Furthermore, other theoretical developments in the theory of supervisory control, for instance, modular and decentralized control, and symbolic calculations allow much larger problems to be tackled (see, e.g. [Brandin and Charbonnier (1994)] and [Ma and Wonham (2006)]). The DES models used in this paper are untimed and assume full event observation. Robust control for timed DES models is discussed in [Bourdon et al. (2005)] and for partial event observation in [Saboori and Hashtrudi Zad (2006)]. We have developed computational algorithms for the case of partial event observation and will publish them in the future. Related Work: [Muscettola et al. (1998)] provides and overview of the model-based diagnosis and reconfiguration system, Livingstone. Livingstone uses probabilistic discrete models. Probabilistic models are used to focus on the more likely scenarios in order to reduce computational complexity. The result is a system that can work in real time. Livingstone was implemented on Deep Space 1. The drawback is that every now and then, the actual situation is not among the likely scenarios. Our work is based on deterministic models and can be regarded as a step in the direction of considering all possible scenarios. [Pekala et al. (2008)] and [Bensalem et al. (2010)] use model checking tools to verify the design of control logic. In [Bensalem et al. (2010)], for instance, the plant is modeled with discrete models in BIP framework. Next based on design specifications, the supervisor modules, called connectors, are represented in BIP framework. Then the safety and deadlock-freedom properties are verified using model checker D-finder. D-finder and similar tools, use symbolic calculations to handle problems far more complex than the one considered in this paper. The main difference between the approach used in this paper and that in [Pekala et al. (2008)] and [Bensalem et al. (2010)] is that here we start from the design specifications and systematically design a control logic (supervisor) that satisfies the specifications. [Pekala et al. (2008)] and [Bensalem et al. (2010)] however start with given supervisors (connectors) and verify that they satisfy the specifications. If the test fails, then the designer has to modify the supervisors till a satisfactory solution is obtained. 6. CONCLUSION In this paper the theory of supervisory control of discreteevent systems is used to develop command sequences for control and fault recovery of a spacecraft propulsion subsystem. The study shows that to meet the specifications of normal and faulty modes, the supervisor has to be a “robust” supervisor, and that a conventional (non-robust) supervisor could lead to engine getting stuck in shutdown state. The features of this system that necessitate the use of robust supervisor seem to be present in many aerospace systems. In addition to theoretical developments, we are 205
205
conducting lab tests on an experimental setup to evaluate the robust supervisory control methodology. REFERENCES Bensalem, S., de Silva, L., Gallien, M., Ingrand, F., and Yan, R. (2010). “Rock solid” software: a verifiable and correct-by-construction controller for rover and spacecraft functional levels. Int. Symp. on Artificial Intelligence, Robotics and Automation for Space (i-SAIRAS), Sapporo, Japan. Bourdon, S., Lawford, M., and Wonham, W. (2005). Robust nonblocking supervisory control of discrete-event systems. IEEE Trans. Autom. Control, 50(12), 2015– 2021. Brandin, B.A. and Charbonnier, F.E. (1994). The supervisory control of the automated manufacturing system of the aip. Proc. 4th Int. Conf. on Computer Integrated Manufacturing and Automation Technology, 319–324. Cassandras, C. and Lafortune, S. (2008). Introduction to Discrete Event Systems. Springer. DECK, Discrete Event Control Kit (DECK 1.2013.11). ECE Dept., Concordia University. http://www.ece.concordia.ca/~shz/deck. [Online]. Leeds, M., Eberhardt, R., and Berry, R. (1996). Development of the Cassini spacecraft propulsion subsystem. 32nd Joint Propulsion Conf. and Exhibit, paper 96-2864. Lake Buena Vista, FL. Lin, F. (1993). Robust and adaptive supervisory control of discrete event systems. IEEE Trans. Autom. Control, 38(12), 1848–1852. Ma, C. and Wonham, W.M. (2006). Nonblocking supervisory control of state tree structures. IEEE Trans. Autom. Control, 51(5), 782–793. Morgan, P. (2010). Cassini spacecraft’s in-flight fault protection redesign for unexpected regulator malfunction. Proc. IEEE Aerospace Conf., 1–14. Big Sky, MT. Muscettola, N., Nayak, P., Pell, B., and Williams, B.C. (1998). Remote agent: to boldly go where no AI system has gone before. Artificial Intelligence, 103(12), 5 – 47. Pekala, M., Cancro, G., and Moore, J. (2008). Verifying executable specifications of spacecraft autonomy. Int. Symp. on Artificial Intelligence, Robotics and Automation for Space (i-SAIRAS08), Pasadena, CA. Ramadge, P. and Wonham, W. (1987). Supervisory control of a class of discrete event processes. SIAM J. Control Optim., 25(1), 206–230. Saboori, A. and Hashtrudi Zad, S. (2005). Fault recovery in discrete event systems. Proc. ICSC Congr. on Computational Intelligence Methods and Applications. Istanbul, Turkey. Saboori, A. and Hashtrudi Zad, S. (2006). Robust nonblocking supervisory control of discrete-event systems under partial observation. Systems & Control Letters, 55(10), 839 – 848. Wonham, W. (2014). Supervisory Control of Discrete Event Systems. Systems Control Group, ECE Dept., University of Toronto, Canada, available at http://www.control.utoronto.ca/DES. Yari, F. and Hashtrudi Zad, S. (2016). Computational procedures for robust nonblocking supervisory control. Proc. Canadian Conf. on Electrical and Computer Eng., 274–278, Vancouver, Canada.