DESIGN OF FAULT TOLERANT CONTROL SYSTEMS
Benjamin Erik Walker
A dissertation submitted to the faculty of
The University of North Carolina at Charlotte
in partial fulfillment of the requirements
for the degree of Doctor of Philosophy in
Dr. Bharat Joshi
Dr. Yogendra Kakad
Dr. James Conrad
Dr. Mehdi Miri
Dr. Edgar Munday
©2012 Benjamin Erik Walker
ALL RIGHTS RESERVED
ABSTRACT
BENJAMIN ERIK WALKER. Design of fault tolerant control systems.
(Under the direction of DR. BHARAT JOSHI) This research designs a Fault Tolerant Control (FTC) approach that compensates for both actuator and sensor faults by using multiple observers. This method is shown to work for both linear time-variant and linear time-invariant systems. This work takes advantage of sensor redundancy to compensate for sensor faults. A method to calculate the rank of available sensor redundancy is developed to determine how many independent sensors can fail without losing observability. This rank is the upper bound on the number of simultaneous sensor failures that the system can tolerate. Based on this rank, a series of reduced order Kalman observers are created to remove sensors presumed faulty from the internal feedback of the estimators.
Actuator redundancy is examined as a potential way to compensate for actuator faults. A method to calculate the available actuator redundancy is designed. This redundancy would allow for the correction of partial and full actuator failures, but few systems exhibit sufficient actuator redundancy. Actuator faults are instead tolerated by replacing the Kalman estimators with Augmented State Observers (ASO). The ASO adds estimates of the actuator faults as additional states of the system in order to isolate and estimate the actuator faults. Then a supervisor is designed to select the observer that correctly identifies the sensor fault set. From that observer, the supervisor collects state estimates and calculates estimates of the sensors and faults. These estimates are then used in feedback with a controller that
I wish to express my gratitude to Dr. Kakad who taught me the concepts of control theory and advised me throughout my MSEE and Ph.D.
I also want to thank my dissertation committee members, Drs. Joshi, Kakad, Miri, Conrad, and Munday for their comments and suggestions with respect to this work.
Lastly, I owe my greatest gratitude to my parents whose continued support made
1: Overview of the system, observers, supervisor, and controller.
FIGURE 5.2.1: Comparison of the first reduced observer and the full observer when the first sensor is faulty.
1: Sensor estimates vs. measured sensors when no faults are occurring.
FIGURE 5.3.2: Sensor estimates, measured sensors, and theoretical fault free first sensor. The first sensor is suffering a ramp offset error at time zero.
3: Error between FTC system sensor estimates and fault free sensors.
FIGURE 5.3.4: Unexpected error of each observer when the first sensor is faulty.
FIGURE 5.3.5: Sensor estimation with white Gaussian noise on all sensors.
3: Fault tolerant system tracking the airplane outputs when there are no faults in the system.
4: Fault tolerant system tracking the airplane outputs when there are no faults in the system. Plots split to better see each sensor's dynamics.
5: Fault tolerant system tracking the airplane. An actuator fault occurs at ten seconds.
6: Comparison of the actuator faults and their estimates. Actuator faults occur after one second.
7: System’s estimate of the airplane’s sideslip angle. The first sensor suffers an offset fault after three seconds.
FTC Fault Tolerant Control
FDI Fault Detection and Isolation
ASO Augmented State Observer
r-ASO Reduced order Augmented State Observer
, Vectors that measure the rank of available sensor redundancy in the single fault and multiple fault cases respectively, Vectors that measure the rank of available actuator redundancy in the single fault and multiple fault cases respectively Rank of sensor/actuator redundancy being tested Rank of available sensor redundancy
A subset of the sensors that are presumed faulty A subset of the sensors that are presumed fault free The subscript signifies a matrix or vector that has been altered to correspond to an augmented state observer The subscript signifies a matrix or vector that only contains elements that correspond to the set, other elements are set to zero or removed The subscript signifies a matrix or vector that only contains elements that correspond to the set, other elements are set to zero or removed
The control system design process involves the use of feedback to modify the plant response so that the system closely tracks the reference input, minimizes the sensitivity of the system response to system parameter variations, and renders the system response insensitive to any disturbance to the system. In order to implement feedback, the system response is conditioned in the feedback loop and compared with the desired signal. The system response is commonly referred to as the output and is measured by sensors. The error signal generated from the comparison of the reference signal and the output signal is utilized in some cases as the actuating signal. However, further design involves adding hardware that modifies the error signal to generate the actuating signal for the actuator. These additional elements are commonly called compensators or controllers. The layout of these elements is shown in Figure 1.1.1.
The primary function of a controller is to ensure stability of the closed loop system and meet performance needs. With the increase in the complexity of systems and the ever increasing need for more stringent performance requirements, the reliability of the actuators and sensors is of utmost importance. Thus, detecting faults in the sensors and actuators is an area of current research interest in the study of control systems.
Faults occur in many components of the system. Some of the common causes of faults in a system are plant model errors, sensor noise, and actuator wear. Some faults result in minor errors that are tolerable, but eventually faults will prevent a system from performing acceptably or cause it to undergo unstable behavior. To overcome this problem a fault tolerant control (FTC) system is designed.
Fault tolerant controllers must be able to handle multiple categories of faults and errors. There are fundamentally two ways to achieve this. Fault tolerant systems can be designed to be robust enough to perform correctly in the presence of faults. Robustness is a measure of a system's ability to meet performance needs in the presence of errors.
This type of method is known as passive FTC. Passive FTC requires less information about the system and the faults than other methods. This makes the design process easier, but passive FTC is not able to handle strong faults. Systems designed by this method are rarely designed to estimate the faults; they are only designed to tolerate them.
The simplest passive fault tolerant system is a unity feedback controller. Unity control uses comparative feedback to create a single closed loop. When the system's response fails to meet the desired level, feedback forces it to adjust proportional to the difference. This type of controller is one of the easiest to design. Unfortunately, it is
A more robust method is to design multiple controllers and multiple loops, so that if one of the controllers fails, the system can be corrected via the other controllers. This requires the controllers to be built to fail into the open state, rather than an unbounded failure. This type of failure is common in high stress environments.
However, smarter systems can detect the presence of a fault, identify it, and dynamically compensate for it. Thus they remove the faulty information. Fault detection and isolation (FDI) based methods are effective at achieving fault tolerance. These methods are known as active fault tolerant systems, as they estimate the fault signals or reconfigure themselves to compensate for the faults. While both active and passive methods are able to compensate for faults, active systems are known for performing the full trio of fault detection, fault identification, and fault isolation.
Active systems usually consist of multiple layers. One layer handles the normal operations of the system. Additional layers are added to handle fault detection and isolation. Some active methods rely on the fault information being fed into the controller which modifies its response accordingly. Other methods reconstruct fault-free information that they pass to the controller instead of the plant's faulty outputs. Most active methods produce fault estimates that are passed to other systems or to the user.
Having a measure of the faults is useful in many critical systems.
For these reasons, a passive FTC is considered quicker and easier to design, but is less powerful. An active FTC is stronger, but is more difficult to design. Most FDI methods rely heavily upon an accurate model of the plant. Without a complete model of the plant, FDI is complicated by the system improperly classifying un-modeled plant
order models with greater accuracy. Model imperfection is inevitable in any real world plant. Inaccuracies in measurements and imperfections in the fabrication process cause the actual dynamics to deviate from the model of the plant. FDI methods must accept this potential error and avoid improperly classifying it as a fault. To avoid this, some FDI methods do not directly construct a plant model.
FTC is a powerful field of work, bringing increased stability and performance as well as robustness and fault identification. Definitions of faults and errors are reviewed in detail in Section 1.2. Section 1.3 includes a review of various methods that
Modern plants are complicated and modeled as high order systems. Fault tolerant controllers are needed to maintain performance and stability in the presence of faults. To assist in this process, plant faults are classified into categories. Some faults are actual errors, while others are considered failures or disturbances. Each type is described to enable correction and tolerance. However, most methods of FTC are only able to handle certain subsets of fault types.
A type of fault present in nearly all systems is known as modeling error.
Modeling error refers to flaws in the design of the model, such as using a linear model to estimate a nonlinear plant. This type of error is regularly caused by using reduced order plants to deal with a high order system. Many systems are too complicated to model both efficiently and correctly. As such, many variables are often omitted to make for a simpler model. The difficulty in compensating for these errors is that the analytical model to represent the error is usually of very high order. This type of error causes a lot of difficulty with passive FTC systems. The errors caused by model estimation lead to faults that can adversely affect the stability of the system if left unchecked.
Another error that interferes with the effectiveness of the controller, distinct from model error, is drift error, which is internal to the instrumentation. Drift errors are typically caused by the components of a system being subjected to wear and subsequently not performing up to specification. These errors are often multiplicative in nature, although they are usually modeled as additive faults. The impact of this type of fault can be reduced with regular testing and maintenance of the system's equipment. It is also the
There are also faults caused by external sources. One type of external fault that is present in all real world systems is noise. Noise describes stochastic errors in the system.
Noise is typically associated with measurements, but every component suffers noise in some aspect. It is a high frequency error and not predictable by analytical representation.
Modern designs often classify modeling errors as noise to simplify the mathematics. While noise is impossible to predict deterministically, its high frequency and low power make it easy to compensate for with FTC methods.
Another external source of faults is disturbance. Disturbance is a low to mid frequency signal that is an unexpected input to the system. Disturbance signals are deterministic in nature, so unlike noise they can be modeled. An example of a disturbance for an airplane could be crosswind. Disturbances are typically an additive unknown fault. Many systems will lump all faults, from disturbances to model errors, into some form of unknown fault input. As systems can be designed to predict these faults, they can be designed to estimate and correct for them. There are a wide variety of methods to handle these additive and deterministic disturbances.