FAULT-TOLERANT CONTROL Is it possible? JAN MACIEJOWSKI Fault- - - PowerPoint PPT Presentation

FAULT-TOLERANT CONTROL

Is it possible? JAN MACIEJOWSKI

Fault-tolerant control. DPS’09, Gdańsk

Canonical Control Engineering Problem

• This problem is essentially solved
• For processes as well as single loops
• Demand now: Added value

2

Filter Controller Plant Sensor

Set-point Disturbance Noise Controlled

• utput

Added value: ‘Higher-level’ functionality

• Plant-wide control
• Coordinated control of multiple processes within single plant
• Enterprise-wide control
• Control of entire supply chain of an enterprise
• Asset management, safety
• Condition-monitoring, diagnostics
• Autonomy
• Fault-tolerant control
• Hybrid systems: discrete + continuous variables, logic + ODE’s, …

3

Drivers for fault-tolerant control: Safety

• Safety-critical system
• Needs safe back-up
• Physical duplication/triplication is expensive
• Fault-tolerant control is an alternative
• ABS: For service brakes on a vehicle equipped with one or more

antilock systems, in the event of any single functional failure in any such system, the service brake system shall continue to operate and shall stop the vehicle as specified in S7.8.3(a) or S7.8.3(b). (a) Stopping distance for 100 km/h test speed: ≤ 85 m (279 ft). (b) Stopping distance for reduced test speed: S ≤ 0.10V + 0.0075V2

4

Drivers for fault-tolerant control: Automotive safety

• Anti-Lock Braking (ABS) systems
• Anti-collision braking
• Automatic steering
• Automatic lane-changing and overtaking
• Can expect similar fault-tolerant requirements in each case
• Note: ‘any single failure’ – not specified which one

5

Drivers for fault-tolerant control: UAV safety

Unmanned Air Vehicles (UAVs)

• Many non-military uses

– eg traffic monitoring

• Operation over

densely-inhabited areas?

• Pilots handle many minor problems
• But if there is no pilot?
• Fault-tolerant control is enabler of

safe autonomous operation

6

Drivers for fault-tolerant control: Economic

• Cost of lost production/operation due to fault
• Oil exploration: $1M per day
• Cost of unnecessary energy consumption
• Illegality of excessive pollutant production
• Maintain operation until scheduled maintenance

7

Drivers for fault-tolerant control: Economic

• Space exploration
• Not human safety,

but very expensive – cannot fail !

• Outer solar system, Mars, etc

(eg ESA Aurora programme)

• Emphasis on autonomous operation

including fault-tolerant control

8

Successful fault-tolerant control: Process control

Hydrocracker distillation columns

• DMC predictive controller (c.1990)
• Controller operated previously

dormant valve

• Usual valve fouled, not effective
• An example of predictive control’s

inherent Daisy-chaining capability

9

Successful fault-tolerant control: Paper-making

Sensor failure

• Brightness sensor obscured by

congealed pulp

• State observer used for sensor fusion
• State estimate remained sufficiently

good to allow continued production (inferential control)

• Inherent robustness of feedback

10

Successful fault-tolerant control: Automotive - ABS

11

Wheel speed sensor failure Avoid rear wheels sliding while front has traction

ABS sensor failure – fault-tolerant strategy

• Avoid rear wheels sliding while front has traction
• If front sensor fails: keep ABS active on rear, lock front.
• If one rear sensor fails: use surviving rear sensor only,

apply ABS action on both rear wheels.

• If both rear sensors fail: lock front wheels,

disable ABS on rear wheels.

• Specific, simple action in the face of a specific fault
• Depends on very fast failure detection

12

ABS sensor – fault detection

• Failure detection algorithms:
• Loss of signal from sensor?
• Compare wheel deceleration with brake fluid pressure

at each wheel: Large deceleration & High pressure → wheel locked Large deceleration & Low pressure → sensor failure

• Noise-free signals. Logic-based fault detection.

Very fast – milliseconds

13

Successful fault-tolerant control: Aircraft

• DC-10, Sioux City, 1989
• Loss of all hydraulics and

rear engine (no.2)

• Only controls: engines 1,3
• Landing at 240 knots,

descent 600 m/min (normally 140kt, 100 m/min)

• 185 survivors, out of 296.

14

Consequences of Sioux City incident

• National Transportation Safety Board investigation:
• Reconstruction in flight simulators
• Training for similar event ‘not practical’
• Landing under these conditions ‘a highly random event’
• At least one academic study of ‘propulsion-only control’

(H∞ model-matching, Jonckheere et al, 1999)

15

Successful fault-tolerant control: Aircraft

• Airbus 300, 2003
• Total loss of hydraulics
• Crew learnt to fly it in

10 minutes

• Landed successfully
• Captain had studied

Sioux City incident

• NTSB too pessimistic?

16

Successful fault-tolerant control: Aircraft

• Israeli Air Force F-15, 1983
• Wing lost in mid-air collision
• Flew at very high speed and

very high roll angle to get vertical lift vector

• Some vectored thrust at tail
• No significant ‘learning time’
• Landed successfully

17

B-747, Schiphol, 1992

• Lost both engines on one side

while climbing at 1500m

• Pilot flew plane for 10 minutes,

then lost control

• Many studies of this incident.

Recent: GARTEUR Action Group and Springer book

18

B-747, Schiphol, 1992 – good example to study

• High-fidelity model of failed aircraft from flight data
• Only on-board data used
• It was possible to fly the aircraft – so fault-tolerant control possible
• Several minutes available – millisecond response not necessary
• Partial control recovery would have been a success – cargo aircraft
• Many control surfaces damaged or inoperative
• Reduced lift from one wing
• Rudder hard-over to counteract yaw torque

19

B-747, Schiphol, 1992 – the Cambridge solution

20

Reference model Fault detection & isolation (FDI) MPC (reconfiguration) Damaged plane Fault-tolerant controller Pilot commands Feedback to pilot 10 Hz 1 Hz

B-747, Schiphol, 1992 – the Cambridge solution

21

B-747, Schiphol, 1992 – the Cambridge solution

• We cheated! Our assumptions:
• We have a new model – instantly. (Instant FDI)
• We kept the speed high even at landing.
• We allowed individual control of each surface.
• But – in mitigation:
• Main problem was inoperative control surfaces.

Instant status feedback is available from surfaces.

• High speed was maintained in DC-10, Airbus 300 and F-15 incidents.

High speed allowed one linear model to be sufficient.

• Modern aircraft allow individual control of each surface.

22

Fault-tolerant control of aircraft: current status

• Control reallocation – on military aircraft?
• Flight control system computes forces and torques
• Control allocation module maps these to available surfaces
• Very fast FDI needed – open-loop unstable aircraft
• Only anecdotal reports.
• Barron Associates claim:
• First to fly a fault-tolerant controller (on F-16)
• To have implemented several fault-tolerant controllers
• Only on test flights – none is in regular use.

23

Fault-tolerant control: Spacecraft

Re-usable launch vehicle X38

• Control reconfiguration not enough.
• Need guidance adaptation and

trajectory re-planning.

• Control: dynamic inversion to find

forces and torques. Control re-allocation via LP optimisation.

• Trajectory re-planning: SQP.
• Execution speeds not reported.

24

Fault-tolerant control: Spacecraft

Spacecraft rendezvous – thruster failure with MPC – Daisy-chaining

25

Critique of Fault-Tolerant Control as academic subject

• Linear models
• Of limited use for major faults, as on the aircraft.
• Maybe OK for gradual faults, eg ageing bearings

– but is fault-tolerant control required in such cases?

• Actuator and sensor faults represented by additive disturbances
• No good for ‘hard-over’ faults – the most common kind.
• I think u=Mv+d is more reasonable model (M=I, d=0 normally).
• Objective: recover no-fault performance
• Crazy if a major fault has occurred.
• Major difference between adaptive and fault-tolerant control?
• Fault detection and Identification (FDI)
• Frequently assumes no noise, perfect model. Hence no delay.

26

Fault-Tolerant Control – What is possible?

• Anticipated faults
• One engine on aircraft, ABS speed sensor, etc
• Reduced thrust from gas-jet on spacecraft, etc
• We have examples of successful FTC for these.
• Unanticipated faults
• Combinatorially many possibilities
• We know it can be done – pilots can do it!
• We can probably devise FTC systems to work in

particular scenarios

27

Fault-Tolerant Control – goals for research

• In Control research we aim for guaranteed properties
• Stability, Robust performance, Invariant feasiblity, etc
• Can we hope to get these for unanticipated faults?
• At least we hope for some genericity of our solutions
• Can we get beyond individual ‘fixes’?
• We lack theory for:
• Performance relaxation in presence of faults
• Defining ‘sufficiently good’ control performance
• How good a model do we need / can we get?
• How much data do we need for FDI and re-modelling?
• How are these questions related to each other?

28

Fault-Tolerant Control – speculations

My speculations on a possible way forward

• Machine-learning and optimisation

– a powerful combination.

• Model Predictive Control – a good basis for building

systems based on online optimisation

• ‘Controller falsification’ (Safonov and Tsao 1997)

– feels right, but not successful yet

• A complete theory of FTC would be equivalent to complete

theory of epistemology – so don’t expect it soon!

29