WO2000062135A1 - Redondance de controleur numerique par detection de defaillance sur reseau neuronal - Google Patents

Redondance de controleur numerique par detection de defaillance sur reseau neuronal Download PDF

Info

Publication number
WO2000062135A1
WO2000062135A1 PCT/US2000/009126 US0009126W WO0062135A1 WO 2000062135 A1 WO2000062135 A1 WO 2000062135A1 US 0009126 W US0009126 W US 0009126W WO 0062135 A1 WO0062135 A1 WO 0062135A1
Authority
WO
WIPO (PCT)
Prior art keywords
controller
primary
backup
neural network
inputs
Prior art date
Application number
PCT/US2000/009126
Other languages
English (en)
Inventor
John P. Keyerleber
Original Assignee
Abb Automation Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Abb Automation Inc. filed Critical Abb Automation Inc.
Priority to AU42043/00A priority Critical patent/AU4204300A/en
Publication of WO2000062135A1 publication Critical patent/WO2000062135A1/fr

Links

Classifications

    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B9/00Safety arrangements
    • G05B9/02Safety arrangements electric
    • G05B9/03Safety arrangements electric with multiple-channel loop, i.e. redundant control systems

Definitions

  • This invention relates to digital control systems and more particularly to those systems which include fault tolerant controllers.
  • the digital controller should be fault tolerant so that the digital control system is recoverable without adverse disruption to the process.
  • Hardware architectures include dual, triple, and even n-multiple redundant controller configurations, in which two or more controllers operate in tandem as master/slave pairs or voting clusters.
  • Software designs include active/standby operation in which the primary controller operates the control logic, while one or more backup controllers operate in a passive standby mode.
  • Fault diagnostic techniques proposed by the prior art include augmenting the conventional control logic with artificial neural networks or fuzzy logic (see Kim et al. Application of Neural Networks And Fuzzy Logic In Failure Detection And Fault Tolerant Control System Design, Ships Control Design Symposium, pp. 189-208, April 1997;
  • Campelo et al. and Tyrrell each describe the sta te checkpoint method of controller redundancy which is a fault tolerant control technique that is commonly used in industry.
  • a pair of identical digital controllers operate in tandem, one as primary and the other as backup, to provide fault tolerant control of the process.
  • the state of the primary controller is transmitted to the backup controller over a dedicated redundancy data link. This state transmission, called checkpointing, allows the backup controller to track the execution of the primary controller. Should the primary controller fail, the backup controller can rapidly take over control action without disruption to the process.
  • the popularity of the state checkpoint method is due primarily to the following:
  • Backup execution lag the primary controller periodically transmits its state to the backup controller after each control logic execution scan, thus the backup controller state always lags the primary controller state by one execution scan. In the event of a primary controller failure during an execution scan of the control logic, the backup controller will takeover and operate on old controller state information. This behavior may have undesirable side effects.
  • Backup takes over only on fatal primary failure: the backup controller monitors the status of the primary controller typically through hardware watchdog circuitry.
  • the primary controller software is responsible for periodically refreshing this watchdog circuitry, otherwise it will timeout and a failover occur. Thus the event required to initiate a failover is often only a catastrophic primary controller failure.
  • Various other primary controller failures which do not trip the watchdog circuitry but may require controller failover, are not considered. These types of failures can include control logic errors and plant operator mistakes.
  • Finite communications bandwidth the primary controller must transmit its state information to the backup controller every execution scan. This transmission occurs on a dedicated communications link between the primary and backup controllers.
  • the present invention presents an alternative method, known as the synchronous execution method, to the state checkpoint method of digital controller redundancy.
  • the primary and backup digital controllers operate in a lock step manner, in which they both compute the control algorithm.
  • the primary controller is responsible for reading the process inputs and driving the control outputs.
  • the backup controller receives the process inputs from the primary controller, and executes the control algorithm in parallel to the primary controller.
  • the present invention extends that implementation to redundant controller configurations by including a neural network in the backup controller. Since the backup controller receives its process inputs from the primary controller, during the time in which the primary controller is reading the process inputs and driving the control outputs, the backup controller is idle. This idle time is used by the backup controller to execute a neural network analysis on both the primary and backup controller process inputs and control outputs.
  • the synchronous execution method of controller redundancy coupled with the neural network analysis by the backup controller, provides a powerful redundant controller system, which has the following advantages:
  • Backup controller availability is known: since the backup controller is executing the control logic, its health and readiness can be reported to the operator.
  • Backup controller can takeover on a variety of faults: failover to the backup controller is no longer dependent on only a catastrophic failure of the primary controller.
  • a method for operating a primary digital controller and a backup digital controller that are connected in a redundant configuration has the step of operating the primary and backup digital controllers in a synchronous execution mode. The method also has the step of including in the backup digital controller a neural network.
  • a method for operating a primary digital controller and a backup digital controller that are connected in a redundant configuration has the step of operating the primary and backup digital controllers in a synchronous execution mode. In that mode the primary controller reads for a first predetermined period of time inputs from a process under control by the primary controller and provides for a second predetermined period of time driving control outputs to the process. In that mode the primary and backup controller both execute an algorithm to control the process.
  • the method also has the step of including in the backup digital controller a neural network.
  • a system for controlling a process has a primary controller for controlling the process.
  • the system also has a backup controller.
  • the primary and backup controllers are connected to each other in a synchronous execution mode.
  • the system further has a neural network included in the backup controller.
  • Fig. 2 shows the open loop step response of the discrete transfer function for the process of Fig. 1.
  • Fig. 3 shows a block diagram of a digital PI controller with unity gain feedback.
  • Fig. 4 shows the closed step response of the controller of Fig. 3.
  • Fig. 5 shows a block diagram of a commercial implementation of the controller of Fig. 3.
  • Fig. 6 shows two identical controllers implementing the state checkpoint redundancy technique.
  • Fig. 7 shows two identical controllers implementing the synchronous excitation redundancy technique.
  • Fig. 8 shows a block diagram of a neural network having a single computational element.
  • Fig. 9 shows the integration of a neural network into the control loop of the controller of Fig. 3.
  • Fig. 10 shows a two layer neural network.
  • Fig. 11 shows the simulation model for training the neural network of Fig. 10.
  • Fig. 12 shows in graphical form the sum-squared error resulting from the training of the neural network.
  • Fig. 13 shows in graphical form the learning rate versus epoch number resulting from the training of the neural network.
  • Fig. 14 shows the enhanced simulation model for training the neural network of Fig. 10.
  • Fig. 15 shows in graphical form the expected behavior of the enhanced neural network during a step change response of the process model of Fig. 1.
  • Fig. 16a shows in graphical form the response of the enhanced neural network to the first part of an incorrect controller input test.
  • Fig. 16b shows in graphical form the response of the enhanced neural network to the second part of an incorrect controller input test.
  • Fig. 17 shows in graphical form the response of the enhanced neural network to a simulation test representative of a stuck valve.
  • Fig. 18a shows in graphical form the response of the enhanced neural network to the first part of a simulation test representing a fault due to equipment failure.
  • Fig. 18a shows in graphical form the response of the enhanced neural network to the second part of a simulation test representing a fault due to equipment failure.
  • Fig. 19a shows in graphical form the response of the enhanced neural network to the first run of a simulation test representing the neural network exposed to disturbances in the process.
  • Fig. 19b shows in graphical form the response of the enhanced neural network to the second run of a simulation test representing the neural network exposed to disturbances in the process.
  • Fig. 19c shows in graphical form the response of the enhanced neural network to the third run of a simulation test representing the neural network exposed to disturbances in the process.
  • the temperature of a tank 12 of fluid with a constant flow rate in and out is to be controlled by adjusting the temperature of the incoming fluid.
  • the temperature of the incoming fluid is controlled by a mixing value 14 that adjusts the relative amounts of hot 16 and cold 18 supplies of the fluid. Because of the distance between the mixing valve 14 and the input point 20 of discharge of fluid into the tank 12, there is a time delay between the application of a change in the mixing valve position and the discharge of the flow with the changed temperature into the tank.
  • the sampling period T l second
  • the system time constant a l second
  • a flow delay Td 1.5 seconds
  • G(z) the discrete transfer function
  • Fig. 2 shows the open loop step response of G(z) .
  • This graph shows that the process transfer function contains unity gain to constant control, and thus there will be a steady-state error to a constant control setpoint. Therefore, closed loop control is required to realize a target control setpoint.
  • Controller Design
  • PID controller proportional, integral, and derivative controller.
  • the PID controller is used throughout modern control theory, and the general form of the digital PID controller is given as follows:
  • PID controller In practice, reduced variations of the PID controller are often used, including proportional only (P) control, and proportional and integral (PI) control.
  • P proportional only
  • PI proportional and integral
  • the process model 10 described in the Description of Process section is interesting due to the transportation delay.
  • the temperature of the fluid exiting the mixing valve 14 is not realized in the tank until a finite time period later.
  • Such delays are common in the chemical processing industry, and because there is no internal integrator in the process transfer function, good steady- state accuracy requires integral control.
  • proportional and integral (PI) control will be applied to that model.
  • the digital controller is reduced to:
  • Fig. 3 there is shown a general block diagram of a digital PI controller with unity gain feedback.
  • u is the control setpoint (input) to a summer 32
  • y is the process variable (output)
  • D (z) is the digital PI controller 34
  • G (z) is the transfer function of the process 36.
  • K the controller gain
  • using proportional and integral control the desired setpoint can be achieved within 15% overshoot and a reasonable amount of settling time, based on the overall dynamics of the process model 10.
  • the implementation of the digital PI controller 30 in a commercial digital control system will be described below in the section entitled "Controller Implementation.”
  • PI controller which was designed in the Controller Design section can be readily implemented in a commercial digital control system (DCS) .
  • DCS digital control system
  • Fig. 5 shows such a DCS 90 using by way of example but not of limitation the SYMPHONYTM DCS manufactured and sold by an operating unit of the assignee of the present invention.
  • analog signals are represented by solid interconnection lines
  • Boolean signals are represented by dashed interconnection lines.
  • the DCS 90 includes five blocks 100, 110, 120, 130 and 140 each of which represent a configured function of the DCS.
  • a function code is a module of software that is programmed to execute a specific algorithm or control function based on user configured information, such as control loop gain constants. Groups of function codes are connected together in sequences to create a wide variety of control strategies.
  • Analog Input from process supplies the controller logic with a sampled value of the process variable.
  • Proportional, Integral, and Derivative (PID) Control computes the PID algorithm using the SP (setpoint) and PV (process variable) inputs.
  • the TR and TS inputs are for manual mode operation.
  • TR is the track reference value and TS is the boolean track select signal.
  • the digital controller 90 executes the configured function codes in sequential block number order on a periodic basis. For the mixing process 10, every one second the controller will sample the process variable input, compute the PID algorithm, and drive the control output.
  • the Manual/Auto Station (function code 80 at block 130) is used to provide an operator interface to the process 10 to allow an operator to place the loop into manual control mode, during which time the PID control loop is overridden by an operator supplied value.
  • the DCS 90 includes as is shown in Fig. 6 two identical controllers 150 and 152 which are configured as a redundant pair to thereby implement the well known state checkpoint redundancy technique.
  • Controller 150 is the primary controller and the controller 152 is the backup controller.
  • the primary controller 150 samples process inputs, executes the function code configuration, and drives control outputs on a regular period known as an execution scan .
  • Each execution scan results in specific state information being computed by the control logic.
  • state information includes the process variable input and user setpoint values, intermediate computations of the PID algorithm, the mode of the control loop (auto or manual), and the process control output.
  • the data structures which contain this state information are transmitted (checkpointed) to the backup controller 152 over a high speed redundancy interface link 154.
  • special watchdog hardware on the backup controller 152 allows it to take over control action within a few milliseconds.
  • a typical DCS 90 can be configured to execute several thousand function code blocks, which may comprise several hundred control loops, in a single redundant controller pair 150, 152. This configuration results in a significant amount of information that is checkpointed from the primary controller 150 to the backup controller 152. The limitations of this configuration have been described previously.
  • Fig. 7 there is shown an embodiment for the synchronous execution method of controller redundancy of the present invention.
  • the method of the present invention overcomes the limitations of the state checkpoint method. In developing the redundancy technique of the present invention it was recognized that controller 152 of the state checkpoint redundancy method spends most of its execution time waiting for the primary controller 150 to execute its control logic.
  • the primary controller 160 reads the process variables (inputs) and send them to the backup controller 162 over a high speed redundancy interface link. Both the primary and the backup controllers 160, 162 execute the control logic in parallel, and the primary controller 160 drives the control outputs and sends them to the backup controller 162. During the time in which the primary controller 160 is reading the process inputs and driving the control outputs, the backup controller 162 executes a neural network analysis on the inputs and outputs of the primary as well as its own inputs and outputs.
  • Backup controller 162 availability is known: since the backup controller 162 is executing the control logic, its health and readiness can be reported to the operator.
  • Backup controller 162 can takeover on a variety of faults: failover to the backup controller 162 is no longer dependent on only a catastrophic failure of the primary controller 160. 4. Reduced load on redundancy link: since the backup controller 162 is executing the control logic, it is generating its own state information, thus the amount of information that is required to be exchanged between the primary and backup controllers 160, 162 is reduced to the process inputs and control outputs.
  • ANN artificial neural networks
  • Such networks have become useful engineering tools, which can be applied to a diverse set of complex problems, including pattern recognition, identification, and classification.
  • the basic idea is to assemble a large number of simple computational blocks, each of which may have the same internal computational function. These computational blocks are then interconnected by various pathways. By adjusting the "strength" of the interconnections, the resulting system can be used to map a set of inputs into a desired output.
  • Figure 8 depicts an example of a single computational element (neuron) 170 and its associated interconnections.
  • a neuron contains a set of inputs (p ) to a summing block 172, a set of weights Wi) for each input, and a transfer function (F) 174, which is typically a step or sigmoid function.
  • a neural network is formed by assembling these neurons into interconnected layers. By adjusting the weights, w of each of the neurons, the resulting network can be used to map an input space to an output space, whose functional relationship may be complex and highly nonlinear.
  • the process of adjusting these weights is referred to as training the neural network, and it requires target input data vectors, which contain both desirable and undesirable network behavior, to be presented to the network.
  • Training a neural network is usually performed as an offline, iterative process. Each iteration in training is called an epoch .
  • the goal of training a neural network is to minimize the sum squared error between the computed network output vectors and the target vectors.
  • One popular technique which accomplishes this task is called backpropagation training.
  • the backpropagation training process can be considered to have four phases: 1. Presentation phase: present an input training vector and calculate each successive layer's output until the last layer's output is found.
  • Backpropagation phase calculate the delta vector for the output layer using the target vector. Then backpropagate the delta vector to the proceeding layers.
  • Backpropagation training utilizes a gradient based search technique such that for each training iteration, it adjusts the weights and biases of the network in the direction of steepest descent with respect to the error.
  • the training technique is slow because of relatively small learning rates (large learning rates result in unstable learning) , and local minima found during the gradient descent may trap the network's learning ability.
  • momentum and adaptive learning are usually incorporated into the backpropagation training process. Adding momentum to backpropagation training decreases the probability that the network will get trapped in a local minimum. And adding an adaptive learning rate decreases the training time by keeping the learning rate reasonably high while insuring stable learning.
  • a neural network is applied to recognize controller faults in both the primary and backup controllers.
  • the neural network must be coupled to the process control loop from which it receives its inputs.
  • Figure 9 depicts the integration of a neural network 180 into the control loop of Fig. 3 for the purpose of monitoring the system behavior.
  • the inputs 182, 184 to this neural network 180 are the output of the controller 34 and the process variable from transfer function 36.
  • the two layer network 200 utilizes nine neurons in the hidden layer 202, and one neuron in the output layer 204.
  • the tansig function is used in the hidden layer 202 because it is a fully differentiable function, which suits it well for the backpropagation training techniques used in this embodiment.
  • the logsig neuron transfer function is used in the output layer 204 because its output varies between 0 and 1, which is consistent with the requirements of the status output signal of the neural network 200.
  • Model 11 shows the Simulink simulation model 210 for neural network training.
  • Model 210 was run using various operating inputs in order to build an input vector for training neural network 200.
  • This training input vector depicts the process model 10 in normal operation in which no faults exit.
  • the elements of this vector contain the steady-state values for controller output (Pi) 212 and process variable (P 2 ) 214.
  • Control output error this fault may be caused because of computational error in the controller algorithm, by the controller not being able to write the control output to the field, or by a faulty piece of equipment, e.g.: a stuck valve.
  • Process variable error this fault may be caused by the controller not being able to read the input, by damaged field wiring, or due to a failed sensor.
  • Table 2 The values presented in Table 2 consist of five controller output and process variable pairs, which represent valid steady-state operating points for the process model 10. In order to properly train the neural network 200, bad or invalid operating points must also be presented during training. By taking the good value pairs from Table 2, and rearranging them into other combinations, a complete set of invalid operating pairs was created.
  • Table 3a presents a two-dimensional matrix, which contains both the good (valid) and bad (invalid) operating value pairs. This table represents the entire training data for the neural network 200. For each controller output and process variable pair, a neural network output value of 1 indicates a valid operating point for the process, and a value of 0 indicates that the pair is an invalid operating point.
  • Table 3a Valid and Invalid Process Operating Pairs.
  • Table 3b expands the two dimensional matrix presented in Table 3a in order to specifically describe the failure conditions and fault values which were presented to the network 200 for training.
  • lines 1-5 of Table 3b contain the good operating points.
  • Lines 6-25 contain the operating points at which the control output or process variable is in error due to computational faults, operator interaction errors, misread inputs, or faulty equipment.
  • Table3b Expanded Neural NetworkTrainingVectors.
  • the training parameters used for the network 200 were selected as typical backpropagation training parameters, and their values are presented in Table 4.
  • Table 4 Neural Network Training Parameters.
  • the neural network 200 for the mixing process model 10 completed its training in 403 epochs.
  • the resultant weight and bias vectors were computed to be:
  • Table 5 presents the resultant training data for a sampling of the first and last few training iterations.
  • Fig. 12 shows in graphical form the sum-squared error information.
  • the graph shows that after 300 training epochs a dramatic decrease in the sum-squared error occurred, resulting in a value less than 0.5. Once training epoch 403 was reached, the sum-squared error target of 0.001 was realized.
  • Fig. 13 shows in graphical form the learning rate versus epoch number.
  • the graph in Figure 13 shows that the initial learning rate of the network 200 started small (less than 0.01), but climbed steadily for the first 100 iterations.
  • the network training realized a local minima solution but not a globally optimal solution.
  • the backpropagation training approach caused the learning rate to fall sharply between iterations 100 and 150 to nearly 0.0005, where the network training was able to recover.
  • the learning rate began a steady increase to its final value of just under 40 in epoch 403.
  • the final step in the neural network design effort was to convert the training results to source code which could be readily implemented on the target hardware digital controller platform.
  • the neural network was implemented in C language, as presented in Listing 5 (nnet . c) .
  • the actual function which is used to compute the neural network output is nnet () . Its two arguments are the control output, co, and the process variable, pv, and it returns a Boolean 0 or 1 neural network output status. This function was coded inline without any looping constructs in order to achieve the fast possible executable machine code.
  • the Analysis section provides an analysis of the implementation for neural network 200 as well as its performance on the target digital control system.
  • E. Analysis The first step in the analysis of the trained neural network 200 described above is to consider how the network 200 operates over a variety of both normal and fault inputs. In order to investigate both normal and fault operation, the Simulink model 210 of Figure 11 was enhanced to allow fault insertion and a more detailed analysis.
  • the enhancements to the model 220 include the addition of logic 222, 224, which allows failures to be inserted at both the control output, co, and the process variable, pv.
  • the control output faults are operated by the new co fault switch logic block 222a.
  • the logic block 222 allows the control output to operate normally or at erroneous values, which are specified by the co fault value logic block 222b.
  • the process variable faults are operated by the new pv fault switch logic block 224.
  • This logic block allows the process variable to feedback to the controller normally or at one of several erroneous values, which include an incorrect value, drifting value, or a value with a varied amount of noise.
  • model 220 was enhanced to include additional output graphing logic blocks, which allow for verification of the control loop behavior during the normal and fault simulations.
  • model 220 When model 220 is run, it provides a 60 second simulation of the mixing process model 10, and generates six output vectors, which are defined in Table 6.
  • the first simulation that was run verifies normal operation of the enhanced neural network 220.
  • the setpoint is changed to 66, where it remains until the end of the simulation run. No faults are introduced.
  • Figure 15 shows in graphical form the results of this test.
  • This behavior is consistent with the fact that the neural network 220 was trained using steady-state operation parameters of the process model 10. Thus during process transitions, such as setpoint changes, the network 220 will be unable to distinguish between good (valid) and bad (invalid) process operation. The network 220 maintains this good status throughout the steady-state operation of the process.
  • the second simulation test includes a fault due to an incorrect controller output. Such a condition might arise due to an error in the controller computation algorithm, or an invalid controller gain setting due to operator error.
  • Figure 16a shows in graphical form the results of the first part of the test.
  • the gain of the PI loop is changed (perhaps inadvertently by an operator) .
  • the process model 10 is then allowed to run with the erroneous gain setting.
  • Figure 16b shows in graphical form the results of the second part of the test.
  • the graphs in Figure 16b show that when the controller gain is erroneously changed, the result is a large overshoot and underdamped settling condition in the system response.
  • the enhanced neural network 220 is able to correctly detect the failure. Once the system has settled, the network output returns to valid. This behavior is consistent with the fact that the enhanced neural network 220 was trained with the data taken from steady-state operation of the process.
  • Simulation Test 3 Stuck Mixing Valve
  • the third simulation test presents a fault due to equipment failure.
  • the failure is a stuck mixing valve.
  • Simulation Test 4 Process Variable Input Faults
  • the fourth simulation test also presents a fault due to equipment failure.
  • the failure is a faulty process variable measurement, which could be caused by a failed sensor or damaged field wiring.
  • Figure 18a shows in graphical form the results of this test.
  • Figure 18b shows in graphical form the results of this test.
  • This simulation tests measure the behavior of the enhanced neural network 220 when the network is exposed to disturbances in the process.
  • One cause of such disturbances is sensor noise, which is usually present during normal process operation.
  • This test modifies the Simulink model, so that white noise is introduced with the process variable in the feedback temperature to the controller.
  • the white noise level is set to 5% (a 0.05 variance) of the steady-state process variable value. No additional process faults are active in this test run.
  • Figure 19a shows in graphical form the results of this test.
  • the graphs in Figure 19a show that despite the presence of noise in the sensor feedback temperature (process variable) , the enhanced neural network 220 is able to successfully detect normal process operation.
  • the results of this test match those shown in Figure 15 for Simulation Test 1: Normal Operation.
  • the white noise level is set to 20% (a 0.2 variance) of the steady- state process variable value. No additional process faults are active in this test run.
  • Figure 19b shows in graphical form the results of this test.
  • the graphs presented in Figure 19b show that at process noise disturbance levels of 20% and above, the enhanced neural network 220 begins to have difficulty distinguishing between valid and invalid operating modes of the process.
  • the variations in the feedback temperature signal due to noise cause the neural network output to fluctuate between good (valid) and bad (invalid) process failure detection.
  • the neural network 220 can still be used for fault detection, however due to its output fluctuations between good and bad status, the instantaneous network output cannot be relied on directly as an indicator of failure conditions.
  • a statistical correlation of the output or a time averaged approach could be used in which a set of the most recent neural network outputs are collected and averaged. The result of this average could then be used to detect whether failures exist in the process and report them accordingly.
  • the while noise level is set to 10% (a 0.1 variance) of the steady-state process variable.
  • the enhanced neural network 220 is readily able to distinguish between good (valid) and bad (invalid) process operation in the presence of a moderate amount of noise.
  • Figure 19c shows in graphical form the results of this test.
  • the goal of this analysis is to determine the change in processing resource requirements of the target digital controller due to the change in redundancy techniques (from the state checkpoint method to the synchronous execution method of the present invention) , and also to determine the additional processing requirements needed to perform the neural network computations on the backup controller.
  • the target digital controller used in this analysis is a digital controller used in the SYMPHONYTM DCS. That controller contains a Motorola 68060 based microprocessor executing at 50MHz.
  • the controller redundancy link is a high speed, dedicated serial interface, which is capable of transferring a sustained 300 kilobytes of information per second between the primary and backup controllers .
  • Table 7 presents the computational memory requirements and execution times for the function code logic when executing on the target platform. Table 7: Function Code Memory Requirements and Execution Times.
  • Table 7 shows that for each configured control loop, the primary controller must checkpoint 1156 bytes of controller state information to the backup controller every execution scan, which is once per second in the mixing process model 10.
  • a typical controller can be configured to execute several hundred of these control loops, which results in several hundred kilobytes of data which must be checkpointed to the backup controller each execution scan.
  • the state checkpoint method of controller redundancy is replaced with the synchronous execution method of the present invention, only the data for the input (function code 222) and output (function code 223) function codes must be checkpointed to the backup each scan.
  • the state information for the remaining function codes 2, 19, and 80 is computed in parallel on the backup controller. Therefore, the present invention reduces the amount of checkpoint data from 1156 bytes per control loop to 600 bytes; a 48% reduction.
  • controller configurations often contain additional function codes, which perform operations such as trending or signal shaping.
  • state checkpoint method of controller redundancy the data for these function codes would have to be checkpointed to the backup controller.
  • synchronous execution method of controller redundancy these function codes would also execute in parallel on the backup controller, thus resulting in additional checkpoint data size reductions.
  • the synchronous execution method of controller redundancy allows the redundancy link checkpoint bandwidth to be conserved by executing the control logic in parallel on both the primary and backup controllers.
  • the remaining task for the backup controller is to execute the neural network analysis on the process data sets of both the primary and backup controllers.
  • the backup controller must call the function nnet () , as presented in Listing 5 (nnet.c), with the control output and process variable for each execution scan on both the primary and backup controllers. Since only the primary controller is reading the process variable and driving the control output (via function codes 222 and 223) , the backup controller can use this time to execute the neural network analysis.
  • the backup controller will also receive a copy of the process variable and computed control output from the primary controller each execution scan.
  • Table 8 Machine Instruction Cycles For Function nnet().
  • the total number of machine instruction execution cycles for the neural network analysis function nnet () is given in Table 8 as 14,146. Since the target controller's microprocessor is being clocked at 50MHz, this yields an instruction execution cycle time of 2.0x10 " 8 seconds.
  • the total execution time of function nnet () is computed to be 14,146 * 2.0xl0 "8 , or 2.83xl0 "4 seconds; about 284 microseconds. This time is within the 300 microseconds required to execute function codes 222 and 223. Based on this algorithm implementation, the backup controller can easily execute a neural network analysis on both the primary and its own data sets during a control logic execution scan.
  • the synchronous execution method of the present invention overcomes the limitations of the state checkpoint method. It should also be appreciated that while method of the present invention uses a neural network, the flexibility and simplicity of that network allows the method of the present invention to have increased functionality at virtually no additional cost in computational resources. It should further be appreciated that the method of the present invention offers quite accurate failure detection despite a large signal noise component and the tests described herein provide a good demonstration of the robustness of using neural networks to perform error detection.
  • the method of the present invention may provide valid failure detection operation during dynamic operating modes of the process such as operator setpoint changes. It should be further appreciated that the method of the present invention may allow the neural network to directly resolve failure situations by initiating corrective action.

Landscapes

  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Engineering & Computer Science (AREA)
  • Automation & Control Theory (AREA)
  • Feedback Control In General (AREA)

Abstract

Contrôleurs principaux et de secours pour système de commande de traitement numérique, qui fonctionnent en mode d'exécution synchrone, le contrôleur de secours comprenant un réseau neuronal. Etant donné que le contrôleur de secours reçoit ses entrées de traitement du contrôleur principal, pendant que le contrôleur principal lit les entrées de traitement et commande les sorties de commande, le contrôleur de secours est au repos. Ce temps de repos est utilisé par ledit contrôleur de secours pour l'exécution d'une analyse de réseau neuronal sur les entrées de traitement des contrôleurs principal et de secours. L'analyse du réseau neuronal permet l'identification d'un fonctionnement normal ou défaillant des contrôleurs principal et de secours.
PCT/US2000/009126 1999-04-09 2000-04-06 Redondance de controleur numerique par detection de defaillance sur reseau neuronal WO2000062135A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU42043/00A AU4204300A (en) 1999-04-09 2000-04-06 Digital controller redundancy using neural network fault detection

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US28939799A 1999-04-09 1999-04-09
US09/289,397 1999-04-09

Publications (1)

Publication Number Publication Date
WO2000062135A1 true WO2000062135A1 (fr) 2000-10-19

Family

ID=23111359

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2000/009126 WO2000062135A1 (fr) 1999-04-09 2000-04-06 Redondance de controleur numerique par detection de defaillance sur reseau neuronal

Country Status (2)

Country Link
AU (1) AU4204300A (fr)
WO (1) WO2000062135A1 (fr)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2434229A (en) * 2006-01-13 2007-07-18 Emerson Process Management Redundant controller synchronization for smooth failover during normal and mismatch conditions
ES2367503A1 (es) * 2009-03-24 2011-11-04 Sociedad Inversiones De Las Cinco Villas 2008, S.L. Sistema de gestión ambiental de explotaciones ganaderas, avícolas y similares.
WO2015169352A1 (fr) 2014-05-07 2015-11-12 Abb Technology Ltd Utilisation de contrôleurs flexibles dans un système de commande de processus
CN109070348A (zh) * 2016-04-24 2018-12-21 富兰卡爱米卡股份有限公司 用于控制机器人的系统和方法
CN111190062A (zh) * 2019-12-30 2020-05-22 清华大学深圳国际研究生院 一种基于神经网络的车辆电控系统安全性分析方法和装置
TWI719319B (zh) 2017-06-15 2021-02-21 美商慧盛材料美國責任有限公司 氣體供應系統
EP4245989A1 (fr) * 2022-03-18 2023-09-20 General Electric Company Dispositif de commande de secours basé sur l'apprentissage pour une éolienne

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5583769A (en) * 1990-09-21 1996-12-10 Kabushiki Kaisha Toshiba Automatic train operation apparatus incorporating security function with improved reliability
US5586220A (en) * 1991-09-09 1996-12-17 Gti Industrial Automation B.V. Safe system provided with neural circuit
US5640514A (en) * 1993-03-16 1997-06-17 Siemens Aktiengesellschaft Synchronization method for automation systems

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5583769A (en) * 1990-09-21 1996-12-10 Kabushiki Kaisha Toshiba Automatic train operation apparatus incorporating security function with improved reliability
US5586220A (en) * 1991-09-09 1996-12-17 Gti Industrial Automation B.V. Safe system provided with neural circuit
US5640514A (en) * 1993-03-16 1997-06-17 Siemens Aktiengesellschaft Synchronization method for automation systems

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
D.MCLEAN ET AL: "A SENSOR FAULT ACCOMODATION SYSTEM USING A NEURAL NETWORK", TRANSACTIONS OF THE INSTITUTE OF MEASUREMENT AND CONTROL, vol. 19, no. 3, 1997, UK, pages 166 - 168, XP000920968 *
R.KIM ET AL: "APPLICATIONS OF NEURAL NETWORKS AND FUZZY LOGIC IN FAILURE DETECTION AND FAULT TOLERANT CONTROL SYSTEM DSIGN", PROCEEDINGS OF THE ELEVENTH SHIP CONTROL SYSTEMS SYMPOSIUM, vol. 2, April 1997 (1997-04-01), UK, pages 189 - 208, XP000920962 *

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2434229A (en) * 2006-01-13 2007-07-18 Emerson Process Management Redundant controller synchronization for smooth failover during normal and mismatch conditions
CN101004587B (zh) * 2006-01-13 2010-11-03 艾默生过程管理电力和水力解决方案有限公司 用于正常和失配状况期间无缝切换的冗余控制器同步方法
GB2434229B (en) * 2006-01-13 2011-06-22 Emerson Process Management A method for redundant controller synchronization for bump-less failover during normal and mismatch conditions
US8359112B2 (en) 2006-01-13 2013-01-22 Emerson Process Management Power & Water Solutions, Inc. Method for redundant controller synchronization for bump-less failover during normal and program mismatch conditions
ES2367503A1 (es) * 2009-03-24 2011-11-04 Sociedad Inversiones De Las Cinco Villas 2008, S.L. Sistema de gestión ambiental de explotaciones ganaderas, avícolas y similares.
WO2015169352A1 (fr) 2014-05-07 2015-11-12 Abb Technology Ltd Utilisation de contrôleurs flexibles dans un système de commande de processus
CN109070348A (zh) * 2016-04-24 2018-12-21 富兰卡爱米卡股份有限公司 用于控制机器人的系统和方法
US11059175B2 (en) 2016-04-24 2021-07-13 Franka Emika Gmbh System and method for controlling a robot
CN109070348B (zh) * 2016-04-24 2022-04-26 富兰卡爱米卡股份有限公司 用于控制机器人的系统和方法
TWI719319B (zh) 2017-06-15 2021-02-21 美商慧盛材料美國責任有限公司 氣體供應系統
CN111190062A (zh) * 2019-12-30 2020-05-22 清华大学深圳国际研究生院 一种基于神经网络的车辆电控系统安全性分析方法和装置
EP4245989A1 (fr) * 2022-03-18 2023-09-20 General Electric Company Dispositif de commande de secours basé sur l'apprentissage pour une éolienne

Also Published As

Publication number Publication date
AU4204300A (en) 2000-11-14

Similar Documents

Publication Publication Date Title
Theilliol et al. Fault diagnosis and accommodation of a three-tank system based on analytical redundancy
Vemuri et al. Neural network based fault detection in robotic manipulators
Zhang et al. Issues on integration of fault diagnosis and reconfigurable control in active fault-tolerant control systems
Ferrell Failure recognition and fault tolerance of an autonomous robot
Nett et al. An integrated approach to controls and diagnostics: The 4-parameter controller
Mhaskar et al. Integrated fault‐detection and fault‐tolerant control of process systems
US7765427B2 (en) Monitoring system and methods for a distributed and recoverable digital control system
Maciejowski Modelling and predictive control: Enabling technologies for reconfiguration
US6729432B1 (en) Re-configurable control of steer-by-wire systems
Pierri et al. Observer-based sensor fault detection and isolation for chemical batch reactors
Eryurek et al. Fault-tolerant control and diagnostics for large-scale systems
Yang et al. Switching-based adaptive fault-tolerant control for uncertain nonlinear systems against actuator and sensor faults
Mahmoud et al. Model prediction-based approach to fault-tolerant control with applications
Visinsky et al. Layered dynamic fault detection and tolerance for robots
WO2000062135A1 (fr) Redondance de controleur numerique par detection de defaillance sur reseau neuronal
Al-Zyoud et al. Neural network-based actuator fault diagnosis for attitude control subsystem of an unmanned space vehicle
Witczak et al. Fault tolerant-control: Solutions and challenges
Al-Zyoud et al. Detection of actuator faults using a dynamic neural network for the attitude control subsystem of a satellite
KR19980043103A (ko) 자동제어시스템에서 현장제어장치의 콘트롤러 이중화 제어방법및 그 장치
Maciejowski Modelling and predictive control: Enabling technologies for reconfiguration
Paoli et al. A fault tolerant architecture for supervisory control of discrete event systems
Benetazzo et al. Fault-tolerant variable structure control of an overactuated dynamic positioning vessel after thruster failures
Ferrell Many sensors, one robot
Freed et al. Trusted autonomy for spaceflight systems
Navarro et al. Intelligent industrial control

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AL AM AT AU AZ BA BB BG BR BY CA CH CN CR CZ DE DK DM EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP