WO2011019979A2 - System and method for resilient control over wireless networks - Google Patents

System and method for resilient control over wireless networks Download PDF

Info

Publication number
WO2011019979A2
WO2011019979A2 PCT/US2010/045412 US2010045412W WO2011019979A2 WO 2011019979 A2 WO2011019979 A2 WO 2011019979A2 US 2010045412 W US2010045412 W US 2010045412W WO 2011019979 A2 WO2011019979 A2 WO 2011019979A2
Authority
WO
WIPO (PCT)
Prior art keywords
data
new
predicted
confidence
control
Prior art date
Application number
PCT/US2010/045412
Other languages
French (fr)
Other versions
WO2011019979A3 (en
Inventor
Kun Ji
Dong Wei
Original Assignee
Siemens Corporation
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Siemens Corporation filed Critical Siemens Corporation
Priority to EP10752216A priority Critical patent/EP2465013A2/en
Publication of WO2011019979A2 publication Critical patent/WO2011019979A2/en
Publication of WO2011019979A3 publication Critical patent/WO2011019979A3/en

Links

Classifications

    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B13/00Adaptive control systems, i.e. systems automatically adjusting themselves to have a performance which is optimum according to some preassigned criterion
    • G05B13/02Adaptive control systems, i.e. systems automatically adjusting themselves to have a performance which is optimum according to some preassigned criterion electric
    • G05B13/04Adaptive control systems, i.e. systems automatically adjusting themselves to have a performance which is optimum according to some preassigned criterion electric involving the use of models or simulators
    • G05B13/041Adaptive control systems, i.e. systems automatically adjusting themselves to have a performance which is optimum according to some preassigned criterion electric involving the use of models or simulators in which a variable is automatically adjusted to optimise the performance

Definitions

  • the invention relates generally to process control. More specifically, the invention relates to a module that employs intelligent model-prediction to provide resilient control for networked wireless closed-loop control.
  • the intelligent model-prediction maintains operational normalcy if a wireless control loop link is affected by Radio Frequency (RF) interferers and increases control loop tolerance to data packet loss and delay.
  • RF Radio Frequency
  • NCS Networked Control System
  • Wireless networks such as IEEE 802.11 are subject to RF interferers and signal blocking.
  • Data delays and data dropouts to a control device or from a process sensor are stochastic in nature and unknown in advance.
  • process sensor data received by a controller, or control data received by an actuator is disrupted which usually cause costly system shutdowns. These costly system shutdowns can be avoided if there is a solution to improve the resiliency of the control system against RF interferers.
  • Embodiments increase control loop tolerance to data packet loss and delay.
  • Embodiments provide control performance resiliency and in conjunction with wireless security enable next generation wireless solutions for industrial automation and control over wireless networks.
  • Each control system control loop employs a resilience module that comprises an adapted Kalman filter that performs Process Variable (PV) data prediction, a confidence engine that provides risk assessment and an alarm mechanism, a Control Variable (CV) packetizer that accumulates predicted CV data and a user configuration tool.
  • a CV buffer for control actuators operates in conjunction with the CV packetizer.
  • One aspect of the invention provides a method for resilient control of a process control loop if a control loop wireless link drops data. Aspects according to the method include for the process control loop, defining a process transfer function model, defining a sampling rate T , and defining a received sample timeout threshold T , and receiving
  • PV Process Variable
  • Another aspect of the invention is generating new
  • Another aspect of the invention is forwarding the packetized new CV M, . data and the predicted CV M, ⁇ ,---,M, ,,- data to an actuator over a wireless CV link, receiving the new CV Ur 1 and the predicted CV M, ⁇ ,---,W, ⁇ data packets at the actuator comprising buffering the new CV M, . and the predicted CV M, ,,-",M, ⁇ data packets, if new CV data is received within the timeout threshold T , executing the new CV Ur 1 data from the CV buffer, and if no new CV data is
  • Another aspect of the invention is deriving state space model parameters A,B,C,Q,R from the process transfer function model, defining a PV error tolerance a, defining a confidence tolerance b, calculating a threshold of consecutively missed samples N, and deriving a resilience index value loopRI for
  • FIG. 1 is an exemplary wireless closed-loop control loop .
  • FIG. 2 is an exemplary wireless closed-loop control loop including a resilience module.
  • FIG. 3 is an exemplary plot of error covariance versus link failure.
  • FIG. 4 is an exemplary estimated error covariance table.
  • FIG. 5 is an exemplary plot comparing PV with time showing three link failures.
  • FIG. 6 is an exemplary plot comparing control performance with time showing a link incidence time.
  • FIG. 7 is an exemplary plot comparing control performance with time showing resilience.
  • FIG. 8 is an exemplary user configuration tool screen view .
  • FIG. 9 is an exemplary PV and CV wireless link resilience method.
  • FIG. 10 is an exemplary control loop resilience index method.
  • components in the method and system may be
  • Embodiments of the invention provide methods, system frameworks, and a computer-usable medium storing
  • the invention may be deployed as software as an application program tangibly embodied on a program storage device.
  • the application code for execution can reside on a plurality of different types of computer readable media known to those skilled in the art.
  • FIG. 1 shows a closed-loop control loop 101 comprising a process sensor 103 outputting Process Variable (PV) z, data representing the process state space X, , a controller 105 configured to receive the PV z, data and output Control Variable (CV) M, data, a process actuator 107 that receives the CV M, data and controls the process X, 106 and a Human
  • PV Process Variable
  • CV Control Variable
  • HMI Machine Interface
  • Ukr data link 111 from the controller 105 and the PV Zk, data link 113 to the controller 105 are over unguided (wireless) media which may experience RF interferers .
  • FIG. 2 shows an embodiment that employs a wireless link resilience module 201 that uses model-prediction to provide resilient process control for control loops using wireless links.
  • the resilience module 201 may be implemented as a function block for use in a DCS, an NCS, a Programmable Logic Controller
  • the resilience module 201 comprises an adapted Kalman filter 203 that receives PV z, data over a wireless PV link
  • the adapted Kalman filter 203 is coupled to a confidence engine 205 that provides risk assessment and outputs an alarm to the HMI 109 if a confidence level of the PV z, data is below a predetermined threshold caused by a link 111, 113, or actuator 107, or process sensor 103 failure.
  • the confidence engine 205 is coupled to a user configuration tool Graphic User Interface (GUI) 207 used to configure the resilience module 201
  • a wired or wireless computing device (not shown) and to a CV packetizer 209 that assembles multiple CV data into the payload of one or more network data packets and forwards the packets to a CV buffer 211 resident at the actuator 107 over a wireless CV link 111.
  • the resilience module 201 enables resilient control against wireless control loop link failure incidences due to RF interferers .
  • the confidence engine 205 alarm functions as a quality gauge and provides risk assessment by constantly monitoring data confidence level and alarms when data
  • the confidence engine 205 determines the risk of extrapolating from missing sensor data due to a CV 111 or PV 113 link failure and takes specific actions when the risk becomes excessive. Embodiments quantify "resiliency" which is used to evaluate the performance of a control loop. [0035] The process 106 is described by the state space model
  • A is a time instance in the discrete-time domain
  • X- is the PV data state vector in discrete-time having a dimension of Yl
  • U j ELR is the CV data output vector in discrete-time having a dimension of TH
  • Z is the PV data.
  • A, B and C are state space parameters which can be derived from the transfer function model of the process.
  • the variables W j and V represent random process and measurement noise, respectively.
  • W, and V are independent of each other, are white noise and exhibit the following Normal Probability Distributions
  • JV( ) denotes a normal probability distribution.
  • the resilience module 201 performs five functions: 1) PV Zr data filtering 203, 2) PV Z, data and CV U, data prediction 203, 3) risk assessment with alarm 205, 4)
  • resilience module 201 parameter configuration 207 and 5) multi-steps ahead CV M,,M, ., ••• ,W, ⁇ - data packetizing 209.
  • the adapted Kalman filter 203 produces estimates from a set of mathematical equations that implement a
  • the prediction-correction estimator which minimizes estimated error covariance and generates an optimal estimate of the desired system states (step 901).
  • the new state estimate lies in between the predicted and measured state and has a better estimated uncertainty than either alone.
  • the filter process is repeated (cycled) every time step with the new estimate and its covariance informing the prediction used in the following iteration.
  • the adapted Kalman filter 203 works recursively and requires only the last best prediction and not the previous history of the system state to calculate a new state.
  • K 1 P kr+l [CP k-+V c ⁇ + R)- 1
  • (7) -(10) are standard Kalman filter equations that are used if data is always available (step 917) . To deal with the scenarios of missing data, embodiments adapt the Kalman filter 203.
  • the adapted Kalman filter 203 does not include the correction step for the prediction if there is no sensor measurement available.
  • a time-out scheme is used to guarantee the timely flow of PV data.
  • the resilience module 201 sends the filtered PV
  • N is the number of the consecutively missing PV Zr data measurements (step 913).
  • (11) -(16) represent the adapted Kalman filter 203 to deal with the scenarios of missing PV data measurements. The error covariance will add up when the predicted sensor data are kept being used instead of the real measurements.
  • FIG. 3 shows a plot of the relationship between estimated error covariance P, and the discrete-time instance k during a PV link 113 failure.
  • the confidence index of the predicted PV z, data measurements will become lower and lower because of extrapolating from missing sensor data.
  • confidence engine 205 provides risk assessment and an alarm and takes specific actions when the risk becomes excessive (step 915) .
  • the CV packetizer 209 packs the new CV M, , data and the predicted multi-steps ahead CV ⁇ , , ⁇ ,'",U, ⁇ - data calculated based on the predicted PV z, ⁇ ,...z, , ⁇ data together into the payload of one network data packet and forwards it to a CV buffer 211 resident at the actuator 107 (steps 923, 925) .
  • the multi-step ahead prediction of PV data is provided by the adapted Kalman filter 203 to the controller 105, and then the controller 105 will generate multi-step ahead prediction of CV data and provide it to the CV data packetizer 209.
  • controller 105 usually can perform multiple CV data generation within one cycle as long as it has enough computing power (step 921) .
  • the number of CV data that needs to be packetized depends on the number of consecutively missing PV data
  • the CV buffer 211 operates in conjunction with the CV packetizer 209 to manage scenarios of CV link 111 interferers .
  • the same time-out scheme with the same timeout period T, as v used in the adapted Kalman filter 203 is used in the CV buffer 211 to guarantee that the actuator 107 always has a CV to execute. If a new network data packet which includes new CV Ur 1 data and predicted CV data arrives within the timeout period, the new CV w, , data is executed by the actuator 107 and the CV buffer 211 is updated with the newly arrived predicted CV M, ⁇ ,...,W, ⁇ data which were packetized in the same packet with the CV w, -. data.
  • the predicted CV U, , data in the CV buffer 211 that arrived together with previous CV w, data in a previous cycle is executed by the actuator 107 (steps 927, 929, 931) .
  • the control loop is resilient against scenarios of missing data consecutively up to N CV data packets.
  • FIG. 4 shows a table of the error covariance of predicted state *£ + p-,*£ +j y and pv *k+V'"'*k+N data measurements.
  • N is the number of consecutively missed sensor measurements .
  • the confidence engine 205 calculates a confidence level C j of predicted PV z, data, i.e., the quality of the prediction.
  • the predicted PV z, data confidence level C j is considered according to the control system Quality of Control (QoC) .
  • QoC Quality of Control
  • the confidence level C j of the predicted PV z, data is defined to relate to control system performance.
  • confidence engine 205 calculates and provides the confidence level C j to a run-time operation view displayed by the HMI
  • the confidence level C j of the predicted sensor data is in terms of what control performance can be expected if this predicted sensor data is used.
  • the confidence level C j of the predicted PV z, data is defined as the probability that the difference between PV and SP in terms of percentage is less than a certain PV error tolerance value a . This is described as
  • Pro.( ). represents the probability of ⁇ a .
  • PV error tolerance a is a QoC parameter which is defined in the process control specification as a control performance requirement.
  • b e.g. 95%
  • QoC threshold another QoC parameter
  • Poor QoC i.e., the data confidence level C j or control performance (defined in (17)) becoming lower than the
  • FIG. 5 shows the resilience module 201 responding to three different failure scenarios over time. Two short time PV link failures #1, #2 and one long time PV link failure #3. If there is no link failure, the PV is close to the SP (minimal error) . When a short time PV link failure occurs, i.e., the number of consecutively missing sensor measurements is less than N with the resilience module 201, the process
  • configuration GUI 206 provides a user interface to configure the threshold value N based on the user defined QoC parameters confidence tolerance, i.e., QoC threshold b (18) and PV error tolerance a (17) .
  • a loose confidence tolerance b (low QoC requirement) will result in a large N and a tight confidence tolerance b (high QoC requirement) will result in a small N .
  • the unit of N is not time but an integer multiple of the sampling time.
  • the confidence engine 205 is used to find the smallest value of N such that the confidence of prediction becomes lower than the threshold (defined in (19)) .
  • SP is the process setpoint
  • a and b are the QoC parameters defined above
  • C is defined in (2) as the process model parameter
  • P[N) is the accumulated state prediction error covariance (21) as shown in FIG. 4,
  • P(N) C[A N ⁇ 1 P(A T ) N ⁇ 1 +A N ⁇ 2 Q(A T ) N ⁇ 2 +...+ AQA T +Q]C T +R .
  • (16) -(21) are the mathematic background of the confidence engine 205.
  • FIG. 8 shows a computing device (not shown) screen view of the configuration GUI 207 and FIG. 10 shows the method.
  • the confidence engine 205 derives the state space model parameters A 1 B 1 C 1 Q and R of the process 106 in (I)- (4) from the classic transfer function model of the process with Q and R provided (step 1007) and calculates the smallest value of N 805 as the threshold for the PV link 113 alarm setting (step 1013) .
  • Embodiments define a Resilient Index (RI) to indicate how resilient a closed-loop control loop is against undesired incidence, and quantifies resiliency in terms of control performance.
  • RI Resilient Index
  • AQoC is the acceptable QoC loss during the incidence, i.e. the tightness of the QoC
  • FIG. 6 shows a plot comparing control system
  • AQoC is defined as the gap between
  • a control loop has a higher resiliency than others if it can tolerate an incidence of long duration or deliver better QoC during the incidence.
  • the RI is applied to the resilience module 201 and define loopRI as
  • N , a and b are defined in (21), (17) and (18), and T is the sampling period of the control system in terms of seconds (step 1015) .
  • FIG. 7 shows a plot comparing control loop performance versus discrete-time instance kT .
  • Control performance is defined in (17) and QoC in (18), and are used to evaluate control loop resiliency (step 1017).
  • Embodiments make a closed-loop control loop resilient by incorporating a Kalman filter, and statistics and
  • the module 201 improves closed-loop control loop resiliency of control systems that use wireless control loop links.
  • the confidence engine 205 provides risk assessment and an alarm that determine the risk of

Abstract

Systems and methods are described that use intelligent model prediction for resilient control of a process control loop if a control loop wireless link is affected by RF interferers and increases control loop tolerance to data packet loss and delay.

Description

SYSTEM AND METHOD FOR RESILIENT CONTROL OVER WIRELESS NETWORKS
CROSS REFERENCE TO RELATED APPLICATIONS
[0001] This application claims the benefit of U.S. Provisional Application No. 61/233,596, filed on August 13, 2009, the disclosure which is incorporated herein by reference in its entirety.
BACKGROUND OF THE INVENTION
[0002] The invention relates generally to process control. More specifically, the invention relates to a module that employs intelligent model-prediction to provide resilient control for networked wireless closed-loop control. The intelligent model-prediction maintains operational normalcy if a wireless control loop link is affected by Radio Frequency (RF) interferers and increases control loop tolerance to data packet loss and delay.
[0003] There has been a growing interest in adopting wireless sensors for industrial control and automation. For example, in Distributed Control Systems (DCSs) where wired links between a process sensor and a process controller, and the process controller and a process control actuator are replaced with wireless links. However, wireless networks present many challenges for closing the control loop.
[0004] Closed-loop control requires a continuous flow of reliable data from a process sensor to a controller and is represented mathematically using a transfer function. Wireless networks are subject to interferers and cannot guarantee the timely flow of data. Disruption experienced in feedback data and control date affects control performance and causes system instability. [0005] Today's Networked Control System (NCS) is a DCS whose components (process sensors, controllers, process actuators, etc.) are distributed using digital network technology. The NCS is a control system where control loops are closed through a real-time distributed control system. Process signals
(process variables) from transmitters, sensors, etc., and control signals (control variables) to actuators, valves, etc., are exchanged among the components as information packages through a network.
[0006] The challenge for wireless closed-loop control is due to the nature of NCS and wireless networks themselves.
Wireless networks such as IEEE 802.11 are subject to RF interferers and signal blocking. Data delays and data dropouts to a control device or from a process sensor are stochastic in nature and unknown in advance. During temporary link failure incidences, process sensor data received by a controller, or control data received by an actuator is disrupted which usually cause costly system shutdowns. These costly system shutdowns can be avoided if there is a solution to improve the resiliency of the control system against RF interferers.
[0007] Solutions for wireless links in industrial automation and control focus on developing wireless communication
protocols that are robust to RF interferers. Some approaches include frequency hopping, channel hopping, etc. However, no solution provides overall resilient control against RF
interferers from the control system perspective. While some wireless protocols may improve data throughput, they introduce time delay for searching and using alternative frequency bands or channels . [0008] What is needed is a method and system that provides operation normalcy when a wireless control loop experiences a temporary link failure.
SUMMARY OF THE INVENTION
[0009] The inventors have discovered that it would be
desirable to have systems and methods that use intelligent model-prediction for resilient control of a process control loop if a control loop wireless link is affected by temporary RF interferers . Embodiments increase control loop tolerance to data packet loss and delay.
[0010] Embodiments provide control performance resiliency and in conjunction with wireless security enable next generation wireless solutions for industrial automation and control over wireless networks. Each control system control loop employs a resilience module that comprises an adapted Kalman filter that performs Process Variable (PV) data prediction, a confidence engine that provides risk assessment and an alarm mechanism, a Control Variable (CV) packetizer that accumulates predicted CV data and a user configuration tool. A CV buffer for control actuators operates in conjunction with the CV packetizer.
[0011] One aspect of the invention provides a method for resilient control of a process control loop if a control loop wireless link drops data. Aspects according to the method include for the process control loop, defining a process transfer function model, defining a sampling rate T , and defining a received sample timeout threshold T , and receiving
Process Variable (PV) z, data over a wireless PV link,
/C~rl
inputting the PV z, data into an adapted Kalman filter
/C~rl
comprising in a current cycle, estimating the process state space X, . , generating predicted PV z, . data from the estimated process state space •£? i data, if new PV z, , data is received within the timeout threshold T , outputting the new PV z, . data to a controller, and if no new PV z, . data is k+l k+l received within the timeout threshold T , outputting predicted PV z, . data to the controller.
[0012] Another aspect of the invention is generating new
Control Variable (CV) U1 Λ data from the new PV z, , data,
K+L K+L
generating predicted CV M, ~,---,w, ,^ data from the predicted PV Zr . data, and packetizing the new CV M, , data and the predicted CV M, ,,-",M, ^ data from the controller.
[0013] Another aspect of the invention is forwarding the packetized new CV M, . data and the predicted CV M, ^,---,M, ,,- data to an actuator over a wireless CV link, receiving the new CV Ur 1 and the predicted CV M, ~,---,W, ^ data packets at the actuator comprising buffering the new CV M, . and the predicted CV M, ,,-",M, ^ data packets, if new CV data is received within the timeout threshold T , executing the new CV Ur 1 data from the CV buffer, and if no new CV data is
received within the timeout threshold T , executing the predicted CV U, .,"-,M, ^ data from the CV buffer. [0014] Another aspect of the invention is deriving state space model parameters A,B,C,Q,R from the process transfer function model, defining a PV error tolerance a, defining a confidence tolerance b, calculating a threshold of consecutively missed samples N, and deriving a resilience index value loopRI for
NT
the control loop using loopRI '. =
a(l -b) '
[0015] The details of one or more embodiments of the invention are set forth in the accompanying drawings and the description below. Other features, objects, and advantages of the
invention will be apparent from the description and drawings, and from the claims.
BRIEF DESCRIPTION OF THE DRAWINGS
[0016] FIG. 1 is an exemplary wireless closed-loop control loop .
[0017] FIG. 2 is an exemplary wireless closed-loop control loop including a resilience module.
[0018] FIG. 3 is an exemplary plot of error covariance versus link failure.
[0019] FIG. 4 is an exemplary estimated error covariance table.
[0020] FIG. 5 is an exemplary plot comparing PV with time showing three link failures. [0021] FIG. 6 is an exemplary plot comparing control performance with time showing a link incidence time.
[0022] FIG. 7 is an exemplary plot comparing control performance with time showing resilience.
[0023] FIG. 8 is an exemplary user configuration tool screen view .
[0024] FIG. 9 is an exemplary PV and CV wireless link resilience method.
[0025] FIG. 10 is an exemplary control loop resilience index method.
DETAILED DESCRIPTION
[0026] Embodiments of the invention will be described with reference to the accompanying drawing figures wherein like numbers represent like elements throughout. Before embodiments of the invention are explained in detail, it is to be
understood that the invention is not limited in its
application to the details of the examples set forth in the following description or illustrated in the figures. The invention is capable of other embodiments and of being
practiced or carried out in a variety of applications and in various ways. Also, it is to be understood that the
phraseology and terminology used herein is for the purpose of description and should not be regarded as limiting. The use of "including, " "comprising, " or "having, " and variations thereof herein is meant to encompass the items listed thereafter and equivalents thereof as well as additional items.
[0027] The terms "connected" and "coupled" are used broadly and encompass both direct and indirect connecting, and
coupling. Further, "connected" and "coupled" are not
restricted to physical or mechanical connections or couplings.
[0028] It should be noted that the invention is not limited to any particular software language described or that is implied in the figures. One of ordinary skill in the art will
understand that a variety of software languages may be used for implementation of the invention. It should also be
understood that some of the components and items are
illustrated and described as if they were hardware elements, as is common practice within the art. However, one of ordinary skill in the art, and based on a reading of this detailed description, would understand that, in at least one
embodiment, components in the method and system may be
implemented in software or hardware. [0029] Embodiments of the invention provide methods, system frameworks, and a computer-usable medium storing
computer-readable instructions that use model-prediction to maintain process control operation if a control loop wireless link is affected by RF interferers . The invention may be deployed as software as an application program tangibly embodied on a program storage device. The application code for execution can reside on a plurality of different types of computer readable media known to those skilled in the art.
[0030] FIG. 1 shows a closed-loop control loop 101 comprising a process sensor 103 outputting Process Variable (PV) z, data representing the process state space X, , a controller 105 configured to receive the PV z, data and output Control Variable (CV) M, data, a process actuator 107 that receives the CV M, data and controls the process X, 106 and a Human
Machine Interface (HMI) 109 configured to display process conditions and allow access to control loop parameters. The CV
Ukr data link 111 from the controller 105 and the PV Zk, data link 113 to the controller 105 are over unguided (wireless) media which may experience RF interferers .
[0031] To address CV 111 and PV 113 link interference, FIG. 2 shows an embodiment that employs a wireless link resilience module 201 that uses model-prediction to provide resilient process control for control loops using wireless links. The resilience module 201 may be implemented as a function block for use in a DCS, an NCS, a Programmable Logic Controller
(PLC), and a Programmable Automation Controller (PAC) or may be implemented as a programmable stand alone control system device. FIG. 9 shows the method. [0032] The resilience module 201 comprises an adapted Kalman filter 203 that receives PV z, data over a wireless PV link
113 and performs filtering and prediction. The adapted Kalman filter 203 is coupled to a confidence engine 205 that provides risk assessment and outputs an alarm to the HMI 109 if a confidence level of the PV z, data is below a predetermined threshold caused by a link 111, 113, or actuator 107, or process sensor 103 failure. The confidence engine 205 is coupled to a user configuration tool Graphic User Interface (GUI) 207 used to configure the resilience module 201
configurable parameters using a wired or wireless computing device (not shown) and to a CV packetizer 209 that assembles multiple CV data into the payload of one or more network data packets and forwards the packets to a CV buffer 211 resident at the actuator 107 over a wireless CV link 111.
[0033] The resilience module 201 enables resilient control against wireless control loop link failure incidences due to RF interferers . The confidence engine 205 alarm functions as a quality gauge and provides risk assessment by constantly monitoring data confidence level and alarms when data
uncertainty becomes a risk.
[0034] To deal with scenarios of consecutively missing sensor PV z, data or actuator CV M, data, the adapted Kalman filter
203 performs state and measurement data filtering and
prediction. The confidence engine 205 determines the risk of extrapolating from missing sensor data due to a CV 111 or PV 113 link failure and takes specific actions when the risk becomes excessive. Embodiments quantify "resiliency" which is used to evaluate the performance of a control loop. [0035] The process 106 is described by the state space model
Figure imgf000012_0001
( D
Figure imgf000012_0002
( 2 )
[0038] where A: is a time instance in the discrete-time domain, X-, e.R is the PV data state vector in discrete-time having a dimension of Yl, Uj ELR is the CV data output vector in discrete-time having a dimension of TH and Z, is the PV data. A, B and C are state space parameters which can be derived from the transfer function model of the process. The variables Wj and V, represent random process and measurement noise, respectively. W, and V, are independent of each other, are white noise and exhibit the following Normal Probability Distributions
[0039] P(W) ~ JV(0,0, and
(3)
[0040] P(v)~N(0,R)
(4)
[0041] where JV( ) denotes a normal probability distribution. [0042] The resilience module 201 performs five functions: 1) PV Zr data filtering 203, 2) PV Z, data and CV U, data prediction 203, 3) risk assessment with alarm 205, 4)
resilience module 201 parameter configuration 207 and 5) multi-steps ahead CV M,,M, .,•••,W, ^- data packetizing 209.
[0043] The adapted Kalman filter 203 produces estimates from a set of mathematical equations that implement a
prediction-correction estimator which minimizes estimated error covariance and generates an optimal estimate of the desired system states (step 901). The new state estimate lies in between the predicted and measured state and has a better estimated uncertainty than either alone. The filter process is repeated (cycled) every time step with the new estimate and its covariance informing the prediction used in the following iteration. The adapted Kalman filter 203 works recursively and requires only the last best prediction and not the previous history of the system state to calculate a new state.
Predicted state space and error covariance for (1) and (2) are
[0044] X1 Λ =AXj +Bu1 , and
/C+l K K
(5)
[0045] Pk+l = APkAT + Q
(6)
[0046] where -^,I is the state prediction and P, , is the state error covariance before correction. [0047] When the process sensor 103 outputs new PV Z, , data, based on the standard Kalman filter theory, the above state prediction and error covariance are updated as
[0048] K1 =P kr+l [CP k-+V cτ + R)-1
(7:
Figure imgf000014_0001
'
(S)
[0050] P k^+l= {i -K1C)P k:+l' and
o:
[0051] P1 = P ■
kk→∞ mm
(io:
[0052] (7) -(10) are standard Kalman filter equations that are used if data is always available (step 917) . To deal with the scenarios of missing data, embodiments adapt the Kalman filter 203.
[0053] If PV z, , data is missing due to a wireless link failure, the predicted sensor data in the adapted Kalman filter 203 is
[0054]
k+l k+l k+l k k [0055] = CAx~ + CAK1 Az1 - Cx~) + CBu 1 , and
( 11 )
[0056] the predicted state without correction i s
[0057 ] %+l = %+l
( 12 )
[0058] The adapted Kalman filter 203 does not include the correction step for the prediction if there is no sensor measurement available.
[0059] A time-out scheme is used to guarantee the timely flow of PV data. The resilience module 201 sends the filtered PV
Cxk1+Λl data 203 to the controller 105 to generate CV Uk1+Λl data if new PV Z1 . data is available (steps 903, 905) . If no new
PV Zk1+Λl data is available within the timeout threshold Tt. which may be set at the sampling period T , i.e. T=T, the resilience module 201 provides predicted PV Z1 . (11) data to the controller 105 together with an updated confidence level Cj calculated by the confidence engine 205 to indicate prediction accuracy, e.g. 98% (steps 903, 907).
[0060] If new PV Z1 . data arrived after the timeout threshold T , but before the end of the next sampling period, it will still be used to update or correct the current prediction as follows (steps 909, 911) [0061] Kk
Figure imgf000016_0001
(13)
Figure imgf000016_0002
(14)
Figure imgf000016_0003
(15)
[0064] If N consecutive PV Z1 1v..,z, ΛT data measurements are
K+L K + 1\
missing due to a PV link 113 failure, the predicted PV
Zr .,..., Zr j. j data measurements are
[0065] zk + l=CAxk+CBuk
[0066] =CAx7 + CAK} Az1 -Cx7) + CBu}
k K-I K κJ K
[0067] z ^=CAx1 M +CBu1 M
κ+2 k+l k+l
[0068] =CA2x~+CA2Kk_l(zk-Cx~) + CABuk+CBuk+l
[0069]
[0070] Z
Figure imgf000016_0004
(16) [0071] where N is the number of the consecutively missing PV Zr data measurements (step 913). (11) -(16) represent the adapted Kalman filter 203 to deal with the scenarios of missing PV data measurements. The error covariance will add up when the predicted sensor data are kept being used instead of the real measurements.
[0072] FIG. 3 shows a plot of the relationship between estimated error covariance P, and the discrete-time instance k during a PV link 113 failure. The confidence index of the predicted PV z, data measurements will become lower and lower because of extrapolating from missing sensor data. The
confidence engine 205 provides risk assessment and an alarm and takes specific actions when the risk becomes excessive (step 915) .
[0073] By way of background, most industrial process control is regulator control, i.e., the PV should track a control loop setpoint (SP) regardless of process perturbations and within a predetermined settling time T . The SP derives an error signal from the PV and a control algorithm in a controller produces a CV (step 919) .
[0074] The CV packetizer 209 packs the new CV M, , data and the predicted multi-steps ahead CV ύ, ,^,'",U, ^- data calculated based on the predicted PV z, ~,...z, ,^ data together into the payload of one network data packet and forwards it to a CV buffer 211 resident at the actuator 107 (steps 923, 925) . The multi-step ahead prediction of PV data is provided by the adapted Kalman filter 203 to the controller 105, and then the controller 105 will generate multi-step ahead prediction of CV data and provide it to the CV data packetizer 209. The
controller 105 usually can perform multiple CV data generation within one cycle as long as it has enough computing power (step 921) . The number of CV data that needs to be packetized depends on the number of consecutively missing PV data
measurements N .
[0075] The CV buffer 211 operates in conjunction with the CV packetizer 209 to manage scenarios of CV link 111 interferers . The same time-out scheme with the same timeout period T, as v used in the adapted Kalman filter 203 is used in the CV buffer 211 to guarantee that the actuator 107 always has a CV to execute. If a new network data packet which includes new CV Ur 1 data and predicted CV data arrives within the timeout period, the new CV w, , data is executed by the actuator 107 and the CV buffer 211 is updated with the newly arrived predicted CV M, ~,...,W, ^ data which were packetized in the same packet with the CV w, -. data. Otherwise, the predicted CV U, , data in the CV buffer 211 that arrived together with previous CV w, data in a previous cycle is executed by the actuator 107 (steps 927, 929, 931) . With the predicted CV data, the control loop is resilient against scenarios of missing data consecutively up to N CV data packets.
[0076] For (16), FIG. 4 shows a table of the error covariance of predicted state *£+p-,*£+jy and pv *k+V'"'*k+N data measurements. N is the number of consecutively missed sensor measurements . [0077] The confidence engine 205 calculates a confidence level Cj of predicted PV z, data, i.e., the quality of the prediction. The predicted PV z, data confidence level Cj is considered according to the control system Quality of Control (QoC) . The confidence level Cj of the predicted PV z, data is defined to relate to control system performance. The
confidence engine 205 calculates and provides the confidence level Cj to a run-time operation view displayed by the HMI
109 if predicted sensor data is provided to the controller 105 (steps 903, 907) . The confidence level Cj of the predicted sensor data is in terms of what control performance can be expected if this predicted sensor data is used.
[0078] The confidence level Cj of the predicted PV z, data is defined as the probability that the difference between PV and SP in terms of percentage is less than a certain PV error tolerance value a . This is described as
SP-PV
[0079] CL = {Confidence Level} = {Control Performance} : = {Pro. ( < a) } . ( 1
SP
7 )
SP - PV
[0080] Pro.( ). represents the probability of < a . The
oP
PV error tolerance a, e.g. 5%, is a QoC parameter which is defined in the process control specification as a control performance requirement.
[0081] That the data confidence level Cj being higher than a minimum requirement is defined as the quality of control (QoC) SP-PV
[0082] {QoC} := {Confidence Level > b} = {Pro. ( < a)≥b}
SP
( i s :
[0083] where b, e.g. 95%, is another QoC parameter (QoC threshold) and is a user defined confidence tolerance value. Poor QoC, i.e., the data confidence level Cj or control performance (defined in (17)) becoming lower than the
threshold can be defined as
[0084] {Confidence Level <b} = {Pro. ( SP-PV <a)< b)
SP
[0085] = {Pro. ( SP-PV >a)≥\-b)
SP
:i9)
[0086] FIG. 5 shows the resilience module 201 responding to three different failure scenarios over time. Two short time PV link failures #1, #2 and one long time PV link failure #3. If there is no link failure, the PV is close to the SP (minimal error) . When a short time PV link failure occurs, i.e., the number of consecutively missing sensor measurements is less than N with the resilience module 201, the process
performance is acceptable, without the resilience module 201, the process may become unstable. When a long time link failure occurs, i.e., the number of consecutively missing sensor measurements is larger than N , an alarm is triggered if the module 201 detects that the link failure time has past the threshold value NT which is calculated by the confidence engine 205 as N times the sampling period T . The
configuration GUI 206 provides a user interface to configure the threshold value N based on the user defined QoC parameters confidence tolerance, i.e., QoC threshold b (18) and PV error tolerance a (17) .
[0087] A loose confidence tolerance b (low QoC requirement) will result in a large N and a tight confidence tolerance b (high QoC requirement) will result in a small N . The unit of N is not time but an integer multiple of the sampling time.
[0088] The confidence engine 205 is used to find the smallest value of N such that the confidence of prediction becomes lower than the threshold (defined in (19)) .
[0089] Based on statistics and probability theory, (19) can be mathematically expressed as
Figure imgf000021_0001
(2 o :
[0091] where SP is the process setpoint, a and b are the QoC parameters defined above, C is defined in (2) as the process model parameter, and P[N) is the accumulated state prediction error covariance (21) as shown in FIG. 4,
[0092] P(N) = C[AN~1P(AT)N~1 +AN~2Q(AT)N~2 +...+ AQAT +Q]CT +R .
(21) [0093] Solving (20) arrives at the value of N , which is used by the confidence engine 205 to set the PV link 113 alarm.
(16) -(21) are the mathematic background of the confidence engine 205.
[0094] FIG. 8 shows a computing device (not shown) screen view of the configuration GUI 207 and FIG. 10 shows the method. The configuration GUI 207 is an interface for a user to configure the process model (step 1001), the sampling rate T 807 (step 1003) , the received sample timeout threshold used in the adapted Kalman filter 203 and in the CV buffer 211 T1=T (step 1005), the sampling QoC requirements including PV error tolerance a 801 (step 1009) and confidence tolerance b 803
(step 1011) .
[0095] The confidence engine 205 derives the state space model parameters A1 B1 C1 Q and R of the process 106 in (I)- (4) from the classic transfer function model of the process with Q and R provided (step 1007) and calculates the smallest value of N 805 as the threshold for the PV link 113 alarm setting (step 1013) .
[0096] Embodiments define a Resilient Index (RI) to indicate how resilient a closed-loop control loop is against undesired incidence, and quantifies resiliency in terms of control performance. The RI of a control loop is defined as
Figure imgf000022_0001
( 22 ) [0098] where T. . , (OoC) is the maximum incidence time
incidence^ '
during which the control loop maintains operational normalcy, i.e., meets QoC requirements. AQoC is the acceptable QoC loss during the incidence, i.e. the tightness of the QoC
requirement .
[0099] FIG. 6 shows a plot comparing control system
performance versus time t . AQoC is defined as the gap between
100% performance and acceptable performance, i.e., the
tolerance. A control loop has a higher resiliency than others if it can tolerate an incidence of long duration or deliver better QoC during the incidence. The RI is applied to the resilience module 201 and define loopRI as
NT
[00100] loopRI : =
a{\-b)'
(23)
[00101] where N , a and b are defined in (21), (17) and (18), and T is the sampling period of the control system in terms of seconds (step 1015) . FIG. 7 shows a plot comparing control loop performance versus discrete-time instance kT . Control performance is defined in (17) and QoC in (18), and are used to evaluate control loop resiliency (step 1017).
[00102] From (23) and FIG. 7, the greater the number of samples N , the higher the control loop resiliency will be which means the control loop can tolerate a longer control loop link failure without instability. For the same N , smaller a or bigger b indicates a higher resiliency which means that better control performance can be expected compared to systems with lower resiliency in the presence of a control loop link failure .
[00103] Embodiments make a closed-loop control loop resilient by incorporating a Kalman filter, and statistics and
probability method. The module 201 improves closed-loop control loop resiliency of control systems that use wireless control loop links. The confidence engine 205 provides risk assessment and an alarm that determine the risk of
extrapolating from missing sensor data due to a link failure and alarms when the risk becomes great.
[00104] One or more embodiments of the present invention have been described. Nevertheless, it will be understood that various modifications may be made without departing from the spirit and scope of the invention. Accordingly, other embodiments are within the scope of the following claims.

Claims

CLAIMS What is claimed is:
1. A method for resilient control of a process control loop if a control loop wireless link drops data comprising:
for the process control loop:
defining a process transfer function model; defining a sampling rate T; and
defining a received sample timeout threshold T ; and receiving Process Variable (PV) z data over a wireless
K+L
PV link;
inputting the PV z, data into an adapted Kalman filter
K+L
comprising :
in a current cycle, estimating the process state space X, , generating predicted PV Z1 , data from the estimated k+l
process state space X, , data;
if new PV z, -, data is received within the timeout k+l
threshold T , outputting the new PV Z1 , data to a controller; and
if no new PV z, - data is received within the
k+l
timeout threshold T , outputting predicted PV Z, , data to the controller .
2. The method according to claim 1 wherein the received sample timeout threshold T equals the sampling rate T .
3. The method according to claim 1 further comprising:
generating new Control Variable (CV) M, . data from the new PV Zj data;
K+L generating predicted CV M, .,"-,U, ^ data from the predicted PV z, . data; and packetizing the new CV M, , data and the predicted CV M, ~,---,W, yy- data from the controller.
4. The method according to claim 3 further comprising:
forwarding the packetized new CV M, , data and the predicted CV w, ~,---,W, ^ data to an actuator over a wireless
CV link;
receiving the new CV M, . and the predicted CV
M, ry,'",ύi -LJ data packets at the actuator comprising: buffering the new CV M, . and the predicted CV
™k+2''"'^k+N data Packets;
if new CV data is received within the timeout threshold T , executing the new CV M, . data from the CV buffer; and
if no new CV data is received within the timeout threshold T , executing the predicted CV M, ^,---,M, ^ data from the CV buffer.
5. The method according to claim 1 further comprising:
deriving state space model parameters A,B,C,Q,R from the process transfer function model;
defining a PV error tolerance a ;
defining a confidence tolerance b ;
calculating a threshold of consecutively missed samples N ; and deriving a resilience index value loopRI for the control loop using loopRI\ = NT
a{\-b)
6. The method according to claim 5 further comprising if the number of consecutive N PV z, -,,...,Z7 Λr data samples have not k+V k+N
been received, generating an alarm indicating a PV link problem.
7. The method according to claim 5 further comprising
calculating a confidence level Cj of predicted PV z, . data indicating the quality of the prediction.
8. The method according to claim 7 wherein the confidence level Cj of the predicted PV z, . data is the probability that the difference between PV z, , data and the controller k+\
setpoint (SP) , in terms of percentage, is less than or equal to the PV error tolerance value a .
9. The method according to claim 8 further comprising deriving a Quality of Control (QoC) wherein the confidence level Cj is greater than or equal to the confidence tolerance b .
10. The method according to claim 8 further comprising
deriving a Quality of Control (QoC) wherein the confidence level Cj is less than the confidence tolerance b .
11. The method according to claim 6 wherein a small confidence tolerance b value results in a large N and a large confidence tolerance b value results in a small N .
12. A system for resilient control of a process control loop if a control loop wireless link drops data comprising:
for the process control loop:
means for defining a process transfer function model;
means for defining a sampling rate T ; and means for defining a received sample timeout
threshold T ; and
means for receiving Process Variable (PV) z, data over
/C~rl
a wireless PV link;
means for inputting the PV z, data into an adapted
/C~rl
Kalman filter comprising:
in a current cycle, means for estimating the process state space X, , ; means for generating predicted PV Z1 1 data from the k+l
estimated process state space X, , data;
if new PV z, , data is received within the timeout k+l
threshold T , means for outputting the new PV z7 , data to a controller; and
if no new PV Z1 data is received within the timeout threshold T , means for outputting predicted PV Z, . data to the controller.
13. The system according to claim 12 wherein the received sample timeout threshold T equals the sampling rate T .
14. The system according to claim 12 further comprising:
means for generating new Control Variable (CV) M, . data from the new PV z, data;
/C~rl means for generating predicted CV M, .,"-,U, ^ data from the predicted PV z, . data; and means for packetizing the new CV M, , data and the predicted CV M, ~,---,W, ^ data from the controller.
15. The system according to claim 14 further comprising:
means for forwarding the packetized new CV Uj 1 data and the predicted CV w, ~,---,W, ^ data to an actuator over a wireless CV link;
means for receiving the new CV M, . and the predicted CV
M, ry,'",ύi -LJ data packets at the actuator comprising: means for buffering the new CV M, . and the predicted CV M, ^,--,M, ^ data packets;
if new CV data is received within the timeout threshold T , means for executing the new CV M, . data from the CV buffer; and
if no new CV data is received within the timeout threshold T , means for executing the predicted CV
M, ~,'",ύi yy- data from the CV buffer.
16. The system according to claim 12 further comprising:
means for deriving state space model parameters A,B,C,Q,R from the process transfer function model;
means for defining a PV error tolerance Cl ;
means for defining a confidence tolerance b;
means for calculating a threshold of consecutively missed samples N; and means for deriving a resilience index value loopRI for the control loop using loopRI '. = NT
a{\-b)
17. The system according to claim 16 further comprising if the number of consecutive N PV z, -,,...,Z7 AT data samples have not been received, means for generating an alarm indicating a PV link problem.
18. The system according to claim 16 further comprising means for calculating a confidence level Cj of predicted PV Z, . data indicating the quality of the prediction.
19. The system according to claim 18 wherein the confidence level Cj of the predicted PV z, . data is the probability that the difference between PV z, , data and the controller k+l
setpoint (SP) , in terms of percentage, is less than or equal to the PV error tolerance value a .
20. The system according to claim 19 further comprising means for deriving a Quality of Control (QoC) wherein the confidence level Cj is greater than or equal to the confidence tolerance b.
21. The system according to claim 19 further comprising means for deriving a Quality of Control (QoC) wherein the confidence level Cj is less than the confidence tolerance b .
22. The system according to claim 17 wherein a small
confidence tolerance b value results in a large N and a large confidence tolerance b value results in a small N .
2\
PCT/US2010/045412 2009-08-13 2010-08-13 System and method for resilient control over wireless networks WO2011019979A2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
EP10752216A EP2465013A2 (en) 2009-08-13 2010-08-13 System and method for resilient control over wireless networks

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US23359609P 2009-08-13 2009-08-13
US61/233,596 2009-08-13

Publications (2)

Publication Number Publication Date
WO2011019979A2 true WO2011019979A2 (en) 2011-02-17
WO2011019979A3 WO2011019979A3 (en) 2011-06-23

Family

ID=43014281

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2010/045412 WO2011019979A2 (en) 2009-08-13 2010-08-13 System and method for resilient control over wireless networks

Country Status (2)

Country Link
EP (1) EP2465013A2 (en)
WO (1) WO2011019979A2 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104809333A (en) * 2015-04-03 2015-07-29 百度在线网络技术(北京)有限公司 Capacity predicating method and system based on Kalman filter
CN106130918A (en) * 2016-08-24 2016-11-16 杭州华三通信技术有限公司 A kind of message forwarding method and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
None

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104809333A (en) * 2015-04-03 2015-07-29 百度在线网络技术(北京)有限公司 Capacity predicating method and system based on Kalman filter
WO2016155241A1 (en) * 2015-04-03 2016-10-06 百度在线网络技术(北京)有限公司 Method, system and computer device for capacity prediction based on kalman filter
CN104809333B (en) * 2015-04-03 2017-08-29 百度在线网络技术(北京)有限公司 Capacity prediction methods and system based on Kalman filter
US10437942B2 (en) 2015-04-03 2019-10-08 Baidu Online Network Technology (Beijing) Co. Ltd. Kalman filter based capacity forecasting method, system and computer equipment
CN106130918A (en) * 2016-08-24 2016-11-16 杭州华三通信技术有限公司 A kind of message forwarding method and device

Also Published As

Publication number Publication date
EP2465013A2 (en) 2012-06-20
WO2011019979A3 (en) 2011-06-23

Similar Documents

Publication Publication Date Title
JP6482699B2 (en) Use of predictive means in process control systems with wireless or intermittent process measurements
JP7009432B2 (en) Improved Kalman filter in process control system
JP6259706B2 (en) System and method for reducing transmission from a wireless process controller
CN106575104B (en) Model predictive control using wireless process signals
JP5308306B2 (en) Process control system and process control method
JP6190115B2 (en) Correction method for setpoint changes in non-periodically updated controllers
US20150195216A1 (en) Using learning machine-based prediction in multi-hopping networks
EP2954643A1 (en) Traffic-based inference of influence domains in a network by using learning machines
Schenato Kalman filtering for networked control systems with random delay and packet loss
US20160292051A1 (en) Communication apparatus and wireless communication system
WO2011019979A2 (en) System and method for resilient control over wireless networks
CN104049572B (en) Control signal protection equipment
CN110603799B (en) Method, switching unit, device and system for transmitting data from a device to a data management device
US11463849B2 (en) Data processing device, data analyzing device, data processing system and method for processing data
Gabel et al. QoS-adaptive control in NCS with variable delays and packet losses-a heuristic approach
Nower et al. Traffic pattern based data recovery scheme for cyber-physical systems
CN110574337A (en) Network computing equipment, method and system for predicting time series based on sliding median algorithm
George et al. On the Problem of Delay and Packet Dropout in Networked Adaptive Systems
Xiaoxue et al. Fault detection of networked control system subject to random packet dropout and multi-rate sample data
Pesonen Stochastic estimation and control over WirelessHART networks: Theory and implementation
CN103973539A (en) A method of operating an automation system
Orihuela et al. Model-based networked control systems under parametric uncertainties
Olaya et al. Reliable wireless control: Wireless connection in the control loop
EP3724733B1 (en) Improved latency management
Sombría et al. Analysis of the limit cycles in the PI control of IPD processes with send-on-delta sampling

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10752216

Country of ref document: EP

Kind code of ref document: A2

DPE1 Request for preliminary examination filed after expiration of 19th month from priority date (pct application filed from 20040101)
NENP Non-entry into the national phase

Ref country code: DE

WWE Wipo information: entry into national phase

Ref document number: 2010752216

Country of ref document: EP