An approach for fault detection and isolation in dynamic systems from distributed measurements

Page 1

IEEE TRANSACTIONS ON INSTRUMENTATION AND MEASUREMENT, VOL. 51, NO. 2, APRIL 2002235
An Approach for Fault Detection and Isolation in
Dynamic Systems From Distributed Measurements
Eric-J. Manders, Student Member, IEEE, Lee A. Barford, Member, IEEE, and Gautam Biswas, Senior Member, IEEE
Abstract—An application is presented for online model-based
fault detection and isolation (FDI) in a multitank fluid system. The
tank system is equipped with a distributed measurement and con-
trol system that implements components of the IEEE standard for
smart transducers, IEEE 1451 [1]. This standard includes an in-
formation model that provides programming constructs to sup-
port high level application functionality on a distributed network
of smart transducers. The model-based FDI methodology in this
work hasseveralaspectsthat mayberealized onsucha distributed
network. In the current work, the FDI application operates on a
workstationthatappearsonthenetworkasanother(virtual)trans-
ducer node. The concurrent tasks in the application may be asso-
ciated with actual transducer nodes. It represents a first effort to-
ward constructing capabilities for distributed FDI in complex dy-
namic systems.
Index Terms—Fault diagnosis, IEEE 1451, instrumentation,
monitoring.
I. INTRODUCTION
M
importance. Such systems are subject to stringent requirements
for robustsupervision and control.Faultsin systemcomponents
are likely to adversely affect both safety and functionality, and
consequently, the need for capabilities to detect faults and to
identify the faulty component(s) is becoming an integral part
of those requirements. This is the fault detection and isolation
(FDI) problem, and the primary objective in fault diagnosis [2].
Conventional techniques to ensure operational safety and
reliability have included hardware redundancy and localized
hardware safety mechanisms (e.g., check valves). These
mechanisms are also the basis for many current approaches to
FDI. For complex systems, the design of comprehensive FDI
capabilities using this approach becomes unfeasible, both from
a theoretical and practical viewpoint. An alternative approach
is to infer faults from discrepancies in the observed behavior of
the system through analytical techniques. Ideally, this analysis
should take the process dynamics into account. When these
dynamics can be described with a model, FDI techniques may
exploit the functional redundancy in the model. This is referred
to as the model-based approach to FDI.
ANY complex engineering systems are deployed in en-
vironments where reliability and safety are of primary
Manuscript received May 4, 2000; revised January 27, 2002.
E.-J. Manders and G. Biswas are with the Department of Electrical
Engineering and Computer Science, Vanderbilt University, Nashville, TN
37235-1592 USA (e-mail: manders@vuse.vanderbilt.edu; biswas@vuse.van-
derbilt.edu).
L. A. Barford is with Agilent Laboratories, Palo Alto, CA 94303-0889 USA
(e-mail: lee_barford@labs.agilent.com).
Publisher Item Identifier S 0018-9456(02)04320-6.
The operational reliability of a complex system can po-
tentially be enhanced also through the use of a distributed
measurement and control (DMC) system, particularly in large
scale, sensor rich environments. The emerging technology of
networked smart transducers facilitates the construction of
DMC systems. Smart transducers contain an embedded pro-
cessor providing computational resources to support complex
sensing and actuating tasks and high level applications in a
distributed setting. FDI is one such application.
This paper discusses an application for online model-based
FDI that exploits the resources of a network of smart trans-
ducers. The application is designed around a multitank fluid
systemtestbed,thatisequippedwithaDMCsystemusingsmart
transducers. Thesmarttransducers are implementedusing com-
ponents from IEEE 1451, the IEEE Standard for a Smart Trans-
ducer Interface for Sensors and Actuators [1].
TRANSCEND is a framework for model-based FDI of dynamic
systems [3]. It combines robust transient analysis methods with
a model-based qualitative fault isolation strategy that apply a
qualitative constraint analysis. Because qualitative methods
process input in symbolic form, a signal-to-symbol transforma-
tion step is required to compute symbolic feature values from
continuously sampled measurement data. The methodology
has been evaluated with simulation studies for various systems,
including multitank fluid systems and a secondary sodium
cooling loop system for a fast breeder reactor [3], [4]. In recent
work, the method was applied offline in FDI of the cooling
system of an automotive engine test bed [5].
Several aspects of this FDI scheme are suitable for a dis-
tributed architecture. Fault isolation based on symbolic descrip-
tions of transient data is explicitly separated from the signal-to-
symbol transformation methods that generate those symbolic
descriptions. Realizing the symbol generation on the transducer
node itself is one of the goals in building the distributed appli-
cation. Thiscan potentially reduce the network loadof the mon-
itoring and supervision tasks considerably.
Theremainderofthispaperisorganizedasfollows.SectionII
describes the DMC system for the tank system. Section III de-
scribes the modeling of the tank system for FDI, the FDI appli-
cationitself,andsomeexperimentalresults.SectionIVpresents
a summary and conclusions.
II. TEST BED FOR DISTRIBUTED MEASUREMENT
AND CONTROL
To demonstrate the benefits of IEEE 1451 for a complex
DMC system, a multitank fluid system test bed, incorporating
0018-9456/02$17.00 © 2002 IEEE

Page 2

236IEEE TRANSACTIONS ON INSTRUMENTATION AND MEASUREMENT, VOL. 51, NO. 2, APRIL 2002
Fig. 1. Three-tank fluid system test bed with a distributed measurement and control system (shaded) based on the IEEE 1451.1 and 1451.2 standards.
standards compliant hard- and software, was designed and
built at Agilent Laboratories, Palo Alto, California. The system
has subsequently become a test bed for research in distributed
model-based FDI.
A. A Standard for Smart Transducers
The IEEE 1451 family of standards provides an open plat-
form for the development of networked smart transducers [1].
The standardization process is ongoing but several component
standards have been ratified.
The 1451.2 standard specifies a smart transducer interface
module (STIM), the interface between a sensor or actuator and
a microprocessor [6]. The STIM provides plug-and-play capa-
bilities at the transducer level and may handle sensing and ac-
tuating functions over multiple channels. The 1451.1 standard
specifies a Network Capable Application Processor (NCAP),
an extensible object-oriented information model that represents
the interface of an (abstract) transducer to a network [7]. The
NCAP thus facilitates interoperability attheapplicationlayerof
a DMC system. The information model includes function ob-
jects and transducer objects that encapsulate application func-
tionality and sensor/actuator channels, respectively. Distributed
programming constructs support network-neutral communica-
tionthroughpublish-subscribeandclient-servermechanisms.A
completesmarttransducernodeiscomposedofanNCAP/STIM
pair, where the physical device operating as the NCAP includes
a 1451.2 interface driver.
The transducer node hardware in this work is designed
and built by Agilent Laboratories. The STIM is built around
a standard micro-controller [9] and can be configured for
multi-channel mixed analog and digital I/O. A prototype of
an embedded ethernet controller acts as NCAP.1This device
includes an Ethernet network interface and implements the
IEEE 1451.2 interface through custom hardware. The operating
system is an off-the-shelf real-time embedded OS (VxWorks
[8]), with the publish-subscribe mechanism implemented
over IP/multicast. The prototype transducer nodes have some
limitations that affect the design of the FDI application. This
will be discussed further in Section III.
B. Three-Tank Fluid System
The fluid system, shown in Fig. 1, consists of three tanks,
connected in a series configuration. A closed-loop fluid path is
created with an additional drain tank and a variable speed elec-
tric pump. The fluid flow for each tank is controlled by an inlet,
outlet, and bypass valve. Three additional valves in the system
provide further control of the fluid flow and pressure in the
system. Each tank has an ultrasonic level sensor (L1, L2, L3), to
measure the fluid level, which is proportional to the pressure at
the bottom of the tank. The main fluid line includes additional
pressure sensors (P1, P2) and a flow sensor (F1).
A network of six smart transducer nodes makes up the DMC
system. A dedicated node for each tank manages the level
sensing functions and actuating functions of the inlet and outlet
valves for that tank. A tank node publishes its level sensor
data and the state of the valves. A tank with its transducer
node functions as a “smart tank,” capable of adjusting its own
fluid level in a semi-autonomous way using feedback from
the level sensor to stop and start the fill and drain operations.
Supervisory control for a smart tank can therefore be abstracted
into “fill, ” “hold,” and “drain” commands.
1The production version of this device is no longer commercially available.

Page 3

MANDERS et al.: APPROACH FOR FAULT DETECTION AND ISOLATION237
Fig. 2.
are indicated also. The sequence starts with tank 1 in “fill” mode, tank 2 in “drain” mode, and tank 3 full and in “hold” mode.
Complete operating cycle of the system, showing tank level data ??? and line pressure data ???. Commands that initiate “fill tank” and “drain tank” modes
The main node subscribes to the published measurement and
state data from each tank. The main node also has its own STIM
through which it acquires flow sensor data, controls the pump
speed,andcontrolstheadditionalvalvesinthesystem.Thepres-
suretransducers,prototypesfromaprocessautomationindustry
manufacturer, integrate the pressure sensor with the transducer
node in a single housing. These devices publish pressure data.
Supervisory control for the system is also carried out on the
mainnode.Tankcontrolcommandsareissuedtoeachtanknode
through a dedicated client-server connection. The controller is
a finite state machine, implemented as an IEEE 1451.1 function
object. The standard autonomous operating sequence fills and
drains the tanks in a fixed cyclical pattern, shown in Fig. 2. The
tank system thus has multiple operating modes, with different
continuous time dynamics in each mode, making it a hybrid
system. In this work, we address the FDI problem within an
operating mode.
III. FDI APPLICATION FOR THE THREE-TANK SYSTEM
The multitank fluid system represents a simplified version of
a large class of physical plants, and is often used as reference
system for research in automatic control and fault detection and
isolation. Simulationexperiments withTRANSCENDforfaultsin
a two-tank fluid system are described in [3].
A. Modeling the System for FDI
The continuous dynamics of a fluid tank are illustrated in
Fig. 3. For a pipe connected to a tank the rate of change in the
pressure, , at the bottom of the tank is proportional to the net
fluid flow,
, and inversely proportional to the tank capac-
itance,
. The functional relation for flow, , through a pipe is
proportional to the pressure drop over the pipe, , and inversely
proportional to the pipe resistance,
values and qualitative relations are used for fault analysis, it is
in fact not necessary to convert the level measurement values
from the system into actual pressure values.
ThemodelusedinthequalitativeFDIalgorithmscapturesdy-
namic characteristicsof thedependencyrelations betweencom-
ponent parameters and the measured variables in the form of
a temporal causal graph (TCG). The model is constructed as
a bond graph (Fig. 4), a graphical, component based, compo-
sitional modeling language from which the TCG can be gen-
erated automatically. In this work, the pump is modeled as an
ideal source of flow, although it has been modeled as a system
component (gyrator) in other work [3].
When a mode switch occurs during the tanksystem cycle, the
continuous dynamics,and consequentlythemodel, willchange.
In each mode, only one tank can be draining, and only one tank
canbefilling.Thisimpliesthat,wheninertialeffectsofthefluid
flow can be ignored, the dynamics of the model in any mode
never exceeds first order behavior.
. Because only qualitative
B. Fault Isolation
The core algorithms of the qualitative FDI mechanism are
reported in detail in [3]. Fig. 5 shows a high level diagram
of the method. A numerical residual,
difference between the observed and nominal system behavior.
, is computed as the

Page 4

238IEEE TRANSACTIONS ON INSTRUMENTATION AND MEASUREMENT, VOL. 51, NO. 2, APRIL 2002
Fig. 3. One-tank fluid system and model equations.
Fig. 4.
???.
Bond graph model for the fluid tank ??? and the TCG derived from it
Fig. 5.Qualitative fault isolation core.
This residual is mapped into a symbolic form,
tures the dynamics of the fault transients. The hypothesis gen-
eration algorithm, using the TCG, computes a set of possible
fault candidates,
, and predicted behavior, , for each can-
didate. During hypothesis refinement, features computed from
theevolvingfaulttransientarematchedagainstthepredictedbe-
havior. Spurious candidates are eliminated, resulting in a final
set,
. The method is essentially a qualitative parameter esti-
mation method, and applies to those system components that
are modeled as parameters. For the tank system, the parameters
are the resistance of the pipes and capacity of the tanks.
, that cap-
C. Design and Implementation
TheFDIapplicationisimplementedona workstationthatap-
pears on the network as another NCAP, albeit without sensing
or actuating capabilities. We have taken a rapid application de-
velopment (RAD) approach using the Python language. Python
is an object-oriented, byte-compiled/interpreted language with
high-level data types and dynamic semantics. An extension API
supportsdynamicallyloadablemoduleswrittenincompiledlan-
guages.
Fig. 6 shows the architecture of the system. In addition to the
fault isolation core described above, the application includes
modules to communicate with the tank system, compute the
residuals, and perform the signal-to-symbol transformation.
These modules are described next.
1) Communication With the Tank System: An interface to
the tank system was created as a Python extension module. This
module was constructed using a sample implementation of the
C++language bindingsfor IEEE1451.1, and an automaticcode
generation tool to construct the interface code for the exten-
sion API. The module allows 1451.1 objects that interact with
the DMC application to be dynamically created, queried, modi-
fied,and destroyed. Whenthe moduleis loaded inan interactive
Pythoninterpreter,ausercanexploreall1451.1functionobjects
accessible on the network.
The client-server and publish-subscribe mechanisms facili-
tate event driven processing of streaming measurement data.
Event handlers in the application create the subscriber objects,
and forward the data to the rest of the application in a data-flow
computational structure. The fault isolation process uses the
fluid level measurement data and the two pressure measure-
mentsinthemainline.Trackingthemodeofthesystemrequires
the tank state data and the main node command state data.
As mentioned above, the prototype transducer hardware has
somelimitations.First,duetovariouslimitationsonthenetwork
code, the data publishing rate, effectively the sampling rate of
the system, is limited to 1 (s). Second, The NCAP does not gen-
erate time stamp information for the sensor data. A time stamp
is generated by the subscribers in the FDI application, but as a
result of the properties of Ethernet, this leads to a small non-
deterministic error in the time-stamp value. These limitations
affect the residual generation and signal-to-symbol generation
steps described below.
2) Residual Generation: The residual vector is computed as
the difference between the actual measurement data and the
nominal behavior. For the three-tank system, the nominal be-
havior is known in a direct way because the normal operating
cycle is known. For each mode of operation, the nominal be-
havior for all measurements was determined from data of sev-
eral cycles of normal system operation, and then mapped onto a
parametric estimate using regression analysis. The imprecision
in the time stamp of the measurement data increases the vari-
ance of the estimates. The parameter values are stored, together
with the description of the system model for that mode.
3) Signal-to-Symbol Transformation: The signal-to-symbol
transformation component operates on the numerical residual
data. Sophisticated techniques have been developed for robust
fault detection and robust analysis of the transient dynamics,
including derivative estimation and discontinuity detection
[10]. However, the low sampling rate does not provide enough
data to exploitthese techniques effectively.This implies thatthe
signal-to-noise ratio in the experiments must be high enough
so that measurement noise can be ignored and the use of naive
feature extraction methods is permissible.
A fault is detected when the residual deviates significantly
from zero. Fault detection therefore requires a threshold that
indicates a significant discrepancy. In this application, a fault is
detected based on instantaneous signal value, with the threshold
value chosen based on the variance of the signal. An estimate
for the derivative of the signal is computed with a simple first-
order difference operator. Note that fault detection is adversely
affected by the time stamp error in the data. The variance in

Page 5

MANDERS et al.: APPROACH FOR FAULT DETECTION AND ISOLATION 239
Fig. 6.FDI application architecture, the IEEE 1451.1 publishers are grouped by their corresponding embedded Ethernet controller.
the estimated nominal behavior requires a higher threshold, and
thereby decreases the sensitivity of the detection scheme.
The preceding indicates that the transducer limitations result
in lower sensitivity for fault detection and a lack of robustness
in the computed symbol values. These problems are overcome
in the experiments by introducing sufficiently large faults in the
system.
D. Online Experiments
The online FDI system was evaluated on two experiments
that were set up to make the diagnostic problem as interesting
as possible. In the first experiment, a leak is introduced in the
main line pipe. Fluid can be drained from the system through
an additional valve, fitted between the outlet valve of tank 3 and
pressuresensor2,thatisindependentfromtheDMCsystem(see
Fig. 1). The leak is modeled as a change in the resistance of the
fluid path through this drain valve, from an infinitely high value
when the valve is closed, to a finite, but unknown, value when
the valve is opened. Introducing the fault, by opening the valve,
results in an immediate pressure decrease, that is observed by
pressure sensor 2. The resistance parameter is correctly impli-
cated as the fault.
In the second experiment, an object is dropped in tank 1,
which reduces the capacitance parameter of the tank. The diag-
nosis of an object dropped in a tank that is in a “holding” mode
or a into a tank that is filling would be trivial because there is
no dynamic behavior involving the tank parameters, and the re-
sulting model would be of zero-order. Therefore, the fault is in-
troducedwhen thetankis draining.Droppinganobject ina tank
leads to an immediate increase in fluid level which is detected
in the residual, and the subsequent fault isolation correctly im-
plicates the tank capacitance.
IV. CONCLUSION
We have built an online FDI application for a tank-system
that is equipped with an advanced DMC system. Two different
typesoffailureswereintroducedinthesystem,andsuccessfully
detected and isolated using the TRANSCEND framework.
The provisions for both hardware abstraction and interop-
erability at the application level in IEEE 1451 can reduce the
need for specialized knowledge in instrumentation. A DMC ap-
plication with IEEE 1451 enabled smart transducers in effect
becomes a distributed object-oriented system. An application
developer can apply modern software engineering practices to
manage the complexity of a design, including patterns for dis-
tributed applications, and exploit advances in real-time mid-
dleware for embedded systems. In this work, we found that
the standard also facilitates rapid application development. This
is due to the possibility of streaming measurement data and
thedynamicconfigurationofdistributedobjectcommunication.
When these features are combined with an interactive environ-
mentsuchasprovidedbythePython interpreter,a powerfultool
to explore the operation of a DMC system is created.
The work described in this paper represents a first phase in
the development of distributed FDI systems. The next step in-
cludes exploring other aspects of the FDI functionality that can
be moved to a transducer node. Although the diagnosis problem
in general requires a global view of system behavior, several as-
pects allow for local focus. FDI models constructed using com-
positional modeling techniques will likely play an important
role.Ifglobalsystemmodelscanbepartitionedintomodelfrag-
ments, it becomes possible to distribute those model fragments
on the transducer nodes. The problem of fault isolation across
mode switches is being addressed in ongoing research on mod-
eling of hybrid systems. An approach to hybrid model-based
FDI for a multitank system is discussed in [11].
Followingtheworkdescribedinthispaper,AgilentTechnolo-
gies has donated the tank system to the Modeling and Analysis
of Complex Systems (MACS) Laboratory at Vanderbilt Univer-
sity where its continued development focuses on model-based
FDI and fault adaptive control technology (FACT) for complex
dynamic systems.