Moamar decentralized fault free model approach for fault detection and isolation of discret event systems


Published on

fault diagnosis

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Moamar decentralized fault free model approach for fault detection and isolation of discret event systems

  1. 1. Decentralized Fault Free Model Approach for Fault Detection and Isolation of Discrete Event Systems Moamar Sayed-Mouchaweh Univ Lille Nord de France, F-59000 Lille, France EMDouai, IA, F-59500 Douai, France Abstract: This paper presents a Boolean discrete event model based approach for Fault Detection and Isolation (FDI) of manufacturing systems. This approach considers a system as a set of independent components composed of discrete actuators and their associated discrete sensors. Each component model is only aware of its local desired fault free behavior. The occurrence of a fault entailing the violation of the desired behavior is detected and the potential responsible candidates are isolated using event sequences, time delays between correlated events and state conditions, characterized by sensor readings and control signals issued by the controller. The proposed approach is applied to a flexible manufacturing system. Keywords: Discrete Event Systems, Decentralized Approaches, Diagnosis, Manufacturing Systems.  1 Introduction The complexity of man-made systems, such as communication networks, manufacturing systems, electric power systems, etc., increases rapidly with the course of time. It results from the large number of subcomponents of these systems and the large volume of information flow. This increasing complexity enhances the probability of occurrence of faults. The basic idea of Fault Detection and Isolation (FDI) is to collect sequences of observations (or symptoms), in order to decide whether or not a system is working normally (fault detection). Then, if a fault is detected, FDI reports (fault isolation) which fault has occurred (deterministic diagnosis) or the most likely to have occurred (probabilistic diagnosis). Each fault that can result in a certain symptom, or sequence of observations, is considered as a possible fault candidate. Generally, FDI approaches are divided into model reasoning and model based approaches. Model reasoning approaches [7, 11] construct a model about the system behavior based on an initial human experience, e.g. expert systems, on a set of historical data, e.g. pattern recognition and signal processing methods, etc. Model based approaches [4, 5, 10, 15, 20, 21, 25] establish a mathematical or analytical model about the behavior of a system. The model can contain the normal or nominal behavior (fault free behavior) or the normal behavior as well as the system behavior for a predefined set of faults. The model may be quantitative, e.g. expressed in 1
  2. 2. differential/difference equations, transfer functions, etc., or qualitative, e.g. a finite-state automaton, a set oflogic expressions, a combination of both, a Petri net, etc. The principal advantage of approaches using both normal and fault behaviors, is the precision of the faultisolation. However, integrating the system behavior in response to a predefined set of faults increasessignificantly the model size. In addition, only predefined faults can be diagnosed. These disadvantages can beavoided using a fault free model. However, the fault isolation cannot be as precise as the one using normal andfault behaviors. Performing the diagnosis of a large scale Discrete Event System (DES) by using a global model is unrealistic.In addition, this type of systems is naturally decentralized, i.e. they are composed of several subsystems orcomponents possessing their own local information. An alternative to achieve the diagnosis of systems of thistype is the decentralized or distributed approaches. In decentralized approaches [6, 8, 19, 25], the diagnosis isperformed based on a set of local diagnosers. Each local diagnoser is responsible for a restricted area of thesystem. Since no communication is allowed among the local diagnosers, a global model of the system is requiredto take into account the links between the interrelated components. In distributed approaches [4, 9, 12, 24], thereis no need for a global model. The latter is described by a set of local models. Each local model is only aware ofits own behavior. The links, or dependencies, among components are considered via exchange among localdiagnosers using communication protocols [9, 24] or via a merging strategy [1, 4]. The merging is performed bysuccessive synchronous operations of component local diagnoses [4] or by propagating hypotheses from a localdiagnoser to its neighbors [1]. In this paper, we propose a decentralized fault free model based approach to diagnose plant faults of DESs.The independence property between system components is exploited in order to describe the global model by thefault free models of its components. Each component is composed of an actuator and its associated sensors.These models are represented as Boolean DES models. Each behavior which does not correspond to a normalone is considered as a fault behavior. Component elements (actuators/sensors), responsible for this faultbehavior, are considered as fault candidates. The paper is structured as follows. In section 2, the proposed approach is presented. In section 3, the approachis applied to a flexible manufacturing system. The last section concludes the paper and presents future researchdirections.2 Proposed approach for fault detection and isolation2.1 Boolean models of system components We use Boolean DES (BDES) modeling, presented in [2], to model the equipment (sensors/actuators) behaviorof a system. The system model G consists of n local models: G1,…, Gn, each one owns its local observableevents responsible for a particular component ci, i  1,..., n . The model G   Σ , Q, Y , δ, h, q0  is represented asa Moore automaton and L = L(G) denotes its corresponding prefixed closed language. Σ is a finite set of eventsand it includes the observable and unobservable events. Q is the set of states, Y is the output space, δ : Σ * x Q Q is the partial transition function, and Σ * is the set of all event sequences of the language L(G). The partialtransition function δ (σ , q) provides the next state if σ occurs at q. h: Q  Y is the output function. h(q) is the 2
  3. 3. observed output at q. q0 is the initial state. Let Σ f be the set of fault events. Σ f is partitioned into different faulttypes. Each fault type requires the identification not of the fault event itself, but of the type of fault, when suchan event occurs in the system. This fault type corresponds to some kinds of faults in an equipment element(sensor/actuator). Let Σ f Σ F1  ...  Σ Fr where Σ Fj , j  1,..., r denote disjoint sets of fault eventscorresponding to different fault types. It consists of the set of faults which have the same effect according toeither the configuration or maintaining procedure. When a fault of type Fj has occurred, this means that someevent from the set Σ Fj , j  1,..., r has occurred. In [3], controllable events Σc  Σ are defined as controller outputs sent to actuators and uncontrollable eventsΣu  Σ as controller inputs coming from sensors. Σo  ( Σc  Σu )  Σ is the set of observable events.Typically, observable events in a system are either enabled/disabled commands issued by the controller orchanges of sensor readings. Unobservable events are failure events or other events which cause changes in thesystem state not recorded by sensors. Let Gi and its corresponding prefixed closed language, Li = L(Gi), be the local model of the restricted area of the system observed by this model. Gi  Σ i , Qi , Y i , δ i , hi , qi0  is represented as a Moore automaton.Σo  Σci  Σu is the set of local observable events by Gi, and Σo  Σo . The other notations have the usual i i idefinition but for the restricted area observed by Gi. The model G is the synchronous composition of all the localmodels: G = G1 ║G2║...║Gn. G observes the system by one global projection function or mask,PL : Σ *  ε  Σo , where ε denotes the empty sequence. Thus, PL erases the unobservable events in an event *sequence. The inverse projection function is defined as: PL1 (u)  s  L: PL (s)  u . It establishes all the eventsequences producing the same observable event sequence u. Similarly, a local projection function can be definedfor each local model Gi as: PLii : Σ i*  ε  Σo* . A state qj of G is represented by an output vector hj considered ias a Boolean vector whose components are Boolean variables. Let d denote the number of state variables of G,the output vector hj of each state qj can be definedas: q j  Q, h(q j )  h j  (h j1 ,..., h jp ,..., h jd ), h jp  0,1 , h j  Y  0,1 . A transition from one state to another is ddefined as a change of a state variable from 0 to 1, or from 1 to 0. Thus, each transition produces an event αcharacterized by either rising, α  h jp , or falling, α  h jp , edges where p   ,2,...,d  . 1 In order to describe the effect of the occurrence of an event α  Σo , a displacement vector E is used. It isdefined as a Boolean vector E  (e1 ,...,ep ,...,ed ) in 0,1 . If ep = 1, then the value of pth state variable dhjp will be complemented when α occurs. While if ep = 0, the value of pth state variable hjp will remainunchanged when α occurs. Thus, the output vector can be calculated by:qi , q j  Q, α  Σo , q j  δ(α, qi )  hj  hi  Eα . (1)The symbol “  ” denotes the logical operator Exclusive-OR. 3
  4. 4. Similarly, we can define the displacement vectors for the other observable events. The set of all thedisplacement vectors of all the events provides the displacement matrix E. For each event α  Σo , an enablementcondition, en (qi )  0,1 , is defined in order to indicate if event α can occur at state qi, en (qi )  1 , or not,en (qi )  0 . Consequently, (1) can be re-written as:  hi  Eα if enα (qi )  1qi , q j  Q, α  Σo , q j  δ (α, qi )  h j   . (2)  hi if enα (qi )  02.2 Constrained Boolean models of system components Let S   Σ , QS , Y , δS , h, q0  denote the constrained system model, characterized as a Moore automaton. Itdefines the global desired behaviour of the system and it is represented by the prefixed closed specificationlanguage K = L(S)  L(G) . S can be obtained using different algorithms from the literature as the onesdeveloped in [17, 26] and the references therein. To obtain the transition function δS , the enablement conditionsfor all system events, α  Σo , at each state must satisfy all the specifications K, representing the desiredbehavior:  hi  Eα if enα (qi )  1α  Σo , qi , q j  QS , q j  δS (α, qi )  enα (qi )  1, h j   . (3)  hi if enα (qi )  0Thus, the constrained system model contains only the authorized events at each state. When the enablementcondition of an event is not satisfied, this indicates the occurrence of a fault. Each local model Gi has a local constrained model Si, which is a part of the global constrained model S. Si isrepresented by the specification language Ki = L(Si), which is included in K. Si is a Moore automaton: S i  Σ i ,QS ,Y i ,δS ,hi ,qi0 i i  and QS  Q i . All these notations have the usual definition but for the local iconstrained system model Si.2.3 Modeling timing delays of events Most sensors and actuators in manufacturing systems produce correlated events since state changes are usuallyaffected by a predictable flow of materials [14]. Therefore, a temporal model centred on the notion of expectedevent sequencing and timing relationships can be used. In this paper, we define a set of expected consequences EC  for each controllable event β  Σc , in order topredict uncontrollable but observable consequent events within predefined time intervals. EC  is constructedfor observable events and it describes the next events that should occur and the relative time intervals in whichthey are expected. The predefined time intervals are determined by experts or by learning according to thesystem dynamics and to the desired behavior. Let β u be an observable event sequence starting by controllableevent β , and ending by observable but non controllable event sequence u = α1α2 ...αk  Σo . Then, the set of * 4
  5. 5. expected consequences ECβ (u ) is created when controllable event β occurs. α1α2 ...αk is the longest noncontrollable but observable event sequence in response to controllable event β . EC  (u ) has the following form: EC  (u ) = C α1 β α1 α α2 α αi α , C β , Cβ 2 , C β ,..., Cβ i , C β ,..., Cβ k , C β αk . C αi β is a positive αiexpected consequence which should be satisfied in the case of a normal behavior. C β is a negative expected αi αconsequence which should not be satisfied in the case of a normal behaviour. C β i and C β are expected after theoccurrence of controllable event β and are defined, respectively, as follows:   αi  αi  Cβi  αi ,(qαi , tmin  tαi  tmax , l αi ) , C β  αi , (qαi , tmax  tαi  tmax  Δαi , l β ) . Δαi is the maximal time period α αi αi β αi αiwithin which event αi is expected to occur. When i is equal to one, this indicates the occurrence of the firstobservable but non controllable event in response to the occurrence of controllable event β . The positive i expected consequence means that event αi should happen at state q i and within the time interval [ t min , t max ]. iIf it is the case, then the positive expected consequence is satisfied. Otherwise, the positive expected αconsequence is not satisfied and it provides the set of fault labels l β i as the cause of this non satisfaction. The inegative expected consequence means that if event αi occurred after t max , then this satisfaction indicates a fault αibehavior and it provides the set of fault labels l β as the cause of this satisfaction. Positive consequences are usedto infer the fault candidates in the case of non occurrence of an event. While negative consequences are used toinfer the fault candidates in the case of too late event occurrences. The late occurrence of an event characterizesa degraded behavior of a system. Fault behavior causes the production halt while a degraded one reduces theoptimal production performance. The set of fault labels can include one or several fault labels. Each one of themindicates a fault candidate as the responsible for the fault occurrence. Each expected positive/negative consequence C αi β ,C β αi  is evaluated by an expected function EFβ (αi ) . αEFβ (αi ) is equal to 1 if the positive consequence C β i related to event αi is not satisfied or its associated αinegative consequence C β is satisfied. While it is equal to zero if the positive expected consequence is satisfied.If a positive consequence is satisfied, then its associated negative one is not satisfied.2.4 Fault detection and isolation We adopt the hypothesis that each behavior which does not correspond to a normal one is considered as a faultbehavior. Thus, a fault can occur starting from any state of the desired behavior. This fault occurrence isunobservable and it leads the system to a fault state. Each fault state must be reached within a finite time delayfor all the event sequences that can lead to this state starting from any other one of the desired behavior states. Let ΨF j define the set of all event sequences ending by a fault belonging to fault partition Σ F j . Thus,ΨF  r j 1 (ΨFj ) denotes the set of all event sequences ending by a fault belonging to a fault partition of Σ f . 5
  6. 6. Consequently, ΨF  (L – K), i.e. all the fault sequences ending by a fault belonging to one of fault partitions ofΣ f are considered as violation of the specification language K. The FDI of a global model G is defined as follows. Let βρθ be an event sequence starting by controllableevent β. ρ is an event sequence that ends by a failure event and θ is a continuation of ρ. In order to ensure thefault detection, the following condition must hold:(βρθ  L : ρ  ψF ) ( PL (θ )  α1...αk , θ  k  ) (q  Q)  enαk (q)  0 or EFβ (αk )  1. (4) The satisfaction of (4) ensures that any event sequence violating the global desired behavior, due to theoccurrence of a fault, must be detected by: - the non satisfaction of the positive expected consequence related to event αk , - the satisfaction of the negative consequence related to event αk , - the non satisfaction of the enablement condition of the latest observable but non controllable event αk in the event sequence.This detection is performed in a finite time delay ; specifically at k event transitions after ρ. In this paper, we assume that at most one fault may occur at a time. The set of fault candidates can bedetermined as follows. Let hjp denote the state variable describing the discrete status (on/off) of sensor p. Let h jp ,  h jp  be the events produced by this state variable at state qj. The non occurrence of  h jp in the αexpected time interval generates the following three fault candidates: l β = {“sensor p blocked at 1”, “associatedactuator with sensor p stuck-off”, “associated actuator with sensor p acting too slowly according to its normal αbehavior”}. The too late occurrence of  h jp generates the fault candidate: l β = {“associated actuator withsensor p acting too slowly according to its normal behavior”}. If the enablement condition enα (q j )  0 because αhjp = 1, then the fault candidate lq j is {“sensor p blocked at 1”}. In the contrary case, i.e. hjp = 0, the fault αcandidate lq j is {“sensor p blocked at 0”}.2.5 Progressive monitoring Progressive monitoring aims at reducing the number of fault candidates thanks to the occurrence of newevents. The fault candidates which are no more consistent with the occurrence of a new event will be removedfrom the set of fault candidates. In addition, only the common fault candidates explaining together the nonsatisfaction of positive consequences and enablement conditions or the satisfaction of negative consequences arekept. This is justified since one fault may occur at a time. Let FCAN β be the set of fault candidates in the case ofthe occurrence of controllable event β . If enαi (q j )  0 , then FCAN β  lq ji . If αi  h jp (respectively ααi  h jp ) and its enablement condition is satisfied: enαi (q j )  1 , then sensor p is not blocked at 0 (respectively 6
  7. 7. sensor p is not blocked at 1). Thus, the fault candidate: “sensor p blocked at 0” (respectively “sensor p blocked at1”) will be removed from the set of fault candidates. The same reasoning is applied for the satisfaction of thepositive expected consequence or the non satisfaction of the negative expected consequence related to theoccurrence of an event αi . Therefore, the set of fault candidates is reduced by both eliminating the faultcandidates which are no more consistent with the occurrence of an event and by keeping the candidatesexplaining together the non satisfaction of positive consequences and enablement conditions and the satisfactionof negative consequences. Let NFCAN β be the set of fault candidates to be removed from FCAN β . The set offault candidates is reduced as it is depicted in Fig 1. Activation of a command β  Σc FCAN β  {}; NFCAN β  {} For each αi  Σo , i  1,..., k No α C β i is satisfied Yes FCAN β  {}  FCAN β  ( FCAN β  l ) NFCAN β αi β NFCAN β  NFCAN β  l βi α FCAN β  {}  FCAN β  l β i NFCAN β α FCAN β  FCAN β NFCAN β αi Yes C β is satisfied FCAN β  ( FCAN β  lβαi ) NFCAN β No αi NFCAN β  NFCAN β  l β FCANDβ  FCANDβ NFCANDβ No enαi (q)  1 Yes FCAN β  {}  FCAN β  ( FCAN β  lq i ) NFCAN β α NFCAN β  NFCAN β  lq i α FCAN β  FCAN β NFCAN β FCAN β  {}  FCAN β  lq i NFCAN β α No i=k Yes Fig. 1. Progressive monitoring flowchart. “  ” is the union set operation, “  ” is the intersection set operation, and “” is the difference set operation. A preference order among candidates, when the set of fault candidates contains more than one candidate, canbe established by learning. In this case, historic records of past fault occurrences and their associated real faultcandidates are constructed. Then, for each fault occurrence, the probability of its potential fault candidates is 7
  8. 8. established as the number of times that these candidates were the real responsible divided by the total number offault occurrences. The preference order can also be established based on the expert knowledge.2.6 Independent fault detection and isolation property The system considered in this paper is composed of a set of independent components: ci, i  1,..., n . Twocomponents ci and cj, respectively, their local models Gi and Gj, are considered as independent if they verify thefollowing two proprieties: the state-independent and the transition-independent ones. The first property [4] statesthat if Gi and Gj are a decomposition of their global model Gij  Gi G j , then each one of them has a uniqueinitial state. In other words, it expresses that when decomposing a model Gij into two local models Gi and Gj, noconstraints on their initial states have been lost. In this case, the synchronization of the two local models Gi andGj ensures that we get exactly the model Gij. Indeed, when the two local models interact (the state-independenceproperty is not satisfied), the decomposition of the model Gij into two local models Gi and Gj leads to lose theinformation about the constraints existing between the local models initial states to represent the model initialstate. Thus, composing Gi and Gj does not ensure to get exactly Gij ; it may lead to get an automaton includingGij. The transition-independence property is satisfied between two local models Gi and Gj if their automata donot have any common synchronisation event. We adapt the notions of independent diagnosis [22], jointly diagnosis [23] and local diagnosis [16], defined inthe case of models integrating both normal and fault behaviors, for the case of models containing only thenormal behavior. The FDI of a system can be achieved independently if its components are independent. Thesystem is independently FDI if the occurrence of a fault can be detected and the fault candidates can begenerated without any need for inter-local models communication and within a finite number of eventoccurrences. The system can be independently FDI if it is jointly and locally FDI. The system is jointly FDI ifthe occurrence of a fault can be detected and the fault candidates can be generated at at least one local model andwithin a finite number of event occurrences. The system is locally FDI if all the faults occurring at a componentcan be detected and their candidates can be generated at the local model of this component.2.7 Decentralized fault detection and isolation We adapt the notion of decentralized diagnosis [23], defined for models containing both normal and faultbehaviors, for the case of normal behavior models. A system is decentrally FDI iff each fault occurrence can bedetected and its associated set of responsible candidates can be generated based on a set of local models and a setof inter-local models message events. In order to ensure the decentralized FDI, the following conditions musthold:(βθ  L) (θ  K : PLii (θ )  α1...αk )(i  1, 2,..., n)(q  Q)  enαk (q)  1. i (5)(βρθ  L)( ρ  L  K )( PLii (θ )  α1...αk )(i  1, 2,..., n)(q  Q)  enαk (q)  0 or EFβ (αk )  1. i (6) 8
  9. 9. Condition (5) means that all the enablement conditions of all the local desired models must be satisfied for anyevent of a sequence belonging to the global desired behavior. Thus, this condition ensures that no conflict canoccur between local desired models for the enablement of events at any state of the desired behavior. Thesatisfaction of (6) ensures that any event sequence violating the global desired behavior, due to the occurrence ofa fault, must be detected by reaching at least one state q. At this state, the detection is based on the nonsatisfaction of the enablement condition of the latest event αk in the event sequence, of its positive expectedconsequence or on the satisfaction of its negative expected consequence. If the system is composed of independent components, there is no need for inter-models messages to ensure adecentralized FDI equivalent to the centralized FDI. Fig 2 illustrates the decentralized FDI for the case of twoindependent components. Global system c1 c2 G G1 G2 S S1 S2 FDI FDI1 FDI2 FDI of faults FDI of faults related to c1 related to c2 Fig. 2. Decentralized FDI for the case of two independent components.3. Manufacturing system example To illustrate the proposed approach, we use the example of Fig. 3 which presents a flexible manufacturingsystem platform called cellflex ( 9
  10. 10. Stock station Bottles conveyer Pick and place station Processing station Bottles supply Station of manipulation of caressed bottles Corks supply station Filling and screwing station Fig. 3. Flexible manufacturing system. We focus on the pick and place station; the other stations can be treated by the same reasoning. Pick and placestation performs import and export of pieces by a gripper using a pneumatic system of 3 axes (Fig. 4). Symbol refers to Z axis displacement,  to X axis displacement,  to Y axis displacement, and  to the pneumaticsystem gripper. This station is composed of 4 actuators piloted by 6 pre-actuators. The information about thebehavior of the station is provided by 9 sensors (Fig. 5). Fig. 4. Pick and place station. 10
  11. 11. PLANT Gripper X axis cylinder Y axis cylinder CONTROLLER Z axis cylinder Actuators Z axis in upper end position Z axis in lower end position Y axis in retracted position (station side) Y axis in extended position (conveyor side) X axis at feeding belt X axis at slide 2 X axis at middle position (slide 1) Gripper opened Gripper closed Sensors Effector Fig. 5. Actuators and sensors of pick and place station.3.1 Fault free models of Y axis plant elements We illustrate the construction of the Y axis model; the same reasoning can be followed for the construction ofthe other axis models. The Y axis actuator is a Double Acting Cylinder (DAC) where retracted and extendedpositions are indicated respectively by two sensors yR and yE (Fig. 6). yR yE VIn V<- V-> VOut Out In Fig. 6. Elements of the Y axis. Fig. 7 and Fig. 8 illustrate the fault free models of Y axis plant elements. The model GDAC (Fig. 8) evolves fromits initial state q0/VIn after the occurrence of ↑Out. State q0/VIn indicates that the piston rod is in home position.The occurrence of ↑Out leads the piston rod to move forward. This piston rod movement is represented bydynamic state q*1/V->. The output V-> indicates that the piston rod is in movement towards its fully extendedposition. The time Ts required to reach this position is assigned to the time variable Δ . In the same time, a localclock t is initiated to calculate the spent time during the forward movement. At this dynamic state, when thevalue of t becomes equal to the one allocated to Δ , this means that the actuator has reached its fully extendedposition. Therefore, GDAC reaches state q2 with the output VOut. The deactivation of Out leads the system to be instate q3 with the output VOut. At this state, control signal ↑In can occur. This activation leads the piston rod toreturn to its home position. Thus, GDAC evolves to dynamic state q*4 with the output V<- indicating that the pistonrod is in inverse movement. The time Ts is assigned to Δ . Then, the local clock is initiated again to calculate theelapsed time in the inverse movement. When this time becomes equal to the one allocated to Δ , the piston 11
  12. 12. arrives to its home position when reaching state q5/VIn. The deactivation of In transits the system to its initialstate. ↓ yR ↓ yE q1 q0 q1 q0 yR /yR yE /yE ↑ yR ↑ yE a) Sensor yR fault-free model b) Sensor yE fault-free model Fig. 7. Fault free models of sensors yR and yE. q0  Out, Ts->∆ q*1 Out . t := ∆ q2 VIn V-> VOut  In  Out q5 In . t := ∆ q*4  In, Ts->∆ q3 VIn V<- VOut Fig. 8. DAC fault free model. For each plant element, we can enumerate, with the help of an expert, the potential fault or degraded behaviorsand their responsible candidates. Table 1 shows the labels indicating the fault candidates of the fault anddegraded behaviors of Y axis plant elements. Table 1. Fault and degraded behaviors and their responsible candidates for Y axis plant elements. Type Label Description ByR sensor yR blocked at 1 Fault behaviors B/yR sensor yR blocked at 0 ByE sensor yE blocked at 1 B/yE sensor yE blocked at 0 BVin DAC blocked in retracted direction BVout DAC blocked in extended direction Degraded DV-> DAC acting too slowly in extended direction compared to its normal behavior behaviors DAC acting too slowly in retracted direction compared to its normal behavior DV<-3.2 Desired behavior model of the Y axis Y axis plant elements can be represented as a block for which the inputs are control signals of the controller, Inand Out, and the outputs are sensor readings yR and yE (Fig. 9). The controller is supposed to be safe and 12
  13. 13. dependable. For example, it is impossible to have the activation of In and Out at the same time. When controlsignal Out is activated, the normal response is ↓ yR followed by ↑ yE. Y axis Plant Elements In CONTROLLER Y axis cylinder Out yR Y axis retracted (station side) yE Y axis extended (conveyor side) Fig. 9. Observable events of Y axis plant elements. Local constrained system model SY for submodel GY of the Y axis is depicted in Fig. 10. Since any DAC with 2positions has always the same desired behavior, the constrained model can be obtained from a library. While inthe case of DAC with n positions, several constrained models can be obtained according to the global desiredbehavior. This is due to the existence of several intermediate positions for the cylinder. In [17] an algorithm isdefined to extract the local desired behavior based on the global one. Thus, it can be used to obtain local desiredbehaviors in the case of a DAC of n positions. SY h : yR yE Out In 1000 1010 0010 0110 Out *  yR  yE 1 2 3 4 In Out  yR  yE In 8 7 6* 5 1001 0001 0101 0100 Fig. 10. Local constrained-system model SY for submodel GY. In BDES modelling, the desired behavior can be described using two tables; the first one explains theenablement conditions for the occurrence of each event and the second one is the displacement matrix for theestimation of the state output vector of each next state. These tables are shown respectively in Table 2 and Table3 for SY. As an example we can notice that the only event allowed to take place in the initial state of SY,characterized by output vector h1 = (yR yE Out In)=(1000), is controllable event ↑Out since its enablementcondition Y enOut (q1 ) is satisfied and enablement conditions for all other events are false (See Table 2). Thedisplacement vector of this event is EOut  (0010) . The output vector of the next estimated state of SY is Ycalculated using (2): en1Out (q1 )  1  h2  h1  EOut  (1000)  (0010)  (1010) . Similarly, we calculate the next  Youtput vector according to the occurrence of each authorized observable event. 13
  14. 14. Table 2. Enablement conditions for SY. Event: σ of SY Y Enable condition: en ↑ yR /yR . /yE . /Out . In ↓ yR yR . /yE . Out . /In ↑ yE /yR . /yE . Out . /In ↓ yE /yR . yE . /Out . In ↑Out yR . /yE . /Out . /In ↓Out /yR . yE . Out . /In ↑In /yR . yE . /Out . /In ↓In yR . /yE . /Out . In Table 3. Displacement matrix EY for SY State variable ↑ yR ↓ yR ↑ yE ↓ yE ↑Out ↓Out ↑In ↓In yR 1 1 0 0 0 0 0 0 yE 0 0 1 1 0 0 0 0 Out 0 0 0 0 1 1 0 0 In 0 0 0 0 0 0 1 13.3 Definition of expected consequences We use expected consequences to model cylinder response times which can be obtained by learning and/or bytechnical documentation. For SY, we define 2 expected consequences: ECOut and EC In , one for each commandenablement: ↑Out and ↑In. The occurrence of ↑ Out entails events ↓ yR and ↑ yE to occur respectively at states q2 *and q3. After the occurrence of ↑ Out, ↓ yR is expected to occur within the time interval [t1, t2] and ↑ yE withinthe time interval [t3, t4]. These time intervals depend on system dynamics. We define the maximum timeΔ yR accepted for the cylinder response, in the case of degraded behavior, entailing the occurrence of event ↓ yR. maxIf ↓ yR does not occur at q2 within the time interval [t1, t2], then either: -) the cylinder has not responded, -) the *cylinder is acting too slowly, or -) sensor yR is blocked at 1. Thus, the non satisfaction of the correspondingpositive expected consequence at this state provides three fault candidates: “DAC blocked in retracted direction”indicated by the label BVin, “DAC acting too slowly in extended direction” indicated by the label DV->, and“sensor yR blocked at 1” indicated by the label ByR. If ↓ yR occurs but too lately, then the provided fault is “DACacting too slowly in extended direction” indicated by the label DV->. The same reasoning can be followed forevent ↑ yE. Consequently ECOut can be written as follows:    yR  yR    yR   COut , C Out  { yR ,(q 2 , t1  t  t 2,{ByR ,BVin , DV  })},{ yR ,(q 2 , t 2  t  t 2  Δmax ,{DV  })} ,    * *   .  ECOut    yE  C  yE , C Out  { yE ,(q3 , t 3  t  t 4,{B/ yE , BVin , DV  })},{ yE ,(q3 , t 4  t  t 4  Δ yE ,{DV  })}   Out  max  Similarly, the expected consequences for the enablement of command In is written as follows: 14
  15. 15.    yE  yE    yE   C In , C  In  { yE , (q 6 , t1  t  t 2,{ByE ,BVout , DV  })},{ yE , (q 6 , t 2  t  t 2  Δmax ,{DV  })} ,    * *  .   EC In    yR  C , C  In  { yR , (q7 , t 3  t  t 4,{B/ yR , BVout ,DV  })},{ yR , (q7 , t 4  t  t 4  Δmax ,{DV  })}   yR  yE   In    However, these abnormal behaviors require the determination of the intervals defining the acceptable time ofdisplacement of the DAC in the case of normal and degraded behaviors. To determine these intervals, we haveestablished a learning phase about the system normal behavior. The goal of this learning is to obtain realistictime response intervals related to the system dynamics and to the actuators technology. These intervals areobtained by a learning extrapolation of the probability, chance, of the occurrence of an event in this interval. Fig.11 presents the learning extrapolation when command Out is activated. This activation expects as normalresponse events ↓ yR then ↑ yE within respectively the time intervals [t1, t2] and [t3, t4]. Fig 12 shows the timeinterval between the activation of command Out and the cylinder response. This interval is calculated for 100different activations of command Out. Fig. 13 presents the learning of time interval [t3, t4] of the occurrence ofevent ↑yE after the activation of Out. This learning is obtained by exploiting the historic records of past requiredtime by the cylinder to reach its full extended position for different responses, 100 for the example of Fig. 13. Out =1 ↓ yR ↑ yE t  yR  yE t1 t2 Δ max t3 t4 Δ max Fig. 11. Learning extrapolation for time intervals of sensor event occurrences in response to the activation of command Out. 25 Number of occurrences of ↓ yR 20 15 10 5 0 45 48 51 54 57 60 63 66 69 72 75 78 Time (ms)Fig. 12. Learning of the time interval and the number of the occurrence of event ↓ yR after the activation of Out. 50 ↑ yEer 45 40 Number of occurrences of 35 30 25 20 15 10 5 0 120 123 126 129 132 135 138 141 144 147 150 Time (ms)Fig. 13. Learning of the time interval and the number of the occurrence of event ↑ yE after the activation of Out. 15
  16. 16. 3.4 Generation of fault candidates for the Y axis The candidates responsible for the occurrence of a fault in a plant element (sensor/actuator) can be determinedbased on its normal models as well as on its temporal constraints represented by a set of positive/negativeexpected consequences. The following hypotheses are considered:  all components fail independently with equal likelihood,  one fault may occur at a time,  the controller is supposed to be dependable and safe. Consequently, the controller cannot be responsible for any fault as the one of sending two conflicting control signals,  the cylinder does not fail during operation, i.e. if it does fail, the fault occurs at the start of operation. This means that a fault cannot occur during the cylinder movement. The fault candidates are generated as follows. A fault is detected in one of the following cases: an unexpectedevent occurs, an expected event does not occur, or it occurs too lately. In the first case, the enablement conditionof the event occurrence is not satisfied. The possible fault candidate is determined by identifying the statevariable responsible for this non satisfaction. As an example, when the cylinder of the Y axis is in the initial state(Fig 10) and when command Out is activated, the system transits to the next desired state characterized by theoutputs Out = 1, In = 0, yR = 1, yE = 0. The output vector for this state is calculated using (1):h2  (h1  1000)  ( EOut  0010)  (1010) . If the cylinder responds, then sensor event ↓yR will be observed Ywithin the time interval [t1, t2] indicating that the cylinder motor is not faulty. Since enYOut (q1 )  1 , see Table 2, then this state corresponds to a state of the desired behaviour SY. If event ↑ yE occurs at the state q2 instead of *expected event ↓ yR, then en yE ( q2 ) = / yR . / yE .Out. / In = 0. The only reason for this non enablement, based on Y *  the conditions of q2 , is the state variable of sensor yR. Thus, the fault candidate is FCANOut  ByR . If there is *  yRno sensor event within the time interval [t1, t2], then positive expected consequence COut is not satisfied and the  yR fault candidates will be generated as follows: FCANOut  lOut  BVin , D V  , ByR . 3.5 Progressive monitoring The number of candidates can be reduced using a progressive monitoring (Fig 1). The occurrence of newsensor events can lead to eliminate the inconsistent candidates with this new observation. As an example, if  yR  yRis observed within the time interval [t1, t2], then positive expected consequence COut as well as the enablement  yRcondition of  yR are satisfied; while negative expected consequence C Out is not satisfied. Thus, we canobtain: NFCANOut  {ByR , BVin , DV  } and FCANOut = {}. If  yE did not occur, then the non satisfaction of  yECOut generates the fault candidates:  yEFCANOut  (lOut  {B/ yE , BVin , DV  }) {ByR , BVin , DV  }  {B/ yE } .If events  yR and  yE both did not occur, then the fault candidates are generated and then are reduced as it isdepicted in Fig 14. 16
  17. 17. Activation of a command Out  Σc FCANOut  {}; NFCANOut  {} Non occurrence of  yR in the expected normal time interval command  yR  yR  COut is not satisfied : FCANOut  lOut  ByR , BVin , D V   Non occurrence of  yR in the expected degraded time interval command  yR C Out is not satisfied : NFCANOut  D V   , FCANOut  {ByR , BVin , D V }{D V }  {ByR , BVin } Non occurrence of  yE in the expected normal time interval command  yE COut is not satisfied :       FCANOut  ( BVin , ByR  (lOut  BVin , D V  , B/ yE )) D V    BVin  yE Fig 14. Progressive monitoring in the case of non occurrence of both  yR and  yE .4. Conclusion and future works This paper presents a fault free model based approach for the Fault Detection and Isolation of discretemanufacturing system. This approach considers the plant as a set of plant elements composed of actuators andtheir associated sensors. The goal is to take benefit of the composite structure of manufacturing systems. The useof fault free models reduces the model construction complexity since the fault behaviors in response to apredefined set of faults are not integrated in the system models. A fault is detected by one of the following cases: the occurrence of an unexpected event, the non occurrence ofan expected event within predefined time intervals, or its too late occurrence. The occurrence of an unexpectedevent is detected when the enablement condition of this event is not satisfied. The state variable, representingsensor output, responsible for this non satisfaction, are considered as a fault candidate. The non occurrence of anexpected event, or its too late occurrence, within predefined time intervals, is detected using a template. Thelatter is created for each control signal and it represents temporal constraints between events occurrences. In this paper, the components are considered independent. Thus, a future work is to develop the proposedapproach for the case of a system of interrelated components. In this case, a communication protocol must bedefined in order to take into account the links among components. This protocol must be scalable with thesystem size.AcknowledgmentThis work is supported by the Scientific Interest Group surveillance, safety and security of the big systems(GIS3SGS). 17
  18. 18. References[1] Ardissono L, Console L, Goy A, Petrone G, Picardi C, Segnan M, Theseider Dupré D. Enhancing Web Services with diagnostic capabilities. In: 3rd IEEE European Conference on Web Services. 2005, pp 143- 159.[2] Aveyard RL. A boolean mode1 for a class of discrete event systems. IEEE Transactions Systems, Man, and Cybernetics 1973; SMC4-3: pp 249-258.[3] Balemi S, Hoffmann GJ, Gyugyi P, Wong Toi H, Franklin GF. Supervisory control of a rapid thermal multiprocessor. IEEE Transactions on Automatic Control 1993; 38(7): 1040-1059.[4] Cordier MO, Grastien A. Exploiting independence in a decentralised and incremental approach of diagnosis. In: 20th International Joint Conference on Artificial Intelligence. 2007, pp 292-297.[5] Darkhovski B, Staroswiecki M. Theoretic approach to decision in FDI. IEEE Transactions on Automatic Control 2003; 48(5): pp 853-858.[6] Debouk R, Lafortune S, Teneketzis D. Coordinated decentralized protocols for failure diagnosis of discrete event systems. Discrete Event Dynamic Systems: Theory and Applications 2000; 10(1-2): pp 33-86.[7] Devillez A, Sayed Mouchaweh M, Billaudel P. A process monitoring module based on fuzzy logic and Pattern Recognition. International Journal of Approximate Reasoning 2004; 37(1): pp 43-70.[8] Garcia HE, Yoo TS. Model-based detection of routing events in discrete flow networks. Automatica 2005; 41(4): pp 583-594.[9] Genc S, Lafortune S. Distributed diagnosis of discrete-event systems using Petri nets. In: International Conference on Application and Theory of Petri Nets. 2003, pp 316–336.[10] Hadjicostis CN. Probabilistic Fault Detection in Finite-State Machines Based on State Occupancy Measurements. IEEE Transactions on Automatic Control 2005; 50(12): pp 2078-2083.[11] Isermann R. Supervision, Fault Detection and Fault-Diagnosis Methods-an Introduction. Control Engineering Practice 1997; 5(5): pp 639-652.[12] Jiroveanu G, Boel RK. A distributed approach for fault detection and diagnosis based on time Petri nets. Mathematics and Computers in Simulation 2006; 70(5): pp 287-313.[13] Lamperti G, Zanella M. On Processing Temporal Observations in Monitoring of Discrete-Event Systems. Enterprise Information Systems 2008; 3(3): pp 135-146.[14] Pandalai D, Holloway LE. Template Languages for Fault Monitoring of Timed Discrete Event Processes. IEEE Transactions On Automatic Control 2000; 45(5): pp 868-882.[15] Patton R, Clark RR, Frank M. Issues of Fault Diagnosis for Dynamic Systems. Springer, Berlin Heidelberg New York 2000.[16] Pencolé Y. Diagnosability analysis of distributed discrete event systems. In: European Conference on Artificial Intelligence. 2004, pp 43-47.[17] Philippot A, Sayed Mouchaweh M, Carré Ménétrier V. Unconditional decentralized structure for the fault diagnosis of discrete event systems. In: 1st IFAC Workshop on Dependable Control of Discrete event Systems. 2007, pp 255-260.[18] Qiu W. Decentralized/distributed failure diagnosis and supervisory control of discrete event systems. Ph.D. thesis of the Iowa State University 2005. 18
  19. 19. [19] Qiu W, Kumar R. Decentralized failure diagnosis of discrete event systems. IEEE Transactions on systems, man and cybernetics-Part A: Systems and Humans 2006; 36(2): pp 628-643.[20] Rozé L, Cordier MO. Diagnosing Discrete-Event Systems: Extending the “Diagnoser Approach” to Deal with Telecommunication Networks. Discrete Event Dynamic Systems 2002; 12(1): pp 43-81.[21] Sampath M. A Discrete Event Systems Approach to Failure Diagnosis. Ph.D. thesis of the University of Michigan 1995.[22] Sengupta R. Diagnosis and communications in distributed systems. In: International Workshop on Discrete Event Systems. 1998, pp 144-151.[23] Sengupta R, Tripakis S. Decentralized diagnosability of regular languages is undecidable. In: 40th IEEE Conference on Decision and Control 2002, pp 423-428.[24] Su R, Wonham WM. Global and local consistencies in distributed fault diagnosis for discrete event systems. Transactions on Automatic Control 2005; 50(12): pp 1923-1935.[25] Wang Y, Yoo TS, Lafortune S. Diagnosis of discrete event systems using decentralized architectures. Discrete Event Dynamic Systems 2007; 17(2): pp 233-263.[26] Wonham WM, Ramadge PJ. On the supremal controllable sublanguage of a given language. SIAM Journal on Control and Optimization 1987; 25(3): pp 637-659. 19