By Pieter J. Mosterman - The Modelling, Simulation...
233
Transcript of By Pieter J. Mosterman - The Modelling, Simulation...
HYBRID DYNAMIC SYSTEMS: A HYBRID BOND GRAPH MODELINGPARADIGM AND ITS APPLICATION IN DIAGNOSISByPieter J. MostermanDissertationSubmitted to the Faculty of theGraduate School of Vanderbilt Universityin partial ful�llment of the requirementsfor the degree ofDOCTOR OF PHILOSOPHYinElectrical EngineeringMay 1997Nashville, TennesseeApproved: Date:
c Copyright by Pieter J. Mosterman 1997All Rights Reserved
To my parents, Johannes Mosterman and Leny Mosterman-Wolbers.
iii
ACKNOWLEDGEMENTSWell, this is it. Time to sit back and re ect on the past �ve years of my life. Unfor-tunately, there is no overwhelming sense of achievement. I could have accomplishedmuch more had I started working on this topic from day one. Instead, I ended upwriting software that did not get me any closer to a dissertation, though it generatedsome publications [90, 91], and it is now commercially available [89]. It was not untilI took matters into my own hand and decided to work with people dedicated to edu-cate me and help me earn a degree. Dr. Biswas and Dr. Sztipanovits have made thisendeavor academically possible, and I would like to express my sincerest gratitudetowards them. The almost daily interaction with Dr. Biswas and his tremendous workethic have shaped this research into what it is. None of this would have taken placewithout Dr. Sztipanovits who gave me the opportunity to pursue my interests. Hisengineering experience put this work in perspective and his critical questions revealedmany implicit assumptions. Furthermore, I wish to thank the other members of mycommittee, Dr. Cook, Dr. Debelak, Dr. Goldfarb, Dr. Karsai, and Dr. Misra for theirinterest in my work and their comments that improved the quality of this thesis.Of course, this thesis would have never materialized if it were not for the undyingsupport of my parents, Johannes Mosterman and Leny Mosterman-Wolbers. I hopeI do them proud, and I dedicate this work to them.\Nobody put a gun to your head," once used as a justi�cation for being exploited,cheated, threatened, and patronized, proves a remarkably concise summary of toomuch of my gradual student experience. I am not sure how things would have turnedout if it were not for my brother, Rudolf, who gave me the strength to endure theiv
abuse. Furthermore, I would like to thank my sisters, Aleida and Andrea, for theireverlasting a�ection. I missed out on too much these �ve years. Thanks to AnjaFeringa for her love and support even though I am tenthousand miles away.I will sure not forget to mention others who made the experience bearable bytheir continued interest, even though I am hardly around anymore, longtime friendsGerard B. Boelens, Haan, Ronald Hesselink, Jeep L. Zeepbel, Lange T., Roelfsma,Ste fan Teuben, and Hanneke de Knegt, Eric Kooistra, Lies Kroon, Katy Smid, Diana(Z)Uchtman, Petra Visser, and Jochum Zijlstra.I also wish to acknowledge my fellow euroslave Eric-Jan Manders, who helped memake one of the de�ning decisions in my life, my roommate Mark Cambron, DanHartman, Martine Dawant, Magued Bishay, Ravi Kapadia, and Narasimhan Sriram.Then there is Herman van der Molen and Alex Zijdenbos who helped me out on anumber of occasions and probably did not think much of it. I do. Furthermore, Iwould like to mention the guys at HP I worked with, Lee Barford, Mel (MegaMel)Downs, and Marsh Faber (no, he is not from Hollum, Ameland), or just hung outwith, Al Moye. Thanks also to Karl Oelgeschlager and Andy Covell of Falcon Softwarefor picking up my work and believing in it!Finally, I would like to acknowledge PNC Japan, Hewlett-Packard Co., FalconSoftware, Inc., the Alfred P. Sloan Foundation, the National Science Foundation,Vanderbilt University, and Kampeerbedrijf Mosterman for their �nancial support.Without it my thirst for knowledge would have ended in a drought.Thanks to y'all! Pieter J. MostermanNashville, Tennesseev
ELECTRICAL ENGINEERINGHYBRID DYNAMIC SYSTEMS: A HYBRID BOND GRAPH MODELINGPARADIGM AND ITS APPLICATION IN DIAGNOSISPIETER J. MOSTERMANDissertation under the direction of Professor G. Biswas & Professor J. SztipanovitsPhysical system behavior follows the general principles of conservation of energy andcontinuity of power, but may exhibit nonlinearities that result from small, parasitic,e�ects, or occur on a time scale much smaller than the time scale of interest. At amacroscopic level, the detailed continuous behavior may appear to be discontinuous,thus the system is e�ciently described by a mixed continuous/discrete, hybrid, model.In continuous modes the energy distribution describes the system state. Discrete con-�guration changes in the model may cause discontinuities in the energy distributiongoverned by the principle of conservation of state, and may trigger further con�gu-ration changes till a new real mode is achieved where no further changes occur. Theintermediate, mythical, modes between two real modes have no physical representa-tion. The principle of invariance of state applies to derive the energy distribution ina mode as a function of the energy distribution in the preceding real mode. When aloop of consecutive instantaneous mode changes occurs time stops progressing. Thiscon icts with known physical system behavior, therefore, the principle of divergenceof time forms an important model veri�cation mechanism. The principle of tempo-ral evolution of state requires the energy state to be continuous in left-closed time
intervals to ensure proper causal attribution.From another viewpoint, abrupt faults in process components can be modeledas discontinuities that take system behavior away from its nominal, steady state,operation. To quickly isolate the true faults, well constrained hybrid models avoid theinherent intractability problems in diagnostic analyses by integrating and facilitatingthe (1) generation of behavioral constraints from physical laws, (2) expression ofsystem dynamics as energy transfer between constituent elements, and (3) modelingof steady state behavior as a special case of dynamic behavior. The analysis oftransients is paramount to accurate and precise fault isolation. However, this is adi�cult problem which can be further complicated by operator intervention, andintermittent and cascading faults, therefore, quick capture and analysis of transientsis the key to successful diagnosis.This thesis develops a formal hybrid modeling theory based on physical principles,a model veri�cation method, and a physically correct behavior generation algorithm.Next, it describes a methodology for monitoring, prediction, and diagnosis of dynamicsystems from transient behavior, based on the developed hybrid bond graph modelingparadigm. Simulation results from diagnosing a high-order, nonlinear, model of aliquid sodium cooling system in a nuclear reactor demonstrates the success of theapproach.Approved DateApproved Date
TABLE OF CONTENTS PageACKNOWLEDGEMENTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . ivLIST OF FIGURES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xLIST OF TABLES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvChapterI. INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1Hybrid Modeling . . . . . . . . . . . . . . . . . . . . . . . . . . . 4Model Based Diagnosis . . . . . . . . . . . . . . . . . . . . . . . . 8Contributions and Organization of the Thesis . . . . . . . . . . . 10II. MODELING DYNAMIC PHYSICAL SYSTEMS . . . . . . . . . . . . 13Physical Systems Theory . . . . . . . . . . . . . . . . . . . . . . . 13From Reality to Mathematical Models . . . . . . . . . . . . . . . 16Abstraction . . . . . . . . . . . . . . . . . . . . . . . . . . 16A Systematic Approach to Abstraction . . . . . . . . . . . 17Bond Graph Modeling . . . . . . . . . . . . . . . . . . . . . . . . 20Energy Based Modeling . . . . . . . . . . . . . . . . . . . . 20The Model Context . . . . . . . . . . . . . . . . . . . . . . 21Primitive Elements in Bond Graph Models . . . . . . . . . 22Systematic Modeling . . . . . . . . . . . . . . . . . . . . . 25Causality . . . . . . . . . . . . . . . . . . . . . . . . . . . 27Qualitative Reasoning with Bond Graphs . . . . . . . . . . 29Applications . . . . . . . . . . . . . . . . . . . . . . . . . . 30Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31III. A THEORY OF DISCONTINUITIES IN PHYSICAL SYSTEM MODELS 32The Nature of Discontinuities . . . . . . . . . . . . . . . . . . . . 32E�ects of the Lumped Parameter Assumption . . . . . . . . . . . 35The E�ects of Discontinuities . . . . . . . . . . . . . . . . . . . . 36Conservation of Energy . . . . . . . . . . . . . . . . . . . . 36Conservation of State . . . . . . . . . . . . . . . . . . . . . 37Invariance of State . . . . . . . . . . . . . . . . . . . . . . 38Illustration . . . . . . . . . . . . . . . . . . . . . . . . . . . 39Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . 42A Discrete Formalism . . . . . . . . . . . . . . . . . . . . . . . . 43Temporal Evolution in Behavior Transitions . . . . . . . . . . . . 45vi
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47IV. HYBRID BOND GRAPHS . . . . . . . . . . . . . . . . . . . . . . . . 49Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49Discontinuities in Bond Graphs . . . . . . . . . . . . . . . . . . . 50The Modeling Language . . . . . . . . . . . . . . . . . . . . . . . 54Mode Switching . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58Transfer of Energy State . . . . . . . . . . . . . . . . . . . . . . . 60Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62The Diode-Inductor Circuit . . . . . . . . . . . . . . . . . 63Divergence of Time . . . . . . . . . . . . . . . . . . . . . . 66Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66V. ENERGY PHASE SPACE ANALYSIS FOR MODEL VERIFICATION 69Combined Perfect Elastic and Non-Elastic Collision . . . . . . . . 69Managing Complexity . . . . . . . . . . . . . . . . . . . . . . . . 75The Internal Combustion Engine . . . . . . . . . . . . . . . . . . 78The Working of a Four-Stroke Engine . . . . . . . . . . . . 79The Valve-Timing Sub-System . . . . . . . . . . . . . . . . 80System Partitioning . . . . . . . . . . . . . . . . . . . . . . 82VI. HYBRID DYNAMIC SYSTEMS . . . . . . . . . . . . . . . . . . . . . 88Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88De�nitions . . . . . . . . . . . . . . . . . . . . . . . . . . . 89Approaches to Hybrid Modeling . . . . . . . . . . . . . . . 91Physical System Model Semantics . . . . . . . . . . . . . . 94Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96A Hybrid Dynamic System Implementation Model . . . . . . . . 97The Continuous Model . . . . . . . . . . . . . . . . . . . . 99The Discrete Model . . . . . . . . . . . . . . . . . . . . . . 100Interaction . . . . . . . . . . . . . . . . . . . . . . . . . . . 101Partial Liquid Sodium Cooling System . . . . . . . . . . . 102Model Veri�cation . . . . . . . . . . . . . . . . . . . . . . . . . . 105Generalized Invariance of State . . . . . . . . . . . . . . . 106Temporal Evolution of State . . . . . . . . . . . . . . . . . 108Divergence of Time . . . . . . . . . . . . . . . . . . . . . . 109Veri�cation of the Cooling System . . . . . . . . . . . . . . 110Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111VII. FORMAL SPECIFICATIONS FROM HYBRID BOND GRAPHS . . . 113Specifying the Falling Rod . . . . . . . . . . . . . . . . . . . . . . 113The Continuous Model . . . . . . . . . . . . . . . . . . . . 119The Discrete Model . . . . . . . . . . . . . . . . . . . . . . 120vii
Interaction . . . . . . . . . . . . . . . . . . . . . . . . . . . 120Veri�cation of the Hybrid Falling Rod Model . . . . . . . . . . . 126Temporal Evolution of State . . . . . . . . . . . . . . . . . 126Divergence of Time . . . . . . . . . . . . . . . . . . . . . . 130Simulation of Hybrid System Models . . . . . . . . . . . . . . . . 130Simulation of the Colliding Rod . . . . . . . . . . . . . . . 131Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134VIII. MODEL BASED DIAGNOSIS . . . . . . . . . . . . . . . . . . . . . . . 136Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137Nominal Values . . . . . . . . . . . . . . . . . . . . . . . . 139A Comprehensive Diagnosis Scheme . . . . . . . . . . . . . 141The Model Based Diagnosis System . . . . . . . . . . . . . . . . . 143Modeling for Diagnosis . . . . . . . . . . . . . . . . . . . . 143Bond Graphs for Diagnosis . . . . . . . . . . . . . . . . . . 144Transient Based Diagnosis . . . . . . . . . . . . . . . . . . . . . . 147Time Constants . . . . . . . . . . . . . . . . . . . . . . . . 147Feature Detection . . . . . . . . . . . . . . . . . . . . . . . 151Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153IX. IMPLEMENTATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154The Temporal Causal Graph . . . . . . . . . . . . . . . . . . . . . 154Component Parameter Implication . . . . . . . . . . . . . . . . . 157Prediction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160Forward Propagation . . . . . . . . . . . . . . . . . . . . . 160Steady State . . . . . . . . . . . . . . . . . . . . . . . . . . 163Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163Sensitivity to the Time Step . . . . . . . . . . . . . . . . . 164Progressive Monitoring . . . . . . . . . . . . . . . . . . . . 165Fault Interaction . . . . . . . . . . . . . . . . . . . . . . . 168Temporal Behavior . . . . . . . . . . . . . . . . . . . . . . 169Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . 171Measurement Selection . . . . . . . . . . . . . . . . . . . . . . . . 172X. THE LIQUID SODIUM COOLING SYSTEM . . . . . . . . . . . . . . 176The Secondary Sodium Cooling Loop . . . . . . . . . . . . . . . . 176Modeling Hydraulics . . . . . . . . . . . . . . . . . . . . . 177The Bond Graph Model . . . . . . . . . . . . . . . . . . . 178The Temporal Causal Graph . . . . . . . . . . . . . . . . . 181Measurement Selection . . . . . . . . . . . . . . . . . . . . . . . . 184Ideal Observations . . . . . . . . . . . . . . . . . . . . . . 184Actual Measurements . . . . . . . . . . . . . . . . . . . . . 185viii
Simulation Results . . . . . . . . . . . . . . . . . . . . . . . . . . 186Fault Detection and Isolation Without Noise . . . . . . . . 188Fault Detection and Isolation With Noise . . . . . . . . . . 190XI. CONCLUSIONS AND DISCUSSION . . . . . . . . . . . . . . . . . . . 193Hybrid Modeling . . . . . . . . . . . . . . . . . . . . . . . . . . . 193Summary and Conclusions . . . . . . . . . . . . . . . . . . 193Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . 195Model Based Diagnosis . . . . . . . . . . . . . . . . . . . . . . . . 197Summary and Conclusions . . . . . . . . . . . . . . . . . . 197Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . 199APPENDIXA. THE FALLING ROD SPECIFICATION . . . . . . . . . . . . . . . . . 201The Analytic Model . . . . . . . . . . . . . . . . . . . . . . . . . 201The Numeric Model . . . . . . . . . . . . . . . . . . . . . . . . . 205REFERENCES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
ix
LIST OF FIGURESFigure Page1. Continuous and discrete process control. . . . . . . . . . . . . . . . . . 22. Embedded computer control systems operate in the signals and powerdomain. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43. Physical system with discontinuities. . . . . . . . . . . . . . . . . . . . 64. A series of mode switches may occur. . . . . . . . . . . . . . . . . . . . 65. De�nition of a system. . . . . . . . . . . . . . . . . . . . . . . . . . . . 146. The stages of the modeling process with increasing abstraction. . . . . 197. The tetrahedron of state. . . . . . . . . . . . . . . . . . . . . . . . . . . 248. Continuity of power across junctions is ensured by their constituent equa-tions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259. Relations of the transformer for both of the possible causality assignments. 2510. The bi-tank system and its bond graph model. . . . . . . . . . . . . . . 2611. An electrical circuit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2612. Algorithmic assignment of causality. . . . . . . . . . . . . . . . . . . . . 2813. A perfect elastic collision between a rigid body and a very sti� oor. . . 3414. Free expansion of a gas by di�usion after an instantaneous change. . . . 3615. Two capacitors that become dependent by an ideal connection. . . . . . 4016. Two capacitors that become dependent and switch modes of operationof the diode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4117. A series of discontinuous changes may contain mythical modes. . . . . . 4118. Instantaneous dependency changes between energy storage elements causeproblems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4319. Mode switching of a bi-tank system by a latch. . . . . . . . . . . . . . . 4420. A physical system may contain discontinuities that have memory. . . . 4421. Real modes can have a point or interval presence in time and have toensure time continuity. . . . . . . . . . . . . . . . . . . . . . . . . . . . 46x
22. Switching bonds handle boundary conditions incorrectly. . . . . . . . . 5223. Operation of the switching element. . . . . . . . . . . . . . . . . . . . . 5324. The controlled junction establishes mode-switching behavior. . . . . . . 5525. Operation of the controlled junction. . . . . . . . . . . . . . . . . . . . 5526. Hybrid bond graph model of an ideal non-elastic collision. . . . . . . . 5727. During mythical changes the discrete state vector changes to re ect con-�guration changes. The energy state vector is only changed once a realmode is reached. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6028. A diode-inductor circuit which causes a mythical mode. . . . . . . . . . 6329. Simulation result of the diode-inductor circuit with parameter valuesVin = 10V;R1 = 330; L = 5mH. . . . . . . . . . . . . . . . . . . . . . 6530. A perfect elastic collision. . . . . . . . . . . . . . . . . . . . . . . . . . 7031. A combined perfect elastic and non-elastic collision. . . . . . . . . . . . 7132. Energy phase spaces for each of the modes of operation of a combinedperfect elastic and non-elastic collision. . . . . . . . . . . . . . . . . . . 7333. Conjunction of the multiple energy phase spaces for each mode of oper-ation of a combined perfect elastic and non-elastic collision. . . . . . . . 7434. Multiple energy phase space analysis of the modi�ed model shows thereis a real mode of operation for each energy distribution. . . . . . . . . . 7435. A bouncing ball which comes to rest when its impact velocity is below aspeci�c threshold value. . . . . . . . . . . . . . . . . . . . . . . . . . . . 7536. Sinks of e�ort and ow causality partition the instantaneously a�ectedparts of a bond graph. . . . . . . . . . . . . . . . . . . . . . . . . . . . 7737. Multiple I elements in one ow area may become dependent. . . . . . . 7738. The two steps to establish interacting switches, local modes, and thedimensions of their energy phase space. . . . . . . . . . . . . . . . . . . 7839. The four strokes of a spark-ignition internal combustion engine. . . . . 7940. A spark-ignition internal combustion engine. . . . . . . . . . . . . . . . 8041. Cam mechanism which opens a valve during one revolution. . . . . . . 8142. Hybrid bond graph model of cam-follower system. . . . . . . . . . . . . 82xi
43. Energy phase space analysis of the cam-follower system. . . . . . . . . . 8244. Simulation of the cam-follower system. . . . . . . . . . . . . . . . . . . 8345. Energy part of a hybrid bond graph model of a four stroke spark-ignitioninternal combustion engine. . . . . . . . . . . . . . . . . . . . . . . . . 8446. Instantaneous ow areas for the intake valve mechanism when rod exi-bility is modeled. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8647. A hybrid system (left) and a hybrid dynamic system (right). . . . . . . 8948. A hybrid dynamic system is piecewise continuous and operates on threesub-domains. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9049. A planar hybrid system. . . . . . . . . . . . . . . . . . . . . . . . . . . 9150. A trajectory is redirected when the transported point is out of the domainof the new patch. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9451. System state is derived from the original state vector. . . . . . . . . . . 9552. Continuous and discrete process control. . . . . . . . . . . . . . . . . . 9853. A physical process under hybrid control. . . . . . . . . . . . . . . . . . 9954. Block diagram of a general hybrid system. . . . . . . . . . . . . . . . . 10355. Invariance of state in a dynamic physical system. . . . . . . . . . . . . 10756. A collision between a thin rod and a oor. . . . . . . . . . . . . . . . . 11457. Hybrid bond graph model of a rigid body collision between a thin rodand a oor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11458. Sliding and rotating rod under Coulomb friction. . . . . . . . . . . . . . 11659. Coulomb friction causes physical events. . . . . . . . . . . . . . . . . . 11660. A multi-bond controlled junction to model Coulomb friction. . . . . . . 11661. Possible modes of operation of a thin rigid rod falling onto a rigid oor. 11862. Dynamically generated model con�gurations for the colliding rod. . . . 11863. Switching around a point may require two jumps. . . . . . . . . . . . . 12764. Impulses upon collision when a sliding mode with stiction is reached. . 12765. Flow diagram of hybrid system simulation. . . . . . . . . . . . . . . . . 131xii
66. A number of trajectories in phase space of the colliding rod, vth =0:0015; � = 0:862; l = �0:1; y0 = 0:23. . . . . . . . . . . . . . . . . . . . 13367. A boundary in phase space of the colliding rod, vth = 0:0015; � =0:862; l = �10; y0 = 23. . . . . . . . . . . . . . . . . . . . . . . . . . . . 13468. Diagnosis of dynamic systems. . . . . . . . . . . . . . . . . . . . . . . . 13869. A general observer scheme. . . . . . . . . . . . . . . . . . . . . . . . . . 14070. Complementary diagnosis schemes. . . . . . . . . . . . . . . . . . . . . 14371. Transfer of the state vector and its �eld across discontinuous change. . 14672. Delay times of two �rst order systems (�1 and �2), their sum (�1 + �2),and the actual delay time of their combined e�ects (�1 � �2). . . . . . . 14973. Delay times for observing deviations. . . . . . . . . . . . . . . . . . . . 15074. A second order e�ect with one constant equal to the time constant of a�rst order e�ect. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15075. The diagnosis process. . . . . . . . . . . . . . . . . . . . . . . . . . . . 15476. The bi-tank system and its causally augmented bond graph model. . . 15577. Temporal causal graph of the bi-tank system. . . . . . . . . . . . . . . 15678. Steady state bond graph of the bi-tank system and its correspondingcausal graph. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15779. Backward propagation to �nd faults. . . . . . . . . . . . . . . . . . . . 15980. Instantaneous edges propagate �rst. . . . . . . . . . . . . . . . . . . . . 15981. Forward propagation of the e�ect of an implicated component to estab-lish its signature. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16282. Signal interpretation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16583. Progressive monitoring. . . . . . . . . . . . . . . . . . . . . . . . . . . . 16584. Progressive monitoring for fault R+b2. . . . . . . . . . . . . . . . . . . . 16785. Results of the diagnosis system with C�2 faulty and discontinuity detec-tion is used. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16886. Typical signal transients in physical systems that exhibit di�erent qual-itative behavior over time. . . . . . . . . . . . . . . . . . . . . . . . . . 17187. Characteristic response of pressure and out ow to two di�erent faults. . 173xiii
88. Secondary sodium cooling loop. . . . . . . . . . . . . . . . . . . . . . . 17789. Total pressure versus static pressure. . . . . . . . . . . . . . . . . . . . 17990. Bond graph of the secondary sodium cooling system. . . . . . . . . . . 18091. Synchronous ac motor that drives a pump. . . . . . . . . . . . . . . . . 18092. Operation of a centrifugal pump. . . . . . . . . . . . . . . . . . . . . . 18193. Steady state bond graph of the sodium cooling system. . . . . . . . . . 18294. Temporal causal graph of dynamic behavior. . . . . . . . . . . . . . . . 18395. Temporal causal graph of a modulated gyrator. . . . . . . . . . . . . . 18396. Detailed sensitivity analysis of @e8@f9 . . . . . . . . . . . . . . . . . . . . . 18497. Characteristic responses for C�SH . . . . . . . . . . . . . . . . . . . . . . 19098. Characteristic responses for C�SH with 2% uniformly distributed mea-surement noise. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19299. Response of e33 to C+OFC with and without noise. . . . . . . . . . . . . 192
xiv
LIST OF TABLESTable Page1. Energy Variables in Di�erent Physical Domains . . . . . . . . . . . . . 212. Generic elements in Di�erent Domains . . . . . . . . . . . . . . . . . . 243. Minimum sets of measurements for completely diagnosable single faults,in case of one pump parameter. . . . . . . . . . . . . . . . . . . . . . . 1854. Fault discrimination based on actual measurement points in case of onepump parameter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1865. Parameter values for the model of the secondary sodium cooling loop. . 1886. Fault detection for ff2; f7; f11; e14; e19; e22; e33g with �t = 0:001, order =3, qmargin = 2%. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1897. Typical fault detection for ff2; f7; f11; e14; e19; e22; e33g with �t = 0:001,order = 3, qmargin = 5%, noise = 2%. . . . . . . . . . . . . . . . . . . . 1928. State transition table specifying C. . . . . . . . . . . . . . . . . . . . . 2039. State transition table specifying S. . . . . . . . . . . . . . . . . . . . . 204
xv
CHAPTER IINTRODUCTIONThe increase in complexity with the introduction of advanced technology intolarge-scale engineering systems necessitates the use of computer based tools to assistin the design, manufacturing, control, monitoring, and diagnosis of these systems.The success of all these tools is critically dependent on the ability to develop accuratemodels for simulating, predicting, and verifying system behavior. State of the artengineering design methods rely almost completely on computer based modeling andsimulation to avoid the high cost of designing and testing mock-ups and physicalprototypes [99].1 As a typical example of such systems, consider the liquid sodiumcooling system in Fig. 1 which constitutes the secondary cooling system in a nuclearreactor [81]. The secondary sodium pump, used to maintain a su�cient ow ofcoolant, is driven by a synchronous ac motor. The ow rate depends on the motorrevolutions per minute, which is determined by the frequency of the ac signal. Toachieve su�cient torque for this ow rate, a continuously operating PID controllercontrols the power supplied by pulse width modulation. Actuated valves throughoutthe loop guard against catastrophic failures. When critical situations occur, the mainloop can be closed by a normally opened valve and, if pressure in the piping exceedsa predetermined threshold value, the alarm loop (which consists of the air-cooler)can be activated by opening a normally closed valve. The behavior of the system is1Assembly of the �rst Boeing 777 showed an unprecedented �rst-time �t and alignment when a37680 kg, 63.8 m long wing and fuselage section were found to be out of alignment by only 0.69 mm!1
evaporator
mainmotor
secondarysodiumpump
intermediateheatexchanger
blow
er
sodium flow stopping valve(normally opened)
sod
ium
flow
stop
pin
gva
lve
(nor
mal
lycl
osed
)
primarysodiumloop
feedwaterloop
air
cool
er
Figure 1: Continuous and discrete process control.inherently continuous, but the time scale for the opening and closing of the valvesis small enough compared to other behavior changes so that they can be modeledto switch instantaneously between on and o� states, as a result of which the systemseems to operate in distinct modes of operation. Each mode corresponds to distincton and o� states of individual valves and switches.In each mode, system behavior evolves continuously and at points in time, whenvalves open and close, discrete mode switches occur. Normally, the valve in the mainloop is open and the valve in the alarm loop is closed (Fig. 1). In this mode the amountof liquid stored in the evaporator vessel, and the ow velocities (momentum) in thepipes change in a continuous manner over time. These two sets of variables constitutethe state vector of the system. When the valve in the main loop is closed (discretechange), interaction between the discrete changes and continuous dynamic behaviorcauses a pressure build-up in the piping because the ow momentum is abruptlyforced to 0. In this mode, the system can be described with one state variable, i.e.,stored liquid since the ow momentum is 0. When the built-up pressure exceeds a2
critical value, to avoid catastrophe, the alarm loop is activated and the model movesinto yet another con�guration where once again stored liquid and ow momentumconstitute the state vector. The challenge in modeling these multi-mode systems isto come up with systematic and consistent speci�cations that govern the interactionbetween continuous behaviors associated with the individual operational modes, anddiscrete model parts that specify transfer of the state vector during switching.Examples of other systems that are best described by multi-mode con�gurationsare auto engine controllers which run quite di�erent control programs as a functionof the engine rpm [5]. Similarly, the Airbus A-320 y-by-wire system has a numberof modes: take o�, cruise, approach, and go-around [119]. Models of these systemstypically support encapsulation and are derived from the concepts of abstraction,partitioning, and hierarchical modeling [9, 46, 133].In general, multi-mode system models often arise from a local piecewise lineariza-tion of complex nonlinear component descriptions to reduce overall complexity, butsystem behavior then appears to make discontinuous changes when mode switchingoccurs. Selection of the appropriate linear component that constitutes the activemode of operation is normally achieved by a meta-level control model that operateson top of the data ow model of a real-time system [73, 132]. Comprehensive modelsof dynamic physical systems, therefore, require a dedicated signal ow model thatselects active model parts.With the emerging complexity of embedded control systems [133], i.e., physicalsystems that are controlled by digital computers (Fig. 2), interest in methods to modelinteraction between the signal and power domain is becoming increasingly important.Process control operations, are now implemented as sophisticated Programming Logic3
power domain
physical systemembedded controller
signal domain
-
+
Tsample
controlalgorithm
processactuator
sensorFigure 2: Embedded computer control systems operate in the signals and powerdomain.Arrays and/or complex software modules run on embedded computer systems. Thesedigital control mechanisms are discrete in nature and coexist with low-level continuousproportional, integral, and derivative (PID) control [42, 103]. Therefore, completeprocess control modeling schemes are required to capture both discrete control andcontinuous process characteristics. Because of their mixed continuous/discrete nature,these systems are referred to as hybrid systems.Hybrid ModelingHybrid modeling techniques can form the basis for a comprehensive study of sys-tem performance of embedded control systems, that include the e�ects of imple-mentation choices such as interfaces, sampling rates, and computation order in soft-ware [133]. This can be achieved by developing a formal description of hybrid systemsthat combines continuous system characteristics with discrete event models. Continu-ous systemmodels are well described by di�erential equations and analytic and numer-ical simulation methods may be employed in solving these equations [11]. Similarly,a number of approaches with well de�ned execution semantics, such as Petri nets and4
�nite state automata, have been applied to discrete system modeling [109, 110]. Sys-tems with mixed continuous/discrete components need model semantics that combinethese two approaches, and simulation schemes that can seamlessly combine continu-ous behavior generation with discrete mode switches. Lygeros, Godbole and Sastry[66] have shown that independent determination and proofs about the continuousbehavior and the discrete phenomena in a hybrid model do not constitute proofs ofcorrectness of their combined e�ects.To develop hybrid models that generate correct system behavior, interaction be-tween the continuous and discrete modeling formalisms has to be rigorous, unambigu-ous, and consistent. Consider the electrical circuit in Fig. 3 which resembles behaviorof the liquid sodium system in Fig. 1. The inductor models the helical coil in theintermediate heat exchanger and the diode resembles operation of the pressure con-trolled alarm switch. When the manual switch is closed, the inductor is connected tothe source and builds up a ux, p0, by drawing a current (Fig. 4). The diode is notactive in this mode of operation. When the switch is opened, the current drawn bythe inductor drops to 0, causing its ux, p0, to discharge instantaneously. Becauseof the derivative nature of the constituent relation VL = Ldpdt , the result is an in�-nite negative (the ux changes from a positive value to 0) voltage across the diode.Because its threshold value, Vdiode, is exceeded, the diode comes on instantaneouslyand the mode of operation where the switch was open and the diode inactive is neverrealized in real time. If it were, the stored energy of the inductor would be releasedinstantaneously in a mode where the model has no real representation, producing anincorrect energy balance in the overall system. Consequently, there would be no owof current after the diode becomes active. This shows that the ux of the inductor5
SwR1
Vin LD
I LFigure 3: Physical system with discontinuities.L
VL
SwR1Vin p0D
I L10
LSwR1Vin 0D
I L00 01
L
-Vdiode
SwR1Vin D
I L
?Figure 4: A series of mode switches may occur.when the diode comes on should be computed based on the ux before switchingstarted, p0.Consider a scenario where the diode requires a threshold current Ith > 0 to remainon. If the inductor has built up a positive ux, the diode comes on when the switchopens. However, if the ux in the inductor is too low to maintain the thresholdcurrent, given a certain inductance, the diode goes o� instantaneously, but when it iso�, the voltage drop exceeds the threshold voltage again. The model goes into a loopof instantaneous changes (see dashed arrow in Fig. 4) during which real time doesnot progress or diverge, and this con icts with the notion that in the physical worldtime does not halt. This example illustrates a number of characteristics speci�c tohybrid system models:{ When changes in the model con�guration, mode of operation, occur, the systemstate vector has to be transferred correctly. This is complicated by discontinuouschanges in state variables and even the state vector itself may change.6
{ When a mode change occurs, a number of consecutive instantaneous changesmay follow. This complicates behavior generation because:1. The �nal mode in which instantaneous mode changes cease has to be de-rived correctly.2. The state vector in the �nal mode has to be computed across a number ofintermediate modes.3. When a sequence of mode changes starts, it should not end up in a loopof instantaneous change, as this would prevent real time from progressing.{ Discontinuous changes in state variables may require computation of limit valuesin time. If limit values at switching time, ts, require future knowledge of systembehavior, limt#ts, the model is acausal, and, consequently, ill de�ned.One of the primary contributions of this thesis is the development of a theory forhybrid modeling of dynamic physical systems. The modeling scheme has three com-ponents: (1) a di�erential equation model of continuous system behavior, associatedwith the operational modes of the system, (2) a discrete-event model, based on �-nite state automata for handling mode transitions, and (3) an algorithm for correctlytransferring the system state vector from one operational mode to another througha sequence of transitions. A systematic set of principles are developed to correctlyspecify semantics and constraints to ensure that the models generate correct behav-ior. The increased sophistication and complexity of current engineering systems hasalso increased by several levels of di�culty the task of monitoring system behavior,and keeping systems operational. A second contribution of this thesis investigates7
the use of these modeling methodologies in developing better monitoring, prediction,and diagnosis methodologies for hybrid systems.Model Based DiagnosisEconomic constraints on commercial systems such as automobiles and chemicalplants, mandate ever stricter demands on maximum down time. To meet these con-straints, diagnosis methodologies can be developed to predict and identify whichcomponents are about to fail, and quickly detect failures before they reach catas-trophic proportions [23]. Initial work in Fault Detection and Isolation (FDI) reliedon hardware redundancy. Multiple hardware components, such as actuators, sensorsand process components, at di�erent points in a system provided redundancy in func-tion to avoid failure. For example, critical measurement points were equipped withmultiple sensors for detecting discrepancies, and schemes such as the majority votemethod were applied for reliable detection of signal and parameter deviations, whichwere then directly mapped into speci�c fault scenarios. As systems became complex,the hardware requirements for FDI became excessive, both in terms of cost and space.Furthermore, processing of a large number of sensor signals for fault isolation greatlyincreased processor and memory requirements. Therefore, functional redundancy hasbecome the preferred approach to FDI [23].Functional redundancy schemes measure system variable values at di�erent pointsin the system, and use relations imposed by the system con�guration and functionalityto study discrepancies among the measured values [113, 115]. When faults occur inthe system, observed deviations in measurement values are analyzed using the systemmodel to generate a set of possible faults. A fault implicates one or more components8
of the system and explains all the observed measurements: deviating and normal.These faults are then used to predict future behaviors of the observed variables basedon the system model.Generally, faults can be characterized as [23]:{ Incipient faults; these faults occur slowly over time and are the result of, e.g.,wear and tear.{ Intermittent faults; these faults are only present for a very short time but canbe disastrous.{ Abrupt faults; these faults are dramatic and persistent, they cause deviationsfrom steady state operations and move the system into new steady state condi-tions or, after some transient behavior, return to the original steady state.Abrupt and incipient faults exhibit di�erent behavior that may, and in general will,require di�erent diagnosis strategies. Moreover, a fault manifestation may not persist(the system may be halted before steady state is reached, new faults may occur, orfaults may be intermittent), therefore, it is essential to track and analyze system be-havior at frequent intervals.2 The goal is to capture the transient behaviors that occurin response to a fault, because they are often the best clue for identifying and iso-lating faulty components in dynamic systems before compensating mechanisms startaltering the transient characteristics. Modeling, tracking, interpreting, and analyzingdynamic systems and transient behavior is a di�cult task. To eliminate the model-ing di�culties but to keep the dynamic, discriminative, information, several methodshave been proposed that perform diagnosis based on deviations from a static model2It is a frustrating experience to take your car in because it is malfunctioning, only to �nd thatthe problem does not seem to occur in the presence of a mechanic.9
[69, 102]. However, these methods result in underconstrained process models. Thisespecially causes problems for larger systems where the number and size of fault can-didate sets explode and the diagnosis problem becomes intractable. To prevent thisexponential blow-up, highly constrained models can be used based on physical lawsof continuity of power and conservation of energy, and these models are inherentlycontinuous.The primary focus of this research is on abrupt faults. When a faulty situationis detected, the fault isolation and prediction methodologies rely on a model of thesystem to reason about its dynamic behavior. Behavior in each mode is continuousbut abrupt faults introduce discontinuities at the point where faults occur. Moreover,when faults occur, the system may undergo structural changes, e.g., when a valve isclosed during normal operation in the cooling system in Fig. 1, the system is split intwo independent systems. The model needs to have the capability to incorporate suchdiscrete structural changes which may a�ect the causal relations among parametersand variables in a system. In the speci�c case of the cooling system, when a valvecloses abruptly it forces ow of liquid to zero that was previously free in its behavior.This causal change predicts excessive build-up of pressure (voltage in the equivalentdiode-inductor circuit in Fig. 3) and demonstrates the need for an alarm loop toprevent damage. Contributions and Organization of the ThesisThis thesis develops a systematic modeling and analysis framework for hybriddynamical systems. It develops formal speci�cations of a hybrid modeling paradigmfor dynamic physical systems and provides systematic principles that govern behavior10
generation. The second part of the thesis uses the systematic modeling framework todevelop a methodology for monitoring, prediction, and diagnosis of abrupt faults incomplex, dynamic systems.Chapter II of the thesis reviews traditional mathematical models of physical sys-tems and bond graphs, a systematic approach for modeling the continuous charac-teristics of physical systems. Chapter III presents a detailed study of the nature ande�ects of discontinuities in physical system models. Chapter IV develops a system-atic set of principles to handle discontinuous changes in system behavior, and thebond graph formalism is augmented to incorporate discrete modeling concepts whosesemantics are in keeping with the principles discussed. To ensure the interaction be-tween the continuous and discrete parts of the resulting hybrid bond graph modelingparadigm is consistent, rigorous, and unambiguous, a multiple energy phase spaceanalysis to verify physical correctness of models is developed in Chapter V. The for-mal mathematical speci�cation for a general hybrid model is developed in Chapter VIand Chapter VII shows how the hybrid bond graph model described in Chapters IVand V can be exploited to systematically derive the required mathematical speci�ca-tions of the model components.In the second half of the thesis, the modeling methodology developed in the �rstpart is used to model and analyze the transient behavior of a system in response toabrupt faults. Chapter VIII develops a comprehensive architecture for process moni-toring and diagnosis starting from a hybrid system model and transforming it into atemporal causal graph for prediction and diagnostic analyses. Chapter IX developsand explains the algorithms for measurement selection, possible fault generation, andprediction of future behaviors under fault conditions. The methodology developed in11
Chapters VIII and IX is applied to the liquid sodium secondary cooling system in anuclear reactor described in this chapter, in Chapter X. A summary and discussionof the accomplishments of this thesis and directions for future research are presentedin Chapter XI.
12
CHAPTER IIMODELING DYNAMIC PHYSICAL SYSTEMSGood modeling schemes for physical systems must include features that capturethe set of salient characteristics that help de�ne physical system behavior. A keycharacteristic is that physical system behavior is continuous in time, and the mostgeneral mathematical model for expressing such behaviors relies on di�erential equa-tions, possibly extended with algebraic constraints. This section reviews physicalsystems theory, and their mathematical representations, and then presents the bondgraph modeling language as a systematic approach to modeling physical systems.Physical Systems TheorySystems theory focuses on describing dynamic behavior of objects and mechanismsof interest which are collectively called a system [65, 130].1 In some cases, a systemis a collection of phenomena that can be observed. The set of phenomena, theirin uences and observations made on the system determine its boundary. Everythingthat does not belong to the system is called its environment and interactions betweenthem de�ne the system context (Fig. 5). Behavior of physical systems is governedby the laws of physics. This thesis focuses on a particular class of physical systems,those that are man-made or engineered. They are referred to as engineering systems.1By de�ning a system like this, it does not preclude other de�nitions of a system.13
system
environmentcontextFigure 5: De�nition of a system.Typically, system behavior is derived by applying physical laws to a system de-scription. As the physical or engineering system under scrutiny becomes more com-plex, additional systematic considerations have to be taken into account for describ-ing and analyzing system behavior. These systematic considerations are often lookedupon as a theory for translating real situations into more abstract forms for analysis,called models.A model of a concrete system is a description of that system, based on theapplication of existing theories [130].The quality of a model is often based on how well its behaviors of interest matchthe real phenomena under study. Though a model may be veri�ed to be correct intheory, i.e., it violates no physical laws, validation of the model with respect to thephenomena of interest is essential before its usefulness can be determined.2 Modelsthat conform to an underlying modeling theory are called theoretical models, otherwisethey are descriptive models. Descriptive models give a formal description of how2A model of a bicycle can be veri�ed to be consistent with the laws of physics. It still has to bevalidated whether it describes the behaviors of interest of the system under consideration correctly(which might be a car). 14
the phenomena of interest in a system behave, and they can only be validated incomparison to the real phenomena. On the other hand, models based on underlyingtheory allow for additional checking, veri�cation, in terms of conformance to physicallaws. For example, a descriptive model of an electrical wire can be: The wire causes avoltage drop which increases linearly with the length of the wire. A corresponding moregeneral theoretical representation is Ohm's law which de�nes the concept of resistanceand introduces a theory for voltage-current dependency based on this concept.Sir Isaac Newton was the �rst to record formal theories in the domain of mechan-ics. Soon formal theories in other domains, such as uid mechanics, electricity, andmagnetism were developed. Further, observations that any physical domain can inter-act with another by means of energy exchange in uenced the beginnings of physicalsystems theories in thermodynamics, which concentrates on thermal processes whichare ubiquitous in physical systems. The emergence of network analysis as powerfultool made it bene�cial to describe the di�erent domains that constituted physicalsystems in terms of an electrical equivalent, i.e., an interconnected topology of en-ergy sources, dissipators (resistors), energy storage elements, such as capacitors andinductors, and transformer and gyrator elements that convert energy from one formto another. More recently, control and information theories have been established.Systems theory uni�es and generalizes formal theories from various domains into acommon mathematical framework, usually in the form of a set of di�erential equa-tions. 15
From Reality to Mathematical ModelsTo e�ciently analyze, design, control, and understand physical systems, it is de-sired to represent their behaviors in a language that captures the salient aspects ofthe behavior, allows formal analysis, and at the same time allows abstraction so thatthe computational burden of the analysis is not overwhelming. Mathematical for-mulations provide a high level of abstraction where physical characteristics becomeimplicit but the systematic and uniform notation allows for formal analysis in a do-main independent way. AbstractionPhysical reality typically embodies numerous phenomena, a lot of which may besecondary to the gross behavior of interest for the problem being addressed. Toprevent unnecessary complexity in tasks such as design, analysis, and control it isdesirable to only capture those aspects of the system that are of immediate interestto the behaviors in question. This process of reducing complexity by eliminatingperipheral phenomena is called abstraction [43], a technique that plays an importantrole in the construction of system models. Often it is not obvious which phenomenaand interactions actually govern the behaviors of interest, therefore, the applicationof abstraction techniques in generating system models involves trial and error anditerative processing. After an initial model is established, it has to be validated interms of how well it represents the behaviors that it is required to capture. Whendiscrepancies occur, the model has to be re�ned (e.g., by increasing its order) oradapted (e.g., by modifying parameters) to more accurately re ect the actual system.This iterative process is repeated until system behaviors of interest are replicated16
satisfactorily.Complex system models are often constructed by considering the system to be acomposition of a set of entities. Each entity is modeled separately, based on the con-cept of reticulation which assumes that certain properties of a system can be isolatedand lumped into processes with well de�ned parameter values, and the system canbe de�ned as a network of interacting processes [14, 104]. To achieve compositionalmodeling three properties have to be satis�ed: (1) decomposition, (2) classi�cation,and (3) representation. Successful application of these concepts to modeling relieson typing and port based interfacing. Typing enforces correctness of object usageand it allows encapsulation of local information of an object. A port based inter-face connects entities that can be either constitutive relations or networks of entitiesthemselves [27]. Therefore, the lumped parameter assumption in modeling allows thede�nition of a system as a composition of entities with each entity having its ownconstitutive relations that can be expressed in a mathematical form. The network orcompositional structure de�nes the system con�guration. System con�guration canbe abstracted away by composition of the mathematical relations of each entity intoa system of equations. A Systematic Approach to AbstractionA general theory of modeling de�nes methodologies that support a succession ofabstractions for a physical system domain and its component structure. The mostabstract representational form is a mathematical set of equations (Fig. 6). There aretwo basic approaches for deriving the mathematical form [65]: (1) state space repre-sentations, and (2) transfer functions. The mathematical representations generated17
by these approaches are equivalent, and the methods are complementary.The state space approach �rst translates the ideal physical model into a physicalanalog3 that de�nes the level of abstraction. Alternately, a generic representation ofphysical mechanisms can be used which moves closer to the mathematical represen-tation by discarding domain speci�c information [54]. Next, the equations for eachof the components of the generic model can be compiled at which point symmetricconstituent equations are obtained and causality is lost. Then, connections betweenequations can be established by substituting variables represented by using a blockdiagram. So, the block diagram helps combine local component equations into aglobal mathematical scheme. In the �nal step, the block diagram can be translatedinto a system of equations which is a pure mathematical description of global systembehavior that does not allow to trace back through the abstraction stages.To obtain a mathematical model in terms of a transfer function representation,the overall system is decomposed into functional components such that individualcomponents are made up of highly interacting system parts, and there is little inter-action between components. In the cooling system example shown in Fig. 6, theseparts are chosen to be the intermediate heat exchanger and the evaporator/motorsub-system. Next, the order of these parts and their parameters in the frequencydomain are estimated. The connected parts can then be combined into one transferfunction in the frequency domain, H(s), which can be transformed into a mathe-matical model as a di�erence or di�erential equation. Alternatively, partial fractionexpansion can be applied to the overall transfer function to obtain a summation of3The mechanics of the Philips CD player, for example, were simulated by translating their modelinto the electrical analog and using SPICE for simulation.18
R R
Rpump
IHXpipe1 pipe2
pipe3
EV
C
C C
0
0 0Sf 1 1
1
p3p2
p1 3
21
in
= ( )-1Rpipe2
p3p22
= ( )-1Rpipe3
p1p33
dp2
dt= ( )-1
CIHX21
dp3
dt= ( )-1
CEV32
dp1
dt= ( )-1
Cpump13=1 in
pump IHX
pipe1
secondarysodiumpump
pipe2pipe3
EV
p3
p2p1
mainmotor
secondarysodium pumpintermediate
heat exchanger
primarysodiumloop
feed waterloop
pipe1
pipe2
pipe3
Levaporator
idealphysicalmodel
electricalanalog
genericphysicalmodel
constituent equations
functional model
transfer function
in1
CEV
1Cpump
Rpipe2
1
Rpipe3
1
1CIHX
+ +
+
+- + -
-
--
p3
block diagram
pEVin
IHXEV /
MotorIHX
y3
y1
u11st order 2ndorder
Y(s)U(s)H(s)
LaPlace transform
mathematical model
p= +dpdt
0
0
-1Rpipe3Cpump
1Rpipe3Cpump
1Rpipe2CIHX
-1Rpipe2CIHX
1Rpipe2CEV
1Rpipe3CEV
+ -1Rpipe3CEV
-1Rpipe2CEV
0
in-Cpump
in
CIHX
=y(n) y(n-1)+an-1a0 + +an
u(n) u(n-1)+bn-1b0 bn+ +
Figure 6: The stages of the modeling process with increasing abstraction.19
lower order constituent responses. These lower order transfer functions can then betransformed to the time domain to establish a mathematical model as a summationof impulse responses. Bond Graph ModelingIn the late �fties, Paynter was able to synthesize the similarities between physicalsystem characteristics in the electrical, mechanical, and hydraulic domains, speci�-cally in terms of power and energy transfer. He exploited these similarities to de-velop a generic modeling language called bond graphs [104]. A number of other re-searchers have added components to the language, particularly Breedveld [14], whodeveloped sound principles for bond graph analysis based on the laws of thermody-namics [7, 20, 35]. Energy Based ModelingBond graphs, based on modeling of the energy content and transfer in physicalsystems, adopt the lumped parameter approach to modeling and describe a physicalsystem at any given time as energy distributions over connected physical elements.This energy distribution re ects the history of the system, and de�nes its state. Futurebehavior is determined by its current state description, and subsequent input to thesystem. Changes in state of a physical system are attributed to energy exchangeamong its components, which can be expressed in terms of the time derivative or owof energy, i.e., power. Irrespective of domain (e.g., mechanical, uid, pneumatic, andelectrical) power is the product of two conjugate variables: the intensive variable or20
Table 1: Energy Variables in Di�erent Physical DomainsDomain E�ort Flow Momentum Displacemente(t) f(t) p = R e � dt q = R f � dtMechanicalLinear force, F velocity, v momentum, p distance, xRotation torque, � angular velocity, ! angular momentum, h angle, �Electrical voltage, V current, i ux, � charge, qHydraulic pressure, P volume ow, _V ow momentum, L volume, VThermal temperature, T entropy owrate, _S { entropy, Se�ort, e, and the extensive variable or ow, f (Table 1).4 Therefore, e�ort and oware called power or signal variables. Intensive variables are speci�ed at points in asystem (e.g., pressure, temperature), and may vary from point to point. Extensivevariables on the other hand, are de�ned over an extent (e.g., volume, charge), and aretypically additive in nature.5 For example, if one considers two blocks of the samematerial at the same temperature, and brings them together to form one system, thevolume of the overall system is the sum of the individual volumes. On the other hand,the temperature of the combined system remains the same.The Model ContextThe �rst law of thermodynamics states thatinternal energy is conserved in processes taking place in an isolated system[30].For a system to adhere to the �rst law it has to be isolated. However, a completelyisolated system is of little practical use, and the conservation of energy principle is4More precise, the ow variable is the time derivative of the extensive variable, q, as formulatedby the free energy equation dE =P edq.5Though variables of an additive nature are extensive, not all extensive variables are necessarilyadditive in nature. This is particularly true in the case of �elds.21
applied to a system by explicitly specifying its energy interaction with the environ-ment. This represents the system context and is modeled by sources and sinks ofe�ort and ow, Se and Sf , respectively. The change of energy in a system can beattributed to losses by dissipation through resistive elements. This energy loss needsto be modeled explicitly as a source of entropy in the case where it constitutes freeenergy. In an isothermal environment, this ow of energy to the thermal domainis not modeled explicitly. Although conservation of energy is the most fundamentallaw of physics, it is the hardest to enforce [35, 105], since only the signi�cant inter-actions are captured by the system model and this may not capture all the energyinteractions that occur. An additional assumption in macrophysics is the restrictionof power continuity, which follows from the assumption of conservation of energy. Itis observed that energy cannot be annihilated at one point in a system and producedat the same rate at another point. It has to traverse the intermediate space [14, 104].Therefore, any physical system not only conserves energy, but by nature is continuousin its signal or power variables, e�ort and ow.Primitive Elements in Bond Graph ModelsEnergy can be represented as stored e�ort and stored ow. The energy corre-sponding to stored e�ort is called generalized momentum, p, and the energy corre-sponding to stored ow is generalized displacement, q. Consequently, p and q arecalled energy variables, and constituent elements that store generalized momentumand displacement in the bond graph framework are called inductors, I, and capacitors,C, respectively (Table 2). These ideal energy storage element relations are shown by22
the tetrahedron of state [107] in Fig. 7, and represent the reversible processes in na-ture. Because of their integrating nature, the actual energy stored in these elementsis a function of the initial value of the energy they contain. Each initial value, there-fore, introduces a degree of freedom in the system and an additional dimension to thestate vector. Note that this does not necessarily add to the order of a system. Forexample, two capacitors in series with a resistor is still a �rst order system. If theintegral form cannot be used, the stored energy value is completely determined bythe other components in the system model, and the element does not introduce anadditional degree of freedom.6 Typically, this occurs when{ a source or sink is modeled to enforce a speci�c amount of stored energy on astorage element (source-storage dependency), or{ storage elements are directly connected to each other without intervening dis-sipators (storage-storage dependency).These two situations can be directly attributed to choices made when designing thesystem model. In the �rst case, component mechanisms that are assumed to haveinsigni�cant e�ects with respect to the modeling task or scope are neglected anddependency of storage elements only introduces additional loading e�ects. In thesecond case, the dependent storage element most likely represent the same e�ect.The lumped parameter assumption can be extended to replace the dependent storageelements by their combined equivalent.Irreversible processes are represented by the dissipative element, R. The Se, Sf ,C, I, and R elements exchange energy via ports. To connect more than two basic6In bond graph terminology, this storage element is then said to operate in derivative causality.23
Table 2: Generic elements in Di�erent DomainsDomain Resistance Capacitance Inductancee(t) = R � f(t) e(t) = 1C R f(t)dt f(t) = 1I R e(t)dtMechanical dashpot spring massElectrical resistor capacitor inductorHydraulic pipe, valve tank narrow pipeThermal thermal resistance thermal capacity {C
qp
f
e
R
Idt
dtFigure 7: The tetrahedron of state.elements together, a junction structure is required. Junctions typically allow anarbitrary number of components to be connected together. They preserve continuityof power by adhering to the generalized forms of Kircho�'s current and voltage laws,which de�ne the two forms of junctions, 0- and 1-junctions, respectively. The 0- and1- junctions are illustrated in Fig. 8. Junction relations are instantaneous, i.e., they donot introduce temporal e�ects. Two special types of junctions, or signal transformers;the transformer, TF , and the gyrator, GY , complete the nine basic elements in thebond graph language. The transformer establishes a ratio between input and outpute�orts and ows as shown in Fig. 9. It can be used as an impedance transformerwithin a physical domain, and as a class transformer between domains [122]. Thegyrator operates similarly, by establishing a relation between input e�ort and output ow, or between input ow and output e�ort.24
0e1
e1
f 1
e2
e2
f 2
en
en
f n
= 0
= = =
f i
i=1
n
1e1
f 1
f 1
e2
f 2
f 2
en
f n
f n
= 0
= = =
ei
i=1
nFigure 8: Continuity of power across junctions is ensured by their constituent equa-tions.n
TFe1
f 1
e2
f 2
e1= ne2
= nf 1 f 2
nTF
e1
f 1
e2
f 2
e1 = ne2
= n f1f 2Figure 9: Relations of the transformer for both of the possible causality assignments.Systematic ModelingOverall, there exists a systematic procedure for building bond graph models ofphysical systems [107]. This procedure is illustrated by two examples.Bi-Tank SystemTo derive the bond graph model for a simple bi-tank system illustrated in Fig. 10,common pressure points are identi�ed �rst. In this system, the two important pres-sures are the ones at the bottom of the tanks, e2 and e7. A 0-junction de�nes each ofthese variables and connects to the storage elements that represent the tank capaci-ties, C1 and C2. The two 0-junctions exchange uid via a common ow connection,the 1-junction, and the dissipative element R is connected to this junction to repre-sent the pressure drop across the connecting pipe. The ow variable f5, represents25
C C
1 6
52
3 8
7
4
R
R R
0 01Sf
R12
Rb1 Rb2
C1 C2
R12
C1 C2
Rb2Rb1
e2
f1
f5 f8f3
e7Figure 10: The bi-tank system and its bond graph model.Se 011
5
4
2
3
RR1
Vin
SfI leak
IL
I leak
R1
Vin L
I LFigure 11: An electrical circuit.the corresponding volume ow. The Bernoulli out ow resistances are modeled bytwo dissipators as well, where their out ow depends on the pressure at the bottom ofthe tanks with respect to a reference value (typically a sump-pressure). The in owinto the left tank is independent of its pressure at the bottom, and, therefore, it isrepresented as an ideal ow source.An Electrical CircuitA second example derives the bond graph for the electrical circuit in Fig. 11. First,0-junctions are associated with all, common voltage, nodes. In the particular circuitthere is one node (apart from ground) with three branches. The current source, Ileak,and inductor, L, can be directly connected to the 0-junction. The remaining branchconsists of a series or common ow connection, 1-junction, between R1 and Vin.26
CausalityA causal structure can be imposed on a bond graph model, using local constraintrelations among the components associated with a junction.7 A systematic algorithmfor causality assignment is the Sequential Causality Assignment Procedure (SCAP)[107]. This algorithm categorizes local constraints as (1) enforced causality, by sourcesSe and Sf , (2) preferred causality, for energy storage elements, C and I, and (3) indif-ferent causality for resistances R. The constraints are applied in the order above, withan e�ort source always imposing an e�ort causality on a junction and a ow sourcealways imposing a ow causality on a junction. Opposite assignment of causalityto a source indicates a physical incorrectness of the model, e.g., a shorted voltagesource. The preferred causality for energy storage elements is for them to operateas integrators as opposed to di�erentiators. The integral relation establishes naturaldependence among the e�ort or ow variables associated with a bond.8 For example,the implication of the integral form for a C element is that it prefers to deliver e�orton a junction, i.e., e = 1C Z fdt (1)An I element prefers to enforce ow on a junction, i.e.,f = 1I Z edt (2)Resistive elements have no preference of causality, they conform with how they aredriven.7In pathological cases, global constraints have to be used as well. This typically happens in caseswhen closed power loops occur.8These relations cannot be recovered from the di�erential relation for lack of knowledge of theintegration constant [25]. 27
Se 011
2
RR1
Vin
SfI leak
IL
2
Se 011
5
4
2
3
RR1
Vin
SfI leak
IL
3
Se 0
1
11
RR1
Vin
SfI leak
ILFigure 12: Algorithmic assignment of causality.Consider the electrical circuit and its bond graph in Fig. 11. Fig. 12 depicts thecausality assignment procedure. The �rst step selects the voltage source, Se andassigns it e�ort causality which means it enforces e�ort on the adjacent 1-junction,depicted by the perpendicular stroke at the end of its connecting power bond (1) inFig. 12. Because the e�ort constraint on a 1-junction requires the sum of all e�ortsto equal zero, the e�ort values of the two remaining bonds are still undetermined.Therefore, the assigned causality does not propagate any further. In the second step,the ow source Sf is selected and enforces ow on its adjacent 0-junction depicted bythe perpendicular stroke at the beginning of bond (2). Again, causality on all otherbonds of the junction is still undetermined. In the third step, L is selected and itspreferred causality enforces ow on the 0-junction through bond (3). By default theremaining bond (4) has to impose e�ort causality on the 0-junction, and, therefore, a ow on the 1-junction. This determines the ow value at all other bonds connectedto the 1-junction (common ow), so resistance R1, through bond (5) has to imposee�ort on the 1-junction. Therefore, R1 is in e�ort causality. In terms of the electricalcircuit, this assignment reveals that the current through R1 is determined by Ileak andL. As long as the corresponding voltage drop across R1 di�ers from Vin the inductorcharges. 28
Qualitative Reasoning with Bond GraphsBond graphs provide a ripe structure for pure qualitative reasoning about physi-cal system behavior. First of all, the di�erential equations directly derived from themodel can be used as qualitative constraints in a QSIM-like constraint-centred simu-lation and analysis [10, 67, 134]. In this regard, bond graphs provide the advantagesof a methodology well grounded in physical laws. This contrasts with the approachused in QSIM [57] that focuses more on pure mathematical constraints and QPT [40]that models component and process descriptions individually. The inability to buildin conservation of energy and continuity of power relations explicitly into the model,and the lack of well de�ned primitives can often lead to the development of rather adhoc models. In a sense, QPT draws many parallels with bond graphs, but its lack ofa small set of constituent processes that de�ne the theory universally makes it hardto verify physical correctness. Imposing power continuity and energy conservationexplicitly eliminate large numbers of spurious behaviors and imprecise parameter es-timation [116]. Second, bond graphs establish global causality assignment based onlocal constraints derived from constituent relations of its primitive components (seeprevious section), enabling the use of global constraints to re�ne system behavior.Third, much like human experts, the bond graph framework allows several qualita-tive aspects of system behavior be derived from physical structure and topology asopposed to mathematical equations. For a linear system these translate to conceptsof controllability, observability, state variables, order, and number of distinct eigenval-ues (degrees of freedom). These qualitative characteristics have proven to be of greatvalue to system engineers and their derivation in a bond graph modeling frameworkis algorithmic [37, 114]. An e�ective technique to apply these qualitative notions in29
complex systems is condensation [127]. Condensation allows one to inspect qualita-tive behavior of sub-systems of zero, �rst and second order, so that their possiblebehaviors can be labeled as static, exponential, or oscillating, respectively. This en-ables qualitative analysis at a level intermediate between the individual interactionsin the system and the complete global structure.Causal analysis is of paramount importance to the successful use of models inconceptual design, tutoring, and diagnosis. In previous work, Iwasaki and Simon [52]have used a basic set of constituent elements as the basic building block for de�ningcausal relations. Furthermore, their work illustrates that causality is determinedjointly by individual mechanisms and interactions with adjoining mechanisms whichis governed by propagation of e�ects through connecting junction structures. TheSCAP algorithm for deriving causal relations in bond graphs is based on exactlythe same set of principles, where the model topology and the energy interactionsamong components de�nes causal assignments [16]. This distinguishes the bond graphcausality assignment scheme from the Iwasaki and Simon method, which attempts toderive the causal constraints from acausal constraint equations, often resulting in adhoc assignments. ApplicationsBond graph modeling has been successfully applied in the areas of analysis [49,61, 118], general design tasks [37, 106] and design of mechatronic systems [28, 112],diagnosis [10, 22], and teaching [32, 58]. An extensive bibliography [38] includes appli-cations to mechanical systems, thermal and thermodynamic systems, biological andphysiological systems, chemical systems, uidic systems, electrical systems, economic30
and social systems, magnetic systems, acoustic systems, agricultural systems, solarsystems and nuclear systems [38]. SummaryIt is important to note that the choice of modelingmethod is very dependent on thetype of system being modeled and the task for which the model is being constructed.For example, informational systems9 are not well suited for energy exchange basedmodeling [73], because of their discrete nature. Petri nets, �nite state automata [56],object modeling, Timed CSP [26], and discrete event systems are more suitable. Inother cases, implicit modeling techniques [72] may be advantageous. Continuoussystems are best modeled by di�erential equations, supplemented by algebraic con-straints, if necessary. Presently tools that incorporate multiple modeling techniquesare being developed to present the user with a generalized environment and allow forinteraction between the methodologies [120, 133].Bond graphs represent a component in terms of its basic physical concepts suchas energy dissipation or energy storage. On the one end, it supports model struc-ture analysis based on component aspects of a dynamic physical system (rather thanspeci�c parameter values). On the other end of the spectrum, it provides a compre-hensive and systematic approach to generating the describing di�erential equations.Moreover, because of its compositional characteristics, it supports partitioning and hi-erarchical modeling of increasingly complex systems as well as modifying a particularsub-system to a more detailed model [34, 54].9Informational systems are those that handle data in its general form. So, no a priori modelingconstraints on data exist. 31
CHAPTER IIIA THEORY OF DISCONTINUITIES IN PHYSICAL SYSTEM MODELSThis chapter introduces the types of modeling abstractions and the discontinu-ous behavior they cause in system models. The resultant mixed behavior patterns,continuous with intervening discrete jumps, are systematically modeled by combiningbond graphs and �nite state automata in the modeling scheme.The Nature of DiscontinuitiesPhysical systems by nature are continuous, and discontinuities are artifacts ofsimpli�cations and assumptions introduced into the system model. In general, dis-continuities in behavior generation can be attributed to two abstraction phenomena:{ time scale abstraction, and{ phenomena or parameter abstraction.The time scale for the actual nonlinear behavior of the system may be much fasterthan the time scale at which system behavior needs to be analyzed. If system behav-ior were explicitly modeled at this small time scale, appropriately positioned smallenergy storage and dissipative e�ects have to be included in the system model. Theensuing time constants may obscure or complicate the generation of the more gross(or abstract) phenomena that are of interest, therefore, time scale abstraction tech-niques may need to be introduced to focus on the more useful behaviors. Furthermore,small time constants cause steep gradients and fast oscillations in system behavior,which results in numerical sti�ness problems when conventional simulation methods32
are used, or lead to the use of less accurate implicit integration methods to avoidsti�ness problems [11, 15]. For example, consider a ball bouncing on a oor. Whenthe ball on its downward trajectory hits the oor, elastic compression of the oor, orthe ball, or both, enables storage of the ball's kinetic energy as internal compressionenergy which eventually builds up a negative force that imparts a negative velocity tothe ball causing it to y back upward. The velocity of the ball changes continuously,but starting from the point of impact for a short time interval, the velocity change hasa very steep slope. This is shown in Fig. 13 for a system where the ball is consideredto be an ideal rigid body and the oor is modeled to have a relatively large sti�nessvalue. The e�ects of compression are indicated by the ball and oor displacementbecoming negative for a very short period of time. When modeled in less detail, thevelocity of the ball is instantaneously negated because the compression behavior isignored. If the interaction between the ball and oor is modeled as a perfect elasticcollision, the overall behavior implies that the ball continues to bounce but with de-creasing amplitude because of air resistance. The simpler but correct behavior wasachieved by abstracting away the sti�ness e�ects causing an instantaneous change invelocity. Therefore, the abstract model combines continuous behavior with abruptor discontinuous behavior changes. Since the elasticity of the ball or oor is not ab-stracted away but condensed into an instantaneous e�ect, this is an example of timescale abstraction.A second cause for discontinuities in models can be attributed to componentparameter abstractions. The e�ects of particular component characteristics, oftenparasitic terms, are simpli�ed or ignored. However, this may reduce the degrees ofbehavioral freedom in the system by making energy storage elements (i.e., capacitors33
0.00
0.05
-0.05
-0.10
-0.15
100 200 300 400 500 600 700 800 900 1000
tx floor
v ball
0
2
4
6
8
-2
-4
-6
-8
100 200 300 400 500 600 700 800 900 1000t
x ball
0.0
0.2
0.4
0.6
0.8
1.0
-0.2
100 200 300 400 500 600 700 800 900 1000
tFigure 13: A perfect elastic collision between a rigid body and a very sti� oor.and inductors in the bond graph framework) dependent. As a result, discontinuitiescan again become part of system behavior. For example, if the ball and oor elas-ticity in the bouncing ball example are abstracted away, the system shows a perfectnon-elastic collision and the ball comes to an immediate stop at the point of impact.Because of the rigid body assumption, the kinetic energy of the ball dissipates instan-taneously the moment its velocity is forced to be 0. In reality, small elastic coe�cientswith deformation e�ects allow the ball to maintain a velocity that is not directly cou-pled to the oor, and the behavior exhibits a steep gradient but remains continuous.This implies that the elasticity and deformation e�ects introduce additional degreesof freedom in the system model that result in continuous system behavior. On theother hand, if these e�ects are very small, and they have a negligible impact on themacroscopic behavior, they can be abstracted away in the system model. In thatcase, at the point of impact, the ball with non-zero velocity is directly coupled to the oor which has 0 velocity, and a discontinuity occurs. Note that this eliminates theball momentum as a state variable. 34
E�ects of the Lumped Parameter AssumptionTo study the lumped parameter assumption in detail, consider the free expansionexperiment conducted by Gay-Lussac and Joule, shown in Fig. 14 [35]. A chamber ismade up of two connected bulbs with an idealized open-closed valve between them.Initially, only the left bulb contains a gas and the valve is closed. When the valveconnecting the two volumes is opened, the gas in the left bulb expands freely andstarts di�using into the right bulb. Even if the connecting ori�ce is non-resistive,this di�usion introduces non-homogeneous turbulence e�ects that are active for aperiod of time. This is not an issue from a thermodynamics perspective, where thegoal is to establish energy balance after the distribution has become homogeneous(e.g., determining the temperature of the water in the compartment surrounding thetwo volumes). Therefore, the lumped parameter assumption holds. Based on theunderlying modeling assumption, the transitional e�ects are negligible to the timescale of interest. However, the lumped parameter assumption does not hold duringdiscontinuous changes. In case of the free expansion experiment, if the valve wereclosed quickly enough after opening to operate as a sequence of two instantaneouschanges, the gas could not have di�used yet. So, the homogeneous distribution ofgas over the two volumes is never actually established. In fact, an immediate closingof the opening renders the intermediate opening mode mythical. Therefore, it leadsto no redistribution of energy which conforms with the observation that in real timethere never was a connection. 35
Figure 14: Free expansion of a gas by di�usion after an instantaneous change.The E�ects of DiscontinuitiesDiscontinuities in physical system models have a number of e�ects that do notoccur in the analysis of continuous system behavior:{ Energy storage elements may become dependent, thus changing the dimensionof the state vector which may result in an apparent violation of conservation ofenergy.{ A discontinuous change may trigger a chain of discontinuous changes.Conservation of EnergyThe lumped parameter assumption requires dependent storage elements to betreated as one, but that may result in a discontinuous change of stored energy whena con�guration change occurs, and may cause a Dirac pulse1 generated at the in-stant the change occurs. The pulse represents an amount of energy that dissipatesdiscontinuously as heat, discontinuous dissipation, much like the loss of energy due1This is a pulse of �nite area but in�nitesimal width that occurs at a point in time.36
to resistive dissipation which is modeled as a source of entropy. If the environment isassumed to be isothermal, this source is not modeled explicitly, otherwise it can berepresented as a Dirac pulse. Note that this instantaneous loss of energy would actu-ally occur over a short time interval if small dissipative elements capturing the energyredistribution e�ects in the connection between the storage elements were returnedin the model. Conservation of StateAfter a new mode of operation is inferred, its state vector has to be derived basedon the state of the system in the previous mode. This is referred to as the initialvalue problem and if the system state is represented by energy stored by independentelements, which have an integrating relation, there are no discontinuous changes.Therefore, discontinuous state changes only occur if storage elements become de-pendent and their value is determined by other system elements. In this case, twosituations characterize the initial value problem:{ Mode changes cause two or more storage elements to become dependent, andthis causes the size of the state vector to change. As discussed, individual energyvariable values change, but their total remains the same and conservation ofstate determines the new state values.{ Mode transitions cause dependency between sources and energy storage ele-ments. In this case, the switching causes a source (i.e., the environment) toinstantaneously transfer energy into or out of the system. The new values ofenergy stored by the elements involved is set to the source enforced values.37
As a result, the system transfers from one mode to another, but the initial energydistribution in the new mode may be di�erent from the distribution in the last realmode. Invariance of StateThe diode-inductor example in Chapter I illustrates that a discontinuous changemay generate additional discontinuous changes that occur instantaneously. In gen-eral, discontinuous changes occur when signal values cross a threshold value duringcontinuous evolution of system behavior [77, 78, 79]. The e�ect of this is that energyconnections are activated or deactivated. This may cause adjoining signals to changediscontinuously and cross switching thresholds themselves. The result is the activa-tion or deactivation of one or more energy connections one after another, leading toa sequence of discontinuous changes. The modeling assumption is that discontinuouschanges are instantaneous, therefore, real time does not progress during a sequenceof discontinuities. Real time continues to evolve only after a model con�guration isreached where no more switches occur. Sequences of instantaneous changes makeit di�cult to infer the new mode of continuous operation. In addition, the task ofcorrectly advancing the system state across a series of model con�guration changes,producing the correct mapping of the system from the last continuous mode onto thenew one, where behavior again evolves in real time is nontrivial.This is solved by observing that any system con�guration that occurs during asequence of switches has no real existence, and these system con�gurations are transi-tional, or mythical. A consequence of this is that the system cannot exchange energywith its environment during this period, in other words, it is isolated. Therefore,38
there is no redistribution of stored energy within the system during this sequence.The principle that energy is not redistributed during discontinuous, instantaneouschanges, but only after a new mode is reached is termed the principle of invarianceof state. IllustrationThis section illustrates the previous concepts and notions by two examples.Conservation of State and EnergyConsider an electrical circuit with two capacitors in parallel connected by an idealswitch (Fig. 15). When the switch is open, the two energy storage elements can chargeand discharge independently, but they become dependent when the connecting switchis closed requiring the two elements to achieve a common potential. The total chargeon the two capacitors before the switch was closed has to be preserved so that thephysical principle of conservation of state (charge), is not violated. Assuming that theinitial charge on C1 is q1, and there is no initial charge on C2, the common potentialafter the switch is closed is V + = q1C1+C2 . The amount of energy before closing theswitch is q212C1 . After closing the switch the charge on C1 is q+1 = C1C1+C2 q1 and the chargeon C2 is q+2 = C2C1+C2 q1, therefore, the amount of energy in the system, q+1 22C1 + q+2 22C2 , isq212(C1+C2). This implies that closing the switch causes a loss of energy equal toq212C1 � q212(C1 + C2) = q21 C22C1(C1 + C2) : (3)Imposition of the conservation of charge principle appears to result in an instanta-neous loss of energy in the system, i.e., the conservation of energy principle is violated.39
Figure 15: Two capacitors that become dependent by an ideal connection.This loss occurs because of an arc across the switch when it closes, and could be ex-plicitly modeled by a dissipative e�ect. However, since it is small and of a parasiticnature, it is abstracted away. In any event, in case the environment is not isothermalthe loss has to be explicitly modeledMythical Modes and Invariance of StateTo illustrate a sequence of discontinuous changes, consider the e�ect of a diodethat operates in one of two possible modes in Fig. 16:{ As an e�ort source; it enforces 0 volts, independent of the current.{ As a ow source; it imposes a negative leakage current, independent of thevoltage.Initially, the voltage drop across the diode is 0 and it operates in its e�ort sourcemode (Fig. 17). When the switch is closed, this e�ort source enforces 0V on bothof the capacitors which requires C1 to discharge instantaneously. This results in acurrent ow that approaches negative in�nity and based on the switching speci�ca-tion of the diode (ID � Ileak) the model con�guration changes immediately to onewhere the diode operates as a current source. Since no more discontinuous changesoccur, the capacitors become dependent and redistribution of charge occurs as in the40
q1
I DV1
C1 DC2
Sw
VD
I D
D I D I leak
I leak0V
VD 0Figure 16: Two capacitors that become dependent and switch modes of operation ofthe diode.q
1q
1q’
1q’
2
I leakI DV1
C1 C2
Sw 0V
C1 C2
Sw V’1
C1 C2
SwFigure 17: A series of discontinuous changes may contain mythical modes.two capacitor system described above. Imposing the modeling assumption that dis-continuous changes occur instantaneously, the model con�guration where the diodeoperates as an e�ort source and the switch is closed is departed instantaneously andnever achieved in reality. The in�nite current is never actually established, it is onlyused to infer the new mode of continuous operation. If it were considered a real modeof operation, C1 would discharge instantaneously during the intermediate mode of op-eration. Therefore, when the diode switches to its current source mode of operationno energy would be left to maintain the leakage current.41
LimitationsThe occurrence of a number of discontinuous changes may make energy storageelements alternate between mutual dependence and independence during a sequenceof changes. From a physical perspective this situation has to be analyzed carefully.To illustrate a situation where this may lead to a con icting system model, considerthe electrical circuit in Fig. 18, where the relay turns o� when the voltage drop acrossC1 equals the voltage drop across C2. If the relay was on initially, the moment theswitch is closed this condition holds and the relay opens. Because of the instanta-neous nature of discontinuities, the model con�guration where there is a connectionbetween both the capacitors is departed immediately. As discussed in terms of thefree expansion experiment, even though dissipative e�ects of the connection are notexplicitlymodeled, energy redistribution still takes time. In real time, the basic modelcon�guration does not change, i.e., the capacitors are disconnected all the time. How-ever, the relay is open and its switching condition implies that the charge on bothof the capacitors has been redistributed to re ect their equal voltage drop, whichit has not. This indicates that analysis of continuous behavior with instantaneousjunction switching does not generate consistent behavior in this scenario, and eitherresistive or inductive e�ects of the connection have to be included, or the modelingmethodology has to be modi�ed.To summarize, switching conditions based on energy stored by elements that arealternating dependent and independent within one sequence of discontinuous changeare inconsistent with lumped parameter assumptions, and, therefore, prohibited. Inthis case, either model re�nement or another modeling approach has to be chosen.Notice that gradients based on these energy variables can be used as demonstrated42
q1
q2
Vrelay
V1 V2
C1
Sw
C2
ON
OFF
V2V1 V2V1=
Relay:Figure 18: Instantaneous dependency changes between energy storage elements causeproblems.by the capacitor-diode example. Though there may not be an actual ow of current,a gradient exists the moment the switch closes, and this causes the diode to changeto its mode of operation where it enforces a leakage current.A Discrete FormalismAn idealized discrete switching element can impose a discontinuous binary, on/o�,relation on energy transfer paths in the system to model con�guration changes. Fig. 19shows two connected tanks that get disconnected when a latch closes. If the latchcloses, the ow through the connection becomes 0. Therefore, there is no energytransfer across it and the net result is that the two tanks become independent sub-systems, and this illustrates a seamless implementation of themode-switching process.The physical on/o� state for a switch is a�ected by continuous variables which causethe switching when variable values cross prespeci�ed thresholds (e.g., p1 > p2 inthe above example) and control logic that governs the on/o� relations is de�nedby combinational or sequential automata. The need for sequential control logic isdemonstrated in Fig. 20. Initially the latch in the connecting pipe is in its uprightposition. When a threshold pressure di�erence is exceeded, the latch opens to the leftor to the right. Once it has opened in one direction, it cannot open in the opposite43
R12
C1 C2
Rb2Rb1
e2
f1
f5 f8f3
e7Figure 19: Mode switching of a bi-tank system by a latch.1 2 tp - p < -p 1 2 tp - p > pOFF
closed
ONleft open
OFFleft closed
1 2p < p1 2p < p 1 2p > p1 2p > p
ONright open
OFFright closedFigure 20: A physical system may contain discontinuities that have memory.direction anymore, therefore, future on/o� states are a function of the past state ofthe latch.An important observation applies to the state vector of a system, which contains anecessary and su�cient number of variables to completely describe the system state.In continuous physical systems the set of variables that describe the energy distribu-tion in the system capture its entire history, and, therefore, serve as the state vectorfor the system. However, when models contain discontinuities that are controlled bysequential logic, the energy state vector cannot completely specify system history. Fu-ture behavior becomes dependent on the internal states of the sequential automata,and a hybrid state vector is required to capture the necessary logic states as well. As44
an illustration, consider the latched bi-tank system. If the internal state of the latch inFig. 20 is not known, future behavior cannot be determined uniquely based on energyvariable values alone. The same energy distribution can result in two di�erent statesfor the latch, depending on its history, and system behavior can evolve along twodi�erent trajectories. To disambiguate this situation, the system state vector needsan additional logic component, which speci�es the model con�guration at di�erentpoints in time. Temporal Evolution in Behavior TransitionsThe semantics of behavior generation for hybrid models need to combine realmodes with instantaneous discrete behavior changes where real time does not advance.Note that a real mode of system behavior can encompass an interval where continuousevolution is speci�ed, or a point in real time where a new energy state value may bespeci�ed by an algebraic relation. All discrete changes have to occur at well de�nedpoints in time. Consider the example of the perfect elastic collision of the bouncingball shown in Fig. 21. Model con�gurations where the ball is moving freely (up ordown) represent continuous modes of operation where system behavior evolves overtime. The system model is abstracted so that the collision process is perfect andelastic, and holds only at a point in time at which the ball momentum is reversed.At this point in real time, no continuous evolution can be speci�ed, if the ball and oor were in contact for any period longer than a point in time, the ball's momentumwould transfer to the oor, and it would come to rest. On the other hand, if thisreal mode did not exist, i.e., the ball and oor never touched, the ball could notexchange momentum with the oor, which implies its velocity would never reverse.45
-v
mv
m
actionP
reactionP
-g
tfree
collide
ts<←, > ts< , >←ts[ ]Figure 21: Real modes can have a point or interval presence in time and have toensure time continuity.The con�guration where the ball is in contact with the oor is abstracted to a point,which is then followed by an interval of time where the ball travels upwards exhibitingcontinuous behavior.In summary, this method for representing the bouncing ball behavior as a discon-tinuous change from a real mode (moving downward) to a second real mode (point ofcontact with the oor modeling the collision) and then a discontinuous change to athird real mode (moving upward) is much cleaner than a discontinuous model whichrepresents the reversal in ball velocity as an initial value problem (e.g., [19, 57]). Inthe latter situation, the point in time at which the collision occurs is considered tobe the start point of the second time interval with the ball moving freely upward,and the model speci�es the initial velocity of the ball at the start point. This modelimplies the ball is always moving freely, up or down, reversing its velocity at a par-ticular position with no explicit physical phenomenon, such as a collision, to accountfor the change. The net result is a model that violates the principle of invariance ofstate, because stored momentum changes abruptly without explicit interaction with46
the environment. SummaryThis chapter categorically analyzes discontinuities in physical system behavior.These discontinuities can be the result from either time-scale abstractions or param-eter abstractions, and result in mode switching behavior of the system. The principleof conservation of state governs transfer of system state between two modes of oper-ation.Principle 1 (Conservation of State) Between two modes of operation, the totalstate in the system (i.e., charge, momentum, etc.) is conserved.Transfer of state between modes of operation may result in discontinuous dissipation.In case of an isothermal system this dissipation is not shown, otherwise it has tobe modeled explicitly as a Dirac source of entropy, to ensure that the principle ofconservation of energy is not violated.Principle 2 (Conservation of Energy) If the environment is not assumed isother-mal discontinuous dissipation as a result of changes in the operational mode has tobe represented by a Dirac source of entropyAnother e�ect of discontinuities is that the system model may move through a seriesof mythical mode changes before a new real mode is achieved.De�nition 1 (Mythical Mode) A mythical mode is a model con�guration that hasno representation in real time. Therefore, its state vector is not part of its operationaldomain. 47
Because the state vector is beyond the operational domain of the model con�guration,a mythical mode immediately generates a new con�guration. Mythical modes donot have a physical meaning nor representation, and, therefore, these sequences ofinstantaneous change are modeling artifacts and could be removed in a model pre-processing step. Since a particular model con�guration may be mythical or real,depending on the corresponding energy state, it is cost-e�ective to formulate modelsemantics that handle mythical modes correctly. These semantics are based on theprinciple of invariance of state, which states that mythical modes do not a�ect themapping of the energy state between real modes.Principle 3 (Invariance of State) The energy state vector of a system is not af-fected by mythical modes.It is important to note that mythical modes do not a�ect the system state. This isa more precise statement than attempting to de�ne mythical modes as states whereno continuous behavior is de�ned. This is clearly illustrated in the bouncing ballexample, where the point of impact represents a mode where only algebraic constraintson priori and posteriori values hold, and no continuous evolution in the form ofdi�erential equations can be de�ned. Though this mode is not continuous, it is stillreal.48
CHAPTER IVHYBRID BOND GRAPHSBond graphs use a small set of domain independent physical mechanisms to pro-vide a powerful modeling formalism for complex physical systems [53, 104, 107].These mechanisms and a junction structure inherently enforce energy conservationand power continuity constraints on system models to provide an elegant basis foranalyzing the continuous behavior of physical systems. However, as shown in Chap-ters I and III, e�cient modeling requires support for discrete, model con�guration,changes. This chapter introduces a primitive switching element and control struc-ture into the traditional bond graph formalism to allow for discrete changes in modelcon�guration, and, therefore, discontinuous changes in system behavior.IntroductionTypically, a system can be looked upon as a composition of n sub-systems, each ofwhich can operate in k possible modes of operation. Overall, the system can operatein nk behavioral modes. However, only a small number of these modes are actuallyachieved during normal operation of the system. In case of well known systems thatoperate in a limited number of modes, a global control structure can be pre-de�nedfor determining system modes and the model associated with each of them [9, 18].However, for lesser known systems, or for systems that will be operated in unknownways, pre-enumeration becomes infeasible and brute force techniques cannot be ap-plied because of combinatorial explosion, therefore, compositional modeling methods49
are often applied to provide a solution [36, 95, 96]. These approaches generate modelsdynamically by composing model fragments.Bond graphs provide a good framework for compositional modeling approaches [10]where the model for a mode of operation is generated by establishing or disconnectingenergy connections between sets of bond graph elements at junctions. Such junctionsare controlled locally using signal values tapped from the bond graph model. Acontrolled junction can be in one of two states, on and o� which correspond, respec-tively, to the presence or absence of energy connections associated with this junction.Consequently, a system is modeled by �rst establishing a bond graph model of allpossible components and their energy connections or interaction. Next, junctions areidenti�ed that turn on and o� based on a local control mechanism. Once all controlmechanisms are de�ned, valid models for each of the modes a system goes into can begenerated dynamically from this overall energy model while components of the bondgraph can be mapped back to components and mechanisms of the physical system.Discontinuities in Bond GraphsTo extend bond graph modeling to hybrid physical systems without losing theinherent principles that govern physical system behavior and captured in bond graphmodels, several issues need to be taken into account.{ Interaction between the discontinuous part and the continuous part has to beconsistent and the formalism specifying the discontinuous behavior has to beveri�ably correct. 50
{ In a discontinuous environment, continuity of power cannot be guaranteed,1however, conservation of energy during a sequence of discontinuous changes canand must be enforced. This means that the basic building block for ideal dis-continuous con�guration changes, modeled as switches, do not dissipate energy.When dissipative e�ects have to be modeled, resistive components have to beincluded in the system model.{ When discontinuous changes occur, causality may change. The formalism hasto provide for a consistent, algorithmic, causality assignment scheme that holdsin general.{ If a number of instantaneous discontinuous changes occur, the formalism hasto ensure that this sequence ends in a valid mode of system operation witha correct state vector. The last mode in this sequence has a real manifesta-tion, therefore, exchange of energy with the environment may occur causingdiscontinuous dissipation.To model con�guration changes in bond graphs, recently Broenink and Wijbranshave introduced switching bonds [18] and Str�omberg, Top, and S�oderman have appliedan ideal switch [116, 117, 126]. Switching bonds are based on structural analysis ofreal-time systems, which can be modeled in terms of two components: a data ow anda control ow component [29, 46, 131, 132]. Lent conjectures that all systems can bedescribed in this manner [128]. For switching bonds, the data ow part is representedby the bond graph formalism and the control ow part is represented by a control boxthat contains switching logic in the form of a global �nite state automaton. Interaction1Consider power supplied by a source that generates a true step.51
Vin R2
R1Sw
C1
Sw open
01
RR1
SeVin
RR2
C1
C
Sw closed
01
RR1
SeVin
RR2
C1
CFigure 22: Switching bonds handle boundary conditions incorrectly.occurs through switching bonds, i.e., an energy connection (or bond) is either presentor not present. The interaction is depicted by a black box that is connected to aswitching energy bond in the bond graph. Though the concept of separate data andcontrol models has a lot of merit, interaction between the two through switching bondscauses problems. First of all, it may cause hanging junctions. More seriously, changingboundary conditions due to switching are incorrectly handled. For example, in Fig. 22if the switch opens, the corresponding bond in the bond graph disappears. Thoughthis disconnects the parallel part, the bond graph still shows a series connection(1-junction) that in reality is not present.To eliminate these problems, Str�omberg, Top, and S�oderman introduced theswitch, a new bond graph element, that enforced 0 e�ort or 0 ow on a junctionto turn it on or o� (Fig. 23). Notice that this is a degenerate form of the regularsource elements, and its primitive e�ort/ ow characteristic is commonly used in powerelectronics [55]. Because of the 0 e�ort or 0 ow, power (e�ort� ow) supplied by theswitch is always 0, which conforms with the requirement that switching consumes noenergy. However, the switch has some disadvantages:52
ON
e 0
OFF
0f
the switch ON
e < 0 f > 0
f
e
OFF
Sw
0
Sw
Se: 0 Sf: 0Figure 23: Operation of the switching element.{ Since switches are not energy elements, it is unnatural to represent them asbond graph elements.{ Switches are transitional elements that are only used to infer new modes ofoperation, consequently they represent control aspects rather than physical con-cepts.{ The use of switches obscures hierarchical structures. Typically when a systemswitches modes, a set of switches go from on to o� or vice versa. Relationsamong switches are hard to identify and the use of bond graph elements cluttersthe model.{ The functionality of a switch is completely determined by the type of junctionit is connected to. The same switch connected to a dual junction is o� whenon and vice versa.Based on the aspects of switching bonds and the switch as bond graph element,Mosterman and Biswas have proposed the controlled junction [76]. The controlledjunction recognizes the presence of data and control ow structures and the need fora separate formalism, along with bond graphs, to represent the control structure of a53
physical system. The interaction between the control structure and the bond graphoccurs by switching controlled junctions (rather than bonds), where the speci�cationof controlled junctions adheres to the ideal speci�cations of the switch. Using �nitestate automata [1, 56] for the control part provides for a powerful hybrid formalismthat is based on proven modeling methods. Interaction between the formalisms isconsistent and rigorous which renders it veri�ably correct.The Modeling LanguageFormally the hybrid bond graph approach combines continuous-time and discrete-time formalisms, which are modeled by traditional bond graphs [53, 104] and �nitestate automata [1], respectively. These two formalisms interact through controlledjunctions which capture discontinuous variable changes. In the bond graph, controlledjunctions have associated subscripts, e.g., 11, 02, to di�erentiate them from traditionaljunctions and also to provide a reference to their corresponding �nite state automaton.The hybrid bond graph model of the latched bi-tank system (Fig. 19) is shown inFig. 24. A controlled junction behaves like an idealized switch. A 0-junction thatis o� enforces 0 e�ort whereas a 1-junction that is o� enforces 0 ow. When thejunctions are on, they operate as regular junctions.2 A change of state of a controlledjunction may a�ect adjoining junctions and thus the causal relations in the graph.These new causal relations can be algorithmically derived using SCAP or its modi�edform MSCAP [129] in the new con�guration.In case of con�guration changes, it becomes critical to establish correct loading onall adjoining bonds. Each power bond connected to a deactivated controlled junction2A similar timed junction has been applied for illustrative purposes in [123].54
p1 p2
CON OFFC
1
R
R R
0 01Sf
R12
Rb1 Rb2
C1 C2C C
1
R
R R
0 01Sf
R12
Rb1 Rb2
C1 C2
p1 p2Figure 24: The controlled junction establishes mode-switching behavior.01 11
0 1Se:0
Sf:0
ON ONOFF OFFFigure 25: Operation of the controlled junction.is loaded by a source element of 0 value to correctly handle boundary conditions ofthe disconnected model fragments (Fig. 25). In most bond graph models of physicalsystems, 0- and 1-junctions appear in alternating sequence, therefore, when a junctionis deactivated, its adjoining power bonds can be removed from the bond graph toestablish the new model con�guration. Also, the e�ort causality as enforced by adeactivated 0-junction typically does not completely determine causality on all bondsof a neighboring 1-junction. Neither does ow causality of a deactivated 1-junctionpropagate directly across adjoining 0-junctions.The subscripts of each controlled junction (e.g., 01 in Fig. 26) identi�es its as-sociated �nite state automaton that determines whether it is in the on or o� state.In other words, the �nite state automaton de�nes a junction's control speci�cation(CSPEC). The input of each CSPEC consists of{ power variables from the bond graph, and55
{ external control signals.This input is depicted in the hybrid bond graph as arrows into the controlled junction.Mathematical operations may be applied to the power signals before they are inputto the CSPEC. These operations can be modeled by a block diagram (as is used inthe bond graph modeling tool CAMAS [16]) to manipulate signal values on activebonds. The output of the CSPEC sets the associated controlled junction to on oro�. Internally the CSPEC can have any number of states, its control logic can becombinational or sequential. Conditions for a valid CSPEC are:{ Each internal state must map onto an on or o� state of the controlled junction.{ Transition conditions on the edges have to evaluate to boolean values in eachmode of operation.{ The CSPEC conditions have to result in at least one real mode of operation forall reachable energy distributions.{ The CSPEC conditions consist of values immediately before (priori) and after(posteriori) switching.The �nal condition is an important characteristic of the CSPECs. The priori valuesare unchanged, invariant, during a sequence of instantaneous changes. Such a se-quence is driven by the posteriori values, as these may di�er for each newly inferredmode of operation. Therefore, priori values determine which modes of operation arerequired to have a physical manifestation (typically the result from time scale abstrac-tion), whereas posteriori values determine sequences of modes that can be traversed to56
Se
I R
mg
0
m R11
Sf
01
vballFball
ON1:
OFF
0Fball 0vball
Se Se
I IR R
mg mg
0 0
m mR1 R11 1
Sf Sf
01
OFF ON
Se:0Figure 26: Hybrid bond graph model of an ideal non-elastic collision.reach these modes (typically the result from parameter abstraction). Discontinuouschanges in signal values are characterized by di�erent priori and posteriori values.The set of local control mechanisms associated with controlled junctions constitutethe control model of the system. The control model performs no energy transfer,therefore, it is distinct from the bond graph model that deals with the dynamicbehavior of the physical system variables. Control models describe the transitional,i.e., mode-switching behavior of the system. A mode of a system is determined bythe combination of the on/o� states of all the controlled junctions in its hybrid bondgraph model. Note that the systemmodes and transitions are dynamically generated,and do not have to be pre-enumerated.A Perfect Non-Elastic CollisionThe use of controlled junctions for a perfect non-elastic collision between a balland oor is illustrated in Fig. 26. The ball inertia is modeled as m, the air resistanceas R1, and gravity as an e�ort source, mg. In the o� state, there is no connectionbetween the ball and the oor and the bonds connecting the ball to the resulting e�ort57
source with 0 value can be disregarded. The ow source with 0 value is disconnectedas well. The CSPEC part of the model shows that at the point the ball touches the oor (R vball � 0), the controlled junction turns on and the ow source with 0 valuebecomes connected to the mass. This implies that the ball velocity = 0, but theconnection between the ball and oor source also causes a change of causality, forcingthe inertial element to operate in derivative causality. The ball stays connected tothe oor as long as the force it exerts is > 0. When this force becomes negative, thejunction turns o� again, and the ball inertia becomes independent. Its momentumis reversed, and the ball ies up. This example illustrates a seamless integration ofmulti-mode behaviors in one model based on a local switching mechanism. Otherexamples of hybrid bond graph models are discussed in [77, 78, 79, 85].Mode SwitchingAs shown in Chapters I and III, a discontinuous change may propagate througha system causing other discontinuous changes to happen instantaneously. Model ab-straction makes it hard to explain such a complex chain of events in incrementalcausal terms. Nishida and Doshita [98] address these problems by moving the systemthrough a sequence of mythical instants. These mythical instants are arrived at anddeparted instantaneously, therefore, they are considered transitional. Sequences ofmythical changes make the task of algorithmically inferring the eventual real modethat is attained and its correct state vector, a real challenge. Since the transitionalmodes are mythical and never achieved in reality, they do not a�ect the energy balanceof the system. Therefore, the signal values in each mode in a sequence of instanta-neous changes are calculated from the original energy distribution, i.e., the energy58
distribution in the last real mode before the sequence of mythical changes occurs.This issue is of paramount importance in correctly inferring new modes of operationand the initial state vector in these modes.The principle of invariance of state (Chapter III), i.e., repeatedly using the energydistribution of the previous real mode during mythical mode switches, governs thecomputation of the initial values of the state variables in the new real mode. Thisprocess is illustrated in Fig. 27. The real modes are depicted by a white backgroundand the mythical modes are shown on a dark background. In the �nal stage, aftera real mode �m is reached, the energy distribution of the previous real mode, asrepresented by their energy state variables p and q, is mapped onto the new mode.Physically, and in real time, the system has moved from mode �k into mode �minstantaneously at time ts. The Mythical Mode Algorithm (MMA) is formally pre-sented as Algorithm 1. In this algorithm, (E;F ) represent the set of e�ort and owvariables, and (P;Q) represent the set of energy variables (generalized momentumandgeneralized displacement) in the system at switching time ts. The set (P�k ; Q�k) andcorresponding (E�k ; F�k) are priori switching values, whereas (P+; Q+) and (E+; F+)are posteriori switching values.Algorithm 1 Mythical Mode AlgorithmCalculate the energy values (Q�k ; P�k) and signal values (E�k; F�k) for bond graph model �k attime ts.Use CSPEC to infer a possible new mode given (E�k ; F�k) and (E+; F+) = (E�k; F�k).while one or more controlled junctions switch state doDerive the new bond graph, �k+iPropagate causality.Calculate the energy values (P+; Q+) and signal values (E+; F+) for the new mode, �k+i, basedon the initial values (Q�k; P�k).Use CSPEC again to infer a possible new mode based on (E�k ; F�k) and (E+; F+).end whileEstablish the mode, �m, as the new real system con�guration at the point of discontinuity.Update (Q�k ; P�k) to the energy distribution for �m, (Q�m ; P�m).59
ts ttsp-
qp
+
q
k k+1 m
αk αk+1 αm αmFigure 27: During mythical changes the discrete state vector changes to re ect con-�guration changes. The energy state vector is only changed once a real mode isreached. Transfer of Energy StateTo derive the new state vector in a new mode, it is observed that in a hybrid bondgraph discontinuous state changes only occur if storage elements become dependent(Chapter III). One of two cases may occur [79]:1. one or more storage element may become dependent on a source, or2. two or more storage elements may become dependent on each other and �-sources become active, and the state vector between the two con�gurations isdi�erent.In the �rst case, the posterior energy stored in the dependent elements, p+i , is deter-mined by the value of the source, u,p+i = rS;iCiu; (4)where rS;i is a gain factor associated with the route from the source to the dependentelement, i, and Ci is the dependent element. In the second case, Dirac pulses, �, are60
induced by explicitly modeled sources or dependent storage elements that enforce adiscontinuous change of the independent, integrated, state variable, p+0 . The area ofsuch a pulse combined with the gain factor from its origin to the independent storageelement speci�es a change of p+0 . The cumulative change is given by the generalformula: p+0 = p0 + Xstorage;i a�;iri;0 + Xsources;j a�;jrj;0: (5)The area a�;j is the explicitly modeled interaction with the environment, and the areaa�;i can be calculated as a�;i = p+i � pi; (6)which is the loss of generalized charge or momentum in the dependent storage el-ements. The new signals generated by dependent states, p+iCi , are forced to valuesdetermined by the new signal from the independent storage element, p+0C0 , and the gainfactor. This is described by p+i = r0;iCiC0p+0 (7)which, along with Eq. (5) and Eq. (6), can be applied to determine the new value ofthe independent state variable, p+0 .In the special case that no explicitly modeled �-sources become active, conserva-tion of state holds because the amount of generalized charge and momentum addedto the independent storage element equals the loss by each of the dependent storageelements combined. Therefore, the total amount of charge and momentum in bothmodes remains the same. For n dependent storage elements, element 0 is assigned tobe in integral causality and the new value of its stored energy, p+0 , is determined byp+0 = p0 + n�1Xi=1(p+i � pi)ri;0 (8)61
This can be expressed in terms of the value of the independent storage element, p+0 ,by substituting Eq. (7) p+0 = p0 + n�1Xi=1(r0;iCiC0p+0 � pi)ri;0 (9)or [85], p+0 (1 � n�1Xi=1 ri;0r0;iCiC0 ) = p0 � n�1Xi=1 ri;0pi (10)where ri;0 is the gain factor associated with the route from storage element i to element0, and Ci is the parameter value of storage element i. Note that this may result inloss of energy to the environment [87].ImplementationThe behavior generation algorithm has three key modules:1. ESPEC, the energy model of the system, speci�ed by a bond graph,2. CSPEC, the information model of the system speci�ed by �nite state automata,and3. MMA, the mythical mode algorithm that controls interaction between ESPECand CSPEC.The MMA was implemented under Microsoft Windows using Visual Basic 3.0 Pro-fessional Edition [24]. The continuous model is incorporated as a system of explicitdi�erence equations which are derived from the bond graph model manually. Notethat the derivation process for system equations is already fully automated in systemslike CAMAS [16]. Integration is implemented as a forward Euler approximation and62
ON2:
OFF
ID I th VD -Vdiode
ON1:
OFF
Sw = TRUESw = FALSEVDI D
Se
Se
0111
2
3
5
6
4
12
Sw
RR1
Vin
Vdiode
IL
SwR1
Vin LD
I L
VL
Figure 28: A diode-inductor circuit which causes a mythical mode.careful selection of the time step produced good results in spite of this simplifyingapproximation. Each CSPEC is implemented as an IF-THEN-ELSE statement.The Diode-Inductor CircuitAn example implementation of the diode-inductor circuit (Fig. 28) discussed pre-viously in Chapter I is illustrated. First, 0-junctions are associated with all commonvoltage nodes. In the particular circuit there is one node (apart from ground) withthree branches. The inductor, L, can be directly connected to the 0-junction. Theremaining branch that consists of a series or common ow connection, 1-junction,connects R1 and Vin. Because of the switch, this is a controlled junction, 11, thatturns on and o� based on an external control signal as speci�ed by CSPEC 1. Finally,the diode branch can turn on and o� as well, based on signal values in the circuitspeci�ed by CSPEC 2. When on, the diode enforces a constant voltage, Vdiode, andthis is represented by a voltage source. 63
This circuit was also described by Lorenz [63], but theMMA methodology is moreformal and systematic. The CSPEC de�nitions for the model are local, therefore, noglobal control structure needs to be known beforehand. Given an initial state, allsystem modes that are reachable from this state will be generated dynamically bysimulation. The four possible modes of the system are: : 8>>>>>>>>>>>><>>>>>>>>>>>>: �00 ! switch open ^ diode not conducting�01 ! switch open ^ diode conducting�10 ! switch closed ^ diode not conducting�11 ! switch closed ^ diode conducting (11)CSPEC and MMA are applied to e�ect mode switching in the system. Initially theswitch is open, the inductor has no stored energy, the diode is not conducting, andthe system is in mode �00 (Fig. 29). At time step 10 the switch is closed, the systemmoves into the mode �10, and all e�ort and ow values are recalculated for the newcon�guration. No further mode transitions occur, and the inductor charges as shown.At time step 100, the switch is reopened and the MMA recomputes all e�orts and ows for the new mode �00. The inductor becomes dependent on a 0 value ow sourcewhich forces its ux to 0 (Eq. (4)). Because it had built up a ux (i.e., energy p0),disconnecting it induces a large negative voltage (�1 in the limit). This causes thediode to come on instantaneously, so mode �00 becomes mythical, and the systemswitches to mode �01, where the e�ort and ow values are recomputed based onthe initial ux of the inductor. Again the new values do not cause another modechange so ESPEC is active and Fig. 29 shows that the inductor discharges throughthe diode. Note that the signal values computed for the mythical mode are onlyused for switching (with no loss of energy), therefore, the in�nite negative voltage64
00 1000
01 00eventual modemythical mode
0
5
10
15
20
0 50 100 150 200 250 300 350 400
0.00
0.01
0.02
0.03
0.04
-0.0150 100 150 200 250 300 350 400
Sw0 50 100 150 200 250 300 350 400
I L
VL
t
t
tFigure 29: Simulation result of the diode-inductor circuit with parameter values Vin =10V;R1 = 330; L = 5mH.is never reached. If it were, the stored energy of the inductor would be releasedinstantaneously, producing an incorrect energy balance in the overall system.With time, the ow (current) through the inductor decreases to zero. At timestamp 315 the current value is � 0. Therefore, the current through the diode is� 0 (opposite sign) and this causes a �nal transition: The system again switches tomode �00, and since there is no stored energy in the system, this becomes the �nalstate. The spike observed in simulation is an artifact caused by the time step used forsimulation. In this simulation, between the two time steps the current went from asmall positive to a small negative value before the transition took place. Thus whenthe system transitioned to the �00 mode the small current in the inductor went to 0instantaneously, which resulted in the spike shown.65
Divergence of TimeConsider a scenario where the diode requires a threshold current Ith > 0 to main-tain its on state. If the inductor has built up a positive ux, the diode comes onwhen the switch opens. However, if the ux in the inductor is too low to main-tain the threshold current, the diode goes o� instantaneously, but in its o� state thevoltage drop exceeds the threshold voltage again. The model goes into a loop ofinstantaneous changes (see Fig. 4) and real time halts.In general, if switching speci�cations are such that at any point in a discontinuoussequence of switches the system comes back to an already generated discontinuouscon�guration, a loop of discontinuous changes ensues. This implies that system be-havior stops progressing or diverging in real time, which is obviously in con ict withphysical reality, and divergence of time constitutes an important condition for verify-ing a system model for physical consistency.Principle 4 (Divergence of Time) Model con�guration changes have to terminatein a real mode of operation.Chapter V presents a veri�cation methodology based on divergence of time by apply-ing a multiple energy phase space analysis in detail. Discussion on the divergence oftime principle also appears in other work [47, 79].SummaryHybrid bond graphs incorporate a combination of continuous energy modeling andmultiple discontinuous behavior modes to de�ne a comprehensive modeling method-ology for physical systems. The systematic and uniform mode-switching method adds66
to the formal compositional modeling properties already associated with traditionalbond graphs. The consistent, rigorous and complete modeling language developedcombines:{ the bond graph scheme to model the energy-related aspects of system behavior,and{ �nite-state automata to model signal- ows that cause con�guration changes inthe bond graph model to produce discontinuous behavior.Interaction between the two components of the model are restricted to signals thatact on so-called controlled junctions. These signals are an integral part of the bondgraph language.The strict de�nition of the interaction between the energy- ow and signal- owcomponents of the modeling methodology is of paramount importance in generatingvalid physical models. The approach presented supports modeling discontinuitiescaused by (1) abrupt switching, such as in idealized valves and diodes, (2) modeswitching caused by parameter value changes, such as the change from laminar toturbulent ow in a pipe when the Reynolds number goes above a threshold value,and (3) con�guration switching caused by changes in sub-system models.The advantages of the described method are:1. focusing on the energy model instead of the external control models (as is donein QSIM and CC) allows for dynamic model composition,2. the inherent integrity checks enforce physically correct models during continuousoperation, and 67
3. the physically consistent interaction between the energy and logic model com-ponents allows for veri�cation of mode switching behavior.Dynamic model composition is extremely important for complex systems that includea large number of discontinuous components. As discussed earlier, such systems canexhibit an exponential number of modes, therefore, pre-enumerating modes is not afeasible approach to building systemmodels. Moreover, a large number of these modesare not physically achievable, but that cannot always be determined before hand.The inherent integrity checks ensure the physical correctness of a model and aid themodeler in building a correct model. Furthermore, the conservation and continuityconstraints help reduce the number of spurious behaviors that are generated. Overall,the four principles outlined in Chapters III and IV along with the hybrid bond graphmethodology provides a powerful scheme for modeling complex physical systems atvarious levels of abstraction, while ensuring the physical correctness of the modelsgenerated.68
CHAPTER VENERGY PHASE SPACE ANALYSIS FOR MODEL VERIFICATIONThis chapter �rst shows how priori switching values are used to model algebraicconstraints. Next, it develops a multiple energy phase space analysis technique foranalyzing CSPECs, detecting physical inconsistencies, and then using priori switchingvalues to correct them. This approach is based on invariance of state (Chapter III)which provides for a switching invariant that can be exploited in analysis of switchingbehavior [79]. Combined Perfect Elastic and Non-Elastic CollisionAs an example, �rst consider a perfect elastic collision (Fig. 30). When the ball hitsthe oor with a velocity v, it creates an impulse which results in a reaction impulse bythe oor. In case of a perfect elastic collision, this causes the ball to instantaneouslyreverse its velocity and start traveling upwards. In the corresponding hybrid bondgraph model, this is modeled as a modulated ow source that becomes active whenthe controlled junction 1 (01) comes on. The CSPEC indicates that this happenswhen the position of the ball reaches the oor. Collision behavior is best describedalgebraically, i.e., v+ = �v, as opposed to continuous dynamic operations de�ned bya set of di�erential equations. Therefore, the con�guration only holds at a point intime, instead of an interval. This is achieved by using the momentum of the ball priorto switching as the condition to turn the ow source o� (pball > 0). Upon impact, itis �rst inferred whether this is the new real model con�guration and if so, switching69
ON1:
OFF
0vball0pball
Se
I R
mg
m R11
MSf
01
v
v
ball
ball
-vball
-v
mv
m
-g Figure 30: A perfect elastic collision.ends and the priori switching values are updated. In this case, the new priori valuesimmediately invoke a con�guration switch, resulting in a model where behavior isgoverned by a set of di�erential equations. The convention throughout this thesis isthat these priori values are expressed as energy variables (generalized momentum p,and generalized charge q) and the posteriori values are described by power variables( ow f , and e�ort, e), here v and F . The con�guration switch infers that the ballmoves upward as a result of reaction force created by the algebraic constraints, and thecontrolled junction turns o� and the ball is represented as a separate model fragmentagain. Notice that the amount of energy returned by the oor, i.e., the coe�cient ofrestitution [13], is a modeling decision since the oor is not part of the system but ofits context.Now, consider a combination of a perfect elastic and a perfect non-elastic collisionmodel. This results in a ball bouncing with decreasing amplitude because of airresistance, and after a certain amount of time, when the ball hits the oor withmomentum less than a pre-set threshold, the perfect non-elastic collision1 mode is1This models the physical notion that the restitution coe�cient depends on the impact veloci-ties [13]. 70
ON1:
OFF
0xball0Fball
ON2:
OFF
0xball
Se
I R
mg
m R11
MSf
0
0Sf
012Fball
-vball
vball
-pthpball
-pthpball
0pballFigure 31: A combined perfect elastic and non-elastic collision.activated, and the ball comes to rest on the oor (Fig. 31).To analyze the physical consistency of this model, all switching conditions in theCSPECs have to be expressed in terms of stored energy prior to switching, which isrepresented as a two dimensional space with axes pball for the momentum of the ball,and xball for the position of the ball. All CSPEC transitions are already speci�ed interms of priori switching values, except for the force Fball which, from the bond graph,is computed as Fball = �Fg + Fm + FR1, where g represents gravity. Fball is the forceof the ball on the oor and when its value is negative, the ball disconnects from the oor. To derive the conditions under which the controlled junction 1 turns o� in asequence of switches, Fball has to be expressed in terms of the priori values for xballand pball. The storage element dependency that arises when the ow source becomesactive, causes Fm to have a derivative relation, i.e.,Fm = dpdt : (12)From the CSPEC for controlled junction 1, the condition for switching is Fball � 0.When this junction is in its o� state, pball = mvball. When it switches on, the velocityand momentum of the ball become 0 instantaneously. Based on the constituent71
relation in Eq. (12), this causes a Dirac pulse on Fm which approaches �1 dependingon whether the stored momentum was negative or positive. If the momentum was 0,Fm equals 0. Let the function sign be de�ned assign(x) = 8>>>>>>><>>>>>>>: �1 if x < 00 if x = 01 if x > 0 (13)The condition for switching becomes Fball = �Fg � sign(p)� + FR1 � 0. Becauseof the magnitude of the Dirac pulse, the e�ect of the gravitational force and the airresistance can be neglected at switching if p 6= 0. With the minus sign compensated,the condition for the controlled junction 1 to transition immediately from the on too� state is sign(p)� � 0. This inequality holds for all values of p > 0. If p = 0 thenFm = 0 and FR1 = 0, so the switching condition becomes �Fg � 0. Because of thenegative value of Fg (the gravitational force acts downward), this condition is neversatis�ed and no further switching occurs. Consequently, the area for which p > 0(modes 01 and 11) is grayed out in the phase space in Fig. 32.The two switches instantaneously a�ect variables that are used in transition con-ditions of their CSPECs so they have to be analyzed for consistency of their combinede�ect. To this end, phase spaces are established for each of the four modes of thecombined elastic and non-elastic collision and labeled 00, 01, 10, and 11, where theleft digit indicates whether the controlled junction 2 is on (1) or o� (0), and the rightdigit indicates the same for controlled junction 1. The energy phase spaces for eachof these modes of operation are shown in Fig. 32. The areas that are instantaneouslydeparted are grayed out and the conjunction of the four energy phase spaces (Fig. 33)shows that there is an energy distribution which does not correspond to a real mode72
-vball
vball
Se
I R
mg
m R11
Fball
MSf
0
0Sf
012
00
2: 0xball
1: 0xball
-pth
xball
pball
-pthpball
-pthpball
-vball
vball
Se
I R
mg
m R11
0Sf
01Fball
MSf
02
01
2: 0xball -pthpball
0sign(p )ball1:
xball
pball
-pth
-vball
vball
Se
I R
mg
m R11
MSf
0
0Sf
012Fball
10
1: 0xball
xball
pball
-pthpball
-pth
2: 0pball -vball
vball
Se
I R
mg
m R11
MSf
0
0Sf
012Fball
11
0sign(p )ball1:
xball
pball
-pth
2: 0pballFigure 32: Energy phase spaces for each of the modes of operation of a combinedperfect elastic and non-elastic collision.of operation. Since the dimensions of the energy phase space are invariant acrossswitches, this energy distribution cannot reach a real mode of operation during asequence of switches, thus violating the divergence of time condition.In this part of the phase space, when the ball hits the oor, it has positive momen-tum. For the bouncing ball, this mode is unreachable, and, therefore, the model isconsistent. The system always moves towards a negative momentum and it instanta-neously reverses when the displacement becomes zero (Fig. 33). So, analytically, thedisplacement never becomes negative. However, due to numerical disturbances, orinitial conditions, the model may arrive in the physically inconsistent area of opera-tion, especially in case the oor is another moving body. Therefore, in such situationsor when simulating the system, the CSPEC conditions are not su�ciently constrainedto avoid meaningless physical behaviors.From the physical system it is clear that additional constraints can be imposed73
xball
pball
-pthFigure 33: Conjunction of the multiple energy phase spaces for each mode of operationof a combined perfect elastic and non-elastic collision.
01
2: 0xball
00
2: 0xball
pball 01: 0xball 0sign(p )ball1: 0pball 0sign(p )ball1: 0pball
10
pball 01: 0xball2: 0pball
11
2: 0pball
xball
pball
-pthpball -pthpball
xball
pball
xball
pball
xball
pball
-pthpball -pthpball
-pth
-pth
-pth
-pthFigure 34: Multiple energy phase space analysis of the modi�ed model shows thereis a real mode of operation for each energy distribution.based on the momentum of the ball. Since the switching conditions of CSPEC 1are not mutually exclusive, the conditions pball < 0 and pball � 0 can be addedto the o�/on and on/o� transitions, respectively. This results in the energy phasespaces shown in Fig. 34, and the conjunction of the energy phase spaces now has areal mode of operation for each energy distribution. Because of the combinatorialswitching logic, this real mode of operation is reachable in one switching step. Asimulation of the physically consistent system is shown in Fig. 35. The air resistance(R1), causes the amplitude of the ball to decrease until the momentum of the ballfalls below the threshold value pth and the ball comes to rest on the oor.74
0.0
0.2
0.4
0.6
0.8
1.0
-0.2
100 200 300 400 500 600 700 800 900 1000
0
2
4
6
8
-2
-4
-6
-8
100 200 300 400 500 600 700 800 900 1000
v ball
t
x ball
t
Figure 35: A bouncing ball which comes to rest when its impact velocity is below aspeci�c threshold value. Managing ComplexityThe multiple energy phase space analysis technique requires combined analysisof all of the individual phase spaces for each permutation of the switches, and thisis exponential in the number of switches. To prevent this combinatorial explosion,the physical characteristics of energy storage elements can be utilized to partition thesystem. If k sub-systems can be identi�ed with l interacting local switches, the energyphase space complexity becomes k2l, which is much smaller than 2k�l. Typically, goodsystem decompositions should result in a small2 number of switches per sub-system,therefore, the analysis becomes more manageable. If decomposition is unable to bringdown the computational complexity to reasonable levels, the model sti�ness can bereduced by introducing additional storage elements (i.e., reintroducing some parasitic2Otherwise, the system is very sti� and dynamic e�ects can be collapsed into fewer storageelements, e.g., this is the case for automatic transmissions in automobiles [68].75
e�ects).To determine the set of locally interacting switches, the input and output signals ofeach switch are established. All switches (i.e., controlled junctions) whose associatedsignals are used as CSPEC input to other switches are considered dependent and partof the same sub-system, thus creating their own local mode. Signal value changes ata switch may eventually a�ect signal values over the entire bond graph, but energystorage elements, because of their integrating e�ects, prevent instantaneous changesacross them. Therefore, there is a time lag before input signal changes can causeoutput signal changes for these elements and their downstream elements. Therefore,switching e�ects only propagate along power bonds till an independent energy storageelement is reached.The delay characteristic of energy storage elements is only valid for elements thatare independent in all switch con�gurations. When elements become dependent, i.e.,their behaviors are de�ned by derivative causality, signals propagate across theminstantaneously. Dependency between storage elements in the bond graph is checkedby identifying causal boundaries. In the bond graph, each 0-junction with an incidentSe, R or C can be considered a sink of ow causality, and each 1-junction with anincident Sf , R or I is a sink of e�ort causality (Fig. 36). These constructs prevent owand e�ort causality from propagating. This property can be exploited to partitionthe bond graph into instantaneous e�ort and ow areas with their corresponding Cand I elements. If each e�ort and ow area contains only one of each type of storageelement, this element is always independent. Therefore, it can be used as a border ofinstantaneous propagation, i.e., no instantaneous propagation is transmitted throughsuch elements. 76
R
0
Se
0
C
0
sinks of flow causality
R
1
I
1
Sf
1
sinks of effort causalityFigure 36: Sinks of e�ort and ow causality partition the instantaneously a�ectedparts of a bond graph.
10I 1 I1
R
C
0 R
I I
11
R
0 11
0I 0 I1
RR
C
0 RFigure 37: Multiple I elements in one ow area may become dependent.Fig. 37 shows several examples of the application of the partitioning method. Inthe left-hand graph, even though the controlled junction is on and the two I elementsare currently independent, they can become dependent, and, therefore, de�ned tobe part of one ow area for creating sub-systems. Similarly, in the middle graph,the I elements are independent when the controlled junction is o�, however, thepartitioning analysis again determines that they may become dependent when thejunction comes on, therefore, they are assigned to the same ow area. In the hybridbond graph model on the right in Fig. 37, the I elements are separated by a sink of ow causality, and, therefore, they are always independent.Once ow areas and partitions are established, the dimensions of the energy phasespace for each of the local modes are derived from the input signals to the CSPECs.All variables of energy storage elements that a�ect a particular signal which is used as77
Figure 38: The two steps to establish interacting switches, local modes, and thedimensions of their energy phase space.a CSPEC transition condition are to be included as a dimension. In addition, inputsignals (i.e., variables enforced by sources) are included as phase space dimensions.Finding locally connected switches and the dimensions of the energy phase spaceis a two step process (Fig. 38):{ For each switch, �nd all other switches that have input signals a�ected by itsoutput.{ For each set of interacting switches, compile the energy variables that a�ecttheir input signals. The Internal Combustion EngineTo illustrate how instantaneous changes propagate through parts of a system, amodel of a spark-ignition internal combustion engine is considered. Special attentionis directed toward the valve- and ignition-timing sub-system.78
intake stroke
intakevalve
piston
exhaustvalve
spark plug
power stroke exhaust strokecompression strokeFigure 39: The four strokes of a spark-ignition internal combustion engine.The Working of a Four-Stroke EngineThe four stroke internal combustion engine operates in four distinct modes (Fig. 39)[100]. During its intake stroke, the intake valve is opened and as the piston movesdown, the air/fuel mixture is drawn into the cylinder. After the piston reaches bottomdead center (BDC, i.e., its lowest point), the intake valve closes and the mixture iscompressed as the piston moves up. Ideally at top dead center (TDC), ignition occursby inducing a high voltage on the spark plug. During ignition, the chemical energycontained by the mixture is released in the form of heat. This causes a dramatic riseof temperature and pressure which is transformed into work during the power stroke,during which the piston moves down. At BDC the exhaust valve opens and duringthe exhaust stroke the exhaust fumes that remain after ignition are expunged fromthe cylinder. At the end of this stroke, the piston is at TDC and ready to start a newintake stroke. Note that in reality valve- and ignition-timing deviates from the idealsituation to optimize engine performance under real conditions.79
tappet
cam
pushingrod
valvespring
valve
rockerarm
piston
cylinderblock
connectingrod
crankaxisFigure 40: A spark-ignition internal combustion engine.The Valve-Timing Sub-SystemThe valve- and ignition-timing mechanism is controlled by a cam-axis. For thefour-stroke engine each valve opens once every two revolutions of the crank-axis,and the cam-axis rotates at half the speed of the crank-axis (Fig. 40). Timing isestablished by a number of cams, a mechanism to open and close valves, on the cam-axis. At desired times, a cam opens a valve by displacing the valve tappet. Thistappet connects to the valve's rocker arm by a pushing rod. A valve spring ensuresthat the valve closes as the cam displacement returns to its original position (its base).The cam-follower mechanism shown separately, is modeled as a combined perfect80
x
base
x x x x
Figure 41: Cam mechanism which opens a valve during one revolution.elastic and non-elastic collision between the tappet of the pushing rod and the rotatingcam. As the cam rotates, the rod is lifted by an amount that is proportional to therotational angle of the cam (Fig. 41) [45]. If this rotation exerts su�cient force,the inertia of the valve mechanism may cause the tappet to lift o� the cam only tobounce back at a later time. If the momentum of the valve mechanism is higher thana threshold value, this collision is considered perfect elastic, otherwise it is perfectnon-elastic.The hybrid bond graph model of this system (Fig. 42) is very similar to thecombined perfect elastic and non-elastic model of the bouncing ball. However, inthis situation, the value of the displacement, xth, that causes contact between thecam and the rod-tappet is variable and the momentum at collision becomes pcol =m(vcam�vrod). Furthermore, the value of the modulated ow source di�ers, as derivedby v+cam � v+rod = ��(vcam � vrod): (14)Given � = 1 and v+cam = vcam (the assumption is that this velocity is not a�ected bythe collision), this yields v+rod = 2vcam � vrod: (15)81
-vrod2vcam
ON1:
OFF
pthpcolxthxrodvcamvrod
0Frodvcamvrod
ON2:
OFF
pthpcol
xthxrod
vcam
pthpcol
xthxrod
C
I R
C1
m R11
MSf
0
Sf
012vrodvrod
vcam
FrodFigure 42: Hybrid bond graph model of cam-follower system.vcam
prod
m
00
2:mv -cam pthprod
1: vcamvrod-mvcam pthprod
pth
m
01
-sign(p )rod 01: vcamvrod2:mv -cam pthprod
vcam
prod
mpth
m
10
vcamvrod2:1: vcamvrod-mvcam pthprod
vcam
prod
mpth
m
11
vcamvrod2:-sign(p )rod 01: vcamvrod
vcam
prod
mpth
mFigure 43: Energy phase space analysis of the cam-follower system.The energy phase space analysis of the hybrid model in Fig. 42 is shown in Fig. 43to be physically consistent, and simulation of one cam revolution is shown in Fig. 44.Notice that one of the phase space dimensions represents a source variable. Becausesequences of switches occur instantaneously, external variables cannot change duringsuch a sequence. Therefore, external variables are invariant across a sequence ofswitches as well, and consequently they can be used in the energy phase space analysis.The dimension of the displacement variable xrod is omitted for clarity reasons.System PartitioningA bond graph model of the internal combustion engine is shown in Fig. 45. On thetop-right, the intake and exhaust valve mechanisms are shown. The elastic collision82
0.00
0.05
0.10
0.15
-0.05
100 200 300 4000.00
0.05
0.10
0.15
0 100 200 300 400
xcamxrod
t tFigure 44: Simulation of the cam-follower system.e�ect is modeled as a modulated ow source and the non-elastic collision enforces thevelocity of the cam-axis. So, the opening and closing of the valves is controlled by thecam-axis, which also controls the ignition by driving a rotor and a breaker. The rotormechanism selects the cylinder that requires ignition and the breaker induces the highvoltage required by the spark plug. A gear train rotates the cam axis at half the speedof the crank-axis. The cylinder, on the left, is a control volume that exerts a forceon the piston which is translated into a torque on the crank-axis by the slider-crankmechanism. The ywheel, which has a high mass, smoothens torque uctuations. Theconnected ow source sets the motor to operate at a desired velocity. The cylinderloses heat to the environment by conduction through the cylinder wall. Also, heatis lost by convection [121, 122, 124, 125] when the exhaust fumes are blown out ofthe cylinder during the exhaust stroke. This energy convection is depicted as a owsource modulated by the ow of matter out of the cylinder (Qex). Correspondingly,there is convection of heat on the intake stroke, which also carries chemical energy.Both of these e�ects are modeled as ow sources modulated by the ow of matterinto the cylinder (Qin and Uc). The intake and exhaust of the cylinder are controlledby the intake and exhaust valve mechanisms and the ignition is controlled by thebreaker-rotor system. 83
C
I
I
C
R
RR
R
R
R4
Tair
PinPex
Qex
Qin
Uc
R1
1/2 camaxis
rotorbreaker
slider-crankmechanism
geartrain
cylinder
evironment
exhaust intake
R2
R3
R4
C1
CC6
I1
I6
II5
C20
0
0
21
21
31
1
1
1
11
1 1
1
MSf
MSf
MSf
Se
Sf
Se
11
11
Se
MTFMTF MTF MTF
MTFTF
TF
TF
vex
vin
vrotor
vbreaker
Apiston
mex
min
crank
desired
cam
cam
exhaustvalve
R I
CC8
R8 I8
1
MSf
0 076
Fex
1
vex
vex
vcam
I flywheel
intakevalve
I R
CC7
I7 R7
1
MSf
0 045
Fin
1
vin
vin
vcam-vin2vcam -vex2vcam
I
Figure 45: Energy part of a hybrid bond graph model of a four stroke spark-ignitioninternal combustion engine.84
To �nd interacting discontinuities, the controlled junctions of the intake valvemechanism can be considered. First, notice that there are no sinks of ow causalityin the crank-cam system, other than the crank velocity ow source and the modulated ow source that models the perfect elastic collision. Therefore, all inertias are eithermutually independent, or they are dependent of the crank velocity ow source. So,when controlled junction 4 switches on, it propagates a ow (crank velocity) upward,and consequently an e�ort (force, torque) downward. This e�ort instantaneouslypropagates through the cam-axis and gear train to the crank-axis where it feeds intothe system environment (where it may simply be dissipated by brakes). Because themotor is kept at constant rpm, this source is a sink of e�ort causality and instanta-neous changes of other variables do not occur. In the opposite direction, switching ofcontrolled junction 4 makes the valve inertia dependent, and, therefore, its velocity(vin) changes instantaneously, which is used as input to controlled junction 1 by aninstantaneous signal connection. The e�ects of this junction are fed into the cylindercontrol volume which is of an integrating nature so instantaneous propagation halts.Also, the abrupt change in vin caused by switching controlled junction 4 a�ects con-trolled junction 5. So, these three junctions (1, 4, and 5) are interacting and theircombination of on/o� states form a local mode. The energy phase space analysis nowhas to include all permutations of this local mode (23 = 8). Analogously, the numberof switch permutations for the exhaust valve is 8, which leaves just one more localmode in terms of controlled junction 3, which regulates ignition. The total numberof switch permutations that have to be considered are, therefore, 17, which is far lessthan the number of permutations of the global mode of this model (27 = 128).System partitions are determined by the degree of sti�ness introduced in the85
R
Pex
exhaust
R2 21
Se
C
R
Pin
R1
intake
C2
0
Se
11
vin intakevalve
I R
C
C
C7
C9
I7 R7
1
MSf
0 045
Fin
1
vin
vin
vcam-vcamvinFigure 46: Instantaneous ow areas for the intake valve mechanism when rod exi-bility is modeled.model. If a system is modeled to be very sti�, instantaneous changes propagatethrough the entire model. Suppose the motor is not kept at constant rpm by anexternal source. Now, any of the inertias that are part of the valve- and ignition-timing sub-system become dependent of the ywheel inertia. These dependent storageelements then reduce to one substitute, Is, with stored momentum ps. This causes thevelocity of the entire timing sub-system to change instantaneously and all controlledjunctions a�ect each other.Alternatively, if the valve rod is modeled to be exible, the valve inertia doesnot become dependent (on a source or other inertia elements) and it always enforcesvalve velocity. In this situation, the one I in the valve model fragment only becomesdependent on the elastic collision ow source, and, therefore, all controlled junctionsthat take the velocity as their input have to be analyzed jointly. This again resultsin the local mode consisting of controlled junctions 1, 4, and 5.As demonstrated by the example, physical systems provide for natural bound-aries of instantaneous changes. This phenomenon is exploited by the multiple energy86
phase space analysis method by partitioning the system into areas of instantaneouspropagation, resulting in local modes. This reduces the complexity of the analysisfrom 2n in case of n controlled junctions to k2l in case of k local modes each with lcontrolled junctions.
87
CHAPTER VIHYBRID DYNAMIC SYSTEMSThis chapter develops the mathematical formalisms for hybrid dynamic systemmodels. Model semantics, like before, are based on the principles that govern physicalsystem behavior. The components for an implementation model for hybrid dynamicsystems are presented and applied to the liquid sodium cooling system described inChapter I. IntroductionA hybrid system combines discrete switching patterns with continuous behavior,and, therefore, operates on a domain with discrete, � 2 @, and continuous, t 2 <,dimensions (Fig. 47). Behavior in this space is speci�ed by piecewise continuousintervals, x�(t), a function of both � and t. A hybrid dynamic systemmodels dynamicphysical system behavior. This behavior has to evolve over time, have and establisheddirection of ow, and necessarily covers the complete interval on the time-line forwhich it is speci�ed, therefore, the piecewise continuous intervals in temporal behaviorevolution are adjacent to each other with no gaps (Fig. 47). Behavior in the piecewisecontinuous intervals is represented by well behaved, continuous functions f , called�elds, which may be linear or nonlinear, and often are de�ned by a set of nonlinearordinary di�erential equations [44]. An instance of temporal behavior in a �eld iscalled a ow, F . Switching from one ow to another occurs at well-de�ned pointsin time when system variable values reach or exceed prespeci�ed threshold values.88
t
α
1
t
α
1Figure 47: A hybrid system (left) and a hybrid dynamic system (right).This de�nes an interval-point paradigm where ows are piecewise continuous andany discontinuous changes that occur have to be simple [108], i.e., limit values existat points of discrete switching. An example of such a discontinuity is shown inFig. 48, where there are two ows F�1 and F�3 that are C2 (i.e., they are two timesdi�erentiable) on their respective domains, V�1 and V�3. A point of discontinuity,P�2, on V�2 occurs at ts. Behavior at this point may be determined by an algebraicrelation instead of a �eld.In summary, a hybrid dynamic system consist of three distinct subdomains (Fig. 48):{ A continuous domain, T , with time, t, as a special continuous variable.{ A piecewise continuous domain, V , that speci�es variable ow, x(t), uniquelyon the time-line.{ A discrete domain, I, that captures the operative piecewise continuous domain,V�. De�nitionsLet I be a discrete indexing set and F�, � 2 I, be a continuous, C2, ow on apossibly open subset V� of <n, called a chart (Fig 49).1 The sub-domain of V� where1De�nitions used in traditional hybrid system modeling [44] are followed but modi�ed in partsto �t the physical system modeling paradigm. 89
t
x
α
α1
α2
α3
tsFigure 48: A hybrid dynamic system is piecewise continuous and operates on threesub-domains.a continuous ow in time occurs is called a patch, U� � V�. The ows constitute thepiecewise continuous part of the hybrid system. An explicitly de�ned isolated pointthat does not embody continuous behavior is called a pinnacle, P�. The discreteswitching function �� is de�ned as a threshold function on V�. If �� � 0 then thesystem transitions from chart V� to V�, de�ned by the mapping g�� : V� ! V�.The piecewise continuous level curves �� = 0 are denoted as S��, and de�ne patchboundaries. If a ow F� includes the level curve, S��, it contains the boundary point,B� (Fig 49). In summary, a hybrid dynamic system is de�ned by the 4-tuple2H =< V�;F�; ��; g�� > : (16)Points within the system are speci�ed by x�(t), a location in chart � at time t.Trajectories in the system start at an initial point x�1(t) and if �2�1 > 0, 8�2, the point2Guckenheimer and Johnson refer to the respective parts as < V�;F�; h��; T �� > [44].90
U1
V1
U2
V2
U3
V3
γ 12
γ 23
g12
g23
B2Figure 49: A planar hybrid system. ows in V�1 as speci�ed by F�1 until the minimal time ts at which �2�1 (x�1(t)) = 0 forsome �2. Taking x�1(t�s ) = limt"ts F�1(t) the transformation g�2�1 takes the trajectoryfrom x�1(t�s ) 2 V�1 to x�2(ts) 2 V�2. The point x�2(ts) = (g�2�1 (x�1(t�s )) is regardedas a new initial point and in case the new point is a pinnacle, it immediately invokes �3�2 which transfers the trajectory to g�3�2 (x�2(ts)) 2 V�3. Continuity of time requiresthat the basic trajectory of a hybrid system evolves in a manner that intervals andpoints have to alternate, and, therefore, this is a point on a ow F�3. Let x�3(t+s ) =limt#ts F�3(t), then x�3(t+s ) = g�3�2 (x�2(ts)) and is regarded the initial point in V�3 , andbehavior evolution in time continues along V�3.Approaches to Hybrid ModelingHenzinger, Alur, and Nicollin, propose an approach which is based on the observa-tion that continuous systems are best modeled by global sets of di�erential equations[2, 97]. A switching mechanism selects the set of di�erential equations whose as-sumptions are satis�ed by the state of the system. This switching mechanism is91
implemented as a temporal state machine. Because of the continuous-time characterof physical systems, this temporal state machine relies on dense time, i.e., transitionsoccur at real-valued points in time instead of discrete (integer) time points [4]. Thisframework has been employed to prove reachability and divergence of time charac-teristics in the limited case where the physical systems being modeled only undergoconstant rate of change in their variable values [48].3A well known characteristic of hybrid systems is the possibility of a number ofdiscrete changes occurring before a new patch is arrived at, where again a ow de�nedby a �eld governs system behavior [2, 44, 77, 98]. This situation occurs if �k+1�ktransports a trajectory to V�k+1 , and the initial point is transported by g�k+1�k to avalue that results in �k+2�k+1 � 0, i.e., g�k+1�k (x�k) 62 U�k+1, and another domain V�k+2 isinstantaneously arrived at. These immediate transitions continue till a domain V�mis arrived at where the initial point is within U�m. To deal with these sequencesof transitions, Alur et al. [2, 3], Guckenheimer and Johnson [44], and Deshpandeand Varaiya [31], propose model semantics based on temporal sequences of abuttingintervals [44] V�0z }| {x0 7! x1[t0 t1] g�1�0,! V�1z }| {x+1 7! x2[t1 t2] g�2�1,! : : : g�m�m�1,! V�mz }| {x+m 7! xm+1[tm tm+1] : (17)Since these intervals overlap in time, a trajectory may be in several locations at apoint in time, ts. Therefore, these points in time are complemented with an index thatspeci�es their order of transition. During a series of discrete switches, (ts; i); (ts; i+3These systems are far more restrictive than linear systems in the classical systems sense, andonly in approximation present in physical reality. Moreover, it requires precise control to achieve,as is elegantly shown by a water clock believed to be built by Ktesibios in Alexandria in the thirdcentury B.C. 92
1) : : : (ts; n) the trajectory moves between these ordered points in time, repeatedlyapplying g��, and depending on the ordering, di�erent initial points of a new ow maybe derived. Iwasaki et al. [51] introduce the concept of hypertime to represent theinstantaneous switching time stamp as an in�nitely short interval of time. Duringswitching, hypertime elapses, but that corresponds only to in�nitesimal actual timechanges. The sequence of switches can be analyzed in hypertime to yield similarresults.As described in Chapters III-V, this thesis de�nes a hybrid dynamic system withmodel semantics that are more speci�c than the approaches described above. Insteadof allowing several ow values at a point in time on a trajectory, it requires that a ow has a unique representation and lets this unique value be independent of thepath during a sequence of instantaneous switches. This requires the implementationof an interval-point paradigm to establish complete coverage of the time-line withinthe domain of operation of the system. This thesis shows that this more restrictivesemantics allow for easier, systematic, model building that results in models whosebehaviors do not violate physical system principles. Furthermore, there is no C2requirement for behavior at pinnacles, only the point needs to be well-de�ned intime. This is of great use when time-scale abstractions result in algebraic constraintsand system behavior is condensed into a posterior value at a point in time. Finally,the model semantics can be used to deterministically model physical systems andallows for a systematic model veri�cation method [80].93
γ α23α
γ α12α gα1
2α
gα13α
α1αx
α2αxα3αx
Figure 50: A trajectory is redirected when the transported point is out of the domainof the new patch. Physical System Model SemanticsTo ensure correct transitions between modes in physical system models, the prin-ciple of invariance of state applies. During a sequence of transitions, speci�ed by ��,a new point x�2 derived by g�2�1 causes an immediate transition because it is not inU�2, it is not considered to have an actual representation on the time-line, and doesnot a�ect the mapping of x� as shown in Fig. 50. Therefore, when �3�2 speci�es atransition to V�3, then new x�3 is derived by applying g�3�1 to the original point x�1.Like before, x�2 is mythical, i.e., it has no real existence in time for this behaviortrajectory. In general, �� is a function that depends on values x�, prior to the jump,and values x+� after the jump. The semantics are speci�ed by the recursive relationbetween �� and g�� which takes the form8>>><>>>: x+�k = g�i�k(x�k) �i+1�i (x�k ; x+�k) � 0 (18)illustrated in Fig. 51. Note the �k subscript in g�i�k .94
[< ]>
ααk
k+1γ
ααk
k+1g ααm
m+1gααk
k+2g ααm
m+2gααk
mg ααm
ng
ααk+1
k+2γ ααm-1
mγ
s2t s2
ts1t < >s3
ts2t
αkV αn
Vαk+1V αm+1
Vαk+2V αm+2
VαmV
αmx
αk
+αx αk
+αx αk
+αx αm
+αx αm
+αx αm
+αx
αkxαk
x
ααm+1
m+2γααm
m+1γ ααn-1
nγ
αnxαn
xFigure 51: System state is derived from the original state vector.The interval-point paradigm implies that two types of jumps are possible:1. V�k c- sV�m: A discontinuity at ts moves x�k from an interval, ow F�k n B�k,to a point, pinnacle P�k+1 or ow F�k+1. In this case, x�k(t�s ) = limt"ts F�k(t) istransported to x+�k, computed by Eq. (18) as g�k+1�k (x�k). The recursive switchingterminates when �m�m�1(x�i; x+�i) > 0 and the function value x�m(ts) is taken asx+�k = g�m�k (x�k).2. V�k s- cV�m : A discontinuity at ts moves x�k from a point, pinnacle P�k orboundary point B�k , to a ow, F�k+1. In this case, x�k = x�k(ts) is transportedto x+�k computed by Eq. (18) as x+�k = g�k+1�k (x�k). The recursive switchingterminates when �m�m�1(x�i; x+�i) > 0 and the function value x�m = limt#ts F�m(t)is taken as x+�k = g�m�k (x�k).A s- c transition results in the activation of a ow, and the system evolves continu-ously before a new sequence of switches is initiated.4A trajectory is now described by initiallymoving along a ow, F�1, x+�1 = g�1�1 (x�1) =4In collision chains, the system may move through a series of pinnacles that represent Newton'scollision law, before a new ow is arrived at. Though this behavior can be well captured by theformulated semantics, it violates the interval-point paradigm and may result in poorly de�ned modelssince no speci�c time is know for each of the separate collisions.95
x�1. At time ts, �2�1 (x�1; x+�1) = 0 with x�1 = limt"tsF�1(t). Therefore, a dis-crete c- s change occurs, and the trajectory is transported from x�1(t�s ) to the pointg�2�1 (x�1(t�s )) which results in a posterior value x+�1 = g�2�1 (x�1(t�s )). If x+�1 62 U�2 thetrajectory is redirected by �3�2 (x�1; x+�1) � 0 (Fig. 50), which immediately transportsthe trajectory to the point g�3�1 (x�1(t�s )). Again, the trajectory may be redirectedbased on x+�1 = g�3�1 (x�1(t�s )) to V�3. This recursive process continues until an x�mis arrived at that is within a patch U�m, �m�1 (x�1; x+�1) > 0. After the successfultransition is made, the a priori value is updated to x�m(ts) = g�m�1 (x�1(t�s )). If thenew point is a pinnacle, �m+1�m (x�m; x+�m) � 0, which leads to s- c switching, and thetrajectory is transported from x�m(ts) to g�m+1�m (x�m(ts)). Based on the new valuex+�m another sequence of recursive switches may ensue until x+�m is within the domainof a patch U�n. When switching ends, a new ow, F�n in V�n , is reached and thepoint x�n(t+s ) = g�n�m(x�m(ts)) is taken as the initial point and this process continuesas system behavior evolves. NotesThe point x� initiates switching and controls point-interval evolution in time,whereas x+� drives the recursive switching and determines intermediate charts, V�,that are traversed before x� is updated. Furthermore, switching conditions of theform �i+1�i < 0 are a special case of �i+1�i � 0 where B�i is the endpoint of F�i.Conjecture VI.1 Consider a transition sequence V�k �! V�m �! V�n.Lemma VI.1 Domain V�m contains a ow if (x = x�k(ts))F�m : g�m�k (x) = x (19)96
Proof: If �n�m(x; g�m�k (x)) > 0 then V�m is real. If V�m is a pinnacle, then �n�m(g�m�k (x); g�m�k (x)) � 0 which cannot be satis�ed for a real mode if x = g�m�k (x).If g�m�k (x) 6= x then V�m contains a ow ifF�m : �n�m(x; g�m�k (x)) > 0 ^ �n�m(g�m�k (x); g�m�k (x)) > 0 (20)where the �rst condition ensures the mode is real, and the second that it is not apinnacle. It consists of a pinnacle ifP�m : �n�m(x; g�m�k (x)) > 0 ^ �n�m(g�m�k (x); g�m�k (x)) � 0: (21)If V�m contains a ow, it may not contain the boundary where its ow exits, (x =x�m(ts))) F�m n B�m : F�m ^ �n�m(x; g�n�m(x)) � 0 (22)which implies that V�n is either a pinnacle or a ow that contains its initial point,F�m n B�m ) P�n _ (F�n \ B�n): (23)A Hybrid Dynamic System Implementation ModelTo model hybrid dynamic systems, the mathematicalmodel has to be implementedby a model that supports the idiosyncrasies of dynamic physical systems. This sec-tion develops this implementation model for embedded control systems, which com-bine discrete mode-switching behavior with modes of continuous operation [88]. Forexample, Fig. 52 shows a cooling sub-system in a nuclear reactor. During normaloperation, the main motor maintains a constant ow of liquid sodium, controlled bycontinuous PID controllers. Valves throughout the loop can be operated to move the97
evaporator
mainmotor
secondarysodiumpump
intermediateheatexchanger
blow
er
sodium flow stopping valve(normally opened)
sodi
umflo
wst
opp
ing
valv
e(n
orm
ally
clos
ed)
primarysodiumloop
feedwaterloop
air
cool
er
Fin
CEV
I IHX
Rpump
Ralarm
BpB
fA
AFigure 52: Continuous and discrete process control.system into di�erent modes of operation. The process and PID controllers are con-tinuous and the opening and closing of valves appear as discontinuous con�gurationchanges. In general, con�guration changes in the system can be attributed to threephenomena: (1) when physical system signals, �p, cross threshold values; this can bemainly attributed to abstractions incorporated in the physical system and continuouscontroller model, (2) explicit signals, �c, that activate the closed loop controller tomake changes, and (3) external, open loop control. The events generated by thesephenomena are called, �p, �c, and �x, respectively. Fig. 53 shows the general hybridarchitecture of a controlled physical process. The process and its continuous controllerembody the continuous characteristics of the system. Note that the input signal u isrequired to be continuous. Discontinuous changes in the input (e.g., step input) andchanges in the low-level continuous controller are modeled by the open loop controllerdeactivating one input signal and at the same time activating the newly desired input.98
process
continuouscontroller
physicaldiscontinuities
open loopcontroller
closed loopcontrollerφ
α
xσ
cs
pspσ
cσ
ur + _ yFigure 53: A physical process under hybrid control.The Continuous ModelPhysical system behavior governed by the principles of conservation of energyand continuity of power, is typically described by a state space representation withordinary di�erential equations (ODEs),_x(t) = f(x(t); u(t); t); (24)where x 2 X is the vector of the state variables of the system and u 2 U the vectorof external input. Thus, the continuous system model is made up of:{ X 2 <m, represents the state vector of the continuous model.{ U 2 <p, represents the input vector of the continuous model.{ _x(t) = f�(x(t); u(t); t); i 2 @; i 2 [0; �max]; t 2 < de�nes the continuous behaviorof the system in operational mode � for which there is one and only one �eld,f�. 99
The Discrete ModelDiscrete events in embedded control systems stem from [59]:{ discontinuous input produced by idealized discrete actuators,{ discontinuous control which switches operational modes based on prede�nedcontrol algorithms,{ modeling artifacts, where nonlinear behaviors of a system may be abstracted orapproximated as piecewise linear behavior, and{ discontinuous output which is the result of measurements made on discretesensors.These events are of two types: (1) time events and (2) state events [17]. Timeevents result from digital control, where discrete actuation occurs at a point in timedetermined by a control algorithm. State events are generated by the process whencertain signal values cross speci�ed thresholds and mode transitions are invoked.Since the only spontaneous change in embedded control systems is data [60], thesetime events are, in principle, state events as well [133]. The discrete changes canbe modeled by a state machine, where each state in a set I corresponds to a modeof system operation. The discrete model may consist of a number of independentstate machines, in which case an operational mode is determined by the combinationof individual states of the independent state machines. Transitions are invoked byevents in a set � and move the discrete model to a new state based on the transitionfunction, �. This paradigm can be implemented by Petri nets or �nite state automata.The discrete model description is represented as:100
{ I = f�0; : : : ; �kg, is a set of states describing operational modes of the system.{ � = f�0; : : : ; �lg, is the set of events that can cause state transitions.{ � : I � � ! I, represents a discrete state transition function that de�nes thenew mode reached after an event occurs. Events are generated by the physicalprocess or the closed loop controller, or they can be external, open loop, controlsignals, � = �p � �c ��x. InteractionInteraction between the continuous and discrete part comes in two forms: (1)discrete events generated by the continuous model, and (2) a change of operationalmode by the discrete model.The interaction can be speci�ed by:{ S 2 <n, the signals used for event generation.{ g : X � I ! X+, transfers the continuous state vector to the new operationalmode, � 2 I, which may result in it changing discontinuously. X+ representsstate vector values at the initial point in time when a mode change has occurred.{ h : X � U � I ! S, determines signal values S and S+ computed from X andX+, respectively.{ : S � S+ ! �s, where �s = �p � �c, generates discrete events from the apriori and a posteriori signal values.The function generates discrete events when signals, s 2 S, cross pre-de�ned thresh-old values. The output function, h, computes the values of these signals from the101
continuous state vector in an operational mode. The generated events applied to themodel may indicate that the system changes its mode of continuous operation. Asso-ciated with every continuous mode, �, is a �eld, f�, specifying continuous behaviorevolution. If a mode has no continuous behavior it is completely speci�ed by thealgebraic relations in g.In summary, the complete hybrid system model is de�ned by the 9-tuple [59]:H =< I;�; �;X;U; f; g; h; >; (25)with the continuous, discrete, and interface components (Fig. 54). In terms of themathematical model in Eq. (16), I de�nes the modes of operation, �. The piecewisecontinuous domain, V�, is determined by X and U , and continuous behavior F� oneach domain is speci�ed by f . The function g�� equals g, and �� is determined byh; ;�, and �. The additional complexity is required because physical con�gurationswitches are typically based on signal values, derived by h from the energy state.Furthermore, the implementation of the discrete model component as a �nite stateautomaton requires and event set, �, and transition function, �.Partial Liquid Sodium Cooling SystemFig. 52 shows a schematic representation of part of the liquid sodium coolingsystem in a nuclear reactor [81]. The main motor drives a pump which establishesa ow-rate Fin, and a continuous controller ensures su�cient torque is available tomaintain the desired ow rate. Pump losses are represented by the dissipation param-eter, Rpump. The uid is pumped through a coil in an intermediate heat-exchangerwhich has an inertia value, IIHX, responsible for building up ow momentum. An102
+s
u
h
g
α
α
γφ
αf
xσ sσ
+x
+x
x x
h
s
Figure 54: Block diagram of a general hybrid system.evaporator is used to transport heat from the heat-exchanger to a steam water loopwhere it drives a turbine to produce electricity. Associated with the evaporator vesselis capacitance CEV . A discrete controller acts on the two valves, A and B. In normaloperation, A is closed and B is open. In an alarm situation, valve B may be closedby supervisory control and the closed loop controller is required to activate the alarmpath with resistance Ralarm by opening valve A until it is safe to stop the ow of uidcompletely.The continuous variables de�ning a state vector in this system are the ow mo-mentum, x1, in the coil of the intermediate heat exchanger, IIHX, and the stored uid, x2, in the evaporator, CEV x = [x1 x2]T : (26)The input to the system is the input ow, Finu = Fin: (27)103
The discrete model is determined by the two valves in the system which resultsin four operational modes, �00 = fAclosed; Bclosedg, �01 = fAclosed; Bopeng, �10 =fAopen; Bclosedg, and �11 = fAopen; Bopeng, soI = f�00; �01; �10; �11g (28)In normal operation, valve A is closed and valve B is open which speci�es the initialmode, �01. Valve A is controlled by a closed loop discrete controller, and valve B byan open loop discrete controller. When the open loop control closes B by generating�B!off , the uid ow becomes 0 instantaneously and a large pressure is induced.To prevent this pressure from becoming too high and causing damage to the piping,the closed loop control makes a release path available by generating �A!on whenpB > pcritical, which opens valve A. Over time, the pressure falls below pcritical, andthe controller closes the valve A, �A!off . This results in the complete event set� = f�A!on; �A!off ; �B!offg (29)The closed loop controller generates events �c, which are speci�ed by : 8>>><>>>: pB > pcritical ! �A!onpB � pcritical ! �A!off (30)and the corresponding mode changes are executed by �� : 8>>>>>>><>>>>>>>: �A!on ! �10 if �00�B!off ! �00 if �01�A!off ! �00 if �10 (31)The instantaneous change in ow to 0 when valve B closes represents a reduction in104
the size of the continuous state vector, and is captured by g in x+ = g � x,g : 8>>>>>>><>>>>>>>: [0 1] if �00[1 1] if �01[1 1] if �10 (32)The function h translates the state variables [x1 x2]T into signal valuess = [pB fA]T (33)that are used by . Note that when both valves are closed, the pressure pB is deter-mined by a derivative relation, pB = FinRpump � IIHX dx1dt , which is approximated bya Dirac pulse, �, for discontinuous changes in x1. Let the function sign be de�ned assign(x) = 8>>>>>>><>>>>>>>: �1 if x < 00 if x = 01 if x > 0 (34)Then, a discontinuous change results in pB = FinRpump � IIHX dx1dt = FinRpump �sign(x+1 � x1)�, which yieldsh : 8>>>>>>><>>>>>>>: pB = sign(x+1 � x1)�; fA = 0 if �00pB = x+2CEV ; fA = 0 if �01pB = Ralarm x+1IIHX ; fA = x+1IIHX if �10 (35)and the speci�cation of the hybrid system is complete.Model Veri�cationA key aspect of hybrid system modeling is to de�ne the interaction between thecontinuous and discrete components in an integrated manner, without violating over-all physical system principles. Chapter IV shows how consistency of interaction is105
maintained if divergence of time is satis�ed. Chapter V employs energy phase spaceanalysis to verify divergence of time based on the principle of invariance of state asdeveloped in Chapter III. This section presents the mathematical equivalent of theenergy phase space analysis methodology for a generalized state vector of linear sys-tems. Furthermore, it introduces the principle of temporal evolution of state as anadditional veri�cation tool to ensure well de�ned models.Generalized Invariance of StateChapter IV shows that a special continuous state vector, p0, of a physical systemmodel represents the stored energy in physical bu�er elements, e.g., springs, capac-itors, and inertias, and is invariant across consecutive changes in operational mode[87].Conjecture VI.2 The special state vector, p0, is invariant across mode changes.Lemma VI.2 (Generalized Invariance of State) Any vector that represents thestate of a linear physical system is invariant across mode changes.Proof: Let x0 represent a possible state vector in operational mode �0. Then, fora linear system, there is an algebraic translation T0 unique to a given operational modethat de�nes the relation between x0 and the special state vector p0 de�ned above,i.e., x0 = T0(p0). Since p0 is invariant across mode changes, so is T�10 (x0). If xn isa vector capturing the system state after the mode changes end, then xn = Tn(pn)and, since p0 is invariant across transitions, xn can be expressed as, xn = Tn(g(p0)).So, xn = Tn(g(T�10 (x0))) also is invariant because the function g and the mappings106
10 SwR1
R2
Vin LD
I L
VL
SwR1
R2
Vin LD
I L
VL
SwR1
R2
Vin LD
I L
VL
00 01Figure 55: Invariance of state in a dynamic physical system.Tn and T�10 are de�ned by the speci�c operational mode and is not a function of howthis mode was achieved, i.e., they are path invariant.The continuous state vector of the diode-inductor circuit in Fig. 55 (which is alsodiscussed in Chapters I and IV) can be chosen as either the inductor current, IL, orthe inductor voltage, VL. The algebraic translation between the states depends onthe operational mode T : 8>>>>>>><>>>>>>>: VL = 0 if �00VL = ILRL + VD if �01VL = �ILRL + Vin if �10 (36)The principle of invariance of state in Chapter III states that if the inductor currentis chosen to represent system state it is invariant, i.e., I+L can be expressed in termsof IL;0, the current before switching, as I+L = IL;0 independent of the intermediatecon�gurations [79].5If the state vector is de�ned in terms of VL, and its value before switching begins isVL;0, then, using invariance of state of the special state variable, IL, I+L = g(IL;0) = IL;0and T�01 : V +L = I+LRL+VD, V +L = IL;0RL+VD. If IL;0 is expressed in terms of VL;0 byusing T�1�10 : IL;0 = � 1R1VL;0+ 1R1Vin the new continuous system state can be expressed5Note that g(x) = x is a special case of mapping the state vector.107
in its value before switching by T�01(T�1�10),V +L = R2R1VL;0 + R2R1Vin + VD (37)This illustrates that, in general, the new value of any continuous state vector isindependent of the intermediate transient operational modes that are instantaneous.It is completely determined by the original and new modes of continuous operationonly. Temporal Evolution of StateChanges in the number of degrees of freedom of a system can occur because ofdependencies caused by con�guration changes. The result is dependencies amongstate variables and exogenous variables, producing discontinuous changes in valuesthat can only occur at well-de�ned points in time. Continuity of power requireswell-de�ned functions on the left and right intervals about the point of discontinuity(Fig. 51), therefore, con�guration changes cause piecewise continuous behaviors witha countable number of simple discontinuities which have a limit value [108]. Asdemonstrated earlier in this chapter, this de�nes an interval-point paradigm for activemodes of operation. It is shown that the state vector at the point of discontinuity isthe limit value of the state in the new operational mode.Conjecture VI.3 A hybrid system is piecewise continuous.Lemma VI.3 (Temporal Evolution of State) Continuous state variable valueshave to be continuous in left-closed intervals.Proof: For simple discontinuities, limit values exist, and, therefore, at a time ofswitching, ts, xk(t�s ) = limt"ts xk(t), and xn(t+s ) = limt#ts xn(t) (Fig. 51). In case of a108
jump, xk(t�s ) 6= xn(t+s ). Because the state vector exists for all points on the real time-line, there is a state vector xm(ts) determined at ts. If the state vector at ts, xm(ts) 6=xn(t+s ) then the system continues to evolve in a left open interval, < ts;!>, aftercon�guration changes have occurred, starting with limt#ts xn(t). However, causalityrequires that the initial state in the new con�guration be a function solely of xm(ts)and the new con�guration, and, therefore, the state vector has to evolve in left-closedintervals, [ts;!>.The required left closed intervals of state variable values in time determine thatdiscontinuous changes in the state vector can only occur when the system transfersfrom an interval to a point. Note that this does not prohibit con�guration changesfrom occurring when the system transfers from a point to an interval, as long asthe number of degrees of freedom of the system does not decrease. The signals asderived by h may contain Dirac pulses which occur at the points in between intervalsof continuous operation. Divergence of TimeChapter IV presents the principle of divergence of time [47, 87] as an importantveri�cation mechanism for hybrid modeling of embedded control systems. Chapter Vshows that this is best addressed by invoking the principle of invariance of state. Sig-nal values may change discontinuously between operational modes, but their values inthe newly arrived mode are always determined by the state vector of the last contin-uous operational mode. Since this state vector is not a�ected by future con�gurationchanges, it is invariant and can be applied to establish a necessary condition for di-vergence of time. However, the event generation conditions are typically speci�ed in109
terms of signals and based on the newly found state vector, and, therefore, a mappinghas to be applied to express the event conditions in terms of the original state vectorbased on the inverse relation of g and h.In general, system veri�cation proceeds by applying to � to determine whichconditions cause transitions between operational modes. Then h is used to expressthese relations in terms of the continuous state variables and g is applied to translatethe conditions in terms of the switching invariant original state.Veri�cation of the Cooling SystemTo verify consistency, the closed loop switching speci�cations in for which furthermode changes occur are found. Using � to establish conditions for further switching, combined with h shows that this occurs when8>>><>>>: FinRpump � sign(x+1 � x1)� > pcritical if �00Ralarm x+1IIHX � pcritical if �10 (38)To verify consistency, these conditions have to be expressed in terms of the switchinginvariant, i.e., the state variables before switching [x1 x2]T , [x+1 x+2 ]T = g[x1 x2]T ,yields 8>>><>>>: FinRpump � sign(�x1)� > pcritical if �00Ralarm x1IIHX � pcritical if �10 (39)Therefore, closed loop switching events are generated when FinRpump�sign(�x1)� >pcritical and x1 � IIHXRalarmpcritical. Considering that � approaches in�nity, there is anarea 0 < x1 � IIHXRalarmpcritical where the system switches between modes �00 and�10 inde�nitely. For this ow momentum, the system is not consistent as it is not110
determined which of the operational mode is reached.6 Note that, if x1 = 0 thenFinRpump > pcritical causes inconsistency, which is true if Fin � pcriticalRpump .The interaction between the discrete and continuous domain shows that a controlalgorithm based on pressures is insu�cient. To establish consistent control, the owmomentum that causes the build-up of pressure needs to be considered as well. If thismomentum has fallen below a safe threshold value, fth, build-up of pressure does notexceed the critical value and the alarm valve can safely be closed. To specify theseconstraints, x1 � IIHXfth is added to the precondition for �A!off and x1 > IIHXfthto �A!on. Now, a unique operational mode is speci�ed for the complete hybrid systemif Fin < pcriticalRpump . Note that the added condition is of an energy nature, since it is basedon the ow momentum of the system. SummaryIn general, hybrid dynamic systems can be classi�ed into three categories:{ Weak hybrid dynamic systems do not allow discontinuous changes of the energystate, nor do they allow sequences of mode changes, i.e., g��(x) = x and h� = h�.{ Mild hybrid dynamic systems deal with discontinuities in the energy state vari-ables, but do not allow sequences of changes, i.e., g��(x) 6= x and h� = h� = ;.{ Strong hybrid dynamic systems generate time and state events that may resultin sequences of mode changes as well.6This is also true if the system were modeled to be non-deterministic. A loop of operationalmodes is di�erent from a unique mode that is not deterministically arrived at.111
The described modeling formalism and semantics cover the spectrum of hybrid dy-namic systems. It di�ers from other approaches by recognizing that there are twotypes of modes: real modes that a�ect the state vector and energy variables directly,and mythical modes that do not. If this distinction is not made, and only real modesare allowed, it is the task of the modeler to ensure only real modes are achieved. Inthe proposed model semantics, any number of mythical modes exist at a point intime, but there is one and only one real mode for each point in time. This distinctionallows for a systematic modeling approach and veri�cation methodologies to ensurethat the hybrid models generate correct behaviors.
112
CHAPTER VIIFORMAL SPECIFICATIONS FROM HYBRID BOND GRAPHSThis chapter brings together the material discussed in Chapters III-VI, and usesthe classic example of a thin rod colliding with a oor [64] to show how formalspeci�cations developed in Chapter VI can be systematically derived from the hybridbond graph model presented in Chapter IV [83, 84]. Model veri�cation issues are alsoexplored in greater detail in this chapter.Specifying the Falling RodConsider an idealized rigid thin rod falling toward a perfectly rigid oor at an angle� shown in Fig. 56. The hybrid bond graph model of the resultant collision is shown inFig. 57. The model fragments in the bond graph, based on rigid body mechanics, wereproposed by Bos [12]. Assuming the movement of the rod is only in the x-y plane,where x is the axis along the oor and y the vertical axis, the rod has three degreesof freedom. Its velocity can be broken down into three components: linear velocitiesin the x and y directions, vx and vy, and an angular velocity, !. The correspondingstorage elements for these components are the inertia or mass elements, mx, my,and J , respectively. The geometric relations between these velocities are illustratedin Fig. 56 and represented in the bond graph model by a modulated transformer.Gravity is modeled by a source of constant force, mag, working on the y componentof the center of mass.The forces and velocities at point A connect to the model at the 0C junctions,113
-lω sinθlω cosθ
M
B
A
x
y
y
x
0
0
1
1
ω
-l
l
lω
θ
v
Ml
l
A
B
00
θ
g-a Figure 56: A collision between a thin rod and a oor.1
S
MTF
0C
0C
IJ -lsin
lcosθθ 1 I
my
Imx
vy
vR,xFA,x
Fn
vx
Sem ag
ω
Fn
ONC:
OFF
00vy- lsinθ
+ lcosθω 0vy
0Ff-Ff
S:ON
OFF
vR,x vx vth| + | < FA,x Fn| | >µ
1
2 3
vR,x vx+ < 0
vR,x vx+ < 0
vR,x vx+ = 0vR,x vx+ = 0
vR,x vx+ > 0
vR,x vx+ > 0Figure 57: Hybrid bond graph model of a rigid body collision between a thin rod anda oor. 114
one for the x direction and one for y. When the body is moving freely, forces on thisjunction are 0, it is o�. When the body is in contact with the oor, 0C is on and ifno other elements are connected, it enforces a 0 velocity at point A. The oor surfacehas associated Coulomb friction, Ff , whose magnitude depends on the normal force,Fn, exerted by the surface and a friction coe�cient, �, as Ff = �Fn. On collision, ifits force along the surface is large enough, i.e., jFA;xj > �Fn, the rod starts to slidealong the oor and rotate around the point of contact. This sliding motion is invokedby a discrete event �slide that is generated when jFA;xj > �Fn (Fig. 58), which causesthe discrete event model, �, to transfer to a discrete mode where the continuous �eld,f , models a rod sliding on a oor under Coulomb friction. If the velocity of therod-tip, A, along the oor falls below a threshold value, jvx;Aj � vth, the discreteevent �stuck is generated and � moves the system into an operational mode wherethe rod is stuck at the point of contact and rotates around it. This represents anexample of closed loop physical events. In the hybrid bond graph, the friction forcein the x direction is represented by a piecewise continuous modulated source, MSe.Depending on whether the rod sticks on the oor or slides, friction exerts a force0; Ff ;�Ff on A (see Fig. 59). The sign of the friction force depends on the directionin which the rod slides, because friction always opposes motion.The CSPEC part of the hybrid model is speci�ed as �nite state automata, onefor each controlled junction. The hierarchical �nite state machine that controls 0Scan be in one of several on states. Each one activates a region of the piecewisecontinuous friction function discussed above. The Coulomb friction (Fig. 59) canbe represented in a concise form in the hybrid bond graph using the multi-bondnotation [14], illustrated in Fig. 60. In its o� state, the junction enforces 0 ow.115
vx
vy
−ω
01
vx
vA,x vy
σstuck
σslide
−ω
11fFFigure 58: Sliding and rotating rod under Coulomb friction.
-FvA,x
Ff
fσslide
σstuck
σzeroσzero
σpos
σpos
σneg
σneg
1
1
23 3
2
0Figure 59: Coulomb friction causes physical events.This allows all source elements to be continuous functions over their active areas andmakes mode switches that are internal to sources explicit in the hybrid bond graphframework, and, therefore, part of the mode-switching algorithm. This guaranteesconsistency in behavior generation, since all discrete phenomena are handled by onemechanism and all other in uences are continuous.Fig. 61 illustrates the di�erent modes of operation for the rod system. Initially,the rod is falling freely under gravity and this corresponds to mode �00 of the system.S(1)1
1S(2)
1S(3)
MSe: 0
MSe: Ff
MSe: -Ff
0CS 0C
0Ff-FfFigure 60: A multi-bond controlled junction to model Coulomb friction.116
In the hybrid bond graph, the controlled junctions 0C and 1S are o� and replacing thejunctions with their 0 value sources results in the bond graph (mode �00) shown inFig. 62. To ensure correct loading, not all 0 value sources can be removed (grayed out)from the bond graph. The position of the rod-tip closest to the oor, yA, is determinedby the sum of the position of the center-point, yM = R vy, and the distance of the rod-tip from the center point, �lsin�. When yA = R vy � lsin� becomes 0, this impliesthe rod has collided with the oor and 0C comes on. The model transitions intomode �01. This causes dependency between the linear and angular velocities, andthe energy redistribution is computed which determines the forces that the rod exertsin the horizontal direction, FA;x, and vertical direction, FA;y. If the rod-length andangle of collision are such that jFA;xj > �Fn, 1S comes on (i.e., the model transitionsinto mode �11) and the rod begins to slide. Otherwise, it sticks and rotates aroundthe point of contact, i.e., mode �01. In case the rod starts to slide, its initial kineticenergy before contact is redistributed over the angular and vertical momentum toensure the vertical velocity of the rod-tip, vA;y, is 0. This corresponds to mode �11.In this mode, the horizontal velocity of the rod-tip, vA;x, is determined by the angularvelocity, !, and the friction force Ff , which is initially 0 given vA;x = 0. However,because of the discontinuous change of ! upon collision, vA;x changes discontinuouslyas well, and, therefore, the system changes from the operational mode where Ff = 0to mode �21 where Ff = �Fn given vA;x < 0. Note that in modes �11 and �21 theinitial vertical momentum is distributed only over its posterior angular momentumand vertical momentum to ensure yA does not change at the point of contact. If theenergy state vector in the sliding mode, �11, was computed from the intermediatestuck mode, �01, it would have a horizontal velocity associated with its center of117
v
Ml
l
A
B
00
θ
vA,x vy
−ω
11
01A,yF
A,xF
vx
vy
−ω
01
vx
vy
−ω
vx
vA,x vy
−ω
21fF
vx
vA,x vy
−ω
21fF
vx
vy
−ω
00
g-a
Figure 61: Possible modes of operation of a thin rigid rod falling onto a rigid oor.1
MTF
0C
0C
IJ
1 Imy
Imx
1 1
1S 1S
MTF MTF
0C 0C
0C 0C
IJ
IJ
MSe0
MSeFf
Se
1 1Imy
Imy
Imx
Imx
1
Sf:0
MTF
Se0
Se0
IJ
MSe0 Sf:0MSe
0
1 Imy
Imx
00 01 11 21
-lsinlcos
θθ
-lsinlcos
θθ
-lsinlcos
θθ
-lsinlcos
θθ
m agm agm agm agSe Se SeFigure 62: Dynamically generated model con�gurations for the colliding rod.mass which would keep the rod-tip from moving in the x direction as well. Thisbehavior would be incorrect. All this demonstrates the importance of the propercomputation of the state vector across a series of discontinuous changes. As shownby this example, the hybrid bond graph approach provides a seamless integration ofcon�guration changes based on local switches. Other examples of hybrid bond graphmodels are discussed in [77, 78, 79]. 118
The Continuous ModelThe continuous model can be directly derived as explicit ODEs in each operationalmode from the hybrid bond graph in Fig. 62. The linear and angular velocities arechosen as state variables, X = f!; vx; vyg (40)and the input vectors include friction and gravitation forces,U = fFf ;magg: (41)As an example, consider operational mode �21. The bond graph shows the J iner-tia to be in integral causality, and, therefore, its angular velocity, !, is completelydetermined by the torque, � , _! = �J (42)The transformer determines the torque value as the sum of horizontal and verticalforces � = �lsin�Ff + lcos�(Fy �mag) where the friction force, Ff , is determined bythe normal force on the rod Ff = �Fn = �(Fy �mag). Combining these equationsand substituting m _vy for Fy, yields� = (lcos� � �lsin�)(m _vy �mag): (43)If the Coriolis component is neglected, _vy = lcos� _! and _! can be solved as_! = �ml(cos� � �sin�)J +ml2cos�(cos� � �sin�)ag (44)and f�21 : 8>>>>>>><>>>>>>>: _! = �ml(cos���sin�)J+ml2cos�(cos���sin�) ag_vx = ��(lcos� _! + ag)_vy = �lcos� _! (45)119
Similarly, the �elds for the other operational modes can be derived as explicit ODEsand these are given in Appendix A.The Discrete ModelThe discrete model, as speci�ed in the CSPEC part of the hybrid bond graph inFig. 57 consists of two independent state machines, one of which is hierarchical. Thecorresponding state transition tables are given in Appendix A. The global state ofthe discrete model is a combination of the states of the C and S automata, indicatedby two digits, one representing the state of C and one representing the state of S,e.g., �01! S(0) ^C(1) and �21 ! S(2) ^C(1), where 0 indicates the correspondingjunction is o� and any other number indicates the corresponding active state. Thediscrete event set consists of the events that capture Coulomb friction and the eventsthat specify whether there is contact, �contact and �free.InteractionSignal values from the continuous model are used to generate discrete events basedon the function, . The events that determine whether there is contact or not arebased on the vertical position of the rod-tip, yA, whether the rod-tip has positiveor negative momentum, pA;y , and the normal force exerted by the oor, Fn. Todetermine the state of the Coulomb friction function, the force exerted by the rod-tipin the horizontal direction, FA;x, the normal force, Fn, and the horizontal velocity ofthe rod-tip, vA;x, are used. A threshold velocity, vth, has to be maintained for the rodto keep sliding. To reiterate the convention in this thesis, energy variables constitutethe a priori switching values. The energy variables for this falling rod example are120
pA;y and yA. All other signals are a posteriori values, indicated by a + superscript inthe event generation function, : 8>>>>>>>>>>>>>>>>>>>>>>>>>><>>>>>>>>>>>>>>>>>>>>>>>>>>:yA � 0 ^ pA;y � 0 ) �contactF+n � 0 ) �freejF+A;xj � �F+n > 0 ) �slidejv+A;xj � vth � 0 ) �stuckv+A;x = 0 ) �zerov+A;x < 0 ) �negv+A;x > 0 ) �pos (46)The signal values S = fyA; vA;x; vA;y; Fn; FA;xg (47)are derived from the a priori or a posteriori state variables using the function h.Except for Fn and FA;x, these signals are independent of the model con�guration.This determines h : 8>>>>>>>>>>>>>>>>>>>>>>>>>><>>>>>>>>>>>>>>>>>>>>>>>>>>:
yA = R vydt� lsin�vA;x = vx � l!sin�pA;y = m(vy + l!cos�)Fn = 8>>><>>>: 0 if �00m( _vy � ag) otherwiseFA;x = 8>>><>>>: 0 if �00m _vx otherwise (48)Note that the derivative nature of the forces results in Dirac pulses during modechanges if there are discontinuous changes in the posterior signal values, s+.1 If a1This does not necessarily require the posterior values of the energy state x+ to change discon-tinuously as well. 121
discontinuous change occurs, a Dirac pulse, �(s+�s), is generated which has area s+�s. This signal dominates continuous variables in switching conditions and comparisonbetween the Dirac pulses is based on their respective areas. For example, uponcollision, FA;x = m�(v+x �vx) and Fn = m(�(v+y �vy)�ag). Because of the magnitudeof the Dirac pulse, the ag term in Fn can be neglected under discontinuous change ofvy, and the comparison of j�(v+x � vx)j > ��(v+y � vy) can be reduced to a comparisonof jv+x �vxj > �(v+y �vy) to determine whether the �slide event is generated to activatethe sliding mode.When a new operational mode is activated by the discrete model, the functiong speci�es the mapping of the original state vector to the state vector speci�ed inthe new con�guration. Discontinuous changes to the state vector are derived usingEq. (5). To illustrate, the derivation of g�01 follows. Operational mode �01 showsdependency between the three storage elements, J , mx, and my, with stored energyh!, px, and py, respectively. This implies that the center of mass has nonzero angularvelocity but the rod-tip A does not move in the horizontal or vertical direction sinceit is in contact with the oor and stuck. Choosing J as the independent storageelement, makes mx and my dependent, therefore,8>>><>>>: a�;mx = p+mx � px; p+x = rJ;mx mxJ h+!a�;my = p+my � py; p+y = rJ;my myJ h+! ; (49)and, Xstorage = (rJ;mxmxJ h+! � px)rmx;J + (rJ;mymyJ h+! � py)rmy ;J : (50)No �-sources become active on switching, so Psources = 0. The complete expression122
for the independent energy, h+! now yieldsh+! = h! + rmx;JrJ;mxmxJ h+! � rmx;Jpx +rmy ;JrJ;mymyJ h+! � rmy ;Jpy: (51)This can be transformed into the state variables by the translations h! = J!, px =mvx, and py = mvy and substitution of the gains of the respective routes, found bytracing power ampli�cation along a route following causal strokes (Fig. 62),8>>><>>>: rmx;J = �lsin�; rJ;mx = lsin�rmy;J = lcos�; rJ;my = �lcos� (52)which yields !+ = !J �ml(cos�vy � sin�vx)J +ml2 (53)and g�01 : 8>>>>>>><>>>>>>>: !+ = !J�ml(cos�vy�sin�vx)J+ml2v+x = l!+sin�v+y = �l!+cos� (54)A situation that involves �-sources occurs when the rod achieves mode �21, thesliding mode of operation (Fig. 56). In this mode there is dependency between thetwo storage elements, J and my, with stored energy h! and py , respectively. Thisimplies that the center of mass velocity is such that the rod-tip A has no verticalmotion since it is in contact with the oor. Choosing J as the independent storageelement, this results in one dependent storage element, my,amy = p+my � py ; p+y = rJ;mymyJ h+! ; (55)and, Xstorage = (rJ;mymyJ h+! � py)rmy ;J (56)123
There is one �-source, Ff , whose value is determined by the Dirac pulse on storageelement my, by Ff = �amy . Substitution of Eq. (55) givesXsources = �(rJ;mymyJ h+! � py)rFw;J (57)The complete expression for the independent energy, h+! now yieldsh+! = h! + rmy;JrJ;mymyJ h+! � rmy ;Jpy + �rFw ;JrJ;mymyJ h+! � �rFw ;Jpy (58)and g�21 : 8>>>>>>><>>>>>>>: !+ = !J�ml(cos���sin�)vyJ+ml2cos�(cos���sin�)v+x = ��(l!+cos� + vy) + vxv+y = �l!+cos� (59)In a similar manner, the state vector mapping can be derived for the other operationalmodes, described in Appendix A.These mapping functions specify the change of system state, (!; vx; vy), as a func-tion of only the new mode, i.e., g�. To �nd out whether a discontinuity occurswhen the state is mapped between speci�c modes � and �, g�� can be derived fromg�(x) = g��(g�(x)), which, in case g� is invertible, yields g��(x) = g�(g��1(x)). Toverify discontinuity in state variables from � to �, a faster approach is to calculateg�(g�(x)). If the mapping g�(x) is invariant under g�, no discontinuous change canoccur from � to �.These calculations can be avoided all together by inspecting the bond graph forchanges in derivative causality between modes. Additional elements in derivativecausality between modes indicate discontinuous changes in the state vector. Forexample, in Fig. 62 both the inertial elementsmx andmy are in derivative causality formode �01, onlymy is in derivative causality for modes �11 and �21. When transferring124
the state from mode �01 to, say, �21 no discontinuous change occurs. However, whentransferring the state from mode �21 to �00, mx goes into derivative causality andmay enforce a discontinuous change in state. To verify, g�21(g�01(x)) is derived:8>>>>>>><>>>>>>>: !+ = !�01J�ml(cos���sin�)v�01yJ+ml2cos�(cos���sin�)v+x = ��(l!+cos� + vy) + vxv+y = �l!+cos� (60)Substituting v�01y = �l!�01cos� (see Eq. (54)) in !+, yields!+ = !�01J +ml2cos�(cos� � �sin�)!�01J +ml2cos�(cos� � �sin�) (61)or !+ = !�01. Substituting this result in v+x and v+y yields8>>>>>>><>>>>>>>: !+ = !�01v+x = ��(l!�01cos� + v�01y ) + v�01xv+y = �l!�01cos� (62)again substituting v�01y = �l!�01cos� shows that the complete state vector in �21,x+ = x�01, and, therefore, no discontinuous change occurs. When performing thesame computations on a mode switch from �21 to �01, x+ remains a function ofx which implies that a discontinuity does occur. Intuitively, these results can beexplained by noting that �01 represents a mode of operation where the rod is stuckand rotating around a stationary point. In �11 and �21, the rod is sliding, and,therefore, it has an additional degree of freedom. When the system moves from �01to either �11 or �21, the degrees of freedom in the state vector increase by one, andthis allows continuous state transfer. However, when the rod gets into the stuckmode from the sliding mode, its center of mass velocity in the x direction becomesdependent on the angular velocity, and this may require a discontinuous change instate. 125
Veri�cation of the Hybrid Falling Rod ModelThe correctness of the hybrid falling rod model can be established by demonstrat-ing that the principles of temporal evolution of state (discussed in Chapter VI) anddivergence of time (discussed in Chapter IV) are satis�ed.Temporal Evolution of StateCausality of physical system models is embodied by the principle of temporal evo-lution of state. To illustrate the importance of this principle, observe that switchingconditions based on relations that include time-derivatives of signals are common inphysical system models. When discontinuous changes occur, the derivative relationsproduce Dirac pulses, and this can often lead to ill de�ned behavior. For example,jFA;xj > �Fn relies on _vx and _vy, and a discontinuous change in these variables when amode change occurs produces a Dirac pulse, �(ts). The Dirac pulse is active at a wellde�ned point in time, ts, and may be generated by either c- s (t�s to ts) transitions,�1(ts), or s- c (ts to t+s ) transitions, �2(ts) (see Fig. 63). The actual Dirac pulse at ts isthen the cumulative �c(ts) = �1(ts)+�2(ts) and is determined by the c- c step. There-fore, switching conditions that are based only on �1(ts) may be incorrectly executedif �2(ts) interferes with the Dirac pulse computation.Upon collision with the oor at ts, the horizontal and vertical velocities of thecenter of mass of the rod change discontinuously. So, vx(t�s ) = limt"ts vx(t) di�ers fromvx(ts) which results in a collision impulse Px;c and vy(t�s ) = limt"ts vy(t) di�ers fromvy(ts) which results in a normal impulse Pn as shown in Fig 64. Since no other forcesare active PA;x = Px;c, and if the force balance is such that jPA;xj > �Pn the modelspeci�es that the rod goes into mode �21;a and starts to slide. Consider a stiction126
ts t
x
Fα1
Pα2
Fα3
1δ
2δFigure 63: Switching around a point may require two jumps.vx
Px,c
vy
−ω
21,a
nPvx
Px,c
vy
−ω
21,b
sPnPFigure 64: Impulses upon collision when a sliding mode with stiction is reached.impulse that becomes active when the rod starts to slide (mode �21;b) and this causesa discontinuous change in the horizontal velocity of the rod, so vx(t+s ) = limt#ts vx(t)di�ers from vx(ts), which causes �2(ts). This stiction impulse, Ps, operates in adirection opposite to the collision impulse and the resultant impulse, PA;x, may notsatisfy the criterium for sliding, i.e., jPA;xj > �Pn.Correct physical models are enforced by determining the actual �c based onc- c . However, the cumulative signal, �c(ts) relies on �2(ts) which is unknown atc- s switching. Therefore, a causal model requires no interference of �2 with �c whichis achieved when �2 = 0. This requires the signal that is involved to be continuouson the left-closed interval, [ts;!> in time, which is called the principle of temporalevolution of state. In case of the example, the stiction impulse cannot become active127
when the rod-tip has crossed some horizontal distance, but it has to be activated atthe moment, ts, the rod is inferred to start sliding, �21;a. Now its e�ect is taken intoaccount along with Px;c and PA;x is derived properly.To ensure �2(ts) = 0, the system speci�cation can be analyzed in terms of hand g. The function h speci�es the relations between signals and state variablesand may compute switching signal values, sd = hd( _xd), using a derivative relation.To enforce continuity in left-closed time-intervals of sd, both hd and _xd have to becontinuous between modes. Assume a transition sequence �k ! �m. The functionhd is continuous if it does not change between �k and �m. Across discrete changes,xd is determined by g�m�k and _xd is continuous if xd = g�m�k (xd).2 This results in thecondition for continuity of signals sd between �k ! �mh�kd = h�md ^ xd = g�m(xd) (63)If this conditions does not hold, either one of the following conditions has to hold for�(ts) to occur on c- s and to satisfy temporal evolution of state:{ F�k n B�k, the trajectory exits a patch on an open interval.{ F�m \ B�m, the trajectory enters a patch on a closed interval.{ P�m, the trajectory enters a pinnacle.3To verify temporal evolution of state for the colliding rod, �rst all mode changesfor which h�kd 6= h�md are found. From FA;x and Fn in Eq. (48) this yields �k =�00 ^ �m = f�01; �11; �21g, and it has to be veri�ed that �00 ! �m and �m ! �00are c- s transitions.2It follows that _xd = 0.3Note that this implies that a sequence of pinnacles (as for example in a collision chain), whichviolates the interval-point paradigm, still satis�es temporal evolution of state.128
Lemma VII.1 �00 ! �m is a c- s transition.Proof: For �i ! �00 ! �m; �i = f�01; �11; �21g; �m = f�01; �11; �21g�00 : (g�00�i (x) = x)) F�00�contact : ( �m�00 � 0)) F�00 n B�00 9>>>=>>>;) �00c- s�mLemma VII.2 �m ! �00 is a c- s transition.Proof: For �m ! �00�00 : (g�00�m (x) = x)) F�00�free : ( �00�m � 0)) F�00 \ B�00 9>>>=>>>;) �mc- s�00Next, inspection of the bond graph determines that derivative causality arises whenswitching to mode �01 from either �11 or �21, which implies that xd 6= g�01�m (xd); �m =f�11; �21g with xd = vx, and it has to be veri�ed that �m ! �01 are c- s transitions.Lemma VII.3 �m ! �01 is a c- s transition.Proof: From Eq. (46) generates �slide for �m ! �01! �i if jF+A;xj ��F+n > 0,for �i = f�00; �11; �21g; �m = f�11; �21g. From Eq. (48) F+A;x = m _v+x and F+n =m _v+y �mag; for a mode change from �01 ! �i, �slide is generated ifjm�(v+x � vx)j � �m�(v+y � vy) + �mag > 0:For x+ = x = g�i�01 this yields �mag > 0 with ag the only negative constant, and,therefore, no immediate mode transition occurs. So,�01 : ( �i�01(g�i�01(x); g�i�01(x))) > 0 ) F�01�stuck : ( �01�m ) � 0) F�01 \ B�01 9>>>=>>>;) �mc- s�01129
In this case �01 ! �m need not be proved because xd = g�m�01(xd) and h�01d = h�md .Divergence of TimeFor the colliding rod, divergence of time is violated if the horizontal rod-tip velocityfalls below vth but its angle and length are such that jFA;xj > �Fn when the systemmoves into mode �01 where the rod is stuck. This would generate �slide but whensliding, jvA;xj � vth and �stuck is generated. To eliminate this inconsistency, a modelingdecision can be made to generate �stuck only if the forces in �01 are such that �slide isnot generated. This requires the addition of a pre-condition jF �01A;x j � �F �01n to �stuck,where F �01A;x and �F �01n are calculated from h(g�01(x)).In general, transition conditions are likely to be more complex with greater inter-action among modes. In such situations, an exhaustive energy phase space analysislike in Chapter V can be applied [79, 82, 85].Simulation of Hybrid System ModelsNumerical simulation schemes like Euler and Runge-Kutta can be used for gener-ating continuous system behavior. The ow graph in Fig. 65 illustrates that discreteevents generated by trigger an event detection module to determine the switchingtime, ts, within a margin of tolerance, �. The continuous �eld, f�k , computes x�k(t�s ),then real time is suspended, and the meta-level control model, �, is activated. Insome cases it may generate a sequence of discrete state transitions. The resultingmodel con�guration is then established, and x�k(t�s ) is transferred to this model con-�guration as x�m(ts). In case of a pinnacle, further events are generated when thestate vector is updated and the a priori switching values change. This may cause a130
eventdetected
Y Y
N
N
derive newmode fromφ
derive newmode fromφ
map x usingg
derive signalsfrom h
derive signalsfrom h
simulate f uptill t s
update statevector
continueat ts
find switchingtime, ts
generateevents from
γ
generateevents from
γ
Figure 65: Flow diagram of hybrid system simulation.new series of con�guration changes that are executed by the discrete model using thedi�erent h functions in each mode. In the new continuous mode, �n, f�n de�nes thesimulation from time ts with initial vector x�m(ts) (= x�n(t+s )). This implements sim-ulation of f�m at ts as a point in time and allows an energy redistribution at a pointspeci�ed by algebraic equations. Note that in certain cases hybrid system simulationrequires further sophistication [94], which is subject of future research.Simulation of the Colliding RodTo derive a numeric model of the continuous function, f�, a 0-order, forwardEuler approximation [130] is obtained by using _x = xk+1�xk�t , or xk+1 = f�t + xk.131
Derivatives that are part of expressions in f are replaced analogously. For example,_vx = lcos� _! becomes vx;k+1 = l(cos�k+1!k+1�cos�k!k)�t �t+vx;k, or, vx;k+1 = lcos�k+1!k+1�lcos�k!k + vx;k = lcos�k+1!k+1. The expressions for �k+1 and yM;k+1 are uniformacross con�gurations. These equations combined with the rest of the numeric modelconstitute continuous behavior. Appendix A lists these models in full detail.The only other function of the analytic speci�cation that has to be representedby a numeric equivalent is hh : 8>>>>>>>>>>>>>>>>>>>>>>>>>><>>>>>>>>>>>>>>>>>>>>>>>>>>:yA = yM;k+1 � lsin�k+1v+A;x = v+x;k+1 � lsin�k+1!+k+1pA;y = m(vy;k + lcos�k!k)F+n = 8>>><>>>: 0 if �00m(v+y;k+1�vy;k�t � ag) otherwiseF+A;x = 8>>><>>>: 0 if �00mv+x;k+1�vx;k�t otherwise (64)The derivative terms in h are simulated as Dirac pulses. So, as long as no discontinu-ous change occurs (e.g., v+y;k+1 = vy;k+1) the magnitudes of the forces are numericallyestimated as shown. However, in case of a discontinuous change (e.g., v+y;k+1 6= vy;k+1)the derivative term represents a Dirac pulse that has in�nite magnitude, and, there-fore, dominates the other terms. Due to numerical approximation, the pulse magni-tude may be small compared to other terms (e.g., ag) which interfere with the correctanalytical solution. Therefore, in case of discontinuous change, the time derivativeterms are treated as Dirac pulses and comparison is based on their areas.The remainder of the analytical speci�cations has no temporal aspects and canbe directly used for simulation. Note the di�erence between pA;y , and vA;x which are132
-0.020
0.020.04
-2-1.5
-1-0.5
0-1.5
-1
-0.5
0
Center of Mass Velocities
horizontalvertical
angular
00.01
0.020.03
0.04
-2-1.5
-1-0.5
0-1.5
-1
-0.5
0
Center of Mass Velocities
horizontalvertical
angular
µ = 0.005
F F
F
F F
F
FF
α α
αα α
α
αα
00 00
0101 01
00
2121
µ = 0.002 µ = 0.004
-0.010
0.010.02
0.03
-2-1.5
-1-0.5
0-1.5
-1
-0.5
0
Center of Mass Velocities
horizontalvertical
angularFigure 66: A number of trajectories in phase space of the colliding rod, vth =0:0015; � = 0:862; l = �0:1; y0 = 0:23.based on a priori and a posteriori values, respectively. Simulation results of threetrajectories in phase space for di�erent values of the friction coe�cient, �, are shownin Fig. 66. Initially, the system is in (0; 0; 0), and ow F�00 determines that the verticalvelocity of the rod increases its magnitude with time. When the rod-tip, point A,touches the oor the rod may start to slide, governed by ow F�21 (� = 0:002 and� = 0:004), or it may get stuck and behavior is governed by ow F�01 (� = 0:005).The discontinuous jumps between ows are illustrated in Fig. 66. Also, for simulationswith � = 0:002 and � = 0:004, the sliding mode, �21, emerges immediately after �00.This is determined by performing a force balance in the mode, �01, when the rod isstuck. However, the state vector is not modi�ed as a result from this mode and it hasno representation in phase space until the rod gets stuck after an interval of sliding.When sliding, the center of mass accelerates in the horizontal direction, and thenegative velocity at the rod-tip decreases. When it falls below a threshold value, therod gets stuck and the system jumps to F�01. If the transition conditions were notproperly speci�ed, the force balance computations in the newly arrived stuck modemay imply that the rod should start sliding again. However, if it starts sliding, itdoes not have su�cient momentum to maintain a velocity larger than the thresholdvalue. This would result in a loop of instantaneous mode changes which violates the133
00.2
0.40.6
-30
-20
-10
0-3
-2.5
-2
-1.5
-1
-0.5
0
Center of Mass Velocities
horizontalvertical
angular
-1-0.5
00.5
1
-30
-20
-10
0-3
-2.5
-2
-1.5
-1
-0.5
0
Center of Mass Velocities
horizontalvertical
angular
Fα00Fα00
Fα00Bα21Fα00
µ = 0 µ = 0.5
Bα21Figure 67: A boundary in phase space of the colliding rod, vth = 0:0015; � = 0:862; l =�10; y0 = 23.principle of divergence of time.If the rod length is increased, the rod may hit the oor and start to slide, butthe moment the sliding motion starts, the balance of forces causes it to disconnect.Therefore, the rod is in the sliding mode of operation at a point in time only afterwhich it moves into the mode of operation where it is free again, even though thecollision is modeled as prefectly non-elastic, i.e., there is no restitution of momentumin any of the operational modes (� = 0). The corresponding phase spaces are shownin Fig. 67 and demonstrate how B�21 changes the state vector between both of the ows in �00. Note that a �eld governs behavior in �21, so the corresponding point inphase space is a boundary point rather than a pinnacle.SummaryThis chapter presented a complex, nonlinear, physical system and went throughthe process of systematically deriving its analytic and numeric models. The applica-tion of formal methodologies for model veri�cation based on the principles of temporalevolution of state and divergence of time was illustrated. The rigor of the veri�cationmechanism makes it suitable for algorithmic implementation but cumbersome to per-form manually. At a more intuitive level, temporal evolution of state can be ensured134
by modeling con�guration changes where events that cause derivative causality aregenerated based on � conditions instead of <. This ensures Dirac pulses are gener-ated from well de�ned limit values. Divergence of time can be achieved by ensuringthat CSPEC on/o� and o�/on transition conditions are mutually exclusive. This iseasiest if they are based on a priori values since these do not change during modechanges.
135
CHAPTER VIIIMODEL BASED DIAGNOSISThe complexity and sophistication of the new generation of aircraft, automobiles,satellites, chemical plants, and manufacturing lines, along with growing demands fortheir reliability and safety while keeping cost low, is being met by more automatedcontrol and monitoring systems, and the use of functional redundancy techniques forfault detection and isolation (FDI). IntroductionTypically systemmodels capture relations between measured variables and systemor component parameters. Simulation and reasoning methodologies generate systembehavior from these models, and when combined with techniques for identifying andanalyzing observed deviations can be used to isolate a large number of possible faultysituations [8, 9, 39, 62, 101]. Some faults, such as a pipe blockage that completelyisolates two parts of a system, change system structure and require a change in thesystem model itself. This renders these faults hard to diagnose unless failure modemodels are explicitly incorporated into the analysis scheme [70]. This thesis studiesFDI techniques that apply to complex dynamic systems that do not undergo suchstructural model changes. The focus of this research is on extracting discriminatinginformation from transients in dynamic behavior caused by discontinuous parameterchanges (faults). The aim is to quickly identify the root-causes for discrepancies insystem behavior [75, 86]. 136
OverviewFDI utilizes system models to predict operating values for a chosen set of systemvariables in a given mode of operation (Fig. 68) [41, 50]. This set of variables, calledobservations, is continuously monitored during normal operation.De�nition 2 (Observation) An observation is a variable in the system model thatis measured.Comparison of predicted operating values against observations help identify devia-tions from normal operation. Simple models may include a margin of error on sen-sors. When error thresholds are exceeded, the diagnosis system responds by settingcorresponding alarms. In general, the diagnosis system maps observations, y, thatdeviate from predicted normal behavior, y, onto a system model (Fig. 68). Analysisof descrepancies, r in the context of the model helps to generate one or more hy-pothesized root-causes, f , that explain the observed deviations. Hypothesized faultssuggest modi�cations to the system models which are then employed to predict fu-ture system behavior. Continued monitoring and comparison with these predictionshelps re�ne the initial fault set, f . Faults whose predictions remain consistent withthe observations determine the root-causes for the observed problems. The goal isto continue the monitoring, comparison, and re�nement process till the exact set offaults occurring in the system are isolated. The overall process of monitoring, gener-ating hypothetical faults, prediction, and fault isolation using system models as theprimary basis is referred to as model based diagnosis.137
e +
-
y
processu y
generate &refine faultsmonitormodel
frFigure 68: Diagnosis of dynamic systems.The ultimate goal of model based diagnosis is to accurately1 isolate problemsand restore the system to normal operation by: (1) replacing faulty components,and (2) making control changes to bring system behavior back to desired operat-ing ranges or quickly move the system into a safe mode of operation. This de�nesa paradigm that covers methodologies for fault detection, isolation, and recovery(FDIR) which requires the integration of methods for prediction, monitoring, andmeasurement selection. Prediction is a di�cult problem even for experienced plantoperators, therefore, it is all the more important to develop useful techniques to pre-dict future behavior from given fault situations. From a computational viewpoint,the better the prediction, the easier it becomes for FDI algorithms to quickly prunethe search space through continued monitoring and comparison with predictions. Themonitoring stage is critical to successful FDI. Monitoring parameters like samplingrates govern the measurement interpretation process, and, therefore, fault hypothesisgeneration and re�nement. The implementation of the monitoring algorithms deter-mines whether faults may not be distinguishable from others, and this determinesthe overall diagnostic accuracy. Finally, a critical issue in FDI is sensor placement1On accuracy and precision: Accuracy is the assessment of whether the actual value is containedby the estimate. Precision is the deviation of the estimate from the actual value.138
and measurement selection. This is all tied into diagnosability analysis, i.e., selectionof measurements that help isolate and di�erentiate among possible faults that mayoccur in the system [21, 71]. Nominal ValuesThe diagnosis scheme compares actual measurements with predicted nominal val-ues of process variables that characterize normal operation. This comparison processis termed fault detection. In processes that operate in steady state, nominal valuescan often be retrieved from design speci�cations or documentation created by pro-cess engineers. To account for the e�ects of noise and measurement inaccuracies,a margin of error is added to the nominal values to increase robustness and avoidfalse alarms [111]. However, this decreases sensitivity, which is acceptable providedthe delayed detection does not result in dramatic errors. For systems that typicallyoperate in steady state modes, design documents often specify the upper and lowerlimits on nominal values of all system parameters and measured variables.For systems whose normal operation modes include transients and dynamic be-haviors, nominal values of process variables are harder to obtain. A fairly accurateprocess model is required to run in parallel with the process. Given the same initialstate and the same input as the process the simulation mechanism should predict theprocess output in normal operation. In reality, approximations in the models anddrift in the system may result in the estimated state vector slowly deviating from theactual system values. To prevent this, an observer mechanism shown in Fig. 69 canbe used to estimate and make corrections to the estimated state vector. A criticalissue when applying this scheme to obtain nominal values is the model adaptation139
observer
process
C
A
B
B
H
C
A
x
e
yux
xy
xFigure 69: A general observer scheme.rate, especially in case of incipient faults. If this rate is too fast, the model quicklyadapts to changes in the system variables due to faults and generates nominal valuesthat do not indicate a deviation.Instead of just providing nominal values, the state estimation scheme can beused for diagnosis by reconstructing the entire set of states of the process if theprocess parameters have been estimated precisely. The reconstructed results are thencompared and the set of most consistent states is chosen as the best estimate. Thisset can then be used to generate residuals based on the actual observations to detectwhether a fault occurred.To identify faults, the set of system equations are modi�ed so that the three basictypes of faults listed below can be explicitly identi�ed as parameters and terms of theequations:{ Instrument faults; which refers to sensor faults.{ Actuator faults. 140
{ Component faults; which refers to the di�erent parts or sub-systems in theprocess where the fault can occur.By explicitly incorporating these faults into the parameters of system equations aspart of the observer system, diagnosis algorithms can be designed to detect and isolatefaults. A unifying representation, in discrete form, is given byxk+1 = Axk +Buk +Edk +Kfkyk = Cxk + Fdk +Gfk (65)where dk represents a disturbance term due to noise, and fk represents the e�ectsintroduced by the fault term. Entries of K can be used to model actuator andcomponent faults and entries of G can be used to model sensor faults [41].A Comprehensive Diagnosis SchemeState estimation requires parameter estimation to determine precise models ofthe process under scrutiny. Like state estimation schemes, diagnosis schemes can bebased on parameter estimation techniques. The advantage of these schemes is theclose relation between estimated values and physical coe�cients. Given that nomi-nal values can be derived from state estimation schemes or from design documents,comprehensive diagnosis can proceed by performing one or several of the followingtechniques (Fig. 70):{ Quantitative parameter estimation is derived from numerical models of the pro-cess. Typically �ltering methods may be applied to estimate system parametersbased on a vector of residuals. These parameters represent aggregate behaviorof process components, and, therefore, a fault may cause a number of parameter141
deviations. This process is computationally intensive, and may be subject tothe convergence problems that occur in numerical estimation. To improve per-formance, other techniques can be used to narrow down the parameter searchspace.{ Performance of diagnosis algorithms can be enhanced by incorporating sophis-ticated sensitivity analysis schemes. The degree to which di�erent faults a�ectmeasurements can be exploited by the parameter estimation procedure to rankpossible causes by the sensitivity of the observables to the hypothesized causes.{ Failure mode mappings can further enhance the fault identi�cation and isolationprocess. They represent a discrete event systems approach that requires knowl-edge about how process components may fail, and what e�ects these failureshave on system parameters.{ Dependency analysis techniques rely on a topological functional model of theprocess and capture a weighted dependency between parameters and measuredvariables. These weights could be a function of various parameters, such asproximity to the observed fault. Sometimes the weights may capture processdelay times, and in such cases the dependency graph represents a dynamicmodelof system behavior. Observed deviations can be traced back to parameter valueswhich can be ordered in terms of when their e�ects become active.Note that the techniques described above are not mutually exclusive. Any of thesemethods can be e�ectively developed into a diagnosis system. However, developinga diagnosis framework that integrates two or more of these approaches is likely to142
F p
F p
F p
f
f
n nf
1 1
2 2
{ }
{ }
{ }
J pF i( ){ }
{ }
{ }
p
p
p
d
d
kd
1
2
{ }
{ }
{ }
p
p
p
f
f
mf
1
2
{ }
{ }
{ }
p
p
pn
1
2
J pi( )+
-
--
0
+L
Rb1
f in f out
C1
dependencyanalysis
failure-modemapping
failure-modesensitivity
parameterestimationFigure 70: Complementary diagnosis schemes.produce more e�cient and robust systems. It remains a challenge to see how best todevelop such systems. The Model Based Diagnosis SystemThis thesis develops an approach for monitoring, prediction, and fault isolationthat focuses on the use of dependency relations between parameters and observedvariables. In previous work, static models were successfully applied to diagnosis tasksfor moderately complex systems based on qualitative constraint equations [8] and thesigned directed graph (SDG) [102]. However, due to the understrained models thatare used, these approaches run into combinatorial problems. Furthermore, in case ofthe SDG, since system dynamics are not part of the model that is used for diagnosis,temporal feedback e�ects have to be re-introduced on an ad hoc basis [39, 101].Modeling for DiagnosisSuccessful modeling for diagnosis requires a unique set of requirements.{ The models should describe normal and faulty system behavior. The formerprovides the reference variable values for the monitoring task, and the latterforms the core for the prediction algorithm.143
{ The model should incorporate su�cient behavioral detail so deviations in ob-served variables can be mapped onto system components and parameters.{ The model should generate dynamic behavior, especially when faults cause tran-sients that take the system away from normal steady state operation. Faultscause changes in system parameters, therefore, the assumption of constant pa-rameters does not hold and their temporal e�ects have to be included.{ When faults occur, the systemmay undergo a structural change. Though struc-tural changes is beyond the scope of this paper, they constitute an importantcategory of failures. To make the presented framework extendable to incorpo-rate this phenomenon, it is important to not preclude it from the onset.In addition, to constrain the inherently exponential search space for diagnosis, itis important that the model impose all relevant physical constraints on the searchprocess. Also, given the limits of purely qualitative and purely quantitative schemesthat have been discussed elsewhere [41, 50, 102], models that generate and use bothqualitative and quantitative information are preferred. This prevents loss of a prioriinformation that may be useful for generating and further re�ning candidate sets.Bond Graphs for DiagnosisBond graphs [107] provide a systematic framework for building consistent and wellconstrained models of dynamic physical systems across multiple domains with inher-ent causality constraints that provide e�ective and e�cient mechanisms for diagnosis.An added advantage of the bond graph derived representation is their direct appli-cability to qualitative processing, which makes them applicable in situations where144
precise numerical information may not be available. However, analytic systemmodelsderived from bond graphs are also amenable to quantitative simulation and analysis.In this thesis, a causal dependency graph is derived from a bond graph to providethe system model. Links among system parameters and variables in a causal de-pendency graph are extended by temporal properties. Propagating e�ects of deviantobservations to hypothesized causes (i.e., faults) can now be classi�ed as instanta-neous versus those that have delayed e�ects. Delayed e�ects can be further classi�edby the order of the e�ect, e.g., �rst order, second order, etc. The causal temporalmodels are derived from a bond graph model that adequately captures the dynamiccharacteristics of system behavior.An important issue in diagnosing parameter deviations of physical systems con-cerns the transfer of the state vector to the failure mode after an abrupt fault occurs.Though changes in dissipative e�ects do not a�ect the state vector expressed in termsof power variables (e.g., pressure and velocity) of the independent energy storage ele-ments (e.g., tanks, springs, and masses), abrupt changes in parameter values of energystorage elements may require an abrupt change of the state vector based on the prin-ciple of conservation of state (Chapter III). To illustrate, assume that at time tf , arock falls into an open tank with capacity C and out ow resistance R for a connectedoutlet pipe. The capacity of the tank decreases abruptly, and, therefore, the pres-sure, p, at the bottom changes instantaneously, however, the amount of liquid in thetank, q, is conserved. The e�ects of this parameter change on the state variable anddescribing �eld equation is shown in Fig. 71. The new pressure is directly derivablefrom the constituent equation p = qC but the e�ect is lost in the time-derivative formf = C dpdt which only shows a change of slope dpdt = fC if C changes. If the time-varying145
pβ
f βf α
gα
t f
pα
qα
(R,C) t(R’,C’)
gβ
qβ=
= =
=
=
RR’
RR’
CC’
CC’
CC’
1C
1C’
q = f(q)
p = g(p)Figure 71: Transfer of the state vector and its �eld across discontinuous change.e�ect of the C parameter is taken into account, the constituent equation becomesf = C @p@t + p@C@t which determines the pressure as @p@t = fC � pC @C@t , and an abruptchange in C results in an instantaneous jump in @C@t , which then causes an immediateabrupt change in p. Now the e�ect on the system state has become explicit. In theintegral form of constituent equations, p = qC = 1C R fdt, used in bond graphs, thise�ect is automatically incorporated, since p = 1C R ttf fdt+ p0(tf)C .To extend bond graph modeling for component oriented diagnosis requires es-tablishing correspondence between individual components and bond graph elements.In the bond graph framework, primitive elements, such as resistors and capacitorsrepresent mechanisms which may not always be in one-to-one correspondences withindividual system components [10]. An individual component may have multiple as-pects represented in the bond graph. For example, a component such as a pipe maybe represented in the bond graph by its build-up of ow momentum (I) and resis-tance to ow (R). Biswas and Yu [10] describe a methodology for deriving bondgraph models for diagnosis from a physical system description so that the bond graph146
elements directly correspond to system components and mechanisms under diagnos-tic scrutiny. The modeling methodology has been further instantiated by Mostermanand Biswas [77, 79, 87]. In this thesis, a deviation of a bond graph parameter fromits normal value is referred to as a fault.De�nition 3 (Fault) A fault is a model parameter that deviates from its value innormal operation. Transient Based DiagnosisTo exploit process dynamics e�ectively for diagnosis requires that faults createtransients in process behavior, which can be detected and their characteristics iden-ti�ed reliably by the monitoring process. Therefore, the approach is applicable toabrupt, possibly intermittent faults, but less suited to processing incipient faults. Forexample, the diagnosis methodology is well-suited to detecting sudden blockages inpipes which cause signi�cant dynamic transients in pressure and ow values, whereasa pipe that accumulates dirt and slowly blocks may not manifest signi�cant dynamiccharacteristics. It is more likely that the slowly blocking pipe will cause a gradualdrift in the system steady state behavior.Time ConstantsTime constants play a key role in characterizing the dynamic behavior of phys-ical systems. As discussed earlier, faults bring about instantaneous change in somesystem variables. For other variables, energy storage elements acting as bu�ers intro-duce propagation delays, thereby slowing down the rate of change in these variablevalues. In general, measurement variables with larger time constants in response to a147
disturbance caused by a fault take longer to show signi�cant changes in their values ascompared to measurement variables that are associated with smaller time constants.If measurement snapshots are available from the system at rates that are faster thanthe smallest time constant, it becomes easier to track and relate system behavior backto primary fault causes. In this thesis, without much discussion, this is assumed tobe true.Assumption 1 (Time scale of observation) The sampling rate for observationsis faster than system time constants in both normal and faulty operation.Relations between hypothesized faults and measurements that do not embody tem-poral behavior propagate abrupt changes instantaneously. Physical systems are in-herently continuous but these abrupt changes occur on a time scale that is muchsmaller than the time scale of observation, and, therefore, are observed to manifest asdiscontinuous changes. Therefore, abrupt changes are a sampling artifact attributedto the time scale of observation.De�nition 4 (Discontinuity) A change in a signal value that happens on a timescale much smaller than the time scale of observation is considered to be abrupt andcalled a discontinuity.Observed transient e�ects in system behavior are often associated with multipletime constants which combine to de�ne the overall delay. Combined e�ects of thesebehaviors is determined by the convolution rather than the sum of their partial ef-fects [74]. To illustrate this, consider the two �rst order systems with time constants�1 and �2 in Fig. 72. The combined e�ect of these systems is given by �1 � �2 (convo-lution) whereas the sum of their individual delay times is shown by �1 + �2. Notice148
1
1
1
2
2
2
= 9= 10+*
time
1
0 10 20 30 40 500
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
fractionFigure 72: Delay times of two �rst order systems (�1 and �2), their sum (�1+ �2), andthe actual delay time of their combined e�ects (�1 � �2).that there is just one point in time where the two coincide which makes it di�cult toderive combined delay times from individual values. The use of delay times is evenfurther complicated given that designed time constants change when faults occur.Even if one qualitatively analyzes e�ects, there can be uncertainty in temporalordering of the observed deviations in two variables where one variable embodies a�rst order e�ect and the other a second order e�ect. Typically a measurement isconsidered normal if it is within a certain percentage (say 2%{5%) of its nominalvalue. Fig. 73 shows two variables, a �rst order e�ect, x1, and a second order e�ect,x2, and their delay times, td1 and td2, respectively in crossing the error-threshold. Attimes between td2 and td1, x2 is reported deviant but x1 is reported normal. Althoughx2 embodies a second order e�ect with a 0 value 1st order derivative at the point offailure, it crosses the error threshold before a �rst order e�ect. This is contrary toexpectations where a �rst order e�ect is expected to dominate (i.e., be much fasterthan) a second order e�ect. Fig. 74 shows that the �rst order e�ect does have a fastere�ect when two signals have the same �rst order time constant, but one of them hasa second order time constant too. 149
x1; τ1=3x2; τ1=1, τ2=0.1
td2 td10 50 150 200 250
0
0.05
0.1
time
frac
tionFigure 73: Delay times for observing deviations.
x1; τ1=3=0.1x2; τ1=3 τ2
0.05
0.1
td2td10 50 200 250
0
time
frac
tionFigure 74: A second order e�ect with one constant equal to the time constant of a�rst order e�ect.This brings up an important issue when dealing with normal values and deviationfrom normal in a qualitative reasoning framework for diagnosis of continuous-valuedsystems. A temporal ordering of �rst and higher order e�ects deviating from normal isin general impossible. Unless the sensor system is wired and calibrated with extremecare to guarantee a temporal ordering in response times, an observation being reportednormal at a given timemay really be an artifact of the implementation, and, therefore,cannot be used to refute faults. Moreover, it can, and in general will, lead to incorrectconsistency based diagnoses.In this thesis, deviant observations are individually analyzed to generate sets ofsingle fault hypotheses. On the other hand, normal observations are not necessarilyused to refute faults. This is because it is hard to di�erentiate between a truly normalsignal versus one that is changing slowly, and at some point in time in the future150
will deviate from normal. Only in situations where discontinuities can be reliablydetected if they occur, can normal observations be used to refute faults which wouldhave de�nitely caused a discontinuity for that observation. In this thesis, the use ofnormal observations is an optional parameter.Feature DetectionEarlier discussion indicated that temporal ordering of measured deviations be-tween signals is fragile and should be used cautiously in diagnosis. This makesindividual signal features the prime discriminating factor between competing faulthypotheses. Prudence must be exercised in distilling information from signals, espe-cially when they are noisy. Magnitude, or zero order, changes are typicallymeasurablewithin a given error tolerance based on sensor characteristics. Filtering techniqueshelp in deriving slopes, or �rst order derivatives, from measured signals, at least asa qualitative � or no change value. However, deriving or measuring higher orderderivatives can be quite unreliable. Dedicated transducers (e.g., accelerometers) mayhelp measure 2nd order derivatives, their use, in general, is often impractical. In thisthesis, monitoring and feature detection focuses on magnitudes and slopes of individ-ual measurements. The previous discussion indicates that in a qualitative frameworkmagnitude values of relevance for diagnosis are above/below normal. Similarly, aslope within bounds cannot be considered to be 0, only when it is measured to havea signi�cant value can it be identi�ed as positive/negative.The previous conjectures were made based on a minimalist basis. In general, track-ing a signal will reveal many more characteristics, especially when dedicated featuredetection algorithms are applied. As an example, consider a discontinuity detection151
mechanism that considers a change discontinuous when it detects that magnitudeand slope of an observed signal have opposing signs. This can be interpreted in aphysical system perspective because discontinuous changes in physical systems dueto parameter deviations are typically caused by abrupt changes in energy storageparameters. In steady state the stored energy in a system does not change, there-fore, energy storage parameters have no e�ect on steady state behavior. After aninitial discontinuous change, the system returns to its original point of operation.This discontinuity detection scheme has been successfully applied to the hydraulicsdomain.Another general characteristic of most physical systems is that dissipation forcesthem to return to a steady state after a transient phase. This yields another featurethat can be used for diagnostic analysis { determining whether the eventual steadystate is detected as being above, below, or at the previous steady state value beforethe transient caused by the fault occurred. This results in three qualitative featuresthat are detectable in actual measurements.{ Magnitude ! discontinuously low, normal, discontinuously high.{ Slope ! negative, positive.{ Steady state ! below, at, above original.For one observation this results in 3 � 2� 3 = 18 feature permutations which wouldmaximally allow for the identi�cation of 18 faults. If measurements of the process aresuch that normal observations and predictions can be used this improves to 3 � 3 �3 = 27 detectable faults, whereas if discontinuities cannot be reliably detected thisdegrades to 2 � 2� 3 = 12 detectable faults.152
SummaryAbrupt faults cause dynamic system behavior and the resulting transients takesystem behavior from its nominal steady state of operation to a new steady state.Based on a model of the system dynamics, these transients can be e�ectively ande�ciently applied to quickly isolate root-causes for deviating behavior. Magnitudes,slopes, and discontinuous changes at the time of failure for individual observationscan be applied in a qualitative reasoning framework. Furthermore, the new steadystate that the system achieves can be used as a �nal mechanism for fault isolation.
153
CHAPTER IXIMPLEMENTATIONThis thesis describes a diagnosis methodology illustrated in Fig. 75, which com-bines fault detection, fault hypothesis generation, prediction, and monitoring. Thischapter describes how the bond graph model of the physical system1 is used to derive atemporal causal graph which captures the dynamic characteristics of system behavior.Next, it presents diagnosis algorithms for each of the diagnosis modules (Fig. 75) thatutilize the temporal causal graph. Observations need to be mapped onto a qualitativerepresentation to detect discrepancies and generate faults hypotheses. Predictions offuture behavior for each fault are then monitored against new observations to re�nethe set of possible faults The Temporal Causal GraphThe temporal causal graph is derived in two steps [80, 92]:1In the diagnosis models that are used, bond graph elements operate in so-called integral causalityonly [107].q
monitor
detectdiscrepancy
u y
sf
fgeneratefaults
predictbehaviorFigure 75: The diagnosis process.154
C C
1 6
52
3 8
7
4
R
R R
0 01Sf
R12
Rb1 Rb2
C1 C2
R12
C1 C2
Rb2Rb1
e2
f1
f5 f8f3
e7Figure 76: The bi-tank system and its causally augmented bond graph model.1. The SCAP or its extended versions [129] are applied to generate a causal as-signment among the power variables associated with the bond graph. Thesepower variables are vertices in the temporal causal graph.2. Components are linked one on one to individual edges in the temporal causalgraph, and additional temporal and magnitude constraints are added to them.The temporal causal graph for the bi-tank system in Fig. 76 (see also Chapter II)is shown in Fig. 77. The graphical structure represents e�ort and ow variables asvertices, and relations between the variables as directed edges. The relations canbe attributed to junctions and system components. Junction relations add labels�1, 1, and = to a graph edge. The = implies that the junction constrains the twovariable vertices associated with the edge to take on equal values, 1 implies a directproportionality and �1 implies an inverse proportionality for the variable associatedwith the two incident vertices. When the edge is associated with a component, itrepresents the component's constituent relation. For example, for a resistor with owcausality, the edge between e�ort and ow is labeled 1R and for a capacitor the edgeis labeled 1Cdt. 155
f6=
=
e4
e6
1
-1 =
-1 =
=-1
-1
1 = 1e2
e3
e8
f3
f8
e7e5 f5
f4
f7f1 f2
1R12
1Rb1
1Rb2
dt1C1 dt1
C2Figure 77: Temporal causal graph of the bi-tank system.Junctions, transformers, and resistors introduce magnitude relations that are in-stantaneous, whereas capacitors and inductors also introduce temporal e�ects. Ingeneral, these temporal e�ects are integrating, and their associated rate of change isdetermined by the path that links an observed variable to the initial point where adeviation occurs. Note that the bond graph formalism presents one way to derive tem-poral causal graphs. Other modeling formalisms that support the physical modelingparadigm and allow for the generation of a temporal causal graph may be employedin its place. Also note the natural feedback mechanisms of dynamic physical systemsthat result in closed paths in the temporal causal graph. Between passive elements,these feedback mechanisms always have a negative gain [130] and if they include anintegrating e�ect, as a result from a state variable in the system, these closed pathsare referred to as state loops.2De�nition 5 (State loop) A closed causal path with one and only one time-integratinge�ect is called a state loop.2In other diagnosis work, where temporal aspects of relations were not modeled, these ubiquitousnegative feedback mechanisms caused di�culties in assigning a consistent graph mapping of devia-tions. Rather than trying to resolve this problem by breaking the causal paths somewhere, it canbe used advantageously by incorporating the temporal phenomena.156
Sf:0 Sf:0
1 6
52 7
4
3 8
R
R R
0 01Sf
R12
Rb1 Rb2
-1 =f4
f6=
e4
e6
1Rb1 Rb2
-1 =
=
=1 = 1
e3
e7
e2
e8e5 f5 f8f1 f3
1R12Figure 78: Steady state bond graph of the bi-tank system and its corresponding causalgraph.An added advantage of bond graph models is that they allow automatic derivationof the steady state model of the system. In case of the bi-tank system, both the tankcapacities in steady state can be replaced by ow sources with value 0, since no changeof stored energy takes place. The steady state bond graph and its resulting steadystate causal graph are shown in Fig. 78. Notice that the causality links in the steadystate graph di�er from the causality links in the dynamic behavior graph (Fig. 77) andhave less meaning. Since there is no temporal ordering, a steady state graph representsa set of algebraic equations rather than di�erential equations. Causality helps solvethese equations, but its actual assignment is not critical. Independent of causalityassignment in steady state graphs, the set of algebraic equations is invariant and equale�ects of parameter deviations are generated for di�erent causality assignments.Component Parameter ImplicationWhen a discrepancy between measurement and nominal value is detected, a back-ward propagation algorithm (Algorithm 2) is invoked on the temporal causal graphto implicate component parameters. Implicated component parameters are labeled �(below normal) and + (above normal). The algorithm propagates observed deviant157
values backward along the directed edges of the temporal causal graph and consis-tent � and + deviation labels are assigned sequentially to vertices along the path ifthey do not have a previously assigned value. An example is shown in Fig. 79 for adeviant pressure, e7+, in the right tank of the two tank system (shown in Fig. 76).When e7 is measured to be above its nominal value, backward propagation startsalong f7 1C2 dt! e+7 and implicates C2 as C�2 (i.e., C2 is below normal) or f7 as f+7 (i.e.,f7 is above normal). Backward propagation from f+7 , the proportional relation onf6 1! f+7 implies f+6 , and the inverse relation on f8 �1! f+7 implies f�8 . Propagation isterminated along a path when a con icting assignment is reached.Because backward propagation does not explicitly take temporal e�ects into ac-count deviant values are propagated along edges with instantaneous relations �rst.This ensures that no faults due to higher order e�ects con ict with faults identi-�ed with lower order e�ects. An example is shown in Fig. 80. Following the pathe1 1 e2 dt e4 a e5 backward, a+ is generated based on the observation e+1 . Note thatthe link e2 dt e4 introduces a �rst order e�ect. However, the path e1 1 e3 �1 e4 a e5also includes e+1 , which implies a�, and this path has no temporal delays. Fromthe time of failure, the a� ! e+1 e�ect which is instantaneous will occur before thea+ ! e+1 e�ect which has a �rst order delay.3 Therefore, temporal e�ects need tobe considered in implicating parameters and backward propagation is along instan-taneous edges �rst. All component parameters along a propagation path are possiblefaults. As discussed in Chapter VIII, observed normal measurements do not termi-nate the backward propagation process. The end result of backward propagation3Since this behavior pertains to the same signal, lower order e�ects always dominate during thetransient stage. 158
-C2 -R12+Rb2 +Rb1-C1
+
+
-
e4
f3-e6
-e8+f6
+
+
++
-
-
-
--
+e7 C2
f8
e7R12
Rb2
f7
f5
e2e5
e7
+
-
-
-
+
-
-C1
Rb1
f4
e2
f2
e3
f5Figure 79: Backward propagation to �nd faults.e2
e4 -1
1
a
e1
e3e51dt
2
1-
e4+e3
+e2
-
+
-
+
a
e4
e5
e1
-e4+e3
+e21
2
++
+
+a
e4 e5e1Figure 80: Instantaneous edges propagate �rst.is a set of hypothesized single faults that are consistent with the reported deviantobservations.Algorithm 2 Identify Possible Faultsadd observed vertex to list vlistmark vertex with qualitative valuewhile vlist is not empty dovcurrent the last vertex in vlistwhile vcurrent has unsearched ancestors doif ancestor relation includes a parameter thenadd the relation to the set of faultsend ifif ancestor vertex is unmarked thenancestor value new value(current value, relation)if relation is instantaneous thenadd the ancestor vertex to the beginning of vlistelseadd the ancestor vertex to the end of vlistend ifend ifend whileend while159
PredictionThe next step is re�nement of the hypothesized faults by prediction and monitor-ing. A complete version of the prediction module incorporates schemes for determin-ing mode changes caused by abrupt structural faults and parameter value changes inthe system. This may result in performing model switches before future behavior ofthe system can be predicted [77]. This thesis does not consider mode switches, andit is assumed that the system model remains valid after faults occur in the system.Assumption 2 (No structural changes) In case of faults, the system model doesnot undergo con�guration changes.The main task of the prediction module in this case is to predict the dynamic, tran-sient, behavior of the observed variables and also the eventual steady state behaviorof the system under the fault conditions. Prediction of future behavior is in quali-tative terms of temporal e�ects like magnitude (0th order time-derivative), slope (1storder time-derivative) and higher order e�ects.De�nition 6 (Signature) The prediction of 0th, 1st, and higher order time-derivativee�ects of a system variable as a qualitative value: below normal (low), normal, andabove normal (high) in response to a fault is called its signature.Forward PropagationPrediction of future behavior is attained by forward propagation of the e�ects ofparameter faults (Algorithm 3) to establish a qualitative value for all measured systemvariables. Forward propagation may occur along instantaneous and temporal edges.Temporal edges imply integration, therefore, the cause variable a�ects the derivative160
of the e�ect variable. Initially, all deviation propagations are 0th order, i.e., they arebased on the magnitude of variable values. When an integrating edge is traversed, themagnitude change becomes a 1st order change, i.e., the �rst derivative of the a�ectedquantity changes, shown by an " (#) in the propagation example in Fig. 81 for thetemporal causal graph in Fig. 77. Similarly, a �rst order change propagating acrossan integrating edge creates a second order change (i.e., the second derivative of thea�ected variable), shown by "" (##) in Fig. 81. Second order changes propagate tothird order changes, and so on.Algorithm 3 Predict Future Behavioradd initial vertex to list vlistmark vertex 0th order derivative with qualitative valuewhile vlist is not empty dovcurrent the last vertex in vlistwhile vcurrent has unsearched successors doif successor relation includes a time integral e�ect thenincrease current derivative orderend ifif derivative order � maximum order thenif successor derivative is no mark thensuccessor derivative value new value(current value, relation)else if successor derivative has opposite value of current thensuccessor derivative value conflictend ifadd the successor to end of vlistend ifend whileend whilefor all vertex derivatives doif value = no mark and any higher order derivative 6= no mark thenreplace no mark with normalend ifif value = conflict thenreplace conflict with no markend ifend forForward propagation with increasing derivatives terminates when a signature ofsu�cient order is generated. The su�cient order of a signature is determined by a161
+-+e7
0+-e2
e2
+
-
-
-
f8
f6
f7
f7-
e5+
+
-+
- +
-e7C2
e7
e7
e6
e6f4
f6
f6e5
f7
f7
e7
e7e2
e7
e7
e2
e2
f2
f2
e5
f3
f5
f2
f5
f8
f8
f7
f7
e8
e8
e8
f5
f4
f4
f2
e4
e3
e6 f6e5 f7 e7
e2f2
f5
f4Figure 81: Forward propagation of the e�ect of an implicated component to establishits signature.measurement selection algorithm and depends on the observed vertices in the tem-poral causal graph, and the desired precision for the diagnosis algorithm. A smallernumber of total observations on a system typically imply that higher order signa-tures of the observed variables are required to achieve a level of precision that onecould obtain with more observations but lower order signatures for each observation.Limiting the order of signatures has other practical advantages. As discussed earlier,higher order e�ects take longer to propagate, and, therefore, their e�ects are observedat later points in time from the time point at which failure occurs. This allows otherphenomena and e�ects from other parts of the system to a�ect the observed variablesand change their characteristics. For example, a fault may cause an abrupt increasein a variable value, but negative feedback e�ects may soon diminish the increasingvalue, and tend to bring the value down toward its previous steady state. This prob-lem is compounded even more when cascading faults occur. They cause con icts withlower order e�ects and hamper fault isolation.A complete signature contains derivatives speci�ed to its su�cient order. Whenthe complete signature of an observed variable has a deviant value, monitoring will162
eventually report a non normal value for this variable. When the signature is incom-plete, the variable has an assigned deviation for higher order derivatives but the lowerorder derivatives are not assigned values. This implies that the lower order deriva-tives of the prediction for the fault under scrutiny are normal (i.e., non-deviating),and, therefore, are marked normal. Note that other faults could have caused devia-tions of lower order derivatives, and the conservative use of normal observations torefute candidates prevents elimination of the fault with predicted normal lower orderderivatives. Steady StateSignatures corresponding to an implicated component are used to track the tran-sient system behavior. Eventually, most systems without catastrophic faults tend tocome back to a steady state. The steady state causal graph derived from the bondgraph model of the system then determines the �nal steady state value that each ob-served variable will achieve under the faulty conditions. Typically, the system returnsto its previous steady state or converges to a new one. In the qualitative framework,steady state values are predicted to be below the original, at the original, or abovethe original steady state value for the variable. This predicted steady state value foreach observed variable is attached to the signature and used in the monitoring stage.MonitoringThe signatures of the observed variables generated in the prediction module areinput to the monitoring module which compares actual observations, as they changedynamically after faults have occurred, to the reported signatures. It is only here that163
a number of previously discussed practical issues are incorporated into the diagnosisengine. This allows localized mechanisms for measuring realistic dynamic e�ects thatcan be easily adjusted to experiment with several assumptions about the quality andcharacteristics of measurements and behavior. This section discusses a number of suchlocalized measures that are employed to improve the robustness of the monitoringtask. Sensitivity to the Time StepThe time step employed in the monitoring process is a critical factor in establishingits success. The choice of the step size is dependent on the di�erent rates of responsethat the system exhibits. Too small a time step may result in lack of sensitivityto changes, and too large a time step may produce incorrect inferences. Considerthe signal (solid curve) shown at the left in Fig. 82. A large monitoring time step(> t1) gives the appearance that this signal undergoes a discontinuous change (dashedcurve). Decreasing the time step may help in di�erentiating between discontinuities(abrupt changes) and continuous e�ects. On the other hand, if the time step is toosmall when applied to a variable with a relatively slowly decreasing slope as shown atthe right of Fig. 86, it appears that the signal does not change for a period of time,therefore, it is reported to be normal or to have reached steady state. In actuality itis decreasing, and reporting it as normal may result in premature elimination of truefaults. 164
t1 t2 t3 t1 t2 t3Figure 82: Signal interpretation.1 2 3 t
1
2
3
00dt 1 2
+
+
+
+
-
-
-
-Figure 83: Progressive monitoring.Progressive MonitoringTransients that occur at the time of failure usually change over time as othere�ects from the system a�ect the observed variables. The signatures for a candidatefault can change dynamically. For example, a variable may have a 0th order derivativewhich is normal and a 1st order derivative which is above normal. Over time, thevariable value will go above normal. Including the e�ect of higher order derivatives inthe monitoring process is referred to as progressive monitoring. It replaces derivativesthat do not match with the observed value with the value of derivatives of higher orderin the signature. An example of this is shown in Fig. 83, where at time stamps marked1, 2, and 3 a lower order e�ect is replaced by a higher order e�ect that has becomemanifest. If the higher order derivatives match the observed value, the fault underconsideration is still plausible, otherwise it is rejected.165
Progressive monitoring is activated when there is a discrepancy between a pre-dicted value and a monitored value (this applies to 0th and higher order derivatives).From the point in time when discrepancies occur between an observation and its pre-diction, the next higher derivative of the measurement is checked to see whether itcould make the prediction consistent with the observation. If this next higher deriva-tive value is predicted to be normal, the next higher derivative value is considered,and so on, till there is either a con ict between the prediction and observation, acon�rmation, or an unknown value is found.To illustrate, Fig. 84 shows the prediction-monitoring output for a sudden increasein out ow resistance Rb2 in the bi-tank system in Fig. 76, where �1; 0; 1 maps ontolow, normal, high and a period indicates the value is unknown. The two observedvariables are the out ow of the left tank, f3, and the pressure in the right tank, e7.Each box depicts the monitored values at time steps when the set of hypothesizedfaults changes, the possible faults, and their signatures. The values on the top of eachbox represent the actual observations of the 0th order, 1st order, and 2nd order behaviorexpressed in qualitative terms.4 The lower section represents the prediction of thebehavior of the observed variables for each of the candidates in terms of their 0th order,1st order and 2nd order derivatives, respectively. An example of the application ofprogressive monitoring is shown between step 9 and step 23 in Fig. 84. The signaturefor observation e7 assuming fault R+b1 changes from 0; 0; 1 to 1; 1; 1. This is basedon the assumption that the 2nd derivative, which is positive, makes an impact onboth the 1st derivative and magnitude of the signal. Updating the prediction in this4Note that the actual observations only deal with magnitude and slope (1st derivative). The 2ndorder derivative is never determined. 166
(1) ACTUAL =>f3: 0 . . e7: 1 . .
==============C2- =>
f3: 0 1 -1 e7: 1 -1 1
Rb2+ => f3: 0 0 1 e7: 0 1 -1
R12- => f3: 0 -1 1 e7: 0 1 -1
C1- => f3: 1 -1 1 e7: 0 1 -1
Rb1+ => f3: -1 1 -1 e7: 0 0 1
(9) ACTUAL =>f3: 0 0 . e7: 1 1 .
==============C2- =>
f3: 0 1 -1 e7: 1 -1 1
Rb2+ => f3: 0 0 1 e7: 0 1 -1
R12- => f3: 0 -1 1 e7: 0 1 -1
C1- => f3: 1 -1 1 e7: 0 1 -1
Rb1+ => f3: -1 1 -1 e7: 0 0 1
(23) ACTUAL =>f3: 1 0 . e7: 1 0 . (-> S)
==============Rb2+ =>
f3: 0 0 1 e7: 1 1 -1
R12- => f3: 0 -1 1 e7: 1 1 -1
C1- => f3: 1 -1 1 e7: 1 1 -1
Rb1+ => f3: -1 1 -1 e7: 1 1 1
(25) ACTUAL =>f3: 1 1 . e7: 1 0 . (-> S)
==============Rb2+ =>
f3: 1 1 1 e7: 1 1 -1
C1- => f3: 1 -1 1 e7: 1 1 -1
(26) ACTUAL =>f3: 1 0 . (-> S)e7: 1 0 . (-> S)
==============Rb2+ =>
f3: 1 1 1 e7: 1 1 -1
e7
f3
1
1
9
9
25
25
tf
tfFigure 84: Progressive monitoring for fault R+b2.manner keeps the signature consistent with the observation that e7 is above normal.As a result, R+b1 is still considered a viable fault hypothesis. Note that based on thequalitative observations, the time of failure, tf , is unknown.Fig. 85 shows the output when the fault C�2 was introduced into the bi-tank systemand discontinuity detection was used. In this case, since the actual deviation of themagnitude changes over time, a fourth value is added to the actual observations thatcaptures whether a discontinuous deviation occurred at the time of failure as soonas it can be inferred. Now, progressive monitoring does not apply to the 0th orderprediction because this value is used to match discontinuous changes. Fig. 85 showsthat the �nal diagnosis result was obtained in two time steps [80], and transientdetection was suspended for both f3 and e7 at time step 7. The diagnosis engine cancorrectly detect and isolate all single fault parameter deviations if pressure in one tankand out ow of the other were measured and a �rst order signature is used. In thiscase, discontinuity detection is not required but steady state detection is. If steadystate detection is not possible, either three observations and discontinuity detectionare required or a second order signature without discontinuity detection can be used.167
(1) ACTUAL =>f3: 0 . . . e7: 1 . . .
================C2- =>
f3: 0 1 -1 e7: 1 -1 1
Rb2+ => f3: 0 0 1 e7: 0 1 -1
R12- => f3: 0 -1 1 e7: 0 1 -1
C1- => f3: 1 -1 1 e7: 0 1 -1
Rb1+ => f3: -1 1 -1 e7: 0 0 1
(2) ACTUAL =>f3: 1 1 . . e7: 1 -1 . 1
================C2- =>
f3: 0 1 -1 e7: 1 -1 1
Rb2+ => f3: 0 0 1 e7: 0 1 -1
R12- => f3: 0 -1 1 e7: 0 1 -1
C1- => f3: 1 -1 1 e7: 0 1 -1
Rb1+ => f3: -1 1 -1 e7: 0 0 1
(7) ACTUAL =>f3: 1 0 . . (-> S)e7: 1 0 . 1 (-> S)
================C2- =>
f3: 0 1 -1 e7: 1 -1 1
e7
f3
2
2
4
4
7
7
tf
tfFigure 85: Results of the diagnosis system with C�2 faulty and discontinuity detectionis used.Similar results were obtained on a three-tank system [80].Fault InteractionWhen the single fault assumption is relaxed multiple faults can occur simultane-ously in the system. Since normal observations are not used to eliminate hypothesizedfaults, it is unlikely that real faults will be dropped during the hypothesis generationand prediction stages. However, when faults interact, and the faults have oppositepredicted deviations on observations, the fault that has the less dominant e�ect islikely to be dropped from contention because its e�ects are masked out by the otherfault. A pragmatic solution to this problem is to use an adequate number of observa-tions so faults can be more easily discriminated. Moreover, for the observed variables,if the su�cient order of the signatures is kept low, the focus is more on the immedi-ate e�ect of transients as opposed to situations where longer propagation delays areconsidered which increases the chances of interaction. Allowing the longer periods ofinteraction also allows for the possibility of cascading faults, where an initial fault168
may change variable values su�ciently to cause other components to start failing.For example, in the bi-tank system in Fig. 76, if Rb1 fails with a high value, it maycause Rb2 to fail with a below normal parameter value because the pressure e7 mayincrease to large enough values. The observed pressures for these faults can becomehigh or low, depending on which e�ect dominates. For multiple fault situations, R+b1and R�b2, and reported magnitude deviations e+2 and e�7 in the observations,5 thediagnosis engine picks R+b1 only if its predicted e�ect on e7 is consistent with theobservation e�7 . The 2nd order prediction for R+b1 is e0 0 +7 , and this is in con ictwith the measurement e�7 , therefore, R+b1 is refuted as a possible fault. However, ifthe su�cient order for the signatures were set to 1 (i.e., consider up to 1st ordere�ects only), the signature for R+b1 becomes e0 ?7 , which is not inconsistent with theobservations.This demonstrates that a natural partitioning of a physical system can be createdbased on the order of its interactions. A measurement selection algorithm discussedin the next section, establishes diagnosability criteria for di�erent parameters. Forthe bi-tank example, 1st order signatures are su�cient for identifying all single faultswhen observing one of the pairs fe2; f8g; ff3; f5g; ff3; e7g; ff3; f8g; ff5; f8g. This givesa high single fault resolution and makes the diagnosis engine robust in a cascadingfault environment. Temporal BehaviorTwo distinct characteristics of signals in response to fault disturbances, transientsand steady state, carry the most distinctive discriminative information for diagnosis.5This is based on the assumption that Rb1 dominates e2 and Rb2 dominates e7.169
For monitoring it is important to know when, after a time of failure tf , the transientdetection phase terminates, and the system moves into the steady state mode, requir-ing steady state detection to be activated. Palowitch [102] reports that signals mayexhibit a compensatory or an inverse response (Fig. 86). A compensatory responseexhibits a decreasing slope and gradually moves towards steady state. For an inverseresponse, after an initial increase or decrease, the signal may reverse direction. Anadditional phenomenon resulting from abrupt faults can be categorized as a reverseresponse. A reverse response occurs if a discontinuous signal overshoots and, conse-quently, its qualitatively interpreted magnitude reverses sign (i.e., goes from abovenormal to below normal or vice versa). In the qualitative analysis framework, thesebehaviors are detected from an initial magnitude deviation by noting that:{ For an inverse response the magnitude and slope deviations have opposing signsand there was no discontinuous change of magnitude at tf . If a discontinuousmagnitude change took place, the transient at tf could indicate a decrease ofthis magnitude, and this results in a slope of opposite sign. However, this is notan inverse response since the transient e�ects are the same as those exhibitedat tf and not a�ected by time at all.{ For a compensatory response the slope has become 0.{ For a reverse response the signal has a discontinuous initial magnitude deviationwith sign that is opposite of the current magnitude deviation.When any of these situations are detected, transient veri�cation for that particularsignal only is suspended (stage t in Fig. 86), and steady state detection activated(stage s in Fig. 86). Therefore, after a period of time, some signals may be processed170
t t t
t
tf tf tf
s
t
t
s
sFigure 86: Typical signal transients in physical systems that exhibit di�erent quali-tative behavior over time.in the transient mode, whereas others are processed in the steady state mode. Steadystate is detected when a �rst order derivative becomes 0 for a su�cient period of time.The su�cient period of time is usually based on design information. As part of futureresearch, more sophisticated steady state detection techniques will be investigated.Algorithm 4 Monitor Predictions of 0th Order DerivativeRequire: predicted and observed 0th order derivative 6= no markfor all observed vertices doif use discontinuities thenif observed discontinuity is consistent with prediction thenassume fault is consistentelseadd to measure of inconsistencyend ifelsepredictions progressive monitor(observed 0th order derivative)end ifif observed 0th order derivative = prediction thenassume the 0th order e�ect is consistentend ifif not sensitive to normal observations and observed 0th order derivative is normal thenassume the 0th order e�ect is consistentend ifend for SummaryTo achieve robustness in analysis, the following measures are introduced:1. A given signal's behavior is used to analyze faults only after the monitoringscheme reports it to be deviant. This circumvents the problem of insensitivityfor small time steps. 171
Algorithm 5 Monitor Predictions of 1st Order DerivativeRequire: predicted and observed 1st order derivative 6= no markfor all observed vertices doassume 1st order e�ect is inconsistentif not sensitive to normal observations and observed 1st order derivative is normal thenassume the 1st order e�ect is consistentelsepredictions progressive monitor(observed 1st order derivative)end ifif observed 1st order derivative = prediction thenassume the 1st order e�ect is consistentend ifend for2. Comparison of a predicted signature with monitored observations is carried outfor a number of time steps, and only if the results are inconsistent for the greaterpart of the comparisons is the fault rejected.3. During this transient monitoring stage a progressive monitoring scheme de�nesthe dynamic characteristics of the initial fault transients.4. A su�cient order of the signatures allows for quick fault isolation before cas-cading faults occur.5. After a period of time, signal behavior may deviate signi�cantly from behaviorat the time of failure (e.g., it may reverse its slope) and the transient predictionand veri�cation process is suspended, and steady state analysis and veri�cationis activated. This is based on three characteristic qualitative signal behaviors.Measurement SelectionMeasurement selection is a critical task in designing an economically viable ande�ective diagnosis system. For example, consider the one-tank system in Fig. 87.While measuring the pressure at the bottom of this tank, a discontinuous change of172
Rb1
f in
f out
f out
f out
C1
p
C1-
Rb1-
t
p
p
t t
ttf
tf tf
tfFigure 87: Characteristic response of pressure and out ow to two di�erent faults.this observable can only be caused by an abrupt change of tank capacity. Any otherchange a�ects the pressure only through integrating e�ects, which smooth out theabrupt change. Note that measuring the out ow would not yield this discriminativeinformation since a discontinuous change in the out ow can be caused either by anabrupt change of tank capacity or by a change of out ow resistance. However, withmultiple out ow resistances, no distinction can be made between the out ow resis-tance faults by observing just the tank pressures. On the other hand, with resistivefailures steady state behavior of the out ow does di�er. So, the ow measurementcan be used for discrimination, if time permits.6 This provides additional informa-tion associated with the out ow resistance to determine whether it has failed or not.So, additional discriminative information becomes available and the importance ofmeasurement selection becomes apparent.Before diagnosis, given a set of possible observations, a measurement selectionalgorithm is utilized o�-line to determine sub-sets of observations that cover theparameter space completely. To this end, the signatures for all parameter deviations(high and low) are determined. Next, each combination of observations is checked to6It is obvious that in case of certain failures it is preferred not to wait for the process to reachsteady state but to take corrective measures or shut it down immediately.173
determine if all parameter deviations have a unique set of characteristics. From thisthe minimal set of observations for a diagnosable system are determined.De�nition 7 (Diagnosability) Diagnosability represents the sets of possible faultsthat can be distinguished from each other based on a given set of observations andsignature order.De�nition 8 (Complete diagnosability) For a completely diagnosable system thesets of distinguishable faults all have one element only.To illustrate this algorithm, consider the bi-tank system in Fig. 76. Possiblemeasurement points are selected to be the left and right out ow, the ow from the leftto the right tank, and the pressure in both tanks. The parameters of the system arethe left and right tank capacities and the ow resistances. First, magnitude changesin the observed variables are determined for positive deviations of all parameters,which yields: 266666666666664 f3e2f5e7f8 377777777777775 = 266666666666664 � 0 0 � 00 0 0 � 00 � 0 � +0 0 0 0 �0 0 � 0 � 377777777777775266666666666664 Rb1R12Rb2C1C2 377777777777775 (66)Similarly, slopes of all observable signals are determined for all positive parameterdeviations: 266666666666664 _f3_e2_f5_e7_f8 377777777777775 = 266666666666664 + + 0 + �+ + 0 + �+ + � + �0 � + � +0 � + � + 377777777777775266666666666664 Rb1R12Rb2C1C2 377777777777775 (67)174
Finally, steady state analysis completes the signature of each observable for all pos-sible positive parameter deviations:266666666666664 f13e12f15e17f18 377777777777775 = 266666666666664 � + + 0 0+ + + 0 0+ � � 0 0+ � + 0 0+ � � 0 0 377777777777775266666666666664 Rb1R12Rb2C1C2 377777777777775 (68)The e�ects of negative parameter deviations are computed analogously. In this sys-tem, these in uences are the opposite of positive parameter deviations.7 An exhaus-tive search is now applied to identify which set of minimal measurements producesunique feature characteristics for all parameter deviations. To this end, 0 value slopesare not used because of the ambiguity in detecting these. The resulting measurementsets are fe2; f8g,ff3; f5g,ff3; e7g,ff3; f8g, and ff5; f8g. Notice that fe2; e7g, whichrepresents both pressures does not result in a completely diagnosable system. In-specting the matrices, one learns that for these observations parameter deviationsin Rb1 and Rb2 have the same magnitude and steady state deviations. Though theslopes di�er between normal (bold faced) and a non-normal value, typically this cannot be used to refute either of the two faults. It is interesting that these variablesconstitute the system state in a systems theory sense. So, simply observing the stateof a system may not be the most e�cient way of doing diagnosis.7In general, this is not true, notably when structural changes occur.175
CHAPTER XTHE LIQUID SODIUM COOLING SYSTEMThe e�ectiveness and use of the diagosis methodology based on transients wasdemonstrated in Chapter IX [80, 92, 93]. As a next step, to investigate the scalabilityof this methodology, its performance was tested on a model of a real system, thesecondary liquid sodium cooling loop in a fast breeder nuclear reactor. The need fora qualitative approach in this system is motivated by the fact that it is a nonlinearcomplex system, modeled as sixth order. This makes it hard to develop accuratenumeric models for generating system behavior in di�erent modes. Moreover, theprecision of the sodium ow sensors used in the system is limited and hardwareredundancy is hard to achieve because of the expense involved in adding ow sensors.The Secondary Sodium Cooling LoopIn a nuclear reactor, heat from the reactor core is transported to the turbineby a primary and secondary cooling system. The primary cooling sub-system con-nects directly to the reactor and transfers heat to the secondary cooling sub-systemwhich then transfers heat carried by the liquid sodium to the steam in the generator(Fig. 88). Heat transfer from the primary cooling loop to the liquid sodium in thesecondary loop happens through an intermediate heat exchanger to drain heat. Theheated sodium is then pumped through two stages: the superheater and the evapo-rator vessel, both of which heat up the water and steam in the steam-water loop thatthen drives the turbine. 176
super heaterevaporator
mainmotor
sodiumoverflowtank
secondarysodium
pump
intermediateheat exchanger
sodium flow stopping valve(normally opened)
sodium flowstopping valve(normally opened)
feedwaterloop
primarysodiumloop
feedwaterloop
CEVCSH
GY
R4
R5
R3
COFC
R2
e33
R1
V in
I IHX
e19e22
f11
e14
Figure 88: Secondary sodium cooling loop.Modeling HydraulicsWhen developing a model for the hydraulics of the system, it is important to notethat bond graphs model total pressure rather than static pressure. Static pressure isthe pressure of a uid on the pipe wall and depends on the uid ow velocity andelevation. Moving uid contains kinetic energy, and combined with potential energydue to elevation from a reference level this yields total pressure. If � is the uiddensity and ag the gravitational acceleration, then the potential energy of a uidvolume, �, at height, h, is represented by ��agh. Given a uid volume, �, owingat velocity, v, its kinetic energy is 12��v2. Combined with the hydraulic energy as aresult from pstatic, this equates the required energy to move a uid volume � againstits total pressure, �ptotal, and after dividing by �, total pressure is then expressedas [130] ptotal = pstatic + �agh + 12�v2 (69)177
This is illustrated by Fig. 89, where in case of piping without resistance, the totalpressure at each of the measurement points, p0; p1; p2; p3 is the same. However, thepressure measured at the pipe wall, depends on the velocity of the uid ow at theopening of the manometer, and the height of the measurement point. The uidvelocity at the point where the manometer measures pressure p0 is 0, therefore, thispressure is solely a function of the pressure in the tank. The manometer that measuresp1 is located at a lower level, and, therefore, it measures the pressure in the tankcombined with the potential energy due to the di�erence in height, which results ina measured pressure that is higher. Pressure measurement p2 is less than p1, thoughat the same level, because it measures pressure of a uid moving with a ow velocity,vw, in the wide pipe segment. Pressure p3 is even less because of the higher uidvelocity in the narrow pipe segment, vn.Note the higher uid ow velocity in the narrow pipe segment. The ow variablein the hydraulics domain is the volume ow rather than ow velocity. Since the widepipe transports the same volume of liquid in the same amount of time as the narrowpipe, because of its smaller area, the ow has a higher velocity in the narrow pipe.This represents an inertial e�ect because the uid velocity is larger and thus, becauseof its mass, builds up relative momentum.The Bond Graph ModelThe model used for diagnosis applies energy and mass balance of the systemin the hydraulics domain combined with the mechanical characteristics of the mainmotor and pump. The bond graph that captures system behavior in these domainsis a nonlinear, sixth-order model (Fig. 90). The main motor driver (Fig. 91) is a178
ρ½ v2w ρ½ v2
n
p0
vw vn
p1
p2
p3
Figure 89: Total pressure versus static pressure.synchronous, ac motor, and as an assumption, its electrical �eld is considered tobe present as soon as it is turned on. Therefore, dynamic electrical e�ects are notmodeled, and the electrical part of the motor system can be represented as a source ofmechanical energy with a given torque/angular velocity characteristic. The inertia ofthe rotor and the mass of transmission gear is modeled by m1, and the transmissionratio between motor and pump by n. Pump losses in the uid connection betweenthe motor and pump are modeled by a dissipation element, R1, and the pump inertiais represented as m2. The model of a centrifugal pump (Fig. 92), can be derived usingconservation of power and momentum [130]. This generates:�� = pout�out; (70)where � is the input torque, � represents angular velocity of the pump rotor, pout ispump pressure, and �out the corresponding mass ow. Conservation of momentumstates that the mechanical momentum, R �dt, equals the hydraulic momentum. Theamount of mass moved by the pump depends on the total area of its veins, a, minusthe e�ective loss in moved mass due to the curvature of the veins, b. This is given asR a�� b�outdt. If the pump veins are not curved, b = 0. The hydraulic momentum of179
nTF
RR3
RR4
RR2
RR5
0
CSH
COFC
0
Sesump
CEV
1
1
Seinτ
RR1
1
IIHX
Im1
Im2
0
MGY
a -b
1
1
01 3 4
5
6
7
8 9
1011
12
13
14
15
16
17
18
20
21
23
24 25
22
192
1Figure 90: Bond graph of the secondary sodium cooling system.f2f7
R1
IgearIpump
τin
m2 m1n}} } }
θ,τ
φout out,p
I rotor
MGY
Figure 91: Synchronous ac motor that drives a pump.the pump is represented by �out R a� � b�outdt. The resulting equationZ �dt = �out Z a� � b�outdt (71)can be written as � = �out(a� � b�out) + _�out Z a� � b�outdt; (72)which for relatively low ow acceleration compared to ow velocity, yields the con-stituent relation � = (a� � b�out)�out. Combined with Eq. (70) this yields pout =(a� � b�out)� which describes a modulated gyrator with modulus a� � b�out.The hydraulics of the sodium loop are modeled by a closed power loop (Fig. 90).The coil in the intermediate heat exchanger accounts for ow momentum build-up,180
θ,τ
veins
φout out,p
φin
inpFigure 92: Operation of a centrifugal pump.represented by a uid inertia, IIHX. The piping from the main pump through the heatexchanger to the evaporator vessel is represented by resistance R2. The two sodiumvessels are modeled by capacitances, CEV and CSH and the connecting pipe by itsresistance, R3. An over ow column, COFC , maintains a desired sodium level in themain motor, and the piping between the evaporator and this column is representedby resistance R4. Both these storage facilities are connected to a sump, Se, by a pipewith resistance, R5.The corresponding steady state bond graph is shown in Fig. 93. Solving thealgebraic equations in this model results in a third order equation because of thequadratic modulus of the gyrator. A closed form symbolic solution was derived usingMathematica. This solution has one real root that represents the steady state solution,and symbolically provides the nominal values of the operation.The Temporal Causal GraphFor diagnosis, the dynamic temporal causal graph of the system is derived fromthe bond graph (Fig. 94). Because of its nonlinear character, the MGY requires moredetailed analysis. The derivation of the causal relations of the modulated gyrator181
nTF
RR1
RR3
RR4
RR2
RR5
0
Sf0
Sf0
0
Sesump
Sf0
1
1
inτSe 1
Se0
Se0
Se0
0
a -b
MGY 1
1
0 1Figure 93: Steady state bond graph of the sodium cooling system.is shown in Fig. 95. First it is observed that the modulation factor g = af8 �bf9 is directly proportional to f8 and inversely proportional to f9, g(f8;�f9). Thedependency of g on f8 and �f9 can be explicitly modeled by edges between thesevariables and the a�ected variables. In case of the dynamic behavior, the a�ectedvariables are e8 and e9 (Fig. 90) and the corresponding edges are added to the causalgraph (Fig. 95). In the secondary sodium cooling loop g > 0, and, therefore, theadded in uences on e8 result in ambiguity. This is revealed by a detailed study of thesensitivity of e8 to f9. From the bond graph e8 = (af8 � bf9)f9, so e8 = af8f9 � bf29 .This relation, plotted in Fig. 96, reveals that the sensitivity of e8 to f9 can be positiveor negative depending on the values of f8 and f9. Given the nominal values of thesteady state operation of the system, which is parameter dependent, the weight off9 ! e8 can be determined as a positive (1) or negative (-1) in uence. However, oncea deviation occurs, f8 and f9 may di�er from their nominal values and a di�erentoperating point may be reached. Since these new values are likely to be causedby failures, and, therefore, will be unknown at monitoring time, the in uence mayreverse. This can only occur if e8 is predicted to be high based on the proportionalin uence (-1 or 1). So, only a predicted decrease in e8 is unambiguous, and, therefore,182
f2 e5 f8n
n
1 g
-1
-1
?
-1
1
1-1
Vine2e1 f5
e3
e7 e9
f9e8
f7dt dtm1 m
R2
1e33
1 =
f14
e16
e14
f16f22
e22
=
=
-11
1 -1-1
1
1
-1
-1
1
-1
1
1
-1
e25
f20
e20
f11
e10
f24
e24
e11
f19
e19
dt
dt
111 dt dt
L
C
RRR C C
R
3
1
345 3 2
2
Figure 94: Temporal causal graph of dynamic behavior.MGY 11
f8 f99
-ba
8
g = a*f8 - b*f9
g > 0
f8=
=g(f8,-f9)
g(f8,-f9) 1
-1
e9
f9e8
f8=
=-g
1
1-1
g
1
1
-1
e9
f9e8
f8=
=?
-1
g
1
1
-1
e9
f9e8Figure 95: Temporal causal graph of a modulated gyrator.propagated. A predicted increase in e8 is propagated as unknown. Note that thetwo pump parameters a and b are represented by one positive parameter, g, in thetemporal causal graph. This prohibits making a distinction between deviation ofeither, but since fa; bg is attributed to the same component, the centrifugal pump,this set can be treated as one fault. Also note the variable e33 that represents e9+e22.This variable is introduced because it is a measured value in the actual system.183
f9
-1
e8
f8a2b
1Figure 96: Detailed sensitivity analysis of @e8@f9 .Measurement SelectionThe measurement selection algorithm was applied to �nd a minimal set of observa-tions required to establish a diagnosable system. In principle, measurement selectionis based on the temporal structure of the graph, and, therefore, no numeric informa-tion is used. However, when f9 or e8 is low numeric information can be applied todetermine whether the relation f9 ! e8 is 1 or �1 instead of generating unknown asis done when f9 or e8 is high. Furthermore, because of the critical nature of failures inthis type of system, it is not desired to wait until the system has reached steady stateafter an abrupt failure. Therefore, measurement selection does not utilize di�erencesin steady state behavior between faults.Ideal ObservationsPossible observations are selected to be the e�orts on 0 junctions, fe5; e14; e19; e22g,and the ows on 1 junctions, ff2; f7; f11; f16; f20; f24g. From the temporal causal graph(Fig. 94) it can be seen that n and R1 have similar temporal e�ects, i.e., they arenot separated by temporal, integrating, e�ects. To distinguish between failure ofthese two parameters the di�erence in angular velocity of the driving motor and the184
Table 3: Minimum sets of measurements for completely diagnosable single faults, incase of one pump parameter.Order Measurementsf2 f5 e5 f7 f11 e14 f16 e19 f20 e22 f24 e33 total5 p p p p p 53 p p p p p 52 p p p p p p p 72 p p p p p p p 72 p p p p p p p 72 p p p p p p p 72 p p p p p p p 72 p p p p p p p 72 p p p p p p p 72 p p p p p p p 7rotating pump, f5, is added to the set of possible measurements. Finally, observationsthat are presently available in the secondary cooling system, indicated by the boxedvariables in Fig. 88, show the pressure generated by the centrifugal pump, e33, as anadditional observation. Adding this measurement to the set of possible observationsresults in a completely diagnosable system for single faults (Table 3). If up till 5thorder is predicted sets of 5 observations can be used while for predictions of up till2nd order 7 observations are required. Note that f7 is never used.Actual MeasurementsThe ideal observations selected to achieve complete diagnosability of single faultsare not necessarily the best measurements to choose in practice. This may be becausesome of the chosen sensors are expensive. As an alternative, measurements that arenot part of the ideal set of observations may be available, for example, regulationsmay require certain pressures and ows to be monitored. In case of the secondarycooling system, variables in the system that are typically hard to measure are ow185
Table 4: Fault discrimination based on actual measurement points in case of onepump parameter.Measurements Order Indistinguishable Parametersff2; f7; f11; e14; e19; e22; e33g 2 fn;R1; R4gfn;R1; R3; R5g3 fn;R1g4 fn;R1g5 fn;R1gff2; f7; f11; e14; e19; e33g 2 fn;R1; R4gfn;R1; R3; R5gfg; C3g3 fn+; R+1 ; R�5 gfn�; R�1 g4 fn;R1g5 fn;R1gff2; f7; e14; e19; e33g 2 fn;R1; R2; R3; R4; R5gfg; C3g3 fn;R1; R3gfn+; R+1 ; R�5 g4 fn;R1gfn�; R�1 ; R�3 g5 fn;R1gvariables because ow sensors for liquid sodium are imprecise and expensive.Using only the observations that are currently available, ff2; f7; f11; e14; e19; e22; e33g,depicted by boxed variables in Fig. 88 and Fig. 91, single faults in the system areequally well diagnosable, except for fn;R1g (Table 4) which can also be achieved witha sub-set. The number of observations in this set and the ideal set of selected mea-surements are the same, but higher order predictions are required to achieve the samediagnosis for the currently used set. This implies there are more likely interactions inmultiple, cascading, fault scenarios for the current observations.Simulation ResultsThe numerical simulation model for the secondary cooling loop utilizes the forwardEuler integration, xk+1 = _x�t+ xk. To ensure stability, the numerical time step waschosen based on the smallest time constant of the model, �min, such that �t < �min3[130]. 186
From system speci�cation documents and by consulting domain experts, the pa-rameter values listed in Table 5 were chosen. Those values are relative to each other(not the exact parameter values), and they su�ce to generate behavior that matchesthe actual system behavior in a qualitative sense. The EVmax parameter indicates themaximum level of the liquid sodium in the evaporator vessel. This over ow mech-anism was modeled but not taken into account in the temporal causal graph thatwas used for diagnosis because it would introduce a model con�guration change. Thesimulation used a numerical time step of �t = 0:001, which produced numericallystable simulation in all situations, normal and failure. This indicates a �min < 0:003in the model which relates to a minimal time constant in the actual system that isin the order of minutes. This time step is also chosen as the monitoring time stepwhich, given a minimum time constant of one minute in the actual system, equates toa maximum sample rate of 20 seconds. Choosing a larger monitoring time step mayresult in incorrect diagnosis results. Smaller time steps imply added computations,but the monitoring algorithms are only sensitive to an upperbound on the step size,and this is likely to be the preferred alternative. Practically, the monitoring stepshould be chosen to be less than �min3 .Failure was simulated in the system by changing the model parameters by a fac-tor 5. Conservation of state (Chapter III) was applied in case any of the capacitanceor inductance elements failed, and keeping its stored momentum or liquid constantresults in an abrupt change of angular velocity/ ow or pressure, respectively. Sim-ulation was stopped when either the transients of all observations were detected or3913 samples had passed.11This number is derived from the time it takes a signal with time constant 10 to reach its steady187
Table 5: Parameter values for the model of the secondary sodium cooling loop.R1 10 CSH 20 m1 0.1 n 0.25R2 1 CEV 20 m2 0.5 a 1R3 0.143 COFC 1.6 IIHX 1 b 0.1R4 0.232R5 1 �in 7 sump 2 EVmax 2.2Fault Detection and Isolation Without NoiseThe �rst set of experiments were conducted for the situation in which no noise wasadded to the measured signals, observations, generated from the simulation model.In this case, the quality of the results depended on (1) the parameter di�erencesin the model and (2) unmodeled con�guration changes. The results established abenchmark for subsequent experiments when noise was added to the observations.For detection of high and low values for signals, a qualitative margin of error of 2%was used in conformance with typical experiences in real situations to avoid spuriousdeviations due to noise. Of course, in case of no noise the margin of error couldbe further reduced, and this would have produced better diagnosis results becausedeviations would be detected sooner, and interactions with other phenomena wouldnot corrupt the detected transients.Table 6 summarizes the results. Columns 1 and 4 are the introduced faults, column2 and 5 list the faults reported by the diagnosis system, and columns 3 and 6 indicatethe number of measurement samples required to arrive at the diagnosis result. Threesingle faults were not accurately detected or isolated, R�3 , R+4 , and C�EV . Because ofthe over ow mechanism in the evaporator vessel, a decrease in capacity, C�EV , doesnot result in an increase in level and this is not detected. To detect this failure,state value within 2%. 188
Table 6: Fault detection for ff2; f7; f11; e14; e19; e22; e33g with �t = 0:001, order = 3,qmargin = 2%.Fault Diagnosis Samples Fault Diagnosis SamplesR+1 n+; R+1 58 R�1 n�; R�1 43R+2 R+2 27 R�2 R�2 46R+3 R+3 1255 R�3 ;(R�3 ) 699(699)R+4 R+5(R+4 ; R+5 ) 3429(378) R�4 R�4 43R+5 n+; R+1 ; R�2 ; R+3 ; R+4 ; R+5 2 R�5 R�3 ; R�4 ; R�5 687C+SH C+SH 73 C�SH C�SH 16C+EV C+EV 45 C�EV - -C+OFC C+OFC 9 C�OFC C�OFC 3m+1 m+1 6 m�1 m�1 2m+2 m+2 2 m�2 m�2 2I+IHX I+IHX 16 I�IHX I�IHX 2 ow of sodium through the over ow mechanism has to be monitored. This type ofcon�guration changes that are introduced by faults are not handled in this thesis.The two other faults, R�3 and R+4 , were detected but not correctly isolated, againbecause the over ow mechanism was not modeled in the temporal causal relations.If this phenomenon is included by tagging a predicted value unknown instead of highwhen it would have predicted an evaporator level that is high, the faults would beaccurately isolated as indicated by the entries in parentheses in Table 6. Not all faultscan be uniquely isolated (fn;R1g) because of the lack of required measurements, orcertain predicted deviations are too small to be observed, e.g., e22 in Fig. 97.To gain precision, e�ects of order higher than 3 can be predicted but this maycause additional multiple fault interference. Alternatively, candidate generation canbe modi�ed to incorporate temporal e�ects as well. In its current implementation,one deviating signal is propagated throughout the graph irrespective of delay times189
0
5
10
15
20
0 50 100 150 200time
e14e29
f11
e19e22Figure 97: Characteristic responses for C�SH .(integrating edges), whereas the prediction for each of the hypothesized faults is lim-ited to a maximum order of derivative. So, an observed deviation may generate faultsthat cannot be monitored and re�ned unless other signals deviate noticeably, becausetheir e�ect on the one initially deviating observation is of too high an order. To elim-inate this e�ect, candidate generation can be limited by a total number of integratingedges traversed in the temporal causal graph as well. Preliminary experiments showthat this implementation results in diagnosed faults for, e.g., R+5 ! fR+4 ; R+5 g in 2steps, if only one integrating edge lies between the observed deviation and all gener-ated faults. Note that, from a practical perspective, it is not required to pin downone root-cause exactly. A small set of likely candidates often su�ces, as long as thisset is accurate, i.e., it contains the true cause.Fault Detection and Isolation With NoiseTo investigate the e�ects of noise on the measured signals, 2% uniformly dis-tributed measurement noise was added to the output values to model discretizationnoise due to analog to digital conversion (Fig. 98). Because of the uniform dis-tribution, all signal deviations were within 2% of the actual value, but derivative190
computations could accumulate errors as high as 4%, and the margin or band fornormal behaviors was set at 5% to extract the qualitative signal values: low, nor-mal, and high. The noise e�ects were well within the qualitative margin of error,and results similar to the ideal case were expected. Table 7 con�rms this, and whencompared to Table 6, indicates that the diagnosed faults were less precise but stillaccurate in the presence of discretization noise. In some simulation runs, the additionof noise resulted in more precise diagnosis because deviations that got masked in theoriginal 2% qualitative margin were accentuated by the noise, and crossed the errorthreshold earlier. The only problem observed was with C+OFC. For this fault, the e33signal stayed within the margin of error, and, therefore, was not reported as deviating(Fig. 99). Therefore, the fault was never detected. Increasing the magnitude of errorin the fault caused su�cient deviation in e33, thus producing the correct diagnosiseven for the noisy signals. An interesting observation that can be made here is thatdi�erent signals may have di�erent sensitivities to possible faults. If they are nottaken into account in setting the error thresholds, faults may be missed. Distillingabrupt changes to characterize transient behavior from noisy signals is also nontrivial.This is especially true when normal distributed noise is present, in which case thereis always the probability of a measurement to be beyond the margin of error. Thisrequires the addition of probabilistic measures to the diagnosis algorithms which willpresent faults ranked according to the probability of their occurrence. Furthermore,other methods [6] need to be tried to improve robustness of the monitoring system.These issues are part of future research. 191
0
5
10
15
20
0 50 100 150 200time
e14e29
f11
e19e22Figure 98: Characteristic responses for C�SH with 2% uniformly distributed measure-ment noise.Table 7: Typical fault detection for ff2; f7; f11; e14; e19; e22; e33g with �t = 0:001,order = 3, qmargin = 5%, noise = 2%.Fault Diagnosis Samples Fault Diagnosis SamplesR+1 n+; R+1 84 R�1 n�; R�1 38R+2 R+2 38 R�2 R�2 68R+3 R+3 2580 R�3 ;(R�3 ; R+5 ) 547(543)R+4 R+5(R+4 ; R+5 ) 2514(709) R�4 R�4 86R+5 n+; R+1 ; R�2 ; R+3 ; R+4 ; R+5 2 R�5 n�; R�1 ; R+2 ;R�3 ; R�4 ; R�5 2C+SH C+SH 128 C�SH C�SH 21C+EV C+EV 80 C�EV - -C+OFC ; 18 C�OFC C�OFC 6m+1 m+1 10 m�1 m�1 3m+2 m+2 3 m�2 m�2 2I+IHX I+IHX 20 I�IHX I�IHX 2
time time
e33 e33
0
5
10
15
0 50 100 150 2000
5
10
15
0 50 100 150 200Figure 99: Response of e33 to C+OFC with and without noise.192
CHAPTER XICONCLUSIONS AND DISCUSSIONThe primary contributions of this thesis cover two main areas: (1) modeling andanalysis of hybrid physical systems, and (2) monitoring, prediction, and diagnosis ofdynamic continuous systems. Hybrid ModelingPhysical system behavior is governed by continuity of power, but to simplify mod-els and reduce the computational complexity in analyses, models are abstracted toallow for discontinuous changes, which results in model behaviors being piecewisecontinuous with discontinuities occurring at points in time.Summary and ConclusionsThe �rst part of this thesis contributes to advances in hybrid modeling of physicalsystems.1. A theory of discontinuities in physical system models is developed, and abstrac-tions are classi�ed as time scale and parameter abstractions. Two principlesthat govern physical system behavior across discontinuities:{ conservation of state, and{ invariance of stateare formulated to ensure that hybrid models generate correct behaviors.193
2. A systematic hybrid bond graph modeling paradigm is developed. Its primarycomponents are:{ An ideal switching element is added to the traditional bond graph elementsto model discontinuous changes in system con�gurations.{ A control structure based on the principles of conservation of state andinvariance of state that is embodied by the Mythical Mode Algorithm isdeveloped to ensure correct state transfer and to ensure that the principleof divergence of time is not violated.3. A formal veri�cation methodology is developed for the divergence of time prin-ciple based on{ multiple energy phase space analysis, and{ a model partitioning method based on areas of instantaneous propagationto keep the analysis computationally manageable.4. A mathematical model for hybrid dynamical systems is derived which{ relies on physical model semantics as embodied by the principles of con-servation of state and invariance of state, and{ formalizes the use of a priori and a posteriori values when discontinuouschanges occur.The resultant principles developed in this work are:{ interval-point behavior,{ temporal evolution of state, and194
{ generalized invariance of state.5. An implementation model for hybrid dynamical systems is presented, whichfacilitates{ a classi�cation of hybrid dynamical systems as weak, mild, and strong, and{ model veri�cation based on the principles of divergence of time and tem-poral evolution of state.6. A mapping from hybrid bond graphs to the implementation model of hybriddynamic systems is presented to support the derivation of model componentsbased on a systematic modeling approach.DiscussionStr�omberg, Top, and S�oderman introduced the notion of idealized switching ele-ments for modeling discontinuous physical system behavior in the bond graph frame-work [117]. The work developed in this thesis extends this concept and demonstratesthe need for control models to correctly handle global implications in the form ofsequences of con�guration changes and transfer of the energy state.Iwasaki et al. [51] introduced hybrid systems in the arti�cial intelligence commu-nity by developing the notion of hypertime to advance time over in�nitesimal intervalsduring discontinuous changes. This ensures divergence of time, but the semantics mayresult in incorrect behaviors when sequences of instantaneous con�guration changesoccur. In contrast, Henzinger et al. [47], Deshpande and Varaiya [31], and Guck-enheimer and Johnson [44] introduce semantics where sequences of instantaneous195
changes occur at one point in time, and all intermediate model con�gurations havea representation on the time-line. This thesis shows that this may generate incor-rect state vectors in new model con�gurations after discontinuous changes. To solvethis problem, this thesis introduces more speci�c model semantics based on physicalsystem constraints, such as conservation of state, divergence of time, and temporalevolution of state to ensure the hybrid models generate physically correct behavior.From a control perspective, Lennartson et al. [59] present a formal hybrid imple-mentation model for embedded control systems. This thesis presents a more elabo-rate framework for de�ning model components and presents a general architecture formodel building by using compositional methodologies. The di�cult part of derivingthe speci�cations for each of the model parts is addressed by a systematic mappingfrom a hybrid bond graph model onto this architecture.Future research on hybrid dynamic systems will focus on developing methods toestablish reachability, controllability, and observability in the mathematical modelingframework. Furthermore, a general purpose hybrid system modeling and simulationtool needs to be developed based on the hybrid bond graph modeling methodol-ogy. Special provisions for simulation of hybrid systems need to be developed andincluded [94]. Also, automated model veri�cation based on divergence of time andtemporal evolution of state has to be facilitated. Finally, collision chains, such as New-ton's cradle present interesting behavior where sequences of pinnacles are traversed,which violates the interval-point principle. These phenomena need to be study infurther detail. 196
Model Based DiagnosisThe basis of this work was that abrupt faults in physical systems cause discontinu-ities and transients in system behavior that can be exploited for developing e�cientdiagnosis strategies. Hybrid models of physical systems are exploited to develop e�-cient and robust diagnosis algorithms.Summary and ConclusionsThe diagnosis models conform to mild hybrid dynamic systems. Monitoring, pre-diction, and fault isolation methodologies are developed for diagnosis of dynamiccontinuous systems. The salient features of this work can be summarized as:1. Hybrid bond graphs are shown to provide a suitable framework for qualitative,model based diagnosis.{ They result in properly constrained models that incorporate conservationof energy and continuity of power principles during continuous operatingregimes while adhering to the conservation of state and the invariance ofstate principles during discontinuous change.{ A steady state model that follows the transient period caused by faults canbe systematically derived as an extension of dynamic transient behavior.{ Continuous system constraints are incorporated into the modeling method-ology as topological properties, and this facilitates qualitative reasoning.2. Temporal causal graphs of dynamic behavior that include time-derivative e�ectscan be derived from bond graph models. Algorithms based on this graph aredeveloped for 197
{ generating a set of hypothesized faults that explain initially observed de-viant behavior, and{ predicting future behavior for each of these faults.3. A transient based diagnosis methodology and a monitoring algorithm are de-veloped to:{ Detect and verify behavior signatures that can be attributed to� discontinuities,� magnitude deviations,� slope deviations, and� steady state behavior.{ Perform progressive monitoring to continue to follow observed measure-ments with predicted behaviors, sometimes invoking higher order deriva-tives to ensure a match between measurements and predictions. Hypoth-esized faults and their signatures are dropped only if the higher orderderivatives cannot resolve con icts.{ A feedback detection mechanism to suspend feature detection in a timelymanner. This is based on a classi�cation of feedback behavior as:� compensatory response,� inverse response, and� reverse response.4. A measurement selection algorithm based on an exhaustive search to determinethe su�cient order of predicted behavior or the required measurement points198
to achieve diagnosability. DiscussionIn the control community, numeric methods like state estimation and parameterestimation are typically used for fault detection and isolation [23, 41, 50]. Theseapproaches are computationally intensive and require precise numerical information.In contrast, the arti�cial intelligence community has applied qualitative reasoningmethodologies based on static system models [8, 33, 101]. However, transients inresponse to abrupt faults are dynamic and diagnosis based on static models only isunderconstrained and results in combinatorial problems. Dynamic models exploitthe typical fault characteristics of transients and allow for conservation of energy andcontinuity of power constraints to reduce the parameter search space. Moreover, itsupports quick fault isolation, eliminating the problems due to multiple, cascading,faults.Feedback in physical systems a�ects transients at the time of failure and higherorder e�ects become manifest over time. A progressive monitoring scheme addressesthese previously unsolved problems. In due time, transients are convoluted to theextent that qualitative characteristics at the time of failure cannot be reliably deter-mined anymore. Three qualitative classes of behavior are categorized based on whichtransient detection is suspended and steady state detection activated.Finally, this thesis shows the balance between the order of predictions and thenumber of measurement points in the system to obtain equivalent diagnostic precision.The presented diagnosis engine has been tested in simulation and the next stepinvolves its application to monitor the lubrication of a one-cylinder engine. This199
will bring out a number of issues, the most important being noisy environments.The system was tested on uniform distributed noise, but normal distribution hasdistinctly di�erent characteristics that require a probabilistic implementation of thedeterministic algorithms to obtain robustness. Also, it needs to be investigated howthe system behaves under modeling approximations.Another important aspect is multiple independent faults (rather than cascading).In bond graphs, one component may be represented by several parameters, and,therefore, component failure is likely to a�ect a number of parameters which areindependent on a bond graph level. Failure mode modeling appears to be a promisingsolution. This also applies to structural changes of the model which need to beinvestigated.The presented approach relies on basic qualitative values high, normal, and low.However, often more precise information is available (at least as an order of magnitudeestimate). It needs to be investigated how to systematically include this into thediagnosis engine.Finally, measurement selection and diagnosability are very important notions indiagnosis, and require further attention. The presented measurement selection algo-rithm has proven helpful but has not utilized to its full potential. As a particularimplementation, it is interesting to research how to select measurements on-line outof a large set of possible measurement points to quickly narrow down the search spacewithout becoming computationally expensive.200
Appendix ATHE FALLING ROD SPECIFICATIONThe Analytic ModelX = f!; vx; vyg (73)U = fFf ;magg (74)S = fyA; vA;x; vA;y; Fn; FA;xg (75)� = f�contact; �free; �slide; �stuck; �zero; �neg; �posg (76)
201
f :8>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>:
�00 : 8>>>>>>><>>>>>>>: _! = 0_vx = 0_vy = ag�01 : 8>>>>>>><>>>>>>>: _! = �mlcos�J+ml2 ag_vx = lsin� _!_vy = �lcos� _!�11 : 8>>>>>>><>>>>>>>: _! = �mlcos�J+ml2cos2�ag_vx = 0_vy = �lcos� _!�21 : 8>>>>>>><>>>>>>>: _! = �ml(cos���sin�)J+ml2cos�(cos���sin�)ag_vx = ��(lcos� _! + ag)_vy = �lcos� _!(77)
202
Table 8: State transition table specifying C.�C �contact �free0 11 0g :
8>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>:�00 : 8>>>>>>><>>>>>>>: !+ = !v+x = vxv+y = vy�01 : 8>>>>>>><>>>>>>>: !+ = !J�ml(cos�vy�sin�vx)J+ml2v+x = l!+sin�v+y = �l!+cos��11 : 8>>>>>>><>>>>>>>: !+ = !J�mlcos�vyJ+ml2cos2�v+x = vxv+y = �l!+cos��21 : 8>>>>>>><>>>>>>>: !+ = !J�ml(cos���sin�)vyJ+ml2cos�(cos���sin�)v+x = ��(l!+cos� + vy) + vxv+y = �l!+cos�
(78)h : 8>>>>>>>>>>>>>>>>>>>>>>>>>><>>>>>>>>>>>>>>>>>>>>>>>>>>:
yA = R vydt� lsin�vA;x = vx � l!sin�pA;y = m(vy + l!cos�)Fn = 8>>><>>>: 0 if �00m( _vy � ag) otherwiseFA;x = 8>>><>>>: 0 if �00m _vx otherwise (79)203
Table 9: State transition table specifying S.�S �free �slide �stuck �zero �neg �pos0 11 0 0 2 32 0 0 1 33 0 0 1 2 : 8>>>>>>>>>>>>>>>>>>>>>>>>>><>>>>>>>>>>>>>>>>>>>>>>>>>>:
yA � 0 ^ pA;y � 0 ) �contactF+n � 0 ) �freejF+A;xj � �F+n > 0 ) �slidejv+A;xj � vth � 0 ) �stuckv+A;x = 0 ) �zerov+A;x < 0 ) �negv+A;x > 0 ) �pos (80)
204
The Numeric Modelxk+1 :
8>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>:�k+1 = �k + !k�tyM;k+1 = yM;k + vy;k�t�00 : 8>>>>>>><>>>>>>>: !k+1 = !kvx;k+1 = vx;kvy;k+1 = mag�t+ vy;k�01 : 8>>>>>>><>>>>>>>: !k+1 = �cos�kJ+ml2 ag�t+ !kvx;k+1 = lsin�k+1!k+1vy;k+1 = �lcos�k+1!k+1�21 : 8>>>>>>><>>>>>>>: !k+1 = �ml(cos���sin�)J+ml2cos�k (cos�k��sin�k )ag�t+ !kvx;k+1 = ��(lcos�k+1!k+1 � lcos�k!k + ag�t) + vx;kvy;k+1 = �lcos�k+1!k+1
(81)h : 8>>>>>>>>>>>>>>>>>>>>>>>>>><>>>>>>>>>>>>>>>>>>>>>>>>>>:
yA = yM;k+1 � lsin�k+1v+A;x = v+x;k+1 � lsin�k+1!+k+1pA;y = m(vy;k + lcos�k!k)F+n = 8>>><>>>: 0 if �00m(v+y;k+1�vy;k�t � ag) otherwiseF+A;x = 8>>><>>>: 0 if �00mv+x;k+1�vx;k�t otherwise (82)205
REFERENCES[1] Alfred V. Aho, John E. Hopcroft, and Je�rey D. Ullman. The Design and Anal-ysis of Computer Algorithms. Addison-Wesley Publishing Company, Reading,Massachusetts, 1974. ISBN 0-201-00029-6.[2] R. Alur, C. Courcoubetis, N. Halbwachs, T.A. Henzinger, P.-H. Ho, X. Nicollin,A. Olivero, J. Sifakis, and S. Yovine. The algorithmic analysis of hybrid systems.In J.W. Bakkers, C. Huizing, W.P. de Roeres, and G. Rozenberg (eds.), editors,Proceedings of the 11th International Conference on Analysis and Optimizationof Discrete Event Systems, pages 331{351. Springer-Verlag, 1994. Lecture Notesin Control and Information Sciences 199.[3] Rajeev Alur, Costas Courcoubetis, Thomas A. Henzinger, and Pei-Hsin Ho. Hy-brid automata: An algorithmic approach to the speci�cation and veri�cation ofhybrid systems. In R.L. Grossman, A. Nerode, A.P. Ravn, and H. Rischel, edi-tors, Lecture Notes in Computer Science, volume 736, pages 209{229. Springer-Verlag, 1993.[4] Rajeev Alur and David L. Dill. A theory of timed automata. TheoreticalComputer Science, 126:183{235, 1994.[5] Lee A. Barford. Discontinuities in phase space. E-mail communication, Decem-ber 1995. Hewlett-Packard.[6] M. Basseville and I.V. Nikiforov. Detection of Abrupt Changes: Theory andApplications. Prentice Hall, Englewood Cli�s, NJ, 1993.[7] I.P. Bazarov. Thermodynamics. The MacMillan Company, New York, 1964.[8] Gautam Biswas, Ravi Kapadia, and Xudong W. Yu. Combined qualitativequantitative steady state diagnosis of continuous-valued systems. IEEE Trans-actions on Systems, Man, and Cybernetics, 27(2):167{185, March 1997.[9] Gautam Biswas, Stefanos Manganaris, and Xudong Yu. Extending componentconnection modeling for analyzing complex physical systems. IEEE Expert,8(1):48{57, 1993.[10] Gautam Biswas and Xudong Yu. A formal modeling scheme for continuous sys-tems: Focus on diagnosis. In Proceedings IJCAI-93, pages 1474{1479, Cham-bery, France, August 1993.[11] W. Borutzky. Exploiting di�erential algebraic system solvers in a novel simu-lation environment. SAMS, 17:165{178, 1995.[12] A.M. Bos and M.J.L. Tiernego. Formula manipulation in the bond graph mod-elling and simulation of large mechanical systems. Journal of the FranklinInstitute, 319(1/2):51{65, January/February 1985.206
[13] Raymond M. Brach. Mechanical Impact Dynamics. John Wiley and Sons, NewYork, 1991.[14] P.C. Breedveld. Multibond graph elements in physical systems theory. Journalof the Franklin Institute, 319(1/2):1{36, January/February 1985.[15] Peter C. Breedveld. The context-dependent trade-o� between conceptual andcomputational complexity illustrated by the modeling and simulation of collid-ing objects. In CESA '96 IMACS Multiconference, Lille, France, July 1996.Ecole Centrale de Lille.[16] Jan F. Broenink. Computer Aided Physical Modeling and Simulation: A BondGraph Approach. PhD dissertation, University of Twente, Febodruk, Enschede,The Netherlands, 1990.[17] Jan F. Broenink and Paul B.T. Weustink. A combined system simulator formechatronic systems. In Proceedings of ESM 96, Budapest, Hungary, June1996.[18] Jan F. Broenink and Klaas C.J. Wijbrans. Describing discontinuities in bondgraphs. In Proceedings of the International Conference on Bond Graph Model-ing, pages 120{125, San Diego, California, 1993.[19] Bernard Brogliato, Silviu-Iulian Niculescu, and Pascal Orhant. On the con-trol of �nite-dimensional mechanical systems with unilateral constraints. IEEETransactions on Automatic Control, 42(2):200{215, February 1997.[20] H.B. Callen. Thermodynamics. John Wiley & Sons, Inc., New York/London,1960.[21] Steve Chien, Richard Doyle, and Luiz Homem de Mello. Model-based reasoningfor sensor placement. In Proceedings of the AAAI-91 Workshop on Model-BasedReasoning, Anaheim, CA, July 1991.[22] Luca Chittaro, Giovanni Guida, Carlo Tasso, and Elio Toppano. Functionaland teleological knowledge in the multimodeling approach for reasoning aboutphysical systems a case study in diagnosis. IEEE Transactions on Systems,Man, and Cybernetics, 23(6):1718{1751, November-December 1993.[23] R.N. Clark, P.M. Frank, and R.J. Patton. Introduction. In Ron Patton, PaulFrank, and Robert Clark (eds.), editors, Fault Diagnosis in Dynamic Systems:Theory and Applications, chapter 1, pages 1{19. Prentice-Hall, UK, 1989.[24] Microsoft Corporation. Visual basic, version 3.0 professional edition. One Mi-crosoft Way, Redmond, WA, 98052-6399, 1993.[25] Stephen H. Crandall, Dean C. Karnopp, Jr. Edward F. Krutz, and David C.Pridmore-Brown. Dynamics of Mechanical and Electromechanical Systems.McGraw-Hill Inc., New York, 1968.207
[26] Jim Davies and Steve Schneider. An introduction to Timed CSP. Oxford Uni-versity Computing Laboratory, Oxford, UK, 1989.[27] Theo J.A. de Vries, Peter C. Breedveld, and Piet Meindertsma. Polymorphicmodeling of engineering systems. In Proceedings of the International Conferenceon Bond Graph Modeling, pages 17{22, San Diego, California, 1993.[28] Theo J.A. de Vries, Arno P.J. Breunese, and Peter C. Breedveld. Max: amechatronic model building environment. In John Sharpe and Vincent Oh,editors, Computer Aided Conceptual Design, pages 299{318, Lancaster, UnitedKingdom, April 1994. ISBN 0-901800-37-6.[29] Tom DeMarco. Structured Analysis and System Speci�cation. Prentice-Hall,Englewood Cli�s, New Jersey, 1979.[30] Kenneth Denbigh. The Principles of Chemical Equilibrium: With applicationsin chemistry and chemical engineering. Cambridge University Press, London,New York, third edition, 1971.[31] Akash Deshpande and Pravin Varaiya. Viable control of hybrid systems. InPanos Antsaklis, Wolf Kohn, Anil Nerode, and Shankar Sastry, editors, HybridSystems II, volume 999, pages 128{147. Springer-Verlag, 1995. Lecture Notesin Computer Science.[32] Peter Drans�eld and Jacek S. Stecki. Bond graph in uenced research and learn-ing in uid power. Journal of the Franklin Institute, 328(5/6):535{545, 1991.[33] Daniel Dvorak and Benjamin Kuipers. Model-based monitoring of dynamicsystems. In Walter Hamscher, Luca Console, and Johan de Kleer (eds.), ed-itors, Readings in Model-Based Diagnosis, pages 249{254. Morgan KaufmannPublishers, Inc., San Mateo, CA, 1992. ISBN 1-55860-249-6.[34] Hallvard Engja. Bond graph model of a reciprocating compressor. Journal ofthe Franklin Institute, 319(1/2):115{124, January/February 1985.[35] Gottfried Falk and Wolfgang Ruppel. Energie und Entropie: Eine Einf�uhrungin die Thermodynamik. Springer-Verlag, Berlin, Heidelberg, New York, 1976.ISBN 3-540-07814-2.[36] B. Falkenhainer and K. Forbus. Compositional modeling: Finding the rightmodel for the job. Arti�cial Intelligence, 51:95{143, 1991.[37] John B. Ferris and Je�rey L. Stein. Development of proper models of hybridsystems: A bond graph formulation. In Fran�cois E. Cellier and Jos�e J. Granada,editors, 1995 International Conference on Bond Graph Modeling and Simulation(ICBGM '95), number 1 in Simulation, pages 43{48, Las Vegas, January 1995.Society for Computer Simulation, Simulation Councils, Inc. Volume 27.208
[38] JennyMontbrun-Di Filippo, Marisol Delgado, Claude Brie, and Henry M. Payn-ter. A survey of bond graphs: Theory, applications and programs. Journal ofthe Franklin Institute, 328(5/6):565{606, 1991.[39] Francis Eric Finch. Automated fault diagnosis of chemical process plants usingmodel-based reasoning. PhD dissertation, Massachusetts Institute of Technol-ogy, August 1989.[40] Kenneth D. Forbus. Qualitative process theory. Arti�cial Intelligence, 24:85{168, 1984.[41] Paul Frank. Fault diagnosis: A survey and some new results. Automatica:IFAC Journal, 26(3):459{474, 1990.[42] H.E. Garcia, A. Ray, and R.M. Edwards. A recon�gurable hybrid system andits application to power plant control. IEEE Transactions on Control SystemsTechnology, 3(2), June 1995.[43] Fausto Giunchiglia and Toby Walsh. A theory of abstraction. Arti�cial Intel-ligence, 57:323{389, 1992.[44] John Guckenheimer and Stewart Johnson. Planar hybrid systems. In PanosAntsaklis, Wolf Kohn, Anil Nerode, and Shankar Sastry, editors, Hybrid Sys-tems II, volume 999, pages 202{225. Springer-Verlag, 1995. Lecture Notes inComputer Science.[45] C.W. Ham, E.J. Crane, and W.L. Rogers. Mechanics of Machinery. McGraw-Hill Book Company, Inc, New York, New York, 4 edition, 1958.[46] Derek J. Hatley and Imtiaz Pirbhai. Strategies for Real-Time Systems Speci�-cation. Dorset House Publishing Co., New York, New York, 1988.[47] Thomas A. Henzinger, Xavier Nicollin, Joseph Sifakis, and Sergio Yovine. Sym-bolic model checking for real-time systems. Information and Computation,111:193{244, 1994.[48] Tomas A. Henzinger and Pei-Hsin Ho. Model checking strategies for linear hy-brid systems. Technical Report CSD-TR-94-1437, Cornell University, ComputerScience Department, Cornell University, 1994.[49] D. Hrovat and W.E. Tobler. Bond graph modeling and computer simulation ofautomotive torque converters. Journal of the Franklin Institute, 319(1/2):93{114, January/February 1985.[50] Rolf Isermann. A review on detection and diagnosis illustrate that processfaults can be detected when based on the estimation of unmeasurable processparameters and state variables. Automatica: IFAC Journal, 20(4):387{404,1989. 209
[51] Yumi Iwasaki, Adam Farquhar, Vijay Saraswat, Daniel Bobrow, and VineetGupta. Modeling time in hybrid systems: How fast is \instantaneous"? In 1995International Conference on Qualitative Reasoning, pages 94{103, Amsterdam,May 1995. University of Amsterdam.[52] Yumi Iwasaki and Herbert A. Simon. Causality in device behavior. Arti�cialIntelligence, 29:3{32, 1986.[53] Dean Karnopp and Ronald C. Rosenberg. System Dynamics: A Uni�ed Ap-proach. The Massachusetts Institute of Technology, Cambridge, Massachusetts,1968.[54] Dean Karnopp and Ronald C. Rosenberg. Analysis and Simulation of MultiportSystems. John Wiley and Sons, New York, 1975. ISBN 0-471-45940.[55] John G. Kassakian, Martin F. Schlecht, and George C. Verghese. Principlesof Power Electronics. Addison-Wesley Publishing Company, Reading, Mas-sachusetts, 1991. ISBN 0-201-09689-7.[56] Zvi Kohavi. Switching and Finite Automata Theory. McGraw-Hill, Inc., NewYork, 1978.[57] Benjamin Kuipers. Qualitative simulation. Arti�cial Intelligence, 29:289{338,1986.[58] J. Lef�evre. A didactic presentation of elementary bond graphs for non-engineering students. Journal of the Franklin Institute, 328(5/6):547{563, 1991.[59] Bengt Lennartson, Michael Tittus, Bo Egardt, and Stefan Pettersson. Hybridsystems in process control. IEEE Control Systems, pages 45{56, October 1996.[60] Bogdan Lent. Data ow Architecture for Machine Control. Research StudiesPress, Wiley, Taunton, England, 1989.[61] D.A. Linkens and H. Wang. Qualitative bond graph reasoning in control en-gineering - part i: Qualitative bond graph modeling and controller design. InFran�cois E. Cellier and Jos�e J. Granada, editors, 1995 International Conferenceon Bond Graph Modeling and Simulation (ICBGM '95), number 1 in Simula-tion, pages 183{188, Las Vegas, January 1995. Society for Computer Simulation,Simulation Councils, Inc. Volume 27.[62] D.A. Linkens and H. Wang. Qualitative bond graph reasoning in control engi-neering - part ii: Fault diagnosis. In Fran�cois E. Cellier and Jos�e J. Granada,editors, 1995 International Conference on Bond Graph Modeling and Simulation (ICBGM '95), number 1 in Simulation, pages 189{194, Las Vegas, Jan-uary 1995. Society for Computer Simulation, Simulation Councils, Inc. Volume27. 210
[63] F. Lorenz and H. Ha�af. Combinations of discontinuities in bond graphs. InFran�cois E. Cellier and Jos�e J. Granada, editors, 1995 International Conferenceon Bond Graph Modeling and Simulation (ICBGM '95), number 1 in Simula-tion, pages 56{64, Las Vegas, January 1995. Society for Computer Simulation,Simulation Councils, Inc. Volume 27.[64] P. L�otstedt. Coulomb friction in two-dimensional rigid body systems. Z. angew.Math. u. Mech., 61:605{615, 1981.[65] David G. Luenberger. Introduction to Dynamic Systems: Theory, Models, &Applications. John Wiley & Sons, New York, 1979. ISBN 0-471-02594-1.[66] John Lygeros, Datta Godbole, and Shankar Sastry. Simulation as a tool forhybrid system design. In 1994 AIS Conference on Distributed Interactive Sim-ulation Environments, 1994.[67] Stefanos Manganaris. Introducing bond-graphs in qualitative reasoning aboutphysical systems. MSc thesis, Vanderbilt University, Computer Science Depart-ment, June 1991.[68] Jakob Mauss. Automatic transmission of a mercedes-benz. Personal communi-cation, November 1995. Daimler-Benz.[69] Jakob Mauss and Bernd Neumann. Diagnosis by algebraic modeling and fault-tree induction. In Wolfgang Nejdl, editor, Sixth International Workshop onPrinciples of Diagnosis, Goslar, Germany, October 1995.[70] A. Misra, J. Sztipanovits, and R. Carnes. Robust diagnostic system: Structualredundancy approach. In Proceedings of the SPIE's International Symposiumon Knowledge-Based Arti�cial Intelligence Systems in Aerospace and Industry,pages 249{260, Orlando, FL, April 1994.[71] A. Misra, J. Sztipanovits, A. Underbrink, R. Carnes, and B. Purves. Diag-nosability of dynamical systems. In Proceedings of the Third InternationalWorkshop on Principles of Diagnosis, pages 239{244, Rosario, WA, October1992.[72] Pieter J. Mosterman. Implicit modeling of nonlinear systems with neural net-works. Technical Report #89R203, Control Laboratory, Electrical EngineeringDepartment, University of Twente, 1989.[73] Pieter J. Mosterman. Structured speci�cations for control system implemen-tation. MSc thesis, University of Twente, Control Laboratory, 1991. ReportNumber: 91R076.[74] Pieter J. Mosterman. Hybrid modeling of dynamic physical systems: An ap-plication in diagnosis. Technical Report #ECE-96-03, Center for IntelligentSystems, Electrical and Computer Engineering Department, Vanderbilt Uni-versity, 1996. area paper. 211
[75] Pieter J. Mosterman and Gautam Biswas. Diagnosis of continuous valued sys-tems in transient operating regions. IEEE Transactions on Systems, Man, andCybernetics. in review.[76] Pieter J. Mosterman and Gautam Biswas. Behavior generation using modelswitching a hybrid bond graph modeling technique. In Fran�cois E. Cellier andJos�e J. Granada, editors, 1995 International Conference on Bond Graph Model-ing and Simulation (ICBGM '95), number 1 in Simulation, pages 177{182, LasVegas, January 1995. Society for Computer Simulation, Simulation Councils,Inc. Volume 27.[77] Pieter J. Mosterman and Gautam Biswas. Modeling discontinuous behaviorwith hybrid bond graphs. In 1995 International Conference on QualitativeReasoning, pages 139{147, Amsterdam, May 1995. University of Amsterdam.[78] Pieter J. Mosterman and Gautam Biswas. Analyzing discontinuities in physi-cal system models. In Yumi Iwasaki and Adam Farquhar, editors, QualitativeReasoning: The Tenth International Workshop, pages 164{173, Stanford SierraCamp, Fallen Leaf Lake, California, May 1996. AAAI Press, 445 Burgess Drive,Menlo Park, CA 94025. AAAI Technical Report WS-96-01, ISBN 0-57735-001-4.[79] Pieter J. Mosterman and Gautam Biswas. A formal hybrid modeling schemefor handling discontinuities in physical system models. In AAAI-96, pages 985{990, Portland, Oregon, August 1996. AAAI Press, 445 Burgess Drive, MenloPark, CA, 94025.[80] Pieter J. Mosterman and Gautam Biswas. An integrated architecture for model-based diagnosis. In Seventh International Conference on Principles of Diagno-sis, pages 167{174, Val Morin, Canada, October 1996.[81] Pieter J. Mosterman and Gautam Biswas. Prediction, monitoring, and diagnosisin complex dynamic systems. Technical Report #ECE-96-04, Center for Intel-ligent Systems, Electrical and Computer Engineering Department, VanderbiltUniversity, 1996.[82] Pieter J. Mosterman and Gautam Biswas. Veri�cation of dynamic physicalsystem models. In ASME-96, pages 707{714, Atlanta, GA, November 1996.[83] Pieter J. Mosterman and Gautam Biswas. Formal speci�cations for hybriddynamical systems. In IJCAI-97, August 1997.[84] Pieter J. Mosterman and Gautam Biswas. Formal speci�cations from hybridbond graph models. In Qualitative Reasoning Workshop, Italy, June 1997.[85] Pieter J. Mosterman and Gautam Biswas. Hybrid modeling speci�cations fordynamic physical systems. In 1997 International Conference on Bond GraphModeling and Simulation (ICBGM '97), pages 162{167, Phoenix, AZ, January1997. Society for Computer Simulation, Simulation Councils, Inc.212
[86] Pieter J. Mosterman and Gautam Biswas. Monitoring, prediction, and faultisolation in dynamic physical systems. In AAAI-97, Rhode Island, August1997. AAAI Press, 445 Burgess Drive, Menlo Park, CA, 94025.[87] Pieter J. Mosterman and Gautam Biswas. A theory of discontinuities in dy-namic physical systems. Journal of the Franklin Institute, 334B(6), 1997.[88] Pieter J. Mosterman, Gautam Biswas, and Janos Sztipanovits. Hybrid modelingand veri�cation of embedded control systems. In IFAC97, Gent, Belgium, April1997.[89] Pieter J. Mosterman, John R. Bourne, Arthur J. Brodersen, and J. Olin Camp-bell. Electronics laboratory simulator instructor manual, laboratory manual,and reference manual. Technical report, Falcon Software, Wentworth, NH, 1995.[90] Pieter J. Mosterman, J. Olin Campbell, Arthur J. Brodersen, and John R.Bourne. Design and implementation of an electronics laboratory simulator.IEEE Transactions on Education, 39(3):309{313, August 1996.[91] Pieter J. Mosterman, Marcel A.M. Dorlandt, J. Olin Campbell, Craig Burow,Ren�e Bouw, Arthur J. Brodersen, and John R. Bourne. Virtual engineeringlaboratories: Design and experiments. Journal of Engineering Education, pages279{285, July 1994.[92] Pieter J. Mosterman, Ravi Kapadia, and Gautam Biswas. Using bond graphsfor diagnosis of dynamic physical systems. In Sixth International Conferenceon Principles of Diagnosis, pages 81{85, Goslar, Germany, October 1995.[93] Pieter J. Mosterman, Narasimhan Sriram, Gautam Biswas, Takashi Washio,and Shinji Yoshikawa. Process diagnosis in transient operating regions: Faultdetection and isolation in a liquid sodium cooling system. In IJCAI-97 QRApplications in Engineering, August 1997. in review.[94] Pieter J. Mosterman, Feng Zhao, and Gautam Biswas. Model semantics andsimulation for hybrid systems operating in sliding regimes. In AAAI Fall Sym-posium on Model Directed Autonomous Systems, 1997. in review.[95] P. Pandurang Nayak. Causal approximations. In Proceedings AAAI-91, pages703{709, Menlo Park, CA, 1991. AAAI/MIT Press.[96] P. Pandurang Nayak, Leo Joscowicz, and Sanjaya Addanki. Automated modelselection using context-dependent behaviors. In Proceedings AAAI-91, pages710{716, Menlo Park, CA, 1991. AAAI/MIT Press.[97] Xavier Nicollin, Joseph Sifakis, and Sergio Yovine. From atp to timed graphsand hybrid systems. In J.W. Bakkers, C. Huizing, W.P. de Roeres, andG. Rozenberg (eds.), editors, Lecture Notes in Computer Science, volume 600,pages 549{571, Mook, The Netherlands, June 1991. Real Time: Theory andPractice. 213
[98] T. Nishida and S. Doshita. Reasoning about discontinuous change. In Proceed-ings AAAI-87, pages 643{648, Seattle, Washington, 1987.[99] Guy Norris. Boeing's seventh wonder. IEEE Spectrum, pages 20{23, October1995.[100] Edward F. Obert. Internal Combustion Engines: Analysis and Practice. Inter-national Textbook Company, Scranton, Pennsylvania, 2 edition, 1950.[101] O.O. Oyeleye, F.E. Finch, and M.A. Kramer. Qualitative modeling and faultdiagnosis of dynamic process by MIDAS. In Walter Hamscher, Luca Console,and Johan de Kleer (eds.), editors, Readings in Model-Based Diagnosis, pages249{254. Morgan Kaufmann Publishers, Inc., San Mateo, CA, 1992. ISBN1-55860-249-6.[102] B.L. Palowitch. Fault Diagnosis of Process Plants using Causal Models. PhDdissertation, Massachusetts Institute of Technology, August 1987.[103] Kevin M. Passino and �Umit �Ozg�uner. Modeling and analysis of hybrid sys-tems: Examples. In Proceedings of the 1991 IEEE International Symposium onIntelligent Control, pages 251{256, Arlington, Virginia, USA, August 1991.[104] Henry M. Paynter. Analysis and Design of Engineering Systems. The M.I.T.Press, Cambridge, Massachusetts, 1961.[105] Roger Penrose. The emperor's new mind: concerning computers, minds, andthe laws of physics. Oxford University Press, Oxford, 1989.[106] J.A.M. Remmerswaal and H.B. Pacejka. A bond graph computer model tosimulate vacuum cleaner dynamics for design purposes. Journal of the FranklinInstitute, 319(1/2):83{92, January/February 1985.[107] Ronald C. Rosenberg and Dean Karnopp. Introduction to Physical SystemDynamics. McGraw-Hill Publishing Company, New York, New York, 1983.[108] W. Rudin. Principles of Mathematical Analysis. McGraw-Hill, New York, 3edition, 1976.[109] M. Sampath, R. Sengupta, S. Lafortune, K. Sinnamohideen, and D.C. Teneket-zis. Failure diagnosis using discrete-event models. IEEE Transactions on Au-tomatic Control, 40(9):1555{1575, September 1995.[110] M. Sampath, R. Sengupta, S. Lafortune, K. Sinnamohideen, and D.C. Teneket-zis. Failure diagnosis using discrete-event models. IEEE Transactions on Con-trol Systems Technology, 4(2):105{124, March 1996.[111] H. Schneider and P.M. Frank. Observer-based supervision and fault detection inrobots using nonlinear and fuzzy logic residual evaluation. IEEE Transactionson Control Systems Technology, 4(3):274{282, May 1996.214
[112] J.E.E. Sharpe and R.H. Bracewell. The use of bond graph reasoning for thedesign of interdisciplinary schemes. In Fran�cois E. Cellier and Jos�e J. Granada,editors, 1995 International Conference on Bond Graph Modeling and Simulation(ICBGM '95), number 1 in Simulation, pages 116{121, Las Vegas, January 1995.Society for Computer Simulation, Simulation Councils, Inc. Volume 27.[113] Je�rey L. Stein. Modeling and state estimator design issues for model-basedmonitoring systems. Transactions of the ASME, 115:318{327, June 1993.[114] Je�rey L. Stein and Loucas S. Louca. A component-based modeling approach forsystem design: Theory and implementation. In Fran�cois E. Cellier and Jos�e J.Granada, editors, 1995 International Conference on Bond Graph Modeling andSimula tion (ICBGM '95), number 1 in Simulation, pages 109{115, Las Ve-gas, January 1995. Society for Computer Simulation, Simulation Councils, Inc.Volume 27.[115] Je�rey L. Stein and Youngjin Park. Modeling and sensing issues for machinediagnosis. In Proceedings of the 1988 American Control Conference, Atlanta,Georgia, June 1988.[116] Jan-Erik Str�omberg, Ulf S�oderman, and Jan L. Top. Bond graph supported es-timation of discretely changing parameters. In Proceedings of the InternationalConference on Bond Graph Modeling, pages 47{52, San Diego, California, 1993.[117] Jan-Erik Str�omberg, Jan Top, and Ulf S�oderman. Variable causality in bondgraphs caused by discrete e�ects. In Proceedings of the International Conferenceon Bond Graph Modeling, pages 115{119, San Diego, California, 1993.[118] C. Sueur and G. Dauphin-Tanguy. Bond graph approach for structural analysisof mimo linear systems. Journal of the Franklin Institute, 328(1):55{70, 1991.[119] William Sweet. The glass cockpit. IEEE Spectrum, pages 30{38, September1995.[120] J. Sztipanovits, G. Karsai, C. Biegl, T. Bapty, A. Ledeczi, and A. Misra. Multi-graph: An architecture for model-integrated computing. In ICECCS'95, Ft.Lauderdale, Fla, November 1995.[121] Jean Thoma. Thermo uid systems by multi-bondgraphs. Journal of theFranklin Institute, 329(6):999{1009, 1992.[122] Jean U. Thoma. Bond graph for thermal energy transport and entropy ow.Journal of the Franklin Institute, 292(2):109{120, 1971.[123] Jean U. Thoma. Entropy and mass ow for energy conversion. Journal of theFranklin Institute, 299(2):89{96, 1975.[124] Jean U. Thoma and Henri Atlan. Network thermodynamics with entropy strip-ping. Journal of the Franklin Institute, 303(4):319{328, April 1977.215
[125] J.U. Thoma. Models, bond graphs and entropy. In J.J. van Dixhoorn andF.J. Evans (eds.), editors, Physical Structure in Systems Theory: Network Ap-proaches to Engineering and Economics, pages 17{33. Academic Press, London,1974.[126] Jan Top. Conceptual Modeling of Physical Systems. PhD dissertation, Univer-sity of Twente, CIP-DATA Koninklijke Bibliotheek, Den Haag, The Nether-lands, 1993.[127] J.L. Top, J.M. Akkermans, and P.C. Breedveld. Qualitative reasoning aboutphysical systems. Journal of the Franklin Institute, 328(5/6):1047{1065, 1991.[128] F.W. Umbach. Organisatie van Instrumentatie. H.E. Stenfert Kroese B.V.,Leiden/Antwerpen, 1981.[129] Johannes van Dijk. On the role of bond graph causality in modelling mechatronicsystems. PhD dissertation, University of Twente, CIP-Gegevens KoninklijkeBibliotheek, Den Haag, The Netherlands, 1994. ISBN 90-9006903-8.[130] J.J. van Dixhoorn and P.C. Breedveld. Technische Systeemleer. University ofTwente, Twente, Netherlands, fourth edition, February 1985. class pack.[131] Paul T. Ward. Systems Development without Pain. YOURDON, New York,N.Y., 1984.[132] Paul T. Ward and Stephen J. Mellor. Structured Development for Real-TimeSystems. Prentice-Hall, Englewood Cli�s, New Jersey, 1985.[133] K.C.J. Wijbrans. Twente Hierarchical Embedded Systems Implementation bySimulation: a structured method for controller realization. PhD dissertation,University of Twente, CIP-DATA Koninklijke Bibliotheek, Den Haag, TheNetherlands, 1993. ISBN 90-9005933-4.[134] Xudong Yu. Multi-Level Reasoning and Diagnosis for Complex Continuous-Valued Systems. PhD dissertation, Vanderbilt University, Computer ScienceDepartment, December 1992.216
