Fault Accommodation In Discrete-Event Systems
Alexey E. Shumsky, Alexey N. Zhirabok
18th Mediterranean Conference on Control & Automation (MED 2010), Congress Palace Hotel, Marrakech, Morocco, June 23-25, 2010
978-1-4244-8092-0/10/$26.00 ©2010 IEEE
Abstract—The problem of fault accommodation in discrete-
event systems is considered. Solution of the problem is related
to constructing the control law which provides full decoupling
with respect to fault effects. Existence conditions are
formulated and computational relations are given for the control
law determination.
I. INTRODUCTION
THE demand for fault tolerance imposed on critical
purpose systems calls for the use of fault adaptation
techniques. There exist two principal ways of adaptation to
faults. The first one is self-tuning or fault accommodation.
It is related to on-line control law determination that
preserves the main performances of the system in faulty
case while the minor performances may degrade. The
second way is self-organization which involves the system
reconfiguration to replace the faulty elements with healthy
ones. This paper concentrates on the fault
accommodation problem.
Up to now, different solutions have been proposed for
the above problem. All these solutions involved system
models in the form of linear or nonlinear ordinary
differential equations, see e.g. monograph [1], papers [2-6].
The conventional solution of the problem assumes on-line
fault detection and estimation to construct the model of the
faulty system (so-called model tuning) followed by the new
control law determination on the basis of the tuned model
[1-5]. In [6], another approach has been proposed whose
feature is the use of full decoupling with respect to fault
effects in the output space of the system. In contrast to the
conventional approach, this approach does not require fault
estimation. Therefore, such an approach looks reasonable if
on-line fault estimation is problematic. Also, it allows
decreasing the time expenses for fault accommodation because
the stage of model tuning is excluded.
In some cases, one needs to deal with discrete-event
systems or the systems described by a finite automaton model.
For instance, let the work of a partially or fully autonomous
system be characterized by fulfilling a finite set of
tasks. Each of these tasks can be considered as an appropriate
automaton state. The automaton inputs which initiate the
transitions from the solution of one task to another are generated
according to some initial program (which determines the
automaton transition function) taking into account the result
of the previous task solution (the automaton output). Faults in
the system may cause violation of the sequence of tasks
under solution, which corresponds to distortion of the
automaton transition function. Solution of the fault
accommodation problem in this case is aimed at automaton
control that results in an admissible sequence of tasks
under fault conditions.

Manuscript received January 11, 2010. This work was supported in part
by the Russian Foundation of Basic Researches.
A. E. Shumsky is with the Institute for Marine Technology Problems,
Vladivostok, Russia (phone: +7-4232-437370, e-mail: shumsky@mail.primorye.ru).
A. N. Zhirabok is with the Institute for Marine Technology Problems,
Vladivostok, Russia (phone: +7-4232-450864, e-mail: zhirabok@mail.ru).

The present paper considers the solution of the fault
accommodation problem for discrete-event systems.
Following [6], this solution involves full decoupling with
respect to fault effects.
II. PROBLEM FORMULATION
Let the system be described by the finite automaton model
$$A = (X, U, Y, f, h) \tag{1}$$
where $X, U, Y$ are the finite sets of the system states, inputs
and outputs respectively, $f$ and $h$ are the maps of the form
$f: X \times U \to X$ and $h: X \to Y$ specified by appropriate
tables of transitions and outputs. It is assumed that the
faults in the system may cause different distortions of the
map $f$ for some pairs $(x, u) \in X \times U$. The set of all
possible distortions $(d_1, d_2, \ldots, d_n)$ is known, but it is
unknown which concrete distortions from this set will take
place under fault conditions.
Denote $D = (d_0, d_1, d_2, \ldots, d_n)$ with $d_0$ corresponding
to the case of the healthy system. Introduce the map
$f_d: X \times U \times D \to X$ related to the set $D$ and consider the
automaton
$$A_d = (X, U_d, Y, f_d, h) \tag{2}$$
with $U_d = U \times D$. The model (2) gives an exact description of
the system dynamics taking into account possible distortions
caused by the faults. In this description, the elements of the
set $D$ are considered as additional (unknown) automaton
inputs.
The use of the model (1) for control determination
becomes impossible under fault conditions. On the other
hand, the model (2) allows looking at the fault
accommodation problem as a problem of full decoupling
with respect to unknown inputs (i.e. faults). Recall that
full decoupling via feedback techniques was already
used in [5] to solve the fault accommodation problem for
systems described by ordinary differential equations.
The use of a finite automaton model prevents applying these
techniques directly, but their main features
remain. Consider them.
Let the input $u$ be generated according to the rule
$$u = g(x_0, y, u_*) \tag{3}$$
where $g$ is a map to be determined, $u_*$ is a new input and
$x_0$ is the state of the auxiliary automaton
$$A_0 = (X_0, U \times Y, f_0) \tag{4}$$
with the map $f_0: X_0 \times U \times Y \to X_0$; the output map is not
considered here as an independent object. The automaton
$A_0$ will be designed on the basis of the model (2).
Suppose that the dynamical part of the automaton obtained
by substitution of (3) into (2) can be transformed to the
automaton
$$A_* = (X_*, U_*, f_*) \tag{5}$$
which does not contain unknown inputs, where the map
$f_*: X_* \times U_* \to X_*$. In this case, the fault accommodation
effect may be achieved by using the model (5) for control
determination. Let, for instance, it be necessary to find the
sequence of inputs which transfers the automaton (2) from
the state $x^1$ to the state $x^2$. To solve this task, one
determines the states $x_*^1$ and $x_*^2$ of the automaton $A_*$
which in some sense (given below) correspond to the states
$x^1$ and $x^2$ respectively. Then, one determines the sequence
of inputs $u_{*,1}, u_{*,2}, \ldots$ which transfers the automaton $A_*$
from the state $x_*^1$ to the state $x_*^2$. After this, according to
(3) one determines the appropriate sequence of inputs
$u_1, u_2, \ldots$ which solves the task for the automaton (2).
Generally, the cardinality of the set $X_*$ is less than the
cardinality of the set $X$. As a result, the automaton (2)
cannot be transferred to the state $x^2$ exactly; it can only be
transferred to some state from the block of some partition of
$X$ which also contains $x^2$. As will be shown below, this
partition determines the accuracy of fault accommodation
and shows the existing limitations on the scope of
application of the considered approach.
The problem under solution consists in determination of
the existence conditions for the control law (3) and in developing the
design procedures for the maps $f_0$, $g$, and $f_*$. The solution
is ordered as follows: the map $f_0$ of the auxiliary
automaton $A_0$ is determined first, then the map $g$ is
constructed and, finally, the map $f_*$ of the automaton $A_*$
is found.
III. THE AUXILIARY AUTOMATON DESIGN
A. The Basic Relations
For the automaton (4) assume that there exists the map $\varphi: X \to X_0$
such that
$$f_0(\varphi(x), h(x), u) = \varphi(f(x, u)) \tag{6}$$
for all $u \in U$. Since the description of the automaton $A_0$ does
not contain unknown inputs from the set $D$, the equality
$$\varphi(f(x, u)) = \varphi(f_d(x, u, d)) \quad \forall d \in D \tag{7}$$
holds for all $(x, u) \in X \times U$.
Introduce two partitions $\pi_\varphi$ and $\pi_h$ of the set $X$ given
by the maps $\varphi$ and $h$ respectively according to the rules
$x \equiv x'(\pi_\varphi) \Leftrightarrow \varphi(x) = \varphi(x')$ and $x \equiv x'(\pi_h) \Leftrightarrow h(x) = h(x')$,
i.e. the states $x$ and $x'$ are contained in the same block of the
partition $\pi_\varphi$ ($\pi_h$) if their images for the map $\varphi$ ($h$)
coincide. Denote also by $\pi_0$ the smallest partition satisfying the
condition
$$f(x, u) \equiv f_d(x, u, d)(\pi_0) \quad \forall d \in D \tag{8}$$
for all $(x, u) \in X \times U$; i.e. the block of the partition $\pi_0$
containing the state $f(x, u)$ also contains all states of the
form $f_d(x, u, d)$, $\forall d \in D$.
It follows from (7) and the definition of the partition $\pi_\varphi$ that
$f(x, u) \equiv f_d(x, u, d)(\pi_\varphi)$ for all $d \in D$. Since $\pi_0$ is the
smallest partition satisfying condition (8), then
$$\pi_0 \le \pi_\varphi. \tag{9}$$
It follows from (6) that if the states $x$ and $x'$ have the
same images for the maps $\varphi$ and $h$, i.e. $\varphi(x) = \varphi(x')$ and
$h(x) = h(x')$, then the states $f(x, u)$ and $f(x', u)$ have the
same images for $\varphi$: $\varphi(f(x, u)) = \varphi(f(x', u))$ for all $u \in U$.
Taking into account the links existing between the maps $\varphi$,
$h$ and the appropriate partitions $\pi_\varphi$ and $\pi_h$, all given above
can be represented in the form
$$[x \equiv x'(\pi_\varphi)] \,\&\, [x \equiv x'(\pi_h)] \Rightarrow [f(x, u) \equiv f(x', u)(\pi_\varphi)]. \tag{10}$$
The partition $\pi_\varphi$, satisfying both (9) and (10), can be
found using the pair algebra of partitions proposed in [7]
for finite automaton analysis and design.
Let $\Pi_X$ be the set of all partitions of $X$. Define the
binary relation $\Delta \subseteq \Pi_X \times \Pi_X$ as follows:
$$(\alpha, \beta) \in \Delta \Leftrightarrow [x \equiv x'(\alpha) \Rightarrow f(x, u) \equiv f(x', u)(\beta)]$$
for every $\alpha, \beta \in \Pi_X$ and $u \in U$. For a given partition $\alpha$
there exist several partitions $\beta$ such that $(\alpha, \beta) \in \Delta$ (notice,
one such partition always exists: it is the unit partition).
Denote the smallest of these partitions as $m(\alpha)$. So, the
operator $m$ is introduced as follows:
$$(\alpha, m(\alpha)) \in \Delta, \qquad (\alpha, \beta) \in \Delta \Rightarrow m(\alpha) \le \beta.$$
The procedure for calculating the operator $m$ is given in [7].
The main property of the above operator is monotony
[7]: $\alpha \le \beta \Rightarrow m(\alpha) \le m(\beta)$. From (10) and the definition of
the binary relation $\Delta$ it follows that $(\pi_\varphi \times \pi_h, \pi_\varphi) \in \Delta$. According
to [7], the last inclusion is equivalent to the inequality
$$m(\pi_\varphi \times \pi_h) \le \pi_\varphi. \tag{11}$$
B. Designing Procedure
The partition $\pi_\varphi$ satisfies inequalities (9) and (11). To
find the automaton $A_0$, one needs to obtain the smallest
partition satisfying the above properties, because it gives the
automaton $A_0$ with the largest number of states. As will
be shown below, this allows obtaining the maximum
possible accuracy of the fault accommodation.
Theorem 1. Let
$$\pi_{i+1} = \pi_i + m(\pi_i \times \pi_h), \quad i = 0, 1, \ldots \tag{12}$$
There exists $i = k$ such that the partition $\pi_\varphi = \pi_k = \pi_{k+1}$ is
the smallest one satisfying both conditions (9) and (11).
Because of the limited volume of the paper, proofs of this
and the following theorems are omitted.
Notice, if $\pi_\varphi = 1$ (i.e. $\pi_\varphi$ has a single block containing
all the states) then the problem under consideration has no
solution. The map $f_0$ is given by the table of transitions
which is obtained from the table of transitions for the
automaton $A$ by combining the states which are contained
in the same blocks of the partition $\pi_\varphi$. The details are
illustrated in the example given below.
IV. DETERMINATION OF THE CONTROL LAW
Since the map $g$ and the automaton $A_*$ are designed
on the basis of the automaton $A_0$, it is necessary to analyze
the possibility of combining the inputs and states of the
automaton $A_0$ into the blocks of some partitions. This is
caused by the procedure for determining the map $g$,
which consists in replacing the states of the automaton $A_0$
by the new inputs $u_*$ according to the relation
$f_0(x_0, y, u) = u_*$ and then in expressing the input $u$ from
the above equality. In this way, the links between the automata $A$
and $A_*$ are determined.
Introduce the partitions $\rho$ and $\delta$ of the sets $U$ and $X_0$
as follows. Let $\rho_i$ and $\delta_i$, $i = 1, 2, \ldots$, be the series of
partitions of $U$ and $X_0$ defined by the relations
$$\rho_i = \sum_{x \in X} \rho_{i,x}, \qquad \delta_i = \sum_{x \in X} \delta_{i,x},$$
where $\rho_{i,x}$ and $\delta_{i,x}$ are the smallest partitions of $U$ and
$X_0$ satisfying the conditions
$$[f_0(\varphi(x), h(x), u) \equiv f_0(\varphi(x), h(x), u')(\delta_{i-1})] \Rightarrow [u \equiv u'(\rho_{i,x})],$$
$$[u \equiv u'(\rho_i)] \Rightarrow [f_0(\varphi(x), h(x), u) \equiv f_0(\varphi(x), h(x), u')(\delta_{i,x})]$$
under $\delta_0 = 0$, where $0$ is the zero partition (i.e. the one containing only one
state in each of its blocks).
According to the above relations, for the partitions $\rho_i$ and
$\delta_i$, one has $\rho_i \le \rho_{i+1}$, $\delta_i \le \delta_{i+1}$. Because of the finite
cardinality of $U$ and $X_0$, there exists a finite $k$ such that
$\rho = \rho_k = \rho_{k+1}$ and $\delta = \delta_k = \delta_{k+1}$. From the rules for
determining the partitions $\rho$ and $\delta$, for every $x \in X$ it holds
$$u \equiv u'(\rho) \Rightarrow f_0(\varphi(x), h(x), u) \equiv f_0(\varphi(x), h(x), u')(\delta). \tag{13}$$
From relation (13), there exists a one-to-one link between the
blocks of the partitions $\rho$ and $\delta$. Consider two cases.
A. The First Case
Let $\rho = 0$; the relation $|\pi_\varphi| \ge |U|$ is the necessary condition
for the above equality, where $|\pi_\varphi|$ and $|U|$ are the number of
blocks of the partition $\pi_\varphi$ and the cardinality of the set $U$
respectively. In this case the equation
$$f_0(x_0, y, u) = u_* \tag{14}$$
is solvable for all inputs from the set $U$. To solve equation
(14), one writes the table of transitions for the automaton $A_0$
such that the pairs $(x_0, y)$ correspond to the rows
of this table while the inputs $u \in U$ correspond to the
columns. After this, according to equality (14), the states
$x_0$ in the cells of this table are replaced with the inputs $u_*$.
The obtained map takes the form
$$f_0(x_{0,i}, y_j, u_k) = u_{*,l} \tag{15}$$
for a concrete pair $(x_{0,i}, y_j)$ and concrete values of the
inputs $u_k$, $u_{*,l}$. Relation (3) is obtained from (15) and for
concrete values of the arguments has the form
$$u_k = f_0(x_{0,i}, y_j, u_{*,l}). \tag{16}$$
Therefore, in this case the map $g$ is the inversion of the
map $f_0$ for the variables $u_*$ and $u$; it is obtained from the
relation $f_0(x_0, y, u) = u_*$ by replacing $u_*$ with $u$. Notice,
in the general case the map (16) is not fully determined (in
particular, this always takes place for the case $|\pi_\varphi| > |U|$). It
means that not every sequence of inputs from the set $U_*$
results in an appropriate sequence of inputs
from the set $U$ according to relation (16).
B. The Second Case
Let $\rho \ne 0$. This corresponds to the case when some inputs of the
automaton $A_0$ are equivalent. These inputs form the blocks
of the partition $\rho$. In particular, this takes place for
$|\pi_\varphi| < |U|$. In this case, the equation $f_0(x_0, y, u) = u_*$ is
solvable for those inputs from the set $U$ which are
contained in one-element blocks of the partition $\rho$.
Formulas (15) and (16) are transformed by replacing the
input $u_k$ with the appropriate block $B_{\rho,k}$ of the partition $\rho$.
Choosing the representative input from a block of the
partition requires supplementing the task with additional conditions. Additional conditions
may be found by analysis of the possible system trajectories
which guarantee achieving the goal of control; the details
are considered in the example.
Notice, according to (14) the equality $\delta = 0$ results in
$|U_*| = |\pi_\varphi|$. In this case, the inputs $u_*$ replace not the states
$x_0$, but the appropriate blocks of the partition $\delta$.
V. THE AUTOMATON $A_*$ DESIGN
For the design of the automaton $A_*$, the input $u_*$ in the map
$f_*$ is replaced with $f_0(x_0, y, u)$ according to relation (14).
Introduce the map $\psi: X \to X_*$ such that
$$f_*(\psi(x), f_0(\varphi(x), h(x), u)) = \psi(f(x, u)). \tag{17}$$
Denote by $\pi_\psi$ the partition given by the map $\psi$: $x \equiv x'(\pi_\psi) \Leftrightarrow
\psi(x) = \psi(x')$.
Theorem 2. The following inequality is true:
$$\pi_\varphi \le \pi_\psi. \tag{18}$$
Because of (18), the map $\psi$ can be specified as the
composition of the map $\varphi$ and some map $\xi: X_0 \to X_*$.
Consider two cases.
A. The First Case
Let $\delta = 0$. Let also $X_* = X_0$ and $\psi = \varphi$, which gives
$\pi_\psi = \pi_\varphi$. Then $f_*(x_*, u_*) = \varphi(f(x, u))$. Taking into
account (6) and (14), one obtains from the above
$$f_*(x_*, u_*) = u_*. \tag{19}$$
In this case, the automaton $A_*$ admits fault tolerant
control of the system up to blocks of the partition $\pi_\varphi$ given
by the map $\varphi$.
B. The Second Case
Let $\delta \ne 0$. This is related to the case when the automaton
$A$ contains an autonomous (independent of the input $u$)
automaton as its part. As a result, the automaton $A_*$ may
be represented as a serial composition of the automata $A_*^1$
and $A_*^2$, the last one being autonomous.
To construct the above composition, let $X_* = X_*^1 \times X_*^2$ and
introduce the maps $\psi^1: X \to X_*^1$ and $\psi^2: X \to X_*^2$ as
follows. The map $\psi^1$ is given in the form of the composition
$\psi^1 = \theta(\varphi)$, where $\theta: X_0 \to X_*^1$ is the map which gives the
partition $\delta$: $x_0 \equiv x_0'(\delta) \Leftrightarrow \theta(x_0) = \theta(x_0')$. The description of
the automaton $A_*^1 = (X_*^1, U_*, f_*^1)$ can be obtained by
analogy with the previous case ($\delta = 0$) in the form
$f_*^1(x_*, u_*) = u_*$. Recall that $|U_*| = |\delta|$. Notice that fault
tolerant control in this case is possible up to the partition
$\pi_{\psi^1} \times \pi_{\psi^2}$, where the partitions $\pi_{\psi^1}$ and $\pi_{\psi^2}$ are given by
the maps $\psi^1$ and $\psi^2$ respectively.
The map $\psi^2$ satisfies the condition
$$f_*^2(\psi^1(x), \psi^2(x)) = \psi^2(f(x, u)) \tag{20}$$
for some function $f_*^2$ and, according to inequality (18), the
condition
$$\pi_\varphi \le \pi_{\psi^2} \tag{21}$$
where $\pi_{\psi^2}$ is the partition of $X$ given by the map $\psi^2$.
For the design of the automaton $A_*^2$, introduce the partition $\pi'$
of $X$ in the following manner. For every $x \in X$ define the set
$B_x$: $B_x = \{f(x, u), u \in U\}$ and the partition $\pi'_x$ which has
only one non-trivial block and one-element other blocks. Let
$$\pi' = \sum_{x \in X} \pi'_x.$$
It is easy to see that the partition $\pi'$ has the following
property:
$$f(x, u) \equiv f(x, u')(\pi') \quad \forall u, u' \in U, \ \forall x \in X.$$
The case $\pi' = 1$ means that the automaton $A$ does not
contain the autonomous part. Under $\pi' \ne 1$ the automaton
$A$ can be considered as consisting of the serial composition of
two automata. In this case, the automaton determined by
the partition $\pi'$ is the autonomous one. So, the partition $\pi'$ is
the basis for the design of the automaton $A_*^2$.
Equality (20) results in the relation $f(x, u) \equiv f(x, u')(\pi_{\psi^2})$
$\forall u, u' \in U$, $\forall x \in X$. It follows from the definition of the
partition $\pi'$ that the last one is the smallest partition
satisfying (20). One can write from this $\pi' \le \pi_{\psi^2}$.
Simultaneously, taking into account (21), one obtains
$$\pi_\varphi + \pi' \le \pi_{\psi^2}. \tag{22}$$
Comparing (20) and (22) with (6) and (9) respectively, it is
easy to conclude that the smallest partition $\pi_{\psi^2}$
satisfying both (20) and (22) can be found using the
result of Theorem 1 if one replaces $\pi_0$, $\pi_h$ and $\pi_\varphi$ with
$\pi_\varphi + \pi'$, $\pi_{\psi^1}$ and $\pi_{\psi^2}$ respectively. If $\pi_{\psi^2} = 1$, then the
automaton $A_*^2$ is absent.
The map $f_*^2$ is specified by the table of transitions
which is obtained from the appropriate table of the automaton
$A$ by combining the states included in the same blocks
of the partition $\pi_{\psi^2}$.
VI. EXAMPLE
Consider the discrete-event system described by Table 1.
Suppose that a fault in the system may result in replacing
$f(1, b) = 2$ with $f(1, b) = 3$. Therefore, the partition
$\pi_0 = \{(1), (2,3), (4), (5)\}$. The partition $\pi_h =
\{(1,4), (2), (3,5)\}$ follows immediately from Table 1. Since
$\pi_0 \times \pi_h = 0$ and $m(0) = 0$, then, according to the
rule of Theorem 1, one obtains $\pi_1 = \pi_0$, and, as a result,
$\pi_\varphi = \{(1), (2,3), (4), (5)\}$. Denoting the blocks of the above
partition by the symbols $A, B, C, D$ respectively, the map $f_0$ is
found from (6) in the form of Table 2.
It is easy to see that condition (13) holds for
$\rho = \{(a, c), (b)\}$ and $\delta = 0$. This allows taking $\psi = \varphi$ to find
the description of the automaton $A_*$ according to (19). Because of its
triviality, the appropriate table of transitions is omitted. The
map $g$ is found from Table 2 in the form of Table 3. Notice,
this map is not exactly determined. The obtained map allows
determining the automaton inputs up to the blocks of the
partition $\rho$.

TABLE 1
TRANSITIONS AND OUTPUTS OF AUTOMATON A

x | f(x,u), u=a | f(x,u), u=b | f(x,u), u=c | h(x)
--+-------------+-------------+-------------+-----
1 |      1      |      2      |      1      |  1
2 |      2      |      4      |      3      |  2
3 |      2      |      5      |      3      |  3
4 |      4      |      1      |      4      |  1
5 |      5      |      1      |      5      |  3

TABLE 2
TRANSITIONS OF AUTOMATON A0

(x0, y) | f0(x0,y,u), u=a | f0(x0,y,u), u=b | f0(x0,y,u), u=c
--------+-----------------+-----------------+----------------
A       |        A        |        B        |        A
B, y=2  |        B        |        C        |        B
B, y=3  |        B        |        D        |        B
C       |        B        |        A        |        B
D       |        D        |        A        |        D
Let us illustrate the way of control generation on the basis
of the automaton $A_*$. Let the objective of control be to transfer
the initial automaton (Table 1) from the state 1 to the state
5; the input sequence of minimal length to do this for the
healthy automaton is $u = b$, $u = c$, $u = b$.
Because of the partition $\pi_\varphi$, the states 1 and 5
correspond to the states A and D of the automaton $A_*$.
Moreover, because 1 and 5 are the single states belonging
to the blocks A and D, it is possible to transfer the system
from the assigned initial state to the final one exactly in spite of
the fault presence.
According to (19), it is necessary to use the input $u_* = D$
for transferring the automaton $A_*$ to the state D. But
according to Table 3, this input is not available for the state A;
it is available for the state B under the output
$y = 3$. Also, for the state A the input $u_* = B$ is available.
Therefore, the sequence of the inputs $u_* = B$, $u_* = D$ of
the automaton $A_*$ allows achieving the objective of control
if after the input $u_* = B$ the output $y = 3$ is formed. The
sequence of the inputs $u = b$, $u = b$ of the initial automaton
under fault conditions corresponds to the above sequence,
because only in this case after the input $u = b$ the
automaton may be transferred from the initial state 1 to the
state 3 and the output $y = 3$ is formed. But if after the input
$u = b$ of the initial automaton, corresponding to the input
$u_* = B$ of the automaton $A_*$, the output $y \ne 3$ is formed
(which takes place in the absence of the fault), the input $u_* = D$
is unavailable. The input $u_* = C$ also prevents the objective
achievement (see Table 3). Therefore, the single possible
input of the automaton $A_*$ is $u_* = B$. This input
corresponds to the block of the partition $\rho$ containing the inputs
$u = a$ and $u = c$ of the initial automaton. The choice of the
input $u = c$ is explained by Table 1, because this input
guarantees the output $y = 3$ under the state B of the
automaton $A_*$.
Fig. 1. The schemes of control for automata $A_*$ (a) and $A$
(b).
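The iteration of Theorem 1 and the construction of the map g, carried out on the automaton of Table 1 with the fault f(1, b): 2 → 3. This is an added example, not code from the paper; the function names (`partition`, `product`, `total`, `m`, `pi_phi`, `control_law`) and the `FAULTS` encoding are assumptions made for illustration.

```python
# Added example: partition pair algebra for the automaton of Table 1.
X, U = [1, 2, 3, 4, 5], ['a', 'b', 'c']
F = {1: {'a': 1, 'b': 2, 'c': 1}, 2: {'a': 2, 'b': 4, 'c': 3},   # f(x, u), Table 1
     3: {'a': 2, 'b': 5, 'c': 3}, 4: {'a': 4, 'b': 1, 'c': 4},
     5: {'a': 5, 'b': 1, 'c': 5}}
H = {1: 1, 2: 2, 3: 3, 4: 1, 5: 3}                               # h(x), Table 1
FAULTS = {(1, 'b'): [3]}      # assumed encoding: distorted values of f(x, u)

def partition(links, states=X):
    """Smallest partition of `states` in which every linked pair shares a block."""
    parent = {s: s for s in states}
    def find(s):
        while parent[s] != s:
            s = parent[s]
        return s
    for p, q in links:
        parent[find(p)] = find(q)
    blocks = {}
    for s in states:
        blocks.setdefault(find(s), set()).add(s)
    return frozenset(frozenset(b) for b in blocks.values())

def pairs(part):
    """Pairs (representative, member) that generate the partition `part`."""
    return [(min(b), x) for b in part for x in b]

def product(p, q):
    """p x q: non-empty intersections of the blocks of p and q."""
    return frozenset(b & c for b in p for c in q if b & c)

def total(p, q):
    """p + q: smallest partition that is coarser than both p and q."""
    return partition(pairs(p) + pairs(q))

def m(alpha):
    """Operator m: merge the successors of states sharing a block of alpha."""
    return partition([(F[min(b)][u], F[x][u]) for b in alpha for x in b for u in U])

def pi_phi():
    """Iterate (12) from pi_0 until pi_{k+1} = pi_k."""
    pi_0 = partition([(F[x][u], d) for (x, u), ds in FAULTS.items() for d in ds])
    pi_h = partition([(x, z) for x in X for z in X if H[x] == H[z]])
    pi = pi_0
    while True:
        nxt = total(pi, m(product(pi, pi_h)))
        if nxt == pi:
            return pi
        pi = nxt

def control_law():
    """Return phi (state -> block label) and g[(x0, y, u*)] = admissible inputs u."""
    blocks = sorted(pi_phi(), key=min)
    phi = {x: "ABCDE"[i] for i, b in enumerate(blocks) for x in b}
    g = {}
    for x in X:
        for u in U:
            # f0(phi(x), h(x), u) = phi(f(x, u)) by (6); invert it over u as in (16)
            g.setdefault((phi[x], H[x], phi[F[x][u]]), set()).add(u)
    return phi, g
```

A key that is missing from `g` corresponds to a "-" cell of Table 3, i.e. an input u* that is unavailable for that pair (x0, y).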
VII. CONCLUSION
The paper presents a solution of the fault accommodation
problem for discrete-event systems. This solution is based
on full decoupling with respect to fault effects. Realization
of the solution involves two stages. At the first stage, the
control is generated on the basis of the auxiliary model. At
the second stage, the final control is found by transforming and
completing the control obtained at the first stage.
In the general case, the cardinality of the state set of the
auxiliary automaton is less than the corresponding cardinality of
the initial one. This allows controlling the system only up to
blocks of some partition. The possibility of achieving the goal
of control under this restriction determines the scope of
possible application of the proposed solution.
REFERENCES
[1] Blanke M., Kinnaert M., Lunze J., Staroswiecki M.
“Diagnosis and Fault Tolerant Control”. Springer-Verlag.
2003.
[2] Patton, R.J. “Fault tolerant control: The 1997 situation”.
In Proc. of IFAC Symposium Safeprocess’97. Hull, UK.
pp. 1033-1055.
[3] Staroswiecki, M. “Fault tolerant control: the pseudo-
inverse method revisited”. In Proc. of 16th IFAC Congress.
Prague, Czech Republic, 2005.
[4] Staroswiecki, M., H. Yang and B. Jiang. “Progressive
accommodation of aircraft actuator faults”. In Proc. of
IFAC Symposium Safeprocess’2006. Beijing, pp. 877-882.
[5] Weng Z., R. Patton and P. Cui. (2006). “Active fault-
tolerant control of a double inverted pendulum”. In Proc. of
IFAC Symposium Safeprocess’2006. Beijing, pp.1591-1596.
[6] Shumsky, A., Zhirabok N., Jiang, B. and Ke Zhang.
“Fault accommodation in dynamic systems: fault decoupling
based approach”. In Proc. of IEEE CDC’2009. Shanghai,
PR China. 8464-8469.
[7] Hartmanis J., Stearns R. “The algebraic structure theory
of sequential machines”. Prentice-Hall, New York, 1966.
[Fig. 1 (flowchart; only its labels survive). Scheme (a): u*=B, y=3, u*=B, u*=D. Scheme (b): u=b, y=3, u=b, u=c. Branch labels: Yes, No.]
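TABLE 3
THE MAP g0

g(x0, y, u*), rows (x0, y), columns u*:

(x0, y) | u*=A      | u*=B      | u*=C      | u*=D
--------+-----------+-----------+-----------+----------
A       | u∈{a, c}  | u=b       | -         | -
B, y=2  | -         | u∈{a, c}  | u=b       | -
B, y=3  | -         | u∈{a, c}  | -         | u=b
C       | u=b       | -         | u∈{a, c}  | -
D       | u=b       | -         | -         | u∈{a, c}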