
Elektrotehniški vestnik 69(3-4): 240–246, 2002
Electrotechnical Review, Ljubljana, Slovenija

Increasing process safety using analytical redundancy

Stojan Peršin, Boris Tovornik, Nenad Muškinja, Drago Valh
University of Maribor, Faculty for Electrical Engineering and Computer Science, Smetanova 17, 2000 Maribor, Slovenia
E-mail: [email protected]

Abstract. The paper integrates demands for safe processing and fault detection techniques. An early detection of the fault occurrence is vitally important since it contributes to avoidance of product deterioration, performance degradation, major damages to the machinery itself and damages to human health or even loss of lives. Some fault detection methods using analytical redundancy are described and principles are outlined of some most important techniques of model-based residual generation using parameter estimation, parity space and state estimation approaches. As the real systems are usually non-linear, a non-linear state estimation observer is described. A water vessel of a heat exchanger was chosen for the experiment. Although there was no water level sensor installed in it, the leakage of the vessel was successfully detected using a non-linear observer.

Key words: fault detection, analytical redundancy, parity space, parameter estimation, state estimation, observers

Increasing process safety with the help of analytical redundancy

Summary (translated from the Slovenian). The paper combines safety requirements of the process industry with fault detection methods. Early fault detection is of key importance for achieving adequate product quality and can prevent damage to equipment, the environment and people. Fault detection in closed-loop systems requires special treatment; for these, the most common categories of faults and the steps for implementing fault detection are described. Some methods for fault detection and identification based on analytical redundancy are described. The principles of model-based residual generation are emphasised, namely by means of parameter estimation, parity spaces and state observers. Real systems are usually non-linear, so a non-linear state observer is presented. The fault detection example is carried out on a heat exchanger, or rather on its primary circuit, part of which is a heating vessel filled with water. Detecting a leak in the primary circuit was the goal of the experiment, although the device was not equipped with a water level sensor. A mathematical model of the heating vessel is presented, from which it is evident that a change in the water level, and thus a change in the total mass, affects the dynamic behaviour of the system. For the detection of the vessel leak, the principle of analytical redundancy using a non-linear state observer was applied.

Key words (translated from the Slovenian): fault detection, analytical redundancy, parity space, parameter estimation, state observer

Received 15 September 2000. Accepted 15 Jun 2001.

1 Introduction

The global competitiveness of the production nowadays cannot be achieved if equipment that is used for production isn’t installed, applied and maintained properly. The global competitiveness depends to a large extent on effectiveness of the use of factory automation. The early 1980s heralded the creation of the “Factory of the future”. The prevalent image then was a “lights off” factory heavily populated by robots, with a few human supervisors keeping track of operations by watching monitors in a central control room. In many cases, this image was not achieved. In few words, workers (and wider environment, living and non-living) are still exposed to harmful effects of the working area and accidents, caused either by process malfunction or incompetence of their colleague workers.

Some studies [1] have shown that main causes related to automation or control are poor instrumentation and operator error. Most of the human errors are usually made during start-up operations of the process. The following conclusion can therefore be drawn: if the degree of automation were higher, consequences of a human error might be smaller. Furthermore, co-operation between automation and a human operator is important in avoiding human errors during operation. Occurrences of equipment faults giving rise to accidents bring up the necessity that potential failures, both in measurement and control equipment as well as in process equipment, should be studied. By preparing for them a proper process design, an equipment failure of the system would not lead to an accident. One of the possible solutions is an early detection of malfunctions, called Fault Detection and Isolation (FDI).


2 Some Process Industry Safety Features

Three types of event are traditionally associated with the chemical branch of the process industry. These are releases and spills, fires, and explosions.

Controlling the potential risk means that process equipment must withstand the anticipated stresses caused by hazardous substances and that process parameters must not take on values such that the substances can undergo uncontrolled reactions.

Critical process parameters and hazardous potential ignition sources must not occur in the plant as a result of process upsets or even a human error. These become an additional concern of the plant safety requiring a painstaking cause and effect analysis of all possible errors and malfunctions and institution of measures to prevent or neutralise situations that could lead to an unsafe condition. Such measures could be technical or organisational. In other words, Process Engineering and Process Control Engineering must consider interconnection of different science disciplines that have to be taken into account to achieve the purpose of a “safe plant” (Figure 3), i.e., following the principles of system engineering.

Unfortunately, a complete absence of all possible hazards (absolute safety) is not possible for two reasons:

• it cannot be ruled out that several safety measures will fail simultaneously;

• people make mistakes, misjudge things, assess them wrongly, fail to notice them.

To go even further, failures usually don’t appear without any reason. They must have been caused by groups of events from the past (change of parameters due to ageing, disallowed change of one of unmeasured variables, etc.). The causes from the past (recent or distant) would initiate symptoms of a failure before it happens. If they are known or pre-studied and if one is able to detect them, a process or its component can be maintained on time to prevent a failure. If a failure is allowed, its primary source has to be found.

This is one of the recent tasks of process automation. Modern equipment should provide enough measurement signals to be able to apply early fault detection also for safety reasons.

However, fault diagnosis has become an issue of primary importance in modern process automation, as it provides the pre-requisites for fault tolerance, reliability or security, which constitute fundamental design features in any complex engineering system. It is important to distinguish between:

• fault detection and isolation (FDI) methods based on mathematical or dynamic model of process systems, and

• knowledge based methods, which are in many cases more failure oriented (searching the primary component indicating a failure).

Fig. 1 shows a simple classification of diagnostic algorithms [1].

Figure 1. Simple classification of the fault detection algorithms

In general, fault monitoring systems must be tolerant to signal deviations caused by process parameter uncertainty, disturbances, non-linearities, etc., which are normal functions of the operation of most engineering requirements.

3 Fault Detection, Isolation and Accommodation in Feedback Control Systems

Consequences, even those of simple faults, may be dramatic and there are considerable incentives to enhance computerised feedback loops with methods for fault detection and accommodation.

Feedback is established because actuator demands are calculated from the difference between a reference value and sensor measurements. Any deviation between these signals will cause an immediate reaction on the actuators when actuator demands are updated. The discrete time control algorithm makes use of both current and previous events in the plant. This makes it possible to employ, for example, prediction methods to give the control loop desired characteristics. Response time to changes in the setpoint, disturbance rejection properties, noise sensitivity, and stability properties are key attributes that are always quantified in the requirements to a particular closed-loop design.

Feedback control systems are particularly sensitive to faults. However, faults in feedback loops are in general difficult to handle [3]. If a fault develops gradually, a closed loop will attempt to compensate for it and in this way hide the development of the malfunction. The fault may not be discovered until the control loop stops normal operation. If faults arise suddenly, the effect is amplified by the closed-loop control. Production stops, process damage, or other undesired consequences, may be the result. A feedback sensor fault, for example, may cause a large deviation between the measurement and reference. This will in most cases cause large actuator demands and eventually lead to a rapid change of the process state. Unacceptable excursions in the process state followed by production stop, plant failure or direct damage are experiences from actual events in industry.

In normal operation, feedback control should keep the process state equal to a desired setpoint while the influence from process disturbances and measurement noise is kept minimal. This can be achieved by employing methods that estimate process states and perform optimal dynamic filtering in combination with techniques that adapt parameters in the control method to current process conditions.

In abnormal operation, when faults have occurred, the control loop should react immediately in a way that prevents a fault from developing into a malfunction of the system being controlled. This requires added functionality to well established methods in the control theory.

A general method for design of fault handling associated with closed-loop control includes the following steps:

1. Make a failure mode and effect analysis related to control system components [4].

2. Define desired reactions to faults for each case identified by the analysis from step 1.

3. Select appropriate method for generation of residuals. This implies consideration of system architecture, available signals, and elementary models of components. Disturbance and noise characteristics should be incorporated in the design if available.

4. Select a method for fault detection and isolation. This implies a decision on whether an event is a fault and, if this is the case, the determination of which element is faulty.

5. Consider control method performance and design appropriate detectors for supervision of control effectiveness. Design appropriate reactions.

6. Design a method for accommodation of faults according to points 2 and 5.

7. Implement the completed design. Separate the control code from the fault handling code by implementation as a supervisor structure.

Faults in a control loop can be categorised in generic types:

• reference value (setpoint) fault,

• sensor fault,

• actuator element fault,

• execution fault including timing fault,

• application software, system or hardware fault in a computer based controller,

• fault in a physical plant.

The chosen diagnostic procedure depends mostly on fault detection demands and available process models. The three basic FDI methods based on analytical models will be presented in the next sections:

• parameter estimation approach,

• parity space approach,

• observer approach.

4 Parameter Estimation Approach

As the parameter identification methods are well known and available in literature [1, 2, 3, 7], they are only mentioned here. Parameter estimation is a natural approach to the detection and isolation of parametric faults. A reference model is obtained first by identifying the plant in a fault-free situation. Then the parameters are repeatedly re-identified on-line. Deviations from the reference model serve as a basis for detection and isolation. The identification algorithm can be applied in continuous or discrete time. If continuous time is applied (no need for z-transform), the derivatives of the signals have to be either measured or obtained using observers. Best results are obtained using state variable filters [10]. Another method of obtaining signal derivatives is by using real differentiators. Signals have to be properly filtered before application, thus a high sample rate is required.
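As an added illustration of the re-identification idea (not code from the paper, which refers to the literature for the methods), the following Python block identifies a discrete-time first-order model y[k+1] = a·y[k] + b·u[k] on fault-free data, re-identifies it on consecutive windows and flags the first window whose parameters leave the reference model. The plant, its parameters, the pseudo-random excitation, the window length, the tolerance and the fault (a change of a at sample 200) are all constructed for the example; the solver is the ordinary normal-equations least-squares form, not the state-variable-filter or instrumental-variable methods the paper cites.

```python
"""Parameter-estimation FDI (Section 4) in discrete time: identify a reference model
on fault-free data, then re-identify on consecutive windows and flag a deviation.
Added example; the first-order plant, its parameters, the excitation and the fault
(a change of the parameter a) are constructed, not measured on the paper's plant."""

def lcg(seed=12345):
    """Deterministic pseudo-random excitation in [0, 1) (reproducible, constructed)."""
    state = seed
    while True:
        state = (1103515245 * state + 12345) % 2**31
        yield state / 2**31

def simulate_plant(n, a_of_k, b=0.1):
    """Discrete first-order plant y[k+1] = a(k) * y[k] + b * u[k]; a may change (a fault).
    Returns n inputs and n + 1 outputs."""
    rnd = lcg()
    u, y = [], [0.0]
    for k in range(n):
        u.append(next(rnd))
        y.append(a_of_k(k) * y[k] + b * u[k])
    return u, y

def least_squares_ab(u, y):
    """Least-squares estimate of (a, b) in y[k+1] = a*y[k] + b*u[k] from the 2x2 normal
    equations [sum y^2, sum yu; sum yu, sum u^2] [a; b] = [sum y y+, sum u y+]."""
    y_now, y_next = y[:-1], y[1:]
    syy = sum(v * v for v in y_now)
    suu = sum(v * v for v in u)
    syu = sum(p * q for p, q in zip(y_now, u))
    syy1 = sum(p * q for p, q in zip(y_now, y_next))
    suy1 = sum(p * q for p, q in zip(u, y_next))
    det = syy * suu - syu * syu          # non-zero as long as u excites the plant
    a = (syy1 * suu - suy1 * syu) / det
    b = (syy * suy1 - syu * syy1) / det
    return a, b

def monitor(u, y, window, a_ref, b_ref, tol=0.02):
    """Re-identify (a, b) on consecutive windows and return the start index of the
    first window whose estimate deviates from the reference model by more than tol
    (the detection), or None if every window agrees with the reference."""
    for start in range(0, len(u) - window + 1, window):
        a, b = least_squares_ab(u[start:start + window], y[start:start + window + 1])
        if abs(a - a_ref) > tol or abs(b - b_ref) > tol:
            return start
    return None

# Constructed scenario: the pole a drops from 0.9 to 0.8 at sample 200 (faster
# dynamics, as a lost mass would cause), while the gain b is unchanged.
def a_with_fault(k):
    return 0.9 if k < 200 else 0.8

def run_demo():
    """Return (a_ref, b_ref, start index of the first deviating window)."""
    u, y = simulate_plant(400, a_with_fault)
    a_ref, b_ref = least_squares_ab(u[:100], y[:101])   # fault-free reference model
    return a_ref, b_ref, monitor(u, y, 50, a_ref, b_ref)

if __name__ == "__main__":
    print(run_demo())   # reference (a, b) close to (0.9, 0.1), detection at sample 200
```

With noise-free data the estimates are recovered almost exactly, so the tolerance only has to cover the size of parameter change worth alarming on; on measured signals it must also cover the estimation scatter caused by noise and the unmodelled dynamics, which is why the paper stresses filtering and a high sample rate before the derivatives, or the differences, are formed.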

5 Parity Space Approach

Parity space approach means a comparison of the mathematical model of the plant and measured variables. Any fault can be detected through differences between compared signals. Consider a dynamic system with input vector u, output vector y, and feedback control system. A plant in general consists of actuators, plant dynamics (components), and sensors. For a realistic representation it is important to model all effects that can lead to alarms and false alarms.

The analytical redundancy approach requires that the residual generator performs some kind of validation of the nominal relationships of the system, using the actual input and measured output (Fig. 3). The redundancy relationships to be evaluated can even simply be interpreted as input-output relations of the dynamics of the system. It is highly desirable to have input and output signals of the actuators of the plant available. This is especially important if the actuators are highly non-linear, because then the required system equations do not contain the actuators’ non-linearities. If a fault occurs, the redundancy relations are no longer satisfied and a residual, $r_i \neq 0$, occurs. The residual is then used to form appropriate decision functions. They are evaluated in the fault decision logic in order to monitor both the time of occurrence and location of the fault.

For the residual generation a model of the process is required, and for better fault isolation an additional model of the faulty process should be used.

Figure 2. Principle of the parity space approach to fault detection

The first step in model based analytical redundancy methods is to include all the predefined faults into the mathematical model of the plant.

Output from the parity equations are signals showing inconsistency between normal and faulty operation. In normal process operation the parity equations output is approximately zero. In case of faults the output will be nonzero. Fault isolation is achieved with structured parity equations. One element of the residual vector is unaffected by a specific fault while all the others will be affected. In that way the determination of a fault is possible. The parity equations are designed as follows [3]:

$$e(s) = \Delta y(s) - C(s)\,\Delta u(s) = y(s) - C(s)\,u(s), \qquad r(s) = W(s)\,e(s) \tag{1}$$

The residual vector $r(s)$ is found by multiplying a weighting filter $W(s)$ to the error $e(s)$. The filter is designed to make the $j$th residual unaffected by the $i$th fault. Unfortunately, the residual is also affected by measurement noise $n$ and modelling uncertainty $\Delta C$, not only by the fault vector $f$ (2)

$$y(s) = (C + \Delta C)\,u(s) + n(s) + S\,f(s) \tag{2}$$

where $S$ is a fault distribution matrix. Error vector $e(s)$ is then:

$$e(s) = y(s) - \hat{y}(s) = S\,f(s) + n + \Delta C\,u \tag{3}$$

In general, the residual vector $r(s)$ is affected by all faults $f(s)$:

$$r = [r_1, r_2, \ldots, r_n]^T = r(f_1, f_2, \ldots, f_n) \tag{4}$$

Residual $r_i$ should be made unaffected by fault $f_i$. This is achieved if matrix $[W \times S]$ has the following structure [5]:

$$r_i \neq r_i(f_i) \;\Leftrightarrow\; W \times S =
\begin{bmatrix}
0 & \sum_{i=1}^{n} w_{1i}\,s_{i2} & \cdots & \sum_{i=1}^{n} w_{1i}\,s_{in} \\
\sum_{i=1}^{n} w_{2i}\,s_{i1} & 0 & \cdots & \sum_{i=1}^{n} w_{2i}\,s_{in} \\
\vdots & \vdots & \ddots & \vdots \\
\sum_{i=1}^{n} w_{ni}\,s_{i1} & \sum_{i=1}^{n} w_{ni}\,s_{i2} & \cdots & 0
\end{bmatrix}
\quad \text{or} \quad \sum_{i=1}^{n} w_{ji}\,s_{ij} = 0 \text{ for every } j \tag{5}$$

(the diagonal elements of $W \times S$ vanish). Here the first residual $r_1$ depends on all but the first fault, the second residual $r_2$ on all but the second fault and so on [2]; that is:

$$\begin{aligned}
r_1 &= r_1(f_2, f_3, \ldots, f_n) \\
r_2 &= r_2(f_1, f_3, \ldots, f_n) \\
&\;\;\vdots \\
r_i &= r_i(f_1, f_2, \ldots, f_{i-1}, f_{i+1}, \ldots, f_n) \\
&\;\;\vdots \\
r_n &= r_n(f_1, f_2, \ldots, f_{n-1})
\end{aligned} \tag{6}$$

The decision function for the logical evaluation of the residuals is then as follows:

$$\begin{aligned}
&\text{if } (r_2 \wedge r_3 \wedge \cdots \wedge r_n \neq 0) \wedge (r_1 = 0) \Rightarrow f_1 \\
&\text{if } (r_1 \wedge r_3 \wedge \cdots \wedge r_n \neq 0) \wedge (r_2 = 0) \Rightarrow f_2 \\
&\;\;\vdots \\
&\text{if } (r_1 \wedge r_2 \wedge \cdots \wedge r_{n-1} \neq 0) \wedge (r_n = 0) \Rightarrow f_n
\end{aligned} \tag{7}$$
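The structured residual scheme of Eqs. (3)-(7) can be exercised on a small constructed case. The block below is an added example in plain Python, not code from the paper: it builds a weighting matrix W with the zero-diagonal structure of Eq. (5) for an assumed 3×3 fault distribution matrix S, generates residuals r = W(Sf + n) for each single fault and for a constructed noise vector n, and applies the decision logic of Eq. (7) with an assumed threshold in place of the exact zero test. S, n and the threshold are assumptions; the construction of W (removing the projection of a generic vector onto each column of S) is one way to satisfy Eq. (5), not the paper's filter design.

```python
"""Structured parity residuals, Eqs. (3)-(7): the weighting matrix W is built so that
residual r_j is blind to fault f_j, and the decision logic isolates a fault from the
zero / non-zero pattern of the residual vector.  Added example, plain Python (no numpy);
the fault distribution matrix S, the noise vector and the threshold are constructed."""

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def column(matrix, j):
    return [row[j] for row in matrix]

def matvec(matrix, v):
    return [dot(row, v) for row in matrix]

def structured_weighting(S, v=None):
    """Return W with (W x S)[j][j] = 0 for every j, the structure of Eq. (5).

    Row j of W is a generic vector v with its projection onto column j of S removed,
    so w_j . s_j = 0.  The other entries of row j of W x S stay non-zero for a generic v,
    which is what lets the pattern of Eq. (6) isolate the fault."""
    n = len(S)
    if v is None:
        v = [float(k + 1) for k in range(n)]   # any vector not parallel to a column of S
    W = []
    for j in range(n):
        s_j = column(S, j)
        coef = dot(v, s_j) / dot(s_j, s_j)
        W.append([vi - coef * si for vi, si in zip(v, s_j)])
    return W

def residuals(W, S, f, noise):
    """r = W . e with e = S . f + n (Eq. (3) without the model-uncertainty term)."""
    e = [a + b for a, b in zip(matvec(S, f), noise)]
    return matvec(W, e)

def isolate(r, threshold):
    """Decision logic of Eq. (7): declare fault i when r_i is (near) zero and every
    other residual exceeds the threshold.  Returns the 1-based fault index, or None
    when the pattern matches no single fault (no fault, or an ambiguous pattern)."""
    zero = [abs(x) < threshold for x in r]
    for i, is_zero in enumerate(zero):
        others = zero[:i] + zero[i + 1:]
        if is_zero and not any(others):
            return i + 1
    return None

# Constructed 3-fault case: S maps the three faults onto the three parity errors.
S_DEMO = [[1.0, 0.0, 0.5],
          [0.3, 1.0, 0.0],
          [0.0, 0.3, 1.0]]
NOISE_DEMO = [0.01, -0.02, 0.015]   # constructed measurement noise on e
THRESHOLD = 0.1                     # assumed decision threshold replacing "r_i = 0"

def run_demo():
    """Map each scenario (0 = no fault, k = unit fault f_k) to the isolated fault."""
    W = structured_weighting(S_DEMO)
    outcome = {}
    for k in range(4):
        f = [1.0 if k == i + 1 else 0.0 for i in range(3)]
        outcome[k] = isolate(residuals(W, S_DEMO, f, NOISE_DEMO), THRESHOLD)
    return outcome

if __name__ == "__main__":
    print(run_demo())   # {0: None, 1: 1, 2: 2, 3: 3}
```

Running it reports no fault for the noise-only case and isolates each single fault by the one residual that stays below the threshold. The threshold stands in for the exact zero test of Eq. (7) because the noise n and the uncertainty term ΔC·u in Eq. (3) keep residuals from being exactly zero; where it is set relative to that noise decides both the false-alarm rate and the smallest fault that can still be isolated.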

6 Observer Approach

The system under consideration is usually non-linear, thus the model in the observer should also be non-linear in order to avoid modelling errors arising from linearization. This leads to the concept of FDI using non-linear state estimators [7]. Consider the non-linear system given by:

$$\dot{x} = f(x, u); \quad x(0) = x_0 \tag{8}$$

$$y = c(x, u) \tag{9}$$

where vector $u$ denotes the input vector, $y$ denotes the output vector, $x$ denotes the state vector and $f$ and $c$ are nonlinear functions. Initial conditions are given by $x(0)$.

The non-linear state estimator equation is then, by definition,

$$\dot{\hat{x}} = \hat{f}(\hat{x}, u, y); \quad \hat{x}(0) = x_0 \tag{10}$$

and the state estimation error, $\varepsilon = x - \hat{x}$, becomes

$$\dot{\varepsilon} = f(x, u) - \hat{f}(\hat{x}, u, y) \tag{11}$$

If Eq. (10) is approximated, such that it becomes

$$\dot{\hat{x}} = f(\hat{x}, u) + H(\hat{x}, u)\,(y - \hat{y}); \quad \hat{x}(0) = \hat{x}_0 \tag{12}$$

$$\hat{y} = c(\hat{x}, u), \tag{13}$$

then

$$H(\hat{x}, u) = \left. \frac{\partial \hat{f}}{\partial y} \right|_{\hat{x}, u} \tag{14}$$

is a time-variant observer gain matrix. If system noise $n(t)$ and modelling errors $\Delta f(t)$ are present, the state estimation error equation becomes

$$\dot{\varepsilon} = \left. \left[ \frac{\partial f}{\partial x} - H(x, u)\,\frac{\partial c}{\partial x} \right] \right|_{\hat{x}, u} \varepsilon + \Delta f + n \tag{15}$$

The output estimation error $e$ can be calculated from (15). Considering measurement noise, $m(t)$, and sensor faults, $\Delta k(t)$, one obtains

$$e = y - \hat{y} = c(x, u) - c(\hat{x}, u) + \Delta k + m \tag{16}$$

If stability of the observer is problematic in practical applications, a constant feedback gain matrix can be used instead of $H(\hat{x}, u)$. The structural diagram of the resulting non-linear estimator is illustrated in Fig. 6. A gain matrix $W$ ($0 < w_i \le 1$) is added to the feedback in order to improve the performance of the observer for fault detection purposes (a compromise between modelling errors and difference in dynamics due to leakage as the system will be used in practical application).

Figure 3. Residual generation for a non-linear system using a non-linear observer

7 Example of Fault Detection Method Applied on a Heat Exchanger

Heat exchangers play an important role in chemical and process industries. In order to improve their reliability, safety and control performance, intelligent concepts for control, supervision and also reconfiguration are necessary. Fault detection methods will be presented and applied on a laboratory model of a heat exchanger illustrated in Fig. 7. This is a process that cannot be modelled with a high accuracy. A dynamic response of a heat exchanger depends strongly on its operating point. The device consists of a double-pipe heat exchanger of which the inner tube is connected to a closed system with a water vessel. The system is open to the atmosphere.

Figure 4. Laboratory heat exchanger

The derivation of the mathematical model of the vessel is simple. The vessel is assumed to be ideally insulated. Considering the input-output relationships, the non-linear differential equation (17) of the mass energy balance of the vessel can be written:

$$0 = P + m_h(t)\,c_p\,\vartheta_{h\,out}(t) - m_h(t)\,c_p\,\vartheta_{h\,in}(t) - M\,c_p\,\frac{d\vartheta_{h\,in}}{dt} \tag{17}$$


where:

$P$ power of the electric heater (W)

$m_h$ mass flow of the heating (inner) water (l/s)

$c_p$ specific heat constant (general) (J/kg K)

$\vartheta_{h\,in}$ temperature of the heating water entering the heat exchanger (K)

$\vartheta_{h\,out}$ temperature of the heating water leaving the heat exchanger (K)

$M$ mass of the water in the vessel (kg)

The main problem associated with the vessel is that there is neither level sensor nor pressure sensor installed in it. The question arises how to detect the leakage, when the level sensor isn’t applied. Observing the differential equation, which describes mass energy balance (17), one can see that the water level (mass of the water in the vessel, $M$) changes the dynamic behaviour of the vessel, while the static behaviour remains unchanged. This means that a change in temperature $\vartheta_{h\,in}$ is needed to detect the anomaly. The vessel is described by a non-linear differential equation, so a non-linear observer can be used as described in section 6. If the procedure from section 6 is applied to Eq. (17), the following equations are obtained:

$$u = \begin{bmatrix} \vartheta_{h\,out} \\ m_h \end{bmatrix} \tag{18}$$

$$x = \vartheta_{h\,in} \tag{19}$$

$$y = c(x, u) = x = \vartheta_{h\,in} \tag{20}$$

$$\dot{x} = f(x, u) = f(\vartheta_{h\,in}, \vartheta_{h\,out}, m_h) = \frac{d\vartheta_{h\,in}}{dt} = \frac{1}{M} \left[ \frac{P}{c_p} + m_h \,(\vartheta_{h\,out} - \vartheta_{h\,in}) \right] \tag{21}$$

$$H(\hat{x}, u) = H(\hat{\vartheta}_{h\,in}, \vartheta_{h\,out}, m_h) = \left. \frac{\partial \hat{f}}{\partial y} \right|_{\hat{x}, u} = \left. \frac{\partial \hat{f}(\hat{\vartheta}_{h\,in}, \vartheta_{h\,out}, m_h)}{\partial \hat{\vartheta}_{h\,in}} \right|_{\vartheta_{h\,out}, m_h} = -\frac{m_h}{M} \tag{22}$$

The residual is then:

$$r = y - \hat{y} = \vartheta_{h\,in} - \hat{\vartheta}_{h\,in} \tag{23}$$

The heat exchanger is controlled by a programmable logic controller (PLC) using a closed-loop control, while a non-linear observer is realized in the Matlab environment. A performance test of the observer (Fig. 6), using $w = 0.5$, is made. The ability of water leakage detecting is tested, for a case of two missing litres of water (the capacity of the water tank is six litres). As shown in Fig. 8, the fault is successfully detected with a residual.

Figure 5. Fault detected with a residual (plot of the residual $r$ against time (s), 0 to 1000 s, $r$ axis from −0.8 to 0.8, with the fault interval marked FAULT)
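The observer of Section 6 and its application to the vessel in Eqs. (17)-(23) can be reproduced in simulation. The following is an added example written for this page in Python; it is not the authors' PLC or Matlab implementation. It integrates the energy balance (21) for the "true" vessel, whose water mass drops from six to four kilograms at an assumed time, and alongside it the observer (12) with the gain H = −m_h/M from (22) and the additional gain w = 0.5, then records the residual (23). The heater power steps, the static relation that stands in for the heat exchanger, the constant mass flow, the temperatures and the timing of the leak are all assumptions made for the simulation.

```python
"""Leak detection on the heat-exchanger vessel with the non-linear observer of
Section 6 applied to the energy balance (17)/(21), Eqs. (22)-(23).
Added simulation, not the authors' PLC / Matlab implementation: the heater powers,
the exchanger relation, the flow, the timing of the leak and the leak size are all
constructed; only the structure of the model and the observer follows the paper."""

CP = 4186.0          # J/(kg K), specific heat of water
M_NOMINAL = 6.0      # kg, water mass the observer assumes (six-litre tank, ~1 kg/l)
M_LEAKED = 4.0       # kg, mass after two litres have leaked out
MH = 0.1             # kg/s, heating-water mass flow (held constant, assumed)
THETA_COLD = 293.0   # K, assumed secondary-side (cooling water) temperature
K_EXCH = 0.5         # assumed fraction of (theta_in - theta_cold) removed by the exchanger
W_GAIN = 0.5         # the paper's additional feedback gain, w = 0.5
LEAK_TIME = 500.0    # s, constructed moment of the leak

def heater_power(t):
    """Constructed excitation: steps in the electric heater power P (W)."""
    if t < 100.0:
        return 1000.0
    if t < 600.0:
        return 2000.0
    return 3000.0

def true_mass(t):
    """Water mass actually in the vessel; the observer never sees this."""
    return M_NOMINAL if t < LEAK_TIME else M_LEAKED

def exchanger_outlet(theta_in):
    """Assumed static exchanger: theta_h,out for a given theta_h,in (constructed)."""
    return theta_in - K_EXCH * (theta_in - THETA_COLD)

def f_vessel(theta_in, theta_out, mh, power, mass):
    """Eq. (21): d(theta_h,in)/dt from the energy balance of the vessel."""
    return (power / CP + mh * (theta_out - theta_in)) / mass

def simulate(t_end=1000.0, dt=1.0):
    """Euler-integrate plant and observer side by side; return (t, r) pairs.

    Observer: Eq. (12) with H = -m_h/M from Eq. (22), multiplied by the gain w
    (the W block of Fig. 3); residual r = y - y_hat as in Eq. (23)."""
    theta = THETA_COLD + heater_power(0.0) / (CP * MH * K_EXCH)  # steady state at 1000 W
    theta_hat = theta                  # observer initialised on the first measurement
    trace = []
    t = 0.0
    while t < t_end:
        power = heater_power(t)
        theta_out = exchanger_outlet(theta)   # measured input u = (theta_h,out, m_h)
        y = theta                             # measured output (noise-free here)
        trace.append((t, y - theta_hat))      # Eq. (23)
        H = -MH / M_NOMINAL                   # Eq. (22) with the nominal mass
        theta += dt * f_vessel(theta, theta_out, MH, power, true_mass(t))
        theta_hat += dt * (f_vessel(theta_hat, theta_out, MH, power, M_NOMINAL)
                           + W_GAIN * H * (y - theta_hat))
        t += dt
    return trace

def max_abs_residual(trace, t_from, t_to):
    """Largest |r| for t_from <= t < t_to."""
    return max(abs(r) for t, r in trace if t_from <= t < t_to)

if __name__ == "__main__":
    tr = simulate()
    for lo, hi in ((0, 500), (500, 600), (600, 1000)):
        print(f"{lo:4d}-{hi:4d} s: max |r| = {max_abs_residual(tr, lo, hi):.3f} K")
```

Before the leak the residual is identically zero, because plant and observer run the same equations on the same inputs. After the leak it stays small until the heater power changes again, which is the point made in Section 7: the water mass only alters the dynamic behaviour, so a transient in the loop is needed before the residual leaves zero. With the model mismatch the error obeys ε̇ = B(1/M_true − 1/M_nominal) − (1 − w)(m_h/M_nominal)·ε, where B is the bracket of Eq. (21); the gain w therefore trades how long a mismatch is integrated into the residual against how fast modelling errors are forgotten.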

8 Conclusions

The analytical redundancy is an alternative approach to physical redundancy. Physical redundancy means that redundant signals are generated by means of a set of equal redundant sensors through which the failed ones can be detected. Analytical redundancy uses mathematical models and observers to generate redundant signals. Computations use those signals and present and/or previous measurements of other variables. The resulting differences, called residuals, are indicative of the presence of faults in the system. The three basic FDI methods based on analytical models are parameter estimation approach, parity space approach and observer approach.

Changes in model parameters can be detected by parameter estimation methods. Observer or a set of observers can be used to detect either sensor, component or actuator faults. If symptoms of a fault are well known, the fault can be detected on time to prevent it from developing into a failure that could lead to an environmental damage or loss of a human life. Nevertheless, implementation of FDI schemes increases the occupational safety since humans are excluded from the process. Namely, an occurred fault is detected automatically and a proper reconfiguration is adopted to keep the process in a safe state.

There are several ways of testing the FDI scheme performance. It can be tested through simulations, in which the main problem is that disturbances, unknown inputs and noise cannot be modelled properly. Another way is to work off-line and test the performance of the FDI scheme on previously measured signals. The main problem here is that behaviour of the closed-loop system cannot be tested. The most complex way is on-line testing.

A pilot plant of a heat exchanger was chosen for our experiment as it is frequently used in process plants. The main problem associated with the leakage of the vessel was that there was no level sensor installed in it. Successful results were obtained using a non-linear observer based on energy balance equations. A dynamic change in the mass flow is needed to enable detecting a change of the water level from the nominal state.

The complete fault detection scheme consists of a combination of analytical and heuristic methods and is followed by a fault diagnostic scheme, where several approaches are also possible. One of the optimal solutions in diagnostics is the use of a transferable belief model [11].

9 References

[1] R. Patton, P. Frank, R. Clark (Eds.), Issues of Fault Diagnosis in Dynamic Systems, Springer Verlag, London, 2000.

[2] R. Patton, P. Frank, R. Clark (Eds.), Fault Diagnosis in Dynamic Systems, Prentice Hall, New York, 1989.

[3] M. Blanke, S. B. Nielsen, R. B. Jørgensen, Fault Accommodation in Feedback Control Systems, Department of Control Engineering, Research Report R93-4013, April 1993.

[4] M. Blanke, R. B. Jørgensen, M. Svavarsson, A New Approach to Design of Dependable Control Systems, Automatika, 36 (3-4), pp. 101-108, 1995.

[5] P. M. Frank, K.-S. Ding, Current developments in the theory of FDI, 4th IFAC Symposium on Fault Detection Supervision and Safety for Technical Processes, Budapest, 2000.

[6] D. Valh, B. Tovornik, Model cevno-plaščnega toplotnega izmenjevalnika (Electrotechnical Review), Vol. 66, No. 1, pp. 67-74, Ljubljana, Slovenija, 1999.

[7] P. M. Frank, Fault Diagnosis in Dynamic Systems Using Analytical and Knowledge-Based Redundancy – A Survey and Some New Results, Automatica, Vol. 26, No. 3, pp. 459-47, 1990.

[8] R. Isermann, Das regeldynamische Verhalten von Überhitzern, Fortschritt-Berichte (VDI-Z), Reihe 6, Nr. 4, Düsseldorf, 1965.

[9] W. Goedecke, Fault Detection in a Tubular Heat Exchanger Based on Modelling and Parameter Estimation, IFAC Identification and Parameter Estimation 1985, York, UK, 1985.

[10] P. Young, A. Jakeman, Refined Instrumental Variable Methods of Recursive Time-Series Analysis, International Journal of Control, No. 31, pp. 741-746, 1969.

[11] A. Rakar, D. Juricic, P. Balle, Transferable belief model in fault diagnosis, Eng. appl. artif. intell., vol. 12, pp. 555-567, 1999.

Stojan Peršin received his B.Sc. degree in Electrical Engineering from the University of Maribor, Slovenia, in 1995. From 1995 to 1999, he was with Metronik, elements and automation systems, Ljubljana, and was a project engineer and a manager at the branch office. Since December 1999, he has been with the Faculty of Electrical Engineering and Computer Science, Maribor. He is currently working towards a Ph.D. in Electrical Engineering. His research interests include industrial automation, building automation, fault diagnosis and intelligent systems.

Boris Tovornik was born in 1947 in Maribor, Slovenia. In 1974 he graduated from the University of Ljubljana. In 1984 and 1991 he received his M.Sc. and Ph.D. degrees in Electrical Engineering from the University of Maribor where he is currently Associate Professor. His field of research interests includes Computer Control of Industrial Processes, Modelling and Process Identification, Fuzzy Control, Intelligent Systems, Fault Detection, Supervision and Safety.

Nenad Muškinja received his B.Sc., M.Sc. and Ph.D. degrees in Electrical Engineering from the University of Maribor, Slovenia, in 1988, 1992, and 1997, respectively. Since 1989, he has been a faculty member in the Department of Electrical Engineering and Computer Science, University of Maribor, where he currently holds the rank of Assistant Professor. His research interests include industrial automation, adaptive control, sampled-data control, fuzzy control, and intelligent systems.

Drago Valh was born in 1973 in Maribor, Slovenia. In 1997 he graduated from the Faculty of Electrical Engineering of the University of Maribor. In the same year he started his M.Sc. studies at the Polytechnics, Nova Gorica. His field of research interests includes Fault Detection and Accommodation in Industrial Processes.