PHYSCON 2011, Leon, Spain, September 5 - September 8, 2011
THE HARDWARE-SOFTWARE COMPLEX FOR TEACHING OF FAULT-TOLERANT SYSTEMS DEVELOPERS
Anatoliy S. Kulik
Control Systems Department
National Aerospace University, KhAI
Kharkov, Ukraine
A.G. Chukhray
Control Systems Department
National Aerospace University, KhAI
Kharkov, Ukraine
Juan Pablo M. Bastida
Control Systems Department
National Aerospace University, KhAI
Kharkov, Ukraine
Abstract
In this paper a hardware-software complex is presented. It has been developed to teach developers of technical systems an effective fault-tolerant approach [Kulik, 1991] and [Kulik and Kozij, 1996], applied to a gyroscopic sensors unit (GSU). The fault-tolerant method used on the complex is able to perform a complete diagnosis of the GSU, constantly monitoring its state by means of several comparisons that determine the possible existence of a fault in the unit. Once a fault has occurred in the unit, the method is able to find where the fault is located, which allows us to define what kind of fault has appeared in the unit, and this diagnosis can lead us to perform the proper corrective actions to recover the optimal performance of the GSU.
Key words
Fault-tolerant system, control system, fault-tolerant, gyroscopic sensors unit.
1 Introduction
In the last decades many advances in the field of control systems have been developed [Kulik, 1991], [Kulik and Kozij, 1996], [Kulik, Firsov, Kuok and Zlatkin, 2008] and [Guillaume, 2009], having a great impact on all kinds of control disciplines. New theory, actuators, sensors, industrial processes, computing methods, approaches and philosophies that improve different aspects of control systems have been implemented. Today control systems are a core block in many spheres [Guillaume, 2009] and [Stengel, 1991], with the aim of achieving autonomy in aerial, land and maritime vehicles. In any of these spheres it is necessary to use stabilization and guidance systems, which demand a fault-tolerant design approach, meaning the ability to keep working even under the influence of noise, faults or other conditions that can alter the proper work of the system and lead to a malfunction. The heart of many control and guidance systems is the GSU, and its effectiveness relies on how effectively the system can respond to constant or random faults that can occur while it operates. The practical problem is that a sensor can fail or give a wrong sensed value, so the vehicle's performance deteriorates, and an immediate action to recover the lost performance must be applied to avoid mistakes in the control and guidance of the vehicle that can result in a wrong action or even the complete loss of the vehicle, or both, resulting in economic loss or, even worse, in loss of human lives. Hence the need to develop a platform for applying, studying and testing a fault-tolerant methodology that will be used later. This is the aim of this work.
The complex consists of software, where the method is computed and which is also in charge of emulating the faults in the system, a data acquisition block and the GSU. The GSU is constituted by two angular velocity sensors (AVS) and one angle sensor (AS) [Kulik, 1991] and [Kulik and Kozij, 1996]. The hardware-software complex is able to emulate faults in the GSU by software and applies the fault-tolerant method, showing the sensors' signals in real time. The sensors are mounted on a moving platform that can emulate a real work situation for them. The fault-tolerant method is based on hierarchical modules that are in charge of the proper detection of a fault and of obtaining the type of fault in the gyroscopic unit, passing through a phase of seeking the place where the fault has occurred in the unit. The method takes advantage of different techniques and approaches in order to carry out the complete set of tasks needed to obtain a correct diagnosis of the gyroscopic sensors unit and to determine the suitable following action in case a fault exists in the unit.
2 Hardware-Software Complex
A block diagram of the complete complex is depicted in Fig. 1, which shows the main blocks that form it. We can see the GSU interconnected to a Personal Computer (PC) through an interface module. The PC is in charge of processing and applying the support algorithm to the system and of emulating the faults.
Figure 1. Block Diagram of The Complex.
The analog signals from the sensors are digitized by the interface module and are sent to a USB port in order to be shown on the computer's screen in real time. The Control Module is in charge of turning the GSU's motor on and off and of changing the direction of the platform. The graphic interface where the signals are depicted is shown in Fig. 2, as well as the signals from the sensors.
Figure 2. Graphic Interface.
The graphic interface is designed for the study of the fault-tolerant algorithm applied to gyro-sensors, and it has different controls to emulate faults in the system and to apply the diagnostic and the algorithm for recovering the system performance. The interface depicts the signals from the three sensors, from top to bottom: first the signal of Angular Velocity Sensor 1 (AVS1), then the signal of Angular Velocity Sensor 2 (AVS2), and then the signal from the angle sensor. Each signal has on its right side the corresponding transformation for the operations that the method for recovering the system's performance needs. In order to perform the method it is necessary to integrate the signals from the angular velocity sensors and differentiate the signal from the angle sensor, as it was explained above. The complete complex and its interconnection are shown in Fig. 3.
Figure 3. Complete Complex.
The program is able to emulate different kinds of faults, and different faults can be inserted into the system at the same time and in different sensors too. Fig. 4 shows an example of these possibilities: in this figure there is a fault in sensor 1 that shifts the voltage of the signal, while in sensor 2 the signal is inverted, which corresponds to an inversion of the transfer coefficient.
Figure 4. Faults in sensor 1 and sensor 2
The last example shows the principles of the complex. The complex can emulate faults in the system and lets us watch how it responds to certain faults. This helps to explain the processes in the fault-tolerant system and helps developers to understand how fault-tolerant concepts are applied to recover the system's performance in case the faults permit it.
3 Diagnostic Model for the GSU
The GSU is able to measure the angular velocity and the position angle by means of the sensors on it. At least one angle sensor and two angular velocity sensors are necessary to guarantee a diagnosis of the GSU, as shown in Fig. 5.
Figure 5. Functional Scheme of GSU.
The characteristic equations of the sensors are shown in (1):
U2(t) = K2 (t) + Uu20
U1(t) = K1 (t) + Uu10
U(t) = K (t) + Uu0      (1)
Where:
U2(t) - AVS2 output.
U1(t) - AVS1 output.
U(t) - AS output.
K2, K1, K - Transfer coefficients of the sensors.
(t) - Angular velocity.
(t) - Position angle.
Uu20, Uu10, Uu0 - Offset values.
In order to develop a reliable method for detecting and diagnosing faults in the GSU, it is necessary to build a methodology on the basis of the analysis of the input-output signals of the three sensors described above. We must use diagnostic signs of the system as well as parameters of faults. Determining the existence of a fault in the GSU leads to finding the place, class and kind of the fault; Fig. 6 shows the general scheme of the method. Once a fault has appeared in the GSU and the complete process has been performed to obtain the diagnosis (a complete characterization and behavior of the system according to the current fault), we are able to go on to the next and very important step, which consists of determining the possibility of recovering the system reliability and its functional status.
Figure 6. Scheme of the Method.
According to the study and analysis of the GSU, there are very specific faults in the unit, which lead us to understand the behavior of the system or, even better, the sensors' behavior. The kinds of faults are denoted by the letter d and are defined as follows:
d1 - Positive power supply cable broken
d2 - Negative power supply cable broken
d3 - Signal cable broken
d4 - Irremovable positive voltage shift
d5 - Removable positive voltage shift
d6 - Removable negative voltage shift
d7 - Irremovable negative voltage shift
d8 - Change of the transfer coefficient
d9 - Reorientation of the transfer coefficient
The following hypotheses have been defined in developing the diagnostic process for the gyroscopic sensors.
Only one sensor can fail to work properly.
Each sensor can present one or two kinds of faults at a time.
Only Shift and Coefficient fault types can occur at a time in one sensor.
The input signal must be of a kind that allows the types of fault described above to be determined.
Each kind of fault can appear independently of the others.
4 Recovering Method of GSU's operability
4.1 Fault Detection
First we must supervise the state of the GSU and identify the existence of a fault in the system. The general scheme is depicted in Fig. 7. The comparison between the three sensors, the Angular Sensor (AS), AVS1 and AVS2, is carried out by taking differences between their output values. The errors in Fig. 3 are represented by the following equations (2).
1(t) = U1(t) - U(t)
2(t) = U2(t) - U(t)
3(t) = U1(t) - U2(t)      (2)
Where:
1(t) - Error between AVS1 and AS.
2(t) - Error between AVS2 and AS.
3(t) - Error between AVS1 and AVS2.
U2(t) - AVS2 output.
U1(t) - AVS1 output.
U(t) - AS output.
Figure 7. Comparison diagram between the three sensors.
After the errors between the sensors are calculated, a Threshold Device (TD) is applied. It is in charge of determining the existence of a fault in the GSU in case some error value is over the threshold value si; with this we obtain the value of the indicator Si. This process is represented by equations (3).
S1[k] = {|U1[k] - U[k]| > s1}
S2[k] = {|U2[k] - U[k]| > s2}
S3[k] = {|U1[k] - U2[k]| > s3}      (3)
Where:
Si[k] - Presence of fault indicator.
U1[k], U2[k], U[k] - Sampled sensor outputs.
si - Threshold value.
Therefore, if one of the indicators Si has a value equal to 1, there is a fault in the GSU, but if the result is 0, the GSU works properly. If there is a fault in the GSU, we go on to the next stage of the process.
4.2 Seeking for Place of Fault
Once a fault in the GSU has been determined, we proceed to find the place where the fault has occurred, that is, which of the three sensors is not working properly.
Table 1 - Place of fault indicators.
      U2   U1   U
S1    0    1    1
S2    1    0    1
S3    1    1    0
In order to find the place of fault, we use the Si indicators; Table 1 shows the three possible combinations of the indicators when a fault has occurred, which help us determine the place of fault, that is, which sensor is working wrongly.
Figure 8. Flow Tree for Seeking the Place of Fault.
The flow tree for this procedure is shown in Fig. 8. According to Table 1, it is possible to develop the three following statements for determining the place of fault. Once the place of the fault is found, the next step is to determine the class of fault.
If S1 = 0 THEN fault is in AVS2
If S2 = 0 THEN fault is in AVS1
If S3 = 0 THEN fault is in AS
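The threshold device of (3) and the place-of-fault lookup of Table 1 can be run over sampled signals as follows. This Python code is an added example, not code from the paper or from the complex: the signals, thresholds and emulated faults are constructed, and it assumes the three signals have already been brought to a common quantity so that they can be compared sample by sample. It also reports indicator patterns that Table 1 does not list instead of forcing them onto a sensor.

```python
import math

# Table 1, keyed by the indicator pattern (S1, S2, S3).
PLACE_OF_FAULT = {
    (0, 1, 1): "AVS2",  # S1 = 0: AVS1 and AS still agree
    (1, 0, 1): "AVS1",  # S2 = 0: AVS2 and AS still agree
    (1, 1, 0): "AS",    # S3 = 0: AVS1 and AVS2 still agree
}

THRESHOLDS = (0.3, 0.3, 0.3)  # constructed values for s1, s2, s3 (volts)


def indicators(u1, u2, u, thresholds=THRESHOLDS):
    """Threshold device of (3): S_i = 1 when a pairwise difference exceeds s_i."""
    s1, s2, s3 = thresholds
    return (
        int(abs(u1 - u) > s1),   # S1: AVS1 against AS
        int(abs(u2 - u) > s2),   # S2: AVS2 against AS
        int(abs(u1 - u2) > s3),  # S3: AVS1 against AVS2
    )


def locate(pattern):
    """Place of fault for an indicator pattern.

    None means no indicator fired. "UNDETERMINED" marks any pattern outside
    Table 1, i.e. one the single-faulty-sensor hypothesis does not explain.
    """
    if pattern == (0, 0, 0):
        return None
    return PLACE_OF_FAULT.get(pattern, "UNDETERMINED")


def diagnose(samples, thresholds=THRESHOLDS):
    """Return (k, place) for the first sample k that indicates a fault."""
    for k, (u1, u2, u) in enumerate(samples):
        place = locate(indicators(u1, u2, u, thresholds))
        if place is not None:
            return k, place
    return None


def constructed_run(fault=None, start=20, n=60):
    """Constructed signals: a 2.5 V offset plus a sine, seen by all sensors."""
    samples = []
    for k in range(n):
        true = 2.5 + math.sin(0.2 * k)
        u1 = u2 = u = true
        if k >= start:
            if fault == "shift_avs1":      # emulated voltage shift
                u1 = true + 0.8
            elif fault == "invert_avs2":   # emulated sign flip of the coefficient
                u2 = 5.0 - true            # mirrors the signal about the offset
            elif fault == "two_sensors":   # violates the one-sensor hypothesis
                u1, u2 = true + 0.8, true - 0.8
        samples.append((u1, u2, u))
    return samples


if __name__ == "__main__":
    for fault in (None, "shift_avs1", "invert_avs2", "two_sensors"):
        print(fault, "->", diagnose(constructed_run(fault)))
```

With the inverted coefficient the pairwise difference in this constructed signal is twice the sine term, so samples near a zero crossing stay under the threshold; detection depends on the input signal, as the hypotheses of Section 3 require.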
4.3 Determining the Class of Fault
In this stage of the method we work with the signal of the faulty sensor, comparing it with the signals of the other sensors that are working well. This stage is based on the fact that only one or two classes of fault can occur in the faulty sensor at the time of the detection.
Class Broken
This class is characterized by constant voltages at the output of the faulty sensor. The mathematical model for determining this class is shown in (4).
ZBi = { K n=0 Ui(n+1) Ui(n) > Bi }      (4)
Where:
ZBi - Indicator for class Broken.
Ui(n) - Sample of the output of the faulty sensor.
Bi - Threshold value for class Broken.
Every true result of this statement is counted (N times), and at the end of the process the count is compared to another threshold of reliability B, as shown in the next statement (5).
ZBi = {N > B}      (5)
Where:
ZBi - Indicator of reliability for class Broken.
N - Counter of true results of ZBi.
B - Threshold of reliability for class Broken.
If N is bigger than B, the class of fault is determined as Broken.
Class Shift
This class is defined by a constant shift of the output voltage in the faulty sensor. In the method we apply a comparison between the three sensors, taking samples during a period of time; these values are saved into variables defined by i, which we then use to determine this class of fault. As the faulty sensor is defined, we use the values of the errors that do not work properly and calculate their mean with (6).
s = (s1 + s2) / 2      (6)
Where:
s - Average value of the two sensors that do not work well.
s1 - Values of the first sensor.
s2 - Values of the second sensor.
Then we apply the mathematical model presented in (7) in order to check if the class of fault is Shift.
ZSi = { K n=0 |s(n+1) s(n)| > Si }      (7)
Where:
ZSi - Indicator for class Shift.
(n) - Sample of the average value of the two faulty sensors.
Si - Threshold value for class Shift.
Every result above the threshold value Si is counted; this statement indicates whether the voltage shift is constant, as it must be in this class of fault. In that case the indicator for this class is applied, as shown in (8).
ZSi = {N > S}      (8)
Where:
ZSi - Indicator of reliability for class Shift.
N - Counter of true results of ZSi.
S - Threshold of reliability for class Shift.
Class Coefficient
This class has a constant difference from the correct coefficient value that the sensor has when it is working properly. We use the average of the outputs of the two sensors that work well, represented by equation (9).
U = (U1 + U2) / 2      (9)
Where:
U - Average value of the two sensors that do work well.
U1 - Values of the first sensor.
U2 - Values of the second sensor.
It is necessary to obtain the average value of the change of the transfer coefficient by equation (10).
K = 1m m n=1 Uc(n) Ui(n)      (10)
Where:
K - Average values of change of the transfer coefficient.
Uc(n) - Average values of the two sensors that do work well.
U2 - Values of the faulty sensor.
We then apply a threshold value to determine if there is a change in the transfer coefficient. Moreover, we can obtain an index of change in the transfer coefficient by means of the errors, which can be obtained by (11) and (12).
c = (c1 + c2) / 2      (11)
Where:
c - Average value of the two sensors that do not work well.
c1 - Values of the first sensor.
c2 - Values of the second sensor.
ZCi = { K n=0 |c(n+1) c(n)| > Ci }      (12)
Where:
ZCi - Indicator for class Coefficient.
c(n) - Sample of the average value of the two faulty sensors.
Ci - Threshold value for class Coefficient.
We also need to count (N) every result above the threshold value Ci. If a change in the transfer coefficient has occurred, the difference between the values in ZCi will not be constant. Considering both results, we can define the following statement:
If K = 1 & N > c THEN class of fault is Coefficient.
The flow tree for defining the class of fault is depicted in Fig. 9.
Figure 9. Flow Tree to determine the Class of Fault.
4.4 Defining the Kind of Fault
Now it is necessary to define the kind of fault that has occurred in the GSU. In order to define the kind of fault, we rely on different sorts of conditionals and indicators to define the fault respectively.
Type of fault Broken
This kind of fault has three different types: positive power supply broken, negative power supply broken and signal cable broken. The statements (13) define the corresponding kind of fault. We use a tolerance value called tb. Fig. 10 shows the flow tree to define what kind of Broken fault is in the system. Once the class Broken has been defined, the method starts looking for what kind of Broken fault it is. The method uses the statements in (13), starting with the Z1+ indicator: if this indicator is true, the positive power supply cable is broken; if it is not true, the method checks whether the Z1 statement is true, in which case the negative power supply cable is broken; if it is not true, it goes on to the final Z1s statement, and if this statement is true, the signal cable is broken, but if it is not true the fault is unknown. This process is defined in Fig. 10.
Z1+ = {Umin + tb > U > Umin - tb}
Z1 = {Umax + tb > U > Umax - tb}
Z1s = {tb > U > -tb}      (13)
Where:
Z1+ - Indicator for positive power supply fault.
Z1 - Indicator for negative power supply fault.
Z1s - Indicator for signal supply fault.
Umax - Maximum voltage value (+5 V).
Umin - Minimum voltage value (0 V).
tb - Threshold value for this kind of fault.
Figure 10. Flow Tree to define type of fault Broken.
In Fig. 11, an example of this type of fault, a positive power supply fault, has been performed on the signal of AVS2; we can see how the signal from the sensor behaves under this condition.
Figure 11. Positive power supply fault in AVS2.
Unfortunately the method cannot recover from this type of fault, because one of the three cables is damaged and the method is not able to fix it.
Type of fault Shift
This kind of fault has four different types: irremovable positive voltage shift, removable positive voltage shift, removable negative voltage shift and irremovable negative voltage shift. The statements in (14) represent each case for defining this kind of fault. The flow tree depicted in Fig. 12 shows the procedure to define what type of shift fault it is. The method starts by testing the Z2a statement: if it is true, the fault is an irremovable positive voltage shift; if not, Z2b is tested, and if it is true, the fault is a removable positive voltage shift; if it is not, Z2c is tested, and if it is true, the fault is a removable negative voltage shift; if it is not, Z2d is tested, and if this is true the fault is an irremovable negative voltage shift, but if it is not, the fault is unknown.
Figure 12. Flow Tree to define type of fault Shift.
Z2a = { > max+}
Z2b = {min+ < < max+}
Z2c = {min < < max}
Z2d = { > max}      (14)
Where:
Z2a - Irremovable positive voltage shift.
Z2b - Removable positive voltage shift.
Z2c - Removable negative voltage shift.
Z2d - Irremovable negative voltage shift.
max, min - Threshold values for this kind of fault.
 - Average value of 1 and 2.
When the method has determined that this fault is removable, the method takes value and adds it to the wrong sensor's signal accordingly to recover the system's performance.
Figure 13. Irremovable negative voltage shift fault in AVS2.
An example of this kind of fault is shown in Fig. 13. This example shows the case of an irremovable negative voltage shift fault in the second angular velocity sensor.
Type of fault Change in Transfer Coefficient
In this kind of fault there are two different definitions: transfer coefficient decreased and reorientation of transfer coefficient. Their corresponding statements are shown in (15).
Z3a = {0 < K < Ki}
Z3b = {K < K < 0}      (15)
Where:
Z3a - Transfer coefficient decreased indicator.
Z3b - Reorientation of transfer coefficient indicator.
K - Average value of the affected transfer coefficient.
Ki - Coefficient value of the faulty sensor in normal state.
The flow tree of this process is shown in Fig. 14, which depicts how the method proceeds in the different cases that can occur, up to the possible recovery of the system performance. First Z3a is tested: if the statement is true, the transfer coefficient has decreased. If it is not true, the method tests the Z3b statement: if it is true, the transfer coefficient has re-orientated, but if it is not true the fault is unknown. Once the type of coefficient fault is defined, we proceed to compensate the wrong coefficient with the value of K, accordingly and only if K is less than 10% of the correct value of the coefficient.
Figure 14. Flow Tree to define type of fault Coefficient.
In Fig. 15, we can appreciate a reorientation of the transfer coefficient in sensor one, AVS1. It is possible to see how the signal has inverted with respect to the signals of the other sensors.
Figure 15. Reorientation of transfer coefficient in AVS1.
5 Conclusion
In the present work a complete complex for the study of a fault-tolerant system is presented. The complex works with real sensors and lets us understand the behavior of this kind of system and how a method to recover or keep the system's performance is applied. The complex provides a diagnostic model for the different kinds of possible faults that can occur in the gyroscopic sensors unit and dynamically emulates these faults. The faults are reflected in the sensors' signals, which are monitored in real time and depicted on the screen of a graphic interface on a computer.
A fault-tolerant method is proposed and developed, and a complete complex has been built to study the methodology of the diagnostic process. The signals from the three sensors are dynamically depicted on the graphic interface of a personal computer program. This interface lets us study the behavior of the unit and dynamically shows the current state of the sensors. The entire complex lets us understand a reliable way to test and develop a fault-tolerant process applied to a gyroscopic sensors unit or even to other kinds of systems.
This complex is a useful tool for understanding the concepts and processes involved in a fault-tolerant method, and it provides a feasible and graphical way to do so, all in a dynamic and real interface.
References
G. Guillaume, J. J. (2009). Fault-Tolerant flight Control and Guidance Systems. Springer-Verlag London Limited 2009.
Kulik, A. S. (1991). Fault Diagnosis in Dynamic Systems via Signal-Parametric Approach. IMACS Symposium of fault detection, supervision and a technical process SAFE PROCESS 91, Baden-Baden. 1991. Vol. 1. pp. 157-162.
Kulik, A. S. and Kozij, F. (1996). Systems Fault-Tolerant support for a Gyroscopic-Sensor Unit. Engineering Simulation. 1996. Vol. 13. pp. 955-965.
Kulik, A. S., Firsov, S. N., Kuok Tuan Do and Zlatkin, O. Y. (2008). Restoration of measurements of navigating system in real time mode. Aircraft Technique and Technology. 2008. 5 (52). pp. 28-33. (Russian)
Kulik, A. S. (2009). The concept of active fault tolerance of orientation and stabilization satellite systems. Radio-electronic and Computer Systems. 2009. 2 (36). pp. 101-108. (Russian)
Robert F. Stengel (1991). Intelligent Failure-Tolerant Control. IEEE Control Systems, June 1991. pp. 14-23.