Application of agent technology concepts to the design of a fault-tolerant control system
ARTICLE IN PRESS
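0967-0661/$ - see front matter © 2006 Elsevier Ltd. All rights reserved.
doi:10.1016/j.conengprac.2006.09.002
*Corresponding author. Tel.: +351 239 798700; fax: +351 239 798703.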
Control Engineering Practice 15 (2007) 459–469
www.elsevier.com/locate/conengprac
Application of agent technology concepts to the design of a fault-tolerant control system
Andrey Romanenko (a,*), Lino O. Santos (a), Paulo A.F.N.A. Afonso (b)
(a) GEPSI – PSE Group, Departamento de Engenharia Química, FCTUC-Pólo II, Rua Sílvio Lima, 3030-790 Coimbra, Portugal
(b) Escola Superior de Tecnologia e Gestão, Universidade de Aveiro, Zona Industrial da Alagoa – Apartado 473, 3754-906 Águeda, Portugal
Received 20 April 2004; accepted 7 September 2006
Available online 31 October 2006
Abstract
This work concerns the applicability of agent technology concepts to the design of a plant fault-tolerant control system. The operation
of the fault-tolerant system is enhanced by decomposing it into autonomous subsystems and by turning them into agents. The detailed
development of one of the agents, the feed line of the process, is presented and its performance is tested by simulation. The proposed
framework meets the control objectives and features a significant level of fault tolerance to sensor and actuator failures. This is achieved
using an observer based fault detection and diagnosis (FDD) unit. Moreover, this work shows how the control strategy may be altered to
tackle a case of severely impacted control capability.
© 2006 Elsevier Ltd. All rights reserved.
Keywords: Agent technology; Process control system; Fault tolerance; Fault detection and diagnosis
1. Introduction
Process control systems, which are typically large and distributed, have been shown to benefit from agent based organization (Velasco, Gonzalez, & Iglesias, 1996). However, this technology can also be advantageous in small sized problems, leading to more efficient measurement/control solutions. For instance, problems where single controller techniques fail may be tackled with hybrid control based on a supervised controller agency (van Breemen & de Vries, 2001). Another example is the successful partitioning of a flow measurement system into distributed components reported by Maric (2003). The application of agent technology concepts can be found in other domains as well. In a related field of process design and optimization, Siirola, Hauan, and Westerberg (2003) illustrate a set of collaborating optimization agents having a drastic positive impact on system performance. Aldea et al. (2004) report three industrial applications of multi-agent systems for information mining, process design and
human resource planning. An overview of issues in multi-sensor systems built as an agent society is presented in a work of Xiong and Svensson (2002).
In spite of the benefits of agent and object-oriented technologies, they have been underutilized in process control and automation (Schneider & Marquardt, 2002). A work discussing new PLC software design (Kandare, Godena, & Strmcnik, 2003) attributes this phenomenon to the difficulty of the mapping of object-oriented models into standard languages of IEC 1131-3 (IEC, 1999). Seilonen, Appelqvist, Vainio, Halme, and Koshinen (2002) suggest that factors such as the difficulty to meet strict real-time requirements in existing agent systems, the complexity of the control problem decomposition, and the rarity of redundant resources, may be at the root of this insufficient development. On a larger scope, various implementation issues and integration difficulties are addressed in multi-tier process automation systems (Wagner, 2002).
The increasing process complexity, and more stringent safety and environmental regulations, demand higher process safety levels. In light of this, fault-tolerant systems able to detect and diagnose an abnormal situation (fault), to execute rectification actions, and to alert the plant personnel are a de facto standard in industrial set-ups.
Many of such systems feature hardware redundancy allowing to switch operation from malfunctioned equipment to a healthy back-up. Nevertheless, analytical redundancy methods, enabling fault tolerance by exploiting process knowledge, have received much research attention in the last decades. A large number of successful applications are reported in the literature (Patton, 1997; Isermann & Balle, 1997; Venkatasubramanian, 2001; Stephanopoulos, Romagnoli, & Yoon, 2001).
Fault detection and diagnosis (FDD) may be tackled globally in situations where one has to take into consideration overall interactions inside the system. However, such approaches may result in intractable or computationally burdensome solutions if the interactions are weak or the problem dimension is high. An alternative approach is to decompose the problem into smaller subtasks and perform control and FDD locally (Chang & Hwang, 1998; Lee, 2001; Stephanopoulos et al., 2001). A typical example of such system is intelligent instrumentation that is capable of performing self-diagnostics and notifying the control system of its health status. Besides, such devices may be configured and calibrated remotely using appropriate tools.
Another well-defined level of decomposition is process control loops. It is of paramount importance that a control loop maintains single loop integrity or is brought to a safe state in the case of an uplink communication failure or a host malfunction. To achieve this integrity it may be beneficial to delegate regulatory control to a remote unit and to use the host computer to perform advanced control and supervision. This task is easy to accomplish in equipment with fieldbus capabilities (Lee, Allan, Thompson, & Bennet, 2001; Vaillant & Garcia, 2003).
In spite of that, many legacy instruments existing in process plants are not able to perform self-diagnostics and additional measures are required in order to integrate them efficiently into modern control systems.
This work describes the application of agent based technology concepts to the design of the model-based fault-tolerant control system of a plant involving a stirred tank pseudo-reactor. The aim is to develop a framework for both actuator and sensor fault detection extending the work of Afonso, Ferreira, and Castro (1998). Instead of tackling the overall system architecture, the article focuses on the design of the agents. Here, the application of this methodology is illustrated with the decomposition of the plant into distinct areas and the development of one of the control system agents, namely, a feed line controller. Ould Bouamama, Medjaher, Samantaray, and Staroswiecki (2006) used a bond graph modelling approach to the design of the supervision system for a similar process. It is shown that the resulting flow controller meets flowrate requirements and enables the system to be fault-tolerant.
Section 2 describes the plant and identifies its decomposition into three distinct areas. A brief description of the main characteristics of the resulting agents is provided as well, by analogy to the agent technologies in Computer Science (Jennings, 2000). This section also addresses the model development of one of the proposed agents (a feed line controller) and the implementation of a fault detection, identification and diagnosis framework. In Section 3 the performance of the resulting fault-tolerant control system is demonstrated by simulation, where several scenarios of malfunctions in the equipment are considered. Finally, conclusions are drawn in Section 4.
2. Description
Consider the simplified system represented in Fig. 1, consisting of a stirred tank pseudo-reactor, two buffer vessels, two feed and one outlet lines. The pressure in the buffer vessels is manipulated by solenoid valves PV by means of compressed air. The liquid level control is performed via solenoid valves LV. Besides, the reactor is not pressurized. Each of the feed lines is equipped with an equal percentage control valve (FCV), a safety shut-off solenoid valve (FSV), and a flowmeter (FT). The outlet line features a control valve (LCV) only, thus direct measurements of the outlet flowrate are not available. Additionally, the control valves provide feedback of the stem position $l$ through a transmitter (ZY).
The underlying idea of the agent based technology is to decompose the entire plant into three distinct areas: two feed lines and the pseudo-reactor with the outlet line. This enables a hierarchical approach to FDD in which some FDD and control functions are carried out locally (that is, within the areas in Fig. 2) while the final diagnostic decision and control supervision is carried out at the top level where information from local fault detectors is consolidated.
2.1. Agent technology concepts
Such an approach has a strong resemblance with agent technologies as perceived in Computer Science where agents are regarded as having certain characteristics (Jennings, 2000) that are commented on below from a process control standpoint:
• They are clearly identifiable problem solving entities having well defined boundaries and interfaces. In control systems, it is possible to unequivocally recognize such entities as sensors, final control elements, controllers, or, at a higher level, unit operation equipment, production lines, and so on.
• They are located in a particular environment. Process systems have, in general, a well defined structure and when operational flexibility is present, its nature and scale are known a priori.
• They are designed with a specific purpose. Temperature controllers, real-time process optimizers, fault diagnostics are examples of such purpose driven entities.
• They have control both over their internal state and their own behavior. It may be irrelevant for an upper level control system to know the internal state in which low-level equipment is encountered. For instance, in a flow controller, it is not very important where the stem of the control valve is located at a particular moment as long as the design goal (maintain flowrate) is fulfilled.
• They are capable of exhibiting flexible problem solving behavior. As will be shown below, it is possible to design a control agent that will be capable of reconfiguring itself in case of a component failure and keep achieving its design purpose. It is noteworthy, however, that this reconfiguration action is chosen from a list of available recipes. Therefore, the autonomy of the agent is limited for the reasons of safety and economical feasibility of the process.
Fig. 1. Simplified system.
Fig. 2. Feed line 1. [Diagram labels: Tank 1; loops "h", "F" and "P"; water supply; to process.]
2.2. Case study
In order to illustrate the performance of the proposed framework, feed line 1 only is considered (Fig. 2). Although it is rather simple, this type of system is very common in industrial plants and, therefore, potential improvements in its operation may bring about significant overall progress. Three control loops are utilized in normal operation: Loops "h" and "P" perform on–off control of the level of water and the pressure in the feed tank, respectively. Loop "F" maintains the feed flowrate to the reactor using a PI algorithm. Besides, the proposed approach tackles failures in the actuator of control valve FCV1, its position feedback sensor ZY1, and in the flowmeter FT1.
Control valve FCV1 is the fulcrum component of the feed line and it is therefore essential to obtain a model describing its behavior. On one hand, such knowledge may lead to a control performance improvement in normal operation. Indeed, a larger set of nonlinearities and delays in the actuator dynamics may be accounted for in the control algorithm. On the other hand, this model may provide the means of analytical redundancy for fault diagnosis.
2.3. Valve dynamics
A throttling control valve with an associated actuator may be modelled as a dynamic system

$$\dot{l} = f(l, u), \tag{1}$$
$$y = g_1(l), \tag{2}$$
$$F = g_2(l, \Delta P), \tag{3}$$

where $l$, $u$, and $y$ are the fractional stem position, its setpoint, and its feedback, respectively. $F$ and $\Delta P$ are the volumetric flowrate and the pressure drop across the valve. Although in reality $u$ and $y$ are electric signals, for the sake of simplicity the data acquisition and conversion details are not described here. It is common to consider stem dynamics (1) as a first order system (Kayihan & Doyle III, 2000)

$$\dot{l} = a l + b u. \tag{4}$$

Exact setpoint following may be achieved by setting $b = -a$, resulting in

$$\dot{l} = a(l - u), \quad a < 0. \tag{5}$$

It is noteworthy, however, that the actuators installed in the pilot plant under study are of electro-mechanical and electro-hydraulic type with an integrated positioner. They are capable of rapidly reaching a nominal stem velocity and driving the stem to the setpoint position. Although such behavior may be described by a first order system with rate saturation or by the signum function, a smooth approximating function, such as the hyperbolic tangent is preferable from a numerical standpoint (Kayihan & Doyle III, 2000). This way, stem dynamics may be represented as

$$\dot{l} = v \tanh[c(l - u)], \tag{6}$$
where $v$ is the nominal stem velocity, and $c$ is a parameter determining the rate of saturation of the $\tanh(\cdot)$ function.
However, the installed electro-hydraulic actuators (SKD62 of Landis & Gyr) exhibit two different velocities for the opening and closing movements, $\frac{1}{30}$ and $\frac{1}{15}$ s$^{-1}$, respectively. Expression (6) may be further generalized as

$$\dot{l} = \frac{v_o + v_c}{2} - \frac{v_o - v_c}{2} \tanh\left[ c(l - u) - \operatorname{atanh}\left( \frac{v_o + v_c}{v_o - v_c} \right) \right], \tag{7}$$

where $v_o > 0$ and $v_c < 0$ are the opening and the closing stem velocities, respectively.
The above representation does not contemplate such phenomena as deadband and backlash commonly present in mechanical systems. The former is usually implemented by the actuator manufacturer to decrease workload on the valve and thus to increase valve lifetime. However, even a supposedly insignificant deadband of a healthy, but improperly chosen valve, may result in poor quality of control (Langford, 2002). Backlash, in its turn, is an undesired source of uncertainties caused by, for example, existing gaps in the coupling between the actuator's and the valve's stems. Both phenomena may also be caused by the effect known as stiction (a combination of sticktion and friction) that may severely impact the performance of a control loop (McMillan, 1995). One may account for these adverse effects either by considering them an additional source of uncertainties in an estimation algorithm or by developing detailed device models (Champagne & Boyle, 1996; Kayihan & Doyle III, 2000).
When a control valve is equipped with stem position
feedback, its signal (2) can aid substantially in a complex process system or in a system with special requirements (fault operational, fault-tolerant, and fault safe). Expression (2) is a linear function in the form

$$y = p_1 l + p_2 \tag{8}$$

with parameters $p_1 = 1.0$ and $p_2 = 0.0$ being the ideal case.
The general expression of a flow across a valve (3) is given by (Shinskey, 1979)

$$F = C_v a \sqrt{\frac{\Delta P}{\rho}}, \tag{9}$$

where $C_v$ is the flow coefficient of the valve, $a$ is the fractional opening, $\Delta P$ is the pressure drop, and $\rho$ is density. The fractional opening is a function of the fractional stem position $l$. In a linear valve, $a$ equals $l$, in a quick opening valve $a = \sqrt{l}$, while in an equal percentage valve the dependency is $a = R^{l-1}$, where $R$ is the rangeability.
Although a valve with linear behavior seems to be most desirable for control purposes, it is the installed flow characteristic that should be as linear as possible (Seborg, Edgar, & Mellichamp, 1989). Typically, $\Delta P$ decreases with load as pressure losses in the piping system increase with flow. Thus, a linear or, especially, quick opening valve would only amplify the nonlinearity. On the other hand, an equal percentage valve is capable of compensating for these losses and the installed flow characteristics may be close to linear. This explains the wide use of equal percentage valves in the industry (Edgar et al., 1998).
Unfortunately, the pressure drops across control valves are not measured in this system, thus a direct application of (9) is not possible. However, the latter may be modified as follows:

$$F = C_v a \sqrt{\frac{\Delta P^* - kF^2}{\rho}}, \tag{10}$$

where $\Delta P^*$ is the pressure difference between the beginning and the end of the line, and $kF^2$ is the lumped pressure drop in the piping and the accessories. It is assumed in (10) that the pressure losses in the piping are proportional to the squared flowrate.
Squaring (10) and solving for $F$ gives

$$F = C_v a \sqrt{\frac{\Delta P^*}{\rho + k C_v^2 a^2}}. \tag{11}$$

The pressure drop $\Delta P^*$ can be expressed using available measurements (Fig. 1) as

$$\Delta P^* = P_t + \rho g h_t - P_r, \tag{12}$$

where $P_t$ is the pressure at the top of the feed tank, $P_r$ is the reactor pressure, and $h_t$ is the height of the liquid column in the feed line. Replacing $a$ with its expression for equal percentage valves and expanding $\Delta P^*$ with (12) leads to

$$F = C_v R^{(l-1.0)} \sqrt{\frac{P_t + \rho g h_t - P_r}{\rho + k C_v^2 R^{2(l-1.0)}}} \tag{13}$$

or, after a simplification

$$F = \sqrt{\frac{P_t + \rho g h_t - P_r}{\rho / \left( C_v^2 R^{2(l-1.0)} \right) + k}}. \tag{14}$$
Fig. 3. Fault detection and identification framework.
2.4. Fault detection and diagnosis
The approach utilized for feed line FDD is based on parameter estimation of dynamic systems using a bank of Kalman-type filters (Fig. 3). Actuator faults may be modelled either as multiplicative or, more commonly, as additive changes in the nominal parameters of the system. Thus, (7) can be modified to include a fault term $f$ with zero dynamics leading to

$$\begin{cases} \dot{l} = \dfrac{v_o + v_c}{2} - \dfrac{v_o - v_c}{2} \tanh\left[ c(l - u - f) - \operatorname{atanh}\left( \dfrac{v_o + v_c}{v_o - v_c} \right) \right], \\ \dot{f} = 0. \end{cases} \tag{15}$$

The following assumptions are made:
• the probability of multiple faults occurring at the same time is negligibly small;
• the stochastic fault parameter $f$ is of random walk nature.
In order to estimate the stem position and the fault parameter, the unscented Kalman filter (Julier, Uhlmann, & Durrant-Whyte, 1995; Julier, Uhlmann, & Durrant-Whyte, 2000) is utilized. The advantages of the unscented Kalman filter in chemical process systems, namely its ability to deal with high nonlinearities, have been illustrated elsewhere (Simon & Karim, 2002; Romanenko & Castro, 2004; Romanenko, Santos, & Afonso, 2004). The choice of this technique for this application owes to the fact that it is able to deal with discontinuities in the model, it does not require system Jacobians, and, finally, it is easy to implement.
The state vector of the estimators is defined as

$$x = [l \;\; f]^T.$$

Furthermore, system (15) approximated in discrete time and combined with measurements gives

$$x_k = f(x_{k-1}, u_{k-1}) + m_{k-1},$$
$$y_k = g(x_k, u_k) + l_k, \tag{16}$$

where $y_k$ is the measurement vector, $u_k$ is the input vector, $u_k = [u]$, $m_k$ is system noise, and $l_k$ is measurement noise.
In such a framework the fault estimate has a physical meaning and reflects the magnitude of the problem in the system, which is useful for fault diagnosis related decision making. In a previous work of Niemann and Stoustrup (2005), fault residuals were used both for FDI and as a feedforward signal in the fault accommodation. Edwards and Tan (2006) utilized a sliding mode observer to estimate sensor faults.
The FDD logic is presented in Fig. 4. In order to achieve both actuator and sensor fault detection, a bank of two unscented filters is utilized (Estimator I and II in Fig. 3). Each of the filters estimates the state vector utilizing only one measured variable. Thus, the measurement vector and the measurement estimate vector of Estimator I are

$$y_I = F_1 \quad \text{and} \quad \hat{y}_I = \sqrt{\frac{P_t + \rho g h_t - P_r}{\rho / \left( C_v^2 R^{2(\hat{l}_I - 1.0)} \right) + k}}, \tag{17}$$

respectively. Likewise, Estimator II real and estimated measurements are

$$y_{II} = p_1 l + p_2 \quad \text{and} \quad \hat{y}_{II} = p_1 \hat{l}_{II} + p_2. \tag{18}$$

The fault detection block monitors the estimate $\hat{f}$ and issues an alarm when it deviates from zero by a value larger than a given threshold. If an actuator fault occurs, the estimates $\hat{f}$ of both filters will be affected in a similar manner. In the presence of a sensor fault, only the estimate produced by the filter driven by the faulty sensor will be perturbed. It is worth mentioning that due to the model-plant mismatch, the mean of the fault parameter estimate may be different from zero. Therefore, experimental tuning of the bounds where the estimated fault parameter should stay in normal operation is required.
The proposed framework also includes a fault compensation block which is essentially an information fusion module that is controlled by the diagnostics signal generated by the fault diagnosis block. The aim of the fault compensation block is to produce a global estimate of the stem position and the fault parameter. Its logic is as follows: if one of the sensors is faulty, the estimated stem position and the resulting flowrate estimate of the corresponding estimator are incorrect and, therefore, are discarded; however, if the two sensors are healthy, both estimates should be used in order to improve the results.
It is worth noting that the flow PI controller has the estimated flowrate as its feedback signal and therefore adverse effects of a failure in the flowrate sensor on the control loop are mitigated.
The above measures aim to tackle sensor malfunction only and special treatment for actuator faults is required. The following valve malfunctions are considered in this work: sudden step-like or slowly developing deviation between the control signal and the actual stem position, and stem jamming. The first two conditions do not necessarily worsen the loop performance. In fact, if the valve and the controller are not forced outside their performance envelope and the primary loop function is to perform regulatory control, the controller may be able to restore the flowrate. However, in cases of servo-control with significant stem movements the controller will eventually reach its limits. Moreover, a serious adverse effect may be observed if the loop features gain scheduling because the nonlinearity compensation mechanism will no longer work properly. The event of stem jamming is undoubtedly very serious as the loop may no longer meet its design purpose. The integral action present in the control algorithm will drive the controller output to the extreme (either low or high) value without any effect on the controlled variable. Therefore, an alternative way of flowrate manipulation is necessary.
Fig. 4. FDD logic diagram.
From (14) it follows that the flowrate depends, besides the valve stem position, on the pressure in the feed tank, the height of the liquid column and on the reactor pressure. However, the pressure contribution of the liquid column is insignificant and it is not feasible to manipulate the liquid volume fast enough to counter disturbances in the feed line. Additionally, $P_r$ is not available for control for two reasons: first, the reactor is not pressurized and second, even if the reactor were pressurized, the pressure variations would rather be disturbances than control means. This leaves the feed tank pressure as the only alternative for flowrate control.
This approach requires that the control system be reconfigured because in normal operation the tank pressure is determined by the water supply network. In order to enable a bumpless configuration switching, the PI controller output is partitioned similarly to split range control

$$u = u_v + u_p, \tag{19}$$

where $u_v$ and $u_p$ are the control signal for the valve and the tank pressure control component, respectively. Each of the components is related to $u$ and is limited as follows:

$$u_v = \begin{cases} 1 & \text{if } 1 < u, \\ u & \text{if } 0 \le u \le 1, \\ 0 & \text{if } u < 0 \end{cases} \quad \text{and} \quad u_p = \begin{cases} u - 1 & \text{if } 1 < u, \\ 0 & \text{if } 0 \le u \le 1, \\ u & \text{if } u < 0. \end{cases} \tag{20}$$

The tank pressure setpoint is defined as

$$P_{t,sp} = P_{t,sp0} + k_p u_p, \tag{21}$$

where $P_{t,sp0}$ is the pressure to maintain when the control valve is not saturated or out of order, and $k_p$ is a gain coefficient. In addition, the pressure setpoint is bounded by physical and safety limitations of the system, that is, $P_{t,sp} \in [0, P^{\max}_{t,sp}]$.
In the resulting set-up the flowrate controller becomes the primary controller of a cascade calculating the control signal for the valve as well as determining the setpoint for the secondary controller maintaining pressure in the buffer tank. Besides, the discrete liquid level control loop is activated to maintain the level in the feed tank within a predefined height interval.
It should be noted, however, that the system under study does not have an explicit pressure control regulator in the buffer tank. In spite of that, it is possible to carry out pressure control using the installed solenoid valves in a pulse width modulation mode. This approach has been successfully implemented and tested using RTAI, a free real-time Linux operating system variant. The obtained solution was able to track pressure setpoint quite well, was inexpensive and of small footprint (Romanenko, 2003).
The following limitations of the proposed solution to valve stem jamming should be pointed out:
• Pulse width modulation significantly increases workload on the solenoid valves and, therefore, it should be used only in the event of the control valve malfunction and during a reasonably short period of time. However, if steady flowrate is of importance to the downstream process, it may be preferable to sacrifice part of the solenoid valve budget than to shut down the plant immediately.
• If the flowrate setpoint becomes zero after the valve is stuck in an intermediate position, complete flowrate cut-off will not result from bringing the buffer tank gauge pressure to zero. However, in this case the solenoid valve (FSV) may be closed.
• Situations in which the pressure, increasing to its maximum allowed value, does not result in desired flowrate, are possible. In this case, the plant will be operating at a degraded level of performance. In spite of this, such action is preferable to the initial situation where no control capability was available.
• It is possible to increase the buffer tank pressure above the one of the water supply network as long as it is within the safety envelope of the tank. In this case, no water feed is possible and valve LV1 has to be closed. The time available to the plant personnel for troubleshooting without process disruption depends on the ratio between the liquid volume at the time when the feed is cut-off and the required flowrate.
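The split-range reconfiguration of eqs. (19)-(21) can be exercised on a jammed stem with the following Python code, which is an added example and not the authors' implementation. Assumptions not on the page: the stem is stuck at 0.49, the setpoints are 1.4 and 1.6 L/min, the tank pressure follows its setpoint with a 2 s first-order lag, water density is 1000 kg/m^3, pressure is entered in Pa so that eq. (14) returns values numerically in L/min, Table 1's k_c and t_I are read as the PI gain and integral time, and all function names are hypothetical.

```python
import math

# Values from Table 1 of the page
CV, K_PIPE, RANGE = 0.524, 12534.0, 50.21    # flow model constants, eq. (14)
PT_SP0, PT_SP_MAX, KP = 3.0, 4.5, 10.0       # bar, bar, pressure gain k_p of eq. (21)
KC, T_I = 0.1, 3.0                           # read here as PI gain (min/L) and integral time (s)
# Assumptions of this example (not stated on the page)
RHO, DT, TAU_P = 1000.0, 0.1, 2.0            # kg/m^3, Euler step (s), tank pressure lag (s)


def flow(l, p_bar):
    """Eq. (14) with the reactor at atmospheric pressure and the liquid column neglected."""
    return math.sqrt(p_bar * 1e5 / (RHO / (CV ** 2 * RANGE ** (2 * (l - 1.0))) + K_PIPE))


def split_range(u):
    """Eq. (20): the valve takes the part of u inside [0, 1], pressure takes the excess."""
    u_v = min(max(u, 0.0), 1.0)
    return u_v, u - u_v                      # u = u_v + u_p holds by construction, eq. (19)


def pressure_setpoint(u_p):
    """Eq. (21), clipped to the safety interval [0, Pmax]."""
    return min(max(PT_SP0 + KP * u_p, 0.0), PT_SP_MAX)


def simulate(setpoint, jammed_at, reconfigure, seconds=300.0):
    """PI flow loop with the stem stuck at `jammed_at`; returns (flow, tank pressure, u)."""
    integral, p_t, u = jammed_at, PT_SP0, jammed_at
    for _ in range(int(seconds / DT)):
        error = setpoint - flow(jammed_at, p_t)
        integral += KC * error * DT / T_I
        u = KC * error + integral
        _u_v, u_p = split_range(u)           # u_v goes to the valve, but the stem does not move
        p_sp = pressure_setpoint(u_p) if reconfigure else PT_SP0
        p_t += (p_sp - p_t) * DT / TAU_P     # first-order tank pressure response
    return flow(jammed_at, p_t), p_t, u


if __name__ == "__main__":
    for label, sp, reconf in [("no reconfiguration", 1.4, False),
                              ("split range", 1.4, True),
                              ("split range, unreachable setpoint", 1.6, True)]:
        f, p, u = simulate(sp, 0.49, reconf)
        print(f"{label:34s} F={f:.3f} L/min  Pt={p:.2f} bar  u={u:.2f}")
```

Without reconfiguration the integral term winds up while the flowrate stays put; with it the excess controller output raises the tank pressure until the setpoint is met, or until the pressure bound is reached and the loop runs degraded.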
3. Application and results
A closed loop simulation test is performed to assess the performance of the proposed approach. Table 1 summarizes the set of parameters used below. The setpoint of the flow control loop (Loop "F" in Fig. 2) is 1.5 L/min. The system dynamics and the measurements are corrupted with zero mean Gaussian noise with covariance

$$\tilde{Q} = 10^{-4} \quad \text{and} \quad \tilde{R} = \operatorname{diag}\{10^{-5}, 10^{-4}\},$$

respectively. It is assumed that at the beginning of the simulation the system has no malfunctions and therefore the fault parameter estimate $\hat{f}$ is set to zero. The stem position estimate is initialized using a single reading from the corresponding sensor, whereas the noise covariance matrices are assigned the following values:

$$Q = \operatorname{diag}\{\tilde{Q}, 5\tilde{Q}\} \quad \text{and} \quad R = \tilde{R}.$$

The system noise covariance component corresponding to the fault parameter has a larger value in order to reflect a larger uncertainty in its estimate as compared to the stem position. Moreover, it allows the estimators to perform quick adjustments when a fault occurs in the system. Furthermore, the initial state covariance matrix is

$$P_0 = \operatorname{diag}\{\tilde{Q}, 0\},$$

and the unscented filter parameter $\kappa$ is set to 0. Finally, the detection threshold is empirically set to 0.05.

Table 1
Parameters

Parameter             Value      Unit
$v_o$                 0.033      s$^{-1}$
$v_c$                 −0.067     s$^{-1}$
$c$                   100        –
$p_1$                 1.24       –
$p_2$                 −0.051     –
$C_v$                 0.524      m$^2$
$k$                   12534      kg m$^{-7}$
$R$                   50.21      –
$P_{t,sp0}$           3.0        bar
$P^{\max}_{t,sp}$     4.5        bar
$k_c$                 0.1        min L$^{-1}$
$t_I$                 3.0        s
$k_p$                 10.0       –
A description of the simulation run and a discussion of the results (Fig. 5) are given below.
In time interval $t \in [0, 50)$ s the system is fault free and the PI controller brings the flowrate to its setpoint (1.0 L/min). Due to the stochastic disturbances acting on the system the fault parameter estimate oscillates around zero but it is within the detection bounds.
At time $t = 50$ s, a bias of 0.1 between the input $u$ and the stem position is introduced and maintained until $t = 100$ s. The fault parameter estimates of both estimators, $\hat{f}_I$ and $\hat{f}_{II}$, deviate from zero and converge to the value of 0.1, violating the detection threshold, and an alarm on the stem positioner malfunction is issued. However, the controller is able to maintain the flowrate in the line and the initial disturbance of 0.3 L/min is successfully compensated. Although in this case the system remains fully operational, it is important to be able to detect such an abnormal situation in order to carry out necessary maintenance or repair work.
At time $t = 100$ s the offset is removed and the system returns to its normal state with the fault parameter within its bounds. It should be recalled that each of the two estimators is driven by a single sensor. Furthermore, it is clear that while (8) is a linear expression, (14) is not, which may undermine the overall framework performance. Therefore, the abovementioned test is repeated with a bias of −0.1 in time interval $t \in [150, 200)$ s. One may see that as in the case of the first fault, both estimators produce a consistent fault parameter estimate that violates the threshold. Also, as in the first case, the controller is able to maintain the flowrate at its setpoint.
Another type of malfunction, stem jamming, is simulated at $t \in [250, 300)$ s. Because of the stochastic disturbances the flowrate does not remain exactly at its setpoint. Moreover, the stem jam precludes any regulation capability and the integrating action of the controller increases the input signal, $u$. However, this does not result in flowrate increase. In spite of that, the estimated fault parameters, $\hat{f}_I$ and $\hat{f}_{II}$, violate the threshold at $t = 260$ s and the malfunction is detected. It should be noted, however, that the detection ability of this type of failure depends on the behavior of the process: for instance, if the disturbances are small and the flowrate stays at its setpoint, the controller will not alter the control signal. In such case the stuck stem may remain undetected. A possible solution is an occasional valve exercise (similar to the partial stroke test) which may provide the necessary diagnostic information to the system.
In the time interval $t \in [350, 400)$ s the readings from the stem position sensor are biased by 0.1 from the true value. As a result, the fault parameter estimate of estimator II, $\hat{f}_{II}$, that is driven by the stem position sensor clearly deviates from zero and crosses the threshold. Estimator I, however, maintains the fault parameter estimate $\hat{f}_I$ at zero and its stem position estimate is correct, as well. Therefore, it is possible to detect and identify a stem sensor malfunction. It should be noted that in normal operation, the stem sensor does not make part of a control loop and its failure does not necessarily upset the system. However, it may become part of a control loop in the event of a flowmeter failure. In this case the flowrate will be inferred from the stem position and from the pressure drop according to (14).
A flowmeter malfunction is simulated at $t \in [450, 500)$ s when a bias of 1.0 L/min is added to the correct reading. In this case, the fault parameter estimate of Estimator I is out of bound while Estimator II is consistent. Therefore, it is possible to detect and identify this type of failure. It is noteworthy that the flowmeter makes part of the flowrate control loop and such fault would inevitably offset the process. Furthermore, the controller would be induced to drive the true flowrate away from its setpoint value. However, after the flowmeter malfunction is diagnosed, the flowrate reading for control purposes is inferred from the information provided by the healthy stem position sensor and the feed tank pressure sensor. As can be observed in Fig. 5, although the flowmeter readings are biased during this period of time, the true value of the flowrate is around its setpoint.
The faults described above are of step like nature.
However, some faults encountered in real systems areslowly developing drifts, posing additional challenges fordetection algorithms. In order to test the presentedframework in such circumstances, a test is performed tosimulate an incipient fault in the actuator that slowly drivesthe stem from its setpoint in time interval t 2 ½550; 600� s.This introduces an offset in the flowrate. As expected, the
ARTICLE IN PRESS
0.00.10.20.30.40.50.60.70.80.91.0
0 100 200 300 400 500 600 700 800 900
Ste
m p
ositi
on /
-
Time / s
0 100 200 300 400 500 600 700 800 900
Time / s
0 100 200 300 400 500 600 700 800 900
0 100 200 300 400 500 600 700 800 900
Time / s
�u�I�II
-0.6-0.5-0.4-0.3-0.2-0.10.00.10.20.3
Faul
t par
amet
er /
-
fIfII
ffbound
0.0
0.5
1.0
1.5
2.0
2.5
3.0
Flo
wra
te, l
/min
measuredreal
setpoint
2.8
3.0
3.2
3.4
3.6
3.8
4.0
4.2
Tank
pre
ssur
e / b
ar
Fig. 5. Simulation results.
A. Romanenko et al. / Control Engineering Practice 15 (2007) 459–469 467
controller is able to counteract this disturbance. Besides,the fault parameter estimate of both filters follow theevolution of the simulated fault and violate the threshold att ¼ 560 s, signalling off an actuator fault.
The ability of the control system to reconfigure isdemonstrated with the injection of a large bias (�0.5) intothe actuator model at time t ¼ 650 s. The controller tries tocounteract increasing the control signal u. However, thecontroller saturates as its output becomes 0.9 while the
valve stem is not able to return to the required position.Such limit is deliberately imposed in order to test thereconfiguration mechanism. This makes use of the avail-able control action redundancy existing in the system andachieves the flowrate setpoint with an increase in the feedtank pressure from its nominal value of 3 bar toapproximately 4:1 bar. It should be noted that bothestimators produce consistent estimates of the faultparameter resulting in an actuator fault alarm.
ARTICLE IN PRESSA. Romanenko et al. / Control Engineering Practice 15 (2007) 459–469468
At t ¼ 750 s, the bias is removed and the system resumes itsnormal operation.
Finally, at $t = 800$ s, the flowrate setpoint is set to 1.5 L/min in order to check if changes in operation conditions affect the estimation process, for instance, generating a false alarm. However, the estimated fault parameter remains within the detection boundaries and the controller is able to meet the new setpoint requirements.
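The isolation rule used in the tests above (both estimates out of bounds: actuator; only estimator II: stem position sensor; only estimator I: flowmeter) can be written as a small decision routine. The sketch below is an added example, not the authors' Octave implementation; the threshold value, the persistence filter and the sample traces are constructed assumptions.

```python
"""Fault isolation from two fault-parameter estimates (added example)."""
from itertools import groupby

F_BOUND = 0.05  # assumed detection threshold; the paper's value is not given here
PERSIST = 3     # assumed: samples a signature must persist before it is accepted

def signature(f1, f2, bound=F_BOUND):
    """Map the pair of estimates to the diagnosis described in the text."""
    v1, v2 = abs(f1) > bound, abs(f2) > bound
    if v1 and v2:
        return "actuator"      # both estimators report a consistent fault
    if v2:
        return "stem_sensor"   # only estimator II (stem-sensor driven) deviates
    if v1:
        return "flowmeter"     # only estimator I deviates
    return "normal"

def diagnose(f1_trace, f2_trace, persist=PERSIST):
    """Per-sample diagnosis; a change is accepted only after `persist`
    consecutive identical signatures, so single noise spikes raise no alarm."""
    accepted, candidate, run, out = "normal", "normal", 0, []
    for f1, f2 in zip(f1_trace, f2_trace):
        s = signature(f1, f2)
        run = run + 1 if s == candidate else 1
        candidate = s
        if run >= persist:
            accepted = s
        out.append(accepted)
    return out

def events(diag, dt=1.0):
    """Collapse the per-sample diagnosis into (label, t_start, t_end) alarms."""
    out, t = [], 0.0
    for label, grp in groupby(diag):
        n = len(list(grp))
        if label != "normal":
            out.append((label, t, t + n * dt))
        t += n * dt
    return out

def flow_for_control(label, measured, inferred):
    """After a flowmeter diagnosis the loop uses the inferred flowrate."""
    return inferred if label == "flowmeter" else measured

def constructed_traces(n=550):
    """Constructed 1 Hz traces (not the paper's data): small ripple, one
    noise spike, and the three step faults at the times used in the text."""
    f1 = [0.01 * ((t % 7) - 3) / 3 for t in range(n)]
    f2 = [0.01 * ((t % 5) - 2) / 2 for t in range(n)]
    f1[20] = 0.08                     # isolated spike, must be ignored
    for t in range(150, 200): f1[t] -= 0.1; f2[t] -= 0.1   # actuator bias
    for t in range(350, 400): f2[t] += 0.1                 # stem sensor bias
    for t in range(450, 500): f1[t] += 0.2                 # flowmeter bias
    return f1, f2
```

The persistence filter delays each alarm, and each return to normal, by `PERSIST - 1` samples, which is the usual trade between false alarms and detection latency.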
The fault-tolerant control framework was implemented in GNU Octave, a language for numerical computations, and was run on a laptop featuring a Pentium IV 2.0 GHz processor. Nevertheless, the power of specialized, industrial control PC hardware has increased over the decade and it should be possible to implement the system as an embedded controller. On one hand, this could add new features to legacy field devices and their groups, enabling the use of hardware and analytical redundancies for the purpose of better and safer operations. It should also be noted that the system model used in this study is somewhat simplistic and it may be extended further allowing, for example, the monitoring of valve seal wear. On the other hand, this strategy may be easily extended to integrate communication capabilities, from simple protocols such as Modbus to complicated CORBA or DCOM based communication at the heart of multi-agent systems.
4. Conclusions
In this work agent technology concepts were applied in order to decompose an instrumentation and control system into autonomous subsystems featuring fault tolerance. The detailed development of one of the subsystems, the feed line, was presented. Agent characteristics of the subsystem were given special consideration, namely, its clearly identifiable entity (controller), its location in a particular environment (feed line) and its design with a specific purpose (flow control). Furthermore, its control over its internal state (stem position) and its own behavior (fault diagnosis and compensation), as well as its ability of flexible problem solving (reconfiguration), were also taken into consideration.

The performance of this application was illustrated through simulation. This framework was shown to be capable of dealing with faults in both sensors and actuators and to be able to avoid a disruption in the process during a serious valve actuator failure thanks to its reconfiguration power. Besides, such an agent technology based methodology provides a natural and straightforward way to implement plantwide fault-tolerant control techniques.

Tests of the proposed system on real plant equipment are considered near-future research work.
Acknowledgments
The first author is thankful to Fundação para a Ciência e a Tecnologia for his grant (PRAXIS XXI/BD/19609/99). Financial support from FCT and the European Science Foundation under the 3rd European Framework (POCTI/EQU/40023/2001) is gratefully acknowledged. A high-level computer language Octave and a plotting program Gnuplot, both free software, were used in this work.
References
Afonso, P. A. F. N. A., Ferreira, J. M. L., & Castro, J. A. A. M. (1998).
Sensor fault detection and identification in a pilot plant under process
control. Transactions of the Institution of Chemical Engineers, 76(Part
A), 490–497.
Aldea, A., Bañares-Alcántara, R., Jiménez, L., Moreno, A., Martínez, J.,
& Riaño, D. (2004). The scope of application of multi-agent systems in
the process industry: Three case studies. Expert Systems with
Applications, 26(1), 39–47.
Champagne, R. P., & Boyle, S. J. (1996). Optimizing valve actuator
parameters to enhance control valve performance. ISA Transactions,
35(3), 217–223.
Chang, C.-T., & Hwang, J.-I. (1998). Simplification techniques for EKF
computations in fault diagnosis: Model decomposition. AIChE
Journal, 44(6), 1392–1403.
Edgar, T. F., Smith, C. L., Shinskey, F. G., Gassman, G. W., Schafbuch,
P. J., McAvoy, T. J., et al. (1998). Section 8: Process control. In: R. H.
Perry, D. W. Green, & J. O. Maloney (Eds.), Perry’s chemical
engineers’ handbook (7th ed.). New York: McGraw-Hill.
Edwards, C., & Tan, C. P. (2006). Sensor fault tolerant control using
sliding mode observers. Control Engineering Practice, 14(8), 897–908.
IEC (1999). IEC international standard 61131-3, programmable
controllers, part 3: Programming languages.
Isermann, R., & Balle, P. (1997). Trends in the application of model-based
fault detection and diagnosis of technical processes. Control
Engineering Practice, 5(5), 709–719.
Jennings, N. R. (2000). On agent-based software engineering. Artificial
Intelligence, 177(2), 277–296.
Julier, S. J., Uhlmann, J. K., & Durrant-Whyte, H. F. (1995). A new
approach for filtering nonlinear systems. In Proceedings of the 1995
American control conference (pp. 1628–1632).
Julier, S. J., Uhlmann, J., & Durrant-Whyte, H. F. (2000). A new method
for the nonlinear transformation of means and covariances in filters
and estimators. IEEE Transactions on Automatic Control, 45(3),
477–482.
Kandare, G., Godena, G., & Strmcnik, S. (2003). A new approach to PLC
software design. ISA Transactions, 42(2), 279–288.
Kayihan, A., & Doyle, F. J., III (2000). Friction compensation for a
process control valve. Control Engineering Practice, 8(7), 799–812.
Langford, C.G. (2002). A method to determine control valve dynamic
requirements. In Proceedings of the ISA 2002 technical conference
(pp. 397–406). Chicago, IL, USA.
Lee, D., Allan, J., Thompson, H. A., & Bennet, S. (2001). PID control for
a distributed system with a smart actuator. Control Engineering
Practice, 9(11), 1235–1244.
Lee, S. (2001). Operating information system for LNG facilities. In G.
Stephanopoulos, J. Romagnoli, & E. S. Yoon (Eds.), On-line fault
detection and supervision in the chemical process industries 2001. Jejudo
Island, Korea (pp. 363–368).
Maric, I. (2003). Software objects in distributed flow measurements. ISA
Transactions, 42(3), 497–504.
McMillan, G. K. (1995). Improve control valve response. Chemical
Engineering Progress, 91(6), 76–84.
Niemann, H., & Stoustrup, J. (2005). Passive fault tolerant control of a
double inverted pendulum—a case study. Control Engineering Practice,
13(8), 1047–1059.
Ould Bouamama, B., Medjaher, K., Samantaray, A. K., & Staroswiecki,
M. (2006). Supervision of an industrial steam generator. Part I: Bond
graph modelling. Control Engineering Practice, 14(1), 71–83.
Patton, R. J. (1997). Fault-tolerant control systems: The 1997 situation. In
Proceedings of IFAC symposium on fault detection, supervision and
safety for technical processes (Vol. 3) (pp. 1033–1054). UK: Kingston
upon Hull.
Romanenko, A. (2003). Open-source software solutions in chemical
process engineering—present status and perspectives. In Proceedings of
the ISA EXPO 2003 technical conference, Houston, USA, October
21–23.
Romanenko, A., & Castro, J. A. A. M. (2004). The unscented filter as an
alternative to the EKF for nonlinear state estimation: A simulation
case study. Computers & Chemical Engineering, 28(3), 347–355.
Romanenko, A., Santos, L. O., & Afonso, P. A. F. N. A. (2004).
Unscented Kalman filtering of a simulated pH system. Industrial &
Engineering Chemistry Research, 43(23), 7531–7538.
Schneider, R., & Marquardt, W. (2002). Information technology support
in the chemical process design life cycle. Chemical Engineering Science,
57(10), 1763–1792.
Seborg, D. E., Edgar, T. F., & Mellichamp, D. A. (1989). Process
dynamics and control. New York: Wiley.
Seilonen, I., Appelqvist, P., Vainio, M., Halme, A., & Koshinen, K.
(2002). A concept of an agent-augmented process automation system.
In Proceedings of the 2002 IEEE international symposium on intelligent
control (pp. 473–478). Vancouver, Canada.
Shinskey, F. G. (1979). Process-control systems (2nd ed.). New York:
McGraw-Hill.
Siirola, J. D., Hauan, S., & Westerberg, A. W. (2003). Towards
agent-based process systems engineering: Proposed framework and
application to non-convex optimization. Computers & Chemical Engineering,
27(12), 1801–1811.
Simon, L., & Karim, M. N. (2002). Control of starvation-induced
apoptosis in chinese hamster ovary cell cultures. Biotechnology and
Bioengineering, 78(6), 645–657.
Stephanopoulos, G., Romagnoli, J., & Yoon, E. S. (Eds.) (2001). On-line
fault detection and supervision in the chemical process industries 2001.
Jejudo Island, Korea.
Vaillant, O. R., & Garcia, C. (2003). Natural gas flow computer with open
architecture using intelligent instrumentation and fieldbus. ISA
Transactions, 42(2), 181–195.
van Breemen, A. J. N., & de Vries, T. J. A. (2001). Design and
implementation of a room thermostat using an agent-based approach.
Control Engineering Practice, 9(3), 233–248.
Velasco, J. R., Gonzalez, J. C. L. M., & Iglesias, C. A. (1996). Multiagent-
based control systems: A hybrid approach to distributed process
control. Control Engineering Practice, 4(6), 839–845.
Venkatasubramanian, V. (2001). Process fault detection and diagnosis:
Past, present and future. In G. Stephanopoulos, J. Romagnoli, & E. S.
Yoon, (Eds.), On-line fault detection and supervision in the chemical
process industries 2001. Jejudo Island, Korea (pp. 1–13).
Wagner, T. (2002). An agent-oriented approach to industrial automation
systems. Lecture Notes in Artificial Intelligence 2592, 314–328.
Xiong, N., & Svensson, P. (2002). Multi-sensor management for information
fusion: Issues and approaches. Information Fusion, 3(2), 163–186.