2024 AIChE Annual Meeting

(314b) Model-Predictive Fault Tolerant Control of Safety-Critical Processes, Based on Dynamic Safety Set

Authors

Costas Kravaris, Texas A&M University

Chemical processes and plants rely heavily on automation and control systems for seamless operation. However, these are adversely affected by abnormal events due to faults, such as defects or malfunctions in process equipment, sensors and actuators, and failures in the controllers or in the control loops. If not appropriately handled in the control system design, these faults can lead to undesired economic, environmental, and safety consequences. These considerations provide a strong motivation for the development of advanced fault-tolerant control (FTC) strategies that ensure an efficient and timely response to enhance fault recovery, prevent faults from propagating or developing into total failures, and mitigate the risk of safety hazards. In safety-critical processes, ensuring control in the face of abnormal events necessitates the development of robust fault-tolerant control. This paper seeks to develop a systematic FTC strategy for safety-critical systems in which all safety constraints are satisfied at all times in the presence of faults.

Active FTC techniques have been explored broadly for over three decades; in these schemes the specific control action is triggered by the detection and isolation of the fault. Generally, fall-back configurations for the controller are based on stability regions derived from a Lyapunov function, as outlined by Mhaskar et al. [1]. They describe a safe-parking framework that involves offline computation of the stability region and of safe-park candidates (the set of equilibrium points attainable subject to the failed actuator, with the other manipulated inputs within their allowable ranges). At the time of the fault, the process state resides in the stability region of a safe-park candidate, and thus an appropriate safe-park point is picked that also lies within the stability region of the nominal controller. The drawbacks are the conservative estimate of the stability region and the instantaneous reconfiguration of the controller without knowledge of the size of the fault. Recent work by Du et al. [2] on chemical reactor control has included fault-size estimation in the control algorithm to prevent unnecessary switching of controller configurations. However, further work is needed to address the timing of activation of the backup controller, utilizing information from the fault estimator during the transient phase.

In this work, we propose an active FTC strategy capable of providing more accurate and timely information for decision-making and of maintaining system functionality in the presence of faults. The FTC structure comprises four components: (i) fault estimation, (ii) fault projection, (iii) fault prediction, and (iv) decision logic for activating a backup controller. A linear functional observer with a tunable time constant is built for estimating faults of step and ramp type, following [3]. Next, fault projection estimates the rate of change of the fault (its slope) through linear regression on the estimated-fault data over a pre-defined sampling period; this projection reduces the lag between the estimated and the actual fault. Once the projected fault and its slope are known, the fault can be predicted over a pre-defined prediction horizon. The decision logic is based on both offline calculations and real-time decision-making. The offline calculations include computation of the dynamic safety set (DSS) corresponding to the maximum fault that the backup controller can handle, and of the critical time (Tc) to cross the DSS boundary, obtained by monitoring the dynamic safety margin (DSM) for different critical fault sizes (Fc). The DSS, a subset of the stability region, is defined as the set of initial conditions that guarantee that the entire system trajectory meets the constraints at all future times [4], and the DSM is defined as the distance from the boundary of the DSS. Thus, we obtain pairs (Fcn, Tcn), where Tcn decreases as Fcn increases and n indexes the simulated fault sizes. Finally, if the predicted fault is larger than Fcn within the time between Tc(n-1) and Tcn, we initiate online monitoring of the DSM of the current state with respect to the DSS, and when the DSM crosses a positive threshold value (the DSM becomes negative once the system leaves the DSS), the backup controller is activated at that time. Since Tcn is the maximum time left to activate the backup controller so as to prevent the trajectory from leaving the DSS for fault size Fcn, this strategy guarantees that the process remains within the DSS in the event of abnormal events by improving the DSM.
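The decision logic described above (fault projection by linear regression over a sampling window, prediction over a horizon, lookup against the offline (Fc, Tc) pairs, and activation of the backup controller on the DSM threshold), written out as an added Python sketch that is not the paper's code. The (Fc, Tc) table, the threshold value, the box-shaped DSS used to compute the DSM, and the use of Tcn as a hard activation deadline are constructed assumptions.

```python
# Constructed (Fc, Tc) pairs: critical fault size -> maximum time left (s) to switch.
# Tc decreases as Fc grows. Illustrative numbers, not values from the paper.
FC_TC_TABLE = [(5.0, 120.0), (10.0, 60.0), (20.0, 25.0)]
DSM_THRESHOLD = 0.5  # positive DSM threshold that triggers the backup (assumed)


def project_fault(t, f_hat):
    """Least-squares line through the estimated-fault samples of one sampling
    window. Returns (projected fault at the last sample, slope); the projection
    compensates for the observer's lag behind the actual fault."""
    n = len(t)
    tm, fm = sum(t) / n, sum(f_hat) / n
    sxx = sum((ti - tm) ** 2 for ti in t)
    slope = sum((ti - tm) * (fi - fm) for ti, fi in zip(t, f_hat)) / sxx
    intercept = fm - slope * tm
    return slope * t[-1] + intercept, slope


def predict_fault(f_proj, slope, horizon):
    """Extrapolate the projected fault over the prediction horizon."""
    return f_proj + slope * horizon


def time_budget(f_pred, table=FC_TC_TABLE):
    """Tc_n for the largest Fc_n exceeded by the predicted fault; None if the
    prediction stays below every critical size (no monitoring needed)."""
    budget = None
    for fc, tc in table:
        if f_pred > fc:
            budget = tc
    return budget


def dsm_box(x, lo, hi):
    """Toy DSS: an axis-aligned box in state space. The DSM is the signed
    distance to its boundary, negative once the state has left the set."""
    return min(min(xi - l, h - xi) for xi, l, h in zip(x, lo, hi))


def decide(f_pred, elapsed, dsm, table=FC_TC_TABLE, thr=DSM_THRESHOLD):
    """'nominal' while the predicted fault is below every Fc; 'monitor' once it
    exceeds some Fc_n; 'backup' when the DSM falls below the positive threshold
    or the time budget Tc_n since fault onset is exhausted (deadline assumed)."""
    budget = time_budget(f_pred, table)
    if budget is None:
        return "nominal"
    if dsm < thr or elapsed >= budget:
        return "backup"
    return "monitor"
```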

The T2 Laboratories process, which involves an explosive exothermic reaction, serves as a case study, motivated by Venkidasalapathy et al. [5], to illustrate the design and implementation of the FTC structure. It involves two parallel irreversible elementary exothermic reactions of the form (Reaction 1: A + B → C + ½ D; Reaction 2: S → 3D + byproducts), where A and B are the feed species, C is the desired product, S is the solvent, and D is hydrogen. Reaction 2, a side reaction, exhibits a negligible rate at temperatures below 480 K. However, it becomes significant above 480 K because its activation energy is over six times greater than that of the desired main reaction, which leads to an uncontrolled increase in reaction rate at elevated temperatures. Since both reactions produce hydrogen gas, there is a potential for a sharp increase in pressure that can result in rupture of the reactor wall. Hence, it is imperative to adhere to a safety constraint of maintaining the temperature below 480 K to prevent thermal runaway.

The feed streams, reactant (A) in solvent (S) and liquid (B), are heated in a preheater before being fed to the reactor. Full state measurement is available for monitoring. In the nominal (fault-free) case, the reactor temperature is controlled at the desired set-point using a state feedback controller that, for simplicity, manipulates the heat transfer coefficient, which in practice corresponds to adjusting the cooling water flowrate. Additionally, a backup state feedback controller manipulating the feed flowrate is designed, which is activated only in the event of a fault. Disturbances in the reaction kinetics and a fault in the feed inlet temperature are accounted for in the process model. By systematically evaluating various fault sizes and types in simulation, we demonstrate the performance of the FTC structure in maintaining system stability and functionality.

The proposed FTC strategy ensures system stability and safety, satisfying input and output constraints at all times. By addressing the critical question of when to reconfigure controllers so as to avoid unnecessary switching while ensuring safety, our approach enhances reliability in safety-critical systems. The strategy answers whether sufficient time is available to switch controllers and, if so, precisely when to switch to ensure safety. In this paper, we develop advanced FTC strategies with the primary goal of enhancing the reliability, safety, and overall performance of complex industrial systems.

References:

[1] Mhaskar, P., Liu, J., & Christofides, P. D. (2012). Fault-tolerant process control: Methods and applications. Springer Science & Business Media.

[2] Du, P., Venkidasalapathy, J. A., Venkateswaran, S., Wilhite, B., & Kravaris, C. (2023). Model-based fault diagnosis and fault tolerant control for safety-critical chemical reactors: A case study of an exothermic continuous stirred-tank reactor. Industrial & Engineering Chemistry Research, 62(34), 13554-13571.

[3] Venkateswaran, S., & Kravaris, C. (2024). Disturbance decoupled functional observers for fault estimation in nonlinear systems. Proceedings of the 2024 American Control Conference (ACC), in press.

[4] Gilbert, E. G., & Tan, K. T. (1991). Linear systems with state and control constraints: The theory and application of maximal output admissible sets. IEEE Transactions on Automatic Control, 36(9), 1008-1020.

[5] Venkidasalapathy, J. A., & Kravaris, C. (2020). Safety-centered process control design based on dynamic safe set. Journal of Loss Prevention in the Process Industries, 65, 104126.