
2.1 Two-Tank System

Description of the system. As the first example, the two-tank system depicted in Fig. 2.1 is considered. The pump causes a liquid flow \(q_\mathrm{P}\) into Tank 1, where the input \(u(t)\) describes the pump velocity. The input \(u\) is determined by a security switch-off, which prevents an overflow of Tank 1. The inputs to the tank system prescribe the valve positions \(V_\mathrm{a}\) and \(V_{12}\). The only measured signal is the outflow \(q_\mathrm{M}\). Hence, the tank system results in the simple block diagram shown in Fig. 2.2.

In the faultless case, the valve \(V_\mathrm{a}\) is closed and the valve \(V_{12}\) is used to control the level of Tank 2. Only in case of a valve fault, the upper pipe is used for this purpose.

The control aim results from the requirement of a batch process, in which the outflow of Tank 2 is used in succeeding parts of cascaded vessels and reactors. The valve \(V_{12}\) is used to fill and refill Tank 2 accordingly, where Tank 1 is a storage tank, which is to be filled to the height \(h_\mathrm{max}\), at which the security switch-off stops the pump.

Fig. 2.1 Two-tank system

Fig. 2.2 Block diagram of the tank system

Faults. Two faults are considered. First, a leakage in Tank 1 may occur, which causes the additional flow \(q_\mathrm{L}\) out of Tank 1. The “size” of the leakage is given by the parameter \(c_\mathrm{L}\) (Table 2.1). The different approaches to fault diagnosis presented in the following chapters use this two-tank example with different notions of this fault. Either a parametric fault is considered where \(c_\mathrm{L}\) denotes the fault size to be identified or a symbolic fault f is used which represents the faulty situation with the outflow \(q_\mathrm{L}=c_\mathrm{L}\sqrt{h_1}\) out of Tank 1 where \(c_\mathrm{L}\) is the parameter given in Table 2.1.

The second fault is a blockage of the valve \(V_{12}\) in the closed position. This fault can be modelled by setting the valve constant \(c_{12}\) to zero.

The example is used for illustrating the following diagnostic and fault-tolerant control problems:

  • Fault detection: Determine whether a fault has occurred. The valve fault can be detected due to the decreasing outflow from Tank 2, which eventually vanishes. For the leakage the problem is more involved because neither the inflow \(q_\mathrm{P}\) nor the level \(h_1\) is assumed to be measured. Hence, the stationary outflow from Tank 2 is the same as before and the leakage and the fault can only be found by small dynamical effects that are “visible” in the outflow measurement just after the leakage occurs.

  • Fault isolation: Determine which part of the system is faulty.

  • Fault identification: Determine the size of the leakage.

  • Fault accommodation: Design a fault-tolerant level controller that maintains the liquid level in Tank 1 at a given set-point independently of whether the leakage is present or not.

  • Control reconfiguration: In case of the valve fault, the auxiliary valve \(V_\mathrm{a}\) has to be used. The reconfiguration problem includes automatically finding that switching to the second pipe is the strategy to apply.

These problems are considered under different circumstances where the tank levels or the outflow from Tank 2 are measured numerically or in a quantised way. Therefore, different models are appropriate to describe the tank system and different methods have to be used to solve the diagnostic problem.

For this simple example, it is obvious under what conditions and how the given problems can be solved. If the pump is controlled according to level measurement \(h_1\), a static tank level will be reached. However, the leakage can only be found if the dynamical changes of the tank levels or of the outflow from Tank 2 are taken into account, because the pump is assumed to be strong enough to maintain the level of Tank 1 at the prescribed value even in case of the leakage. Hence, the system has the same static behaviour with and without the fault.

The diagnostic result will certainly be different if the outflow is the only measurement compared with the case in which all tank levels are measured. Also, the diagnostic problem becomes more difficult if instead of the numerical values of the tank levels only quantised measurements are possible.

If \(q_\mathrm{P}\) is an additional measurement, the fault can be detected by comparing the mean value of \(q_\mathrm{P}\) with its nominal value. If this value is increased, more liquid flows out of Tank 1 which under the given circumstances can only occur if the tank has a leakage.

The fault-tolerant controller is simply found as a PI-feedback of the tank level \(h_1\) towards the pump velocity \(u_\mathrm{P}\). For reasonable leakages (reasonable values of \(q_\mathrm{L}\)) the controller is able to hold the level at the prescribed value even if the fault occurs.

Table 2.1 Signals and parameters of the tank system

Model of the tank system. The two tanks have the liquid levels \(h_1(t)\) and \(h_2(t)\), which are used as state variables in the model given below. The liquid flows are denoted by q, the ground area of the cylindric tanks by A. The parameters used in the example are summarised in Table 2.1.

The following Eqs. (2.1), (2.2) describe the mass balance, where the tank levels \(h_1\) and \(h_2\) are related to the liquid flows indicated in Fig. 2.1 as follows:

$$\begin{aligned} \dot{h}_1(t)= & {} \frac{1}{A} (q_\mathrm{P}(t) - q_\mathrm{L}(t) - q_{12}(t) ) \end{aligned}$$
(2.1)
$$\begin{aligned} \dot{h}_2(t)= & {} \frac{1}{A} (q_{12}(t) - q_2(t) ). \end{aligned}$$
(2.2)

The measured signal \(q_\mathrm{M}\) is proportional to the outflow \(q_2\):

$$\begin{aligned} q_\mathrm{M}= & {} c_\mathrm{M} \cdot q_2. \end{aligned}$$
(2.3)

The different flows used in the equations above can be obtained by Torricelli’s law:

$$\begin{aligned} q_{12}(t) =&\left\{ \begin{array}{ll} c_{12} \;\mathrm{sign} \;({h_1(t)-h_2(t)}) \; \sqrt{\,|h_1(t) - h_2(t)|} \; &{}\text{ if }\;\; V_{12} \;\text{ is } \text{ open } \\ 0 \;\; &{}\text{ else } \end{array} \right. \end{aligned}$$
(2.4)
$$\begin{aligned} q_2(t) =&\left\{ \begin{array}{ll} c_2 \sqrt{\,h_2(t)} \;\; &{}\text{ if }\;\; h_2(t) > 0 \\ 0 &{}\text{ else }, \end{array} \right. \end{aligned}$$
(2.5)
$$\begin{aligned} q_\mathrm{P}(t) =&\left\{ \begin{array}{ll} u(t) \cdot {\bar{q}}_\mathrm{P} &{}\text{ if }\;\; h_1(t) \le h_{\text{ max }}\\ 0 &{}\text{ else }, \end{array} \right. \end{aligned}$$
(2.6)
$$\begin{aligned} q_\mathrm{L}(t) =&\left\{ \begin{array}{ll} c_\mathrm{L} \sqrt{\,h_1(t)} \;\; &{}\text{ if }\;\; h_1(t) > 0 \; \; \text{ and } \text{ Tank } \text{1 } \text{ has } \text{ a } \text{ leakage } \\ 0 &{}\text{ else } . \end{array} \right. \end{aligned}$$
(2.7)

The pump is controlled by the security switch-off included in the level controller LC shown in the figure such that the level in Tank 1 is maintained below the height \(h_{\text{ max }}\). The pump velocity is given by the control input \(u_\mathrm{P}\). Its nominal value is given by \(u\!=\!u_\mathrm{nom}\), and its maximal value by \(u_{\text{ max }}\). If a control problem should be illustrated in the later chapters, then Eq. (2.6) is supplemented with an equation describing the control law \(u=k(h_1)\).

The equations given above are hybrid because they include differential and algebraic equations as well as switching conditions, which result from the physical laws and from a security switch installed at Tank 1. Therefore, the differential equation includes several inequalities that describe the validity range of the given functions.

The tank will be used in many places to illustrate methods and results. For simplicity, often the parameter A is set to one so that the model gets the simpler form

$$ \dot{h} = q_i(t) - q_o(t), $$

where \(q_i\) and \(q_o\) denote the input and the output flow.
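The following simulation of Eqs. (2.1)–(2.7) is an added example, not code from the original chapter. It shows that the leakage leaves the stationary outflow \(q_\mathrm{M}\) unchanged while the mean pump flow rises, and that the valve blockage makes the outflow vanish. All parameter values are constructed (Table 2.1 is not reproduced on the page), \(V_{12}\) is taken as open with \(u=u_\mathrm{nom}\), and the names `simulate`, `tail_mean` and `diagnose` are hypothetical.

```python
import math

# Constructed parameters in arbitrary consistent units; the values of
# Table 2.1 are not reproduced on the page.
A, C12, C2, CL, CM = 1.0, 0.5, 0.3, 0.2, 1.0
QP_BAR, H_MAX, U_NOM = 1.0, 1.0, 1.0


def flows(h1, h2, c12, leak):
    """Flows of Eqs. (2.4)-(2.7) with V12 open and u = u_nom."""
    diff = h1 - h2
    q12 = c12 * math.copysign(math.sqrt(abs(diff)), diff)
    q2 = C2 * math.sqrt(h2) if h2 > 0 else 0.0
    qp = U_NOM * QP_BAR if h1 <= H_MAX else 0.0   # security switch-off
    ql = CL * math.sqrt(h1) if (leak and h1 > 0) else 0.0
    return q12, q2, qp, ql


def simulate(fault=None, t_fault=40.0, t_end=80.0, dt=0.005):
    """Forward-Euler integration of Eqs. (2.1)-(2.3).

    fault: None, "leak" (q_L active) or "valve" (c12 set to zero).
    Returns a list of (t, q_M, q_P) samples.
    """
    h1 = h2 = 0.0
    trace = []
    for k in range(int(round(t_end / dt))):
        t = k * dt
        active = fault is not None and t >= t_fault
        c12 = 0.0 if (active and fault == "valve") else C12
        q12, q2, qp, ql = flows(h1, h2, c12, active and fault == "leak")
        trace.append((t, CM * q2, qp))
        h1 = max(0.0, h1 + dt * (qp - ql - q12) / A)
        h2 = max(0.0, h2 + dt * (q12 - q2) / A)
    return trace


def tail_mean(trace, column, window=10.0):
    """Mean of one column (1 = q_M, 2 = q_P) over the last `window` seconds."""
    t_last = trace[-1][0]
    values = [row[column] for row in trace if row[0] > t_last - window]
    return sum(values) / len(values)


def diagnose(trace, reference, tol=0.05):
    """Static symptoms named in the text; `reference` is a fault-free run."""
    if tail_mean(trace, 1) < tol * tail_mean(reference, 1):
        return "valve blockage"      # outflow from Tank 2 has vanished
    if tail_mean(trace, 2) > tail_mean(reference, 2) + tol:
        return "leakage"             # needs q_P as an additional measurement
    return "no fault"


if __name__ == "__main__":
    ref = simulate()
    for fault in (None, "leak", "valve"):
        run = simulate(fault)
        print(fault, round(tail_mean(run, 1), 3), round(tail_mean(run, 2), 3),
              diagnose(run, ref))
```

With \(q_\mathrm{M}\) as the only measurement, the second test in `diagnose` is unavailable, and the leakage can then only be found from the dynamical effects discussed above.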

2.2 Three-Tank System

Consider the three coupled tanks depicted in Fig. 2.3. These tanks are connected by pipes which can be controlled by different valves. Water can be filled into the left and right tanks using two identical pumps. Measurements available from the process are the continuous water levels \(h_i\) of each tank and, additionally, from tank \(T_2\) discrete signals from two capacitive proximity switches signalling whether the water level in the tank is above or below the position of the sensor.

In the nominal case (Fig. 2.4), only the left tank \(T_1\) and the middle tank \(T_2\) are used. The right tank \(T_3\) and pump \(P_2\) act as redundant hardware. The purpose of the system is to provide a continuous water flow \(q_2(t)=q_N\) to a consumer. Therefore, the water level in the middle supply-tank \(T_2\) has to be maintained within the interval \(h_\mathrm{2L} < h_2 < h_\mathrm{2H}\), i.e. between the two discrete level sensors of tank \(T_2\).

Water flows between the tanks can be controlled by several valves (\(V_\mathrm{12L}\), \(V_\mathrm{12H}\), \(V_\mathrm{23L}\), \(V_\mathrm{23H}\)). All valves can only be completely opened or completely closed (on/off valves). The connection pipes between the tanks are placed at the bottom of the tanks (pipes with valves \(V_\mathrm{12L}\), \(V_\mathrm{23L}\)) and at a height of \(h_\mathrm{H}\) (pipes with valves \(V_\mathrm{12H}\), \(V_\mathrm{23H}\)). One of the considered faults is a leakage in tank \(T_1\) (see below). If such a leakage occurs, there is an additional outflow \(q_\mathrm{L}\) of tank \(T_1\) (cf. Fig. 2.3).

Fig. 2.3 Three-tank system

Fig. 2.4 Nominal configuration of the three-tank system

Dynamical model. Depending on the water levels and the position of the valves, different nonlinear state-space models are valid. In general, the water flow \(q_{ij}\) from Tank i to Tank j can be calculated using Torricelli’s law

$$\begin{aligned} q_{ij}= c_{ij} \cdot \;\mathrm{sign} \;(h_{i}-h_{j})\cdot \sqrt{ |h_{i}-h_{j}| }, \end{aligned}$$

where \(c_{ij}\) is a constant depending on the geometry of the connecting pipe and the valve and \(h_i, h_j\) are the water levels. The change of water volume V in a tank is described by

$$\begin{aligned} \dot{V} = A \cdot \dot{h}= \sum q_{\text{ in }} - \sum q_{\text{ out }}, \end{aligned}$$
(2.8)

where \(\sum q_{\text{ in }}\) is the sum over all water inflows and \(\sum q_{\text{ out }}\) the sum over all water outflows of the tank. In (2.8), A is the cross-section area and h the water level in the cylindric tank. For the three tanks Eq. (2.8) yields:

$$\begin{aligned} \dot{h}_{1}= & {} \frac{1}{A} ( q_\mathrm{P1} - q_\mathrm{12L} - q_\mathrm{12H} - q_\mathrm{L} ) \end{aligned}$$
(2.9)
$$\begin{aligned} \dot{h}_{2}= & {} \frac{1}{A} ( q_\mathrm{12L} + q_\mathrm{12H} - q_\mathrm{23L} - q_\mathrm{23H} - q_2 ) \end{aligned}$$
(2.10)
$$\begin{aligned} \dot{h}_{3}= & {} \frac{1}{A} ( q_\mathrm{P2} + q_\mathrm{23L} + q_\mathrm{23H} ). \end{aligned}$$
(2.11)

The flows in Eqs. (2.9)–(2.11) depend on the levels \(h_1\), \(h_2\) and \(h_3\) as well as on the position of the valves and the commands \(u_\mathrm{P1}, u_\mathrm{P2}\) given to the pumps. For example, the existence of the flow \(q_\mathrm{12H}\) depends on the water levels \(h_1\) and \(h_2\) and the position of the valve \(V_\mathrm{12H}\). The flow is only non-zero if the valve is open and at least one liquid level exceeds the height \(h_\mathrm{H}\) of the upper connecting pipe.

More precisely, the following expressions are obtained for the flows, with the parameters given in Table 2.2:

$$\begin{aligned}
q_\mathrm{P1} &= \left\{ \begin{array}{ll}
c_\mathrm{P1} \cdot u_\mathrm{P1} & \text{if } h_1 \le h_{\text{max}} \text{ and } c_\mathrm{P1} \cdot u_\mathrm{P1} < q_\mathrm{P1}^{\text{max}} \\
q_\mathrm{P1}^{\text{max}} & \text{if } h_1 \le h_{\text{max}} \text{ and } c_\mathrm{P1} \cdot u_\mathrm{P1} \ge q_\mathrm{P1}^{\text{max}} \\
0 & \text{otherwise},
\end{array} \right. \\[1ex]
q_\mathrm{P2} &= \left\{ \begin{array}{ll}
c_\mathrm{P2} \cdot u_\mathrm{P2} & \text{if } h_3 \le h_{\text{max}} \text{ and } c_\mathrm{P2} \cdot u_\mathrm{P2} < q_\mathrm{P2}^{\text{max}} \\
q_\mathrm{P2}^{\text{max}} & \text{if } h_3 \le h_{\text{max}} \text{ and } c_\mathrm{P2} \cdot u_\mathrm{P2} \ge q_\mathrm{P2}^{\text{max}} \\
0 & \text{otherwise},
\end{array} \right. \\[1ex]
q_\mathrm{12L} &= \left\{ \begin{array}{ll}
c_\mathrm{12L} \, \mathrm{sign}(h_1-h_2) \, \sqrt{|h_1 - h_2|} & \text{if } V_\mathrm{12L} \text{ open} \\
0 & \text{otherwise},
\end{array} \right. \\[1ex]
q_\mathrm{12H} &= \left\{ \begin{array}{ll}
c_\mathrm{12H} \, \sqrt{|h_1 - h_\mathrm{H}|} & \text{if } h_1 > h_\mathrm{H},\ h_2 \le h_\mathrm{H},\ V_\mathrm{12H} \text{ open} \\
-c_\mathrm{12H} \, \sqrt{|h_2 - h_\mathrm{H}|} & \text{if } h_1 \le h_\mathrm{H},\ h_2 > h_\mathrm{H},\ V_\mathrm{12H} \text{ open} \\
c_\mathrm{12H} \, \mathrm{sign}(h_1-h_2) \, \sqrt{|h_1 - h_2|} & \text{if } h_1 > h_\mathrm{H},\ h_2 > h_\mathrm{H},\ V_\mathrm{12H} \text{ open} \\
0 & \text{otherwise},
\end{array} \right. \\[1ex]
q_\mathrm{23L} &= \left\{ \begin{array}{ll}
c_\mathrm{23L} \, \mathrm{sign}(h_2-h_3) \, \sqrt{|h_2 - h_3|} & \text{if } V_\mathrm{23L} \text{ open} \\
0 & \text{otherwise},
\end{array} \right. \\[1ex]
q_\mathrm{23H} &= \left\{ \begin{array}{ll}
c_\mathrm{23H} \, \sqrt{|h_2 - h_\mathrm{H}|} & \text{if } h_2 > h_\mathrm{H},\ h_3 \le h_\mathrm{H},\ V_\mathrm{23H} \text{ open} \\
-c_\mathrm{23H} \, \sqrt{|h_3 - h_\mathrm{H}|} & \text{if } h_2 \le h_\mathrm{H},\ h_3 > h_\mathrm{H},\ V_\mathrm{23H} \text{ open} \\
c_\mathrm{23H} \, \mathrm{sign}(h_2-h_3) \, \sqrt{|h_2 - h_3|} & \text{if } h_2 > h_\mathrm{H},\ h_3 > h_\mathrm{H},\ V_\mathrm{23H} \text{ open} \\
0 & \text{otherwise},
\end{array} \right. \\[1ex]
q_2 &= \left\{ \begin{array}{ll}
c_2 \sqrt{h_2} & \text{if } h_2 > 0 \\
0 & \text{otherwise},
\end{array} \right. \\[1ex]
q_\mathrm{L} &= \left\{ \begin{array}{ll}
c_\mathrm{L} \sqrt{h_1} & \text{if } h_1 > 0 \text{ and leakage in tank 1} \\
0 & \text{otherwise}.
\end{array} \right.
\end{aligned}$$

Table 2.2 Parameters and variables of the three-tank system and the controllers

Nominal configuration. In the nominal case, valves \(V_\mathrm{12L}\), \(V_\mathrm{23H}\), \(V_\mathrm{23L}\) are closed and not in use. Valve \(V_\mathrm{12H}\) is used to control the water level in tank \(T_2\), pump \(P_1\) to control the level in tank \(T_1\). To control the water levels in the reservoir-tank \(T_1\) and the supply-tank \(T_2\), a conventional PI-controller and a discrete (on–off) controller are used (Fig. 2.4):

$$\begin{aligned} u_\mathrm{P1}(t)= & {} k(h_1(t), h_1^{\text{ ref }}) \nonumber \\= & {} K_\mathrm{P} \cdot (h_1^{\text{ ref }} - h_1(t)) + K_\mathrm{I} \cdot \int _0^t (h_1^{\text{ ref }} - h_1(\tau )) \, d\tau \end{aligned}$$
(2.12)
$$\begin{aligned} V_\mathrm{12H}= & {} \left\{ \begin{array}{lcl} \text{ open } &{} : &{} h_2 \le h_\mathrm{2L} \\ \text{ close } &{} : &{} h_2 \ge h_\mathrm{2H} \\ \text{ no } \text{ change } &{} : &{} h_\mathrm{2L} < h_2 < h_\mathrm{2H}, \end{array} \right. \end{aligned}$$
(2.13)

where \(K_\mathrm{P}\) and \(K_\mathrm{I}\) are controller parameters and \(h_1^{\text{ ref }}\) is the set-point for tank \(T_1\). Equation (2.13) describes under what conditions the on–off controller changes the position of the valve from opened to closed or vice-versa. All parameters of the controllers are given in Table 2.2.

In summary, the nominal behaviour is characterised by the following:

  • Only the left tank and middle tank are in use, water level \(h_2\) must be medium, and the set-point for \(h_1\) is chosen as \(h_1^{\text{ ref }}\).

  • Valves \(V_\mathrm{12L}, V_\mathrm{23L}, V_\mathrm{23H}\) are closed.

  • No leakage occurs (\(q_\mathrm{L}=0\)).

  • The PI-controller (2.12) controls the level \(h_1\) of tank \(T_1\) with pump \(P_1\) using a continuous level sensor.

  • The on–off controller (2.13) controls the level \(h_2\) of tank \(T_2\) with valve \(V_\mathrm{12H}\) using discrete level sensors.

Reconfiguration problem. Three different fault scenarios are given:

  1. Fault \(f_1\): Valve \(V_\mathrm{12H}\) is closed and blocked.

  2. Fault \(f_2\): Valve \(V_\mathrm{12H}\) is opened and blocked.

  3. Fault \(f_3\): A leakage in Tank \(T_1\) occurs (\(q_\mathrm{L} \ne 0\)).

The reconfiguration task is to find automatically a new control configuration of the three-tank system such that

  • the water level \(h_2\) remains between \(h_\mathrm{2L}\) and \(h_\mathrm{2H}\) for all scenarios, i.e. the relation

    $$\begin{aligned}{}[h_2(k)]=\text{ medium } \end{aligned}$$
    (2.14)

    should hold for \(k\ge \bar{k}\) for a possibly small \(\bar{k}\).

  • for scenario 3, the loss of water is minimal, i.e.

    $$\begin{aligned}{}[h_1(k)]=\text{ empty } \end{aligned}$$
    (2.15)

    should hold for \(k\ge \bar{k}\) for a possibly small \(\bar{k}\).

The reconfiguration task consists in finding a new control structure by selection of actuators and sensors, new control laws and new set-points for the control loops, such that the control aims above are met. If needed, the use of redundant hardware components is possible. Obviously, the idea of reconfiguration cannot be satisfied by simply changing the parameters \(K_\mathrm{P}\) or \(K_\mathrm{I}\), but a structural change of the system is necessary.
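The next block is an added example, not code from the original chapter. It closes the nominal loop of tanks \(T_1\) and \(T_2\) with the PI-controller (2.12) and the on–off controller (2.13), then injects faults \(f_1\) and \(f_2\) to show that \([h_2]\) leaves the value medium, which is why reconfiguration is needed. All parameter values are constructed (Table 2.2 is not reproduced on the page), the restriction \(u_\mathrm{P1} \ge 0\) is an added assumption, and the names `q_12h`, `q_p1`, `quantise` and `h2_range` are hypothetical.

```python
import math

# Constructed parameters in arbitrary consistent units; the values of
# Table 2.2 are not reproduced on the page.
A, H_H, H_MAX = 1.0, 0.3, 0.6
C12H, C2, CP1, QP1_MAX = 0.2, 0.1, 1.0, 0.2
KP, KI, H1_REF, H2L, H2H = 2.0, 0.2, 0.5, 0.09, 0.11


def q_12h(h1, h2, valve_open):
    """Flow through the upper pipe, following the four-case expression."""
    if not valve_open:
        return 0.0
    if h1 > H_H and h2 <= H_H:
        return C12H * math.sqrt(h1 - H_H)
    if h1 <= H_H and h2 > H_H:
        return -C12H * math.sqrt(h2 - H_H)
    if h1 > H_H and h2 > H_H:
        return C12H * math.copysign(math.sqrt(abs(h1 - h2)), h1 - h2)
    return 0.0


def q_p1(u, h1):
    """Pump flow with saturation at q_P1^max and switch-off above h_max."""
    if h1 > H_MAX:
        return 0.0
    return min(CP1 * max(u, 0.0), QP1_MAX)   # u >= 0 is an added assumption


def quantise(h2):
    """Quantised level [h2] as seen by the two discrete sensors of T2."""
    if h2 <= H2L:
        return "low"
    if h2 >= H2H:
        return "high"
    return "medium"


def h2_range(fault=None, t_fault=100.0, t_end=200.0, dt=0.01):
    """Simulate the nominal loop; fault is None, "f1" or "f2".

    Returns (min, max) of h2 over the interval t >= t_fault + 50.
    """
    h1 = h2 = integral = 0.0
    valve_cmd = False
    window = []
    for k in range(int(round(t_end / dt))):
        t = k * dt
        if h2 <= H2L:                 # on-off controller, Eq. (2.13)
            valve_cmd = True
        elif h2 >= H2H:
            valve_cmd = False
        valve = valve_cmd
        if fault is not None and t >= t_fault:
            valve = (fault == "f2")   # f1: blocked closed, f2: blocked open
        err = H1_REF - h1             # PI-controller, Eq. (2.12)
        integral += err * dt
        u = KP * err + KI * integral
        q12 = q_12h(h1, h2, valve)
        q2 = C2 * math.sqrt(h2) if h2 > 0 else 0.0
        h1 = max(0.0, h1 + dt * (q_p1(u, h1) - q12) / A)
        h2 = max(0.0, h2 + dt * (q12 - q2) / A)
        if t >= t_fault + 50.0:
            window.append(h2)
    return min(window), max(window)


if __name__ == "__main__":
    for fault in (None, "f1", "f2"):
        print(fault, h2_range(fault))
```

In the fault-free run \(h_2\) cycles between the two sensor positions; with \(f_1\) Tank \(T_2\) runs empty, and with \(f_2\) the level settles well above \(h_\mathrm{2H}\).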

2.3 Ship Steering and Track Control

Ship navigation and steering is used as an example to illustrate different methods in both diagnosis and fault-tolerant control. A ship is illustrated in Fig. 2.5. The ship is steered by its rudder, the angle of which is \(\delta\). The ship's heading angle is denoted \(\psi\), the turn rate \(\omega _{3}\). The ship velocity ahead is \(v_{1}\), the velocity sideways is \(v_{2}\).

Fig. 2.5 Motion of a ship steered by its rudder. A rudder angle to port side (left) generates a turn to the port side of the ship. When turning to port, there is also a side velocity towards starboard (right)

To navigate a ship, information is needed on its position and heading angle as a minimum. In confined waters, distance is needed to a desired track that the ship is supposed to follow.

Should navigation data be wrong, ships may collide with banks or with other vessels. As unexpected manoeuvres can have fairly serious consequences, natural performance requirements exist for diagnosis and fault-tolerant control algorithms. Requirements are derived from the maximal motion the ship could make before a fault was diagnosed and a remedial action taken.

Control modes. In our ship steering example, three levels of steering control are considered:

  • Hand steering. The rudder demand is manually set by a helmsman.

  • Course control. An autopilot sets the rudder demand according to the deviation between instantaneous heading and a demanded course (heading reference). The ship’s turn rate is used for derivative control action.

  • Track control. A set of way-points specify a desired track for the ship to follow. The distance of the ship to the track is calculated and used by the track controller to command a heading reference to the heading controller. This reference is updated in each sampling cycle by the track controller.

A block diagram of the ship with the above-mentioned controllers is shown in Fig. 2.6.

Fig. 2.6 Cascaded architecture of controllers for ship steering. The innermost loop is manual steering with rudder demand as input. The second loop provides automatic heading control, the third implements automatic track control

Instrumentation. The ship motions and position are measured using dedicated sensors. The ship’s heading is measured by some form of gyro compass, distance to a desired track is calculated from a position measurement, with the position measured by a GPS (Global Positioning System) receiver. Two identical gyro compasses are commonly available due to the critical nature of the heading measurement. In the sequel, we will consider the following types of instruments:

  • Instrumentation with gyro compass and rate gyro as two separate units. The two measurements are independent.

  • Measurement of track error by a navigation computer that measures ship’s position using a GPS receiver.

Faults. For the example we consider four possible faults. These faults and the consequences they will have in the example are as follows:

  • Fault in the heading measurement: In heading control mode, this fault will cause the ship to steer a wrong course. In track control mode, there will be a permanent track error present.

  • Fault in the turn rate measurement: In heading control mode, this fault will cause a transient error in the heading, but will then be compensated by the controller. A similar behaviour will be seen in track control mode.

  • Fault in the measurement of distance to the desired track: This has no effect in heading control. In track control mode, there will be an offset equal to the size of the fault.

  • Fault in the track controller: It causes the heading demand output from this controller to remain at the value it had when the fault occurred. With heading demand being input to the heading controller, this will sooner or later cause the ship to steer away from the desired track.

The sensor faults are modelled as additive faults. The rate gyro measures \(\omega _{3\mathrm{{m}}}\) and the gyro measures the heading angle \(\psi _\mathrm{m}\). This is illustrated in the block diagram in Fig. 2.7.

Dynamics of the ship. On a ship, a desired turn rate is obtained by turning the rudder to a certain angle. The input variable is hence rudder angle and the output is turn rate. Waves act as a disturbance to the turn rate, and the combined signal is integrated to give the actual heading of the ship. This dynamics is illustrated in the block diagram in Fig. 2.7. Turn rate and heading angle are measured variables, the sensors are subject to faults. These are added as fault signals in Fig. 2.7.

Fig. 2.7 A simple dynamical model of a ship steered by the rudder. Waves act as unknown input and measurement faults are considered on turn rate and heading angle measurements

The following equations describe the steering problem using the simple model. Waves contribute to turn rate by \(\omega _{w}\). The control input is the rudder angle \(\delta \). The measured signals are \(\psi _\mathrm{m}\) and \(\omega _{3\mathrm{{m}}}\).

In sections dealing with the stochastic case, measurement noise is present on sensor signals. If \(\nu _{\omega }(t)\) and \(\nu _{\psi }(t)\) are noise signals on the turn rate or heading measurements, respectively,

$$\begin{aligned} \begin{array}{l} \dot{\omega }_{3}(t)=b(\delta (t)+H(\omega _{3}))\\ \dot{\psi }(t) =\omega _{3}(t)+\omega _{w}(t)\\ \psi _\mathrm{m}(t)=\psi (t)+f_{\psi }(t)+\nu _{\psi }(t)\\ \omega _{3\mathrm{{m}}}(t)=\omega _{3}(t)+\omega _{w}(t)+f_{\omega }(t)+\nu _{\omega }(t)\\ \end{array} \end{aligned}$$
(2.16)

where \(H(\omega )\) is the steady-state relation between turn rate and rudder angle. In the literature, this is the steering characteristic of the ship.

In the example, we treat the steering characteristic as linear such that

$$ H(\omega _{3})=\eta _{1}\,\omega _{3} $$

The sign convention is that angles are taken positive around the third axis, which points downwards as seen from a surface ship. A positive rudder angle (clockwise) will turn the ship counter-clockwise, which corresponds to a negative value of turn rate. Hence, \(\eta _{1}\) is negative for a ship that is directionally stable.

In the real world, the relation between a rudder angle and the turn rate is not linear.

$$ H(\omega _{3})\approx \eta _{0}+\eta _{1}\,\omega _{3}+\eta _{2}\left| \omega _{3}\right| \omega _{3} $$

Large tankers or container ships may be directionally unstable in a region around zero turn rate angle. This is a consequence of a balance between hydrodynamical forces on the hull. As turn rate builds up, a directionally unstable ship eventually becomes stable. A directionally unstable ship will enter into a steady turn and move in a circle if the rudder is left in neutral position. A directionally unstable ship will be used to illustrate diagnosis techniques for unstable physical systems.

The variables and parameters in the ship example are listed in Table 2.3.
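
A consequence of Eq. (2.16), worked out here as an added derivation that is not part of the original chapter (the residual symbol \(r\) is introduced for this purpose): differentiating the heading measurement and subtracting the turn rate measurement eliminates the unknown wave input \(\omega _{w}\).

$$\begin{aligned} \dot{\psi }_\mathrm{m}(t)&= \dot{\psi }(t)+\dot{f}_{\psi }(t)+\dot{\nu }_{\psi }(t) = \omega _{3}(t)+\omega _{w}(t)+\dot{f}_{\psi }(t)+\dot{\nu }_{\psi }(t) \\ r(t)&:= \dot{\psi }_\mathrm{m}(t)-\omega _{3\mathrm{m}}(t) = \dot{f}_{\psi }(t)-f_{\omega }(t)+\dot{\nu }_{\psi }(t)-\nu _{\omega }(t) \end{aligned}$$

In the fault-free and noise-free case, \(r(t)=0\) holds for any rudder angle, steering characteristic and wave disturbance. A constant turn rate fault appears in \(r\) as the persistent offset \(-f_{\omega }\), whereas a step in \(f_{\psi }\) is visible only at its onset, because \(\dot{f}_{\psi }=0\) afterwards.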

Heading control. The autopilot to control the ship heading in this example is a linear quadratic design, equivalent to a PD controller without any filtering, signal smoothing or integral action

$$\begin{aligned} \delta (t)=L_{\omega }\,\omega _{3\mathrm{m}}+L_{\psi }\,(\psi _\mathrm{ref}-\psi _\mathrm{m}) . \end{aligned}$$
(2.17)

A block diagram of the autopilot loop is shown in Fig. 2.8.

Track control. Track control means that the ship is commanded to follow a line (great circle) over the sea bottom. The desired track is specified to the controller, and position instruments provide the track error. The control architecture for track control was shown in Fig. 2.6.

Table 2.3 Signals and parameters of the ship steering example

Fig. 2.8 Simple heading controller (autopilot) for the ship example

Requirements. The requirements for fault-tolerant control in the ship steering example are the following:

  • An undesired alteration in the ship heading \(\left( \psi \right) \) must not exceed 5 deg.

  • An undesired alteration in the ship turn rate \(\left( \omega _{3}\right) \) must not exceed 0.2 deg/s

  • An undesired alteration in the ship position relative to the track (e) must not exceed 5 m

  • An undesired alteration in the ship velocity perpendicular to the track \((\dot{e})\) must not exceed 0.5 m/s

These requirements can be used as objective measures for requirements capture, including detection delay and time to reconfigure.