2002 PATH Conference

Fault Tolerant Longitudinal Control

of Transit Buses: Fault Diagnostics
and Management
Prof. Karl Hedrick
Adam Howell
Bongsob Song


Dept. of Mechanical Engineering
University of California, Berkeley
TO 4206
2002 PATH Conference
Overview
Fault Tolerant Control (FTC) Architecture
Integrated Fault Diagnostics and Sensor Fusion
Physical Redundancy and the PDAF
Example: Range and Range Rate Sensors
Integrated Longitudinal Controller and Fault Classification
Passive Fault Tolerance and Fault Classification
Example: Parametric and Actuator Faults
Conclusions & Future Work
2002 PATH Conference
Fault Tolerant Control (FTC) Architecture
Fault Management System
Decides on control reconfiguration
strategy using information about
vehicle status
Fault Detection and Diagnostics
Detects and identifies faults in
vehicle sensors, actuators, and
components
Sensor Processing and Fusion
Filters, validates, and combines
redundant sensor measurements
Longitudinal Controller
Choose pedal and brake
commands to achieve control
objectives of current mode
Different modes of operation based
on desired maneuver and vehicle
status
Fault Management
Longitudinal Controller
Fused estimates
Database (Hardware Drivers)
Lower-level Controller
Throttle Brake
Sensor
Processing and
Fusion
Commanded pedal
position or brake signal
Synthetic acceleration,
Controller Mode
Fault Detection and
Diagnostics
Raw sensor
measurements
Filtered
measurements
Isolated fault
a_des, v_des, d_des, and
Vehicle ID
Controller Reconfiguration
Normal
Robust
Controller
Fault
Handling
Controller
Controller
Mode
Fault_status
Performance_status
Performance
Status
Reconfiguration
Command
Desired engine torque
Maneuver Planning (Upper Layer)
Coordination Layer
Maneuver
Maneuver Status
Maneuver Mode (Vehicle ID)
Lead Follow
Fused
estimates
Fault
estimates
2002 PATH Conference
Integrated Fault Diagnostics and Sensor Fusion
Fault diagnostics and sensor fusion have different but related
goals
Fault diagnostics: Detect and identify faults in sensors,
actuators, and system components
Sensor fusion: Combine multiple redundant or complementary
sensor measurements to provide better quality estimate
However, the means of achieving these goals is very similar;
Comparison of current sensor measurements and actuator
commands to expected behavior based on past values and/or
mathematical model of system
Both fault diagnostics and sensor fusion can provide improved
performance and reliability for automated vehicle control, and is
therefore advantageous to integrate these capabilities for
efficiency and additional performance

2002 PATH Conference
Physical Redundancy
Definition: multiple physical devices (either sensors and/or
actuators) providing redundant capabilities
Transit buses used for Demo 2003 have several
subsystems with inherent physical redundancy:
Vehicle Speed: 4 wheel speed sensors, engine speed
sensor, and DGPS
Brake System: 2 Brake pressure sensors (at least), and
commanded brake pressure from pedal/driver
Range and Range Rate Sensors: Eaton Vorad Radar,
Denso Lidar, plus two pseudo sensors
Pseudo sensors rely on high-speed wireless
communication to provide local sensor measurements to
following vehicles in order to estimate relative states, i.e.
range and range rate
2002 PATH Conference
Physical Redundancy (cont.)
Sensor measurements passed via wireless
communication
DGPS position and velocity
Vehicle speed based on wheel speed sensors
Distance traveled based on magnet counting
DGPS Wireless
Magnetometers Wheel Speeds
Radar
Lidar
DGPS Wireless
Magnetometers Wheel Speeds
2002 PATH Conference
Probabilistic Data Association Filter (PDAF)
Nonparametric PDAF has been used extensively in sensor fusion to combine multiple measurements
from a single sensor such that the output estimate has minimum estimation error variance (*)
In the case of multiple sensors, the PDAF can be structured as a sequential Kalman Filter which
weights the correction for each sensor based on each sensor measurements validity
For our case, the PDAF can be simplified by assuming that each sensor returns only one measurement
at each time step
The simplified PDAF can be broken down into 3 basic computational stages at each time step
Prediction of fused estimate and estimation error covariance based on dynamic system model (in
our case, a linear kinematic vehicle model)




Validation of sensor i s measurement(s) using g-sigma gating based on predicted measurement
and measurement covariance
If sensor measurement valid, use in Kalman filter to correct fused estimate and estimation error
covariance




* For more detailed information, see (Bar-Shalom and Fortmann, 1988) and (Houles and Bar-Shalom, 1989)
) ( ) ( ) (
) ( ) ( ) (
) ( ) ( ) 1 (
4 4 4
1 1 1
k v k x C k y
k v k x C k y
k w k Ax k x
+ =
+ =
+ = +
Q A k AP k k P
k k x A k k x
T
+ =
=
) 1 ( ) 1 | (
) 1 | 1 ( ) 1 | (
) ( ) ( ) ( ) (
) ( ) ( ) (
) 1 | ( ) (
) 1 | ( ) (
1
1
1 1
1 1 1
1 1 1
1 1
k v k S k v k V
k z k y k v
R C k k P C k S
k k x C k z
T
T

=
=
+ =
=
( )
) ( ) ( ) ( ) ( ) 1 ( ) 1 | ( ) ) ( )( 1 ( ) 1 | ( ) (
) ( ) 1 | ( ) (
) ( ) ( ) 1 | ( ) 1 | ( ) | (
, ) (
1 1 1 1 0 0 1
1
1
1 1 1 1 0 1
2
k W k v k v k W k k P C k W I k k P k P
k S C k k P k W
k v k W k k x k k x k k x
g k V if
T T
T
| | | |
| |
+ + =
=
+ + =
<

2002 PATH Conference

Probabilistic Data Association Filter (PDAF) (cont.)
If sensor measurement invalid, dont use in Kalman filter


Repeat previous stage for each sensor i with


Fault diagnostics can be easily added to the PDAF, by monitoring and
thresholding the Mahalanobis distance V(k) computed in the validation stage
In fact, this construction provides several benefits:
Multiple fault detection and isolation are possible
Inherent fault management in terms of eliminating the bad sensors and
measurements from the fusion process automatically
Faults and external disturbances (i.e. dropouts) can potentially be distinguished
by correllating invalid measurements with known disturbance conditions
) 1 | ( ) (
) 1 | ( ) | (
, ) (
1
1 1
2
=
=
>
k k P k P
k k x k k x
g k V if
) ( ) 1 | (
) | ( ) 1 | (
1
1
k P k k P
k k x k k x
i
i

=
=
2002 PATH Conference
Example: Range and Range Rate Sensors
Level of Modeling
Detailed sensor models based on manufacturers specs and experimental
data
Communication system modeled as constant delay (fairly good
assumption since using token-ring procotol)
Lead vehicle modeled as double integrator with bounded acceleration,
while following vehicle has ideal spacing dynamics using fused estimate
in feedback
Simulation Conditions
Two car platoon with lead vehicle following sinusoidal desired acceleration
(a
des
= 0.5sin(0.1t))
Second vehicle follows at 40m spacing, with incorrect initial condition
Faults occur in following vehicles Denso Lidar (3m bias in range) after 30
seconds, and magnetometer (miss 4 markers) after 35 seconds
2002 PATH Conference
Relativ e States
Prev ious Velocity
Current Velocity
Prev ious Position
current Position
Vehi cl e Model
radar
To Workspace8
mag
To Workspace7
dgps
To Workspace2
l i dar
To Workspace1
Fault
Radar Faul t
Magnetometer Faul t
Prev Velocity
Current Velocity
Prev Position
Current Position
Relativ e State
Magnet+Comm Pseudo-Sensor
Fault
Li dar Faul t
Prev Velocity
Current Velocity
Prev Position
Current Position
Relativ e States
Li dar
Measurements Fused Estimate
Integrate FDI
and Sensor Fusi on
Prev Velocity
Current Velocity
Prev Position
Current Position
Relativ e States
Eaton
VORAD
Prev Velocity
Current Velocity
Prev Position
Current Position
Relativ e States
DGPS+Comm Pseudo-Sensor
Current Velocity
Current Position
Fault
DGPS Faul t
2
2
2
2
8 2
2
2
2
2
2
2
2
2
2
2
2
2
2
2
2
2
2
2
Simulation Model in Matlab/Simulink
2002 PATH Conference
Sensor Measurements
0 5 10 15 20 25 30 35 40 45 50
-1
-0.5
0
0.5
1
1.5
2
2.5
3
R
a
n
g
e

R
a
t
e

(
m
/
s
)
0 5 10 15 20 25 30 35 40 45 50
0
5
10
15
20
25
30
35
40
45
Time (sec)
R
a
n
g
e

(
m
)
Denso Lidar
Eaton Vorad
DGPS + Comm
Magnetometer + Comm
True State
2002 PATH Conference
Sensor Fusion
0 5 10 15 20 25 30 35 40 45 50
-2
-1.5
-1
-0.5
0
0.5
1
1.5
R
a
n
g
e

R
a
t
e

(
m
/
s
)
0 5 10 15 20 25 30 35 40 45 50
33
34
35
36
37
38
39
40
41
R
a
n
g
e

(
m
)
Time (sec)
fused
true
0 5 10 15 20 25 30 35 40 45 50
-0.5
-0.4
-0.3
-0.2
-0.1
0
0.1
0.2
0.3
0.4
0.5
E
r
r
o
r

i n

R
a
n
g
e

R
a
t
e

(
m
/
s
)
0 5 10 15 20 25 30 35 40 45 50
-0.4
-0.2
0
0.2
0.4
0.6
E
r
r
o
r

i n

R
a
n
g
e

(
m
)
Time (sec)
2002 PATH Conference
Fault Detection and Identification
0 5 10 15 20 25 30 35 40 45 50
0
2
4
6
8
10
12
Symptoms
M
a
g
n
e
t
o
m
e
t
e
r

+

C
o
m
m
0 5 10 15 20 25 30 35 40 45 50
0
2
4
6
8
10
12
E
a
t
o
n

V
o
r
a
d
0 5 10 15 20 25 30 35 40 45 50
0
2
4
6
8
10
12
D
e
n
s
o

L
i
d
a
r
0 5 10 15 20 25 30 35 40 45 50
0
2
4
6
8
10
12
D
G
P
S

+

C
o
m
m
Time (sec)
2002 PATH Conference
Integrated Longitudinal Controller and Fault
Classification
Controllers goal to provide good regulation/tracking despite
uncertainties and disturbances, including some types of faults
Benefits of integrated controller and fault classification
Design robust controller to provide fault-tolerant performance in a
limited way, i.e., include fault-insensitivity in the controller at the
design stage
Maximize controllers robustness to faults using knowledge of
controller performance, modeling uncertainty, and fault effects
Better to avoid frequent switching between the reconfigurable
controllers when faults have small impact on closed-loop performance
Prerequisites for the integrated method
Control model including the modeling uncertainty
Controller design
Fault characteristics

2002 PATH Conference
0
20
40
60
80
100
50
100
150
200
250
300
0
200
400
600
800
1000
1200
Throttle (%)
Engine Speed (rad/s)
E
n
g
i
n
e

T
o
r
q
u
e

(
N
m
)
Control Model
Longitudinal Vehicle Dynamics

Engine model for 280HP CNG
Cummins engine

Pneumatic brake with EBS

bf
T
a m
wf

af
R
trf
F
rf
F
g m
wf
g m
c
a m
c

ar
R
af
R
a
F
90
d
T
br
T
a m
wr

ar
R
trr
F
u
rr
F
g m
wr
m
eq
a r g b g e
f
J
mg F F h R T R T
v
1
) sin (
A +
+ +
=
u

{ }
m e e map
e
e
f T T T
2
) , (
1
A + = o e
t

>
=
otherwise 0
if ) (
o b o b b
b
P P P P K
T
| |
| |

A +
A +
=
emptying for ) (
1
filling for ) (
1
3
3
m w
be
m w
bf
w
f P t
f P t
P
|
t
|
t

2002 PATH Conference

Currently all hardware
installation for the bus is not
completed yet, so we assume
there are similarities between a
bus and a truck
Truck model
Diesel engine model (N14
435HP Cummins)

Engine retarder
Polynomial curve fitting
Transmission
Through j1939 bus
No brake model
Retrofitting EBS brake system
Tested at Crows Landing
{ }
m e f e map
e
e
f T m T T
2
) , (
1
A + =

e
t
Truck Model Validation
Engine Retarder - Low
Engine Retarder - High
2002 PATH Conference
Dynamic Surface Control Design
Applied to passenger vehicles -
Gerdes(1996), Hedrick and Yip
(2000)
Implemented successfully on
the California PATH passenger
vehicles in DEMO97 (San
Diego, CA)
Developed analysis and design
methodology to provide stability
and robustness to modeling
uncertainty Song (2002)
Can extend the method to the
faulty system?
Low-pass
Filter
Nonlinear
System
Uncertainty
MSS
(S
1i
, S
2i
)
DSC
P
f
S
f
A
f
m
y
{ }
wdes edes d
P T x , = { }
w e
P T x , =
{ }
des des d
u | o , =
u
x
f A

des
v



2002 PATH Conference
Fault Characteristics
Actuator fault
Partial failure of airbrake system
due to wrong adjustment of
slack adjuster and wear
The brake failure contribute to
nearly one-third of all the
accidents involving commercial
vehicles


Parametric fault
Change of effective radius due
to tire pressure drop
h = (1 f
P
) h
1 ) ( 0 where
otherwise 0
if ) )( 1 (
s s

>
=
t f
P P P P f K
T
A
o b o b A b
b
2002 PATH Conference
Switched error dynamics in a matrix form
(Song et al. 2002)



Passive Fault Tolerance of DSC
Extensibility to the faulty system
Convex optimization problems to check the quadratic stability numerically can
be formulated as long as a magnitude of the fault is known
Passive fault tolerant approach
Fault tolerant for a certain class of faults due to robustness of DSC
i.e. no difference between the class of faults and uncertainty in the
viewpoint of the controller
| |
| |
T
i fi m i f
T
i i i i
i r i f i w i A P i i
f f f f w
S S z
b e i r B w B z f f A z
1 2 1 ,
2 2 1
, , ,
where
, for ) , (

A A + A =
=
= + + =

Extended
Perturbation
Linear Error
Dynamics
P
f
r
f
w
z
A
f
d
u
u
2002 PATH Conference
Fault Classification & Handling
FDD
DSC
Isolatable
fault
Detectable
fault
Tolerable
fault
Specific
Warning
Severity
Indication
Intolerable
fault
Reconfig-
uration
Emergency
Handling
Controller reconfiguration
Intolerable sensor or
parametric faults, which
cannot be handled by Sensor
fusion using hardware
redundancy
State estimation based
controller
Parameter identification (or
estimation) based controller
Intolerable actuator faults
Optimal trajectory
reconfiguration using actuator
capability information
Emergency Handling
Performed by the fault
management system and
coordination layer (or higher
layer)
Performance status
Quadratic function level
Actuator capability
Fault classification
Fault severity indication
Isolatability on FDD
2002 PATH Conference
Simulation Results: No Fault
Include parametric uncertainties and unmodeled dynamics
Assume normal distribution for the parametric uncertainties
0.2(degree) road grade disturbance
10% parametric uncertainty on effective radius
20% parametric uncertainty on C
a
30% parametric uncertainty on K
b

0 5 10 15 20 25 30 35 40
16
18
20
22
24
V
e
l
o
c
i
t
y

(
m
/
s
)
v
v
des
0 5 10 15 20 25 30 35 40
-0.1
-0.05
0
0.05
0.1
V
e
l
o
c
i
t
y

E
r
r
o
r

(
m
/
s
)
Time (second)
0 5 10 15 20 25 30 35 40
0
50
100
P
e
d
a
l

P
o
s
i
t
i
o
n

(
%
)
0 5 10 15 20 25 30 35 40
0
500
1000
1500
T
b

(
N
m
)
Actual
Desired
0 5 10 15 20 25 30 35 40
0
0.5
1
Time (second)

V
(
z
)
2002 PATH Conference
Simulation Results: Fault Classification
Tolerant faults
Intolerable faults
0 5 10 15 20 25 30 35 40
-0.1
-0.05
0
0.05
0.1
V
e
l
o
c
i
t
y

E
r
r
o
r

(
m
/
s
)
0 10 20 30 40
0.3
0.4
0.5
0.6
0.7
E
f
f
e
c
t
i
v
e

r
a
d
i
u
s

(
m
)
30% Parametric Fault
0 10 20 30 40
0
5
10
15
B
r
a
k
e

C
o
e
f
f
i
c
i
e
n
t

(
K
b
)
40% Actuator Fault
0 10 20 30 40
0
0.5
1
Time (sec)
Q
u
a
d
r
a
t
i
c

F
u
n
c
t
i
o
n

L
e
v
e
l

V
(
z
)
0 10 20 30 40
0
500
1000
1500
T
b

(
N
m
)
Time (sec)
Actual
Desired
0 5 10 15 20 25 30 35 40
-0.1
0
0.1
0.2
V
e
l
o
c
i
t
y

E
r
r
o
r

(
m
/
s
)
0 10 20 30 40
0.2
0.3
0.4
0.5
0.6
E
f
f
e
c
t
i
v
e

r
a
d
i
u
s

(
m
)
50% Parametric Fault
0 10 20 30 40
0
5
10
15
B
r
a
k
e

C
o
e
f
f
i
c
i
e
n
t

(
K
b
)
60% Actuator Fault
0 10 20 30 40
0
0.5
1
Time (sec)
Q
u
a
d
r
a
t
i
c

F
u
n
c
t
i
o
n

L
e
v
e
l

V
(
z
)
0 10 20 30 40
0
500
1000
1500
2000
T
b

(
N
m
)
Time (sec)
Actual
Desired
2002 PATH Conference
Conclusions & Future Work
Integrated sensor fusion and FDD
Transit buses have considerable amount physical redundancy that
can be leveraged for improved reliability and accuracy
For range and range rate sensors, PDAF is an effective framework
for integrated design of diagnostics and sensor fusion
Integrated longitudinal control and fault classification
Fault classification Indicates the fault severity in the viewpoint of the
closed loop system
Integrated design allows us to maximize controllers robustness to
faults in the presence of uncertainties
A great deal of work before the Demo 2003, but in the
near term:
Tests for model validation of 40 ft CNG bus as well as sensor
processing are scheduled in November at Crows Landing