Sensor Placement for Fault Diagnosis Using Graph of a Process

The quality of a diagnostic system strongly depends on the availability of appropriate measurements. In this work sensor placement method using Graph of a Process is introduced. Graph of a Process is a formalization of a causal graph useful in fault diagnosis. Faults are directly incorporated into the model. The necessary and sufficient conditions for fault detectability and isolability are formulated. The analysis is divided into acyclic graph search and calculations within strongly connected components. This method is applicable to the design of the instrumentation of diagnostic systems, when the analytical process model is unavailable.


Introduction
Proper fault detection and isolation in large scale industrial plants is important because of safety, environmental protection, and economical reasons. Due to the complexity of the systems to be diagnosed there is a need for tools supporting the design of the diagnostic system. One of the important problems is sensor placement to meet diagnostic specications. This problem may have more than one solution, so the selected set should be optimal with respect to the chosen objective, like minimal cost or minimal number of sensors.
A review of the methods and criteria for sensor set selection was presented in [1]. The main task of measuring instruments is to estimate the values of process variables, which is important for control, monitoring, and optimization purposes. It should be noted that not every process value needs to be directly measured. Some variables can be estimated by the use of other measurements.
Often the set of measuring instruments installed for control is insucient for fault diagnosis purposes. Therefore, the set of sensors used by the diagnostic system should be selected taking into account one or more of the above criteria and be sucient to: • detect the set of considered faults; • distinguish the specied pairs of faults. The problem of sensor placement for fault diagnosis has been an active research area in recent years. This is a complicated problem and nding a solution in the general case is intractable, so some simplifying assumptions are needed. The most popular approach is to use a simplied, qualitative model of a process. There are sensor placement algorithm using structural analysis [2,3,4,5,6], bond-graphs [7,8], and SDG graphs [9,10,11]. GP approach, presented in this paper, diers from the existing approaches because of the form of the process description and assumptions underlying the diagnostic system.

Graph of a Process and Model Structures
A causal graph shows relations between variables. Vertices of the graph represent process variables, disturbances, and control signals. Graph of a Process is a kind of a causal graph with faults included directly in a model as additional vertices. Directed edges depict relations between the variables. The GP is a simple, intuitive, and easily understandable way of describing diagnostic knowledge. The GP was chosen as a tool for sensor placement because of the following features: • The GP can be constructed using process description, process instrumentation diagrams or with cooperation with process engineers. Mathematical description is not needed, only basic knowledge about the physics of a process. This is an important feature because sensor placement analysis should be performed at the design stage and a detailed process model can be unavailable. • We assume diagnosis using residuals in which values are the dierences between the measured value of the process variable and the value calculated by a local multi input single output (MISO) model. The models can be black-box models identied using process data (fuzzy, neural, or parametric models). The GP was designed to support nding structures of these models. This approach is justied when mathematical description of the system is unavailable, instead archival measurements can be used to train local models for fault detection. The proposed approach gives better fault isolation than Signed Directed Graph (SDG) approach. In this part denitions of GP and model structure (MS) will be recalled. For further details and detailed comparison with other qualitative models, interested reader is referred to [12].

Graph of a Process Denition
Control variables, faults, disturbances, measurements, and physical system variables are included as graph vertices. The set of all physical variables characterizing the system is denoted by X. This set can be divided into the following subsets: where: X U -set of control physical variables, X D -set of input physical variables of unknown values also called disturbances, X X -set of internal physical variables, and X Y -set of output physical variables, which is a representation of measured variables in the set X.
The control system generates control signals u ∈ U , which, in the case of a fault free state, are equal to control physical variables x ∈ X U . All variables x ∈ X Y are measured. Therefore, a set of measured variables Y is as numerous as X Y . If faults are absent, values of variables in both sets are the same within the accuracy of measurement.
The following subsets can be distinguished in the set of faults F : faults of controls F U , faults of installation components F C , and faults of sensors F Y : In this notation, faults of actuators are also regarded as faults of installation components. The set V describing the object of diagnosis can be divided into the following disjoint sets: where K is a set of known variables, which are control variables and measured variables.
The equivalent of the set K in the set X is a set of physical known variables X K , the set of physical variables that have equivalents in the sets Y or U .
where: V = V (GP ) -vertices set, A = A(GP ) ∈ V ×V -binary relation dened on the Cartesian product of the vertices set V , a set of ordered pairs < v, w >∈ V × V representing edges of the graph. Edges represent the direction of inuence. The vertices subset X of the graph GP form a subgraph GP X representing the relation between physical variables.

Example of a Three Tank System
The ideas described will be illustrated using a three tank system (TTS) shown in Fig. 1. The level in tank T 3 is controlled by a ow valve to tank T 1. The GP for the TTS is shown in Fig. 2. Graph GP X , containing only vertices from the set X, is presented in Fig. 3. Symbols are described in Table 1. The last column in Table 1 shows the classication of the vertices of GP. Variables p ZP and n are classied as disturbances because during normal work of a process they have almost constant values and cannot be measured. It is assumed that no measurements are available. It is an articial assumption because the controlled level must be measured, but the example is meant as an illustration of the sensor placement algorithm. It should be noted that if some variables are already measured then some of the conditions from the Section 3.1 are already fullled and should be excluded from the search. Therefore, without the lost of generality, we assume that there are no available measurements. Faults are listed in Table 2.  Figure 3: GP X graph of TTS.

Model Structures
In this paper model structure (MS) is understood as a pair: a modeled variable and a set of model inputs. Models for fault detection are assumed to be black-box models (e.g., parametric models, neural or fuzzy models). All MSs for fault detection can be dened using GP. The modeled variable is always an element of the set X Y and the input variables are dened by the following subsets of X: In the model structure denition, only the subgraph GP X is considered. Denition 1. Model structure is dened as a pair:  pressure of a pump supply P X D n rotational speed of the pump P hydrostatic pressure at the bottom of the tanks T 1, T 2, and T 3 X X F 12 ow between the tanks T 1 and T 2 X X F 23 ow between the tanks T 2 and T 3  where: o ∈ X Y is the modeled variable, I ⊂ X I is the set of input variables, fullling the following conditions: (i) ∀i ∈ I in GP X exists a path from i to o, not containing any other vertex from the set I, (ii) ∀v ∈ GP X if there exists a path from v to o, not containing any vertex from the set I, then there exists a path from some i ∈ I to v. The method for nding all MSs was presented in [12].

Faults-symptoms Relation
If a fault causes a dierence between the measured value of a variable and its estimation calculated from the model, then we say that MS is sensitive to that fault, which leads to the following: ∀f ∈ F X in a graph there exists a path from f to o, not containing any vertex from the set I ∩ X Y . The set F Y contains sensor faults of measurements of variables from the set I ∪ o. The set F U contains faults of controls related to the physical control variables in I ∩ X U .
The algorithm for determining MS sensitivity to faults was presented in [12].

Sensor placement
When using GP in diagnosability analysis, we assume that a fault is detectable if there exists at least one MS sensitive to this fault. Two faults f 1 and f 2 are distinguishable if their signatures are dierent. With binary residual evaluation it means that there must exists at least one MS sensitive to f 1 and insensitive to f 2 or vice versa. Therefore, the proposed solution will be based on the following denitions.
Denition 3. The  We want to nd the set of sensors that allows the diagnostic system to fulll the diagnostic specication. The specication is a set of faults D, which should be detectable and the set of pairs of faults I, which should be distinguishable. Only single faults are considered. This problem has many solutions; therefore, the chosen solution should minimize the selected objective. We chose a minimal number of sensors, but the algorithms to be presented can be easily modied to use some other cost function. These considerations lead to the following problem formulation: Given GP, nd the minimal set of sensors that allows detection all faults in D and isolation of all pairs of faults in I.

Conditions for Faults Detectability and Isolability
In this Section, the sucient and necessary conditions for faults detectability and isolability will be analyzed. The formulation of these conditions is a rst step of a sensor placement algorithm. Moreover, such an analysis can be used for answering the following questions: • Which measurements are useful for detection of the fault? • Which measurements can help isolate indistinguishable faults?

Fault detection
Necessary condition The necessary conditions for detection of the fault is the existence of at least one measured process variable inuenced by this fault. In the context of GP inuence is identied with the existence of the directed causal path from the fault to the variable.
Let V Df denote the set of variables inuenced by the fault f . This set can be obtained by the depth-rst search started at f ; V Df = DF S(G, f ). Therefore, the necessary condition for detectability of f is: This reasoning is similar to SDG approach [9] but there is one crucial dierence. In the case of SDG graphs, fault detection is based on the deviations of the variables from the normal state, and the normal state is assumed to be known. In that case, the necessary condition is also sucient. In case of GP, it is not. Let us consider the exemplary graph G 1 shown in Fig. 4 containing only two vertices: a ∈ X Y and f ∈ F . The necessary condition of detectability of f is fullled; V Df 1 = {a} and a ∈ X Y . In the diagnostic system using the control of the alarm thresholds the fault can be detectable, because the inuence of f can cause crossing of the alarm limits by the value of a. While diagnosing using MSs the fault is not detectable because, for this graph, no MS can be built (the system does not contain any redundancy).
Necessary condition The necessary condition for the detectability of the fault, in the meaning of GP, is an existence at least one MS sensitive to this fault.

Fault isolation
In the isolability analysis, we will use the concept of a strongly connected component. A strongly connected component in a graph is a set of vertices that, for each pair of vertices u and v, there exist paths from u to v and from v to u. One strongly connected component contains a set of variables inuencing each other. Being in a strongly connected component is an equivalency relation dened on the set of vertices, so division into components splits the graph into disjointed sets, which can be considered separately.
The considerations concerning fault isolability should be divided into two parts. We should consider separately the faults aecting dierent strongly connected components of a graph and the faults aecting the same strongly connected component.
Acyclic graph The rst step in the analysis is nding and merging strongly connected components of GP. This can be obtained using an algorithm based on a depth-rst search [13]. The faults inuencing one strongly connected component are identied. After merging strongly connected components we obtain an acyclic graph.
The necessary condition to isolate two faults f 1 and f 2 is that they inuence dierent sets of variables: where ∆ denotes a symmetric dierence of the sets. The set V Df 1 ∆V Df 2 will be denoted by V I12 . Let us consider the exemplary graph G 2 shown in Fig. 5. The detectability sets for this graph are as follows: Considering these sets, we obtain that for detectability of faults, measurement of c is necessary. However this measurement is not sucient because with only one sensor, no model can be built. It should be also noted that detection of f 1 is impossible because there is not a MS sensitive to this fault (according to Denitions 1 and 2).
The isolability sets are as follows: The fault f 1 is undetectable; therefore, only the pair {f 2 , f 3 } can be distinguished. The measurement of b is necessary for this purpose. The isolability can be obtained using the following MS: (c, {b}) and (b, {a}), where the rst one is sensitive to f 3 and the second one is sensitive to f 2 . Without the measurement of b only one MS is possible -(c, {a}), which is sensitive to both faults.
It should be noted that, in the case of faults, inuencing one strongly connected component, the sets of variables inuenced by the faults are equal. This means that in the case of cycles in the graph, another approach must be proposed. Strongly connected components We assume that, at this stage, the analysis for the acyclic graph was nished and that the set of the sensors was selected and that the faults inuencing the strongly connected component are detectable and distinguishable from the other faults.
In the strongly connected component, each fault inuences all vertices. For the isolability of faults, according to Denition 4, we should nd MS sensitive to only one of the considered faults.
For this purpose, we should search for appropriate model inputs, which will cut the inuence of one of the faults (and only one of them) on the modeled variable. This leads us to the denition of the cutting path vertex. Denition 5. Cutting path vertex between the faults f 1 and f 2 is a vertex that afterwards: The proof is omitted due to space limitations. The condition in Theorem 1 is not a sucient condition. Let us consider again graph G 3 shown in Fig. 6. Vertex b cuts the path between the faults f 2 and f 3 . The model (a, {b}) is sensitive to the fault f 1 and insensitive to any of the faults f 2 and f 3 . To assure isolability, appropriate selection of the modeled variable is necessary.
If there exists measured vertex v cutting path form f 1 to f 2 or vice versa, then the modeled variable o should be selected in a way that there exists a path from one of the faults to o not containing v (and such a path does not exists from the other fault). An example of a suitable model is (d, {b}), which is sensitive to f 3 but is not sensitive to f 2 (see Fig. 6).
The condition that v is a vertex cutting path between f 1 and f 2 assures the existence of suitable model outputs o. Finally, to assure isolability of f 1 and f 2 , the MS with o as an output and v as an input must exist (measurements of other inputs are needed). If the previous step of the sensor placement algorithm was completed, then the faults are detectable and such a model exists.
The appropriate set of vertices are calculated by the following algorithms. The subgraph of GP containing only one strongly connected component is denoted by G, DF S(G, f ) denotes all vertices met in the depth-rst search of G started at f . The Algorithm 1 F aults(G, f ) nds the sets of faults f (v) that the vertex v is a vertex cutting path from f to the faults in f (v). The Algorithm 2 P athCut(f 1 , f 2 , G) nds the sets pc(f 1 , f 2 ) of vertices cutting path from f 1 to f 2 or from f 2 to f 1 .
The Algorithm 3 P ossibleM odelOutput(f 1 , f 2 , G) for the pair of the faults f 1 and f 2 and the cutting path vertex v nds the set of the model outputs pmo(f 1 , f 2 , v), where if v is an input then the model will be sensitive to only one of the faults from the pair {f 1 , f 2 }.
The algorithms will be explained for the graph shown in Fig. 6. We will analyze the pair  The work of the Algorithm 1 F aults(G 3 , f 2 ) is shown in Fig. 7. In the subsequent steps, the vertices a, b, c and d are deleted and the edges incident with the other faults (f 1 and f 3 ) are reversed. We obtain the following sets: In a similar way, we obtain the sets for the fault f 3 : On the basis of the above sets, the Algorithm 2 P athCut(f 2 , f 3 , G 3 ) nds the vertices cutting path from f 2 to f 3 or from f 3 to f 2 : The last step is the search for the possible model outputs for each of the cutting path vertices (Algorithm 3 P ossibleM odelOutput(f 2 , f 3 , G 3 )): b : c : Therefore the isolability of the faults f 2 and f 3 can be obtained using the following MS:

Sensor Placement Algorithm
In the previous sections, the considerations concerning sucient and necessary conditions for fulllment of the diagnostic specications were presented. Theses conditions let us formulate the general scheme of the sensor placement algorithm. The analysis should contain the following steps: The number of all MS in the Step 1 can be exponential in the number of measurement (but it is often much smaller than the set of analytical redundancy relations (ARRs) due to the causality limitations). If the calculation of all the set of MS is a problem, the method of calculation of only local MS was proposed in [12]. The set of local MS has the same detectability and isolability properties as a full set with exclusion of sensor faults, which is sucient in that case.
The conditions formulated in Points 3 and 4 are simple and can be obtained in the linear time for each fault (linear in the sense of a size of GP counted as a sum of the number of vertices and edges). Finding the hitting set is known hard algorithmic problem. Analysis in each strongly connected component is carried out locally using only the subset of variables. Both problems can be handled with standard discrete optimization techniques like branch and bound.

Example
The above conditions and algorithms will be illustrated using the three tank system example. The simple example was chosen to demonstrate the dierences between the proposed and the existing approaches. The three tank system is shown in Fig. 1, the lists of faults and symbols are presented in Table 1 and 2, respectively.
At the beginning, there are no assumptions concerning measured variables, only the control signal CV is known. We assume that all process variables can be measured, excluding p ZP and n, which belong to X D . We consider maximal diagnostic specication, and all faults should be detectable and distinguishable pairwise. The rst step of the analysis is verication if the diagnostic specication can be fullled using all possible measurements. For this purpose, sensors for all variables are added, in that case it is the set: and all MS are calculated for diagnosability analysis.
For the three tank system we obtain that all faults are detectable. The pair of faults {f 4 , f 5 } cannot be distinguised. These faults denote the lack of supply water and the fault in the pump. They can be distinguised using the sensor of the level in the buer tank, but this sensor is not considered in the model. The other faults are pairwise distinguishable.
3.3.1. Fault detectability The rst step of the fault detectability analysis is merging all strongly connected components of GP. The graph of a three tank system with merged strongly connected components is shown in Fig. 8. The vertices p P , p 1V , and F 1 were merged into SN 1 , and process variables describing the tanks were merged into SN 0 . All the faults inuencing the component SN 0 were merged into one fault denoted by f Σ . Figure 8: Graph of three tank system with merged strongly connected components Figure 10: The sets V Df of variables inuenced by the particular faults are listed in Table 3. Therefore, the necessary condition for the detectability of all the faults is measurement of at least one variable in each set. It should be noted that, in this case, placing a sensor at SN 0 is enough. The measurement of a vertex denoting a strongly connected component should be understood as a measurement of at least one variable in that component.

Fault isolability
For each pair of faults, we calculate the symmetric dierences of the V Df sets. The obtained sets are shown in Table 6. The necessary condition for the isolabilty of the faults is a measurement of at least one variable from each set. In should be noted that, for the isolation of the pair {f 4 , f 5 }, there is a need for measurement of n or p ZP , which were assumed unmeasurable. It conrms the previous isolability analysis.
The nest step is to nd the hitting set of the sets listed in Table 3 and Table 6. The hitting set should contain only possible sensor locations; therefore, the variables n and p ZP are not considered. This problem has only one solution containing variables: This solution fullls all the necessary conditions for detectability and isolability. The next step is a verication by building all MS with their sensitivity to faults. These model structures are listed in Table 4.      f 7 , f 9 p 1 , F 23 , p 2 , L 1 , F 12 , L 2 f 7 , f 10 F 23 , p 2 , L 2 f 7 , f 11 L 3 , F 23 , p 3 f 8 , f 9 L 3 , p 1 , F 23 , p 2 , F 3 , L 1 , p 3 , F 12 , L 2 f 8 , f 10 L 3 , F 23 , p 2 , F 3 , p 3 , L 2 f 8 , f 11 L 3 , F 3 , p 3 f 9 , f 10 p 1 , p 2 , L 1 , F 12 , L 2 f 10 , f 11 L 3 , F 23 , p 2 , p 3 , L 2 The faults f 1 , f 2 , f 3 , f Σ are detectable and distinguishable pairwise. The faults f 4 , f 5 are detectable and distinguishable from the other faults. In can also be noted that deletion of any sensor changes diagnosability properties of the system.

Strongly connected components
The further analysis will be carried out for each of the strongly connected components separately.
The strongly connected components with faults are shown in Figs. 9 and 10. Only one fault inuences the component SN 1 ; therefore, only the faults in SN 0 should be considered.
The list of the vertices cutting the path between each pair of faults in the component SN 0 is shown in Table 7. These sets were calculated using Algorithm 2. The cutting path vertices can be inputs of a model used for fault isolation. For each of the cutting path vertices, the set of possible model outputs is calculated. These sets are obtained by Algorithm 3. The results for the pair {f 6 , f 7 } are shown in Table 5.

Conclusions
In this paper, the sensor placement method was proposed with use of GP. The sensor placement problem for the fault diagnosis was discussed earlier, but the proposed solution has the following features diering it from the existing approaches: • The GP is used as a qualitative model of a process to be diagnosed. This model can be obtained at the design stage, without knowledge about the process equations. • This solution is intended for diagnosis systems using residuals comparing the measured value of a variable with a value calculated by a local black-box model and the results are consistent with that assumption. • This paper shows how to deal with cycles in a graph within the SDG approach. • The part of isolability analysis is carried out separately within each strongly connected component, which can limit computational complexity. Moreover, the solutions are provided separately for each strongly connected component, which can be suitable when the number of the solutions is large. The proposed solution can be extended by including the signs of the inuence in the isolability analysis or by analyzing signatures of multiple faults (like in [9]).