WO2000062135A1 - Digital controller redundancy using neural network fault detection - Google Patents

Abstract

Primary and backup controllers for a digital process control system where the digital controllers operate in the synchronous execution mode and the backup controller includes a neural network. Since the backup controller receives its process inputs from the primary controller, during the time in which the primary controller is reading the process inputs and driving the control outputs, the backup controller is idle. This idle time is used by the backup controller to execute a neural network analysis on both the primary and backup controller process inputs and control outputs. The purpose of this neural network analysis is to identify normal or failed operation of both the primary and backup controllers.

Description

DIGITAL CONTROLLER REDUNDANCY USING NEURAL NETWORK FAULT DETECTION

1. Field of the Invention

This invention relates to digital control systems and more particularly to those systems which include fault tolerant controllers.

2. Description of the Prior Art

The rapid evolution of microprocessor technology over the past two decades has resulted in an outgrowth of digital controller computers, which are used to operate modern industrial control systems. Digital controllers are capable of performing complex computations with constant accuracy at high speed. Such controllers offer the flexibility of being configured by software, so that by issuing a new program, the entire control operation can be changed. Digital control systems, which are distributed across large-scale processes, enable plant operators to view the system as single optimally controlled process instead of discrete independently controlled units. This view allows plant operators to take into account not only process variables but also economic factors, production requirements, equipment performance, and safety, while accomplishing optimal control of the industrial process.

As the acceptability and reliability of computer based control increases, digital controllers are being deployed for use in increasingly dangerous or hazardous processes. In these processes an unrecoverable computer failure could result in catastrophic consequences. Therefore, the digital controller should be fault tolerant so that the digital control system is recoverable without adverse disruption to the process.

The prior art has investigated several areas of fault tolerant digital control systems, including hardware architectures, performance and reliability versus cost, software design, and fault diagnosis. See for example, Establishing Fault Tolerance In Critical Process Control, Davis, InTech, pp. 57-60, October 1996; The Design Of Fault Tolerant, High Performance Control Systems, Tyrrell, IEE Colloquium Digest, vol. 241, pp. 5/1-5/4, 1994; and Software Design Issues In PC-Based Fault-Tolerant Control Systems, Putnam et al . , Process Automa tion Control Engineering Conference, pp. xiii-25 - xiii-29, May 1990. Hardware architectures include dual, triple, and even n-multiple redundant controller configurations, in which two or more controllers operate in tandem as master/slave pairs or voting clusters. Software designs include active/standby operation in which the primary controller operates the control logic, while one or more backup controllers operate in a passive standby mode.

The prior art has also proposed synchronous software execution models, in which all of the redundant controllers execute the same control logic in lock step (see for example, Campelo et al., Dependability Evaluation Of Fault Tolerant Architectures In Distributed Industrial Control Systems, IEEE International Workshop Of Factory Communications Systems, pp. 193-200, October 1997; and Beckman, Safety Performance vs. Cost Analysis Of Redundant Architectures Used In Safety Systems, Advances In Instrumenta tion And Control , pp. 371-381, October 1996; and Tyrrell) or autonomously (see Webster,

Ultrareliable, Fault-Tolerant, Control Systems-A

Conceptual Description, NASA Technical Memorandum TM- 86017, pp. 1-15, July 1985) . Fault diagnostic techniques proposed by the prior art include augmenting the conventional control logic with artificial neural networks or fuzzy logic (see Kim et al. Application of Neural Networks And Fuzzy Logic In Failure Detection And Fault Tolerant Control System Design, Ships Control Design Symposium, pp. 189-208, April 1997;

Venkatasubramanian et al., A Neural Network Methodology For Process Fault Diagnosis, AIChE Journal , pp. 1993- 2002, December 1989; and Vaidyanathan et al., Process Fault Detection And Diagnosis Using Neural Networks—I.

Steady-State Processes, Computers In Chemical

Engineering, vol. 14, no. 7, pp. 699-712, March 1990) to allow the controller to detect its failures and possibly take corrective control action.

As with any multifaceted problem, there are tradeoffs between hardware architectures, performance, software complexity, ability to diagnose faults, and cost. Certainly when user or environmental hazards may exist, a fail-safe control system is the top priority. But economic factors also place pressures on industry to control operating costs, thus a digital control system must be designed to be a cost effective solution to controlling the process in a safe operating manner.

Campelo et al. and Tyrrell each describe the sta te checkpoint method of controller redundancy which is a fault tolerant control technique that is commonly used in industry. In this technique, a pair of identical digital controllers operate in tandem, one as primary and the other as backup, to provide fault tolerant control of the process. On a periodic basis, the state of the primary controller is transmitted to the backup controller over a dedicated redundancy data link. This state transmission, called checkpointing, allows the backup controller to track the execution of the primary controller. Should the primary controller fail, the backup controller can rapidly take over control action without disruption to the process.

The popularity of the state checkpoint method is due primarily to the following:

1. Ease of implementation: the hardware design for the primary and backup controllers is identical. The software design simply allows one controller to execute the control logic as primary, and the second controller to receive the primary controller state information as backup. 2. Low cost of implementation: a redundant pair configuration requires only two controller modules, while triple or n-multiple redundant implementations will incur additional hardware costs . While the state checkpoint method of redundancy provides a simple, low cost redundant control solution, there are disadvantages to this approach, which include the following:

1. Backup execution lag: the primary controller periodically transmits its state to the backup controller after each control logic execution scan, thus the backup controller state always lags the primary controller state by one execution scan. In the event of a primary controller failure during an execution scan of the control logic, the backup controller will takeover and operate on old controller state information. This behavior may have undesirable side effects.

2. Uncertain availability of the backup controller: when the backup controller is online, it simply functions to periodically receive the primary controller state information and wait for the primary controller to fail. This relatively passive mode of operation does not guarantee that the backup controller will be able to operate correctly in the event of primary controller failure.

3. Backup takes over only on fatal primary failure: the backup controller monitors the status of the primary controller typically through hardware watchdog circuitry. The primary controller software is responsible for periodically refreshing this watchdog circuitry, otherwise it will timeout and a failover occur. Thus the event required to initiate a failover is often only a catastrophic primary controller failure. Various other primary controller failures, which do not trip the watchdog circuitry but may require controller failover, are not considered. These types of failures can include control logic errors and plant operator mistakes.

4. Finite communications bandwidth: the primary controller must transmit its state information to the backup controller every execution scan. This transmission occurs on a dedicated communications link between the primary and backup controllers.

As digital controller configuration grow increasingly complex, the amount of state information which the primary controller must transmit also grows, and this communications link becomes a bottleneck.

In order to address the limitations of the state checkpoint method of controller redundancy, as well as enhance the capabilities of redundant controller fault diagnosis, the present invention presents an alternative method, known as the synchronous execution method, to the state checkpoint method of digital controller redundancy.

In the synchronous execution method, the primary and backup digital controllers operate in a lock step manner, in which they both compute the control algorithm. The primary controller is responsible for reading the process inputs and driving the control outputs. The backup controller receives the process inputs from the primary controller, and executes the control algorithm in parallel to the primary controller.

To date, research has focused on using neural networks within a single controller to help detect operational faults (see Kim et al.; and Marcu et al., Robust Detection And Isolation Of Process Faults Using Neural Networks, IEEE Control Systems, pp. 72-79, October 1997) .

The present invention extends that implementation to redundant controller configurations by including a neural network in the backup controller. Since the backup controller receives its process inputs from the primary controller, during the time in which the primary controller is reading the process inputs and driving the control outputs, the backup controller is idle. This idle time is used by the backup controller to execute a neural network analysis on both the primary and backup controller process inputs and control outputs.

The synchronous execution method of controller redundancy, coupled with the neural network analysis by the backup controller, provides a powerful redundant controller system, which has the following advantages:

1. No backup execution lag: since the primary and backup controllers are operating on the same data set in tandem, both controllers contain the most current control logic information, and the backup controller is able to takeover without adversely impacting the process.

2. Backup controller availability is known: since the backup controller is executing the control logic, its health and readiness can be reported to the operator.

3. Backup controller can takeover on a variety of faults: failover to the backup controller is no longer dependent on only a catastrophic failure of the primary controller.

4. Reduced load on redundancy link: since the backup controller is executing the control logic, it is generating its own state information. Thus the amount of information that is required to be exchanged between the primary and backup controllers is reduced to the process inputs and control outputs.

Summary of the Invention A method for operating a primary digital controller and a backup digital controller that are connected in a redundant configuration. The method has the step of operating the primary and backup digital controllers in a synchronous execution mode. The method also has the step of including in the backup digital controller a neural network. A method for operating a primary digital controller and a backup digital controller that are connected in a redundant configuration. The method has the step of operating the primary and backup digital controllers in a synchronous execution mode. In that mode the primary controller reads for a first predetermined period of time inputs from a process under control by the primary controller and provides for a second predetermined period of time driving control outputs to the process. In that mode the primary and backup controller both execute an algorithm to control the process. The method also has the step of including in the backup digital controller a neural network.

A system for controlling a process. The system has a primary controller for controlling the process. The system also has a backup controller. The primary and backup controllers are connected to each other in a synchronous execution mode. The system further has a neural network included in the backup controller.

Description of the Drawing Fig. 1 shows a model for a process.

Fig. 2 shows the open loop step response of the discrete transfer function for the process of Fig. 1.

Fig. 3 shows a block diagram of a digital PI controller with unity gain feedback.

Fig. 4 shows the closed step response of the controller of Fig. 3. Fig. 5 shows a block diagram of a commercial implementation of the controller of Fig. 3.

Fig. 6 shows two identical controllers implementing the state checkpoint redundancy technique.

Fig. 7 shows two identical controllers implementing the synchronous excitation redundancy technique.

Fig. 8 shows a block diagram of a neural network having a single computational element.

Fig. 9 shows the integration of a neural network into the control loop of the controller of Fig. 3.

Fig. 10 shows a two layer neural network.

Fig. 11 shows the simulation model for training the neural network of Fig. 10.

Fig. 12 shows in graphical form the sum-squared error resulting from the training of the neural network.

Fig. 13 shows in graphical form the learning rate versus epoch number resulting from the training of the neural network.

Fig. 14 shows the enhanced simulation model for training the neural network of Fig. 10.

Fig. 15 shows in graphical form the expected behavior of the enhanced neural network during a step change response of the process model of Fig. 1.

Fig. 16a shows in graphical form the response of the enhanced neural network to the first part of an incorrect controller input test.

Fig. 16b shows in graphical form the response of the enhanced neural network to the second part of an incorrect controller input test. Fig. 17 shows in graphical form the response of the enhanced neural network to a simulation test representative of a stuck valve.

Fig. 18a shows in graphical form the response of the enhanced neural network to the first part of a simulation test representing a fault due to equipment failure.

Fig. 18a shows in graphical form the response of the enhanced neural network to the second part of a simulation test representing a fault due to equipment failure.

Fig. 19a shows in graphical form the response of the enhanced neural network to the first run of a simulation test representing the neural network exposed to disturbances in the process.

Fig. 19b shows in graphical form the response of the enhanced neural network to the second run of a simulation test representing the neural network exposed to disturbances in the process.

Fig. 19c shows in graphical form the response of the enhanced neural network to the third run of a simulation test representing the neural network exposed to disturbances in the process.

Description of the Preferred Embodiment (s) A. Description of the Process

The synchronous execution method of digital controller redundancy of the present invention will now be described in connection with process model 10 shown in Fig. 1. In the process model 10, the temperature of a tank 12 of fluid with a constant flow rate in and out is to be controlled by adjusting the temperature of the incoming fluid. The temperature of the incoming fluid is controlled by a mixing value 14 that adjusts the relative amounts of hot 16 and cold 18 supplies of the fluid. Because of the distance between the mixing valve 14 and the input point 20 of discharge of fluid into the tank 12, there is a time delay between the application of a change in the mixing valve position and the discharge of the flow with the changed temperature into the tank.

The differential equation governing the tank temperature is: ft = (cmTd — crhTc) cM where T. = tank temperature c = specific heat of the fluid M = fluid mass contained in the tank m = mass flow rate (tank inflow equals tank outflow) Tt = temperature of fluid entering tank

The temperature at the input 20 to the tank 12 at time t is the control temperature _Td seconds in the past, which can be expressed as:

where τ<ι = delay time Tec = temperature of fluid immediately after mixing valve

When the constants are combined, the following equation is obtained :

where a = mlM which transformed becomes

To form the discrete transfer function of G (s) , it is preceded by a zero-order hold, and the following is computed (assume χ_ά = IT - mT, 0 ≤ m < 1) :

z-ϊ 1 γ z{l(t + l) - e-^fl'^+mr) l(t + mT)

z-\ 1 -amT . z—\ z-e^' aT

1 (l-e-^αm')z + e- a^βm^mT^/ -e z-e -oT

1-e -amT z + z-e -aT

-amT -e -aT a

1-e -amT

For the specific values of the digital implementation, the sampling period T=l second, the system time constant a=l second, a flow delay _Td=1.5 seconds, and a mass flow

the discrete transfer function, G(z), reduces to:

Fig. 2 shows the open loop step response of G(z) . This graph shows that the process transfer function contains unity gain to constant control, and thus there will be a steady-state error to a constant control setpoint. Therefore, closed loop control is required to realize a target control setpoint. The development of such a controller will be described below in the section entitled "Controller Design." B. Controller Design

One of the most commonly used forms of control is the proportional, integral, and derivative (PID) controller. The PID controller is used throughout modern control theory, and the general form of the digital PID controller is given as follows:

where Kp = proportional gain constant Ti = integral time TD = derivative time T = sampling period

In practice, reduced variations of the PID controller are often used, including proportional only (P) control, and proportional and integral (PI) control. By specifying a sampling period for the digital controller, as well as suitable values for K_p, T_D, and T_Ir the digital PID controller can easily meet the specifications for a large segment of control problems.

The process model 10 described in the Description of Process section is interesting due to the transportation delay. The temperature of the fluid exiting the mixing valve 14 is not realized in the tank until a finite time period later. Such delays are common in the chemical processing industry, and because there is no internal integrator in the process transfer function, good steady- state accuracy requires integral control. In order to eliminate the open loop steady-state error which was observed in the process model 10, proportional and integral (PI) control will be applied to that model. By using only PI control, the digital controller is reduced to:

where Kp = proportional gain constant Ti = integral time T = sampling period

The discrete transfer function of the process model 10 was derived in the Description of Process section as follows : z+0.6065

G(z) = z²(z-0.3679)

Referring now to Fig. 3 there is shown a general block diagram of a digital PI controller with unity gain feedback. In Fig. 3, u is the control setpoint (input) to a summer 32, y is the process variable (output), D (z) is the digital PI controller 34, and G (z) is the transfer function of the process 36. The transfer function for this unity gain feedback controller is: y ₌ D(z)G(z) u l +D(z)G(z)

Given a D (z) transfer function for a digital PI controller, the G (z) transfer function for the process model 10, a sampling rate of T = 1 second, and a controller gain of K = K_p/T_Ir the new system transfer function, is computed as follows:

Kz² + 0.6065£z

(z - l)(z³ - 0.3679z² ) + Kz² + 0.6065Λ_z

Kz² + 0.6065£z

^~ z⁴ -1.3679z³ + 0.3679z² + Kz² + 0.6065Kz

KZ + Q.6065K

^~ z³ -1.3679z² +(0.3679 + K)z + 0.6065K Fig. 4 shows the closed loop step response of the digital PI controller 30 with a controller gain K=0.1. As can be from Fig. 4, using proportional and integral control the desired setpoint can be achieved within 15% overshoot and a reasonable amount of settling time, based on the overall dynamics of the process model 10. The implementation of the digital PI controller 30 in a commercial digital control system will be described below in the section entitled "Controller Implementation." C. Controller Implementation

The proportional and integral (PI) controller which was designed in the Controller Design section can be readily implemented in a commercial digital control system (DCS) . Fig. 5 shows such a DCS 90 using by way of example but not of limitation the SYMPHONY™ DCS manufactured and sold by an operating unit of the assignee of the present invention. In Fig. 5, analog signals are represented by solid interconnection lines, and Boolean signals are represented by dashed interconnection lines.

The DCS 90 includes five blocks 100, 110, 120, 130 and 140 each of which represent a configured function of the DCS. A function code is a module of software that is programmed to execute a specific algorithm or control function based on user configured information, such as control loop gain constants. Groups of function codes are connected together in sequences to create a wide variety of control strategies.

The specific function configured in each of blocks 100-140 is described in Table 1 below.

Table 1: Configured Function Codes.

Block Function Description

Number Code

100 (222) Analog Input from process: supplies the controller logic with a sampled value of the process variable.

110 (2) User Set Constant.: allows the operator to specify the target control setpoint.

120 (19) Proportional, Integral, and Derivative (PID) Control: computes the PID algorithm using the SP (setpoint) and PV (process variable) inputs. The TR and TS inputs are for manual mode operation. TR is the track reference value and TS is the boolean track select signal.

130 (80) Manual/Auto (M/A) Station. 140 (223) Analog Output to process,

The digital controller 90 executes the configured function codes in sequential block number order on a periodic basis. For the mixing process 10, every one second the controller will sample the process variable input, compute the PID algorithm, and drive the control output. The Manual/Auto Station (function code 80 at block 130) is used to provide an operator interface to the process 10 to allow an operator to place the loop into manual control mode, during which time the PID control loop is overridden by an operator supplied value.

In order to achieve redundant controller operation, the DCS 90 includes as is shown in Fig. 6 two identical controllers 150 and 152 which are configured as a redundant pair to thereby implement the well known state checkpoint redundancy technique. Controller 150 is the primary controller and the controller 152 is the backup controller. The primary controller 150 samples process inputs, executes the function code configuration, and drives control outputs on a regular period known as an execution scan .

Each execution scan results in specific state information being computed by the control logic. Such state information includes the process variable input and user setpoint values, intermediate computations of the PID algorithm, the mode of the control loop (auto or manual), and the process control output. At the end of an execution scan, the data structures which contain this state information are transmitted (checkpointed) to the backup controller 152 over a high speed redundancy interface link 154. In the event of catastrophic failure of the primary controller 150, special watchdog hardware on the backup controller 152 allows it to take over control action within a few milliseconds.

A typical DCS 90 can be configured to execute several thousand function code blocks, which may comprise several hundred control loops, in a single redundant controller pair 150, 152. This configuration results in a significant amount of information that is checkpointed from the primary controller 150 to the backup controller 152. The limitations of this configuration have been described previously.

Referring now to Fig. 7 there is shown an embodiment for the synchronous execution method of controller redundancy of the present invention. The method of the present invention overcomes the limitations of the state checkpoint method. In developing the redundancy technique of the present invention it was recognized that controller 152 of the state checkpoint redundancy method spends most of its execution time waiting for the primary controller 150 to execute its control logic.

In the synchronous execution technique of the present invention, the primary controller 160 reads the process variables (inputs) and send them to the backup controller 162 over a high speed redundancy interface link. Both the primary and the backup controllers 160, 162 execute the control logic in parallel, and the primary controller 160 drives the control outputs and sends them to the backup controller 162. During the time in which the primary controller 160 is reading the process inputs and driving the control outputs, the backup controller 162 executes a neural network analysis on the inputs and outputs of the primary as well as its own inputs and outputs.

This approach to controller redundancy enhances system robustness and overcomes several limitations of the state checkpoint method as follows:

1. No backup execution lag: since the primary and backup controllers 160, 162 are operating on the same data set in tandem, both controllers contain the most current control logic information, and the backup controller 162 is able to takeover without adversely impacting the process.

2. Backup controller 162 availability is known: since the backup controller 162 is executing the control logic, its health and readiness can be reported to the operator.

3. Backup controller 162 can takeover on a variety of faults: failover to the backup controller 162 is no longer dependent on only a catastrophic failure of the primary controller 160. 4. Reduced load on redundancy link: since the backup controller 162 is executing the control logic, it is generating its own state information, thus the amount of information that is required to be exchanged between the primary and backup controllers 160, 162 is reduced to the process inputs and control outputs. By changing the redundancy architecture from the state checkpoint method to the synchronous execution method, several benefits are realized including an overall more robust redundant control system. The remaining component to be discussed in this new architecture addresses the need for fault diagnosis by implementing a neural network analysis, which executes on the backup controller 162. The design of this neural network is presented in the section entitled "Neural Network Design and Implementation."

D. Neural Network Design and Implementation

As is well known to those skilled in the art, artificial neural networks (ANN) arose from a desire to model the human brain and thereby build computing algorithms which could emulate the human cognitive process. Such networks have become useful engineering tools, which can be applied to a diverse set of complex problems, including pattern recognition, identification, and classification. The basic idea is to assemble a large number of simple computational blocks, each of which may have the same internal computational function. These computational blocks are then interconnected by various pathways. By adjusting the "strength" of the interconnections, the resulting system can be used to map a set of inputs into a desired output. Figure 8 depicts an example of a single computational element (neuron) 170 and its associated interconnections.

A neuron contains a set of inputs (p ) to a summing block 172, a set of weights Wi) for each input, and a transfer function (F) 174, which is typically a step or sigmoid function. Given that:

R = a vector of theinputs p .../?, W = avectorof theweights w, ...w_t £ = a vectorof the biases b ..b, The output of the neuron 170 can be expressed as: Output = F(WP + B)

A neural network is formed by assembling these neurons into interconnected layers. By adjusting the weights, w of each of the neurons, the resulting network can be used to map an input space to an output space, whose functional relationship may be complex and highly nonlinear. The process of adjusting these weights is referred to as training the neural network, and it requires target input data vectors, which contain both desirable and undesirable network behavior, to be presented to the network. Training a neural network is usually performed as an offline, iterative process. Each iteration in training is called an epoch .

The goal of training a neural network is to minimize the sum squared error between the computed network output vectors and the target vectors. One popular technique which accomplishes this task is called backpropagation training. The backpropagation training process can be considered to have four phases: 1. Presentation phase: present an input training vector and calculate each successive layer's output until the last layer's output is found.

2. Check phase: calculate the network error vector and the sum squared error for the input vector. Stop training if the sum squared error for all training vectors is less than the error goal, otherwise continue.

3. Backpropagation phase: calculate the delta vector for the output layer using the target vector. Then backpropagate the delta vector to the proceeding layers.

4. Learning phase: calculate each layer's new weight matrix and new bias vector. Then iterate to Phase 1, the presentation phase.

Backpropagation training utilizes a gradient based search technique such that for each training iteration, it adjusts the weights and biases of the network in the direction of steepest descent with respect to the error. Generally, the training technique is slow because of relatively small learning rates (large learning rates result in unstable learning) , and local minima found during the gradient descent may trap the network's learning ability. In order to improve its performance, momentum and adaptive learning are usually incorporated into the backpropagation training process. Adding momentum to backpropagation training decreases the probability that the network will get trapped in a local minimum. And adding an adaptive learning rate decreases the training time by keeping the learning rate reasonably high while insuring stable learning.

Once a network is properly trained, its weights and transfer functions can be readily implemented in software, thus providing an efficient method to perform pattern recognition, identification, and classification. For the mixing process model 10, a neural network is applied to recognize controller faults in both the primary and backup controllers. In order to accomplish this task, the neural network must be coupled to the process control loop from which it receives its inputs. Figure 9 depicts the integration of a neural network 180 into the control loop of Fig. 3 for the purpose of monitoring the system behavior.

The inputs 182, 184 to this neural network 180 are the output of the controller 34 and the process variable from transfer function 36. The output 186 of the neural network 180 is a status value, which conveys information regarding the controller operation (l=good, 0=bad) . Given the requirements of two inputs and one output, an initial neural network consisting of a single layer of neurons was purposed for use in the synchronous execution method of the present invention. After further experimentation and analysis it was decided, however, to implement the two layer neural network 200 shown in Figure 10 for the synchronous execution method of the present invention. The two layers are known as the hidden layer 202 and the output layer 204.

The two layer network 200 utilizes nine neurons in the hidden layer 202, and one neuron in the output layer 204. The tansig function is used in the hidden layer 202 because it is a fully differentiable function, which suits it well for the backpropagation training techniques used in this embodiment. The logsig neuron transfer function is used in the output layer 204 because its output varies between 0 and 1, which is consistent with the requirements of the status output signal of the neural network 200.

In order to properly train the network 200, various input data vectors for the control output and process variable were generated by using the Simulink functions in the MATLAB software available from Mathworks, Inc. The approach used to generate these training vectors is as follows:

Given the discrete transfer function of the process model 10, which was computed in the Description of Process section as follows:

_, . z+0.6065

Cr(z) = — z² (z -0.3679)

z + 0.6065 ^~z³-0.3679z² and given the discrete transfer function of the PI controller 30, which was computed in the Controller Design section as follows:

z-1 Figure 11 shows the Simulink simulation model 210 for neural network training. Model 210 was run using various operating inputs in order to build an input vector for training neural network 200. This training input vector depicts the process model 10 in normal operation in which no faults exit. The elements of this vector contain the steady-state values for controller output (Pi) 212 and process variable (P₂) 214.

In addition to using the normal operation steady- state values for the controller output and process variable various fault conditions must also be presented during the training process in order to accurately train the neural network 200. For the mixing process model 10, three such fault conditions were considered:

1. Control output error: this fault may be caused because of computational error in the controller algorithm, by the controller not being able to write the control output to the field, or by a faulty piece of equipment, e.g.: a stuck valve.

2. Process variable error: this fault may be caused by the controller not being able to read the input, by damaged field wiring, or due to a failed sensor.

3. Invalid operator action: this fault may be caused by an operator erroneously tuning the PI control loop, etc.

Table 2 presents a group of selected good operating points, which were used to train the neural network. This group includes normal operating inputs (operator setpoints) , and outputs (controller outputs and process variables) . These values were used to train the network to produce a good output (neural network output=l) . Table 2: Selected Good Operating Points for Training.

Setpoint Controller output Process variable Neural network output

1 0.394 0.997

25 9.850 24.900

50 19.700 49.900

75 29.600 74.800

100 39.400 99.700

The values presented in Table 2 consist of five controller output and process variable pairs, which represent valid steady-state operating points for the process model 10. In order to properly train the neural network 200, bad or invalid operating points must also be presented during training. By taking the good value pairs from Table 2, and rearranging them into other combinations, a complete set of invalid operating pairs was created.

Table 3a presents a two-dimensional matrix, which contains both the good (valid) and bad (invalid) operating value pairs. This table represents the entire training data for the neural network 200. For each controller output and process variable pair, a neural network output value of 1 indicates a valid operating point for the process, and a value of 0 indicates that the pair is an invalid operating point.

Table 3a: Valid and Invalid Process Operating Pairs.

Controller output

Process 0.394 9.850 19.70 29.60 39.40 variable 0 0 0

0.997 1 0 0 0 0

24.900 0 1 0 0 0

49.900 0 0 1 0 0

74.800 0 0 0 1 0

99.700 0 0 0 0 1 Table 3b expands the two dimensional matrix presented in Table 3a in order to specifically describe the failure conditions and fault values which were presented to the network 200 for training. For example, lines 1-5 of Table 3b contain the good operating points. Lines 6-25 contain the operating points at which the control output or process variable is in error due to computational faults, operator interaction errors, misread inputs, or faulty equipment.

Table3b: Expanded Neural NetworkTrainingVectors.

Line Controller output Process variable Network output

1 0.394 0.997

2 9.850 24.900

3 19.700 49.900

4 29.600 74.800

5 39.400 99.700

6 0.394 24.900 0

7 0.394 49.900 0

8 0.394 74.800 0

9 0.394 99.700 0

10 9.850 0.997 0

11 9.850 49.900 0

12 9.850 74.800 0

13 9.850 99.700 0

14 19.700 0.997 0

15 19.700 24.900 0

16 19.700 74.800 0

17 19.700 99.700 0

18 29.600 0.997 0

19 29.600 24.900 0

20 29.600 49.900 0

21 29.600 99.700 0

22 39.400 0.997 0

23 39.400 24.900 0

24 39.400 49.900 0

25 39.400 74.800 0

The training parameters used for the network 200 were selected as typical backpropagation training parameters, and their values are presented in Table 4. Table 4: Neural Network Training Parameters.

Network training parameter Value

Number of neurons 10

Initial weight and bias values Random

Maximum number of epochs to train 500

Sum squared error level target value 0.001

Learning rate 0.01

Learning rate increase multiplier 1.05

Learning rate decrease multiplier 0.7

Degree of momentum 0.95

Maximum old to new error ratio 1.04

Based on the input training vectors and the training parameters, the neural network 200 for the mixing process model 10 completed its training in 403 epochs. The resultant weight and bias vectors were computed to be:

1.1616 - 0.3828

- 0.9816 - 1.9628

- 0.7672 - 0.8481

0.3558 0.0980 w, 1.2344 - 0.3956

0.9421 - 0.4498

1.0240 0.9988

- 0.4693 0.9180

0.6699 0.4941

1.0582

- 0.8882

- 0.3856 0.5710 β, = 0.4197

- 0.6897 0.5156 1.0286

- 1.3597

^. = [2.8567 1.1709 0.2997 -1.3569 2.1400 -4.7262 0.1097 1.2826 -2.7610]

B_ = [- 0.9594 ]

As the neural network 200 was trained, data regarding the training iteration (epoch) , the learning rate, and the sum-squared error for each epoch were accumulated. Table 5 presents the resultant training data for a sampling of the first and last few training iterations.

Table 5: Sample Training Epoch Results.

:h Sum squared error Learning rate Epoch Sum s< quared error l Learning rate

1 6.0600 0.0100 ... ... ...

2 4.4100 0.0105 389 0.0020 20.1000

3 3.7000 0.0110 390 0.0019 21.1000

4 3.6600 0.0116 391 0.0018 22.2000

5 3.6300 0.0122 392 0.0017 23.3000

6 3.6100 0.0128 393 0.0016 24.5000

7 3.5900 0.0134 394 0.0015 25.7000

8 3.5700 0.0141 395 0.0015 27.0000

9 3.5600 0.0148 396 0.0014 28.3000

10 3.5500 0.0155 397 0.0013 29.8000

11 3.5400 0.0163 398 0.0013 31.2000

12 3.5300 0.0171 399 0.0012 32.8000

13 3.5200 0.0180 400 0.0011 34.4000

14 3.5100 0.0189 401 0.0011 36.2000

15 3.5100 0.0198 402 0.0010 38.0000

403 0.0010 39.9000

The samples in Table 5 demonstrate that the target sum- squared error of 0.001 was easily met after 403 training epochs of the neural network 200.

Fig. 12 shows in graphical form the sum-squared error information. The graph shows that after 300 training epochs a dramatic decrease in the sum-squared error occurred, resulting in a value less than 0.5. Once training epoch 403 was reached, the sum-squared error target of 0.001 was realized.

Fig. 13 shows in graphical form the learning rate versus epoch number. The graph in Figure 13 shows that the initial learning rate of the network 200 started small (less than 0.01), but climbed steadily for the first 100 iterations. Just after iteration 100, the network training realized a local minima solution but not a globally optimal solution. The backpropagation training approach caused the learning rate to fall sharply between iterations 100 and 150 to nearly 0.0005, where the network training was able to recover. After iteration 150, the learning rate began a steady increase to its final value of just under 40 in epoch 403.

The final step in the neural network design effort was to convert the training results to source code which could be readily implemented on the target hardware digital controller platform. Given the resultant neural network weights and biases, which were computed during the training process, the neural network was implemented in C language, as presented in Listing 5 (nnet . c) . The actual function which is used to compute the neural network output is nnet () . Its two arguments are the control output, co, and the process variable, pv, and it returns a Boolean 0 or 1 neural network output status. This function was coded inline without any looping constructs in order to achieve the fast possible executable machine code.

The Analysis section provides an analysis of the implementation for neural network 200 as well as its performance on the target digital control system. E. Analysis The first step in the analysis of the trained neural network 200 described above is to consider how the network 200 operates over a variety of both normal and fault inputs. In order to investigate both normal and fault operation, the Simulink model 210 of Figure 11 was enhanced to allow fault insertion and a more detailed analysis.

Referring now to Figure 14, there is shown the enhanced model 220 of model 210. The enhancements to the model 220 include the addition of logic 222, 224, which allows failures to be inserted at both the control output, co, and the process variable, pv. The control output faults are operated by the new co fault switch logic block 222a. The logic block 222 allows the control output to operate normally or at erroneous values, which are specified by the co fault value logic block 222b. The process variable faults are operated by the new pv fault switch logic block 224. This logic block allows the process variable to feedback to the controller normally or at one of several erroneous values, which include an incorrect value, drifting value, or a value with a varied amount of noise. Finally, the model 220 was enhanced to include additional output graphing logic blocks, which allow for verification of the control loop behavior during the normal and fault simulations. When model 220 is run, it provides a 60 second simulation of the mixing process model 10, and generates six output vectors, which are defined in Table 6.

Table 6: Output Vectors of Simulink Model.

Variable Description name sp operator setpoint. co controller output. vp valve position (may differ from co due to fault conditions), tt tank temperature, actual, ft feedback temperature (may differ from tt due to fault conditions), net neural network output.

Several test simulations were run using the enhanced Simulink model 220. The results of these simulations are described below. In each simulation test, the values of each of the six output vectors were graphed versus time and analyzed to verify the operation of the enhanced neural network 220. 1. Simulation Test 1: Normal Operation

The first simulation that was run verifies normal operation of the enhanced neural network 220. In this simulation, the initial setpoint at t=0 is set to 33. Then at t=30, the setpoint is changed to 66, where it remains until the end of the simulation run. No faults are introduced. Figure 15 shows in graphical form the results of this test.

The graphs in Figure 15 show the expected behavior of the neural network 220: during the step change response of the process model 10, the network output is temporarily bad (output=0), but within 4 seconds (4 execution scans) , the neural network 220 output returns to good (output=l) , which indicates that no faults exist. This behavior is consistent with the fact that the neural network 220 was trained using steady-state operation parameters of the process model 10. Thus during process transitions, such as setpoint changes, the network 220 will be unable to distinguish between good (valid) and bad (invalid) process operation. The network 220 maintains this good status throughout the steady-state operation of the process.

2. Simulation Test 2: Incorrect Controller Output.

The second simulation test includes a fault due to an incorrect controller output. Such a condition might arise due to an error in the controller computation algorithm, or an invalid controller gain setting due to operator error. In the first part of this test, the simulation runs normally until t=30, at which time the controller output goes to zero, which simulates a faulty computational output.

Figure 16a shows in graphical form the results of the first part of the test. The graphs in Figure 16a show that when the controller output fault is inserted at t=30, the enhanced neural network 220 is able to detect the failure within one second (one execution scan) .

In the second part of the test, at the start if the simulation, the gain of the PI loop is changed (perhaps inadvertently by an operator) . The process model 10 is then allowed to run with the erroneous gain setting.

Figure 16b shows in graphical form the results of the second part of the test. The graphs in Figure 16b show that when the controller gain is erroneously changed, the result is a large overshoot and underdamped settling condition in the system response. During the overhsoot and longer settling periods, the enhanced neural network 220 is able to correctly detect the failure. Once the system has settled, the network output returns to valid. This behavior is consistent with the fact that the enhanced neural network 220 was trained with the data taken from steady-state operation of the process.

2. Simulation Test 3: Stuck Mixing Valve The third simulation test presents a fault due to equipment failure. In this test, the failure is a stuck mixing valve. The simulation begins with normal operation at a setpoint of 33, but at t=30, the mixing valve becomes stuck. Thus it is unable to move to meet the control output demand required from the new setpoint of 66. Figure 17 shows in graphical form the results of this test. The graphs in Figure 17 show that when the valve fails to move at t=30, the enhanced neural network 220 is able to identify the failure within 2 seconds (2 execution scans) .

4. Simulation Test 4: Process Variable Input Faults The fourth simulation test also presents a fault due to equipment failure. In this test, the failure is a faulty process variable measurement, which could be caused by a failed sensor or damaged field wiring. In the first part of this test, the simulation runs normally at a setpoint of 33, but at t=30, a fault occurs in the input field wiring. This fault causes an erroneous process variable value to be used in the controller operation.

Figure 18a shows in graphical form the results of this test. The graphs in Figure 18a show that when the process variable input fault is introduced at t=30, within one second (one execution scan) the enhanced neural network 220 is able to detect the failure.

In the second part of this test, the simulation again begins normally at a setpoint 33, but at t=30, a sensor fault occurs. This fault causes the process variable value to drift.

Figure 18b shows in graphical form the results of this test. The graphs in Figure 18b show that when the fault is initially introduced at t=30, the enhanced neural network output remains valid for several seconds

(execution scans) . Eventually as the feedback temperature value continues to change due to sensor drift, the enhanced neural network 220 is able to detect the failure.

5. Simulation Test 5: Neural Network Response to

Process Disturbances. This simulation tests measure the behavior of the enhanced neural network 220 when the network is exposed to disturbances in the process. One cause of such disturbances is sensor noise, which is usually present during normal process operation. This test modifies the Simulink model, so that white noise is introduced with the process variable in the feedback temperature to the controller. The initial setpoint of the process is 33, and at t=30, the setpoint is changed to 66. In the first run of this simulation, the white noise level is set to 5% (a 0.05 variance) of the steady-state process variable value. No additional process faults are active in this test run.

Figure 19a shows in graphical form the results of this test. The graphs in Figure 19a show that despite the presence of noise in the sensor feedback temperature (process variable) , the enhanced neural network 220 is able to successfully detect normal process operation. The results of this test match those shown in Figure 15 for Simulation Test 1: Normal Operation.

In the second run of Simulation Test 5, the white noise level is set to 20% (a 0.2 variance) of the steady- state process variable value. No additional process faults are active in this test run.

Figure 19b shows in graphical form the results of this test. The graphs presented in Figure 19b show that at process noise disturbance levels of 20% and above, the enhanced neural network 220 begins to have difficulty distinguishing between valid and invalid operating modes of the process. The variations in the feedback temperature signal due to noise cause the neural network output to fluctuate between good (valid) and bad (invalid) process failure detection. As the noise disturbance levels increase to 20% and above, the neural network 220 can still be used for fault detection, however due to its output fluctuations between good and bad status, the instantaneous network output cannot be relied on directly as an indicator of failure conditions. Instead of using only the instantaneous network output value, a statistical correlation of the output or a time averaged approach could be used in which a set of the most recent neural network outputs are collected and averaged. The result of this average could then be used to detect whether failures exist in the process and report them accordingly.

In the third run of this test, the while noise level is set to 10% (a 0.1 variance) of the steady-state process variable. At this white noise level, the enhanced neural network 220 is readily able to distinguish between good (valid) and bad (invalid) process operation in the presence of a moderate amount of noise. In order to verify that fault detection operation is also possible, at t=30 a stuck valve fault is inserted into this simulation run.

Figure 19c shows in graphical form the results of this test. The graphs presented in Figure 19c show that the enhanced neural network 220 is able to detect both good (valid) and bad (invalid) process operation. From time t=0-29, the network 220 indicates good operation. When the setpoint is changed to 66, and the stuck valve fault is introduced at t=30, the network 220 is able to detect the failure within 2 seconds (2 execution scans) . These results are consistent with those shown in Figure 17 for the free network analysis of Simulation Test 3. Redundancy Resource Requirements Analysis .

Since the enhanced neural network 220 accurately detects both normal and failure modes, the next analysis that was performed was on the target controller implementation. The goal of this analysis is to determine the change in processing resource requirements of the target digital controller due to the change in redundancy techniques (from the state checkpoint method to the synchronous execution method of the present invention) , and also to determine the additional processing requirements needed to perform the neural network computations on the backup controller.

The target digital controller used in this analysis is a digital controller used in the SYMPHONY™ DCS. That controller contains a Motorola 68060 based microprocessor executing at 50MHz. The controller redundancy link is a high speed, dedicated serial interface, which is capable of transferring a sustained 300 kilobytes of information per second between the primary and backup controllers . Given the previously designed function code controller implementation, Table 7 presents the computational memory requirements and execution times for the function code logic when executing on the target platform. Table 7: Function Code Memory Requirements and Execution Times.

Block Function Memory Executioi n time

Number Code (bytes) (μsecs)

100 (222) 300 300

110 (2) 40 7

120 (19) 150 259

130 (80) 366 118

140 (223) 300 300

Totals 1156 884

Table 7 shows that for each configured control loop, the primary controller must checkpoint 1156 bytes of controller state information to the backup controller every execution scan, which is once per second in the mixing process model 10. A typical controller can be configured to execute several hundred of these control loops, which results in several hundred kilobytes of data which must be checkpointed to the backup controller each execution scan. When the state checkpoint method of controller redundancy is replaced with the synchronous execution method of the present invention, only the data for the input (function code 222) and output (function code 223) function codes must be checkpointed to the backup each scan. The state information for the remaining function codes 2, 19, and 80 is computed in parallel on the backup controller. Therefore, the present invention reduces the amount of checkpoint data from 1156 bytes per control loop to 600 bytes; a 48% reduction.

In practice, controller configurations often contain additional function codes, which perform operations such as trending or signal shaping. Using the state checkpoint method of controller redundancy, the data for these function codes would have to be checkpointed to the backup controller. Using the synchronous execution method of controller redundancy, these function codes would also execute in parallel on the backup controller, thus resulting in additional checkpoint data size reductions. Neural Network Execution Time Analysis .

The synchronous execution method of controller redundancy allows the redundancy link checkpoint bandwidth to be conserved by executing the control logic in parallel on both the primary and backup controllers. The remaining task for the backup controller is to execute the neural network analysis on the process data sets of both the primary and backup controllers. In order to accomplish this task, the backup controller must call the function nnet () , as presented in Listing 5 (nnet.c), with the control output and process variable for each execution scan on both the primary and backup controllers. Since only the primary controller is reading the process variable and driving the control output (via function codes 222 and 223) , the backup controller can use this time to execute the neural network analysis. The backup controller will also receive a copy of the process variable and computed control output from the primary controller each execution scan.

Given the C language implementation of the neural network as presented in Listing 5 (nnet.c), it was compiled to Motorola 68000 assembly as presented in Listing 6 (nnet . src) . The compile takes advantage of the math coprocessor that is available on the 68060, and thus highly efficient code is generated. An analysis of the code reveals that to perform the neural network function, 142 machine instructions are required, which includes 138 floating point coprocessor instructions. These instructions are presented in Table 8.

Table 8: Machine Instruction Cycles For Function nnet().

Machine Instruction Execution cycles jsr nnet(co.pv) 120 fmovem. fp2/fp3 fp4,-(sp) 60 x fmove.s 44(sp),fp2 34 fmove.s 40(sp),fp3 34 fmove.x fp3,fp0 33 fmul.d #:3FF295E9E1 B089A0,fp0 98 fmove.x fp2,fp1 33 fmul.d #:BFD87FCB923A29C7,fp1 98 fadd.x fpl.fpO 51 fadd.d #:3FF0EE631 F8A0903,fpO 58 fmul.d #:C000000000000000,fp0 98 fetox.x fpO.fpO 497 fadd.d #:3ff00000,fp0 58 fsub.d #:3ff00000,fp0 58 fmove.d #:4000000000000000,fp1 72 fdiv.x fpO.fpl 128 fmul.d #:4006DA858793DD98,fp1 98 fmove.x fp3,fp0 33 fmul.d #:BFEF694467381 D7E,fpO 98 fmove.x fp2,fp4 33 fmul.d #:BFFF67A0F9096BBA,fp4 98 fadd.x fp4,fp0 51 fadd.d #:BFEC6C226809D495,fp0 58 fmul.d #:C000000000000000,fp0 98 fetox.x fpO.fpO 497 fadd.d #:3ff00000,fp0 58 fsub.d #:3ff00000,fp0 58 fmove.d #:4000000000000000,fp4 72 fdiv.x fp0,fp4 128 fmul.d #:3FF2BC01A36E2EB2,fp4 98 fadd.x fp4,fp1 51 fmove.x fp3,fp0 33 fmul.d #:BFE88CE703AFB7E9,fp0 98 fmove.x fp2,fp4 33 fmul.d #:BFEAF0068DB8BAC7,fp4 98 fadd.x fp4,fp0 51 fadd.d #:BFD8ADAB9F559B3D,fp0 58 fmul.d #:C000000000000000,fp0 98 fetox.x fpO.fpO 497 fadd.d #:3ff00000,fp0 58 fsub.d #:3ff00000,fp0 58 fmove.d #:4000000000000000,fp4 72 fdiv.x fp0,fp4 128 fmul.d #:3FD32E48E8A71 DE7,fp4 98 fadd.x fp4,fp1 51 fmove.x fp3,fp0 33 fmul.d #:3FD6C56D5CFAACDA,fpO 98 fmove.x fp2,fp4 33 fmul.d #:3FB916872B020C4A,fp4 98 fadd.x fp4,fp0 51 fadd.d #:3FE245A1CAC08312,fp0 58 fmul.d #:C000000000000000,fp0 98 fetox.x fpO.fpO 497 fadd.d #:3ff00000,fp0 58 fsub.d #:3ff00000,fp0 58 fmove.d #:4000000000000000,fp4 72 fdiv.x fp0,fp4 128 fmul.d #:BFF5B5DCC63F1412,fp4 98 fadd.x fp4,fp1 51 fmove.x fp3,fp0 33 fmul.d #:3FF3C01A36E2EB1C,fpO 98 fmove.x fp2,fp4 33 fmul.d #:BFD95182A9930BE1 ,fp4 98 fadd.x fp4,fp0 51 fadd.d #:3FDADC5D63886595,fp0 58 fmul.d #:C0O000000O0OO00O,fpO 98 fetox.x fpO.fpO 497 fadd.d #:3ff00000,fp0 58 fsub.d #:3ff00000,fp0 58 fmove.d #:4000000000000000,fp4 72 fdiv.x fp0,fp4 128 fmul.d #:40011EB851 EB851 F,fp4 98 fadd.x fp4,fp1 51 fmove.x fp3,fp0 33 fmul.d #:3FEE25AEE631 F8A1,fp0 98 fmove.x fp2,fp4 33 fmul.d #:BFDCC985F06F6944,fp4 98 fadd.x fp4,fp0 51 fadd.d #:BFE61205BC01A36E,fpO 58 fmul.d #:C000000000000000,fp0 98 fetox.x fpO.fpO 497 fadd.d #:3ff00000,fp0 58 fsub.d #:3ff00000,fp0 58 fmove.d #:4000000000000000,fp4 72 fdiv.x fp0,fp4 128 fmul.d #:C012E7A0F9096BBA,fp4 98 fadd.x fp4,fp1 51 fmove.x fp3,fp0 33 fmul.d #:3FF0624DD2F1A9FC,fp0 98 fmove.x fp2,fp4 33 fmul.d #:3FEFF62B6AE7D567,fp4 98 fadd.x fp4,fp0 51 fadd.d #:3FE07FCB923A29C7,fp0 58 fmul.d #:C000000000000000,fp0 98 fetox.x fpO.fpO 497 fadd.d #:3ff00000,fp0 58 fsub.d #:3ff00000,fp0 58 fmove.d #:4000000000000000,fp4 72 fdiv.x fp0,fp4 128 fmul.d #:3FBC154C985F06F7,fp4 98 fadd.x fp4,fp1 51 fmove.x fp3,fp0 33 fmul.d #:BFDE0902DE00D1 B7,fp0 98 fmove.x fp2,fp4 33 fmul.d #:3FED604189374BC7,fp4 98 fadd.x fp4,fp0 51 fadd.d #:3FF07525460AA64C,fp0 58 fmul.d #:C000000000000000,fp0 98 fetox.x fpO.fpO 497 fadd.d #:3ff00000,fp0 58 fsub.d #:3ff00000,fp0 58 fmove.d #:4000000000000000,fp4 72 fdiv.x fp0,fp4 128 fmul.d #:3FF4858793DD97F6,fp4 98 fadd.x fp4,fp1 51 fmove.x fp3,fp0 33 fmul.d #:3FE56FD21 FF2E48F,fp0 98 fmove.x fp2,fp4 33 fmul.d #:3FDF9F559B3D07C8,fp4 98 fadd.x fp4,fp0 51 fadd.d #:BFF5C154C985F06F,fp0 58 fmul.d #:C000000000000000,fp0 98 fetox.x fpO.fpO 497 fadd.d #:3ff00000,fp0 58 fsub.d #:3ff00000,fp0 58 fmove.d #:4000000000000000,fp4 72 fdiv.x fp0,fp4 128 fmul.d #:C00616872B020C4A,fp4 98 fadd.x fp4,fp1 51 fadd.d #:BFEEB367A0F9096C,fp1 58 fneg.d fp1,fp1 35 fetox.x fpl .fpO 497 fadd.d #:3ff00000,fp0 58 fmove.d #:3FF0000000000000,fp4 72 fdiv.x fp0,fp4 128 ftstx fp4 56 fbngt.w L20001 24 moveq #1 ,d0 10 bra.s L20000 22 moveq #0,d0 10 fmovem. (sp)+,fp2/fp3 fp4 60 x its 40

Total 14146 The total number of machine instruction execution cycles for the neural network analysis function nnet () is given in Table 8 as 14,146. Since the target controller's microprocessor is being clocked at 50MHz, this yields an instruction execution cycle time of 2.0x10^{" 8} seconds. The total execution time of function nnet () is computed to be 14,146 * 2.0xl0^"8, or 2.83xl0^"4 seconds; about 284 microseconds. This time is within the 300 microseconds required to execute function codes 222 and 223. Based on this algorithm implementation, the backup controller can easily execute a neural network analysis on both the primary and its own data sets during a control logic execution scan.

It should be appreciated that the synchronous execution method of the present invention overcomes the limitations of the state checkpoint method. It should also be appreciated that while method of the present invention uses a neural network, the flexibility and simplicity of that network allows the method of the present invention to have increased functionality at virtually no additional cost in computational resources. It should further be appreciated that the method of the present invention offers quite accurate failure detection despite a large signal noise component and the tests described herein provide a good demonstration of the robustness of using neural networks to perform error detection.

It should also be appreciated that the method of the present invention may provide valid failure detection operation during dynamic operating modes of the process such as operator setpoint changes. It should be further appreciated that the method of the present invention may allow the neural network to directly resolve failure situations by initiating corrective action.

It is to be understood that the description of the preferred embodiment (s) is (are) intended to be only illustrative, rather than exhaustive, of the present invention. Those of ordinary skill will be able to make certain additions, deletions, and/or modifications to the embodiment (s) of the disclosed subject matter without departing from the spirit of the invention or its scope, as defined by the appended claims.

Claims

What is claimed is:

1. A method for operating a primary digital controller and a backup digital controller in a redundant configuration comprising the steps of: a. operating said primary and said backup digital controllers in a synchronous execution mode; and b. including in said backup digital controller a neural network.

2. The method of Claim 1 wherein said primary controller reads for a first predetermined period of time inputs from a process under control by said primary controller and provides for a second predetermined period of time driving control outputs to said process and said primary and said backup controller both execute an algorithm to control said process.

3. The method of Claim 2 wherein said backup controller receives from said primary controller said primary controller read process inputs and said primary controller provided driving control outputs, said backup controller having inputs and outputs, and said neural network executes during said first and second predetermined periods of time an analysis on said primary controller read process inputs and provided control outputs and said backup controller inputs and outputs when said primary controller reads said process inputs and provides said driving control outputs.

4. The method of Claim 1 wherein said neural network has two layers.

5. The method of Claim 4 wherein said each of said two layers has one or more neurons.

6. A method for operating a primary digital controller and a backup digital controller in a redundant configuration comprising the steps of: a. operating said primary and said backup digital controllers in a synchronous execution mode wherein said primary controller reads for a first predetermined period of time inputs from a process under control by said primary controller and provides for a second predetermined period of time driving control outputs to said process and said primary and said backup controller both execute an algorithm to control said process; and b. including in said backup digital controller a neural network.

7. The method of Claim 6 wherein said backup controller receives from said primary controller said primary controller read process inputs and said primary controller provided driving control outputs, said backup controller having inputs and outputs, and said neural network executes during said first and second predetermined periods of time an analysis on said primary controller read process inputs and provided control outputs and said backup controller inputs and outputs when said primary controller reads said process inputs and provides said driving control outputs.

8. A system for controlling a process comprising: a. a primary controller for controlling said process; b. a backup controller, said primary and said backup controllers connected to each other in a synchronous execution mode; and c. a neural network included in said backup controller.

9. The system of Claim 8 wherein said primary controller reads for a first predetermined period of time inputs from said process under control by said primary controller and provides for a second predetermined period of time driving control outputs to said process and said primary and said backup controller both execute an algorithm to control said process.

10. The system of Claim 9 wherein said backup controller receives from said primary controller said primary controller read process inputs and said primary controller provided driving control outputs, said backup controller having inputs and outputs, and said neural network executes during said first and second predetermined periods of time an analysis on said primary controller read process inputs and provided control outputs and said backup controller inputs and outputs when said primary controller reads said process inputs and provides said driving control outputs.

11. The system of Claim 8 wherein said neural network has n layers.

12. The system of Claim 11 wherein said each of said n layers has one or more neurons.

13. The system of Claim 8 wherein n = 2.

14. The system of Claim 8 where said neural network has a hidden layer and an output layer.

15. The system of Claim 14 wherein said hidden layer has m neurons and said output layer has n neurons.

16. The system of Claim 15 wherein m = 9.

17. The system of Claim 16 wherein each of said nine neurons are is implemented as a tansig neuron transfer function.

18. The system of Claim 17 wherein said output layer has one neuron which is implemented as a logsig neuron transfer function.