surf final report, september 2014 1 switching control ...hsan/surf_files/persson.pdf · a. testbed...
TRANSCRIPT
SURF FINAL REPORT, SEPTEMBER 2014 1
Switching Control Synthesis in thePresence of Uncertainty for an Aircraft
Electric Power System TestbedLinnea Persson
Mentor: Richard M. Murray Co-mentor: Scott C. Livingston
Abstract—With the recent trend towards moreelectric aircraft follows a larger number of electricalcomponents and an increased architectural com-plexity of the aircraft electric power systems. We arelooking at the case when only partial observabilityof the system is possible due to restricted sensingcapabilities. Even with a limited observation it ispossible to rule out some states from the from theset of all possible states as incompatible with thisobservation. By reconfiguring power and observingthis modified system it is possible to better estimatethe current state. In this report we describe theimplementation of a state detection method thatestimates the state by gradually removing impos-sible ones as knowledge of the system is gained onan aircraft electric power system testbed and on amodel of the testbed made in Ptolemy II .
I. BACKGROUND
Aircraft power systems have traditionally hadpower distributed in hydraulic, pneumatic andelectrical subsystems. Advancements in technol-ogy have enabled a shift from traditional aircraftpower systems towards systems built up of elec-trical subsystems to a higher degree than before,increasing the complexity of the architecture andthe number of components in the electrical system[1]. This makes the fulfillment of reliability andsafety requirements more demanding.
The evolution towards more electric aircraft isdriven by benefits such as the electrical compo-nents being lighter than their traditional coun-terparts, and that the electrical system is moreadaptable. This makes them easier to handle andalso means that the fuel usage will be lower perflight.
The aircraft electric power system (EPS) is anetwork of electrical components such as gen-erators, interconnections, contactors and differenttypes of loads and buses. The safety of the flight
strongly depends on the ability of the system topower essential loads at all times, even in the caseof failure in certain components. Consequently,this means that the more electric aircraft is highlydependent on having a good control system thatis able to reroute power by switching contactorsafter sensing the environment.
Fulfilling the requirements on safety and reli-ability depends in part on the systems ability todetect critical faults that lead to loads becomingunpowered, and in part on its ability to iden-tify alternative routings of power when one ormore components have failed. When we have fullobservability the exact state is known, and soany faults are found directly. However, completeobservability might not always be provided. Ob-servation in the EPS is provided through differenttypes of sensors, e.g., voltage or current sensors,and full observability would require monitoringall components through sensors at all times. Onecase when this is not possible is when one ormore sensors have failed. Another case is whenwe want to limit the number of sensors foreconomical reasons or for practical reasons whenimplementing the physical electric power system.
II. INTRODUCTION
We consider the case when we want to limit thenumber of sensors in the system. To compensatefor the smaller number of sensors estimation tech-niques can be used to evaluate the state. Wherethe sensors are placed in the system is importantsince the state detection efficiency will depend onhaving well placed sensors. This is something thatis important to consider when placing sensors ina system.
Taking measurements at only a limited num-ber of sensors will most often not return theexact state, but it will be possible to rule out
SURF FINAL REPORT, SEPTEMBER 2014 2
Fig. 1: How different components are graphicallyrepresented.
states that are not compatible with this particularmeasurement. The state detection is performedby repeatedly changing the paths that the powertakes from sources to sensors, and thereafterobserving the sensor values. Since loads cannotremain unpowered for more than a certain amountof time, the number of steps that we take inthe state detection will be limited. If assumingthat the state of the system will remain fixedthroughout one state detection, the set of possiblestates will be reduced in each iteration by simplyremoving incompatible states from the set of allpossible states.
Finding actions that rule out as many states aspossible is of interest to render a more effectiveestimation algorithm that requires as few itera-tions as possible. One way of deciding how toreconfigure the contactors is described in Mail-let et al. [2], where an aircraft EPS with fourcontrollable contactors and two sensors has beenconsidered. The proposed greedy algorithm per-forms as well as a brute force tactic where allpossible configurations are tested.
III. AIRCRAFT EPSA possible setup for an aircraft EPS is depicted
in Figure 2. There is an AC side and a DC side,and they are connected by rectifier units. Thepower sources are generators on the DC side, andon both sides there will be different types of loadsand buses connected to the system. Contactorsare electrically controlled relays, and they can beused to reroute power through the system or tocut of power coming from a faulty source.
Often it is convenient to describe the EPSin terms of a graph G = (N , E). We then letthe nodes N of the graph represent generators,rectifiers and loads. The edges E of the graph cancontain contactors, denoted C. There is possiblya subset of the contactors which we cannot con-trol. These are referred to as the uncontrollable
Fig. 2: An outline of the typical setup for Aircraftelectric power systems. The EPS is divided intoright and left following the two engines.
contactors U ⊆ C. The rest of the contactors arecalled controllable contactors.
IV. STATE DETECTION
A. State DefinitionThe state of the total electric power system
is defined as the state of all generators and allrectifier units, together with the state that thecontactors are in.
x : N ∪ C → {0, 1}. (1)
The state of a particular component c when thesystem is in state x is denoted x(c). The setof all states is denoted X . The states of theindividual components are interpreted as follows.Generators and rectifiers may take the state ofhealthy (1) or unhealthy (0), where the formerindicates that they satisfy their supposed functionand the latter indicates that they are not able tofulfill their purpose in a sufficiently good way.Each contactor assumes the state of open (0) orclosed (1). The controllable contactors have astate which is always known and controlled by
SURF FINAL REPORT, SEPTEMBER 2014 3
the user. The uncontrollable contactors states areunknown and fixed throughout an estimation.
An action is a function on the controllablecontactors
u : (C \ U) → {0, 1}. (2)
Taking an action u means that the state x willchange to fulfill ∀c ∈ C \ U x(c) = u(c).
B. SensingThe system is observed with the use of sensors.
By defining a span of admissible voltage levels,each voltage measurement is translated to either(1), indicating an admissible voltage level, or (0)indicating that the voltage level is not correct.
m : S → {0, 1}, (3)
where S is the set of sensors.When in a certain state, the system can return
only one possible set of measurements from thesensors. This set of measurements will most oftennot be unique, but shared between several dif-ferent states. An observation of the sensors thusrelates a configuration to a set of possible systemstates.
f : (m, c) �→ X̂ ⊆ X (4)
where m is the measurement and c is the con-tactor configuration that the measurement wasperformed under. X̂ is the current set of possiblestates.
C. Safety RequirementsFor safety, there are certain requirements which
must be fulfilled. One is that two AC sourcesnever can be paralleled. This can be fulfilled byalways controlling an action against the set ofpossible states. If there is any possibility that twoor more generators might be paralleled with acertain action, this action is not taken.
Another requirement is a time constraint spec-ifying the maximum allowed time for leavingloads unpowered. For safety, we cannot allowloads to be unpowered for more than a time Tload.This means that we must be able to determine thestate sufficiently for reconfiguring the contactorsso that all loads are powered in a finite numberof steps. Whether or not it is possible to fulfillthis requirement depends on the number of andthe placement of the sensors in the system.
To be able to find a suitable way to reroutepower, it is not always necessary to know the
exact state of the system. Finding one path thatwith certainty powers all loads while not breakingany safety requirements in time is sufficient forfulfilling the timing requirement.
D. State DetectionThe sensing is repeatedly performed while
changing the configuration of the controllablecontactors in between each sensing. Algorithm 1captures the key elements of the state detectionimplemented with the testbed.
k := maximum number of steps;m := sensor measurement;c := contactor configuration;X̂ := X;step := 0;while step < k do
X̂step = f(m, c);X̂ = Xstep ∩ X̂;if |X| = 1 then
step = k;else
step = step+ 1;u = next action;for c ∈ C \ U do
x(c) = u(c);end
endendreturn X̂;
Algorithm 1: Description of the state detectionprocess
V. TESTBED
A. Testbed CharacteristicsThe work in this project has been done on
an existing aircraft EPS testbed [3] that hasbeen modified to work with state estimation. Aschematic of the current setup of the testbed isgiven in Figure 3, and an image of it is shown inFigure 4.
The power supplies for the testbed are rep-resented by transformers transforming 120 VACdown to 24 VAC. The rectifiers that separates theAC and DC side is in the testbed represented byDC Power supplies that generates a voltage thatcan be set to values between 1.5 V and 27 VDC.
Loads were to begin with LEDs on both the ACand the DC side. Later we also added resistors
SURF FINAL REPORT, SEPTEMBER 2014 4
Fig. 3: A schematic showing the setup of the testbed. The numbers correspond to different ports thatare used for sensing the voltage.
close to the LEDs of the DC side that each hadresistance of 150 Ω.
The testbed is equipped with four differentsensors that senses the voltage level relative toground. The admissible sensor levels for the DCside is 3.2-3.3 V when the DC voltage level isset to be 3.3 V. The sensors on the AC side doesnot sense a voltage level, but is instead managedby additional relays, that are closed when thevoltage level is close to 24 V. Ports 7 and 8 inFigure 3 will sense 5.0 V when there is no closedcircuit, and 0 when there is a closed circuit toground. Sensors can be set to active or passiveduring the estimation depending on the sensorplacement that is being considered in a particularstate detection test.
Instead of contactors, a relay board has beenused in the testbed with a maximum capacity of16 relays. There is one relay on each edge in thecurrent setup, giving a total of 8 relays connectedin the testbed. It is possible to set each relay tobehave as a controllable contactor, uncontrollablecontactor, or by setting it to always closed, asnormal wire.
B. Fault Injection
Faults of three different types can be injected.To simulate generator failure, the transformers
providing the circuit with power can be un-plugged. Rectifier failure is achieved with exter-nal switches that opens the circuit on the DCside of the rectifier. Faults on the uncontrollablecontactors can be added by opening or closingthe relays corresponding to the uncontrollablecontactors.
C. ImplementationThe state detection algorithm described in al-
gorithm 1 has been implemented to work withthe testbed. The next action is decided by agreedy algorithm as described in [2], which givesthe locally most effective action for all possiblecontactor-measurement combinations. The bestaction is based on the current state of the relays,the latest observation of the sensor measurementsand what actions has previously been taken.
All combinations are calculated offline andsaved into a database from which the next actionis loaded during the actual state detection. End-ing up in illegal states is avoided by forbiddingcertain actions that results in states that does notfollow the rules as described in section IV-C.The illegal actions are found by counting thepossible paths that can be taken between ACnodes and the generators. If there are two ways,the AC will be paralleled and so this action ismarked as unsafe. This calculation is remade
SURF FINAL REPORT, SEPTEMBER 2014 5
Fig. 4: The physical testbed. The LEDs in the back represent AC loads, and the LEDs in the frontrepresents DC loads. Pictured is also the relay board (to the right), the two transformers functioningas generators (bottom), and rectifiers (between the AC and DC loads).
between each estimation since the unsafe actionswill be different depending on what the state ofthe system is.
D. Ptolemy II ModelAs a complement to the physical testbed,
a model representing it has been made inPtolemy II1. Having this model makes it possibleto test scripts that are to be implemented towork with the testbed, and possibly find faultsbefore they are tested on the testbed with therisk of causing permanent harm. It also facilitatestesting more advanced EPS architectures thanwhat is possible with the physical testbed withoutextensive work.
The estimation for the Ptolemy model works inthe exact same way as described for the testbedabove. The model used the same scripts andcommunicate with them using a HTTP server.
1http://ptolemy.eecs.berkeley.edu/ptolemyII/
E. Time delay
The capacitors of the rectifier units provides theDC side with a time relay TRU under which therectifiers can remain unpowered without causingany changes in the output power from it. Thetime delay is among other things dependent onthe resistance on the DC side. When there is onlya very low resistance, as in the case when onlyLEDs were connected to the DC side, the timedelay will be barely noticeable.
Assuming that there is a time delay, if a com-ponent on the AC side fails, and this is discoveredand an alternative power route is found in a timeT < TRU , then the error is never perceived bysensors on the DC side .
This result implies that if TRU is large thenit is not practical to use sensors on the DCside to estimate the state of components on theAC side, since the time delay will vary and thesensor measurements would therefore be eithermeaningless (when T < TRU ) or ambiguous
SURF FINAL REPORT, SEPTEMBER 2014 6
Fig. 5: Timing properties of the TTtestbed. Thetime delay is taken as the time it takes for thevoltage to drop to 95% of the starting value.
(when T ≈ TRU ).This also implies that we can look at the AC
and the DC systems as being separate systemswith their own control and fault detection. Thecontrol is divided into two parts, state detection(Testim) and finding and taking a final actionto route power such that all loads are powered(Tcontrol). If Testim + Tcontrol � TRU , then afault on the AC side will not affect the DC sidesince alternative power will be provided to therectifier before the output power of the rectifieris influenced.
The presented arguments for the distributedview of the system only holds as long as TRU �Testim + Tcontrol. If on the other hand TRU issmall it would be possible to add a delay to letthe DC side adjust to the AC side values at everystep of the fault detection algorithm. This wouldaffect the overall performance since the time ittakes from when a fault happens to when it hasbeen discovered and fixed will increase.
While we do have some control over the inputvoltage, the resistance and the capacitance, it willnot be feasible to give them arbitrarily values tomake the time delay small, since we still needto power the loads. From measurements made on
Fig. 6: Distribution of time it takes to estimatethe state of the AC side with 3 steps for 40 tests.
the testbed, we can see that the time delay for thetestbed vary from 5 to 15 seconds for some usedvalues of the input voltage and the resistance.This is pictured in Figure 5. Compared to thetime it takes to complete the state detection on thetestbed seen in Figure 6, which varies betweenapproximately 1.27 and 1.47 seconds, the timedelay for the rectifier is considerably higher. Thisspeaks in favor of using the distributed version ofthe system, since the centralized version wouldrequire a time delay of several times the order ofthe state detection time to be added at each stepof the detection algorithm.
Using the mean values calculated from thesame data as pictured in Figure 6 and Figure 5,the following lower bound is found
TRU = 9.4 sTstep = 0.5 s
⇒ Testim = 9.9 · 2 + 1.5 = 19.8 s. (5)
It is clear that with these times, adding a timedelay is not a practical solution. Instead, sinceTRU � Tcontrol, using a distributed system is areasonable choice.
The distributed model can be realized by com-pletely deattaching the AC side from the DC side.Figure 7 displays the distributed version of theEPS in Figure 2. The rectifiers on the DC sidecan now be regarded as sources of the DC system,while the rectifiers can be regarded as a specialtype of load for which the requirement is to powerat least one. Almost the exact same state detectionmethod as described previously can be used here,one difference being that paralleling of the DC
SURF FINAL REPORT, SEPTEMBER 2014 7
Fig. 7: If the time delay from the rectifiers islarge enough, it is possible to use a distributedsystem instead of a centralized, as argumentedfor in section V-E
“sources” is allowed.
VI. CONCLUSION
It was possible to implement the state detectionalgorithm on the testbed, but the lack of resistanceon the DC side that was used initially caused thetime delay of the rectifier units to be insignificant.After adding resistance and measuring the timeconstants discussed in section V-E, it is clearthat a distributed system is preferable to thecentralized view that we started out with. Thedistributed system will moreover require fewersteps in the state detection algorithm since thesubsystems contains fewer components than thetotal system.
VII. FUTURE WORK
A first attempt to run the state detection onthe testbed with a distributed setup has beenmade, however, for the state detection to betruly distributed would require that two or morethreads are run in parallel. This remains to beimplemented.
In the current version of the state estimation ‘ itis assumed that the set of controllable contactorsis known and remains constant. A more realisticapproach would allow this set to change betweeneach state detection, especially if the interpreta-tion of the uncontrollable contactors is that theyare failed contactors that presumably started outas non-failed (controllable).
Another challenge related to this is to allow theset of reliable measurements to change in time, orequivalently the set of working sensors to changein time. Both sensor failure and contactor failurewould require a changed version of equation (4),since we assume that we know what to measureand read when we look for the measurement mand the contactor configuration c. A way to findand evaluate these quantities when some of thevalues might be corrupted remains to be done.
REFERENCES
[1] I. Moir and A. Seabridge, Aircraft Systems: Mechani-cal, Electrical and Avionics Subsystems Integration, ser.Aerospace Series. Wiley, 2011.
[2] Q. Maillet, H. Xu, N. Ozay, and R. M. Murray, “Dy-namic state estimation in distributed aircraft electriccontrol systems via adaptive submodularity,” in Decisionand Control (CDC), 2013 IEEE 52nd Annual Conferenceon, Dec 2013, pp. 5497–5503.
[3] R. Rogersten, H. Xu, N. Ozay, U. Topcu, and R. M.Murray, “An aircraft electric power testbed for validatingautomatically synthesized reactive control protocols,” inProceedings of the 16th International Conference onHybrid Systems: Computation and Control, ser. HSCC’13. ACM, 2013, pp. 89–94.