Functional and Behavior Models for the Supervision of an Intelligent and Autonomous System
Nizar Chatti, Anne-Lise Gehin, Belkacem Ould-Bouamama, and Rochdi Merzouki
Abstract—The graphical approaches often have different back- grounds and view a system or an algebraic model from different perspectives in order to facilitate the communication and the understanding. These graphical approaches satisfy the modeling needs and give a clear and easily understandable overview of the behavioral and functional models and make easier to see what the process is, which vulnerabilities and asset that are involved and how the system works. The main goal of this paper is to develop and implement a methodology which combines the functional analysis and the bond graph (BG) tool for intelligent and au- tonomous systems. As a result, a supervisory interface is obtained, given under afinite automaton, displaying to the operators the possibilities the system has to achieve or not, its objectives. Each operating mode, corresponding to a vertex of the automaton, is associated with a set of services from a functional point-of-view and is defined accurately by a behavioral BG model. Further- more, the service availability (associated to the BG elements) and the conditions for switching from one mode to another one are analyzed by fault detection and isolation algorithms generated on the basis of the structural and causal properties of the BG tool.
Moreover, when a fault is not completely isolable some results can nevertheless be expressed in terms of available or unavailable services.
Note to Practitioners—This paper was motivated by the problem of intelligent system diagnosis and supervision. Indeed, by associ- ating diagnosis and reconfiguration aspects, all built on the same model, we hope to contribute to the development of a global super- visory control system. This paper presents a new approach which combines the Generic Component Model (GCM) and the Bond Graph Model (BGM). The GCM provides a systematic tool for finding the different reconfiguration strategies of a system when faults occur. Within a given operating mode, a system is reconfig- urable if there exist different versions of the services which allow to achieve its current objectives. These versions are ranked according to a preference relation. This allows an automated real time man- agement of the system configurations. The BGM is proposed to de- scribe the inner procedure on which the realization of a service rests. Its structural properties are exploited to generate fault in- dicators. Even if the fault mode of a lower level component can not always be identified, interesting results can be obtained on the availability of the associate services and in the most of the cases, it is enough to evaluate the possibility the system has or not to achieve an objective. The proposed approach is applied to design a supervi-
Manuscript received March 16, 2012; accepted July 27, 2012. Date of publi- cation September 21, 2012; date of current version April 03, 2013. This paper was recommended for publication by Associate Editor M. Deng and Editor M. C. Zhou upon evaluation of the reviewers’ comments. This work was sup- ported by the European Project InTraDE (Intelligent Transportation for Dy- namic Environment), Interreg IVB, 091C North West Europe Zone.
The authors are with Polytech’Lille, LAGIS, CNRS-UMR 8219, 59655 Villeneuve d’Ascq, France (e-mail: [email protected];
[email protected]; [email protected];
Color versions of one or more of thefigures in this paper are available online at http://ieeexplore.ieee.org.
Digital Object Identifier 10.1109/TASE.2012.2211350
sion system representing the management of the operating modes and giving the conditions for reconfiguration of an intelligent and autonomous vehicle. The latter should be transferable on different sizes of port terminals in order to transport goods from one spe- cific place to another one in both normal and degraded operating mode. The approach can be also applied to different kind of electro- mechanical systems. In future research, we will address the robust decision making diagnosis based on Fuzzy Logic Methodology in order to facilitate the identification of vulnerabilities by identifying the residuals thresholds changing through time.
Index Terms—Bond graph (BG), electromechanical system, functional analysis, self-diagnosis, supervision, user operating modes.
I. INTRODUCTION
A
N autonomous system is expected to achieve different ob- jectives at different times (production objectives, quality objectives, safety objectives ) without the intervention of a human operator. The realization of these objectives relies on the services provided by the system components (sensors, ac- tuators, process components). Due to hardware failures, it is possible that one or more services are no longer provided and, therefore, the achievement of some operating objectives can be compromised. For this reason, an intelligent and autonomous system requires the integration of fault detection and isolation (FDI) and fault-tolerant control (FTC) procedures [1]. FDI al- gorithms aim to detect and to localize faults as quickly as pos- sible, in order to make decisions that will avoid their propaga- tion and their undesirable effects. FTC concerns the potential for the autonomous system to continue its operations with the re- quired performances, despite component failures. Different ap- proaches are proposed for the design of FDI and FTC algorithms [2], [3]. Most of them rest on a behavior model describing how components operate and interact with each other through rela- tionships among physical quantities, for example, the state and output equations in time domain for a continuous system [4] or a state transition graph for a discrete event system [5]–[7]. The behavior model gives the actual state of the system in terms of the values taken by the physical variables which characterize the system. FDI consists in checking the consistency of the real time system operations with the prediction of the behavior model.Two types of approaches are used for the implementation of the FTC algorithms [8]. In passive approaches, the controllers arefixed and designed to be robust against a class of presumed faults [9]. In active approaches, system uses the available re- sources and both physical and analytic system redundancy to deal with unanticipated faults, either by selecting a precomputed law, or by synthesizing a new one in real time [10], [11].
1545-5955/$31.00 © 2012 IEEE
After a failure, a part of the services provided by the system’s components may become unavailable and the overall system will work inadequately, if for example, a faulty sensor (resp.
actuator) makes the plant partially unobservable (resp. uncon- trollable). Objectives can be achieved, in spite of the faults, if at least one of two procedures—fault accommodation and system reconfiguration—can be used successfully. Fault accommoda- tion relies on estimating the variables provided by the faulty sensors [12]; system reconfiguration uses alternative actuators or sensors to provide services that are equivalent to the services previously provided by the failed components [13]. If behavior models are required to integrate FDI, FTC, accommodation and reconfiguration procedures in intelligent autonomous systems, they have to be completed by functional descriptions giving to the operators, who have to supervise these autonomous systems, the means to analyze faulty situations and to know really what they can obtained from the systems they supervise. We have al- ready done a feasibility study of the approach by summarizing the main ideas in [14]. This paper gives extra details.
To obtain models allowing to produce fault indicators is an important task in the design of a safe system. Nevertheless, to determine the exact mathematical relationships between the physical values characteristic of the system is not always easy, especially if the system makes appear phenomena of different natures as in an electromechanical system. Bond graph (BG) is a multidisciplinary and unified graphical modeling language which has proved its adequacy to represent energy exchanges in mixed systems [15], [16]. BGs havefirst been used as modeling tool, and their causal and structural properties (observability, controllability, monitorability) have been subsequently used to generate fault indicators in a systematic and generic way [17], [18]. However, in supervision tasks, human operator do not con- sider the running process in terms of its mathematical behavior model, but in terms of objectives to achieve and of available functions.
To this end, we introduce in this paper, the notion of func- tional BG. The idea is to associate to each function or objective to achieve a BG model allowing its operating availability eval- uation. With this new tool, the design of supervision systems representing the management of the operating modes and giving the conditions for reconfiguration of an autonomous system, in real time, becomes possible. A finite automaton that specifies the rules for changing modes according to the availability of the services provided by the system’s components is used for this purpose. The information required to manage the transitions comes from the result of a decision procedure applied on a set of residuals calculated from the Bond Graph Model (BGM) as- sociated to each mode. Compared to conventional approaches, this is not only the state of a component that is evaluated, but also the state of a set of components associated with a specific service. Indeed, the fault isolation is performed on a set of bond graph elements corresponding to a service to achieve and not on an elementary component. To introduce the functional aspect of a component, or of a set of components, the Generic Com- ponent Model (GCM) is proposed. It describes a system based on the services provided by its components. Services are orga- nized into coherent subsets with respect to a given situation and
a set of objectives to be achieved. These coherent subsets of ser- vices correspond to the operating modes. The BGM completes the GCM by describing the realization of the different services and objectives from an internal viewpoint. Structural and causal properties of the BGM are used to automatically generate fault indicators [19]. This information coming from the FDI algo- rithms provides to the operating mode management automaton the conditions of switching.
The rest of this paper is organized as follows. Section II is de- voted for the problem statement. Section III deals with the mul- timodel approach. Section IV presents the models that have to be designed offline to describe the system and obtain the tools re- quired for fault detection. Section V explains how the previously obtained model can be managed to supervise the system online.
In Section VI we illustrate the proposed approach to an intel- ligent and autonomous vehicle in the context of an European project [20]. Section VII concludes the paper by highlighting the strengths of the proposed approach.
II. PROBLEMSTATEMENT
Previous diagnosis approaches based on functional analysis [such as Multilevel Flow Modeling (MFM)] [21] are interesting for enabling reasoning to reveal potential hazards in safety critical operations and performing root cause and consequence analysis. Zhaoet al.[22] deal also with a hazard and operability study (HAZOP) which is a structured and systematic exam- ination of a planned or existing process in order to identify and evaluate problems that may represent risks. Furthermore, HAZOP analysis knowledge is represented as cases which are organized with a hierarchical structure. However, they are limited with little information about the dynamics of the systems and the accuracy of diagnosis. With the introduction of our diagnosis algorithms combining both GCM and BGM, it is now possible to not only isolate but to identify the type of fault and then to evaluate online the availability of each User Operating Mode and for each of them, the availability of the services it groups.
In fact, this paper presents fault scenarios illustrating the ap- plication of diagnosis as an effective means to achieve yield en- hancement. The developed tool utilized in this study provides information about the availabilty of the USOMs and services according to the residuals evaluation resulting from the BGM analysis and thresholds calculation. This information is also used to focus fault analysis efforts toward a suspected defect as well as increasing the over all success rate. The behavioral model based BG allows the status (operable, inoperable, or de- graded) of a system or a part of a system to be determined and the isolation of faults within it to be performed if it is possible.
However, different works based on BG approach [16]
show that the isolation logic based on boolean fault signature is limited to the unicity of a fault signature vector. Indeed, each component has a corresponding signature and its fault is isolable if its signature is unique, i.e., different from the signatures of all other components, otherwise, the supervisory operator is facing a non decision mode. In addition, faulty com- ponents in the Fault Signature Matrix (FSM) are not assigned to the functional services which are more understandable by
the supervisory operator. In order to overcome this problem, we prove in this paper that even if a component fault can not be isolated in such situation by using BGM, the developed methodology (integrating GCM to make an isolation decision) allows to determine whether a service is available or not by following a bottom-up approach because services provided by elementary components are used as resources for services at a higher level.
Furthermore, this decomposition describes the system from the services provided by its components (BG elements), and their organization into operating modes, in order to achieve spe- cific objectives.
In fact, we observed that in the sense of BG, the services derived from the GCM correspond to some set of generic and objective BG elements such as services offered by the sensors (to measure) which correspond to effort andflow detectors, ser- vices provided by actuators corresponding to sources of energy (to store mechanical energy, potential or kinetic energy of hy- draulic andfluid pump ), the services offered by process com- ponents (to store, to transform, to transport, etc.) corresponding to transformer, gyrator, etc., BG elements. Hence, by taking into account this decomposition, we are able to transform some basic elements into notions of GCM and achieve compatible services between BGM and GCM. Then, due to the functional decom- position, the high-level services corresponding to the goals and purposes can be highlighted.
However, the proposed methodology presents some limita- tions especially with regards to services provided by the infor- mation system (Network and computer communication, con- trollers, ), which do not correspond to physical exchanges and consequently can not be represented by BG elements. This is why, those systems are modeled by classical block diagram.
III. MULTIMODELAPPROACH
A system may be described from at least three different view- points. Thefirst one sees the system as a set of components that interact with themselves and the system environment in accor- dance with a predefined objective to achieve. Another view de- scribes the system by the functions it has to perform. A func- tion is a characteristic action or activity that needs to be per- formed to achieve a desired objective. Its realization relies on services provided by the physical components which constitute the system. The last viewpoint describes how components work together and interact with themselves in terms of the quanti- ties which characterize their states (variables and parameters) and the laws which govern their operations. Each model gives a partial representation of the system and is used in a different step of its life cycle. For example, functional models are cur- rently used in a design step to describe how the operational re- quirements are satisfied. They can lead to physical architecture choices, risk or value analysis . Physical architecture models are, as for them, well adapted for system sizing or system im- plementation. Whereas, the behavior models are very useful for the design of the control algorithms, for the system simulation, or as reference to monitor the system.
Even if some tools as the Unified Modeling Language (UML) [23] or the Systems Modeling Language (SysML) [24] are de- veloped to take into account the functional, behavioral, and ar-
chitectural aspects in coherent representations of a same system, they remain design and specification languages. They are not adapted to the online supervision of an autonomous system.
Nevertheless, we keep the same idea, to integrate the three as- pects of description of a system though different but coherent diagrams. The functional and physical aspects are taken into account via the generic component model we propose. Each function is then described in an unambiguous way thanks to the BG which is associated to it. An “offline” description of the system to supervise is then obtained. In second time, the gen- erated models are exploited “online” to detect and isolate fault via the BG models and to update the USOM management graph and the list of available services via the functional models.
IV. OFFLINEMODELING
The offline description of the system rests on two parts.
• A description of the services the system has to provide and their organization into USOMs.
• A representation of the services and USOMs by BG models allowing the automatic generation of the Analytical Re- dundancy Relations (ARR) which will be exploited in real time to determine the availability of each service, in the online exploitation of the models, in order to supervise the system.
A. The Generic Component Model (GCM)
The GCM describes components from the point-of-view of the user, who receives services and can use them in different operating modes. Interconnections are taken into account by ag- gregating lower level components into higher level ones. The GCM and its use to analyze the reconfigurability of an auto- mated system is well described in [25]. This section resumes the basic notions before reminding the GCM formal definition and illustrating how the GCM description allows for component manipulation in a systematic way at any hierarchical level.
A system component provides one or more services. A ser- vice is described by the variables its consumescons, the vari- ables its producesprod, and a procedureprocwhich transforms the former into the latter. This procedure may correspond to embedded software or to a physical law. Services are provided unconditionally or on requests rqst. Services may be enable enaor not, so as to control the conditions under which the re- quests are accepted. For example, a tank consumes input and output massflows, and produces a stored mass by the proce-
dure (where is the stored mass,
is theflow in the input pipe, and is theflow in the output pipe), which follows from the principle of conservation of mass;
the regulation service of a controller consumes signals from sen- sors and produces signals to actuators according to a given algo- rithm. The realization of a service rests on hardware or software resourcesres(for example, a non leaking tank). To take into ac- count that a resource is faulty or that a consumed variable is not present or present with improper characteristics (too aged, too noisy ), the notion of versions for a service is introduced. All the versions of a same service share the same request and pro- duce the same outputs, but the inputs, procedures and resources are different from one version to another one. This notion of ver- sion contributes to the definition of fault tolerant devices, since
Fig. 1. Pyramidal decomposition of a system.
when some service resources or service inputs are faulty, the service may be provided as long as at least one of its version is able to perform.
A prioriservice might be addressed to the component at any moment. However, for safety reasons, the component must not run incompatible services (initialization and production services, for example). That is the reason why, similarly to soft- ware applications that are decomposed into consistent menus, the set of services of a given component is structured into several operating modes, which are associated with specific objectives. These modes are called User Selected Operating Modes (USOMs). Configuration, automatic measurement pro- viding, test, maintenance are example of operating modes for a sensor. At each time, the component is in a current USOM and the only services it should accept to run are those which belong to that USOM. Adding to the definition of the list of USOM, the condition to go from one USOM to another one, we obtain a USOM management graph.
B. GCM Definition
Definition 1: The generic model of a component is defined by the following.
1) A deterministic automaton where:
• is a set of USOMs, each of which is
represented by a vertex of the automaton ( is the set of index );
• is a set of transitions, each of which
is defined by where is the origin
USOM, is the destination USOM, and is afiring condition;
• is the initial USOM, that is the mode where the system stays when it is switched on.
2) A set of services ( is the set
of index ), each of them being a set of preordered
versions, ( is the set
of index ). A version of a service is the 6-tuple .
3) USOM and services are linked in the following way.
• Each USOM is associated with a subset of services ,
, with .
• Each USOM is associated with one or several objectives to be achieved.
C. Aggregation of GCM
Systems are built from the interconnection of different com- ponents. Indeed, the services delivered by some components consume variables which are produced by services of other components. For example, the value produced by themeasure- ment service of a level sensor is consumed by theregulation service of a controller, which in turn produces variables which are consumed by thepower modulationservice of the actuator.
In the GCM, interconnections are taken into account by con- sidering higher level components which aggregate lower level ones (see Fig. 1). Sensors, actuators, process components are at the (lowest)field-level. They are namedelementary components and provideelementary services. The highest level of gathering corresponds to the overall system and its objectives.
Let and be the services offered by two components and , and let component be their gathering. Let
be a consistent mode, then any combination of the services (associated with mode of component ) and (associated with mode of component ) can be used to design services provided by component . Combinations which have no functional interpretation with respect to the application are rejected. Combinations which have the same functional inter- pretation correspond to different versions of a same service.
As a result, the relations between the system missions and el- ementary services can be represented by an AND-OR tree, as shown on Fig. 2. The tree connects two types of nodes, namely, service nodes andversionnodes. The successors of aversion node (resp. of aservicenode) areservicenodes (resp.version nodes). This allows to express that a (higher level) version uses a set of (lower level) services and that a service can be pro- vided under several versions. Aversionis an AND node and a serviceis an OR node. The leaves of the tree correspond to ele- mentary services. Faults, when they are detected online by FDI algorithms, remove arcs in the graph. Reconfiguration possibil- ities result from the existence of multiple paths between the root and the leaves.
D. Behavioral Representation of USOM and Services
Services describe what the user expects to obtain from a com- ponent or from a subsystem under normal operation. However, there are two reasons for a service to fail to deliver the appro- priate values of the variables it produces.
Fig. 2. AND-OR tree.
• Internal faultsaffect some resources(res)needed by the service. As a result, the actual values of the produced vari- ables(prod)are not those specified by the procedure(proc).
A leak in a tank is an example of an internal fault. The pro-
cedure does not correctly describe
the behavior of a leaking tank since the flow associated with the leak is not taken into account.
• External faults affect the inputs(cons) of the service. A regulation service is subject to an external fault when the level value it consumes is false, due to the failure of the sensor.
Due to the unavailability of a part of the system component services, the achievement of the nominal system objectives may become impossible and some USOM may become unavailable.
To evaluate the availability of each service and USOM, BG models are associated to services and USOM. They bring the behavioral description required to the generation of the ARRs allowing the fault detection and isolation.
1) Basic Elements of BGM and Correspondance With GCM:
BGM allows to represent any system whatever its nature, me- chanical, electrical, thermal and so on. Because details of the BG theory can be easily found in the literature [26], [27], this section briefly recalls the elementary notions of BG tool for modeling and explains how BG structural and causal features are able to be used for the automatic generation of the ARRs.
BGM is a useful multidisciplinary tool for simulating system behavior by defining the different parts of this latter. The BG is a graphical representation of the system equations. Indeed, the BG model is considered as a graph because it is a combination between vertices and edges (named power bonds). The vertices represent junctions, components or subsystems. Whereas, the power bonds represent the instantaneous mutual power transfer between several nodes with respect to the first principle of power conservation and continuity of power.
Fig. 3(a) illustrates the power exchange between two systems and . This exchange is represented by a bond wherein are denoted the two variables, namely, flow (f) and effort (e) whose product is the instantaneous power. The variable effort
Fig. 3. BG principle and the notion of causality.
is labelled above the bond, while theflow variable is labelled below it. Examples of effort variables include pressure, temper- ature, force, electrical potential, torque and so on. Whileflow variables include current, velocity, entropyflow, volumeflow, molarflows and so on. A half-arrow representing a sign con- vention is used to provide the positive direction of powerflow.
The structural and causal properties of the BG can be ex- ploited to generate systematically fault indicator for diagnosis analysis and supervision. Indeed, each hardware component is defined by such constraints called constitutive equations and de- scribing the behavior of this latter. This constraint restricts the trajectory of the vector formed by the component variables to the space defined by the physical law associated to the com- ponent. A constraint is naturally no causal. The introduction of causality in BG model allows to indicate which side of the bond determines the effort and which side of the bond determines the flow. This specification of the cause and effect relations is re- quired to compute in the right way the different variables. It is worth noting that within the BG notation, a cross stroke [see Fig. 3(a)] is placed in one end of the power bond to indicate that the opposite end is defining the effort so only one end of a bond can have a cross stroke. The example showed in Fig. 3(a) means that the system A imposes effort (or flow) to system B. Fig. 3(b) gives the corresponding block diagrams. The effi- ciency of the causal features of the BG has been already proved for control analysis, namely, structural controllability and struc- tural observability [28], but also for model inversion and iden- tification by resorting to bicausality analysis [29]. The BG ele- ments can be divided into three sets.
• Active elementsallowing to supply power to the process (source of effort andflow ).
• Passive elements allowing to transform the received power into a dissipated power ( -element), stored poten- tial energy ( -element) or kinetics ( -element).
• Conservative multiport elementsallowing to reproduce the constraint architecture of the overall system to be mod- eled. They includejunction structures,TransFormers, and GYrators. Junction structures are used in order to connect several elements of the BG model ( , and ) by a “0”
junction when the effort variable is the same and theflows are different and by a “1” junction in the opposite case.
TransFormer noted and GYrator are used to represent energy transformation from one domain to an- other. Sensors are represented by effort and flow
detectors.
The BG elements
correspond to elementary services of the
GCM. A higher level service is thus represented by a BGM.
Three classes of basic services can be distinguished.
• Measurement services: they are provided by sensors and correspond to effort (DE) andflow (DF) detectors.
• Action services: they are provided by actuators and corre- spond to effort (SE) andflow (SF) sources.
• Storage, transformation, and transportation services: they are provided by process components as tanks, pipes, chock absorbers and so on. They correspond to C, TF, R, and GY BG elements.
BGM appears as well as a complementary tool of GCM since it explains how a high-level service is achieved from a set of low-level services. It offers a representation of the inner proce- dures performed by the service. It is a model of the behavior that complements the functional model offered by the GCM.
Similarly to the existence of a hierarchy between the services of different levels, BGM of higher level can be built from BGM of lower levels. Moreover, there are similarities between the bi- partite graph approach and BG especially from the structural analysis point-of-view [16] that allow ARRs generation.
2) BG for ARRs Generation: Structural analysis rests on the notion of bipartite graph matching. A bipartite graph is defined as a graph representing the system’s model structure by com- bining a set of vertices and edges. The vertices are divided into
two sets, namely, the constraints and
the variables . While, the edges are used to link the variables to the corresponding constraints. The vari- ables which appear in the constraints and which can be quanti- tative, qualitative, fuzzy are partitioned into
where is the subset of the unknown variables and is the subset of the known variables composed of control variables and measured variables . In classical approaches [1], a set of equations obtained from the system behavioral model is used in order to deduce the bipartite graph. In our case, the bipartite graph is directly deduced from the physical BG Model. In fact, the BG methodology encompasses different kinds of informa- tion allowing to deduce directly the set of constraints. The in- formation is related to the structure , the behavior , the measurement , and the control of the system
Structural equations represent the conservation laws and are deduced from the junction equations, transformers and gy- rators. The constraints are associated with the behavior model (expressing how the energy is transformed). In the BGM, they describe the physical phenomena which are represented in lumped-parameter BG elements ( , , and ). Measure- ment constraints express the way in which the sensors transform some state variables of the process into output sig- nals which can be used for FDI and control purposes. The un- known variables are the pair of power variables that label the bonds
is the number of passive BG elements.
Fig. 4. (a) Electrical system and (b) its BG model in integral causality with a flow sensor, and (c) in derivative causality with a dualizedflow sensor.
In the BG sense, the known variables belonging to are represented by theflow and the effort sensors, theflow and the effort sources, the modulatedflow
and effort sources, and the control inputs
Extra constraints can be added while the model is used in derivative causality for model based diagnosis. They correspond to analytical relations between the system’s variables. Indeed, according to the structural analysis concept, a system can be di- vided into an overconstrained (redundant and observable), an under constrained (not redundant and not observable) and a just constrained subsystems, and it is proved that the only moni- torable subsystem is the overconstrained one [1].
Indeed, recall that FDI approach is defined by two phases: the detection and the isolation. In the detection step, the theoretical behavior of the system, described by the system constraints is compared to the actual behavior obtained from the known vari- ables (the measured outputs and the control inputs). If a discrep- ancy exists, a fault is detected. In the isolation step, the nature of the violated constraints is exploited to isolate the faulty compo- nent. This detection and isolation can be performed only if some redundancy exists in the system. Analytical Redundancy Rela- tions (ARRs) are the constraints that express this redundancy.
They are obtained according to the overconstrained subsystem and formulated with only the known variables of the system [30]. They have the form . Numerical evaluation of an ARR yields a residual: . represents a set of BG elements.
Nevertheless, because of the parameters uncertainties and sensor noises within real system, in practice the residuals are different from zero even in normal functioning. For illustration, consider the simple RL electrical example given in Fig. 4. To avoid the problem of the initial conditions unknown in real system, a derivative causality BGM is carried out in order to generate directly the ARRs. Indeed, models are given in inte- gral causality [Fig. 4(b)] when they are for physical simulation purpose while they are in derivative causality [Fig. 4(c)] when they are used for ARRs generation. Here, the effort (or flow) detectors are transformed into signal sources (or modulated by the measured value, as illustrated
Fig. 5. (a) Electrical system (b) with BG model in integral causality, (c) with a conflict of causality, (d) causally correct after dualizing the sensor, and (e) causally correct after adding a new sensor.
in Fig. 4(c). This imposed signal is the starting point for the elimination of unknown variables.
Establishment of the ARRs on a BGM rests on the theory of unknown variables elimination by propagating the causation graphically from one modeling element to the other (from un- known variables to known ones) by using the junction’s struc- tural constraints. The ARRs determined are deduced from equa- tions of the power balance which are represented in a BG by junction equations [31], [32]
with the set of links connected to the junction and respecting to the half arrow direction.
From the BG model given by Fig. 4(b), the candidate ARR can be written as
ARRs generation consists in eliminating unknown variables by following the causal paths [as shown by the dashed lines in Fig. 4(c)] from an unknown variable to a known one. and are then calculated (eliminated) using the following paths:
and .
We obtain the following ARR:
The residual determined by evaluating is sensitive to the faults affecting the set of components (associated with their constraints) covered by the causal path during the elimination
process, namely, , , , and in our case. Nevertheless, the unknown variables elimination related to the causal con- straint is not obvious. Consider the RLC electrical system given by Fig. 5(a) with initially only one current sensor and its BGM in integral causality given in Fig. 5(b). In the presence of a element [Fig. 5(c)], a causality conflict arises on the BG Model as long as both dynamic elements are placed on deriva- tive causality. This is why we have to keep the C-element in in- tegral causality. Roughly speaking, the ARR will depend on the initial effort . Thus, the subsystem still non monitorable.
To overcome this situation, it is possible to add, for instance, a voltage sensor (for instance ) to break a loop in the ori- ented graph [Fig. 5(d)]. The system is then observable but non redundant.
The algorithm of ARRs generation can be outlined by the following phases.
1) Assign a preferred derivative causality on nominal BG; if it is possible (the model is overconstrained), then proceed with the following steps.
2) Choose a junction from a BG model in derivative causality.
Find the corresponding ARR by writing its characteristic equations and by identifying the specific observable sub- graphs. The latter can be found using different techniques proposed in [33] to generate ARRs from a BGM using cov- ering causal paths. The goal is to study all of the causal paths relating the considered junction to the sources and the sensors.
3) Move to the following junction. If the second ARR is inde- pendent of thefirst one, keep it, otherwise move to another junction.
4) Repeat point (3) until all distinct signatures are obtained.
This procedure is implemented in a software developed by one of the authors as a toolbox in Symbols2000 [34].
The advantages of the BG model comparing to the other methodology-based fault diagnosis can be summarized as follows.
1) A generic approach because within an only one representa- tion, we are dealing with modeling, diagnosability analysis and formal ARRs generation [34].
2) A specific dedicated software based BG is devoted for formal ARRs and dynamic model (under state equation format) [35], [36].
3) The topological, the physical and instrumentation architec- ture are obviously distinguished and displayed in the graph due to the energetic approach characterizing BG model.
4) The structural diagnosability (which fault can be detected and isolated) can be directly studied from the graphical model, without numerical calculation even if the numerical relations will be required for the ARRs generation.
5) Due to functional and modular properties of the BG, the ARRs are systematically associated to specific (sensor, ac- tuator and other hardware component) faults which may occur in the system.
However, some of drawbacks can be cited.
1) The derived features are available only structurally.
2) The model is developed under lumped parameter approximation.
V. ONLINESUPERVISION
Once the system is described from the services provided by its components and their organization into USOM and once the ARRs allowing to analyze the availability of each service are generated, the obtained models can be exploited online to su- pervise the system.
A. Evaluation of the Elementary Service Availability
The availability of the elementary services corresponding to the leaves of the AND-OR tree (see Fig. 2) is directly obtained from the evaluation of the ARRs when there are calculated with the measured and the input control values.
Indeed, residuals lead to the formulation of a binary coherence
vector , whose elements, ,
are determined from a decision procedure, , which generates the alarm conditions. A simple decision procedure can be used
for instance, , whereby each residual,
is tested against a threshold ,fixed according to parameter un- certainties, sensor noises, etc. In the simple decision procedure, can be taken equal to twice the standard deviation of the residual in a normal operating mode: .
Robust decision procedures minimize misdetection and false alarms by processing the residual noises. The detection proce- dure tests each residual , against afixed or adaptive threshold
, to generate a coherence vector . The elements of , , are determined from
otherwise
A fault is detected when which means that, at least one residual exceeds its threshold.
It is the aim of the decision phase to try to isolate the fault. It rests, in this case, on logical analysis or pattern recognition ap- proaches using a Fault Signature Matrix (FSM), which describes the participation of the elementary components and associated services in each residual . The elements of FSM, said , are determined as follows:
otherwise
The fault is isolated if its signature is different from the others and the associated service becomes unavailable since it can not be longer provided.
B. High-Level Service and USOM Management
Elementary services are used as resources for versions of im- mediately higher services in the AND-OR tree decomposition (see Fig. 2). The FDI mechanism, previously explained, allows to determine the availability of these elementary services. Con- sequently, the availability of the versions which use them as re- source can be evaluated. A version of the service is disabled when some resources in are detected faulty and the service is unavailable when it has no available version. This mech- anism automatically repeated from a bottom-up approach fol- lowing the AND-OR description allows to determine the avail- ability of each service and objective.
Let be the set of control objectives associated with USOM . As long as the services associated with are avail- able, the objectives can be achieved. When services of become unavailable, some objectives of might turn to be un- achievable [25].Critical servicesare those whose unavailability implies that at least one objective of cannot be achieved. The set of services , associated with is, therefore, decom- posed into , where are the critical and are the noncritical ones.
When noncritical services become unavailable, the system can obviously remain in the current USOM, since its objectives can still be achieved: the system is fault tolerant with respect to the current USOM objectives and the current fault situation.
On the contrary, when critical services of the current USOM be- come unavailable, its objectives can no longer be achieved, and the system is to be given other objectives. This is an objective reconfiguration strategy [37].
Objective reconfiguration means firing a transition towards an USOM whose objectives become the current ones. The system should, obviously, be able to achieve these new objec- tives, which means that in the destination USOM, no critical service is unavailable as a result of the current fault situation.
When several USOM can be reached from the current one in the USOM automaton, the choice of the destination USOM (that is, of the new system objectives) is a decision problem that must be considered at the system design stage. Unless the system objectives can be ranked according to a total ordering relation, the solution cannot be automated, thus leaving a very important role to human operators in fault situations. Note, that the AND-OR trees and the USOM graph are updated at each occurrence of a fault or a repair operation, allowing operators to exactly know what they can obtain from the system.
Fig. 6. The Robucar vehicle.
VI. APPLICATION: THEELECTRICALVEHICLEROBUCAR
A. Description of the Robucar
The electrical vehicle Robucar is presented in Fig. 6. It is an overactuated electric vehicle, with four actuated wheels and two actuated steering systems. Motor part is defined by 4 DC trac- tion motors, delivering a relative important mass torque with a decentralized input control. Front and rear steering motions are obtained through 2 DC actuators, which allow Robucar to make three drive modes, namely, single drive mode where only the front steering is controlled during motion and the rear steering isfixed to its center, dual drive mode where the remote soft- ware controls the front and rear steering during the motion and, finally, park mode, where front and rear steering are controlled for parking configuration.
The choice of the vehicle Robucar as an example to illus- trate the proposed approach can be justified by two reasons.
First, large-scale systems chosen to illustrate diagnosis or fault detection and isolation with BGM are, most of the time hydro-energetic systems, such as steam generator [38], [39].
Second, the vehicle Robucar is used in the context of the Intrade Project (Intelligent Transportation for Dynamic Environment).
This project is financed by European regional development funding through Interreg IVB and is supposed to lead to the development of an automatic navigation system for port termi- nals [20]. In this context, the ultimate objective of our work is to design a supervision system representing the management of the operating modes of a vehicle and giving the conditions for its reconfiguration when a part of its inner components is faulty or when another vehicle with it has to cooperate is not in a nominal operating mode. In this application, the intelligent transportation system is composed of autonomous vehicles, loading and discharging stations, parkings, and a road network.
In a first time, the autonomous vehicles can be considered
similar to Robucar. In the future, they will be equipped with load transportation facilities and with environment perception systems.
B. Offline Modeling of the Robucar
1) Robucar Objectives and Their Organization: In the con- text of the Intrade project, seven objectives andfive USOMs are defined for the Robucar, as follows.
• Objectives
— O1: Do not move.
— O2: Follow a trajectory.
— O3: Bearing a load.
— O4: Make easier the loading and the discharging.
— O5: Park easily.
— O6: Assure the durability of the vehicle.
— O7: Assure the security of the environment.
• USOM
— USOM1: Robucar is parked and not used. It is in good operating conditions (non faulty).
— USOM2: Robucar is in move, without load, toward a loading station.
— USOM3: Robucar is in move, with a load, toward a dis- charging station.
— USOM4: Robucar is returning toward the parking.
— USOM5: Robucar is stopped further to the detection of an obstacle or a major dysfunction.
The USOM automaton is shown in Fig. 7(a), where the nota- tion specifies the objectives that the Robucar has to achieve for the given USOM.
USOM list and automaton are defined by the design engi- neer, taking into account functional and safety specifications.
Several formalisms can be used to implement the USOM au- tomaton which takes the form of a classical state diagram. We have developed our own tool.
2) Hardware Decomposition of Robucar: The hardware decomposition of the Robucar is (partially) given in Fig. 7(b).
It makes appear two identical subsystems: the front part and the rear part of the vehicle. Only the decomposition of the front part is given. It makes appear three subsystems: the steering subsystem and the quarters of vehicle left and right. Only the decomposition of the quarter of vehicle right is given as it is the analysis of the operating conditions of this part that is given in illustration in the following. The complete decom- position of the Robucar is done thank to the software Visual Understanding Environment (VUE), which provides aflexible visual environment for structuring, presenting, and sharing digital information [40].
3) The Realization of the Objectives of Robucar: The realiza- tion of the objectives of Robucar rests on the services provided by the components of Robucar. The set of the versions allowing the realization of an objective can be automatically deduced, from the hardware decomposition of Robucar, by following a bottom-up approach and by considering that services of lower level are used as resources for the higher level services. Let take, as example, the inner components of a quarter of vehicle [cf.
Fig. 7(b)]. The DC Motor provides the service “to generate a torque” which is consumed by the gear. This last, provides the service “to transmit the torque” to the wheel which realized the service “to absorb the torque.” These three services associated with the service “to measure the speed rotation” provided by the pulse sensor allows the quarter of vehicle to realize the ser- vice “to control the speed rotation of the wheel” (cf. Fig. 8).
By associating the two services which control the two wheels of the same part (front or rear), the higher level services “to control the speed of the front (or rear) part” and “to control the direction of the front (or rear) part” are obtained. Note that there are two versions for the service to control the front (or rear) direction.
One is obtained by the service provided by the steering system.
Another is realized by applying some different rotation speeds
Fig. 7. (a) The Robucar USOM automaton. (b) The hardware decomposition of Robucar.
Fig. 8. The AND/OR tree associated to the objective O2.
on the wheels. Following this principle, the different possibili- ties to realize the objective “O2: Follow a trajectory” are auto- matically found. They are partially given on Fig. 8.
4) ARRs Generation: The availability of the service “to con- trol the speed rotation of the wheel” can automatically be evaluated from the BGM which described the physical law ap- plied on the data consumed by the service to produce data in output. This BGM, given on Fig. 10, is the concatenation of the BGM associated to the lower level services implied in the real- ization in this higher level service. The complete BGM of the Robucar can be obtained using the software SYMBOLS 2000 which allows to draw the complete model by using the encap-
sulation principle (an oriented object tool) in order to define the different parts of the BGM (an overview of the software and the capsules is given in both Fig. 9). Symbols 2000 allows also to check the validity of the model and permits to generate auto- matically the ARRs and therefore the residuals according to the causality and parameters of the system.
To illustrate the principle of the ARR generation let return to BG given on Fig. 10. The electric power is provided by the elec- trical part of a DC motor which is equivalent to an input voltage source in serial with a resistance and an inductance . The electrical current is measured by the sensor . The gy- rator element describes the power transformation from the
Fig. 9. (Top) Software interface for designing BGM. (Bottom) BGM design using capsules and ARRs generation.
Fig. 10. The BGM of a quarter of vehicle in intergral causality.
electrical part of the DC motor to its mechanical part which is characterized by its rotor inertia , its viscous friction param- eter and its transmission rigidity . The mechanical gear which links the mechanical and wheel parts with a gearing con- stant is represented by a transformer element . The wheel is characterized by its inertia , its viscous friction parameter , a contact effort and a parameter represented also by a transformer element and which allows to consider the back- lash disturbing torque. The rotation speed of the wheel is mea- sured by the detector .
To obtain ARRs, the BGM has to be put in preferred deriva- tive causality to avoid the problem of unknown initial condi- tions. This is done by converting eachflow or effort detector into a signal source modulated by the measured value. It is
Fig. 11. The BGM of a quarter of vehicle in derivative causality.
worth noting that all the dynamic elements are linked by causal paths to at least one detector and all dynamic elements I and C admit a derivative causality on the BGM in preferred deriva- tive causality. The system is therefore observable. Nevertheless, after dualization of the detectors, a conflict of causality appears on the system located before the transformer TF when we move to a derivative causality, this part of the system is underdeter- mined. However, the part after the transformer TF is overde- termined because no causal conflict appears in dualizing the detector. As the initial conditions are known because the real system is equipped with detectors, the ARRs can be generated even if the causal element C is kept in integral causality. The resulting BGM is given on Fig. 11. From the BGM, the con- stitutive relations of the junctions, the gyrator and of the trans- formers are the following:
The elements c , , of the BG introduce the following behavioral equations:
The set is the set of the known
variables corresponding to the sources and the detectors. From this set, the following equations are introduced:
By solving the system formed by these three subsets of equa- tions, three ARRs, linking only known variables and parameters are found. They are the following:
The associated residual are:
The corresponding Fault Signature Matrix (FSM) is given in Table I. The value, on the residual columns, is equal to “1” if
TABLE I
FSMOF AQUARTER OFVEHICLE
the residual dynamic is affected by a faulty behavior of the cor- responding component. The corresponding service becomes, in this case, unavailable. The vector is the signature of the fault. To each service corresponds a distinct signature. It is thus possible, with this method, to estimate the availability of every service implicated in the realization of the service: “to control the speed rotation of the wheel” associated to the quarter of vehicle even if the fault is not always precisely isolable. For example, as the three signatures associated to the three components of the DC electrical part are identical, the dis- tinction between a default on cannot be done. But such a precision is not required to evaluate the possibility the DC motor has to generate an electrical power. On the other hand, using the procedure of input and output uncertainties modeling developed in [41], the following thresholds can be generated directly from the graphical model using the causal paths:
where , , and are the measurement errors on the current and velocity detectors, respectively.
And where
and is the sampling time.
Fig. 12. Residuals in normal situation.
C. Online Supervision of the Robucar
To correctly supervise the Robucar, a supervision interface has been developed. This interface allows also to introduce different kind of faults in order to verify the efficiency of the methodology for diagnosis and supervision In fact, several kind of fault scenarios can not be applied directly to the vehicle, this is why, we used the data acquired from this latter in normal situation and we add a perturbation block in order to check the relevance of our approach in the different cases. The interface gives online the value of the residuals, the fault signatures, the faulty components, the unavailable services, and USOMs. It is worth noting, that the only faults we can introduce in real time are the faults related to the sensors (by disabling the sensors for a period of time and acquiring the corresponding data).
To illustrate the Robucar USOM management, let consider three fault scenarios. For the three cases, the current USOM is USOM2 where Robucar is in move toward a loading station.
1) Scenario1: Suppose a fault is detected on the DC motor associated to the front steering system. The nominal version of the service “control the front direction” directly by the steering system becomes unavailable but its degraded version can be run by applying different velocity on the wheels. These versions are, respectively, namedvers. 1andvers. 2in Fig. 8. The objectives of the current USOM still achievable.
2) Scenario2: Suppose a fault is detected on the DC motor associated to the right front quarter vehicle. The residuals in normal situation are shown in Fig. 12. The faulty situation is given by Fig. 13. The fault is introduced in the DC electrical part during a 65 s time interval, from 400 to 465 s, by increasing the value of the voltage source . We can see that the residuals and converge to zero but they are not null. This is due to parameters and modeling uncertainties like a backlash phe- nomenon which exists in the real system and which is neglected in our case. The value of the residual observed from 400 to 465 s shows that it is sensitive to the fault. This fault is de- duced by analyzing the residuals which are sensitive to the fault, namely, in our study case and which exceeds the thresholds of detectability during the time interval between 400 and 465
Fig. 13. Residuals in faulty situation (Scenario 2).
Fig. 14. Residuals in faulty situation (Scenario 3).
s. Consequently, the resulting coherence vector is . This coherence vector has multiple matches in the signature ma- trix (see Table I) and hence the fault cannot be isolated, but only detected. Nevertheless, we can deduce that the service “gen- erate the torque” becomes unavailable. Fig. 8 shows that this unavailability implies the unavailability of the services “control the speed rotation of the front right wheel,” “control the front part speed,” and “control the vehicle speed.” Consequently, the achieving of the objective “follow a trajectory” is not possible.
This objective is critical for the USOM2. Robucar has to be switched to a USOM in which this objective does not appear, namely, the “emergency stop” USOM.
3) Scenario3: Suppose a fault is present on the velocity sensor associated to the front left wheel. Suppose that the response of the residuals, when the fault is introduced during a 570 s interval from 400 to 970 s, reveals that residuals and are sensitive (see Fig. 14). This result matches the fault signatures matrix given in Table I. Using the fault signature matrix and the corresponding thresholds, the resulting coher- ence vector is . This coherence vector has only one match in the signature matrix and hence the fault affecting
the velocity sensor can be detected and isolated within the mechanical part of the motor because its signature is unique, i.e., different from the signatures of all other components.
Consequently, the service “Measure the rotation” used as re- source to control the speed rotation of the front left wheel can not be provided under its nominal version, i.e., directly by the velocity sensor associated to the front left wheel. Nevertheless, some degraded version of this services exist. They rest on the service provided by the velocity sensors associated to the others wheels (see Fig. 8). Consequently, the achieving of the objective “follow a trajectory” still possible in a degraded mode. The operator can also take a decision because he has the information corresponding to the state of the vehicle, the USOM, and the ability of the vehicle to achieve its objectives.
VII. CONCLUSION
The GCM is a formalized description of the operation of de- vices at any hierarchical level of a controlled system. It is well suited for human operators reasoning, since the features it im- plements are directly connected with the operator point-of-view, namely, operating modes, delivered services, and achieved ob- jectives.
The GCM provides a systematic tool forfinding the different reconfiguration strategies of a system when faults occur. Within a given operating mode, a system is reconfigurable if there exist different versions of the services which allow to achieve its cur- rent objectives. These versions are ranked according to a pref- erence relation. This allows an automated real-time manage- ment of the system configurations, when faults occur, as long as needed service versions are available. When the objectives of a given operating mode can no longer be achieved, the re- configuration procedure changes the operating mode.
The BGM is proposed to describe the inner procedure on which the realization of a service rests. Its structural properties are exploited to generate fault indicators. Even if the fault mode of a lower level component can not always be identified, inter- esting results can be obtained on the availability of the associate services and in the most of the cases, it is enough to evaluate the possibility the system has or not to achieve an objective.
By associating diagnosis and reconfiguration aspects, all built on the same model, we hope to contribute to the development of a global supervisory control system. A co-simulation on a pla- toon of Intelligent and Autonomous Vehicles (IAVs) in faulty situation inside seaport terminal using a virtual simulation soft- ware SCANER Studio designed within the European Project InTraDE wherein we are involved has been done [42]. Future research concerns the robust decision making diagnosis based on Fuzzy Logic Methodology. Basically, it is a particular set of methods and tools designed to support decision making under conditions of deep uncertainty and we expect that it allows to facilitate the identification of vulnerabilities by identifying the residuals thresholds changing throw time.
REFERENCES
[1] M. Blanke, M. Kinnaert, J. Lunze, M. Staroswiecki, and J.
Schroder, Diagnosis and Fault-Tolerant Control. Secaucus, NJ:
Springer-Verlag, 2006.
[2] M. Blanke, M. Staroswiecki, and E. Wu, “Concepts and methods in fault-tolerant control,” inProc. Amer. Control Conf., Washington, DC, 2001, pp. 2606–2620.
[3] R. Isermann, Fault-Diagnosis Systems: An Introduction From Fault Detection to Fault Tolerance. New York: Springer, 2005.
[4] V. Venkatasubramanian, R. Rengaswamy, K. Yin, and S. N. Kavuri,
“A review of process fault detection and diagnosis: Part I: Quantita- tive model-based methods,”Comput. Chem. Eng., vol. 27, no. 3, pp.
293–311, May 2003.
[5] F. Liu and D. Qiu, “Safe diagnosability of stochastic discrete event systems,”IEEE Trans. Autom. Control, vol. 53, no. 5, pp. 1291–1296, 2008.
[6] P. Baroni, G. Lamperti, and M. Zanella, “Diagnosis of a class of dis- tributed discrete-event systems,”IEEE Trans. Syst., Man, Cybern. A, Syst., Humans, vol. 30, no. 6, pp. 731–752, 2000.
[7] S. Soldani, M. Combacau, A. Subias, and J. Thomas, “Intermittent fault diagnosis: A diagnoser derived from the normal behavior,” inProc.
18th Int. Workshop Principles Diagnosis, DX’07, Nashville, TN, 2007, pp. 391–398.
[8] Y. Zhang and J. Jiang, “Bibliographical review on reconfigurable fault- tolerant control systems,”Annu. Rev. Control, vol. 32, pp. 229–252, 2008.
[9] Y. Sijun, Z. Youmin, W. Xinmin, and C.-A. Rabbath, “Robust fault- tolerant control using on-line control re-allocation with application to aircraft,” inProc. Amer. Control Conf., ACC’09, 2009, pp. 5534–5539.
[10] H. Niemann and J. Stoustrup, “An architecture for fault tolerant con- trollers,”Int. J. Control, vol. 78, pp. 1091–1110, 2005.
[11] D. Theillol, J. Cedric, and Y. Zhang, “Actuator fault tolerant control design based on reconfigurable reference input,”Int. J. Appl. Math.
Comput. Sci., vol. 18, pp. 553–560, 2008.
[12] K. Zhang, B. Jiang, and P. Shi, “Fast fault estimation and accommo- dation for dynamical systems,”IET Control Theory and Appl., vol. 3, pp. 189–199, 2009.
[13] J. Lunze, “Control reconfiguration after actuator failures: The gener- alized virtual actuator,” inProc. 6th IFAC Symp. Fault Detection, Su- pervision and Safety for Tech. Process. (SAFEPROCESS), 2006, pp.
1309–1314.
[14] N. Chatti, A.-L. Gehin, R. Merzouki, and B. Ould-Bouamama,
“Online supervision of intelligent vehicle using functional and behavioral models,” in Proc. IEEE Intell. Veh. Symp. (IV), 2011, pp. 827–832.
[15] B. Ould-Bouamama and A. Samantaray, Model-Based Process Super- vision. A Bond Graph Approach. Berlin, Germany: Spring-Verlag, 2008.
[16] B. Ould-Bouamama, R. El Harabi, M.-N. Abdelkrim, and M.-K.
Ben Gayed, “Bondgraphs for the diagnosis of chemical processes,”
Comput. Chem. Eng., vol. 36, pp. 301–3 24, 2012.
[17] R. Merzouki, M.-A. Djeziri, and B. Ould-Bouamama, “Intelligent monitoring of electric vehicle,” inProc. IEEE/ASME Int. Conf. Adv.
Intell. Mech., AIM’09, 2009, pp. 797–804.
[18] C. Boon-Low, D. Wang, S. Arogeti, and M. Luo, “Quantitative hybrid bond graph-based fault detection and isolation,”IEEE Trans. Autom.
Sci. Eng., vol. 7, no. 3, pp. 558–569, Jul. 2010.
[19] M.-A. Djeziri, R. Merzouki, B. Ould-Bouamama, and G. Dauphin- Taguy, “Robust fault diagnosis by using bond graph approach,”IEEE/
ASME Trans. Mechatronics, vol. 12, pp. 599–611, 2007.
[20] InTraDE, European Project [Online]. Available: http://www.intrade- nwe.eu/
[21] N.-L. Rossing, M. Lind, N. Jensen, and S.-B. Jorgensena, “A functional hazop methodology,”Comput. Chem. Eng., vol. 34, pp. 244–253, 2010.
[22] J. Zhao, L. Cui, L. Zhao, T. Qiu, and B. Che, “Learning hazop expert system by case-based reasoning and ontology,”Comput. Chem. Eng., vol. 33, pp. 371–378, 2009.
[23] OMG, The Unified Modeling Language, 2011. [Online]. Available:
http://www.uml.org
[24] OMG, The System Modeling Language, 2011. [Online]. Available:
http://www.omgsysml.org
[25] A.-L. Gehin and M. Staroswiecki, “Reconfiguration analysis using generic component models,”IEEE Trans. Syst., Man. Cybern.-Part A, vol. 38, no. 3, pp. 575–583, May 2008.
[26] J. Thoma, Bond Graphs: Introduction and Applications. Irvington, NJ: Elsevier Science, 1975.
[27] W. Borutzky, A. Orsoni, and R. Zobel, “Bond graph modeling and sim- ulation of mechatronics systems an introduction into the methodology,”
inProc. 20th Eur. Conf. Modeling and Simulation, Bonn, Germany, May 2006.
