Second, at a chemical plant, anomalies may be considered to be either those which pose an immediate hazard to humans and the environment and are considered to require plant shutdown upon detection or those which do not. When the anomaly detected requires plant shutdown, generally the safety system is used to take extreme actions like cutting feeds to shut down the plant as quickly as possible; these generally have a prespecified nature (e.g., closing the feed valve). Anomalies that do not present immediate hazards to humans may either result in sufficiently small plant/model mismatch that the controller is robust against or the plant/model mismatch could cause subsequent control actions to drive the closed-loop state out of the expected region of process operation (at which point, the anomaly may be a hazard). We consider that characterizing conditions under which closed-loop stability is not lost in the second case may constitute steps in moving toward verification of EMPC for the process industries with adaptive model updates in the presence of changing process dynamics.
3.2.1. Automated Response to Anomalies: Formulation and Implementation Strategy
In the next section, we will present theoretical results regarding conditions under which an LEMPC could be conservatively designed to handle anomalies of different types in the sense that closed-loop stability would not be lost upon the occurrence of an anomaly or that impending loss of closed-loop stability could be detected by defining a region (a superset of ) which the closed-loop state should not leave unless the anomaly has been significant and the model used by the LEMPC should be attempted to be reidentified to try to maintain closed-loop stability. If the closed-loop state leaves , however, it has also left , so that the LEMPC of Equation (24) may not be feasible. For this reason, the implementation strategy below suggests that, if the closed-loop state leaves , should be applied to the process so that a control law with no feasibility issues is used.
The implementation strategy proposed below relies on the existence of two controllers and , where can stabilize the origin of the nominal closed-loop system of Equation (10) and can stabilize the origin of the nominal closed-loop system of Equation (10) with respect to the th model. Specifically, before the change in the underlying process dynamics that occurs at is detected at , the process is operated under the LEMPC with the qth empirical model. After the change is detected (in a worst case via the closed-loop state leaving ), a worst-case bound is placed on the time available until the model must be updated at time to the th empirical model to prevent the closed-loop state from leaving a characterizable operating region.
We consider the following implementation strategy for carrying out the above methodology:
1. At , the first-principles model (Equation (1)) describes the dynamics of the process. The empirical model (Equation (10)) is used to design the LEMPC of Equation (24). An index is set to 0. An index is set to 0. Go to step 2.
2. At , the underlying dynamic model of Equation (1) changes to the th model. The LEMPC is not yet alerted that the anomaly has occurred; the model used in the LEMPC is not changed despite the change in the underlying process dynamics. Go to step 3.
3. While , apply a detection method to determine if an anomaly has occurred. If an anomaly is detected, set and . Else, . If but , set and . Go to step 4.
4. If , go to step 4a. Else, if , go to step 4b, or if , go to step 4c. If , go to step 5.
   - (a) If , operate the process under the LEMPC of Equation (24) with and set . Else, apply to the process. Return to step 3. .
   - (b) If , gather online data to develop an improved process model as well as updated functions and and an updated stability region around the steady-state of the new empirical model but do not yet update the LEMPC and control the process using the prior LEMPC. Else, if , set and apply . Return to step 3. .
   - (c) Operate the process under the LEMPC of Equation (24) that was used at the prior sampling time. Return to step 3. .
5. If , a process dynamics change occurred at . Set and . Return to step 2 with and . Else, if , ; return to step 3.
We note that we do not specify the detection method to be used in step 3, but the use of a sufficiently conservative (in a sense to be clarified in the following section) allows a worst-case detection mechanism to be that the closed-loop state exits in step 3. We consider that each and are separated by a sufficient period of time such that no second change in the underlying process dynamics occurs before the first change has resulted in an update in the dynamic model and the closed-loop state is within .
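The worst-case detection mechanism and controller switching described above can be sketched as a supervisor that runs at each sampling time. This is an added example, not code from the paper: the names `Supervisor`, `rho_e`, `rho`, `rho_outer`, `max_periods` and the `ESCALATE` action are hypothetical, the matrix P and the sample states are constructed, and the same level sets are assumed to stay valid after the model update. The level values 975, 1300 and 1800 are the numbers quoted in Section 3.2.3; their assignment to the three nested regions is an assumption.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    LEMPC_MODE1 = "LEMPC, state kept inside the inner level set"
    LEMPC_MODE2 = "LEMPC, contractive Lyapunov constraint"
    FALLBACK_OLD = "Lyapunov-based controller, pre-anomaly model"
    FALLBACK_NEW = "Lyapunov-based controller, re-identified model"
    ESCALATE = "outer region left or update deadline missed"


def lyapunov(P, x):
    """Quadratic Lyapunov function V(x) = x^T P x."""
    n = len(x)
    return sum(x[i] * P[i][j] * x[j] for i in range(n) for j in range(n))


@dataclass
class Supervisor:
    P: list            # constructed weighting matrix (assumption)
    rho_e: float       # inner level set (mode-1 region of the LEMPC)
    rho: float         # stability region used to design the LEMPC
    rho_outer: float   # superset region the state must not leave
    max_periods: int   # stand-in for the worst-case update deadline
    model_index: int = 0            # plays the role of the model index q
    detected: bool = False          # anomaly flagged, update pending
    updated: bool = False           # re-identified model installed
    periods_since_detection: int = 0

    def _lempc_mode(self, v):
        return Action.LEMPC_MODE1 if v <= self.rho_e else Action.LEMPC_MODE2

    def step(self, x, model_ready=False):
        """Choose the control law for one sampling period from the measured state."""
        v = lyapunov(self.P, x)
        if v > self.rho_outer:
            return Action.ESCALATE
        if not self.detected:
            if v <= self.rho:
                return self._lempc_mode(v)
            # Worst-case detection: the state has left the stability region.
            self.detected = True
            self.periods_since_detection = 0
        else:
            self.periods_since_detection += 1
        if model_ready and not self.updated:
            self.updated = True
            self.model_index += 1
        if self.updated:
            if v <= self.rho:
                # Back inside the stability region: hand over to the new LEMPC.
                self.detected = self.updated = False
                return self._lempc_mode(v)
            return Action.FALLBACK_NEW
        if self.periods_since_detection > self.max_periods:
            return Action.ESCALATE
        return Action.FALLBACK_OLD


def run(supervisor, samples):
    """Apply the supervisor to a list of (state, model_ready) samples."""
    return [supervisor.step(x, ready) for x, ready in samples]


# Constructed weighting matrix and deviation-variable states, one per sampling time.
P_DEMO = [[100, 2], [2, 1]]
SAMPLES = [
    ((1, 10), False),   # V = 240:  inside the inner level set
    ((3, 5), False),    # V = 985:  between inner level set and stability region
    ((3, 20), False),   # V = 1540: stability region left, anomaly flagged
    ((3, 19), False),   # V = 1489: still waiting for a new model
    ((3, 18), True),    # V = 1440: re-identified model becomes available
    ((2, 10), False),   # V = 580:  state back inside, new LEMPC takes over
    ((4, 20), False),   # V = 2320: outer region left
]

if __name__ == "__main__":
    sup = Supervisor(P_DEMO, rho_e=975, rho=1300, rho_outer=1800, max_periods=3)
    for (x, _), action in zip(SAMPLES, run(sup, SAMPLES)):
        print(x, lyapunov(P_DEMO, x), action.name)
```

Lowering `max_periods` shows the effect of a tighter update deadline: the supervisor escalates if no re-identified model arrives in time.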
Remark 7. A significant difference between the proposed procedure and that in References [53,54], which also involves switched systems under LEMPC, is that Reference [53] assumes that the time at which the model is to be switched is known a priori. In handling of anomalies, this cannot be known; therefore, the proposed approach corresponds to LEMPC for switched systems with unknown switching times. We place bounds in the next section on a number of properties of the LEMPC of Equation (24) for this case to demonstrate the manner in which closed-loop stability guarantees depend on, for example, how large the possible changes in the process model could be when they occur. The goal is to provide a perspective on the timeframes available for detecting various anomalies without loss of closed-loop stability, which could aid in verification and self-design studies for EMPC.
3.2.2. Automated Response to Anomalies: Stability and Feasibility Analysis
According to the implementation strategy above, when an anomaly occurs that changes the underlying process dynamics, one of two things will happen: (1) the model used in Equation (24b) remains the same or (2) the change in the underlying process dynamics is detected and the model used in Equation (24b) is changed within a required timeframe to a new model (i.e., q is incremented by one in Equation (10)). In this section, we present the conditions under which closed-loop stability can be maintained in either case. For readability, proofs of theorems presented in this section are available in the Appendix.
We first present several propositions. The first defines the maximum difference between the process model of Equation (1) and that of Equation (10) over time when the two models are initialized from the same state, as long as the states of both systems are kept within a level set of which is also contained within the stability region around the steady-state for the model of Equation (1) and as long as there is no change in the underlying dynamics. The second sets an upper bound on the difference between the value of at any two points in . The third provides the closed-loop stability properties of the closed-loop system of Equation (10) under the controller .
Proposition 1 ([51]). Consider the systems with initial states contained within , with , , and . If and remain within for , then there exists a function such that: with: where is defined by: for all x contained in and .
Proposition 2 ([24,55]). Consider the Lyapunov function of the nominal system of Equation (10) under the controller that meets Equation (12). There exists a quadratic function such that: for all with where is a positive constant.
Proposition 3 ([51]). Consider the closed-loop system of Equation (10) under that satisfies the inequalities of Equation (12) in sample-and-hold. Let , , and satisfy the following: If , then, for and the state trajectory of the closed-loop system is always bounded in for and is ultimately bounded in .
The next proposition bounds the error between the actual process state and a prediction of the process state using an empirical model initialized from the same value of the process state over a period of time in which the underlying process dynamics change, but the empirical model is not updated. This requires overlap in stability regions for the ith and th models of Equation (1) and for the qth model of Equation (10) within while the qth model is used. The proof of this proposition is available in Appendix A.
Proposition 4. Consider the following systems: with initial states with , , , and . Also, . If , , for and for all , , , and , then where is defined in Equation (51) for and for .
The following theorem provides the conditions under which, when no change in the underlying dynamic model occurs throughout the time of operation and , the LEMPC of Equation (24) designed based on and the qth empirical model of Equation (10) guarantees that the closed-loop state is maintained within over time and is ultimately bounded in a neighborhood of the origin of the model of Equation (10).
Theorem 1 ([51]). Consider the closed-loop system of Equation (1) under the LEMPC of Equation (24) based on the controller that satisfies the inequalities in Equation (12). Let , , , and satisfy the following: If and Proposition 3 is satisfied, then the state trajectory of the closed-loop system is always bounded in for . Furthermore, if and then the state trajectory of the closed-loop system is ultimately bounded in and defined as follows:
The prior theorem provided conditions under which the closed-loop state is maintained within in the absence of changes in the dynamic model. In the following theorem, we provide sufficient conditions under which the closed-loop state is maintained in after . The proof of this result is presented in Appendix B.
Theorem 2. Consider the closed-loop system of Equation (1) under the LEMPC of Equation (24) with meeting Equation (12), where the conditions of Propositions 3 and 4 hold and where is contained in both and . If , such that, after , the system of Equation (1) is controlled by the LEMPC of Equation (24), where , and if the following hold true, for both and , and then the closed-loop state is bounded in for all .
We highlight that these conditions are conservative and not intended to form the least conservative bounds possible. However, they do help to elucidate some of the factors which impact whether a model used in an LEMPC will need to be reidentified to continue to maintain closed-loop stability when the underlying dynamics change, such as the extent to which the dynamics change. The above theorem indicates that, if is initially chosen in a sufficiently conservative fashion and the empirical model is sufficiently close to the underlying process dynamics before the model change, closed-loop stability may be maintained even after the underlying dynamics change if the model changes are such that the empirical model remains sufficiently close to the new dynamic model after the change. In general, anomalies may occur that could violate the conditions of Theorem 2. The result of this could be that the closed-loop state may leave . In this case, it is helpful to characterize conditions under which changes in the underlying dynamics that could be destabilizing could be detected, triggering a model update and controller redesign for the new dynamic model to stabilize the closed-loop system. Therefore, the following theorem characterizes the length of time that the closed-loop state can remain in after a change in the underlying process dynamics occurs if the conditions of Theorem 2 are not met. This can be used in determining how quickly a model reidentification algorithm would need to successfully provide a new model for the LEMPC of Equation (24) for closed-loop stability to be maintained as a function of factors such as the extent that the new model deviates from the empirical model used in the LEMPC when the underlying dynamics change, the sampling period, and the conservatism in the selection of . The proof of this theorem is presented in Appendix C.
Theorem 3. Consider the closed-loop system of Equation (1) under the LEMPC of Equation (24) with meeting Equation (12) and Proposition 3, where is contained in both and . If at , where , such that, after , the system of Equation (1) is controlled by the LEMPC of Equation (24), where , then if the following hold true with , , and : as well as Equations (65)–(67), then if and and the change to the model is not detected until a sampling time with () after which is used to control the system in sample-and-hold, then the number of sampling periods between and within which the model in the LEMPC can be updated to a new model meeting Equation (65) with i replaced by and q replaced by without the closed-loop state exiting is given by , where floor represents the “floor” function that returns the largest integer less than the value of the argument. refers either to or , depending on whether is within the sampling period preceding the closed-loop state exiting .
The following theorem provides the conditions under which the closed-loop state is maintained within for all times after and is driven into after the model reidentification. The proof of the result is presented in Appendix D.
Theorem 4. If and if both and are contained in and , then if is used to control the system after while with the conditions of Equations (65) and (66) met for the th empirical model for the th dynamic system and the LEMPC of Equation (24) using the th empirical model of Equation (10) is used to control the system for all times after , then the closed-loop state is then maintained within until it enters and is then maintained in for all subsequent sampling times.
Remark 8. From a verification standpoint, the proofs above move toward addressing the question of what may happen if a controller is designed and even tested for certain conditions, but the process dynamics change. It provides a theoretical characterization of conditions under which action would subsequently need to be taken as well as indications of the time available to take the subsequent action. However, the results above may be difficult to utilize directly in developing an online monitoring scheme, as many of the theoretical conditions rely on knowing properties of the current and updated models that would likely not be characterizable or would not be known until after the anomaly occurred. However, these still may aid in gaining an understanding of different possibilities. For example, a conservative stability region suggests that larger anomalies could still be detected and mitigated by a combined detection and reidentification procedure without loss of closed-loop stability. Earlier detection may provide more time for reidentification.
Remark 9. If there is an indication from detection methods that are not based on the closed-loop state leaving the stability region that the underlying dynamics may have changed but that the closed-loop state has not yet left , then until the closed-loop state leaves , online experiments (e.g., modifying the objective function as in Reference [51]) could be performed if they do not impact the constraint set to attempt to probe whether the dynamics are more consistent with the prior process model or the potential model postulated after the anomaly is suggested. This may be a method for attempting to detect the changes before the closed-loop state leaves , which could allow larger changes in the process model to be handled practically than could be guaranteed to be handled in the theorems above, as the magnitude of the deviations in the dynamic model allowed above without loss of closed-loop stability depends on the distance between and . However, it is also highlighted that the above is a conservative result, meaning that, in general, larger changes may be able to be handled without loss of closed-loop stability.
Remark 10. The above results can be used to comment on why giving greater flexibility to the process after an anomaly to handle it could introduce additional complexity. Specifically, consider the possibility that some actuators may not typically be used for control but could be considered for use after an anomaly (similar to how safety systems activate for chemical processes, but in this case, they would not act according to a prespecified logic but might be able to be manipulated in either an on-off or continuous manner to give the process additional capabilities for handling the anomaly). It is noted that this would constitute dynamics not previously considered. According to the proofs above, one way to guarantee closed-loop stability in the presence of sufficiently small disturbances is to cause the dynamics after they change to not differ too radically from those assumed before the change and used in the prior dynamic model in the EMPC. If additional flexibility is given to the system, this would be an additional model that would have to match up well.
Remark 11. The results above suggest that, if a model identification algorithm could be guaranteed to provide an accurate model with a small amount of data that could be gathered between when the closed-loop state leaves but before it leaves (where the amount of data available in that timeframe could be known a priori by the number of measurements available in a given sampling period), then the model could be reidentified and placed within the LEMPC in a manner that is stabilizing.
Remark 12. Instead of changes to the underlying dynamic model, anomalies may present changes in the constraint set (e.g., anomalies may change equipment material limitations (e.g., maximum shear stresses, which can change with temperature) used to place constraints on the state in an LEMPC). Because the above results assume that the stability region is fully contained within the state constraint set, the detection and response procedure above would need to ensure that there is no time at which the stability region is no longer fully included within the state constraint set under the new dynamic model. This may be handled by making sufficiently conservative such that the closed-loop state never exits a region where the state constraints can be met under different dynamic models.
3.2.3. Automated Response to Unexpected Hazards: Application to a Chemical Process Example
In this section, we demonstrate concepts described above through a process example. This example considers a nonisothermal reactor in which an reaction takes place, but the reactant inlet concentration and the heat rate Q supplied by a jacket are adjusted by an LEMPC. The process model is as follows:
where the parameters are listed in Table 3 and include the reactor volume V, inlet reactant temperature , pre-exponential constant , solution heat capacity , solution density , feed/outlet volumetric flow rate F, gas constant , activation energy E, and heat of reaction . The state variables are the reactant concentration and temperature T in the reactor, which can be written in deviation form from the operating steady-state vector kmol/m , K, kmol/m , and kJ/h as and . The model of Equations (77) and (78) has the following form:
where represents a vector function derived from Equations (77) and (78) that is not multiplied by u and where represents the vector function which multiplies u in these equations.
The EMPC utilized to adjust the manipulated inputs and Q utilizes the following stage cost (to maximize the production rate of the desired product) and physical bounds on the inputs:
Lyapunov-based stability constraints are also enforced (where a constraint of the form of Equation (22) is enforced at the end of every sampling time if , and the constraint of the form of Equation (23) is enforced at when but then followed by a constraint of the form of Equation (22) at the end of all sampling periods after the first).
We will consider several simulations to demonstrate the developments above. In the first, we explore several aspects of the case in which there is a change in the underlying dynamics while the process is operated under LEMPC that is minor such that the closed-loop state does not leave after the change in the underlying dynamics. For this case, the Lyapunov function selected was , with P given as follows:
The Lyapunov-based controller was designed such that its first component kmol/m and its second component is computed as follows (Sontag’s formula [56]):
Then, it is saturated at the input bounds of Equation (82) if they are met. and are Lie derivatives of with respect to the vector functions and , respectively. and were taken from Reference [57] to be 300 and 225, respectively. The process state was initialized at , with controller parameters and h. The process model of Equations (77) and (78) was integrated with the explicit Euler numerical integration method using an integration step size of h within the LEMPC and of h to simulate the process.
For this first simulation, we assume that a change in the underlying process dynamics occurs at 0.5 h that does not compromise closed-loop stability. Specifically, at 0.5 h, it is assumed that an additional source of heat arises outside the reactor such that the right-hand side of Equation (78) is modified by the addition of another term K/h. Figure 6 and Figure 7 show the process responses when the LEMPC is not aware of the change in the process dynamic model when it occurs and when it is aware of the change in the process dynamic model after it occurs such that it is fully compensated (i.e., an accurate process model is used in the LEMPC at all times, even after the dynamics change). In both cases, the closed-loop state was maintained within the stability region at all times. These simulations were carried out in MATLAB R2016b using fmincon with the default settings except for the increased iterations/function evaluations allowed, scaling down by and providing the steady-state input values as the initial guess for the optimization problem solution at each sampling time. No attempt was made to check whether the LEMPCs in the simulations located globally optimal solutions to the LEMPC optimization problems. However, the profit was higher than that at the steady-state around which the LEMPC was designed.
The oscillatory behavior of the states before 0.5 h is caused by the fact that the profit is maximized for this process at the boundary of . Without plant-model mismatch, the LEMPC is able to maintain the closed-loop state exactly on the boundary of and therefore always operates the process using the constraint of Equation (22); however, when the plant-model mismatch occurs (induced by the use of different integration steps to simulate the process dynamic model within the LEMPC and for the simulation of the process under the computed control actions), the closed-loop state then exits when the LEMPC predicts it will stay inside of it under the control actions computed by the controller. The result is that the constraint of Equation (23) is then activated until the closed-loop state reenters . This process of entering , attempting to operate at its boundary, and then being kicked out only to be driven back in is the cause of the oscillatory response of the states and inputs in Figure 6 and Figure 7. It is noted, however, that though this behavior may be undesirable from, for example, an actuator wear perspective, it does not reflect a loss of closed-loop stability or a malfunction of the controller. The controller is in fact maintaining the closed-loop state within as it was designed to do; the fact that it does so in perhaps a visually unfamiliar fashion means that we have not specified in the control law that it should not do that, so it is not aware that an end user would find that behavior strange (if the oscillatory behavior is deemed undesirable, one could consider, for example, input rate of change constraints and potentially the benefits of the human response-based input rate of change strategy in the prior section for handling unexpected events).
In the case that the LEMPC is not aware of the change in the process dynamics, the profit is 32.7103, whereas when the LEMPC is aware of the change in the dynamics, the profit is 32.5833. Though these values are very close, an interesting note is that the profit when the LEMPC is not aware of the change in the underlying dynamics is slightly higher than when it is aware. Intuitively, one would expect an LEMPC with a more accurate process model to be able to locate a more economically optimal trajectory for the closed-loop state to follow than an LEMPC that cannot provide as accurate predictions. Part of the reason for the enhanced optimality in the case without knowledge of the change in the underlying dynamics, however, comes from the two-mode nature of LEMPC. In the case that the LEMPC is aware of the change in the underlying dynamics, it drives the closed-loop state to an operating condition that remains closer to the boundary of after 0.5 h than when it is not aware of the change in the underlying dynamics due to the plant/model mismatch being different in the different cases. The result is that the process accesses regions of state-space that lead to higher profits when the LEMPC does not know about the change in the dynamics than if the LEMPC knows more about the process dynamics.
The remainder of this example focuses on elucidating the conservativeness of the proposed approach. Specifically, we now consider the Lyapunov function selected as , with P given as follows:
Again, is designed such that kmol/m , and is computed via Sontag’s formula but saturated at the input bounds of Equation (82) if they are met. and were taken to be 1300 and 975, respectively, and was set to 1800. The process state was initialized at , with controller parameters and h. The process model of Equations (77) and (78) was integrated with the explicit Euler numerical integration method using an integration step size of h within the EMPC and with an integration step size of h to simulate the process. The constraint of the form of Equation (23) is enforced at when but then followed by a constraint of the form of Equation (22) at the end of all sampling periods.
At 0.5 h, it is assumed that an additional source of heat arises outside the reactor such that the right-hand side of Equation (78) is modified by the addition of another heat term K/h. In this case, with no change in the process model used by the EMPC or even in the control law (i.e., in contrast to the implementation strategy in Section 3.2.1, is not employed when the closed-loop state exits ), the behavior in Figure 8 results. Notably, the closed-loop state does not leave , and no infeasibility issues occurred. In contrast, if we begin to utilize when the closed-loop state leaves , the closed-loop state will eventually leave (Figure 9). While we can obtain a new empirical model (in this case, we assume that the dynamics become fully known at 0.54 h and are accounted for completely to demonstrate the result) and can use that to update to (i.e., but with modified saturation bounds to reflect design around the new steady-state of the system with K/h) before the closed-loop state leaves as suggested in the implementation strategy in Section 3.2.1 (creating the profile shown in Figure 10 corresponding to 2 h of operation in which the closed-loop state is driven back to the origin under ), the fact that the closed-loop state would not have left the stability region if the controller had not been adjusted illustrates the conservativeness of the approach. We note that Figure 10 does not complete the implementation strategy in Section 3.2.1 (which would involve the use of a new LEMPC after the closed-loop state reenters for this example) because that part of the implementation strategy will be demonstrated in the discussion for a slightly different LEMPC presented below.
Finally, we provide a result where the LEMPC computes a time-varying input policy due to the desire to enforce a constraint on the amount of reactant available in the feed over an hour (i.e., a material/feedstock constraint) as follows:
This constraint is enforced via a soft constraint formulation by introducing slack variables and that are penalized in a modified objective function as follows:
They are used in the following constraints:
where and when h and where and is the number of sampling periods left in a 1 h operating period when h. These constraints are developed based on Reference [12]. signifies the value of applied to the process at a prior sampling time, and reflects the value of predicted at the current sampling time to be applied for , . The upper and lower bounds on and were set to and , respectively, to allow them to be effectively unbounded. The initial guesses of the slack variables were set to 0 at each sampling time.
When the LEMPC with the above modifications is applied to the process with K/h starting at 0.5 h, the closed-loop state again exits for some time after 0.5 h but reenters it and also does not exit , once again reflecting the conservatism from a closed-loop stability standpoint of a strategy that updates the process model whenever the closed-loop state leaves . Furthermore, if is utilized after it is detected that the closed-loop state leaves (the first sampling time at which this occurs is 0.51 h), then it exits by 0.52 h, showing that the length of the sampling period or the size of with respect to is not sufficiently small enough to impose model updates before closed-loop stability is jeopardized because measurements are only available every sampling time. If instead, however, is updated to be 1200 and is set to 900, then the closed-loop state remains in between 0.51 and 0.52 h. If at 0.52 h, we assume that the new dynamics (i.e., with K/h) become available and are used in designing (used from 0.52 h until the first sampling time at which again) and that a second LEMPC designed based on the updated model is used after the closed-loop state has reentered , the state-space trajectory in Figure 11 results.