IEEE TRANSACTIONS ON CONTROL SYSTEMS TECHNOLOGY, VOL. 23, NO.
4, JULY 2015
A Distributed Architecture for HVAC Sensor
Fault Detection and Isolation
Vasso Reppa, Member, IEEE, Panayiotis Papadopoulos, Student Member, IEEE,
Marios M. Polycarpou, Fellow, IEEE, and Christos G. Panayiotou, Senior Member, IEEE
Abstract— This paper presents a design and analysis method-
ology for detecting and isolating multiple sensor faults in heating,
ventilation, and air-conditioning (HVAC) systems. The proposed
methodology is developed in a distributed framework, consid-
ering a multizone HVAC system as a set of interconnected
nonlinear subsystems. A dedicated local sensor fault diagnosis
(LSFD) agent is designed for each subsystem, while it may
exchange information with other LSFD agents. Distributed sensor
fault detection is conducted using robust analytical redundancy
relations of estimation-based residuals and adaptive thresholds.
The distributed sensor fault isolation procedure is carried out
by combining the decisions of the LSFD agents and applying a
reasoning-based decision logic. The performance of the proposed
methodology is analyzed with respect to robustness, sensor fault
detectability, and isolability. Simulation results are used for
illustrating the effectiveness of the proposed methodology applied
to an eight-zone HVAC system.
Index Terms— Distributed fault diagnosis, fault detection, fault
isolation, heating, ventilation, and air conditioning (HVAC)
system, sensor faults.
I. I NTRODUCTION
R ECENT technological advancements in home automation
have contributed to the design of the so-called smart
buildings. A usually large scale and smart building can be
viewed as a cyber-physical system [1], which consists of the
physical-engineered system (the conventional building) that is
usually large scale and complex, and the cyber core, com-
prised of communication networks and computational means,
designed to monitor, coordinate, and control the building
environment to increase energy efficiency and cost effective-
ness, improve comfort, productivity and safety, and increase
system robustness and reliability [2], [3]. One of the essential
components of a smart building is the heating, ventilation,
and air conditioning (HVAC) system, which is responsible
for providing a high quality and healthy environment for the
building’s occupants.
Manuscript received July 12, 2014; accepted September 14, 2014. Date
of publication November 21, 2014; date of current version June 12, 2015.
Manuscript received in final form October 13, 2014. This work was supported
by the European Research Council (ERC) under the ERC Advanced Grant
through the FAULT-ADAPTIVE Project and by the European Union’s Sev-
enth Framework Programme (FP7/2007-2013) within the People Programme
(Marie Curie Actions) through the Research Executive Agency under grant
agreement n◦ 626891. Recommended by Associate Editor C. De Persis.
V. Reppa is with the Department of Automatic Control, Supélec,
Gif-sur-Yvette 91192, France (e-mail: vasiliki.reppa@supelec.fr).
P. Papadopoulos, M. M. Polycarpou, and C. G. Panayiotou are with
the KIOS Research Center for Intelligent Systems and Networks, Depart-
ment of Electrical and Computer Engineering, University of Cyprus,
Nicosia 1678, Cyprus (e-mail: ppapad01@ucy.ac.cy; mpolycar@ucy.ac.cy;
christosp@ucy.ac.cy).
Color versions of one or more of the figures in this paper are available
online at http://ieeexplore.ieee.org.
Digital Object Identifier 10.1109/TCST.2014.2363629
1063-6536 © 2014 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
1323
The HVAC system is comprised a large number of electrical
and mechanical components, including the heating and cool-
ing plant (boilers, chillers, and dehumidifier), the ventilation
system [variable air volume (VAV) terminal units and air
handling unit (AHU)], and one or more zones served by
the terminal units of the ventilation system. Each subsystem
consists of several hardware components, such as sensors
(e.g., temperature and humidity), electrical and mechanical
actuators (e.g., coils, dampers, and valves), and controllers.
Over time, it is inevitable that one or more HVAC components
will fail, necessitating the utilization of a successful fault
detection and isolation (FDI) mechanism [4], [5]. Such a
mechanism may be one of the enhanced functionalities of a
smart building, while, according to [6], it can save 10%–40%
of the HVAC energy consumption.
During the last two decades, various methodologies have
been developed for detecting and isolating faults in HVAC
systems [7]–[10]. Most of these methodologies have focused
on the detection and isolation of faults in actuators and
the plant of the HVAC system. However, the detection and
isolation of sensor faults are becoming a key challenging
problem, since the number of sensors used for monitoring
and control of the energy consumption and living conditions
in large-scale smart buildings is increasing. For example, in
the electromechanical part of the HVAC system, there may
be sensors for measuring supply/return/mixed air tempera-
ture, supply/return air flow, differential pressure, return air
humidity, and so on. Even in a single zone (e.g., room and
corridor), there may be a temperature sensor, humidity sensor,
CO2 sensor, and an infrared occupancy sensor. Any fault in
one or more of these sensors may have significant impact in
the smooth operation of the HVAC system or even jeopardize
the safety of the occupants. For example, a fault in the zone
temperature sensor (stuck at a high temperature) can cause the
continuous operation of the chiller, leading to both discomfort
and increased energy consumption; or a fault in the CO2 sensor
can give the wrong signal to the controller for adjusting the
air flow of the zone, leading to improper ventilation and
unfavorable working conditions.
HVAC sensor faults may also affect the functionality
of supervision schemes [11], executing safety critical tasks
leading to wrong decisions and disorientation of remedial
actions. For example, evacuation plans in case of contaminant
release in a building are usually designed in combination with
emergency control strategies for the HVAC system. These
plans are activated based on measurements of contaminant
and occupancy sensors [12], e.g., aiming at making a zone
to be a safe haven in case of contamination, the exhaust
1324 IEEE TRANSACTIONS ON CONTROL SYSTEMS TECHNOLOGY, VOL. 23, NO. 4, JULY 2015
damper in the zone may be activated for directing the conta-
minant to another zone, where there are no people, according
to the measurements of an occupancy sensor. However, a
faulty contaminant sensor may indicate low or zero levels
of contamination in the zone, leading to the nonactivation of
the exhaust damper and characterization of the contaminated
zone as safe. Or, the contaminant may be directed by the
exhaust damper to a zone, which is indicated as empty,
although it is occupied, due to a faulty occupancy sensor
(stuck at zero).
Sensor FDI (SFDI) methods for HVAC systems can
be classified into data-driven and model-based methods.
Data-driven methods are the most commonly used for SFDI
in HVAC systems, since they can be developed using a
black-box model, without the requirement of understand-
ing the system’s model [13]–[18]. However, these methods
need a plethora of data collected under both healthy and
faulty conditions (data under faulty conditions are neces-
sary for fault isolation), implying increased cost due to the
utilization of redundant sensors beyond the sensors required
for the proper system operation [19]. On the other
hand, model-based methods require additional modeling and
calibration effort, since a HVAC model with physical signifi-
cance has to be developed using a priori knowledge of system
process [20]–[23]. Nevertheless, the model-based SFDI meth-
ods are designed based on the data acquired by the
sensors that are usually installed for feedback control
purposes [24]–[27].
The majority of the SFDI methods developed so far
are based on a centralized approach, or have focused on
the diagnosis of faults in one of the HVAC subsystems,
e.g., chiller, AHU, and VAV, considering each subsystem
separately [16], [17], [24]. HVAC systems are highly com-
plex nonlinear systems, typically comprising multiple inter-
connected subsystems, especially in the case of large-scale
buildings, such as hospitals, shopping malls, business centers,
airports, universities, and many more. Thus, a centralized
approach for fault diagnosis may be less suitable compared
with a noncentralized approach, since it is characterized by:
1) increased computational complexity of the FDI algorithms,
since centralized architectures are tailored to handle (multi-
ple) faults globally; 2) increased communication requirements
due to the transmission of information to a central point;
3) vulnerability to security threats, because the central cyber
core in which the SFDI algorithm is implemented is a single-
point of failure; and 4) reduced potential of scalability in
case of system expansion (e.g., building a new ward in a
hospital), due to the utilization of a global physical model
or black box. Moreover, treating the occurrence of faults in a
HVAC subsystem separately may be less efficient, since the
propagation of faults in a distributed control architecture is
neglected. Several researchers have developed decentralized
or distributed techniques for diagnosing actuator, process, or
sensor faults in specific classes of distributed interconnected
nonlinear systems [28]–[34]. However, there are very few
distributed techniques for diagnosing multiple sensor faults in
HVAC systems [35], which are likely to occur in large-scale
buildings.
The objective and main contribution of this paper are the
design and analysis of a distributed, model-based method
for detecting and isolating multiple sensor faults affecting
a multizone HVAC systems. Based on the nonlinear HVAC
model developed in [23] and [36], we develop a distributed
SFDI methodology exploiting the spatial distribution of the
HVAC system, i.e., modeling the HVAC system as a set of
N + 1 interconnected nonlinear systems (N zones and the
electromechanical part). For each nonlinear subsystem, we
design a dedicated local sensor fault diagnosis (LSFD) agent,
which is responsible for detecting and isolating the presence of
sensor faults in a distributed manner. To this end, each LSFD
agent uses the input and output measurements of its underlying
subsystem, as well as the sensor measurements or reference
signals of its neighboring subsystems. The sensor fault detec-
tion decision logic implemented in the agents relies on check-
ing whether certain analytical redundancy relations (ARRs)
are satisfied. The ARRs are formulated using estimation-based
residuals and adaptive thresholds, considering bounded mod-
eling uncertainties and measurement noise. The distributed
isolation of multiple faulty sensors in the HVAC system is
carried out using a diagnostic reasoning-based decision logic
applied to a sensor fault signature matrix. The performance of
the proposed methodology is analyzed with respect to sensor
fault detectability and isolability [37], characterizing under
certain conditions the class of sensor faults that can be detected
and isolated.
The added value of this particular case study is the design
of a distributed isolation decision logic and its application
to multizone HVAC systems that are inherently distributed
systems, where the interconnected subsystems are character-
ized by heterogeneous nonlinear dynamics, as well as the
analysis of the different ways that local and propagated
sensor faults may affect each subsystem. Moreover, the uti-
lization of adaptive thresholds ensures the robustness of the
proposed method against modeling uncertainties and measure-
ment noise, excluding false alarms that are not only annoying
to the occupants but also deceptive in emergency situations.
This paper is organized as follows. The HVAC system
is described in Section II. The architecture and the design
details of the proposed distributed SFDI methodology are
presented in Section III. The HVAC sensor fault detectability
and isolability are analyzed in Section IV. Simulation results
of the application of the proposed SFDI architecture to an
eight-zone HVAC system are provided in Section V, followed
by concluding remarks in Section VI.
II. HVAC S YSTEM D ESCRIPTION
Consider a HVAC system, which consists of N separated
zones (e.g., dormitory rooms and classrooms) and the electro-
mechanical part. The basic components of the electromechan-
ical part of the HVAC shown in Fig. 1 are the cooling coil, the
chiller and the chilled water tank, the fan, the supply and return
ducts, and the VAV boxes. The cooling coil is connected to
the chiller through the chiller water tank, which regulates the
water inserted to the cooling coil. The control inputs to the
HVAC system are the air flow rate to each of the N zones
REPPA et al.: DISTRIBUTED ARCHITECTURE FOR HVAC SFDI 1325

flow rate of air entering into the I th zone and χ (m3 /s)
is the chilled water mass flow rate. The variable T z I (°C/s)
represents the rate of internal heat change, due to occupants
and appliances from the I th zone. For the purposes of this
paper, it is assumed that the ambient temperature Tamb (°C)
is constant and known. The remainder constant parameters of
the HVAC system are the heat mass capacitance corresponding
to the I th zone Mz I (kg), specific heat at constant volume
Cv (J/kg · K), the overall heat transfer coefficients of the
I th zone, the cooling coil, and the chilled water tank Uz I , Ucc ,
and Ut (W/m 2 · K), respectively, the density of air and water
ρa and ρw (kg/m3), respectively, the area of the I th zone, the
Fig. 1. Schematic of a N -zone HVAC system. cooling coil, and the chilled water tank A z I , Acc , and At (m2 ),
(controlled through the fan and the VAV boxes) and the respectively, the specific heat at constant pressure of air and
chilled water mass flow rate (controlled by a three-way valve). water Cpa and Cpw (J/kg · K), respectively, the latent heat of
By controlling these inputs, the objective is to achieve the water h fg (J/kg), the temperature of output water Two (°C),
desired temperature in each building zone (for occupants’ and the humidity factors wz and wao [23].
comfort) and in the cooling coil (for energy efficiency). The In each of the N zones, there exists a sensor measuring
humidity and indoor air quality are not controlled. the zone temperature Tz I , while two sensors are available
The temperature dynamics in each zone, cooling coil, and in the electromechanical part of the HVAC, measuring the
chiller water tank can be modeled based on the fundamental temperature of the air exiting the cooling coil Tao and the
mass and energy conservation equations under the following temperature of the chilled water in the tank Tt . The control
assumptions [23], [36]: 1) the air temperature and velocity inputs to the N-zone HVAC system are the volumetric flow
have uniform behavior throughout a zone; 2) the transient and rate of air Q a I to each zone and the chilled water mass flow
spatial effects are neglected at the components that exchange rate to the storage tank χ, generated by distributed feedback
air; 3) at the exterior and interior surface of the zones, controllers based on some reference signals. The objective
supply/return ducts, and so on, the heat transfer is modeled of this paper is to design a methodology for detecting and
using constant heat transfer coefficients; 4) the heat transfer isolating multiple sensor faults that may affect the sensors used
at the chilled water tank with the ambient is modeled using for monitoring and control of the N-zone HVAC system.
a single constant heat transfer coefficient for all surfaces; III. D ISTRIBUTED HVAC S ENSOR FAULT
and 5) the axial mixing of water is neglected and the water D ETECTION AND I SOLATION
temperature is constant across the cross section of the tubes.
The temperature dynamic equations of the N-zone HVAC This section provides the design details of the distributed
system are described by architecture for detection and isolation of sensor faults in
d Tz I (t) the HVAC system described in Section II. The main step for
Mz I C v = ρa Cpa (Tao (t) − Tz I (t))Q a I (t) employing the proposed distributed model-based sensor fault
dt
+ Uz I A z I (Tamb − Tz I (t)) + T z I (t) (1) diagnosis methodology is to formulate the multizone HVAC
  N system given in (1)–(3) as a set of interconnected nonlinear
d Tao (t) 1  N 
Mcc Cv = ρa Cpa Tz I (t) − Tao (t) Q a I (t) subsystems, where every local subsystem is described by
dt N
I =1 I =1
   ẋ(t) = Ax(t) + γ (x(t), u(t)) + h(x(t), u(t), u z (t), z(t))
1 
N
+ Ucc Acc Tamb − Tao (t)+ Tz I (t) + η(x(t), u(t), u z (t), z(t), t) (4)
N
I =1
+ Q w ρw Cpw (Tt (t) − Two ) where x ∈ Rn and u ∈ R are the state and input vector of

N the local subsystem, respectively, while z ∈ R p and u z ∈
+ ρa (h fg − Cpa )wz Q a I (t) Rz are the interconnection state and input vector, respec-
I =1 tively containing the states and inputs of the neighboring,
N
interconnected subsystems. The constant matrix A ∈ Rn×n
− ρa (h fg − Cpa )wao Q a I (t) (2) is the linearized part of the state equation and γ : Rn ×
I =1
R → Rn represents the known nonlinear dynamics. The
d Tt (t)
Mt Cv = Q w ρw Cpw (Two −Tt (t))+Ut At (Tamb −Tt (t)) term Ax + γ (x, u) represents the known local dynamics,
dt while h : Rn × R × Rz × R p → Rn represents the known
15000
+ χ(t) (3) interconnection dynamics. The last term η : Rn × R × Rz ×
Vt ρw Cpw R p × R → Rn denotes the modeling uncertainty of the local
where Tz I (°C) is the temperature of the I th zone, subsystem, representing various sources of uncertainty, such
I ∈ {1, . . . , N}, Tao (°C) is the output air temperature from the as system disturbances, linearization error, uncertainty in the
cooling coil, and Tt (°C) is the temperature of the water in the model’s parameters, and so on. The input vector u is generated
chiller storage tank. The variable Q a I (m3 /s) is the volumetric by a local feedback controller based a desired reference input.
1326 IEEE TRANSACTIONS ON CONTROL SYSTEMS TECHNOLOGY, VOL. 23, NO. 4, JULY 2015

A. Architecture characterized by the output y (I ) ∈ R

The N-zone HVAC system can be regarded as a set of S (I ) : y (I ) (t) = Tz I (t) + d (I ) (t) + f (I ) (t) (13)
N + 1 interconnected nonlinear subsystems that correspond
to the electromechanical part, comprising the cooling coil where d (I ) ∈ R denotes the noise corrupting the measurements
and chiller water tank, and the N building zones. Let us y (I ) of sensor S (I ) and f (I ) ∈ R represents the possible sensor
define T e = [T1e , T2e ] = [Tao , Tt ] , Tz = [Tz1 , . . . , Tz N ] , fault, i.e., the change in the I th output y (I ) due to a single
and Q a = [Q a1 , . . . , Q a N ] . By writing (2) and (3) in the fault in the I th sensor is described by
form of (4) with x ≡ Te , u ≡ χ, z ≡ Tz , and u z ≡ Q a ,  ) (I )  )
f (I ) (t) = β (I ) t − t (I
f φ t − t (I
f (14)
the subsystem that corresponds to the electromechanical part,
denoted by  e , can be expressed as where β (I ) is the time profile and φ (I ) is the (unknown)
d T e (t) function of the sensor fault that occurs at the (unknown)
e : = Ae T e (t) + γ e (χ(t)) + h e (T e (t), Tz (t), Q a (t)) time instant t (I )
f . The time profile of the fault is modeled as
dt (I )
(5) β (I ) (t) = 0 for t < 0 and β (I ) (t) = 1 − e−k t for t ≥ 0,
where k (I ) is the (unknown) evolution rate of the fault. In the
where case of abrupt sensor faults, the time profile of the fault is
 Q w ρw C pw  modeled by letting k (I ) → ∞. In practice, there may be more
− UMccccACccv Mcc C v
A =
e
Q ρ C +U A (6) than one sensor covering a single zone (especially large zones).
0 − w Vwt ρwpwCpw t t In this case, the multiple measurements can be combined by
 Q w ρw C pw 
Ucc Acc averaging or using advanced sensor fusion methods, while the
Mcc C v Tamb − Mcc C v Two
γ (χ) =
e
Ut At Q w ρw C pw proposed methodology can still be applied.
Vt ρw C pw Tamb + Vt ρw C pw Two The nonlinear subsystem  e is monitored and controlled
 
0 using a sensor set S e that includes two temperature sensors
+ 15000 χ (7) S e {1} and S e {2}, characterized by
Vt ρw C pw

e e 
 e h 1 T1 , Tz , Q a S e {1} : y1e (t) = T1e (t) + d1e (t) + f1e (t) (15)
h T1 , Tz , Q a =
e
(8) e
0 S {2} : y2e (t) = T2e (t) + d2e (t) + f2e (t) (16)
 
ρa Cpa  Ucc Acc 1 
N N
 e where y ej∈ R, j = 1, 2, is the sensor output, ∈ R denotes
d ej
h 1 T1 , Tz , Q a =
e
QaI − Tz I
Mcc Cv Mcc Cv N the noise corrupting the measurements of sensor S e { j }, and
I =1 I =1
ρa  f je ∈ R represents the possible sensor fault described by
+ (h fg − Cpa )(wz − wao )  
Mcc Cv f je (t) = β ej t − t ef j φ ej t − t ef j , j = 1, 2 (17)
N
− Cpa T1e QaI . (9) where β ej is the time profile (the time profile β ej is modeled
I =1 as β (I ) ) and φ ej is the (unknown) function of the sensor
It is noted that the first two terms of (5) represent the local fault that occurs at the (unknown) time instant t ef j . Assuming
dynamics of  e , while h e characterizes the interconnection the occurrence of sensor faults described by (13)–(16) allows
dynamics between  e and { (1), . . . ,  (N) }, where  (I ) cor- us to test several time profiles (the time profile is the way that
responds to the temperature dynamics of the I th zone for a fault evolves) and fault functions (the forms of the faults)
all I ∈ {1, . . . , N}. By writing (1) in the form of (4) with that may vary for every subsystem.
x ≡ Tz I , u ≡ Q a I , z ≡ T1e , and u z = 0, the subsystem of the The design of the proposed distributed SFDI technique is
I th zone can be expressed as realized as follows. Considering the N +1 subsystems, defined
through (5) and (10), the first step is to design a LSFD agent
d Tz I (t)
 (I ) : = A(I ) Tz I (t) + γ (I ) (Tz I (t), Q a I (t)) for each of the interconnected subsystems, i.e., the agent Me
dt  dedicated to subsystem  e and the agent M(I ) dedicated to
+ h (I ) T1e (t), Q a I (t) + η(I ) (t) (10) subsystem  (I ) , I ∈ {1, . . . , N} [33], [34], [38]. Each LSFD
z I and agent has access to the input and output data of the underlying
where A(I ) = −(Uz I A z I /Mz I Cv ), η(I ) = (1/Mz I Cv )T
subsystem, while it may exchange information with some
ρa Cpa Uz A z agents. The exchanged information is associated with the form
γ (I ) (Tz I , Q a I ) = − Tz I Q a I + I I Tamb (11)
Mz I C v Mz I C v of the physical and input interconnections. Particularly, the
 ρ C agent Me that monitors the electromechanical part transmits
h (I ) T1e , Q a I =
a pa
T e Qa . (12) the measurements of S e {1} to each agent M(I ) , while it
Mz I C v 1 I
uses a priori known temperature reference signals of  (I ) ,
Again, the first two terms A(I ) Tz I and γ (I ) (Tz I , Q a I ) corre- I ∈ {1, . . . , N} from the agent M(I ) [39].
spond to the local dynamics of  (I ) , while h (I ) represents the The task of Me is to detect and isolate sensor faults affect-
interconnection dynamics between  (I ) and  e . ing S e {1} and S e {2}. Assuming the occurrence of multiple
The I th subsystem  (I ) , I ∈ {1, . . . , N}, is monitored sensor faults, two modules are designed in the agent Me
and controlled using a temperature sensor, denoted by S (I ) , such that the j th module, denoted by Mej is dedicated to
REPPA et al.: DISTRIBUTED ARCHITECTURE FOR HVAC SFDI 1327

the sensor S e { j }, j = 1, 2, and is responsible for isolating conditions can be rewritten as

a sensor fault that affects S e { j }. The task of M(I ) is to Ae t
εey1 (t) = C1e e L 1 εTe 1 (0) + d1e (t)
isolate sensor faults in S (I ) . However, each agent M(I ) t
Ae (t −τ )  e  e
uses the sensor information y1e transmitted from Me , which + C1e e L 1 h T1 (τ ), Tz (τ ), Q a (τ )
may be faulty, thus affecting the decision of M(I ) , i.e., the 0 
− h e y1e (τ ), Tr (τ ), Q a (τ )
agent M(I ) may not be able to distinguish between sensor
faults in S (I ) and S e {1}. Therefore, the decision of the agent − L e1 d1e (τ ) dτ (21)
Me is transmitted to M(I ) upon request, after the time where y1e is the sensor measurement defined in (15). According
instant that M(I ) detects the presence of sensor faults [34]. to (20) and (21), the residual εey1 is affected only by a possible
The decision logic implemented in Me1 , Me2 , and M(I ) , fault in the sensor S e {1}.
I ∈ {1, . . . , N} relies on checking whether ARRs are satisfied, The estimator in the module Me2 is structured as in (18)
while every ARR is formulated using estimator-based residuals with y ≡ y2e , u ≡ χ, A ≡ Ae22 , γ ≡ γ2e (γ2e is the second
and adaptive thresholds. Considering (4), the structure of every e ≡ x̂
element of γ e ), and h ≡ 0 and defining T 2
estimator, designed for each agent/module, has the following
˙ e e

general representation: T̂ (t) = A T (t) + γ (χ(t)) + L y (t) − T
2
e
22 2
e
2
e e
2
e (t)
2 (22)
2
˙
x̂(t) = A x̂(t) + γ (y(t), u(t)) + h(y(t), u(t), z
(t), u z (t)) where e
T∈ R is the estimation of T2e ,
with initial conditions
2
+ L(y(t) − C x̂(t)) (18) e (0) = 0, Ae is the element {2, 2} of the matrix Ae given
T 2 22
in (6), and L e2 ∈ R is the estimator gain chosen such that
where x̂ ∈ Rn is the estimation of x (with x̂(0) = 0) using AeL 2 = Ae22 − L e2 is stable.
the measurements y ∈ Rm , L is the gain matrix chosen such The residual generated by the module Me2 , denoted by
that the matrix A − LC is stable, and z
∈ R p is comprised ε y2 ∈ R, is expressed as
e
of a priori known reference signals or measurements of the
interconnection variables z. The sensor output is described 2e (t)
εey2 (t) = y2e (t) − T (23)
by y(t) = C x(t) + d(t) + f (t), where C ∈ Rm×n is the where y2e is the sensor measurement described by (16). Let us
output matrix, while d and f are the noise and fault vector, define the state estimation error as εTe 2 (t) = T2e (t) − T e (t);
2
respectively, corrupting the sensor measurements. The estima- given (5), (16), and (22), the residual ε y2 under healthy
e
tor (18) is a special case of the Lipschitz observer designed conditions is rewritten as
in [33] and [34], satisfying the corresponding assumptions, t
AeL t e Ae (t −τ ) e e
while the stability of the estimator (18) is ensured if the pair ε y2 (t) = e
e 2 εT2 (0) + d2 (t)−
e
e L2 L 2 d2 (τ )dτ . (24)
(A, C) is observable. 0
According to (23) and (24), the residual εey2 is affected only
B. Residual Generation
by a possible fault in the sensor S e {2}.
The first stage of decision-making process conducted by The nonlinear estimator implemented in the agent M(I ) ,
the LSFD agents is the generation of residuals. Residuals are I ∈ {1, . . . , N} is structured as in (18) with y ≡ y (I ) , u ≡
features that portray the status of the monitoring subsystem. Q a I , z
≡ y1e , A ≡ A(I ) , γ ≡ γ (I ) , and h ≡ h (I ) and defining
Any unusual change in these features may imply the presence z I ≡ x̂
T
of faults. In this paper, residuals represent the deviations of ˙ 
the sensor data (observed behavior) from the estimated sensor T̂z I (t) = A(I ) T z I (t) + γ (I ) y (I ) (t), Q a I (t)

outputs (expected behavior). z I (t)) (25)
+ h (I ) y1e (t), Q a I (t) + L (I ) (y (I ) (t) − T
The nonlinear estimation model of the module Me1 is
where T z I ∈ R is the estimation of Tz I , I ∈ {1, . . . , N},
selected as in (18) with y ≡ y1e , u ≡ χ, u z ≡ Q a , z
≡ Tr ,
e ≡ x̂ with initial conditions T z(II ) (0) = 0 and L (I ) ∈ R is the
A ≡ Ae , γ ≡ γ e , and h ≡ h e and defining T
estimator gain, chosen such that A(I )
1 (I ) − L (I ) is stable,
˙  L = A
1e (t) + γ e (χ(t)) + h e y1e (t), Tr (t), Q a (t)
T̂1e (t) = Ae T (I )
i.e., L > A . (I )

1e (t)
+L e1 y1e (t) − C1e T (19) The residual generated by the agent M(I ) , I ∈ {1, . . . , N},
is denoted by ε(I )
y ∈ R and is described by
where T e ∈ R2 is the estimation of T e (using the measure-
1
e (0) = [0, 0] , L e ∈ R2×1 ε(I ) (I ) 
y (t) = y (t) − Tz I (t). (26)
ments y1e ), with initial conditions T 1 1
is the estimator gain matrix, chosen such that AeL 1 = Ae − Considering (10), (13), and (25), the residual ε y , I ∈
(I )
L e1 C1e is stable, C1e = [1, 0] and Tr (t) = [Tr1 (t), . . . , Tr N (t)] , {1, . . . , N} under healthy conditions can be expressed as
where Tr (t) includes the a priori known reference signals of t
(I ) (I )
subsystem  (I ) , I ∈ {1, . . . , N}. (I ) A L t (I ) (I )
ε y (t) = e εT (0) + d (t) + e A L (t −τ )
The residual generated by the module Me1 , is denoted by  0
ε y1 ∈ R and is defined as
e
× η (τ ) − L d (τ ) + γ (I ) (Tz I (τ ), Q a I (τ ))
(I ) (I ) (I )

1e (t).
εey1 (t) = y1e (t) − C1e T (20) 
− γ (I ) (y (I ) (τ ), Q a I (τ )) + h (I ) T1e (τ ), Q a I (τ )

e (t);
Let us define the state estimation error εTe 1 (t) = T e (t)− T 
1 − h (I ) y1e (τ ), Q a I (τ ) dτ (27)
given (5), (15), and (19), the residual ε y1 under healthy
e
1328 IEEE TRANSACTIONS ON CONTROL SYSTEMS TECHNOLOGY, VOL. 23, NO. 4, JULY 2015

where y (I ) and y1e are sensor measurements described where T I is a known constant bound such that
by (13) and (15), respectively. Based on (26) and (27), the |Tz I (t) − Tr I (t)| ≤ T I for all t.
(I )
residual ε y is affected by possible faults in either sensor Considering (24), the adaptive threshold εey2 , implemented
S {1} or sensor S (I ).
e in the module Me2 , is described by
t
e e e
εey2 (t) = ρ2e e−ξ2 t T 2 + d 2 + ρ2e e−ξ2 (t −τ )|L e2 |d 2 dτ (31)
e e
C. Computation of Adaptive Thresholds
0
Due to the presence of disturbances and sensor measurement
e e
noise, the observed behavior is typically not identical to the where T 2 is a known bound such that |T2e (0)| ≤ T 2 , and
Ae t
are positive constants such that |e L 2 | ≤ ρ2e e−ξ2 t
e
expected behavior even during the healthy operation of the ρ2e and ξ2e
sensors in the building zones and electromechanical part. For for all t.
this reason, the residuals are compared with thresholds that The adaptive threshold implemented in the agent M(I ) ,
are designed to bound the residuals under healthy conditions, (I )
denoted by ε y (t), I ∈ {1, . . . , N}, is computed such that
ensuring the robustness of the agents Me and M(I ) , for all I ,  (I ) 
with respect to various sources of uncertainties. The adaptive ε (t) ≤ ε(I ) (t) (32)
y y
thresholds designed in this paper are time-varying functions
of measured or computable signals. The adaptive nature of where ε(I )
y (t) is the residual under healthy conditions
the thresholds can contribute in reducing the conservativeness ( f (I ) = 0, I ∈ {1, . . . , N} and f 1e = 0) defined in (27). Hence,
in the decision making compared with fixed thresholds. The the adaptive threshold ε(I )
y (t) is described by
adaptive thresholds are computed considering the following t
(I ) −ξ (I ) t (I ) (I )
assumption. ε(I
y
)
(t) = ρ e T zI + d + ρ (I ) e−ξ (t −τ )
Assumption 1: The modeling uncertainty of  (I ) ,  0

I ∈ {1, . . . , N} and the measurement noise of each sensor (I ) ρa pa  (I )
C e
× η(I )+|L (I ) |d + d +d 1 |Q a I (τ )| dτ
S (I ) and S e { j }, j = 1, 2 are unknown but uniformly bounded, Mz I C v
(I ) e
i.e., |η(I ) (t)| ≤ η(I ) , |d (I ) (t)| ≤ d , and |d ej (t)| ≤ d j , where (33)
(I )
η(I ) , d j , and d̄ ej are known constant bounds. where T z I is a known bound such that |Tz I (0)| ≤ T z I , ρ (I )
(I ) (I )
The bound η(I ) is commonly used for distinguishing and ξ (I ) are positive constants such that |e A L t | ≤ ρ (I ) e−ξ t
between disturbances and faults [40], while the noise bounds for all t, and
(I ) e
d and d j correspond to a practical representation of the  (I )  
available knowledge for the sensor noise that is typically γ (Tz , Q a ) − γ (I ) y (I ) , Q a  ≤ ρa Cpa |Q a |d (I ) (34)
I I I I
Mz I C v
provided in a given operation range by sensor manufacturers.
 (I )  e   ρa Cpa
It is noted that in the case of available time varying bounds h T1 , Q a I − h (I ) y1e , Q a I  ≤
e
|Q a I |d 1 . (35)
(I ) e Mz I C v
η(I ) (t), d (t), and d j (t), this information can be incorporated
into the following procedure without significant difficulties. It is noted that the adaptive thresholds defined in (29),
The adaptive threshold implemented in the module Mej , (31), and (33) can be implemented using straightforward linear
denoted by εey j (t), j = 1, 2, is computed such that filtering techniques:
 e   e 
ε̄ey1 (t) = ρ1e e−ξ1 t T 1 + d 1 + H1e (s) d 1 + h (t)
e e e e
ε (t) ≤ εe (t) (28) (36)
yj yj  e e
T + d + H (s) L d
e −ξ2e t e
e e e
ε̄ (t) = ρ e
y2 2 2 2 2 2 2 (37)
where εey j (t) is the residual defined in (20) for j = 1 and (23) (I ) (I )
(I ) −ξ (I ) t
for j = 2. Considering Assumption 1 and that there exists ε̄(I )
y (t) =ρ e T z I + d + H I (s)(η(I ) + |L (I ) |d )
e e
a known bound T such that |T ee (0)| ≤ T , and positive

ρa Cpa  (I ) e
constants ρ1e and ξ1e such that |C1e e L 1 | ≤ ρ1e e−ξ1 t for all t, the
A t e +H I (s) d + d 1 |Q a I (t)| (38)
Mz I C v
adaptive threshold is obtained considering (21) under healthy
conditions ( f 1e (t) = 0) and Assumption 1 where H (I )(s) = ρ (I ) /(s + ξ (I ) ), I ∈ {1, . . . , N}, H1e (s) =
ρ1e /(s + ξ1e ), and H2e (s) = ρ2e /(s + ξ2e ) are stable, first-order
e e
εey1 (t) = ρ1e e−ξ1 t T + d 1
e
filters. Note that for any signal z(t), the notation H (s)[z(t)]
t denotes the output of the filter H (s) with z(t) as input, while
 e e
ρ1e e−ξ1 (t −τ ) |L e1 |d 1 +h (τ ) dτ
e
+ (29) s is the Laplace operator.
0
e
where h (t) is computed such that D. Distributed SFDI Decision Logic
e
|h e (T1e (t), Tz (t), Q a (t)) − h e (y1e (t), Tr (t), Q a (t))| ≤ h (t)
This section presents the decision-making process realized
 
ρ C  by the agent Me and its modules Me1 and Me2 , and the agent
Ucc Acc  1 
N N
e  a pa
h (t) =  Q a I (t) −  TI M(I ) , I ∈ {1, . . . , N} for detecting and isolating multiple
 Mcc Cv Mcc Cv  N
I =1 I =1 sensor faults in a distributed manner. The decision logic relies
 N 
ρa Cpa e  

on checking the satisfaction of a set of ARRs [41]–[43]. In this
+ d1  Q a I (t) (30) paper, the ARRs are dynamical constraints, formulated using
Mcc Cv  
I =1 the residuals and adaptive thresholds.
REPPA et al.: DISTRIBUTED ARCHITECTURE FOR HVAC SFDI 1329

1) Sensor Fault Detection: The decision logic implemented TABLE I

in the modules Me1 and Me2 , which are included in the S ENSOR FAULT S IGNATURE M ATRIX F e (F1e = { f 1e },
agent Me , is based on the following ARR: F2e = { f 2e }, AND F3e = { f 1e , f 2e })
 
E ej : εey j (t) − εey j (t) ≤ 0, j = 1, 2 (39)
where εey1 , εey2 and εey1 , εey2 are defined in
(20), (23) and (29), (31), respectively. Under healthy
conditions, the inequality (39) is always true, implying that
the ARRs E1e and E2e are always satisfied. The module Mej TABLE II
(I )
infers the presence of sensor fault f je , j = 1, 2, when E ej S ENSOR FAULT S IGNATURE M ATRIX F (I ) (F1 = { f (I ) },
(I ) (I )
defined in (39) is violated. The decision of the module Mej , F2 = { f 1e }, AND F3 = { f (I ) , f 1e })
j = 1, 2 can be described by the following Boolean function:

e
0, if t < t D e
D j (t) = j
(40)
1, if t ≥ t D je
   
e
tD j
= min t : εey j (t) − εey j (t) > 0 (41)
t
where e
tD is the time instant of detection. When D ej (t) = 1, F2e = { f 2e }, and F3e = { f 1e , f 2e }. The j th theoretical pattern
j
the module Mej , j = 1, 2 detects the sensor fault f je . Note of the matrix F e is defined as F je = [F1ej , F2ej ] , j = 1, 2, 3,
that as long as D ej (t) = 0 either there is no sensor fault where Fqej = 1 if at least one sensor fault of the combination
affecting S e { j } or sensor fault f je has occurred, but has not F ej is involved in the ARR Eqe , and Fqej = 0 otherwise. Based
been detected by the module Mej until the time instant t D e . on the sensor fault signature matrix presented in Table I, all
j
possible sensor fault combinations are isolable by the agent
If D ej (t) = 1, this implies that the sensor fault f je is guaranteed
Me , since there are three distinct theoretical patterns.
to affect S e { j }.
Assuming the occurrence of multiple sensor faults, the
The sensor fault detection decision logic of the agent M(I ) ,
decision of the agent M(I ) is combined with the decision of
I ∈ {1, . . . , N} is based on the following ARR:
 (I )  the agent Me . Specifically, when M(I ) detects the presence
(I )
E (I ) : ε y (t) − ε y (t) ≤ 0, I ∈ {1, . . . , N} (42) of sensor faults (D (I,1) (t) = 1), it requests from Me to
(I ) (I ) transmit its decision D1e on whether the sensor S e {1} is faulty
where ε y and ε y are defined in (26) and (33), respectively. to isolate a sensor fault affecting S (I ) . The reason for the
Under healthy conditions the ARR E (I ) , I ∈ {1, . . . , N} is combinatorial process of the decisions is that the agent M(I )
always satisfied. If E (I ) is violated, then this implies that a uses the measurements of sensor S1e for the generation of the
sensor fault has occurred in either S (I ) or S e {1} or both of residual and adaptive threshold as well as the formulation of
them. The decision of M(I ) on the presence of sensor faults the ARR E (I ) . Hence, the distributed sensor fault isolation is
f (I ) or f 1e is represented by a Boolean function, defined as conducted by comparing the observed pattern of sensor faults,

(I ) defined as D (I ) (t) = [D (I,1) (t), D1e (t)] to the columns of the
(I,1) 0, if t < t D
D (t) = (I ) (43) sensor fault signature matrix F (I ) , I ∈ {1, . . . , N}, presented
1, if t ≥ t D in Table II. The rows of F (I ) correspond to the ARRs E (I )
(I )   )  
tD = min t : ε(I  (I )
y (t) − ε y (t) > 0 (44) and E1e , while the columns correspond the three possible
t (I )
combinations of sensor fault occurrence, i.e., F1 = { f (I ) },
(I )
where tD is the time of detection for agent M(I ) . When F2(I ) = { f 1e }, and F3(I ) = { f (I ) , f 1e }.
(I,1) (t) = 1, the agent M(I ) , I ∈ {1, . . . , N} infers
D The j th column of the matrix F (I ) corresponds to the
that either f 1e or f (I ) or both, have occurred. As long j th theoretical pattern of sensor faults, defined as F j(I ) =
as D (I,1) (t) = 0 either there is no sensor fault in both (I ) (I ) (I )
[F1 j , F2 j ] , j = 1, 2, 3 where: 1) Fq j = 1, if the sensor
S (I ) and S e {1} or sensor faults have occurred, but have not
been detected by the agent M(I ) until the time instant t D .
(I ) fault combination F (Ij
)
contains at least one sensor fault that
If D (I,1) (t) = 1, then it is ensured that at least one of S (I ) can provoke the violation of (or else, is involved in) the ARR
(I )
and S e {1} is faulty. of the qth row, q = 1, 2; 2) Fq j = 0, if none of the sensor
2) Sensor Fault Isolation: In the context of smart buildings, faults of the combination F (I
j
)
are involved in the ARR of
it is important not only to be able to detect the occurrence of (I )
the qth row, q = 1, 2; and 3) Fq j = ∗, if none of the
sensor faults but also to be able to isolate the location of the
fault as soon as possible. The agent Me can isolate multiple sensor faults of the combination F (I )
may affect the sensor
j
sensor faults in the sensor set S e by comparing the observed set S (I ) , but all of them are involved in the ARR of the qth
(I )
pattern of sensor faults, defined as D e (t) = [D1e (t), D2e (t)] to row, q = 1, 2. Particularly, equation F21 = ∗ implies that the
the columns of the sensor fault signature matrix F e , presented sensor fault f 1 can explain why E is violated, but E (I ) may
e (I )

in Table I. The rows of F e correspond to the ARRs E1e be less sensitive to f 1e than f (I ) , so it may be satisfied although
and E2e , while the columns correspond to the three possible f 1e has occurred. This is based on the fact that the effects of the
(I )
combinations of sensor faults that occur in S e , i.e., F1e = { f 1e }, faulty transmitted information y1e on the residual ε y , used in
1330 IEEE TRANSACTIONS ON CONTROL SYSTEMS TECHNOLOGY, VOL. 23, NO. 4, JULY 2015

the formulation of E (I ) , depend on the type of interconnection Me and M(I ) , I ∈ {1, . . . , N}. Specifically, certain condi-
dynamics h (I ) , defined in (12). The sensitivity of ARRs to tions are derived, under which we characterize the class of
sensor faults is analyzed next. sensor faults affecting S e , S (I ) , I ∈ {1, . . . , N} that can be
For isolating multiple sensor faults, the agents detected and isolated. It is important to note that the class
Me and M(I ) check the consistency between the observed of detectable/isolable sensor faults satisfying these conditions
patterns D e (t) and D (I ) (t) and the theoretical patterns is obtained under worst-case assumptions, in the sense that
F e and F (I ) , respectively. As long as D e (t) = [0, 0] and they are valid for any modeling uncertainty and measurement
D (I ) (t) = [0, 0] , no consistency check is realized; otherwise, noise satisfying Assumption 1. It is noted that in practice, the
the result of the consistency test is the determination of the modeling uncertainty and measurement noise may not reach
sensor fault diagnosis set, which contains the diagnosed the limit (worst case) of Assumption 1.
sensor fault combinations. Specifically, the agent Me isolates
sensor faults in the electromechanical part of HVAC based A. Electromechanical Sensor Fault Isolability Conditions
on the diagnosis set Dse (t), defined as
The conditions for guaranteeing the isolation of sensor faults
 
Dse (t) = Fcei : i ∈ ID
e
(t) (45) f 1e and f 2e by the modules Me1 and Me2 , respectively, are
stated in the following Lemma.
where ID e (t) = {i : F e = D e (t), i ∈ {1, 2, 3}}. The decision
i Lemma 4.1: Consider that the sensor faults f 1e and f2e occur
of the agent M(I ) , I ∈ {1, . . . , N}, relies on the diagnosis set at the time instants t ef1 and t ef2 , respectively.
(I )
Ds (t), defined as 1) The occurrence of a fault in the temperature sensor
 (I )  of the cooling coil S e {1} is guaranteed to be isolated
Ds(I ) (t) = Fc(Ii ) : i ∈ ID (t) (46)
under worst-case conditions, if there exists a time instant
(I )
where ID (t) = {i : Fi(I ) = D (I ) (t), i ∈ {1, 2, 3}}. It is noted t ∗ > t ef1 such that the sensor fault f 1e satisfies the
(I ) condition
that F21 = ∗ is consistent to either 0 or 1.  t∗

Remark 3.1: The proposed sensor fault diagnosis methodol-  e ∗ Ae (t ∗ −τ )  e e
 f 1 (t ) − C1e e L 1 L 1 f 1 (τ )
ogy has been developed by applying a dedicated scheme with  e
tf
multiple observers, where each observer of an agent/module ⎡ 1
 N  ⎤⎞
ρa C pa 
is driven by a single sensor (like in Me1 and Me2 ) or a set of Q (τ ) f 1 (τ ) ⎦⎠
e
+ ⎣ Mcc Cv I =1 a I dτ | > 2εey1 (t ∗ ) (47)
one local sensor and one sensor in the neighboring subsystem
(as the observer in M(I ) for all I ). The isolation decision logic 0
relies on the fact that the agents/modules are characterized by: where εey1 (t) is the adaptive threshold, generated by the
1) robustness, i.e., the agents are insensitive to modeling uncer- module Me1 .
tainties and measurement noise under healthy conditions and 2) The occurrence of a fault in the temperature sensor of
2) structural fault sensitivity, implying that the agents/modules the chilled water tank S e {2} is guaranteed to be isolated
are sensitive to subsets of sensor faults. Particularly, the agent under worst-case conditions, if there exists a time instant
M(I ) is designed to be structurally sensitive to sensor faults t ∗ > t ef2 such that the sensor fault f 2e satisfies the
f (I ) and f 1e , while the modules Me1 and Me2 are sensitive condition
to sensor faults f 1e and f 2e , respectively. The residuals are  t∗ 
 
 e ∗ AeL (t ∗ −τ ) e e 
generated using an observer driven by a set of sensors, while  f 2 (t ) − e 2 L 2 f 2 (τ )dτ  > 2εey2 (t ∗ ) (48)
the adaptive thresholds are designed to bound the residual  te 
f2
under healthy conditions. Therefore, when the magnitude of
a residual exceeds the corresponding adaptive threshold, this where εey2 (t) is the adaptive threshold, generated by the
sensor set is isolated as faulty. An alternative decision logic module Me2 .
for isolating sensor faults is to infer that there are faults in Proof: 1) Assume that no fault affects S e {1}, i.e., f 1e = 0;
a specific sensor set, when the magnitudes of all residuals then using (5) and (19), the state estimation error of the module
generated by the observer, which is not driven by this specific Me1 satisfies
t
sensor set, do not exceed the corresponding thresholds [44]. e AeL t e Ae (t −τ )  e  e
This decision logic is applied to a generalized scheme of εT1 (t) = e 1 εT1 (0) + e L1 h T1 (τ ), Tz (τ ), Q a (τ )
multiple observers or an unknown input observer (UIO)  0
−h e T1e (τ ) + d1e (τ ), Tr (τ ), Q a (τ ) − L e1 d1e (τ ) dτ.
scheme [45], [46]. In the case of multiple sensor faults, the
(49)
number of observers in a dedicated scheme may be less than
the number of observers in a generalized or UIO scheme. For t ≥ t ef1 , the residual εey1 is described by
εey1 (t)
IV. HVAC S ENSOR FAULT D ETECTABILITY 
AeL t −t ef  t
AeL (t −τ )
AND I SOLABILITY = C1e e 1 1 εTe 1 t ef1 + d1e (t) + f1e (t) + C1e e 1
t ef
The objective of this section is to analyze the performance  1

of the proposed distributed SFDI methodology with respect × − L e1 d1e (τ ) − L e1 f 1e (τ ) + h e (T1e (τ ), Tz (τ ), Q a (τ ))

to the sensor fault detectability and isolability of the agents − h e (T1e (τ ) + d1e (τ ) + f1e (τ ), Tr (τ ), Q a (τ )) dτ. (50)
REPPA et al.: DISTRIBUTED ARCHITECTURE FOR HVAC SFDI 1331

t AeL (t −τ )
By adding and subtracting the integral t ef C1e e 1 i.e., f 1e = θ1e , and at some time instant t ∗ , the constant sensor
×h e (T1e (τ ) + d1e (τ ), Tr (τ ), Q a (τ ))dτ , and using (49), we
1
fault θ1e satisfies
obtain 2εey1 (t ∗ )
|θ1e | > (58)
εey1 (t) = εey1H (t) + εey1F (t) (51) |w(t ∗ )|
where
where εey1H (t) is equal to the residual under healthy conditions
described by (21), and εey1F (t) describes the effects of sensor w(t) = 1
⎛ ⎡ ⎤⎞
fault f1e on the residual εey1 and is defined as t∗ ρa C pa 
N
t 
e ∗
A (t −τ ) ⎝ (I ) Q a I (τ ) ⎦⎠
 − C1e e L 1 L +⎣ Mcc C v
I =1 dτ
e A L 1 (t −τ )
e
ε y1F (t) =
e
C1 e h e T1e (τ ) + d1e (τ ), Tr (τ ), Q a (τ ) t ef
1 0
t ef
1
 (59)
e

−h T1e (τ ) + d1e (τ ) + f 1e (τ ), Tr (τ ), Q a (τ ) dτ given that w(t ∗ )
= 0, the module Me1is guaranteed to isolate
t sensor fault f 1e . Similarly, if f 2e is constant, i.e., f 2e = θ2e , and
AeL (t −τ ) e e
+ f 1e (t) − C1e e 1 L 1 f 1 (τ )dτ . (52) at some time instant t ∗ , the constant sensor fault θ2e satisfies
t ef
1 2εey2 (t ∗ )
|θ2e | >    (60)
Considering (28) and (51), it yields  e ∗ e !
1 − Le2 1 − e A L 2 t −t f2 
e
 e       
ε (t) ≥ εe (t) − εe (t) ≥ εe (t) − εe (t). (53)  AL
2

y1 y1F y1H y1F y1

If there exists a time instant t ∗ such that the effects of sensor Ae (t ∗ −t e )

given that |1 − (L e2 /AeL 2 )(1 − e L 2 f 2 )| = 0, the module

fault f1e on the residual εey1 satisfy the condition |εey1F (t ∗ )| > M2 is guaranteed to isolate sensor fault f2e .
e
2εey1 (t ∗ ), i.e., satisfy (47), then, based on (53), this implies Considering (58) and (60), we can derive valuable intu-
that |εey1 (t ∗ )| > εey1 (t ∗ ) and the violation of the ARR E1e . Thus, ition for the minimum isolable magnitude of sensor fault θ ej ,
sensor fault f 1e is guaranteed to be isolated by the module Me1 . e
j = 1, 2, with respect to the bound of sensor noise d j , and
2) Assume that no fault affects S e {2}, i.e., f 2e = 0; using the selected design parameters used for the implementation of
(5) and (22), the state estimation error of the module Me2 is the estimator in the module Mej (e.g., L ej ) and the adaptive
t
AeL t e Ae (t −τ ) e e thresholds (ρ ej , ξ ej ).
εT2 (t) = e 2 εT2 (0) −
e
e L2 L 2 d2 (τ )dτ . (54)
0
B. Building Zone Sensor Fault Detectability
For t ≥ t ef2 ,the residual is expressed as εey2 and Isolability Conditions

Ae t −t ef e The conditions for ensuring the detection/isolation of f (I )
εey2 (t) = e L 2 2 ε
T2 t f 2 + d2 (t) + f 2 (t)
e e e
and f 1e by the agent M(I ) , are stated in the following Lemma.
t
Ae (t −τ ) e  e Lemma 4.2: Consider that the sensor faults f 1e and f (I )
− e L2 L 2 f 2 (τ ) + d2e (τ ) dτ . (55) (I )
t ef occur at the time instants t ef1 and t f , respectively.
2
(I )
1) Let t f < t ef1 : the occurrence of a fault in the tem-
By replacing εTe 2 (t ef2 ) using (54), we have
perature sensor of the I th zone S (I ) is guaranteed to
εey2 (t) = εey2H (t) + εey2F (t) (56) be isolated under worst-case conditions, if there exists
a time instant t ∗ ∈ [t (I ) e
f , t f 1 ) such that the sensor fault
where εey2H (t) is equal to the residual under healthy conditions
described by(24), and εey2F (t) describes the effects of sensor f (I ) satisfies the condition
 t∗
fault f2e on the residual εey2 and is defined as  (I ) ∗ (I ) ∗
 f (t ) − e A L (t −τ )
 (I )
tf
t   
εey2F (t) = f 2e (t) −
AeL (t −τ ) e e
L 2 f 2 (τ )dτ . ρa Cpa 
e 2 (57) (I ) (I )
× L f (τ ) − Q a I (τ ) f (τ ) dτ  > 2ε(I
(I ) ) ∗
y (t )
t ef Mz I C v
2

Following the same procedure described in (53), if there exists (61)

a time instant t ∗ such that the effects of sensor fault f 2e on (I )
where ε y (t) is the adaptive threshold, generated by the
the residual εey2 satisfy the condition |εey2F (t ∗ )| > 2εey2 (t ∗ ), agent M(I ) .
i.e., (48) is valid, then it is implied that |εey2 (t ∗ )| > εey2 (t ∗ ) and 2) Let t ef1 < t (I )
f : the occurrence of a fault in the temper-
the ARR E2e is violated. Thus, sensor fault f 2e is guaranteed ature sensor of the cooling coil S e {1} is guaranteed to
to be isolated by the module Me2 . be detected under worst-case conditions, if there exists
In general, (47) and (48) can be regarded as a figure of a time instant t ∗ ∈ [t ef1 , t (I )
f ) such that the sensor fault
merit, characterizing the ability of Me1 and Me2 to capture e
f 1 satisfies the condition
the occurrence of sensor faults f 1e and f 2e , respectively. Based  ∗ 
 t 
 A L (t ∗ −τ ) ρa Cpa 
on these conditions, we can define the minimum magnitude (I )
 e Q a I (τ ) f 1 (τ )dτ  > 2ε(I
e ) ∗
y (t ). (62)
of sensor faults f 1e and f 2e that are isolable by the modules  te Mz I C v 
f1
Me1 and Me2 , respectively. Particularly, if f 1e is constant,
1332 IEEE TRANSACTIONS ON CONTROL SYSTEMS TECHNOLOGY, VOL. 23, NO. 4, JULY 2015

3) The occurrence of faults in the temperature sensors entails that |ε(I ) ∗ (I ) ∗

y (t )| > ε y (t ), leading to the isolation of
S (I ) and S e {1} is guaranteed to be detected under (I
sensor fault f . )

worst-case conditions, if there exists a time instant 2) Part 2 of Lemma 4.2 can be proved in a similar way to
t ∗ ≥ max(t (I ) e
f , t f1 ) such that the sensor fault f
(I ) part 1.
(I ) (I )
satisfies the condition 3) For t ≥ t ef1 > t f , the residual ε y is expressed as

t∗
 (I ) ∗ ρa Cpa ε(I )
(I ) ∗
 f (t ) − e A L (t −τ ) Q a I (τ ) f 1e (τ )dτ y (t)
 e Mz I C v

tf (I ) t (I )
A (t −t ef ) (I ) e (I ) (I ) (t −τ )
  
1

t∗ = e L 1 ε
T (t f 1 ) + d (t) + f (t) + e AL
(I ) ∗ ρa Cpa 
− e A L (t −τ ) (I ) (I )
L f (τ )− Q a I (τ ) f (τ ) dτ 
(I )

t ef
1
(I ) Mz I C v
tf
× η(I ) (τ ) − L (I ) d (I ) (τ ) − L (I ) f (I ) (τ )
> 2ε(I ) ∗
y (t ). (63)
Proof: 1) Assume that no fault affects S (I ) , I ∈ + γ (I ) (Tz I (τ ), Q a I (τ ))
!
{1, . . . , N}, and S e {1}, i.e., f (I ) = f 1e = 0; based on (10) − γ (I ) Tz I (τ ) + d (I ) (τ ) + f (I ) (τ ), Q a I (τ )
and (25), the state estimation error of the agent M(I ) is
(I )
+ h (I ) (T1e (τ ), Q a I (τ )) − h (I ) (T1e (τ ) + d1e (τ )
εT (t) 

t + f 1 (τ ), Q a I (τ )) dτ.
e
(69)
(I ) (I )
= e A L t εT(I ) (0) + e A L (t −τ )
0
 (I )
The term εT (t ef1 ) is determined through the following
× η(I ) (τ ) − L (I ) d (I ) (τ ) + γ (I ) (Tz I (τ ), Q a I (τ )) equation:
(I ) (I )
!
t
+ h (I ) (T1e (τ ), Q a I (τ ))−γ (I ) (Tz I (τ ) + d (I ) (τ ), Q a I (τ )) εT(I ) (t) = e L
A t −t f
εT(I ) (t (I )
) +
(I )
e A L (t −τ )
 f (I )
tf
(I ) e e 
− h (T1 (τ ) + d1 (τ ), Q a I (τ )) dτ. (64)
× η(I ) (τ )− L (I ) d (I ) (τ )− L (I ) f (I ) (τ )
For t ≥ t (I ) (I )
f , the residual ε y is expressed as
+γ (I ) (Tz I (τ ), Q a I (τ )) − γ (I ) (Tz I (τ )
ε(I )
y (t) +d (I ) (τ ) + f (I ) (τ ), Q a I (τ )) + h (I ) (T1e (τ ), Q a I (τ ))
(I ) (I )
!
t 
t −t f (I )
AL (I ) (I )
=e εT (t f ) + d (I ) (t) + f (I ) (t) + e AL (t −τ ) (I )
−h (T1 (τ ) + d1 (τ ), Q a I (τ )) dτ.
e e
(70)
(I )
tf

Using (64) and (70) and after some algebraic manipulation,
× η(I ) (τ ) − L (I ) d (I ) (τ ) − L (I ) f (I ) (τ ) (I )
the effects of sensor faults f (I ) and f 1e for t ≥ t ef1 > t f are
+ γ (I ) (Tz I (τ ), Q a I (τ )) + h (I ) (T1e (τ ), Q a I (τ )) described as

t
(I ) ρa Cpa
− γ (I ) (Tz I (τ ) + d (I ) (τ ) + f (I ) (τ ), Q a I (τ )) ε(I )
(t) = f (I )
(t) − e A L (t −τ ) Q a I (τ ) f 1e (τ )dτ
 y F e
tf M z I C v
− h (I ) (T1e (τ ) + d1e (τ ), Q a I (τ )) dτ.
t  
1
(65) (I ) ρ C
e A L (t −τ ) L (I ) f (I ) (τ ) − Q a I (τ ) f (I ) (τ ) dτ.
a pa
−
(I ) Mz I C v
After some algebraic manipulation and using (64), it yields tf
(71)
ε(I ) (I )
y (t) = ε y H (t) + ε y F (t)
(I )
(66)
If there exists a time instant t ∗ such that the effects of sensor
(I )
where ε y H (t) corresponds to the residual under healthy con- fault f (I ) on the residual ε(I )
y satisfy the condition |ε y F (t )| >
(I ) ∗
(I ) (I )
ditions described by (27), and ε y F (t) describes the effects of 2ε y (t ∗ ), implying that (63) is valid, then, using (68) and (71),
sensor fault f (I ) (I )
on the residual ε y and defined as it is implied that |ε(I ) ∗ (I ) ∗
y (t )| > ε y (t ), leading to the detection

t of sensor faults f (I ) e
and f 1 . Following the same procedure,
(I )
(I ) (I )
ε y F (t) = f (t) − e A L (t −τ )
it can be proved that (63) is also valid for t ≥ t (I )
f > t f1 .
e
(I )
tf Using Lemma 4.2, we may characterize the class of sen-
 
ρa Cpa sor faults f (I ) and f e that are detectable/isolable by the
× L (I ) f (I ) (τ ) − Q a I (τ ) f (I ) (τ ) dτ. (67) agent M(I ) with respect1 to the bounds of modeling uncertainty
Mz I C v
and measurement noise, as well as the selected design para-
Considering (32) and (66), it yields meters used for the implementation of the estimator of M(I )
 (I )   (I )   (I )   (I ) 
ε (t) ≥ ε (t) − ε (t) ≥ ε (t) − ε (t). (I )
(68) (e.g., L (I ) ) and the adaptive thresholds (ρ (I ) , ξ (I ) ). During the
y yF yH yF y
design, we can simulate various types of faults, i.e., various
If there exists a time instant t ∗ such that the effects of sensor fault functions and profiles, which may affect a single sensor,
(I ) (I )
fault f (I ) on the residual ε y satisfy the condition |ε y F (t ∗ )| > and seek the minimum fault magnitude that satisfies the sensor
(I ) ∗
2ε y (t ), implying that (61) is valid, then, using (68), this fault detectability/isolability conditions. This analysis can be
REPPA et al.: DISTRIBUTED ARCHITECTURE FOR HVAC SFDI
performed offline for calibrating the design parameters before
the real-time implementation of the proposed agents.
Comparing (61) with (62), we may infer that sensor fault
f (I ) affects the residual generated by M(I ) in a different way
than sensor fault f 1e in the sense that the effects of f (I ) are
function of f (I ) and its filtered version that depends on L (I ) ,
while the effects of f 1e are the filtered version of f 1e that
depends only on the interconnection function h (I ) [defined
in (12)]. The fact that sensor fault f 1e may affect E (I ) in a
different way than f (I ) is exploited in the design of the sensor
(I )
fault signature matrix F (I ) , I = 1, 2, by differentiating F11
(I )
from F12 . Based on (61) and (62) and assuming constant
sensor faults, we may determine the minimum magnitude of
sensor faults f (I ) and f 1e that are detectable/isolable by the
agent M(I ) in a similar way as in (58) and (60).
For the modules Me1 and Me2 of the agent Me , the
detectability analysis is equivalent to the isolability analysis,
since each module is dedicated to monitor the status of a single
sensor, leading to the sensor fault signature matrix presented
in Table I. Thus, in Lemma 4.1, we characterize the minimum
effects of sensor faults f 1e (t) and f 2e (t) that will be isolable
by the modules Me1 and Me2 , respectively, by provoking the
violation of E1e and E2e , respectively. In the case of the agent
M(I ) , we distinguish the case of a single sensor fault occur-
rence and the occurrence of two sensor faults. In the first case,
we characterize the minimum effects of a local sensor fault
( f (I ) ) or a propagated sensor fault ( f 1e ) that are guaranteed to
provoke the violation of the ARR E (I ) of the agent M(I ) in
conjunction with the sensor fault signature matrix presented
in Table II. In the second case, we characterize the minimum
effects of both local and propagated sensor faults that are
guaranteed to be detectable by the agent M(I ) .
V. S IMULATION R ESULTS
The objective of this section is to illustrate the application
of the proposed distributed SFDI method applied to the
class of HVAC systems described in Section II consisting
of eight zones (N = 8) [23]. The operation of the HVAC
system is simulated based on (5)–(12). The dimensions
of each zone are 3.5 m × 1.75 m × 2 m. The parameters
used for the simulation of  e described by (5)–(9) are:
(Ucc Acc /Mcc Cv ) = 0.02815, (Q w ρw Cpw /Mcc Cv ) = 1.2084,
and ((Q w ρw C pw + Ut At )/Vt ρw C pw ) = 0.0007, and
Two = 5, (Ucc Acc /Mcc Cv ) = 0.02815, (Ut At /Vt ρw Cpw ) =
5.4566×10−4 , (Q w ρw Cpw /Vt ρw Cpw ) = 1.544×10−5 , and
(15000/Vt ρw Cpw ) = 0.006. The function h e is defined using
the parameters (ρa Cpa /Mcc Cv ) = 3.932, (Ucc Acc /Mcc Cv ) =
0.02815, and ((ρa /Mcc Cv )((h fg − Cpa )(wz − wao )) =
0.0005. The parameters used for the simulation of
the subsystem  (I ) I ∈ {1, . . . , 8} given in (10)–
(12) are A(I ) = −0.0006, (ρa Cpa /Mz I Cv ) = 0.1144,
(Uz I A z I /Mz I Cv ) = 0.0006, and Tamb = 35. The modeling
uncertainty η(I ) (t) is simulated as η(I ) (t) = 5%Y (I ) sin(2πνt)
and ν = 10, and the noise of each sensor is uniformly
( j) e detectable by these agents [Fig. 2(c)–(j)]. The distinct effects
distributed and bounded by d = 3%Y ( j ) and d j = 3%Y je ,
j = 1, 2, where Y (I ) and Y je are the steady state values
of y (I ) and y ej , respectively, under healthy conditions,
1333
i.e., controlling the temperatures of each building
zone and the electromechanical part and assuming no
uncertainty, the steady state values are defined when the
temperatures converge to the desired reference signals.
Here, Y1e = 10, Y2e = 4, and Y (I ) = 24 for all I .
Eight feedback linearization controllers [47] were imple-
mented, where each controller is responsible for keeping
the temperature of each zone at 24 °C. A backstepping
controller [48] was applied for maintaining the temperature
of the output air of the cooling coil at 10 °C. It is noted
that every zone temperature controller uses the measurements
of the temperature of the cooling coil, while the controller
of the electromechanical part uses the a priori known set
points of the temperature of the zones, as well as the air flow
rate (control input) of every zone. Based on Section III, we
design nine agents, one for the electromechanical part and
eight for the zones, while the agent of the electromechanical
part consists of two modules. The estimators of the agents
are structured as in (19), (22), and (25) with estimator gains
L (I ) = 3, I ∈ {1, . . . , 8}, L e1 = [4.97, 5.16] , and L e2 = 3.
The adaptive thresholds of the agents, defined in (29), (31),
and (33), are designed using the following parameters: ρ1e = 1,
ξ1e = 4, ρ2e = 1, ξ2e = 3 ρ (I ) = 1, and ξ (I ) = 3.
We have considered two multiple sensor fault scenarios:
in the first scenario, the sensors of the electromechanical
subsystem and zones 3–6 are affected by faults, while in the
second scenario, the sensors in all building zones become
faulty. In all scenarios, the sensor faults are abrupt with time
varying fault functions, i.e., φ1e (t) = 15%Y1e + 0.5sin(0.01t),
φ2e (t) = 15%Y2e + 0.5sin(0.01t) and φ (I ) (t) = 15%Y (I ) +
0.5sin(0.01t), I ∈ {1, . . . , 8}. The time instants of occurrence
of sensor faults are t ef1 = 2000 s, t ef2 = 2500 s, t (1)
f = 3000 s,
(2) (3) (4) (5)
tf = 3500 s, t f = 4000 s, t f = 4500 s, t f = 5000 s,
t (6)
f = 5500 s, t (7)
f = 6000 s, and t (8)
f = 6500 s. Note that the
considered amounts of uncertainty and fault functions were
chosen such that the isolation of sensor faults is guaranteed,
because the goal of this example is to illustrate the proposed
distributed sensor fault isolation decision logic.
The results of the application of the distributed SFDI
method to the HVAC system are shown in Figs. 2–5, with
Figs. 2 and 4 presenting the results for the first sensor
fault scenario, while Figs. 3 and 5 for the second scenario.
Comparing the observed pattern, D e (t) = [D1e (t), D2e (t)] ,
where the temporal evolution of D1e (t) and D2e (t) is shown
in Fig. 2(a) and (b), respectively, to the columns of fault
signature matrix F e shown in Table I, the agent Me isolates
the sensor faults initially in the cooling coil and then in
the chilled water tank, based on the following diagnosis set:
1) Dse (t) = { f 1e }, since D e (t) = F1e for t ∈ [2000, 2500) and
2) Dse (t) = { f 1e , f 2e }, since D e (t) = F3e for t ≥ 2500.
It is noted that the effects of the sensor fault in the
cooling coil on the residuals and thresholds of the eight
agents that monitor the building zones are low and are not
of local sensor fault ( f (I ) ) and propagated sensor fault ( f 1e ),
which are analyzed in Section IV-B, can be observed through
the simulation results presented in Fig. 2(c)–(j). Based on
1334 IEEE TRANSACTIONS ON CONTROL SYSTEMS TECHNOLOGY, VOL. 23, NO. 4, JULY 2015

Fig. 2. Decision-making process of (a) Me1 , (b) Me2 , and (c)–(j) M(I ) , I ∈ {1, . . . , 8} for isolating multiple sensor faults that affect the electromechanical
(I )
subsystem and building zones 3–6 consecutively. The temporal evolution of the magnitude of the residuals (blue line) (a) εey1 , (b) εey2 , and (c)–(j) ε y ,
(I )
I ∈ {1, . . . , 8} and the adaptive thresholds (green line) (a) ε̄ey1 , (b) ε̄ey2 , and (c)–(j) ε̄ y , I ∈ {1, . . . , 8}, as well as the Boolean decision functions (red dashed
line) (a) D1e , (b) D2e , and (c)–(j) D (I,1) , I ∈ {1, . . . , 8} are presented in (a)–(j).

Fig. 3. Decision-making process of (a) Me1 , (b) Me2 , and (c)–(j) M(I ) , I ∈ {1, . . . , 8} for isolating multiple sensor faults that affect all building zones
(I )
consecutively. The temporal evolution of the magnitude of the residuals (blue line) (a) εey1 , (b) εey2 , and (c)–(j) ε y , I ∈ {1, . . . , 8} and the adaptive thresholds
(I )
(green line) (a) ε̄ey1 , (b) ε̄ey2 , and (c)–(j) ε̄ y , I ∈ {1, . . . , 8}, as well as the Boolean decision functions (red dashed line) (a) D1e , (b) D2e , and (c)-(j) D (I,1) ,
I ∈ {1, . . . , 8} are presented in (a)–(j).

Fig. 2(c)–(j), the agents M(1) , M(2) , M(7), and M(8) do
not detect the presence of the faulty temperature sensor in
the cooling coil, although they use its measurements. These
agents do not also detect the occurrence of sensor faults in the
building zones 3–6, but this is due to the fact that every agent
M(I ) is sensitive to faults f (I ) and f1e and not to fault f (Q),
Q
= I .
Each of the agents M(3)–M(6) detects the presence of
sensor faults just after the consecutive occurrence of the
sensor fault in each monitoring building zone, as shown
in Fig. 2(e)–(h). Then, using the decision of Me1 , the
agent M(I ) compares the observed pattern D (I ) (t) =
[D (I,1) (t), D1e (t)] , I ∈ {3, 4, 5, 6}, where the temporal evo-
lution of D1e , D (3,1) , D (4,1) , D (5,1) , and D (6,1) is shown
in Fig. 2(a) and (e)–(h) to the columns of the sensor fault
signature matrix F (I ) shown in Table II. Given that D (I ) (t) =
[1, 1] for all I ∈ {3, 4, 5, 6}, the resultant diagnosis set is
Ds(I ) (t) = {{ f (I ) , f 1e }, f 1e }. Based on this diagnosis outcome,
the agent M(I ) for all I ∈ {3, 4, 5, 6} infers that the sensor
S (I ) in the I th building zone is possibly faulty, because it
cannot conclude if only the sensor fault f 1e has occurred,
possibly provoking the violation of E (I ) or both f1e and
f (I ) have occurred. On the other hand, in the second fault
scenario, where the sensors of all building zones become
faulty, but the temperature sensor of the cooling coil is healthy,
the agent M(I ) not only detects the presence of sensor
REPPA et al.: DISTRIBUTED ARCHITECTURE FOR HVAC SFDI 1335

Fig. 4. Temperature estimation models (magenta dashed line) (a) T̂1e , (b) T̂2e , and (c)–(j) T̂z I , I ∈ {1, . . . , 8} of (a) Me1 , (b) Me2 , and (c)–(j) M(I ) ,
I ∈ {1, . . . , 8} compared with actual temperatures (blue solid line) (a) T1e , (b) T2e , and (c)–(j) Tz I , I ∈ {1, . . . , 8} of the cooling coil, chilled water tank, and
building zones under healthy conditions and consecutive occurrence of sensor faults in the electromechanical subsystem and building zones 3–6.

Fig. 5. Temperature estimation models (magenta dashed line) (a) T̂1e , (b) T̂2e , and (c)–(j) T̂z I , I ∈ {1, . . . , 8} of (a) Me1 , (b) Me2 , and (c)–(j) M(I ) ,
I ∈ {1, . . . , 8} compared with actual temperatures (blue solid line) (a) T1e , (b) T2e , and (c)–(j) Tz I , I ∈ {1, . . . , 8} of the cooling coil, chilled water tank, and
building zones under healthy conditions and consecutive occurrence of sensor faults in all building zones.

faults but also isolates the sensor fault in the I th building
zone. This is realized in conjunction with the decision of
the module Me1 [Fig. 2(a)]. In other words, all monitoring
agents M(1) –M(8) can isolate in a distributed manner the
consecutive occurrence of multiple sensor faults in all zones
[Fig. 3(c)–(j)]. Particularly, when the agent M(I ) detects sen-
sor faults, the observed pattern is equal to the D (I ) (t) =
[1, 0] , which is consistent with the first column of the sensor
fault signature matrix F (I ) shown in Table II, leading to the
diagnosis set Ds(I ) (t) = { f (I ) }. By comparing the simulation
results shown in Fig. 3(c)–(j) with the simulation results in
Fig. 2(c)–(j), it can be stated that the effects of the propagated
sensor fault f 1e on the residuals and adaptive thresholds of
M(1)–M(8) are much lower than the effects of the local sensor
faults. Therefore, in the first sensor fault scenario, we may
infer that the occurrence of the local fault f (I ) is more likely
to have provoked the violation of E (I ) , I ∈ {3, 4, 5, 6}, than
the single occurrence of the propagated sensor fault f 1e , and
characterize the sensor S (I ) as faulty for all I ∈ {3, 4, 5, 6} .
The effects of sensor faults on the actual temperature
of the cooling coil, chilled water tank, and all building
zones, as well as the temperature estimations derived by
the modules Me1 and Me2 and agent M(I ) , I ∈ {1, . . . , 8}
can be observed in Figs. 4 and 5. According to Fig. 4(a),
when the temperature sensor of the cooling coil becomes
faulty, the backstepping controller perceives the positive
fault variation in the sensor output as an increase in the
temperature and generates chilled water flow rate aiming
at decreasing the actual temperature of the cooling coil.
In addition, due to this sensor fault, the estimation of the
1336 IEEE TRANSACTIONS ON CONTROL SYSTEMS TECHNOLOGY, VOL. 23, NO. 4, JULY 2015
temperature in the cooling coil is faulty, i.e., different from
the actual temperature. When the temperature sensor of the
water tank becomes also faulty, based on Fig. 4(a) and (b),
the actual temperature in the chilled water tank is less
influenced compared with the actual temperature of the
cooling coil, while its estimation deviates from the actual
temperature less than the estimation of the temperature in the
cooling coil. The occurrence of the sensor faults in the cooling
coil and the chilled water tank is not observable in the actual
temperature of the zones and their estimations provided by the
agents M(1) –M(8). As expected, the actual temperature of
the building zones and their estimations are directly affected
by faults in their temperature sensors [Figs. 4(e)–(h) and 5(c)–
(j)]. Particularly, due to the positive variation in the output
of the sensor in the I th zone I ∈ {1, . . . , 8}, the feedback
linearization controller generates air flow rate (control input)
aiming at decreasing the temperature in the I th zone. In
addition, in the second scenario, it can be observed that the
actual temperatures of the cooling coil and chilled water tank
are not affected considerably by the occurrence of multiple
sensor faults in all building zones [Fig. 5(a) and (b)]. By
comparing the simulation results shown in Fig. 5(c)–(j) with
the simulation results in Fig. 4(c)–(j), we can observe that the
effects of the propagated sensor fault f 1e on the actual temper-
ature of all zones and the estimated temperature provided by
M(1)–M(8) are much lower than the effects of the local sensor
faults.
VI. C ONCLUSION
In this paper, we presented a model-based distributed archi-
tecture for multiple sensor fault detection and isolation (SFDI)
in a multizone HVAC system. The HVAC system was modeled
as a set of interconnected subsystems. For each subsystem,
we designed a local sensor fault diagnosis (LSFD) agent,
where every agent was dedicated to each of the interconnected
subsystems. The distributed isolation of multiple sensor faults
was conducted by combining the decisions of the LSFD
agents and applying a reasoning-based decision logic. The
performance of the proposed methodology was analyzed with
respect to sensor fault detectability and multiple sensor fault
isolability, characterizing the class of detectable and isolable
sensor faults. The proposed SFDI technique may contribute
to the reduction of energy consumption in large-scale build-
ings, as well as provide a procedure for the condition-base
maintenance, thus reducing unnecessary maintenance work.
Moreover, the distributed deployment of the LSFD agents
enhances the reliability with respect to security threats, while it
is scalable for handling additional building zones in large-scale
buildings. Simulation results illustrated the effectiveness of the
proposed distributed SFDI methodology in isolating multiple
sensor faults in an eight-zone HVAC system.
Future research work will involve the integration of the
proposed distributed methodology with other techniques for
diagnosing both sensor and actuator faults in the HVAC
system, aiming at resolving the problem of multiple sensor and
actuator fault isolation, as well as the propagation of the sensor
and actuator fault effects. The proposed methodology offers a
framework for incorporating additional agents designed to be
robust and structurally sensitive to subsets of actuator faults
or some combinations of both sensor and actuator faults.
R EFERENCES
[1] P. J. Antsaklis et al., “Control of cyberphysical systems using passivity
and dissipativity based methods,” Eur. J. Control, vol. 19, no. 5, pp. 379–
388, 2013.
[2] K. W.-J. Wong, “Development of selection evaluation and system intelli-
gence analytic models for the intelligent building control systems,” Ph.D.
dissertation, Dept. Building and Real Estate, Hong Kong Polytechnic
Univ., Hong Kong, 2007.
[3] J. E. Braun, “Intelligent building systems—Past, present, and future,” in
Proc. Amer. Control Conf., Jul. 2007, pp. 4374–4381.
[4] R. Isermann, Fault-Diagnosis Systems: An Introduction From Fault
Detection to Fault Tolerance. New York, NY, USA: Springer-Verlag,
2006.
[5] J. Chen and R. Patton, Robust Model-Based Fault Diagnosis for Dynamic
Systems. Norwell, MA, USA: Kluwer, 1999.
[6] J. Schein, S. T. Bushby, N. S. Castro, and J. M. House, “A rule-based
fault detection method for air handling units,” Energy Buildings, vol. 38,
no. 12, pp. 1485–1492, 2006.
[7] B. T. Thumati et al., “An online model-based fault diagnosis scheme
for HVAC systems,” in Proc. IEEE Int. Conf. Control Appl. (CCA),
Sep. 2011, pp. 70–75.
[8] J. Liang and R. Du, “Model-based fault detection and diagnosis of HVAC
systems using support vector machine method,” Int. J. Refrig., vol. 30,
no. 6, pp. 1104–1114, 2007.
[9] D. A. Veronica, “Detecting cooling coil fouling automatically—Part 2:
Results using a multilayer perceptron,” HVAC&R Res., vol. 16, no. 5,
pp. 599–615, 2010.
[10] J. Hyvärinen and S. Kärki, Building Optimization and Fault Diagnosis
Source Book. Espoo, Finland: VTT Tech. Res. Centre Finland, 1996.
[11] E. Miller-Hooks and T. Krauthammer, “An intelligent evacuation, rescue
and recovery concept,” Fire Technol., vol. 43, no. 2, pp. 107–122, 2007.
[12] J. S. Zhang et al., “Intelligent control of building environmental systems
for optimal evacuation planning,” in Proc. Int. Conf. Indoor Air Quality
Problems Eng. Solutions, 2003, pp. 1–20.
[13] B. Fan, Z. Du, X. Jin, X. Yang, and Y. Guo, “A hybrid FDD strat-
egy for local system of AHU based on artificial neural network and
wavelet analysis,” Building Environ., vol. 45, no. 12, pp. 2698–2708,
2010.
[14] X. Xu, F. Xiao, and S. Wang, “Enhanced chiller sensor fault detection,
diagnosis and estimation using wavelet analysis and principal component
analysis methods,” Appl. Thermal Eng., vol. 28, nos. 2–3, pp. 226–237,
2008.
[15] Z. Du and X. Jin, “Detection and diagnosis for sensor fault in HVAC
systems,” Energy Convers. Manage., vol. 48, no. 3, pp. 693–702, 2007.
[16] S. M. Namburu, M. S. Azam, J. Luo, K. Choi, and K. R. Pattipati,
“Data-driven modeling, fault diagnosis and optimal sensor selection
for HVAC chillers,” IEEE Trans. Autom. Sci. Eng., vol. 4, no. 3,
pp. 469–473, Jul. 2007.
[17] S. Wang and J. Qin, “Sensor fault detection and validation of VAV ter-
minals in air conditioning systems,” Energy Convers. Manage., vol. 46,
nos. 15–16, pp. 2482–2500, 2005.
[18] S. Wang, Q. Zhou, and F. Xiao, “A system-level fault detection and
diagnosis strategy for HVAC systems involving sensor faults,” Energy
Buildings, vol. 42, no. 4, pp. 477–490, 2010.
[19] S. Katipamula and M. R. Brambley, “Methods for fault detection,
diagnostics, and prognostics for building systems—A review, part I,”
HVAC&R Res., vol. 11, no. 1, pp. 3–25, 2005.
[20] M.-L. Chiang and L.-C. Fu, “Hybrid system based adaptive control for
the nonlinear HVAC system,” in Proc. Amer. Control Conf., Jun. 2006,
pp. 5324–5329.
[21] M. Zaheer-Uddin, R. V. Patel, and S. A. K. Al-Assadi, “Design of decen-
tralized robust controllers for multizone space heating systems,” IEEE
Trans. Control Syst. Technol., vol. 1, no. 4, pp. 246–261, Dec. 1993.
[22] M. Zaheer-Uddin, “Temperature control of multizone indoor spaces
based on forecast and actual loads,” Building Environ., vol. 29, no. 4,
pp. 485–493, 1994.
[23] A. Thosar, A. Patra, and S. Bhattacharyya, “Feedback linearization based
control of a variable air volume air conditioning system for cooling
applications,” ISA Trans., vol. 47, no. 3, pp. 339–349, 2008.
[24] W.-Y. Lee, J. M. House, and N.-H. Kyong, “Subsystem level fault
diagnosis of a building’s air-handling unit using general regression
neural networks,” Appl. Energy, vol. 77, no. 2, pp. 153–170, 2004.
[25] S. Wang and J.-B. Wang, “Law-based sensor fault diagnosis and valida-
tion for building air-conditioning systems,” HVAC&R Res., vol. 5, no. 4,
pp. 353–380, 1999.
REPPA et al.: DISTRIBUTED ARCHITECTURE FOR HVAC SFDI
[26] S. Wang and J.-B. Wang, “Robust sensor fault diagnosis and valida-
tion in HVAC systems,” Trans. Inst. Meas. Control, vol. 24, no. 3,
pp. 231–262, 2002.
[27] R. F. Escobar, C. M. Astorga-Zaragoza, A. C. Téllez-Anguiano,
D. Juárez-Romero, J. A. Hernández, and G. V. Guerrero-Ramírez,
“Sensor fault detection and isolation via high-gain observers: Appli-
cation to a double-pipe heat exchanger,” ISA Trans., vol. 50, no. 3,
pp. 480–486, 2011.
[28] X.-G. Yan and C. Edwards, “Robust decentralized actuator fault detec-
tion and estimation for large-scale systems using a sliding mode
observer,” Int. J. Control, vol. 81, no. 4, pp. 591–606, 2008.
[29] J. Weimer, J. Araujo, M. Amoozadeh, S. Ahmadi, H. Sandberg, and
K. H. Johansson, “Parameter-invariant actuator fault diagnostics in
cyber-physical systems with application to building automation,” in
Control of Cyber-Physical Systems (Lecture Notes in Control and Infor-
mation Sciences), vol. 449. Berlin, Germany: Springer-Verlag, 2013,
pp. 179–196.
[30] R. M. G. Ferrari, T. Parisini, and M. M. Polycarpou, “Distributed fault
detection and isolation of large-scale discrete-time nonlinear systems: An
adaptive approximation approach,” IEEE Trans. Autom. Control, vol. 57,
no. 2, pp. 275–290, Feb. 2012.
[31] C. Keliris, M. M. Polycarpou, and T. Parisini, “A distributed fault
detection filtering approach for a class of interconnected continuous-
time nonlinear systems,” IEEE Trans. Autom. Control, vol. 58, no. 8,
pp. 2032–2047, Aug. 2013.
[32] Q. Zhang and X. Zhang, “Distributed sensor fault diagnosis in a class of
interconnected nonlinear uncertain systems,” Annu. Rev. Control, vol. 37,
no. 1, pp. 170–179, 2013.
[33] V. Reppa, M. M. Polycarpou, and C. G. Panayiotou, “Multiple sensor
fault detection and isolation for large-scale interconnected nonlinear
systems,” in Proc. Eur. Control Conf., Zurich, Switzerland, Jul. 2013,
pp. 1952–1957.
[34] V. Reppa, M. M. Polycarpou, and C. G. Panayiotou, “A distributed detec-
tion and isolation scheme for multiple sensor faults in interconnected
nonlinear systems,” in Proc. IEEE 52nd Conf. Decision Control (CDC),
Florence, Italy, Dec. 2013, pp. 4991–4996.
[35] V. Reppa, P. Papadopoulos, M. M. Polycarpou, and C. G. Panayiotou,
“Distributed detection and isolation of sensor faults in HVAC sys-
tems,” in Proc. 21st Medit. Conf. Control Autom. (MED), Jun. 2013,
pp. 401–406.
[36] A. Talukdar and A. Patra, “Dynamic model-based fault tolerant control
of variable air volume air conditioning system,” HVAC&R Res., vol. 16,
no. 2, pp. 233–254, 2010.
[37] M. Polycarpou and A. Trunov, “Learning approach to nonlinear fault
diagnosis: Detectability analysis,” IEEE Trans. Autom. Control, vol. 45,
no. 4, pp. 806–812, Apr. 2000.
[38] V. Reppa, M. M. Polycarpou, and C. Panayiotou, “Distributed sensor
fault detection and isolation for nonlinear uncertain systems,” in Proc.
8th IFAC SAFEPROCESS, Mexico City, Mexico, 2012, pp. 1077–1082.
[39] W. Chen and J. Li, “Decentralized output-feedback neural control
for systems with unknown interconnections,” IEEE Trans. Syst., Man,
Cybern. B, Cybern., vol. 38, no. 1, pp. 258–266, Feb. 2008.
[40] P. M. Frank, “Handling modelling uncertainty in fault detection and
isolation systems,” J. Control Eng. Appl. Informat., vol. 4, no. 4,
pp. 29–46, 2002.
[41] M. Blanke, M. Kinnaert, J. Lunze, and M. Staroswiecki, Diagnosis and
Fault-Tolerant Control. New York, NY, USA: Springer-Verlag, 2003.
[42] M.-Q. Cordier, P. Dague, F. Lévy, J. Montmain, M. Staroswiecki, and
L. Travé-Massuyès, “Conflicts versus analytical redundancy relations: A
comparative analysis of the model based diagnosis approach from the
artificial intelligence and automatic control perspectives,” IEEE Trans.
Syst., Man, Cybern. B, Cybern., vol. 34, no. 5, pp. 2163–2177, Oct. 2004.
[43] V. Puig, A. Stancu, and J. Quevedo, “Robust fault isolation using non-
linear interval observers: The DAMADICS benchmark case study,” in
Proc. 16th IFAC World Congr., 2005, pp. 1850–1855.
[44] M. Du, J. Scott, and P. Mhaskar, “Actuator and sensor fault isolation
of nonlinear process systems,” Chem. Eng. Sci., vol. 104, pp. 294–303,
Dec. 2013.
[45] S. Klinkhieo, R. J. Patton, and C. Kambhampati, “Robust FDI for FTC
coordination in a distributed network system,” in Proc. 16th IFAC World
Congr., Seoul, Korea, 2008, pp. 13551–13556.
[46] I. Samy, I. Postlethwaite, and D.-W. Gu, “Survey and application of
sensor fault detection and isolation schemes,” Control Eng. Pract.,
vol. 19, no. 7, pp. 658–674, 2011.
[47] H. K. Khalil, Nonlinear Systems. Englewood Cliffs, NJ, USA: Prentice-
Hall, 2002.
[48] J. A. Farrell and M. M. Polycarpou, Adaptive Approximation Based
Control. New York, NY, USA: Wiley, 2006.
1337
Vasso Reppa (M’12) received the Diploma and
Ph.D. degrees in electrical and computer engineering
from the University of Patras, Patras, Greece, in
2004 and 2010, respectively.
She was an External Scientific Collaborator with
Patras Scientific Park S.A., Patras, from 2006 to
2008. She was a Student Intern with the Depart-
ment of Storage Technologies, IBM Zurich Research
Laboratory, Rüschlikon, Switzerland, in 2009. From
2011 to 2013, she was a Post-Doctoral Researcher
with the KIOS Research Center for Intelligent
Systems and Networks, University of Cyprus, Nicosia, Cyprus. She was
a Researcher in various Hellenic and European research and operational
programs. She is currently a Post-Doctoral Researcher with the Department
of Automatic Control, Supélec, Gif-sur-Yvette, France. Her current research
interests include fault diagnosis, fault-tolerant control, adaptive learning, and
set-membership identification, with applications to microelectromechanical
systems and large-scale engineering systems.
Dr. Reppa was a recipient of the Marie Curie Intra European Fellowship in
2014.
Panayiotis Papadopoulos (S’13) received the
B.Sc. and M.Sc. degrees from the University of
Cyprus, Nicosia, Cyprus, in 2012 and 2014, respec-
tively, where he is currently pursuing the Ph.D.
degree, all in electrical engineering.
His current research interests include fault
diagnosis for distributed nonlinear systems, nonlin-
ear control theory, intelligent systems, and adaptive
fault-tolerant control in HVAC Systems
Marios M. Polycarpou (F’06) is currently a
Professor of Electrical and Computer Engineering
and the Director of the KIOS Research Center
for Intelligent Systems and Networks, University
of Cyprus, Nicosia, Cyprus. He has authored over
250 articles in refereed journals, edited books, and
refereed conference proceedings, and co-authored
six books. He holds six patents. His current research
and teaching interests include intelligent systems
and control, fault diagnosis, adaptive and coopera-
tive control systems, computational intelligence, and
distributed agents.
Prof. Polycarpou was a recipient of the Prestigious European Research
Council Advanced Grant in 2011. He served as the President of the IEEE
Computational Intelligence Society from 2012 to 2013 and the Editor-in-
Chief of the IEEE T RANSACTIONS ON N EURAL N ETWORKS AND L EARNING
S YSTEMS from 2004 to 2010. He participated in 60 research projects/grants,
funded by several agencies and industry in Europe and the U.S.
Christos G. Panayiotou (SM’06) received the
B.Sc. and Ph.D. degrees in electrical and computer
engineering from the University of Massachusetts,
Amherst, MA, USA, in 1994 and 1999, respectively.
He was a Research Associate with the Center for
Information and System Engineering, Department
of Manufacturing Engineering, Boston University,
Boston, MA, USA, from 1999 to 2002. He was with
the Department of Electrical and Computer Engi-
neering, University of Cyprus, Nicosia, Cyprus, from
2002 to 2003, where he is currently an Associate
Professor and a Founding Member of the KIOS Research Center on Intelligent
Systems and Networks. His current research interests include wireless, ad
hoc, and sensor networks, distributed control systems, fault diagnosis and
fault-tolerant systems, computer communication networks, optimization and
control of discrete-event systems, resource allocation, and simulation.
Prof. Panayiotou is an Associate Editor of the Conference Editorial Board
of the IEEE Control Systems Society, the Discrete-Event Dynamical Systems
journal, and the European Journal of Control.