Main Content

Model Fault-Tolerant Fuel Control System

This example shows how to combine Stateflow® with Simulink® to model hybrid systems. This type of modeling is particularly useful for systems that have numerous possible operational modes based on discrete events. Traditional signal flow is handled in Simulink while changes in control configuration are implemented in Stateflow. The model described in this example represents a fuel control system for a gasoline engine. The system is robust in that individual sensor failures are detected and the control system is dynamically reconfigured for uninterrupted operation.

Analysis and Physics

Physical and empirical relationships form the basis for the throttle and intake manifold dynamics of this model. The air-fuel ratio is computed by dividing the air mass flow rate pumped from the intake manifold by the fuel mass flow rate injected at the valves. The stoichiometric mixture ratio provides a good compromise between power, fuel economy, and emissions. The target air-fuel ratio for this system is 14.6. Typically, a sensor determines the amount of residual oxygen present in the exhaust gas (EGO). This gives a good indication of the mixture ratio and provides a feedback measurement for closed-loop control. If the sensor indicates a high oxygen level, the control law increases the fuel rate. When the sensor detects a fuel-rich mixture, the controller decreases the fuel rate.


Open the model. To run the simulation, in the Simulink Toolstrip, on the Simulation tab, click Run.

The model uses a callback function to load the data required for the simulation into the model workspace from sldemo_fuelsys_data.m. Loading initial conditions into the model workspace keeps simulation data isolated from data in other models that you may have open and helps avoid MATLAB workspace cluttering. To view the contents of the model workspace, in the Simulink Editor, on the Modeling tab, in the Design section, expand the gallery and select Model Explorer. In the Model Explorer window, in the Model Hierarchy list on the left, expand sldemo_fuelsys and select Model Workspace. For more information about how to use callbacks to load simulation data, see Automatically Initialize Variables and Load Data.

The model logs relevant data to MATLAB workspace in a data structure called sldemo_fuelsys_output and streams the data to the Simulation Data Inspector. Logged signals are marked with a blue badge. To learn more about data logging, see Save Signal Data Using Signal Logging.

Note that units are visible on the model and subsystem icons and signal lines. Units are specified on the ports and on the bus object.

The Dashboard subsystem allows you to interact with the model during simulation. The Fault Injection switches can be moved from the Normal to Fail position to simulate sensor failures, while the Engine Speed selector switch can be toggled to change the engine speed.The fuel and air/fuel ratio signals are visualized using gauges and scopes. The blocks in the Dashboard subsystem are from the Dashboard library. To learn about dashboard blocks, see Control Simulations with Interactive Displays.

The fuel_rate_control uses signals from the system's sensors to determine the fuel rate which gives a stoichiometric mixture. The fuel rate combines with the actual air flow in the engine gas dynamics model to determine the resulting mixture ratio as sensed at the exhaust.

You can simulate the failure of each of the four sensors (throttle angle, speed, EGO and manifold absolute pressure [MAP]) by switching off the corresponding slider switch in the dashboard subsystem. To access the switches, double-click the subsystem block named Dashboard. To flip a switch, click where you want the handle of the switch to move. If you stop the simulation, select the Slider Switch block, then click where you want the handle to move. Each slider switch connects to the value parameter of a Constant block. When you switch off the slider switch, you change the value of the Constant block.

Similarly, you can induce the failure condition of a high engine speed by toggling the engine speed switch on the dashboard subsystem. A Repeating Table block provides the throttle angle input and periodically repeats the sequence of data specified in the mask.

The fuel_rate_control subsystem uses the sensor input and feedback signals to adjust the fuel rate to give a stoichiometric ratio. The model uses three subsystems to implement this strategy: one for control logic, one for airflow calculation, and one for fuel calculation. Under normal operation, the model estimates the airflow rate and multiplies the estimate by the reciprocal of the desired ratio to give the fuel rate. Feedback from the oxygen sensor provides a closed-loop adjustment of the rate estimation in order to maintain the ideal mixture ratio.

Control Logic

A single Stateflow chart, consisting of a set of six parallel states, implements the control logic in its entirety. The four parallel states shown at the top of the chart correspond to the four individual sensors. The remaining two parallel states at the bottom consider the status of the four sensors simultaneously and determine the overall system operating mode. The model synchronously calls the entire Stateflow diagram at a regular sample time interval of 0.01 sec. This permits the conditions for transitions to the correct mode to be tested on a timely basis.

If you enable animation in the Stateflow debugger, the state transitions are highlighted in the Stateflow diagram as the various states are activated. The sequence of activation is indicated by changing colors. This closely coupled synergy between Stateflow and Simulink fosters the modeling and development of complete control systems.

To open the control_logic Stateflow chart, double-click on it in the fuel_rate_control subsystem.

When execution begins, all of the states start in their normal mode with the exception of the oxygen sensor (EGO). The O2_warmup state is entered initially until the warmup period is complete. The system detects throttle and pressure sensor failures when their measured values fall outside their nominal ranges. A manifold vacuum in the absence of a speed signal indicates a speed sensor failure. The oxygen sensor also has a nominal range for failure conditions but, because zero is both the minimum signal level and the bottom of the range, failure can be detected only when it exceeds the upper limit.

Regardless of which sensor fails, the model always generates the directed event broadcast Fail.INC. In this way the triggering of the universal sensor failure logic is independent of the sensor. The model also uses a corresponding sensor recovery event, Fail.DEC. The Fail state keeps track of the number of failed sensors. The counter increments on each Fail.INC event and decrements on each Fail.DEC event. The model uses a superstate, Multi, to group all cases where more than one sensor has failed.

The bottom parallel state represents the fueling mode of the engine. If a single sensor fails, operation continues but the air/fuel mixture is richer to allow smoother running at the cost of higher emissions. If more than one sensor has failed, the engine shuts down as a safety measure, since the air/fuel ratio cannot be controlled reliably.

During the oxygen sensor warm-up, the model maintains the mixture at normal levels. You can change the design by moving the warm-up state to within the Rich_Mixture superstate. If a sensor failure occurs during the warm-up period, the Single_Failure state is entered after the warm-up time elapses. Otherwise, the Normal state is activated at this time.

A protective overspeed feature has been added to the model by creating a new state in the Fuel_Disabled superstate. Through the use of history junctions, the model ensures that the chart returns to the appropriate state when the model exits the overspeed state. With this approach, you could add additional shutdown states to the Fuel_Disabled superstate if additional safety requirements for the engine were to be specified.

Sensor Correction

When a sensor fails, the model computes an estimate of the sensor. For example, open the pressure sensor calculation. Under normal sensor operation, the model uses the value of the pressure sensor. Otherwise, the model estimates the value.

The model computes an estimate of manifold pressure as a function of the engine speed and throttle position. To compute the value, the model uses a Simulink function in Stateflow.

Airflow Calculation

The subsystem named airflow_calc is the location for the central control laws. This block is found inside the fuel_rate_control subsystem (open this block). The subsystem estimates the intake air flow to determine the fuel rate which gives the appropriate air/fuel ratio. Closed-loop control adjusts the estimation according to the residual oxygen feedback in order to maintain the mixture ratio precisely. Even when a sensor failure mandates open-loop operation, the most recent closed-loop adjustment is retained to best meet the control objectives.

Equation 1

The engine's intake air flow can be formulated as the product of the engine speed, the manifold pressure and a time-varying scale factor.

$$q=\frac{N}{4\pi}V_{cd}\nu \frac{P_m}{RT} = C_{pump}(N,P_m) N P_m =
\mbox{ intake mass flow}$$

$$N = \mbox{ engine angular speed (Rad/sec)}$$

$$V_{cd} = \mbox{ engine cylinder displacement volume}$$

$$\nu = \mbox{ volumetric efficiency}$$

$$P_m = \mbox{ manifold pressure}$$

$$R, T =\mbox{ specific gas constant, gas temperature}$$

Cpump is computed by a lookup table and multiplied by the speed and pressure to form the initial flow estimate. During transients, the throttle rate, with the derivative approximated by a high-pass filter, corrects the air flow for filling dynamics. The control algorithm provides additional correction according to Equation 2.

Equation 2

$$e_0 = 0.5 \mbox{ for } EGO\le 0.5$$

$$e_0 = -0.5 \mbox{ for } EGO > 0.5$$

$$e_1 = K_i (N,P_m) e_0 \mbox{ for } EGO\le 0.5$$

$$\dot{e_2} = e_1 \mbox{ for LOW mode with valid EGO signal} $$

$$\dot{e_2} = 0 \mbox{ for RICH, DISABLE or EGO warmup} $$

$$ e_0, e_1, e_2 = \mbox{ intermediate error signals}$$

The nonlinear oxygen sensor is modeled using the MATLAB® Function block named EGO Sensor. To view the block, from the top level of the model, enter the subsystem named Engine Gas Dynamics. Then, enter the subsystem named Mixing & Combustion.

The EGO Sensor is modeled as a hyperbolic tangent function, and it provides a meaningful signal when in the vicinity of 0.5 volt. The raw error in the feedback loop is thus detected with a switching threshold, as indicated in Equation 2. If the air-fuel ratio is low (the mixture is lean), the original air estimate is too small and needs to be increased. Conversely, when the oxygen sensor output is high, the air estimate is too large and needs to be decreased. Integral control is utilized so that the correction term achieves a level that brings about zero steady-state error in the mixture ratio.

The normal closed-loop operation mode, LOW, adjusts the integrator dynamically to minimize the error. The integration is performed in discrete time, with updates every 10 milliseconds. When operating open-loop however, in the RICH or O2 failure modes, the feedback error is ignored and the integrator is held. This gives the best correction based on the most recent valid feedback.

Fuel Calculation

The subsystem named fuel_rate_control contains a subystem named fuel_calc. The fuel_calc subsystem sets the injector signal to match the given airflow calculation and fault status. The first input to the subsystem is the computed airflow estimation. This is multiplied with the target fuel/air ratio to get the commanded fuel rate. Normally the target is stoichiometric, i.e. equals the optimal air to fuel ratio of 14.6. When a sensor fault occurs, the Stateflow control logic sets the mode input to a value of 2 or 3 (RICH or DISABLED) so that the mixture is either slightly rich of stoichiometric or is shut down completely.

The subsystem named fuel_calc employs adjustable compensation in order to achieve different purposes in different modes. In normal operation, phase lead compensation of the feedback correction signal adds to the closed-loop stability margin. In RICH mode and during EGO sensor failure (open loop), however, the composite fuel signal is low-pass filtered to attenuate noise introduced in the estimation process. The end result is a signal representing the fuel flow rate which, in an actual system, would be translated to injector pulse times.

Results and Conclusions

The simulation is run with a throttle input that ramps from 10 to 20 degrees over a period of two seconds, then goes back to 10 degrees over the next two seconds. This cycle repeats continuously while the engine is held at a constant speed so that the user can experiment with different fault conditions and failure modes.

Click on a sensor fault switch in the dashboard subsystem to simulate the failure of the associated sensor. Repeat this operation to slide the switch back for normal operation.

Now run the simulation with different sensors turned off. Plot the fuel flow rate and air fuel ratio for these scenarios:

  • All sensors function properly

  • Throttle sensor failed

  • Speed sensor failed

  • EGO sensor failed

  • MAP sensor failed

Examine the fuel flow rate plots. In the baseline case, the fuel rate is regulated tightly, exhibiting a small ripple due to the switching nature of the EGO sensor's input circuitry. In the other four cases the system operates open loop. The control strategy is proven effective in maintaining the correct fuel profile in the single-failure mode. In each of the fault conditions, the fuel rate is essentially 125% of the baseline flow, fulfilling the design objective of 80% rich.

In each case note the nonlinear relationship between fuel flow and the triangular throttle command.

Now, examine the air/fuel ratio plots. The baseline plot shows the effects of closed-loop operation. The mixture ratio is regulated very tightly to the stoichiometric objective of 14.6. The rich mixture ratio is shown in the bottom four plots. Although they are not tightly regulated, as in the closed-loop case, they approximate the objective of air/fuel: 0.8*14.6=11.7.

Examine the transient behavior of the system. With a constant 12 degree throttle angle and the system in steady-state, a throttle failure is introduced at t = 2 and corrected at t = 5. At the onset of the failure, the fuel rate increases immediately. The effects are seen at the exhaust as the rich ratio propagates through the system. The steady-state condition is then quickly recovered when closed-loop operation is restored.

Related Topics