This content was uploaded by our users and we assume good faith they have the permission to share this book. If you own the copyright to this book and it is wrongfully on our website, we offer a simple DMCA procedure to remove your content from our site. Start by pressing the button below!
I it holds:
&
..... i ¸¸...........
! ............
...........
......
~RPIn ~1.
Fig. 2. The terminal constraint set Z r
P)@Y2( Wlk p.k 1] ), V k c g>p,
07k
for all w[k 1] C {~U }k and all w[~ p,k 1] C {~U }P, respectively. The functions/31 C ~ S , )'1 C JU and 132 c ~S, Y2 c ~ are obtained as in (3) for some constants t~,_0 c [0, 1) and some ~ - f u n c t i o n s ~'1 (_s_)_Aas, ~'2(s) zx bsand cq(s) ZXas, cz2(s) zx bs, witha, b,a,b > 0, respectively. Then, for all k c Z>p and all p c Z>I it follows that
07k < j~2(/~1( 070 ,p) q-)'l( W[p 11 ),k + }'2( w[~-p,k-1] )
p)
lO
8
D
2
0
2
a
0
N
+y2( w[~ p,~ ~] )
Fig. 3. The feasible set ~ f ( 1 ) U •RPI: Z f(1) - light grey; a part of ZRn - dark grey.
+y2( w[~ ~i )
p)
(3) o~_1(2p ~ PO~2(Z~ll(Z~p~2(s)))
dual-mode MPC control law one has to compute the terminal set Z r . The MPT (Kvasnica et al., 2004) was employed in order to calculate the maximal RPI set ZRPI contained in Zu. We choose/~ - 0.1 and N -- 1, for which the terminal constraint set XT -- XRp~ N Z1 -¢ 0 (see Figure 2), where Z1 - U j - 1 ..... 4{~"~j SO }, satisfies the hypothesis of Theorem 13. An ext - . _ I
< 8[3b-[)ks zx /~3(s,k), aa
(13)
and t5 zx m a x ( p , p ) ~ [0, 1). Hence, /33 ~ ~ ~ and, since 132 ~ ~ ~ and )'1, Ye ¢ ~c~, we obtain that )'3 ~ . Applying Case 1 and Case 2 and combining with the result obtained above for Case 3 it follows that:
x~ I, where /3 (s, k) zx max(/3~ (s, k),/32 (s, k),/33 (s, k)) is a ~c~<~-function and )'(s) zx max()'~ (s),)'2 (s),)'s (s)) is a ~ - f u n c t i o n . Hence, ISS is proven for system (4b) in closed-loop with blDM for all initial conditions in Z f ( N ) U ZRPI and disturbances in ~ u . []
Illustrative example
plicit solution of Problem 7 with @'N(Xk) instead of @';V(Xk) was calculated with the MPT. The feasible set Z / ( 1 ) U Zapi of the dual-mode MPC control law and the state-space partition (138 regions) corresponding to the explicit MPC control law are plotted in Figure 3. Note that, by Theorem 13, ISS is ensured for the closed-loop system for initial states in Z / ( 1 ) U N a n and disturbances in ~'~, without employing a continuous MPC value function. Indeed, the dual-mode MPC value function V is discontinuous at any x c c?f~s2 N c?f~s0. For example, Vs2(x*) = 2.9038 and Vso(x*) 11.7383 for x* - [0 - 2.1830] T, i.e. the critical point at which the nominal MPC value function of Example 10 is not an ISS Lyapunov function. In order to illustrate the ISS property of the dual-mode MPC controller we simulated system (9) in closedloop with fiDM for initial states x01 [--1.9649 1.9649] (solid line) and xo2 - [5 - 5] (dashed line) and the disturbance values depicted in Figure 4 - (a), (b) for both x01 and x02. The control inputs are also plotted in Figure 4 - (c), (d) for initial states x01 and x02, respectively. Once the disturbance converges to zero, the state trajectories also converge to the origin _
Next, we demonstrate the ISS properties of the dualmode MPC control law (12) on the PWL system (9) of Example 10, introduced in Section 4. The terminal weight matrices Pj - P for j - 1,..., 4 and the feedbacks {Kj ]j C J } given in (10) are such that inequality (6) holds for all x c IRn. In order to implement the
327
0
5
10
15
Samples
i,
20
25
0
5
0
5
10
15 Samples
20
25
20
25
ference on Decision and Control. Maui, Hawaii. pp. 1413-1418. Grimm, G., M.J. Messina, S.E. Tuna and A.R. Teel (2004). Examples when nonlinear model predictive control is nonrobust. Automatica 40(10), 1729-1738. Heemels, W.RM.H., B. De Schutter and A. Bemporad (2001). Equivalence of hybrid dynamical models. Automatica 37, 1085-1091. Jiang, Z.-R and Y. Wang (2001). Input-to-state stability for discrete-time nonlinear systems. Automatica 37, 857-869. Kerrigan, E.C. and D.Q. Mayne (2002). Optimal control of constrained, piecewise affine systems with bounded disturbances. In: 41st IEEE Conference on Decision and Control. Las Vegas, Nevada. pp. 1552-1557. Kvasnica, M., R Grieder, M. Baotic and M. Morari (2004). Multi Parametric Toolbox (MPT). In: Hybrid Systems: Computation and Control. Lecture Notes in Computer Science, Volume 2993. Springer Verlag. Pennsylvania, Philadelphia, USA. pp. 448-462. http://control.ee.ethz.ch/mpt. Lazar, M., W.RM.H. Heemels, A. Bemporad and S. Weiland (2005a). On the stability and robustness of non-smooth nonlinear model predictive control. In: Workshop on Assessment and Future Directions of NMPC. Freudenstadt-Lauterbad, Germany. pp. 327-334. Lazar, M., W.RM.H. Heemels, S. Weiland, A. Bempotad and O. Pastravanu (2005b). Infinity norms as Lyapunov functions for model predictive control of constrained PWA systems. In: Hybrid Systems: Computation and Control. Vol. 3414 of Lecture Notes in Computer Science. Springer Verlag. Zfirich, Switzerland. pp. 417-432. Limon, D., T. Alamo and E. F. Camacho (2002). Inputto-state stable MPC for constrained discrete-time nonlinear systems with bounded additive uncertainties, In: 41st IEEE Conference on Decision and Control. Las Vegas, Nevada. pp. 4619-4624. Mignone, D., G. Ferrari-Trecate and M. Morari (2000). Stability and stabilization of piecewise affine systems: An LMI approach. Technical Report AUT00-12. Automatic Control Laboratory, ETH Zfirich. Switzerland. Rakovid, S.V. and D.Q. Mayne (2004). Robust model predictive control of contrained piecewise affine discrete time systems. In: 6th IFAC NOLCOS. Stuttgart, Germany. Rakovid, S.V., R Grieder, M. Kvasnica, D.Q. Mayne and M. Morari (2004). Computation of invariant sets for piecewise affine discrete time systems subject to bounded disturbances. In: 43nd IEEE Conference on Decision and Control. Paradise Island, Bahamas. pp. 1418-1423. van der Schaft, A. J. and J. M. Schumacher (1998). Complementarity modeling of hybrid systems. IEEE Transactions on Automatic Control 43(3), 483-490.
i i0
S.=ples
15
Samples
Fig. 4. Disturbance inputs w = [Wl w2] q- - (a) and (b); fiDM for x01 - (c); fiDM for x02 - (d). for both initial states, due to the ISS property. It is also worth to point out that the initial state x01, which was a problematic initial condition, as shown in the proof ofLemma 11, is contained in the feasible set of the ISS dual-mode MPC controller. This illustrates the effectiveness of the proposed methodology.
6. CONCLUSIONS This paper considered robust asymptotic stability in terms of ISS for discontinuous PWA systems controlled by MPC strategies, as this is an important property from a practical point of view. We presented an example of a PWA system (with the origin lying on the boundaries of multiple regions in the partition) taken from literature for which a nominally stabilizing MPC scheme generates an MPC value function that is not an ISS Lyapunov function. In such cases, there are no systematic ways available for modifying hybrid MPC schemes such that robustness (ISS) is a priori ensured. Therefore, a new method for setting up MPC schemes for general discontinuous PWA systems, with an a priori ISS guarantee, was developed via a dual-mode approach. The dual-mode hybrid MPC algorithm uses tightened constraints and does not require continuity of the system, the MPC control law nor of the MPC value function. An example demonstrated the effectiveness of the developed methodology.
REFERENCES Bemporad, A. (2003). Hybrid Toolbox-User's Guide. http://www.dii.unisi.it/hybrid/toolbox. Bemporad, A. and M. Morari (1999). Control of systems integrating logic, dynamics, and constraints. Automatica 35, 407-427. Borrelli, F. (2003). Constrained optimal control of linear and hybrid systems. Vol. 290 of Lecture Notes in Control and Information Sciences. Springer. Grimm, G,, M.J. Messina, S.E. Tuna and A.R. Teel (2003). Nominally robust model predictive control with state contraints. In: 42nd IEEE Con-
328
Copyright © Analysis and Design of Hybrid Systems Alghero, Italy 2006
ELSEVIER
IFAC PUBLICATIONS
R O B U S T M O D E L P R E D I C T I V E C O N T R O L FOR P I E C E W I S E A F F I N E S Y S T E M S S U B J E C T TO B O U N D E D D I S T U R B A N C E S (1) j. Thomas, (z)S. Olaru, (3) j. Buisson and (2) D. D u m u r
a) Industrial Education College Beni S w e f Egypt Phone • +20 (0)12 52 63 476 (:) SupOlec F 91192 G ~ s u r Yvette cedex , France Phone • +33 (0)1 69 85 13 75 (3) Supdlec F 35 511 Cesson-SOvignd cedex, France Phone • +33 (0)2 99 84 45 42 Email : [email protected], {sorin.olaru, jean, buisson, didier.dumur}@supelec.fr
Abstract: This paper investigates the robust tracking and regulation control problems for discrete-time, piecewise affine systems subject to bounded disturbances. In particular, the main question addressed is related to the existence of a controller such that the closed-loop system exhibits an attainable desired behavior under all possible disturbances. Checking attainability and calculating the state space regions for which a robust control is assured despite the disturbance is performed using a polyhedral approach. A model predictive control law derived from a quadratic cost function minimization is further examined as a fast sub-optimal robust control. An application of the proposed technique to a two-tank benchmark is finally presented. Copyright © 2 006 IFA C
Keywords: Piecewise affine systems, hybrid systems, bounded disturbances, teachability, model predictive control. An attractive and challenging field of research is currently dealing with hybrid systems subject to uncertainties (Bemporad and Morari, 1999b), either parameters uncertainties or disturbances influences, where problems like safety, reachability, attainabili~ and robust control become interesting questions for researchers.
1. INTRODUCTION Hybrid systems are now of common use in many control applications in industry, e.g. in control of mechanical systems, process control, automotive industry, power systems, aircraft and traffic control. Hybrid systems are heterogeneous dynamical systems, their behavior is determined by interacting continuous variable and discrete event dynamics. Various approaches have been proposed to model hybrid systems (Branicky et al., 1998), such as Automata, Petri nets, Linear Complementary (LC), Piecewise Affine (PWA) (Sontag, 1981), Mixed Logical Dynamical (MLD) models (Bemporad and Morari, 1999a). Different techniques are used to control hybrid systems, for example Model Predictive Control (MPC) (Schutter and van den Boom, 2004; Thomas et al., 2003; Olaru et al., 2003; Olaru et al., 2004) and optimal control (Bemporad, and Morari, 1999a).
In this direction, this paper examines a class of discrete-tilne piecewise affine systems subject to bounded disturbances. For this class of systems, some solutions to the above mentioned problems are already proposed in the literature. For example, in (Lin and Antsaklis, 2003), an attainability checking that employs the predecessor operator, and a controller technique using finite automata and linear programming is presented. In (Necoara et al,, 2004, Bemporad et aL, 2003), a control technique based on minimizing the worst-case cost function (rain-max problem) is proposed to solve the control problem.
329
The contribution of this paper is based on a polyhedral approach enabling the elaboration of the state space regions for which a robust control exists which drives the plant to a desired behavior despite the disturbances. The safety, reachability and attainability questions are examined through this framework and a robust Model Predictive Control (MPC) with quadratic cost function is presented as a fast suboptimal robust control.
r are respectively the dimension of state, input and disturbance vectors, and Pi is the number of hyperplanes defining the Zi polyhedral. In this formalism, a logical control input is taken into account by developing an affine model (1) for each input value (1/0), defining linear inequality constraints linking the model with the relevant input value (2).
The paper is organized as follows. A brief description of PWA systems and the related class is given in Section 2. Section 3 develops the polyhedral approach which will elaborate the state space regions where reachability, safety and attainability questions can be assured. A fast and suboptimal robust control is then developed in Section 4 for the considered class. An application of the proposed technique to a two-tank benchmark is presented in Section 5. Finally the conclusions and some remarks are given in Section 6.
3. DIRECT R£ACHABILITY, SAFETY AND ATTAINABILITY: A POLYHEDRAL APPROACH Let consider the region R k , k > 1 as a target region in the global state space X. This section considers the robust one-step control region Rk_ 1 as the region in the state space for which there exist a feasible mode (1) and an admissible control signal able to drive the states from R k_ 1 into R k in one-step despite all allowable disturbances, i.e.:
2. PIECEWISE AFFINE SYSTEMS SUBJECT TO BOUNDED DISTURBANCES
xk_ 1 ~ X 3iAuk_ 1 ~ U,l_uk_l Piecewise affine systems are powerful tools for describing or approximating both nonlinear and hybrid systems, and represent a straightforward extension from linear to hybrid systems. This paper focuses on the particular class of discrete-time piecewise affine systems subject to bounded disturbances, defined as:
Rk_m = ~.t.
IA
Uk
Vd~_ 1 ~ D
In the following, the computation of this region Rk_ 1 is achieved through a polyhedral approach. Consider the global state space defined by the following constraints:
S i .~ik+ 1 =AiXk +Biuk +Cid~ + f i } for
(3)
iXk_l +Biuk_l + C / d k-i / + fi E Rk,
~ Zi
x ::
Xk e X, uk e U, d i e D denote the state, input and disturbance vector respectively at instant k (for the i th model) with X,U,D assigned polytopes (D contains the origin). {d(i }'iSl is the polyhedral coverage of the state and input spaces X x U , s being the number of subsystems. Each Zi is given by:
}
The control input is supposed to be bounded: U:= {mu_
(5)
With disturbance given inside an assigned polytope d~_ 1 ~ D, with the target region Rk, defined by: R k:={vx k_g
}
(6)
and considering each valid model i where i ~ (1,2,..., s) and using the system evaluation equation (1), enables to derive the following region: Exact state measurement x is supposed to be available. Note that the sets Zi are assumed here to be not disjoint so that the desired model dynamics can be chosen by the bias of switching (logical) decision variables. lAaCh subsystem
i,Bi,ci,fi,Qi,qi)
Si
defined by the i~ I = (1,2,..-,s)
R;_ l ={Xk_ 1.9t nl]Vd;1_ .D, F(A i xk_ 1 + Biuk_l + Cid~:_l + fi)___g, (7) Qi[Xk_ 1 Uk_1Y -< q ' , } f"l {Lx
-g<
}
The presence of disturbances can be in a first step ignored, leading to the computation of the set:
6-uple is a
:IrF F"lrx O ' E 1}
component of the global hybrid system where I is the collection of all subsystems. A i E ~nxn,Bi E ~n×m C i E ~ n x r Q i E ~ pi(n+m) and
1 <-
-qi
N {F,x~_~ _
qi ~ ~pi is a suitable constant vector, where n, m,
330
(8)
and to the expression of the maximal admissible region for the mode i in the absence of disturbances: Iii_l : Prx ~ k-1 Remark
1. the direct reachability from region Rk+j+l for O < j < _ N - l ,
Rk+j
to
2. the safe~ (or control invariance) for region
(9)
Rk+N .
1: the projection of polyhedral sets can be
efficiently handled in a double representation (generators/ constraints) and related tools can be found as for example - POLYLIB (Wilde, 1994). Due to the fact that the goal is the construction of a control strategy robust with respect to the entire family of possible disturbances realizations, the previous equation finally becomes: k-1 = R~ ik-1 - C ' D
R /
O .....O O
R~ . . . .
R~ .....
....
R1k 4 N - 2
(10)
O .....O O
R~,~=~
R2~N2
O
;
where the subtraction is computed in the Minkowsky sense (exact geometric operation, based on the double representation of polyhedral domains). The set CiD is the image of D by the linear mapping:
R 1. . . .
O
R;+Nz
R~ . . . .
R1k + N
2
R.....
;
$
O
R~+N_2
O .....O O
O
RL~ 2
RLN~
Fig. 1. Regions exploration, (a) complete exploration, (b) exploration with no switch over the N steps,
f : D -+ 9~n, f (d) : Ci d With these sets constructed for each linear sub-model, the global one-step robust controllable region of the state space is thus given by: Rk_ 1 =
0'
Rk_ 1
4. ROBUST MODEL PREDICTIVE CONTROL The min-max control technique is proposed in the literature as a robust control for such problems, which minimizes the maximum cost, to try to counteract the worst disturbance. This paper focuses on the model predictive control for PWA systems with quadratic cost function as a fast suboptimal robust solution.
(11)
i=1
The procedure presented above can be repeated in a recursive way to find the domain for ans, limited N steps horizon. Using a dynamic programming approach, after defining the target region R k+N , the state space domain Rk can be recursively calculated, that includes all the states having a feasible control policy that can in N steps derive the states to R k+Adespite the disturbances.
The model predictive control proposed here requires solving at each sampling time the following problem: -. k+N-1 min -atu k
k+N-1 uk
~ Xk+j j=l
2: For PWA systems with many sub-models s and for long horizon N , this may imply the exploration of a large number of regions (exponential complexity, Figure 1a). Considering thus "no switch" between sub-models over the N steps horizon (Figure l b) leads to a lower complexity mechanism. Even if this may imply more conservatism, this suboptimal construction appears to be broad enough for many applications, this will be applied in the following sections.
Remark
s.t."
, x k). =
N-1
+ Z
j=0
(12)
Qi[X/c+J] < " LUk+j J - q',
Xk+ j ~ Rk+j,
for j = 0,1,---,N
where x e is the states reference, A, F are the weighting diagonal matrices in the sense x ]A = X T A x . (12) is solved according to the following steps: 1. solve this quadratic problem for each dynamic among the s sub-models, staying on the dedicated branch of Figure 1.b (i.e. as assumed with Remark 2, the open-loop control sequence of the predictive law is elaborated without switching),
S a f e t y , a well-known geometric condition for a set to be safe (control invariant) is the following (Lin and Antsaklis, 2002):
2. compare all the resulting costs,
the set Rk+ 1 is safe if and only if Rk+ 1 c R k
3. retain the model with the lowest cost and the associated control sequence,
Attainability, given a finite number of regions (Rk, Rk + 1, ' " , Rk+N ) ~ I x Z, the attainability for this sequence of regions is equivalent to the following two different properties:
4. apply only the first value of this sequence and restart the procedure at the next sampling time.
331
3: At each sampling time, the decision process can drive the system to any particular feasible mode due to receding horizon implementation of the optimal open-loop sequence. To sum up, the conservatism is only related to the feasible set coverage and not directly to the chosen performance index. Remark
Remark
where the Qs denote the flows and A is the crosssectional area of each of the tanks. The Toricelli law defines the flows in the valves by following expressions: Q12/712 =
VlzaSlZsign(hl - hz)~12g(hl - h2)
(14)
QN2 = VNzaSN2 ~/2gh2
4: If the initial state x k is included in the
union of regions Rk_ N i of different modes ( i ), the MPC technique can select a suboptimal solution among all feasible modes. The feasibility at instant k implies feasibility at any instant k + 1 to k + N . The longest the prediction, the largest the feasible domain will be.
where S i represents the area of valves V/ and a is a constant depending on the liquid. From this, a simplified linear model can be obtained under the form: Q12v12 ~ k12//12 (hl - h2 )
(15)
QN2-- kN2 VN2h2 5. APPLICATION where: k12 = aS12 ( hmax, 2g Let consider as application of the previous theory the following benchmark consisting of two tanks (Figure 2), filled by pump acting on tank 1, continuously manipulated from 0 up to a maximum flow Q1 •
kN2 - aSN2 1 2ghmax
The Euler discretisation tec~ique is used to further derive the discrete form : h 1(k + 1) = h 1(k)+
Ts (Ql(k)_k12V12(h1(k)_h2(k)) A
(16)
h 2(k + l) = h 2(k) + 1
2
--~-(k12/712 (h 1(k) - h 2 (k)) -
kN2/TN2h2 (k))
where Ts is the sampling time, equal to 10 s. This benchmark can be considered as a piecewise system of form (1), with two subsystems (two modes) described as follows: For mode one, the valve /712 is open: A 1 = I 0'9269 0.073051 [_0.07305 0.8539 J'
B 1 =I649;3511
Fig. 2. Two-tank benchmark. 1
One switching valve /712 controls the flow between the tanks, this valve is assumed to be either completely opened or closed (/712 =1 or 0 respectively). The /7:v2 manual valve controls the nominal outflow of the second tank. It is assumed in further simulations that the manual valves, /7N1 is always closed and VN2 is open. The liquid levels to be controlled are denoted h I and h 2 for each tank respectively.
0
0
0.62 0.62
0
1
0
Q1 = - 1 0
0
0
-1
0
0
0
0
1
0.0001
0
0
-I
_
0
q1=
0 _
_
For mode two, the valve 1712 is closed:
:E; o.9O2691 , :E6490'1
The conservation of mass in the tanks provides the following differential equations: 1
/~1 =-~(Q1 - Q12V12) (13) /~2 = A (Q12v12 - Q N 2 )
1
0
0
0.62
0
1
0
0.62
Q2 = - 1 0
-1
0
0
0
0
1
0.0001
0
0
-1
0
0 , q2=
0
0 _
332
The previous constraints have integrated limitations on the global state space: ,
X:=
0
0
@
F0.621
1 x<
/0.62 /
,Oo ,
L°o]
E,
g~
(17)
and limitations on the control signal: U:=
[:1 [°°°°'1 1
Q1 -<
m
(18) Fig. 4. Regions for mode two with N = 5.
n
The target region, to which system states will be derived to, is defined by the following constraints:
° lx-/_o.4s //
Rk+N := --1 0 0
(19)
/-O.lSj
--1
g
A polytope for bounded considered with:
disturbance
is finally e ~
[i00,1_< [00q oo,,
o:
83
ca
e
es
(20) The robust model predictive control presented above, is applied considering many different initial states inside the region R k, and at each time step, a random disturbance is added to the system states. The weighting diagonal terms in the cost function are chosen such that A = 1000" 12 and F = 1, and the states reference is (0.5, 0.2). Figure 6 shows some results of robust MPC with N = 2 for extreme initial states inside R k with random disturbance, and as Figure 6 shows, all the states in Rk are derived in two steps ( N = 2 ) to the desired region Rk+2 despite the disturbance.
With this assumption, Figure 3 presents the regions for mode one for N = 5, and Figure 4 for mode two with N = 5 as well. For both modes, the regions are presented in Figure 5 with N = 3.
o
e ::,~
Fig. 5. Regions for both modes with N = 3.
The approach presented above is first applied to elaborate the region R k in the state space which includes the states that can be derived in finite N steps to R k+N despite the disturbance. However, a suboptimal approach is used here (see Remark 2) as a compromise with the computational load.
8
e~
@5
Fig. 6. Robust MPC for different initial states, with N=2.
Fig. 3. Regions for mode one with N = 5.
333
conference on Decision and Control, Las Vegas, Nevada USA, December.
When talking about complexity, one has to mention that the convex regions computed here, R ik_~ as in (11), are obtained in a dual representation (extreme points/constraints), which does not represent a computational challenge (the MPT toolbox was used here - (Kvasnica et al., 2004)) as long as the number of vertices does not increase (there are polytopic regions with either 4 or 5 vertices). This fact is strongly related to the particular shape of the target region. In this case, neither the projections nor the difference of polyhedral regions should require an important computational effort.
Lin H. and P.J. Antsaklis (2003). Robust tracking and regulation control of uncertain piecewise linear hybrid systems. ISIS Technical report. http ://www.nd.edu/qsis/tech.html. Kvasnica M., P. Grieder and M. Baotic (2004). Multi-Parametric Toolbox (MPT),
http://control.ee.ethz.ch/-mpt/ Necoara I., B. De Schutter, T.J.J. van den Boom and J. Hellendoorn (2004). Model predictive control for perturbed continuous piecewise affine systems with bounded disturbances. Proceedings of the 43 rd IEEE conference on Decision and Control, Paradise Island, The Bahamas, pp. 1848-1853, December.
Finally, in Figure 6 one can remark several state trajectories generated based on random disturbance realizations validating any physical extreme combination of states.
Olaru, S., I. Dumitrache and D. Dumur (2003). Modified MLD form for discrete optimization of hybrid systems, IFAC Conference on Analysis and Design of Hybrid Systems ADHS'03, SaintMalo, France.
6. CONCLUSION This paper has examined a class of discrete-time piecewise affine systems with bounded disturbance, for which a polyhedral technique has been proposed to find the regions in the state space where a feasible mode and a robust control is assured to derive the system states to the desired region despite the disturbance. Model predictive control technique has been proposed as a fast and suboptimal robust control for the considered problem.
Olaru S., J. Thomas, D. Dumur and J. Buisson (2004). Genetic Algorithm based Model Predictive Control for Hybrid Systems under a Modified MLD Form. International Journal of Hybrid Systems. Vol. 4 : 1-2. De Schutter B. and T.J.J. van den Boom (2004). Model Predictive Control for Discrete-Event and Hybrid Systems Part II: Hybrid Systems. Proceedings of the 16th International Symposium on Mathematical Theory of Networks and Systems, B. De Moor and B. Motmans, editor Leuven, Belgium, 5-9 July.
Future work will consider applying the same tec~iques on discrete-time piecewise affine systems with parameter uncertainties and exogenous disturbances.
Sontag E.D. (1981). Nonlinear regulation: the piecewise linear approach. IEEE Transaction on Automatic Control, 26(2):346-358, April.
REFERENCES
Thomas, J., J. Buisson, D. Dumur and H. Gudguen (2003). Predictive Control of Hybrid Systems under a Multi-MLD Formalism. IFAC Conference on Analysis and Design of Hybrid Systems ADHS'03, Saint-Malo, France.
Bemporad A. and M. Morari (1999a). Control of systems integrating logical, dynamics and constraints. Automatica, 35(3):407-427. Bemporad A. and M. Morari (1999b). Robust model predictive control: A survey, In Robustness in Identification and Control, A. Garulli, A. Tesi, and A. Vicino, Eds., N. 245 in LNCIS, pp. 207226. Springer Verlag,
Wilde, D.K. (1994). A Library for Doing Polyhedral Operations. In Technical report 785, IRISARennes, France.
Bemporad A., F. Borrelli and M. Morari (2003). Minmax control of constrained uncertain discrete-time linear systems. IEEE Transactions on Automatic Control, 48(9): 1600-1606. Branicky M.S., V.S. Borkar and S.K. Mitter (1998). A unified framework for hybrid control: model and optimal control theory. IEEE Transactions on Automatic Control, 43(1):31-45. Lin H. and P.J. Antsaklis (2002). Controller synthesis for a class of uncertain piecewise linear hybrid @namical systems. Proceedings of the 41 st IEEE
334
Copyright © Analysis and Design of Hybrid Systems Alghero, Italy 2006
ELSEVIER
IFAC PUBLICATIONS
S T A B I L I Z A T I O N OF S W I T C H E D L I N E A R SYSTEMS WITH UNKNOWN TIME VARYING DELAYS Laurentiu Hetel,
Jamal Daafouz,
Claude hng
Institut National Polytechnique de Lorraine, C R A N UMR 7039 C N R S - U H P - INPL, ENSEM, 2, av. for~t de la Haye, 5~516, Vandoevre-L~s-Nancy, Cedcx, France. Email: {Laurentiu.Hetel, Jamal.Daafouz, Claude. Iu ng} @ens era. inpl- n ancy. f f
Abstract: We consider continuous time switched systems t h a t are stabilized via a computer. Our goal is to construct a switched digital control for continuous time switched systems that is robust to the varying feedback delay problem. The key idea of this paper is that the control synthesis problem in the case of continuous time systems with uncertain time varying feedback delays can be expressed as a problem of stabilizability for uncertain systems with polytopic uncertainties. For the sake of generality, the problem of switched systems will be considered (the solution for LTI systems can trivially be deduced by eliminating the switching aspect of the problem). Copyright©2006 IFAC. Keywords: Switched linear systems, time varying feedback delays, polytopic uncertainties, robustness, LMI.
1. I N T R O D U C T I O N Nowadays, many control problems are solved via a computer generated feedback. When dealing with such a digital control, uncertain time varying feedback delays are unavoidable. These delays can affect system performances and lead to instability if they are not taken into account (Wittenmark et al., 1995). The problem engaged scientists from both computer science (Buttazzo, 2002; Martf et al., 2001; Stankovic et al., 2001) and control systems (AstrSm and Wittenmark, 1997; Wittenmark et al., 1995). It has been studied in the general context of real-time control systems (Nilsson et al., 1998) for embedded and networked control systems (Arzen et al., 2000; Hristu-Varsakelis and 1 Work (partially) done in the framework of the HYCON Network of Excellence, contract number FP6-IST-511368
Levine, 2005; Montestruque and P.J.Antsaklis, 2004; Tzes et al., 2005; Zhang et al., 2001). Here, we treat the control synthesis problem for continuous time systems affected by uncertain time varying feedback delays in a digital control context. This paper is organized as follows. In Section 2, we mathematically formalize the problem under study: "the robust stabilizability of continuous time switched systems relative to time varying feedback delays" and we introduce its sampled version. In Section 3, we show that, by using a Taylor series approximation, the system affected by time varying feedback delays can be expressed as a polytopic uncertain system. In Section 4, we present the control synthesis for this problem and we apply it to the polytopic version of the system affected by feedback delays. The approach is illustrated by a numerical example in Section 5.
335
P r o b l e m : Assuming that switching signal cr and
N o t a t i o n s : For a matrix M we denote by IIMII the induced matrix norm. By M > 0 or M < 0 we mean that the matrix M is positive or negative definite respectively. By I (or O) we denote the identity (or the null) matrix with the appropriate dimension.
the sampling T are synchronous, find a switched state feedback that robustly stabilizes the continuous time switched system (1) when the input is affected by time varying delays (3). R e m a r k : It is clear that this problem is the same as the classical "timing problem" in the case of LTI systems if we consider N--1.
2. P R O B L E M F O R M U L A T I O N
In order to solve such a problem, we consider the discrete representation of the system (1) over a sampling period:
We consider a continuous time switched system
dx(t) - M~x(t) + N~u(t) dt
(1)
z(k
The switching function or(t) • R + --+ P { 1 , 2 , . . , N } gives a particular index i indicating the active system regime. It is used to represent sudden changing of system dynamic (for example the switch on/off of a pump in a tank system). { ~ c R ~×~. i c P} ,~d {N~ c R ~ . i c P} are two families of matrices. Each pair (Mi, Ni), i c P describes a continuous time model representing different regimes of system behavior. Here cr will be considered a piecewise constant function that may change its value at t kT, k c Z + with T > 0 the sampling period.
+
l)
-
¢~x(k)+ r°(AT(k))u(k) +C~ (AT(/~))u(/~- 1)
where (I)~- e M~T - A~,
T--AT(k)
r°(AT(k))
-
jo
=
tt
eM~SdsN~, -
F~(AT(/~)).
where A~(k)
~%(k) and z(k)
(I)~ 0
r~(Ar(k)) 0
r°(AT(k)) I
~(k
1)
This representation has been adapted for switched systems from the real time linear system representation presented by AstrSm and W i t t e n m a r k (~strSm and Wittenmark, 1997). In this model .~
~t~o~ly d~p~-
dent on the uncertain time varying delay AT(k). Therefore the previous system is an uncertain system with time varying uncertainty.
~0T e V ' S d s N ~
A more realistic discrete representation should consider that the system is affected by several delays (Wittenmark et al., 1995): delays between the sensor and the digital control r~C(k), computing delays in the controller r c(k) and communication delays between the controller and the actuator r~a(k). The total delay in the closed-loop
Now, the problem under study reduces to find a switched state feedback u(k) K ~ z ( k ) that stabilizes the discrete switched uncertain system (8) when the total system delay AT,~in < AT(k) < ATmax is time varying and unknown. In the next section we will show the way the uncertain delay dependent system (8) can be expressed as a switched polytopic uncertain system.
have an unknown random varying length. However, the total system delay is bounded, AT,~m < AT(k) < AT,~,x. Here we will analyze the case where ATmax < T and where the switching signal cr and the sampling T are synchronous. When the effect of time delays is taken into account the system input is given by:
3. E X P R E S S I N G UNCERTAINTIES AS P O L Y T O P E S OF MATRICES When considering the equivalent discrete representation (8), the two matrices F~(AT(k)) and F°o_(AT(k))are delay dependent uncertainties. If
u(k
~(t)
(7)
(s)
r~(aT(k)) . ~ d r°(aT(k))
1), t C [kT, k T -I- AT(k)) ~(k), t c [kT +/',T(k), (K + I)T)
(6)
The proposed system can be written as:
When sampling and actuation are considered to be periodic and synchronous with the periodicity T, the equivalent discrete representation of the system is given by integrating the solution of the system over one sampling period:
Bo- -
(5)
T--AT(k)
In order to design a computer based control, a sampled model of the continuous time system is derived and discrete time control methods are applied. The final digital control is strongly dependent on the sampling period and on the discrete description of the plant.
Ao- - eMiT
(4)
(3)
336
they can be expressed as convex polytopes, system (8) can be treated as a switched polytopic uncertain system, for which stability conditions can be expressed in terms of linear matrix inequalities.
Consider the notations •
Co-q
S t e p 1: T a y l o r series e x p a n s i o n of t h e unc e r t a i n t i e s F~(AT(k)) a n d F ° ( A T ( k ) )
q
q!
(~1
[/9 hi /9 h 1I.../9 2I /9I]I ~
02
[__phI_ph 1i...__p2 I ~ I ] ' , . . . ,
Oh+l
Proposition 1. F ~ ( A T ( k ) ) a n d F ° ( A T ( k ) ) , theelements of system (8) matrices can be expressed as:
1)q+l M J 1 e M°-TNo-,
(
[~h I ~ h
with mp
1i...~21
ATtain and ~
1'' h
and
(15)
~I]'
ATmax.
(x)
FI(/~T(~))
Proposition 2. The h-order approximation c ;1 h (/',T(k)) and F°,h(AT(k)) can be expressed as the convex matrix polytopes:
/~T(~))q]~I~~.lgM~'TNo - and
--E(
q-1 (9)
r°(A~(~))
~ + }~( zx~(~))~
Mq 1
h+l
q! ~ ' ~ x ~
P r o o f . Consider
//
I(x)
i-1 h+l
r°'~(zxT(k)) eM~ds.
h+l
x
dqI
re(k)
xq
1,..,h+l, w c z
+,
where the polytope vertices are
[Go-,1.-. Go-,h] ~i
UJ:/h
x)qMq-I~M~,T
and
q~
q--1
1, m ( k ) > 0 v i
/--1
~(o) + i(o)~ + . . . + -=:,~ ( o ) q1 _ +... agu L(
Z'~(k)u°) , i-1
(10)
Using the Taylor series expansion one can write:
~(~)
(16)
r~'~(zxT(k)) - Z ' ~ ( k ) u J : ) ,
q--1
0,h U~I /
(11) From (10), (11) and (5) Proposition 1 is proved for x - AT(k). [] S t e p 2: h - o r d e r a p p r o x i m a t i o n series for u n c e r t a i n t i e s
1 U~/
B~
respectively. P r o o f . From equation (14)and the notations (15) can be expressed as
of T a y l o r
rZ'h(AT(k))
h
Focusing on the first h terms of the previous formulation, F Icr( A T ( k ) ) can be expressed as a finite sum and a remainder
q=l
with p(k) - written as:
h
r l ' h ( ~ T ( ~ ) ) = [Go-1.,. Go-h ] tI/(~)
q=l
(12)
$(k)
M q_ 1
[p(k)hI. . . p2(k)I p(k)I]'
-
In the space of parameters $(k) it can be shown t h a t p ( k ) C [p,~], Vk C S +
q=h+l
=--
(18)
where
where the remainder is oo
AT(k). The equation (17) can be
eM~Tdv-_.....
( - - A T ) q M qq!- 1
h+l
eM°-TN°-"
$(k) = E P { ( k ) ¢ / '
q=l
with
(19)
4=1 h+l
,~(k) > 0
F~,h(AT(k)) and r°£h(AT(k)), given by
.~a Z ' ~ ( k ) - 1 vk
c z +.
i=1 h
~_
1
The uncertain parameters #/(k) are solutions of the linear system:
q=l
r°,~(~T(k))- B, - r~,~(~T(k)).
1
(~4)
......... _
1 _
1 ,~(k)
~(k)
will be called the h-order approximation. o
S t e p 3" P o l y t o p i c f o r m of t h e h - o r d e r approximation
ph . . . . . .
337
/9 h ~ h
#h+l (~)
/ghi/~)
Using the classical Gauss method, the solutions can be computed by the recursive formula: p-p (90) #1 = 1 -, p-p
et al., 2002) and for polytopic uncertain systems (J.Daafouz and Bernussou, 2001). Here we extend the existing approaches for the following switching uncertain system:
_
m
pk-1
pk-1
_
-
# E - -fiE-1 _ pE-1 -
-
One can prove that pk--1 _ pk--1 # k - - -fiE- l _ f i k - 1
~--~+hl -
)~
#~,
where
k - 2 . . h .
i=k+l
nag
nbG
pk _ pk
j=l
1=1
~k _ pk ' k=
2 . .h. ~
m
which is strictly positive since the function f : - , ~ , f (x) - 5px_px x _ , ~ is monotone decreasing for
9~(k) = l. 9~(k) _> 0. v k c
represent the uncertainty on the dynamic and input matrix, respectively. The switching signal is given by or. Here a~j and ~ l are the uncertain parameters describing each uncertainty while na~ and nb~ represent the number of extreme points in the uncertainty A~ and B~ respectively, This is a more general form of the switched polyopic system (21); the input and the state matrix are affected by distinct polytopic uncertainty with different uncertain parameters. This system can also be expressed as:
Let 0
~'~ 0
A~
i~
,B~-
C o n s i d e r i n g the h-order approximation of the uncertainties in equation (14) and Proposition 2, the system (8) can be expressed in the truncated polytopic form:
z ( k + 1 ) - fth~z(k) + Bh~n(k)
s+
/--1
S t e p 4: S y s t e m p o l y t o p i c t r u n c a t e d f o r m
~
~ . . ~ j ( k ) > 0.
nbG
m
~ --
G
j=l
~ (0, o ~ ) w e c~. ~m~rk t h ~ whi~ ~ ~ [_~,~1, 0 < #E < 1 Vk = 1..h + 1 therefore all the solutions are barycentric coordinates. From (18,19), with the notations (15)and (14) Proposition 2 is proved. []
~
a
Z"~J(k)-
N
N
z(h+l) = E
(21)
~i(k)Ai(h)z(h)+E
i=1
[i(k)B~(k)n(k),
i=1
(23)
where
N
h+l
h+l
~ : s+ ~ {0,1}, Z ~(k) = 1,
i=1
i=1
The closed-loop dynamics with the switched state feedback
i= 1
System (8) truncation is a switched uncertain system with polytopic uncertainty (21).
N
i=1
is described by the equation:
4. CONTROL SYNTHESIS
N
In the previous section it was shown that for any switched system with time varying feedback delay there exists a polytopic approximation. Considering the control synthesis in this context, one has to find a switched state feedback that stabilizes the h-order approximation system (21). It is clear that finding such a control law and proving that it is also valid for non truncated form of the system (8) solves the original problem. Robust stability results for switched uncertain systems with polytopic uncertainty are given in this section.
i=1
With the uncertainty description (22), the equation becomes N
na~ nbi
i=1 j=l
/=1
where Hijl -- Aij + B~lK~. We use switched parameter dependent Lyapunov functions given by:
v(k) - S(k)P~(k)
g. 1 Switched control design for uncertain switched systems
with N
Until now several control approaches have been presented separately for switched systems (Daafouz
338
nai
nbi
i=1 j=l
1=1
(2s)
The difference along the system trajectories is:
A procedure based on considering the neglected remainder O~h (see Step 2 and Step 5 in Section 3) as a disturbance and using LMI based conditions for stability analysis can be used to check that the control law obtained using Proposition 3 is valid for the non truncated form of the system (8). Consider the notations:
where N
na~ nb~
i=S j:l
N
/:1
hal nbi
i=1 j=l
P r o o f . see (Hetel et al., 2005) []
/=1 h+l
N
h
na.~ n b ~
h
~h j=l
h+l
m=l u=l v=l
o,
>
Theorem 1. System (23) is stabilizable via the control law (24) if there exists symmetric positive definite matrices Sijl and Smuv, and matrices Gi and Ri, solutions of the LMI:
gi @ g T --
~ijl
G Ti
AijT
AijGi + BilRi
R iT
÷ Smuv
BitT
> 0,
s2K~, h c R
i, m = 1 . . N , j = 1..nai, l = 1..nbi, n = 1..nam, v = 1..nbm. The switched state feedback control is given by (24) with K~ = R i G ~ ~.
Remark: Theorem 1 gives robust LMI stabilizability conditions based on switched parameter dependent Lyapunov functions and hence less conservative than all the other results in the literature (Ji et al., 2003; Zhai et al., 2003). Moreover, these results obviously apply to the state reconstruction problem for uncertain switched systems (Daafouz et al., 2003).
w c z+,(3o)
s ,q
with
(27)
P r o o f . see (Hetel et al., 2005). []
i i:i
D-[I0]
T
~×~,
E~h -
K~, h c R ~ × ~
[I I] [ - K ~ ' h
'
0
[
I - K ~ 'h
Theorem 2. If there exists symmetrical positive definite matrices Pij, and matrices Gij with i 1,. .... N and j = 1 , . . . , h + 1 solutions of the LMI:
hT T H~) I --Pi.i hT 0GpqD Hi.J Gpq a T (o) T Ppq -- Gpq -- pq (.)T (o)T D T (Gpq -4- Glq)D -- I (.)T
(.)T
V i,p-
(.)T
1,...,N
E~hT 1 0 0
<0
--oil
(3s) 1 . . . . ,h + 1 with
j,q-
ensure the stabilizability of the original discrete time system with time varying delays (8), that is system (4) is stable.
~.2 Control synthesis for switched systems with uncertain time varying feedback delay Proof. The truncation (21) of the system with uncertain feedback delay (8) can be considered as a switched uncertain system with polytopic uncertainty (22) for which we developed LMI stabilizability conditions (27). The problem of finding a computer control u ( k ) = K h z ( k ) for the discrete h-order truncation ( 2 1 ) o f the discrete time switched system (8) is the same as the control synthesis problem for a switched uncertain system with polytopic uncertainty (22).
In practical applications, finding a feedback control for the original discrete time system (8) is a compromise between two constraints: high order uncertainty approximation, for a good discrete system representation, and small number of LMIs. These two constraints are opposite because a high order uncertainty approximation implies a large number of LMIs and the numerical LMI solvers are not able to compute a feedback gain when the number of LMIs is too large.
Proposition 3. If there exists positive definite symmetric matrices Sij, S~v and matrices Gi and Ri solutions of the LMI conditions:
[ Gi @ GT
sij CT~hT --
v
i
- -ij
I~T~hT] @
i
ij
>
0
(28)
see (Hetel et al., 2005)D
5. NUMERICAL EXAMPLE Consider the following system: dx dt
where i , u = 1 . . . N , j , v = 1 . . . h + 1 then the switched state feedback stabilizing gains are given by K h = R i G ; 1.
= M ~ x ( t ) ÷ N~u(t), a C {1, 2} with M1-
339
3
1-1
2
,
M2-
21]
3-4'
x~-[~0]'
~d
Hristu-Varsakelis, D. and Levine, W. S., Eds. (2005). Handbook of Networked and Embed' ded Control Systems Series: Control Engineering. Birkh~user. J.Daafouz and J. Bernussou (2001). Parameter dependent lyapunov functions for discrete time systems with time varying parametric uncertainties. Systems and Control Letters
x~-[~.50]'
The system is sampled with T -- 0.3s and the feedback delay is bounded by AT,~i~ - 0s and ATmax -- 0.1s. When considering a first order approximation of the system, state feedback K~ gains are found via the LMIs (28) but are not validated by (31). A second order approximation is performed. In this case we obtain the switched feedback gains: K~
[ 2.99
43,355-359. Ji, Z., L.Wang and G.Xie (2003). Robust stability analysis and control synthesis for discrete time uncertain switched systems. In: Proceedings of the 42th IEEE Conference on Decision and Control. Maul, Hawaii USA. Martf, P., G. Fohler, K. Ramamritham and J. M. Fuertes (2001). Jitter compensation for realtime control systems. In: In 22nd IEEE RealTime Systems Symposium (RTSSO1). London, UK. Montestruque, L. and P.J.Antsaklis (2004). Stability of model-based networked control systerns with time-varying transmission times. IEEE Transactions on Automatic Control, @ecial Issue on Networked Control Systems 49, 1562-1572. Nilsson, J., B. Bernhardsson and B. Wittenmark (1998). Stochastic analysis and control of real-time systems with random time delays. Automatica 34, 57-64. Stankovic, J. A., T. He, T. F. Abdelzaher, M. Marley, G. Tao, S. H. Son and L. Cenyan (2001). Feedback control scheduling in distributed real-time systems.. In: IEEE RealTime Systems Symposium. Tzes, A., G. Nikolakopoulos and I. Koutroulis (2005). Development and experimental verification of a mobile client-client networked controlled system. European Journal of Control. Wittenmark, B., J, Nilsson and M. TSrngren. (1995). Timing problems in real-time control systems. In: Proceedings of the 1995 American Control Conference. Seattle,WA,USA. Zhai, G., H. Lin and P.J. Antsaklis (2003). Quadratic stabilizability of switched linear systems with polytopic uncertainties. Int.& Control 76, 747-753. Zhang, W., M.S. Branicky and S.M. Phillips (2001). Stability of networked control systerns. IEEE Control Systems Magazine.
1.3 0.27]
and K~-[
2
0.38 0.21]
which can be validated by (31) for the original system.
6. CONCLUSION This paper was dedicated to the robust control synthesis for continuous time switched systems relative to time varying feedback delays. The sampled version of the system has been considered and the control synthesis in this context has been treated as a problem of stabilizability for uncertain systems with polytopic uncertainties. A method for switched state feedback control synthesis has been presented. A numerical example has been presented to illustrate this approach.
REFERENCES ~rzen, K. E., A. Cervin, J, Eker and L. Sha (2000). An introduction to control. In: 39th IEEE Conference on Decision and Control. Sydney, Australia. ~strSm, K. J. and B. Wittenmark (1997). Computer-Controlled Systems. Prentice Hall. Buttazzo, G. (2002). Real-time operating systems: Problems and novel solutions. In: Proceedings of the 7th Int. Symposium on Formal Techniques in Real-Time and Fault Tolerant Systerns. Oldenburg, Germany. Daafouz, J., P. Riedinger and C. Iung (2002), Stability analysis and control synthesis for switched systems: A switched lyapunov function approach. IEEE Trans. Automat. Contr. 47, 1883-1887. Daafouz, J., P. Riedinger and C. Iung (2003). Observer-based switched control design with pole placement for discrete-time switched systerns. International Journal Of Hybrid Systern 3, 263-282. Hetel, L., j. Daafouz and C. Iung (2005). Stabilization of arbitrary switched linear systems with unknown time varying delays. Technical report, December.
340
Copyright © Analysis and Design of Hybrid Systems Alghero, Italy 2006
ELSEVIER
IFAC PUBLICATIONS
STABILIZING DYNAMIC CONTROLLER SWITCHED LINEAR SYSTEMS
OF
S a l i m C h a i b , 2' , A b d e r r a o u f B e n a l i * , D r i s s B o u t a t *, J e a n - P i e r r e B a r b o t **
* Laboratoire de Vision et Robotique, Ecole Nationale Supdrieure d'Ingdnieurs de Bourges, 10 Boulevard de Lahitolle, 18020 Bourges, France. ** Equipe Commande des Syst~mes, Ecole Nationale Supdrieure de l'Electronique et de ses Applications, 6 Avenue du Ponceau, 9501~ Cergy-Pontoise, France.
Abstract: This paper is devoted to the problem of design a dynamic controller of switched linear systems. In the first part of this paper, we give some remarks about the influences of switching signal on the asymptotic stability of switched systems. We give a practical example to generate a large class of switching signals. The second part is devoted to the switched dynamic controller design, based on a common Lyapunov function approach. A sufficient condition are formulated as an LMI problem for the switched controller design under arbitrary switching. A stabilizing switched controller with regional pole placements is also formulated as a convex problem, an LMI approach is used to derive the switched dynamic controller with performance limitations. Copyright © 2006 IFAC Keywords: Switched linear systems, Common Lyapunov function, Dynamic controller, LMI, Pole placements.
1. I N T R O D U C T I O N Switched systems are hybrid dynamical systems consisting of a family of continuous-time subsystems and a switching rule that orchestrates the switching among them. The primary motivation for studying switched systems in control theory comes partly from the fact that switched systerns have numerous applications in control of mechanical systems, process control, automotive industry, power systems, aircraft, traffic control, biology, network and many other fields [8], [9]. Stability of switched systems is not systematic s T h i s w o r k was s u p p o r t e d by " l a R6gion C e n t r e de France" u n d e r t h e g r a n t 2004 0472 A026. 2 C o r r e s p o n d i n g a u t h o r . Tel: + 3 3 2 48 48 40 98. F a x + 3 3 2 48 48 40 50. E - m a i l a d d r e s s : s a l i m . c h a i b @ e n s i - b o u r g e s . f r
and we can meet certain strange phenomena, even when all the subsystems are asymptotically stable. For example, the switched system can be unstable under certain switching signals [2], [11]. Thus, the stability of switched systems depends not only on the dynamics of each subsystem but also on the behavior of the switching signals. The common Lyapunov approach is one of the principal methods to study stability and design a controller of switched systems. This approach is based on the existence of a common quadratic Lyapunov function for all subsystems of the switched system. There have been various attempts to derive conditions for the existence of a common quadratic Lyapunov function. Under the asymptotic stability of each subsystem, a common Lyapunov function exists when the subsystems
341
matrices are pairwise commutative [13]. In [1], [10], the authors proposed a generalization of the commutativity notion, based on the solvability of the Lie algebra generated by the subsystems state matrices, i.e., state matrices are uppertriangularizable in the same reference frame. Note that many other results are based on the multiple Lyapunov (or like Lyapunov) functions approach [2], [5], [11]. In the context of switched systems with linear continuous-time subsystems, the issues of stabilization and control have been studied in many works [5], [11], [12], [14], [15], [16] and [17]. In this paper, we will focus on the study of a dynamic stabilization of switched linear systems. The paper is then organized as follows: In the next Section, we present some remarks on the influence of the switching signal on the stability of switched systems. In section III, a switched dynamic controller is studied based on an LMI approach. A dynamic switched controller with regional pole placements is investigated in section IV. Sufficient conditions for the existence of a dynamic switched controller with performance limitations are then given.
1 a2
0
10
15 Time
20
25
[s]
Fig, 1. The random signal used for the generation of c7(t) are separated by some dwell-time rD. Denote by P l the set of this class, TA1 = {(7 C ~ "
tk+l - - t k > TD}
(2)
Class 2. This class can be defined as P2={(TcQ
3T>0"VT>0,
3i>0
such that t i + i - r > _ t i _ > T }
(3)
This class includes the class for which the number of discontinuities of (7 in any interval of time is bounded [7] t-7-
:v.(t,~)_
vt_>~_0
TD
(4)
where N~(t, r) is the number of discontinuities of (7 in the open interval (r, t), r > is called the average dwell time and No the chatter bound. Class 3, This class is the class of all switching signals who dot not belong to P0, 7~1 or 7)2. This class contains the chattering and Zeno switching signals. We can write that
2. STABILITY U N D E R SOME S W I T C H I N G SIGNALS In this section, we are interested in switched linear systems of the form 2(t) -- A~(t)x(t)
5
"P1 C J)2 C J)3
(1)
(5)
Now, we give a procedure to generate each class of switching signals given above. Consider a random signal, with some sample time AT, and amplitude a c [-am, am]. Fig.1 shows an example of such signal. The three classes P l , P2, P3 can be generated for Q - {1, 2} as
where A~ c R ~×~, (7 c Q A { 1 , . . . , N } , x c R ~ and (7(0 • [0, ~ ) ~ Q is a piecewise constant switching signal. As mentioned in the introduction, the stability of switched systems are strongly related to the switching signal behavior, except in the case when all subsystems share the same Lyapunov function. Hereafter we will analyze the switched systems by using different class of switching signals. For this, we give four basic classes of switching signals, each class is characterized by some behavior, which can have a significant influence on the asymptotic stability of the switched system. These classes can be summarized by: Class O. This class contains all switching signals with a finite number of switchings. We denote this class by 7)o. Theoretically for this class, if all the subsystems are asymptotically stable, then at a certain finite time, the switched system evolves as only one subsystem. Therefore the switched system is asymptotically stable. The remaining classes considered in this paper are those containing an infinite number of switchings. Class 1. This class defines all switching signals for which anv consecutive switching times t~ and tk+~
(7 = 1 if [a _< - a i ] V [(-a~ < a < ai) A ((7- = 1)] (7 = 2 if [a _> a~] V [ ( - a t < a < ai) A ((7- = 2)]}
(6) where i = 1, 2, 3 and a3 < a2 < al < am are the parameters characterizing each class (see Fig.l), and (7- is the previous value of (7. The same procedure can be used for Q - {1, ..., N}, N > 2. We can also generate more complex classes by this procedure. Like a Zeno signal can be generated by setting
a~-
/
-c~t+~ift_<
0
~
if t > - ~ ' c ~ , / 3 > 0 (Y
(7)
for an analytic example see [7]. Now, we give some remarks about the stability
342
under these classes. For this, we limit our remarks to the case of a Lyapunov function equal to zTz. Rewrite each m a t r i x A~ as A~ - S~ + M~, where S~ and M~ are the symmetric and the skew-symmetric part of A~ respectively, given by S~ - ~*(A~ + A T ~) and M~ = I(A~ - A~). The following theorem is a sufficient condition for stability of the switched system (1). Theorem
1 --
i
................
g::
.................
i ..................
o
ii
i
........................................................
O.5
1'.5
.
4
xl
.
.
.
Fig. 2. Trajectory of the switched system under a switching signal of class 3. (7 C 793.
1. If the following conditions
i) S~ is semi negative for all cr C Q, ii) (S~, A~) is observable for all cr c Q,
1.2
hold, then the switched system (1) is globally uniformly stable under arbitrary switching. Moreover,
~i
0.8
0.6
-
~
....
i
iiii
iiii
ii
--0.2
0
i .........................................
iii) If or(t) C P2, then the switched system is
globally uniformly asymptotically stable.
--0.2 --0.4
--1.2
--1
--0.8
Pro@ The proof can be found in [4]. II C o r o l l a r y 1. 1) If the matrices A~ are Hurwitz, then the pair
(S~,A~) is observable, therefore condition ii) of theorem 1 is fulfilled. 2) If the symmetric part S~ is negative definite for all cr c Q, then the switched system is globally uniformly asymptotically stable under arbitrary switching, and condition iii) of theorem 1 can be relaxed. 3) If the linear algebra generated by {A~,A~} is solvable and A~ are Hurwitz, then S~ are negative definite, therefore the switched system (1) is globally uniformly asymptotically stable and condition iii) of theorem 1 can be relaxed. Example
--0.4
0.2
Fig. 3. Trajectory of the switched system under a switching signal of class 2, cr C 792. 1.2 . . . . . . . . . . . . . . . . . . . . . . . . . . .
-o.6
....
.........
~...............................................
; ................. _. . . .
~
i ...........................
-oi. . . . . x l
i '
..................
-o12
'
o.2
Fig. 4. Trajectory of the switched system under a switching signal of class 1. cr E 791. asymptotically- stable. However the convergence is faster t h a n situation b).
1. Consider the switched system 2 -
A~(t)z, with A1 -
--0.6 xl
0 -1 1-2
'
A2-
71 J 2
(8)
The symmetric part of the matrices A~, cr = 1, 2 are given by &
_
&
This example confirms t h a t the asymptotic stability depends critically- on the class of switching signals considered. In the sequel, the stability based on the common Lyapunov function will be used to design a stabilizing dynamic controller of switched linear systems.
_oo]r_ /o
which are semi-negative definite. Condition i) and ii) of t h e o r e m 1 are satisfied, then the switched system is globally uniformly stable. Now we present some situations in which the switched system can be stable or asymptotically stable dep e n d i n g on condition iii) of theorem 1.
3. S W I T C H E D D Y N A M I C C O N T R O L L E R Consider the continuous-time switched linear syst e m described by
~(~)- A~(n~(~ ) + B~(n~(t),
a) We use a switching signal of class 3. As stated
y(t) -C~(t)x(t),
in theorem i, in Fig.2, the switched system is stable but does not converge to zero (see [7] for an analytic proof). b) We use a switching signal or(t) C 792. In Fig.3 the switched system is asymptotically stable as mentioned in iii) of theorem 1. c) In the third case, we use a switching signal of class 1. Fig.4 shows t h a t the switched system is
a(t) : R + - + Q ,
(10) Q:={1,...,N}.
where x(t) C R ~ is the continuous state, u(t) C R ~ is the control input, y(t) C R ny is the output, or(t) is the switching signal, and A~ c R ~×'~, B~ c R '~×~~, C~ c R ~y × ~ are t h e subsystem matrices. We assume t h a t the switching signal or(t) is available in real time. In this section, we search a dy-
343
This dual inequality is an equivalent condition for quadratic stability. Now, consider that there exists a symmetric matrix P > 0, such that (19) holds. Define P and its inverse as
namic stabilizing controller having the following state representation
{ ~c(t) - ~¢.(,)*c(t) + u(t)
~.(,)v(t) %(t)Xc(t) + ~.(t)y(t)
~(t) ~ ~, ~(o)
(11)
~o
I A~5 + 5A r
i
(~i
:-
(~2
(20)
Q~ Qa
12.(1, 1) 12.(1, 2) ] 12.(2.1) 12.(2.2). < 0
12"
(21)
where 12.(1.1)
~T~T A.P~ + P~A~ + p 1,J. :~. B .T q_p,2Tc~T ~ . B T. + B . ~ . C . P I
v~(1, 2) - A~P[ + B ~ C ~ t
+r 4~
+ B.~.P2 "r + B ~ % t ' ,
+P~r~BT + P~df <0,
AT + C .TF ~ 1T B .T
Q I A . + A.Q~ T
+~
+ ~ c ~ + o T~ F 3T
L
p '
The development of (19) gives
A~ + ~r~c~
+.. r: + r: ~.:
P1 pT P2 Pa
p.
where x~(t) ¢ / ~ is the state of the controller, ag. ~ R ~cx~c, ~ ' . ~ R ~ c x ~ , % ~ R ~ x ~ and _@. c R ~ x ~ , cr ~ (2 are the state parameters of the switched dynamic controller. A sufficient conditions for the existence of the stabilizing controller of the form (11) are provided by the following theorem. T h e o r e m 2. If there exist matrices P~,Q~, (F 1, F 2, F 3, F 4 ) . , (7 ~ Q, and matrices P2, Pa, Q2 such that the following LMIs/equation
(12)
F.(2, 1)
2o-Co-P~ + ago-P2 + P2A T
v.(2.2)
~ . c . t ,r + w.t.~ +
P~rsr
(13) and
;~Pf
Pa
>0
We show well that 12, with the parameters defined in the above equations, is not affine in the variables P1, P2, Pa and (ag, ~', ~ , _@),, then 12, < 0 is not a convex problem. For this we must transform (21) to an affine form in synthesis variables. First, we apply to (21) a transformation, (21) is equivalent to
(14)
hold, then the dynamic controller (11), with the parameters (sg, ~ , g?, ~ ) . given by
1( [ .
O~ Q~B~ 0
I
C
q_ [QIA.P10 00
12.
C.)91 I
(I)TV.(I) < 0
(22)
,FT A ~IP ,F + ¢pT p A ~IT ,F < 0 and ,FT A~zP,F, ~ r pAcl:r ~ _ indirectly affine (P1
P2. Pa. do-. ~.. %. -@o-)
p~ p r
P2Pa
0 ~
where • is a matrix transformation to be determined, such that
(15)
ensures the asymptotic stability of the closed loop switched system under arbitrary switching, and all closed loop subsystems share the common Lyapunov function V(2) = 2 r P - ~ 2 , P :=
[
<
'
Define the matrix transformation • as
Proof. The closed loop switched system is given by ~(t) - A.(t)x(t), d ~(0) - Xo (16) with
~P:=
0
2
P20
where I is the identity matrix. Define the following change of variables
~.C.
sO.
; 2 :=
xc
(17) a sufficient condition for quadratic stability of (16) under arbitrary switching is the existence of a common Lyapunov function V(~) = 2 r w 2 , such that
W = W r > O, W A ~ I + A f r W
(24)
l : = ~o-,
(26) FO :~ O 2 d , P2 + Q~A.P~ + Q2Wo-Co-P1
< O, crc Q (18)
(27)
Multiplying the second inequality in (18) on the left and right by W -~, and defining a new variable P = W -1, we may rewrite (18) as
by this change of variables, ,~TA~ZP,~, ,~r pA~zr,~ become
p -- p T > o ,
12.:= Ad. P + P A dT <0,
~ T A c l p ~ _ I A~PI +4B~F
cr c (19)
344
Ao- + B~F~C~ + Fa~C~
Im A T + c a T F I~T B T ~
AT ~ + ~ c T p 3T
F~, P1, Q1 and the nonlinear inequality of the synthesis variables P1,P~,P3 and ( ~ , ~ , ~ , ~ ) ~ can be transformed to an LMI form, with F~, F~, F2, F 2, P1 and Q1 as variables of the LMI. Then the problem which consists to find s~¢~,~ , ~ , ~ is transformed to an LMI problem, which consists to compute the variables F~, F~, F2, F 2, P1, Q1. These LMIs are given by
I
A~P1 + P1A~ 2T T
A~ + B~F~C~ , F4T
Re p.
L-~
Fig.
5. Circular region ~ ( f ~ , r a )
and the closed loop switched system stability is ensured by the common Lyapunov function V(x) xTp-lx.
<0,
L AT
@O
~T Fj1T B~T +r 4
Q~A~ + J~T Q1 + r2 + < T r ;3T
4. DYNAMIC SWITCHED CONTROLLER WITH REGIONAL POLE PLACEMENTS
(28) the change of variables (24)-(27) can be putted in the compact form
-
0
~
~ ~
c~P1
+ [ 01]
(29)
The goal of this section is to combine the first result of theorem 2 and pole placements, our objective consists then to determine a stabilizing dynamic switched controller of the switched system with some constraint specifications on the poles of the closed loop system, which is defined previously as
LMI (28) do not depend on P2, Q2, but these two variables appear in (29), then these variables are necessary to compute the switched controller parameters (~{~, ~ , % , ~ ) . For this the variables P2 and Q2 should be computed a posteriori. Given matrices QI > 0 and PI > 0, the matrices P2 > 0 and Q2 > 0 must be computed from 13, and finally the dynamic switched controller gains are computed using (15). | R e m a r k 1. If dim x = dim Xc, i.e., the controller has the same order of the plant, then P2, Q2 are square and nonsingular matrices. Thus the controller parameters can be calculated by the equation
z~ - O~] ~ - I-O[~O;l om ~ [F4-Q2A~P1
1B~
A ~ :=
The first objective is then to place the poles of the closed loop switched system inside a circular region ~ ( f ~ , r ~ ) in the complex plane, with a center at ( - f ~ , 0 ) , radius r~ < f~, ~ c Q, and distance ( f ~ - r~) from the imaginary axis. Fig.5 shows the circular region ~ ( f ~ , r~) for pole location. The full problem can then be formulated as
subject to:
]
F~] [ rJ -c sp -i P2--1
0
The asymptotic stability of A d is ensured by the existence of a common Lyapunov function V(2) = 2 T w 2 , W = W T > 0. The problem concerning the eigenvalues of A d is resolved as : In [6] a necessary and sufficient condition assuring that all eigenvalues of a given matrix A~Zlie inside a circular region ~ ( f ~ , r ~ ) is provided by the existence of a symmetric positive definite matrix P such that
[Af + (f~ - r~)I]P + P [ A f + (f~ - r~)I] T
where P is a symmetric positive definite matrix. The switched static controller gains K~, for cr C Q are given by -
X ~ P -1, o- c Q
H~
eigenvalues(A~l) c ~ ( f ~ , r~)
C o r o l l a r y 2. In the case of a switched static controller of the form u(t) = K~(t)x(t), where K~, for cr C Q are the controller gains. Assume that x(t) is available, the conditions in theorem 1 are reduced to the LMI with X~ as variables of synthesis
K~
~C~
1
+ - - [ A ~ 1 + (f~ - r~)I]P[A d + (f~ - r~)I] T < 0 rcr
(33)
(31)
345
Theorem 3. I f there exist matrices P1, Q1, ( F 1, F2~ F 3, F4)c~, (7 e Q, and matrices P2, P3, Q2
to show t h a t s t a b i l i t y d e p e n d s c r i t i c a l l y on t h e b e h a v i o r of t h e s w i t c h i n g signal. T h e p r o b l e m of s y n t h e s i s of a s w i t c h e d d y n a m i c c o n t r o l l e r has been addressed t h r o u g h LMI approach. A generali z a t i o n of this r e s u l t is given, c o n s i s t i n g to r e g i o n a l pole p l a c e m e n t s , a n L M I f o r m u l a t i o n is also given.
such that the following L M I s / e q u a t i o n 611 612 613 621 622 62; 61T3 6T3 -- r ; t91
I
61T4 62T4 - r a _ /
614 1 624 < O, -- for I -rae
(34)
1
Q1/91 ~- P 2 Q T -- I,
REFERENCES
(35)
[1] A. A. Agrachev and D. Liberzon, "Lie-algebraic stability criteria for switched systems". SIAM J. Control Optim., vol. 40, pp. 253-270, 2001. [2] M. S. Branicky, "Multiple Lyapunov functions and other analysis tools for switched and hybrid systems". IEEE Trans. AC. vol. 43. no. 4. pp. 475-482. 1998. [3] S.Boyd, L.EI Ghaoui. E.Feron. V.Balakrishnan, "Linear Matrix Inequalities in System and Control Theory", SIAM. Philadelphia, 1994. [4] S. Chaib. D. Boutat. A. Benali. J. P. Barbot, "Observer Design of Switched Linear Systems", submited to Journal of Nonlinear Analysis : Hybrid Systems and Applications. [5] R. A. Decarlo, M. S. Branicky, S. Pettersson. and B. Lennartson, "Perspectives and results on the stability and stabilizability of hybrid systems". Proceedings of the IEEE. Special issue on Hybrid Systems. P. J. Antsaklis Ed.. vol. 88. no. 7. pp. 1069-1082. 2000. [6] W.M. Haddad. D.S. Bernstein. "Controller design with regional pole constraints". IEEE Trans. Automat. Contr. vol. 37. no. 1. pp. 54-69. 1992. [7] J. Hespanha. "Uniform Stability of Switched Linear Systems: Extensions of LaSalle's Invariance Principle". IEEE Trans. on Automat. Contr.. vol. 49. no. 4. pp. 470-482. Apr. 2004. [8] J. Hespanha, Stochastic hybrid modeling of on-of TCP flows. In proceedings of Hybrid Systems, Computation Control. 2004. [9] H. de Jong, G. J.. C. Hernandez. M. Page, T. Sari, and J. Geiselmann. "Qualitative simulation of genetic regulatory networks using piecewise-linear models". Bulletin of Mathematical Biology, vol.66 pp. 301-340. 2004. [10] D. Liberzon, J. P. Hespanha and A. S. Morse, "Stability of switched linear systems: A Lie-algebraic condition". Syst. Contr. Lett.. vol. 37, no. 3, pp. 117-122, 1999. [11] D. Liberzon and A. S. Morse. "Basic problems in stability and design of switched systems". IEEE Contr. Syst. Magazine, vol. 19, no. 5. pp. 59-70, 1999. [12] V.F. Montagner, V. J. S. Leite. R.C.L.F. Olineira, P.L.D. Pers, "State feedback control of switched linear systems : an LMI approach", Journal of Computational and Applied Mathematics. article in press, 2005. [13] K. S. Narendra and J. Balakrishnan, "A common Lyapunov function for stable LTI systems with commuting A-matrices". IEEE Trans. AC, vol. 39, no. 12, pp. 24692471. 1994. [14] A.V. Savkin, E. Skafidas. R.J. Evans. "Robust output feedback stabilizability via controller switching", Automatica, vol. 35. no. 1. pp. 69-74, 1999. [15] F. M. PaR and A. S. Morse. "A cyclic switching strategy for parameter adaptive control", IEEE Trans. Automat. Contr.. vol. 39. pp. 1172-1183. June 1994. [16] G. Zhai, B. Hu. K. Yasuda. and A. N. Michel. "Qualitative analysis of discrete-time switched systems," in Proc. 2002 American Contr. Conf., vol. 3. pp. 1880-1885, 2002. [17] G.S. Zhai. H. Lin. P.J. Antsaklis. "Quadratic stabilizability of switched linear systems with polytopic uncertainties", Internat. J. Control, vol. 76. no. 7. pp. 747-753. 2003.
hold, where
= A P1 + +2(L
2T
+ PlAY +
<
T
- r~)P1
e12 = A~ + B~FI~C~ + F 4T + 2(f~ - r ~ ) I
613 = A~P1 + B~F~ + (f~ - r~)P1 614 = A~ + B ~ F J C ~ + (f~ - r ~ ) I
TFITBT 622 = Q 1 J a
T
cTp3T
-+- F3 Ca -}- J a Q1 -}- ~ cr - cr
+ 2 ( f ~ -- r~)Q1
624 = QiAcr -~- F2Ccr -~- (f~ -- rot)Q1
then the dynamic controller (11), with the parameters ( d , ~ , ~ , ~ ) ~ given by (15), is a stabilizing controller for (10), and the stability of the closed loop switched system is ensured by the c o m m o n Lyapunov function V ( 2 ) = x T p - l x , where P is defined as in theorem 2. Pro@ If t h e r e exists a m a t r i x t r a n s f o r m a t i o n (P w h i c h will be d e t e r m i n e d , such t h a t [A~1 + (f~ - r~)I]P, P[A~ 1 + (f~ - r~)I] T a n d r ~ P c a n be t r a n s f o r m e d to a n affine f o r m of all t h e v a r i a b l e s s y n t h e s i s like ( d ~ , ~ , ~ , _ ~ ) . Then the Schur c o m p l e m e n t c a n be a p p l i e d to n o n l i n e a r e q u a t i o n (33), w h i c h is e q u i v a l e n t by u s i n g t h e Schur c o m p l e m e n t to CZp + P A c ~ + 2 ( f ~ - ~ ) P
[A
PA clT -}- (for -- ?'(7)P
ACZp + (f~ - ~ ) P
--?'orP
<0
(36) Define p , p - 1 a n d t h e t r a n s f o r m a t i o n (I)as in (20) a n d (23), a n d define t h e t r a n s f o r m a t i o n ~ : = d i a g ( ~ , ~ ) . A p p l y this t r a n s f o r m a t i o n to (36), we o b t a i n (34), w h i c h is a n L M I of t h e variables s y n t h e s i s F~l, F ~ , F ~ , F J , P1, Q1, w h e r e ( F 1, F 2, F a, F4)cr are t h e c h a n g e of v a r i a b l e s defined as in (24)-(27). |
5. C O N C L U D I N G
REMARKS
T h e p r o b l e m r e l a t e d to t h e influence of s w i t c h i n g signal on t h e a s y m p t o t i c s t a b i l i t y of s w i t c h e d syst e m is i n v e s t i g a t e d in t h e first p a r t of this p a p e r , some r e m a r k s are driven, b a s e d on i d e n t i t y Lyap u n o v f u n c t i o n , a n i l l u s t r a t i v e e x a m p l e is given,
346
Copyright © Analysis and Design of Hybrid Systems Alghero, Italy 2006
ELSEVIER
IFAC PUBLICATIONS
DYNAMIC OUTPUT FEEDBACK STABILIZATION OF CONTINUOUS-TIME SWITCHED SYSTEMS J o s 6 C. G e r o m e l # a n d P a t r i z i o C o l a n e r i *
# D S C E / School of Electrical and Computer Engineering UNICAMP, CP 6101, 13081 - 970, Campinas, SP, Brazil, geromel@dsce, fee. unicamp, br * Politecnico di Milano Dipartimento di Elettronica e Informazione Piazza Leonardo da Vinci 32, 20133 Milano (Italy) colaneri @elet.polimi. it
Abstract: This paper considers the closed-loop stabilization problem for continuous time linear switched system. The state variables are assumed to be not accessible so that the feedback strategy hinges on given output variables. The solution of this problem is based on the solution of suitable matrix inequalities for the construction of a full order switched filter and the derivation of the stabilization rule. The main theoretical basis is constituted by the so-called Lyapunov-Metzler inequalities which play a prominent role in the state-feedback stabilization of linear switched systems. Being nonconvex, a more conservative version of the inequalities, expressed in terms of linear matrix inequalities (LMI) plus a line search is given. The theoretical results are illustrated by means of an academic example.
Copyright © 2006 IFAC Keywords: Switched systems, Output Feedback, Linear Matrix Inequalities.
1. I N T R O D U C T I O N This paper considers a switched linear system of the following general form
de(t)
A ~ ( t ) x ( t ) , z(O) - zo
(1)
y(t)
C~(~)~(t)
(2)
defined for all t > 0 where x(t) c IR~ is the state, x0 is the initial condition, y(t) c R p is the measurement vector and or(t) C { 1 , 2 , . . . , N } is the switching rule. Assuming that the two sets of matrices Ai c R~×~,i- 1,...,NandCicR p×~,i-1,...,N are given, we want to tackle the problem of finding a switching rule or(t) depending on the measurements y(.) in such a way t h a t the closed-
loop switched system is globally asymptotically stable. The stability of continuous time linear switched systems have been addressed by many authors, (Branicky, 1998), (Hockerman et al., 1998), (Johansson et al., 1998), (Ye et al., 1998) and (Hespanha, 2004), where the interested reader can find an interesting discussion on a collection of results on uniform stability of switched systems. However, very little attention has been devoted to the design of output feedback control stabilizing laws. See (Liberzon, 2003) for a rather complete review of stability of continuous time linear switched systerns where special attention is given to the case of switching between two linear systems. The same reference also provides a discussion on hybrid feedback based on output measurements which,
347
known that the eigenvector associated to the null eigenvalue of H is non-negative yielding the conclusion that there exists A~ > 0 with cIAoo = 1 such that HAoo = 0. The following result holds.
in our opinion, can not be directly generalized to cope with the problem to be stated afterwards. In this paper a novel approach is pursued, which is inherited by the recent results obtained for the related state-feedback stabilization problem via the so-called Lyapunov-Metzler inequalities. Precisely, the solution involves a set of symmetric and positive matrices {Z1,.-. , Z N } , a Metzler matrix H, a positive matrix X and extra variables { L 1 , . . . , L x } . Being the solution of non-convex nature a more conservative but easier to solve asymptotic stability condition is proposed. This condition is expressed in terms of linear matrix inequalities plus a line search, every LMI being solvable in polynomial time, (Boyd et al., 1994).
Lemma 1. Let Qi _> 0, i = 1 , 2 , . . . , N , be given. Assume that there exist a set of positive definite matrices { P I , . . . , P x } and H C Ad satisfying the Lyapunov-Metzler inequalities N
A~Pi + PiAi + ~
u(x(t)) - arg
rain i=1,... ,N
x(t)Pix(t)
makes the equilibrium solution x = globally asymptotically stable and
x(t)IQ~(t)x(t)dt <_ rain
i = 1 .... , N
(7) 0 of (1)
ip x 0 ~x0
(8)
The result above is important in that it also includes the stability of possible sliding modes. However the numerical determination, if any, of a solution of the Lyapunov-Metzler inequalities with respect to the variables (H, { P I , " " ,PN}) is not a simple task due to the non-convex nature inherited by the products of variables. Hence, a simpler, although more conservative stability condition can be expressed by means of LMIs being thus solvable by the available machinery plus a line search. The next theorem shows that working with a subclass of Metzler matrices, with the same diagonal elements, this goal is accomplished.
2. S T A T E - F E E D B A C K In this section we resume some recent results for the state-feedback stabilization of switched systems, that form the basis for the subsequent achievements on dynamic output feedback. For more information and detailed proofs, the reader is requested to see the reference (Geromel et al., 2005). Precisely, consider the continuous-time linear switched system
Lemma 2. Let Qi >__ 0, i = 1 , 2 , . . - , N , be given. Assume that there exist a set of positive definite matrices {P1," "" , PN} and a scalar 7 > 0 satisfying the modified Lyapunov-Metzler inequalities
(3)
Alip~ + P~A~ + 7(Pj - P ~ ) + Q~ < 0
where all symbols have already been defined earlier. Assume that the state-variable is accessible for feedback. The goal is to determine the function u ( . ) : IR~ -+ { 1 , . . . , N}, such that -
(6)
for i = 1 , . . . , N. The state switching control (4) with
The notation used throughout is standard. Capital letters denote matrices, small letters denote vectors and small Greek letters denote scalars. For matrices or vectors (i) indicates transpose. For symmetric matrices, X > 0 (> 0) indicates that X is positive definite (nonnegative definite). For square matrices trace(X) denotes the trace function of X being equal to the sum of its eigenvalues. The sets of real and natural numbers are denoted by R and N respectively. The £2 norm of x(t) C IR~ defined for a l l t > 0 e q u a l s x(t) 22f o x(t)'x(t)dt, see (Colaneri et al., 1997) for details.
it(t) - A~(t)x(t) , x(O) - xo
7rjiPj + Qi < 0
j=l
(9)
for all j ~ i = 1 , . . . , N . The state switching control ( 4 ) w i t h u(x(t)) given by ( 7 ) m a k e s the equilibrium solution x = 0 of (1) globally asymptotically stable and
(n)
N
f0
makes the equilibrium point x - 0 of (1) asymptotically stable. Before we proceed, let us recall the class of Metzler matrices denoted by 54 and constituted by all matrices H C R N×N with elements 7r~j, such that
-
(10)
i=1
Remark 1. The L y a p u n o v - Metzler inequalities have been introduced in order to study the MeanSquare (MS) stability of Markov J u m p Linear Systems (MJLS), where matrix H C Ad is given and H I represents the infinitesimal transition matrix of a Markov chain or(t) governing the dynamic system (1). In this respect the vector of probabilities hi(t) to be in the i - th logical state at any time t _> 0 obeys the differential equation
N
i--=1
It is clear that any H C 54 presents an eigenvalue at the origin of the complex plane since cIH - 0 where c I - [1 ... 1]. In addition, it is well
348
~(t) -- H,~(t) with initial probability vector ,~0. Hence, ,~oo represents the stationary probability vector. The stochastic system is MS-stable if and only if there exist a set of positive definite matrices {Ps, • • • , PN } satisfying the Lyapunov-Metzler inequalities (6), see (Fang et al., 2002).
3. O U T P U T - F E E D B A C K This section contains the new results relative to the output feedback case. Given the measurements y(t) C~(t)x(t) (11) our main result consists on the determination of a switching rule of the form
or(t)
u(y(.))
(12)
such that the closed-loop system is asymptotically stable. The function u(.) is indeed a functional of y(.) in the sense that y(t) is viewed as the input of a switched filter that rules out the change of the switching index. To this end, let us introduce the full order switched filter
)(t)
~i.(~)~(t) + B.(~)~(t), ~(0)
~0
(13)
where (A/,/)/), i 1, 2 , . . . , N are matrices to be determined. Putting (13) and (1), (2)together we obtain
) ( t ) - &(~)e(t), ~ ( o ) - ~o where ~ ' - I x '
(14)
The following result is a direct consequence of Lemma 1 applied to the composite switched system (14).
Lemma 3. Let Q / > 0, i - 1, 2 , . . . , N , be given. Assume that there exist a set of positive definite matrices {/51,...,/5N} where each t5/ is of the form (16), a s e t of matrices { A 1 , " " ,AN}, a s e t of matrices { / ) s , ' " " , / ) N } and a Metzler matrix H C M satisfying the Lyapunov-Metzler inequalities N
A~P~ + P~& + Z ~J~P5 + c)~ < o
(20)
j-1 for i -- 1 , . . . , N . The output switching control (12) with u(y(.)) given by (18) makes the equilibrium solution x - 0 of (1) globally asymptotically stable and
/
~ x(t)t Qc~(t)x(t)dt <
rain
2;/5/2 0
(21)
i--1,..-,N
The main problem underlying inequality (20) is that the unknowns of the filter and t5/ appear in a nonlinear form. Hence, we try to simplify the inequalities by introducing the square matrices 2~/
II] F/ 0
(22)
where F/ for i - 1,.-. , N are suitable extra variables to be determined in order to simplify the problem. To this end, notice that
~'] and
T:P/A/T/
[ A/ 0
~/_
[Nls N12 N22
(23)
where Therefore the solution of our problem requires the determination of the switched filter matrices A/ and B/ and of a switching rule such such that the enlarged switched system is asymptotically stable. However, in doing so, only switching rules that depends exclusively on 2(.) are permitted. In order to apply the results of the previous section, we limit the structure of the Lyapunov function so as to structurally incorporate switching rules that depends only on 2(.), Therefore, let ' 2/
'
detV¢0
]Vll
=
Xl 2
z
(X -@r'~V')A~ + (V + r'~2~)(&G + A~r~) (X -@r'~V')A~ + (V + r'~2~)f~G
N 2 1 - X A / + VB/C/ + VA/F/ N22 - XA~ + VB~G Therefore, a sensible choice of Fi is F / = - J ~ i - l V ! which, by redefining the unknowns as ! ! z ~ - x + r~v
(16)
~ - -vA~r~ - vA~v -~(x - z~)
and notice that
Hence, to solve the problem under consideration, we need to find a stabilizing rule of the form
u(y(.)) = arg
rain
/=1,.-. , f
2(t)X/2(f)
0 0j
(26)
for all i - 1 , . . . , N leads to the conclusion that the matrix blocks of (23) can alternatively be written as
(18)
Nls = ZiAi
Finally consider positive semidefinite matrices Q/ of compatible dimensions and let
©~_ @ 0]
(24)
(19)
349
(27)
N12 = ZiA/
(28)
N2s = X A / + L/C/ - M~
(29)
N22 = X A / + L/C/
(30)
and, in addition, simple algebraic calculations put in evidence that
' [Q~ Q~] T:P~T~T~Q~T~ - Oi Qi '
Z~ Z~ zi x
(31)
The importance of the transformation matrices Ti introduced before is apparent since, as indicated in (31), the product ~ / 5 ~i is linearized and the product T'Pj T~ for j ¢ i can be expressed in terms of LMIs. Indeed,
~;~
Proof." Assume first that inequalities (32)-(35) are satisfied and consider the partitioned matrix (23) whose blocks, from the definitions (24) to (26) together with F~ - - x - ~i v I , are written as (27)-(30). Consequently, our main purpose is to investigate the structure of the following symmetric matrix expression
(
s~ .= ~'~ A'~ + ~
[ z~ z~ ~+~z~x
_ [z~ + r;(2~ - £ ) r ~ z~ L
+ O~ ~
j=l
and show that & < 0 for some choice of the filter matrices. Letting Sss, Se~ and See the three characterizing blocks of &, it follows that
: ~,(b~ _ b~)~ + ~ ; ~
_ ~, o o - ~ o2~-£
)
+ ~ ~~
z~
N
x j-1
_ [ z~ + (z~ - z~)(X-z~ z~)-~(z~ - z~) Z~
S e s - A'iZi + XAi + L~Ci - Mi + Q~ See A~X + XA~ + L~C~ + C~L'~ + Q~
which calculated for all i, j = 1,... , N imply that
where
~j - z~ + (z~ N
~~
z~ + (z~
z~)(x
j-1
0
B~sed on these calculations, we are now in position to provide the main result of the paper.
Theorem 1. Let Qi ~_ O, i 1, 2 , . . . , N be given. There exist matrices A~ and B~, i - 1, 2 , . . . , N for which inequalities (20) are satisfied for some positive definite matrices Pi of the form (16) if and only if there exist a Metzler matrix II, a positive definite matrix X, a set of positive matrices Z~, a set of positive matrices R 0 and a set of matrices L~ for all i, j 1, 2 , - . . , N, such that the following matrix inequalities ^
z~) ~(z~
z~)
The filter matrix/}i directly follows from equation (25), where V is a selected nonsingular matrix. Notice now that See < 0 in view of (33). Notice also that assumptions (34) and (35) imply Rij > YO and R~ < Y~, so that Sss < 0. Finally, take the filter matrix A~ such that M~ A{ Z~ + XA~ + LeCe ÷ Q~ which implies $2~ - 0. In conclusion, from (25) and (26), the filter matrices are
z~) ~(z~ - z~) o 0
z~)(x
~,
/~i
A ~ - V sM~(X
(38)
Zi) SV
(39)
V S(A'iZi + X A i + LiCi + Qi)(X
Zi) XV
and /5i as in (16) with )(i V'(X Zi) sV. Viceversa, assume that inequalities (20) holds for some _A~, /3i and /5i as in (16). Then, apply the state-space transformation (22) with Fi ) ( i - i V ~ and consider the expressions (24)-(30). Hence Si < 0 and the filter matrices are
N
A'iZi + ZiAi + E rcjilgij + Qi < 0
V SL~
(32)
j--1
A~X + XA~ + C~L'~ + L~C~ + Q~ < 0 (33)
/~
V ZLi
R~ < Z~
A~
y ~M~(x
z~
(34)
i#j
>0,
z~ x - z ~
(35)
• ^ / X arg minx(t)V (
$
oo x(t,)l Qcr(t)x(t)dt, <
(41)
~o~gh. From th~ (34) ,~d (35) ,r~ ~ , t ~ d .
Zi) SV2(t) (36)
Finally, assume that (32)-(35) are satisfied, and recall Lemma 3. Therefore, from Xi V'(X Zi) sV, it follows that the output switching con^
where V is an arbitrary nonsingular matrix, makes the equilibrium solution x 0 of (1) globally asymptotically stable and
f
z~) ~v
In conclusion, condition (33) coincides with $22 < 0, and (32) comes from 5'xs < 0 by letting R O Yo+cI, i-CJ andRi~-Zi-~I, forc>0small
hold. Finally, assume that (32)-(35) are satisfied. The output switching control (12) defined by
u(y(.))
(40)
mi~ ~ P ~ 0
i-1,....N
tro~ (12) with ~(y(.)) g~v~n by (36) m , k ~ th~ equilibrium solution x 0 of (1) globally asymptotically stable and (37) is satisfied. []
(37)
350
The conclusion is that if there exist N gains that make the filter quadratically stable, see equation (44), then the usual solution to the MetzlerLyapunov inequality (state feedback, equation (43)) provides a stabilizing switching rule. It is important to keep in mind that if we want to determine a good switching strategy by minimizing a guaranteed quadratic cost then this solution although stabilizing is not the best that can be done. Moreover, it should be noticed that the output feedback strategies invoked by the theorems presented so far require the existence of a state-observer injection matrices Li X 1Li, i - 1 , . . . , N that render the set of matrices Ai + LiC~ quadratically stable (see e.g. equation (33)).
It is important to stress the fact that formulas (40) and (41) provide a parametrization of all filters (13) for which (20) is satisfied with/5i as in (16). In order to provide less stringent conditions, the equality Mi - A ~ Z i + X A i + L ~ C ~ + @ has been set in the proof of the sufficient part of the theorem so as to put to zero the off-diagonal block entries of S~. The structure of the full-order filter is not in the observer form, i.e. Ai # Ai /)iCi. To recover this condition, an additional constraint, unfortunately non linear, has to be added, namely (the simple check is left to the reader)
M{ - ( V A {
- L{C{)V ~(X
Z{)
- A~Zi + X A i + L{Ci + Qi
Remark 2. There is no difficulty to get the versions of Theorem 1 and Theorem 2 associated to the modified Lyapunov-Metzler inequalities appearing in Lemma 2. The BMIs are replaced by LMIs with an additional parameter that can be determined by line search. The results follow the same pattern of each mentioned theorem, being thus omitted.
(42)
A notable exception can be devised by letting Q{ 0, so overlooking the guaranteed cost property (37). Indeed, in this case, we have the following result.
Theorem 2. Assume that there exist a Metzler matrix II, a positive definite matrix X, a set of positive matrices Li and a set of positive matrices Zi for all i - 1, 2 , . . . , N, such that the following matrix inequalities are satisfied:
The next example illustrates some aspects of the theoretical results obtained so far. Consider the system (1) with N - 2 and matrices {A1,A2} given by
N
A'iZi + ZiA{ + E 70iZJ < 0 j-1
(43)
A'iX + X A i + C;'L'i + LiCi < 0
(44)
which, as it can be easily verified by inspection, are both unstable. Setting Q - I our goal is to design an output feedback stabilizing control which minimizes the quadratic cost on the left hand side of (37). Considering the filter initial condition 2(0) - O, it is readily seen that
Then, the switching rule
u(y(.)) -- arg m)n2(t)Zi2(t)
(45)
$
makes the equilibrium solution x - 0 of (1) globally asymptotically stable where 2 satisfies the differential equation of the filter (13) in observer form with
Bi
-
-
B~C~
~ • (t)'O~(~)~(t)~t < ~o' x ~o
(47) n
P r o o f : The proof relies to Theorem 1, by letting Zi --~ cZi with e > 0 arbitrarily small and V - X . Indeed, notice that the condition (42) for the filter to be in observer form is satisfied for c going to zero and that
20 20
r a i n { t r a c e ( X ) , (32)
(50)
(35)}
(51)
which means that the minimum guaranteed cost (49) is calculated with x0 being a random variable with zero mean and unitary covariance matrix. The optimal solution provided the minimum guaranteed cost trace(X) ~ 338.04. The associated matrix variables and the choice V - - X allow the determination of the stabilizing output feedback switching rule or(t) - u(y(.)) given by (36) as well as the switching filter (13).
$
X-1)-l)~(t)
$
arg min2(t)eZi2(t ) ~ arg m i n 2 ( t ) Z i 2 ( t ) $
20 20
matrices X, Z 1 , . . . ,ZN and L 1 , - . - , L N have been determined from the solution of the convex programming problem
arg m i n ~ ( t ) V ' ( X - c Z i ) - l V ~ ( t ) arg m ! n ~ ( t ) ( X ÷ ( U 1 / c -
(49)
whenever the switching rule satisfies the conditions provided by Theorem 1. Setting
(46)
-X-1Li
A i - A~
f
$
holds.
351
so called Lyapunov-Metzler inequalities have a feasible solution. In a precise case, identifying in the paper, the switching filters are of the form of classical observers. Special attention has been devoted towards the numerical solvability of the design problems by means of methods based on linear matrix inequalities. There are several points that deserve further investigation. Among them, it is important to mention the possible introduction of robustness issues against parameter uncertainty as considered, for instance, in (Geromel et al., 1991) appearing in the system and filters parameters. The example showed that the switching rule is particulary sensitive to parameter uncertainty which may in particular cases lead to instability of the closed loop system.
0.9 0.8 0.7 0.6 0.5 0.4
o,IiI~
0.2 I 0.1
0
015
i
115
;
215
315
4
Fig. 1. Time simulation- first state variable
15
REFERENCES
-0.5
~
-1
.
S. P. Boyd, L. E1 Ghaoui, E. Feron and V. Balakrishnan (1994). Linear Matrix Inequalities in System and Control Theory, SIAM, Philadelphia, 1994. M. S. Branicky (1998). Multiple Lyapunov functions and other analysis tools for switched and hybrid systems. IEEE Trans. Automat. Contr., vol. 43, pp. 475 482. P. Colaneri, J. C. Geromel, and A. Locatelli (1997). Control Theory and Design- An RH2 and RHoo viewpoint, Academic Press. Y. Fang, and K. A. Loparo (2002). Stabilization of continuous-time jump linear systems, IEEE Trans. Automat. Contr., vol. 47, pp. 1590 1603. J. C. Geromel, P. L. D. Peres, and J. Bernussou (1991). On a convex parameter space method for linear control design of uncertain systems, S I A M J. Control Optirn., vol. 29, pp. 381 402. J. C. Geromel, and P. Colaneri (2005). Stabilization of continuous-time switched systems, IFA C World Congress. Prague. J. P. Hespanha (2004). Uniform stability of switched linear systems : extensions of LaSalle's principle, I E E E Trans. Automat. Contr., vol. 49, pp. 470 482. J. Hockerman-Frommer, S. R. Kulkarni and P. J. Ramadge (1998). Controller switching based on output predictions errors, I E E E Trans. Automat. Contr., vol. 43, pp. 596 607. M. Johansson, and A. Rantzer (1998). Computation of piecewise quadratic Lyapunov functions for hybrid systems, IEEE Trans. Automat. Contr., vol. 43, pp. 555 559. D. Liberzon (2003). Switching in Systems and Control, Birkhauser. H. Ye, A. N. Michel and L. Hou (1998). Stability theory for hybrid dynamical systems, IEEE Trans. Automat. Contr., vol. 43, pp. 461 474.
~.'~
.
.
.
115
~
215
3
315
Fig. 2. Time simulation - second state variable Time simulation has been performed from the initial conditions x0 [1 1]' and 20 - [0 0]' Figures 1 and 2 show the trajectories of the state variable x(t) c IR2 of the system (solid line) and the state variable 2(t) c ]R2 of the switching filter (dashed line) versus time for the system and filter controlled by the output switching rule or(t) u(y(.)) given by (36). Even though, in this case, the filter does not exhibit an observer structure, it estimates with good precision- under switching - the state variable of the system. Indeed, as it is clearly indicated in the mentioned figures, after a small period of time (~ 1.0 sec.) 2(t) provides x(t) from the available measurements y ( r ) , r < t. From the same figures, it can be seen, that the proposed control strategy is very effective to stabilize the system under consideration.
4. CONCLUSION In this paper we have introduced a new stability condition for continuous time switched systems based on output measurements. Furthermore, the determination of a guaranteed cost associated to the proposed control strategy has been addressed. The results reported are necessary and sufficient for the existence of a switching filter and a switching rule based exclusively on the output vector of the original system in such a way the
352
Copyright © Analysis and Design of Hybrid Systems
ELSEVIER
Alghero, Italy 2006
IFAC PUBLICATIONS
PRACTICAL STABILIZATION OF DISCRETE-TIME LINEAR SISO SYSTEMS UNDER ASSIGNED INPUT AND OUTPUT QUANTIZATION 1 B r u n o P i c a s s o ,,**,2 A n t o n i o
Bicchi *
* Universit~ di Pisa, Centro Interdipartimentale di Ricerca E. Piaggio", Via Diotisalvi 2, 56100 Pisa, Italy ** Politecnico di Milano, Piazza Leonardo da Vinci 32, 20133 Milano, Italy
Abstract: This work is concerned with the practical stabilization of discrete-time SISO linear systems under assigned quantization of the input and output spaces. A controller is designed ensuring practical stability properties. Unlike most of the existing literature, quantization is supposed to be a problem datum rather than a degree of freedom in design. Moreover, in the framework of control under assigned quantization, results are concerned with state quantization only and do not include the quantized output feedback case considered here. While standard stability analysis techniques are based on Lyapunov theory and invariant ellipsoids, our study involves a particularly suitable family of sets, which are hypercubes in controller form coordinates. Copyright, © 2006, IFA C Keywords: Quantized systems, stabilizability, dynamic output feedback.
1. I N T R O D U C T I O N
UDu
@
yCY [Physical level
'
The need of studying quantized control systems (i.e., dynamical systems with discrete input and/or output variables) arises by many control applications. Commonly encountered examples include the presence of digital sensors and actuators or of finite capacity communication links in the control loop. Quantized control systems have been attracting increasing attention of the control community in the past twenty years (see for instance (Delchamps, 1990; Wong-Brockett, 1999; Brockett Liberzon, 2000: Elia-Mitter, 2001; Baillieul, 2001; Bicchi et al., 2002; TatikondaMitter, 2004; Fagnani Zampieri, 2004)). This paper deals with the control of the linear, time-invariant dynamical system
1 This work was supported by European Commission through the IST-2004-004536 (IP) "RUNES - Reconfigurable Ubiquitous Networked Embedded Systems" and the IST-2004-511368 (NoE) "HYCON - HYbrid CONtrol: Taming Heterogeneity and Complexity of Networked Erabedded Systems". 9, Corresponding author, e-mail: b.p/casso~sns. ±t
"1
.o0,ca,,ev ,
k~
J
Controller: finite state automaton
Fig. 1. Graphical illustration of the quantized control system considered in this paper.
I x(t + 1) - Ax(t) + b u(t)
y(t)- q(C.(t))
x c R ~, u c N c R , A c I R ~x~, b c I R ~,
ycY
tcN
(1)
C c I R ~<~
where b/ is a given closed discrete set and q : ]R ~ y is an assigned output map taking values in a countable set y (finite or infinite). A pictorial representation of the control problem is illustrated in Fig. 1 : the system has a hybrid structure and is organized into two levels. At the logical level, the controller manipulates output and input strings from discrete alphabets. At the physical level, the plant is modelled by Eqn. (1). We focus on the stabilization problem. It has been clarified in (Delchamps, 1990) that "practical"
353
stability notions are the suitable stability properties to be considered for quantized systems. Accordingly, our study concerns the construction of symbolic feedback controllers capable of steering the system to within small neighborhoods of the equilibrium, starting from large attraction basins• In most of the existing literature on stabilization, quantization is considered as a degree of freedom in control synthesis: the designer can choose the elements of the control set 5/, as well as the o u t p u t map q. Results in this vein have a strong theoretical interest as they allow to identify fundamental limitations in quantized control (Wong Brockett, 1999; Elia-Mitter, 2001; Ishii Francis, 2002; Nair Evans, 2004; Tatikonda Mitter, 2004; Fagnani-Zampieri, 2004). On the contrary, in this paper we assume t h a t the input and o u t p u t sets 5/, 3;, as well as the o u t p u t map q, are data of the problem: control synthesis for practical stabilization is then s u b d u e d to these data. This kind of study provides tools for the analysis of achievable control objectives by using a given technology, as e.g., actuators (modelled by 5/) or sensors (modelled by q ) .
{Ace co c Vt} while (Ax)/ is the ith coordinate of the vector A x . x' denotes the transpose of the vector x , x + stands for x(t + 1).
2. P R O B L E M S T A T E M E N T We deal with the discrete time, quantized SISO system given in Eqn. (1). We assume t h a t the pair (A,b) is reachable and that the pair (A, C) is observable. W i t h o u t loss of generality, we assume t h a t the pair (A, b) is in controller form:
A oo
"
[
0"
1
(~S 0~2
an
0
.
b 0
'
Ai,j
max
i--1 ..... n
max
j--1
1,
a/ t--1
if ~ i=1 c~/ < 1 t h e n the system is stable, we hence assume }-~-/-1 a/ > 1 and we let c~ • n
nl
O~i
.
The o u t p u t quantizer q • iR --+ 3; is characterized by the induced o u t p u t space partition: iR Uyey q S(y). The partition is supposed to be locally finite, namely, if B c I[{ is bounded, #p {y c 32 B N q s (y) _¢ ~} < + o c . We also assume t h a t V y c 32 , q - l ( y ) c iR is a connected set. In this case, by suitably redefining q without varying the induced o u t p u t space partition (hence, without loss of generality), we can assume t h a t 32 c I[{ and q" iR --+ 32 is such t h a t Vy c 32 the closure of q s (y) is either an interval of length ,~y of the type [y - ~ - ; y + ~ ] or a half-line. Let 32, : {y c 32 q S(y) is an interval of finite length}. W i t h regard to the control set, we assume t h a t 0 c 5/ so t h a t (x 0, u 0) is an equilibrium pair. Given 5/. c 5/, let Pu. represent the dispersion (or maximal gap) of 5/., t h a t is:
b[) ]a; b[ < U Pu, : +oc
]a;b[Nb/,-0} (conventionally)
if # 5 / , > 1 otherwise. (2)
Definition 1. Given system (1), let
The paper is organized as follows: the problem is formulated in Sec. 2, the main result about practical stability is in Sec. 3 (including an example) and its proof is given in Sec. 4. The easy proofs of the most technical results are omitted. Q~(A)
0 /
•
where s ~ c~s~ s ... a2s c~1 is the characteristic polynomial of A. Because
The main contribution of this paper consists in providing a novel, simple and general technique to solve the practical stabilization problem for quantized SISO systems. The controller is synthesized so as to encapsulate the trajectories into increasingly smaller hypercubes in the controller form coordinates. This approach results in a controller in the form of a finite state automaton. The fundamental observation is t h a t most of the significant information related to the input set 5/, to the o u t p u t map q and to the dynamics of the system, are contained in a pair ( p , H) of scalar functions providing an effective representation of the resolution (or dispersion) of the quantizers. The quantization schemes typically encountered in the literature include either innovation (EliaMitter, 2001; T a t i k o n d a - M i t t e r , 2004) or state quantization (Delchamps, 1990; Wong Brockett, 1999; Liberzon, 2o03; Picasso Bicchi, 2o03). In the latter case, the o u t p u t map y q(x) is such t h a t q s (y) is a b o u n d e d set. In this work instead, quantized o u t p u t s are considered- the o u t p u t map q o C • iR~ --+ 3; induces a state space partition iRn _ UyEy(q o C) S(y) made of unbounded sets and this makes the problem considerably different. We also remark t h a t the onlv contributions addressing quantization as a problem d a t u m do so by fixing either input or state quantization. In our work, we expressly consider the case in which b o t h input and o u t p u t quantizations are assigned.
Notation:
1 .-•
l
A-
0
.
: R
,u
(3)
be a map which associates to each real number r an element of 5/ minimizing the Euclidean distance from r . The feedback law k iRn __+ 5/ defined by
A. zX
A iRn x ~ < -if}. Let E c iRk : E c h and #pE denote respectively its convex hull and its cardinality; d i a m ( E ) • sup x - y 2 is the diameter
is called state feedback quantized deadbeat controller (state feedback qdb controller).
x,.gE E
of E . Given v c iRk , E + v • {x c iRk ix v c E } . Let xi be the ith coordinate of x"
giw~ ~ c R ~, p r ~ ( ~ ) diami(~) :-diam(Pr/(~)).
The definition of the map u is well posed because 5/ is a closed set.
{ ~ ~ c ~} ~ d If A c iRn×n
A~-
P r o b l e m s t a t e m e n t : given system (1), we are interested in the synthesis of a controller which,
'
354
based on quantized output measurements y C £P, selects a quantized control u C L/ and ensures practical stability properties• We will consider dynamical controllers and we will study the practical stability notion of (Xo, X1, ft) stability• More precisely, let the controller be described by the following system defined on some set l/F: { w ( t + 1) 7(w(t), y(t), t) ~(t) 9(~(t),y(t),t),
(n)
where ? : W x y x N ~ W and 9 : W x y x N ~ b/. The closed loop dynamics induced by the feedback interconnection of such a controller with system (1) is:
x(t + 1)
Ax(t) + b ¢ @ ( t ) , q ( C x ( t ) ) , t )
(5)
on the n th component while the others shift upward (see Eqn. (6)): hence, trajectories with both the properties of converging to a small neighborhood gt of the equilibrium and a high speed of convergence towards gt can be obtained by selecting the control value u so that the middle point of the set Pr~ (ACx(t)) + u is as near as possible to 0. This task is accomplished by the state feedback qdb controller. Accordingly, the dynamic qdb controller proposed below is based on the following paradigm: 1- a bounded set within which the current state lies is located; 2- an estimate 2 of the current state is obtained; 3- the control action is selected by the state feedback qdb controller, namely u - k(2). Before explicitly defining the dynamic qdb controller, we need the following preliminary result.
Definition 2. (Cf. (Fagnani Zampieri, 2004)) Let f~, X0 and X1 be subsets of R ~ such that f~ and X0 are neighborhoods of the origin and X1 D X0 is bounded. The controller (4) is said to be (Xo, X1, f~) stabilizing iff the corresponding closed-loop dynamics (5) is so that V x(0) c X0 and Vw(O) c W , x(t) c X1 Vt>O and 3 { c N such that V t > {, x(t) c gt.
L e m m a l . If x c Q~(A) and u is such that ,
The use of a controller endowed with memory, hence taking the general form in Eqn. (4), allows to treat the quantized output case by taking advantage of some techniques introduced for the quantized state case. In fact, by storing the past inputs and outputs, it is possible to reconstruct a bounded region within which the current state is confined. Nevertheless, the state quantization obtained in this way is time varying so that the results from the quantized state case need to be further elaborated in order to be applied to the quantized output problem. Following (Picasso et al., 2002; Picasso Bicchi, 2003), the stabilization problem is studied taking into consideration sets X0, X1 and gt in the form of hypercubes in the controller form coordinates. This choice makes the analysis particularly simple so that explicit results can be provided for arbitrarily assigned input and output quantized sets.
3.1 Preliminaries Suppose that at time t the current state of the system x(t) is only known to belong to a certain bounded set, more precisely assume that x(t) c Cx(t) c Q~(A). The existence of a control value u c /~ ensuring that x(t 4- 1) c Q~(A) is tantamount to requiring that 3 u c N such that ACx(t) + bu c_ Q n ( A ) . For u c N , by the controller form of (A, b), it holds that
Therefore, x(t + 1) C Qn(A) if and only if
.
U~
[ -ff A(~+I). ,-ff A(a+1)]
.
(8)
Notice that ¢p/I/(A) < +oc because b/ is a closed discrete set. Let
{ ~(a)~(zx)-
m~ u(a) m~x U(A)
and, according to (2), let
p(A) :- p~(~)
(9)
be the dispersion of M(A).
3.2 The dynamic qdb-controller In this section the dynamic qdb-controller is defined following the steps listed in the paradigm described in the previous section. The practical stability properties of the corresponding closed loop system are then analyzed in Theorem 1.
Step l - Derivation of Cx(t) The function q " R~--+ y n defined by q(z) "(q(zl),..., q(zn)) induces a partition of IRn such that Vy c Y.~ the closure of q - 1 (y) is y + P y , n where 79y = I-L=1[
S :=
2 ].Let A~ ; Ay~
0
0
Cb
0
...
0 o
CAb
Cb
0
c R ~×(~-1)
•
CA~-2b CA~-3b
Cb
Denote by u(t) and y(t) the vectors collecting respectively the last n - 1 inputs and the last n outputs at time t ( t k n - 1 ) , that is u ( t ) " -
A
It is then important to have an estimate of diamn (ACx(t)). Furthermore, the control acts only
,-ff
Hence, if the goal is to find u c b/ such that x + remains in Q ~ ( A ) , the set of the control values that are relevant to this problem is
U(A)" 3. INPUT AND O U T P U T QUANTIZATION
-ff
-
+ i),...,
+ 1),...,y(t))'
R n×(n-I)
355
and 0
- i))',
R .-
v
-
(y(t -
. . . Ab b] c
c R n×n be the observability
m a t r i x (i.e., the m a t r i x whose ith row is CA i-s )" (.9 is invertible by hypothesis. By s t a n d a r d theory on observability it holds t h a t
y (t) = q ( ( g x ( t -
A1 IIA.... 111~" Consider the following
and A0 := algorithm:
o Input: A := A s .h:=l;
n + 1) + S u (t)),
hence
• while (p(ah)+ H(ah) < ah) do
and
o Output: A .
(~+~--
~(~)+
H(~)
;
(17)
A := (A,Ah+~) e Rh+~; h := h + 1) The o u t p u t A 6 R f for some f < + o c and Ah > Ah+s V h = 1 , . . . , f - 1 . Moreover, let k(x) be the s t a t e feedback qdb-controller with saturated inputs N = N ( A s ) , t h e n the d y n a m i c q d b controller ( 1 2 ) i s (O~(Ao),O~(As),O~(Af))stabilizing.
- A ~ - ~ O -~ s u (t) + ~ u (t) If moreover y ( t ) 6 y n as the closure of q - S ( y ) is y + 79v , then the current state belongs to the following b o u n d e d set:
x(t) ~ Cx(~) := A n - S o - S /79 v ~(~);+
+A~-~O-~
(~0)
(t) + ( ~ - A ~ - ~ O - ~ S ) u (t) .
P r o o f . The proof is given in next Section 4. •
Step 2- State estimation
Example 1. Consider t h e unstable system
{+
Let the map ~: ~n x/1/n s __+ Rn be defined by
¢ ( y , u ) : - A n sO Sy+(R-An SO SS)u. (11) If y (t) 6 3;.~ , then 2c(t) :- w ( y ( t ) , u (t)) is the centroid of the parallelogram Cx(t).
v-
The controller is defined by selecting the control action as if the current state was w( y ( t ) , u (t)). Naturally, such controller needs to be initialized for t < n 2, we hence define the dynamic qdbcontroller as follows: denote by k(x) the state feedback qdb controller and let 3 if t < n - 2 (k o ¢)(y (t), u (t)) if t > n - 1 .
0
(12)
Practical stability analysis Let us analyze the resulting closed loop dynamics. For t _< n 1, by the controller form of A, it holds t h a t Vx(O) c Q~(A) and V t < n 1, x(t) 6 Q n ( A A n s ~ ) . For t > n , let us determine an upper bound H ( A ) for diamn(ACx(t))" for any A > 0, consider y ( A ) : - (q o C ) ( Q n ( A ) ) . If N(A) C 3;., let An " m a x Av and H ( A ) "yey(A)
a~(A~o ~(O~(&))),
~
H(zx)-
stabilizing with A f -
4. P R O O F OF T H E O R E M 1 In order to prove T h e o r e m 1 some preliminary results are needed. We will refer to the following notation: V A > 0 such t h a t p ( A ) < +oc, define the partition ]R SM(zX) UNzx U $,~(zx),
of th~ ~ t A~ ~O *(%(~)) ( ~ S q ~ (10)), ~ 79y(t) c Qn(A~x), t h e n
where SM(A)"
(13)
]
oc;
M(A)-
P(-~[, A/'A"
] .~(zx)+~@ ; + ~ [ L~t S~ :- S~(~)uS~(~)
Theorem 1. Let As > 0 be such t h a t
Let us analyze the main properties of the map u defining the state feedback qdb-controller.
As
m(~) > ~(~ i) ~(~) + H(~) < ~,
-~ (see Fig. 2).
+~
Let A > 0 be such t h a t 3;(A) C 3;. and suppose t h a t y (t) 6 Y ( A ) n " since Cx(t) is a translation
diamn(ACxtt)) d i a m n ( A n O s(79u(t)))< < d i a m n ( , A n O S(Qn(A~))) - H(A).
q(¢~),
where (7 ( 3/2 1/3 ), u 6/1/ {0, +1,-t-2,-I-3, -I-4,-t-6,-I-8,-I-12,-I-16,-t-24} and the extremes of the intervals forming the o u t p u t space partition induced by q are { ± 5 , ± 5 , ~ ±~ , ±~ , ± ~ } According to the developed theory, let 3; - 3;. U {+Ys} - {0, + 3 , + 6 , + 1 0 , + 1 6 , ±Ys} (where 3;. collects the middle points of the o u t p u t quantization intervals and q takes the values +Ys for Ca > ~ ) . The values of A~ for y 6 3;. are: A0 A + 3 - A+6 3, A+s0 5 and A+s6 7. 3 The infinity norm of A is c~ - 5" By direct c o m p u t a t i o n s it holds t h a t p(A) + H ( A ) < A ¢=> 6A =-; • 2-. Also, M(~) 24 > 234ss a2 s 5.32 and inequalities (14 15) are satisfied V A C 17 (see L e m m a 4 in Sec. 4), hence T h e o r e m 1 guarantees t h a t V A 6 Z , the dynamic q d b c o n t r o l l e r with s a t u r a t e d
Step 3- Control selection
u(t) :-
()
(15) (~6)
Lemma 2. (Basic properties of u). Let A > 0: ~) if inequalities (14-15) hold, then Vz 6 Pr~ ( A Q ~ ( A ) ) , u(z) c b / ( A ) ; tt) if p(A) < + ~ and z 6 .A/A, then Iz + u ( - z ) < ~(zx).
3 This controller can be modelled in the form of Eqn. (4) with )/V := 3;n × 5/n-s • see in Appendix.
n~) assume p ( A ) <
356
+ o c and let z be such t h a t
~X 2
~(~)+H(~) / / / / / /
10
/ /
~Xl
/
58/7
/ /
44/7
/
/
32 / 7 25/7 / 4
/
/
/
'
O2ea5k
t"
I
24 T
I
I
90 48 ~ ~
I
150 II
Q 2 (I 4)
A I,.
I
96 234 5 II
'
',
Q2{21)
Fig. 2. Left: graph of p(A) + H ( A ) . Right: a trajectory generated by the dynamic qdb controller for A 0 14 and x(0) (5.42 6.60). Broken lines identify the state space partition induced by q o (7. , ( - z ) ~ D/(~). If z ~ SM(ex), then - ( - z ) = M ( A ) and z + u ( - z ) -- - ( z + u ( - z ) ) > P(ex) ; if z C 8,~(ex), then u ( - z ) = re(A) and z +
The core of the proof of Theorem 1 is represented by the following result"
Lemma 3. (Main tool). Let A > 0 be such that p(A) < ÷ ~ and inequalities (I4-15) hold. Assume that x c Qn(A) and 2 6 R n are so that ICA(~-~))~I _<~ (for some ~ > 0 ) . Let k(z) be the state feedback @b-controller and suppose that k(~) ~ gJ(A), then x + = Am + b h(~) is such that x + < _ max { P(ex)+~ ~ , • ~-~(~)}, where ~(A) "-- min { M ( A ) -
A--(c~1) 2
( ~ - l ) - ~(~) }.
(18)
P r o o f . By definition of k, x + = (Ax)n + u ( (A~)~). Notice also that, by Lemma 2. z, u( (A.)~) c u ( = ) T h r ~ ¢ ~ ~ n oCCur: I) Suppose that (A2)~ c Alex, then
~+~
( A ( ~ - ~))~ + (A~)~ + . ( - (A~)~) < ( A ( x - x))n + (A2)n + u ( - (A2)~) < ~_ ,o(A)
=
where the last inequality follows by the hypothesis on ~ and by Lemma 2.n. II) Suppose that (A~)n C 8ex and x is such that (Ax)n C A/'ex. If (A2)n C 8,~(A), then k(~) = re(A) thanks to Lemma 2. ~ which can be applied because, by assumption, k(~) c L/(A). n~nc~. * i - (A.)~ + .~(~X) < (A.)~ + ~ ( -
(A.)~) < ~(-~. wh~r~ th~ ~r~t ~ n ~ q ~ t y ho~d~ because u ( - (Ax)n) ~ gg(A) and the latter by Lemma 2.n. Moreover, by Lemma 2. zu, (A2)~ +
~ ( - (x~)~) > ~(-#, ~n~ ~y ~ m p t ~ o n
(X(.2)) > ~ therefore x + = ( A ( x - ~)) + (~)~ + ~ ( - (A~)~) > - ( + @ > - ~+p(~) n
--
--
--2-
'
n
To sum up, z + < P(A)+~ The case (d2)~ S~(A) is similar. III) Suppose that (A2)n ~ Sex and (Ax)r~ ~ Sex. If (A2)n ~ Sm(ex), we know by part II that k(~) - . ~ ( A ) a n d z l > - ~+P(ex) ~ • Assume that
(Ax)n c $ ~ ( A ) , since u(
(Ax)n) c N ( A ) , then (A~)~ + . ~ ( a ) < (A~)~ + ~ ( a ) (A~)~ + u( (Am)n) < p(A) where both the last equal2 ity and the last inequality hold by Lemma 2.n~. If instead (Az)n c Hence, x + < ~+P(ex) 2 $,~(ex), then x + < x o o - ~ ( A ) . In fact: in this case k(x) k(3c) re(A) and, thanks to inequalities (14-15) , we can write re(A) ex ( a -ff 1) ~(A) 0 , w i t h 0 > 0 . A g a i n b y L e m m a 2 . zn, ~+
(A.)~ + . ~ ( A ) < E~ ~ *~ +'~(zx) < ~ ~ 0o + .~(A)-~. zoo A(~ 1) ~(A) 0 < • o c -~~(A) because ( x oo ~)(c~ 1) 0 < 0. The case (A:r)n 6 SM(A) is similar. • _
Remark 1. The motivation for assuming k(a~) C gg(A) (which corresponds to the restriction of the state feedback qdb controller to the saturated input set /t/ 6/(A1) in Theorem 1) is that, by Lemma 1, if k(~) ~gg(A), then x + ~ Q n ( A ) . Lemma ~. If A > 0 satisfies inequalities (14-15), and A' is such that p(A) < A' < A , then A' satisfies inequalities (14-15) P r o o f of T h e o r e m 1. The sequence defined by the algorithm (17) is decreasing by construction, let us show that it is finite: first notice that, by definition, H ( A ) is a piecewise constant and nondecreasing function. As for p(A), 3/~ > 0 such that p(A) +co VA < /~, whilst for A > /~, p(A) is piecewise constant and non-decreasing with A . If p(Ah+l) + H(Ah+s) < p(Ah) + H ( A h ) , then p(Ah+l) < p(Ah) or H(Ah+S) < H(Ah)" in the first case #gg(Ah+s) < # g g ( A h ) , in the latter # Y(Ah+~) < #Y(Ah). Therefore, f < # 5 / ( A z ) + # y ( A ~ ) < +co because gg is a closed discrete set and the output space partition induced by q is supposed to be locally finite. We have already noticed that Vx(0) c Q~(A0) and Vt < n 1, x(t) c Q~(A1), therefore y(n 1) C Y(As) n Since H(A1) < +co (see inequality (16)), then Y(A1) C_ 3). and diam~(ACx(n 1 ) ) < H ( A s ) . Because 2(n 1) is the centroid of the parallelogram Cx(~ 1), then (A(z(n
1)-2(n
1)))
k(•(n
357
2
1)) C U(A1) by assumption, therefore
N. Elia and S. Mitter, Stabilization of Linear Systems With Limited Information, IEEE Trans. Autom. Control, 46(9); pages: 13841400. 2001. F. Fagnani and S. Zampieri Quantized stabilization of linear systems: complexity versus performance, IEEE Trans. A utom. Control, ~9 (9) special issue on "Networked Control Systems", pages: 1534 1548. 2004. H. Ishii and B.A. Francis, Stabilizing a Linear Systems by Switching Control With Duel Time, IEEE Trans. Autom. Control, 47(12); pages: 1962 1973. 2002. D. Liberzon, Hybrid feedback stabilization of systems with quantized signals, Automatica, 39; pages: 1543-1554. 2003. G.N. Nair and R.J. Evans, Stabilizability of stochastic linear systems with finite feedback data rates, SIAM Journal on Contr. Optim. Vol. 43 (2), Pages: 413 436. 2004. B. Picasso, F. Gouaisbaut and A. Bicchi, Construction of invariant and attractive sets for quantized-input linear systems, Proc. of the 41st IEEE Conference on Decision and Control "CDC 2002" pages: 824 829. 2002. B. Picasso and A. Bicchi, Stabilization of LTI Systems with Quantized State Quantized Input Static Feedback, In A. Pnueli and O. Maler, editors, Hybrid Systems: Computation and Control, volume LNCS 2623 of Lecture Notes in Computer Science, pages: 405 416. Springer Verlag, Heidelberg, Germany. 2003. D.E. Quevedo, G.C. Goodwin, J.A. De Don& Finite constraint set receding horizon control, Int. J. of Robust and Nonlinear Control, 14(4); pages: 355 377. 2004. S.C. Tatikonda and S. Mitter, Control Under Communication Constraints, IEEE Trans. Autom. Control, 49(7); pages: 1056 1068.. 2004. W. Wong and R. Brockett, Systems with finite communication bandwidth constraints- part II: Stabilization with limited information feedback, IEEE Trans. Autom. Control, 44(5); pages: 1049-1053. 1999.
Lemma 3 guarantees that x?),(n) _< m a x { -z~22---- H(/~l)-~-P(/~l)2 . ( ~ - 1) ~ - ~ ( ~ ) } < ~
(19)
(where ~(A1) > 0 is defined in Eqn, (18)). Since = (X2,.,. , X n , X ~ ) , then x(n) C 0 n ( A 1 ) and y (n) C Y(As)n" therefore, the arguments which have allowed us to prove that x ( n ) c Qn(As) can be repeated so that V t > n, x(t) c Q~(A1). Furthermore, because ~(A1) > 0 does not depend on t, 3ts > 0 such that V t _> tl, x(t) c Q ~ ( a ~ ) . T h ~ f o r ~ y (t, + n - 1) e Y(a~) ~ , ~ d diam~(Agx(t,+~_s)) <_ H(A2). If f > 2, the arguments above can be iterated until t f - s is found such that V t > t f - s , x(t) e Qn(Af)" we have only to check that Vh = 2 . . . , f - 1, Ah satisfies the hypotheses of Lemma 3. Indeed, let h c { 2 , . , . , f 1}. By the algorithm (17), p ( A h ) = A h + s - H(Ah) < + ~ . Inequalities (14-15) are satisfied by Ah (this guarantees that p(Ah) > 0), in fact: such inequalities hold for As by assumption and, since X +
~(ah_,) _< ah - ~ ( a h _ , ) + H(ah_,) < a h _ , ,
-
then the result follows by recursive application of Lemma 4. As far as the remaining two hypotheses are concerned, that is k(2(th_s + n /
1)) C N(Ah) and n
-
i))]
(A(x(th_s + n - 1 ) - X(th-1 @ \
< -
H(Ah) 2 , we
have
already
noticed
/ J ft
that diamn(Agx(tl+n-s)) <_ H(A2) implies that
( A ( ~ ( ~ , + , ~ - 1 ) - ~(t, + ~ -
1)) ) ~
.
Moreover, since V t _> ts, x(t) C Qn(A2), then Vt >_ ts, k(9(t)) C b/(A2) thanks to Lemma 1. We then conclude by a recursive argument. •
5. CONCLUSION We have introduced a novel technique for the stabilizability analysis of quantized SISO systems. The results hold under very general hypotheses and are of direct applicability. Interesting questions are open for future investigations, especially in the framework of sampled continuous-time systerns under communication constraints.
6. APPENDIX Let us represent
the dynamic
qdb-controller
w c W are denoted either by (y, U) or W -- ( W l , . . . , W2n_ 1). Let
the elements
¢. w x (Nu{-1})
REFERENCES
--, u
be defined by
J. Baillieul, Feedback Designs in InformationBased Control, Proc. of the Workshop on Stochastic Theory and Control, Kansas, pages: 35-57. Springer-Verlag. 2001. A. Bicchi, A. Marigo and B. Piccoli, On the Reachability of Quantized Control Systems, IEEE Trans. Autom. Control, 47(4); pages: 546-563. 2002. R. Brockett and D. Liberzon, Quantized feedback stabilization of linear systems, IEEE Trans. Aurora. Control, 45(7); pages: 1279i289. 2000. D.F. Delchamps, Stabilizing a Linear System with Quantized State Feedback, IEEE Trans. Autom. Control, 35(8); pages: 916-924. 1990.
¢((y,u) t)--{~k '
if if
o¢)(y,u)
t_
and -~' W x y x N
~
W
be defined by
~(~,~,~) = (~,~,,. ,~_~, ¢(~, t - i), ~+~,...,
~_~).
Finally,
6" W x y x N - - , 5 /
(~. y. ~)
358
de-
~ Eq~. (~2) ~n th~ form of Eq~. (4). L~t W := yn X/I/n-l,
~d
~ ~(~(~. ~. ~). ~)
w
Cop).right % Anal).sis and Design of Hjbrid S).stems Alghero. Italy 2006
BOX INVARIANCE OF HYBRID AND SWITCHED SYSTEMS Alessandro Abate
'
Ashish Tiwari
"
Abstract: 'l'his papcr investigates the concept of box invariancc for classes of hybrid and switched systcrns. .After motivating and defining the notion. tvc present a concise surnrnary of results o n its chnractcri~atiorifor single-domain dynarnical systcrns. 'l'hc notion is then cxtcndcd to the case of hybrid and sIvitchcd systcrns. \I-c provide sufficient conditions for a hybrid or switched systcrn to be box invariant. hlodcls of many real systcrns. especially those drawn frorrl biology. have bccn found t o be box invariant. This papcr illustrntcs the concept using a pharrnacodynarriic rnodcl of blood glucose rnctabolisrn. Copyrighl O 2006 IbilC KcyIvords: Invariant Sets. Hybrid and Slvitchcd 1)ynnrnical Systems
1. INTRODUCTION 'Slir (,orirrpt of k)ox irivari;~ri(~rlias k~rrii rrcwitly iritrociuc.rci for c:l;~ssrs of tiyiiarriic.;~l systrrris (A1);~tr;~ii(i'Siwilri, 2006). 'Slir iri~~ili rrlotivatiori for tliis riotiori rorrirs fkoin 1)iological cxsr stutiirs arid iriotirls that wrrr irivestig;~trciwit11 tllr followiiig clllrstioii: is the strict c,oric~rptof Lyaplliiov st;~l)ility~ L ~ T V (irs(.riptivr ~ L ~ S aiid (,0rr1~)lltiLtiOll~11y fri~sik~lr ill the 1)iologicalrraliri. ~vkiic+i is oftel1 c,ki;~r;~c.trrizr(i k)y (~orriplrx(iyriarrii(.s wit11 irriprrc~isrly kiiowri ~)ararrietrrs'lAs a viak~lr i~1trrrii~tivr.~volll(iit iiot rriakr srrisr to look for k)olliitird 1)rliavior iri tkir c.loserirss of ail eclllili1)riurri? Iiltuitivrly, it is appr;~liligto coilsidrr ;L riotion of stability defined 'within certain lirnits". or .'bounds", rather than o n c-neighborhoods ofcquilibria. In othcr Ivords. wc rnay be intcrcst,cd in the existence of rcgions around the cquilibriurn Ivithin which a trajectory ~vouldindefinitely d~vcllonce it rrac,lirs tlirrri. \Vr forlls lirrr oil the sirriplrst possil~lrS ~ I R Tfor ) ~ tkirsr rrgioris-tht of a 1)ox. \Vr have lound that rnodcls of many natural systcrns have box shaped rcgions as invariant sets. Box invariancc is also appealing from the autornatcd verification standpoint. since it is cornputationally L ) ~ p a rrln ~ n l or Electrical Engin~ering and ('ornputcr Scicr~ccs. 1;rlivcrsity of C'aliforr~ia. a t Rcrkclcy {aat)atc8ccci.bcrkclc~y.c~~i11}. Rcscarcl~ supported t)y tklc grarlti C'C'R-0225610 arid nhhn 19-03-1-0373. C o r r ~ p ~ iSt ~Cr~ C ~T,at)oratory. ICC SRT Tr~tcrr~atior~al. hIcr~lo Park. CA {l i~varii~csl.sri.co~n}. S11pport ~d in 11r1rt by NSF ('C'K-0311348 and L)AHPA L)E-A('03-7R3F0009ti.
'
-
tractable for a large class of systcrns and helps in proving strong safety propcrtics of systcrns. .l'lic notion is rclat,cd to othcr concepts in thc literature. scc Abate and 'I'i~vari(2006) for details. 111 this paper. ~ v first r foriri;~llytirfirir tlir ~iotiori of k~oxirlvi~ri;~ii(~r for (~oiitiri11o11~ (iyrii~irii(~il1 systrrris (Src,. 2). \Vr tlirii provide c:kiaractrriz;~tioiis for lirirar arid affirir dyriarriicxl systrrris arid skio~v ho~vto prac,ticxlly c:orriplltr ari actual k~ox(Src~. 3). ,4 drt;~ilrti stutiy of i~ffiii~ systriris ;~ri(ifill1 proofs of c:l;tiiris a1.r prrsrritrd rlsrwhrrr (Almtr ;~ri(i'l'i~vi~ri? 2006). 'Slir rriairi foc,lls of this article is oil rxtriidirig tlir iiotioii to liyk~riti arid s~vitc,lirdsystriris (Src,. 4). 'l'kirsr systrrris provitir a po~vcrfulrnodcling tool. particularly for dornains such ns biology. As a n illustrative example. tvc shall tiiscuss ;L switckirti rriodrl for 1)lood gl~lc~osr c~oric~rritr;~tioil ill 1nlrri;~ii1)rairi (Src,. 5) aiid ;~rialyzr it llsillg tlir c.oiic.rpt of k~oxiriv;~rii~ii(.r. 2. T H E CONCEPT OF BOX INVARIANCE I\? consider general. autonornous and uncontrolled dynarnical systcrns of the forrn x = S ( x ) . x t Rn.I\c ass~~rric basic continuity and 1,ipschit~propcrtics for the cxist,cncc of a unique solution of the vector field. given any possible initial condition. A rectangular box around a. point xu ( ~ r I)? i spe(:ifir(i usiiig t~irotiiagoiially opposit? poirits xlb ;~il(ix , b : ~vlirrr216 < xu < x , ~ (iilterprrtrd c,orri~)olirilt-~visr). S11(+i a 1)ox lias 211 sllrfi~crs P k ( l 5 j 5 rt, k E { I . w ) ) : ~ i ~ l i r r r
<
<
{ y : (xlO), y , (xtLb),for i # j.yJ = ( x ~ ~i f )k ,=~I. y, = ( x , ~ ) if, ~k = 11). Definition I . A dynarnical systcrn x = / ( x ) is said to be box in71arianl around an cquilibriurn point x u if thcrc cxists a finite rectangular box itr~llll(ixu, spec,ifird 1)y xlb ailti x,b! snc,li that for itiiy poilit y or1 itiiy ~1lrfilc.eS.7.k(1 5 j 5 11. k t { l ? v } )of tliis rrc.tarignlar box. it is tkir cxsr tliat f (y),] 5 O if I; = '11 arid f (y),] 2 0 if k = 2 . 'l'kir systrrri will I-)r sitid to 1)r strir:tly/ box iwoariant if tkir last iiircpalitirs kiolti stric,tly.
S.7."
Remark 1. 'l'kir c,oricq)t of I-)ox ili~itriitli(~r for a (iyilitrrii(~it1systrlri rr(lnirrs tkir rxistrric~r of itii irsoaria~~,t srt wit11 a sprc.iit1 (polykirtiral) sliapr. 111 tkir case of liiirar systriris, wr sliall srr that this irivitriitiit set is also it11 w-lirratt set (or it ~ ~ ' I I C ~ IofT I ,
ottrwctloT1,). Definition 2. A systcrn x = / ( x ) is said to be synlrrlelrical boz invarianl around the cquilibriurn xo if thcrc cxists a point u > xo (interpreted cornporicnt-\vise) such that the systcrn is box invariant with respect to the box dcfincd by u and (22" u ) . -
3. CHARACTERIZATION OF BOX INVARIANCE. 3.1 Linear Systems. . it liliritr systrin ailti a 1)ox itr~llli(iits rcplirllrii 1il)rinin poirit, tlir prol-~lrrriof c~kirc,kiiigif tkir systriri is I-)oxilinriarit wit11 rrsprc,t to tlir girrri 1)ox car1 I-)? solvrd 1)y rrrifyirig tlir c,oriciitioil orily at tkir 2" vrrtic,rs of tkir k~ox(illstrati of all poirits oil it11 tlir fitcrs of tklr box). (7'
Proposition 1. A lincar systcrn x = Ax. x t R" is box invariant i f thcrc exist t\vo points u t (Rt)" and 1 t (RP)" such that for cach point c. with c, t {u,.I,).Vi. \vc have Ac 0.\?here .-, is iTc, = 11, and -, is if(:, = I,.
<
>
-
Propositiorl 1 shows t h a t box ir1vari;nlce of lirleal. systcrns can be checked by testing satisfiability of 2n lincar inequality constraints (ovcr 271 unkno\vns givcn by 1 and u). In two steps. \vc \vill show that thcsc 27Lcoristrairits arc sut~s~~rricd by just rI lincar inequality constraints (ovcr n unkno\vns). 1:irst \vc prove his fact for syrnrnctric box invariancc.
Theorem I . All n-dilnc~lsio~lel lilicar syst,crrlj: = Ax is syrnrnctrical box invariant ifT thcrc cxists a positive vector c t Rt" such that AV'c 0. whcrc (1,": = a,, < 0 and a;; = a , , 7 for i # j . This is cquivalcnt to checking if the lincar systcrn dcfincd by rnodificd rnatrix Am is syrnrnctrical box invariant.
<
Irl tkir src,oriti step. \vr sliow tlir snrprisilig rrsnlt that tlir property of I-)ox iiiritriaric~r itlid tkiilt of syrriirirtric~al1)ox ilivitriitiic~rilrr ~(lnivitleritfor lillritr systriris.
Theorem 2. .A lincar systcrn x = Ax. whcrc A t R n X r Lis. box invariant if it is syrnrnctrical box invariant. Pnttirig togrtkirr 'l'lirorrrri 1 aii(i 'l'hrorriri 2. ~ v r c,oric,lntir that to c,lirc.k if it lirirar systrrri x = Ax is I-)oxirimriitrit! Tvr oiily rirrd to test if tlir srt of rr liriritr ilirc~nality(~oiistritillts~ snc,(~iii(~tly ~vrittrrias AnLc5 O (over tkir n niikriowiis c ) has a rioiizrro solntioii. 'l'kiis (,it11 I-)? (ioiir iri polynorr~,ialtirrir. M> car1 itlso fiii(i a 1)ox 1)y grrirratirig solntiolis for tkir it1)orr liiiritr c,oristrairit satisfac~tioiiprok)lrrri. Iii grrirral: it is possi1)lr to itssociatr witki it dyriairiicxl systriri: (Lrfiilrtl 1)y systrin iriatrix A t IWrJXr'? 11, it COTI,F iri tkie positire 2" -itlit (irsc.ril)r(i1)y tkir set
C
=
{ x t IWtn
: Arr'x 5 0).
Aiiy ckoirr of it siriglr poilit or a pair of distiric,t poilits iri C tietrrrriiiir, rrsprc~tirrly,a syirirrirtric itii(i a riori-syrrirrirtri(~1)oxfor tkir systriri tirsrril-)rd by A. Box Iri~it~iit11~r is a strorigrr iiotioii tkiitii stal~ilityfor liiieitr systerris. Theorem 3. If it liriritr tiyiiarriic~itlsystrrri is I-)ox irlvitriitilt itrollrl(i its rc~ni1il)rinrri~ tkirii it is ~tit1)lr. Surprisingly. the ~vcll-kno~vn concept of P-rnatriccs in lincar algebra provides a st,ructural charact,cri/ation for box invariant lincar systcrns. .A rnatrix A is said to be a P-rnalriz if all of its principal rninors arc positive. Theorem 4 . Lrt A 1)r a rr x n iriittrix snc.ki tliat r17/ 5 0 itlid 2 O for it11 i # j. 'l'kirri~ tkir followirig statriririits itrr rclllivitlrrit:
(1) 'l'kir liiirar systrrri x = Ax is strictly syiriirirtrical 1)ox iinariarit. (2) A is it P - v ~ a t r i : ~ . (3) For rrrry .i = 1, 2. . . . . ra: tlir cirtrririiriaiit of tkir top left .i x .i snl-~rriatrixof A is positirr. Remark 2. 'I'hcorcrn 4 sho~vsthat box invariancc of general linear systcrns can also be tcstcd by checking if the rnodificd rnatrix -AnL is a Prnatrix. 11 is known t llat 1 he prob1c111 OI ticciding if a givcn rnatrix is a P-rnatrix is co-KPhard (('oxson. 1994: ('oxson. 1999). Our case is special though. since \vc knolv that only the diagonal entries in -Arr' arc positive. .As a result. we can dctcrrninc if A " ' is a P-rnatrix using a sirnplc pol~nornialtirnc algorit,hrn; for cxarnplc. t llc 1:ouricr-Mot zkin clirrlinat ion rrlct llod car1 tictrrrriiiir satisfiit1-~ilityarlti grilrrittr tlir c~orirC. A1ittric.r~mitki tkir skiapr of tliosr iri 'l'kirorriri 4 (or. equivalently. of A"' i n .l'hcorcrn I ) have actually bccn studied under the appellative of Afclzler rnatrices. .l'hcrc is a {vcalth of literature on l l c t ~ l c r rnatriccs that can be used to dcrivc results cquivalcnt to those presented above for box invariancc: scc Abate and I'iwari (2006) for details. Remark 2. 'l'kle c~oilc,eptof 1)ox iiivitriaiic~e,n.liic,li is c,losrly rrlatrd to tliitt of c~litssic,alstability ill
tklr lirl~itr('ilSr: ('ill1 i t 1 ~ 0I)? stll(ii~(i~ i i Lyit~)llrlO~ t argl~rrirrits.Iri our particmlar iristaric,r. to prove 1)ox ir1rnriaric.r wr firiti it Lyaplliiov filric.tioria1 ~vkii(~ki is (irfirird (itt least) iiisidr a (~rrtitiiil)oxr(i rrgioii of tkir statr sl)it('r. 'So go fkoiri srriootki L y ~ ~ ) l ~ rfilrictioris iov to 0r1r tliilt is tirfirird oil a I)ox, wr ('it11 iritrrsrct ~ ) r o ~ )rllipsoi(ia1 rr filri(.tioris that have k~rriiittirclllatrly strrtrllrd to tlir lirriit (Al~ittrarid 'l'i~vitri! 2006) or llsr vrc~torriorrris (Kicndl e l al.. 1992). A linear systcrn x = Ax is box stable iK thcrc exists a diagonal rnatrix W t (Rt)"'" s.t. V(x) = I I Z i x , is a 1.yapunov function (cf. Kicndl e l al. (1992)). 'I'hc 1.yapunov argurncnts will help in the casc of hybrid and switched systcrns. as \vc shall scc latcr.
9.2 A f i n e S y s t e m s . (lonsidcr the alfinc systcrn, x = A x + b . \I: rclatc tkir box iinariaricr of this systrrri to tkir positivity of its rclllilil-~rilirripoilit, z" > 0.'l'lir assllrriptiori of z o 1)ririg ill tlir positivr (lllit(iriti1t is jllstifird 1)otli frorri a. trckliiral staritipoirit itlid frorri 0111. appliei~tioils, T h e o r e m 5. If tlir affirir systrrri x = Ax
+ b is
s.t. A is 1Irtzlrr itlid b > 0 , thrri its r(llli1il)rilliri poirit z o > 0 iff' tlir systrrri is I-~oxirl\ariitrit. Remark
E C () X C) is a srt of f2dyf2.s tklitt (irfirlrs a sollrcwtargrt relation brt~vrriitlir (iorrlitiils. D = {Z),),c(a is it set of d o ~ r n u i r~vkirrr ~ , ~ D, is a c,orripac:t sill-,set of RrJ. G = {Gf:)ct E is it set of g , i ~ i ~ r i\l~~~:~ I P L(:,. P C D, (1). R = {Re)rcE is a set of rrJsr~trraups: kirrr we assulrir idrritity rrsrts. F = {f?},tcris a set of i!f2ctor fif'lrls sllc,ll tklitt ,I, is 1,ipschitx o n R". A hybrid trajectory (in the statc spacc) is dcscribed by adequately specifying a scqucncc of its initial conditions. switching tirncs and cdgcs. properly related via the guards and rcsct rnaps. 'I'hc behavior of 'H allows for possible Zcno tra,jcctorics. As the rcadcr rnay notice. the switching conditions (the '.events") arc due to spacial restrictions o n the various dornains. In contrast. s w i l c h e d s!lslerns specify ,jumping conditions in tirnc. rather than in tlic statc spacc. D e f i n i t i o n 4 . A su1itched systerrr is ((2. b;. 1). (;. I<. 1"). ~ v k l ~ r ~
it
tllplr S
=
C). E:R. F are ( ~ l l i t r i t ( ~ t ~ ras i ~iri r t iDrf. 3. D = {Dz),cQ is it set of do,rr~,uir~,s ~vkirrr D,
= Rn.
{O. TI. 72:. . .) is it set of g,narrls ill tirrie, ~vlir1.rT, t R+ itrr iii(.rrasiiig iri I. Eit(.li T, is ~ i ~ i i - i i ~ g i t t i ~ ~ l ~ l i t p p ~to t i ?I stitt? it fllll~~tiOll g : (: + () ~ l ~ tkiitt ~ k (i g ( r j p l ) g ; ( r , ) ) t E for d l i .
G
=
4 . 'l'lir itss~linptioiisof tlir prrviolls tlir-
orrrri rail k)r rrlaxrti to kiitvirig b ) O . b # 0.
it
I n rnodcling biochemical pathways. the statc varia l ~ l r sz rrprrsriit c~oiicrritratioriof sprcirs sllcli as protriris. M7k1er1 iriotirlirig tkir tiyrlitiriic~sof sllc.11 sprcirs, tlir AIrtzler forin itrises ~iittllritllysiii(.r sprc.irs (i~('ity~)ro~)Ortioilit11y to tklrir (.oii(:f'rltl^iltioll itlid itre ('l.C'itt?(i ~)rO~)OrtiOrli~11y to their prrc.llrsorls c:oric~riltrittiorls.'l'lir vrrtor b > 0 r e p rrsrllts tlir proc.rss of sprcirs ('~.~ittiOli (by trilri~(TiptiOllitlld t~itllsliltiO~1~ f0r P X R ~ I ~ ~ ~ C ? ) FOr . St& 1)lr systeins, sllc.ki iriotirls t~rpic'itllykiavr positive ccluilibriurr~poir~t.By 'I'hcorclr~3. ell sucl~rr~odcls will be box invariant. 'l'hus. .l'hcorcrn 3 explains. in part. why rnany rnodcls proposed by biologists tend to be box invariant. 1:or rnorc results o n box invariance of affinc systcrns. the rcadcr is referred to Abate and 'I'ilvari (2006).
4. BOX INVARIANCE FOR HYBRID AND SWITCHED SYSTEMS. Iri this Src~tioll1i7r rxtrllti tkir ilotiori of 1)ox ill~itriitli('rto tlir (,as? of (.oiripositioii of (iiff'rrrrit dyrlitiriic~alsystrrris. TI> first cirfiiir kiyl~rici itlid switc~kirtisystrrris arid rrfrr tkir rracirr to sprc.iitlizrti 1itrratln.r for morr drtitils (Lygrros e t al.: 2003; Airirs p t al.: 2005). D e f i n i t i o n ;I. A Isybrjrl systerrr is ((2. b;. I). c.; I<.I(>).\vklcrc
it
tllplr 'FI
=
(loiisidrr tlir 1iyl)ritidoiriairi (2 x RrJ.Ail irs.r!ar./arst s e t of a Iiyl~ridor switckirti systrin is a s1ll)srt of C) x RrJ s1lc:li tkiitt every tritjrrtory origiiiatiiig ill this srt c~)ritiiillrsto d~vrllirisidr it. 'l'lir riotioii of I-~oxirlvitriitii(~rfor kiybrici i~ii(iswitckir(i (XSPS is dclincd so as to crncornpass the possibility of rnultiplc equilibria and s\vitchings bct\vccn the difTcrcnt dornains. D e f i n i t i o n 5. A kiyl-)rid systrin 'FI (a sn.itc.kirti systrrri S) is said to 1)r box i~i~itriitlit if tkirrr exists a boxed region R c RrLand a subset Q1 c Q oS states such that Q1x H is an invariant set Tor 'H (or S).
I n this paper. we will restrict oursclvcs to lincar vector fields. that is. all ,rZ/;'s arc lincar functions of x. Hcncc. in individual dornains. boxes will IF arorlnd tllr local rqrlilibri~lrn point. lcor the sake of analysis, we difTcrcntiatc the follo\ving two cases: dornains \vith direrent equilibria and dornains {vith overlaying cquilibria. I'urthcrrnorc. in the hybrid casc. the equilibria rnay or rnay not belong to one or rnorc guard sets.
For a kiyl~ridsystrrri 'FI: if sorrir tiisc.rrtr statr I has it11 r(llli1il)rilliri xo tkiilt (iors riot 1)rlorig to ally gllitrti? tkiitt is z g @ UrtE C e ,tlieri a. sllffic,irrlt c~ollditiorifor box ili~itriit11(~~ of 'FI is obtitillr(i frolri 1)ox iinariaric,r of tlir dyrlairiic~alsystriri of stittr I.
Iri s~lc.ki;L (,ilsr? 'H is I-)ox iiiv;~riaiit if tlirrr is a siri;~11rriollgki I-)ox I3 for tlir tiy1i;~iriic~al systriri of state i tkiat is c,orriplrtrly c~oiitairirdill tlir tioiri;~iii, I3 C I),:;~ii(ithat ciors riot iiitrrsrc,t tlir gllard. I3 n C , = fl. l'liis oc~.llrs,for rx;~iriplr,iri tkir kiyl~ridrriodrl of tlir Delta-Kotcli 1atrr;~liiiliibitioii rrir(;ki;~ilisrriof (iliosli ;~ii(i'Sorriliii (2001). 'Skir rradrr skiolll(i r1otic.r that: ~ L iri S tkir siiiglr-(ioiri;~iii rioiiliriri~r(,ilsr? tkir rxistrri(.r of ;L 1)ox (iors iiot irnply the cxistcncc oS boxes of diKcrcnt, s i ~ c s : expanding a box may cnusc it to intcrscct a guard. Kcxt consider the cnsc whcrc xo is a shared cyuilibriurn that belongs to at least one spacial guard. In this inslance. a sufficient condition is the cxistcncc oS a single box for rnulliple domains.
U F,,
For s~vitc;liirigsystrrns, 1)otli iri tkir cxsr of s1i;~rrd r(plilil)ri~liriaiid (iiff'rrrrit rquili1)ria;jllirips at possil~ly tiinr iristarit forrrs 11s to firiti a. c:o!rn!rraor?, I-~ox? wlii(;li ~vo~ll(i I)? iiiv;~riilritiii all tlir (iorri;~iiis. The results in this section rcscrnblc those obtained for stability of hybrid and s\vitchcd systcrns. In particular. it is known that thcrc arc cxarriplcs of unstable hybrid and s\vitchcd systcrns that arc the cornposition of slable dynarnical systcrns (Hranicky. 1993). Ilk arc similarly interested in understanding how the notion of box invariancc. ~i~kii(,ki is sliowri iri tlir 1irir;~r( ~ ~tos I)? r iiltriiisi(~;~lly relateti to tliat of stabilit?; is tr;~iislatrd iri tlir kiyl~ridor s~vitc,lirdsrttirig. F11rtkirririorr.sufficiriit c~oriditiorisfor tkir irlvi~ri;~ii(~r of tkir iritrr(~oriiir~tioii, ;~(~(,or(iirig to Drf. 5; will 1)r (irrivrd. 'So 1)rgiii with: lrt 11s strrss ;L tr(.liili(lllr to ol~tilirisllffifi(.iriit c~oriditiorisfor a 1iyl)rid dyri;~iriic~al systriri.
Proposition 2. Lrt 11s assoc.i;~trto a liyl-xiti systriri 'H a c~orrrspoiidirigsn.itc.kirti systrin S.in;~tir 111) of tlir s;~irir tllplr, rxcrpt for tlir follo~virig two rlrrrirrits: tlir t1oin;~iiisD, = Rr' arid ;L syiribolic n o n decreasing scqucncc G = { 0 . 7 1 . 7 . ~ ....}. Given an initial condition. i f a universal property P holds in all traicctorics of S (given by all the possible tiifircnt scq~lcnccswith t llc Sorrn oS G): tkirii P kioltis ill 'H.
is a liiirar prograrri tli;~t ( x i 1 1)r solvrti iri tiirir polyrioinial ill rtm.
R e m a r k 5. 'I'hcrc is a lot of work (for instance. scc Hranicky (1994)) in describing conditions for the 1.yapunov stability of switched systcrns. 71'hcsc conditions cithcr assurnc the cxistcncc of a cornrriori Lyaplliiov filric.tiori, or rrcp1ir.r tkie prrsrr1c.r of irnlltiplr Ly~~)11iiov filrictioris (orir for rilcli (10rriairi) witki rrrt;~iiis~vit(,kiirigrrstrictioils. Our result ( x i 1 1)r iritrrprrtr(i ;LS follo~vs:a c,orrirriorl 1)ox car1 I-)? tkiollglit of as I-~ririgtkir r(llliv;~lrlitof ;L .'c.oinrrioii Lyaplliiov filiic.tioil" (tlir o1)srrv;~tioris tirvrloprd iri Kr1n;~r.k3 sliolll(i iriakr tliis poilit clear). 'Skir rxplic,it c:orriplltatiori of a gloI-);~lLyaplliiov filric.tioii rrtillcw to solvirig ;L set of lirirar rriatrix irirclllalitirs. Marly rff'orts ki;~\-rI-~rriirriatir to ?;LSr this task (.Joki~iissoi1;~ii(iHilritzrr? 1!108). otlirr~visr.wr iriay irituitivrly wi~iitto (.oirir 111) wit11 c~oriditiorisoil tlir possil~les~i~itc~liirigs by ;~1lo~viiigtkir trajectory to jllinp 1)rtn~rrridorriairis oiily ~vlirriit I-~rloilgsto tlir iritrrsrc.tioil of tkir I-~oxrsof tkirsr tioiri;~iiis: tliis c.oiiditiori ~liifortllrii~trlysrrrris ki;~r(irrto iiriposr. Handling box invariancc for hybrid systcrns {vith general spacial guards is not easy. as we shall later discuss (scc for instance Ex. I ) . Ncvcrthclcss. exploiting the fact that box invariancc is a stronger propcrt,y than stability. we report the following cornposit,ional result, for proving stability of hybrid systcrns (illustmtcd in Fig. I ) .
T h e o r e m 7'. If a liilrar kiyk~ridsystrin is c.oiriposrd of I-)oxiiivariarit lirirar systriiis wit11 a siiiglr spaci;~lgll;~r(i(irs(,ril)r(i1)y ;L kiy~)rrplaiir(.rossirig tkir sli;~rr(ir(llli1il)rillrri~tlirii tlir kiyl)ri(i systrrri is stal~lr.
.l'hc follo\virig result deals with the case of s\vitchcd lincar systcrns. Such systcrns share the origin as a cornrnon cyuilibriurn.
T h e o r e m 6. .A switched lincar systcrn S.charact c r i ~ c dby a set oS vector fields of the forrn: Fig. I . .A planar hybrid systcrn with one single guard (line). as in I'h. 7.
is I-)ox iriv;~rii~lit ilrollrl(i tlir origiri if tlirrr exists ;L siriglr Ilox arolliid n.liic,li rarli of tklr tiyi1arriic~;~l systrrns is I-~oxiinariarlt. 'l'knls? a. s~lfficieritc~oiidition Sor box invariancc is that C,# B; ~ v h c r c the concs C,'s arc defined as in Section 3.1.
'Slir prrvious tkirorriri kiol(1s ~lii(irrr;~tkirrrrstri(,tivr c~oilditioris.Its grrirralizatioii to tlir cxsr of kiyl~ridsystrrns wit11 rrnlltiplr g1l;~r.d~ per (ioirii~iii tiors iiot kiolci.
('hccking whether t\vo concs. both pivoted o n the origin. intcrscct is cyuivalcnt to checking for the iritrrsrc~tioiiof two c.oin-rx sets. IVr rirrd to fiiid a c s~lc,kitliat A,c 5 0 for all i t (1: . . . rn). 'l'kiis
E x a m p l e I . (lonsidcr the follo\ving two-dirncnsional HS charnctcriscd by t ~ v ornodcs with domains coiricitiiilg wit11 tlir ~vkiolrST)R(.P. 11,= D2 = (R+)j: ;~ii(iri~(io~vrd wit11 the followirig vr(.tor fields:
n,tcr
/
,
z'~
x2
i2
x2
-0.1 -1
x2
'
x2
"
/
/
' /
7,
4
-1
................
Assume that there are two edges with the following guards in R2: G~+~(~,
~)=
{~ c R~: ~
(.~, ~ ) =
G~
- 5 . ~ = 0};
{~ c R ~ : 4 ~ - ~ = 0}.
Assume again trivial reset maps, and initial condition ( x s ( O ) , x 2 ( O ) ) = (0.1, 0.1) c D s . In isolation, both linear systems are box invariant and indeed have spiraling convergent trajectories towards t h e origin. The HS though is evidently unstable (see Fig. 2). Notice t h a t
c~ = { ( ~ , ~ ) :
~-
~
c~ = { ( x ~ , x ~ ) : 4 x ~ -
and that Ci rDC2 = ~. ,
/
,
~ 0 A ~ > 0};
N (< +
iEQ
,
\
//
a
6
\, \
\
\
\
£
# 0 A N (cr + iEQ
#0
In conclusion, the concept of box invariance, even though stronger than that of asymptotic stability, is still not fully compositional in the hybrid case. Nevertheless, the sufficient conditions we have proposed for composability are easy to check and quite general. The comparison with the literature on stability of hybrid and switched systems confirms this fact. Furthermore, our sufficient conditions are enough to establish box invariance in many applications, one of which is described next.
\\ \
/
_
T h e o r e m 9. Consider an affine hybrid system 7-/, where each domain has an equilibrium point x~ q, i c Q. 7-{ will be box invariant if the following holds:
x~ _< 0 A x~ > 0};
/
2
will depend on having a nonempty intersection of both the positive and negative cones.
[]
/
C
Fig. 3. Common box (shown in dark) for a two mode positive affine switched system.
8
9
5. A M O D E L F O R B L O O D G L U C O S E CONCENTRATION
Fig. 2. Simulation for Example 1. We finally consider the case of affine hybrid (and switched) systems. For a system of the form - Ax+band equilibrium x ~q A S b, we transform the variables into the new set y - x x ~q and consider the new system ~) - A y . Using the modified matrix A m , we define C - {y c R +" : A n y < 0}. Let us introduce the "negative cone" C - {y c R - " : ( Am)y < 0}. Note that the actual cones, C + x ~q and C + x ~q, are obtained by translating these cones to the equilibrium point. Unlike the linear case, each subsystem could have a different equilibrium point in an affine hybrid system. However, we can still derive sufficient conditions for the existence of a "common box" as in the case of linear hybrid and switched systems (see Fig. 3). T h e o r e m 8. Consider an affine hybrid system 7-t, where each domain has an equilibrium point eq xi ,i c Q, and all variables are bound to be eq positive. 7-{ is box invariant if Aiec2 (Ci + x~ ) -¢ 0.
More generally, if we allow the state space to include negative values, we need to make the condition stronger. Now, the existence of a global box
The following model is taken from (Sorensen, 1985). It is a model of a physiologic compartment, specifically the human brain, and describes the dynamics of the blood glucose concentration. In general, this compartment is part of a network of different parts, which model the concentration in other organs of the body, and which follow some conservation laws that account for the exchange of matter between different compartments. The mass balance equations are the following: VBCBoVI(/I-
Q B ( C B i -- CBo) + P A ( C I PA(CBo
CBo) -- r R B C
C I ) - rT,
where VB describes the capillary volume, 1/i the interstitial fluid volume, QB the volumetric blood flow rate, P A the permeability-area product, CBi the arterial blood solute concentration, CBo the capillary blood solute concentration, CI the interstitial fluid solute concentration, r R B c the rate of red blood cell uptake of solute, and rT models the tissue cellular removal of solute through cell membrane. The quantity P A can be expressed as the ratio V I / T , where T is the transcapillary diffusion time.
363
\I+ allow Y ' to assllirie two diff'rrriit l-al~~c's, wkiicki c,orrrsporid to diff'rrrrit p1iysiologic~;~l situatioris; fi~rtkirrrriorr,wr ;Lssllirir tliirt tlir s~vitc.kiI ~ r t ~ v r r r i tkirsr two c.oiiditioris car1 1 i ~ p ~ ) at r r ii~iiytirrir. 'l'kiis (~11sfor tlir iritroci~~c.tiori of a 1)irriocial s~vitclird rriotirl: c~oiriposrtiby tkir follonririg two tiy11;~inics:
It (.ail 1)r r;tsily c+irc,krd tliat 1)otli rriodrls, (,orisidrrrti ill iso1;~tiori;are 1)ox iinariarit. 'l'kiry tkirrrforr arc stable around t\vo difTcrcnt equilibria. I n Fig. 4 we plot tra,jcctorics for thcsc two systcrns. and dralv sornc boxes (that wcrc obtained frorn the cornputation of the cigcnvaluc ~viththe rightmost real part and its corresponding cigcnvcctor). .Additionally. pivoted on the equilibria. the concs arc shown. I n Fig. 5 the t\vo rcalixations arc shown superimposed: the intcrscction of the t\vo concs is non crnpty (the concs difTcr by only one of their boundaries. as cxpcctcd bccnusc of the relative rnodificat,ion of only one row of the state rnatrix). The smaller one was thus choscn to define the .'global" box. 'l'wo dilTcrcnt simulations. with randorn switching. starting frorn opposit,c initial condilions. arc sholvn in 1;ig. 6. .As can be observed. thc box is iridccd an invariant for the switched system. This box yields a bound on the values of x. 1vhic.h is the brain blood glucosc concentration. 'l'kirsr I-~ollritisR ~ 11srfil1 P to vrrify safety of iiisllliii trr;~tiririitsfor iriocirls of 'l'ypr I ciia1)rtrs patierits.
Fig. 4. Sirnulation of a tra,jcctory for the first(top part) ;~li(isr(~orici(1)ottorripart) systrrri. ;~il(i corriplltatiori of solrir sjrrrilrirtric~al1)oxrs. KEP'LHLNCES
.Abate. A. and A. .17i\vari (2006). The concept of box invariancc for biologically-iris~~irccidynarnical systcrns. '1.cchnical report. 1!(1 Hcrkcley - EE(1S. Arrirs. A,: ,4. AImtr ;~ii(iS. Si~stry(2005). Suficiriit c,orltiitiolls for tklr rxistrric~rof zrlio I-)?lial-ior. 111: Pror:r~~ilirsg.s of the 44th Corrif~r.f:nr:r~ orr Decisio~~, and (:o!rskrol. IEEE.
Fig. 5. ('orripariiig tkir t ~ v otrajrc.torirs: their rrsprc,tivr I-~oxrsarid cwlic,al rrgioiis. 'l'lir first iri solid, tkir srrorici ill cli~skircilirirs.
Fig. 6. R;~iidoirily Switc:liirig Systrrri c.oinposrtL by tlir two tiyiiarriic.;~lsystrrris. wit11 glok~al I-~oxrs. Er;~iii(,ky,AI. (1!104). St;~l)ilitj~ of s~i~itc~lir(i ;~ri(i liyl-xiti systerris. Iri: P~ror:eeilirsgsof tlse ;I;lril (:orr,jf;r.ence on 1)et:isio.n ancl (:ontrol. IEEE. pp. 3498-3503. ('oxsoii~ C.E. (1!194). 'l'kir ~)-irl;~trix prok~lrrriis c~o-ri~)-c~oiri~)lrtr. Mathe.rrcat;rcal Progrwna'rrsirsg 64: 173-178. ox soil^ (: .E. (1!19!1). ('orrip~ltirigrxart I-)o~lli(is 011 rlriririits of ail iiil-rrsr iiitrrl-a1 iri;~trixis 111)liard. Reliable Co,rrsp,nt;rny5 : 137-142. (~liosli~ R. ;~ii(i('. .J. 'l'orriliii (2001). L;~trr:rl iiiliiI~itioritkirougki tirlta-riotc,ki sigiii~liilg:,4 1)irc.r\vise alfinc hybrid rnodcl. In: Hybrid S ~ s l e r n s : Corr~pulalionand Conlrol, HSCC 2001. Vol. 2034 of LN(7,I'. 1 ) ~ ) 232-246. . .Joliarissori~11.aii(i A. Raritzrr (1!108). (:orriplltatioii of pirc:r~visr ly;~p11riovfilri(,tioris for kiyI~ritisystriris. IEEE 'li-w.r~,.saction.s on Auto.rraat;rc Corstr.ol 43. 555-559. Kiriidl, 11.: .J. Ad~rriy ;~ii(iP. Strlzrirr (1!102). Vrc.tor iioriris as lyapliriol- fi~iic.tioilsfor lirirar systcrns. 1bSHb; Transaclions on Aulomalic Conlrol 37. 839 842. 1,ygcros. J . . K . H . Johansson. S.K. Sirnic. J . %hang and S. Sastry (2003). Ilynarnical properties of hybrid automata. 1bSb;bS '1i.ansaclions on Aulorr~alicConlrol48. 2 17. Sorcnscn. J . l ' . (1985). .A physiologic rnodcl of glucose rnctabolisrn in m a n and its use to drsigri arid assess irripro\-rd iiislilili tlirrapirs for tiial~rtrs.PkiI) tkirsis. AII'l'.
Copyright © Analysis and Design of Hybrid Systems Alghero, Italy 2006
ELSEVIER
IFAC PUBLICATIONS
P E R F O R M A N C E V E R I F I C A T I O N OF D I S C R E T E EVENT SYSTEMS USING HYBRID M O D E L - C H E C K I N G Bruno Denis ~, Jean-Jaques Lesage (~, Zulema Jufirez-Orozco (~,(2~
Cl)LURPA-ENS de Cachan, France, {denis, lesage, juarez}@lurpa.ens-cachan.fr ~2)CIA TEQ - Quer~taro, Mexico, PhD grant financed by CONACYT (Mexico)
Abstract: The results generated over the past few years on the formal verification of both Discrete Event Systems (DES) and Hybrid Dynamic Systems (HDS) are quite substantial, especially as regards the controller's properties of liveness and safe~. In this paper, we will study the range of possibilities offered using the model-checking techniques in order to evaluate DES performances (in terms of quality of service provided by the automated system). This task calls for proceeding with a model-based approach that couples a hybrid model of the plant with a timed discrete model of the controller. We will also show, using a basic example, that by parameterizing the hybrid process model, the model-checker may then be employed to evaluate the robustness of the discrete control to perturbations encountered by the plant. Copyright © 2006 IFAC Keywords:DES controller, hybrid plant model, model-based verification, modelchecking, linear hybrid automaton, HYTECH.
1. INTRODUCTION A physical system is not, in most cases, intrinsically either purely discrete or purely continuous; instead, it's the abstraction the control engineer undertakes to ensure automation specification is being met that lends one distinction or the other. In the area of manufacturing systems for example, many processes have mobility axes that enable products to circulate, establish their position, etc.; consequently, some of the major physical variables controlled are either displacements or speeds. Depending not only on the level of quality to be guaranteed for these controlled variables, but also on the aggressiveness or variability in the external environment (e.g. type and importance of perturbations, parameter variation interval for the law of movement) and on the relative weight of economic constraints, the control engineer is required to choose between a servo control or a discrete control for each of these axes. Such automation-related choices will yield the physical variables to be observed and controlled by the controller, with either continuous or discrete control abstraction. Once the requisite displacement axis positioning quality has been achieved and provided that the perturbations encountered remain tolerable,
the control engineer will then select a discrete control for obvious cost reduction reasons. This discrete displacement control, despite often being able to accommodate mobile positioning quality requirements, still constitutes an abstraction, and as such necessarily a simplification of the associated physical variables. The logic control of a linear displacement between two extreme positions, observed by means of two limit switch sensors, clearly does not enable ascertaining the precise position of the mobile, nor the time elapsed to complete this displacement. Satisfying industrial system dependability requirements often necessitates conducting offiine analyses, such as formal verification, before placing the automated system into operation (for further information on this topic, see the standard IEC 61508 entitled "Functional safety of electrical / electronic / programmable electronic safety-related systems "). These verifications, which are now frequently performed by means of model-checking (MacMillan, 1993), may be practiced by electing to incorporate or not a plant model. In this paper, our efforts have focused on checking systems composed of a discrete controller coupled
365
algebraic statement denotes that "the system model satisfies the set of properties co") or, when such is not the case, to propose a counterexample that revokes those properties not verified by S. Moreover, a DES may be represented in a generic manner, as shown in Figure 2: a discrete controller acting in a closed loop on a plant. As part of a dependable controller design approach, the system being targeted for verification can thus be (according to Frey. and Litz, 2000) either the controller on its own, presumed to be operating within an open loop on the plant (a non "model-based" verification), or the {controller+ plant} assembly set interacting within a closed loop ("model-based" verification).
with a continuous (or partially-continuous) physical process whose entire set of observed and controlled variables constitute discrete abstractions of physical variables. To proceed, we will make use of modelchecking techniques by coupling the discrete controller model with a hybrid plant model; this setup will demonstrate that beyond the liveness and safe~ properties, it is indeed possible to check whether automated system performance is compatible with that stipulated in the specifications. We will also show that by parameterizing the hybrid process model, it becomes possible to use the modelchecker to evaluate the robustness of discrete control to perturbations encountered by the plant. This paper has been organized as follows. After having recalled the possibilities and limitations of both DES and HDS model-checking, we will introduce the expectations derived from a hybrid plant model for veri~ing a discrete controller. In order to illustrate our approach, the paper's second part will present the example of a positioning axis, which represents a component of a more complex assembly system. We will thus be able to show that use of a model-checker (such as HYTECH), by implementation of a hybrid process model, makes it possible to verify the expected performance of this DES. Furthermore, a sensifivi~ study conducted on model parameters will allow evaluating the robustness of discrete control when confronted with perturbations.
Controller information [
Formal verification techniques stem from the field of computer science. Only recently have they been adapted and applied to DES verification and, more specifically, to model-checking (Clarke E. M., et al., 1986). The general principle behind model-checking may be expressed as follows (see Figure 1).
Formal model of system behaviour: S (automaton)
Formal model of properties: ~0 (temporal formula)
",,
~--
The research work focusing on DES verification initially favored a non model-based approach (Moon I., 1994). The reachable state space of the controller model is thus to be built in the most permissive manner possible, i.e. such that the evolution of its inputs are in no way constrained by plant behavior. In this case, the safe~ properties capable of being demonstrated provide the basis for strong proof given that they can be demonstrated regardless of the evolution in controller inputs. On the other hand, a good number of liveness or accessibility properties cannot be demonstrated via a non model-based model-checking approach given the often fast,paced combinatory explosion of the reachable state space. One means for reducing this combinatory explosion, using realistic constraints that depict the interaction of plant behavior with controller behavior, is to conduct a model-based verification. (Rausch and Krogh, 1998), (Machado, et al., 2003). Through reliance upon these results, we are now in a position to study the possibilities offered by the model-checking procedure in evaluating DES performance (in terms of quality of service provided by the automated system). To accomplish this task, it is necessary to undertake a model-based approach by selecting a hybrid plant model. The physical variables of the plant, and not their discrete abstraction by the controller, are what give the actual performance measures to be evaluated. The coupling of a hybrid plant model with a discrete controller model thus leads to a Hybrid Dynamic System (HDS) verification problem. We will now proceed by recalling the basic knowledge acquired and current limitations of liDS verification.
2.1 DES ver~cation.
Expected Properties
Plant
Fig. 2. A generic closed-loop DES.
2. ACQUIRED KNOWLEGE AND LIMITATIONS FROM AUTOMATED SYSTEM VERIFICATION
System to be verified
control instructions
J Model-checker ?
s~e Yes / No (+ diagnosis)
Fig. 1. Model-checking scheme. Let's start with a system that has been designed to veri~ an entire array of properties (logical correctness, dependabili~, liveness, etc.). The first task of model-checking consists of formalizing system behavior in the form of a finite state automaton: S, plus the properties to be verified within a temporal algebra such as CTL (Emerson and Halpern, 1986): ~. The model-checker then conducts a thorough analysis of the state space reachable by S, which serves either to prove that S ~ ~ (this
2.2 Hybrid systems ver~cation. While model design using hybrid automata is not exactly straightforward, their semantics is welladapted to the analysis of HDS behavior. We will then assume that HDS verification is tantamount to exploring the reachable state space of a hybrid automaton. When framed as such, the fundamental
366
problem of HDS verification becomes one of computing the reachable state space of a hybrid automaton from an initial region. Not only is this computation prone to encountering a rapid combinatory explosion, but in the general case the problem is not-decidable, i.e. impossible to identi~ a computation algorithm with guaranteed convergence (Henzinger, et al.,1995a). The linear hybrid automata (Alur, et al. 1995) constitute a category of hybrid automata that places verification within the domain of a decidable problem and for this reason, such automata have been selected for the purposes of our work. From an other hand, modular approaches are essential for modeling and veri~ing of industrial systems. This is why we felt that the HYTECH tool (Henzinger, et al., 1995b) was adapted to our needs, by virtue of allowing for the verification of models obtained by composition of linear hybrid automata. With the context and objectives of our research now established and both the category of hybrid automata and model-checker selected, we will turn our attention next to presenting our approach for verifying discrete control performance via the assessment of a pertinent example.
logical inputs and 50 logical outputs are managed by the PLC. The control model, written using Sequential Function Chart(SFC) syntax according to IEC 61131-3 standard has been verified with a timed model-checking technique (Bel Mokadem, et al., 2005). The objective of our study herein consists of verifying whether the quality of the positions obtained using such a discrete control is compatible with the precision required by the process. This concept of precision only takes on meaning with respect to the positioning of objects manipulated by either a displacement axis or a group of combined axes. It is thereby unnecessary to include the entire control model and the plant model in order to verify position quality, but rather just the subset that pertains to control of the axis (or group of axes) involved in the studied displacement. Our investigation will focus more heavily on the displacement axis of station 2 (Fig. 3b), with the only relevant information available for displacement control being given in Figure 4.
3. A CASE STUDY
3.1 Presentation of the production system. The system we are targeting is one of assembling/disassembling bearings within gears; it comprises four workstations (see Figure 3a). The four workstations pertain respectively to the following functions: loading at the beginning of the line (Station 1); identification of the gear material and eventual presence of a bearing (Station2); insertion or removal of a bearing in the gear (Station 3); and gear sorting, taking into account the material, in anticipation of their unloading (Station 4). This entire assembly line is controlled by a Programmable Logic Controller (PLC). 3.b - Station
3.c - Test station
Fig. 3. Assembly/disassembly line. Control of this assembly system is purely discrete; since this proves to be the most typical case for such systems, seeking more competitive costs leads to avoiding servo controls as much as possible in favor of logic controls. All continuous physical variables of the process being controlled (which for the most part consist of positions) are thus observed and controlled via their discrete abstractions. In all, 82
Load~os ~,,.~....: Test~os
Unload~os
Fig. 4. Displacement axis of station 2. The gear is initially located on the conveyor at the loading station (Load_pos). A motor rotation order in a clockwise direction (Go to test) implies the conveyor in displacement to the test position (Test_pos), a detailed view is provided in Figure 3c. For the test to be successfully conducted, stopping precision must be < 1.5 mm. The conveyor position between these two discrete positions is denoted X. When the presence test of a bearing is completed, a subsequent motor rotation order in the clockwise direction positions the gear, where it gets unloaded (Unload_pos). A motor rotation in the counterclockwise direction then brings the conveyor into the loading position, where a new cycle can be launched. We are seeking to quantify the precision of gear positioning at the test station, enabled by this discrete control along the path Load_pos Test~oos, so as to verify whether this precision is compatible with specification. Execution of this task will entail application of hybrid model-checking using the HYTECH tool (Henzinger, et al., 1995b).
3.2 Modelling. The model of the entire {controller + displacement axis} set, which allows this positioning quali~ verification, has been laid out in Figure 5. The hybrid automaton is composed of two synchronized automata.
367
Controller
(Tc=0)/x(X<Xtest) ~ , , , ~ TC:=[Tcmin,Tcmax] " Q1 N~
,J~ X:=0 ~ . . , , Displacement _/Load~osN~ axis
synchronization event thereby triggers controller automaton re-initialization at the same time it activates the Test_pos situation of the displacement axis automaton. Figure 6 shows the synchronization of the two automata presented in Figure 5 by the stop event as well as the evolution in continuous variables Tc and X. The axis positioning error at the level of the test station thus results from the time lag between the moment the axis reaches the Xtest position and the moment the PLC is able to react at this event in the input reading phase, with the consequence being that the axis stop order may be issued either within the same PLC cycle or one cycle later. The experimental campaign conducted using HYTECH has revealed this finding and the following discussion is intended to provide greater detail.
>_>0 1
\stop
~ 2c;o°:=ETomin,T.... ] ~
~°P°:=[ D°min0D°max]
Fig. 5. Hybrid automata of the axis control. The automaton that model electromechanical axis contains three discrete locations: two correspond with conveyor stopping positions at the extremities (Load_pos and Test_pos), and the other location corresponds with the movement phase between these extreme positions (Go_to test). The return to loading position, which does not enter into the scope of the present study, is modeled by means of a timer with variable duration D0. The two continuous state variables associated with this automaton are conveyor position X and timer duration D0. Upon initialization, the conveyor is placed into the loading position and hence X - 0 . Both of the stopping situations are associated with the function dX/dt-- 0 (denoted X = 0); the movement location is associated with a continuous dynamics of the form X = a, with a representing a rational constant arbitrarily chosen within an interval: [Vmm, Vmax]. This arbitrary assignment of constant a enables abstracting the variability in conveyor displacement speed due to perturbations undergone by the displacement axis (mechanical friction, resistant torque on the motor axis, kinematic nonlinearities, etc.). Two synchronization events with the automaton used for modeling controller behavior, called start and stop respectively, are associated with the transitions that correspond to the conveyor movement phase. The automaton that models controller behavior is composed of four discrete locations and is initialized at location Qo. The start synchronization event with the axis automaton shows that the motor starts up during a PLC cycle change, The monitor of this PLC is of the "periodic" ~pe, indicating that execution of the control program is to take place according to a constant-duration cycle (see Figure 6), which the user is required to setup in PLC. In practice, this cycle duration undergoes slight variations (on the order of 1%), called "jitters". To translate these operations into the hybrid controller automaton, the duration of each PLC processing cycle(Tc) is assigned an arbitrarily-chosen value within an interval: [TCmin,TCmax]. Once location Q~ has been entered, the automaton remains there until the axis has traveled the distance required to position it in alignment with the test station (at which point X=Xtest). Locations Qla and Qlb serve to translate that this information is taken into account by the PLC during the subsequent input reading phase, followed by processing and then execution of the motor stop order (Figure 6). The stop
Tc
PLC
'
"i
cycles ~ III ~ I°llI ~ ~ ~ t°V]~ ~T- ~111 ~ IoIII T q
C~;tr21/er ~
l
Q1
×test Axis
T
automaton PLCphases:~
top
q
n i t
position error
Qla I elb l
Go_to_test Inputreading
QO
- -
~stop l Test~os q
t I1~ t Treatment[-7] Outputwriting
Fig. 6. Synchronous evolutions of automata.
3.3 Implementation and the experimental protocol. All of our experiments have been carried out by constraining the variation of duration the conveyor's return to the loading position (Do) over the interval [3000ms, 3500ms] (which thus yields Domin = 3000ms and D o m ~ = 3500ms). Moreover, the abscissa (Xtest) of the conveyor at the test station is 80 mm. Given that these data remain fixed, the HYTECH code obtained from the hybrid automaton shown in Figure5 is a parametric code, with intervals [Tcmin, Tcmax] (for the cycle time to be adjusted on the PLC) and [Vmin, Vmax] (for the translation speed of the conveyor subjected to perturbations) constituting the two parameters. For each experiment, numerical values are ascribed to these two intervals. The model-checker then computes the region the automaton is capable of reaching from its initial region. We will initially derive the intersection of this reachable region with the discrete location Test_pos so as to build the accessibili~ domain of the axis position, which is then obtained by projection of this sub-region with respect to the variable X. The set of positions reached by the conveyor thus assumes the form of an interval on X. As an example, for Vmin = Vmax = 200mm/s, Tcmin= l lms -°5~ and Tcmax = l lms +°5%, the conveyor stopping position in front of the test station is contained within the interval [83.182ram,
368
84.018mm], which represents a resultant position deviation of 0.836mm. 3.4 Position-stopping quality without perturbations.
For this initial study, the hypothesis has been adopted that the conveyor is not submitted to any perturbation. Its translation speed is thus presumed to be constant and yields: Vmin = Vmax = 200 mm/s. The changes in conveyor stopping position may then be observed as a function of the PLC cycle time value when such value varies by more or less than 0.5% around the period adjusted by the user (the socalled jitter phenomenon described in Section 3.2). Figure 7 reveals that the positioning error evolves in accordance with two phenomena that we will now differentiate. The first corresponds to a systematic error (positive slope line passing through the average error interval value), which can be corrected by an adapted adjustment of sensor position Test_pos. The second phenomenon is homogeneous to a random error (the fixed interval deviation on the positions reached for a given 7"c), whose general amplitude shape increases with PLC cycle time. It can nonetheless be remarked that for certain 7c values (e.g. Tc = 9ms or T c - 13.1ms), the range of these "random" errors is narrower than that for proximate 7c values. The existence of these particular zones of smaller positioning error, while PLC cycle time is increasing, highlights a non-trivial temporal correlation phenomenon between the PLC cycle and occurrence of the test position arrival event depicted in Figure 8. 87 86
~
of the same PLC cycle and the error range will always solely depend on the jitter and cycle number N (this configuration will be referred to as "Scenario 1" in the following discussion). On the other hand, should the ratio between the distance traveled and 7"c be such that a variable number of cycles is necessary for conveyor displacement, the stop order may then be issued at the end of the various PLC cycles (Figure 8c). The error range is thus merely a function of 7"c (this configuration will be called "Scenario 2").
{Xtest}
(a)
lxtest}
(b)
III q
I Xtest
XI~
(c) Fig. 8. Correlation b e ~ e e n occurrences and stop order.
Tc,
Xtest
event
Figure 9 clearly highlights this phenomenon. For Scenario 2, the stopping range is proportional to the cycle time value. Whereas for Scenario 1 positioning error is independent of cycle time (at least up to the limit of values selected for our experiment). If specifications call for a maximum positioning error in 7"est_pos of 1.5mm, the PLC cycle period has to be set at a value of below 7.4ms. If the full PLC load (for execution of the overall assembly line program with its 82 inputs and 50 outputs) does not enable parameterizing such a low cycle time, it would then be necessary to target a Scenario 1 parameterization, e.g. 9.0ms or 13.1ms. 3.5 ¸
dX/dt = 200 mm/s Tc jitter = +0.5 %
g (D 2.5
Tc(ms 0
i
i
2
4
5.1
i
6
8
9
i
i
10
12
13.1
14
Scenario 2
H
/~ Scenario 1
16 1.5
Fig. 7. Conveyor positioning error. When the temporal detection region of the X=Xtest event has been included within a single PLC cycle, conveyor stopping will systematically be controlled during the subsequent cycle output assignment phase (see Figure Sa). In contrast, while the temporal detection region of the X=Xtest event straddles two PLC cycles, stopping will intervene during the output assignment phase of one of the two subsequent cycles (Figure 8b). The range of the stopping zone will thus increase. This temporal dispersion in stop order execution is heavily correlated with the PLC cycle time jitter (Figure 8c). Though the ratio between the distance to be traversed and 7"c is such that, despite the jitter on 7c, the number N of PLC cycles elapsed between the conveyor start order and detection of the test position (X=Xtest) is the same with each new conveyor displacement from X=O to X=Xtest, the conveyor stop order will always be issued at the end
0.5
5.1 0
2
4
9 6
8
13.1 10
12
14
16
Fig. 9. Conveyor positioning error range. 3.5 Positioning robustness.
It has already been demonstrated that the PLC cycle time may be judiciously chosen in order to guarantee the quali~ of conveyor positioning under a hypothesis of no translation speed perturbations. Figure 10 presents the results from experiments conducted in order to evaluate the influence of such perturbations on positioning quali~ for a given cycle time Tc=13.1ms (which remains contaminated with a jitter o f + 0.5%). This curve shape is the same for Tc = 9ms or Tc = 5.1ms,
369
4. CONCLUSION AND OUTLOOK 2.5 2
./
~" X ~
1.5
J
In this paper, we have focused on the verification of systems composed of a discrete controller coupled with a continuous (or partially-continuous) physical process, whose full extent of observed and controlled variables are logical abstractions of physical variables. For that, we employed a model-checking technique that couples the timed discrete model of the controller with a hybrid plant model. By relying upon a case study, we showed the possibili~ of verifying whether or not system performance is compatible with the specifications. By parameterizing the hybrid system model, it becomes possible for the model-checker to evaluate discrete control robustness to plant perturbations. According to this approach, HYTECH has proven to be an efficient tool. It goes without swing that the size of the model being verified must remain compatible with the difficulties inherent in the wellknown combinatou explosion phenomenon typical of model-checking. For this reason, it is necessary to limit performance verification to just the {control + plant} subsystem involved in deriving the evaluated variables. Determining this subsystem being targeted by performance verification along with building the hybrid model used as the abstraction are the current focus of a complementary research project.
Tc = 13.1 ms Tc jitter = +0.5 %
1 ~ 0,5 0 0.0%
Speed Perturbation 0.8% 0.5% 1.0%
i
1.5%
2.0%
i
i
i
2.5%
3.0%
3.5%
4.0%
Fig. 10. Effect of conveyor speed perturbation. Two distinct zones appear on this curve. Above 2% speed perturbation, the positioning error is basically constant; this corresponds to Scenario 2, for which the error range is directly correlated with Tc without any major influence on the speed-related perturbation. Below this 2% level, the error increases linearly with perturbations since the system here is behaving according to Scenario 1, which is sensitive to both the jitter on Tc and perturbations on the conveyor translation speed. For a requirement that limits the positioning error to 1.5mm, it thus becomes necessary to ensure that speed perturbations remain less than 0.8% (in the case of a PLC adjustment to Tc=13.1ms). Should such not be the case, adopting a servo control in the conveyer position would need to be examined. 3.5 Assessment o f the use o f HYTECH.
REFERENCES
The results provided above have necessitated several hundreds of model-checking experiments on the hybrid automaton shown in Figure5 using the HYTECH tool, with different parameter sets being introduced for each experiment. The search for the reachable region of a model never took more than 5 minutes and, in most instances, 30 seconds were sufficient. Computation time did not therefore pose any problem for this study. The primary difficulty encountered had to do with the interruption of teachability computations due to exceeding the integer limit value (2 64) during the region computation step. Our case study did necessitate manipulating numerical values with quite varied scales. As an example, the conveyor position progressed over a total path length of 80mm, whereas the calculated stopping error at times amounted to just a few hundredths of a millimeter. For all of the distances manipulated, numerical values out to 4 significant digits thus had to be used. The same difficulty gets magnified when manipulating time since the duration of the conveyor position return lasts approximately 3s, while a ~- 0.5% jitter on Tc - l m s equals + 5/as; seven significant digits therefore proved necessary. This numerical value coding is very detrimental when running HYTECH, which interrupts the computation of regions once the integer coding capacity has been exeeded, thereby making it impossible to draw any conclusion on the current verification. In order to avoid this predicament, the units for each model parameter set have been adjusted. For example, depending on the value of Tc, the time unit has been fixed at 1~as, 10~as or 100/as, which makes only 5% of the verifications inconclusive.
Alur R. et al. (1995). The algorithmic analysis of hybrid systems. Theoritical computer science, Vol. 138, p. 334. Bel Mokadem H., B6rard B., Gourcuff V., Roussel J.-M., De Smet O. (2005). Verification of a timed multitask system with UPPAAL. Proc. of 10th IEEE ETFA, CDRom paper, 8 pages, September, Catania-Italy. Clarke, E. M., Emerson, E. A. and A. P. Sistle, (1986). Automatic verification of finite state concurrent system using temporal logic. A CM Trans. on Programming Languages and Systems Vol. 8, n ° 2, p. 244-263. Emerson E.A. and Halpern J.Y. (1986). Sometimes and Not Never revisited: on branching versus linear time temporal logic. Journal of the ACM. Vol. 33, n ° 1, p. 151-178. Frey G. and Litz L. (2000). Formal method in PLC programming. Proc. of IEEE SMC'2000, CDRom paper, 6 pages, October 8-11, Nashville, USA. Henzinger T.A., Kopke P.W., Puri A., Varaiya P. (1995a). Waht's decidable about hybrid automata ?. Proc. of the 27th annual ACM Symposium of Theory of Computing, p. 373-382. Henzinger T.A., Ho P.-H., Wong-Toi H. (1995b). A user guide to HyTech. Proc. of TACAS, Lecture Notes in Computer Science 1019, Springer-Verlag, p. 41-71. Mac Millan K.L. (1993). Symbolic model checking, Kluwer Academic. Moon I. (1994). Modeling programmable logic controllers for logic verification. IEEE Control Systems, Vol. 14, n ° 2, 1994, p. 53-59. Rausch M. and Krogh H. (1998). Formal verification of PLC programs. Proc. of ACC '98, Philadelphia, USA.
370
Copyright © Analysis and Design of Hybrid Systems Alghero, Italy 2006
ELSEVIER
IFAC PUBLICATIONS
VERI FI C ATI O N-INTEG RATED FALSIFICATION OF NON-DETERMINISTIC HYBRID SYSTEMS Stefan Ratschan * Jan-Georg
S m a u s **
* Max-Planck-Institut fiir Informatik, Saarbriicken, Germany ** Albert-Ludwigs- Universit5t Freiburg, Germany
Abstract: This paper provides a method for coupling safety verification algorithms for non-deterministic (and, in general, non-linear) hybrid systems with the ability of finding concrete counterexamples, i.e., with falsification. Such a tight integration of verification with falsification has the advantage that verification a t t e m p t s guide the search for concrete counterexamples, and endless attempts to verify unsafe systems or to find counterexamples in safe systems can often be avoided. Copyright © 2006 IFA C Keywords: hybrid systems, verification, falsification, simulation, testing
1. I N T R O D U C T I O N For debugging designs of embedded systems, it is essential to be able to falsify hybrid systems, i.e., to find concrete counterexamples to a given property (e.g., safety). This is usually done by checking the results of simulation runs. However, such an approach has the disadvantage that one might continue looking for counterexamples although there are none, since the system fulfills the sought property. Also, simulation usually requires considerable user intelligence for avoiding redundant runs, determining the necessary time horizon, and canceling obviously useless simulation runs. Moreover, for systems with non-deterministic evolution, even from a given starting point there are uncountably many different trajectories that might be a counterexample. Hence it usually does not suffice to simulate with a fixed instantiation of the non-deterministic values in the specification 1 This work was partly supported by the German Research Council (DFG)as part of the Transregional Collaborative Research Center "Automatic Verification and Analysis of Complex Systems" (SFB/TR 14 AVACS). See www.avacs, org for more information.
of the given hybrid system, since these values might change over time (e.g., due to changes of the system input or changes in the environment). In this paper, we consider non-deterministic systems, and take a step towards avoiding these problems by an approach that is integrated into verification, and that solves for counterexamples instead of blindly searching for them in the space of all possibilities opened by non-determinism. The verification we have in mind is based on a finite abstraction of the infinite state space of a hybrid system. The safety of the abstract system implies the safety of the original system, and by successively refining the abstraction, it is often (but not always, due to resource and decidability limitations) possible to find an abstraction that is safe, provided the original system is safe. Thus, by integrating the method presented here into such an abstraction refinement loop, on the one hand we avoid endless refinement for systems that have an unsafe trajectory, on the other hand we avoid endless search for an unsafe trajectory for safe systems. Moreover, by using information computed by the verification engine, the approach
371
The systems we consider are non-deterministic in the sense t h a t the flow constraints are typically inequalities, as in the example just given, rather t h a n equations. We do not need to define precisely when a system is (non-)deterministic or give some measure for the degree of non-determinism. It suffices to note that the more non-deterministic the system is, the more likely it is t h a t our m e t h o d will find an unsafe trajectory.
can often avoid trying to find counterexamples in parts of the state space t h a t do not lead to an unsafe state. Furthermore, by following the statespace partition of the verification engine instead of the usual time partitioning of simulation, the approach avoids r e d u n d a n t recomputations for the same part of the state space, and is not restricted to a certain time horizon. By non-determinism, we refer to systems where the flow of the real variables within one control mode is not uniquely determined, but rather, this flow has a whole set of evolution possibilities at any time point. In this case, there is hope t h a t a flow described by piecewise polynomial functions fulfills the (in general, non-linear) flow conditions. This observation is the basis of our method. We formalize constraints t h a t imply the existence of a trajectory leading from an initial to an unsafe state, and solve these constraints, arriving at connection points between the pieces.
Concerning the verification, we assume an abstraction refinement algorithm (Clarke et al. 2003, Alur et al. 2003, Ratschan and She 2005) for verifying safety properties of hybrid systems. Such m e t h o d s decompose the state space into pieces, and based on that, construct a finite system (the abstraction) whose safety implies the safety of the original (concrete) system. The abstraction consists of abstract states, which are pairs consisting of a mode (i.e., an element of M ) and a subset of the continuous state space (i.e., a subset of RIxI). How these sets are represented depends on the verification technique, e.g., they could be polyhedra or hyper-rectangles--however, the material of this section is independent of the chosen representation.
The limitation of our m e t h o d to non-deterministic systems can also be interpreted as follows: given a system t h a t is deterministic (the flows are uniquely determined), one could relax the flow constraints to a certain extent to make the system non-deterministic, and then apply our method. If an error p a t h is then found, one can argue t h a t the original system is very close to an unsafe one. From a practical perspective, similar conclusions arise in b o t h cases: one could either say, to be on the safe side, one should assume t h a t systems behave non-deterministically within a certain range, or, to be on the safe side, one should reject systems t h a t are close to an unsafe one.
Given an abstract counterexample consisting of a sequence of abstract states (m0, B 0 ) , . . . , (rnk, Bk) such t h a t (rn0, B0) is initial and (rnk, Bk) is unsafe in the abstraction, we try to find points (m0, x 0 ) , . . . , (rnk,xk) such t h a t xi c Bi for all i c { 0 , . . . , k } , and such t h a t there is a piecewise polynomial trajectory of the hybrid system t h a t follows (rn0, x 0 ) , . . . , (rnk, xk), with (rn0, x0) initial, and (rnk,xk) unsafe. By piecewise polynomial, we mean t h a t the trajectory within one mode is a continuous curve composed of (in general) several polynomial pieces.
2. M E T H O D
So we try to find a solution to the constraint
We assume t h a t the hybrid system is given using a tuple of families of constraints
(
A
c
A init,.o(Xo) A
iE{1 .... ,k}
(InitmeM, Flowmev, Jump.~,.~,cM, Unsafeme~),
A
where M denotes the set of discrete modes, Init,~ specifies the set of initial states in mode rn, the constraint Flow,~ the possible continuous flows in mode m, the constraint Jump,~.,~, the possible discontinuous jumps from mode rn to mode rn' and Unsafe,~ the set of unsafe states in mode rn. These constraints may contain elements of a finite set X of continuous state variables. The flow constraints may in addition contain dotted versions of the continuous state variables t h a t denote their differentiation, and the j u m p constraints may in addition contain primed versions of these variables t h a t denote their value after the jump. As examples, consider the flow constraint sin x 1 < a~ A :b < sin x + 1, and the j u m p constraint x' x + 1 which denotes the fact t h a t the j u m p increases the variable x by one.
(J~tmPmi
l'grLi
(xi
1, X i ) V
iE{1 .... ,k} (?Tti_ 1
?Tbi A j~ OW m .i ( X i 1 , X i ) ) ) A
u~f~,(x~)
(1)
which we call the concretization constraint. This uses the constraints defining the given hybrid systern (the ones with uppercase first letter), except the constraint defining the flow, since it contains the differentiation operator, which we would like to avoid. Since we assume t h a t our input system is non-deterministic, the set of trajectories from x i - 1 to xi fulfilling Flow,~ will in general consist of a central trajectory together with a certain neighborhood around it. Hence, one can find a polynomial approximation of the central trajectory t h a t also fulfills Flow,~. If the neighborhood
372
is sufficiently large or x~ 1 and xi sufficiently close, the polynomial t r a j e c t o r y might even be linear.
An especially i m p o r t a n t class is the class where Oa is linear, i.e., Ca,.ao(t) -- a l t + ao, where a l 6 R x l ao C IRIx
So we assume a polynomial function 0~ that gives us for a given time point in an interval [0, r-] the corresponding value of the trajectory. Here, a is a vector of p a r a m e t e r s (real numbers) t h a t specifies o~ in some way t h a t we deliberately leave open at this point. We will later be more specific.
So we have: traj (x, y, @~1~o, r-) = Oal.ao (0) -- X
ao
-- x
i
¢ a 1 .ao ( r )
(4)
Y --
A air- + ao -- y,
and constrm(Oal,ao, r-) =Vt C [0, 7-] [ F l o w m ( a i t @ a 0 , a 1)]
Hence we define flow m (x, y) =
(5)
Now we can solve (4) for a0 and a l , and substitute the resulting terms in (5) which thus becomes
3a3r- > 0 [traj(x, y, Oa, r-) A constrm(Oa, r-)].
(2)
Vt c [O,r] EFlow.~(y
Here t r a j ( x , y, 0~, r-) models the fact t h a t function o~ leads to a t r a j e c t o r y of length r- from x to y, and c o n s t r , ~ ( ¢ ~ , r ) models the fact t h a t the t r a j e c t o r y (ha fulfills the differential constraint Flow,~ valid in mode m in the time interval [0, r-].
7-
and (2) becomes Flow n ( Y
3 r > 0Vt e [0, r]
X t+x,
y-
r
x
)
7-
(6) We call Flow convex if for every vector c c IR2Ix and vector d e R 21xl, if Flow(c) and Flow(d) hold, then for every .~ c [0, 1], also F l o w ( A c + ( 1 )~)d) holds.
So we define traj (x, y, Q~, r-) Ca(0)-
x)]
Xt + x Y 7-
x A ¢~(r-)--y,
and constrm (¢~, r-) =
w
I0,<
(3)
where F l o w n is the constraint defining the flow of the given hybrid system in mode m. Now observe t h a t we have to solve the constraint f l o w n ( x , y) m a n y times for a given input system, since it occurs k times in (1), and since (1) has to be solved over and over again in the verification/falsification loop sketched in the introduction. Hence we would like to arrive at a formulation of f l o w r ~ ( x , y) for which it is as easy as possible to check whether it has a solution.
In general, flow__constraints of the form F l o w ( x , 5:) A x + b < i: < A x + b, where A, A are a X × X matrices, and b, b are vectors in IRIXI, are convex. This follows from the trivial arithmetic facts t h a t e < e I implies Ae < Ae', for every A > 0, and t h a t e 1 < ei f e2 < e 2 I implies el + e2 -< e~ + e; • Now if 0a is a linear function and Flow,~ is convex, t h e n (3) is equivalent to
i.e., the universal quantification can be replaced by a conjunction referring to the endpoints of the quantified interval. Note t h a t just convexity of F l o w n or linearity of aSa alone are not sufficient.
Observe t h a t flow n (x, y) contains several quantitiers. Assume that we have a given, fixed input system containing only polynomial constraints with a certain constraint Flow,~ defining the possible flow in mode m, and a class of functions Oa containing only polynomials, in which we search for concrete trajectories. Then, due to the classical result (Tarski 1951) that the first-order theory of the real numbers with addition and multiplication admits quantifier elimination, it is always effectively possible to find an equivalent formula without quantifiers.
Thus (6) can be simplified to 3r- > 0 F l o w n ( X , y - x ) A Flow m (y, y - x ) ] 77J
(7)
Now we assume, in addition to the linearity of Ca,
that Flow~ is of the form P(x) < x < P(x). So (7), i.e. (2), becomes F ( x ) < y - x < -F(x) A F ( y ) < y - x < -fi(y) 7-
7-
t h a t is _
r-F(x)
In spite of the fact t h a t quantifier-free constraints are easier to check t h a n constraints with quantifiers, we do not opt for automatic quantifier elimination since it can be very costly and lead to a big increase in formula size. Instead, we will try to identify problem classes corresponding to special cases for these constraints for which manual quantifier elimination will yield simple and useful results.
< y-x
_
< r-F(x)Ar-F(y) < y
x < r-F(y) _
If we again take the case F.(x)
_
A x + b_b_,F ( x )
Am + b, we get m
r-A.x+b__ < y
x < r-Ax+bArAy+b
< y
x < r-Ay+b
t h a t is x + T A x + b < y < x + T A x + bA y
373
r-Ay+b<x
rAy+b
For example, in the case x + y - 0 A x y -= 0 and a starting interval [ 1, 1] for both x and y, these intervals cannot be pruned, although there is only one solution the origin. Still, for certain cases (e.g., for constraints in which no variable occurs more than once), the result of constraint propagation will be tight. Hence, in this case, if constraint propagation yields non-empty intervals, the constraint has a solution, and we do not need numerical local optimization at all.
and equivalently _
_
(I + r A ) x + b < y < (I + r A ) x + bn
(I
r A ) y + b < x < (I
rA)y + b
One might want to derive special methods for this specific constraint, however this is beyond the scope of the current paper. Considering the concretization constraint (1) and its special forms shown above, we know: For a given abstract counterexample, if there is a solution to the corresponding concretization constraint, then there is a trajectory from an initial to an unsafe state following this abstract counterexample, i.e., a concrete counterexample. We will show how to solve the concretization constraint in the next section.
3. C O N S T R A I N T SOLVING We only consider cases where the universal quantifier of (3) has been eliminated (due to convexity), and where Ca is linear (although F l o w n , while convex, might still be non-linear). Then we are left with (7) whose quantifiers are only existential. For finding solutions, it suffices to drop the existential quantifiers, and finding a solution in all variables, including the ones that were existentially quantified before. One could solve the concretization constraint using numerical local optimization techniques. However, these need good starting points to be able to find a solution. For this we use interval constraint propagation techniques (Davis 1987, Cleary 1987). These can, given an interval for each variable in a constraint, prune these intervals to smaller ones without losing any solution of the constraint. After constraint propagation we can use the midpoints of the resulting intervals as starting points for local optimization.
However, also in our application interval constraint propagation is not necessarily tight: Assume a 2-dimensional system with just one mode m, whose flow constraint Flow m is given by Xl 1 < Xl < X1 + 1 A a52 1, and assume interval vectors x - - ([0,0],[0,0]) and y - ([ 5,5],[5,5]). Then propagation of (7) wrt. the second conjunct of Flown will result in the interval w c [5, 5]. Further propagation will yield the interval [-1.25, 1.25] for the first component of y. However, computation of the explicit solution of the borderline cases of Flowm shows that this is an overestimation of approximately 25%. For example, for y (1.25, 5), the trajectory would have the slope (0.25, 1), and these values do not satisfy Flown. The problem comes from the fact that the slope (0.25, 1) satisfies Flown in combination with another point within the computed bounds, namely the point y ( 1.25, 5). However, due to the enclosure of variables in intervals, the precise depency of specific values for y and a specific slope of the trajectory is lost.
4. I M P L E M E N T A T I O N AND E X A M P L E S We integrated a prototype implementation of the method into the verification engine HSOLVER (Ratschan and She 2005, Ratschan and She 2004), which does abstraction refinement by incrementally refining a decomposition of the state space into hyper-rectangles, i.e., by bisecting hyperrectangles. After each refinement step we apply our m e t h o d to the current abstraction.
The most basic interval constraint propagation method decomposes all atomic constraints (i.e., constraints of the form t > 0 or t 0, where t is a term) into conjunctions of so-called primitive constraints (i.e., constraints such as x + y z, xy - z, z C [a,g], or z > 0, where x, y, z are variables) by introducing additional auxiliary variables (e.g., decomposing x + sin y > 0 to sin y Vl A x + Vl - v9 A v9 > 0). Then it applies interval arithmetic based algorithms (Hickey et al. 1998) for pruning the intervals corresponding to the variables occurring in the primitive constraints to smaller ones that still contain the solution set of these primitive constraints. This is done until a fixpoint is reached.
However, this abstraction might have a huge number of abstract counterexamples to check. For avoiding this, we observe that many of them share the same sub-sequence (a fragment); if there is no trajectory through a given fragment, then there is also no trajectory through any of the abstract counterexamples containing the fragment. Hence we also check fragments, using a version of the concretization constraint that does not contain the first line (specifying an initial state) or last line (specifying an unsafe state), if the corresponding sequence of abstract states does not start with an initial state, or end in an unsafe state, respectively.
Usually constraint propagation can only compute an overapproximation of the exact bounds on the solution set of constraints (this is also known as the dependency problem of interval arithmetic).
In the current version, we produce fragments by recursively transversing the abstraction from ini-
374
tial to unsafe states and checking the corresponding fragments. If the given fragment cannot be concretized we backtrack, refine the abstraction, and avoid checking the abstract counterexamples containing this fragment. The current prototype does not yet consider jumps, and instead of doing numerical local optimization (which would be difficult to in~egrate due to the constraint representation used by HSOLVER) to find a solution to the concretization constraint, it simply iterates taking the midpoint of some interval enclosing the solution set and doing interval constraint propagation using the solver RSOLVER ( h t t p : / / r s o l v e r . s o u r c e f o r g e . n e t ) . In lucky cases this already results in a solution. Since constraint propagation does not enclose the solution set closely, also the unlucky case that this midpoint is not a solution happens quite often. This would make numerical optimization necessary. However, the fact that already such a prototype can solve several examples shows the strength of the method.
E x a m p l e 3: A non-deterministic version of another example from (Kapinski et al. 2003)" x2 - 1.5 1.5 x 4 - 1.5 4Xa 1.5 8X 1 --
< 3~1 < X2 ÷ 1.5 <_ i2 < 8xl ÷ 1.5 < afa < X4 ÷ 1.5 ~_ X4 < 4xa + 1.5
The set of initial states is given by x~ + x~ + x~ + x] <_ 4 the set of unsafe states by x~ + x ~ + x~ + x ] > 9, and the state space by [ 4, 4] x [ 4,4] × [ 4,4] × [-4,4]. After 16 bisections, but a few minutes of computation, the method finds the counterexample (2, 0, 0, 0), (2, 0, 0, 0), (1.792, 2.64. 0.155, 0.155).
We tried the following examples: E x a m p l e 1: A very simple example where trajectories follow circles around the origin: x2 xl
1 ~. Xi < X2 ÷ 1 l
The set of initial states is given by Xl < 0, x2 > 2. the set of unsafe states by Xl > 2, x2 < 2.5, and the state space [ 4, 4] × [ 4, 4]. The fact that a counterexample has to flow around a half-circle makes this example non-trivial. After 10 bisections of the state space, in negligible time, the method finds the counterexample (0, 3), (2, 2), (2, 2), (2.959, 0), (2.322,-2), (2, 2.57). The repeated point stems from two different, neighboring abstract states.
E x a m p l e 2: A non-deterministic version of an example from (Kapinski et al. 2003): Xl ÷ 3 x 2 - 1 < Xl ~ Xl ÷ 3X2 ÷ 1
Xl-X2-1
<x2_<Xl-X2+l
The set of initial states is given by x~ < - 3 , the set of unsafe states by x l > 1, x2 > 0, and the state space [-4, 4] × [-4, 4]. After 75 bisections, in a few seconds, the method finds the counterexample (-3.5, 3.5), (-2.75, 2.75), (-2.25, 2.288), (-1.75, 1.686), (-1.25, 1.355), (-0.5, 1), (-0.5, 1), (-0.5, 1), (0.25, 0.464), (1, 0.440).
5. RELATED WORK Apart from manual simulation using according tools (Lee and Zheng 2005, and references therein), the main approach for falsifying safety of dynamical systems is bounded model checking (BMC). This approach is well developed for discrete systems (Biere et al. 1999), but only lately receives attention in the hybrid systems cases (Frgnzle and Herde 2004, Abrahgm et al. 2005). However, the current approaches are limited to dynamics formulated by linear inequalities (i.e., the solution of constant differential inclusions), and there is no systematic way of using bounded model checking for obtaining concrete counterexamples for hybrid systems whose dynamics is given by more interesting (e.g., linear) differential (in)equations. Moreover, BMC might redundantly compute similar information for the same part of the start space, and explores branches that might never lead to an unsafe state. We avoid this by taking advantage of the information generated in the verification algorithm. For linear discrete-time systems with input, another approach (Kapinski et al. 2003) exhaustively simulates the system using a time and state discretization of the input, and tries to avoid redundant computation by merging nearby trajectories. Our approach avoids time discretization by searching for a trajectory between two given points in the state space that may be of un, bounded length in time. Bhatia and Frazzoli (2004) adapt techniques from robotic motion planning to compute an under-
375
approximation of the set of trajectories of a given hybrid system. Prajna and Rantzer (2005) show t h a t - - i n analogy to Lyanpunov functions the existence of certain functions implies the reachability of given sets in (non-linear) ODEs. Such functions can be computed using sum-of-squares (SOS) tools (S. Prajna 2002).
Bhatia, A. and E. Frazzoli (2004). Incremental search methods for reachability analysis of continuous and hybrid systems. In: HSCC'O4 (Rajeev Alur and George J. Pappas, Eds.). number 2993 In: LNCS. Springer. Biere, A., A. Cimatti, E. M. Clarke and Y. Zhu (1999). Symbolic model checking without BDDs. In: TA CAS '99. Springer. pp. 193-207. Clarke, E., A. Fehnker, Z. Hart, B. Krogh, J. Ouaknine, O. Stursberg and M. Theobald (2003). Abstraction and counterexampleguided refinement in model checking of hybrid systems. Int. Journal of Foundations of Comp. Science 14(4), 583 604. Cleary, J. G. (1987). Logical arithmetic. Future Computing Systems 2(2), 125 149. Davis, E. (1987). Constraint propagation with interval labels. Artif. Intell. 82(3), 281 331. Frgnzle, M. and C. Herde (2004). Efficient proof engines for bounded model checking of hybrid systems. In: FMICS 0~, Electr. Notes in Theor. Comp. Sc. (ENTCS). Elsevier. Hickey. T. J., M. H. van Emden and H. Wu (1998). A unified framework for interval constraint and interval arithmetic. In: CP'98 (M. Maher and J.F. Puget, Eds.). number 1520 In: LNCS. Springer. pp. 250-264. Kapinski, J., B. H. Krogh, O. Maler and O. Stursberg (2003). On systematic simulation of open continuous systems. In: HSCC'03 (Oded Maler and Amir Pnueli, Eds.). Vol. 2623 of LNCS. Springer. Lee, E. A. and H. Zheng (2005). Operational semantics of hybrid systems. In: Morari and Thiele (2005). Morari, M. and Thiele, L., Eds. (2005). Hybrid Systems: Computation and Control. Vol. 3414 of LNCS. Springer. Prajna, S. and A. Rantzer (2005). Primal-dual tests for safety and reachability. In: Morari and Thiele (2005). Ratschan, Stefan and Zhikun She (2004). HSOLVER. h t t p : / / h s o ] _ v e r , s o u r c e f o r g e . net. Software package. Ratschan, Stefan and Zhikun She (2005). Safety verification of hybrid systems by constraint propagation based abstraction refinement. In: Morari and Thiele (2005). S. Prajna, A. Papachristodoulou, P. A. Parrilo. (2002). Introducing SOSTOOLS: A general purpose sum of squares programming solver.. In: CDC'02. Tarski, A. (1951). A Decision Method for Elementary Algebra and Geometry. Univ. of California Press. Berkeley.
Tools for counterexample guided abstraction refinement based on flow pipe computation (Clarke et al. 2003) may terminate with a concrete counterexample. They can deal with non-determinism only in the form of parametric systems, where different values for these parameters are tried to search for trajectories that happen to be counterexamples. This fixes the parameter to a certain value between switches. In contrast to that, our approach the trajectory can take any solution of the differential constraint, also solutions that might correspond to inputs or disturbances that change between switches.
6. CONCLUSION We provided a first version of a method for coupling hybrid systems verification algorithms with the ability to find concrete counterexamples for non-deterministic hybrid systems, i.e., with falsification. The advantage of the method is that it uses information from system abstractions computed by the verification algorithm to guide the search for a counterexample. In future work we will provide an efficient implementation of the method based on local optimization, we will try to come up with special, efficient constraint solving algorithms for the special cases of the concretization constraint that we have identified in this paper, we will avoid a full re-check of all the counterexamples after each refinement step by re-using information from earlier checks, and we will provide efficient strategies for the order in which the abstract counterexamples (and their fragments) should be checked. Moreover, we will work on similar methods for hybrid systems without non-determinism.
REFERENCES Abrahgm, E., B. Becker, F. Klaedtke and M. Steffen (2005). Optimizing bounded model checking for linear hybrid systems. In: VMUAI (R. Cousot, Ed.). Vol. 396-412 of LNUS. Springer. pp. 396-412. Alur, R., T. Dang and F. Ivan~id (2003). Counter-example guided predicate abstraction of hybrid systems. In: TA UAS (H. Garavel and J. Hatcliff, Eds.). Vol. 2619 of LNUS, Springer. pp, 208-223.
376
Copyright © Analysis and Design of Hybrid Systems Alghero, Italy 2006
ELSEVIER
IFAC PUBLICATIONS
AN EVALUATION OF TWO RECENT REACHABILITY ANALYSIS TOOLS FOR HYBRID SYSTEMS Ibtissem Ben Makhlouf, Stefan Kowalewski*
* R W T H Aachen University, Chair "Informatik 11" Embedded Software Laboratory, Ahornstr. 55, 5207~ Aachen, Germany
Abstract: The hybrid systems community is still struggling to provide practically applicable verification tools. Recently, two new tools, PHAVer and Hsolver, were introduced which promise to be a further step in this direction. We evaluate and compare both tools with the help of several benchmark examples. The results show that both have their strengths and weaknesses, and that there still is no all-purpose reachability analysis tool for hybrid systems. Copyright © 2006 IFAC Keywords: Hybrid systems, reachability analysis, Hsolver, PHAVer.
1. I N T R O D U C T I O N Automatic verification of hybrid systems is still a topic of research and far from being established as a standard tool in industry, like, e.g., simulation. To become so, reachability analysis, the core procedure of hybrid systems verification, must be made sufficiently efficient for models of real-world systems, including large, complex and non-linear dynamics. The first publicly available reachability analysis tool for hybrid systems was HyTech (Henzinger et al., 1997; Henzinger et al., 2000), developed more than a decade ago. It was intended to be a demo implementation of theoretical results and not a prototype of an engineering tool. Consequently, numerical issues were largely neglected which lead to overflow errors even for relatively simple examples. In the following years, however, HyTech became the archetype for numerous attempts to implement reachability tools with better practical applicability, usually extending the basic HyTech algorithm by abstraction techniques. Recently, the research on reachability analysis of hybrid systems got fresh momentum by the intro-
duction by two different tools, Hsolver (Ratschan and She, 2005) and PHAVer (Frehse, 2005c). Both tools build on well tried algorithms while introducing new methodical approaches at the same time. And in both cases, the example computations which were presented in the corresponding publications promised that a new level of practical efficiency has finally been reached. The aim of this paper is to evaluate the two tools from an independent point of view. For this purpose, we applied both tools to more than ten benchmark examples with several modifications, trying to fathom the boundaries of applicability. An excerpt of the results is presented in the sequel. We concentrate on the examples which revealed qualitative differences rather than quantitative performance differences. Some detailed data including runtime measurements are provided. The paper is organized as follows. In the next section, we briefly introduce both tools. Section 3 is presenting the experimental results. Numerical results are depicted to make it possible to compare the analysis results to the "real" behavior. Finally, a comparison and some conclusions are given.
377
2. H S O L V E R AND P H A V E R
• a set of modes el, ..., sn each corresponding to a different continuous behavior of the system, • variables x s , . . . , x k ranging over closed real intervals Is, ..., Ik and • constraints defining the flow in each mode, the jump, the initial and safe conditions.
Hsolver is a safety verification tool for non-linear hybrid systems developed by R a t s c h a n and She ( R a t s c h a n and She, 2005). T h e tool is based on interval arithmetics to delimit the trajectories in a piecewise m a n n e r to a r e c t a n g u l a r grid. The m e t h o d avoids explicit c o m p u t a t i o n of continuous reachability sets reducing, therefore, rounding errors drastically. To avoid the drawbacks of this approach, namely vast over-approximations, an a b s t r a c t i o n refinement framework is developed in which the a b s t r a c t states are hyper-rectangles in the continuous part of the state space. The a b s t r a c t i o n is refined using a splitting strategy, which is optimized by using constraint programming. T h e splitting m e t h o d reduces information from possibly incomplete constraint p r o p a g a t i o n steps in order to avoid new splitting. J u m p conditions, initial states, and unsafe states are also described by constraints. Moreover, a pruning function makes it possible to eliminate unreachable sets avoiding inefficient repetitions.
A hybrid system is t h e n
defined as a tuple
(Flow, Jump, Init, U n S a f e ) with: • the constraint Flow c ~ x R k in which • is the s t a t e space {ss, ..., s~} x I1 x ... x Ik, and R k represents {2s,..., a?k}, • the constraint J u m p c (I) x ~, defined over the variables z s , . . . , x k of the start mode s and the variables x's, ..., x~' of the t a r g e t mode 8I, and • the constraints I n i t c ~ und U n S a f e c describing the set of the initial and unsafe st at es. The original hybrid system described above will be a b s t r a c t e d by a discrete system defined over a new variable s t a t e space S. A discrete system over S is defined as a tuple (Trans, Init, UnSafe) where T r a n s c S x S, I n i t c S and U n S a f e c S are new constraints deduced from original constraints via the definition of an a b s t r a c t i o n relation between the original and the a b s t r a c t e d system as follows:
The other tool is PHAVer (Polyhedral Hybrid Aut o m a t i o n Verifyer) developed by Frehse (Frehse, 2005c) (Frehse, 2005b) for verifying safety of linear hybrid a u t o m a t a s (LHA). PHAVer uses Hybrid I / O - A u t o m a t a with affine dynamics (Lynch et al., 2003). C o m p u t a t i o n s use convex p o l y h e d r a as the basic d a t a s t r u c t u r e as it was already done in HyTech (Henzinger et al., 1997; Henzinger et al., 2000). The i m p l e m e n t a t i o n is based on the P a r m a P o l y h e d r a Library ( P P L ) ( B a g n a r a et al., 2002). T h e P P L s u p p o r t s closed and nonclosed convex p o l y h e d r a and infinite precision arithmetic.
D e f i n i t i o n : An a b s t r a c t i o n relation between a hybrid system (Flows, Jumps, Inits, U n S a f es ) and a discrete system (Trans2, Init2, UnSafe2) over S is a relation c~ c (I) x S such t h a t : • for all q c ~, if there is a t r a j e c t o r y from an element of I n i t l to q according to Flow1 and dumps, then for all qa with c~(q, q~) there is a t r a j e c t o r y from an element of Init2 to q~ according to trans2, • for all q c I n i h , there is a qa c Init2, with a(q, q~) and • for all q c UnSafe1, if q is reachable from I n i h , t h e n there is a qo~ c UnSafe2, with
Beginning with the initial state, the reachability s t r a t e g y of PHAVer c o m p u t e s reachable sets by using refinement of locations when affine dynamics are o v e r - a p p r o x i m a t e d by LHA-dynamics. The refinement can be adjusted by parameters. To do so, the constraints are prioritized according to the refinement parameters. T h e tool offers the possibility to enforce other prioritization criteria. For more details see (Frehse, 2005a). O v e r - a p p r o x i m a t i o n using b o u n d i n g boxes and convex hull abstractions are also possible. T h e user can combine the different types of overa p p r o x i m a t i o n and control the n u m b e r of iterations for each t y p e with special p a r a m e t e r s given by the tools. PHAVer s u p p o r t s compositional and a s s u m e - g u a r a n t e e reasoning (Frehse et al., 2004).
~(q, q~). Hence, Hsolver c o m p u t e s for every hybrid system with a description D an a b s t r a c t i o n Abstractn(B) over sets of abstract states 13 containing all elements of the state space reachable from the initial set such t h a t all boxes corresponding to the same mode are non-overlapping. T h e resulting a b s t r a c t e d system is refined, during the computation, with a n o t h e r reduced a b s t r a c t e d syst e m under the condition t h a t an a b s t r a c t i o n relation between the two systems exists, which preserve the reachable states during the transformation. The refinement s t r a t e g y is r e p e a t e d until a fixpoint is attained. Using strategies based on constraint p r o p a g a t i o n p r o g r a m m i n g (Mackworth and Freud, 1985) parts of s t a t e space showing not to be reachable are excluded during the ab-
2.1 Reachability analysis strategy of Hsolver In Hsolver, a hybrid system is described by: s In the sense that the continuous dynamics in each discrete location are linear.
378
straction process. For this purpose, a constraint reachableB,(S',Z) is formulated expressing the conditions under which a point in a box B is reachable. Before t h a t , the flow within a box B and a mode s is described with the constraint f l o w B ( s , y, z). It expresses the fact t h a t a point Y - (Yl,...,Yk) c B is reachable from a point x - ( x s , . . . , x k ) C B via a flow in B and s.
Using linear programming, these constraints are first o v e r a p p r o x i m a t e d conservatively with linear constraints of the form aT:b ~ i /3i, ai C Z n, /3i C Z which are o b t a i n e d using the result of an infim u m c o m p u t a t i o n of (1) inside Inv(loc) d e n o t e d (when it exits) with:
The constraint reachable B, (s', z) is defined as the disjunction of three principle constraints:
T h e linear constrMnt on ~ is t h e n given by ch qai and/3i - qb~ - p. This o v e r a p p r o x i m a t i o n introduces a loss of accuracy d e p e n d i n g on the size of the location and the angular spread of the derivative vectors in the location. To improve the accuracy, locations are recursively split along hyperplanes which par a m e t e r s are a d e q u a t e l y chosen from the user to minimize the partitions. The splitting of a location is s t o p p e d when a m i n i m u m size is attained. Otherwise, the splitting process can include a refinement procedure of a location controlled from the user. T h e user provides a list of c a n d i d a t e normal vectors ah.i of hyperplanes defined by equations having this form a ~ x - bh and the m i n i m u m and m a x i m u m slack /~,~m.h, /~,~ax.h t h a t the hyperplanes will have in the refined location. The slack is here defined by:
• Constraints formulating the reachability from the initial set i n i t f l o w B ( s , z) expressed for a mode s, a box B and a point z c B reachable from the initial set via a flow in s and B. • Constraints j u m p f l o w B . B , ( s , s ' , z) describing the reachability from a j u m p between two modes s and s' corresponding to two boxes B and B ' and a point z c B'. • Constraints boundaryflowB.B, (s', z) expressing the reachability of a point z c B ' from a c o m m o n point of neighboring boxes B and B' via a flow in B. After the d e t e r m i n a t i o n of the teachability constraint reachableB,(S',z), the problem of reachability is t r a n s f o r m e d in a constraint satisfaction problem. It is solved by constraint propagation p r o g r a m m i n g , applying several techniques for making the analysis more efficient like, e.g., pruning.
2.2 Reachability analysis strategy of P H A V e r
p\q
in f
a iT x ,
p, q C Z.
xEInv(loc)
/~(~)-
.~ xE Inv(loc)
a~-
.~
a~
xE Inv(loc)
T h e c a n d i d a t e hyperplanes are prioritized according to a user controlled list of criteria. For each constraint of type aT z ~ b in a location loca set of evaluations included in the reachable states N of the location are associated according to a chosen criterium from the following list (Frehse, 2005e):
P HAVer is a verification framework for linear hybrid systems and compositional reasoning. The a u t o m a t a model differentiates between state, input and o u t p u t variables. T h e o u t p u t can be declared as the inputs for an other a u t o m a ton. A hybrid I / O - a u t o m a t o n (HIOA) in PHAVer is a tuple H - (Loc, V a t s , V a r i , V a r o , Lab, --+ ,Act, Inv, I n i t ) where Loc, Lab, Act, I n v , and I n i t are defined as usual, and where:
• Prioritize constraints according to their slack. • Prioritize constraints t h a t have reachable states only on once side. • Prioritize constraints according to the spread of the derivatives where constraints are discarded if a m i n i m u m spread is reached and the slack is smaller t h a n /kmax, h. • Prioritize constraints according to the derivative spread after the constraint is applied.
V a r s , V a r i and V a r o c V a r s are finite and disjoint sets of state, input and o u t p u t variables. --+c Loc x Lab x 2 V(Var) xV(Var) x Loc is a finite set of discrete transitions, where V a t - V a t s 0 Vat1 and V ( V a r ) denotes the set of evaluations over V a t . A t r a n s i t i o n (1, a, p, l') c -+ m e a n s / a,F* l'.
Moreover, the n u m b e r of constraints during the c o m p u t a t i o n is reduced in order to save memory. To select the constraints to be eliminated, P HAVer uses for instance an angle criterion for which the negative cosine of the closest angle between the normal vector of the ith constraint and all others is measured and t h e n compared. Only a predefined n u m b e r of constraints with the greatest angles are retained. In addition, a procedure for limiting the n u m b e r of bits necessary to represent a constraints is executed as soon as a given threshold z is exceeded. A new constraint a T z Mi ~i including the original i t h constraint aT z Mi bi of a polyhedron is c o m p u t e d so t h a t ch,j[, fli[ < 2 ~ + s - 1. The procedure makes an
PHAVer deals with I / O - a u t o m a t a with affine dynamics given for each location loc by a conjunction of constraints of the form:
(1)
air~? + 5 Tx ~ bi, a ~ , ~ c Z~, M~c {<, < , - } , i -
1, ..., m.
379
E x a m p l e 4" The collision example from a part of the car convoi control problem proposed in (Purl and Varaiya, 1995). It has been transformed in (Ratschan and She, 2004). The problem has no jumps and can be described as follows: Flow: 21 - z 3 - z2, 22 - z4, - 2 _< 23 _< - 0 . 5 ,
estimation of the scaling error f. It recomputes/3i using linear programming. If ~i has more t h a n z bits, f will be decreased and the procedure starts again.
~4 - - - - 3 " 2 ; 4
3. E X P E R I M E N T A L RESULTS 3.1 B e n c h m a r k s
A n o t h e r version of this problem denoted by conv o i l is also taken from (Ratschan and She, 2004). The main difference is the dynamics of 23 = -42;1 -}- 3x2 - 3x3 + x4. E x a m p l e 5: A heating example of 3 rooms with 2 heaters from (Fehnker and Ivancic, 2004):
In order to assess the performance of the tools, we applied t h e m to b e n c h m a r k examples from the the literature, including examples from (Ratschan and She, 2004). The c o m p u t a t i o n s were performed on a P C with a P e n t i u m IV processor at 3,06 GHz and 1 GB of memory. The obtained results summarized in table 1 allow a first comparison between the two tools, A brief description of the studied examples is given here: E x a m p l e 1: The two tanks problem. It is a nonlinear problem, formulated in (Ratschan and She, 2005) as follows:
=
() ( hl
h2
0.5 0
-1.3 0,5
0)
0.5 -0,9
x ÷
0.3 0.4
u + d i a g ( 6 , 7, 8)h
where x is the vector of t e m p e r a t u r e s , h is indicating whether a heater is on or off and u - 4. We performed c o m p u t a t i o n s with t h e minimal t e m p e r a t u r e threshold equal to 14 and a space state given by [14, 22] x [14, 22] x [14, 22].
riot:
2---+
-- 3 " (2;2 -- 3;3) -~- (2;1 -- 2;2 -- 10)
Init" xl = 1, 2;2 = 2, 2;3 = 2, 2;4 = - 0 . 5 Unsafe: 2;1 <__ 0 S t a t e space: [0, 4] x [0, 2] x [0, 2] x [ - 2 , - 0 . 5 ]
1 -- V / h 1 - h 2
V/hl-h2+l-
Jump:(s - 1 A 0.99 _< h2 _< 1) ~ (s' - 2Ahl 1) I n i t : s -- 1 A (hi - 5.5) 2 + (h2 - 0 . 2 5 ) 2 _< 0.0625 U n s a f e : ( s = 1 A ( h i - 4 . 5 ) 2 + ( h 2 - 0 . 2 5 ) 2 < 0.0625) S t a t e space:(1, [4, 6] x [0, 1])O (2, [4, 6] x [1, 2])
3.2 H s o l v e r
h I A h~-
E x a m p l e 2: The navigation b e n c h m a r k problem is a linear problem from (Fehnker and Ivancic, 2004). An object at a position z = ( z x , z 2 ) f moves within a 3 x 3 map with a velocity v determined by the differential equation 0 - A ( v - va), where
(1 01 1°1
7r/4)) T is a desired velocity adopting different values depending on t h e chosen map (i is equal to the value in each cell of the map). We take two different maps: map1
=
23 4 22A
and
map2 =
22
4
.
11A
A a n d / 3 correspond to the reachable and forbidden cells. For m a p 1 , we choose x0 c [0,1] x [0, 1], v0 c [-0.1, 0.5] x [-0.05,0.25] as initialization. However, for m a p 2 the c o m p u t a t i o n begins with
• 0 c [0,1] × [0,1],
c
0.s] × [-0.0s, 0.25]
as initial sets. E x a m p l e 3: The 1-flow problem used in (Preuf3ig et al., 1998) is a simple example without jumps described as follows: Flow: 21 - 22 -- ~3 -- 1 Init:O<_x~ < 2Al <w2 <_2AO
[0, 2] × [0, 2] × [0, 4]
380
Hsolver permits the verifications of nonlinear systern from the outset. Difficulties appear, however,when arithmetic operations different t h a n • , +,' s i n , cos, e x p appear, as in the two t a n k example which involves a s q r t operation. In this case, we must transform the equations in order to avoid this operation. The c o m p u t a t i o n results for the different examples are given in table 1. We also present some graphical results of the two tanks and the navigation b e n c h m a r k examples, in order to u n d e r s t a n d b e t t e r the function of the tools. For the two tanks example, in Fig. 1 we see the pruned region in light grey boxes, the 10 boxes corresponding to mode 1 are dark grey and the 12 boxes of mode 2 are m e d i u m grey. The t r a j e c t o r y is obtained from a M a t l a b simulation. The figure shows t h a t the unsafe region (circle left) is in the pruned region. This means, t h a t this region was alreadv excluded from the reachable set at the beginning of the c o m p u t a t i o n which accelerates the t e r m i n a t i o n of the verification process, as we expected. For the navigation benchmark, the comp u t a t i o n time for the two instances was very long and the tool could not conclude about the safety in both cases (resulting o u t p u t "safety unknown"). The problem behind t h a t is illustrated by Fig. 2. It represent the different box decompositions in the three modes of the systems together with one t r a j e c t o r y from M a t l a b simulations. The issue is that the whole state space needed to be examined during the analysis without ever being able to
Example
refinement steps
box recomputation
Hsolver # calling prune
safety
time(s)
memory(KB)
safety
2-tanks mapl map2 flow convoi convoil heating
11 362 342 1 367 0 142
13 511 107 0 443 1 191
397 509306 889110 2 68675 3 469416
safe unsafe unsafe safe safe safe unsafe
0.33 2647.75 4457,7 0.12 9462 0.31 638.76
1548 48048 46892 1136 7200 6204 37744
safe safe safe sa% safe safe safe
PHAVer time
[
0.11 139.02 22.14 0 0.10 0.11 0.41
memory 1688 126608 54168 868 148 1652 5720
Table 1. In71plementation results of the b e n c h m a r k examples.
26 2 t.5
J5 0 -Z6 t
1,5
2
2.5
3
3,5
t
4,5
5
55
3
Fig. 1. Hsolver: two tanks problem, initial region: (xs 5.5) 2 + (x2 0.25)2 < 0.065, unsafe region ( x s 4.5) 2 + (x2 - 0.25)2 < 0.065
1.5
Z
56
~
~.f
4
45
K
5.5
Fig. 3. PHAVer: Two tanks problem, initial region [5.25, 5.75] × [0, 0.5], unsafe region [4.25, 4.75] × [0.5, 1]
21 C
C
I
2
3
Fig. Fig.
2. Hsolver:Navigation benchmark, m a p -[B24,234,22A], x0 E [2,3] × [1,2], v0 E [ 0.3,0.3] ×
[ 0.0~, 0.25]
[ 0.3, 0] exclude safely the unsafe region. Such a behavior can not be predicted by a s t a n d a r d user.
3.3
PHA Ver
Nonlinear problems must be linearized to be analyzable by PHAVer, For the two t a n k s example, we use the Jacobi m e t h o d to linearize the s y s t e m for each box using the center of the boxes as reference point. Of course, this is not an abstraction, and any reachability results for the linearized system will be inconclusive with respect to safety. However, it allows us to gather d a t a for the comparison. We chose two different unsafe sets for the verification. From M a t l a b simulations we know t h a t the system is safe for the first case and unsafe for the second case. The results of our verification with PHAVer confirm these findings. Fig.3 shows the results for the unsafe case. T h e compositional feature of PHAVer is illust r a t e d with the navigation b e n c h m a r k examples. Here, t h e a u t o m a t o n is decomposed in two aut o m a t a , one for t h e position and a n o t h e r for the
4. PHAVer: Navigation benchmark, m a p -[B24,224,11Al, x0 E [0,1] x [0,1],v0 E [ 0.1,0.5] x
velocity. B o t h a u t o m a t a are synchronized with global labels. T h e refinement is controlled with the factor d l m i n = d 2 m i n = 0.25 and d l m a x = d2max = oc. For m a p s with the default p o l y h e d r a abstraction, the c o m p u t a t i o n time of the verification lies in acceptable range. Using this m e t h o d for the second map, we get a very long c o m p u t a tion time. For such cases PHAVer offers a further feature which permits the c o m b i n a t i o n of different types of abstractions. In our example, we chose a convex hull a b s t r a c t i o n during 20 iterations followed by t h e default a b s t r a c t i o n with bounding box iterations until the 39th iteration. We t o o k two different maps: m a p 1 = [B24, 234, 22A] and m a p 2 = [B24, 224, 11A]. For the second m a p the t e r m i n a t i o n is accelerated by the convex hull abstractions for the 20 first iterations, t h e n the processing is switched to normal reachability with b o u n d i n g box iterations until the 39th iteration. T h e results for t h e second map are shown in Fig. 4. T h e examples are proved to be safe. The figures show the p o l y h e d r a decomposition of a restricted region of the position s t a t e space. T h e o t h e r examples have been i m p l e m e n t e d as simple a u t o m a t a because the decomposition is not necessary in
381
world examples and that, nevertheless, there were examples for which computation times exceeded hours or the result was unnecessarily inconclusive, it seems fair to say that the goal has not been reached yet.
this case. The corresponding results are shown in Table 1.
3.~ Comparison of the results of both tools Comparing the time and the memory requirements in table 1, we can conclude that for all our examples PHAVer is faster than Hsolver. From the memory consumption point of view, we note that, against our expectation, the amount of memory used by Hsolver in examples 3, 2, 4 and 5 is greater than that used by PHAVer. When the safety is unknown, the verification analysis by Hsolver lasts a long time. In the case of non linear systems, we are not able to conclude about the safety of this type of systems because we have no estimation of the linearization error. In summary, Hsolver is an efficient and fast tool, as long as its results are conclusive. In these cases, it is well applicable to non-linear hybrid systems. However, the navigation and heating benchmarks show that the tool still has some limitation. On the other hand, Phaver is an efficient tool for verifying linear hybrid systems. It offers possibilities to control and choose refinement and over-approximation strategies used during computation with a number of functions, commands and parameters. Complicated hybrid systems could be decomposed or simplified and treated by Compositional Reasoning provided by the tool. This could be used to verify non-linear systems, if it would be possible to abstract the original problem by linear hybrid automata. Otherwise, we have to linearize the systern and take the linearization error into account. Finally, we could not confirm the conjecture that the use of polyhedra and refinement steps will increase strongly the necessary amount of memory space.
REFERENCES Bagnara, R., E. Ricci, E. Zaffanella and P.M. Hill (2002). Possibly not closed convex polyhedra and the parma polyhedra library. In:
Static Analysis: Proc. Int. Syrup., LNCS 2~77. Springer. pp. 213 229. Fehnker, A. and F. Ivancic (2004). Benchmarks for hybrid systems verification. In: HSCC'O~, LNCS 2993. Springer. pp. 326 341. Frehse, G. (2005a). Compositional Verification of Hybrid Systems using Simulation Relations. PhD thesis. Cornell University. Frehse, G. (2005b). Phaver. http://www.andrew. cmu.edu/-gfrehse. Software package. Frehse, G. (2005c). PHAVer: Algorithmic verification of hybrid systems past HyTech. In: HSCC, LNCS 3~1~. Springer. pp. 258 273. Frehse, G., Z. Han and B.H. Krogh (2004). Assume-guarantee reasoning for hybrid I/Oa u t o m a t a by over-approximation of continuous interaction. In: Proc. CDC'O~. Bahamas. Henzinger, T.A., B. Horowitz, R. Majumdar and H. Wong-Toi (2000). Beyond HyTech: Hybrid systems analysis using interval numerical methods. In: HSCC'00, LNCS 1790. Springer. pp. 130 144. Henzinger, T.A., P.S. Ho and H. Wong-Toi (1997). Hytech: A model checker for hybrid systems. Soft. Tools Techn. Transl. 1(1,2), 110 122. Lynch, N., R. Segala and F. Vaandrager (2003). Hybrid i/o automata. Inf. Comput.
lS5(~),
4. CONCLUSIONS Not quite surprisingly, the application results show that both tools have their strengths and weaknesses. Hsolver is extremely fast for examples where safety can be proven or disproved, but it shows excessive computation times when the results are inconclusive. Since it is able to treat nonlinear dynamics directly, it has a clear advantage over P HAVer in this respect since the latter is restricted to affine hybrid systems. PHAVer, on the other side, provided more exact results in the sense that it was able to prove safety correctly for examples for which Hsolver gave the result 'safety u n k n o w n
105 157.
Mackworth, A. K. and E.C. Freud (1985). The complexity of some polynomial network consistency algorithms for constraint satisfaction problems. Artificial Intelligence 25, 65 74. Preuf3ig, J., S. Kowalewski, H. Wong-Toi and T.A. Henzinger (1998). An algorithm for the approximative analysis of rectangular automata. In: Proc. FTRTFT'98, LNCS 1~86. Springer. pp. 228 240. Purl, A. and P. Varaiya (1995). Driving safely in smart cars. In: Proc. of the 1995 American Control Conference. pp. 3597 3599. Ratschan, S. and Z. She (2004). Hsolver. h t t p : / / www.mpi-sb.mpg.de/ratschan/hsolver. Software package. Ratschan, S. and Z. She (2005). Safety verification of hybrid systems by constraint propagation based abstraction refinement. In: HSCC 2005, LNCS 3~1~. Springer. pp. 573 589.
~.
Both tools represent a good step in the direction of making reachability analysis applicable for practioneers. However, considering that the benchmarks still were more academic than real
382
Copyright © Analysis and Design of Hybrid Systems Alghero, Italy 2006
ELSEVIER
IFAC PUBLICATIONS
SAFETY AND RELIABILITY ANALYSIS OF PROTECTION SYSTEMS FOR POWER SYSTEMS
L u c a Ferrarini *, L e o n a r d o A m b r o s i * and E m a n u e l e C i a p e s s o n i **
* Politecnico di Milano, P.za L. da Vinci 32, 20133 Milan, Italy ** CESI RICERCA, Via Rubattino 54, 20134 Milan, Italy
Abstract: This paper addresses the problem of risk analysis of protection systems and protection scheme of transmission grid. According to IEC 61508, a hybrid model has been developed supporting the analysis of protection systems. The use of analytic models in risk analysis of the elements of system protection scheme allows evaluating the security level associated to different protection strategies and supports the identification of specific ICT criticalities. Copyright © 2006 IFA C K e ~ o r d s : power systems, technique, hybrid systems
simulation,
1. INTRODUCTION Like many other industrial and production systems, the field of production and transmission of energy is facing a trend towards deregulation, in Italy as well as in many European countries. This basically amounts to move from a single-operator, clearly regulated, easily predictable system to a competitive, uncertain, multi-operator system. The introduction of competitive supply and the organizational separation imposed by deregulation has resulted in highly stressed operating conditions and more ~lnerable networks. Extremely important in this scenario is the definition of "quality" criteria, to be obeyed by market operators and vendors, in order to be able to positively cooperate to provide a correct service. Strangely enough, in a market-oriented energy production and management, the "classic" deterministic criteria, adopted and useful in the regulated market, are still adopted to guarantee the security of the system. These are based on the fact that each abnormal operating condition contained in a suitable "contingency set" satisfies predefined performance criteria. This allows to pragmatically design protection systems without considering all combinations of system configurations and operating conditions, which would be simply unfeasible. The deterministic
383
safety,
standards,
object-modelling
approach, and the associated simulation methods, provides a simple rule to make decisions: optimize economy within the constraints of the secure operational region. This simplicity has made the deterministic method very attractive and useful in the past. Though effective in practice, the deterministic approach tends to focus on the most severe and credible event, thus producing an oversized and a less agile protection system, which reduces marginal gains and return of investments. Among others, the main deficiencies consist in not taking into account the frequency and the impact of events, and thus the likelihood of unwanted or catastrophic events, and in the negligence of non-limiting events. This classical approach can be superseded by probabilistic risk based approach: several studies (Dobson, 2004b), (Lucarella et al., 2004), (McCalley and Vittal, 2001) demonstrated the possible gain associated to the use of risk based approach in the analysis and management of electric system security. Accordingly a CIGRE report (Marceau and Endrenyi, 1997) recommended to stu@ probabilistic security assessment methods, and the CIGRE task force 38.02.21 is working on this recommendation. The Electric Power Research Institute (EPRI) was also involved in efforts to develop probabilistic risk assessment methods and tools for risk based security assessment (McCalley and Vittal, 2001). Following the risk-based perspective in the reliability analysis,
the international standard IEC 61508 is the main normative reference. However, power systems exhibit a special behavior with respect to the safety and reliability problems, so that the standard needs to be integrated. In this paper we pursue this approach by advocating the application of risk analysis techniques in the life cycle of protection system and protection scheme of the transmission grid. In particular, the goal is here to obtain a quantitative model in order to evaluate and compare protection systems and protection strategies able to improve the overall reliability of a system. Yu and Singh (Yu and Singh, 2004) followed this approach trying to define a simulationbased method to quantitatively evaluate hybrid stochastic models of power systems. That model was based on stationary continuous models (the so called "load flow model"), and discrete part is a logic model of the operating modes of a suitable combination of more physical components. The work here discussed extends that approach in these facts: instead only stationary continuous models, dynamic models are used (DAEs) - a full modular approach has been adopted, implemented into an object-oriented hybrid dynamic simulator (Modelica/Dymola): any model of the system can be rewritten with more or with less detail without changing anything else of the system , provided that its physical interface is not changed of course; - the discrete parts have been greatly improved, by separating components - each discrete model of the physical component has a higher number of states, associated to physical phenomena and not to modes of operation. -
The paper first summarize the relevant features of the power systems (Sect. 2) and then discusses the construction of the modular hybrid model in Sect. 3. Sect. 4 hints to the implementation into the simulation environment chosen.
conditions (Bie And Wang, 2001). Moreover the electrical connection makes the propagation of faults extremely fast. Under these conditions, the risk assessment of the transmission system becomes a complex matter. While in fact the components are standard, their specific way of working while interconnected in real operating conditions are much more difficult and more uncertain to estimate in design phase. Therefore, the concept itself of Safety Integrity Level (SIL) defined in the IEC 61508 standard must be revised, being insufficient if applied to single components, and being useless if applied to the entire system.
2.2 Undesired trips The IEC 61508 basically focuses on the fact that protection systems may fail to intervene when a fault occurs in the system. On the contrary, one of the major causes of outages is constituted by undesired trips, often leading to cascade tripping. These are characterized by the fact that the protection system actually does intervene when it is not requested to do so, which constitutes a possible cause of cascading outages (Bie And Wang, 2001). Notice that the failure does not derive from a specific fault of a device, but from "external" factors to the protection, like the impossibility to measure the real current operating state (Padke, 2002), (Yu and Singh, 2004). In order to consider these facts, it is necessary to define a common usage of reliability terms. We will use the dependabili~ as the main property of a protection system. It concerns the ability to work properly and it is defined as the combination of reliability, the ability of a protection system to trip for a fault inside the protection zone, and security, the ability to refrain from tripping for fault outside the protection zone.
2.3 Dynamic constraints 2. CHARACTERISTICS OF POWER SYSTEM
2.1 Inwrconnections of subsyswms The substantial peculiarity of power systems consists in its complexity, wide area nature and strong interconnection of different subsystems. The system itself is composed of a high number of components belonging to a few types (lines, bars, transformers, breakers), but all these elements are electrically interconnected with variable topologies from zone to zone and country to country. This makes that anomalous behaviours of some components have unexpected consequences on others, which are located far away and which operate also in different
This is one of the most important aspects of power systems, aspect that is ignored completely in the IEC standards. It consists in the fact that in many cases those limits that some process variables must satisfy to be in a "safe" condition can vary dynamically in time. This means that a system condition can be estimated as "safe" or not according to other operating conditions of the whole system. Clearly, it is necessary to take this behaviour into account, both in the design phase of the protection systems and in its evaluation. In any case, it is necessary to develop models somehow adapt to the operating condition of the system.
384
This allows carrying out a much finer "dynamical" analysis than the classic static analysis of the system, which in turn allows to develop a definitely more precise protection system, on the base of specific risk-based indices of the transmission grid (Makarov, and Hardiman, 2003).
3. A HYBRID MODULAR MODEL FOR TRANSMISSION SYSTEM
Lighting Propagation
One way to evaluate quantitatively the functional safety of the power system is the development of a model capable to capture both continuous dynamics of the system, its probabilistic nature, and its eventdriven phenomena. To this purpose, a suitable modular hybrid model (continuous and discrete event based), sketched in Fig. 1, has been developed. In that figure, the main elements (lines, bars, transformers, breakers) of the transmission grid are shown, with their own interfaces and connections.
l
Is Open
Is
n
FaUit
Fault
}en
BFD ]
Fig. 1. Sketch o f the hybrid model o f the transmission systems
As it can be seen in the Fig. 1, each component has some connection with the neighbor. The connections painted with a thick line and a square interface represent the physical connections, i.e. the electrical connections regulated by the classical electrical equations. The connections painted with a thin line and a rectangular interface represent the logical connections, i.e. the way the discrete part of the model "inform" the others about their internal states, dispatching events. Each module is internally described in a dual way, it has a discrete model and a continuous model that are able to communicate together as we'll see later. The basic modeling criteria are the following. - Modularity It is advisable to have a component-wise modeling and simulation environment, where the user instantiates modules that directly correspond to physical components, instead of writing equations. This means that each module should be thought as the generic behavior of a component under generic constraints; the overall model will come out of the assembly of the basic components, and the user should not intervene in the assembling of equations. - Hybrid behavior
It's necessary, since the system under investigation shows continuous-time behavior for electrical phenomena, and event-based behavior for discontinuous phenomena like breaks and faults (clearly enough, the modeling of "fast" phenomena as discontinuous is a modeling simplification, if one does not need to go into the atomic details of electricity transmission). To do so, we implemented the discrete part of a model with Petri net, a well-known formal technique to represent discrete-event systems. Ordinary Petri net models have been extended, with a simple semantic rule, in order to generate outputs and receiving inputs with the continuous part. The continuous part of the model is quite simply, each element is represented with the classics electrical components (impedance, inductance, switch, and so on), electrically connected with the continuous part of the other models. - Discrete-Continuous connection. Some of the transitions of the Petri net model have been endowed with a time delay, stochastically distributed as proposed in the GSPN formalism (Ajmone et al. 1995). This means that a stochastic transition is associated with a value representing the mean time to fire, once enabled, generally represented with the symbol ~,i.
385
Notice that some of those )g i a r e exogenous (i.e. represent physical phenomena that have external causes with respect to the model itself, like the falling of a tree or thunder on the system), but other are not. A typical example relates to the cascade effect. Consider for example the rate of failures of an electrical component. This depends on the instantaneous current circulating in it, as hinted in Fig. 2.
Icc
IZccl VS1
~ VCC
Vs2
Fig 3.- Basic continuous behaviour o f the line
~L
)~fl
m
The discrete time part describes behaviour of the net (see Fig. 4).
//
•I1 I2 Ip I Fig. 2. Fault rate dependence from the circulating current (an example)for an electric device From the modeling and simulation point of view, this means that the fault rate of a (stochastic) transition of the Petri net model of the discrete-event part of the model of a component depends on the value computed in the continuous time part of the model of the same component. Here clearly arise the connection between the discrete and the continuous part of the model. This is clearly not a trivial step, since again the continuous part depends on the discrete one, and since the occurrence of future events can not be precalculated since other events may occur in the meanwhile. In fact, if an electrical part should break, the circulating currents and the voltage calculated by the continuous part should change, possibly influencing again in the future the discrete part. In the sequel, some details are provided on the modeling of the basic components of the power transmission system.
all the other
LFAILURE
CC
TLI~_FAIL
F CC
LFULM Fig. 4. Petri net model o f a line The meaning of the places and transitions is hinted in the following.
Places: • LOK = line is healthy. • L c c - line is short-circuited • L C C p = line is permanently short-circuited • LFULM= line is lightened • LFAILURE-line is faulty Transitions: • TLFULM= the line is struck by a lightning • TLF OK = the lightning is extinguished autonomously and the line returns in OK state. (LoK) • tL'F E -- the lightning is extinguished by the intervention of protections,. This immediate transition is conditioned by IL~E <~ • TLcc - the line from the state of OK goes to short-circuit with ground • TLcc O K - the short-circuit is autonomously extinguished • tL'cc E - the short-circuit is extinguished by the intervention of protections. This transition is conditioned by VL~E <~
3.1 Line The line is the basic transmission element for power. The continuous model takes into account the fact that a line can be interrupted (by a breaker or a fault), can be short-circuited (a fault, or an external cause, like a falling tree for example) or can be hit by thunders. The modelling of the lightning effect on lines has been simplified to a logic behaviour (a switch), being the physical modelling out of the scope of this project. Thus, the basic continuous behaviour is sketched in Fig. 3, where ZL1, ZL2, Zcc are impedances.
386
• • • • • •
•
TLcc _p the line goes from OK state to permanent short-circuit TLcc _R E P - line is repaired to eliminate the permanent short-circuit TLFAm- failure of a line (normally caused by an object) TLm~p= line is restored to OK state TLv _FAIL failure of a line caused by a lightning. The effect of the lightning is extinguished TLF_cc - the line goes to short-circuit because of a lightning. The energy of the lightning is considered discharged to the ground. TLcc _FAIL the line fails because of a shortcircuit (normally caused by the breaking of an insulator)
Fig. 5.
Petri net model of a breaker.
As it can be argued, also the automatic re-close operation has been modelled. Actually, after an open operation, the breaker can be closed (modelled with a stochastic transition). Should the breaker be opened again, then it can be closed again only with transition Tclose2, only once: such a transition will be conditioned to the fact that the lines attached to it are in "functioning" state.
- -
Transitions: •
=
•
The overall behaviour of the Petri net model can now be deduced quite straightforwardly.
• •
Finally, the interaction of the two sub-models. It is clear that, if the line change its internal state, the topological view of the net can change, and consequently the electrical calculus. Besides the change of the value of the electrical variables, make change the )~ regulating the fire rate of the discrete transition. It is quite obvious, for example, that if an external event occurs, like a short-circuit caused by a falling tree, then the fictitious switch shunting the line to ground is closed and at the same time a transition in the Petri net part is enabled.
• • • •
tIMAN = opening of the breaker triggered by manual command or by backup devices (Breaker Failure Device) T I o P E N - opening of the breaker triggered by the associated protection T I c L o s E - fast reclosure of the breaker T I ' c L o s E : - reclosure of the breaker conditioned by "OK state" of the connected elements T l s r u c x c = failure of the breaker from closed to stuck close T l s r u c x o = failure of the breaker from open to stuck open TI~p o reparation of the breaker and restoration in state of stuck open T I ~ p c - time interval between the failure of the breaker and the moment in which the failure is recognized. The breaker is then opened and restored (TI~p _o transition).
2.2 B r e a k e r
2.3 B a r a n d t r a n s f o r m e r
The breaker has been modelled with a similar approach. It has four main logical states: open, close, stuck closed and stuck open. The transition from one state to another one are quite simple and be deduced with an easy spot of the name of the transition. The Petri net model is sketched in Fig. 5.
Similarly, also bars and transformers have been modelled. Details are here omitted for the sake of simplicity.
TIOPEN~ _
~
~~'q~
I TIREPC
II~l ~ TIsTucKC ISTUCKCLOSED~
4. SIMULATION
/ / /
/
In order to evaluate quantitatively the above model, a suitable simulation environment is to be used. The simulation engine should be accurate enough to deal with continuous-time dynamics, event-based dynamics, and stochastic behaviours. Our choice is the Modelica/Dymola environment. It's an objectoriented modelling and simulation framework, with an easy-to-comprehend component-oriented description, with different physical and communication ports, endowed with a fine symbolic manipulation of equations, which allows both the user to "describe" the equations directly in the continuous time domain and to obtain an optimised simulation code. It's a time-based simulator, which means that the discrete-event part must be suitably treated for efficient and effective implementation, and similarly there is no support for stochastic behaviour, which must then be explicitly introduced.
387
Currently, the basic models of line, bar, transformer, breaker, generator and load are under final testing. Such specific and reusable components have been modelled as hybrid systems, whose internal behaviour is given by a suitable combination of continuous dynamic sub-module with a discreteevent stochastic sub-module. In particular, to do so, the stochastic Petri net submodule has been directly implemented in Modelica, exploiting the capability of using "external functions". Special care has been paid to the modelling of switching behaviours (due to e.g. breakers or faults) and to the mutual interaction between the continuous and the discrete part of each component, and the "transmission" of events between components. The description of the modelling choices is matter of future works, along with the application to the IEEE Reliability Test System prepared by the Reliability Test System Task Force of the Application of Probability Methods to Power Systems.
5. CONCLUSION AND FUTURE WORK The application of IEC 61508 to the life cycle of E/E/EP systems for the protection of transmission grid, depends on the identification of appropriate risk analysis techniques, able to manage the complexity and wide area nature of the grid, and supporting the identification of the required security level. To this aim, the paper proposes a hybrid model, based on Generalised Stochastic Petri Net integrated with continuous simulations approach, supporting the risk analysis and evaluation of different protection strategies, on the base of specific risk-based indices. The paper describes the hybrid model, taking into account both the continuous time dynamics of the power system itself, but also the discrete dynamics involved by disrupt phenomena due to breaks, outages, natural phenomena. The use of analytic models in SIL analysis of the element of system protection scheme allows to evaluate the security level associated to different protection strategies and to support the identification of specific criticalities of protection system. Acknowledgement. This work has been supported by MAP (Italian Ministw for Productive Activities) in the frame of Public Interest Energy Research Project named "Ricerca di Sistema" (MAP Decree of 28 Feb. 2003).
REFERENCES Ajmone, M.Marsam, G. Balbo, G. Conte, S. Donatelli and G. Franceschinis (1995). Modelling with Generalized Stochastic Petri Nets, Wiley Series in Parallel Computing, John Wiley and Sons. Bie, Z., and X. Wang (2002). Evaluation of power system cascading outages. IEEE Power System Technology Intl. Conference.. Vol. 1, 13-17 Oct. 2002, p. 415 419. Marceau, R.J., and J. Endrenyi (1997). "Power System Security Assessment." A Position Paper". CIGRE Task Force 38.03.12. Electra, No. 175, pp. 48-78. Dobson, I., B. A. Carreras, V. E. Lynch and D. E. Newman (2004a). Complex Systems Analysis of Series of Blackouts: Cascading Failure, Criticality, and Self-organization; Bulk Power System Dynamics and Control, Cortina d'Ampezzo, Italy. Dobson, I., B. A. Carreras and D. E. Newman (2004b). A criticality approach to monitoring cascading failure risk and failure propagation in transmission systems; "Electricity transmission in deregulated markets'" Conference at Carnegie Mellon university. Grigg, C. et al. (1999). The IEEE Reliability Test System-1996: a report prepared by the Reliability Test System Task Force of the Application of Probability Methods Subcommittee Power Systems. IEEE Transactions on Power Systems, Vol. 14, Issue 3, pages 1010 1020. Lucarella, D., M. Pozzi, M. Valisi and G. Vimercati (2004). Un approccio basato sull'analisi di rischio per l'esercizio in sicurezza del sistema elettrico; Italian National Congress on the estimation and management of risk in civil and industrial sites; Pisa, Italy. Makarov, Y.V., and R.C. Hardiman (2003). On Riskbased Indices for Transmission Systems. Proc. IEEE PES Annual Meeting, Toronto, Ontario, Canada, July 13-17, 2003 McCalley, J. and V. Vittal (2001). Risk Based Security Assessment, EPRI Project WO860401,2001, final report. Padke, A. (2002). Hidden failures in protection systems. Power systems and communications infrastructures for the future, International conference, Beijing, 2002. Yu, X., and C. Singh (2004). A Practical Approach for Integrated Power System Vulnerability Analysis With Protection Failures, IEEE Transaction on power systems, vol. 19, no. 4, pages 1811 - 1820.
388
Copyright © Analysis and Design of Hybrid Systems Alghero, Italy 2006
ELSEVIER
IFAC
Illl/lllll
PUBLICATIONS
A HYBRID A P P R O A C H F O R SAFETY ANALYSIS OF A I R C R A F T SYSTEMS
E. Villani +, P. E. Miyagi*
+Instituto Tecnol6gico de Aerondutica, Department of Mechanical Engineering 12228-900 Sao JosO dos Campos, Sao Paulo, BRAZIL * Escola PolitOcnica, University ofSao Paulo Av. Prof. Mello Moraes, 2231 CEP 05508-900 Sgto Paulo, BRAZIL e-mail: e v i l l a n i ~ , ~ . b r
Abstract: This paper introduces the use of a hybrid modelling and simulation approach for the analysis of safety issues in aircraft systems. Traditionally, safety analysis in aircraft industry is performed without considering the system dynamics. In this paper the dynamics of the aircraft components are modelled using Petri nets and differential equations. Faults are incorporated in the model using probabilistic distributions functions. The reliability of the system under fault is then estimated by simulation. The approach is applied to the landing system of a military aircraft in order to compare two different control strategies for detecting and processing faults. Copyright © 2006 IFA C K e ~ o r d s : Petri nets, hybrid systems, probabilistic behaviour, safety analysis.
1. INTRODUCTION
•
Safeness is one of the major concerns in the design of aircraft systems. Most of the aircraft components are provided with redundancy. The degree of redundancy of each component depends on a number of factors such as the kind and probability of fault, per hour of flight. Usually, in order to estimate how safe an aircraft system is, the probabilities of fault in each one of the system components are combined in a static approach using methods such as fault-tree analysis. These methods derive the total probability of fault in the system, which must be within predefined limits. The maximum allowed probability of fault depends on how the system deteriorates the level of flight quality and how it affects the aircraft operation and functionality (Stevens; Lewis, 1992).
•
An important limitation of the methods current under usage in the aeronautic industry is that they do not consider the system dynamics when analysing safeness. When the aircraft behaviour is taken into account, more precise and detailed information can be obtained. Among the issues to be investigated are: • How a component fault affects the aircraft system behaviour?
• •
How does it influence the probability of fault in other components? How to estimate the probability of critical scenarios that combine a set of component faults? How does redundancy affect the system behaviour? How to estimate the probability of a wrong diagnostic and its consequences?
In this context, this paper proposes the use of hybrid system modelling and simulation techniques for analysing how the aircraft system dynamics may affect or influence the occurrence, detection and diagnosis of faults. The problem of fault modelling has already been approached by a number of works in many domains. However, most of them consider the problem either from a discrete (Ait-Ameur et al, 2003; Lundqvist, Asplund, 2003) or continuous (Matsuura et al, 2005) point of view. The use of hybrid simulation for the analysis of aircraft safeness is discussed in Pritchett et al (2000). A hybrid approach is necessary when the system under analysis mixes both continuous and discrete behaviour (Alla, David, 2004). A number of aircraft systems are typically classified as hybrid. They
389
the pilot in the case fault. Particular emphasis must be given to the analysis of situations that may result in a wrong diagnostic made either by the automatic control system or the pilot.
incorporate continuous dynamics such as the continuous positioning of surfaces or the pressure evolution in a hydraulic system, as well as discrete sequence of events, such as switching between components in the case of fault, or executing the command sequences for landing and take-off.
Finally, in Step 3 the critical situations are translated into properties that the system must fulfil. An example is to establish a maximum probability to be in a critical state. The requirements are then analysed using Monte Carlo simulation.
The hybrid modelling formalism considered in this work is the Object-Oriented Differential Predicate Transition nets (OO-DPT net). It combines Petri net for the discrete part and differential equation systems for the continuous one. The object-oriented paradigm is incorporated in order to achieve modularity. The problem of design and analysing aircraft systems using DPT nets has already been presented before (Villani, Miyagi, Valette, 2003). However, previous works have assumed that the system is operating under nominal conditions, i.e., without modelling equipment redundancy and the possibility of fault occurrences. In this paper, faults are incorporated into the models by using probabilistic distribution functions.
2.2 The O 0 - D P T net
The OO-DPT net is the modelling formalism adopted in this work. It has been introduced in (Villani, Miyagi, Valette, 2005) and it is based on the incorporation of object-oriented (OO) concepts to the Differential Predicate-Transition (DPT) net, proposed in (Champagnat et al, 1998). The OO paradigm assures that an aircraft system can be specified by combining the model of the system components, such as sensors and actuators. According to the definition of OO-DPT net, the model of a system is composed of the a set of objects organized in 'n' classes (C1, C2, ..., Cn). Each class Ci is modelled by a DPT net, which defines an interface between differential equation systems and Petri net elements. Its main features are: Each object Ow.i of the class Ci is represented by a token or a set of tokens in the DPT net of Ci. A set of variables (Xi) is associated with each object of the class Ci: they correspond to the attributes of the class. They are divided in Xco ~, Xint i, Xpb_i and Xim i. Xco i are constant parameters and do not change their value during the object lifetime. X~nti are internal variables and other objects cannot access their value. Xpb are public variables, other objects can read their value. X~m ~ are image variables, they are public variables of other objects that are read by Owi. A differential equation system (Fj i) is associated with each place (pj i): it defines the dynamic of a sub-set of X~ according to the time (0), when a token of Ow~ is in Pji,. An enabling function (ej i) is associated with each transition (tj0: it triggers the firing of the enabled transitions according to the value of Xi. A junction function (jj i) is associated with each transition (tj i): it defines the value xi associated with the tokens of the output places of tji after the transition firing.
The landing system of a military aircraft is presented as an example. Particularly, the approach is used to compare two different control strategies that combine the output of a set of redundant sensors in order to detect fault and avoid dangerous states. This paper is organized as following. Section 2 describes the proposed approach and the modelling formalism. Section 3 describes the example and Section 4 presents some conclusion.
-
2. THE APPROACH FOR SAFETY ANALYSIS 2.1 Overview
The proposed approach for safety analysis is divided into the following steps: Step l - System modelling, Step 2 - Specification of safety requirements, Step 3 - Simulation.
-
The approach is illustrated in Section 3 using as an example a landing system. Basically, in Step 1, the behaviour of the system under analysis is modelled using the OO-DPT net (presented in Section 2.2). For this purpose the designers must specify the list of all possible faults in each component. A fault may be a discrete event, such as an ON/OFF sensor is blocked in the OFF position. Or faults may also be a continuous activity, such as a leakage in the hydraulic system. In this case the fault is characterized by a set of parameters associated to continuous variables, such as the amount of the leakage per time unit. In the OO-DPT nets faults are modelled by probabilistic distribution functions, which are explained in Section 2.2. The model built in Step 1 must include not only the aircraft components and equipment but also the automatic control system. The strategies used for fault detection, diagnostic and treatment are also modelled as OO-DPT objects. Step 2 consists of specifying the safety requirements. The system designers must determine what the critical situations are and how is the interaction with
-
-
The communication among objects can be discrete or continuous. The continuous interactions are modelled by sharing the continuous variables among objects (e.g. Ow.i and Oz.v). The value of the shared variables is determined by one object (Ow.i), where it is defined as a public variable (Xpb i), and can be used in the junction function, the equation systems or the enabling function of another object (Oz.v), where it is defined as an image variable (Xim z). The discrete interactions are method calls. Each class offers methods that are associated with its transitions and that can be requested by other classes. A method call is modelled as the fusion of two transitions: the _
390
transition tj.i of the class Ci that offers the method and the transition tw v of the class Cv that calls the The method call happens when both transitions are enabled in their classes.
m
e
t
h
o
d
.
-
-
-
In order to model the occurrence of faults, probabilistic behaviour must be introduced into the OO-DPT net. The problem of modelling uncertainty in hybrid system has already been approached in many works of the literature (e.g. Pola et al. (2003)). Among the formalisms that model the discrete dynamics using Petri net is the Fluid Stochastic Petri net (Horton et al, 1996) and Dynamically Coloured Petri (Everdij, Blom, 2005). The introduction of uncertainty into models that merge Petri net and differential equation system is briefly approached in (Khalfaoui, 2003) and is based on Generalized Stochastic Petri net. In the proposed approach, probabilistic behaviour is introduced in junction functions. In this case, a probabilistic distribution (PD) is used to define the value of a variable after the firing of a transition. Each time the transition fires a new value is attributed to the variable according to the probabilistic distribution. As an example, Figure 2 presents the OO-DPT net of the class (71 - H y d r a u l i c Cylinder, which models the behaviour of the cylinder illustrated in Figure 1. Fext
Figure 1. Hydraulic Cylinder. f
C 1 - Hydraulic Cylinder tl _ 1 P2_ 1 t3_ 1 R e t r a c t e ~ i n g
-
-
-
The communication of the class C1 - Hydraulic Cylinder with other classes is made by sharing variables R, E and QL, and by reading variable PL and VpL from the class Cs - Electro-valve (presented in Section 3). The OO-DPT net of class C1 models a fault as a certain amount of hydraulic fluid leakage. The pressure PL and a leakage coefficient CE, which is set according to the probabilistic distribution PD1, determine the amount of leakage. The probabilistic distribution combines the probability of having different kinds of fault with the probability of having a certain amount of leakage when a certain fault occurs. A qualitative example of PD1 is presented in Figure 3. The low values of CE am the normal amount of leakage (when no fault occurs), the values on the centre of the graphic are related to problems in the cylinder seal, the high values of CE are related to structural faults such as cracks in the actuating cylinder.
/~Extended
Pl__IL ) Retracting
I
...........
-
~P3__1 |
The next section presents the example considered in this paper: the landing system of a military aircraft.
,,,~ fault
PD1A
~
.............................................t27 ...........................................t4-! ..............
{i
Variables
Xint 1 -- {X, V, CE}; Xpb_l - {R, E, PL}; Xc~ 1 = {A, B, W, M, L, p}; Xpb I = {QL} Enabling
functions
(A.P L - B.v + W)/M - CE.PL).4.J~/(A.L) (A.P L - B.v - W)/M - CE.PL).4.13/(A.L)
\~,
Figure 2. OO-DPT net of class C1 - Hydraulic Cylinder.
The hydraulic cylinder can be completely extended (P3_l) or retracted (Pu), or can be extending (P2j) or retracting (P4 1). When moving, the dynamics of the cylinder is set according to a differential equation system (F2 1 and F4 1) composed by 3 equations. The time is represented as '0'. The first equation relates the speed of the piston with its position. The second equation is the balance of the forces acting on the piston. The third equation is the balance of mass in Chambers 1 and 2 and it includes the effects of the fluid compressibili~ on the cylinder dynamics. The class variables are:
seal fault
crack fault
3. THE EXAMPLE
systems
F2j: dx/d0 = v; dr/d0 = dPL/d0 = (QL "A.v F41: dx/de = v; dv/d0 = d P ] d e = (QL - A.v
)
Figure 3. Probabilistic Distribution PD1 of class C1 - Hydraulic Cylinder.
e~. 1: PL .> O; e. 2 1: x .- O; e 3 1: x - L; e 4 1: PL < O; Junction functions J1_1: R=0; CE=PD1; J2j: R=I' J3j: E=I; J4_1: E=0; CE=PD1; Equation
x, v - position and speed of the piston (x=0 when the piston is completely retracted); QL - amount of fluid entering Chamber 1 and leaving Chamber 2. R, E - auxiliary variables that indicate if the piston is completely extended or retracted; CE- leakage coefficient; PL - difference between the pressure in Chamber 1 and that in Chamber 2; VpL - derivative of PL; A, M - area and mass of the piston; B - damper coefficient; Fext - external force; L - maximum value of x; 13- compressibility coefficient of the fluid;
The case-study considered in this paper is the landing-system of a military aircraft. It is composed of 3 landing sets (called A, B and C) containing each one a door and a landing-gear. The sequence that must be performed at landing consists of opening the doors of the 3 landing-gear compartments, extending the landing-gears and closing the doors. A similar sequence must be performed at take-off. The landinggear and door movement is performed by a set of actuating hydraulic cylinders. For each door, a hydraulic cylinder opens and closes the door. For each landing gear, a hydraulic cylinder extends and retracts the landing gear. The hydraulic cylinders are moved by electro-valves. Figure 4 illustrated the hydraulic circuit for the doors.
391
Door A
Door B
Table 2 - Rules for Level 2 - Strategy 1.
Door C
Level 1 - DO
Level 1 - DC
Level 2
ON OFF OFF ON
OFF ON OFF ON
Open Closed Moving Fault
In the case of Strategy 2, the following rules are considered for Level 1: • If all the three output signals are 'ON', the combined sensor output is 'ON'. If all the three output signals are 'OFF', the combined sensor output is 'OFF'. • If two output signals are 'OFF', and one is 'ON', the combined sensor output is 'OFF' and the identity of the sensor with output 'ON' is memorized. If on the next time the sensors are read, the output of this sensor is still different from the other two, this sensor is considered as fault, and from this moment on it is ignored by the control system. • A similar approach is executed when two output signals are 'ON', and one is 'OFF'. • If one sensor has been eliminated and the other two are 'OFF', the combined sensor output is 'OFF'. If one sensor has been eliminated and the other two are 'ON', the combined sensor output is 'ON'. • If one sensor has been eliminated and the other two sensor signals are different from each other, the combined sensor output remains unchanged and an error is memorized. If on the next time the sensors are read, the two outputs are still different, the combined sensor output is fault.
Figure 4. Door hydraulic circuit. Discrete sensors inform the control system about the positions of the actuating cylinders, the pressure in the hydraulic system, among others. Each discrete sensor is provided with redundancy 3. Sensors signal are used for coordinating the landing system movements during landing and take-off. Furthermore, during cruise and other flight phases, they are constantly read and processed with a certain frequency in order to monitor the landing system and detect problems. In the case of fault the pilot is notified. The purpose of this example is to analyze how the sensor redundancy augments the system safety and what is the best strategy for combining the signal from the redundant sensors. Because of the limited space, only the door sensors are considered in this paper. Each door has two different kinds of sensor, one indicating if the door is completely open (DO sensor) and one indicating if it is completely closed (DC sensor). Each of them has redundancy 3. In order to unambiguously refer to a sensor, the notation DOxy is used to refer to the DO sensor 'x' (1, 2 or 3) of the door 'y' (A, B or C). Similarly, DCxy is used to identi~ the DC sensors. The same configuration is adopted for the landing-gears.
The rules for defining the Level 2 output for Strategy 2 are presented in Table 3.
Usually, the sensor outputs are processed in 4 levels. In Level 1, the outputs of three redundant sensors (e.g. DOla, DO2A and DO3A) are compared among them and a combined sensor output is generated. In Level 2, for each door the combined sensor output of door open (DO sensors) is compared with the combined sensor output of door closed (DC sensors) and a door output is provided. It indicates the current state of the door (open, closed, moving or fault). The output of Level 2 is also used in timing monitoring functions. When an order to open or close the door is emitted, the operation must be complete within a time interval. Otherwise, a fault is detected and informed to the pilot. The same approach is performed for each landing-gear. In Level 3, for each landing set, the landing-gear output is compared with the door output and a landing-set output is generated. At this level, faults are detected in situations such as if the door is closed and the landing-gear is moving. Finally, Level 4 compares the three landing-set outputs of Level 3 and a landing-system output indicating the current state of the landing system.
Table 3 - Rules for Level 2 Strategy2. Level I - DO
Level 1 - DC
Level 2
ON ON ON OFF OFF OFF Fault Fault Fault
ON OFF Fault ON OFF Fault ON OFF Fault
Fault Open Open Closed Moving Fault Closed Fault Fault
This is typically a hybrid problem because an abnormal output of the system can be the result of a sensor fault or of a leakage in a hydraulic cylinder (continuous variable CE of Figure 2). In the second case, the leakage affects the cylinder dynamics, slowing it down or even reverting movement direction if the weight of the landing gear is against it. In this situation the control system must detect a fault and inform the pilot, which can then activate a backup system for the movement of the landing gear. The detection can be affected by a sensor fault and depends on the strategies at Levels 1 and 2.
In this example, two different control strategies are considered for processing the sensors at Level 1 and Level 2. In the Level 1 of Strategy 1, if three or two output signals are 'ON', the combined sensor output is 'ON', otherwise the output is 'OFF'. Level 2 of Strategy 1 adopts Table 2 for defining its output.
3.1
System
Modelling
Once that the focus of this example is on the processing of door sensor signals, the model of the system is limited to the doors hydraulic cylinders, electro-valve, sensors and controller. Similar objects are used to model the landing-gear hydraulic system. 392
The system model is composed of a set of 6 classes: C1 - Hydraulic Cylinder, C2 - Discrete Sensor, C3 Hydraulic Electro-valve, C 4 - Level_l Processor, C5 - Level_2 Processor, C6 - Door Sequence Controller. The first 3 classes model the behavior of the physical components, while C4, Cs and C6 model the control system. The model of class C1 has already been presented in Section 3. There are three objects of class C1:O1.1 - Door A, 02,1 - Door B, 03,1 -- Door C.
Model of Class C2- Discrete Sensor Under normal operation, the discrete sensor is either ON (P2_2) or OFF (Pl 2). The switching between ON and OFF takes place according to the value of the image variable Sin, which corresponds either to the public variable E or R of class C1 - H y d r a u l i c Circuit. However, each time the sensor must switch, a fault may occur and the sensor may go to states 'Blocked ON' (P7_2) or 'Blocked OFF' (P6 2). The fault corresponds to the firing of t4_ 2 or ts 2, and happens with a probability of (1-PoFF) and (1-PoN), respectively, The probabilistic distribution PD2 sets a random value between 0 and 1 to the variable 'rd', which determines the occurrence of a fault. There are 18 objects of class C2: O1. 2 - DO1A, 02.2 -- D O 2 A , 03.2 -- D O 3 A , 04.2 - D O 1 B , 05.2 - D O 2 B , 0 6 . 2 -
D O 3 B , 07.2
-- D O 1 c , 08.2 - D O 2 c , 09.2 - D O 3 c , O 1 0 . 2 - D C 1 A , Oll.2
DC3a, O13.2 -
- DC2A, O12,2 -
O15.2 -- D C 3 B , O16.2 DC3c.
DC1c,
DC1B, O14.2 - D C 2 B , O17.2 -
DC2c,
/
O18.2 -
\,
Sensor
C 2 - Discrete
"1 "\__J OF
F~
Pl_2
ts-~B~ocked
.I
~k
"1
#-~
I..
/
+o N
t2_2 Blocked ON \'----/' '
)~m_2
= {Sin}; Xint2 = {rd};
Enabling functions el _2: Sin - 1" e 2_2: Sin - 0; e 3_2: rd<=Poa; e4_2: rd>Poa; e5_2: rd>PoFF; e6_2: rd<=PoFF;
.,.
Junction functions Jl 2: rd = PD2; J2 2: rd = PD2; J3 2: Sout = 0; J6 2: Sout - 1"
Figure 5. OO-DPT net of class
C2 -
-
-
P23
t2 3
~
P33
t4 3
:Variables X 't 3 = {QT }; Xpb 3 = {PL' VpL}; X'no~3 = {KI' K2' P-s, PR }; Xim_3 = {QLA' QLB' QLC}
Equation systems : F1 3:dPL/d0 = VpL; QT - PL = KI"(Ps'PR)' F3 3:dPJd0 = VpL; QT PL = KI"(Ps'PR) -
= Qu+QL2 + QL3; K2"QT 2; = QLI+QL2 + QL3; K2"QT 2;
Junction function Jl_3' J4_3: PL =0; VpL -- 0; Method provided by the class t2 3: Set negative pressure t3-3: Set positive pressure
Figure 6. OO-DPT net of class C3 - Hydraulic Electro-valve.
Model of Class C4-Level_l Processor This class represents the processing of sensor outputs at Level 1 and has mainly a discrete dynamics. It receives the output of 3 redundant sensors as image variables and provides an output to an object of class ( / 5 - Level 2 Processor. The OO-DPT model of this class varies according to the chosen strategy. Due to limited space, it has not been presented. There are 6 objects of this class: O1.4 - DO Output_A, 0 2 . 4 - - DO Output_B, 03.4 -- D O Output_C, 04.4 -- D C Output_A, Os.4- DC Output_B, 06. 4 -- DC Output_C.
j
3.2 Safety Requirements
Discrete Sensor
Model of Class (73 - Hydraulic Electro- Valve This class relates the pressure on the hydraulic circuit (Pc) with the position of the electro-valve (Figure 4). The OO-DPT net is presented in Figure 6. The equation that defines the pressure PL combines the amount of fluid through the valve and the decreasing of pressure when passing through a restriction. No fault is considered for the electro-valve. The class variables are: Vpc - derivative of the pressure PL; QT - total amount of fluid to the door cylinders. QLA, QCB, Q c c amount of fluid entering Cylinders A, B and C. K1, K2 - constants of the electro-valve; Ps, P R - Supply and return pressures of the hydraulic system. -
"UP
t3-3 Positive
Model of Class C6- Door Controller This class controls the operation of the electro-valve and the door opening and closing according to commands emitted by the pilot. It is important to observe that it uses the output of the objects of class Cs to detect any fault. There is only one object of this class: O1.6- Door Controller.
I t4 2
Variables Xpb_2 = {Sout};
P1_3
Electro-valve
tl-3
Model of Class (/5- Sensor Level_2 The model of this class is similar to the model of class C4, but instead of processing the sensor signals, this class processes the output of the objects of class C4 and warns the pilot in the case of fault. There are 3 objects of this class: O1.s- Door Output_A, O2.sDoor Output_B, 03.5- Door Output_C.
OFF
J,
P2 2
I~
~-~
C 3 - Hydraulic
Negative
The number of detected faults and wrong diagnostics are selected as a parameter to evaluate the two control strategies. The best strategy is the one that detects more faults and minimizes the wrong diagnostics. The following situation can be found and are particularly critical to the system operation: • Case 1" Due to sensor faults, the control system indicates the doors are completely open when they are not yet. This is a particular critical situation because the control system will then follow the landing sequence, extending the landing-gear. A crash between the door and landing-gear may occur, damaging the landing system. Similarly, if the control system does not detect that one or more doors have a critical leakage, the pilot is not warned and therefore cannot activate the emergency system. 393
Case 2" One of the objects O1.5, 02,5 or 03. 5 of class C5 - Sensor Level_2 of the control system warns the pilot of a fault in the sensors. Case 3: The object O1.6 - Door Controller of the control system detects a fault in the hydraulic actuator (at least one of the doors is not open in maximum time interval) and warns the pilot.
properties. This is a particular critical point in aerospace application because, differently from the data used in Section 3.3, the probabilities of fault of aircraft components and equipment are extremely low, reaching 104 and even low. AC~OWLEDGES
3.3 Simulation
The authors would like to thank the partial financial support of the governmental agencies FAPESP, CNPq and CAPES.
No software is available yet for simulating OO-DPT nets. As a consequence, Monte Carlo simulation has been performed by translating the OO-DPT net into MatLab language. The continuous dynamics is discretized with fixed time steps. Each class corresponds to a different subroutine. Furthermore, due to the confidential nature of aircraft system data, the results published in this section are not based on real values for model parameters and probabilities of faults. They must be considered only as an example of simulation output and not as the behaviour of a real military aircraft.
REFERENCES Ait-Ameur, Y. et al. (2003) "Robustness analysis of avionics embedded systems." Proceedings of the ACM SIGPLAN Conference on Language, Compiler, and Tool for Embedded Systems, San Diego. Alla, H.; David, R. (2004), Discrete, Continuous, and Hybrid Petri Nets. Springier Verlag. Champagnat, R. et al. (1998), "Modelling and Simulation of a Hybrid System through Pr/Tr PN-DAE Model", 3rd International Conference on Automation of Mixed Processes, Reims. Everdij, M.H.C.; Blom, H.A.P., (2005) "Piecewise deterministic Markov processes represented by dynamically coloured Petri nets", Stochastics, vol.77, n.1, pp. 1-29. Horton, G.; Kulkami, V.; Nicol, D.; Trivedi, K. "Fluid stochastic Petri nets" ICASE Report 96-5, Hampton, 1996. Lundqvist, K.; Asplund, L. (2003) "A RavenscarCompliant Run-time Kernel for Safety-Critical Systems." Real-Time System, vol.24, n.1, pp.2954. Khalfaoui, S. (2003), "M6thode de Recherche des Sc6narios Redout6s pour l'Evaluation de la Sfiret6 de Fonctionnement des Syst6mes Mechatroniques du Monde Automobile", PhD Thesis, Laboratoire d'Analyse et d'Architecture des Systkmes du CNRS, Toulouse. Matsuura, J.P.; Yoneyama, T.; Galv~o, R.K.H., (2005) Learning bayesian networks for fault detection: application to the 747 longitudinal motion. 18th Int. Cong. Of Mechanical Engineering, Ouro Preto. Pola, G. et al. (2003), "Stochastic hybrid models: an overview". IFAC Conference on Analysis and Design of Hybrid System (ADHS), St Malo. Pritchett, A.R.; Lee, S.; Huang, D.; Goldsman, D. (2000) Hybrid-system simulation for national airspace system safety analysis, Proc. of the 2000 Winter Simulation Conference, Orlando. Stevens, B.L.; Lewis, F.L. (1992), Aircraft control and simulation. Jonh Wiley & Son. Villani, E.; Miyagi, P.E., (2003), "Petri Net and OO for the modular analysis of an aircraft landing system", 17th International Congress of Mechanical Engineering, S~o Paulo. Villani, E.; Miyagi, P.E.; Valette, R., (2005), "A Petri-Net based Object-Oriented Approach for the Modelling of Hybrid Productive Systems", Non-linear Analysis: Theory and Methods, vol.62, n.8, pp.1394-1418.
Referring to Figure 5, the probability of a discrete sensor remaining blocked 'ON' or 'OFF' is PoN = POFF = 0.05. Referring to Figure 2, the PDI, which assign a value to CE, is the result of the sum 3 distribution, with the following weight and media: • Case of no fault: weight=0.8, media=0.01 • Case of seal fault: weight=0.1, media=0,5 • Case of crack fault: weight=0.1, media=0.9 Using this data, simulation is performed by executing sequences of extending and retracting cycles. Table 4 presents the percentage of retracting and extending cycles that corresponds to Case 1, 2 or 3 (described in Section 2). The best strategy must minimize the occurrence of Case 1 (wrong diagnostic) and maximize the occurrence of Cases 2 and 3 (correct fault detections) According to this result the best strategy is Strategy 2. Table 4 - Simulation results. Case 1 Case 2 Case 3
Strategy 1
Strategy 2
0.01 7.28 0.89
0.00 7.19 1.42
4. CONCLUSION This paper presents the application of a hybrid approach for the safety analysis of aircraft systems. The proposed approach is based on OO-DPT net and faults are modelled by means of probabilistic distributions. The approach is applied to the landing system of a military aircraft. As an example the problem of analyzing sensor redundancy and comparing control strategies is detailed. Results are currently obtained by Monte Carlo simulation. One of the points to be investigated in future work is the development of techniques and strategies to reduce the number of simulations, such as in the Dynamically Petri nets (Everjid, Blom, 2005). For this purpose the modelling flexibility may be restricted in order to satisfy the strong Markov 394
Copyright © Analysis and Design of Hybrid Systems Alghero, Italy 2006
ELSEVIER
IFAC PUBLICATIONS
DETECTING AND ENFORCING MONOTONICITY FOR HYBRID CONTROL SYSTEMS SYNTHESIS s Dmitry
Gromov
* J S r g R a i s c h * , **
* Fachgebiet Regelungssysteme Technische UniversitSt Berlin Ema±l : {gromov Iraisch} @control.tu-berlin.de ** Systems and Control Theory Group Max-Planck-Institut, Magdeburg, Germany
Abstract: Abstraction based approaches to control of hybrid systems require efficient means of computing outer approximations of reachable continuous state sets. This contribution discusses how the concept of monotonicity can be used for this purpose. It provides an efficient algorithm to check whether a given continuous system is monotone with respect to a (a-priori unknown) partial order and, if not, investigates how to use continuous feedback to enforce monotonicity. In the latter case, the resulting continuous feedback represents a (lower) control level within a hierarchical hybrid control system. Copyright © 2006 IFAC Keywords: Monotone systems, hybrid control, hierarchical control.
1. I N T R O D U C T I O N Abstraction-based approaches to hybrid control systems synthesis have become popular during the last decade (e.g. [Cury et al., 1998, Koutsoukos and Antsaklis, 2003, Chutinan and Krogh, 2000, Lemch and Caines, 1999. Moor and Raisch, 1999]). They essentially "replace" continuous dynamics by discrete abstractions and hence convert the underlying hybrid control problem into a purely discrete one, which can subsequently be addressed using standard methods from discrete event systems (DES) theory. To guarantee that desired closed-loop properties carry over from the approximation level to the underlying hybrid system, one needs to make sure that the behaviour of the abstraction covers the behaviour of the continuous dynamics on a suitable (discrete) external signal space. This, in turn, boils down 1 Work partially done in the framework of the HYCON Network of Excellence, contract number FP6-IST-511368
to computing guaranteed overapproximations for reachability sets in the continuous component 's state space. For general nonlinear systems, this represents a highly nontrivial problem. However, if the system under consideration is monotone (e.g. [Smith, 1995, Angeli and Sontag, 2003]) with respect to a partial order in its state space, this becomes a straightforward exercise [Moor and Raisch, 2002]. This paper addresses two problems from this context: (i) it provides a mechanism to efficiently check for the existence of a suitable partial order and hence for monotonicity. (ii) for the case when this test fails, the paper also discusses how continuous feedback can be used to enforce monotonicity. This contribution is organised as follows: in Section 2, we briefly review the notion of a partial order. Section 3 addresses the concept of monotone, i.e., order preserving, dynamical systems, both for the autonomous and the controlled case. This section is mostly based on [Smith, 1995, Angeli
395
3.1 Autonomous systems
and Sontag, 2003], but also contains new results on how to efficiently check m o n o t o n i c i t y (Propositions 3 and 8). In Section 4, we briefly outline how monotonicity can be used in the context of abstraction based hybrid control synthesis. Finally, in Section 5, we investigate how a p p r o p r i a t e continuous feedback on a lower level of a hierarchical hybrid control scheme can enforce m o n o t o n i c i t y and hence facilitate the c o m p u t a t i o n of discrete abstractions for higher level control purposes.
Consider the d y n a m i c a l system:
ie(t)- f(x(t)),
(1)
where x(t) c X c IR~, f : X -+ IR~ is a continuously differentiable vector field. T h e solution of (1) t h a t starts at the point x0 at t - 0 is defined as Ot(Xo) and referred to as the flow of (1). To make an assertion a b o u t qualitative properties of the above d y n a m i c a l system we have to introduce some classification.
2. P A R T I A L O R D E R R E L A T I O N S
Definition 1. A vector field f : X -+ IR~ is said to be of type K5 on an open subset D c X if for each i c { 1 , . . . , n } , ( 1 ) a * f i ( a ) < ( 1 ) 5 ~ f i ( b ) for any two points a and b in D satisfying a -<5 b and
A partial order relation -< on a Banach (or, more precisely, ordered metric) space B is defined as an o p e r a t i o n satisfying the following three properties:
1. x--<x
ai -- bi.
Vx c X ,
2. ( x - < y ) A (y-< z) ~ x-< z Vx, y, z c X,
3. (x ~ y) A (y -Z, x) ~ x - y
The following proposition ([Smith, 1995], Chapt.3, Prop.5.1) asserts t h a t the t y p e Ka condition is necessary and sufficient for the order preserving p r o p e r t y to hold.
Vx, y C X.
We write x -< y if x -~ y and x -¢ y. This relation is no longer reflexive and is referred to as a strict order relation. Usually, to introduce an order relation one uses an auxiliary set K c B, such t h a t 1. c ~ k c K VkcK, c~cR+, 2. k l + k 2 c K 3. k c K A
Proposition 2. Let f be of type Ka on D and xo,Yo c D. Ifx0 -
Vkl,k2cK, /ccK~k
0.
or @t(:Co) -<-
Thus, K is a convex pointed cone. The relation is defined by x -< y if and only if y xcK. 2 IfK has n o n e m p t y interior i n t K t h e n we define x -+< y iff y x c i n t K . It is stronger t h a n -< or -4 as x -+< y implies x -< y and therefore x -< y. In Euclidean space R ~, o r t h a n t s can play the role of cones. Each o r t h a n t R2 c R ~ is characterised by its signature, i.e. the n-tuple (~ {(~s,..., ~ } whose elements take values from the two-element set {0, 1}. R ~ is defined as IR2 - {x c R ~ ( 1)5~xi > 0}. Hence, the zero signature corresponds to the positive orthant. We use n o t a t i o n -<5 (resp., -<5 and -+<5) to show t h a t the corresponding relation is defined with respect to the o r t h a n t IR~ Relation symbols w i t h o u t index refer to relations w.r.t, the positive orthant.
The most n a t u r a l way to decide w h e t h e r a vector field f is of type Ka is to analyse the sign s t r u c t u r e of the Jacobian m a t r i x of f. More specifically, it can be shown ([Smith, 1995]) t h a t the vector field f ( x ) is of t y p e Ka on the convex subset D if and only if
( 1)<+~,0f~(.)>0, oxj
i#j,,cD.
(2)
Condition (2) can be checked in two steps: S t e p 1: Check w h e t h e r the off-diagonal elements of the Jacobian m a t r i x are sign-stable, i.e.
Oxj
Oxj (3)
and sign-symmetric, i.e.
3. M O N O T O N E D Y N A M I C A L S Y S T E M S
Ofi(x)
A m o n o t o n e dynamical system is a d y n a m i c a l system on an ordered metric space which has the p r o p e r t y t h a t ordered states remain ordered when time progresses. In other words, monotone systems are order preserving d y n a m i c a l systems. In this section we give some conditions for an arbit r a r y a u t o n o m o u s d y n a m i c a l system to be monotone. F u r t h e r m o r e , these results are extended to d y n a m i c a l systems with inputs.
2 x-~yiffy
Oxj
Ofj(x) > 0Vx c D Oxi
(4)
for all i , j c { 1 , . . . , n } such t h a t i ¢ j.
S t e p 2: If the tests in Step 1 are satisfied, we need to check w h e t h e r the (Boolean) equalities
5~5 5
s~5,
i<j
(5)
hold, where @ represents "exclusive OR" and the n(n 1)/2 variables sij, i < j, j - 2 , . . . , n are defined as follows:
xEK\{O}
396
sij 0 i f Ofi(x) > 0 V ( O f i ( x ) _ 0 A Ofj(x) > O~ ] Oxj \ Oxj Ox~ 1if Ofi(x) < O v ( Ofi(x) _ O A Ofj(x) < 0 ) OXj
OXj
OX i
arbitrary in{0, 1} if Ofi(x)
O f j ( x ) _ O.
OXj
OX i
(6) Often, one wants to check whether a given vector field is of type K5 for some (yet unknown) sign structure 6. Step 1 obviously remains the same, but in Step 2 we need to decide whether (5) is solvable for the unknown 6 = { 6 1 , . . . , 6 ~ } . The following proposition presents an easy way to do this. Moreover, it shows that if the answer is positive, the orthant signature can be easily extracted from the sign structure of the Jacobian matrix.
Proposition 3, The system of Boolean equations (5) is solvable w.r.t. 6i if and only if the following condition is satisfied" Sij @ Sik -- Sjk,
i < j, j < k, i , j , k < n.
Proof (necessity) sij @ sik using (5):
8ij @ 8ik -- 6i @ 6j @ 6i @6 k.
6 -- {0, 8 1 2 , . . . , Sln}
is a solution of (5). 6s @ 5j trivially for j - { 2 , . . . , n } , ssO - sij, i , j c {2, n } , j equality follows from (7).
Example 5. Let us consider the Jacobian matrix with the following sign structure
j
__
,+0+,+0 0+, 0 0 0 •
I 1
Here we use asterisks to stress the fact that diagonal elements do not affect the monotonicity property. According to (6), we have {s~2, ss4, s23} = {0, 1, 0} while ss3 ,s24, and sa4 are arbitrary. From Proposition 3 we can deduce t h a t (5) is solvable iff {s13, s24, s34} = {0, 1, 1}. The corresponding signature is 6 = {0, 0, 0, 1}.
(7)
. Let us rewrite expression
By definition, a@b = b@a, a@a = 0 and a@0 Thus, sij O sik - 6j ® O ® 6k -- 5j ® 6k and we have shown t h a t (7) follows from (sufficiency). We now show t h a t (7) implies
the Jacobian matrix is the A matrix, i.e. g(x, u) = A. Thus, the sign structure of the Jacobian is completely determined by the signs of the elements aij. Obviously, they are sign-stable, so we need to check only conditions (4) and (5). Condition (4) (sign-symmetry) holds if aiyaji >_ O, i ¢ j. The second step is to check the corresponding Boolean equation (5) using the m e t h o d described in Prop. 3.
= a. sjk, (5). that (S)
- 0 @ ssj -- ssj holds and 6i @ 6j - ssi @ > i, where the last []
3.2 Controlled systems Some of the previous results can be extended to dynamical systems driven by an exogenous input signal. A system
Jc(t)
f (x(t), u(t) ),
(10)
where x(t) c X c R ~, u(t) c U c R m, f • X x U + R ~, generates a flow Ot(xo, u~), u~ u(r), 0 < r < t, which represents a solution of (10) with initial condition x(0) x0 and external input signal u.
Definition 6. A controlled dynamical system (10) is monotone w.r.t, the orthants R n and R-"~ r if the following implication holds for all t > 0"
Similarly, it can be shown that
(~
{ 1, 812 @ 1 , . . .
,
81n @ 1}
(9)
is also a solution of (5) if (7) holds. Furthermore, (8) and (9) represent the only solutions. This can be shown by considering a vector 6' with 6~ ~ 6i (i.e. 6~ 6i@ 1) for some i C { 1 , . . . , n} and 6] 6j for some j ¢ i. Hence,
In [Angeli and Sontag, 2003], a condition for the controlled system (10) to be monotone w.r.t, the orthants R~a and R~'~ has been proposed.
which shows t h a t 6' is not a solution of (5).
Proposition 7. ([Angeli and Sontag, 2003]). The syst e m (10) is monotone w.r.t, the orthants R ~ 6 and IR~ if and only if the following properties hold for all x c D and all u c U:
R e m a r k ~. (8) and (9) signify orthants that are symmetric w.r.t, the origin. For linear systems
( 1)a~+aJ~-~xj~X,U)>0, Ofi,
i ¢ j, i , j < n
(- 1)<+~JmOfi,~x, u )
i
Ouj
2(t) = A x ( t ) ,
397
> O,
-
3.3 Special cases
The above conditions are, in fact, the extended variant of condition (2) from the previous section. Hence, in addition to conditions (3), (4) and (5), which are used to check (2), t h e following tests need to be performed:
In the following we point out two special cases of a controlled system (10) where the simpler Proposition 3 suffices to check monotonicity. a) If u(t) is entirely defined by the present state x(t), i.e. u(t) u ( x ( t ) ) , the aacobian of the closed loop system is
First, the partial derivatives w.r.t, the control variables need to be sign stable, i.e.
Ofi(x,u) <0, Ouj
Ofi(x,u) >0or Ouj -
VxCD, VucU
(11) for all i _< n, j <_ m. Moreover, the set of Boolean equations
(~i @~/j -- qij,
i < n, j <_ m,
~(x)) o~z(x) &j(z) OL(x,u(x)) + ~ of{(x, Ou~ Oxj Oxj
(16) and the procedure described in Proposition 3 can be applied to (16).
(12)
where 0 q~j --
if
:-~
>0,
~
< 0,
vvvy
1 if
b) In a hybrid control context, the control vector often consists of two components, i.e. u'(t) [n~(t), u~(t)], where us(t) c R k, k < m is determined by continuous state feedback, i.e. us(t) us (z(t)), and u2 is a piecewise constant signal with finite range b / c IR"~ k, b/ - N c N. In this case, the system can be t r e a t e d separately on intervals, where u2 is constant, i.e. u2(t) - u~ c L/ t c [t~, t~+l), and Proposition 3 can be applied again. The value u~ is interpreted as a parameter, and the Jacobian is given by
d
arbitrary in{0,1}
Ofi(x) = 0 Ouj
if
(la)
needs to be solvable with respect to t h e vector
~= {~,...,~}. The following proposition gives a necessary and sufficient condition for equations (5) and (12) to be solvable.
J;) (~, ~ ) Ofi(x, ?_tl(x), ~t~) __~~
Proposition 8. The systems of Boolean equations (5) and (12) are solvable if and only if the following conditions are satisfied: Siy@S~k=Sjk,
qij @ qkj = sik,
i<j,
j
1-s
Oxj
1-~
of~(~,~!,),~) o~(~) 0-~11 Oxj
V~cN. Note that in our hybrid systems context, monotonicity is only needed to c o m p u t e safe abstraction. Hence, having monotonicity w.r.t, different orthants for different values of n will not pose any problems.
(14)
i ¢ k, i , k <_ n, j <_ m. (15)
Moreover,
= {0, s12,..., sly}, ~/ = {qss, . . . , qsm}
4. T H E R O L E OF M O N O T O N I C I T Y IN A B S T R A C T I O N BASED H Y B R I D C O N T R O L SYNTHESIS
is a solution. P r o o f . The proof can be carried out according to the same scheme as in Prop. 3. []
To put the previous discussion into context, we will now briefly describe the specific hybrid systems scenario we envisage as an application. Consider a continuous system
R e m a r k 9. It can be shown t h a t the solution is also defined up to inversion, i.e.
~(t)
N
(5 -- { 1, 812 @ 1 , . . . ,
81n @ 1},
-- {q11@ 1 , . . . , q l m @ 1}
g~(~) (x(t))
(lr)
where, as indicated before, u2 is a piecewise constant signal with finite range H, b/ - N.
is the only other solution of (5), (12).
z(t)
h(x(t))
(18)
R e m a r k 10. Condition (15) can be represented as qksGqlS--Skl,
COil(Q) ~ colj(Q)
k
is a discrete-valued o u t p u t signal with finite range, i.e. h : R ~ --+ Z, I Z l - _/1// < oc. Let us further assume t h a t the system (17), (18) is sampled, either on a regular sampling grid ("time-driven sampling") or on the sampling grid defined by the o u t p u t signal z switching values ("event-driven
k,l_
Vi, j <_ rn,
where Q = qij,i c { 1 , . . . , n } , j c { 1 , . . . , m } , and denotes an equality up to the inversion w.r.t. @.
398
sampling"). In the latter case, the input may only be switched at the time instances where the output changes. In both cases, eqns. (17), (18) and the considered sampling device form a continuous system (with state set X c IR~) evolving in discrete time 1N on a discrete external signal space U x Z. Let 13 c (U x Z ) N° denote its behaviour, i.e. the set of all pairs of discrete input and output signals compatible with the model assumptions. For abstraction based control synthesis, we need a discrete approximation, evolving on the same external signal space and exhibiting behaviour /3ab D /3. In [Moor and Raisch, 1999], strongest gcomplete approximation was advocated as a particularly suitable abstraction. It is characterised by the behaviour
5. MONOTONISATION THROUGH FEEDBACK We consider linear control systems { 2 ( t ) - Ax(t) + Bu(t),
v(t) = c~(t)
(~9)
wh~r~ ~(t) c R ~, ~(t) c R ~, y(t) c R', B h ~ full column rank and C has full row rank. If the monotonicity test fails, we may still be able to enforce monotonicity by appropriate feedback. For this purpose, we divide the vector of control inputs, u' - - [ u's, u~], where means "transpose" and us (t) c R k, k < m, is the part of the control input devoted to enforce monotonicity, The system (19) then takes the form
2(t) - A x ( x ) + BSus (t) + B2u2(t).
/36 :--
{(u2,
Z)
(20)
1% --+ b t x Z (u2, z) [k,k+e] C 13 [0,e] VkCN0}, Defining the control input us (t) as a linear func-
where the restriction operator (')l[k,k+e] : (U x Z) N° ---, (bt x Z) (e+s) picks the finite string ranging from the k-th to the (k + g)-th pair of external events and disregards its absolute location on the time axis; it can naturally be extended to sets of signals. From a computational point of view, determining the strongest &complete approximation boils down to deciding whether a given string of input and output symbols ( u 2 0 , . . . , u2e, z o , . . . , ze) is an element in /3 [0,e]- To obtain a precise answer, we would need to compute the evolution of the quantisation cell h S(z0) under the flow @~20 associated with g~20, intersect the result with h-S(Zl), track the evolution of the result under the flow ~21 associated with g~21 etc. To obtain safe approximation, or abstraction, it is sufficient to compute outer approximations of these solutions. Clearly, if g is monotone w.r.t, the partial order -<, and quantisation cells are "boxes" w.r.t. -<_, then ~2~(h ~(z~)) is "trapped" within the the evolution of "external points", i.e. a -< h s (zi) -< b implies
tion of the current output, us(t) = K y ( t ) K C z ( t ) , we change the Jacobian to J = A + B S K C and, therefore, alter its sign structure accordingly. But we still do not have a clear algorithm to solve this problem in general because of the large number of degrees of freedom (recall that the number of orthants for an n-dimensional system is equal to 2 n-s) The proposed semiformal algorithm uses an approach based on the successive reduction of the number of available degrees of freedom. (1) If either i-th row of B s or the j - t h column of C is identical to zero, the elements aij of the Jacobian remain unchanged.We can now check these elements for consistency by investigating whether Conditions (4) and (5) are satisfied. Clearly, if this is not the case, the monotonicity condition cannot be enforced by feedback from y(t) to us (t). (2) If the result in Step 1 is positive, we can deduce the signs of some other elements of the Jacobian from (7), Note the following "extreme" case: suppose, as above, that the i-th row of B s (resp., the j - t h column of C) are zero and that all the elements in the corresponding row (resp., column) of A are nonzero (apart possibly from the entry on the diagonal). Then, the corresponding sik, k ~ i (resp., ski, k ~ j) completely determine the required sign structure of J, as (see (7))
, ~ , (a) -< ¢ ~ (h *(~) -< 9 ~ , (b).
It is then a straightforward exercise to compute the required outer approximations and hence the desired safe abstraction [Moor and Raisch, 2002]. On the basis of such an abstraction, one can compute a discrete non-blocking supervisor enforcing a language-type specification. In [Moor and Raisch, 1999] it has been shown that the resulting supervisor will also be non-blocking and enforce the specification when connected to the underlying continuous model (17), (18).
sklk2 -- s~kl • sik2,
(21)
resp., (22) If, on the other hand, elements in the corresponding row (resp., column) of A are zero, there may be several admittable orthants. (3) In the next step, we isolate the entries of the Jacobian exhibiting inappropriate signs. We S]~1]~2 -- S~I j @ S]~2j.
399
where # is the maximum specific growth rate and Ks is the half-velocity constant. The tank volume is denoted V, and the incoming and outgoing flows are Q~n and Qo~t, respectively. The growth yield is Y and b is the decay rate. It is worth noting that all concentrations, input and output variables as well as parameters, are positive. Moreover, the growth yield Y is always less than one.
now need to determine a feedback matrix K to adjust these elements without changing the signs of the other entries. For this, the elements of the real [k x / ] - m a t r i x K have to satisfy k
1
+ Z X: bl ,k,J J,) -> o,q # p i=1 j=l
Using the conventional notation x "-- [Xb, Ss, So]' and u "-- [Xb,in , Ss,in , So,in , Qin]' one can rewrite
The extension of the proposed algorithm to the class of nonlinear control systems is not straightforward. Usually, an arbitrary nonlinear control system admits monotonisation only in some subset of the state space, if it does at all. Let's denote by X5 c X a subset of the state space X where the system can be rendered monotone w.r.t, the orthant with signature 6. It is quite common that some subspaces have nonempty intersection, i.e. Xs~ rh X5 2 7~ 0. Then, one must choose between several orthants. In this case, a decision can be made on the basis of heuristic considerations and can hardly be formalised. However, in some special cases (e.g. positive systems) the procedure can be successfully applied as is illustrated in the following example,
(23)
it1
tt l tt4 V
22-
U2U4 v
#KsXl
To illustrate the applicability of the developed approach we consider a model of the biological processes in an activated sludge process, the socalled IAWQ's 3 Activated Sludge Model No.1 (see [Henze et al., 1987, Lindberg, 1997]). This model describes the three following biological processes: removal of organic matter, nitrification, and denitrification. The considered process is an ideally mixed bioreactor with three components, which can be described by the following differential equations:
dS~ dt
V
@~S~ V
Qo~tXD + #(Ss)XD V
*
(K~+x2)2
1 #x2 Y K~+x2
•
1-Y
#x2
Y
K~+x2
b
1-Y
Y
0
0 #Ksxl
•
(K~+x2) 2
-
(25)-
We see that the partial derivatives ~of 1 and of 2 do not satisfy the s i g n - s y m m e t r y condition. Now one has to determine, which one has the "right" sign. The remaining elements of the Jacobian matrix satisfy conditions (3) and (4). The corresponding variables are s13 = 1, s23 = 1. Then, from (22) s12 = 0. This means t h a t both oA and 0/2 must be nonnegative. The easiest way to change the sign of ~of 2 is to use the control u2, because it does not enter the remaining equations. Considering the control u2 as a function of the state variables, u~ = u~(x), we c~n rewrite the Jacobian (25) ~s:
bXb
1 Q°~S~ ~(S~)Xb
"
(24)
The Jacobian matrix has the following form
Df
@~Xb.m
i
. 1 _
Dx
dt
Qout -
U3U4 Qout 1-Y V V x3 - - - ~ - - p ( x 2 ) x z - bxl.
23 -
5.1 Example
dXb
~ out V x l + # ( x 2 ) x l - bxl
V
dSo Qin So.in dt - ~
Qout So V
1 Y
y
Df
bXb (23) where X b , S s and So represent the concentrations of biomass, soluble substrate and dissolved oxygen in the reactor. Xb.m, Ss.m and So.i~ are the influent concentrations of biomass, soluble substrate and dissolved oxygen, p(Ss) is the specific growth rate of the biomass. It is described by Monod's equation, #Ss
~(s~)
#(Ss)XD
z
Dx ~Ksxl (K~ +x2) 2
*
V
Oxl
Y Ks+x2
1-Y px2 Y Ks+X2
b
0
V
Ox3
1-Y #Ksxl Y (Ks+X2) 2
Hence, the control u2(x) has to be chosen to satisfy the following conditions:
Ks + Ss'
3 I n t e r n a t i o n a l Association for W a t e r Quality.
400
0u2
V
U~i (~) ->- tt 4 Y K 0u2 Ox3 (x) < O,
#x2
M. Henze, C.P.L. Grady, W. Gujer, G.v.R Marais, and T. Matsuo. Activated sludge model No.1. IAWPRC Scientific and technical reports, No.1. International Association on Water Pollution Research and Control, IAWPRC, London, 1987. X.D. Koutsoukos and P.J. Antsaklis. Safety and reachability of piecewise linear hybrid dynami. cal systems based on discrete abstractions. Discrete Event Dynamic Systems, 13(3):203- 243, July 2003. E.S. Lemch and P.E. Caines. Hybrid partition machines with disturbances: hierarchical control via partition machines. In Proceedings of the
(26)
s -}-3; 2
(27)
Vx c R3>o, u4 # O. Conditions (26), (27) define a family of control laws. In particular, a control law can be chosen as ~(.) V#
- ~***,
,
where cl ~y-, U4 m i n t t 4 . Thus, the system can be rendered monotone by a simple linear feedback. Moreover, it turns out, that the monotonisation procedure does not require the measurement of all state variables.
38th IEEE Conference on Decision and Control, volume 5, pages 4909 - 4914, 1999. C.-F. Lindberg. Control and estimation strategies applied to the activated sludge process. P hD thesis, Uppsala University, 1997. T. Moor and J. Raisch. Abstraction based supervisory controller synthesis for high order monotone continuous systems. In S. Engell, G. Frehse, and E. Schnieder, editors, Modelling, Analysis, and Design of Hybrid Systems, LNCIS 279, pages 2 4 7 - 265. Springer-Verlag, 2002. T. Moor and J. Raisch. Supervisory control of bybrid systems within a behavioural framework. Systems ~ Control Letters, 3 8 ( 3 ) : 1 5 7 - 166, October 1999. Hal L. Smith. Monotone dynamical systems: an
6. CONCLUSION We discussed the question how the concept of monotonicity can be used in the context of hybrid systems. We provided a simple and efficient algorithm to check whether an arbitrary continuous system is monotone with respect to some (a priori unknown) partial order relation. This algorithm was extended to the case of control systems. It was also shown how to enforce monotonicity with the help of feedback. The developed semiformal approach was illustrated by an example. We considered a nonlinear model of an ideally mixed bioreactor and showed that this system can be rendered monotone by a very simple linear feedback.
introduction to the theory of competitive and cooperative systems, volume 41 of Mathematical surveys and monographs. American Mathematical Society, Providence, RI, 1995.
7. A C K N O W L E D G E M E N T S The authors gratefully acknowledge helpful discussions with D. Flockerzi, MPI Magdeburg.
REFERENCES David Angeli and Eduardo D. Sontag. Monotone control systems. IEEE Transactions on Automatic Control, 48(10):1684- 1698, October 2003. A. Chutinan and B. H. Krogh. Computing approximating a u t o m a t a for a class of hybrid systerns. Mathematical and Computer Modeling of
Dynamical Systems: @ecial Issue on Discrete Event Models of Continuous @stems, 6 : 3 0 - 50, March 2000. J.E.R. Cury, B.H. Krogh, and T. Niinomi. Synthesis of supervisory controllers for hybrid systerns based on approximating automata. IEEE Transactions on Automatic Control, 43(4):564 568, April 1998.
401
Copyright © Analysis and Design of Hybrid Systems Alghero, Italy 2006
ELSEVIER
IFAC PUBLICATIONS
HYBRID SYSTEM CONTROL USING AN ON-LINE DISCRETE EVENT SUPERVISORY STRATEGY J a m e s M i l l a n * , Siu O ' Y o u n g * * .
* Institute for Ocean Technology, National Research Council, St.John's, NL, Canada ** Memorial University of Newfoundland, St.John's, NL, Canada
Abstract: This paper describes a technique for synthesizing controllers for hybrid plants. Our modeling framework allows for the e~cient online construction of limited lookahead discrete abstractions of the nonlinear continuous dynamics of the plant model. Discrete event supervisory controller synthesis techniques are used to construct a controller based on a DES specification and the abstracted plant model. The controller is advanced in a moving horizon approach. The modeling framework, synthesis techniques and the on-line computational strategy are discussed. A simple illustrative example is presented in detail and a realistic industrial application is outlined. Copyright © 2006 IFAC Keywords: Discrete-Event Systems, Control, Hybrid Systems, On, line Control, Supervisory Control
1. INTRO D UCTIO N
cal dynamical (MLD) hybrid systems in discrete time is available (Torrisi and Bemporad 2004). In the case of simulation tools such as MATLAB Stateflow. the controller design is tested under a variety of conditions to evaluate its safety and correctness. Due to the ad-hoc choice of the test conditions, this technique may miss the particular combination of conditions that leads to design failure. With hybrid verification tools, the computational burden of an exhaustive reachability requires the use of simplified continuous dynamical models. Due to these limitations, the ad-hoc simulation technique is the accepted industry solution, which leaves two problems unsolved: How does the designer take a specification and produce the design? And, how can the resulting design be verified to be correct?
Theoretical developments in the area of hybrid system control have yet to lead to the widespread solution of any practical industrial problems. While hybrid system modeling is recognized clearly as being central to future control development. the intractability of computations, coupled with a steep learning curve for control system designers, have acted as a barrier to the adoption of hybrid system theory by industry. A variety of software tools are available for both hybrid system analysis and verification such as HyTech (T.A.Henzinger et al. 1997), and CheckMate (Chutinan and Krogh 2003). In verification problems, the controller is assumed to be given. Thus. the controller synthesis is a manual process that relies upon the domain knowledge and intuition of the designer. A MATLAB toolbox for simulation and control synthesis for mixed logi-
This work a t t e m p t s to answer both of these questions, by seeking a solution that is familiar to system designers, automates the controller synthesis,
402
and verifies the resulting controller design. The approach is to harness the power of industrially proven system modeling (simulation tools). The nonlinear continuous models are wrapped in a discrete abstraction layer t h a t is based on event detection. The discrete abstraction combined with a DES specification in a limited horizon reachability computation, produces a discrete event (DE) controller that is. within this limited space and time. locally safe. Furthermore. a reduction in computational complexity is achieved by exploiting a lazy (just-in-time) synchronous composition of the specification and plant models at design time. This scheme is implemented as an online computation, in order for the controller operation to be extended into an infinite time horizon. Limited lookahead (LL) supervisory control has been extensively studied in a DES setting by (Chung et al. 1992). In (Raisch and O'Young 1998), discrete abstractions based on the truncated time history of discrete-time LTI continuous models were used to synthesize DES supervisory controllers. Others, (Su et al. 2003) and (Abdelwahed et al. 2005), have also used discrete abstractions of switched continuous systems in a LL framework to effect control over hybrid systems. Similar to our work is (Stursberg 2004), in which the nonlinear continuous dynamics are retained as embedded simulations, and a graph search algorithm has been described for optimal hybrid control. Our approach differs in that we do not limit switching to discrete time intervals and controller graph pruning is done in a maximally permissive sense with respect to safety as is commonly done in optimal DES supervisory control (Ramadge and W o n h a m 1987). Although the discrete event controller size is exponential in lookahead horizon, our computational approach can significantly reduce the complexity of computing a controller, provided that the specification is sufficiently restrictive, since m a n y trajectories are eliminated during the reachability sweep. On the other hand. an overly restrictive specification may lead to the failure of the online synthesis to find a suitable control solution within the lookahead horizon. This paper is organized as follows: section 2 develops the continuous system modeling and the associated discrete event abstraction technique; section 3 develops a switched continuous model t h a t provides a means of switching between abstractions of continuous model simulations; section 4 develops controller synthesis in this hybrid framework: and finally in section 5 presents an illustrative controller design process.
2. C O N T I N U O U S S Y S T E M A B S T R A C T I O N It is desirable to utilize a natural and expressive continuous modeling framework, overlaying it with a discrete event, i n p u t / o u t p u t (I/O) interface. This approach has been adopted by (Koutsoukos et al. 2000). For now, we will consider the o u t p u t aspects of the interface, or the conversion of the continuous dynamics to t h a t of discrete event dynamics. Let the continuous dynamics of a system be described by a nonlinear ordinary differential equation (ODE), 2(t) = f ( x , t) (1) For now, the dynamics described by equation 1 will serve as a placeholder for the complex continuous dynamics t h a t may be produced by industrial/commercial simulation packages. A solution x of t h e system modeled by equation 1 on a time interval [to, tl] and for some initial condition is a solution to an initial value problem (IVP). We now define the continuous system model with abstraction framework, as follows:
Definition 1. Let a continuous system model (CSM), s, be defined as a triple s - (f, ~ , x 0 ) , where: f is a Lipschitz-continuous ordinary differential equation, 2 - f ( x , t ) , is a finite set of partitioning functionals, {Fi • R n ~ R, 1 _< i_< N}, where each Fi is a continuously differentiable functional, x0 is the initial condition, x(to). The set of functionals ~, establishes an equivalency, for x l, x2 c N n •
x l ~ px2 ~
s i g n ( F i ( x l ) ) × s i g n ( F i ( x 2 ) ) = 1,
I
x = a~/~=
{% c R ~}
A state transition occurs when a continuous trajectory of the CSM crosses the hypersurface H ( F ) = {x c N n : F ( x ) = 0}, t h a t lies between adjacent regions. For example, a trajectory x on the time interval [t0,tl], such t h a t x(to) c Q1 and x(t~) c Q2, the state transition from Q~ to Q2 is notationally indicated as Q~ ~,~ Q2. The CSM communicates with outside discrete event processes via o u t p u t events cr C Eo~t t h a t are uniquely associated with these state transitions. Note t h a t the transition direction is important, t h a t is Q1 ~ Q2 ¢ Q2 ~ Q1. For any CSM s~, it can be shown t h a t a unique trajectory xi exists for a finite time interval and t h a t this trajectory will generate a finite n u m b e r of o u t p u t events.
403
3. S W I T C H E D C O N T I N U O U S M O D E L In (Koutsoukos et al. 2000), input symbols to the continuous abstraction are translated into actuator actions, or sampled inputs (similar to a D / A converter). In this work, we have chosen to have each input event cri C E~n map to the selection (or choice) of a CSM si from a set of available continuous system models 5 . Thus, control is achieved by switching a m o n g s t a set of continuous systems t h a t represent either different operating modes of a system or different systems (hot swapping). D e f i n i t i o n 2. Let a switched continuous model
(SCM) be defined as an automaton-like triple G = ( 5 , F, so), where: 5 is an infinite set of CSMs each with its own discrete abstraction, as in definition 1, F is the enabled system function, which embodies an implementation specific selection mechanism. Let s' C 5 be the currently selected model, and let A - {a c 5 ' 1_< a < oc} be the set of non-empty finite subsets of 5 , then F • 5 - - ~ A. so is the initial continuous system model,
{so }
ff to
to + 6t
ff to + At
to + kAt
Fig. 1. Reachable continuous system models.
3.1 S C M E x e c u t i o n
3.2 P r e d i c t i o n
An e x e c u t i o n v of a SCM is a set of sequentially selected CSM, v { 8 o , 8 1 , . . . 8 a . . . } starting with the initial model so. The point in the execution at which the execution changes from one system to another is known as a choice point. The term choice refers to the ability of the controller at this point to influence the future dynamics of the systetn, by the selection of the next CSM. In this framework, the choice points occur on some predictable (not necessarily regular) timed schedule, t h a t is governed by a universal timebase. These choice points will be associated with the t i c k (output) event. Additionally, choice points occur whenever an o u t p u t event is generated by a CSM. so t h a t the controller is able to respond asynchronously to modeled events as they occur. Note t h a t this theoretical modeling framework of the SCM allows both time and state-dependent switching. Because each CSM si has its own partitioning set 9i. and dynamics fi, in the most general case, then our framework admits both partitioning and dynamics changes within a region, due to time dependent switching. This is analogous to the operation of industrial control systems in which a synchronous control cycle is a u g m e n t e d by interrupt-driven control.
Predicting the future execution of an SCM G ( 5 , F, so) consists of extending simulations (solutions) for each of the continuous system models, creating new choice points, and again extending the simulations. Thus, the set of future enabled CSMs SR, can be c o m p u t e d in either a depth or breadth-first teachability. This is the set of CSMs reachable from so, or the set of all future executions v of G t h a t originate with so (figure 1). The choice points are identified by the nodes of the graph and the edges are the selected continuous system models. To ensure finiteness of set SR, it is computed for a limited time lookahead, which can be measured by an integer number p, p # ~ , of t i c k events. Also, the number of choices (branches at any choice point) is finite and is bounded above by r defined as the maxin:mm F(si) , Vsi. If the n u m b e r of asynchronous events within one t i c k is b o u n d e d above by q, 1 G q < oc, (a non-zeno condition on the execution) then it can be shown t h a t SR is finite and has bounds as follows: rpq+ l _ 1 pq+l<
8R < -
404
r - 1
r> '
1
(2)
3.3 Discrete Event Equivalent
~.1 Control
The set of si C SR uniquely and concisely describes b o t h the future continuous and discrete event dynamics of the SCM in dense time. Thus, the SCM is capable of generating a language (with timing) t h a t consists of a finite number of finite length strings. Examining figure 1, at any choice point, there are a finite number of choices of CSM. Each choice (or branch) corresponds to a continuous simulation with event detection and each simulation has an associated discrete event equivalent transition defined as follows.
The previous section (3.3) outlined how a limited horizon DE representation of the SCM dynamics can be constructed. Let P be a switched continuous model of a plant. And at any point in time and space, there exists a LL plant language where each string u~ c L(P) is a discrete abstraction of a possible controlled execution in the future (out to some lookahead horizon). The decision of which execution to use must be made based on our knowledge of the plant dynamics represented by this LL model language. A specification can be used to partially implement this decision. Let S be a DE a u t o m a t o n model of a specification, such t h a t K = L(S), the legal language. From a DES perspective, we wish to remove from L(P) any strings t h a t may carry the system to an illegal state. In its simplest form, this can be achieved by taking the reachable part of synchronous product of the plant and specification, P II S. Then, by ensuring t h a t only strings t h a t can carry the system to the LL horizon remain in L ( P [i S), we are left with a nonblocking controller. This problem was studied extensively by (Chung et al. 1992).
Definition 3. Let G = ( 5 , F, so) be a SCM and let s~ c 5 , Sa = ( f , ~ , x o ) be a CSM. Let x~ C R n be a solution to the IVP posed by s~ on a time interval t c [t0,tl) then let the DE equivalent transition be ~-~ = (q0,cr~,cr/~, ql). Where q0 = (x~(to),to),ql = (x~(tl),tl) C R n × IR are timed continuous states, the endpoints of the solution x~, and cr~ C Ein and cr~ c Eo~t are discrete events. The input event cr~ is the selection mechanism or guard event for the transition. T h e o u t p u t event crZ occurs as a result of the transition of the continuous solution into another state. (crossing a hypersurface), or as a result of reaching the end of the designated simulation time interval, At, in which case the o u t p u t event is t i c k . Thus, the input event can be seen as initiating the occurfence of the o u t p u t event. The set of transitions Ta, corresponding to the set of reachable CSMs SR, forms a DE transition structure similar to a Mealy implementation of a finite state a u t o m a t o n . T h e transition structure TR also gives rise to a language L(G) based on the o u t p u t events of the transitions ~-i c TR. Each string ui C L(G) such t h a t p < l u i l _< pq < ~ , represents the discrete event behaviour of a particular future execution vi of the SCM out to the time horizon p a t in the future. The set TR (and likewise SR) is valid for the current state and time only, and must be recomputed ( p r o p a g a t e d ) f r o m control point to control point as the online control is exercised. Clearly, the language L(G) is also valid only for the current state and time as well.
4. C O N T R O L L E R S Y N T H E S I S Having established a framework t h a t allows the discrete abstraction of a continuous model to coexist with discrete event models, we will look at the controller synthesis including the computational model.
It should be noted t h a t there is a possibility t h a t no control solution exists, t h a t is the pruned L(P II S) = O, known as a run-time block. While this is a serious problem for an online controller, it is possible to handle it gracefully through the use of special states t h a t represent safe, but nonuseful states of the system; essentially an emergency shutdown system, which is consistent with industrial practice (Millan 2006a). If L(P II S) -~ O, then the remaining strings represent the legal traces available to the system. The choice of which particular event (or CSM) t h a t will be selected to advance the system is left to another process or a person (in the event of h u m a n in the loop control), to make the final decision. This is the nature of an underspecified system for which control must be implemented (Dietrich et al. 2002).
~.2 Complexity The philosophy of the computational and modeling framework is to compute the controller in an efficient manner, t h a t allows for real-time computation. T h e DE behaviour of a SCM on a finite lookahead horizon is finite, and so it is therefore computable. Unfortunately, the n u m b e r of states required to represent this language is bounded above by an expression t h a t is exponential in the event lookahead horizon (see equation 2). However, the number of states is bounded below by a linear expression, implying t h a t a range of poten-
405
tially sub-exponential complexity computations exist. The controller state complexity is reduced from the unconstrained plant size by the inclusion of the specification S, at design time (which is also runtime). This is because many unsafe traces are invalidated in the joint behaviour of the plant and specification due to the requirement for synchronization on common events. The extent to which the state complexity will be reduced by the inclusion of the specification is difficult to predict, since it is dependent on the plant and specification models as well as the state and time of the execution. This reduction in complexity due to the inclusion of a specification has been noted for validation of hybrid control systems (Stursberg et al. 2003).
...........................
21
...........................
20
Fig. 2. Tank control schematic, V1 and 1/2 are control valves. 5. EXAMPLES
5.1 Tank Control
The controller graph represents the set of Such a controller merely disables unsafe transitions. As was stated earlier some sort of decision mechanism is still required to choose the actual event (actuation) that will be used to send the system forward in time. We will assume that this decision mechanism is implemented by either another controller module, or possibly even a human in the loop (HIL). In any case, the system will find itself at a new state, and the controller will have to be recomputed before the next decision is taken.
In this example, a SCM will represent the model of the tank, which has predominantly continuous dynamics, and a finite state machine will model the specification. Together, the specification and plant models will be used to form a DES controller that can be propagated to enforce the desired behaviour of the tank. In figure 2, the tank has both a fill and drain pipe, which can be controlled independently. If there is turbulent flow from the tank, then the liquid level dynamics are described by the differential equation p A h - q , ~ i - q,~o, where h is the liquid level, p is the density of the liquid, and A is the cross sectional area of the tank. The liquid mass flow into the tank is q,~i. Assuming turbulent flow from the tank, and choosing appropriate values, the resulting nonlinear relation J z - q m i - ~ applies when the tank is draining . If the tank can be switched between filling only, draining only, and simultaneously filling and draining, there are three different CSM dynamics.
~.3 Encapsulation of Simulation Tools Suppose there exists a simulation tool that, given an initial condition and some parameters, produces a numerical solution for a particular systern model. Then without loss of generality, this is comparable to the ODE solver of the IVP of equation 1. Indeed• our only stipulations on the simulation tool are. given a set of parameters: a) it always produces an output (solution existence), b) the output is repeatable for the same parameters (solution uniqueness) and c) the solution is computed in less time than it takes the actual system to execute (real-time implementation). Whether the latter requirement (c) is met, hinges on the extent to which the specification limits the legal trajectories of the plant. If the simulation tool meets each of the above requirements, then with suitable wrapper functions (object methods)~ an SCM can be built around it, and an online hybrid controller is feasible.
fl" h -
q,~i, filling only
f2" J ~ - - ~ f3" h -
draining only
q~i - ~ ,
both filling and draining
Each continuous system model si C 5 will contain one of these dynamics. The family of continuous system models 5 will be infinite if the initial condition, h0 c IR is inherited from the preceding CSM. Table 1 defines a common set of partitioning functionals, shared by all CSMs, and associates a set of output events with them. The specification will be designed so that the tank fills to the overfill mark (21) after one t i c k , draining it back through the overfill 2 mark (20), again after one t i c k , repeating this cycle ad infinitum. The finite state machine that represents this specification is given in figure 3. This example was coded in HYSYNTH, and the tank was given an initial level of h = 20.
Based on the computation structure outlined here. an experimental software package that computes DE controllers for hybrid systems, called HYSYNTH has been developed. HYSYNTH was developed as a MATLAB class structure to enable developers to leverage the high-level simulation capabilities of the MATLAB environment.
406
Table 1. Functionals with related output events for the tank control example.
1012
!!!!!
10 !°
Functional Fl(h) = h - 21 F2(h) = h - 20 Fa(h) = h - 5 F4(h) = h - 4
Alarm overfill 1 overfill 2 underfill1 underfill2
Output Events 108
o f 1+, o f l o f 2 +, of 2 ufl+,ufl uf2 +, u f 2 -
106 co 104
tick 4 10 ° 10
of 2
,5
1"
12
14
16 18 Lookahead Horizon (events)
20
1
tick
Fig. 5. Comparative complexity of controller and unspecified plant model.
Fig. 3. The tank controller specification. Using an event horizon lookahead of 15 events, a controller was synthesized repeatedly, propagating the solution by simulation and random selection of controller action. The evolution of the controller structure is illustrated in figure 4(a)(c); each of the subgraphs in the figure represents the controller at successive time steps. The states are tiny dots connected by edges and the initial state of the graph, i.e. the current state of the controlled system, is indicated by the larger dot. An arrow marks the same state in (a)-(c) and is used to illustrate the growth of the graph ends as the horizon is extended. Any path from the initial state to the end of a branch is 15 events, and represents a safe nonblocking execution of the plant. The past path of the system is indicated by the light line as the initial state moves along. In (b), a choice between the upper and lower lefthand branches must be made. In (c) the lower lefthand branch has been discarded through a choice made by a runtime choice mechanism. For this example, the number of controller states varied from 51 to 231 over 40 iterations of controller synthesis. Clearly, from equation 2, without the specification, the plant would have a theoretical upper limit of over 21 million states (equation 2, r = 3 and pq = 15). In this example, the incIusion of the specification at design time has dramaticaliy reduced the computational (state)complexity of the controller. Based on the empirical results of this example, figure 5 clearly illustrates the dramatic improvement in state complexity as a function of lookahead that can be achieved. The upper line is the theoretical state size of the unconstrained plant, while the lower line is a fit through the mean of empirically derived data.
5.2 Oil Of-floading
Figure 6 illustrates a control problem that inspired the control techniques that have been developed by the authors. In the offshore oil indus-
Fig. 6. The offtoading of oil from a production vessel (at right) to a shuttle tanker (at left). try, oil is produced and stored by one vessel, and then transferred to a second vessel that takes it to shore. The goal is to encode the complex and extensive operations manual for this otItoading task as a DE specification which will be used to enforce a safe subset of operations for a HIL control. In (Milian and O'Young 2000), the authors developed a simplified version of this problem as a linear hybrid automaton and verified an ad hoc emergency shutdown controller. HYSYNTH has since been used successfully to synthesize a controller for this problem with a complex nonlinear continuous dynamics (Millan 2006b).
6. CONCLUSION In this paper a switched continuous modeling framework was described that allows generalized nonlinear continuous models to be included seamlessly in a discrete event supervisory control synthesis process. Control is effected by switching between multiple continuous models that may represent either differing operating modes of a system, control inputs or differing systems. Controller nonblocking is identified as the existence of at least one complete string (one that carries the system to the lookahead horizon) in the controller language. A significant reduction in computational complexity is achieved by the inclusion of the specification at design time. An experimental software tool (HYSYNTH) designed for the MATLAB environment, allows for a high level com-
407
(c) Fig. 4. Propagation of the controller through three updates. mand interface, coupled with the native MATLAB simulation tools.
Millan, J. P. (2006b). Online Discrete Event Control of Hybrid Systems. P hD thesis. Memorial University of Newfoundland. Expected July 2006. Millan, James and Siu O'Young (2000). Hybrid modeling of tandem dynamically positioned vessels. In: Proceedings of the 39th IEEE Conference on Decision and Control. Raisch, J. and S.D. O'Young (1998). Discrete approximation and supervisory control of continuous systems. IEEE Transactions on Autornatic Control 43(4), 569-573. Ramadge, P.J. and W.M. Wonham (1987). Supervisory control of a class of discrete event processes. S I A M Journal on Control Optimization 25(1), 206-230. Stursberg, O. (2004). A graph search algorithm for optimal control of hybrid systems. In: Proceedings of the ~3rd IEEE Conference on Decision and Control. pp. 1412-1417. Stursberg, O., A. Fehnker, Z. Han and B. H. Krogh (2003). Specification-guided analysis of hybrid systems using a hierarchy of validation methods. In: IFA C Conference on Analysis and Design of Hybrid Systems. IFAC. Su, R., S. Abdelwahed, G. Karsai and G. Biswas (2003). Discrete abstraction and supervisory control for switching systems. In: IEEE International Conference on Systems, Man, and @bernetics. Vol. 1. IEEE. pp. 415-421. T.A.Henzinger, P. Ho and H. Wong-Toi (1997). HyTech: A model checker for hybrid systerns. Software Tools for Technology Transfer 1, 110-122. Torrisi, F.D. and A. Bemporad (2004). HYSDEL - a tool for generating computational hybrid models. IEEE Transactions on Control Systerns Technology 12(2), 235-249.
Future work will consist of improving the software to allow for enhancing design flexibility and iraprovements in efficiency. As of now, the control scheme has only been tested in simulation. It would be desirable to put it to a real-world test. Future areas of particular interest are developing techniques to deal with unmodeled effects such as disturbance, and modeling errors.
REFERENCES Abdelwahed. S.. R. Su and S. Neema (2005). A feasible lookahead control for systems with finite control set. In: Proceedings of the 2005 IEEE Conference on Control Applications. IEEE. pp. 663 668. Chung, S., S. Lafortune and F. Lin (1992). Liraited lookahead policies in supervisory control of discrete event systems. IEEE Transactions on Automatic Control 37(12). 1921 1935. Chutinan. A and B. H. Krogh (2003). Computational techniques for hybrid system verification. IEEE Transactions on Automatic Control 48(1), 64 75. Dietrich. P.. R. Malik. W.M. Wonham and B.A. Brandin (2002). Implementation considerations in supervisory control. Synthesis and control of discrete event systems pp. 185-201. Koutsoukos. X.D.. P.J. Antsaklis, J.A. Stiver and M.D. Lemmon (2000). Supervisory control of hybrid systems. In: Proceedings of the IEEE. pp. 1026 1048. IEEE. Millan. J. P. (2006a). On-line supervisory control of hybrid systems using embedded sireulations. In: Proceedings of the 8th International Workshop on Discrete Event Systems WODES06.
408
Copyright © Analysis and Design of Hybrid Systems Alghero, Italy 2006
E L S EV i E R
IFAC PUBLICATIONS
NON-DETERMINISTIC REACTIVE SYSTEMS, FROM HYBRID SYSTEMS AND BEHAVIOURAL SYSTEMS PERSPECTIVES J . M . D a v o r e n * and T h o m a s M o o r * *
* Department of Electrical ~ Electronic Engineering, The University of Melbourne, VIC 3010 A U S T R A L I A ** Lehrstuhl fiir Regelungstechnik, Friedrich-Alexander- Universit5t, Erlangen, 91023 GERMANY
Abstract: A reactive system is an entity which takes as inputs signals from a certain set, and transforms them to produce as o u t p u t s signals in some further set, where a signal is modeled as a function from a time domain to a value space, and time domains are linearly ordered sets. Building on our previous work which generalizes Aubin's Evolutionary Systems model, we develop a general formulation of nondeterministic input-output reactive systems that is uniform for discrete, continuous and hybrid time, and which extends Willems' Behavioural Systems input-output model by allowing hybrid time, and by allowing different time domains for input and output signals. However, our approach differs from these existing frameworks in t h a t instead of taking as primitive signals over infinite-length time domains, we work with finite-length paths and utilize their algebraic and partial-order structure. We illustrate our framework with a generic model of event-driven A / D conversion, transforming a continuous-time input signal into a discrete-time output signal via an intermediate hybrid-time signal. Copyright © 2006 IFAC Keywords: hybrid systems, input-output systems, behavioural systems.
1. I N T R O D U C T I O N In previous work (Davoren et al., 2004), we identify and investigate a class of non-deterministic dynamical systems we call general flow systems which include discrete-time transition systems, continuous-time differential inclusions, and hybrid-time systems such as hybrid a u t o m a t a and impulse differential inclusions. Over any value space X and a (non-negative) time line L, a general flow system • maps each point x c X to the set ~(x) of all signals or paths 7 : T --+ X of the system with 7(0) - x and time domain s This research is supported by the Australian Research Council, Grant No. DP0208553.
T C L; in the non-deterministic setting, there may be none, exactly one, or many possible (I)paths starting from x. In (Davoren et al., 2004), we adapt Aubin's model of Evolutionary Systems (Aubin and Dordan, 2002; Aubin et al., 2002) to provide semantics for a temporal logic that is uniform for discrete-time, c°ntinu°us-time and hybrid-time systems. Over the hybrid time line L N x R0+ (ordered lexicographically), hybrid paths 7 • T --+ X have time domains T C L of the form T [-Jt
409
first was to work with finite-length paths having a start-point and an end-point, instead of infinite-length paths over the whole time line, as used for the usual discrete and continuous time lines in the work of Aubin, and also within the Behavioural Systems framework (Willems, 1989; Willems, 1991; Moor and Raisch, 1999). The second was to develop a theory of finite-length paths 7 : T --+ X with time-domains T C L t h a t are not simply intervals T - [0, b] but rather finite disjoint unions of intervals, with "gaps" in between. We then build up a theory of maximal extensions of finite paths to compare with signal models over u n b o u n d e d time domains. By working with finite-length paths, we also get to use monoidal and partial-order structure that is not accessible within frameworks based on infinitelength signals. In this respect, our approach is close to t h a t of (Tabuada et al., 2004). In the present paper, we develop a general formulation of non-deterministic i n p u t - o u t p u t reactive systems t h a t is uniform for discrete, continuous and hybrid time. In broad terms, a reactive system F takes as input a signal r] from a certain set, and transforms it to produce as o u t p u t one or more signals 7 c F(r]) in some further set. While such i n p u t - o u t p u t systems have been well-studied within Behavioural Systems theory (Willems, 1989; Willems, 1991) for the usual discrete or continuous time lines, t h a t framework does not extend to hybrid time or to systems where the time-line Lout for o u t p u t paths may differ from the time-line Lin for input paths. Basic examples are A / D converters transforming continuous-time signals into discrete-time signals (particularly event-driven rather t h a n fixed periodic sampling), and D / A converters transforming discrete-time signals into continuous-time signals. Our approach is also c o m m e n s u r a t e with the Tagged Signal "Models of C o m p u t a t i o n " metamodel (Lee and Sangiovanni-Vincentelli, 1998), restricted to the timed case of linearly ordered signal domains, in t h a t it provides a general framework which includes within it diverse model classes, and within which various system properties can be formulated and compared.
extended with inputs and outputs, which are not possible within this short paper. The body of t h e paper is as follows. Section 2 covers preliminaries on set-valued maps and linear orders. In Section 3, we develop some basic theory of paths with "gappy" time domains, and tersely review the theory of general flows and their infinitary extensions, enabling a first comparison in Section 4 with Aubin's Evolutionary Systems and with state behaviours in Willems' Behavioural Systems Theory. In Section 5, we develop i n p u t - o u t p u t reactive systems and some basic system properties and their inter-relationships. The main result concerns the relationship between Willems' concept of non-anticipation, which is a non-deterministic analogue of causality, and t h e system property of being extension-preserving with respect to the natural partial order of extension of finite paths (that is not available in frameworks based on signals with infinite time domains). We also including several illustrative examples, including event-driven A / D conversion. In Section 6, we compare our work with other i n p u t - o u t p u t system models. In particular, we show t h a t for the usual discrete and continuous time lines, our finite-path formulations of systern properties such as non-anticipation, input freedom, and time-invariance (suffix-closure), all have an exact correspondence with their infinite signal formulations in Willems' i n p u t - o u t p u t Behavioural Systems theory. 2. P R E L I M I N A R I E S : R E L A T I O N S / S E T - V A L U E D MAPS, MONOIDS, AND L I N E A R O R D E R S We write R0+ " - [0, ~ ) and N for the non-negative reals and natural numbers, respectively. We write r • X ~ Y to mean r • X --+ 2 Y is a set-valued map, with r(x) c_ Y for every x ¢ X (possibly r(x) = ~); equivalently, r c_ X x Y is a relation - we don't distinguish between a setvalued map and its graph. Let I X ---+ Y] " - 2 x x Y denote the set of all maps r • X -,~ Y from X to Y; it is partially ordered by the subset relation, with least element c (empty map), and closed under relational converse: for a map r • X -.~ Y, the converse r -1 • Y --~ X is given by: x c r - l ( y ) i f f y C r(x). The domain is dora(r) "- {x c X r(x) -¢ ~}, and the range is r a n ( r ) : = d o m ( r -1) ___ Y. a map r " X ~ Y is total on X if dora(r) - X. Given rl • X ~- Y and r2 ' Y ",~ Z, their sequential composition is @1 o r2)" X ~ Z, defined by @x o r 2 ) ( x ) : = {z c
In a follow-on paper, we will extend the present work with a study of compositions of inputo u t p u t reactive systems by sequential, parallel and feedback constructions, with the aim of giving an explicit set-theoretic semantics for blockdiagram based modeling and description frameworks, such as CHARON (Alur et al., 2000), t h a t allow non-determinism, hybrid signals and timetranslations. Additionally, we will give a representation within our framework of Lynch and Vandraager's hybrid I / O automata model (Lynch et al., 1996), as well as of Aubin's impulse differential inclusion hybrid model (Aubin et al., 2002),
We distinguish several sub-classes of deterministic maps. We write r • X --+ Y to m e a n r is a single-valued function t h a t is total on domain X, with values in Y, written r(x) - y (rather t h a n
410
r(x)
{y}). Let [ X --+ Y] denote the set of all r : X ~ Y. We also need partial functions, and write r : X --+ Y to mean t h a t on dora(r) c X, r is a single-valued function; let I X --+ Y] denote the set of all such maps. For partial functions, we also write r(x) - y when x ~ dora(r), and may write r(x) - UNDEY when x ~ dora(r). As sets of maps, [ X - ~ Y] c [ X - - + Y] c [X~.~ Y]. -
-
On any set X, we define a monoidal family over X to be a structure ( X , M , . , ~) where the functions : X ~ [(M x M) --+ M ] and c : X ~ M , are such that, if "x : - .(x) : ( M x M ) --+ M and cx : - c(x) ¢ M , for each x ¢ X, the following conditions are satisfied, for all m, m ~, m " ¢ M: (a) family associativity: if ( m , m ' ) ¢ dom(-z) and ( m ' , m ' ) ~ dom(.y), then (m "x m ' , m ' ) dom(.y) and (m, m' .~ m ' ) ~ dom(.x) and (-~ "x -~')"~ - < - -~ "x (-~' "~ -~") (b) right identity: if ( m , m ' ) ~ dom(.x) then (m, ~x) ~ dom(.x) and m "x ~x - m; (c) left identity: if ( m ' , m ) ~ dom(.x) then (~x, m) ~ dom(.x) and ~x "x m - m. Let (L, <. 0) be a linear order with least element 0 and no largest element, and let ~< be the reflexive closure of <. We use usual interval notation: for a,b c L, the bounded intervals in L include [~,b] : - {l c L a ~< I ~< b} ~ d (a,b):{l C L a < l < b}. The right unbounded intervals are: [a, c o ) : {1 c L I a <~ l} and
(a, co) :-- {1 C L
if i - k and G-a(i, t)"-l -- (i, t) C [a, co),
( i - [~,t)
if i > k, for all
We will also require some additional properties of time lines. A time line (L, <, 0) will be called w-compact if there exists an w-length sequence {bn}~<~ such t h a t for all n < w, b~ c L and 0 < b~ < b~+s, and L - U~<~[0, b~]. A time line (L, <, 0) is called Dedekind'complete if for every subset A c_ L such t h a t A ¢ 2~, if A has an upper b o u n d b c L such t h a t l ~ b for all l c A, then sup(A) exists in L, and likewise for lower bounds and inf's. The time lines N, R0+ and H each have b o t h these properties. 3. PATHS, G E N E R A L F L O W SYSTEMS, AND THEIR EXTENSIONS Let (L, <, 0) be a time line. We define a bounded time domain in L to be a subset T C L such t h a t T = Un<x[an, b~] with N C N +, a0 = 0, bN-1 = bT the m a x i m u m element, and an ~< bn < an+l ~ b~+s for all n < N - 1. Let BT(L) c 2 c denote the set of all b o u n d e d time domains in L,
and let B T ~ ( L ) = BT(L)U {%}. Define BI(L):= {T c BT(L) I (3b c L ) d o m ( ~ ) - [0, b]} and Ble(L) = BI(L)U {Z}. Over any set X # ~ (an arbitrary value space or signal space), define the set of L-paths in X , and the set of interval L-paths in X"
Path(L, X) -- { ? - L - - , X I dora(? ) C BT(L)}
a < l}. Given (L1,<1,01)
and (L2, <2,02), a map g : Ls --+ L2 is: • [strictly] order-preserving if (Vl, k c d o m ( g ) ) , i f l ~ < s k [if l < s k] then g(1) <~2 g(k) [then g(1) <2 g(k)]; • an order-isomorphism if g is a total function and a bijection, and b o t h g and 9 1 are strictly order-preserving.
I P a t h ( L , X ) := {?" L - - + X dora(?) c BI(L)} For ? c P a t h ( L , X ) , define b~ := bdom(G) to be the m a x i m u m of dora(?), so ?(b~) c X is the end-point and ?(0) c X the start-point of ?. Where c is the empty path, let P a t h c ( L , X ) : P a t h ( L , X ) U {c} and 79~ := 79 U {c} for p a t h sets 79 c_ Path(L, X).
We take a (future) time line to be any linear order (L, <, 0) t h a t is shift-invariant in the sense t h a t it is equipped with a family of maps {or a}~CL such t h a t ~ ° : L --+ L is the identity map, and for each a c L, cr a: [a, co) -+ L (the left a-shift) is an order-isomorphism, with inverse cr+a : ((7 a) 1: L ~ [a, co) (the right a-shift).
We utilise t h r e e operations on P a t h c ( L , X ) ; for 7, 7' c Paths(L, X), t c L and x c X, define: • restriction or prefix ending at t c dora(?): ?It c P a t h ~ ( L , X ) where
The basic examples are the discrete time line N, and the dense continuum R 0, ~ the non-negative cones of linearly ordered abelian groups under addition, Z and IR respectively. The group operation trivially gives shift-invariance: take a a(1) - l - a for 1 c [a, co), and inverse or+a(1) - l + a. The hybrid time line H • N x R~- is linearly ordered lexicographically: (i, t)
?It : = ? F[0,t]ndom(v).
• translation or suffix starting at t c dora(?): ~1~ e Pathc(g,X) where (~l~)(1) =- ~(~+~(1)) for ~Hl c dom(~l~):= ~-~([t, b~] n dom(~)). • point-concatenation at x C X: ? *x 0/ C Path, (L, X) where, for all l c L:
(? *x ?')(l):-- ?(1) if I C dora(?) and ~ ' ( 0 ) = ~ = ~(b~); (? *z ? ' ) ( 1 ) : = ?'(cr-b~ (l)) if I C cr+b~ (dora(?'))
~ d ~'(0) = ~ = ~(b~); ~ d (? *x ?')(l) := UNDE~ for all other l and x. For each x c X, the trivial path 0x : [0, 0] -+ X is given by 0x(0) := x. T h e n the map 0 : X -+ P a t h ( L , X ) given by 0(x) := 0x is an embedding (injective function) of X into P a t h ( L , X ) . For any subset of paths 79 _ Pathc(L, X), we say 79 is closed under suffixes (closed under prefixes) if
411
for all 7 ~ 79 and all t c dora(7), the p a t h tl~ ~ P
from Behavioural Systems t h e o r y (Willems, 1989; Willems, 1991), and as we shall see in examples in Section 5, we can for certain i n p u t - o u t p u t systems associate a general flow dynamical system over an i n p u t - s t a t e - o u t p u t product space.
(r~p~ctiv~y, vl~ e 7)). D ~ X v := {. e X l (?V e V) V(0) = . v V(V.~)= . } Th~ ~tr.ct.r~ (Xw, 79, ,, 0) constitutes a monoidal family over the set X p if for all 7, 7' ~ 79 and all x ~ X p , if (v, v') e aom(.x), then V .~ V' e P ~nd Ox ~ P.
Definition 3.2. Let (L, <, 0) be a time line and let X -¢ 2~ be any space. A general flow system over X with time line L is a m a p (I): X ~ Path(L, X )
For discrete time L = N, the interval p a t h set IPath~ (N, X ) = X* is the set of all finite words or sequences over X. The usual operation of wordconcatenation from a u t o m a t a and DES theory equips the set X* as a (total) monoid with identity e. Denoting it b y . , t h a t operation is definable in terms of point-concatenation as follows: for all 7, 7' ~ IPath(N, X ) = X +, we have 7 • 7' = 7 *x ('xy)*yT', where dom(uxy) = {0, 1},-xy(0) = x = ~(b~), ~na .x~(1) = v = ~'(o)
~t~fying, for ~ H . C dom(~), for ~H V ~ ~(.). and for all t C dora(7): (GF0) (GF1)
property: ~1~ c ~(~(t)); the point-concatenation property: vl~*~v' c ~ ( . ) for ~H v' c ~ ( y ) w i t h y - v ( t )
(GF2)
• (I) is non-blocking x C dom(~); • • is prefix-closed
Note t h a t for all n o n - e m p t y 7 ~ P a t h ( L , X ) and we have: e*xe = e, 7 * r e = 7, and e*~7 = 7. Hence as well as 0, functions as a monoid identity for the *x operation. The following structures are
mo~o~a~ f ~ m ~
over X: (X, P~th(r, X ) , . , 0),
for all t c dora(7), 7It = 7 ' I t and for all t' c dora(7') - d o r a ( 7 ) , t < t'; 7' = 7 *x 7" for some 7" c Path(L, X ) a n d , ~ X with 7"(0) = x and ~(~) = ~'(~) = . ~nd ~" ¢ Ox.
HPath(X) := {~ ~
for all
Definition 3.3. Let L be an w-compact time line. For any p a t h set 79 c P a t h c ( L , X ) , define the wextension of 79 , and the maximized w-extension of 79, as follows:
Now consider the hybrid time line H - N x IR0+. Define D S "- iPath~(N, IR0+) to be the set of all (finite) duration sequences. For A ~ DS, define H T ( A ) to be the hybrid time domain determined by A, and over any X ¢ ~ , define HPath~(X) c Paths(H, X ) to be the set of all hybrid paths over X, as follows:
•
Ext ~ (79) {Z3 C IL --+ X] I (3~ c [w -+ Path(L,X)]) (Vk < w ) ffk " ~(k) A "Tk 679 A ~k < 7k-I-1
A /3
U 7k
}
k<w
M~(79)
[(~, 0), (~, a~)]
i
~(x)
It is clear t h a t if a flow (I) is non-blocking, then for each x c do,~(~) and ~ c ~(~), there exists an infinite sequence of paths { % } with 70 - 7 and 7n C (I)(x) and % < % + s for all n. Motivated by this fact, we view "maximal extensions" or "completions" of paths as infinitary objects, arising as limits of infinite ordered sequences of finite b o u n d e d paths.
(i) ~ < ~';
U
7It c
Among other results (Davoren et al., 2004), it is readily, established t h a t (I) is non-blocking iff (I) is < - u n b o u n d e d . Examples of general flow systems include state transition systems over L IN, differential inclusions over L - IR~-, and hybrid a u t o m a t a and impulse differential inclusions over L H. Any p a t h set 79 c P a t h ( L , X ) t h a t is monoidal and suffix-closed determines a general flow system.
Proposition 2.1. Let L be any time line, and X any value space. T h e n for all 7, 7' c Path(L, X ) , the following are equivalent:
HT(~) . -
if
{Ox} for all
p a t h set ~ ( x ) is linearly-ordered by <. • • is <-unbounded if for all x c d o m ( ~ ) and 7 c ~(x), there exists 7' c ~ ( x ) such t h a t 7 < 7'.
The point-concatenation operation is usefully related to the notion of extensions of paths which continue from the end value of a given path. Define a partial order on Pathc (L, X ) from the subset relation and the underlying linear order on L; (re-using notation) we define: 7 < 7' iff 7 C 7' and t < t' for all t c dora(7) and for all t' 6 d o r a ( 7 ' ) - dora(7), in which case we say 7' is a proper extension of 7. As usual, 7 E 7' iff either 7 < 7 ' o r 7 = 7 ~.
(iii)
if (I)(x) #
c a o ~ ( ~ ) , v c ~ ( . ) ~ a t c ao~(v); • • is deterministic if for every x c d o m ( ~ ) , the
(X, Pathe(L, X ) , ,, ~), (X, I P a t h ( L , X ) , ,, 0) and (X, IP at h~ (L, X ) , ,, ~).
(ii)
the initialization property: 7 ( 0 ) - x; the time-invariance or suffix-closure
: - { 9 c E×t ~ (7~)
}
(V~ c 7~) 9 ~ "y }
Define EPath ~(L, X ) "
Ext'( Pathc(L, X ) ), and EIPath ~ (L, X ) : - Ext'( IPath~(L, X ) ).
Path(H,X) I dom(~) ~ HT}
The a - e x t e n s i o n Ext ~:(79) contains all the partial functions ~" L - - + X t h a t arise as the limit of an
General flow systems are dynamical systems over a state space or signal value space. As expected
412
w-length strictly extending sequence of paths in 79. The maximised w-extension M~(79) throws out from Ext ~ (79)all limit paths fl t h a t are properly extended by some finite-length path 7 in 79. (The path extension partial ordering on bounded paths straightforwardly lifts to limit paths.)
Definition 3.~. Let L be an w-compact time line. Given a general flow system (I): X ~,~ Path(L, X), define the maximised w-extension M~(I): X ~,~ EPath~:(L,X) by (M~(I))(x):-- M~((I)(x)) for all x ~ d o m ( ~ ) . A flow (I) will be called: • w-extendible if for all x ~ dora(d2) and 7 ~ (I)(x), there exists c~ c (M~(I))(x) such that 7 < c~. • w-full if for all x ~ d o m ( ~ ) and ~3 ~ Ext~((I)(x)), there exists c~ ~ (M~(I))(x) such that ~3 ~< c~. In general, dom(M~(P) c dora(02), and we have dom(M~(P) - dom((P) iff (I) is w-extendible.
Proposition 3.5. Given a general flow system (I)- X ~-+ Path(L, X ) over any time line L, iff
(I) is w-extendible (I) is < - u n b o u n d e d and w-full.
For L -- N, all limit paths z3 c ElPath~(N, X ) have infinite time domain, so ( M ~ ) ( z ) - Ext~((I)(z)) for any non-blocking (I). For L - H and wextendible ~, limit paths c~ c ran(M~(I )) include those with time domains dom(c~) - U~<~{n} x E0, A~], as well as those with dom(c~) - To U ( {i} x [0, d) ) for some To e BT(]I-]I) and (i, 0) >]ex
bTo and d c R~ U {~}. 4. C O M P A R I S O N W I T H E V O L U T I O N A R Y AND B E H A V I O U R A L SYSTEM MODELS Aubin's evolutionary system's (Aubin and Dordan, 2002) are over the usual time lines L R~or L - N, and consist of a map • : X ~-+ EL --+ x ] , with extended whole line paths ~3 : L ~ X, where • is closed under the operations of translation/suffix and point-concatenation, analogous to In Willems' Behavioural Systems theory (Willems, 1989; Willems, 1991), a dynamical system is a structure E (L, X, %) where L c R is the time line, X is the signal space, and ~B c [L --+ X] is the behaviour. A behaviour ~3 is called time invariant if for all I3- L ~ X and all t ¢ L, if fl c ~B then the t-translation/suffix rid c ~ ; and is called a state behaviour if for all t c L and for all/3, ~' c ~B, if x - / 3 ( t ) z3'(t) then the pointconcatenation (fl t ) * x (t fl') c ~ . A behaviour q3 is called complete if for all 3 • L --+ X, if [ (Va, b c L) fl [[a,b]C ~r[a,b] ] then /3 C ~3 ( - and note that the reverse implication is trivially true).
iff iff
$ is an Aubin evolutionary system; ~3 is a time-invariant and complete state behaviour in the sense of Willems; there exists an w-extendible interval path general flow system (I): X ~ IPath(L, X ) such t h a t $ = M~(I) and ~ = ran(M~(I)).
5. I N P U T - O U T P U T R E A C T I V E SYSTEMS To allow that the time-line Lout for output paths may differ from the time-line Lin for input paths, we need to use at least order-preserving partial functions r : Lout --+ Lin which do a time translation by looking in reverse, starting from a "now" instant t c dora(7 ) c Lout in an output path 7, and asking at what time r(t) c dom(r]) c Lin is the corresponding "now" time point in the input path r] which generates 7 among its output.
Definition 5.1. Let Lin and Lout be time-lines, and let U, Y be any non-empty sets. Define TT(Lout, Lin) := { r 6 Path(Lout, Lin) I preserving A r(Oout) = Oin A r a n ( r ) 6 BT(Lin) }
A reactive system is any map P of type F: Pathc (Lin, U) (Pathc(Lout, Y ) x TTc(Lout,Lin)) such that for all inputs r/ c dora(F), and for all outputs (T, r) 6 V(~), we have r a n ( r ) C dom(fi)
and dora(r) = dom(7 ). A reactive system F will be called: • time-homogeneous if: Lout = Lin = L, and (V~ c dom(V))(V(7, r) c r(r])), dom(~) = dom(~) and r is the identity function restricted to dora(7), in which case we t r e a t F as a map of type r : Path(L, U ) ~ Path(L, Y); • [strictly] extension-preserving if:
(V, c dom(r))(V,' c dora(P)), if fl ~ rl' [if rl < rl' ] then (V(7, r) e C(r])(3(7', r ' ) e C(r]'))such that r4r' and 7 4 7 ' [r
(V, e dom(r))(V(~, r) e r(,))(vt e dora(V)), (3r' 6 TT(Lout, Lin)), such that
• prefix-closed if: the path set dora(F) is prefixclosed, and (Vr/E dom(F))(V(7, r) c F(r/)) (Vt c dora(7)), (7It, t i t ) c • non-anticipating (the output has a non-anticipatory dependence on the input) if: (Vr], r]' c d o m ( r ) ) ( V s c dom(r])N dom(r]')) if rl[s = r/Is
th~ Theorem ~.1. Let the time line be either L - N or L - R ; , and X -¢ 2~. Let $" X ~-+ [L -+ X] and let ~3 c [L --* X]. Then:
(v(v, ~ ) e r(,))(3(v', ~') e r(,')) (Vt C dom(7 ) • dora(7')) if r ( t ) ~ s
th¢~ ~I~ = ~'I~ ~ d vl~ = v'l~; • strictly non-anticipating if:
413
Before discussing some examples of reactive systems, we first apply w-extension constructions to the input-output setting.
(v~, ~' c d o m ( r ) ) ( w c dom(~) n dora(#)) if
Ds - [0, s) ~ dora(r/) - [0, s) rq dora(r/) and ~1 los-- rl' los
Definition 5.3. Given a reactive system F with time lines Lin and Lout both w-compact, define the w-extension of F to be the map Ext~F: EPath ~°(Lin , U) " - - + EPath a (Lout, Y x Lin ) such that: (Ext~V) (ct)
(Vt ~ dora(7)rq dora(7')) if r ( t ) <. S t~ ~1~ - ~'1~ ~ d ~1~ - ~'1~; • input-time-unbounded if: for every input path
r/ ¢ dora(F), there exists an c~ ~ M ~ ( d o m ( r ) ) such that f/ < o~ and the time domain dom(c~) is an unbounded set in Lin; • totally free in input if: dora(F) - Path~(Lin, U); i.e. F is total as a map; • monoidal if: (a) (Uz~, D, ,, 0) and (Yn, n , ,, 0) are both monoidal families, where D : - dora(F) and n : - try(ran(F)); and (b) (Vr/, r / ~ dora(F)) (Vu ~ Uz)) if rl(b,~) - u -- rl' (0) then (V(7, r) F(r/)), ( V ( 7 ' , r ' ) ~ V(r/)), if 7(b~) - 7'(0), then (7", r " ) ~ F(r/,~r/), where 7" - 7"v7', Y - 7(b~), r " -- r *t (r' ocr +t) and t - b~.
:= { (~, v) C Ext'(ran(F)) I (3ff C [w --+ Path(Lin, U)]) (3 (T, ~) C Ew --+ Path (Lout, Y x Lin)] )
(vk < ~) ~k := ~(k) A vk := T(k) A % :=~(k) A ,/~
A r/k C d o m ( F ) A (%, %) CC(r/k)
< T]/c+z k<w
A
(Tk, Tk) k<w
<
(7k+l, r/~+l)
A
k<w
for all ct e d o m ( E x t ~ F ) : = Ext'(dora(F)).
Given any non-empty set X, a map $ will be called a parameterized reactive system if it is of type $ : (X x Path~(Lin, U)) ~-* (Paths(Lout, l/) x TTc(Lout, Lin)), and for all (x,r/) c dora(9), and for all (7, r ) C 9(x,r/), r a n ( r ) C dora(r/) and dora(r) - dora(7). Most of these properties of reactive systems can be simply extended to parameterized reactive systems by substituting quantification over r/ c dora(F) with (x,r/) c dora(9), and substituting (7, r) C F(r/) with
In defining the m a z i m i z e d co-eztension M~F of a reactive system F, we want to restrict to limit input paths c~ c dom(Ex
(v, ~) c ~(x, ~). In (Willems, 1989; Willems, 1991), over the discrete and the continuous time lines, the nonanticipating property for input-output behaviours is proposed as the non-deterministic analogue of the causality property in deterministic systems. Our first major result is that, under the assumption of prefix-closure, the properties of being nonanticipating and of being extension-preserving are equivalent.
Note, however, that on the output side, we will not be assuming that all resulting limit output paths must be time-unbounded; rather, we will identify that condition into a system property of outputtime-u nbou ndedness. Definition 5.~. Let L be an w-compact time line, and let X ~ ~ be any value space. For any path set 7~ c_ Pathc(L,X), define the timeunbounded m a x i m i z e d w-extension of P to be the limit path set TM ~ (P), with TM w(P) c_ Mw(p) c_ Ext w (79) c_ EPath ~°(L, X ) , defined by: T M ~ ( P ) "- {~ c M~(P) (Mr c L) (qs C dora(a)) s > t}
Theorem 5.2. Let F : Pathc(Lin, U ) - ~ (Paths(Lout,Y) x TT~(Lout, Lin)) be a reactive system, where the time lines Lin and Lout are cocompact and Dedekind-complete. (1.) If F is strictly non-anticipating, then F is non-anticipating. (2.) If F is strictly extension-preserving, then F is extension-preserving (3.) If F is extension-preserving and prefix-closed, then F is non-anticipating. (4.) If F is non-anticipating, then F is extensionpreserving. From (3.) and (4.), if F is prefix-closed, then P is extension-preserving iff F is non-anticipating. (5.) If F is monoidal and sufl3x-closed, then P is strictly extension-preserving. (6.) If F is totally free in input, then F is inputtime-unbounded.
So the limit path set TMW(P) is that subset of M~(P) obtained by throwing away all limit paths a where the time domain dora(a) is a bounded subset of L. We shall require time-unbounded maximized extensions on the input side. Definition 5.5. Given a reactive system F with ~-compact time lines Lin and Lout, define the m a x i m i z e d cz-extension of F to be the map M~F of type:
M~F : EPath~°(Lin, U) ~
EPath ~ (Lout, Y x Lin)
such t h a t dom(MWF) := TM~(dom(F)), and (M~V)(e) := (Ext~V)(~) for all ~ c dom(M~V).
414
A reactive system F will be called: • w-responsive if it is input-time-unbounded and (Vr/~ dom(r))(Vc~ ~ d o m ( M ~ r ) ) , if rl < ct then (V('7, r) ~ F(r/))(q(#,v) C (M~F)(c~)) such that ('7, r) < (/3, v) • output-time-unbounded if every limit output path has an unbounded time domain, which means r a n ( M ~ F ) - T M ~ ( r a n ( r ) ) . The following theorem gives a first characterisation of the co-responsiveness property.
Theorem 5.6. For any reactive system F, (7.) F is w-responsive iT F is strictly extensionpreserving and input-time-unbounded. (8.) If F is monoidal, suffix-closed and input-timeunbounded, then F is w-responsive. Example 5.7. A state machine is a structure $ (X, U, Y, UpDt) with state set X, input set U, output set Y, and UpDt : ( X x U) ~.+ ( X x Y) the s t a t e / o u t p u t update map; equivalently, $ is a non-deterministic Mealy machine. Associate with $ three maps on interval paths over L - N. The first map is the full input-state-output map ~ s : (U x X x Y) ~-+ IPath(N, U x X x Y) with:
~s(u,x,y) •
{ (r/,{,7) c IPath(N, U x X x Y)[ u--r](O)
A x--~(0)
A y--'7(0)
A
(Vi < b,7) (((i + 1),'7(i)) c UpDt(~(i),rl(i)) i (3z' c X ) ( x ' , ' 7 ( b v ) ) c UpDt({(b,~),rl(bv) ) } It is readily seen that (I)s is a prefix-closed genera] flow system and that (I)s is non-blocking (and czextendible) iff the map UpDt is total. We can then define two reactive systems from the flow (I)s via projections. First, the input-state system: an parameterized time-homogeneous reactive system ~ s : (X x IPath (N, U) ) ~-+ IPath(N,X) and second, the (external behaviour) input-output system: a time-homogeneous reactive system Fs : IPath(N, U) ~+ IPath(N, Y) transforming input-paths into output-paths. These two maps are defined as follows: • s(x,r/) : - {{ c IPath(N,X) [ (3"7 c IPath(N,Y))
]R~, U -- IRm, Y -- IRP, b/ c_ I P a t h ( R ~ , U ) i s a set of input paths, and the maps F ' ( X x U) ~ IRn and C • (X x U) ~ Y are subject to regularity assumptions to guarantee existence of solutions without finite escape time (Aubin et al., 2002). The resulting solution map Solz~z • (X x H) ~ IPath (R+ , X) is an initialized time-homogeneous reactive system which is suffix-closed, prefix-closed and strictly nonanticipating. The time-homogeneous external I/O map Pz~z • IPath( R+0 , g ) ~ + IPath(R +, Y) also incorporates the G output constraint, and is suffixclosed, prefix-closed, and non-anticipating. These two maps can be combined to define the inputstate-output general flow @>z " (U x X x Y) ~,~ IPath(R~, g x X x Y). As our basic example of differing time lines, consider analog-to-digital conversion based on eventdriven sampling rather than fixed periodic sampiing.
Example 5.9. Let Y c_ R ~ be a continuous measurement space, and the input signals will be continuous-time interval paths r/ C IPath(R0+, Y). Let Z ~ ~ be a finite set of event symbols, and let A " Z ~ Y be any total map from Z to Y which associates with each event symbol z C Z a nonempty subset A(z) c_ Y of measurement values y which trigger the event symbol z. We require A(z) 0 A ( z ' ) ¢ ~ for some z -7! z', as it is in these overlap regions (e.g, common boundaries) that the discrete event output signal '7 c IPath(N, Z) can switch from value z to value z' (or vice-versa). We define reactive systems AnlnA and Dig0utA: A n l n a ' IPath(R +, Y) (HPath(Z x Y) x T T ( H , R0+)) Dig0utA: HPath(Z x Y) (IPath(N, Z) x T T ( N , H ) ) with AnlnA(r/)
•= { ((,e) c HPath(Z x Y) x TT(H, Ro+) ran(P) C_ dom(r/) A d o m ( ¢ ) - dom({) A
(v(i, t) c dom(~)) ( ~(i, t ) - ~ + E j < ~ j where A - ds(() A 7rye(i, t) = r](¢(i, t)) )
(~, ~, ~) ~ cs(~(o), ~, ~(o)) }
A (V{ < d~(~))(3~ c z)(vt c [0, a~])
Fs(~7) : - {'7 ~ IPath(N, Y) I (q~ ~ IPath(N,X))
(~, ~, v) ~ +s(,~(o), ~(0), v(0)) } In particular, (x,r~) c d o m ( ~ s ) iT (x,r/(0)) dom(UpDt), and d o m ( r s ) - 7ru(dom(~s)). Observe also that ~ s and Fs are both suffix-closed and prefix-closed, and if the map UpDt is total, then both ~ s and Ps are monoidal, extensionpreserving, non-anticipating, totally free in input, w-responsive and output-time-unbounded.
Example 5.8. Over continuous time, an inputstate-output system of differential inclusions is a structure DZ - (X, U, Y, g/, F, G) where X
}
7 r z { ( i , t ) - z~ A ~7(¢(i,t))C A(zi)
DigOutA({) •= { ('7, e) C IPath(N, Z) x T T ( N , H ) ran(e) C dom(~C) A d o m ( e ) = dom('7)A length(7 ) = dl(~) A (Vk C dora('7))
~(k)
-
(k, 0)
A
v(k)
-
~,~(~(k))
}
Applied to a real-time input path r/with values in Y, the map Anlna will produce as output hybrid paths { over the product space X = Z x Y, where the Y-projection Try{ reproduces the input r/ on the hybrid o u t p u t time line, in the sense
415
discrete, continuous and hybrid time, and that allows for the time line of output paths to differ from that of input paths. The work is intended as a first installment of a larger project on the study of compositions of input-output reactive systems by sequential, parallel and feedback constructions, with the aim of providing explicit settheoretic semantics for non-deterministic dynamics and for time-translations within block-diagram based modeling and description frameworks such as CHARON (Alur et al., 2000), among others.
that 7rye -- ¢ o r], and the time translation ¢ • dora({) --+ dora(r/) maps a hybrid time point (i, t) back to ¢(i,t), the (real.valued)total duration of the hybrid path { to this point. The further constraint on { is that the Z-projection 7rz{ is constant with some value z~ for all positions (i, t) between ( i , 0 ) a n d (i, Ai), and (¢orl)(i,t) c A(zi). This means for each i < dl({), the input path remains continuously within the region A(z~) c_ Y for all times s c dora(r/) such that r(i, O) ~ s T({, Ai) , and r/(s) c A(zi)F]A(zi+l) at a switching time s - r(i, Ai) - r(i + 1, 0). The second map DigOut A takes as input hybrid paths c with values in X - Z x Y and returns as output a discretetime path 7 with values in Z obtained from ~ by simply projecting on to discrete time and discrete values in Z.
REFERENCES Alur, R., R. Grosu, Y. Hur, V. Kumar and I. Lee (2000). Modular specifications of hybrid systems in CHARON. In: Hybrid Systems: Computation and Control (HSCC'00) (N.A. Lynch and B.H. Krogh, Eds.). LNCS 1790. Springer-Verlag. pp. 6 19. Aubin, J.-P. and O. Dordan (2002). Dynamical qualitative analysis of evolutionary systems. In: Hybrid Systems: Computation and Control (HSCC'02) (C.J. Tomlin and M.R. Greenstreet, Eds.). LNCS 2289. SpringerVerlag. pp. 62 75. Aubin, J.-P., J. Lygeros, M. Quincampoix, S. Sastry and N. Seube (2002). Impulse differential inclusions: A viability approach to hybrid systerns. IEEE Trans. Automatic Control 47, 2 20. Davoren, J.M., V. Coulthard, N. Markey and T. Moor (2004). Non-deterministic temporal logics for general flow systems. In: Hybrid Systems: Computation and Control (HSCC'O4) (R. Alur and G.J. Pappas, Eds.). LNCS 2993. Springer-Verlag. pp. 280 295. Lee, E.A. and A. Sangiovanni-Vincentelli (1998). A framework for comparing models of compuration. IEEE Trans. Computer-Aided Design of Integrated Circuits 64 Sys 17, 1217 1229. Lynch, N.A., R. Segala, F. Vaandrager and H.B. Weinberg (1996). Hybrid I,/O Automata. In: Hybrid Systems III (R. Alur, T.A. Henzinger and E. Sontag, Eds.). LNCS 1066. SpringerVerlag. pp. 496 510. Moor, T. and J. Raisch (1999). Supervisory control of hybrid systems within a behavioural framework. System and Control Letters 38, 157-166. Tabuada, P., G. J. Pappas and P. Lima (2004). Compositional abstractions of hybrid control systems. Discrete Event Dynamic Systems 14, 203 238. Willems, J.C. (1989). Models for dynamics. Dynamics Reported 2, 171 269. Willems, J.C. (1991). Paradigms and puzzles in the theory of dynamical systems. IEEE Trans. Automatic Control 36, 259 294.
The overall analog-to-digital conversion system is a map AnDig A" IPath(Ro+,Y) ~
(, Path (N, Z) x
TT(N, R0+)), induced by the map A, and obtained from the two components AnlnA and DigOut A by a compound sequential composition operation. The systems AnlnA and DigOut A and AnDig A are each extension-preserving, non-anticipating, prefix-closed, suffix-closed and monoidal. 6. COMPARISON W I T H O T H E R I N P U T - O U T P U T SYSTEM MODELS Consider an input-output behaviour ~ c_ [L --+ (U × Y)]; we write (c~, fl) c ~ where c~ C [L --+ U] and fi c [L --+ Y]. An input-output behaviour ~3 has free input if 7ru(~) = [L ~ U]. The output of ~ is non-anticipating of the input, if
for ~H (~', 9'), (~", 9") c ~ , a~d for ~Ht c L, if a' t - a " t, then there exists fl C [L --+ Y] such that fit = fl' t and (a",fl) c ~ . The following result establishes a basic correspondence, for interval paths with time lines L - N and L - R +, between these behavioural properties and the corresponding properties of reactive systems.
Theorem 6.1. Let the time line be either L = N or L - R + and let F" IPath~(L, U) ~
IPath~(L, Y )
be a time-homogeneous, w-extendible, outputtime-unbounded, interval-path reactive system, in which case, dom(M~r) c_ [L ~ U] and ran(MaF) c [L -+ Y]. Further suppose t h a t = M~F =
{(~,9) 19 c
( M ~ F ) ( ~ ) } . Then:
(1.) $ is a non-anticipating behaviour with free input iff F non-anticipating with totally free input; (2.) $ is a time-invariant behaviour iff F is suffixclosed/time-invariant. 7. CONCLUSION We have developed a general formulation of non-deterministic input-output reactive systems, based on finite length paths, that is uniform for
416
Copyright © Analysis and Design of Hybrid Systems Alghero, Italy 2006
E L S EV i E R
IFAC PUBLICATIONS
CONTROL-INVARIANCE OF SAMPLEDDATA HYBRID SYSTEMS WITH PERIODICALLY CLOCKED EVENTS AND JITTER Yoshiyuki
Tsuchie * Toshimitsu
Ushio *
* Graduate School of Engineering Science, Osaka University, Toyonaka, Osaka 560-8531, Japan
Abstract: Silva and Krogh formulate a sampled-data hybrid automaton to deal with time-driven events and discuss its verification. In this paper, we consider a state feedback control problem of the automaton. First, we introduce two transition systems as semantics of the automaton. Next, using these transition systems, we derive necessary and sufficient conditions for a predicate to be controlinvariant. Finally, we show t h a t there always exists the supremal control-invariant subpredicate for any predicate, Keywords: Hybrid automaton; Jitter; Control-invariance; State feedback;
1. I N T R O D U C T I O N A hybrid automaton is widely used as a model of hybrid systems (Henzinger, 1996). A computercontrolled system is an example of hybrid systerns since it has both continuous and discrete variables associated with the physical process (the plant) and the logical dynamics (the control logic and external environment), respectively. In the computer-controlled systems, the measurements and subsequent discrete control actions are usually time-driven events and there exist the jitter variations in their occurrence times. Silva and Krogh proposed an extension of a hybrid automaton called a sampled-data hybrid automaton (SDHA) to model explicitly discrete transitions that are based on time-driven sampling of the continuous state and define a transition system called a sampled-trace transition system (STTS) as semantics to verify its dynamics (Silva and Krogh, 2000; Silva and Krogh, 2001). The SDHA is a pair of a clock structure and a hybrid automaton with clocked and unclocked events. Unclocked events are enabled when its continuous states satisfy their guards while clocked events are time-driven, t h a t is, they are enabled only at specified sampling times in addition to constraints for their guards. A clock structure, which is given by variation interval in the initial phase, a period
of clocked times, and a sampling jitter, specifies sequences of sampling times that can be generated in the system. The SDHA can be used as a model of various controlled systems with timedriven events. For example, in networked control systems, the samplings and subsequent control actions through the network can be associated with clocked events while the changes of external environments and internal model changes of plants are associated with unclocked events. Silva and Krogh (2001) propose a verification method for the SDHA using approximated quotient transition systems. But, to the best of our knowledge, a control problem of the SDHA has not been studied. In discrete event systems, a state feedback controller is often used as a logical control problem, where a control specification is given by a predicate on their states(Ramadge and Wonham, 1987). Its control action is determined by their current states. A discrete event system is called control-invariant if there exists a state feedback controller such that all reachable states in the closed-loop system controlled by the controller satisfy the predicate. A necessary and sufficient condition for the system to be control-invariant is derived(Ramadge and Wonham, 1987). The state feedback control for the discrete event systerns is extended to hybrid systems(Chen and
417
Hanisch, 1999) and hybrid a u t o m a t a with forcible events (Ushio and Takai, 2005). Forcible events are events t h a t can be forced to occur by the control so t h a t temporal performance can be iraproved (Brandin and Wonham, 1994). Ushio and Takai extend transition semantics of uncontrolled hybrid systems (Henzinger, 1996) to controlled hybrid systems with forcible events and show necessary and sufficient conditions for a predicate to be control-invariant. T h e y also show t h a t there alw
1 if Post(q, a)¢O and
wpa(P)(q) -
0 otherwise,
wlpa(P) - wp~(P) V ~D~, where Post(q, a ) = { q ' c Q (q, a, q')c~¢}. For a subset AC_Act, we define WpA(P)=VacA wp~(P). For a subset AC_Act, P c ~ ( Q ) is said to be (T;A)invariant iff, for VacA, P<<.wlpa(P). Let ~>0 and ~>0 be the sets of non-negative and positive reals, respectively, For a piecewise continuous function h • ~>0 --+ A, where A is an arbitrary set, d(h) = do(h)ds(h)d2(h).., is the sequence of points where h is discontinuous. For t c ~>0, h(t-) and h(t +) denote the values for the limits of h at t from the left and right, respectively.
In this paper, we consider state feedback control of the SDHA. Since enablingness of the clocked events depends on the clock structure, a state feedback controller is time-varying in general while it is time-invariant in b o t h hybrid systems without clocked events and discrete event systems. On the other hands, in conventional sampled-data control systems where controllers and sensors activate periodically, the sampling times are periodic but d a t a transmission time may be fluctuated so t h a t a jitter must be taken into consideration. So, we introduce a slight modification of the clock structure to represent sequences of periodic sampling times with jitter so t h a t a periodic state feedback controller is designed.
3. S A M P L E D - D A T A H Y B R I D A U T O M A T O N AND STATE F E E D B A C K C O N T R O L Silva and Krogh proposed a sampled-data hybrid a u t o m a t o n (SDHA) which is modeled by a pair of a hybrid a u t o m a t o n with clocked and unclocked events and a clock structure (Silva and Krogh, 2001). First, we modify the SDHA to introduce a control mechanism with forcible events which are forced to occur by external control action. We define a controlled hybrid a u t o m a t o n with forcible events as follows:
The rest of this paper is organized as follows: Section 2 reviews transition systems, several predicate transformations, and a concept of controlinvariance. Section 3 introduces a controlled SDHA with forcible events, which is given by a pair of a clock structure and a hybrid a u t o m a t o n with clocked and unclocked events. Two labeled transition systems are introduced to define its semantics and necessary and sufficient conditions for existence of state feedback controllers based on the transition systems are shown. Section 3 shows t h a t there always exists the supremal controlinvariant subpredicate for any predicate.
H=(V, E, E, Econ,Euncon,Eforc, Ecz ,Eund ,X, init, Flow, j~zmp). • V, E are sets of nodes, events, respectively; • Econ and Eu~co~ are sets of controllable and uncontrollable events, respectively, • Eforc is the set of forcible events and, for simplicity, we assume t h a t Efo~C_Econ; • E d and E ~ d are sets of clocked and unclocked events, respectively; • EC_VxExV is the set of edges with associated events, t h a t is, e(v, cr, v') is an edge e c E from v to v' labeled by event cr and corresponds to a discrete transition by the occurrence of or; • X C_ ~n is the set of continuous variables; • init" V --+ 2x assigns the initial continuous states, t h a t is, init(v) is the set of all possible initial continuous states in node v; • Flow={fv:X--+~ ~ VvcV} is the set of flows defining the continuous state equation a?= L ( x ) for each discrete state vcV. T h e n let x=¢v,x0 (t) be a trajectory which starts from discrete state v at time t = 0 and the initial continuous state x(0)=x0, on which no event occurs; and • jump" E--+2 x × x is the j u m p relation, t h a t
2. P R E L I M I N A R I E S We use a labeled transition system T - ( Q , Act, J . Q0) in order to define semantics of controlled bybrid systems, where Q is a set of states, Act is a set of labels, J CQ x Act x Q is a state transition relation, QoCQ is a set of initial states. Act(T; q)CAct is defined by Act(T; q)-{acActl3q ' c Q s.t (q, a, q ' ) c J } . Let ~ ( Q ) be the set of all predicates on Q. A predicate P is trite at state qcQ if P ( q ) - l , and false if P(q)-O. Denoted by v, A, and ~ are disjunction, conjunction, and negation of predicates, respectively. The t e r m "predicate" and " s u b s e t " ( - { q c Q I P ( q ) - l } ) can be used interchangeably. A partial order "~<" for ~ ( Q ) is defined as follows: for P1,P2c~(Q), Ps <<.P2e>Ps(q)< P~(q) for Vq~Q. For each acAct, a predicate Da is defined by D~(q) -
1
if a ~ Act(T;q),
0
otherwise.
(1)
We define predicate transformations wp~:~(Q)--+ ~ ( Q ) and wlp~:~(Q)--+~(Q) as follows:
l
(for Vq'cPost(q,a)) P ( q ' ) = l ,
i~, (,, ,') c j ~ p ( ~ )
m~n~ that th~ ¢onti~-
ous state x jumps to x' when cr occurs. Note t h a t Econ N Euncon EcZ n Euncl = @ and E=Ecor~UEur~cor~=EczUEuncZ. In addition, Ei,j denotes Ei A E3, where i6{con, urtcort, forc} and jc{cl, ~trtcl}. T h e state set QH of hybrid automaton H is given by QH={(v,x) VvcV, VxcX}. Let guard(e) be an occurrence condition of the discrete transition by edge e c E: guard(e)={zcX
3 . ' c x ~.t. ( ~ , . ' ) c j ~ p ( ~ ) } .
418
A s s u m p t i o n 1 We assume: (1) If, for e(v. or. v ' ) ~ E and x. x ' ~ X , (x, x ' ) ~ j u m p ( e ) , then x'~guard(~) for any ~(v'.cr'. v ' ) ~ E , (2) for any e(v, cr, v ' ) ~ E and cr~Efor~, guard(e) is a closed set, and (3) if e(v, or, v ' ) ~ E , then vCv'. The enablingness of clocked events does not depend on only the continuous states but also sampling times. To model the sequence of the sampling times, Silva and Krogh defines the clock structure such t h a t durations between each sampling times are specified by the clock period interval and the sampling jitter interval (Silva and Krogh, 2001). In conventional computer controlled systems and networked control systems, controllers and sensors are activated periodically with a specified sampling period and computational del
Henzinger (1996) introduces two transition systerns, called timed and timed-abstract transition systems, in order to represent semantics of the hybrid a u t o m a t o n and Ushio and Takai (2005) extended t h e m to a controlled hybrid automaton with a control specification given by a predicate. Next, we extend t h e m to H f . This is also an extension of S T T S (Silva and Krogh, 2001). To define semantics of the controlled S D H A by a transition system, the transition system must have a state variable which indicates duration between the current time and sampling times since b o t h the sampling times and the current state in Q H determine its behavior. In t h e S T T S , t h e state is composed of the state variable q c Q H and two variables p and a which indicate time and elapsed time from the latest sampling time, respectively. Since we modify the clock structure, we introduce a new variable ~ as a state variable, which indicates if a clocked event m a y occur at the current time. Thus, we can define two semantics for t h e controlled SDHA H f given by a controlled t i m e d / t i m e - a b s t r a c t transition system. A controlled timed transition system is defined by S b ( H ~ , P ) : (@, Actt, ~ f , Qto). (2) Qt C_QH x { - 1, 0, 1} x [0, max(00, To)] x {0, 1} is the state set of the transition system. Each element of a state ( q , p , ~ , ~ ) c Q t is defined as follows: q indicates a state of H c . p indicates t h a t the current time is before the first nominal sanapling time 00 ( p - - - l ) , at 00 (p=0), after 00 ( p = l ) . w indicates absolute time until the current time becomes 00, where the system starts at w=0. W h e n the current time is equal to or greater t h a n 00, a is an elapsed time from the latest nominal sampling time and is reset to zero at each nominal sampling time. Note t h a t w is zero if p is zero. is reset to one at each nominal sampling time and to zero if a > J or after a clocked event occurs. Q t o = { ( v , x , - 1 , O, O)cQt x c i n i t ( v ) , V v c V } is the set of initial states in Qt. A c t t = E U R>0. To define the transition relation ~ f of S Ct ~H f , P), ~ C we introduce a set of clock sequence S T S c ( q t , 5) as follows: for qt = (q, P,~, 7) C Qt and 5 c ~>_0, S T S c ( q ~ , 5) -
{tot1 ..... tN
ti C [Oi - w, Oi - w -}- J],
i = 0,1,. . . , tN < 5 <_ tN+l } if p - - --1,
{tot~ . . . tN
ti-~ C [iTo - w, iTo - w + J],
i = 1 , 2 , . . . , tN < 5 <_ tN+l } if p-¢ - 1 , r / = 0,
{tot~...tN l t~ C [iTO, iTO + J], i - - 0 , 1 , 2 , . . . , tN < 5 <_tN+l} if p-¢ - 1 , w { t 0 t l . . . tN
-- 0,~] -- 1,
ti-1 C [iTo - co, iTo -a~ + J],
i = 1 , 2 , . . . , tN < 5 <_ tN+l} LJ {t0tl .... tN I
ti C [iTo - co, iTo - ~ + J], i = 1 , 2 , . . . ,
to c [o, J - ~], tN < 6 _< tN+~} if p - -
419
1,w ~0,~/-
1.
~t f
Transitions related to events in E are the same as those in ~ f in S ct ( H cf, P ). Consider two states qa - (q, P, ~, rl), q~ - (q', p', c~', ~]') C Q~, where
Qt x Actt x Qt is defined as follows: Consider states qt (q, p, a~. rl) and q~ (q', p'. w', ~]') ~ Qt. ( A ) For each cr C E. (qt, or. q~) ~ ~t f C
iff the following conditions are satisfied: (1) cz - c z ' , p - p', and e(v, or. v') ~ E. (2) (x,x') ~ jump(e). (3) if p p' 1, then (i) ~ ~ fund,~ (q, w) and (ii) r/ r/ 0. (4) i f p - p ' - 0 , then • if cr C E d , then (i) cr ~ fd,s(q, Oo) and (ii)r/ 1. r/ • otherwise (i) (7 ~ fund.~(q, Oo) and (ii) r/ - r / (5) if p - p ' - 1, then • if cr ~ Ecz, then ( i ) w ~ [0, J], cr ~ fd,s (q, Oo+w), and (iii) r/ 1. r / • otherwise (i) cr ~ f ~ d , s (q, 00 + a~) and (ii) ~ (B) For 6 ~ ~>0, (qt, 6, q~) ~ ~t f iff the following conditions are satisfied:
{a c ~>o (q~,a, q') c ~ } . (A) (qa, %o~, qi) C ~ f ! iff A(qa, %)¢0 and for any 5eA(qa, q~a),
~~,~o~(~)(q~) 0,
{q~}6SDSc,f
V{v~[o,~)
1.
(wP~"nc~'~°~~(P)(v'(q(~)))} - 1 ' ( 4 )
(ii) 0,
where SDSc, f = SDSc, f(qa, ~, q~a),P(qa) = P(q). (B) (q~, %~o~, q l ) ~ ~ 7 ! i~ A(qa, %)¢0 ~ d th~r~ ~i~t~ 5 ~ ( ~ ,
r/.
Let open=(opend,s, opend,2, open~d,s, openu~d,2 ) be a state feedback controller defined as follows: for any qCQH and any tc~>_o, opend,s (q, t)=Ecz, opend,2(q, t)=0, openund,s (q, t ) = E ~ n d , openund,2( q, t)=0. Two transition systems controlled by the controller open are denoted as follows:
(2) For v a . ~ ~ (0,6), P(v,(q(Ct))-P(v,(q(/~)). (3) One of the following conditions is satisfied: • if p - p ' - 1, then (i) 6-w' w, (ii) r / - 0 , r / - 0 , and (iii) for re(v, #. 0)CE. v t~[0, 6), (q(t)~guard(e)=>#¢f~d ~(v, ¢q (t). w+t). • if p-- 1,p'--0, then(i) 6-0o w, (ii) r/-0 , r / - 1 , and (iii) forVe(v, #. 0 ) ~ E , v t~[0, 6), ¢q(t)Cguard(e):=>(rC fund.~(v, ¢q (t), w+t). • ifp-- 1, p'--l, then (i) ~ K > 0 s.t. 6--w'+ OK w, (ii)if K--0, w'-~0, (iii)ifw'~[0, g], r/--1, (iv) for re(v, 5 . 0 ) ~ E , vt~[0, 6),
(r, O)'~E. t~{tk}, ¢q(t)~guard(e)=>(r¢ f d,~(V, (q(t), cz+t). • if p-¢ 1, p ' - l , then (i) ~neZ>o s.t. 6 w' w+nTo, (ii) for Ve(v, #, O)~E, vtc[0. 6), (q(t)~guard(e)=~#¢f~ncz.~(v, (q(t). t+w+Oo), (iii) ~ {tk }~STSc(qt, 6) s.t for Ve(v,~, 0 ) ~ E , vt~{tk}, (q(t)cguard(e) ~#~fd,~(V,(q(t),t+cz+Oo), ( i v ) i f r/-1, cz'~[0, J]=~r/-1, and ( v ) i f r/-0, for any n satisfying (i), the following equations holds, if n > 1 and cz~[0, J], r / - 1 . if n - 0 ,
~'--0. Le~ SDSc.f(qt, 6, q~) be the set of sampled state sequences on a transition relation (qt, 6. q~) ~ ~t f defined as follows: SDSc,f(qt, 5. q~)-{(v,
(V,(q(t~))}, where qt,~ -- (q~.p~,a~,rl~). In the controlled timed transition system, ~>0 c Actt is the set of elapsed times from the latest occurrence of events. So, by aggregating such events into two events indicating that time elapses, a controlled time-abstract transition system is defined by
(0~. A~t~, ~ . 0~0).
qt) ~uch
t h a t Eq. 4 does not hold.
(~) v-v', x'-
s ~c(H~. P)
c~6{qk}
(3)
The sets Qa and Q~0 are the same as those of S~, that is, Qa Qt and Qao - Qto. dcta E U {Tcon, Tuncon} , where Tcon and Tunco n ~ Y] are events. ~ f C Qa x Aet~ x Q~ is defined as follows:
=
~,Ckll C
S$(P) -- (Qa, Acta, < , QaO) -- ~C ~a ~k~tzopen C , p) • Note that S S ( P ) and S~(P) correspond to semantics of the uncontrolled system. From the above definitions, the following lemma is easily shown. L e m m a 1 Let f - ( f d,s , f d,2 , f ~d,s , f ~d,2 ) be a state feedback controller for a controlled SDHA Hc(H, C(0, J)). Then, for two states qa (q, p, c~, r/), q~ c Qa - Qt, and event cr c E, " (qa, 0, qta)C ~ f ~ (qa, 0, qta)C ~ .
cr C fcl,S (q, Oo + c~) if cr C E d C funds(q, Oo -}-w) otherwise (qa, 0", qla) C ~ f , where q - (v,x) C QH. Let r be a run for H cf , and r is defined as follows: = (v, x, c), (5) where v(t) C V is a trajectory for the discrete variable, x(t) c X is a trajectory for the continuous variable, and c c C is the sampling times synchronizing with H Cf ' It is said that r is a run for H f if the following conditions hold:
(1) ~(0) c v, ~(0) c i~it(~(0)) (2) if t C d(v), then there exists cr C E such that the following three conditions hold: (i) e(v(t-),o,v(t+)) e E, ( i i ) i f ~ e Ecz, (7 e f d , s ( ( v ( t - ) , x ( t - ) ) , t ) and t e c, (iii)if cr e
Eund, cr e f u n d , l ( ( v ( t - ) , x ( t - ) ) , t ) . (3) if t ¢ d(v), then (i) ~(t)-fv(t)(x(t)), (ii) for re(v, #, 0)CE, if x(t)cguard(e), #¢f~nd,2(v(t), x(t),t), and (iii) (if tCc) for re(v, ~, 0 ) c E , x(t) c g u a r d ( e ) ~ # ¢ fd,2 (v (t), x(t)), t). The following propositions indicate that the transition systems are the semantics of the controlled
SDAH H ~
420
Proposition 1 Consider a controlled SDHA H I and its associated timed transition system t f Sc(H&, P). If r is a run for H I , then there exists
a corresponding sequence of states qt =qt,0%,l- • • t h a t is a state t r a j e c t o r y for S ct ( H ~f, V). Proposition 2 Consider a controlled SDHA H I and its associated timed transition system
P r o o f : ( i ) ~ ( i i ) . Suppose that P is control-invariant. Let f be a permissive feedback controller. Suppose t h a t P is not ( S ~ ( P ) ; Euncont, ~>o,Eforc)invariant. Then, we have the following cases: • Consider the case t h a t there exist qt,q~cQt, f and crCE~ncon such t h a t (qt, (7. qt)CJt, P(qt)
E~nco~,~dC f~d.1, we have (qt, (7, q~)C~t f by L e m m a 1. Since f is a permissive feedback controller, we have P(qt)-O, which is a contradiction. • Consider the case t h a t there exist (~ c ~>0 and qt - (q, P, w, rl) c Qt which do not satisfy Eq. (6). Then, P(qt) 1, there exists q~ (q', p', w'. ~') c Qt such that (qt, & q~) c Jtt, one of the following conditions is satisfied" ( A ) P(v,~q(e)) 0 for any eC(0,(~) ~nd WPero~ (P)(qt)-O. Since wpefo~.~(P)(qt)-O, there exist 0
S Ct t fH C~ f P) . If .qt=qt,oqt,~qt,2 is a state trajec. . tory for Stc(HI,p), there exists a corresponding run r t for H/c . The above propositions are also true for the timeabstract transition system S~(H f , P). We extend a predicate P on QH to Qt = Qa as follows: for each s t a t e qt -- (q,P,w,~) ~ Qt, ~ . @ -~ {0, ~} is d ~ d by P(q~) - P(q).
4. C O N T R O L - I N V A R I A N C E A concept of control-invariance plays an import a n t role in state feedback control of discrete event systems ( R a m a d g e and W o n h a m , 1987). A pred, icate P c ~ ( Q a ) is said to be control-invariant if there exists a state feedback controller f such t h a t P is ~¢t ~ c ~ ~Hfc, P);Actt)-invariant. Such a controller f is called a permissive feedback controller. We show necessary and sufficient conditions for P to be control-invariant in the controlled SDHA. We define predicates for trajectories of the continuous variables as follows: for a predicate P ~ ~ ( 0 a ) , states qa = (q,p,w, fl) ~ Qa, q~a = (V', ~q((~),/,W', r/) ~ Qa, and time a ~ ~>0,
{~ PCC,5(P)(qa) --
~~,.
ifP(v,(q(e))-l,Ve~(O,~), if P(v, ~q(e)) -- 0, v e ~ (0, ~),
..... ~(~)(q~) =
{V~i0,~) (~'~ .....~"......(~)(~, ¢~(~)))}
twpc, a(P)(qa) = P(q') V pwpe~ ......a(P)(qa), where S D S c - SDSc,open(qa,(~,q~a). If a predicate P is a closed set, twp can be rewritten as follows: twpc, a(P)(qa) = pwp~, ......a(P)(qa). A predicate P is said to be (S~(P);E~n~o~,~>o, E/o~c)-invariant if the following conditions hold: (1) P is (Stc(P);Eun~on)-invariant, and (2) in Sb(P), for any (~ ~ R>0,
(qt , (~,qtl ) C ~
, which is also a contradiction. From the above contradictions, P is shown to be (S~ (P); Euncon, ~>0, Eforc)-invariant. (ii)=>(iii) For qa. q~aCOa-Ot, and c r 6 E ~ o n , the following implication is easily shown: (qa, or. q'a)C Jt (qa, Or, q~a) C ~ . Thus, we have P is (S~ (P) ; Euncon )-invariant if P is (S~ (P); Euncon )-invariant. Suppose t h a t P is not ( S ~ ( P ) ; runcon)-invariant. Then. there exist qa and q~a such t h a t (qa, %~con, q ~ ) C ~ , P ( q a ) - - l , and P(q~)-O. From the definition of %~co~, there exits (~ c ~>0 such t h a t (qa, 6, q~) c Jtt, which is a contradiction since P is ( S ~ ( P ) ; Euncon, ~>0, Eforc)-invariant. Thus, P is (S~. (P); Euncon U {%ncon})-invariant. (iii)=>(i) Suppose t h a t P is (S~(P);Euncon U {%~co~ })-invariant. Then, we consider the following state feedback controller f - ( f d . s , fd,2, f~d,1. f~nd,2)" for each q ~ QH, t ~ ~>0, fd,l(q,t) 2d.~o~U {~eEd.~o~ w p , (P) (q, a, w, ~ ) ~ in S b ( P ) } , funcZ.~(q, t)--runcZ.uncon U{crEEund.con wp~(P)(q,p,c~,O)--i in S b ( P ) } , where p and cz satisfy (a) if t<00, then p - 1, and a~-t. (b) if t - 0 0 , then p - 0 , and w - 0 . (c) if t>00, then p - l , and w - t Oo L(t-Oo)/ToJTo. fd.~(q,t)--Ed,forcCh fd.s. f~d.~(q,t) E ~ d , f o ~ rq f ~ d . s . Thus, it f P); Actt)is easy to prove t h a t P is (St ~ c v(H c, invariant. II
P 4--,Da V wp~.o~.~(P) We show necessary and sufficient conditions for the control-invariance. T h e o r e m 1 Consider the controlled SDHA Hc and a predicate P ~ ~ ( Q a ) . Then, the following three s t a t e m e n t s are equivalent: (i) P is control-invariant. (ii) P is ( S ~ ( P ) ; Euncon,~>o, Efo~)-invariant. (iii) P is (S~(P) ; E ~ o ~ U {%nco~})-invariant.
f
5. S U P R E M A L C O N T R O L - I N V A R I A N T SUBPREDICATE In general, a given predicate P c ~ ( Q a ) is not necessarily control-invariant. In this section, we propose a procedure for c o m p u t a t i o n of the suprereal control-invariant subpredicate. We introduce some definitions for the predicate P as follows: • ~ I ( P ) is the set of all control-invariant subpredicates of P c ~ ( Q a ) .
421
• O~(Q~)
is the predicate such that for any
that (qa,%ncon, q~a) C Ja in S~(Pz) and Pl(q~a) 0. By Lemma 2, we have (qa, %r~con, q~a) C ~ in S~(PT). Since pT(q;) = 0, this contradicts the assumption that pT is control-invariant. For the above cases, we have pT ~ Pl+l and pT ~ p~. Therefore, we have P~ = pT. II
q~O~, o(q~)=o, s ~
o~(P), ~(P)¢O. • A predicate pT ~ ~ I ( P ) called the supremal control-invariant subpredicate of P is defined as follows: for any P' ~ ~I(Q~), P' ~ pT. Ushio and Takai (2005) showed that there always exists pT for the hybrid systems with forcible event. In this section, we show the same property also holds for the controlled SDHA.
Note that pT computed by the above scheme depends on time in general while the control specification P c ~ ( Q H ) is independent of time.
Since P' ~ P => forV~ ~ E, wp~(P') ~ wp~(P), the following lernma is easily shown. L e m m a 2 Let P and P ' c ~ ( Q a ) be predicates such that P' ~ P and P' is (S~(P'); Eur~cor~ U {%ncon})-invariant. For anyqa ~ {qa = (q, p,w, ~) Q~P'(q~) = 1}, if there exists q; ~ Qa such that (qa, %ncon, q~a) ~ & in S ~ ( P ) , then (qa, %~o~, q~) ~ ~ also holds in S~(P')
6. C O N C L U S I O N This paper considered state feedback control of a sampled-data hybrid automaton as a model of computer-controlled systems where control specifications are given by predicates.
Using Lemma 2, we prove the following theorem. T h e o r e m 2 Let I be any index set. if Pi ~ ~ ( Q ~ ) i~ (s&(~) I r ~ o ~ u {~o~}) -invariant for each i ~ I, then, PI = V i~x Pi is ( s ~ ( P i ) ; ~uncon U {%ncon}) -invariant.
We introduced two transition systems as semantics for the controlled sampled-data hybrid aut o m a t a and proved necessary and sufficient conditions for the control-invariance, and showed that there always exists the supremal control-invariant subpredicate for any predicate.
By Theorem 2, there exists its supremal controlinvariant subpredicate P$ for any predicate P
In general, the procedure for computation of the supremal control-invariant subpredicate is not decidable. So it is future work to obtain an approximation method for the computation.
~(o~). The following theorem gives an iterative scheme for computing the supremal control-invariant subpredicate. T h e o r e m 3 For any P c ~ ( Q ~ ) , consider the following iterative computation: Pj+s - Pj A ~(pj) (vj > 0), where P0 : - P.
REFERENCES Brandin, B. A. and Wonham (1994). Supervisory control of timed discrete-event systems.
Then the following implication holds: 3/c > 0 s.t. Pk+l Pk ~ pT p~. (7) where ~ " ~(q~)---+~(qa) is defined as follows:
IEEE Transactions on Automatic Control
39(2),
329-342. Chen, H. and H.-M. Hanisch (1999). Control synthesis of hybrid systems based on predicate invariance. In: Hybrid Systems V. pp. 1-15. Henzinger, T. A. (1996). The theory of hybrid automata. Proceedings of the 11th Symposium on Logic in Computer Science pp. 278-292. Ramadge, P. a. and W. M. Wonham (1987). Modular feedback logic for discrete event systems.
¢(p)(q~) A
wlp~(P)(q~)
1
if
0
~c~ ....... u{r ........ } otherwise.
1 in S~(P)
P r o o f : Assume that there exists k such that P~+s Pk. For the above iterative scheme, we have Pk--Pk+l--Pk A ~(Pk)<~wlpa(Pk) for any acE~nco~ U{"r,-.,.,~on} and Pj+s-Pj/~¢(Pj)<~Po-P for any j > 0 . So P~ is a control-invariant subpredicate of P i.e. Pt~ c ~ I ( P ) , which implies P~<~P*.
SIAM Journal on Control and Optimization 25(,5), 1202-1218. Silva, B. I. and B. H. Krogh (2000). Modeling and verification of sampled-data hybrid systems. A D P M 2000 pp. 237-242. Silva, B. I. and B. H. Krogh (2001). Modeling and verification of hybrid systems with clocked and unclocked events. Proc. 40th IEEE CDC pp. 762-767. Ushio, T. and S. Takai (2005). Control-invariance of hybrid systems with forcible events. Automatica 41,669-675.
Next, we prove that pT ~< P1 for 1 - 0, 1 . . . . . k by induction. (1) 1 - 0. Since pT is a subpredicate of P, we have pT ~< P0- (2) Suppose that pT ~< Pl holds. Then, we show by a contradiction that pT ~< Pl+l holds. If pT ~< Pl+s does not holds, then there exists qa c Qa such that pT(q~) -- 1 and ~(P1)(qa)- 0 since p T ( q a ) - 1 =~ P l ( q a ) - 1 for any qa C Qa. If ~(Pl)(q~) - 0 holds. One of the following cases always holds: (a) In S~(P1), there exists cr C E~ncon such that wlp~,(Pz)(qa) 0. Since D~ in S ~ ( P T) is equivalent to that in S~(P1), there exists q~ C Qa such that (q~, or. q~) C ~a in S ~, ( P T) and P l(qa) 0, which implies that ! _ pT (q~a) -- 0. This contradicts the assumption that pT is control-invariant. (b) wlp~-....... (P1)(q~) -- 0 holds in S ca ( 1p) . Then there exists q~ c Qa such
422
Author Index
ADHS'06 2nd IFAC Conference on Analysis and Design of Hybrid Systems AIghero, I t a l y - June 7-9, 2006
Abate A. Alessio A. Ambrosi L. Andersson M. )~rz~n K. E. Axelsson H. Azhmyakov V. Bacconi F. Bakule L. Balluchi A. Ba rbot J.- P. Bartolini G. Bastin G. Bauso D. Beccuti A. G. Beers C. D. Bemporad A. Ben Makhlouf I. Benali A. Benvenuti L. Blanchini F. Bicchi A Birouche A. Biswas G. Biota H. A. P. Boccadoro M. Bordons C. Bouchhima F. Boutat D. Buisson J. Bujorianu M. L. Bukkems B. Caines P.E. Camacho E. F. Camlibel K. Casavola A. Cassandras C. G. Cervin A. Chaib S. Ciapessoni E. Clune M. I. Colaneri P. Corona D. Cuijpers P. J. L.
359 3O2 383 272 272 95 89 83 130 259 124 341 276 191 77 315 71 241 302 377 341 259 77 353 12 71 160 95 101 199 274 341 309 329 160 142 166 199 290 83 136 267 272 341 383 267 347 253 56
Daafouz J. Davoren J. M. de BestJ. De Santis E. De Schutter B. Denis B. Di Benedetto M. D.
Di Cairano S. Di Gennaro S. D'Innocenzo A. Djemal M. Dochain D. Dotoli M. Dumur D. Egerstedt M. El Moudni A. Engell S. Fanti M. P. Ferrarini L. Ferrier J.-L. FIoquet T. Garcfa-Gabfn W. Geist S. Geromel J. C. Gheorghe L. Girard A. Giua A. Gromov D. Gu4guen H. Hagander P. Haugwitz S. Hayat S. Heemels W. P. M. H.
Hellendoorn J. Henriksson D. Hermanns H. Hetel L. H4treux G. Hrovat D. Iannelli L, Inagaki S.
423
12 335 409 142 112 148 253 365 24 112 259 241 24 24 124 191 44 329 95 101 50 211 44 383 283 124 199 205 347 274 106 37 205 395 118 185 185 5O 290 296 321 148 272 160 335 235 241 247 64
Iung C.
Johansson K. H. Jolly J-C. J~nsson U. T. Ju~rez-Orozco Z. Julius A. A. Kaakai F. Kolmanovsky I. Kouretas P. Koutoumpas K. Kowalewski S. Lazar M. Le Lann M.-V. Le Lann J.-M. Lecoeuche S. Lee E.A. Lee H. Lefebvre M.-A. Leirens S. Lesage J. J. Lichtenberg G. Lunze J. Lygeros J. Ma Z. Mahulea C. Malhame R. Manamanni N. Manders E.-J. Mangini A. M. Messai N. Millan J. Miyagi P. E. Moor T. Morari M. Mosca E. Mosterman P. J. Nasri O. Necoara I. Nicolescu G. O'Young S. Olaru S. Olivier N. Papafotiou G. Pappas G. J. Pekpe K. M. Pesenti R. Pettersson S. Picasso B. Pisano A. Pochet Y. Pogromsky A. Y. Pola G.
Qu~mard C. Raisch J.
4 12 335 247 283 247 365 106 5O 241 172 172 377 296 321 235 235 154 270 1 118 309 365 179 229 172 166 37 166 124 71 44 217 402 389 409 315 83 71 267 118 148 274 402 329 235 315 106 154 77 18 353 276 191 6 112
Ratschan S. Recalde L. Reniers M. A. Riedinger P. Riera B. Rodrigues M. Rooda J.E. Rostalski P. Saadaoui H. Sangiovanni-Vincentelli A. L. Sauter D. Schiffelers R. R. H. Schumacher H. Seatzu C. Silva M. Simeonova I. Smaus J. G. Sonntag C. Steinbuch M. Stursberg O. Suzuki T. Theilliol D. Thomas J. Tiwari A. Tsuchie Y. Usai E. Ushio T. Utkin V. Valigi P. van Beek D. A. van de Molengraft R. van den Berg R. A. van den Boom T. J. J. Vasca F. Villa T. Villani E. Wardi Y. Warichet F. Wesselowski K. S. Xu J. Yamada N. Zambrano D. Zaytoon J. Zheng H.
424
283 89 205 395 371 30 37 56 4 217 223 6 265 179 124 2 259 223 265 290 37 30 37 191 371 211 142 211 64 223 329 359 417 276 417 1 101 265 142 6 148 247 259 389 95 101 191 136 30 64 199 217 270
