Automated Formal Synthesis of Digital Controllers for State-Space Physical Plants

Alessandro Abate; Iury Bessa; Dario Cattaruzza; Lucas Cordeiro; Cristina David; Pascal Kesseli; Daniel Kroening; Elizabeth Polgreen

doi:10.1007/978-3-319-63387-9_23

International Conference on Computer Aided Verification

CAV 2017: Computer Aided Verification pp 462-482 | Cite as

Automated Formal Synthesis of Digital Controllers for State-Space Physical Plants

Authors
Authors and affiliations

Alessandro Abate
Iury Bessa
Dario Cattaruzza
Lucas Cordeiro
Cristina David
Pascal Kesseli
Daniel Kroening
Elizabeth Polgreen

Conference paper

First Online: 13 July 2017

Part of the Lecture Notes in Computer Science book series (LNCS, volume 10426)

Abstract

We present a sound and automated approach to synthesize safe digital feedback controllers for physical plants represented as linear, time-invariant models. Models are given as dynamical equations with inputs, evolving over a continuous state space and accounting for errors due to the digitization of signals by the controller. Our counterexample guided inductive synthesis (CEGIS) approach has two phases: We synthesize a static feedback controller that stabilizes the system but that may not be safe for all initial conditions. Safety is then verified either via BMC or abstract acceleration; if the verification step fails, a counterexample is provided to the synthesis engine and the process iterates until a safe controller is obtained. We demonstrate the practical value of this approach by automatically synthesizing safe controllers for intricate physical plant models from the digital control literature.

This is a preview of subscription content, to check access.

A Stability of Closed-Loop Models

A.1Stability of Closed-Loop Models with Fixed-Point Controller Error

The proof of Jury’s criterion [11] relies on the fact that the relationship between states and next states is defined by $x_{k+1} = (A_d - B_dK) x_k$, all computed at infinite precision. When we employ a FWL digital controller, the operation becomes:

$$\begin{aligned} x_{k+1}&= A_d \cdot x_{k} -(\mathcal {F}_{\langle I_c,F_c \rangle }(K)\cdot \mathcal {F}_{\langle I_c,F_c \rangle }(x_{k})). \\ x_{k+1}&= (A_d - B_dK) \cdot x_k + B_dK\delta , \end{aligned}$$

where $\delta $ is the maximum error that can be introduced by the FWL controller in one step, i.e., by reading the states values once and multiplying by K once. We derive the closed form expression for $x_n$ as follows:

$$\begin{aligned} x_{1}&= (A_d - B_dK)x_0 + B_dK\delta \\ x_{2}&=(A_d - B_dK)^2x_0 + (A_d - B_dK)B_dK\delta + B_dK\delta \\ x_{n}&= (A_d - B_dK)^nx_0 + (A_d - B_dK)^{n-1}B_dK\delta + ... + (A_d - B_dK)^1B_dK \delta + B_dK\delta \\&= (A_d - B_dK)^nx_0 + \sum _{i=0}^{i=n-1}(A_d - B_dK)^iB_dk\delta . \end{aligned}$$

The definition of asymptotic stability is that the system converges to a reference signal, in this case we use no reference signal so an asymptotically stable system will converge to the origin. We know that the original system with an infinite-precision controller is stable, because we have synthesized it to meet Jury’s criterion. Hence, $(A_d - B_dK)^n x_0$ must converge to zero.

The power series of matrices converges [15] iff the eigenvalues of the matrix are less than 1 as follows: $\sum _{i=0}^{\infty }T^i = (I - T)^{-1}$, where I is the identity matrix and T is a square matrix. Thus, our system will converge to the value

$$\begin{aligned} 0 + (I - A_d + B_dK)^{-1}B_dk\delta . \end{aligned}$$

As a result, if the value $(I - A_d + B_dK)^{-1}B_dk\delta $ is within the safe space, then the synthesized fixed-point controller results in a safe closed-loop model. The convergence to a finite value, however, will not make it asymptomatically stable.

B Errors in LTI Models

B.1 Errors Due to Numerical Representation

We have used $\mathcal {F}_{\langle I,F \rangle }(x)$ denote a real number x represented in a fixed point domain, with I bits representing the integer part and F bits representing the decimal part. The smallest number that can be represented in this domain is $c_m=2^{-F}$. The following approximation errors will arise in mathematical operations and representation:

1.

Truncation: Let x be a real number, and $\mathcal {F}_{\langle I,F \rangle }(x)$ be the same number represented in a fixed-point domain as above. Then $\mathcal {F}_{\langle I,F \rangle }(x) = x-\delta _T$ where the error $ \delta _T=x\ \%_{c_m}\ \tilde{x}$, and $\%_{c_m}$ is the modulus operation performed on the last bit. Thus, $\delta _T$ is the truncation error and it will propagate across operations.
2.
Rounding: The following errors appear in basic operations. Let $c_1, c_2$ and $c_3$ be real numbers, and $\delta _{T1}$ and $\delta _{T2}$ be the truncation errors caused by representing $c_1$ and $c_2$ in the fixed-point domain as above.
1. (a)
  
  Addition/Subtraction: these operations only propagate errors coming from truncation of the operands, namely $\mathcal {F}_{\langle I,F \rangle }(c_1) \pm \mathcal {F}_{\langle I,F \rangle }(c_2) = c_3 + \delta _3$ with $|\delta _3| \le |\delta _{T1}| + |\delta _{T2}|$.
2. (b)
  
  Multiplication: $\mathcal {F}_{\langle I,F \rangle }(c_1) \cdot \mathcal {F}_{\langle I,F \rangle }(c_2) = c_3 + \delta _3$ with $|\delta _3| \le |\delta _{T1}\cdot \mathcal {F}_{\langle I,F \rangle }(c_2)|+ |\delta _{T2}\cdot \mathcal {F}_{\langle I,F \rangle }(c_1)| + c_m$, where $c_m=2^{-F}$ as above.
3. (c)
  
  Division: the operations performed by our controllers in the FWL domain do not include division. However, we do use division in computations at the precision of the plant. Here the error depends on whether the divisor is greater or smaller than the dividend: $\mathcal {F}_{\langle I,F \rangle }(c_1) / \mathcal {F}_{\langle I,F \rangle }(c_2) = c_3 + \delta _{T3}$ where $\delta _{T3}$ is $(\delta _{T2}\cdot c_1 - \delta _{T1}\cdot c_2)/(\delta _{T2}^2 - \delta _{T2} c_2)$,
3.

Overflow: The maximum size of a real number x that can be represented in a fixed point domain as $\mathcal {F}_{\langle I,F \rangle }(x)$ is $\pm (2^{I-1}+1-2^{-F})$. Numbers outside this range cannot be represented by the domain. We check that overflow does not occur.

B.2 Modeling Quantization as Noise

During any given ADC conversion, the continuous signal will be sampled in the real domain and transformed by $\mathcal {F}\langle I_{c},F_{c} \rangle (x)$ (assuming the ADC discretization is the same as the digital implementation). This sampling uses a threshold which is defined by the less significant bit ($q_{c}=c_{m_c}=2^{-F_c}$) of the ADC and some non-linearities of the circuitry. The overall conversion is

$$\mathcal {F}\langle I_{c},F_{c} \rangle (y(t)) = y_k : y_k \in \left[ y(t)-\frac{q_{c}}{2}\ \ \ \ y(t)+\frac{q_{c}}{2}\right] .$$

If we denote the error in the conversion by $\nu _k=y_k-y(t)$ where $t = nk$, and n is the sampling time and k the number of steps, then we may define some bounds for it $\nu _k \in [-\frac{q_{c}}{2}\ \ \frac{q_{c}}{2}]$.

We will assume, for the purposes of this analysis, that the domain of the ADC is that of the digital controller (i.e., the quantizer includes any digital gain added in the code). The process of quantization in the DAC is similar except that it is calculating $\mathcal {F}\langle I_{dac},F_{dac} \rangle (\mathcal {F}\langle I_{c},F_{c} \rangle (x)) $. If these domains are the same ($I_{c}=I_{dac},F_{c}=F_{dac}$), or if the DAC resolution in higher than the ADCs, then the DAC quantization error is equal to zero. From the above equations we can now define the ADC and DAC quantization noises ${\nu _1}_k \in [-\frac{q_1}{2}\ \ \frac{q_1}{2}]$ and ${\nu _2}_k \in [-\frac{q_2}{2}\ \ \frac{q_2}{2}]$, where $q_1=q_{c}$ and $q_2=q_ dac $. This is illustrated in Fig. 1 where $Q_1$ is the quantizer of the ADC and $Q_2$ the quantizer for the DAC. These bounds hold irrespective of whether the noise is correlated, hence we may use them to over-approximate the noise effect on the state space progression over time. The resulting dynamics are

$$\begin{aligned} {x}_{k+1} = {A}_d{x}_k+{B}_d({u}_k+{{\nu }_2}_k), \quad u_k = -K{x}_{k}+{{\nu }_1}_k, \end{aligned}$$

which result in the following closed-loop dynamics:

$$\begin{aligned} {x}_{k+1}&= ({A}_d-{B}_d{K}_d) {x}_k+{B}_d{{\nu }_2}_k +{{\nu }_1}_k. \end{aligned}$$

References

1.
Control tutorials for MATLAB and SIMULINK. http://ctms.engin.umich.edu/
2.
Abate, A., Bessa, I., Cattaruzza, D., Cordeiro, L.C., David, C., Kesseli, P., Kroening, D.: Sound and automated synthesis of digital stabilizing controllers for continuous plants. In: Hybrid Systems: Computation and Control (HSCC), pp. 197–206. ACM (2017)Google Scholar
3.
Anta, A., Majumdar, R., Saha, I., Tabuada, P.: Automatic verification of control system implementations. In: EMSOFT, pp. 9–18 (2010)Google Scholar
4.
Åström, K., Wittenmark, B.: Computer-Controlled Systems: Theory and Design. Prentice Hall Information and System Sciences Series. Prentice Hall, Upper Saddle River (1997)Google Scholar
5.
Bessa, I., Ismail, H., Palhares, R., Cordeiro, L., Filho, J.E.C.: Formal non-fragile stability verification of digital control systems with uncertainty. IEEE Trans. Comput. 66(3), 545–552 (2017)MathSciNetCrossRefzbMATHGoogle Scholar
6.
Brain, M., Tinelli, C., Rümmer, P., Wahl, T.: An automatable formal semantics for IEEE-754 floating-point arithmetic. In: ARITH, pp. 160–167. IEEE (2015)Google Scholar
7.
Cattaruzza, D., Abate, A., Schrammel, P., Kroening, D.: Unbounded-time analysis of guarded LTI systems with inputs by abstract acceleration. In: Blazy, S., Jensen, T. (eds.) SAS 2015. LNCS, vol. 9291, pp. 312–331. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-48288-9_18 CrossRefGoogle Scholar
8.
David, C., Kroening, D., Lewis, M.: Using program synthesis for program analysis. In: Davis, M., Fehnker, A., McIver, A., Voronkov, A. (eds.) LPAR 2015. LNCS, vol. 9450, pp. 483–498. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-48899-7_34 CrossRefGoogle Scholar
9.
de Bessa, I.V., Ismail, H., Cordeiro, L.C., Filho, J.E.C.: Verification of fixed-point digital controllers using direct and delta forms realizations. Des. Autom. Emb. Syst. 20(2), 95–126 (2016)CrossRefGoogle Scholar
10.
Duggirala, P.S., Viswanathan, M.: Analyzing real time linear control systems using software verification. In: IEEE Real-Time Systems Symposium, pp. 216–226, December 2015Google Scholar
11.
Fadali, S., Visioli, A.: Digital Control Engineering: Analysis and Design. Electronics & Electrical. Elsevier/Academic Press, Amsterdam/Cambridge (2009)Google Scholar
12.
Fialho, I.J., Georgiou, T.T.: On stability and performance of sampled-data systems subject to wordlength constraint. IEEE Trans. Autom. Control 39(12), 2476–2481 (1994)MathSciNetCrossRefzbMATHGoogle Scholar
13.
Franklin, G., Powell, D., Emami-Naeini, A.: Feedback Control of Dynamic Systems, 7th edn. Pearson, Upper Saddle River (2015)zbMATHGoogle Scholar
14.
Frehse, G., et al.: SpaceEx: scalable verification of hybrid systems. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 379–395. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-22110-1_30 CrossRefGoogle Scholar
15.
Horn, R.A., Johnson, C.: Matrix Analysis. Cambridge University Press, Cambridge (1990)Google Scholar
16.
Itzhaky, S., Gulwani, S., Immerman, N., Sagiv, M.: A simple inductive synthesis methodology and its applications. In: OOPSLA, pp. 36–46. ACM (2010)Google Scholar
17.
Kroening, D., Strichman, O.: Efficient computation of recurrence diameters. In: Zuck, L.D., Attie, P.C., Cortesi, A., Mukhopadhyay, S. (eds.) VMCAI 2003. LNCS, vol. 2575, pp. 298–309. Springer, Heidelberg (2003). doi: 10.1007/3-540-36384-X_24 CrossRefGoogle Scholar
18.
Li, G.: On pole and zero sensitivity of linear systems. IEEE Trans. Circuits Syst.-I: Fundam. Theory Appl. 44(7), 583–590 (1997)Google Scholar
19.
Liberzon, D.: Hybrid feedback stabilization of systems with quantized signals. Automatica 39(9), 1543–1554 (2003)MathSciNetCrossRefzbMATHGoogle Scholar
20.
Liu, J., Ozay, N.: Finite abstractions with robustness margins for temporal logic-based control synthesis. Nonlinear Anal.: Hybrid Syst. 22, 1–15 (2016)MathSciNetzbMATHGoogle Scholar
21.
Mazo, M., Davitian, A., Tabuada, P.: PESSOA: a tool for embedded controller synthesis. In: Touili, T., Cook, B., Jackson, P. (eds.) CAV 2010. LNCS, vol. 6174, pp. 566–569. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-14295-6_49 CrossRefGoogle Scholar
22.
Moore, R.E.: Interval Analysis, vol. 4. Prentice-Hall, Englewood Cliffs (1966)Google Scholar
23.
Oliveira, V.A., Costa, E.F., Vargas, J.B.: Digital implementation of a magnetic suspension control system for laboratory experiments. IEEE Trans. Educ. 42(4), 315–322 (1999)CrossRefGoogle Scholar
24.
Oudjida, A.K., Chaillet, N., Liacha, A., Berrandjia, M.L., Hamerlain, M.: Design of high-speed and low-power finite-word-length PID controllers. Control Theory Technol. 12(1), 68–83 (2014)MathSciNetCrossRefGoogle Scholar
25.
Park, J., Pajic, M., Lee, I., Sokolsky, O.: Scalable verification of linear controller software. In: Chechik, M., Raskin, J.-F. (eds.) TACAS 2016. LNCS, vol. 9636, pp. 662–679. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-49674-9_43 CrossRefGoogle Scholar
26.
Picasso, B., Bicchi, A.: Stabilization of LTI systems with quantized state - quantized input static feedback. In: Maler, O., Pnueli, A. (eds.) HSCC 2003. LNCS, vol. 2623, pp. 405–416. Springer, Heidelberg (2003). doi: 10.1007/3-540-36580-X_30 CrossRefGoogle Scholar
27.
Ravanbakhsh, H., Sankaranarayanan, S.: Counter-example guided synthesis of control Lyapunov functions for switched systems. In: Conference on Decision and Control (CDC), pp. 4232–4239 (2015)Google Scholar
28.
Ravanbakhsh, H., Sankaranarayanan, S.: Robust controller synthesis of switched systems using counterexample guided framework. In: EMSOFT, pp. 8:1–8:10. ACM (2016)Google Scholar
29.
Roux, P., Jobredeaux, R., Garoche, P.: Closed loop analysis of control command software. In: HSCC, pp. 108–117. ACM (2015)Google Scholar
30.
Solar-Lezama, A., Tancau, L., Bodík, R., Seshia, S.A., Saraswat, V.A.: Combinatorial sketching for finite programs. In: ASPLOS, pp. 404–415. ACM (2006)Google Scholar
31.
Tan, R.H.G., Hoo, L.Y.H.: DC-DC converter modeling and simulation using state space approach. In: IEEE Conference on Energy Conversion, CENCON, pp. 42–47, October 2015Google Scholar
32.
Wang, T.E., Garoche, P., Roux, P., Jobredeaux, R., Feron, E.: Formal analysis of robustness at model and code level. In: HSCC, pp. 125–134. ACM (2016)Google Scholar
33.
Wu, J., Li, G., Chen, S., Chu, J.: Robust finite word length controller design. Automatica 45(12), 2850–2856 (2009)MathSciNetCrossRefzbMATHGoogle Scholar
34.
Zamani, M., Mazo, M., Abate, A.: Finite abstractions of networked control systems. In: IEEE CDC, pp. 95–100 (2014)Google Scholar

Copyright information

Authors and Affiliations

Alessandro Abate
- 1
Iury Bessa
- 2
Dario Cattaruzza
- 1
Lucas Cordeiro
- 1
- 2
Email author
Cristina David
- 1
Pascal Kesseli
- 1
Daniel Kroening
- 1
Elizabeth Polgreen
- 1

1.University of OxfordOxfordUK
2.Federal University of AmazonasManausBrazil

Automated Formal Synthesis of Digital Controllers for State-Space Physical Plants

Abstract

References

Copyright information

Authors and Affiliations

Personalised recommendations

Cite paper