3.6 Results

3.6.2 Distributed Control Architecture

In this section we describe the results for a distributed control structure based on the refinement tech- nique discussed in Section2.4. More specifically, we decompose the centralized electric power system topology into two smaller subsystems and synthesize two local controllers. When implemented to- gether, these controllers are guaranteed to be correct with respect to the global specification. The physical decomposition of the electric power system is shown in Figure 3.6. Let SYS₁ represent subsystem on the left, andSYS₂the subsystem on the right. The environment and system variables for the two subsystems are denoted bye1, s1, e2ands2, respectively.

We now present results for two types of distributed control architectures: master/slave and bi-directional.

Master/Slave Control Architecture: For a master/slave architecture, power flow between the decomposed systems is controlled by one side, and unidirectional only. For the decomposition

B_3! B_4!

C_4! C7!

C_5! C6!

B_1! B2!

G_L!

C_1! C_2!

C3!

A_L! AR! G_R!

SYS1! SYS_2!

Health Status !

(of SYS1 generators)!

Power_!

Figure 3.6: A distributed controller decomposition for the electric power system. Components enclosed within the dashed rectangles are controlled by their own respective controllers. The dashed arrow represents information flow, in the form of a health status variable, directed from SYS₁ to SYS₂. The solid arrow represents the physical transfer of power fromSYS₂to SYS₁.

shown in Figure 3.6, subsystem SYS₂ is the “master” and can control the supply of power that can flow via contactor C₄. Subsystem SYS₁ is the “slave” and can only receive power whenSYS₂ provides it. We decompose the global environment assumption, in which at least one power source must remain healthy at each step, such that

ϕe₂ =(g3= 1∨g4= 1), ϕ_e1=(true).

The specification forϕe₁ states that there are no restrictions on the behavior ofϕe₁. The assumption placed onϕe₂ ensures that for any executionσ∈Σ, the controller forSYS2is able to supply power to SYS1 at any step. Health status information for g1 and g2 are sent to the SYS2 via a health status variableH1. The variable is set to0if neither source is healthy, and is set of1if eitherg1 or g2 is healthy so thatϕe₂ can assume knowledge about the health status of the left side.

In order for the master/slave distributed synthesis problem to become realizable, additional assumptions and guarantees (i.e., interface refinements) need to be implemented. It is not enough for generatorsG₃andG₄to be able to generate power at all steps. The controller forSYS₂must also be able to guarantee that power can be delivered to SYS₁. Thus, we introduce φ₂ as a guarantee for controller SYS2, and denote φ⁰₂ as an assumption for controller SYS1. Because the master subsystem controls the flow of power, a single-sided refinement is sufficient for the design problem to be realizable, and we can setφ1 =true. The additional specification φ2 imposes conditions on contactor statusc4and bus statusb3(the components nearest to the interface of SYS2andSYS1).

These specifications are of the following form: BusB₃ is never unpowered for a pre-specified period of timeT. Essentially,B₃becomes a safety-critical bus, and we introduce a variable t₃ that is used as a counter to monitor the power status

{(b3= 0)→(#t3=t3+ 1)} ∧ {(b3= 1)→(#t3= 0)} ∧ {t3≤T}.

If health status H₁= 0, i.e., bothG₁ andG₂ are unhealthy, then, whenever B₃ is powered, C₄ will close

{((H1= 0)∧(B3= 1))→( ˜c4=−1)}.

A similar modification is made for the case when power flows fromSYS1toSYS2(andSYS2still remains master). In both of the cases discussed in the master/slave architecture, all other specifi- cations remain the same as those discussed from Section3.3and decomposed with their respective components. Simulation results are comparable to those for the centralized controller, shown in Figure3.5, and thus omitted.

Decentralized Control Architecture: Consider again the physical decomposition shown in Figure3.6, where power is allowed to flow from either subsystem to the other. The physical actuation of contactor C4 is still controlled by the right side. The environment variables for SYS1 include G1, G2, and C4, while environment variables for SYS2 contain G3, G4, B2, and H1. Note that this differs from the master/slave control architecture with the necessary addition of B2 as an environment variable to allow for power to flow in two directions.

The case where there is power flow between SYS1 and SYS2 corresponds to an interconnection where part of the output of each system acts as an environment variable for the other, i.e., both φ₁ andφ₂ are non-trivial. In order to ensure that the interconnection is well-posed, i.e., the inter- connected system avoids deadlock, environment variables should be partitioned into external and feedback parts. For subsystemSYS₁, external environment variables areg₁ and g₂, while the feed- back environment is contactor C4. In order for the system to be well-posed, decisions made by the controller forSYS1at steptmust use the value ofC4at the previous stept−1. A deadlock situation can occur between subsystems if this time shift is not accounted for, where each subsystem waits on an action from the other subsystem before it can make a move. See [67] for further discussion.

Due to the issue of well-posedness in the decentralized controller architecture, additional speci- fications are introduced in order to make the problem realizable. In order to successfully synthesize controllers for each subsystem, the following guarantees/assumptions are imposed.

• ForSYS₂, if neitherG₃ norG₄ is healthy, then busB₂is powered. This is written as

φr={g3= 1∨g4= 1∨b2= 1}.

• For SYS1, if neither G1 nor G2 is healthy, then power will be delivered throughC4. This is written as

φl={g1= 0∧g2= 0→(c4=−1)}.

Because power must be able to be delivered to both subsystems, safety-critical buses are moved to those buses nearest the interface, i.e., toB₂andB₃. In order to enforce well-posedness, specifications for the controller for SYS₁ involving C₄ are defined with additional next operators to implement a shift in time step. For the decentralized synthesis problem to be realizable, contactor delays are thus omitted in this problem formulation in order avoid conflicting specifications.

There are advantages and disadvantages in synthesizing controllers for a centralized versus dis- tributed architectures. A centralized controller has complete knowledge of all components’ statuses.

It can anticipate the behavior of the entire environment, and thus control protocols can be less con- servative (e.g. longer delays in contactor closing/opening times). For large-scale systems, though, a less-conservative controller comes at the cost of computational complexity. Distributed synthesis can be solved using less memory (due to the smaller number of components) and are thus more scalable to larger problems. However, due to lack of full information between subsystems, additional refine- ments are required at the interfaces. These refinements involve a more conservative contactor and bus configuration, (e.g, buses at the interface need to be powered more often). This is easily imple- mentable for a master/slave architecture in which only a single-sided refinement is necessary. For the bi-directional distributed case in which refinementsϕ1andϕ2are needed, well-posedness conditions further restrict the system. Contactor delays are no longer possible, and additional specifications are imposed on all components along the interfaces.