5.1 Design Space Exploration: Case Study

5.1.4 Distributed Synthesis

Given a global specification and a system composed of subsystems, distributed synthesis proceeds by first finding local specifications for each subsystem, and then synthesizing local controllers for these subsystems separately. If the local specifications satisfy certain conditions, it can be shown that the local controllers realizing these local specifications can be implemented together and the overall system is guaranteed to satisfy the global specification, as detailed in [67]. We describe below a special case of distributed architecture, i.e. a serial interconnection of controllers, which is used in the design in Section5.1.4.1 to synthesize controllers for AC and DC subsystems separately.

Theorem 5.1.1 Given

• a system characterized by a set S = P∪E of variables, where P and E are disjoint sets of controllable and environment variables,

• its two subsystems with variables S1=P1∪E1 andS2 =P2∪E2, where for eachi∈ {1,2}, Pi andEi are disjoint sets of controllable and environment variables for thei^thsubsystem, P1

andP₂ are disjoint, and P =P₁∪P₂,

• a set I of pairs of variables representing the interconnection structure, that is, for a serial interconnection, I = {(o₁, i₂)|o₁ ∈ O₁ ⊆ (P₁∪E₁), i₂ ∈ I₂ ⊆ E₂}, where for all (o, i) ∈ I, o=i,

• a global specification ϕe →ϕs, and two local specifications ϕe₁ →ϕs₁ andϕe₂ →ϕs₂, where ϕe,ϕe₁,ϕe₂,ϕs,ϕs₁, andϕs₂ are LTL formulas containing variables only from their respective sets of environment variablesE,E1,E2 and system variablesS,S1,S2;

if the following conditions hold:

1. any behavior that satisfiesϕ_e also satisfies (ϕ_e1∧ϕ_e2), 2. any behavior that satisfies (ϕ_s1∧ϕ_s2) also satisfiesϕ_s,

3. there exist two controllers that make the local specifications (ϕe₁ →ϕs₁) and (ϕe₂ →ϕs₂) true with ϕe₁ andϕe₂ both true;

then, implementing the two controller together leads to a controller that satisfies the global specifica- tionϕe→ϕs.

Proof: The conditions onP,P₁,P₂ ensure that the two controllers are composable, i.e. they do not try to control the same output (controllable) variables. We first define the following sets of behaviors in terms of assumptions and guarantees:

A={σ:σ|=ϕe}; Ai={σ:σ|=ϕe_i};

G={σ:σ|=ϕ_s}; G_i ={σ:σ|=ϕ_si}.

Let S = (A, G∪ ¬A) be the contract for the global specification and S1 = (A1, G1 ∪ ¬A1), S2 = (A2, G2∪ ¬A2) be the ones for the local specifications, all in saturated form. Since any implementations ofS1andS2are composable, contract composition using equations (5.1) and (5.2) is well defined.

We first prove that

S1⊗ S2 S,

i.e., S1⊗ S2 = (A₁₂, G₁₂)refinesS. By the definition of refinement, this amounts to showing that G₁₂⊆G∪ ¬AandA₁₂⊇A. We obtain

G12= (G1∪ ¬A1)∩(G2∪ ¬A2)

= (G₁∩G₂)∪(G₁∩ ¬A2)∪(¬A1∩G₂)∪(¬A1∩ ¬A2)

⊆G∪ ¬A2∪ ¬A1 (5.4)

=G∪ ¬(A₁∩A₂)⊆G∪ ¬A,

where we have used that (G1∩G2) ⊆ G by condition 2 in the theorem statement, and ¬A ⊇

¬(A1∩A2)(or, equivalently,A⊆(A1∩A2)) by condition 1. Moreover

A12=A1∩A2∪ ¬G12

=A1∩A2∪ ¬(G1∪ ¬A1)∪ ¬(G2∪ ¬A2)

=A₁∩A₂∪(¬G1∩A₁)∪(¬G2∩A₂) (5.5)

⊇A1∩A2⊇A

by condition 1. Equations (5.4) and (5.5) allow us to conclude that S1⊗ S2 refines S, hence any implementations ofS1andS2 satisfy the global specification.

However, for the composite contract to be well defined, we must also show that S₁ ⊗ S₂ is compatible, i.e. there exists an environment that satisfies the composite contract or, equivalently, A12={σ|σ|=ϕA₁₂}is not empty, where

ϕA₁₂ = (ϕe1∧ϕe2)∨(ϕe1∧ ¬ϕs1)∨(ϕe2∧ ¬ϕs2). (5.6)

By condition 3, there exist behaviors that make the second and third term of the above disjunction false and the first term true. Therefore,ϕA₁₂ is satisfiable andS1⊗ S2 is compatible.

There are two sources of conservatism in distributed synthesis. The first one is due to the fact that local controllers have only local information. Therefore, even if there exists a centralized controller that realizes a global specification, there may not exist local controllers that do so. This is an inherent problem and can only be addressed by modifying the control architecture (e.g., by changing the mapping of controlled variables to controllers, by introducing new sensors, or by modifying the information flow between local controllers).

The second source of conservatism is rather computational. Even when local controllers that realize the global specification exist, it might be difficult to find them (e.g., see [71] for some un- decidability results). We note that the conditions provided in Theorem 5.1.1 are only sufficient conditions. The choices ofϕej andϕsj forj∈ {1,2}plays a role in the level of conservatism. Hence, when conditions 1 and 2 are satisfied but condition 3 is not satisfied, one can gradually refine the local specifications.

5.1.4.1 Results

For the single-line diagram in Fig. 5.3, the distributed control synthesis problem can be solved by splitting the topology into two subsystems S1 and S2. The sets ES1, SS1, and ES2, SS2 con- tain all environment and system variables for subsystems S1 and S2, respectively. E_S1 is com- posed of generators LG1, AP U1 and RG1. S_S1 contains AC buses LB2, RB2, and contactors C_LG1,LB2, C_{AP U1,LB2}, C_RG1,RB2, C_LB2,RB2. E_S2 is composed of rectifiersLR2, RR2and AC buses LB2, RB2, whileS_S2 contains DC busesLD2, RD1and contactorsCLR2,LD2, CRR2,RD1,CLD2,RD1. We assume the link between AC buses and rectifier units is a solid wire.

The environment assumption ϕeS1 for subsystem S1 enforces that at least one generator will always remain healthy. Environment assumption ϕeS2 enforces that at least one rectifier unit will always remain healthy. In addition, it also assumes that both AC buses will always be powered. This is an additional guaranteeS1 must provide toS2 for the distributed synthesis problem to become

Table 5.6: Topology Reliability Topology No. Comp. Reliability

1 9 2×10⁻⁴

2 9 4×10⁻⁸

3 9 4×10⁻⁸

4 13 2×10⁻¹⁴

realizable. All other specifications remain the same as the centralized control problem.

The synthesized controllers for S1 and S2 contains 4 and 8 states, respectively. Each controller has a computation time of approximately 0.5 seconds on a Powerbook 2.2 GHz Intel Core Processor.

5.1.4.2 Reliability Results

Consider again an electric power system topology in which generators, APUs, and rectifier units may fail with a probability of 10⁻⁵,10⁻⁵, and 2×10⁻⁴, respectively. The environment assumption is designed based on the overall aircraft reliability level. For different topologies, however, the synthesis problem may still be realizable for higher reliability levels. If the synthesis problem is realizable for all possible failure conditions that occur with probability greater than10^−xper hour (which can then be converted to allowable environment behaviors), then the controlled system’s failure rate would be less than10^−xper hour. For the topologies shown in Fig. 5.2and5.3, we perform a line-search onxto determine the highest reliability level for which the synthesis problem is still realizable, with the specification that all DC loads must always be powered. Table5.6lists these levels alongside the number of components within each topology. Note that reliability level increases as the number of edges in the topology increase, which corresponds to the number of paths that exist to continuously power DC loads.