First and foremost thanks to Ufuk Topcu and Necmiya Ozay, who were fantastic mentors. Special thanks to everyone at MCE and CMS for their support and friendship, including Cheryl Geer, Chris Silva, and Maria Koeper.
Motivation
The move toward more electric aircraft increases efficiency by reducing the power that the engines would otherwise have to supply to drive hydraulic and pneumatic components. Figure 1.1 compares a traditional aircraft power generation and distribution system with a more electric aircraft system.
Overview and Related Work
Formal Methods, Verification, and Synthesis
Past work in the avionics field has focused on aircraft performance analysis and power optimization using modeling libraries and simulations [91,94]. This has led to a greater emphasis on the use of formal methods to assist in the assurance and certification of performance.
Specification and Requirements Capture
Although the use of formal specification languages and correct-by-construction synthesis methods is beneficial in the field of controller design, unfamiliarity with formal methods among engineers can present a challenge to their widespread adoption. Examples of languages used in the context of cyber-physical systems can be found in [4] and [13].
Design Space Exploration and State Estimation
Domain-specific languages have been proposed as a way to connect industrial engineers who have domain knowledge with the methods and tools used by computer scientists and software engineers. While general-purpose languages (e.g., C or Java) may offer broader programming capabilities, domain-specific languages (e.g., HTML or Verilog) provide more expressiveness and ease of use within a given domain [59].
Outline and Contributions
System Components
Depending on the power status of generators and buses, contactors can reconfigure, i.e. switch between open and closed. Contactors control the reconfiguration of the electrical power system topology, changing the paths along which power is delivered from generators to loads depending on the contingencies.
System Description
Four high-voltage rectifier units (HVRUs), which convert alternating current to direct current, are selectively connected to the four high-voltage AC buses. These essential buses are also selectively connected to two emergency low-voltage AC generators in the event of a failure on the HVAC side.
Temporal Logic
Linear Temporal Logic
High voltage AC Bus 2 and Bus 3 are also selectively connected to a set of transformers (marked as XFMR on the single line diagram) which convert high voltage AC power to low voltage AC power. The low voltage AC system is depicted in the two panels in Figure 2.1 just below the high voltage AC panels.
Other Temporal Logics
Reactive Synthesis
From state 1, if the environment sets both GL and GR to 0, then the automaton goes to state 2 and the system variables C1 and C6 become 0. If the environment triggers the transition from state 1 to state 3, then the system sets C1 = 1 and C6 = 0.
Distributed Synthesis
The first is the size of the state space involved in local synthesis problems. If the possible values of the variables included in the local specification are significantly smaller than the possible values of the variables in the global specification, then.
Specifications for Aircraft Electric Power Systems
In practice, these reliability specifications define the combination of simultaneous errors that must be accounted for by the control protocol. A power system must still be able to meet its safety specifications given any combination of faults leading to the default level.
Formal Specifications For Aircraft Electric Power Systems
No two contactors feeding the same bus may be closed (sending power into that bus) at the same time. For each safety-critical bus B ∈ Bs, these specifications can be written as follows.
Capturing Actuation Delays
If the contactor command is open and the contactor state is closed, the contactor will open within [Tomin, Tomax] time units unless a close command is issued before it opens. When the control command is equal to the state of the contactor, the state of the contactor remains the same, i.e.
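The two specifications above (no paralleling of sources on a safety-critical bus, and bounded open/close actuation delays) are easiest to see as checks over a discrete-time trace of contactor commands and states. The following added example, which is not code from the thesis or from TuLiP, implements both checks as runtime trace monitors; the topology (one bus B1 fed by contactors C1 and C2), the trace layout, and the delay bounds are assumptions constructed for illustration.

```python
"""Trace monitors for two aircraft EPS contactor specifications (constructed example).

A trace is a list of discrete-time steps; each step records the controller's
command and the physical state of every contactor (0 = open, 1 = closed).
"""

# Constructed topology: safety-critical bus B1 is fed through contactors C1 and C2.
BUS_SOURCES = {"B1": ["C1", "C2"]}


def step(c1_cmd, c2_cmd, c1_state, c2_state):
    """Build one trace step for the two-contactor topology."""
    return {"cmd": {"C1": c1_cmd, "C2": c2_cmd},
            "state": {"C1": c1_state, "C2": c2_state}}


# Constructed traces. At t=1 the controller orders C1 open and C2 closed
# (e.g. after the source behind C1 becomes unhealthy).
GOOD_TRACE = [step(1, 0, 1, 0),   # t=0: C1 closed, C2 open
              step(0, 1, 1, 0),   # t=1: new commands issued, states unchanged
              step(0, 1, 0, 0),   # t=2: C1 opened after 1 step
              step(0, 1, 0, 1),   # t=3: C2 closed after 2 steps
              step(0, 1, 0, 1)]   # t=4: steady

# Same commands, but C2 closes before C1 has opened: two sources paralleled at t=2.
BAD_TRACE = [step(1, 0, 1, 0),
             step(0, 1, 1, 0),
             step(0, 1, 1, 1),    # t=2: both closed on B1
             step(0, 1, 0, 1),
             step(0, 1, 0, 1)]

# C2 is commanded closed at t=1 but never closes: actuation-delay bound missed.
SLOW_TRACE = [step(1, 0, 1, 0),
              step(0, 1, 1, 0),
              step(0, 1, 0, 0),
              step(0, 1, 0, 0),
              step(0, 1, 0, 0)]


def check_no_paralleling(trace, bus_sources=BUS_SOURCES):
    """Return (step, bus, closed contactors) for every step in which two or more
    contactors feeding the same bus are closed simultaneously."""
    violations = []
    for t, s in enumerate(trace):
        for bus, contactors in bus_sources.items():
            closed = tuple(c for c in contactors if s["state"][c] == 1)
            if len(closed) >= 2:
                violations.append((t, bus, closed))
    return violations


def check_actuation_delays(trace, contactor, t_min, t_max):
    """Check the actuation-delay specification for one contactor:
    - if command == state, the state must not change at the next step;
    - if command != state, the state must switch within [t_min, t_max] steps of the
      command first differing, unless the command is reverted before the switch.
    Returns a list of (step, contactor, reason) violations."""
    violations = []
    pending = None  # step at which the current differing command was first seen
    for t in range(len(trace) - 1):
        cmd = trace[t]["cmd"][contactor]
        state = trace[t]["state"][contactor]
        nxt = trace[t + 1]["state"][contactor]
        if cmd == state:
            pending = None  # a reverted command cancels the pending switch
            if nxt != state:
                violations.append((t + 1, contactor, "state changed without command"))
            continue
        if pending is None:
            pending = t
        elapsed = t + 1 - pending
        if nxt == cmd:
            if elapsed < t_min:
                violations.append((t + 1, contactor, f"switched after {elapsed} < t_min={t_min}"))
            pending = None
        elif elapsed >= t_max:
            violations.append((t + 1, contactor, f"not switched within t_max={t_max}"))
            pending = None  # report each missed deadline once
    return violations


def check_trace(trace, t_min=1, t_max=2):
    """Run both monitors over a trace; returns a dict of violation lists."""
    delays = []
    for c in sorted({c for s in BUS_SOURCES.values() for c in s}):
        delays += check_actuation_delays(trace, c, t_min, t_max)
    return {"paralleling": check_no_paralleling(trace), "delays": delays}


if __name__ == "__main__":
    for name, tr in (("good", GOOD_TRACE), ("bad", BAD_TRACE), ("slow", SLOW_TRACE)):
        print(name, check_trace(tr))
```

In a real design the bounds Tomin and Tomax come from the contactor's measured open/close times, and the same monitor can be run against a hardware-in-the-loop log to confirm that a synthesized controller's assumptions about actuation delay hold on the physical system.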
Case Study
Variables
Again, component variables and status variables are distinguished by case, e.g. the first generator is represented by G1, while its health state is denoted by g1. Controlled variables: statuses c1, c2, c5, c6 of the contactors that connect the generators to the buses; each value can be open (0) or closed (1).
Specifications
The health statuses of all four sources g1, g2, g3 and g4 can have the values healthy (1) and unhealthy (0). 2 and B1 ∈ N1(B2), if bus B1 is energized and contactor C1 is closed with power flowing to side 1, B2 will be energized.
Results
Centralized Controller Design
Once the environment acts, the system responds and the automaton moves to its next state. Thus, as long as the environment meets its assumptions, the system will meet its specifications.
Distributed Control Architecture
In order to make the distributed master/slave synthesis problem feasible, additional assumptions and guarantees (i.e., interface refinements) must be introduced. To ensure that the interconnection is well-posed, i.e., that the interconnected system avoids deadlock, the environment variables must be separated into external and return parts.
Timing Benchmarks
Thus, the second column shows the total time that the core bus can be without power. However, as soon as the number of clocks used increases to 3, the computation time jumps several orders of magnitude.
Conclusions
The development of a domain-specific language provides an easy interface between industrial engineers with knowledge of aircraft systems and the methods/tools used by computer scientists and software engineers. In this chapter, we describe a domain-specific language for aircraft electrical power systems as well as an automatic specification generator available in TuLiP.
Input Files
Each component has a name attribute and a failure probability, that is, the probability that the component fails over a given number of operational hours. The third input is a set of primitives used to represent the high-level requirements that specify the desired behavior of the system.
Specifications and Primitives
In addition, contactors have open time and close time characteristics, which indicate the time it takes to physically open or close the contactor.
Tool Integration
Untimed: SAT Solver (Yices)
In general, define Xij to be the set of all paths between two components Xi and Xj. From the above set of specifications, Yices solves a satisfiability problem and defines the configuration for all contactors, for each environment configuration.
Timed: TuLiP
Let xi,j represent the set of components along a path between generators pi, pj, for pi, pj ∈ G and i ≠ j. Let xi,b denote the set of all components (i.e. contactors and buses) along a path between bus b and the environment variable pi for i ∈ I, excluding b and pi.
Benchmarks
Given the set of automatically generated specifications, Table 4.2 compares the time it takes Yices and TuLiP to solve/synthesize a controller for a given topology. While the number of environment configurations is large, generating all other primitives takes only 10 seconds.
Broadening the Domain-Specific Language
- Exceptions and Nominal Cases
- Primitives
- Sequence Diagrams
- Live Sequence Charts
- Live Sequence Chart Semantics
- LTL-Live Sequence Chart Semantics
- Superstep Requirements
- Environment Assumptions
- System Guarantees
- Live Sequence Chart Example

The live sequence chart to temporal logic conversion can be shown to generate a formula that is at most quadratic in the size of the chart. Figure 4.8 is a generic example of an assume-guarantee live sequence chart for the system topology depicted in Figure 4.5 (with 2 base topology units).
Timed Temporal Logics
Timed Specifications
- Protector
- Supervisor
- UPPAAL-TIGA

For the protector LRU, the voltage level v is an environment variable and can take the values bt (below threshold) and at (above threshold). Figure 4.10 shows the protector finite-state automata used for the timed synthesis tool UPPAAL-TIGA, which include two processes: Voltage and Fault.
Discrete-Time LTL
- Protector
- Supervisor

If the contactor status is the same as the contactor command, the contactor status in the next step must not change. If the contactor command is set to close, the contactor status must become closed within [Cmin, Cmax] time units.
Conclusions
Components
Examples of non-functional maps include the performance model, the calculation of a set of performance figures by solving the behavioral model, or the reliability model, which provides the failure probability of a component. Given a set of components at level l, a system can then be assembled by parallel assembly and represented as a new component at level l+1.
Contracts
Contract coherence can be calculated by defining a partial order of contracts, which formalizes a notion of refinement. Conjunction can be used to calculate the total contract for a component based on the contracts related to multiple views (concerns, requirements) in a design.
Signal Temporal Logic
Syntactically, a PSTL formula is an STL formula in which numerical constants, either in the constraints given by the predicates µ or in the time intervals of the temporal operators, can be replaced by symbolic parameters. An STL formula is obtained by pairing a PSTL formula with a valuation function that assigns a value to each symbolic parameter.
Design Space Exploration: Case Study
- Electric Power System
- Topology Synthesis
- Control Synthesis
- Distributed Synthesis
- Results
- Reliability Results
- Real-Time Performance

The synthesized topology serves as a specification for the next step of control design. b) The original high-level power system specifications are translated into LTL formulas for. In Figures 5.3(a) and (b), horizontal connections between the DC buses and AC buses on the left and right sides of the system have been added.
Hardware Testbed
- Testbed Specifications
- Implementing Formal Specifications
- Design and Implementation
- Generation and Circuit Protection
- Sensing

We assume that the time a generator stays healthy is not arbitrarily short, so that the time an AC bus is energized (i.e. the time between two intervals during which the AC bus is de-energized) is long enough to charge the capacitors on the rectifier units. A few lines of auto-generated code corresponding to this controller are shown in Figure 5.9.
Experiments
Testbed Characteristics
The time TI in equation (5.8) is negligible compared to andRe, so the time taken to read the health state from an environment variable can be approximated as c0/4.
Controller Tests
The first vertical line indicates a fault, the second vertical line is when the regulator reacts, and the third line is when the generator restarts. The measured bus de-energized times are listed in Table 5.8, which shows a maximum value of Tmax = 414.9 ms.
Conclusions
This chapter investigates the design problem of state estimation based on sensor placement for a given power system topology. Previous work in state estimation of electrical power systems has focused on static, centralized, continuous state estimation problems.
Problem Setup
General Problem Description
Equipping the system with a large number of sensors is an expensive and therefore undesirable way to achieve accurate state estimation. On top of the circuit and sensing topology sits a distributed control architecture with a dynamic state estimation mechanism.
Mathematical Formulation
The overall goal is to design a strategy that the fault-detection controller follows to adaptively estimate the discrete state of the circuit by taking "actions" (i.e., closing and opening the controllable contactors) and then reading the voltage sensor measurements. We denote by V(π, x̃0) ⊆ V the set of all actions performed according to strategy π when the state of the system is x̃0.
Strategy
Greedy strategy
Performance Guarantees
Implementation
Implementation Details
Model Reduction Via Abstraction
Examples
Small Circuit Tests
- Average Execution Time
- Average Remaining States

As shown in Figure 6.3, the greedy strategy with a horizon length of k = 6 works as well as the brute force strategy, i.e. the value of the objective function f at the end of 6 steps of the greedy strategy is the same as after 16 steps of the brute force strategy. Starting with 1600 possible states, the greedy strategy reduces the number of candidates to fewer than 20 states in all cases.
Large Circuit Tests
Using this performance measure to compare greedy and brute force strategies, we can see in Fig.
Background Results in Submodularity
Definitions
So f is adaptively submodular with respect to the distribution P[x] if for all ψt, ψt′ such that ψt is a subrealization of ψt′, and for all v ∈ V \ {v0,. The adaptive greedy algorithm, a generalization of the greedy algorithm [47], is a strategy that selects the action that maximizes the conditional expected marginal benefit given the outcomes of all previous actions.
Proofs
In particular, by setting k = l we see that the greedy strategy that chooses k items stepwise achieves at least (1 − 1/e) of the value of the optimal strategy that chooses k items stepwise. This expression of ∆(v|ψt) in terms of the variables τi is similar for the partial realization ψt′; the only difference is the set St, which enters the function b with a different value of the τi.
Conclusions and Future Work
Given a topology for an electric power system and a set of system requirements formalized in linear temporal logic, we automatically synthesized a control protocol for an electric power system in a more electric aircraft. Finally, we perform discrete state estimation using active control of switches within the power system in a distributed control architecture.
Future Work
To generate a correct-by-design controller for a given topology, we take advantage of reactive synthesis results from linear temporal logic specifications.