2.2 Literature Review
2.2.2 Controller Synthesis and Properties Generation
Over the last two decades the use of formal methods for the synthesis of logic-based controllers has increased. This approach is known as correct-by-design because the control algorithm is synthesized using a formal approach, with the requirements as a formal input. It is an appealing application of formal methods and model checking because it provides a new way of generating control schemes that inherits the advantages of the formal approach. Its use is mainly confined to research activities and academia, but the results obtained so far are promising and encourage the acceptance of this methodology in an industrial development framework [9]. In particular, when the synthesis problem under analysis can be cast as a scheduling scenario, the correct-by-design approach is popular [14, 17, 22, 31, 42, 81, 83, 95, 103, 105, 156].
Within model checking, linear-priced timed automata are the variant used to address the control problem with an optimization criterion as part of the formulation. An adversarial approach that solves a two-player game (e.g. the controller versus the environment) has been used for DPM controller synthesis in [77], and a probabilistic model checking approach to DPM is analysed in [142]. The two-player game approach to controller synthesis led to the UPPAAL-TiGa tool [11, 12], and linear-priced timed automata led to the UPPAAL-CORA tool [14], where the model checker is turned into an optimizing schedule solver. Adaptive scheduling strategies for the pipeline of a printer, an industrial case study, are generated using UPPAAL-TiGa in [2]. A power-grid relay controller was synthesized and verified using Linear Temporal Logic (LTL), Computation Tree Logic (CTL), and the model checker UPPAAL [60]. This case study is of significant size with respect to the problem it solves, showing promising results for UPPAAL as a working tool in industrial applications. Within the aerospace domain, power management for avionics has also been addressed by formal methods [163, 164]: given a set of power sources, buses, and contactors, the task is to find the best possible configuration that meets the safety and performance requirements. Controllers are synthesized and verified to comply with the given requirements. Another important aspect of this work is the comparison between centralized and distributed control architectures and how to cope with both while using formal methods, which matters given the trend towards DCS in the aerospace industry. Python was used to develop the in-house tool for this work, and UPPAAL is mentioned as a good option for future work [163, 164].
Regarding dynamic control systems, a design and verification framework was developed in [58] using theorem provers, rather than model checking, as the formal methods tool. In [40, 67] a control synthesis toolbox is presented that combines Matlab with the model checker UPPAAL to construct a set of control laws by solving a game abstraction as a reachability property in the model checker. In this example the system dynamics are abstracted as time-invariant properties so that the model checker can reason about them using clocks. In [65, 151, 152] the design of regulators for hybrid systems from requirements in the form of LTL formulae is explored. This work focuses on the stability and regulation of hybrid systems, providing a working framework in Matlab for the synthesis of symbolic controllers; the framework has also been applied to motion planning. In [159–161] a working framework for motion and trajectory planning is presented: the toolbox TuLiP, developed in Python, takes a subset of LTL describing the control specifications as input and generates a symbolic controller that is provably correct.
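The two-player game view of controller synthesis described above (controller versus environment, solved as a reachability problem) can be made concrete on a small scheduling arena. The following is an added illustration, not code from any of the cited tools: the controller picks which job to start next, the environment picks each job's actual duration within its known range, and the controller wins when every job meets its deadline. The winning region is computed as a controller attractor, and the strategy read off it is the synthesized schedule. The job set, durations and deadlines are constructed for this example.

```python
"""Correct-by-design schedule synthesis as a two-player reachability game.

Added example: the controller chooses which job to start next, the
environment chooses each job's actual duration within its known range, and
the controller wins when every job finishes within its deadline. The winning
region is computed as a controller attractor and a strategy (the schedule) is
read off it. Job data below are constructed for this illustration."""
from collections import deque

# Constructed job set: name -> (min_duration, max_duration, deadline).
# Job A has a tight deadline, so the order in which jobs start matters.
JOBS = {
    "A": (1, 2, 2),
    "B": (2, 3, 5),
}
MISS = "MISS"  # sink reached when a job finishes after its deadline
INITIAL = (0, frozenset(), None)  # (time, jobs done, job currently running)


def successors(state):
    """Return (owner, successor list). With no running job the controller
    picks the next job; otherwise the environment picks its duration."""
    if state == MISS:
        return "env", []  # dead end: a deadline was already missed
    time, done, running = state
    if running is None:
        remaining = [j for j in JOBS if j not in done]
        return "ctrl", [(time, done, j) for j in remaining]
    lo, hi, deadline = JOBS[running]
    succ = []
    for d in range(lo, hi + 1):
        finish = time + d
        succ.append(MISS if finish > deadline else (finish, done | {running}, None))
    return "env", succ


def explore(initial=INITIAL):
    """Build the finite arena reachable from the initial state (breadth-first)."""
    arena, queue = {}, deque([initial])
    while queue:
        s = queue.popleft()
        if s in arena:
            continue
        owner, succ = successors(s)
        arena[s] = (owner, succ)
        queue.extend(succ)
    return arena


def is_target(state):
    """Target: nothing running and every job done (deadlines were checked on the way)."""
    return state != MISS and state[2] is None and set(JOBS) <= state[1]


def solve_reachability(arena, targets):
    """Controller attractor of 'targets': states from which the controller can
    force a visit to a target whatever the environment does. A controller state
    is added when some successor is already in the attractor (that successor
    becomes its strategy choice); an environment state when all its successors
    are. Non-target dead ends such as MISS are never added."""
    attractor, strategy = set(targets), {}
    changed = True
    while changed:
        changed = False
        for s, (owner, succ) in arena.items():
            if s in attractor:
                continue
            if owner == "ctrl":
                good = [t for t in succ if t in attractor]
                if good:
                    strategy[s] = good[0]
                    attractor.add(s)
                    changed = True
            elif succ and all(t in attractor for t in succ):
                attractor.add(s)
                changed = True
    return attractor, strategy


def synthesize(initial=INITIAL):
    """Return (initial state is winning, winning region, controller strategy)."""
    arena = explore(initial)
    targets = {s for s in arena if is_target(s)}
    winning, strategy = solve_reachability(arena, targets)
    return initial in winning, winning, strategy


def schedule(strategy, initial=INITIAL):
    """Job start order produced by the strategy when the environment always
    picks the longest duration (the controller's worst case)."""
    order, s = [], initial
    while s in strategy:
        move = strategy[s]
        order.append(move[2])
        s = successors(move)[1][-1]  # last successor = maximal duration
    return order


if __name__ == "__main__":
    ok, winning, strategy = synthesize()
    print("initial state winning:", ok)
    print("synthesized schedule:", schedule(strategy))
    print("winning region size:", len(winning))
```

Starting job B first is not in the winning region: the environment can then stretch B to its maximal duration and job A misses its deadline, so the only strategy the solver returns starts A. A priced variant (as in UPPAAL-CORA) would additionally rank the winning strategies by cost; the attractor computation above is the un-priced core that the game-based tools build on.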
Another interesting area of research for formal methods is the automatic generation of properties. As mentioned at the beginning of this section, not only the model of the system has to be formal but also the language in which the properties are expressed. This means that high-level requirements have to be translated into a formal language, which is sometimes difficult; because this activity is mostly conducted by hand, relying on the expertise of the designer and end-user, it is also prone to human error. It is desirable to translate requirements in a solid and systematic manner to avoid errors in the translation into properties expressed in a formal language such as LTL or CTL. This has been explored in [146], applied to an aerospace case study, and in [164] a property generation algorithm is proposed.
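One way to make the translation systematic rather than hand-written is to let each requirement name a pattern and the propositions that fill it, and to keep the pattern-to-LTL mapping in one reviewed catalogue. The following is an added illustration of that idea and is not the property generation algorithm of [146] or [164]: the pattern catalogue, the requirements and the sample traces are constructed, and the finite-trace checker is included so that a generated property can be exercised on a concrete run before it is handed to a model checker.

```python
"""Systematic generation of LTL properties from structured requirements.

Added example, not the algorithm of any work cited in the text: each
requirement names a pattern and the propositions that fill it, a small
catalogue maps patterns to LTL syntax trees, and a finite-trace checker lets
the generated properties be exercised on sample traces. Patterns,
requirements and traces are constructed for the illustration."""

# LTL syntax-tree constructors (tuples: operator first, operands after).
def ap(name):        return ("ap", name)
def neg(f):          return ("not", f)
def conj(f, g):      return ("and", f, g)
def disj(f, g):      return ("or", f, g)
def implies(f, g):   return ("implies", f, g)
def always(f):       return ("G", f)
def eventually(f):   return ("F", f)
def until(f, g):     return ("U", f, g)

# Pattern catalogue (assumed here, in the spirit of specification-pattern
# catalogues): a pattern takes the requirement's named fields and returns an AST.
PATTERNS = {
    "absence":      lambda r: always(neg(ap(r["event"]))),
    "universality": lambda r: always(ap(r["state"])),
    "response":     lambda r: always(implies(ap(r["trigger"]),
                                             eventually(ap(r["response"])))),
    # the response may not occur before its cause (weak until)
    "precedence":   lambda r: disj(until(neg(ap(r["response"])), ap(r["cause"])),
                                   always(neg(ap(r["response"])))),
}


def generate(req):
    """Translate one structured requirement into an LTL AST; a missing pattern
    or field is reported instead of silently producing a wrong formula."""
    try:
        return PATTERNS[req["pattern"]](req)
    except KeyError as e:
        raise ValueError(f"requirement {req.get('id', '?')}: missing {e}") from None


def to_ltl(f):
    """Render an AST as textual LTL (G, F, X, U notation)."""
    op = f[0]
    if op == "ap":
        return f[1]
    if op == "not":
        return "!" + to_ltl(f[1])
    if op in ("G", "F", "X"):
        return f"{op} {to_ltl(f[1])}"
    sym = {"and": "&&", "or": "||", "implies": "->", "U": "U"}[op]
    return f"({to_ltl(f[1])} {sym} {to_ltl(f[2])})"


def holds(f, trace, i=0):
    """Finite-trace LTL semantics; trace is a list of sets of true propositions."""
    op, n = f[0], len(trace)
    if op == "ap":      return f[1] in trace[i]
    if op == "not":     return not holds(f[1], trace, i)
    if op == "and":     return holds(f[1], trace, i) and holds(f[2], trace, i)
    if op == "or":      return holds(f[1], trace, i) or holds(f[2], trace, i)
    if op == "implies": return not holds(f[1], trace, i) or holds(f[2], trace, i)
    if op == "X":       return i + 1 < n and holds(f[1], trace, i + 1)
    if op == "G":       return all(holds(f[1], trace, j) for j in range(i, n))
    if op == "F":       return any(holds(f[1], trace, j) for j in range(i, n))
    if op == "U":
        return any(holds(f[2], trace, j) and
                   all(holds(f[1], trace, k) for k in range(i, j))
                   for j in range(i, n))
    raise ValueError(f"unknown operator {op}")


# Constructed requirements for a request/serve component.
REQUIREMENTS = [
    {"id": "R1", "pattern": "response", "trigger": "request", "response": "served"},
    {"id": "R2", "pattern": "absence", "event": "overload"},
    {"id": "R3", "pattern": "precedence", "cause": "request", "response": "served"},
]

# Constructed sample traces: one satisfying all three, one violating all three.
TRACE_OK = [{"request"}, set(), {"served"}]
TRACE_BAD = [{"served"}, {"request"}, {"overload"}]


def check_all(requirements, trace):
    """Map requirement id -> whether its generated property holds on the trace."""
    return {r["id"]: holds(generate(r), trace) for r in requirements}


if __name__ == "__main__":
    for r in REQUIREMENTS:
        print(r["id"], "=>", to_ltl(generate(r)))
    print("ok trace :", check_all(REQUIREMENTS, TRACE_OK))
    print("bad trace:", check_all(REQUIREMENTS, TRACE_BAD))
```

The benefit is that a mistake in a pattern is made once, in the catalogue, where it is visible and testable, rather than repeated in every hand-written formula; rendering to a tool's concrete syntax (UPPAAL's `A[]`, for instance) is a separate printer over the same trees.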
The use of formal methods for controller design, V&V, and the automatic translation of high-level requirements into formal properties, all at the same time and for one particular problem, may seem ambitious at the moment. Nevertheless, in many cases the use of formal methods covers at least two of these activities, particularly the combination of controller design and V&V. Formal methods and model checking still need to address some weaknesses before becoming a standard development practice for software and hardware in every engineering field [16, 80, 143]. Particularly in the area of dynamic control systems for safety-critical applications, the state-space explosion is perhaps the main limitation, due to the nature of the processes under analysis and the data representation required to deal with them. The following subsection elaborates on this particular issue.