Discussion

The obtained results show that the model checking approach allows to reason about the original system using the system abstraction and the timed-automata. The model checker returns a Pass/Fail answer to the query regarding the high level performance requirements.

Fig. 4.18 Closed loop response of the system abstraction and the scaled original system. Highlighted in red is the area where the over approximation and the original system fail to meet the overshoot requirement. The original system response is scaled for comparison purposes (using KS= 10, 000).

Depending on the result of the query either a witness trace or a counter-example trace is generated which in turn returns information regarding the Pass/Fail result. The posteri- ori cross-check verification with the original system shows that the system behaviour is bounded by the system abstraction consisting of the over approximation and the under approximation. This in turn shows how model checking results of over-approximations and under-approximationscombined can be used to infer properties of the original system, high level control performance requirements in this case.

The verification of the high level performance requirements fails because the overshoot requirement is not met. This is detected by the model checker in the over approximation where a value of 15.74% of overshoot is detected. Overshoot in the original system is 13.93% which also fails the requirement of maximum overshoot of 13%. Given the fact that the original system response is bounded by the system abstraction there can be cases

where a requirement is not met by the abstraction but indeed is met in the original system (e.g. a 14% maximum overshoot requirement in the previous case shows that). This is an important consideration related to the amount of parametric compensation and fixed-point representation. Nonetheless, if the abstraction meets requirements then the original system also meets requirements.

High level performance requirements are translated into a CTL formula so the model checker can understand them, which removes uncertainty and possible ambiguity during a typical verification and validation phase. So far, the exhaustive verification capabilities of the model checker have not been used because the control system as portrayed in the current automata framework does not include non-deterministic behaviour. Nonetheless it has been demonstrated that the approach is suitable to formally verify control system high level performance requirements using a model checker.

The proposed formal verification methodology presented in this chapter in combination with the abstraction methodology presented in Chapter 3 allow to address the controller design problem from a model checking point of view, which in turn will aid in the gain scheduling design problem (Chapter 6). The following chapter addresses the discrete PID- type controller tuning problem from a model checking point of view. The controller structure is presented in detail and how to digitize the controller transfer function is explained. This is necessary in order to perform the tuning process in the model checker, operating directly over controller gains. The automata presented in this chapter need to be updated to enable these capabilities of controller tuning. Using the updated automata an algorithm to systematically use the model checker in order to find a set of gains is presented: If the current controller tuning does not drive the system to meet requirements, the model checker can explore different tuning configurations in order to find if there exists a valid set of controller gains which drive the system into meeting requirements.

Digital PID Controller Formal Design

5.1

Overview

The gain schedule control design and verification problem is the main focus of this thesis. In order to address the problem in its entirety the problem was broken down into individual problems which in turn are interconnected and have a dependency relationship. Providing a solution to each of these individual problems lays the foundations for the following problem.

A novel methodology to formally verify high level performance control requirements was presented in Chapter 4. A timed-automata framework was proposed to address the verification problem. The presented approach from Chapter 4 is designed to address the verification problem only. The controller structure is known and if modifications to the controller are needed in order to drive the system into meeting requirements, they must be performed outside the model checking environment. In order to provide a full formal solution to the gain scheduling design problem, the controller tuning problem must also be addressed in a formal manner.

By exploiting the model checking capabilities to perform exhaustive search within a defined operating space, the controller tuning problem can be formulated as a reachabil- ity/safety problem in a similar fashion to the performance requirements verification in Chapter 4. By augmenting the proposed timed-automata (Section 4.3) the PID-type controller gains can be tuned in order to drive the system to meet control performance requirements. In this way, performance requirements become a direct input for the model checker in a correct-by- construction fashion to find a possible solution to the problem. By addressing the tuning problem from a model checking perspective, a push-button approach is taken to perform the design and verification of the controller, providing a systematic way to tune the controller with minimum intervention from the user.

The process by which controller parameters are selected in order to meet certain require- ments criteria (e.g. stability, performance) is called controller tuning. For a single variable feedback control loop there are many methods for control design and tuning. Among the most popular methods are [121, 167]:

1. Root locus pole placement.

2. Lead-lag compensation.

3. Ziegler-Nichols.

The first two methods are frequency domain approaches where the controller structure is constructed by shaping the closed-loop poles of the system. They rely on a model of the plant to be controlled. The Ziegler-Nichols method can be used with either a model of the plant or with an experimentally derived time-response of the system. This method is aimed at PID-type controllers (known structure). The Ziegler-Nichols rules provide a good guess for the controller parameters to make the closed loop system stable but in no way takes into account performance requirements [121, 167]. The usual approach is to generate a first set of controller gains and then a series of fine tunings are performed to the gains until requirements are met rather than generating the final set of gains in one attempt [121, 167]. In this chapter, a novel formal controller tuning methodology is proposed. From an initial controller tuning (e.g. such as one provided by the Ziegler-Nichols method) the fine-tuning procedure is addressed from a model checking point of view as a reachability and safety problem synthesising a controller which meets performance requirements.

This chapter is structured as follows: Section 5.2 presents the tuning problem formulation. Section 5.3 presents the updated timed-automata and the controller synthesis methodology. Finally, Section 5.4 presents a case study to demonstrate the applicability of the approach to formally synthesize a PID-type controller.