Lecture Notes - Hybrid Systems

Transcription

1 Thomas Bak, Roozbeh Izadi-Zamanabadi, with input from class Lecture Notes - Hybrid Systems October 7, 004 Aalborg University Department of Control Engineering Fredrik Bajers Vej 7C DK-90 Aalborg Denmark

2 Table of Contents. Introduction Background Models Analysis Techniques Synthesis Techniques Notes on Lecture Introduction to Hybrid Systems Traditional Control Supervision Hybrid Systems Examples Pendulum Manufacturing Machine Water Tank Notes from Lecture Model Checking and Transition Systems Transition Systems The Predecessor Operator Partitions and Bi-simulation Example: Finite State Machine Model Checking summary

3 4. Notes from Lecture Open Hybrid Automata Composition Example (Automatic Transmission) Notes on Lecture Modeling Notation Connectives in Boolean Algebra How to build up equations Mixed Logical Dynamical (MLD) Systems - An example General Form for MLD systems Round-off Piece-wise linear dynamic systems Notes for Lecture Recapitulation of Lecture Modelling and Control of Hybrid Systems Optimal Control of MLD system Matrix representation of MDL systems Soft Constraints and Constraints Priorities Predictive Control Strategy Implementation procedure Predictive Control of MLD systems A. Notation

4 . Introduction Most of the cost in today's control system development is spent on ad-hoc systems integration and engineers typically rely on exhaustive testing as a way of validating a design. Why do we spend so much time on integration test and validation? At the lowest level, control systems typically rely on individual feedback control (servo loops). These loops are typically interconnected and characterized by their continuous input/output behavior (often a discrete controller is used, but it is typically just a discrete version of a continuous design). The controller design is veried by design e.g. by placing the poles in the left half plane we have guaranteed stability and possibly a certain gain and phase margin. Most control system designs, however, naturally include discrete control modes (due to saturations, different set points, mode changes etc.). Hybrid phenomena also arises at the high-level as abstract protocol layers of hierarchical control designs. The discrete protocols are a way to manage system complexity. By adding these discrete components and transitions the design that was originally veried by design is no longer guaranteed stable stable and performance may not be exactly what we designed it to be. As a result we end up having to spend considerable time testing and validating the design. To tackle design problems, we need a mathematical well founded theory that integrate models with heterogeneous components. New research directions in control use an analytical foundation based on hybrid systems, i.e. work with models that combine nontrivial interactions of continuous and discrete phenomena a fundamental characteristics of software-based control systems. The focus is on systematic hierarchical design methodologies, and a practical set of software design tools which support the construction, integration and safety and performance analysis of hierarchical control systems.. Background While the notion of hybrid systems is relative new, it builds on previous work in the areas of computer science and control theory. We illustrate the basic concepts of hybrid systems with the following small example, see Figure.. The example consists of two tanks. Both tanks are leaking at a 4

5 constant rate, v, v. Water is added to the system at a constant rate, w. The water input can only be directed to one tank at a time. The switching between the tanks is assumed instant. The water levels in the tanks are x, x and the control task is to maintain the levels above r and r. Initially the water levels in both tanks are above r and r. w x r x r v v x r x r x r x : = x q x = w v x = v x r x q x = v = w v x r x : = x x r Fig... Directed graph representation and illustration of tank example. As the example illustrates the control of such a system requires a combination of an automata making discrete transitions between states, in this case q and q feeding one or the other cylinder. Within each state the evolution of the state space is described by conventional differential equations. Hybrid systems theory has developed such models, analysis techniques and synthesis techniques. It has found application in a number of areas, just to name a few: air trafc management (Tomlin, Pappas, and Sastry 998), automotive control (Balluchi, Benvenuti, Benedetto, Pinello, Luigi, and Sangiovanni-Vincentelli 000), transportation systems (Varaiya 993; Lygeros, Godbole, and Sastry 998), mobile robotics (Bak, Bendtsen, and Ravn 003), and mechatronic systems (Ravn, Rischel, Holdgaard, Eriksen, Conrad, and Andersen 995), (Ravn, Eriksen, Holdgaard, and Rischel 998). 5

6 . Models Early attempts to formulate a theory are derived from computer science. They represent extensions of verication methodologies to timed and hybrid systems. Typically these approaches are able to deal with complex discrete dynamics described by automata and emphasize analysis results (verication), simulation and abstraction. The initial contributions include, (Alur and Dill 990) introduced algorithms for checking properties of timed automata while (Chaochen, Ravn, and Hansen 993) used duration calculus for hybrid real-time systems; (Back, Guckenheimer, and Myers 993) provided a framework for numerical simulation, (Hooman 993) discussed composition of hybrid systems. Concurrently hybrid phenomena were addressed by control theory, extending control theoretical results to include discrete transitions. Typically these approaches are able to deal with complex continuous dynamics and emphasize stability results. Contributions include (Nerode and Kohn 993) that took an an automata theoretic approach, (Sontag 98) discusses a piecewise linear approach, (Brockett 993) addressed hybrid motion control systems, and (Antsaklis, Stiver, and Lemmon 993) discussed discrete event dynamical systems. A unied hybrid systems model was introduced in (Branicky 995; Branicky 996). It captures many discrete phenomena arising in hybrid systems: autonomous jumps and switches, which model discontinuous changes of the dynamics, and controlled jumps and switches between dynamics in response to external command. Important variations of this model include the work on hybrid timed automata (Henzinger 996), the hybrid I/O automata (Lynch, Segala, Vaandrager, and Weinberg 996) that introduces synchronization and compositionality and (Kesten, Pnueli, Sifakis, and Yovine 993) that among other things addresses the notion of abstraction and hierarchy..3 Analysis Techniques One class of approaches to modelling and analysis of hybrid systems extends techniques from discrete systems to include simple continuous dynamics. Given an extended model, the emphasis is placed on answering questions such as Does the system satisfy the specication? One approach has been to use model checking techniques, which veries system specication algorithmically. Model checking is eccentrically techniques that determine if the dynamics of a given model (automaton) allow it to reach certain states. Properties or specications may be specied in terms of reachability or unreachability of such states. For timed automata (Alur and Dill 990), where differential equations are very simple, ẋ =, modelling clocks, model checking can be completely automated. For a larger class e.g. linear hybrid automata models that use differential inclusions of the 6

7 form Aẋ b, the techniques of timed automata can in most cases be reused and provide semiautomatic verication procedures (Henzinger 996;?). A number of tools have been developed (Henzinger, Ho, and Wong-Toi 995; Daws, Olivero, Tripakis, and Yovine 995) for these classes of systems and allow (semi)automated model checking. Other tools are based on various approximation techniques for reachable sets such that they can give an indication of wether certain states are denitely reachable or denitely unreachable in a given system. A different approach has been to extend theorem proving techniques, which use software tools, theorem provers (Ghosh, Tiwari, and Tomlin 003), to prove mathematical results. The emphasis has been on models (Lynch, Segala, Vaandrager, and Weinberg 996) that support proof techniques such as induction, invariant assertions and simulation. Theorem provers are far from being automatic and require signicant interaction with the designer. A second class of techniques for hybrid systems has developed out of the control research community. The emphasis here has been on extending the standard modelling, stability analysis, and controller design techniques to capture the interaction between the continuous and discrete dynamics. Results include extension of stability theory (Branicky 998), optimal control (Branicky 998; Hedlund and Rantzer 999; Lygeros, Godbole, and Sastry 996; Johansson and Rantzer 998), model predictive control (A. and Morari 999), and supervisory control (Maler, Pnueli, and Sifakis 995;?), to hybrid systems. As part of verication efforts the notion of reachability, i.e. determination of regions of the state space to which the system can evolve from a set of initial conditions has been addressed. In general one cannot compute the reachable set and even with over-approximations it is computationally expensive (Chutinan and Krogh 003; Asarin, Dang, Maler, and Bournez 00; Kurzhanski and Varaiya 998; Mitchell, Bayen, and Tomlin 00)..3. Synthesis Techniques As discussed above analysis is difcult and results in synthesis are hence also limited. However, there are some models for design discrete controllers, (Maler, Pnueli, and Sifakis 995; Wong-Toi 997) building on supervisory control for discrete event systems by (Ramadge and Wonham 987). An indication that synthesis is really a hard problem is the recent result from distribute d controllers that it is not decidable wether a controller exists (Arnold, Vincent, and Walukiewicz ; Pnueli and Rossner 990). In order to deal with the complexity of the problem another approach has been based on compositionality techniques (Tabuada, Pappas, and Lima 00). A development paradigm using such ideas may be based on the Charon language and tool set, see e.g. (Alur, Grosu, Lee,, and Sokolsky 00). Thanks to Carsten Kallese 7

8 . Notes on Lecture Notes by: This lecture introduces the general notation and terminology used in the eld of hybrid systems. This is done by starting form the traditional control problems, increasing the complexity to control systems where the control is obtained by switching between a set of controllers. For this switched control system the terminology of hybrid system is obtained. The lecture ends with three examples of respectively a dynamic system, a time discrete system and nally a hybrid system.. Introduction to Hybrid Systems.. Traditional Control In traditional control the plant and the controller is connected in a feedback loop as shown in gure.. Controller u Plant y Fig... Control loop used in traditional control theory. The following characteristic can be put on the theory of traditional control, Model: In the continuous case the system is described by a set of rst order ordinary differential equations (ODE) given by the following expression in the general case, 8

9 or in the linear case, ẋ = f(x, u) y = h(x) ẋ = Ax + Bu y = Cx In the discrete time case the system is described by a set of differece equations instate of ODE, x k+ = Ax + Bu y = Cx Synthesis: In the linear case a lot of methods exist for designing controllers, such as PID, pol-placement, optimal or robust control. Also in the nonlinear case design methods exists, such as feedback linearization or Lyapunov redesign. Validation: In control theory performance validation and stability are obtained by construction. Meaning that the design guarantees stability and performance. Beside that numerical simulations are used... Supervision In real life applications it is often not enough to design one single controller for a given application. This could be due to nonlinearities in the plant or due to different performance demands in different operating points. Therefore it is common to design a supervision system to supervise the plant and to choose between different controllers. A possible structure of such a system is shown in gure.. subervisor Ctrl Ctrl u Plant y Ctrl 3 Fig... Control loop with a set of different controllers. A supervision system is used to switch between the controllers. Here the supervision system is used to switch between a set of different controllers. As the system contains a switching part it is not modelled by only a set of ODE as in 9

10 the previous case. Moreover in the general case the model of the plant might itself contain switching function and is therefore not modelled by only ODE either. The following characteristic can be put on this type of control, Model: The continuous time part of the model is either modelled by ODE or by difference equations. The supervision system is modelled as a discrete event system. Synthesis: Each of the controllers could be design as in the previous case, but the supervision system is normally design ad-hoc using rule-of-thumb and common sense. Validation: Here there are only three ways for validation, these are simulation, simulation and simulation. It is said that a normal control engineer is using the majority of his or hers time on the design of the supervision system and not designing traditional controllers. This combination of dynamic systems and discrete event system is called a hybrid system. As a lot of time is spend on this part it is reasonable to look into theories, which can help solving problems in this area. This is exactly the concept of hybrid systems theory...3 Hybrid Systems The system described in the previous subsection is really a hybrid system as the model modelling the system is a hybrid of continuous time models and a discrete event model. One can ask what is needed to guarantee stability of such system? And how to design such systems? The following example will reveal some of the complexity connected to the analysis of hybrid systems. Ex: In this example two asymptotical stable continuous time system are dened. A trajectory with initial condition x 0 = [ ] for each of the systems is shown in the rst two plots in gure.3. These trajectories show that the systems are stable. If a switching function switching between the two systems is added, the trajectory could be as shown in the last plot of gure.3. This plot shows that even though the two subsystems are asymptotical stable the overall system might be unstable. This is of cause not the only choice of switching function. There could easily have been found a switching function, which do not affect the stability of the system. In gure.4 another switching function is used for switching between the two asymptotical stable subsystems. With this switching function the overall system is stable. This example shows that the stability of the dynamics in the two subsystems is not enough the guarantee stability of the overall system. A matter of fact is that the stability of the dynamics of the subsystems is a necessary condition for stability of the overall system. But as the example shows it is not a sufcient condition. 0

11 system system Hybrid system Sys Sys x 0 x 0 x 0 0 x 0 x 0 x Fig..3. A hybrid system containing two stable dynamic systems, with a unstable switching function. system system Hybrid system x 0 x 0 x 0 0 x 0 x Sys 0 Sys x Fig..4. A hybrid system containing two stable dynamic systems, with a stable switching function. The previous example shows that it is necessary to be able to analysis hybrid system. As the nature of a hybrid system is a combination of continuous time systems and discrete event systems the tools necessary for such analysis must be found in the area of respectively control theory and computer science. In the following table some theories necessary from both areas are listed. Control Theory Stability Feedback Robustness Existence and uniqueness Computer Science Transition systems Composition (Parallel running systems) Abstractions (bi-simulations) Reach ability non-determined Using a combination of theories from the two areas a description of a hybrid system is obtained. A Hybrid Automaton is dened as Denition.. (Hybrid Automaton). A hybrid automaton H is a collection H = (Q, X, Init, f, Dom, E, G, R), where Q is a set of discrete variables and Q is countable; X is a set of continuous variables; Init Q X is a set of initial states;

12 f : Q X T X is a vector eld; Dom : Q P (X) assigns to each q Q an domain; E Q Q is a collection of discrete transitions; G : E P (XX) assigns to each e = (q, q ) E a guard; and R : E X P (X) assigns to each e = (q, q ) E and x X a reset relation. Remarks:. We refer to (q, x) Q X as the state of H.. Examples To illustrate the similarities and differences between continuous time systems discrete event system and hybrid systems, three examples are given in this section... Pendulum The pendulum is a well-known dynamic system and is in this example used to present the characteristics of dynamic systems. A gure of the pendulum is shown in gure.5. In this gure l is the length of the pendulum, M is the masse, θ is l θ d ~ drag losses. M Fig..5. The pendulum. the angular displacement from the equilibrium and d is the drag losses due to air. The evolution of this system is governed by the following second order nonlinear ordinary differential equation (ODE), Ml θ + dl θ + Mg sin(θ) = 0 Assuming the initial conditions θ(t 0 ) = θ 0 and θ(t 0 ) = θ 0 a solution of ODE exists and is given by, θ : [t 0, t ] R

13 For the function θ(t) to be a solution, it must fulll, Ml θ(t) + dl θ(t) + Mg sin(θ(t)) = 0 θ(t 0 ) = θ 0 θ(t0 ) = θ 0 This must be fullled for all t [t 0, t ]. A graph of the solution can be obtained using numerical simulations. Let l =, M =, d = 0. and g = 9.8. Moreover the initial conditions are given by θ 0 = 0.75 and θ 0 = 0. The result of a simulation under these conditions is shown in gure.6. θ : [t 0,t ] R phase plot x, x 0 θ dθ/dt x t x Fig..6. Simulation results with the pendulum process. The pendulum system could also be written as a set of nonlinear rst order differential equations, when this is done the model becomes, ẋ = f(x) ( ) (ẋ = ẋ x g l sin(x ) d m x where f is a vector eld, in this case dened as f : R R. ).. Manufacturing Machine To show the characteristic of a discrete event system a simple manufacturing machine is dened. This machine is dened as a machine, which is able to manufacture a part whenever a part arrives. Unfortunately the machine is sometime broken, in which case it has to be repaired. The following discrete states, events and transitions dene this machine. Discrete states q i Q = {I, W, D} where, I Idle. W Working. D Down. 3

14 Events σ Σ = {p, c, f, r} where, Transition relations δ : Q Σ Q, p Part arrives. c Completed processing the part. f failure. r repair. δ(i, p) = W δ(w, f) = D δ(w, c) = I δ(d, r) = I For a discrete system dened by Q, Σ and δ a nite state machine representation exits (directed graph). This state machine is shown in gure.7. r I c p D f W Fig..7. Finite state machine for the manufacturing machine example. The language of this state machine is dened as, (pc + pfr) ( + p + pf) where the + is the or operator, means that the sequence can be taken any number of time and nally means the empty sequence...3 Water Tank To illustrate the characteristic of a hybrid system a water tank system is dened. A sketch of the system is shown in gure.8. The system consists of two tanks, from which water is drained. Water is led to the tanks be a valve, form which the water is either put into tank T or tank T. The amount of water led to this valve is W. This two directional valve is the actuator of the system. The levels in the tanks are respectively x and x and the outlet ow from the tanks are respectively V and V. The control objective for the systems is x > r and x > r. With this control objective a stable solution exists whenever W V, W V, W V + V, x (t 0 ) > r and x (t 0 ) > r. 4

15 w x r x r v v x r x r x r x : = x q x = w v x = v x r x q x = v = w v x r x : = x x r Fig..8. Directed graph representation and illustration of tank example. The system is modelled by a set of discrete states with a dynamic model in each of these states. The set of discrete states is given by Q = {q, q } where q is the inow to tank T and q is the inow to tank T. The state space for the dynamic systems are X R and the domain D = {(x, x ) x > r, x > r }. The dynamics in state q is governed by, ẋ = W V ẋ = V and the dynamics in state q is governed by, ẋ = V ẋ = W V Numerical simulation results form this process is shown in gure.9. In this simulation V =.5, V = and W =.335. The control references are r = r =. And nally the initial conditions are x (t 0 ) = 3 and x (t 0 ) =. It is seen that the system is asymptotical moving towards (, ) but with an increasing switching frequency. Eventually this switching frequency would escape to innity. This phenomenon is called Zeno behavior and is obviously not wanted. The name Zeno refers to the philosopher Zeno of Elea ( B.C.), who established a number of famous paradoxes. They were designed to explain the view of his mentor, 5

16 4 4 phase plot level T level T 3 filling T filling T x, x.5 x t x Fig..9. Test results form the tank simulations. The outlet ow is model as constant values. Now the process is changed so that V = R x and V = R x meaning that the outow is a linear function of the pressure across the valve or pipe. In gure.0 the result of a simulation under these conditions is shown. Here R = 0.5 and R = 0.5, moreover W =.6 in this simulation. From this gure it is seen phase plot 3 level T level T 3 filling T filling T x, x.5 x t x Fig..0. Test results form the tank simulations. The outlet ow is model as a linear function of the level in the tanks. that a stable solution exist, and that this solution is a limit cycle guaranteeing that T W dt = T V + V dt where T is the switching period. The water tank automaton is a hybrid automaton with Q = {q, q } and X = R ; Init = Q {x X : (x > r ) (x > r )}, r, r > 0; f(q, x) = (w v, v ) T and f(q, x) = ( v, w v ) T, v, v, w > 0; Dom(q ) = {x X : x r } and Dom(q ) = {x X : x r }; Parmenides, that the ideas of motion and evolving time lead to contradictions. An example is Zeno's suggestion of a race between Achilles (the world's swiftest runner) and a tortoise. The tortoise was to get a substantial headstart. Zeno reasoned that after a short time Achilles would close the lead to / its original length. Then shortly afterward, he would close that distance by a / to /4 its original length. Zeno said then that Achilles would have to continue this process forever, always closing the remaining gap by / but never catching the tortoise. 6

17 E = {(q, q ), (q, q )}; G(q, q ) = {x X : x r } and G(q, q ) = {x X : x r }; and R(q, q, x) = R(q, q, x) = {x}. 7

18 8

19 3. Notes from Lecture 3 Notes by Lars Alminde (lalm00@control.auc.dk) This lecture treats the possibilities of formally checking a hybrid model using the reachability concept. However, in order to make model checking feasible it is necessary to reduce, or rather abstract, the hybrid model into a more manageable format suitable for discrete analysis. In order to facilitate this analysis two new concepts are introduced: Transition systems and bi-simulation. According to San-Giovani the following levels of system validation can be established: Construction Verication Simulation Intuition Assertion Intimidation The tools to presented here falls in the verication category. 3. Model Checking and Transition Systems Model checking or verication can be expressed as Automatic exploration of systems by exploring their state-space, i.e. from a given set of initial values the all outgoing trajectories are analyzed in order to determine if it is possible to reach a set of nal values in the state-space. In other words; we want to examine if some target state(s) are reachable from an initial state.the target state(s) can either be some state that we would like the system to reach or a state that we must prove is not reachable by the system. 9

20 In this section the concept of transitions systems will be presented, which adequately facilitates reachability analysis for discrete systems, while the next section will present further abstractions that will allow the reachability analysis to be extended to hybrid systems containing innite numbers of continues states. 3.. Transition Systems The transition system (TS) is an abstraction/generalization of our nominal hybrid system in which we only take into account the discrete states and their transitions, as well as initial and nal states. Formally dened as: Denition 3.. (Transition system). A transition system is dened by: where: S : Set of all states δ : Transition relations: δ : s P (s) S 0 : Initial states: S o S S f : Final states: S f S T = (S, δ, S 0, S f ) Note the TS description does not include the concept of time. Examples of TS systems are given in section The Predecessor Operator Having dened the TS it will be the focus of the reachability analysis of the system that it models. The problem statement is: to examine if a nal state s f S is reachable from the initial condition s o S by a sequence of transitions. To facilitate this analysis the predecessor operator P re(x) will be dened: Denition 3.. (Predecessor operator). P re(ŝ) = {s S ŝ ŝ with ŝ δ(s)} P re(ŝ) takes a set of states ŝ and returns the set of states s that can be reached from ŝ in a single transitions. Now, by starting from the nal set of states s f it is possible to work backwards in order to determine if there are trajectories in the state-space that connects the nal set of states with the initial set of states (and visa versa), i.e. if the nal set of states are reachable from the initial. This can be expressed as a backwards reachability algorithm that iteratively traverses all trajectories backwards from the nal set of stages until it reaches an initial state or until all possible trajectories have been examined. 0

21 Denition 3..3 (Backwards Reachability). For a TS reachability can be analyzed by using the following algorithm: Initial values: ω 0 = s f, i = 0 do: if ω i S 0 then return Reachable else ω i = P re(ω i ) ω i ; i + + while ω i ω i return Not reachable Figure 3. demonstrates the algorithm. Starting from S f we iterates backwards in the state-space until the S 0 states can be reached. In this case two iterations are required before ω i includes states that are part of S 0. S o Pre(Pre(Sf)) Pre(Sf) S f Fig. 3.. Illustration of the backward reachability procedure In order for any system to be decidable, using the above sketched algorithm, it must have a nite set of states. Otherwise the algorithm may never complete. This limits this kind of analysis to systems that contain no continuous variables, but only discrete. The next section will explore the possibility of by-passing this requirements, by partitioning the continuous state-space, such that the complete state-space can be explored as a discrete system. 3. Partitions and Bi-simulation The idea behind the bi-simulation is to look at the complete state-space and identify partitions, i.e. regions in the state-space, that have similar behavior in the sense that if there is a trajectory from one partition to another partition then the target partition is reachable from every point in the source partition. Denition 3.. (Partition). A partition is a collection of sets of states {s i } i I with s i S, such that:

22 s i s j = 0, i.e. disjoint i,j i j i=i s i = s S0 S S S3 S4 S5 S6 S7 S8 S9 Fig. 3.. The state-space is envisioned as a number of partitions that separates the state-space into regions of similar behavior This denition can now be used to dene the bi-simulation: Denition 3.. (Bi-simulation). A by-simulation of T = (S, δ, S 0, S f ) is a partition {s i } i I s 0 is a union of elements in partition s f is a union of elements in partition if s S i can transit to s S j then all states in s i must be able to transit to s j : (i, j), ŝ s i ifδ(s) s j then δ(ŝ) s j The denitions of partition and bi-simulation leads to the following theorem for bi-simulations: Theorem 3... Let {s i } i I be a bi-simulation of T then s f is reachable by T if and only if S f is reachable by ˆT, where ˆT = (Ŝ, ˆδ, ŝ 0, sˆ f ). In this theorem T is the transition system of the original continuous hybrid system, while ˆT is the transition system of the same hybrid system, but abstracted using partitioning, such that ˆT only depends on discrete states. In this sense the bi-simulation makes reachability much easier (possible) for hybrid systems containing continuous state variables by abstracting the model without loosing generality. 3.3 Example: Finite State Machine In order to demonstrate the concepts introduced an example incorporating a Finite State Machine (FSM) will be presented. Consider gure 3.3. The system consists of 7 discrete states and a number of transitions between these states.

23 q0 q q q3 q4 q5 q6 Fig Example: Finite State Machine Denition of the Transition-system. : The following denes the transition system T of the FSM-example: S = {q 0, q, q, q 3, q 4, q 5, q 6 } δ(q 0 ) = {q 0, q, q } δ(q ) = {q 0, q 3, q 4 } δ(q ) = {q 0, q 5, q 6 } δ({q 3, q 4 }) = { } δ({q 5, q 6 }) = { } S 0 = q 0 S f = {q 3, q 6 } Backward Reachability. : For the FSM system we will analyze reachability between s f = {q 3, q 6 } to s 0 = {q 0 } using the backwards reachability algorithm: Initially: w 0 = {q 3, q 6 } and s 0 = {q 0 } Iteration : No intersection: w = P re(w 0 ) w 0 = {q, q, q 3, q 6 } Iteration : No intersection: w = P re(w ) w = {q 0, q, q, q 3, q 6 } Iteration 3: No intersection: w 3 = P re(w ) w = {q 0, q, q, q 3, q 6 } Iteration 4: Intersection, thus reachable Partitioning. : The FSM system can, according to level, be partitioned into three partitions: {q 0 }, {q, q } and {q 3, q 4, q 5, q 6 }. 3.4 Model Checking summary This lecture has led to the denition of the bi-simulation, which is a tool to facilitate reachability analysis of hybrid systems by abstracting them into discrete systems. 3

24 This is done identifying regions, called partitions, of similar behavior in the continuous state-space and using the possible transitions between the partitions to perform reachability. T Discrete only transition system Partitioning Continuity abstracted by partitions T Transition system. No time H Orginal Hybrid System Fig The procedure for abstracting hybrid systems to facilitate reachability studies This allows systematic model checking of hybrid systems, such that it is possible to conclude if the hybrid system is able to reach certain states that either represents behavior of the system that is agreeable or must be avoided. Figure 3.4 shows the steps required in order to abstract a hybrid system model into a discrete transitions system suitable for reachability. The steps are:. The hybrid system H is abstracted to a transition system T including continuous variables, but in which the concept of time no longer applies.. The transitions system is analyzed in order nd partitions for the continuous variables. 3. Using the partitions the transition system is re-stated using into ˆT only discrete variables. The bi-simulation theorem then ensures that reachability analysis performed on the simpler ˆT also applies for the original hybrid system H. 4

25 4. Notes from Lecture 4 Up until now, we have only studied autonomous hybrid systems, also known as closed hybrid systems, i.e. hybrid automata with no inputs or outputs. These systems are good for modelling and simulation of small to medium size physical systems as well as analysis, e.g. verifying that all executions satisfy certain desirable properties. They are, however, limited as they have no sense of control, and they model single monolithic blocks. In many situations, however, it is natural to build up a hybrid system from subsystems. It is therefore useful to have a notion of composition of hybrid automata. In this lecture we introduce open hybrid automata, i.e., hybrid automata with inputs and outputs, and we discuss composition of two open hybrid automata. 4. Open Hybrid Automata Denition 4.. (Open Hybrid Automaton). An open hybrid automaton H is a collection H = (Q, X, U, Y, Init, f, h, Dom, E, G, R), where Q is a nite collection of discrete state variables; X is a nite collection of continuous state variables; U is a nite collection of input variables. We assume U = U D U C, where U D contains discrete and U C contains continuous variables. Y is a nite collection of output variables. We assume Y = Y D Y C, where Y D contains discrete and Y C contains continuous variables. Init Q X is a set of initial states; f : Q X U R n is a vector eld; h : Q X Y is a vector eld; Dom : Q P (X U) assigns to each q Q an invariant set; E Q Q is a collection of discrete transitions; G : E P (X U) assigns to each e = (q, q ) E a guard; and 5

26 R : E X U P (X) assigns to each e = (q, q ) E, x X and u U a reset relation. To avoid technicalities with continuous dynamics we impose the following assumption: Assumption 4... Assume f(q, x, u) and h(q, x) are globally Lipschitz continuous in x and f(q, x, u) is continuous in u. Note that a discrete transition may either take place due to a (conventional) discrete transition or due to that a transition takes place in some hybrid automaton connected to H, and, thus, possibly affecting the continuous part of the input variables of H. 4.. Composition Denition 4.. (Compatible Hybrid Automata). Two open hybrid automata H and H are called compatible if Y Y =. Denition 4..3 (Composition). Consider two compatible open hybrid automata, H and H, with X X =, Y = U, and Y = U. The composition is an open hybrid automata H = H H = (Q, X, U, Y, Init, f, h, Dom, E, G, R), where Q = Q Q, X = X X, X R n, n = n + n, U = (U U ) \ (Y Y ), Y = Y Y, for all ((q, q ), (x, x ), (w, w ))) Q Q X X U U, with w = h (q, x ) and w = h (q, x ), it holds that Init = {((q, q ), (x, x )) Q X : (q, x ) Init (q, x ) Init }, f : Q X U R n given by: f ((q, q ), (x, x ), (u, u )) = h : Q X Y is a vector eld given by: h ((q, q ), (x, x )) = Dom : Q X P (Q X) given by: [ f (q, x, w ) f (q, x, w ) [ ] h (q, x ) h (q, x ) Dom(q, x) = {((q, q ), (x, x )) Q X : (q, x ) Dom (q, x ) Dom } ] 6

27 E Q Q given by: E = {((q, q ), (q, q )) Q Q : (q, q ) e (q, q ) E } G : E P (X U) given by: G(q, q ) = {((x, x ), (u, u )) X U : e E (q, x, u ) G (e ) (q, x, u ) G (e )} R : E X U P (X) dened by: R(q, q, x, u) = {x X : e E x R (e, x, u ) x R (e, x, u )} Remarks:. Both interleaving and synchronous transitions are allowed.. A transition is forced for the composition if a transition is forced in at least one of the constituents. 3. A transition is enabled for the composition if a transition is enabled in at least one of the constituents. 4. The parallel composition of the two automata H and H may be viewed as simply choosing variable names for input variables in H that are output variables in H. 5. It may sometimes be desirable to eliminate output variables, especially after it has been composed with an input variable of another automaton. This operation does not change the dynamics of the automaton, it just affects its external behavior (Alur and Henzinger 997; Alur and Henzinger 996). 4. Example (Automatic Transmission) Example 4... Figure 4. shows a model of car with a transmission having three gears, neutral, gear and gear. The lateral position of the car is denoted x and the velocity x. The model has two control signals: gear {0,, } and the throttle position, u [ ; ]. The function α i represent the efciency of gear i. From zero velocity gear = 0 is most efcient, but as the velocity increases, gear = becomes more efcient etc. The two control signals gear and throttle, u are not specied. Assume that another (control) hybrid automaton is given that models these two signals out of the position and the speed of the car. By coupling the car model with the control model we get a a conventional feed-back type system. Such connection is possible with the notion of open hybrid automata we have just introduced. The open hybrid automata H = (Q, X, U, Y, Init, f, h, Dom, E, G, R ) modelling the car is (partly) given by: 7

28 x = 0 x = 0 gear = gear = zero x = 0 x = 0 gear = 0 x = α x ) u low x = x ( gear = high x = x x = α ( x ) u gear = Fig. 4.. Directed graph for car model. gear = 0 gear = Q = {zero, low, high}, X = {x, x }, U D = {gear} and U C = {u}, Y D =, Y C = {x, x }, etc. Next we design a controller with the following specications: take the car from the position x = 0 to x = 00. Wait the rst 0 s with zero velocity, then accelerate in gear = until the speed x 0, and, nally, continue in gear = until the nal position is reached. This type of specication with mixed discrete and continuous components ts into our open hybrid automata framework and is illustrated in Figure 4.. t = 0 u = 0 0 < t < 00, u : = 0 x < 00 x > 0, u : = 0 stop t = u = 0 t 0 gear t = u = x 0 gear t = x u = 00 x > 00, u : = 0 Fig. 4.. Directed graph for transmission controller. x > 00, u : = 0 The open hybrid automata H = (Q, X, U, Y, Init, f, h, Dom, E, G, R ) modelling the controller is (partly) given by: Q = {stop, gear, gear}, X = {t, u}, U D = and U C = {x, x }, Y D = gear, Y C = {u}, etc. 8

29 Let us connect the car and the controller by deriving the composition of H and H. First note that they are compatible and satisfy the assumptions of Denition Q = Q Q = {zero, low, high} {stop, gear, gear}, X = X X = {x, x, t, u}, etc. 9

30 5. Notes on Lecture 8 The course material for the next two lectures are taken from following reference: Control of systems integrating logic, dynamics, and constraints by Alberto Bemporad and Manfred Morari, Automatica 35(999), pp Interested students can obtain additional references from the publication site of the Institute für Automatic, ETH given in the following MLD-Systems Mixed Logical Systems The lecture will cover Physical Dynamic Relations Rules (logic) Constraints 5. Modeling In the following a framework for modelling and control of systems described by physical laws, logical rules, and operating constraints called Mixed Logical Dynamical (MLD) systems. Model. is described by linear dynamic equations subject to linear inequalities involving real and integer variables. MLD systems include linear hybrid systems, - nite state machines, some class of DESs, constrained linear systems and nonlinear systems (approximated by piecewise linear functions). Control. is performed by using different schemes of Optimal control (via dynamic programming) or predictive control. 30

31 5.. Notation X i represents statements (also called litterals) for example: δ(x) 0 Temp is too High X i has the truth value of either T or F. 5.. Connectives in Boolean Algebra Boolean algebra enables compositions of statements by means of connectives (OR), (AND), (NOT), (IMPLIES), (IFF), (Excluded OR). Connectives are dened by means of truth tables. We can transform compound statements into equivalent statements involving different connectives. Examples are provided below: x x equivalent to x x {, } x x equivalent to x x x x equivalent to (x x ) (x x ) 5..3 How to build up equations Statement X i could be associated with a logical variable: δ i {0, } { if Xi = T δ i = 0 else Problem in Propositional logic. : Prove that the statement X i is true given a set of (compound) statements involving litterals X,, X n. One solution. : Use linear integer programming by translating the original compound statements into linear inequalities involving logical variables δ i. Some examples: x x equivalent to δ + δ x x equivalent to δ = δ = x equivalent to δ = 0 x x equivalent to δ δ 0 x x equivalent to δ δ = 0 x x equivalent to δ + δ = 3

32 We would like to represent systems involving both dynamics and logic. In particular, we would like to build statements from operating events concerning physical dynamics. Consider statement X [f(x) 0] where f : R n R is a linear function and x X (a bounded set). Dene: M maxf(x), x X overestimate (5.) m minf(x), x X underestimate (5.) So, the following statements are valid [f(x) 0] [δ = ] is true iff: f(x) Mδ (5.3) [f(x) 0] [δ = ] is true iff: f(x) δ + m( δ) (5.4) [f(x) 0] is true iff: f(x) ɛ, ɛ positive small number(5.5) [f(x) 0] [δ = ] is true iff: f(x) ɛ + (m ɛ)δ (5.6) [f(x) 0] [δ = ] is true iff: f(x) ɛ + (m ɛ)δ (5.7) [f(x) 0] [δ = ] is true iff: f(x) M( δ) (5.8) In this case both continuous variables and logical variables are involved. The next step. : is to transform products of logical variables, and of continuous and logical variables to linear inequalities using auxiliary variables. For instance, δ δ is computed by introducing δ 3 : δ δ δ 3 then [δ 3 = ] [δ = ] [δ = ] or δ + δ 3 0 δ 3 δ δ δ + δ 3 0 δ + δ δ 3 Another example: δf(x) where f : R n R, δ {0, } We can write this product as y δf(x) which satises [δ = 0] [y = 0] (5.9) [δ = ] [y = f(x)], (5.0) 3

33 that is equivalent to So instead of 5.9 one may use 5.. y Mδ y mδ y f(x) m( δ) y f(x) M( δ) (5.) There exists alternative methods for transforming propositional logics problems into equivalent integer programs. An example is Conjunctive Normal Forms (CNF) which will be treated later on Mixed Logical Dynamical (MLD) Systems - An example Consider the following system: where { 0.8x(t) + u(t) x(t) 0 x(t + ) = 0.8x(t) + u(t) else x(t) [ 0; 0] u(t) [ ; ] (5.) The condition X [x(t) 0] will be associated to a binary variable δ(t) (logic variable), meaning that: [x(t) 0] [δ = ] Using the transformation 5.8 we can transform the proposition to the following inequalities: { mδ(t) x(t) m (5.3) (M + ɛ)δ x ɛ where ɛ is a very small positive number M = 0 m = 0 Now we can rewrite 5. to: 33

34 x(t + ) =.6x(t)δ(t) 0.8x(t) + u(t) (5.4) Eq. 5.4 has a nonlinear part x(t)δ(t). This part is substituted with z(t), and the following equations can be stated: z(t) Mδ z(t) mδ z(t) x(t) m( δ(t)) z(t) x(t) M( δ(t)) (5.5) The system dynamics (evolution) can hence be expressed by the following linear dynamic equation subject to constraints in 5.3 and 5.5 x(t + ) =.6z(t) 0.8x(t) + u(t) 5..5 General Form for MLD systems The generalized formulation for the mixed logical dynamical (MLD) systems is expressed through the following relations: x(t + ) = A t x(t) + B t u(t) + B t δ(t)b 3t z(t) (5.6) y(t) = C t x(t) + D t u(t) + D t δ(t)d 3t z(t) (5.7) E t δ(t) + E 3t z(t) E t u(t) + E 4t x(t) + E 5t (5.8) where t Z, and x(t) = [ xc x l ] x c R nc x l {0, } n l n = n c + n l y(t) = [ yc y l ] y c R p c y l {0, } p l p = p c + p l [ ] uc u c R mc u(t) = u l u l {0, } m m = m c + m l l and δ {0, } r l are the auxiliary logical variables and z R c are the auxiliary continuous variables. In principle, the inequalities in 5.8 might be satised for many values of δ(t) and/or z(t). But, what is of interest is to determine x(t + ) and y(t) values uniquely by x(t) and u(t). Following denition is introduced: 34

35 Denition 5... Let I Bt denote the set of all indices i {,..., r l }, such that [B t ] i denotes the i th column of B t. Let I Dt, J Bt, J Bt be dened analogously by collecting the positions of nonzero columns of D t, B 3t, and D 3t respectively. Let I t I Bt I Dt, J t J Bt J Dt. A MLD system is said to be well posed if, t Z (i) x(t) and u(t) satisfy Eq. 5.8 for some δ(t) {0, } r l, z(t) R rc, and x l (t + ) {0, } n l ; (ii) i I t there exists a mapping D it : R n+m {0, } such that the i th component δ i (t) = D it (x(t), u(t)), and j J t there exists a mapping Z jt : R n+m R such that z j (t) = Z jt (x(t), u(t)). A MLD system (Eqs. 5.6, 5.7, 5.8) is said to be completely well posed if in addition I t {,..., r l } and J t {,..., r c }, t Z. In the sequel, an auxiliary variable δ i (t) (z j (t)) is said to be well posed if i I t (j J t ), or indenite otherwise. Assumption. The MLD system (Eqs. 5.6, 5.7, 5.8) is well posed, i.e. once x(t) and u(t) are known then x(t + ) and y(t) are uniquely dened, and hence, the trajectories in the x-space and y-space for the system can be dened. Lets generate a trajectory from the initial state x(t 0 ) = x 0 by applying the command inputs u(t 0 ), u(t 0 +,..., u(t )) on the system. The generated trajectory is denoted by x(t, t o, x 0, u t t 0 ). In order to transform propositional logic into linear inequalities and to include the physical constraints that are present during plant operation (e.g. saturating actuators, safety conditions,...), the following constraints will be added to the control problem: [ x {[ x G R u] u] n+m } : F x + Gu H (5.9) Since physical constraints are typically specied on continuous components, often Eq. 5.9 can be expressed as a Cartesian product G = G c [0, ] n l+m l where {[ ] } xc G c R nc+mc : F c x c + G c u c H c u c Note that F x + Gu H can be included in 5.8. Assumption. G is a polytope. This assumption is used to dene the upper- and lower-bounds as in Eqs. 5. and Round-off Observe that MLD-systems can represent different classes of systems, including: 35

36 Linear Hybrid Systems. Sequential logical systems (Finite State Machines, Automata) (n c = m c = p c = 0). Constrained linear systems (n l = m l = p l = r l = r c = 0). Nonlinear dynamic systems, where the nonlinearity can be expressed through combinational logic (n l = 0). Linear Systems (n l = m l = p l = r l = r c = 0 E it = 0, i =, 4, 5. Some classes of discrete event systems (n c = p c = 0). In the following subsection, it will be shown how systems classied as piece-wise linear time-invariant dynamic systems are represented as MLD systems Piece-wise linear dynamic systems Consider the following piece-wise linear time-invariant (PWLTI) dynamic system A x(t) + B u(t) if δ (t) = x(t + ) =. A s x(t) + B s u(t) if δ s (t) = (5.0) where δ i (t) {0, }, i =,..., s are 0 variables satisfying the exclusive-or condition s [δ i (t) = ]. (5.) i= System 5.0 is completely well posed iff G can be partitioned in s parts G i such that G i G j = 0, i j, (5.) s G i = G (5.3) i= and δ i 's are dened as [[ x [δ i = 0] u ] G i ] (5.4) Several nonlinear models can e approximated by a model of the form 5.0, although this approximation capability is limited for computational reasons by the number s of logical variables. When the sets G i are polytopes of the form 36

37 {[ x } G i = : S i x + R i u T i u] the implication in Eq. 5.4 corresponds to n i [δ i = 0] [S j i x + Rj i u T j i ] (5.5) j= Where S j i denotes the j th row of S i. It is easy to see that 5.5 is implied by Eqs. 5., 5.3, and 5.4, and therefore can be omitted (Proof it as an exercise). Equations are therefore equivalent to S i x(t) + R i u(t) T i Mi [ δ i (t)] (5.6) s δ i (t) =, (5.7) i= where Mi max x G S i x(t) + R i u(t) T i. The system model (Eq. 5.0) can be rewritten as s x(t + ) = [A i x(t) + B i u(t)]δ i (t) (5.8) i= However, this equation is nonlinear as it involves products between logical variables, states, and inputs. In order to circumvent this problem, we should use the same procedure as shown in Eq. 5.5 by introducing mixed-integer linear inequalities as it is shown below. Set s x(t + ) = z i (t), (5.9) i= z i (t) [A i x(t) + B i u(t)]δ i (t) (5.30) and dene the vectors M = [M,..., M n ] T, m = [m,..., m n ] T as { } M j (t) max A j i x(t) + Bj i u(t) m j (t) max i=,...,s min i=,...,s { x u x u max G G (5.3) A j i x(t) + Bj i u(t) }. (5.3) Note that by Assumption, M and m are nite, or can be either estimated or exactly computed by solving ns linear programs. Then Eq is equivalent to 37

38 z i (t) Mδ i (t), z i (t) mδ i (t), z i (t) A i x(t) + B i u(t) m( δ i (t)), z i (t) A i x(t) + B i u(t) M( δ i (t)), (5.33) Hence, Eqs. 5.6, 5.7, 5.9, and 5.33 represent Eq. 5.0 in the general form given by Eqs. 5.6, 5.7, and

39 6. Notes for Lecture 9 6. Recapitulation of Lecture 8 Lecture 8 provided an introduction to modelling of different classes of systems including hybrid systems using Mixed Logical Dynamical Systems (MLD). The theory of Mixed Logical Dynamical Systems (MDL), which is being developed by Morari & Co., Switzerland, was introduced together with a notation set. The elements of an MDL model consists of:. Dynamics. Rules 3. Constraints From a set of literals X i (e.g. statements that could either be True or False) describing the rules of a MDL system and associated these with logical variable δ i. A boolean variable can be dened as a boolean function: that represents f : {T rue, F alse} n {T rue, F alse} X n f(x,..., X n ) where the function f represents a combination of NOT( ), OR( ), AND( ), Exclusive OR( ), Implies ( ) or if ( ) operators. The function can be written in its Conjunctive Normal Form (CNF) k j= i P j X i X i, N j, P j {,..., n} (6.) i N j These can be rewritten into a set of integer linear inequalities: 39