Synthesis of software-based protocols for dynamically reconfigurable networks
Ufuk Topcu (Univ. of Pennsylvania), www.seas.upenn.edu/~UTopcu

Outline:
• Reconfiguration in electric power networks on aircraft
• An academic testbed
• Newer thoughts: reconfiguration in software-based networks

Collaboration with Murray, Ozay, Xu (Caltech), Rogersten (KTH) and Wang (UPenn)
References: CDC ’12, IEEE TII ’13 (review), HSCC ’13, CDC ’11
More-electric aircraft
Electrically powered systems (rather than pneumatically or hydraulically):
• air conditioning & cabin pressurization
• brakes & landing gear
• wing ice protection

Opportunities:
• More efficient
  - Less power off-take from engines
  - Lower losses due to transfer
• Right function at the right time
• Weight reductions
  - Electrical systems heavier than conventional counterparts
  - System-level power and energy optimization is key

Challenges:
• Safety-critical electric power system
• Distributed architectures
• Increased complexity

[Figure: bar chart of power generation capacity (MVA) for the B767, A330, A340, A380 and B787; data: Frost & Sullivan (2008)]
[Figure: block diagram of the 787 electric power architecture: power generation, power electronics, distribution and conversion, and the loads (fan controllers, cooling systems, flight control actuators, avionics/IFE, electric brakes, WIPS, cabin air compressor, electrically driven hydraulic pumps). The 787 has a total of 1 MW of power-electronics loads. Picture from: www.ece.cmu.edu/~electriconf/2008/PDFs/Karimi.pdf]
Ufuk Topcu, UPenn 2
Single-line diagram
• Generation
  - Engines
  - APUs
  - External power
• Buses
  - AC vs DC
  - Essential vs non-essential
  - High vs low voltage
• Loads
• Transformers
• Rectifier units
• Contactors

[Figure: single-line diagram with generators, contactors, high-voltage AC buses, high-voltage rectifier units, high-voltage DC buses, transformers, low-voltage AC buses and low-voltage DC buses. Figure adapted from US Patent 7439634 B2 by Rich Poisson (UTAS)]
Dynamic reconfiguration
Reconfigure the network by opening and/or closing the contactors in reaction to changes in the environment:
• health status of the components
• flight phase
• pilot requests
so as to satisfy safety and performance specifications.

[Figure: single-line diagram with ENGINE 1, APU, Start Bus 1 and 2, HVAC Bus 1–4, HVRU 1–4, BAT1, BAT2, HVDC Bus 1 and 2, ESS buses and motor drives]
Sample specifications
Requirements:
• No AC bus shall be simultaneously powered by more than one AC source
• Essential AC buses shall never be unpowered for more than 50 msec
• Do not exceed the capacity of the generator
• Do not lose more than one bus for a single failure
• Buses shall be powered according to their priority tables
• Bounds on the number and sequence of contactor switchings

Assumptions:
• Known reliability of components
• Worst-case bounds on contactor switching times
• Typical failure modes to react to

[Figure: portion of the single-line diagram with ENGINE 1, APU, Start Bus 1, HVAC Bus 1–3, HVRU 1–3 and BAT1]
Workflow
Abstract Model: Single Line Diagram + Formal Specifications (Temporal Logic)
→ TuLiP: Python-based toolbox for automatic controller synthesis
→ Software Models: Simulink + Power Systems Toolbox
→ Hardware Implementation

[Figure: single-line diagram for the testbed]
Formal specifications (a subset of them)
Requirements:
• Always open contactors neighboring an unhealthy generator
• No paralleling
• “Flow direction” through contactor
• Bounded duration of “unpoweredness” of essential buses -- introduce a clock
• Buses are powered only if connected to a healthy generator or a powered bus

Assumptions:
• At least one of the generators is always healthy

[Figure: single-line diagram with generators G1–G4, contactors C1–C7 and buses B1–B4]
Reactive synthesis as a two-player temporal logic game
Given:
• Environment (e) and controlled (p) variables over finite domains
• Temporal logic specification $\varphi(e, p) = \varphi^e \rightarrow \varphi^s$
Find: a map F such that s = (p, e) realizes the specification.
[Figure: block F with the environment signal e as input and the controlled variables p as output]
Can be formulated as a game between the environment and the system.

Solving the game: both sides ($\alpha \in \{e, s\}$) are of the form
$\varphi_\alpha = \theta_\alpha \wedge \bigwedge_{i \in K_\alpha} \Box \psi_\alpha^i \wedge \bigwedge_{i \in L_\alpha} \Box \Diamond J_\alpha^i$
where $\theta_\alpha$ gives the initial conditions, the $\Box \psi_\alpha^i$ terms give safety and transition constraints (always), and the $\Box \Diamond J_\alpha^i$ terms give fairness and goal conditions (always eventually).
• Intractable for general LTL
• Polynomial complexity for GR[1] specifications [Piterman et al., 2007 & 2011]
Structure of the controller
Automaton representation, with
• e: health status of the generators
• p: contactor status & bus powered
• s = (e, p)
Strategy: $f : (s_0 s_1 \ldots s_t, e_{t+1}) \mapsto p_{t+1}$

[Figure: single-line diagram (G1–G4, C1–C7, B1–B4) and the synthesized automaton, whose states are labelled by valuations of e and p]
A sample simulation -- sanity check
Given arbitrary, admissible environment signals, read the system outputs from the automaton.
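The game on the reactive-synthesis and controller-structure slides, worked through on a toy network as an added example (this is not code from the talk, the testbed, or TuLiP). It assumes a constructed single-line topology with two generators, three contactors and two buses, keeps only the safety part of the GR[1] form (initial conditions plus "always" constraints; no fairness or goals), replaces the 50 msec unpoweredness bound with "never unpowered" in the discrete step, and adds a bound on contactor switchings per step. The solver computes the winning set as a greatest fixed point, extracts a memoryless strategy of the form f(s_t, e_{t+1}) = p_{t+1}, and the `run` helper reads outputs off the strategy for an admissible environment trace, as in the sanity-check simulation; when the trace violates the environment assumption it has no "next" value to assign, which is the situation the later hardware-test slide describes.

```python
"""Explicit-state safety game for a constructed toy single-line network.

Topology (an assumption for this example, not the testbed's):
    G1 --C1-- B1 --C3-- B2 --C2-- G2
Environment variables e = (g1, g2): generator health (1 = healthy).
Controlled variables p = (c1, c2, c3): contactor state (1 = closed).
"""
from itertools import product


def powered(e, p):
    """Bus power flags (B1, B2): a bus is powered only if it is connected,
    through closed contactors, to a healthy generator or a powered bus."""
    g1, g2 = e
    c1, c2, c3 = p
    b1 = (c1 and g1) or (c3 and c2 and g2)
    b2 = (c2 and g2) or (c3 and c1 and g1)
    return (bool(b1), bool(b2))


def env_admissible(e):
    """Environment assumption: at least one generator is always healthy."""
    return any(e)


def sys_safe(e, p):
    """System safety requirements evaluated on one state (e, p)."""
    g1, g2 = e
    c1, c2, c3 = p
    if (c1 and not g1) or (c2 and not g2):
        return False        # contactor next to an unhealthy generator must be open
    if c1 and c2 and c3:
        return False        # no paralleling: both generators feeding the same bus
    b1, b2 = powered(e, p)
    return b1 and b2        # both buses essential: never unpowered (no clock here)


def switches(p, q):
    """Number of contactors that change state between p and q."""
    return sum(a != b for a, b in zip(p, q))


ENVS = [e for e in product((0, 1), repeat=2) if env_admissible(e)]
CTRLS = list(product((0, 1), repeat=3))


def solve(max_switches):
    """Greatest fixed point of the controllable predecessor: a state stays
    winning if, for every admissible next environment move, some controlled
    move within the switching bound leads back into the winning set.
    Returns (realizable, winning_set, strategy) with a memoryless strategy
    (current state, next e) -> next p."""
    win = {(e, p) for e in ENVS for p in CTRLS if sys_safe(e, p)}
    while True:
        keep = set()
        for e, p in win:
            if all(any((e2, q) in win and switches(p, q) <= max_switches
                       for q in CTRLS) for e2 in ENVS):
                keep.add((e, p))
        if keep == win:
            break
        win = keep
    # Realizable iff every admissible initial environment admits a winning p.
    realizable = all(any((e, p) in win for p in CTRLS) for e in ENVS)
    strategy = {}
    for e, p in win:
        for e2 in ENVS:
            candidates = [q for q in CTRLS
                          if (e2, q) in win and switches(p, q) <= max_switches]
            # Prefer the move with the fewest contactor switchings.
            strategy[((e, p), e2)] = min(candidates, key=lambda q: switches(p, q))
    return realizable, win, strategy


def run(solution, env_trace):
    """Sanity-check simulation: read controlled outputs off the strategy for an
    environment trace. Raises when the trace violates the environment
    assumption, because then no "next" controlled value is defined."""
    realizable, win, strategy = solution
    if not realizable:
        raise ValueError("specification is not realizable")
    e = env_trace[0]
    p = min((q for q in CTRLS if (e, q) in win), key=sum)  # fewest closed contactors
    trace = [(e, p)]
    for step, e2 in enumerate(env_trace[1:], start=1):
        if not env_admissible(e2):
            raise ValueError(f"step {step}: environment assumption violated, no next value")
        p = strategy[((e, p), e2)]
        e = e2
        trace.append((e, p))
    return trace


if __name__ == "__main__":
    for k in (2, 1):
        ok, win, _ = solve(k)
        print(f"max {k} switching(s) per step: realizable={ok}, winning states={len(win)}")
    # Constructed environment trace: G2 fails, stays failed, recovers, then G1 fails.
    for e, p in run(solve(2), [(1, 1), (1, 0), (1, 0), (1, 1), (0, 1)]):
        print("health", e, "contactors", p, "buses", powered(e, p))
```

With at most two switchings per step the specification is realizable and every safe state is winning; with at most one it is unrealizable, because handing a bus over from one generator to the other always needs two contactor changes at once. That is the kind of bound the "bounds on the number and sequence of contactor switchings" requirement trades off against the unpoweredness bound.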
Overview of testbed functionality
A look at the testbed
[Figure: annotated photograph of the testbed: sensing; switchboard (i.e., contactors); power circuitry and sources; more cables; connection to controller; rectifier unit; AC loads; switches to induce failures; transformer; DC loads]
Hardware tests -- normal operation
[Figure: measured traces from the testbed, annotated: AC generator fault, controller reacts, generator on again]
Hardware tests -- environment assumptions violated
Both transformers become unhealthy simultaneously---violating an assumption---and the controller cannot assign a “next” value for the controlled variables.
[Figure: the controller automaton, annotated at the point where the “next” controlled-variable value is assigned]
Limitations and lessons
Sensing and perception are important and often ignored.
• Matching the sensing modalities in theory and practice
• Limitations in sensing
• Uncertainties in perception

Have ignored most of the hard timing constraints.

Have mostly ignored the underlying dynamics.
• Seems to work fine at this level of detail
• In general, need for hierarchical control

Controller structure is key for...
• Reliability
• Scalability

[Figure: single-line diagram of the testbed (ENGINE 1, APU, ENGINE 2, Start Bus 1 and 2, HVAC Bus 1–4, HVRU 1–4, BAT1, BAT2, HVDC Bus 1 and 2, ESS buses, motor drives) and a sketch of a hierarchical controller structure with nodes A1–A4, B1–B2 and C1–C2]
Compositional synthesis of distributed protocols
Global specification $\varphi^e \rightarrow \varphi^s$; local specifications $\varphi^e_i \rightarrow \varphi^s_i$ for subsystems $S_i$ with local controllers $K_i$. Taken together, the local environment assumptions ($\bigwedge_i \varphi^e_i$) are “weaker” and the local system requirements ($\bigwedge_i \varphi^s_i$) are “stronger” than the global ones.

[Figure: subsystems S1, S2, S3 with local controllers K1, K2, K3, connected by physical coupling and information flow and driven by an exogenous signal; each is annotated with its contract $\varphi^e_i \rightarrow \varphi^s_i$]

Extra (mild) technical conditions: no common controlled variables, and loops are well-posed.

Fact: $\varphi^e \rightarrow \varphi^s$ is realizable if every $\varphi^e_i \rightarrow \varphi^s_i$ is realizable.

Contracts formalize information exchange,...
• design-time---between the design teams---and
• run-time---between the subsystems.
Distributed controllers for the power network
Master (SYS2) / Slave (SYS1):
• Uni-directional power flow (SYS2 → SYS1)
• Assume always $A_R$ or $G_R$ healthy
• SYS2 sees the health status of SYS1
• Make $B_3$ an essential bus

Decentralized:
• Bi-directional power flow
• Restrictions to avoid deadlock
• Make $B_2$ and $B_3$ essential buses
• Additional assumptions on both sides

Example formulas shown on the slide:
$\Box(G_L = 0 \wedge A_L = 0 \rightarrow C_4 = -1)$
$\Box(G_R = 0 \vee G_L = 0 \vee B_2 = 1)$

[Figure: single-line diagram split into SYS1 and SYS2, with generators $A_L$, $A_R$, $G_R$, $G_L$, contactors C1–C7 and buses B1–B4; arrows mark the flow of power and of the health status of the SYS1 generators]