Quantized Feedback Control Software Synthesis from System Level Formal
  Specifications for Buck DC/DC Converters by Mari, Federico et al.
Federico Mari, Igor Melatti, Ivano Salvo, Enrico Tronci
Department of Computer Science
Sapienza University of Rome
via Salaria 113, 00198 Rome
email: {mari,melatti,salvo,tronci}@di.uniroma1.it
November 5, 2018
Abstract
Many Embedded Systems are indeed Software Based Control Sys-
tems (SBCSs), that is control systems whose controller consists of
control software running on a microcontroller device. This motivates
investigation on Formal Model Based Design approaches for automatic
synthesis of SBCS control software. In previous works we presented
an algorithm, along with a tool QKS implementing it, that from a for-
mal model (as a Discrete Time Linear Hybrid System, DTLHS) of the
controlled system (plant), implementation specifications (that is, num-
ber of bits in the Analog-to-Digital, AD, conversion) and System Level
Formal Specifications (that is, safety and liveness requirements for the
closed loop system) returns correct-by-construction control software
that has a Worst Case Execution Time (WCET) linear in the number
of AD bits and meets the given specifications. In this technical report
we present full experimental results on using it to synthesize control
software for two versions of buck DC-DC converters (single-input and
multi-input), a widely used mixed-mode analog circuit.
arXiv:1105.5640v5 [cs.SY] 20 Jun 2012
1. Every T seconds (sampling time) do
2.   Read AD conversion x̂ of plant sensor outputs x
3.   If (x̂ is not in the Controllable_Region)
4.   Then // Exception (Fault Detected):
5.     Start Fault Isolation and Recovery (FDIR)
6.   Else // Nominal case:
7.     Compute (Control_Law) command û from x̂
8.     Send DA conversion u of û to plant actuators
Figure 1: A typical control loop skeleton
1 Introduction
Many Embedded Systems are indeed Software Based Control Systems (SBCSs).
An SBCS consists of two main subsystems: the controller and the plant. Typ-
ically, the plant is a physical system consisting, for example, of mechanical or
electrical devices whereas the controller consists of control software running
on a microcontroller. In an endless loop, the controller reads sensor outputs
from the plant and sends commands to plant actuators in order to guaran-
tee that the closed loop system (that is, the system consisting of both plant
and controller) meets given safety and liveness specifications (System Level
Formal Specifications).
Software generation from models and formal specifications forms the core
of Model Based Design of embedded software [2]. This approach is par-
ticularly interesting for SBCSs since in such a case system level (formal)
specifications are much easier to define than the control software behavior
itself.
Fig. 1 shows the typical control loop skeleton for an SBCS. Measures
from plant sensors go through an AD (analog-to-digital) conversion (quan-
tization) before being processed (line 2) and commands from the control
software go through a DA (digital-to-analog) conversion before being sent to
plant actuators (line 8). Basically, the control software design problem for
SBCSs consists in designing software implementing functions Control_Law
and Controllable_Region computing, respectively, the command to be sent
to the plant (line 7) and the set of states on which the Control_Law function
works correctly (Fault Detection in line 3).
In [5] we presented an algorithm and a tool QKS that from the plant
model (as a hybrid system), from formal specifications for the closed loop
system behaviour (System Level Formal Specifications) and from implemen-
tation specifications (that is, number of bits used in the quantization process)
can generate correct-by-construction control software satisfying the given
specifications.
In this technical report we present full experimental results on using it
to synthesize control software for two versions of buck DC-DC converters
(single-input and multi-input), a widely used mixed-mode analog circuit.
2 Background
We denote with [n] an initial segment {1, . . . , n} of the natural numbers. We
denote with $X = [x_1, \ldots, x_n]$ a finite sequence (list) of variables. By abuse
of language we may regard sequences as sets and we use ∪ to denote list
concatenation. Each variable x ranges on a known (bounded or unbounded)
interval $D_x$ either of the reals or of the integers (discrete variables). We
denote with $D_X$ the set $\prod_{x \in X} D_x$. To clarify that a variable x is continuous
(i.e. real valued) we may write $x^r$. Similarly, to clarify that a variable x
is discrete (i.e. integer valued) we may write $x^d$. Boolean variables are
discrete variables ranging on the set B = {0, 1}. We may write $x^b$ to denote
a boolean variable. Analogously $X^r$ ($X^d$, $X^b$) denotes the sequence of real
(integer, boolean) variables in X. Finally, if x is a boolean variable we write
$\bar{x}$ for (1 − x).
2.1 Predicates
A linear expression over a list of variables X is a linear combination of vari-
ables in X with real coefficients. A linear constraint over X (or simply a
constraint) is an expression of the form L(X) ≤ b, where L(X) is a linear
expression over X and b is a real constant.
Predicates are inductively defined as follows. A constraint C(X) over a list
of variablesX is a predicate overX. If A(X) andB(X) are predicates overX,
then (A(X)∧B(X)) and (A(X)∨B(X)) are predicates over X. Parentheses
may be omitted, assuming usual associativity and precedence rules of logical
operators. A conjunctive predicate is a conjunction of constraints. For linear
constraints we write: L(X) ≥ b for −L(X) ≤ −b, L(X) = b for ((L(X) ≤ b)
∧ (−L(X) ≤ −b)) and a ≤ x ≤ b for x ≥ a ∧ x ≤ b, being x ∈ X.
A valuation over a list of variables X is a function v that maps each
variable x ∈ X to a value v(x) in Dx. We denote with X∗ ∈ DX the sequence
of values [v(x1), . . . , v(xn)]. By abuse of language, we call valuation also the
sequence of values X∗. A satisfying assignment to a predicate P over X is a
valuation X∗ such that P (X∗) holds. Abusing notation, we may denote with
P the set of satisfying assignments to the predicate P (X). Two predicates
P and Q over X are equivalent, notation P ≡ Q, if they have the same set
of satisfying assignments.
A variable x ∈ X is said to be bounded in P if there exist a, b ∈ Dx such
that P (X) implies a ≤ x ≤ b. A predicate P is bounded if all its variables
are bounded.
Given a constraint C(X) and a fresh boolean variable (guard) y ∉ X,
the guarded constraint y → C(X) (if y then C(X)) denotes the predicate
((y = 0) ∨ C(X)). Similarly, we use $\bar{y}$ → C(X) (if not y then C(X)) to
denote the predicate ((y = 1) ∨ C(X)). A guarded predicate is a conjunction
of either constraints or guarded constraints.
When a guarded predicate is bounded, it can be easily transformed into
a conjunctive predicate, as stated by the following proposition.
Proposition 1. For each bounded guarded predicate P (X), there exists an
equivalent bounded conjunctive predicate Q(X).
3 Discrete Time Linear Hybrid Systems
In this section we introduce our class of Discrete Time Linear Hybrid Systems
(DTLHS for short).
Definition 1. A Discrete Time Linear Hybrid System is a tuple H = (X,
U, Y, N) where:
• $X = X^r \cup X^d \cup X^b$ is a finite sequence of real ($X^r$), discrete ($X^d$) and
boolean ($X^b$) present state variables. We denote with X′ the sequence
of next state variables obtained by decorating with ′ all variables in X.
• $U = U^r \cup U^d \cup U^b$ is a finite sequence of input variables.
• $Y = Y^r \cup Y^d \cup Y^b$ is a finite sequence of auxiliary variables. Auxiliary
variables are typically used to model modes (e.g., from switching
elements such as diodes) or uncontrollable inputs (e.g., disturbances).
• N(X, U, Y, X′) is a conjunctive predicate over X ∪ U ∪ Y ∪ X′ defining
the transition relation (next state) of the system.
A DTLHS is bounded if predicate N is bounded.
Figure 2: Single-input buck DC-DC converter
By Prop. 1, any bounded guarded predicate can be transformed into
a conjunctive predicate. For the sake of readability, we will use bounded
guarded predicates to describe the transition relation of bounded DTLHSs.
Note that DTLHSs can effectively model linear algebraic constraints involv-
ing both continuous as well as discrete variables. Therefore many embedded
control systems may be modeled as DTLHSs.
4 Single-input Buck DC-DC Converter
The buck DC-DC converter (Fig. 2) is a mixed-mode analog circuit converting
the DC input voltage ($V_{in}$ in Fig. 2) to a desired DC output voltage
($v_O$ in Fig. 2). As an example, buck DC-DC converters are used off-chip to
scale down the typical laptop battery voltage (12-24) to the few volts
needed by the laptop processor (e.g. [8]), as well as on-chip to support Dynamic
Voltage and Frequency Scaling (DVFS) in multicore processors (e.g.
[3, 7]). Because of their widespread use, control schemas for buck DC-DC
converters have been widely studied (e.g. see [3, 7, 8, 9]). The typical software
based approach (e.g. see [8]) is to control the switch u in Fig. 2 (typically
implemented with a MOSFET) with a microcontroller.
Designing the software to run on the microcontroller to properly actu-
ate the switch is the control software design problem for the buck DC-DC
converter in our context.
The circuit in Fig. 2 can be modeled as a DTLHS H = (X, U, Y, N). The
circuit state variables are $i_L$ and $v_C$. However we can also use the pair $i_L$,
$v_O$ as state variables in the model of H, since there is a linear relationship between
$i_L$, $v_C$ and $v_O$, namely: $v_O = \frac{r_C R}{r_C + R} i_L + \frac{R}{r_C + R} v_C$. Such considerations lead
us to use the following sets of variables to model H: $X = X^r = [i_L, v_O]$, $U = U^b = [u]$,
$Y = Y^r \cup Y^b$ with $Y^r = [i_u, v_u, i_D, v_D]$ and $Y^b = [q]$. Note how the
auxiliary variables Y of H stem from the constitutive equations of the switching
elements (i.e. the switch u and the diode D in Fig. 2). From a simple circuit
analysis (e.g. see [4]) we have the following equations:
$\dot{i}_L = a_{1,1} i_L + a_{1,2} v_O + a_{1,3} v_D$ (1)
$\dot{v}_O = a_{2,1} i_L + a_{2,2} v_O + a_{2,3} v_D$ (2)
where the coefficients $a_{i,j}$ depend on the circuit parameters R, $r_L$, $r_C$, L
and C in the following way: $a_{1,1} = -\frac{r_L}{L}$, $a_{1,2} = -\frac{1}{L}$, $a_{1,3} = -\frac{1}{L}$,
$a_{2,1} = \frac{R}{r_C + R}\left[-\frac{r_C r_L}{L} + \frac{1}{C}\right]$, $a_{2,2} = \frac{-1}{r_C + R}\left[\frac{r_C R}{L} + \frac{1}{C}\right]$,
$a_{2,3} = -\frac{1}{L}\frac{r_C R}{r_C + R}$. Using a discrete time
model with sampling time T (writing x′ for x(t + 1)) we have:
$i'_L = (1 + T a_{1,1}) i_L + T a_{1,2} v_O + T a_{1,3} v_D$ (3)
$v'_O = T a_{2,1} i_L + (1 + T a_{2,2}) v_O + T a_{2,3} v_D$. (4)
The algebraic constraints stemming from the constitutive equations of
the switching elements are the following:
$q \rightarrow v_D = R_{on} i_D$ (5)
$q \rightarrow i_D \ge 0$ (6)
$u \rightarrow v_u = R_{on} i_u$ (7)
$v_D = v_u - V_{in}$ (8)
$\bar{q} \rightarrow v_D = R_{off} i_D$ (9)
$\bar{q} \rightarrow v_D \le 0$ (10)
$\bar{u} \rightarrow v_u = R_{off} i_u$ (11)
$i_D = i_L - i_u$ (12)
The transition relation N of H is given by the conjunction of the constraints
in Eqs. (3)–(12) and the following explicit (safety) bounds:
$-4 \le i_L \le 4 \wedge -1 \le v_O \le 7 \wedge -10^3 \le i_D \le 10^3 \wedge -10^3 \le i_u \le 10^3 \wedge -10^7 \le v_u \le 10^7 \wedge -10^7 \le v_D \le 10^7$.
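The following added example (not code from the paper or from QKS) evaluates one transition of the single-input model: it resolves Eqs. (5)–(12) for a given u and i_L, then applies Eqs. (3)–(4) and the explicit bounds. It uses the constants reported in Sect. 6.1 with nominal load and supply; all function names are assumptions of this example.

```python
# Added example: one transition of the single-input buck DTLHS of Sect. 4.
# Constants are those of Sect. 6.1, with nominal load and supply.
T, L, R_L, R_C, R, C = 1e-6, 2e-4, 0.1, 0.1, 5.0, 5e-5
V_IN, R_ON, R_OFF = 15.0, 0.0, 1e4

# Explicit (safety) bounds that are part of the transition relation N.
BOUNDS = {
    "i_L": (-4.0, 4.0), "v_O": (-1.0, 7.0),
    "i_D": (-1e3, 1e3), "i_u": (-1e3, 1e3),
    "v_u": (-1e7, 1e7), "v_D": (-1e7, 1e7),
}


def coefficients():
    """Coefficients a_{i,j} of Eqs. (1)-(2) from the circuit parameters."""
    a11, a12, a13 = -R_L / L, -1.0 / L, -1.0 / L
    a21 = R / (R_C + R) * (-R_C * R_L / L + 1.0 / C)
    a22 = -1.0 / (R_C + R) * (R_C * R / L + 1.0 / C)
    a23 = -(1.0 / L) * R_C * R / (R_C + R)
    return (a11, a12, a13), (a21, a22, a23)


def solve_switching(u, i_l):
    """Find q, i_u, i_D, v_u, v_D satisfying Eqs. (5)-(12) for given u, i_L."""
    r_u = R_ON if u else R_OFF                  # Eq. (7) or Eq. (11)
    for q in (1, 0):
        r_d = R_ON if q else R_OFF              # Eq. (5) or Eq. (9)
        if r_u + r_d == 0:
            continue  # u = q = 1 with R_on = 0 would need 0 = -V_in
        # Eqs. (8) and (12) with v_u = r_u * i_u and v_D = r_d * i_D.
        i_d = (r_u * i_l - V_IN) / (r_u + r_d)
        i_u = i_l - i_d
        v_u, v_d = r_u * i_u, r_d * i_d
        if (q and i_d >= 0) or (not q and v_d <= 0):   # Eq. (6) or Eq. (10)
            return {"q": q, "i_u": i_u, "i_D": i_d, "v_u": v_u, "v_D": v_d}
    return None


def step(i_l, v_o, u):
    """Next state (i_L', v_O') under N, or None if N admits no transition."""
    aux = solve_switching(u, i_l)
    if aux is None:
        return None
    values = dict(aux, i_L=i_l, v_O=v_o)
    if not all(lo <= values[k] <= hi for k, (lo, hi) in BOUNDS.items()):
        return None
    (a11, a12, a13), (a21, a22, a23) = coefficients()
    v_d = aux["v_D"]
    next_i = (1 + T * a11) * i_l + T * a12 * v_o + T * a13 * v_d   # Eq. (3)
    next_v = T * a21 * i_l + (1 + T * a22) * v_o + T * a23 * v_d   # Eq. (4)
    return next_i, next_v


def steps_until_unsafe(u, i_l=0.0, v_o=0.0, limit=1000):
    """Number of admissible transitions while the switch is held at u."""
    for k in range(limit):
        nxt = step(i_l, v_o, u)
        if nxt is None:
            return k
        i_l, v_o = nxt
    return limit


if __name__ == "__main__":
    print(solve_switching(1, 0.0))   # switch closed: diode blocks
    print(solve_switching(0, 1.0))   # switch open: diode conducts
    print(step(0.0, 0.0, 1))
    print(steps_until_unsafe(1))     # switch held closed leaves the bounds
```

Holding the switch closed from the origin drives i_L past its bound of 4 within a few tens of sampling periods, which is the behaviour the synthesized control law has to prevent.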
4.1 Modelling Robustness on Input Vin and Load R
In this section we address the problem of refining the model given in Sect. 4
so as to require a controller for our single-input buck to be robust to foreseen
variations in the load R and in the power supply Vin. That is, given tolerances
ρR and ρVin , we want the controller output by QKS for our single-input
buck to work for any R ∈ [max{0, R(1 − ρR)}, R(1 + ρR)] and any Vin ∈
[max{0, Vin(1− ρVin)}, Vin(1 + ρVin)].
Variations in the power supply are modeled by replacing Eq. (8) in Sect. 4
with the following:
$v_D \le v_u - V_{in}(1 - \rho_{V_{in}})$ (13)
$v_D \ge v_u - V_{in}(1 + \rho_{V_{in}})$ (14)
Along the same lines, we may model also variations in the load R. How-
ever, since N dynamics is not linear in R, much more work is needed (along
the lines of [1]). To this aim, we proceed as follows.
The only equation depending on R is Eq. (4) of Sect. 4. Consider constants
$a_{2,1}(R) = \frac{R}{r_C + R}\left[-\frac{r_C r_L}{L} + \frac{1}{C}\right]$, $a_{2,2}(R) = \frac{-1}{r_C + R}\left[\frac{r_C R}{L} + \frac{1}{C}\right]$, $a_{2,3}(R) = -\frac{1}{L}\frac{r_C R}{r_C + R}$
as (nonlinear) functions of R. It is easy to see that $a_{2,1}(R)$, $a_{2,2}(R)$ are monotonically
increasing functions for $R \in \mathbb{R}^+$, while $a_{2,3}(R)$ is monotonically decreasing
for $R \in \mathbb{R}^+$. Thus, if the signs of $i_L$, $v_O$, $v_D$ are known, it is possible to
replace Eq. (4) with the two inequalities
$v'_O \ge T a_{2,1}(R^-_{i_L}) i_L + (1 + T a_{2,2}(R^-_{v_O})) v_O + T a_{2,3}(R^-_{v_D}) v_D$
and
$v'_O \le T a_{2,1}(R^+_{i_L}) i_L + (1 + T a_{2,2}(R^+_{v_O})) v_O + T a_{2,3}(R^+_{v_D}) v_D$,
where
• $R^-_w$ = if w ≥ 0 then $R(1 - \rho_R)$ else $R(1 + \rho_R)$ and $R^+_w$ = if w ≥ 0
then $R(1 + \rho_R)$ else $R(1 - \rho_R)$ for $w \in \{i_L, v_O\}$;
• $R^-_{v_D}$ = if $v_D \ge 0$ then $R(1 + \rho_R)$ else $R(1 - \rho_R)$ and $R^+_{v_D}$ = if $v_D \ge 0$
then $R(1 - \rho_R)$ else $R(1 + \rho_R)$.
This leads us to replace Eq. (4) of Sect. 4 with the equations in Fig. 3.
Note that, w.r.t. the model in Sect. 4, in Fig. 3 we add to $Y^b$ 11 auxiliary
boolean variables $z_{i_L}$, $z_{v_O}$, $z_{v_D}$, $z_{ppp}$, $z_{ppn}$, $z_{pnp}$, $z_{pnn}$,
$z_{npp}$, $z_{npn}$, $z_{nnp}$, $z_{nnn}$ with the following meaning. The
boolean variable $z_{i_L}$ [$z_{v_O}$, $z_{v_D}$] is true iff $i_L$ [$v_O$, $v_D$] is positive (see Eqs. (15)
and (18) [Eqs. (16) and (19), Eqs. (17) and (20)]). The boolean variable $z_{abc}$,
with a, b, c ∈ {p, n}, is true iff (if a = p then $i_L \ge 0$ else $i_L \le 0$) ∧ (if
b = p then $v_O \ge 0$ else $v_O \le 0$) ∧ (if c = p then $v_D \ge 0$ else $v_D \le 0$).
This is stated by Eqs. (21)–(28). Finally, we use boolean variables $z_{abc}$ as
guards for the inequalities replacing Eq. (4) as stated before. This is done in
Eqs. (29)–(44).
$z_{i_L} \rightarrow i_L \ge 0$ (15)
$z_{v_O} \rightarrow v_O \ge 0$ (16)
$z_{v_D} \rightarrow v_D \ge 0$ (17)
$\bar{z}_{i_L} \rightarrow i_L \le 0$ (18)
$\bar{z}_{v_O} \rightarrow v_O \le 0$ (19)
$\bar{z}_{v_D} \rightarrow v_D \le 0$ (20)
$z_{ppp} \rightarrow 1 - z_{i_L} + 1 - z_{v_O} + 1 - z_{v_D} \ge 1$ (21)
$z_{pnp} \rightarrow 1 - z_{i_L} + z_{v_O} + 1 - z_{v_D} \ge 1$ (22)
$z_{ppn} \rightarrow 1 - z_{i_L} + 1 - z_{v_O} + z_{v_D} \ge 1$ (23)
$z_{pnn} \rightarrow 1 - z_{i_L} + z_{v_O} + z_{v_D} \ge 1$ (24)
$z_{npp} \rightarrow z_{i_L} + 1 - z_{v_O} + 1 - z_{v_D} \ge 1$ (25)
$z_{nnp} \rightarrow z_{i_L} + z_{v_O} + 1 - z_{v_D} \ge 1$ (26)
$z_{npn} \rightarrow z_{i_L} + 1 - z_{v_O} + z_{v_D} \ge 1$ (27)
$z_{nnn} \rightarrow z_{i_L} + z_{v_O} + z_{v_D} \ge 1$ (28)
$z_{ppp} \rightarrow v'_O \le T a^{(M)}_{2,1} i_L + (T a^{(M)}_{2,2} + 1) v_O + T a^{(m)}_{2,3} v_D$ (29)
$z_{ppp} \rightarrow v'_O \ge T a^{(m)}_{2,1} i_L + (T a^{(m)}_{2,2} + 1) v_O + T a^{(M)}_{2,3} v_D$ (30)
$z_{ppn} \rightarrow v'_O \le T a^{(M)}_{2,1} i_L + (T a^{(M)}_{2,2} + 1) v_O + T a^{(M)}_{2,3} v_D$ (31)
$z_{ppn} \rightarrow v'_O \ge T a^{(m)}_{2,1} i_L + (T a^{(m)}_{2,2} + 1) v_O + T a^{(m)}_{2,3} v_D$ (32)
$z_{pnp} \rightarrow v'_O \le T a^{(M)}_{2,1} i_L + (T a^{(m)}_{2,2} + 1) v_O + T a^{(m)}_{2,3} v_D$ (33)
$z_{pnp} \rightarrow v'_O \ge T a^{(m)}_{2,1} i_L + (T a^{(M)}_{2,2} + 1) v_O + T a^{(M)}_{2,3} v_D$ (34)
$z_{pnn} \rightarrow v'_O \le T a^{(M)}_{2,1} i_L + (T a^{(m)}_{2,2} + 1) v_O + T a^{(M)}_{2,3} v_D$ (35)
$z_{pnn} \rightarrow v'_O \ge T a^{(m)}_{2,1} i_L + (T a^{(M)}_{2,2} + 1) v_O + T a^{(m)}_{2,3} v_D$ (36)
$z_{npp} \rightarrow v'_O \le T a^{(m)}_{2,1} i_L + (T a^{(M)}_{2,2} + 1) v_O + T a^{(m)}_{2,3} v_D$ (37)
$z_{npp} \rightarrow v'_O \ge T a^{(M)}_{2,1} i_L + (T a^{(m)}_{2,2} + 1) v_O + T a^{(M)}_{2,3} v_D$ (38)
$z_{npn} \rightarrow v'_O \le T a^{(m)}_{2,1} i_L + (T a^{(M)}_{2,2} + 1) v_O + T a^{(M)}_{2,3} v_D$ (39)
$z_{npn} \rightarrow v'_O \ge T a^{(M)}_{2,1} i_L + (T a^{(m)}_{2,2} + 1) v_O + T a^{(m)}_{2,3} v_D$ (40)
$z_{nnp} \rightarrow v'_O \le T a^{(m)}_{2,1} i_L + (T a^{(m)}_{2,2} + 1) v_O + T a^{(m)}_{2,3} v_D$ (41)
$z_{nnp} \rightarrow v'_O \ge T a^{(M)}_{2,1} i_L + (T a^{(M)}_{2,2} + 1) v_O + T a^{(M)}_{2,3} v_D$ (42)
$z_{nnn} \rightarrow v'_O \le T a^{(m)}_{2,1} i_L + (T a^{(m)}_{2,2} + 1) v_O + T a^{(M)}_{2,3} v_D$ (43)
$z_{nnn} \rightarrow v'_O \ge T a^{(M)}_{2,1} i_L + (T a^{(M)}_{2,2} + 1) v_O + T a^{(m)}_{2,3} v_D$ (44)
Figure 3: DTLHS Buck Model Robust on R
Figure 4: Multi-input Buck DC-DC converter
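The following added example (not code from the paper or from QKS) carries out the bounding argument of this section numerically: it picks the extreme loads per sign as in the two bullets, builds the lower and upper bounds on v′_O, and checks that they enclose the exact Eq. (4) value for every load in the tolerance interval. It assumes the constants of Sect. 6.1 and reads the superscripts (M) and (m) of Fig. 3 as "coefficient evaluated at R(1 + ρ_R)" and "at R(1 − ρ_R)", which the text does not state explicitly; all function names are assumptions.

```python
# Added example: interval bounds on v_O' under load tolerance (Sect. 4.1).
T, L, R_L, R_C, R_NOM, C = 1e-6, 2e-4, 0.1, 0.1, 5.0, 5e-5   # Sect. 6.1
RHO_R = 0.25


def a2(load):
    """a_{2,1}(R), a_{2,2}(R), a_{2,3}(R) of Eq. (4) as functions of R."""
    a21 = load / (R_C + load) * (-R_C * R_L / L + 1.0 / C)
    a22 = -1.0 / (R_C + load) * (R_C * load / L + 1.0 / C)
    a23 = -(1.0 / L) * R_C * load / (R_C + load)
    return a21, a22, a23


def vo_next(i_l, v_o, v_d, load):
    """Exact right-hand side of Eq. (4) for one fixed load."""
    a21, a22, a23 = a2(load)
    return T * a21 * i_l + (1 + T * a22) * v_o + T * a23 * v_d


def extreme_loads(i_l, v_o, v_d, rho=RHO_R):
    """Loads R^-_w (lower bound) and R^+_w (upper bound), w = i_L, v_O, v_D."""
    r_min, r_max = max(0.0, R_NOM * (1 - rho)), R_NOM * (1 + rho)
    lower, upper = [], []
    # a_{2,1} and a_{2,2} increase with R; a_{2,3} decreases, so for v_D
    # the roles of r_min and r_max are swapped.
    for w, increasing in ((i_l, True), (v_o, True), (v_d, False)):
        small_at_r_min = (w >= 0) == increasing
        lower.append(r_min if small_at_r_min else r_max)
        upper.append(r_max if small_at_r_min else r_min)
    return lower, upper


def vo_next_bounds(i_l, v_o, v_d, rho=RHO_R):
    """(lower, upper) bound on v_O' replacing Eq. (4)."""
    def combine(loads):
        a21, a22, a23 = a2(loads[0])[0], a2(loads[1])[1], a2(loads[2])[2]
        return T * a21 * i_l + (1 + T * a22) * v_o + T * a23 * v_d
    lower, upper = extreme_loads(i_l, v_o, v_d, rho)
    return combine(lower), combine(upper)


def fig3_case(i_l, v_o, v_d, rho=RHO_R):
    """Guard name z_abc and the (M)/(m) patterns of its <= and >= rows."""
    r_max = R_NOM * (1 + rho)
    lower, upper = extreme_loads(i_l, v_o, v_d, rho)
    name = "z" + "".join("p" if w >= 0 else "n" for w in (i_l, v_o, v_d))

    def tag(loads):
        return "".join("M" if r == r_max else "m" for r in loads)
    return name, tag(upper), tag(lower)


def enclosure_holds(samples=21, rho=RHO_R):
    """Check lower <= v_O'(R) <= upper for all 8 sign cases and a load grid."""
    r_min, r_max = R_NOM * (1 - rho), R_NOM * (1 + rho)
    loads = [r_min + k * (r_max - r_min) / (samples - 1) for k in range(samples)]
    for i_l in (-3.0, 2.0):            # constructed sample points
        for v_o in (-0.5, 5.0):
            for v_d in (-15.0, 0.5):
                lo, hi = vo_next_bounds(i_l, v_o, v_d, rho)
                for load in loads:
                    exact = vo_next(i_l, v_o, v_d, load)
                    if not lo - 1e-12 <= exact <= hi + 1e-12:
                        return False
    return True


if __name__ == "__main__":
    print(fig3_case(2.0, 5.0, 0.5))          # pattern of Eqs. (29)-(30)
    print(vo_next_bounds(2.0, 5.0, -15.0))
    print(enclosure_holds())
```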
5 Multi-input Buck DC-DC Converter
A multi-input buck DC-DC converter [6] (Fig. 4), consists of n power supplies
with voltage values V1 < . . . < Vn, n switches with voltage values vu1 , . . . , vun
and current values Iu1 , . . . , Iun , and n input diodes D0, . . . , Dn−1 with voltage
values vD0 , . . . , vDn−1 and current values iD0 , . . . , iDn−1 (in the following, we will
also write vD for vD0 and iD for iD0 ). As for the converter in Sect. 4, the state
variables are iL and vO. Differently from the converter in Sect. 4, the action
variables are u1, . . . , un, thus a control software for the n-input buck dc-dc
converter has to properly actuate the switches u1, . . . , un.
We model our n-input buck DC-DC converter with DTLHS H = (X, U,
Y, N), where X = Xr = [iL, vO], U = U b = [u1, . . . , un], and Y = Y r ∪ Y b
with Y r = [vD, vD1 , . . . , vDn−1, iD, Iu1 , . . . , Iun , vu1 , . . . , vun] and Y b = [q0, . . . ,
qn−1]. As for the predicate N , from a simple circuit analysis (e.g. see [4]) we
have that state variables constraints are the same as Eqs. (3) and (4) of the
converter in Sect. 4.
The algebraic constraints stemming from the constitutive equations of
the switching elements are the following (where i and j range in [n− 1] and
[n] respectively):
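$q_0 \rightarrow v_D = R_{on} i_D$ (45)
$q_0 \rightarrow i_D \ge 0$ (46)
$q_i \rightarrow v_{D_i} = R_{on} I_{u_i}$ (47)
$q_i \rightarrow I_{u_i} \ge 0$ (48)
$u_j \rightarrow v_{u_j} = R_{on} I_{u_j}$ (49)
$i_L = i_D + \sum_{i=1}^{n} I_{u_i}$ (50)
$\bar{q}_0 \rightarrow v_D = R_{off} i_D$ (51)
$\bar{q}_0 \rightarrow v_D \le 0$ (52)
$\bar{q}_i \rightarrow v_{D_i} = R_{off} I_{u_i}$ (53)
$\bar{q}_i \rightarrow v_{D_i} \le 0$ (54)
$\bar{u}_j \rightarrow v_{u_j} = R_{off} I_{u_j}$ (55)
$v_D = v_{u_i} + v_{D_i} - V_i$ (56)
$v_D = v_{u_n} - V_n$ (57)
Finally, N is given by the conjunction of Eqs. (3) and (4) of Sect. 4,
Eqs. (45)–(57) and the following explicit (safety) bounds:
$-4 \le i_L \le 4 \wedge -1 \le v_O \le 7 \wedge -10^3 \le i_D \le 10^3 \wedge \bigwedge_{i=1}^{n} -10^3 \le I_{u_i} \le 10^3 \wedge \bigwedge_{i=1}^{n} -10^7 \le v_{u_i} \le 10^7 \wedge \bigwedge_{i=0}^{n-1} -10^7 \le v_{D_i} \le 10^7$.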
5.1 Modelling Robustness on Inputs Vi and Load R
In this section we address the problem of refining the model given in Sect. 5
so as to require a controller for our multi-input buck to be robust to foreseen
variations in the load R and in the power supplies Vi (for i ∈ [n]). As it
is explained in Sect. 4.1, given tolerances ρR and ρVi (for i ∈ [n]), we want
the controller output by QKS for our multi-input buck to work for any R ∈
[max{0, R(1−ρR)}, R(1+ρR)] and any Vi ∈ [max{0, Vi(1−ρVi)}, Vi(1+ρVi)]
(for i ∈ [n]).
Variations in the power supplies are modeled by replacing Eqs. (56)
and (57) in Sect. 5 with the following (where i ranges in [n− 1]):
$v_D \le v_{u_i} + v_{D_i} - V_i(1 - \rho_{V_i})$ (58)
$v_D \ge v_{u_i} + v_{D_i} - V_i(1 + \rho_{V_i})$ (59)
$v_D \le v_{u_n} - V_n(1 - \rho_{V_n})$ (60)
$v_D \ge v_{u_n} - V_n(1 + \rho_{V_n})$ (61)
As for the robustness w.r.t. the load R, since the only equation depending
on R is Eq. (4) of Sect. 4, which also holds for the multi-input buck, the same
reasoning of Sect. 4.1 may be applied. Thus, we have to replace Eq. (4) of
Sect. 4 with the equations in Fig. 3.
6 Experimental Results
In this section we present our experimental results about running QKS [5]
on the buck models described in Sects. 4 and 5. Namely, we will present
experimental results on the robust model for the single-input buck described
in Sect. 4.1 (Sect. 6.1) and on the (non-robust) model for the multi-buck
described in Sect. 5 (Sect. 6.2). All experiments run on an Intel 3.0 GHz
hyperthreaded Quad Core Linux PC with 8 GB of RAM.
6.1 Single-input Buck
We run QKS on the single-input buck model taking into account foreseen
variations in the load R and in the power supply $V_{in}$ (see Sect. 4.1). Since
QKS also requires as input the number of AD bits b (see [5] for details), we run
QKS multiple times for different values of b, each time obtaining a controller
$K_b$. All other constants introduced in Sect. 4 are fixed as follows: $T = 10^{-6}$
secs, $L = 2 \cdot 10^{-4}$ H, $r_L$ = 0.1 Ω, $r_C$ = 0.1 Ω, R = 5 Ω, $C = 5 \cdot 10^{-5}$ F,
$V_i$ = 15 V, $\rho_R = \rho_{V_{in}}$ = 25%, $R_{on}$ = 0 Ω, $R_{off} = 10^4$ Ω.
Tabs. 1, 2 and 3 show our experimental results. Columns in Tab. 1 have
the following meaning. Column b shows the number of AD bits (see [5] for
details). Columns labeled Control Abstraction show performance for control
abstraction computation (see [5] for details) and they show running time
(column CPU, in secs), memory usage (MEM, in bytes), the number of tran-
sitions in the generated control abstraction (Arcs), the number of self-loops
in the maximum control abstraction (MaxLoops), and the fraction of loops
that are kept in the minimum control abstraction w.r.t. the number of loops
in the maximum control abstraction (LoopFrac).
Columns labeled Controller Synthesis show the computation time (col-
umn CPU, in secs) for the generation of Kb, and the size of its OBDD rep-
resentation (OBDD, number of nodes). The latter is also the size (number
of lines) of Kb C code synthesized implementation. Finally, columns labeled
Total show the total computation time (column CPU, in secs) and the mem-
ory (MEM, in bytes) for the whole process (i.e., control abstraction plus
controller source code generation), as well as the final outcome µ ∈ {Sol,
NoSol, Unk} of QKS (see [5] for details).
For each MILP problem solved in QKS (see [5] for details), Tabs. 2 and 3
show (as a function of b) the total and the average CPU time (in seconds)
spent solving MILP problem instances, together with the number of MILP
instances solved. Columns in Tabs. 2 and 3 have the following meaning: Num
is the number of times that the MILP problem of the given type is called,
Time is the total CPU time (in secs) needed to solve all the Num instances
of the MILP problem of the given type, and Avg is the average CPU time (in
secs), i.e. the ratio between columns Time and Num. Each row in Tabs. 2
and 3 refers to a type of MILP problem solved, see [5] for details.
Finally, in Figs. 5–8 we show the guaranteed operational range (controlled
regions, see [5] for details) of the controllers generated for the single-input
buck by QKS.
Table 1: Single-input buck DC-DC converter: control abstraction and controller
synthesis results.
      Control Abstraction                                  Controller Synthesis   Total
b     CPU        MEM        Arcs       MaxLoops   LoopFrac   CPU        |K|        CPU        MEM        µ
8     1.95e+03   4.41e+07   6.87e+05   2.55e+04   0.00333    2.10e-01   1.39e+02   1.96e+03   4.46e+07   Unk
9     9.55e+03   5.67e+07   3.91e+06   1.87e+04   0.00440    2.64e+01   3.24e+03   9.58e+03   7.19e+07   Sol
10    1.42e+05   8.47e+07   2.61e+07   2.09e+04   0.00781    7.36e+01   1.05e+04   1.42e+05   1.06e+08   Sol
11    8.76e+05   1.11e+08   2.15e+08   2.26e+04   0.01435    2.94e+02   2.88e+04   8.76e+05   2.47e+08   Sol
Table 2: Single-input buck DC-DC converter: number of MILPs and time to
solve them
       b = 8                           b = 9
MILP   Num       Avg       Time       Num       Avg       Time
1      6.6e+04   7.0e-05   4.6e+00    2.6e+05   7.0e-05   1.8e+01
2      4.0e+05   1.5e-03   3.3e+02    1.6e+06   1.4e-03   1.1e+03
3      2.3e+05   9.1e-04   2.1e+02    9.2e+05   9.2e-04   8.4e+02
4      7.8e+05   9.9e-04   7.7e+02    4.4e+06   1.0e-03   4.5e+03
5      4.3e+05   2.8e-04   1.2e+02    1.7e+06   2.8e-04   4.9e+02
Table 3: Single-input buck DC-DC converter: number of MILPs and time to
solve them (continuation of Tab. 2)
       b = 10                          b = 11
MILP   Num       Avg       Time       Num       Avg       Time
1      1.0e+06   2.7e-04   2.8e+02    4.2e+06   2.3e-04   9.7e+02
2      6.4e+06   3.8e-03   1.3e+04    2.5e+07   3.3e-03   4.6e+04
3      3.7e+06   3.0e-03   1.1e+04    1.5e+07   2.6e-03   3.8e+04
4      3.0e+07   2.6e-03   7.8e+04    2.6e+08   2.2e-03   5.7e+05
5      6.8e+06   1.8e-03   1.3e+04    2.7e+07   1.6e-03   4.2e+04
Figure 5: Single-input robust buck: controlled region with b = 8 bits
Figure 6: Single-input robust buck: controlled region with b = 9 bits
Figure 7: Single-input robust buck: controlled region with b = 10 bits
Figure 8: Single-input robust buck: controlled region with b = 11 bits
6.2 Multi-input Buck
We run QKS on the multi-input buck model described in Sect. 5. Differently
from Sect. 6.1, we fix the number of AD bits b for QKS, namely b = 10.
On the other hand, we run QKS multiple times by varying the number n
of inputs for the multi-input buck. As for input voltages, we have $V_i$ = 10i
V for all i ∈ [n]. All other constants introduced in Sect. 5 are fixed as in
Sect. 6.1.
Tabs. 4, 5 and 6 show our experimental results. Columns in Tab. 4 have
the following meaning. Column n shows the number of inputs of the multi-
input buck (see Sect. 5 for details). All other columns of Tab. 4, as well as
of Tabs. 5 and 6 have the same meaning of the same columns of Tabs. 1, 2
and 3.
Finally, in Figs. 9–12 we show the guaranteed operational range (con-
trolled regions, see [5] for details) of the controllers generated for the multi-
input buck by QKS.
7 Conclusions
We presented experimental results on using the QKS tool [5], to support a
Formal Model Based Design approach to control software. Our experiments
have been carried out on two versions of the buck DC-DC converter, namely
the single-input and the multi-input versions. We also showed how robust
controllers may be generated for such bucks, namely by taking into account
also foreseen variations on some important buck parameters such as load and
input power supplies.
Table 4: Multi-input buck DC-DC converter: control abstraction and controller
synthesis results
      Control Abstraction                                     Controller Synthesis   Total
n     CPU        MEM        Arcs       MaxLoops   NoLoopsPerc   CPU        |K|        CPU        MEM        µ
1     2.88e+04   6.41e+07   7.38e+06   1.91e+04   0.00377       1.97e+01   1.21e+04   2.88e+04   8.35e+07   Sol
2     8.94e+04   7.63e+07   1.47e+07   1.91e+04   0.00743       2.66e+01   2.52e+04   8.94e+04   8.25e+07   Sol
3     2.46e+05   9.47e+07   2.93e+07   1.90e+04   0.01162       3.66e+01   3.47e+04   2.46e+05   1.05e+08   Sol
4     6.43e+05   9.51e+07   5.84e+07   1.88e+04   0.00330       5.32e+01   4.31e+04   6.43e+05   0.00e+00   Sol
Table 5: Multi-input buck DC-DC converter: number of MILPs and time to
solve them
       n = 1                           n = 2
MILP   Num       Avg       Time       Num       Avg       Time
1      1.0e+06   2.0e-04   2.1e+02    1.0e+06   2.1e-04   2.2e+02
2      6.4e+06   1.4e-03   5.1e+03    1.3e+07   1.9e-03   1.6e+04
3      3.7e+06   8.8e-04   3.2e+03    7.4e+06   1.6e-03   1.1e+04
4      8.7e+06   1.0e-03   8.9e+03    1.7e+07   1.7e-03   2.8e+04
5      6.9e+06   6.8e-04   4.6e+03    1.4e+07   1.1e-03   1.5e+04
Table 6: Multi-input buck DC-DC converter: number of MILPs and time to
solve them (continuation of Tab. 5)
       n = 3                           n = 4
MILP   Num       Avg       Time       Num       Avg       Time
1      1.0e+06   2.1e-04   2.2e+02    1.0e+06   2.2e-04   2.3e+02
2      2.5e+07   3.0e-03   4.6e+04    5.1e+07   4.5e-03   1.2e+05
3      1.5e+07   2.2e-03   3.2e+04    2.9e+07   2.9e-03   8.6e+04
4      3.2e+07   2.4e-03   7.9e+04    6.3e+07   3.2e-03   2.0e+05
5      2.7e+07   1.6e-03   4.3e+04    5.5e+07   2.1e-03   1.1e+05
Figure 9: Multi-input buck: controlled region with n = 1 inputs
Figure 10: Multi-input buck: controlled region with n = 2 inputs
Figure 11: Multi-input buck: controlled region with n = 3 inputs
Figure 12: Multi-input buck: controlled region with n = 4 inputs
References
[1] Thomas A. Henzinger, Benjamin Horowitz, Rupak Majumdar, and
Howard Wong-Toi. Beyond hytech: Hybrid systems analysis using interval
numerical methods. In HSCC, LNCS 1790, pages 130–144, 2000.
[2] Thomas A. Henzinger and Joseph Sifakis. The embedded systems design
challenge. In FM, LNCS 4085, pages 1–15, 2006.
[3] W. Kim, M. S. Gupta, G.-Y. Wei, and D. M. Brooks. Enabling on-chip
switching regulators for multi-core processors using current staggering.
In ASGI, 2007.
[4] Ping-Zong Lin, Chun-Fei Hsu, and Tsu-Tian Lee. Type-2 fuzzy logic
controller design for buck dc-dc converters. In FUZZ, pages 365–370,
2005.
[5] Federico Mari, Igor Melatti, Ivano Salvo, and Enrico Tronci. Synthesis
of quantized feedback control software for discrete time linear hybrid
systems. In CAV, LNCS 6174, pages 180–195, 2010.
[6] M. Rodriguez, P. Fernandez-Miaja, A. Rodriguez, and J. Sebastian. A
multiple-input digitally controlled buck converter for envelope tracking
applications in radiofrequency power amplifiers. IEEE Trans on Pow El,
25(2):369–381, 2010.
[7] G. Schrom, P. Hazucha, J. Hahn, D.S. Gardner, B.A. Bloechel, G. Dermer,
S.G. Narendra, T. Karnik, and V. De. A 480-mhz, multi-phase
interleaved buck dc-dc converter with hysteretic control. In PESC, pages
4702–4707 vol. 6. IEEE, 2004.
[8] Wing-Chi So, C.K. Tse, and Yim-Shu Lee. Development of a fuzzy logic
controller for dc/dc converters: design, computer simulation, and experimental
evaluation. IEEE Trans. on Power Electronics, 11(1):24–32, 1996.
[9] V. Yousefzadeh, A. Babazadeh, B. Ramachandran, E. Alarcon, L. Pao,
and D. Maksimovic. Proximate time-optimal digital control for synchronous
buck dc–dc converters. IEEE Trans. on Power Electronics,
23(4):2018–2026, 2008.
