Towards a Runtime Standard-Based Testing Framework for Dynamic Distributed Information Systems
In this work, we are interested in testing dynamic distributed information systems. That is, we consider a decentralized information system which can evolve over time. For this purpose we propose a runtime standard-based test execution platform. The latter is built upon the normalized TTCN-3 specification and implementation testing language. The proposed platform ensures execution of test cases at runtime. Moreover it considers both structural and behavioral adaptations of the system under test. In addition, it is equipped with a test isolation layer that minimizes the risk of interference between business and testing processes. The platform also generates a minimal subset of test scenarios to execute after each adaptation. Finally, it proposes an optimal strategy to place the TTCN-3 test components among the system execution nodes
Modular and Safe Event-Driven Programming
Asynchronous event-driven systems are ubiquitous across domains such as device drivers, distributed systems, and robotics. These systems are notoriously hard to get right as the programmer needs to reason about numerous control paths resulting from the complex interleaving of events (or messages) and failures. Unsurprisingly, it is easy to introduce subtle errors while attempting to fill in gaps between high-level system specifications and their concrete implementations. This dissertation proposes new methods for programming safe event-driven asynchronous systems. In the first part of the thesis, we present ModP, a modular programming framework for compositional programming and testing of event-driven asynchronous systems. The ModP module system supports a novel theory of compositional refinement for assume-guarantee reasoning of dynamic event-driven asynchronous systems. We build a complex distributed systems software stack using ModP. Our results demonstrate that compositional reasoning can help scale model-checking (both explicit and symbolic) to large distributed systems. ModP is transforming the way asynchronous software is built at Microsoft and Amazon Web Services (AWS). Microsoft uses ModP for implementing safe device drivers and other software in the Windows kernel. AWS uses ModP for compositional model checking of complex distributed systems. While ModP simplifies analysis of such systems, the state space of industrial-scale systems remains extremely large. In the second part of this thesis, we present scalable verification and systematic testing approaches to further mitigate this state-space explosion problem. First, we introduce the concept of a delaying explorer to perform prioritized exploration of the behaviors of an asynchronous reactive program. A delaying explorer stratifies the search space using a custom strategy (tailored towards finding bugs faster), and a delay operation that allows deviation from that strategy.
We show that prioritized search with a delaying explorer performs significantly better than existing approaches for finding bugs in asynchronous programs. Next, we consider the challenge of verifying time-synchronized systems; these are almost-synchronous systems as they are neither completely asynchronous nor synchronous. We introduce approximate synchrony, a sound and tunable abstraction for verification of almost-synchronous systems. We show how approximate synchrony can be used for verification of both time-synchronization protocols and applications running on top of them. Moreover, we show how approximate synchrony also provides a useful strategy to guide state-space exploration during model-checking. Using approximate synchrony and implementing it as a delaying explorer, we were able to verify the correctness of the IEEE 1588 distributed time-synchronization protocol and, in the process, uncovered a bug in the protocol that was well appreciated by the standards committee. In the final part of this thesis, we consider the challenge of programming a special class of event-driven asynchronous systems -- safe autonomous robotics systems. Our approach towards achieving assured autonomy for robotics systems consists of two parts: (1) a high-level programming language for implementing and validating the reactive robotics software stack; and (2) an integrated runtime assurance system to ensure that the assumptions used during design-time validation of the high-level software hold at runtime. Combining high-level programming language and model-checking with runtime assurance helps us bridge the gap between design-time software validation that makes assumptions about the untrusted components (e.g., low-level controllers), and the physical world, and the actual execution of the software on a real robotic platform in the physical world.
We implemented our approach as DRONA, a programming framework for building safe robotics systems. We used DRONA for building a distributed mobile robotics system and deployed it on real drone platforms. Our results demonstrate that DRONA (with the runtime-assurance capabilities) enables programmers to build an autonomous robotics software stack with formal safety guarantees. To summarize, this thesis contributes new theory and tools to the areas of programming languages, verification, systematic testing, and runtime assurance for programming safe asynchronous event-driven across the domains of fault-tolerant distributed systems and safe autonomous robotics systems
Provision of voltage ancillary services through enhanced TSO-DSO interaction and aggregated distributed energy resources
The electrical energy generated from renewable energy resources connected to transmission and distribution systems and the displacement of synchronous generators continues to grow. This presages a paradigm-shift away from the traditional provision of ancillary services, essential to ensure a robust system, from transmission-connected synchronous generators towards provision from synchronous and non-synchronous generation (including distribution-connected resources). Given that the available resources at the disposal of system operators are continuously increasing, the flexibility for operating the network can be enlarged. In this context, this paper introduces a dedicated voltage ancillary services strategy for provision of reactive power. A main feature of the proposed strategy is that it is technology-neutral, unlike existing ones that are focused on synchronous generators. The system need for voltage stability is placed at the core of this strategy, which is translated into a requirement for reactive power provision. The proposed strategy achieves, through the combined utilization of distributed generation and traditional resources, to defer the investments in reactive compensating equipment. Dynamic and transient studies are conducted to demonstrate the technical benefits of the strategy, while its practical feasibility is also validated through hardware-in-the-loop testing
Management of Distributed Energy Storage Systems for Provisioning of Power Network Services
Because of environmentally friendly reasons and advanced technological development, a significant number of renewable energy sources (RESs) have been integrated into existing power networks. The increase in penetration and the uneven allocation of the RESs and load demands can lead to power quality issues and system instability in the power networks. Moreover, high penetration of the RESs can also cause low inertia due to a lack of rotational machines, leading to frequency instability. Consequently, the resilience, stability, and power quality of the power networks become exacerbated.
This thesis proposes and develops new strategies for energy storage (ES) systems distributed in power networks for compensating for unbalanced active powers and supply-demand mismatches and improving power quality while taking the constraints of the ES into consideration. The thesis is mainly divided into two parts.
In the first part, unbalanced active powers and supply-demand mismatch, caused by uneven allocation and distribution of rooftop PV units and load demands, are compensated by employing the distributed ES systems using novel frameworks based on distributed control systems and deep reinforcement learning approaches.
There have been limited studies using distributed battery ES systems to mitigate the unbalanced active powers in three-phase four-wire and grounded power networks. Distributed control strategies are proposed to compensate for the unbalanced conditions. To group households in the same phase into the same cluster, algorithms based on feature states and labelled phase data are applied. Within each cluster, distributed dynamic active power balancing strategies are developed to control phase active powers to be close to the reference average phase power. Thus, phase active powers become balanced.
To alleviate the supply-demand mismatch caused by high PV generation, a distributed active power control system is developed. The strategy consists of supply-demand mismatch and battery SoC balancing. Control parameters are designed by considering Hurwitz matrices and Lyapunov theory. The distributed ES systems can minimise the total mismatch of power generation and consumption so that reverse power flowing back to the main is decreased. Thus, voltage rise and voltage fluctuation are reduced.
Furthermore, as a model-free approach, new frameworks based on Markov decision processes and Markov games are developed to compensate for unbalanced active powers. The frameworks require only proper design of states, action and reward functions, training, and testing with real data of PV generations and load demands. Dynamic models and control parameter designs are no longer required. The developed frameworks are then solved using the DDPG and MADDPG algorithms.
In the second part, the distributed ES systems are employed to improve frequency, inertia, voltage, and active power allocation in both islanded AC and DC microgrids by novel decentralized control strategies.
In an islanded DC datacentre microgrid, a novel decentralized control of heterogeneous ES systems is proposed. High- and low frequency components of datacentre loads are shared by ultracapacitors and batteries using virtual capacitive and virtual resistance droop controllers, respectively. A decentralized SoC balancing control is proposed to balance battery SoCs to a common value. The stability model ensures the ES devices operate within predefined limits.
In an isolated AC microgrid, decentralized frequency control of distributed battery ES systems is proposed. The strategy includes adaptive frequency droop control based on current battery SoCs, virtual inertia control to improve frequency nadir and frequency restoration control to restore system frequency to its nominal value without being dependent on communication infrastructure. A small-signal model of the proposed strategy is developed for calculating control parameters.
The proposed strategies in this thesis are verified using MATLAB/Simulink with Reinforcement Learning and Deep Learning Toolboxes and RTDS Technologies' real-time digital simulator with accurate power networks, switching levels of power electronic converters, and a nonlinear battery model
The pros and cons of using SDL for creation of distributed services
In a competitive market for the creation of complex distributed services, time to market, development cost, maintenance and flexibility are key issues. Optimizing the development process is very much a matter of optimizing the technologies used during service creation. This paper reports on the experience gained in the Service Creation projects SCREEN and TOSCA on use of the language SDL for efficient service creation
International White Book on DER Protection : Review and Testing Procedures
This white book provides an insight into the issues surrounding the impact of increasing levels of DER on the generator and network protection and the resulting necessary improvements in protection testing practices. Particular focus is placed on ever increasing inverter-interfaced DER installations and the challenges of utility network integration. This white book should also serve as a starting point for specifying DER protection testing requirements and procedures. A comprehensive review of international DER protection practices, standards and recommendations is presented. This is accompanied by the identification of the main performance challenges related to these protection schemes under varied network operational conditions and the nature of DER generator and interface technologies. Emphasis is placed on the importance of dynamic testing that can only be delivered through laboratory-based platforms such as real-time simulators, integrated substation automation infrastructure and flexible, inverter-equipped testing microgrids. To this end, the combination of flexible network operation and new DER technologies underlines the importance of utilising the laboratory testing facilities available within the DERlab Network of Excellence. This not only informs the shaping of new protection testing and network integration practices by end users but also enables the process of de-risking new DER protection technologies. In order to support the issues discussed in the white paper, a comparative case study between UK and German DER protection and scheme testing practices is presented. This also highlights the level of complexity associated with standardisation and approval mechanisms adopted by different countries
Submodularity and Optimality of Fusion Rules in Balanced Binary Relay Trees
We study the distributed detection problem in a balanced binary relay tree,
where the leaves of the tree are sensors generating binary messages. The root
of the tree is a fusion center that makes the overall decision. Every other
node in the tree is a fusion node that fuses two binary messages from its child
nodes into a new binary message and sends it to the parent node at the next
level. We assume that the fusion nodes at the same level use the same fusion
rule. We call a string of fusion rules used at different levels a fusion
strategy. We consider the problem of finding a fusion strategy that maximizes
the reduction in the total error probability between the sensors and the fusion
center. We formulate this problem as a deterministic dynamic program and
express the solution in terms of Bellman's equations. We introduce the notion
of string-submodularity and show that the reduction in the total error
probability is a string-submodular function. Consequentially, we show that the
greedy strategy, which only maximizes the level-wise reduction in the total
error probability, is within a factor of the optimal strategy in terms of
reduction in the total error probability
Resilient Distributed Energy Management for Systems of Interconnected Microgrids
In this paper, distributed energy management of interconnected microgrids,
which is stated as a dynamic economic dispatch problem, is studied. Since the
distributed approach requires cooperation of all local controllers, when some
of them do not comply with the distributed algorithm that is applied to the
system, the performance of the system might be compromised. Specifically, it is
considered that adversarial agents (microgrids with their controllers) might
implement control inputs that are different than the ones obtained from the
distributed algorithm. By performing such behavior, these agents might have
better performance at the expense of deteriorating the performance of the
regular agents. This paper proposes a methodology to deal with this type of
adversarial agents such that we can still guarantee that the regular agents can
still obtain feasible, though suboptimal, control inputs in the presence of
adversarial behaviors. The methodology consists of two steps: (i) the
robustification of the underlying optimization problem and (ii) the
identification of adversarial agents, which uses hypothesis testing with
Bayesian inference and requires to solve a local mixed-integer optimization
problem. Furthermore, the proposed methodology also prevents the regular agents
to be affected by the adversaries once the adversarial agents are identified.
In addition, we also provide a sub-optimality certificate of the proposed
methodology. Comment: 8 pages, Conference on Decision and Control (CDC) 201