Lessons learned in the application of formal methods to the design of a storm surge barrier control system

The Maeslantkering is a key flood defense infrastructural system in the Netherlands. This movable barrier protects the city and harbor of Rotterdam, without impacting ship traffic under normal circumstances. Its control system, which operates completely autonomously, must be guaranteed to work correctly even under extreme weather conditions, although it closes only sporadically. During its development in the 1990's, the formal methods Z and Spin were used to increase reliability. As the availability of industrial expert knowledge on these formal methods declines, maintaining the specifications defined back then has become cumbersome. In the quest for an alternative mathematically rigorous approach, this paper reports on an experience in applying supervisory control synthesis. This formal method was recently applied successfully to other types of infrastructural systems like waterway locks, bridges, and tunnels, with the purpose to ensure safe behavior by coordinating hardware components. Here, we show that it can also be used to coordinate several (controller) software systems. Additionally, we compare the lessons learned from the originally used formal methods and link Z to supervisory control synthesis

New concepts in the abstract format of the Compositional Interchange Format

The compositional interchange format for hybrid systems (CIF) supports inter-operability of a wide range of tools by means of model transformations to and from the CIF. Work on the CIF takes place in the FP7 Multiform project, and in several other European projects. The CIF consists of an abstract and a concrete format, used for defining a formal semantics and for modeling, respectively. This paper discusses the results of a redesign of the abstract format as previously published, leading to the following main changes: variables are introduced using scoping operators; the abstract language is made more orthogonal by providing an operator for each concept in the language; parallel composition has been defined in such a way that compositional verification (assume/guarantee reasoning) is supported; and the concept of urgent actions has been properly defined. As a result, the expressivity and semantics of the abstract language have been considerably improved

Model Properties for Efficient Synthesis of Nonblocking Modular Supervisors

Supervisory control theory provides means to synthesize supervisors for systems with discrete-event behavior from models of the uncontrolled plant and of the control requirements. The applicability of supervisory control theory often fails due to a lack of scalability of the algorithms. We propose a format for the requirements and a method to ensure that the crucial properties of controllability and nonblockingness directly hold, thus avoiding the most computationally expensive parts of synthesis. The method consists of creating a control problem dependency graph and verifying whether it is acyclic. Vertices of the graph are modular plant components, and edges are derived from the requirements. In case of a cyclic graph, potential blocking issues can be localized, so that the original control problem can be reduced to only synthesizing supervisors for smaller partial control problems. The strength of the method is illustrated on two case studies: a production line and a roadway tunnel.Comment: Submitted to Journal of Control Engineering Practice, revision

Sampled-data control of hybrid systems with discrete inputs and outputs

We address the control synthesis of hybrid systems with discrete inputs, disturbances and outputs. The control objective is to ensure that the events of the closed-loop system belong to the language of the control requirements. The controller is sampling-based and it is representable by a finite-state machine. We formalize the control problem and provide a theoretically sound solution. The solution is based on solving a discrete-event control problem for a finite-state abstraction of the plant. We propose a specific construction for the finite-state abstraction. This construction is not based on discretizing the state-space, but rather on converting the continuous-time hybrid system to a discrete-time one based on sampling. The construction works only for a specific class of hybrid systems. We describe this class of systems and we provide an example of such a system, inspired by an industrial use-case