Control of Industrial Systems to Avoid Failures: Application to Electrical Systems

We resolve the control problem for a class of dynamic hybrid systems (DHS), considering electrical systems as a case study. The objective is to guarantee that the plant never reaches unsafe states. We consider a subclass of DHS called Cumulative Preemptive Event-driven DHS (CPE-DHS). This class is distinguished by the dominance of its discrete aspect, characterized by features such as cumulative continuous variables combined with activities that may be interrupted and restarted. We use a subclass of Rectangular Hybrid Automata (RHA), named Constant Slope RHA (CSRHA), as the framework in which to resolve the control problem. The main contribution is a control algorithm for the class of systems described above. This algorithm ensures that the system meets the requirement specifications by forcing some events. The forcing action takes the form of restrictions on the transition guards of the CSRHA. Termination/decidability as well as correctness of the algorithm are established by theorems and formal proofs. This contribution ensures that the system always stays in safe states and avoids failures due to the reachability of unsafe states. Our approach can be applied to a large category of industrial systems, especially the electrical systems that we consider as a case study.

Keywords: Dynamic hybrid systems; supervisory control; hybrid automata; electrical systems; safety


I. INTRODUCTION
Dynamic hybrid systems [1]-[4] (DHS) are systems characterized by the interaction of discrete and continuous components. A large variety of real-time and embedded systems, many computer-automated systems, and industrial and electrical systems exhibit both continuous and discrete aspects. In this paper, we concentrate on a particular class of dynamic hybrid systems whose behavior is captured essentially by preemptive activities that can occur sequentially or in parallel. These systems are characterized by the interaction of a dominant discrete component with a slight continuous one.
DHS are modeled by a large variety of modeling frameworks. We distinguish essentially several timed and hybrid extensions of finite state automata [5] as well as Petri nets [6], [7]. Petri net extensions offer salient graphical modeling power; however, their computations are mostly based on similar automata extensions. On the other hand, there are many extensions of finite state machines, such as timed transition systems [8], timed automata [5] and stopwatch automata [9]. In these frameworks, time is included in configurations and transitions in the form of constraints and/or speed rates. In order to deal with dynamic hybrid systems, we consider essentially hybrid automata, linear hybrid automata, and rectangular automata [10]. All these frameworks capture various aspects of DHS depending on their modelling power, which is generally inversely proportional to the decidability of the accessibility problem: models that cover more classes of systems become more difficult to handle by a computer because of undecidability [11].
In our case, we use a subclass of RHA, the CSRHA, to model our systems. This subclass is better behaved with respect to decidability. The control problem, one of the most studied problems in the literature [12], will be resolved using the CSRHA formalism. One of the important problems in DHS control theory is safety verification: the controller has to ensure that no trajectory of the system reaches an "unsafe" state. In order to guarantee this safety property, the controller may restrict the scope of some controllable events. By taking such decisions, the controller prevents system trajectories from reaching any undesired state induced by uncontrollable events. In this paper, we consider that the computational power of the controller is limited to narrowing the time intervals on transitions related to controllable events. Technically speaking, this action amounts to modifying the guards on the transitions associated with controllable events in the CSRHA model. This paper is organized as follows. The next section provides background on hybrid automata and a description of the CSRHA. In Section 3, we present and solve the supervisory control problem. Throughout this paper we use the same case study of an electrical system to illustrate our supervisory control approach.

II. BACKGROUND ON HYBRID AUTOMATA
In the following, we define the retained subclass of RHA: the CSRHA.

A. Constant Piece-wise Rectangular Hybrid Automata
We consider the following notation. X = {x_1, x_2, ..., x_n} is a finite set of real-valued clocks (variables). Ẋ = {ẋ, x ∈ X} denotes the set of first-derivative variables of X. A variable x is a piece-wise linear variable if ẋ ∈ R. ∼ denotes an element of the operator set {<, ≤, =, ≥, >, ≠}. A rectangular inequality over X is an inequality of the form x ∼ c, where c ∈ R and x ∈ X. A rectangular predicate over X is a conjunction of rectangular inequalities over X; Rect(X) denotes the set of rectangular predicates over X. A polyhedral inequality over X is an inequality of the form c_1 x_1 + ... + c_k x_k ∼ c, where c, c_1, ..., c_k ∈ R and x_1, ..., x_k ∈ X. A polyhedral predicate over X is a boolean combination of polyhedral inequalities over X; Ψ(X) is the set of polyhedral predicates over X. v = (v_1, ..., v_n) denotes an element of R^n that captures the valuation v_i ∈ R of every clock x_i ∈ X; v(x_i) = v_i is the value of x_i. A region is a subset of R^n. For a region z and x_i ∈ X, z(x_i) = {v_i | v ∈ z}. ψ(v) denotes the boolean function that equals true if the predicate ψ is satisfied by the input vector v and false otherwise. We denote by [[ψ]] the region composed of the vectors v ∈ R^n for which the predicate ψ is true when each x_i is substituted by its corresponding v_i.

Definition 1 (from [13]-[15]): A constant piece-wise linear hybrid automaton (CSRHA) is a tuple A = (X, Q, T ∪ {e_0}, inv, dyn, guard, assign, l_0) where:
• X is a finite set of variables.
• Q is a finite set of locations.
• T is a finite set of transitions. A transition e = (l, l′) ∈ T leads the system from the source location l ∈ Q to the end location l′ ∈ Q. The entry transition of the initial location l_0 is denoted by e_0.
• inv: Q −→ Ψ(X) is the location invariant; it associates a predicate to each location.
• dyn: Q × X −→ R is the function describing the evolution of the variables. This evolution is usually written (l, ẋ = k), k ∈ R, or simply ẋ = k in the location l. Ẋ(l) denotes the evolution of all variables in the location l.
• guard: T −→ Ψ(X) is the guard function. It associates a predicate C_e to each transition e. The guard C_e must evaluate to true for the transition e to be executed.
• assign is the initialization function. It associates to each transition e a relation assign_e defining the clocks to be reset.
The semantics of a constant piece-wise linear hybrid automaton (CSRHA) is given by the following definition.

Definition 2: The semantics of a CSRHA A = (X, Q, T ∪ {e_0}, inv, dyn, guard, assign, l_0) is defined by a timed transition system S_A = (Q, q_0, −→), where w is a sequence of pairs (a_i, δ_i), with a_i ∈ T ∪ {e_0} a transition and δ_{i+1} ∈ R^+ the delay between the two successive events a_i and a_{i+1}, where δ_0 = 0 and, ∀i ≥ 1, δ_i = t_i − t_{i−1}.

Example 2.1: Consider the electrical system for mixing a chemical solution given in Fig. 1. The filling action is composed of two stages. First, a tray is replenished with a chemical solution at a rate of 2 cm³/s. We assume that initially the tray contains 10 dm³ of a neutral liquid. This phase is accomplished when the current content of the tray is between 30 and 50 liters. The next phase must be fulfilled before a deadline of 18 s elapses, in order to avoid the risk of obtaining an improper solution. An authorization at a random time prompts the second stage, which has a deadline of 16 s once started.
When the next stage is activated, a second chemical solution is replenished at a rate of 4 cm³/s. The filling process is accomplished when the total content of the tray is between 70 dm³ and 90 dm³. The CSRHA modeling this electrical system is illustrated in Fig. 2.

Fig. 2. The CSRHA of the electrical system.

III. CONTROL OF CPE-DHS
In the following, we describe our contribution to resolving the control problem. Our solution defines a derived state space in which all trajectories satisfy the requested specifications, so that system failure is avoided: all unsafe locations become inaccessible. The safety specification is given as the set of forbidden locations. The control action works by reducing transition guard intervals. By nature, some events are not eligible for narrowing their occurrence time scope; such events are considered uncontrollable from the controller's perspective. An event is controllable if the controller has the power to reduce its occurrence time slot. In general, events leading to forbidden locations are uncontrollable; otherwise, defining the control solution would be trivial. Moreover, the restriction applied to the time intervals should be minimal.

A. Specification of the Control Problem
The inputs are the set of unsafe locations and the partition of events into controllable and uncontrollable. The main steps we propose to resolve the control problem are as follows:
1) Mark all unsafe locations according to the safety specification.
2) Mark all transitions as controllable or uncontrollable according to the input event partition.
3) Compute the space admitted by the controller in every location, so that the system never enters a forbidden location.
4) Reassign the restricted guards of the transitions related to controllable events, and update any necessary location invariant, to force the system to remain in safe states.

B. Control Algorithm
Let A = (L, l_0, X, Σ, E, inv, Dif) be the CSRHA model of the system to be controlled, and A_d the output (controlled) CSRHA. We use the following notation:
• L_F is the set of forbidden locations (given by the safety specification).
• E_F is the set of CSRHA transitions whose destination location is forbidden.
• e_{l,l′} is a transition e = (l, δ, α, Aff, ρ, l′) with source location l and destination location l′.
• E_l is the set of transitions having l as source location: E_l = {e ∈ E | e = (l, δ, α, Aff, ρ, l′), l′ ∈ L}.
• E_{F,l} = E_l ∩ E_F is the set of forbidden transitions having l as source location.
• E_{¬F,l} = E_l − E_F is the set of non-forbidden transitions having l as source location.
• In Algorithm III.1, L_R(l) denotes the closure of the set {l} under the relation {(p, q) : there is a transition e = (p, δ, α, Aff, ρ, q) ∈ E}, i.e. the set of locations reachable from l.

Algorithm III.1, continued (the header and lines 1–5 of the listing appear at the end of this page):
6: E_F := E_F ∪ {e_{l,l′}}
7: end for
8: calculate L_R(l):
9: initialize L_R(l) := {l}
10: while ∃e = (l′, δ, α, Aff, ρ, l″) ∈ E with l′ ∈ L_R(l) and l″ ∉ L_R(l) do
11: L_R(l) := L_R(l) ∪ {l″}
12: end while
13: for all locations l ∈ L \ L_F do
14: calculate E_{F,l} and E_{¬F,l}:
15: for all e_{l,l′} ∈ E_F, l′ ∈ L do
16: end for
L_F := L_F ∪ {l}
for all … : calculate the new guard δ^n_i regarding δ_i and the guards of the transitions in E_{F,l} (see footnote 2)
end for
35: end for
36: do a forward analysis, starting at the initial location. We denote by S^forward_l the reachable space (see footnote 3) computed by forward analysis at location l.
37: for all locations l where E_{F,l} ≠ ∅ do
38: do a backward analysis starting at location l, taking δ^n_{k+1} ∨ δ^n_{k+2} ∨ ... ∨ δ^n_m as the initial entry space. We denote by S^backward_{l,l′} the space computed by backward analysis (from location l) in the location l′ ∈ L_R(l).
39: end for
40: for all l′ ∈ L_R(l) where E_{F,l} ≠ ∅ do
41: calculate the final space of backward analysis at location …
46: for all transitions e_{l,l′} ∈ E_{F,l} do
47: redefine the guards:
48: end for
49: end for
50: end function

Footnote 2: Our goal is to reduce the state space in order to avoid the possibility of occurrence of prohibited events.
Footnote 3: The reachable space at a given location is a polyhedron of dimension |X| defined by the system of inequalities A·X_R ≺ b, with A ∈ M_{a,|X|}(R) a matrix with a rows and |X| columns, and X ∈ R^n the vector of CSRHA variables.

The CSRHA modelling a CPE-DHS system is the input of Algorithm III.1. Algorithm III.1 produces as output an updated CSRHA in which forbidden states can never be reached: the control algorithm computes the new transition guards and the new location invariants.
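As an added illustration (not the paper's own code or tool), the following Python sketch carries out the core of steps 1–4 and of Algorithm III.1 for the restricted setting of a single non-decreasing variable and an acyclic automaton, the decidable case of Theorem 2: a backward pass from the forbidden locations yields, per location, the unsafe prefix of valuations from which an uncontrollable run can still reach a forbidden location, and controllable guards and location invariants are then narrowed to exclude that prefix. The model (location names, rates, guards, the controllable/uncontrollable partition and the forbidden location) is constructed here and only loosely follows the mixing-tray example; it is not the automaton of Fig. 2.

```python
"""Guard narrowing for a one-variable, acyclic CSRHA (constructed illustration)."""
from dataclasses import dataclass
INF = float("inf")

@dataclass(frozen=True)
class Loc:
    rate: float    # constant slope dx/dt; only its sign matters here (assumed > 0 where transitions leave l)
    inv_hi: float  # invariant 0 <= x <= inv_hi (a single non-negative constraint, as in Theorem 2)

@dataclass(frozen=True)
class Trans:
    src: str
    dst: str
    guard: tuple   # rectangular guard: guard[0] <= x <= guard[1]
    controllable: bool

def backward_bad(locs, trans, forbidden):
    """bad[l] = largest x at l from which an uncontrollable run can still reach a
    forbidden location (-inf: none; inf: l is itself forbidden).  Because x never
    decreases, the unsafe region of a location is always the prefix x <= bad[l]."""
    bad = {n: (INF if n in forbidden else -INF) for n in locs}
    for _ in locs:                  # acyclic automaton: |L| passes reach the fixpoint
        for e in trans:
            if e.controllable or bad[e.dst] == -INF:
                continue
            # e may fire at any x in guard ∩ inv(src) ∩ (unsafe prefix of dst) ...
            hi = min(e.guard[1], bad[e.dst], locs[e.src].inv_hi)
            if hi >= e.guard[0]:    # ... and every smaller x at src flows up into it
                bad[e.src] = max(bad[e.src], hi)
    return bad

def control(locs, trans, forbidden, init, x0):
    """Narrow controllable guards and invariants so that no forbidden location is reachable.
    Bounds are (lo, hi, lo_open): lo_open means x > lo.  An emptied guard maps to None."""
    bad = backward_bad(locs, trans, forbidden)
    if x0 <= bad[init]:
        raise ValueError("initial state is already unsafe: no controller exists")
    guards = {}
    for e in trans:
        lo, hi, lo_open = e.guard[0], e.guard[1], False
        if e.controllable and bad[e.dst] >= lo:
            lo, lo_open = bad[e.dst], True   # enter dst only in its safe part x > bad[dst]
        guards[e] = None if lo > hi or (lo_open and lo == hi) else (lo, hi, lo_open)
    invs = {n: ((bad[n], l.inv_hi, True) if bad[n] >= 0 else (0.0, l.inv_hi, False))
            for n, l in locs.items() if n not in forbidden}
    return guards, invs

# Constructed model, loosely following the paper's mixing tray: x is the tray content.
LOCS = {"stage1": Loc(2, 50), "stage2": Loc(4, 90), "degas": Loc(1, 90),
        "done": Loc(0, INF), "bad_mix": Loc(0, INF)}
TRANS = [Trans("stage1", "stage2", (30, 50), True),     # operator starts the second solution
         Trans("stage2", "done", (70, 90), True),       # operator stops filling
         Trans("stage2", "degas", (0, 45), False),      # spontaneous, only at low content
         Trans("degas", "bad_mix", (0, 48), False)]     # may spoil the mixture (forbidden)
FORBIDDEN = {"bad_mix"}
```

Running `control(LOCS, TRANS, FORBIDDEN, "stage1", 10)` narrows the controllable guard 30 ≤ x ≤ 50 to 45 < x ≤ 50, because from any content at most 45 in stage2 the uncontrollable chain through degas can still reach bad_mix; the invariant of stage2 becomes 45 < x ≤ 90 accordingly.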
Theorem 1: Algorithm III.1 terminates if the input CSRHA has no loop.
Proof: Algorithm III.1 terminates if the computation of the reachable space (both backward and forward) terminates. This analysis uses discrete and continuous predecessor and successor operators, which perform geometric computations on regions [14]. Software such as PHAVer [17] and SpaceEx [18], [19] implement such region operations, using polyhedral libraries, to compute the reachable space. These analyses terminate if the CSRHA is acyclic. For more general forms, however, the accessibility problem is known to be undecidable [14], [20].
In the following, we present some particular and interesting cases where this problem is decidable.
Theorem 2: Algorithm III.1 terminates if the input CSRHA satisfies the following properties:
1) All derivative variables in the locations are non-negative or null.
2) Guards and invariants are defined by single non-negative constraints.
3) Assignments are of the form x := x or x := c.
Proof: This follows from the decidability of the accessibility problem in that case [21]. Furthermore, the algorithm is decidable for the following interesting classes of CSRHA:
1) CSRHA where each loop contains at least one initialization of all clocks [22].
2) CSRHA where each loop contains at most one transition guard in the form of a "dangerous" test [22].
3) CSRHA where a change of dynamics (the derivative value) of a variable between two locations is accompanied by a reset of that variable on the transition between the two locations [16].
Theorem 3: The automaton A_d obtained by applying Algorithm III.1 ensures that all reachable spaces respect the safety specification while being maximally permissive.
Part 1: We show (by contradiction) that the reachable space meets the safety specification.
Suppose that ∃l ∈ L_F such that there exists a run in A_d from the initial state reaching l. We have l ∈ L_F =⇒ e_a ∈ E_F. Suppose that e_a = (l_a, δ_a, α_a, Aff_a, ρ_a, l). According to the TTS of A_d, we have inv(l)(v_a) = true and δ(v_a) = true. However, the calculation of S^backward_l in Algorithm III.1 rules this out. According to the construction of the set E_{F,l_a} in the algorithm, we have e_a ∈ E_{F,l_a}. Thus, ∃j ∈ [[1, k]] such that e_a = e_j. This implies that inv(l′)(v) = false, which contradicts the starting assumption.
Part 2: We show (by contradiction) that the reachable space of A_d is maximally permissive.
Suppose there is a state (l, v) ∈ Q_A such that (l, v) ∉ Q_{A_d} and l ∉ L_F. Suppose also that (l, v) does not lead to locations forbidden by the specification.
The fact that (l, v) does not lead to unauthorized locations means that there is no run from (l, v) leading to a state (l′, v′) with l′ ∈ L_F. Let l_f ∈ L_F be a location such that l ∈ L_R(l_f). Since there is no run from (l, v) leading to a forbidden location, (l_f, v_f) is not reachable from (l, v), for any v_f ∈ R^|X|. Equivalently, (l, v) is not reachable from (l_f, v_f) in the reverse automaton −A (or by backward analysis). Let S^backward_{l,l_f} be the space obtained at l by backward analysis from (l_f, v_f). Thus, S^backward_{l,l_f}(v) = false.
According to Algorithm III.1, S^d_l starts from the initial space … . Moreover, according to the formula computing the location invariant, we have inv_d(l)(v) = true =⇒ (l, v) ∈ Q_d. Thus, any state leading exclusively to locations respecting the specification is in the reachable space of A_d. Consequently, A_d is maximally permissive.
Example 3.1: We reconsider the CSRHA of the electrical system illustrated in Fig. 2. According to the safety specification, we consider the following unsafe locations: SF = {l_7, l_8, l_10, l_4, l_6}. The reachable spaces computed by forward and backward analysis were obtained with the PHAVer [17] and SpaceEx [18], [19] tools. The intersection of the backward and forward spaces is shown in Table I. The results meet the safety specification. Thus, the controller defines a derived CSRHA in which the location invariants and transition guards are truncated by the newly obtained polyhedral equations in each location. This derived automaton is maximally permissive and describes all possible trajectories that obey the requirements.
Table I shows the intersection space obtained by PHAVer and SpaceEx. This captures the maximal polyhedron that meets the requirements. For example, Table I gives the updated location invariant of l_4. Similarly, all guards and invariants are updated according to the results given by the intersection space. Furthermore, we omit any outgoing transition from a forbidden location (since it becomes unreachable).

IV. CONCLUSION
In this paper, our main contribution is to solve the supervisory control problem for the particular class of dynamic hybrid systems (DHS) called Cumulative Preemptive Event-driven DHS (CPE-DHS) by narrowing the guards and invariants of transitions relative to controllable events so that forbidden states remain inaccessible. Our proposed solution can be applied in a systematic way to any system that fits our requirements. We applied this approach to an electrical system as a case study. Generally speaking, the control problem is known to be undecidable for this class of complex systems. Nevertheless, in quest of decidability, we propose some restrictions that make the problem decidable. In future work, we will focus on supervisor generation while considering uncontrollable variables.

Algorithm III.1: Control Algorithm (header and first lines; the listing continues in Section III.B)
1: function Control(A, M_F): A_d
2: initialize the output CSRHA by the entry CSRHA: A_d := A
3: function initialize()
4: calculate the set E_F:
5: for all e_{l,l′} ∈ E with l′ ∈ L_F do