Promotors: prof.dr.ir. J.E. Rooda (TU/e) and prof.dr.ir. J.H. van Schuppen (TUD)
Co-promotor: dr.ir. D.A. van Beek (TU/e)
Technische Universiteit Eindhoven
Date: 2 March 2015, 16:00
Control systems can be divided into multiple layers: regulative control, supervisory control and user interfacing. Regulative control assures that a system reaches the desired position or the desired state in the desired way. These controllers are typically designed in the continuous-time domain. This is the domain of classical control theory. Supervisory control assures that a system correctly performs its function by determining and executing allowed sequences of tasks on (in)dependent resources. These controllers are typically designed in the discrete-event domain. User interfacing is provided to interact with the users of the system. A user of the system can be a human operator, but also another system. This thesis focuses on the design of controllers for the supervisory control layer.
In the traditional approach to supervisory controller design, behavioral requirements are informally specified by domain experts, and software is coded by software experts. This leads to long development cycles, and to code and requirements that are difficult to develop, debug, maintain, and adapt. Observed erroneous behavior of the system under test can be caused by, among others, ambiguous or inconsistent control requirements, miscommunication between domain engineer and software coder, and errors in the control code. This can be especially problematic when the functionality of existing products evolves over time, such as in the case of Magnetic Resonance Imaging (MRI) scanners, that can be maintained at the level of new, state of the art, systems by periodic upgrades over a period of approximately ten years.
To address these issues, this thesis proposes the use of existing supervisory control theory for formal specification of the control requirements and the uncontrolled plant, and generation of the control code by means of supervisory control synthesis. By combining supervisory control synthesis with the well-known principles of model-based engineering, ?synthesis-based engineering? is obtained.
Using supervisory control theory has the following advantages: The engineering process changes from implementing and debugging the control code, to designing and debugging the behavioral requirements. The models of the uncontrolled system and the control requirements are unambiguous, leaving no room for different interpretations. The synthesized supervisors are suitable for code generation, which makes the design relatively independent of the implementation technology. Finally, changes in the control requirements can be realized quickly without introducing errors. As a result, the development time of the supervisors decreases while the quality increases.
Model-based analysis techniques can be used to get early feedback on the system under development. The control requirements can be validated by means of interactive simulation and visualization of the synthesized supervisor together with the plant model. The use of supervisory control synthesis means that changes in the requirements, resulting from these validation steps, can be incorporated in the supervisor quickly.
The synthesis-based engineering design process is applied to two cases in the Philips Healthcare MRI scanner patient environment, namely the patient support table, and the patient communication system. Different kinds of supervisory control theory are applied: event-based supervisory control, state-based supervisory control using automata, and state-based supervisory control using automata with variables, the so-called ‘extended automata’.
In event-based supervisory control, the plant and the control requirements are both modeled by automata. The patient support table case has shown that the evolvability of the control system can be improved by dividing the plant model and control requirements into small, mostly independent, specifications. The plant models are divided into models for the actuators, sensors, and for structural restrictions. The control requirements are divided into requirements for the individual components and for requirements defining their interaction. This division is facilitated by splitting of events, such as stop events, into a number of independent sub-events, and by introducing internal events to allow modeling of various modes of operation. In this way, model errors can more easily be detected, and attributed to specific parts of the specification. The improved evolvability is demonstrated by means of an actual redesign of the control requirements to incorporate a user change request.
The generated real-time implementation was extensively tested on an actual patient support system: several operating procedures, that are used in practice, were carried out. In addition, attempts were made to generate erroneous behavior by means of very rapid pressing of buttons and switches, and by intentionally giving illegal commands. In all cases, the control system reacted as desired. The system was also operated and tested by Philips employees, but no errors were found.
State-based supervisory control is introduced as an extension of event-based supervisory control: in addition to automata, plants and control requirements can also be specified using state exclusion predicates, and state-event exclusion predicates. Experience at Philips Healthcare has shown that state-based control requirements are intuitive for both domain experts and software experts, since they closely match the view of the systems in terms of states, transitions between states, and restrictions on allowable states and state-transitions. To allow a straightforward comparison of event-based and state-based supervisory control specifications, the same patient support table has been modeled in detail using event-based and state-based specifications. A comparison shows that the combination of state-based and event-based requirements leads to far more intuitive specifications than are possible using event-based specifications alone. In addition, where event-based supervisory control in general allows only a single initial state, the state-based supervisory control synthesis algorithm of allows an arbitrary number of initial states. This has proved to be essential for actual real-time control of the patient support system, because it allows activation of the controller in any initial state of the physical system. Finally, the state-based control requirements that are defined in this thesis not only facilitate the exclusion of unsafe behavior by means of state-event exclusion and state exclusion (safety), but also the inclusion of required safe behavior by means of state-event inclusion (liveness).
In existing ‘extended automata’-based supervisory control, automata are extended with variables, guards and updates. The patient communication system application illustrates how the use of variables is essential for intuitive modeling of various modes of operation of the system. To support systematic, modular specification of the patient communication system for supervisory control synthesis, observers that record sequences of events in terms of states are shown to be essential. An advantage of this approach is that it facilitates state-based output. That is, the definition of the values of output variables as a function of the state of the control system.
The applications discussed in this thesis show that synthesis-based engineering has major advantages compared to conventional supervisory control system design. As a result, Philips Healthcare has started to investigate the use of supervisory control synthesis for all major components of MRI scanners. Regarding the tool chain, also considerable progress is made: a new supervisory control tool chain, based on the tool chain that is proposed in this thesis, is currently implemented in the Systems Engineering Group.