Content uploaded by Pierpaolo Dini
Author content
All content in this area was uploaded by Pierpaolo Dini on Oct 06, 2020
Content may be subject to copyright.
Co-simulation and Verification of a Non-linear
Control System for Cogging Torque Reduction
in Brushless Motors?
Cinzia Bernardeschi, Pierpaolo Dini, Andrea Domenici, and Sergio Saponara
Dept. of Information Engineering, University of Pisa, Italy
Abstract. This work aims at demonstrating the benefits of integrating
co-simulation and formal verification in the standard design flow of a
brushless power drive system for precision robotic applications. A suf-
ficient condition on controller gain for system stability is derived from
the system’s mathematical model, including a control algorithm for the
reduction of cogging torque. Then, using co-simulation and design space
exploration, fine tuning of the controller gain parameters has been exe-
cuted, exploiting the results from the formal verification.
1 Introduction
Electronic power drive systems in hybrid vehicles in which mechanical and elec-
trical parts coexist with electronic controllers have very complex dynamics [28].
Standard methods in the development of such systems are based on a hi-
erarchical simulation workflow [22]: An abstract model of the system is first
described and simulated in some modeling language such as Simulink or Open
Modelica (model-in-the-loop, MIL); then the control algorithms, implemented
in the C/C++ programming language, are simulated with the rest of the system
in Matlab/Simulink (software-in-the-loop, SIL). Successively, the implemented
algorithms are run on the target processor mounted on a development board
(processor-in-the-loop, PIL) and on the target processor mounted in the de-
ployed Electronic Control Unit (ECU) that interacts with an emulated physical
plant (hardware-in-the-loop, HIL).
Special HW and SW tools have been developed to support the hardware-in-
the-loop phase (e.g., dSPACE or Speedgoat). However, HIL simulation is very
time-consuming and expensive. Most of the time, new control algorithms are
simulated at the PIL level. Moreover, most simulators available capture the
performance of controllers when the code is executed on the specific instruction
set of the processor, while they offer limited support for verification.
Finally, state space exploration of the controller during the design phase often
considers only the variation of one of a set of parameters at a time, assuming
?Work partially supported by the Italian Ministry of Education and Research (MIUR)
in the framework of the CrossLab project (Departments of Excellence).
the others constant. Therefore, the coverage of the design space is often time
consuming and not exhaustive.
This work reports our experience in the application of co-simulation and
formal verification supported by the INTO-CPS framework [16] to a real case
study for the reduction of the cogging torque in brushless motors by a non-linear
control system [7]. The effect of the cogging torque is due to the interaction
between permanent magnets and the teeth of the stator slots. This is a main
issue in precision electric drive applications, which is often solved with physical
modification of the electrical machine.
The added value of the proposed approach is to include co-simulation and
formal verification, in parallel with the standard approach, for the calibration of
design parameters. Co-simulation improves flexibility because it does not require
a single modeling language for all system parts (e.g., discrete and continuous
parts), and formal verification enables proofs of correctness for fundamental
properties of the system. In this work, OpenModelica has been used to model the
physical part, while PVSio-web has been used to model the feedback linearization
control part. Moreover, The Prototype Verification System (PVS) [23] has been
used to describe the theory of the closed loop system in a formal language and
prove sufficient conditions for stability. In particular, after finding the parameter
ranges ensuring stability, co-simulation and design space exploration have been
used to find a combination of control gains optimizing power consumption and
precision according to the Pareto criterion.
The paper is structured as follows: Section 2 reports on related work; Sec-
tion 3 describes the non-linear control technique for cogging torque reduction
and the tools used for co-simulation and formal verification. The mathematical
model of the motor and control is shown in Section 4. Section 5 shows results of
co-simulation. Section 6 shows how the PVS theorem prover can perform proofs
of properties for the non-linear control algorithm. Design space exploration is
reported in Section 7. Finally, Section 8 concludes the paper.
2 Related Work
Proposals to apply formal methods to cyber-physical systems follow many dif-
ferent approaches and languages.
An important family of languages is that of hybrid automata [14], a concep-
tual model that lends itself to the integration of discrete- and continuous-time
behaviors. In particular, timed automata [1] are supported by such tools as the
UPPAAL environment [2].
Another approach is based on logic-based methods, which use various forms
of logic languages to model and analyze systems. These logic languages include
temporal logics [27, 20], normally used in conjunction with state-machine repre-
sentations, and higher-order logics [18].
KeYmaera [11] is a theorem prover, recently developed and applied suc-
cessfully for the verification of cyber-physical systems. Its language includes
conditions, non-determinism, loops, composition, and continuous dynamics, i.e.,
behaviors defined by differential equations.
In [3], the Prototype Verification System theorem prover is used to prove
basic safety properties of a nonlinear (hybrid) control system (a storage tank).
In [8], co-simulation and formal verification have been applied to a simple
autonomous vehicle. The vehicle kinematics have been simulated in Simulink,
whereas the controller has been modeled in PVS. Co-simulation and formal
verification were also applied to a bio-medical system, namely, a pacemaker and
a human heart, modeled in PVS and Simulink, respectively [4].
The Vienna Definition Method (VDM) [10] family of languages and tools, in
particular the Crescendo tool [17] have also been used extensively.
Palensky et al. [24, 25] advocate the integration of HIL simulation with co-
simulation in the analysis of intelligent power grid systems. In [5], mixing formal
verification with simulation-based techniques is proposed to create a new formal-
verification-in-the-loop methodology.
3 Background
In this work, we refer to a three-phase permanent-magnet brushless motor, ba-
sically composed of a stator bearing three electric windings, and a rotor bearing
permanent magnets on its surface. The currents in the windings create a rotating
magnetic field that interacts with the magnets creating a torque Tem causing the
rotor to spin and transmit mechanical power to its load. The three currents are a
three-phase system characterized by the respective phasors, each defined by the
amplitude and phase shift of the corresponding current. The basic three-phase
representation can be transformed into other representations by a change of co-
ordinate frame. In the following, two coordinate frames called d−qand α−β
will be used [28].
3.1 Cogging Torque in Brushless Motors
In this section we describe briefly the cogging torque phenomenon, which is an
intrinsic feature of synchronous motors. Basically the cogging torque is due to
the magnetic interaction between permanent magnets on the rotor surface and
the stator teeth. In particular, it produces a tangential force on the magnets.
The tangential force (hence, the torque) on each magnet depends on its
position with respect to nearby stator teeth, i.e., on the rotor’s angular position
θ. This force varies between opposite orientations as the magnet approaches
or recedes from each tooth, therefore it has a null mean value, as shown in
Fig. 1. The top part shows that during the movement of the rotor different
configurations occur. The lower part shows schematically that the movement of
a magnet with respect to a stator tooth generates a null mean contribution of
cogging torque.
Therefore the cogging torque can be described as an additive disturbance to
the electromagnetic torque, periodic and with zero mean. In this work we use
cogging torque
θ
Fig. 1. Schematic representation of torque ripple due to the interaction between per-
manent magnets and stator teeth.
a result from [29] describing the cogging torque through the following Fourier
development:
Tcog =
m
X
k=1
Tksin(kZθ+αk) (1)
In the above formula, Tkand αkare the amplitude and the phase shift relative
to the kth harmonic of the development, Z is the number of stator teeth, θis
the absolute (mechanical) angular position of the rotor and mis the number of
harmonics necessary to approximate the actual cogging torque. The formula has
been obtained through a finite element analysis (FEM) [29], in which it has also
been verified that a limited number of harmonics, in particular four, is adequate
for the mathematical description of the phenomenon.
3.2 The INTO-CPS Framework
Simulation in cyber-physical systems often takes the form of co-simulation [13],
i.e., integrated simulation of different subsystems, each modeled with a specific
formalism and simulated by a specific simulation engine. The Functional Mockup
Interface (FMI) [6] is a standard for co-simulation: sub-models implemented as
Functional Mockup Units (FMUs) are orchestrated by a master that communi-
cates with them through proxy modules (FMI wrappers) whose interfaces are
FMI-compliant. Recently, the INTO-CPS project [16] created an integrated co-
simulation framework based on FMI.
INTO-CPS also supports the possibility of looking for optimal design pa-
rameter values by using the Design Space Exploration (DSE) functionality. This
functionality allows developers to choose a set of values for each parameter and
define objective functions on simulation results. The design exploration engine
then executes one simulation for each combination of parameter values, retrieves
results, computes objective functions, and ranks the resulting values.
3.3 The Prototype Verification System
The Prototype Verification System (PVS) [23] is an interactive theorem-proving
environment whose users can define theories in a higher-order logic language
and prove theorems with respect to them. Moreover, the PVSio extension [21]
allows a PVS theory to be used as an executable model for simulation, and the
PVSio-web [26] framework extends prototypes with interactive user interfaces,
and converts stand-alone device prototypes into FMUs capable of exchanging
commands and data with any FMI-compliant co-simulation engine. The PVS
environment includes the NASALIB theory libraries [9] providing axioms and
theorems addressing many topics in mathematics, including real number analy-
sis, and it can be applied to model both the discrete and the continuous part of
the system [3].
4 Mathematical Model of Motor and Control
The behavior of the brushless motor considered in this paper is modeled by
parameters representing its physical characteristics and by a set of equations
combining the electromagnetic, mechanical, and control laws [28]. The latter have
been adapted from [7]. The electromagnetic laws are expressed in terms of d-q
phasors [28]. For simplicity, the law describing the cogging torque considers only
its first harmonic. Tables 1 and 2 show the parameters and variable magnitudes,
respectively, used in the model.
4.1 Motor Model
In the following, udand uqare the d-q components of the supplied voltage and
idand iqare the current components, while L and R are the inductance and
equivalent resistance, respectively. The supplied voltage is then:
Table 1. Parameters
Parameter Value Meaning
Z 10 number of stator teeth
p 3 number of pole pairs
T14.0 N ·m amplitude of cogging torque’s first harmonic
α10.009 rad phase of cogging torque’s first harmonic
R 3.3 Ω resistance
L 0.05 H inductance
k 0.5 Wb magnetic flux
J 0.01 kg ·m2rotational inertia
β0.01 N ·s/m friction coefficient
Table 2. Variables
Variable Meaning
id, iqdirect and quadrature components of current
ud, uqdirect and quadrature components of voltage
θ, ω angular position and speed
¯ıd,¯
θdesired values of idand θ
Tem, Tcog electromagnetic and cogging torques
ud
uq= R id
iq+ L d
dt id
iq+ed
eq(2)
where
ed=−pωLiq
eq= pω(k + Lid)
is the counter-electromotive force vector.
Equations (3) represent the useful electromagnetic torque Tem and the cog-
ging torque Tcog, and Equations 4 represent the resulting mechanical behavior.
Tem =3
2pkiq
Tcog = T1sin(Zθ+α1)
(3)
J ˙ω+βω =Tem +Tcog
ω=˙
θ(4)
4.2 Controller Model
The controller shown here is based on the one presented in [7] and uses a feedback
linearization technique.
Its inputs are the desired values of current ¯
idand angular position ¯
θ, and
the feedback values of current (idand iq), angular position θ, and angular speed
Table 3. Numerical coefficients
Coefficient Value Coefficient Value
C14040 C21237529
C39/1000 C4153666659/90000
C51597813728139/27000000 C66371/300
ω. Its characteristic parameters are the gains K11 and K22, used to compute a
signal proportional to the error on the motor outputs (see [7] for details):
v1
v2=K11 0
0 K22id−¯
id
θ−¯
θ(5)
The control voltages udand uqare computed according to (6).
ud= Lv1+ Rid−Lpiqω
uq=2JL
3pk [v2−3pk
2J (−Riq−pω(Lid+ k))]
+ Zω(T1cos(Zθ+α1)) −β
J[3
2pkiq+ (T1sin(Zθ+α1))])
(6)
4.3 Choice of Gain Coefficients
The values of the controller’s gain coefficients are a design choice. A standard
method to choose their values is based on linearizing the system’s dynamics
around a given operating condition. The behavior of the system under analysis
is given in matrix form by (7), where the first derivative of each controlled vari-
able is equated to the respective generating function and Edq = (ed, eq)Tis the
counter-electromotive force vector. The system’s Jacobian is the matrix of the
partial derivatives of the generating functions with respect to their variables.
The gain coefficients must then be chosen so that the real part of the Jaco-
bian’s eigenvectors is less than or equal to zero, as is well known from control
theory [15].
The four eigenvalues of the Jacobian have been computed with the Matlab
symbolic toolbox in terms of the numerical coefficients reported in Table 3 and
of the auxiliary functions Φ1and Φ2defined in (8). Note that the coefficients are
expressed as exact rational numbers.
˙
Idq = L−1
dq (Udq −RdqIdq −Edq )
˙
θ=ω
˙ω=Tem +Tcog −βω
J
(7)
Φ1(θ)=C1cos(10θ+ C3)/3−C4
Φ2(θ)=C2cos(10θ+ C3)/15 + C5
(8)
The real parts of the eigenvalues λ1,λ2,λ3, and λ4are shown in (9) below:
Re(λ4)=K11
Re(λ3) = Φ1(θ)
3
rK22
2+Φ2(θ) + qK22
2+Φ2(θ)2−Φ1(θ)3
+3
v
u
u
tK22
2+Φ2(θ) + sK22
2+Φ2(θ)2
−Φ1(θ)3
−C6
Re(λ2) = −Φ1(θ)
23
rK22
2+Φ2(θ) + qK22
2+Φ2(θ)2−Φ1(θ)3
−1
2
3
v
u
u
tK22
2+Φ2(θ) + sK22
2+Φ2(θ)2
−Φ1(θ)3
−C6
Re(λ1) = Re(λ2)
(9)
5 Co-simulation
Figure 2 shows the architecture of the power drive system. The full system
consists of six blocks: FLC represents the controller function derived from (6) for
the reduction of the cogging torque, dq2alfa transforms the electrical values
from the d-qrepresentation to an intermediate α-βframe, alfa2abc transforms
them to the three-phase form, Motor implements the dynamic model of the
motor, abc2alfa is the transformation block from three-phase to the α-βframe
and alfa2dq is the last coordinate transformation into the d-qframe.
Fig. 2. System model in OpenModelica.
In the co-simulation, blocks relative to the modeling of the electrical machine
and coordinate transformation are implemented in OpenModelica, while the FLC
block is implemented in Misra C. Every block is exported as an FMU. The FMUs
are linked together in a multimodel created by the INTO-CPS application.
Fig. 3. Co-simulation for K11 =−2500, K22 =−250000 (yaxis: θ−¯
θ;xaxis: time).
Figures 3 and 4 show two runs with a duration of 1 s and a step size of
5µs. The initial values of current and rotor position are 0 A and 10 rad, with
a zero set-point for rotor position. The values of the controller gains are (K11 =
−2500,K22 = 250000) for the first run (Fig. 3), and (K11 =−3000,K22 =
300000) for the second one.
Fig. 4. Co-simulation for K11 =−3000, K22 =−300000 (yaxis: θ−¯
θ;xaxis: time).
6 Proofs
From the conditions for stability on the eigenvalues, we can find allowable ranges
of values for the elements of the control gain matrix. The range for K11 is found
immediately to be K11 ≤0, while K22 requires more work.
First, let us define
X(K22, θ) = 3
v
u
u
tK22
2+Φ2(θ) + sK22
2+Φ2(θ)2
−Φ1(θ)3.
It can be shown that Φ1(θ)≤0, hence
X(K22, θ)≥0.
The condition on λ3, Re(λ3)≤0, can be rewritten as
Φ1(θ)
X(K22, θ)+X(K22, θ)−C6≤0(10)
yielding
C6−pC2
6−4Φ1(θ)
2≤X(K22, θ)≤C6+pC2
6−4Φ1(θ)
2(11)
Similarly, the condition on λ2and λ1can be written as
−Φ1(θ)
2X(K22, θ)−X(K22, θ)
2−C6≤0
yielding
X(K22, θ)≤ −C6−qC2
6−Φ1(θ)∨X(K22, θ)≥ −C6+qC2
6−Φ1(θ) (12)
Finally, it can be proved that:
−C6+qC2
6−Φ1(θ)≤X(K22, θ)≤C6+pC2
6−4Φ1(θ)
2(13)
Let us first determine the possible ranges for the bounds of X(K22 , θ), depending
on Φ1(θ):
−C6+qC2
6−Φ1(θ)∈(7.37,38)
C6+pC2
6−4Φ1(θ)
2∈(32.6,67)
(14)
Let us now consider the lower bound
X(K22, θ)≥ −C6+qC2
6−Φ1(θ) = c , (15)
which leads to
sK22
2+Φ2(θ)2
−Φ1(θ)3≥c3−K22
2+Φ2(θ).
Assuming
c3−K22
2+Φ2(θ)≥0 (16)
we get
K22 ≥c3+Φ1(θ)3
c3−2Φ2(θ).(17)
Considering the allowable ranges in (14), we find
Kmin
22 ≥(7.37)3+(1346 −1707)3
(7.37)3−2·(82501 + 59178) ≥ −400000
Kmax
22 ≥(38)3+(−1346 −1707)3
(38)3−2·(82501 + 59178) ≥ −417000
(18)
Discharging Assumption (16), we get two more bounds on K22, i.e.,
K22 ≤47446
K22 ≤ −173614 (19)
With a similar procedure, for the upper bound we obtain
Kmin
22 ≤(32.6)3+(1346 −1707)3
(32.6)3−2·(82501 + 59178) ≤ −250000
Kmax
22 ≤(67)3+(−1346 −1707)3
(67)3−2·(−82501 + 59178) ≤ −254000
(20)
K22 ≤115998
K22 ≤318168 (21)
We can finally gather the required bounds on K22 and take their intersection
to obtain a sufficient condition for stability:
−400000 ≤K22 ≤ −250000
6.1 A PVS Theory
The preceding proofs have been carried out with the PVS theorem prover. The
system under study has been specified in the cogging theory:
cogging: THEORY BEGIN
IMPORTING trig_fnd@sincos_def, power@root, reals@quadratic
C_1: posrat = 4040
%...
Phi_1(theta: real): real = C_1*cos(10*theta + C_3)/3 - C_4
Phi_2(theta: real): real = C_2*cos(10*theta + C_3)/15 + C_5
cubicrt(x: real): real = root(x, 3)
%...
The theory imports library theories on trigonometry and properties of roots
and quadratic equations, then it defines the numeric coefficients as positive ra-
tional (posrat) constants, and introduces functions Φ1and Φ2. Function cubicrt
is an abbreviation for the predefined nth-root function.
Then the real parts of the eigenvalues are defined. For example, the real part
of λ3is:
re_lambda_3(k_22, theta: real): real =
Phi_1(theta)/cubicrt(k_22/2 + Phi_2(theta)
+ sqrt((k_22/2 + Phi_2(theta))^2 - Phi_1(theta)^3))
+ cubicrt(k_22/2 + Phi_2(theta)
+ sqrt((k_22/2 + Phi_2(theta))^2 - Phi_1(theta)^3)) - C_6
After the real parts of the eigenvalues, the definition of function X, using an
auxiliary function a:
a(k_22, theta: real): real = k_22/2 + Phi_2(theta)
X(k_22, theta: real): real =
cubicrt(a(k_22, theta) + sqrt(sq(a(k_22, theta)) - Phi_1(theta)^3))
The definitions of the eigenvalues’ real parts have been obtained with Matlab,
and can be rewritten more compactly in terms of X. The correctness of the
rewriting is verified by proving a simple lemma:
real_lam3(k_22, theta: real): real =
Phi_1(theta)/X(k_22, theta) + X(k_22, theta) - C_6
lem_1: LEMMA
FORALL (k_22, theta: real):
real_lam3(k_22, theta) = re_lambda_3(k_22, theta)
The theory includes several lemmas corresponding to proofs of the steps
shown above. For example, it has been proved that Re(λ3)≤0 implies that
Xλ3,1(θ)≤X(K22, θ)≤Xλ3,2(θ), where Xλ3,1(θ) and Xλ3,2(θ) are the roots of
the quadratic equation associated with inequality 10:
X_lam3_1(theta: real): real = root(1, -C_6, Phi_1(theta), -1)
X_lam3_2(theta: real): real = root(1, -C_6, Phi_1(theta), 1)
lem_3: LEMMA
FORALL (k_22, theta: real):
real_lam3(k_22, theta) <= 0 IMPLIES
X(k_22, theta) >= X_lam3_1(theta)
AND X(k_22, theta) <= X_lam3_2(theta)
Table 4. DSE experiment 1.
Rank K22 K11 power consumption object error row
1 -250000 -2500 1461.051 248 9 2.610 011 611 13 1
2 -262000 -2620 1778.528 548 57 2.690 901 212 23 2
3 -275000 -2750 2213.324 031 29 2.818 490 551 17 3
4 -288000 -2880 2799.888 897 6 3.014 504 515 82 4
5 -300000 -3000 3539.791 604 1 3.278 982 117 31 5
6 -312000 -3120 4599.740 439 17 3.676 395 756 42 6
7 -325000 -3250 6450.851 819 19 4.398 670 957 85 7
Some proofs consist in the invocation of a single PVS command, while others
may require longish manipulations and the introduction of lemmas from prede-
fined theories. The effort results in a rigorous and reliable characterization of
the allowable ranges for design parameters.
7 Design Space Exploration
The DSE feature of INTO-CPS has been applied to analyze the behavior of
the feedback controlled system in the range of controller gains obtained in
Sect. 6. The analysis uses the Pareto method [12, 19] to rank the (K11 ,K22)
pairs for the following objective functions, where Nis the number of time sam-
ples collected in each simulation: (i) the absorbed power, power consumption =
Pk∈[1..N](UkIk); and (ii) the sum of the mean square errors on θand id,
object error =1
NPk∈[1..N]((θ−¯
θ)2+ (id−¯ıd)2). All co-simulation runs have a
duration of 1 s with a step-size of 5 µs.
Each DSE experiment can be configured with a specific search strategy in the
design space. As an example, the following paragraphs present two experiments
with different aims.
First Experiment This experiment aims at locating optimal values for K22,
under the arbitrary constraint K11 =1
100 K22. Gain K22 takes values in the range
(-325000, -250000). Table 4 shows that, when the modulus of K22 increases, the
power consumption increases, since higher absolute values of K22 correspond to
higher voltages. Also the error increases with K22. Figure 5 shows the corre-
sponding Pareto plot, where the circled numbers refer to the table rows.
Second Experiment This experiment compares the influence of the two gains
on the evaluation criteria, by considering different combinations of values for K11
and K22, taken from discrete sets: K22 ∈ {−300000,−288000,−275000,−262000,
−250000}and K11 ∈ {−2750,−2500,−2250,−2000,−1000}, performing 25 dif-
ferent simulations. From Table 5 and the corresponding plot in Fig. 6, it turns
out that K22 is the dominant factor. In fact, for each distinct value of K22 there
is a cluster of five closely spaced points corresponding to values of K11.
12
3
4
5
6
7
Fig. 5. Pareto front experiment 1.
8 Conclusions
A main theme of this work is the integration and complementarity of different
tools. In particular, finding the allowable ranges for the controller gain has relied
on Matlab and PVS. The symbolic and numerical computational capabilities
of Matlab made it possible to obtain quickly the expressions for the system’s
eigenvalues. Then, interactive theorem proving made it possible to determine the
conditions for stability on the eigenvalues, starting from the Matlab results and
performing the necessary logical steps under the continuous check for correctness
enforced by the PVS prover. Finally, co-simulation and design-space exploration
with INTO-CPS led to the final design choices.
9 Acknowledgments
The authors wish to thank the anonymous referees for their valuable suggestions.
The authors also thank the INTO-CPS project for providing the co-simulation
environment.
Table 5. Experiment 2.
Rank K22 K11 power consumption object error row
1 -250000 -2750 1460.478 569 4 2.609 204 754 2 1
2 -250000 -2500 1461.051 248 9 2.610 011 611 13 2
3 -250000 -2250 1461.719 784 71 2.610 992 746 16 3
4 -250000 -2000 1462.506 807 86 2.612 210 964 64 4
5 -250000 -1000 1467.166 926 01 2.622 677 806 15 5
6 -262000 -2750 1778.081 499 89 2.690 342 527 51 6
· · ·
11 -275000 -2750 2213.324 031 29 2.818 490 551 17 11
· · ·
16 -288000 -2750 2801.065 865 43 3.015 619 303 04 16
· · ·
21 -300000 -2750 3543.858 860 91 3.282 293 941 7 21
22 -300000 -2500 3548.614 530 09 3.286 233 799 06 22
23 -300000 -2250 3554.239 909 85 3.290 996 682 75 23
24 -300000 -2000 3560.979 044 03 3.296 866 120 91 24
25 -300000 -1000 3606.615 552 53 3.344 957 314 12 25
1 5
...
6 10
...
11 15
...
16 20
...
21 25
...
Fig. 6. Pareto front experiment 2.
References
1. Alur, R., Dill, D.L.: A theory of timed automata. Theoretical Computer Science
126(2), 183–235 (1994)
2. Behrmann, G., David, A., Larsen, K., Hakansson, J., Petterson, P., Yi, W., Hen-
driks, M.: UPPAAL 4.0. In: Third International Conference on Quantitative Eval-
uation of Systems (QEST 2006). pp. 125–126 (Sept 2006)
3. Bernardeschi, C., Domenici, A.: Verifying safety properties of a nonlinear control by
interactive theorem proving with the Prototype Verification System. Inf. Process.
Lett. 116(6), 409–415 (2016)
4. Bernardeschi, C., Domenici, A., Masci, P.: A PVS-Simulink Integrated Environ-
ment for Model-Based Analysis of Cyber-Physical Systems. IEEE Trans. Software
Eng. 44(6), 512–533 (2018)
5. Bernardeschi, C., Domenici, A., Saponara, S.: Formal verification in the loop to
enhance verification of safety-critical cyber-physical systems. Proc. of Interactive
Workshop on the Industrial Application of Verification and Testing, InterAVT 2019
(ETAPS 2019), Electronic Communications of the EASST, to appear (2019)
6. Blochwitz, T., Otter, M., Akesson, J., Arnold, M., Clauß, C., Elmqvist, H.,
Friedrich, M., Junghanns, A., Mauss, J., Neumerkel, D., Olsson, H., Viel, A.:
Functional Mockup Interface 2.0: The Standard for Tool independent Exchange
of Simulation Models. In: Proceedings of the 9th International MODELICA Con-
ference; September 3-5; 2012; Munich; Germany. pp. 173–184. No. 76 in Link¨oping
Electronic Conference Proceedings, Link¨oping University Electronic Press (2012)
7. Dini, P., Saponara, S.: Cogging torque reduction in brushless motors by a nonlinear
control technique. Energies 12(11), 2224 (2019)
8. Domenici, A., Fagiolini, A., Palmieri, M.: Integrated simulation and formal verifi-
cation of a simple autonomous vehicle. In: Cerone, A., Roveri, M. (eds.) Software
Engineering and Formal Methods. Lecture Notes in Computer Science, vol. 10729,
pp. 300–314. Springer International Publishing, Cham (2018)
9. Dutertre, B.: Elements of mathematical analysis in PVS. In: Proceedings of the
9th International Conference on Theorem Proving in Higher Order Logics. pp.
141–156. TPHOLs ’96, Springer-Verlag, Berlin, Heidelberg (1996)
10. Fitzgerald, J.S., Larsen, P.G., Verhoef, M.: Vienna development method. In: Wah,
B. (ed.) Wiley Encyclopedia of Computer Science and Engineering. John Wiley &
Sons, Inc. (2007)
11. Fulton, N., Mitsch, S., Quesel, J.D., V¨olp, M., Platzer, A.: KeYmaera X: An ax-
iomatic tactical theorem prover for hybrid systems. In: International Conference
on Automated Deduction. pp. 527–538. Springer (2015)
12. Gamble, C.: DSE in the INTO-CPS Platform. Tech. Rep. D5.3e, INTO-CPS De-
liverable (2017)
13. Gomes, C., Thule, C., Broman, D., Larsen, P.G., Vangheluwe, H.: Co-simulation:
State of the art. CoRR abs/1702.00686 (2017)
14. Henzinger, T.A.: The theory of hybrid automata. In: Proceedings of the 11th An-
nual IEEE Symposium on Logic in Computer Science. pp. 278–292. LICS ’96, IEEE
Computer Society, Washington, DC, USA (1996)
15. Isidori, A.: Nonlinear Control Systems. Communications and Control Engineering,
Springer London (1995)
16. Larsen, P.G., Fitzgerald, J., Woodcock, J., Fritzson, P., Brauer, J., Kleijn, C.,
Lecomte, T., Pfeil, M., Green, O., Basagiannis, S., Sadovykh, A.: Integrated tool
chain for model-based design of Cyber-Physical Systems: The INTO-CPS project.
In: 2016 2nd International Workshop on Modelling, Analysis, and Control of Com-
plex CPS (CPS Data). pp. 1–6 (April 2016)
17. Larsen, P., Gamble, C., Pierce, K., Ribeiro, A., Lausdahl, K.: Support for Co-
modelling and Co-simulation: The Crescendo Tool. In: Fitzgerald, J., Larsen,
P., Verhoef, M. (eds.) Collaborative Design for Embedded Systems. pp. 97–114.
Springer (2014)
18. Leivant, D.: Higher order logic. In: Gabbay, D.M., Hogger, C.J., Robinson, J.A.
(eds.) Handbook of Logic in Artificial Intelligence and Logic Programming, pp.
229–321. Oxford University Press, Inc., New York, NY, USA (1994)
19. Lotov, A., Miettinen, K.: Visualizing the Pareto Frontier. In: Multiobjective Op-
timization. pp. 213–243. Springer, Berlin, Heidelberg (2008)
20. Manna, Z., Pnueli, A.: The Temporal Logic of Reactive Systems: Safety. Springer-
Verlag New York (1995)
21. Mu˜noz, C.: Rapid prototyping in PVS. Tech. Rep. NIA 2003-03, NASA/CR-2003-
212418, National Institute of Aerospace, Hampton, VA, USA (2003)
22. Nibert, J., Herniter, M.E., Chambers, Z.: Model-Based System Design for MIL,
SIL, and HIL. World Electric Vehicle Journal 5(4), 1121–1130 (2012)
23. Owre, S., Rushby, J., Shankar, N.: PVS: A prototype verification system. In: Kapur,
D. (ed.) Automated Deduction — CADE-11, Lecture Notes in Computer Science,
vol. 607, pp. 748–752. Springer Berlin Heidelberg (1992)
24. Palensky, P., van der Meer, A., Lopez, C., Joseph, A., Pan, K.: Applied cosimu-
lation of intelligent power systems: Implementing hybrid simulators for complex
power systems. IEEE Industrial Electronics Magazine 11(2), 6–21 (June 2017)
25. Palensky, P., Meer, A.A.V.D., Lopez, C.D., Joseph, A., Pan, K.: Cosimulation
of intelligent power systems: Fundamentals, software architecture, numerics, and
coupling. IEEE Industrial Electronics Magazine 11(1), 34–50 (March 2017)
26. Palmieri, M., Bernardeschi, C., Masci, P.: A Flexible Framework for FMI-Based
Co-Simulation of Human-Centred Cyber-Physical Systems. In: Software Technolo-
gies: Applications and Foundations - STAF 2018 Collocated Workshops, Toulouse,
France, June 25-29, 2018, Revised Selected Papers. pp. 21–33 (2018)
27. Pnueli, A.: The temporal logic of programs. In: 18th Annual Symposium on Foun-
dations of Computer Science (sfcs 1977). pp. 46–57 (Oct 1977)
28. Pulle, D., Darnell, P., Veltman, A.: Applied Control of Electrical Drives: Real
Time Embedded and Sensorless Control using VisSimTM and PLECSTM. Power
Systems, Springer International Publishing (2015)
29. Tudorache, T., Trifu, I., Ghita, C., Bostan, V.: Improved mathematical model of
PMSM taking into account cogging torque oscillations. Advances in Electrical and
Computer Engineering 12(3), 59–64 (2012)
