
IEEE TRANSACTIONS ON CONTROL SYSTEMS TECHNOLOGY, VOL. 26, NO. 5, SEPTEMBER 2018 1635

Formal Methods for Stability Analysis of Networked Control Systems With IEEE 802.15.4 Protocol

Bo Wu, Student Member, IEEE, Michael D. Lemmon, Member, IEEE, and Hai Lin, Senior Member, IEEE

Abstract— Wireless networked control systems (WNCSs) with control loops closed over a wireless network are prevailing these days. However, due to uncertainties such as random accessing delays and possible packet drops, the stability analysis for a WNCS is a challenging task. Most previous studies on the communication network analysis either relied on Monte Carlo simulation or followed the multistate Markov chain framework. In this paper, our main contribution is to propose a formal method-based stability analysis in which the communication system is modeled as a probabilistic timed automaton. The underlying communication protocol is analyzed through probabilistic model checking. In particular, the stability condition of the WNCS is expressed in the probabilistic temporal logic formula as the quality of service requirement, which can be checked, and the satisfaction of the specification is equivalent to the stability guarantee of the WNCS. We then study the impact of different media access control (MAC) parameters on the satisfaction of the specification. Furthermore, if the specification is not satisfied initially, we propose a systematic way to tune the MAC parameters or redesign the controller so that the specification can be met. This paper presents an attempt and a new angle to the communication and control system codesign problem.

Index Terms— Codesign, model checking, probabilistic timed automata (PTAs), wireless networked control system (WNCS) stability.

I. INTRODUCTION

OVER the last decade, wireless networked control systems (WNCSs) have enjoyed a great and increasing popularity in both academic and industrial worlds because of their flexible architectures, reduced installation and maintenance costs, and distributed nature [1]. They find applications in a wide range of areas, such as mobile sensor networks [2], robotics [3], and unmanned aerial vehicles [4]. However, it is also well known that multiple control loops being closed in the same network to share communication resources inevitably introduce new challenges in analyzing the closed-loop system performance [5], [6]. Indeed, a WNCS suffers from delays and packet drops introduced during transmission, channel access, retransmission, and routing, which may affect the control system stability or even destabilize the system [7]. Such a challenge generates a lot of research interest in recent years to analyze the WNCS with imperfect communication [8]–[13].

Manuscript received November 11, 2016; revised March 21, 2017; accepted June 5, 2017. Date of publication July 26, 2017; date of current version August 6, 2018. Manuscript received in final form July 2, 2017. This work was supported by NSF under Grant NSF-CNS-1239222, Grant NSF-ECCS-1253488, and Grant NSF-CNS-1446288. Recommended by Associate Editor Y. Shi. (Corresponding author: Bo Wu.)

The authors are with the Department of Electrical Engineering, University of Notre Dame, Notre Dame, IN 46556 USA (e-mail: [email protected]; [email protected]; [email protected]).

Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org.

Digital Object Identifier 10.1109/TCST.2017.2723877

This paper aims to investigate the stability issues of WNCS, which involves modeling and analysis of both the control system and the communication network. Most studies from a controller design and analysis point of view usually skip the latter and assume that the communication delay or packet drop properties are given [14]. However, it may be difficult to obtain such properties in real applications.

On the other hand, there have been analytical studies of the communication protocols based on the detailed multistate Markov models [15]. The key approximation in [15], which is also adopted in most subsequent studies such as [16] and [17], is the assumption of a constant and independent channel busy probability at each channel access attempt for each node, regardless of the number of backoffs or retransmissions already suffered. This assumption may not always hold in practice [18], especially for nodes that are not saturated, i.e., each node's transmission queue can become empty, as in many WNCS applications. In [19], the analytical study of the 802.15.4 protocol was conducted using a multistate Markov model, where the assumption of the independent channel busy probability was dropped, but probability distribution function approximations have to be made to make the analysis mathematically tractable. Furthermore, an energy optimization problem in wireless sensor networks with the 802.15.4 protocol was considered in [20] based on the derived analytical model.

Another direction of the stability analysis of WNCS is to first simulate the wireless network protocols and characterize their properties, such as the delay distribution [21], [22]. However, in some cases, the simulation may be unrealistic and produce results that vary widely between different simulators and field experiments [23]. In fact, the impacts of the selection of different simulators on the simulation results may be as much as the design of the protocol [24].

Motivated by these difficulties, we propose to use formal methods, especially model checking [25], to study the communication network and solve the stability analysis problem. Model checking is an automated and algorithmic approach to exhaustively verify system properties [26]. While simulation results are only correct for the sampled runs, model checking results are correct with respect to all possible system scenarios. Our basic idea is first to derive the stability condition from the control system and convert it into a specification that can be checked. Then, we model the communication system as a probabilistic timed automaton (PTA) and perform model checking to see if the specification is satisfied. If not, either we redesign the controller or tune the communication protocol parameters so that the specification can be met. Our idea of communication protocol tuning is inspired by the recent advances in the future communication networks with flexible and adaptive media access control (MAC) layers [27].

1063-6536 © 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

The applications of formal methods for the analysis of the wireless communication protocol emerged recently from the computer aided verification community and gained much interest. In [28]–[30], the IEEE 802.11 protocol and IEEE 802.15.4 were modeled using PTAs, and the probabilistic model checking was performed using the PRISM model checking tool [31]. While these results mostly focused on analysis, in this paper, we go further to consider a particular application scenario in control systems and the communication and control codesign problem.

A stability analysis of networked control systems has been considered in [14] based on the packet drop characteristics that were given a priori. In this paper, we do not make such an assumption; instead, we obtain it from the model checking. Also, we do not make the assumption of constant packet collision probability as in [15] or probability distribution function approximations as in [19]. Our framework considers a practical communication protocol with delays and possible packet drops, unlike [32] where networked control system stabilization was achieved by communication sequence scheduling, assuming perfect communication without delay. Furthermore, we stick to time-triggered communication, which contrasts with the event-triggered scheme that has also been extensively studied in WNCS [33]. Admittedly, the event-triggered control scheme can save communication resources, especially when the system is near the equilibrium, but scheduling event-triggered packets with time-varying intervals and delay constraints will impose greater challenges to the communication system implementation.

Compared with the existing work, our novelty and main contributions can be summarized as follows. First, we convert the stability condition into probabilistic specifications that can be checked using model checking. Second, we model the communication network as a PTA and study the impact of different MAC parameters on the satisfaction of the specification. Third, given the model checking results and if the specification is not satisfied, we propose a systematic way to make sure that the specification can be met.

The preliminary results of this paper were published in [34]. We extend the previous results in the following aspects. First, in [34], the stability condition required that the probability of all the senders successfully transmitting their packets in the same transmission round must be greater than the most strict packet delivery probability requirement. In this paper, our stability condition is that for each control system, the successful transmission probability should be greater than its own least tolerable probability, which is less conservative. Furthermore, a detailed comparison of the existing analytical results [19] with our proposed formal method-based analysis is given. Since analytical methods usually need simplifying assumptions, the analysis based on methods presented in [19] tends to be less accurate, especially when the number of nodes is small or the data length is large. As for our results, since they do not make any approximations, they match the simulation results very well. In addition, our codesign framework sheds some light on the tradeoff between the communication quality of service (QoS) and the open-loop instability of the control system.

Fig. 1. WNCS with star topology.

The rest of this paper is organized as follows. We give the problem formulation in Section II followed by an introduction to the preliminary knowledge in Section III. Section IV provides the modeling of the communication network with PTA. In Section V, we provide the model checking results and analysis. We present controller redesign results in Section VI. Section VII shows an illustrative example. Section VIII concludes this paper.

II. PROBLEM FORMULATION

As shown in Fig. 1, let us consider a WNCS with the star topology consisting of N linear time-invariant (LTI) systems. The sensors are spatially distributed, while the controllers and actuators are collocated in the center of the network. In this case, we do not have to consider the delay between the controller and the actuator, which facilitates our analysis. The communication conforms to the IEEE 802.15.4 unslotted protocol, which will be introduced in Section III-A. Assume that the ith control system has the following discrete-time dynamics:

$$x_i(k+1) = A_i x_i(k) + B_i u_i(k) + C_i w_i(k) \quad (1)$$

where $x_i(k) \in \mathbb{R}^{n_i}$, $u_i(k) \in \mathbb{R}^{m_i}$, and $w_i(k) \in \mathbb{R}^{r_i}$ are the state, control input, and external input, respectively. $A_i$, $B_i$, and $C_i$ are matrices of appropriate sizes, and $u_i(k) = K_i d_i(k) x_i(k)$ is the control input, where $K_i \in \mathbb{R}^{m_i \times n_i}$ and $d_i(k)$ is a Bernoulli random process. We assume that the full state of each plant is transmitted over the shared wireless network in the form of packets periodically. If a packet fails to completely arrive at the controller side within one sampling period, it will be discarded. Here, we implemented a zero control in the case of packet dropouts, but it is worth mentioning that there are other dropout compensation strategies available, as discussed in [35]. For any k, $d_i(k)$ is 0 with probability $p_i$, which indicates that the packet is lost, and $d_i(k)$ equals 1 with probability $1 - p_i$, meaning that the packet is successfully received. $p_i$ is referred to as the packet dropping probability.

Definition [36]: A control system defined in (1) with $u_i(k) = K_i d_i(k) x_i(k)$ and $P(d_i(k) = 0) = p_i$ is said to be stable in the mean-square sense if $\lim_{k\to\infty} E\{|x_i(k)|\} = 0$ for any initial state $x_0 \in \mathbb{R}^{n}$ and $w_i(k) = 0$. The control system in (1) is said to be nominally stable if it is mean-square stable for $p_i = 0$.

In [36], a quantity called the packet dropping margin was introduced. It is guaranteed that the control system is stable in the mean-square sense with any packet dropping probability no greater than its packet dropping margin. Formally, it is defined as follows [36].

Theorem 1: For the ith control system defined in (1), let $\bar{A}_i = A_i + B_i K_i$. The system is mean-square stable for any $p_i \le P_i$, where $P_i$ is the packet dropping margin given by

$$P_i = \frac{1}{\mu(V_i)} \quad (2)$$

where

$$V_i = \begin{bmatrix} (S_i \otimes \tilde{S}_i + \tilde{S}_i \otimes S_i)(I - S_i \otimes S_i)^{-1} & \tilde{S}_i \otimes \tilde{S}_i \\ (I - S_i \otimes S_i)^{-1} & 0 \end{bmatrix}, \qquad S_i = \bar{A}_i \otimes \bar{A}_i, \qquad \tilde{S}_i = A_i \otimes A_i - \bar{A}_i \otimes \bar{A}_i \quad (3)$$

where $\mu(\cdot)$ is the largest positive eigenvalue of a matrix and $\otimes$ denotes the Kronecker product.

Therefore, letting $p_i$ denote the packet dropping probability provided by the communication system for plant i, from the definition of the packet dropping margin, the specification to guarantee the mean-square stability of all the N distributed control systems is that

$$p_i \le P_i \quad \forall i \in \{1, \ldots, N\}. \quad (4)$$

Given a WNCS, what we are interested in is, first, whether the above specification is satisfied with the corresponding communication network and the protocol, and second, if not, how to tune the protocol parameters or redesign the controller to meet the specification. In Section IV, we will model the communication network as a PTA, and in Section V, we will show how to transform the above specification into a time-bounded model checking problem. In Section VI, we will prove that if the specification is not satisfied, we can also redesign the controller so it can be met.
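The following Python script is an added worked example, not code from the paper or its authors; it evaluates the packet dropping margin of Theorem 1, (2)–(3), numerically. It assumes NumPy is available, that the loop is nominally stable (so $I - S_i \otimes S_i$ is invertible), and uses two constructed plants (a scalar one and a diagonal two-state one) as inputs. As a cross-check it also finds, by bisection, the largest $p$ for which $S_i + p\tilde{S}_i$ has spectral radius below 1; under the i.i.d. drop model with zero control on a drop, that matrix propagates $E\{x_i \otimes x_i\}$, so this is the direct mean-square stability test the margin encodes. The bisection assumes the radius crosses 1 only once on $[0, 1]$, which holds for the sample plants.

```python
"""Packet dropping margin P_i of Theorem 1 (eqs. (2)-(3)) for one loop
x(k+1) = A x(k) + B K d(k) x(k), d(k) ~ Bernoulli(1 - p), zero control on a drop.
Added example; assumes NumPy. Sample plants below are constructed, not from the paper."""
import numpy as np


def moment_matrices(A, B, K):
    """S = Abar (x) Abar and S_tilde = A (x) A - S, with Abar = A + B K (closed loop)."""
    A = np.asarray(A, dtype=float)
    Abar = A + np.asarray(B, dtype=float) @ np.asarray(K, dtype=float)
    S = np.kron(Abar, Abar)            # second-moment map when the packet arrives
    S_tilde = np.kron(A, A) - S        # extra term when the packet is dropped (u = 0)
    return S, S_tilde


def packet_dropping_margin(A, B, K):
    """P_i = 1 / mu(V_i), with V_i the block matrix of eq. (3) and mu(.) its largest
    positive eigenvalue. Requires nominal stability so that I - S (x) S is invertible."""
    S, St = moment_matrices(A, B, K)
    m = S.shape[0]
    R = np.linalg.inv(np.eye(m * m) - np.kron(S, S))
    V = np.block([[(np.kron(S, St) + np.kron(St, S)) @ R, np.kron(St, St)],
                  [R, np.zeros((m * m, m * m))]])
    eig = np.linalg.eigvals(V)
    positive = [e.real for e in eig
                if e.real > 1e-12 and abs(e.imag) <= 1e-6 * (1.0 + abs(e.real))]
    if not positive:                   # no positive eigenvalue: every p in [0, 1] is tolerated
        return 1.0
    return min(1.0, 1.0 / max(positive))


def second_moment_radius(A, B, K, p):
    """Spectral radius of S + p*S_tilde, the map driving E[x (x) x] under i.i.d. drops
    with probability p; the loop is mean-square stable iff this is below 1."""
    S, St = moment_matrices(A, B, K)
    return max(abs(np.linalg.eigvals(S + p * St)))


def margin_by_bisection(A, B, K, iters=60):
    """Largest p in [0, 1] with second_moment_radius < 1, by bisection (assumes a
    single crossing of 1 on [0, 1], true for the sample plants); cross-check for (2)-(3)."""
    if second_moment_radius(A, B, K, 1.0) < 1.0:
        return 1.0
    lo, hi = 0.0, 1.0
    for _ in range(iters):
        mid = 0.5 * (lo + hi)
        if second_moment_radius(A, B, K, mid) < 1.0:
            lo = mid
        else:
            hi = mid
    return lo


# Constructed sample plants (not from the paper).
SCALAR = ([[1.2]], [[1.0]], [[-0.7]])                                      # Abar = 0.5
DIAG2 = ([[1.5, 0.0], [0.0, 0.8]], np.eye(2), [[-1.0, 0.0], [0.0, -0.5]])  # Abar = diag(0.5, 0.3)

if __name__ == "__main__":
    for name, plant in (("scalar", SCALAR), ("diag2", DIAG2)):
        print(name, packet_dropping_margin(*plant), margin_by_bisection(*plant))
```

For the scalar plant the closed form is $P = (1 - \bar{a}^2)/(a^2 - \bar{a}^2) = 0.75/1.19$; for the diagonal plant the margin is set by the most unstable mode, $0.75/2.0 = 0.375$, and both routes agree to floating-point precision.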

III. PRELIMINARIES

A. Overview of the Unslotted IEEE 802.15.4 Protocol

There are three types of nodes defined by the standard: coordinator, router, and end devices. The coordinator serves to initiate a network and can allow others to join it. The routers are similar to the coordinators, but they do not start a network on their own. The end devices only join the network. There must be and can only be one coordinator in each network but multiple routers and end devices. Every node gets access to the channel according to the unslotted carrier sense multiple access/collision avoidance (CSMA/CA) protocol. The protocol is implemented with units of time called backoff periods $T_b$, each of which contains 20 symbol times $T_s$. One symbol carries 4 bits and the bit rate is 250 kb/s, so $T_s = 16$ μs and $T_b = 320$ μs.

Fig. 2. Unslotted IEEE 802.15.4 CSMA/CA algorithm.

To send a packet, each node initializes and maintains two variables: NB and BE. NB denotes the number of times that one node was required to back off due to the busy channel. NB is initialized to 0 and upper bounded by NBmax, whose default value is 4. BE, on the other hand, is the backoff exponent related to the maximum number of backoff periods that a node has to wait before attempting to assess the channel. BE is initialized to the value of BEmin, whose default value is 3, and cannot exceed BEmax, which is equal to 5 in the standard. No retransmission is assumed in this paper. Therefore, the acknowledgment (ACK) is not needed here.

The protocol is shown in Fig. 2. Whenever a node has a packet to send, it first initializes NB and BE. Then, the CSMA/CA algorithm uniformly delays a random number of backoff periods between 0 and $2^{BE} - 1$. After the delay, it senses the channel to determine if the channel is idle. Sensing the channel typically takes $T_b$ time. If the channel is sensed to be idle, the node will transmit the packet immediately. On the other hand, if the channel is busy, NB and BE will be automatically updated. If NB ≤ NBmax, the node will return to the backoff stage. Otherwise, the packet will be dropped. One thing to note is that a collision may occur and packets will be lost if at least two nodes happen to sense the channel idle at the same time slot and, consequently, start the transmission at the same time. We assume that the wireless channel is perfect, so the packets fail to be transmitted only for two reasons: channel access failure or packet collision.

B. Probabilistic Timed Automata

PTAs are modeling tools for systems that involve time, nondeterminism, and probabilistic choices. Our notation follows [37]. In particular, because of the discrete-time nature of both control and communication systems considered in this paper, we will use the integral-time semantics where the time is considered as an integer variable.

1) Syntax: Let $\mathbb{T} = \mathbb{N}$ be the time domain from which a finite set $\mathcal{X}$ of clocks take values. A function $v : \mathcal{X} \to \mathbb{T}$ is referred to as a clock valuation. For any $t \in \mathbb{T}$, the clock valuation $v \oplus t$ denotes the time increment of $v$ by $t$. Let $Zones(\mathcal{X})$ be the set of clock constraints over $\mathcal{X}$ described by conjunctions of atomic constraints of the form $x \sim c$ for $x \in \mathcal{X}$, $\sim \in \{\le, =, \ge\}$ and $c \in \mathbb{N}$. A clock valuation $v$ satisfies a clock constraint $\zeta$, denoted as $v \models \zeta$, if and only if $\zeta$ resolves to true after substituting each clock $x \in \mathcal{X}$ with the corresponding value $v(x)$.

Formally, a labeled PTA is a tuple $\mathcal{T} = (Loc, \bar{l}, \mathcal{X}, \Sigma, inv, prob, L)$, where $Loc$ is a finite set of locations, $\bar{l} \in Loc$ is the initial location, $\mathcal{X}$ is a finite set of clocks, $\Sigma$ is a finite set of events disjoint from $\mathbb{T}$, $inv : Loc \to Zones(\mathcal{X})$ is the invariant condition, $prob \subseteq Loc \times Zones(\mathcal{X}) \times \Sigma \times Dist(2^{\mathcal{X}} \times Loc)$ is the probabilistic transition relation, and $L : Loc \to 2^{AP}$ is a labeling function, where $AP$ is a set of atomic propositions.

2) Semantics: There are two types of transitions in each location of a PTA. One is the delay transitions, which denote the passage of time; they can happen if the invariant condition is satisfied. The other is the event transitions, which correspond to taking the probabilistic transitions $(l, g, \sigma, p) \in prob$. According to the definition, if the current location $l$ satisfies the clock constraint $g$ and the current event is $\sigma$, then $p(X', l')$, where $p \in Dist(2^{\mathcal{X}} \times Loc)$, denotes the probability of moving to the new location $l'$ while resetting all clocks in $X'$ to 0.

A state $s \in S$ of a PTA is defined to be a pair $\langle l, v\rangle$, where $l \in Loc$ and $v$ is a clock valuation such that $v \models inv(l)$. It can be shown that for integral-time semantics, there are a finite number of states. We follow a classical way to formally define the semantics of PTA in terms of the timed probabilistic systems [37]. The following definitions will also help us to define the model checking.

Definition [37]: A timed probabilistic system is a tuple $(S, \bar{s}, Act, \mathbb{T}, Steps)$, where $S$ is the set of states, $\bar{s} \in S$ is the initial state, $Act = \Sigma$ is the set of actions, $\mathbb{T} = \mathbb{N}$ is the set of durations, and $Steps \subseteq S \times (Act \cup \mathbb{T}) \times Dist(S)$ is the probabilistic transition relation. The function $\mu : S \to [0, 1]$ is a discrete probability distribution. If $(s, t, \mu) \in Steps$ for any $t \in \mathbb{T}$, then $\mu$ is a point distribution.

Definition [37]: Given a PTA $\mathcal{T} = (Loc, \bar{l}, \mathcal{X}, \Sigma, inv, prob)$, the semantics of $\mathcal{T}$ with respect to the time domain $\mathbb{T}$ and the time increment $\oplus$ is the timed probabilistic system $[\![\mathcal{T}]\!]^{\oplus}_{\mathbb{T}} = (S, \bar{s}, \Sigma, \mathbb{T}, Steps, L')$, where $S \subseteq Loc \times \mathbb{T}^{|\mathcal{X}|}$ such that $\langle l, v\rangle \in S$ if and only if $v \models inv(l)$; $\bar{s} = \langle \bar{l}, \mathbf{0}\rangle$; and $(\langle l, v\rangle, a, \mu) \in Steps$ if one of the following holds:

1) time transitions: $a \in \mathbb{T}$ and $\mu = \delta_{\langle l, v \oplus a\rangle}$ is a point distribution, such that $v \oplus t' \models inv(l)$ for all $0 \le t' \le a$;

2) discrete transitions: $a \in \Sigma$ and there exists $(l, g, a, p) \in prob$, such that $v \models g$ and for any $\langle l', v'\rangle \in S$

$$\mu(\langle l', v'\rangle) = \sum_{X \subseteq \mathcal{X}\ \&\ v' = v[X := 0]} p(X, l')$$

and for each $(X, l')$, if $p(X, l') > 0$ then $v[X := 0] \models inv(l')$. Finally, $L'(\langle l, v\rangle) = L(l)$ for all $\langle l, v\rangle \in S$.

A path of a timed probabilistic system is a nonempty finite or infinite sequence of probabilistic transitions

$$\omega = s_0 \xrightarrow{a_0, \mu_0} s_1 \xrightarrow{a_1, \mu_1} \cdots$$

We denote by $\omega(i)$ the ith state of $\omega$, and $last(\omega)$ is the last state of $\omega$ if finite. A scheduler of a timed probabilistic system $M$ is a function $A$ mapping every finite path $\omega$ to a pair $(a, \mu)$, such that $(last(\omega), a, \mu) \in Steps$. We denote by $Sch_M$ the set of all schedulers of a PTA $M$. Furthermore, we denote by $Path^{fin}_s$ the finite paths and by $Path_s$ the infinite paths that start in a state $s$.

C. Probabilistic Timed Computation Tree Logic

The specification language we use for PTA is probabilistic timed computation tree logic (PTCTL), which can be seen as CTL [26] extended with both time and probability constraints. In addition to the system clocks $\mathcal{X}$, we define a set of formula clocks $\mathcal{Z}$, which is disjoint from $\mathcal{X}$ and assigned values by a formula clock valuation $\mathcal{E} : \mathcal{Z} \to \mathbb{N}$. Intuitively, the system clock denotes how much time has elapsed since the system started. The syntax of PTCTL is as follows:

$$\phi ::= a \mid \zeta \mid \neg\phi \mid \phi_1 \wedge \phi_2 \mid z.\phi \mid P_{\bowtie p}[\psi]$$

where $a$ is an atomic proposition, $\zeta \in Zones(\mathcal{X} \cup \mathcal{Z})$, $z \in \mathcal{Z}$, $\bowtie \in \{\le, <, \ge, >\}$, and $p \in [0, 1]$. The satisfaction relation is defined as follows. Let $\mathcal{T} = (Loc, \bar{l}, \mathcal{X}, \Sigma, inv, prob, L)$ be a labeled PTA and $M = (S, \bar{s}, \Sigma, \mathbb{N}, Steps, L')$ its corresponding timed probabilistic system. For any $s \in S$ and formula clock valuation $\mathcal{E}$, the satisfaction relation is defined as follows:

$$\begin{aligned}
s, \mathcal{E} &\models \mathrm{true} &&\text{for all } s, \mathcal{E}\\
s, \mathcal{E} &\models a &&\Leftrightarrow a \in L(s)\\
s, \mathcal{E} &\models \zeta &&\Leftrightarrow \zeta[s, \mathcal{E}] = \mathrm{true}\\
s, \mathcal{E} &\models \neg\phi &&\Leftrightarrow s, \mathcal{E} \not\models \phi\\
s, \mathcal{E} &\models \phi_1 \wedge \phi_2 &&\Leftrightarrow s, \mathcal{E} \models \phi_1 \wedge s, \mathcal{E} \models \phi_2\\
s, \mathcal{E} &\models z.\phi &&\Leftrightarrow s, \mathcal{E}[z := 0] \models \phi\\
s, \mathcal{E} &\models P_{\bowtie p}[\phi_1\, U\, \phi_2] &&\Leftrightarrow p^A_{s,\mathcal{E}}(\phi_1\, U\, \phi_2) \bowtie p\ \ \forall A \in Sch_M
\end{aligned}$$

where $U$ means "until" and, for any scheduler $A \in Sch_M$,

$$p^A_{s,\mathcal{E}}(\phi_1\, U\, \phi_2) \stackrel{\mathrm{def}}{=} p^A_s\{\omega \in Path^A_s \mid \omega \models \phi_1\, U\, \phi_2\}.$$

A simple example of PTCTL is

$$z.\big(P_{\ge 0.8}[\mathrm{true}\ U\ (transmitted \wedge z \le 10)]\big)$$

which denot

es that "with probability 0.8 or higher, the system is able to transmit the packet within ten time units." The model checking of PTCTL essentially gives a true or false answer if $M$ satisfies a PTCTL formula under all schedulers. In this paper, we refer to the PRISM model checker [31] for the model checking.

Fig. 3. PTA for channel in unslotted IEEE 802.15.4 CSMA/CA.
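As an added illustration (not code from the paper, its authors, or PRISM), the script below evaluates a query of the same shape as the example formula, $z.(P_{\ge p}[\mathrm{true}\ U\ (transmitted \wedge z \le h)])$, on a small discrete-time Markov chain abstraction of one unslotted CSMA/CA sender, using the standard backward value iteration for bounded until. One step is one backoff period $T_b$; backoff lengths, the one-period CCA and the NB/BE update follow Section III-A, with the standard default values quoted there. The abstraction is deliberately cruder than the paper's PTA: it fixes the packet length and assumes a constant busy probability $q$ at every CCA (the very independence assumption of [15] that the paper avoids), and it has no nondeterminism, so there is no scheduler to quantify over. The values of $q$, the packet length and the deadline are constructed inputs.

```python
"""Bounded-until probability  Pr( true U<=h transmitted )  for one CSMA/CA sender,
checked against a threshold as in  z.( P>=p [ true U (transmitted & z<=h) ] ).
Added example. One step = one backoff period T_b. The constant busy probability q
and the fixed packet length are simplifying assumptions of this example only."""
from collections import deque

BE_MIN, BE_MAX, NB_MAX = 3, 5, 4        # IEEE 802.15.4 defaults quoted in Section III-A
TRANSMITTED, FAILED = "transmitted", "failed"


def backoff_distribution(nb, be_min=BE_MIN, be_max=BE_MAX):
    """Uniform draw of a backoff in [0, 2^BE - 1] at backoff stage nb (BE grows with nb,
    capped at BE_MAX). Backoff 0 goes straight to CCA; r >= 1 waits r periods first."""
    n = 2 ** min(be_min + nb, be_max)
    return [(1.0 / n, ("cca", nb) if r == 0 else ("backoff", r, nb)) for r in range(n)]


def successors(state, q, data_len, nb_max=NB_MAX):
    """One-step transition distribution of the chain: list of (probability, next_state)."""
    kind = state[0]
    if kind == "backoff":                       # count the backoff down, one period per step
        _, r, nb = state
        return [(1.0, ("cca", nb) if r == 1 else ("backoff", r - 1, nb))]
    if kind == "cca":                           # CCA takes one period; busy with prob. q
        nb = state[1]
        idle = [(1.0 - q, ("tx", data_len))]
        if nb + 1 > nb_max:                     # NB would exceed NB_MAX: access failure
            return idle + [(q, (FAILED,))]
        return idle + [(q * p, s) for p, s in backoff_distribution(nb + 1)]
    if kind == "tx":                            # transmit for data_len periods, then done
        r = state[1]
        return [(1.0, (TRANSMITTED,) if r == 1 else ("tx", r - 1))]
    return [(1.0, state)]                       # transmitted / failed are absorbing


def build_chain(init_dist, q, data_len):
    """Explore all states reachable from the initial distribution."""
    chain, todo = {}, deque(s for _, s in init_dist)
    while todo:
        s = todo.popleft()
        if s in chain:
            continue
        chain[s] = successors(s, q, data_len)
        todo.extend(t for _, t in chain[s])
    return chain


def bounded_reach_prob(chain, init_dist, target, h):
    """Pr(true U<=h target) from init_dist: h rounds of backward value iteration,
    x_{t+1}(s) = 1 if s is a target state else sum_s' P(s,s') x_t(s')."""
    x = {s: (1.0 if s[0] == target else 0.0) for s in chain}
    for _ in range(h):
        x = {s: (1.0 if s[0] == target else sum(p * x[t] for p, t in chain[s]))
             for s in chain}
    return sum(p * x[s] for p, s in init_dist)


def check_deadline_spec(q, data_len, h, p_req):
    """(holds, prob) for z.(P>=p_req[true U (transmitted & z<=h)]) on this chain."""
    init = backoff_distribution(0)
    chain = build_chain(init, q, data_len)
    prob = bounded_reach_prob(chain, init, TRANSMITTED, h)
    return prob >= p_req, prob


if __name__ == "__main__":
    for h in (5, 8, 12, 20):
        print(h, check_deadline_spec(q=0.3, data_len=4, h=h, p_req=0.8))
```

With $q = 0$ and a 4-period packet, only the backoff draw decides the delivery time, so the probability of delivery within 5 periods is exactly $1/8$ (backoff 0) and within 12 periods is 1; with $q > 0$ every run is absorbed within a bounded number of steps, and the unbounded failure probability is $q^{NB_{max}+1}$, which the same value iteration recovers once $h$ exceeds the longest path.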

IV. PROBABILISTIC TIMED AUTOMATA MODELS

In this section, we will present the PTA model for the communication network. The model is similar to [29], but they only considered two stations.

A. Modeling Assumptions

We consider a WNCS with the fixed star topology consisting of N LTI systems. The sensors are spatially distributed as end devices, while the collocated controllers and actuators are the coordinator. All systems start running at the same time. One time unit represents $1\,T_b$, which denotes our time-scale abstraction. The packet length for each system is the same constant, not exactly known a priori. Instead, it is nondeterministic within the same range and is an integer multiple of $T_b$, which is equivalent to 10 bytes. But once selected, the packet length will remain unchanged throughout the operation. Due to the tight time constraint of sensor data transmission, we assume that there is no ACK sent by the receiver, so there is no retransmission either. Each station has the same deadline, which is their common sampling period h, an integer multiple of $T_b$. Therefore, each packet has to be transmitted within time h or it will be discarded for the transmission of the newly sampled data. Furthermore, when the backoff period has ended, the sender will perform a clear channel analysis (CCA), which takes time $T_{CCA} = 1$ time unit. The communication channel is assumed to be ideal, meaning that if the packet is transmitted in time without collision, it will be received error free.
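To make the Fig. 2 procedure and the assumptions above concrete, here is an added Monte Carlo simulation in Python; it is not the paper's PRISM model and not code from the authors. N senders all wake at the start of each sampling period of h backoff periods, back off, perform a one-period CCA, and transmit a fixed-length packet; a packet counts as dropped on channel access failure, on collision (two senders sensing idle in the same period and starting together), or on missing the deadline h. The resulting per-sender drop-rate estimates can be compared against the margins of (4), though, as the paper stresses, sampled runs only estimate $p_i$ whereas model checking bounds it over all scenarios. The packet length, deadline and random seed are constructed inputs; the channel bookkeeping loosely mirrors the $c_i$ variables of the channel module (busy while a sender transmits, collided when several start at once).

```python
"""Monte Carlo estimate of per-sender packet dropping probabilities p_i for N senders
using unslotted IEEE 802.15.4 CSMA/CA (Fig. 2) under the Section IV-A assumptions.
Added example, not the paper's PRISM model. Time unit = one backoff period T_b."""
import random

BE_MIN, BE_MAX, NB_MAX = 3, 5, 4        # standard defaults quoted in Section III-A


class Sender:
    """State machine of one sender: backoff -> cca -> tx -> done (Fig. 2)."""

    def __init__(self, data_len, rng):
        self.data_len, self.rng = data_len, rng

    def new_period(self):
        """Fresh sample at the start of a sampling period: NB=0, BE=BE_MIN, draw backoff."""
        self.nb, self.be = 0, BE_MIN
        self.state, self.remaining = "backoff", self.rng.randint(0, 2 ** self.be - 1)
        self.collided, self.outcome = False, None

    def channel_busy(self):
        """CCA found the channel busy: update NB and BE, drop if NB exceeds NB_MAX."""
        self.nb += 1
        self.be = min(self.be + 1, BE_MAX)
        if self.nb > NB_MAX:
            self.state, self.outcome = "done", "access_fail"
        else:
            self.remaining = self.rng.randint(0, 2 ** self.be - 1)


def simulate_period(senders, h):
    """One sampling period of h backoff periods; returns each sender's outcome."""
    for s in senders:
        s.new_period()
    for _ in range(h):
        # channel occupancy during this unit (c_i > 0 whenever sender i is transmitting)
        busy = any(s.state == "tx" for s in senders)
        sensing = [s for s in senders if s.state == "backoff" and s.remaining == 0]
        starters = []
        for s in sensing:                       # CCA occupies this whole unit
            if busy:
                s.channel_busy()
            else:
                starters.append(s)
        for s in senders:                       # advance counters by one unit
            if s.state == "tx":
                s.remaining -= 1
                if s.remaining == 0:
                    s.state = "done"
                    s.outcome = "collision" if s.collided else "ok"
            elif s.state == "backoff" and s not in sensing:
                s.remaining -= 1
        for s in starters:                      # idle CCA: transmit from the next unit on;
            s.state, s.remaining = "tx", s.data_len
            s.collided = len(starters) > 1      # several starters at once collide (c_i = 2)
    return [s.outcome if s.outcome else "deadline" for s in senders]


def estimate_drop_probabilities(n, data_len, h, periods, seed=1):
    """Fraction of periods in which each sender's packet was not delivered."""
    rng = random.Random(seed)
    senders = [Sender(data_len, rng) for _ in range(n)]
    drops = [0] * n
    for _ in range(periods):
        for i, outcome in enumerate(simulate_period(senders, h)):
            drops[i] += outcome != "ok"
    return [d / periods for d in drops]


def spec_holds(p_hat, margins):
    """Specification (4): every estimated p_i must not exceed its margin P_i."""
    return all(p <= P for p, P in zip(p_hat, margins))


if __name__ == "__main__":
    print(estimate_drop_probabilities(n=3, data_len=4, h=20, periods=5000))
```

A single sender with a 4-period packet always finishes within 12 periods (the longest initial backoff of 7, one CCA period, and 4 transmission periods), so with h = 12 it never drops, while with h = 11 exactly the backoff-7 draw misses the deadline and the estimate settles near 1/8.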

B. Modeling With PTA

In this paper, we use PRISM to model the communication network as a PTA, which is a parallel composition [37] of the smaller modules, namely, the channel as shown in Fig. 3 and the senders as shown in Fig. 4.

Definition: Formally, given two PTAs $\mathcal{T}_i = (Loc_i, \bar{l}_i, \mathcal{X}_i, \Sigma_i, inv_i, prob_i, L_i)$, $i \in \{1, 2\}$, with $\mathcal{X}_1 \cap \mathcal{X}_2 = \emptyset$, the parallel composition $\mathcal{T}_1 \| \mathcal{T}_2$ is a new PTA $\mathcal{T} = (Loc_1 \times Loc_2, (\bar{l}_1, \bar{l}_2), \mathcal{X}_1 \cup \mathcal{X}_2, \Sigma_1 \cup \Sigma_2, inv, prob, L)$, where for all $(l_1, l_2) \in Loc_1 \times Loc_2$, $inv(l_1, l_2) = inv_1(l_1) \wedge inv_2(l_2)$, and $((l_1, l_2), g, \sigma, p) \in prob$ if and only if one of the following conditions holds.

1) $\sigma \in \Sigma_1 \setminus \Sigma_2$ and $\exists (l_1, g, \sigma, p_1) \in prob_1$ such that $p = p_1 \otimes \delta_{(\emptyset, l_2)}$.

2) $\sigma \in \Sigma_2 \setminus \Sigma_1$ and $\exists (l_2, g, \sigma, p_2) \in prob_2$ such that $p = \delta_{(\emptyset, l_1)} \otimes p_2$.

3) $\sigma \in \Sigma_1 \cap \Sigma_2$ and $\exists (l_1, g_1, \sigma, p_1) \in prob_1$, $\exists (l_2, g_2, \sigma, p_2) \in prob_2$ such that $g = g_1 \wedge g_2$ and $p = p_1 \otimes p_2$, where for any $l_1 \in Loc_1$, $l_2 \in Loc_2$, $X_1 \subseteq \mathcal{X}_1$ and $X_2 \subseteq \mathcal{X}_2$,

$$p_1 \otimes p_2(X_1 \cup X_2, (l_1, l_2)) = p_1(X_1, l_1)\, p_2(X_2, l_2).$$

Note that when the event is not shared among different subsystems, the concurrence is represented through interleaving to model any possible realization sequence. Our modeling is quite general, with the protocol parameters BEmin, BEmax, and NBmax and the data length configurable to study their impact on the specification satisfaction. Furthermore, we utilize the extended features in PRISM model checking for compactness to introduce additional integer variables that can be assigned values directly. PTAs with integer variables can be translated to an equivalent PTA without integer variables but with a much larger state space.

Fig. 3 shows the channel model with one location $s_0$ and $2N$ events, where for each station there are two events, $send_i$ and $finish_i$. We omit the clock, invariant conditions, and transition relations, since the only location is labeled urgent, a high-level feature from PRISM indicating that the transition happens instantaneously without time passing when the event happens. In addition, each transition is a self-loop with probability 1. We introduce integer variables $c_i$ to denote the channel condition for sender $i$. Initially, all $c_i$ values are 0, indicating that no station is sending. When $send_i$ is performed, which means that station $i$ is sending, if $c_j = 0$ for all $j \neq i$, indicating that no other station is transmitting at the same time, $c_i$ is set to 1. Otherwise, $c_i = 2$, indicating that there is a collision. When sender $i$ finishes the transmission, $c_i$ is reset to 0, indicating that it no longer occupies the channel.

Fig. 4 shows the modeling of the $i$th sender, where the time is abstracted in integers and each time unit represents 1 Tb, $x_i$ is the clock, and $data_i$ denotes the packet length for station $i$. There are six locations $\{l_0, \ldots, l_5\}$, where $l_1$, $l_2$, and $l_3$ have invariant conditions indicated. The other three omit the invariant conditions, since they are either an urgent location ($l_0$) or terminal locations ($l_4$, $l_5$). The events are $send_i$ and $finish_i$, and the label for each location is shown in curly braces. To make the PTA model compact, we introduce an additional integer variable $backoff_i$ to indicate the backoff time selected. According to the protocol in Fig. 2, first we initialize $NB_i$ and $BE_i$ and the clock $x_i$; then $backoff_i$ is set uniformly without time delay, and the location transits from $l_0$ to $l_1$. At $l_1$, the clock $x_i$ increases to 1 and is then reset to 0 after the self-loop; meanwhile, the backoff time decreases by 1 until it reaches 0. Note that for each transition, the inequalities above the dashed line denote the clock and variable constraints that must be satisfied to make the transition. The equations under the dashed line are reset maps. After the backoff time is over ($backoff_i = 0$), the sender performs CCA at $l_2$ to determine if the channel is busy. If there exists $c_j > 0$, $j \in \{1, \ldots, N\}$, $j \neq i$, indicating that some other sender $j$ is using the channel, it will go back to the backoff stage $l_0$ as long as the number of backoffs does not exceed the maximum allowed value. If the number of backoffs exceeds $NB_{max}$, sender $i$ will go to $l_4$ labeled with "FAILURE$_i$," indicating that it fails to get access to the channel within the maximum allowed number of attempts. If the channel is free ($c_j = 0$, $\forall j \in \{1, \ldots, N\}$, $j \neq i$), then sender $i$ will start data transmission in $l_3$. After transmitting the packet, if there is no collision ($c_i = 1$), the sender goes to the location $l_5$ labeled with "DONE$_i$" and stays there; otherwise, it goes to location $l_4$ labeled with "FAILURE$_i$" ($c_i = 2$), indicating that the data are garbled. If the transmission deadline is reached before transmission is complete, the sender will stop where it is. As a result, this PTA models the transmission of one packet for each node with a given deadline, which is enough for our Bernoulli jump linear system.

Fig. 4. PTA for station i in unslotted IEEE 802.15.4 CSMA/CA.
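The backoff, CCA, transmission, and deadline behaviour described above can also be exercised with a small Monte Carlo simulator. The following is an added example written for this edit; it is neither the authors' PRISM model nor their C++ simulation tool, and it assumes a synchronous unit-time stepping in which all overlapping transmissions are garbled and a collided packet never reaches DONE.

```python
import random
from typing import List

BACKOFF, TX, DONE, FAIL = "BACKOFF", "TX", "DONE", "FAIL"


def simulate_round(n: int, data: int, h: int, be_min: int, be_max: int,
                   nb_max: int, rng: random.Random) -> List[bool]:
    """One transmission round of the abstracted unslotted CSMA/CA model.

    Time advances in integer units of Tb: a backoff of k units is followed by
    one CCA unit; a free channel starts a transmission of `data` units; a busy
    channel increments NB, raises BE (capped at be_max) and draws a new
    backoff; more than nb_max backoffs is FAIL. Overlapping transmissions are
    counted as a collision for every station involved (an assumption of this
    simulator). Returns, per station, whether DONE was reached by time h.
    """
    phase = [BACKOFF] * n
    counter = [rng.randint(0, 2 ** be_min - 1) for _ in range(n)]  # drawn at l0
    nb = [0] * n
    be = [be_min] * n
    collided = [False] * n
    for _ in range(h):                       # units 0 .. h-1, i.e. the deadline z <= h
        txing = [i for i in range(n) if phase[i] == TX]
        if len(txing) > 1:                   # two or more stations on the air at once
            for i in txing:
                collided[i] = True
        for i in range(n):
            if phase[i] == BACKOFF:
                if counter[i] > 0:           # self-loop at l1: one backoff unit elapses
                    counter[i] -= 1
                else:                        # backoff over: this unit is the CCA at l2
                    busy = any(j != i for j in txing)
                    if not busy:
                        phase[i] = TX        # move to l3; data goes out from next unit
                        counter[i] = data
                    else:
                        nb[i] += 1
                        be[i] = min(be[i] + 1, be_max)
                        if nb[i] > nb_max:
                            phase[i] = FAIL  # l4: too many backoffs
                        else:
                            counter[i] = rng.randint(0, 2 ** be[i] - 1)
            elif phase[i] == TX:
                counter[i] -= 1
                if counter[i] == 0:          # finish_i
                    phase[i] = FAIL if collided[i] else DONE
    return [phase[i] == DONE for i in range(n)]


def estimate_pr(n: int, data: int, h: int, be_min: int, be_max: int,
                nb_max: int, runs: int = 2000, seed: int = 1) -> float:
    """Monte Carlo estimate of PR: the minimum over stations of the success
    rate within one sampling period (the quantity model-checked in Section V)."""
    rng = random.Random(seed)
    wins = [0] * n
    for _ in range(runs):
        for i, ok in enumerate(simulate_round(n, data, h, be_min, be_max, nb_max, rng)):
            wins[i] += ok
    return min(wins) / runs


if __name__ == "__main__":
    # Constructed settings mirroring the page: h = 60 Tb, 50 B = 5 units,
    # BEmax = 5, NBmax = 4, BEmin swept from 2 to 5 for N = 2 and N = 3.
    for n in (2, 3):
        for be_min in (2, 3, 4, 5):
            print(f"N={n} BEmin={be_min} PR~{estimate_pr(n, 5, 60, be_min, 5, 4):.3f}")
```

The estimate is only a sampling approximation of the PR that PRISM computes exactly; it is useful for sanity-checking a model, not as a stability guarantee.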

V. MODEL CHECKING AND ANALYSIS

In this section, we perform probabilistic model checking with the specification given in Section II and study the impacts of different protocol parameters on the satisfaction of the specification. With the model given in Section IV, we can readily express the specification for guaranteeing stability as a bounded reachability formula in PTCTL

$$z.\big(P_{\ge 1 - P_i}[\,\mathrm{true}\ \mathcal{U}\ (DONE_i \wedge z \le h)\,]\big) \quad (5)$$

for all $i \in \{1, \ldots, N\}$, where $z$ is the formula clock denoting how long the communication system has run in one transmission attempt, and $DONE_i$ is the state sender $i$ must reach for a successful transmission. This PTCTL formula essentially carries the same meaning as the specification in (4). Note that (5) is less conservative than the one presented in [34], which required that the probability of all senders successfully transmitting the packet in the same transmission round be no smaller than $\max\{1 - P_i\}$, the strictest packet delivery probability requirement. According to (5), as long as each sender $i$ has a success rate no smaller than $1 - P_i$, the specification is satisfied.

The probability we are interested in is defined as follows: $PR_i$ is the minimum probability that station $i$ successfully transmits its packet within one sampling period.

Since all the senders have identical protocol parameters and packet length, it is not hard to see that the $PR_i$ values are equal, and we denote them by $PR$. The sampling period is set to 60 Tb. We are interested in how the different parameters $BE_{min}$, $BE_{max}$, and $NB_{max}$ and the number of nodes $N$ affect $PR$. If $PR \ge 1 - P_i$ for all $i \in \{1, \ldots, N\}$, then (5) holds, and from Section II we know that the overall WNCS is guaranteed to be mean-square stable, so we would like $PR$ to be as high as possible. The PRISM probabilistic model checker has been applied to obtain $PR$.

We first compare our model checking results for $PR$ with [19] and with simulation results in Fig. 5. In [19], the distribution of the number of nodes that have not yet transmitted at time slot $j - 1$ and will compete for slot $j$ was approximated. In our model, no approximation is needed, since every step is explicitly modeled. Here, we set $BE_{max} = 5$, $NB_{max} = 4$ and vary $BE_{min}$ from 2 to 5. For the purpose of numerical comparison, we implemented [19, Algorithm 1] as well as a simulation tool, both in C++, and set a fixed data length in all cases to 50 B or 150 B. Our model checking results match perfectly with the simulation, which has 5000 runs for every case. The analytical model in [19] may incur an over-approximation, especially when $BE_{min}$ is small or the data length is large, as seen in Fig. 5(d). Therefore, our approach is preferred for its accuracy in guaranteeing the stability of the WNCS when the number of nodes is small, since over-approximation of the transmission success rate may lead to unstable behavior if the controller is designed based on it.


Fig. 5. Comparison between the results from the PRISM model checker, [19], and simulation. (a) N = 2, data length = 50 B. (b) N = 3, data length = 50 B. (c) N = 2, data length = 150 B. (d) N = 3, data length = 150 B.

In the following experiments, we set the data length to vary nondeterministically, with a minimum of 50 B and increments of 10 B, but equal for all senders. Once the data length is picked at the beginning, it remains the same in future transmissions. Fig. 6 shows the relationship between $PR$ and $BE_{min}$. We set $BE_{max} = 5$, $NB_{max} = 4$, and $h = 60$ Tb. The maximum data length varies from 150 B to 250 B for $N = 2$ and from 100 B to 200 B for $N = 3$ for comparable loads. From Fig. 6(a) and (b), it can be seen that in most cases the maximum $PR$ is achieved when $BE_{min} = 3$. This is because when $BE_{min}$ is small, the backoff time will be relatively short and it is more likely that after backoff the channel is still busy. Furthermore, the probability of collision is also higher with small $BE_{min}$, since the probability that senders pick the same backoff period is larger. On the other hand, if $BE_{min}$ is too large, even though the collision probability is lower and the channel is less likely to be busy after backoff, the time spent in the backoff stage could be too long and thus miss the deadline. Furthermore, $PR$ decreases notably with longer maximum data length.

Fig. 6. PR with BEmin. (a) N = 2. (b) N = 3.

Fig. 7 indicates how $PR$ changes with $BE_{max}$. In all subfigures, $BE_{min} = 2$ and $NB_{max} = 4$. The trend is similar to that for $BE_{min}$. Initially, $PR$ increases rapidly with increasing $BE_{max}$ and then tends to decrease. For $N = 4$ in Fig. 7(c), we were only able to perform the model checking up to $BE_{max} = 5$ due to the well-known state-space explosion problem. When $BE_{max}$ is small, the waiting time for each sender tends to be short, and the channel is more likely to be busy after backoff. Furthermore, collisions also happen more often. But if $BE_{max}$ is too large, again due to the deadline constraint, even though it helps to solve the channel-busy and collision problems, it does not help to increase $PR$.

Fig. 8 shows how $NB_{max}$ affects $PR$. In Fig. 8, $BE_{min} = 3$ and $BE_{max} = 5$. Fig. 8(a) and (b) show that when $NB_{max}$ is small, there is a higher likelihood that the transmission fails due to exceeding the maximum number of backoffs. However, it can be seen that when $NB_{max}$ increases, $PR$ quickly levels off. This is because even with higher $NB_{max}$, the transmission may still fail due to exceeding the deadline or a collision in the first few backoff stages. Note that we did not pick larger values of $NB_{max}$, because it would not make much sense to allow a large number of backoffs given the time constraint to transmit the packet.

Remark 1: Note that one limitation of our proposed method is the computational complexity of the centralized model checking, in which the state space increases quickly with the number of subsystems. To this end, it will also be our future research direction to exploit state-space reduction methods, such as symmetry reduction, partial-order reduction, symbolic representations, as well as recent advances in compositional model checking of probabilistic systems with the assume-guarantee reasoning framework [38]–[40] that may help to avoid performing computationally expensive parallel composition. Furthermore, the verification problem can also be extended to synthesizing communication protocol supervisors that could dynamically select protocol parameters [41], [42].

Fig. 7. PR with BEmax. (a) N = 2. (b) N = 3. (c) N = 4.

Fig. 8. PR with NBmax. (a) N = 2. (b) N = 3.

VI. CONTROLLER DESIGN FOR GUARANTEED SYSTEM STABILITY

In Section V, we check if the specification is satisfied. If so, we know that the control system is guaranteed to be stable. However, if the $PR$ from the model checking cannot meet the control system requirement, in this section we show that, under certain conditions, we can redesign the controller so that the specification can be met. To this end, we first need the following lemma from [36].

Lemma 1: If (1) is nominally stable, for the packet drop margin $P_i$, it holds that

$$P_i \ge \frac{1 - \rho^2(\bar A_i)}{\kappa_2^2(\bar A_i)\,\|A_i\|_2^2 - \rho^2(\bar A_i)} \quad (6)$$

where $\bar A_i = A_i + B_i K_i$, and $\rho(\cdot)$, $\|\cdot\|_2$, and $\kappa_2(\cdot)$ denote the spectral radius, spectral norm, and spectral condition number of a matrix, respectively. Then, we have Theorem 2.

Theorem 2 [34]: For the nominally stable $i$th control system defined in (1), with $\bar A_i = A_i + B_i K_i$ and $PR = 1 - \alpha$, $\alpha \in [0, 1]$, from the probabilistic model checking, the system is mean-square stabilizable if the following holds:

$$\alpha\,\|A_i\|_2^2 \le 1 \quad (7)$$

and $B_i$ has a right inverse $X_i \in \mathbb{R}^{m_i \times n_i}$ such that $B_i X_i = I_{n_i}$, where $I_{n_i}$ denotes the identity matrix of dimension $n_i \times n_i$.

Proof: From Lemma 1, we know that if we can design the controller $K_i$ such that $\bar A_i = A_i + B_i K_i$ satisfies

$$\frac{1 - \rho^2(\bar A_i)}{\kappa_2^2(\bar A_i)\,\|A_i\|_2^2 - \rho^2(\bar A_i)} \ge \alpha \quad (8)$$

then from (6), it is easy to see that $P_i \ge \alpha$. As a result, from the definition of packet drop margin, we know that the system will be mean-square stable. So now the problem is to design $K_i$ such that (8) holds. From (8), we need to show

$$(1 - \alpha)\,\rho^2(\bar A_i) \le 1 - \alpha\,\kappa_2^2(\bar A_i)\,\|A_i\|_2^2. \quad (9)$$

When $\alpha = 1$, since $\kappa_2^2(\bar A_i) \ge 1$ by definition and $\|A_i\|_2 > 1$, meaning that the open-loop system is unstable, it can be seen that (9) will not hold. Furthermore, no packet will be lost if $\alpha = 0$, and the original controller suffices with no need to redesign. Therefore, we can focus on $\alpha \in (0, 1)$. Then, we need to guarantee that

$$\rho^2(\bar A_i) \le \frac{1 - \alpha\,\kappa_2^2(\bar A_i)\,\|A_i\|_2^2}{1 - \alpha}. \quad (10)$$

The nonnegativity of the left-hand side of (10) requires its upper bound on the right-hand side to be nonnegative as well, which gives

$$\alpha\,\|A_i\|_2^2 \le \frac{1}{\kappa_2^2(\bar A_i)}. \quad (11)$$


Fig. 9. Control and communication codesign framework.

Then, what is left is to find $\bar A_i$ such that both (10) and (11) hold. In fact, there could be many such $\bar A_i$, and for simplicity we choose the diagonal matrix with positive and identical eigenvalues in the form $\beta I_n$, where $\beta \ge 0$. In this case, all its eigenvalues are the same and equal its singular values. Obviously, $\kappa_2^2(\bar A_i) = 1$. From (10) and (11), we simply need

$$\beta^2 = \rho^2(\bar A_i) \le \frac{1 - \alpha\,\|A_i\|_2^2}{1 - \alpha} \quad \text{and} \quad \alpha\,\|A_i\|_2^2 \le 1. \quad (12)$$

Then, with the $\bar A_i$ we found, we can use the following equation to find $K_i$:

$$K_i = X_i(\beta I_n - A_i). \quad (13)$$

This is because, from (13),

$$B_i K_i = B_i X_i(\beta I_n - A_i) = \beta I_n - A_i \;\Rightarrow\; A_i + B_i K_i = \bar A_i = \beta I_n. \quad (14)$$

The above equalities result from the existence of the right inverse of $B_i$. The redesigned $K_i$ guarantees stability under the given $\alpha$. □

Remark 2: Even though Theorem 2 is only a sufficient condition for the existence of a controller that stabilizes the control system for a given packet drop rate, it clearly suggests a control and communication codesign framework, which is shown in Fig. 9. The key insight is from (7), which implies that $\alpha\,\rho^2(A_i) \le 1$, since $\rho(A_i) \le \|A_i\|_2$. It illustrates the tradeoff between $\alpha$ and $\rho(A_i)$. Note that $\alpha$ is the result from model checking, indicating what QoS in terms of the packet drop rate the communication system can offer given the current network topology, protocol, and parameters. On the other hand, $\rho(A_i)$ from the control system's side carries the inherent information on how unstable the open-loop system is. Then, when the specification is not satisfied initially, if we have a pair of $\alpha$ and $\|A_i\|_2^2$ such that (7) holds, indicating that either the packet drop rate is relatively small or the states of the open-loop system do not grow too fast, or both, it is possible to design a controller such that the control system can tolerate such packet loss and stability is guaranteed. However, if (7) does not hold, we may have to ask for a better QoS, with a smaller $\alpha$ value, from the communication system side. This can be done by, for example, tuning $BE_{min}$ and $BE_{max}$, compressing harder to get a shorter data length, and, in the worst case, decreasing the number of plants in the system, with the guidance obtained from Section V.

VII. ILLUSTRATIVE EXAMPLE

In this section, we show a numerical example to illustrate our control and communication codesign framework, as shown in Fig. 9. Consider a WNCS consisting of three plants in the form of (1) with

$$A_1 = \begin{bmatrix} -0.1223 & -1.4532 & 0.0502 \\ 0.1600 & 0.7951 & 1.1058 \\ -0.4088 & 0.2808 & 0.5120 \end{bmatrix}, \quad B_1 = \begin{bmatrix} -0.0339 & -0.9170 \\ -0.7849 & 0.6095 \\ -0.8064 & 0.5146 \end{bmatrix}$$

$$K_1 = \begin{bmatrix} -0.6778 & 0.5246 & 0.7362 \\ -0.1407 & -0.4350 & 0.4080 \end{bmatrix}$$

$$A_2 = \begin{bmatrix} -0.3992 & 0.1690 & 1.7059 \\ -0.0809 & 0.7839 & -0.1349 \\ -0.8757 & 0.0024 & 0.4491 \end{bmatrix}, \quad B_2 = \begin{bmatrix} 0.5021 & -0.8689 \\ -0.3944 & 0.7479 \\ -0.5344 & -1.1358 \end{bmatrix}$$

$$K_2 = \begin{bmatrix} -0.7121 & 1.1589 & -0.1769 \\ 0.3157 & 0.0817 & 0.4385 \end{bmatrix}$$

$$A_3 = \begin{bmatrix} -1.8563 & -0.1741 \\ 0.5347 & -0.1039 \end{bmatrix}, \quad B_3 = \begin{bmatrix} -0.5954 & -0.5246 & 0.2346 \\ -0.6492 & 0.4349 & -0.5717 \end{bmatrix}$$

$$K_3 = \begin{bmatrix} -0.3239 & -0.6636 \\ -2.3239 & 0.3711 \\ -1.1479 & 0.7110 \end{bmatrix}.$$

All the systems are open-loop unstable and nominally stable. From (2) and (3), it can be found that $P_1 = 0.3551$, $P_2 = 0.2404$, and $P_3 = 0.1464$. Then, $p = \min\{P_1, P_2, P_3\} = 0.1464$.

Suppose we have the communication network described in Sections IV and V with $BE_{min} = 2$, $BE_{max} = 5$, and $NB_{max} = 4$, and the maximum data length is 100 B. From the model checking results in Fig. 6(b), we know that $PR = 0.69$ in this case. Clearly, $PR < 1 - P_3 = 0.8536$, and it may not be possible to guarantee that all the subsystems are stable. Observe that both plants 2 and 3 violate the specification, since $PR < 1 - P_2$ and $PR < 1 - P_3$. Also, for station 2, $B_2$ does not have a right inverse, and for station 3 with $\alpha = 1 - PR = 0.31$,

$$\alpha\,\|A_3\|_2^2 = 1.1628 > 1.$$

Neither of them satisfies the conditions in Theorem 2 for controller redesign. Therefore, we need the communication system to tune its MAC parameters to provide better QoS.

If we increase $BE_{min}$ to 4, from Fig. 6(b) we know $PR = 0.8357$. This time, station 2 can be guaranteed to be stable, but still not station 3. However, observe that for $\alpha = 1 - PR = 0.1643$, we have

$$\alpha\,\|A_3\|_2^2 = 0.6163 \le 1.$$

Also, $B_3$ has a right inverse. Then, from Theorem 2, we know that it is possible to redesign the controller. Taking $\beta = 0.15$, we get

$$K_3 = \begin{bmatrix} -1.3382 & -0.3175 \\ -1.8304 & -0.0135 \\ 1.0626 & -0.0937 \end{bmatrix}.$$

With this new controller, it can be found that $P_3 = 0.3033$. The specification is satisfied, and thus our WNCS is guaranteed to be stable.
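The Theorem 2 check and the gain redesign of (12) and (13) for plant 3 can be reproduced numerically. The following is an added example, not the authors' code; it assumes the right inverse $X_3 = B_3^\top (B_3 B_3^\top)^{-1}$ (the page does not say which right inverse was used, but this choice reproduces the $K_3$ above) and uses plain Python without numpy.

```python
from typing import List

Matrix = List[List[float]]

# Plant 3 of Section VII (values from the page) and B_2, which has no right inverse
A3: Matrix = [[-1.8563, -0.1741], [0.5347, -0.1039]]
B3: Matrix = [[-0.5954, -0.5246, 0.2346], [-0.6492, 0.4349, -0.5717]]
B2: Matrix = [[0.5021, -0.8689], [-0.3944, 0.7479], [-0.5344, -1.1358]]


def transpose(a: Matrix) -> Matrix:
    return [list(col) for col in zip(*a)]


def matmul(a: Matrix, b: Matrix) -> Matrix:
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]


def identity(n: int) -> Matrix:
    return [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]


def inverse(a: Matrix, tol: float = 1e-9) -> Matrix:
    """Gauss-Jordan inverse with partial pivoting; raises ValueError if singular."""
    n = len(a)
    m = [list(a[i]) + identity(n)[i] for i in range(n)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(m[r][c]))
        if abs(m[p][c]) < tol:
            raise ValueError("matrix is singular")
        m[c], m[p] = m[p], m[c]
        piv = m[c][c]
        m[c] = [v / piv for v in m[c]]
        for r in range(n):
            if r != c:
                f = m[r][c]
                m[r] = [rv - f * cv for rv, cv in zip(m[r], m[c])]
    return [row[n:] for row in m]


def spectral_norm_sq(a: Matrix, iters: int = 500) -> float:
    """||A||_2^2, the largest eigenvalue of A^T A, by power iteration."""
    g = matmul(transpose(a), a)
    v = [1.0] * len(g)
    lam = 0.0
    for _ in range(iters):
        w = [sum(g[i][j] * v[j] for j in range(len(g))) for i in range(len(g))]
        lam = sum(x * x for x in w) ** 0.5   # ||G v|| -> lambda_max for unit v
        if lam == 0.0:
            return 0.0
        v = [x / lam for x in w]
    return lam


def right_inverse(b: Matrix) -> Matrix:
    """X = B^T (B B^T)^{-1}, so that B X = I; ValueError when none exists."""
    return matmul(transpose(b), inverse(matmul(b, transpose(b))))


def has_right_inverse(b: Matrix) -> bool:
    try:
        right_inverse(b)
        return True
    except ValueError:
        return False


def theorem2_holds(a: Matrix, b: Matrix, alpha: float) -> bool:
    """Condition (7) together with the right-inverse requirement of Theorem 2."""
    return alpha * spectral_norm_sq(a) <= 1.0 and has_right_inverse(b)


def beta_admissible(a: Matrix, alpha: float, beta: float) -> bool:
    """First inequality of (12), valid for alpha in (0, 1) as in the proof."""
    return beta ** 2 <= (1.0 - alpha * spectral_norm_sq(a)) / (1.0 - alpha)


def redesign_gain(a: Matrix, b: Matrix, beta: float) -> Matrix:
    """K = X (beta I - A), equation (13)."""
    n = len(a)
    target = [[beta * identity(n)[i][j] - a[i][j] for j in range(n)] for i in range(n)]
    return matmul(right_inverse(b), target)


def closed_loop(a: Matrix, b: Matrix, k: Matrix) -> Matrix:
    """A + B K, which by (14) equals beta I for the gain from (13)."""
    bk = matmul(b, k)
    return [[a[i][j] + bk[i][j] for j in range(len(a))] for i in range(len(a))]


if __name__ == "__main__":
    for alpha in (0.31, 0.1643):       # PR = 0.69 and PR = 0.8357 from Fig. 6(b)
        print(alpha, round(alpha * spectral_norm_sq(A3), 4), theorem2_holds(A3, B3, alpha))
    print("B2 has right inverse:", has_right_inverse(B2))
    print("K3 =", redesign_gain(A3, B3, 0.15))
```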

VIII. CONCLUSION

In this paper, we proposed to study the stability properties of a WNCS by converting the problem into a probabilistic model checking problem. The stability requirement was transformed into a PTCTL formula so that, with formal methods, we obtain guaranteed performance in terms of stability. The PTA model was built, and the model checking was performed with the PRISM model checker and compared with analytical as well as simulation results. The effect of the different protocol parameters on the reachability property was analyzed. If the specification is not satisfied, it is possible to tune the MAC layer parameters or redesign the controller to meet the specification. The model checking, communication parameter analysis, and controller redesign together form a codesign framework.

ACKNOWLEDGMENT

The authors would like to thank the anonymous reviewers for their insightful comments and suggestions that helped to improve the presentation of this paper.

REFERENCES

[1] J. P. Hespanha, P. Naghshtabrizi, and Y. Xu, "A survey of recent results in networked control systems," Proc. IEEE, vol. 95, no. 1, pp. 138–162, Jan. 2007.

[2] I. I. Hussein and D. M. Stipanovic, "Effective coverage control for mobile sensor networks with guaranteed collision avoidance," IEEE Trans. Control Syst. Technol., vol. 15, no. 4, pp. 642–657, Jul. 2007.

[3] N. Kottenstette, J. F. Hall, X. Koutsoukos, J. Sztipanovits, and P. Antsaklis, "Design of networked control systems using passivity," IEEE Trans. Control Syst. Technol., vol. 21, no. 3, pp. 649–665, May 2013.

[4] P. Seiler and R. Sengupta, "An H∞ approach to networked control," IEEE Trans. Autom. Control, vol. 50, no. 3, pp. 356–364, Mar. 2005.

[5] J. Baillieul and P. J. Antsaklis, "Control and communication challenges in networked real-time systems," Proc. IEEE, vol. 95, no. 1, pp. 9–28, Jan. 2007.

[6] G. C. Walsh, H. Ye, and L. G. Bushnell, "Stability analysis of networked control systems," IEEE Trans. Control Syst. Technol., vol. 10, no. 3, pp. 438–446, May 2002.

[7] F.-L. Lian, J. Moyne, and D. Tilbury, "Network design consideration for distributed control systems," IEEE Trans. Control Syst. Technol., vol. 10, no. 2, pp. 297–307, Mar. 2002.

[8] Q. Ling and M. D. Lemmon, "A necessary and sufficient feedback dropout condition to stabilize quantized linear control systems with bounded noise," IEEE Trans. Autom. Control, vol. 55, no. 11, pp. 2590–2596, Nov. 2010.

[9] S.-J. Liu, S. S. Ge, and J.-F. Zhang, "Adaptive output-feedback control for a class of uncertain stochastic non-linear systems with time delays," Int. J. Control, vol. 81, no. 8, pp. 1210–1220, 2008.

[10] L. Xie and L. Xie, "Stability analysis of networked sampled-data linear systems with Markovian packet losses," IEEE Trans. Autom. Control, vol. 54, no. 6, pp. 1375–1381, Jun. 2009.

[11] L. Shi, M. Epstein, and R. M. Murray, "Control over a packet dropping network with norm bounded uncertainties," Asian J. Control, vol. 10, no. 1, pp. 14–23, 2008.

[12] R. Yang, G.-P. Liu, P. Shi, C. Thomas, and M. V. Basin, "Predictive output feedback control for networked control systems," IEEE Trans. Ind. Electron., vol. 61, no. 1, pp. 512–520, Jan. 2014.

[13] H. Li, M.-Y. Chow, and Z. Sun, "Optimal stabilizing gain selection for networked control systems with time delays and packet losses," IEEE Trans. Control Syst. Technol., vol. 17, no. 5, pp. 1154–1162, Sep. 2009.

[14] N. W. Bauer, P. J. H. Maas, and W. P. M. H. Heemels, "Stability analysis of networked control systems: A sum of squares approach," Automatica, vol. 48, no. 8, pp. 1514–1524, 2012.

[15] G. Bianchi, "Performance analysis of the IEEE 802.11 distributed coordination function," IEEE J. Sel. Areas Commun., vol. 18, no. 3, pp. 535–547, Mar. 2000.

[16] P. Park, P. Di Marco, C. Fischione, and K. H. Johansson, "Delay distribution analysis of wireless personal area networks," in Proc. IEEE 51st Annu. Conf. Decision Control (CDC), Dec. 2012, pp. 5864–5869.

[17] B. Wu, H. Lin, and M. Lemmon, "Stability analysis for wireless networked control system in unslotted IEEE 802.15.4 protocol," in Proc. 11th IEEE Int. Conf. Control Autom. (ICCA), Jun. 2014, pp. 1084–1089.

[18] K. Duffy, D. Malone, and D. J. Leith, "Modeling the 802.11 distributed coordination function in non-saturated conditions," IEEE Commun. Lett., vol. 9, no. 8, pp. 715–717, Aug. 2005.

[19] C. Buratti and R. Verdone, "Performance analysis of IEEE 802.15.4 non beacon-enabled mode," IEEE Trans. Veh. Technol., vol. 58, no. 7, pp. 3480–3493, Sep. 2009.

[20] C. Fischione, P. Park, S. C. Ergen, K. H. Johansson, and A. Sangiovanni-Vincentelli, "Analytical modeling and optimization of duty-cycles in preamble-based IEEE 802.15.4 wireless sensor networks," IEEE/ACM Trans. Netw., vol. 19, no. 7, pp. 1691–1717, 2013.

[21] J. Nilsson, "Real-time control systems with delays," Ph.D. dissertation, Dept. Autom. Control, Lund Inst. Technol. (LTH), Sweden, 1998.

[22] P. Park, P. Di Marco, P. Soldati, C. Fischione, and K. H. Johansson, "A generalized Markov chain model for effective analysis of slotted IEEE 802.15.4," in Proc. IEEE 6th Int. Conf. Mobile Adhoc Sensor Syst., Oct. 2009, pp. 130–139.

[23] M. Fruth, "Formal methods for the analysis of wireless network protocols," Ph.D. dissertation, Dept. Comput. Sci., Oxford Univ., England, U.K., 2011.

[24] A. Fehnker and P. Gao, "Formal verification and simulation for performance analysis for probabilistic broadcast protocols," in Ad-Hoc, Mobile, and Wireless Networks. Berlin, Germany: Springer, 2006, pp. 128–141.

[25] E. M. Clarke, O. Grumberg, and D. Peled, Model Checking. Cambridge, MA, USA: MIT Press, 1999.

[26] C. Baier, J.-P. Katoen, and K. G. Larsen, Principles of Model Checking. Cambridge, MA, USA: MIT Press, 2008.

[27] I. Tinnirello, G. Bianchi, P. Gallo, D. Garlisi, F. Giuliano, and F. Gringoli, "Wireless MAC processors: Programming MAC protocols on commodity hardware," in Proc. IEEE INFOCOM, Mar. 2012, pp. 1269–1277.

[28] M. Kwiatkowska, G. Norman, and J. Sproston, "Probabilistic model checking of the IEEE 802.11 wireless local area network protocol," in Process Algebra and Probabilistic Methods: Performance Modeling and Verification. Berlin, Germany: Springer, 2002, pp. 169–187.

[29] M. Fruth, "Probabilistic model checking of contention resolution in the IEEE 802.15.4 low-rate wireless personal area network protocol," in Proc. 2nd Int. Symp. Leveraging Appl. Formal Methods, Verification Validation (ISoLA), 2006, pp. 290–297.

[30] T. Kapus, "Modelling medium access control in IEEE 802.15.4 nonbeacon-enabled networks with probabilistic timed automata," Mobile Inf. Syst., vol. 9, no. 2, pp. 157–188, 2013.

[31] M. Kwiatkowska, G. Norman, and D. Parker, "PRISM 4.0: Verification of probabilistic real-time systems," in Computer Aided Verification. Berlin, Germany: Springer, 2011, pp. 585–591.

[32] L. Zhang and D. Hristu-Varsakelis, "Communication and control co-design for networked control systems," Automatica, vol. 42, no. 6, pp. 953–958, Jun. 2006.

[33] C. Peng and T. C. Yang, "Event-triggered communication and H∞ control co-design for networked control systems," Automatica, vol. 49, no. 5, pp. 1326–1332, 2013.

[34] B. Wu, H. Lin, and M. Lemmon, "Formal methods for stability analysis of networked control systems with IEEE 802.15.4 protocol," in Proc. IEEE 53rd Annu. Conf. Decision Control (CDC), Dec. 2014, pp. 5266–5271.

[35] L. Schenato, "To zero or to hold control inputs with lossy links?" IEEE Trans. Autom. Control, vol. 54, no. 5, pp. 1093–1099, May 2009.

[36] S. Hu and W.-Y. Yan, "Stability robustness of networked control systems with respect to packet loss," Automatica, vol. 43, no. 7, pp. 1243–1248, 2007.

[37] J. J. M. M. Rutten, M. Kwiatkowska, G. Norman, and D. Parker, Mathematical Techniques for Analyzing Concurrent and Probabilistic Systems. Providence, RI, USA: AMS, 2004.

[38] A. Komuravelli, C. S. Pasareanu, and E. M. Clarke, "Assume-guarantee abstraction refinement for probabilistic systems," in Computer Aided Verification. Berlin, Germany: Springer, 2012, pp. 310–326.

[39] L. Feng, M. Kwiatkowska, and D. Parker, "Compositional verification of probabilistic systems using learning," in Proc. IEEE 7th Int. Conf. Quant. Eval. Syst. (QEST), Sep. 2010, pp. 133–142.

[40] X. Zhang, B. Wu, and H. Lin. (Mar. 2017). "Counterexample-guided abstraction refinement for POMDPs." [Online]. Available: https://arxiv.org/abs/1701.06209

[41] B. Wu and H. Lin, "Counterexample-guided distributed permissive supervisor synthesis for probabilistic multi-agent systems through learning," in Proc. IEEE Amer. Control Conf. (ACC), Jul. 2016, pp. 5519–5524.

[42] B. Wu, X. Zhang, and H. Lin. (Mar. 2017). "Permissive supervisor synthesis for Markov decision processes through learning." [Online]. Available: https://arxiv.org/abs/1703.07351

Bo Wu (S'13) received the B.S. degree from the Harbin Institute of Technology, Harbin, China, in 2008, and the M.S. degree from Lund University, Lund, Sweden, in 2011. He is currently pursuing the Ph.D. degree with the Department of Electrical Engineering, University of Notre Dame, Notre Dame, IN, USA.

His current research interests include formal methods and control of probabilistic systems with application in cyber-physical systems, multirobot systems, and communication systems.

Michael D. Lemmon (M'81) received the B.S. degree in electrical engineering from Stanford University, Stanford, CA, USA, in 1979, and the Ph.D. degree in electrical and computer engineering from Carnegie Mellon University, Pittsburgh, PA, USA, in 1990.

His current research interests include networked control systems and the resilience of dynamical systems.

Dr. Lemmon was an Associate Editor of the IEEE TRANSACTIONS ON NEURAL NETWORKS and the IEEE TRANSACTIONS ON CONTROL SYSTEMS TECHNOLOGY. He was the Chair of the first IEEE working group on hybrid dynamical systems and the Program Chair of the Hybrid Systems Workshop in 1997.

Hai Lin (SM'10) received the Ph.D. degree from the University of Notre Dame, Notre Dame, IN, USA, in 2005.

Before returning to his alma mater, he was an Assistant Professor with the National University of Singapore, Singapore, from 2006 to 2011. He is currently an Associate Professor with the University of Notre Dame. His current research interests include the intersections of control theory, formal methods, machine learning, cyber-physical systems, multirobot cooperative tasking, and human–machine collaboration.

Dr. Lin was a recipient of the 2013 NSF CAREER Award. He has served on several committees and editorial boards, including the IEEE TRANSACTIONS ON AUTOMATIC CONTROL. He was the Program Chair of the IEEE ICCA 2011 and the IEEE CIS 2011, and the Chair of the IEEE SMC Singapore Chapter in 2009 and 2010. He is currently serving as the Chair of the IEEE CSS Technical Committee on Discrete Event Systems.