Formal Design and Verification of N-M Switching Control System
Production processes in which stable voltage is critical, e.g., electro-plating, require the incoming voltage to be corrected in real time so that losses are minimized even when low-quality electricity is supplied from outside. To address this problem, which is frequently raised by factories located in areas with an unstable electricity supply, we designed an N-M switching control system and verified its correctness using LTL model checking.
💡 Research Summary
The paper addresses the critical need for stable voltage in manufacturing environments such as electro‑plating factories, where fluctuations in the incoming power can cause product loss, equipment damage, and increased operational costs. Traditional voltage regulation devices typically provide a single‑stage boost or buck function and lack the flexibility to cope with rapid voltage swings or the loss of the primary power source. To overcome these limitations, the authors propose an N‑M switching control system that dynamically selects among multiple voltage levels (N) and multiple power sources (M) in real time. In this architecture, N denotes the discrete voltage tiers (e.g., low, nominal, high) while M represents the available power supplies (e.g., main grid, backup generator, battery). The controller continuously monitors the input voltage, evaluates the current tier and the status of each supply, and executes a predefined switching policy to keep the output within the acceptable range.
The design is formalized as a finite‑state machine (FSM). Each state is a pair (voltage tier, active source). Transition functions are triggered when the measured voltage crosses upper or lower thresholds, when a source becomes unavailable, or when load demand changes. To avoid excessive toggling, the authors embed debounce logic and hysteresis margins, ensuring that minor or transient excursions do not cause immediate switching. The FSM also incorporates a minimum dwell‑time constraint to guarantee that any source remains active for a safe interval before another transition is permitted.
For verification, the system is encoded in the NuSMV model checker and its requirements are expressed in Linear Temporal Logic (LTL). The key properties (the first, third and fourth are safety properties; the second, which uses F, is a liveness property) are:
- Voltage range invariant – “always the output voltage stays within the prescribed limits” (G VoltageInRange).
- High‑voltage fallback – “if the voltage exceeds the high threshold, eventually the controller switches to a backup source” (G (VoltageHigh → F SwitchToBackup)).
- Backup‑source correctness – “while a backup source is active, the voltage must still satisfy the range invariant” (G (UsingBackup → VoltageInRange)).
- Switching latency – “after a switch, the controller does not issue another switch immediately” (G (Switch → X ¬Switch)).
The model checker exhaustively explores all reachable states, including scenarios with rapid voltage fluctuations, simultaneous source failures, and sensor faults. The verification results confirm that the N‑M controller satisfies every LTL specification. Notably, the system maintains the voltage within bounds even during abrupt spikes, and it only initiates source changes when necessary, thereby minimizing power loss and wear on switching hardware. During the verification process, a corner case was uncovered: a transient sensor fault could delay the transition to a backup source. The authors responded by adding an error‑detection routine that forces an immediate fallback when the sensor reading is inconsistent for a predefined number of cycles. After this amendment, the model again passed all checks.
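As an added illustration, not the paper's NuSMV model (which the summary does not reproduce), the Python below encodes a small version of the FSM described above and then checks the switching properties by explicit-state exploration over every reachable state and input. Hysteresis is folded into discretised sensor readings, a debounce counter and a dwell timer gate every switch, and a `fault_override` flag models the sensor-fault amendment: after FAULT_LIMIT consecutive inconsistent readings the controller falls back to backup without waiting for the debounce counter, but still respects the dwell timer so that G (Switch → X ¬Switch) keeps holding. The reading labels, the constants DEBOUNCE, DWELL and FAULT_LIMIT, and the state fields are assumptions made for this example; the output-voltage invariant (G VoltageInRange) needs a plant model and is not checked here.

```python
from collections import deque
from dataclasses import dataclass

# Example model only: constants and labels are assumptions, not values from the paper.
READINGS = ("LOW", "NOMINAL", "HIGH", "INVALID")  # INVALID = inconsistent sensor reading
DEBOUNCE = 2      # out-of-range readings that must persist before the tier/source changes
DWELL = 3         # cycles a source stays active before the next switch is permitted
FAULT_LIMIT = 2   # consecutive INVALID readings that force a fallback to BACKUP


@dataclass(frozen=True)
class State:
    source: str       # "MAIN" or "BACKUP"
    tier: str         # accepted voltage tier: LOW / NOMINAL / HIGH
    dwell: int        # remaining dwell cycles (0 = a switch is allowed)
    out_count: int    # consecutive out-of-range readings (debounce counter)
    fault_count: int  # consecutive inconsistent readings


INIT = State("MAIN", "NOMINAL", 0, 0, 0)


def step(s, reading, main_ok, fault_override=True):
    """One control cycle. Returns (next_state, switched). Hysteresis is folded into
    the reading labels: the sensor reports HIGH/LOW only after crossing the outer
    threshold and NOMINAL again only once back inside the inner margin."""
    dwell = max(s.dwell - 1, 0)
    fault = min(s.fault_count + 1, FAULT_LIMIT) if reading == "INVALID" else 0
    out = min(s.out_count + 1, DEBOUNCE) if reading in ("LOW", "HIGH") else 0
    tier = s.tier
    if reading == "NOMINAL":
        tier = "NOMINAL"
    elif reading != "INVALID" and out >= DEBOUNCE:   # debounced tier change
        tier = reading
    want_backup = (not main_ok                                     # source lost
                   or (reading == "HIGH" and out >= DEBOUNCE)      # debounced over-voltage
                   or (fault_override and fault >= FAULT_LIMIT))   # sensor-fault amendment
    want_main = main_ok and reading == "NOMINAL"
    source, switched = s.source, False
    if dwell == 0:  # the minimum dwell time gates every switch, including overrides
        if source == "MAIN" and want_backup:
            source, switched = "BACKUP", True
        elif source == "BACKUP" and want_main:
            source, switched = "MAIN", True
    if switched:
        dwell = DWELL
    return State(source, tier, dwell, out, fault), switched


def explore(fault_override=True):
    """Explicit-state reachability from INIT over every reading/main_ok input.
    Returns all transitions as (state, reading, main_ok, next_state, switched)."""
    seen, queue, transitions = {INIT}, deque([INIT]), []
    while queue:
        s = queue.popleft()
        for reading in READINGS:
            for main_ok in (True, False):
                n, switched = step(s, reading, main_ok, fault_override)
                transitions.append((s, reading, main_ok, n, switched))
                if n not in seen:
                    seen.add(n)
                    queue.append(n)
    return transitions


def check(fault_override=True):
    """Check the switching properties over all reachable transitions. Each entry is
    None (property holds) or the first counterexample (state, reading, main_ok)."""
    trans = explore(fault_override)
    succ = {}                      # state -> list of 'switched' flags of its successors
    for s, r, m, n, sw in trans:
        succ.setdefault(s, []).append(sw)

    def dwell_after(s):            # dwell value the controller sees in its next cycle
        return max(s.dwell - 1, 0)

    return {
        # G (Switch -> X !Switch): no successor of a switching step switches again.
        "no_back_to_back_switch": next(
            ((s, r, m) for s, r, m, n, sw in trans if sw and any(succ[n])), None),
        # Debounce: one transient out-of-range reading with main healthy never switches.
        "debounced": next(
            ((s, r, m) for s, r, m, n, sw in trans
             if sw and r in ("LOW", "HIGH") and s.out_count == 0 and m), None),
        # G (VoltageHigh -> F SwitchToBackup), bounded: once HIGH has persisted for
        # DEBOUNCE cycles and the dwell timer has run out, the next state is on BACKUP.
        "high_falls_back": next(
            ((s, r, m) for s, r, m, n, sw in trans
             if r == "HIGH" and s.out_count + 1 >= DEBOUNCE
             and dwell_after(s) == 0 and n.source != "BACKUP"), None),
        # Sensor-fault corner case: FAULT_LIMIT inconsistent readings force BACKUP
        # as soon as the dwell timer permits.
        "fault_falls_back": next(
            ((s, r, m) for s, r, m, n, sw in trans
             if r == "INVALID" and s.fault_count + 1 >= FAULT_LIMIT
             and dwell_after(s) == 0 and n.source != "BACKUP"), None),
    }


if __name__ == "__main__":
    for override in (False, True):
        print(f"fault_override={override}:")
        for name, cex in check(override).items():
            print(f"  {name}: {'holds' if cex is None else 'FAILS, e.g. ' + str(cex)}")
```

Running it with `fault_override=False` reports a counterexample for `fault_falls_back` (the controller sits on MAIN while the sensor keeps returning INVALID, since neither the over-voltage nor the loss-of-main rule fires), while the other three properties hold; with the override enabled every property holds. The model also makes a trade-off explicit that the prose glosses over: because the dwell timer gates every switch, loss of the main supply immediately after a switch is only acted on once the dwell interval expires. If that is unacceptable for the plant, the dwell constraint and the switching-latency property have to be weakened together, and the check will show exactly which one breaks.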
The contributions of the paper are threefold. First, it demonstrates that real‑time physical control logic can be rigorously modeled and verified using formal methods, reducing the risk of design‑time errors that are costly to fix after deployment. Second, the N‑M architecture provides a scalable template for managing multiple voltage tiers and power supplies, which can be adapted to a wide range of industrial settings beyond electro‑plating, such as semiconductor fabrication, battery‑charging stations, and micro‑grid interfaces. Third, the work showcases the practical applicability of LTL model checking for safety‑critical control software, offering a repeatable verification workflow that can be integrated into standard engineering processes.
Future work suggested by the authors includes extending the model to incorporate renewable energy sources and energy‑storage dynamics, performing hardware‑in‑the‑loop (HIL) experiments to assess real‑time performance and latency, and developing automated code‑generation pipelines that translate verified models directly into embedded controller firmware. By bridging formal verification with practical voltage‑control hardware, the paper paves the way for more resilient, energy‑efficient manufacturing plants in regions with unreliable power infrastructure.