Using SCADE for Decision Support in Dam
Management
María del Mar Gallardo¹, Pedro Merino¹, Laura Panizo¹ and Antonio Linares²
¹ Dep. Lenguajes y Ciencias de la Computación, University of Málaga, Spain
² BEFESA AGUAS, SAU, Spain
Abstract. Formal methods have been widely used to analyze discrete systems
such as software. However, in recent years their field of application has been
extended to deal with hybrid systems, that is, systems that combine both continuous
and discrete behaviors. This paper presents the experimental use of formal
methods in a new application domain, the management of dams. Such systems present
hybrid behaviors which are not properly dealt with by classic numerical models.
We use the tool SCADE, based on the formal language Lustre, to model,
simulate and verify dam elements in order to obtain a Decision Support System (DSS)
suitable for use by the dam operator.
1 Introduction
A Decision Support System (DSS) is a specialized type of information system for
business and organizational decision-making activities. One emerging field of application of
DSS is water resource management. In this domain, DSSs are mainly used as flood
simulation and prediction tools. They include numerical models of dams, rivers, and other
water management systems. In this context, DSSs need to work with a huge amount of
data, like weather forecasts, water levels in real-time, etc. The output of a DSS could
be, for instance, the evolution of water at different points along the river. If it is obtained
rapidly, it provides valuable information for the managing staff.
Currently, increasing numbers of DSSs are deployed in different basins, such as the
DSS SAD Ebro [7]. Traditionally, these systems have used numerical models, which are
a powerful and precise tool for simulating continuous variables, such as river flow.
Artificial intelligence has also contributed to the development of DSSs in this area, defining
heuristics to introduce probabilities and uncertainty [6]. However, an important
challenge for these proposals is how to integrate the discrete part, which typically appears in
a dam. Current DSSs consider dams as black boxes with the ability to control the water
flow, but they do not consider the real behavior of their elements and the complexity of
managing them in order to achieve a precise goal, such as releasing 2 Hm³ in an hour to
avoid having the river burst its banks. The operator's decisions should take into account
many parameters, such as the behavior of each outflow element, the current level of the
dam, the water demand for citizens or the minimum flow needed for energy
production. The aim of this paper is to use formal methods to implement this combination of
discrete and continuous behavior in order to improve the functionalities of DSSs with
a more precise management of dams. Using formal models, we can take advantage of
powerful features, such as automatic verification, automatic code generation or
automatic generation of operational procedures.
Partially supported by the Spanish MEC under grants P07-TIC3131 and TIN2008-05932
del Mar Gallardo M., Merino P., Panizo L. and Linares A. (2009).
Using SCADE for Decision Support in Dam Management.
In Proceedings of the 7th International Workshop on Modelling, Simulation, Verification and Validation of Enterprise Information Systems, pages 125-131
DOI: 10.5220/0002194801250131
Copyright © SciTePress
Recently, formal methods techniques have been extended to cover both continuous
and discrete behavior [8,3]. They have been used in some attempts to model and verify
water resource management subsystems such as a hydroelectric power plant in [2] or
supervisory water level control for cascaded river power plants in [4].
In this paper, we present a model of a dam using the SCADE suite [1], a tool based
on the language Lustre that provides facilities for modeling, simulating and verifying
hybrid systems. Our model uses data flows to implement the continuous behavior and
safe state machines to implement the discrete part. This model is used for decision
support at the dam, allowing the operators a) to simulate the effect of actions like opening
or closing spillways, b) to verify that these actions will enable the dam to reach a safe
state, and c) to generate sequences of actions in order to make the system evolve towards
a safe state. Compared with related work, our approach offers interesting advantages,
such as the ability to verify that certain critical properties are preserved in dams.
Finally, it is also scalable, that is, every element in the system may be easily replicated.
2 Dam Management
A dam is a complex water management system that can have different objectives, the
most common being the regulation of floods and water supply for human consumption
and irrigation. To meet these objectives, a dam has different types of outflow elements.
Figure 1 shows the different outflow elements in the dam used as an example. Wide
Surface Spillways, Intermediate Outflows and Low Level Outflows are gates used for
flood regulation; they are usually opened in emergency situations.
They have a high outflow capacity when the height of stored water rises above them.
Water Supply Inflows are pipes used to obtain water for human consumption. They
form the water supply system, together with valves and machinery located downstream
on one side of the dam. That guarantees the water supply when gravity does not allow
it naturally. Figure 1 shows 3 pipes at different heights connected to the water supply
canal. In our reference dam there is a special structure that transfers water from other
reservoirs. This subsystem increases the water level in the dam in a controlled way.
Fig.1. Dam Section and Control Room.
The operational procedure of a dam can be very complex depending on the number
of outflow elements and the limitations imposed by nature and official regulation rules.
Dams have different states depending on the water level, and a set of operational
procedures is associated with each state to ensure the safety of the dam and the population
downstream, as well as the efficient use of water.
3 Modeling a Dam with SCADE
A dam is composed of different outflow elements. The DSS is highly dependent on the
model of the dam elements and the environment. A first model has been developed,
applying simplifications in the number of gates and their behavior. The model is shown in
Figure 2.
Fig.2. Dam Model.
Three elements make up the dam: wide surface spillways, the water supply system and
the transfer from other reservoirs. These nodes mix finite state machines and data flows.
Additional blocks are needed to analyze the system, for instance, the inflow caused
by rain and the river, or the behavior of users. Communication between the dam and the
user and rain models is performed through the dam inputs: inflows, cmd transfer, cmd wss,
value and cmd spillway. Dam outputs are the state of each gate and the current water
level. The behavior of the modeled elements is as follows:
Wide Surface Spillway: This element has been modeled with a nested state
machine with two main states, Open and Close, as shown in Figure 3. An Init state is
also included for correct initialization. There are two opening positions:
Intermediate and Complete. Transitions from these states are fired by user
commands (close, open i, open c). In addition, delay states have been introduced
to model the time needed to open and close gates. For simplicity, the contribution
of spillways only depends on the opening degree. If the water level is below the
height of the gates, spillways do not work properly. Each spillway has a cmd input
to receive user commands, a dam level input and an init state for correct
initialization. It has two outputs: its contribution to dam level and its current state
(st).
Water Supply System: This node models pipes, valves and machinery for water
supply. This node acts as a valve with different degrees of opening. It has been
modeled with a state machine with two states: steady and delay. In the first one,
water flows and gates are opened to a fixed degree. When the user wants to modify the
degree, a command is sent and a transition to the delay state occurs, where the
new degree of opening is loaded. This node has inputs to receive user commands
and opening degrees. It has two outputs: its contribution to dam level and its
current state.
Water Inflow from other Reservoirs, Transfer: This node is similar to the
spillway model, but in this case, transfer increases the water level and its contribution
to the dam level is independent of the modeled dam.
Fig.3. Spillway State Machine.
4 Decision Support Systems with SCADE
The normal operation of DSS is based on the simulation of models with different
parameters, some of them real-time data collected from sensors. SCADE can be used
for this purpose because it offers a complete simulation environment. In the following
paragraphs, we describe the roles of SCADE as a DSS.
Simulation: SCADE allows two simulation modes, step by step and batch;
both allow input values to be changed manually. Figure 4 shows a simulation step of a
dam model. To run a simulation, a scenario is needed, which provides the inflow value
for each simulation step, together with a model of the user, which contains the set of operational
procedures carried out. In Figure 4, the user model is very simple and does not consider
status information of the dam. Finite state machines can be used to model user behavior.
Fig.4. Simulation Scenario.
Training: This task can be oriented to training new dam operators with different
objectives, from avoiding a disaster to minimizing water wasted or released in case of
flooding. To this end, a real user has to manually interact with the dam model through its
inputs in each cycle. The dam returns to the user data about the gates' state (st spillways,
st transfer, st wss) and the water level.
Verification of Safety Properties: In addition to the usual safety properties, the
SCADE verification module is used to analyze specific properties regarding the dam
management that are informally described in the dam operation manual. The
methodology used is shown in Figure 5. The user model reflects the operational procedure
under analysis. Some examples of interesting properties to be analyzed are: (1) after
the user carries out some operations, the water level is reduced to the desired level in N
ticks (N simulation steps); or (2) if the dam level reaches a threshold, then the water level
is reduced to the desired level in N ticks. Using a simple user model, we have
implemented and validated these properties. The analysis of the first one lasted 58.797 sec.,
with a depth of 20 transitions in the search space. The analysis of the second property lasted 190.203
sec. with a similar depth. This huge increment in time could be more significant if the
user model is extended or if properties are more complex.
Automatic Synthesis of Operational Procedures: Automatic synthesis has been
analyzed previously in other areas, such as industrial controllers [8,5]. The challenge
is to manage the dam, satisfying user objectives. An example is shown in Figure 5. The
user model has to be carefully designed so as not to discard any procedure. The objective
has to be expressed as a property that the system does not fulfill. The counterexample
returned will be the sequence of actions needed to fulfill the property.
Fig.5. Verification and Automatic Synthesis Scenario.
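The spillway state machine of Section 3 and the verification and synthesis-by-counterexample roles described above can be sketched as follows. This is an added Python example, not the authors' SCADE/Lustre model; the gate height, outflow values, one-tick delay, the rule that commands are ignored while a gate is moving, and all function names are assumptions made for illustration.

```python
from collections import deque

# Constructed integer parameters (the paper uses integer I/O but gives no values).
GATE_HEIGHT = 10                       # spillways only discharge above this level
OUTFLOW = {"inter": 2, "complete": 5}  # contribution per tick by opening degree
TARGET_OF = {"open_i": "inter", "open_c": "complete", "close": "closed"}
DELAY_TO = {"to_inter": "inter", "to_complete": "complete", "to_closed": "closed"}

def step(state, cmd, inflow):
    """One synchronous tick: advance the gate state machine, then the level."""
    gate, level = state
    if gate in DELAY_TO:               # assumed: gate is moving, command ignored
        gate = DELAY_TO[gate]
    elif cmd in TARGET_OF and TARGET_OF[cmd] != gate:
        gate = "to_" + TARGET_OF[cmd]  # a command starts a one-tick delay state
    out = OUTFLOW.get(gate, 0) if level > GATE_HEIGHT else 0
    return gate, level + inflow - out

def verify(procedure, level0, inflows, target):
    """Property (1): does the fixed procedure bring level <= target within N ticks?
    Returns the first tick at which it holds, or None if it never does."""
    state = ("closed", level0)
    for tick, inflow in enumerate(inflows, start=1):
        cmd = procedure[tick - 1] if tick <= len(procedure) else None
        state = step(state, cmd, inflow)
        if state[1] <= target:
            return tick
    return None

def synthesize(level0, inflows, target):
    """Search for a counterexample to 'level stays above target for all N ticks'.
    BFS returns the shortest command sequence, i.e. an operational procedure."""
    queue, seen = deque([(("closed", level0), ())]), set()
    while queue:
        state, cmds = queue.popleft()
        if state[1] <= target:
            return list(cmds)
        if len(cmds) == len(inflows) or (state, len(cmds)) in seen:
            continue
        seen.add((state, len(cmds)))
        for cmd in (None, "open_i", "open_c", "close"):
            queue.append((step(state, cmd, inflows[len(cmds)]), cmds + (cmd,)))
    return None                        # the negated objective holds: no procedure

if __name__ == "__main__":
    rain = [1] * 8                     # constructed scenario: inflow per tick
    print(verify(["open_i"], 20, rain, 15), synthesize(20, rain, 15))
```

The exhaustive search over command sequences grows with the number of commands and the depth N, which mirrors the increase in analysis time reported for the two properties.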
5 Conclusions
In general, modeling the dam with SCADE has been feasible with a moderate effort,
showing that Lustre is a powerful language that allows the implementation of part of
these systems. However, since Lustre does not support non-deterministic behaviors,
other formal methods have to be used to introduce these behaviors in the model.
Verification of non-trivial properties may become infeasible if the system grows in complexity.
When the model includes real variables, analysis may return inconclusive results.
For this reason, integer inputs and outputs are used. Automatic synthesis of operational
procedures strongly depends on the user model, which is in fact the module that
implements the DSS functionality. Future work includes the construction of a graphical user
interface, suitable for dam operators. It should integrate different parts of a DSS, built
with different formal methods and technologies such as numerical modeling.
Acknowledgements
Authors would like to thank Agustín Merchán, Spanish expert in dams, for his help.
References
1. SCADE Language Reference Manual. http://www.esterel-technologies.com.
2. Ferrari-Trecate, G., Mignone, D., Castagnoli, D., and Morari, M.: Mixed Logic Dynamical
Model of a Hydroelectric Power Plant. In ADPM'2000.
3. Frehse, G.: PHAVer: Algorithmic Verification of Hybrid Systems Past HyTech. In HSCC'05.
4. Glanzmann, G., von Siebenthal, M., Geyer, T., Papafotiou, G., and Morari, M.:
Supervisory Water Level Control for Cascaded River Power Plants. In Int. Conf. on Hydropower,
Stavanger, Norway, 2005.
5. Jessen, J.J., Rasmussen, J.I., Larsen, K.G., and David, A.: Guided Controller Synthesis for
Climate Controller Using UPPAAL Tiga. In FORMATS, 2007.
6. Rajasekaram, V., and Nandalal, K.D.W.: Decision support system for reservoir water
management conflict resolution. Journal of Water Resources Planning and Management, 2005.
7. Romero, R., Linares, A., García, E., and López, L.: Reservoir management in real time flood
forecasting and decision support in the Ebro river basin. In ACTIF/FloodMan/FloodRelief,
2005.
8. Torrisi, F., and Bemporad, A.: HYSDEL - A tool for generating computational hybrid models
for analysis and synthesis problems. IEEE Trans. on Control Systems Technology, 2004.