Post on 19-Dec-2015
Robust Hybrid and Embedded Systems Design
Jerry Ding, Jeremy Gillula, Haomiao Huang, Michael Vitus, and Claire Tomlin
MURI Review Meeting
Frameworks and Tools for High-Confidence Design of Adaptive, Distributed Embedded Control Systems
Berkeley, CA
December 2, 2009
2
Hybrid System Model
3
Backwards Reachable Set
All states for which, for all possible control actions, there is a disturbance action which can drive the system state into a region G(0) in time t
Reachability as game: disturbance attempts to force system into unsafe region, control attempts to stay safe
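The definition above, carried out on a small finite system as an added example (not from the slides, and not ToolboxLS code). It uses a constructed sampled, quantized double integrator with integer position p and velocity v, where G(0) is ground contact p = 0; the grid bounds and the control and disturbance sets are assumptions chosen for illustration.

```python
from itertools import product

# Constructed toy system (an assumption, not from the slides): a sampled,
# quantized double integrator. State (p, v) = integer position and velocity.
P_MAX, V_MAX = 12, 4
CONTROLS = (-2, -1, 0, 1, 2)      # quantized control actions u
DISTURBANCES = (-1, 0, 1)         # bounded disturbance actions d
STATES = set(product(range(P_MAX + 1), range(-V_MAX, V_MAX + 1)))

def step(state, u, d):
    """One sample period: p' = p + v, v' = v + u + d, saturated to the grid."""
    p, v = state
    p_next = min(max(p + v, 0), P_MAX)
    v_next = min(max(v + u + d, -V_MAX), V_MAX)
    return (p_next, v_next)

def predecessor(target):
    """States where, for every u, some d drives the next state into target."""
    return {x for x in STATES
            if all(any(step(x, u, d) in target for d in DISTURBANCES)
                   for u in CONTROLS)}

def backward_reachable_set(g0, horizon=None):
    """Grow G(0) backwards in time; horizon=None iterates to the fixed point."""
    reach, k = set(g0), 0
    while horizon is None or k < horizon:
        grown = reach | predecessor(reach)
        if grown == reach:        # nothing new: infinite-horizon set reached
            break
        reach, k = grown, k + 1
    return reach

# Unsafe region G(0): contact with the ground at p = 0.
G0 = {(p, v) for (p, v) in STATES if p == 0}
UNSAFE_INF = backward_reachable_set(G0)

def safe_controls(state):
    """Controls that keep the successor outside UNSAFE_INF for every d."""
    return [u for u in CONTROLS
            if all(step(state, u, d) not in UNSAFE_INF for d in DISTURBANCES)]
```

At the state (4, -2), which borders the unsafe set, `safe_controls` leaves only the maximum control; one cell lower, at (3, -2), it returns no control at all.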
4
Reachable Set Propagation
[Mitchell, Bayen, Tomlin 2005]
Theorem [Computing ]:
where is the unique Crandall-Evans-Lions viscosity solution to:
5
Backwards Reachable Set: Safety
[Figure: unsafe set and its Backwards Reachable Set]
In red, system may become unsafe
On boundary, apply control to stay out of red
In blue, system will stay safe
Safety Property can be encoded as a condition on the system’s reachable set of states
6
Computation
Ian Mitchell’s level set computational toolbox for Matlab
available at: http://www.cs.ubc.ca/~mitchell/ToolboxLS/
• Used for a variety of applications
• Handles 3 dimensions easily, up to 5 tractably
• Library of level set functions
[Figure labels: inertial frame, wind frame, body frame]
7
Backwards Reachable Set: Capture
[Figure: desired set and its Backwards Reachable Set]
Capture property can also be encoded as a condition on the system’s reachable set of states
8
Maneuver Sequencing Using Reachable Sets
Maneuver sequencing is accomplished by stringing together capture sets, starting from the target set and working backwards
Avoid sets can be combined with capture sets to guarantee safety
[Figure labels: Target Set, Unsafe Set]
9
Experimental Platform: STARMAC
The Stanford Testbed of Autonomous Rotorcraft for Multi-Agent Control
10
Example: Collision Avoidance
Pilots instructed to attempt to collide vehicles
[Gabe Hoffmann]
11
Example: Quadrotor Back-Flip
Divide flip into three modes: Impulse, Drift, Recovery
Difficult problem: Hitting some target sets while avoiding some unsafe sets
Solution: Analyze rotational dynamics and vertical dynamics separately
12
Back-flip: Method (1)
[Figure labels: Recovery, Drift, Impulse]
Identify target region in rotational state space for each mode
Use reachable sets to calculate capture basin for each target
Dynamic game formulation accounts for worst-case disturbances
Verify that target of each mode is contained by capture basin of next mode
13
Back-flip: Method (2)
Identify unsafe region in vertical state space for final mode
Use reachable sets to propagate unsafe set for each mode
Dynamic game formulation accounts for worst-case disturbances
Verify that control keeps state out of unsafe set
14
Assumptions and Dynamics
Assumptions:
• 2D flip
• Linear drag
System Dynamics:
15
Back-Flip: Recovery Mode
Controller:
Target set:
Calculate reachable sets using closed-loop dynamics and worst-case disturbances
16
Back-Flip: Drift Mode
No control input
Target set:
Calculate reachable sets using closed-loop dynamics and worst-case disturbances
But what if motors don’t turn off instantly?
17
Back-Flip: Motor Turn Off (1)
Model motor turn off as linear decay in angular acceleration
Linear regression to get parameters:
[Figure: Angular Acceleration (rad/sec^2) vs. Time (sec); series: Measured 1, Measured 2, Predicted 1, Predicted 2]
[Figure: Drift Maneuver, Angular rate (rad/s) vs. Time (seconds)]
18
Back-Flip: Motor Turn Off (2)
Calculate forward reachable set for the motors turning off
[Figure labels: 2D Projection, Convex Hull]
19
Back-Flip: Drift Mode & Motor Turn Off
Target set:
Calculate motor turn off set
Ensure motor turn off set is contained in drift set
20
Back-Flip: Impulse Mode
Controller:
Target set:
Calculate reachable sets using closed-loop dynamics and worst-case disturbances
21
Back-Flip: Vertical Conditions
Drift Mode:
Dynamics:
Decouples as 3 independent 2D systems
Use reachable sets to calculate unsafe starting conditions
Impulse Mode:
Assume no loss of altitude during impulse
22
Back-Flip: Results
23
Back-Flip: Results
24
Back-Flip: Results
Assumptions Validated
Safety Guaranteed
Reachability Demonstrated
[Figure: Pitch vs Time; Pitch (degrees) vs. time (seconds); phases: Ground, Climb, Impulse, Drift, Recovery]
25
Reachability with sampling and quantization
In many embedded control applications, use digital controller to control continuous dynamics
Safety and capture results available in discrete and continuous domain
Problem becomes more difficult at interface:
Continuous behavior:
• Continuous state evolution
Discrete behavior:
• Mode switching
• Sampling, quantization
26
Continuous Time Verification Methods
Problems:
• How to implement the safe continuous time control law in a digital controller?
• Does the discretized control law still ensure safety?
Issues:
• Sampling
• Quantization
• Switched mode control
27
Infinite Horizon Unsafe Set: Comparisons
Unsafe Initial Condition
∞ Horizon Unsafe Set without quantization and sampling
∞ Horizon Unsafe Set with quantization and sampling
28
Reach-avoid Set for Two Mode System
Time horizon N = 12 (2 minutes)
Reach-avoid Set Over 2 min
Infinite Horizon Unsafe Set
Desired Target Set
29
Next steps
Transitions with state dependent guards at sampling instants
Considerations for partial state information
Overapproximation methods for continuous time reachable sets
Parametrization of reachable sets by quantized control values
Methods for robust optimal control
31
Back-Flip: Vertical Conditions (1)
Initial unsafe set:
Recovery Mode:
Dynamics:
Assume nominal trajectory
Calculate the constrained reachable set within the nominal trajectory