Set-Based Adaptive Safety Control

1 Set-Based Adapti v e Safety Control Prithvi Akella, Sean Anderson, Da vid Lov ell Abstract —Feedback Control Systems, ME C134/EE C128, is an introductory contr ol systems course at UC Berkeley . Over the entire course, students gain practical experience by implementing various control schemes and designing observers in an effort to ultimately stabilize an in verted pendulum on a linear track. Throughout this learning process, frequent mishaps occur where improper contr oller implementation damages hardwar e. A simple example concerns the student’ s controller driving the cart into the wall at full speed. T o offset the financial b urden placed on the university in light of these mishaps, we designed a str eamlined adaptive control system using set theory . W e utilized lab-provided plant models to generate an O ∞ set, attenuated the vertices to generate a safe, sub-region S ∞ , and attenuated in such a manner as to ensure an evolution of the vertices of S ∞ remained within O ∞ for at least one time step. Afterwards, we constructed a single Simulink block for students to easily implement within their own control schemes. This block consistently checks to see whether the system state remains within S ∞ . If that check is true, our controller does nothing. If it returns false, our controller takes o ver , drives the system to a pr escribed safe-point, and shuts the system down. Overall, our process assumes perfect plant modelling, though our insistence on an ev olution of S ∞ remaining within O ∞ resulted in considerable rob ustness to disturbances. In the end we were successful in implementing this real-time adaptive system and will provide it to the department for use in future labs. V ideo Link: https://drive.google.com/file/d/1kPw5FTVs3hOcy yhZ8gXrCNN5lqBWi0v/view?usp=sharing I . I N T RO D U C T I O N In an introductory controls class at Berkele y , students at- tempt to stabilize an in verted pendulum on a linear track [1]. Often, students implement unstable or otherwise flawed controllers that cause a v ariety of issues. This can cause the cart to drive into one of the side-walls subsequently destroying hardware, or cause the system to act wildly posing a risk to the students. Damage to this commercial lab equipment represents a non-tri vial financial cost to the uni versity , and injuries to students are unacceptable. T o mitigate these issues, we created an adapti ve control scheme that monitors and o verrides the student’ s controller in the e vent of unsafe actions. In that ef fort, we note that the action of the cart running into the wall can be extrapolated from system dynamics. That is to say , gi ven a specific braking scheme, we can use set theory to identify all possible states for which the aforementioned scheme can feasibly prevent unsafe actions. Since the actuation of the system occurs from a single motor v oltage input that directly controls the position of the cart on the track, it sufficient to only check if the cart position leaves a region defined as safe. Provided that region is a subset of the larger , calculated region, our controller will still function to bring the system back to a predefined safe point. I I . B A C K G RO U N D I N F O R M A T I O N A. Stable Contr oller Development T o clarify , O ∞ is a positiv e in variant set defined as follows [2]: ∀ x (0) ∈ O x ( t ) ∈ O ∀ t ∈ [0 , ∞ ] | x ( k + 1) = f ( x ( k )) . Note that f ( ... ) in the above equation represents the linearized ev olutionary scheme we de veloped by Euler-discretization of a lab-developed transfer function. More specifically , for y ( n ) + α 1 y ( n − 1) + ... = u ( p ) + β 1 u ( p − 1) + ..., y k +1 = y k + ∆ t ˙ y ( k ) ˙ y k +1 = ˙ y k + ∆ t ¨ y ( k ) .... The successive Euler-discretization steps can be reformatted into a matrix equation as y k +1 = Ay k + B u k = f ( x k , u k ) . Note that the y k +1 in the above equation corresponds to a vector whose elements are y k , ˙ y k , and so forth. Howe ver , O’ s functional dependence is only restricted to functions of x. T o remedy that, we dev elop a specific, stable controller such that each u k = − K x k . Stability in the discrete scenario implies that the closed-loop ev olution, A − B K decays to 0 after multiple iterations. That is, ( A − B K ) N → 0 as N → ∞ . It is also critical to mention that the aforementioned sta- bility implies that the poles of the Closed Loop System, A cl = A − B K all lie within the unit circle on the imaginary plane. M AT LAB emplo ys that last criteria to generate stable controllers through the place function as shown below: K = place(A,B,[p_1,p_2,...]). Note that each of the p i correspond to the a pole location for the closed-loop system. Choosing each | p i | < 1 identifies a stable controller as per our definitions earlier . B. Calculation of O ∞ O ∞ is found through a recursi ve process detailed below: O = X; numiterations = 500; for i = 1:numiterations Pre_O = Pre(O); if Pre_O.intersect(O) == O Oinf = O; break ; else O = Pre_O.intersect(O); 2 end end T o clarify , the initial line setting O = X concerns initializing the inv ariant set to be the initial, inv ariant, state-constraint set, X . As a result, intersecting the set each iteration ensures that the resulting O ∞ ∈ X . Furthermore, the P r e operation is defined as follo ws: P re ( G ) = S = { x | y = f ( x ) ∀ y ∈ G } . Note that G is some predefined set, and for our purposes, f ( ... ) is the closed-loop ev olutionary scheme we dev eloped with K . The number of iterations is limited to pre vent against infinite loop calculations. It is important to qualify that both of the aforementioned processes, generating K and calculating O ∞ are model-specific processes. As such, this process as stated, assumes a perfect model with no noise or disturbances. T o protect our process against faults in those assumptions, we implement a set attenuation and boundary evolution process detailed in the following implementation section. I I I . I M P L E M E N T A T I O N A. Set Gener ation For our specific system, our continuous time matrices were, A =  0 1 0 − 7 . 2  B =  0 1 . 6  , which, gi ven a sample time of 0.002 seconds, transformed to the following discrete time matrices: A =  1 ∆ t 0 1 − 7 . 2∆ t  B =  0 1 . 6∆ t  . Afterwards, we placed our desired closed loop poles at λ 1 = 0 . 99 and λ 2 = 0 . 985 , which generated the follo wing K controller: K = [ 23 . 3 3 . 3 ] In addition, our only state constraints concerned the position limitations on the cart, while the velocity could feasibly be any real-value. In reality , the physical constraints, predefined ev olution, and specific controller should limit velocity , but we had no constraints a priori. Noting that, our initial X set was defined as, X = { x | − 0 . 4 < = x (1) < = 0 . 4 ∀ x (2) ∈ R } . After following the aforementioned process to create O ∞ we decided that the two main limitations inherent to our system could be addressed by implementing a buf fer region. Namely , this system is only valid with respect to our specific plant model, and that we could not use the calculated O ∞ as a boundary for the prescribed safe zone. The second limitation arises if you consider an event where the system state left O ∞ . In this ev ent, no controller would be able to control the system back to a safe region, as the state is already outside its region of attraction. T o remedy both, the vertices of O ∞ were found and scaled down to create S ∞ . This set represents the the set of states that if violated gi ve adequate response time for the system to be prevented from exiting O ∞ . The entire system can be distributed to the students as a single Simulink sub-system block which is placed in the feedback loop between the student’ s controller and the input to the plant. The simplicity of this application is shown in Figure 1. The inputs and outputs to the subsystem are labeled for ease of use. Fig. 1. The background controller can easily be incorporated into the Simulink model by the student. The contents of the sub-system is sho wn in Figure 2. It contains two MA TLAB function blocks, a variable switch, and a switch logic block. The function, bound 2 D , which can be found in the appendix, implements the real time monitoring of the system and produces a flag if the system will violate constraints. If a flag is thrown, the switch logic prevents the student’ s input from feeding to the motor and instead feeds the signal through the f or estf ir es function block to driv e the system to the defined zero point. The adaptiv e switch subsystem counts the number of flags and terminates the Simulink model at a defined time. If there is no flag, the student’ s input is passed through after being saturated to prev ent damage to the physical system from large inputs. Fig. 2. The subsystem implementing the background controller mainly consists of two user-defined functions. B. Robustness Measures T o ensure that our controller would always bring the cart back to a safe region and that our system was relati vely robust to model errors, noise, and disturbances, we attenuated O ∞ by scaling the vertices of the set by a scalar less than 1. In doing so, we generated a subset of O ∞ , S ∞ while ensuring that the ev olution of ev ery vertex of S ∞ , with respect 3 to the worst possible input for that state, remained within O ∞ . This method created a ”gray-zone” that is the difference between the sets. This gray-zone represents combinations of states that are outside of the predefined ”safe” region, but still remain controllable. The process that was used to dev elop the gray-zone, e volving the boundary with the w orst case input, provided the largest possible buffer region that simultaneously did not overly limit the working space along the track. If the working space on the track was too sev erely limited, it would effect the student’ s ability to conduct lab exercises. This gray- zone hedges against disturbances and modelling errors insofar as it provides the largest area to ”catch” errors of the kind that would cause a danger to the lab equipment or students. In addition, this process resulted in a system so robust that when the result of the 2D (cart-only) system was tested on the 4D (cart-and-pendulum) system, it proved to be sufficient. I V . R E S U LT S The outlined process work ed across all testing scenarios without failure. S ∞ sets were calculated for both the 2D and 4D systems, ho wev er , the 4D process restricted the usable track length too sev erely . Rather than construct a different method for the monitoring of the 4D system, the 2D system was tested to determine its effecti veness. These tests prov ed that the 2D system was fully capable of monitoring and overriding the 4D system. A characteristic test result of the 2D system acting on both systems are shown in Figure 3. Fig. 3. The upper image depicts O ∞ , S ∞ , and the trace of one instance of the 2-D system with S ∞ violation. The lower image uses the same set but the trace is for the cart-pendulum self-erecting scenario. In Figure 3, S ∞ is identified as the green area, with O ∞ as the larger gray area. The difference in areas, the ’grey- zone’, is the set of states that violate the constraints of S ∞ , but remain within O ∞ . This ’grey-zone’ gi ves the o verride controller sufficient time to physically stop the system from violating O ∞ by driving the cart away from the wall. In the top image of Figure 3, the 2D system is shown. The red line indicates the state trajectory of the cart during a step input which places it at the boundary of S ∞ . At this point, a disturbance is applied to the cart which causes the system to lea ve S ∞ . The monitoring system identifies this violation and initiates the ov erride controller to bring the cart back to the defined zero point. Note that this prov es an instance of our controller’ s robustness to disturbances. Even though the disturbance that caused the violation was not factored into our set calculation, our controller still acted properly in the ev ent of the failure and brought the system to safety . Additionally , the lower image of Figure 3, exhibits a char- acteristic response of the 2D monitoring and override system acting on the cart with the pendulum added. In this scenario the pendulum started at rest in the vertically do wn position. The axes of this plot are the position and v elocity of the cart, as such, the trajectory of states for the pendulum are not shown. As the student’ s control system initiates a pumping sequence, the position and velocity of the cart oscillate from positiv e to negati ve until the pendulum is erected and stabilized near the left boundary of the track. This process verifies that S ∞ does not overly restrict our av ailable region. That is, there is more than sufficient track length for the pendulum to be erected and balanced. After the cart stabilized the pendulum, a disturbance was applied to the pendulum. The cart then acted to attempt to regain balance of the pendulum and in the process the S ∞ set was violated. Again, it is interesting to note that the disturbance to the pendulum was responsible for the violation of S ∞ , but was not considered in the calculation. Still, the override system responded correctly to prevent the cart from colliding with the wall. In this w ay , the addition of the pendulum to the 2D system can be interpreted simply as a disturbance. This disturbance can cause the cart to violate S ∞ , which the monitoring system then identifies causing the override system to respond. Also of note is that the unpredictable inertia of the swinging pendulum does not prev ent the override system from recovering the cart before a violation of O ∞ occurs. This further proves the robustness of our system. V . C O N C L U S I O N W e successfully created a simple Simulink block that mon- itors and o verrides a student’ s controller in the e vent of a hardware failure or safety concern. The application of set theory provided a means to accurately determine the safe operating length of the track. The resulting matrices allowed for real-time identification of state violations e ven with a controller operating in millisecond sample periods. This system also proved to be robust to the extent that a high degree of modifications to the mass and inertia of the plant were successfully tolerated. 4 V I . A P P E N D I C E S A. Main Code % Kd = 8.56; % Kp = 65.6; % K = [Kp Kd]; clc close all dt = .002; Adt = [1 dt; 0 1-7.197 * dt]; Bdt = [0; 1.606 * dt]; K = place(Adt,Bdt,[0.99 0.985]); scale = .95; disp (K); Acl = Adt - Bdt * K; nu = size (Bdt,2); xl = [-.4, - Inf ]; xu = [.4, Inf ]; ul = -6; uu = 6; % find Oinf for discrete controlled system X = Polyhedron( ’lb’ ,xl, ’ub’ ,xu); U = Polyhedron( ’lb’ ,ul, ’ub’ ,uu); S = X.intersect(Polyhedron( ’H’ ,[-U.H(:,1:nu) * K U.H(:,nu+1)])); S = X; Oinf = max_pos_inv(Acl,S); % plot Oinf and a scaled version (based on vertices) figure ; plot (Oinf, ’color’ , ’red’ , ’alpha’ ,.5); hold on; plot (S, ’color’ , ’blue’ , ’alpha’ ,0.5); vertices = Oinf.V; numVert = Oinf.minHRep(); scaled_vertices = vertices * scale; figure (2); hold on; O2 = Polyhedron( ’V’ ,scaled_vertices); plot (Oinf, ’color’ , ’black’ , ’alpha’ ,0.3); plot (O2, ’color’ , ’green’ , ’alpha’ ,.6); xlabel ( ’Position (m)’ ); ylabel ( ’Velocity (m/s)’ ); legend ( ’O_{\infty}’ , ’Safe region’ ); title ( ’O_{\infty} and safe set for stable controller’ ); % step system forward one step with worst case scenario % worst case scenario is taken to be full acceleration pairs = size (scaled_vertices,1); H = Oinf.H; Aconst = H(:,1: end -1); Bconst = H(:, end ); count = 0; for i = 1:pairs x_now = scaled_vertices(i,:)’; x_dir = sign (x_now(1)); x_next = Adt * x_now + Bdt * (x_dir * 6); FLAG = all (Aconst * x_next <= Bconst); count = count + double(FLAG); end disp (count == pairs); s = O2.H; Aconstr = s(:,1: end -1); Bconstr = s(:, end ); save ( ’allowable_states_4d.mat’ , ’Aconstr’ , ’Bconstr’ , ’Oin f’ , ’O2’ ); B. bounds2D function [ flag ,V_sat] = bounds2D(xk,vk,... uk, Aconst, Bconst) % Goals: % a) Compute the evolution of the states based on intended input % b) Verify that I don’t violate my state constraints % c) if I don’t... do absolutely nothing % d) If I do, flag the system to stop %%%%%%%%%%%%% % Saturate input so that the model predicts accurately %%%%%%%%%%%%% max_lim = min (6, max (4,10 * vk+5)); min_lim = min (-4, max (-6,10 * vk-5)); % Dynamic Saturations V_sat = max (min_lim,uk); V_sat = min (max_lim,V_sat); %%%%%%%%%%%%% % Create state vector for S_inf violation calculation %%%%%%%%%%%%% x_now = [xk; vk]; %%%%%%%%%%%%% % Check to see if a violation will occur %%%%%%%%%%%%% flag = ˜ all (Aconst * x_now<= Bconst); % Note that if the above flag is true, that means the evolved state will % violate constraints. If no violation occurs flag = 0. end C. for estfir es function V_sat = forestfires(xk,vk) % This code acts as an override controller to drive the cart away from the % wall to the defined zero point. %%%%% % set responsive gains for fast action %%%%% K = [23.3499 3.3020]; 5 %%%%% % identify state vector %%%%% statek = [xk;vk]; %%%%% % state control law %%%%% uk = -K * statek; %%%%% % saturate input to prevent damage to physical system %%%%% max_lim = min (6, max (4,10 * vk+5)); min_lim = min (-4, max (-6,10 * vk-5)); % Dynamic Saturations V_sat = max (min_lim,uk); V_sat = min (max_lim,V_sat); end A C K N O W L E D G M E N T P re function and set theory were sourced from ME C231A- EECS C220B, UC Berkeley , Fall 2017 course material. System dynamics, gains, and state matrices for the lab hardware were sourced from ME C134-EECS C128, UC Berkeley , Fall 2017 course material. R E F E R E N C E S [1] Staff ME C134/ EECS 128. ”Lab 6d: Self-erecting inv erted pendulum (seip), mec134/ eecs c128, April 2017. [2] F . Borrelli, Lecture notes: Model predictive control reachability and in variance, eecs c220b/me c231a, November 2017.