Set-Based Adaptive Safety Control
Prithvi Akella, Sean Anderson, David Lovell

TL;DR
This paper presents a set-theoretic adaptive safety control system for educational control labs that prevents hardware damage by ensuring system states remain within safe regions, with real-time switching to a safe mode if needed.
Contribution
We designed a set-based adaptive safety control method integrated into Simulink for educational use, enhancing hardware safety during control system experiments.
Findings
Successfully implemented real-time adaptive safety control
Ensured system states remain within safe regions
Provided a reusable safety control block for labs
Abstract
Feedback Control Systems, ME C134/EE C128, is an introductory control systems course at UC Berkeley. Over the entire course, students gain practical experience by implementing various control schemes and designing observers in an effort to ultimately stabilize an inverted pendulum on a linear track. Throughout this learning process, frequent mishaps occur where improper controller implementation damages hardware. A simple example concerns the student’s controller driving the cart into the wall at full speed. To offset the financial burden placed on the university in light of these mishaps, we designed a streamlined adaptive control system using set theory. We utilized lab-provided plant models to generate an set, attenuated the vertices to generate a safe, sub-region , and attenuated in such a manner as to ensure an evolution of the vertices of remained within for at least one time step. Afterwards, we constructed a single Simulink block for students to easily implement within their own control schemes. This block consistently checks to see whether the system state remains within . If that check is true, our controller does nothing. If it returns false, our controller takes over, drives the system to a prescribed safe-point, and shuts the system down. Overall, our process assumes perfect plant modelling, though our insistence on an evolution of remaining within resulted in considerable robustness to disturbances. In the end we were successful in implementing this real-time adaptive system and will provide it to the department for use in future labs.
Video Link: https://drive.google.com/file/d/1kPw5FTVs3hOcy_yhZ8gXrCNN5lqBWi0v/view?usp=sharing
I Introduction
In an introductory controls class at Berkeley, students attempt to stabilize an inverted pendulum on a linear track [1]. Often, students implement unstable or otherwise flawed controllers that cause a variety of issues. This can cause the cart to drive into one of the side walls, destroying hardware, or cause the system to act wildly, posing a risk to the students. Damage to this commercial lab equipment represents a non-trivial financial cost to the university, and injuries to students are unacceptable. To mitigate these issues, we created an adaptive control scheme that monitors and overrides the student’s controller in the event of unsafe actions. In that effort, we note that the event of the cart running into the wall can be extrapolated from the system dynamics. That is to say, given a specific braking scheme, we can use set theory to identify all states from which that scheme can feasibly prevent unsafe actions. Since the actuation of the system occurs through a single motor voltage input that directly controls the position of the cart on the track, it is sufficient to check only whether the cart position leaves a region defined as safe. Provided that region is a subset of the larger, calculated region, our controller will still function to bring the system back to a predefined safe point.
II Background Information
II-A Stable Controller Development
To clarify, is a positive invariant set defined as follows [2]:
[TABLE]
Note that in the above equation represents the linearized evolutionary scheme we developed by Euler-discretization of a lab-developed transfer function. More specifically, for
[TABLE]
The successive Euler-discretization steps can be reformatted into a matrix equation as
[TABLE]
Note that the in the above equation corresponds to a vector whose elements are , , and so forth. However, the functional dependence of O is restricted to functions of x. To remedy that, we develop a specific, stable controller such that each . Stability in the discrete-time scenario implies that the closed-loop evolution decays to [math] after repeated iterations. That is,
[TABLE]
It is also critical to mention that the aforementioned stability implies that the poles of the closed-loop system all lie within the unit circle in the complex plane. employs that last criterion to generate stable controllers through the place function as shown below:
K = place(A,B,[p_1,p_2,...])
Note that each of the corresponds to a pole location for the closed-loop system. Choosing each identifies a stable controller as per our earlier definitions.
II-B Calculation of
is found through a recursive process detailed below:
O = X;                           % start from the state-constraint set X
numiterations = 500;             % cap on iterations (guards against an infinite loop)
for i = 1:numiterations
    Pre_O = Pre(O);              % states that the closed-loop map sends into O
    if Pre_O.intersect(O) == O   % O is already a subset of Pre(O): fixed point reached
        Oinf = O;
        break;
    else
        O = Pre_O.intersect(O);  % keep only the states of O that also land in O next step
    end
end
To clarify, the first line initializes the invariant set to the initial, invariant, state-constraint set . As a result, intersecting with the current set at each iteration ensures that the resulting . Furthermore, the operation is defined as follows:
[TABLE]
Note that is some predefined set, and for our purposes, is the closed-loop evolutionary scheme we developed with . The number of iterations is limited to guard against infinite loops. It is important to qualify that both of the aforementioned processes, generating and calculating , are model-specific. As such, this process, as stated, assumes a perfect model with no noise or disturbances. To protect our process against faults in those assumptions, we implement a set attenuation and boundary evolution process detailed in the following implementation section.
III Implementation
III-A Set Generation
For our specific system, our continuous time matrices were,
[TABLE]
which, given a sample time of 0.002 seconds, transformed to the following discrete time matrices:
[TABLE]
Afterwards, we placed our desired closed loop poles at and , which generated the following K controller:
[TABLE]
In addition, our only state constraints concerned the position limitations on the cart, while the velocity could feasibly be any real-value. In reality, the physical constraints, predefined evolution, and specific controller should limit velocity, but we had no constraints a priori. Noting that, our initial set was defined as,
[TABLE]
After following the aforementioned process to create , we decided that the two main limitations inherent to our system could be addressed by implementing a buffer region. Namely, this system is only valid with respect to our specific plant model, and we could not use the calculated as the boundary of the prescribed safe zone. The second limitation arises if you consider an event where the system state leaves . In this event, no controller would be able to bring the system back to a safe region, as the state is already outside its region of attraction. To remedy both, the vertices of were found and scaled down to create . This set represents the set of states that, if violated, give adequate response time for the system to be prevented from exiting .
The entire system can be distributed to the students as a single Simulink sub-system block which is placed in the feedback loop between the student’s controller and the input to the plant. The simplicity of this application is shown in Figure 1. The inputs and outputs to the subsystem are labeled for ease of use.
The contents of the sub-system are shown in Figure 2. It contains two MATLAB function blocks, a variable switch, and a switch-logic block. The function , which can be found in the appendix, implements the real-time monitoring of the system and raises a flag if the system is about to violate the constraints. If a flag is raised, the switch logic prevents the student’s input from feeding to the motor and instead feeds the signal through the function block to drive the system to the defined zero point. The adaptive switch subsystem counts the number of flags and terminates the Simulink model at a defined time. If there is no flag, the student’s input is passed through after being saturated to prevent damage to the physical system from large inputs.
III-B Robustness Measures
To ensure that our controller would always bring the cart back to a safe region and that our system was relatively robust to model errors, noise, and disturbances, we attenuated by scaling the vertices of the set by a scalar less than 1. In doing so, we generated a subset of , while ensuring that the evolution of every vertex of , with respect to the worst possible input for that state, remained within . This method created a "gray-zone" that is the difference between the two sets. This gray-zone represents combinations of states that are outside of the predefined "safe" region but still remain controllable. The process used to develop the gray-zone, evolving the boundary with the worst-case input, provided the largest possible buffer region that simultaneously did not overly limit the working space along the track. If the working space on the track were too severely limited, it would affect the student’s ability to conduct lab exercises. This gray-zone hedges against disturbances and modelling errors insofar as it provides the largest area to "catch" errors of the kind that would cause a danger to the lab equipment or students. In addition, this process resulted in a system so robust that when the result of the 2D (cart-only) system was tested on the 4D (cart-and-pendulum) system, it proved to be sufficient.
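The recursive computation of Section II-B together with the vertex attenuation and worst-case one-step check of Section III-B, as an added example in Python that is not the paper's code. It assumes a constructed 2D cart model (an Euler-discretised double integrator with the input taken as cart acceleration, at the paper's 0.002 s sample time), constructed poles, a constructed 0.3 m track limit, an added velocity bound so that the initial set is bounded, and an assumed saturation limit umax; the set operations are written out on the H-representation instead of calling the Pre and intersect methods used above, and the scaling factor is searched for rather than chosen by hand.

```python
# Added example, not the paper's code. State x = (position, velocity) of the cart; the plant is
# an Euler-discretised double integrator (u = acceleration) at the paper's 0.002 s sample time.
TS = 0.002
X_H = [(1.0, 0.0), (-1.0, 0.0), (0.0, 1.0), (0.0, -1.0)]  # X = {x : H x <= h}; |pos| <= 0.3 m
X_h = [0.3, 0.3, 3.0, 3.0]                               # |vel| <= 3 m/s (bound added so X is bounded)

def place2(p1, p2, ts=TS):  # gains K = (k1, k2) placing the poles of A - B K at p1, p2
    return ((1 - p1) * (1 - p2) / ts ** 2, (2 - p1 - p2) / ts)

def closed_loop(K, ts=TS):  # rows of Acl = A - B K with A = [[1, ts], [0, 1]], B = [[0], [ts]]
    return ((1.0, ts), (-ts * K[0], 1.0 - ts * K[1]))

def in_set(H, h, x, alpha=1.0, tol=1e-9):  # monitor check: x in alpha*O (origin interior, so h scales)
    return all(a * x[0] + b * x[1] <= alpha * c + tol for (a, b), c in zip(H, h))

def vertices(H, h, tol=1e-9):  # vertices of a bounded 2-D polytope: feasible pairwise intersections
    V = []
    for i in range(len(H)):
        for j in range(i + 1, len(H)):
            (a1, b1), (a2, b2) = H[i], H[j]
            det = a1 * b2 - a2 * b1
            if abs(det) > tol:
                v = ((h[i] * b2 - h[j] * b1) / det, (a1 * h[j] - a2 * h[i]) / det)
                if in_set(H, h, v, 1.0, tol):
                    V.append(v)
    return V

def pre(H, h, Acl):  # Pre(O) under the closed loop x+ = Acl x, i.e. {x : H Acl x <= h}
    (a11, a12), (a21, a22) = Acl
    return [(a * a11 + b * a21, a * a12 + b * a22) for a, b in H], list(h)

def max_invariant_set(H, h, Acl, max_iter=500):  # the paper's loop: O <- O ∩ Pre(O) until O ⊆ Pre(O)
    for k in range(max_iter):
        V = vertices(H, h)
        keep = [i for i, ((a, b), c) in enumerate(zip(H, h))      # drop rows not tight at any vertex
                if any(abs(a * x + b * y - c) <= 1e-9 for x, y in V)]
        H, h = [H[i] for i in keep], [h[i] for i in keep]
        Hp, hp = pre(H, h, Acl)
        if all(in_set(Hp, hp, v) for v in V):                     # O ⊆ Pre(O): O_inf reached
            return H, h, V, k
        H, h = H + Hp, h + hp                                     # intersection = stacked rows
    raise RuntimeError("O_inf did not converge within max_iter")

def worst_case_safe(V, alpha, H, h, umax, ts=TS):  # each alpha*v must still lie in O_inf after one step with u = ±umax
    return all(in_set(H, h, (alpha * (x + ts * y), alpha * y + ts * u))
               for x, y in V for u in (umax, -umax))

def largest_safe_scale(V, H, h, umax):  # attenuate until the check holds; O_inf minus alpha*O_inf is the gray zone
    return next((i / 100 for i in range(99, 0, -1) if worst_case_safe(V, i / 100, H, h, umax)), 0.0)
```

Calling max_invariant_set(X_H, X_h, closed_loop(place2(0.8, 0.9))) returns the H-representation and vertices of the invariant set, and in_set(H, h, x, alpha) is the per-sample check the monitoring block performs; a False result is the flag that hands control to the override.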
IV Results
The outlined process worked across all testing scenarios without failure. sets were calculated for both the 2D and 4D systems; however, the 4D process restricted the usable track length too severely. Rather than construct a different method for monitoring the 4D system, the 2D system was tested to determine its effectiveness. These tests proved that the 2D system was fully capable of monitoring and overriding the 4D system. A characteristic test result of the 2D system acting on both systems is shown in Figure 3.
In Figure 3, is identified as the green area, with as the larger gray area. The difference in areas, the "gray-zone", is the set of states that violate the constraints of but remain within . This gray-zone gives the override controller sufficient time to physically stop the system from violating by driving the cart away from the wall. In the top image of Figure 3, the 2D system is shown. The red line indicates the state trajectory of the cart during a step input which places it at the boundary of . At this point, a disturbance is applied to the cart which causes the system to leave . The monitoring system identifies this violation and initiates the override controller to bring the cart back to the defined zero point. Note that this demonstrates our controller’s robustness to disturbances. Even though the disturbance that caused the violation was not factored into our set calculation, our controller still acted properly in the event of the failure and brought the system to safety.
Additionally, the lower image of Figure 3, exhibits a characteristic response of the 2D monitoring and override system acting on the cart with the pendulum added. In this scenario the pendulum started at rest in the vertically down position. The axes of this plot are the position and velocity of the cart, as such, the trajectory of states for the pendulum are not shown. As the student’s control system initiates a pumping sequence, the position and velocity of the cart oscillate from positive to negative until the pendulum is erected and stabilized near the left boundary of the track. This process verifies that does not overly restrict our available region. That is, there is more than sufficient track length for the pendulum to be erected and balanced.
After the cart stabilized the pendulum, a disturbance was applied to the pendulum. The cart then acted to attempt to regain balance of the pendulum and in the process the set was violated. Again, it is interesting to note that the disturbance to the pendulum was responsible for the violation of , but was not considered in the calculation. Still, the override system responded correctly to prevent the cart from colliding with the wall. In this way, the addition of the pendulum to the 2D system can be interpreted simply as a disturbance. This disturbance can cause the cart to violate , which the monitoring system then identifies causing the override system to respond. Also of note is that the unpredictable inertia of the swinging pendulum does not prevent the override system from recovering the cart before a violation of occurs. This further proves the robustness of our system.
V Conclusion
We successfully created a simple Simulink block that monitors and overrides a student’s controller in the event of a hardware failure or safety concern. The application of set theory provided a means to accurately determine the safe operating length of the track. The resulting matrices allowed for real-time identification of state violations even with a controller operating at millisecond sample periods. This system also proved to be robust to the extent that substantial modifications to the mass and inertia of the plant were successfully tolerated.
VI Appendices
VI-A Main Code
VI-B bounds2D
VI-C forestfires
Acknowledgment
function and set theory were sourced from ME C231A-EECS C220B, UC Berkeley, Fall 2017 course material.
System dynamics, gains, and state matrices for the lab hardware were sourced from ME C134-EECS C128, UC Berkeley, Fall 2017 course material.
[1] Staff, ME C134/EECS C128. "Lab 6d: Self-erecting inverted pendulum (SEIP), ME C134/EECS C128," April 2017.
[2] F. Borrelli, "Lecture notes: Model predictive control reachability and invariance, EECS C220B/ME C231A," November 2017.
