Walking with Confidence: Safety Regulation for Full Order Biped Models
Nils Smit-Anseeuw, C. David Remy, Ram Vasudevan

TL;DR
This paper presents a novel method combining sums-of-squares optimization and hybrid zero dynamics to generate safety guarantees for complex 10-dimensional walking robot models, enabling safer control strategies.
Contribution
It introduces a hybrid approach that applies sums-of-squares verification on a hybrid zero dynamics manifold for high-dimensional walking robots.
Findings
Generated a guaranteed safe set for a 10D walking robot model
Developed a safety-maintaining controller by adjusting manifold parameters
Demonstrated the approach on a bipedal Rabbit model
Abstract
Safety guarantees are valuable in the control of walking robots, as falling can be both dangerous and costly. Unfortunately, set-based tools for generating safety guarantees (such as sums-of-squares optimization) are typically restricted to simplified, low-dimensional models of walking robots. For more complex models, methods based on hybrid zero dynamics can ensure the local stability of a pre-specified limit cycle, but provide limited guarantees. This paper combines the benefits of both approaches by using sums-of-squares optimization on a hybrid zero dynamics manifold to generate a guaranteed safe set for a 10-dimensional walking robot model. Along with this set, this paper describes how to generate a controller that maintains safety by modifying the manifold parameters when on the edge of the safe set. The proposed approach, which is applied to a bipedal Rabbit model, provides a…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Walking with Confidence:
Safety Regulation for Full Order Biped Models
Nils Smit-Anseeuw1, C. David Remy2, and Ram Vasudevan1 Manuscript received: February, 24, 2019; Revised June, 4, 2019; Accepted July, 8, 2019.This paper was recommended for publication by Editor Nikos Tsagarakis upon evaluation of the Associate Editor and Reviewers’ comments. This work was supported by the National Science Foundation under Grant No. 1562612. Any opinion, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation.1Nils Smit-Anseeuw and Ram Vasudevan are with the Department of Mechanical Engineering at the University of Michigan, Ann Arbor [email protected], [email protected]2C. David Remy is with the Institute for Nonlinear Mechanicas at the University of Stuttgart [email protected] Object Identifier (DOI): see top of this page.
Abstract
Safety guarantees are valuable in the control of walking robots, as falling can be both dangerous and costly. Unfortunately, set-based tools for generating safety guarantees (such as sums-of-squares optimization) are typically restricted to simplified, low-dimensional models of walking robots. For more complex models, methods based on hybrid zero dynamics can ensure the local stability of a pre-specified limit cycle, but provide limited guarantees. This paper combines the benefits of both approaches by using sums-of-squares optimization on a hybrid zero dynamics manifold to generate a guaranteed safe set for a 10-dimensional walking robot model. Along with this set, this paper describes how to generate a controller that maintains safety by modifying the manifold parameters when on the edge of the safe set. The proposed approach, which is applied to a bipedal Rabbit model, provides a roadmap for applying sums-of-squares techniques to high dimensional systems. This opens the door for a broad set of tools that can generate flexible and safe controllers for complex walking robot models.
Index Terms:
Legged Robots; Robot Safety; Underactuated Robots
I Introduction
Avoiding falls is a safety critical and challenging task for legged robotic systems. This challenge is compounded by strong limits on the available actuation torques; particularly at the ankle or ground contact point. These limits in actuation mean that the motion of a legged robot is often dominated by its mechanical dynamics, which are hybrid, nonlinear, and unstable. A consequence of these limitations is that a controller might be required to take a safety preserving action well before the moment a failure occurs.
Consider, for example, a bipedal robot that just entered single stance during a fast walking gait. The robot is pivoting dynamically over the stance foot and can only apply limited ankle torques to control its motion. To catch the robot again, the swing foot needs to be brought forward rapidly and be placed well in front of the robot. If the forward velocity of the robot and hence the pivoting motion is too fast, there will not be enough time to complete this foot placement far enough in front of the stance leg to slow the robot down [1]. As a result, the robot’s speed increases further, leaving even less time for leg swing in the subsequent steps. The robot might manage to complete another couple of strides, but at this point a fall is inevitable and no control action can prevent it.
Knowing the limits of safe operation is akin to knowing the set of states from which falls, even in the distant future, can be avoided. Such knowledge is valuable for many reasons. Knowing that a fall is inevitable is useful in itself, as it allows a robot to brace for the imminent impact. Knowing the distance from the border of the safe set could allow a robot to estimate the set of impulses that can be withstood without failing. This would allow it to judge whether or not it can safely interact with the environment in a given situation; for example, to push a cart while walking.
Most importantly, this knowledge is valuable due to the flexibility it can create. Rather than stabilizing the robot motion along a specified trajectory, one could imagine controllers that are adaptive to adjust to the environment, to maximize performance, or to fulfill a secondary task such as pointing a sensor onto a target. Any of these secondary tasks can be pursued as long as the state of the robot is within the safe set.
In this context, a representation of the set of safe states enables the construction of a regulator that monitors the system state and takes safety preserving actions only when the robot is at risk of failure [4]. Such a regulator could guarantee safe operation, while allowing a secondary control system to behave flexibly as long as safety is not threatened.
Identifying such safety limits, however, is a challenging problem for nonlinear and hybrid systems. A promising tool for identifying the safety limits of a legged robotic system is sums-of-squares (SoS) optimization [3]. This approach uses semi-definite programming to identify the limits of safety in the state space of a system as well as associated controllers for a broad class of nonlinear [5, 6, 7] and hybrid systems [8, 9]. These safe sets can take the form of reachable sets (sets that can reach a known safe state) [10, 9, 5] or invariant sets (sets whose members can be controlled to remain in the set indefinitely) in state space [11, 8, 12]. However, the representation of each of these sets in state space severely restricts the size of the problem that can be tackled by these approaches.
To accommodate this limitation, sums-of-squares analysis has been primarily applied to reduced models of walking robots: ranging from spring mass models [13], to inverted pendulum models [10, 14] and to inverted pendulum models with an offset torso mass [12]. The substantial differences between these simple models and real robots causes difficulty when applying these results to hardware.
A contrasting approach to designing stable controllers for high dimensional, underactuated robot models uses hybrid zero dynamics (HZD) [15]. In this approach, feedback linearization is used to drive the actuated degrees of freedom of the robot towards a lower dimensional hybrid zero dynamics manifold. This manifold is specified as the zero levelset of a configuration-dependent output vector and represents the motion of the robot in its underactuated degrees of freedom.
Significant progress has been made in the generation of safety certificates for HZD controllers. Much of this work [16, 17, 18, 19, 20] relies on the Poincaré stability of a periodic limit cycle in order to generate safety guarantees. This reliance is restrictive, as it precludes behaviors that would leave the neighborhood of the limit cycle. Recent work has been done to extend the range of safe HZD behaviours beyond a single limit cycle neighborhood [21, 22, 23]. In [21] and [22], the controller is allowed to discretely switch between a family of periodic gaits. Safety is then ensured using a dwell time constraint that limits how frequently switching can occur. In [23], a combination of HZD and finite state abstraction is used to safely regulate forward speed of a fully-actuated bipedal robot in continuous time. Our approach shares similarities with these recent papers, but allows for continuous-time variation of behaviour (instead of discrete switching), and applies to underactuated robotic systems.
In this paper, we build on both of these broad approaches to safety and control synthesis for legged robotic systems. To combine the full-model accuracy of hybrid zero dynamics and the set-based safety guarantees of sums-of-squares programming, we propose the following approach (Fig. 1). First, we use hybrid zero dynamics to map the full order dynamics to a low dimensional hybrid manifold. We control the dynamics on the manifold using a set of shaping parameters, which are modified in continuous time to modify robot behaviour. We then use sums-of-squares programming to find a subset of this manifold which can be rendered forward control invariant. Once this subset is found on the low dimensional manifold, a regulator can be constructed that allows for free control of the manifold dynamics when safety is not at risk, but switches to a safety preserving controller when safety is threatened.
The approach is presented in a general form that extends to a large class of underactuated bipedal robots. Throughout the paper, an example implementation is given for a 10-dimensional model of the robot Rabbit [2] and a tracking task is used to illustrate semi-autonomous safe control. To the best of our knowledge, this is the highest dimensional walking robot model for which set-based safety guarantees have been generated thus far.
The rest of this paper is organized as follows: Section II formally defines the assumptions and objective of this paper. The next two sections describe our method. Section III constructs a low dimensional zero dynamics manifold with control input. In Section IV we present a sums-of-squares optimization which finds a control invariant subset of the manifold that avoids a designated set of unsafe states. Section V describes the results of our implementation on the robot Rabbit [2], and conclusions are presented in Section VI.
II Problem Setup
II-A Robot Model
For simplicity, we apply similar modeling assumptions to those made in [15]. That is, the robot is modeled as a planar chain of rigid links with mass. Each joint is directly torque actuated except for the point of contact with the ground, leading to one degree of underactuation for a planar model.
The full configuration of the robot is given by the set of joint angles . We next define the set of feasible configurations (similarly to [11]):
Definition 1**.**
A configuration is feasible if the joint angles satisfy actuator limits, and only foot points are touching the ground (i.e. the robot has not fallen over).
Using the method of Lagrange, we can obtain a continuous dynamic model of the robot during swing phase:
[TABLE]
where denotes the tangent space of , , describes the permitted inputs to the system, and denotes time.
We assume that an instantaneous and impulsive impact occurs each time the swing foot hits the ground, with the stance leg leaving the ground immediately after impact. As in [15], we can construct a reset map for the state after impact:
[TABLE]
Here the superscript plus indicates the time just after the event and the superscript minus indicates the time just before the event. is the reset map of the robot state. is a coordinate transformation matrix that swaps the swing leg and the stance leg after impact. , is the configuration-dependent reset map of the configuration velocities.
This equation holds true for all states in , which is called the guard of the hybrid system, and represents the states of the robot with zero swing foot height and downwards swing foot velocity. Any time the state of the robot enters , the reset event must occur.
Example 1**.**
The configuration for Rabbit is shown in Figure 1 (top left). is the set of robot configurations in which only foot points intersect the ground and all joints are within the limits: , When the swing foot intersects with the ground, we enter the guard . This causes an impulse to be transmitted to the colliding foot, and the swing and stance feet swap. The impulse and coordinate swap are given by . The joint torques torques are saturated to take values in the interval . All kinematic and inertial properties of the model are given in [2].
II-B Safety
In this paper, safety is defined as keeping the configuration feasible for all time (i.e. ). To guarantee safety, this paper finds a viability domain [11]:
Definition 2**.**
A viability domain is any set satisfying which is also forward control invariant. That is, there exists a Lipschitz state feedback controller , such that for every initial condition , the execution of the system from the initial condition remains in for all time . We refer to any feedback controller that is able to ensure that the system is forward control invariant as an Autonomous Viable Controller.
The forward control invariance property ensures that any state that begins within a viability domain can be controlled to remain within the domain. Since contains only feasible configurations (), we know that safety can be maintained by at least one controller from all states in .
Once a viability domain is found, we use it to construct a semi-autonomous, safety preserving controller. Given an initial state within , a user defined control input is applied without modification to the system. The state of the system is then continuously monitored. If the state approaches the boundary of the viability domain, the control input is overridden by an autonomous viable controller. This gives the user full control over the system until safety is threatened, at which point, safety is automatically enforced. Once safety is no longer at risk, control is returned to the user.
II-C Goal
Using these definitions, we state our objective as:
Find a viability domain and a corresponding autonomous viable controller. 2. 2.
Use this domain and autonomous viable controller to construct a semi-autonomous viable controller.
III Controlled Hybrid Zero Dynamics Manifold
We intend to use sums-of-squares optimization to achieve these objectives. However, the state-space dimension of realistic robot models far exceeds the limits of this tool. For instance, the state-space of the benchmark model Rabbit [2] has dimension 10, while many sums-of-squares problems become computationally challenging above dimension 6 [12]. In this section, we show how the the state-space dimension can be reduced to a feasible size using the idea of hybrid zero dynamics [15].
III-A Shaping Parameters
The hybrid zero dynamics approach uses feedback linearization to drive the actuated degrees of freedom onto a low-dimensional manifold specified by a set of user-chosen outputs, which depend on the robot configuration . We modify this approach by making these outputs also depend on a set of time varying shaping parameters . The shaping parameters are used in this paper to provide an input within the manifold dynamics. By varying continuously over time, the user can change the hybrid zero dynamics manifold to modify the robot behaviour in real-time. The idea of modifying the HZD manifold in real-time is similar to [23] in which the desired hip velocity acts as an input to the manifold.
We define the dynamics of as:
[TABLE]
where , are the shaping parameter inputs (with permitted values ), and denotes time. We require that has vector relative degree two under these dynamics. We assume a trivial discrete update for the shaping parameters when the robot state hits a guard: .
Example 2**.**
*As shown in the bottom left of Figure 1, we use a single shaping parameter to modify the desired pitch angle of Rabbit.
Note that this choice is somewhat arbitrary; could instead modify properties such as step length or center of mass height. We define the dynamics of as follows:*
[TABLE]
where represents the user-controlled pitch acceleration.
III-B Constructing the Manifold
In this subsection, we incorporate these shaping parameters in the construction of the hybrid zero dynamics manifold described in [15]. Throughout the section, we use and to represent the Lie derivatives in with respect to and , and and to represent the Lie derivatives in with respect to and (where we drop the arguments).
We begin by using a set of outputs: to implicitly define the hybrid zero dynamics manifold as:
[TABLE]
These outputs must satisfy hypotheses similar to HH 1-4 in [15], and the resulting manifold must satisfy the hybrid invariance condition:
[TABLE]
Provided these conditions are met, we can use the results in [24, Chapter 9.3.2] to show that is a smooth submanifold in of dimension . In addition, the control input given by:
[TABLE]
renders invariant under the hybrid dynamics of the robot (note the right hand side arguments are suppressed to simplify presentation).
As in hypothesis HH 3 in [15], we define a set of phasing coordinates which represent the underactuated degrees of freedom of the robot. Using these coordinates, we can parameterize the on-manifold state of the robot as: (where we have suppressed the time dependence on the right hand side). The continuous dynamics under this parameterization are then:
[TABLE]
where we have suppressed the time dependence. The discrete manifold dynamics are given by:
[TABLE]
where is the state before impact, and the manifold guard and reset ( and ) are defined as:
[TABLE]
Example 3**.**
We begin by using the trajectory optimization toolbox FROST [25] to find a time-varying, periodic walking trajectory: . For this trajectory, the stance leg angle of the robot: is monotonic in time and varies from to . This allows us to define a phasing function which satisfies (i.e. maps from points in the state space to points along the trajectory).
We modify the pitch angle of the FROST trajectory using the shaping parameter , giving us the output function:
[TABLE]
Here we also added the function which is chosen to ensure satisfaction of the hybrid invariance condition (7). This technique for ensuring hybrid invariance is similar to the procedure given in [26].
The guard of our HZD manifold is given as and the reset is defined as in (12).
III-C Safety on the Manifold
We now revisit the safety criteria from Section II-B under the assumption that our state is controlled to lie on . For the biped to be safe, we require that the manifold state remains in the feasible set , and that the state does not leave the manifold (either by leaving the manifold boundary, or by encountering actuator limits when trying to stay on ). We define the unsafe states as the union of:
- •
The infeasible states:
- •
The states that leave the manifold boundary, i.e. all members of the boundary set () which do not lie on a guard, and that have an outward velocity.
- •
The states requiring unattainable actuation to remain on , i.e. all states for which .
Additionally we define the state-dependent set of realizable shaping parameter inputs , as (where denotes the set of all subsets of ).
Provided we constrain the manifold state to avoid , and constrain the shaping parameter input to lie within , our safety criteria is maintained.
Our goal from Section II-C can now be re-stated as:
Find a viability domain on that does not intersect , and an autonomous viable controller . 2. 2.
Use this domain and autonomous viable controller to construct a semi-autonomous controller.
Example 4**.**
For the Rabbit example, the set of states that leave the manifold boundary are given by . All other states on the manifold boundary either lie on a guard (), or flow inwards. We use sampling and fitting to find a region where the actuator torque limits can be satisfied for some . We then define our unsafe set (see Fig. 2):
[TABLE]
The set of attainable inputs is given by the minimum and maximum values of at each sample point that satisfy .
IV Hybrid Control Invariant Set
This section outlines how the low dimensional safety problem from Section III-C can be solved using sums-of-squares optimization [3]. Broadly, the sums -of-squares approach enforces constraints of the form (where p is a function) by constraining to be a sum-of-squares polynomial, i.e. (where are polynomials). We refer to this constraint as .
We begin by showing how the sets and dynamics from the preceding section can be represented using polynomials. We next define a bilinear semi-definite program for finding a viability domain, and describe the alternation used to solve it. Finally, we construct a guaranteed safe semi-autonomous controller for the full robot, based on this viability domain.
IV-A Polynomial Representation
For the dynamics of the system to be used inside our sums-of-squares program, they must be represented in a polynomial form. In particular, we require polynomial representations of the functions and the sets . Since these sets and functions can contain trigonometric as well as rational terms in their definition, we rely on approximate representations. It is important to take care to ensure that the safety guarantee is preserved under approximation.
To generate polynomial approximations and verify bounding relations, we use sampling to obtain the exact function values over a dense grid in the state space. This sampling approach is made tractable by the reduction in dimension of the previous section. In our example, this reduces the dimension that must be sampled from 10 to 4. We use a sample grid to fit and bound the polynomials. The bounds are then verified using a dense set of randomly generated test points.
We begin by sampling and over our grid of points in . Least-squares fitting can then be used to obtain the corresponding polynomial representations: and . To account for the approximation error in the continuous dynamics functions, we introduce a set of error-bounding polynomials which satisfy:
[TABLE]
for all and where the inequality and absolute value are taken element-wise. These polynomials can be found using a linear program that minimizes the integral of subject to (15) enforced at our set of sample points.
To represent sets in polynomial form, we require them to take the form of semi-algebraic sets (i.e. a set is defined as , where is a collection of polynomials). We use a bounding set to approximate the reset map in a conservative manner. That is, we find a set that bounds all possible reset behaviours:
[TABLE]
The sets and are represented with semi-algebraic outer approximations as follows: , . We define the sets using the respective polynomials: , , . The space of feasible inputs can be approximated using a state-dependent box constraint:
[TABLE]
where are polynomial input bounds, and the inequality is taken element-wise. The set of inputs that satisfy this box constraint is denoted by .
IV-B Optimization Formulation
We use an optimization similar to [12] to find the largest possible viability domain for our hybrid zero dynamics system. We represent as the zero super-levelset of a polynomial function (i.e. ), and represent the autonomous viable controller using a polynomial function . To enforce the viability of according to Definition 2, we require and to satisfy four conditions:
Viability Conditions**.**
* does not intersect (i.e. )* 2. 2.
All states that are contained in both the guard and must be mapped to a state in (i.e. ) 3. 3.
At the boundary of (i.e. where ), the state flows inward under the controller (i.e. ) 4. 4.
The autonomous safe controller must satisfy the input bounds within the safe set (i.e. )
Condition 1 ensures that states can not leave the viability domain by simply leaving the space . Condition 2 ensures that states can not leave the viability domain when traversing a guard. Condition 3 ensures that states cannot leave the viability domain under the continuous dynamics of the system. Finally, Condition 4 ensures that our controller respects the robot torque constraints. Each of these conditions are ensured with a corresponding sums-of-squares constraint, giving us:
SoS Constraint 1**.**
(Viability Condition 1)
[TABLE]
Here are sums-of-squares polynomials that relax the positivity constraint outside . We refer to such polynomials as s-functions.
SoS Constraint 2**.**
(Viability Condition 2)
[TABLE]
Here are s-functions. The superscripts and indicate whether a function is evaluated using the first () or second () argument of . That is, this constraint enforces: . Note that the addition of the term is not strictly necessary, since points in must lie in . However, this term can help relax the constraint when points in lie outside .
SoS Constraint 3**.**
(Viability Condition 3)
[TABLE]
Here and are s-functions that relax the constraint inside , and is a slack polynomial that can relax the constraint whenever . The polynomials are used to bound the effects of the dynamics error on the time derivative of .
SoS Constraint 4**.**
(Viability Condition 4)
[TABLE]
Here are s-functions that relax the constraint inside .
The desired objective of our optimization is to maximize the volume of . This volume is difficult to compute exactly for an arbitrary , since the domain of integration is given by a semi-algebraic set. We propose an analytically tractable approximation to this objective:
[TABLE]
This objective is combined with the following constraint in order to approximate the volume of :
SoS Constraint 5**.**
(Objective Constraint)
[TABLE]
To understand how this objective and constraint approximate the volume of , take a continuous function that satisfies the constraints of the previous section. For every point not in the set , the value is constrained only by Constraint (5). This means that can increase to a value of 1 for points inside , and increases to a value of 0 for points outside this set. As a result, approaches the indicator function over , and the integral in the objective function approaches the volume of .
Combining the constraints and objective, we arrive at the following sums-of-squares problem:
[TABLE]
To express this problem as a semi-definite program or SDP (which can be solved with commercial solvers), all SoS constraints must be linear functions of the decision variable polynomials. However, Constraint 3 in the above problem includes the terms and which are bilinear in and in respectively. Problems of this form are referred to as bilinear sums-of-squares problems. The bilinear nature of the constraints means that these problems are non-convex, and we can no longer guarantee a globally optimal solution to this problem.
To solve this nonconvex bilinear sums-of-squares program we turn to a strategy called alternation. This strategy breaks (19) into a pair of linear sums-of-squares programs which can each be solved using a commercial solver. In each program one of the bilinear variables is kept fixed while the other is optimized over. The variables that were optimized are then fixed while the other pair of variables are optimized. If the final solution satisfies the constraints of the original program, the solution is guaranteed to be a viability domain. Computationally, each SDP is formulated in spotless111https://github.com/spot-toolbox/spotless and solved using Mosek.
IV-C Guaranteed Safe Semi-autonomous Controller
We use a feasible solution to the above optimization problem to generate a guaranteed safe semi-autonomous controller. This controller modifies user input to ensure that the Viability Conditions 3 and 4 are always satisfied. Condition 4 can be enforced by saturating the user inputs to always lie within the input bounds. To enforce condition 3, we note that it is only active on the boundary of . This means that we can ensure safety so long as we use the autonomous safe controller when the state lies on the boundary of , i.e. .
Since a controller that is discontinuous on the boundary of the safe set would pose difficulties for systems with finite bandwidth, we additionally must ensure that the new controller is continuous near the boundary. To achieve this, we smoothly interpolate between the user input and the guaranteed safe controller (which satisfies the safety condition when ) to get the regulated input :
[TABLE]
where and are computed using (19), is a smooth step-like function that satisfies , and , and controls the smoothness of the interpolation.
When satisfies , the user input is unmodified, as we are sufficiently removed from the boundary of the safe set. When , the safe controller is fully active, keeping the state in the safe set.
V Results
We used the proposed approach to compute a viability domain for the robot Rabbit [2]. The viability domain is represented using a set of 8 degree-4 polynomials, each covering an interval within the full range of . A two-dimensional slice of the viability domain is shown in Fig. 2.
To demonstrate the semi-autonomous safe controller, we used it to ensure safety while performing a reference following task. The task is to track a time-varying pitch angle . To follow the target, we set a desired pitch acceleration using a ”naïve” PD controller:
[TABLE]
We used the feedback controller (8) to map the desired acceleration to the four motor torques of the Rabbit model.
For the feedback controller to respect Rabbit’s actuator torque limits, we first saturated with a real-time Quadratic Program (QP) to get the input to our safety regulator:
[TABLE]
Using a QP to satisfy the actuator constraints of the system is similar to many state of the art approaches for high-dimensional robot control [17, 18, 19, 20] . A major limitation of these approaches is the inability to guarantee the feasibility of the QP. That is, for some states, there may not be an input that satisfies the actuator constraints (the set of such states is shown in red in Fig. 2).
Our approach guarantees the feasibility of (22) by constraining the state of the robot to be within the QP-feasible region (i.e. outside of in Fig. 2). To maintain this state constraint, we modified the input using the guaranteed safe semi-autonomous controller defined in (20). In Fig. 3, we compare the results of the naïve controller (21) and the safe controller (20) using a simulation of the full dynamics of the robot Rabbit.
When tracking the backwards pitch target, the naïve controller slows to the point of falling backwards, while the safe controller deviates slightly to maintaint forward walking. For the forward pitch target, the naïve controller speeds up as it leans forward. At a certain speed, it cannot longer stay on the low dimensional manifold under the torque limits and falls. The safe controller recognizes this risk early and deviates from the desired forward pitch before reaching this speed. The bottom-left figure shows how the set of torque-limit satisfying control inputs disappears for the naïve controller.
This task demonstrates that robot safety can be maintained even for states that are far away from any periodic limit cycle. Indeed, the only periodic limit cycle used in our approach keeps the body pitch relatively upright (). As such, our approach broadens the set of real-time safe behaviours that can be executed by Rabbit, since previous methods [16, 18, 20, 21] would all require a pre-computed limit cycle for each new reference trajectory.
VI Conclusion
This paper presents a method to construct a guaranteed safe semi-autonomous controller for high-dimensional walking robots. The resulting controller guarantees viability and allows for flexible input when viability is not at risk. The method is evaluated on a model of the robot Rabbit, and a tracking task is used to illustrate its capabilities. With a 10-dimensional state space, this model is larger than any known model for which continuous-time safety guarantees have been generated.
Despite this increase in model dimension, our example is still somewhat simplified: the dynamics are two dimensional, the terrain is flat, and the range of behaviour is limited to modifying the torso pitch angle. In contrast, bipedal robots in the world must traverse three dimensional, varied terrain while performing a wide range of tasks.
When extending our method to these cases, a trade-off arises between the degree of underactuation of the model, the genericity of the behaviour (i.e. the number of shaping parameters), and the computational complexity of the optimization problem. From Section III-B, the dimension of the reduced order manifold (our state space) is twice the sum of the degree of underaction and the number of shaping parameters. In [12], the authors show that a 6 dimensional state space is tractable for similar sums-of-squares programs. Our approach can thus currently handle a maximum of three degrees of underactuation and/or shaping parameters.
Under this constraint, we can directly extend our method to 3D. For instance, take the 3D biped with controlled steering given in [21]. This application has two degrees of underactuation (pitch and yaw) and would have one shaping parameter controlling yaw rate (i.e. turning left or right). Using our method, we could construct a safe steering controller for the robot that avoids the risk of turning too quickly and falling. An extension to rough terrain, however, will likely require improvements in scaling of the sums-of-squares problem. Such scaling improvements are an active research target [27, 28].
The core insight behind our approach is that sums-of-squares and hybrid zero dynamics are remarkably complementary tools. Sums-of-squares analysis generates the set based guarantees needed to render hybrid zero dynamics safe, and hybrid zero dynamics provides the dimensionality reduction needed for sums-of-squares analysis to be tractable. The key innovation for combining these two tools was the introduction of a set of shaping parameters which control the dynamics on the manifold. The ability to combine sums-of-squares and hybrid zero dynamics presents a promising path forward for building guaranteed safe walking controllers for complex legged robots.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1] J. Pratt, J. Carff, S. Drakunov, and A. Goswami, “Capture point: A step toward humanoid push recovery,” in 2006 6th IEEE-RAS International Conference on Humanoid Robots , pp. 200–207, Dec 2006.
- 2[2] C. Chevallereau, G. Abba, Y. Aoustin, F. Plestan, E. Westervelt, C. C. de Wit, and J. Grizzle, “Rabbit: A testbed for advanced control theory,” IEEE Control Systems Magazine , vol. 23, no. 5, pp. 57–79, 2003.
- 3[3] P. A. Parrilo, Structured semidefinite programs and semialgebraic geometry methods in robustness and optimization . Ph D thesis, California Institute of Technology, 2000.
- 4[4] P. Wieland and F. Allgöwer, “Constructive safety using control barrier functions,” IFAC Proceedings Volumes , vol. 40, no. 12, pp. 462–467, 2007.
- 5[5] A. Majumdar, R. Vasudevan, M. M. Tobenkin, and R. Tedrake, “Convex optimization of nonlinear feedback controllers via occupation measures,” The International Journal of Robotics Research , p. 0278364914528059, 2014.
- 6[6] D. Henrion and M. Korda, “Convex computation of the region of attraction of polynomial control systems,” IEEE Transactions on Automatic Control , vol. 59, no. 2, pp. 297–312, 2014.
- 7[7] M. Korda, D. Henrion, and C. N. Jones, “Controller design and value function approximation for nonlinear dynamical systems,” Automatica , vol. 67, pp. 54–66, 2016.
- 8[8] S. Prajna and A. Jadbabaie, “Safety verification of hybrid systems using barrier certificates,” in International Workshop on Hybrid Systems: Computation and Control , pp. 477–492, Springer, 2004.
