
A Robust Model Predictive Control Algorithm Augmented with a Reactive Safety Mode


John M. Carson III (a), Behcet Acikmese (b), Richard M. Murray (c), Douglas G. MacMartin (c)

(a) Jet Propulsion Laboratory, 4800 Oak Grove Dr., Pasadena, CA 91109
(b) The University of Texas at Austin, 1 University Station, Austin, TX 78712
(c) California Institute of Technology, 1200 E. California Blvd, Pasadena, CA 91125
Abstract

A reactive safety mode is built into a robust model predictive control algorithm for uncertain nonlinear systems with bounded disturbances. The algorithm enforces state and control constraints and blends two modes: (I) standard, guarantees re-solvability and asymptotic convergence in a robust receding-horizon manner; (II) safety, if activated, guarantees containment within an invariant set about a reference. The reactive safety mode provides robustness to unexpected, but real-time anticipated, state-constraint changes during standard mode operation. The safety-mode control policy is designed offline and can be activated at any arbitrary time. The standard-mode control has feedforward and feedback components: feedforward is from online solution of a finite-horizon optimal control problem; feedback is designed offline to provide robustness to system uncertainty and disturbances and to establish an invariant state tube that guarantees standard-mode re-solvability at any time. The algorithm design is shown for a class of systems with incrementally-conic uncertain/nonlinear terms and bounded disturbances.

1 Introduction

Control algorithms for physical systems with model and environmental uncertainties and disturbances must incorporate state and control constraints and must also often blend multiple modes of operation. The SR-MPC (Safe and Robust Model Predictive Control) algorithm herein combines two modes: (I) standard, to ensure asymptotic convergence to a desired final state; (II) safety, if activated, to sustain a safe invariant set about a desired reference. This work is motivated by autonomous vehicle applications that require guidance and control methods with guaranteed real-time re-solvability, assurance of safety from uncertainty in state-constraints, and robustness to model uncertainties and disturbances; e.g., safety from other vehicles unexpectedly blocking the feasible path or unexpected ground proximity during spacecraft landing operations [9,11].

Traditional MPC (Model Predictive Control) [12,19,21,24] computes a feedforward control input and associated trajectory by solving online an FHC (Finite-Horizon optimal Control problem) subject to state and control constraints and with the current system state as the initial state. This solution is applied over a time interval until a re-computation provides an updated feedforward input, which is then applied and the cycle repeats. The FHC uses a nominal system model, and robustness to model uncertainty and re-solvability guarantees (i.e., continued FHC feasibility) are difficult to establish. Significant research efforts have provided valuable contributions to robust MPC, e.g., [5,6,13,15,18,19,23,25,27,28].

© 2011 California Institute of Technology. Government sponsorship acknowledged.

The SR-MPC algorithm herein is a progression of our prior R-MPC (Robust MPC) algorithm [1,2,9,11,3] developed for uncertain, nonlinear continuous-time systems with bounded disturbances. The SR-MPC standard mode uses feedforward and feedback components similar to R-MPC: the feedforward comes from the online FHC solution, as in traditional MPC; feedback is designed offline to provide robustness to model uncertainties and disturbances and to maintain the actual system in an invariant state tube about the nominal feedforward trajectory. The feedback also guarantees FHC re-solvability without bounds on re-computation time intervals. Our R-MPC contribution was contemporary with other robust MPC research. References [20,17] also formulate an initial-state relaxation within the FHC solution and establish invariant state tubes to ensure robustness. These are developed for discrete-time LTI (Linear Time Invariant) systems with bounded disturbance inputs, and extensions in [22] incorporate matched nonlinearities. In contrast, the R-MPC algorithm is developed for continuous-time systems, has provable re-solvability at any re-computation time, and is applicable to a more general class of incrementally-conic uncertainty/nonlinearity that includes many practical systems (e.g., uncertainties/nonlinearities with Jacobians in convex polytopes) [3].

Preprint submitted to Automatica 28 October 2012

The contribution of SR-MPC is the enhancement of our R-MPC algorithm to incorporate a reactive safety mode [8,10] that is available at any time during standard-mode operations and is reactive to static state-constraint changes. Specifically, a new constraint enforced within the FHC during online re-solves generates anytime safety-mode availability and retains provable re-solvability. On safety-mode activation, the system is held in an invariant safety set until higher-level planning algorithms (not considered here) re-establish feasibility to resume standard-mode operation. The safety control policy is reactive since it is designed offline and no onboard information is used for online (proactive) policy alteration. Additionally, unknown obstacles are assumed visible just outside the safety set (i.e., state constraints do not change within the safety set). Our SR-MPC approach differs from prior research (e.g., [16,26]) with discrete-time systems that guarantees safety only at the MPC time-horizon and assumes perfect state-constraint knowledge during the current horizon.

A general overview in Section 2 of the SR-MPC algorithm provides the reader with a visualization of the approach and conveys the primary contributions and overarching conditions behind the main theorem within this paper, which rigorously proves SR-MPC re-solvability in a receding-horizon implementation with anytime-available safety mode. Section 3 then develops the SR-MPC algorithm for a class of systems that have incrementally-conic uncertainties/nonlinearities. This provides conditions under which the hypotheses of the main SR-MPC theorem are satisfied and applies the main result to a broad class of systems with engineering applications. Section 4 provides a simple, illustrative example for SR-MPC; refer to our work in [11] for an example of spacecraft landing on asteroids and comets.

2 Overview of the SR-MPC Method

This section introduces the invariant state tubes used in the SR-MPC method. A high-level review of R-MPC is provided; see [2,3] for details. The actual uncertain dynamical system for SR-MPC application is assumed to be represented by a smooth nonlinear differential equation:

$\dot{x} = f(x, u, t)$, (1)

with actual state $x \in R^n$ and control input $u \in R^m$. Let a nominal model of the actual system (1) be given by

$\dot{z} = f(z, u_o, t)$, (2)

with nominal state $z \in R^n$ and control input $u_o \in R^m$, and where f() is a known, approximate model of f(). The origin x = z = 0 is assumed to be an equilibrium point for both systems: f(0, 0, t) = f(0, 0, t) = 0.

The SR-MPC objective is to obtain control input u that, when applied to the actual system, achieves the following closed-loop response for each mode:

(I) standard mode: the actual system origin (x = 0) is asymptotically stable, with a region of attraction $R_a \subseteq X$, such that, when $x(t_0) \in R_a$,

$x(t) \in X$ and $u(t) \in U$, $\forall t \ge t_0$. (3)

(II) safety mode: if activated during standard mode, the actual system trajectory x is contained within an invariant set $X_s$ about a given reference $r_s$ such that

x(t) $\in X_s$, $u(t) \in U$, and $x(t) \in X$, $\forall t \ge t_s$, (4)

where x(t) x(t) − $r_s$, and $t_s \ge t_0$.

Sets $X \subseteq R^n$ and $U \subseteq R^m$ define actual-system state and control constraints, respectively, $X_s \subseteq R^n$ defines safety state constraints, and reference $r_s$ is set at safety-mode activation and satisfies $\{r_s\} + X_s \subseteq X$.

We assume the availability of perfect state knowledge for the controller. Additionally, since safety mode reacts to changes in the state constraints that are not accounted for during the standard-mode, our working assumption is that such changes will be detected in real-time and $\{r_s\} + X_s$ will remain feasible for safety mode states (i.e., unexpected changes do not occur within set $\{r_s\} + X_s$).

2.1 Algorithm Architecture

The control approach builds on our R-MPC algorithm [2,3] where control u is given by

$u(t) = u_o(t) + u_f(t)$, (5)

with $u_o$ being feedforward and $u_f$ being feedback. Sets $X$, $U$, and $X_s$ are given constraints for the overall control design. The following additional constraint sets are used in constructing SR-MPC and ensure the overall-constraint satisfaction:

$U_o + U_f() \subseteq U$, $Z_o + X_s \subseteq X$, $Z_s + X_f() \subseteq X_s$, (6)

where parameter (see Remark 4) characterizes the mismatch between actual and model nonlinearity and aids in the design of $X_f()$ and $U_f()$. Note, for sets A and B, $A + B := \{z : z = x + y, x \in A, y \in B\}$ and AB $:= \{z : z + y \in A, \forall y \in B\}$.

Condition 1 Sets $X$, $U$, $X_s$, $Z_o$, $Z_s$, $X_f()$, $U_o$, $U_f()$ are compact and contain the origin in their interiors.

[Figure 1 legend: Actual Trajectory, Nominal Trajectory, Relaxation]

Fig. 1. Standard Mode: FHC constraint relaxation from feedback-invariant state tube $X_f()$ guarantees re-solvability (shown at $t_1$). When nominal system enters terminal set o, a local controller ensures actual-system asymptotically approaches terminal set $E_{P_f} \subseteq X_f()$.

[Figure 2 legend: Actual Trajectory, Nominal Trajectory, Unknown Constraint]

Fig. 2. Standard Mode: an FHC constraint maintains feasible safety state tube $Z_s$ for safety-mode activation at any time.

Standard mode solves an FHC online to find feedforward $u_o \in U_o$ that gives nominal states $z \in Z_o$ (Figure 1). As in R-MPC, offline-designed feedback policy $u_f \in U_f()$ gives robustness to system uncertainty and disturbances and also establishes invariant set $X_f()$, which generates an invariant state tube about the nominal trajectory: $z(t) + X_f()$, $\forall t$. FHC re-solves remain feasible due to a constraint relaxation involving $X_f()$, and standard mode gives asymptotic convergence into terminal set o.

A second FHC constraint involving $Z_s$ generates a safety-set available for safety-mode activation at any time during standard mode (Figure 2). The safety-mode control policy u is designed offline to establish invariant set $X_s$ about any nominal state from the FHC solution; this ensures the actual state remains within $X_s$ after safety-mode activation and provides robustness to static state-constraint uncertainty (Figure 3).

[Figure 3 legend: Actual Trajectory, Nominal Trajectory, Unknown Constraint]

Fig. 3. Safety Mode: on activation, actual system remains in invariant safety-set $X_s$ about reference $r_s$ (in tube $Z_s$), ensuring robustness to uncertainty in static state constraints.

2.2 Standard-Mode Control

The SR-MPC standard mode augments R-MPC [2,3] with an additional safety constraint to ensure safety-mode availability at any time. The FHC uses nominal system (2), an objective function, and state and control constraints to generate feedforward $u_{FHC} \equiv u_o \in U_o$ and $z_{FHC} \equiv z \in Z_o$ over a finite time horizon.

FHC (Finite-Horizon optimal Control problem)

$\min_{u_o,\,T_f,\,z(t_i)} \int_{t_i}^{t_i+T_f} h(z(), u_o())\,d + V_o(z(t_i + T_f))$

subject to

$\dot{z} = f(z, u_o, t)$,
$z(t) \in Z_o$, $u_o(t) \in U_o$,
$z(t) - \mathcal{T}(z(t)) \in Z_s$,
each for $t \in [t_i, t_i + T_f]$,
$x(t_i) - z(t_i) \in X_f()$,
$z(t_i + T_f) \in$ o,

with $x(t_i)$ the state of the actual system (1) at $t_i$.

Set $R_a$ is the region of attraction for control objective I and is defined by standard-mode FHC feasibility:

$R_a = \{Z_o + X_f() : \text{FHC feasible with } x(t_i) = \}$. (7)

Remark 1 $u_o = 0$ is considered to be the only feasible FHC control input for $z_0 = 0$ (recall that f(0, 0, t) = 0).

Remark 2 (Nominal State Notation) Nominal state z appears in standard and safety modes, so $z_{FHC}$ denotes the FHC nominal-state solution used during safety mode.

The following three conditions are sufficient for proving standard-mode asymptotic stability; these are also common in proofs of MPC stability (e.g., [12]).

Condition 2 (Quadratic Cost) FHC function h satisfies

$h(z(t), u_o(t)) = z(t)^T Q z(t) + u_o(t)^T R u_o(t)$, (8)

with $Q = Q^T > 0$ and $R = R^T > 0$.

Condition 3 (Terminal Control Lyapunov Function) FHC function $V_o$ is positive definite [14] and there exists feedback control law $u_o = L(z) \in U_o$ such that $V_o$ defines a nominal-system Control Lyapunov Function satisfying

V (z) f(z, L(z), t) + h(z, L(z)) 0, z o, (9)

where o $\subseteq Z_o$ contains the origin. Additionally, feedback law L renders o $\subseteq R^n$ invariant for nominal system (2), i.e., if $z(t_0) \in$ o for some $t_0$, then $z(t) \in$ o, $\forall t \ge t_0$.

Condition 4 There exists $B^n_R$ such that set o satisfies

$B^n_R \subseteq$ o, (10)

where $B^n_r := \{x \in R^n : \|x\| \le r,\ r > 0\}$.

The following condition on the actual and nominal systems is used to design feedback $u_f$ for robustness to dynamics uncertainty and disturbances and to generate the invariant state tube $X_f()$: if $(t_0) \in X_f()$ for some $t_0 \ge 0$, then $(t) \in X_f()$, $u_f(t) \in U_f()$, $\forall t \ge t_0$.

Condition 5 (Feedback State Tube) There exists feedback control law $u_f = K_f(x, z) \in U_f()$ that renders set $X_f()$ in (6) invariant for (t) $x(t) - z(t) \in X_f()$, $\forall t \ge t_0$ and $u_o(t)$, with dynamics (1) for x and (2) for z.

Our prior R-MPC algorithmic contribution, developed in [13] and used in SR-MPC, is the FHC initial-state relaxation:

$x(t_i) - z(t_i) \in X_f()$. (11)

This relaxation makes use of the feedback-invariant state tube about the nominal trajectory to guarantee FHC re-solvability (Figure 1).

Remark 3 (FHC Re-solvability) Re-solvability comes from feedback policy $u_f$ that generates $X_f()$, so related R-MPC proofs apply directly to SR-MPC [3,8,10].

This paper introduces our second FHC contribution, a constraint to ensure safety-mode availability at any time:

$z(t) - \mathcal{T}(z(t)) \in Z_s$, $t \in [t_i, t_i + T]$, (12)

where $\mathcal{T} : Z_o \to Z_o$ defines the safety reference $r_s$ below. This constraint generates a second state tube $Z_s$ that the nominal trajectory resides within (Figure 2). Initial feasibility of the FHC guarantees nominal trajectories that satisfy this constraint for all time.

2.3 Reactive Safety-Mode Control

The safety-mode control policy is designed offline to generate invariant set $X_s$ and ensure x $\in X_s$ about reference $r_s$ for all time after safety activation time $t_s$ (Figure 3).

Definition 1 (Safety Reference) The safety reference state at any safety-activation time $t_s$ is given by

$r_s = \mathcal{T}(z_{FHC}(t_s)) \in Z_o$ where $\mathcal{T} : Z_o \to Z_o$. (13)

The following condition on the design of safety-mode control ($u \equiv u_s$) is sufficient to prove the satisfaction of SR-MPC control objective II:

Condition 6 There exists control law $u_s = K_s(t, x, r_s) \in U$ that renders set $X_s$ invariant for x(t) x(t) − $r_s \in X_s$, $\forall t \ge t_s$ with dynamics (1) for x and $r_s \in Z_o$.

2.4 Safe and Robust Model Predictive Control

The SR-MPC algorithm relies on the online FHC solution and the offline-designed feedback and safety-mode control policies. Feedback design for a general class of systems will be given in Section 3.

SR-MPC (Safe and Robust MPC Algorithm)

Let $t_k$, $k = 0, 1, \ldots$, be FHC solution time instances satisfying $\inf_k \Delta t_k \ge$ for some > 0, where $\Delta t_k = t_k - t_{k-1}$. Begin with k = 0 and iterate the following steps over computation times $t_k$:

Standard mode
(1) Solve the FHC at $t_i = t_k$ with $T_f = T_k$ to obtain $u_{o,k}$ with $u_o(t) = u_{o,k}(t)$ and the corresponding state trajectory $z_k(t)$ on $t \in [t_k, t_k + T_k]$.
(2) Apply $u(t) = u_o(t) + u_f(t)$ to actual system (1) where $u_f(t) = K_f(x(t), z(t))$ with $z(t) = z_k(t)$ on $t \in [t_k, t_{k+1})$.
(3) Check the following over $t \in [t_k, t_{k+1}]$:
    - If safety-event detected at $t_s \ge t_k$, set $r_s = \mathcal{T}(z_{FHC}(t_s))$ with $z_{FHC}(t_s) = z_k(t_s)$, then switch to safety mode and stop iteration.
    - If z(t) $\in$ o for some t $\ge t_0$, then $u_o(t) = L(z(t))$, t t and skip step 1 in iteration.

Safety mode
For $t \ge t_s$, apply $u(t) = u_s(t)$ to actual system (1) where $u_s(t) = K_s(t, x(t), r_s)$.

The following theorem builds upon Theorem 1 in [2] and is also applicable to our R-MPC framework in [3].

Theorem 1 Consider system (1) with a control input described by the SR-MPC algorithm. Suppose Conditions 2-6 are satisfied. Then the resulting closed-loop system satisfies control objective I for the region of attraction $R_a$ and control objective II.

PROOF. The proof is split into two parts:

(I) Standard Mode: The proof of asymptotic stability with region of attraction $R_a$ follows the same steps as Theorem 1 in [2,3]. The proof also establishes FHC re-solvability guarantees in a receding-horizon implementation and establishes the invariant state tube about the nominal trajectory, $z(t) + X_f()$, $\forall t$.

(II) Safety Mode: The standard-mode control input guarantees $x(t_s) - z(t_s) \in X_f()$ since tube $X_f()$ is invariant from applying feedback $u_f$ in Condition 5. Further, the FHC is satisfied in standard mode, thus constraint (12) guarantees $z(t_s) - r_s = z(t_s) - \mathcal{T}(z(t_s)) \in Z_s$ with $r_s$ from (13). Thus, $x(t_s) - r_s = (x(t_s) - z(t_s)) + (z(t_s) - r_s) \in X_f() + Z_s \subseteq X_s$ where set definition (6) for $X_s$ is used. Now, applying safety-mode control input $u = u_s = K_s(t, x, r_s)$ from Condition 6 ensures x(t) = x(t) r_s $\in X_s$, $\forall t \ge t_s$. Since $r_s \in Z_o$, then $\{r_s\} + X_s \subseteq X$ and x(t) = r_s + x(t) $\in X$, $\forall t \ge t_s$. □

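The mode logic of the SR-MPC algorithm and the containment argument in part II of the proof can be exercised on a scalar plant. This is an added simulation, not code from the paper: the plant, the gains, the grid map standing in for the safety-reference map, and the stand-ins for the FHC solution are all assumptions chosen so that every set is an interval, and the FHC itself is not solved.

```python
import math

# Constructed scalar plant, not from the paper: dx/dt = u + F*d with |d| <= 1.
F = 0.2                  # disturbance gain
K_F = 2.0                # tube feedback: u_f = -K_F * (x - z)
K_S = 1.5                # nominal safety law: u_os = -K_S * (z - r_s)
RHO_F = F / K_F          # invariant tube X_f: |x - z| <= RHO_F
GRID = 0.5               # spacing of the rest points the reference map may return
RHO_ZS = GRID / 2.0      # Z_s: |z - T(z)| <= RHO_ZS holds for every z
RHO_XS = RHO_ZS + RHO_F  # smallest X_s with Z_s + X_f inside X_s, as in (6)


def safety_reference(z):
    """Assumed safety-reference map: nearest rest point on the grid."""
    return GRID * round(z / GRID)


def relaxed_initial_state(x):
    """Stand-in for the FHC's choice of z(t_k) under relaxation (11):
    the point within RHO_F of x that lies closest to the origin."""
    return min(max(0.0, x - RHO_F), x + RHO_F)


def feedforward(z):
    """Stand-in for the FHC feedforward u_o: saturated pull to the origin."""
    return max(-1.0, min(1.0, -z))


def disturbance(t):
    """Bang-bang disturbance at the bound |d| = 1."""
    return 1.0 if math.sin(7.0 * t) >= 0.0 else -1.0


def simulate(x0=2.0, t_event=1.3, t_end=6.0, h=0.01, resolve_every=50):
    """Euler simulation of the two modes; returns summary statistics."""
    x = z = x0
    r_s, mode = None, "standard"
    max_tube = max_safety = 0.0
    n_event = int(round(t_event / h))
    for n in range(int(round(t_end / h))):
        if mode == "standard":
            if n >= n_event:                 # step (3): safety event detected
                r_s, mode = safety_reference(z), "safety"
            elif n % resolve_every == 0:     # step (1): re-solve at t_k
                z = relaxed_initial_state(x)
        u_o = feedforward(z) if mode == "standard" else -K_S * (z - r_s)
        u = u_o - K_F * (x - z)              # feedforward plus tube feedback
        x += h * (u + F * disturbance(n * h))
        z += h * u_o
        max_tube = max(max_tube, abs(x - z))
        if mode == "safety":
            max_safety = max(max_safety, abs(x - r_s))
    return {"mode": mode, "x": x, "r_s": r_s,
            "max_tube": max_tube, "max_safety": max_safety}


if __name__ == "__main__":
    print(simulate())
```

The returned `max_tube` never exceeds `RHO_F` and `max_safety` never exceeds `RHO_XS`, which is the interval form of the chain used in the proof: tube offset plus nominal offset from the reference stays inside the safety set.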
3 Application to a System Class with Incrementally-Conic Uncertainty / Nonlinearity

This section develops SR-MPC for a special class of systems with structured uncertainty/nonlinearity for which the design of feedback and safety-mode control policies is constructive. This system class was also used to develop R-MPC [3]. The actual-system dynamics are

$\dot{x} = Ax + Bu + E(t, v) + Fd$, $x(t_0) = x_0$,
$y = C_y x + D_y u + Gd$,
$v = C_q x + D_q u$, (14)

where : $R^{n_q+1} \to R^{n_p}$ with (t, 0) = 0, $\forall t$, is a continuously differentiable function representing the uncertain/nonlinear part of the dynamics with argument $v \in R^{n_q}$, $d \in R^{n_d}$ is the disturbance input with $\|d(t)\| \le 1$, $\forall t \ge t_0$, and $y \in R^{n_y}$ is a performance output. Matrices $A \in R^{n \times n}$, $B \in R^{n \times m}$, $E \in R^{n \times n_p}$, $C_y \in R^{n_y \times n}$, $D_y \in R^{n_y \times m}$, $C_q \in R^{n_q \times n}$, and $D_q \in R^{n_q \times m}$. This form implies $f(x, u, t) = Ax + Bu + E(t, v) + Fd$ in (1).

The nominal system model for this class of systems is

$\dot{z} = Az + Bu_o + E(t, v_o)$, $z(t_0) = z_0$,
$y_o = C_y z + D_y u_o$,
$v_o = C_q z + D_q u_o$, (15)

where : $R^{n_q+1} \to R^{n_p}$ with (t, 0) = 0, $\forall t$, approximates in actual system (14), $v_o \in R^{n_q}$, and $y_o \in R^{n_y}$. Thus, $f(z, u_o, t) = Az + Bu_o + E(t, v_o)$ in (2).

The uncertain/nonlinear functions and are assumed to satisfy an IQI (Incremental Quadratic Inequality), which provides a mathematical characterization of a large class of uncertainty/nonlinearity, including incrementally sector-bounded functions and functions with Jacobians in convex polytopes (See [3] for examples):

Condition 7 Functions and are continuously dif-
ferentiable, (t, 0)=(t, 0)=0, t, and there exists a set
of multiplier matrices MR
(nq+np)(nq+np)
such that
_
q
2
q
1
(t, v
2
) (t, v
1
)
_T
M
_
q
2
q
1
(t, v
2
) (t, v
1
)
_
0,
M = M
T
M, v
2
, v
1
, and t,
(16)
where q = v + D(t, v) = C
q
x + D
q
u + D(t, v) with
q R
nq
and D R
nqnp
. Additionally, satises (16)
with q
o
and replacing q and , respectively, where q
o
=
v
o
+D(t, v) = C
q
z +D
q
u
o
+D(t, v
o
) with q
o
R
nq
.
Since the nonlinear/uncertain terms satisfy (t, 0) =
(t, 0) = 0, t, satisfaction of the IQI also implies and
satisfy the following QI (Quadratic Inequality):
_
q
(t, v)
_T
M
_
q
(t, v)
_
0, M M, v R
nq
, t. (17)
As a result, F(M) and F(M), where
F(M):=
_
: R
nq+1
R
np
: satises QI (17)
_
. (18)
The multiplier matrices M in Condition 7 are also assumed to satisfy the following additional Condition, which is instrumental in the control synthesis.
Condition 8 There exist a nonsingular matrix T and a
convex set N of matrix pairs (X, Y ) with Y R
npnp
and X, Y symmetric and nonsingular such that for each
(X, Y ) N, the matrix
M=T
T
_
X
1
0
0 Y
1
_
T M with T =
_
T
11
T
12
T
21
T
22
_
, (19)
where T
22
+ T
21
D is nonsingular, T
22
R
npnp
, and
T
21
R
npnq
. Furthermore, the set N can be parameterized by a finite number of Linear Matrix Inequalities.
The actual system dynamics are partitioned into the nominal system and a difference system.
= A +Bu
f
+E [(t, v) (t, v
o
)] +Fd, (20)
where = x − z is the difference state and $u_f = u - u_o$ is the feedback control input, which is designed offline to satisfy Condition 5 and generate feedback-invariant state tube $X_f()$. This system can be rewritten as
= A +Bu
f
+E +E +Fd,
y
f
= C
y
+D
y
u
f
+Gd,
(21)
where (t
0
) = x
0
z
0
, y
f
= yy
o
, = (t, v)(t, v
o
),
and = (t, v
o
) = (t, v
o
) (t, v
o
). Since satises
the IQI (16), then satises the QI (17) with
q := q q
o
= C
q
+D
q
u
f
+D, (22)
and thus F(M) with q. Since (t, 0) = (t, 0) =
0, t, then (t, 0) = 0, t. Additionally, a bounded mis-
match between and is assumed:
Condition 9 There exist scalars

0,

0 such that
(t, v
o
)

v
o
, t, v
o
(23)
where (t, v
o
) = (t, v
o
) (t, v
o
), with v
o
from (15).
Remark 4 Condition 9 differs from that in [3] but does not affect the Lemmas or Theorems aside from the value of used for offline design of R-MPC feedback tube
X
f
(). In [3], =

0
, where
0
:= sup
zXo, uoUo
C
q
z +
D
q
u
o
with X
o
Z
o
+Z
s
. From (23), =

0
for
the SR-MPC construction of X
f
(). If = 0 (no nonlinearity mismatch), feedback tube $X_f(0)$ depends solely on bounded disturbance d in difference system (21).

The disturbance d is handled through the feedback policy designed for the difference system. Additionally, a bound on performance output y is enforced.
Condition 10 Feedback control law u
f
= K
f
(x, z) en-
sures that if (t
0
) = 0 and = 0, then y
[t0,)
for
any d such that d
[t0,)
1.
Note, nonlinearity mismatch = 0 when z = 0, which also implies $u_o = 0$ (See Remark 1), and thus $v_o = 0$, = x, $u_f = u$, and $y = y_f$.
The constraints defined in the design process are specified as convex half spaces ($H_a := \{x : a^T x \le 1\}$) to ensure satisfaction of the overall set definitions in (6):

Condition 11 (State/Control Constraints) There exist

$a_i \in R^n$, $i = 1, \ldots, p_x$, $b_i \in R^m$, $i = 1, \ldots, p_u$, $c_i \in R^n$, $i = 1, \ldots, p_s$, (24)

$a_{f,i} \in R^n$, $i = 1, \ldots, q_x$, $b_{f,i} \in R^m$, $i = 1, \ldots, q_u$, (25)

such that the following hold

$\bigcap_{i=1}^{p_x} H_{a_i} \subseteq Z_o$, $\bigcap_{i=1}^{p_u} H_{b_i} \subseteq U_o$, $\bigcap_{i=1}^{p_s} H_{c_i} \subseteq Z_s$, (26)

$\bigcap_{i=1}^{q_x} H_{a_{f,i}} \subseteq ((XZ_o)(X_sZ_s))$, $\bigcap_{i=1}^{q_u} H_{b_{f,i}} \subseteq UU_o$. (27)

Further, o $= \sup_{z \in Z_o + Z_s,\ u_o \in U_o} \|C_q z + D_q u_o\|$ exists, where $Z_o + Z_s \subseteq X$. Sets $Z_s \subseteq X_s$ and $Z_o \subseteq X$ describe nominal, feasible states for safety-mode and standard-mode, respectively, and set $U_o \subseteq U$ describes nominal controls.

Note, for any convex region described by $V = \bigcap_{i=1}^{p} H_{n_i}$, then ellipsoid $E_P \subseteq V$ if

$n_i^T P^{-1} n_i \le 1$, $i = 1, \ldots, p$, (28)

with $P = P^T \succ 0$, as given in Section 5.2.2 of [7].

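Condition (28) can be checked numerically through the support function of the ellipsoid. The following is an added example, not code from the paper; it assumes $E_P := \{x : x^T P x \le 1\}$, a definition consistent with (28) but not stated in the text above, and the matrix and half-space normals are constructed. It also goes slightly beyond (28) by computing the largest uniform scaling of the ellipsoid that still fits.

```python
import math


def cholesky(P):
    """Lower-triangular L with P = L L^T; raises if P is not positive definite."""
    n = len(P)
    L = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1):
            s = P[i][j] - sum(L[i][k] * L[j][k] for k in range(j))
            if i == j:
                if s <= 0.0:
                    raise ValueError("P must be symmetric positive definite")
                L[i][i] = math.sqrt(s)
            else:
                L[i][j] = s / L[j][j]
    return L


def support(P, normal):
    """Maximum of normal^T x over E_P = {x : x^T P x <= 1} (assumed definition).

    The maximum equals sqrt(normal^T P^-1 normal), computed here as the
    Euclidean norm of w, where L w = normal and P = L L^T.
    """
    L = cholesky(P)
    w = []
    for i in range(len(normal)):
        w.append((normal[i] - sum(L[i][k] * w[k] for k in range(i))) / L[i][i])
    return math.sqrt(sum(v * v for v in w))


def violated_halfspaces(P, normals, tol=1e-12):
    """Indices i for which condition (28), n_i^T P^-1 n_i <= 1, fails."""
    return [i for i, nv in enumerate(normals)
            if support(P, nv) ** 2 > 1.0 + tol]


def largest_scale(P, normals):
    """Largest s such that the scaled set s * E_P lies in every half-space."""
    return 1.0 / max(support(P, nv) for nv in normals)


def sampled_support_2d(P, normal, samples=3600):
    """2-D cross-check: maximise normal^T x over sampled boundary points."""
    best = -math.inf
    for k in range(samples):
        angle = 2.0 * math.pi * k / samples
        c, s = math.cos(angle), math.sin(angle)
        quad = P[0][0] * c * c + 2.0 * P[0][1] * c * s + P[1][1] * s * s
        best = max(best, (normal[0] * c + normal[1] * s) / math.sqrt(quad))
    return best


# Constructed data: P and three half-space normals, H_n = {x : n^T x <= 1}.
P_EXAMPLE = [[2.0, 1.0], [1.0, 2.0]]
NORMALS = [(1.0, 0.0), (1.0, 1.0), (1.0, -1.0)]

if __name__ == "__main__":
    print(violated_halfspaces(P_EXAMPLE, NORMALS))
    print(largest_scale(P_EXAMPLE, NORMALS))
```

For the constructed data only the third half-space is violated, and shrinking the ellipsoid by the factor returned from `largest_scale` makes it tangent to that half-space.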
3.1 Standard-Mode FHC Algorithm
The SR-MPC standard-mode derives directly from our
R-MPC algorithm, as previously outlined. This section
will give a brief overview (See [3] for extensive detail).
The quadratic cost in Condition 2 can be rewritten as
$z^T Q z + u_o^T R u_o = \|C_v z + D_v u_o\|^2$ where

$C_v = \begin{bmatrix} H_q \\ 0 \end{bmatrix}$, $D_v = \begin{bmatrix} 0 \\ H_r \end{bmatrix}$, $Q = H_q^T H_q$, and $R = H_r^T H_r$,

which gives $C_v^T D_v = 0$. This property is useful for synthesis of control policies that generate feedback-invariant state tube $X_f()$ and terminal invariant set o.

Satisfaction of the following inequality from [3] establishes feedback-invariant state tube $X_f()$ for feedback policy $u_f = K_f$, satisfying Condition 5.
2
T
P
f
[(A+BK
f
)+E(+)+Fd ]
+
T
(Q+K
T
f
RK
f
)0 for
T
P
f
>
2
+d
2
, t,
(29)
provided P
f
=P
T
f
>0 and K
f
exist. Since d(t)1, t
t
0
, satisfaction of the above inequality also ensures a
bounded output vector y
f
for dierence system (21):
y
f

[t0,)
rc(P
f
, K
f
) +G =
f
(30)
where r =
_
1+
2
[t0,)
and c()=
_
_
_(C
y
+D
y
K
f
)P
1/2
f
_
_
_.
This bounding is used in the design of feedback gain $K_f$ to satisfy Condition 10, shown in [3], and makes use of nominal $y_o \to 0$. The following Lemma is used for construction of $P_f$ and $K_f$ that satisfy inequality (29):
Lemma 1 Consider the dierence dynamics (21) where
F(M) with Msatisfying Condition 8, and suppose
that the relationships (27) hold for sets X, Z
o
, X
s
, Z
s
, U,
and U
o
. Suppose there exist Q
f
=Q
T
f
>0, S
f
, Z=Z
T
>0,
> 0, and (X, Y ) N such that the following matrix
inequalities hold
_

_
V

Q
f
,S
f
,

E
1
Y Wq

Q
f
,S
f

T
E Wv

Q
f
,S
f

T
Y
T
E
T
Y Y
T
0 0
Wq

Q
f
,S
f

Y X 0 0

E
T
0 0 I 0
Wv

Q
f
,S
f

0 0 0 I
_

_
0, (31)
_
(G)
2
I C
y
Q
f
+D
y
S
f
Q
f
C
T
y
+S
T
f
D
T
y
Q
f
_
0,
_
Z S
f
S
T
f
Q
f
_
0, (32)
a
T
f,i
Q
f
a
f,i
1/(
2
+ 1), i = 1, ..., q
x
,
b
T
f,i
Zb
f,i
1/(
2
+ 1), i = 1, ..., q
u
,
(33)
where T is given in Condition 8,

E=[E F] , =

0
,
V(Q
f
, S
f
, ) = (AC
q
)Q
f
+Q
f
(AC
q
)
T
+(BD
q
)S
f
+S
T
f
(BD
q
)
T
+Q
f
,
W
q
(Q
f
,S
f
)=C
q
Q
f
+D
q
S
f
, W
v
(Q
f
,S
f
)=C
v
Q
f
+D
v
S
f
,
= T
21
D +T
22
, = E
1
T
21
,
= (T
11
D+T
12
)
1
, = T
11
(T
11
D+T
12
)
1
T
21
.
Let K
f
= S
f
Q
1
f
, P
f
= Q
1
f
, and R
f
= Z
1
. Then
the inequality (29) holds for the closed-loop dierence
system (21) with u
f
= K
f
, c(P
f
, K
f
) + G ,
X
f
() = E
P
f
/(
2
+1)
((XZ
o
) (X
s
Z
s
)) and
U
f
() = E
R
f
/(
2
+1)
UU
o
.
As noted in [3], matrix inequality (31) is an LMI for
a given , which is determined via a line search in the
solution of the following optimization problem:
max
Q
f
,S
f
,X,Y,Z,

f
such that Q
f
=Q
T
f

f
I,
(X, Y ) N, and LMIs (31),(32),(33).
(34)
Remark 5 The proof of Lemma 1 is in [3] and es-
tablishes X
f
() = E
P
f
/(1+
2
)


qx
i=1
H
a
f,i
. Since the
a
f,i
vectors are specified in the design process, satisfaction of the LMIs in Lemma 1 ensure X
f
()
((XZ
o
) (X
s
Z
s
)) from Condition 11.
Satisfaction of the following inequality and constraint from [3] establish invariant terminal set o = $E_{P_o}$ for terminal control policy $u_o = K_o z$, satisfying Condition 3. Note, o also satisfies Condition 4:

V
o
+z
T
(Q+K
T
o
RK
o
)z 0, z,t where
V
o
(z)=z
T
P
o
z, u
o
=K
o
z U
o
for z E
Po
and E
Po
X
o
,
(35)
provided $P_o = P_o^T > 0$ and $K_o$ exist. The following Lemma is used to construct $P_o$ and $K_o$ that satisfy (35).
Lemma 2 Consider the nominal system dynamics (15)
where F(M) with M satisfying Condition 8. Sup-
pose there exist Q
o
= Q
T
o
> 0, S
o
, and (X, Y ) N such
that the following LMIs hold:
_

_
V(Qo, So, 0) E
1
Y Wq(Qo,So)
T

T
Wv(Qo,So)
T
Y
T

T
E
T
Y Y
T
0
Wq(Qo,So) Y X 0
Wv(Qo,So) 0 0 I
_

_
0, (36)
a
T
i
Q
o
a
i
1, i =1,..., p
x
,
_
1 b
T
i
S
o
S
T
o
b
i
Q
o
_
0, i =1,..., p
u
,
(37)
with T and matrix functions V, $W_q$, $W_v$ from Lemma 1. Let $K_o = S_o Q_o^{-1}$ and $P_o = Q_o^{-1}$. Then the conditions in (35) hold, establishing o = $E_{P_o}$ as a terminal invariant set for closed-loop nominal system (15) with $u_o = K_o z$.
A proof is provided in [3], and the following LMI optimization problem is used to generate $Q_o$ and $K_o$:
max
Qo,So,X,Y

o
such that Q
o
=Q
T
o

o
I,
(X, Y ) N, and LMIs (36),(37).
(38)
3.2 Safety Mode for a Subclass of Systems
The following form for nominal system (15) is used in the design of nominal safety-mode control policy ($u_o \equiv u_{os}$):

z = A z +Ar
s
+Bu
os
+E(t, v
o
),
y
os
= C
y
z +D
y
u
os
+C
y
r
s
,
v
o
= C
q
z +D
q
u
os
+C
q
r
s
,
(39)
where safety state z = z r_s, safety reference $r_s$ is fixed at safety-activation time $t_s$, and $y_o \equiv y_{os}$ during safety mode. Two special subclasses of system (39) are presented that provide the safety-mode component of Theorem 1 and satisfaction of Condition 6. The cases are motivated by practical application of SR-MPC.
3.2.1 Subclass I
This subclass is representative of mechanical systems
that can come to rest at arbitrary positions and that have
velocity-dependent nonlinearities (e.g., hovercraft/road
vehicles with velocity-dependent drag).
Condition 12 Safety reference $r_s$ for Subclass I satisfies

$r_s \in N(A) \cap N(C_q)$, (40)

where N(X) is the null-space of a matrix X.

Recall, $r_s$ is defined by mapping $\mathcal{T}$ in (13). The above condition implies $\mathcal{T}$ is such that $A r_s = 0$ and $C_q r_s = 0$.
Corollary 1 Consider a class of systems modeled by
(15) with F(M) and satisfying Condition 8, with
state and control constraints in Condition 11, and r
s
satisfying Condition 12. Suppose there exist matrices
Q
s
= Q
T
s
> 0, R
s
, and (X, Y ) N satisfying the LMIs:
_

Qs(AE
1
T
21
Cq)
T
+(AE
1
T
21
Cq)Qs
+(BE
1
T
21
Dq)Rs
+R
T
s
(BE
1
T
21
Dq)
T

E
1
Y

QsC
T
q

T
+R
T
s
D
T
q

T

Y
T
E
T
Y Y
T
CqQs+DqRs Y X
_

_
0, (41)
c
T
i
Q
s
c
i
1, i = 1, . . . , p
s
, and
_
1 b
T
i
R
s
R
T
s
b
i
Q
s
_
0, i = 1, . . . , p
u
,
(42)
where T is given in Condition 8,
=T
21
D+T
22
, =(T
11
D+T
12
)
1
, =T
11
T
21
. (43)
If safety-mode control u
s
= K
s
(t, x, r
s
) is given by
K
s
(t, x, r
s
)=K
s
(zr
s
)+K
f
(xz), K
s
=R
s
Q
1
s
, (44)
where r
s
=T (z(t
s
)) and K
f
and X
f
() are obtained as in
Lemma 1, then E
S
Z
s
with S=Q
1
s
satises Condition
11, {r
s
}+E
S
+X
f
() is invariant for the actual dynamics
(14), and E
S
+X
f
() X
s
. Further, u
s
=K
s
(t, x, r
s
)
U, xZ
o
+E
S
+X
f
() and r
s
Z
o
.
PROOF. Let V
s
( z) = z
T
Q
1
s
z be a Lyapunov
function candidate. Pre- and post-multiply (41) by
diag(Q
1
s
, Y
1
, I), use K
s
= R
s
Q
1
s
from (44), let
K
q
= C
q
+D
q
K
s
, and rearrange terms to obtain
_

_
_
_
_
_
_
Q
1
s
A+A
T
Q
1
s
+Q
1
s
BKs + K
T
s
B
T
Q
1
s
Q
1
s
E
1
T21Kq
K
T
q
T
T
21

T
E
T
Q
1
s
_
_
_
_
_
Q
1
s
E
1
K
T
q

T

T
E
T
Q
1
s
Y
1

T
Kq X
_

_
0. (45)
A Schur complement of the above is equivalent to
_

_
_
_
_
_
Q
1
s
A+A
T
Q
1
s
+Q
1
s
BK
s
+K
T
s
B
T
Q
1
s
Q
1
s
E
1
T
21
K
q
K
T
q
T
T
21

T
E
T
Q
1
s
_
_
_
_
Q
1
s
E
1

T
E
T
Q
1
s
0
_

_
+
_
K
q
0
0 I
_T_

0 I
_T_
X
1
0
0 Y
1
__

0 I
__
K
q
0
0 I
_
0.
(46)
and then post- and pre-multiplying (46) by matrix
_
I 0
T21Kq

and its transpose, respectively, gives


_
_
Q
1
s
A+A
T
Q
1
s
+Q
1
s
BKs+K
T
s
B
T
Q
1
s
Q
1
s
E
E
T
Q
1
s
0
_
_
+
_
_
Kq 0
T
21
Kq
_
_
T_
_

0 I
_
_
T_
_
X
1
0
0 Y
1
_
_
_
_

0 I
_
_
_
_
Kq 0
T
21
Kq
_
_
0.
(47)
Making use of (43) with T dened in Condition 8, then
_

0 I
__
K
q
0
T
21
K
q

_
= T
_
K
q
D
0 I
_
, (48)
from which inequality (47) becomes
_

_
_
Q
1
s
A+A
T
Q
1
s
+Q
1
s
BKs+K
T
s
B
T
Q
1
s
_
Q
1
s
E
E
T
Q
1
s
0
_

_+
_
Kq D
0 I
_T
M
_
Kq D
0 I
_
0, (49)
where M M. Pre- and post-multiplying this inequal-
ity by [ z
T

T
] and its transpose, respectively, gives
z
T
Q
1
s

z+

z
T
Q
1
s
z +
_
q
o

_T
M
_
q
o

_
0, (50)
where q
o
= v
o
+D, u
os
= K
s
z, and v
o
and

z are from
(39) with Condition 12 satised. Since F(M) with
q
o
, the above inequality implies
z
T
Q
1
s
(A z+Bu
os
+E)+(A z+Bu
os
+E)
T
Q
1
s
z 0,(51)
hence,

V
s
( z)0. Thus, E
S
is an invariant set for z [4,14].
The first set of inequalities in (42) imply $E_S \subseteq \bigcap_{i=1}^{p_s} H_{c_i} \subseteq Z_s$, as indicated by inequality (28) and the definitions in Condition 11. Pre- and post-multiply the second set of inequalities in (42) by matrix diag(I, $Q_s^{-1}$) to obtain
_
1 b
T
i
K
s
K
T
s
b
i
Q
1
s
_
0, i = 1, . . . , p
u
, (52)
where K
s
= R
s
Q
1
s
. Now, a Schur complement and pre-
and post-multiplication by z
T
and z, respectively, gives
u
T
os
b
i
b
T
i
u
os
z
T
Q
1
s
z, i = 1, . . . , p
u
, (53)
where u
os
=K
s
z, which implies |b
T
i
u
os
|1 when zE
S
.
Since
pu

i=1
H
bi
U
o
in Condition 11, then u
os
U
o
when
z E
S
. Further, since u
s
=u
os
+u
f
has u
f
=K
f
(xz),
and u
f
U
f
() for all xz X
f
() (per Lemma 1), then
safety-mode control u
s
U, with U dened in (6). The
remainder of the proof follows Theorem 1, part II. 2
3.2.2 Subclass II
This subclass is representative of mechanical systems that have position-dependent nonlinearities that do not disappear when the system comes to rest at arbitrary positions (e.g., spacecraft hovering in a gravity field).
Condition 13 Safety reference state $r_s$ satisfies

$r_s \in N(A)$. (54)
Condition 14 There exists scalar
s
> 0 such that
(t, v
o
)
s
, t, z Z
o
+Z
s
, u
o
U
o
, (55)
where function () is from nominal system (39).
Note, Conditions 9 and 14 together imply actual-system nonlinearity is bounded over the domain of $v_o$, $\forall t$; this bound is not needed to establish the safety control policy. The matrix inequality (56) below is an LMI for a given , which is determined via a line search.
Corollary 2 Consider a class of systems modeled by
(15) with satisfying Condition 14, with state and control constraints in Condition 11, and $r_s$ satisfying Condition 13. Suppose there exist matrices $Q_s = Q_s^T > 0$ and $R_s$ and scalar > 0 satisfying the matrix inequalities:
_
_
Q
s
A
T
+AQ
s
+BR
s
+R
T
s
B
T
+Q
s
E
E
T

2
s
I
_
_
0, (56)
c
T
i
Q
s
c
i
1, i = 1, . . . , p
s
, and
_
1 b
T
i
R
s
R
T
s
b
i
Q
s
_
0, i = 1, . . . , p
u
.
(57)
If safety-mode control u
s
= K
s
(t, x, r
s
) U is given by
K
s
(t, x, r
s
)=K
s
(zr
s
)+K
f
(xz), K
s
=R
s
Q
1
s
, (58)
where r
s
=T (z(t
s
)), and K
f
and X
f
() are obtained as in
Lemma 1, then E
S
Z
s
with S=Q
1
s
satisfies Condition
11, {r
s
}+E
S
+X
f
() is invariant for the actual dynamics
(14), and E
S
+X
f
()X
s
. Further, u
s
=K
s
(t, x, r
s
)U
for all xZ
o
+E
S
+X
f
() and r
s
Z
o
.
PROOF. Let V
s
( z) = z
T
Q
1
s
z be a Lyapunov function
candidate. Pre- and post-multiply (56) by diag(Q
1
s
, I),
use K
s
= R
s
Q
1
s
from (58), and then pre- and post-
multiply by
T
and , respectively, where = ( z
T
,
T
)
T
:
z
T
(A
T
Q
1
s
+Q
1
s
A) z +2 z
T
Q
1
s
(Bu
os
+E)
+( z
T
Q
1
s
z
1

2
s

T
)0,
with u
os
= K
s
z. Since satisfies Condition 14, then
1

2
s

T
z
T
Q
1
s
z when z
T
Q
1
s
z 1.
Since > 0, this further implies that when z
T
Q
1
s
z 1,
z
T
(A
T
Q
1
s
+Q
1
s
A) z + 2 z
T
Q
1
s
(Bu
os
+E)0,
and hence

V
s
( z) 0 when z
T
Q
1
s
z 1. Thus, E
S
is
an invariant set for z [4,14]. The remainder of the proof
follows identically with that of Corollary 1. □
3.2.3 Bounded Performance Output in Safety-Mode
During safety mode, the actual-system output y is not bounded as in standard mode since the nominal output $y_{os}$, in the general case, does not asymptotically go to 0. However, the nominal output $y_{os}$ will be bounded. For $u_{os} = K_s z$, the following holds for system (39):
y
os

[ts,)
(C
y
+D
y
K
s
) z +C
y
r
s
.
Let z = S
1/2
z, then z 1, z E
S
, since z
2
=
z
T
z = z
T
S z 1. Thus,
y
os

[ts,)
(C
y
+D
y
K
s
)S
1/2
z+C
y
r
s

os
, (59)
where
os
= (C
y
+D
y
K
s
)S
1/2
+C
y
r
s
. The safety-
mode bound on y
f
follows from (30), with r (renamed
r
s
) set by the safety-mode operational domain:
y
f

[ts,)
r
s
c(P
f
, K
f
) +G =
fs
,
r
s
=
_
1 +
2
[ts,)
=
_
1 + (

s
)
2
.
(60)
The r
s
value comes from Condition 9 and z E
S
:

[ts,)

v
o

[ts,)

s
,
where
s
is defined by
v
o

[ts,)
= sup
zE
S
(C
q
+D
q
K
s
) z +C
q
r
s

(C
q
+D
q
K
s
)S
1/2
+C
q
r
s
=
s
.
Note, safety subclass I (Section 3.2.1) has r
s
N(C
q
),
so the
s
expression further simplifies. The overall bound
on performance output y = y
os
+y
f
in safety mode is
y(t)
[ts,)
y
os
+y
f

os
+
fs
=
s
. (61)
4 An Illustrative Example
The following simplified example illustrates SR-MPC for a system that satisfies Corollary 2: a mechanical system with an exogenous disturbance and a position-dependent nonlinearity that persists when the system comes to rest (e.g., a spacecraft hovering in a comet gravity field and experiencing comet outgassing disturbances).
x
1
=x
2
, x
2
=u0.1(t) sin
2
(x
1
)+0.1d(t), y = x
1
, (62)
where disturbance d(t) 1, t, (t)[0, 0.5], t, is an
unknown time-varying parameter, and x(0) = (4, 0.4)
T
.
This system can be rewritten like system (14) with
(v, t) = (t) sin
2
(v), v = x
1
= C
q
x +D
q
u,
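$$A = \begin{bmatrix} 0 & 1 \\ 0 & 0 \end{bmatrix}, \quad B = \begin{bmatrix} 0 \\ 1 \end{bmatrix}, \quad E = \begin{bmatrix} 0 \\ 0.1 \end{bmatrix}, \quad F = \begin{bmatrix} 0 \\ 0.05 \end{bmatrix},$$
$$C_y = \begin{bmatrix} 1 & 0 \end{bmatrix}, \quad D_y = 0, \quad G = 0, \quad C_q = \begin{bmatrix} 1 & 0 \end{bmatrix}, \quad D_q = 0.$$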
The chosen nominal system (15) uses A, B, E, $C_q$, $D_q$ and the following model for actual uncertainty (v, t):
(v
o
, t) =
o
sin
2
(v
o
), v
o
= C
q
z,
o
= 0.2.
The nonlinearity mismatch (t, v
o
) is bounded: (t, v
o
)
= (t, v
o
) (t, v
o
) 0.3, which satisfies Condition
9 with

= 0.3 and

= 0. Further, the nominal nonlinearity satisfies Condition 14 with
s
= 0.2. Since

= 0, then =

= 0.3 in Lemma 1 for the generation


of the feedback policy and state tube X
f
().
Nonlinearities and satisfy the IQI in Condition 7
and the QI of (17) for D = 0, which gives q = v. The
nonlinearities also satisfy Condition 8: see Appendix C2
of [3] for uncertainties/nonlinearities with Jacobians in
convex sets. In short, the Jacobian of is bounded:

q
(q) = 2(t) sin(q) cos(q)
_
_
_
_

q
_
_
_
_
0.5.
Thus, =(t)q, (t) , where ={ : 0.5}.
Condition 8 is satisfied with N = {(X, Y ) : X = X
T
>
0, Y =Y
T
>0} and T =
_
1 0
5.54510
8
1

. One valid (X, Y )


matrix pair, used for this example, is (0.0831, 0.1011).
The FHC time horizon is $T_f = 30$ seconds with re-solves every 2 seconds, and the FHC cost function $h(z, u_o)$ has $R = 1$ and $Q = \begin{bmatrix} 1 & 0 \\ 0 & 0.01 \end{bmatrix}$. The standard-mode performance bound is = 0.1. The actual state and control constraints are x
1
[0.35, 5], x
2
[1, 1], and
u 1.4. The safety requirement is x
1
[0.2, 0.2]
with safety reference r
s
being nominal rest (z
2
= 0) at
the safety-activation nominal position z
FHC,1
(t
s
):
r
s
= T
s
z
FHC
(t
s
) =
_
zFHC,1(ts)
0
_
, T
s
= [
1 0
0 0
],
where T
s
() = T
s
. Note, $r_s$ satisfies Condition 13 and essentially sets a safe stopping distance for a moving vehicle. By specifying safety constraints only on the nominal position, the SR-MPC algorithm intrinsically bounds the velocity in the generation of safety ellipse $E_S$.
The constraints are partitioned as in Condition 11 and
can be shown to satisfy the constraint sets in (6):
a
i
=
__
1
4.8
0
_
,
_

1
0.15
0
_
,
_
0
1
0.9
_
,
_
0

1
0.9
__
, b
i
=
_
1
1.15
,
1
1.15
_
,
c
i
=
__
1
0.15
0
_
,
_

1
0.15
0
__
,
a
f,i
=
__
1
0.1
0
_
,
_

1
0.1
0
_
,
_
0
1
0.2
_
,
_
0

1
0.2
__
, b
f,i
=
_
1
0.25
,
1
0.25
_
Values $a_i$ bound set $Z_o$, $c_i$ bound set $Z_s$, and $a_{f,i}$ describe the set that bounds $X_f()$. Values $b_i$ and $b_{f,i}$ bound $u_o$ 1.2 and $u_f$ 0.2, respectively, and form the bounds for sets $U_o$ and $U_f()$, respectively.
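In the LMI line searches, the offline design for $X_f$ gives = 0.8 and for $Z_s$ gives = 0.01. The resultant terminal-set, feedback-set, and safety-set matrices are
$$K_o = \begin{bmatrix} 2.9302 & 3.0359 \end{bmatrix}, \quad P_o = \begin{bmatrix} 100.39 & 3.7115 \\ 3.7115 & 35.124 \end{bmatrix},$$
$$K_s = \begin{bmatrix} 6.4983 & 2.1992 \end{bmatrix}, \quad S = \begin{bmatrix} 61.731 & 9.6611 \\ 9.6611 & 6.8179 \end{bmatrix},$$
$$K_f = \begin{bmatrix} 2.0047 & 2.0139 \end{bmatrix}, \quad P_f = \begin{bmatrix} 127.71 & 40.240 \\ 40.240 & 86.531 \end{bmatrix}, \quad R_f = 17.440.$$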
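The state and control conditions in (57), like the steps behind (53) and the output bound (59), reduce to the largest value a linear function of the nominal state can take on the safety ellipse. The Python sketch below is an added example, not code from the paper: it takes S, K_s and the 0.15 and 1.15 half-widths exactly as printed in this copy (no signs are restored; flipping the sign of K_s as a whole leaves the bound unchanged) and cross-checks the closed form against a sweep of the ellipse boundary.

```python
import math

# Values as printed in the example: S defines the nominal safety ellipse
# {z : z^T S z <= 1}; K_S is the safety-mode feedback gain.
S = [[61.731, 9.6611], [9.6611, 6.8179]]
K_S = [6.4983, 2.1992]
# Half-widths read from c_i = (+-1/0.15, 0) and b_i = +-1/1.15 in the example.
Z1_HALF_WIDTH = 0.15
UO_HALF_WIDTH = 1.15

def inv2(m):
    """Inverse of a 2x2 matrix."""
    (a, b), (c, d) = m
    det = a * d - b * c
    return [[d / det, -b / det], [-c / det, a / det]]

def ellipse_max(row, s):
    """Closed form: max |row . z| over z^T s z <= 1 is sqrt(row s^-1 row^T)."""
    q = inv2(s)
    quad = sum(row[i] * q[i][j] * row[j] for i in range(2) for j in range(2))
    return math.sqrt(quad)

def ellipse_max_sampled(row, s, n=20000):
    """Independent check: sweep the boundary z = L^-T (cos t, sin t), s = L L^T."""
    l11 = math.sqrt(s[0][0])
    l21 = s[1][0] / l11
    l22 = math.sqrt(s[1][1] - l21 * l21)
    best = 0.0
    for k in range(n):
        t = 2.0 * math.pi * k / n
        z2 = math.sin(t) / l22                # back-substitution in L^T z = w
        z1 = (math.cos(t) - l21 * z2) / l11
        best = max(best, abs(row[0] * z1 + row[1] * z2))
    return best

def safety_ellipse_report():
    """Worst-case nominal position, velocity and control over the ellipse."""
    return {
        "max_z1": ellipse_max([1.0, 0.0], S),
        "max_z2": ellipse_max([0.0, 1.0], S),
        "max_uos": ellipse_max(K_S, S),
    }

if __name__ == "__main__":
    print(safety_ellipse_report())
```

With the printed values the position and control maxima fall inside 0.15 and 1.15, and the velocity maximum is finite even though only position is constrained.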
Figure 4 compares R-MPC [3] and SR-MPC (standard-mode). The same $X_f()$ and $U_f()$ are used, but a larger nominal domain $X_o = Z_o + Z_s$ is used for R-MPC since it does not include safety mode ($Z_s$ 0).
Both R-MPC and SR-MPC asymptotically converge
into terminal set
o
(Figure 4). The invariant tube $X_f()$ contains difference state (t)=x(t)z(t) and guarantees FHC re-solvability via relaxation (11), even when the actual trajectory leaves the nominal constraint set as in the R-MPC case. The relaxation allows discontinuous nominal trajectories, but the actual trajectories stay continuous. For R-MPC, the feedback-tube constraint
is XX
o
, while for SR-MPC, Condition 27 provides the constraint. The maximum SR-MPC velocity ($z_{\mathrm{FHC},2}(t)$) is limited by FHC safety constraint (12), which ensures safety-mode availability (Control Objective II). This result is intuitive: to ensure a desired vehicle stopping distance, the maximum speed must be bounded.
Figure 5 shows SR-MPC safety-mode activation due to an unexpected actual-system constraint. Recall, we assume perfect state knowledge (visibility) inside and on the boundary of $X_s$. The SR-MPC safety mode can be activated at any time due to FHC safety constraint (12). Per design, the safety-mode nominal trajectory remains within $Z_s$ (gray ellipse), and the actual trajectory remains within $X_s$ (green ellipse). These sets satisfy the design constraints in Condition 11.
[Figure 4: two phase-plane panels (axes x_1, x_2), each with a disturbance inset (axes d_1, d_2); legend entries include x(t), z(t), d(t), resolve, and the constraint sets.]
Fig. 4. (top) R-MPC without FHC safety constraint; (bottom) SR-MPC standard mode with FHC safety constraint.
[Figure 5: phase-plane plot (axes x_1, x_2) with a disturbance inset (axes d_1, d_2); annotations include "Unexpected Obstacle" and r_s.]
Fig. 5. SR-MPC operates in standard mode until unexpected obstacle is encountered and safety mode is triggered.
[Figure 6: time histories of u, u_o, and u_f versus Time (sec), with the U and U_o constraint bounds and re-solve times marked.]
Fig. 6. SR-MPC standard-mode control is within bounds.
Figure 6 shows SR-MPC standard-mode control com-
ponents satisfying the control constraints. The R-MPC
comparison and SR-MPC safety-mode simulations also
satisfy the constraints (omitted for brevity), and the SR-
MPC performance outputs are within bounds, as pre-
scribed in standard-mode design and as calculated for
safety mode (Section 3.2.3); results omitted for brevity.
5 Conclusions
The SR-MPC algorithm combines two operation modes
and ensures satisfaction of state and control constraints
and robustness to uncertainty. In standard mode, the
control algorithm provides asymptotic stability to the
origin and re-solvability guarantees once an initial feasi-
ble solution is obtained. The reactive safety mode, if ini-
tiated, contains the closed-loop states within an invari-
ant set about a desired safety reference for all time. The
algorithm allows safety-mode activation at any arbitrary
time, which is the major contribution of this research.
This algorithm is applicable to systems with state con-
straints that might change after initial feasibility is es-
tablished in standard mode; e.g., another vehicle cross-
ing/stopping in the feasible path, or unexpected proxim-
ity/altitude relative to the ground. If state constraints
change, the guaranteed immediate availability of safety
mode allows entry into an invariant safety state for all
time. From this state, a higher-level, control-decision-
making process (outside the scope of this paper) can
search for a new feasible solution.
Acknowledgements
This research was funded by AFOSR MURI grant
FA9550-06-1-0303 and JPL internal R&D. Publication
support was provided by the Jet Propulsion Laboratory,
California Institute of Technology, under a contract with
the National Aeronautics and Space Administration.
References
[1] B. Açıkmeşe and J.M. Carson. A robust model predictive control algorithm with guaranteed resolvability. Document D-32947, Jet Propulsion Laboratory, September 2005. http://hdl.handle.net/2014/40902.
[2] B. Açıkmeşe and J.M. Carson. A nonlinear model predictive control algorithm with proven robustness and resolvability. In Proc. of the American Control Conference, pages 887–893, Minneapolis, 2006.
[3] B. Açıkmeşe, J.M. Carson, and D.S. Bayard. A robust model predictive control algorithm for incrementally conic uncertain/nonlinear systems. International Journal of Robust and Nonlinear Control, 21(5):563–590, 2011.
[4] B. Açıkmeşe and M. Corless. Robust tracking and disturbance rejection of bounded rate signals for uncertain/non-linear systems. International Journal of Control, 76(11):1129–1141, 2003.
[5] A. Bemporad, F. Borelli, and M. Morari. Model predictive control based on linear programming - the explicit solution. IEEE Trans. on Automatic Control, 47(12):1974–1985, 2002.
[6] A. Bemporad, M. Morari, V. Dua, and E.N. Pistikopoulos. The explicit linear quadratic regulator for constrained systems. Automatica, 38(1):3–20, 2002.
[7] S. Boyd, L. El Ghaoui, E. Feron, and V. Balakrishnan. Linear Matrix Inequalities in System and Control Theory. SIAM, 1994.
[8] J.M. Carson. Robust Model Predictive Control with a Reactive Safety Mode. PhD thesis, California Institute of Technology, 2008.
[9] J.M. Carson and B. Açıkmeşe. A model-predictive control technique with guaranteed resolvability and required thruster silent times for small-body proximity operations. In Proc. of the AIAA GN&C Conference and Exhibit, Keystone, 2006.
[10] J.M. Carson, B. Açıkmeşe, R.M. Murray, and D.G. MacMynowski. A robust model predictive control algorithm with a reactive safety mode. In Proc. of the International Federation of Automatic Control Conference, Seoul, 2008.
[11] J.M. Carson, B. Açıkmeşe, R.M. Murray, and D.G. MacMynowski. Robust model predictive control with a safety mode: Applied to small-body proximity operations. In Proc. of the AIAA GN&C Conference and Exhibit, Honolulu, 2008.
[12] H. Chen and F. Allgöwer. A quasi-infinite horizon nonlinear model predictive control scheme with guaranteed stability. Automatica, 34(10):1205–1217, 1998.
[13] A.A. Jalali and V. Nadimi. A survey on robust model predictive control from 1999-2006. In Proc. of the International Conference on CIMCA-IAWTIC, pages 207–212, Sydney, 2006.
[14] H.K. Khalil. Nonlinear Systems, Second Edition. Prentice Hall, 1996.
[15] M.V. Kothare, V. Balakrishnan, and M. Morari. Robust constrained model predictive control using linear matrix inequalities. Automatica, 32(10):1361–1379, 1996.
[16] Y. Kuwata, T. Schouwenaars, A. Richards, and J. How. Robust constrained receding horizon control for trajectory planning. In Proc. of the AIAA GN&C Conference and Exhibit, San Francisco, 2005.
[17] W. Langson, I. Chryssochoos, S.V. Rakovic, and D.Q. Mayne. Robust model predictive control using tubes. Automatica, 40(1):125–133, 2004.
[18] M. Magni, H. Nijmeijer, and A. Van Der Schaft. A receding horizon approach to the nonlinear H∞ control problem. Automatica, 37(3):429–435, 2001.
[19] D.Q. Mayne, J.B. Rawlings, C.V. Rao, and P.O.M. Scokaert. Constrained model predictive control: Stability and optimality. Automatica, 36(6):789–814, 2000.
[20] D.Q. Mayne, M.M. Seron, and S.V. Rakovic. Robust model predictive control of constrained linear systems with bounded disturbances. Automatica, 41(2):219–224, 2005.
[21] H. Michalska and D.Q. Mayne. Robust receding horizon control of constrained nonlinear systems. IEEE Trans. on Automatic Control, 38(11):1623–1633, 1993.
[22] S.V. Rakovic, A.R. Teel, D.Q. Mayne, and A. Astolfi. Simple robust control invariant tubes for some classes of nonlinear discrete time systems. In Proc. of the 45th IEEE Conference on Decision & Control, pages 6397–6402, San Diego, 2006.
[23] S.V. Rakovic and D.Q. Mayne. A simple tube controller for efficient robust model predictive control of constrained linear discrete time systems subject to bounded disturbances. In Proc. of the 16th IFAC World Congress, Prague, 2005.
[24] J.B. Rawlings and K.R. Muske. The stability of constrained receding horizon control. IEEE Trans. on Automatic Control, 38(10):1512–1516, 1993.
[25] A.G. Richards and J.P. How. Robust stable model predictive control algorithm with constraint tightening. In Proc. of the American Control Conference, pages 1557–1562, 2006.
[26] T. Schouwenaars, J. How, and E. Feron. Receding horizon path planning with implicit safety guarantees. In Proc. of the American Control Conference, pages 5576–5581, 2004.
[27] P.O.M. Scokaert and D.Q. Mayne. Min-max feedback model predictive control for constrained linear systems. IEEE Trans. on Automatic Control, 43(8):1136–1142, 1998.
[28] R.S. Smith. Robust model predictive control of constrained linear systems. In Proc. of the American Control Conference, pages 245–250, Boston, 2004.