Kun Wang,Tao Meng,Weijia Wang,Jiakun Lei

DOI: https://doi.org/10.1016/j.asr.2023.11.035

IF: 2.611

2024-01-01

Advances in Space Research

Abstract:In this paper, the safety control problem for spacecraft inspection mission is investigated, which means that there is no position and attitude obstacle collisions between the inspection spacecraft and the defined forbidden zones. We propose a control strategy that ensures safety, utilizing the control barrier function to address multiple safety constraints with logical relationships among them. Firstly, the position and attitude constraints are defined, and the hybrid logical relationship among different attitude constraints is analyzed. To handle complex position and attitude constraints, the Kreisselmeier-Steinhauser function is introduced to approximate the max/min function, thereby expressing them as continuous and differentiable functions. Subsequently, the control barrier function-based quadratic programming (CBF-QP) problems are solved to generate safe velocity and angular velocity. These problems have explicit solutions and do not require extensive computational resources. The safe position and attitude are then obtained by integrating the safe velocity and angular velocity. Notably, the forbidden regions are expanded by a constant in the construction of CBF-QP problems, which acts as a margin for the tracking controller’s performance. Finally, attitude and position tracking controllers based on the control Lyapunov barrier function (CLBF) are designed respectively, taking into account the lumped disturbance in the system, which means that the attitude and position control are computed independently. Numerical simulation results demonstrate that the proposed control strategy effectively handles complex constraints in inspection missions, ensuring system stability and safety, even under severe conditions.

Kyle Dunlap,Kochise Bennett,David van Wijk,Nathaniel Hamilton,Kerianne Hobbs

2024-06-18

Abstract:The trial and error approach of reinforcement learning (RL) results in high performance across many complex tasks, but it can also lead to unsafe behavior. Run time assurance (RTA) approaches can be used to assure safety of the agent during training, allowing it to safely explore the environment. This paper investigates the application of RTA during RL training for a 6-Degree-of-Freedom spacecraft inspection task, where the agent must control its translational motion and attitude to inspect a passive chief spacecraft. Several safety constraints are developed based on position, velocity, attitude, temperature, and power of the spacecraft, and are all enforced simultaneously during training through the use of control barrier functions. This paper also explores simulating the RL agent and RTA at different frequencies to best balance training performance and safety assurance. The agent is trained with and without RTA, and the performance is compared across several metrics including inspection percentage and fuel usage.

Systems and Control

Cassie-Kay McQuinn,Kyle Dunlap,Nathaniel Hamilton,Jabari Wilson,Kerianne L. Hobbs

2024-02-23

Abstract:A fundamental capability for On-orbit Servicing, Assembly, and Manufacturing (OSAM) is inspection of the vehicle to be serviced, or the structure being assembled. This research assumes autonomous slewing to maintain situational awareness of multiple vehicles operating in close proximity where several safety constraints must be satisfied. A variety of techniques may be used as the primary controller. The focus of this research is developing Run Time Assurance (RTA) filters that monitor system behavior and the output of the primary controller to enforce safety constraint satisfaction. Specifically, this research explores combining a subset of the constraints into an Active Set Invariance Filter (ASIF) RTA defined using control barrier functions. This method is minimally invasive to the primary control by minimizing deviation from the desired control output of the primary controller, while simultaneously enforcing all safety constraints. The RTA is designed to ensure the spacecraft maintains attitude requirements for communication and data transfer with a ground station during scheduled communication windows, adheres to conical attitude keep out zones, limits thermally unfavorable attitude duration, maintains attitude requirements for sufficient power generation, ensures maneuvers are below threshold to cause structural damage, ensures maximum angular velocity is below limits to maintain ability to respond quickly to new slewing commands, and conserves actuator use to prevent wear when possible. Slack variables are introduced into the ASIF controller to prioritize safety constraints when a solution to all safety constraints is infeasible. Monte Carlo simulation results as well as plots of example cases are shown and evaluated for a three degree of freedom spacecraft with reaction wheel attitude control.

Systems and Control

Kyle Dunlap,Michael Hibbard,Mark Mote,Kerianne Hobbs

DOI: https://doi.org/10.1109/lcsys.2021.3135260

2022-01-01

IEEE Control Systems Letters

Abstract:Run Time Assurance (RTA) systems are online safety verification techniques that filter the output of a primary controller to assure safety. RTA approaches are used in safety-critical control to intervene when a performance-driven primary controller would cause the system to violate safety constraints. This letter presents four categories of RTA approaches based on their membership to explicit or implicit monitoring and switching or optimization interventions. To validate the feasibility of each approach and compare computation time, four RTAs are defined for a three-dimensional spacecraft docking example with safety constraints on velocity.

Umberto Ravaioli,Kyle Dunlap,Kerianne Hobbs

DOI: https://doi.org/10.48550/arXiv.2209.01120

2022-09-02

Abstract:With the rise of increasingly complex autonomous systems powered by black box AI models, there is a growing need for Run Time Assurance (RTA) systems that provide online safety filtering to untrusted primary controller output. Currently, research in RTA tends to be ad hoc and inflexible, diminishing collaboration and the pace of innovation. The Safe Autonomy Run Time Assurance Framework presented in this paper provides a standardized interface for RTA modules and a set of universal implementations of constraint-based RTA capable of providing safety assurance given arbitrary dynamical systems and constraints. Built around JAX, this framework leverages automatic differentiation to populate advanced optimization based RTA methods minimizing user effort and error. To validate the feasibility of this framework, a simulation of a multi-agent spacecraft inspection problem is shown with safety constraints on position and velocity.

Systems and Control

Kyle Dunlap,Nathaniel Hamilton,Zachary Lippay,Matthew Shubert,Sean Phillips,Kerianne L. Hobbs

2024-05-11

Abstract:On-orbit spacecraft inspection is an important capability for enabling servicing and manufacturing missions and extending the life of spacecraft. However, as space operations become increasingly more common and complex, autonomous control methods are needed to reduce the burden on operators to individually monitor each mission. In order for autonomous control methods to be used in space, they must exhibit safe behavior that demonstrates robustness to real world disturbances and uncertainty. In this paper, neural network controllers (NNCs) trained with reinforcement learning are used to solve an inspection task, which is a foundational capability for servicing missions. Run time assurance (RTA) is used to assure safety of the NNC in real time, enforcing several different constraints on position and velocity. The NNC and RTA are tested in the real world using unmanned aerial vehicles designed to emulate spacecraft dynamics. The results show this emulation is a useful demonstration of the capability of the NNC and RTA, and the algorithms demonstrate robustness to real world disturbances.

Systems and Control

David van Wijk,Kyle Dunlap,Manoranjan Majji,Kerianne Hobbs

DOI: https://doi.org/10.2514/1.i011391

2024-09-14

Journal of Aerospace Information Systems

Abstract:While reinforcement learning (RL) offers high-performance solutions to complex tasks, its trial-and-error paradigm presents safety concerns when exploring unsafe states may be unacceptable. Safety filtering or run-time assurance (RTA) approaches can be used to monitor the RL agent’s desired control and prevent the agent from taking unsafe actions by satisfying safety constraints during and after training. This study investigates the problem of on-orbit inspection of a chief spacecraft using a deputy spacecraft controlled by an RL agent with safety constraints. Several constraints on the state space are enforced using discrete control barrier functions and an optimization-based RTA system. This assures the safety of the deputy spacecraft and its sensors even with a neural-network-based primary controller. A detailed analysis of RL agent performance for eight separate experiments is presented, including each safety constraint individually, all constraints simultaneously, and no constraints. Results demonstrate that the RL agent can complete the inspection task while adhering to safety constraints in a simulated RL environment. These results also show that the RTA system can aid the RL agent in learning a successful policy over fewer time steps but may lead to higher fuel usage, depending on the constraint(s) enforced.

engineering, aerospace

Chengrui Shi,Tao Meng,Kun Wang,Jiakun Lei,Weijia Wang,Renhao Mao

DOI: https://doi.org/10.1016/j.robot.2024.104865

IF: 3.7

2024-01-01

Robotics and Autonomous Systems

Abstract:Safety is a critical problem for space robots in future complex automomous On-Orbit Services. In this paper, we propose a real-time and guaranteed method for whole-body safe tracking control of free-flying space robots using High Order Control Barrier Functions (HOCBFs).We start by utilizing capsule-shaped safety envelopes for an accurate approximation of space robots. This is followed by the development of HOCBF-based safety filters to ensure simultaneous collision avoidance and compliance with specified joint limits. To mitigate feasibility issues, we incorporate the optimal decay method into our safety filter design. Furthermore, we introduce a data-driven re-planning mechanism to avoid local minimums of control barrier functions. Such a mechanism primarily operates through anomaly detection of tracking behavior using One-Class Support Vector Machines.Numerical experiments demonstrate that our method effectively ensures safety of space robots under complicated circumstances without compromising the system’s ability to achieve its intended goals.

Kerianne Hobbs,Mark Mote,Matthew Abate,Samuel Coogan,Eric Feron

DOI: https://doi.org/10.48550/arXiv.2110.03506

2021-10-07

Systems and Control

Abstract:Run Time Assurance (RTA) Systems are online verification mechanisms that filter an unverified primary controller output to ensure system safety. The primary control may come from a human operator, an advanced control approach, or an autonomous control approach that cannot be verified to the same level as simpler control systems designs. The critical feature of RTA systems is their ability to alter unsafe control inputs explicitly to assure safety. In many cases, RTA systems can functionally be described as containing a monitor that watches the state of the system and output of a primary controller, and a backup controller that replaces or modifies control input when necessary to assure safety. An important quality of an RTA system is that the assurance mechanism is constructed in a way that is entirely agnostic to the underlying structure of the primary controller. By effectively decoupling the enforcement of safety constraints from performance-related objectives, RTA offers a number of useful advantages over traditional (offline) verification. This article provides a tutorial on developing RTA systems.

Kristina Miller,Christopher K. Zeitler,William Shen,Kerianne Hobbs,Sayan Mitra,John Schierman,Mahesh Viswanathan

2023-10-06

Abstract:A runtime assurance system (RTA) for a given plant enables the exercise of an untrusted or experimental controller while assuring safety with a backup (or safety) controller. The relevant computational design problem is to create a logic that assures safety by switching to the safety controller as needed, while maximizing some performance criteria, such as the utilization of the untrusted controller. Existing RTA design strategies are well-known to be overly conservative and, in principle, can lead to safety violations. In this paper, we formulate the optimal RTA design problem and present a new approach for solving it. Our approach relies on reward shaping and reinforcement learning. It can guarantee safety and leverage machine learning technologies for scalability. We have implemented this algorithm and present experimental results comparing our approach with state-of-the-art reachability and simulation-based RTA approaches in a number of scenarios using aircraft models in 3D space with complex safety requirements. Our approach can guarantee safety while increasing utilization of the experimental controller over existing approaches.

Systems and Control,Artificial Intelligence,Formal Languages and Automata Theory

Kyle Dunlap,Nathaniel Hamilton,Francisco Viramontes,Derrek Landauer,Evan Kain,Kerianne L. Hobbs

2024-05-11

Abstract:As the number of spacecraft on orbit continues to grow, it is challenging for human operators to constantly monitor and plan for all missions. Autonomous control methods such as reinforcement learning (RL) have the power to solve complex tasks while reducing the need for constant operator intervention. By combining RL solutions with run time assurance (RTA), safety of these systems can be assured in real time. However, in order to use these algorithms on board a spacecraft, they must be able to run in real time on space grade processors, which are typically outdated and less capable than state-of-the-art equipment. In this paper, multiple RL-trained neural network controllers (NNCs) and RTA algorithms were tested on commercial-off-the-shelf (COTS) and radiation tolerant processors. The results show that all NNCs and most RTA algorithms can compute optimal and safe actions in well under 1 second with room for further optimization before deploying in the real world.

Systems and Control

Kerianne L. Hobbs,Benjamin K. Heiner,Lillian Busse,Kyle Dunlap,Jonathan Rowanhill,Ashlie B. Hocking,Aditya Zutshi

DOI: https://doi.org/10.48550/arXiv.2209.00552

2022-09-01

Systems and Control

Abstract:This research considers the problem of identifying safety constraints and developing Run Time Assurance (RTA) for Deep Reinforcement Learning (RL) Tactical Autopilots that use neural network control systems (NNCS). This research studies a specific use case of an NNCS performing autonomous formation flight while an RTA system provides collision avoidance and geofence assurances. First, Systems Theoretic Accident Models and Processes (STAMP) is applied to identify accidents, hazards, and safety constraints as well as define a functional control system block diagram of the ground station, manned flight lead, and surrogate unmanned wingman. Then, Systems Theoretic Process Analysis (STPA) is applied to the interactions of the the ground station, manned flight lead, surrogate unmanned wingman, and internal elements of the wingman aircraft to identify unsafe control actions, scenarios leading to each, and safety requirements to mitigate risks. This research is the first application of STAMP and STPA to an NNCS bounded by RTA.

Christopher Lazarus,James G. Lopez,Mykel J. Kochenderfer

DOI: https://doi.org/10.48550/arXiv.2010.10618

IF: 5.414

2020-10-20

Machine Learning

Abstract:The airworthiness and safety of a non-pedigreed autopilot must be verified, but the cost to formally do so can be prohibitive. We can bypass formal verification of non-pedigreed components by incorporating Runtime Safety Assurance (RTSA) as mechanism to ensure safety. RTSA consists of a meta-controller that observes the inputs and outputs of a non-pedigreed component and verifies formally specified behavior as the system operates. When the system is triggered, a verified recovery controller is deployed. Recovery controllers are designed to be safe but very likely disruptive to the operational objective of the system, and thus RTSA systems must balance safety and efficiency. The objective of this paper is to design a meta-controller capable of identifying unsafe situations with high accuracy. High dimensional and non-linear dynamics in which modern controllers are deployed along with the black-box nature of the nominal controllers make this a difficult problem. Current approaches rely heavily on domain expertise and human engineering. We frame the design of RTSA with the Markov decision process (MDP) framework and use reinforcement learning (RL) to solve it. Our learned meta-controller consistently exhibits superior performance in our experiments compared to our baseline, human engineered approach.

Sean Vaskov,Utkarsh Sharma,Shreyas Kousik,Matthew Johnson-Roberson,Ramanarayan Vasudevan

DOI: https://doi.org/10.48550/arXiv.1902.01786

2019-02-06

Abstract:Trajectory planning is challenging for autonomous cars since they operate in unpredictable environments with limited sensor horizons. To incorporate new information as it is sensed, planning is done in a loop, with the next plan being computed as the previous plan is executed. The recent Reachability-based Trajectory Design (RTD) is a provably safe, real-time algorithm for trajectory planning. RTD consists of an offline component, where a Forward Reachable Set (FRS) is computed for the vehicle tracking parameterized trajectories; and an online part, where the FRS is used to map obstacles to constraints for trajectory optimization in a provably-safe way. In the literature, RTD has only been applied to small mobile robots. The contribution of this work is applying RTD to a passenger vehicle in CarSim, with a full powertrain model, chassis and tire dynamics. RTD produces safe trajectory plans with the vehicle traveling up to 15 m/s on a two-lane road, with randomly-placed obstacles only known to the vehicle when detected within its sensor horizon. RTD is compared with a Nonlinear Model-Predictive Control (NMPC) and a Rapidly-exploring Random Tree (RRT) approach. The experiment demonstrates RTD's ability to plan safe trajectories in real time, in contrast to the existing state-of-the-art approaches.

Systems and Control

Charles Hartsell,Shreyas Ramakrishna,Abhishek Dubey,Daniel Stojcsics,Nagabhushan Mahadevan,Gabor Karsai

DOI: https://doi.org/10.48550/arXiv.2102.09419

2021-03-24

Abstract:Autonomous CPSs are often required to handle uncertainties and self-manage the system operation in response to problems and increasing risk in the operating paradigm. This risk may arise due to distribution shifts, environmental context, or failure of software or hardware components. Traditional techniques for risk assessment focus on design-time techniques such as hazard analysis, risk reduction, and assurance cases among others. However, these static, design-time techniques do not consider the dynamic contexts and failures the systems face at runtime. We hypothesize that this requires a dynamic assurance approach that computes the likelihood of unsafe conditions or system failures considering the safety requirements, assumptions made at design time, past failures in a given operating context, and the likelihood of system component failures. We introduce the ReSonAte dynamic risk estimation framework for autonomous systems. ReSonAte reasons over Bow-Tie Diagrams (BTDs) which capture information about hazard propagation paths and control strategies. Our innovation is the extension of the BTD formalism with attributes for modeling the conditional relationships with the state of the system and environment. We also describe a technique for estimating these conditional relationships and equations for estimating risk based on the state of the system and environment. To help with this process, we provide a scenario modeling procedure that can use the prior distributions of the scenes and threat conditions to generate the data required for estimating the conditional relationships. To improve scalability and reduce the amount of data required, this process considers each control strategy in isolation and composes several single-variate distributions into one complete multi-variate distribution for the control strategy in question.

Robotics

Karen Leung,Edward Schmerling,Mengxuan Zhang,Mo Chen,John Talbot,J. Christian Gerdes,Marco Pavone

DOI: https://doi.org/10.48550/arXiv.2012.03390

IF: 3.7

2020-12-06

Robotics

Abstract:Action anticipation, intent prediction, and proactive behavior are all desirable characteristics for autonomous driving policies in interactive scenarios. Paramount, however, is ensuring safety on the road -- a key challenge in doing so is accounting for uncertainty in human driver actions without unduly impacting planner performance. This paper introduces a minimally-interventional safety controller operating within an autonomous vehicle control stack with the role of ensuring collision-free interaction with an externally controlled (e.g., human-driven) counterpart while respecting static obstacles such as a road boundary wall. We leverage reachability analysis to construct a real-time (100Hz) controller that serves the dual role of (i) tracking an input trajectory from a higher-level planning algorithm using model predictive control, and (ii) assuring safety by maintaining the availability of a collision-free escape maneuver as a persistent constraint regardless of whatever future actions the other car takes. A full-scale steer-by-wire platform is used to conduct traffic weaving experiments wherein two cars, initially side-by-side, must swap lanes in a limited amount of time and distance, emulating cars merging onto/off of a highway. We demonstrate that, with our control stack, the autonomous vehicle is able to avoid collision even when the other car defies the planner's expectations and takes dangerous actions, either carelessly or with the intent to collide, and otherwise deviates minimally from the planned trajectory to the extent required to maintain safety.

Karan Mahesh,Tyler M. Paine,Max L. Greene,Nicholas Rober,Steven Lee,Sildomar T. Monteiro,Anuradha Annaswamy,Michael R. Benjamin,Jonathan P. How

2024-10-02

Abstract:Marine robots must maintain precise control and ensure safety during tasks like ocean monitoring, even when encountering unpredictable disturbances that affect performance. Designing algorithms for uncrewed surface vehicles (USVs) requires accounting for these disturbances to control the vehicle and ensure it avoids obstacles. While adaptive control has addressed USV control challenges, real-world applications are limited, and certifying USV safety amidst unexpected disturbances remains difficult. To tackle control issues, we employ a model reference adaptive controller (MRAC) to stabilize the USV along a desired trajectory. For safety certification, we developed a reachability module with a moving horizon estimator (MHE) to estimate disturbances affecting the USV. This estimate is propagated through a forward reachable set calculation, predicting future states and enabling real-time safety certification. We tested our safe autonomy pipeline on a Clearpath Heron USV in the Charles River, near MIT. Our experiments demonstrated that the USV's MRAC controller and reachability module could adapt to disturbances like thruster failures and drag forces. The MRAC controller outperformed a PID baseline, showing a 45%-81% reduction in RMSE position error. Additionally, the reachability module provided real-time safety certification, ensuring the USV's safety. We further validated our pipeline's effectiveness in underway replenishment and canal scenarios, simulating relevant marine tasks.

Robotics,Systems and Control

Stanley Bak,Johannes Betz,Abhinav Chawla,Hongrui Zheng,Rahul Mangharam

DOI: https://doi.org/10.48550/arXiv.2110.01095

2021-10-04

Abstract:High-performance autonomy often must operate at the boundaries of safety. When external agents are present in a system, the process of ensuring safety without sacrificing performance becomes extremely difficult. In this paper, we present an approach to stress test such systems based on the rapidly exploring random tree (RRT) algorithm. We propose to find faults in such systems through adversarial agent perturbations, where the behaviors of other agents in an otherwise fixed scenario are modified. This creates a large search space of possibilities, which we explore both randomly and with a focused strategy that runs RRT in a bounded projection of the observable states that we call the objective space. The approach is applied to generate tests for evaluating overtaking logic and path planning algorithms in autonomous racing, where the vehicles are driving at high speed in an adversarial environment. We evaluate several autonomous racing path planners, finding numerous collisions during overtake maneuvers in all planners. The focused RRT search finds several times more crashes than the random strategy, and, for certain planners, tens to hundreds of times more crashes in the second half of the track.

Robotics

Jonathan Rowanhill,Ashlie B. Hocking,Aditya Zutshi,Kerianne L. Hobbs

2023-03-28

Abstract:Recent advances in artificial intelligence and machine learning may soon yield paradigm-shifting benefits for aerospace systems. However, complexity and possible continued on-line learning makes neural network control systems (NNCS) difficult or impossible to certify under the United States Military Airworthiness Certification Criteria defined in MIL-HDBK-516C. Run time assurance (RTA) is a control system architecture designed to maintain safety properties regardless of whether a primary control system is fully verifiable. This work examines how to satisfy compliance with MIL-HDBK-516C while using active set invariance filtering (ASIF), an advanced form of RTA not envisaged by the 516c committee. ASIF filters the commands from a primary controller, passing on safe commands while optimally modifying unsafe commands to ensure safety with minimal deviation from the desired control action. This work examines leveraging the core theory behind ASIF as assurance argument explaining novel satisfaction of 516C compliance criteria. The result demonstrates how to support compliance of novel technologies with 516C as well as elaborate how such standards might be updated for emerging technologies.

Systems and Control,Software Engineering

Kun Wang,Tao Meng,Jiakun Lei,Weijia Wang

2023-06-08

Abstract:This paper investigates the safety guaranteed problem in spacecraft inspection missions, considering multiple position obstacles and logical attitude forbidden zones. In order to address this issue, we propose a control strategy based on control barrier functions, summarized as "safety check on kinematics" and "velocity tracking on dynamics" approach. The proposed approach employs control barrier functions to describe the obstacles and to generate safe velocities via the solution of a quadratic programming problem. Subsequently, we design a proportional-like controller based on the generated velocity, which, despite its simplicity, can ensure safety even in the presence of velocity tracking errors. The stability and safety of the system are rigorously analyzed in this paper. Furthermore, to account for model uncertainties and external disturbances, we incorporate an immersion and invariance-based disturbance observer in our design. Finally, numerical simulations are performed to demonstrate the effectiveness of the proposed control strategy.

Systems and Control