Christopher Lazarus,James G. Lopez,Mykel J. Kochenderfer

DOI: https://doi.org/10.48550/arXiv.2010.10618

IF: 5.414

2020-10-20

Machine Learning

Abstract:The airworthiness and safety of a non-pedigreed autopilot must be verified, but the cost to formally do so can be prohibitive. We can bypass formal verification of non-pedigreed components by incorporating Runtime Safety Assurance (RTSA) as mechanism to ensure safety. RTSA consists of a meta-controller that observes the inputs and outputs of a non-pedigreed component and verifies formally specified behavior as the system operates. When the system is triggered, a verified recovery controller is deployed. Recovery controllers are designed to be safe but very likely disruptive to the operational objective of the system, and thus RTSA systems must balance safety and efficiency. The objective of this paper is to design a meta-controller capable of identifying unsafe situations with high accuracy. High dimensional and non-linear dynamics in which modern controllers are deployed along with the black-box nature of the nominal controllers make this a difficult problem. Current approaches rely heavily on domain expertise and human engineering. We frame the design of RTSA with the Markov decision process (MDP) framework and use reinforcement learning (RL) to solve it. Our learned meta-controller consistently exhibits superior performance in our experiments compared to our baseline, human engineered approach.

Enjun Liu,Shuang Liu,Qiyang He,Hanzhang Cai,Shanling Dong

2024-01-01

Abstract:This paper studies the issue of trajectory tracking control for constrained unmanned surface vehicles with uncertainties and cyber attack. To handle the uncertainties and output constraints, adaptive neural networks (NNs) and barrier Lyapunov functions are respectively employed. The input signals are modeled under the consideration of cyber attack. A control law based on adaptive NNs is proposed to solve the trajectory tracking problem. It is proved that with the proposed control law, the output constraints can be guaranteed, and the expected tracking errors can converge to zero asymptotically when cyber attack occurs. Furthermore, the analysis is extended to situations without output constraints. Finally, the performance of the new control laws are demonstrated through simulation results.

Kyle Dunlap,David van Wijk,Kerianne L. Hobbs

2023-08-07

Abstract:As autonomous systems become more prevalent in the real world, it is critical to ensure they operate safely. One approach is the use of Run Time Assurance (RTA), which is a real-time safety assurance technique that monitors a primary controller and intervenes to assure safety when necessary. As these autonomous systems become more complex, RTA is useful because it can be designed completely independent of the primary controller. This paper develops several translational motion safety constraints for a multi-agent autonomous spacecraft inspection problem, where all of these constraints can be enforced with RTA. A comparison is made between centralized and decentralized control, where simulations of the inspection problem then demonstrate that RTA can assure safety of all constraints. Monte Carlo analysis is then used to show that no scenarios were found where the centralized RTA cannot assure safety. While some scenarios were found where decentralized RTA cannot assure safety, solutions are discussed to mitigate these failures.

Systems and Control

Kyle Dunlap,Nathaniel Hamilton,Francisco Viramontes,Derrek Landauer,Evan Kain,Kerianne L. Hobbs

2024-05-11

Abstract:As the number of spacecraft on orbit continues to grow, it is challenging for human operators to constantly monitor and plan for all missions. Autonomous control methods such as reinforcement learning (RL) have the power to solve complex tasks while reducing the need for constant operator intervention. By combining RL solutions with run time assurance (RTA), safety of these systems can be assured in real time. However, in order to use these algorithms on board a spacecraft, they must be able to run in real time on space grade processors, which are typically outdated and less capable than state-of-the-art equipment. In this paper, multiple RL-trained neural network controllers (NNCs) and RTA algorithms were tested on commercial-off-the-shelf (COTS) and radiation tolerant processors. The results show that all NNCs and most RTA algorithms can compute optimal and safe actions in well under 1 second with room for further optimization before deploying in the real world.

Systems and Control

Jonathan Rowanhill,Ashlie B. Hocking,Aditya Zutshi,Kerianne L. Hobbs

2023-03-28

Abstract:Recent advances in artificial intelligence and machine learning may soon yield paradigm-shifting benefits for aerospace systems. However, complexity and possible continued on-line learning makes neural network control systems (NNCS) difficult or impossible to certify under the United States Military Airworthiness Certification Criteria defined in MIL-HDBK-516C. Run time assurance (RTA) is a control system architecture designed to maintain safety properties regardless of whether a primary control system is fully verifiable. This work examines how to satisfy compliance with MIL-HDBK-516C while using active set invariance filtering (ASIF), an advanced form of RTA not envisaged by the 516c committee. ASIF filters the commands from a primary controller, passing on safe commands while optimally modifying unsafe commands to ensure safety with minimal deviation from the desired control action. This work examines leveraging the core theory behind ASIF as assurance argument explaining novel satisfaction of 516C compliance criteria. The result demonstrates how to support compliance of novel technologies with 516C as well as elaborate how such standards might be updated for emerging technologies.

Systems and Control,Software Engineering

Kyle Dunlap,Nathaniel Hamilton,Zachary Lippay,Matthew Shubert,Sean Phillips,Kerianne L. Hobbs

2024-05-11

Abstract:On-orbit spacecraft inspection is an important capability for enabling servicing and manufacturing missions and extending the life of spacecraft. However, as space operations become increasingly more common and complex, autonomous control methods are needed to reduce the burden on operators to individually monitor each mission. In order for autonomous control methods to be used in space, they must exhibit safe behavior that demonstrates robustness to real world disturbances and uncertainty. In this paper, neural network controllers (NNCs) trained with reinforcement learning are used to solve an inspection task, which is a foundational capability for servicing missions. Run time assurance (RTA) is used to assure safety of the NNC in real time, enforcing several different constraints on position and velocity. The NNC and RTA are tested in the real world using unmanned aerial vehicles designed to emulate spacecraft dynamics. The results show this emulation is a useful demonstration of the capability of the NNC and RTA, and the algorithms demonstrate robustness to real world disturbances.

Systems and Control

David van Wijk,Kyle Dunlap,Manoranjan Majji,Kerianne Hobbs

DOI: https://doi.org/10.2514/1.i011391

2024-09-14

Journal of Aerospace Information Systems

Abstract:While reinforcement learning (RL) offers high-performance solutions to complex tasks, its trial-and-error paradigm presents safety concerns when exploring unsafe states may be unacceptable. Safety filtering or run-time assurance (RTA) approaches can be used to monitor the RL agent’s desired control and prevent the agent from taking unsafe actions by satisfying safety constraints during and after training. This study investigates the problem of on-orbit inspection of a chief spacecraft using a deputy spacecraft controlled by an RL agent with safety constraints. Several constraints on the state space are enforced using discrete control barrier functions and an optimization-based RTA system. This assures the safety of the deputy spacecraft and its sensors even with a neural-network-based primary controller. A detailed analysis of RL agent performance for eight separate experiments is presented, including each safety constraint individually, all constraints simultaneously, and no constraints. Results demonstrate that the RL agent can complete the inspection task while adhering to safety constraints in a simulated RL environment. These results also show that the RTA system can aid the RL agent in learning a successful policy over fewer time steps but may lead to higher fuel usage, depending on the constraint(s) enforced.

engineering, aerospace

David D. Fan,Jennifer Nguyen,Rohan Thakker,Nikhilesh Alatur,Ali-akbar Agha-mohammadi,Evangelos A. Theodorou

DOI: https://doi.org/10.1109/ICRA40945.2020.9196709

2021-07-04

Abstract:Deep learning has enjoyed much recent success, and applying state-of-the-art model learning methods to controls is an exciting prospect. However, there is a strong reluctance to use these methods on safety-critical systems, which have constraints on safety, stability, and real-time performance. We propose a framework which satisfies these constraints while allowing the use of deep neural networks for learning model uncertainties. Central to our method is the use of Bayesian model learning, which provides an avenue for maintaining appropriate degrees of caution in the face of the unknown. In the proposed approach, we develop an adaptive control framework leveraging the theory of stochastic CLFs (Control Lyapunov Functions) and stochastic CBFs (Control Barrier Functions) along with tractable Bayesian model learning via Gaussian Processes or Bayesian neural networks. Under reasonable assumptions, we guarantee stability and safety while adapting to unknown dynamics with probability 1. We demonstrate this architecture for high-speed terrestrial mobility targeting potential applications in safety-critical high-speed Mars rover missions.

Systems and Control,Machine Learning,Robotics

Kerianne Hobbs,Mark Mote,Matthew Abate,Samuel Coogan,Eric Feron

DOI: https://doi.org/10.48550/arXiv.2110.03506

2021-10-07

Systems and Control

Abstract:Run Time Assurance (RTA) Systems are online verification mechanisms that filter an unverified primary controller output to ensure system safety. The primary control may come from a human operator, an advanced control approach, or an autonomous control approach that cannot be verified to the same level as simpler control systems designs. The critical feature of RTA systems is their ability to alter unsafe control inputs explicitly to assure safety. In many cases, RTA systems can functionally be described as containing a monitor that watches the state of the system and output of a primary controller, and a backup controller that replaces or modifies control input when necessary to assure safety. An important quality of an RTA system is that the assurance mechanism is constructed in a way that is entirely agnostic to the underlying structure of the primary controller. By effectively decoupling the enforcement of safety constraints from performance-related objectives, RTA offers a number of useful advantages over traditional (offline) verification. This article provides a tutorial on developing RTA systems.

Kyle Dunlap,Kochise Bennett,David van Wijk,Nathaniel Hamilton,Kerianne Hobbs

2024-06-18

Abstract:The trial and error approach of reinforcement learning (RL) results in high performance across many complex tasks, but it can also lead to unsafe behavior. Run time assurance (RTA) approaches can be used to assure safety of the agent during training, allowing it to safely explore the environment. This paper investigates the application of RTA during RL training for a 6-Degree-of-Freedom spacecraft inspection task, where the agent must control its translational motion and attitude to inspect a passive chief spacecraft. Several safety constraints are developed based on position, velocity, attitude, temperature, and power of the spacecraft, and are all enforced simultaneously during training through the use of control barrier functions. This paper also explores simulating the RL agent and RTA at different frequencies to best balance training performance and safety assurance. The agent is trained with and without RTA, and the performance is compared across several metrics including inspection percentage and fuel usage.

Systems and Control

Kristina Miller,Christopher K. Zeitler,William Shen,Kerianne Hobbs,Sayan Mitra,John Schierman,Mahesh Viswanathan

2023-10-06

Abstract:A runtime assurance system (RTA) for a given plant enables the exercise of an untrusted or experimental controller while assuring safety with a backup (or safety) controller. The relevant computational design problem is to create a logic that assures safety by switching to the safety controller as needed, while maximizing some performance criteria, such as the utilization of the untrusted controller. Existing RTA design strategies are well-known to be overly conservative and, in principle, can lead to safety violations. In this paper, we formulate the optimal RTA design problem and present a new approach for solving it. Our approach relies on reward shaping and reinforcement learning. It can guarantee safety and leverage machine learning technologies for scalability. We have implemented this algorithm and present experimental results comparing our approach with state-of-the-art reachability and simulation-based RTA approaches in a number of scenarios using aircraft models in 3D space with complex safety requirements. Our approach can guarantee safety while increasing utilization of the experimental controller over existing approaches.

Systems and Control,Artificial Intelligence,Formal Languages and Automata Theory

Kyle D. Julian,Mykel J. Kochenderfer

DOI: https://doi.org/10.48550/arXiv.1912.07084

2019-12-15

Systems and Control

Abstract:The decision logic for the ACAS X family of aircraft collision avoidance systems is represented as a large numeric table. Due to storage constraints of certified avionics hardware, neural networks have been suggested as a way to significantly compress the data while still preserving performance in terms of safety. However, neural networks are complex continuous functions with outputs that are difficult to predict. Because simulations evaluate only a finite number of encounters, simulations are not sufficient to guarantee that the neural network will perform correctly in all possible situations. We propose a method to provide safety guarantees when using a neural network collision avoidance system. The neural network outputs are bounded using neural network verification tools like Reluplex and Reluval, and a reachability method determines all possible ways aircraft encounters will resolve using neural network advisories and assuming bounded aircraft dynamics. Experiments with systems inspired by ACAS X show that neural networks giving either horizontal or vertical maneuvers can be proven safe. We explore how relaxing the bounds on aircraft dynamics can lead to potentially unsafe encounters and demonstrate how neural network controllers can be modified to guarantee safety through online costs or lowering alerting cost. The reachability method is flexible and can incorporate uncertainties such as pilot delay and sensor error. These results suggest a method for certifying neural network collision avoidance systems for use in real aircraft.

Weiming Xiang,Taylor T. Johnson

DOI: https://doi.org/10.48550/arXiv.1805.09944

2018-05-25

Abstract:Autonomous cyber-physical systems (CPS) rely on the correct operation of numerous components, with state-of-the-art methods relying on machine learning (ML) and artificial intelligence (AI) components in various stages of sensing and control. This paper develops methods for estimating the reachable set and verifying safety properties of dynamical systems under control of neural network-based controllers that may be implemented in embedded software. The neural network controllers we consider are feedforward neural networks called multilayer perceptrons (MLP) with general activation functions. As such feedforward networks are memoryless, they may be abstractly represented as mathematical functions, and the reachability analysis of the network amounts to range (image) estimation of this function provided a set of inputs. By discretizing the input set of the MLP into a finite number of hyper-rectangular cells, our approach develops a linear programming (LP) based algorithm for over-approximating the output set of the MLP with its input set as a union of hyper-rectangular cells. Combining the over-approximation for the output set of an MLP based controller and reachable set computation routines for ordinary difference/differential equation (ODE) models, an algorithm is developed to estimate the reachable set of the closed-loop system. Finally, safety verification for neural network control systems can be performed by checking the existence of intersections between the estimated reachable set and unsafe regions. The approach is implemented in a computational software prototype and evaluated on numerical examples.

Systems and Control

Xiao Li,Yutong Li,Anouck Girard,Ilya Kolmanovsky

2024-05-19

Abstract:The Neural Network (NN), as a black-box function approximator, has been considered in many control and robotics applications. However, difficulties in verifying the overall system safety in the presence of uncertainties hinder the deployment of NN modules in safety-critical systems. In this paper, we leverage the NNs as predictive models for trajectory tracking of unknown dynamical systems. We consider controller design in the presence of both intrinsic uncertainty and uncertainties from other system modules. In this setting, we formulate the constrained trajectory tracking problem and show that it can be solved using Mixed-integer Linear Programming (MILP). The proposed MILP-based approach is empirically demonstrated in robot navigation and obstacle avoidance through simulations. The demonstration videos are available at

Robotics,Machine Learning,Systems and Control,Optimization and Control

Yifei Simon Shao,Chao Chen,Shreyas Kousik,Ram Vasudevan

DOI: https://doi.org/10.1109/lra.2021.3063989

IF: 5.2

2021-04-01

IEEE Robotics and Automation Letters

Abstract:Reinforcement Learning (RL) algorithms have achieved remarkable performance in decision making and control tasks by reasoning about long-term, cumulative reward using trial and error. However, during RL training, applying this trial-and-error approach to real-world robots operating in safety critical environment may lead to collisions. To address this challenge, this letter proposes a Reachability-based Trajectory Safeguard (RTS), which leverages reachability analysis to ensure safety during training and operation. Given a known (but uncertain) model of a robot, RTS precomputes a Forward Reachable Set of the robot tracking a continuum of parameterized trajectories. At runtime, the RL agent selects from this continuum in a receding-horizon way to control the robot; the FRS is used to identify if the agent's choice is safe or not, and to adjust unsafe choices. The efficacy of this method is illustrated in static environments on three nonlinear robot models, including a 12-D quadrotor drone, in simulation and in comparison with state-of-the-art safe motion planning methods.

robotics

Wenbo Zhang,Xiangkun Meng,Jianyuan Wang,Tieshan Li,Qihe Shan,Fei Teng

DOI: https://doi.org/10.1109/iccss53909.2021.9722016

2021-12-10

Abstract:Automatic crane is a complex system affected by the external environment and the internal components of the system, information fusion, software and hardware combination, and man-machine integration. The improvement of its automation and informatization proposes various challenges in the accident model construction and safety analysis. However, the safety analysis methods based on fault types consider that the occurrence of accidents is linear and ignore the correlation among components of the system. This paper adopts the system-theoretic accident model and process (STAMP) and system-theoretic process analysis (STPA) mode is to implement safety analysis of the automatic crane trolley running system (ACTRs). The paper starts from the identification of system-level losses and hazards, clarifies the function and internal logical control relationships of the system’s components, and then finds potential unsafe control actions (UCAs) and loss scenarios during the trolley running. The results show that the control requirements for the regular operation of the trolley running system can be analyzed in detail. Therefore, the STAMP/STPA can apply to the safety investigation of automatic cranes.

Frank Yang,Sinong Simon Zhan,Yixuan Wang,Chao Huang,Qi Zhu

2024-08-16

Abstract:Neural networks are increasingly used in safety-critical applications such as robotics and autonomous vehicles. However, the deployment of neural-network-controlled systems (NNCSs) raises significant safety concerns. Many recent advances overlook critical aspects of verifying control and ensuring safety in real-time scenarios. This paper presents a case study on using POLAR-Express, a state-of-the-art NNCS reachability analysis tool, for runtime safety verification in a Turtlebot navigation system using LiDAR. The Turtlebot, equipped with a neural network controller for steering, operates in a complex environment with obstacles. We developed a safe online controller switching strategy that switches between the original NNCS controller and an obstacle avoidance controller based on the verification results. Our experiments, conducted in a ROS2 Flatland simulation environment, explore the capabilities and limitations of using POLAR-Express for runtime verification and demonstrate the effectiveness of our switching strategy.

Robotics

DOI: https://doi.org/10.1007/s00521-023-08417-z

2023-03-15

Neural Computing and Applications

Abstract:In this paper, an event-triggered fixed-time adaptive neural network formation control method is proposed for underactuated multiple autonomous surface vessels with model uncertainties and unknown external disturbances under communication distance constraints. First, a time-varying barrier Lyapunov function is developed to obtain prescribed performances, such as formation error constraints, and avoid collisions in the communication range with distance limitations. Second, combining backstepping technology with neural networks, a fixed-time adaptive minimum learning parameter (MLP) is proposed to improve robustness against external disturbances and model uncertainties, and an adaptive law is designed to compensate for the approximation error of MLP. Third, a relative threshold-based event-triggered strategy is developed to greatly save communication resources without degrading control performance. Subsequently, Theorem analysis shows that all signals in the closed-loop system are bounded and practical fixed-time stable. Finally, the effectiveness of the proposed method is demonstrated by numerical simulations.

computer science, artificial intelligence

Ammar N. Abbas,Georgios C. Chasparis,John D. Kelleher

2023-10-16

Abstract:Traditional controllers have limitations as they rely on prior knowledge about the physics of the problem, require modeling of dynamics, and struggle to adapt to abnormal situations. Deep reinforcement learning has the potential to address these problems by learning optimal control policies through exploration in an environment. For safety-critical environments, it is impractical to explore randomly, and replacing conventional controllers with black-box models is also undesirable. Also, it is expensive in continuous state and action spaces, unless the search space is constrained. To address these challenges we propose a specialized deep residual policy safe reinforcement learning with a cycle of learning approach adapted for complex and continuous state-action spaces. Residual policy learning allows learning a hybrid control architecture where the reinforcement learning agent acts in synchronous collaboration with the conventional controller. The cycle of learning initiates the policy through the expert trajectory and guides the exploration around it. Further, the specialization through the input-output hidden Markov model helps to optimize policy that lies within the region of interest (such as abnormality), where the reinforcement learning agent is required and is activated. The proposed solution is validated on the Tennessee Eastman process control.

Machine Learning,Artificial Intelligence,Systems and Control

Samuel Teuber,Stefan Mitsch,André Platzer

2024-06-14

Abstract:While neural networks (NNs) have potential as autonomous controllers for Cyber-Physical Systems, verifying the safety of NN based control systems (NNCSs) poses significant challenges for the practical use of NNs, especially when safety is needed for unbounded time horizons. One reason is the intractability of analyzing NNs, ODEs and hybrid systems. To this end, we introduce VerSAILLE (Verifiably Safe AI via Logically Linked Envelopes): The first general approach that allows reusing control theory results for NNCS verification. By joining forces, we exploit the efficiency of NN verification tools while retaining the rigor of differential dynamic logic (dL). Based on provably safe control envelopes in dL, we derive specifications for the NN which is proven via NN verification. We show that a proof of the NN adhering to the specification is mirrored by a dL proof on the infinite-time safety of the NNCS. The NN verification properties resulting from hybrid systems typically contain nonlinear arithmetic and arbitrary logical structures while efficient NN verification merely supports linear constraints. To overcome this divide, we present Mosaic: An efficient, sound and complete verification approach for polynomial real arithmetic properties on piece-wise linear NNs. Mosaic partitions complex verification queries into simple queries and lifts off-the-shelf linear constraint tools to the nonlinear setting in a completeness-preserving manner by combining approximation with exact reasoning for counterexample regions. Our evaluation demonstrates the versatility of VerSAILLE and Mosaic: We prove infinite-time safety on the classical Vertical Airborne Collision Avoidance NNCS verification benchmark for two scenarios while (exhaustively) enumerating counterexample regions in unsafe scenarios. We also show that our approach significantly outperforms State-of-the-Art tools in closed-loop NNV.

Systems and Control,Artificial Intelligence,Machine Learning,Logic in Computer Science