control for safety specifications of systems with imperfect information on a partial order

982 IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 59, NO. 4, APRIL 2014

Control for Safety Specifications of Systems WithImperfect Information on a Partial Order

Reza Ghaemi and Domitilla Del Vecchio, Member, IEEE

Abstract—In this paper, we consider the control problem for un-certain systems with imperfect information, in which an output ofinterest must be kept outside an undesired region (the bad set) inthe output space. The state, input, output, and disturbance spacesare equipped with partial orders. The system dynamics are eitherinput/output order preserving with output in or given by theparallel composition of input/output order preserving dynamicseach with scalar output. We provide necessary and sufficient con-ditions under which an initial set of possible system states is safe,that is, the corresponding outputs are steerable away from the badset with open loop controls. A closed loop control strategy is explic-itly constructed, which guarantees that the current set of possiblesystem states, as obtained from an estimator, generates outputs thatnever enter the bad set. The complexity of algorithms that checksafety of an initial set of states and implement the control map isquadratic with the dimension of the state space. The algorithms areillustrated on two application examples: a ship maneuver to avoidan obstacle and safe navigation of an helicopter among buildings.

Index Terms—Complexity, feedback control, reachability,vehicles.

I. INTRODUCTION

T HE problem of keeping the state of a dynamic system ina desired region via feedback control has been considered

by researchers for decades [1]–[4]. A common approach is to de-termine the set, called maximal controlled invariant set (MCIS),of all initial states that can be kept in the desired region via a con-trol strategy [4]–[6]. This problem has also been cast as that ofavoiding the complement of the desired region [7], called “badset,” and is referred to as safety control problem. In this case, thecomplement of the MCIS is called the “capture set” as it repre-sents the set of all states that cannot be steered away from (arecaptured by) the bad set for any control strategy.The safety control problem of uncertain dynamical systems

can be considered as a min-max or pursuit-evasion problemwhere the disturbance tries to steer trajectories away from thedesired region and the controller tries to counteract the distur-bance. In [2], a finite horizon MCIS is characterized as the level

Manuscript received August 21, 2012; revised March 19, 2013, August 22,2013, and November 12, 2013; accepted January 09, 2014. Date of publicationJanuary 20, 2014; date of current version March 20, 2014. This work was inpart supported by NSF CAREER AWARD # CNS-0642719. Recommended byAssociate Editor P. Shi.R. Ghaemi is with General Electric Global Research, Schenectady, NY 12309

USA (e-mail: [email protected]).D. Del Vecchio is with the Department of Mechanical Engineering and Lab-

oratory for Information and Decision Systems, Massachusetts Institute of Tech-nology, Cambridge, MA 02139 USA (e-mail: [email protected]).Color versions of one or more of the figures in this paper are available online

at http://ieeexplore.ieee.org.Digital Object Identifier 10.1109/TAC.2014.2301563

set of the optimal cost of a min-max problem for discrete-timesystems with perfect and imperfect state information and poly-hedral and ellipsoidal algorithms for approximating the MCISare provided. In the context of hybrid systems with perfect stateinformation and infinite horizon, [8]–[10] represent the MCISas the level set of the optimal cost of a min-max problem,which, for continuous nonlinear systems is computable bysolving the Hamilton–Jacobi–Bellman (HJB) equation. TheHJB equation involves issues such as existence, uniqueness,and smoothness of the solutions so that in general it is veryhard to solve. Therefore, numerical methods for approximatingthe MCIS using level set methods [11], [12] and polygonal ap-proximation of flow pipes [13] have been proposed. For linearsystems, the reachability problem has been extensively studiedand algorithms that finitely determine polyhedral approxima-tions [14]–[16], ellipsoidal approximations [17] (see also [5]and the references therein), and approximations through unionof zonotopes [18], [19] have been proposed.Decidability theory is another approach to the reachability

problemwhere mathematical logic is used to represent sets sym-bolically [20]–[24]. Within this approach, the reachable set isrepresented in the form of formulas with quantifiers and com-putational tools are developed to eliminate quantifiers and pro-vide formulas that define reachable sets [25], [26]. Quantifierelimination is applicable to reachable sets that are decidablein the theory of real numbers with additive and multiplicationfunctions. Therefore, this approach is only applicable to specialclasses of linear/affine systems [21]–[23]. Moreover, the com-putational demand is exponential in the size of input and outputdata [14]. Application-driven literature has also addressed thereachability problem for specific aerospace vehicles, such as he-licopters [27], [28]. Different in scope but related to this workis also recent literature on observer-based stabilization of non-linear and switched systems [29]–[32].Except for the discrete time systems work by [2], the above

cited works have focused mostly on systems with perfect stateinformation. The safety control problem when the state of thesystem is not exactly known has been receiving much less at-tention. In [33], hybrid automata in which the mode is unknownto the controller and needs to be estimated are considered. Fordiscrete-time systems, dynamic control of block triangular orderpreserving hybrid automata with imperfect state information isconsidered in [34]. In [35] and [36], safety control results areextended to continuous time piecewise systems that are the par-allel composition of two decoupled monotone systems [37], forwhich a scalar output must be controlled. These results havebeen extended in [38] to the case in which the system does not

0018-9286 © 2014 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

GHAEMI AND DEL VECCHIO: CONTROL FOR SAFETY SPECIFICATIONS OF SYSTEMS WITH IMPERFECT INFORMATION 983

need to be the parallel composition of two decoupled systems,but still monotonicity and two-dimensional output are required.In this paper, we extend the results of [38] to systems that do

not need to bemonotone, but whose two-dimensional output tra-jectories are enveloped by extremal trajectories correspondingto extremal control inputs. We refer to this property as input/output order preserving. We further extend these results to sys-tems that are the parallel composition of an arbitrary numberof input/output order preserving systems, each with output inor . When some of the systems in the parallel compositionhave output in , perfect state information and no uncertaintyare considered. Even if the dynamics of the subsystems are de-coupled from each other, the control objective (avoiding a badset in the Cartesian product of the whole system output) implic-itly introduces coupling, so that the problem cannot be solvedby solving separate simpler problems.Our approach to deal with imperfect information is similar

to that of open loop feedback control [39]. Specifically, we de-termine whether a current set of system states, obtained from astate estimator, generates outputs that can be steered away fromthe bad set as if no further measurements were received after thecurrent time. As a consequence, we provide necessary and suf-ficient conditions to determine whether a set of possible systemstates belongs to the open loop MCIS, that is, it generates out-puts that can be steered away from the bad set with open loopcontrols. Then, we explicitly provide a feedback control strategythat guarantees that the current set of possible system states, ob-tained from a state estimator, is kept in the computed MCIS. Fordimensional systems, the computational demand of our algo-

rithms is of order . Therefore, the computational complexityscales at most quadratically with the number of states.The class of input/output order-preserving systems canmodel

a number of applications and include the class of monotonesystems [37]. Several biological systems are shown to have themonotone property or to be composition of subsystems withmonotone property [40], [41]. Transportation networks whereeach carrier, car or train, moves unidirectionally according toa predetermined path can be modeled as a group of interactingagents with monotone dynamics [42] or with input/outputorder preserving dynamics [43]. In this paper, we illustrate twodifferent applications. First, we consider the free motion of aship in and tackle an obstacle collision avoidance problem.Second, we consider the free three-dimensional motion of anhelicopter among buildings. We model the helicopter dynamicsby an 18-dimensional model and design a supervisor that over-rides the pilot with safe control actions whenever the systemconfiguration hits the boundary of a building’s capture set.

A. Motivating Example

In order to illustrate how the monotonicity property of theflow with respect to the input simplifies the problem of calcu-lating the capture set of a bad set, we consider the free motion ofan object in as follows. Let denote the po-sition of the object and assume that the motion can be describedby the three integrators , , , in whichthe input is bounded and subject to constraints

, . There is an obstacle (bad set) that must

Fig. 1. Capture set and a safe trajectory obtained enforcing the control strategyexplained in the text.

be avoided given by. We seek to determine the capture set of this obstacle and the

control strategy that guarantees that any initial condition startingoutside of the capture set is kept outside it.Consider an initial condition and let and denote

trajectories generated by the extremal inputs or .It follows that for all . Sys-tems with this property belong to the class of input/output orderpreserving systems. Consider all extremal trajectories of ingenerated by all combinations of extremal inputs, pick a point oneach of these trajectories, and consider the convex hull of thesepoints. Because the system is input/output order preserving anytrajectory corresponding to any arbitrary input will cross this

convex hull. If all extremal trajectories cross the bad set , wecan pick all the points on the extremal trajectories in such a waythat they are all inside the bad set, so that their convex hull isalso all contained in the bad set (since the bad set is convex).It follows that if all extremal trajectories cross the bad set, thenany trajectory for any arbitrary input will also cross the bad set.As a consequence, belongs to the capture set of the bad set.This reasoning illustrates that for an input/output order pre-

serving systemwe can determine whether an initial state is in thecapture set by only checking whether all its extremal trajectoriescross the bad set. This also implies that the capture set (depictedin Fig. 1) can be geometrically determined by intersecting all thebackward reachable sets of the bad set obtained with extremalinputs. Denote the extremal inputs by and denotethe backward reachable set of corresponding to each of theseinputs by for . A control strategy that leavesthe input free and constrains it only on the boundary of the cap-ture set is easily constructed by enforcing input whenever theposition is on the boundary of and inside for all .An example of state trajectory obtained employing this strategyis illustrated in Fig. 1. We will show in this paper that we need toactually calculate only six extremal trajectories for this system.That is, for an dimensional system we need to calculate only

extremal trajectories.In this paper, we extend this reasoning to general systems that

are input/output order preserving, with disturbance inputs, and


with imperfect state information. The paper is organized as fol-lows. Section II introduces the class of systems and the controlproblem. Section III provides necessary and sufficient condi-tions for the set of initial states to be steerable away from thebad set and Section IV provides a control strategy. Implementa-tion details are addressed in Section V. In Sections VI and VII,we address the application examples. The Appendix containsbasic definitions, intermediate results, and proofs.

II. SYSTEM CLASS AND PROBLEM FORMULATION

A system is a tuple , whereis the state space, and are the sets of

disturbances and inputs, respectively, is the space of outputsto be controlled, is a piecewise continuousvector field, is the output map. Let

denote the flow of the system whereis the set of control input signals and is the set of

disturbance input signals. In addition, letdenote the output to be controlled. We

assume that the space of disturbance signals is connected,that , that the flow of the system is continuous withrespect to time, to initial condition, and to disturbance, and thatis continuous. In this paper, we denote signals in bold. For twosets , we say is below denoted by , if forall and such that , .We say that is strictly below denoted by , if for all

and such that , .Definition 1: System is said to be input/output order pre-

serving provided thati) The set is partially ordered with respect to a cone

. Moreover, there are such that for all, and .

ii) For all , we have that•

, for all , , ifand

• , for all, , and , if ,

in which and for all .The above definition is weaker than the order preserving

property of [36], [38] as it only requires the output trajectoriescorresponding to the extremal control signals to envelop allother trajectories. The order preserving property of [36], [38]instead requires that the flow is an order preserving map [44].A sufficient condition for to be input/output order preservingis to be an input/output monotone system for which algebraicchecks exist [37].Definition 2: Given systems ,

, the parallel composition is asystem in which, , ,

, for , ,, the flow of the system is

and the output is .In this paper, we consider systems given by the parallel

composition of subsystems in which and assumethat the state of is not perfectly measured. Specifically, let

denote the measured output space and let

be the measurement map that for each measurementreturns a set of possible states that can have generated such ameasurement. In particular, we have that the signal mea-sured in correspondence to flow must be such that

for all . Let denote the setof all possible states at time compatible with the measurementsignal up to time , the control input signal applied up to thetime , and the set of possible initial states . This set, often re-ferred to as nondeterministic information state [45], is formallydefined as

s.t.

(1)

Consider a bad set in the output space, denoted . Weseek to determine the set of initial sets such that the corre-sponding output trajectories are steerable away from the bad set. The problem is formally stated as follows.Problem 1: Given system and a bad set , determine

the open loop maximal safe controlled invariant set given by

s.t.

(2)

Set is the set of all state uncertainties for whichan open loop control signal exists that keeps all the possibleoutput trajectories outside of the bad set . At each time instant, we have current information given by the information state(or its estimate, as we will see in the sequel) , so that if

we can compute a set-valued feedback mapsuch that if then is kept outside forall . This is formally introduced by the following problem.Problem 2: Determine a control map such

that for all output measurements and , wehave that if ,for all .Note that the control strategy sought in Problem 2 is a (closed

loop) feedback control strategy. This approach is similar to thatof open loop feedback control [39], in which existence of a con-troller is established based on open-loop controls as if no furtherinformation on the system state were acquired in the future, butthe control applied at time is based on a map from a state esti-mate, which progressively reduces the uncertainty on the state.When , we have that ,

, and that . Insuch a case, we also have that the set of initial states is such that

. We solve the above two problems under theassumption that systems are input/output order preserving,that are connected, that the bad set with

is also connected, and that the map issuch that for all , is a closed and connected set.Under these assumptions, it follows that is also connected.We also assume the following liveness property:Assumption 1: There exists such that

, for all, , , and .

This assumption basically prevents the trivial solution inwhich the bad set is avoided by stopping the system fromevolving.


III. SOLUTION TO PROBLEM 1

In this section, we provide necessary and sufficient conditionsto determine whether a given set is in . First, we considerthe case where system is an input/output order preservingsystem with . Then, we employ this result to providethe solution to Problem 1 for the case in which system is theparallel composition of input/output order preserving systems,each with scalar output . This result can be, in turn,extended to the case in which in the case of perfectstate information and no disturbance inputs.Given , define the set

s.t.(3)

The set is the set of all initial states such that there exists adisturbance signal whose corresponding output trajectory inter-sects the bad set when the input signal is fixed to . This set is thebackward reachable set of under fixed control signal .Theorem 1: Consider an input/output order preserving

system with . Then, if and only ifor .

Proof: Since if and only if, the statement of the theorem can be rephrased as:if and only if and

. This is what we prove, that is,that there is no control input signal if and only if both extremalcontrol signals take some output trajectory into .If , then for all we have

. Hence, and.

Now, we proceed to prove that ifand then . As-

sume , , , andare such that and

. Let . By continuity ofthe output flow with respect to time and Assumption 1,there exists such that . More-over, since is an input/output order preserving system, wehave that . If then

. Since and ischosen arbitrarily, . Hence, the theorem is proved. Oth-erwise, define ,

and, and

and . Since is input/output order pre-serving, we must have that . Following thesame argument for the point , we have .Without loss of generality, one can assume . Then

. If then thetheorem is proved. Otherwise,

. To proceed, define the fol-lowing mapping. For , , , and

, let be such that. Define the map

as , in which we think ofand as fixed parameters. Given , the map determinesthe intersection of the line and the path .Given Assumption 1 and the continuity of with respect totime, for all and with ,there exists a unique such that .

Hence, the mapping is a function. It can also be shownthat this function is continuous with respect to its argumentsand by the continuity of the flow. According to Assumption1, and openness of the sets and ,we have . Hence, .From , we have .Since is connected, is connected, and is contin-uous, we have that is connected. Since

, we have . Therefore,. Hence, ,

which implies .Theorem 1 implies that to check whether , it is suf-

ficient to only consider the trajectories of the system with con-stant inputs and . In particular, one can check member-ship of in by simply checking whether either of the fixedsignals and keep all the outputs outside . If noneof the extremal signals can keep the outputs outside of the badset, no other open loop control can. This dramatically reducesthe computational demand since it removes the need to searchfor all possible control signals to determine whether a set is amember of .Consider now system , in which

are input/output order preserving with scalar output .For with , define and usesuperscript for all signals, states, and outputs of system .Also define the bad set for system as .Since are connected, we have that is an interval.Since systems are input/output order preserving, system

is also input/output order preserving according to Def-inition 1 with minimal and maximal input values given by

and , respectively, accordingto the cone and , andminimal and maximal control signals given byand for all , respectively. For systems

, and a given wedefine the set

s.t.

(4)

Theorem 2: Given system , in whichare input/output order preserving with . Then

if and only if there existwith , such that

or (5)

Proof: We first prove that if , then (5) does not hold.If , then for all we have

. Therefore, for all and , forsystem the output trajectory intersects ,i.e., (5) does not hold.Second, we prove that if (5) does not hold, then .

Given an arbitrary signal , we wantto show that . The proof proceedsin two steps. First we show that for all and

,

(6)Then using (6), we show that there exists such that forall , , which will beshown to be equivalent to .


According to Definition 1, we have that, , .

Therefore, for system , belongs tothe rectangle defined by opposite verticesand . Since output trajectories are strictlyincreasing with respect to time according to Assumption1, the output trajectories generated by and enve-lope all trajectories from below and above, respectively.Therefore, Definition 1 holds for system when theinput space is ordered with respect to the cone

and . From (5)not holding, we have that there exists such that

and.

Therefore, applying Theorem 1 to system , for any arbitrarycontrol signal , there exists such that

(7)

According to Assumption 1, trajectories and are strictlyincreasing with respect to time. Moreover, since is con-nected, the flow is continuous with respect to time and withrespect to initial state and disturbance signal, we have that

and are intervals.Therefore, there are time intervals and

such that

if and only if (8)

if and only if (9)

According to (7), there exists such thatand

. Hence, from (8) and (9), we have that . Sinceand were arbitrarily chosen, for all ,

. Therefore, for all. Define , for

all , . Hence, according to(8) and (9), for all . Bydefinition, we have . Therefore, for all

, . Since,and

, we have .Since is any arbitrary control signal, we have .This result implies that to check membership of in , it

is enough to check for all non-repeated pairs of sys-tems whether intersect both and .If there is at least one pair for which these two sets are notboth intersected, then . Explicit checks to determine thisintersection are given in Section V.

A. The Case of Perfect State Information and No DisturbanceInput

In the case in which the state is exactly measured and no dis-turbance inputs are present , Theorem 2 can be ex-tended to the case in which some of have two-dimensionaloutput . Let then be the dimension of theoutput space for system and define . In thiscase, the th element of the output vector of , denoted by, corresponds to a system with output . If the dimension

of the output space of system is one then and ifthe dimension of the output space is two then either or

. For , , let and be thesystems corresponding to and , respectively. We define thesystem as follows:• If , then , , and

.• If , then , , and .

We introduce the following additional assumption.Assumption 2: For all those systems with , we

have the following propertiesi) For all

, for all, , where the in-

equalities are defined with respect to the cone.

ii) There exists such that,

and , 2 for all , , and .iii) The bad set is a rectangle.

Assumption 2(i) implies, in particular, that is input/outputorder preserving, but it has a stronger requirement. It requiresthat extremal output trajectories “envelop” all others time-wiseas opposed to just geometrically in the plane (Definition 1). Welet denote the th interval of . If , thenand therefore it is input/output order preserving according toDefinition 1. If , then will be a system with twooutputs, one corresponding to an output of system and theother corresponding to an output of system . For systemto be input/output order preserving according to Definition 1we define its maximal and minimal inputs and as fol-lows. If , , , setand . If , , , set

and . If , ,, set and . If ,, , set and .

If , , . The maximal and minimal inputsignals are and for all ,respectively.Once perfect state information is available and no disturbance

is present, i.e., , the maximal safe controlled invariant setfor system takes the following form:

s.t.(10)

Given , the set defined in (3) also modifies to

(11)

Similarly, for a given , the set defined in (4) for systemwith takes the form

(12)

Theorem 3: Let , in which can haveoutput , it is input/output order preserving, and satisfiesAssumption 2. Then, if and only if there exist

with such that .Proof: First we prove that if thenfor all with . If , then

according to (10), for all with , and, . Therefore, there exists such

that for all , so that


for all . Second, we prove thatif for all , then .Given an arbitrary signal , we want

to show that . The proof proceeds in twosteps. First we show that for all and

(13)

Then, using (13), we show there exists such that. This is equivalent to .

Depending on the choices of and , two cases may occur:Case (a): and are trajectories corresponding to a sub-system, i.e., there exists such that .Case (b): and are trajectories corresponding to two dif-ferent subsystems. Note that Case (a) occurs if for system ,

, , and . In the following, weconsider Case (a) and Case (b) separately.We first introduce the following definition. Let correspond

to system and correspond to system . According toAssumption 2(ii), trajectories and are strictly increasingwith respect to time. Therefore, there are time intervals

and such that

if and only if (14)

if and only if (15)

Case (a): If for all , wehave and . Therefore,

. Similarly, we have . Fromthese and Theorem 1, we have

(16)

Since and , (16) leads to (13) forall .Case (b): Now we show that (13) holds when and

are trajectories corresponding to two subsystems and ,respectively. If , then . If , then either

or . According to Assumption 2, if wehave ,

, , and if we have that,

, , for . Let .Then, system is input/output order preserving accordingto Definition 1 when the input space is orderedwith respect to the coneand with appropriate choice of

and . Let and denote the minimal and max-imal point of . Depending on the values of and, the pair of the minimal and maximal points, , is oneof the pairs , ,

, or . Fromfor all , we have that

the trajectories, corresponding to maximal and minimal controlsignals in the control space intersect .Therefore, Theorem 1 holds for system . Consequently,according to Theorem 1, (13) holds.Considering Cases (a) and (b), we know (13) holds.

Namely, there exists such thatand . Hence, according to (14) and (15),

and . Consequently, we have that for all, . Therefore, for

all . Defining ,for all , . Hence, according to (14)and (15), for all , .Therefore, .

IV. SOLUTION TO PROBLEM 2: THE CONTROL STRATEGY

First, we solve Problem 2 for the case in which is an input/output order preserving system with . Then, we exploitthis result to provide the solution to Problem 2 for the parallelcomposition of input/output order preserving systems. Specifi-cally, consider the following set-valued map :

ifand

ifand

ifand

otherwise(17)

then, we have the following result.Theorem 4: Let be an input/output order preserving

system. Let be a compact set such that . If

(18)

then for all .Proof: Define and note that

if and only if .Therefore, we prove the result for the latter.We introduce a fictitious control strategy that is the same as

the control strategy (17) as long as the state estimate set doesnot intersect the sets and simultaneously. The intro-duced fictitious control strategy is different from (17) only if

and . Since is equivalent byTheorem 1 to or , it will be shown thatthe latter implies that does not intersect the sets andsimultaneously, under the fictitious control strategy. Hence, theactual control strategy (17) also prevents from intersectingboth and at the same time and therefore is kept inand, as a consequence, does not intersect .The fictitious control strategy is a map with memory defined

as follows:

ifand

if

andif

andif or

otherwise(19)


where or .We first show that with the control law

(20)

the statement of the theorem holds.Assume and let be the control signal that com-

plies with (20). If for all , , orthen the proof is complete. Otherwise,

there is a time such thatand , Define as

. Since is open by thecontinuity of the flow and openness of , from Lemma 1 inAppendix we have . Now, we show that

(21)

By contradiction argument, assume that. By Lemma 1 in Appendix, we have that

. Since is compact, there exists suchthat

(22)

Since is upper-hemicontinuous (by the continuity of theflow), there exists such that for all ,

. Since, according to (22),

we have

(23)

Hence, for all , whichcontradicts the definition of . Therefore, (21) holds.Let be defined as

. With a similar argument applied to , we havethat and .We then have three possible cases: , , or . Weconsider the first case where . According to the definitionof , for all , we have that .Therefore, . Moreover, from (21) wehave and . Ac-cording to (20), . Moreover (Lemma 1 in Appendix),for all ,

(24)

Then, by control law (20), , for .Since, , with controlsignal for and , we have that

, for . Moreover,for , .Therefore, for , , whichcontradicts (24). Therefore, under the control law (20),

or , for all. Hence, under control law (20), ,

for all . The cases where or can be treatedin a similar way.Hence, under the control law (20) the last condition in (20)

will never occur. Therefore, it can be substituted bywhich results in the control law (18) with the same property

as (20). That is, under control law (18), ,for all .According to this theorem, the map (17) used as a feedback

control law from the current state estimate guaranteesthat is kept in and the output corresponding to the cur-rent state estimate never intersects the bad set. The employmentof a closed-loop control as opposed to an open-loop control al-lows for less conservative controllers. In fact, while the initialstate uncertainty may require restricting the control actionsfrom to or , for example, the current state estimate

may very well not require the same restriction.When with input/output order pre-

serving systems, consider system and the sets defined in (4).Define the set valued map as follows:

if

andif

and

if

and

otherwise.(25)

Given the set of states for system ,define the set of pairs , , as follows:

or (26)

According to this definition, if the set of statesof system with bad set belongs to the

corresponding maximal safe controlled invariant set.The control map for system is defined as follows:

s.t. (27)

Theorem 5: Let with input/outputorder preserving systems. If some we also let Assump-tion 2 hold, , and perfect state information. Let the set ofinitial states be a compact set such that . If

(28)

then for all .Proof: Note that if and only if

, with . Therefore, we provethe theorem for the latter. By virtue of Theorem 2 and Theorem3, we have that is equivalent to . Assumethere exists such that

(29)

Let and define. We first show


that . Considering as the measure-ment signal and the estimated state of system , de-fine ,or . According to (26)

(30)

Since and are open sets, according to Lemma 1 inAppendix, for all ,

, or . Therefore,from (30), we have .We proceed by introducing a fictitious control strategy that is

the same as (28) as long as . We provethat for all and thereby theproof is complete. The fictitious control strategy is a map withmemory as follows:

ifotherwise

(31)

where is such that for somewith . According

to (31), for we have

(32)

By (26) and Theorem 4, system is such thator

for . This contradicts (29). Therefore, underfictitious control strategy (31), and consequently under (28) wehave for all .Control law (27) determines all possible inputs that can

be applied while avoiding that intersects andfor all . In particular, for restricting the control input ,it is required that for all pairs the control input isrestricted. In this case, only one pair of components of willneed to be restricted, so that all that can be applied are thosein which one pair of components are restricted accordingto . As long as there is one pair of components forwhich , we have that .

V. ALGORITHM IMPLEMENTATION

When is an input/output order preserving system or when itis the parallel composition of input/output order preserving sys-tems with scalar output, Theorem 1 and Theorem 2 determinewhether a set is in by checking whether intersects thesets . Furthermore, to implement the control strategy of The-orem 4 and of Theorem 5, we need a procedure to determinewhether intersects the set or its boundary .In order to provide this procedure, we introduce one additionalstructural assumption on the input/output order preserving sys-tems .Assumption 3: There is a partial order in the state space

and on the disturbance space with the properties:i) There are and such that

for .ii) There are disturbance signals and such that forall we have that and .

iii) For all , , initial state , wehave that—

if and—

if .The first item of this assumption requires that the state spaceis also equipped with a partial order and that the set has amaximum and a minimum in this partial order. The second itemrequires that the disturbance space is also equippedwith a partialorder and that the space of disturbance signals has a minimumand a maximum in the associated partial order. The third itemrequires that extremal output trajectories obtained with extremalinitial conditions in and extremal disturbance signals envelopall possible output trajectories. This property is also weaker thanthe properties required in earlier works [36], in which it wasrequired that the flow was an order preserving map with respectto all its arguments.Theorem 6: Let be an input/output order preserving system

with Assumption 1 and let Assumption 3 also hold for . Letthe set be compact and let be an arbitrary control signal.Then if and only if or

.This theorem states that a set does not intersect if and

only if with input the output trajectory obtained with maximaldisturbance signal and maximal initial condition flows belowthe bad set or if the output trajectory obtained with minimaldisturbance signal and minimal initial condition flows abovethe bad set. By virtue of Assumption 1, according to which theoutput flow does not stop, the check of the above theorem canbe performed in finite time, that is, in the time required to havethe first component of the output trajectory become greater than. This simple check to determine intersection of with is

all it is required for the implementation of the control strategy.According to this result, we only need to calculate two ex-

tremal finite time trajectories for each of the two extremal con-trol inputs, for systems. Therefore, the compu-tational demand is of order , being the dimension of theoutput space of system . Note that in the case in which thecurrent state estimate does not include its supremum or its in-fimum, the provided checks to determine membership in areconservative. The extent of conservatism is directly determinedby the distance between the supremum (infimum) and the set .

VI. APPLICATION EXAMPLE I: SHIP MANEUVERING

As an example to illustrate the application of the proposedalgorithm, we consider a system that is input/output order pre-serving, has imperfect state information and disturbance input.Specifically, we consider the problem of steering a ship froman initial position to a desired target position, where an obstaclemust be avoided. The following ship model, taken from [46], isconsidered:

(33)


Fig. 2. (a) Ship coordinate system. The obstacle on the path of the ship is a line segment that connects point to the point . (b) Parametervalues.

where is the ship position [in nautical miles (nm)] inthe plane, is the heading angle, is the yaw rate, andis the forward velocity. The two control inputs are: the rudderangle and the propeller thrust . Fig. 2(a) represents the shipwith the coordinates. The model parameters are summarized inTable I [Fig. 2(b)]. With these parameters, the ship has a max-imum speed of for a maximum thrustof 0.215 . The maximal rudder angle is 35 degrees,i.e.,

(34)

With constant propeller thrust , and the effect of headingvelocity on the speed of the ship being negligible, the speedof the ship is assumed to be constant at .Therefore, for the forward velocity , we have thatfor all . Moreover, according to Table I, . Hence,the model is reduced to the following:

(35)

Without loss of generality, we assume that the ship moves fromthe origin heading toward a target in the first orthant. The ini-tial heading angle is and the ship initially is headingtoward the target, moving toward the middle of the obstacle.The ship heading angle and heading velocity are initiallyknown with uncertainty of and , respectively. The po-sition of the ship is initially known with an uncertainty of .Specifically,

and , whereis the measurement and m, degrees and

rad/s. The bad set is.

A. Order Preserving Property of the Ship

In this section, we first approximate the dynamics (35), bytreating in the first two equations of (35) as a disturbance.Then we show that this approximate model is input/output orderpreserving according to Definition 1.

Considering (35), we have that .Let be such that . Consideringthe saturation constraint (34), for we have that

. Similarly, for, we have that . Therefore, for all , the

set is an attracting invariant set and forthe dynamics (35), we have , where rad/s.Since , we consider in the first two equations of(35) as a disturbance input that is bounded, i.e., .System (35) then modifies to the system given by

(36)

Transforming the system output to radial coordinatesgiven by and . Thedynamics of system (36) in the new coordinates is given by

(37)

In these new coordinates, where, ,

, , isthe vector field in (37), . We are only interested inthe truncated trajectories where . Because, sincethe bad set is connected, it is not possible for the trajectoriesto intersect , while , with both extremal controlinputs (rudder angles) and . In other words, if the ship isreturning to the origin, it has already avoided collision with thebad set. Confining the trajectories to , we can showthat system (37) is input/output order preserving according toDefinition 1 by directly using the algebraic checks of [37].It is possible to show that also Assumption 3(iii) withis satisfied, that is, that output trajectories are enveloped by

those obtained with maximal and minimal disturbancesand . To see this, note that dynamics (36)

imply that the velocity vector in the plane is given


Fig. 3. Ship trajectory and sets and in the position space corre-sponding to different heading angles and yaw velocities. The bad set is theblack part line. Four different time instants are depicted: (a) shows the time in-stant where , , , and

. According to control law (18), either or can be ap-plied.We applied . Subplots (b) and (c) show when ,

, and , so that must be applied. Subplot(d) shows when the set passes the obstacle.

by , in which and

. Since is perpendicular to

and , the extremal distur-bances generate perpendicular disturbance velocity vectors thatresult in extremal trajectories that envelop all possible outputtrajectories. Therefore, for a fixed signal, all trajectories areenveloped by those generated by and .The control strategy is implemented as detailed in the first

three algorithms of Section V. To do so, we “inflated” the setby the uncertainty on the output variables and considered a

single value for the output as given by the center of the setof possible outputs. This removed the need for the flow of thesystem to preserve the orderingwith respect to initial conditions.Fig. 3 shows the trajectory of the ship and the position uncer-

tainty as it approaches the bad set, slides on the border of thesets and , and adopts the control signal until theship passes the bad set. As it can be seen in Fig. 3(c), the stateestimate passes fairly close to the bad set, indicating thatthe approximation of as a bounded disturbance did not intro-duce substantial conservatism.

VII. APPLICATION EXAMPLE II: HELICOPTER NAVIGATIONAMONG OBSTACLES

In this section, we consider the safety control problem fora system that can be described by the parallel composition ofinput/output order preserving systems. Specifically, we consideran helicopter navigating among buildings in a city and seek todesign a supervisor that enforces safe control actions to preventcollisions with buildings.We consider the helicopter model introduced in [47], which

is full state linearizable with respect to velocity and heading

angle. The helicopter is modeled as a rigid body subject to ex-ternal forces and torques originating from the propellers. Letand be force and torque with respect to body coordi-

nate frame. Let , in which Euler angles , ,and are rotation angles about the , and axis, respec-tively. Let denote the rotation matrix of thebody axes relative to the spatial axes . Therefore,

where are skew-sym-metric matrices representing rotations , , and about , ,and , respectively. Let and denote the position and ve-locity, respectively, of the center of mass with respect to a fixedcoordinate frame. Let denote the body angular velocity inbody coordinate frame. According to Euler–Newton equations,the equations of motion are given by

where is the inertial matrix and

The force and torque in body-fixed coordinates are given by

and

where , , and are forces, , , and aretorques generated by the main rotor and and are forceand torque generated by the tail rotor, respectively. The forcesand torques generated by the main rotor are controlled by ,, and , in which is the force generated by the main

rotor and , and , are the longitudinal and lateral tilt ofthe tip path plane of the main rotor with respect to the shaft,respectively, while are constants. Thetail rotor is considered as a source of pure lateral forceand anti-torque , which are controlled by . We also have

, ,, ,

, ,and . In these equations,and , and , ,

, , and are constants. For the inputs, we have, , , and

. All other constants are provided in [47].Fig. 4 shows the helicopter body-fixed coordinate frame. Asshown in [47], by choosing as the output


Fig. 4. Body-fixed coordinate frame of the helicopter.

and applying the decoupling algorithm [48], the system takesthe form

where , , , andare functions of the states . Let

. Since is invertible for all values of the states([47]), if the control inputs , , and are

such that , then with respect to the new controlinput we have four decoupled systems , ,

, .By setting , is tracked

to so that we can use , , to control the posi-tion. We design closed-loop systems

,where the coefficients are chosen such that the polynomial

has roots with strictly negative realparts, chosen, in particular, equal to , isthe input and is the state ofsubsystem . Hence, we have ,

in which , ,for some and , , ,

with, and the output map is given by . Systems ,

are input/output order preserving. Fig. 5(a) showsthe trajectory of the helicopter avoiding a building while underthe control strategy (28). Note that the capture set is 15 dimen-sional. The figures show the capture set of the building in outputspace corresponding to the current value of the speed and itsderivatives. Fig. 5(b) shows the capture set in output space atone specific time from different views. Fig. 6(a) shows the he-licopter maneuvering among three buildings, each of which ismodeled as the product of three intervals. Therefore, we havethree rectangle bad sets in the output space of system . Specif-ically, we have building1: ,building2: , and building3:

Fig. 5. (a) Capture set in position space corresponding to the current values ofthe velocity and its derivatives at three different time instants. In each subplot,the trajectory up to the current time is depicted in red. (a)-A shows the timeinstant in which the trajectory hits the boundary of the capture set, (a)-B showsa time at which the vehicle is controlled by the supervisory control and slidesalong the border of the capture set, (a)-C shows the trajectory that slides on theborder of the capture set until it passes the building. (b) shows the capture set in(a)-B viewed from different angles.

. The helicopter navigates to-ward its final target while avoiding the buildings. For each ofthese buildings we have a capture set (not shown), which thecontrol strategy (28) avoids. Note that to guarantee that the he-licopter can avoid all of the buildings, the speeds should be keptat sufficiently low values so that the capture sets of the buildingsin the position space do not intersect with each other. Fig. 6(b)shows the control efforts. The three bumps in the control signalscorrespond to safe control being enforced so to avoid enteringinto the capture set of the first, second, and third building. In allcases, the control effort does not exceed the prescribed bounds.For simplicity of illustration, perfect state information was

assumed in this example since feedback linearization was usedon the original model. In the presence of imperfect state infor-mation, the calculation of from will be subject to boundederror. This bounded error can be treated as a bounded distur-bance and directly accounted for in the design of the controlas we have detailed in the paper. This, however, is beyond thescope of the current example.

VIII. CONCLUSION

In this paper, we have considered control under safety speci-fications for systems with imperfect state information, in whichthe flow preserves some ordering between the input and theoutput. Under these order preserving properties, we providedan explicit characterization of the open loopmaximal control in-variant set (MCIS), or equivalently, of the capture set given a setof bad states to be avoided. Accordingly, we provided an explicitconstruction of a control strategy that keeps the system state


Fig. 6. Trajectory of the helicopter maneuvering among (a) three buildings and (b) control signals.

within the MCIS (outside of the capture set) at all times. Thealgorithms for both determining whether a set of system statesbelongs to theMCIS and for evaluating the control strategy havea complexity that is at most quadratic with the dimension of thestate space. Systems whose flow preserves an ordering betweenthe input and the output are found in a number of applicationdomains from biology to engineering. In this paper, we have il-lustrated the implementation of the proposed algorithms in twoapplications, one involving a ship maneuver to avoid an obstacleand the other involving an helicopter navigating in a city whileavoiding buildings. In both cases, the system models and pa-rameters were taken from domain-specific literature.Future work includes extending the techniques proposed in

this paper to apply to general systems that are not necessarilyinput/output order preserving, but that can be approximatedby input/output order preserving systems. Also, the problemof making the proposed algorithms robust to input delays andcommunication delays needs to be addressed. Promising resultshave been obtained in these directions in the context of vehiclecollision avoidance at traffic intersections [43], but a rigoroustheoretical framework has yet to be developed. Similarly, weseek to extend our results to when the bad set is not fixedbut evolves dynamically as this could be used in a number ofapplications in transportation systems. This case can be treatedby assuming a dynamic model for how the bad set moves andby taking the system into bad set-fixed coordinates.

APPENDIX

A cone is a set that is closed under multiplicationby positive scalars and . A set is partially orderedwith respect to “ ” if for all , pro-vided . Let be an ordered Banach space withrespect to a cone and let be the norm in Banach space. Given Banach space , , and ,

. Given a Banach space and, denotes the set of all piece-wise continuous func-

tions . For , we let denotethe infimum (supremum) of with respect to the partial order

of . Given a Banach space and , denotesthe set of all measurable functions . Once ispartially ordered, and are partially ordered such thatfor , if and only iffor all . We equip the sets and with thenorm . If , then denotesthe th element of the vector . For any set and ,

. For and ,denotes the distance of from .

A family of non-empty compact subsets of is denoted by. For , denotes the closure of . For

any set , we denote the power set of by and it is theset of all subsets of . Given two sets ,

and is the Minkowski sum of the twosets. A mapping is said upper-hemicon-tinuous at if for all , there exists suchthat for all we have that .A mapping is lower-hemicontinuous at

if for all , there exists such that for allwe have that . A map-

ping is said lower-hemicontinuous (upper-hemicontinuous) if itis lower-hemicontinuous (upper-hemicontinuous) at all pointsin [6].Lemma 1: Let be an open set such thatand for some compact set and .

Then, , where

(38)

Proof: We proceed by contradiction argument and assumethat . Therefore, there exists and

such that . Since is the mea-surement map, and for all , .From (1), for all .Since is open and , there existssuch that . By continuity of the flowwith respect to time, there exists such that for all

, . Hence,


. This contradicts (38).Therefore, we must have that .Proof of Theorem 6: The output trajectory partitions

the space into three sets. The trajectory, the set of allpoints above the trajectory, and the set of all points below it,defined in the following

and, and

and . We know thatif and only if

and if and only if.

A. We prove that if orthen . Assume

(39)

According to Assumption 3, for all , and ,for all , , and

. Therefore, it follows that

(40)

Since is open, from (39), we have .Therefore, considering (40), and the fact that

, we have .Namely, . With a similar argument, if

, then andtherefore .B. We prove that if , then

or . Proceedingby contradiction argument, assume there exists suchthat

(41)

By Assumption 3, we have that. Hence, the trajectories

and divide into thesets: ,

, and. Set is the set

of all points between the trajectories and, is the set of all points on and above the

trajectory , and is the set of all points on andbelow the trajectory .In the sequel, we show that for all points , there exists

an initial state and a disturbance such that. Moreover, all trajectories are confined inside .

Hence, we show in the sequel that ifand , then from whichwe conclude that . Since

, we have that , so that

.With the same argument we have that

. From (41),we may face two cases: or .

Assume and let be defined as in the proof of The-orem 1. Then, .Since is continuous and , and are connected,there exists and , such that. That is, and conse-

quently . Hence, .If then, since is open, .

Also, according to (41), .Since is connected, the union of the two open sets

and does not covers .Hence, . Hence, whichis a contradiction.

REFERENCES

[1] H. S. Witsenhausen, “A minmax control problem for sampled linearsystems,” IEEE Trans. Autom. Control, vol. AC-13, no. 1, pp. 5–21,Feb. 1968.

[2] D. P. Bertsekas and I. B. Rhodes, “On the minmax reachability of targetsets and target tubes,” Automatica, vol. 7, no. 2, pp. 233–247, 1971.

[3] J. D. Glover and F. C. Schweppe, “Control of linear dynamic systemswith set constrained disturbances,” IEEE Trans. Autom. Control, vol.AC-16, no. 5, pp. 411–423, Oct. 1971.

[4] D. P. Bertsekas, “Infinite-time Reachability of state-space regions byusing feedback control,” IEEE Trans. Autom. Control, vol. AC-17, no.5, pp. 604–613, Oct. 1972.

[5] F. Blanchini, “Set invariance in control,” Automatica, vol. 35, no. 11,pp. 1747–1767, 1999.

[6] J. Aubin, Viability Theory. Boston, MA, USA: Birkhäuser, 1991.[7] C. Tomlin, G. J. Pappas, and S. Sastry, “Conflict resolution for air

traffic management: A study in multiagent hybrid systems,” IEEETrans. Autom. Control, vol. 43, no. 4, pp. 509–521, Apr. 1998.

[8] J. Lygeros, C. J. Tomlin, and S. Sastry, “Controllers for reachabilityspecifications for hybrid systems,” Automatica, vol. 35, no. 3, pp.349–370, 1999.

[9] C. Tomlin, J. Lygeros, and S. Sastry, “Synthesizing controllers fornonlinear hybrid systems,” in Hybrid Systems: Computation andControl. New York, NY, USA: Springer, 1998, vol. 1386, LectureNotes in Computer Science, pp. 360–373.

[10] C. J. Tomlin, J. Lygeros, and S. Sastry, “A game theoretic approach tocontroller design for hybrid systems,” Proc. IEEE, vol. 88, no. 7, pp.949–970, Jul. 2000.

[11] I. Mitchell and C. J. Tomlin, “Level set methods for computation inhybrid systems,” in Hybrid Systems: Computation and Control. NewYork, NY, USA: Springer, 2000, vol. 1790, Lecture Notes in ComputerScience, pp. 310–323.

[12] C. J. Tomlin, I. Mitchell, A. M. Bayen, and M. Oishi, “Computationaltechniques for the verification of hybrid systems,” Proc. IEEE, vol. 91,no. 7, pp. 986–1001, Jul. 2003.

[13] A. Chutinam and B. Krogh, “Verification of polyhedral-invarianthybrid automata using polygonal pipe approximations,” in HybridSystems: Computation and Control. New York, NY, USA: Springer,1999, vol. 1569, Lecture Notes in Computer Science, pp. 76–90.

[14] S. Rakovic, E. C. Kerrigan, D. Q. Mayne, and J. Lygeros, “Reach-ability analysis of discrete-time systems with disturbances,” IEEETrans. Autom. Control, vol. 51, no. 4, pp. 546–561, Apr. 2006.

[15] M. Althoff, C. Le Guernic, and B. H. Krogh, “Reachable set compu-tation for uncertain time-varying linear systems,” in Hybrid Systems:Computation and Control. New York, NY, USA: Springer, 2011, pp.93–102.

[16] C. Le Guernic, “Reachability analysis of hybrid systems with linearcontinuous dynamics,” Ph.D. dissertation, Univ. Joseph Fourier, Saint-Martin-d’Hères, France, 2009.

[17] A. Kurzhanski and P. Varaiya, “Ellipsoidal techniques for reachabilityanalysis,” in Hybrid Systems: Computation and Control. New York,NY, USA: Springer, 2000, vol. 1790, Lecture Notes in Computer Sci-ence, pp. 203–213.

[18] A. Girard, “Reachability of uncertain linear systems using zonotopes,”in Hybrid Systems: Computation and Control. New York, NY, USA:Springer, 2005, vol. 3414, Lecture Notes in Computer Science, pp.291–305.


[19] A. Girard, C. Le Guernic, and O. Maler, “Efficient computation ofreachable sets of linear time-invariant systems with inputs,” in HybridSystems: Computation and Control. New York, NY, USA: Springer,2006, vol. 3927, Lecture Notes in Computer Science, pp. 257–271.

[20] G. Laferriere, G. J. Pappas, and S. Yovine, “A new class of decidablehybrid systems,” in Hybrid Systems: Computation and Control. NewYork, NY, USA: Springer, 1999, vol. 1569, Lecture Notes in ComputerScience, pp. 137–151.

[21] G. Laferriere, G. J. Pappas, and S. Yovine, “Symbolic reachability com-putation for families of linear vector fields,” J. Symb. Comput., vol. 32,no. 3, pp. 231–253, 2001.

[22] R. Ghosh and C. Tomlin, “Symbolic reachable set computation ofpiecewise affine hybrid automata and its application to biologicalmodeling: Delta-notch protein signalling,” IET Syst. Biol., vol. 1, no.1, pp. 170–183, 2004.

[23] A. Tiwari, “Termination of linear programs,” in Hybrid Systems:Computation and Control. New York, NY, USA: Springer, 2004,vol. 3114, Lecture Notes in Computer Science, pp. 70–82.

[24] H. Anai and V.Weispfenning, “Reach set computation using real quan-tifier elimination,” in Hybrid Systems: Computation and Control.NewYork, NY, USA: Springer, 2001, vol. 2034, Lecture Notes in Com-puter Science, pp. 63–76.

[25] A. Dolzmann and T. Sturm, “REDLOG: Computer algebra meets com-puter logic,” Univ. Passau, Fakultät Für Mathematik und Informatik,Passau, Germany, Tech. Rep. MIP-9603, 1996.

[26] G. Collins and H. Hong, “Partial cylindrical algebraic decompositionfor quantifier elimination,” J. Symb. Comput., vol. 12, pp. 299–328,1991.

[27] E. Frazzoli, M. A. Dahleh, and E. Feron, “Real-time motion planningfor agile autonomous vehicles,” AIAA J. Guidance, Control, Dynamics,vol. 25, pp. 116–129, 2002.

[28] E. Frazzoli, M. A. Dahleh, and E. Feron, “Maneuver-based motionplanning for nonlinear systems with symmetries,” IEEE Trans. Robot.,vol. 21, no. 6, pp. 1077–1091, Dec. 2005.

[29] Z. Sun, Y. Liu, and X. Xie, “Global stabilization for a class of high-order time-delay nonlinear systems,” Int. J. Innovative Comput., Inf.,Control, vol. 7, no. 12, pp. 7119–7130, 2011.

[30] L. Yao and H.-K. Wen, “Design of observer based adaptive PID con-troller for nonlinear systems,” Int. J. Innovative Comput., Inf., Control,vol. 9, no. 2, pp. 667–677, 2013.

[31] R. B. Messaoud, N. Zanzouri, and M. Ksouri, “Local feedbackunknown input observer for nonlinear systems,” Int. J. InnovativeComput., Inf., Control, vol. 8, no. 2, pp. 1145–1154, 2012.

[32] L. Zhang, P. Shi, and M. Liu, “Stability and stabilization of switchedlinear systems with mode-dependent average dwell time,” IEEE Trans.Autom. Control, vol. 57, no. 7, pp. 1809–1815, Jul. 2012.

[33] R. Verma and D. Del Vecchio, “Safety control of hidden mode hybridsystems,” IEEE Trans. Autom. Control, vol. 57, no. 1, pp. 62–77, Jan.2012.

[34] D. Del Vecchio, “Observer-based control of block triangular discretetime hybrid automata on a partial order,” Int. J. Robust Nonlinear Con-trol, vol. 19, no. 14, pp. 1581–1602, 2009.

[35] D. Del Vecchio, M.Malisoff, and R. Verma, “A separation principle fora class of hybrid automata on a partial order,” in Proc. Amer. ControlConf., 2009.

[36] M. R. Hafner and D. Del Vecchio, “Computational tools for the safetycontrol of a class of piecewise continuous systems with imperfect in-formation on a partial order,” SIAM J. Control Optimiz., vol. 9, no. 6,pp. 2463–2493, 2011.

[37] D. Angeli and E. D. Sontag, “Monotone control systems,” IEEE Trans.Autom. Control, vol. 48, no. 10, pp. 1684–1698, Oct. 2003.

[38] R. Ghaemi and D. Del Vecchio, “Safety control of piece-wise contin-uous order preserving systems,” in Proc. IEEE Conf. Decision Control,2011, pp. 545–551.

[39] D. Bertsekas, “Dynamic programming and suboptimal control: Asurvey from ADP to MPC,” Eur. J. Control, vol. 11, pp. 310–334,2005.

[40] D. Angeli and E. D. Sontag, “Interconnections of monotone systemswith steady-state characteristics,” in Optimal Control, Stabilizationand Non-Smooth Analysis. New York, NY, USA: Springer, 2004,vol. 301, Lecture Notes in Control and Information Science, pp.135–154.

[41] D. Angeli and E. D. Sontag, “Oscillations in I/O monotone systemsunder negative feedback,” IEEE Trans. Circuits Syst., vol. 55, no. 1,pp. 166–176, Jan. 2008.

[42] R. Raffard, S. Waslander, A. Bayen, and C. Tomlin, “A cooperativedistributed approach to multi-agent Eulerian network control: Applica-tion to air traffic management,” in Proc. AIAA Guidance, Nav., ControlConf. Exhibit, 2005.

[43] M. Hafner, D. Cunningham, L. Caminiti, and D. Del Vecchio,“Cooperative collision avoidance at intersections: Algorithms andexperiments,” IEEE Trans. Intell. Transport. Syst., vol. 14, no. 3, pp.1162–1175, Sep. 2013.

[44] B. A. Davey andH. A. Priesteley, Introduction to Lattices andOrder.Cambridge, U.K.: Cambridge Univ. Press, 2002.

[45] S. Lavalle, Planning Algorithms. Cambridge, U.K.: CambridgeUniv. Press, 2006.

[46] M. H. Casado, A. Fernandez, and J. Iglesias, “Optimization of thecourse in the ship’s movement by input-output linearization,” in Proc.IFAC Conf. Control Applicat. Marine Syst., 2001.

[47] T. J. Koo and S. Sastry, “Output tracking control design of a helicoptermodel based on approximate linearization,” in Proc. IEEE Conf. Deci-sion Control, 1998, pp. 3635–3640.

[48] J. Descusse and C. Moog, “Dynamic decoupling for right invertiblenonlinear systems,” Syst. Control Lett., vol. 8, pp. 345–349, 1987.

Reza Ghaemi received the B.S. and M.S. degreesfrom the University of Tehran, Tehran, Iran, in 1998and the Ph.D. degree in electrical engineering fromthe University of Michigan, Ann Arbor, MI, USA, in2001 and 2009, respectively.From 2001 to 2004, he conducted research on

control and monitoring of power electronic sys-tems at the Power Research Institute, Tehran. During2010–2012, he was a Post-Doctoral Researcher at theMassachusetts Institute of Technology, Cambridge,MA, USA. He is now Lead Engineer at General

Electric, Schenectady, NY, USA. His research interests include optimal controltheory and model predictive control.

Domitilla Del Vecchio (M’05) received the Laureadegree in electrical engineering from the Universityof Rome at Tor Vergata, Rome, Italy, in 1999 and thePh.D. degree in control and dynamical systems fromthe California Institute of Technology, Pasadena, CA,USA, in 2005.From 2006 to 2010, she was an Assistant Pro-

fessor in the Department of Electrical Engineeringand Computer Science, University of Michigan, AnnArbor, MI, USA. In 2010, she joined the Departmentof Mechanical Engineering at the Massachusetts

Institute of Technology (MIT), where she is currently an Associate Professor.Her research interests include analysis and control of nonlinear and hybrid dy-namical systems with application to biomolecular networks and transportationnetworks.Prof. Del Vecchio was a recipient of the Donald P. Eckman Award from the

American Automatic Control Council (2010), the NSF Career Award (2007),the American Control Conference Best Student Paper Award (2004), and theBank of Italy Fellowship (2000).

control for safety specifications of systems with imperfect information on a partial order

Documents