Resilient Reachability for Linear Systems

Abstract

A fault-tolerant system is able to reach its goal even when some of its components are malfunctioning. This paper examines tolerance to a specific type of malfunction: the loss of control authority over actuators. Namely, we investigate whether the desired target set for a linear system remains reachable under any undesirable input. Contrary to robust control, we assume that the undesirable inputs can be observed in real time, and subsequently allow the control inputs to depend on these undesirable inputs. Building on previous work on reachability with undesirable inputs, this paper develops a reachability condition for linear systems, and obtains a formula that describes reachability of the goal set for driftless linear systems by computing the minimum of a concave-convex objective function. From this formulation we establish two novel sufficient conditions for resilient reachability.

1. INTRODUCTION

Fault-tolerant systems are required to be resilient to malfunctioning actuators. Among the possible malfunctions, the most widely studied type is actuator failure, which considers an actuator performing with a reduced amplitude or with a fixed unknown magnitude (Tang et al., 2007; Wang and Wen, 2010). Yet, the situation where an actuator becomes unmanageable and produces undesirable, uncontrolled outputs has been less investigated. Such a situation is referred to as loss of control authority over an actuator (Bucić et al., 2018). For instance, a damaged rudder flapping in the wind produces undesirable outputs, but cannot be turned off like a defective engine.

We are interested in the case of a system losing control authority over at least one of its actuators. The desire of this paper is to develop simple verification conditions determining whether the system is still able to reach its initial goal. While computation of a reachable set is a classical problem in control theory (Brockett, 1976; Isidori, 1985) and significant computational work has been performed in order to make finding a solution feasible (see, e.g., Kurzhanski and Varaiya (2000); Girard and Guernic (2008)), classical methods often rely on full knowledge of system state and inputs and cannot be directly applied to the case of loss of control authority.

To handle systems enduring undesirable inputs, the field of robust control aims at guaranteeing strong reachability i.e. finding a control working for any perturbation, and has been widely studied by, e.g., Bertsekas and Rhodes (1971), Bertsekas (1972) and Raković et al. (2006). However, our case of interest does not feature perturbations, but undesirable inputs from one of the very own actuators of the system. In that case, real-time input measurements are usually available, rendering robustness unnecessarily conservative, and calls for a different type of reachability. Namely, we say that a goal is resiliently reachable from an initial state if for any undesirable inputs, there exists a control law — possibly dependent on current undesirable inputs, but with no knowledge of future ones — able to drive the system to the target set. While not referring to it as resilient reachability, Marzollo and Pascoletti (1973) and Mitchell and Tomlin (2003) considered this setting but focused on algorithmic approaches instead of looking for an analytical solution. Delfour and Mitter (1969) transformed the problem of resilient reachability into a minimax formula assessing whether a target set is reachable. While our paper heavily draws from the latter work, their resulting reachability conditions are highly abstract, lack intuition, and are difficult to compute.

This paper aims at extending reachability analysis methods to linear systems with loss of control authority. The contributions of this paper are fourfold. First, we consider the reachability condition of Delfour and Mitter (1969) and develop it into a usable equation describing resilient reachability for linear systems. Second, we tackle the specific case of driftless systems, and derive a computable condition for resilient reachability. Third, we analyze the evolution with time of resilient reachability for driftless systems, and show that the resilient reachability problem can be formulated as a minimax optimization of a concave-convex objective function. Fourth, we establish several sufficient conditions that enable us to avoid solving the developed optimization problem.

The remainder of the paper is organized as follows. Section 2 defines the problem of interest and states the related necessary definitions. Section 3 introduces preliminary results obtained by Delfour and Mitter (1969), upon which we build our theory. In Section 4 we develop a resilient reachability condition for linear systems. Section 5 applies this condition to driftless systems, while Section 6 explores how resilient reachability of a target set evolves with time and establishes a sufficient condition for resilient reachability. A scenario with an underwater robot illustrates our theory in Section 7.

Notation:

We use ∥·∥_X to denote the canonical norm on the space X. For $x=\left(x_1,\dots ,x_n\right)\in {ℝ}^n$, $\Vert x{\Vert }_{{ℝ}^n}=\sqrt{\sum x_i^2}$. The ball of center x and radius ε in the space X is ${\mathbb{B}}_X(x,\epsilon )$. We use ⟨·,·⟩_X to denote the inner product on X. The space of continuous linear maps from X into Y is denoted by $\mathcal{L}(X,Y)$, while ${\mathcal{L}}_2\left([0,T],{ℝ}^m\right)$ or simply ${\mathcal{L}}_2$ denotes the space of the square integrable functions. For a Banach space X, its topological dual space is $X\ast =\mathcal{L}(X,ℝ)$. The dual vector of x ∈ X is x* ∈ X*, and denotes the associated linear form from X to $ℝ$. For $S\in \mathcal{L}(X,Y)$, $S*\in \mathcal{L}\left(Y*,X*\right)$ is the adjoint linear map.

2. PROBLEM STATEMENT

Consider a system’s dynamics $\dot{x}=Ax+D\overline{u}$, where $A\in {ℝ}^{n\times n}$ and $D\in {ℝ}^{n\times (m+p)}$ are constant. Let $G\subset {ℝ}^n$ be the target set (“goal”) to be reached by the system. Assume that, during its mission, the system loses authority over p of its m + p actuators. We can then separate the controlled inputs $u\in {ℝ}^m$ from the undesirable inputs $w\in {ℝ}^p$ by writing $\overline{u}={\left[u^{\top }{w}^{\top }\right]}^{\top }$ and D = [B C], with $B\in {ℝ}^{n\times m}$ and $C\in {ℝ}^{n\times p}$. The system’s dynamics can thus be rewritten as follows:

$$\dot{x}(t)=Ax(t)+Bu(t)+Cw(t),x(0)=x_0\in {ℝ}^n.$$ (1)

The goal of this paper is to find a simple condition that characterizes whether a target set is reachable in a given time for a system undergoing a loss of control authority, regardless of the inputs imposed by the malfunctioning actuators, but with possible real-time knowledge of those inputs. We thus formulate the problems of resilient reachability of G within a time T ≥ 0.

Problem 1.

Determine if, for any undesirable inputs w, there exists a control law u_w driving the system from x₀ to G at time T.

Problem 2.

Determine if, for any undesirable inputs w, there exists a control law u_w driving the system from x₀ to G before the time T.

We note the possible dependence of u_w on the undesirable input w. Unlike the concept of strong reachability in classical robust control (Bertsekas, 1972; Raković et al., 2006), the objective in Problems 1 and 2 is not to a priori design a control law driving the state to the target set for any undesirable inputs, but instead to guarantee that whatever the undesirable inputs are, one can determine a control law dependent on the undesirable inputs to drive the system to its goal. The intuition behind posing such problems is that the system inputs, even if not desirable, can often be measured. In turn, one can counteract undesirable inputs more efficiently when these inputs are known and a subsequent controller can thus handle perturbations of a larger magnitude than a standard robust controller.

The technical work of this paper follows the assumptions of Delfour and Mitter (1969) and considers square integrable inputs over their time domain [0, T]. Namely, if U is the set of admissible control laws and W is the set of undesirable signals, we consider

$$U=\left\{u\in {\mathcal{L}}_2\left([0,T],{ℝ}^m\right):\Vert u{\Vert }_{{\mathcal{L}}_2}\le 1\right\}={\mathbb{B}}_{{\mathcal{L}}_2}(0,1),$$

$$W=\left\{w\in {\mathcal{L}}_2\left([0,T],{ℝ}^p\right):\Vert w{\Vert }_{{\mathcal{L}}_2}\le 1\right\}={\mathbb{B}}_{{\mathcal{L}}_2}(0,1),$$

$$G=\left\{x\in {ℝ}^n:{\Vert x-x_{goal}\Vert }_{{ℝ}^n}\le \epsilon \right\}={\mathbb{B}}_{{ℝ}^n}\left(x_{goal},\epsilon \right),$$

where $x_{goal}\in {ℝ}^n$ and 0 ≤ ε < ∞.

Let us formally define the sets of the initial states from which the system can be driven to G at or before time T:

$$\begin{gathered} X_0^T=\left\{x_0\in {ℝ}^n:\forall w\in W,\exists u\in U:x(T)\in G\right\}, \\ {X}_0^{\le T}=\left\{x_0\in {ℝ}^n:\exists t\in [0,T]:x_0\in X_0^T\right\}. \end{gathered}$$ (2)

We can now define the notion of resilient reachability associated with our problems:

Definition 1.

The target set G is resiliently reachable from x₀ in time t if $x_0\in X_0^T$.

Definition 2.

The target set G is resiliently reachable from x₀ by time T if $x_0\in X_0^{\le T}$.

We emphasize that this paper is focused on solving Problems 1 and 2 as they are stated, i.e., on determining the existence of a control law and not on its calculation. The subsequent problem of determining the appropriate control law is naturally of future interest.

We now describe prior results enabling our work.

3. PRELIMINARIES

The main result of this section is a resilient reachability condition derived from Delfour and Mitter (1969), which will serve as foundation to build our theory.

Delfour and Mitter (1969) worked with the abstract system

$$x=s+S(u)+R(w),$$ (3)

where x ∈ X₃ is the state, u ∈ X₁ is the control and w ∈ X₂ is the disturbance. The system’s initial state is s ∈ X₃, while maps $S\in \mathcal{L}\left(X_1,X_3\right)$ and $R\in \mathcal{L}\left(X_2,X_3\right)$ represent respectively the effects of controlled and undesirable inputs. We consider, $X_1={\mathcal{L}}_2\left([0,T],{ℝ}^m\right)$, $X_2={\mathcal{L}}_2\left([0,T],{ℝ}^p\right)$, and $X_3={ℝ}^n$.

We first transform (1) into (3) by applying the process described in Section 7 of Delfour and Mitter (1969). We define the following continuous linear operators:

$$S(u)={\displaystyle {\int }_0^T{e}^{A(T-t)}}Bu(t)dt,R(w)={\displaystyle {\int }_0^T{e}^{A(T-t)}}Cw(t)dt.$$

By taking $s=e^{AT}{x}_0\in {ℝ}^n$, the solution of (1) is then

$$x(T)=s+S(u)+R(w).$$

For a Banach space X and its adjoint X*, the norm of x* ∈ X* is defined (Conway, 1990) by

$${\Vert x*\Vert }_{X^{*}}=\underset{\Vert x{\Vert }_X=1}{\sup }\left\{\left|x*(x)\right|\right\}=\underset{\Vert x{\Vert }_X\le 1}{\sup }\left\{\left|x*(x)\right|\right\}.$$ (4)

Proposition 1.

G is resiliently reachable from x₀ in time T if and only if

$$\underset{{\Vert x*\Vert }_{X_3^{*}}=1}{\sup }\left\{x*\left(s-x_{goal}\right)-{\Vert S*x*\Vert }_{X_1^{*}}+{\Vert R*x*\Vert }_{X_2^{*}}-\epsilon \right\}\le 0.$$

Proof.

Let us start from Corollary 5.8 of Delfour and Mitter (1969), which, while not using the same terminology, states that the goal G is resiliently reachable if and only if

$$\begin{gathered} \underset{{\Vert x*\Vert }_{X_3^{*}}=1}{\sup }\{x*(s)+\underset{u\in U}{\inf }\left(S*x*(u)\right) \\ +\underset{w\in W}{\sup }\left(R*x*(w)\right)-\underset{y\in G}{\sup }\left(x*(y)\right)\}\le 0. \end{gathered}$$ (5)

By the definition of U, for u ∈ U, −u ∈ U. Since S*x* is linear, $\underset{u\in U}{\inf }\left(S*x*(u)\right)=-\underset{u\in U}{\sup }\left(\left|S*x*(u)\right|\right)=-{\Vert S*x*\Vert }_{X_1^{*}}$.

And similarly, $\underset{w\in W}{\sup }\left(R*x*(w)\right)={\Vert R*x*\Vert }_{X_2^{*}}$.

For $y\in G={\mathbb{B}}_{{ℝ}^n}\left(x_{goal},\epsilon \right)$, we write y = x_goal + δy, since and x* is linear, x*(y) = x*(x_goal) + x*(δy). Then,

$$\underset{y\in G}{\sup }\left(x*(y)\right)=x*\left(x_{goal}\right)+\underset{\Vert \delta y\Vert \le \epsilon }{\sup }\left(x*(\delta y)\right)=x*\left(x_{goal}\right)+\epsilon ,$$

because $\underset{\Vert \delta y\Vert \le \epsilon }{\sup }\left(x*(\delta y)\right)=\epsilon \underset{\Vert z\Vert \le 1}{\sup }\left(x*(z)\right)=\epsilon \underset{=1}{\underbrace{{\Vert x*\Vert }_{X_3^{*}}}}=\epsilon$.

We can then simplify the terms in (5) to obtain the desired formula. ■

The reachability condition derived in Proposition 1 is highly abstract due to the dual terms and is impractical to use. The following two sections aim to develop more workable conditions.

4. INTEGRAL RESILIENT REACHABILITY CONDITION

We will now work on the simplification of Proposition 1 into a more explicit condition. First, note that x* is bounded as ${\Vert x*\Vert }_{X_3^{*}}=1$. We can thus use the Riesz representation theorem (Conway, 1990): there exists a unique $h\in {ℝ}^n$ such that

$$x*(\cdot )=\langle h,\cdot \rangle \text{and}\Vert h{\Vert }_{{ℝ}^n}={\Vert x*\Vert }_{X_3^{*}}=1.$$

Then, the supremum in Proposition 1 is over the unit sphere in ${ℝ}^n$, i.e. for $h\in \mathbb{U}=\left\{x\in {ℝ}^n:\Vert x\Vert =1\right\}$. With $s=e^{AT}{x}_0$, the first term in Proposition 1 becomes

$$x*\left(s-x_{goal}\right)={\langle h,e^{AT}{x}_0-x_{goal}\rangle }_{{ℝ}^n}.$$ (6)

We can now simplify the adjoint maps with the definition from Conway (1990). For any $u\in {\mathcal{L}}_2$ we have

$$\begin{gathered} S*x*(u)=\left(x*\circ S\right)(u)=x*(S(u))=\langle h,S(u)\rangle \\ =\langle h,{\displaystyle {\int }_0^T{e}^{A(T-\tau )}}Bu(\tau )d\tau \rangle . \end{gathered}$$ (7)

Putting (4) and (7) together, we obtain

$${\Vert S*x*\Vert }_{{\mathcal{L}}_2^{*}}=\underset{\Vert u{\Vert }_{{\mathcal{L}}_2}=1}{\sup }\left\{\left|\langle h,{\displaystyle {\int }_0^T{e}^{A(T-\tau )}}Bu(\tau )d\tau \rangle \right|\right\}.$$ (8)

We proceed similarly for ${\Vert R*x*\Vert }_{{\mathcal{L}}_2^{*}}$. We can then simplify Proposition 1.

Theorem 2.

G is resiliently reachable from x₀ in time T if and only if

$$\begin{gathered} \underset{h\in \mathbb{U}}{\max }\{\langle h,e^{AT}{x}_0-x_{goal}\rangle \\ -\underset{\Vert u{\Vert }_{{\mathcal{L}}_2}=1}{\sup }\left\{\left|\langle h,{\displaystyle {\int }_0^T{e}^{A(T-\tau )}}Bu(\tau )d\tau \rangle \right|\right\} \\ +\underset{\Vert w{\Vert }_{{\mathcal{L}}_2}=1}{\sup }\left\{\left|\langle h,{\displaystyle {\int }_0^T{e}^{A(T-\tau )}}Cw(\tau )d\tau \rangle \right|\right\}-\epsilon \}\le 0. \end{gathered}$$ (9)

Proof.

After using (6) and (8) for S* and R* in Proposition 1, the only work left is to prove that the supremum from Proposition 1 turns into ${\max }_{h\in \mathbb{U}}$, which follows from the discussion preceding (6), $\mathbb{U}$ being closed, and the function to maximize being continuous in h. ■

Because Theorem 2 directly uses matrices A, B and C instead of adjoint maps, it is more direct than the equation (5) we started from. Yet, computing the two supremums on ${\mathcal{L}}_2$ is a difficult task because of its infinite dimension. We now focus on driftless systems where the integrals in (9) can be simplified.

5. DRIFTLESS SYSTEMS

Driftless systems are widely studied in robotics; examples are described in Siciliano and Khatlib (2016). For these systems matrix A equals 0, so that (1) becomes

$$\dot{x}(t)=Bu(t)+Cw(t).$$ (10)

We can then distill Theorem 2 into a simpler form.

Theorem 3.

$G={\mathbb{B}}_{{ℝ}^n}\left(x_{goal},\epsilon \right)$ is resiliently reachable at T from x₀ iff

$$\underset{h\in \mathbb{U}}{\max }\left\{\langle h,x_0-x_{goal}\rangle -\sqrt{T}{\Vert B^{\top }h\Vert }_{{ℝ}^m}+\sqrt{T}{\Vert C^{\top }h\Vert }_{{ℝ}^p}\right\}\le \epsilon .$$

Proof.

When A = 0, the leftmost term in (9) clearly equals ⟨h, x₀ − x_goal⟩. We simplify the next term with the Cauchy-Schwarz inequality:

$$\left|{\langle h,B{\displaystyle {\int }_0^{T}u}(\tau )d\tau \rangle }_{{ℝ}^n}\right|\le {\Vert B^{\top }h\Vert }_{{ℝ}^m}{\Vert {\displaystyle {\int }_0^{T}u}(\tau )d\tau \Vert }_{{ℝ}^m}$$ (11)

The equality in (11) occurs when B^⊤h and ${\displaystyle {\int }_0^{T}u}(\tau )d\tau$ are positively collinear (Conway, 1990).

By decomposing u on the canonical basis of ${ℝ}^m$, we can bound the norm of the integral of u:

$$\begin{gathered} {\Vert {\displaystyle {\int }_0^{T}u}(\tau )d\tau \Vert }_{{ℝ}^m}=\sqrt{{\displaystyle \sum _{i=1}^m{\left({\displaystyle {\int }_0^{T}1}\times u_i(\tau )d\tau \right)}^2}} \\ \le \sqrt{{\displaystyle \sum _{i=1}^m\left(T\times {\displaystyle {\int }_0^T{u}_i^2}(\tau )d\tau \right)}}=\sqrt{T}\Vert u{\Vert }_{{\mathcal{L}}_2}. \end{gathered}$$ (12)

In (12), we use again the Cauchy-Schwarz inequality. The equality occurs when each u_i is almost everywhere (in the measure-theoretical sense) collinear with the function τ ⟼ 1, i.e., when u is almost everywhere constant. By combining (11) and (12), we proved that

$$\underset{\Vert u{\Vert }_{{\mathcal{L}}_2}=1}{\sup }\left\{\left|\langle h,{\displaystyle {\int }_0^{T}B}u(\tau )d\tau \rangle \right|\right\}\le {\Vert B^{\top }h\Vert }_{{ℝ}^m}\sqrt{T}.$$ (13)

If we can find a function u_h of unit norm in ${\mathcal{L}}_2$ for which the inequality in (13) is an equality, then the supremum in (13) would be a maximum. The function u_h must realize both equality cases of the Cauchy-Schwarz inequality used previously. Hence, for $h\in \mathbb{U}$ we define the following constant function: $u_h(t):=B^{\top }h/\left(\sqrt{T}{\Vert B^{\top }h\Vert }_{{ℝ}^m}\right)$. We note that ${\Vert u_h(t)\Vert }_{{ℝ}^m}=1/\sqrt{T}$ for all t. Thus,

$${\Vert u_h\Vert }_{{\mathcal{L}}_2}=\sqrt{{\displaystyle {\int }_0^T{\Vert u_h(t)\Vert }_{{ℝ}^m}^2}dt}=\sqrt{{\displaystyle {\int }_0^T\frac{1}{T}}dt}=1.$$ (14)

Moreover, as u_h is positively collinear with B^⊤h and is constant over time, it satisfies both of the Cauchy-Schwarz equality cases in (11) and (12), which leads to

$$\left|\langle h,{\displaystyle {\int }_0^{T}B}{u}_h(\tau )d\tau \rangle \right|={\Vert B^{\top }h\Vert }_{{ℝ}^m}\sqrt{T}{\Vert u_h\Vert }_{{\mathcal{L}}_2}.$$ (15)

From (13), (14) and (15), we clearly obtain

$$\underset{\Vert u{\Vert }_{{\mathcal{L}}_2}=1}{\max }\left\{\left|\langle h,{\displaystyle {\int }_0^{T}B}u(\tau )d\tau \rangle \right|\right\}=\sqrt{T}{\Vert B^{\top }h\Vert }_{{ℝ}^m}.$$

The same process can be applied to the final term in (9), yielding the theorem claim. ■

To simplify the notation of Theorem 3, let us first write d = x₀ − x_goal and define the functions:

$$J(h,t):=\langle h,d\rangle +\sqrt{t}\left(\Vert C^{\top }h\Vert -\Vert B^{\top }h\Vert \right)$$ (16)

and $f(t):=\underset{h\in \mathbb{U}}{\max }\{J(h,t)\}$. Thus, the condition of Theorem 3 is equivalent to f(T) ≤ ε.

The scalar product ⟨h, d⟩ gives the intuition that h represents a travel direction. Call h* the argument of the maximum. Then, h* is positively collinear with d, so it is driving the system away from x_goal. On the other hand, the terms B^⊤h and C^⊤h represent how the inputs drive the system when they are along the direction h. Hence, on an intuitive level, h* is the direction giving the most strength to the undesirable inputs over the controlled inputs. Since $\mathbb{U}$ is the unit sphere in ${ℝ}^n$, ${\max }_{h\in \mathbb{U}}$ explores every direction. Therefore, h* represents the “worst direction” for resilient reachability.

We can strengthen our faith in Theorem 3 by looking at a few special cases. Assuming x₀ = x_goal, G becomes reachable at time T = 0 since, for all $h\in \mathbb{U}$, ⟨h, d⟩ = 0. Another simple case is when B = C = 0, so ˙x = 0, i.e. x(t) = x₀ for all t, and the reachability condition becomes as expected ∥d∥ ≤ ε, which is equivalent to x₀ ∈ G.

Theorem 3 gives a condition on resilient reachability at time T. We now have all the tools to study how the resilient reachability of G evolves with time.

6. EVOLUTION OF REACHABILITY WITH TIME

Note first that for t > 0, J(·, t) is not a concave function, and thus its maximization over $\mathbb{U}$ may not be an easy task. Indeed, both functions h ↦ ∥C^⊤h∥ and h ↦ ∥B^⊤h∥ are convex, so J(·, t) is the difference between two convex functions. This type of maximization is referred to as a difference of convex (DC) problem, and analytical solutions are only available for a few special cases. Numerous algorithms have been developed by, e.g. Tuy (1987) and Tao and An (1997). In particular, the simple algorithm devised by Yuille and Rangarajan (2003) to minimize a function composed of a concave and a convex part has been of great interest and is called the concave-convex procedure. While these numerical results, combined with Theorem 3, enable us to determine whether set G is resiliently reachable at every given time, they do not enable us to directly gain insight regarding reachability by a certain time like an analytical solution would.

In order to discuss reachability by a certain time, we apply Theorem 3 to note that G is resiliently reachable from x₀ by time T if and only if

$$\underset{t\in [0,T]}{\min }\left\{\underset{h\in \mathbb{U}}{\max }\{J(h,t)\}\right\}\le \epsilon .$$

Hence the reachability by time T can be described as a minimax problem with a DC cost function. We will omit the discussion of possible numerical solutions to such a problem and instead focus on analytical results.

Let us define the function g(h) := ∥C^⊤h∥ − ∥B^⊤h∥, so that $J(h,t)=h^{\top }d+g(h)\sqrt{t}$. For a given goal and initial state, ∥h^⊤d∥ is bounded. So, as time grows, $\sqrt{t}$ becomes the leading term in J, with its sign determined by g(h). We therefore study the sign of max {g(h)}. We will show the following:

• if $\underset{h\in \mathbb{U}}{\max }\{g(h)\}>0$, G is only resiliently reachable up to a certain time,

• if $\underset{h\in \mathbb{U}}{\max }\left\{g(h)\right\}=0$, the resilient reachability of G depends on the distance d,

• if $\underset{h\in \mathbb{U}}{\max }\left\{g(h)\right\}<0$, G is resiliently reachable from some time onwards.

We prove these claims in the following three subsections.

6.1. Maximum of g is positive

If max {g(h)} > 0, then ∥C^⊤h∥ > ∥B^⊤h∥ for some h. In other words, in line with our intuition, there is an input direction where the matrix C produces a stronger undesirable input than what the control matrix B is capable of counteracting. Since we want to guarantee reaching the goal for any undesirable input, the target is not resiliently reachable. We formalize this intuition as follows.

Theorem 4.

Let $x_0\in {ℝ}^n$. If $\underset{h\in \mathbb{U}}{\max }\left\{g(h)\right\}>0$, then there exists t_lim > 0 such that for all t ≥ t_lim, $x_0\notin X_0^T$.

Proof.

We use the notation as given above. Because $\underset{h\in \mathbb{U}}{\max }\{g(h)\}>0$, there is a $h_{+}\in \mathbb{U}$ such that g(h₊) > 0. $f(t)\ge \langle h_{+},d\rangle +g\left(h_{+}\right)\sqrt{t}\underset{t\to \infty }{\to }+\infty$. So, $\underset{t\to \infty }{\lim }f(t)=+\infty$. Then, there exists t_lim > 0 such that for t ≥ T, f(t) > ε. In that case, Theorem 3 states that G is not reachable at time t from x₀, i.e. $x_0\notin X_0^T$. ■

Theorem 4 states that, for a fixed initial state x₀ and a goal G, there exists a time T after which the target set is not resiliently reachable anymore. Thus, all resilient reachability can only happen in finite time.

6.2. Maximum of g equals zero

When max {g(h)} = 0, there is at least one $h\in \mathbb{U}$ such that g(h) = 0. Intuitively, in this direction h the strength of the undesirable inputs matches the strength of the controlled ones. In directions where g is negative, the controlled inputs have a greater magnitude than the undesirable inputs. Thus, the resilient reachability of G depends on its location.

Let us define $H_0=\{h\in \mathbb{U}:g(h)=0\}$. The set H₀ is closed, bounded, and nonempty by the assumption of max{g(h)} = 0. So with d = x₀ − x_goal, we can define $h_0=\arg \underset{h\in H_0}{\max }\left\{h^{\top }d\right\}$. We note that vector h₀ need not be uniquely defined. The theorem below holds for every h₀.

Theorem 5.

Assume $\underset{h\in \mathbb{U}}{\max }\{g(h)\}=0$. If ε ≥ ∥d∥, then $x_0\in X_0^T$ for all t ≥ 0, and if $\epsilon <h_0^{\top }d$, then $x_0\notin X_0^T$ for all t ≥ 0.

Proof.

We note that $\underset{h\in \mathbb{U}}{\max }\left\{h^{\top }d\right\}=f(0)=\Vert d\Vert$. Thus,

$$f(t)\le \underset{h\in \mathbb{U}}{\max }\left\{h^{\top }d\right\}+\underset{h\in \mathbb{U}}{\max }\{g(h)\sqrt{t}\}=\Vert d\Vert +0=\Vert d\Vert ,$$

so $\underset{t\ge 0}{\max }\{f(t)\}=\Vert d\Vert$.

Additionally, $h_0\in \mathbb{U}$, so $f(t)\ge h_0^{\top }d+g\left(h_0\right)\sqrt{t}=h_0^{\top }d$. Thus, $h_0^{\top }d\le f(t)\le \Vert d\Vert$ for all t ≥ 0.

If ε ≥ ∥d∥, then for t ≥ 0, f(t) ≤ ε, i.e., by Theorem 3, $x_0\in X_0^T$. On the other hand, if $\epsilon <h_0^{\top }d$, then for t ≥ 0, f(t) > ε, so by Theorem 3, $x_0\notin X_0^T$.

So, if ε ≥ ∥d∥, G is resiliently reachable from the start and remains always resiliently reachable, while if $\epsilon <h_0^{\top }d$, G is never resiliently reachable. There is obviously an intermediate case for $\epsilon \in \left[h_0^{\top }d,\Vert d\Vert \right]$ where the resilient reachability of G depends on time.

6.3. Maximum of g is negative

We can now tackle the third case, where max {g(h)} < 0 In this situation, our intuition indicates that controlled inputs are stronger than the undesirable inputs in every direction, so the reachable set grows unbounded with time. The theorem below confirms this intuition.

Theorem 6.

If $\underset{h\in \mathbb{U}}{\max }\{g(h)\}<0$, then there exists t_lim ≥ 0 such that $x_0\in X_0^T$ for all t ≥ t_lim.

Proof.

Let $\underset{h\in \mathbb{U}}{\max }\{g(h)\}=-\gamma <0$. Then f can be bounded by above:

$$\begin{gathered} f(t)=\underset{h\in \mathbb{U}}{\max }\left\{h^{\top }d+g(h)\sqrt{t}\right\} \\ \le \underset{h\in \mathbb{U}}{\max }\left\{h^{\top }d\right\}+\underset{h\in \mathbb{U}}{\max }\{g(h)\}\sqrt{t}=\Vert d\Vert -\gamma \sqrt{t}. \end{gathered}$$

We compare this upper bound with ε to obtain a reachability condition

$$\Vert d\Vert -\gamma \sqrt{t}\le \epsilon \iff t_{lim}:={\left(\frac{\Vert d\Vert -\epsilon }{\gamma }\right)}^2\le t.$$

such that, for all t ≥ t_lim, f(t) ≤ ε, which is equivalent to $x_0\in X_0^T$ according to Theorem 3. ■

The t_lim defined in the proof of Theorem 6 might not be the minimal time for resilient reachability. Nonetheless, Theorem 6 proves that, after some time, any target set becomes resiliently reachable.

Theorems 4, 5 and 6 show that the sign of the maximum of g leads to interesting conclusions. It is thus natural to attempt to analytically determine an upper bound for g.

6.4. Bounding g

Let ${\sigma }_{max}^{C^{\top }}$ be the maximal singular value of C^⊤, and ${\sigma }_{min}^{B^{\top }}$ be the minimal singular value of B^⊤. We claim that the relationship between these two values impacts the maximal value of g.

Theorem 7.

If ${\sigma }_{max}^{C^{\top }}<{\sigma }_{min}^{B^{\top }}$, then $\underset{h\in \mathbb{U}}{\max }\{g(h)\}<0$.

Proof.

Let us define M = CC^⊤. The matrix M is symmetric, so we can use the following classical inequality (Horn and Johnson, 2012):

$${\lambda }_{min}^M\Vert x{\Vert }^2\le x^{\top }Mx\le {\lambda }_{max}^M\Vert x{\Vert }^2,\forall x\in {ℝ}^n,$$

with ${\lambda }_{min}^M$ and ${\lambda }_{max}^M$ respectively, the minimum and maximum eigenvalues of M. Since M is trivially positive semi-definite, ${\lambda }_{min}^M\ge 0$. Note that $\Vert C^{\top }h\Vert =\sqrt{h^{\top }C{C}^{\top }h}=\sqrt{h^{\top }Mh}$. Thus we obtain

$$\sqrt{{\lambda }_{min}^M}\le \Vert C^{\top }h\Vert \le \sqrt{{\lambda }_{max}^M}={\sigma }_{max}^{C^{\top }},\forall h\in \mathbb{U}.$$

By doing the same for B^⊤, g can be bounded as follows:

$$\sqrt{{\lambda }_{min}^{C^{\top }}}-\sqrt{{\lambda }_{max}^{B^{\top }}}\le g(h)\le {\sigma }_{max}^{C^{\top }}-{\sigma }_{min}^{B^{\top }},\forall h\in \mathbb{U}$$

So if ${\sigma }_{max}^{C^{\top }}<{\sigma }_{min}^{B^{\top }}$, then $\underset{h\in \mathbb{U}}{\max }\{g(h)\}<0$.

Theorems 6 and 7 trivially imply the following corollary.

Corollary 8.

If all singular values of C^⊤ are strictly smaller than those of B^⊤, then the target set is resiliently reachable in finite time.

The intuition behind Corollary 8 is that the singular values of B^⊤ and C^⊤ respectively quantify the strength of the controlled and undesirable inputs. We now proceed to computationally confirm the above theoretical results.

7. NUMERICAL EXAMPLE

We consider an underwater robot propelled by three engines, as shown in Fig. 7. The main engine u₁ has a small bias in the y direction.

Our example is motivated by the work of Vela et al. (2002) and Yu et al. (2016), which have also considered driftless dynamics. The assumption of driftlessness can intuitively be justified by the viscosity of the water combined with a small speed of the robot.

During its mission the controller loses authority over the third actuator. The terms in (10) can thus be written as follows:

$$u=\left[\begin{array}{l}{u}_1\hfill \\ u_2\hfill \end{array}\right],w=u_3,B=\left[\begin{array}{cc}10& 1\\ 0.2& -1\end{array}\right],C=\left[\begin{array}{l}1\hfill \\ 1\hfill \end{array}\right].$$

Intuitively, the robot should still be able to reach any goal set, since the second actuator u₂ can counteract the undesirable inputs of u₃, and the small bias of u₁ on y provides a net motion on y, while the desired displacement along x is also realized by the main engine. Theorem 7 provides only a sufficient condition for reachability, so even if its conditions are not met $({\sigma }_{max}^{C^{\top }}\approx 1,4>{\sigma }_{min}^{B^{\top }}\approx 1,0)$ it does not mean that the target is not resiliently reachable. Actually, we can compute $\underset{h\in \mathbb{U}}{\max }\{g(h)\}=-0.02$, and use Theorem 6 to show that any target ball is eventually resiliently reachable, as suggested by our intuition.

In the situation where the controller loses authority over both the second and third actuators, our intuition suggests that a controlled motion along x is still possible, but the displacements along y cannot be controlled. Therefore, we cannot guarantee to reach any target position. We numerically compute g and obtain $\underset{h\in \mathbb{U}}{\max }\{g(h)\}=1.4>0$. The conclusion of Theorem 4 validates our intuition.

If the controller only loses authority over the first actuator, then $\underset{h\in \mathbb{U}}{\max }\{g(h)\}=8.6>0$. Of course none of the side engines can make up for the loss of the main one, as predicted by Theorem 4.

Another interesting case to note is when u₁ thrusts only along x without bias on y, i.e.,

$$\dot{X}=\left[\begin{array}{l}\dot{x}\hfill \\ \dot{y}\hfill \end{array}\right]=\left[\begin{array}{ccc}10& 1& 1\\ 0& -1& 1\end{array}\right]\left[\begin{array}{l}{u}_1\hfill \\ u_2\hfill \\ u_3\hfill \end{array}\right].$$

Then, a loss of control authority over one of the side engines results in $\underset{h\in \mathbb{U}}{\max }\{g(h)\}=0.02>0$. Indeed, we cannot guarantee to reach a goal that is not on the x axis, because no net motion on y is guaranteed, since both side engines can cancel each other out.

8. CONCLUSION

This paper described the problem of resilient reachability: deciding whether a system can always be driven to a desired goal, given that some of its actuators act in an undesirable manner and without prior knowledge of these undesirable inputs. To solve this problem, we derived a resilient reachability condition for linear systems and a more specific condition for driftless systems. We investigated the evolution of resilient reachability with time and rewrote the problem as a minimax optimization with a concave-convex objective function. We then derived results that do not require directly solving the optimization problem, at the price of providing sufficient or necessary conditions.

This manuscript, however, presents only the first step in our long-term goal of resilient system synthesis, i.e., design of actuator functionality (in the context of this paper represented by system matrices) for which the system retains resilient reachability to loss of one or more actuators. Furthermore, since resilient reachability relates to the existence of a control law, our future work will naturally tackles the construction of such a control law.

Fig. 1.

A model of an underwater robot with three engines.