
62 IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 57, NO. 1, JANUARY 2012

Safety Control of Hidden Mode Hybrid Systems

Rajeev Verma, Member, IEEE, and Domitilla Del Vecchio, Member, IEEE

Abstract—In this paper, we consider the safety control problem for hidden mode hybrid systems (HMHSs), which are a special class of hybrid automata in which the mode is not available for control. For these systems, safety control is a problem with imperfect state information. We tackle this problem by introducing the notion of nondeterministic discrete information state and by translating the problem to one with perfect state information. The perfect state information control problem is obtained by constructing a new hybrid automaton, whose discrete state is an estimate of the HMHS mode and is, as such, available for control. This problem is solved by computing the capture set and the least restrictive control map for the new hybrid automaton. Sufficient conditions for the termination of the algorithm that computes the capture set are provided. Finally, we show that the solved perfect state information control problem is equivalent to the original problem with imperfect state information under suitable assumptions. We illustrate the application of the proposed technique to a collision avoidance problem between an autonomous vehicle and a human driven vehicle at a traffic intersection.

Index Terms—Dynamic feedback, mode estimation, multi-agent systems.

I. INTRODUCTION

Hidden mode hybrid systems (HMHSs) are a special class of hybrid automata [29], [39], in which the mode is unknown and mode transitions are driven only by disturbance events. There are a large number of applications that can be well described by hybrid automata models, in which it is not realistic to assume knowledge of the mode. This is the case, for example, of intent-based conflict detection and avoidance for aircraft, in which the intent of aircraft in the environment is unknown and needs to be estimated (see [45] and the references therein). In robotic games such as RoboFlag [11], [16], the intents of non-team members are unknown and need to be identified to allow decisions toward keeping the home zone safe. Next generation warning and active safety systems for vehicle collision avoidance will have to guarantee safety in the presence of human drivers and pedestrians, whose intentions are unknown [1]. More generally, in a variety of multi-agent systems, for example assistive robotics, computer games, and robot–human interaction, the intentions of an observed agent are unknown and need to be identified for control [21].

Manuscript received December 23, 2009; revised October 08, 2010, February 13, 2011, and February 14, 2011; accepted April 19, 2011. Date of publication May 05, 2011; date of current version December 29, 2011. This work was supported by NSF CAREER Award Number CNS-0642719. Recommended by Associate Editor M. Prandini.

R. Verma is with the Department of Electrical Engineering and Computer Science, University of Michigan, Ann Arbor, MI, 48109 USA (e-mail: [email protected]).

D. Del Vecchio is with the Department of Mechanical Engineering, Massachusetts Institute of Technology, Cambridge, MA 02139 USA (e-mail: [email protected]).

Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org.

Digital Object Identifier 10.1109/TAC.2011.2150370

There has been a wealth of research on safety control for hybrid systems in which the state is known [5], [25], [26], [37], [39], [48]–[50]. In [39] and [48]–[50], the safety control problem is elegantly formulated in the context of optimal control and leads to the Hamilton–Jacobi–Bellman (HJB) equation. This equation implicitly determines the maximal controlled invariant set and the least restrictive feedback control map. Due to the complexity of exactly solving the HJB equation, researchers have been investigating approximate algorithms for computing inner-approximations of the maximal controlled invariant set [30], [31], [44], [50]. Termination of the algorithm that computes the maximal controlled invariant set is often an issue, and work has been investigating special classes of systems that allow one to prove termination [46]–[48]. The safety control problem for hybrid systems has also been investigated within a viability theory approach by a number of researchers [5], [26].

The safety control problem for hybrid systems when the mode is not available for feedback has been rarely addressed in the literature. The safety control problem in the case when the set of observations is a partition of the state space was discussed by [43]. The proposed algorithm can deal with a system with a finite number of states. It excludes important classes of systems such as timed and hybrid automata. A number of recent works have addressed the safety control problem for special classes of hybrid systems with imperfect state information [13], [15], [17], [28], [54]. In [54], a controller that relies on a state estimator is proposed for finite state systems. The results are then extended to control a class of rectangular hybrid automata with imperfect state information, which can be abstracted by a finite state system. In [15], [17], and [28], linear complexity state estimation and control algorithms are proposed for special classes of hybrid systems with order preserving dynamics. In particular, discrete time models are considered in [13] and [15] while continuous time models are considered in [17], [28]. In these works, the mode is assumed to be known and only continuous state uncertainty is considered.

Here, we consider the safety control problem for HMHSs, in which the mode is unknown and its transitions are driven only by uncontrollable and unobservable events. For this class of systems, designing a controller to guarantee safety is a control problem with imperfect state information. In the theory of games, control problems with imperfect state information have been elegantly addressed by translating them to problems with perfect state information [36], [38]. This transformation is obtained by introducing the notion of derived information state (non-deterministic or probabilistic), which, in the case of the non-deterministic information state, keeps track of the set of all possible current states compatible with the system history up to the current time. In the case in which a recursive update law can be constructed for the derived information state, the control problem can be described completely in terms of this new state. Since the derived information state is known, the problem becomes one with perfect state information.

0018-9286/$26.00 © 2011 IEEE

In this paper, we introduce the notion of nondeterministic discrete information state for a HMHS and formulate the safety control problem in terms of this derived information state. We translate this problem to one with perfect state information by introducing a new hybrid system called an estimator, which updates a discrete state estimate in the form of a set of possible discrete states. In this paper, we only require that the discrete state estimate is correct, that is, that it contains the current mode of the original HMHS at any time, while we are not concerned with tightness or convergence guarantees [18]. This ensures that an estimator always exists and allows us to separate the estimation problem from the control problem. Since the estimator state is measured, the original control problem becomes one with perfect state information.

We solve the new perfect state information control problem by providing an algorithm to determine the capture set (the complement of the maximal controlled invariant set) and the least restrictive control map. Then, we provide sufficient conditions for the termination of the algorithm that determines the capture set. We further illustrate how to construct an abstraction of the estimator for which the algorithm that determines the capture set always terminates and has as fixed point the capture set of the estimator. Finally, we tackle the question of how the perfect state information problem that we have solved is related to the original problem with imperfect state information. Under a structural assumption and a mode distinguishability assumption on the original HMHS, we show that the two problems are equivalent, that is, their solution gives the same capture sets and control maps.

The problem considered in this paper has much in common with two-person repeated games of incomplete information, in which one player is informed about the environment state while the other is not [6], [27]. In these types of games, the informed player must take into account how his/her actions may reveal information that will affect future payoffs. The control of a HMHS can be viewed as a game between the controller (uninformed agent) and the disturbance (informed agent), in which the actions of the latter can reveal information on the current mode of the hybrid automaton. The equivalence result of this paper implies that the best strategy for the disturbance is simply to keep the maximal uncertainty possible on the mode. In doing so, it will in fact not reveal useful information to the controller regarding its range of action.

This paper is organized as follows. In Section II, we recall basic definitions and concepts. In Section III, we introduce the HMHS model and its information structure. In Section IV, we introduce the control problem with imperfect state information (Problem 1) and its translation to a problem with perfect state information (Problem 2). We then provide the solution to Problem 2 in Section V. We consider the problem of termination in Section VI. In Section VII, we show the equivalence of Problem 1 and Problem 2. In Section VIII, we illustrate the application of the proposed control algorithms to a collision avoidance problem at a traffic intersection.

II. BASIC NOTIONS AND DEFINITIONS

In this section, we introduce some basic notions and definitions. We employ basic notions from partial order theory [12]. A partial order is a set with a partial order relation “ ” and it is denoted by . If any two elements in have a unique supremum and a unique infimum in , then is a lattice. If is a lattice, we denote for any subset its supremum by . For a set , we denote by the power set, that is, the set of all subsets of . In this paper, we consider the lattice given by with order established by set inclusion. This lattice is denoted by . For any subset , the supremum is given by the union of all sets in . Another partial order that is considered in this paper is given by with order established component-wise, that is, for and , we say that provided for all . We denote this partial order by . Let be a lattice; an interval in is denoted by . For any vector , we denote by its th component. Let denote the set of non-negative real numbers and let denote a signal with values in . Denote the set of all such signals by . We define a partial order on this space of signals as follows. For any two signals , we say that provided for all . Let and be two partial orders and consider the map . This map is said to be an order preserving map if for all such that , we have that . It is said to be a strongly order preserving map if for all such that , we have that . For any map and any subset , we define .

Notions from viability theory as found in [4] are here recalled. Let be a normed space and let be nonempty. The contingent cone to at is the set given by , in which denotes the distance of from set , that is, . When is an open set, the contingent cone to at any point in is always equal to the whole space. A set valued map is said to be Marchaud provided 1) the graph and the domain of are nonempty and closed; 2) for all , is compact, convex and nonempty; and 3) has linear growth, that is, there exist such that for all we have . A set valued map is said to be Lipschitz continuous on if there is such that for all we have that , in which is a ball in of radius 1 centered at 0.

III. HIDDEN MODE HYBRID SYSTEMS

A hybrid system model with hidden modes is a hybrid automaton [39] in which the current mode of the system is unknown and mode transitions are driven by disturbance events only. This model is formally introduced by the following definitions.

Definition 1: A hybrid system with uncontrolled mode transitions is a tuple , in which is a finite set of modes; is a vector space; is a set of control inputs; is a bounded set of disturbance inputs; is a finite set of disturbance events, which includes a silent event denoted ; is the discrete state update map; is the vector field, which is piecewise continuous on .

The vector field is allowed to be piece-wise continuous in order to model switches in the dynamics determined by submanifolds in the space of states and inputs. We denote by the hybrid state of the system. Similarly, we denote by the continuous inputs to the system and by the disturbance event. We define for all . Let for with be the sequence of times at which and for . Let in which with , and the “)]” parenthesis is closed (“]”) if is finite and open (“)”) if it is not finite. Then, we define the discrete and continuous trajectories of , that is, and for as follows.

Definition 2: Given initial conditions , the discrete trajectory for is such that and for if with ; the continuous trajectory for is such that for with and with .

Since we can have that , multiple discrete transitions can occur at one time. The value of immediately before and immediately after a set of transitions occurring at the same time is unchanged. The vector field immediately after a set of transitions occurring at the same time is evaluated on the value that takes after the last transition occurred at time . It is therefore useful to define also the discrete and continuous flows of as follows. Let , , and be the disturbance event, the continuous control, and the continuous disturbance signals.

Definition 3: For initial condition , the discrete flow is defined as for all ; the continuous flow is defined as in which , for all .

Therefore, is a piece-wise constant signal that at time takes the value of at the last transition that occurred before or at time . When for all , we denote the corresponding continuous flow by .

Definition 4: A Hidden Mode Hybrid System (HMHS) is a hybrid system with uncontrolled mode transitions in which is not measured and is only known to belong to a set .

Therefore, in a HMHS only is measured and its evolution is driven by hidden mode transitions. In the remainder of this paper, denotes a HMHS.

Definition 5: Let . The set of modes reachable from under the trajectories of is denoted and is defined as .

Remark 1: The hybrid automaton model considered in this paper is a special case of more general models [29], [39]. Specifically, we assume that there is no continuous state reset, that mode transitions cannot be controlled, and that no mode in has a nonzero minimum dwell time (as it would be enforced by suitable interaction between guards and invariants). As a consequence, any mode in can instantaneously transit to any element in its reachable set . Even though this structure limits the generality of the model, it still well captures application scenarios of interest, as described in Section IV-B.

A. Non-Deterministic Discrete Information State

For a signal , we define its truncation up to time as and its truncation up to time as . At time , the measured signals of are given by and , in which . Furthermore, the knowledge of the function implies that also the function is known.

Definition 6: The history of system at time for is defined as , in which for is the initial mode information.

The available information on the system mode at time must be derived from the history signal , in which contains information on the initial state of the system. We define the set of all possible current modes of the system compatible with the history. This set is called the nondeterministic discrete information state and is formally defined as follows, in analogy to what is performed in the theory of games with imperfect information [38].

Definition 7: The nondeterministic discrete information state at time for system is the set defined as

and

for

Hence, a mode is possible at time provided 1) there is a discrete state trajectory starting from a mode in that reaches at time and 2) such a discrete state trajectory is consistent with the continuous state trajectory up to time . It follows that for all and that .

IV. PROBLEM FORMULATION

In this section, we first employ the notion of nondeterministic discrete information state to formulate the safety control problem with imperfect state information. Then, we translate this problem to one with perfect state information by introducing a mode estimator.

A. Safety Control Problem With Imperfect Mode Information

Let represent a set of unsafe continuous states. We consider the problem of determining the set of all initial informations for which a dynamic feedback map does not exist that maintains the trajectory outside for all time. For this purpose, we first define the closed loop system under a feedback map .

Definition 8: Consider a feedback map . The closed loop system is defined as system , in which for all . The continuous flow of is denoted .

The set of all initial informations for which there is no feedback map that maintains the trajectory outside for all , , and is called the capture set and is formally defined as follows.


Definition 9: For , the capture set for system is defined as .

The following alternative expression of the capture set (obtained directly from the definition) is used in this paper.

Proposition 1: For all , let the mode-dependent capture set be defined as . Then, .

Proposition 2: For all , we have that .

Proof: We first show that . Let . Then, there is a feedback map such that for all and we have that for all , , and with such that . In particular, such is such that for all and , for all , , and with such that . This, in turn, implies that from the definition of and the fact that implies .

We then show that . Let . Then, there is in which such that for all , , we have that for all . For all , there is and such that . Therefore, for any piece-wise continuous signal with , we can find and such that for all . This implies that the feedback map is such that for all , , and . Hence, .

Problem 1: (Safety Control with Imperfect State Information) Determine the capture set and the set of feedback maps such that if , then for all , , , and .

B. Motivating Example

In this section, we present an example in the context of cooperative active safety at traffic intersections [1], wherein a controlled vehicle has to prevent a collision with a non-controlled/non-communicating, possibly human-driven, vehicle (Fig. 1). A possible approach to tackle this problem is to treat the non-communicating vehicle as a “disturbance” and employ available safety control techniques for hybrid systems with measured state. This approach, however, leads to conservative controllers, which are not acceptable as they result in warnings/control actions that the driver perceives as unnecessary. Therefore, in this application it is crucial to exploit all the available sensory information to reduce as much as possible the uncertainty on the non-communicating vehicle. For the controller on board the autonomous vehicle, the human-driven vehicle is a hybrid automaton with unknown state. A related but different application is the one in which a single vehicle can receive inputs from both a human driver and an on-board controller as considered, for example, by [40] in the context of a red-light violation problem. As opposed to our application, the resulting hybrid automaton to control in [40] has known state.

Fig. 1. (Top) Two-vehicle conflict scenario. Vehicle 1 is equipped with a cooperative active safety system and communicates with the infrastructure wirelessly. Vehicle 2 does not communicate with the infrastructure. A collision occurs when both vehicles occupy the conflict area. We refer to vehicle 1 as the “autonomous vehicle” and to vehicle 2 as the “human driven vehicle”. (Bottom) Hybrid automaton model , in which and are given by equations (1), (2).

Since both vehicles are constrained to move along their lanes (see Fig. 1), only the longitudinal dynamics of the vehicles along their respective paths are relevant. The longitudinal dynamics of vehicle 1 along its path are modeled by the equation , in which , are the longitudinal displacement and speed along the path, respectively, represents throttle/braking, represents the static friction term, and with models air drag (see [52] for more details). The control input ranges in the interval for given maximum braking action and maximum throttle action . For vehicle 2, we assume a model given by , in which for some and represents the unknown driving mode that can be acceleration mode, denoted , coasting mode, denoted , and braking mode, denoted . For each mode, has a different value representing the nominal acceleration corresponding to that mode. For more details on modeling human (controlled) activities through nondeterministic hybrid systems, the reader is referred to [19], [20]. Vehicle 1 receives information about the position and speed of vehicle 2 from the infrastructure, which monitors speed and position of vehicles through roadside sensors. We assume that there are a lower bound and an upper bound on the achievable speed of the vehicles due, for example, to physical limitations (i.e., vehicles cannot go in reverse and have a finite maximum achievable speed).

The resulting HMHS modeling the system is such that , , , and . Denote with . Let . The vector field is piece-wise continuous and given by , with

ifif andor and

(1)

ifif andor and .

(2)

We assume that the human driven vehicle can transit from acceleration, to coasting, to braking [35]. This scenario can be modeled by and such that and . Here, we assume that , , and , with for . This system is a HMHS, in which and it is pictorially represented in the right-side plot of Fig. 1. Finally, the unsafe set is given by corresponding to both vehicles constrained to their paths being in the conflict area of Fig. 1.

C. Translation to a Perfect State Information Control Problem

In order to solve Problem 1, it is necessary to compute the set . Computing this set from its definition is impractical as one would need to keep track of a growing history. Hence, it is customary to determine it recursively through a suitable update law [38]. A wealth of research on observer design and state estimation for hybrid systems has been concerned with determining such an update law and in particular with its properties for special classes of hybrid systems [7]–[9], [14], [16], [18], [23], [53]. Specifically, key properties, when considering discrete state estimation, are correctness, tightness, and convergence [14], [18]. Correctness requires that the estimated set of modes contains the true mode at any time; tightness requires that the estimated set of modes contains only modes compatible with the system history and dynamics; convergence requires that the estimated set converges to a singleton. In this paper, we only require that the discrete state estimator has the correctness property. We are not concerned with tightness nor with convergence guarantees, which usually require observability assumptions. Hence, a discrete state estimator always exists as, for example, for all is also an estimator. This allows us to separate the design of the estimator from that of the control map.

More formally, let be a hybrid system with uncontrolled mode transitions with state , in which , and disturbance events . Let for with be the sequence of times at which and for . Denote in which , and . For all , we define . Let the initial state be . The trajectories of are defined as in Definition 2, in which the continuous state obeys the differential inclusion

for

in which and . As performed for system , we can define the flow of system . Specifically, the discrete flow of is denoted and any continuous flow of is denoted by for all . When , it is useful to extend the definition of this flow to when is any element in , that is, with such that for all and . Note that, however, this may not be realizable in if . Also, for all , we denote the set of reachable modes from and it is defined as . Then, we have the following definition of an estimator for .

Definition 10: The hybrid system with uncontrolled mode transitions with initial state is called an estimator for provided:

1) for all input/output signals of and all initial mode informations , there is an event signal in such that for all ;
2) for all and , we have that ;
3) for all , we have that .

The dynamics of model for a suitable event signal the set of all possible dynamics of in system compatible with the current mode estimate . Note that in we can have that with the mode taking any value in . Since by 1) of the above definition can be any element of , we must have that for all there is such that to ensure that . According to the above definition, an estimator always exists as one can choose, for example, , , such that , , and . This implies that , that , and that for all . Hence, always contains for all as for all . An example of how to construct a less trivial estimator is provided in the following paragraph.

Example 1: Consider the HMHS , in which , , , for , , and , in which is a parameter whose value depends on the mode . This system can model, for example, the non-communicating vehicle of the application example of Section IV-B, in which “ ” is acceleration mode and “ ” is braking mode. Let the initial information be , in which . We let , in which , , and . The signal determines how to transit among these modes on the basis of so as to guarantee that . Since does not allow transitions between and , the only transitions allowed by are from to and from to by property 2) of Definition 10. Then, let , in which is such that and is such that . Let and define as if , if , and otherwise.
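The update rule behind Definition 7 and the estimator of Example 1 can be run on a finite discrete-time abstraction. The following Python is an added example written for this page, not code from the paper or its authors: it models the three driving modes of Section IV-B (acceleration, coasting, braking) with the paper's transition structure acceleration → coasting → braking, assumes constructed nominal accelerations and a bounded disturbance, and keeps the set of modes compatible with each measured speed increment. The numeric values, the mode labels and every function name are assumptions made here; the trivial all-modes estimator is included only because Section IV-C mentions it as the always-available correct estimator.

```python
# Added example (not the paper's code). Finite discrete-time abstraction of the
# non-communicating vehicle of Section IV-B: hidden mode q in {a, c, b}, measured
# speed increment per step dv = alpha_q + d with |d| <= DIST_BOUND. Values assumed.
MODES = ("a", "c", "b")                          # acceleration, coasting, braking
NOMINAL_ACCEL = {"a": 1.0, "c": 0.0, "b": -1.0}  # alpha_q per mode (constructed)
DIST_BOUND = 0.3                                 # bound on the continuous disturbance d
# R(q): modes reachable from q, q itself included (acceleration -> coasting -> braking).
REACH = {"a": {"a", "c"}, "c": {"c", "b"}, "b": {"b"}}


def reachable(modes):
    """R lifted to a set of modes: union of the reachable sets (Definition 5)."""
    out = set()
    for q in modes:
        out |= REACH[q]
    return out


def consistent(mode, dv):
    """Does some admissible disturbance explain the increment dv under this mode?"""
    return abs(dv - NOMINAL_ACCEL[mode]) <= DIST_BOUND


def update(estimate, dv):
    """One step of the nondeterministic discrete information state (Definition 7):
    keep the modes whose dynamics explain the last observation, then allow every
    unobserved mode transition the model permits before the next step."""
    kept = {q for q in estimate if consistent(q, dv)}
    return reachable(kept)


def run_estimator(initial_info, observations):
    """Estimate sequence; history[k] is the estimate for the mode active during step k."""
    est = set(initial_info)
    history = [set(est)]
    for dv in observations:
        est = update(est, dv)
        history.append(set(est))
    return history


def trivial_estimator(initial_info, observations):
    """The estimator that never refines: correct but not tight (Section IV-C)."""
    return [set(MODES) for _ in range(len(observations) + 1)]


def simulate_hidden_vehicle(true_modes, disturbances):
    """Constructed ground truth: increments produced by a hidden mode sequence."""
    return [NOMINAL_ACCEL[q] + d for q, d in zip(true_modes, disturbances)]


def is_correct(history, true_modes):
    """Correctness property: the true mode lies in the estimate at every step."""
    return all(true_modes[k] in history[k] for k in range(len(true_modes)))


if __name__ == "__main__":
    modes = ["a", "a", "c", "c", "b"]            # constructed hidden trajectory
    obs = simulate_hidden_vehicle(modes, [0.1, -0.2, 0.25, 0.0, 0.1])
    for k, est in enumerate(run_estimator(MODES, obs)):
        print(k, sorted(est))
```

An empty estimate can only arise when an observation is inconsistent with every mode the model allows, that is, when the plant has left the model. A deployment should treat that as a model violation rather than continue with an empty set, because correctness, and with it every safety guarantee built on the estimate, no longer holds.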


Note that while the discrete state of system is unknown, the discrete state of system is known as its initial state is known and both and are measured. Hence, we define the closed loop system under a static feedback map as follows.

Definition 11: Consider a feedback map . The closed loop system is defined as system , in which for all . The flow of is denoted by and the continuous flow by .

Definition 12: The capture set for system is denoted and is given by .

Proposition 3: Let and define the mode-dependent capture set . Then, we have that .

Problem 2: (Safety Control with Perfect State Information) Let be an estimator for . Determine the capture set and the set of feedback maps such that if , then all flows for all , , and .

Definition 13: Consider the feedback map and an estimator . The estimator-based closed loop system is defined as system , in which for all .

Definition 14: We say that system with initial state is safe provided implies that for all , , and . Similarly, we say that system with initial information is safe provided implies that for all , , and .

Definition 15: (Weak equivalence) We say that Problem 1 and Problem 2 are weakly equivalent provided that 1) if with initial state is safe then also with initial information is safe; 2) for all , we have that .

Definition 16: (Equivalence) We say that Problem 1 and Problem 2 are equivalent provided that 1) they are weakly equivalent; 2) for all , we have that .

Weak equivalence guarantees that any feedback map that keeps safe also keeps system safe. Equivalence guarantees that system has the same mode-dependent capture sets as system .

Proposition 4: Problem 1 and Problem 2 are weakly equivalent.

Proof:
1) If is safe with initial state , we have that implies that for all , , and . In particular, this is true for such that for all and hence for such that , , and hence for trajectory of .
2) We show that for all . Specifically, we show that if then . If , there is a feedback map such that for all all flows . In particular, this is true for such that , , and for all (note that a for which must always exist in by the definition of an estimator). This implies that for all . In such a case, is a map from the continuous state only as the first argument is always constant. Hence, the flow satisfies for all . In turn, any that satisfies this also satisfies for all and all . As a consequence, is such that for all , all , all , and all . This, in turn, implies that .

We first solve Problem 2 and then address the question of when this problem is equivalent to Problem 1.

V. SOLUTION TO PROBLEM 2

Since is a hybrid system with uncontrolled mode transitions, it has more structure than the general class of hybrid automata. We exploit this structure to provide a specialized iterative algorithm for the computation of the capture set and of the feedback maps . The proofs are in the Appendix.

A. Computation of the Capture Set

In order to compute the set , we introduce the notion of uncontrollable predecessor operator.

Definition 17: For a set and the uncontrollable predecessor operator for is defined as .

This set represents the set of all states that are mapped to when the mode estimate is constant and equal to . The following properties of the Pre operator follow from the fact that it is an order preserving map in both of its arguments.

Proposition 5: The operator has the following properties for all and : 1) ; 2) ; 3) , for all ; 4) , for all ; 5) , for all ; 6) for for all .

We use for all the notation , in which we set if is not defined for some .

Proposition 6: The sets for all satisfy .

Definition 18: A set is said to be a controlled invariant set for if there is a feedback map such that for all , we have that all flows for all , , and . A set is the maximal controlled invariant set for provided it is a controlled invariant set for and any other controlled invariant set for is a subset of .

Proposition 7: The set is the maximal controlled invariant set for contained in .

Let with for , for , and define . We define the map as

...


Proposition 8: Let be a tuple of sets such that . Then, is a controlled invariant set for .

Let represent the set of all M-tuples of subsets of and define the partial order , where is defined component-wise. One can verify that is an order preserving map (it follows from property 3) of the Pre operator from Proposition 5).

Algorithm 1

,

while

end.

If Algorithm 1 terminates, that is, if there is a such that,

we denote the fixed point by .Theorem 1: If Algorithm 1 terminates, the fixed point is

such that .Proof: If Algorithm 1 terminates, then there is

such that , in which . Thus,is a fixed point of . To show that it is the least fixed point,

consider any other fixed point of , called . Since andis an order preserving map, we have that ,

. Since, we have that . Thus is the least fixed point of .Proposition 6 indicates that the set

is such that the tuple of sets is a fixed point of. Assume that such a tuple of sets is not the least fixed point

of . This implies that there are sets such that the tuple is also a fixed point of . Consider the sets

and the new set defined as

. By Proposition 8, these two sets are both controlled invariant and are both contained in

. Since , we have that is not the maximal controlled invariant set contained in the complement of

. This contradicts Proposition 7. Therefore, the tuple must be the least fixed point of . Since the

least fixed point of equals by the first part of the proof, it follows that .

This result is based on the assumption that Algorithm 1 terminates and hence it is sufficient that the map is an order preserving map. A stronger property for , such as omega-continuity [34], is required for the result of Theorem 1 to hold if termination of Algorithm 1 is not assumed. In Section VI, we address termination.

B. Control Map

To determine the set of feedback maps that keep the complement of invariant, we employ notions from viability theory.

Definition 19: A set valued map is said piece-wise Lipschitz continuous on if it is Lipschitz continuous on

a finite number of sets for that cover ,that is, , and for .

The next result extends conditions for set invariance as found in [4] to the case of piece-wise Lipschitz continuous set valued maps. This extension is required in our case because the vector field is allowed to be piece-wise continuous.

Proposition 9: Let be a set-valued Marchaud map. Assume that is piecewise Lipschitz continuous on . A closed set is invariant under if and only if

for all .

For simplifying notation, for each mode define the

set valued map as for all . Define

for all and consider the set valued map defined as

(3)

Theorem 2: Assume that is such that for all the set-valued map is Marchaud and piecewise Lipschitz continuous on . Then, the set is invariant for if and only if

.

Proof:

Assume that and that, we show that all

for all . This is shown by induction argument on the transition times . (Base case) By assumption we have that . (Induction step) Assume that . We show that this implies for all , in which

. This in turn is equivalent to showing that for all and .

Since by the properties of the Pre operator and by Proposition 6, then if also . Therefore, it is enough to show that for all . If , then since we have that . If , for , the trajectory satisfies . Since , it follows that

. Proposition 9 thus implies that is invariant by . Therefore, we have that for all

. Thus, for all .

The fact that if the set

is not invariant for follows from Proposition 9.

Given the current mode estimate , a control map as given in Theorem 2 is one that makes all the possible vector fields point outside the current mode-dependent capture set . Once the mode estimate switches to , the current mode-dependent capture set also switches to the new mode-dependent capture set

, which is (by Algorithm 1) contained in the previous one. At this point, the feedback map switches to one that makes

all the possible vector fields originating from point outside the new current mode-dependent capture set . Note that control map (3) guarantees safety for any choice of an estimator. However, a coarser estimator leads to larger mode dependent capture sets to be avoided at any time and, as a consequence, the control actions are more conservative.

VI. TERMINATION OF ALGORITHM 1

There are two main difficulties in the implementation of Algorithm 1. The first one is the exact computation of the Pre operator, which is known to be a hard problem for general classes of nonlinear and hybrid dynamics and general results are still lacking. Hence, research has been focusing on special classes of systems for which such an operator can be exactly computed [46]–[48]. The second difficulty lies in guaranteeing the termination of Algorithm 1. In this section, we address the termination of Algorithm 1, that is, the existence of a finite such that

. We then discuss the problem of the exact computation of the Pre operator.

For the termination problem, we first provide sufficient conditions on for which Algorithm 1 terminates. Then, we show that one can construct an abstraction of for which Algorithm 1 always terminates and such that the fixed point gives the mode-dependent capture sets of . In order to proceed, we introduce the notion of kernel sets for .

Definition 20: (Kernel set) The kernel set corresponding to a mode is defined as

and .

The kernel set for a mode is thus the set of all modes that

can be reached from and from which can be reached. One can verify that for all pairs of modes , we have that

and if and only if . The next result shows that any two modes of in the

same kernel set have the same mode-dependent capture set and hence the same set of safe feedback maps.

Proposition 10: For every kernel set and for any two modes , we have that and hence that

.

Proof: Since , we have that

and that . By Proposition 6, the first inclusionimplies that , while the second inclusion implies that

. Hence, we must have that . By (3), this in turn implies also that .

Let . Let there be distinct elements in denoted . Note that

, for . If each of the kernel sets is just one element in , it means that there are no discrete transitions possible in that bring a discrete state back to itself. That is, there is no loop in any of the trajectories of . In this case, one can verify that Algorithm 1 terminates in a finite number of steps. If instead there are kernel sets composed of more than one element, it means that there are discrete transitions that bring a discrete state back to itself, that is, there are loops in the trajectories of . In this situation, Algorithm 1 may not terminate. The next

result shows that even when there are loops in the trajectories of , Algorithm 1 still terminates if each kernel set contains a maximal element.

Theorem 3: Algorithm 1 terminates if all the kernel sets have a maximal element with respect to the

partial order .

This theorem provides an easily checkable sufficient condition for the termination of Algorithm 1 based on the structure of the map . Note that a corollary of this theorem is that if system is such that all of its kernel sets are singletons in , then Algorithm 1 terminates for . The proof of this theorem is in the Appendix. Here, we illustrate the logic of the proof and the concept of kernel set on a simple example.

Example 2: Consider a simple instance of in which , , , and

. That is, we have one kernel set equal to . Because of the loop between and , Algorithm 1 may not terminate. Here, we show that if we assume that, for example, , then Algorithm 1 terminates in three steps. In this example, we have that and

. Hence, , and

. Consider . On the one hand, we have that

by properties 4) and 2) of Proposition 5.On the other hand, we have that

by property 3) of Proposition 5. Hence, we must have that . Similar reasonings lead to . This leads to

, which, employing again the properties of the Pre operator, leads to

. This set is, in turn, equal to and therefore Algorithm 1 terminates in three steps.

A. Proving Termination Through Abstraction

When not all kernel sets have a maximal element, Theorem 3 does not hold. However, for any estimator , one can construct an abstraction of , denoted , for which Algorithm 1 terminates and such that the fixed point gives the mode-dependent capture sets of . This abstraction is constructed by merging all the modes of that belong to the same kernel set in a unique new mode as follows.

Definition 21: Given hybrid system, the abstraction

is a hybrid system with uncontrolled mode transitions such that:

1) , such that and for all ;

2) for all there is such that if and only if there are ,

, and such that ; 3) for all , , , and , we

have that .

For a feedback map , initial states and , and signals , , we denote the flows of the closed loop system

by and , in which satisfies

.

We also denote by for the mode-dependent capture sets of . For any , we define provided . Also, for all

, we denote the set of reachable modes from as . In the sequel, we

denote , in which we set if is not defined for some . The following proposition is a direct consequence

of Theorem 3 and of the fact that all kernel sets of are singletons.
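As an added illustration (not code from the paper), the following Python computes kernel sets in the sense of Definition 20 for a constructed mode-transition relation, builds the abstraction of Definition 21 by merging each kernel set into a single new mode, and checks that every kernel set of the abstraction is a singleton, which is the fact the next proposition relies on. The mode names and transitions are constructed for this example; continuous dynamics play no role in the discrete structure and are omitted.

```python
"""Kernel sets (Definition 20) and the abstraction (Definition 21).

Added example, not the paper's code.  MODES and TRANSITIONS are a
constructed mode-transition relation of a hidden-mode system; only the
discrete structure matters here, so continuous dynamics are omitted.
"""

# Constructed example: modes a, b, c form a loop, modes d, e form a second
# loop, and f is a sink.  Loops are exactly what can make Algorithm 1 fail
# to terminate, so this graph has two non-singleton kernel sets.
MODES = {"a", "b", "c", "d", "e", "f"}
TRANSITIONS = {
    ("a", "b"), ("b", "c"), ("c", "a"),   # loop a -> b -> c -> a
    ("c", "d"), ("d", "e"), ("e", "d"),   # loop d <-> e, entered from c
    ("e", "f"),                           # f has no outgoing transition
}


def reachable(modes, transitions):
    """Reach(q) for every mode q: the modes reachable from q by zero or
    more discrete transitions (q itself included)."""
    succ = {q: set() for q in modes}
    for src, dst in transitions:
        succ[src].add(dst)
    reach = {}
    for q in modes:
        seen, stack = {q}, [q]
        while stack:
            cur = stack.pop()
            for nxt in succ[cur]:
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        reach[q] = frozenset(seen)
    return reach


def kernel_sets(modes, transitions):
    """Kernel set of each mode q (Definition 20): the modes that can be
    reached from q and from which q can be reached."""
    reach = reachable(modes, transitions)
    return {q: frozenset(p for p in reach[q] if q in reach[p]) for q in modes}


def kernel_sets_partition(modes, transitions):
    """The property noted after Definition 20: two kernel sets are either
    equal or disjoint, and equal exactly when one mode lies in the other's
    kernel set.  Returns True when it holds for every pair of modes."""
    ker = kernel_sets(modes, transitions)
    for q1 in modes:
        for q2 in modes:
            same = ker[q1] == ker[q2]
            if not (same or ker[q1].isdisjoint(ker[q2])):
                return False
            if same != (q2 in ker[q1]):
                return False
    return True


def all_singletons(modes, transitions):
    """True iff every kernel set has one element, i.e. no sequence of
    discrete transitions brings a mode back to itself."""
    return all(len(k) == 1 for k in kernel_sets(modes, transitions).values())


def abstraction(modes, transitions):
    """Definition 21: each kernel set becomes one new mode, and two new
    modes are connected iff some member of the first can transition to
    some member of the second.  Transitions inside a kernel set vanish,
    so the abstraction has no loops."""
    ker = kernel_sets(modes, transitions)
    new_modes = set(ker.values())
    new_transitions = {
        (ker[src], ker[dst]) for src, dst in transitions if ker[src] != ker[dst]
    }
    return new_modes, new_transitions


if __name__ == "__main__":
    for q, k in sorted(kernel_sets(MODES, TRANSITIONS).items()):
        print(f"kernel set of {q}: {sorted(k)}")
    abs_modes, abs_transitions = abstraction(MODES, TRANSITIONS)
    print("abstraction has", len(abs_modes), "modes;",
          "all kernel sets singletons:", all_singletons(abs_modes, abs_transitions))
```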

Proposition 11: Algorithm 1 terminates for system .

The next result shows that any piece-wise continuous

signal, which is continuous from the right and contained in is a possible discrete flow of for suitable

starting from some .

Proposition 12: For any piece-wise continuous signal that is continuous from the right and such that

, there are and such that for all .

Proof: Since for all , there are times and a sequence such that for all . Since any mode in can transit to any other mode in instantaneously under the discrete transitions of , we have that there are

and such that for all . Also, for any two modes and we have that . Hence, let and

. Then, since

multiple transitions are possible in at the same time, there is a signal such that . Hence, there is a signal such that for all .

Theorem 4: For all kernel sets with and for all , we have that .

Proof: Let . We first show that . Let

, then for all , there are , , and such that . This is in particular

true for all those feedback maps such that whenever for some . Hence, we also have that for all , there are , , and

such that , in which with

if . Such a signal also satisfies by the definition of . By

the definition of , there is such that for all . Hence, is also a continuous flow of starting at

and therefore .

We now show that . If , then for all

feedback maps , there are , , and such that . Here, we have that satisfies

,which is equivalent (by the definition of ) to

,which is equivalent to

for piece-wise continuous signal (continuous from the right) such that

. By Proposition 12, any such is such that there are and such that

for all , that is, it is a discrete flow of system . Hence, for all with

for all for all , there are

, , , such that . By Proposition 10, this implies that for all there are , , , such that . Hence, .

The above theorem provides a useful result for the computation of the mode-dependent capture sets of . In particular, one constructs the abstraction and applies Algorithm 1 to it. Algorithm 1 is in turn always guaranteed to terminate for system

. The result (by Theorem 4) provides the sets . Hence, can be considered only as a structural abstraction as it does not provide an over-approximation of the capture set of , but provides it exactly.

The next two technical propositions provide a characterization of the Pre operator computed for system

and the relationship between and . Specifically, denote the predecessor operator for system by

for some as.

Proposition 13: For all and , we have that.

Proof: From the definition of , we have that if and only if for all , there are such that

, in which , which, by the definition of and of is equivalent to

. Hence, by the definition of Pre, we have that if and only if

.

Proposition 14: Let . If then

.

Proof: If , then by the definition of

there are and such that for some . By the definition of a kernel set, this also implies that for all and , there is a sequence of events and of modes such that , and for

. Since for all and , this in turn implies that

for . This leads to for all and . This also implies that

and hence (since this holds for all) to .

Lemma 1: For all , we have that.

Proof: First, we show that . Since Algorithm 1 terminates in a finite number of steps for , we have that

.

By Proposition 13, we also have that

. By Proposition 14, we have that and that for .

Since the Pre operator and Reach preserve the inclusion relation in the first argument, these imply that

. Since for all we have that ,

we also have that for all . Hence, for all

. This along with Theorem 4 finally imply that for all we have .

To show that , we employ the properties of the Pre operator and Proposition 6. By such a proposition, by the fact that (since is an estimator for ) for all there is such that

, and by property 3) of Proposition 5, it follows that . In turn we have that by Proposition 6 and property 3) of Proposition 5. Hence, we have that

, which by property 1)of Proposition 6 leads to .

This result shows that the mode-dependent capture set can be computed by computing the Pre operator only once as opposed to being determined through a (finite, by Theorem 4 and Proposition 11) iteration of Pre operator computations. Exact computation of Pre for general dynamics is not always possible. However, there are a number of works that have focused on the exact computation of uncontrollable predecessor operators for restricted classes of systems. For example, the work of [46] shows that Pre can be exactly computed for special classes of linear systems; [47] further extends this result to linear hybrid systems; [48] shows that Pre is exactly computable also for triangular hybrid systems. Finally, [17], [28] show that Pre is computable with a linear complexity algorithm for classes of order preserving systems. Based on these results and on Lemma 1, we conclude that Problem 2 is decidable when for each mode the continuous dynamics , belong to one of the above cited classes of systems. Since the application example falls in the class of systems described in [17], [28], we summarize the main result here. For this sake, we restrict the structure of and to that of a two-agent game.

Definition 22: The pair has the form of a two-agent game provided with

for with , , , , and with .

Proposition 15: Let be in the form of a two-agent game. Assume that:

1) ; the flow of denoted is an order preserving function in both

arguments; there is such that ;;

2) For there are and a function such that

; the flow of , that is, , is an order preserving map in both arguments; there is such that ; .

Then, , in which

and

.

A feedback map is given by

if
if
if
otherwise. (4)

By virtue of this result, one can avoid computing the set

, which requires optimization over the space of control inputs. One can instead compute the sets and , which, since the control input is fixed and the flow preserves the ordering, can be computed by linear complexity algorithms. The structure of the set well models collision configurations between agents sharing a common space as illustrated in the application examples of Section VIII. We omit the details of the algorithms, which can be found elsewhere [17], [28] and instead present in Section VIII their application to a concrete example.

VII. EQUIVALENCE BETWEEN PROBLEM 1 AND PROBLEM 2

Showing that Problem 1 is equivalent to Problem 2 is based on showing that for all we have that . In general, the set of possible continuous trajectories of system for every mode contains but is not equal to the set of continuous trajectories possible in . This is due to the fact that in not all transitions may be possible among the modes in due to the structure of . This information was lost in the construction of

in order to obtain a hybrid system with uncontrolled mode transitions and known discrete/continuous state. In order to illustrate this point, consider the following example.

Example 3: Consider system with two modes and between which there is no transition and let the continuous dynamics for each mode be given, for , by

for and for (5)

in which and . Let . In order to determine , refer to the left plot of Fig. 2, in which we depict the sets and . Any point

admits a control that keeps outside for every initial mode. This is due to the fact that

the mode of does not switch and hence a continuous trajectory starting at will follow either of the two directions depicted, none of which takes the flow inside . Hence, we have that

. By contrast, we have that , which includes point in Fig. 2 as this

can be taken to by, for example, first flowing under and then under . Hence, in this case we have that is strictly larger than .

If we instead had that , we would also have that . In order to

illustrate how we can obtain this equality, we modify system(5) to

when

when (6)

Fig. 2. (Left) Example 3, in which the continuous dynamics are given by equations (5). (Right) Example 3, in which the continuous dynamics are given by equations (6). The set is in red while the set is in blue. Both sets extend to .

In this case, the sets and are larger than before and are depicted in the right side plot of Fig. 2. One can check that in this case we still have that and that

, but, as opposed to before, we also have that so that the two capture sets are the same, that is, .

This example illustrates an instance of a system in which due to not being equal to . It also illustrates how requiring that (note that

derives from the definition of Pre) is sufficient to have . We thus pose the following assumption.

Assumption 1: For all we have that.

This assumption requires that if an initial state is taken to by an arbitrary sequence of modes in , then there is a disturbance signal for which it is also taken to by at least one mode . We provide at the end of this section classes of systems for which this assumption is satisfied.

Since by Lemma 1, for all ,in order to obtain equivalence, we should at least have that

is also a subset of , which is not the case in general. In fact, an element is in if and only if there is no feedback map that prevents the flow starting from this element to end-up in . Nevertheless, for such an element there could still be a feedback map that prevents the flow originating from it to enter . Hence,

may not be in . However, if implies that is equal to a constant for all , then the map that prevents the flow from entering becomes a simple feedback map . In this case, if is in

, it must also be in . The next assumption and proposition provide conditions for when this is the case.

Definition 23: A mode is called weakly distinguishable provided

1) there is a set of modes such that for all and

for all ;2) for all there is such that

for all .The set is called the indistinguishable set for .

Note that in the case in which the indistinguishable set for is itself, the mode is distinguishable from any other

mode, that is, for all there is such that for all . Weak distinguishability allows

for to generate the same vector fields as those generated by the modes in the set .

Assumption 2: System is such that all modes in are weakly distinguishable.

Proposition 16: Let , and . Then, Assumption 2 implies that

there is such that for all .

Proof: Assumption 2 implies that for all ,there is a such that

for some implies that . Hence, can be rewritten as

and

for

This, in turn, implies that for all .

Let . Then, for all there are and such that and

for all . This, in turn, implies that . Since for all we have that

for all , there must be a disturbance signal such that

for all . Hence,we also have that for all .

Lemma 2: Let Assumption 2 hold. Then, we have that for all .

Proof: Let , then there is a feedback map such that for all , , , it guarantees that

for all . This holds in particular for ,and such that leads to

for all , which exists by Proposition 16. In this case, is a

simple feedback from for all . Since , we thus have that is also such that

for all . Hence, .

Theorem 5: Under Assumptions 1 and 2, Problem 1 and

Problem 2 are equivalent.

Proof: Proposition 4 proves that . We next prove

the reverse inclusion. Specifically, by Lemma 1 and Assumption 1 we have that , in which by Lemma 2 we have that , in which

by Proposition 2. This proves equivalence.

A. Systems That Satisfy Assumption 1 and Assumption 2

Assumption 1 can be difficult to check for general hybrid systems. We thus provide two classes of systems for which such an assumption is satisfied and illustrate in the next section how one of these classes well models the application example. We first introduce two intermediate results.

Proposition 17: Let , with a lattice, and consider the system , in which

. Assume that:

1) the flow of the system is a continuous and order preserving map for all and ;

2) we have that , , and for all .

Then, for all , , , and such that there is with for and with

, there are and with for such that .

Proof: Let for for . By property 1) and

property 2), we have that for all

. Hence, it follows that

. Since , this implies that there is such that

. Since is a continuous map from the space of input signals to

, it maps the connected set for all to the connected set . Since all connected sets in are intervals, we have that

. Hence, , which implies that there is with for such that

.

This proposition states that for a system defined on partial orders whose flow preserves the order and whose set of inputs is a connected union of intervals, any point reachable by a coordinate of the flow through an arbitrary input signal can also be reached by an input signal that takes values in one only of the possible intervals.

Proposition 18: Let for and consider a differential inclusion of the form

. Assume that there are such that . Then, for all and

such that , there is such that with for .

Proof: Let for for all . Rewriting this equality component-wise, we have that for

all for for all . Then, there is such that

and hence such that . The constant vector is thus such that , in which

. Since , there is such that . Hence, there is

such that for for all .

This proposition states that any point that can be reached under a rectangular differential inclusion in the form of a union of “smaller” rectangular differential inclusions can also be reached under at least one of these smaller rectangular differential inclusions.

Proposition 19: Let be in the form of a two-agent game. Assumption 1 is satisfied if for all with

either one of the following two properties is satisfied by :

1) for all there are such that, there are

such that ,and ;

2) for all there are with a lattice and a function such that

and, with satisfies 1) and 2) of Proposition 17, and .

Proof: Let , we show that when

either 1) or 2) is satisfied there is such that . We consider first case 1). Then, for all feedback

maps there is a such that and for for all . Let

, then by Proposition 18 there is such that with for

. Hence, .

Consider now case 2). We have that for all feedback maps

there are and with for all such that and .

Let , then by Proposition 17 there are also and with for all such

that . Hence, .

This proposition states that if is in the form of a

two-agent game and the continuous dynamics of (the uncontrolled agent) have either the order preserving properties established by the assumptions of Proposition 17 or can be modeled by a family of differential inclusions according to Proposition 18, then Assumption 1 is satisfied. In turn, the assumptions of Propositions 17 and 18 are simple to check. Note that modeling the uncontrolled agent by a family of switching differential inclusions is often a practical approach when an accurate dynamical model of such an agent is missing. In this case, rectangular differential inclusions can be effectively employed to approximate the agent dynamics for safety control purposes. Similarly, systems whose dynamics have order preserving properties are found in several application domains, including biological networks [2], [3] and networks of agents evolving on pre-specified paths such as trains on rails [32], [41], aircraft on their routes [33], [42], and vehicles in their lanes [22], [24].

Assumption 2 requires that for all values , the possible vector fields generated by any given mode cannot be all generated by modes that do not belong to the indistinguishable set for . In the case in which is affine in the disturbance , that is, , in which

can be regarded as the “nominal” dynamics, a sufficient condition for weak distinguishability of mode is given, for example, when the nominal dynamics of mode are not possible dynamics in any other mode. This can, in turn, be ensured if . As an example, consider in the form of a chain of integrators, that is,

. Letting for some , one can verify that any mode is weakly distinguishable if for all . For the special case

in which is linear, one can obtain the following general sufficient condition for weak distinguishability.

Proposition 20: Let with and for all . Then, mode

is weakly distinguishable if for all .

Proof: If for all , then for all with

we have that , which is equivalent to having . This, in turn, is equivalent to having that there is such that

for all , which implies weak distinguishability.

Finally, consider the class of systems introduced in Proposition 15, in which for all we have . If for every we have that and the map

is strongly order preserving with respect to the second argument, then Assumption 2 is satisfied. Similarly, consider case 1) of Proposition 19. If for all such that we have that , then Assumption 2 is satisfied.

VIII. APPLICATION EXAMPLE: CONTROL DESIGN

Consider the application example described in Section IV-B and depicted in Fig. 1. Here, we construct an estimator, calculate the mode-dependent capture sets, and determine the feedback map. An estimator is uniquely determined by , , and . We set , in which

, , and . To determine and , consider the estimate .

For each possible value of , we compute the interval in which must lie. Thus, we have to consider three cases: 1)

; 2) ; 3) .

Case 1) . Then, in the interval of time , the

mode can only have been equal to . Since it is still possible that when is exceeded, we have that with for . This, in turn, leads to having

.

Case 2) . Then, in the interval of time , the

mode can be for all time or be first equal to and then be equal to . In this case, we have that

for some such that . As a consequence, we have

that .

Case 3) . Then, in the interval of time ,

the mode can be in for all time, or also in for some time, or also in and then for some

time. It is easy to verify that this implies that , that is, can be anywhere.

Hence, we have that if then necessarily . Similarly, if then, is not currently

possible and thus we must have that . As a consequence, we let and define for if , if , and

otherwise. Thus, is such that , , and . System is represented

in the top left diagram of Fig. 3. The properties of an estimator are satisfied as when or are ruled out, the structure of guarantees that cannot take again those values. By Theorem 3, Algorithm 1 terminates and by Lemma 1 we have that , , and

. Since for all , the assumptions of Proposition 15 are satisfied, we employ such a proposition to determine whether for all and to determine the feedback map . Assumption 1 is satisfied and Assumption 2 is also satisfied for . Simulation results are shown in panels (a)–(e) of Fig. 3.

IX. CONCLUSION

In this paper, we have addressed the safety control problem for hybrid systems in which the mode is not available for control (HMHS). We have adopted an approach inspired by the theory of games with imperfect information. Specifically, we have introduced the notion of nondeterministic discrete information state and formulated the control problem on its basis (Problem 1). We have introduced the notion of an estimator and we have formulated a control problem with perfect state information on a new hybrid automaton (Problem 2). We have provided an algorithm for the computation of the capture set for and for the least restrictive control map. We have provided conditions for the termination of the iterative algorithm that computes the capture set. We have also shown how to construct an abstraction of for which the algorithm always terminates and has as fixed point the capture set of . We showed that Problem 2 is equivalent to Problem 1 under suitable assumptions and provided classes of systems for which these assumptions are satisfied. Accordingly, an application example in the context of cooperative active safety systems has been presented. Future research will include removing Assumptions 1 and 2 by employing a dynamic feedback design that does not impose separation between estimation and control. Also, we will consider the case in which there is a nonzero minimum dwell time associated with the modes in .

APPENDIX

Proof of Proposition 5: Property 1) follows directly from the definition of Pre, in which . To show property 2), let . By the definition of Pre, we have that for all there is and a time

such that some . Define . Since , we have by the definition of Pre that for all there is and such that some . Let

and define such that for and for . Then, we

have that . Since for all there is such that , we also have that . Property 3) is an immediate consequence of the definition of Pre. Property 4) follows from the fact that if for all a trajectory such that

enters , then also a trajectory such that with enters . Property 5) follows from the fact that a) by property 1)

Fig. 3. (Top Left) Diagram representing . In each of the plots (a)–(e), the red box represents . In the simulation, we have , , , , , , and . The black solid lines delimit the slice of the set for the current speeds values . Similarly, the green dashed lines delimit the slice of the set for the same current speeds values . The intersection of these two slices delimits the slice of the current mode dependent capture set for the same current speeds values . The red circle denotes the pair of current longitudinal displacements , while the blue trace represents the trajectory of this pair. The initial (unknown) driving mode of the human driver is acceleration and it stays constant for the first 1 second, then from 1 to 3 seconds, the driving mode is coasting , and finally after 3 seconds the mode is braking . Plot (a) shows the pair of initial longitudinal displacements. Here, the current mode estimate is and the current mode dependent capture set is . Plot (b) shows the mode estimate switching to and the current mode dependent capture set shrinks to . Plot (c) shows the time at which the mode estimate becomes , so that the current mode dependent capture set further shrinks to . Plot (d) shows when the continuous state hits the boundary of and thus control is applied. Plot (e) shows the vehicles passing the intersection.

and 3); and from the fact that b) by properties 4) and 3); and from the

fact that c) by property 2). Finally, we show property 6). By property 1), we have that . Thus, applying property 3), we have that

. Also, applying property 4) and property 3), we have that

. However,

by the definition of Pre [using the same strategy as used for proving property 2)]. Hence,

for for all .

Proof of Proposition 6: See Proposition 4 of [51].

Proof of Proposition 7: Let . Then, by the definition of we have that there is a feedback map such that all for all , and . Define the set , which is controlled invariant with feedback map . Since the class of controlled invariant sets contained in is closed under union (see the proof of Proposition 3 of [39]), there is a feedback map that makes the union controlled invariant.

Therefore, is also controlled invariant. It is the maximal controlled invariant set contained in because

if then , which implies that for all maps some flow enters for some , ,

and .Proof of Proposition 8: See Proposition 5 of [51].Proof of Proposition 9: We construct from an impulse

differential inclusion whose trajectories are the same asthe ones of the system and then apply Theorem3 from [5] to the resulting impulse differential inclusion toconclude invariance of . An impulse differential inclusion isa tuple , in which is a finite dimensionalspace, is a set valued map regarded as adifferential inclusion , is a reset map,and is a forced discrete transition set. Since ispiecewise Lipschitz continuous on , there are setsfor that cover on which is Lipschitz. Definefor each the maps such that

for all and for the mapis extended so that it is Lipschitz continuous on . Then,

is Marchaud and Lipschitz continuous. Letfor and define .

Let and define the new mapas . Define areset map by , if .Define the set of forced transitions as

and . By construction, the trajectoriesof starting from initial conditions and for


all coincide with the trajectories of starting with the same .

Let and define the set as . This is a closed set. Theorem 3 from [5] states that if is Marchaud and Lipschitz and is closed, then is invariant under if and only if 1) and 2)

we have . Notice that by the way is constructed. Let then for all . We show that this implies that also for all

. By the way , , and have been defined, for all we have that with

. Since also , we have because and for . Since , we have that

. As a consequence, . Given that [10], it follows that

for all . By Theorem 3 in [5], set is invariant under , which implies that set is invariant by as the trajectories of the first system starting in are the same as the trajectories of the second system starting at .

Conversely, if for some , then for some such that we have that . This in turn

implies that for (that is, for ) we have . By Theorem 3 in [5] set is thus not

invariant under . This implies that there is a time at which either or . However, if we must have that for all as can change its value only through , which always maps back in . Therefore, there must be a time such that for system . Since the trajectories of starting at are the same as those of starting at , it must be that also for system , implying that cannot be invariant for .

Definition 24: (Type of a kernel set) We say that a kernel set transits to a kernel set if there is , , and such that . A kernel set is if it does not transit to any other kernel set. A kernel set is if it transits to kernel sets and only to kernel sets.

Proposition 21: Let for be in a kernel set. Then, Algorithm 1 is such that there is a for which .

Proof: See Theorem 2 of [51].

Proof of Theorem 3: See Theorem 2 of [51].

REFERENCES

[1] U.S. DOT Joint Program Office ITS, [Online]. Available: http://www.its.dot.gov

[2] D. Angeli and E. D. Sontag, "Interconnections of monotone systems with steady-state characteristics," in Optimal Control, Stabilization, Nonsmooth Analysis, Lecture Notes in Control and Information Sciences, vol. 301. Springer, 2004, pp. 135–154.

[3] D. Angeli and E. D. Sontag, "Oscillations in I/O monotone systems under negative feedback," IEEE Trans. Circuits Syst., vol. 55, no. 1, pp. 166–176, Jan. 2008.

[4] J. Aubin, Viability Theory. New York: Birkhäuser, 1991.

[5] J. Aubin, J. Lygeros, M. Quincampoix, S. Sastry, and N. Seube, "Impulse differential inclusions: A viability approach to hybrid systems," IEEE Trans. Autom. Control, vol. 47, no. 1, pp. 2–20, Jan. 2002.

[6] R. J. Aumann and M. Maschler, Repeated Games With Incomplete Information. Cambridge, MA: MIT Press, 1995.

[7] M. Baglietto, G. Battistelli, and L. Scardovi, "Active mode observability of switching linear systems," Automatica, vol. 43, pp. 1442–1449, 2007.

[8] A. Balluchi, L. Benvenuti, M. D. Di Benedetto, and A. Sangiovanni-Vincentelli, "Design of observers for hybrid systems," in Hybrid Systems: Computation and Control, C. J. Tomlin and M. R. Greenstreet, Eds. Berlin, Germany: Springer-Verlag, 2002, vol. 2289, Lecture Notes in Computer Science, pp. 76–89.

[9] L. Blackmore, S. Rajamanoharan, and B. C. Williams, "Active estimation for switching linear dynamic systems," in Proc. Conf. Decision Control, 2006, pp. 137–144.

[10] F. H. Clarke, Optimization and Nonsmooth Analysis. New York: Wiley, 1983.

[11] R. D'Andrea, R. M. Murray, J. A. Adams, A. T. Hayes, M. Campbell, and A. Chaudry, "The RoboFlag game," in Proc. Amer. Control Conf., 2003, pp. 661–666.

[12] B. A. Davey and H. A. Priestley, Introduction to Lattices and Order. Cambridge, U.K.: Cambridge Univ. Press, 2002.

[13] D. Del Vecchio, "A partial order approach to discrete dynamic feedback in a class of hybrid systems," in Hybrid Systems: Computation and Control, A. Bemporad, A. Bicchi, and G. Buttazzo, Eds. Pisa, Italy: Springer-Verlag, 2007, vol. 4416, Lecture Notes in Computer Science, pp. 159–173.

[14] D. Del Vecchio, "Cascade estimators for systems on a partial order," Syst. Control Lett., vol. 57, no. 10, pp. 842–850, 2008.

[15] D. Del Vecchio, "Observer-based control of block triangular discrete time hybrid automata on a partial order," Int. J. Robust Nonlinear Control, vol. 19, no. 14, pp. 1581–1602, 2009.

[16] D. Del Vecchio and E. Klavins, "Observation of guarded command programs," in Proc. Conf. Decision Control, 2003, pp. 3353–3359.

[17] D. Del Vecchio, M. Malisoff, and R. Verma, "A separation principle for a class of hybrid automata on a partial order," in Proc. Amer. Control Conf., 2009, pp. 3638–3643.

[18] D. Del Vecchio, R. M. Murray, and E. Klavins, "Discrete state estimators for systems on a lattice," Automatica, vol. 42, no. 2, pp. 271–285, 2006.

[19] D. Del Vecchio, R. M. Murray, and P. Perona, "Primitives for human motion: A dynamical approach," in Proc. IFAC World Congr., Barcelona, Spain, 2002.

[20] D. Del Vecchio, R. M. Murray, and P. Perona, "Decomposition of human motion into dynamics-based primitives with application to drawing tasks," Automatica, vol. 39, no. 12, pp. 2085–2098, 2003.

[21] Y. Demiris, "Prediction of intent in robotics and multi-agent systems," Cognitive Processing, vol. 8, pp. 151–158, 2007.

[22] V. Desaraju, M. H. C. Ro, E. Tay Yang, S. Roth, and D. Del Vecchio, "Partial order techniques for vehicle collision avoidance: Application to an autonomous roundabout test-bed," in Proc. Int. Conf. Robot. Autom., 2009, pp. 82–87.

[23] E. A. Domlan, J. Ragot, and D. Maquin, "Active mode estimation for switching systems," in Proc. Amer. Control Conf., 2007, pp. 1143–1148.

[24] J. Duperret, M. Hafner, and D. Del Vecchio, "Formal design of a provably safe robotic roundabout system," in Proc. Int. Conf. Intell. Robot. Syst., 2010, pp. 2006–2011.

[25] O. Maler, E. Asarin, and A. Pnueli, "Symbolic controller synthesis for discrete and timed systems," in Hybrid Systems II, P. Antsaklis, W. Kohn, A. Nerode, and S. Sastry, Eds. Berlin, Germany: Springer-Verlag, 1995, vol. 999, Lecture Notes in Computer Science, pp. 1–20.

[26] Y. Gao, J. Lygeros, and M. Quincampoix, "The reachability problem for uncertain hybrid systems revisited: A viability theory perspective," in Hybrid Systems: Computation and Control, 2006, vol. 3927, Lecture Notes in Computer Science, pp. 242–256.

[27] A. Gilpin and T. Sandholm, "Solving two-person zero-sum repeated games of incomplete information," in Proc. 7th Int. Conf. Auton. Agents Multiagent Syst., 2008, pp. 903–910.

[28] M. Hafner and D. Del Vecchio, "Computation of safety control for uncertain piecewise continuous systems on a partial order," in Proc. Conf. Decision Control, 2009, pp. 1671–1677.

[29] T. A. Henzinger, "The theory of hybrid automata," in Proc. 11th Annu. Symp. Logic Comput. Sci., 1996, pp. 278–292, IEEE Press.

[30] T. A. Henzinger, P. H. Ho, and H. Wong-Toi, "A user guide to HyTech," in TACAS '95: Tools and Algorithms for the Construction and Analysis of Systems, E. Brinksma, W. Cleaveland, K. Larsen, T. Margaria, and B. Steffen, Eds. Berlin, Germany: Springer-Verlag, 1995, vol. 1019, Lecture Notes in Computer Science, pp. 41–71.

[31] T. A. Henzinger, B. Horowitz, R. Majumdar, and H. Wong-Toi, "Beyond HyTech: Hybrid systems analysis using interval numerical methods," in Hybrid Systems: Computation and Control, B. Krogh and N. Lynch, Eds. Berlin, Germany: Springer-Verlag, 2000, vol. 1790, Lecture Notes in Computer Science, pp. 130–144.


[32] R. J. Hill, "Electric railway traction tutorial, part 1: Electric traction and DC traction motor drives," Power Eng. J., no. 1, pp. 47–56, 1994.

[33] J. Hu, M. Prandini, and S. Sastry, "Aircraft conflict prediction in the presence of a spatially correlated wind field," IEEE Trans. Intell. Transport. Syst., vol. 6, no. 3, pp. 326–340, Sep. 2005.

[34] S. Istrail, "Generalization of the Ginsburg-Rice Schützenberger fixed-point theorem for context-sensitive and recursive-enumerable languages," Theoret. Comput. Sci., vol. 18, pp. 333–341, 1982.

[35] J.-H. Kim, Y.-W. Kim, and D.-H. Hwang, "Modeling of human driving behavior based on piecewise linear model," Automatika, vol. 46, pp. 29–37, 2005.

[36] H. W. Kuhn, "Extensive games and the problem of information," in Contributions to the Theory of Games, H. W. Kuhn and A. W. Tucker, Eds. Princeton, NJ: Princeton Univ. Press, 1953, pp. 196–216.

[37] A. B. Kurzhanski and P. Varaiya, "Ellipsoidal techniques for hybrid dynamics: The reachability problem," in New Directions and Applications in Control Theory, W. P. Dayawansa, A. Lindquist, and Y. Zhou, Eds. New York: Springer, 2005, vol. 321, Lecture Notes in Control and Information Sciences, pp. 193–205.

[38] S. M. LaValle, Planning Algorithms, 1st ed. Cambridge, U.K.: Cambridge Univ. Press, 2006.

[39] J. Lygeros, C. J. Tomlin, and S. Sastry, "Controllers for reachability specifications for hybrid systems," Automatica, vol. 35, no. 3, pp. 349–370, 1999.

[40] M. Oishi, I. Mitchell, A. Bayen, and C. Tomlin, "Invariance-preserving abstractions of hybrid systems: Application to user interface design," IEEE Trans. Control Syst. Technol., vol. 16, no. 2, pp. 229–244, Mar. 2008.

[41] J. Pachl, Railway Operation and Control. Mountlake Terrace, WA: VTD Rail Publishing, 2002.

[42] R. Raffard, S. Waslander, A. Bayen, and C. Tomlin, "A cooperative distributed approach to multi-agent Eulerian network control: Application to air traffic management," in Proc. AIAA Guidance, Navigation, Control Conf. Exhibit, 2005, pp. 1–20.

[43] J. H. Reif, "The complexity of two-player games of incomplete information," J. Comput. Syst. Sci., vol. 29, no. 2, pp. 274–301, 1984.

[44] E. De Santis, M. D. Di Benedetto, and L. Berardi, "Computation of maximal safe sets for switching systems," IEEE Trans. Autom. Control, vol. 49, no. 2, pp. 184–195, Feb. 2004.

[45] C.-E. Seah and I. Hwang, "Terminal-area aircraft tracking by hybrid estimation," AIAA J. Guidance, Control, Dynamics, vol. 32, no. 3, pp. 836–849, 2009.

[46] O. Shakernia, G. J. Pappas, and S. Sastry, "Decidable controller synthesis for classes of linear systems," in Hybrid Systems: Computation and Control. Berlin, Germany: Springer-Verlag, 2000, vol. 1790, Lecture Notes in Computer Science.

[47] O. Shakernia, G. J. Pappas, and S. Sastry, "Semidecidable controller synthesis for classes of linear hybrid systems," in Proc. Conf. Decision Control, 2000, pp. 1034–1039.

[48] O. Shakernia, G. J. Pappas, and S. Sastry, "Semi-decidable synthesis for triangular hybrid systems," in Hybrid Systems: Computation and Control, M. D. Di Benedetto and A. Sangiovanni-Vincentelli, Eds. Berlin, Germany: Springer-Verlag, 2001, vol. 2034, Lecture Notes in Computer Science.

[49] C. J. Tomlin, J. Lygeros, and S. Sastry, "A game theoretic approach to controller design for hybrid systems," Proc. IEEE, vol. 88, no. 7, pp. 949–970, Jul. 2000.

[50] C. J. Tomlin, I. Mitchell, A. M. Bayen, and M. Oishi, "Computational techniques for the verification of hybrid systems," Proc. IEEE, vol. 91, no. 7, pp. 986–1001, Jul. 2003.

[51] R. Verma and D. Del Vecchio, "Continuous control of hybrid automata with imperfect mode information assuming separation between state estimation and control," in Proc. Conf. Decision Control, 2009, pp. 3175–3181.

[52] R. Verma, D. Del Vecchio, and H. Fathy, "Development of a scaled vehicle with longitudinal dynamics of a HMMWV for an ITS testbed," IEEE/ASME Trans. Mechatron., vol. 13, no. 1, pp. 46–57, Feb. 2008.

[53] R. Vidal, A. Chiuso, and S. Soatto, "Observability and identifiability of jump linear systems," in Proc. Conf. Decision Control, 2002, pp. 3614–3619.

[54] M. De Wulf, L. Doyen, and J.-F. Raskin, "A lattice theory for solving games of imperfect information," in Hybrid Systems: Computation and Control, J. Hespanha and A. Tiwari, Eds. Berlin, Germany: Springer-Verlag, 2006, vol. 3927, Lecture Notes in Computer Science, pp. 153–168.

Rajeev Verma (M’11) received the B.S. degree inmechanical engineering from the National Instituteof Technology, Warangal, India, in 2003 and theM.S. degree in electrical engineering: systems fromthe University of Michigan, Ann Arbor, in 2008.He is currently pursuing the Ph.D. degree at theUniversity of Michigan.

From 2003 to 2005, he was with Ashok LeylandLtd., India. Since January 2005, he has been a Grad-uate student at the University of Michigan. His re-search interests include hybrid systems and system

modeling and control.

Domitilla Del Vecchio (M’05) received the Laureadegree in electrical engineering from the Universityof Rome at Tor Vergata, Italy, in 1999 and the Ph.D.degree in control and dynamical systems from theCalifornia Institute of Technology, Pasadena, in2005.

From 2006 to 2010, she was an Assistant Pro-fessor in the Department of Electrical Engineeringand Computer Science and in the Center for Com-putational Medicine and Bioinformatics, Universityof Michigan, Ann Arbor. In 2010, she joined the

Department of Mechanical Engineering and the Laboratory for Informationand Decision Systems (LIDS), Massachusetts Institute of Technology (MIT),Cambridge, where she is currently the W. M. Keck Career DevelopmentAssistant Professor in Biomedical Engineering.

Prof. Del Vecchio is a recipient of the Donald P. Eckman Award from theAmerican Automatic Control Council (2010), the NSF Career Award (2007),the Crosby Award, University of Michigan (2007), the American Control Con-ference Best Student Paper Award (2004), and the Bank of Italy Fellowship(2000). Her research interests include analysis and control of nonlinear and hy-brid dynamical systems and the analysis and design of bio-molecular networks.