Great. So I'm Sam Coogan, and I'm an Assistant Professor in Electrical and Computer Engineering, with a secondary appointment in Civil and Environmental Engineering. I'm a member of IRIM, and I'm also a member of the Decision and Control Lab, and you'll see a little bit of that today as well. So I'm going to talk about our work in safe autonomy using the concept of runtime assurance. Good. First and foremost, I need to thank my students; everything I'll talk about today is the output of their hard work. We call ourselves the Formal Methods and Autonomous Control of Transportation Systems Lab. What we do is apply mathematical control theory to problems in autonomy so that we can get formal guarantees on performance. We're usually motivated by applications in transportation, although the work itself tends to be on the theoretical, mathematical side of things. So let me motivate this picture of runtime assurance for safety-critical systems. The idea is that we're trying to control some plant, and it's safety critical, so we have to make sure we control it in a safe way, right? The picture here shows the upper stage of the ASTROS test bed in Professor Tsiotras's lab; I'll show more videos of it in a moment. These are complex systems, and we want to be able to deploy controllers that somehow learn about the system as they evolve. Maybe that's a reinforcement learning algorithm or a neural network controller, or maybe it's even a human trying to get used to interacting with a complicated system, say a pilot on a new generation of aircraft, something like that. And of course they have a goal, a reference or objective they're trying to achieve, and we need to make sure they achieve it safely, right? This is generally a challenging problem, making sure these learning-based controllers always behave safely, especially if they're learning in the loop. And so a paradigm for achieving this goal, certainly not a new one, it has existed for a while, is to insert something in between the learning-based controller and the system you're trying to control. This mechanism, this algorithm you slot in between the learning-based controller and the plant, has one job: its job is solely to make sure the system stays safe. So it takes proposed inputs from the learning-based controller, takes sensor measurements from the system, and monitors the safety of the system. It somehow needs to predict the possible future evolution of the system, and then it needs to adjust those proposed inputs if required, right? We call this a runtime assurance mechanism. It goes by many different names in the literature: simplex architecture, shielding, sandboxing, safety filter. All of these refer to the same idea, that you put something in between the learning-based controller and the plant you're trying to control. And in general there can be unknowns about the system, disturbances, or dynamics that are not fully known, and this RTA, so I'll call it RTA from now on, needs to reason about the worst-case unknowns for the system, right? So this is kind of the picture here.
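To make that architecture concrete, here is a minimal sketch of one cycle of a runtime-assurance filter. This is not the lab's actual implementation; the helper names (reach_over_approx, is_safe, backup) are placeholders for the reachability, monitoring, and fallback components described above.

```python
def rta_step(x, u_proposed, reach_over_approx, is_safe, backup):
    """One cycle of a generic runtime-assurance (RTA) filter (a sketch).

    x                 -- current state estimate from sensors
    u_proposed        -- input proposed by the learning-based controller
    reach_over_approx -- over-approximates the states reachable over a
                         short horizon under u_proposed, accounting for
                         worst-case disturbances
    is_safe           -- True if a reachable-set approximation avoids
                         all unsafe regions
    backup            -- a verified fallback controller
    """
    reachable = reach_over_approx(x, u_proposed)
    if is_safe(reachable):
        return u_proposed   # only intervene when absolutely necessary
    return backup(x)        # otherwise, override to maintain safety
```

The design choice here mirrors the philosophy in the talk: the filter passes proposed inputs through untouched unless the predicted evolution could leave the safe set.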
Suppose you have a quadrotor of some sort and it's trying to reach, say, some goal region, but somehow the learning-based controller didn't notice that there's a large unsafe region in the way. You want to design an RTA mechanism that only intervenes when it's absolutely necessary, but when it's necessary, it must intervene, right? And this is generally difficult for highly dynamic systems. For example, on this quadrotor down here, if you think of the inputs as rotor speeds, and you hearken back to your controls class, there are four integration steps between the control inputs and the horizontal position output. So in order to maintain safety, you have to make control action changes quite early, so that by the time the effect integrates four times, you maintain a safe horizontal position. That's the challenge with designing these RTA mechanisms in these kinds of complex, dynamic environments. So let me show some videos of what we've been doing here. For example, here's an application in aerial vehicle swarms. This is a simulation with 20 UAVs; I'll just let this play. Each of the 20 aerial vehicles is trying to drive to the opposite side of a circle, and the nominal controller, the learning-based controller, isn't aware that other vehicles are trying to do the same thing. So we design a safety mechanism that detects nearby vehicles and then adjusts the control action in real time. What's kind of interesting here is the emergent behavior you're going to see, where these agents do this strange swarming formation in a way that maintains safety throughout the execution. This isn't a hard-programmed maneuver that these agents are executing; it's something that emerges from the RTA mechanism we put on the system. So let this video just finish playing. Another kind of interesting phenomenon is that these vehicles all start on the same two-dimensional plane, but the safety mechanism is able to take advantage of the third dimension to swarm around and get to the other side of the circle without collision, right? You can see that they're each doing their own behavior, but they're doing it in a way where they take measurements of their neighbors and make sure they maintain safety, right? Another example where we've applied this idea, so let me just show some of this video, is human-UAV interaction. Here's Chris, my student. It's hard to see, but there's a string attached to this UAV, right? So he's got a quadrotor on a leash, and he's moving it around, and the quadrotor is able to infer where Chris is trying to get the UAV to go based on force measurements from Chris, and it's able to safely follow this desired trajectory from Chris, right? So those are the kinds of applications we're interested in. Let me just briefly touch on some of the math that's underneath what we're trying to do, the math at the heart of our techniques. If you think of the system we're trying to control as a dynamical system, you might write it as a differential equation like this.
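As a toy illustration of why the filter must act early, here is a sketch using a simple double integrator rather than the quadrotor's full four-integrator chain (none of this is the talk's actual algorithm): a vehicle approaching a wall needs stopping distance that grows with the square of its speed, so the latest safe moment to override comes well before the obstacle.

```python
def stopping_distance(v, a_max):
    # Distance a double integrator needs to brake from speed v to rest
    # under the input bound |u| <= a_max.
    return v * v / (2.0 * a_max)

def filtered_input(u_proposed, dist_to_wall, v, a_max, dt):
    # Override with full braking as soon as coasting one more step
    # could make stopping impossible; otherwise pass the input through.
    if dist_to_wall - v * dt <= stopping_distance(v, a_max):
        return -a_max
    return u_proposed

# Example: 4 m from the wall at 6 m/s with a 5 m/s^2 braking limit,
# the filter must already override (stopping distance is 3.6 m).
u = filtered_input(u_proposed=1.0, dist_to_wall=4.0, v=6.0, a_max=5.0, dt=0.1)
```

For a system with higher relative degree, like the quadrotor, the same logic applies but the required lead time is longer, which is exactly why the reachable set has to be projected further into the future.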
It's got some state variable, and the rate of change of the state is some nonlinear function of the state, as well as control inputs and maybe some disturbance inputs; something like $\dot{x} = f(x, u, w)$. And from our perspective, the real challenge in achieving safe autonomy is knowing where the system could possibly end up as it evolves, right? You don't want to slam on the brakes when it's too late to avoid an obstacle; you need to know far enough in advance that you're approaching the obstacle too quickly, and then put on the brakes. Right? Mathematically, we can formulate this as the problem of computing what we call the reachable set for the system. These are the states the system could end up in, say, 10 seconds into the future. And it's a set because, even if you know exactly where your vehicle or your system is right now, there are disturbances and things you don't know about the dynamics, and somehow you have to reason about all of these unknowns and compute this reachable set, right? Mathematically, this is a very difficult set to compute in general. So what we typically do is approximate this reachable set, and in particular we want to over-approximate it, to make sure we capture all of the possible scenarios we could encounter. Then we just need to check that this approximation doesn't intersect, say, obstacles in the environment, and if it looks like it might start to intersect an obstacle, we need to make some corrective action in the control loop, right? So our research aims to develop tools that allow us to leverage ideas from nonlinear control theory and embed these reachable set computations in the loop, in this runtime assurance mechanism we're aiming to design. And that's typically pretty hard. Computing these offline is already computationally expensive; trying to do them in the loop at some fast update rate is even more challenging. I just want to extremely briefly highlight the main theoretical, mathematical nugget that we leverage in our tools, and it's this concept of what we call mixed monotonicity. Let me really briefly try to give you some intuition for this concept using two examples. If you imagine two weights, say one at 110 feet and the other at 90 feet, and you drop both of these weights at the same time, their heights are of course going to decrease; they'll accelerate toward the ground. But they're going to maintain their ordering, right? The weight that started at the higher height is never going to fall below the lower weight. They're always going to keep this ordering over time, right? This property is known in dynamical systems theory as a monotonicity property: the trajectories will always stay ordered. And this monotonicity property makes it extremely convenient to compute reachable sets. You just need to compute two extreme trajectories, and then suddenly you know everything about the reachable set: my weight is somewhere between the trajectories of the weights dropped from 90 and 110 feet. Right. This is extremely convenient if your system has this property, but it's very rare; for typical systems you might encounter, say mechanical systems, this property usually doesn't hold.
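Here is a minimal sketch of how monotonicity turns reachability into just two simulations, using assumed dynamics (a falling weight with quadratic drag, which is a monotone system because neither state decreases the rate of the other). Every trajectory starting between the two extreme initial heights stays bracketed by the two extreme trajectories.

```python
import numpy as np

def falling_weight(state, g=32.2, k=0.002):
    # state = (height [ft], velocity [ft/s]); quadratic drag opposes motion.
    h, v = state
    return np.array([v, -g - k * v * abs(v)])

def simulate(h0, t_final=2.0, dt=0.001):
    # Explicit Euler integration from initial height h0, released at rest.
    state = np.array([h0, 0.0])
    for _ in range(int(t_final / dt)):
        state = state + dt * falling_weight(state)
    return state

lo, hi = simulate(90.0), simulate(110.0)
# Because the system is monotone, every weight dropped from a height in
# [90, 110] ft has a height in [lo[0], hi[0]] after t_final seconds.
print(f"height envelope after 2 s: [{lo[0]:.1f}, {hi[0]:.1f}] ft")
```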
So what we've done is develop a technique called mixed monotonicity that allows us to leverage monotone systems theory even in these contexts, right? To give a very simple example of a system that is not monotone, picture a swinging pendulum. Initialize it at two different angles and release: the pendulums are going to swing back and forth past each other, and they're not going to maintain their ordering like the weights did, right? But what we can do is a clever transformation where we embed the system into a monotone system, and that lets us get envelopes like the ones in this picture. This envelope contains all of the possible trajectories our system can have, and it largely lets us leverage these concepts from monotone systems theory even for complex systems that are not monotone. We've been working on this tool for a while now. We have a rich body of work that tells us how we can extend it to certain classes of systems and how we can reduce conservatism when we do this, and we've applied it to a diverse set of applications: spacecraft, satellites, teams of UAVs. It's really the tool at the heart of our approach to runtime assurance, because it lets us do these reachable set computations really fast in the control loop. So let me just show this video. This is the ASTROS platform that I mentioned, in Professor Tsiotras's lab. It's going to be driven by a human who's controlling it with a joystick, and the goal is to keep the z-axis orientation of this spacecraft within some safety cone. The way we do this is we put an RTA mechanism in the control loop, and, I'm going to start the video, it's going to be constantly computing the reachable set for the system. This is the reachable set shown in blue. It gets larger over time because there are disturbances involved, and the disturbances could take on a number of different instantiations, right? Every time you see this reachable set turn green, that means you're right on the cusp of possibly leaving the safe set, and this RTA mechanism takes over and makes sure the human can't accidentally drive this spacecraft out of this cone. And we do this at something like ten hertz. This is a seven-dimensional system, so we're computing reachable sets at a rate of about ten hertz in this particular example. So here's just another video, same platform, different angle, different control objective. We mounted a laser on top of ASTROS, and now the goal is to keep the laser out of this hula hoop, right? You can imagine the hula hoop is the sun, and you have a sensitive instrument you're trying not to point at the sun, so you want to make sure you maintain safety at all times. Let me just skip ahead a little bit. What you can see is that this RTA mechanism does a great job of making sure that if we get too close to the hoop, it takes just enough control action to keep us out of this unsafe region, right? And again, we're doing this in the control loop. There's a human driving this with a joystick, which is actually a pretty challenging task, and this RTA mechanism is projecting forward with these reachable sets and making sure we keep the system safe at all times. Good.
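To make the embedding idea concrete, here is a minimal sketch for the pendulum, with assumed parameters and a simple tight decomposition in the spirit of mixed monotonicity (this is not the lab's actual implementation). The embedding system propagates a lower corner and an upper corner of a state box, and the box brackets all pendulum trajectories starting inside it.

```python
import numpy as np

def sin_range(lo, hi):
    """Exact bounds on sin(s) over the interval [lo, hi]."""
    def hits(c):  # does [lo, hi] contain c + 2*pi*k for some integer k?
        return np.floor((hi - c) / (2*np.pi)) >= np.ceil((lo - c) / (2*np.pi))
    smin = -1.0 if hits(-np.pi / 2) else min(np.sin(lo), np.sin(hi))
    smax = 1.0 if hits(np.pi / 2) else max(np.sin(lo), np.sin(hi))
    return smin, smax

def embedding_step(box, dt, g=9.81, L=1.0, b=0.5):
    """Euler step of the monotone embedding of the damped pendulum
    (theta_dot = w, w_dot = -(g/L) sin(theta) - b w).
    box = (th_lo, w_lo, th_hi, w_hi) is a state interval."""
    th_lo, w_lo, th_hi, w_hi = box
    smin, smax = sin_range(th_lo, th_hi)
    # Tight decomposition: extremize the non-monotone sin term over the
    # angle interval, keeping each component's own state at its own corner.
    return (th_lo + dt * w_lo,
            w_lo + dt * (-(g / L) * smax - b * w_lo),
            th_hi + dt * w_hi,
            w_hi + dt * (-(g / L) * smin - b * w_hi))

# Envelope for all pendulums starting with angle in [0.4, 0.6] rad, at rest.
box = (0.4, 0.0, 0.6, 0.0)
for _ in range(2000):   # 2 seconds at dt = 1 ms
    box = embedding_step(box, 1e-3)
print(box)  # [th_lo, th_hi] x [w_lo, w_hi] brackets every such trajectory
```

The explicit Euler step is only for illustration; a guaranteed implementation would integrate the embedding system with validated numerics. But the key point survives: one simulation of a doubled-dimension monotone system yields the envelope, which is why this can run fast in the loop.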
Let me just talk a little bit about where we're going with this, right? A big question is: if you have a learning-based controller in the loop, presumably trying to learn something about its environment, can we embed learning in the runtime assurance mechanism as well? That's something we're currently thinking about and working on. The two philosophical points I want to highlight: whatever learning happens in the RTA should be distinct from the learning happening in the learning-based controller, since you're trying to protect that controller. So the learning in the RTA mechanism should be more conservative, more focused on safety, and you should be able to provide formal guarantees that you perhaps don't get from a learning-based controller. Safety is really the key responsibility of the RTA mechanism, so it needs to err on the side of conservatism, right? And again, we can leverage ideas from mixed monotone systems theory, and in this case Gaussian process theory. Let me just give a simulation example. Here, this multirotor is trying to learn how to reach a target altitude of 50 feet and come back to the ground safely without leaving the safe set of horizontal positions, but there's an unknown wind field. So if you just try to go to 50 feet and come back, your reachable set computation is too large, and the system could potentially go unsafe. What we propose is that this quadrotor should first go to lower altitudes, take wind measurements, and update its understanding of this unknown wind field, right? Then eventually, over time, the reachable set computation becomes small enough that we can guarantee safety (see the sketch below). And you can see that, because the quadrotor now has some knowledge of the wind field, it's able to orient itself into the wind and keep a better horizontal position, right? Of course, this is just simulation, but we're pretty sure we can do this in hardware. And in fact, these reachable set computations are so fast that even on complex systems with up to 10 state dimensions, we're pushing something like 100 hertz right now. So we can really put these in the control loop on embedded hardware and get this to work out pretty well. All right, I think I'm running out of time. There are a number of folks interested in this kind of work. NASA is supporting some of it. The Air Force and Navy are interested in how we can do this with humans in the loop. Ford is interested in how we can do this with robots interacting with, you know, common pedestrians on the street, for example. Even Cisco is interested in these RTA mechanisms: if they're running really clever networking algorithms, how can they make sure those algorithms don't drive the network into unsafe conditions? So I think there are lots of interesting ways to think about this problem. Here's my group. We recently played putt-putt golf, and it was excellent to get out and see them actually out in the real world and not on Zoom. If you want more information, you can check out my website, and also, again, the DCL, the Decision and Control Lab; we do a lot of this kind of controls work. Thanks. Yeah. Yeah.
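On the wind-field example above: the talk doesn't spell out the exact formulation, so here is only a Gaussian-process-regression sketch of the idea. Fit the wind measurements collected at low altitude, then use a high-confidence interval from the GP posterior as the disturbance bound fed into the reachable set computation; as measurements accumulate, the interval, and hence the reachable set, shrinks. All data and hyperparameters here are made up.

```python
import numpy as np
from sklearn.gaussian_process import GaussianProcessRegressor
from sklearn.gaussian_process.kernels import RBF, WhiteKernel

# Hypothetical wind measurements: altitude [ft] -> horizontal wind [m/s].
alts = np.array([[5.0], [10.0], [15.0], [20.0]])
winds = np.array([0.5, 1.1, 1.8, 2.2])

gp = GaussianProcessRegressor(kernel=RBF(length_scale=5.0) + WhiteKernel(0.05))
gp.fit(alts, winds)

# High-confidence disturbance interval at an altitude not yet visited.
# This interval is what a reachability computation would use as its wind
# bound; more measurements tighten it, shrinking the reachable set.
mu, sigma = gp.predict(np.array([[30.0]]), return_std=True)
w_lo, w_hi = mu[0] - 3 * sigma[0], mu[0] + 3 * sigma[0]
print(f"wind bound at 30 ft: [{w_lo:.2f}, {w_hi:.2f}] m/s")
```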
That's an excellent question. So we do have to make the assumption that they're all using the same kind of RTA mechanism, right? If you make that kind of assumption, you can guarantee that these types of problems don't happen. That's right. Yeah, this could happen. But again, our philosophy is that the RTA's responsibility is solely safety, and it will always be able to maintain safety, right? Maybe I can't guarantee you're going to get to the goal region you're trying to reach, but if we consider that a secondary concern and we're always maintaining safety, we consider it a success. That's sort of our philosophy here. Yeah. All right.