Model-Invariant Safety-Preserving Control

Mahdi Yousefi, Klaske van Heusden, Guy A. Dumont, Ian M. Mitchell and J. Mark Ansermino

Abstract— Employing viability techniques to preserve safety in safety-critical control applications has recently attracted much attention. The techniques rely on a conservative approximation of the viability kernel based on a state-space model of the system. However, in the case where the system's model is uncertain, the safety concern has yet to be addressed in the literature. In this work, we seek a single control action that preserves safety for a set-represented model uncertainty. We define the model-invariant viability kernel for a multi-model uncertainty description. Based on this kernel, we show that, under some assumptions, the control action taken based on any model in the model set is capable of preserving safety for the entire set. We propose a model-invariant safety-preserving control input which is the same for all models in the set. We evaluate and discuss the performance of the proposed scheme by applying it to the closed-loop control of anesthesia, in which safety is critical.

I. INTRODUCTION

Addressing the problem of constraint satisfaction for systems under closed-loop control is a major concern, especially in safety-critical applications. Such applications include control of anesthesia [1], aircraft envelope protection [2], and process control [3]. Constrained model predictive control (MPC) [4] is commonly employed in cases where control variables are constrained and bounded due to safety concerns. However, there is no guarantee that an MPC controller provides a feasible control input to keep the system's states within the constraint set (safe region). Safety-preserving control addresses the above-mentioned problem by guaranteeing the existence of a control input for a subset of the state space that can keep the states within the safe region.
The set of states for which there exists a safety-preserving control input is called the "viability kernel" [5]. Accordingly, the first step in this method is viability kernel approximation. Margellos et al. [6] employ set theory and propose a dynamic programming based algorithm to approximate the viability kernel based on recursive computation of reachable sets. Kaynama et al. [7] use ellipsoidal representations of sets and propose a more computationally efficient approach to under-approximate the viability kernel. Gao et al. [8] discuss the viability approximation in the presence of uncertainty. They discuss the case where the model includes stochastic disturbances based on an approximation of the discriminating kernel, which is the viability kernel in the presence of a stochastic disturbance.

Once the viability kernel is approximated, one needs to synthesize a control law to preserve safety. Kurzhanski et al. [9] address the control synthesis problem through set-valued techniques as well as dynamic programming methods. Lygeros et al. [10] introduce a framework to design controllers to satisfy reachability specifications. This work was the basis for Kaynama et al. [11] to propose a hybrid automaton by combining the safety-preserving control with an arbitrary controller (performance controller) satisfying the performance criteria.

Mahdi Yousefi, Klaske van Heusden and Guy A. Dumont are with the Department of Electrical and Computer Engineering, The University of British Columbia, Vancouver BC. {mahdiyou,klaskeh,guyd}@ece.ubc.ca. Ian M. Mitchell is with the Department of Computer Science, The University of British Columbia, Vancouver BC. mitchell@cs.ubc.ca. J. Mark Ansermino is with the Department of Anesthesiology, Pharmacology and Therapeutics, The University of British Columbia, Vancouver BC. anserminos@yahoo.ca.
In the scheme proposed in [11], the safety-preserving controller lets the performance controller achieve the desired performance as long as the states are sufficiently inside the safe region. As the states approach the boundaries of the viability kernel, the safety-preserving control adjusts the control input to prevent the states from going beyond the safe region.

Although a number of articles have been reported on different aspects of safety-preserving control, there is scant literature on the invariance of the control technique to model uncertainties. Girard [12] and Kaynama et al. [7] discuss the safety issue in uncertain linear systems. However, the type of uncertainty they consider is additive state uncertainty, not model uncertainty. Although model uncertainty can be represented as state uncertainty, the result might be very conservative and may not lead to satisfactory performance. Abate et al. [13] and Summers et al. [14] propose safety-preserving control approaches for hybrid stochastic systems. They define a control policy to be safety-preserving if it maximizes the probability that the trajectory starting from the stochastic viability kernel remains within a safe region. In this case the safety-preserving control policy is selected from a set of control policies specified by the stochastic hybrid model.

In this paper, we aim to reduce the conservatism in safety-preserving control due to model uncertainty by extending the framework to model-invariant safety-preserving control. The proposed solution is limited to a specific model structure commonly used in control in anesthesia. We define a control input to be "model-invariant safety preserving" if it is capable of keeping the states of a set of state-space models within the safe region. Initially, for a finite set of models, we define the "model-invariant viability kernel" as the intersection of the viability kernels of all models in the model set.
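As an added illustration (not code from the paper), the following Python computes grid-based viability kernels for two constructed scalar models x+ = a x + b u under box constraints on x and u, intersects them as in the definition above, and then checks numerically whether a single input keeps both models inside that intersection from every one of its states. The models, bounds and grid step are assumptions chosen for the illustration, as is the interval representation of each kernel.

```python
# Added example, not from the paper: grid-based viability kernels for constructed
# scalar models x+ = a*x + b*u with |x| <= x_max and |u| <= u_max, their
# intersection (the model-invariant viability kernel), and a check that one input
# keeps every model inside that intersection from each of its states.
TOL = 1e-9  # tolerance for floating-point boundary comparisons

def grid(x_max, step):
    """Symmetric grid of states covering [-x_max, x_max]."""
    n = int(round(2 * x_max / step))
    return [round(-x_max + i * step, 10) for i in range(n + 1)]

def viable_step(x, a, b, u_max, lo, hi):
    """True if some u in [-u_max, u_max] sends x into [lo, hi] under x+ = a*x + b*u."""
    # The successors of x form the interval [a*x - |b|*u_max, a*x + |b|*u_max];
    # x survives one more step iff that interval meets the current kernel hull.
    return a * x - abs(b) * u_max <= hi + TOL and a * x + abs(b) * u_max >= lo - TOL

def viability_kernel(a, b, x_max, u_max, step=0.05):
    """Iterate K_{k+1} = {x in K_k : exists u with a*x + b*u in K_k} until it stops
    shrinking; for this linear model K_k is an interval, represented by its hull."""
    kernel = grid(x_max, step)
    while True:
        lo, hi = kernel[0], kernel[-1]
        nxt = [x for x in kernel if viable_step(x, a, b, u_max, lo, hi)]
        if not nxt or len(nxt) == len(kernel):
            return nxt
        kernel = nxt

def model_invariant_kernel(models, x_max, u_max, step=0.05):
    """Intersection of the per-model kernels over the whole model set."""
    kernels = [set(viability_kernel(a, b, x_max, u_max, step)) for a, b in models]
    return sorted(set.intersection(*kernels))

def common_input_interval(x, models, u_max, lo, hi):
    """Interval of u keeping every model's successor of x in [lo, hi]; None if there is none (assumes b > 0)."""
    u_lo, u_hi = -u_max, u_max
    for a, b in models:
        # lo <= a*x + b*u <= hi  <=>  (lo - a*x)/b <= u <= (hi - a*x)/b
        u_lo = max(u_lo, (lo - a * x) / b)
        u_hi = min(u_hi, (hi - a * x) / b)
    return (u_lo, u_hi) if u_lo <= u_hi + TOL else None

def has_model_invariant_input(models, x_max, u_max, step=0.05):
    """True if from every state of the model-invariant kernel one u serves all models."""
    kernel = model_invariant_kernel(models, x_max, u_max, step)
    if not kernel:
        return False  # empty intersection: no state is safe for every model
    lo, hi = kernel[0], kernel[-1]
    return all(common_input_interval(x, models, u_max, lo, hi) is not None for x in kernel)

# Constructed model set: two unstable scalar plants that share the input gain b.
MODELS = [(1.1, 1.0), (1.2, 1.0)]
```

With |x| <= 1 and |u| <= 0.1, the milder plant (a = 1.1) keeps the whole box viable while the faster one (a = 1.2) shrinks its kernel to [-0.5, 0.5], so the model-invariant kernel is [-0.5, 0.5] and a common input exists at every grid point of it.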
Subsequently, under certain assumptions, we prove that the safety preserving control input generated based on any model in the model set maintains the states of all models inside the safe region. We show that there exists a single control action