Dual Control System for Virtual Protection of a Remote UAV Experiment

The topic of this paper is the use of a dual control system strategy for preventing damage to laboratory equipment used in a remote laboratory. One control system is implemented before the laboratory is deployed; it is responsible for damage control and can override the second control system, which is programmed by the user of the remote laboratory and is fully configurable. The laboratory is used for verification of control algorithms for quad rotor helicopters through practical experiments. The damage control strategy should not limit or impede the natural movement of the equipment as long as the behaviour is kept within predefined limits. The nature of the system to be controlled excludes the use of physical constraints that are normally used for damage control, as these will in one way or another impede or limit the movement of the helicopter.

with Matlab, Das et al. [2] with Visual Basic, Pradarelli et al. [3], and Ferreira and Muller [4] using home-developed systems. This type of laboratory has gained a high degree of popularity, especially in engineering education where the demand and desire for laboratory activities is high, but also possibly due to the fact that educators in engineering education are very well capable of designing and building at least parts of the equipment necessary to assemble a remote laboratory.
Universities around the world are attracted by the possibilities offered by remote laboratories, as opposed to the traditional, physical, hands-on laboratories. Remote laboratories represent first and foremost a convenience for the students and the university: for the students, as this makes the laboratory available to them 24/7 and from the location of their choice, as long as they have an internet connection and some type of computer. For the universities, remote laboratories also offer cost savings compared to the traditional laboratories, in that they reduce the expenses related to staff needed for maintenance, tutoring and guidance, but also in that the wear and tear of the equipment is largely reduced as the students get their hands off the equipment.
The popularity of remote laboratories comes in spite of the disadvantages for the students in running remote laboratories instead of the physical, hands-on laboratory exercises. The disadvantages stem from the fact that the tutor will not be available in the remote laboratory; nor will the tutor be available 24/7, as is the case with the remote laboratory. This means that the quality of the tutoring will in some way be affected by the introduction of the remote laboratory. In some cases the remote laboratory is used as a substitute for the physical laboratory, while in other cases this is used as an addition to the traditional exercises as reported in [5] and [6], where the laboratory is integrated in the exercise program together with physical, hands-on laboratory, normal problem solving, as well as simulations. This is done in order to improve the quality of the exercise program as a whole, and to remove some of the disadvantages of running the laboratory program purely on remote laboratory platforms.

A. Damage control
Damage to and wear and tear on laboratory equipment is a common experience for universities, as the students embark on the tasks to develop practical skills and create a link between theory and practice. The students have to learn how to handle laboratory equipment, equipment that can be delicate, breakable and even dangerous. In a classical hands-on laboratory setting, the staff will constantly monitor the students and do what they can to reduce risk of damage to laboratory equipment, by instructing the students of what they are allowed to do and what they should avoid, and then observe and intervene as necessary.
In a remote laboratory, there is no staff present to instruct the students and, more importantly, to continuously observe and intervene. One aim for a remote laboratory is to be available 24/7 in order for as many students as possible to do the laboratory exercise within a limited time, and to allow them to work at the time of their own choosing. A well-known fact is that at least some students prefer to work at different times of the day or night compared to staff, or at least the standard work hours for staff. In the context of failure, this has the implication that if the equipment of the laboratory fails due to damage caused by the failing of an experiment or misuse by the user, all students that have scheduled time or desired to run the lab after the damage has occurred will have to wait until the laboratory is fixed by the staff. At the authors' university, the cost of having staff monitoring the equipment in the evenings, at weekends and even occasionally during the day is too high to even consider this type of service.

II. PROTECTION METHODS
In order for a remote laboratory to function without damage or failures for extended periods of time, one of the requirements is that it must be impossible, by use of the web interface, to inflict damage on the equipment, whether deliberately or by bad luck.

A. Traditional protection of laboratory equipment
In a general remote laboratory setup, protection against damage can be achieved in a number of ways. For simple electronic circuits a possible way of doing this is to have limited configurability of the circuit design so that it is impossible to configure the laboratory into states where damage will occur. Such states can be calculated before the laboratory is set up by identifying maximum and possibly minimum levels for voltages, currents and power for each component. Now each of these states can be programmed in the remote laboratory supervision system as not allowed configurations, and it is not possible to cause damage to the equipment through the web interface. This is in the authors' opinion the preferred option whenever possible for all remote laboratories.
For some types of laboratory setup the analytic identification of potentially damaging states either cannot be done, or is dependent on a number of uncertain factors that are simply unknown or cannot be calculated before the laboratory is actually run. For these laboratories a selected solution is to install a supervising or monitoring system that constantly monitors all critical values, like the temperature of components that are subject to high power, or the current into components with limited current capabilities, which can be damaged by over-currents without actually being overheated. Other components may have limited voltage tolerances, and should be protected against damage caused by too high voltage. Compound circuits can have multiple simultaneous limiting factors that define certain areas as "safe zones". If the behaviour of the circuit causes the states of the circuit to move beyond these limits, the circuit's protection system can be activated.
When a state which might cause damage to the equipment has been identified, active measures must be taken to avoid damage, and in these cases this means that the system must be brought to a state where damage cannot occur. For many laboratory installations this is very simple: turn off the power supply and the system will immediately be brought to a resting state where components will cool down, and currents and voltages will be zeroed out within a short time. For some types of laboratories, certain elements will have energy storage capabilities, and the energy stored in components such as capacitors, inductors, or objects in movement must be safely zeroed out in order not to cause damage to neighbouring components. This is most often possible to do by installing extra circuitry around those components, or alternatively mechanical brakes to give a controlled speed reduction of moving parts.

B. Challenges in protecting the UAV laboratory
The laboratory experiment with the four-rotor helicopter shown in figure 1, presented in [7], is used as a basis for the development of protection measures against damage to unsupervised laboratory equipment. The proposed laboratory setup has no simple protection methods. In this remote laboratory the purpose is to have an option of verifying high performance, multivariable control algorithms for UAVs (unmanned aerial vehicles), which the students develop during a module in multivariable control theory. The reasoning behind the desire to develop a physical test bench for the UAV is that the models used for development of the controllers more or less will be the same as the models used for verification of the performance of the controllers developed. As described in more detail in subsection C later, an error in the model can cause a malfunction in the control algorithms to pass the performance check undetected, hence there is a need for a physical verification of the performance.
Figure 1. The quad rotor helicopter used in the remote laboratory setup
The problem now arises: If the control algorithm fails in some way, e.g. becoming unstable during certain states or failing to react fast enough, the quad-rotor helicopter will suffer damage due to a potentially hard landing, crashing into obstacles, walls, etc. The protection method described here is created to protect such a system from damage.
For this setup none of the methods described in subsection A for protecting the remote laboratory will be capable of protecting the system from damage: The simple strategy of turning off the power to the motors will result in the UAV crashing to the ground from an arbitrary altitude. The potential energy stored in the UAV as it gains altitude cannot be released into any simple braking system without significantly altering the light weight, free flying properties of the UAV.
This means that the protection of the UAV from damage when this is used as a testing platform for verification of control algorithms is far more complicated than the protection of the traditional laboratory. The risk of students making errors when programming the UAV is considered to be high and a result of this is that protection always must be present in the system.
In order to describe the difficulty in distinguishing situations that have the potential of damage to the equipment from those that do not have this potential, two scenarios are presented that have similar characteristics, but where the reality of the situation is completely different. In the first scenario destruction is imminent because the control algorithm has failed completely due to instability of the control system. The UAV is oriented upside-down half a meter above the ground, and all four engines have full throttle upward, relative to the UAV's orientation, or downward relative to the room the laboratory resides in. Clearly, in this state there is a high risk of damage within the next fractions of a second.
In the second scenario the UAV is also turned upside-down, full throttle on all four engines, but now 3 meters above the ground, and the control system is well-functioning and in the process of rapidly changing the position of the UAV to a lower altitude and a different position. While this state also has a potential for damage, a well-designed control system has no problem turning the UAV and stabilising the aircraft in the final position.
SPECIAL FOCUS PAPER DUAL CONTROL SYSTEM FOR VIRTUAL PROTECTION OF A REMOTE UAV EXPERIMENT
There are two main points that can be deduced from these two examples. First, it is not possible to identify damaging situations based on the simple schemes described in the previous subsection. Second, none of the methods described in the previous subsection for bringing the system out of the possibly damaging states is going to prevent damage in the scenarios presented. Turning off power will cause the UAV to crash uncontrolled into the ground, and there are no simple rules to follow to avoid possible damaging states.

C. Why not use simulations?
The typical phases of a controller design involve modelling of the system to be controlled before the synthesis of the controller is performed [8]. When the controller has been created, it is run through a number of simulations as an initial verification of stability and performance. Final verification is always done on a real system. There are a number of reasons for this, the most important being the models used, as introduced in subsection B.
Creating models for processes in general involves understanding the purpose of the modelling: Is the model used for simulation of the process or for synthesising the controller? Complex models will take a longer time to run in a simulator, and are far more difficult to create, but give more accurate results, that is, results that are closer to the reality for which the model is designed. When the model is used for synthesis of the controller, more complex models might lead to controllers of very high order or even controllers that are impossible to synthesise.
In practice, for controller design a model is used which gives a controller with as low order as possible, but at the same time is capable of fulfilling the requirements for stability and performance. For the simulation, the most accurate and complex models available are normally used.
If very accurate models are used in the simulation, some may argue that the physical laboratory can be discarded. This is in the authors' opinion not correct, and the argument for this is that the same base model will be used for the controller design as well as the simulation. In other words, the simulation can only confirm if the controller is capable of fulfilling the stability and performance requirements when subjected to the model for which it was designed. The validity of this result depends on the degree to which the base model mimics the real physical system accurately. This means that a simulation cannot be used in the final verification of the stability and performance of the control system.

III. TWOFOLD PROTECTION STRATEGY
The focus of the solution presented in this paper is to overcome the challenge of protecting advanced laboratory equipment, without impeding or limiting the movement of the helicopter.
In order to avoid the scenarios when damage will occur for this type of remote laboratory the authors suggest a twofold strategy. First, the system is analysed and a vector field [9] is drawn to identify any dynamic state from where it is not possible to avoid collision with other objects. This is explained in more detail in the next sections. Second, the UAV is equipped with two control systems, as shown in figure 4. The user supplied control system is configured by the students and is normally in control of the UAV, by setting the selector to forward control signals from the first control block to the actuators of the UAV. The supervising system is designed by the staff, and contains a high-performance control system for the aircraft, as well as a monitoring system. The monitoring system will continuously monitor the movement of the aircraft, and if a dynamic state is identified as threatening to the UAV, this control system will take over the control of the UAV by changing the state of the selector, and bring the UAV to a safe landing. A report is then sent to the remote laboratory supervision system to inform the user that the control algorithm undergoing the test has failed.

A. Vector field analysis
Due to the naturally unstable configuration of the quad-rotor helicopter, the movement of the UAV will be highly non-linear, and standard methods for analysing Linear Time Invariant (LTI) systems fail to capture the behaviour correctly. The standard open- or closed-loop analysis used for LTI systems is therefore not usable for any analysis of this type of system.
For nonlinear systems of order 2 or more, vector fields can be used to analyse the behaviour of the system's states. An example of a vector field is shown in figure 2 for the movement of a pendulum without friction. States in this context will be position or orientation and their derivatives. These states will then constitute the dimensions or axes of the vector field.
A number of arrows can be seen in figure 2. These arrows have a starting point based on the position and velocity of the pendulum, and the length and direction of the arrow indicate what the position and velocity of the pendulum will be after a given time has passed. In the proposed method for damage control, patterns are retrieved from the vector field that describes the natural movement of the pendulum. In figure 2, x1 denotes position as the angle of the pendulum rod, and x2 denotes the angular speed of the rod.
In general, the behaviour of the system represented by the set of differential scalar equations can be represented in a state plane with a vector field by using . A vector on this state plane is then used to describe the transition from x(0) to x(t), which is called a trajectory. A set of trajectories is now referred to as a phase portrait. This is normally done by numerical simulations using computer software, or by the isocline method.
In figure 2 it can be seen that the pendulum will have a repetitive movement, shown as the black circle in the figure. This is true as long as the angular speed and position are kept within certain limits. Describing these limits without the vector field is however quite difficult. Using the vector field on the other hand gives a clear description of when the pendulum gains high enough speed to swing over the top, and make more than one revolution.
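The limits described above can be recovered numerically by following trajectories through the pendulum's vector field. The sketch below is an added example, not code from the paper; the value of `G_OVER_L`, the integration step and all function names are assumptions chosen for illustration.

```python
import math

G_OVER_L = 9.81   # g/l for an assumed 1 m rod (constructed value), 1/s^2

def field(x1, x2):
    """Frictionless pendulum: x1 = rod angle from hanging, x2 = angular speed."""
    return x2, -G_OVER_L * math.sin(x1)

def rk4_step(x1, x2, dt):
    """Advance the state along the vector field by dt (classical Runge-Kutta)."""
    a = field(x1, x2)
    b = field(x1 + 0.5 * dt * a[0], x2 + 0.5 * dt * a[1])
    c = field(x1 + 0.5 * dt * b[0], x2 + 0.5 * dt * b[1])
    d = field(x1 + dt * c[0], x2 + dt * c[1])
    return (x1 + dt * (a[0] + 2 * b[0] + 2 * c[0] + d[0]) / 6,
            x2 + dt * (a[1] + 2 * b[1] + 2 * c[1] + d[1]) / 6)

def arrow(x1, x2, horizon=0.1, dt=0.002):
    """One arrow of the portrait: start state and the state after `horizon`."""
    y1, y2 = x1, x2
    for _ in range(round(horizon / dt)):
        y1, y2 = rk4_step(y1, y2, dt)
    return (x1, x2), (y1, y2)

def swings_over_top(x1, x2, t_end=10.0, dt=0.002):
    """Follow the trajectory; True once the rod passes the upright position."""
    for _ in range(round(t_end / dt)):
        x1, x2 = rk4_step(x1, x2, dt)
        if abs(x1) > math.pi:
            return True
    return False

def speed_limit(x1, hi=10.0, tol=1e-3):
    """Bisect for the largest angular speed at angle x1 that keeps a closed orbit."""
    lo = 0.0
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if swings_over_top(x1, mid):
            hi = mid
        else:
            lo = mid
    return lo

if __name__ == "__main__":
    for angle in (0.0, math.pi / 2):
        limit = speed_limit(angle)
        print(f"x1={angle:.2f} rad: repetitive movement below x2={limit:.2f} rad/s")
```
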
Another example is the vector field on a sphere, as shown in figure 3. Here the arrows can be used to represent wind on a ball-shaped object, like the earth. In this example an arrow represents wind direction and speed, and is used for visualising wind in a more meaningful way.
Similar to these descriptions, in the proposed method the vector field is being used to describe the behaviour of a process, or in this case a system consisting of a process and a controller. The controller will now be the well-designed controller that is capable of landing the aircraft safely, and is therefore known. The complete system consisting of the UAV and the controller is described in a state space description. The movement of the quad-rotor helicopter, based on speed, position and orientation will then be visualised in the phase portrait. A complicating factor is of course the force exerted by the motors, but this can be incorporated in the vector field analysis as well, by performing the analysis with a number of different speeds on the motors.
In order to identify the safe and non-safe areas, an analysis similar to the simple analysis of the pendulum in figure 2 is performed. The phase portrait is drawn for the UAV with controller from the supervisor system, and the safety zones are established based on this. It is important that the analysis is based on the correct controller, as this will be used to bring the UAV out of a potentially dangerous situation. This also means that the calculation of the safe zones will be done only once for the remote laboratory, as long as the built-in controller stays the same. Within the safe zones the controller will be able to gain control over the aircraft, while outside the safe zones, the control system will not manage to prevent contact with the surrounding objects, and there will be a high risk of damage to the aircraft.
A safety margin is placed around these safe zones, and if the monitoring system detects that the UAV enters this safety margin, control is removed from the failing control system, and the UAV can be brought safely to the ground. The vectors of the vector field demonstrated in figures 2 and 3 are now used to identify a potentially uncontrollable situation. A potentially uncontrollable situation is defined as a situation where the built-in controller is not capable of avoiding a collision, and has to be tested for on-line by the supervisor system. In order for the calculations to be manageable within a reasonable processing time, some of the parameters, i.e. rotor speed and rotation of the UAV around one of its axes, are excluded from the test algorithm, and rather assembled as lumped buffer zones. This can be done as the time constant of these are assumed to be less than the time constant of the linear movement of the UAV.
The supervision system will now constantly calculate the movement vector of the UAV, based on the direction of flight, motor speed, and rotation. The length of this vector is chosen based on how long it takes for the supervisor system to take over control of the motors, bring the motors to the speed reference, and rotate the UAV to the desired orientation. If this vector touches any of the buffer zones calculated previously, then control is switched from the user supplied controller to the supervisor system, as explained in figure 4.
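The on-line test described above can be sketched for a single axis (altitude) as follows. This is an added example, not the authors' implementation: the recovery acceleration, takeover time, margin, the two sample states, the latching of the selector and all names are assumptions, and rotor speed and rotation are folded into `MARGIN` as the lumped buffer zone.

```python
# Constructed altitude-only model; every number below is an assumption.
A_REC = 8.0        # net upward acceleration of the built-in controller, m/s^2
T_TAKEOVER = 0.15  # time to flip the selector, spin up motors, re-orient, s
MARGIN = 0.30      # lumped buffer zone (rotor speed, rotation), m
DT, VZ_STEP = 0.001, 0.5

def altitude_lost(vz):
    """Follow the built-in controller's recovery trajectory until descent stops."""
    z, v = 0.0, vz
    while v < 0.0:
        z += v * DT          # position first: slightly overestimates the loss
        v += A_REC * DT
    return -z

# Offline, once per built-in controller: boundary of the safe zone plus margin.
VZ_GRID = [-VZ_STEP * i for i in range(21)]            # 0 .. -10 m/s
BOUNDARY = [altitude_lost(v) + MARGIN for v in VZ_GRID]

def required_altitude(vz):
    """Lowest altitude outside the buffer zone for vertical speed vz."""
    if vz >= 0.0:
        return MARGIN
    if vz <= VZ_GRID[-1]:
        return float("inf")              # outside the analysed region: unsafe
    i = int(-vz / VZ_STEP)
    frac = (-vz - VZ_STEP * i) / VZ_STEP
    return BOUNDARY[i] + frac * (BOUNDARY[i + 1] - BOUNDARY[i])

def movement_vector(z, vz, az, n=10):
    """States along the look-ahead vector; az is the vertical acceleration
    implied by the current motor speed and orientation."""
    pts = []
    for k in range(n + 1):
        t = T_TAKEOVER * k / n
        pts.append((z + vz * t + 0.5 * az * t * t, vz + az * t))
    return pts

def vector_touches_buffer(z, vz, az):
    """True if any state along the movement vector lies in the buffer zone."""
    return any(zp <= required_altitude(vp)
               for zp, vp in movement_vector(z, vz, az))

class Selector:
    """Forwards the user's or the supervisor's commands to the actuators."""
    def __init__(self):
        self.source, self.report = "user", None

    def update(self, z, vz, az):
        if self.source == "user" and vector_touches_buffer(z, vz, az):
            self.source = "supervisor"   # latched: control is not handed back
            self.report = f"user controller failed at z={z:.2f} m, vz={vz:.2f} m/s"
        return self.source

# Constructed states: inverted, full throttle towards the floor, 1 m/s descent.
LOW = (0.5, -1.0, -20.0)    # half a metre above the ground
HIGH = (3.0, -1.0, -20.0)   # three metres above the ground

if __name__ == "__main__":
    sel = Selector()
    for name, state in (("high", HIGH), ("low", LOW)):
        print(name, sel.update(*state), sel.report)
```

With these constructed numbers the low state still lies inside the safe zone at the instant of measurement; it is the movement vector that reaches the buffer zone, which is why the test uses the look-ahead rather than the current state alone.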
It can be argued that a control system superior in performance when compared to the control system in the supervision system might be hindered in showing its performance as the supervision system falsely will detect situations where the user provided control system might have failed, simply because the superior control system can move beyond the limits of the safe zones. This is however regarded as a minor problem, as this only will have effect when the UAV is close to some objects. The superior performance can easily be tested and demonstrated far from the dangerous objects, where the supervision system is far from taking over control.

IV. CONCLUSIONS AND FURTHER WORK
A physical laboratory setup where the students can test UAV control algorithms is required as no simulation models will offer the same realism. The authors' university has a desire to offer as flexible a learning situation for its students as possible. In order to give students in modules that deal with multi-input control algorithms the option to use laboratories other than simple tank systems, an effort has been made to make the UAV laboratory available remotely.
The principle of using the vector field method to establish safe zones for the UAV to operate, combined with the supervision system allows the user to download any control algorithm to the aircraft without risking damage to the equipment, as the system will take over control as long as the aircraft does not move beyond the safe zones established by the phase portrait.
It remains to set up the models for the aircraft, and to create the phase portraits of the model for identification of the safe zones, and the margins around these.
The system, when completed, will make the development of control systems for UAV much easier, and with much lower cost of maintenance of the laboratory equipment.