Quantitative Resilience of Generalized Integrators

When failure is not an option, systems are designed to be resistant to various malfunctions, such as a loss of control authority over actuators. This malfunction consists in some actuators producing uncontrolled and, thus, possibly undesirable inputs with their full actuation range. After such a malfunction, a system is deemed resilient if its target is still reachable despite these undesirable inputs. However, the malfunctioning system might be significantly slower to reach its target compared to its initial capabilities. To quantify this loss of performance, we introduce the notion of quantitative resilience as the maximal ratio over all targets of the minimal reach times for the initial and malfunctioning systems. Since quantitative resilience is then defined as four nested nonlinear optimization problems, we establish an efficient computation method for control systems with multiple integrators and nonsymmetric input sets. Relying on control theory and on two specific geometric results, we reduce the computation of quantitative resilience to a linear optimization problem. We illustrate our method on an octocopter.

Index terms: reachability, quantitative resilience, linear systems, optimization.

Notice of previous publication: This manuscript is a substantially extended version of [1], where we remove the assumption of symmetry on the input sets, leading to more general and more complex results, e.g., Theorems 1 and 2. This paper also provides several proofs omitted from [1] and tackles systems with multiple integrators. Entirely novel material includes Sections VII and VIII, Appendices A and B, and parts of all other sections.

I Introduction
When failure is not an option, critical systems are built with sufficient actuator redundancy [2] and with fault-tolerant controllers [3]. These systems rely on different methods like adaptive control [4,5] or active disturbance rejection [6] in order to compensate for actuator failures. The study of this type of malfunction typically considers either actuators locking in place [4], actuators losing effectiveness but remaining controllable [3,5], or a combination of both [6]. However, when actuators are subject to damage or hostile takeover, the malfunction may result in the actuators producing undesirable inputs over which the controller has real-time readings but no control. This type of malfunction has been discussed in [7] under the name of loss of control authority over actuators and encompasses scenarios where actuators and sensors are under attack [8].
In the setting of loss of control authority, the undesirable inputs are observable and can have a magnitude similar to that of the controlled inputs, while in classical robust control the undesirable inputs are not observable and have a small magnitude compared to the actuators' inputs [9,10]. The results of [11] showed that a controller having access to the undesirable inputs is considerably more effective than a robust controller.
After a partial loss of control authority over actuators, a target is said to be resiliently reachable if for any undesirable inputs produced by the malfunctioning actuators there exists a control driving the state to the target [7]. However, after the loss of control the malfunctioning system might need considerably more time to reach its target compared to the initial system. Previous work [1] introduced the concept of quantitative resilience for control systems in order to measure the delays caused by the loss of control authority over actuators. While concepts of quantitative resilience have been previously developed for water infrastructure systems [12] or for nuclear power plants [13], such concepts only work for their specific application.
In this work we formulate quantitative resilience as the maximal ratio of the minimal times required to reach any target for the initial and malfunctioning systems. This formulation leads to a nonlinear minimax optimization problem with an infinite number of equality constraints. Because of the complexity of this problem, a straightforward attempt at a solution is not feasible. While for linear minimax problems with a finite number of constraints the optimum is reached on the boundary of the constraint set [14], such a general result does not hold in the setting of semi-infinite programming [15], to which our problem belongs. However, the fruitful application of the theorems of [16,17] stating the existence of time-optimal controls, combined with the optimization results derived in [18], reduces the quantitative resilience of systems with multiple integrators to a linear optimization problem.
As a first step toward the study of quantitative resilience for linear systems, our previous work [1] was restricted to driftless linear systems with symmetric input sets. Building on these earlier results we now extend the theory to linear systems with multiple integrators and general input sets. With these extensions we are able to tackle feedback linearized systems [19].
The contributions of this paper are threefold. First, we extend the notion of quantitative resilience from [1] to systems with multiple integrators and nonsymmetric inputs. Secondly, we provide an efficient method to compute the quantitative resilience of linear systems with integrators by simplifying a nonlinear problem of four nested optimizations into a linear optimization problem. Finally, based on quantitative resilience and controllability we establish necessary and sufficient conditions to verify whether a system is resilient.
The remainder of the paper is organized as follows. Section II introduces preliminary results concerning resilient systems and quantitative resilience. To evaluate this metric we need the minimal time for the system to reach a target before and after the loss of control authority. We calculate this minimal time for the initial system in Section III and for the malfunctioning system in Section IV. Section V is the pinnacle of this work, as we design an efficient method to compute quantitative resilience. This metric also allows one to assess whether a system is resilient or not, as detailed in Section VI. The quantitative resilience of systems with multiple integrators is studied in Section VII. In Section VIII our theory is illustrated on a linear trajectory controller for a low-thrust spacecraft and on an unmanned octocopter. The continuity of a minimum function is proved in Appendix A. We compute the dynamics of the low-thrust spacecraft in Appendix B.

Notation: For a set X we denote its boundary ∂X, its interior X° := X \ ∂X and its convex hull co(X). The set of integers between a and b is [[a, b]], while N denotes the set of all positive integers. The factorial of k ∈ N is denoted k!. Let R + := [0, ∞); we use the subscript * to exclude zero, for instance R + * := (0, ∞). We denote the Euclidean norm by ‖·‖ and the unit sphere by S := {x ∈ R n : ‖x‖ = 1}. The infinity-norm of a vector

II Preliminaries and Problem Statement
We are interested in generalized k-th order integrators in R n , i.e., m+p) is constant. Let ūmin ∈ R m+p and ūmax ∈ R m+p be the bounds on the inputs, so that the set of allowable controls is After a malfunction, the system loses control authority over p of its m + p initial actuators. Because of the malfunction, the initial control input ū is split into the remaining controlled inputs u and the undesirable inputs w. Similarly, we split the control bounds ūmin and ūmax into u min ∈ R m , u max ∈ R m and w min ∈ R p , w max ∈ R p . Without loss of generality we always consider the columns C representing the malfunctioning actuators to be at the end of B. We split the control matrix accordingly: B = B C . Then, the initial conditions are the same as in (1) but the dynamics become We will use the concept of controllability of [16].
Definition 1: A system following dynamics (1) is controllable if for every target x goal ∈ R n there exist a control ū ∈ Ū and a time T such that x(T ) = x goal .
We recall here the definition of the resilience of a system introduced in [11].
Definition 2: A system following dynamics (1) is resilient to the loss of p of its actuators corresponding to the matrix C as above if for all undesirable inputs w ∈ W and every target x goal ∈ R n there exist a control u ∈ U and a time T such that the state of the system (3) reaches the target at time T , i.e., x(T ) = x goal .
Previous efforts [7,11] assumed that the L 2 -norm of the inputs is constrained. In this work, we instead consider L ∞ bounds because of their broad use in applications. Therefore, most of the resilience conditions of [7,11] do not directly apply here. We will establish a simple necessary condition for this new setting.
Proposition 1: If the system (1) is resilient to the loss of p actuators, then the system x (k) (t) = Bu(t) is controllable.
Proof. Let y ∈ R n , x goal := y + x 0 ∈ R n and w ∈ W such that w(t) = 0 for all t ≥ 0. Since the system is resilient, there exist u ∈ U and t 1 ≥ 0 such that x goal = x(t 1 ). Since x (l) (0) = 0 for l ∈ [[1, k − 1]] and B is constant we can write

While a resilient system is capable of reaching any target after losing control authority over p of its actuators, the time for the malfunctioning system to reach a target might be considerably larger than the time needed for the initial system to reach the same target. We introduce these two times for the target x goal ∈ R n and the target distance d := x goal − x 0 ∈ R n .

Definition 3:
The nominal reach time of order k, denoted by T * k,N , is the shortest time required for the state x of (1) to reach the target x goal under an admissible control ū ∈ Ū :

Definition 4: The malfunctioning reach time of order k, denoted by T * k,M , is the shortest time required for the state x of (3) to reach the target x goal under an admissible control u ∈ U when the undesirable input w ∈ W is chosen to make that time the longest:

By definition, if the system is controllable, then T * k,N (d) is finite for all d ∈ R n , and if it is resilient, then T * k,M (d) is finite. In light of (6) and (7), T * k,N and T * k,M would also depend on the initial conditions x (l) (0) if they were nonzero for l ∈ [[1, k − 1]]. This would cause the unnecessary complications discussed in Remark 2.

Definition 5:
The ratio of reach times of order k in the direction d ∈ R n is .
After the loss of control, the malfunctioning system (3) can take up to t k (d) times longer than the initial system (1) to reach the target d + x 0 . Since the performance is degraded by the undesirable inputs, t k (d) ≥ 1. We take the convention that t k (d) = +∞ whenever = 0 can only happen when d = 0, because x(0) = x 0 = x goal . To make this case coherent with (8) and subsequent definitions we choose In order to quantify the resilience of a system, we introduce the following metric.
Definition 6: The quantitative resilience of order k of system (3) is .
For a resilient system, r k,q ∈ (0, 1]. The closer r k,q is to 1, the smaller the loss of performance caused by the malfunction. Quantitative resilience depends on the matrices B and C, i.e., on which actuators are producing undesirable inputs.
Computing r k,q naively requires solving four nested optimization problems over continuous constraint sets, three of them being infinite-dimensional function spaces. A brute-force approach to this problem is doomed to fail.
Problem 1: Establish an efficient method to compute r k,q .
We will explore thoroughly the simple case k = 1 in the following sections and generalize its results to the case k ∈ N in Section VII. For k = 1, the systems (1) and (3) simplify into the following linear driftless systems ẋ(t) = B ū(t), with ū ∈ Ū and x(0 For k = 1 we are also able to write the nominal reach time T * N as and the malfunctioning reach time T * M as The ratio of reach times in the direction d ∈ R n becomes t(d) := T * M (d)/T * N (d). The quantitative resilience r q of a system following (11) is then Then, for all d ∈ R n and r 1,q = r q .

We now discuss the information setting in the malfunctioning system. The resilience framework of [7,11] assumes that u has access only to the past and current values of w, but not to their future. Then, the optimal control u * in (13) cannot anticipate a truly random undesirable input w. Hence, this strategy is not likely to result in the global time-optimal trajectory of Definition 4.
In fact, there would be no single obvious choice for u * t, w(t) , rendering T * M ill-defined and certainly not time-optimal, whereas T * N is time-optimal. In this case, our concept of quantitative resilience becomes meaningless. The work [20] states that to calculate u * without future knowledge of w * the only technique is to solve the intractable Isaacs equation. Thus, the paper [20] derives only suboptimal solutions and concludes that its practical contribution is minimal.
Instead, we follow [21], where the inputs u * and w * are both chosen to make the transfer from x 0 to x goal time-optimal in the sense of Definition 4. The controller knows that w * will be chosen to make T * M the longest. Thus, u * is chosen to react optimally to this worst undesirable input. Then, w * is chosen, and to make T * M the longest, it is the same as the controller had predicted. Hence, from an outside perspective it looks as if the controller knew w * in advance, as reflected by (7).
We will prove in the following sections that with this information setting w * is constant. Then, the controller can more easily and more reasonably predict the worst w * and build the adequate u * . With these two input signals, T * M is time-optimal in the sense of Definition 4 and can be meaningfully compared with T * N to define the quantitative resilience of control systems.

III Dynamics of the Initial System
We start with the initial system of dynamics (10) and aim to calculate the nominal reach time T * N . We introduce the constant input set Ūc :

Proposition 2: For a controllable system (10) and d = x goal − x 0 ∈ R n , the infimum T * N (d) of (12) is achieved with a constant control input ū * ∈ Ūc .
Proof. Dynamics (10) are linear in x and ū. The set Ū defined in (2) is convex and compact. The system is controllable, so x goal is reachable. The assumptions of Theorem 4.3 of [16] are satisfied, leading to the existence of a time-optimal control û ∈ Ū . Thus, the infimum in (12) is a minimum and then according to Remark 1, T * N = 0 and we take ū * = 0 so that B ū * T * N = d. Otherwise, T * N > 0, so we can define the constant vector ū * := 1 Thus, ū * ∈ Ūc . Additionally,

Following Proposition 2, the nominal reach time simplifies to The multiplication of the variables ūc and T prevents the use of linear solvers. Instead, we can numerically solve The work [1] showed that T * N is absolutely homogeneous when the input set Ū is symmetric. However, in this work the allowable controls (2) are not symmetric, and thus T * N loses its absolute homogeneity but retains a nonnegative homogeneity.
We can now tackle the dynamics of the malfunctioning system after a loss of control authority over some of its actuators.

IV Dynamics of the Malfunctioning System
We study the system of dynamics (11), with the aim of computing the malfunctioning reach time T * M . We define the constant input sets

Proposition 4: For a resilient system (11), d ∈ R n * and w ∈ W , a constant control input u * d (w) ∈ U c achieves the infimum T M (w, d) of (13) defined as

vector because w is fixed. Since the system is resilient, any z ∈ R n is reachable. Additionally, U is convex and compact, and Then, according to Theorem 4.3 of [16] a time-optimal control exists. Following the proof of Proposition 2, we conclude that the infimum of (16) is a minimum and that the optimal control u * d (w) belongs to U c . We can now work on the supremum of (13).
Proposition 5: For a resilient system (11) and d ∈ R n * , the supremum T * M (d) of ( 13) is achieved with a constant undesirable input w * ∈ W c .

Proof. For d ∈ R n * and with u * d defined in Proposition 4, (13) simplifies to Conversely, note that for all w c ∈ W c and T > 0, we can define w(t) := (1/T) w c for t ∈ [0, T ] such that ∫ 0 T C w(t) dt = C w c and w ∈ W . Therefore, the constraint space of the supremum of (13) can be restricted to W c . We define the function ϕ : is the supremum of a continuous function over the compact set A Wc , so the supremum of (13) is a maximum achieved on W c .

Following Propositions 4 and 5, the malfunctioning reach time becomes The simplifications achieved so far were based on existence theorems from [16,17] upon which the bang-bang principle relies. The logical next step is to show that the maximum of (17) is achieved by the extreme undesirable inputs, i.e., at the set of vertices of W c , which we denote by V c . However, most of the work on the bang-bang principle considers systems with a linear dependency on the input [22,16,23], while ϕ introduced in Proposition 5 is not linear in the input w c . The work of Neustadt [17] considers a nonlinear ϕ, yet his discussion on bang-bang inputs would require us to show that co(ϕ(W c )) = co(ϕ(V c )). Since ϕ is not linear, such a task is not trivial, and in fact it amounts to proving that inputs in V c can do as much as inputs in W c , i.e., we would need to prove the bang-bang principle.
Two more works [24,25] consider bang-bang properties for systems with a nonlinear dependency on the input. However, both of them require conditions that are not satisfied in our case. The work [24] needs the subsystem ẋ = Cw to be controllable, while [25] requires T M defined in (16) to be concave in w c . Thus, even if bang-bang theory seems like a natural approach to restrict the constraint space from W c to V c in (17), we need a new optimization result, namely Theorem 2.1 from [18]. To employ this result, we first need to relate resilience to an inclusion of polytopes.

Proof. Sets U c and W c are defined as polytopes in R m and R p respectively. Sets X and Y are linear images of W c and U c , so they are polytopes in R n [26].
For a resilient system, following Propositions 4 and 5 we know that for all w c ∈ W c and all d 0 ∈ R n there exist u c ∈ U c and T ≥ 0 such that (Bu c + Cw c )T = d 0 . It also means that for all x ∈ X and all d 0 ∈ R n there exist y ∈ Y and T ≥ 0 such that (x + y)T = d 0 . Since d 0 can be freely chosen in R n , we must have dim Y = n. Take x ∈ X, x ≠ 0 and d 0 = x. Then, there exists y 1 ∈ Y and If x = 0, this process fails because we would get T = 0 when taking d = 0. Instead, take d 0 ∈ S; then there exist T > 0 and y ∈ Y such that yT = d 0 . Repeating this for −d 0 and using the convexity of Y , we obtain 0 ∈ Y . Thus −X ⊂ Y . Now assume that there exists −x 1 ∈ −X ∩ ∂Y . Take d = −x 1 ; then the best input is

We can now prove that the maximum of (17) is achieved on V c .

Proposition 7: For a resilient system (11) and d ∈ R n * , the maximum of (17) is achieved with a constant input w * ∈ V c .
Proof. Following Proposition 6, sets X and Y are polytopes in R n , −X ⊂ Y° and dim Y = n. Then, we can apply Theorem 2.1 of [18] and conclude that the minimum x * of (18) must be realized on a vertex of X. Now, we want to show that we are done. Otherwise, two possibilities remain. In the first case w c is on the boundary of the hypercube W c , and then we take F to be the surface of lowest dimension of ∂W c such that w c ∈ F and dim F ≥ 1. The other possibility is that w c ∈ W c °; we then define F := W c . Thus, in both cases V c ∩ F ≠ ∅ and F is convex. Then, we take v ∈ V c ∩ F and a := v − w c ∈ F . Since dim F ≥ 1 and w c ∈ F , there exists some α > 0 such that w c ± αa ∈ F . Then Therefore, the maximum of (17) is achieved on V c .
We have reduced the constraint set of (13) from an infinite-dimensional set W to a finite set V c of cardinality 2 p , with p being the number of malfunctioning actuators. Following Propositions 4, 5 and 7, the malfunctioning reach time can now be calculated with It is natural to wonder whether the minimum of (19) could be restricted to the vertices of U c , just like we did for the maximum over W c . However, that is not possible. Indeed, w c is chosen freely in W c in order to make T * M as large as possible, while u c is chosen to counteract w c and make Bu c + Cw c collinear with d. This constraint could not be fulfilled for all d ∈ R n if u c were only chosen among the vertices of U c .
Similarly to the nominal reach time, T * M is positively homogeneous in the target distance.
According to Lemma 1, T M is continuous in d, so α is continuous in λ, but its codomain is finite. Therefore, α is constant, and we know that α(1) = 0. So α is null for all λ > 0, leading to T M (w c , λd) = λT M (w c , d) for λ > 0 and d not collinear with any face of ∂Y . Since the dimension of the faces of ∂Y is at most n − 1 in R n and T M is continuous in d, the homogeneity of T M holds on the whole of R n . Note that

We can now combine the initial and malfunctioning dynamics in order to evaluate the quantitative resilience of the system.

V Quantitative Resilience
Quantitative resilience is defined in (14) as the infimum of T * N (d)/T * M (d) over d ∈ R n . Using Proposition 3 and Proposition 8 we reduce this constraint set to d ∈ S. Focusing on the loss of control over a single actuator, we will simplify tremendously the computation of r q . In this setting, we can determine the optimal d ∈ S by noting that the effects of the undesirable inputs are the strongest along the direction described by the malfunctioning actuator. This intuition is formalized below.
Theorem 1: For a resilient system following (11) with C a single-column matrix, the direction d maximizing the ratio of reach times t(d) is collinear with the direction C, i.e., max

Proof. Let d ∈ S. We use the same process that yielded (18) in Proposition 7, but we start from (15) where we split B into B and C: We can now gather (18) with d ∈ S and (20) into Since the system is resilient, Proposition 6 states that X and Y are polytopes in R n , −X ⊂ Y° and dim Y = n. Because C is a single column, dim X = 1. Then, the Maximax Minimax Quotient Theorem of [18] states that max

Since the sets U c and W c are not symmetric, t is not an even function. Thus, to calculate the quantitative resilience r q we need to evaluate T * N (±C) and T * M (±C), i.e., solve four optimization problems. The computation load can be halved with the following result.
Theorem 2: For a resilient system losing control over a single nonzero column C, r q = min{r(C), r(−C)}, where

Proof. Let ū ∈ Ūc , u ∈ U c and w ∈ W c be the arguments of the optimization problems (15) and (19). We consider the loss of a single actuator, thus W c = [w min , w max ] ⊂ R, which makes CwT * M (C) and Cu C T * N (C) collinear with C. From Proposition 7, we know that w ∈ ∂W . Since w maximizes T * M (C) in (21), we obviously have w = w min . On the contrary, u C is chosen to minimize T * N (C) in (21), so u C = w max . According to (21), Bu B and Bu are then also collinear with C. The control inputs u B and u are chosen to minimize respectively T * N (C) and T * M (C) in (21). Therefore, they are both solutions of the same optimization problem: We transform this problem into a linear one using the transformation λ = 1/τ: By combining all the results, (21) simplifies into: Following the same reasoning for d = −C, we obtain

We introduced quantitative resilience as the solution of four nonlinear nested optimization problems, and with Theorem 2 we reduced r q to the solution of two linear optimization problems. We can then quickly calculate the maximal delay caused by the loss of control of a given actuator.

VI Resilience and Quantitative Resilience
So far, all our results need the system to be resilient. However, based on [11], verifying the resilience of a system is not an easy task. Besides, as explained in Section II, the resilience criteria from [11] do not apply here because the sets of admissible controls are different. Proposition 1 is only a necessary condition for resilience, while we are looking for an equivalent condition.
Proposition 9: A system following (10) is resilient to the loss of control over a column C if and only if it is controllable and max{T * M (C), T * M (−C)} is finite.

Proof. First, assume that the system (10) is resilient. Then, according to Proposition 1 for k = 1, the system ẋ(t) = Bu(t) is controllable. Since Im(B) ⊂ Im( B), the system ( 10 In the case C = 0, this yields Bu d = λd = Bu d + Cw, so the system is resilient. For C ≠ 0, we will first show that for any w ∈ W c we can find u ∈ U c such that Bu + Cw = 0. Because T * M (C) and T * M (−C) are finite, T M (w, ±C) is positive and finite for all w ∈ W c = [w min , w max ], with T M (•, •) defined in (16). Take w ∈ W c . Then, there exists T M (w,C)+T M (w,−C) ∈ (0, 1) and u := We want to make a convex combination of u and u d to build the desired control, but without an extra step this will not work if w ∈ ∂W c . We first need to show that even if w is a little bit outside of W c we can still counteract it. Let ε := min Since w − w max ≤ 1/2T M (w max , −C), we can similarly define T − > 0 such that Similar to above we take α = T + /(T + + T − ) ∈ (0, 1), making u = αu + + (1 − α)u − ∈ U c by convexity and Bu + Cw = 0. An analogous approach holds for w ∈ [w min − ε, w min ).
Since W c is convex, w ∈ W c and w d ∈ W c , we can take w ∈ [w min − ε, w max + ε] such that there exists γ ∈ (0, 1) for which w = γw d + (1 − γ)w . We build u ∈ U c as above to make Bu + Cw = 0. By convexity of U c , u : Since γ > 0, we have γλ > 0, making the system resilient to the loss of column C.
The intuition behind Proposition 9 is that a resilient system must fulfill two conditions: being able to reach any state, which is controllability, and doing so in finite time despite the worst undesirable inputs, which corresponds to T * M (±C) being finite. Our goal is to relate resilience and quantitative resilience through the value of r min . To bridge the gap between this desired result and Proposition 9, we evaluate the requirements on the ratio M (±C) for a system to be resilient.

Corollary 1: A system following (10) is resilient to the loss of control over a column C if and only if it is controllable,

Proof. First, assume that the system (10) is resilient. Then, according to Proposition 1, it is controllable.
If C ∈ R n * , we then have 0 < Now, assume that the system is controllable, M (C) = 0 according to Remark 1. We conclude with Proposition 9 that the system is resilient. Now for the case where C = 0, let d ∈ R n * . Since the system following (10) is controllable, Then, according to Proposition 9, the system is resilient.

Theorem 2 allows us to compute r q for resilient systems with a linear optimization. We now want to extend that result to non-resilient systems, by showing that r min also indicates whether the system is resilient.
Corollary 2: A system following (10) is resilient to the loss of control over a nonzero column C if and only if it is controllable, and r(C), r(−C) from Theorem 2 are in (0, 1].
We now have all the tools to assess the quantitative resilience of a driftless system. If B is not full rank, the system following (10) is not controllable and thus not resilient. Otherwise, we compute the ratios r(±C), and Corollary 2 states whether the system is resilient. If it is, then r q = r min by Theorem 2; otherwise r q = 0. We summarize this process in Algorithm 1.
Algorithm 1: Resilience algorithm for system (10)
Data: A column C of B, r(C) and r(−C) from Theorem 2
Result: r q
if rank(B) = n and 0 ∈ int(Ū) then          # system (10) is controllable
    if r(C) ∈ (0, 1] and r(−C) ∈ (0, 1] then
        r q = min{r(C), r(−C)}                # resilient to loss of C
    else
        r q = 0                               # not resilient to loss of C
    end
else
    r q = 0                                   # not resilient to any loss
end

VII Systems with Multiple Integrators
We can now extend the results obtained for driftless systems to generalized higher-order integrators.
Proposition 10: If system (10) is controllable, then for all k ∈ N system (1) is controllable. The infimum of (6) is achieved with the same constant control input ū * ∈ Ūc as T * N in (12). Additionally,

Proof. , so the result holds. Let d ≠ 0. By assumption, system ẏ(t) = B ū(t) with y(0) = 0 is controllable. Following Proposition 2 there exists a constant optimal control ū ∈ Ūc such that y T Then, applying the control input ū to (1) on the time interval [0, t 1 ] leads to , we obtain x(t 1 ) − x 0 = d. Thus, the state x goal is reachable in finite time t 1 , so the system (1) is controllable and T * k,N (d) ≤ t 1 . Assume for contradiction purposes that there exists ũ ∈ Ū such that the state of (1) can reach x goal in a time τ ∈ (0, t 1 ). Since ũ can be time-varying, we build û : And thus, û ∈ Ūc , i.e., û is an admissible constant control input. Then, we apply ũ to (1) on the time interval [0, τ ] and we obtain Applying the control input û to the system ẏ(t) = B ū(t) on the interval [0, T ] with T := τ^k / k! leads to , which contradicts the optimality of T * N (d). Then, t 1 is the minimal time for the state of (1) to reach x goal . Therefore, the infimum of (6) is achieved with the same constant input ū ∈ Ūc as T * N (d) in (12), and

The proof of Proposition 10 went smoothly because the initial condition had zero derivatives. We will study a simple case with a nonzero initial condition and show that even the existence of T * k,N is not obvious. Let k = 2 and denote v := ẋ. Assume that system v̇ = B ū is controllable, and ẋ(0 , and . These are n scalar equations for n + 1 unknowns: v 1 and T . Because T * N (v 1 ) depends on v 1 , the equations are not independent and thus might not have a solution. Then, even for this seemingly simple case, the existence of T * 2,N is not obvious to justify.
A result similar to Proposition 10 holds for the malfunctioning reach time of order k.
Proposition 11: If system (11) is resilient, then system (3) is resilient for all k ∈ N. The supremum and infimum of (7) are achieved with the same constant inputs u * ∈ U c and w * ∈ W c as T * M in (13), and

Proof. , so the result holds. From now on we assume that d ≠ 0. As shown in the proof of Proposition 10 we can work with only constant inputs. First, we need to prove that the function u * d : W c → U c defined in Proposition 4 produces the best control input u * d (w) for any undesirable input w ∈ W c .
By assumption, system ẏ(t) = Bu(t) + Cw(t) with y(0 , with T M (w, d) > 0 defined in Proposition 4. Then, applying u * d (w) and w to (3) on the time interval [0, t w ] leads to Assume for contradiction purposes that for the same w there exists u ∈ U c such that the state of (3) reaches x goal at a time τ ∈ (0, t w ). Then, Applying the control u and undesirable input w to the system ẏ(t) = Bu(t) + Cw(t) on the time interval [0, T ] with T := τ^k / k! leads to which contradicts the optimality of T M (w, d). Therefore, u * d (w) is the best control input to counteract any w ∈ W c for system (3). Now we need to prove that w * defined in Proposition 5 is the worst undesirable input for system (3). With the control input u * d (w * ) = u * , the state of (3) verifies x(t 1 ) because w * is the worst undesirable input for system (11).
Assume for contradiction purposes that there exists some w 2 ∈ W c such that for the control u * d (w 2 ) ∈ U c the state of (3) can only reach x goal in a time τ > t 1 . Then, and undesirable input w 2 to the system ẏ(t) = Bu(t) + Cw(t) on the time interval [0, T ] with T := τ^k / k! leads to Thus, y cannot reach d in a time shorter than , which contradicts the optimality of w * as the worst undesirable input for (11). Then, w * is also the worst undesirable input for the system (3).
Therefore, the supremum and the infimum of (7) are achieved with the same constant inputs w * ∈ W c and u * ∈ U c as T * M in (13), and

Since T * k,M is related to T * M with the same formula as T * k,N is related to T * N , we can exploit all previous results established for the system of dynamics (10).
Theorem 3: If system (10) is resilient, then for all k ∈ N system (1) is resilient and r k,q = k√(r q ), the k-th root of r q .
Proof. Let $d \in \mathbb{R}^n_*$; then, based on Propositions 10 and 11, (8) becomes
Therefore, $r_{k,q} = \sqrt[k]{r_q}$. For a resilient system $r_q \in (0, 1]$, so $r_{k,q} \in (0, 1]$ and $r_{k,q} \ge r_q$, with strict inequality whenever $r_q < 1$ and $k \ge 2$. Thus, adding integrators to a resilient system does not decrease, and in general increases, its quantitative resilience. Consequently, by studying the system $\dot x(t) = B\bar u(t)$ we can verify the resilience and calculate the quantitative resilience of any system of the form $x^{(k)}(t) = B\bar u(t)$ for $k \in \mathbb{N}$. We will now apply our theory to two numerical examples.
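As an added worked derivation (not part of the original text) of the relation in Theorem 3, we take (8) as $r_q = \inf_{d \in \mathbb{R}^n_*} T^*_N(d)/T^*_M(d)$, which is how the text reads $1/r_q$ as the worst-case slowdown factor, and assume the $k$-th order system starts at rest, as the time relation $T = \tau^k/k!$ used in the proof of Proposition 11 requires. For constant inputs, $x^{(k)}(t) = Bu + Cw$ with $x(0) = x_0$ and zero initial derivatives integrates to
$$x(\tau) - x_0 = (Bu + Cw)\,\frac{\tau^k}{k!},$$
so $x$ reaches $x_{goal}$ at time $\tau$ exactly when the first-order system $\dot y = Bu + Cw$ reaches $d = x_{goal} - x_0$ at time $T = \tau^k/k!$, i.e. $\tau = (k!\,T)^{1/k}$. Because the optimal inputs are constant and the same for both systems (Propositions 10 and 11),
$$T^*_{k,N}(d) = \big(k!\,T^*_N(d)\big)^{1/k}, \qquad T^*_{k,M}(d) = \big(k!\,T^*_M(d)\big)^{1/k}.$$
Hence, for every $d \in \mathbb{R}^n_*$,
$$\frac{T^*_{k,N}(d)}{T^*_{k,M}(d)} = \left(\frac{T^*_N(d)}{T^*_M(d)}\right)^{1/k},$$
and since $s \mapsto s^{1/k}$ is continuous and increasing on $[0, \infty)$ it commutes with the infimum over $d$:
$$r_{k,q} = \inf_{d \in \mathbb{R}^n_*} \frac{T^*_{k,N}(d)}{T^*_{k,M}(d)} = \left(\inf_{d \in \mathbb{R}^n_*} \frac{T^*_N(d)}{T^*_M(d)}\right)^{1/k} = \sqrt[k]{r_q}.$$
Finally, $r_q \in (0, 1]$ gives $r_q \le r_q^{1/k} \le 1$, which is the statement that integrators can only improve quantitative resilience; for instance, the octocopter's $r_q = 0.1$ for the angular-velocity dynamics becomes $r_{2,q} = \sqrt{0.1} \approx 0.32$ for the double-integrator orientation dynamics.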

VIII Numerical Examples
Our first example considers a linearized model of a low-thrust spacecraft performing orbital maneuvers.We study the resilience of the spacecraft with respect to the loss of control over some thrust frequencies.Our second example features an octocopter UAV (Unmanned Aerial Vehicle) enduring a loss of control authority over some of its propellers.

VIII-A Linear Quadratic Trajectory Dynamics
We study a low-thrust spacecraft in orbit around a celestial body. Because of the complexity of nonlinear low-thrust dynamics, the work [27] established a linear model for the spacecraft dynamics using Fourier thrust acceleration components. Given an initial state and a target state, the model simulates the trajectory of the spacecraft in different orbit maneuvers, such as an orbit raising or a plane change. The states of this linear model are the orbital elements $x := (a, e, i, \Omega, \omega, M)$, whose names are listed in Table 1.
Because of the periodic motion of the spacecraft, the thrust acceleration vector $F$ can be expressed in terms of its Fourier coefficients $\alpha$ and $\beta$,
where $F_R$ is the radial thrust acceleration, $F_W$ is the circumferential thrust acceleration, $F_S$ is the normal thrust acceleration and $E$ is the eccentric anomaly. The work [28] determined that only 14 Fourier coefficients affect the average trajectory, and we use those coefficients as the input $\bar u$. The Fourier coefficients considered in [28] are chosen in $[-2.5 \times 10^{-7},\ 2.5 \times 10^{-7}]$, so we can safely assume that for our case the Fourier coefficients all belong to $[-1, 1]$. Following [27], the state-space form of the system dynamics is $\dot x = B(x)\bar u$. We calculate $B(x)$ in Appendix B using the averaged variational equations for the orbital elements given in [28]. We implement the orbit raising scenario presented in [27], with the orbital elements of the initial and target orbits listed in Table 1. We approximate $B(x)$ as a constant matrix $B$ taken at the initial state. The resulting matrix is
Coefficients $B_{1,4}$ and $B_{1,5}$ are significantly larger than all the other coefficients of $B$ because the semi-major axis is larger than any other element, as can be seen in Table 1. Losing control over one of the 14 Fourier coefficients means that a certain frequency of the thrust vector cannot be controlled. Since the coefficients $B_{1,5}$ and $B_{6,1}$ have a magnitude significantly larger than the other coefficients of the first and last rows of $B$, respectively, we have the intuition that the system is not resilient to the loss of the 1st or the 5th Fourier coefficient. The matrix $B$ is full rank, so $\dot x = B\bar u$ is controllable. We denote by $r_{\min}$ and $r_q$ the vectors whose components are respectively $r_{\min}(j)$ and $r_q(j)$ for the loss of the frequency $j \in [\![1, 14]\!]$:
$$r_{\min} = (-0.2,\ 0.34,\ 0.9,\ -0.004,\ -0.38,\ 0.15,\ 0.83,\ -0.32,\ 0.71,\ -0.06,\ 0.24,\ 0.2,\ -0.5,\ 0.5).$$
Since the 1st, 4th, 5th, 8th, 10th, and 13th values of $r_{\min}$ are negative, according to Corollary 2 the system is not resilient to the loss of control over any one of these six corresponding frequencies; their associated $r_q$ is zero. This result validates our intuition about the 1st and 5th frequencies. Corollary 2 also states the resilience of the spacecraft to the loss over any one of the 2nd, 3rd, 6th, 7th, 9th, 11th, 12th and 14th frequencies because their $r_{\min}$ belongs to $(0, 1]$. Indeed, the input bounds are symmetric, so we can use the results from [1] stating that $r(C) = r(-C) = r_{\min}$. Then, using Theorem 2 we deduce that
$$r_q = (0,\ 0.34,\ 0.9,\ 0,\ 0,\ 0.15,\ 0.83,\ 0,\ 0.71,\ 0,\ 0.24,\ 0.2,\ 0,\ 0.5).$$
Since $r_q(3)$, $r_q(7)$ and $r_q(9)$ are close to 1, the loss of one of these three frequencies would not delay the system significantly. The lowest positive value of $r_q$ occurs for the 6th frequency, $r_q(6) = 0.15$. Its inverse, $1/r_q(6) \approx 6.8$, means that the malfunctioning system can take up to 6.8 times longer than the initial system to reach a target.
The maneuver described in Table 1 yields $d = x_{goal} - x_0 = (667,\ 0.067,\ 2,\ 2,\ 2,\ 2)$. We compute the associated time ratios $t(d)$ using (15) and (19) for the loss over each column of $B$.
Then, losing control over one of the first four frequencies will barely increase the time required for the malfunctioning system to reach the target compared with the initial system. However, after the loss over the 7th, 9th, 11th, 12th, or the 14th frequency of the thrust vector, the undesirable input can multiply the maneuver time by a factor of up to 151.1. If one of the 5th, 8th, 10th, or 13th frequencies is lost, then some undesirable inputs can render the maneuver impossible to perform. When computing $r_q$, we have seen that the system is not resilient to the loss of the 1st or the 4th frequency. Yet, the specific target described in Table 1 happens to be reachable under the same loss, since the 1st and 4th components of $t(d)$ in (22) are finite. Indeed, $r_q$ only accounts for the target for which the undesirable inputs cause the maximal possible delay.

VIII-B A Resilient Octocopter
Resilience of unmanned aerial vehicles (UAVs) to system failure is crucial to their operation over populated areas [29]. The most common UAV design is the quadcopter with four horizontal propellers. Quadcopters have six degrees of freedom (position and orientation) but only four inputs, the angular velocities of the propellers. These systems are thus underactuated and cannot be resilient to the loss of control authority over one of their propellers [29].
To remedy this crucial safety concern, the solution is to consider overactuated drones like octocopters [30]. Most octocopter models have only horizontal propellers, as in Figure 1a, so they must tilt to move horizontally, which can be an issue for some payloads. An innovative solution was devised in [31], where four propellers are horizontal and four are vertical, as represented in Figure 1b. This design decouples the rotational and translational dynamics, which simplifies the control of the UAV. In this section, we evaluate the quantitative resilience of such an octocopter model.

VIII-B.1 Rotational Dynamics
The roll, pitch and yaw angles of the octocopter are gathered in $Y := (\varphi, \theta, \psi)$. The propeller $i \in [\![1, 8]\!]$ spinning at an angular velocity $\omega_i$ produces a force $f_i = k\omega_i^2$, with $k$ the thrust coefficient. The airflow created by the lateral rotors produces an extra vertical force, referred to as $f_9$ to $f_{12}$ in Figure 1b. Then, $f_{9+i} = b f_{5+i}$ for $i \in [\![0, 3]\!]$, with the coupling constant $b = 0.64$ from [31]. Relying on [30] and [31], the rotational dynamics of the octocopter are
The numerical values used in [30] are: $l = 0.4$ m the arm length, $m = 1.64$ kg the mass, $I_x = I_y = 0.5 I_z = 0.044\ \mathrm{kg\,m^2}$ the inertia, $k = 10^{-5}\ \mathrm{N\,s^2}$ the thrust coefficient, $d = 0.3 \times 10^{-6}\ \mathrm{N\,m\,s^2}$ the drag coefficient (this $d$ is unrelated to the target $d$ used elsewhere in the paper), $I_{rotor} = 9 \times 10^{-5}\ \mathrm{kg\,m^2}$ the rotor inertia, and $\omega_{max} = 8000$ rpm $= 838$ rad/s the maximal angular velocity of the propellers. The linearized rotational equations are $\ddot Y(t) = B_{rot}\Omega(t)$, with $\Omega(t) \in \mathbb{R}^8$ gathering the squared angular velocities of the propellers, i.e.,

VIII-B.2 Quantitative Resilience of the Rotational Dynamics
The matrix $B_{rot}$ in (23) has more columns than rows and each output is affected by four different inputs, so we have the intuition that the rotational dynamics are resilient. Because the non-zero coefficients of $B_{rot}$ have similar magnitudes to one another and are evenly spread in the matrix, we expect the quantitative resilience to be the same for each actuator.
Since the input sets are nonsymmetric, $\bar u_i(t) := \omega_i^2(t) \in [0, \omega_{max}^2]$, and the dynamics are given by a double integrator, $\ddot Y(t) = B_{rot}\bar u(t)$, the theory of [1] cannot deal with this UAV model. Using Theorem 2 we calculate the quantitative resilience of the system $\dot v_Y(t) = B_{rot}\bar u(t)$, with $v_Y(t) := \dot Y(t)$, for the loss of control over each single propeller:
Based on Corollary 2, the UAV is resilient to the loss of control over any single propeller in terms of angular velocity, and $r_q = r_{\min}$. Following Theorem 3 we deduce that $\ddot Y(t) = B_{rot}\bar u(t)$ is also resilient and $r_{2,q} = \sqrt{r_q} = \sqrt{0.1} \approx 0.32$. Then, after the loss of control over any single propeller, the UAV might take as much as three times longer to reach a given orientation, while it might be ten times slower to reach a given angular velocity.

VIII-B.3 Translational dynamics
In the inertial frame the position of the UAV is $X := (x, y, z)$ and its orientation yields the rotation matrix $R(\psi, \theta, \varphi)$. The translational equations of motion from [31] are
Because of the gravitation term $G$, the above dynamics are affine. We combine $G$ with the input $\Omega$ to make the dynamics driftless using $R(\psi, \theta, \varphi)$
horizontal propeller. However, they are not resilient to the loss of any vertical propeller, as predicted. We can also pick a direction of motion and evaluate how the loss of each single actuator would impact the change of velocity in this direction. For the impact on the vertical velocity we take $d = (0, 0, -1)$ and obtain
$$t(d) = (1.7738,\ 1.7738,\ 1.7738,\ 1.7738,\ 2.2644,\ 2.2644,\ 2.2644,\ 2.2644).$$
Note that the first four values are the same as $1/r_q$ because the direction most affected by the loss of a horizontal propeller is the vertical direction.
If we look at how a change of forward velocity is impacted by a loss of control, we take $d = (1, 0, 0)$ and $\psi = 0$ and obtain $t(d) = (1,\ 1,\ 1,\ 1,\ +\infty,\ +\infty,\ 1,\ 1)$. Thus, the four horizontal propellers have no impact on the forward velocity, as expected. Losing control over one of the two lateral vertical propellers (columns 7 and 8) does not affect the forward motion either. However, the loss of the front or back vertical propeller (columns 5 and 6) completely prevents a guaranteed forward motion.
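The per-direction ratios $t(d)$ quoted here and in the spacecraft example of Section VIII-A follow from the reach-time definitions on this page ($T^*_N$, $T_M(w, d)$ in Lemma 1, and $T^*_M$ as the supremum over $w$). As an added example, not the paper's code, the following Python computes $T^*_N(d)$, $T^*_M(d)$ and $t(d)$ from those definitions for a small constructed planar system with nonsymmetric input boxes, losing one actuator at a time. The paper's $B$ and $B_{trans}$ are not reproduced on this page, so the matrix here is a stand-in chosen to show one loss the system tolerates in every direction tried, one loss it does not, and an unreachable direction ($t(d) = +\infty$):

```python
"""Added example (not the paper's code): reach-time ratio t(d) = T*_M(d) / T*_N(d) for a driftless
system x' = B ubar with box-bounded inputs, computed from the definitions on this page
(Lemma 1 and Proposition 8):
    T*_N(d)   = min { T >= 0 : B ubar T = d,           ubar in Ubar_c }
    T_M(w, d) = min { T >= 0 : (B u + C w) T = d,      u in U_c },  T*_M(d) = sup_{w in W_c} T_M(w, d).
Constant inputs suffice for driftless systems (proof of Proposition 10), so with lambda = 1/T each
inner problem is the linear program  max lambda  s.t.  B u - lambda d = -C w,  u in U_c,  lambda >= 0.
The LP is solved exactly by enumerating basic solutions (no solver dependency; fine for small B).
The matrix B_TOY and its bounds are CON STRUCTED for illustration; they are not the paper's B_trans."""
from itertools import combinations, product
import math


def solve_square(A, b):
    """Gauss-Jordan elimination with partial pivoting; returns None if A is singular."""
    n = len(A)
    M = [list(A[i]) + [b[i]] for i in range(n)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        if abs(M[p][c]) < 1e-12:
            return None
        M[c], M[p] = M[p], M[c]
        for r in range(n):
            if r != c:
                f = M[r][c] / M[c][c]
                M[r] = [x - f * y for x, y in zip(M[r], M[c])]
    return [M[i][n] / M[i][i] for i in range(n)]


def max_lambda(B, lo, hi, d, shift):
    """max lambda s.t. B u = lambda d + shift, lo <= u <= hi, lambda >= 0.
    With z = (u_1..u_m, lambda) and n independent equality rows (B has full row rank), some
    optimal vertex has m+1-n variables sitting at a bound; enumerate those choices and solve
    the n x n system for the rest.  Returns -inf if no feasible point exists."""
    n, m = len(B), len(B[0])
    A = [list(B[i]) + [-d[i]] for i in range(n)]              # columns: u_1..u_m, lambda
    bnd = [(lo[j], hi[j]) for j in range(m)] + [(0.0, None)]  # lambda: only a lower bound
    best = -math.inf
    for fixed in combinations(range(m + 1), m + 1 - n):
        free = [j for j in range(m + 1) if j not in fixed]
        for vals in product(*[[v for v in bnd[j] if v is not None] for j in fixed]):
            z = dict(zip(fixed, vals))
            rhs = [shift[i] - sum(A[i][j] * z[j] for j in fixed) for i in range(n)]
            sol = solve_square([[A[i][j] for j in free] for i in range(n)], rhs)
            if sol is None:
                continue
            z.update(zip(free, sol))
            if all(bnd[j][0] - 1e-9 <= z[j] and (bnd[j][1] is None or z[j] <= bnd[j][1] + 1e-9)
                   for j in range(m + 1)):
                best = max(best, z[m])
    return best


def time_from_rate(lam):
    """T = 1/lambda; an unreachable direction (lambda <= 0 or infeasible) has infinite reach time."""
    return math.inf if lam <= 1e-12 else 1.0 / lam


def nominal_time(B, lo, hi, d):
    """T*_N(d): every actuator controlled."""
    return time_from_rate(max_lambda(B, lo, hi, d, [0.0] * len(B)))


def malfunction_time(B, lo, hi, lost, d):
    """T*_M(d) after losing column `lost`: split B = [B_ctrl C] and take the worst w in W_c.
    The LP value is concave in its right-hand side, which is affine in w, so its minimum over the
    interval W_c (the largest reach time) is attained at an endpoint; both endpoints are checked."""
    n, m = len(B), len(B[0])
    keep = [j for j in range(m) if j != lost]
    B_ctrl = [[B[i][j] for j in keep] for i in range(n)]
    worst = 0.0
    for w in (lo[lost], hi[lost]):
        lam = max_lambda(B_ctrl, [lo[j] for j in keep], [hi[j] for j in keep], d,
                         [-B[i][lost] * w for i in range(n)])
        worst = max(worst, time_from_rate(lam))
    return worst


def time_ratio(B, lo, hi, lost, d):
    """t(d) = T*_M(d) / T*_N(d); math.inf means d is no longer reachable after the loss."""
    t_n = nominal_time(B, lo, hi, d)
    if t_n == math.inf:
        raise ValueError("target direction unreachable even with all actuators")
    return malfunction_time(B, lo, hi, lost, d) / t_n


# Constructed planar velocity model v' = B ubar with ubar_j in [0, 1] (thrusters only push, so the
# input box is nonsymmetric).  Columns 0-3: two opposed pairs along x.  Columns 4-6: two "up" and one
# "down" thruster along y, so losing column 4 leaves no guaranteed way to move in the -y direction.
B_TOY = [[1.0, -1.0, 1.0, -1.0, 0.0, 0.0, 0.0],
         [0.0, 0.0, 0.0, 0.0, 1.0, -1.0, 1.0]]
LO_TOY, HI_TOY = [0.0] * 7, [1.0] * 7

if __name__ == "__main__":
    for lost, d in [(0, (1.0, 0.0)), (0, (0.0, 1.0)), (4, (0.0, 1.0)), (4, (0.0, -1.0))]:
        print(f"lost column {lost}, d = {d}: t(d) = {time_ratio(B_TOY, LO_TOY, HI_TOY, lost, d)}")
```

Losing column 0 gives $t(d) = 2$ along $+x$ (one of two pushers on that side is gone and the worst case is that it stays off) and $t(d) = 1$ along $+y$, mirroring how the octocopter's horizontal propellers leave forward velocity untouched. Losing column 4 gives $t(d) = 2$ along $+y$ but $+\infty$ along $-y$: with the lost thruster stuck at full thrust the remaining inputs cannot produce a guaranteed downward velocity, which is exactly the situation of columns 5 and 6 in the forward direction above, and the reason $r_q$ for that loss is zero even though other directions stay reachable. The endpoint check in `malfunction_time` covers a single lost actuator; for several lost actuators the same concavity argument puts the worst $w$ at a vertex of the box $W_c$, so all vertices would have to be enumerated.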

VIII-B.5 High-fidelity dynamics of the propellers
So far in this work, all inputs were bang-bang because our definition of quantitative resilience asks for time-optimal transfers. The inputs of the translational dynamics (25) encode the propellers' angular velocities, which cannot physically change in a bang-bang fashion. Thus, in order to provide a more realistic model and display the capabilities of our work, we follow [32] and add first-order propeller dynamics:
$$\ddot X(t) = B_{trans}\bar u(t), \qquad \dot{\bar u}(t) = \frac{1}{\tau}\big(\bar u_c(t) - \bar u(t)\big), \qquad (27)$$
with $\bar u_c \in \mathbb{R}^8$ a new, possibly bang-bang, command signal. System (27) is not driftless, hence preventing a direct application of our theory. Instead, we proceed heuristically, building on the intuition provided by our theory to tackle this high-fidelity model. The time constant $\tau = 0.1$ s is chosen to match the propeller response in Fig. 3 of [33]. After the loss of control over the first propeller, we split $B_{trans}$ and $\bar u$ as before such that
$$\ddot X(t) = Bu(t) + Cw(t), \qquad \dot u(t) = \frac{1}{\tau}\big(u_c(t) - u(t)\big), \qquad \dot w(t) = \frac{1}{\tau}\big(w_c(t) - w(t)\big), \qquad (28)$$
with the bang-bang command signals $u_c$ and $w_c$. We will now study how the actuators' dynamics impact the resilience of the UAV in the vertical direction $d = (0, 0, 1)$. Since the inputs $\bar u$ in (27) and $(u, w)$ in (28) have a non-zero rise time, as shown in Fig. 2, the vertical velocities $\dot z_N$ of (27) and $\dot z_M$ of (28) react smoothly and more slowly than their bang-bang counterparts, as illustrated in Fig. 3. For $t \ge 0.4$ s, $\bar u$ and $(u, w)$ have converged to their commands $\bar u_c$ and $(u_c, w_c)$, so the slopes of $\dot z_N(t)$ in (25) and (27) are equal, as shown in Fig. 3, and so are those of $\dot z_M(t)$ in (26) and (28).
The slower reaction time caused by the dynamics of the propellers is also reflected in the vertical positions $z_N$ and $z_M$ in Fig. 4.
Figure 3: Vertical velocities $\dot z_N(t)$ and $\dot z_M(t)$ of the nominal and malfunctioning systems, demonstrating the impact of the propellers' dynamics in (27) and (28).
Figure 4: Vertical positions z N (t) and z M (t) of the nominal and malfunctioning systems demonstrating the impact of the propellers' dynamics in ( 27) and (28).
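As an added illustration of the first-order propeller model above (example code written for this page, not the authors' simulation), the following Python reproduces the mechanism behind Figs. 3 and 4 for a single vertical transfer. Each input follows $\dot u = (u_c - u)/\tau$ with a constant command issued from rest, so $u(t) = u_c(1 - e^{-t/\tau})$ and the vertical velocity is $\dot z(t) = a\,(t - \tau(1 - e^{-t/\tau}))$; setting $\tau = 0$ recovers the bang-bang case $\dot z(t) = at$. The two accelerations are constructed stand-ins for the nominal and worst-case malfunctioning vertical accelerations, since $B_{trans}$ is not reproduced on this page:

```python
"""Added example (not the paper's code): effect of first-order propeller dynamics on a time-optimal
vertical velocity change.  Each propeller input follows u' = (u_c - u)/tau with a bang-bang command
u_c (as in (27) and (28) of the text); here the command is held constant and the propellers start
at rest, so u(t) = u_c (1 - exp(-t/tau)), the vertical acceleration is a (1 - exp(-t/tau)) and
    z'(t) = a (t - tau (1 - exp(-t/tau))).
tau = 0 gives the bang-bang case z'(t) = a t.  The accelerations are CONSTRUCTED stand-ins for the
nominal and worst-case malfunctioning vertical accelerations (B_trans is not reproduced on the page)."""
import math

TAU = 0.1        # propeller time constant (s), the value used in the text
A_NOMINAL = 4.0  # constructed: vertical acceleration with every propeller at its optimal command (m/s^2)
A_MALF = 3.5     # constructed: acceleration guaranteed against the worst undesirable input (m/s^2)


def vertical_velocity(t, a, tau=TAU):
    """z'(t) for a constant command issued at t = 0 from rest."""
    if tau == 0.0:
        return a * t
    return a * (t - tau * (1.0 - math.exp(-t / tau)))


def input_fraction(t, tau=TAU):
    """Fraction u(t)/u_c of the commanded input reached at time t."""
    return 1.0 if tau == 0.0 else 1.0 - math.exp(-t / tau)


def reach_time(v_target, a, tau=TAU, tol=1e-12):
    """Smallest t with z'(t) = v_target.  z' is strictly increasing in t, so bisection is exact.
    Since z'(t) >= a (t - tau), the target is reached no later than v_target/a + tau."""
    if v_target <= 0.0:
        return 0.0
    lo, hi = 0.0, v_target / a + tau
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if vertical_velocity(mid, a, tau) < v_target:
            lo = mid
        else:
            hi = mid
    return hi


def reach_time_ratio(v_target, tau=TAU):
    """T*_M / T*_N for the velocity target, with (tau > 0) or without (tau = 0) actuator dynamics."""
    return reach_time(v_target, A_MALF, tau) / reach_time(v_target, A_NOMINAL, tau)


if __name__ == "__main__":
    v = 1.0
    print(f"input fraction reached at t = 0.4 s: {input_fraction(0.4):.3f}")
    print(f"ratio without propeller dynamics: {reach_time_ratio(v, 0.0):.4f}")
    print(f"ratio with tau = {TAU} s:          {reach_time_ratio(v):.4f}")
```

With these constructed values the bang-bang ratio is $a_N/a_M = 8/7 \approx 1.143$, while the lagged ratio is about $1.106$. The reason is visible in the closed form: once $T \gg \tau$, $T \approx v/a + \tau$, so the lag adds nearly the same delay $\tau$ to both reach times, and an additive common delay shrinks their ratio. This is the mechanism behind the slightly smaller ratio the text reports for (27) and (28) than for (25) and (26). At $t = 0.4$ s $= 4\tau$ the inputs sit at $1 - e^{-4} \approx 98\%$ of their commands, which is the convergence the text reads off Fig. 3.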
Because of the specific geometry of the system, the optimal inputs for direction $d = (0, 0, 1)$ were trivial to determine. Then, we calculate the ratio of reach times for systems (27) and (28), $T^*_M(d)/T^*_N(d) = 1.12$, and for systems (25) and (26), $T^{c*}_M(d)/T^{c*}_N(d) = 1.14$. Hence, modeling the dynamics of the propellers slightly increases the resilience of the vertical dynamics. However, the time-optimal commands $\bar u_c$ for (27) and $(u_c, w_c)$ for (28) can be time-varying for other directions $d \in \mathbb{R}^3$ [16], and determining these optimal commands requires complex algorithms [34, 21] because the dynamics are not driftless anymore. Additionally, the Maximax-Minimax Quotient Theorem of [18] does not hold, which invalidates Theorem 1 and prevents the exact calculation of $r_q$ without calculating $T^*_M(d)/T^*_N(d)$ for all $d \in \mathbb{R}^3$. A stronger theory will be needed to tackle linear non-driftless systems.

IX Conclusion and Future Work
This paper built on the notion of quantitative resilience for control systems introduced in previous work and extended it to linear systems with multiple integrators and nonsymmetric input sets. Relying on bang-bang control theory and on two novel optimization results, we transformed a nonlinear problem consisting of four nested optimizations into a single linear problem. This simplification leads to a computationally efficient algorithm to verify the resilience and calculate the quantitative resilience of driftless systems with integrators.
There are two promising avenues of future work. First, because of the complexity of the subject, we have only considered driftless systems so far; future work should extend the concept of quantitative resilience to non-driftless linear systems. Second, noting that Theorems 1 and 2 only concern the loss of a single actuator, our other direction of work is to extend these results to the simultaneous loss of multiple actuators.

Proposition 3:
The nominal reach time $T^*_N$ is a nonnegatively homogeneous function of $d$, i.e., $T^*_N$

Definition 8:
A polytope in $\mathbb{R}^n$ is a compact intersection of finitely many half-spaces. We define the sets $X := \{Cw_c : w_c \in W_c\}$ and $Y := \{Bu_c : u_c \in U_c\}$.
Proposition 6: For a system following (11), $X$ and $Y$ are polytopes in $\mathbb{R}^n$. If the system is resilient, then $\dim Y = n$ and $-X \subseteq Y^\circ$.

Proposition 8:
The malfunctioning reach time $T^*_M$ is a nonnegatively homogeneous function of $d$, i.e., $T^*_M(\lambda d) = \lambda T^*_M(d)$ for $d \in \mathbb{R}^n$ and $\lambda \ge 0$.
Proof. Because of the minimax structure of (19), scaling as in the proof of Proposition 3 is not sufficient to prove the homogeneity of $T^*_M(d)$. According to Remark 1, for $d = 0$ we have $T^*_M(d) = 0$, so $T^*_M$ is absolutely homogeneous at $d = 0$. Let $d \in \mathbb{R}^n_*$, $w_c \in W_c$, $x = Cw_c$ and $y^*(x, d) := \arg\min_{y \in Y}\{T \ge 0 : (y + x)T = d\}$. Note that $Bu^*_d(w_c) + Cw_c = y^*(x, d) + x$, with $u^*_d$ defined in Proposition 4. Then, with $T_M$ introduced in (16), we have
$Bu^*_d$) is controllable a fortiori. If $C \neq 0$, then following Proposition 5, $T^*_M(C)$ and $T^*_M(-C)$ are finite. If $C = 0$, then $T^*_M(C)$ is also finite according to Remark 1. Now, assume that the system (10) is controllable and $\max\{T^*_M(C), T^*_M(-C)\}$ is finite. Let $w \in W_c$ and $d \in \mathbb{R}^n_*$. By controllability, there exist $\bar u \in \bar U_c$ and $\lambda > 0$ such that $B\bar u = \lambda d$. We split $B$ into $[B\ C]$ and likewise $\bar u$ into $(u_d, w_d)$. Then, $u_d \in U_c$ and $B\bar u = Bu_d + Cw_d = \lambda d$.

Lemma 1:
For a resilient system following (11), the function $T_M(w_c, d) := \min_{u_c \in U_c}\{T \ge 0 : (Bu_c + Cw_c)T = d\}$ is continuous in $w_c \in W_c$ and $d \in \mathbb{R}^n_*$.
Proof. We define the sets $X := \{Cw_c : w_c \in W_c\}$ and $Y := \{Bu_c : u_c \in U_c\}$. Then, by abuse of notation, $T_M(x, d) = \min_{y \in Y}\{T \ge 0 : (y + x)T = d\}$. Using the transformation $\lambda = 1/T$, we obtain $T_M(x, d) = 1/\max_{y \in Y}\{\lambda \ge 0 : x + y = \lambda d\}$. Since $\|d\| > 0$ and $\lambda \ge 0$, we have $\lambda = \|\lambda d\|/\|d\| = \|x + y\|/\|d\|$. Let $d_1 := d/\|d\|$, so that $d_1 \in \mathbb{S}$ and $\mathbb{R}_+ d_1 = \mathbb{R}_+ d$. Thus $T_M(x, d) = \|d\| / \max_{y \in Y}\{\|x + y\| : x + y \in \mathbb{R}_+ d_1\}$. According to Proposition 6, $X$ and $Y$ are polytopes in $\mathbb{R}^n$ and $-X \subset Y$. Then, Lemma 5.2 of [18] states that $T_M$ is continuous in $w_c$ and $d$.

Table 1:
Initial and Target States for Raising Maneuver