Minimal Constraint Violation Probability in Model Predictive Control for Linear Systems

Handling uncertainty in model predictive control (MPC) comes with various challenges, especially when considering state constraints under uncertainty. Most methods focus on either the conservative approach of robustly accounting for uncertainty or allowing a small probability of constraint violation. In this work, we propose a linear MPC approach that minimizes the probability that linear state constraints are violated in the presence of additive uncertainty. This is achieved by first determining a set of inputs that minimize the probability of constraint violation. Then, this resulting set is used to define admissible inputs for the optimal control problem. Recursive feasibility is guaranteed and input-to-state stability is proved under assumptions. Numerical results illustrate the benefits of the proposed MPC approach.


I. INTRODUCTION
Considering uncertainty presents a major challenge in the control of safety-critical systems. Depending on the application, uncertainty ranges from noise and disturbances to model and parameter inaccuracy. For example, the control of automated vehicles needs to account for sensor noise, disturbances such as wind, or the unknown future behavior of other vehicles that are close enough to be relevant for safety. Ideally, the control of such safety-critical systems realizes minimal risk in the presence of uncertainty.
A prominent method for the control of safety-critical systems is Model Predictive Control (MPC), due to its ability to consider input and state constraints to satisfy safety requirements [1]. In general, MPC requires a model of the system to solve an optimal control problem in each time step.
When uncertainty is present, constraints are handled in a robust way by Robust Model Predictive Control (RMPC) [2]. Initially known bounds on the uncertainty allow for guarantees on stability and recursive feasibility. Nevertheless, robustly accounting for uncertainty comes with issues. If the uncertainty bound was initially not estimated large enough, all guarantees are lost. If uncertainty bounds are chosen too large, potentially to account for rare worst-case events, RMPC becomes highly conservative.
Overcoming conservatism is addressed by Stochastic Model Predictive Control (SMPC) [3], [4]. In SMPC, constraints subject to uncertainty are handled as chance constraints. A chance constraint requires that the constraint is satisfied to a certain level, based on a chosen risk parameter, representing the acceptable risk. While a low risk parameter results in a high probability of constraint violation, performance is improved, as rare uncertainty realizations are neglected. Again, multiple issues arise. Similar to RMPC, wrong initial assumptions for the uncertainty cause feasibility issues. Furthermore, SMPC does not penalize the allowed constraint violation, i.e., the constraint violation probability is not considered in the cost function.

This work was funded by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation), project number 490649198. This work was supported by a fellowship within the IFI program of the German Academic Exchange Service (DAAD) and the Bavaria California Technology Center (BaCaTeC) grant 1-[2020-2].
The authors are with the Chair of Automatic Control Engineering, Department of Electrical and Computer Engineering, Technical University of Munich, 80333 Munich, Germany (e-mail: {michael.fink,tim.bruedigam, dw, marion.leibold}@tum.de).
When developing MPC for safety-critical systems, a small probability of constraint violation may be tolerated. It is nevertheless fundamental to achieve the minimum probability of constraint violation. In addition, recursive feasibility and stability of the closed-loop system dynamics are essential. Variations in the uncertainty as well as in the constraints also have to be considered.
Whereas RMPC and SMPC partially consider these requirements, both methods are impractical for safety-critical systems due to the above-mentioned issues, e.g., uncertainty bounds must be known in advance or recursive feasibility is not guaranteed in every situation. These considerations resulted in the development of MPC with constraint violation probability minimization (CVPM) [5], [6].

A. Related Work
While there exist different approaches to RMPC, the main ideas are similar: robustly handling constraints, accounting for worst-case uncertainty realizations. An overview of RMPC approaches is given in [1, Ch. 3] and a summary of early works in [7]. The most prominent RMPC approaches are min-max MPC [8], considering maximal uncertainties, and tube-based MPC [9], [10], which defines a tube around the nominal state trajectory to tighten constraints appropriately. While RMPC has been used to control safety-critical systems, e.g., a robotic manipulator [11] or an automated vehicle [12], [13], solutions are generally conservative, as no knowledge about the disturbance distribution is taken into account. Additionally, changing uncertainty bounds or distributions, as well as changing constraints, cause a loss of properties, e.g., recursive feasibility, or require intensive recomputation.

SMPC employs chance constraints, i.e., the probability of violating a constraint is bounded by a risk parameter. Chance constraints are difficult to handle in general as their evaluation requires computing multivariate integrals. Therefore, approaches to reformulate these probabilistic constraints into deterministic (potentially approximated) constraints have been proposed: for Gaussian uncertainties and linear constraints, the chance constraints can be analytically reformulated [4]. Gaussian distributions are suitable to describe certain types of uncertainty, e.g., noise, while safety-critical systems often require considering other distributions. For this case, sampling-based SMPC approaches are suitable. Particle-based SMPC [14] approximates the chance constraint by ensuring that only a small number of samples leads to constraint violations. In Scenario Model Predictive Control (SCMPC) [15], based on [16], the number of required samples is computed depending on a risk parameter. Then, for all sampled scenarios, the constraints must be satisfied. A major issue with sampling-based SMPC is that guarantees on recursive feasibility are difficult to obtain. A combination of RMPC and SMPC is considered in [17], [18], where robust constraints are employed on the short-term horizon and chance constraints are used for long-term predictions. This approach improves performance compared to RMPC while still employing short-term robust constraints; however, proofs of recursive feasibility and stability are challenging.
The SMPC approaches introduced in the previous paragraph consider open-loop chance constraints, i.e., chance constraint satisfaction is only required in the optimal control problem for the open-loop prediction. However, recursive feasibility can only be guaranteed if closed-loop constraint satisfaction is considered [19]. An alternative method to guarantee recursive feasibility is proposed in [20], which adds a constraint on the predicted state of the first prediction step; guaranteeing recursive feasibility in SMPC thus remains challenging.
However, the safety of SMPC is specifically addressed in only a few works. In [29], failsafe trajectory planning is used to guarantee safety in case of infeasible SMPC optimal control problems. A different idea is presented in [30], where a least-intrusive trajectory is found if a collision is inevitable.
All previously described SMPC approaches are unable to provide recursive feasibility or stability guarantees once unexpected changes arise, potentially due to time-varying uncertainties or time-varying constraints. While slack variables can be introduced or alternative problems can be solved [31], [32] to regain feasibility, the optimization does not necessarily provide the safest possible solution. This issue is addressed in [5] for a collision avoidance scenario. There, the probability of violating a collision avoidance norm constraint in the first prediction step is minimized with CVPM-MPC. An extension of CVPM-MPC where the norm constraint is taken into account for more than one prediction step is presented in [6]. Unlike multiobjective MPC [33], [34], in CVPM-MPC safety is not part of an objective trade-off; safety is maximized first before other objectives are considered. However, the approach in [5] and [6] is designed particularly for obstacle avoidance, i.e., the approach is limited to norm constraints, and only uncertainty affecting the obstacle dynamics is considered.
In summary, previous MPC approaches only cover parts of the requirements for safety-critical systems. The major challenge, reasonably minimizing constraint violation probabilities for general linear systems, is still an open problem.

B. Contribution and Structure
In this work, we propose an MPC algorithm that minimizes the probability of constraint violation. This is achieved by guaranteeing constraint satisfaction whenever possible and ensuring minimal constraint violation probability whenever constraint satisfaction is not possible. We generalize, extend, and simplify the results of the CVPM-MPC method from [5] and [6]. In particular, we now replace norm constraints by general linear constraints.
We investigate the requirements for recursive feasibility and stability. We show that no additional assumptions are needed for recursive feasibility because there are no bounds on the maximum allowed constraint violation probability. Furthermore, we propose additional, rather strong assumptions for proving input-to-state stability (ISS). Finally, the practical consequences of relaxing these assumptions are discussed.
The remaining parts are structured as follows. Section II introduces the problem. The CVPM-MPC method for linear systems and constraints is derived in Section III, followed by details on its properties in Section IV. A numerical example is shown in Section V, demonstrating the benefits of applying CVPM-MPC to safety-critical systems. A discussion and conclusive remarks are given in Section VI and Section VII, respectively.

A state at time step t is denoted by xt. Within an MPC optimal control problem, the state at prediction step k is denoted by x_{t+k}, where the notation x_{t+k|t} explicitly denotes that the prediction x_{t+k} was obtained at time step t. A function γ : R^n → R_{≥0} is of class K if it is strictly increasing and γ(0) = 0. A function α : R^n → R_{≥0} is of class K∞ if α ∈ K and lim_{s→∞} α(s) = ∞. An asterisk denotes the optimal value, i.e., u* is the optimal solution.

II. PROBLEM SETUP
In the following, we first introduce the system dynamics and define properties of the uncertainty. Then, the MPC problem statement is introduced, including the constraints whose violation probability must be minimized.

A. System Dynamics
We consider the linear, discrete-time dynamical control system with state xt ∈ R^nx and input ut ∈ R^nu at time step t, as well as the bounded uncertainty wt ∈ W ⊆ R^nx, where A and B have appropriate dimensions and G ∈ R^{nx×nx} is nonsingular.
Assumption 1. The uncertainty wt is a truncated Gaussian with wt ∼ N(0, Σw), covariance matrix Σw, bounded by the polytope W.
In the following, MPC requires predicting the state trajectory. Based on the initial state xt, we denote the augmented system dynamics, delivering predictions xt+1, xt+2, ..., xt+N, by

where

and A, B, and G are defined as in [35].

B. Model Predictive Control
MPC is applied to control system (1). In MPC, an optimal control problem is repeatedly solved on a finite horizon N, where state and input constraints are considered and only the first entry of the optimal input trajectory is applied. The prediction steps are denoted by the index k. The MPC cost function is given by

with weighting matrices Q, R and terminal weighting matrix Qf, where xt is known and x̄_{t+k} denotes the mean of x_{t+k}. Furthermore, the set of admissible input sequences u is given as the bounded polytopic set U^N, which contains the origin. The polytopic set X ⊂ R^nx allows formalizing state constraints for all states in a prediction horizon of length N.
Assumption 2. The constraint set X is closed, bounded, and contains the origin.
The constraint set X may be expressed in augmented form by

A terminal constraint xN ∈ Xf ⊆ X is introduced for the state xN. The set Xf is defined later as part of the stability analysis.

C. Problem Statement
Neither RMPC nor SMPC provides adequate solutions if the probability of violating constraint (5) must be minimized. This problem may be formulated as

Given this constraint violation probability minimization, we now specify the problem to be addressed in this work.
Problem 1. The optimal control problem of each MPC iteration corresponding to time t is

In the following section, an MPC method is derived that provides a strategy to solve Problem 1.

III. METHOD
Here, we first present the CVPM-MPC method in Section III-A and then details on the probability optimization required for CVPM-MPC in Section III-B. Major properties of the CVPM-MPC method are discussed in Section IV.

A. CVPM-MPC
The general idea of CVPM-MPC is to solve an MPC optimal control problem in which only those inputs are allowed that enable minimal constraint violation probability. Therefore, a set is defined that includes all inputs that minimize the constraint violation probability.
Definition 1 (Optimal CVPM Input Set). The optimal CVPM input set U cvpm consists of admissible input sequences u that minimize the constraint violation probability Pr(x ∉ X).
Determining U cvpm distinguishes two cases, depending on whether an input sequence u exists that guarantees constraint satisfaction.
Definition 2 (CVPM Safe Case). In the safe case, at least one admissible input sequence u exists that guarantees constraint satisfaction, i.e.,

Definition 3 (CVPM Probabilistic Case). In the probabilistic case, no input sequence u exists that guarantees constraint satisfaction, i.e.,

At each MPC iteration, it is determined whether the safe case is feasible, i.e., it is evaluated whether the set of possible input sequences is non-empty. If not, the probabilistic case is applied. In the following, it is addressed for both cases separately how the set U cvpm is obtained.
1) Safe Case: Here, the set U cvpm is given by (10), the intersection of the admissible input set U^N and the set of input sequences that guarantee constraint satisfaction of (5). The set {−Axt} is a singleton that takes into account the current state xt, and the set U cvpm is determined with algorithms from [35].
The intersection (10) does not only deliver the set of admissible inputs, it also allows checking whether the safe case applies: if U cvpm is nonempty, an input sequence u exists guaranteeing that constraint (5) is satisfied.
Based on the previous result, it is possible to obtain a set of feasible initial states XcaseS (for the current MPC iteration) for which the safe case is applicable. This set is given by

which is obtained analogously to (10). We make the following assumption to ensure that XcaseS is non-empty.
Assumption 3. The disturbances are small enough and propagated disturbances alone never exceed state constraints, i.e., G•W N ⊂ X .
This assumption is straightforward to satisfy when the system matrix A is stable, which motivates the following assumption.
Assumption 4. The system matrix A is stable, i.e., the eigenvalues of A are within the unit circle.
Remark 1. Note that even if the system is unstable, the assumption on A can still be fulfilled by using a feedback controller for prestabilization. Then the sets X and U have to be redefined taking the prestabilization into account, such as in [36].
2) Probabilistic Case: For the safe case, U cvpm collects those input trajectories that guarantee constraint satisfaction. However, if such an input trajectory does not exist, at least minimal constraint violation probability can be ensured. Therefore, for the probabilistic case, U cvpm collects the input trajectories u* that result in minimal constraint violation probability.
The safe case is applied if the current state is in XcaseS and results in zero constraint violation probability. Thus, for all other states, i.e., xt ∉ XcaseS, the probability of constraint violation is non-zero. To minimize the probability of violating x ∈ X^N, we transform the problem into minimizing the probability of violating x ∈ X^N_caseS:

u* = arg min

The set X \ XcaseS contains all states in X that are not initial states for the safe case, in which all predicted states remain in X. A trajectory will eventually leave X if its initial state is in X \ XcaseS. Therefore, trajectories with states in X \ XcaseS result in a high constraint violation probability. In contrast, XcaseS \ X contains all states that are not in X but whose predicted trajectory remains in X, resulting in a zero probability of constraint violation in the subsequent MPC iterations. Changing the probability optimization from (7b) to (12) does, therefore, not significantly change u*. However, this adjustment makes it possible to prove stability (see Section IV-B). Once u* is obtained, we set:

3) CVPM-MPC Formulation: The CVPM-MPC optimal control problem is

with U cvpm according to (10) or (13). The closed-loop system, compare (1), is then given by

where u*t is the first element of the optimal trajectory u* obtained at time step t.
Remark 2. Solving (14) requires two steps: first, a set U cvpm is calculated, and then, this set is used as a constraint for the MPC controller. Thus, CVPM can also serve as preprocessing for other controllers.

B. Probability Optimization in the Probabilistic Case
In the probabilistic case, the input trajectory u* with minimal constraint violation probability is the solution of the optimization problem (12). In general, neither an analytic nor an exact numerical solution of Pr(x ∉ X^N_caseS) is possible. Therefore, we propose two approximations. In the first approximation, the probabilities are computed using a sampling-based approach, which allows increasing the accuracy as the number of samples increases. However, this computation is time-consuming and not suitable for fast real-time systems. Therefore, the second method does not approximate the probability but modifies the optimization problem to find the input sequence u.
In the following, we prepare both approximations. We assume that the probability distribution in the safe case has a truncated support. This ensures the existence of trajectories with a zero probability of constraint violation. However, in the probabilistic case, this leads to a vanishing gradient in the optimization. Therefore, we approximate the truncated Gaussian of Assumption 1 by the corresponding non-truncated Gaussian wt ∼ N(0, Σw). The mean x̄ of the state trajectory x is x̄ = A xt + B u and the covariance matrix is given as Σx = diag(Σx, ..., Σx), where Σx is the steady-state solution of the uncertainty propagation

Given the mean and the covariance matrix for the state sequence x with a particular input sequence u, we obtain

proving that the state trajectory is subject to a Gaussian distribution.

1) Sampling-Based Probability Optimization: A numerical Monte Carlo sampling approach is employed to determine the probability of violating constraints. From the distribution (17), Ns samples of state sequences are drawn. The number of samples that are an element of the set X is denoted as NX. It follows that the constraint violation probability is approximately

The minimization of the constraint violation probability is approximated with a numeric optimization of (18). In each step within the optimization, (18) must be determined for a given input sequence u, resulting in a large computational burden.
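As an added illustration of the sampling-based approximation of Section III-B1 and of the covariance propagation above (example code written for this page, not the authors' implementation), the block below estimates Pr(x ∉ X^N) as 1 − NX/Ns from sampled state sequences, picks among constant input sequences the one with the smallest estimate (a simplification of optimizing over all of U^N), and iterates the propagation Σx ← A Σx A^⊤ + G Σw G^⊤ to its steady state. The 2-state system matrices, the box constraint X, the input bound U, the horizon N = 5, and the search grid are constructed assumptions; only Σw = diag(0.2, 0.2) is taken from the numerical example in Section V.

```python
import random

# Constructed 2-state example system (not the paper's DC-DC converter matrices,
# which are not reproduced here): A is stable (Assumption 4), the input acts
# on x2, and G is the identity.
A = [[0.9, 0.1],
     [0.0, 0.8]]
B = [0.0, 0.5]
G = [[1.0, 0.0],
     [0.0, 1.0]]
# Disturbance covariance from the paper's numerical example (Section V), used in
# its non-truncated Gaussian form as in the approximation of Section III-B.
SIGMA_W = (0.2, 0.2)
# Constructed box constraint X = {|x1| <= 3, |x2| <= 3} and input bound U = [-1, 1].
X_BOX = 3.0
U_MIN, U_MAX = -1.0, 1.0
N = 5  # prediction horizon (constructed; the paper's example uses N = 10)


def matmul(P, Q):
    return [[sum(P[i][k] * Q[k][j] for k in range(2)) for j in range(2)] for i in range(2)]


def transpose(P):
    return [[P[j][i] for j in range(2)] for i in range(2)]


def step(x, u, w):
    """One step of the dynamics x_{t+1} = A x_t + B u_t + G w_t."""
    ax = [A[0][0] * x[0] + A[0][1] * x[1], A[1][0] * x[0] + A[1][1] * x[1]]
    gw = [G[0][0] * w[0] + G[0][1] * w[1], G[1][0] * w[0] + G[1][1] * w[1]]
    return (ax[0] + B[0] * u + gw[0], ax[1] + B[1] * u + gw[1])


def in_X(x):
    """Membership in the box constraint set X."""
    return abs(x[0]) <= X_BOX and abs(x[1]) <= X_BOX


def violation_probability(x0, u_seq, n_samples=2000, seed=1):
    """Monte Carlo estimate of Pr(x not in X^N) for the input sequence u_seq, as in (18).

    Sampling per-step disturbances and propagating them through the dynamics is
    equivalent to drawing state sequences from the Gaussian (17). The fixed seed
    gives common random numbers across candidate inputs, so comparisons between
    candidates are not blurred by sampling noise.
    """
    rng = random.Random(seed)
    n_in_X = 0
    for _ in range(n_samples):
        x = x0
        stays_in_X = True
        for u in u_seq:
            w = (rng.gauss(0.0, SIGMA_W[0] ** 0.5), rng.gauss(0.0, SIGMA_W[1] ** 0.5))
            x = step(x, u, w)
            if not in_X(x):
                stays_in_X = False
                break
        if stays_in_X:
            n_in_X += 1
    return 1.0 - n_in_X / n_samples


def cvpm_probabilistic_input(x0, grid_points=11, **kw):
    """Approximate the probabilistic-case problem (12) by searching a grid of
    constant input sequences u = (v, ..., v), v in U, for the one with the
    smallest estimated violation probability. Returns (v, probability)."""
    best = None
    for i in range(grid_points):
        v = U_MIN + (U_MAX - U_MIN) * i / (grid_points - 1)
        p = violation_probability(x0, [v] * N, **kw)
        if best is None or p < best[1]:
            best = (v, p)
    return best


def steady_state_covariance(tol=1e-12, max_iter=10000):
    """Fixed point of the uncertainty propagation Sigma_x = A Sigma_x A^T + G Sigma_w G^T,
    i.e. the per-step block of the augmented covariance; converges because A is stable."""
    sigma_w = [[SIGMA_W[0], 0.0], [0.0, SIGMA_W[1]]]
    g_sw_gt = matmul(matmul(G, sigma_w), transpose(G))
    s = [[0.0, 0.0], [0.0, 0.0]]
    for _ in range(max_iter):
        a_s_at = matmul(matmul(A, s), transpose(A))
        s_next = [[a_s_at[i][j] + g_sw_gt[i][j] for j in range(2)] for i in range(2)]
        delta = max(abs(s_next[i][j] - s[i][j]) for i in range(2) for j in range(2))
        s = s_next
        if delta < tol:
            break
    return s


if __name__ == "__main__":
    x0 = (0.0, 3.5)  # constructed initial state outside X, so the probabilistic case applies
    v, p = cvpm_probabilistic_input(x0)
    print(f"best constant input {v:.1f}, estimated violation probability {p:.3f}")
```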

2) Probability Optimization Approximated as a Quadratic Program:
We propose an approximation in the following to speed up the computation. For the probabilistic case, the input sequence u* is defined as the solution to the optimization problem (12) with

where c = (2π) nxN det Σx −1 . As (19) is a non-convex cost for the optimization problem, we approximate it. In the probabilistic case, the mean state sequence x̄ is not in X^N_caseS, otherwise the safe case would be applied. Therefore, we assume that the distribution function (17) is nearly constant over the set XcaseS. We then approximate the integral in (19) by the product of the probability density function of the states in (17) and the volume of the polytope VP(X^N_caseS), yielding

The probability density function is evaluated at a point ξ ∈ X^N_caseS within the polytope. The variable ξ is then included in the optimization, yielding a structure similar to the MPC cost function. Later, this structure is essential for the proof of stability. The volume of the polytope VP(XcaseS) does not change if u is varied. We need to minimize Pr(x ∉ X^N_caseS); thus it is sufficient to solve the quadratic optimization problem

The matrix Σx in (21) is an adapted version of the covariance Σx and is defined later when stability is discussed. The solution of (21) leads to state sequences in the direction of small eigenvalues of Σx^{-1}, which result in the fastest decrease of the probability of constraint violation.

A. Recursive Feasibility
Recursive feasibility is a fundamental property for MPC algorithms. In each MPC time step, an optimal control problem has to be solved, and it needs to be ensured that the optimal control problem is feasible at time step t + 1 if it is feasible at time step t.

Definition 4 (Recursive Feasibility). An MPC optimal control problem is recursively feasible if it holds that U_t ≠ ∅ → U_{t+1} ≠ ∅ for all t ∈ N0, where U_t is the set of admissible inputs at time step t.
Recursive feasibility is fulfilled in CVPM by construction, because if the safe case is infeasible, the probabilistic case is applied, which will always deliver a solution. In the following, we prove recursive feasibility of the safe case, i.e., once the safe case is applicable, XcaseS is invariant under CVPM-MPC. For this purpose, the following assumption is required, which defines the terminal set in (5).
Assumption 5. The terminal set Xf ⊆ X is chosen as a robust control invariant set [35] and fulfills

Remark 3. Assumption 5 yields candidates for the terminal set Xf by extending the standard notion of a robust invariant set [35], such that disturbances propagated over the horizon N are included, i.e., it is a robust control invariant set where the set of disturbances is A^N G · W.
Lemma 1. If Assumption 5 holds, then for all xt ∈ XcaseS there exists an input ut such that the state at the next time step is also in the set XcaseS, i.e., XcaseS is robust control invariant.
Proof. The proof is given in Appendix A.
Based on Lemma 1, we can now formulate the following theorem on recursive feasibility.
Theorem 1. The safe case is recursively feasible.
Remark 4. In a practical situation, a terminal set not satisfying Assumption 5 is also possible. This would imply that XcaseS is not robust control invariant and thus the recursive feasibility guarantee in the safe case is lost. Nevertheless, a solution with possibly nonzero probability of constraint violation can still be found.

B. Stability
We show that both the safe case and the probabilistic case ensure input-to-state stability, proving that the CVPM-MPC method is input-to-state stable (ISS). We start with the definition of an ISS Lyapunov function.
The following assumption is required.
Assumption 6. The weighting matrices of the stage cost are positive definite and symmetric, i.e., Q = Q⊤ ≻ 0 and R = R⊤ ≻ 0. The terminal cost weighting matrix Qf is a solution of the discrete-time algebraic Riccati equation.
Based on the robust control invariance of XcaseS, it can be shown that the origin is ISS for the safe case. Consecutively applying the safe case yields the same behavior as robust MPC. If the safe case is not applicable, i.e., xt ∉ XcaseS, it needs to be ensured that the system is still ISS. For the inverse covariance matrix of the last predicted state xN, the solution S of the discrete-time algebraic Riccati equation is used, i.e.,

where K is a control gain such that xt ∈ XcaseS ⇒ xt+1 ∈ XcaseS. It follows that

describes the adapted inverse of the covariance matrix.
Lemma 4. Let Assumptions 4 and 6 hold. For xt ∉ XcaseS, the origin of the error dynamics between the closed-loop system (15) and the optimization variable ξ ∈ XcaseS is ISS using the method from Section III-B2.
Proof. The proof is given in Appendix C.
Based on Lemma 3 and Lemma 4, we can now formulate the stability theorem for CVPM-MPC.
Proof. From Lemma 4 we conclude that the state converges to the set XcaseS. Based on Lemma 3, the origin of system (15) is ISS for xt ∈ XcaseS. Finally, the origin is ISS for all xt ∈ R^nx.

C. Extension to Time-Variant Constraints
We have assumed that the state constraint set X and the disturbance set W are time-invariant. However, the method can also handle time-variant X and W during runtime without preprocessing. We discuss two different situations here. First, we discuss stability when the sets X and W change for a short time, and second, when the sets change permanently.
1) Short-term change: A change of the sets X or W for one time step, e.g., an unexpectedly large disturbance, may lead to a violation of Assumptions 2 and 5, and thus invalidate the stability guarantee in the safe case. A violation of Assumption 3 leads to XcaseS = ∅ and, therefore, the probabilistic case is applied. Although recursive feasibility is preserved, stability of the origin can no longer be ensured. As the temporary change subsides, all assumptions are again satisfied, resulting in stability.
2) Permanent change: It can be shown that, under Assumptions 2, 3, and 5, a permanent change of the sets X and W also does not affect the stability of the system.
To meet Assumption 5, a precomputed terminal set Xf can be utilized, which is computed for an initially large disturbance set W. If the disturbance set changes during runtime, the assumptions still hold. A suitable choice for Xf is a minimal robust invariant set. Since Xf ⊆ X, this enables choosing the state constraint set X rather small.

V. NUMERICAL EXAMPLE
In the following, we discuss recursive feasibility and stability of the proposed method in simulation studies and demonstrate the capability of CVPM-MPC to handle time-variant uncertainty bounds.

A. Simulation Setup
We consider a discrete-time linear system. The system matrix, input matrix, and disturbance matrix are given by

The model describes a DC-DC converter, see [38], where the state x1 stands for the current in a coil and the state x2 is the voltage of a capacitor. The goal is to stabilize a voltage of 3.3 V, yielding the reference xref = [1.06 3.30]⊤ and uref = 0.28. The method is adapted such that the reference state is stabilized. The input is the duty cycle of a transistor, thus U = {u | 0 ≤ u ≤ 1}. In the simulation, modeled and unmodeled disturbances are considered. The support of the modeled disturbance is

with covariance matrix Σw = diag(0.2, 0.2). The time-invariant state constraint set is chosen as

Note that state constraints, uncertainty, and system matrix satisfy Assumptions 1, 2 and 4.
The MPC employs a horizon of N = 10 with sampling time ∆t = 0.1, and the weighting matrices are chosen as Q = diag(1, 5) and R = 1. The terminal cost Qf is determined according to Assumption 6. The computation of the polyhedra U cvpm and XcaseS is done with the MPT3 toolbox [39].

B. Comparison of Probability Minimization Methods
The minimum of the constraint violation probability (12) is challenging to compute. Therefore, two methods to approximate the probability are introduced: first, in Section III-B1, a numeric computation of the probability using a Monte Carlo method, and second, in Section III-B2, an approximation of the probability utilizing a quadratic program. As shown on the left in Figure 1, the trajectories that result from applying both methods are almost identical. The initial value is not in X, leading to a high probability of constraint violation. Applying the proposed method leads to convergence to the set X and a decrease in the constraint violation probability. On the right side of Figure 1, the constraint violation probability for the approach from Section III-B2 is given. Initially, the constraint violation probability is almost 1, and the minimization allows approaching the set XcaseS. We observe that the probabilistic case can deal with otherwise infeasible initial states and find a trajectory that converges to XcaseS.
The average computation time for one step of the approximation introduced in Section III-B2 is 60 ms on a standard computer, while the average computation time for one step of the sampling method is 4 min on a computer with an Intel Xeon E5-2630. The sampling-based approach uses Ns = 10^5 randomly generated samples in each iteration, distributed according to (17).

C. Performance with Modeled and Unmodeled Disturbances
The following simulation shows convergence to a reference when starting with a non-zero constraint violation probability. At time step t = 50, an unmodeled disturbance affects the system for one time step, which is handled by the CVPM-MPC method. An unmodeled disturbance may be interpreted as an increase of W for one time step or as wt ∉ W. Figure 2 illustrates the simulation results. The set X is indicated by the blue box. The set XcaseS is marked in yellow. If the system state is in XcaseS, the safe case is applicable. The initial state does not allow zero constraint violation probability in the next step, i.e., x0 ∉ XcaseS; therefore, the probabilistic case is required, indicated by the red dot in Figure 2.
Applying the CVPM-MPC procedure for the probabilistic case moves the system state into the set XcaseS, as seen on the left side of Figure 2. In XcaseS, the control input is determined based on the safe case, as indicated by the green dots, since it is possible to reach X in the next step. The subsequent steps with the safe case move the system state towards the origin. Note that in this simulation the probabilistic case is mostly active, whereas in application the standard situation is applying the safe case and only switching to the probabilistic case when unexpected disturbances occur.
At time step t = 50, an unmodeled disturbance occurs, which moves the system state outside of XcaseS, as illustrated on the right side of Figure 2. Note that input-to-state stability is not guaranteed in this step, as the uncertainty bound increased, which violates Assumption 1. Similar to the initial simulation state, the probabilistic case is required because it is not possible to reach the constraint set X in the next step. By switching from the safe case to the probabilistic case, recursive feasibility is maintained. Afterwards, the CVPM-MPC method steers the system state back to XcaseS.

VI. DISCUSSION
In contrast to the CVPM-MPC method presented in [5] and [6], the CVPM-MPC approach proposed in this work is more general.Here, we consider general linear constraints for a system with additive uncertainty, whereas [5], [6] are motivated by a vehicle collision avoidance scenario utilizing two dynamics and norm constraints.The proposed approach significantly extends the possible applications to all linear or linearized systems where constraints are linear or where constraints may be linearized.The stability of the origin with general linear constraints is achieved with a robust control invariant set of initial states for the safe case and Assumption 5 on the terminal constraint.heworkspace of a robot.
In Section IV-B, stability is discussed.As seen in the simulation example, the CVPM-MPC method is capable of remaining feasible even in the presence of unmodeled disturbances, but at the cost of a constraint violation probability close to 1.The stability results may not hold in case of unmodeled disturbances, as a bounded uncertainty is assumed in the proofs (Assumption 1).The proposed method, however, allows updating the assumed uncertainty bound and state constraint.Therefore, the stability proof becomes valid again for an updated set W or X as long as Assumptions 2, 3, and 5 hold.If the uncertainty bound is not known initially, a conservative guess may be chosen and then the bound may be tightened over time, based on recorded data.The potential short loss of a stability guarantee is acceptable, however, as the main focus of this work is the minimization of constraint violation probability.Note that recursive feasibility remains guaranteed even for unmodeled disturbances.
If only SMPC is applied to the scenario shown in Fig. 2, an 8 % chance of violating the $x_1 < 2$ constraint is observed, while CVPM avoids constraint violation robustly. In contrast to SMPC, the probabilistic case does not optimize a control objective but focuses only on the constraint by minimizing the probability of constraint violation. Only when the measured state, which is the initial value for the prediction, is in $X_{\text{caseS}}$ is the control objective taken into account again. We assume applications where the safe case is active almost all the time, while the probabilistic case tackles rare safety problems and is active if initial values are not safe or unmodeled disturbances occur.
In contrast to RMPC, we consider the disturbance set $W$ as a tuning parameter. Conservative assumptions with a large $W$ result in conservative policies, whereas a small $W$ leads to a more optimistic but also more risky behavior.

VII. CONCLUSION
The proposed CVPM-MPC method provides an MPC approach that combines the advantages of robust and stochastic MPC. The ability of CVPM-MPC to cope with time-variant constraints and uncertainty bounds provides a significant benefit for safety-critical systems. Recursive feasibility is guaranteed and stability is ensured under assumptions on the state constraint and disturbance support.
CVPM-MPC is suitable for linear and linearized systems, enabling the use in applications such as quadcopter control or automated vehicles. Furthermore, the proposed CVPM-MPC method may be extended to consider probabilistic constraints and robust state constraints simultaneously. This extension would allow practitioners to employ robust constraints where possible and necessary as well as probabilistic CVPM constraints if suitable.
Whereas robust methods guarantee safety for predictable events, unpredictable environmental changes are not covered. This is especially complex if ethical concerns are relevant for applications, e.g., how autonomous systems should behave if collision avoidance cannot be guaranteed. CVPM-MPC provides a novel way to handle such scenarios and ethical issues.

APPENDIX A PROOF OF LEMMA 1
In this section, we use the following notation. The input sequence $\mathbf{u}_t$ obtained at time step $t$ until prediction step $t+N-1$ yields the state sequence $\mathbf{x}_t$, where these sequences are defined as
$$\mathbf{u}_t = (u_{t|t}, \ldots, u_{t+N-1|t}), \qquad \mathbf{x}_t = (x_{t+1|t}, \ldots, x_{t+N|t}). \tag{28}$$
The initial state for the state sequence is given as $x_{t|t} = x_t$. Predictions made at time step $t+1$ are denoted depending on the uncertainty $w_t$ at time step $t$. Optimal trajectories for the states and inputs are denoted by $\mathbf{u}_t^*$ and $\mathbf{x}_t^*$.
Proof. We first show that a subsequent state sequence is in the zero violation set $X \ominus G \cdot W^N$ if the previous state sequence is also in the zero violation set. Let the predicted state sequence $(x_{t+1|t}, \ldots, x_{t+N|t})$, based on the initial state $x_t \in X_{\text{caseS}}$, be in $X \ominus G \cdot W^N$. Then, the initial state of the subsequent state sequence, $x_{t+1|t+1} = x_{t+1|t} + G w_t$, is affected by the disturbance $w_t$. All states in the candidate state sequence are affected by the propagation of the disturbance. Next, we show that the terminal state does not leave the terminal set. The state $x_{t+N|t}$ is in the terminal set $X_f$. Based on Assumption 5, it follows that an input $u$ exists such that the terminal state of the subsequent sequence is also in the terminal set, i.e., $x_{t+N+1|t+1} \in X_f$. To conclude, the subsequent state sequence (31) is always in the zero violation set $X \ominus G \cdot W^N$.
Since $X_{\text{caseS}}$ includes all states where a prediction $\mathbf{x}_t \in X \ominus G \cdot W^N$ exists and the subsequent prediction $\mathbf{x}_{t+1}$ affected by a disturbance $w_t \in W$ is in the same set, we conclude that $X_{\text{caseS}}$ is a robust control invariant set.

APPENDIX B PROOF OF LEMMA 3
We start with preparations for the proof. The optimal input $u_t^*(x_t)$ is obtained by solving the MPC optimal control problem (14). Based on (4), we abbreviate the stage cost and the terminal cost by
$$l(x_t, u_t) = \|x_t\|_Q^2 + \|u_t\|_R^2, \qquad V_f(x_t) = \|x_t\|_{Q_f}^2.$$
In the following, the notation introduced in (28) is used.
Proof. For $x_{t|t} \in X_{\text{caseS}}$ with Assumption 5, $X_{\text{caseS}}$ is robust control invariant according to Lemma 1. We define the Lyapunov function $V(x_{t|t}) = J(x_{t|t}, \mathbf{u}_k^*)$ based on the cost (4) with the optimal feedback law $u_k^*(x_t)$ obtained according to (14), where $U_{\text{cvpm}}$ is from the safe case. As $V$ is continuous, positive definite, and radially unbounded based on Assumption 6, $\alpha_1, \alpha_2 \in \mathcal{K}_\infty$ exist such that (22a) is fulfilled [40]. Additionally, $V$ is Lipschitz continuous on $X_{\text{caseS}}$ as $V$ only consists of quadratic terms and $X_{\text{caseS}}$ is bounded.
The term $q(\cdot)$ is Lipschitz continuous due to Assumption 6 and the boundedness of $X_{\text{caseS}}$ and $U$, resulting in a Lipschitz bound with constant $L_q$. Given (34b) and (35), it is straightforward that the previous procedure holds for any $t \geq 0$. Therefore, all requirements of Definition 5 are fulfilled, i.e., $V$ is an ISS Lyapunov function and the origin of system (15) is ISS if $x_{t|t} \in X_{\text{caseS}}$.

APPENDIX C PROOF OF LEMMA 4
In the following, the notation introduced in (28) is used.
Proof. The optimal input is now determined in (21). We define the error between a state sequence $\mathbf{x}_k$ and the optimization variable $\xi$ in each time step $t+k$ as $e_{t+k|t}$, based on the initial value at time $t$. The candidate Lyapunov function is
$$V'(e_{t|t}) = l'(e^*_{t|t}) + q'(e^*_{t+1|t}) \tag{36b}$$
with an optimal input sequence $\mathbf{u}_k^*$, values of $\xi_k^*$, and stage cost $l'(e_{t+k|t}) = \|e_{t+k|t}\|^2_{\Sigma_x^{-1}}$ according to (21). The terminal cost is defined as $V'_f(e_{t+N|t}) = \|e_{t+N|t}\|_S^2$, based on (24). Since $V'$ is positive definite, radially unbounded, and Lipschitz continuous on $\mathbb{R}^{n_x}$, (22a) holds.
Similar to Lemma 3, we define the total cost starting at $e_{t+1|t}$ as $q'(e_{t+1|t})$. For $t+1$, the optimal cost is $V'(e_{t+1|t+1})$ with the optimal values $\mathbf{u}_{k+1}^*$ and $\xi_{k+1}^*$. We apply a shifted non-optimal input sequence $(u^*_{t+1|t}, \ldots, u^*_{t+N-1|t}, K x^*_{t+N-1|t})$, where the last input is determined with the feedback matrix $K$. Similarly for the error, the shifted sequence $(e_{t+1|t}, \ldots, e_{t+N|t}, (A+BK)e_{t+N|t})$ is used. We obtain an upper bound that equals $q'(e^*_{t+1|t+1})$, which can be summarized to $q'(e_{t+1|t+1})$ due to (24). Since $q'$ is Lipschitz continuous on $\mathbb{R}^{n_x}$, the same arguments as in Lemma 3 apply. It follows that for $x_{t|t} \in \mathbb{R}^{n_x}$, which includes $x_{t|t} \notin X_{\text{caseS}}$, the error $e_{t|t}$ between (15) and the optimization variable $\xi \in X^N_{\text{caseS}}$ is ISS.
Norms are denoted by $\|\cdot\|$. We define $\|a\|_A^2 = a^\top A a$. An augmented vector is denoted by $a = [a_1, \cdots, a_i]^\top$. We denote linear transformations of sets by $A \cdot B = \{Ab \mid b \in B\}$ and $B \cdot A = \{b \mid Ab \in B\}$. The Cartesian product of the sets $A$ and $B$ is $A \times B = \{[a, b] \mid a \in A, b \in B\}$. The $n$-ary Cartesian power of a set $A$ is denoted by $A^n = \{[a_1, \cdots, a_i] \mid a_i \in A\ \forall i \in \mathbb{I}_{1,n}\}$. The Minkowski sum of two sets is denoted $A \oplus B = \{a + b \mid a \in A, b \in B\}$ and the Pontryagin difference is given by $A \ominus B = \{c \mid c + b \in A,\ \forall b \in B\}$.
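The set operations defined above, together with the zero violation set $X \ominus G \cdot W^N$ used in the proof of Lemma 1 (Appendix A), can be exercised numerically. The following Python example is added here and is not code from the paper: it implements $A \cdot B$, $A \oplus B$ and $A \ominus B$ for a polytope $X = \{x \mid Hx \le h\}$ in halfspace form and a disturbance set given by its vertices, and builds step-wise tightened constraint sets for a nominal prediction so that every disturbance realisation keeps the true state inside $X$. It assumes the additive-uncertainty dynamics $x_{t+1} = A x_t + B u_t + G w_t$ with $w_t \in W$ and a bounded polytopic $W$; the double-integrator matrices, the box constraint and the disturbance box are constructed sample values, and the recursion $D_{k+1} = A \cdot D_k \oplus G \cdot W$ for the accumulated disturbance effect is the standard constraint-tightening construction, not a transcription of the paper's definition of $W^N$.

```python
# Added example, not code from the paper: the set operations A.B, A(+)B and
# A(-)B from the notation paragraph, applied to a polytope X = {x | H x <= h}
# and a vertex-described disturbance set, to build tightened ("zero
# violation") constraint sets as in Appendix A.
# Assumption (labelled): dynamics x+ = A x + B u + G w with w in W, the
# additive-uncertainty model of the paper.  All matrices and numbers below
# are constructed sample values.
from itertools import product


def matvec(M, v):
    """Matrix-vector product for nested lists."""
    return [sum(mij * vj for mij, vj in zip(row, v)) for row in M]


def linear_image(M, V):
    """M . V = {M v | v in V} for a vertex-described set V."""
    return [matvec(M, v) for v in V]


def minkowski_sum(V1, V2):
    """V1 (+) V2: every point of the sum's vertex set is a sum of vertices."""
    return [[a + b for a, b in zip(v1, v2)] for v1 in V1 for v2 in V2]


def support(direction, V):
    """Support function max_{v in V} direction^T v (attained at a vertex)."""
    return max(sum(d * vi for d, vi in zip(direction, v)) for v in V)


def pontryagin_difference(H, h, V):
    """X (-) V = {c | c + v in X for all v in V} for X = {x | H x <= h}.
    Each halfspace H_i x <= h_i is tightened by the support of V along H_i."""
    return H, [hi - support(Hi, V) for Hi, hi in zip(H, h)]


def contains(H, h, x, tol=1e-9):
    """True iff x lies in {x | H x <= h} (small tolerance for rounding)."""
    return all(sum(a * b for a, b in zip(Hi, x)) <= hi + tol
               for Hi, hi in zip(H, h))


def box_vertices(lo, hi):
    """Vertices of the axis-aligned box [lo, hi]."""
    return [list(v) for v in product(*zip(lo, hi))]


def disturbance_reachable_sets(A, G, W, N):
    """D_k = accumulated effect of k disturbances on the true state, k = 1..N:
    D_1 = G.W,  D_{k+1} = A.D_k (+) G.W  (the nominal part cancels out)."""
    GW = linear_image(G, W)
    sets, D = [], GW
    for _ in range(N):
        sets.append(D)
        D = minkowski_sum(linear_image(A, D), GW)
    return sets


def tightened_constraints(H, h, A, G, W, N):
    """Step-wise sets X (-) D_k: a nominal prediction x_{t+k|t} in X (-) D_k
    guarantees that the disturbed state at step t+k stays in X."""
    return [pontryagin_difference(H, h, D)
            for D in disturbance_reachable_sets(A, G, W, N)]


def zero_violation_by_enumeration(H, h, x_nominal, D):
    """Brute-force check of the same property: x + d in X for every vertex d.
    Sufficient because X is convex and D is the convex hull of its points."""
    return all(contains(H, h, [xi + di for xi, di in zip(x_nominal, d)])
               for d in D)


# Constructed sample: double integrator with dt = 0.1, box constraint
# |x_i| <= 2, additive disturbance w in [-0.1, 0.1]^2 entering through G = I.
A = [[1.0, 0.1], [0.0, 1.0]]
G = [[1.0, 0.0], [0.0, 1.0]]
H = [[1.0, 0.0], [-1.0, 0.0], [0.0, 1.0], [0.0, -1.0]]
h = [2.0, 2.0, 2.0, 2.0]
W = box_vertices([-0.1, -0.1], [0.1, 0.1])

if __name__ == "__main__":
    for k, (Hk, hk) in enumerate(tightened_constraints(H, h, A, G, W, 3), 1):
        print(f"step {k}: tightened bounds {[round(v, 3) for v in hk]}")
```

Running the block prints the tightened bounds per prediction step; the bounds shrink with $k$ because the disturbance accumulates through $A$. `zero_violation_by_enumeration` independently confirms that a nominal state is in $X \ominus D_k$ exactly when all vertex realisations of the accumulated disturbance keep the disturbed state in $X$, which is the property the zero violation set is built to provide.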

Lemma 3.
Let Assumptions 2, 4, 5 and 6 hold. Then, for $x_t \in X_{\text{caseS}}$, the origin of the closed-loop system (15) is ISS. Proof. The proof is given in Appendix B.

Fig. 2: Simulation of CVPM-MPC with an unmodeled disturbance. Left: convergence to the set $X$; right: convergence to the set $X$ after the unmodeled disturbance (green: safe case; red: probabilistic case; bright marker: current state).