Content uploaded by Ting-Wei Hsu
Author content
All content in this area was uploaded by Ting-Wei Hsu on Dec 01, 2023
Content may be subject to copyright.
JOURNAL OF THE AMERICAN HELICOPTER SOCIETY 69, 022003 (2024)
Towards Flight Envelope Protection for the NASA Tiltwing eVTOL
Flight Mode Transition Using Hamilton–Jacobi Reachability
Ting-Wei Hsu∗Jason J. Choi Divyang Amin Claire Tomlin Shaun C. McWherter Michael Piedmonte
Flight Controls Engineer PhD Candidate Flight Sciences Lead Professor Aerospace Engineer CEO and Founder
Bechamo LLC UC Berkeley Bechamo LLC UC Berkeley NASA Armstrong Flight Bechamo LLC
Buffalo, NY Berkeley, CA Buffalo, NY Berkeley, CA Research Center Buffalo, NY
Edwards, CA
Innovative electric vertical take-off and landing (eVTOL) aircraft designs and operational concepts, driven by advance-
ments in battery and electric motor technologies, seek to achieve superior safety records with increased system redundancy.
Validating safe ight operations within the prescribed ight envelope for passenger ights in densely populated urban en-
vironments remains a primary challenge. This paper establishes a framework for applying Hamilton–Jacobi reachability
analysis to the full six-degree-of-freedom (6-DOF) dynamics of the NASA Tiltwing vehicle, verifying the ight envelope
during the ight mode transition between near-hover and cruise ight, which prevents loss of control of the vehicle and
ensures recoverability to safe trim conditions. This involves rst verifying the nominal ight mode transition path as a series
of trim points, dening the safe ight envelope using reachability, and decomposing the system dynamics into longitudinal
and lateral subsystems. Our formulation guarantees the computed envelope’s robustness against modeling errors and un-
certainties, and the usage of state decomposition signicantly improves the tractability of the reachability computation. The
result is validated through Monte Carlo 6-DOF nonlinear simulation of vehicle dynamics, demonstrating that the vehicle
states within the ight envelope can successfully recover to trim states and continue the ight mode transition safely.
Nomenclature
Problem formulation and reachability
BRT backward reachable tube
Dset of possible disturbance (disturbance bounds)
Dset of measurable functions for disturbance
signals
ddisturbance signal
d∗worst-case disturbance
ddisturbance vector
FRT forward reachable tube
FRS forward reachable set
FE ight envelope
fsystem dynamics
HHamiltonian
Jcost function
ktrim state index
Ltarget set
lLipschitz continuous implicit function
characterizing the target set L
N,M,Pdimensions of the state, input, and disturbance
vectors
ntotal number of trim states
proj,proj−1projection and back projection operators
Sset in the state space of a full system or a
subsystem
Ttime horizon, s
ttime instance, s
t0initial time, s
∗Corresponding author; email: twhsu@bechamo.com
Presented at the Vertical Flight Society’s 79th Annual Forum & Technology Dis-
play, West Palm Beach, FL, May 16–18, 2023. Manuscript received April 2023;
accepted October 2023.
Uset of admissible control input (input bounds)
Uset of measurable functions for control input
signals
ucontrol input signal
u∗optimal control policy
ucontrol input vector
Vvalue function
Xstate space of a subsystem
xstate trajectory
xstate vector
x0initial state vector
xtrim trim state
Zstate space of a full system
ztrajectory of the full aircraft dynamics
zstate vector of the full aircraft dynamics
domain of the non-anticipative disturbance
strategy
γnon-anticipative disturbance strategy
Aircraft coordinates and dynamic model
Astate matrix of the linear state-space model
Binput matrix of the linear state-space model
ggravity, m/s2
Ixx,Iyy,Izz ,Ixy,Ixz components of the mass moment of inertia with
respect to the stability axes, kg ·m4
L,M,Nbody moments along the stability axes, N·m
mmass, kg
p,q,rbody angular velocity along the stability axes,
rad/sordeg/s
T1,T2··· ,T8thrust generated by each propeller, N
Tw,Tttotal thrusts generated by propellers on the main
wing and the horizontal tail, N
Td12,Td34,TdDiag differential thrusts, N
Utrim trim airspeed, m/s
DOI: 10.4050/JAHS.69.022003 C
2024 Vertical Flight Society022003-1
T.-W. HSU JOURNAL OF THE AMERICAN HELICOPTER SOCIETY
Vairspeed, m/s
u,v,wbody linear velocity along the stability axes, m/s
X,Y,Zbody forces along the stability axes, N
xE,yE,zEaxes of the Earth frame
xb,yb,zbbody axes
xs,ys,zsstability axes
αangle of attack, rad or deg
βside slip angle, rad or deg
perturbation
δe,δa,δrdeection angles of the elevator, aileron, and
rudder, rad or deg
0trim pitch angle, rad or deg
, ξ parameters of the disturbance-bound models
a constant in the control allocation scheme that
ensures TdDiag does not produce roll moments
σw,σ
ttilt angles of the main wing and the horizontal
tail, rad or deg
ϕ, θ, ψ roll, pitch, and yaw Euler angles, rad or deg
Subscripts
(·)full full system
(·)lat lateral subsystem
(·)lon longitudinal subsystem
(·)trim trim state
(·)Bbackward reachable tube
(·)Fforward reachable tube
(·)Qaerodynamic force or moment
Introduction
Motivation
The recent progress in battery and electric motor technologies has
paved the way for innovative distributed electric propulsion and elec-
tric vertical take-off and landing (eVTOL) aircraft designs, along with
evolving concepts of operation (ConOps) (Ref. 1). Of greater signi-
cance, these novel designs have potentially reduced maintenance and op-
erations costs with superior safety by incorporating multiple propellers
and propulsion units. These improved features come at the cost of new
challenges to electric propulsion and y-by-wire control systems, among
others.
One of the primary challenges to bringing urban air mobility (UAM)
into mainstream operations is ensuring the aircraft is own within a safe
operating envelope. The complexities of the number of actuators and
nonunique trim conditions are difcult to impossible for a pilot to main-
tain without the aid of some type of automated lower level control sys-
tems (Ref. 2). The overarching objective for the community driving inno-
vation in the next-generation aircraft is to enable their use for passenger
ights in densely populated urban environments (Ref. 3). Flights over
populated areas involving passengers are safety critical, and it is nec-
essary that the ight system operates solely within the ight envelope
veried to be safe. The wide variety of vehicle design concepts and con-
gurations currently under investigation poses considerable challenges
to ight envelope verication. This contrasts with traditional aircraft,
where safety verication processes are more streamlined and supported
by established safety requirements mandated by regulations (Ref. 4).
Flight envelope verication of emerging eVTOL vehicle concepts
presents several challenges, primarily due to the intricacies of their novel
aerodynamics. An important concern is ensuring the vehicle’s recover-
ability to safe trim states. Most established ight controller designs ne-
cessitate the aircraft to operate around a specic set of trim conditions. In
these conditions, both the vehicle dynamics and the controller’s perfor-
mance undergo rigorous validation. However, when the vehicle deviates
from these trim conditions, the vehicle models which are locally veried
near the trim conditions exhibit larger errors. This can lead the aircraft
into regions where the controller may not meet its intended objectives
and recovery to safe trim points may be impossible.
Further complicating ight envelope verication for eVTOL vehicles
is the challenge posed by their ight mode transitions. Shifting between
vertical and forward ight is vital for these vehicles, enabling successful
takeoffs, cruising, and landings. Yet, during these transitions, the vehi-
cle faces a precarious balance. The rotor propulsion may not adequately
sustain altitude or speed. Simultaneously, the vehicle, with its high an-
gle of attack and diminished airspeed, is at an increased risk of stalling,
elevating the potential for loss of control. Actuator recongurations dur-
ing these phases further modify the vehicle’s aerodynamics, a factor that
must be intricately accounted for during model-based verication. Con-
sequently, a thorough evaluation of safety during these transitions is a
critical aspect of ight envelope verication for eVTOL vehicles.
In light of the challenges, this paper presents a collaborative research
effort among authors from Bechamo LLC, UC Berkeley, and NASA to
evaluate the feasibility of using Hamilton–Jacobi (HJ) reachability anal-
ysis (Ref. 6) as a practical approach to conducting ight envelope veri-
cation for eVTOL aircraft. Bechamo’s goal is to develop a ight envelope
protection strategy that safeguards the safety-critical eVTOL ight mode
transition using novel technologies researched in academia. The authors
of UC Berkeley hope to disseminate the usage of the HJ reachability tool,
so far which has been primarily used in academia, to industry to facili-
tate the development of eVTOL control systems that can ensure safety.
The effort also supports two broader research goals of the NASA author.
These are (1) to investigate variable human–machine teaming concepts
for the safe operation of UAM eVTOL aircraft by operators with lim-
ited training and (2) to develop runtime safety assurance technologies
to be able to expedite the envelope expansion, model identication, and
validation process for new eVTOL vehicles.
The analysis was performed for the NASA Tiltwing concept vehi-
cle for urban air mobility (Ref. 7) as a representative realistic full-scale
eVTOL target design. This aircraft is capable of transitioning between
vertical and forward ight by reconguring the tilt angles of its main
wing and the horizontal tail. The design was selected because the ne-
cessity of transferring lift and thrust between the wing and propellers
during the transition poses signicant challenges to model-based con-
trollability analysis. HJ reachability analysis is employed to verify safe
ight conditions for the transition, which are encompassed within the
computed ight envelope. The expectation is that the safety guarantees
derived from the reachability theory will both predict leaving veried
safe regions and automatically push the aircraft back to the safe region
of operation, rendering the overall system provably safe.
Relevant work
Flight envelope protection has been employed to mitigate various
in-ight risks for aircraft, such as hazardous touchdown during landing
(Ref. 8), and structural damage due to excessive loading (Ref. 9). In this
study, we concentrate on the ight envelope as a means of preventing loss
of control and ensuring recovery to safe trim conditions for eVTOL ve-
hicles. Methods of characterizing ight envelope for preventing loss of
control have been extensively investigated for conventional xed-wing
aircraft (Refs. 10–12).
The HJ reachability approach has been employed in previous research
to estimate safe ight envelopes for conventional aircraft (Refs. 12–14)
and xed-wing vectored-thrust VTOL aircraft (Ref. 15). Early work
on applying HJ reachability analysis to the safety control of a VTOL
022003-2
TOWARDS FLIGHT ENVELOPE PROTECTION FOR THE NASA TILTWING eVTOL FLIGHT MODE TRANSITION 2024
Fig. 1. Diagram showcasing the HJ reachability framework to verify the safe ight envelope for NASA’s Tiltwing vehicle (Ref. 7) during
mode transitions. The vehicle transitions through a series of trim conditions (green) ranging from 20 to 62.5 m/s airspeed. By linearizing and
decomposing system dynamics into longitudinal and lateral subsystems at each trim point, we reduce the state dimension from eight to four,
making reachability computations feasible. The full system’s ight envelope is then reconstructed from each subsystem’s reachable tubes (blue).
Harrier aircraft in (Ref. 15) focused on applying the analysis to a low-
dimensional model of the vehicle’s longitudinal dynamics. During that
period, the community used simple closed-form expressions to represent
the ight envelope based on the low-dimensional model, as more gener-
alizable computational methods for solving reachability problems were
not yet developed.
Later-developed numerical methods, such as those in Ref. 6, enabled
computational verication of ight envelopes for conventional xed-
wing aircraft (Refs. 12–14). However, the exponential increase in com-
putational complexity with respect to the state dimension of the ve-
hicle model hindered the application of these methods to using high-
dimensional models of vehicle dynamics. The reduced order models that
are used instead allowed for envelope verication only in the subspace of
the full system, specically the longitudinal dynamics. Recent advance-
ments in HJ reachability methods have addressed this computational lim-
itation through system decomposition techniques (Ref. 16). Another re-
cent study in Ref. 17 employs an alternative method called distance eld
on grids that utilizes nonlinear programming to solve the optimal control
problem underlying reachability analysis.
Contributions
The main contribution of this study is the development of a frame-
work for applying the HJ reachability analysis to the NASA Tiltwing ve-
hicle, with the purpose of verifying the safe ight envelope during ight
mode transitions. It is important to note that HJ reachability is not used
to design the nominal transition controller. Instead, the computed ight
envelope through HJ reachability is used to verify the safety of the tran-
sition between near-hover and cruise. In case the vehicle is about to exit
the ight envelope due to pilot commands or unexpected disturbances,
the optimal controller derived from HJ reachability can be employed to
recover the vehicle to a safe region within the veried ight envelope.
To achieve this, the nominal ight mode transition path is identied
as a series of trim conditions through which the vehicle passes between
hover and cruise ight. Then, the safe ight envelope is dened using the
concept of reachability, which captures vehicle states that can recover to
and be reached from the trim states, similar to the denition proposed
in Ref. 12. We then decompose the system dynamics into the longitu-
dinal and the lateral subsystems at each trim point, by linearizing the
perturbed dynamics at the trim point and decoupling the propeller thrust
components.
With the system decomposed into self-contained longitudinal and
lateral subsystems, we can apply system decomposition techniques
(Ref. 16) and perform reachability computations for each subsystem sep-
arately. In doing so, the theoretical results in Ref. 16 are extended to
guarantee the exact reconstruction of the ight envelope of the full sys-
tem dynamics in our case. Moreover, our formulation guarantees that the
computed envelope is robust against the modeling error induced by the
linearization of the dynamics and the uncertainty arising from wing and
tail tilt reconguration.
The overall framework is illustrated as a diagram in Fig. 1. Utiliz-
ing state decomposition is critical to the success of our framework for
verifying the safe ight envelope, expressed in a rich high-dimensional
space encompassing vehicle speed, pose, and angular rates in the three-
dimensional axis. The decomposition reduces the maximum state dimen-
sion from eight to four, signicantly enhancing the tractability of reacha-
bility computation from nearly infeasible to a runtime of just a few hours.
This runtime reduction is sufcient for the intended application, as these
envelopes are computed ahead of time during the design phase rather than
in real-time ight. Finally, we validate the computation results through
Monte Carlo six-degree-of-freedom (6-DOF) nonlinear simulation of the
vehicle dynamics, demonstrating that vehicle states captured within the
ight envelope can successfully recover to trim states and continue with
a safe ight mode transition.
Problem Formulation
Safe ight envelope of the ight mode transition
The NASA Tiltwing features a main wing and a horizontal tail that are
horizontal during cruise ight but can be tilted up during hover or vertical
takeoff and landing (Fig. 2). The tilt angles are scheduled by airspeeds
022003-3
T.-W. HSU JOURNAL OF THE AMERICAN HELICOPTER SOCIETY
Fig. 2. The NASA Tiltwing aircraft (Ref. 7).
and adjusted slowly throughout the transition between hover and cruise
ight. Such scheduled tilt angles are determined such that the aircraft can
be trimmed at various airspeeds during the transition. Therefore, we can
obtain a series of trim states at different airspeeds throughout the transi-
tion, where each trim state is a locally stable equilibrium with a specic
tilt-angle conguration. The nominal control strategy for the transition is
to stabilize the aircraft at one trim state before it transitions to the next.
The transition between hover and cruise is then realized by transitions
among a series of trim states.
The goal of safe ight envelope protection in this paper is to ensure
that the Tiltwing aircraft can safely transition between the trim states
without loss of control. When the vehicle deviates from one of the trim
states due to pilot commands or unexpected disturbances, no guarantees
of recovery to the trim points can be made unless the vehicle is protected
robustly against the set of states that might lead to the loss of control.
Thus, in this study, we are concerned with computing the ight envelope
around a set of trim states during the transition between near-hover and
cruise ight. Once the ight envelope is computed, by ensuring that the
vehicle does not exit the boundary of the envelope, we can protect the
vehicle against loss of control during the mode transition.
Reachability for the characterization of the ight envelope
The reachability-based characterization of the ight envelope that
will be described in this section is adapted from the framework proposed
in Ref. 12. In this framework, the ight envelope must rule out any states
from which recovery to the trim points is not guaranteed, and any states
that are irrelevant to the trim points since reaching them from the trim
points is infeasible. Thus, the veried ight envelope must satisfy the
following two properties.
1) (Guarantee of recovery) From any state in the envelope, the vehicle
must be able to recover to one of the trim states robustly to any possible
effect of the unmodeled dynamics.
2) (Relevance to the transition) The envelope must encompass only
the set of trajectories of the transition that are actually feasible, starting
from one of the trim points.
To mathematically dene the ight envelope satisfying such proper-
ties, the concept of reachability is employed. We begin with dening the
dynamics of the system and the trim states. Consider the dynamics of the
vehicle described as
˙
x(t)=f(x(t),u(t),d(t)),x(t0)=x0(1)
where t0denotes the initial time, x0∈RNdenotes the initial state,
x(·):R→RNdenotes the state trajectory, u(·):R→U(⊂RM)de-
notes the admissible control input signal, and d(·):R→D(⊂RP)
denotes the possible disturbance signal. N,M,Pare state, input, and
disturbance dimensions, respectively. Urepresents the control bound
that is physically allowed for the vehicle, and Dis the bound of the
possible disturbance. We assume that the control and the disturbance sig-
nals are always measurable to ensure the uniqueness of the trajectory
under the bounded and Lipschitz continuous dynamics. Dene U[t1,t2]
and D[t1,t2]as the sets of measurable control and disturbance signals in
a time domain [t1,t2]. We assume that the disturbance is determined in
response to the control signal in a nonanticipative way (Ref. 18), given
by γ:U[t1,t2]→D[t1,t2]∈[t1,t2],sothatd(t)=γ[u](t)for t∈[t1,t2].In
other words, the disturbance does not have access to the information of
future controls but can adapt to the controls at the current time, thereby
accounting for the worst-case scenarios.
The trim state xtrim of an aircraft is a state at which the forces and
the moments acting on the vehicle are balanced. In this work, we as-
sume that the state vector xdoes not contain positional variables. Thus, a
trim state can be dened as an equilibrium of the dynamics where there
exist a certain aircraft conguration and a control input utrim ∈Usuch
that f(xtrim,utrim ,0) =0. This implies that the state remains stationary
at the trim state. Furthermore, we assume that each trim state is locally
robustly stabilizable, meaning that there exists a small neighborhood
L(xtrim)around xtrim such that L(xtrim )is robustly controlled invariant under
the dynamics in Eq. (1). Note that a set Lis robustly controlled invari-
ant if for all state x∈L,forallγ∈[0,∞), there exists a control signal
u(·)∈U[0,∞)such that x(t)∈Lfor all t≥0,wherexis the trajectory of
Eq. (1) with initial state xat initial time 0.
Next, we dene the backward and forward reachable tube of
a set. First, the backward reachable tube of a target set Lis
dened as
BRT (L,T)
={x∈RN|∀γ∈[−T,0] ,∃u(·)∈U[−T,0],∃t∈[−T,0],
s.t. x(t)∈L,where x(·)solves Eq. (1) for (x0,t0)=(x,−T).},(2)
where T>0. In other words, any trajectory that starts in BRT (L,T) is
guaranteed to reach the target set Lwithin the time horizon Trobustly
under an appropriate control signal. The forward reachable tube of an
initial set Lis dened as
FRT(L,T) ={ˆx∈RN|∀γ∈[0,T],∃u(·)∈U[0,T],∃x∈L,∃t∈[0,T],
s.t. x(t)=ˆxwhere x(·)solves Eq. (1) for (x0,t0)=(x,0).}
(3)
Intuitively, the forward reachable tube of Lcaptures all the states in the
state space that can be reached by trajectories starting from the set L.
With a slight abuse of notation, we dene the backward and for-
ward reachable tubes of a trim state as the reachable tubes of the ro-
bustly controlled invariant local neighborhood of the trim state, that is,
BRT (xtrim,T) :=BRT (L(xtrim ),T) and FRT(xtrim,T) :=FRT(L(xtrim ),T),re-
spectively. For any states that are included in the backward reachable
tube of the trim state, the vehicle can recover robustly to the trim state,
satisfying the rst property of the safe ight envelope. Moreover, for any
states that are included in the forward reachable tube of the trim state,
022003-4
TOWARDS FLIGHT ENVELOPE PROTECTION FOR THE NASA TILTWING eVTOL FLIGHT MODE TRANSITION 2024
Fig. 3. Conguration of propellers and control surfaces (rendered at
the cruise conguration).
Fig. 4. Denition of coordinates and motion parameters.
the second property of the ight envelope is satisfying, implying that the
states can be reached during the ight mode transition.
Building on this analysis, we now dene the ight envelope of the
ight mode transition. Let {xk
trim}n
k=1be the sequence of trim states that
compose the ight mode transition of the vehicle between near-hover
and cruise ight, where k=1indicates the trim state at the lowest air-
speed (closest to hover) and k=nindicates the trim state at the highest
airspeed (closest to cruise ight). We dene the safe ight envelope of
the transition as
FE(T) :=n
k=1
BRT xk
trim,Tn
k=1
FRTxk
trim,T(4)
In other words, FE(T) is a collection of states that are included by at
least one of the backward reachable tubes and one of the forward reach-
abletubes of the trim states. The time horizon Tin Eq. (4) is a tuning
parameter that can be chosen by the designer—a small Tmight result
in a ight envelope that is too restrictive; however, an excessive value
of Tmight be computationally intractable. Typically, a longer Tleads
to a larger reachable tube unless the reachable tube saturates due to the
worst-case disturbance. Tand nare chosen based on engineering judg-
ment such that the reachable tubes of neighboring trim states overlap with
each other.
In order to compute the reachable tubes to verify FE(T), we utilize
the HJ characterization of the reachable tubes (Ref. 19). However, the
main challenge of the HJ method is the curse of dimensionality wherein
the computation complexity grows exponentially with respect to the state
dimension. In this study, we employ a method based on state decomposi-
tion (Ref. 16) to leverage the high-dimensional state-space model which
captures the full vehicle dynamics more accurately. To employ the de-
composition, we rst decompose the vehicle dynamics into decoupled
subsystems. In the next section, we describe the vehicle dynamics of the
NASA Tiltwing vehicle and its decomposition into lateral and longitudi-
nal dynamics around the trim states.
Dynamic Model of NASA Tiltwing
The aircraft dynamic models used in this research were created en-
tirely by Bechamo LLC based on the openly available NASA vehicle
design information (Ref. 20).
Aircraft conguration and coordinates
The conguration of the propellers and the control surfaces of the
NASA Tiltwing is demonstrated in Fig. 3. The Tiltwing is equipped with
six propellers on the main wing and two on the tail. Propellers numbered
1, 3, 5, and 8 are spinning counterclockwise, and propellers numbered
2, 4, 6, and 7 are spinning clockwise. The control surfaces include the
elevator, aileron, and rudder.
The coordinate systems of the aircraft are dened in Fig. 4. The Earth
frame is an inertial reference frame xed to the Earth, dened by axes xE,
yE,andzE. The body axes, dened by xb,yb,andzb, are xed to the air-
craft’s center of mass, which is on the centerline of the aircraft. The three
axes are dened such that xbis aligned with the chord line of the fuse-
lage, pointing forward; ybis perpendicular to xband the plane of symme-
try, pointing to the right; zbis perpendicular to the xb−zbplane, pointing
downwards. Vis the aircraft’s velocity in the air with respect to the Earth
frame. We dene the angle of attack αas the angle between xband the
projection of Vonto the xb−zbplane. The side-slip angle βis dened as
the angle between Vand xs. The stability axes xs,ys,andzsare dened
by rotating the body axes about yb≡ysby the trim value of the angle
of attack at the trim state. In this study, the body frame of the aircraft is
dened using the stability axes. The main wing and the horizontal tail
can be rotated about yb≡ysduring vertical takeoff and landing. The tilt
angles of the wing and the tail are denoted by σwand σt, respectively.
Equations of motion of the aircraft
The 6-DOF equations of motion of the aircraft are dened in the body
frame (Refs. 21, 22), given by
˙ϕ=p+qsϕtθ+rcϕtθ,X−mgsθ=m(˙u−rv+qw),L=Ixx ˙p−Ixz ˙r−pqIxz +qrIzz −rqIyy,
˙
θ=qcϕ−rsϕ,Y+mgsϕcθ=m(˙v+ru −pw),M=Iyy ˙q+p2Ixz −prIzz +rpI
xx −r2Ixz,
˙
ψ=qsϕscθ+rcϕscθ,Z+mgcϕcθ=m(˙w−qu +pv),N=−Ixz ˙p+Izz˙r+pqIyy −qpIxx +qrIxz ,
(5)
022003-5
T.-W. HSU JOURNAL OF THE AMERICAN HELICOPTER SOCIETY
where (ϕ, θ, ψ )denote the roll, pitch, and yaw Euler angles. (u,v,w)
and (p,q,r)denote the body linear and angular velocities as shown in
Fig. 4. (X,Y,Z)and (L,M,N)denote the body forces and moments as
showninFig.4.mdenotes the aircraft mass. gdenotes gravity. Ixx,Ixz,
Izz,andIyy denote the components of the moment of inertia taken about
the center of mass in the body frame. It is assumed that the center of
mass is on the centerline of the aircraft, and the aircraft is symmetric
with respect to the xb−zbplane. Thus, Ixy =Iyz =0.c(·):=cos(·),
s(·):=sin(·),t(·):=tan(·),andsc(·):=sec(·)are the simplied notations.
The control inputs applied to the dynamics include the control surface
deections—δefor the elevator, δafor the aileron, δrfor the rudder—
and the thrusts from each propeller, T1,T2,...,T8. In this work, the ac-
tuator dynamics of the control surfaces and the thrusters are neglected
based on the assumption that timescale separation between the actuators
and the aircraft dynamics can be applied (Ref. 12). It should be noted
that such timescale separation is applicable only if the actuator band-
widths are sufciently higher than the bandwidth of the aircraft dynam-
ics. The aerodynamic forces and moments (i.e., X,Y,Z,L,M,Nin
Eq. (5)) are estimated using a modied vortex lattice method (VLM) as
functions of the aircraft conguration and control inputs. We start with a
basic VLM (Ref. 21) and modify it by allowing the algorithm to account
for induced velocities due to the wash downstream of the propellers at
each control point. The propeller properties, which include tangential and
axial velocities along the propeller blade, thrust coefcient, and torque
coefcient, are calculated using blade element momentum (BEM) theory
(Ref. 28). We thencreate a set of ight conditions, consisting of every ex-
pected combination of freestream velocity, sideslip, and angle of attack
in their expected range. The aerodynamic forces and moments are rst
calculated for each of these combinations at expected propeller RPMs
and collective pitch settings, while the deections of the control surfaces
are set to zero, and the intermediate calculated coefcients of thrust and
torque (from the BEM) are stored in a table. We then calculate the aero-
dynamic forces and moments at the same ight conditions and propeller
settings with various control surface deections and store in a table the
differences from the values where the deections are set to zero. The total
forces and moments acting on the aircraft at a specic ight condition are
extracted from interpolating the values in the stored table of coefcients,
asshowninFig.5.
Tri m s tat e s
As aforementioned, the trim states {xk
trim}n
k=1play an important role
in dening the nominal ight path for the transition and the denition
of the safe ight envelope. The trim states of an aircraft are dened by
the local equilibrium states where all the forces and moments acting on
the aircraft can be balanced (Refs. 21, 22). This condition results in the
following trim state variables:
(ϕtrim,θ
trim,ψ
trim )=(0,
trim,0),(utrim,vtrim ,wtrim )=(Utrim,0,0),
(ptrim,qtrim ,rtrim )=(0,0,0),(Xtrim,Ytrim,Ztrim )=(mgstrim,0,−mgctrim ),
(Ltrim,Mtrim ,Ntrim)=(0,0,0),(6)
Fig. 5. The process of calculating the aerodynamic forces and mo-
ments using lookup tables.
Table 1. Trim states at different airspeeds during the
transition between near-hover and cruise
k(xtrim Utrim σwσtT1,T2, ..., T6T7,T8
index) (m/s) (deg) (deg) (N) (N)
1 20.0 70.79 9.05 4,347.8 1,216.5
2 22.5 69.47 10.33 4,305.3 1,732.7
3 25.0 67.47 9.39 4,283.4 1,297.7
4 27.5 65.00 13.57 4,155.2 870.8
5 30.0 62.32 17.97 4,012.0 847.9
6 32.5 59.64 13.13 4,006.9 481.6
7 35.0 57.02 18.20 3,778.1 324.5
8 37.5 54.40 20.23 3,455.2 352.4
9 40.0 51.56 21.71 3,262.7 169.6
10 42.5 48.22 3.36 1,797.6 718.7
11 45.0 44.08 −3.06 1,933.1 706.9
12 47.5 38.96 1.50 940.6 993.6
13 50.0 32.82 −9.18 1,212.1 1,226.7
14 52.5 25.86 −20.24 1,529.6 2,491.1
15 55.0 18.50 −23.50 1,485.1 3,665.1
16 57.5 11.35 5.30 1,66.5 795.6
17 60.0 5.13 8.46 257.6 784.0
18 62.5 0.51 3.74 173.4 816.0
where the subscript (.)trim denotes the trim state, Utrim is the airspeed at
the trim state, and trim =0rad is assumed in this work. We consider
the rst trim state, x1
trim, to be at a near-hover conguration and the last
trim state, x18
trim, to be at a cruise conguration. In this study, we focus
on near-hover as the lower boundary of our analysis, given that the VLM
model does not adequately represent the aerodynamics at the hover state,
especially with vertical wing tilt angles and negligible airspeeds.
In order to nd the set of trim states, we rst determine the range of
the wing tilt angles the aircraft can trim at each airspeed throughout the
transition. This is done by solving for the minimum and maximum wing
tilt angle that is subjected to the constraint in Eq. (6) using the sequential
least-squares programming algorithm (Ref. 23). We then nd the optimal
wing tilt angle that maximizes the maneuver margin for accelerating and
decelerating the vehicle, at each airspeed within the computed wing tilt
angle range. The maneuver margin used in the optimization is the maxi-
mum force and moment available to the aircraft in each of the three axes
in both the forward and reverse directions. This is found by varying the
control actuators and the thrusters within their physical limits. Then, the
values of control surface deections, propeller thrusts, and the tail tilt
angle that can trim the aircraft at each airspeed and the wing tilt angle
are determined. The control surface deections at the resulting trim con-
ditions are all close to zero because varying the propeller thrusts and the
tail tilt angle can handle the force and moment balance more effectively.
The trim states considered in this study are primarily longitudinal; con-
sequently, aileron and rudder deections remain at zero. The use of the
elevator is minimized since we permit the tail to tilt. The entire horizon-
tal tail, due to its larger surface area compared to the elevator, serves as a
more effective aerodynamic component in balancing both moments and
forces to meet the trim condition.
The resulting aircraft congurations at the trim states at different air-
speeds across the transition are presented in Table 1. Overall, the tilt
angles of the wing monotonically decrease as the aircraft transition from
near-hover to cruise ight. Note that the tilt angles of the wing and tail
can be adjusted only quasi-steadily due to the large rotational inertia of
the wing, the tail, and the gearing system that rotates the components.
Therefore, the tilt angles are considered part of the aircraft conguration
instead of control inputs to the system.
022003-6
TOWARDS FLIGHT ENVELOPE PROTECTION FOR THE NASA TILTWING eVTOL FLIGHT MODE TRANSITION 2024
Decomposition into longitudinal and lateral dynamics
Applying the technique of small perturbation on Eq. (5) around each
trim state and taking the rst-order Taylor approximation of the per-
turbed forces and moments, we can obtain the linearized dynamics that
approximate the aircraft dynamics near each trim state. It is shown that
the motion variables, forces, and moments are decoupled in the lin-
earized dynamics (Refs. 21, 22). Therefore, we can decompose the lin-
earized dynamics into two lower dimensional subsystems, one repre-
senting the longitudinal dynamics, and the other representing the lateral
dynamics.
The control inputs can also be decomposed based on their contri-
butions to either the longitudinal or the lateral dynamics. For the con-
trol surfaces, we assume that the perturbed elevator deection, δe,af-
fects only the longitudinal dynamics, and the perturbed aileron and rud-
der deections, δaand δr, affect only the lateral dynamics. However,
the perturbed thrusts of the propellers, Ti, affect both the longitudinal
and lateral dynamics and thus cannot be decomposed directly. We notice
the fact that the longitudinal motion is affected by the moment induced
by the perturbed total thrusts generated by propellers on the wing (i.e.,
T1+T2+ ···+ T6) and the tail (i.e., T7+T8). The lateral motion
is affected by the moments induced by the thrust differences between
the left side and the right side of the fuselage. Therefore, the decom-
position of thrusts can be done through proper thrust allocation. A sim-
plied control allocation scheme is adopted in this work, described as
follows.
For the longitudinal dynamics, we consider the perturbed total thrust
generated by the propellers on the main wing, Tw, and the perturbed
total thrust generated by propellers on the tail, Tt,givenby
Tw=T1+T2+T3+T4+T5+T6,Tt=T7+T8(7)
where T1,T2,...,T8are the perturbed thrusts of each propeller from
their trim thrust values. Here, we assume that T1=T2=···=T6
and T7=T8, so that no roll or yaw moments are induced. Note that
the aircraft relies on Twand Ttto generate the pitch moment during
vertical takeoff and landing when the elevator is less effective.
For the lateral motion, the aircraft utilizes the differential thrusts to
generate roll and yaw moments at near-hover and lower airspeed trim
states {xk
trim}9
k=1(20 ≤Utrim ≤40 m/s), where the main wing and tail
are tilted up and the aileron and rudder are less effective. It deactivates
the differential thrusts and utilizes only the aileron and rudder to pro-
duce roll and yaw moments at near-cruise trim states {xk
trim}18
k=10 (Utrim ≥
42.5m/s) as the control surfaces become more effective. In this section,
we focus on how the differential thrusts are employed to generate roll
and yaw moments at near-hover trim states. To produce the roll moment,
we dene two differential thrusts, Td12 and Td34, for the propellers onthe
main wing, given by
T1=Tw
6−Td12,
T2=Tw
6+Td12,
T3=Tw
6−Td34,
T4=Tw
6+Td34.(8)
Note that such differential thrusts also generate undesired yaw moments,
which increase as the tilt angles of the main wing decrease. To produce
the yaw moment, we take advantage of the propeller torque and the law of
conservation of angular momentum. Because propellers T6and T7rotate
clockwise and T5and T8rotate counterclockwise (see Fig. 3), we can
dene a differential thrust, TdDiag, for these four propellers to produce the
yaw moment. Such control allocation is given by
T5=Tw
6−TdDiag,
T6=Tw
6+TdDiag,
T7=Tt
2+TdDiag,
T8=Tt
2−TdDiag,
(9)
where is a constant determined such that TdDiag does not generate any
roll moment. Specically, the undesirable roll moments produced by
TdDiag in T7and T8are canceled by roll moments produced by TdDiag
in T6and T5.
Due to the symmetry in Eqs. (8) and (9), Td12,Td34,andTdDiag for the
lateral dynamics do not affect Twand Ttfor the longitudinal dynamics.
Therefore, if we preallocate the control authorities for each thruster input,
the longitudinal and lateral dynamics can be fully decoupled in control
inputs.
With the perturbed dynamics fully decomposed, we can now dene
the decoupled state variables and control inputs for the longitudinal
and lateral dynamics, respectively. For the longitudinal dynamics,
we dene xlon :=[u,w,q,θ]T∈R4as the state vector and
ulon :=[δe,Tw,Tt]T∈Ulon ⊂R3as the input vector. For the lateral
dynamics, we dene xlat :=[β, p,r,ϕ]T∈R4as the state vector
and ulat :=[δa,δr,Td12,Td34,TdDiag]T∈Ulat ⊂R5as the input vector.
Note that in the state vector of the lateral dynamics, we choose the per-
turbed side slip angle β instead of vas a state variable since they are
related by β ≈v/Utrim.
The bounds of the control inputs are dened by
Ulon ={[δeTwTt]T∈R3|δe∈[δ emin,δemax],Tw∈[Tw, mi n ,Tw, m ax ]Tt∈[Tt, min,Tt, max]}
Ulat ={[δaδrT
d12 Td34 TdDiag ]T∈R5|δa∈[δamin ,δamax],δr∈[δrmin,δrmax]
Td12 ∈[Td12, min ,Td12, max ],Td34 ∈[Td34, min,Td34, max],TdDiag ∈[TdDiag, min,TdDiag, max]}(10)
022003-7
T.-W. HSU JOURNAL OF THE AMERICAN HELICOPTER SOCIETY
where the bounds of each control input are determined by calculating the
differences between the trim value (see Table 1) and the feasible input
limits of each actuator. Further information on the determination of the
control input bounds can be found in the Appendix.
Linear longitudinal dynamics. By applying the linearization and decom-
position technique mentioned above, we can obtain the linear longitudi-
nal dynamic model dened with respect to xlon =[u,w,q,θ]Tand
ulon =[δe,Tw,Tt]T,givenby
⎡
⎢
⎢
⎢
⎢
⎣
˙u
˙w
˙q
˙
θ
⎤
⎥
⎥
⎥
⎥
⎦
=⎡
⎢
⎢
⎢
⎢
⎣
Xu/mX
w/mX
q/m−gctrim
Zu/mZ
w/mZ
q/m+Utrim −gstrim
Mu/Iyy Mw/Iyy Mq/Iyy 0
00 1 0
⎤
⎥
⎥
⎥
⎥
⎦
⎡
⎢
⎢
⎢
⎢
⎣
u
w
q
θ
⎤
⎥
⎥
⎥
⎥
⎦
+⎡
⎢
⎢
⎢
⎢
⎣
Xδe/mX
Tw/mX
Tt/m
Zδe/mZ
Tw/mZ
Tt/m
Mδe/Iyy MTw/Iyy MTt/Iyy
000
⎤
⎥
⎥
⎥
⎥
⎦
⎡
⎢
⎢
⎣
δe
Tw
Tt
⎤
⎥
⎥
⎦
(11)
where Qλ:=∂Q
∂λ (Q=X,Z,M)is a simplied notation of the derivatives.
These derivatives are evaluated from the VLM model at each trim state
using a nite difference method. Then, we can derive the linear system
model of the longitudinal dynamics that will be used for the reachability
analysis, represented in the form of Eq. (1) as
˙
xlon(t)=flon (xlon (t),ulon (t),dlon (t)) =Alon xlon (t)+Blon ulon(t)+dlon (t)
(12)
where Alon and Blon denote the state matrix and input matrix dened in
Eq. (11). dlon(t)∈Dlon ⊂R4is the disturbance vector that can be utilized
to capture modeling errors, model uncertainties, or any external distur-
bances (e.g., wind gusts) at time t. The details of how the disturbance is
determined will be discussed in the next section.
Linear lateral dynamics. Similarly, we can obtain the linear lateral
dynamics dened with respect to xlat =[β, p,r,ϕ]Tand ulat=[δa,
δr,Td12 ,Td34,TdDiag]T,givenby
⎡
⎢
⎢
⎢
⎢
⎢
⎣
Utrim 000
01
−Ixz
Ixx 0
0−Ixz
Izz 10
0001
⎤
⎥
⎥
⎥
⎥
⎥
⎦
⎡
⎢
⎢
⎢
⎢
⎣
˙
β
˙p
˙r
˙ϕ
⎤
⎥
⎥
⎥
⎥
⎦
=⎡
⎢
⎢
⎢
⎢
⎣
Yβ/mY
p/mY
r/m−Utrim gctrim
Lβ/Ixx Lp/Ixx Lr/Ixx 0
Nβ/Izz Np/Izz Nr/Izz 0
01 ttrim 0
⎤
⎥
⎥
⎥
⎥
⎦
⎡
⎢
⎢
⎢
⎢
⎣
β
p
r
ϕ
⎤
⎥
⎥
⎥
⎥
⎦
+⎡
⎢
⎢
⎢
⎢
⎣
Yδa/mY
δr/mY
Td12/mY
Td34/mY
TdDiag/m
Lδa/Ixx Lδr/Ixx LTd12 /Ixx LTd34/Ixx LTdDiag/Ixx
Nδa/Izz Nδr/Izz NTd12/Izz NTd34/Izz NTdDiag/Izz
00 0 0 0
⎤
⎥
⎥
⎥
⎥
⎦
⎡
⎢
⎢
⎢
⎢
⎢
⎢
⎢
⎣
δa
δr
Td12
Td34
TdDiag
⎤
⎥
⎥
⎥
⎥
⎥
⎥
⎥
⎦
(13)
where Qλ:=∂Q
∂λ (Q=Y,L,N)denotes the derivatives. Note that YTd12 =
YTd34 =YTdDiag =0because all propellers are assumed to be aligned with
the xb−zbplane. In addition, LTdDiag =0is achieved through a proper
selection of as discussed in Eq. (9). In the context of the linear model,
we can dene =|∂L/∂T7|
|∂L/∂T6|=|∂L/∂T8|
|∂L/∂T5|under which TdDiag does not pro-
duce undesirable roll moments.
Then, we can derive the linear model for reachability analysis from
Eq. (13) using the form of Eq. (1), given by
˙
xlat(t)=flat (xlat (t),ulat (t),dlat(t)) =Alat xlat (t)+Blat ulat (t)+dlat (t)(14)
where Alat and Blat denote the state matrix and input matrix derived from
Eq. (13). dlat(t)∈Dlat ⊂R4is the disturbance vector, of which more
details will be discussed in the next section.
Disturbance bounds capturing linearization errors
and model uncertainties
In the determination of safety and conservativeness of the ight en-
velope, a crucial aspect is the usage of adequate disturbance bounds, Dlon
and Dlat. These bounds can be selected to encompass any possible dis-
turbances of interest, such as exogenous disturbances (e.g., wind gusts),
modeling errors, and model uncertainties. If the disturbance bounds are
too small and do not adequately capture the disturbances of interest, the
resulting ight envelope may be overly optimistic and ultimately unsafe
in the real world. Conversely, excessively large disturbance bounds can
lead to reduced reachable tubes and overly constrained ight envelopes.
This research focuses on accounting for two sources of disturbances
in these bounds. The rst source encompasses the linearization errors in
aerodynamic forces and moments resulting from rst-order Taylor ap-
proximation. The second source arises from the fact that the linear mod-
els are only applicable when the tilt angles of the wing and the horizontal
tail correspond to the specied trim state conguration. The congura-
tion of the propellers under each tilt angle results in distinct aerodynam-
ics at each trim state, from which the linear models are determined. Dur-
ing the actual transition, these angles can only change in a quasi-steady
manner and may not precisely match the required trim conguration.
Consequently, it is essential to address the impact of such uncertainties in
the tilt angles on aerodynamic forces, moments, and ultimately the linear
models. Note that wind gusts or other possible exogenous disturbances
can also be included in the disturbance bounds but are not considered in
this work.
From Eqs. (11) and (13), the disturbance vectors in Eqs. (12) and (14)
can be written as
dlon(t)=⎡
⎢
⎢
⎢
⎢
⎣
dX(t)/m
dZ(t)/m
dM(t)/Iyy
0
⎤
⎥
⎥
⎥
⎥
⎦
∈Dlon;
dlat(t)=⎡
⎢
⎢
⎢
⎣
Utrim 000
01
−Ixz
Ixx 0
0−Ixz
Izz 10
0001
⎤
⎥
⎥
⎥
⎦
−1⎡
⎢
⎢
⎢
⎣
dY(t)/m
dL(t)/Ixx
dN(t)/Izz
0
⎤
⎥
⎥
⎥
⎦
∈Dlat (15)
where dQ(t)(Q=X,Y,Z,L,M,N) denotes the individual disturbance cor-
responding to each aerodynamic force or moment evaluated at time t.
The bounds of each disturbance are dened by dQ(t)∈[−dQ,max,dQ,max ],
where dQ,max is dened as a function of the state vector in the following
form:
dQ,max =⎧
⎨
⎩
xT
lon Qxlon +ξQ≥0,if Q=X,Z,M
xT
lat Qxlat +ξQ≥0,if Q=Y,L,N
(16)
where Q∈R4×4and ξQ∈R4are parameters that can be obtained by
least-squares regression. At each trim state, we compute the discrepan-
cies in the aerodynamic forces and moments between the linear models
and the nonlinear aerodynamic model with uncertainties in the tilt an-
gles of the wing and the tail. This enables the evaluation of the combined
022003-8
TOWARDS FLIGHT ENVELOPE PROTECTION FOR THE NASA TILTWING eVTOL FLIGHT MODE TRANSITION 2024
Fig. 6. Least-squares tting of (a) dX,max,(b)dM,max ,and(c)dL,max at trim state x8
trim. All forces and moments here are evaluated at q=0deg/s,
θ =0deg, r=0deg/s, and ϕ =0deg. σi
wand σi
tare uniformly sampled from [−2.84,2.62] deg and [−2.03,1.48] deg, of which the upper
and lower bounds are the tilt-angle differences between x8
trim and x7
trim and x8
trim and x9
trim, respectively.
effects of the linearization errors and the tilt-angle uncertainties at var-
ious states within the computation domain of the reachability analysis. At each trim state, Qand ξQare obtained by solving the following op-
timization problem using least-squares regression:
argmin
Q,ξ
Q
i
⎛
⎜
⎜
⎜
⎝
max
ui
lon
σ i
w,σ i
t¯
Qxi
lon,ui
lon−ˆ
Qxi
lon,ui
lon,σi
w,σi
t−xiT
lon Qxi
lon −ξQ⎞
⎟
⎟
⎟
⎠
2
s.t. xiT
lon Qxi
lon +ξQ≥0for Q=X,Z,M;
argmin
Q,ξ
Q
i
⎛
⎜
⎜
⎜
⎝
max
ui
lat
σ i
w,σ i
t¯
Qxi
lat,ui
lat−ˆ
Qxi
lat,ui
lat,σi
w,σi
t−xiT
lat Qxi
lat −ξQ⎞
⎟
⎟
⎟
⎠
2
s.t. xiT
lat Qxi
lat +ξQ≥0for Q=Y,L,N
(17)
where xi
lon and xi
lat are state vectors uniformly sampled from the com-
putation domain of the reachability analysis. ui
lon and ui
lat are uniformly
sampled within the input bounds, Ulon and Ulat, dened in Eq. (10). σ i
w
and σ i
tdenote the perturbations of the wing and tail tilt angles, which
are uniformly sampled from the tilt-angle differences between the previ-
ous and the next adjacent trim states. ¯
Qis the force or moment evaluated
by the linear model at each combination of (xi
lon,ui
lon )and (xi
lat,ui
lat )around
the trim state with the tilt angles set to the trim conguration. ˆ
Qdenotes
the perturbed force or moment evaluated by the nonlinear aerodynamic
model at (xi
lon,ui
lon )and (xi
lat,ui
lat )around the trim state with the tilt an-
gle perturbations σ i
wand σ i
t. Some example plots of the least-squares
tting of the disturbance bounds are shown in Fig. 6.
Hamilton–Jacobi Reachability Computation based
on System Decomposition
In this section, we discuss how to compute the reachable tubes in
Eqs. (2) and (3) by applying the HJ reachability analysis. The general
strategy for solving the reachable tube problem with the HJ approach is
rst to dene a value function that characterizes the reachable tube as its
level set. Then, the dynamic programming principle is applied to deter-
mine the value function as the unique solution of an HJ partial differential
equation (PDE), which can be solved numerically by well-established
PDE solvers (Ref. 27). We will rst discuss how this methodology is ap-
plied to compute the backward and forward reachable tubes of the lon-
gitudinal and lateral subsystems of the vehicle dynamics. An additional
benet of the HJ approach is that the optimal policy of the reachabil-
ity problem is concurrently extracted from the computed value function.
The optimal policy can be used to safeguard the vehicle from escaping
the ight envelope and can also be used as a reversionary controller that
quickly recovers to the vehicle’s trim state when its safety is at stake.
Finally, we explain how the reachable tubes computed for the decoupled
longitudinal and lateral subsystems can be composed into the reachable
tubes of the full dynamics of the aircraft.
Backward reachable tubes
To dene the value function for the reachable tube problems, let us
assume that a Lipschitz continuous function l:RN→Ris given that
satises the following property:
L={x∈RN|l(x)≤0}(18)
where Lis the target set of the reachable tubes. Recall that for each trim
state xtrim, a small robust control invariant set around the trim state L(xtrim)
is set as the target set. The value of l(x)determines the proximity of xto
Lwhen l(x)>0and the inclusion of xin Lwhen l(x)≤0. Such functions
can be easily obtained by using the signed distance of L.
In the backward reachability, the problem of interest is that given an
initial state, whether there exists a control policy that can drive the state
trajectory into the target set Lwithin a specied time horizon under the
worst-case disturbance. This problem can be captured by a differential
game between the control input and the disturbance wherein the control
022003-9
T.-W. HSU JOURNAL OF THE AMERICAN HELICOPTER SOCIETY
input always tries to drive the trajectory towards L, while the disturbance
always tries to drive it away from L. For a given time horizon T>0,the
cost function for this differential game is dened as
JB(x,−T,u(·),d(·)) =min
t∈[−T,0] l(x(t)) (19)
where x(·)solves Eq. (1) for (x0,t0)=(x,−T). The minimum over the time
horizon in the cost function captures the instance when the trajectory is
closest to the target set. Thus, JB(x,−T,u,d) ≤0indicates that l(x(t)) ≤0
for some t∈[−T,0], that is, the trajectory reaches the target set.
The objective is to nd an optimal control policy that drives the tra-
jectories towards L(i.e., minimize the cost function) while consider-
ing the worst-case disturbance that tries to drive the trajectories away
from L(i.e., maximize the cost function). Therefore, the value function
VB:RN×[−T,0] →Ris dened as
VB(x,t)=max
γ∈[t,0]
min
u(·)∈U[t,0]
JB(x,t,u(·),γ[u](·)) (20)
By denition, the backward reachable tube is the zero-sublevel set of the
value function:
BRT (L,T) ={x∈RN|VB(x,−T) ≤0}(21)
The value function VB(x,t)can be obtained by solving the viscosity
solution to the nal value Hamilton–Jacobi–Isaacs partial differential
equation (HJI-PDE) in the variational inequality form as given below
(Ref. 24):
min{l(x)−VB(x,t),DtVB(x,t)+HB(x,DxVB(x,t))}=0;VB(x,0) =l(x)
(22)
where the Hamiltonian HB(x,DxVB(x,t)) is given by
HB(x,DxVB(x,t)) =min
u∈Umax
d∈DDxVB(x,t)·f(x,u,d) (23)
From the Hamiltonian, we can also derive the optimal control law to
reach the target set Las
u∗
B(x,t)=arg min
u∈Umax
d∈DDxVB(x,t)·f(x,u,d) (24)
Forward reachable tubes
Similarly to backward reachability, the computation of the forward
reachable tubes can be formulated as a differential game between the
control input and the disturbance. The control input tries to drive the
state as far away from Las possible, whereas the worst-case disturbance
tries to drive the state as close to Las possible. The differential game
problems for backward and forward reachability are very similar to each
other; however, the main difference is that from the initial state’s stand-
point, the time ows in the opposite direction along the system trajectory.
Accordingly, the cost function for the forward reachability becomes
JF(x,T,u(·),d(·)) =min
t∈[−T,0] l(x(t)) (25)
where x(·)solves Eq. (1) for (x0,t0)=(x,0). The value function VF:
RN×[0,T]→Ris dened as
VF(x,t)=max
γ∈[−t,0]
min
u(·)∈U[−t,0]
JF(x,t,u(·),γ[u](·)) (26)
The forward reachable tube is the zero-sublevel set of the value function,
given by
FRT(L,T) ={x∈RN|VF(x,T)≤0}(27)
The value function VF(x,t)is the viscosity solution to the initial value
HJI-PDE:
max{VF(x,t)−l(x),DtVF(x,t)+HF(x,DxVF(x,t))}=0;VF(x,0) =l(x)
(28)
where the Hamiltonian HF(x,DxVF(x,t)) is given by
HF(x,DxVF(x,t)) =max
u∈Umin
d∈DDxVF(x,t)·f(x,u,d) (29)
Note that VF(x,t)is obtained by solving the initial value HJI-PDE instead
of the nal value HJI-PDE as in the case of computing VB(x,t). Finally,
the optimal control law is given by
u∗
F(x,t)=arg max
u∈Umin
d∈DDxVF(x,t)·f(x,u,d) (30)
Optimal control policy and the worst-case disturbance
Note that for both optimal policies for the backward and forward
reachability, since the longitudinal and the lateral dynamics are both
afne in control and disturbance (Eqs. (12) and (14)), the min and max
in Eqs. (24) and (30) can be decoupled from each other. For instance, the
optimal policy in Eq. (24) becomes
u∗
B(x,t)=arg min
u∈UDxVB(x,t)·Bu(31)
where B=Blon or Blat. The worst-case disturbance can be similarly writ-
ten as
d∗
B(x,t)=arg max
d∈DDxVB(x,t)·d(32)
Similarly, the optimal control policy and worst-case disturbance for the
forward reachable tubes are given by
u∗
F(x,t)=arg max
u∈UDxVF(x,t)·Bu(33)
and
d∗
F(x,t)=arg min
d∈DDxVF(x,t)·d(34)
Such a closed-form expression of worst-case disturbance policies can be
useful to validate the robustness of the optimal policies and the computed
reachable tubes in simulation.
With access to the backward reachable tube value function, VB,we
can monitor whether the state xis in the interior of the backward reach-
able tube of the target set, and how close it is to the boundary of the
tube, by checking the value VB(x,−T). As seen in Eq. (21), the value is
negative when xis in the backward reachable tube and becomes close
to zero as it approaches the boundary. Based on this knowledge, we can
design a simple switching safety lter logic that switches from a nomi-
nal ight mode transition controller to the optimal control policy, u∗
B(x,t),
in Eq. (31), when the trajectory is about the leave the backward reach-
able tube. As long as the optimal control policy is executed before the
state leaves the backward reachable tube of L, the policy is guaranteed to
drive the trajectory back to the interior of L, even under the worst-case
effect of the disturbance. This simple switching logic is used in various
applications to safeguard the system from exiting the safe region veried
through reachability analysis (Refs. 25, 26).
Construction of the full safe ight envelopes
To construct the safe ight envelope for the ight mode transition of
the full dynamics, we construct the reachable tubes for the full aircraft
dynamics from the subsystem reachable tubes. The full aircraft dynamics
022003-10
TOWARDS FLIGHT ENVELOPE PROTECTION FOR THE NASA TILTWING eVTOL FLIGHT MODE TRANSITION 2024
consist of
˙
z(t)=˙
xlon(t)
˙
xlat(t)=flon (xlon (t),ulon (t),dlon(t))
flat(xlat (t),ulat (t),dlat(t)) (35)
where z(t)=[xlon(t)Txlat (t)T]T∈Z=R8is the full state vector. flon and
flat are two self-contained subsystems that are fully decoupled in state,
control, and disturbance. This feature allows us to construct the full ight
envelope from the reachable tubes of the subsystems using the technique
of back-projection introduced in Ref. 16.
First, we introduce the projection and back-projection operators. The
projection of the full state onto the subspace for each subsystem is
dened as
proji(z)=xi∈Xi,i=lon,lat (36)
where Xi=R4is the state space of each subsystem. The projection of a
set S⊆Zis dened as
proji(S)={xi∈Xi|∃z∈S,s.t. proji(z)=xi},i=lon,lat (37)
To back-project the state of each subsystem to the full state space, the
back-projection operator is dened as
proj−1(xi)={z∈Z|proji(z)=xi},i=lon,lat (38)
The back-projection of a set Si⊆Xiis dened as
proj−1(Si)={z∈Z|∃xi∈Si,s.t. proji(z)=xi},i=lon,lat (39)
The next two propositions establish the relationship between the
reachable tubes for subsystems and the reachable tube for the full dy-
namics. Intuitively, they imply that the projection of the reachable tubes
of the full dynamics to each subsystem is the reachable tube of the sub-
system dynamics itself. The proofs of the propositions are presented in
the Appendix.
Proposition 1. Let Llon and Llat both be robustly controlled invariant
sets for each subsystem. Consider the target set of the full system given
as Lfull =proj−1(Llon) ∩proj−1(Llat ). Then, the following holds:
BRTfull(Lfull,T) =proj−1(BRTlon(Llon ,T)) ∩proj−1(BRTlat(Llat,T)) (40)
Proposition 2. Consider the target set of the full system given as Lfull =
proj−1(Llon)∩proj−1(Llat ). Then, the following holds:
FRT
full(L,T) =proj−1(FRT
lon(Llon ,T)) ∩proj−1(FRT
lat(Llat ,T)) (41)
Computation methods
We compute the backward and forward reachable tubes of the longi-
tudinal and lateral dynamics at a series of trim states that span the entire
transition (Table 1). The vector elds fdened in Eq. (12) for the lon-
gitudinal dynamics and Eq. (14) for the lateral dynamics of the aircraft
are used in Eqs. (22) and (28) to compute the reachable tubes of each
subsystem. The reachable tubes are computed by solving the HJI-PDEs
(Eqs. (22) and (28)) using the Level Set Toolbox (Ref. 27) and the helpe-
rOC toolbox (Ref. 19). In this work, a time horizon of T=2sisconsid-
ered for each reachable tube such that the reachable tubes of all neigh-
boring trim states are large enough to overlap.
The grid size used in the numerical computation of the PDEs plays
a crucial role in the accuracy of the resulting reachable tubes and com-
putation time. The trade-off between accuracy and computation time is
straightforward—a smaller grid size results in a more accurate reach-
able tube at the cost of longer computation time. In this work, we treat
the grid size as a tuning parameter and attempt to nd the largest al-
lowable grid size that yields satisfactory results. The resulting reachable
tube is considered satisfactory if there are no noticeable numerical er-
rors observed, and its corresponding optimal controller can be validated
in simulation. As a result, different grid sizes are used for different trim
states. Typically, reachable tubes of trim states at higher airspeeds re-
quire smaller grid sizes and take longer computation times. This is be-
cause the norm of the vector eld is larger due to higher dynamic pres-
sure at higher airspeeds. Among all computation tasks performed, the
smallest grid size is used at trim state x18
trim for computing the backward
reachable tubes. For dimensions (u,w,q,θ,β,p,r,ϕ), the
corresponding grid sizes are (0.2 m/s, 0.2 m/s, 0.032 rad/s, 0.016 rad,
0.02 rad, 0.04 rad/s, 0.04 rad/s, 0.02 rad). The computation time for each
reachable tube at x18
trim was approximately 6 h on a standard laptop. On
the other hand, the largest grid size is used at x1
trim, given by (0.25 m/s,
0.25 m/s, 0.04 rad/s, 0.02 rad, 0.04 rad, 0.08 rad/s, 0.08 rad/s, 0.04 rad),
and the computation took approximately 2 h.
Simulation Methods
Validation of the reachable tubes using 6-DOF nonlinear simulation
To verify the computed reachable tubes, we carry out Monte Carlo
simulations using the 6-DOF nonlinear dynamic model given by Eq. (5).
By using the 6-DOF nonlinear model, we can examine if the disturbance
bounds dened in Eq. (16) can capture the discrepancies between the
6-DOF nonlinear model and the decomposed linear models, thereby ver-
ifying the linearization and decomposition techniques we employed.
In this work, we validate the backward reachable tubes at three rep-
resentative trim states: x1
trim (near-hover), x9
trim (midtransition), and x18
trim
(cruise). For each trim state, we randomly select 30 states inside the back-
ward reachable tube as the initial states for simulation. Then, we simulate
the state trajectories under the optimal control policy (Eq. (31)) by solv-
ing the ordinary differential equations (ODEs) of the 6-DOF nonlinear
dynamic model (Eq. (5)). At each trim state, the aircraft is congured
according to Table 1. If the backward reachable tube is valid and the dis-
turbance bounds capture the linearization error adequately, the simulated
trajectories are supposed to return to the target set within the time hori-
zon (T=2s). Note that the validation of the forward reachable tubes can
be done similarly.
Safe transition between neighboring trim states using
the reachable tubes
In addition to verifying the safety of the reachable tubes at individual
trim states, we also examine the safety of transitions between neighbor-
ing trim states. The entire transition between hover and cruise consists of
a series of transitions between consecutive trim states. Ideally, a nominal
controller is designed to perform the transition smoothly, stabilizing the
aircraft at one trim state before moving on to the next. However, due to
pilot commands or unexpected disturbances, the state trajectory might
deviate from the nominal transition trajectory. Referring back to the def-
inition of the ight envelope in Eq. (4), we investigate the safety of the
veried ight envelope consisting of the computed reachable tubes, and
the use of the optimal control policy of the backward reachable tube in
Eq. (31) as a safety controller that recovers the trajectory to the trim states
while preventing it from exiting the envelope. We conduct simulations
using the 6-DOF nonlinear model given by Eq. (5) at three represen-
tative pairs of consecutive trim states: x1
trim,x2
trim (near-hover), x9
trim,x10
trim
(midtransition), and x17
trim,x18
trim (near-cruise).
It must be noted that the longitudinal and lateral models of each trim
state are derived for a specic trimmed conguration (Table 1). Thus, the
transition between neighboring trim states also involves the change in the
aircraft conguration, thus, the change in dynamics. Here, we assume
022003-11
T.-W. HSU JOURNAL OF THE AMERICAN HELICOPTER SOCIETY
Fig. 7. Backward reachable tubes of the longitudinal and lateral dynamics at trim states {xk
trim}18
k=1.
that the tilt angles of the wing and tail change slowly at a constant rate
of 4 deg/s. Such uncertainties in the tilt angles are taken into account in
the reachability analysis using the disturbance bounds, as described in
Eq. (16).
For each pair of consecutive trim states, we consider a scenario where
the aircraft is stabilized at one trim state and is about to transition to the
next trim state. However, due to pilot commands or unexpected distur-
bances, the state deviates from the nominal trajectory. Here, we employ
the optimal controller of the forward reachable tube of the current trim
state, as given by Eq. (33), to simulate such deviations. Our goal is to
verify whether the trajectory can recover to the current or the next trim
state, provided the disturbed state remains within the ight envelope. If
the disturbed state lies within the backward reachable tube of the next
trim state, the optimal control law of the next trim state can be applied
to safely transition to that state. On the other hand, if the disturbed state
is not within the next trim state’s backward reachable tube, the optimal
control law of the current trim state can be used to recover the trajectory
back to the current trim state.
Results and Discussion
Reachable tubes of all trim states
The computed backward reachable tubes of the longitudinal and lat-
eral dynamics of all trim states are shown in Figs. 7(a), 7(b), 7(c), and
7(d). The forward reachable tubes are shown in the Appendix in the
same manner. Because the reachable tubes are in four-dimensional space,
we demonstrate each of them using a two-dimensional (2D) projec-
tion in two separate plots. For the longitudinal dynamics, the reachable
tubes are visualized in the 2D projection on u−θand w−qplanes.
For the lateral dynamics, we project the reachable tubes on β−ϕand
p−rplanes. The ideal state trajectories of transition are also plotted
in these gures using black dashed lines. In particular, Fig. 7(a) shows
that the backward reachable tubes of neighboring trim states overlap
with one another and entirely cover the ideal state trajectories of transi-
tion. This demonstrates the potential capability of using the optimal con-
troller in Eq. (31) for the entire transition while guaranteeing safety by
maintaining the state trajectories to stay within the backward reachable
tubese.
The size and shape of each reachable tube are inuenced by the lo-
cally linearized dynamic model at each trim state. It is difcult to con-
clude a clear pattern among the reachable tubes spanning the entire tran-
sition because the dynamics are distinct at different trim states. However,
certain qualitative characteristics can be observed from the results. For
example, we can see that in Figs. 7(a) and 7(b), the sizes of the longitu-
dinal backward reachable tubes generally decrease with increasing air-
speed at lower-airspeed trim states, from x1
trim to x9
trim. This occurs because
the aircraft primarily relies on the propellers to generate pitch moment
when the wing and tail are tilted up at lower airspeeds, and this control ef-
fectiveness decreases as the wing tilts down. In addition, the longitudinal
backward reachable tubes become larger above x10
trim in Fig. 7(b) due to
the improved control effectiveness of the elevator as airspeed increases
and the tail tilts down. Moreover, at x16
trim,x17
trim,andx18
trim, the longitudi-
nal backward reachable tubes shape towards lower airspeeds, as shown
in Fig. 7(a), indicating that these trim states are reachable from lower
airspeed. This is because the trimmed thrust values are small at these
trim states (see Table 1), resulting in limited control authority for the
propellers to decrease airspeed, while they have a high control author-
ity to increase airspeed. We can also identify some characteristics from
the lateral backward reachable tubes (Figs. 7(c) and 7(d)). For instance,
022003-12
TOWARDS FLIGHT ENVELOPE PROTECTION FOR THE NASA TILTWING eVTOL FLIGHT MODE TRANSITION 2024
Fig. 8. Validation of BRT (x1
trim,2s)using Monte Carlo 6-DOF nonlinear simulation.
a noticeable change in the size of the lateral reachable tubes occurs
between x9
trim and x10
trim. This change can be attributed to the discontin-
uation of thrust differential usage for generating roll and yaw moments
above an airspeed of 40 m/s.
Validation of the reachable tubes using 6-DOF nonlinear simulation
The results of the Monte Carlo 6-DOF nonlinear simulation for back-
ward reachable tubes at the three representative trim states (i.e., x1
trim:
near-hover, x9
trim: midtransition, and x18
trim: cruise) are demonstrated in
Figs. 8–10. As shown, all trajectories reach the target set within the 2-s
time horizon, which implies that the computed backward reachable tubes
do not contain initial states that are not recoverable to the target set. Thus,
we conclude that the computed backward reachable tubes are safe conser-
vative estimates of the actual backward reachable tubes, and the optimal
control law given by Eq. (31) can drive the state trajectories back to the
vicinity of the trim states.
The results prove that the linearization and decomposition techniques
in conjunction with the disturbance bounds dened by Eq. (16) are valid
for computing the backward reachable tubes for the 6-DOF nonlinear
model. This allows us to circumvent the curse of dimensionality of reach-
ability analysis by decomposing the full nonlinear system into two sub-
systems with lower dimensionality, thereby making the problem more
computationally tractable.
Safe transition between neighboring trim states
The safety guarantee of the transition between neighboring trim
states is demonstrated by three representative pairs of consecutive
trim states: {x1
trim,x2
trim}(near-hover), {x9
trim,x10
trim}(midtransition), and
{x17
trim,x18
trim}(near-cruise). The results are shown in Fig. 11. In all three
cases if the deviated state (red dot) remains within the backward reach-
able tube of the current trim state (x1
trim,x9
trim,andx17
trim), it can safely
recover back to the target set of the current trim state. If the disturbed
state is contained in the backward reachable tube of the next trim state
(x2
trim,x10
trim,andx18
trim), then it can safely transition to the next trim state
using the optimal control law. As mentioned earlier, transitioning to the
next trim state involves changing the aircraft conguration according to
Table 1, particularly the tilt angles of the wing and tail. As illustrated
in Fig. 11, the optimal controllers are capable of driving the trajecto-
ries to the next target set despite the uncertainties in the dynamics in-
duced by the aircraft reconguration, demonstrating that the disturbance
bounds dened in Eq. (16) are sufcient to capture such model uncer-
tainty. Consequently, the ight mode transition can always be protected
against leaving the backward reachable tubes by applying the optimal
controllers, dened in Eq. (31), when the trajectory is on the verge of ex-
iting the tubes, ensuring that the trajectories consistently remain within
the ight envelope as dened in Eq. (4).
Conclusions
In this work, HJ reachability analysis is employed to establish a safe
ight envelope for the NASA Tiltwing vehicle during its ight mode
transition. With the safe ight envelope and the corresponding optimal
control policies obtained by HJ reachability, the vehicle’s safety during
the transition is guaranteed by ensuring its controllability. Using the
technique of back projection, the reachable tubes of the full system
022003-13
T.-W. HSU JOURNAL OF THE AMERICAN HELICOPTER SOCIETY
Fig. 9. Validation of BRT (x9
trim,2s)using Monte Carlo 6-DOF nonlinear simulation.
are constructed from the reachable tubes of the longitudinal and lateral
subsystems of lower dimensions, allowing us to circumvent the curse of
dimensionality and signicantly reduce computation time. It is shown
that the sizes and shapes of the computed reachable tubes depend on
the trim congurations and the locally linearized dynamics at each
trim state. The results of the 6-DOF nonlinear simulation show that
all trajectories can reach the target set within the given time horizon,
validating the computed reachable tubes. Because the reachable tubes
are computed using the locally linear subsystems, the success of the
validation using 6-DOF nonlinear simulation proves that the lineariza-
tion errors are adequately addressed by the worst-case disturbance term
in the reachability formulation. The safety guarantee of transitioning
between consecutive trim states is also conrmed by the 6-DOF non-
linear simulation. Because the reachable tubes are computed based on
the trim congurations, such success in utilizing the reachable tubes to
perform safe transitions as the tilt angles of the wing and tail vary proves
that the uncertainties in the tilt angles are sufciently captured by the
disturbance bounds given by Eq. (16).
This work has established a milestone towards employing the HJ
reachability-based framework for practical ight envelope verication
of novel eVTOL aircraft designs. As a future research direction, we
plan to further investigate how the veried ight envelope and a re-
covery controller derived from HJ reachability can be integrated with
a nominal ight controller responsible for conducting the ight mode
transition or responding to pilot commands. While blending these ele-
ments, it will be crucial to preserve the provable safety guarantee of HJ
reachability while ensuring that other important specications, such as
energy efciency and handling qualities of the vehicle, are adequately
addressed.
Acknowledgments
This research is supported in part by NASA SBIR funding on “Inte-
grated Flight Control Design and Multidisciplinary Optimization” (21-
2-A1.01-3185), DARPA Assured Autonomy program (FA8750-18-C-
0101), and NASA University Leadership Initiative on Safe Aviation Au-
tonomy (80NSSC20M0163). This article solely reects the opinions and
conclusions of its authors and not any NASA entity. The authors would
like to thank Chams Eddine Mballo for suggestions that helped to im-
prove the presentation of this article.
Appendix
Determination of Control input bounds
The control input bounds are determined based on the differences be-
tween the trim value (see Table 1) and the range of each actuator.
Control surfaces. We assume that the full range of each control surface
(i.e., elevator, aileron, and rudder) is ±20 deg. As aforementioned, the
trim values of all control surfaces are almost zeros, so the control in-
put bounds of each control surface (i.e., δemin,δ emax,δ amin,δamax,
δrmin ,andδrmax) are approximately equal to the range of the control
surface.
Propellers. The control input bounds of the propellers at each trim state
are shown in Table A1. The thrust produced by each propeller ranges
from 0 to 5000 N. Take the rst trim state x1
trim forexample, the thrust
022003-14
TOWARDS FLIGHT ENVELOPE PROTECTION FOR THE NASA TILTWING eVTOL FLIGHT MODE TRANSITION 2024
Fig. 10. Validation of BRT (x18
trim,2s)using Monte Carlo 6-DOF nonlinear simulation.
Table A1. The control input bounds of the propellers
k(xtrim Utrim Tw, min Tw, max Tt, min Tt, max Td12, min Td12, max Td34, min Td34, max TdDiag, min TdDiag, max
index) (m/s) (N) (N) (N) (N) (N) (N) (N) (N) (N) (N)
1 20.0 −13,043.4 1,956.6 −1,216.5 3,783.5 −326.1 326.1 −326.1 326.1 −480.8 480.8
2 22.5 −12,915.8 2,084.2 −1,732.7 3,267.3 −347.4 347.4 −347.4 347.4 −607.8 607.8
3 25.0 −12,850.1 2,149.9 −1,297.7 3,702.3 −358.3 358.3 −358.3 358.3 −601.4 601.4
4 27.5 −12,465.6 2,534.4 −870.8 4,129.2 −422.4 422.4 −422.4 422.4 −435.4 435.4
5 30.0 −12,035.9 2,964.1 −847.9 4,152.1 −494.0 494.0 −494.0 494.0 −423.9 423.9
6 32.5 −12,020.7 2,979.3 −481.6 4,518.4 −496.5 496.5 −496.5 496.5 −240.8 240.8
7 35.0 −11,334.2 3,665.8 −324.5 4,675.5 −611.0 611.0 −611.0 611.0 −162.3 162.3
8 37.5 −10,365.5 4,634.5 −352.4 4,647.6 −772.4 772.4 −772.4 772.4 −176.2 176.2
9 40.0 −9,788.1 5,211.9 −169.6 4,830.4 −868.6 868.6 −868.6 868.6 −84.8 84.8
10 42.5 −5,392.8 9,607.2 −718.7 4,281.3 0.0 0.0 0.0 0.0 0.0 0.0
11 45.0 −5,799.4 9,200.6 −706.9 4,293.1 0.0 0.0 0.0 0.0 0.0 0.0
12 47.5 −2,821.8 12,178.2 −993.6 4,006.4 0.0 0.0 0.0 0.0 0.0 0.0
13 50.0 −3,636.2 11,363.8 −1,226.7 3,773.3 0.0 0.0 0.0 0.0 0.0 0.0
14 52.5 −4,588.7 10,411.3 −2,491.1 2,508.9 0.0 0.0 0.0 0.0 0.0 0.0
15 55.0 −4,455.3 10,544.7 −3,665.1 1,334.9 0.0 0.0 0.0 0.0 0.0 0.0
16 57.5 −499.6 14,500.4 −795.6 4,204.4 0.0 0.0 0.0 0.0 0.0 0.0
17 60.0 −772.9 14,227.1 −784.0 4,216.0 0.0 0.0 0.0 0.0 0.0 0.0
18 62.5 −520.1 14,479.9 −816.0 4,184.0 0.0 0.0 0.0 0.0 0.0 0.0
produced by the rst propeller on the wing is trimmed at T1=4347.8N
(see Table 1). Thus, the lower and upper bounds of T1are 0−4347.8=
−4347.8Nand5000 −4347.8=652.2N. We then allocate this range
of T1to longitudinal and lateral controls equally, which gives us up-
per and lower bounds of −4347.8/2=−2173.9Nand652.2/2=326.1
N, respectively, for the longitudinal and lateral controls. For longitudi-
nal controls, by (7), we have Tw, mi n =−2173.9×6=−13043.4and
Tw, max =326.1×6=1956.6(see Table A1). For lateral controls,
we assume symmetric upper and lower bounds. Thus, by (8), we have
Td12, max =−Td12, min =min(|−2173.9|,326.1) =326.1N (see Table A1).
Note that the bounds of Td12,Td34,andTdDiag are zero at higher airspeed
trim states {xk
trim}18
k=10 (Utrim ≥42.5m/s) because we do not utilize the
022003-15
T.-W. HSU JOURNAL OF THE AMERICAN HELICOPTER SOCIETY
Fig. 11. Safety guarantee of the transition between neighboring trim states.
thrusters to control the lateral dynamics when the aircraft is in near-cruise
or cruise congurations.
Proof of Proposition 1
For the brevity of notations, we denote BRTi(Li,T) as BRTi(T),where
i=full, long, lat. Proving (40) is equivalent to proving
z∈BRTfull(T) ⇔z∈proj−1(BRTlon(T)) ∩proj−1(BRTlat(T)).
Consider the trajectory z(t)of the full dynamics in (35) with time t∈
[−T,0] and the initial state z=z(t)at initial time −T. By denition of the
backward reachable tube in (2), we have
z∈BRTfull(T) ⇔∀(γlon,γ
lat )∈full,∃(ulon ,ulat )∈Ufull,
s.t. ∃t∈[−T,0] s.t. z(t)∈Lfull.(A1)
Because flon and flat are fully decoupled in controls and disturbance,
z∈BRTfull(T) ⇔∀γlon,∃ulon ,s.t. ∃tlon ∈[−T,0],xlon(tlon )∈Llon ∧
∀γlat,∃ulat ,s.t. ∃tlat ∈[−T,0],xlat(tlat )∈Llat ,
(A2)
where xlon(·)solves (12) for (xlon0 ,t0)=(projlon (z),−T)and xlat (·)solves
(14) for (xlat0,t0)=(projlat (z),−T).
Note that “⇐” of (A2) only holds if both Llon and Llat are robustly
control invariant by taking tin (A1) as max{tlon,tlat }, since once for all
t∈[ti,0] ,xi(ti)∈Li(i=long, lat) due to the control invariance. Then,
(A2) becomes
z∈BRTfull(T) ⇔xlon ∈BRTlon(T) ∧xlat ∈BRTlat(T ),(A3)
where xlon =projlon(z)and xlat =projlat (z). By Corollary 2 of Ref. 16,
(A3) becomes
z∈BRTfull(T) ⇔z∈proj−1(BRTlon(T)) ∩proj−1(BRTlat(T))
Proof of Proposition 2
We prove this proposition by proving that the projection of the for-
ward reachable set of Lfull to each subsystem is the forward reachable
sets of Llon and Llat, respectively. First, the forward reachable set of a set
Lfor the dynamics ˙
x(t)=f(x(t),u(t),d(t)) is dened as
FRS(L,T) ={ˆx∈RN∀γ∈[0,T],∃u(·)∈U[0,T] ,s.t. ∃x∈L,
x(T) =ˆxwhere x(·)solves (1) for (x0,t0)=(x,0)}.(A4)
Consider the trajectory z(t)of the full dynamics in Eq. (35) with
time t∈[0,T]and the initial state z=z(t)at initial time 0. Then,
projlon(z(t)) =xlon(t),wherexlon(·)solves (12) with an initial state and
time (projlon(z),0). Similarly, projlat(z(t)) =xlat (t)where xlat (·)solves (14)
with initial state and time (projlat (z),0). From these facts, by denition,
022003-16
TOWARDS FLIGHT ENVELOPE PROTECTION FOR THE NASA TILTWING eVTOL FLIGHT MODE TRANSITION 2024
Fig. A1. Forward reachable tubes of the longitudinal and lateral dynamics at trim states {xk
trim}18
k=1.
proji(FRS(L,T)) =FRSi(Li,T) for i=lon,lat. Thus,
FRSfull (L,T) =proj−1(FRSlon (Llon ,T)) ∩proj−1(FRSlat (Llat ,T)).
Finally, (41) is proved by noticing the fact that
FRT(L,T) =
t∈[0,T]
(FRS(L,t)).
Forward reachable tubes of all trim states
The computed forward reachable tubes of the longitudinal and lateral
dynamics of all trim states are shown in Figs. A1(a), A1(b), A1(c), and
A1(d).
References
1Parker, D. V., & Hansman, R. J., Jr., “Scaling Constraints for Urban
Air Mobility Operations: Air Trafc Control, Ground Infrastructure, and
Noise,” Proceedings of the 2018 Aviation Technology, Integration, and
Operations Conference, Atlanta, GA, June 25–29, 2018.
2Milz, D. & Looye, G., “Tilt-Wing Control Design for a Unied Con-
trol Concept,” Proceedings of the AIAA SciTech Forum, San Diego, CA,
January 3–7, 2022.
3Hill, B. P., et. al., “UAM Vision Concept of Operations (ConOps)
UAM Maturity Level (UML) 4,” NASA TM 20205011091, 2020.
4Federal Aviation Administration, U.S. Department of Transporta-
tion, “Standard Airworthiness Certication Regulations: Title 14,” Code
of Federal Regulations, 2023.
5Boeing Commercial Aircraft, “Statistical Summary of Commercial
Jet Airplane Accidents – Worldwide Operations 1959 – 2021,” Statistical
Summary, 2022.
6Mitchell, I., and Tomlin, C., “Level Set Methods for Computation in
Hybrid Systems,” Proceedings of the 3rd International Workshop on Hy-
brid Systems: Computation and Control (HSCC), Pittsburgh, PA, USA,
March 23–25, 2000.
7Whiteside, S. K. S., et. al., “Design of a Tiltwing Concept Vehi-
cle for Urban Air Mobility,” NASA/TM–20210017971, NASA Langley
Research Center, Hampton, VA, NASA Ames Research Center, Moffett
Field, CA, 2021.
8Bayen, A. M., Mitchell, I. M., Oishi, M. M., and Tomlin, C. J., “Air-
craft Autolander Safety Analysis through Optimal Control-Based Reach
Set Computation,” AIAA Journal of Guidance, Control, and Dynamics,
Vol. 30, (1), 2007, pp. 68–77.
9Mballo, C. E., and Prasad, J. V. R., “Real Time Rotor Component
Load Limiting via Model Predictive Control,” Proceedings of the 75th
Annual Forum of the Vertical Flight Society, Philadelphia, PA, May 13–
16, 2019.
10Belcastro, C. M., et. al., “Aircraft Loss of Control Problem
Analysis and Research toward a Holistic Solution,” AIAA Jour-
nal of Guidance, Control, and Dynamics, Vol. 40, (4), 2007,
pp. 733–775.
11Wilborn, J., and Foster, J., “Dening Commercial Transport Loss-
of-Control: A Quantitative Approach,” Proceedings of the AIAA At-
mospheric Flight Mechanics Conference and Exhibit, Providence, RI,
August 16–19, 2004.
022003-17
T.-W. HSU JOURNAL OF THE AMERICAN HELICOPTER SOCIETY
12Lombaerts, T., Schuet, S., Wheeler, K., Acosta, D. M., and
Kaneshige, J. “Safe Maneuvering Envelope Estimation Based on a
Physical Approach,” Proceedings of the AIAA Guidance, Navigation,
and Control (GNC) Conference, Boston, MA, August 19–22, 2013.
13Lombaerts, T., Schuet, S., Wheeler, K., Acosta, D. M., and
Kaneshige, J. “Robust Maneuvering Envelope Estimation Based on
Reachability Analysis in an Optimal Control Formulation,” Proceedings
of the 2013 Conference on Control and Fault-Tolerant Systems, Nice,
France, (IEEE SysTol), October 9–11, 2013.
14Lygeros, J., “On Reachability and Minimum Cost Optimal Con-
trol,” Automatica, Vol. 40, (6), June 2004, pp. 917–927.
15Oishi, M., and Tomlin, C. “Switched Nonlinear Control of a VS-
TOL Aircraft” Proceedings of the IEEE Conference on Decision and
Control (CDC), Phoenix, AZ, December 7–10, 1999.
16Chen, M., Herbert, S., Vashishtha, M. S., Bansal, S. and Tomlin, C.
J., “Decomposition of Reachable Sets and Tubes for a Class of Nonlinear
Systems,” IEEE Transactions on Automatic Control, Vol. 63, (11), 2018,
pp. 3675–3688.
17Lu, Z., Hong, H., Gerdts, M., and Holzapfel, F., “Flight Enve-
lope Prediction via Optimal Control-Based Reachability Analysis,” AIAA
Journal of Guidance, Control, and Dynamics, Vol. 45 (1), 2022, 185–
195.
18Evans, L., and Souganidis, P. E., “Differential games and repre-
sentation formulas for solutions of Hamilton-Jacobi-Isaacs equations,”
Indiana University Mathematics Journal, Vol. 33, (5), 1984, pp. 773–
797.
19Bansal, S., Chen, M., Herbert, S., and Tomlin, C. J., “Hamilton-
Jacobi Reachability: A Brief Overviewand Recent Advances,”
Proceedings, of the IEEE 56th Conference on Decision and Con-
trol (CDC), Melbourne, Australia, December 2–15, 2017.
20Johnson, W., “NDARC. NASA Design and Analysis of Rotorcraft,”
NASA/TP-2015-218751, NASA Ames Research Center, Moffett Field,
CA, 2015.
21Drela, M. Flight Vehicle Aerodynamics. MIT Press, Cambridge,
MA, 2014.
22How, J. P., “Aircraft Stability And Control,” MIT OpenCourseWare
(License: Creative Commons BY-NC-SA), 2004.
23Kraft, D., “A Software Package for Sequential Quadratic Program-
ming,” Technical Report DFVLR-FB 88-28, DLR German Aerospace
Center – Institute for Flight Mechanics, Koln, Germany, 1998.
24Fisac, J. F., Chen, M., Tomlin, C. J, and Sastry, S. S. “Reach-Avoid
Problems with Time-Varying Dynamics, Targets and Constraints,” Pro-
ceedings of the 18th International Conference on Hybrid Systems: Com-
putation and Control, Seattle, WA, April 14–16, 2015.
25Lygeros, J., Tomlin, C. J., and Sastry, S. S. “Controllers for Reacha-
bility Specications for Hybrid Systems,” Automatica, Vol. 35, (3), 1999,
pp. 349–370.
26Tomlin, C. J., Pappas, G. J., and Sastry, S. S. “Conict Resolution
for Air Trafc Management: A Study in Multiagent Hybrid Systems,”
IEEE Transactions on Automatic Control, Vol. 43, (4), 1998, pp. 509–
521.
27Mitchell, I. M., “A Toolbox of Level Set Methods (version 1.1),”
Department of Computer Science, University of British Columbia, Van-
couver, BC, Canada, Tech. Rep. TR-2007-11, June 2007.
28Drela, M., “QPROP Formulation,” MIT Aeronautics and Astronau-
tics, Cambridge, MA, 2006.
022003-18
