Design of Guaranteed Safe Maneuvers Using Reachable Sets:Autonomous Quadrotor Aerobatics in Theory and Practice∗

Jeremy H. Gillula†, Haomiao Huang†, Michael P. Vitus†, and Claire J. Tomlin

Abstract— For many applications, the control of a complexnonlinear system can be greatly aided by modeling the systemas a collection of simplified hybrid modes, each representinga particular operating regime or portion of the state space.An example of this is the decomposition of complex aerobaticflights into sequences of discrete maneuvers, an approach thathas proven very successful for both human piloted and au-tonomously controlled aircraft. However, a critical componentof designing such control systems for autonomous flight is toensure the safety and feasibility of transitions between these ma-neuvers. This work presents a hybrid dynamics framework forthe design of guaranteed safe switching regions in performingan autonomous backflip by a quadrotor helicopter. The regionsare constructed using reachable sets calculated via a Hamilton-Jacobi differential game formulation, and experimental resultsare presented from flight tests on the STARMAC quadrotorplatform.

I. INTRODUCTION

Modern robotic systems are growing ever more capableand complex. In particular, as UAVs grow in power andmaneuverability they require increasingly sophisticated con-trol systems to take advantage of the full range of theircapabilities. In the development of these control systems, it isoften difficult if not impossible to consider a full, nonlinearmodel of the system. Many approaches to the control ofhighly maneuverable aircraft have used statistical learningtechniques, for example by copying an expert pilot’s exampletrajectory either through machine learning or via manualcreation of approximate trajectories [2]–[4]. These methodshave been able to push the envelope of what is possiblewith autonomous control, but since they lack performanceguarantees about their stability and robustness, their use maybe limited in situations where safety is critical.

An alternate approach that allows more rigorous formalanalysis is hybrid decomposition, where the behavior ofthe system of interest is approximated as a discrete set ofsimpler modes representing the dynamics in specific regimesor portions of the state space. The decomposed hybrid model(consisting of continuous states and discrete states represent-ing the modes of the system) is then used for analysis and

J. Gillula is a Ph.D. Candidate in Computer Science, Stanford University,Stanford, CA 94305, USA jgillula@cs.stanford.edu

H. Huang is a Ph.D. Candidate in Aeronautics and Astronautics, StanfordUniversity, Stanford, CA 94305, USA haomiao@stanford.edu

M. Vitus is a Ph.D. Candidate in Aeronautics and Astronautics, StanfordUniversity, Stanford, CA 94305, USA vitus@stanford.edu

C. Tomlin is a Professor of Electrical Engineering andComputer Sciences, UC Berkeley, Berkeley, CA 94720, USAtomlin@eecs.berkeley.edu†These authors contributed equally to this work.∗An earlier version of this paper, with preliminary reachable set calcu-

lations and simulation results, was presented at ISRR 2009 [1].

Fig. 1. STARMAC quadrotor performing an autonomous backflip maneu-ver.

control. This approach has proven successful in a varietyof applications, including manipulator motion planning [5],[6], specifications for mobile robot behaviors [7], and aircrafttrajectory planning, where complex trajectories are designedby building up sequences of discrete maneuvers [8].

An important consideration in the design and control ofsystems with switched dynamics is the safety of transitionsbetween modes. For example, in the case of aircraft ma-neuver sequences it is necessary to ensure that an aircraftcompleting one maneuver is able to begin the next maneuverwithout being in an unsafe or infeasible configuration. Inthe work described above, this has been accomplished in avariety of ways. The aircraft helicopter maneuvering workused “trim states” such as steady flight or hover that theaircraft must return to after a maneuver to begin another [8],while the manipulator work has used sequences of speciallyderived Lyapunov functions to guarantee that a definedsequence could be followed [6] or analytically calculatedregions where a given motion was guaranteed to place apart in a desired configuration [5]. There has also beenextensive work in the Hybrid Systems literature on construc-tion of switching regions for mode switching in switchedsystems [9]–[11], where partitions or manifolds in the statespace are found that are regions of attraction for particularmodes or controllers. Much of this work, though, has focusedon switching under nominal conditions or sensing uncertaintyand do not explicitly consider external disturbances.

This paper introduces a novel method for the design ofprovably safe aerobatic maneuvers using hybrid dynamics

and reachability tools under the presence of external dis-turbances. This method is applied to a quadrotor helicopterperforming a backflip, where the backflip maneuver is brokeninto three main stages: impulse, drift, and recovery. Theimpulse mode initializes the rotation of the vehicle. Uponreaching the appropriate switching condition the motors areturned off for the drift mode, where the vehicle freely rotatesand falls under gravity. Finally the recovery mode brings thevehicle to a controlled hover condition. Provably safe switch-ing conditions on altitude, altitude rate, attitude, and attituderate are generated using a Hamilton-Jacobi differential gameformulation that guarantee the vehicle will successfully passthrough all three modes to arrive at a desired final state.Controlled backflips were successfully performed using theseswitching rules on the Stanford Testbed of AutonomousRotorcraft for Multi-Agent Control (STARMAC) [12] andresults from these flight tests are presented.

The use of a Hamilton-Jacobi game formulation is apromising tool for the design and verification of safe ma-neuver sequences. By constructing the reachability problemas a game between a disturbance and control, backwardsreachable sets can be calculated where a given controlleris guaranteed to either keep out of or arrive into a definedregion of the state space within some time horizon [13]. Thisformulation was first used to derive guaranteed safe switch-ing regions for a collision avoidance controller for mannedaircraft, where an evader aircraft could be guaranteed to keepsome distance away from a pursuer, but has been generalizedto a range of systems [14], [15].

The organization of this paper is as follows. Section IIdiscusses the background for the Hamilton-Jacobi differentialgame formulation for robust reachability, and the use ofreachability for maneuver sequencing and design is presentedin Section III. Flight test results with the STARMAC quadro-tor are presented in Section IV, with conclusions and futurework in Section V.

II. REACHABILITY FOR MODE SWITCHINGThe concept of backwards reachability is used in this work

as a means of generating guaranteed safe sets for modetransitions. For any given mode i, the system evolves underdynamics

x = fi(t, x, u, d) (1)

where x is the system state, u is the control input, and dis the disturbance input, where u and d are assumed to beconstrained in some sets U and D, respectively.

A. Hamilton-Jacobi Reachability

A backwards reachable set GT is defined as the set of allstates where the system can arrive in some set G0 withintime T , under some appropriate set of assumptions aboutthe disturbance and control. Two conditions are consideredhere: safety, where the goal of the control is to stay out of anundesired set in the state space that the disturbance is tryingto force the system into, and attainability, where the goalis to reach a desired set while the disturbance tries to keepthe system out of this set. The reachable sets in this work

are calculated using the technique described in Mitchell et al.with some modifications [13]. In this method, the reachabilityproblem is posed as a differential game between the controlinput and disturbance under which the disturbance choosesthe worst-case inputs to either drive the system into theundesired set or away from the desired, set and the controldoes the opposite.

1) Unsafe Sets for Safety: For safety, the consideration athand is to keep out of some undesired set, and the disturbanceis assumed to be attempting to drive the system into thisunsafe area of the state space. The unsafe set relative tothe undesired set G0 for some time T is denoted GT , and isdefined as the region of the state space where, for any controlinputs u(t) ∈ U , there exists some sequence of disturbancesd(t) ∈ D such that x(t) ∈ G0 for some t ∈ [0, T ]. Thatis, if x(0) ∈ GT , then no matter what the control does thedisturbance can drive the system into G0 in time less thanor equal to T . Conversely, if the initial state x(0) is outsideof GT , then there exists a control u(t) that keeps the systemout of G0 for up to time T .

In the game formulation, the boundary of the initial set G0

is defined as the zero level set of an appropriately selectedcost function C(x) that is negative inside G0 and positiveoutside (for an example see Fig. 2). To drive the system intothe undesired set, the disturbance is modeled as attempting tominimize C(x), while the control attempts to maximize thecost. To be conservative, the disturbance is allowed to selectits input after the control input is known. The reachabilitycalculations use a dynamic programming formulation andrequire the optimal Hamiltonian H∗(x, p) for this system,which for a particular mode i is defined as

H∗(x, p) = maxu∈U

mind∈D

pT fi(t, x, p, u, d) (2)

where p is the Hamiltonian costate.2) Capture Sets for Attainability: Symmetrically, for at-

tainability the desired goal of the controller is to drive thesystem into some desired set D0 by minimizing the costfunction, while the disturbance is assumed to be attemptingto drive the system away, thereby maximizing the costfunction. Thus a capture set DT can be defined for thesystem which guarantees that there exists a control inputthat drives the system into D0 within time T no matter whatthe disturbance does. This reverses the role of control anddisturbance, although again for robustness the disturbanceis allowed knowledge of the control input, and the optimalHamiltonian in this case is then

H∗(x, p) = minu∈U

maxd∈D

pT fi(t, x, p, u, d) (3)

3) Reachable Set Calculations: In many cases (such asthe quadrotor maneuvers described below) it can be incon-venient to use the optimal control input described by thedifferential game, and instead a particular pre-determinedcontroller may be used. This is easily accounted for bydefining a controller

u = Ci(t, x) (4)

specified for the currently active mode. The controller canbe subsumed into modified system dynamics as

x = fi(t, x, d) (5)

and the optimal Hamiltonians for safety and reachability canbe modified by removing the max and min, respectively,over u, and leaving only the the optimization over d.

Once the dynamics and initial set (and defining costfunction) are selected, the appropriate Hamiltonian of thesystem can be formulated and the backwards reachablesets calculated using the Level Set Toolbox developed atthe University of British Columbia [16]. Using the givencost function and Hamiltonian, the toolbox propagates theboundary of the level set describing the initial set of interest(either G0 or D0) backwards in time to find the sets GT andDT . This toolbox has been used in a variety of reachabilityapplications, and was used to compute the results shownlater in this paper. The specific implementation details arenot described here, but details on computing reachable setsusing the optimal Hamiltonian can be found in the toolboxdocumentation.

B. Mode Switching

The application of the backwards reachable sets to thedesign of mode switching control is pursued in the followingmanner. Given a sequence of n modes and a final desired setD0,n, the capture set for the nth mode DTncan be computedfor a relevant time horizon. Then, for the n − 1st mode, adesired set D0,n−1 is chosen where D0,n−1 ∈ DTn

, anda capture set DTn−1 can be computed that guarantees thatmode n − 1 will take the state into DTn

, where mode ncan be activated to take the state into D0,n. This can berepeated until an initial capture set DT1 is found, where ifx(0) ∈ DT1 , then x is guaranteed to be taken to D0,n throughthe defined modes where the transition from mode i to i+1occurs when x ∈ D0,i. A similar process can be conductedfor safety calculations, where an initial unsafe set GT1 canbe found that keeps the system out of G0,n through all ofthe mode transitions.

III. APPLICATION TO QUADROTOR MANEUVERSEQUENCING

A. Experimental Platform

To demonstrate the validity of this approach to maneuversequencing, this method was used to develop a backflip ma-neuver for the STARMAC quadrotor helicopter. The vehiclehas a max thrust of 800g per motor for a total max grossthrust of 3.6kg. The platform has a total weight of 1.1kgwhich leaves 2.5kg of thrust left for actuation. The vehicle isequipped with a Microstrain 3DMG-X1 inertial measurementunit (IMU) which provides three-axis attitude, attitude rateand acceleration. The resulting attitude estimates are accurateto ±2◦, so long as sustained accelerations are not maintained.Height above the ground is determined using the SenscompMini-AE (10m range) sonic ranging sensor which has anaccuracy of 3− 5cm. Computation and control are managedat two separate levels. The low level control, which performs

01

23

4

−10

−5

0

5

−4

−2

0

2

4

Attitude RateAttitude

Cost

Fun

ctio

n

Fig. 2. The zero sub-level set of an appropriate cost function is used todefine capture or unsafe regions in the state space. This is the cost functionand desired set for attitude in the recovery mode.

real-time control loop execution and outputs PWM motorcommands, occurs on an Atmega 128 processor. The highlevel planning, estimation and control occurs on a lightweightGumstix Verdex, a PXA270 based single board computerrunning embedded Linux.

B. Quadrotor Dynamics

To simplify the reachability calculations the quadrotor’sdynamics were modeled in a 2D plane, on the assumption(later verified) that the out-of-plane dynamics could be sta-bilized without affecting the vehicle’s performance or safetyduring the backflip. The planar dynamics are given as:

d

dt

xxyyφ

φ

=

x− 1mC

vDx

y− 1m (mg + CvDy)

φ

− 1IyyC

φDφ

+

0Dx

0Dy

0Dφ

(6)

+

0 0− 1m sinφ − 1

m sinφ0 0

1m cosφ 1

m cosφ0 0− lIyy

lIyy

[T1

T2

]

where the state variables x, y, and φ represent the vehicle’slateral, vertical, and rotational motion, respectively; Dx, Dy

and Dφ are disturbances; and constant system parameters aregiven by m for the vehicle’s mass, g for gravity, CvD for lineardrag1, CφD for rotational drag, and Iyy for the moment ofinertia. Six-dimensional problems are currently not tractableusing the Level Set Toolbox, so the system’s states weredivided into three sets for independent analysis: the rotational

1It should be noted that for simplicity the vehicle’s drag was modeled aslinear, an assumption that was later shown via experiment to be sufficientlyaccurate.

Recovery Drift Impulse

Fig. 3. The backflip maneuver, broken down into three modes. The vehicletravels from right to left, spinning clockwise as it does so. The size of eacharrows indicates the relative thrust from each rotor.

dynamics were analyzed to ensure the attainability of thebackflip; the vertical dynamics were analyzed to ensuresafety (i.e. that the vehicle remained above some minimumaltitude); and the horizontal dynamics were ignored forsimplicity.

C. Backflip Attainability

For the purpose of guaranteeing attainability the backflipwas divided into three modes, as shown in Fig. 3: impulse,in which the rotation of the vehicle is initialized; drift,where the vehicle freely rotates and falls under gravity; andrecovery, which brings the vehicle to a controlled hovercondition.2

Each mode was designed using the method described inSection II-B. To provide further detail on this process, eachmode is described in reverse order below.

1) Recovery: The final target set for the recovery modewas chosen to be φ = 0± 5◦, φ = 0± 10◦/sec, essentiallya stable hover configuration. As described in Section II-A.3, a fixed controller (in this case a standard PD controlleron φ) was used to drive the vehicle to this configuration.(The control input u was divided between the two rotorsas T1 = Tnom − u, T2 = Tnom + u, where Tnom wasthe nominal total thrust necessary to counteract gravity.)This target set was then propagated backwards using theHamilton-Jacobi framework, taking into account the worst-case disturbances due to motor noise and wind. It shouldbe noted that the magnitude of these disturbances has asignificant impact on the resulting reachable sets; as onewould expect, if the potential worst-case disturbances aretoo large, the vehicle may not be able to reach the targetset. For this calculation (and those following) the worst-casedisturbances were determined from previous experience, andwere generally on the order of 5% of the total nominal thrustnecessary to keep the vehicle aloft. The resulting level set,as shown by region A in Fig. 4, represents the capture setfor this maneuver.

2) Drift: The same procedure was followed for the driftmode; the target set was chosen as φ = 110 ± 20◦, φ =−180 ± 185◦/sec (region B in Fig. 4), and was again

2This division was driven largely by the fact that unlike a standardhelicopter, a quadrotor’s blades have a fixed pitch, which means that aquadrotor is only capable of generating thrust in one direction. As a result,whenever the vehicle is inverted any thrust generated by its rotors mustpropel it downward. Thus, to successfully complete a backflip maneueveron board the STARMAC vehicle with a slow rotational rate (e.g. around400◦/sec), it was necessary to turn off the motors while the vehicle wasinverted to prevent the vehicle from propelling itself into the ground.

A

B

C

D

F

E

Á

Á0 1 2 3 4 5 6

-8

-6

-4

-2

0

2

Fig. 4. Composite attainable sets of the backflip maneuver are plotted inthe φ (radians) vs φ (radians/second) plane. The backflip maneuver startsin the region labeled F and ends in the region labeled A.

propagated back (this time with no control input, and thusreduced worst-case disturbances due to the lack of motornoise) to produce the capture set for the drift mode (regionC of Fig. 4).

3) Impulse: Finally, for the impulse mode, the target setwas φ = 310±10◦, φ = −287±58◦/sec (region E of Fig. 4).Once again, a fixed controller was used, and the worst-casedisturbances were chosen so as to account for motor noiseand wind. The resulting capture set is pictured in region Fof Fig. 4.

4) Motor Turnoff: Originally, it was assumed that the ro-tors would turn off instantaneously when the vehicle enteredthe drift mode; that assumption proved to be false after someinitial experiments. As a result an additional mode was addedfor the purpose of analysis. In this mode, the motor turnoff was modeled as a linear decay in the vehicle’s angularacceleration, i.e.:

τ = fsat(αt+ φ)/Iyy (7)

where fsat(y) = {y, if y < 0; 0, otherwise}, and the param-eter α was found using linear regression. These dynamicswere then propagated forward from the target set of theimpulse mode; the resulting level set (pictured in region Dof Fig. 4) contains all possible states the vehicle could be inwhile the motors are turning off. Thus, as long as this setwas contained in the drift set, attainability of the backflipwas once again guaranteed.

D. Backflip Safety

To ensure the vehicle would perform the backflip safely,a similar procedure to that described for attainability wasused. First, a final unsafe set was chosen to represent allconfigurations the vehicle would need to avoid during therecovery mode. Because the vehicle’s rotational and verticaldynamics are coupled during powered thrust, however, it wasfirst necessary to find a way to decouple them so that safetycould be analyzed solely in the vertical state space. This

y

y

-2 0 2 4 6 8 10 12 14 16 18-15

-10

-5

0

5

10

15UnsafeRecoveryDrift

Fig. 5. Unsafe vertical sets of the backflip maneuver are plotted in the y(meters) vs y (meters/second) plane. As long as the vehicle begins a givenmode outside that mode’s unsafe set, safety is guaranteed.

decoupling was accomplished by taking advantage of the factthat the recovery mode was designed to use a fixed controllaw. As a result, a nominal trajectory could be generated thatcould then be plugged into the system dynamics, allowingthe backwards reachable set to be computed as usual bypropagating it backward for a fixed time Tr, based onthe maximum time that the rotational part of the recoverymode could take. The resulting level set indicates all theconfigurations in which it would be unsafe for the vehicle toenter the recovery mode.

In the drift mode the rotational and vertical dynamicsdecouple, and so the unsafe set for the drift mode wasgenerated by propagating backward the unsafe recovery setunder the vertical dynamics. Once again, this was done for afixed time Td, based on the maximum length of the maneuveras calculated from the rotational dynamics. The resultinglevel set represents all the configurations in which it wouldbe unsafe for the vehicle to enter the drift mode.

For the impulse mode it was assumed that there wouldbe no loss in altitude, due to the fact that the impulsemode was designed so that the vehicle’s thrust would alwaysbe upward during this mode. The resulting unsafe sets arepictured in Fig. 5; as long as the vehicle began each modeoutside the unsafe set for that mode, the overall safety of thesystem was guaranteed. To ensure that the vehicle began theentire maneuver outside of these unsafe sets, an additionalpreliminary climb mode was added before the impulse mode,in which the vehicle would accelerate upward until it reacheda safe altitude and velocity.

IV. RESULTSA mosaic of one of the demonstrations of the backflip

maneuver is shown in Fig. 7. Fig. 7(a) depicts the quadrotorafter the initial climb mode which is the start of the impulsemode, and Fig. 7(b) is at the end of the impulse mode andat the beginning of the drift mode. Figs. 7(b)-(f) display theentire drift portion of the maneuver and Fig. 7(e) shows thequadrotor inverted. Finally, Figs. 7(f)-(j) display the recovery

A

B

C

D

F

E

0 1 2 3 4 5 6

-8

-6

-4

-2

0

2

φ

φ

Fig. 6. Three experimental validations (solid, dash and dash-dot lines) ofthe backflip maneuver overlaid on the composite reach sets. The transitionsfrom the impulse to drift mode are shown as black diamonds which arecontained in region E, and the transitions from the drift to the recoverymode are indicated by the black squares that are confined to region B.

mode of the backflip maneuver which successively returnsthe quadrotor to a safe condition of φ = 0◦ and φ = 0◦/sec.Video of the backflip maneuver can be viewed at http://hybrid.eecs.berkeley.edu/aerobatics.html.

Fig. 6 shows the (φ, φ) trajectory of three experimentalvalidations through the designed attainable sets for the back-flip maneuver. As the figure illustrates, the trajectories arecontained within the capture sets for each maneuver. Thetransition between the impulse and drift modes is denotedby a black diamond, and the transition between the drift andrecovery modes is indicated by a black square. The switchbetween the maneuvers are contained within each of theirgoal regions, E and B, respectively. When the quadrotorswitches into the drift mode, it takes approximately 0.2seconds for the motors to spin down which explains whythe quadrotor is still accelerating at the beginning of the driftmaneuver. Table I displays the time spent in each mode foreach experimental validation.

A. Backflip Safety

Fig. 8 displays the unsafe vertical reachable sets and theswitching points for the three experimental validations of themaneuver. The blue points correspond to entering into thedrift mode and the orange points correspond to entering intothe recovery mode. As the figure illustrates, all the pointsare outside of their respective unsafe set and therefore the

TABLE ITHE AMOUNT OF TIME SPENT IN EACH MODE FOR EACH EXPERIMENTAL

TRIAL OF THE BACKFLIP MANEUVER.

Impulse Drift Recovery(sec.) (sec.) (sec.)

Trial 1 0.55 0.55 2.56Trial 2 0.50 0.55 5.54Trial 3 0.55 0.61 4.70

(a) (b) (c) (d) (e)

(f) (g) (h) (i) (j)Fig. 7. A mosaic of the successful demonstration of the backflip maneuver. (a): The quadrotor has finished the climb portion of the backflip and is startingthe impulse mode. (b): The quadrotor has finished the impulse stage and is entering into the drift portion. (b)-(f): Display of the drift stage of the backflip.(f): The drift mode is concluding and the recovery mode has started. (f)-(j): The recovery mode is safely returning the quadrotor to its hovering position.

vehicle can safely perform the maneuver without hitting theground. Fig. 9 displays the pitch of the quadrotor throughoutthe maneuver which is within ±5◦ for almost the entiremaneuver. This validates the assumption that the backflipmaneuver can be modeled in the 2D (φ, φ) plane.

Finally, it should be noted that while the results of onlythree trials are presented here, several additional trials werealso conducted, with varying levels of success. However,these other trials were unsuccessful solely due to factorsoutside the scope of the reachable set analysis. For example,some trials failed because of human error, in the form of bugsin the code running on the vehicle. Others were unsuccessfuldue to hardware malfunctions (e.g. a broken sonic ranger, orsaturation of the IMU’s accelerometers). As every roboticistknows, these sorts of failures are typical when making thetransition from theory to “real” engineering. However, they

y

y

-2 0 2 4 6 8 10 12 14 16 18-15

-10

-5

0

5

10

15UnsafeRecoveryDrift

Fig. 8. Three experimental validations (×, +, and •) of the backflipmaneuver. The light blue symbols correspond to the when the vehicleentered into the drift mode and the orange symbols correspond to whenthe vehicle entered into the recovery mode. Since all points are outside oftheir respective reachable set, the vehicle was safe to execute the maneuver.

also serve a useful purpose: they underscore the importanceof understanding the limititations that arise when applyingguarantees generated by provably safe techniques to real-world robots.

V. CONCLUSIONS AND FUTURE WORKS

Reachable set analysis was successfully used to examineand design an autonomous backflip maneuver. The analy-sis provided a theoretical proof that under the worst casebounded disturbances, which account for modeling errorsand external disturbances such as wind, the quadrotor wouldsafely complete the complicated maneuver. The backflipmaneuver was split into three main stages: impulse, driftand recovery in which switching conditions were providedto ensure a safe transition between the three different modes.The impulse mode begins the rotation of the vehicle. Duringthe drift mode of the maneuver, the motors are turned offto prevent a severe loss of altitude since the motors cannotprovide reverse thrust. Finally, the recovery mode stabilizesthe vehicle at a controlled hover condition. The aerobaticmaneuver was successfully demonstrated on the STARMACquadrotor platform.

The success of several trials, coupled with the failure ofseveral others (due to human error or hardware malfunctions)

0 2 4 6−5

0

5

10

Time (seconds)

Pitc

h (d

egre

es)

Pitch vs Time

Fig. 9. Experimental data from a single run of the backflip maneuvershowing the out-of-plane pitch (degrees) of the quadrotor throughout themaneuver.

emphasize how useful the presented methodology can be.Because practical robotics can be fraught with engineeringchallenges that can cause robots to fail, it is all the moreimportant that as many guarantees as possible about safetybe made. The reachable set framework presented here isone useful way to make such guarantees. While it cannoteliminate all possible failure modes, it can help to ensurethat under reasonable circumstances a robot will perform itstasks in a provably safe manner.

There are several interesting areas of future work thatthe authors wish to explore. First, a method of describingthe reachable sets in a parametric way will be explored.In the current framework, the resulting reachable set isgreatly dependent on the parameters used when generatingit. Consequently, if the parameters change then the entirereachable set needs to be recalculated offline. If the reachableset could be described parametrically, then the effect of asimple parameter change could be computed online whichwould facilitate a more expressive maneuver. Second, thereachable set analysis was performed on a continuous timemodel for the dynamics of the vehicle, but the imple-mentation of the maneuver was performed on a discretecomputing platform. Therefore, the vehicle may pass throughthe switching regions without knowing it. Even though inall of the experiments that were conducted this wasn’t anissue, it still raises an important area of future work. Third,the gyros in the IMU used in the experimental validationof the maneuver saturate around ±450◦/sec in practice. Themaneuver was designed in such a way to avoid saturating theIMU, but a more rigorous analysis would include the statesthat saturate the IMU as unsafe and a reach-avoid operatorwould be used to compute the reachable set.

ACKNOWLEDGMENTS

The authors would like to thank Tony Mercer for hisassistance in performing the flight tests presented in thiswork.

REFERENCES

[1] J. H. Gillula, H. Huang, M. P. Vius, and C. J. Tomlin, “Designand analysis of hybrid systems, with applications to robotic aerialvehicles,” in Proceedings of the International Symposium of RoboticsResearch (ISRR), Lucerne, Switzerland, August 2009.

[2] A. Coates, P. Abbeel, and A. Y. Ng, “Apprenticeship learning forhelicopter control,” Commun. ACM, vol. 52, no. 7, pp. 97–105, 2009.

[3] V. Gavrilets, I. Martinos, B. Mettler, and E. Feron, “Flight testand simulation results for an autonomous aerobatic helicopter,” inProceedings of the 21st Digital Avionics Systems Conference, 2002,pp. 8.C.3/1–6, dOI: 10.1109/DASC.2002.1052943.

[4] P. Abbeel, A. Coates, M. Quigley, and A. Y. Ng, “An application ofreinforcement learning to aerobatic helicopter flight,” in In Advancesin Neural Information Processing Systems 19. MIT Press, 2007, p.2007.

[5] T. Lozano-Perez, M. T. Mason, and R. H. Taylor, “Automatic Synthesisof Fine-Motion Strategies for Robots,” The International Journal ofRobotics Research, vol. 3, no. 1, pp. 3–24, 1984.

[6] R. Burridge, A. Rizzi, and D. Koditschek, “Sequential compositionof dynamically dexterous robot behaviors,” International Journal ofRobotics Research, vol. 18, no. 6, pp. 534–555, 1999.

[7] H. Kress-Gazit, G. E. Fainekos, and G. J. Pappas, “Translatingstructured english to robot controllers,” Advanced Robotics SpecialIssue on Selected Papers from IROS 2007, vol. 22, no. 12, pp. 1343–1359, 2008.

[8] E. Frazzoli, M. A. Dahleh, and E. Feron, “Maneuver-based motionplanning for nonlinear systems with symmetries,” IEEE Transactionson Robotics, vol. 21, no. 6, pp. 1077–1091, 2005.

[9] M. Zefran and J. W. Burdick, “Stabilization of systems with changingdynamics,” in Hybrid Systems: Computation and Control Conference,Berg en Dal, the Netherlands, 1999.

[10] M. Lazar and A. Jokic, “Synthesis of trajectory-dependent controllyapunov functions by a single linear program,” in Hybrid Systems:Computation and Control Conference, San Francisco, California, 2009.

[11] M. Egerstedt, T. J. Koo, F. Hoffmann, and S. Sastry, “Path planningand flight controller scheduling for an autonomous helicopter,” inHybrid Systems: Computation and Control Conference, Berkeley,California, 1998.

[12] G. M. Hoffmann, H. Huang, S. L. Waslander, and C. J. Tomlin,“Quadrotor helicopter flight dynamics and control: Theory and experi-ment,” in Proceedings of the AIAA Guidance, Navigation, and ControlConference and Exhibit, Hilton Head, SC, August 2007.

[13] I. M. Mitchell, A. M. Bayen, and C. J. Tomlin, “A time-dependenthamilton-jacobi formulation of reachable sets for continuous dynamicgames,” IEEE Transactions on Automatic Control, vol. 50, no. 7, pp.947–957, 2005.

[14] M. Oishi, I. M. Mitchell, A. M. Bayen, and C. J. Tomlin, “Invariance-preserving abstractions of hybrid systems: Application to user interfacedesign,” IEEE Transactions on Control Systems Technology, vol. 16,no. 2, pp. 229–244, 2008.

[15] J. Ding, J. Sprinkle, S. S. Sastry, and C. J. Tomlin, “Reachabilitycalculations for automated aerial refueling,” in Proceedings of the 47thIEEE Conference on Decision and Control, Cancun, Mexico, 2008.

[16] I. Mitchell, A Toolbox of Level Set Methods, 2009, http://people.cs.ubc.ca/∼mitchell/ToolboxLS/index.html.