Integrated Supervised Adaptive Control for the More Electric Aircraft

The innovative concept of Electric Aircraft is a challenging topic involving different control objectives. For instance, it becomes possible to reduce the size and the weight of the generator by using the battery as an auxiliary generator in some operation phases. However, control strategies with different objectives can be conflicting and they can produce undesirable effects, even instability. For this reason an integrated design approach is needed, where stability can be guaranteed in any configuration. In other words, the design of the supervisory controller must be interlaced with that of low-level controllers. Moreover, uncertainties and noisy signals require robust control techniques and the use of adaptiveness in the control algorithm. In this paper, an aeronautic application aiming at recharging batteries and to use the battery to withstand generator overloads is addressed. Detailed and rigorous stability proofs are given for any control configuration, including the switching phases among different control objectives. Effectiveness of the proposed strategies is shown by using a detailed simulator including switching electronic components.


Introduction
In July 2018 the flight of the Norway's transport minister in an aircraft completely powered by electric energy was the first step towards the decision of providing Norway with a fleet of electric planes by 2040 [11]. A small airline based in Vancouver is currently working for commercial flights done by a purely electric aircraft to be operative in 2022 [24].
The above are just two examples of what is now considered the future of flight, i.e., the "electric plane" [21], an idea that has been addressed since the beginning of the century, with the preliminary concept of More-Electric Aircraft (MEA [17]). A detailed review of opportunities and potential for electric aircraft, with a chronological presentation of the associated technologies, is presented in [14], with emphasis on the reduction of the empty weight of the aircraft, on the benefits in terms of safety and reliability (due to increased fault-tolerance), and on reduction of maintenance costs (due to reduction of moving parts). Under the generic umbrella of "Electric Aircraft" different targets and opportunities are comprised. Major advancements are required in the field of electric battery enhancement, e.g., by using fuel cells [27] to replace current gas turbine APU (Auxiliary Power Units) or even for fuelling electrically powered fan (E-Fan) [15,32]. Other crucial points are the increase of generator power density (in terms of power per unit of weight), and in general, all the issues related to dramatic changes in electric power generation, distribution and management [25].
The role, the opportunities and the needed development for electric machines and motors have been widely analysed [35], and the potential for improvement in this field is clearly acknowledged, see [5], [26] for exhaustive discussions on this topic. In contrast to the well-assessed interest in electric system and power electronic field, the new requirements in the field of Automatic Control is not clearly pointed out. The standard approach to controller design for MEA applications starts from a two-layer based modelling phase, resulting in functional models and behavioural models [36].
Referring to the case of DC-DC power converters, that is of interest in this paper, the functional modelling produces nonswitching averaged models, that are employed to assess system dynamics and stability, while behavioural models are intended to model high-frequency phenomena, including commutation for switching devices. The next step in most cases, is to employ simple standard controllers (PI and PID) for low-level control [9], while high-level strategies aiming at the interaction of different controlled devices are based on ingenuous heuristic approaches. This naïf approach is reasonable in the classic approach of the Power Electronic field, where the focus is on the topology of the converter and the modulation techniques (see [16] and references therein for a broad analysis), while the details of the control law receive marginal attention since the PI usually suffices. In some cases, due to the simplicity of the functional model, only very rough simulations are carried out, and the focus is moved to the experimental implementation (see, for instance [37], where different controllers are tested with this approach). This methodology is effective when single control tasks are considered, with only one working condition around which the controlled system evolves during time. But in the case of multiple tasks, this kind of approach is limited from the control point of view, because it is implicitly based on the linearised model of the system and is neither able to deal with large variations of the variable, nor guarantee global or semiglobal stability. A more rigorous approach uses sliding mode control (both standard [29], [33] and second-order [28]). One of the difficulties faced with this approach is to produce a control signal that can be implemented with a PWM modulation [20], that is the standard technology used in converter's drives.
In addition, in the case of multiple tasks, when the operative point changes also the control must change. Different from the above approach, from the automatic control point of view there is the need for integration between the design of the low-level layer, basically controlling the single devices (power converters, motors, generators) and highlevel control, defining how different controlled device interface each other when control objectives change. Indeed, a typical and well-known problem arise when two controlled devices behave like constant-power load, due to the action of the controller, and this can even result into instability [13]. Even more subtle is the case of a supervisory control action autonomously switching among different stable configurations, e.g., due to changing control objective. Also in this case, counterexamples have been discovered showing that switching among stable configurations can result into overall instability [4]. The above drawbacks can be explicitly dealt with by co-designing high-level and low-level control. Specifically, low-level controllers must fulfil standard requirements (e.g., closed-loop stability, robustness) but they must also produce an estimate of the region of attraction. On the other side, high-level control must reformulate control objectives so as to adapt their action to the current condition of the controlled system, with reference to the regions of attraction mentioned above.
Recently, a multi-objective problem for the MEA involving the control of a bidirectional DC-DC converter has been addressed by the authors. Specifically, the aircraft power grid can be modelled as a simple two-busbars system [31], one high voltage (HV) DC bus at 270V and a low voltage (LV) DC bus at 28V, with a DC-DC bidirectional converter in between. The HV bus is energised by a starter-generator followed by a rectifier. On the HV side all the "heavy" loads are present (e.g., anti-icing and de-icing). On the LV side a battery is located, for avionics and emergency conditions. In normal operating conditions the battery is charged by the generator (so the battery is a further load for the generator). Since generator sizing is based on its capability to withstand large loads for more than 5s, (the so-called 5s-5 min capability [6]) the idea is to use the battery to help the generator in the case of overload, so as to reduce generator sizing (and weight). It is clear from the above discussion that the battery must be able to supply power to the HV size within 5s from the request, so as to comply with the 5s-5 min constraint. In [7] a solution employing high-gain control has been proposed, with an approach with properties similar to the classic Integral Sliding Control [34], i.e., the state starts directly from a well-defined sliding manifold and remains in a neighbourhood of it thereafter. Moreover, when the state is on the manifold the closed-loop system behaves like a linear system, with apparent advantages in terms of simplicity and global stability. However, the crucial point in this design is that the parameters of the system have to be exactly known in order to compute a suitable control gain. A way to overcome this limitation is use data-mining algorithms with a learning phase [8]. Another approach, considered in this paper, is to use an adaptive approach to directly estimate this gain. The use of adaptive approaches is not new in power converter control design. In [23] an adaptive design is proposed for a DC/DC converter for electric vehicles. However, this approach in based only on steady-state consideration, hence it cannot deal with stability issues. A rigorous approach, based on output regulation and an asymptotic computation of the stabilising feedback, is presented in [18], where only the case of a boost converter is considered. Also in [22] an adaptive approach is proposed for the control of a buck converter, training the parameters of a neural network until a stabilising control action is achieved. The adaptive approach has proved to be effective when the load has to be estimated, as in [1], where the control of a boost converter is addressed. Recently, in [2] an approach based on stability analysis of switched systems has been proposed and applied to a Flyback converter. Finally, an adaptive approach producing a sliding mode controller for a boost converter has been proposed in [12]. All the above approaches focus on e single objective, e.g., a current or a voltage regulation. The strategy proposed in this paper focusses on two different objectives The rest of the paper is organised as follows. Section 2 presents the model of the bidirectional converter to control, along with some physical considerations. Section 3 is the core of the paper and presents the mathematical results. It is split into three different subsections, showing the uniform stability of the controlled system, the stability of the adaptive control laws with different control objectives, and the supervisory control, respectively. All the strategies are presented with a single, integrated design approach taking into account an estimate of the Regions of Attraction of the control as a vital part of the design. Section 4 presents a possible implementation of the integrated strategy discussed in Section 3, along with detailed simulation to test the effectiveness of the proposed. Finally, some conclusions are presented in Section 5.

BBCU Model
The BBCU bidirectional converted considered in this paper is shown in Figure 1. This circuit is representative of the HV and LV buses on-board aircraft. As stated in the Introduction, the HV side voltage source is a three-phases generator undergoing rectification which is here schematically represented as an ideal DC voltage generator E H and its internal resistance R H . Also the battery on the LV side is represented by an ideal voltage generator E L and its internal resistance R L . The bidirectional converter employs an inductor L and two capacitors, one for each side, C H and C L for the HV and the LV side, respectively. The circuit modulates power due to two switches, Q 1 and Q 2 , which are controlled by an ON/OFF synchronised signal. Usually, with PWM implementations, the switching frequency and duty-cycle determine the power flow and its intensity. Since only active power is of interest for this application, the load can be modelled as a resistor R D with a slowly time-varying resistance value. Therefore, a load variation will be simulated by a variation of the circuit resistance R D .
− The circuit equations are easily derived for both configurations (Q 1 OFF, Q 2 ON) and (Q 1 ON, Q 2 OFF) and can be written in a compact way asẋ x 1 is the current flowing through the inductor L, x 2 is the voltage across the capacitor C H on the HV bus side, x 3 is the voltage across the capacitor C L on the LV bus side, and the control u ∈ {0, 1} is a binary variable defining the two configurations. Note that R DH is physically the value of the resistance resulting from the parallel connection of R D and R H . Finally, we assume that E H > E L and that the resistor R H is small enough so that Physically this requirement is very reasonable, since usually R H /R D ≪ 1.

BBCU Control
The control of the BBCU is designed in a hierarchical manner. A low-level control layer is designed in order to accomplish proper current tracking capabilities while a high-level control layer is responsible for the selection of the proper BBCU operating modality according to a prescribed functional policy. Preliminarily, we point out a structural property of the system under consideration. Then we will discuss the control strategies.

Uniform Stability of the BBCU
In this Section we show that there is no loss of generality in assuming the BBCU to operate in a bounded region in the variables state space. To formally show this statement, we present the following Lemma.
proof 1 Consider a nonzero solution ξ = ξ(t) of the system (1)-(3) for a bounded u = u(t). Using the change of variables the translated system can be written asẏ Note that, due to the assumption u ∈ L ∞ , the right-hand side of (7)-(9) is locally Lipschitz in y on a domain D ⊂ R n . Now, consider the Lyapunov function whose time derivative along the trajectory of the system iṡ Thus, using [19,Theorem 4.8] the uniform stability of y = 0 is proved.
Equipped with the above Lemma, it makes sense to assume that all the variables are bounded, and in particular there exist X − 1 and positive scalars X Strictly speaking, the hypothesis of positivity of x 2 and x 3 does not come directly from Lemma 1, but is a trivial requirement in this kind of applications, and is physically sound.
Moreover, although the lemma considers the case of time-varying control u, in practical implementations the control always approaches constant values, since stepwise constant references are used. Then it will be useful to denote by T the steady-state solution of the system (1)-(3) with any fixed u in the interval [0, 1] and for a given α in (2). 1 It is of particular interest the investigation of stability of the steady-state solutions in both extreme configurations (namely u ≡ 0 and u ≡ 1, fixed). It is clear that in both configurations, system (1)-(3) reduces to an LTI system. Specifically, for u ≡ 0, the system has a globally exponentially stable equilibrium point at Analogously, when u ≡ 1, the dynamic matrix is that is clearly Hurwitz (it is sufficient to apply the Routh-Hurwitz criterion) and the globally exponentially stable equilibrium point is at These properties will be used in the next Section.

Low-Level Control
Both the battery current control and the generator current limitation are based on the definition of a sliding manifold where the sliding function σ(k, x) is where k is a design parameter. The basic idea is that when σ(k, x) = 0, i.e., the state is on the manifold S, the control objective has been achieved for a suitable value k chosen adaptively. A similar approach to this problem has already been proposed in [7] through High-Gain Control Theory and Tikhonov's Theorem on the infinite time horizon. We here just recall the final results of [7] since they will be used later in this paper. The key point is that the parameter k(t) has to be chosen so that it asymptotically approaches the value k ∞,1 , in the case of battery recharging, assuming a constant current recharge, i.e., a constant referencex 1 for the inductor current. In the case of generator current limitation, k(t) must approach 1 For the sake of notational simplicity we will drop the dependence of the solution on α hereafter. wherex 2 is a prescribed voltage reference such that the generator current does not go beyond an upper bound (see later). However, the control strategy proposed above presents several drawbacks. The parameter k in (20) and (21) is chosen assuming that the load value is known, which is not always the case in practical applications. Moreover, the computation of the parameter k is done exploiting the knowledge of most of the system parameters. This may translate into poor robustness of the control algorithm since small variations of the actual value of the system parameters cause an erroneous computation of k, thus a wrong definition of the sliding manifold. An alternative approach has been proposed in [8], where possible values of the load have been preliminarily identified by using statistic approaches, but the robustness of the approach is still an open issue. It is clear that the preferred solution is the design of an adaptive control law, yielding more robust characteristics and the capability of achieving the control goal even when the system load is not known. In this work, the parameter k(t) is chosen adaptively. In the case of battery charging with constant currentx 1 , k is chosen so as to satisfẏ with γ 1 being a positive constant to be chosen andx 1 the current reference to be tracked. It will be shown that a first order Sliding Mode Control is enforced and the control law guarantees that the sliding manifold (18) is reached in finite time. Moreover, the closed-loop system converges to an asymptotically stable equilibrium point. The above considerations are formalised in the following Theorem.
Theorem 1 (Adaptive Current Control) Consider the system (1)-(3) and the control law (23) where the sliding function is defined as in (19) and the parameter k is chosen adaptively according to (22). Assume and let |k| < K max with and choosing γ 1 > 0 such that and such that the closed-loop system has the property that for any ǫ > 0 there exist T > 0 such that Moreover, the system state reaches the positively invariant set S (18) in finite time.
proof 2 The proof is based on the Theory of Sliding Mode. First, the reaching and the existence conditions of the sliding mode are shown, then the stability of the zerodynamics in sliding regime is proven. In order to prove the reaching condition, we need to demonstrate that starting either from σ(k(0), x(0)) < 0 or from σ(k(0), x(0)) > 0, the sliding manifold σ(k, x) = 0 is reached in finite time. Let us consider the case σ(k(0), x(0)) < 0, thus u ≡ 0, first. In this case, the system exponentially tends towards [x * 10 x * 20 x * 30 ] T and, given (22) and (25), k eventually will be increasing. Therefore there must be a time t * such that the system trajectory crosses the sliding surface. Analogously, for σ(k(0), x(0)) > 0, the initial control input is u ≡ 1. In this case the system exponentially tends towards [x * 11 x * 21 x * 31 ] T and k eventually decreases with time (note that, due to (5), x * 11 > 0), hence, also in this case, the system trajectory crosses the sliding surface. The sliding mode existence property is guaranteed by proving with ω > 0. Basically, the proof is based on the computation ofσ Then it is easy to verify that σσ < −ω|σ| holds if and only if it holds Let us verify the first condition, namely φ 1 > 0 by taking into account the worst case scenario. It is easy to verify that φ 1 > 0 holds if γ 1 is chosen such that Note that, in order for γ 1 to be positive it must hold Similarly, γ 1 can be properly selected in order to obtain 2φ 2 − φ 1 > 0 which holds if where K max must be chosen such that in order to guarantee positivity of γ 1 . Thus the systems trajectory reaches the sliding manifold and remains onto it in finite time. Moreover, in order to consider the tightest estimate of the decay rate of σ, ω can be selected as Hereafter, stability of the system trajectories constrained on the manifold must be studied. Once on the manifold, the sliding function is identically zero, therefore σ ≡ 0 andσ = 0. Solvingσ = 0 for u with σ ≡ 0, the equivalent control can be computed Replacing (42) in (2) and (3), the equations of the system sliding on the manifold are obtaineḋ Stability of the equilibrium point of this system can be studied resorting to Lyapunov theory. Preliminarily, the equilibrium point of the system is translated to the origin by using the new state z ∈ R 3 , with z 1 = k −k * , z 2 = x 2 −x * 2 and z 3 = x 3 − x * 3 , the superscript (·) * denoting the steady-state solution. Thus, in the new coordinates one haṡ Let us consider the Lyapunov function whose time derivative, after some computation, iṡ After some algebraic manipulation, the following expression is obtaineḋ In the above derivation the well-known inequality for any ρ ∈ R has been extensively used. Note that c > 0 due to (24), a(γ 1 ) and b(γ 1 ) impose respectively a lower and an upper bound on the choice of the gain γ 1 . Considering hypothesis (31) and denotingẑ = [ Therefore, (54) will be negative definite in a cylinder of radius ||ẑ|| such that Hence local asymptotic stability of the origin and an estimate of the region of attraction have been proved.
Some remarks are now in order. (24) simply says that there are well-defined LV and HV voltage side, in the sense that it is not possible that in some working condition HV becomes smaller then LV. Condition (26) better quantifies this voltage relationship between LV and HV side. Condition (25) is obvious in practical applications, simply the current cannot exceed the values it has in the extreme cases (u = 0 or u = 1). Finally, condition |k| < K max can be easily ensured by using a saturated integral to compute k from (22) The second task of the control is to limit the generator current, and this is enforced by considering a reference valuex 2 that the HV capacitor voltage has to track (see also Remark 4). Also in this case we consider the sliding manifold (18), with sliding function (19). However, now the adaptation strategy changes as followṡ

Remark 1 (Feasibility) Condition
with γ 2 > 0. Note that the reference voltage has to has to be selected so that where the upper bound comes from Corollary 2 in [7]. Also in this case, the control law (23) guarantees that the sliding manifold (18) is reached in finite time, as it will be shown below. Stability of the adaptive law in the case of voltage control is considerably harder to show than in the case of current tracking. Preliminarily, define the following symbols Finally, define the polynomial equation p(γ) = a 11 a 21 γ 2 + (a 11 a 20 + a 10 a 21 − a 3 a 0 ) γ + a 10 a 20 = 0 (66) and let γ + be the smallest real positive solution (if any) of (66). If (66) has only complex or real negative solutions, we let γ + = ∞. Now we are in the position to state the following Theorem.
Theorem 2 (Stability on the manifold, Voltage Control) Consider the system (1)-(3) and the control law (23) where the sliding function is defined as in (19) and the parameter k is chosen adaptively according to (56). Suppose Then γ 2 can be any positive scalar. If otherwise then select γ 2 < min(γ 2 , γ + ). Assume and let |k| < K max with K max as in (27) and ψ 1 , ψ 2 and ψ 3 selected as in Theorem 1. Then, choosing γ 2 > 0 such that the additional condition is satisfied, the closed-loop system converges locally asymptotically to a unique steady-state solution with x * 2 =x 2 , and for any δ > 0 there exists a T > 0 such that Moreover, the system state reaches the positively invariant set S (18) in finite time.
proof 3 As in the proof of Theorem 1, we have to prove that the sliding manifold is reached first, and then the stability of the system on the manifold. The proof of reaching follows the same steps as in Theorem 1, with the due modification of the upper bound on γ 2 , and is omitted for the sake of brevity. Once the sliding has been established, The stability on the manifold has to be proved. The equivalent control is again (42), but (43) changes to (56). Consider the coordinate translation where k * = x * 1 /x 2 . Then the dynamic of the translated system is given bẏ Local stability of the origin of the system (77)-(79) can be assessed locally by linearization. The dynamic matrix can be computed as whose characteristic polynomial is Stability of system (77)-(79) for different values of γ 2 can be analyzed by using root locus analysis. Note that, although x 2 > 0, the sign of k * is not known apriori. However, if (67) holds, it is possible to show, by algebraic calculation, that k * > 0. In this case both the polynomials a(s) and b(s) in (81) have roots in the closed complex left half-plane, and the stability is assured by any γ 2 > 0. On the contrary, if (68) holds, k * is surely negative. In this case the stability holds for γ 2 > 0 only if 2R L k * x 2 + E L is imposed positive. In this case the polynomial b(s) has one positive and one negative root, hence there will be an upper bound to the stabilizing values of γ 2 . The upper bound can be sought by using Routh-Hurwitz criterion. After some algebraic computation, the following stability conditions must be satisfied.
Remark 2 (Adaptation gain) From the proof of Theorem 2 it can be shown that if the load satisfies (68), then a negative γ 2 could be sought to stabilize the closed-loop system. However, in practical applications often the load is unknown, and since negative γ 2 are destabilizing for the case (67), the solution is to use the smallest positive γ 2 stabilising any load.

Remark 3 (Reaching time)
It is easy to estimate the reaching time [30,Chap. 7] for the case of battery current regulation t reach ≤ σ(0)/ω (85) with ω given in (41). With the same approach, a similar estimate holds also for the control strategy presented in Theorem 2. Details are omitted.

Remark 4 (Robust implementation)
The choice of the adaptation law (56) is based on the algebraic relationship x 2 = E H − R H I g so that, the generator current can be limited to a prescribed overload current I OL by considering a reference voltagex However, the estimate ofx 2 is prone to errors due to possible uncertainties in R H and E H . Hence, assuming the generator current measurement available, a better and more robust adaptive law is simplẏ where γ ′ 2 = R H γ 2 is a positive gain. Remark 5 (ROA estimate) From the above derivation, it is clear that obtaining an analytic estimate of the Region of Attraction (ROA) is considerably harder in the case of voltage control, Theorem 2 than in the case of Theorem 1. However, a numeric estimate of the ROA is possible by using a techniques proposed in [10] and starting from a Lyapunov function computed for the linearised case. In particular, since we are interested in reaching the steadystate within 5s, for a given load R D and reference voltagex 2 , considering the model (77)-(79) compute the dynamic matrix A (80) such that the related Lyapunov function V = x T P x has decay rate less than 0.75 (so that after about 3s the transient can be considered vanished). This can be accomplished by solving the Lyapunov equation for a positive solution P , being I 3 the 3 × 3 identity matrix. Then define the Lyapunov function V (z) = z T P z, with z = (z 1 , z 2 , z 3 ) T . Note that, being V (z) quadratic, its derivative along the trajectory of (77)-(79),V = ∆Vż is a fractional function, since the gradient ∆V is linear in z and the entries ofż are ratios of polynomial in z. Thus, it is easy to show thatV is the ratio of a rather complex polynomial numerator, call it N (z) and the positive polynomial L(z 1 + k * ) 2 + C H . Thus, the problem of computing an estimate of the ROA can be reduced to solving a sequence of SDP [10, Chapter 2.2]. Note that in general the positive solution of (88) is not guaranteed to exist. Another possibility is to start from the Lyapunov function maximising the decay rate of the closed-loop system [3], obtained by solving the GEVP max λ subject to P > 0, A T P + P A + 2λP ≤ 0 (89) and then again using the procedure in [10] for the estimate of the ROA. The effectiveness of this approach will be illustrated in Section 4.

High-Level Control
In view of what has been expressed above, it is clear that the entire BBCU has at least two main operational modalities: charging the battery, when the generator can accomplish the objective of feeding the grid loads keeping its current below a prescribed threshold, and regulating the generator current to a prescribed level in order to let the battery help the generator when an overload occurs. This can be accomplished with a simple automaton using just two modes. Specifically • Mode 1: the generator on the high voltage side recharges the battery with a constant currentx 1 choosing the adaptive parameter k(t) as in (22).
• Mode 2: if an overload occurs the supervisor must commute to Mode 2 to regulate the high voltage capacitor voltage (equivalently, the generator current) to a prescribed voltage set-pointx 2 (equivalently, I OL ), possibly asking the battery to provide energy to loads. In this case, the the adaptive parameter k(t) is chosen as in as in (87).
It must be noted that, in order to avoid fast switching between modalities, an hysteresis with band [I OL − η, I OL + η] is used rather than a strict threshold.
Moreover, for ensuring a safe commutation between the two Modes, an estimate of the region of attraction is computed in both operational modes. The overall strategy works as follows. Initially the system is in Mode 1 (assumed in the region of attraction of the controller). Next, if an overload occurs, Mode 2 is activated. However, before entering Mode 2 we must be sure that, after the finite time needed to reach the new sliding manifold, the system state belongs to the region of attraction of the new active controller configuration, i.e., Mode 2. This is done comparing the current state and the estimate of the region of attraction for the new controller configuration. If the state is in the interior of the region of attraction, then the transition to Mode 2 is enabled, otherwise, a reduced performance mode is activated, with I OL increased so that the current state is within the reduced-performance ROA. This point will be clarified in Section 4.2. Next, the generator current is reduced, by slowly reducing the I OL until the original performance are achieved. A similar idea can be found in [6].

Numerical estimate of the ROA and simulation results
The proposed adaptive sliding control and associated supervisory strategy for MEA have been tested in a detailed MATLAB/Simulink/SimPowerSystem simulator, shown in Figure 2, and composed of five blocks: • LOAD: contains a bank of parallel resistors (yellow block).
• SUPERVISOR: implements the High-Level Control designed according to Section 3.3 (green block).
• ADAPTIVE LEVEL: estimates the parameter k according to (22) (orange block).
• LOW LEVEL CONTROL: implements the Low-Level Control logic according to Section 3.2 (light blue block).
• SWITCHING LOGIC: realizes the switching logic for Q 1 and Q 2 switches (red block).
The supervisor is a simple two-modes automaton, as shown in Figure 3, and it is been implemented using the MATLAB StateFlow toolbox.
The system and controller parameters are shown in Tables 1a-1b. The reaching time is estimated according to (85) for the inductor current control, and is 0.14s. A similar computation for the generator current control gives an estimate of the reaching time for the second sliding surface of 0.02s, that will be neglected in the following discussion, due to its small value. Two scenarios have been simulated, as presented in the following sections.

Scenario 1: small load variations
A preliminary set of simulations has been carried out by considering a stepwise constant load R D varying from 300Ω to 15Ω. Since, as shown by (20), (21), for low values of R D the parameter k varies widely, then nonuniform variation of R D has been considered. Specifically, in the interval [20,300]Ω a large step of 70Ω has been selected, in [17,20]Ω interval the step has been reduced to 1Ω. Finally, the interval [15,17]Ω has been swept with step interval 0.5Ω. The varying load is shown in Figure 4, with a zoom around the zone with smaller variation of R D .
The purpose of this first set of simulations is to gain insight in the variation of the gains k associated to the loads and an estimate of the ROA's for the controlled plant with a reasonable set of loads. In this first set of simulations the overload current is fixed to IOL = 16A. The simulations starts with R D = 300Ω. The generator current is below the prescribed threshold (I OL ), therefore no overload occurs. The supervisor is initially in Mode 1, hence the objective is to recharge the battery with constant current (x 1 ) through the inductor, as shown in Figure 5 (first 21s).
Every 3s the load resistor is decreased, and the supervisor for the first 18s remains in Mode 1, with generator current increasing ( Figure 6), but without reaching the threshold of maximum current. At time t = 18s, the load becomes R D = 18Ω and the current request to the generator becomes I g = 16.4A. Note that, although the requested current exceeds I OL , the value I OL + η is not exceeded, hence the supervisor remains in Mode 1. After 3 more seconds, at t = 21s, the load R D = 17Ω makes the generator current exceed I OL + η, hence the supervisor switches to Mode 2, changing the control objective to drive the generator current to the current threshold I OL .
In order to guarantee the stability, some considerations on the ROA's are in order. When in Mode 1, the ROA is the cylinder with radius (55). Using the numerical values above and Theorem 1, we have a rough estimate of the   ROA is ||ẑ|| < 4.3, that is a large region in our case. Thus, in this case study, we can safely assume that any load variation in Mode 1 happens when the controlled state is within the ROA. The situation is different when in Mode 2, where, moreover, larger variations of the variables happen. In Figure 7 the ROA's are shown for different loads. Although the ROA is a 3D region, only its projection on the (x 3 , k) plane will be presented, for the sake of clearness. Two estimates of the ROA are computed for each load: one resulting from (88) (thick region) and one from (89) (thin region). The union of the two regions is in the ROA. Note that at t = 21s, when the supervisor decides the commutation from Mode 1 to Mode 2, the large blue ROA, that is the ROA of the new control action, includes the current state, hence the supervisor can safely switch to the strategy in Theorem 2. The remaining load variation cause related changes in the steady-state of the closed-loop system. Figure 7 shows that if the change of load is small and slow enough, stability is preserved. Indeed, for the values of R D shown in Figure 7, note that the centre of the ROA associated to a given load belongs to the interior of the ROA associated to the next load (assuming the sequence of loads defined by the load profile in Figure 4): e.g., the centre of the blue region is within the elongated azure region pertaining to R D = 16.5Ω, and the centre of the azure region is within the elongated region of the cyan region related to R D = 16Ω. This shows that a smooth and "slow" transition from R D = 17Ω to R D = 16Ω preserves stability. Note that "slowness" is related to the optimal decay rate computed by means of (89), hence it can be precisely estimated. In Figure 7 also the actual trajectory of the system (in red) is shown. Note that, since the ROA's are positively invariant sets, no trajectory exits its ROA.

Large loads variations
Different is the case where there is an abrupt change of load. For instance, in Figure 8 it is clear that, since the centre of the blue region does not intersect the yellow region, there is no guarantee that the transition from R D = 17Ω to R D = 15Ω will preserve stability. A possible solution to this issue is adopt a "transient reduced performance" approach, i.e., to temporarily relax the constraints. If we increase the overload current, we have that, with the same R D , the steady-state of k increases (since less current is needed from the battery) and this observation ban be applied to move the leftmost region in Figure 8 to the right.
To gain insight in the above consideration, we fix the load to R D = 15Ω and compute the estimate of the ROA by considering different overload current assuming values in the interval [16, 17.5]A and varying with steps of 0.5A. The result is depicted in Figure 9, that suggests us how to guarantee stability when the load changes abruptly. Simply, when the load goes to R D = 15Ω, imposing I OL = 17.5A makes the ROA to include the centre of the ROA with R D = 17Ω, I OL = 16A, thus preserving stability. Next, by changing the reference smoothly to I OL = 16A the original performance are restored with assured stability.
A final consideration is in order. The selection of a reduced performance overload current depends on the knowledge of an estimate of the load. In practical applications sometimes even a rough estimate of the load is not available. In this case a viable strategy is to assume the worst-case scenario, i.e., large variations of the load, and use the "transient reduced performance" approach.

Scenario 2
The second set of simulations has been carried out referring to the large and unknown load variations in Figure 10 and Table 2.
In this case the reference generator current I OL is step-wise varied in time in order to guarantee stability, so that the initial condition belongs to the ROA. The reference is varied after it has approximately reached its steady-state. The time required for this is estimated based on the worst case of decay time estimated when solving the GEVP (89). Using the above numerical values, one can assess that in the worst case, at least 0.79s are required to reach the steady state with 90% accuracy.
At the beginning of the simulation, the supervisor is in Mode 1 with load R D = R D1 = 300Ω so the low-level goal is to control the inductor current x 1 tox 1 = 10A as shown in Figure 11. Five seconds later a new load is added, and R D becomes R D2 . In this step the generator current increases (Figure 12), but it is again below the threshold   of maximum current hence the supervisor remains in Mode 1. As stated in Section 4.1, load variations always leave the state of the controlled system in the ROA of the current objective, thus stability in Mode 1 is ensured. At time t = 10s an additional load is inserted, producing a power request exceeding overload. The supervisor reacts by switching to Mode 2, i.e., changing the control objective to drive the generator current. However, in this case the amplitude of the load variation is unknown, hence, the generator reference is increased to 17.5A in order to guarantee the system stability, as discussed in Section 4.2. Every 0.79s I OL is decreased by 0.5A, until it reaches 16A. The result is that the current to the battery is reduced, thus compensating for the increased power demand. At time instant t = 15s the power request is further increased by reducing the load resistor to R D = 15Ω. Again, a reduced performance phase starts with I OL = 17.5A until the nominal condition I OL = 16A is restored within 5s. Note that at the end of this phase the inductor current has reversed, so that actually the battery is helping the generator. In Figure 9 the controlled state trajectory is represented in red. It is always within the ROA's. Figure 11 shows the time evolution of the inductor current, and one can note that the proposed controller tracks accurately the current references. Moreover, in Figure 12 the generated current is reported. Note that the 5s-capability to suppress the overload is fulfilled.

Conclusions
In this paper the design of a controller for the DC/DC bidirectional converter has been discussed. The future aircraft will depend more and more on electric devices, that must be autonomously operated. Essentially, two electrical busses are present in any aircraft, with different voltages. A DC/DC converter then is essential as a bridge between the two busses. The converter has to be controlled, and the control actions can be selected to fulfil different objectives, e.g., to recharge the battery or to use the battery to help the generator in supplying extra-power when requested to do so. A sensible approach is to consider two control layers, one implementing tracking and/or regulation of some variables with assured stability characteristics, the other coordinating the actions of the low-level controllers. However, it has been shown that such an approach may undergo instability, hence an integrated design has to be performed, characterising the Regions of Attractions of the low-level controllers and ensuring that switching among different control modes can happen only when the state of the controlled system is within the ROA of the next control strategy. Thus, safe switching is ensured. Sometimes, in order to guarantee such a requirement, it can be necessary to consider a transient situation of reduced performances. All the above characteristics are discussed in details in the paper and two different scenarios are considered in a detailed simulation environment considering also switching power electronic devices, showing the effectiveness of the proposed approach.