Online Guaranteed Reachable Set Approximation for Systems with Changed Dynamics and Control Authority

This work presents a method of efficiently computing inner and outer approximations of forward reachable sets for nonlinear control systems with changed dynamics and diminished control authority, given an a priori computed reachable set for the nominal system. The method functions by shrinking or inflating a precomputed reachable set based on prior knowledge of the system's trajectory deviation growth dynamics, depending on whether an inner approximation or outer approximation is desired. These dynamics determine an upper bound on the minimal deviation between two trajectories emanating from the same point that are generated on the nominal system using nominal control inputs, and by the impaired system based on the diminished set of control inputs, respectively. The dynamics depend on the given Hausdorff distance bound between the nominal set of admissible controls and the possibly unknown impaired space of admissible controls, as well as a bound on the rate change between the nominal and off-nominal dynamics. Because of its computational efficiency compared to direct computation of the off-nominal reachable set, this procedure can be applied to on-board fault-tolerant path planning and failure recovery. In addition, the proposed algorithm does not require convexity of the reachable sets unlike our previous work, thereby making it suitable for general use. We raise a number of implementational considerations for our algorithm, and we present three illustrative examples, namely an application to the heading dynamics of a ship, a lower triangular dynamical system, and a system of coupled linear subsystems.


I. INTRODUCTION
R EACHABILITY analysis forms a fundamental part of dynamical system analysis and control theory, providing a means to assess the set of states that a system can reach under admissible control inputs at a certain point in time from a given set of initial states. Inner approximations of reachable sets are often used to attain a guaranteed estimate of the system's capabilities, while outer approximations can be used to verify that the system will not reach an unsafe state.
Inner approximations of reachable sets have received comparatively less attention than outer approximations [7], but have recently seen use in path-planning problems with collision avoidance [8], as well as viability kernel computation [9], which can in turn be used for guaranteed trajectory planning [10]. Another application lies in safe set determination, in which one aims to obtain an inner approximation of the maximal robust control invariant set [11]. Methods for determining inner approximations of reachable sets have been based on various principles, including relying on polynomial inner approximation of the nonlinear system dynamics using interval calculus [12], ellipsoid calculus [13], and viscosity solutions to HJB equations [14]. One major drawback of these methods is that they are computationally intensive and are often only suitable for systems of low dimension, making them ill-suited for online use.
In this work, we consider the problem of obtaining meaningful approximations of the reachable set of an off-nominal system by leveraging available a priori information on the nominal system dynamics. Here, we consider the reachable set of the nominal system, or an inner/outer approximation thereof, to be known prior to the system's operation. While obtaining reachable sets is often a computationally intensive task, it is often done during the design phase of a system, where computation times are less of a concern [15]. We then consider a change in dynamics of the system, for example due to partial system failure, which turns the nominal system into the off-nominal system. Our goals is to obtain inner and outer approximations of the off-nominal reachable sets based on the nominal reachable set, in a way that can be applied in real-time.
In [16], the case in which the system experiences diminished control authority was considered, i.e., its set of admissible control inputs has shrunk with respect to that of the nominal system. In addition, stringent restrictions on the family of system that could be considered were made in [16], in particular due to the requirement that the reachable set for the nominal and off-nominal set be convex. This ultimately limits the applicability of the theory presented there to a limited set of problems.
Here, we do not impose any demands on the convexity of the reachable set, while still presenting an algorithm that can be run in real-time. This latter generalization to nonconvex sets requires a significant shift in the way we reason about the minimum deviation between trajectories of the nominal and off-nominal system. In this work, we also consider a change in the system dynamics, and provide methods for obtaining tighter inner and outer approximations for the off-nominal reachable set with respect to what the theory of [16] provides. This latter improvement follows from the fact that the theory in [16] considers the trajectory deviation as expressed by the norm of the states, whereas here we separately consider the deviation in single dimensions of the state.
To obtain inner and outer approximations of the off-nominal reachable set, we consider that an upper bound on the minimal rate of change of the trajectory deviation between the offnominal system's trajectories with respect to those of the nominal system's is known, with both trajectories emanating from the same point. These growth dynamics provide an upper bound on the minimal rate of change between two trajectories emanating from the same point, with one trajectory being generated by the nominal set of control inputs, and the other by the off-nominal set of control inputs and the off-nominal dynamics. An upper bound on these growth dynamics can be obtained analytically during the design phase, and allows us to obtain an inner approximation to the off-nominal system's reachable set at low computational cost, in an online manner.
While other methods have been proposed to compute reachable sets under system impairment, due to their computational complexity, these have either used reduced order models, or have been limited to offline applications [17]. In more extreme cases of system impairments, such as those were very little is known about the system's present capabilities, more conservative methods for computing reachable sets exist [18]. Here, we present a general algorithm that yields guaranteed inner and outer approximations, given limited knowledge of the failure modes as expressed by a bound on the trajectory deviation growth dynamics. We leverage the fact that the offnominal system dynamics are related to the nominal system's dynamics, allowing us to leverage reachable sets computed for the nominal system, unlike in [18]. Given a sufficiently tight deviation growth bound, our approach can be applied online to high dimensional systems with no additional computational cost for the growth in system dimension.
The paper is organized as follows. First, we present preliminary theory in Section II. Then, we present our main results Section III, followed by a simulation example involving the heading dynamics of ship, as well as two general scalable system examples, in Section IV. Finally, we draw conclusions in Section V. In Appendix I, we present a slightly more relaxed set of assumptions under which the theory presented continues to hold.
We define ℝ + ∶= [0, ∞). We define the distance between two sets , ⊆ ℝ to be where is the Euclidean metric. We denote the Hausdorff distance as where is the Euclidean metric. An alternative characterization of the Hausdorff distance reads [19, pp. 280-281]: where + denotes the -fattening of , i.e., + ∶= Given a point ∈ and a set ⊆ , we denote ( , ) ∶= inf ∈ ( , ). We denote by the boundary of in the topology induced by the Euclidean norm. For a function ∶ → , we denote by −1 the inverse of this function if an inverse exists, and by dom( ) the domain of the function (in this case ). We denote a multifunction by ∶ ⇉ , where maps elements of to subsets of . Given a multifunction , we define a differential inclusion as being the set of ordinary differential equationṡ ∈ ( ) that have velocities in ( ).

A. Problem Statement
Consider a dynamical system of the forṁ ( ) = ( ( ), ( )), where ≥ 0, ∈ ℝ is the state, and ∈ ⊆ ℝ is the control input, where is some admissible set of control inputs. The dynamics have the form ∶ ℝ × → ℝ . We refer to these dynamics as the 'nominal' dynamics.
We consider an impairment in the system dynamics, as well as the system's control authority, such that̄ ( ) ∈̄ ⊆ ⊆ ℝ . The modified dynamics then read:̄ We refer to these modified dynamics as the 'off-nominal' dynamics.
Definition 1 (Forward reachable set). We define a function ∶ ℝ + → as an admissible input signal, if a unique solution to (4) exists given that input signal. The set of admissible control signals is defined as all possible admissible input signals ∶= We define a trajectory ∶ ℝ + ×ℝ × → ℝ to be such that ( ) = ( | 0 , ) satisfies (4) given initial state (0) = 0 ∈ ℝ and input signal ( ) = ( ) ∈ , i.e., From the dynamics of (4), we define a multifunction ( , ) ∶= ( , , ) ∶ ℝ + × ℝ ⇉ ℝ . This multifunction defines an ordinary differential inclusioṅ ( ) ∈ ( , ( )), of which any instance of (4) is a part. We define the solution set of this ordinary differential inclusion as follows: Given a set of initial states 0 ⊆ ℝ , we define the forward reachable set (FRS) at time ∈ ℝ + as We consider the following main problem, comprised of two parts: one relating to obtaining inner approximations of reachable sets, and the other concerned with obtaining outer approximations of reachable sets. In this work, we treat both the case of impaired control authority, as well as changed dynamics, simultaneously.
As mentioned in the introduction, inner approximations of the off-nominal reachable set are useful for safety critical control, when guaranteed reachability is demanded. However, when dealing with collision avoidance, outer approximations of the off-nominal reachable set of a moving target are needed. This justifies the need for two separate approximation objectives.

B. Generalized Nonlinear Trajectory Deviation Growth Bound
As mentioned in the introduction, we wish to find an upper bound on the minimum normed distance between two trajectories emanating from the same, once governed by (4), and the other by (8). We call this upper bound the trajectory deviation growth bound. To this end, we first consider a means of obtaining and upper bound to the norm of the solution of a given ordinary differential equation (ODE). This particular ODE will be described by the rate of change of the deviation between two trajectories, which we refer to as the trajectory deviation growth dynamics, as will be described shortly.
We consider the following general nonlinear time-varying dynamicṡ Our goal is to find an upper bound for the magnitude of ( ), given particular assumptions on the form of control input and the function ℎ, over a finite period of time. We make the following assumption on the growth rate of : where , are continuous and positive and is continuous, monotonic, nondecreasing and positive. In addition, is uniformly monotonically nondecreasing in ‖ ‖.
and ⊆ ℝ is compact and satisfies max ∈ ‖ ‖ = . Let Assumption 1 hold. Then, where the expression on the right-hand side is strictly increasing in . In (7), we define for arbitrary 0 > 0 and for all ≥ 0 for which it holds that Proof. Given the premise, this claim follows directly from Theorem 1.
Proof. Similarly to Corollary 1, given the premise, this claim follows directly from Theorem 1. □ □ 1) Generalization to off-nominal dynamics: We now consider the following nonlinear time-varying off-nominal dynamics: which gives rise to the following assumption that relates these unknown dynamics to the known nominal system dynamics: where is a positive, continuous function on [ 0 , ∞).
This assumption gives rise to the following lemma

Lemma 1. Let Assumption 2 hold true. Consider functions
,̄ ,̄ , in the sense of Assumption 1, which apply to the following dynamicṡ̃ We consider nominal control signal ∈ , and an offnominal control signal of the form ( +̄ ) ∈ are such that In addition, consider the following off-nominal trajectory deviation dynamics:̂ Control signals and̂ are defined similarly to those of the nominal dynamics. We have a nominal control signal ∈ , and an off-nominal control signal of the form ( +̂ ) ∈ such that sup̂ ( ), Proof. This result follows straightforwardly by application of the the triangle inequality on the trajectory deviation growth dynamics and Corollary 1. □ □

III. MAIN RESULTS
We now present the main results of this paper. We give a method for inner and outer approximation of the forward reachable sets for off-nominal systems that are subject to both diminishment of control authority and changed dynamics.
Unlike in [16], a new hyperrectangular version of the Bihari inequality is required to obtain inner and outer approximations to more generalized reachable sets. As will be specified later, the only requirements imposed on these reachable sets will be that they are nonempty, compact, and connected. To construct a hyperrectangular Bihari inequality, we present a modified nonlinear bound on the deviation dynamics:  Proof. The proof follows by repeated application of Corollary 1 on each dimension.

□ □
In what follows, we will equivalently express the bound (9) as Whereas Corollary 1 gives a bound on the trajectory deviation as a ball, Lemma 2 provides a hyperrectangular trajectory deviation bound. This distinction is key in the theorem that will follow next.
We first introduce two new definitions relating to the hyperrectangular trajectory deviation growth bound.
From Definition 4 it trivially follows that for two compact sets , ⊆ ℝ , we have ⊞ ⊇ and ⊞ ⊇ if and only if ⪰ R ( , ). This is analogous to the fattening-based characterization of the Hausdorff distance in (3).
Before we can proceed, we must impose a number of mild conditions on the differential inclusion defined by dynamics (4) and (5), as well as the initial set of states 0 . In particular, we wish to show that the reachable set → ( , 0 ) is connected. This property is key in proving the main result of this work.
We first present a prerequisite lemma on the connectedness of the solution set of a differential inclusion. To this end, we require the definition of the following metric space, as well as two propositions that provide sufficient conditions for to produce solution sets with connected and compact values. In and let ( , ) be continuous and Lipschitz in and . Then for any 0 ∈ ℝ , the set of solutions Remark 3. Since the conditions of Lemma 3 on will be required throughout this work, we will look at the applicability of these conditions to commonly encountered classes of dynamical systems. We list two here: that form the following differential equation: From this system, we can introduce a differential inclusion defined by a multifunction where ⊆ ℝ is nonempty, compact, and pathconnected. If and ℎ are continuous and Lipschitz in their arguments, then will satisfy conditions of Lemma 3. 2) General nonlinear systems: For a dynamical system of the form of (4), a sufficient condition for ( , ) ∶= ( , , ) to satisfy the condition of Lemma 3, is for to be nonempty, compact, and path-connected, and ( , ) to be continuous and Lipschitz in and .
Relaxations to the conditions of Lemma 3 are presented in Appendix I.
□ □ In Proposition 1, we have shown that the sets ( 0 ) for ∈ [0, ∞) are path-connected. In our main theorem, we will also require that these sets are compact and nonempty. The following proposition guarantees this.
Proof. The fact that ( 0 ) is a nonempty compact subset of follows from [22,Thm. 5.1,p. 228]. It is clear that the values of ( 0 ) will be nonempty, since can be shown to be continuous, then is a preserving map in the sense of [23, p. 21], i.e., the image ( ( 0 )) = ( 0 ) ⊆ ℝ preserves the compactness and path-connectedness properties of ( 0 ). We proceed to show that is indeed a continuous linear functional. We require linearity to show that is uniformly continuous on all of . To show that is linear, consider two functionals , ∈ , and a scalar ∈ ℝ. We clearly find  is continuous at any one ∈ . Continuity of the functional is shown next by using the -criterion [24, p. 52].
Having shown that is a continuous (linear) operator (and therefore a preserving map), we have proven that ( ( 0 )) is a path-connected continuum for all ∈ [0, ∞) and 0 ∈ ℝ . □ □ Given the result of Proposition 2, we can now show that given the above conditions and a condition on the initial set of states, the reachable set ( , 0 ) is also path-connected. Proof. We draw upon [26,Cor. 4.5,p. 233], which says that the choice of in Lemma 3 is sufficient for the solution set ∶ ℝ ⇉ to be continuous on ℝ . In other words, the solution set has a continuous dependence on the initial value.
We characterize the reachable set as follows: It is clear that for any two values , ∈ ( ), there exist 0 , ′ 0 ∈ 0 such that ∈ ( 0 ) and ∈ ( ′ 0 ). Since 0 is path-connected and is continuous, there exists a continuous path 0 ∶ [0, 1] → 0 connecting 0 and ′ 0 . Therefore, the solution sets for ( 0 ) and 1] ( ) is path-connected, this implies that its values are also path-connected, analogous to the latter part of the proof of Proposition 1. Hence, ( ) is pathconnected for all ∈ [0, ∞).

□ □
We can now provide a means of inner and outer approximating the off-nominal reachable set based on a hyperrectangular trajectory deviation growth bound.
Proof. (i) This fact follows directly from Lemma 2. (ii) From (i), the maximal distance between two points in → ( , 0 ) and → ( , 0 ) is upper-bounded by ( , ). In Theorem 1 it was shown that ( , ) is increasing in , meaning that the hyperrectangular distance bound holds for all times ≤ 0 + . (iii) We define = → ( , 0 ) and = → ( , 0 ) for any ∈ [ 0 , 0 + ]. Note that in this proof, unlike in [16], and need not be convex, making the proof more technically challenging. We wish to show that ∶= ⧵ ( ) ⊞ * is a subset of .
We now consider case b). Let us denote by the projection of all points of a set ⊆ ℝ onto the -th Cartesian axis, such that ⊆ ℝ. Since and are both compact, connected, and nonempty, we find that and are closed intervals in ℝ for each = 1, … , . This fact follows trivially by considering that the projection operation is continuous, and continuous maps are preserving maps in the sense of [23, p. 21], i.e., their images preserve connectedness and compactness. From [27,Thm. 12.8,p. 116], any connected subspace of ℝ is an interval, which shows that the , are compact (or closed) intervals.
We can then note that for any * , there exists some * ∈ such that | * − * | ≤ * by Lemma 2. Finally, let ∈ be the other point in the boundary of the interval such that ≠ * . We can identify twelve arrangements of ( , * , , * ), barring cases of symmetry. Some of these arrangements are inadmissible, as shown below. In what follows, we must have * ≠ , since would otherwise be on the boundary of , which was treated as case a). Also, necessarily, ≠ * , since we have ∉ . We prove that for each admissible arrangement, the claim of (11) does not hold; an illustration of some of these arrangements in given in Fig. 2. For some , , , ∈ ℝ, we will denote the ordering < < < by the shorthand notation , , , . We have: a) * , , * , : Not admissible since ∉ ⧵ . b) * , , , * ; Not admissible since ∉ ⧵ , and inconsistent with the definition of * . c) * , * , , : In this case, by Lemma 2 we have ( * , * ) ≤ * . Since we have ( , * ) < ( * , * ), we find that Having considered all cases, in all admissible scenarios it follows that the statement in (11) is false. This in turn contradicts the claim that there exists ∈ ⧵ such that ∉ ( ) ⊞ * . Therefore, we have proven that ⊆ .

□ □
We now present two corollaries that cover the case of a changed set of initial conditions, as well as guaranteed overapproximations of the reachable set.

IV. SIMULATION RESULTS
We consider three numerical examples: a simplified representation of the heading dynamics of a sea-faring vessel, and lower triangular dynamical system, and an interconnected system of linear subsystems. The restriction to lower dimension systems stems from computational limitations in obtaining the nominal reachable sets with sufficient accuracy, as well as a desire to keep derivations concise. We will show how Theorem 2 and Corollary 4 can be applied to these systems.
For both examples, we have used the CORA MATLAB toolkit [28] to compute the nominal and off-nominal reachable sets for illustrative purposes; in reality, such tools are not required to apply the theory presented here. In practice, the nominal reachable set would be computed prior to the system's operation using a similar toolkit. The methods used in such toolkits can often not be used online because of hardware limitations and poor scalability, hence the need for an approach such as ours.
In practice, it is difficult to obtain a hyperrectangular slimming of the form ⧵ ( ) ⊞ using widely used software packages. For this reason, we propose an alternative using a conservative ball-based slimming operation. It is obvious that the following holds: where ‖ ‖ denotes the Euclidean norm of the vector . This follows from the fact that the ball  +‖ ‖ includes the In the following, we will show approximations based on naive ball-based slimming using single elements , which give an indication of the shape of a true hyperrectangular slimming in that particular dimension. We also give a guaranteed inner approximation by applying a ball-based slimming operation with radius ‖ ‖. Compared to [16], this approximation approach yields tighter approximations, since the bounds obtained there are greater or equal to ‖ ‖, as a bound on the Euclidean norm of the trajectory deviation is used there.

A. Norrbin's Ship Steering Dynamics
We first consider Norrbin's model of the heading dynamics of a ship sailing at constant velocity [29]: where 1 is the heading (or yaw) angle, and 2 is the heading rate; in this example, denotes the rudder angle, denotes the fixed cruise speed, and denotes the vessel length. As can be observed in the dynamics, a vessel's ability to make turns is strongly correlated with its velocity (higher speeds provide greater resistance, but induce stronger rudder authority), as well as the length of the vessel. Intuitively, a longer vessel is harder to turn due to its inertia and hydrodynamic resistance of the hull. The dynamics are of second order, as a rudder deflection naturally induces a yaw moment. We can find the following bound on trajectory deviation growth: where 2 = max ∈ → ( , 0 ) | 2 |. 2 can be determined since the nominal reachable set → ( , 0 ) is available to us. We note that (13) contains an integrator in statẽ 1 , which allows us to obtain a hyperrectangular trajectory deviation bound as follows. We first compute the deviation bound on statẽ 2 , such that |̃ 2 ( )| ≤ 2 ( ). We then compute an upper bound oñ 1 , which is of the form 1 ( ) = ∫ 0 2 ( ) d , which gives |̃ 1 ( )| ≤ 1 ( ). Alternatively, a more conservative expression for 1 can be obtained by defining it as 1 ( ) ∶= ( ) , which follows from the fact that is strictly increasing (see the proof of Theorem 1). We first consider the case of diminished control authority, i.e., the case in which the system dynamics remain the same, but the control inputs are draw from̄ instead of .
We evaluate the reachable set at = 0.5 s, = 1 s, and = 3 s, yielding the results shown in Fig. 3. We have given a guaranteed inner approximation based on the conservative ball-based slimming approach, as well as guaranteed intervals in each Cartesian axis using the entries of ( ). These guaranteed intervals are shown as cross-hatched areas, and give an indication of what a hyperrectangular slimming would have produced, in addition to providing a guarantee that there exists at least one state in the off-nominal reachable set that has one of its coordinates on one of the intervals. Unlike the results in [16], the quality of the inner approximations degrades little with time (see Fig. 3c). This feature can be attributed to the fact that we are using a hyperrectangular growth bound in this work, as opposed to a more conservative norm-based bound.
An application to computing a guaranteed reachable set of the positions of the ship after control authority diminishment based on Norrbin's model has been prepared as a video 1 .
2) Changed Dynamics: In addition to the diminished control authority, we now also consider the following changed dynamics: , where we consider < and > , to capture a slowdown and speedup of the vessel, respectively. a) Slowdown: We first consider s = 0.95 = 4.75 m/s. This slowdown causes the reachable set to shrink and shift slightly towards higher heading angles, since there is insufficient velocity to reach lower angles. The bound given in Lemma 1 is used, where we define ( ) as follows: where 2 = min ∈ → ( , 0 ) 2 . Combining this bound with the trajectory deviation growth bound given at the beginning of this section, we obtain the conservative inner approximation shown in Fig. 4. As can be clearly seen, not only is the offnominal reachable set smaller, but it has also drifted to the top-left. This change is intuitively correct, since at a slower velocity rudder inputs become more effective as the vessel can make tighter turns at slower speeds. This phenomenon is reflected in the upward shift in heading rate and heading angle.    We now demonstrate outer approximations in the case of changed dynamics. We still consider a diminishment in control authority, but in this case, s = 1.4 = 7 m/s, indicating a speedup. In practice, one would like to know what the worst case trajectory could be in such a case, for example when attempting to avoid a high speed vessel. Instead of shrinking the nominal set, we now fatten it as shown in Corollary 4. Our ( ) in this setting is as follows: With a similar trajectory deviation growth bound as in the case of a slowdown, we obtain an outer approximation as shown in Fig. 5, this time with an exact hyperrectangular fattening. In this case, it is also possible to apply a conservative ball-based fattening using the same radius as given previously.
In Fig. 5, it is clear that the off-nominal reachable set has shifted towards lower heading angles as rates, since the vessel will have less effective rudder authority at higher cruise speeds due to the its inertia. As a result, the outer approximation includes a large area of unused space towards the top right, since it needs to make up for both the translation and growth of the off-nominal reachable set with respect to the nominal reachable set.

B. Cascaded System
To demonstrate that the approach given in Theorem 2 is scalable for high-dimensional systems, we present the fol-lowing academic example. We consider a lower triangular system; such systems often arise in practice when dealing with interconnected dynamical systems [30]. Namely, we consider the system: where ∈ ℝ and ∈ ⊆ ℝ , ∈ ℝ × is a lower triangular matrix, ∈ ℝ × is arbitrary, and ∶ [ 0 , ∞) → ℝ is a differentiable function. The contribution of ( ) is that of a nonlinear drift, possibly due to phenomena such as actuator bias or periodic disturbances.
We consider both the case of diminished control authority and changed dynamics below.
where each ( ) is computed as per Lemma 2. We will now show how to obtain the hyperrectangular trajectory deviation bound. Given the lower triangular structure of matrix , by (15) we first compute 1 ( ) from the following growth bound: By an application of Lemma 1, we can obtain 1 ( ). Repeated application of (15) and Lemma 1 will then yield the hyperrectangular deviation bound ( ).  (16) which is obtained by the same arguments as in Lemma 1.
As an illustration of the bound given in (15), we consider the following parameters:  It can clearly be observed that the volume fractions of the inner approximations remain reasonably tight with increasing system dimension when considering the tightness of the hyperrectangular distance bound. These results serve to demonstrate that our method is capable of producing reasonably tight approximations even for systems with increased dimension by exploiting partially decoupled system structure. In comparison, ball-based slimming used in [16] yields worse results, as can be seen by comparing the fourth and fifth column of Table I. For instance, a hyperrectangular shrinking operations defined by = [ 0. 1 10 ] yields a sufficient ball-based shrinking operation with radius ‖ ‖ ≈ 10, which would likely shrink away most of the first Cartesian dimension in practice. A similar phenomenon can be observed when considering dimensions 1 and 3 in Table I; using hyperrectangular bounds prevents excessive slimming of the reachable set.
3) Computational Complexity: To show that the theory presented in this work is scalable on systems such as (14), we consider the computational complexity of a basic algorithmic implementation to compute for each , as well as verifying if a state is guaranteed to lie in the off-nominal reachable set. Both of these tasks are subject to hard real-time constraints in practice, making it essential to study how their computational complexity grows. a) Computing the Trajectory Deviation Bound: We note that we must perform numerical integration to compute , ∫ ( ) d , and ∫ ( ) d in the Bihari inequality (7). To compute the inverse −1 , one may use a root-finding scheme or an approximate look-up table (LUT) based approach. We consider here a LUT approach.
When using a method an explicit non-adaptive numerical integration scheme such as Euler's method or Runge-Kutta, it suffices to consider an a priori set integration step ℎ > 0. Let us consider the reachable set in an interval ∈ [0, ], and take ℎ = ∕ with ∈ ℕ. By the results from [31], the computational complexity of a Runge-Kutta scheme is ( ). Since we will need to perform three rounds of numerical integration per dimension (for , and in and ), which together take ( ). We store all value of and their argument in a lookup table of size . Since values can be retrieved from an array in constant time, the complexity of numerical integration to populate the LUT combined with lookup is (1) + ( ) = ( ). We then note that this process must be repeated for all dimensions, which gives computational complexity ( ). Therefore, the value of ( ), which is instrumental in producing guaranteed inner-and outer-approximations, can be computed in linear time with respect to the system dimension . b) Verifying Reachability of a State: We now consider the complexity of verifying whether a state lies in the computed inner approximation of the reachable set. Let us assume that we have access to a signed distance function, ∶ ℝ → ℝ, of the nominal reachable set at time (see, e.g., [32, p. 811] for more information on signed distance functions). We assume that we can evaluate using primitive operations. Then, to evaluate whether or not a point ∈ ℝ lies in the inner approximation of the off-nominal reachable set, it suffices to check the following: 1) Check if ( ) ≤ 0; we must first check if lies in the nominal reachable set. If this is false, is not guaranteed to lie in the off-nominal reachable set. 2) Check if ( ) ≤ − min ( ); we must verify that lies at least distance min ( ) away from the boundary of the nominal reachable set. If this is false, is not guaranteed to lie in the off-nominal reachable set. a) Check if ( ) ≤ −‖ ( )‖. This verification is based on the ball-based slimming operation of (12). If this is true, is guaranteed to lie in the off-nominal reachable set. If false, continue to the next step. b) Perform gradient ascent on starting at , such that we reach ′ that satisfies ( ′ ) = 0. This ′ is the point on the boundary of the nominal reachable set that is closest to . Verify whether ( ) ⪯ | − ′ |. If this inequality is true, is guaranteed to lie in the off-nominal reachable set. In the above algorithm, it will take at least one evaluation of to verify whether is guaranteed to be in the offnominal reachable set. Doing so requires operations, and corresponds to step 1). An evaluation of ( ) will cost ( ) operations as discussed previously, which yields a complexity of ( ). Evaluating the norm of ( ) can be done in linear time as part of step 2a), but performing gradient ascent in step 2b) may require a significant number of evaluations of . It is possible to truncate the gradient ascent algorithm based on a maximum number of evaluations of , say eval . Given some ′′ ∈ ℝ obtained after eval − 1 evaluations of , it is clear that ′ ∈ { ′′ } +| ( ′′ )| . We can check if for each = 1, … , , it holds that | − ′′ | + | ( ′′ )| ≤ ( ). If this inequality is true, then is guaranteed to lie in the off-nominal reachable set, and if not, then cannot be verified with certainty. Therefore, it is possible to verify guaranteed reachability with complexity ( ).

C. Interconnected System
To demonstrate the results shown in Subsection IV-B on a different system structure, we consider a cascaded system of linear equations [33]. Let there be ∈ ℕ interconnected systems, such that the -th subsystem may only depend on its own states and inputs, as well as the states of the previous subsystem ( − 1). The overall system thus takes the form: where In the above definition, we have ( ) ∈ ℝ × −1 for all = 2, … , . For the first system, we can compute the hyperrectangular deviation bound as in [16], simply by considering the ball-based growth bound for that system. Doing so yields From this inequality, we can compute the trajectory deviation bound ( ) as per Corollary 1. For subsequent systems, we find for > 1. In case any of the constituent systems possess a decoupled structure, simplifications of the form of (15) can be made in (18) or (19). 1) Numerical Example: We consider the following system: where the set of admissible control inputs is = [−2, 2] 2 , the set of initial states is 0 = {0}. We take the impaired set of admissible control inputs to bē = [−1.9, 1.9] 2 , such that = H ( ,̄ ) = 0.1. Using the approach of Theorem 2, we obtain the results as shown in Table II.
As can be observed in Table II, the inner-approximations based on the hyperrectangular slimming outperform those based on ball-based slimming operations. In particular, in states 3 and 4, the ball-based slimming operations eliminate the entire reachable set, which is not the case with hyperrectangular slimming operations. The computations applied to the system in this example are scalable while preserving relatively tight bounds, provided that the system structure permits decoupling of subsystems as shown here.

V. CONCLUSION
In this work, we have introduced a new technique for efficiently computing both inner and outer approximations to a reachable set in case of changed dynamics and diminished control authority, given basic knowledge of the trajectory deviation growth as well as a precomputed nominal reachable set. This work expands on previous work by extending the theory to changes in dynamics, and lifting the assumption of convexity of the reachable sets. To obtain an inner approximation of the reachable set under diminished control authority, we have given an integral inequality that provides an upper bound on the minimal trajectory deviation between the nominal and off-nominal systems. We have extended the classical norm bound on the trajectory deviation to a hyperrectangular bound, allowing us to compute both inner and outer approximations of the off-nominal reachable set based on the nominal set, regardless of the convexity of the reachable set. Similarly to our previous results, these results can be applied online on systems at a low computational cost.
We have demonstrated our approach by three examples: a model of the heading dynamics of a vessel, a lower triangular system, and an interconnected linear system. In general, the use of a hyperrectangular growth bound is superior to a norm bound for systems that have one or more integrators. The numerical examples indicate that the use of hyperrectangular slimming operations would produce tighter inner approximations, coupled with periodic reinitialization of the reachable set. As was mentioned in previous work, the tightness of both the inner and outer approximation are strongly related to the quality of the trajectory deviation bound, as well as any additional drift that appears as part of a change in dynamics. We have shown that the ability to compute these approximations online can have practical application to control of dynamical systems in off-nominal conditions. This was shown in the second example, where the computational complexity was shown to be linear in the system dimension for a lower triangular system. Finally, in the third example, it was shown how system structure can be leveraged when dealing with interconnected systems in the context of formulating an efficient hyperrectangular growth bound that consists of several coupled ball-based growth bounds. The latter approach was shown to be applicable to larger systems, provided that it is possible to decouple some subsystems from each other.
In future work, we aim to study the utility of a bounding method based on non-axis-aligned hyperrectangles, as could be described by zonotopes, insofar as obtaining tighter growth bounds and approximations is concerned. A potential avenue for this work would lie in considering principle components of the system using singular value decomposition [34], or by considering the system structure itself (e.g., when the set of velocities of a system lies in a subspace). In the same direction, (normalizing) state-space transformations may also prove to be useful in obtaining tighter approximations by easing magnitude difference between states. In addition, generalized slimming and fattening operations that are based on sets that are not centered at the origin may also prove to be key to obtaining tighter approximations in the case of changes in dynamics. Finally, real-time applications of the theory presented here will be studied in future work, with a focus on safety-critical predictive control.

APPENDIX I GENERALIZATIONS TO THE THEORY
In the theory presented in Section III, a number of assumptions can be weakened to address a larger class of dynamical systems; we present these relaxations below.
For the claim of Proposition 2, it suffices that in addition to assumptions 1)-3) above, multifunction possesses the Scorza-Dragoni property [35,Def. 19 Finally, for Lemma 4 to hold, conditions 1)-3) above and the Scorza-Dragoni property again form sufficient conditions; in its proof, the solution set is indeed continuous if conditions 1)-2) are met, by Corollary 4.5 in [26].
Melkior Ornik received the Ph.D. degree from the University of Toronto, Toronto, ON, Canada, in 2017. He is currently an Assistant Professor with the Department of Aerospace Engineering and the Coordinated Science Laboratory, University of Illinois Urbana-Champaign, Urbana, IL, USA. His research focuses on developing theory and algorithms for learning and planning of autonomous systems operating in uncertain, complex, and changing environments, as well as in scenarios where only limited knowledge of the system is available.