Responsive Economic Model Predictive Control for Next-Generation Manufacturing

: There is an increasing push to make automated systems capable of carrying out tasks which humans perform, such as driving, speech recognition, and anomaly detection. Automated systems, therefore, are increasingly required to respond to unexpected conditions. Two types of unexpected conditions of relevance in the chemical process industries are anomalous conditions and the responses of operators and engineers to controller behavior. Enhancing responsiveness of an advanced control design known as economic model predictive control (EMPC) (which uses predictions of future process behavior to determine an economically optimal manner in which to operate a process) to unexpected conditions of these types would advance the move toward artiﬁcial intelligence properties for this controller beyond those which it has today and would provide new thoughts on interpretability and veriﬁcation for the controller. This work provides theoretical studies which relate nonlinear systems considerations for EMPC to these higher-level concepts using two ideas for EMPC formulations motivated by speciﬁc situations related to self-modiﬁcation of a control design after human perceptions of the process response are received and to controller handling of anomalies.


Introduction
The buzz around artificial intelligence (AI), machine learning, and data in recent years has sparked both excitement and skepticism from the process systems engineering community [1,2]. Some of the most prevalent uses of data in the process systems field have included its use in developing models of various processes (e.g., Reference [3]) with potential applications in model-based control [4], in learning control laws [5,6], and in process monitoring [7,8]. Control engineers have debated about whether control itself should be considered to be artificial intelligence, particularly as control laws become more advanced. For example, a particularly intelligent form of control (known as economic model predictive control (EMPC) [9][10][11][12]) is an optimization-based control strategy that determines the optimal manner in which to operate a chemical process in the sense that the control actions optimize a profit metric for the process over a prediction horizon, subject to process constraints. The significant potential benefits of this control law for next-generation manufacturing have prompted a wide range of investigations in the context of EMPC, including how it may be used for building temperature regulation [13], wastewater treatment [14], microgrid dispatch [15], and gas pipeline networks [16]. Though chemical processes have traditionally been operated at steady-state, EMPC does not necessarily enforce steady-state operation in its efforts to optimize process economic performance. This has raised key questions for this control design regarding important properties of intelligent systems such as interpretability of its operating strategy and verification that it will work correctly for the real environment that it will need to control and interact with.
Interpretability is a desirable property for artificially intelligent systems. It has been considered in a variety of contexts; for example, the issue of building interpretable data-driven models has been considered to be enhanced by sparse regression, where a model with a small number of available possible terms which could be utilized to build it is derived (with an underlying assumption being that simpler models are more physically realistic and therefore should be more interpretable) [17]. Models identified via sparse regression techniques have been utilized in model predictive control for hydraulic fracturing [18]. Interpretability of other model-building strategies has also been a consideration; for example, for neural networks, where interpretability may be considered to be multidimensional, but to generally constitute whether a human can trace how a neural network obtained its conclusions via how the input information was processed [19], recurrent neural networks with long short-term memory were analyzed for how their cells processed different aspects of character-level language models [20].
It is recognized that interpretability of the control actions computed by an EMPC will be a major determining factor in the adoption of EMPC in the process industries (because, if operators and engineers do not know if the process is in an upset condition, they will likely disable features of the controller that make it difficult to understand due to the need to be sure that safety is maintained at all times). Interpretability for EMPC has not yet received significant focus in the literature. The subset of EMPC formulations which track a steady-state [21] possess a form of interpretability in that the reference behavior is understood by engineers and operators. Reference [22] developed an EMPC formulation in which the desired closed-loop process response specified or restricted by an operator or engineer is tracked by the controller. However, developing the best means for ensuring interpretability for EMPC to appropriately trade off end user understanding with economic optimality remains a largely open question. This work provides new perspectives on this important issue, suggesting that a controller formulation that bridges the human-machine interface by allowing the adjustment of constraints in response to human opinions about the process behavior under the EMPC may provide new avenues of both democratizing advanced control and allowing end users to adjust the response to their liking from an interpretability standpoint.
Another important topic for intelligent control systems is enabling their verification (i.e., certifying that they will perform in practice as intended). Verification can take a significant amount of engineering time and expense, and methods for reducing the time required to validate the controller's performance could reduce the cost of advanced control, could promote operational safety, and could make the controller more straightforward to implement (a lack of ability to verify can prevent an intelligent system from being placed online at all). In the control community, a traditional approach to verification is to design controllers with guaranteed robustness to bounded uncertainty and to use this as a certificate that the controller will be able to maintain closed-loop stability in practice (e.g., References [23][24][25]). This requires some knowledge of the disturbance characteristics (e.g., upper bounds), which may be difficult to fully determine a priori but is important for EMPC, as the controller could drive the closed-loop state to operate at boundaries of safe operating regions to optimize profits, where the uncertainty in the disturbance characteristics could lead to unsafe conditions. Additional conservatism to account for the uncertainty could lead to over-conservatism that could decrease profits. Other methods for handling disturbances in EMPC have been developed, including methods that account for disturbances probabilistically (making assumptions on their distribution) [26] or adapting models used by the predictive controller online (e.g., References [27][28][29]). Results on the use of adapting models in EMPC have even included closed-loop stability guarantees when a recurrent neural network that is updated via error triggering is used as the process model [30]. An example of an adaptive control strategy which handles uncertain dynamics in batch processing is that in Reference [31], which uses model predictive control equipped with a probabilistic recursive least squares model parameter update algorithm with a forgetting factor to capture batch process dynamics. In addition, Reference [32] analyzed a learning-based MPC strategy with a terminal constraint for systems with unmodeled dynamics, where performance is enhanced by using a learned model in the MPC but safety goals are met by ensuring that control actions computed via the MPC are stabilizing.
Another direction that has received attention for handling uncertainty is fault tolerance in the sense of controller reconfigurations upon detection of an actuator fault/anomaly (e.g., Reference [33]) or anomaly response cast in a framework of fault-tolerant control handled via fault/anomaly detection followed by updating the model used by a model-based controller [34]. In Reference [35], fault-tolerant control for nonlinear switched systems was analyzed in the context of safe parking for model predictive control with a steady-state tracking objective function for actuator faults. For EMPC, Reference [36] handled faults through error-triggered data-driven model updates in the controller, and the uniting of EMPC with driving the state into safety-based regions in state-space (e.g., References [37,38]) also constitutes a form of fault-handling. Despite these advances in handling anomalies and uncertainty, which are critical for addressing moving toward a verification paradigm for EMPC, verifying the controller today would still be expected to be time-consuming; additional work is needed to explore further ways of considering and establishing verification for the control design.
Another approach in verification of controllers has been online verification via data-driven models complemented by detection algorithms for problematic controller behavior leading to bounds on the time that would elapse before detection of problematic controller behavior [39]. A feature of this direction in verification, therefore, is the combination of data-driven modeling for control (to address model uncertainty) with guarantees that problematic behavior due to model inaccuracies can be flagged within a given time period. In the present work, we take a conceptually similar approach to verification for EMPC using online anomaly handling with a conservative Lyapunov-based EMPC (LEMPC) [24] design approach that facilitates guaranteed detection of significant plant/model mismatch under sufficient conditions and allows upper bounds on the amount of time available until the mismatch would need to be compensated via model updates without compromising closed-loop stability (as well as the characteristics of the resulting control law after model reidentification required to obtain these theoretical results) to be presented. The development of theoretical guarantees on closed-loop stability with data-driven models that can be updated online in LEMPC has some similarities to References [30,40] but is pursued from a different angle that allows the underlying process dynamics to suddenly change and also allows for more general nonlinear data-driven models to be considered (i.e., we do not restrict the modeling methodology to neural networks as in References [30,40]). It also has similarities to the framework for accounting for faults in LEMPC via model updates in Reference [41] but considers a theoretical treatment of anomaly conditions with data-driven LEMPC, which was not explored in that work.
Motivated by the above considerations, this work focuses on advancing both interpretability and verification for EMPC. These are important considerations for human-machine interaction and can be viewed as different aspects of a "responsive" control design in the sense that the controller is made responsive to changing or unexpected conditions like a human would be. We first address the interpretability concept suggested above in an LEMPC framework in which we elucidate conditions under which an LEMPC could be made responsive to potentially inaccurate metrics reflecting the reactions of end users to the LEMPC's behavior without loss of closed-loop stability. We subsequently move in the direction of addressing verification considerations for LEMPC by developing theoretical guarantees which can be made for the controller in the presence of process dynamics anomalies/changes when potentially adapting data-driven models are used in the controller. We evaluate the conditions under which closed-loop stability may be lost in such circumstances, with exploration of bounds on times before which detection and accommodation of the anomaly could be stabilized to avoid potential plant shutdown. Numerical examples utilizing continuous stirred tank reactors (CSTRs) are presented to illustrate major concepts. Throughout, we highlight cases where the proposed methods could interface with other artificial intelligence techniques (e.g., sentiment analysis or image-based sensing) without compromising closed-loop stability, highlighting the range of intelligent techniques which can be used to enhance next-generation control within an appropriate theoretical framework.
This work is organized as follows: in Section 2, preliminaries are presented. These are followed by the main results in Section 3, which consist of controller formulations and implementation strategies, with demonstration via numerical examples, where (1) the controller constraints can be adjusted online in response to potentially inaccurate stimuli without closed-loop stability being lost (Section 3.1) and (2) the control strategy has characterizable properties in the presence of process anomalies resulting in unanticipated changes in the underlying process dynamics (Section 3.2). Section 4 concludes and provides an outlook on the presented results. Proofs for theoretical results associated with the second control strategy noted above are provided in the Appendix. This manuscript is an extended version of Reference [42].

Class of Systems
This work considers switched nonlinear systems of the following form: where x a,i ∈ X ⊂ R n denotes the state vector, u ∈ U ⊂ R m denotes the input vector (u = [u 1 , . . . , u m ] T ), and w i ∈ W i ⊂ R z denotes the disturbance vector, where W i := {w i ∈ R z : |w i | ≤ θ i , θ i > 0}, for i = 1, 2, . . .. In this notation, the ith model is used for t ∈ [t s,i , t s,i+1 ), where x a,i (t s,i+1 ) = x a,i+1 (t s,i+1 ) and t s,1 = t 0 . The vector function f i is assumed to be a locally Lipschitz function of its arguments with f 1 (0, 0, 0) = 0 and f i (x a,i,s , u i,s , 0) = 0 for i > 1 (i.e., the steady-state of the updated models when w i = 0 is at x a,i = x a,i,s , u = u i,s ). The system of Equation (1) with w i ≡ 0 is known as the nominal system. Synchronous measurement sampling is assumed, with measurements available at every t k = k∆, k = 0, 1, . . .. It is noted that t s,i , i = 1, 2, . . ., is not required to be an integer multiple of t k . We definē x a,i = x a,i − x a,i,s andū i = u − u i,s and definef i as f i rewritten to have its origin atx a,i = 0,ū i = 0, w i = 0. Similarly, we define U i to be the set U in deviation variable form from u i,s and X i to be the set X in deviation variable form from x a,i,s .
We assume that there exists an explicit stabilizing (Lyapunov-based) control law h i (x a,i ) = [h i,1 (x a,i ) . . . h i,m (x a,i )] T that renders the origin of the nominal system of Equation (1) asymptotically stable in the sense that the following inequalities hold: for allx a,i ∈ D i ⊆ R n and i = 1, 2, . . ., where D i is an open neighborhood of the origin off i , and for a positive definite, sufficiently smooth Lyapunov function V i . The functions α 1,i , α 2,i , α 3,i , and α 4,i are of class K. A level set of V i denoted by Ω ρ i ⊂ D i is referred to as the stability region of the system of Equation (1) under the controller h i (x a,i ). We consider that Ω ρ i is selected to be contained within X. The Lyapunov-based controller is assumed to be Lipschitz continuous such that the following inequalities hold: for a positive constant L h,i for all x, x ∈ Ω ρ i , and i = 1, 2, . . ., with j = 1, . . . , m.
Lipschitz continuity of f i and sufficient smoothness of V i provide the following inequalities, for positive constants M i , L x,i , L w,i , L x,i , and L w,i : for all x, x ∈ Ω ρ i , u ∈ U i , and w i ∈ W i . As this work considers responses to unexpected conditions, we consider that there may be cases in which the nonlinear model of Equation (1) may not be available, though an empirical model with the following form may be available:ẋ b,q (t) = f NL,q (x b,q (t), u(t)) (10) where f NL,q is a locally Lipschitz nonlinear vector function in x b,q ∈ R n and in the input u ∈ R m with f NL,1 (0, 0) = 0 and f NL,q (x b,q,s , u q,s ) = 0 for q > 1 (i.e., the steady-state of the updated models is at x b,q = x b,q,s , u = u q,s ). Here, q = 1, 2, . . ., to allow for the possibility that, as the underlying process dynamics change (i.e., the value of i increases in Equation (1)), it may be desirable to switch the empirical model used to describe the system. However, we utilize the index q instead of i for the empirical model to signify that we do not assume that the empirical model must switch with the same frequency as the process dynamics. When the model of Equation (10) does switch, we assume that the switch occurs at a time t s,NL,q+1 in a manner where x b,q (t s,NL,q+1 ) = x b,q+1 (t s,NL,q+1 ). We definex b,q = x b,q − x b,q,s and u q = u − u q,s and definef NL,q as f NL,q , rewritten to have its origin atx b,q = 0,ū q = 0, as follows: Similarly, we define U q to be the set U in deviation variable form from u q,s and X q to be the set X in deviation variable form from x b,q,s .
We consider that, for the empirical models in Equation (10), there exists a locally Lipschitz explicit stabilizing controller h NL,q (x b,q ) that can render the origin asymptotically stable in the sense that: for allx b,q ∈ D NL,q (where D NL,q is a neighborhood of the origin off b,q contained in X), whereV q : R n → R + is a sufficiently smooth Lyapunov function,α i,q , i = 1, 2, 3, 4, are class K functions, and q = 1, 2, . . .. We define Ωρ q ⊂ D NL,q as the stability region of the system of Equation (10) under h NL,q and Ωρ sa f e,q as a superset of Ωρ q contained in D NL,q and X. Lipschitz continuity of f NL,q and sufficient smoothness ofV q imply that there exist M L,q > 0 and L L,q > 0 such that ∀x, x 1 , x 2 ∈ Ωρ q , u ∈ U q , and q = 1, 2, . . .. Furthermore, we definex a,i,q = x a,i − x b,q,s as the variable representing the deviation of each x a,i from the steady-state of the qth empirical model of Equation (10) andf i,q as the right-hand side of Equation (1) when the model is rewritten in terms of the deviation variablesx a,i,q andū q , as follows:x a,i,q =f i,q (x a,i,q (t),ū q (t), w i (t)) (14) We assume that the following holds: for all x, x , u , u and w such that x + x b,q,s − x a,i,s ∈ Ω ρ i , x + x b,q,s − x a,i,s ∈ Ω ρ i , u + u q ∈ U, u + u q ∈ U, and w ∈ W i . We define a level set ofV q contained in Ωρ sa f e,q that is also contained in Ω ρ i to be Ωρ q,i , and L x,i,q , L w,i,q , L x,i,q , L w,i,q > 0

Economic Model Predictive Control
Economic model predictive control (EMPC) [12] is an optimization-based control design formulated as follows: where L e (·, ·) represents the stage cost of the EMPC, which can be a general scalar-valued function that is optimized in Equation (17). The notation u ∈ S(∆) signifies that u is a piecewise-constant input trajectory with period ∆. The prediction horizon is denoted by N. Equation (18) represents the nominal process model, with predicted statex a,i for the ith model. Equations (20) and (21) represent the input and state constraints, respectively. We denote the optimal solution of an EMPC at t k by u * p (t j |t k ), p = 1, . . . , m, j = k, . . . , k + N − 1, where each u * p (t j |t k ) holds for t ∈ [t j , t j+1 ) within the prediction horizon. x(t k ) in Equation (19) signifies that the state measurement represents the actual system state at t k placed in deviation variable form with respect tox a,i,s . Due to the potential switching of the underlying process dynamics before the model in Equation (18) is updated, the measurement may come from a dynamic system different than the ith model used in Equation (18).

Lyapunov-Based Economic Model Predictive Control
A variety of variations on the general EMPC formulation in Equations (17)- (21) have been developed. One such variation which will receive focus in this paper is Lyapunov-based EMPC (LEMPC) [24], which is formulated as in Equations (17)-(21) but with the following Lyapunov-based constraints added as well: where Ω ρ e,i ⊂ Ω ρ i is selected such that the closed-loop state is maintained within Ω ρ i over time when the process of Equation (1) is operated under the LEMPC of Equations (17)- (23). t is a time after which the constraint of Equation (23) is always applied, regardless of the value of V i (x(t k )). The activation conditions of the LEMPC with respect to V i (x(t k )) ensure that the LEMPC can maintain closed-loop stability within Ω ρ i as well as recursive feasibility.

Lyapunov-Based Economic Model Predictive Control with an Empirical Model
Several prior works have developed LEMPC formulations including empirical models [43,44] when the model of Equation (1) is either unknown or undesirable for use (e.g., more computationally intensive than an empirical model). They have the following form: where the notation follows that found in Equations (17)- (23) except that the predictions from the nonlinear empirical model are denoted byx b,q (Equation (24b)) and are initialized from a measurement of the state of the ith system of Equation (1) (i.e., from the state measurement of whichever model describes the process dynamics at t k ). Regardless of which dynamic model describes the underlying process dynamics, the qth empirical model along with the state (Equation (24d)) and Lyapunov-based stability constraints corresponding to that model are used.

Responsive Economic Model Predictive Control Design
The next sections present two concepts for moving toward interpretability and verifiability goals for EMPC, cast within a framework of making EMPC more responsive to "unexpected" behavior.

Automated Control Law Redesign
In this section, we focus on a case in which the process model used does not change over time (i.e., the i = 1 process model in Equation (1) is used for all time) and consider the problem that, despite the pushes toward next-generation manufacturing, many companies that may benefit from automation can have difficulty implementing the appropriate advances if they do not have a knowledgeable control engineer on site due to both a lack of knowledge of advanced control as well as a lack of interpretability of the controller's actions. We present one idea for making an LEMPC easier to work with by giving it a "self-design" capability that allows the controller to update its formulation in a manner that satisfies end-user requirements without requiring understanding of the control laws on the part of the end users. Critically, closed-loop stability and recursive feasibility guarantees are retained. This can be considered to be a case in which the human response to the operating strategy is "unexpected" (in the sense that it is not easily predictable by the control designer), but the controller must have the ability to adjust its control law in response to the human reaction.
The first step toward designing an appropriate controller for this scenario is to recognize that the human response to the process behavior is some function of the pattern observed in the state and input data and that the pattern is dictated by the control formulation. For EMPC, for example, it is dictated by the constraints and objective function (though the process model of Equation (18) also plays a role in determining the response, we consider that the model must represent the process at hand and that therefore it cannot be tuned to impact the state/input behavior). Conceptually, then, the solution to handling the "unexpected" response of the end user of the controller is to learn the mapping between the end user's satisfaction with the response and the constraint/objective function formulation and then to use that mapping to find the constraint/objective function formulation that provides "optimal" satisfaction to the end user.
An open question is how to do this and, in particular, how to do it in a manner that provides theoretical guarantees on feasibility/closed-loop stability. To demonstrate this challenge, consider the LEMPC of Equations (17)- (23). The theoretical results for LEMPC which guarantee closed-loop stability and recursive feasibility under sufficient conditions when no changes occur in the underlying process dynamics rely on the constraints of Equations (22) and (23) being present in the control design [24]. Therefore, ad hoc constraint development in an attempt to optimize end-user "satisfaction" with the process response would not be a means for providing closed-loop stability and recursive feasibility guarantees. Instead, any modification of constraints must take place in a more rigorously defined manner.
One approach would be to develop constraints for EMPC which allow "tuning" of the process response but impact neither closed-loop stability nor feasibility as the tuning parameter in these constraints is adjusted. They thus offer some flexibility to the end user in modifying the response but also ensure that the end user's power to adjust the control law is appropriately restricted for feasibility/stability purposes.
An example of constraints which meet this requirement is the input rate of change constraints added to LEMPC in Reference [45]. In the following section, we will discuss in detail how these constraints may be incorporated within the proposed framework for providing an end user with a restricted flexibility in adjusting the process response without losing theoretical properties of LEMPC.

Remark 1.
The question of how the human response may be accurately sensed is outside the scope of the present manuscript. A process example will be provided below in which the end user is assumed to take time to rank his or her "satisfaction" with the process behavior under a number of different controllers to develop a mapping between satisfaction and the tuning parameter of the control law. However, human responses could also be considered to be obtained through other machine learning/artificial intelligence methods, such as sentiment analysis [46].

Remark 2.
Potential benefits of an approach that adjusts the controller's behavior based on the end user's response (rather than assuming that some type of standard metric for evaluating control performance (e.g., settling time, rise time, or overshoot of the steady-state) is able to capture the desired response) are that (1) EMPC may operate processes in a potentially time-varying fashion, meaning that the closed-loop state may not be driven to a steady-state and that the behavior of the process under the EMPC may not be easily predictable a priori (e.g., without running closed-loop simulations). Therefore, determining what metrics to use to state whether performance under EMPC is acceptable or not may not be intuitive or easily generalizable, unlike in the case where steady-state operation is desired. (2) Again, unlike the steady-state case, not all end users of a given EMPC formulation may have the same definition of "good" behavior. Ideally, the "best" behavior is the one computed by the EMPC when it optimizes the process economics over the prediction horizon in whatever manner is necessary to ensure that the constraints are met but profit is maximized. However, an end user may not find this to constitute the "best" behavior due to other considerations that are perhaps difficult or costly to include in the control law (for example, the most profitable input trajectories from the perspective of the profit metric being used in Equation (17) may be expected to lead to more actuator wear than is desirable, which will be the subject of the example below). Therefore, it may be difficult to set a general metric on "good" behavior under EMPC, as the additional considerations defining "goodness" that are not directly included in the control law may vary between processes. (3) The concept of designing a controller that is responsive to unexpected evaluations of its behavior could have broader implications, if appropriately developed, than the initial goal of achieving desired process behavior for a given control law. Ideally, developments in this direction would serve as a springboard for reducing a priori control design efforts while increasing flexibility for next-generation manufacturing such that end users are able to achieve many goals during production that they may conceive over time as being important to their operation but without needing to interface extensively with vendors or even needing to update their software to achieve these updated process responses. The vision is one where modifications for manufacturing could become as flexible and safe through new responsive and intelligent controller formulations as modifications to codes are for computer scientists who do not work with physical processes and therefore can readily test and evaluate new protocols to advance the field quickly.

LEMPC with Self-Designing Input Rate of Change Constraints
In Reference [45], an LEMPC formulation with input rate of change constraints was designed with the form in Equations (17)-(23) but with the following rate of change constraints added on the inputs: where r ≥ 0. This formulation is demonstrated in Reference [45] to maintain closed-loop stability and recursive feasibility under sufficient conditions and to cause the following constraints to be met: where desired > 0. The goal of this formulation of LEMPC is to utilize input rate of change constraints to attempt to reduce variations in the inputs between sampling periods that have the potential to cause actuator wear. However, as noted in Reference [47], despite the intent of the method to prevent actuator wear, there is no explicit relationship between desired or r and the amount of actuator wear. Therefore, a control engineer seeking to prevent actuator wear for a given process under the LEMPC of Equations (17)-(23), (25), and (26) might design the value of r by performing closed-loop simulations of the process under various values of r and then by selecting the one that gives the response that the engineer judges to present a sufficient tradeoff between optimizing economic performance and reducing actuator wear. A company with little control expertise on hand, however, may have difficulties with tuning r without vendor assistance. The fact that controllers today cannot readily "fix" their response if engineers who do not have control expertise would like the response to have different characteristics presents a hurdle to the adoption of even simple control laws, let alone the more complex designs which we would like to move into widespread use as part of the next-generation manufacturing paradigm.
These potential negative responses to a lack of on-site control expertise might be prevented by allowing the controller itself to be responsive to end-user preferences. For example, the value of r might be designed by allowing a short period of operation under the control law of Equations (17)-(23), (25), and (26) with different values of r . The engineers at the plant could then look at time periods in the plant data during which each of the values of r were used and could evaluate the performance of the plant through some metric that can be recorded. Then, the value of r that is predicted to provide the highest rate of satisfaction (based on some relationship between the value of r and the evaluation metrics which can be derived through techniques for fitting appropriate models to the kind of data generated, such as regression or other techniques of machine learning) could be selected for use (and further updated over time through a similar mechanism as necessary).

Remark 3.
One could argue that the algorithm by which a control engineer judges whether a given value of r is preferable could be represented mathematically (e.g., as an optimization problem with an objective function representing a tradeoff between penalties on input variation and loss of profit). However, for the reasons noted in Remark 2 above and also with the goal of developing an algorithm which may facilitate interpretability of LEMPC by allowing its control law to be self-adjusted based on how end users feel about the response of the process under the controller, we handle this within the general case of "unexpected" scenarios to which we would like to make EMPC responsive.

LEMPC with Self-Designing Input Rate of Change Constraints: Theoretical Guarantees
The methodology proposed above incorporates human judgments on the process response for different values of r for setting r in Equations (17)-(23), (25), and (26). Despite the fact that human judgment is imprecise, the LEMPC formulations of Equations (17)-(23), (25), and (26), by design, maintains closed-loop stability and recursive feasibility under sufficient conditions (proven in Reference [45]) that are unrelated to the value of r , demonstrating that the combination of control theory and data-driven models for "unexpected" behavior or human intuition may be possible to achieve with theoretical guarantees.
When the proposed strategy for evaluating r online via human responses to different values of the parameter r is used, closed-loop stability and feasibility still hold; however, it may not be guaranteed that Equations (27) and (28) hold. Since desired is arbitrary in many respects since it is indirectly tied to actuator wear (primarily though human evaluation), the satisfaction of Equations (27) and (28) may not be significant during the time period that an operator or engineer is evaluating r .
There is no guarantee that the proposed method will produce a value of r that gives "optimal satisfaction" to the end user. However, this is not considered a limitation of the method, as the end user's satisfaction is subjective and various methods for modeling the relationship between r and the end user's satisfaction could be examined if one is found to produce an inadequate result. The value of r can also be adjusted further over time if the response after an initial value of r is chosen is determined not to be preferable. Reference [45] does guarantee however that, throughout all of the time of operation (both when various values of r are tested and when a single value of r is selected), closed-loop stability and recursive feasibility can be guaranteed. This is because the value of r only impacts whether Equations (27) and (28) are satisfied under the LEMPC of Equations (17)-(23), (25), and (26), and Equations (27) and (28) are only of potential concern for actuator wear and not closed-loop stability or feasibility. Furthermore, because Reference [45] (17)-(23), (25), and (26) at every sampling time regardless of the value of r because Equations (25) and (26) can be satisfied by h i (x a,i (t q )), t ∈ [t q , t q+1 ), q = k, . . . , k + N − 1 for any r ≥ 0, the value of r can change between two sampling periods as r is being evaluated and recursive feasibility (and therefore closed-loop stability, since closed-loop stability depends on Equations (22) and (23) and not on Equations (25) and (26)) will be maintained. Finally, though when r is being evaluated, the process profit or actuator wear level may not be the same as they would be after the value of r is selected, this is not expected to pose significant problems for many processes if it is performed over a short period of time. Furthermore, if there are hard process constraints defined by X i that must be met in order to ensure that the product produced during the time when r is evaluated can be sold, these can be met even as various values of r are tried becausex a,i (t) ∈ Ω ρ i ⊆ X i according to Reference [45] for any value of r . Furthermore, Reference [45] also guarantees that, even as the values of r are adjusted, the closed-loop state can be driven to a neighborhood of a steady-state to avoid production volume losses as r is adjusted if necessary.

Remark 4.
The fact that the above stability analysis holds regardless of the value of r indicates that the accuracy of the method used in obtaining r does not impact closed-loop stability. This is particularly important if the method used in obtaining r involves, for example, performing sentiment analysis of human speech data to determine how well humans like a given value of that parameter. We overcome the limitation of interfacing humans with machines by ensuring that the only parameter of the control law design which is modified in response to the algorithm that carries uncertainty is one which, deterministically, does not impact closed-loop stability.

Remark 5.
Though this section on automated control law redesign has explored only input rate of change constraints, other online redesigns may also be possible in control. For example, in the LEMPC formulation of Equations (17)-(23), the value ρ e,i could be modified over time if an appropriate implementation strategy was developed. Specifically, there exist bounds on ρ e,i given in Reference [24] which are required for closed-loop stability to be maintained for the process of Equation (1) operated under the LEMPC of Equations (17)- (23). Given this, a similar strategy to that presented for the selection of r could be utilized to adjust the value of ρ e,i within its bounds online without impacting closed-loop stability. This holds because a value of ρ e,i between the minimum and maximum at a given time would always be utilized. According to Reference [24], the consequence of this is that, at the next sampling time,x a,i (t k ) ∈ Ω ρ i . Ifx a,i (t) ∈ Ω ρ i at the end of every sampling period for any ρ e,i between its minimum and maximum,x a,i (t) ∈ Ω ρ i at all times. If both r and ρ e,i were to be simultaneously varied, for example, closed-loop stability would again hold, as the value of r does not impact closed-loop stability for the reasons noted above and the value of ρ e,i can vary between its minimum and maximum value as just described without impacting closed-loop stability. Recursive feasibility would also not be impacted. This suggests that it may be possible to design more complex control laws with multiple self-tuning parameters that are simultaneously optimized based on human response to develop control laws that behave in a desirable manner online without posing a safety concern due to loss of closed-loop stability. EMPC with Self-Designing Input Rate of Change Constraints: Application to a Chemical Process Example In this section, we employ a process example that demonstrates the concept of self-designing input rate of change constraints. For simplicity, in this example, we do not employ the Lyapunov-based stability constraints of Equations (22) and (23); therefore, no theoretical stability guarantees can be made for this example. However, this does not present problems for illustrating the core concepts of the method of integrating human responses to operating conditions with EMPC.
The process under consideration is an ethylene oxidation process in a continuous stirred tank reactor (CSTR) from Reference [48] with reaction rates from Reference [49]. The following three reactions are considered to occur in the CSTR: Mass and energy balances for the reactor, in dimensionless form, are as follows:x where the process model parameters are listed in Table 1; the state vector componentsx 1 ,x 2 ,x 3 , andx 4 (i.e.,x = [x 1x2x3x4 ] T ) are dimensionless quantities corresponding to the gas density, ethylene concentration, ethylene oxide concentration, and temperature in the CSTR, respectively; and the input vector componentsū 1 andū 2 are dimensionless quantities corresponding to the feed volumetric flow rate and the feed ethylene concentration. The process of Equations (32)-(35) has a steady-state atx 1 = 0.998, An EMPC is designed to control this process by maximizing the yield of ethylene oxide, which is defined by the following equation over a time interval from the initial time (t 0 = 0) to the final time of operation t f : However, it is assumed that, in addition to the following bounds on the inputs, 0.0704 ≤ū 1 ≤ 0.7042 (37) 0.2465 ≤ū 2 ≤ 2.4648 (38) there is also a constraint on the total amount of material which can be fed to the CSTR over time: As Equation (39) fixes the denominator of Equation (36), the stage cost to be minimized using the EMPC is as follows: To attempt to avoid actuator wear, input rate of change constraints will also be considered. The general form of the EMPC for this example is therefore as follows: In this formulation, no Lyapunov-based stability constraints are employed and no closed-loop stability issues arose in the simulations (i.e., the closed-loop state always remained within a bounded region of state-space). Furthermore, due to the lack of Lyapunov-based stability constraints, the input rate of change constraints of Equations (27) and (28) are enforced directly on input differences (i.e., they have the form of Equations Equations (27) and (28) rather than the form of Equations (25) and (26)).x represents the predicted value of the process state according to the model of Equation (42).ū * 1 andū * 2 represent the optimal values ofū 1 andū 2 that have been applied in past sampling periods (i.e.,ū * 1 =ū 1 (t k−1 ), andū * 2 =ū 2 (t k−1 )). The values ofū 1 (t k−1 ) andū 2 (t k−1 ) for k = 0 are assumed to be the steady-state values of these inputs. N k is a shrinking prediction horizon in the sense that, at the beginning of every operating period of length t v = 46.8, the value of N k is reset to 5 but is then reduced by 1 at each subsequent sampling time of the operating period. This shrinking horizon allows the constraint of Equation (39) to be enforced within every operating period to ensure that, by the end of the time of operation, Equation (39) is met. In Equation (46), r signifies the operating periods completed since the beginning of the time of operation (e.g., in the first t v time units, r = 0 because no operating periods have been completed yet).
We assume that the engineers and operators do not know the value of that they would like to impose in the EMPC of Equations (41)-(46) but plan to determine an appropriate value by assessing the process behavior from the same initial condition under EMPC's with different values of and by selecting a value that they expect will give the optimal tradeoff between economic performance and actuator wear reduction. To represent the process behavior as is varied in these experiments, we performed eight closed-loop simulations of the process of Equations (32) The open-source interior point solver Ipopt [50] was used to solve all optimization problems. Figures 1 and 2 show the state and input trajectories for each of the values of chosen. Table 2 shows how the yield varies with the choice of . To express the engineer's or operator's judgment of the relative "goodness" of the response that they see when both profit and input variations are considered, the engineers and operators are considered to have ranked the response for a given on a scale of 1 to 10 as shown in Table 2, with 1 being the worst and 10 being the best. Figure 3 shows the rankings as a function of as solid blue circles. From this figure, we postulate that a model that may fit this data has the following form: Using the MATLAB function lsqcurvefit, the data from Table 2 for the various values of reported was fit to the function in Equation (48), resulting in c 1 = 68.8901, c 2 = 3.8356, c 3 = 0.8480, and c 4 = 0.7933. The plot of the function fit to the data is shown as the red curve on Figure 3. A more rigorous method could have been utilized to fit the model and the data (involving, for example, more samples and an evaluation of the deviation of the model from the data), but the present method is sufficient for demonstrating the concepts developed in this work.
The utility of the function in Equation (48) is that it provides a mathematical representation of the model that an engineer or operator is using within his or her mind to determine the best value of to utilize when this engineer or operator is not aware of the model himself or herself. This makes the advanced control design more tractable for the operator or engineer to utilize without advanced control knowledge by fitting the "mind of the human" to a function that can then be utilized in optimizing the control design automatically. To demonstrate this, we determine the "optimal" value of based on the model of Equation (48)     Ranking Figure 3. Scatter plot reflecting rankings in Table 2 (solid blue circles) and the curve fit using lsqcurvefit (solid red line). Remark 6. The rankings in Table 2 are fabricated to demonstrate the concept that a human judgment could be translated to a modification of an EMPC formulation parameter. They were contrived to display a form to which a reasonable model could be readily fit using lsqcurvefit and, furthermore, are highly simplified (e.g., only a single ranking is provided for each value of rather than an average ranking with additional information such as standard deviation that might be expected if more than one individual was to rank the response). For an actual process, the transformation of human opinion on the response to a function of would therefore be expected to be more complex and to potentially involve statistics-based techniques or other methods for obtaining models from process data; however, an investigation of such methods is outside of the scope of this paper, and therefore, a simplified ranking model was used to demonstrate the concept that a control law parameter might be decided upon by evaluating characteristics of a response where there is a tradeoff between competing operating objectives where at least one of them (in this case, the actuator wear) is more difficult to quantify with a simple model such that the incorporation of human judgment can make the control law design potentially simpler (than if, for example, a detailed actuator wear model was to be developed to allow the controller to more accurately predict the wear itself to then prevent it through a constraint on wear rather than input rate of change).

EMPC Response to Unexpected Scenarios via Model Updates
A second case for which we will explore EMPC designs which are responsive to unexpected events considers these "unexpected" events to be defined by a change in the underlying process dynamics (i.e., the value of i increases in Equation (1)). This class of problems covers anomaly responses for EMPC, for which we will adopt the common anomaly-handling strategy (as described in the Introduction section) of updating the process model. Mathematically, we assume that the process model was known with reasonable accuracy before the anomaly (i.e., there is an upper bound on the error between the model used in the LEMPC and the model of Equation (1) with i = 1).
We make several points with respect to model updates in this section. First, if the underlying dynamics change, it is possible that the structure of the underlying dynamic model has fundamentally changed. When identifying a new model, it may therefore be preferable to identify the parameters of one with a revised structure; this is a case of seeking to identify a more physics-based model from process data [51]. In keeping with the prior section where the potential was shown for integrating machine learning algorithms known to not be guaranteed to provide accurate data with control, we here highlight that, if machine learning-based sensors (e.g., image-based sensors) are utilized with the process, they may aid in suggesting how to update a process model's structure over time to attempt to keep the structure physically relevant. Because such sensing techniques may not provide correct suggestions, however, a model with a structure suggested by such an algorithm does not need to be automatically implemented in model-based control; instead, engineers could consider multiple models after a machine learning-based algorithm suggests that an anomaly/change in the underlying process model has occurred, where one model to be evaluated is that used until this point and the second is a model that includes any updates implied by the sensing techniques. Subsequently, the prediction accuracy of the two models could be compared, and whichever is most accurate can be considered for use in the LEMPC [52]. Like the methodology in Section 3.1.1, this method limits the ability of any attempts to integrate machine learning (in the sensors) and control from impacting closed-loop stability by using it to complement a rigorous control design approach rather than to dictate it.
Second, at a chemical plant, anomalies may be considered to be either those which pose an immediate hazard to humans and the environment and are considered to require plant shutdown upon detection or those which do not. When the anomaly detected requires plant shutdown, generally the safety system is used to take extreme actions like cutting feeds to shut down the plant as quickly as possible; these generally have a prespecified nature (e.g., closing the feed valve). Anomalies that do not present immediate hazards to humans may either result in sufficiently small plant/model mismatch that the controller is robust against or the plant/model mismatch could cause subsequent control actions to drive the closed-loop state out of the expected region of process operation (at which point, the anomaly may be a hazard). We consider that characterizing conditions under which closed-loop stability is not lost in the second case may constitute steps in moving toward verification of EMPC for the process industries with adaptive model updates in the presence of changing process dynamics.

Automated Response to Anomalies: Formulation and Implementation Strategy
In the next section, we will present theoretical results regarding conditions under which an LEMPC could be conservatively designed to handle anomalies of different types in the sense that closed-loop stability would not be lost upon the occurrence of an anomaly or that impending loss of closed-loop stability could be detected by defining a region Ωρ samp,q (a superset of Ωρ q ) which the closed-loop state should not leave unless the anomaly has been significant and the model used by the LEMPC should be attempted to be reidentified to try to maintain closed-loop stability. If the closed-loop state leaves Ωρ samp,q , however, it has also left Ωρ q , so that the LEMPC of Equation (24) may not be feasible. For this reason, the implementation strategy below suggests that, if the closed-loop state leaves Ωρ samp,q , h NL,q should be applied to the process so that a control law with no feasibility issues is used.
The implementation strategy proposed below relies on the existence of two controllers h NL,q and h NL,q+1 , where h NL,q can stabilize the origin of the nominal closed-loop system of Equation (10) and h NL,q+1 can stabilize the origin of the nominal closed-loop system of Equation (10) with respect to the q + 1th model. Specifically, before the change in the underlying process dynamics that occurs at t s,i+1 is detected at t d,q , the process is operated under the LEMPC with the qth empirical model. After the change is detected (in a worst case via the closed-loop state leaving Ωρ q ), a worst-case bound t h,q is placed on the time available until the model must be updated at time t ID,q to the q + 1th empirical model to prevent the closed-loop state from leaving a characterizable operating region.
We consider the following implementation strategy for carrying out the above methodology: 1. At t 0 , the i = 1 first-principles model (Equation (1)) describes the dynamics of the process. The q = 1 empirical model (Equation (10)) is used to design the LEMPC of Equation (24). An index i hx is set to 0. An index ζ is set to 0. Go to step 2.

At t s,i+1
, the underlying dynamic model of Equation (1) changes to the i + 1th model. The LEMPC is not yet alerted that the anomaly has occurred; the model used in the LEMPC is not changed despite the change in the underlying process dynamics. Go to step 3. 3. While t s,i+1 < t k < t s,i+2 , apply a detection method to determine if an anomaly has occurred. If an anomaly is detected, set ζ = 1 and t d,k = t k . Else, ζ = 0. If x(t k ) / ∈ Ωρ q but ζ = 0, set ζ = 1 and t d,k = t k . Go to step 4. 4. If i hx = 1, go to step 4a. Else, if ζ = 1, go to step 4b, or if ζ = 0, go to step 4c. If t k > t s,i+2 , go to step 5.
(a) If x(t k ) ∈ Ωρ q+1 , operate the process under the LEMPC of Equation (24) with q ← q + 1 and set i hx = 0. Else, apply h NL,q+1 (x(t k )) to the process. Return to step 3. t k ← t k+1 . (b) If (t k+1 − t d,q ) < t h,q , gather online data to develop an improved process model as well as updated functionsV q+1 and h NL,q+1 (x) and an updated stability region Ωρ q+1 around the steady-state of the new empirical model but do not yet update the LEMPC and control the process using the prior LEMPC. Else, if (t k+1 − t d,q ) ≥ t h,q , set i hx = 1 and apply h NL,q+1 (x(t k )). Return to step 3. t k ← t k+1 . (c) Operate the process under the LEMPC of Equation (24) that was used at the prior sampling time.
We note that we do not specify the detection method to be used in step 3, but the use of a sufficiently conservative Ωρ q (in a sense to be clarified in the following section) allows a worst-case detection mechanism to be that the closed-loop state exits Ωρ q in step 3. We consider that each t s,i+1 and t s,i+2 are separated by a sufficient period of time such that no second change in the underlying process dynamics occurs before the first change has resulted in an update in the dynamic model and the closed-loop state is within Ωρ q+1 .

Remark 7.
A significant difference between the proposed procedure and that in References [53,54], which also involves switched systems under LEMPC, is that Reference [53] assumes that the time at which the model is to be switched is known a priori. In handling of anomalies, this cannot be known; therefore, the proposed approach corresponds to LEMPC for switched systems with unknown switching times. We place bounds in the next section on a number of properties of the LEMPC of Equation (24) for this case to demonstrate the manner in which closed-loop stability guarantees depend on, for example, how large the possible changes in the process model could be when they occur. The goal is to provide a perspective on the timeframes available for detecting various anomalies without loss of closed-loop stability, which could aid in verification and self-design studies for EMPC.

Automated Response to Anomalies: Stability and Feasibility Analysis
According to the implementation strategy above, when an anomaly occurs that changes the underlying process dynamics, one of two things will happen: (1) the model used in Equation (24b) remains the same or (2) the change in the underlying process dynamics is detected and the model used in Equation (24b) is changed within a required timeframe to a new model (i.e., q is incremented by one in Equation (10)). In this section, we present the conditions under which closed-loop stability can be maintained in either case. For readability, proofs of theorems presented in this section are available in the Appendix.
We first present several propositions. The first defines the maximum difference between the process model of Equation (1) and that of Equation (10) over time when the two models are initialized from the same state, as long as the states of both systems are kept within a level set ofV q which is also contained within the stability region around the steady-state for the model of Equation (1) and as long as there is no change in the underlying dynamics. The second sets an upper bound on the difference between the value ofV q at any two points in Ωρ q . The third provides the closed-loop stability properties of the closed-loop system of Equation (10) under the controller h NL,q .

Proposition 1 ([51]). Consider the systemṡx
with initial statesx a,i,q (t 0 ) =x b,q (t 0 ) =x(t 0 ) contained within Ωρ q,i , with t 0 = 0,ū q ∈ U q , and w i ∈ W i . Ifx a,i,q (t) andx b,q (t) remain within Ωρ q,i for t ∈ [0, T], then there exists a function f W,i,q (·) such that: with: where M err,i,q > 0 is defined by: for all x contained in Ωρ q,i and u ∈ U q .
The next proposition bounds the error between the actual process state and a prediction of the process state using an empirical model initialized from the same value of the process state over a period of time in which the underlying process dynamics change, but the empirical model is not updated. This requires overlap in stability regions for the ith and i + 1th models of Equation (1) and for the qth model of Equation (10) within Ωρ q,i while the qth model is used. The proof of this proposition is available in Appendix A. Proposition 4. Consider the following systems:x a,i,q =f i,q (x a,i,q (t),ū q (t), w i (t)) for allx a,i,q ,x a,i+1,q ∈ Ωρ q,i ,ū q ∈ U q , w i ∈ W i , and w i+1 ∈ W i+1 , then The following theorem provides the conditions under which, when no change in the underlying dynamic model occurs throughout the time of operation and x(t k ) ∈ Ωρ q , the LEMPC of Equation (24) designed based on h NL,q and the qth empirical model of Equation (10) guarantees that the closed-loop state is maintained within Ωρ q over time and is ultimately bounded in a neighborhood of the origin of the model of Equation (10). (24) based on the controller h NL,q (x) that satisfies the inequalities in Equation (12). Let W,i,q > 0, ∆ > 0, N ≥ 1, andρ q >ρ e,q >ρ min,i,q >ρ s,q > 0 satisfy the following:

Theorem 1 ([51]). Consider the closed-loop system of Equation (1) under the LEMPC of Equation
If x(0) ∈ Ωρ q and Proposition 3 is satisfied, then the state trajectoryx a,i,q (t) of the closed-loop system is always bounded in Ωρ q for t ≥ 0. Furthermore, if t > t and then the state trajectory x a,i (t) of the closed-loop system is ultimately bounded in Ωρ min,i,q and defined as follows: ρ min,i,q := max{V q (x a,i,q (t + ∆)) |V q (x a,i,q (t)) ≤ρ s,q } The prior theorem provided conditions under which the closed-loop state is maintained within Ωρ q in the absence of changes in the dynamic model. In the following theorem, we provide sufficient conditions under which the closed-loop state is maintained in Ωρ q after t s,i . The proof of this result is presented in Appendix B. (24) with h NL,q meeting Equation (12), where the conditions of Propositions 3 and 4 hold and where Ωρ sa f e,q is contained in both Ω ρ i and Ω ρ i+1 . If t s,i+1 ∈ [t k , t k+1 ), such that, after t s,i+1 , the system of Equation (1) is controlled by the LEMPC of Equation (24), where x a,i (t s,i+1 ) = x a,i+1 (t s,i+1 ) ∈ Ωρ q , and if the following hold true, −α 3,q (α −1 2,q (ρ e,q )) +α 4,q (α −1 1,q (ρ q ))M err,p,q + L x,p,q M p ∆ + L w,p,q θ p ≤ − W,p,q /∆ (68)

Theorem 2. Consider the closed-loop system of Equation (1) under the LEMPC of Equation
for both p = i and p = i + 1, and then the closed-loop state is bounded in Ωρ q for all t ≥ 0.
We highlight that these conditions are conservative and not intended to form the least conservative bounds possible. However, they do help to elucidate some of the factors which impact whether a model used in an LEMPC will need to be reidentified to continue to maintain closed-loop stability when the underlying dynamics change, such as the extent to which the dynamics change. The above theorem indicates that, if Ωρ q is initially chosen in a sufficiently conservative fashion and the empirical model is sufficiently close to the underlying process dynamics before the model change, closed-loop stability may be maintained even after the underlying dynamics change if the model changes are such that the empirical model remains sufficiently close to the new dynamic model after the change. In general, anomalies may occur that could violate the conditions of Theorem 2. The result of this could be that the closed-loop state may leave Ωρ q . In this case, it is helpful to characterize conditions under which changes in the underlying dynamics that could be destabilizing could be detected, triggering a model update and controller redesign for the new dynamic model to stabilize the closed-loop system. Therefore, the following theorem characterizes the length of time that the closed-loop state can remain in Ωρ sa f e,q after a change in the underlying process dynamics occurs if the conditions of Theorem 2 are not met. This can be used in determining how quickly a model reidentification algorithm would need to successfully provide a new model for the LEMPC of Equation (24) for closed-loop stability to be maintained as a function of factors such as the extent that the new model deviates from the empirical model used in the LEMPC when the underlying dynamics change, the sampling period, and the conservatism in the selection ofρ q . The proof of this theorem is presented in Appendix C. (24) with h NL,q meeting Equation (12) and Proposition 3, where Ωρ sa f e,q is contained in both Ω ρ i and Ω ρ i+1 . If at t = t s,i+1 , where t s,i+1 ∈ [t k , t k+1 ), such that, after t s,i+1 , the system of Equation (1) is controlled by the LEMPC of Equation (24), where x a,i (t s,i+1 ) = x a,i+1 (t s,i+1 ) ∈ Ωρ sa f e,q , then if the following hold true withρ sa f e,q >ρ samp,q >ρ q >ρ q,e , ρ q,e >ρ min,q,i >ρ s,q > 0, andρ q,e >ρ min,i+1,q >ρ s,q > 0: −α 3,q (α −1 2,q (ρ s,q )) +α 4,q (α −1 1,q (ρ q ))M err,i+1,q + L x,i+1,q M i+1 ∆ + L w,i+1,q θ i+1 ≤ W,i+1,q /∆ (72) ρ e,q + f V,q ( f W,i,q ∆ + (M change,i,q )∆ + L w,i,q θ i + M err,i,q L x,i,q (e L x,i,q ∆ − e L x,i,q t s,i+1 )) ≤ρ samp,q

Theorem 3. Consider the closed-loop system of Equation (1) under the LEMPC of Equation
as well as Equations (65)-(67), then if x(t s,i+1 ) ∈ Ωρ q and Ωρ min,i+1,q ⊂ Ωρ samp,q and the change to the model is not detected until a sampling time t d,q withx(t d,q ) ∈ Ωρ sa f e,q /Ωρ q (x(t d,q ) ∈ Ωρ samp,q ⊂ Ωρ sa f e,q ) after which h NL,q is used to control the system in sample-and-hold, then the number of sampling periods between t ID,q and t d,q within which the model in the LEMPC can be updated to a new model meeting Equation (65) with i replaced by i + 1 and q replaced by q + 1 without the closed-loop state exiting Ωρ sa f e,q is given by t h,q = floor( (ρ sa f e,q −ρ samp,q ) W,i,q ), where floor represents the "floor" function that returns the largest integer less than the value of the argument.x(t) refers either tox a,i+1,q (t) orx a,i,q (t), depending on whether t s,i+1 is within the sampling period preceding the closed-loop state exiting Ωρ q .
The following theorem provides the conditions under which the closed-loop state is maintained within Ωρ sa f e,q+1 for all times after t ID,q and is driven into Ωρ q+1 after the model reidentification. The proof of the result is presented in Appendix D.

Theorem 4.
If Ωρ sa f e,q ⊂ Ωρ sa f e,q+1 and if both Ωρ sa f e,q and Ωρ sa f e,q+1 are contained in Ω ρ i and Ω ρ i+1 , then if h NL,q+1 is used to control the system after t ID,q while x(t k ) ∈ Ωρ sa f e,q+1 /Ωρ q+1 with the conditions of Equations (65) and (66) met for the q + 1th empirical model for the i + 1th dynamic system and the LEMPC of Equation (24) using the q + 1th empirical model of Equation (10) is used to control the system for all times after x(t k ) ∈ Ωρ q+1 , then the closed-loop state is then maintained within Ωρ sa f e,q+1 until it enters Ωρ q+1 and is then maintained in Ωρ q+1 for all subsequent sampling times.

Remark 8.
From a verification standpoint, the proofs above move toward addressing the question of what may happen if a controller is designed and even tested for certain conditions, but the process dynamics change. It provides a theoretical characterization of conditions under which action would subsequently need to be taken as well as indications of the time available to take the subsequent action. However, the results above may be difficult to utilize directly in developing an online monitoring scheme, as many of the theoretical conditions rely on knowing properties of the current and updated models that would likely not be characterizable or would not be known until after the anomaly occurred. However, these still may aid in gaining an understanding of different possibilities. For example, a conservative stability region Ωρ q suggests that larger anomalies could still be detected and mitigated by a combined detection and reidentification procedure without loss of closed-loop stability. Earlier detection may provide more time for reidentification.

Remark 9.
If there is an indication from detection methods that are not based on the closed-loop state leaving the stability region that the underlying dynamics may have changed but that the closed-loop state has not yet left Ωρ q , then until the closed-loop state leaves Ωρ q , online experiments (e.g., modifying the objective function as in Reference [51]) could be performed if they do not impact the constraint set to attempt to probe whether the dynamics are more consistent with the prior process model or the potential model postulated after the anomaly is suggested. This may be a method for attempting to detect the changes before the closed-loop state leaves Ωρ q , which could allow larger changes in the process model to be handled practically than could be guaranteed to be handled in the theorems above, as the magnitude of the deviations in the dynamic model allowed above without loss of closed-loop stability depends on the distance between Ωρ sa f e,q and Ωρ samp,q . However, it is also highlighted that the above is a conservative result, meaning that, in general, larger changes may be able to be handled without loss of closed-loop stability.

Remark 10.
The above results can be used to comment on why giving greater flexibility to the process after an anomaly to handle it could introduce additional complexity. Specifically, consider the possibility that some actuators may not typically be used for control but could be considered for use after an anomaly (similar to how safety systems activate for chemical processes, but in this case, they would not act according to a prespecified logic but might be able to be manipulated in either an on-off or continuous manner to give the process additional capabilities for handling the anomaly). It is noted that this would constitute dynamics not previously considered. According to the proofs above, one way to guarantee closed-loop stability in the presence of sufficiently small disturbances is to cause the dynamics after they change to not differ too radically from those assumed before the change and used in the prior dynamic model in the EMPC. If additional flexibility is given to the system, this would be an additional model that would have to match up well. Remark 11. The results above suggest that, if a model identification algorithm could be guaranteed to provide an accurate model with a small amount of data that could be gathered between when the closed-loop state leaves Ωρ q but before it leaves Ωρ sa f e,q (where the amount of data available in that timeframe could be known a priori by the number of measurements available in a given sampling period), then the model could be reidentified and placed within the LEMPC in a manner that is stabilizing.

Remark 12.
Instead of changes to the underlying dynamic model, anomalies may present changes in the constraint set (e.g., anomalies may change equipment material limitations (e.g., maximum shear stresses, which can change with temperature) used to place constraints on the state in an LEMPC). Because the above results assume that the stability region is fully contained within the state constraint set, the detection and response procedure above would need to ensure that there is no time at which the stability region is no longer fully included within the state constraint set under the new dynamic model. This may be handled by making Ωρ sa f e,q sufficiently conservative such that the closed-loop state never exits a region where the state constraints can be met under different dynamic models.

Automated Response to Unexpected Hazards: Application to a Chemical Process Example
In this section, we demonstrate concepts described above through a process example. This example considers a nonisothermal reactor in which an A → B reaction takes place, but the reactant inlet concentration C A0 and the heat rate Q supplied by a jacket are adjusted by an LEMPC. The process model is as follows:Ċ where the parameters are listed in Table 3 and include the reactor volume V, inlet reactant temperature T 0 , pre-exponential constant k 0 , solution heat capacity C p , solution density ρ L , feed/outlet volumetric flow rate F, gas constant R g , activation energy E, and heat of reaction ∆H. The state variables are the reactant concentration C A and temperature T in the reactor, which can be written in deviation form from the operating steady-state vector C As = 1.22 kmol/m 3 , T s = 438.2 K, C A0s = 4 kmol/m 3 , and The model of Equations (77) and (78) has the following form: wheref represents a vector function derived from Equations (77) and (78) that is not multiplied by u and where g(x) = [g 1 g 2 ] T = [ F V 0; 0 1 ρ L C p V ] T represents the vector function which multiplies u in these equations. The EMPC utilized to adjust the manipulated inputs C A0 and Q utilizes the following stage cost (to maximize the production rate of the desired product) and physical bounds on the inputs: Lyapunov-based stability constraints are also enforced (where a constraint of the form of Equation (22) is enforced at the end of every sampling time if x(t k ) ∈ Ωρ e , and the constraint of the form of Equation (23) is enforced at t k when x(t k ) ∈ Ωρ/Ωρ e but then followed by a constraint of the form of Equation (22) at the end of all sampling periods after the first).
We will consider several simulations to demonstrate the developments above. In the first, we explore several aspects of the case in which there is a change in the underlying dynamics while the process is operated under LEMPC that is minor such that the closed-loop state does not leave Ωρ after the change in the underlying dynamics. For this case, the Lyapunov function selected wasV q = x T Px, with P given as follows: The Lyapunov-based controller h NL,1 (x) was designed such that its first component h NL,1,1 (x) = 0 kmol/m 3 and its second component h NL,1,2 (x) is computed as follows (Sontag's formula [56]): Then, it is saturated at the input bounds of Equation (82) if they are met. LfV q and Lg 2V q are Lie derivatives ofV q with respect to the vector functionsf andg 2 , respectively.ρ andρ e were taken from Reference [57] to be 300 and 225, respectively. The process state was initialized at x init = [−0.4 kmol/m 3 8 K] T , with controller parameters N = 10 and ∆ = 0.01 h. The process model of Equations (77) and (78) was integrated with the explicit Euler numerical integration method using an integration step size of 10 −4 h within the LEMPC and of 10 −5 h to simulate the process. For this first simulation, we assume that a change in the underlying process dynamics occurs at 0.5 h that does not compromise closed-loop stability. Specifically, at 0.5 h, it is assumed that an additional source of heat arises outside the reactor such that the right-hand side of Equation (78) is modified by the addition of another term Q extra = 300 K/h. Figures 6 and 7 show the process responses when the LEMPC is not aware of the change in the process dynamic model when it occurs and when it is aware of the change in the process dynamic model after it occurs such that it is fully compensated (i.e., an accurate process model is used in the LEMPC at all times, even after the dynamics change). In both cases, the closed-loop state was maintained within the stability region at all times. These simulations were carried out in MATLAB R2016b using fmincon with the default settings except for the increased iterations/function evaluations allowed, scaling u 2 down by 10 5 and providing the steady-state input values as the initial guess for the optimization problem solution at each sampling time. No attempt was made to check whether the LEMPCs in the simulations located globally optimal solutions to the LEMPC optimization problems. However, the profit was higher than that at the steady-state around which the LEMPC was designed. The oscillatory behavior of the states before 0.5 h is caused by the fact that the profit is maximized for this process at the boundary of Ωρ e . Without plant-model mismatch, the LEMPC is able to maintain the closed-loop state exactly on the boundary of Ωρ e and therefore always operates the process using the constraint of Equation (22); however, when the plant-model mismatch occurs (induced by the use of different integration steps to simulate the process dynamic model within the LEMPC and for the simulation of the process under the computed control actions), the closed-loop state then exits Ωρ e when the LEMPC predicts it will stay inside of it under the control actions computed by the controller. The result is that the constraint of Equation (23) is then activated until the closed-loop state reenters Ωρ e . This process of entering Ωρ e , attempting to operate at its boundary, and then being kicked out only to be driven back in is the cause of the oscillatory response of the states and inputs in Figures 6 and 7. It is noted, however, that though this behavior may be undesirable from, for example, an actuator wear perspective, it does not reflect a loss of closed-loop stability or a malfunction of the controller. The controller is in fact maintaining the closed-loop state within Ωρ as it was designed to do; the fact that it does so in perhaps a visually unfamiliar fashion means that we have not specified in the control law that it should not do that, so it is not aware that an end user would find that behavior strange (if the oscillatory behavior is deemed undesirable, one could consider, for example, input rate of change constraints and potentially the benefits of the human response-based input rate of change strategy in the prior section for handling unexpected events).
In the case that the LEMPC is not aware of the change in the process dynamics, the profit is 32.7103, whereas when the LEMPC is aware of the change in the dynamics, the profit is 32.5833. Though these values are very close, an interesting note is that the profit when the LEMPC is not aware of the change in the underlying dynamics is slightly higher than when it is aware. Intuitively, one would expect an LEMPC with a more accurate process model to be able to locate a more economically optimal trajectory for the closed-loop state to follow than an LEMPC that cannot provide as accurate predictions. Part of the reason for the enhanced optimality in the case without knowledge of the change in the underlying dynamics, however, comes from the two-mode nature of LEMPC. In the case that the LEMPC is aware of the change in the underlying dynamics, it drives the closed-loop state to an operating condition that remains closer to the boundary of Ωρ e after 0.5 h than when it is not aware of the change in the underlying dynamics due to the plant/model mismatch being different in the different cases. The result is that the process accesses regions of state-space that lead to higher profits when the LEMPC does not know about the change in the dynamics than if the LEMPC knows more about the process dynamics.
The remainder of this example focuses on elucidating the conservativeness of the proposed approach. Specifically, we now consider the Lyapunov function selected asV q = x T Px, with P given as follows: Again, h NL,1 (x) is designed such that h NL,1,1 (x) = 0 kmol/m 3 , and h NL,1,2 (x) is computed via Sontag's formula but saturated at the input bounds of Equation (82) if they are met.ρ andρ e were taken to be 1300 and 975, respectively, andρ sa f e was set to 1800. The process state was initialized at x init = [0 kmol/m 3 0 K] T , with controller parameters N = 10 and ∆ = 0.01 h. The process model of Equations (77) and (78) was integrated with the explicit Euler numerical integration method using an integration step size of 10 −4 h within the EMPC and with an integration step size of 10 −5 h to simulate the process. The constraint of the form of Equation (23) is enforced at t k when x(t k ) ∈ Ωρ/Ωρ e but then followed by a constraint of the form of Equation (22) at the end of all sampling periods.
At 0.5 h, it is assumed that an additional source of heat arises outside the reactor such that the right-hand side of Equation (78) is modified by the addition of another heat term Q extra = 500 K/h. In this case, with no change in the process model used by the EMPC or even in the control law (i.e., in contrast to the implementation strategy in Section 3.2.1, h NL,1 is not employed when the closed-loop state exits Ωρ), the behavior in Figure 8 results. Notably, the closed-loop state does not leave Ωρ sa f e , and no infeasibility issues occurred. In contrast, if we begin to utilize h NL,1 when the closed-loop state leaves Ωρ, the closed-loop state will eventually leave Ωρ sa f e (Figure 9). While we can obtain a new empirical model (in this case, we assume that the dynamics become fully known at 0.54 h and are accounted for completely to demonstrate the result) and can use that to update h NL,1 to h NL,2 (i.e., h NL,1 but with modified saturation bounds to reflect design around the new steady-state of the system with Q Added = 500 K/h) before the closed-loop state leaves Ωρ sa f e as suggested in the implementation strategy in Section 3.2.1 (creating the profile shown in Figure 10 corresponding to 2 h of operation in which the closed-loop state is driven back to the origin under h NL,2 ), the fact that the closed-loop state would not have left the stability region if the controller had not been adjusted illustrates the conservativeness of the approach. We note that Figure 10 does not complete the implementation strategy in Section 3.2.1 (which would involve the use of a new LEMPC after the closed-loop state reenters Ωρ for this example) because that part of the implementation strategy will be demonstrated in the discussion for a slightly different LEMPC presented below.
Finally, we provide a result where the LEMPC computes a time-varying input policy due to the desire to enforce a constraint on the amount of reactant available in the feed over an hour (i.e., a material/feedstock constraint) as follows: This constraint is enforced via a soft constraint formulation by introducing slack variables s 1 and s 2 that are penalized in a modified objective function as follows: They are used in the following constraints: where N k = N and δ = 1 when t k < 0.9 h and where δ = 0 and N k is the number of sampling periods left in a 1 h operating period when t k ≥ 0.9 h. These constraints are developed based on Reference [12]. u * 1 (t i |t i ) signifies the value of u 1 applied to the process at a prior sampling time, and u 1 (t i |t k ) reflects the value of u 1 predicted at the current sampling time t k to be applied for t ∈ [t i , t i+1 ), i = k, . . . , k + N k . The upper and lower bounds on s 1 and s 2 were set to 2 × 10 19 and −2 × 10 19 , respectively, to allow them to be effectively unbounded. The initial guesses of the slack variables were set to 0 at each sampling time.
When the LEMPC with the above modifications is applied to the process with Q Added = 500 K/h starting at 0.5 h, the closed-loop state again exits Ωρ for some time after 0.5 h but reenters it and also does not exit Ωρ sa f e , once again reflecting the conservatism from a closed-loop stability standpoint of a strategy that updates the process model whenever the closed-loop state leaves Ωρ. Furthermore, if h NL,1 is utilized after it is detected that the closed-loop state leaves Ωρ (the first sampling time at which this occurs is 0.51 h), then it exits Ωρ sa f e by 0.52 h, showing that the length of the sampling period or the size of Ωρ with respect to Ωρ sa f e is not sufficiently small enough to impose model updates before closed-loop stability is jeopardized because measurements are only available every sampling time. If instead, however,ρ is updated to be 1200 andρ e is set to 900, then the closed-loop state remains in Ωρ between 0.51 and 0.52 h.
If at 0.52 h, we assume that the new dynamics (i.e., with Q Added = 500 K/h) become available and are used in designing h NL,2 (used from 0.52 h until the first sampling time at which x(t k ) ∈ Ωρ again) and that a second LEMPC designed based on the updated model is used after the closed-loop state has reentered Ωρ, the state-space trajectory in Figure 11 results.

Conclusions
This work developed a Lyapunov-based EMPC framework for handling unexpected considerations of different types. One of the types of considerations handled was end-user response to how a control law operates a process, providing a controller self-update capability through input rate of change constraints that allows even uncertain or imprecise information about the end-user response to be used in optimizing the controller formulation without loss of closed-loop stability or feasibility. The second type of consideration was the occurrence of anomalies, where conditions which would guarantee that the closed-loop state can be stabilized in the presence of an anomaly that changes the underlying process dynamics as long as a detection method identifies a new process model sufficiently quickly, were presented that uses the LEMPC stability properties in developing an anomaly detection mechanism. Chemical process examples were presented for both cases to demonstrate the proposed approach.
The work above provides insights into interpretability and verification considerations for EMPC from a theoretical perspective. However, these remain significant challenges for this control design. For example, there is no guarantee that adjusting a given constraint (e.g., adjusting the upper bound on an input rate of change constraint) will cause process behavior to appear interpretable to an end user before it approaches steady-state behavior, which may reduce the benefits of using EMPC. Furthermore, the results related to anomaly handling were demonstrated via process examples to be highly conservative. No methods were presented for practically ascertaining time (online) until an anomaly would result in the closed-loop state leaving a known region of state-space after detection to facilitate appropriate actions to be taken. Further work on these issues needs to be undertaken to develop practical EMPC designs with appropriate safety and interpretability properties with low time required to verify the designs before putting them into the field for different processes. Using Equation (50) we get the following, |x a,i+1,q (t) −x b,q (t)| ≤ f W,i,q (t s,i+1 − t 0 ) + M change,i,q (t − t s,i+1 ) + (L w,i,q θ i + M err,i,q ) t t s,i+1 (e L x,i,q s − 1)ds + t t s,i+1 (L w,i,q θ i + M err,i,q )ds ≤ f W,i,q (t s,i+1 − t 0 ) + M change,i,q (t − t s,i+1 ) + (L w,i,q θ i + M err,i,q ) t t s,i+1 (e L x,i,q s − 1)ds +(L w,i,q θ i + M err,i,q )(t − t s,i+1 ) ≤ f W,i,q (t s,i+1 − t 0 ) + M change,i,q (t − t s,i+1 ) + (L w,i,q θ i +M err,i,q ) L x,i,q (e L x,i,q t − e L x,i,q t s,i+1 ) (A5)

Appendix B. Proof of Theorem 2
Proof. To guarantee the results, recursive feasibility of the LEMPC must hold. Feasibility of the LEMPC of Equation (24) follows from Theorem 1 when x(t k ) ∈ Ωρ q . Subsequently, closed-loop stability must be proven both when t s,i+1 = t k and when t s,i+1 ∈ (t k , t k+1 ). Consider first the case that t s,i+1 = t k . In this case, if Equation (68) holds with p = i + 1 and x(t k ) ∈ Ωρ q , then x(t) ∈ Ωρ q from Theorem 1 for t ≥ 0. Consider second the case that t s,i+1 ∈ (t k , t k+1 ). In this case, until t s,i+1 , if Equations (68) and (69) hold for p = i, the closed-loop state is maintained within Ωρ q from Theorem 1. To guarantee that the closed-loop state is maintained in Ωρ q after t s,i+1 until t k+1 , it is first noted that, if x(t k ) ∈ Ωρ e,q and t s,i+1 ∈ (t k , t k+1 ), then from Proposition 2, we have the following: ifx a,i+1,q (t),x b,q (t) ∈ Ωρ q for t ∈ [t k , t k+1 ]. If Proposition 4 holds, then from Equation (24f), we have the following: V q (x a,i+1,q (t)) ≤ρ e,q + f V,q ( f W,i,q (t s,i+1 − t k ) + (M change,i,q )(t − t s,i+1 ) + L w,i,q θ i +M err,i,q L x,i,q (e L x,i,q t − e L x,i,q t s,i+1 )) (A7) If Equation (70) holds, thenV q (x a,i+1,q (t)) ≤ρ q for t ∈ [t s,i+1 , t k+1 ].
If x(t k ) ∈ Ωρ q /Ωρ e,q , then the constraint of Equation (24g) is used. In this case, we consider the cases where t s,i+1 ∈ [t k , t k+1 ) and the case where t s,i+1 occurs before t k , separately.
Part 3. At t d,q , h NL,q in sample-and-hold begins to be used to control the process. Again, Equations (A16)-(A18) hold.
To ensure that the time between t k and t out,q is no greater than (ρ sa f e,q −ρ samp,q )∆ W,i+1,q , the number of sampling periods available after t d,q until the model needs to be updated with one which meets the conditions in Equation (66) with i set to i + 1 and q set to q + 1 is floor( (ρ sa f e,q −ρ samp,q ) W,i+1,q ).

Appendix D. Proof of Theorem 4
Proof. If h NL,q+1 is used to control the system after t ID,q and the conditions of Theorem 4 are met, then x a,i+1,q (t ID,q ) = x a,i+1,q+1 (t ID,q ), which lies in both Ωρ sa f e,q and in Ωρ sa f e,q+1 so that the closed-loop state has not left either region. From Reference [51], if Equation (66) is met for the q + 1/i + 1 model combination, then h NL,q+1 causesV q+1 to decrease so that it will not leave Ωρ sa f e,q+1 before the closed-loop state enters Ωρ q+1 . Once the closed-loop state enters Ωρ q+1 , then the LEMPC of Equation (24) is used with the q + 1 model, and if Equations (65) and (66) are met for the q + 1/i + 1 model combination, the closed-loop state is maintained in Ωρ q+1 from Reference [51].