MPC is becoming increasingly implemented on embedded systems, where low precision computation is preferred either to reduce costs, speedup execution or reduce power consumption. However, in a low precision implementation, constraint satisfaction cannot be guaranteed. To enforce constraint satisfaction under numerical errors, we adopt tools from forward error analysis to compute an error bound on the output of the embedded controller. We treat this error as a state disturbance and use it to inform the design of a constraint-tightening robust controller. The technique is validated via a practical implementation on an FPGA evaluation board.
algorithms. The control engineer worries about high-level issues, such as closedloop performance, while the software engineer worries about implementation issues, such as code efficiency and timing [1] .
In addition to high numerical precision, other factors such as high clock speed 10 and small packaging have become standard features of modern embedded systems processors. Such advances in digital electronics (together with the development of sophisticated algorithms) have facilitated the spread of computationallyheavy control schemes in low-cost applications with relatively fast dynamics.
The embedded control community has started exploring the hardware design 15 dimension in order to reduce hardware costs and increase execution speed by, for example, implementing algorithms with finite and low precision arithmetic [2, 3] .
It is well-known that low precision, especially if implemented in fixed-point, allows for much simpler circuits and greater computational speeds [4] . All of the 20 above is at the expense of increased numerical errors that cannot and should not be ignored. There is a surprisingly small amount of theory for the design of such computer-based control systems. These issues could be considered as part of the emerging science called cyber-physical systems theory [5] . Cyberphysical systems are integrations of computation with physical processes and 25 therefore would also embrace the problem of control algorithm performance under numerical errors.
Model Predictive Control (MPC) is a powerful control scheme that, due to the necessity of solving an optimization problem every sampling instant, has only recently found application outside the process industry. One of the often ignored 30 drawbacks of MPC, however, is its sensitivity to numerical errors [6] . The use of different discretization methods has been proven to be an advantage when working with low precision [7] . Methods to avoid variable overflow have been proposed by constraining their ranges with carefully selected scaling methods [8] . However, for these approaches, stability and constraint satisfaction are 35 not guaranteed and, in practice, the only solution to this problem is extensive simulation analysis.
In this paper, we extend the basic idea presented in [9] and we propose a method to guarantee hard constraint satisfaction of an explicit MPC scheme [10, 11] when the algorithm is implemented on a platform using finite and low 40 precision arithmetic. Compared to [9] , this paper adds a detailed algorithmic presentation, unveiling the machinery required for the robust controller design, adds a detailed implementation on a FPGA platform and provides experimental results. Furthermore, this paper uses the design tools presented in [12] and [13] . The idea is to quantify the maximum error made by the processor when 45 evaluating the control policy. This is achieved by applying techniques from forward error analysis [14] to the explicit MPC controller. Considering the error as an additive disturbance to the plant dynamics, a controller that is robust to such a disturbance is designed.The resulting controller will therefore be robust against its own finite-precision implementation in a true cyber-physical sense.
50
The proposed method requires the offline solution of an optimization problem, which is non-trivial but possible to automate. The validity of the method has been tested experimentally with a hardware-in-the-loop test ring where the controller has been implemented in a Xilinx Zynq Field-Programmable Gate Array (FPGA) platform.
55
In Section 2 the explicit MPC problem is formulated. In Section 3 the robust controller design methodology is presented. The procedure requires the analytical computation of error bounds, which is described in Section 4. The experimental validation setup is presented in Section 5 and test results of guaranteed robustness and implementation efficiency are discussed in Section 6. 
Problem setup
Let us assume that we want to find a discrete-time feedback control law
where κ : R n → R m is designed to stabilize and guarantee some performance for the discretized plant
where n is the number of states, m the number of inputs inputs, and A ∈ R n×n and B ∈ R n×m are the discretized plant matrices. For simplicity we assume that we want to regulate the system from the current state x 0 to the origin.
State and input variables are subject to the constraints
where X and U are the polyhedral sets
containing the origin in their interior. The constraints on state and input may be physical or chosen by design. The finite horizon constrained linear quadratic regulator problem with horizon N is defined as min u0,u1,...,u N −1
subject to:
where P, Q ∈ R n×n are positive semidefinite matrices, R ∈ R n×m is a positive definite matrix, N is the length of the prediction horizon, X f is the set in which the terminal state x N is constrained to lie and, at sample instant k, the state vector x k ∈ R n is either measured or estimated. Solving (5) yields the optimal open-loop input sequence u *
, where, as per standard MPC, the first element u * 0 is applied and the optimization is repeated at every time step in a receding horizon control fashion. MPC relies on a successive solution of the optimization problem in (5) . Such an optimization problem can be expressed as a parametric Quadratic Programming (QP) problem for varying parameters x 0 defined as
where the vector U = u 0 u 1 . . . u N −1 ∈ R N m is the vector of decision variables and matrices H, T , Y , G, W and E are easily obtained from Q, R and P and by substituting
When N , n, and m are small, we can compute an MPC feedback controller κ
65
explicitly by solving a multi-parametric optimization problem. In parametric programming, the goal is to find the solution of (6) for a range of parameters values, or equivalently, the closed form solution x 0 → U (x 0 ) of (6) 
associated with the selected region in step 1.
A variety of algorithms have been proposed to solve the point location problem, since this is the most time-consuming task [17, 18, 19, 20] . Such algorithms range from simple ones (a sequential search through the regions of the partition) to 80 more complex ones where the region is found via a binary search tree. In either case, the solution of the point location problem and the evaluation of the control law are operations that have to be performed online on the target hardware.
If infinite-precision arithmetic was available, the control action u k could be computed exactly without introducing any numerical errors, hence complying 85 with the QP problem theoretical guarantees such as constraint satisfaction.
However, computing u k in a processor that works with finite precision (typically any processor) results in the introduction of an error. Such an error is the combination of two factors: first, the selection of the wrong region due to the point location algorithm and second, numerical errors due to the computation 90 of the control law in (7).
It should be noted that this is not a particular feature of fixed-point arithmetic, since errors are also introduced when computations are performed in other (finite) arithmetics, such as IEEE floating-point double-precision. However, in high precision, this error can often be safely ignored. In the sequel,
95
when we refer to 'infinite precision' we are in practice performing computations in a desktop PC using floating-point double-precision (high enough not to cause noticeable failures in the practical problems we have studied).
The computational error cannot be computed offline because this error depends on the online value of the current state x k . However, it will be shown in Section 4 that such an error can be bounded. If we therefore consider this error as a bounded additive disturbance w k to the plant dynamics, such as
a robust controller can be designed for which constraint satisfaction is guaranteed [21, 22, 23, 24] . The interesting point here is that the newly designed 100 robust controller will result in a new control scheme with possibly different error bounds. Hence, the proposed error analysis must be re-applied and the controller design process is repeated (Section 3). In practice, only a few design iterations are required. Constraint satisfaction for the resulting explicit MPC scheme is guaranteed for the chosen finite and low precision arithmetic, if a 105 controller realization exists. We will carry out the analysis for a fixed-point implementation because this is more suitable for inexpensive applications with fast dynamics [2] and we will assume that enough bits are used for the integer part to avoid overflow. However, a similar procedure could be applied to other number representations, including custom floating-point.
110

Iterative controller design
Let the chosen finite-precision implementation of the feedback control law (1), at time k, produce a numerical error q k . We can define the finite precision control actionû k asû
where u k is the control action obtained if computations were performed in infinite precision. By applying (9) to the discrete plant dynamics we get
where w k ∈ R n and w k := Bq k is an additive state disturbance to the plant states. Equation (10) is in the same form as (8) and therefore, if the upper bound vector w and the lower bound vector w on w k were known, a robust MPC law can be designed using a minimax approach (e.g. [21] ). However, Within the pool of robust controllers generated, select the controller that generates the smallest error bound and produces an error bound smaller than the error bound used to design the controller itself.
we can proceed with selecting the most appropriate controller. Clearly, we 125 would like to select the controller that generates the smallest error so this will guarantee that the worst numerical error produced by such a controller is always smaller than the error the controller was designed to be robust against, hence guaranteeing constraint satisfaction.
The algorithmic procedure for the controller design is summarized in Algo- antee constraint satisfaction. This is because its finite precision implementation will produce errors bounded by the value given at iteration 5, which is smaller than the error bound value this controller was designed for. On the other hand, if we decide to use the controller obtained from iteration 5 (see Square in Figure   1 ), we would not be able to guarantee constraint satisfaction. This is the case 145 because this controller's error bound (given at iteration 6) is larger than the bound it was designed to be robust against. A similar argument can be made for the lower bound.
From a theoretical and intuitive perspective, the numerical error bounds do 150 not need to converge. It should be noted that, running extensive simulations we have been able to verify that the preliminary results presented in [9] where misleading. In most of the cases the numerical error does not converge. Moreover, no clear pattern seem to exists and the behavior is not predictable. For example, Figure 2 shows the first 100 iterations. It is difficult to see a clear 155 pattern, which confirms our intuition that such a pattern may not exist. 
Error Bound Computation
We will now discuss one of the main contributions of this paper, which is how the error bounds w and w in Algorithm 1 are computed. To compute such bounds, all the possible sources of error q k , generated by the control law, need 160 to be investigated. Errors are generated by two factors: (i) the selection of a wrong region due to quantization of the (measured or estimated) current state x k and/or quantization of the polyhedral partition and (ii) the numerical errors introduced by the computation of the control law (7) using finite precision.
The analysis of these two sources of error will be considered in Sections 4.1.
165
The quantification of the error bounds, achieved by solving an optimization problem, will be given in Section 4.3.
Point Location Algorithm: Binary Search Tree
A more efficient approach to solve the point location problem consists of building a binary search tree off-line [17] and traverse the tree on-line as de- Compared to the case of infinite precision, in finite precision some leaves might not be reachable due to numerical errors. This becomes more likely to happen as the arithmetic precision is reduced. On the other hand, in finite pre-180 cision the reachable convex sets are able to cover the areas that were associated with the unreachable leaves, as shown in Figure 4 . However, even if the search tree point location algorithm can guarantee to locate a unique region, computational error q k might still occur. This is because a different region would have been selected when compared to the infinite precision case, due to numerical 185 errors introduced when representing the convex sets associated with the leaves.
Let us define P := {x|M x ≤ s} to be the convex set associated with a leaf of the search tree implemented in infinite precision andP := {x|Mx ≤ŝ} to be the convex set associated with a leaf of the search tree in finite precision. An error in the region identification can occur if the convex set, resulting from the 190 intersection P ∩P, contains at least one finite precision value of the state vector x k . This happens when P andP do not represent the same convex set.
Function Evaluation Analysis
Once a region is selected, the associated control law in (7) is computed.
Here, errors are introduced because of the finite-precision arithmetic used to perform the algebraic operations.
Let us define the finite-precision representationα of a real constant α ∈ R asα := α + α ,
where α ∈ R is the quantization error. If a fixed-point representation is used, the quantization error due to truncation is α ∈ −2 −l , 0 and l ∈ N + is an integer that defines the fraction length, in terms of the number of bits. The assumption here is that we use enough bits for the integer part so that overflow 200 does not occur. finite precision (fixed-point, 4 bits fraction length). Using finite precision, the leaf number 3 becomes unreachable, the area associated to leaf number 3 is covered now by leaf number 4, thus the state space fully coverage is preserved.
By applying the finite-precision representation (11) to the control law (7) we define the finite-precision control actionû k associated with the convex setP aŝ
andF andĝ are the finite-precision representation of F and g, respectively. The values inF andĝ can be computed exactly, since their infinite-precision values are known and fixed. The state vector x k , however, is unknown and thus is its quantization error vector ex ∈ R n .
205
By considering the infinite-precision control action (7) associated with the convex set P and substituting (12) into (9), we can compute the control law error q k and express the additive state disturbance w k to the plant as
The state disturbance w k cannot be computed exactly because the value ofx k and ex k , as well as the error in the point location algorithm, are unknown. We will now show how to compute the maximum w(n i ) and minimum w(n i ) bounds
210
(worse case scenario) for each element n i ∈ {1, 2, . . . n} of the disturbance vector w k (Section 4.3) considering all possible sources of error.
Let us define index i ∈ {1, 2, . . . N leaf } to denote P i -the convex set associated with leaf i of the search tree implemented in infinite precision -and index j ∈ {1, 2, . . .N leaf } denoteP j -the convex set associated with leaf j of 215 the search tree in finite precision. Here, N leaf andN leaf are the number of leaves of the search tree in infinite and finite precision, respectively. Therefore, every possible permutation of i and j has to be exhaustively investigated to determine when the point location algorithm makes an error when selecting the region.
220
This leads to an algorithm complexity proportional to N leaf * N leaf , thus proportional to the square of the number or regions. The procedure is outlined in Algorithm 3. 
Maximum and Minimum Bound Computation
Based on the considerations above, the task of computing the upper w ij (n i )
225
and lower w ij (n i ) bounds associated with the polytope intersection P i ∩P j is translated into solving two optimization problems: a maximization and a minimization, respectively.
As an example, let us consider the maximization problem (a similar approach can be used for the minimization). Because the statex k has fixed-point values, it can be scaled by a factor of 2 l and expressed as an integer z k ∈ Z n , i.e.
This will lead to the mixed-integer linear programming (MILP) problem
where z k is the integer decision variable and the vector b ni is the row n i of The solution of a MILP problem is computationally demanding [25] , especially when the number of bits l used for the fraction length is large. This is because the search space area given by the inequality constraints (16c) increases proportionally with 2 l . Our proposed solution is to assume that the variablê x k is continuous. This will allow us to solve, instead of the MILP in (16), the linear programming (LP) problem max
The solution, as shown for an example in Figure 5 , will be a worst case approximation of the real solution provided by (16) . Although slightly more conservative, this is admissible since only a bound is computed.
Experimental setup
235
In this section we describe the setup for the hardware-in-the-loop (HIL) test rig we have built to show the validity of the robust controller design approach described above. This setup consists of a low-end FPGA evaluation board, where the controller is implemented at variable finite precision arithmetic, connected in a feedback loop to a real-time host system that simulates a classical 240 unstable system, namely the inverted pendulum. The FPGA board where the control algorithm has been implemented is a Xilinx Zynq FPGA (xc7z020) [26] mounted on the ZedBoard evaluation module [27] . In order to set up the controller for the HIL implementation and the whole of the HIL simulation, a new FPGA development tool has been built and used. This tool is called Protoip
245
[12] and more details can be found in [13] . Protoip is open source and allows one to automatically build and deploy an algorithm written in C/C++ onto an Once the prototype has been built, Protoip also provides measurements of 260 the hardware characteristics of the digital circuit being built in terms of the amount of hardware resources (e.g. memory) used and an accurate estimate of its energy consumption.
The system to be controlled (the inverted pendulum) is described by the host system linearized continuous-time dynamics
where the states ϑ and ω are, respectively, the angular displacement measured from the equilibrium position and the angular velocity; u is the input torque, constraints have been set to
The procedure for the experimental results is the following:
1. Decide on a finite precision (fixed-point) representation. Use enough bits 265 for the integer part to avoid overflow and we set the number of bits for the fraction length to be equal to an arbitrary l. Using MATLAB and MPT toolbox Software, execute, off-line, the iterative controller design procedure described in Section 3.
2. Within the pool of resulting robust controllers, select the controller that 270 guarantees constraints satisfaction with minimum conservativeness as described in Section 3.
3. Build and deploy the controller on the FPGA using the Protoip tool.
4. Run closed loop tests using the HIL setup provided by Protoip. Perform extensive testing (statistics collected from about 1000 simulations) from 275 random initial conditions to steady states using the setup shown in Figure   7 .
Test case description
In order to validate our claims, we have devised two sets of experiments using the design procedure described above.
280
The first set, composed of tests 1, 2 and 3, is aimed at showing how a finite precision arithmetic impacts on constraint satisfaction when a controller is not designed to be robust against it. Thus, we have designed a nominal controller (equivalent to setting the state disturbance bounds w := 0 and w := 0) and implemented it into the FPGA using:
285
• test ID 1 : single precision floating-point arithmetic.
• test ID 2 : l = 8 bits fraction length fixed-point arithmetic.
• test ID 3 : l = 12 bits fraction length fixed-point arithmetic.
The second set, composed of tests 4 and 5, is aimed at showing how constraint satisfaction can be guaranteed by design even with finite precision arith- • test ID 4 : the controller designed at iteration 4 in Figure 8 guarantees 300 constraint satisfaction while being the least conservative in constraints tightening.
• test ID 5 : the controller designed at iteration 5 in Figure 8 does not guarantee constraint satisfaction despite being less conservative.
Experimental results
305
Closed-loop simulation results
Consider the first set of tests based on an explicit MPC controller robust to the (very small) error introduced by floating-point double precision arithmetic (this will be almost equivalent to the design of a 'non-robust' explicit MPC).
If this controller is implemented on-line using finite-precision arithmetic (fixed-310 point), constraint violations might occur due to the numerical errors arising from the implementation. The lower the precision, the larger the errors, as shown in Figure 9 for an example.
On the other hand, if it is known that finite-precision arithmetic will be used, then the controller can be designed using Algorithm 1. Constraint satisfaction 315 can be guaranteed by design (test ID 4) only if the selected controller generates error bounds than are smaller that the error bounds that were used for the design, as shown in Figure 10 . However, if this is not the case (test ID 5), constraints might be violated (Figure 11 ).
Performance analysis 320
We have summarized all the results in Table 1 . We compare the controller performance in terms of implementation complexity, closed-loop performance.
For implementation complexity we measure the number of regions and hyperplanes generated, the maximum depth of the search tree, the memory utilized and the hardware energy consumption. For the closed-loop performance we 325 measure the closed-loop cost J cl , the percentage of the times that constraints have been violated and the largest constraint violation.
The closed-loop cost of constrained systems controller in presence of roundoff errors cannot be computed analytically. This is measured by averaging the costs of 1000 simulations of the controlled plant evolution from a set of random and uniformly distributed initial condition to steady state. Hence, we define J cl as
where N cl is the number of simulation steps chosen long enough so that x j ≈ 0 and u j ≈ 0 for all j ≥ N cl and all feasible initial conditions. From the table, the following can be observed:
• As expected, constraints are violated more frequently the smaller the number of bits used when implementing a nominal controller.
• When implementing a nominal controller in fixed-point, the constraints are violated by a factor of 10 times (for this specific test case) the computational quantization error. • The controller implementation complexity (number of regions and hyper- • Although robustness is guaranteed by design, the closed-loop performance of the robust controller is slightly worse when compared to the nominal controller due to constraint tightening.
The proposed controller design and the presented HIL test procedure have 350 been indeed applied to various plants in different configuration scenarios. As far as we have observed, we can say that all the tests gave us the expected behaviour: constraint satisfaction is guaranteed at all times if a proper state disturbance bound is selected and it is not guaranteed otherwise. These results have not been included in the manuscript as we thought they were not adding 355 any additional insight.
Conclusions
We have proposed, and verified via an FPGA implementation in an HIL setup, an explicit MPC design that robustly guarantees hard constraint satisfaction in the presence of finite-precision arithmetic errors introduced by the 360 controller's own implementation. We have shown that robust constraints satisfaction can indeed be guaranteed by the robust controller implemented in low numerical precision while this was not the case for the nominal controller. The controllers were tested experimentally with precision as low as 8 bits. Some side benefits of our approach include a reduction in complexity due to a reduction 365 in number of regions. This, together with the reduction in hardware resources given by the low precision would allow explicit MPC to be implemented in small, inexpensive and energy efficient platforms. Future work may include the extension of this technique to other controllers design methods.
