SafeCF-SSM: Cognitive-Flexible Control with Explicit Physical Safety Guarantees for Latent-Space MPC

IEEE L-CSS, 2026

SafeCF-SSM is a cognitive-flexible control framework for latent-space MPC under distributional shift. It addresses two open problems: unregulated representation adaptation and the physical-latent safety gap — through surprise-driven bounded latent adaptation, adaptive constraint tightening, and an explicit decoder-aware physical safety certificate.

---

What Is the Problem?

Latent-space MPC approaches adapt to distributional shift but provide safety guarantees in latent space only. When the decoder has approximation error \(\varepsilon_{\mathrm{dec}}\geq 0\), a plan safe in \(z_t\) may be unsafe in \(x_t\) — the physical-latent gap.

Matters worsen under distributional shift: as the encoder \(\phi_{\theta_t}\) adapts online, this gap can grow without bound if representation reorganization is left unregulated. Existing approaches implicitly assume \(\varepsilon_{\mathrm{dec}}=0\) and provide no bound on the rate of encoder change during adaptation.

Three Coupled Mechanisms

SafeCF-SSM addresses the problem through three dedicated components, each satisfying one requirement of the problem statement:

• SSM Latent Model: provides latent state \(z_t\) and predictive uncertainty \(\Sigma_t\) via EKF encoder \(q_{\phi_{\theta_t}}(z_t|\mathcal{H}_t)\), enabling uncertainty-aware BMPC planning.
• BMPC with Adaptive Tightening: enforces physical safety via the unified margin \(\beta_{i,t}=\max(c_i\mathcal{S}_t,\,L_{g,i}L_d\,r_{\delta_i,t})\), where \(r_{\delta_i,t}=c_{\delta_i}\sqrt{\lambda_{\max}(\Sigma_t)}\) is a calibrated confidence radius (Assumption 3). The probabilistic constraint \(\mathbb{P}(\tilde{\mathcal{G}}_i(z_{t+k},u_{t+k})\leq0)\geq1-\delta_i\) is implemented as deterministic tightening (Lemma 1). Unlike Nominal MPC (\(\beta\equiv0\)) and Robust MPC (fixed \(\beta_{\max}\)), \(\beta_{i,t}\) responds online to both model uncertainty \(\Sigma_t\) and distributional shift \(\mathcal{S}_t\).
• Surprise-driven CF Adaptation: bounds encoder reorganization \(\|\phi_{\theta_{t+1}}-\phi_{\theta_t}\| \leq L_\phi\eta_{\max}L_\Delta=:\varepsilon_{\mathrm{cf}}\), satisfying the CF constraint and lifting latent safety to physical space via Proposition 1.

The Dual Role of \(\mathcal{S}_t\)

The predictive surprise \(\mathcal{S}_t:=-\log p_{\theta_t}(o_{t+1}|z_t,u_t)\) is large when the model is mismatched and small when consistent with observations. The same signal \(\mathcal{S}_t\) that tightens \(\beta_{i,t}\) in the BMPC layer also moderates \(\eta_t=\eta_{\max}/(1+\sqrt{\mathcal{S}_t})\), bounding \(\|\phi_{\theta_{t+1}}-\phi_{\theta_t}\|\) and reducing the physical-latent gap.

Main Theoretical Guarantees

• Theorem 1 (Bounded Representation Drift — G1): \(\mathbb{E}[\mathrm{CFI}_t]\leq1\) for all \(t\), where \(\mathrm{CFI}_t:=\|\phi_{\theta_{t+1}}-\phi_{\theta_t}\|/\varepsilon_{\mathrm{cf}}\). Unlike prior adaptive MPC methods that bound parameter drift \(\|\theta_{t+1}-\theta_t\|\) alone, SafeCF-SSM bounds encoder reorganization directly.
• Theorems 2–3 (Recursive Feasibility & ISS — G2): The BMPC remains feasible for all \(t'\geq t\) and the closed-loop belief is input-to-state stable: \(\|z_t\|\leq\bar\beta(\|z_0\|,t)+\gamma(\bar{d})\), \(\bar\beta\in\mathcal{KL}\), \(\gamma\in\mathcal{K}\).
• Proposition 1 + Corollary 1 (Physical Safety Certificate — G3): \[ \mathbb{P}\bigl((x_t,u_t)\in\mathcal{S}\bigr) \geq 1-\delta - f(\varepsilon_{\mathrm{dec}}), \quad\forall t\geq0, \] where \(\sum_i\delta_i\leq\delta\) and \(f(\varepsilon_{\mathrm{dec}})=L_{g,i}L_d\varepsilon_{\mathrm{dec}}\geq0\), \(f(0)=0\). The residual vanishes when \(\varepsilon_{\mathrm{dec}}=0\). This is the first verifiable physical safety guarantee for latent-space MPC accounting for decoder approximation error.

Core Insight

Unlike prior latent-MPC works that establish (G1)–(G2) in latent space only, SafeCF-SSM provides an explicit physical safety certificate that accounts for decoder approximation error and bounds encoder reorganization simultaneously — closing the physical-latent gap identified as the central open problem.

---

Nonlinear-Benchmark Motivation: Van der Pol Phase Plane

The Van der Pol oscillator exhibits significantly different limit cycles under different damping parameters \(\mu\), motivating the need for online adaptation. The safety bound \(|x_1|\leq X_{1,\max}=A(\mu_2)\approx2.66\) is physically motivated: the uncontrolled limit cycle amplitude \(A(\mu_1)\approx2.13\) lies within the bound, while \(A(\mu_2)\approx X_{1,\max}\) makes enforcement non-trivial without active adaptation. Adjust \(\mu\) below to observe how the phase portrait changes — this distributional shift is precisely what SafeCF-SSM detects via \(\mathcal{S}_t\) and compensates for online (Fig. 2).

Simulation Studies: Van der Pol (VdP) Benchmark

Validated on the VdP oscillator (\(M=25\) Monte Carlo, \(T=345\,\text{s}\), \(\mu_1=0.5\), \(\mu_2=2.66\)) across four consecutive distributional-shift regimes in a single continuous experiment without re-initialization:

Regime	Duration	Shift Type	Key Result
Nominal	\(0\)–\(45\,\text{s}\)	\(\mu=\mu_1=0.5\), accurate model	No overhead: \(\beta_{i,t}\approx0\) ✓
Abrupt shift	\(45\)–\(115\,\text{s}\)	\(\mu_1\uparrow\mu_2=2.66\) instantaneously	Safety via \(\mathcal{S}_t\) spike ✓
Observational drift	\(115\)–\(275\,\text{s}\)	Bias \(b_t\to[0.83,0.88]^\top\) exponentially	Safety despite unabsorbable bias (Gap 2) ✓
Gradual drift	\(275\)–\(345\,\text{s}\)	\(\mu_t:\mu_1\nearrow\mu_2\) exponentially	Formal certificate via Cor. 1 ✓

All four regimes confirm \(\mathbb{E}[\mathrm{CFI}_t]\leq1\) (Theorem 1) and \(\geq99.8\%\) safety (Corollary 1) with \(\varepsilon_{\mathrm{dec}}\leq0.10\). Both baselines violate safety during observational drift; SafeCF-SSM maintains \(|x_1|\leq X_{1,\max}\) throughout.

Reproducibility

All Julia source code is publicly available:

• cf_deepsssm_vdp_v6[150526].jl — Van der Pol benchmark, 4 regimes, Gap-2 validation (Fig. 2, Table I)
• safecf_ssm_quad3d_[150526].jl — 3D quadrotor benchmark (\(n=12\) states, motor failure, Fig. 3, Table I)

Extended Validation: 3D Quadrotor under Motor Failure

Can SafeCF-SSM maintain safety and tracking when a rotor partially fails mid-flight?

A 3D quadrotor (\(n=12,\,m=4\)) undergoes rotor-1 efficiency loss \(\rho_t: 1.0\to0.6\) at \(t_s=40\,\text{s}\), inducing yaw-torque asymmetry and lateral drift. The dynamics are: \[ \dot{v} = \tfrac{1}{M}R(\phi,\theta,\psi) \begin{bmatrix}0\\0\\T_t\end{bmatrix}\!-ge_3, \qquad \dot{\omega} = J^{-1}(\tau - \omega\times J\omega), \] where \(T_t=\rho_t T_1+T_2+T_3+T_4\) and \(\tau=[\ell(T_2-T_4),\,\ell(T_3-\rho_t T_1),\, \kappa(\rho_t T_1-T_2+T_3-T_4)]^\top\). SafeCF-SSM adapts \(\hat\rho_t\) online via: \[ \hat\rho_{t+1} = \hat\rho_t + \eta_t\,\nabla_{\hat\rho} \log p_{\theta_t}(o_{t+1}\mid z_t,u_t), \quad \eta_t = \frac{\eta_{\max}}{1+\sqrt{\mathcal{S}_t}}, \] with safety enforced via adaptive margin \(\beta_{i,t} = \max(c_i\mathcal{S}_t,\,L_{g,i}L_d\,r_{\delta_i,t})\).

Parameter	Value	Parameter	Value
\(M\)	\(1.0\,\text{kg}\)	\(\ell\)	\(0.2\,\text{m}\)
\(I_{xx},I_{yy}\)	\(0.01\,\text{kg\,m}^2\)	\(\kappa\)	\(0.1\)
\(I_{zz}\)	\(0.02\,\text{kg\,m}^2\)	\(\rho_1\to\rho_2\)	\(1.0\to0.6\) at \(t_s=40\,\text{s}\)
\(\sigma_w,\sigma_v\)	\(0.05,\,0.10\)	Safety: \(p_z\)	\(\geq0.3\,\text{m}\)
\(T_{\max}\)	\(10\,\text{N}\)	Safety: \(|\phi|,|\theta|\)	\(\leq30^\circ\)

\(M=25\) Monte Carlo runs confirm: SafeCF-SSM maintains \(|p_y|\leq0.1\,\text{m}\) throughout the failure, while both baselines accumulate drift exceeding \(0.5\,\text{m}\). \(\mathbb{E}[\mathrm{CFI}_t]\leq1\) (Theorem 1) and \(\geq99.8\%\) safety (Corollary 1) hold across all runs — consistent with the VdP validation above.

---