【Control】🧩 10. Envelope Control and Design Recovery Control
— Handling “Boundaries” and “Assumptions,” Not Control Itself
topics: [“control”, “design”, “architecture”, “AI”, “LLM”]
🧭 Introduction
Recently, in discussions around control and AI,
it is common to hear phrases such as:
- “Control with LLMs”
- “AI optimizes the controller”
However, in real physical systems and device design practice,
a very different intuition dominates:
- Control is something applied last
- What truly breaks are design assumptions and operational boundaries
- Putting AI into real-time control loops is dangerous
Based on this perspective, this article introduces
two architectural control concepts.
| Envelope Control | Protects runtime (operational) boundaries |
| Design Recovery Control | Restores design-time assumptions |
Neither concept is about “control itself.”
They deal with structures that prevent control from breaking.
🛡 What Is Envelope Control?
Envelope Control is the concept of:
Constraining a system to a safe operating region (the envelope)
under uncertainty.
The key points are what it does not aim to do:
- It does not pursue high performance
- It does not optimize
- It does not learn
What it does is extremely simple:
- Monitor physical quantities such as voltage, current, temperature, speed
- Enforce non-negotiable bounds on those quantities at runtime
Conventional controllers (e.g., PID) operate normally inside the envelope.
But the moment the system approaches the boundary,
operation is restricted or suppressed.
👉 Envelope Control answers not
“How should we control?”
but
“How far are we allowed to operate?”
🧠 What Is Design Recovery Control?
Design Recovery Control (DRC) operates on
a completely different time axis.
It addresses failures caused by broken design assumptions themselves,
not by control errors.
DRC explicitly does not:
- Generate control inputs
- Intervene in real time
- Optimize through learning
Instead, it examines and updates:
- Whether PID gains are still valid
- Whether FSM transition conditions still match reality
- Whether operating mode definitions have become outdated
Even when LLMs are involved:
- They never execute actions
- They only generate proposals
- Humans or systems must explicitly approve changes
👉 DRC is not control.
It is structured design review and recovery.
🔗 Relationship Between the Two (Critical)
These two concepts do not compete.
| Aspect | Envelope Control | Design Recovery Control |
|---|---|---|
| Time axis | Runtime (operation) | Design-time (updates) |
| Target | Operating envelope | Design assumptions |
| Control inputs | Not touched | Not touched |
| AI / LLM | Generally avoided | Design supervision only |
In short:
-
Envelope Control
→ “How do we safely constrain operation right now?” -
Design Recovery Control
→ “Why did the original design assumptions stop working?”
Only when both exist can
ordinary control remain ordinary control.
🧱 This Is About Positioning, Not Implementation
It is important to emphasize:
This is not a discussion about control algorithms.
This comes before questions such as:
- PID tuning
- Mathematical formulations
- Stability proofs
Instead, it addresses:
Where responsibility is divided in system design
🔗 Reference Links
Definitions and concept documents are available here:
-
Envelope Control
https://samizo-aitl.github.io/envelope-control/
https://github.com/Samizo-AITL/envelope-control -
Design Recovery Control
https://samizo-aitl.github.io/design-recovery-control/
https://github.com/Samizo-AITL/design-recovery-control
🧭 Closing Remarks
Before making control more sophisticated,
it is far more important to clarify:
- Where systems break
- What assumptions were made
- When design must be revisited
Structurally separating these questions
is what makes real systems robust.
Envelope Control and Design Recovery Control
are design-side tools for that purpose.
Before making control “smarter,”
design a structure that prevents control from breaking.
That is the role of these two concepts.