Control Barrier Functions: Theory and Applications
Aaron D. Ames, Samuel Coogan, Magnus Egerstedt, Gennaro Notomista, Koushil Sreenath, and Paulo Tabuada

TL;DR
This paper reviews recent advances in control barrier functions, highlighting their theoretical foundations and practical applications in ensuring safety in safety-critical control systems, especially in robotics.
Contribution
It offers a comprehensive survey of control barrier functions, summarizing key theoretical results and demonstrating their applications across various domains.
Findings
Control barrier functions effectively verify safety properties.
They enable the design of safety-critical controllers.
Applications include robotic systems and other safety-critical domains.
Abstract
This paper provides an introduction and overview of recent work on control barrier functions and their use to verify and enforce safety properties in the context of (optimization based) safety-critical controllers. We survey the main technical results and discuss applications to several domains including robotic systems.
Aaron D. Ames1, Samuel Coogan2, Magnus Egerstedt3, Gennaro Notomista4, Koushil Sreenath5, and Paulo Tabuada6
1 Mechanical and Civil Engineering and Control and Dynamical Systems, California Institute of Technology, Pasadena CA 91125, U.S.A.
2 Electrical and Computer Engineering and Civil and Environmental Engineering, Georgia Institute of Technology, Atlanta GA 30332, U.S.A.
3 Electrical and Computer Engineering, Georgia Institute of Technology, Atlanta GA 30332, U.S.A.
4 Institute for Robotics & Intelligent Machines, Georgia Institute of Technology, Atlanta GA 30332, U.S.A.
5 Mechanical Engineering, Univ. of California, Berkeley CA 94720, U.S.A.
6 Electrical and Computer Engineering, UCLA, Los Angeles CA 90095, U.S.A.
I Introduction
It is easy to agree that any engineered system should be designed to be safe. In fact, the term safety-critical system is many times used to distinguish those systems for which safety is a major design consideration. But what exactly is safety? How do we define it and how can we design systems to achieve it? The notion of safety was first introduced in 1977 in the context of program correctness by Leslie Lamport [1] and formalized in [2], see also [3]. Intuitively, safety requires that “bad” things do not happen while liveness requires that “good” things eventually happen, e.g., asymptotic stability can be seen as an example of a liveness property in the sense that an asymptotically stable equilibrium point is eventually reached. Dually, invariance can be seen as an example of a safety property in the sense that any trajectory starting inside an invariant set will never reach the complement of the set, describing the locus where bad things happen. Based on the identification of liveness with asymptotic stability and safety with invariance, it can be argued that safety has received much less attention in control theory than liveness. Moreover, the notion of Lyapunov function has played a predominant role in the investigation of liveness properties.
The objective of this paper is to refocus the discussion on safety by introducing control barrier functions that play a role equivalent to Lyapunov functions in the study of liveness properties. There are two main reasons driving a surge in research related to safety and control barrier functions: 1) the recent interest in autonomous systems has brought safety to the forefront of systems’ design. In particular, autonomous systems are expected to operate in unknown and unstructured environments which makes it considerably harder to enforce safety properties; 2) the recent introduction of control barrier functions suggests that many control design techniques based on Lyapunov and control Lyapunov functions can be suitably transposed to address safety considerations. Hence, we have both the societal need for safety as well as the tools to raise safety to the same level of maturity as liveness in the design of control systems.
I-A Brief History of Barrier Functions
The study of safety in the context of dynamical systems dates back to the 1940’s when Nagumo provided necessary and sufficient conditions for set invariance [4] (see [5] for a more detailed historical account, and [6] for a modern proof). In particular, given a dynamical system with , assuming that the safe set is the superlevel set of a smooth function , i.e., , and that for all such that , then Nagumo’s Theorem gives necessary and sufficient conditions for set invariance based upon the derivative of on the boundary of :
[TABLE]
These conditions have been independently re-discovered on multiple occasions; in particular, around the 1970s by Bony and Brezis [7, 8] (the proof in [6] follows Brezis).
In the 2000’s we saw another change of perspective brought by the need to verify hybrid systems. Barrier certificates were introduced as a convenient tool to formally prove safety of nonlinear and hybrid systems [9, 10]; these results, again, seemed to independently discover Nagumo’s theorem. The choice of the term “barrier” was motivated by its use in the optimization literature where barrier functions are added to cost functions to avoid undesirable regions. In the case of barrier certificates, one considers an unsafe set and a set of initial conditions together with a function where for all and for all . Then is a barrier certificate if
[TABLE]
In the notation for above, by picking the safe set to be the complement of the unsafe set , with the barrier certificate conditions become: which implies that is invariant. Therefore, these conditions reduce to those of Nagumo’s theorem on the boundary. Importantly, the necessity of barrier certificates was studied [11] along with their extension to a stochastic setting [12].
As a means to extend the safety guarantees beyond the boundary of the set, there have been a variety of approaches that can be best described as “Lyapunov-like.” That is, Lyapunov functions yield invariant level sets so, if these level sets are contained in the safe set one can guarantee safety—importantly, these conditions can be applied over the entire set and not just on the boundary. In this case, as developed in [13], one constructs a “barrier Lyapunov function” much as above but with the additional requirement that it is, for all intents and purposes, positive definite. Then, by enforcing the condition that over the set , it ensures invariance of this set and thus safety. The major limitation is that, while these conditions ensure safety they also enforce invariance of every level set. Thus, they are overly strong and conservative.
While the above results addressed closed dynamical systems, i.e., systems without inputs, the work on viability theory [14, 15, 16] extended them to open dynamical systems, e.g., control systems given by for . This required moving from invariant sets to controlled invariant sets: sets that can be made invariant by suitably designing a controller.
The notion of a barrier certificate was extended to a “control” version to yield the first definition of a “control barrier function” [17]—although this definition is different than the one considered in this paper. In particular, given a control system and a safe set as defined above by a function , the conditions in [17] are effectively:
[TABLE]
These ideas were built upon so as to explicitly combine barrier functions with control Lyapunov functions [18]—this was done contemporaneously with the development of the methods presented in this paper which use optimization based controllers to unify Lyapunov and barrier functions. In particular, as further developed in [19], conditions were given on creating “control Lyapunov barrier functions” that jointly guarantee safety and stability. Yet, in these cases the conditions in the end reduce to enforcing . However, these conditions are stronger than necessary, and thus motivate the “modern” version of control barrier functions.
The aforementioned methods all led to the most recent formulation of certificates of safety, termed control barrier functions, as recognition of the historical developments outlined above—these were first introduced in [20], and later refined in [21]. In particular, the idea was to extend the barrier function conditions (e.g., those discovered by Nagumo) to the entirety of the safe set. For a control system, and a safe set defined by a function , this new form of control barrier functions is defined by the condition:
[TABLE]
for an (extended) class function. Importantly, this condition is necessary and sufficient (for compact sets) and thus is minimally restrictive. Finally, because these conditions are true over the entire set they give a way to synthesize safe controllers—in this case, through the use of optimization-based control methods that modify the desired controller again in a minimally invasive fashion. This formulation, therefore, provides a foundational framework for safety-critical control.
The utility of this new formulation of control barrier functions is evidenced by the application domains it has been applied to since its inception, including: automotive systems [22, 23, 24], multi-robot systems [25, 26, 27], quadrotors [28, 29] and robotic systems including walking robots [30, 31, 32], to name a few. Additionally, it allows for the unification of safety (via a control barrier function) and stability (via a control Lyapunov function) in the context of an optimization based controller—in fact, it was optimization based controllers using control Lyapunov functions that motivated the development of this new form of barrier function. This formulation of control barrier functions will be the focus of this paper, as motivated by the conceptual connections with control Lyapunov functions together with a recognition of the basic differences between control barrier and Lyapunov functions.
I-B Overview of Paper
Building upon the history of barrier functions, and motivated by the new developments, this paper aims to establish the basic theory of safety-critical control and highlight some important applications.
**Theory:** We begin in Section II by establishing the foundations of control barrier functions. This is motivated from the perspective of stabilization with control Lyapunov functions, leading to the “dual” of stability: safety as enforced by control barrier functions. The properties of these functions are discussed, along with the synthesis of optimization-based controllers. In Section III, the application of CBFs to systems with actuation constraints is considered. Finally, in Section IV, the extension of CBFs to constraints with higher relative degree is considered.
**Application:** The discussion of the application of CBFs begins in Section V with the consideration of robotic systems. In particular, we begin by considering the “stepping stone” problem, wherein a robot must walk safely on a series of stepping stones. This is followed by a brief discussion of the experimental implementation of barriers in the context of automotive safety systems and dynamic robotic systems. Additionally, the application of CBFs in the context of long duration autonomy is formulated and demonstrated experimentally.
II Foundations of Control Barrier Functions
In this section, we introduce the fundamentals of control barrier functions. That is, we introduce safety, safety sets, and a means in which to enforce safety in a minimally invasive fashion. To motivate these considerations, we will begin by reviewing control Lyapunov functions (CLFs) and discuss how they can be used to synthesize controllers that enforce stability. This naturally leads to the “dual” for safety: control barrier functions (CBFs). We will formulate optimization based controllers from CBFs and conclude by describing how they can be unified with CLFs.
Throughout this paper, we will suppose that we have a nonlinear affine control system:
[TABLE]
with and locally Lipschitz, and is the set of admissible inputs.
II-A Motivation: Control Lyapunov Functions
To motivate safety for systems of this form, and hence control barrier functions, we begin by considering the familiar objective of stabilizing the system. Suppose we have the control objective of (asymptotically) stabilizing the nonlinear control system (1) to a point , i.e., driving . In a nonlinear context, this can be achieved—and, in fact, understood—by equivalently finding a feedback control law that drives a positive definite function, , to zero. That is, if
[TABLE]
where
[TABLE]
then the system is stabilizable to , i.e., . Note that here is a class function defined on the entire real line for simplicity, i.e., maps zero to zero, , and it is strictly monotonic: for all , implies that . Thus, the process of stabilizing a nonlinear system can be understood as finding an input that creates a one-dimensional stable system given by the Lyapunov function: , wherein the comparison lemma (see, e.g., [33]) implies that the full-order nonlinear system (1) is thus stable under the control law .
The above observations motivate the notion of a control Lyapunov function wherein a function is shown to stabilize the system without the need to explicitly construct the feedback controller . That is, as first observed by Sontag and Artstein [34, 35, 36], we only need a controller to exist that results in the desired inequality on . Concretely, is a control Lyapunov function (CLF) if it is positive definite and satisfies:
[TABLE]
where is again a class function. The importance of this definition is that it allows for us to consider the set of all stabilizing controllers for every point :
[TABLE]
This is an affine constraint in and thus will allow for the formulation of optimization based controllers. It also elucidates conditions on when is a CLF; for example, if , it is easy to verify that
[TABLE]
and thus there are stabilizing controllers. More generally, we have the following central stabilization result for CLFs [37].
**Theorem 1.**
For the nonlinear control system (1), if there exists a control Lyapunov function , i.e., a positive definite function satisfying (3), then any Lipschitz continuous feedback controller asymptotically stabilizes the system to .
II-B Control Barrier Functions
Unlike stability which involves driving a system to a point (or a set), safety can be framed in the context of enforcing invariance of a set, i.e., not leaving a safe set. In particular, we consider a set defined as the superlevel set of a continuously differentiable function , yielding:
[TABLE]
We refer to as the safe set.
**Safety.** Let be a feedback controller such that the resulting dynamical system
[TABLE]
is locally Lipschitz. To formally define safety, due to the locally Lipschitz assumption, for any initial condition there exists a maximum interval of existence such that is the unique solution to (6) on ; in the case when is forward complete [33], . This allows us to define safety:
**Definition 1.**
The set is forward invariant if for every , for and all . The system (6) is safe with respect to the set if the set is forward invariant.
**Control Barrier Functions (CBFs).** Using control Lyapunov functions as motivation, we wish to generalize to the concept of safety. Yet, one must be careful about directly generalizing Lyapunov (as done, in particular, in [38]). If there exists a CLF such that and has a superlevel set , then the corresponding controllers in (4) will render invariant, and hence safe. Nevertheless, this is overly restrictive as it would render every sublevel set invariant, i.e., for all . Rather, we wish to enforce set invariance without requiring a positive definite function, i.e., for to be a control barrier function it should render invariant but not its sublevel sets.
This motivates the formulation of control barrier functions. Before defining these, we note that an extended class function is a function that is strictly increasing and with ; that is, extended class functions are defined on the entire real line: . This allows us to define [21, 22]:
**Definition 2.**
Let be the superlevel set of a continuously differentiable function , then is a control barrier function (CBF) if there exists an extended class function such that for the control system (1):
[TABLE]
for all .
**Remark 3.**
Note that, as discussed in Section I, the first notion of a control barrier function [20] was defined in terms of what are now termed reciprocal barrier functions. These blow up on the boundary, hence the use of the term “barrier”:
[TABLE]
wherein the control barrier function condition (7) becomes:
[TABLE]
This class of barrier functions can be more suitable for some applications, but typically barrier functions, , are preferable since they are well defined outside of .
**Remark 4.**
The idea of extending set invariance conditions, i.e., the condition that for all , to all of was first considered in [14] in the form of the following condition: for all . This can be viewed as a very special case of a CBF wherein in (7).
**Guaranteed Safety via CBFs.** We can consider the set consisting of all control values that render safe:
[TABLE]
That is, as in the case of CLFs, we can quantify the set of all control inputs at a point that keep the system safe.
The main result of [21], and the main result with regard to control barrier functions, is that the existence of a control barrier function implies that the control system is safe:
**Theorem 2.**
Let be a set defined as the superlevel set of a continuously differentiable function . If is a control barrier function on and for all , then any Lipschitz continuous controller for the system (1) renders the set safe. Additionally, the set is asymptotically stable in .
**Remark 5.**
The condition that the gradient of not vanish on the boundary is equivalent to requiring that [math] is a regular value of [6]. Note that this condition was not explicitly stated in [21], but the proof of this result utilizes Nagumo’s theorem [4] which requires this regularity condition [6].
**Remark 6.**
It is important to stress that this result not only guarantees that the safe set is invariant, but makes the set asymptotically stable. This has beneficial consequences with regard to practical implementation. While a system will not formally leave the safe set , noise and modeling errors might force the system to leave this set. As a result of the main CBF theorem, controllers in will drive the system back to the set .
**Necessity for Safety.** Finally, we note that control barrier functions provide the strongest possible conditions for safety in that they are necessary and sufficient given reasonable assumptions on [21]:
**Theorem 3.**
Let be a compact set that is the superlevel set of a continuously differentiable function with the property that for all . If there exists a control law that renders safe, i.e., is forward invariant with respect to (6), then is a control barrier function on .
II-C Optimization Based Control
Having established that control barrier functions give (necessary and sufficient) conditions on safety, the question becomes: how does one synthesize controllers? Importantly, we wish to do so in a minimally invasive fashion, i.e., modify an existing controller in a minimal way so as to guarantee safety. This naturally leads to optimization based controllers:
**Safety-Critical Control.** Suppose we are given a feedback controller for the control system (1) and we wish to guarantee safety. Yet it may be the case that for some . To modify this controller in a minimal way so as to guarantee safety, we start by noticing that the conditions on safety given in (10) are affine in . Thus, we can consider the following Quadratic Program (QP) based controller that finds the minimum perturbation on :
[TABLE]
where here we assumed that . Thus, when there are no input constraints, since we have a single inequality constraint the CBF-QP has a closed-form solution (per the KKT conditions [39]) given by the min-norm controller; this was first utilized in the context of CLFs [40, 37].
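The closed-form min-norm solution of the CBF-QP described above, as an added Python example that is not code from the paper. It assumes the standard affine CBF constraint L_f h(x) + L_g h(x) u >= -alpha(h(x)) with alpha(h) = GAMMA * h, no input bounds, and a constructed test case: a single-integrator robot, a disk obstacle, a goal and a proportional nominal controller, all illustrative choices.

```python
# Min-norm safety filter: smallest change to the desired input u_des such that
#   L_f h(x) + L_g h(x) u >= -GAMMA * h(x)
# One affine inequality and no input bounds, so the QP reduces to a projection.

CENTER, RADIUS = (0.0, 0.0), 1.0   # constructed obstacle (unsafe disk)
GOAL = (2.0, 0.0)                  # constructed target on the far side
GAMMA = 1.0                        # alpha(h) = GAMMA * h (assumed linear)


def h(x):
    """Barrier: positive outside the obstacle, zero on its boundary."""
    return (x[0] - CENTER[0]) ** 2 + (x[1] - CENTER[1]) ** 2 - RADIUS ** 2


def lie_derivatives(x):
    """Single integrator x_dot = u: f = 0, g = I, so L_f h = 0, L_g h = grad h."""
    return 0.0, (2.0 * (x[0] - CENTER[0]), 2.0 * (x[1] - CENTER[1]))


def nominal(x):
    """Desired controller k(x): proportional drive to GOAL, unaware of safety."""
    return (GOAL[0] - x[0], GOAL[1] - x[1])


def cbf_filter(x, u_des):
    """Return argmin ||u - u_des||^2 subject to the CBF constraint."""
    lfh, lgh = lie_derivatives(x)
    slack = lfh + lgh[0] * u_des[0] + lgh[1] * u_des[1] + GAMMA * h(x)
    if slack >= 0.0:
        return u_des                       # constraint inactive: do not intervene
    norm2 = lgh[0] ** 2 + lgh[1] ** 2
    if norm2 == 0.0:
        raise ValueError("L_g h vanishes: the input cannot affect h here")
    lam = -slack / norm2                   # KKT multiplier of the active constraint
    return (u_des[0] + lam * lgh[0], u_des[1] + lam * lgh[1])


def simulate(x0, use_filter, dt=0.01, steps=2000):
    """Explicit Euler rollout; returns the final state and the minimum of h."""
    x, min_h = x0, h(x0)
    for _ in range(steps):
        u = nominal(x)
        if use_filter:
            u = cbf_filter(x, u)
        x = (x[0] + dt * u[0], x[1] + dt * u[1])
        min_h = min(min_h, h(x))
    return x, min_h


if __name__ == "__main__":
    start = (-2.0, 0.1)                    # constructed start, obstacle in the way
    for flag in (False, True):
        x_end, worst = simulate(start, flag)
        print("filtered" if flag else "nominal ", x_end, "min h =", worst)
```

The filter changes only the component of the input along the gradient of h, so the robot slides around the disk and still reaches the goal, while the unfiltered controller drives straight through it.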
**Unifying with Lyapunov.** The QP based formulation of safety-critical controllers suggests a means in which to unify safety and stability. In fact, optimization-based controllers were first utilized in the context of CLFs exactly for the purpose of multi-objective nonlinear control [41], e.g., combining stability with torque constraints [42]. Concretely, we consider the following QP based controller:
[TABLE]
where here is any positive definite matrix (pointwise in ), and is a relaxation variable that ensures solvability of the QP as penalized by (i.e., to ensure the QP has a solution one must relax the condition on stability to guarantee safety). In [21] it was established that this controller is Lipschitz continuous.
III CBFs for Systems with Actuation constraints
Consider again the nonlinear affine control system (1) and assume there exists an allowable set of states defined via some performance function . Our objective is to construct a CBF such that
[TABLE]
that is, such that the safe set , corresponding to the superlevel set of the CBF , is contained within the set of allowed states . Of course, it may be possible to take if this choice satisfies (7) for an appropriate function , in which case our objective is met.
However, in this section, we focus on the case when cannot be rendered invariant and instead we must find a safe subset that is a strict subset of the allowable set. The inability of itself to be rendered forward invariant could be due to, e.g., a control set that restricts the available control actions or due to dynamics with higher relative degree; an alternative approach to accommodate the latter is proposed in Section IV.
We assume that a locally Lipschitz nominal controller (called nominal evading maneuver in [43]) is known. Intuitively, encapsulates a controller that, for some initial conditions, is expected to keep the system within the allowable set, although no guarantees on the ability of to ensure safety are required a priori. For example, for an autonomous mobile agent, might be a swerving maneuver or a rapid deceleration maneuver.
For any and , let denote the state of the control system (1) at time when is used as input and the system is initialized at , that is, satisfies with initial condition .
A barrier function can be computed from and as
[TABLE]
that is, the barrier is constructed by assigning to each point the infimum value of the performance function attained along the trajectory initialized at when the nominal control strategy is used. Under mild conditions on and , is indeed a CBF [43].
**Theorem 4.**
Let be a continuously differentiable performance function and let be a nominal controller such that is continuously differentiable. Define as in (12) with the corresponding superlevel set of and suppose for each there exists a unique such that and for some . Then
1. is a CBF;
2. , that is, the safe set is a subset of the allowable set; and
3. for all .
In some cases, computing given in (12) is possible in closed form; see [43] for examples.
Alternatively, one could approximate by simulating the system trajectory for a finite horizon and computing the infimum in (12) numerically. However, notice that to use in a resulting quadratic program as in (CBF-QP) requires computing the gradient of , thus such an approach would also require numerically approximating the gradient of , and therefore this approach becomes computationally challenging as the dimension of the system grows.
Another approach is to parameterize and search for a potentially conservative CBF satisfying (11). For example, we could parameterize as a fixed degree polynomial and use sums-of-squares (SOS) programming [44] to enforce the required conditions on . To this end, a polynomial is a SOS polynomial if for some polynomials for . Let denote the set of SOS polynomials in . The following Proposition is closely related to results presented in [24, 45].
**Proposition 5.**
Given the affine control system (1), assume and are polynomials. Let be a polynomial performance function and let be a polynomial nominal controller. A polynomial is a CBF if there exists positive constants and SOS polynomials , such that
[TABLE]
Moreover, and for all .
Condition (13) is sufficient for ensuring that for all such that , thereby implying . Likewise, (14) is sufficient for ensuring that for all . Since for all , this in turn implies (7) with the choice .
There exist efficient computational toolboxes that convert certain SOS constraints into semidefinite programs such as [46]. However, viewing , , , and as decision variables in the above, the products and are bilinear in the decision variables and prevent such a conversion.
Nonetheless, a common approach for accommodating such bilinearities is to propose an iteration of constraints so that in each iteration, one element of each problematic product is fixed, i.e., in each iteration, either and are fixed or is fixed, leading to an efficient numerical procedure for finding a CBF . For example, in [24], a sequence of SOS programs is proposed to compute a CBF for lane-keeping and adaptive cruise control in an autonomous vehicle, and in [45], a sequence of SOS programs is proposed to compute a region of safe stabilization.
Variants of the SOS-based approach proposed in Proposition 5 are possible and have been explored in related contexts, e.g., [24, 45]. For example, it is possible to compute a new nominal controller after computing a barrier . Further, the constraints (13)–(14) can be augmented with an objective function that, e.g., seeks to maximize the volume of the safe set . In addition, it is possible to consider an allowable set characterized as the intersection of the superlevel sets of multiple performance functions by including a constraint like (13) for each performance function.
IV Exponential Control Barrier Functions
In the previous sections we have seen how control barrier functions (CBFs) can be (i) used to enforce safety-critical constraints for nonlinear (control affine) systems, (ii) combined with control Lyapunov functions to arbitrate between stability and safety, and (iii) used for systems with actuator constraints. While CBFs offer a powerful methodology, there is one critical restriction: the safety-critical constraints have been so far assumed to be of relative-degree one, i.e., the first time-derivative of the CBF has to depend on the control input. However, this is a restrictive assumption that is typically not held for most safety constraints for robotic systems. We therefore need a way to enforce arbitrarily high relative-degree safety constraints. In this section, we introduce a special type of CBFs called Exponential CBFs that enable this functionality.
Control barrier functions for high-relative degree safety constraints were initially studied simultaneously in [47, 30]. However, the results in [47] only extended to position based safety constraints with relative-degree 2. On the other hand, the results in [30] extended to arbitrary high relative-degree using a backstepping based method. However, backstepping based CBF design for higher relative-degree systems (greater than 2) is challenging and has not been attempted. Building off the work in [47], exponential control barrier functions were first introduced in [48] as a way to easily enforce high relative-degree safety constraints. The rest of this section provides an introduction to exponential CBFs.
IV-A High Relative-Degree Safety Constraints
Consider the nonlinear dynamical system in (1) with initial condition with the goal to enforce the forward invariance of the safe set defined in (II-B). However, unlike in earlier sections, we relax the relative-degree 1 assumption on and assume has arbitrarily high relative-degree . This translates to the time-derivative of being,
[TABLE]
with and . Next, we define,
[TABLE]
and assume for a given , can be chosen such that . This choice of is possible since by the relative degree of we have and moreover is a scalar (while ). With this, the above dynamics of can be written as the linear system,
[TABLE]
where
[TABLE]
Clearly, if we choose a state feedback style , then . Moreover, by the comparison lemma, if , then .
We now have everything set up to define exponential control barrier functions.
**Definition 7.**
Given a set defined as the superlevel set of a -times continuously differentiable function , then is an exponential control barrier function (ECBF) if there exists a row vector such that for the control system (1),
[TABLE]
results in whenever .
**Remark 8.**
Note that in the above definition needs to satisfy certain specific properties. As we will see, we will require to make the closed-loop system matrix stronger than Hurwitz (total negative) and additionally satisfy a condition based on the initial conditions . These will be presented in more detail in the subsequent subsection on designing ECBFs.
**Remark 9.**
Note that when the relative-degree , in (19) reduces to with . Thus, Definition 2 defines a relative-degree 1 exponential CBF when (with a small abuse of notation), . In this sense, the above definition is a generalization of the definition of CBFs for higher relative-degree functions .
Given an ECBF, we can implement a controller that enforces the condition given in Definition 7 by extending the optimization based control methodology presented earlier. Concretely, we can consider the following QP based controller:
[TABLE]
IV-B Designing Exponential Control Barrier Functions
In order to design an exponential CBF, we begin by noting that (IV-A) is in controllable canonical form and if then the characteristic polynomial of is , whose roots we will denote by . Note that there is a well established relation between the coefficients of a polynomial and its roots.
We next define a family of functions and corresponding superlevel sets for as follows:
[TABLE]
Note that is identical to . Our goal is to design to ensure is forward invariant. We begin with the following result.
**Proposition 6 ([48]).**
For a given , if is forward-invariant then is forward-invariant whenever and .
The above result follows from noting that under the given conditions when reaches the boundary of , we have resulting in forward invariance of . The recursive application of the above proposition then motivates the following result:
**Theorem 7 ([48]).**
If is forward-invariant and then is forward-invariant.
From the above results, for invariance of , we require two conditions for each : (a) and (b) . The first condition on implies that the poles of the closed-loop need to be real and negative. The second condition on and the definition of implies we require . Both these conditions can be achieved by choosing as specified in the main result below.
**Theorem 8 ([48]).**
Suppose is chosen such that is Hurwitz and total negative (resulting in negative real poles) and the eigenvalues satisfy , then guarantees is an exponential CBF.
Thus, an exponential CBF can be designed using classical pole placement strategies from linear feedback theory. The location of the poles is specified to be both real and negative as well as dependent on the higher time-derivatives of the barrier function at initial time.
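The pole-placement design described above, worked through on a double integrator as an added example (not code from the paper or its authors). It assumes the dynamics x'' = u, the barrier h(x) = X_MAX - x (relative degree 2), the standard ECBF inequality h'' + k1 h' + k0 h >= 0, and a PD nominal controller; all function names and constants are hypothetical. With a scalar input and one constraint, the QP has the closed-form solution used in `simulate`.

```python
"""Exponential CBF by pole placement for a double integrator (added example)."""

X_MAX = 1.0  # assumed position limit; safe set is {x : h(x) = X_MAX - x >= 0}


def poly_from_poles(poles):
    """Coefficients, lowest order first, of prod_i (s + p_i)."""
    c = [1.0]
    for p in poles:
        c = [(c[i - 1] if i else 0.0) + p * (c[i] if i < len(c) else 0.0)
             for i in range(len(c) + 1)]
    return c


def initial_conditions_ok(h_derivs0, poles):
    """Check p_i > 0 (closed-loop poles -p_i real and negative) and
    nu_i(x0) >= 0 for i = 0..r-1, where nu_0 = h and
    nu_i = d(nu_{i-1})/dt + p_i * nu_{i-1}.
    h_derivs0 = [h(x0), h'(x0), ..., h^(r-1)(x0)]."""
    if any(p <= 0 for p in poles):
        return False
    for i in range(len(h_derivs0)):
        coeffs = poly_from_poles(poles[:i])  # nu_i as a polynomial in d/dt
        if sum(c * d for c, d in zip(coeffs, h_derivs0)) < 0:
            return False
    return True


def simulate(poles=None, x=0.0, v=0.5, dt=1e-3, horizon=5.0):
    """Explicit-Euler rollout of x'' = u; returns the minimum of h seen.
    poles=None runs the nominal controller alone; otherwise two poles
    (p1, p2) define the ECBF gains k0 = p1*p2 and k1 = p1 + p2."""
    k0, k1 = poly_from_poles(poles)[:2] if poles else (0.0, 0.0)
    h_min = X_MAX - x
    for _ in range(int(horizon / dt)):
        # Nominal PD controller drives x to 2.0, which lies outside the safe set.
        u = 4.0 * (2.0 - x) - 4.0 * v
        if poles:
            # h' = -v and h'' = -u, so h'' + k1*h' + k0*h >= 0 becomes
            # u <= k0*h - k1*v. Minimising (u - u_nom)^2 under this single
            # bound is a clip of the nominal input.
            u = min(u, k0 * (X_MAX - x) - k1 * v)
        x, v = x + dt * v, v + dt * u
        h_min = min(h_min, X_MAX - x)
    return h_min


if __name__ == "__main__":
    poles = (2.0, 3.0)
    print("initial conditions ok:", initial_conditions_ok([1.0, -0.5], poles))
    print("min h, nominal only  :", simulate())
    print("min h, ECBF filter   :", simulate(poles))
```

The second call to `initial_conditions_ok` in the test uses a first pole of 0.2, which is too slow for the initial approach speed: the barrier's first derivative at the start already violates the intermediate set, so the design is rejected before any simulation.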
V Applications: CBFs for Robotic Systems
Having seen the theoretical development of control barrier functions in the earlier sections, we will now present practical uses of CBFs in various robotic application domains. Sections V-A to V-C will introduce CBFs for single-agent robotic systems: we will look at three sufficiently different types of robotic systems, i.e., walking robots, cars, and Segways. Section V-D will introduce CBFs for multi-agent robotic systems.
V-A Dynamic Walking on Stepping Stones
Legged robots are unique in the sense that these systems are able to locomote over discrete terrains, such as a terrain with stepping stones with discrete gaps between the steps (see Fig. 1a). Precisely stepping on the footholds is critical, and missing the foothold even by a few centimeters will cause a dramatic fall of the robotic system. In this sense, stepping stones are examples of safety-critical constraints that have to be strictly enforced. While this is challenging, in the preceding sections we have developed the theory to specifically attack such safety-critical problems. Dynamic walking over stepping stones using CBFs was first demonstrated in [49]. Here, we present results on the DURUS bipedal robot reported in [31].
Legged systems are modeled as multi-domain hybrid systems with walking consisting of a single-support phase when one (stance) foot is in contact with the ground and an instantaneous double-support phase when the swing foot impacts ground. The single-support phase is modeled as a continuous-time differential equation while the double-support phase is modeled as an instantaneous impact due to the swing foot impacting on the ground. The impact causes an instantaneous jump in the system state. Mathematically, this is represented as the hybrid system
[TABLE]
with representing the switching surface that denotes swing foot contact with the ground.
For the above system, a hybrid zero dynamics (HZD) based approach (see [50] for details) is used to design a stable periodic orbit—representing walking—by means of an offline nonlinear constrained optimization, in order to find a set of outputs that are then regulated by constructing a Lyapunov function such that driving results in driving the outputs to zero, resulting in stable walking. This is achieved by the CLF based approach detailed in Section II-A, with the difference for a hybrid system being that rapid exponential stability is sought through a RES-CLF [37] s.t. , where . This ensures that the controller contracts faster than the potential expansion that happens at impacts. See [37, 42] for more details.
Now, let us look into the problem of how we can guarantee the safety-critical constraint of precisely placing the feet on the stepping stone on each step. In Fig. 1b, the start of the step is shown as the dotted stick-figure with the stance foot at . The goal is to move the swing leg and precisely impact the ground within the solid red foothold at the end of the step. This is a constraint at the step end-time which cannot be directly enforced as a barrier. We convert this end-time constraint into a barrier constraint that is enforced point-wise in time. In particular, if the swing foot position, denoted by in Fig. 1b, is maintained within the outer circle (with center and radius ) and outside the inner circle (with center and radius ), then the foot follows the red trajectory and impacts the foothold at the end of the step. This can be formulated through enforcing the nonnegativity of the following CBFs:
[TABLE]
where and are the distances between the swing foot and the centers of the two circles at and respectively. Since are position constraints, they have relative-degree 2. We thus use the tools of the exponential CBF to design and pick s.t., . This results in enforcing resulting in dynamic walking on stepping stones. Fig. 2a shows plotted against time to illustrate that they are non-negative. Fig. 2b illustrates snapshots from simulation of walking over a stepping stone terrain with different step lengths. This method can also be used to walk over a terrain of stepping stones with changing step width or step height.
V-B Automotive Systems: Automatic Cruise Control and Lane Keeping
Our next example is from the automotive domain. Many modern Advanced Driver Assistance Systems (ADAS) provide prime examples of safety-critical constraints. For instance, in Adaptive Cruise Control (ACC) the vehicle’s speed is regulated to a user-set speed when there is no vehicle immediately ahead in the lane, yet if a vehicle is detected ahead then a safe following distance is maintained. On the other hand, in Lane Keeping (LK) the vehicle’s steering is controlled so as to maintain the vehicle within a lane. Furthermore, two or more ADAS control modules can be simultaneously activated and designing provably correct controllers for simultaneous operation becomes critical; this subsection follows from [23], but see also [21].
In order to demonstrate adaptive cruise control and lane keeping in an experimental setting, we will consider a Khepera robot modeled as a unicycle model
[TABLE]
where represent the 2D position, orientation, and longitudinal and angular velocities of the robot respectively, with the resulting state vector. Further, is the longitudinal force and is the angular torque and serve as control inputs. The mass and inertia are respectively and represents the distance from the center of the wheel-base to the point of interest . This model can be written as a nonlinear control affine system as given in (1).
As mentioned, adaptive speed regulation consists of following a user-set speed when there is no vehicle ahead in the lane. This will be formulated as a soft constraint through a CLF. However, when there is a vehicle ahead, the speed needs to be adaptively reduced so as to maintain a follow distance based on a fixed time-headway. This will be enforced as a safety-critical constraint through the following CBF:
[TABLE]
Here, is the distance to the vehicle ahead, is minimum time-headway to be maintained, and is the velocity of the vehicle (follower)—see [20] for the derivation.
Similarly, the objective of lane keeping is to maintain the vehicle within the lane. We need to enforce a safety-critical constraint of the form , where is the lateral distance w.r.t. the center of the lane and is the distance from the center of the lane to either end of the lane that captures the lane width. We enforce this safety constraint through the following CBF:
[TABLE]
Here, is the maximum lateral acceleration and is the lateral velocity of the vehicle. The properties of this CBF are detailed in [21, 23].
Finally, the performance objectives such as driving the longitudinal velocity to a user-defined velocity (), creating a smoother path following (), and following the desired path () are specified through output functions that are regulated to zero through CLFs. As earlier, the CLF and CBF conditions are unified into a single controller via (CLF-CBF QP) given in Section II-C. Fig. 3a shows experimental results on the Khepera robot where the lane keeping and adaptive speed regulation safety constraints are enforced simultaneously. Fig. 3b illustrates the value of the CBFs in experiments and simulation.
V-C Dynamic Balancing on Segways
To demonstrate the application of control barrier functions as “safety filters,” we will consider their experimental realization on a Segway type robot, i.e., a two-wheeled inverted pendulum. In particular, this subsection summarizes the results of [32] which provided the first experimental evaluation of CBFs on a robotic system that is not statically stable. To realize these results, a Ninebot Segway was rebuilt, with only the original chassis and motors remaining—all of the electronics were customized to allow for the real-time control of the system via optimization based controllers. The objective is to ensure “safe” operation of the Segway, defined in this case as the robot not tipping over, i.e., always staying upright. Additionally, the goal is to achieve this safety condition even while using a nominal controller for the system (that may not be safe) and thus modifying the controller in a minimally invasive fashion so as to ensure safety. The result will be a safety filter, or an Active Set Invariance Filter (ASIF) of the form illustrated in Fig. 4, where the nominal control input, , is filtered through a QP of the form (CBF-QP) to ensure safety in the system.
The dynamics of the Segway can be written in the standard form given in (1), where in this case the input, , is the voltage input into the motors and , where is the forward velocity of the Segway, is the angle of the pendulum from upright, and is the rate of change of this angle. Correspondingly, there are input bounds on the system of the following form: (these input bounds will play a role in determining the CBF that will be implemented on hardware). The safety constraint for the system is that the pendulum component of the robot stays upright, i.e., that the Segway does not tip over. This can be captured by the condition that the angle of the pendulum, , stays within a bounded region, in this case chosen to be . To ensure valid inputs, we also restrict the rate of change of the angle of the pendulum to be , and the forward velocity of the Segway to be . Finally, the nominal controller for the system, , is chosen to be a standard PD controller that tracks a desired signal, i.e., an angle of the pendulum and velocity for the wheels.
Since the safety constraint is to keep the Segway upright, i.e., keep , one might be tempted to simply utilize two control barrier functions of the form:
[TABLE]
Yet, while these could be implemented via a CBF-QP to enforce these conditions, they will not enforce all of the additional constraints necessary to guarantee experimental implementation. Therefore, the Hamilton-Jacobi method [51] was utilized to determine the safe set resulting by enforcing all the above-mentioned constraints. In particular, a reachability analysis was performed over a 75x75x75 grid of the state space with the edges of the grid at the state constraints given in the previous paragraph. The resulting safe set can be seen in Fig. 5a. A control barrier function can then be synthesized from this set—in this case, polynomial regression was used to create an analytic expression that can be used in the safety filter.
The safety filter was implemented on hardware using the general framework indicated in Fig. 4. In particular, the CLF-QP was solved onboard the hardware on a BeagleBone Black with an average computation time of 0.4 ms, with the resulting signal passed to the motor controller. To demonstrate the ability of the ASIF to enforce safety, the desired pendulum angle was passed to the system in the form of a sinusoidal signal with an amplitude exceeding the angle constraint. Two experiments were then performed, one without and one with the ASIF, i.e., the CLF-QP active. The results can be seen in Fig. 5b, wherein the system remains safe only when the safety filter, implementing the CBF, is active. Finally, to show the potential power of CBFs, a disturbance is added to the system in the form of a kick: the system is able to stay upright, and hence safe, with CBFs while the system fails without them (illustrated in Fig. 5c).
V-D Long Duration Autonomy
Another robotic application of CBFs involves the long duration autonomy problem for multi-robot systems. This problem considers a team of robots deployed over long time scales which are asked to execute tasks (such as environmental monitoring, search and rescue, or precision agriculture) that require more than a single charge of the robots' batteries. An effective control paradigm to use in this case is constraint-based control [52], where survivability constraints, i.e., conditions for the robots to remain operational over long temporal scales, can be enforced by means of CBFs and included in a single constrained optimization problem.
Consider a collection of mobile robots, whose dynamics are modeled by the following control affine system:
[TABLE]
where and , , are the state and the input of robot , respectively, and and are locally Lipschitz. As the energy plays an important role in ensuring persistent operation, we augment the state by the energy stored in robot ’s battery obtaining: . The energy dynamics are given by
[TABLE]
where and are also assumed to be locally Lipschitz. The dynamics of the augmented state are then:
[TABLE]
We assume the robot workspace is endowed with charging stations, interpreted as regions of the state space where robots can charge their batteries. Letting
[TABLE]
be a static mapping from robot ’s state to its position , for ground robots or for aerial robots, we define
[TABLE]
as the function that evaluates the energy that robot requires to reach a charging station starting from position .
We are now ready to encode the survivability constraints mentioned above. Following what has been done in [53], survivability, realized by ensuring that each robot never gets stranded away from a charging station, is encoded by ensuring that the following always holds:
[TABLE]
i.e., each robot always has enough energy to reach a charging station with a minimum desired amount of energy, . Moreover, to prevent overcharging, we also want the following inequality to be always satisfied:
[TABLE]
We can combine these two objectives by defining the logical and of these constraints, , as
[TABLE]
and enforcing differential constraints affine in the control variable , which are analogous to (7), as shown in [54].
Considering the environmental monitoring task, we reformulate the task itself using CBFs which can be then combined with the ones related to survivability introduced above in order to implement persistent environmental monitoring [55]. Consider robots tasked with monitoring a compact and convex set . We can define a measure of the coverage quality by [56]:
[TABLE]
where is the ensemble state of the robots, is the Voronoi tessellation of the set , the value , encodes the importance of the point , and where the quality of the sensor coverage associated with the point decreases quadratically with the distance . The further away the point to monitor is, the worse the coverage is, and the higher the coverage cost is. Defining the barrier function related to the task as , where represents the ensemble compound state of the robots, containing and of each robot, we can express the constraint (7) as
[TABLE]
As shown in [22], the constraint (24) ensures that the zero superlevel set of the function is asymptotically stable, with the effect of minimizing the coverage cost defined above [55].
Additionally, safety, specifically intended as collision avoidance, can be guaranteed by ensuring that
[TABLE]
, where is the safety distance to be maintained between any two robots, and , located at positions and . Similarly to what has been done to obtain (22), we can define
[TABLE]
which combines energy and safety constraints, in order to formulate a differential constraint analogous to (24).
Thus, each robot executes the input solution of the following QP:
[TABLE]
where is a weighting factor and the gradients involved in the computation of the Lie derivatives are intended as a particular class of generalized gradients (see [54]). Note that introducing the relaxation variable , as discussed in Section II, allows us to trade the execution of the coverage task for safety and energy, i.e., survivability.
The persistent environmental monitoring strategy has been implemented on the Robotarium [27], where six ground mobile robots have been asked to monitor a given domain over a time horizon that is longer than their (simulated) battery life (see Fig. 6). The robots perform coverage control by minimizing the cost (23) by enforcing the constraint (24). Additionally, they have to avoid two obstacles moving in the environment (robots circled in red in Fig. 6) and never run out of energy. This is realized by means of the constraint (26). Six charging stations (blue circles, which turn yellow when the robots are charging) allow the robots to recharge their battery. The charging stations are projected onto the testbed, together with the boundary of the Voronoi tessellation of the domain to cover. The execution of the controller solution of (25) is summarized in Fig. 6.
VI Conclusions
This paper presented a summary of recent results in safety-critical control based upon a novel form of control barrier functions. The basic theoretical foundations of this formulation were reviewed, along with selected application domains. Due to the recent activity in this domain, and the pressing need for safety in the context of autonomous systems, the authors imagine that control barrier functions will become an essential component of modern control system design.
References
- [1] L. Lamport, “Proving the correctness of multiprocess programs,” IEEE Transactions on Control Engineering, vol. 3, no. 2, pp. 125–143, 1977.
- [2] ——, “Basic concepts,” in Advanced Course on Distributed Systems–Methods and Tools for Specification, ser. Lecture Notes in Computer Science, vol. 190. Springer, 1984.
- [3] B. Alpern and F. B. Schneider, “Defining liveness,” Information Processing Letters, pp. 181–185, 1985.
- [4] M. Nagumo, “Über die lage der integralkurven gewöhnlicher differentialgleichungen,” Proceedings of the Physico-Mathematical Society of Japan. 3rd Series, vol. 24, pp. 551–559, 1942.
- [5] F. Blanchini, “Set invariance in control,” Automatica, vol. 35, no. 11, pp. 1747–1767, 1999.
- [6] R. Abraham, J. E. Marsden, and T. Ratiu, Manifolds, tensor analysis, and applications. Springer Science & Business Media, 2012, vol. 75.
- [7] J.-M. Bony, “Principe du maximum, inégalité de harnack et unicité du probleme de cauchy pour les opérateurs elliptiques dégénérés,” Ann. Inst. Fourier (Grenoble), vol. 19, no. 1, pp. 277–304, 1969.
- [8] H. Brezis, “On a characterization of flow-invariant sets,” Communications on Pure and Applied Mathematics, vol. 23, no. 2, pp. 261–263, 1970.
