
gatekeeper: Online Safety Verification and Control for Nonlinear Systems in Dynamic Environments

Devansh R Agrawal, Ruichang Chen, Dimitra Panagou

TL;DR

The paper tackles safety guarantees for nonlinear robotic systems operating in dynamic environments with online perception, where the exact safe set is unknown. It introduces gatekeeper, a modular module that sits between planning and control and constructs infinite-horizon safety by forward-propagating a nominal trajectory over a short horizon and then switching to a backup controller, ensuring $x(t)\in\mathcal{S}(t)$ for all $t$. A formal framework defines $\mathcal{S}(t)$, a perceived safe set $\mathcal{B}_k(t)$, and a backup set $\mathcal{C}_k(t)$, along with ISS tracking guarantees and robust validity under disturbances, culminating in a theorem that committed trajectories preserve safety. The approach is demonstrated via a dynamic firefront (firewatch) mission and real quadrotor experiments, showing substantial computational efficiency (3–10x faster than MPC in some cases) and improved safety performance while maintaining near-nominal behavior. Gatekeeper thus offers a practical, scalable bridge between planners and controllers in safety-critical, perception-limited settings, with future work on backup-set design and multi-constraint safety scenarios.

Abstract

This paper presents the gatekeeper algorithm, a real-time and computationally-lightweight method that ensures that trajectories of a nonlinear system satisfy safety constraints despite sensing limitations. gatekeeper integrates with existing path planners and feedback controllers by introducing an additional verification step to ensure that proposed trajectories can be executed safely, despite nonlinear dynamics subject to bounded disturbances, input constraints and partial knowledge of the environment. Our key contribution is that (A) we propose an algorithm to recursively construct safe trajectories by numerically forward propagating the system over a (short) finite horizon, and (B) we prove that tracking such a trajectory ensures the system remains safe for all future time, i.e., beyond the finite horizon. We demonstrate the method in a simulation of a dynamic firefighting mission, and in physical experiments of a quadrotor navigating in an obstacle environment that is sensed online. We also provide comparisons against the state-of-the-art techniques for similar problems.

Paper Structure

This paper contains 22 sections, 3 theorems, 54 equations, 10 figures, 3 tables and 1 algorithm.

Key Result

Theorem 1

Suppose Assumptions (assump:bcal) to (assum:ccalk) hold. Suppose $p^{can, T_S}_0 : [t_0, \infty) \to \mathcal{X}$ is a candidate trajectory that is dynamically feasible with respect to the system dynamics (eqn:dynamics) and valid according to Definition 7 (Valid) for some $T_S \geq 0$. If, for every $k \in \mathbb{N}$, $p^{com}_{k} :[t_k, \infty

Figures (10)

  • Figure 1: Block diagram describing the gatekeeper algorithm. (a) shows that gatekeeper is an additional module that fits within the common perception-planning-control stack of a robotic system. (b) is a pictorial representation of Algorithm 1.
  • Figure 2: Notation used in this paper. The nominal planner can plan trajectories into unknown spaces, but gatekeeper ensures the committed trajectory lies within the estimated safe sets, for all future time.
  • Figure 3: Diagram depicting the challenge due to disturbances. (a) The green line shows the committed trajectory at iteration $k$, and the shaded region is the tube that contains the system trajectory. If the validation step only checks that the green tube lies within the safe set, a new candidate trajectory (red) cannot be committed, since the candidate tube (red shaded region) intersects the unsafe set. (b) shows the proposed approach, where safety is checked with respect to the yellow set, i.e., a tube of radius $R$ along the trajectory and a ball of radius $R+r$ at its end. This leaves sufficient margin to commit a new trajectory at the next iteration.
  • Figure 4: Simulation results from the Firewatch mission. (a) Snapshots of the fire and the trajectories executed by each of the three controllers. The fire is spreading outwards, and the helicopters are following its perimeter. The black line traces the nominal controller, the blue line the backup filter adapted from singletary2022onboard, and the green line the proposed controller. (b, c) show specific time windows in greater detail. At $t=0$, the gatekeeper controller behaves identically to the nominal controller, and makes small modifications only when necessary to ensure safety. The backup filter is conservative, driving the helicopter away from the fire and slowing it down. (d) Plot of the minimum distance to the fire front over time for each controller. (e) The nominal controller becomes unsafe three times, while FASTER, the backup controller, and the gatekeeper controller maintain safety. Animations are available at gatekeeperRepo.
  • Figure 5: (Left) Simulation environment comprising a quadrotor navigating a 50 m long corridor with randomly scattered cylindrical obstacles of various heights and radii. This picture depicts the "Easy 1" world. (Right) The point-cloud sensor data received by the quadrotor describing the environment. From the point cloud, a signed distance field (SDF) representation of the environment is constructed. A safe flight corridor (SFC), i.e., a convex polyhedron of obstacle-free space centered on the quadrotor, is extracted and used as the perceived safe set. The nominal planner treats unknown regions as free, while gatekeeper treats unknown regions as occupied.
  • ...and 5 more figures
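The commit-or-keep loop sketched in the TL;DR and abstract, together with the robust validity check of Figure 3 (a tube of radius $R$ along the candidate and a ball of radius $R+r$ at its end), as an added illustration in Python. This is not the authors' code or the gatekeeperRepo implementation: it uses a 1-D double integrator with full state knowledge, a wall that is only perceived once within sensing range (space beyond the sensed frontier is treated as occupied, as in the quadrotor setup of Figure 5), a saturated brake-and-hold PD regulator as the backup controller, and a worst-case constant disturbance that pushes the vehicle toward the wall. The margins `R` and `SLACK` (the paper's $R$ and $r$) are assumed tracking bounds standing in for the ISS bound the paper derives; all parameter values and the backup set $\{x + R + r \le \text{frontier},\ |v| \le v_{tol}\}$ are choices made for this example. The point to take away is the fail-safe default: when no new candidate passes the check, the previously committed trajectory (which ends in the backup set) keeps executing, so safety never depends on the nominal planner being right.

```python
"""Illustrative 1-D gatekeeper loop (added example; not the authors' code).

Plant: x'' = u + d with |u| <= U_MAX and an unmodelled disturbance |d| <= D_MAX.
A wall at x = WALL is perceived only once within SENSE_RANGE; everything beyond
the sensed frontier is treated as occupied. R and SLACK are *assumed* tracking
bounds (the paper's R and r), not derived here.
"""

DT, U_MAX, V_MAX = 0.1, 1.0, 2.0      # step, input bound, nominal cruise speed
D_MAX = 0.03                          # disturbance bound the planner does not model
WALL, GOAL, SENSE_RANGE = 10.0, 20.0, 3.0
R, SLACK = 0.3, 0.2                   # assumed tube radius and end-ball slack (R, r)
T_B, V_TOL = 4.0, 0.05                # backup-phase length, "stopped" tolerance
T_S_CHOICES = (1.0, 0.5, 0.2, 0.0)    # nominal horizons tried, longest first
KP, KD = 2.0, 3.0                     # backup hold-controller gains (overdamped)

def clip(a, lo, hi):
    return max(lo, min(hi, a))

def step(x, v, u, d=0.0):
    """Explicit-Euler plant; the same model is used for prediction and for the true plant."""
    return x + v * DT, v + (clip(u, -U_MAX, U_MAX) + d) * DT

def nominal(x, v):
    """Nominal controller: cruise at V_MAX toward GOAL, blind to obstacles."""
    v_des = V_MAX if x < GOAL else 0.0
    return clip((v_des - v) / DT, -U_MAX, U_MAX)

def backup(x, v, x_hold):
    """Backup controller: saturated PD that brakes and then holds x_hold."""
    return clip(-KP * (x - x_hold) - KD * v, -U_MAX, U_MAX)

def build_candidate(x, v, t_s):
    """Forward-propagate nominal inputs for t_s seconds, then the backup controller for T_B."""
    states, inputs = [(x, v)], []
    for _ in range(int(round(t_s / DT))):
        u = nominal(x, v)
        inputs.append(u)
        x, v = step(x, v, u)
        states.append((x, v))
    xh, vh = x, v                      # hold point = predicted stop under full braking
    while vh > 0:
        xh, vh = step(xh, vh, -U_MAX)
    for _ in range(int(round(T_B / DT))):
        x, v = step(x, v, backup(x, v, xh))
        states.append((x, v))
    return states, {"inputs": inputs, "x_hold": xh}

def is_valid(states, frontier):
    """Tube of radius R along the whole candidate, ball of radius R+SLACK at its end, and stopped."""
    if any(x > frontier - R for x, _ in states):
        return False
    x_end, v_end = states[-1]
    return x_end + R + SLACK <= frontier and abs(v_end) <= V_TOL

def run_gatekeeper(n_steps=600, disturbance=D_MAX):
    """Commit a new candidate when one validates, otherwise keep executing the old one."""
    x, v, known_free, committed, k0, trace = 0.0, 0.0, 0.0, None, 0, []
    for k in range(n_steps):
        sensed = WALL if WALL - x <= SENSE_RANGE else x + SENSE_RANGE
        known_free = max(known_free, sensed)       # map only grows; unknown = occupied
        for t_s in T_S_CHOICES:
            states, plan = build_candidate(x, v, t_s)
            if is_valid(states, known_free):
                committed, k0 = plan, k
                break
        if committed is None:                      # theorem precondition: a valid initial candidate
            raise RuntimeError("no valid initial candidate")
        off = k - k0                               # position within the committed trajectory
        if off < len(committed["inputs"]):
            u = committed["inputs"][off]           # still in the open-loop nominal phase
        else:
            u = backup(x, v, committed["x_hold"])  # backup phase of the committed trajectory
        x, v = step(x, v, u, disturbance)          # worst case: constant push toward the wall
        trace.append(x)
    return trace

def run_nominal_only(n_steps=600, disturbance=D_MAX):
    """Same plant and disturbance, nominal controller alone (no verification step)."""
    x, v, trace = 0.0, 0.0, []
    for _ in range(n_steps):
        x, v = step(x, v, nominal(x, v), disturbance)
        trace.append(x)
    return trace

if __name__ == "__main__":
    gk, nom = run_gatekeeper(), run_nominal_only()
    print(f"gatekeeper: max x = {max(gk):.2f} (wall at {WALL}), final x = {gk[-1]:.2f}")
    print(f"nominal   : max x = {max(nom):.2f} (crosses the wall)")
```

The candidate is propagated with the disturbance-free model while the plant is driven with the disturbance, which is why the check shrinks the perceived safe set by `R` along the path and by `R + SLACK` at the end instead of testing the bare trajectory. Dropping the `known_free = max(...)` accumulation (so the perceived set could shrink between iterations) would break the inductive argument the paper's theorem relies on, because a kept trajectory was validated against the previous iteration's set.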

Theorems & Definitions (24)

  • Definition 1: Controlled-Invariant Set
  • Definition 2: Robustly Controlled-Invariant Set
  • Definition 3: Trajectory
  • Definition 4: Input-to-State Stable Observer-Controller
  • Definition 5: Backup Controller
  • Remark 1
  • Remark 2
  • Remark 3
  • Definition 6: Candidate Trajectory
  • Definition 7: Valid
  • ...and 14 more