Practical Considerations for Discrete-Time Implementations of Continuous-Time Control Barrier Function-Based Safety Filters

TL;DR

This work analyzes a practical failure mode of continuous-time control barrier function (CBF) safety filters when implemented in discrete time: as $\|L_g L_f^{s-1} h(x)\|$ approaches zero, the safety filter can become inactive, risking safety violations and chattering between control modes. To address this, the authors propose three mitigation strategies: (1) augmenting the safety objective with a penalty term and switching to a safe backup policy near problematic regions, (2) transforming the safe set to shift away from critical regions, and (3) constructing an alternative safe set using multiple affine CBFs to avoid vanishing Lie derivatives. They validate these approaches in simulation on an ellipsoidal CBF for a linear system and in real-world Crazyflie 2.1 quadrotor experiments, demonstrating reduced chattering and preserved safety. The results provide practical guidelines for implementing discrete-time CBF safety filters in safety-critical, real-world systems.

Abstract

Safety filters based on control barrier functions (CBFs) have become a popular method to guarantee safety for uncertified control policies, e.g., as resulting from reinforcement learning. Here, safety is defined as staying in a pre-defined set, the safe set, that adheres to the system's state constraints, e.g., as given by lane boundaries for a self-driving vehicle. In this paper, we examine one commonly overlooked problem that arises in practical implementations of continuous-time CBF-based safety filters. In particular, we look at the issues caused by discrete-time implementations of the continuous-time CBF-based safety filter, especially for cases where the magnitude of the Lie derivative of the CBF with respect to the control input is zero or close to zero. When overlooked, this filter can result in undesirable chattering effects or constraint violations. In this work, we propose three mitigation strategies that allow us to use a continuous-time safety filter in a discrete-time implementation with a local relative degree. Using these strategies in augmented CBF-based safety filters, we achieve safety for all states in the safe set by either using an additional penalty term in the safety filtering objective or modifying the CBF such that those undesired states are not encountered during closed-loop operation. We demonstrate the presented issue and validate our three proposed mitigation strategies in simulation and on a real-world quadrotor.

Figures (4)

• Figure 1: Visualization of the case study in \ref{['sec:simu-and-exp']} for a linear system with an ellipsoidal CBF. The states for which $\lVert L_gh(x) \rVert$ is small allow the CBF-based safety filter to apply control inputs close to the uncertified control input, rendering the safety filter close to being inactive. Moreover, along the green line, the Lie derivative term $L_{g}h(x)$ is zero, and the relative degree $s$ does not equal one. In these states, the safety filter is completely inactive. In a discrete-time implementation, the instantaneous inactivity of the safety filter can result in undesirable inputs that cannot be corrected at the subsequent discrete-time step. In both cases, this can lead to chattering and/or safe set violations.
• Figure 2: A block diagram of a typical CBF-based safety filter framework. A CBF-based safety filter is augmented to an uncertified controller $\pi(x)$ and modifies the input of the uncertified controller if it is deemed unsafe.
• Figure 3: Demonstration of the undesired closed-loop behaviour when $\lVert L_g h(x) \rVert \to 0$ (see (a)) and our proposed mitigation strategies (see (b), (c), and (d)) in simulation. The closed-loop trajectories in (a, left) show the state trajectories using the uncertified control policy $\pi(x)$ and the certified control policy $u_s(x)$, respectively. In both cases, the system leaves the safe set $\mathbb{C}$. For the certified control policy, this is caused by the closed-loop trajectory $x_{u_{s}}$ entering the neighbourhood of states where $L_g h(x) = 0$ (indicated by $\mathbb{X}_{s \neq 1})$. This results in the system starting to chatter (see (a, right)) and eventually violating the safe set constraint $\mathbb{C}$. In (b), we prevent safety violations by adding our proposed penalty term to the safety filtering objective. Initially, the closed-loop system behaves similarly to the standard CBF-based safety filter. Then, the system switches to a backup control policy $\pi_{\text{safe}} = 0$ when it enters a neighbourhood of $\mathbb{X}_{s \neq 1}$. In (c), we successfully prevent chattering and safety violations by using a transformed safe set $\Tilde{\mathbb{C}}$. This allows the closed-loop system to safely pass through the set $\mathbb{X}_{s \neq 1}$ during the first couple of time steps and then stabilize at the final state in the simulation far from $\mathbb{X}_{s \neq 1}$. Finally, in (d), we demonstrate the mitigation of $\lVert L_g h(x) \rVert \to 0$ by using an alternative safe set $\Tilde{\mathbb{C}}$. Again, no safe set violations occur, as none of the affine constraints given by $h_i$ are parallel to the input matrix $B$. Therefore, $\mathbb{X}_{s \neq 1}$ is empty.
• Figure 4: Demonstration of the undesired closed-loop behavior when $\lVert L_g h(x)\rVert \to 0$ (see (a)) and our proposed mitigation strategies (see (b), (c), and (d)) on a real-world quadrotor system. The closed-loop trajectories in (a, left) show the state trajectories using the uncertified control policy $\pi(x)$ and the certified control policy $u_s(x)$, respectively. The quadrotor violates the safe set $\mathbb{C}$ for both scenarios. For the standard CBF-based safety filter, chattering happens when the system enters the vicinity of set $\mathbb{X}_{s \neq 1}$, which causes the quadrotor to leave the safe set. In (b), with our proposed penalty formulation, the system switches to the backup control policy $\pi_{\text{safe}} = 0$ when it enters the neighbourhood of $\mathbb{X}_{s \neq 1}$ and chattering is significantly reduced. Most importantly, the quadrotor strictly stays inside the safe set in this experiment. Then, in (c), when using a transformed safe set $\Tilde{\mathbb{C}}$, no chattering and safety violations can be observed. The quadrotor ends up hovering inside of the transformed safe set $\Tilde{\mathbb{C}}$. In (d), we apply an alternative safe set $\Tilde{\mathbb{C}}$ to achieve $L_g h_i(x) \neq 0$ for all $x \in \Tilde{\mathbb{C}}$. The quadrotor violates the new smaller safe set for a few states. However, the system stays inside the original safe set $\mathbb{C}$ throughout the experiment. No chattering is observed with this alternative safe set.

Theorems & Definitions (5)

• Definition 1: Extended class-$\mathcal{K}$ function ames2019a
• Definition 2: Positively control invariant set
• Definition 3: Relative degree khalil2002
• Definition 4: CBF ames2019a
• Definition 5: Higher-Order CBFxiao2021high