Adaptive Safety with Control Barrier Functions

Adaptiv e Safety with Contr ol Barrier Functions Andre w J. T aylor and Aaron D. Ames Abstract — Adaptive Control L yapunov Functions (aCLFs) were introduced 20 years ago, and provided a L yapunov- based methodology for stabilizing systems with parameter uncertainty . The goal of this paper is to re visit this classic formulation in the context of safety-critical control. This will motivate a variant of aCLFs in the context of safety: adaptive Control Barrier Functions (aCBFs) . Our proposed approach adaptively achieves safety by keeping the systems state within a safe set even in the pr esence of parametric model uncertainty . W e unify aCLFs and aCBFs into a single control methodology for systems with uncertain parameters in the context of a Quadratic Pr ogram (QP) based framew ork. W e validate the ability of this unified framework to achie ve stability and safety in an adaptive cruise control (A CC) simulation. I . I N T RO D U C T I O N In many modern control applications, safety is of critical importance. It is impossible to model the system dynamics in these applications exactly—that is, parameters of the model may not match the real system. For instance, the mass and electrical properties of robotic systems are often approximate values. Thus, to truly enforce safety , it is necessary to quantify safety in the context of unknown parameters. The use of Control Barrier Functions (CBFs) [1], [2] for ensuring safety of nonlinear control systems has become increasingly popular [18], [25], [26]. Controllers synthesized via CBFs rely on a model, and the guarantees they achiev e may fail in the presence of model uncertainty . Robust control methods can ensure safety [7], [28] or quantify how safety properties degrade [9] in the presence of model uncertainty , but may be overly conservati ve in restricting the behavior of the system. Data-driv en methods employing machine learning [19], [5] provide probabilistic safety guarantees, but may require episodic, offline training to improve model estimates [6]. In this paper , we focus on an online, adaptive approach to ensuring that a system remains safe in the presence of model uncertainty . Adaptiv e control seeks to update a model of the system as it ev olves to achieve stability or a desired level of performance [10]. In particular , we build upon the idea of adaptive Control L yapunov Functions (aCLFs) [11], which hav e been used to stabilize nonlinear systems in the presence of parametric model uncertainty [12], [13], [15]. That is, the goal of this paper is to find conditions for adapti ve safety (via Control Barrier Functions) equi valent to those derived for adaptive stability (via Control L yapunov Functions). One challenge in developing adapti ve control methods that guarantee safety is ensuring that the a nonlinear system’ s Both authors are with the Department of Computing and Mathematical Sciences, California Institute of T echnology , Pasadena, CA 91125, USA ajtaylor@caltech.edu, ames@caltech.edu state remains within a prescribed safe set at all times. In contrast, guarantees on stability provided by aCLFs describe the behavior of the state and parameter estimation error jointly , allowing the state to gro w large before stabilizing, as long as the parameter estimation error diminishes. T o achiev e this stricter guarantee of safety , we le verage stronger assumptions on the initial parameter estimation error . The end result are conditions for safety even under the presence of model uncertainty , i.e., that a system with unknown parameters can be rendered safe for all time. The main contribution of this paper is a formal method- ology for ensuring safety in nonlinear (control affine) sys- tems with parameter uncertainty through the formulation of adaptive Contr ol Barrier Functions (aCBFs) . Like aCLFs, aCBFs provide a framew ork for updating model parameter estimates online, but do so to ensure safety . Unlike aCLFs, aCBFs require a different viewpoint on adapti ve control to make stronger statements on the behavior of the system’ s state. T o the best of our knowledge, our approach is the first that adaptively ensures safety utilizing CBFs. The definitions and results in this paper provide the first steps towards a framew ork for adapti ve safety unifying both online and data- driv en, episodic updates of model parameters. This paper is organized as follows. Section II re views CLFs and aCLFs and how quadratic program based con- trollers can be synthesized to adaptiv ely stabilize a system. Section III discusses CBFs and how the y can be used to ensure the safety of a system. Section IV provides the main result of the paper by defining aCBFs, and shows how a sys- tem can be rendered adaptiv ely safe in the presence of model uncertainty . Section V offers a discussion on the assumptions and constraints made in the preceding section through a counter example. Section VI presents simulation results for an adaptive cruise control (A CC) system using both a safety- critical controller and a quadratic program based controller implementing an aCLF and an aCBF simultaneously . I I . A DA P T I V E C O N T RO L L Y A P U N O V F U N C T I O N S T o dev elop provably correct controllers for nonlinear sys- tems, it is typically assumed that the model is known. Y et there are many practical applications where this assumption is not adequate. A simple illustration is a mechanical system whose parameters (masses, inertias, etc) are not completely known—and one may not want to treat the unknown model parameters as a perturbation from nominal parameters since this would only guarantee stability to a region corresponding to a bound on this difference (which also may not be kno wn). The purpose of this section, therefore, is to re view the framew ork of adaptiv e Control L yapunov Functions. Consider a state space X ⊂ R n and a control input space U ⊂ R m , where it is assumed X is path-connected and 0 ∈ X . Consider the affine dynamic system giv en by: ˙ x = f ( x ) + g ( x ) u (1) where x ∈ X , u ∈ U , f : X → R n and g : X → R n × m are smooth on X . W e additionally assume f ( 0 ) = 0 . W e will use the following definition, found in [8], to study the stability of (1). Definition 1 ( Class K Function) . A continuous function α : [0 , a ) → R + , with a > 0 , is a class K function ( α ∈ K ) if α (0) = 0 and α is strictly monotonically increasing. If a = ∞ and lim r →∞ α ( r ) = ∞ , then α is said to be a class K ∞ function ( α ∈ K ∞ ). Giv en this definition, we can define a Control L yapunov Function (CLF) as in [3], [14]. Definition 2 ( Contr ol L yapunov Function (CLF)) . A smooth function V : X → R + is a Control Lyapuno v Function (CLF) for (1) if there exists α 1 , α 2 , α 3 ∈ K ∞ such that: α 1 ( k x k ) ≤ V ( x ) ≤ α 2 ( k x k ) (2) inf u ∈U ˙ V ( x , u ) ≤ − α 3 ( k x k ) (3) for all x ∈ X . This definition can be constructed with α 1 , α 2 , α 3 ∈ K , with resulting stability guarantees holding locally . The existence of a CLF for (1) implies there exists a smooth (except at x = 0 ) state-feedback controller k : X → U , that renders the origin globally asymptotically stable [3], [22], noting that global refers to the state space X . k can be made continuous at 0 if V satisfies the small control property [23]. Follo wing the classic formulation of aCLFs in [11], un- certainty in the dynamics (1) appears as: ˙ x = f ( x ) + F ( x ) θ ? + g ( x ) u , (4) where θ ? ∈ Θ ⊂ R p is a vector of unknown parameters and F : X → R n × p is assumed to be smooth on X with F ( 0 ) = 0 . The impossibility of designing explicit controllers that are robust to unbounded unknown parameters suggests that we need to consider a larger class of controllers to stabilize (4). In particular, controllers that update an estimate of the unknown parameters. These are called adapti ve controllers, and take the form: u = k ( x , b θ ) (5) ˙ b θ = Γ τ ( x , b θ ) , (6) where b θ ∈ Θ represents an estimate of the parameters θ ? maintained by the controller , Γ ∈ R n × n is a matrix adaptiv e gain, and τ : X × Θ → R p is the adaptation law . W e make the following assumption on these functions: (A1) k is locally Lipschitz continuous on ( X \{ 0 } ) × Θ and k ( 0 , b θ ) = 0 , (A2) τ is locally Lipschitz continuous on X × Θ , (A3) Γ ∈ R p × p is symmetric and positive-definite. Introducing this parameter update results in a composite dynamic system: " ˙ x ˙ b θ # = " f ( x ) + F ( x ) θ ? + g ( x ) k ( x , b θ ) Γ τ ( x , b θ ) # (7) Solutions to this system ev olve in X × Θ . Giv en this construction we introduce the following definition from [11]: Definition 3 ( Globally Adaptively Stabilizable) . The system with unknown parameters (4) is globally adaptively stabiliz- able if there exists a dynamic controller of the form (5)-(6) satisfying (A1)-(A3) such that solutions ( x ( t ) , b θ ( t )) of (7) are globally bounded and lim t →∞ x ( t ) = 0 . Remark 1 . Note that the requirements for global adaptive stabilizability are rather weak in the sense that b θ is not required to conv erge to θ ? . W e will see, in fact, that con vergence of b θ to θ ? is not necessary for x ( t ) to con ver ge to the equilibrium. The strategy in designing adaptiv e controllers is to show that this problem is equiv alent to a non-adaptiv e controller design problem. Such equiv alence is shown via the notion of adaptive control L yapunov functions as in [11]: Definition 4 ( Adaptive Contr ol Lyapunov Function (aCLF)) . Let α 1 ( · , θ ) , α 2 ( · , θ ) , α 3 ( · , θ ) ∈ K ∞ for all θ ∈ Θ . A smooth function V a : X × Θ → R + , satisfying: α 1 ( k x k , θ ) ≤ V a ( x , θ ) ≤ α 2 ( k x k , θ ) , (8) is called an adaptive Contr ol L yapunov Function (aCLF) for (4) if there exists a symmetric positi ve-definite matrix Γ ∈ R p × p such that for every θ ∈ Θ , V a is a CLF for the system: ˙ x = f ( x ) + F ( x ) λ clf ( x , θ ) + g ( x ) u , (9) where λ clf ( x , θ ) , θ + Γ  ∂ V a ∂ θ ( x , θ )  T . (10) That is, inf u ∈U  ∂ V a ∂ x ( f ( x ) + F ( x ) λ clf ( x , θ ) + g ( x ) u )  ≤ − α 3 ( k x k , θ ) . (11) Adaptiv e control L yapunov functions can be used to obtain the following result establishing the equiv alence between the original adaptive controller design problem and a non- adaptiv e one. Theorem 1. [11] System (4) is globally adaptively stabiliz- able iff there exists an aCLF for (4) . It is useful to gi ve a sketch of the proof for the sufficiency portion of this result, as it will inform the proof of the analogous result in the context of control safety functions. Sketch. Assume that we ha ve an aCLF V a for (4). As V a is a CLF for (9) with θ = ˆ θ , we can construct a smooth (away from x = 0 ) controller u = k ( x , b θ ) stabilizing (9) (a specific example of a Lipschitz continuous controller will be giv en after the proof), i.e., we can construct a controller u = k ( x , b θ ) such that: L ˜ f clf V a ( x, b θ ) + L g V a ( x , b θ ) k ( x , b θ ) ≤ − α 3 ( k x k , b θ ) , (12) where ˜ f is giv en by: ˜ f clf ( x , b θ ) = f ( x ) + F ( x ) λ clf ( x , b θ ) . (13) W e note that this controller only depends on the current estimate of the parameters b θ , and does not depend on the actual parameters θ ? . Define the parameter error: e θ = θ ? − b θ (14) to be the difference between the actual and estimated pa- rameters. Consider no w the candidate composite L yapunov function: V ( x , b θ ) = V a ( x , b θ ) + 1 2 e θ T Γ − 1 e θ . (15) Computing its deriv ative we obtain: ˙ V = ˙ V a − e θ T Γ − 1 ˙ b θ ≤ − α 3 ( k x k , b θ ) + e θ T a ( x , b θ ) −  ∂ V a ∂ θ ( x , b θ )  Γa ( x , b θ ) . where: a ( x , b θ ) =  ∂ V a ∂ x ( x , b θ ) F ( x )  T − τ ( x , b θ ) ! . (16) It is now easy to see that using the update law τ ( x , b θ ) =  ∂ V a ∂ x ( x , b θ ) F ( x )  T (17) implies ˙ V ≤ − α 3 ( k x k , b θ ) , (18) from which we conclude that the equilibrium point ( 0 , θ ? ) of (7) is globally stable. In particular , we see that ( x ( t ) , b θ ( t )) is globally bounded. It no w follows from the LaSalle in variance principle that x ( t ) con ver ges to the largest in v ariant subset of the collection of points x ∈ X satisfying α 3 ( k x k , b θ ) = 0 which is the singleton x = 0 . As noted in the preceding proof, given an aCLF V a , we can correspondingly synthesize a Lipschitz continuous controller u = k ( x , b θ ) . This can be achie ved in a point-wise optimal fashion by considering an optimization based control framew ork. In particular , since the aCLF condition (11) is satisfied, we can consider the following quadratic program: k ( x , b θ ) = argmin u ∈U 1 2 k u k 2 (aCLF-QP) s . t . ∂ V a ∂ x ( x , b θ )  ˜ f clf ( x , b θ ) + g ( x ) u  ≤ − α 3 ( k x k , b θ ) This QP based controller will be guaranteed to ha ve a solution, again because (11) is satisfied, and is Lipschitz continuous [16]. Moreov er , a closed form solution to this optimization problem, termed the min-norm contr oller , can be obtained via the KKT conditions [4]. T o see this, define: φ 0 ( x , b θ ) , ∂ V a ∂ x ( x , b θ ) ˜ f clf ( x , b θ ) + α 3 ( k x k , b θ ) φ T 1 ( x , b θ ) , ∂ V a ∂ x ( x , b θ ) g ( x ) wherein the solution to (aCLF-QP) follows from : k ( x , b θ ) = ( − φ 0 ( x , b θ ) φ 1 ( x , b θ ) φ T 1 ( x , b θ ) φ 1 ( x , b θ ) if φ 0 ( x , b θ ) > 0 0 if φ 0 ( x , b θ ) ≤ 0 I I I . C O N T RO L B AR R I E R F U N C T I O N S The goal of this work is to provably enforce safety , ev en in the context of uncertain models. As a result, we will leverage the framework of Control Barrier Functions (CBFs) [1], [2], [28]. This section, therefore, will re vie w the basic concepts related to these functions and corresponding controller synthesis. In the context of safety , we consider a set S defined as the 0-superlev el set of a continuously dif ferentiable function h : X → R , yielding: S , { x ∈ X | h ( x ) ≥ 0 } , (19) ∂ S , { x ∈ X | h ( x ) = 0 } , (20) in t( S ) , { x ∈ X | h ( x ) > 0 } , (21) W e refer to S as the safe set . Consider again the known dynamics (1). A feedback controller u = k ( x ) induces closed loop dynamics: ˙ x = f cl ( x ) , f ( x ) + g ( x ) k ( x ) (22) which is assumed to be locally Lipschitz continuous. This as- sumption implies that for any initial condition x 0 ∈ X there exists a maximum interval of existence I ( x 0 ) = [0 , τ max ) such that x ( t ) is the unique solution to (22) on I ( x 0 ) ; in the case when f cl is forward complete, τ max = ∞ . This notation allows us to define forward inv ariance and safety: Definition 5 ( F orwar d Invariant) . The set S is forward in variant if for every x 0 ∈ S , x ( t ) ∈ S for x (0) = x 0 and all t ∈ I ( x 0 ) . Definition 6 ( Safety) . The system (22) is safe with respect to the set S if the set S is forward inv ariant. It is desirable to achiev e safety without the need to specify a specific controller as was done in (22). This leads to the notion of Control Barrier Functions. Before defining these, we require the following definition as in [2]: Definition 7 ( Extended Class K Function) . A continuous function α : ( − b, a ) → R , with a, b > 0 , is an extended class K function ( α ∈ K e ) if α (0) = 0 and α is strictly monotonically increasing. If a, b = ∞ , lim r →∞ α ( r ) = ∞ , lim r →−∞ α ( r ) = −∞ . then α is said to be an extended class K ∞ function ( α ∈ K ∞ ,e ). This enables the following definition as in [2]: Definition 8 ( Contr ol Barrier Function (CBF)) . Let S ⊂ X be the 0-superlev el set of a continuously dif ferentiable function h : X → R . h is a Contr ol Barrier Function (CBF) for S if there exists an extended class K ∞ function α such that for the system (1): sup u ∈U [ L f h ( x ) + L g h ( x ) u + α ( h ( x ))] ≥ 0 . (23) for all x ∈ S . W e can consider the pointwise set consisting of all control values that render S safe: K cbf ( x ) = { u ∈ U : L f h ( x ) + L g h ( x ) u + α ( h ( x )) ≥ 0 } . (24) The main results of [1], [28] is that the e xistence of a CBF for S implies the system (1) can be rendered safe with respect to S : Theorem 2. Given a set S ⊂ X defined as the 0-superlevel set of continuously differ entiable function h : X → R , if h is a CBF on S , then any Lipschitz continuous contr oller k such that k ( x ) ∈ K cbf ( x ) for all x ∈ S r enders the system (1) safe with respect to the set S . In addition, if k ( x ) ∈ K cbf ( x ) for all x ∈ X , then the set S is asymptotically stable in X . I V . A D AP T I V E C O N T R O L B A R R I E R F U N C T I O N S Motiv ated by the construction of adaptiv e control L ya- punov functions (aCLFs), we now explore the notion of an adaptiv e Control Barrier Function. W e again assume the control system has the form gi ven in (4), wherein θ ? is a set of unknown parameters, and extend the previous construction of the safe set S to be parameter dependent. In this case, we construct a family of safe sets parameterized by θ and defined as the 0-superlevel sets of a continuously differentiable function h a : X × Θ → R : S θ , { x ∈ X | h a ( x , θ ) ≥ 0 } , (25) ∂ S θ , { x ∈ X | h a ( x , θ ) = 0 } , (26) in t( S θ ) , { x ∈ X | h a ( x , θ ) > 0 } , (27) In particular , we will see this construction allows the states in the state space that are considered safe to change according to the current estimate of the parameters. If set in the state space to be kept safe is independent of the parameters, the preceding construction is identical to that in (19)-(21). Giv en this construction, we can define adapti vely safe in a similar fashion to the definition of global adapti vely stabilizable given in Definition 3 (note that in this case we opt for a local rather than global definition). Definition 9 ( Adaptively Safe) . The system with unkno wn parameters (4) can be rendered adaptively safe with respect to a family of sets S b θ if there exists a dynamic controller of the form (5)-(6) satisfying (A1)-(A3) such that solutions ( x ( t ) , b θ ( t )) of (7) controlled by (5)-(6) satisfy x ( t ) ∈ S b θ ( t ) for all t ∈ I ( x (0) , b θ (0)) . This definition implies that the state of the system must remain within a potentially time-v arying set, S b θ ( t ) , e ven in the presence of uncertainty in the dynamics. It is not necessary that the parameters con ver ge, or even that they remain bounded, as in the adaptively stabilizable formulation. As will be seen, this is inherently connected to the fact that safety does not force the system to con verge to an equilibrium point, but only requires it remains within a set. Before defining aCBFs, we also specify that a set of adaptiv e gains G is defined such that: Γ ∈ G = ⇒ Γ satisfies A(3) . (28) W e note that G need not be all values of Γ satisfying A(3). W e can now define aCBFs as an extension of Definitions 4 and 8. Definition 10 ( Adaptive Contr ol Barrier Function (aCBF)) . Let S θ ⊂ X be a family of 0-superle vel sets of a contin- uously differentiable function h a : X × Θ → R , with ∂ h a ∂ x Lipchitz continuous. Then h a is an adaptive contr ol barrier function (aCBF) on the family of sets S θ ov er adaptive gains G for (4) if for any θ ∈ Θ and Γ ∈ G : sup u ∈U  ∂ h a ∂ x ( x , θ ) ( f ( x ) + F ( x ) λ cbf ( x , θ ) + g ( x ) u )  ≥ 0 . (29) with λ cbf ( x , θ ) , θ − Γ  ∂ h a ∂ θ ( x , θ )  T . (30) Let us make a few observations of this definition: Remark 2 . As will be seen in the proof that an aCBF can ensure a system is adaptiv ely safe, there is a requirement on the smallest eigen value of Γ . As not e very value of Γ satisfying A(3) will satisfy this requirement, we must consider a restricted set of values for Γ , gi ven by G . This leads to the incorporation of the set G in the definition of an aCBF . If the family of sets S θ does not depend on θ , such that: ∂ h a ∂ θ ( x , θ ) ≡ 0 , (31) then Γ will not appear in (29). This implies h a being an aCBF for (4) will not depend on G . Remark 3 . The constraint in (29) differs from (23) in that the term α ( h a ( x , θ )) does not appear . Rather , this closely resembles early definitions of barrier certificates and L ya- punov barrier functions [21], [27], [24], which did not allo w the state to approach the boundary of the safe sets, enforcing forward inv ariance of level sets of h a . As will be shown in Section V, using the constraint from (23) doesn’t lead to the state safe set remaining forward inv ariant. W e note that a QP-based Lipschitz continuous con- troller attaining safety can be constructed similarly to the (aCLF-QP) gi ven an aCBF . W e now have the necessary framew ork in which to present the main result of this paper — that the existence of an aCBF implies safety of the family of sets S b θ ev en under parameter uncertainty . Theorem 3. Let h a : X → R be an adaptive control barrier function on the family of sets S b θ over G . Assume that e θ 0 = e θ (0) with k e θ 0 k 2 ≤ c for c > 0 and x 0 = x (0) ∈ int( S b θ 0 ) If ther e exists a positive definite gain matrix, Γ ∈ G , such that: λ min ( Γ ) ≥ c 2 2 h a ( x 0 , b θ 0 ) , (32) then ther e exists a Lipschitz continuous function τ ( x , b θ ) such that for the update law: ˙ b θ = Γ τ ( x , b θ ) , (33) the family of sets S b θ is forward in variant. The main idea is to approach the proof much in the same way as the proof of Theorem 1. Y et the construction of a composite CBF as was done in (15) in the case of aCLFs requires more care. Adding the parameter error term would result in the composite safety function 0-superlev el set properly containing the 0-superlev el set of the aCBF , adding additional states to the set that can be rendered safe. This extension of the safe set can be quantified if the parameter estimates (and thus the parameter error) remains bounded, as in the case of aCLFs, but this is not guaranteed giv en the necessary form of τ . Pr oof. Define the following composite candidate CBF for the extended system dynamics (7): h ( x , b θ ) = h a ( x , b θ ) − 1 2 e θ T Γ − 1 e θ (34) By assumption, x 0 ∈ int( S b θ 0 ) , implying that h a ( x 0 , b θ 0 ) > 0 . Further, our assumption that k e θ 0 k 2 ≤ c implies that: 1 2 ˜ θ > 0 Γ − 1 ˜ θ 0 ≤ 1 2 λ min ( Γ ) k ˜ θ 0 k 2 2 ≤ c 2 2 λ min ( Γ ) (35) Therefore, choosing Γ such that λ min ( Γ ) ≥ c 2 2 h a ( x 0 , b θ 0 ) (36) leads to: h ( x 0 , b θ 0 ) ≥ 0 (37) Now consider the time deriv ative of h as giv en in T able I. The second equality follows the addition and subtraction of the term: ∂ h a ∂ x ( x , b θ ) F ( x ) b θ − Γ  ∂ h a ∂ θ ( x , b θ )  > ! (38) The third equality is a rearrangement rev ealing the form of the aCBF time deriv ative as gi ven in (29)-(30). In particular , condition (29) permits the choice of an input u such that the first inequality is satisfied. Choosing the update law τ as: τ ( x , b θ ) = −  ∂ h a ∂ x ( x , b θ ) F ( x )  > (39) results in the last inequality . This inequality , in conjunction with (37) and the comparison lemma in [8] imply that h ( x ( t ) , b θ ( t )) ≥ 0 (40) for all t ≥ 0 . Giv en the construction of h in (34), it follows that: h a ( x ( t ) , b θ ( t )) ≥ 1 2 e θ ( t ) > Γ − 1 e θ ( t ) ≥ 0 . (41) Lastly , we conclude that x ( t ) ∈ S b θ ( t ) for t ≥ 0 . The proof re veals that superle vel sets of h are forward in variant. As h can not be computed without knowing the true parameters θ ? , it is not possible to set ˙ h ≥ − α ( h ) as is typical with CBFs. Furthermore, we ha ve that h a ≥ h , implying that − α ( h a ) ≤ − α ( h ) . Thus setting ˙ h ≥ − α ( h a ) does not yield the desired lo wer bound on ˙ h . One may note that setting ˙ h ≥ − α ( h a ) leads to ˙ h ≥ 0 when h a = 0 , or when the state is on the boundary of the safe set. This fact is concurrent with the common forward in variance proof technique utilizing Nagumo’ s theorem [17]. Despite this, it is in fact possible to construct simple examples (in R 2 ) such that the state must leave the safe set defined by h a for any choice of differentiable α and Γ as shown in Section V. Remark 4 . The assumption on e θ implies that the initial pa- rameter error must be bounded, unlike the aCLF formulation. This is due to the fact that we seek to keep a particular set forward inv ariant. In contrast, the only set kept prov ably forward in variant in the aCLF formulation is the suble vel set of the composite L yapunov function V corresponding to the initial conditions ( x (0) , b θ (0)) . Ev aluating that set would too require assumptions on the boundedness of e θ (0) . Additionally , while this may seem restrictiv e, we note that the input for the system will not be chosen to be robust to all uncertainties in this initial uncertainty set. Rather, the uncertainty will be handled by adapting parameter estimates. Remark 5 . The lower bound on the adaptiv e gain allows us to ensure that the system can adapt quickly enough to ensure safety from the given initial condition. Initial distance from the safety set boundary and smaller possible initial parameter error allow the adaptive gain to be made smaller . A quadratic program based controller similar to (aCLF-QP) can be constructed using an aCBF . T o this end, we adopt the safety-critical control formulation in [25], [7] that filters a desired b ut potentially unsafe controller k d : X × Θ → U to find the nearest safe control action: k ( x , b θ ) = argmin u ∈U 1 2 k u − k d ( x , b θ ) k 2 (aCBF-QP) s . t . ∂ h a ∂ x ( x , b θ )( ˜ f cbf ( x , b θ ) + g ( x ) u ) ≥ 0 where e f cbf is defined like e f clf in (13). As with (aCLF-QP), this quadratic program has a closed form solution. V . A N A L Y S I S O F A C B F F O R M U L A T I O N In this section we analyze the aCBF conditions to verify that, in fact, they do not appear ov erly conserv ati ve. In partic- ular , changing the aCBF condition ˙ h a ≥ 0 to ˙ h a ≥ − α ( h a ) does not necessarily lead to adaptiv e safety . Consider the simple dynamic system given by: ˙ x = θ + u (42) ˙ h ( x , b θ , u ) = ∂ h a ∂ x ( x , b θ ) ( f ( x ) + F ( x ) θ ? + g ( x ) u ) + ∂ h a ∂ θ ( x , b θ ) ˙ b θ + e θ > Γ − 1 ˙ b θ = ∂ h a ∂ x ( x , b θ ) ( f ( x ) + F ( x ) θ ? + g ( x ) u ) + ∂ h a ∂ θ ( x , b θ ) Γ τ ( x , b θ ) + ∂ h a ∂ x ( x , b θ ) F ( x ) b θ − Γ  ∂ h a ∂ θ ( x , b θ )  > ! − ∂ h a ∂ x ( x , b θ ) F ( x ) b θ − Γ  ∂ h a ∂ θ ( x , b θ )  > ! + e θ T τ ( x , b θ ) = ∂ h a ∂ x ( x , b θ ) f ( x ) + F ( x ) b θ − Γ  ∂ h a ∂ θ ( x , b θ )  > ! + g ( x ) u ! + ∂ h a ∂ x ( x , b θ ) F ( x ) e θ + Γ  ∂ h a ∂ θ ( x , b θ )  > ! + ∂ h a ∂ θ ( x , b θ ) Γ τ ( x , b θ ) + e θ > τ ( x , b θ ) ≥  ∂ h a ∂ θ ( x , b θ ) Γ + e θ >   ∂ h a ∂ x ( x , b θ ) F ( x )  > + τ ( x , b θ ) ! ≥ 0 T ABLE I. Calculation of ˙ h as used in the proof of the main result. with θ unkno wn and the safety function h a ( x ) = 1 − x 2 defining the state safe set S = { x ∈ R | x 2 ≤ 1 } . Assume that x 0 ∈ int( S ) and ˜ θ 2 0 ≤ c 2 . The resulting composite safety function is giv en by: h ( x, ˆ θ ) = h a ( x ) − 1 2 γ − 1 ˜ θ 2 (43) with any γ satisfying: γ ≥ c 2 2 h a ( x 0 ) . (44) W e additionally define the following sets: U = { ( x, ˜ θ ) ∈ R 2 | x ∈ S } (45) H 0 = { ( x, ˜ θ ) ∈ R 2 | h ( x, ˆ θ ) ≥ 0 } (46) W e note that the set U extends infinitely along the ˜ θ -axis, and completely contains H 0 . Furthermore, H 0 ∩ ∂ U = { ( − 1 , 0) , (1 , 0) } . The time deri vati ve of the composite safety function is giv en by: ˙ h ( x, ˆ θ , u ) = − 2 x ( ˆ θ + u ) + ˜ θ ( − 2 x + τ ( x )) (47) for ˙ ˆ θ = γ τ ( x ) . Choosing the update law τ ( x ) = 2 x and controller u = − ˆ θ + 1 2 xα ( h a ( x )) , with extended K ∞ function α , we hav e: ˙ h ( x, ˆ θ ) = − x 2 α ( h a ( x )) ≥ − α ( h a ( x )) . (48) as when α ( h a ( x )) ≥ 0 , x 2 ≤ 1 , and when α ( h a ( x )) ≤ 0 , x 2 ≥ 1 . Noting the construction of U , we ha ve the implication that ( x, ˜ θ ) ∈ U = ⇒ ˙ h ( x, ˆ θ ) ≤ 0 . The closed- loop state and parameter error dynamics are giv en by: " ˙ x ˙ ˜ θ # =  ˜ θ + 1 2 xα ( h a ( x )) − 2 γ x  =  ˜ θ − F ( x ) − g ( x )  , (49) which has an unstable equilibrium point at the origin. This system is an example of a Li ´ enard system (like the V an der Pol oscillator) as in [20], with F ( x ) = − 1 2 xα ( h a ( x )) and g ( x ) = 2 γ x . For systems of the this form, the following theorem, attributed to Li ´ enard, provides the existence of a unique, stable limit cycle: Theorem 4 (Li ´ enard’ s Theorem, [20]) . Under the assump- tion that F, g ∈ C 1 ( R ) , F and g ar e odd functions of x , xg ( x ) > 0 for x 6 = 0 , F (0) = 0 , F 0 (0) < 0 , F has single positive zer o at x = a , and F incr eases monotonically to infinity for x ≥ a as x → ∞ , it follows that the Li ´ enar d system (49) has exactly one limit cycle and it is stable. If α is continuously differentiable in addition to an ex- tended K ∞ function, the assumptions of this theorem are met by the functions giv en in (49). W e note that a = 1 in this giv en example. Thus we can conclude that the system (49) has a stable periodic orbit, which we denote Φ . W e denote the open set in R 2 enclosed by the limit c ycle as in t(Φ) . Additionally , the proof of this theorem as in [20] implies the following corollary regarding the stable limit cycle: Corollary 1. The stable limit cycle Φ is symmetric about the origin and passes through a point, denoted as P 2 = ( x 2 , ˜ θ 2 ) , such that x 2 > a . Giv en that a = 1 , this corollary rev eals that the stable limit cycle leaves the set U , for which the state is considered safe. Additionally , as the limit cycle is symmetric about the origin, and the origin is an unstable equilibrium, the origin is contained in int(Φ) . This corollary also implies that H 0 ⊂ (Φ ∪ in t(Φ)) . T o see this, note that as the limit cycle encircles the origin, it must reenter the set U after leaving the point P 2 . At an y point v = ( v 1 , v 2 ) ∈ U that the limit cycle enters, we must have h ( v ) ≤ 0 , giv en the two points in H 0 ∩ ∂ U . Once the limit cycle enters U , we have ˙ h ≤ 0 until the limit cycle leaves U as pre viously noted. Thus, h ≤ 0 along the portion of the limit cycle contained in U , implying H 0 ⊂ (Φ ∪ int(Φ)) . T o complete the proof, we will employ the following definition and lemma from [8]: Definition 11 (Positive Limit Set) . The positi ve limit set L + is defined as all points p ∈ R 2 such that there is a sequence { t n } with t n → ∞ as n → ∞ , and ( x ( t n ) , ˜ θ ( t n )) → p as n → ∞ . Lemma 1. If a solution ( x ( t ) , ˜ θ ( t )) of (49) is bounded for t ≥ 0 , then its positive limit set L + is a nonempty , compact, in variant set, and ( x ( t ) , ˜ θ ( t )) appr oaches L + as t → ∞ . W e note that the unstable equilibrium point is not con- tained within the positive limit set L + . As the 0-superlevel set of h , and thus all possible initial conditions given our bound on ˜ θ 0 , are contained inside the limit cycle, all solutions to (49) are bounded (by the limit cycle). Furthermore, L + = Φ , and thus all solutions starting in the 0-superlevel approach set approach Φ . As the point P 2 ∈ Φ , and P 2 / ∈ U , we see that any solution starting in the 0-superlevel set of h leav es the desired state safe set S . Hence, the relaxation does not achiev e safety of the state as desired, as seen in Figure 1. -1.5 -1 -0.5 0 0.5 1 1.5 -8 -6 -4 -2 0 2 4 6 8 Fig. 1. Evolution of the system governed by (49) with α ( r ) = k r , k = 10 , ( x 0 , ˜ θ 0 ) = (0 . 2 , 1) , c = 5 , and γ = 26 achieving the lower bound. V I . A DA P T I V E C RU I S E C O N T R O L T o demonstrate how an aCBF can be used to render a system adaptiv ely safe, we consider the problem of adapti ve cruise control (ACC) as posed in [1]. The dynamics of the system are giv en by: d d t  v D  =  0 v 0 − v  − 1 m  1 v v 2 0 0 0    f 0 f 1 f 2   +  1 m 0  u (50) with v the v elocity of the vehicle, D the distance between the vehicle and a leading v ehicle trav eling at a fixed velocity v 0 , m the vehicle’ s mass, and f 0 , f 1 , and f 2 unknown parameters associated with rolling frictional force. In this problem, we seek to dri ve the velocity to a desired velocity , v d , while simultaneously ensuring the distance between the vehicles satisfies a safety constraint giv en by: D ≥ 1 . 8 v . (51) The parameters f 0 , f 1 , and f 2 are often determined empiri- cally , and if they are not accurate, the desired velocity may not be accurately tracked. Furthermore, if the parameters do not exactly match the true parameters, it may not be possible to certify that the system will satisfy the safety constraint. The control objecti ve of tracking a desired v elocity can be achiev ed with a hand-designed controller k d or encoded using a CLF , and the safety constraint can be encoded using a CBF . Additional constraints on the maximum acceleration and deceleration can be enforced to maintain passenger comfort. T o handle uncertainty in the parameters, we utilize the tool of aCBFs to maintain and update estimates of these parameters. An aCBF that yields desirable results is defined as the following continuously differentiable function: h a ( v , D ) = ( α 2 if D − 1 . 8 v ≥ α α 2 − ( D − 1 . 8 v − α ) 2 if D − 1 . 8 v < α for α > 0 . This particular construction of h a is constant a way from the safety boundary and diminishes to 0 (quadratically to preserve dif ferentiability) as the boundary is approached. In practice, this is to handle the fact that superle vel sets of the composite safety function h are forward inv ariant. In re gions where h a is constant, ∂ h a ∂ x , and thus the update law in (39), is 0 , thus making ˙ h = 0 as in the first equality in T able I. aCBF-QP Controller: A simple proportional controller on tracking error v − v d can be implemented and achiev e good tracking performance, b ut is not necessarily safe. A CBF alone would not ensure the safety of this controller with model uncertainty , but treating the proportional controller as k d in aCBF-QP with an aCBF , safety can be achiev ed. aCLF-aCBF-QP Controller: Additionally , we can unify aCLF and aCBFs in a quadratic program based controller to receiv e the benefits of optimal and adapti ve tracking while remaining safe. Separate estimates of the parameters are mainted for the aCLF and the aCBF , as the form of the update laws in (17) and (39) may not be simultaneously satisfiable for only one estimate of the parameters. The CLF in [1] on the velocity tracking error v − v d , giv en by V a = ( v − v d ) 2 , also satisfies the aCLF condition (11). Letting x = ( v, z ) and b θ and b ψ be parameter estimates associated with the aCLF and aCBF , respectiv ely , we formulate a QP-based controller: k ( x , b θ , b ψ ) = argmin u ∈U J ( u ) + c V ( x ) δ V + c p ( x ) δ p s . t . L ˜ f clf V a ( x , b θ ) + L g V a ( x , b θ ) u ≤ − α 3 ( k x k , b θ ) + δ V L ˜ f cbf h a ( x , b ψ ) + L g h a ( x , b ψ ) u ≥ 0 u ≤ u max + δ p u ≥ − u max − δ p δ V , δ p ≥ 0 with parameter updates for b θ and b ψ as in (17) and (39), respectiv ely . δ V and δ p are relaxations to the optimization problem to ensure its feasibility , while safety is ensured. The functions c V and c p are Lipschitz continuous and are used to achieve smoothness. W ith initial parameter estimates  ˆ f 0 ˆ f 1 ˆ f 2  = 10  f ? 0 f ? 1 f ? 2  (less friction than mod- eled), the results of this controller appear in Figure 2. 0 5 10 15 20 -150 -100 -50 0 50 100 0 5 10 15 20 12 14 16 18 20 22 24 26 0 5 10 15 20 -20 0 20 40 60 Fig. 2. Comparison of different adaptive and non-adaptiv e control methodologies. The aCBF-QP is able to enforce safety of the proportional controller (left). An aCLF controller is able to track the desired velocity with zero steady state error (center). Both aCBF controllers are able to keep the vehicle within the safe region for all time (right) W e see that the proportional controller fails to keep the vehicle safe, but filtering it with the aCBF-QP keeps it safe (with D ≥ 1 . 8 v for all time) even with model uncertainty . A CLF-CBF controller with no adapti ve elements fails to either track the desired velocity (with steady state error) or keep the vehicle safe. The CLF-aCBF controller keeps the vehicle safe but has steady state tracking error, while an aCLF-aCBF controller accurately tracks the desired velocity with no steady state error , and keeps the vehicle safe. V I I . C O N C L U S I O N W e presented a novel approach for ensuring the safety of a system under a form of parametric uncertainty . This approach builds of f the structure established with adaptive Control L yapunov Functions, and highlights the differences that must be considered when ensuring the forward in v ariance of a specific set. Future w ork includes considering this frame work within a batched-data framew ork, in which initial parametric uncertainty can be iteratively and episodically reduced to permit less conservati ve safe sets. R E F E R E N C E S [1] A. Ames, J. Grizzle, and P . T abuada. Control barrier function based quadratic programs with application to adaptiv e cruise control. In 53rd IEEE Confer ence on Decision and Contr ol , pages 6271–6278. IEEE, 2014. [2] A. D. Ames, X. Xu, J. W . Grizzle, and P . T abuada. Control barrier function based quadratic programs for safety critical systems. IEEE T ransactions on Automatic Contr ol , 62(8):3861–3876, 2017. [3] Z. Artstein. Stabilization with relaxed controls. Nonlinear Analysis: Theory , Methods & Applications , 7(11):1163–1173, 1983. [4] S. Boyd and L. V andenberghe. Con vex optimization . Cambridge univ ersity press, 2004. [5] R. Cheng, G. Orosz, R. M. Murray , and J. W . Burdick. End-to-end safe reinforcement learning through barrier functions for safety-critical continuous control tasks. arXiv preprint , 2019. [6] J. F . Fisac, A. K. Akametalu, M. N. Zeilinger , S. Kaynama, J. Gillula, and C. J. T omlin. A general safety framework for learning-based control in uncertain robotic systems. IEEE T ransactions on Automatic Contr ol , 2018. [7] T . Gurriet, A. Singletary , J. Reher , L. Ciarletta, E. Feron, and A. Ames. T ow ards a framework for realizable safety critical control through activ e set inv ariance. In Pr oc. of the 9th ACM/IEEE International Conf. on Cyber-Physical Systems , pages 98–106. IEEE Press, 2018. [8] H.K. Khalil. Nonlinear Systems - 3r d Edition . PH, Upper Saddle Riv er , NJ, 2002. [9] S. K olathaya and A. D. Ames. Input-to-state safety with control barrier functions. IEEE contr ol systems letters , 3(1):108–113, 2018. [10] M. Krsti ´ c, I. Kanellakopoulos, and P . V . K okotovi ´ c. Nonlinear and adaptive control design . Wile y New Y ork, 1995. [11] M. Krsti ´ c and P . V . K okotovi ´ c. Control lyapunov functions for adaptive nonlinear stabilization. Systems & Contr ol Letters , 26(1):17–23, 1995. [12] M. Krsti ´ c and P . V . K okotovi ´ c. Modular approach to adapti ve nonlinear stabilization. Automatica , 32(4):625–629, 1996. [13] Z. Li and M. Krsti ´ c. Optimal design of adaptive tracking controllers for non-linear systems. Automatica , 33(8):1459–1473, 1997. [14] Y . Lin and E. D. Sontag. A univ ersal formula for stabilization with bounded controls. Sys. & Contr ol Letters , 16(6):393–397, 1991. [15] J. Moore and R. T edrake. Adapti ve control design for underactuated systems using sums-of-squares optimization. In 2014 American Contr ol Conference , pages 721–728. IEEE, 2014. [16] B. Morris, M. J. Powell, and A. D. Ames. Suf ficient conditions for the lipschitz continuity of qp-based multi-objectiv e control of humanoid robots. In 52nd IEEE Confer ence on Decision and Control , pages 2920–2926. IEEE, 2013. [17] M. Nagumo. ¨ Uber die lage der integralkurven gew ¨ ohnlicher differen- tialgleichungen. Proceedings of the Physico-Mathematical Society of J apan. 3rd Series , 24:551–559, 1942. [18] Q. Nguyen and K. Sreenath. Exponential control barrier functions for enforcing high relati ve-degree safety-critical constraints. In 2016 American Control Confer ence (ACC) , pages 322–328. IEEE, 2016. [19] M. Ohnishi, L. W ang, G. Notomista, and M. Egerstedt. Barrier- certified adaptive reinforcement learning with applications to brushbot navigation. IEEE T ransactions on Robotics , 2019. [20] L. Perko. Dif fer ential equations and dynamical systems , volume 7. Springer Science & Business Media, 2013. [21] S. Prajna. Optimization-based methods for nonlinear and hybrid systems verification . PhD thesis, Caltech, 2005. [22] E. D. Sontag. Smooth stabilization implies coprime factorization. IEEE transactions on automatic control , 34(4):435–443, 1989. [23] E. D. Sontag. A univ ersal construction of artstein’s theorem on nonlinear stabilization. Systems & control letters , 13(2):117–123, 1989. [24] K. P . T ee, S. S. Ge, and E. H. T ay . Barrier lyapunov functions for the control of output-constrained nonlinear systems. A utomatica , 45(4):918–927, 2009. [25] L. W ang, A. D. Ames, and M. Egerstedt. Safe certificate-based maneuvers for teams of quadrotors using differential flatness. In 2017 IEEE International Confer ence on Robotics and A utomation (ICRA) , pages 3293–3298. IEEE, 2017. [26] L. W ang, E. A. Theodorou, and M. Egerstedt. Safe learning of quadro- tor dynamics using barrier certificates. In 2018 IEEE International Confer ence on Robotics and Automation (ICRA) , pages 2460–2465. IEEE, 2018. [27] P . W ieland and F . Allg ¨ ower . Constructive safety using control barrier functions. IF AC Pr oceedings V olumes , 40(12):462–467, 2007. [28] X. Xu, P . T abuada, J. W . Grizzle, and A. D. Ames. Robustness of con- trol barrier functions for safety critical control. IF AC-P apersOnLine , 48(27):54–61, 2015.