## I Introduction

Autonomous robotic systems are increasingly employed in warehouse and home automation, transportation, and security applications. A crucial aspect of successfully deploying such systems is the satisfaction of safety and stability requirements, even in the presence of uncertainty in the system model or constraints. The notion of safety in the context of program correctness was first introduced in the ’s [lamport1977safety, Alpern1985DefiningL]. Around the same time, Artstein [Artstein1983StabilizationWR] introduced control Lyapunov functions (CLFs) to enforce stability in the context of nonlinear system control. The seminal work of Sontag [SONTAG1989117] established a universal formula for constructing feedback control laws that stabilize nonlinear systems. In the ’s, barrier certificates were proposed to formally prove the safety of closed-loop nonlinear and hybrid systems [barrier-certificate, barrier-hybrid]. Control barrier functions (CBFs) were developed to support task-independent safe control synthesis, serving as a barrier certificate for a closed-loop nonlinear system [wieland2007].

A key observation is that, for control-affine systems, the CLF and CBF conditions are linear in the control input, allowing a formulation of safe and stable control synthesis as a quadratic program (QP) [XU201554, ames2016control, nguyen2016acc, cbf]. CLF-CBF-QP techniques have been successfully employed in a variety of systems, including aerial robots [Wang2017SafeCM], walking robots [nguyen2016cdc], and automotive systems [xu2017realizing]. Most existing work, however, assumes complete knowledge of the system dynamics and control barrier functions. In reality, the dynamics model and safety constraints are obtained using noisy sensor data and simplifying assumptions, leading to uncertainty and errors that should be captured when ensuring safety and stability.

Capturing system-model and barrier-function estimation errors impacts the formulation of the CLF and CBF constraints, which no longer give rise to QPs. Our main contribution is to show that such uncertainty-aware stability and safety constraints can still be formulated as convex constraints under two different models of uncertainty: probabilistic and worst-case. To capture probabilistic uncertainty, we specifically consider *Gaussian Process* (GP) regression [GPBook] as an example approach for modeling a probability distribution over a function space. When the estimated barrier function and system dynamics are described by a GP, we aim to ensure probabilistic safety and stability up to a user-specified risk tolerance. We compute the distribution of the CLF and CBF constraints, and use Cantelli’s inequality [CantelliSuiCD] to bound the computed means with a margin dependent on the variances and the desired risk tolerance. The control input appears linearly in the mean and quadratically in the variance of the CLF and CBF constraints. This allows us to restate the probabilistic constraints as second-order cone constraints, leading to a second-order cone program (SOCP), which is convex and can be solved efficiently online.

Alternatively, when *worst-case error bounds* on the system dynamics, barrier function and its gradient are given, the goal is to formulate a robust safe control synthesis problem. Under worst-case disturbances, we show that the input appears both linearly and within a norm term in the CLF and CBF constraints. Similar to the probabilistic formulation, the original QP problem can be reformulated as a convex SOCP for safe control synthesis.

We demonstrate our safe control synthesis techniques in mobile robot navigation simulations. We consider a robot tasked to follow a desired path in an unknown environment, relying on online noisy obstacle sensing and offline dynamic model estimation to ensure safety and stability. We show that both the probabilistic and the robust CLF-CBF-SOCP formulations allow the robot to safely track the desired path.

In summary, we make the following contributions. First, we formulate novel probabilistic safety and stability constraints by considering stochastic uncertainty in the barrier functions and system dynamics. Second, we formulate novel robust safety and stability constraints by considering worst-case error bounds in the barrier functions and system dynamics. Finally, we show that either the probabilistic or the worst-case formulation leads to a (convex) SOCP, enabling efficient synthesis of safe and stable control.

## II Related Work

CLF-CBF-QP optimization techniques [cbf] have gained significant popularity for enforcing stability and safety for robotic systems. While the original formulation does not take uncertainty into account, several recent works address uncertainty due to unmodeled dynamics, input disturbances, and barrier function estimation separately.

For system dynamics uncertainty, Jankovic [jankovic_robust_2018] considered worst-case disturbance bounds on the dynamics and proposed robust CBF formulations with a modified QP. Eman et al. [yousef2019cdc] utilized convex hulls to model disturbances in a CBF-based safety framework. Clark [andrew2019acc] considered stochastic control systems with incomplete information and derived sufficient conditions for ensuring safety on average. Nguyen and Sreenath [Nguyen2021] formulated a robust CLF-CBF-QP by introducing additional robust constraints to guarantee stability and safety under model uncertainty. Ahmadi et al. [Ahmadi2020RiskSensitivePP] introduced a conditional value-at-risk (CVaR) barrier function to ensure safety for discrete-time systems subject to stochastic uncertainty. In our previous work [dhiman2020control], we proposed Bayesian learning methods to obtain the distribution of system dynamics online and enable safe control synthesis while taking system dynamics uncertainty into account.

For input disturbances, the concept of *input-to-state safety* (ISSf) was introduced by Romdlony and Jayawardhana in [romdlony2016cdc]. The ISSf-CBF concept was extended in [Kolathaya2019issf], which focused on enlarging the safe set by modifying the CBF. Recently, Alan et al. [alan2021safe] introduced the tunable ISSf-CBF concept for safe controller synthesis while reducing conservatism. In addition, Cosner et al. [cosner2021measurement] introduced measurement-robust CBFs to account for uncertainty in state estimation and conducted experiments on a Segway.

For barrier function uncertainty, Srinivasan et al. [srinivasan2020synthesis] estimated barrier functions online using a Support Vector Machine approach and solved the CLF-CBF-QP to generate safe control inputs. Our previous work [Long_learningcbf_ral21] computed worst-case error bounds of barrier function constraints and formulated a robust CLF-CBF-SOCP that enforces safety and stability. Zhang et al. [zhang2021adversarially] constructed robust output CBFs from safe expert demonstrations while considering worst-case error bounds in the measurement map and system dynamics. In this work, we provide a unified formulation for safe control synthesis while taking either probabilistic or worst-case uncertainty of the system dynamics and barrier function simultaneously into account.

## III Problem Formulation

Consider a robot with dynamics model:

(1) |

where is the robot state and is the control input. We assume and are continuously differentiable. The admissible control input space is given by , where is the basis vector with at the first entry and elsewhere, and .

Notation: We denote by the set of non-negative reals and the boundary of a set . For a vector and a matrix , we use and to denote the Euclidean norm and the spectral norm. We use to denote the vectorization of , obtained by stacking its columns, and to denote a diagonal matrix whose diagonal is . We denote by the gradient and the Lie derivative of a differentiable function along a vector field . We use to denote the Kronecker product and to denote a Gaussian Process distribution with mean function and covariance function . A continuous function is of class if it is strictly increasing and . A continuous function is of extended class if it is of class and .

###### Definition III.1.

A continuously differentiable function is a *control Lyapunov function (CLF)* for the system (1) if there exists a class function such that:

(2) |

where the *control Lyapunov condition (CLC)* is:

(3) | ||||

A CLF may be used to encode a variety of control objectives, including path following [Long_learningcbf_ral21], adaptive cruise control [xu2017realizing], and bipedal robot walking [nguyen2016cdc].

To define safety requirements for the control objective, consider a continuously differentiable function , which implicitly defines a (closed) safe set of system states . The following definition is a useful tool to ensure that is forward invariant, i.e., the robot state remains in throughout its evolution.

###### Definition III.2.

A continuously differentiable function is a *control barrier function (CBF)* on for the system (1) if there exists an extended class function such that:

(4) |

where the *control barrier condition (CBC)* is:

(5) | ||||

According to [cbf, ames2016control], any Lipschitz-continuous controller that satisfies for all renders the set forward invariant for the system (1).

### III-A Safety and Stability with Known System Dynamics and Barrier Function

When the system dynamics and the barrier function are precisely known, one can combine CLF and CBF constraints to synthesize a safe controller via the following quadratic program:

(6) | ||||

The term is a baseline controller and may be used to specify additional control requirements, such as desirable velocity or orientation. This term may be set to if minimum control effort is the main objective. The term is a weighting matrix penalizing deviation from the baseline controller. The term is a slack variable that relaxes the CLF constraints to ensure the feasibility of the QP, controlled by the scaling factor . The QP formulation in (6) modifies the baseline controller online to ensure safety and stability via the CBF and CLF constraints.

### III-B Safety and Stability with Estimated System Dynamics and Barrier Function

Our work focuses on enforcing safety and stability for the control-affine system (1) when the system dynamics and the barrier function are *unknown* and need to be estimated from data. We consider two scenarios, depending on whether probabilistic or worst-case error descriptions of the dynamics and barrier functions are available.

###### Problem 1 (Safety and stability under Gaussian uncertainty).

Given an estimated distribution on the unknown system dynamics and an estimated distribution on the barrier function , design a feedback controller such that, for each :

where is a user-specified risk tolerance.

Many robotic systems require instead the guarantee that safety and stability hold under all possible error realizations, which motivates us to also consider the following problem.

###### Problem 2 (Safety and stability under worst-case uncertainty).

Given estimated system dynamics with known error bound ,

(7) |

and estimated barrier function and gradient with known error bounds and , i.e., for all ,

(8) |

design a feedback controller such that, for each :

## IV Probabilistic Safe Control

This section presents our solution to Problem 1. Inspired by the design (6) when the dynamics and the barrier function are known, we formulate the control synthesis problem via the following optimization problem:

(9) | |||

The uncertainty in and affects the linearity in of the CLC and CBC conditions in the constraints of (9), making this optimization problem no longer a QP. Here, we justify that nevertheless the optimization can be solved efficiently. To show this, we start by analyzing the distributions of and in detail.

###### Proposition IV.1 (Distribution for CBC).

Assume is a CBF with a linear function , i.e., for . Given independent distributions and , the mean and variance of satisfy

(10a) | ||||

(10b) |

where

(11) |

and , are computed in (IV).

###### Proof.

The control barrier condition can be written as:

(12) |

Note that is a GP because the gradient of a GP with differentiable mean function and twice-differentiable covariance function is also a GP, cf. [dhiman2020control, Lemma 6],

where is finite for all . Since for appropriately sized matrices , , , we can write

(13) | ||||

We abbreviate and for conciseness in the rest of this section. The term is an inner product of two independent GPs, and . Thus, using [dhiman2020control, Lemma 5], (13), and that , corresponds to a distribution with mean and variance:

(14) | ||||

To factorize from the variance expression, we apply the property for any appropriately sized matrices ,

(15) | ||||

By substituting (15) in (14), we can factorize out to get,

(16) |

Next, we write using [dhiman2020control, Lemma 5] and ,

(17) |

We can now write the mean and variance of explicitly by using (14), (IV) and (IV),

(18) | |||

Next, we describe the distribution of .

###### Proposition IV.2 (Gaussian distribution for CLC).

Given the distribution , the is Gaussian with mean and variance:

(19a) | ||||

(19b) |

where

(20) |

and , are computed in (21).

###### Proof.

We can write the control Lyapunov condition as

We can use the Kronecker product property to rewrite the first term in as:

Since , are known and deterministic and , we can express the distribution of as follows:

(21) | ||||

The result follows from plugging (21) into . ∎

Using the distributions of and , problem (9) can be formulated as a convex SOCP as follows.

###### Proposition IV.3 (Probabilistic-CLF-CBF-SOCP).

###### Proof.

To deal with the probabilistic constraints in (9), we employ Cantelli’s inequality [CantelliSuiCD]. For any scalar ,

Given this inequality, and since we want , we choose and require the lower bound to be greater than or equal to , i.e.,

The equation can be rearranged into

which corresponds to the safety constraint in (22).

Next, we show that this constraint is a valid second-order cone (SOC) constraint. By (10), given that , and are known and deterministic, the expectation is affine in . Since is positive semi-definite, we can write

(23) |

where . According to [alizadeh2003second], the safety constraint in (22) is a valid SOC constraint.

For stability, the CLC condition can be constructed using a similar approach with Cantelli’s inequality, resulting in (22). By (19), we know that the expectation is affine in and the variance is quadratic in terms of , similar to (23). This shows that the CLC condition is also a valid SOC constraint.

Our last step is to show that the minimization of the objective function can be reformulated with a linear objective and an additional SOC constraint, resulting in the standard SOCP in (22). We introduce a new variable so that the problem in (9) is equivalent to

s.t. | ||||

(24) |

The last constraint in (IV) corresponds to a rotated second-order cone, , which can be converted into a standard SOC constraint [alizadeh2003second],

Let , and consider the constraint . Multiplying both sides by and adding , makes the constraint equivalent to

Taking a square root on both sides, we end up with , which is equivalent to the third constraint in (22). ∎
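The Cantelli step used in the proof above can be checked numerically. The following is an added example, not code from the paper: it assumes a constructed scalar-input model in which CBC(u) = b0 + b1*u with jointly Gaussian coefficients, writes the required safety probability as `p` (an assumed name), and uses the standard Cantelli margin sqrt(p/(1-p)); it then finds the input closest to a baseline that meets the tightened constraint and estimates the resulting safety probability by sampling.

```python
import math
import random

# Constructed model (assumption): CBC(u) = b0 + b1*u with (b0, b1) ~ N(MU, SIGMA),
# so the mean is affine in u and the variance is quadratic in [1, u].
MU = (-1.0, 2.0)
SIGMA = ((0.04, 0.01), (0.01, 0.09))

def cantelli_margin(p):
    """c(p) such that mean - c(p)*std >= 0 implies P(CBC >= 0) >= p."""
    return math.sqrt(p / (1.0 - p))

def tightened_cbc(u, p):
    """Left-hand side of the SOC constraint: E[CBC] - c(p) * sqrt(Var[CBC])."""
    mean = MU[0] + MU[1] * u
    var = SIGMA[0][0] + 2.0 * SIGMA[0][1] * u + SIGMA[1][1] * u * u
    return mean - cantelli_margin(p) * math.sqrt(var)

def safe_input(baseline, p, lo=-5.0, hi=5.0, iters=200):
    """Closest input to baseline in [lo, hi] meeting the (concave) tightened constraint."""
    if tightened_cbc(baseline, p) >= 0.0:
        return baseline
    a, b = lo, hi
    for _ in range(iters):  # ternary search for the maximiser of a concave function
        m1, m2 = a + (b - a) / 3.0, b - (b - a) / 3.0
        a, b = (m1, b) if tightened_cbc(m1, p) < tightened_cbc(m2, p) else (a, m2)
    best = 0.5 * (a + b)
    if tightened_cbc(best, p) < 0.0:
        return None  # no input in [lo, hi] meets this risk tolerance
    bad, good = baseline, best
    for _ in range(iters):  # bisection for the feasible boundary nearest the baseline
        mid = 0.5 * (bad + good)
        good, bad = (mid, bad) if tightened_cbc(mid, p) >= 0.0 else (good, mid)
    return good

def empirical_safety(u, n=20000, seed=0):
    """Monte Carlo estimate of P(CBC(u) >= 0) under the constructed Gaussian model."""
    rng = random.Random(seed)
    l11 = math.sqrt(SIGMA[0][0])                # Cholesky factor of SIGMA
    l21 = SIGMA[0][1] / l11
    l22 = math.sqrt(SIGMA[1][1] - l21 * l21)
    hits = 0
    for _ in range(n):
        z1, z2 = rng.gauss(0.0, 1.0), rng.gauss(0.0, 1.0)
        b0 = MU[0] + l11 * z1
        b1 = MU[1] + l21 * z1 + l22 * z2
        hits += (b0 + b1 * u >= 0.0)
    return hits / n
```

With these constructed numbers, the input that only satisfies the mean constraint (u = 0.5) is safe about half the time, while `safe_input(0.0, 0.9)` moves further from the baseline to meet the 0.9 requirement; at p = 0.99 the variance of the input gain makes the tightened constraint infeasible and the function returns `None`.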

## V Robust Safe Control

In this section, we develop a solution to Problem 2. Let denote the estimated system dynamics, , the estimated barrier function and its gradient, and let , , and be associated error bounds. For convenience, for each , we denote , and . By (7) and (8), we have

(25) |

Using this notation, we can rewrite as

Let . We group the error term in the expression for in the variable . Thus, is satisfied if

Similarly, let and , a robust version of the stability constraint can be written as:

(26) |

This leads us to the following robust reformulation of the original control synthesis problem in (6),

(27) | ||||

Note that we used the same approach as in the proof of Proposition IV.3 to reformulate the original quadratic objective with a linear objective plus a SOC constraint. The difficulty in solving (27) arises from the complexity of the constraints. The next result considers a restriction of the feasible set that gives rise to a convex SOCP formulation.

###### Proposition V.1 (Robust-CLF-CBF-SOCP).

###### Proof.

The stability constraint directly follows from the fact:

For the safety constraint, note that

(29) |

Since and is an extended class function,

(30) |

Applying the Cauchy-Schwarz inequality on each term,