title: Safety-Critical Control with Input Delay in Dynamic Environment
authors: Molnar, Tamas G.; Kiss, Adam K.; Ames, Aaron D.; Orosz, Gábor
date: 2021-12-15

Endowing nonlinear systems with safe behavior is increasingly important in modern control. This task is particularly challenging for real-life control systems that must operate safely in dynamically changing environments. This paper develops a framework for safety-critical control in dynamic environments, by establishing the notion of environmental control barrier functions (ECBFs). The framework is able to guarantee safety even in the presence of input delay, by accounting for the evolution of the environment during the delayed response of the system. The underlying control synthesis relies on predicting the future state of the system and the environment over the delay interval, with robust safety guarantees against prediction errors. The efficacy of the proposed method is demonstrated by a simple adaptive cruise control problem and a more complex robotics application on a Segway platform.

Safety is of great importance in many modern control systems. Safety-critical control covers a wide spectrum of applications ranging from automated vehicles [1], [2] through robotics [3]-[6] and multi-robot systems [7]-[9], to controlling the spread of infectious diseases [10], [11]. Notably, in many applications safety is affected by a dynamically changing environment that surrounds the control system. For example, robots must avoid collision with other agents in multi-robot systems [12], [13], automated vehicles must be safe with respect to other road users [14], and robotic manipulators must collaborate safely with their human operator [15]-[17]. Such strict safety requirements call for theoretical safety guarantees and provably safe controllers.
To achieve safety, control synthesis must take into account how the control system interacts with its environment. As the environment of many engineering systems changes over time, one must ensure that this dynamic evolution does not lead to safety violations. As such, dynamic environments pose a major challenge for safety-critical control.

Fig. 1. The proposed safety-critical control framework implemented in high-fidelity simulation of a Segway. The Segway is able to safely avoid a moving obstacle, even when the obstacle's future position is unknown and there is input delay in the control loop. This is accomplished via the environmental control barrier function (ECBF) plotted at the bottom. (Panels: delay-free dynamics; robust control design for delayed dynamics. Legend: safe, unsafe.)

An important element of this challenge is that the response time of control systems may be commensurate with how fast the environment changes. Response times include sensory, feedback and actuation delays arising in practice [18]. The magnitude of the delay depends on the application: it is milliseconds in robotic systems [19], a few tenths of a second in connected automated vehicles [20] and days in epidemiological models [21]. Delays have significant impact on safety in the context of dynamic environments: it may occur that by the time the control system responds, the environment changes and safety is compromised. To overcome this danger, one needs to consider how the dynamic - and often uncertain - environment evolves over the delay period. This yields a major challenge in designing provably safe controllers. This paper aims to address this problem by establishing a framework for safety-critical control in which dynamic environments and time delays are explicitly taken into account.

Formally, safety is often framed as a set invariance problem by requiring that the state of the system evolves within a safe set for all time.
The theory of control barrier functions (CBFs) provides an elegant solution to achieve this goal and maintain safety [22]. While this theory delivers the required formal safety guarantees, one shall secure these guarantees in dynamic environments during practical implementation. Several works have built on CBFs to transfer safety-critical controllers from theory to practice, by providing robustness against disturbances [23]-[27], measurement uncertainty [28]-[30] and model mismatches [31], [32]. These strategies significantly facilitate controller deployment; however, their formulation has not yet considered dynamic environments explicitly but is restricted to quasi-static environments. For the first time, this paper explicitly involves dynamically changing environments into the mathematical framework for safety-critical control.

On the other hand, the safety of time delay systems has also attracted increasing attention in the recent literature. The safety of continuous-time systems with state delay was established by safety functionals in [33], [34], which were extended to control barrier functionals in [35]. Discrete-time control systems with input delay were studied in [36] for linear and in [37] for nonlinear dynamics. Linear control systems with input delays were investigated in continuous time in [38], [39] via control barrier and control Lyapunov functions. Safety-critical control of continuous-time nonlinear systems with measurement delays was tackled in our works [10], [11] in an application to controlling the spread of COVID-19. In these papers, we leveraged predictor feedback [40]-[43] to compensate the delay by predicting the future evolution of the system. Parallel to our work, [44], [45] used predictor feedback to compensate multiple and time-varying input delays with robustness against prediction errors.
Yet, these works have not addressed safety-critical scenarios in dynamic environments that evolve independently of the control input being synthesized. This paper intends to fill this gap and tackle the challenges arising from the combination of dynamic environments and delays.

Here we build on [10], [11] to establish the theory of safety-critical control for nonlinear continuous-time systems with input delay, operating in dynamically changing environments. Our contributions are threefold:

1. We establish the notion of environmental control barrier functions (ECBFs) for delay-free systems to explicitly address scenarios in which safety is affected by a dynamic environment. This notion is particularly useful when the dynamics of the environment are inherently more uncertain than those of the control system.
2. We develop the notions of CBFs and ECBFs for systems with input delay, and synthesize safety-critical controllers via predictor feedback. The use of predictors requires special care in dynamic environments, since the environment's future is not controlled and cannot be predicted accurately. We make controllers robust against prediction errors, especially those related to the future of the dynamically changing environment.
3. We demonstrate the efficacy of this framework on real-life engineering systems: adaptive cruise control and obstacle avoidance with a Segway platform.

Figure 1 illustrates a sample of these results. A Segway is controlled to safely avoid a moving obstacle via the proposed ECBFs in high-fidelity simulation. Without delay in its control loop (left) the Segway pitches backwards to go under the obstacle. With input delay (right) the Segway first approaches the obstacle, then moves in reverse to make space, and finally pitches forward to go under it. Remarkably, these safe behaviors emerge from the ECBF automatically, which handles reactive planning in a holistic fashion.

The paper is structured as follows.
Section II revisits CBFs for delay-free systems. Section III addresses safety in dynamic environments by introducing ECBFs. Section IV extends CBFs and ECBFs to systems with input delays, and discusses safety-critical control via predictor feedback with robustness against prediction errors. In these sections, adaptive cruise control is used as an illustrative example, whereas Section V demonstrates the safety-critical control of a Segway by numerical simulations. We conclude our work in Section VI.

Consider a control-affine system with state x(t) ∈ X ⊆ R^n and input u(t) ∈ U ⊆ R^m: where f : X → R^n and g : X → R^{n×m} are locally Lipschitz continuous on X that is an open and connected subset of R^n. Consider the initial condition x(0) = x_0 ∈ X. When the control input u = k(x) is given by a locally Lipschitz continuous controller k : X → U, then system (1) has a unique solution over a time interval t ∈ I(x_0). For simplicity of exposition, we assume I(x_0) = [0, ∞), i.e., the solution exists for all t ≥ 0.

We consider the system safe if its state is contained within a safe set S ⊂ X for all time. Accordingly, we frame safety-critical control as rendering set S forward invariant under dynamics (1): the controller needs to ensure for all x_0 ∈ S that x(t) ∈ S, ∀t ≥ 0. Specifically, we define S as the 0-superlevel set of a continuously differentiable function h : X → R: where the selection of h is application-driven. We ensure the forward invariance of the safe set S by the framework of control barrier functions (CBFs).

First, we briefly revisit the main result in [22] that establishes theoretical safety guarantees by CBFs. We state the definition of CBFs and the conditions of safety below. We use the notation ‖·‖ for Euclidean norm, and we call a function α : (−a, b) → R, a, b > 0 an extended class K function, if it is continuous, strictly monotonically increasing and α(0) = 0. where ḣ is the derivative of h along system (1).
With the CBF definition, [22] establishes formal safety guarantees as follows. ∀x ∈ S renders S forward invariant (safe), i.e., it ensures The proof can be found in [22], and further technical details with discussion about the selection of α are in [46]. Throughout the paper, we use variants of the safety condition (5).

(5) is often used in the context of optimization-based controllers [22]. Given a control input u_d = k_d(x) by a desired controller k_d : X → U, one can modify this input in a minimally invasive fashion to guarantee safety by solving the following quadratic program (QP): This defines the control law u = k(x) implicitly. The feasibility of this QP is guaranteed by the definition of CBFs (Definition 1). However, verifying that a particular choice of h is indeed a CBF is nontrivial when there are input constraints (U ⊂ R^m). If there are no input bounds (U = R^m), feasibility guarantees can be proven, and the solution to QP (6) can even be expressed explicitly based on the KKT conditions [47] as ) is the right pseudoinverse of φ_1(x). The derivation of (7) is given in Appendix I. Note that for φ_1^+(x) to exist, one needs ∇h(x)g(x) ≠ 0, ∀x ∈ S. This is often referred to as h has relative degree 1 (i.e., the first derivative of h with respect to time is affected by u). For higher relative degrees (when a higher derivative of h is affected by u), there exist systematic methods to construct CBFs from h and guarantee safety; see [48]-[51] for details. An example for such extension is given later in Section V.

So far we related safety to the state x of the system. Often safety is also affected by the state of the environment, which we characterize by e(t) ∈ E ⊆ R^l, where e is a continuously differentiable function of time with ė(t) ∈ E ⊆ R^l and e(0) = e_0 ∈ E. Then the safe set modifies to an environmental safe set S_e: where H : X × E → R is assumed to be continuously differentiable in both arguments.
We enforce safety in dynamic environments by introducing the notion of environmental control barrier functions (ECBFs). Function H is an environmental control barrier function (ECBF) for (1) if there exists an extended class K function α such that for all (x, e) ∈ S_e and ė ∈ E

sup_{u∈U} Ḣ(x, e, ė, u) ≥ −α(H(x, e)),

where Ḣ is the derivative of H along system (1). With this definition, an extension of Theorem 1 yields theoretical safety guarantees in dynamic environments, as given below. ∀(x, e) ∈ S_e and ∀ė ∈ E renders S_e forward invariant, i.e., it ensures (x_0, e_0) ∈ S_e ⇒ (x(t), e(t)) ∈ S_e, ∀t ≥ 0.

Proof. We couple (1) with its environment into the augmented system ż with augmented state z, input v and dynamics F and G as I . (13) For this system, function H_z : X × E → R, H_z(z) = H(x, e) is a CBF, since H is an ECBF. Hence, safety can be guaranteed with respect to the 0-superlevel set of H_z based on Theorem 1 via the condition Ḣ Substituting the definitions of z, v, F, G and H_z leads to (11) and proves the statement in Theorem 2.

Remark 2. Theorem 2 yields safety-critical controllers of the form u = K(x, e, ė) with control law K : That is, the control input depends on the environment as well through e and ė which need to be measured. For example, a controller based on optimization (specifically, a QP) reads analogously to (6), with explicit solution for U = R^m: analogously to (7).

ECBFs rely on the environment state e and its derivative ė. In practice, these quantities are typically estimated with uncertainty. Therefore, now we robustify safety-critical controllers against uncertainties in the environment. Motivated by the method developed in [30] for state uncertainty, we provide robustness based on worst-case uncertainty bounds (i.e., in a deterministic fashion). For simplicity, we consider no uncertainty in x, since typically the environment is associated with more uncertainty than the state of the control system.
Consider that the true environment state e and its derivative ė are not available, only some estimates ê and ė̂. We assume these estimates have known uncertainty bounds ε_e and ε_ė: The main idea is to enforce safety through a conservative lower bound on the unknown expression Ḣ(x, e, ė, u) + α(H(x, e)) that must be kept nonnegative according to Theorem 2. The bound uses the known quantities ê and ė̂ in the form:

Ḣ(x, e, ė, u) + α(H(x, e)) ≥ Ḣ(x, ê, ė̂, u) + α(H(x, ê)) − C(ε_e, ε_ė, u) ≥ 0. (18)

This is stated more formally with the specific expression of C(ε_e, ε_ė, u) below, after some additional assumptions. Assume that the following regularity conditions on H hold. and α(H(x, e)) are Lipschitz continuous in argument e on S_e with Lipschitz coefficients L_{∇Hf,e}, L_{∇Hg,e} and L_{α∘H,e}, whereas ∇_e H(x, e)ė is Lipschitz continuous in arguments e and ė on S_e × E with Lipschitz coefficients L_{∇Hė,e} and L_{∇Hė,ė}. This implies: Then, the following sufficient condition for safety can be constructed. If H is an ECBF for (1) and the regularity conditions in (19) hold, then any locally Lipschitz continuous with ∀(x, ê) ∈ S_e and ∀ė̂ ∈ E renders S_e forward invariant, i.e., it

Proof. The steps of the proof follow those of Theorem 2 in [30]. We prove the Proposition by showing that (20) implies (11) and by applying Theorem 2. We relate (20) to (11) by introducing the difference between their corresponding terms. Applying (10) to express both Ḣ(x, e, ė, u) and Ḣ(x, ê, ė̂, u), we get = Ḣ(x, ê, ė̂, u) + α(H(x, ê)) These differences show up on the left-hand side of (19). Thus, the regularity conditions (19) on H, the uncertainty bound (17) and condition (20, 21) sufficiently provide (11), which completes the proof.

Less conservative problem-specific bounds than the one given by (21) also work as long as they sufficiently provide (11). Furthermore, we highlight that (21) involves a term ‖u‖. This, when incorporated into an optimization problem like (6), leads to a second-order cone program (SOCP) rather than a QP if L_{∇Hg,e} ≠ 0.
Example 1 (Adaptive Cruise Control). We consider an adaptive cruise control (ACC) problem, where an automated vehicle (AV) intends to follow a human-driven vehicle (HV) without collision; see Fig. 2. This problem was studied in [1], [2] without the notion of ECBFs. We revisit this problem and use ECBFs to tackle it, which will play an essential role to extend the resulting safety-critical controller to safe ACC with input delay in Section IV.

We denote the length of the AV by l, the position of its rear bumper by s and its speed by v, and we model its longitudinal motion by where p(v) indicates resistance terms. The input u is the commanded acceleration that is assumed to be realized by a low-level controller. We denote the HV's position and speed by s_1 and v_1. These quantities characterize the environment for the AV: e = s_1 and ė = v_1.

To avoid collisions, the AV intends to keep its speed v below a safe limit V̄(d) = κ̄d for a selected κ̄ > 0, where this limit depends on the distance d = s_1 − s − l. Thus, we use the ECBF: and select a linear class K function Substituting these expressions, while using (10), into the safety condition (11) leads to This implies that the AV should not accelerate more than how much the expression on the left-hand side dictates. This expression resembles the desired acceleration of simple ACC controllers, in fact, for p(v) = 0 it is equivalent to the one in [2] with a special choice of feedback gains and range policy. Enforcing (25), for example, through the QP (15), guarantees safety based on Theorem 2.

Fig. 2 shows numerical simulation results with the safety-critical controller for p(v) = 0.1 + 0.0003v^2, γ = 3 and κ̄ = 2 (with units in SI). The speed of the HV is presented in panel (b): it performs constant speed cruising, braking with 2 m/s^2 and constant speed cruising again. The AV intends to travel at a constant speed higher than the HV's speed with desired controller K_d(x, e, ė) = 0.
By applying the QP (15) with the constraint (25), the AV is able to slow down safely behind the HV; see the black curve.

The controller relies on the position and speed of the HV. These can be obtained by on-board sensors such as radar, lidar, cameras or ultrasonics, or by means of vehicle-to-vehicle connectivity with the HV. If these quantities are measured with error, safety may be violated. This is demonstrated by red color in Fig. 2, where the controller relies on the measured values ê = ŝ_1 = s_1 + 1 m and ė̂ = v̂_1 = v_1 + 1 m/s instead of the true values e = s_1 and ė = v_1. That is, both the position and speed of the HV are overestimated, which causes the system to leave the safe set.

The controller can be made robust to such uncertainties in the environment by replacing the safety condition (11) with the robustified constraint (20) in the QP (15). If the HV's position and speed estimates have known error bounds ε_s and ε_v, that is, |s_1 − ŝ_1| ≤ ε_s and |v_1 − v̂_1| ≤ ε_v, then, after substitution into (20) and using (21), the robustified constraint becomes (26) where we used the Lipschitz coefficients L_{∇Hf,e} = L_{∇Hg,e} = L_{∇Hė,e} = 0, L_{α∘H,e} = γκ̄, L_{∇Hė,ė} = κ̄. In this example, the additional robustifying terms are equivalent to considering the worst-case (smallest possible) position and speed for the HV.

The effect of these robustifying terms is shown by blue color in Fig. 2 for ε_s = 1.4 m and ε_v = 1.4 m/s. The AV is able to safely slow down behind the HV despite the uncertainty in the HV's measured state. Notice that the controller is slightly conservative: the AV stays farther from the boundary of the safe set than in the case without uncertainty.

Now consider the system with input delay τ > 0: where f and g are the same as in (1), and u is bounded and continuous almost everywhere (with a potential discontinuity at t = 0 when the controller is turned on). We still assume that there exists a unique solution x(t) over t ≥ 0.
To synthesize safety-critical controllers, we ensure that given the state x(t) at time t the solution of (27) continues to be safe over [t, t + τ]. This property depends on the instantaneous control input u(t) that will be synthesized via CBFs and also on the control input over [t − τ, t) given by the input history u_t ∈ B: Here B denotes the space of functions mapping from [−τ, 0) to U that are bounded and continuous almost everywhere. The solution over [t, t + τ] is characterized by the semi-flow Ψ as a function of the state x(t) and as a functional of the input history u_t: The semi-flow Ψ : [0, τ] × X × B → X can be obtained by the forward integration of (27) as follows: Of particular interest will be the state x(t + τ), that reads We remark that since u is bounded, u(t) does not affect the value of the integral and thus u_t is defined over [−τ, 0). That is, the input history u_t does not include the instantaneous control input u(t). This will allow us to utilize the input history u_t when synthesizing a control input u(t).

Hereinafter, x(t + τ) = Ψ(τ, x(t), u_t) is called predicted state and (30) serves as predictor. The predicted state will play a key role in safety-critical control. It can be calculated by forward integration of (27) over [t, t + τ]. Explicit expressions may also be available for linear systems with A ∈ R^{n×n}, B ∈ R^{n×m}, where the predicted state is given by the convolution integral

The following definition generalizes CBFs for systems with input delay in the form (27) with τ > 0. Function h is a control barrier function (CBF) for (27) with τ > 0 if there exists an extended class K function α such that for all x ∈ S and u_t ∈ B where x_p = Ψ(τ, x, u_t) with Ψ given by (30). Notice that the definition recovers Definition 1 for the delay-free case, since x_p = x if τ = 0. We use this definition to guarantee safety analogously to Theorem 1. We assume that safety-critical control starts at t = 0.
According to (29), x(ϑ) = Ψ(ϑ, x_0, u_0), ϑ ∈ [0, τ], that is, the solution over [0, τ] evolves based on the initial input history u_0 which we cannot prescribe. Therefore, we need the following assumption to ensure the system is safe over [0, τ]. Now we are ready to state our main theorem that ensures safety in the presence of the input delay τ > 0. If h is a CBF for (27) with τ > 0, then any locally Lipschitz continuous controller u = k(x_p), ∀x ∈ S and ∀u_t ∈ B renders S forward invariant under Assumption 1, i.e., it ensures x_0 ∈ S ⇒ x(t) ∈ S, ∀t ≥ 0.

Proof. Since Assumption 1 ensures x(ϑ) ∈ S, ∀ϑ ∈ [0, τ], it is sufficient to prove x(τ) ∈ S ⇒ x(t) ∈ S, ∀t ≥ τ. By differentiation of (30) with respect to ϑ we have Furthermore, by noticing d/dϑ x(t + ϑ) = d/dt x(t + ϑ) and by using (29), we get d/dϑ Ψ(ϑ, x(t), u_t) = d/dt Ψ(ϑ, x(t), u_t). Substituting this into (36) and using ϑ = τ, we get the following delay-free system for x_p(t) = Ψ(τ, x(t), u_t): For this system, Theorem 1 can be applied since (34, 35) hold, thus we get

Remark 3. As opposed to the delay-free case, the controller in Theorem 3 is no longer a state-feedback controller, but it also depends on the input history u_t through feedback of the predicted state x_p = Ψ(τ, x, u_t). Furthermore, optimization-based controllers for systems with input delay can be synthesized via Theorem 3 similarly to (6). The following QP can be solved if τ > 0: Here the desired controller k_d : X → U may also account for the delay and can potentially depend on the predicted state. The solution to (38) is equivalent to applying the control law (6) of the corresponding delay-free system on the predicted state x_p = Ψ(τ, x, u_t). This allows one to extend explicitly available delay-free control laws, such as (7), for systems with input delays. However, an explicit expression for k is not always available, especially if additional constraints are added to (6).
In such cases, one cannot construct u by separately solving the delay-free QP (6) and calculating the predicted state x_p, but one needs to solve QP (38) directly.

In practice, predicting the future state may not be perfectly accurate. Often only an estimate x̂_p of the predicted state x_p is available. Classically, this estimate is provided by the numerical forward integration of (27). Alternatively, state prediction can also be done by more modern tools such as data-driven methods and machine learning. Theorem 3 guarantees safety for the ideal scenario of accurate prediction, x̂_p = x_p. However, mismatches between x̂_p and x_p inevitably occur due to model uncertainties and computation errors [42]. Robustness against the prediction error x̂_p − x_p can be provided analogously to Proposition 1 using the following condition: where ε_x is the prediction error bound, ‖x̂_p − x_p‖ ≤ ε_x, and L is the Lipschitz coefficient of the subscripted function on S. Moreover, safety can also be studied under the notion of input-to-state safety [24], [27] as we did in [11], where it was shown that without robustification the input disturbance d = k(x̂_p) − k(x_p) may make a larger set S_d ⊇ S forward invariant.

Finally, we consider the scenario when safety needs to be guaranteed for the time delay system (27) in a dynamic environment described by the state e(t) and the environmental safe set S_e. In Theorem 3, the key step to achieve safety was to predict the state of the system over the time interval [t, t + τ]. Similarly, this section will rely on a prediction for the environment. For simplicity of exposition, we assume that the future state of the environment is determined by the current state in the form: where the maps Γ : We call e(t + τ) = Γ(τ, e(t)) and ė(t + τ) = Γ(τ, e(t), ė(t)) as the prediction of the environment. For this setup, we establish safety by extending the notion of ECBFs to systems with input delay.
(27) with τ > 0 if there exists an extended class K function α such that for all (x, e) ∈ S_e, ė ∈ E and u_t ∈ B

sup_{u∈U} Ḣ(x_p, e_p, ė_p, u) ≥ −α(H(x_p, e_p)),

where x_p = Ψ(τ, x, u_t) with Ψ given by (30), while e_p = Γ(τ, e), ė_p = Γ(τ, e, ė) with Γ, Γ defined by (40). With this definition, Theorems 2 and 3, that separately guarantee safety in dynamic environment and for input delay, respectively, can be integrated into Theorem 4 below. Again, we need a preliminary assumption that the system is safe over the first delay interval t ∈ [0, τ] when safety depends on the input history u_0.

Assumption 2. The initial history u_0 of the control input satisfies (x(ϑ), e(ϑ)) = (Ψ(ϑ, x_0, u_0), Γ(ϑ, e_0)) ∈ S_e, ∀ϑ ∈ [0, τ].

Now we can state the main theorem to ensure safety for systems with input delay in dynamic environment. (27) with τ > 0, then any locally Lipschitz continuous controller u = K(x_p, e_p, ė_p), x_p = Ψ(τ, x, u_t), e_p = Γ(τ, e), ė_p = Γ(τ, e, ė) with history u_t satisfying Ḣ(x_p, e_p, ė_p, u) ≥ −α(H(x_p, e_p)), ∀(x, e) ∈ S_e, ∀ė ∈ E and ∀u_t ∈ B renders S_e forward invariant under Assumption 2, i.e., it ensures (x_0, e_0) ∈ S_e ⇒ (x(t), e(t)) ∈ S_e, ∀t ≥ 0.

Proof. Assumption 2 yields (x_0, e_0) ∈ S_e ⇒ (x(ϑ), e(ϑ)) ∈ S_e, ∀ϑ ∈ [0, τ], thus what remains to prove is (x(τ), e(τ)) ∈ S_e ⇒ (x(t), e(t)) ∈ S_e, ∀t ≥ τ. This is equivalent to (x_p(0), e_p(0)) ∈ S_e ⇒ (x_p(t), e_p(t)) ∈ S_e, ∀t ≥ 0 based on the definitions of x_p and e_p. According to the proof of Theorem 3, x_p(t) is governed by the delay-free dynamics (37). Hence, Theorem 2 is directly applicable to this delay-free system considering the environment given by e_p. This provides (x_p(0), e_p(0)) ∈ S_e ⇒ (x_p(t), e_p(t)) ∈ S_e, ∀t ≥ 0 as desired, which completes the proof.

Remark 5. Theorem 4 ultimately leads to controllers that depend on the state x, the input history u_t, and the state of the environment given by e, ė.
An example is the following quadratic program: with x_p = Ψ(τ, x, u_t), e_p = Γ(τ, e) and ė_p = Γ(τ, e, ė), cf. (15, 38).

In practice, the future state of the environment given by e_p is unknown; we can only potentially provide an estimate ê_p with corresponding estimate ė̂_p for the derivative. Robustness with respect to environment prediction errors is a significant problem since the evolution of the environment is often more uncertain than the dynamics of the control system. Robustness can be addressed similarly to Section III-B, as discussed below. For simplicity, we assume that the dynamics of the control system (27) is well-known and its state can be predicted with negligible error (x̂_p = x_p); otherwise prediction errors could be overcome based on Remark 4. Then, the approach of Proposition 1 can be applied to achieve robustness against environment prediction errors, via the condition: with C(ε_e, ε_ė, u) defined in (21), where ε_e and ε_ė are the error bounds on the environment prediction, satisfying ‖e_p − ê_p‖ ≤ ε_e and ‖ė_p − ė̂_p‖ ≤ ε_ė.

Consider the adaptive cruise control problem outlined in Example 1, now with input delay: where τ represents powertrain delays. For passenger vehicles, this delay is around 0.5-1 s [20], hence it is not negligible for safety-critical applications. The effect of this delay is demonstrated in Fig. 3 by black color. Simulation results are shown with a large delay τ = 1, zero initial input history, and the same parameters as in Example 2: p(v) = 0.1 + 0.0003v^2, γ = 3 and κ̄ = 2 (with units in SI). If one implements the delay-free control design (15) relying on (25), it fails to keep system (45) safe due to the delay τ. Safety violations happen even when the HV drives with constant speed.

Thus, we use Theorem 4 to maintain safety for τ > 0. We predict the AV's motion by forward integrating (45) over the delay interval [t, t + τ] using the input history u_t. The resulting predicted state is denoted by x_p(t) = [s_p(t), v_p(t)].
Furthermore, we predict the HV's motion by assuming constant speed over [t, t + τ]: ė̂_p(t) = v_1(t) and ê_p(t) = s_1(t) + v_1(t)τ. These predictions can be incorporated into the safety condition (42) to synthesize a control input satisfying (46) cf. (25).

Red color in Fig. 3 shows the result of executing the corresponding controller given by QP (43) with desired controller K_d(x_p, e_p, ė_p) = 0 and constraint (46). The controller is able to maintain safety as long as the HV travels at constant speed and the corresponding prediction accurately captures the HV's future motion (ê_p(t) = e_p(t) and ė̂_p(t) = ė_p(t)). Then, safety is violated once the HV starts to slow down and the prediction is no longer equal to the true future motion of the HV (ê_p(t) ≠ e_p(t) and ė̂_p(t) ≠ ė_p(t)).

While one can argue that the constant speed prediction is overly simplistic and more sophisticated predictions exist, the HV's future motion is inherently uncertain. Hence, we need to robustify the controller with respect to this uncertainty. Assuming that the HV's acceleration is limited to a range [−a_min, a_max], we have the following physical bounds for the environment prediction error: ε_ė = āτ and ε_e = āτ^2/2 with ā = max{a_min, a_max}. Then the robustified condition (44) leads to the form (47) cf. (46). Besides, it can be shown that replacing ā with a_min in (47) also implies (42). This provides a problem-specific bound that is less conservative than (47) if a_min < a_max.

The blue curve in Fig. 3 shows simulation results for a_min = a_max = 2.5 m/s^2 using controller (43) with the robustified constraint (47). By Theorem 2, the controller ensures safety even in the presence of the input delay, in a dynamic, uncertain environment.
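The ACC scenarios of Example 1 and of the delayed case above can be reproduced with the short simulation below, which is an added example and not code from the paper. Because equations (22)-(26) and (45)-(47) did not survive on this page, the model (s' = v, v' = u(t − τ) − p(v), H = κ̄(s_1 − s − l) − v, α(H) = γH) is reconstructed from the prose and is an assumption; the vehicle length, initial condition, HV speed profile and Euler step are constructed values.

```python
"""ACC safety filter from the paper's running example (added illustration).

Assumed model, reconstructed from the prose because the page's equations are lost:
    s' = v,  v' = u(t - tau) - p(v),  H = kappa*(s1 - s - l) - v,  alpha(H) = gamma*H
"""
from collections import deque

GAMMA, KAPPA = 3.0, 2.0   # gamma and kappa-bar from the page (SI units)
LENGTH = 5.0              # AV length l in m (assumed, not given on the page)
DT, T_END = 0.01, 30.0    # Euler step and horizon in s (assumed)


def p(v):
    """Resistance term p(v) = 0.1 + 0.0003 v^2 from the page."""
    return 0.1 + 0.0003 * v * v


def hv_accel(t):
    """Constructed HV profile: cruise, brake at 2 m/s^2 for 5 s, cruise again."""
    return -2.0 if 10.0 <= t < 15.0 else 0.0


def barrier(s, v, s1):
    """ECBF candidate: speed limit kappa*d minus the AV speed."""
    return KAPPA * (s1 - s - LENGTH) - v


def safe_accel_bound(s, v, s1, v1, eps_e=0.0, eps_edot=0.0):
    """Largest u with Hdot + gamma*H >= C, C = gamma*kappa*eps_e + kappa*eps_edot."""
    margin = GAMMA * KAPPA * eps_e + KAPPA * eps_edot
    return p(v) + KAPPA * (v1 - v) + GAMMA * barrier(s, v, s1) - margin


def simulate(tau=0.0, predictor=False, eps_e=0.0, eps_edot=0.0,
             bias_e=0.0, bias_edot=0.0):
    """Run one scenario and return the minimum of the true H over the run."""
    n_delay = round(tau / DT)
    pending = deque([0.0] * n_delay)      # input history u_t (zero initial history)
    s, v, s1, v1 = 0.0, 20.0, 35.0, 15.0  # constructed initial condition, H(0) = 40
    h_min = barrier(s, v, s1)
    for k in range(round(T_END / DT)):
        t = k * DT
        s1_hat, v1_hat = s1 + bias_e, v1 + bias_edot  # what the controller measures
        sp, vp = s, v
        if predictor:
            for u_past in pending:        # forward-integrate the AV over the delay
                sp, vp = sp + vp * DT, vp + (u_past - p(vp)) * DT
            s1_hat += v1_hat * tau        # constant-speed prediction of the HV
        bound = safe_accel_bound(sp, vp, s1_hat, v1_hat, eps_e, eps_edot)
        u_now = min(0.0, bound)           # QP with desired input 0, one scalar constraint
        pending.append(u_now)
        u_applied = pending.popleft()     # this is u(t - tau)
        s, v = s + v * DT, v + (u_applied - p(v)) * DT
        s1, v1 = s1 + v1 * DT, v1 + hv_accel(t) * DT
        h_min = min(h_min, barrier(s, v, s1))
    return h_min


def run_cases():
    """Minimum true H for each scenario discussed on the page."""
    a_bar, tau = 2.5, 1.0                 # braking limit and delay used on the page
    return {
        "delay-free, exact measurements": simulate(),
        "delay-free, +1 m and +1 m/s bias": simulate(bias_e=1.0, bias_edot=1.0),
        "delay-free, biased, robust (eps = 1.4)": simulate(
            bias_e=1.0, bias_edot=1.0, eps_e=1.4, eps_edot=1.4),
        "tau = 1 s, delay-free design": simulate(tau=tau),
        "tau = 1 s, predictor only": simulate(tau=tau, predictor=True),
        "tau = 1 s, predictor, robust": simulate(
            tau=tau, predictor=True, eps_e=a_bar * tau**2 / 2, eps_edot=a_bar * tau),
    }


if __name__ == "__main__":
    for name, h_min in run_cases().items():
        print(f"{name:42s} min H = {h_min:8.3f}  ({'safe' if h_min >= -1e-9 else 'UNSAFE'})")
```

A negative minimum of H means the AV left the safe set at some point in the run; the robust cases keep a positive margin, which is the conservatism discussed in the text.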
The price of robustness is slight conservatism: the system does not exactly get to the boundary of the safe set but keeps a small distance, since the controller considers the 2.5 m/s^2 braking limit as opposed to the actual 2 m/s^2 braking over the 1 s delay interval.

Now we apply the theoretical constructions of this paper to a real-life robotic system: we consider the control of a Ninebot E+ Segway platform [52] shown in Fig. 4(a). We intend to drive the Segway so that it safely avoids a moving obstacle, even when the obstacle position is uncertain and there is a delay in the control loop. We conduct numerical simulations of the Segway's motion using a high-fidelity dynamical model.

We characterize the planar motion of the Segway using its position p and pitch angle ϕ via the mechanical model shown in Fig. 4(b,c). Fig. 4(b) illustrates the Segway in equilibrium, where the center of mass of its frame (point G) is located above the wheel center (point C). Notice that the frame is asymmetric and its axis is tilted in equilibrium at an offset angle ϕ_0. Fig. 4(c) shows the Segway in motion, executing the obstacle avoidance, and Fig. 4(d) illustrates a simplified representation of the wheel and frame.

Our goal is to drive the Segway forward with a desired speed ṗ_d while avoiding a moving, circular obstacle centered at [e, y] (point E in Fig. 4) with radius r. The obstacle represents the environment of the Segway. We intend to control the Segway such that its tip - point T in Fig. 4, located at distance from the wheel center - does not collide with the obstacle. The obstacle moves horizontally with constant speed v_obs: e = e_0 − t v_obs, ė = −v_obs, ẏ = 0. For the numerical case study, we consider ṗ_d = 1 m/s, r = 0.2 m, v_obs = 0.5 m/s, e_0 = 1 m and y = 1.0418 m (for this value, point T is located 0.05 m above the bottom of the obstacle when the Segway is in equilibrium).
First, we consider safety-critical control by neglecting the time delay that may arise in the Segway's control loop, then we address the effects of delays. We describe the dynamics of the Segway using its position $p$ and pitch angle $\phi$ as a planar, two-degrees-of-freedom system with general coordinates $q = [p, \phi] \in Q$. With the general velocities $\dot q = [v, \omega] \in \mathbb{R}^2$, the state becomes $x = [p, \phi, v, \omega] \in X$. Note that the configuration space is $Q = \mathbb{R} \times [0, 2\pi]$ and the state space is $X = Q \times \mathbb{R}^2$. The control input $u$ is the voltage applied on the motors at the wheels, $u \in \mathbb{R}$. The dynamics are governed by For the derivation of this equation and the detailed expressions of $f_v$, $f_\omega$, $g_v$ and $g_\omega$, please refer to Appendix II-A. The model parameters were identified in [52] and are listed in Table I. We track the desired speed $\dot p_{\rm d}$ by the desired controller with gains $K_{\dot p} = 8$ Vs/m, $K_{\phi} = 40$ V/rad, $K_{\dot\phi} = 10$ Vs/rad, that also stabilizes the Segway to the upright position. To avoid the moving obstacle, we construct the ECBF candidate where $d$ is the vector pointing from the obstacle center to the tip of the Segway. We seek to maintain safety with respect to the environmental safe set (8) using Theorem 2. However, $H$ is not a valid ECBF: $\dot H$ does not depend on the input $u$ since $\nabla_x H(x, e) g(x) = 0$. Therefore, we consider a dynamic extension of the ECBF based on [48]. We define the following extended environmental control barrier function: with $\gamma_{\rm e} > 0$, whose derivative depends on the control input $u$: With this choice, $H_{\rm e}(x, e, \dot e) \geq 0$ is equivalent to (11) in Theorem 2 considering a linear class K function with gradient $\gamma_{\rm e}$. Thus, safety is achieved if $H_{\rm e}$ is kept nonnegative for all time, which can be enforced if $H_{\rm e}(x_0, e_0, \dot e_0) \geq 0$ and according to Theorem 2. Notice that this condition involves the second derivative $\ddot e$ as well.
We implement a QP-based controller similar to (15), with desired controller (49) and constraint (53) using the linear class K function $\alpha(H_{\rm e}) = \gamma H_{\rm e}$ with $\gamma = 7.5\ {\rm s}^{-1}$ and $\gamma_{\rm e} = 7.5\ {\rm s}^{-1}$. The performance of the controller is demonstrated in Fig. 5 for a scenario with known obstacle position. Snapshots of the motion are illustrated at the bottom whereas the characteristics of the motion are quantified at the top. Panel (a) shows that the Segway tracks the desired velocity ($\dot p \approx \dot p_{\rm d}$) in upright position ($\phi \approx 0$) until it has to evade the obstacle. Panel (b) indicates that the obstacle is safely avoided as $H$ is positive for all time. Panel (c) shows the corresponding phase portrait, whereas panel (d) indicates the desired and actual control inputs.
Now we consider the dynamics with input delay $\tau > 0$ arising from sensory, feedback and actuation latencies: cf. (48). The effect of the delay is illustrated in Fig. 6. Here the same delay-free control design is used as in Fig. 5, but the dynamics are subject to the input delay $\tau = 0.1$ s. Although the Segway realizes a stable motion, the delay leads to safety violation: the Segway collides with the obstacle ($H$ becomes negative in Fig. 6(b)). While collision could be avoided by buffering the obstacle, formal safety guarantees no longer hold with delay. Moreover, the control input is much larger for the case with input delay than without delay, cf. Fig. 5(d) and Fig. 6(d). Although this example did not consider physical bounds on the control input, large inputs are undesired, and safety-critical control could become infeasible when considering input bounds. To overcome the unsafe behavior, the delay needs to be incorporated into the control design. The input delay can be tackled via predictor feedback, using Theorem 4. We assume that the state $x_{\rm p}$ is accurately predicted ($\hat x_{\rm p} = x_{\rm p}$), while the predictions $e_{\rm p}$, $\dot e_{\rm p}$ and $\ddot e_{\rm p}$ of the environment are uncertain.
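Hence the controller relies on estimates $\hat e_{\rm p}$, $\hat{\dot e}_{\rm p}$ and $\hat{\ddot e}_{\rm p}$ and their error bounds $\|e_{\rm p} - \hat e_{\rm p}\| \leq \varepsilon_e$, $\|\dot e_{\rm p} - \hat{\dot e}_{\rm p}\| \leq \varepsilon_{\dot e}$ and $\|\ddot e_{\rm p} - \hat{\ddot e}_{\rm p}\| \leq \varepsilon_{\ddot e}$. Analogously to (44), we use the robustified safety constraint
$$\dot H_{\rm e}(x_{\rm p}, \hat e_{\rm p}, \hat{\dot e}_{\rm p}, \hat{\ddot e}_{\rm p}, u) - C(\varepsilon_e, \varepsilon_{\dot e}, \varepsilon_{\ddot e}, u) \geq -\alpha\big(H_{\rm e}(x_{\rm p}, \hat e_{\rm p}, \hat{\dot e}_{\rm p})\big), \tag{55}$$
with
$$\begin{aligned} C(\varepsilon_e, \varepsilon_{\dot e}, \varepsilon_{\ddot e}, u) ={}& (L_{\nabla H_{\rm e} f, e} + L_{\alpha \circ H_{\rm e}, e} + L_{\nabla H_{\rm e} \dot e, e} + L_{\nabla H_{\rm e} \ddot e, e})\,\varepsilon_e \\ &+ (L_{\nabla H_{\rm e} f, \dot e} + L_{\alpha \circ H_{\rm e}, \dot e} + L_{\nabla H_{\rm e} \dot e, \dot e} + L_{\nabla H_{\rm e} \ddot e, \dot e})\,\varepsilon_{\dot e} + L_{\nabla H_{\rm e} \ddot e, \ddot e}\,\varepsilon_{\ddot e} \\ &+ (L_{\nabla H_{\rm e} g, e}\,\varepsilon_e + L_{\nabla H_{\rm e} g, \dot e}\,\varepsilon_{\dot e})\,\|u\|, \end{aligned} \tag{56}$$
cf. (21). Here $L$ denotes the Lipschitz coefficient of the subscripted function with respect to the argument at the end of the subscript. These coefficients were determined based on the detailed expressions of the Segway dynamics, and they are listed in Appendix II-B. Fig. 7 shows the implementation of the corresponding QP-based controller, similar to (43), with desired controller (49) applied on the predicted state and with constraint (55). The true future of the environment is given by $\ddot e_{\rm p} = 0$, $\dot e_{\rm p} = -v_{\rm obs}$ and $e_{\rm p} = e - v_{\rm obs}\tau$, which is unknown to the controller. Instead, the controller relies on the prediction $\hat{\ddot e}_{\rm p} = 0$, $\hat{\dot e}_{\rm p} = -(v_{\rm obs} - \Delta v)$ and $\hat e_{\rm p} = e - (v_{\rm obs} - \Delta v)\tau$. That is, we consider that the speed of the obstacle is underestimated by $\Delta v = 0.05$ m/s. The controller is robustified with respect to the prediction error using the error bounds $\varepsilon_{\ddot e} = 0$, $\varepsilon_{\dot e} = 0.055$ m/s and $\varepsilon_e = \tau \varepsilon_{\dot e} = 0.0055$ m. With the proposed robust controller, the Segway is able to safely execute the obstacle avoidance task, despite the delay in the control loop and the uncertainty in the obstacle's future position. The Segway achieves this with a qualitatively different motion than in the delay-free case. For zero delay in Fig. 5, the Segway pitches backwards to go under the obstacle. For nonzero delay in Fig. 7, the Segway first moves in reverse to get away from the obstacle, then pitches forward to go under it. Notably, this behavior is automatically generated by the control barrier function, and with provable guarantees of safety.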
We have discussed safety-critical control for systems with input delay that operate in a dynamically evolving environment. We have provided formal safety guarantees and proofs thereof. We have established a method for safe control synthesis by proposing environmental control barrier functions and integrating them with predictor feedback. We have strengthened the underlying safety condition to provide robustness against uncertain environments, in which the future of the environment cannot be predicted accurately but bounds on the related prediction error are known. The resulting control design utilizes worst-case uncertainty bounds and is provably safe. We have demonstrated the method by an adaptive cruise control problem where the motion of other road participants creates an uncertain environment, and by a Segway controller executing a moving obstacle avoidance task. Our future work includes further analysis of prediction errors, control of systems with both state and input delays, and considering control barrier functionals acting on delayed states.
Fig. 7. Safety-critical control of the Segway to avoid a moving obstacle. The dynamics (54) involve an input delay that is compensated via predictor feedback. The controller is designed based on (55), taking into account prediction errors. The Segway successfully accomplishes the obstacle avoidance task despite the delay and the uncertain future motion of the obstacle.
This appendix shows the derivation of the solution (6) to the quadratic program (7) for the case without input constraints ($U = \mathbb{R}^m$). Let us define $\Delta k(x) = k(x) - k_{\rm d}(x)$ and consider the expressions of $\dot h(x, u)$ in (4) and $\varphi_0(x)$, $\varphi_1(x)$ in (7) with $\varphi_1(x) \neq 0$. Then, we can restate (6) as This optimization problem has convex objective and affine constraint, hence the Karush-Kuhn-Tucker (KKT) conditions [47] provide the necessary and sufficient conditions for optimality. The KKT optimality conditions imply that there exists a Lagrange multiplier $\mu : X \to \mathbb{R}$ such that $\mu(x)$ and $\Delta k(x)$ satisfy which are referred to as dual feasibility, stationary, primal feasibility and complementary slackness conditions, respectively. We decompose the dual feasibility condition (58) into two cases: $\mu(x) = 0$ and $\mu(x) > 0$. For $\mu(x) = 0$, the stationary condition (59) gives and with the primal feasibility condition (60) this leads to For $\mu(x) > 0$, the complementary slackness condition (61) implies Recall that $\varphi_0(x)$ is a scalar ($\varphi_0(x) \in \mathbb{R}$), $\varphi_1(x)$ is a vector ($\varphi_1(x) \in \mathbb{R}^n$), $\varphi_1(x)$ is nonzero, and its right pseudoinverse is denoted by $\varphi_1^+(x) = \varphi_1^\top(x)/(\varphi_1(x)\varphi_1^\top(x))$. Then, we can express $\Delta k(x)$ from (64) as Furthermore, we can show that $\varphi_0(x) < 0$ holds by expressing $\varphi_0(x)$ from (64) and substituting the stationary condition (59): where we used that $\mu(x) > 0$ and $\varphi_1(x)\varphi_1^\top(x) > 0$. In summary, for $\mu(x) = 0$ we have $\Delta k(x) = 0$ and $\varphi_0(x) \geq 0$, while $\mu(x) > 0$ implies $\Delta k(x) = -\varphi_0(x)\varphi_1^+(x)$ and $\varphi_0(x) < 0$. These can be written as or more compactly as [10] $\Delta k(x) = \max\{-\varphi_0(x), 0\}\varphi_1^+(x)$. Since $k(x) = k_{\rm d}(x) + \Delta k(x)$, we finally obtain (7) as the solution to the quadratic program (6).
Here we derive the governing equations of the Segway model described in Section V, using Lagrange equations of the second kind. This reproduces the model in [52]. Then, we describe the ECBF and the corresponding Lipschitz coefficients for the obstacle avoidance task. The Segway's mechanical model is shown in Fig. 4. This planar model contains two rigid bodies: the frame and the wheels. The two wheels are considered to be identical, hence they are treated together with their combined mass and inertia, while the voltage and torque at the two motors are assumed to be the same.
We denote the center of the wheels by point C, the center of mass (CoM) of the frame by point G, their distance by $L$ and the wheel radius by $R$. We measure the pitch angle such that $\phi = 0$ in equilibrium position, where G is located above C. Note that since the frame is asymmetric, the frame axis is not vertical in equilibrium, but it has an offset angle $\phi_0$. Assuming the wheels are rolling without slipping, the angular velocities $\omega_{\rm w}$ and $\omega_{\rm f}$ of the wheel and the frame and the velocities $v_{\rm C}$ and $v_{\rm G}$ of points C and G can be calculated by Then, with the mass $M$ and mass moment of inertia $J_{\rm C}$ of the wheels and the mass $m$ and mass moment of inertia $J_{\rm G}$ of the frame the kinetic energy of the Segway is where $m_0 = m + M + J_{\rm C}/R^2$ and $J_0 = mL^2 + J_{\rm G}$. The potential energy of the Segway is The power of the total driving torque $M_{\rm d}$ exerted by the two motors at the wheels can be expressed as yielding the general forces $Q_p = M_{\rm d}/R$ and $Q_\phi = -M_{\rm d}$. The driving torque $M_{\rm d}$ can be related to the voltage $u$ of the motors. We regard the voltage as control input, obtained from the following motor model: where $i$ is the armature current, $R_{\rm a}$ is the armature resistance, $K_{\rm b}$ is the back electromagnetic field constant of the motors and $K_{\rm t}$ is the torque constant of the motors. This implies the driving torque With these preliminaries, we can write Lagrange's equations which, after substitution, lead to Ultimately, we obtain the equations of motion in the form $D(q)\ddot q + H(q, \dot q) = Bu$, with the inertia matrix $D(q)$, Coriolis and gravity terms included in $H(q, \dot q)$ and input matrix $B$:
$$D(q) = \begin{bmatrix} m_0 & mL\cos\phi \\ mL\cos\phi & J_0 \end{bmatrix}, \quad B = \begin{bmatrix} K_{\rm m}/R \\ -K_{\rm m} \end{bmatrix}, \quad H(q, \dot q) = \begin{bmatrix} -mL\sin\phi\,\dot\phi^2 + \frac{b_{\rm t}}{R}(\dot p - R\dot\phi) \\ -mgL\sin\phi - b_{\rm t}(\dot p - R\dot\phi) \end{bmatrix}.$$
The equations of motion can be rearranged to the first-order control-affine form (1): which leads to cf. (48). The expressions of the drift terms are whereas those of the control matrix read with parameters The values of all parameters are listed in Table I.
These were identified for the Ninebot E+ Segway platform in [52].
Now we give the detailed expressions of the extended ECBF in (51) and the corresponding Lipschitz coefficients in (56). The ECBF candidate in (50) with coefficients $h_0(x) = \big(p + \sin(\phi + \phi_0)\big)^2 + \big(R + \cos(\phi + \phi_0) - y\big)^2 - r^2$, $h_1(x) = -2\big(p + \sin(\phi + \phi_0)\big)$. Then, the extended ECBF in (51) becomes $H_{\rm e}(x, e, \dot e) = H_0(x) + H_1(x)e + h_1(x)\dot e + \gamma_{\rm e} e^2 + 2e\dot e$, where $H_0(x) = \nabla_p h_0(x)v + \nabla_\phi h_0(x)\omega + \gamma_{\rm e} h_0(x)$, Notice that $h_0$ and $h_1$ depend on the states $p$ and $\phi$ only, whose derivatives are independent of the control input $u$. The Lipschitz coefficients in (56) belong to the functions
$$\begin{aligned} \nabla_x H_{\rm e} f(x, e, \dot e) &= C_0(x) + C_1(x)e + C_2(x)\dot e, \\ \nabla_x H_{\rm e} g(x, e, \dot e) &= C_3(x) + C_4(x)e, \\ \nabla_e H_{\rm e} \dot e(x, e, \dot e) &= H_1(x)\dot e + 2\gamma_{\rm e} e\dot e + 2\dot e^2, \\ \nabla_{\dot e} H_{\rm e} \ddot e(x, e, \dot e, \ddot e) &= h_1(x)\ddot e + 2e\ddot e, \\ \alpha \circ H_{\rm e}(x, e, \dot e) &= \gamma H_0(x) + \gamma H_1(x)e + \gamma h_1(x)\dot e + \gamma\gamma_{\rm e} e^2 + 2\gamma e\dot e, \end{aligned}$$
where $C_0(x) = \nabla_x H_0(x)f(x)$, , For example, to identify the Lipschitz coefficients of $\nabla_e H_{\rm e} \dot e$, we can write Here we considered that the unknown environment state derivative $\dot e$ is restricted to a domain $D_{\dot e} \subseteq E$ to get local Lipschitz coefficients. Similarly, the unknown environment state $e$ and acceleration $\ddot e$ can also be restricted to some domains $D_e \subseteq E$ and $D_{\ddot e} \subseteq \mathbb{R}^l$. In the case of the Segway, we assumed that the obstacle's position and velocity are restricted to D Note that these coefficients may depend on the state $x$ or the estimates $\hat e$, $\hat{\dot e}$ and $\hat{\ddot e}$ to reduce conservatism, while they are independent of the unknown values $e$, $\dot e$ and $\ddot e$.
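The closed-form result of Appendix I, $\Delta k(x) = \max\{-\varphi_0(x), 0\}\varphi_1^+(x)$, written out as an added Python example (not code from the paper). It assumes the restated QP has the form $\min \tfrac{1}{2}\|\Delta k\|^2$ subject to $\varphi_0 + \varphi_1 \Delta k \geq 0$, which matches the KKT cases described in that appendix; the function names and the numeric values are constructed for illustration.

```python
import random

def pinv_right(phi1):
    """Right pseudoinverse of the nonzero row vector phi1: phi1^T / (phi1 phi1^T)."""
    n2 = sum(c * c for c in phi1)
    if n2 == 0.0:
        raise ValueError("phi1 must be nonzero")
    return [c / n2 for c in phi1]

def delta_k(phi0, phi1):
    """Closed form from Appendix I: max{-phi0, 0} * phi1^+."""
    scale = max(-phi0, 0.0)
    return [scale * c for c in pinv_right(phi1)]

def safe_input(k_d, phi0, phi1):
    """k = k_d + delta_k: the desired input with the minimal safety correction."""
    return [kd + d for kd, d in zip(k_d, delta_k(phi0, phi1))]

def kkt_check(phi0, phi1, dk, tol=1e-9):
    """Check the four KKT conditions of the assumed QP for a candidate dk.
    Stationarity dk = mu * phi1^T fixes the multiplier mu by projection."""
    n2 = sum(c * c for c in phi1)
    mu = sum(d * c for d, c in zip(dk, phi1)) / n2
    slack = phi0 + sum(c * d for c, d in zip(phi1, dk))
    return {
        "dual_feasibility": mu >= -tol,
        "stationarity": all(abs(d - mu * c) <= tol for d, c in zip(dk, phi1)),
        "primal_feasibility": slack >= -tol,
        "complementary_slackness": abs(mu * slack) <= tol,
    }

def no_better_feasible(phi0, phi1, trials=5000, seed=1):
    """True if no sampled feasible correction has a smaller norm than the closed form."""
    rng = random.Random(seed)
    best = sum(d * d for d in delta_k(phi0, phi1))
    for _ in range(trials):
        cand = [rng.uniform(-5.0, 5.0) for _ in phi1]
        feasible = phi0 + sum(c * d for c, d in zip(phi1, cand)) >= 0.0
        if feasible and sum(d * d for d in cand) < best - 1e-12:
            return False
    return True

if __name__ == "__main__":
    phi1 = [3.0, 4.0]                      # constructed values
    for phi0 in (2.0, -10.0):              # inactive and active constraint
        dk = delta_k(phi0, phi1)
        print(phi0, dk, kkt_check(phi0, phi1, dk), no_better_feasible(phi0, phi1))
```

With `phi0 = 2.0` the constraint is inactive and the correction is zero; with `phi0 = -10.0` the correction lands exactly on the constraint boundary.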
[1] Correct-by-construction adaptive cruise control: Two approaches
[2] Safety guaranteed connected cruise control
[3] Toward safety-aware informative motion planning for legged robots
[4] Faster: Fast and safe trajectory planner for flights in unknown environments
[5] Bridging the gap between safety and real-time performance in receding-horizon trajectory design for mobile robots
[6] Safe and fast tracking on a robot manipulator: Robust MPC and neural network control
[7] Distributed coordination control for multi-robot networks using Lyapunov-like barrier functions
[8] Nonsmooth barrier functions with applications to multi-robot systems
[9] Control of multi-agent systems with finite time control barrier certificates and temporal logic
[10] Safety-critical control of active interventions for COVID-19 mitigation
[11] Safety-critical control of compartmental epidemiological models with measurement delays
[12] Edge-weighted consensus-based formation control strategy with collision avoidance
[13] Collision free navigation with interacting, non-communicating obstacles
[14] Planning and decision-making for autonomous vehicles
[15] Safety in human-robot collaborative manufacturing environments: Metrics and control
[16] Safety barrier functions for human-robot interaction with industrial manipulators
[17] Online active safety for robotic manipulators
[18] Retarded Dynamical Systems: Stability and Characteristic Functions
[19] Measuring and modelling delays in robot manipulators for temporally precise control using machine learning
[20] Bayesian inference for time delay systems with application to connected automated vehicles
[21] Can the COVID-19 epidemic be controlled on the basis of daily test reports?
[22] Control barrier function based quadratic programs for safety critical systems
[23] Robust control barrier functions for constrained stabilization of nonlinear systems
[24] Input-to-state safety with control barrier functions
[25] Robust control barrier-value functions for safety-critical control
[26] Safe learning-based tracking control for quadrotors under wind disturbances
[27] Safe controller synthesis with tunable input-to-state safe control barrier functions
[28] Robust constrained stabilization control using control Lyapunov and control barrier function in the presence of measurement noises
[29] Control barrier functions for stochastic systems
[30] Guaranteeing safety of learned perception modules via measurement-robust control barrier functions
[31] Safe learning of quadrotor dynamics using barrier certificates
[32] Reinforcement learning for safety-critical control under model uncertainty, using control Lyapunov functions and control barrier functions
[33] Safety functionals for time delay systems
[34] Certifying safety for nonlinear time delay systems via safety functionals: A discretization based approach
[35] Safety guarantee for time-delay systems with disturbances by control barrier functionals
[36] Scalable computation of controlled invariant sets for discrete-time linear systems with input delays
[37] Control barrier functions for sampled-data systems with input delays
[38] Control barrier functions for constrained control of linear systems with input delay
[39] Constrained stabilization of multi-input linear systems with distinct input delays
[40] Delay Compensation for Nonlinear, Adaptive, and PDE Systems
[41] Nonlinear Control Under Nonconstant Delays. SIAM
[42] Predictor feedback for delay systems: Implementations and approximations
[43] Stability and stabilization of time-delay systems: An eigenvalue-based approach. SIAM
[44] Constrained control of input delayed systems with partially compensated input delays
[45] Safety-critical control of systems with time-varying input delay
[46] Characterizing safety: Minimal control barrier functions from scalar comparison systems
[47] Convex Optimization
[48] Exponential Control Barrier Functions for enforcing high relative-degree safety-critical constraints
[49] Control barrier functions for systems with high relative degree
[50] High-relative degree stochastic control Lyapunov and barrier functions
[51] Learning control barrier functions with high relative degree for safety-critical control
[52] Towards a framework for realizable safety critical control through active set invariance