Safe_and_Robust_Observer-Controller_Synthesis_Using_Control_Barrier_Functions

This document presents a method for synthesizing safe and robust observer-controller systems using Control Barrier Functions (CBFs) to ensure safety in the presence of disturbances and partial state information. It introduces two approaches for observer-controller interconnections, focusing on Input-to-State Stable and Bounded Error observers, and demonstrates the efficacy of these methods through simulations and experiments on a quadrotor. The primary contribution is the establishment of rigorous safety guarantees for interconnected observer-controllers despite bounded disturbances.

Uploaded by

yhajnorouzali
IEEE CONTROL SYSTEMS LETTERS, VOL. 7, 2023

Safe and Robust Observer-Controller Synthesis Using Control Barrier Functions

Devansh R. Agrawal, Graduate Student Member, IEEE, and Dimitra Panagou, Senior Member, IEEE

Abstract—This letter addresses the synthesis of safety-critical controllers using estimate feedback. We propose an observer-controller interconnection to ensure that the nonlinear system remains safe despite bounded disturbances on the system dynamics and measurements that correspond to partial state information. The co-design of observers and controllers is critical, since even in undisturbed cases, observers and controllers designed independently may not render the system safe. We propose two approaches to synthesize observer-controller interconnections. The first approach utilizes Input-to-State Stable observers, and the second uses Bounded Error observers. Using these stability and boundedness properties of the observation error, we construct novel Control Barrier Functions that impose inequality constraints on the control inputs which, when satisfied, certify safety. We propose quadratic program-based controllers to satisfy these constraints, and prove Lipschitz continuity of the derived controllers. Simulations and experiments on a quadrotor demonstrate the efficacy of the proposed methods.

Index Terms—Robust control, constrained control, observers for nonlinear systems.

Manuscript received 21 March 2022; revised 24 May 2022; accepted 6 June 2022. Date of publication 22 June 2022; date of current version 11 July 2022. This work was supported by the National Science Foundation (NSF) under Grant 1942907. Recommended by Senior Editor S. Tarbouriech. (Corresponding author: Devansh R. Agrawal.)
The authors are with the Aerospace Engineering Department, University of Michigan at Ann Arbor, Ann Arbor, MI 48105 USA (e-mail: [email protected]; [email protected]).
Digital Object Identifier 10.1109/LCSYS.2022.3185142
2475-1456 © 2022 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: University of Oklahoma Libraries. Downloaded on October 12,2023 at 22:19:06 UTC from IEEE Xplore. Restrictions apply.

I. INTRODUCTION

FOR SAFETY-CRITICAL systems, one must not only design controllers that prioritize system safety above all else, but also certify that the system will remain safe when deployed. In recent years, Control Barrier Functions (CBFs) [1] have become a popular method to design safety-critical controllers, since a certifiably safe control input can be computed efficiently for nonlinear systems. Many extensions have been proposed to address specific challenges in using CBFs, including robustness [2], [3], sampled-data considerations [4] and integration with high-level planners [5]. However, these works assume the controller has access to perfect state information. In most practical systems, the true state of the system is unknown and must be reconstructed using only (often noisy) measurements obtained from sensors. In such systems, it is common to design a full-state feedback controller, and then replace the state by an estimate provided by an observer [6, Sec. 8.7]. It is well established that a controller capable of stabilizing a system with perfect state information may fail to do so when using the state estimate [7, Ch. 12]. Similarly, the use of imperfect information for feedback control may cause safety violations.

In this letter, we study the implications on safety that arise due to imperfect and partially available information, and propose a method to design safe observer-controllers. This important challenge has only recently received some attention. Measurement-Robust CBFs [8] have been proposed to address control synthesis in output-feedback, in the context of vision-based control. The authors assume sensors are noiseless and an imperfect inverse of the measurement map is known, i.e., from a single measurement, a ball containing the true state is known. Using this bound, a second-order cone program-based controller was proposed, although the Lipschitz continuity of this controller is yet to be established [8]. For many safety-critical systems, the measurement maps are non-invertible, limiting the scope for this method.

In [9], a safety critical controller is proposed for stochastic systems, and a probabilistic safety guarantee is proved. The authors consider linear (non-invertible) measurement maps, additive Gaussian disturbances, and specifically use the Extended Kalman Filter (EKF) as the observer. In [10] this work is extended to consider a broader class of control-affine systems, and probabilistic guarantees of safety over a finite forward interval are obtained. Establishing safety in a deterministic (non-probabilistic) sense or using alternative observers remains challenging. It has also been demonstrated that in some cases, safety guarantees can be obtained by modeling the system as a Partially Observable Markov Decision Process, e.g., [11], although such methods are computationally expensive for high-dimensional systems and are more suitable for systems with discrete action/state spaces.

The primary contribution of this letter is in synthesizing safe and robust interconnected observer-controllers in such a manner as to establish rigorous guarantees of safety, despite bounded disturbances on the system dynamics and sensor measurements. We propose two approaches to solve this problem, owing to the wide range of nonlinear observers [6]. The first approach utilizes the class of Input-to-State Stable observers [12]. The second approach employs the more general

class of ‘Bounded Error’ observers, in which a set containing the state estimation error is known at all times. This class of observers includes the Deterministic Extended Kalman Filter (DEKF) [7, Ch. 11.2], Lyapunov-based sum-of-squares polynomial observers [13], and others discussed later. We show that our safe estimate-feedback controller can be obtained by solving quadratic programs (QP), and prove Lipschitz continuity of these controllers, allowing for low-computational complexity real-time implementation. The efficacy of the methods is demonstrated both in simulations and in experiments on a quadrotor.

II. PRELIMINARIES AND BACKGROUND

Notation: Let $\mathbb{R}$ be the set of reals, $\mathbb{R}_{\geq 0}$ the set of non-negative reals and $\mathbb{S}^n_{++}$ the set of symmetric positive definite matrices in $\mathbb{R}^{n \times n}$. $\lambda_{\min}(P)$, $\lambda_{\max}(P)$ denote the smallest and largest eigenvalues of $P \in \mathbb{S}^n_{++}$. For $x \in \mathbb{R}^n$, $x_i$ is the $i$-th element, $\|x\|$ is the Euclidean norm. The norm of a signal $w : \mathbb{R}_{\geq 0} \to \mathbb{R}^q$ is $\|w(t)\|_\infty \triangleq \sup_{t \geq 0} \|w(t)\|$. $\gamma_f$ denotes the Lipschitz constant of a Lipschitz-continuous function $f : \mathbb{R}^n \to \mathbb{R}^m$. Class $\mathcal{K}$, extended class $\mathcal{K}$ and class $\mathcal{KL}$ functions are as defined in [14]. Lie derivatives of a scalar function $h : \mathcal{X} \to \mathbb{R}$, ($\mathcal{X} \subset \mathbb{R}^n$), along a vector field $f : \mathcal{X} \to \mathbb{R}^n$ are denoted $L_f h(x) = \frac{\partial h}{\partial x}(x) f(x)$. If the vector field has an additional dependency, e.g., $f : \mathcal{X} \times \mathbb{R}^p \to \mathbb{R}^n$, the notation $L_f h(x, y) = \frac{\partial h}{\partial x}(x) f(x, y)$ is used.

1) System: Consider a nonlinear control-affine system:

$$\dot{x} = f(x) + g(x)u + g_d(x)d(t), \tag{1a}$$
$$y = c(x) + c_d(x)v(t), \tag{1b}$$

where $x \in \mathcal{X} \subset \mathbb{R}^n$ is the system state, $u \in \mathcal{U} \subset \mathbb{R}^m$ is the control input, $y \in \mathbb{R}^{n_y}$ is the measured output, $d : \mathbb{R}_{\geq 0} \to \mathbb{R}^{n_d}$ is a disturbance on the system dynamics, and $v : \mathbb{R}_{\geq 0} \to \mathbb{R}^{n_v}$ is the measurement disturbance. We assume $d$ and $v$ are piecewise continuous, bounded disturbances, $\sup_t \|d(t)\|_\infty = \bar{d}$ and $\|v(t)\|_\infty \leq \bar{v}$ for some known $\bar{d}, \bar{v} < \infty$. The functions $f : \mathcal{X} \to \mathbb{R}^n$, $g : \mathcal{X} \to \mathbb{R}^{n \times m}$, $c : \mathcal{X} \to \mathbb{R}^{n_y}$, $g_d : \mathcal{X} \to \mathbb{R}^{n \times n_d}$, and $c_d : \mathcal{X} \to \mathbb{R}^{n_y \times n_v}$ are all assumed to be locally Lipschitz continuous. Notice that $g_d(x)d(t)$ accounts for either matched or unmatched disturbances.

In observer-controller interconnections, the observer maintains a state estimate $\hat{x} \in \mathcal{X}$, from which the controller determines the control input. The observer-controller interconnection is defined to be of the form:

$$\dot{\hat{x}} = p(\hat{x}, y) + q(\hat{x}, y)u, \tag{2a}$$
$$u = \pi(t, \hat{x}, y), \tag{2b}$$

where $p : \mathcal{X} \times \mathbb{R}^{n_y} \to \mathbb{R}^n$, $q : \mathcal{X} \times \mathbb{R}^{n_y} \to \mathbb{R}^{n \times m}$ are locally Lipschitz in both arguments. The feedback controller $\pi : \mathbb{R}_{\geq 0} \times \mathcal{X} \times \mathbb{R}^p \to \mathcal{U}$ is assumed piecewise-continuous in $t$ and Lipschitz continuous in the other two arguments. Then, the closed-loop system formed by (1, 2) is

$$\dot{x} = f(x) + g(x)u + g_d(x)d(t), \tag{3a}$$
$$\dot{\hat{x}} = p(\hat{x}, y) + q(\hat{x}, y)u, \tag{3b}$$
$$x(0) = x_0, \quad \hat{x}(0) = \hat{x}_0, \tag{3c}$$

where $y$ and $u$ are defined in (1b) and (2b) respectively. Under the stated assumptions, there exists an interval $\mathcal{I} = \mathcal{I}(x_0, \hat{x}_0) = [0, t_{\max}(x_0, \hat{x}_0))$ over which solutions to the closed-loop system exist and are unique [15, Th. 3.1].

2) Safety: Safety is defined as the true state of the system remaining within a safe set, $\mathcal{S} \subset \mathcal{X}$, for all times $t \in \mathcal{I}$. The safe set $\mathcal{S}$ is defined as the super-level set of a continuously-differentiable function $h : \mathcal{X} \to \mathbb{R}$:

$$\mathcal{S} = \{x \in \mathcal{X} : h(x) \geq 0\}. \tag{4}$$

A state-feedback controller¹ $\pi : \mathbb{R}_{\geq 0} \times \mathcal{X} \to \mathcal{U}$ renders system (1) safe with respect to the set $\mathcal{S}$, if for the closed-loop dynamics $\dot{x} = f(x) + g(x)\pi(t, x) + g_d(x)d(t)$, the set $\mathcal{S}$ is forward invariant, i.e., $x(0) \in \mathcal{S} \implies x(t) \in \mathcal{S}\ \forall t \in \mathcal{I}$. In output-feedback we define safety as follows.

¹ In state-feedback the control input is determined from the true state, $u = \pi(t, x)$. In estimate-feedback the input is determined from the state estimate and measurements, $u = \pi(t, \hat{x}, y)$.

Definition 1: An observer-controller pair (2) renders system (1) safe with respect to a set $\mathcal{S} \subset \mathcal{X}$ from the initial-condition sets $\mathcal{X}_0, \hat{\mathcal{X}}_0 \subset \mathcal{S}$ if for the closed-loop system (3),

$$x(0) \in \mathcal{X}_0 \text{ and } \hat{x}(0) \in \hat{\mathcal{X}}_0 \implies x(t) \in \mathcal{S}\ \ \forall t \in \mathcal{I}. \tag{5}$$

Note the importance of the observer-controller connection, i.e., using only $\hat{x}(t)$, we must obtain guarantees on $x(t)$.

3) Control Barrier Functions: Control Barrier Functions (CBFs) have emerged as a tool to characterize and find controllers that can render a system safe [1]. Robust-CBFs [2] also account for the disturbances $d(t)$ in (1a). We introduce a modification to reduce conservatism, inspired by [3].

Definition 2: A continuously differentiable function $h : \mathcal{X} \to \mathbb{R}$ is a Tunable Robust CBF (TRCBF) for system (1) if there exists a class $\mathcal{K}$ function $\alpha$, and a continuous, non-increasing function $\kappa : \mathbb{R}_{\geq 0} \to \mathbb{R}$ with $\kappa(0) = 1$, s.t.

$$\sup_{u \in \mathcal{U}} L_f h(x) + L_g h(x)u + \alpha(h(x)) \geq \kappa(h(x)) \left\| L_{g_d} h(x) \right\| \bar{d}, \quad \forall x \in \mathcal{S}. \tag{6}$$

Examples include $\kappa(r) = 1$ and $\kappa(r) = 2/(1 + \exp(r))$.

Given a TRCBF $h$ for (1), the set of safe control inputs is

$$K_{\mathrm{trcbf}}(x) = \{u \in \mathcal{U} : L_f h(x) + L_g h(x)u - \kappa(h(x)) \left\| L_{g_d} h(x) \right\| \bar{d} \geq -\alpha(h(x))\}, \tag{7}$$

and a safe state-feedback controller is obtained by solving a QP, as in [2, eq. (30)]. The main question is:

Problem 1: Given a system (1) with disturbances of known bounds $\|d(t)\|_\infty \leq \bar{d}$, $\|v(t)\|_\infty \leq \bar{v}$, and a safe set $\mathcal{S}$ defined by (4), synthesize an interconnected observer-controller (2) and the initial condition sets $\mathcal{X}_0, \hat{\mathcal{X}}_0$ to render the system safe.

We study systems subject to disturbances with a known bound. We will use this bound to derive sufficient conditions on the control policy to guarantee safety satisfaction. In practice, a conservative upper bound can be used, although future work will address the probabilistic safety guarantees that are possible under probabilistic disturbances.
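Problem 1 on a concrete system, as an added example (not code from the letter or its repository): the double integrator (20) of Section IV with the Luenberger observer and $M_\delta(t)$ stated there, driven first by the baseline CBF-QP evaluated at $\hat{x}$ and then by the estimate-feedback constraint (15) of Section III-A. All numerical values (gains, $\theta$, $\delta$, initial states, the constant desired input, the Euler step) and the hand-derived closed form of $P$ are assumptions of this example; it reports the minimum of $h$ along the true trajectory.

```python
import math

# Constructed parameters for this illustration (not taken from the paper).
X_MAX, ALPHA0 = 1.0, 1.0      # wall position and slope alpha0 in h(x)
GAMMA_ALPHA = 5.0             # linear class-K gain, alpha(r) = GAMMA_ALPHA * r
THETA = 1.0                   # observer design parameter theta > 0
DELTA = 0.2                   # bound on the initial estimation error norm
U_DES = 10.0                  # desired input: keep accelerating toward the wall
DT, T_END = 1e-3, 5.0         # forward-Euler step and simulation horizon


def h(x1, x2):
    """CBF of Section IV-1: h(x) = -x2 + alpha0 * (xmax - x1)."""
    return -x2 + ALPHA0 * (X_MAX - x1)


def observer_design(theta):
    """Return the gain L = 0.5 P^-1 C^T and sqrt(lmax(P) / lmin(P)).

    For A = [[0, 1], [0, 0]], C = [1, 0] the equation
    P A + A^T P - C^T C = -2 theta P has the closed-form solution
    P = [[a, b], [b, c]] below (worked out by hand for this example).
    """
    a, b, c = 1 / (2 * theta), -1 / (4 * theta**2), 1 / (4 * theta**3)
    det = a * c - b * b
    gain = (0.5 * c / det, -0.5 * b / det)   # half the first column of P^-1
    mean, rad = (a + c) / 2, math.hypot((a - c) / 2, b)
    return gain, math.sqrt((mean + rad) / (mean - rad))


def simulate(mode, x0, xhat0):
    """Minimum over time of h(true state); mode is 'baseline' or 'approach1'."""
    (l1, l2), cond = observer_design(THETA)
    gamma_h = math.hypot(ALPHA0, 1.0)        # Lipschitz constant of the linear h
    m0 = cond * DELTA                        # M_delta(0)
    x1, x2 = x0
    xh1, xh2 = xhat0
    min_h = h(x1, x2)
    for k in range(int(round(T_END / DT))):
        innov = x1 - xh1                     # y - C xhat with y = x1, no noise
        if mode == "baseline":
            # CBF-QP derived for the true state, evaluated at the estimate.
            u_max = -ALPHA0 * xh2 + GAMMA_ALPHA * h(xh1, xh2)
        else:
            m = m0 * math.exp(-THETA * k * DT)   # M_delta(t)
            m_dot = -THETA * m
            # Lie derivative along the observer drift p; here L_q h = -1.
            lp_h = -ALPHA0 * (xh2 + l1 * innov) - l2 * innov
            u_max = (lp_h + GAMMA_ALPHA * (h(xh1, xh2) - gamma_h * m)
                     - gamma_h * m_dot)
        u = min(U_DES, u_max)                # scalar QP = clip the desired input
        x1, x2 = x1 + DT * x2, x2 + DT * u
        xh1, xh2 = xh1 + DT * (xh2 + l1 * innov), xh2 + DT * (u + l2 * innov)
        min_h = min(min_h, h(x1, x2))
    return min_h


def initial_conditions_ok(x0, xhat0):
    """Check (12)-(13): h(xhat0) >= gamma_h * M(0) and ||x0 - xhat0|| <= delta."""
    _, cond = observer_design(THETA)
    gamma_h = math.hypot(ALPHA0, 1.0)
    err = math.hypot(x0[0] - xhat0[0], x0[1] - xhat0[1])
    return h(*xhat0) >= gamma_h * cond * DELTA and err <= DELTA


def compare():
    """Run both controllers from the same constructed initial conditions."""
    xhat0 = (0.0, 0.0)
    x0 = (0.1, 0.15)   # true state is ahead of, and faster than, the estimate
    assert initial_conditions_ok(x0, xhat0)
    return {mode: simulate(mode, x0, xhat0) for mode in ("baseline", "approach1")}


if __name__ == "__main__":
    for mode, value in compare().items():
        print(f"{mode:10s} min h(x(t)) = {value:+.4f}")
```

With these values the baseline lets $h(x(t))$ go negative while the observer is still converging, whereas the margin $\gamma_h M_\delta(t)$ in (15) keeps it positive over the whole horizon.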


III. MAIN RESULTS

A. Approach 1

Approach 1 relies on defining a set of state estimates, $\hat{\mathcal{S}} \subset \mathcal{X}$, such that if the estimate $\hat{x}$ lies in $\hat{\mathcal{S}}$, the true state $x$ lies in the safe set $\mathcal{S}$. The controller is designed to ensure $\hat{x} \in \hat{\mathcal{S}}$ at all times. We consider Input-to-State Stable observers:

Definition 3 (Adapted From [12]): An observer (2) is an Input-to-State Stable (ISS) Observer for system (1), if there exists a class $\mathcal{KL}$ function $\beta$ continuously differentiable wrt the second argument, and a class $\mathcal{K}$ function $\eta$ such that

$$\|x(t) - \hat{x}(t)\| \leq \beta(\|x(0) - \hat{x}(0)\|, t) + \eta(\bar{w}), \quad \forall t \in \mathcal{I}, \tag{8}$$

where $\bar{w} = \max(\bar{d}, \bar{v})$.

Various methods to design ISS observers for nonlinear systems have been developed, and the reader is referred to [6], [12], [16], [17], [18] and references within for specific techniques.

The key property of an ISS observer is that the estimation error is bounded with a known bound: for any $\delta > 0$, there exists a continuously differentiable, non-increasing function $M_\delta : \mathbb{R}_{\geq 0} \to \mathbb{R}_{\geq 0}$, such that

$$\|x(0) - \hat{x}(0)\| \leq \delta \implies \|x(t) - \hat{x}(t)\| \leq M_\delta(t)\ \ \forall t \in \mathcal{I}. \tag{9}$$

Comparing (8) and (9), $M_\delta(t) = \beta(\delta, t) + \eta(\bar{w})$. Define

$$\hat{\mathcal{S}} = \{\hat{x} \in \mathcal{X} : h(\hat{x}) - \gamma_h M_\delta(t) \geq 0\}, \tag{10}$$

the set of safe state-estimates, and we obtain the property $\hat{x}(t) \in \hat{\mathcal{S}} \implies x(t) \in \mathcal{S}$ by the Lipschitz continuity of $h$.² Then the conditions to guarantee safety are as follows:

Definition 4: A continuously differentiable function $h : \mathcal{X} \to \mathbb{R}$ is an Observer-Robust CBF for system (1) with an ISS observer (2a) of known estimation error bound (9), if there exists an extended class $\mathcal{K}$ function $\alpha$ s.t.³

$$\sup_{u \in \mathcal{U}} L_p h(\hat{x}, y) + L_q h(\hat{x}, y)u \geq -\alpha(h(\hat{x}) - \gamma_h M_\delta(0)) \tag{11}$$

for all $\hat{x} \in \mathcal{S}$, and all $y \in \mathcal{Y}(\hat{x}) = \{y : y = c(x) + c_d(x)v(t) \mid \|x - \hat{x}\| \leq M_\delta(0), \|v\| \leq \bar{v}\}$, an overapproximation of the set of possible outputs.⁴

Theorem 1: For system (1), suppose the observer (2a) is ISS with estimation error bound (9). Suppose $\mathcal{S}$ is defined by an Observer-Robust CBF $h : \mathcal{X} \to \mathbb{R}$ associated with extended class $\mathcal{K}$ function $\alpha$. If the initial conditions satisfy

$$\hat{x}(0) \in \hat{\mathcal{X}}_0 = \{\hat{x} \in \mathcal{S} : h(\hat{x}) \geq \gamma_h M_\delta(0)\}, \tag{12}$$
$$x(0) \in \mathcal{X}_0 = \{x \in \mathcal{S} : \|x(0) - \hat{x}(0)\| \leq \delta\}, \tag{13}$$

then any Lipschitz continuous estimate-feedback controller $u = \pi(t, \hat{x}, y) \in K_{\mathrm{orcbf}}(t, \hat{x}, y)$ where

$$K_{\mathrm{orcbf}}(t, \hat{x}, y) = \{u \in \mathcal{U} : L_p h(\hat{x}, y) + L_q h(\hat{x}, y)u \geq -\alpha\big(h(\hat{x}) - \gamma_h M_\delta(t)\big) + \gamma_h \dot{M}_\delta(t)\} \tag{14}$$

renders the system safe from the initial-condition sets $\mathcal{X}_0, \hat{\mathcal{X}}_0$.

Proof: Consider the function $H(t, \hat{x}) = h(\hat{x}) - \gamma_h M_\delta(t)$. By the Lipschitz continuity of $h$, and (9), $H(t, \hat{x}) \geq 0 \implies h(x) \geq 0$. The total derivative of $H$ is

$$\dot{H} = \frac{\partial H}{\partial t} + \frac{\partial H}{\partial \hat{x}} \dot{\hat{x}} = -\gamma_h \dot{M}_\delta + L_p h(\hat{x}, y) + L_q h(\hat{x}, y)u$$

therefore, for any $\pi(t, \hat{x}, y) \in K_{\mathrm{orcbf}}(t, \hat{x}, y)$ we have $\dot{H} \geq -\alpha(H)$. Since $H(0, \hat{x}_0) \geq 0$ (from the initial condition (12)), $H(t, \hat{x}) \geq 0,\ \forall t \in \mathcal{I}$, completing the proof.

Remark 1: Under the same assumptions as Theorem 1, if $\mathcal{U} = \mathbb{R}^m$ and a desired control input $\pi_{\mathrm{des}} : \mathbb{R}_{\geq 0} \times \mathcal{X} \to \mathbb{R}^m$ is provided, a QP-based safe estimate-feedback controller is

$$\pi(t, \hat{x}, y) = \underset{u \in \mathbb{R}^m}{\operatorname{argmin}} \ \|u - \pi_{\mathrm{des}}(t, \hat{x})\|^2, \quad \text{s.t. } L_p h(\hat{x}, y) + L_q h(\hat{x}, y)u \geq -\alpha(h(\hat{x}) - \gamma_h M_\delta(t)) + \gamma_h \dot{M}_\delta(t) \tag{15}$$

Remark 2: The constraint in (15) does not explicitly depend on the disturbances $d(t)$ and $v(t)$, since the effect of these disturbances is captured by the estimation error bound $M_\delta(t)$. Furthermore, since $\gamma_h \dot{M}_\delta(t) \leq 0$,⁵ the constraint (15) is easier to satisfy for higher convergence rates of the observer.

Remark 3: For a linear class $\mathcal{K}$ function, $\alpha(r) = \gamma_\alpha r$, if $\dot{M}_\delta \leq -\gamma_\alpha M_\delta(t)$, a sufficient condition for (15) is

$$L_p h(\hat{x}, y) + L_q h(\hat{x}, y)u \geq -\gamma_\alpha h(\hat{x}),$$

which does not depend on the bound $M_\delta(t)$ or Lipschitz constant $\gamma_h$. In other words, if the observer converges faster than the rate at which the boundary of the safe set is approached, i.e., if $\dot{M}_\delta \leq -\gamma_\alpha M_\delta$, then a safe control input can be obtained without explicit knowledge of $M_\delta$ or $\gamma_h$. This matches the general principle that for good performance observers should converge faster than controllers.

² By Lipschitz continuity, $|h(x) - h(\hat{x})| \leq \gamma_h \|x - \hat{x}\| \implies h(\hat{x}) - \gamma_h \|x - \hat{x}\| \leq h(x)$. Therefore, if $\hat{x} \in \hat{\mathcal{S}}$, then $0 \leq h(\hat{x}) - \gamma_h M_\delta(t) \leq h(\hat{x}) - \gamma_h \|x - \hat{x}\| \leq h(x)$, i.e., $x \in \mathcal{S}$. Thus, $\hat{x} \in \hat{\mathcal{S}} \implies x \in \mathcal{S}$.
³ Recall the notation $L_p h(\hat{x}, y) = \frac{\partial h}{\partial x}(\hat{x}) p(\hat{x}, y)$.
⁴ $\mathcal{Y}$ is defined using $M_\delta(0)$ instead of $\delta$ since $\mathcal{Y}(\hat{x}(t))$ must contain the set of possible outputs at time $t$ for all $t \in \mathcal{I}$.
⁵ Since $M_\delta(t) = \beta(\delta, t) + \eta(\bar{w})$, and $\beta$ is a class $\mathcal{KL}$ function, $\dot{M}_\delta(t) = \partial\beta/\partial t < 0$. Finally since $\gamma_h \in \mathbb{R}_{\geq 0}$ is a Lipschitz constant, $\gamma_h \dot{M}_\delta(t) \leq 0$.

B. Approach 2

While in Approach 1 we used the stability guarantees of ISS observers to obtain safe controllers, in Approach 2 we consider observers that only guarantee boundedness of the estimation error. First, we define Bounded-Error Observers:

Definition 5: An observer (2a) is a Bounded-Error (BE) Observer, if there exists a bounded set $\mathcal{D}(\hat{x}_0) \subset \mathcal{X}$ and a (potentially) time-varying bounded set $\mathcal{P}(t, \hat{x}) \subset \mathcal{X}$ s.t.

$$x_0 \in \mathcal{D}(\hat{x}_0) \implies x(t) \in \mathcal{P}(t, \hat{x})\ \ \forall t \in \mathcal{I}. \tag{16}$$

Figure 1 depicts the sets $\mathcal{D}$ and $\mathcal{P}$. Note, ISS observers are a subset of BE observers, using the definitions $\mathcal{D}(\hat{x}_0) = \{x : \|x - \hat{x}_0\| \leq \delta\}$ and $\mathcal{P}(t, \hat{x}) = \{x : \|x - \hat{x}(t)\| \leq M_\delta(t)\}$. BE observers are more general than ISS observers in the following ways: (A) The sets $\mathcal{D}$ and $\mathcal{P}$ do not have to be norm-balls. For example, they could be zonotopes [19], intervals [20], or sub-level sets of sum-of-squares polynomials [21]. (B) The shape and size of $\mathcal{P}$ is allowed to change over time.

The idea is to find a common, safe input for all $x \in \mathcal{P}(t, \hat{x})$:

Theorem 2: For system (1), suppose the observer (2a) is a Bounded-Error observer. Suppose the safe set $\mathcal{S}$ is defined by a continuously differentiable function $h : \mathcal{X} \to \mathbb{R}$, where $h$ is a Tunable Robust-CBF for the system.


Suppose $\pi : \mathbb{R}_{\geq 0} \times \mathcal{X} \to \mathcal{U}$ is an estimate-feedback controller, piecewise-continuous in the first argument and Lipschitz continuous in the second, s.t.

$$\pi(t, \hat{x}) \in \bigcap_{x \in \mathcal{P}(t, \hat{x})} K_{\mathrm{trcbf}}(x), \tag{17}$$

where $K_{\mathrm{trcbf}}$ is defined in (7). Then the observer-controller renders the system safe from the initial-condition sets $x(0) \in \mathcal{X}_0 = \mathcal{D}(\hat{x}_0)$ and $\hat{x}_0 \in \hat{\mathcal{X}}_0 = \{\hat{x} : \mathcal{P}(0, \hat{x}_0) \subset \mathcal{S}\}$.

Proof: The total derivative of $h$ for any $x \in \partial\mathcal{S}$ and $\pi(t, \hat{x}) \in K_{\mathrm{trcbf}}(x)$ satisfies

$$\begin{aligned}
\dot{h} &= L_f h(x) + L_g h(x)\pi(t, \hat{x}) + L_{g_d} h(x) w(t) \\
&\geq L_f h(x) + L_g h(x)\pi(t, \hat{x}) - \kappa(0) \left\| L_{g_d} h(x) \right\| \bar{w} \\
&\geq -\alpha(0) = 0
\end{aligned}$$

since $h(x) = 0$, $\kappa(0) = 1$, and $x(t) \in \mathcal{P}(t, \hat{x})$. Therefore, at any $x \in \partial\mathcal{S}$, $\dot{h} \geq 0$, i.e., the system remains safe [22].

Fig. 1. Depiction of Input-to-State Stable observers and Bounded-Error observers. (a) In ISS observers, the estimation error is bounded by a norm-ball, and must be non-increasing in time. (b) In BE observers, the state estimate must be contained in a bounded set $\mathcal{P}(t, \hat{x})$.

In general, designing a controller satisfying (17) can be difficult. We propose a method under the following assumptions:

Assumption 1: There exists a known function $a : \mathbb{R}_{\geq 0} \times \mathcal{X} \to \mathbb{R}$, piecewise continuous in the first argument and Lipschitz continuous in the second, such that for all $\hat{x} \in \mathcal{S}$,

$$a(t, \hat{x}) \leq \inf_{x \in \mathcal{P}(t, \hat{x})} L_f h(x) - \kappa(h(x)) \left\| L_{g_d} h(x) \right\| \bar{w} + \alpha(h(x)).$$

By Assumption 1, $a(t, \hat{x})$ lower-bounds the terms in $\dot{h}$ independent of $u$. These bounds can be obtained using Lipschitz constants. Similarly, we bound each term of $L_g h$.

Assumption 2: There exist known functions $b_i^-, b_i^+ : \mathbb{R}_{\geq 0} \times \mathcal{X} \to \mathbb{R}$ for $i = \{1, \ldots, m\}$, piecewise continuous in the first argument and Lipschitz continuous in the second, such that⁶

$$b_i^-(t, \hat{x}) \leq [L_g h(x)]_i \leq b_i^+(t, \hat{x})$$

for all $t \geq 0$, all $x \in \mathcal{S}$ and all $\hat{x} \in \{\hat{x} : x \in \mathcal{P}(t, \hat{x})\}$. Furthermore, suppose $\operatorname{sign}(b_i^-(t, \hat{x})) = \operatorname{sign}(b_i^+(t, \hat{x}))$ at every $t$, $\hat{x} \in \mathcal{S}$, and that $h$ is of relative-degree 1, i.e., $L_g h(x) \neq 0$.

Intuitively, by assuming $\operatorname{sign}(b_i^-(t, \hat{x})) = \operatorname{sign}(b_i^+(t, \hat{x}))$ it is clear whether a positive or negative $u_i$ increases $\dot{h}(x, u)$.⁷

Theorem 3: Consider a system (1) with $\mathcal{U} = \mathbb{R}^m$ and suppose the observer (2a) is a Bounded-Error observer. Suppose $\mathcal{S}$ is the safe set defined by a TRCBF $h$ and Assumptions 1, 2 are satisfied. Suppose $\pi_{\mathrm{des}} : \mathbb{R}_{\geq 0} \times \mathcal{X} \to \mathcal{U}$ is a desired controller, piecewise continuous wrt $t$ and Lipschitz continuous wrt $\hat{x}$. Then the estimate-feedback controller $\pi : \mathbb{R}_{\geq 0} \times \mathcal{X} \to \mathbb{R}^m$

$$\begin{aligned}
\pi(t, \hat{x}) = \underset{u \in \mathbb{R}^m}{\operatorname{argmin}} \ & \|u - \pi_{\mathrm{des}}(t, \hat{x})\|^2 \\
\text{s.t. } & a(t, \hat{x}) + \sum_{i=1}^{m} \min\{b_i^-(t, \hat{x})u_i,\ b_i^+(t, \hat{x})u_i\} \geq 0
\end{aligned} \tag{18}$$

is piecewise continuous wrt $t$, Lipschitz continuous wrt $x$, and renders the system safe from the initial-condition sets $x_0 \in \mathcal{X}_0 = \mathcal{D}(\hat{x}_0)$ and $\hat{x}_0 \in \hat{\mathcal{X}}_0 = \{\hat{x} : \mathcal{P}(0, \hat{x}_0) \subset \mathcal{S}\}$.

Proof: First, we prove existence and uniqueness of solutions to the QP. In standard form, the QP (18) is equivalent to

$$\begin{aligned}
\min_{u \in \mathbb{R}^m,\, k \in \mathbb{R}^m} \ & \tfrac{1}{2} u^T u - \pi_{\mathrm{des}}^T u \\
\text{s.t. } &
\begin{bmatrix}
b_1^- & \cdots & 0 & -1 & \cdots & 0 \\
b_1^+ & \cdots & 0 & -1 & \cdots & 0 \\
\vdots & \ddots & \vdots & \vdots & \ddots & \vdots \\
0 & \cdots & b_m^- & 0 & \cdots & -1 \\
0 & \cdots & b_m^+ & 0 & \cdots & -1 \\
0 & \cdots & 0 & 1 & \cdots & 1
\end{bmatrix}
\begin{bmatrix} u_1 \\ \vdots \\ u_m \\ k_1 \\ \vdots \\ k_m \end{bmatrix}
\geq
\begin{bmatrix} 0 \\ 0 \\ \vdots \\ 0 \\ 0 \\ -a \end{bmatrix}
\end{aligned} \tag{19}$$

where the dependences on $(t, \hat{x})$ were omitted for brevity. Here $k \in \mathbb{R}^m$ is an auxiliary variable encoding the constraint $k_i \leq \min\{b_i^- u_i, b_i^+ u_i\}$ for all $i = \{1, \ldots, m\}$. This constraint matrix has size $(2m + 1, 2m)$. However, since $\operatorname{sign}(b_i^-) = \operatorname{sign}(b_i^+)$ by Assumption 2, only one of either the $(2i - 1)$-th or $(2i)$-th constraints can be active.⁸ Considering the sparsity pattern of the active constraint matrix, these constraints must be linearly independent. Therefore, the proposed QP has $2m$ decision variables with at most $m + 1$ linearly independent constraints, and thus a non-empty set of feasible solutions. Since the cost function is quadratic, there exists a unique minimizer.

Second, we prove Lipschitz continuity. Since the active constraints matrix has linearly independent rows, the regularity conditions in [23] are met. Thus the solution $\pi(t, \hat{x})$ is Lipschitz continuous wrt $\pi_{\mathrm{des}}(t, \hat{x})$, $a(t, \hat{x})$, $b_i^-(t, \hat{x})$ and $b_i^+(t, \hat{x})$. Since these quantities are piecewise continuous wrt $t$ and Lipschitz continuous wrt $\hat{x}$, the same is true for $\pi(t, \hat{x})$.

Finally, we prove safety. Since (omitting $t, x, \hat{x}$),

$$L_g h\, u = \sum_{i=1}^{m} [L_g h]_i u_i \geq \sum_{i=1}^{m} \min\{b_i^- u_i,\ b_i^+ u_i\},$$

satisfaction of the constraint in (18) implies satisfaction of (17). Therefore, by Theorem 2, the system is rendered safe.

⁶ Recall, $[L_g h(x)]_i$ refers to the $i$-th element of $L_g h(x)$.
⁷ Future work will attempt to relax this assumption. In our limited experience, the estimation error can be sufficiently small that the assumption still holds.
⁸ Note, if $b_i^- = b_i^+ = 0$, then both constraints are equivalent, and thus means a single constraint is active. Since $L_g h(x) \neq 0$ (Assumption 2), $b_i^- = b_i^+ = 0$ for at least one of $i = 1, \ldots, m$.

IV. SIMULATIONS AND EXPERIMENTS

Code and videos are available here: https://github.com/dev10110/robust-safe-observer-controllers

1) Simulation (Double Integrator): We simulate a double integrator system without disturbances, to demonstrate the importance of the observer-controller interconnection. The system is (with $\mathcal{U} = \mathbb{R}$)

$$\dot{x}_1 = x_2, \quad \dot{x}_2 = u, \quad y = x_1, \tag{20}$$


and the safe set is defined as $\mathcal{S} = \{x : x_1 \leq x_{\max}\}$. We use the CBF $h(x) = -x_2 + \alpha_0 (x_{\max} - x_1)$. A Luenberger-observer, $\dot{\hat{x}} = A\hat{x} + Bu + L(y - C\hat{x})$, is used, where $L = \tfrac{1}{2} P^{-1} C^T$ and $P \in \mathbb{S}^2_{++}$ is the solution of the Lyapunov equation $PA + A^T P - C^T C = -2\theta P$ for design parameter $\theta > 0$. This observer is ISS, since for any $\delta > 0$, (9) is satisfied with $M_\delta(t) = \sqrt{\lambda_{\max}(P)/\lambda_{\min}(P)}\, \delta e^{-\theta t}$. This observer is also a Bounded Error observer since for any $\delta > 0$, (16) is satisfied with $\mathcal{D}(\hat{x}_0) = \{x : \|x_0 - \hat{x}_0\| \leq \delta\}$ and $\mathcal{P}(t, \hat{x}) = \{x : (x - \hat{x})^T P (x - \hat{x}) \leq \lambda_{\max}(P) \delta^2 e^{-2\theta t}\}$.

We compare the methods proposed in this letter to the CBF-QP of [1] (referred to as the Baseline-QP), using $\hat{x}$ in lieu of $x$. Plots of the resulting trajectory are depicted in Figure 4, demonstrating safety violation. The trajectory plots under the controllers based on Approaches 1 and 2 are shown in Figure 2, demonstrating that safety is maintained in both cases. In Approach 2, the function $L_f h(x)$ is affine in $x$ and $L_g h(x) = -1$ is independent of $x$, and therefore the function $a(t, \hat{x})$ was determined using a box bound around $\mathcal{P}(t, \hat{x})$ and $b_i^-(t, \hat{x}) = b_i^+(t, \hat{x}) = -1$. Numerically, we have noticed that for some initial conditions and convergence rates, the controller of Approach 1 is less conservative than the controller of Approach 2, and in other cases the converse is true. Identifying conditions that determine whether Approach 1 or 2 is less conservative remains an open question.

Fig. 2. Simulation results for the Double Integrator (20), using (a) the baseline CBF controller, (b) Approach 1 and (c) Approach 2. The same initial conditions and observer are used for each simulation.

2) Simulation (Planar Quadrotor): Consider

$$\begin{bmatrix} \dot{x}_1 \\ \dot{x}_2 \\ \dot{x}_3 \\ \dot{x}_4 \\ \dot{x}_5 \\ \dot{x}_6 \end{bmatrix}
= \begin{bmatrix} x_4 \\ x_5 \\ x_6 \\ 0 \\ -g \\ 0 \end{bmatrix}
+ \begin{bmatrix} 0 & 0 \\ 0 & 0 \\ 0 & 0 \\ \sin x_3 / m & 0 \\ \cos x_3 / m & 0 \\ 0 & J^{-1} \end{bmatrix}
\begin{bmatrix} u_1 \\ u_2 \end{bmatrix}
+ \begin{bmatrix} 0 \\ 0 \\ 0 \\ d_1(t) \\ d_2(t) \\ 0 \end{bmatrix}$$

$$y = [x_1, x_2, x_3]^T + [v_1(t), v_2(t), v_3(t)]^T$$

where $[x_1, x_2]^T$ are the position coordinates of the quadrotor with respect to an inertial coordinate frame, $x_3$ is the pitch angle, $[x_4, x_5]^T$ are the linear velocities in the inertial frame, and $x_6$ is the rate of change of pitch. The quadrotor has mass $m = 1.0$ kg and moment of inertia $J = 0.25$ kg/m², and the acceleration due to the gravity is $g = 9.81$ m/s². The control inputs are thrust $u_1$ and torque $u_2$. The disturbance $d : \mathbb{R}_{\geq 0} \to \mathbb{R}^2$ captures the effect of unmodeled aerodynamic forces on the system, bounded by $\|d\| \leq 2$ m/s². The measurement disturbance is $v : \mathbb{R}_{\geq 0} \to \mathbb{R}^3$, bounded by 5 cm for position measurements, and 5° for pitch measurements.

The safety condition is to avoid collision with a circular obstacle at $[x_1^*, x_2^*]^T$ of radius $r$, i.e., $\mathcal{S} = \{x : (x_1 - x_1^*)^2 + (x_2 - x_2^*)^2 - r^2 \geq 0\}$. The CBF proposed in [24] is used. The desired control input is an LQR controller linearized about the hover state. The observer is a DEKF adapted from [25]⁹: Defining constant matrices $D_1 = g_d(x)$ and $D_2 = c_d(x)$, the observer is

$$\begin{cases}
\dot{\hat{x}} = f(\hat{x}) + g(\hat{x})u + P C^T R^{-1} (y - c(\hat{x})) \\
\dot{P} = P A^T + A P - P C^T R^{-1} C P + Q + 2\theta P \\
\dot{V} = -2\theta V + 2\sqrt{V} \left( \left\| D_1^T P^{-1/2} \right\| \bar{d} + \left\| (L D_2)^T P^{-1/2} \right\| \bar{v} \right)
\end{cases}$$

where $\theta \geq 0$ is a design parameter, $A = \frac{\partial}{\partial \hat{x}} (f(\hat{x}) + g(\hat{x})u)$, $C = \frac{\partial c}{\partial x}(\hat{x})$. In the standard form of EKFs [26, Sec. 5.3], the disturbances are assumed to be Wiener processes and $Q$, $R$ represent the covariances of the $d(t)$ and $v(t)$. However in the Deterministic EKF, we assume $d(t)$, $v(t)$ are bounded, and thus $Q \in \mathbb{S}^n_{++}$, $R \in \mathbb{S}^{n_y}_{++}$ can be freely chosen. Assuming there exist positive constants $p_1, p_2$ such that $p_1 I \leq P(t) \leq p_2 I\ \forall t \in \mathcal{I}$, (see [7, Sec. 11.2]), this observer is a Bounded-Error observer, and satisfies (16) with $\mathcal{D}(\hat{x}_0) = \mathcal{P}(0, \hat{x}_0)$, and $\mathcal{P}(t, \hat{x}) = \{x : (x - \hat{x})^T P(t)^{-1} (x - \hat{x}) \leq V(t)\}$.

⁹ In [25], only the undisturbed case is demonstrated. The extension to include bounded disturbances can be derived using the same techniques as in the original paper. The additional terms due to the disturbances are bounded using [7, eq. (B4)].

The method in Approach 2 is used to synthesize the interconnected observer-controller. Specifically, the functions $a$, $b_i^-$, and $b_i^+$ were determined using Lipschitz bounds, and the QP (18) is used to determine the control input.

Figure 3 compares the trajectory of the planar quadrotor using the controller proposed in [24] (baseline case) to the proposed controller of Approach 2. In the baseline case, since the state estimate is used in lieu of the true state, safety is violated. By accounting for the state estimation uncertainty, the proposed controller avoids the obstacle.

Fig. 3. Simulation Results for the Planar Quadrotor. The objective is to fly the quadrotor from the starting state to the target position while avoiding the circular obstacle region. The blue lines indicate the path of the state estimate and grey lines the projection of $\mathcal{P}(t, \hat{x})$ on the x-y plane. The icons show the quadrotor’s true position every 0.2 s and are colored red while violating safety. (a) uses the baseline CBF controller, and (b) uses Approach 2.

3) Experiments (3D Quadrotor): For our experiments, we use the Crazyflie 2.0 quadrotor, using the on-board IMU and barometer sensors and an external Vicon motion capture system. The objective was to fly in a figure of eight


trajectory, but to not crash into a physical barrier placed at x = 0.5 meters. State was estimated using an EKF [27], assuming the true state lies within the 99.8% confidence interval of the EKF. To design the controller, first $\pi_{des}(t, \hat{x})$ is computed using an LQR controller, which computes desired accelerations with respect to an inertial frame to track the desired trajectory. This command is filtered using a safety critical QP, either the baseline CBF-QP (Figure 4a) or the proposed QP using Approach 2 (18) (Figure 4c). Finally, the internal algorithm of the Crazyflie (based on [28]) is used to map the output of the QP to motor PWM signals. The magnitude of the disturbances was estimated by collecting experimental data when the quadrotor was commanded to hover. The trajectories from the two flight controllers are compared in Figure 4. In the baseline controller, the quadrotor slows down as it approaches the barrier, but still crashes into the barrier. In the proposed controller, the quadrotor remains safe (Figure 4e).

Fig. 4. Experimental results. The quadrotor is commanded to track a figure-of-eight trajectory, while avoiding the physical barrier at x = 0.5 m. Ground truth trajectories are plotted in (a, c) for the baseline CBF and proposed controllers respectively. Snapshots from the experiment are shown in (b, d). (e, f) Plots of the safety value, h, over time for both trajectories.

V. CONCLUSION

In this letter we have developed two methods to synthesize observer-controllers that are robust to bounded disturbances on system dynamics and measurements, and maintain safety in the presence of imperfect information. We have demonstrated the efficacy of these methods in simulation and experiments. Future work will investigate methods to learn the disturbance, such that the controller can adaptively tune itself to achieve better performance, and to extend the work to handle probabilistic guarantees of safety when the system is subject to stochastic disturbances instead of bounded disturbances.

REFERENCES

[1] A. D. Ames, X. Xu, J. W. Grizzle, and P. Tabuada, “Control barrier function based quadratic programs for safety critical systems,” IEEE Trans. Autom. Control, vol. 62, no. 8, pp. 3861–3876, Aug. 2017.
[2] M. Jankovic, “Robust control barrier functions for constrained stabilization of nonlinear systems,” Automatica, vol. 96, pp. 359–367, Oct. 2018.
[3] A. Alan, A. J. Taylor, C. R. He, G. Orosz, and A. D. Ames, “Safe controller synthesis with tunable input-to-state safe control barrier functions,” IEEE Contr. Syst. Lett., vol. 6, pp. 908–913, 2021.
[4] J. Breeden, K. Garg, and D. Panagou, “Control barrier functions in sampled-data systems,” IEEE Contr. Syst. Lett., vol. 6, pp. 367–372, 2021.
[5] D. R. Agrawal, H. Parwana, R. K. Cosner, U. Rosolia, A. D. Ames, and D. Panagou, “A constructive method for designing safe multirate controllers for differentially-flat systems,” IEEE Contr. Syst. Lett., vol. 6, pp. 2138–2143, 2021.
[6] P. Bernard, V. Andrieu, and D. Astolfi, “Observer design for continuous-time dynamical systems,” Annu. Rev. Control, vol. 53, pp. 224–248, Jan. 2022.
[7] H. Khalil, Nonlinear Control. Boston, MA, USA: Pearson, 2015.
[8] S. Dean, A. Taylor, R. Cosner, B. Recht, and A. Ames, “Guaranteeing safety of learned perception modules via measurement-robust control barrier functions,” in Proc. Conf. Robot Learn., 2021, pp. 654–670.
[9] A. Clark, “Control barrier functions for complete and incomplete information stochastic systems,” in Proc. Amer. Control Conf. (ACC), 2019, pp. 2928–2935.
[10] N. Jahanshahi, P. Jagtap, and M. Zamani, “Synthesis of stochastic systems with partial information via control barrier functions,” IFAC-PapersOnLine, vol. 53, no. 2, pp. 2441–2446, 2020.
[11] M. Ahmadi, A. Singletary, J. W. Burdick, and A. D. Ames, “Safe policy synthesis in multi-agent POMDPs via discrete-time barrier functions,” in Proc. IEEE 58th Conf. Decis. Control (CDC), 2019, pp. 4797–4803.
[12] H. Shim and D. Liberzon, “Nonlinear observers robust to measurement disturbances in an ISS sense,” IEEE Trans. Autom. Control, vol. 61, no. 1, pp. 48–61, Jan. 2016.
[13] D. Pylorof, E. Bakolas, and K. S. Chan, “Design of robust Lyapunov-based observers for nonlinear systems with sum-of-squares programming,” IEEE Contr. Syst. Lett., vol. 4, pp. 283–288, 2020.
[14] X. Xu, P. Tabuada, J. W. Grizzle, and A. D. Ames, “Robustness of control barrier functions for safety critical control,” IFAC-PapersOnLine, vol. 48, no. 27, pp. 54–61, 2015. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S2405896315024106
[15] H. K. Khalil, Nonlinear Systems, 3rd ed. Upper Saddle River, NJ, USA: Prentice-Hall, 2002.
[16] A. Howell and J. K. Hedrick, “Nonlinear observer design via convex optimization,” in Proc. Amer. Control Conf. (ACC), vol. 3, 2002, pp. 2088–2093.
[17] A. Alessandri, “Observer design for nonlinear systems by using input-to-state stability,” in Proc. 43rd IEEE Conf. Decis. Control (CDC), vol. 4, 2004, pp. 3892–3897.
[18] M. Arcak and P. Kokotović, “Nonlinear observers: A circle criterion design and robustness analysis,” Automatica, vol. 37, no. 12, pp. 1923–1930, 2001.
[19] T. Alamo, J. M. Bravo, and E. F. Camacho, “Guaranteed state estimation by zonotopes,” Automatica, vol. 41, no. 6, pp. 1035–1043, 2005.
[20] L. Jaulin, “Nonlinear bounded-error state estimation of continuous-time systems,” Automatica, vol. 38, no. 6, pp. 1079–1082, 2002.
[21] A. Alessandri, “Lyapunov functions for state observers of dynamic systems using Hamilton–Jacobi inequalities,” Mathematics, vol. 8, no. 2, p. 202, 2020.
[22] F. Blanchini, “Set invariance in control,” Automatica, vol. 35, no. 11, pp. 1747–1767, 1999.
[23] W. W. Hager, “Lipschitz continuity for constrained processes,” SIAM J. Control Optim., vol. 17, no. 3, pp. 321–338, 1979.
[24] G. Wu and K. Sreenath, “Safety-critical control of a planar quadrotor,” in Proc. Amer. Control Conf. (ACC), 2016, pp. 2252–2258.
[25] K. Reif, F. Sonnemann, and R. Unbehauen, “An EKF-based nonlinear observer with a prescribed degree of stability,” Automatica, vol. 34, no. 9, pp. 1119–1123, 1998. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S0005109898000533
[26] F. L. Lewis, L. Xie, and D. Popa, Optimal and Robust Estimation: With an Introduction to Stochastic Control Theory. Boca Raton, FL, USA: CRC Press, 2017.
[27] M. W. Mueller, M. Hamer, and R. D’Andrea, “Fusing ultra-wideband range measurements with accelerometers and rate gyroscopes for quadrocopter state estimation,” in Proc. IEEE Int. Conf. Robot. Autom. (ICRA), May 2015, pp. 1730–1736.
[28] D. Mellinger and V. Kumar, “Minimum snap trajectory generation and control for quadrotors,” in Proc. IEEE Int. Conf. Robot. Autom., 2011, pp. 2520–2525.
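The filtering step from the experimental section (a nominal tracking command passed through a safety-critical QP), as an added example that is not the authors' code. A 1-D double integrator stands in for the quadrotor, a PD command for the LQR, and a worst-case tightened constraint for the paper's QP (18), which is not reproduced here; the barrier at 0.5 m is from the text, the 5 cm estimate-error bound is taken equal to the stated measurement bound, and the gains and velocity error bound are assumptions.

```python
# Added illustration: 1-D double integrator (position p, velocity v, input a).
X_MAX = 0.5             # physical barrier [m] (from the page)
EPS_P = 0.05            # position estimate error bound [m] (assumed = 5 cm measurement bound)
EPS_V = 0.05            # velocity estimate error bound [m/s] (assumed)
ALPHA, BETA = 2.0, 4.0  # class-K gains of the second-order barrier (assumed)
DT, STEPS = 0.01, 800   # forward-Euler step [s] and horizon


def nominal(p_hat, v_hat, target=1.0):
    """PD stand-in for the LQR tracking command; the target lies beyond the barrier."""
    return 4.0 * (target - p_hat) - 3.0 * v_hat


def safety_filter(a_des, p_hat, v_hat, robust):
    """Closed-form solution of min (a - a_des)^2 subject to a <= bound.

    h = X_MAX - p, psi = h_dot + ALPHA*h; the constraint is psi_dot >= -BETA*psi,
    evaluated at the state estimate.
    """
    psi_hat = -v_hat + ALPHA * (X_MAX - p_hat)
    bound = -ALPHA * v_hat + BETA * psi_hat
    if robust:
        # The bound is linear in (p, v): subtracting its worst-case change over
        # the estimate-error box makes it hold at the true state as well.
        bound -= (ALPHA + BETA) * EPS_V + ALPHA * BETA * EPS_P
    return min(a_des, bound)


def simulate(robust):
    """Roll out with a constant worst-case estimate bias; return (min h, final p)."""
    p, v, h_min = 0.0, 0.0, X_MAX
    for _ in range(STEPS):
        # Estimator believes the vehicle is farther from the barrier and slower.
        p_hat, v_hat = p - EPS_P, v - EPS_V
        a = safety_filter(nominal(p_hat, v_hat), p_hat, v_hat, robust)
        p, v = p + DT * v, v + DT * a
        h_min = min(h_min, X_MAX - p)
    return h_min, p


if __name__ == "__main__":
    for robust in (False, True):
        h_min, p_end = simulate(robust)
        print(f"robust={robust}: min h = {h_min:+.4f} m, final p = {p_end:.4f} m")
```

With the bias sitting exactly on its bound, the tightened filter settles at the barrier without crossing it, while the baseline filter settles about 8.75 cm past it.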
