Tunable Input-to-State Safety with Input Constraints

Imagine you are driving a car that has a very smart, super-protective autopilot. This autopilot's only job is to keep you from crashing into anything. It uses a "safety bubble" around your car. If you get too close to a wall, the bubble pops, and the car slams on the brakes.

Now, imagine two problems with this autopilot:

The "Paranoid" Problem: Sometimes, the autopilot is too scared. Even when you are far from a wall, it thinks you might crash, so it drives very slowly and cautiously. This is annoying and inefficient.
The "Broken Limb" Problem: The autopilot tells the car to brake with 100% force to avoid a crash, but the car's brakes can only handle 50% force. The autopilot is asking for something the car physically cannot do. If the autopilot doesn't know about this limit, it might try to command the impossible, causing the system to glitch or fail.

This paper is about fixing the second problem while keeping the first one under control.

The Old Way: "Guess and Check"

Previously, engineers tried to make the autopilot less paranoid (Problem 1) by adding a "tuning knob." They would turn the knob to tell the system, "Hey, we are far from the wall, you can relax a bit."

However, they often turned this knob without checking if the car's brakes (the input constraints) could actually handle the new commands. It was like telling a runner, "Run as fast as you want!" without checking if they have a broken leg. Sometimes it worked, but often it led to the autopilot asking for impossible moves. Engineers had to fix this by trial and error, which is slow and risky.

The New Way: "Designing with Limits in Mind"

This paper proposes a new way to design that "tuning knob." Instead of guessing, they mathematically calculate exactly how much the knob can be turned before it asks for an impossible move.

Here is the analogy of their solution:

1. The "Safety Zone" Map

Think of the car's possible movements as a map.

The Safe Zone: The area where the car can move without crashing.
The Brakes' Limit: The edge of the map where the brakes stop working (e.g., you can't brake harder than 50%).

The old method drew the "Safety Zone" and then tried to fit the "Brakes' Limit" inside it later. If the zone was too big, it didn't fit.

The new method draws the "Brakes' Limit" first, and then designs the "Safety Zone" to fit perfectly inside it.

2. The "Support Function" (The Invisible Ruler)

The authors use a mathematical tool called a Support Function. Imagine you have a weirdly shaped rock (the car's physical limits). You want to know if a flat piece of glass (the safety rule) can touch the rock without breaking it.

The Support Function is like an invisible ruler that measures the exact distance from the center of the rock to its furthest edge in any direction. The paper uses this ruler to calculate the exact minimum setting for the tuning knob.

If the knob is set below this number, the safety rule asks for a move the brakes can't do.
If the knob is set above this number, the safety rule is safe and doable.

This gives engineers a "Goldilocks Zone": a specific range of settings where the car is safe, not too paranoid, and always within its physical limits.

3. The "Offline Cheat Sheet" (The LP Solver)

Calculating this perfect setting for every single second of a drive is too hard for a computer to do in real-time. So, the authors created a "Cheat Sheet" generation process.

Before the car even starts, they run a simulation (a Linear Program) that samples thousands of different driving scenarios (turning, braking, speeding up). They find the one perfect setting for the tuning knob that works for all those scenarios at once.

Analogy: It's like a coach studying a player's entire season of games to find the perfect training plan that ensures the player never gets injured, rather than trying to fix the player's form mid-game.

The Result: The Connected Cruise Control Test

To prove it works, they tested this on a "Connected Cruise Control" system (cars talking to each other to avoid traffic jams).

The Old Way: Sometimes the car tried to brake too hard, violating the physical limits. Other times, it was so scared of crashing that it drove painfully slow.
The New Way: The car drove smoothly. It kept a safe distance from the car in front, reacted quickly to sudden stops, but never asked the brakes to do something impossible. It was the perfect balance of "cautious but capable."

Summary

In simple terms, this paper teaches us how to build safety systems that know their own limits. Instead of asking a machine to be safe and then hoping it doesn't break itself, we design the safety rules so that they are guaranteed to be possible to execute from the very beginning. It's the difference between telling a runner "Don't fall" and giving them a pair of shoes that makes falling impossible.

Here is a detailed technical summary of the paper "Tunable Input-to-State Safety with Input Constraints" by Ming Li, Jin Chen, and Dimos V. Dimarogonas.

1. Problem Statement

The paper addresses a critical limitation in Tunable Input-to-State Safety (TISSf), a robust control framework that extends Control Barrier Functions (CBFs) to handle bounded perturbations (e.g., model uncertainties, disturbances).

The Gap: While TISSf introduces a tuning function $\varepsilon(h(x))$ to adjust the trade-off between safety conservatism and performance, existing designs often ignore actuator input constraints (e.g., limits on acceleration or torque).
The Consequence: Without explicit consideration of input constraints, the TISSf tuning function may be chosen such that the set of admissible control inputs (defined by the TISSf condition) becomes disjoint from the set of physically feasible inputs. This leads to infeasibility in the safety filter (Quadratic Program), causing the system to violate safety guarantees or fail to find a control solution.
Objective: The authors aim to construct a framework where the tuning function is synthesized a priori to guarantee that the TISSf safety condition and the input constraints are simultaneously satisfiable for all states within the safe set.

2. Methodology

The proposed methodology transforms the compatibility problem from a post-hoc verification task into a constructive design objective using geometric analysis and optimization.

A. Geometric Characterization via Support Functions

The authors characterize the TISSf condition as a state-dependent half-space in the input space. They use support functions ( $\sigma_U$ ) to mathematically define the boundary of the admissible input set $U$ .

Compatibility Condition: They derive a necessary and sufficient condition for the intersection of the TISSf half-space and the input constraint set $U$ to be non-empty.
Lower Bound Derivation: This condition yields an explicit lower bound on the tuning function $\varepsilon(h(x))$ :
$\varepsilon(h(x)) \geq \frac{\|d(x)\|_2^2}{c(x) + \sigma_U(d(x))}$
where $c(x)$ and $d(x)$ are Lie derivatives related to the barrier function, and $\sigma_U(d(x))$ is the support function of the input set. This bound ensures that the "shifted" safety hyperplane always intersects the feasible input set.

B. Specialization to Common Constraints

The framework is specialized for three common types of input constraints, providing tractable conditions for each:

Norm-bounded: $\|u\|_2 \leq \gamma$ .
Polyhedral: $Au \leq b$ (solved via Linear Programming duality).
Box constraints: $u_{min} \leq u \leq u_{max}$ (decoupled component-wise).

C. Parametric Synthesis and Offline Optimization

To make the infinite-dimensional functional design problem tractable, the authors parameterize the tuning function using an exponential form:
$\varepsilon(h(x)) = \epsilon_0 e^{\lambda h(x)}$

Affine Reformulation: By taking the logarithm, the compatibility condition is transformed into a linear inequality in terms of the design parameters $(\ln \epsilon_0, \lambda)$ :
$\ln \epsilon_0 + \lambda h(x) \geq \eta(x)$
where $\eta(x)$ is a state-dependent term derived from the support function.
Covering-Based Sampling: To ensure the condition holds for the entire safe set $C$ (not just specific points), they employ a $\kappa$ -covering strategy. They sample the safe set and use Lipschitz continuity constants ( $L_h, L_\eta$ ) to create robust constraints that account for discretization errors.
Offline LP Formulation: The problem of finding optimal parameters $(\ln \epsilon_0, \lambda)$ is formulated as a Linear Program (LP). This allows for the offline selection of parameters that guarantee compatibility across the entire safe set.

D. Online Control Synthesis

Once the optimal parameters are selected offline, the online controller is implemented via a Safety Filter QP:
$\min_u \frac{1}{2}\|u - k_{nom}(x)\|^2 \quad \text{s.t.} \quad \text{TISSf condition with tuned } \varepsilon, \quad u \in U$
Because the tuning function was designed to satisfy the compatibility condition, this QP is guaranteed to be recursively feasible.

3. Key Contributions

Constructive Compatibility Framework: The paper provides the first rigorous framework to synthesize TISSf tuning functions that inherently respect input constraints, moving beyond trial-and-error or saturation-based fixes.
Exact Support Function Characterization: It derives a verifiable, closed-form lower bound for the tuning function using support functions, applicable to general compact convex input sets.
Tractable Offline Synthesis: It introduces a covering-based sampling strategy combined with an LP formulation to select exponential tuning parameters that guarantee compatibility over the entire safe set, not just at sampled points.
Recursive Feasibility Guarantee: The approach ensures that the resulting QP-based safety filter is always feasible, preventing control failure due to constraint conflicts.

4. Results

The framework was validated using a Connected Cruise Control (CCC) simulation involving a perturbed vehicle model with strict acceleration limits ( $u \in [-6, 0.8] \, \text{m/s}^2$ ).

Comparison: The proposed method (LP-QP) was compared against:
- TISSf (Baseline): Manually tuned parameters (often violated input constraints).
- TISSf (Sat): Standard TISSf with input saturation (led to safety violations or sluggish performance).
- TISSf (Trial): Trial-and-error tuning.
Performance:
- Safety: The proposed method maintained robust safety ( $h(x) + \zeta > 0$ ) while strictly adhering to input bounds.
- Performance: It achieved the smallest headway distance (closest to the lead vehicle) among all safe methods, demonstrating superior performance compared to the overly conservative Baseline and Saturation methods.
- Feasibility: Unlike the Baseline, which occasionally violated input bounds, the proposed method never violated constraints, confirming the theoretical recursive feasibility.

5. Significance

This work bridges a critical gap between robust safety theory and practical implementation. In real-world systems, actuators always have limits; ignoring these limits in robust safety designs (like TISSf) can lead to catastrophic failures where the controller demands impossible inputs.

Theoretical Impact: It establishes a formal link between the tuning of robustness margins and the geometry of input constraints.
Practical Impact: It offers a systematic, automated design procedure (via LP) for safety-critical systems (e.g., autonomous vehicles, robotics) where both disturbance rejection and actuator limits are non-negotiable. The method ensures that safety filters are not just theoretically sound but also practically implementable without ad-hoc tuning.