Safe sets matter when their coordinates match the controller that will use them.
A Safety-Critical Controls Researcher
Control barrier functions and reachability methods give formal language for safe sets. They do not solve every robotics problem, but they provide a disciplined way to define when nominal actions must be corrected or rejected.
Why This Matters
Control barrier functions and Hamilton-Jacobi reachability sit at the boundary between learning and safety engineering. The question is not whether the policy usually behaves well, but whether dangerous states are detected, blocked, or exited fast enough to protect people, equipment, and mission goals.
For a control-affine system $\dot{x}=f(x)+g(x)u$, a control barrier function $h(x)$ enforces the safe set $\mathcal{S}=\{x: h(x) \ge 0\}$ through the inequality $$\nabla h(x)^{\top}(f(x)+g(x)u) + \alpha(h(x)) \ge 0.$$ Hamilton-Jacobi reachability instead reasons about a value function whose superlevel set marks states from which safety can still be guaranteed.
A barrier or reachability layer is valuable because it speaks directly in state and action geometry. It says which commands keep safety recoverable, regardless of whether the nominal controller came from optimization, imitation, or a foundation model.
- Choose a reduced dynamics model and define the safe state set in coordinates that matter physically.
- Construct a barrier condition or reachable safe set that can be evaluated online.
- Given a nominal action, solve a correction step that finds the nearest admissible command.
- Log both the nominal and corrected actions for later audit.
- Validate the approximation limits, because safe-set claims are only as good as the model used to derive them.
Worked Example
A mobile robot commanded toward a human workspace can have its velocity projected onto a safe half-space that preserves clearance, even if the nominal planner wanted a more aggressive turn.
```python
# Reduced 1D model: distance d to the human shrinks at the approach speed v, so d_dot = -v.
x = {"distance_m": 0.55, "velocity_mps": 0.8}
clearance = 0.5   # minimum allowed distance to the human (m)
alpha = 1.0       # gain of the class-K term alpha(h) = alpha * h
h = x["distance_m"] - clearance                  # barrier value; safe set is h >= 0
lhs_nominal = -x["velocity_mps"] + alpha * h     # h_dot + alpha * h under the nominal speed
u_corrected = min(x["velocity_mps"], alpha * h)  # nearest admissible speed: v <= alpha * h
print({"h": round(h, 3), "lhs_nominal": round(lhs_nominal, 3), "u_corrected": round(u_corrected, 3)})
```

Expected output:

{'h': 0.05, 'lhs_nominal': -0.75, 'u_corrected': 0.05}

The negative nominal left-hand side indicates the command would leave the safe set too aggressively. The corrected control restores feasibility, which is the practical role of a barrier filter.
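Extending the 1D case to two dimensions, the following added example (not code from the chapter) carries the five-step procedure through end to end: a reduced model, a barrier, a correction step that returns the nearest admissible command, and an audit record holding both nominal and corrected actions. It assumes single-integrator dynamics (f(x)=0, g(x)=I), a disc-shaped keep-out region around the human, and solves the single-constraint QP by closed-form projection rather than with cvxpy or OSQP; all scenario values are constructed.

```python
# Added example (not from the chapter): 2D single-integrator barrier filter, p_dot = u.
# Barrier h(x) = |p - o|^2 - r^2 keeps the robot outside a disc of radius r around the human at o.
# The CBF condition grad h . u + alpha*h >= 0 is one half-space in u, so the QP min |u - u_nom|^2 is a projection.

def barrier(p, obstacle, radius):
    """h(x) = |p - o|^2 - r^2; the safe set is h >= 0."""
    dx, dy = p[0] - obstacle[0], p[1] - obstacle[1]
    return dx * dx + dy * dy - radius * radius

def cbf_filter(p, u_nom, obstacle, radius, alpha=1.0):
    """Return an audit record: nominal action, corrected action, constraint values, and status."""
    h = barrier(p, obstacle, radius)
    a = (2.0 * (p[0] - obstacle[0]), 2.0 * (p[1] - obstacle[1]))  # grad h(x)
    b = -alpha * h                                                 # constraint: a . u >= b
    a_dot_unom = a[0] * u_nom[0] + a[1] * u_nom[1]
    lhs_nominal = a_dot_unom + alpha * h
    a_norm2 = a[0] ** 2 + a[1] ** 2
    if lhs_nominal >= 0.0:
        u, status = u_nom, "nominal_admissible"
    elif a_norm2 == 0.0:
        # grad h = 0 only at the disc centre: no u can help, so surface it rather than pass a command through
        u, status = (0.0, 0.0), "infeasible"
    else:
        step = (b - a_dot_unom) / a_norm2        # Euclidean projection onto the half-space
        u = (u_nom[0] + step * a[0], u_nom[1] + step * a[1])
        status = "corrected"
    lhs_corrected = a[0] * u[0] + a[1] * u[1] + alpha * h
    return {"state": p, "h": h, "u_nominal": u_nom, "u_corrected": u,
            "lhs_nominal": lhs_nominal, "lhs_corrected": lhs_corrected, "status": status}

def simulate(p0, u_nom, obstacle, radius, steps, dt=0.1, alpha=1.0):
    """Roll the reduced model forward under the filter, keeping every audit record."""
    p, log = p0, []
    for _ in range(steps):
        rec = cbf_filter(p, u_nom, obstacle, radius, alpha)
        log.append(rec)
        u = rec["u_corrected"]
        p = (p[0] + dt * u[0], p[1] + dt * u[1])
    return p, log

def summarize(log):
    """Counts per status and the smallest h seen: shows which states keep triggering corrections."""
    counts = {}
    for rec in log:
        counts[rec["status"]] = counts.get(rec["status"], 0) + 1
    return {"counts": counts, "min_h": min(rec["h"] for rec in log)}

if __name__ == "__main__":  # constructed scenario: human at the origin, 1 m clearance, robot driven straight at it
    final_p, log = simulate((-3.0, 0.0), (1.0, 0.0), (0.0, 0.0), 1.0, steps=200)
    print(final_p, summarize(log))
```

Driving straight at the disc, the filter passes the first commands unchanged and then corrects every step, slowing the robot so h never reaches zero; a tangential command at the same state is left untouched.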
CBF and QP solvers, plus reachability toolchains, save substantial derivation and numerical work. Small filters are often prototyped with cvxpy and OSQP, while reachability studies rely on dedicated level-set or hj_reachability-style workflows once the reduced model is fixed.
Concrete stack anchors for this chapter include CasADi, python-control, Drake, cvxpy, and OSQP for modeling barrier inequalities and QP filters, ROS 2 lifecycle nodes for intervention authority, and Weights & Biases or TensorBoard traces when simulation sweeps compare constraint violations across policies. The same safety set should be visible in the notebook, simulator, and runtime controller.
| Tool | Role | Failure To Watch |
|---|---|---|
| cvxpy | Prototype barrier QPs and inspect constraints explicitly. | The deployed controller solves a different optimization than the notebook. |
| OSQP | Fast online QP backend for small safety filters. | Infeasible or poorly conditioned cases are not surfaced in logs. |
| hj_reachability-style workflows | Offline safe-set approximation for reduced dynamics. | The real robot leaves the reduced-model assumptions through delay, contact, or sensing error. |
These methods work best when the safety set can be expressed in low-dimensional coordinates that are updated reliably at runtime. They become brittle when the state estimate is poor or the reduced model hides important contact or delay effects. A practical workflow is to prototype the barrier inequality in a notebook, validate it in replay, and only then move the filter into the runtime controller path.
For auditability, save the symbolic constraint, the numeric optimization problem, the solver status, and the action before and after filtering. CasADi or Drake can make the dynamics explicit, python-control helps inspect linearized assumptions, and ROS 2 logs show whether the real intervention respected the same bound.
The dangerous mistake is to assume a formal safe-set proof transfers unchanged when the perception stack, latency profile, or actuation limits change. The proof depends on the deployed interface, not only on the math on paper.
Cross-References
This section connects back to Chapter 7 on control design and forward to Section 54.4 on shielded policies, where these corrections become part of a larger runtime supervisor.
Implement a tiny barrier filter for a 1D or 2D toy robot, then log nominal and corrected actions under near-boundary states. Inspect which states generate repeated corrections.
Do not claim more safety than the reduced dynamics model can support. Barrier and reachability methods are powerful, but only inside the modeling assumptions they actually enforce.
For autonomous driving, a barrier can enforce headway or lane boundary margins. For drones, it may enforce altitude and obstacle separation. For manipulators, it may enforce joint, speed, or force limits.
Current research is expanding barrier methods to uncertainty-aware, learned-dynamics, and multi-agent settings, but the challenge remains to keep the guarantees meaningful under real sensing and delay.
Can you say what your safe set is, in state variables, without mentioning the controller implementation? If not, the barrier idea is still too abstract.
Barrier and reachability methods matter because they define when nominal intelligence must yield to explicit safety geometry.
Define a safe set for one embodied platform, write the corresponding barrier condition or reachable-state description, and identify which state estimate errors would undermine the guarantee most.
A control barrier function is just a bouncer with a physics degree. It does not care how good the policy looks on paper; if the state is heading for the unsafe set, the bouncer says no.
Section References
Ames, A. D. et al. "Control Barrier Function Based Quadratic Programs for Safety Critical Systems." (2017). https://arxiv.org/abs/1609.06408
A core barrier-function reference.
Fisac, J. F. et al. "General Safety and Control of Autonomous Systems: A Hamilton-Jacobi Reachability-Based Approach." (2019). https://arxiv.org/abs/1810.07406
A strong introduction to reachability-based safety reasoning.
Section 54.4 widens the lens from geometric corrections to general shielded policies and runtime safety filters around learned agents.