characterizing safety: minimal barrier functions from...

GENERIC COLORIZED JOURNAL, VOL. XX, NO. XX, XXXX 2017 1

Characterizing Safety: Minimal Barrier Functionsfrom Scalar Comparison Systems

Rohit Konda, Student Member, IEEE , Aaron D. Ames, Senior Member, IEEE , andSamuel Coogan Member, IEEE

Abstract— Verifying set invariance, considered a funda-mental problem in dynamical systems theory and prac-tically motivated by problems in safety assurance, hasclassical solutions stemming from the seminal work byNagumo. Defining sets via a smooth barrier function con-straint inequality results in computable flow conditionsfor guaranteeing set invariance. While a majority of thesehistoric results on set invariance consider flow conditionson the boundary, recent results on control barrier functionsextended these conditions to the entire set—although theystill reduced to the classic Nagumo conditions on theboundary and thus require regularity conditions on the bar-rier function. This paper fully characterizes set invariancethrough minimal barrier functions by directly appealing toa comparison result to define a novel flow condition overthe entire domain of the system. A considerable benefitof this approach is the removal of regularity assumptionsof the barrier function. This paper also outlines necessaryand sufficient conditions for a valid differential inequalitycondition, giving the minimum conditions for this type ofapproach and allowing for the verification of the largestclass of invariant sets. We also show when minimal barrierfunctions are necessary and sufficient for set invariance.This paper further discusses extensions into time varyingand control formulations, and outlines the connectionsbetween the proposed minimal barrier function and thehistoric boundary-based conditions for set invariance.

Index Terms— Barrier Functions, Set Invariance, Nonlin-ear Dynamics, Nonlinear Control, Safety

I. INTRODUCTION

Safety is a major consideration in many engineered systems.As such systems become increasingly complex, new tools forprovable verification of safety are required. In the context ofdynamical systems, safety has become synonymous with setinvariance, the property that state trajectories of a system arecontained within a given subset of the state space. Specifically,if it can be established that some set containing the system’sinitial condition(s) is invariant, and further this invariant setis a subset of a given set of safe states, then the system isdeclared to be safe.

This research was supported by NSF Awards # 1544332 and#1749357.

R. Konda is with the School of Electrical and Computer En-gineering, Georgia Institute of Technology, Atlanta, GA [email protected]

A. D. Ames is with the Dept. of Mechanical and Civil Engineering,California Institute of Technology, Pasadena, CA. [email protected]

S. Coogan is with the School of Electrical and Computer Engineeringand the School of Civil and Environmental Engineering, Georgia Instituteof Technology, Atlanta, GA 30332. [email protected]

Given a candidate set contained within a set of safe states,safety verification then reduces to certifying that this set isinvariant, a now classical problem in dynamical systems theoryand control; e.g., see the textbook [1]. Intuitively, invariancecan be established by ensuring that a system’s vector fieldevaluated on the boundary of the candidate invariant set isalways sub-tangent to the set so that trajectories cannot escapethe set. The main technical challenge of this approach is indefining an appropriate notion of sub-tangency applicable togeneral sets, and finding conditions that extend over the entireset so they can be used for controller synthesis. Recent workon (control) barrier functions provided necessary and sufficientconditions for set invariance [2], [3], subject to regularityconditions on the set, that therefore allow for the synthesis ofsafety critical controllers. The question this paper addresses is:Are these the strongest possible conditions for set invariance?

The main result of this paper is necessary and sufficientconditions on set invariance that are minimal in that they arethe least restrictive conditions needed to ensure set invariance.To obtain this result, we begin considering comparison resultsfor scalar systems which lead to a notion of a minimal solution.This motivates the introduction of a minimal barrier func-tion which leverages a comparison result for scalar systems.Minimal barrier functions are necessary and sufficient for setinvariance and, importantly, they do not require the regularityconditions imposed by the original formulation of barrierfunctions. To put this in context, we relate these results tohistoric contributions to set invariance, including Nagumo’stheorem, and illustrate through examples. Finally, minimalcontrol barrier functions are introduced wherein state depen-dent input constraints and controller synthesis are considered.

Conditions on set invariance, and hence safety, have thepotential to positively impact a variety of safety-critical do-mains. Examples include automotive systems where semi-autonomous safety features like adaptive cruise control andlane keeping can be framed as set invariance problems; thusthe ability to give certificates of invariance can be used toverify these safety features. This was the genesis for themodern version of control barrier functions, and has beenstudied in depth [4]–[7]. Another domain where safety iscritical is robotic systems. For example, swarms of robots mustachieve objectives without colliding into each other and theworld around them. In this context, control barrier functionshave been utilized to guarantee collision avoidance, even whenthe system is governed by an existing nominal controller; theseideas have been applied to both ground robots [8]–[10] and

arX

iv:1

908.

0932

3v1

[ee

ss.S

Y]

25

Aug

201

9

2 GENERIC COLORIZED JOURNAL, VOL. XX, NO. XX, XXXX 2017

drones [11], [12]. These are a few examples among manywhere the characterization of safety plays an important role inthe controller synthesis of safety-critical systems.

A. History of Set Invariance & Existing Results

There is a long and rich history establishing conditions forset invariance. These conditions often considered general sets,S , for which the set is (positively) invariant with respect to adynamical system x = f(x) if for all x0 ∈ S solutions withthis initial condition satisfy x(t) ∈ S for all t ≥ 0. Conditionson set invariance can be traced back to the tangent cone, firstintroduced by Bouligand in 1932 [13], which characterized thedynamic’s tangent vectors on the boundary of S. These wereutilized by Nagumo in 1942 to provide the first necessaryand sufficient conditions on set invariance [14]—the set isinvariant if and only if the vector field lies in the tangentcone. Nagumo’s theorem still plays an essential role in resultscharacterizing set invariance to this day.

In the late 1960’s and early 1970’s, Nagumo’s theorem wasindependently rediscovered by Bony and Brezis [15], [16].The results of Brezis again utilized the tangent cone to giveconditions on set invariance, while Bony utilized a comparisontheorem type result; these were generalized by Redheffer in[17] by leveraging uniqueness functions. These ideas werefurther generalized by Ladde and Lakshmikantham in [18]via Lyapunov-like conditions which again leverage uniquenessfunctions and comparison type theorems—it is shown that theresults of Bony, Brezis and Redheffer (and thus Nagumo) allform special cases of this broader formulation. These historicresults serve as motivation for the approach considered inthis paper, which utilize minimal solutions and correspondingcomparison theorems.

There was a modern resurgence of interest in set invariancefrom the dynamics and control community beginning in the1990s. This is best captured by the survey paper [19], whichincludes a nice overview of set invariance. In the dynamicsand control domain, the set S is often assumed to be practical,i.e., given as the superlevel set of a collection of functions [1](these were also considered for control systems in [20]). Forsimplicity, we will consider the case in which the invariantset is defined as the superlevel set of a single scalar-valued(candidate) barrier function, h, of the state space, i.e., S ={x : h(x) ≥ 0} wherein S is an invariant set if and only ifh(x(t)) ≥ 0 for all t ≥ 0 whenever h(x0) ≥ 0. The goal is tofind conditions on h such that it becomes a barrier function,i.e., certifies the forward invariance of S.

The modern literature has predominately focused on veri-fying flow conditions on the boundary of the set S. The mostvisible example of this is barrier certificates, which were firstintroduced to verify safety properties of hybrid systems in[21], through the independent discovery of Nagumo’s theorem[14], to get the familiar condition ∂h

∂xf(x) ≥ 0 ∀x ∈ ∂S.Extensions of barrier certificates have been plenty, see e.g.[22]–[24], but a major assumption is that the gradient ∂h

∂x onthe boundary does not vanish and corresponds to the exteriornormal vector of S. This assumption is necessary, as a simplecounterexample is given in Example 5 and also appears in

[21]. A notable exception is in [25], [26], where they removethe assumption of a nonvanishing gradient in favor of a flowcondition that holds in a neighborhood around the boundary∂S.

The alternative approach to considering conditions onlyon the boundary is to enforce a flow constraint over theentire domain —this has important ramifications for controllersynthesis. For example, [21] proposes the convex condition∂h∂xf(x) ≥ 0 ∀x ∈ D as a sufficient condition for ensuringinvariance of S = {x : h(x) ≥ 0} ⊂ D. However, thissufficient condition is quite strong as it requires invariance ofall super-level sets of h that are contained in D. Similar con-ditions were considered in [27]–[29] wherein Lyapunov-likefunctions are considered and combined with barrier functions.Less conservative sufficient conditions for invariance have alsobeen proposed. For example, both [20] and [30] introducedthe convex relaxation conditions of the form: ∂h

∂xf(x) ≥λh(x) ∀x ∈ D for some λ ∈ R (in the case of [20], λ = 1for the relaxation). Importantly, while these conditions canbe enforced over the entire set, they are not necessary andsufficient and thus are overly conservative.

With a view toward obtaining the least restrictive conditionsfor set invariance that hold over the entire set S, a new formof barrier functions was recently introduced in [3] (whichdetails the original formulations from [2] and [4]). The setS is invariant if ∂h

∂xf(x) ≥ −α(h(x)) ∀x ∈ D for anextended class K function α. Here, the use of an extendedclass K function implies stability of the set S for initialconditions outside of the set. Importantly, these conditionsare necessary and sufficient for set invariance in the casewhen S is compact and 0 is a regular value of h—sufficiencyfollows from Nagumo’s theorem while necessity follows fromconstructing the function α. Thus they meet the requirementthat they are the least restrictive conditions possible under theaforementioned assumptions. Yet the question remains: canthese assumptions, especially with respect to the regularityof h, be relaxed further and still guarantee set invariance?Answering this question is important as it allows for theverification for a larger set of invariance specifications for agiven system. This leads to the main contribution of paper:the largest possible set of continuous functions, µ, in whichto lower bound the flow via ∂h

∂xf(x) ≥ −µ(h(x)) ∀x ∈ D.

B. Overview of ContributionsIn this paper, we introduce novel conditions for ensuring

invariance of a set defined via a smooth barrier function. Amajor objective of this paper is to characterize conditions, thatare, in a certain sense, the minimum conditions required onthe resulting differential inequality to certify invariance for asmooth barrier function h(x). The remainder of this paper isorganized as follows:Section II: introduces standard definitions associated with so-lutions of autonomous systems and positive invariance.Section III: presents two main theorems for minimal barrierfunctions.• Theorem 1 establishes that h = ∂h

∂x (x)f(x) ≥ µ(h(x))globally for x ∈ D is sufficient for establishing invariance

CHARACTERIZING SAFETY: MINIMAL BARRIER FUNCTIONS FROM SCALAR COMPARISON SYSTEMS 3

of S = {x : h(x) ≥ 0} when µ(·) is a minimal function,that is, solutions of the initial value problem w = µ(w),w(0) = 0 remain positive for all time. Notably, µ neednot be Lipschitz continuous. The proof of Theorem 1relies on a comparison result tailored for non-Lipschitzvector fields with potentially nonunique solutions.

• Theorem 2 presents necessary and sufficient conditionsfor verifying that a function µ is a minimal function.These conditions recover as a special case the instancewhen µ is locally Lipschitz.

We also give several examples on the application of minimalbarrier functions, including Example 4, which delineates an in-stance when a Lipschitz vector field for the comparison systemis impossible. Furthermore, connections of minimal barrierfunctions to Lyapunov theory regarding sets and extensionsto nonautonomous systems are stated. Lastly, we compareminimal barrier functions to prior work in zeroing barrierfunctions.

Section IV: recalls several classic tangent conditions for veri-fying invariance and discusses their connection with minimalbarrier functions. That is, we connect the results presented inthis paper with the historic results discussed above. Thus, weare able to show that the results presented in this paper includeclassic results as a special case.

Section V: presents necessary conditions on the existence forminimal functions. More concretely, the main result is:• Under regularity conditions on S, namely, twice-

differentiability of h, compactness assumptions of levelsets of h, and the requirement that ∂h

∂x (x) 6= 0 for all xsuch that h(x) = 0, Theorem 5 proves that a locallyLipschitz minimal function µ always exists satisfyingthe barrier function ∂h

∂x (x) ≥ µ(h(x)) for all x if S isinvariant.

Section VI: considers the case of control systems and con-troller synthesis through the introduction of minimal controlbarrier functions. Systems with state dependent input con-straints are considered in this case, and several results arepresented on guaranteeing continuity properties of a viablecontroller.

Section VII: presents concluding remarks.

II. BACKGROUND

We study the system

x = f(x) (1)

with state x ∈ D where D ⊆ Rn is assumed to be an openset and f : D → Rn is assumed to be continuous. In general,continuity of f ensures solutions exist for (1), but they neednot be unique. A solution x(t) to (1) with the initial conditionx(0) = x0 ∈ D defined for t ∈ [0, τ) is called maximal if itcannot be extended for time beyond τ [31]. Given a maximalsolution x(t) defined on [0, τ), we write τmax[x(·)] to denotethe right (maximal) endpoint τ of its interval of existence andwe write I[x(·)] = [0, τmax[x(·)]) to indicate the (maximal)interval of existence of x(t).

To avoid cumbersome notation, we often write simply τmax

instead of τmax[x(·)] when x(t) is clear, e.g., I[x(·)] =[0, τmax). Further, we write t ≥ 0 instead of t ∈ I[x(·)]when clear from context. The system (1) is forward completeif τmax[x(·)] =∞ for all maximal solutions x(t).

We adapt the following definitions from [1]. A set S ⊆D is positively invariant for (1) if, for any x0 ∈ S , allcorresponding maximal solutions x(t) with x(0) = x0 satisfyx(t) ∈ S for all t ∈ I[x(·)]. A set S ⊆ D is weakly positiveinvariant for (1) if, for any x0 ∈ S, there exists at least onemaximal solution x(t) with x(0) = x0 satisfying x(t) ∈ S forall t ∈ I[x(·)].

If solutions are unique for (1) for every x0 ∈ D, then thedefinitions of positive invariance and weak positive invariancecoincide. While we are almost exclusively interested in pos-itive invariance in this paper, we will occasionally referencethe weaker formulation.

Throughout this paper, we will study invariance of setsdefined as S = {x ∈ D : h(x) ≥ 0} for a continuouslydifferentiable function h : D → R. For a set S ⊆ D, werefer ∂S as the boundary of S, S◦ as the interior of S, and Sas the closure of S with the standard topological definitions.The Lie derivative of h along the vector field f is denotedLfh : D → R and defined by Lfh(x) := ∂h

∂x (x)f(x). Wedenote standard Euclidean norm by ‖ · ‖.

III. MINIMAL BARRIER FUNCTIONS

By studying sets S defined by inequality constraints of asmooth function h, we can develop Lyapunov-like conditionson the time evolution of h over the whole domain D. Inparticular, we observe that if h(x(t)) ≥ 0 can be assuredfor all t ≥ 0 and for all initial conditions x0 ∈ S, then S ispositively invariant. In this section, we make clear the connec-tion between barrier functions and differential inequalities forscalar systems and propose a new barrier function condition.First we recall some standard notions of solutions for firstorder differential equations.

Consider the initial value problem

w = g(w) w(0) = w0 (2)

where g : W → R is a continuous function defined on an openset W ⊆ R and w0 ∈ W . Again, continuity of g guaranteesexistence but not uniqueness of solutions to (2). The followingdefinitions appear in, e.g., [32, Section 2.2].• A differentiable function w(t) defined on some interval

[0, τ) is a solution of (2) if w(t) ∈ W for t ∈ [0, τ),w(0) = w0, and w(t) = g(w(t)) for all t ∈ [0, τ).

• A solution w(t) is a minimal solution of (2) on [0, τ) if,for any other solution w′(t) defined on [0, τ), w(t) ≤w′(t) for all t ∈ [0, τ).

The existence of minimal solutions is guaranteed by thefact that g(w) is continuous on the domain W [33, Thm1.3.2], while uniqueness of minimal solutions is guaranteed byproperties of the standard ordering on R. Minimal solutionsare fundamental for establishing comparison results in scalardifferential inequalities. In particular, the following propositionpresents a comparison result similar to the one outlined in [34,


Thm 6.3] for which a solution to a differential inequality isbounded below by the minimal solution of the correspondingcomparison system. For completeness, a proof is provided thatfollows closely to the proof of [34, Thm 6.3].

Proposition 1. Let the minimal solution of the initial valueproblem (2) be w(t) with domain [0, τ). If η(t) is anydifferentiable function such that η(t) ∈ W for all t ∈ [0, τ)and

η(t) ≥ g(η(t)) for all t ∈ [0, τ), η(0) ≥ w0, (3)

then

η(t) ≥ w(t) for all t ∈ [0, τ). (4)

Proof. We initially show η(t) ≥ w(t) on any compact timeinterval [0, τf ] with τf < τ . Let {εn} be a strictly monoton-ically decreasing sequence with limn→∞ εn = 0 and εn > 0for all n. We have that for all n,

η(t) ≥ g(η(t)) > g(η(t))− εn ∀t ∈ [0, τf ] (5)

andη(0) ≥ w0 > w0 − εn. (6)

Let {rn} denote a sequence of solutions that satisfy the initialvalue problem

rn(t) = g(rn(t))− εn rn(0) = w0 − εn (7)

for each n. By [34, Thm 6.2], the minimal solution for (7)exists on [0, τf ] for large enough n, and to simplify notation,we assume this holds for all n.

We first claim that η(t) > rn(t) for all t ∈ [0, τf ] forany n. Suppose for contradiction that η(t) ≤ rn(t) for somet ∈ [0, τf ] for some n. Then

T := inf{t ∈ (0, τf ] : η(t) ≤ rn(t)} (8)

is well defined and T ∈ (0, τf ] since η(0) > w0−εn. This factcoupled with continuity of rn(t) and η(t) shows that rn(T ) =η(T ) and η(t) > rn(t) for t ∈ [0, T ). Moreover, η(T ) >rn(T ) and since rn(T ) = η(T ), this implies that η(t) < rn(t)on the interval (T − ε, T ) for some ε > 0. However, thiscontradicts the definition of T , proving the claim. Thus, lettingn → ∞, we have η(t) ≥ r(t) for t ∈ [0, τf ] with r(t) =limn→∞ rn(t).

Now we claim that limn→∞ rn converges uniformly tosome function r on [0, τf ] and that r is the minimal solutionto (2). Note that because {εn} is strictly monotone, rn+1(t) >rn(t) for t ∈ [0, τf ] and rn+1(0) > rn(0), it holds thatrn+1(t) > rn(t) for t ∈ [0, τf ]. By similar reasoning, rn(t) isalso bounded above by any solution of (2), and in particularby w(t), so the limit r(t) exists for all t ∈ [0, τf ]. Solving forthe solution gives

rn(t) = w0 +

∫ t

0

g(rn(s))ds− εn(1 + t). (9)

Hence for n < m,

‖rn(t)− rm(t)‖ ≤(εn − εm)(1 + τf ) + (10)∫ τf

0

‖g(rn(s))− g(rm(s))‖ds

Because g is continuous, it is uniformly continuous on thecompact set

{z : mint∈[0,τf ]

r1(t) ≤ z ≤ maxt∈[0,τf ]

w(t)}. (11)

Together with the proposed Cauchy criterion (10), thisimplies uniform convergence of {rn} to r. Furthermore lettingn→∞ gives

r(t) = w0 +

∫ t

0

g(rn(s))ds, (12)

so r is a solution for (2). As established previously, r isupper bounded by any solution to (2), so r( is necessarily theminimal solution for (2), i.e. r(t) = w(t) and η(t) ≥ r(t) =w(t) holds for all t ∈ [0, τf ].

Finally we show the result holds over [0, τ) with τ poten-tially being ∞. Suppose for contradiction, η(t) < w(t) forsome t ∈ [0, τ) and let

T := inf{t ∈ [0, τ) : η(t) < w(t)}. (13)

Consider some τf such that T < τf < τ . Since the minimalsolution w(t) also exists on [0, τf ], the preceding argumentimplies η(t) ≥ w(t) on [0, τf ], contradicting the definition ofT and proving η(t) ≥ w(t) for all t ∈ [0, τ).

Motivated by our interest in using scalar differential equa-tions as barrier functions, we are especially interested in scalarsystems for which minimal solutions remain nonnegative wheninitialized at the origin.

Definition 1. A continuous function µ : R→ R is a minimalfunction if the minimal solution w(t) defined on t ∈ [0, τ)for the initial value problem w = µ(w), w(0) = 0 satisfiesw(t) ≥ 0 for all t ∈ [0, τ).

We now present a formulation for barrier functions thatdirectly utilizes minimal functions and the comparison resultof Proposition 1. This notion will be a central building blockfor the results presented in this paper.

Definition 2. For the system in (1), a continuously differ-entiable function h : D → R is a minimal barrier function(MBF) if there exists a minimal function µ that satisfies

Lfh(x) ≥ µ(h(x)) ∀x ∈ D. (14)

The notion of a minimal barrier function allows us toestablish that, given such a function, it follows that h(x(t))will be nonnegative for all time, i.e., the set S will be invariant.

Theorem 1. Consider the system (1) and a nonempty S ={x ∈ D : h(x) ≥ 0} for some continuously differentiableh : D → R. If h is a MBF as in Definition 2, then S ispositively invariant.

Proof. Consider some x0 ∈ S , and let x(t) be a solution to(1) with the initial condition x(0) = x0 with an interval ofexistence I[x(·)] = [0, τmax). Observe that h(x(0)) ≥ 0. Nowwe formulate the comparison system

w = µ(w) w(0) = 0. (15)

We first claim there exists a minimal solution w(t) of thecomparison system (15) defined on I[x(·)]. To prove the claim,


suppose for contradiction that the largest interval of existencefor a minimal solution to the comparison system is [0, τ∗)with τ∗ < τmax. Because µ is a minimal function, w(t) ≥ 0for t ∈ [0, τ∗). Moreover, it must be that limt→τ∗ w(t) = ∞[33, Corollary 1.1.2]. By Proposition 1, h(x(t)) ≥ w(t) fort ∈ [0, τ∗), which implies limt→τ∗ h(x(t)) = ∞, but this isa contradiction since h(x) is continuous on D and x(t) ∈ Dfor t ∈ [0, τmax), and in particular for t ∈ [τ∗, τmax), and theclaim is proved.

Then, by Proposition 1,

h(x(t)) ≥ w(t) ≥ 0 for all t ∈ I[x(·)] (16)

and equivalently, x(t) ∈ S for all t ∈ I[x(·)]. Therefore S ispositively invariant.

Remark 1. Theorem 1 is a direct application of Proposition1 and highlights the strong connection between minimalsolutions and differential inequalities and the invariance ofsets parameterized by a barrier function. In this way, byinterpreting h as a scalar-valued output system, we see thatverifying invariance of a set S ⊂ Rn parameterized by abarrier function h is converted to the problem of verifyinginvariance of {h ∈ R : h ≥ 0} in the scalar output system,which is accomplished using differential inequalities.

It can be seen that the flow constraint in condition (14) issimilar to the standard Lyapunov flow constraint. And indeed,as h is a scalar function defining a positively invariant set S,we can also utilize h to verify stability properties of S as well.We recall the following definitions of stability for closed setsin Rn.

Let ρ(x,S) = inf{‖y − x‖ : y ∈ S} denote the distancefrom x to a set S. A closed, invariant set S ⊂ D is uniformlystable if for any δ > 0, there exists ε > 0 such that forany x0 that satisfies ρ(x0,S) < ε, the solution x(t) satisfiesρ(x(t),S) < δ for t ∈ I[x(·)] [35, Def 1, Sec. 1.9].

A set S ⊂ D is asymptotically stable if it is uniformly stableand there exists a δ > 0 such that for all x0 with ρ(x0,S) < δ,ρ(x(t),S)→ 0 as t→∞ [36, Def 1.6.26].

A continuous function α : R+ → R+ is of class K if it isstrictly increasing and α(0) = 0.

Proposition 2. Let h be a minimal barrier function for (1)and S = {x ∈ D : h(x) ≥ 0}. Assume there exists class Kfunctions α, β and a constant δ > 0 such that

− β(ρ(x,S)) ≤ h(x) ≤ −α(ρ(x,S)) ∀x ∈ Sδ \ S (17)

where Sδ = {x ∈ D : h(x) ≥ −δ}. If there exists a minimalfunction µ for h such that (14) is satisfied and µ(w) ≥ 0 forall −δ ≤ w < 0, then S is uniformly stable. Furthermoreif the system (1) is forward complete and µ(w) > 0 for all−δ ≤ w < 0, then S is asymptotically stable.

Proof. Define a Lyapunov function candidate

Vh(x) =

{0 if x ∈ S−h(x) if x ∈ D \ S.

(18)

Notice that for all x ∈ Sδ ,

α(ρ(x,S)) ≤ Vh(x) ≤ β(ρ(x,S)). (19)

Additionally, since Vh(x) is continuous, Vh(x) is upperbounded by β(ρ(x,S)), and for δ > 0, there exists γ > 0such that the set

Sγ = {x ∈ D : ρ(x,S) < γ} (20)

is a subset of Sδ .We first prove that Vh(x) satisfies the hypotheses of [36,

Corollary 1.7.5], namely, that Vh(x) is upper and lowerbounded by class K functions as in (19) over Sγ and thatVh(x(t)) ≤ Vh(x0) for any x0 ∈ Sγ and all t ∈ I[x(·)],which implies that S is uniformly stable. If x0 ∈ S , thenVh(x(t)) = Vh(x0) = 0 for all t ∈ I[x(·)], as x(t) ∈ S for allt ∈ I[x(·)], which is verified by h(x) being a barrier functionfor S with the minimal function µ(w). If x(t) ∈ Sγ \ S forall t ∈ I[x(·)], then Vh(x(t)) ≤ Vh(x0) for all t ∈ I[x(·)]because

Vh ≤ −µ(−Vh) ≤ 0, (21)

where the first inequality holds since Vh = −h on Sγ \ Sand the second follows by hypothesis. Finally, if x(τ) ∈ Sat some time τ > 0, then Vh(x(t)) = 0 for all t > τ , soVh(x(t)) ≤ Vh(x0) for all t ∈ I[x(·)] as well. So for any x0

in Sγ , Vh(x(t)) ≤ Vh(x0) for all t ∈ I[x(·)]. Therefore Vhsatisfies all the required hypotheses and S is uniformly stable.

Second, under the further assumptions of the propositionregarding asymptotic stability, we claim that Vh satisfies allof the hypotheses of [36, Theorem 1.7.8], proving that S isindeed asymptotically stable. In particular, these hypothesesare that there exists an open invariant set B with Sγ ⊂ B,where Sγ is as defined in (20) and γ > 0, such that: H1)limt→∞ Vh(x(t)) = 0 for any x0 ∈ B; H2) Vh(x(t)) <Vh(x0) for all t ≥ 0 and any x0 ∈ B \ S; H3) Vh(x) isupper and lower bounded by class K functions as in (19) overB.

We first claim S◦δ = {x ∈ D : h(x) > −δ} is an openinvariant set and observe that there exists a γ > 0 whereSγ ⊂ S◦δ . By assumption, we have Lfh(x) ≥ µ(h(x)) > 0for x ∈ D such that −δ ≤ h(x) < 0. Invoking Case 1 inTheorem 2 below, Sδ is invariant, and in fact, S◦δ is invariantas well, due to the fact that Lfh(x) > 0 on h(x) ∈ [−δ, 0),showing the claim.

If x0 ∈ S◦δ \S, then Vh(x(t)) < Vh(x0) for all t > 0, since

Vh ≤ −µ(−Vh) < 0, (22)

where the first inequality holds since Vh = −h on S◦δ \ Sand the second follows by hypothesis, and thus H2) holds.Moreover, we claim that limt→∞ Vh(x(t)) = 0 for all x ∈ S◦δ .If x0 ∈ S , then Vh(x(t)) = 0 for all t ≥ 0 because S isinvariant. If x0 ∈ S◦δ \S, using Proposition 1 with the compar-ison system w = µ(w) and the initial condition w0 = h(x0),h(t) ≥ w(t), for the minimal solution w(t). In addition, as thesystem (1) is assumed to be forward complete, both solutionsw(t) and h(x(t)) are defined for all t ≥ 0. Since w0 < 0and µ(w) > 0 on [w0, 0), limt→∞ w(t) must be non-negative.Thus limt→∞ h(x(t)) ≥ 0 and limt→∞ Vh(x(t)) = 0 as welland H1) holds. Hypothesis H3) holds by the assumption (19),and therefore Vh satisfies all the necessary hypotheses and Sis asymptotically stable.


Remark 2. The explicit requirement of forward completenessof solutions is only needed if S is not compact. If S iscompact, this necessarily means that there exists a δ > 0such that S◦δ is compact as well, since its assumed thath(x) < −α(ρ(x,S)) outside of S. Because it can be shownthat S◦δ is invariant, the system (1) is automatically forwardcomplete in the domain S◦δ .

Remark 3. The barrier function h can also define sets S inwhich the closure of the interior of S doesn’t necessarily equalthe set S. This can happen, for example, if the interior of Sis empty. For the special case that S is a point, the utility ofh is analogous to a standard Lyapunov function.

A. Necessary and sufficient conditions for minimalfunctions

In this section, we present verifiable conditions on µ toensure that it is a minimal function. Because these results arenecessary and sufficient, we note that there does not exist alarger class of continuous comparison functions that can beused for a barrier function. The backbone of the followingtheorem comes from uniqueness results in [37].

Theorem 2. A continuous function µ : R → R is a minimalfunction if and only if any of the following cases are satisfied:

1) µ(0) > 02) µ(0) = 0 and there exists ε > 0 such that µ(w) ≥ 0 for

all w ∈ [−ε, 0)3) µ(0) = 0 and for every ε > 0, there exists some w′, w′′

in [−ε, 0] such that µ(w′) > 0 and µ(w′′) < 04) µ(0) = 0 and there exists k > 0 such that for all ε with

0 < ε < k, µ(w) ≤ 0 on [−ε, 0] and 1/µ(w) is notintegrable on [−ε, 0], i.e.

∫ −ε0

dwµ(w) is divergent

Proof. Let the system be w = µ(w) and the correspondingminimal solution be w(t) for the initial condition w(0) = 0.We use a.e. for abbreviation for almost everywhere. First weshow the sufficient direction.

Case 1) Since µ(0) 6= 0, the minimal solution w(t) is uniqueby [37, Thm 1.2.7]. Because µ(0) > 0 and µ is continuous,there exists ε > 0 such that µ(w) > 0 everywhere on [−ε, 0]Suppose for contradiction, there exists τ > 0 where w(τ) =b < 0. Integration gives∫ w(τ)=b

w(0)=0

dw

µ(w)= τ − 0. (23)

The integral on the left is negative since b < 0 and µ(w) > 0on [−ε, 0], but τ > 0, giving a contradiction.

Case 2) [37, Thm 2.2.2] First we show that any solutionw(t) is monotone. Suppose for contradiction, that w(t) is notmonotone. Then there exists two times t1 6= t2 ∈ [0, τ ] suchthat w(t1) = w(t2) and w(t1) > 0 and w(t2) < 0. But this isa contradiction, since w(t) = µ(w(t)) is a function of w(t).

Since any solution w(t) is monotone, and we assume thatµ(w) ≥ 0 for all w ∈ [−ε, 0], w(t) is a non-decreasingfunction. Therefore, there does not exist a time τ in whichw(t) < w(0) = 0, and any solution w(t) ≥ 0 for all t ≥ 0,including specifically w(t).

Case 3) [37, Thm 2.2.2] Suppose for contradiction, thereexists τ > 0, where w(τ) = b < 0. By assumption, µ(w(t))switches sign on [b, 0], and thus w(t) is not monotone on [0, τ ].However, solutions must be monotone, giving a contradiction.

Case 4) [37, Thm 2.2.2] Suppose for contradiction, thereexists a τ > 0 where w(τ) = b ∈ [−ε, 0) for some ε < k.Let τ < τ be the greatest point such that w(τ) = 0. Takea monotonic sequence τ < tk < τ converging down to τ .Integration of the ODE gives

limtk→τ+

∫ b

w(tk)

dw

µ(w)= limtk→τ+

τ − t. (24)

Since w(t) is monotone, the set of w in [b, 0] in whichw = µ(w) = 0 is a measure zero set. Thus, it must be thatµ(w) < 0 a.e. on w ∈ [b, 0] and there exists a set G =[b, 0] \ Z such that µ(w) < 0 for all w ∈ G, where Z is ameasure zero set. Let Gk = [b, w(tk)] ∩G. Then the integral∫Gk

dwµ(w) converges to the improper integral

∫ b0

dwµ(w) via the

monotone convergence theorem. By assumption, 1/µ(w) isnot integrable on [b, 0], since −b < k and

∫ b0

dwµ(w) diverges.

However, limtk→τ+ τ − t is bounded above by τ and thereforeconverges, giving a contradiction.

Now we consider the necessary direction. Assume all condi-tions do not hold. Then either µ(0) < 0 or µ(0) = 0, 1/µ(w)is integrable on [−ε, 0], and µ(w) < 0 on [−ε, 0]\Z for someε > 0 and some measure zero set Z. If µ(0) < 0, there exists a[−ε, 0] where µ(w) < 0. Note also the minimal solution w(t)is unique by [37, Thm 1.2.7]. Choose a point b ∈ U−ε andintegrate to get

∫ b0

dwµ(w) = τ . Because µ(w) < 0 on [b, 0], we

can set τ to the value of the integral. Therefore this equationdefines the solution where w(τ) = b < 0.

Now consider the second condition, which follows from [37,Thm 1.4.3]. Let Gt = [w(t), 0]\Z. The integral of the ODE is∫Gt

dwµ(w) = t for −ε ≤ w(t) < 0. Since 1/µ(w) is integrable

on [−ε, 0] by assumption, the integral converges and definesa family of solutions wc(t) satisfying{

wc(t) = 0 t ≤ c∫Gt

dwµ(w) = t− c t > c

(25)

for c ∈ R+∪{∞}. Since µ(w) < 0 on Gt, taking c = 0 givesthe minimal solution in which wc(t) < 0 for t > 0.

Remark 4. Case 1 and Case 2 are similar to standard Lyapunovconditions, as Lfh ≥ µ(h) ≥ 0 on h ∈ [−ε, 0] for some ε > 0.Case 3 considers the case when µ changes sign infinitely often.Case 4 relaxes the usual locally Lipschitz condition to a one-sided nonintegrability condition to handle a more general classof comparison functions.

Remark 5. Minimal function are akin to uniqueness functionsin [38], as −u(−w) can be extended to be a minimal functionfor a uniqueness function u(w). However, in this paper, weuse minimal functions directly in a comparison framework,instead of using it to define unique solutions. We note thatcomparison systems defined with minimal functions have one-sided uniqueness type behavior around 0.


Remark 6. Additionally, Osgood functions [37, Lemma 1.4.1],which are traditionally used to relax locally Lipschitz assump-tions for unique solutions, share similarities with minimalfunctions, namely that −o(−w) for any Osgood function o(w)can be extended to satisfy the conditions outlined in Case 4.

If a minimal function is assumed to induce unique solutions,then only the condition that µ(0) ≥ 0 needs to be checked.More specifically, it can be shown that all locally Lipschitzminimal functions with µ(0) ≥ 0 satisfy the hypotheses ofTheorem 2, as seen in the following Proposition.

Proposition 3. Any locally Lipschitz continuous function µL :R→ R with µL(0) ≥ 0 satisfies the hypotheses of Theorem 2and therefore is a minimal function.

Proof. Notice that if, for any ε > 0, there exists a positivemeasure set P ⊂ [−ε, 0] where µL(w) ≥ 0 for all w ∈ P ,then µL has to satisfy one of the cases 1–4 of Theorem 2 andis necessarily a minimal function. Thus, assume µL is not aminimal function so that µL(0) = 0 and there exists a constanta > 0 such that µL(w) < 0 a.e. for w ∈ [−a, 0]. Since µLis locally Lipschitz, there exists a neighborhood U around 0such that µL is Lipschitz on U . Choose 0 < k ≤ a such that

[−k, 0] ⊂ [−a, 0] ∩ U. (26)

Since µL is Lipschitz on [−k, 0],

‖µL(w)‖ ≤ L‖w‖ (27)

for all w ≤ k for some Lipschitz constant L. Because µL <0 a.e. on [−k, 0], it follows that 1/µL(w) < 1/(Lw) a.e. on[−k, 0]. Then 1/µL(w) is not integrable since 1/(Lw) is notintegrable on any [−ε, 0] for ε ≤ k and µL then satisfies Case4 of Theorem 2. Therefore one of the cases of Theorem 2must hold.

Furthermore, if µL(0) < 0, then µL is necessarily not aminimal function, which comes as a direct corollary of thefirst necessary condition in the proof of Theorem 2.

B. ExamplesThe following examples and anti-examples demonstrate

the utility of the proposed formulation of minimal barrierfunctions.

This first example introduces a simple barrier function fora scalar system that results in a linear minimal function.

Example 1. Consider x = f(x) = −x for x ∈ R andlet h(x) = x3. We have Lfh(x) = −3x3 = −3h(x) so hsatisfies (14) with µ(w) = −3w, and µ is a minimal functionby Proposition 3 since it is locally Lipschitz and µ(0) ≥ 0.Indeed, S = {x : h(x) ≥ 0} = {x : x ≥ 0} is positivelyinvariant.

The next anti-example highlights the importance of con-sidering minimal solutions to differential inequalities whenconstructing comparison systems.

Example 2. Consider x = f(x) = −1 for x ∈ R and leth(x) = x3. Take µ(w) = −3w2/3 where (·)2/3 is interpretedas ((·)1/3)2. Then Lfh(x) = µ(h(x)) for all x ∈ R.

Although the function µ satisfies µ(0) ≥ 0, it is not locallyLipschitz, so Proposition 3 does not apply. Moreover, µ doesnot satisfy any of the conditions of Theorem 2. Indeed, S isnot positively invariant on R.

Further, the comparison system w = µ(w) with initialcondition w(0) = 0 has the minimal solution w(t) = −t3.Observe that the comparison system with the initial conditionw(0) = 0 also has as a solution w(t) = 0 for all t ≥ 0.However, considering x(t), the solution to x = f(x) withx(0) = 0, we see that h(x(t)) = w(t), i.e., the barrier hevaluated along solutions of the system x = f(x) match theminimal solution of the comparison system.

The following example examines the case where the set Shas corners, but still can be verified using a minimal barrierfunction.

Example 3. Consider the system

x1 = −ax1 + bx2 (28)x2 = cx1 − dx2 (29)

where a, b, c, d ≥ 0. Let a barrier function be h(x) = x1x2 sothat S is the union of the first and third quadrants of the plane.Lfh(x) = −ax1x2+bx2

2+cx21−dx1x2 ≥ −ax1x2−dx1x2 =

(−a−d)h(x) so that (14) is satisfied with µ(w) = −(a+d)wand S is positively invariant.

In the next example, it is necessary to consider a non-Lipschitz minimal function to establish forward invariancewith a given barrier function. Even though the vector field ofthe system is Lipschitz, and the barrier function h is smooth,the resulting dynamics for Lfh, as a function of h, may notbe Lipschitz.

Example 4. Consider x = −|x| for x ∈ R and let

h(x) =

{exp(−1/x) if x ≥ 0

− exp(1/x) if x < 0(30)

so that S = {x : h(x) ≥ 0} = {x : x ≥ 0} is indeed invariant.Now we calculate

Lfh(x) =

{− exp(−1/x)/x if x ≥ 0

exp(1/x)/x if x < 0.(31)

The function h is invertible with inverse

h−1(w) =

{−1

ln(w) if 0 ≤ w < 11

ln(−w) if −1 < w < 0.(32)

Define a minimal function candidate

µ(w) =

{w ln(w) if 0 ≤ w < 1

−w ln(−w) if −1 < w < 0(33)

and observe that µ(h(x)) = Lfh(x). We check that µ is aminimal function. Indeed, µ(h) is continuous with µ(0) = 0and µ(h) < 0 over D \ {0}. Corresponding to Case 4 inTheorem 2, we check that the improper integral∫ −a

0

1/µ(w)dw =

∫ −a0

−1

w ln(−w)dw (34)

= − ln(‖ ln(−w)‖)|−a0 (35)


diverges to ∞ for any a ∈ (0, 1). Therefore µ is a validminimal function. Observe that µ is not locally Lipschitz at0. Indeed, it is easy to establish that there exists no locallyLipschitz minimal function satisfying (14) since any suchfunction must be upperbounded by µ constructed above andbe nonnegative at the origin.

C. Comparing to Zeroing Barrier Functions

In this section, we compare MBFs to zeroing barrierfunctions (ZBFs) in [39], which use extended class K functionsfor the class of comparison systems, and is a major inspirationfor the work in this paper. We remark that if α is an extendedclass K function, then −α is a minimal function, as guaranteedby Case 2 in Theorem 2.

In the development of ZBFs in [39], the construction utilizesNagumo’s Theorem and therefore requires the assumption that∂h∂x does not degenerate to a zero vector on the boundary ofthe set. By directly invoking a comparison theorem argument,however, we can dispense with this assumption. Enforcinga minimal function to be of class K is not a restrictiveassumption on R+, since any continuous function can be lowerbounded on R+ by some −α with α being an extended classK function.

However, as seen through all the cases in Theorem 2, thematter of guaranteeing strong invariance is tightly related tothe behavior of the comparison system on [−ε, 0] for someε > 0. In particular, observe that (14) in Theorem 1 is requiredto hold for all x ∈ D. In general, this cannot be relaxed tojust all x ∈ S, as seen in the next example.

Example 5. Consider again Example 2, and take

α(w) =

{3w2/3 if w ≥ 0

−3w2/3 if w < 0(36)

so that Lfh(x) = −α(h(x)) for all x ∈ S, although notablythe equality does not hold for x ∈ R\S and thus Theorem 1is not applicable since it requires (14) to hold for all x ∈ D.Notice that α is an extended class K function on R and that −αis a minimal function. Then, for the dynamics w = −α(w),the set {w : w ≥ 0} is positively invariant. It is tempting touse w = −α(w) as a comparison system with w(0) = h(x(0))to obtain the false conclusion that S is positively invariant.

A considerable benefit of using the more general classof minimal functions over extended class K functions for acomparison system is that using an extended class K functionnecessitates that Lfh > 0 on D \ S. While this type ofrobustness is sometimes desirable, it does not hold in general.

Example 6. Consider x = x for x ∈ R and h(x) = x, with thecorresponding S = {x : x ≥ 0}. Therefore, Lfh(x) = x =h(x). In particular, Lfh(x) < 0 whenever h(x) < 0, and thusthere does not exist an extended class K function α satisfyingLfh(x) ≥ −α(h(x)) for all x ∈ R. However, µ(w) = w is aminimal function satisfying Lfh(x) ≥ µ(h(x)) for all x ∈ R,thus proving invariance of S.

D. Extending to nonautonomous barrier functionsIn this section, we extend the above results to nonau-

tonomous systems and/or nonautonomous barrier functions.This is crucial when either the vector field of the system orthe set under inspection is a function of time. In this section,we study the time varying system

x = f(t, x) (37)

where f : [0,∞) × D → Rn is continuous in t and in x. Asolution x(t) is defined on a maximum time interval I[x(·)] =[t0, τmax) such that x(t) ∈ D and (37) is satisfied for t ∈I[x(·)] with an initial condition x(t0) = x0 ∈ D for t0 ≥ 0,and the solution cannot be extended for time beyond τmax.

Consider S ⊆ [0,∞) × D so that St := {x ∈ D : (t, x) ∈S} is nonempty for all t ≥ 0. S is positively invariant for(37) if for all t0 ≥ 0 the condition x(t0) ∈ St0 implies allcorresponding solutions x(t) satisfy x(t) ∈ St for all t ∈[t0, τmax) [1]. S is weakly positively invariant for (37) if forall t0 ≥ 0 the condition x(t0) ∈ St0 implies the existence ofa solution x(t) that satisfies x(t) ∈ St for all t ∈ [t0, τmax).We assume that S = {(t, x) ∈ [0,∞) × D : h(t, x) ≥ 0}for a function h that is continuously differentiable in botharguments.

Given a scalar initial value problem w = g(t, w), w(t0) =w0 with g : [0,∞)×W → R continuous in t and w and foropen set W ⊆ R, t0 ≥ 0, and w0 ∈W , solutions and minimalsolutions are defined analogously to the definitions in SectionIII.

We slightly modify the definition of minimal barrier func-tions for time varying formulations.

Definition 3. A continuous function µ : [0,∞) × R → R isa time varying minimal function if any minimal solution w(t)defined on t ∈ [t0, τ) to the initial value problem w = µ(t, w),w(t0) = 0 satisfies w(t) ≥ 0 for all t ∈ [t0, τ) for any t0 ∈[0, τ).

A sufficient condition for time varying minimal functionsis that solutions to w = µ(t, w) are unique for any initialconditions and that µ(t, 0) ≥ 0 ∀t ≥ 0. Finding necessary andsufficient conditions analogous to Theorem 2 is challengingsince separation of variables is not possible to get an explicitintegral expression.

The following definition parallels Definition 2 for the timevarying case.

Definition 4. For the system in (37), a continuously differen-tiable function h : [0,∞)×D → R is a time varying minimalbarrier function (TMBF) if there exists a time varying minimalfunction µ that satisfies

∂h

∂t(t, x) + Lfh(t, x) ≥ µ(t, h(t, x)) ∀(t, x) ∈ [0,∞)×D.

(38)

Theorem 3. Consider the system (37) and a nonempty S ={(t, x) ∈ [0,∞) × D : h(t, x) ≥ 0} for some continuouslydifferentiable h : [0,∞) × D → R. If h is a TMBF as inDefinition 4, then S is positively invariant.

Proof. Analogous to the proof of Theorem 1.


Remark 7. Time varying systems and/or barrier functions canalso be handled by transforming to a time invariant systemby appending an indicator state θ = 1 for time. Then it ispossible to apply the standard formulations of minimal barrierfunction. However, for certain specifications, it is not possibleto find a time invariant minimal function and a time varyingminimal function is necessary.

The following examples illustrate scenarios in which a timevarying formulation is necessary. We first look at a systemwith a time varying vector field and a time invariant barrierfunction.

Example 7. Consider x = f(t, x) = xt for x ∈ R andlet h(x) = x so that S = {x : x ≥ 0}. Along solutions,Lfh(x) = xt = h(x)t. Take µ(t, w) = wt so that Lfh(x) =µ(t, h(x)). The function µ is smooth in both t and w, sow = µ(t, w) has unique solutions. Since µ(t, 0) = 0, µ isa time varying minimal function, and h is a time varyingminimal barrier function by Theorem 3 so that S is positivelyinvariant.

It can be seen that a time invariant minimal function doesnot exist for this system and barrier. For µ(w) to be a minimalfunction, ∂h

∂x (x)f(t, x) = xt ≥ µ(h(x)) = µ(x) for all t ≥ 0and all x ∈ R, but there does not exist a smooth function µsatisfying wt ≥ µ(w) for all t ≥ 0. Specifically, the inequalitydoes not hold for any w ∈ R−.

Now we consider a case where the barrier function istime varying but the vector field is time invariant. Theseformulations are important, for example, when consideringbarrier functions as an approach to verify reachability [40].

Example 8. Consider x = f(x) = x3 + x for x ∈ R andlet h(t, x) = e−tx − e−2t. At t = 0, S0 = {x : x ≥ 1},and St increases to {x : x ≥ 0} as t → ∞. Along solutions,Lfh(t, x) = e−tx3 + 2e−2t = e−t(h(x)et + e−t)3 + 2e−2t =h3e2t+3h2 +3he−2t+e−4t+2e−2t. Let µ(t, h) = Lfh(t, x)where Lfh(t, x) is understood to be a function of t and has just computed. Then µ(t, h) can be verified to be a validminimal function. However, like Example 7, no time-invariantminimal function exists for this system and barrier function.

IV. COMPARISON BETWEEN BOUNDARY CONDITIONS

Arguably, the most common approach for establishing pos-itive invariance of a set S is to verify, in some appropriatesense, that the velocity field of the system points inwards toS at each point on the boundary of S. First formalized byNagumo in [14] and independently discovered by others, therehas since been a volume of work dedicated to making thisbasic approach precise in various contexts, e.g. [38], [1], [20].In particular, care must be taken to appropriately define normaland tangent directions to arbitrary sets and to accommodatevector fields with potentially nonunique solutions or differ-ential inclusions. In this section, we recall a few versions ofthese results, and we then compare minimal barrier functionswith these alternative approaches.

The following result by Nagumo (and independently dis-covered by Brezis) gives a tangent condition on the flow of

the system relative to the set S that is necessary and sufficientfor positive invariance.

Theorem 4 (Nagumo’s Theorem [16]). Given the system (1)under the further condition that f(x) is locally Lipschitz,consider a nonempty S ⊆ D assumed to be closed relativeto D. Then S is positively invariant if and only if

limε↓0

ρ(x+ εf(x),S)

ε= 0 for all x ∈ S (39)

where ρ(x,S) = inf{||y − x|| : y ∈ S} for x ∈ D.

Another condition which uses normal vectors instead oftangent spaces is given below. A vector n is an outer normalto S at x if n 6= 0 and if the closed ball with the center x+nand radius ‖n‖ has exactly one point in common with S whichis x.

Proposition 4 ( [15]). Given the system (1) under the furthercondition that f is locally Lipschitz, consider a nonempty S ⊆D assumed to be closed relative to D. Then S is positivelyinvariant if and only if

n · f(x) ≤ 0 ∀x ∈ S, ∀n ∈ N(x) (40)

where N(x) is the set of outer normal vectors to S at x.

In Theorem 4 and Proposition 4, it is assumed that thevector fields are locally Lipschitz. Interestingly, uniquenessfunctions are also used in [38], [17] to relax locally Lipschitzassumptions for the flow of the system for unique solutions,and in [26] to relax an inequality similar to (40).

An important specialization of Theorem 4 is to the casewhere S = {x : h(x) ≥ 0} for a smooth function h : D →R, the situation that is the focus of this paper. When S isdefined this way, then the gradient of h corresponds to theouter normal, provided that the gradient is nonzero. Provinginvariance of S then requires showing that the vector field f(x)always has a nonnegative inner product with the gradient, asformalized next.

For a continuously differentiable function h : D → R for anopen set D ⊆ Rn, λ ∈ R is a regular value of h if ∂h

∂x (x) 6= 0for all x ∈ {x ∈ D : h(x) = λ}.

Corollary 1 ( [1, Sec 4.2.1]). Given the system (1) underthe further condition that f(x) is locally Lipschitz, consider anonempty set S = {x ∈ D : h(x) ≥ 0} for some continuouslydifferentiable h : D → R. Further assume that 0 is a regularvalue of h. Then S is positively invariant if and only if

Lfh(x) ≥ 0 (41)

for all x ∈ {x ∈ D : h(x) = 0}.

Remark 8. Corollary 1 provides a powerful result for estab-lishing invariance of S provided that 0 is a regular valueof h. When 0 is a regular value of the barrier function h,then the only property of µ satisfying (14) that is relevantfor establishing invariance of S is that µ(0) ≥ 0 sinceLfh(x) ≥ µ(0) ≥ 0 whenever h(x) = 0 and Corollary 1then applies. In other words, when 0 is a regular value ofh, there is no need to invoke a comparison result to prove


invariance and µ does not need to be a minimal function oreven be continuous or well-behaved, so long as µ(0) ≥ 0.

Remark 9. In the case where 0 is not a regular value ofthe barrier, however, the structure of µ defined in Theorem2 is necessary for guaranteeing invariance, as demonstrated inExample 2. If the assumption that 0 is a regular value is lifted,Examples 1, 3, and 4 are then cases that can be considered.

Remark 10. An important case when 0 is not a regular valueis if S denotes a set with no interior. For example, if the set Scorresponds to a fixed point or a limit cycle, it is not possibleto verify invariance using Corollary 1.

Extensions of invariance results from the standardNagumo’s theorem usually relax three conditions, specificallya smoothness assumption of the boundary of S, a tangentcondition on the flow of the system at the boundary, and auniqueness assumption on the dynamics of the system (1)[38]. By adding a smoothness condition for differentiabilityof the minimal barrier function, a comparison argument canbe utilized to relax some of the uniqueness assumptions forthe resulting comparison system.

V. NECESSARY CONDITIONS FOR MINIMAL BARRIERFUNCTIONS

In this section, conditions for existence of minimal functionsare detailed. We motivate this discussion with the followingsimple example.

Example 9. Consider

x1 = x1x2 (42)x2 = 0 (43)

and h(x) = x1 so that S = {x : h(x) ≥ 0} = {x : x1 ≥ 0}.Then ∂h

∂x =[1 0

], and thus any λ ∈ R is a regular value of h,

so Corollary 1 is applicable and S is invariant. However, theredoes not exist a minimal function that allows for verifyinginvariance using Theorem 1. To see this, notice that for sucha minimal function µ to exist, µ(w) ≤ Lfh(x) must hold forevery x such that h(x) = w. But Lfh(x) = x1x2 so thatfor any fixed w, all x satisfying h(x) = w have the formx =

[w x2

]Tand x2 can be chosen to make Lfh(x) an

arbitrarily large negative number for x1 6= 0.

In this example, we see that even though S is positivelyinvariant, there is no guarantee that a minimal function willexist, i.e., minimal barrier functions are only sufficient forestablishing invariance in general.

However, under certain structural conditions on the barrierfunction and the system (1), it is possible to guarantee theexistence of a minimal function when the set S = {x ∈D : h(x) ≥ 0} is known to be invariant. In this section,we provide these sufficient conditions to ensure that a validminimal function can be found based on observations of anexplicit construction.

We first provide a construction for a minimal function givena candidate barrier function, provided one exists.

Lemma 1. Given a system of the form (1) and a candidatebarrier function h(x), let Γ : W → R be defined as

Γ(w) = infx:h(x)=w

Lfh(x) (44)

where W = {h(x) : x ∈ D} is the range of h. If there existssome minimal function that satisfies condition (14), and if Γis continuous, then Γ is also a minimal function that satisfiescondition (14).

Proof. Let µ be a minimal function satisfying (14) so thatµ(h(x)) ≤ Lfh(x) ∀x ∈ D. It follows from the definition ofΓ that

µ(w) ≤ Γ(w) (45)

for all w ∈W . Since µ is a minimal function, µ satisfies oneof the cases in Theorem 2.

If, for every ε > 0, there exists a positive measure setP ⊂ [−ε, 0] where µ(w) ≥ 0 for w ∈ P , then Γ(w) ≥µ(w) ≥ 0 on P and therefore Γ has to satisfy one of thecases 1–4 of Theorem 2 so that Γ is a minimal function.We can then consider the alternative condition that Γ(w) andµ(w) < 0 a.e. on [−k, 0] for some k. Because µ(h(x)) ≤Γ(h(x)) for all x ∈ D and Γ 6= 0 a.e., then it mustbe that 1/µ(h(x)) ≥ 1/Γ(h(x)) a.e. Because 1/µ(h(x)) isnonintegrable and negative a.e., 1/Γ(h(x)) is nonintegrableas well. So Γ must necessarily satisfy one of the cases if thereexists a minimal function that does.

Therefore, showing that Γ(w) is a minimal function isequivalent to the existence of a minimal function under theassumption of continuity of Γ(w). Thus, we will only focusour attention on Γ(w).

To analyze what conditions on the barrier function arenecessary for the continuity properties of Γ, we introduce sometools from topology and optimization.

First we describe a generalized inverse of h(x) as a point-to-set mapping h−1 : W ⇒ D, where h−1(w) = {x ∈ D :h(x) = w} and W ⊂ R is the range of h, i.e., W = {h(x) :x ∈ D}. We use W ⇒ D in place of W → 2D for ease ofnotation. The function Γ(w) can now be defined as Γ(w) =inf{Lfh(x) : x ∈ h−1(w)}.

We now introduce some necessary definitions for h−1 to becontinuous as a point-to-set map:• h−1 is lower semicontinuous (l.s.c) at w0 if for each open

set G s.t. G∩h−1(w0) 6= ∅, there exists a neighborhoodU(w0) s.t. w ∈ U(w0) =⇒ h−1(w) ∩G 6= ∅ [41].

• h−1 is upper semicontinuous (u.s.c) at w0 if for eachopen set G s.t. h−1(w0) ⊂ G, there exists a neighborhoodU(w0) s.t. w ∈ U(w0) =⇒ h−1(w) ⊂ G [41].

• h−1 is continuous at w0 if it is both upper and lowersemicontinuous at w0.

If h−1 always maps to a single point, then definitions oflower and upper semicontinuity coincide with the standarddefinitions of continuity for functions [41].

Since all cases in Theorem 2 depend only on some neigh-borhood U around 0, we are only concerned with showingcontinuity of Γ on some U around 0. The next propositiongives sufficient conditions on when this is the case.


Proposition 5. Let h : D → R be a continuously differentiablefunction. If 0 is a regular value of h and there exists δ > 0such that Λ := {x ∈ D : −δ ≤ h(x) ≤ δ} is compact, thenΓ(w) defined in (44) is continuous on some neighborhood of0.

Proof. We first claim that h−1 is a continuous point-to-set mapon some open set U containing 0. Let W = {h(x) : x ∈ D}and S = {x ∈ D : h(x) ≥ 0}. Define two point-to-set mapsh+, h− : W ⇒ D according to

h+(w) = {x ∈ D : −h(x) + w ≤ 0}, (46)h−(w) = {x ∈ D : h(x)− w ≤ 0}, (47)

and observe that h−1(w) = h+(w) ∩ h−(w) for all w ∈ W .Because 0 is assumed to be a regular value of h and ∂S isnonempty, h+(w) and h−(w) are both nonempty for all w insome neighborhood V of 0. The functions −h(x) + w andh(x)− w are both continuous on W ×D, so h+ and h− areclosed on V [42, Thm 10], and so is h−1 due to [41, 6.1 Thm5]. Since h−1(w) is assumed to map into the compact set Λfor w ∈ [−δ, δ], h−1(w) is also u.s.c on V ∩ [−δ, δ] [41, 6.1Corollary to Thm 7].

Because 0 is a regular value of h and h is continuouslydifferentiable, ∂h

∂x is constant rank in a neighborhood N (x)of each x ∈ h−1(0). Defining G =

⋃x∈h−1(0)N (x) gives

an open cover of h−1(0) ⊂ G and since h−1 was shownto be u.s.c at 0, there exists a neighborhood V ′ of 0 whereh−1(w) ⊂ G for w ∈ V ′ by definition of u.s.c. Therefore forany w ∈ V ′, w is a regular value of h. Now define

h+I (w) = {x ∈ D : −h(x) + w < 0}, (48)

h−I (w) = {x ∈ D : h(x)− w < 0}. (49)

We now show h+I (w) ⊇ h+(w) for all w ∈ V ′. Let w ∈ V ′

and let x∗ ∈ h+(w). If h(x∗) > w, then by definition, x∗ ∈h+I (w). If h(x∗) = w and w ∈ V ′, then w is a regular value ofh and there exists a direction d ∈ Rn satisfying ∂h

∂x (x∗)d > 0.Let

F (a) = h(x∗ + ad) (50)

and notice that F is continuous, so lima→0+ F (a) = w andfor a > 0 sufficiently close to 0, F (a) > w. Therefore, x∗ isa limit point of h+

I (w), and thus x∗ ∈ h+I (w). A symmetric

argument implies h−I (w) ⊇ h−(w) for all w ∈ V ′. Then, since−h(x) + w and h(x) − w are both continuous on W × D,h+I (w) ⊇ h+(w), and h−I (w) ⊇ h−(w), it holds that h+ andh− are both l.s.c on V ′ [42, Thm 13]. Because h+ and h− arel.s.c, h+

I (w) and h−I (w) are nonempty on V , and h−1(w) isassumed to be compact for w ∈ [−δ, δ], h is a l.s.c. point-to-set map on V ∩V ′∩[−δ, δ] [43, Thm 3], [44]. Finally, we haveh−1 is both u.s.c and l.s.c on any open set U ⊂ V ∩V ′∩[−δ, δ]and is therefore continuous on U .

Now we prove Γ is continuous on U . Since h is assumedto be continuously differentiable, and f in (1) is assumedto be continuous, Lfh is also continuous. Because h−1 isa continuous point-to-set map on U , and Lfh is continuouseverywhere,

Γ(w) = − sup{−Lfh(x) : x ∈ h−1(w)} (51)

is continuous on U [42, Thm 7].

Since Γ is continuous on a neighborhood of 0, and if Γ is abounded function, then Γ only needs to be checked to satisfyone of the cases in Theorem 2 in a neighborhood U around 0.If Γ satisfies one of the cases on U , then it can be continuouslyextended to a minimal function over R. However, it is easierto show conditions in which Γ is Lipschitz continuous around0, which, as seen in Proposition 3, allows for only checkingthe condition that Γ(0) ≥ 0 to show existence of a minimalfunction.

The next theorem gives the necessary conditions for alocally Lipschitz minimal function to exist.

Theorem 5. Let h : D → R be a twice continuouslydifferentiable function and assume f is locally Lipschitz.Assume further that 0 is a regular value of h, and Λδ :={x ∈ D : −δ ≤ h(x) ≤ δ} is compact for all δ ≥ 0. IfS = {x : h(x) ≥ 0} is a positively invariant set, then his a minimal barrier function for (1) with a locally Lipschitzminimal function µ.

Proof. Let ρ(x,A) = inf{‖x− y‖ : y ∈ A} denote the point-to-set distance from x ∈ D to some set A ⊆ Rn. Because 0is a regular value of h, Lyusternik’s Theorem [45] applies, sothat for all x ∈ h−1(0), there exists a neighborhood N1(x) ⊂Rn of x, a neighborhood N2(x) ⊂ R of 0, and a constantK(x) > 0 such that

ρ(x′, h−1(w)) ≤ K(x)‖h(x′)− w‖ (52)

for all x′ ∈ N1(x) and all w ∈ N2(x).Next, notice that

⋃x∈h−1(0)N1(x) is an open cover of

h−1(0), and h−1(0) = Λ0 is assumed to be compact. Bycompactness of h−1(0), there exists a finite subcover, i.e., afinite set of points {xi}Ni=1 ⊂ h−1(0) such that

h−1(0) ⊂N⋃i=1

N1(xi) =: C. (53)

It was shown in Proposition 5 that h−1 is u.s.c at 0 under theassumptions of the theorem statement. By definition of uppersemicontinuity, since C is an open set that covers h−1(0), thereexists a neighborhood V of 0 such that

w ∈ V =⇒ h−1(w) ⊂ C. (54)

For some i ∈ {1, . . . , N}, there also exists a neighborhoodX of the point xi and a neighborhood W of 0 such that thesolution for h(x) = w exists for any w ∈W and some x ∈ X ,due to 0 being a regular value [46]. Then, for all w ∈ W ,h−1(w) is nonempty. Let

L1 = maxi∈{1,...,N}

K(xi) (55)

and let

U =

N⋂i=1

N2(xi) ∩ V ∩W. (56)

Observe that U is a neighborhood of 0 since it is a finiteintersection of neighborhoods of 0. Therefore,

ρ(x′, h−1(w)) ≤ L1‖h(x′)− w‖ (57)


for all x′ ∈ C and all w ∈ U .Because f and ∂h

∂x are locally Lipschitz, so is Lfh, andthus Lfh is Lipschitz on some compact set Uc ⊃ U withsome Lipschitz constant L2. Now we show that Γ defined in(44) is Lipschitz on U . Choose w1, w2 ∈ U . Now choosex1 ∈ h−1(w1) such that Lf (x1) = Γ(w1). This is possiblesince Lfh is continuous and h−1(w1) ⊂ Λ‖w1‖ is compact,so an extremal point exists. Next, choose x2 ∈ h−1(w2) suchthat

‖x1 − x2‖ = ρ(x1, h−1(w2)) (58)

which is also possible since h−1(w2) is also compact and‖x1 − x2‖ is continuous in x2 for a fixed x1. Note that

Γ(w2)− Γ(w1) ≤ Lfh(x2)− Lfh(x1) (59)≤ ‖Lfh(x2)− Lfh(x1)‖ (60)≤ L2‖x1 − x2‖ (61)

≤ L2ρ(x1, h−1(w2)) (62)

≤ L1L2‖h(x1)− w2‖ (63)≤ L1L2‖w1 − w2‖. (64)

The inequality (59) holds from properties of inf and (61) is dueto Lfh being Lipschitz with a Lipschitz constant L2 on Uc ⊃U . Note that we previously chose x2 to give the inequalityin (62). Finally, since w1 and w2 are chosen from U , weapply Lyusternik’s theorem for the inequality in (63). A similarargument establishes that Γ(w1)− Γ(w2) ≤ L1L2‖w1 − w2‖i.e,

‖Γ(w1)− Γ(w2)‖ ≤ L1L2‖w1 − w2‖, (65)

and thus Γ is Lipschitz on U with a Lipschitz constant L1L2.Because Λδ is assumed to be compact for all δ ≥ 0 and

Lfh is continuous, Γ is bounded on [−δ, δ] for all δ ≥ 0as well. Therefore, there exists a locally Lipschitz functionµ : R → R such that µ(w) ≤ Γ(w) for all w ∈ W and,for some neighborhood U ′ ⊂ U of 0, µ restricted to U ′ isequal to Γ. Furthermore, Lfh(x) ≥ Γ(h(x)) ≥ µ(h(x)) forall x ∈ D, so the barrier condition (14) is satisfied. Since Sis assumed to be invariant, Lfh(x) ≥ 0 for all x ∈ h−1(0),so µ(0) = Γ(0) ≥ 0. Therefore µ is locally Lipschitz andµ(0) ≥ 0, and by Proposition 3, µ is a valid locally Lipschitzminimal function.

Remark 11. In Section IV, it was noted that under thesatisfaction of the hypotheses of Corollary 1, any function µwith µ(0) ≥ 0 can be used in a flow inequality, without havingto invoke a comparison system. However, Theorem 5 showsthat under some reasonable additional assumptions, specifi-cally the smoothness properties of the barrier function andcompactness properties of the level sets, a locally Lipschitzminimal function exists.

Remark 12. Under the hypotheses of Theorem 5, it can beseen that minimal barrier functions in Definition 2 are notonly equivalent to the conditions in Corollary 1, but also tothe positive invariance of S.

VI. MINIMAL CONTROL BARRIER FUNCTIONS

A major benefit for using differential inequalities definedover the whole domain rather than just a boundary-typecondition is that it is more amenable to controlled invariance.In constraint-based control, it is desirable to have constraintson the controller that are applied at every point on the domainrather than just a condition on the boundary ∂S. If a boundarycondition is directly applied for controlled invariance, theconstraints are only active on ∂S. This may introduce dis-continuities in the controller and render it sensitive to modeland sensor noise.

Extensions of minimal barrier functions to control formu-lations is direct. In this section, we instead consider a controlaffine system of the form

x = f(x) + g(x)k(x) (66)

with state x ∈ D, where D ⊆ Rn is assumed to be an openset, a feedback controller k : D → Rm, and f : D → Rnand g : D → Rn×m, both assumed to be continuous. We alsoassume that k(x) ∈ U(x) for all x ∈ D, where U : D ⇒ Rmis a point-to-set map defining state-based input constraints anddefine U as the viable set of continuous controllers

U = {k ∈ C0 : k(x) ∈ U(x) ∀x ∈ D}. (67)

A practical way of representing U is through a set of qinequalities

U(x) = {u ∈ Rm : ei(x, u) ≤ 0 i = 1, . . . , q} (68)

where ei(x, u) : D × Rm → R are scalar-valued functionsthat define state based input constraints. We assume U can bewritten in this form for the rest of the section.

A set S ⊆ D is positively controlled invariant if thereexists a continuous controller k within the possible class ofcontrollers U such that S is positively invariant with respectto the closed loop system x = f(x) + g(x)k(x) [1, Def 4.4].

We now state the corresponding definition of minimalbarrier functions for control affine systems.

Definition 5. For the control affine system in (66), a continu-ously differentiable function h : D → R is a minimal controlbarrier function (MCBF) if there exists a minimal function µsuch that for all x ∈ D,

supu∈U(x)

[Lfh(x) + Lgh(x)u] ≥ µ(h(x)) (69)

where Lfh(x) = ∂h∂xf(x) and Lgh(x) = ∂h

∂xg(x) denotecorresponding Lie derivatives.

The set of viable controls is described by the point-to-setmap K : D ⇒ Rm given by

K(x) = {u ∈ U(x) : Lfh(x) + Lgh(x)u ≥ µ(h(x))}. (70)

Verification of the existence of controllers with certainproperties can be treated as a selection problem, which hasbeen extensively studied in topology [47]. Specifically, thefeedback controller k is a selection of K if k(x) ∈ K(x)for all x ∈ D. Note that for a controller k to render the set Sinvariant, it must necessarily be a selection from the point-to-set map K.


Additionally, the controller k must come from the set ofcontinuous viable controllers U in order for solutions ofthe closed loop system to exist. Furthermore, continuity ofk is also necessary to apply the differential inequality inProposition 1 and to satisfy the proposed definition of positivecontrolled invariance.

Theorem 6. Given the control affine system (66), consider anonempty S = {x ∈ D : h(x) ≥ 0} for some continuouslydifferentiable h : D → R. If h is a MCBF as in Definition 5and there exists a continuous controller k ∈ U such that k isa selection of K, then S is positively controlled invariant.

Proof. Analogous to the proof of Theorem 1.

To guarantee existence of a continuous controller k, K beingnonempty is not sufficient, and additional conditions on Kmust be assumed. The next theorem gives sufficient conditionson the existence of a continuous controller k that is a selectionof K and therefore can be used to satisfy Theorem 6 to renderS positively invariant.

We introduce strictly quasiconvex [44] functions as func-tions e : D → R that satisfy

e(u1) < e(u2) =⇒ e(θu1 + (1− θ)u2) < e(u2) (71)

for θ ∈ (0, 1). We use strictly quasiconvex functions togeneralize linear input constraints to a certain class of convexinput constraints.

With U characterized as in (68), we also denote the strictinterior KI : D ⇒ Rm as

KI(x) = {u ∈ Rm : ei(x, u) < 0 i = 1, . . . , q,

Lfh(x) + Lgh(x)u > µ(h(x))}. (72)

using ei(x, u) directly in lieu of the admissible input set U(x).

Proposition 6. Given U defined as in (68), assume theconstraint functions ei are all continuous in x and u andstrictly quasiconvex in u for each fixed x. If KI(x) is nonemptyfor each x, then there exists a continuous controller k that isa selection of K.

Proof. Define e0 : D × Rm → R according to

e0(x, u) = −Lfh(x)− Lgh(x)u+ µ(h(x)). (73)

Notice that e0 is also continuous in x and u and strictlyquasiconvex in u for each fixed x. The viable control mapK defined in (70) can then be described as

K(x) = {u ∈ Rm : ei(x, u) ≤ 0 for all i = 0, . . . , q}. (74)

Because KI(x) is assumed to be nonempty for each x, and allei are continuous and strictly quasiconvex in u for each fixedx, the closure KI(x) = K(x) for all x ∈ D [44, Lemma 5],[42], and therefore K is a l.s.c map [42, Thm 13]. Furthermore,since all ei are continuous in x and u and strictly quasiconvexin u for each fixed x, it holds that K(x) is a closed, convexset in Rm for all x ∈ D. Because K is a l.s.c point-to-set mapthat maps to closed, convex subsets, there exists a continuouscontroller k that is a selection of K [48, 1.11 Thm 1].

Proposition 6 is based on the well known Michael’s se-lection theorem [47]. Other selection theorems exist, e.g. see

[48], which can give existence conditions for different typesof controllers.

Usually, a controller k is selected from K based on someoptimality criteria. A common approach for safety based con-trol is to first obtain a nominal controller knom : D → Rm thatis not verified for either guaranteeing invariance or satisfyinginput constraints. The nominal controller is then used withinan optimization program in which k is selected from K, whileminimizing loss from k(x) and knom(x) at each x, that is,

k(x) = argminu∈K(x)

`(u, knom(x)) (75)

where ` : Rm × Rm → R+ is some loss function.Properties of the controller k can be analyzed as a selection

of K, and conditions on K can be formulated to guaranteecontinuity of k. In [4] and [49], Lipschitz continuity ofcontrollers specifically for quadratic programs regarding aminimum norm controller of knom ≡ 0 was explored. In[49], continuity of a controller defined by a quadratic programwas also explored with linear input constraints. In this paper,however, continuity of a controller is defined by a generalnonlinear optimization program, with a quadratic cost as aspecial case.

The next proposition shows continuity of a pointwise opti-mal controller defined by a general nonlinear program.

Proposition 7. Consider k defined by the optimization prob-lem (75). If K defined in (70) is a continuous, nonemptypoint-to-set-map, the nominal controller knom is continuous,`(u1, u2) is continuous in u1 and u2, and there exists a uniqueminimizer u ∈ K(x) of `(·, knom(x)) for each x ∈ D, thenthe controller k is continuous.

Proof. Since knom is a continuous function, it trivially in-duces the continuous singleton point-to-set map k′nom(x) ={knom(x)}. Since k′nom and K are continuous point-to-setmaps, the Cartesian product

K × k′nom : D ⇒ Rm × Rm (76)

is a continuous point-to-set map as well [41, Sec 6.4, Thm 4,4’]. Define

V (x) = inf{`(u1, u2) : (u1, u2) ∈ K(x)× k′nom(x)} (77)

and let the optimal selection function be

Φ(x) = {(u1, u2) ∈ K(x)× k′nom(x) : `(u1, u2) = V (x)}.(78)

By assumption of a unique minimizer u1 for a fixed u2 =knom(x), Φ is a singleton point-to-set map. We show that Φis a u.s.c map. Since K × k′nom is a continuous point-to-setmap and ` is a continuous function, V is a continuous function[41, Max Thm 4.2]. The point-to-set map

∆(x) = {(u1, u2) ∈ K(x)× k′nom(x) : (79)V (x)− `(u1, u2) ≤ 0}

is a closed point-to-set map, since V is continuous in x and` is continuous in u1 and u2 [42, Thm 10]. Notice that

Φ(x) = (K(x)× k′nom(x)) ∩∆(x). (80)


Because K is assumed to be continuous map and ∆ is a closedmap, Φ is an u.s.c map [41, Sec 6.1 Thm 7]. Since Φ is an u.s.csingleton point-to-set map, it directly induces a continuousfunction Φ′ defined by Φ(x) = {Φ′(x)} [41]. Take

k(x) = (p ◦ Φ′)(x) (81)

where p is the projection function from (u1, u2) to u1. Itfollows that the optimal controller k is a continuous functionsince Φ′ is continuous.

A point-to-set map formulation allows for analyzing prop-erties regarding a general pointwise optimization of a safecontroller. However, in real time applications, a quadraticprogram can be utilized to minimize the Euclidean distancebetween the optimal and nominal controller [2]. The nextproposition gives practical conditions on when the quadraticprogram gives a continuous controller.

Proposition 8. Given U as defined in (68), assume that⋃x∈D U(x) is compact, ei are all continuous and strictly

quasiconvex functions in u for each fixed x, and knom iscontinuous in x. If KI(x) as defined in (72) is nonempty foreach x, the controller k defined by the quadratic program

k(x) = argminu∈K(x)

∥∥u− knom(x)∥∥2

(82)

is continuous.

Proof. It is shown in the proof of Proposition 6 that K is anl.s.c point-to-set map that maps to convex sets in Rm. As all eiare continuous, K is a closed mapping [42, Thm 10], and sinceK is assumed to map into the compact set

⋃x∈D U(x), K is

u.s.c [41, Sec 6.1 Thm 7]. Therefore K is a continuous point-to-set map. Since K maps to a convex set and `(u, knom(x)) =∥∥u− knom(x)

∥∥2is strictly convex in u for a fixed knom(x) for

each x ∈ D, there exists at most one solution to the quadraticprogram. Because K is a continuous, nonempty point-to-setmap, knom is continuous in x, and ` is continuous in u1 andu2 and there is a unique minimizer of `(·, knom(x)) for eachx ∈ D, by Proposition 7, k is a continuous controller that isa selection of K.

The next example verifies that a program with a quadraticcost and linear constraints returns a continuous controller.

Example 10. Consider a system x = u for the domain D =(−1,∞), a barrier function h(x) = x, and a minimal functionµ(w) = −w. Furthermore, let the input constraints be a state-independent box constraint U(x) = {u ∈ R : −1 ≤ u ≤ 1}and the desired nominal controller be knom(x) ≡ 0. Thenwe can define the following quadratic program to generate anoptimal controller

k(x) = argminu∈Rm

∥∥u∥∥2

s.t. u ≥ −Lfh(x) + µ(h(x))

Lgh(x)= −x

u ≥ −1

−u ≥ −1.

Solving for the explicit controller gives

k(x) =

{−x 0 ≥ x > −1

0 x ≥ 0(83)

Notice all of the assumptions for Proposition 8 are satisfied,and indeed the resulting controller k is continuous in x. Wealso observe that there is no feasible solution on the interval{x < −1}.

VII. CONCLUSION

This paper presents minimal barrier functions, which stemfrom scalar differential inequalities, to give the minimumassumptions for utilizing a continuously differentiable barrierfunction. We have characterized a class of comparison systemsviable for verifying invariance of sets defined via a barrierfunction inequality and have proposed equivalent computableconditions. This paper also exemplifies the connection betweenbarrier flow constraints and ones stemming from set-basedLyapunov theory. We then further extend these minimal barrierfunctions to time varying and control formulations. We alsopropose relevant conditions for the existence of a continuouscontroller that can be used for a minimal control barrierfunction.

While directly associated with Lyapunov theory, with acomparable domain-wide flow inequality, this paper also ex-plores the relationship of minimal barrier functions and thehistoric theory for set-invariance verification developed byNagumo, Bony, Brezis and others. By formulating necessaryconditions for the existence of minimal barrier functions,the relation between the assumptions of both approaches isalso elucidated. By characterizing this relationship with theclassical approach of verifying set invariance and rooting theproposed formulation directly in differential inequalities, thispaper aims to provide a theoretical foundation for minimalbarrier functions.

REFERENCES

[1] F. Blanchini and S. Miani, Set-theoretic methods in control. Springer,2008.

[2] A. D. Ames, J. W. Grizzle, and P. Tabuada, “Control barrier functionbased quadratic programs with application to adaptive cruise control,” in53rd IEEE Conference on Decision and Control, pp. 6271–6278, IEEE,2014.

[3] A. D. Ames, X. Xu, J. W. Grizzle, and P. Tabuada, “Control barrierfunction based quadratic programs for safety critical systems,” IEEETransactions on Automatic Control, vol. 62, no. 8, pp. 3861–3876, 2017.

[4] X. Xu, P. Tabuada, J. W. Grizzle, and A. D. Ames, “Robustness ofcontrol barrier functions for safety critical control,” IFAC-PapersOnLine,vol. 48, no. 27, pp. 54–61, 2015.

[5] X. Xu, T. Waters, D. Pickem, P. Glotfelter, M. Egerstedt, P. Tabuada,J. W. Grizzle, and A. D. Ames, “Realizing simultaneous lane keepingand adaptive speed regulation on accessible mobile robot testbeds,” inIEEE Conference on Control Technology and Applications, (Mauna Lani,HI), pp. 1769–1775, August 2017.

[6] X. Xu, J. W. Grizzle, P. Tabuada, and A. D. Ames, “Correctnessguarantees for the composition of lane keeping and adaptive cruisecontrol,” IEEE Transactions on Automation Science and Engineering,vol. 15, no. 3, pp. 1216–1229, 2018.

[7] M. Jankovic, “Robust control barrier functions for constrained stabiliza-tion of nonlinear systems,” Automatica, vol. 96, pp. 359–367, 2018.

[8] U. Borrmann, L. Wang, A. D. Ames, and M. Egerstedt, “Control barriercertificates for safe swarm behavior,” IFAC-PapersOnLine, vol. 48,no. 27, pp. 68–73, 2015.


[9] L. Wang, A. D. Ames, and M. Egerstedt, “Safety barrier certificatesfor collisions-free multirobot systems,” IEEE Transactions on Robotics,vol. 33, no. 3, pp. 661–674, 2017.

[10] D. Pickem, P. Glotfelter, L. Wang, M. Mote, A. Ames, E. Feron, andM. Egerstedt, “The robotarium: A remotely accessible swarm roboticsresearch testbed,” in Robotics and Automation (ICRA), 2017 IEEEInternational Conference on, pp. 1699–1706, IEEE, 2017.

[11] G. Wu and K. Sreenath, “Safety-critical control of a planar quadrotor,”in American Control Conference (ACC), 2016, pp. 2252–2258, IEEE,2016.

[12] L. Wang, A. D. Ames, and M. Egerstedt, “Safety barrier certificatesfor collisions-free multirobot systems,” IEEE Transactions on Robotics,vol. 33, no. 3, pp. 661–674, 2017.

[13] G. Bouligand, Introduction a la geometrie infinitesimale directe. Vuibert,1932.

[14] M. Nagumo, “Uber die lage der integralkurven gewohnlicher differen-tialgleichungen,” Proceedings of the Physico-Mathematical Society ofJapan. 3rd Series, vol. 24, pp. 551–559, 1942.

[15] J.-M. Bony, “Principe du maximum, inegalite de harnack et unicitedu probleme de cauchy pour les operateurs elliptiques degeneres,” inAnnales de l’institut Fourier, vol. 19, pp. 277–304, 1969.

[16] H. Brezis, “On a characterization of flow-invariant sets,” Communica-tions on Pure and Applied Mathematics, vol. 23, no. 2, pp. 261–263,1970.

[17] R. Redheffer, “The theorems of bony and brezis on flow-invariant sets,”The American Mathematical Monthly, vol. 79, no. 7, pp. 740–747, 1972.

[18] G. Ladde, V. Lakshmikantham, et al., “On flow-invariant sets.,” PacificJournal of Mathematics, vol. 51, no. 1, pp. 215–220, 1974.

[19] F. Blanchini, “Set invariance in control,” Automatica, vol. 35, no. 11,pp. 1747–1767, 1999.

[20] J.-P. Aubin, Viability theory. Springer Science & Business Media, 2009.[21] S. Prajna and A. Jadbabaie, “Safety verification of hybrid systems

using barrier certificates,” in International Workshop on Hybrid Systems:Computation and Control, pp. 477–492, Springer, 2004.

[22] S. Prajna, A. Jadbabaie, and G. J. Pappas, “A framework for worst-case and stochastic safety verification using barrier certificates,” IEEETransactions on Automatic Control, vol. 52, no. 8, pp. 1415–1428, 2007.

[23] R. Wisniewski and C. Sloth, “Converse barrier certificate theorems,”IEEE Transactions on Automatic Control, vol. 61, no. 5, pp. 1356–1361,2015.

[24] A. Rantzer and S. Prajna, “On analysis and synthesis of safe controllaws,” in 42nd Allerton Conference on Communication, Control, andComputing, 2004.

[25] M. Maghenem and R. G. Sanfelice, “Characterizations of safety inhybrid inclusions via barrier functions,” in Proceedings of the 22nd ACMInternational Conference on Hybrid Systems: Computation and Control,pp. 109–118, ACM, 2019.

[26] M. Maghenem and R. G. Sanfelice, “Sufficient conditions for forwardinvariance and contractivity in hybrid inclusions using barrier functions,”arXiv preprint arXiv:1908.03980, 2019.

[27] K. P. Tee, S. S. Ge, and E. H. Tay, “Barrier lyapunov functions for thecontrol of output-constrained nonlinear systems,” Automatica, vol. 45,no. 4, pp. 918–927, 2009.

[28] M. Z. Romdlony and B. Jayawardhana, “Uniting control lyapunov andcontrol barrier functions,” in Decision and Control (CDC), 2014 IEEE53rd Annual Conference on, pp. 2293–2298, IEEE, 2014.

[29] M. Z. Romdlony and B. Jayawardhana, “Stabilization with guaranteedsafety using control lyapunov–barrier function,” Automatica, vol. 66,pp. 39–47, 2016.

[30] H. Kong, F. He, X. Song, W. N. Hung, and M. Gu, “Exponential-condition-based barrier certificate generation for safety verification ofhybrid systems,” in International Conference on Computer Aided Veri-fication, pp. 242–257, Springer, 2013.

[31] P. Hartman, “Ordinary differential equations,” 1964.[32] B. Pachpatte, Inequalities for differential and integral equations,

vol. 197. Elsevier, 1997.[33] V. Lakshmikantham and S. Leela, Differential and Integral Inequalities:

Theory and Applications: Volume I: Ordinary Differential Equations.Academic press, 1969.

[34] D. D. Bainov and P. S. Simeonov, Integral inequalities and applications,vol. 57. Springer Science & Business Media, 2013.

[35] V. I. Zubov, Methods of AM Lyapunov and their Application. P.Noordhoff, 1964.

[36] N. P. Bhatia and G. P. Szego, Dynamical systems: stability theory andapplications, vol. 35. Springer, 2006.

[37] R. P. Agarwal and V. Lakshmikantham, Uniqueness and nonuniquenesscriteria for ordinary differential equations, vol. 6. World ScientificPublishing Company, 1993.

[38] R. M. Redheffer and W. Walter, “Flow-invariant sets and differentialinequalities in normed spaces,” Applicable Analysis, vol. 5, no. 2,pp. 149–161, 1975.

[39] A. D. Ames, S. Coogan, M. Egerstedt, G. Notomista, K. Sreenath, andP. Tabuada, “Control barrier functions: Theory and applications,” arXivpreprint arXiv:1903.11199, 2019.

[40] L. Lindemann and D. V. Dimarogonas, “Control barrier functions forsignal temporal logic tasks,” IEEE control systems letters, vol. 3, no. 1,pp. 96–101, 2019.

[41] C. Berge, Topological Spaces: including a treatment of multi-valuedfunctions, vector spaces, and convexity. Courier Corporation, 1997.

[42] W. W. Hogan, “Point-to-set maps in mathematical programming,” SIAMreview, vol. 15, no. 3, pp. 591–603, 1973.

[43] H. J. Greenberg and W. P. Pierskalla, “Extensions of the Evans-Gouldstability theorems for mathematical programs,” Operations Research,vol. 20, no. 1, pp. 143–153, 1972.

[44] J. P. Evans and F. J. Gould, “Stability in nonlinear programming,”Operations Research, vol. 18, no. 1, pp. 107–118, 1970.

[45] A. V. Dmitruk, A. A. Milyutin, and N. P. Osmolovskii, “Lyusternik’stheorem and the theory of extrema,” Russian Mathematical Surveys,vol. 35, no. 6, p. 11, 1980.

[46] J.-P. Aubin and I. Ekeland, Applied nonlinear analysis. Courier Corpo-ration, 2006.

[47] E. Michael, “Continuous selections. i,” Annals of mathematics, pp. 361–382, 1956.

[48] J.-P. Aubin and A. Cellina, Differential inclusions: set-valued maps andviability theory, vol. 264. Springer Science & Business Media, 2012.

[49] B. J. Morris, M. J. Powell, and A. D. Ames, “Continuity and smoothnessproperties of nonlinear optimization-based feedback controllers,” in 201554th IEEE Conference on Decision and Control (CDC), pp. 151–158,IEEE, 2015.

Rohit Konda received a B.S in Biomedical En-gineering in 2018 and an M.S in Electrical andComputer Engineering in 2019 from GeorgiaTech. He is currently a Regent’s Fellow pur-suing a Ph.D in the Department of Electricaland Computer Engineering at the University ofCalifornia, Santa Barbara. His research interestsinclude formal methods and safety verification ofnonlinear systems with applications to autonomyand robotics.


Aaron D. Ames is the Bren Professor of Me-chanical and Civil Engineering and Control andDynamical Systems at the California Institute ofTechnology. He received a B.S. in MechanicalEngineering and a B.A. in Mathematics fromthe University of St. Thomas in 2001, and hereceived a M.A. in Mathematics and a Ph.D. inElectrical Engineering and Computer Sciencesfrom UC Berkeley in 2006. Dr. Ames served asa Postdoctoral Scholar in Control and DynamicalSystems at Caltech from 2006 to 2008, and

began is faculty career at Texas A & M University in 2008. Prior to joiningCaltech, he was an Associate Professor in Mechanical Engineeringand Electrical & Computer Engineering at the Georgia Institute ofTechnology. At UC Berkeley, he was the recipient of the 2005 Leon O.Chua Award for achievement in nonlinear science and the 2006 BernardFriedman Memorial Prize in Applied Mathematics. Dr. Ames receivedthe NSF CAREER award in 2010, and is the recipient of the 2015Donald P. Eckman Award recognizing an outstanding young engineerin the field of automatic control. His research interests span the areasof robotics, nonlinear control and hybrid systems, with a special focuson applications to bipedal robotic walking–both formally and throughexperimental validation. His lab designs, builds and tests novel bipedalrobots, humanoids and prostheses with the goal of achieving human-likebipedal robotic locomotion and translating these capabilities to roboticassistive devices. The application of these ideas range from increasedautonomy in robots to improving the locomotion capabilities of themobility impaired.

Samuel Coogan is an Assistant Professor atGeorgia Tech in the School of Electrical andComputer Engineering and the School of Civiland Environmental Engineering. Prior to joiningGeorgia Tech in July 2017, he was an assistantprofessor in the Electrical Engineering Depart-ment at UCLA from 2015-2017. He receivedthe B.S. degree in Electrical Engineering fromGeorgia Tech and the M.S. and Ph.D. degrees inElectrical Engineering from the University of Cal-ifornia, Berkeley. His research is in the area of

dynamical systems and autonomy and focuses on developing scalabletools for verification and control of networked, cyber-physical systemswith an emphasis on transportation systems. He received a CAREERaward from NSF in 2018, a Young Investigator Award from the Air ForceOffice of Scientific Research in 2018, and the Outstanding Paper Awardfor the IEEE Transactions on Control of Network Systems in 2017.

characterizing safety: minimal barrier functions from...

Documents