Soft-Minimum and Soft-Maximum Barrier Functions for
Safety with Actuation Constraints

Robots and autonomous systems are often required to respect safety-critical constraints while achieving a specified task [1, 2]. Safety constraints can be achieved by determining a control that makes a designated safe set ${\mathcal{S}}_{\rm s}\subset{\mathbb{R}}^{n}$ forward invariant with respect to the closed-loop dynamics [3], that is, designing a control for which the state is guaranteed to remain in ${\mathcal{S}}_{\rm s}$. Approaches that address safety using set invariance include reachability methods [4, 5], model predictive control [6, 7, 8], and barrier function (BF) methods (e.g., [9, 10, 11, 12, 13, 14, 15]).

Barrier functions are employed in a variety of ways. For example, they are used for Lyapunov-like control design and analysis [9, 10, 11, 12]. As another example, the control barrier function (CBF) approaches in [13, 14, 15] compute the control signal using real-time optimization. These optimization-based methods can be modular in that they often combine a nominal performance controller (which may not attempt to respect safety) with a safety filter that performs a real-time optimization using CBF constraints to generate a control that guarantees safety. This real-time optimization is often formulated as an instantaneous minimum-intervention problem, that is, the problem of finding a control at the current time instant that is as close as possible to the nominal performance control while satisfying the CBF safety constraints.

Barrier-function methods typically rely on the assumption that ${\mathcal{S}}_{\rm s}$ is control forward invariant (i.e., there exists a control that makes ${\mathcal{S}}_{\rm s}$ forward invariant). For systems without actuator constraints (i.e., input constraints), control forward invariance is satisfied under relatively minor structural assumptions (e.g., constant relative degree). In this case, the control can be generated from a quadratic program that employs feasible CBF constraints (e.g., [13, 14, 15]). In contrast, actuator constraints can prevent ${\mathcal{S}}_{\rm s}$ from being control forward invariant. In this case, it may be possible to compute a control forward invariant subset of ${\mathcal{S}}_{\rm s}$ using methods such as Minkowski operations [16], sum-of-squares [17, 18], approximate solutions of a Hamilton-Jacobi partial differential equation [19], or sampling [20]. However, these methods may not scale to high-dimensional systems.

Another approach to address safety with actuator constraints is to use a prediction of the system trajectories into the future to obtain a control forward invariant subset of ${\mathcal{S}}_{\rm s}$. For example, [21] uses the trajectory under a backup control. However, [21] uses an infinite time horizon prediction, which limits applicability. In contrast, [22, 23] determine a control forward invariant subset of ${\mathcal{S}}_{\rm s}$ from a BF constructed from a finite-horizon prediction under a backup control. This BF uses the minimum function, which is not continuously differentiable and cannot be used directly to form a BF constraint for real-time optimization. Thus, [22, 23] replace the original BF by a finite number of continuously differentiable BFs. However, the number of substitute BFs (and thus optimization constraints) increases as the prediction horizon increases, and these multiple BF constraints can be conservative. It is also worth noting that [22, 23] do not guarantee feasibility of the optimization with these multiple BF constraints. Related approaches are in [24, 25, 26].

This paper makes several new contributions. First, we present a soft-minimum BF that uses a finite-horizon prediction of the system trajectory under a backup control. We show that this BF describes a control forward invariant (subject to actuator constraints) subset of ${\mathcal{S}}_{\rm s}$. Since the soft-minimum BF is continuously differentiable, it can be used to form a single non-conservative BF constraint regardless of the prediction horizon. The soft-minimum BF facilitates the paper’s second contribution, namely, a real-time optimization-based control that guarantees safety with actuator constraints. Notably, the optimization required to compute the control is convex with guaranteed feasibility. Next, we extend this approach to allow from multiple backup controls by using a novel soft-maximum/soft-minimum BF. In comparison to the soft-minimum BF, the soft-maximum/soft-minimum BF (with multiple backup controls) can yield a larger control forward invariant subset of ${\mathcal{S}}_{\rm s}$. Some preliminary results on the soft-minimum BF appear in [27].

Let $\rho>0$, and consider $\mbox{softmin}_{\rho},\mbox{softmax}_{\rho}:{\mathbb{R}}^{N}\to{\mathbb{R}}$ defined by

which are the soft minimum and soft minimum. The next result relates soft minimum and soft maximum to the minimum and maximum.

Proposition 1 shows that as $\rho\to\infty$, $\mbox{softmin}_{\rho}$ and $\mbox{softmax}_{\rho}$ converge to the minimum and maximum. Thus, $\mbox{softmin}_{\rho}$ and $\mbox{softmax}_{\rho}$ are smooth approximations of the minimum and maximum. Note that if $N>1$, then the soft minimum is strictly less than the minimum.

For a continuously differentiable function $\eta\colon{\mathbb{R}}^{n}\to{\mathbb{R}}^{l}$, let $\eta^{\prime}\colon{\mathbb{R}}^{n}\to{\mathbb{R}}^{l\times n}$ be defined by $\eta^{\prime}(x)=\frac{\partial\eta(x)}{\partial x}$. The Lie derivatives of $\eta$ along the vector field of $\psi\colon{\mathbb{R}}^{n}\to{\mathbb{R}}^{n\times p}$ is $L_{\psi}\eta(x)\triangleq\eta^{\prime}(x)\psi(x)$. Let $\mbox{int }{\mathcal{A}}$, $\mbox{bd }{\mathcal{A}}$, $\mbox{cl }{\mathcal{A}}$ denote the interior, boundary, and closure of the set ${\mathcal{A}}\subset{\mathbb{R}}^{n}$. Let $a,b\in{\mathbb{R}}^{r}$. If each element of $a$ is less than or equal to the corresponding element of $b$, then we write $a\preceq b$.

Consider

where $f:{\mathbb{R}}^{n}\to{\mathbb{R}}^{n}$ and $g:{\mathbb{R}}^{n}\to{\mathbb{R}}^{n\times m}$ are continuously differentiable on ${\mathbb{R}}^{n}$, $x(t)\in{\mathbb{R}}^{n}$ is the state, $x(0)=x_{0}\in{\mathbb{R}}^{n}$ is the initial condition, and $u(t)\in{\mathbb{R}}^{m}$ is the control. Let $A_{u}\in{\mathbb{R}}^{r\times m}$ and $b_{u}\in{\mathbb{R}}^{r}$, and define

which we assume is bounded and not empty. We call $u$ an admissible control if for all $t\geq 0$, $u(t)\in{\mathcal{U}}$.

Let $h_{\rm s}:{\mathbb{R}}^{n}\to{\mathbb{R}}$ be continuously differentiable, and define the safe set

Note that ${\mathcal{S}}_{\rm s}$ is not assumed to be control forward invariant with respect to (1) where $u$ is an admissible control. In other words, there may not exist an admissible control $u$ such that if $x_{0}\in{\mathcal{S}}_{\rm s}$, then for all $t\geq 0$, $x(t)\in{\mathcal{S}}_{\rm s}$.

Next, consider the nominal desired control $u_{\rm d}:{\mathbb{R}}^{n}\to{\mathbb{R}}^{m}$ designed to satisfy performance specifications, which can be independent of and potentially conflict with safety. Thus, ${\mathcal{S}}_{\rm s}$ is not necessarily forward invariant with respect to (1) where $u=u_{\rm d}$. We also note that $u_{\rm d}$ is not necessarily an admissible control.

The objective is to design a full-state feedback control $u:{\mathbb{R}}^{n}\to{\mathbb{R}}^{m}$ such that for all initial conditions in a subset of ${\mathcal{S}}_{\rm s}$, the following hold:

1. (O1)

   For all $t\geq 0$, $x(t)\in{\mathcal{S}}_{\rm s}$.

2. (O2)

   For all $t\geq 0$, $u(x(t))\in{\mathcal{U}}$.

3. (O3)

   For all $t\geq 0$, $\|u(x(t))-u_{\rm d}(x(t))\|_{2}$ is small.

Consider a continuously differentiable backup control $u_{\rm b}:{\mathbb{R}}^{n}\to{\mathcal{U}}$. Let $h_{\rm b}:{\mathbb{R}}^{n}\to{\mathbb{R}}$ be continuously differentiable, and define the backup safe set

We assume ${\mathcal{S}}_{\rm b}\subseteq{\mathcal{S}}_{\rm s}$ and make the following assumption.

Assumption 1 states that ${\mathcal{S}}_{\rm b}$ is forward invariant with respect to (1) where $u=u_{\rm b}$. However, ${\mathcal{S}}_{\rm b}$ may be small relative to ${\mathcal{S}}_{\rm s}$.

Consider $\tilde{f}:{\mathbb{R}}^{n}\to{\mathbb{R}}^{n}$ defined by

which is the right-hand side of the closed-loop dynamics (1) with $u=u_{\rm b}$. Next, let $\phi:{\mathbb{R}}^{n}\times[0,\infty)\to{\mathbb{R}}^{n}$ satisfy

which implies that $\phi(x,\tau)$ is the solution to (1) at time $\tau$ with $u=u_{\rm b}$ and initial condition $x$.

Let $T>0$ be a time horizon, and consider $h_{*}:{\mathbb{R}}^{n}\to{\mathbb{R}}$ defined by

and define

For all $x\in{\mathcal{S}}_{*}$, the solution (6) under $u_{\rm b}$ does not leave ${\mathcal{S}}_{\rm s}$ and reaches ${\mathcal{S}}_{\rm b}$ by time $T$. The next result relates ${\mathcal{S}}_{*}$ to ${\mathcal{S}}_{\rm b}$ and ${\mathcal{S}}_{\rm s}$. The result is similar to [22, Proposition 6].

Let $x_{1}\in{\mathcal{S}}_{\rm b}$. Assumption 1 implies for all $t\geq 0$, $\phi(x_{1},t)\in{\mathcal{S}}_{\rm b}\subseteq{\mathcal{S}}_{\rm s}$, which implies for all $t\geq 0$, $h_{\rm s}(\phi(x_{1},t))\geq 0$ and $h_{\rm b}(\phi(x_{1},t))\geq 0$. Thus, it follows from (7) and (8) that $h_{*}(x_{1})\geq 0$, which implies $x_{1}\in{\mathcal{S}}_{*}$. Therefore, ${\mathcal{S}}_{\rm b}\subseteq{\mathcal{S}}_{*}$.

Let $x_{2}\in{\mathcal{S}}_{*}$, and (7) implies $h_{\rm s}(x_{2})=h_{\rm s}(\phi(x_{2},0))\geq h_{*}(x_{2})\geq 0$. Thus, $x_{2}\in{\mathcal{S}}_{\rm s}$, which implies ${\mathcal{S}}_{*}\subseteq{\mathcal{S}}_{\rm s}$. $\Box$

The next result shows that ${\mathcal{S}}_{*}$ is forward invariant with respect to (1) where $u=u_{\rm b}$. In fact, this result shows that the state converges to ${\mathcal{S}}_{\rm b}\subseteq{\mathcal{S}}_{*}$ by time $T$.

To prove (a), since $x_{0}\in{\mathcal{S}}_{*}$, it follows from (7) and (8) that $h_{\rm b}(\phi(x_{0},T))\geq 0$, which implies $x(T)=\phi(x_{0},T)\in{\mathcal{S}}_{\rm b}$. Since $x(T)\in{\mathcal{S}}_{\rm b}$, Assumption 1 implies for all $t\geq T$, $x(t)\in{\mathcal{S}}_{\rm b}$, which confirms (a).

To prove (b), let $t_{1}\geq 0$ and consider 2 cases: $t_{1}\geq T$, and $t_{1}<T$. First, let $t_{1}\geq T$, and it follows from (a) that for all $t\geq t_{1}$, $x(t)\in{\mathcal{S}}_{\rm b}\subseteq{\mathcal{S}}_{\rm s}$. Since, in addition, for all $t\geq t_{1}$, $x(t)=\phi(x(t_{1}),t-t_{1})$, it follows from (7) and (8) that $h_{*}(x(t_{1}))\geq 0$, which implies $x(t_{1})\in{\mathcal{S}}_{*}$. Next, let $t_{1}<T$. Since $x_{0}\in{\mathcal{S}}_{*}$, it follows from (7) and (8) that for all $t\in[t_{1},T]$, $h_{\rm s}(\phi(x_{0},t))\geq 0$, which implies for all $t\in[t_{1},T]$, $x(t)=\phi(x_{0},t)\in{\mathcal{S}}_{\rm s}$. Since, in addition, for all $t\geq T$, $x(t)\in{\mathcal{S}}_{\rm b}\subseteq{\mathcal{S}}_{\rm s}$, it follows from from (7) and (8) that $h_{*}(\phi(x_{0},t_{1}))\geq 0$, which implies $x(t_{1})\in{\mathcal{S}}_{*}$. $\Box$

Proposition 3 implies that for all $x_{0}\in{\mathcal{S}}_{*}$, the backup control $u_{\rm b}$ satisfies (O1) and (O2). However, $u_{\rm b}$ does not address (O3). One approach to address (O3) is to use $h_{*}$ as a BF in a minimum intervention quadratic program. However, $h_{*}$ is not continuously differentiable. Thus, it cannot be used directly to construct a BF constraint because the constraint and associated control would not be well-defined at the locations in the state space where $h_{*}$ is not differentiable. This issue is addressed in [22] by using multiple BFs—one for each argument of the minimum in (7). However, (7) has infinitely many arguments because the minimum is over $[0,T]$. Thus, [22] uses a sampling of times. Specifically, let $N$ be a positive integer, and define ${\mathcal{N}}\triangleq\{0,1,\ldots,N\}$ and $T_{\rm s}\triangleq T/N$. Then, consider $\bar{h}_{*}:{\mathbb{R}}^{n}\to{\mathbb{R}}$ defined by

and define

The next result relates $\bar{\mathcal{S}}_{*}$ to ${\mathcal{S}}_{*}$ and ${\mathcal{S}}_{\rm s}$.

Let $x_{1}\in{\mathcal{S}}_{*}$, and it follows from from (7)–(10) that $x_{1}\in\bar{\mathcal{S}}_{*}$, which implies ${\mathcal{S}}_{*}\subseteq\bar{\mathcal{S}}_{*}$.

Let $x_{2}\in\bar{\mathcal{S}}_{*}$, and (9) implies $h_{\rm s}(x_{2})=h_{\rm s}(\phi(x_{2},0))\geq\bar{h}_{*}(x_{2})\geq 0$. Thus, $x_{2}\in{\mathcal{S}}_{\rm s}$, which implies $\bar{\mathcal{S}}_{*}\subseteq{\mathcal{S}}_{\rm s}$. $\Box$

The next result shows that for all $x_{0}\in\bar{\mathcal{S}}_{*}$, the backup control $u_{\rm b}$ causes the state to remain in $\bar{\mathcal{S}}_{*}$ at the sample times $T_{\rm s},2T_{\rm s},\ldots,NT_{\rm s}$ and converge to ${\mathcal{S}}_{\rm b}$ by time $T$.

To prove (a), since $x_{0}\in\bar{\mathcal{S}}_{*}$, it follows from (9) and (10) that $h_{\rm b}(\phi(x_{0},T))\geq 0$, which implies $x(T)=\phi(x_{0},T)\in{\mathcal{S}}_{\rm b}$. Since $x(T)\in{\mathcal{S}}_{\rm b}$, Assumption 1 implies for all $t\geq T$, $x(t)\in{\mathcal{S}}_{\rm b}$, which confirms (a).

To prove (b), let $i_{1}\in{\mathcal{N}}$. Since $x_{0}\in\bar{\mathcal{S}}_{*}$, it follows from (9) and (10) that for all $i\in\{i_{1},\ldots,N\}$, $h_{\rm s}(\phi(x_{0},iT_{\rm s}))\geq 0$, which implies for all $i\in\{i_{1},\ldots,N\}$, $x(iT_{\rm s})=\phi(x_{0},iT_{\rm s})\in{\mathcal{S}}_{\rm s}$. Since, in addition, for all $t\geq NT_{\rm s}$, $x(t)\in{\mathcal{S}}_{\rm b}\subseteq{\mathcal{S}}_{\rm s}$, it follows from (9) and (10) that $\bar{h}_{*}(\phi(x_{0},i_{1}T_{\rm s}))\geq 0$, which implies $x(i_{1}T_{\rm s})\in\bar{\mathcal{S}}_{*}$. $\Box$

Proposition 5 does not provide any information about the state in between the sample times. Thus, Proposition 5 does not imply that $\bar{\mathcal{S}}_{*}$ is forward invariant with respect to (1) where $u=u_{\rm b}$. However, we can adopt an approach similar to [22] to determine a superlevel set of $\bar{h}_{*}$ such that for all initial conditions in that superlevel set, $u_{\rm b}$ keeps the state in ${\mathcal{S}}_{*}$ for all time. To define this superlevel set, let $l_{\rm s}$ be the Lipschitz constant of $h_{\rm s}$ with respect to the two norm, and define $l_{\phi}\triangleq\sup_{x\in\bar{\mathcal{S}}_{*}}\|\tilde{f}(x)\|_{2}$, which is finite if ${\mathcal{S}}_{\rm s}$ is bounded. Define the superlevel set

The next result combines [22, Thm. 1] and Proposition 4.

Together, Propositions 3 and 6 imply that for all $x_{0}\in\underaccent{\bar}{\SSS}_{*}$, the backup control $u_{\rm b}$ keeps the state in ${\mathcal{S}}_{*}$ for all time. However, $u_{\rm b}$ does not address (O3).

Since $\bar{h}_{*}$ is not continuously differentiable, [22] addresses (O3) using a minimum intervention quadratic program with $N+1$ BFs—one for each of the arguments in (9). However, this approach has 3 drawbacks. First, the number of BFs increases as the time horizon $T$ increases or the sample time $T_{\rm s}$ decreases (i.e., as $N$ increases). Thus, the number of affine constraints and computational complexity increases as $N$ increases. Second, although imposing an affine constraint for each of the $N+1$ BFs is sufficient to ensure that $\bar{h}_{*}$ remains positive, it is not necessary. These $N+1$ affine constraints are conservative and can limit the set of feasible solutions for the control. Third, [22] does not guarantee feasibility of the optimization used to obtain the control.

The next section uses a soft-minimum BF to approximate $\bar{h}_{*}$ and presents a control synthesis approach with guaranteed feasibility and where the number of affine constraints is fixed (i.e., independent of $N$).

This section presents a continuous control that guarantees safety subject to the constraint that the control is admissible (i.e., in ${\mathcal{U}}$). The control is computed using a minimum intervention quadratic program with a soft-minimum BF constraint. The control also relies on a linear program to provide a feasibility metric, that is, a measure of how close the quadratic program is to becoming infeasible. Then, the control continuously transitions to the backup control $u_{\rm b}$ if the feasibility metric or the soft-minimum BF are less than user-defined thresholds.

Let $\rho_{1}>0$, and consider $h:{\mathbb{R}}^{n}\to{\mathbb{R}}$ defined by

which is continuously differentiable. Define

Proposition 1 implies that for all $x\in{\mathbb{R}}^{n}$, $h(x)<\bar{h}_{*}(x)$. Thus, ${\mathcal{S}}\subset\bar{\mathcal{S}}_{*}$. Proposition 1 also implies that for sufficiently large $\rho_{1}>0$, $h(x)$ is arbitrarily close to $\bar{h}_{*}(x)$. Thus, $h$ is a smooth approximation of $\bar{h}_{*}$. However, if $\rho_{1}>0$ is large, then $\|h^{\prime}(x)\|_{2}$ is large at points where $\bar{h}_{*}$ is not differentiable. Thus, selecting $\rho_{1}$ is a trade-off between the conservativeness of $h$ and the size of $\|h^{\prime}(x)\|_{2}$.

Next, let $\alpha>0$ and $\epsilon\in[0,\sup_{x\in{\mathcal{S}}}h(x))$. Consider $\beta\colon{\mathbb{R}}^{n}\to{\mathbb{R}}$ defined by

where $\beta$ exists because ${\mathcal{U}}$ is not empty. Define

The next result follows immediately from (14) and (15).

Let $\kappa_{h},\kappa_{\beta}>0$ and consider $\gamma\colon{\mathbb{R}}^{n}\to{\mathbb{R}}$ defined by

and define

Note that $\Gamma\subseteq{\mathcal{B}}$. For all $x\in\Gamma$, define

Since $\Gamma\subseteq{\mathcal{B}}$, Proposition 7 implies that for all $x\in\Gamma$, the quadratic program (18) has a solution.

Consider a continuous function $\sigma:{\mathbb{R}}\to[0,1]$ such that for all $a\in(-\infty,0]$, $\sigma(a)=0$; for all $a\in[1,\infty)$, $\sigma(a)=1$; and $\sigma$ is strictly increasing on $a\in[0,1]$. The following example provides one possible choice for $\sigma$.

Finally, define the control

Since $h$ is continuously differentiable, the quadratic program (18) requires only the single affine constraint (18b) as opposed to the $N+1$ constraints used in [22]. Since (18) has only one affine constraint, we can define the feasible set ${\mathcal{B}}$ as the zero-superlevel set of $\beta$, which is the solution to the linear program (14). Since there is only one affine constraint, we can use the homotopy in (19) to continuously transition from $u_{*}$ to $u_{\rm b}$ as $x$ leaves $\Gamma$.

The next theorem is the main result on the control (12)–(19) that uses the soft-minimum BF approach.

To prove (a), we first show that $u_{*}$ is continuous on $\Gamma$. Define $J(x,\hat{u})\triangleq\|\hat{u}-u_{\rm d}(x)\|_{2}^{2}$ and $\Omega(x)\triangleq\{\hat{u}\in{\mathcal{U}}:L_{f}h(x)+L_{g}h(x)\hat{u}+\alpha(h(x)-\epsilon)\geq 0\}$. Let $a\in\Gamma\subseteq{\mathcal{B}}$, and Proposition 7 implies $\Omega(a)$ is not empty. Since, in addition, $J(a,\hat{u})$ is strictly convex, ${\mathcal{U}}$ is convex, and (18b) with $x=a$ is convex, it follows that $u_{*}(a)$ is unique. Next, since for all $x\in\Gamma$, $u_{*}(x)\subseteq{\mathcal{U}}$ is bounded, it follows that $u_{*}(\Gamma)$ is bounded. Thus, $\mbox{cl }u_{*}(\Gamma)$ is compact. Next, since ${\mathcal{U}}$ is a convex polytope and (18b) is affine in $\hat{u}$, it follows from [31, Remark 5.5] that $\Omega$ is continuous at $a$. Finally, since $u_{*}(a)$ exists and is unique, $\mbox{cl }u_{*}(\Gamma)$ is compact, $\Omega$ is continuous at $a$, and $J$ is continuous on $a\times\Omega(a)$, it follows from [32, Corollary 8.1] that $u_{*}$ is continuous at $a$. Thus, $u_{*}$ is continuous on $\Gamma$.

Define $J_{2}(x,\hat{u})\triangleq L_{f}h(x)+L_{g}h(x)\hat{u}+\alpha(h(x)-\epsilon)$, and note that (14) implies $\beta(x)=\max_{\hat{u}\in{\mathcal{U}}}J_{2}(x,\hat{u})$. Since $J_{2}(x,\hat{u})$ is continuous on $\Gamma\times{\mathcal{U}}$ and ${\mathcal{U}}$ is compact, it follows from [32, Theorem 7] that $\beta$ is continuous on $\Gamma$. Thus, (17) implies $\gamma$ is continuous on $\Gamma$.

For all $x\in\Gamma$, define $b(x)\triangleq[1-\sigma(\gamma(x))]u_{\rm b}(x)+\sigma(\gamma(x))u_{*}(x)$. Since $u_{*}$, $\gamma$, and $u_{\rm b}$ are continuous on $\Gamma$, and $\sigma$ is continuous on ${\mathbb{R}}$, it follows that $b$ is continuous on $\Gamma$. Next, let $c\in\mbox{bd }\Gamma$. Since $u_{*}(c)\in{\mathcal{U}}$ is bounded, it follows from (16) and (17) that $b(c)=u_{{\rm b}}(c)$. Since $b$ is continuous on $\Gamma$, $u_{\rm b}$ is continuous on ${\mathbb{R}}^{n}$, and for all $x\in\mbox{bd }\Gamma$, $b(x)=u_{{\rm b}}(x)$, it follows from (19) that $u$ is continuous on ${\mathbb{R}}^{n}$.

To prove (b), let $d\in{\mathbb{R}}^{n}$. Since $u_{\rm b}(d),u_{*}(d)\in{\mathcal{U}}$, it follows from (2) that $A_{u}u_{\rm b}(d)\preceq b_{u}$ and $A_{u}u_{*}(d)\preceq b_{u}$. Since, in addition, $\sigma(\gamma(d))\in[0,1]$, it follows that

Next, summing (20) and (21) and using (19) yields $A_{u}u(d)\preceq b_{u}$, which implies $u(d)\in{\mathcal{U}}$.

To prove (c), assume for contradiction that for all $\tau\in(0,T_{\rm s}]$, $x(t_{1}+\tau)\not\in\bar{\mathcal{S}}_{*}$. Since, in addition, $x(t_{1})\in\rm{bd\,}\bar{\mathcal{S}}_{*}$, it follows from (10) that for all $\tau\in[0,T_{\rm s}]$, $\bar{h}_{*}(x(t_{1}+\tau))\leq 0$. Thus, Proposition 1 implies for all $\tau\in[0,T_{\rm s}]$, $h(x(t_{1}+\tau))<\bar{h}_{*}(x(t_{1}+\tau))\leq 0$, which combined with (16) and (17) implies $x(t_{1}+\tau)\not\in\Gamma$. Next, (19) implies the for all $\tau\in[0,T_{\rm s}]$, $u(x(t_{1}+\tau))=u_{\rm b}(x(t_{1}+\tau))$. Hence, Proposition 5 implies $x(t_{1}+T_{\rm s})\in\bar{\mathcal{S}}_{*}$, which is a contradiction.

To prove (d), let $a\in\Gamma$, and (16) and (17) impliy $h(a)\geq\epsilon\geq\frac{1}{2}T_{\rm s}l_{\phi}l_{\rm s}$. Since, in addition, Proposition 1 implies $\bar{h}_{*}(a)>h(a)$, it follows that $\bar{h}_{*}(a)>\frac{1}{2}T_{\rm s}l_{\phi}l_{\rm s}$. Thus, (11) implies $a\in\mbox{int }\underaccent{\bar}{\SSS}_{*}$, which implies $\Gamma\subset\underaccent{\bar}{\SSS}_{*}\subseteq{\mathcal{S}}_{*}$.

Let $t_{3}\geq 0$, and assume for contradiction that $x(t_{3})\notin{\mathcal{S}}_{*}$. Since, in addition, $x_{0}\in{\mathcal{S}}_{*}$ and $\Gamma\subset{\mathcal{S}}_{*}$, it follows that there exists $t_{2}\in[0,t_{3}]$ such that $x(t_{2})\in{\mathcal{S}}_{*}$ and for all $\tau\in[t_{2},t_{3}]$, $x(\tau)\not\in\Gamma$. Thus, (19) implies for all $\tau\in[t_{2},t_{3}]$, $u(x(\tau))=u_{{\rm b}}(x(\tau))$. Since, in addition, $x(t_{2})\in{\mathcal{S}}_{*}$, Proposition 3 implies $x(t_{3})\in{\mathcal{S}}_{*}$, which is a contradiction. $\Box$

Parts (a) and (b) of Theorem 1 guarantee that the control is continuous and admissible. Part (d) states that if $\epsilon\geq\frac{1}{2}T_{\rm s}l_{\phi}l_{\rm s}$, then ${\mathcal{S}}_{*}$ is forward invariant under the control and $x$ is in ${\mathcal{S}}_{\rm s}$ for all time. Part (c) shows that for any choice of $\epsilon>0$, $x$ is in the safe set ${\mathcal{S}}_{\rm s}$ at sample times $0,T_{\rm s},2T_{\rm s},3T_{\rm s},\ldots$.

The control (12)–(19) relies on the Lie derivatives in (14) and (18b). To calculate $L_{f}h$ and $L_{g}h$, note that

where $Q:{\mathbb{R}}^{n}\times[0,\infty)\to{\mathbb{R}}^{n\times n}$ is defined by $Q(x,\tau)\triangleq\frac{\partial\phi(x,\tau)}{\partial x}$. Differentiating (6) with respect to $x$ yields

Next, differentiating (23) with respect to $\tau$ yields

Note that for all $x\in{\mathbb{R}}^{n}$, $Q(x,\tau)$ is the solution to (24), where the initial condition is $Q(x,0)=I$. Thus, for all $x\in{\mathbb{R}}^{n}$, $L_{f}h(x)$ and $L_{g}h(x)$ can be calculated from (5), where $\phi(x,\tau)$ is the solution to (1) under $u_{\rm b}$ on the interval $\tau\in[0,T]$ with $\phi(x,0)=x$, and $Q(x,\tau)$ is the solution to (24) on the interval $\tau\in[0,T]$ with $Q(x,0)=I$. In practice, these solutions can be computed numerically at the time instants where the control algorithm (12)–(19) is executed (i.e., the time instants where the control is updated). Algorithm 1 summarizes the implementation of (12)–(19), where $\delta t>0$ is the time increment for a zero-order-hold on the control.

The control (12)–(19) involves the user-selected parameters $\rho_{1},\alpha,\kappa_{h},\kappa_{\beta}>0$. Recall that large $\rho_{1}$ improves the soft-minimum approximation of the minimum but can also result in large $\|h^{\prime}(x)\|_{2}$, which can tend to cause $\|\dot{u}(x(t))\|_{2}$ to be large. The quadratic program (18) shows that small $\alpha$ results in more conservative behavior; specifically, $u$ deviates more from the desired control $u_{\rm d}$ in order to keep the state trajectory farther away from $\mbox{bd }{\mathcal{S}}$. The homotopy (19) and definition (16) of $\gamma$ show that large $\kappa_{h}$ or $\kappa_{\beta}$ cause the control $u$ to deviate more from the optimal control $u_{*}$ to the backup control $u_{\rm b}$ if either the feasibility metric $\beta$ or the barrier function $h$ are small.