Safe-by-Design Control for Euler-Lagrange Systems

Safety-critical control is characterized as ensuring constraint satisfaction for a given dynamical system. Recent developments in zeroing control barrier functions (ZCBFs) have provided a framework for ensuring safety of a superlevel set of a single constraint function. Euler-Lagrange systems represent many real-world systems including robots and vehicles, which must abide by safety-regulations, especially for use in human-occupied environments. These safety regulations include state constraints (position and velocity) and input constraints that must be respected at all times. ZCBFs are valuable for satisfying system constraints for general nonlinear systems, however their construction to satisfy state and input constraints is not straightforward. Furthermore, the existing barrier function methods do not address the multiple state constraints that are required for safety of Euler-Lagrange systems. In this paper, we propose a methodology to construct multiple, non-conflicting control barrier functions for Euler-Lagrange systems subject to input constraints to satisfy safety regulations, while concurrently taking into account robustness margins and sampling-time effects. The proposed approach consists of a sampled-data controller and an algorithm for barrier function construction to enforce safety (i.e satisfy position and velocity constraints). The proposed method is validated in simulation on a 2-DOF planar manipulator.


I. INTRODUCTION
Recent technological advancements have increased the presence of autonomous systems in human settings. The push for self-driving cars, drone delivery systems, and automated warehouses are a few examples of how autonomous systems are being exploited to improve efficiency and productivity. However, safety is key to properly incorporate these systems, particularly in human settings. The control of these autonomous systems must be able to guarantee safety of both the device and humans.
Euler-Lagrange systems are reflective of many real-world autonomous systems including autonomous vehicles and robotic manipulators. To promote safety of these systems, we specify position and velocity constraints, e.g., do not leave a pre-defined region or exceed this speed, that must be respected at all times. Typically these position and velocity constraints are specified as multiple constraints (e.g., box constraints). These systems are almost always controlled digitally in a sampled-data fashion and are prone to model uncertainties or external disturbances that must be accounted for. Furthermore, we consider a practical limitation of real-world systems in that they have limited actuation to ensure the system constraints hold. The problem addressed here is how to simultaneously satisfy input and system constraints for Euler-Lagrange systems to ensure safety.
Control barrier functions have attracted attention for constraint satisfaction of nonlinear systems. Existing barrier function methods have been applied to general nonlinear continuous/hybrid systems [1] and used in control to satisfy constraints while providing stability [2]. Those methods have been extended to less restrictive barrier function definitions and have been applied to bi-pedal walking, adaptive cruise control, and robotics [3]- [6]. Similar approaches have also addressed high relative degree systems [7] and systems evolving on manifolds [8]. Recently, the distinction between reciprocal control barrier functions (RCBFs) and zeroing control barrier functions (ZCBFs) has been established [9], in which RCBFs are undefined at the constraint boundary while ZCBFs are zero at the boundary and well-defined outside of the constraint set. Aside from practical implementations, ZCBFs are advantageous in that they hold robustness properties in the form of input-to-state stability [10]. A review of existing approaches can be found in [11].
A well known set-back of barrier function methods is the difficulty in constructing them. Many existing results are dependent on the existence of a function to satisfy the barrier conditions, but have no method to define the function. This issue is further exacerbated when also considering input constraints, which are characteristic of real-world systems. One existing method to construct control barrier functions includes sum-of-squares programming [1], [11], [12], however that approach is only applicable to polynomial systems, and not to the Euler-Lagrange systems considered here. One method that can be applied to nonlinear affine systems (and thus Euler-Lagrange systems) requires a pre-defined evasive maneouver to then construct the control barrier function [13]. However the design of the evasive maneouver is not straight forward in general, particularly with dynamically coupled systems such as Euler-Lagrange systems. Furthermore, existing methods are usually restricted to one ZCBF to implement, and not the multiple position and velocity constraints considered here. For example, robotic manipulators typically require independent joint constraints, which results in multiple ZCBFs that must be satisfied at all times. This requires more in-depth analysis to respect actuation limitations and ensure the constraints are non-conflicting. Finally, existing approaches do not consider robustness margins nor sampling time effects in the barrier construction. Thus despite recent advancements, there is no existing approach to construct ZCBFs for Euler-Lagrange systems.
In this paper, we present a methodology to construct ZCBFs for Euler-Lagrange systems. The proposed approach satisfies multiple workspace constraints (position and velocity) to ensure safety of real-world systems. A correct-by-design algorithm is presented for the ZCBF construction that ensures forward invariance of the safe set, which can be computed offline. The method considers robustness margins and sampling time effects, which are commonly associated with implementation of Euler-Lagrange systems and two control laws, one continuous time control and one sampled-data control, to enforce safety at all times. The proposed approach is validated in numerical simulation on the 2-DOF planar manipulator. All of the code, including the algorithm to construct the the ZCBFs, is provided in [14]. A preliminary version of this work can be found in [15]. The approach presented here is less conservative than that of [15] and also relaxes the assumptions of [15]. Furthermore, the approach presented here also addresses robustness and sampling terms in the ZCBF construction, which are not considered in [15].
Notation: Throughout this paper, the term e j ∈ R 1×r denotes the jth row of the identity matrix I r×r . The Lie derivatives of a function h(x) for the systemẋ = f(x) + g(x)u are denoted by L f h = ∂h ∂x f(x) and L g h = ∂h ∂x g(x), respectively. The terms and are used to denote element-wise vector inequalities. The matrix inequality A < B for square matrices A and B means that the matrix B − A is positive-definite. The interior and boundary of a set A are denotedÅ and ∂A, respectively. The notation α • β for a function α represents the composition α(β). We use the notation x a and x a, for some a ∈ R, to denote the limit as x approaches a from above and below, respectively. The term D + v(t) is used to denote the upper right hand derivative of a function v(t).

A. Preliminary Lemmas
Here we present existing definitions and Lemmas relevant for control barrier function design: . A continuous function, α : R → R is an extended class-K ∞ function if it is strictly increasing 1 and α(0) = 0.
Note that the results presented herein are also applicable to extended class-K functions, which are extended class-K ∞ functions whose domain is some set A ⊂ R with 0 ∈Å [9].
Lemma 1 (Comparison Lemma [16]). Consider the scalar differential equatioṅ where f (t, u) is continuous in t and locally Lipschitz in u, for all t ≥ 0 and all u ∈ J ⊂ R. Let [t o , T ) (T could be infinity) be the maximal interval of existence of the solution u(t), and suppose u(t) ∈ J for all t ∈ [t 0 , T ). Let v(t) be a continuous function whose upper right-hand derivative D + v(t) satisfies the differential inequality: Lemma 2. Let α be an extended class-K ∞ function that is locally Lipschitz on J ⊂ R and h : [0, T ) → R be a continuously differentiable function on some interval of existence [0, T ), T ∈ R >0 . Let z(t) be a solution ofż = −α(z(t)) with maximal interval of existence [0, T ). Ifḣ(t) ≥ −α(h(t)) for Proof. Local Lipschitz continuity of α on J ensures z(t) is uniquely defined on [0, T ) and since α is of class-K there exists a class KL function β so that z(t) = β(z(0), t) for all t ∈ [0, T ) [17]. Note that since z(0) ≥ 0, we deduce that . Lemma 1 then completes the proof.
The following Lemma is adapted from [17] to the notation used here: [17] ). Let α be an extended class-K ∞ function that is locally Lipschitz on J ⊂ R and h : [0, T ] → R be an absolutely continuously function for some interval

B. Control Barrier Functions
Here we introduce the existing work regarding ZCBFs for nonlinear affine systems: where x(t) ∈ R n is the state, u ∈ R m is the control input, f : R n → R n and g : R n → R n×m are locally Lipschitz continuous. We denote I ⊆ R ≥0 , where 0 ∈ I, as the maximal interval of existence of x(t). A set S ⊂ R n is forward invariant if x(0) ∈ S implies x(t) ∈ S for all t ∈ I.
Let h(x) : R n → R be a continuously differentiable function, and let the associated constraint set be defined by: Constraint satisfaction is ensured via Lemma 2 by showing thatḣ(x(t)) ≥ −α(h(x)(t)) for all x ∈ C, t ∈ I(x(0)), for a locally Lipschitz, extended class-K ∞ function α. Here the function h is considered the zeroing control barrier function and formerly defined as: 11]). Let C ⊂ E ⊂ R n defined by (3) be the superlevel set of a continuously differentiable function h : E → R, then h is a zeroing control barrier function if there exists an extended class-K ∞ function α such that for the control systemẋ = f(x) + g(x)u: If h is a zeroing control barrier function, the conditioṅ h(x) ≥ −α(h(x)) is then enforced in the control by rewriting it as: L f h + L g hu ≥ −α(h(x)), which is linear with respect to u. Resulting methods for ZCBFs then implement this condition as a constraint in a quadratic program to define the constraint satisfying control u [11].
We further note that the ZCBF conditions can be extended to sampled-data systems for which u is piece-wise continuous. That is, for a ZCBF h whereḣ(x) ≥ −α(h(x)) holds for almost all t ∈ [0, T ], then Lemma 3, ensures forward invariance of C.

C. Euler-Lagrange Dynamics
Consider the following Euler-Lagrange system: where M (q) ∈ R n×n is the inertia matrix, C(q, v) ∈ R n×n is the Coriolis and centrifugal matrix, g(q) ∈ R n is the generalized gravity on the system, F ∈ R n×n is the positive semi-definite, diagonal damping matrix, and u ∈ R m is the control input. Let (q(t, q 0 ), v(t, v 0 )) ∈ R 2n be the solution of (5) starting at t = 0, which for ease of notation is denoted by (q, v).
Note that due to the bounded, positive-definite property of the inertia matrix M (q) the following lemma follows: Lemma 4. Under Property 1, there exists k m1 , k m2 ∈ R >0 , k m2 > k m1 such that k m1 I n×n < M (q) −1 < k m2 I n×n .
Remark 1. Note that we assume Properties 1-3 for simplicity here. In fact the proposed approach presented here extends to more general Euler-Lagrange systems because we do not require q ∈ R n . We consider safety of the system for q ∈ C for a compact set C such that k m1 , k m2 , k c , and k g exist also for more general Euler-Lagrange systems [19].

D. Problem Formulation
The goal of constraint satisfaction is to ensure the states q, v stay within a set of constraint-admissible states. Here we focus on workspace constraints reminiscent of real-world systems which are defined by: for q min , q max ∈ R n and q max q min . These types of constraints are highly applicable in robotics and general automated systems.
We further address the velocity constraints that the system must satisfy as: where v min , v max ∈ R n , v max 0, and for simplicity of the presentation let v min = −v max . In addition to state constraints, real-world systems have limited actuation capabilities. Thus the aforementioned state constraints must be realizable with the available control inputs. Let U be the available control inputs: where u min , u max ∈ R n , u max 0, and for simplicity of the presentation let u min = −u max .
The problem addressed here is to design a control law that renders the set of state constraints forward invariant. We formally define a safe system as follows: Definition 3. Consider the constraint sets (6), (7), and (8).
We note that this definition of safety is stronger than forward invariance of the constraint set as we require forward invariance for all t ≥ 0. The problem addressed here is formally stated as follows: Problem 1. Consider the system (5) with position, velocity, and input constraints (6), (7), (8). Design a control law u ∈ U that renders (5) safe.

III. PROPOSED SOLUTION
In this section, we present the candidate ZCBFs and the proposed control laws to ensure safety. We first construct the candidate ZCBFs with design parameters. We proceed to construct bounds on the design parameters such that system safety is ensured under the condition that u ∈ U. The construction of the design parameters yields an algorithm for constructing ZCBFs. Finally, we design continuous-time and sampled-data control laws to guarantee system safety.

A. ZCBF Construction
In this section, we construct the ZCBFs for system safety. We note that the construction is motivated by the approach from [20], although in a less conservative manner as will be discussed later. Let N n = {1, ..., n}. To define the ZCBFs, we re-write the constraint set Q into individual constraints with respect to functionsh i ,h i : R → R, which are defined as: where q maxi , q mini ∈ R are the ith elements of q max , q min , respectively, from (6). We define the superlevel set ofh i and h i as: The Cartesian product of all Q i satisfies: In order to define a superset of Q over which the ZCBF conditions hold (i.e E from Definition 2), we introduce the following functions: where δ ∈ R ≥0 is a design parameter. We similarly define a superlevel set forh δ i andh δ i as: and it follows that Q = Q 0 . Moreover, consideration of Q δ for δ > 0 allows for consideration of robustness to perturbations in the proposed formulation. We refer to [10] for a discussion on robustness of ZCBFs.
To ensure safety with respect to each Q i (and consequently Q), the following conditions must hold: for some δ > 0 and some extended class-K ∞ function α to then apply Lemma 2. Substitution of (9) with (5) yields the following requirement: We note that due to the fact that the the position constraints are of relative degree two with respect to this system, there is no control input at the velocity level of (5) to ensure the conditions hold.
We now introduce new functions to address the relativedegree of the system:b i ,b i : R × R → R, and we treat these functions as the candidate ZCBFs for Euler-Lagrange systems defined as follows: where α is a continuously differentiable, extended class-K ∞ function, and γ ∈ R >0 is a design parameter. We see that when as required by Lemma 2 for safety with respect to Q i . We treatb i ≥ 0 andb i ≥ 0, ∀i ∈ N n as new constraints to be satisfied. To properly address the set of states whereb i ≥ 0 andb i ≥ 0, we define the following set: In similar fashion, we define the following functions to define supersets of B: with the following superlevel sets: (16) and B δ = B δ 1 ×...×B δ n . By construction, it follows that B δ ⊃ B for δ > 0 and B 0 = B.
Next we define the intersection of Q i and B i and the respective superset as: We denote H as the safe set. Note that since Q is compact, so are H i and H δ i for i ∈ N n . In order to ensure forward invariance of B (and thus Q), we repeat the ZCBF conditions required from Lemma 2 with respect to the ZCBF candidatesb i ,b i : is an additional barrier function design parameter, andη ∈ R ≥0 is an added term motivated by [20] to incorporate sampling-time effects into the proposed ZCBF construction. We note that forη := 0, (19) follows the conventional requirements for ZCBFs [11]. Substitution of (5) into (19) and concatenation over all i ∈ N n yields: To summarize, satisfaction of (20) for all (q, v) ∈ H δ ⊃ H for some δ > 0 ensures (19) We note that (20) is linear with respect to u, and define the proposed quadratic program-based control law: where u nom : R n × R n → R n is some nominal control law which can represent, for example, a pre-defined stabilizing controller or possibly a human input to the system. Implementation of (21), assuming a solution exists, will ensure forward invariance of H.
Remark 2. Insofar, the ZCBF construction resembles that of [20], apart from two key observations. First, the barrier candidate functions (13), do not have additional robustness margins as required in [20]. This reduces the conservativeness of the approach presented here. Second, the results from [20] are dependent on the assumption that there exist a solution to (21). Here we present the formal design of the ZCBFs to guarantee the solution to (21) always exists.
Before we present the main theorem, we must state two assumptions to be satisfied. First, we make the following realistic assumption that the system has sufficient control authority in the set Q δ : Assumption 1. There is sufficient control authority such that for given δ,η ∈ R ≥0 , there exists some ε ∈ R >0 such that This is a common assumption to ensure that in fact the system can be held statically and has the capability to move from any configuration over Q δ . From a pragmatic perspective, we note that this assumption is always satisfied in practice in order for the system to perform a desired task. Furthermore, this assumption is much less conservative than that of [15], which effectively requires each u i to satisfy (19) independently while all other inputs are at their respective maximum values (i.e., |u j |= u maxj for all j = i).
Second, we require the extended class-K ∞ functions α and β to satisfy the following properties: Assumption 2. Given a δ ∈ R ≥0 , the extended class-K ∞ functions α and β satisfy the following conditions: 1) There exists a d ∈ R >0 such that the following condition holds for all i ∈ N n , e ∈ [0, δ]: 2) For any a, c ∈ R >0 and b ∈ R ≥0 such that a − b = 2c, then β satisfies: Assumption 2 requires that the slope of α and β on the negative real-axis is sufficiently small with respect to that of the positive real-axis. This condition is required to consider how the system behaves in H δ \ H. For example, if a disturbance exists that pushes the system into H δ \ H (wherē b i < 0 orb i < 0), the restoring "force" that keeps the system ultimately bounded [20] must not exceed the capabilities of the actuators.
Remark 3. Assumption 2 is not restricted to linear functions used in "exponential barrier functions" [7], nor polynomial functions used in sum-of-squares programming techniques [1]. Assumption 2 only restricts the slope of the two extended class-K ∞ functions over the negative real-axis. As a result of this generality, both linear functions and (odd) polynomial functions are subclasses of functions that satisfy Assumption 2.
In the following theorem, we ensure a solution to (21) always exists for all (q, v) ∈ H δ by appropriately computing γ and ν: Theorem 1. Consider the system (5) with the state and input constraints defined by (6), (7), and (8). Let the set H δ i be defined by (18) for i ∈ N n with the continuously differentiable extended class-K ∞ function α and extended class-K ∞ function β. Suppose Assumptions 1 and 2 hold for The proof of Theorem 1 is constructive. In the following section, we analyze the properties ofb i andb i for Euler-Lagrange systems to construct γ * 1 , γ * 2 , γ * 3 , ν * 1 , and ν * 2 , as well as bounds on δ,η, and a valid controlũ ∈ U such that there always exists a solution to (21).

B. Analysis
In this section, we present properties of H δ in relation to the candidate ZCBFsb i , andb i to design γ and ν.
Lemma 5 provides insight into how the ZCBF construction affects the system behaviour. First, by appropriately tuning γ, the velocity bounds from (23) can be adjusted to satisfy the shows that as q approaches the boundary ∂Q, the velocity approaches zero. This is an important property because it restricts the system's inertia relative to the constraint boundary. This aligns with intuition in that if the velocity is too high near the boundary, exceedingly large control effort would be required to ensure forward invariance. While γ dictates the system's velocity, ν dictates the behaviour of u as the system approaches the constraint boundary. From (19), ν will dictate how soon the control acts to keep the system in the constraint set.
From Lemma 5, we define the following upper bound on γ such that the maximum velocity will be contained in V to ensure safety: where a ∈ R >0 is defined in (23).

Lemma 6. Consider the functions and setsh
Proof. Strict positivity of γ * 1 follows since v maxi > 0 and for δ ≥ 0, a > 0 due to q max q min . From Lemma 5 it follows that v ∞ ≤ γa. To ensure v ∈ V, i.e., v min v v max , we must ensure γ is sufficiently small such thatv from (23) is smaller than the minimum component of v max . Note that we are only concerned with v max since v min = −v max . More precisely, for γ ∈ (0, γ 2) Satisfaction of Input Constraints: Next, we will construct aũ ∈ U to show that there always exists a solution to (20). However to do so, we must introduce some notation and additional terms. First we present ρ : Q δ i → R: The function ρ(q i ) defines the level set that divides B i (see Figure 1). More specifically, the manifold defined by: Lemma 7. Suppose the conditions of Theorem 1 hold. Consider ρ(q i ) andρ δ defined by (25) and (26), respectively, for a given γ > 0, δ ≥ 0 for q i ∈ Q δ i , i ∈ N n . Then ρ(q i ) is strictly positive, and there exists a c ∈ R >0 such thatρ δ ≥ c.
Proof. First, we show ρ(q i ) is always strictly positive in Q i ⊆ Q δ i . Fromh i ≥ 0,h i ≥ 0, and γ > 0, then α(h i (q i )) only equals 0 at the boundary when q i = q maxi , and α(h i (q i )) only equals 0 at the boundary when q i = q mini . Evaluation at both boundaries yields ρ(q maxi ) = ρ(q mini ) = γ 2 α(e i ), for e i = q maxi − q mini . Since q maxi > q mini , e i > 0. Now in the interior of Q i (i.e. q mini < q i < q maxi ), α(h i ) and α(h i ) are strictly positive. Thus there exists no such q i ∈ Q i such that ρ(q i ) = 0. Since ρ is a continuous function on the compact set Q i , and is strictly positive, there exists some g i ∈ R >0 such that ρ(q i ) ≥ g i in Q i . We note that g i is independent of δ.
Next, for when δ > 0 and Q i ⊂ Q δ i , we divide Q δ i into two sections: a) when q i ≥ q maxi and b) when q i ≤ q mini . For Q δ i \Q i where q i > q maxi , let q i = q maxi +e for e ∈ [0, δ] such that ρ(e) = γ 2 α(−e) + α(q maxi − q mini − e . Then from Similarly, it follows that ρ(e) = γ 2 α(−e) + α(q maxi − q mini − e , and again from Assumption 2, ρ(q i ) ≥ d. Thus there exists somẽ i . Let c be the minimum ofd i for i ∈ N n . By definition ofρ δ , it follows thatρ δ ≥ c.
The following Lemma ensures that the sum ofb i andb i is always positive on H δ . Lemma 8. Suppose the conditions of Theorem 1 hold, γ > 0, δ ≥ 0, and consider ρ(q i ) from (25).
Proof. Substitution of (13) intob i +b i yieldsb i +b i = 2ρ(q i ). From Lemma 7, ρ is strictly positive. Thus it follows that Second, we introduce ζ δ i ∈ R: The term ζ δ i is the lower bound ofb i andb i on H δ . We denote the lower bound of ζ δ i over i ∈ N n as: Lemma 9. Suppose the conditions of Theorem 1 hold, and consider ζ δ i , ζ δ defined by (27) and (28), respectively, for γ > 0 and δ ≥ 0. Then ζ δ i always exists, is non-positive, and as δ 0, ζ δ 0.
Proof. A solution for ζ i always exists sinceb i andb i are continuous functions over the compact set H δ i . Furthermore, with γ > 0, δ ≥ 0, there exists a coordinate (q maxi + δ, 0) ∈ H δ i for whichb i = −γα(δ) ≤ 0. Similarly the coordinate (q mini − δ, 0) ∈ H δ ensuresb i = −γα(δ) ≤ 0. Since by definition (27), ζ δ i is the minimum value of the minimum of b i andb i and we have specified coordinates in H δ i for which b i andb i are non-positive, it follows that ζ δ i must also be non-positive.
Next, from the proof of Lemma 5, it follows that −v i ≥ −γα(q maxi − q i + δ) and v i ≥ −γα(q i − q mini + δ). Thus from (13) Thus we can re-write (27) as: By inspection off i andf i , it follows that ζ δ i = 0 when δ = 0. Furthermore,f i andf i are non-positive, continuous, and strictly decreasing functions of δ since α is an extended class-K ∞ function and δ ≥ 0. Thus as δ 0,f i 0 andf i 0. Since ζ δ i is the minimum off i andf i over Q δ i , it follows that as δ 0, ζ δ i 0. Finally, since this property holds for all i ∈ N n , it also holds for ζ δ , which completes the proof.
Remark 4. The computation of ζ δ i can be done off-line as it is purely a function of the choice of α. We explicitly define ζ δ i for the following commonly used choices for α: Finally, we divide H δ i into eight regions which are outlined in Table I, and depicted in Figure 1.
We are now ready to present a candidateũ : H δ → R n to satisfy (20) andũ ∈ U: where , ..., µ n (q n , v n )] T , and ψ := [ψ 1 (q 1 , v 1 ) , ..., ψ n (q n , v n )] T . We note thatũ is well-defined over all of H δ . Furthermore, u is discontinuous over H δ . We address discontinuities in a sampled-data fashion as will be discussed later. Our first task is to ensure thatũ ∈ U for all (q, v) ∈ H δ . We do this by bounding γ using: y(q) = max i∈Nn ∂α ∂h i (q i ), ∂α ∂h i (q i ) , and f i ∈ R is the ith element of the diagonal of F from (5). The idea behind γ * 2 is that as γ decreases, the system velocity will decrease and ensure the system inertia is not too large to exceed the limitations of the system's actuators.
Similarly, we define the upper bound ν * 2 to ensure χ ∞ ≤ ε to respect actuator constraints in H δ \ H: In the event that δ = 0, then clearly ν * 2 = ∞, which implies that the choice of ν is not upper bounded.
, then the following conditions are always satisfied: Proof. To show satisfaction (44), we note the following bounds for (q i , v i ) ∈ H δ i : because α is strictly increasing. Also, the bound: |v i |≤v = γa follows from Lemma 5. From Lemmas 11 and 12, the are well-defined. Satisfaction of (44) follows by substution of (43) with the above bound.
Next we show satisfaction of (45). Using the aforemen- Thus substitution of (43) along with the previous bound ensures (45) is satisfied. Satisfaction of (46) is similar to the above cases.
For (46) is satisfied with this bound and appropriate substitution of (43).
Note that the requirements of Lemma 13 are the main components to avoid conflict such that (44) and (45) always hold simultaneously. The formal guarantees of non-conflicting conditions are found in the following proof of Theorem 1.
The left-hand-side (38) yields: such that substitution in the above inequality and Lemma 13 ensures the above inequality is nonpositive and so (38) holds. The left-hand-side of (39) yields νβ(b i ), which is non-negative in IV, and so (39) holds.
The left-hand-side of (38) equals 0 and thus (38) is satisfied. The left-hand-side of (39) yields: We note that the above inequality holds due to Assumption 2 sinceb i +b i = 2ρ(q i ) (via Lemma 8),b i < 0 in V, and thus Since ρ ≥ρ δ , (39) is satisfied from Lemma 13.
The left-hand-side of (38) yields: Again, the above inequality holds due to Lemma 8 and . Thus (38) holds from Lemma 13. The left-hand-side of (39) equals 0 and so (39) is satisfied.
The left-hand-side of (38) with the substitution ofη ≤ 2η andb i = ρ ≥ρ δ (see Lemma 8) is less than or equal to the negative of the left-hand-side of (44), such that (38) holds via Lemma 13.
Finally, since (38) and (39) hold for all i ∈ N n ,ũ ∈ U is a valid control law to enforce (20) over H δ . This implies that there always exists at least one point-wise solution to u * from (21), namelyũ. Due to the linearity in the constraints and positive-definiteness of the cost function in (21), the solution to u * is uniquely defined [21]. Thus for any (q, v) ∈ H δ , there always exists a unique, point-wise solution to (21), and v ∈ V.
Remark 5. Theorem 1 ensures each b i satisfies the conditions of Lemma 2 on the set H δ and explicitly uses δ in the derivation of γ and ν. The use of δ shows how robustness can be incorporated into the control design while respecting input constraints. In the set H δ \ H, the system (5) with (21) is asymptotically stable to the safe set H [10]. In other words, for a sufficiently small, bounded perturbation (e.g from model uncertainty) the system will be contained in H δ .
The proof of Theorem 1 is constructive and provides insight into designing γ, ν to ensure there always exists a solution to (21). As discussed in Remark 5, the proposed design considers both constraints on the available control input and robustness with respect to bounded perturbations and sampling time effects. The full ZCBF design is outlined in Algorithm 1.
Proof. The proof follows directly from the construction of the ZCBF parameters from Theorem 1.
Next, we use the results of [20] to show that if u * k is applied for almost all t ∈ [kT, kT + ∆t], for ∆t ∈ (0, T ], Thus we can re-write the constraints of (48) as . From (48), implementation of u * k for almost all t ∈ [kT, ∆t] is equivalent to: , for almost all t ∈ [kT, kT + ∆t], k ≥ 0, i ∈ N 2n , Now, following the method from [20] and definition of η(T ), the above condition ensures that the following holds: Now we will investigate the implementation of u * k on (5) to analyze the system behaviour over [kT, (k +1)T ]. By showing that (49) holds, we ensure (q(t), v(t)) ∈ H on [kT, (k + 1)T ]. We then extend the results to k ≥ 0 to prove safety.
Furthermore, since the previous analysis holds for any k ∈ N, we conclude that (q(t), v(t)) ∈ H for all t ≥ 0. Finally, since H ⊂ Q × V from Theorem 1, (q(t), v(t)) remains in Q × V for all t ≥ 0 which completes the proof.
We note that both the continuous time and sample-data controllers require slightly stronger conditions than that of Theorem 1 on the ZCBF design parameters to ensure safety. Namely, both controllers require δ > 0, while the sampled-data control law also requires ν ∈ (ν * 1 , ν * 2 ]. However, Algorithm 1 was constructed appropriately such that both of these conditions can always be satisfied for any choice of α, β, δ 0 > 0, andη 0 = 0 for the continuous time control, otherwiseη 0 > 0 for the sampled-data control.

IV. NUMERICAL EXAMPLES
In the previous sections, we developed guarantees for the correct construction of a safe-stabilizing control law for Euler-Lagrange systems. Here we demonstrate the proposed technique in simulation on a 2-DOF planar manipulator. The simulations were performed in Python and the code used for these results along with Algorithm 1 is available at [14]. We note that the results presented here are accompanied with the corresponding simulation file to recreate the results.
The manipulator consists of two identical links with a length of 1 m and mass of 1 kg, which are parallel to the ground such that g = 0. The system is equipped with motors capable of u max1 = −u min2 = 18 Nm, and u max2 = −u min2 = 10 Nm of torque. The system damping is F = 0.001I 2×2 kg/s. Let the position/velocity safety constraints be defined by q max1 = −q min1 = π/2 rad, q max2 = 5π/6 rad, q min2 = π/2 rad, and v max1,2 = −v min1,2 = 1.5 rad/s. We choose the following extended class-K functions for the ZCBFs: α 1 (h) = tan(h) −1 , α 2 (b) = b 3 . The nominal control is the computed torque control law: u nom = M (q 2 )(r −ė − e) + Cv [19] where e = q−r and r = [3.4708 sin(1.3t), 2.6236 sin(1.3t)+ 2.0944] T is the reference that attempts to move the system outside of Q × V and U. This nominal control is used to Fig. 2: Plots of q, v, and u for the control u = u nom (orange curve), u = u * from (21) for the ZCBF parameters from [15] (green curve), and u = u * from (21) for the ZCBF parameters from Algorithm 1 (blue curve). The black-dashed lines depict the boundaries of Q in (a), (b), V in (c), (d), and U in (e), (f), respectively. represent a pre-defined control law or equivalently a human that is incorrectly operating the system. The reader is directed to [14] for all simulation parameters used.  Figure 2 Initialize: First, we compare the proposed technique presented with the preliminary, more conservative method from [15] in continuous time. Figure 2 shows three system trajectories. The first, depicted in orange, is the system (5) subject to the nominal control law, u nom , alone. As shown, the nominal control results in violation of all system and input constraints. The second trajectory, depicted in green, shows the result of the system (5) subject to the proposed control (21) (in continuous time) using the ZCBF parameters constructed from      η(T = 0.001) = 6.2616 ≤η ≤ η * [15] ("ZCBF control exp1.yaml" from [14]). The resulting trajectories show satisfaction of all state and input constraints, while attempting to track the nominal control law. This implementation ensures safety, however significant conservativeness is seen by the distances between the trajectories and state/input constraints. The third trajectory, depicted in blue, shows the system (5) subject to the proposed control (21) using the ZCBF parameters constructed from Algorithm 1 ("ZCBF control exp2.yaml" from [14]). See Table II for the resulting ZCBF computations from Algorithm 1. As shown, the controller ensures safety of the overall system, but is also less conservative than the approach from [15]. One difference between the ZCBF parameter construction between [15] and Algorithm 1 lies in computation. The method in [15] only requires the associated bounds from Properties 1-3 and scales well with the number of degrees of freedom. Algorithm 1 on the other hand is dependent on searching over some dynamic terms of (5) over Q δ . This results in larger computational effort, but yields less conservative behaviour as seen in Figure  2. By less conservative behaviour, we mean that the state trajectories more closely approach the state constraints for a more aggressive system response.
Next, we note that the results shown in Figure 2 were developed using the continuous time control law (21). However, this is dependent on the assumption of local Lipschitz continuity of u * , which is not guaranteed in general. Indeed, under certain parameter configurations (see "ZCBF control exp2 fail.yaml") the system leaves the safe set as a result of discontinuities in the control. When discontinuities occur,η > 0 is required to account for jumps in the control law to ensure forward invariance of the safe set. However, the sampled-data control law (48) is able to ensure forward invariance of the safe set for T = 0.001 s (see "ZCBF control exp2 discrete.yaml"). The results of the system trajectory subject to the sampled-data controller and ZCBF parameters from Algorithm 1 are shown in Figure  3, with the resulting parameters and intermittent calculations listed in Table III. Figure 3 shows the proposed, sampled-data control u * k enforcing state constraints, while always respecting input constraints. The effect of incorporatingη > 0 into the control design does impose some conservativeness in the system behaviour. This can be seen by comparing the blue curves between Figures 2 and 3. The state trajectories resulting from the sampled-data control do not approach the state constraints as closely as that of the continuous-time controller. Finally, we note some caveats associated with Algorithm 1. As stated, given any appropriately defined α, β, δ 0 ≥ 0, η 0 ≥ 0, the algorithm will always output a γ, ν, andη such that there exists a u ∈ U to enforce safety. However, the choices of α, β, δ 0 , andη 0 are subject to respecting Assumptions 1 and 2. Of particular note is Assumption 1 which requires a specified ε to be known. In general, the choice of ZCBF parameters to ensure ε > 0 is not straightforward. This may result in an iterative procedure to find the appropriate α, β, δ 0 ,η 0 combination. Furthermore, the use of T as a design parameter may not be representative of real-world systems. Usually a sampling time is given. In such a case, iterations over Algorithm 1 will be required to ensure that the appropriate choice of α, β, δ 0 , andη 0 yield an η * ≥η ≥ η(T ). We do note however that the explicit computation of η(T ) allows for straightforward computation of η −1 (η) to specify the sampling time required for the given parameters: α, β, δ 0 , andη 0 , and facilitates the ZCBF design.

V. CONCLUSION
In this paper, we designed multiple, non-conflicting ZCBFs to ensure safety of Euler-Lagrange systems. The design takes into account actuator limitations, robustness margins, and sampling time effects. The proposed design yielded an algorithm to compute safe-by-design ZCBF parameters. Additionally, two controllers, one continuous-time and one in a sampled-data implementation, were presented to enforce safety of the Euler-Lagrange system. The proposed approach was demonstrated in simulation on a 2 DOF planar manipulator. Future work will consider simultaneous safety and stability as well as the use of data-based methods to further improve system performance.