Control Barrier Functions for Cyber-Physical Systems and Applications to NMPC

Tractable safety-ensuring algorithms for cyber-physical systems are important in critical applications. Approaches based on Control Barrier Functions assume continuous enforcement, which is not possible in an online fashion. This paper presents two tractable algorithms to ensure forward invariance of discrete-time controlled cyber-physical systems. Both approaches are based on Control Barrier Functions to provide strict mathematical safety guarantees. The first algorithm exploits Lipschitz continuity and formulates the safety condition as a robust program which is subsequently relaxed to a set of affine conditions. The second algorithm is inspired by tube-NMPC and uses an affine Control Barrier Function formulation in conjunction with an auxiliary controller to guarantee safety of the system. We combine an approximate NMPC controller with the second algorithm to guarantee strict safety despite approximated constraints and show its effectiveness experimentally on a mini-Segway.


I. INTRODUCTION
Two cornerstones of safety-critical control for robotic systems are "stability" (i.e., convergence towards desired behavior) and "safety" (i.e., remaining within a designated set of safe states). A key challenge to deployment of cyber-physical systems is the design of fast, tractable control algorithms with safety guarantees that hold in the face of real-world challenges such as discretization error. For instance, as shown in Figure 1, a mini-Segway must maintain a bounded pitch angle at all times to avoid falling over.
Nonlinear Model Predictive Control (NMPC) is a promising method for safety-critical control. In NMPC, a control input is obtained as the first input of an optimal trajectory computed by a constrained optimization at each time step. Indeed, the NMPC problem can encode safety with state and input constraints, but these are generally only enforced at discrete time steps. One approach to obtain continuous-time constraint enforcement is to account for discretization error in tube NMPC [1]. However, NMPC is computationally demanding and thus remains an open problem for systems with pronounced nonlinearities, high dimensionality, or fast response times [2]. To address this, an NMPC problem can be replaced with an approximation that is easier to solve [3][4][5]. For example, the Real-Time Iteration (RTI) scheme approximates an NMPC problem with a Quadratic Program (QP) at each time step [6]. While RTI has been shown to be stabilizing, strict constraint satisfaction, recursive feasibility, and hence safety are no longer guaranteed, due to the linearly approximated constraints [5,7].
A popular tactic for ensuring both safety and stability is to de-couple the two tasks [8][9][10][11]. To this end, a stabilizing controller can be applied jointly with some form of safety certificate function, such as a Control Barrier Function (CBF). Specifically, for nonlinear control-affine systems, CBFs can be used to reformulate nonlinear, nonconvex constraints as affine constraints point-wise in time. CBFs have been applied to discrete [12], stochastic [13,14], and hybrid systems [15] as a part of control Lyapunov function-based controllers [15][16][17], and dedicated safety filters [11]. However, the notion of safety in CBFs relies on the assumption that one has continuous access to the system states and has the ability to continuously modify the states. These assumptions do not hold in systems with discrete-time control schemes [18]. An extension of CBFs to such systems is presented in [19], where the pointwise CBF constraints must be robustly satisfied over a set. This leads to robust optimization problems, which may be difficult to solve.
Contributions: This paper proposes a new tractable approach to safely control continuous-time dynamical systems using discrete-time controllers. Specifically:
• We extend CBFs to account for discretization error and guarantee constraint satisfaction for nonlinear control-affine systems under discrete-time nominal controllers.
• We combine CBFs and approximate NMPC into an efficient algorithm with continuous-time safety guarantees.
• We validate our proposed approach in hardware experiments on a mini-Segway, and demonstrate the need to account for discretization errors to guarantee safety at all times given limited computational resources.
Notation: For a vector v ∈ R^n or vector-valued function v : R^n → R^m, we use v_i to denote its i-th component. We denote the Euclidean norm as ‖v‖ and the Lipschitz constant of a function f on X as L_f; since the Lipschitz bound must hold for all x ∈ X, we use L_f := max_{x∈X} ‖∇f(x)‖ when X is compact. We denote the Minkowski sum of two sets X ⊂ R^n and Y ⊂ R^n as X ⊕ Y, and similarly the Pontryagin difference as X ⊖ Y. We denote the interior and boundary of a set S as int(S) and ∂S, respectively.

II. CONTINUOUS TIME CONTROL BARRIER FUNCTIONS
Consider the nonlinear control-affine dynamical system
ẋ = f(x) + B(x)u (1)
with state x(t) ∈ R^n and control input u(t) ∈ R^m, where f : R^n → R^n and B : R^n → R^{n×m} are Lipschitz continuous.
In this section, we largely follow prior work [16,20,21] to formalize "safety" as controlling the state of (1) to remain within a designated safe set X ⊂ R^n using only control inputs from an admissible set U ⊂ R^m. To this end, we search for a subset C ⊆ X which is controlled invariant, i.e., such that for each x(0) ∈ C there exists an admissible input trajectory u(t) ∈ U such that x(t) ∈ C for all t ≥ 0. Our objective is to render this C forward invariant, i.e., to design a controller such that x(t) ∈ C for all t ≥ 0. Specifically, we restrict ourselves to the case where, given a continuously differentiable function h : X → R such that ∇h(x) ≠ 0 whenever h(x) = 0, we define C as the super-level set
C := {x ∈ X | h(x) ≥ 0} (2)
and assume 0 ∈ C without loss of generality. The description in (2) conveniently ensures that C is controlled invariant if and only if for each x ∈ ∂C there exists an input u ∈ U such that ḣ ≥ 0 along (1); we refer to this as condition (3). We use property (3) to define CBFs.

Definition 1 (Control Barrier Function): Let h : X → R be continuously differentiable and satisfy ∇h(x) ≠ 0 whenever h(x) = 0. Then h is a Control Barrier Function (CBF) for the dynamical system (1) if there exists an extended class-K function¹ α : R → R such that condition (4) holds for all x satisfying h(x) ≥ 0.
¹ A function β : (−a, b) → R for some a, b > 0 is said to belong to extended class-K if β is strictly increasing and β(0) = 0.
Finding a CBF for the system (1) is sufficient to guarantee that (3) holds and hence that the system is safe. We slightly rearrange (4) into (5), which we term the affine CBF condition to highlight that it is indeed affine in the control input u. Thus, (5) can be embedded as a simple affine constraint to design safe optimization-based controllers [16] and safety filters [11].
However, the affine CBF condition (5) assumes the control signal u(t) is applied in continuous time, while in practice controllers operate at discrete time instants. Thus, we generally lose the safety guarantees provided by CBFs. Moreover, prior work on CBFs implicitly assumes that the control input u chosen to satisfy the affine CBF condition (5) lies in the admissible set U, while in general this may not hold.

III. PROBLEM DEFINITION
The objective of this work is to design a control law using only admissible inputs from U which steers the system (1) to a desired state x_d ∈ X safely, i.e., we require x(t) ∈ X for all t ≥ 0. Specifically, we assume X ⊂ R^n is a compact set encoding any safety constraints, while U ⊂ R^m is a convex polytopic set encoding control input constraints. Furthermore, we consider discrete-time controllers of the form (6). The input u_k ∈ U is computed at the time instant t_k ≥ 0 and applied over the interval [t_k, t_{k+1}), where t_{k+1} − t_k = T for all k ∈ N_0 and some sampling time T > 0, which corresponds to a zero-order hold. As stated in Section II, controllers derived using CBFs rely on the continuous enforcement of the affine CBF condition (5), while in practice this condition can only be enforced at each sample time t_k. This discretization contradicts prior continuous-time analyses, thus safety constraints may not hold at all times τ ∈ [t_k, t_{k+1}). Likewise, NMPC controllers only consider constraint enforcement at a finite number of discretization nodes {t_k}_{k=0}^N. Although both approaches may lead to controllers satisfying constraints at all times given fast enough update rates, computational limitations motivate a finer analysis to explicitly account for this type of error and guarantee constraint satisfaction at all times.
IV. DISCRETE-TIME CONTROL BARRIER FUNCTIONS WITH CONTINUOUS CONSTRAINT SATISFACTION
In this section, we derive two controllers of the form (6) which guarantee constraint satisfaction at all times. To this end, we first characterize the maximum variation of the CBF condition (5) over a time interval, and use it to derive a discrete-time CBF condition which results in a general and intuitive controller that explicitly accounts for the discretization error. For the second controller we propose, we exploit additional problem structure in the form of an auxiliary controller. We then characterize the difference between an ideal but intractable continuous-time controller which leverages the affine CBF condition (5), and a tractable discrete-time approximation which follows (6). With this analysis, we provide a tube-based CBF controller with continuous-time safety guarantees.

A. Discrete Barrier Condition
Consider the affine CBF condition (5) for some safe set C and a corresponding CBF h. For a discrete-time controller (6), we want to bound the maximum change in the CBF condition over some time to construct a guarantee that holds over an entire time interval. To this end, consider some differentiable, Lipschitz continuous function φ : R^n → R^d. To bound the change in φ along the trajectory (x(t), u(t)), we seek a constant that bounds its variation with respect to time. By the chain rule, such a constant can be obtained from L_φ and the dynamics (1); this augments the Lipschitz constant L_φ for φ into a Lipschitz-like constant with respect to time along any state-input trajectory of the dynamical system. Then, over the time interval [t_k, t_{k+1}), the variation of each quantity is contained in the truncation error hypercube W defined in (11). The affine CBF condition (5) depends on f, B, h, and ∇h, so we can treat W as a set of possible disturbances w = (w_f, w_B, w_h, w_∇h) which should be accounted for to guarantee safety at all times τ ∈ [t_k, t_{k+1}). From this observation, we introduce the Discrete-time Barrier Condition (DBC) DBC(x, u, w) in (12). At time t_k, this discrete barrier condition captures all possible system evolutions, thus guaranteeing that the affine CBF condition (5) holds for the entire time interval τ ∈ [t_k, t_{k+1}). Further, if a discrete-time controller u_k is synthesized such that it enforces this condition at all discrete times t_k, then the system is safe for all times under this controller. These two statements are formalized in the following theorem.

Theorem 1 (Controlled Invariance Using a DBC): Consider the dynamical system in (1) and a safe set C with a corresponding CBF h. Assume that the control law u_k satisfies
DBC(x(t_k), u_k, w) ≥ 0 (13)
for all w ∈ W, where W is defined as in (11). Then the affine CBF condition (5) holds for all τ ∈ [t_k, t_{k+1}).
Furthermore, if x(0) ∈ C and the discrete-time controller with u_k ∈ U satisfies (13) at every time step t_k for k ∈ N_0, then the system is safe for all t ≥ 0.

Proof: Denote x_t := x(t) for conciseness. We start with the proof of the first claim, and show that (13) holding at time t_k implies that (5) holds for all times τ ∈ [t_k, t_{k+1}). According to (9), the quantities f, B, h and ∇h evaluated along x_τ for τ ∈ [t_k, t_{k+1}) can be written in terms of their values at x_{t_k} and a disturbance w ∈ W. Substituting these into the affine CBF condition (5) along with the given discrete-time control input u_k yields the DBC evaluated at this particular w. If DBC(x_{t_k}, u_k, w) ≥ 0 for all w ∈ W, then this holds for the particular w above, so (13) implies (5) for all τ ∈ [t_k, t_{k+1}). This, and the fact that h is a CBF, guarantee x_τ ∈ C for all τ ∈ [t_k, t_{k+1}). The second statement follows; by assumption, x(t_k) ∈ C and there exists a u_k ∈ U such that (13) holds. By induction with the previous result, C is forward invariant under this discrete-time controller.
Remark 1: We can reduce the conservatism of our derivations in two ways. First, we can define the Lipschitz constant component-wise, which is equivalent to normalizing each dimension of the dynamics. Second, local upper bounds can reduce the conservatism of the Lipschitz-like constants.
Since (13) is nonconvex, it can be challenging to enforce for general dynamical systems. Inspired by work on CBF-based robust controllers [11], we relax (13) to a set of affine conditions, which can then be used to construct safety filters and safe controllers. To this end, we rewrite (13) in the form (15). For fixed u, the left-hand side of (15) is nonconvex in w. A sufficient relaxed condition for (15) to hold is (16), where we omit the dependency on x for conciseness, and j = 1, …, m. Compared to (15), this last condition is conservative, since a different disturbance w can be chosen for each j-th dimension of a. As W and a can be nonconvex, (16) is nonconvex, and the sets A_j W are nonconvex as well. This robust constraint can nevertheless be relaxed to a set of affine constraints: the sets A_j W are compact and thus can be outer-bounded conservatively by polytopic sets. In this work, for tractability, we consider conservative hyperrectangular sets of the form (17). With these rectangular sets, we can rewrite the condition in (16) as affine constraints. Then, a sufficient condition for (16) is given by (18), which is a linear program in ã and b̃ (guaranteed feasible by a proper choice of C). Denoting ũ := [u, 1]ᵀ ∈ R^{m+1} for the concatenation of u with the scalar 1, we can express its dual as (19), where λ̃ ∈ R^{2(m+1)} are the dual variables. Since (18) is convex, its dual problem (19) is equivalent by strong duality. Any feasible solution of this problem will guarantee safety. These solutions must necessarily satisfy the set of affine conditions (20). Using these affine constraints, we propose an optimization-based controller which guarantees safety at all times. Specifically, given a nominal control input u_k, it consists of solving, at each time t_k, the quadratic program (QP) (21). To summarize, the affine conditions (20) guarantee safety of our system (1) at all times, even though they are only enforced at the discrete times t_k.
The resulting formulation can be used as a safety filter or to synthesize controllers in combination with optimization-based control approaches, such as Control Lyapunov Function-based controllers or MPC. We discuss the advantages and limitations in Section VI.
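As an added illustration that is not part of the paper, the following Python script contrasts the two enforcement strategies of Sections III and IV-A on a constructed scalar plant: enforcing the affine CBF condition only at the sample times t_k versus enforcing the DBC over the whole hold interval. It assumes the plant ẋ = a x³ + u with |u| ≤ u_max, the CBF h(x) = 1 − x² with α(h) = γh, the Lipschitz-like bound |ẋ| ≤ a + u_max on X = [−1, 1], and all numeric constants; because the CBF residual is concave in the state for this plant, the robust condition over the hypercube W reduces to two affine conditions in u (the corners of W), which stands in for the general relaxation (16) to (20).

```python
# Added example, not from the paper.  Scalar control-affine plant
# x' = f(x) + u with f(x) = A*x^3, input bound |u| <= U_MAX, safe set
# C = {x : h(x) >= 0} with h(x) = 1 - x^2, alpha(h) = GAMMA*h, and a
# zero-order-hold controller with sample time T.  All values constructed.

A, U_MAX, GAMMA, T = 0.5, 2.0, 8.0, 0.2   # assumed plant/filter parameters
SUBSTEPS = 200                           # Euler substeps per hold interval


def f(x):
    return A * x ** 3


def h(x):
    return 1.0 - x ** 2


def cbf_halfspace(y):
    """Affine CBF condition at state y, written as c*u >= d:
    dh/dx*(f(y) + u) + GAMMA*h(y) >= 0 with dh/dx = -2y."""
    c = -2.0 * y
    d = 2.0 * y * f(y) - GAMMA * h(y)
    return c, d


def feasible_interval(halfspaces):
    """Intersect {c*u >= d} with the input box; a zero coefficient is a
    pure state condition.  Returns (lo, hi, feasible)."""
    lo, hi, ok = -U_MAX, U_MAX, True
    for c, d in halfspaces:
        if c > 0:
            lo = max(lo, d / c)
        elif c < 0:
            hi = min(hi, d / c)
        elif d > 0:
            ok = False
    return lo, hi, ok and lo <= hi


def safety_filter(halfspaces, u_nom):
    """Closest admissible input to u_nom (1-D version of the safety-filter
    QP).  If the constraints are infeasible, fall back to the input box
    and report it, so the caller can see the feasible region collapsing."""
    lo, hi, ok = feasible_interval(halfspaces)
    if not ok:
        lo, hi = -U_MAX, U_MAX
    return min(max(u_nom, lo), hi), ok


def plain_constraints(x):
    """Continuous-time CBF condition enforced only at the sample state."""
    return [cbf_halfspace(x)]


def dbc_constraints(x):
    """DBC: on X = [-1, 1] we have |x'| <= A + U_MAX, so during the hold
    x(tau) lies in x_k (+) W with W = [-L*T, L*T].  The CBF residual is
    concave in x here, so demanding it at the two corners of W equals
    demanding it for every w in W; each corner is one affine condition."""
    w = (A + U_MAX) * T
    return [cbf_halfspace(x - w), cbf_halfspace(x + w)]


def simulate(constraints, x0=0.5, x_ref=1.2, steps=20):
    """Nominal controller u_nom = 5*(x_ref - x) pushes toward an unsafe
    reference.  Returns (max |x| over all sub-steps, #infeasible steps)."""
    x, worst, infeasible = x0, abs(x0), 0
    for _ in range(steps):
        u, ok = safety_filter(constraints(x), 5.0 * (x_ref - x))
        infeasible += not ok
        for _ in range(SUBSTEPS):          # zero-order hold on u
            x += (f(x) + u) * (T / SUBSTEPS)
            worst = max(worst, abs(x))
    return worst, infeasible


if __name__ == "__main__":
    for name, cons in (("plain CBF", plain_constraints), ("DBC", dbc_constraints)):
        worst, bad = simulate(cons)
        print(f"{name:9s}: max |x| = {worst:.3f}, infeasible steps = {bad}")
    # Conservatism: the DBC input set is already empty at x_k = 0.8
    print("DBC feasible at x = 0.8:", feasible_interval(dbc_constraints(0.8))[2])
```

Running the script shows the sample-time-only filter overshooting the safe set while the DBC keeps the state inside it, and that the DBC's feasible input set is already empty at x_k = 0.8, the conservatism noted in Section VI-A.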

B. Tube-CBF
We present our second algorithm, Tube-CBF, which, in contrast to the DBC, uses the unaltered affine CBF condition from Section II.
First, consider a nominal case where we have an ideal continuous-time controller fulfilling the affine CBF condition at all times, and denote the nominal trajectory as x̄(t). As we use a discrete-time controller (6), discretization naturally leads to a difference between the resulting trajectory x(t) and x̄(t). As the affine CBF condition only guarantees safety for the nominal trajectory x̄(t), the true trajectory x(t) is potentially outside of the safe set and may be unsafe. Inspired by tube MPC, we propose the use of a discrete-time auxiliary controller κ to regulate the error z(t) = x(t) − x̄(t) to zero and ideally bound it in an invariant tube. Knowledge of such an auxiliary controller and a corresponding invariant tube, together with the affine CBF condition, allows us to design a discrete-time controller (6) with continuous-time safety guarantees. To this end, we first define a robust invariant set.

Fig. 2. The Tube-CBF algorithm consists of applying the affine CBF condition to a reduced set C̃. Then, the discretization error arising between the trajectories under an ideal continuous-time controller (denoted as x̄) and a discrete counterpart (denoted as x) is kept in the invariant tube Ω with an auxiliary controller κ.
Definition 2 (Robust Invariant Set with Discrete Feedback): A set Ω ⊂ C ⊂ R^n is a robust control invariant set for the error x − x̄ if there exists an auxiliary feedback control law κ : R^n × R^n → R^m of the form (6), such that κ(x, x̄) ∈ U for all x, x̄ ∈ C, and, under this controller, if x(0) − x̄(0) ∈ Ω, then x(t) − x̄(t) ∈ Ω for all t ≥ 0.
Note that finding Ω and κ is in general not straightforward. A rather coarse over-approximation of Ω with a corresponding κ can be found in [22]. This leads to the following assumption, which is strong but common in tube NMPC literature [22]: Assumption 1: Suppose we have a control law κ of the form (6), and a set Ω, such that Ω is robust control invariant, i.e., (κ, Ω) satisfy definition 2.
We use the auxiliary controller to compensate discretization errors in addition to the nominal controller. In the presence of control input constraints, we need to account for the contribution of the auxiliary controller to the control input. We capture this in the set G, where Poly(·) denotes the smallest polytopic hull. To account for the error z ∈ Ω, we define a reduced compact safe set C̃ as summarized in the following definition: Definition 3 (Reduced Safe Set): A reduced safe set C̃ to a set C is a compact set such that C̃ ⊆ C ⊖ Ω ⊂ R^n, where C̃ is characterized by a CBF h under Ũ := U ⊖ G.
Assumption 2: We have access to a reduced safe set C according to definition 3.
Building on assumptions 1 and 2, we propose the Tube-CBF algorithm.
1) At time t_0, set x̄(t_0) = x(t_0) ∈ C̃.
2) At time t_k, find a nominal input ū(t_k) ∈ Ũ such that the affine CBF condition for C̃ holds at x̄(t_k).
3) Apply the control input u(t_k) = ū(t_k) + κ(x(t_k), x̄(t_k)) to the system during the time interval τ ∈ [t_k, t_{k+1}).
4) At time t_{k+1}, measure the state x(t_{k+1}) and find a state x̄(t_{k+1}) ∈ C̃ such that x(t_{k+1}) ∈ x̄(t_{k+1}) ⊕ Ω, and go to step 2.
Figure 2 depicts multiple time steps of the algorithm. Furthermore, we formalize the safety guarantees in the following theorem.
Theorem 2 (Controlled Invariance Using Tube-CBF): Consider the dynamical system in (1) and a safe set C. Suppose Assumptions 1 and 2 hold. Then, C is forward invariant under the Tube-CBF algorithm for (1) under (6) at all times t ≥ 0 if x(0) ∈ C̃.
Proof: We proceed by induction and consider first the induction step. At time t_k, we assume we have x̄(t_k) ∈ C̃ and x(t_k) ∈ x̄(t_k) ⊕ Ω. Then, according to Step 2 of the Tube-CBF algorithm, we compute an input ū(t_k) that satisfies the CBF condition for C̃ at x̄(t_k). A feasible control input exists by the definition of C̃. Next we apply the control input u(t_k) = ū(t_k) + κ(x(t_k), x̄(t_k)) to the system over the time interval t ∈ [t_k, t_{k+1}) according to Step 3. By definition of (κ, Ω) and C̃, u(t_k) ∈ U. Further, by definition of (κ, Ω), this guarantees that x(τ) − x̄(τ) ∈ Ω for τ ∈ [t_k, t_{k+1}). Also, x̄ follows an ideal controller, such that x̄(τ) ∈ C̃ for τ ∈ [t_k, t_{k+1}). Therefore, at Step 4, there exists an x̄(t_{k+1}) such that x(t_{k+1}) ∈ x̄(t_{k+1}) ⊕ Ω. We continue with x̄(t_{k+1}) at Step 2.
The initial condition x(t_0) = x̄(t_0) ∈ C̃ completes the proof.

V. CONTINUOUS SAFETY GUARANTEES WITH NMPC
In this section, we design an optimal controller of the form (6). We consider a direct NMPC approach to reduce the optimal control problem to a nonlinear program (NLP). We discretize the system dynamics (1) as in (22), where the integral in (22) can be approximated using a numerical integration scheme of choice. In NMPC, we solve the NLP at each time step t_k ≥ 0 to obtain the controller (6). The NLP formulation we consider is given in (24). We tackle (24) using Sequential Quadratic Programming (SQP) [23]. In SQP, we solve a series of approximated subproblems to iteratively arrive at a solution to (24). Specifically, SQP methods minimize a second-order Taylor expansion of the Lagrangian of (24), where λ and µ ≥ 0 are the Lagrange multipliers. We start out with an initial guess v_0 and incrementally update it with computed update steps δv_i according to v_{i+1} = v_i + δv_i. Minimizing the second-order Taylor expansion subject to the linearized constraints yields the QP (26).
The optimization variables are then updated according to the computed step. Solving a sequence of QPs until convergence of the underlying NLP is still computationally intense. Thus, we opt for an approximate NMPC scheme, also known as the real-time iteration scheme (RTI). The RTI is designed for NMPC problems with a quadratic cost function and uses the Gauss-Newton approximation for the Hessian. Furthermore, in RTI, we only solve a single QP at each time step t_k, which leads to a non-converged and generally suboptimal solution. This non-converged solution poses a few challenges. First, the linear approximation of the constraints in (26) no longer guarantees strict constraint satisfaction of the original problem (24). Second, recursive feasibility is lost and (24) might become infeasible at some point, which must be avoided at all cost in safety-critical systems. Now, we use the Tube-CBF introduced in Section IV to combine the enhanced performance of RTI with safety and recursive feasibility. To this end, we return again to the RTI formulation in (26) and complement it with two hard constraints. First, we add the constraint ū_0 ∈ Ũ. To facilitate notation, we use an affine operator Ξ_{u0} with ū_0 ≡ Ξ_{u0} v to extract ū_0 from our optimization variables v. Second, we add the affine CBF condition for our CBF for C̃, where we use x̄_0 ≡ Ξ_{x0} v. This leads to the formulation (27), which provides point-wise constraint satisfaction but does not yet guarantee recursive feasibility. To obtain recursive feasibility, we additionally perform the Tube-CBF algorithm from Section IV-B. The combination of RTI and Tube-CBF is summarized in Algorithm 1 and the following theorem.
Theorem 3 (Safe RTI Using Tube-CBF): Consider the dynamical system in (1) under the RTI controller (27) and a reduced safe set C̃ with a corresponding CBF h according to Definition 3. We assume that x(t_0) ∈ C̃. Then C is forward invariant for (1) under (27) at all times t ≥ 0 and hence the constraints are strictly satisfied under the Tube-CBF algorithm. Furthermore, since the constraints are satisfied at all times, the RTI is also recursively feasible.
Proof: We leverage Theorem 2 for the proof. Theorem 2 states that C is forward invariant for all times t ≥ 0 if x(0) ∈ C̃ and there is a discrete-time controller that provides a nominal input ū(t_k) ∈ Ũ such that CBF(x̄(t_k), ū(t_k)) ≥ 0 for all k ≥ 0.
First, note that since U and G are convex polytopes, Ũ is a convex polytope. Thus, u ∈ Ũ ⇔ Au ≤ b for some A and b, i.e., we can encode ū ∈ Ũ as a set of affine conditions. From the definition of CBFs we have that Ũ ∩ {u | CBF(x̄, u) ≥ 0} ≠ ∅ for all x̄ ∈ C̃. Thus, there exists a ū(t_k) such that Aū(t_k) ≤ b and CBF(x̄, ū) ≥ 0, and hence (27) is feasible for all x̄ ∈ C̃, as all other constraints are soft constraints.
By assumption x(0) ∈ C̃ and thus we can use Theorem 2 to guarantee forward invariance of C and correspondingly safety for (1). And since the constraints are affine and thus convex, the feasible ū(t_k) can be found with the QP.
Recursive feasibility can be seen directly from Step 4 in the Tube-CBF algorithm. Since the nominal state x̄(t_k) ∈ C̃ for all k ≥ 0 and since (27) is feasible for all x̄ ∈ C̃, we see that (27) is recursively feasible for all time steps t_k with k ≥ 0.

VI. RESULTS
To demonstrate the performance of the proposed algorithms DBC and Tube-CBF, we performed simulations and hardware experiments. We simulated the DBC as a safety filter in conjunction with a nominal LQR controller, and we implemented the Tube-CBF algorithm with a nominal RTI on a mini-Segway and compared it to several baseline controllers. Figure 1 shows the mini-Segway, which is equipped with an Arduino-capable ATmega32U4 MCU, wheel encoders, low-level motor controllers, and an LSM6DS33 IMU. The mini-Segway connects through I2C to a Raspberry Pi model 3B+, which runs Ubuntu 18.04 and performs the controller computations. We only run the system in a planar mode, i.e., apply the same input to both wheels. The publication [24] presents the dynamics of the mini-Segway.

Fig. 3. The figure shows the simulation of two mini-Segways with different dynamics. We use an LQR controller in conjunction with a DBC safety filter (21) to keep the system safe. We simulate a regulation task with the safety filter applied at various rates. Without the filter, the systems are unsafe (only the slow unsafe dynamics are shown). For sufficiently large filter rates and slow dynamics, the DBC is viable and successfully keeps the system safe.

A. Discrete Barrier Condition
Although the DBC provides a very general formulation for safety guarantees, the approach is too conservative for the particularly fast dynamics of our hardware. Specifically, the resulting Lipschitz constants are large and consequently the feasible region collapses.
However, the DBC is applicable for dynamics with smaller Lipschitz constants. To show the feasibility of the DBC we performed simulations for two different mini-Segways. One has the same dynamics as our hardware, whereas the other has slower dynamics and consequently smaller Lipschitz constants. We use an LQR controller in conjunction with the DBC safety filter (21) to ensure safety. We simulate a regulation task on the position and apply the safety filter at various rates. Without the filter, the system is unsafe for both the fast and slow dynamics. For sufficiently large filter rates and slow dynamics, the DBC is viable and successfully keeps the system safe. Figure 3 shows the simulation results.

B. Tube-CBF Implementation on Hardware
We implement the proposed combination of RTI with Tube-CBF on the mini-Segway and compare its performance to three baseline controllers:

C. Derivation of Tube-CBF
The only hard constraint present in our system is the motor input voltage of ±5.4 V. First, we design an auxiliary controller. We linearize the mini-Segway's dynamics around the origin and compute a full state feedback controller using LQR, with gain K_aux. We need the invariant tube Ω for K_aux to perform the constraint tightening and arrive at a reduced safe set C̃ with the corresponding input constraints Ũ. While [22] presents an approach to compute Ω using Lipschitz continuity, our system's closed-loop Lipschitz constants are large and the approach in [22] is too conservative. Thus, we opted for an inexact constraint tightening of 33 % or ±1.8 V, which we found to work well in practice. Now that we have an auxiliary controller and the corresponding constraint tightening, we compute a CBF for C̃. To this end, we perform a numerical Hamilton-Jacobi reachability analysis [25] on a 99 × 99 × 99 sampling grid of our state space x = [ṡ, θ, θ̇]ᵀ considering our tightened motor voltage constraints of ±3.6 V. We turned the sampled data into an analytical representation of a CBF using polynomial regression.

D. Controller Design
All RTI and NMPC controllers are designed with the same dynamics and a sampling time of 70 ms using FORCES PRO [26], with a quadratic cost. When it comes to computational performance, there is a trade-off between prediction horizon length and update frequency. A longer horizon increases computational intensity, as does a higher frequency. We found the minimal frequency required for stability to be around 33 Hz. The following configurations exploit all of the available computational resources.

E. Control Task and Results
The experimental task is to track a reference position. The results of the experiments are captured in Figures 4 and 5. Figure 4 shows the performance of the full NMPC and the RTI. While the full NMPC cannot handle a 0.4 m step in the reference position, the RTI controller remains safe due to its longer prediction horizon. However, increasing the step in the reference position from 0.4 m to 0.7 m renders the RTI controller unsafe as well, as shown in Figure 5. Extending the RTI controller with our Tube-CBF algorithm successfully keeps the system safe. It is noteworthy that just extending the RTI formulation with the affine CBF condition, but without applying the Tube-CBF algorithm, does not lead to safety. In fact, the affine CBF condition becomes infeasible shortly after the step in the reference position.
This shows that extending MPC with CBFs enhances safety. When using the affine CBF condition, compensating the discretization error is necessary, for example with the Tube-CBF algorithm.

VII. CONCLUSION
In this work, we extend CBFs to account for discretization error and guarantee constraint satisfaction for nonlinear control-affine systems under discrete-time nominal controllers. We presented two algorithms that enforce (a set of) affine conditions at a finite rate to guarantee safety. The DBC relies on Lipschitz continuity to capture the discretization error. The Tube-CBF algorithm relies on an auxiliary controller that spans an invariant tube to compensate for the arising discretization errors. We combine Tube-CBF and approximate NMPC to obtain an efficient algorithm with continuous-time safety guarantees despite the approximate nature of the controller. We validate our proposed approach in hardware experiments on a mini-Segway, and demonstrate the need to account for discretization errors to guarantee safety at all times given limited computational resources.
Future work will focus on making auxiliary controllers and robust control invariant sets available for a larger number of systems. Furthermore, we will extend our formulation to include more real-world challenges, like external disturbances and model mismatch to provide more realistic implementations.