On the sufficient conditions for input-to-state safety

In this paper, we present a novel notion of input-to-state safety (ISSf) for general nonlinear systems which can be useful for certifying a system's safety under the influence of external bounded input (or disturbance) signals. We provide sufficient conditions for ISSf using a barrier function/certificate, analogous to the input-to-state stability Lyapunov function.


I. INTRODUCTION
Robustness analysis tools for safety certification of safety-critical cyber-physical systems have recently been proposed in [14], [15]. In these papers, the notion of input-to-state safety (ISSf) is introduced, which captures the dynamical effect of external disturbance/input signals on the safety of the systems. The notion can be used to describe the robustness of a number of safety control designs which have recently been proposed in the literature. To name a few, we refer to our approach based on the control Lyapunov-Barrier function in [12], [13] and to the min-norm control approach using quadratic programming as in [1], [3], [8], [19].
In [1], [3] and [19], the authors proposed an optimization problem, in the form of a quadratic program, where both control Lyapunov and control Barrier inequalities are formulated as constraints. The proposed method generalizes the well-known pointwise min-norm control method for designing a control law using control Lyapunov functions via an optimization problem [10]. It has been successfully implemented in the cruise control of an autonomous vehicle as reported in [8]. Another direct approach is pursued in [11], [13], which is based on the direct merging of a control Lyapunov function and a control Barrier function. The merging process results in a control Lyapunov-Barrier function which can be used to stabilize the system with guaranteed safety by using Sontag's universal control law.
Despite the appealing idea in the aforementioned works for guaranteeing stability and safety, it remains unclear how to analyze the robustness of the closed-loop system in the presence of external (disturbance) input signals.
There are many tools available for analyzing the robustness of systems' stability, including H∞ and L2-stability theories [16], [4], absolute stability theory [6], input-to-state stability (ISS) theory [18] and many others. However, analogous tools for systems' safety are still lacking, which makes it difficult to carry out a robustness analysis of the aforementioned results that deal with the problem of stabilization with guaranteed safety.

Author affiliations: m.z.romdlony@rug.nl, zakiyullah@telkomuniversity.ac.id; B. Jayawardhana is with the Engineering and Technology Institute Groningen, Faculty of Science and Engineering, University of Groningen, Netherlands, b.jayawardhana@rug.nl.
The seminal work in [17], [18] on the characterization of input-to-state stability has been one of the most important tools in the stability analysis of nonlinear systems. It has allowed us to study the stability of interconnected systems, to quantify systems' robustness with respect to external disturbances and to provide means for constructing a robustly stabilizing control law. The use of an ISS Lyapunov function is crucial in all of these applications. In the following decade, the concept of ISS has been used and/or generalized in various directions, with a commonality on the robustness analysis of systems' stability. However, safety and constraint aspects have not been considered in this framework.
In this paper, we propose a new notion of input-to-state safety which is an adaptation of the ISS inequality to the systems' safety case. In particular, instead of the usual ISS inequality, where the state trajectory x(t) of the system can be bounded from above by a term that depends on the initial condition and decays to zero plus another term that depends on the L∞-norm of the external input signal u(t), we look at the following inequality, where D is the set of unsafe states, |x|_D denotes the distance of x to D, the function σ is strictly increasing, µ is strictly increasing in both arguments, δ > 0, and φ is the gain function that depends on the input u, akin to the ISS case. As will be discussed later in Section 3, the inequality (1) will be called the input-to-state safety (ISSf) inequality.
Roughly speaking, this inequality can be interpreted as follows. When there is no external input signal u, the state trajectory will never get closer to D. On the other hand, if there is an external input signal then it may jeopardize the system's safety when the input signal u is taken sufficiently large. This interpretation matches what we can expect in real systems, where an external disturbance input can potentially bring the system into an unsafe state.
Complementary to the work of Xu et al. in [19], we adapt the ISS framework à la Sontag to the systems' safety case through the use of an ISSf barrier function which implies (1). Preliminary work on this concept has been presented in [14], which is restricted to the case of exponential input-to-state safety. In this paper, we extend it to the general nonlinear case, as well as to the analysis of feedback interconnection. This paper is organized as follows. In Section 2, we briefly recall the notions of stabilization with guaranteed safety, of ISS and of barrier certificates. In Section 3, we formally introduce the notion of input-to-state safety and present our main results on the characterization of ISSf using ISSf barrier functions. Finally, the conclusion is given in Section 4.

II. PRELIMINARIES
Notation. Throughout this paper, we consider an affine non-linear system (2), where x(t) ∈ R^n denotes the state vector and u(t) ∈ U ⊆ R^m denotes an (external) input or disturbance to the system. The functions f(x) and g(x) are C^1, where the space C^1(R^l, R^m) consists of all continuously differentiable functions F : R^l → R^m. Without loss of generality and for simplicity of presentation, we will assume throughout that the solution to (2) is complete (i.e., it exists for all t ≥ 0) for any bounded signal u. This assumption holds when the system has the input-to-state stability property, which we will recall shortly. For a given signal x : R+ → R^n, its L_p norm is given by the usual definition. We denote the class of continuous strictly increasing functions α : R+ → R+ by P and denote by K all functions α ∈ P which satisfy α(0) = 0. Moreover, K∞ denotes all functions α ∈ K which satisfy α(r) → ∞ as r → ∞. By KL we denote all functions β : R+ × R+ → R+ such that β(·, t) ∈ K for a fixed t ≥ 0 and β(s, ·) is decreasing and converging to zero for a fixed s ≥ 0. Correspondingly, we also denote by KK all functions µ : R+ × R+ → R+ such that µ(0, 0) = 0 and µ(s, t) is strictly increasing in both arguments.
Let X0 ⊂ R^n be the set of initial conditions and let an open and bounded set D ⊂ R^n be the set of unsafe states, where we assume that D ∩ X0 = ∅. For a given set D ⊂ R^n, we denote the boundary of D by ∂D and the closure of D by D̄.
Following the safety definition in [13], the (autonomous) system (2) with u = 0 is called safe if for all x0 ∈ X0 and for all t ∈ R+, x(t) ∉ D. Additionally, (2) with u = 0 is called (asymptotically) stable with guaranteed safety if it is both (asymptotically) stable and safe.
As discussed briefly in the Introduction, analyzing the robustness of a system's stability in the presence of an (external) input signal can be done using the input-to-state stability (ISS) framework [17], [18]. Let us briefly recall the ISS concept from [18].
The system (2) is called input-to-state stable if there exist β ∈ KL and γ ∈ K such that for any u ∈ L∞ and x0 ∈ X0, the inequality (3) holds for all t. In this notion, the functions β and γ in (3) describe the decaying effect of a non-zero initial condition x0 and the influence of a bounded input signal u on the state trajectory x, respectively. The Lyapunov characterization of ISS systems is provided in the following well-known theorem from [17], [18].

Theorem 1: The system (2) is ISS if and only if there exists a smooth function V such that (4) and (5) hold for all ξ ∈ R^n and for all v ∈ R^m.

The notion of ISS and its Lyapunov characterization as above have been seminal in the study of nonlinear systems' robustness with respect to uncertainties in the initial conditions and to external disturbance signals. For instance, a well-known nonlinear small-gain theorem in [7] is based on the use of β and γ. The study of the convergent-input convergent-state property as in [5] is based on the use of an ISS Lyapunov function. However, as mentioned in the Introduction, existing results on robustness have focused on systems' stability, and little attention has been paid to the robustness analysis of systems' safety.
Let us recall a few main results in the literature on safety analysis. In order to verify the safety of system (2) with respect to a given unsafe set D, a Lyapunov-like function called a barrier certificate has been introduced in [9], where the safety of the system can be verified through the satisfaction of a Lyapunov-like inequality without having to explicitly evaluate all possible system trajectories. The barrier certificate theorem is summarized as follows.
Theorem 2: Consider the (autonomous) system (2) with u = 0, i.e., ẋ = f(x), where x(t) ∈ X ⊂ R^n, with a given unsafe set D ⊂ X and set of initial conditions X0 ⊂ X. Assume that there exists a barrier certificate B : X → R satisfying (6)-(8). Then the system is safe.
The proof of this theorem is based on the fact that the evolution of B starting from a non-positive value (cf. (7)) will never cross the zero level set due to (8), i.e., the state trajectory will always be safe according to (6).
Although the safety result in Theorem 2 is formulated only for autonomous systems, an extension to the non-autonomous case has also been presented in [9]. For the case where an external input u is considered, e.g., the complete system as in (2), the safety condition (8) becomes (9), where U ⊂ R^m denotes the admissible set of inputs. However, condition (9) is a very restrictive assumption since it must hold for all u(t) ∈ U, including the case when the initial condition x(0) is very close to D. It means that when we start very close to the unsafe set, the system must always remain safe for whatever type of input signal u, as long as it takes values in U. In this case, we can say that such a system is very robust with respect to bounded external input signals. In practice, we should expect a certain degree of fragility in the system, in the sense that, if we start very close to the unsafe set, a small external input signal can already jeopardize the system's safety; a feature that is not captured in (9). Instead of considering inequality (9), we will consider a more restrictive condition on B for our main results later, where the non-increasing assumption on B as in (8) is replaced by the following strict inequality, in which α is a K function.
In [13], [20], the use of such a barrier function B for control design that guarantees safety has been presented. It is shown in these works that the standard Lyapunov-based control design can be directly extended to solving the safety problem by replacing the Lyapunov function with the barrier function. Interested readers are referred to [13] for control design methods that solve the stabilization with guaranteed safety problem by merging the control Lyapunov function with the control barrier function.

III. INPUT-TO-STATE SAFETY
In this section, we will explore a new notion of input-to-state safety as a tool to analyze the robustness of systems' safety. In particular, we focus our study on extending existing results on barrier certificates to the input-to-state safety framework, akin to the role of Lyapunov stability theory in the input-to-state stability results.
Definition 1: The system (2) is called input-to-state safe (ISSf) locally in X ⊂ R^n and with respect to the set of unsafe states D ⊂ X if the inequality (11) holds for almost all t ∈ [0, ∞) and for all admissible¹ (x0, u), where the constant δ > 0 can depend on the boundary of X.
If a system is ISSf, we can infer from (11) that the system (2) may be brought to the unsafe set if the L∞-norm of u is sufficiently large such that the RHS of (11) is negative. Hence one can quantify the robustness of the system's safety with respect to an external input signal using this notion. For instance, if the initial condition x0 is in the neighborhood of the boundary of the unsafe set D then (11) shows that a small external input signal u may steer the state trajectory into D, even when the autonomous case is safe. Since the first element on the RHS of (11) is a KK function, it implies that the distance between x(t) and D is lower-bounded by a strictly increasing function until x(t) leaves X. As this lower bound on the distance is non-decreasing with time, (11) means that the system can eventually withstand larger input signals.

¹ By admissible (x0, u), we mean that the tuple is such that the RHS of (11) is strictly positive for almost all t ≥ 0.
We can also take a different view of the ISSf inequality above. If u is considered to be a disturbance signal with known magnitude, e.g., ‖u‖_L∞ ≤ k with k > 0, then (11) provides us with information on the admissible x0 such that the RHS of (11) remains positive, so that the system under such an external disturbance will remain safe.
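The barrier-certificate reasoning of Theorem 2 (B positive on D, non-positive on X0, non-increasing along trajectories for u = 0) and the fragility reading of the ISSf inequality above can both be checked numerically on a toy system. The following Python script is an added example, not code from the paper or its authors; the damped oscillator, the annular unsafe set D, the candidate B(x) = |x|² − 4 and all sample initial conditions and inputs are constructed here for illustration and are not taken from the paper.

```python
import math

# Constructed toy system (an assumption of this example, not the paper's):
#   x1' = x2,   x2' = -x1 - x2 + u        (damped oscillator with input u)
# Unsafe set D = {x : 2 < |x| < 3}: open and bounded, as required in the paper.
# Initial set X0 = closed ball of radius 1, so D and X0 are disjoint.
R_IN, R_OUT, R_X0 = 2.0, 3.0, 1.0


def f(x, u=0.0):
    """Vector field of the assumed system at state x = (x1, x2) with input u."""
    x1, x2 = x
    return (x2, -x1 - x2 + u)


def B(x):
    """Candidate barrier certificate B(x) = |x|^2 - R_IN^2: positive on D,
    at most -3 on X0."""
    return x[0] ** 2 + x[1] ** 2 - R_IN ** 2


def lie_derivative(x, u=0.0):
    """grad B(x) . f(x, u) = 2*x1*x2 + 2*x2*(-x1 - x2 + u) = -2*x2^2 + 2*x2*u.
    For u = 0 this is <= 0 everywhere (the non-increase condition (8));
    for u != 0 it can be positive, so the input-dependent condition (9) fails."""
    x2 = x[1]
    return -2.0 * x2 ** 2 + 2.0 * x2 * u


def in_unsafe(x):
    """Membership test for the open annulus D."""
    r = math.hypot(x[0], x[1])
    return R_IN < r < R_OUT


def dist_to_unsafe(x):
    """|x|_D: Euclidean distance from x to the annulus D (0 inside D)."""
    r = math.hypot(x[0], x[1])
    if r <= R_IN:
        return R_IN - r
    if r >= R_OUT:
        return r - R_OUT
    return 0.0


def check_certificate(grid_n=41, box=4.0):
    """Sample the three barrier-certificate conditions on a grid over
    X = [-box, box]^2 (a numerical sanity check, not a proof):
    B > 0 on D, B <= 0 on X0, and grad B . f <= 0 on X with u = 0."""
    step = 2.0 * box / (grid_n - 1)
    for i in range(grid_n):
        for j in range(grid_n):
            x = (-box + i * step, -box + j * step)
            if in_unsafe(x) and not B(x) > 0.0:
                return False
            if math.hypot(x[0], x[1]) <= R_X0 and not B(x) <= 0.0:
                return False
            if lie_derivative(x) > 1e-12:
                return False
    return True


def simulate(x0, u_const, t_end=20.0, dt=1e-3):
    """Integrate the system (RK4) under a constant input u_const and report
    (entered_D, min_t |x(t)|_D): whether the trajectory ever entered D and
    how close it came to D."""
    x = (float(x0[0]), float(x0[1]))
    entered = in_unsafe(x)
    dmin = dist_to_unsafe(x)
    for _ in range(int(round(t_end / dt))):
        k1 = f(x, u_const)
        k2 = f((x[0] + 0.5 * dt * k1[0], x[1] + 0.5 * dt * k1[1]), u_const)
        k3 = f((x[0] + 0.5 * dt * k2[0], x[1] + 0.5 * dt * k2[1]), u_const)
        k4 = f((x[0] + dt * k3[0], x[1] + dt * k3[1]), u_const)
        x = (x[0] + dt / 6.0 * (k1[0] + 2 * k2[0] + 2 * k3[0] + k4[0]),
             x[1] + dt / 6.0 * (k1[1] + 2 * k2[1] + 2 * k3[1] + k4[1]))
        dmin = min(dmin, dist_to_unsafe(x))
        if in_unsafe(x):
            entered = True
    return entered, dmin


if __name__ == "__main__":
    print("certificate conditions hold on grid:", check_certificate())
    # Same bounded input, different starting points: safe from the origin,
    # unsafe from a point just inside the boundary of D.
    for x0, u in [((0.0, 0.0), 0.0), ((1.5, 1.2), 0.0),
                  ((0.0, 0.0), 1.5), ((1.5, 1.2), 1.5)]:
        entered, dmin = simulate(x0, u)
        print(f"x0={x0}, u={u}: entered D = {entered}, min |x|_D = {dmin:.3f}")
```

With u = 0 the candidate B passes the sampled conditions and no trajectory reaches D, matching Theorem 2. With the same constant input u = 1.5, the trajectory from the origin stays clear of D while the trajectory starting at distance about 0.08 from D enters it: the same bounded disturbance is harmless far from D and fatal near its boundary, which is exactly the trade-off between |x0|_D and ‖u‖_L∞ that the ISSf inequality encodes and that the uniform condition (9) cannot express.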
Let us now investigate the ISS-Lyapunov-like condition for input-to-state safety of system (2) in the following proposition.
Proposition 1: Consider system (2) with a given unsafe set D ⊂ X ⊂ R^n. Suppose that there exists an ISSf barrier function satisfying (12)-(13), where α_i ∈ K∞, i = 1, ..., 4. Assume further that the system is ISS.
Then the system is input-to-state safe locally in X and w.r.t. D. In particular, for any θ, ε ∈ (0, 1) and for all x0 ∈ R^n \ D, the ISSf inequality (11) holds for all t ≥ 0 and for all admissible (x0, u), where σ, y(0) = s ∈ R+, so that α(s, t) := y(t) for all s ≥ 0.
The complete proof of the proposition can be found in [15]. The main idea of the proof is that we evaluate the evolution of the barrier function B along the trajectory of the state x for a given bounded input signal u. Following a derivation similar to that of the ISS property from an ISS Lyapunov function, we can show that when the input is small the distance is bounded from below by an increasing function of time and, on the other hand, when the input is large the distance can be lower-bounded by a positive function that depends on the input. Finally, we can patch the two lower-bound functions together.
The ISS assumption in this proposition can be relaxed to weaker conditions that guarantee the boundedness of |x(t)|_D. For instance, we can assume that the system is integral input-to-state stable or practically input-to-state stable.
One can see from Proposition 1 that the inequalities in (12) and (13) are reminiscent of those used in the study of ISS Lyapunov functions. In this context, the inequality (13) resembles the dissipation inequality of the ISS Lyapunov function and the growth of B as in (12) can be likened to the growth of V as in (4), albeit they grow with a different sign as well as with a different metric norm.
We can now combine the notion of input-to-state stability and that of input-to-state safety, which allows us to study the robustness of a stable and safe system with respect to an external input signal u.

Definition 2: System (2) is called ISS with guaranteed safety (ISS-GS) with respect to D if there exists X ⊂ R^n such that the system (2) is both input-to-state stable and input-to-state safe locally in X and w.r.t. D ⊂ X.
It is trivial to show that if there exist both an ISS Lyapunov function V satisfying (4)-(5) and an ISSf barrier function B satisfying (12)-(13) locally on X ⊂ R^n with D ⊂ X, then the system is input-to-state stable with guaranteed safety. Instead of considering two separate functions V and B as suggested above, we can also consider combining the ISS Lyapunov inequality (5) and the ISSf barrier inequality (13), as shown in the following corollary.
Corollary 1: Suppose that there exist W : R^n → R and D ⊂ X ⊂ R^n such that the following inequalities hold, where Ξ_X is the indicator function of X, c > 0, and the functions α_i ∈ K∞ for i = 1, ..., 7. Then the system (2) is ISS with guaranteed safety with respect to D.
Proof: It is trivial to check that W(x) qualifies as an ISS Lyapunov function satisfying (4)-(5) and as an ISSf barrier function satisfying (12)-(13) locally in X. The ISS property follows trivially from (14) and (16) and Theorem 1. Let B(ξ) = W(ξ) − c for all ξ ∈ X \ D. Subsequently, let the function B be extended smoothly to ξ ∈ R^n \ X so that (12) holds for all ξ ∈ R^n \ D. It follows from (16) that the required inequality holds for all ξ ∈ X \ D and for all v ∈ U. By Proposition 1, this implies that the system is ISSf.

IV. CONCLUSION
In this paper, we have presented a new notion of input-to-state safety for nonlinear systems which is complementary to the well-known input-to-state stability notion and provides safety certification for a system under the influence of external disturbance signals. We have also presented sufficient conditions for a nonlinear system to be ISSf by using a barrier certificate/function satisfying a dissipation inequality that resembles that of the ISS Lyapunov function.
For a given set M ⊂ R^n, we define the distance of a point ξ ∈ R^n with respect to M by |ξ|_M := min_{a ∈ M} ‖ξ − a‖, where ‖·‖ is a metric norm. We define an open ball centered at a point a ∈ R^n with radius r > 0 by B_r(a) := {ξ ∈ R^n | ‖ξ − a‖ < r} and its closure is denoted by B̄_r(a).