f 1 ; f 2 ; g 1 ; g 2 = arbitrary functions in model definition H i = inner constraint set corresponding to h i , index potentially omitted H Δ i = subset of inner constraint set corresponding to h i with margin Δ, index potentially omitted h i = generic control barrier function, index potentially omitted M 1 ; M 2 ; M alt 2 = constants of a constraint function of relative degree 1 M - 2 ; M 2 ; M - 3 ; M 3 = constants of a constraint function of relative degree 2 p η ; p alt η = polynomials that upper bound evolution of a constraint function of relative degree 1 p κ ; p h = polynomials that upper bound evolution of a constraint function of relative degree 2 Q i = constraint set corresponding to κ i , index potentially omitted Q δ i = subset of constraint set corresponding to κ i with margin δ, index potentially omitted q = state coordinates in Eq. ( 1), also used as quaternion in Eq. (2) S = safe set (intersection of constraint sets) ssq∶R → R = ssqλ λjλj (ssq is monotone increasing, invertible, and once continuously differentiable) T = time step of discretization T = set of considered times t = time (arbitrary units) t s = specific time instance on a trajectory (see also σ) t 0 = initial time U = set of allowable control inputs U z i = set of guaranteed safe control inputs for the ith constraint, index potentially omitted u = control input V i = constraint set corresponding to η i , index potentially omitted v = state velocities in Eq. (1) w = vector of wheel states w i in Eq. (2) X = set of possible states x = full state vector x is equal to q; v Z = inverse of combined matrix of moments of inertia Z 11 ; Z 12 ; Z 21 ; Z 22 = submatrices of Z Z i = robust inner constraint set corresponding to κ i or η i , index potentially omitted η i = generic relative-degree-1 constraint function, index potentially omitted κ i = generic relative-degree-2 constraint function, index potentially omitted μ = parameter used to define control barrier functions for relative-degree-2 constraints Ξ = set of considered disturbances ξ = perturbing input σ = specific time instance on a trajectory (see also t s ) τ = arbitrary number in R ≥0 ϕ = function for _ η under no disturbances ϕ 1 ; ϕ 2 = functions used for constructing relativedegree-1 safety conditions ψ = function for κ under no disturbances ω = angular velocity state in Eq. (2) ; , ;
= open interval, closed interval
T HIS paper extends the recent theory of control barrier functions (CBFs) to solve the problem of constrained spacecraft attitude reorientation. At present, most spacecraft reorientations are accomplished either via shortest-path maneuvers, which can be easily implemented onboard a spacecraft, or else are preplanned by ground operators when more complex maneuvers are required. As the number of active spacecraft increases, there is potential for reducing operating costs in the latter case by increasing spacecraft autonomy, i.e., by computing maneuvers onboard without consulting ground operators. A common scenario in which shortest-path maneuvers are not allowable is when a spacecraft is not permitted to point sensitive instruments (body-fixed vectors) at bright objects (inertially fixed vectors), or equivalently, when a spacecraft is required to keep an instrument pointed in a specified direction.
The problem of constrained reorientation has been studied extensively, using methods including path planners [1][2][3][4][5][6][7][8][9][10], model predictive controllers (MPCs) [11][12][13][14][15], sliding mode controllers (SMCs) [16][17][18], reference governors [19], and barrier functions [20][21][22][23][24]. It has also been studied using CBFs combined with path planning *Ph.D. Candidate, Department of Aerospace Engineering; jbreeden@ umich.edu. Student Member AIAA (Corresponding Author).
† Associate Professor, Department of Robotics and Department of Aerospace Engineering; dpanagou@umich.edu. Member AIAA.
in [25], along with cursory treatment using CBFs with controllers computed online in [26][27][28][29]. Compared to prior approaches, this paper develops a method that provably guarantees both state constraint (i.e., instrument pointing requirements are obeyed) and input constraint (i.e., maximum allowable torques are not exceeded) satisfaction in the presence of bounded disturbances and under a sampled-data control law. The final control law is the output of a four-dimensional quadratic program (QP) that is computationally lightweight. These guarantees are particularly useful when designing SmallSat attitude controllers, which often operate with infrequent ground contact, using undersized actuators (i.e., tight input constraints), at low altitudes (i.e., large disturbances), at low control sampling frequencies, and with limited computational capabilities.
To employ standard CBF terminology, we refer to the set of states with allowable separations between all instruments and all bright objects, and with allowable angular rates, as the safe set, which we assume to be nonempty at all times. The central problem is that of rendering trajectories always inside the safe set from some viable set [30] of initial conditions where this problem is well-posed.
Early work on constrained reorientation in [20] developed a Lyapunov function for safe reorientation in terms of Euler angles, though this Lyapunov function may be nonconvex. The authors in [1] noted that this same constraint could be expressed as a convex set of quaternions, and in [21,22] authors developed a strictly convex Lyapunov function in terms of quaternions. The work in [17,18] added an angular velocity constraint and actuator-allocation algorithm to the same technique. The work in [24] expanded the technique to modified Rodrigues parameters and proposed a method for ensuring input constraint satisfaction. Note that, while these Lyapunov functions resulted in simple control laws that could be implemented online, none of these approaches consider controller sampling, and these controllers can result in slow trajectories, as we show in Sec. V.
An early path-planning technique utilized a variant of rapidly exploring random trees to find safe paths in SO3 space [10]. Later, path-planning techniques using direct optimization along with the quaternion constraint identified in [1] were developed in [1,2,6] and combined with translational planning in [5], though these methods are potentially too computationally intensive to implement online on a spacecraft processor. Related work in [3,4,8] discretized the safe set to a finite set of nodes and used graph search techniques to plan paths between the nodes. The maneuvers resulting from these techniques are safe but possibly inefficient due to the discretization. The planners in [7,9] add additional refinements to improve efficiency, whereas the controller proposed in [25] executes a faster transition between the path nodes and uses CBFs to keep the trajectory within a safe region around the preplanned path. By comparison, the approach employed in this work and in [21,22] only keeps the state away from unsafe states rather than in a neighborhood of a precomputed safe path as in [25].
MPC approaches to constrained reorientation, such as [11] and its extensions in [12,13], are generally special applications of pathplanning techniques. Similarly, the SMC approach in [16][17][18] and the approximate optimal control via reinforcement learning in [23] are special applications of the barrier functions used in [21,22]. While MPC and optimal control can provide safety guarantees, in this paper, we seek a method that is less computationally intensive. The reference governor approach in [19] is notable because it developed an explicit control law without path planning that is guaranteed to satisfy input constraints. However, few of the aforementioned approaches explicitly consider disturbances, whereas there is extensive CBF literature on disturbance rejection [31,32], and a recent result on simultaneous disturbance rejection and input constraint satisfaction [33]. Finally, spacecraft often operate with digital controllers with slow update cycles. Path planners and MPC can account for controller sampling given sufficiently sophisticated models, while most Lyapunov methods cannot. On the other hand, margins for controller sampling have also been considered in prior CBF literature such as [29,34], which this paper will extend to also account for relative-degree-2 state constraints, input constraints, and disturbance rejection.
CBFs are a Lyapunov-like method for determining safe control inputs, i.e., control inputs that generate trajectories that provably satisfy the state constraints. For an overview of CBFs, see [35]. In this methodology, we assume that each requirement that the system trajectories must satisfy is expressed as the state belonging to a given constraint set (e.g., the set of states such that a particular instrument is sufficiently far away from a particular bright object). The safe set is then the intersection of all constraint sets [36,37]. For each constraint set, we then construct a corresponding CBF (e.g., [33,38,39]) and associated zero-sublevel set, herein called an inner constraint set. Each CBF then provides a pointwise condition on the control input that is sufficient to ensure that state trajectories always belong to the CBF's inner constraint set. Multiple CBFs and inner constraint sets may then be combined to establish forward invariance of a subset of the safe set [36,37]. Application of CBFs to attitude control was first suggested in [27], and in fact, it would be simple to express the quaternion constraint developed in [1] as a CBF. However, such a CBF would suffer from the same challenges with input constraints, disturbances, and controller sampling as the related Lyapunov approaches in [17,18,21,22]. These challenges are amplified when some of the constraint functions are of relative degree 2 with respect to the system dynamics, as is the case for spacecraft pointing constraints. That said, extensions of [35] in the CBF literature provide several general tools for addressing these challenges [29,31-33, 35,40,41], as well as other potentially relevant phenomena not presently considered. The authors have recently addressed input constraint satisfaction, robustness to disturbances, and zero-order-hold (ZOH) controller sampling with CBFs individually in [29,33,41], and will incorporate and extend all of these results in this paper. In particular, we will show in Example 1 that the ZOH discretization method in [29] is not immediately compatible with the input constraint work in [33,40,41], so the bulk of Sec. III is devoted to reconciling these two approaches while minimizing conservatism. We then apply all the CBF conditions together online using an m-dimensional (QP), where m is the number of control inputs and is generally far smaller than the dimension of the optimizations in planning or MPC approaches.
The rest of this paper is organized into both 1) a general method accomplishing the above foci for arbitrary systems and constraints, and 2) a case study that applies this method to the constrained reorientation problem. The case study is presented in parallel as each step of the theory is developed for numerical motivation. Section II presents the formulation of the general problem, and of the specific system and constraints used in the case study. Section III presents the main result combining ZOH control inputs [29] with input constraints [33,40,41] and disturbances [31,33] for relative-degree-2 constraints (e.g., pointing constraints), while Sec. IV presents a related extension of [29] for relative-degree-1 constraints (e.g., angular rate constraints). Section V presents the real-time QP controller and simulations both in MATLAB and in a NASA-developed attitude control simulator. Section VI presents concluding remarks. Proofs of the theorems in Secs. III and IV are contained in the Appendix.
Drawing upon [37], let q ∈ Q ⊆ R n 1 be the coordinates and v ∈ V ⊆ R n 2 the velocities of a second-order system:
_ v f 2 t; q; v g 1 t; q; vu g 2 t; q; vξ (1b)
and control u ∈ U ⊂ R m , where U is compact, and disturbance ξ ∈ Ξ ⊂ R p , where Ξ is bounded. Assume that function f 1 is twice continuously differentiable in all arguments, that functions f 2 ; g 1 ; g 2 are continuously differentiable in all arguments, and that f 1 ; f 2 ; g 1 ; g 2 ; u; ξ are sufficiently regular so as to admit unique system trajectories for the entire time domain T. The results of this paper hold for general f 1 ; f 2 ; g 1 ; g 2 , but we are most interested in applications to attitude control, so suppose the following specific system.
Case Study Part i (System Definition): Assume a single rigid-body spacecraft. Let F N be an inertial frame and F B a spacecraft-fixed frame. For this case study, let Q fq ∈ R 4 jkqk 1g be the quaternion space and let q q 0 ; q 1 ; q 2 ; q 3 T ∈ Q be the quaternion (with scalar element q 0 first) that rotates from F N to F B . Let ω ∈ R 3 be the angular velocity of F B with respect to F N expressed in frame F B . Suppose that the spacecraft has m reaction wheels. Let a i ; i 1; : : : ; m, a i ∈ R 3 , ka i k 1, denote the spin axes of the wheels in frame F B , and define A ∈ R 3×m as A ≜ a 1 ; : : : ; a m . Let w i ; i 1; : : : ; m, w i ∈ R, denote the angular velocity of the wheels with respect to F B , and define w ∈ R m as w w 1 ; : : : ; w m T . The system velocities as in Eq. (1b) are v ω; w ∈ V R 3m . Assume that each wheel is axially symmetric and let J w;i ∈ R >0 be the axial moment of inertia of the ith wheel, and let J w ∈ R m×m be a diagonal matrix whose ith row and column element is J w;i . Let J b be the moment of inertia of the spacecraft without wheels plus the transverse moments of inertia of the wheels (e.g., see [42] (Eq. 3.140, Chap. 3.3.5.1)) expressed in frame F B , and let J tot ≜ J b m i1 J w;i a i a T i denote the total moment of inertia of the spacecraft. Assume that J b and J w are constant. The spacecraft state is then x q; ω; w ∈ X Q × R 3m and the dynamics [43] are
where u ∈ U ⊂ R m is the commanded wheel torque. The maximum wheel torque is limited to u max , so U fu ∈ R m jkuk ∞ ≤ u max g. For this particular case study, we suppose a 6U CubeSat with parameters given in Table 1 and visualized in Fig. 1. Note that we have chosen a configuration with four wheels in Table 1 rather than a more typical three-wheel configuration in order to demonstrate the general applicability of these results. The wheel moments of inertia and maximum torques in Table 1 are based off a commercially available wheel package, ‡ with the maximum per-wheel torque reduced to be comparable to a three-wheel configuration. Let Ξ fξ ∈ R 3 jkξk ≤ ξ max g for ξ max in Table 1, which comes from approximate values of aerodynamic drag on a 6U CubeSat at 500 km altitude.
Next, suppose that the trajectories of Eq. ( 1) are required to lie in the intersection of several constraint sets, each defined by the zero sublevel set of some constraint function. Let κ i ∶T × Q → R for i 1; : : : ; N 1 denote the relative-degree-2 constraint functions, and let η i ∶T × V → R for i N 1 1; : : : ; N 1 N 2 denote the relativedegree-1 constraint functions. The constraint sets are
and the resultant safe set is
where Q i , V i , and S are permitted to be time-varying. As an abuse of notation, we will generally write κ i t; x and η i t; x in place of κ i t; q and η i t; v in order to match the CBF notation in Sec. II.C. Some constraint functions that are common in attitude control are as follows; these constraints are also the basis of our simulations in Sec. V.
Case Study Part ii (Constraints): For the spacecraft system in Eq. ( 2), let b ∈ R 3 , kbk 1, be a body-fixed vector, such as an instrument boresight vector (e.g., the green or blue vectors in Fig. 1). Let st, kstk 1, be a vector, potentially time-varying (provided s is thrice continuously differentiable), for which we require that the angle between st and b is always at least θ (e.g., the local sun vector, represented by the yellow vector in Fig. 1). This leads to a constraint function of the form
where Rq is
2q 1 q 2 -2q 0 q 3 2q 0 q 2 2q 1 q 3 2q 0 q 3 2q 1 q 2 1 -2q 2 1 -2q 2 3 2q 2 q 3 -2q 0 q 1 2q 1 q 3 -2q 0 q 2 2q 0 q 1 2q 2 q 3 1 -
This is a relative-degree-2 constraint function, since _ κ b is not a function of u; ξ. Note that Eq. ( 5) can be used to express both keep-out and keep-in zones. Also note that κ b in Eq. ( 5) is equivalent to κ b t; q q T Mq in [1] (Eq. 2.5), where M is given in [1] (Eq. 2.6) and q -q 1 ; -q 2 ; -q 3 ; q 0 T is the conjugate of q where jP ij j < 10 -20 for i ≠ j e max 5.09210 -5 kg ⋅ m 2 ∕s 2 w max 628.3 rad∕s ξ max 1.0010 -5 N ⋅ m with the scalar element q 0 last (the conjugate arises because of notational differences with [1]). Next, we also require that the maximum angular rate of the spacecraft is bounded for safety of the spacecraft structure. This leads to the constraint function η ω t; v ω T Pωe max (7) where e max ∈ R and P ∈ R 3×3 are given in Table 1. The values of e max and P are constructed so that the safe set allows for angular rates of up to 1 deg/s on the largest principal axis and up to 2.730 deg∕s on the smallest principal axis, and will be elaborated upon in Case Study Parts xi-xii. This is a relative-degree-1 constraint, since _ η ω is a function of u; ξ. Finally, we require that the wheel angular velocities are limited, so introduce m constraint functions:
where w max is a constant. This paper will assume that a suitable momentum dumping control law (e.g., scheduled thruster or magnetorquer application) has been developed so that the constraints encoded by η w i t; x are always satisfied without impacting the rest of the control design. Thus, we only focus on the relative-degree-1 constraint in η ω and the relative-degree-2 constraint in κ b , though we still incorporate the wheel rate bounds in Eq. ( 8) in the safe set construction in Eq. ( 4). Finally, for this case study, suppose that there are two constraints of the form Eq. ( 5) for body-fixed vectors b 1 and b 2 , so the safe set is
This paper will utilize and extend CBF theory to address the problem of rendering state trajectories always inside the safe set. A formal definition of CBF with robustness to bounded disturbances is as follows.
Definition 1 ([33] Def. 3): For the system (1), a continuously differentiable function h i ∶T × X → R is a CBF on the set S if there exists a locally Lipschitz continuous class-K function
where H i is called the inner constraint set and is given by
That is, a scalar-valued function h i is a CBF if there is sufficient control authority given the set U that the total derivative of h i can be upper bounded regardless of the disturbance value ξ in the considered set Ξ. The following lemma, derived from [33] (Lemma 4) and [37] (Lemma 3), can then be used to guarantee forward invariance (i.e., safety) of the set
for all t ∈ t 0 ; t f , where t f is possibly ∞, then xt remains in H i t for all t ∈ t 0 ; t f . That is, as long as the control law satisfies the condition (11), called the CBF condition, the state trajectory cannot leave H i ; i.e., H i is a controlled-invariant set. In general, H i is not equivalent to S, because there may exist states in St 0 that are instantaneously safe at t 0 , but that cannot be rendered safe for all t ∈ t 0 ; t f [33]. Thus, we call H i an inner constraint set. We note that Lemma 1 can be applied to any number of CBFs, so we seek a collection of CBFs fh i g M i1 such that ∩ M i1 H i is a subset of S in Eq. ( 4) (see [37] Lemmas 2 and 3). Specifically, our final control law will employ one CBF h i for each constraint function κ i or η i (equivalently, one CBF set H i for each constraint set Q i or V i ) in order to leverage existing literature [33,40,41], though such a one-to-one correspondence is not necessary [37].
Denote the set of control inputs satisfying Eq. ( 11) as U h i t; x. Note that the total derivative of h i is
so each condition (11), i 1; : : : ; N 1 N 2 , is affine in u and each U h i is a half-space. Thus, a QP-based control law as in [35] (Sec. II.C) can efficiently solve for u satisfying several constraints of the form Eq. ( 11) simultaneously.
For each relative-degree-1 constraint η i in Eq. (3b), we will choose the CBF h i ≡ η i so H i ≡ V i . For the relative-degree-2 constraints κ i in Eq. (3a), various methods to construct a CBF h i such that H i ⊆ Q i are covered in [33,40,41], and this paper will extend the method in [33] (Sec. 3.1) specifically. For a constraint function κ i satisfying certain properties (covered in [33] Sec. 3.1), one possible choice of CBF is
for some parameter μ > 0. This choice of CBF does not work for all systems, but is particularly useful for systems similar to the double integrator, such as a double integrator with small nonlinearities. We hypothesize that Eq. ( 13) can be used for pointing constraints as in Eq. ( 5), so this is the only CBF for relative-degree-2 constraint functions κ i considered in this paper. Possible extensions of the other CBFs in [33,40] to ZOH control inputs are left to future work. Let μ 1 > μ 2 > 0, and let h i;μ 1 and h i;μ 2 be two corresponding CBFs. Note that H i;μ 1 ⊃ H i;μ 2 . Thus, the least conservative CBF of the form (13) will have the largest allowable parameter μ. Also note that with h i as in Eq. ( 13), the set H i is does not meet our requirement that H i is a subset of Q i . To address this, we recall the following lemma.
Lemma 2 ([33] Lemma 7): Let ut; x be a control law. For some function κ i , let h i be as in Eq. ( 13). If xt 0 ∈ H i t 0 ∩ Q i t 0 and u satisfies Eq. ( 11) for all t ∈ t 0 ; t f , where t f is possibly ∞, then xt remains in
That is, even though Lemma 1 only guarantees forward invariance of H i , because of the special form of h in Eq. ( 13), the set H i ∩ Q i is also rendered forward invariant. We now consider how Eq. ( 13) applies to our case study.
Case Study Part iii (Continuous-Time CBF): For the constraint function κ b in Eq. ( 5), the function h b in Eq. ( 13) is a CBF on S as in Definition 1 for any parameter 0 < μ ≤ 0.0025.
Thus far, all results have been for continuous controller updates, but our goal is to apply the CBFs ( 13) and ( 7) when the controller is instead updated at a fixed frequency. Now suppose that the control input u is updated at discrete times t k ; k ∈ N, where t k1t k T for fixed time-step T > 0, and that u is fixed between time steps k and k 1. That is, we seek a ZOH control law ut u k ; ∀t ∈ t k ; t k1 (14) where
Since the control input is updated only at the times t k , it is difficult to ensure that Eq. ( 11) is satisfied at every time instant (i.e., including between time steps), as is required for Lemma 1 to apply. The work in [29] summarizes three stricter versions of Eq. ( 11) that when applied only at times t k ; k ∈ N ensures that the original condition (11) is always satisfied between time steps, and a related method that accomplishes the same result without using Eq. ( 11). However, the methods in [29] do not easily apply to CBFs constructed from relative-degree-2 constraint functions, such as in Eq. ( 13). This is demonstrated by way of the following example.
Example 1: Given a relative-degree-2 constraint function κ i , one possible CBF is that in Eq. ( 13) for some constant μ > 0. According to [29] (Thm. 3), this CBF can be rendered safe in a ZOH fashion if for all x ∈ H i t; t ∈ T there exists u ∈ U such that
where r ≥ 0 is a parameter defined in [29] (Eq. ( 17)). As explained in [29], r could either be a constant ("global" case), or a function of t; x ("local" case) depending on the implementation. In either case, r represents possible values of κ i and, for that reason, is usually lower bounded by a positive number, here denoted r 0 > 0 (in the global case, let r 0 r).
The issue that arises here is that, for any arbitrarily small δ > 0, there exist x ∈ H i t; t ∈ T such that _ κ i t; x δ and κ i t; x δ 2 2μ . For such x, Eq. ( 15) simplifies to
Because r ≥ r 0 > 0, it follows that lim δ→0 ϵδ -∞. That is, the ZOH sampling margin r causes the required κ i to go to -∞ near the boundary of H i , which also causes the required u to become unbounded. Thus, the methods in [29] cannot be applied to the CBF (13), or any of the relative-degree-2 strategies in [33], if there are also input constraints.
Thus, the method in [29] suffers from the infeasibility of the condition [29] (Eq. 5) when the control input u is constrained. The interested reader can examine this problem further by downloading the code linked in [29] and increasing the value of the constant μ in [29] (Table 1). Thus, the central problem of this paper is as follows.
Problem 1: Given the safe set S in Eq. ( 4), focus on a single constraint function η i ∶T × V → R or κ i ∶T × Q → R that is of relative degree 1 or 2, respectively, with respect to the dynamic model (1). Assume that xt k ∈ St k in Eq. (4) at the current sample time k, and that all other constraints xt ∈ Q j t and xt ∈ V j t for j ≠ i are satisfied for all t in the inter-sample period t k ; t k1 . We seek to derive a set Z i t ⊆ Q i t or Z i t ⊆ V i t for all t ∈ T and a set
We refer to set Z i as the ith robust inner constraint set. Similar to how we restricted the constraint set Q i to the inner constraint set H i to account for input constraints, leading to the safe control set U h i , in this paper, we will further restrict the allowable sampled states to the new set Z i to account for disturbances and controller sampling, leading to the new safe control set U z i . Figure 2 shows the relation between Q i (cyan), H i (hashed), and Z i (gray) for a relative-degree-2 constraint function. Section III will address the relative-degree-2 case of Problem 1, while Sec. IV will address the simpler relativedegree-1 case.
We begin by addressing the relative-degree-2 case of Problem 1, as the relative-degree-1 case easily follows. In this section, we drop the subscript i, so let κ denote any relative-degree-2 constraint function [e.g., Eq. ( 5)], and h the corresponding CBF as in Eq. ( 13). The core idea of this method, and those in [29,34], is that given ht k ; xt k ≤ 0, we want to identify a formula for a worst-case value of ht k τ; xt k τ, denoted h bound t k ; xt k ; τ, for τ ∈ 0; T and find a suitable control input to ensure that h bound t k ; xt k ; τ is nonpositive for all τ ∈ 0; T. However, the problem highlighted in Example 1 is that the worst-case formulas h bound following from all the methods in [29,34] rely upon linear approximations of h on the interval t k ; t k1 . The obvious extension is to use a higherorder approximation of the worst-case trajectory that h could follow between time steps. However, when using a higher-order approximation, it is no longer sufficient to only check that h bound t k ; xt k ; T ≤ 0, as there may exist τ ∈ 0; T such that h bound t k ; xt k ; τ > h bound t k ; xt k ; T, as visualized by the red and cyan points in Fig. 3. Thus, unlike in [29,34], we must instead check that h bound t k ; xt k ; τ ≤ 0 for all τ ∈ 0; T, which adds complexity to the problem. To address this possibility of exiting and returning to the inner constraint set, we seek local maximizers σ (e.g., the red circle in Fig. 3) such that h bound t k ; xt k ; σ ≥ h bound t k ; xt k ; τ for all τ ∈ 0; T. We then identify a bound Δ on the differences h bound t k ;xt k ;σht k ;xt k and h bound t k ; xt k ; σh bound t k ; xt k ; T and define the sets for all τ ∈ 0; T. This is visualized in Fig. 2, where the red sample trajectory is always safe, because at the sample times t k , the trajectory meets the stricter condition of being in the gray set.
To define a set Z as in Problem 1, we will need expressions for suitable Δ in Eq. ( 16) and δ in Eq. ( 17), from which it will follow that Z H Δ ∩ Q δ . We seek to minimize conservatism, i.e., to choose the smallest δ; Δ for which we can still provably demonstrate safety between each t k and t k1 . To this end, Secs. III.C and III.D study possible expressions for δ; Δ that work well for the system (2), and that lead to a final control strategy summarized in Theorem 4. We begin by presenting a naive approach to determining Δ; δ. Assuming a second-order h bound function [such as that in Eq. ( 28)], the required margin Δ can be determined entirely by the values of the second derivative h. Thus, consider the following (very conservative) baseline example with numbers derived from our case study.
Case Study Part iv (A Naive Approach to Computing Maximum Overshoot): Let the time step for the controller of Eq. ( 2) be T 0.2 s. Let h b as in Eq. ( 13) be a CBF for κ b in Eq. ( 5) and suppose that μ 0.00167 as in Table 2 (which we will justify later). Suppose that ξ ≡ 0 for this example. Let r min x∈St;t∈T;u∈U h b t; x; u; 0 -0.550. It follows that one possible upper bound on the overshoot of h b between time steps is Δ -1 8 T 2 r 2.7510 -3 . We will show in Secs. III.C and III.D that this is over 200 times as conservative as necessary for this system.
We now proceed similarly to [29] by defining several constants of the system, analogous to the Lipschitz constants in [29], and then using these constants to bound system behavior. First, define
The constants M - 2 and M 2 represent bounds on our uncertainty in κ because of the unknown disturbance. We assume that Eqs. ( 18) and ( 21) are well-defined. We represent the component of κ that is certain using the function ψ as follows:
In practice, the value of ψ is exactly known only at the sampling times t k , so we also define the constants to describe our uncertainty in the evolution of ψ between time steps due to both the ZOH sampling and the disturbance. That is, for τ > 0,
Note that the control input u is the same on both sides of the inequalities in Eq. ( 22), so these inequalities are only useful during a single ZOH time step. Also, unlike in [29], we assume the bounds M - 2 ; M 2 ; M - 3 ; M 3 are global (i.e., are computed over all of S for simplicity, though extensions for local bounds computed online as in [29] could also be developed at greater computational cost. If the global bounds ( 18) and ( 21) are undefined, then more involved analysis than is presently considered may be required. Note that we defined the lower bounds M - 2 ; M - 3 and upper bounds M 2 ; M 3 separately to cover cases such as when the dynamics and/or disturbance environment are known to tend to increase/decrease h [e.g., if the unsafe state is of higher/lower potential energy than other states, such as would occur if gravity gradient were included in Eq. ( 2)]. In other cases, it may occur that M - 2 -M 2 and M - 3 -M 3 . In the upcoming theorems, we will need the following relations. Let σ be some time in t k ; t k1 , where u is constant on t k ; t k1 , and let τ ∈ R ≥0 be such that σ τ (or σ -τ) is also within t k ; t k1 . Then, using only the time argument for brevity, it holds that κσ
Case Study Part v (Constants): For the system (2) and constraint κ b in Eq. ( 5), the values of M - 2 ; M 2 ; M - 3 ; M 3 are given in Table 2. Note that these values hold for all θ ≤ π∕2 in Eq. ( 5), and are larger than the resultant values (i.e., are overly conservative) when θ > π∕2.
Using the above constants, we now determine suitable values of Δ; δ for Eqs. ( 16) and (17) in two parts. First, we note that a necessary condition for a maximizer σ of h occurring between time steps t k and t k1 is _ hσ; xσ; u k ; ξ 0. Because of the form of h in Eq. ( 13), a sufficient condition for _ h 0 is _ κ 0, so maximizers of h will often be co-located with maximizers of κ, as illustrated by the blue lines in Fig. 4. Thus, this subsection determines appropriate margins Δ; δ specifically when the maximizers of κ and h are co-located, while the following subsection determines these margins when this is not the case (green lines in Fig. 4). We begin with the following lemma.
Lemma 3: Suppose that κ is thrice differentiable and of relative degree 2 with respect to Eq. ( 1), and u is constant on t k ; t k1 . If σ ∈ t k ; t k1 is the time of a local maximizer of h in Eq. ( 13) on t k ; t k1 and _ κσ; xσ 0, then σ is also a local maximizer of κ on t k ; t k1 and it must hold that 0 ≥ κσ; xσ; u; ξ ≥ -μ. The consequence of Lemma 3 is that, provided that the stated condition holds, we can now use knowledge about κ to upper bound the variation in h between time steps. Lemma 3 is particularly helpful because analysis of κ is generally simpler than analysis of h, and because μ is a tunable parameter. Note that maximizers of the CBF h can also occur when _ κσ; xσ ≠ 0 and in these cases Lemma 3 would no longer apply, thus motivating Lemma 4 in Sec. III.D. However, when Lemma 3 does hold, we can substantially reduce the required conservatism to prevent xt from leaving Ht between sample times, as illustrated using our case study as follows.
Case Study Part vi (Application of Lemma 3): Suppose the same setup as in Case Study Part iv and suppose that the conditions of Lemma 3 hold. It follows that hσ; xσ κσ; xσ, so we can instead compute Δ as a bound on the possible overshoot of κ between time steps. Let r min x∈St;t∈T ;u∈U κ ::: t; x; u; 0 -0.0262
(recall that Case Study Part iv assumed ξ ≡ 0), which leads to the new bound Δ -1 8 T 2 r 1.3110 -4 . Finally, since Lemma 3 also says that κσ; xσ; u; ξ ≥ -μ, and we can show that min x∈St;t∈T ;u∈U κ ::: t; x; u; 0 -0.0062, it follows that κt; xt; u; 0 ≥ r -μ -0.0062T -0.00291 for all t ∈ t k ; t k1 assuming σ ∈ t k ; t k1 , which leads to Δ -1 8 T 2 r 1.4610 -5 . Thus, Lemma 3 reduces the conservatism Δ on H needed to ensure safety during the between-sample interval compared to Case Study Part iv.
We now apply Lemma 3 to calculate a general formula for appropriate margins Δ; δ in Eqs. ( 16) and (17) on ht k ; x k ; κt k ; x k to ensure that x remains safe between sampling times.
Theorem 1: Suppose that κ is thrice differentiable and of relative degree 2 with respect to Eq. ( 1), and u is constant on t k ; t k1 . Suppose that all maximizers σ of h in Eq. ( 13) on the interval t k ; t k1 satisfy _ κσ; xσ 0. Define δ 1 as 16) and ( 3) and xt k1 ∈ Ht k1 ∩ Q δ 1 t k1 in Eqs. ( 10) and ( 17), then xt ∈ Ht for all t ∈ t k ; t k1 .
Case Study Part vii (Application of Theorem 1): Using the values of M - 2 ; M 2 ; M - 3 ; M 3 ; μ in Table 2, it follows that δ 1 1.1010 -5 in Eq. (24). This is of similar magnitude to the value of Δ in Case Study Part vi, as expected, and is equivalent to 2.27 arcseconds of shrinkage of the inner constraint set.
Thus, in the case where the maximizers of κ and h are consistent, we have an explicit formula for how much we should further restrict the set H at the sample times to ensure that the state never leaves the set H between the sample times. Having established this, we note that the requirements of Theorem 1 are still overly conservative. This is because we assumed that H Δ and Q δ were defined using the same margin parameter Δ δ δ 1 . For certain systems, applying different margins Δ 2 on ht k ; x k and δ 2 on κt k ; x k may reduce this margin, as presented in the following theorem.
Theorem 2: Suppose that κ is thrice differentiable and of relative degree 2 with respect to Eq. ( 1), and u is constant on t k ; t k1 . Suppose that all maximizers σ of h in Eq. ( 13) on the interval t k ; t k1 satisfy _ κσ; xσ 0. Suppose that there exist constants δ 2 ≥ 0 and Δ 2 ≥ 0 for which it holds that 16) and ( 3) and xt k1 ∈ H Δ 2 t k1 ∩ Q δ 2 t k1 in Eqs. ( 16) and ( 17), then xt ∈ Ht in Eq. ( 10) for all t ∈ t k ; t k1 . The primary difference between Theorem 1 and Theorem 2 is that, in Theorem 1, the form for δ 1 was provided explicitly. On the other hand, in Theorem 2, neither δ 2 nor Δ 2 is uniquely defined. If we fix either δ 2 or Δ 2 , we can use condition (25) to compute the other constant. It follows from Theorem 1 that one valid combination is Δ 2 δ 2 δ 1 . Another helpful strategy is to set Δ 2 Δ 3 , where Δ 3 is presented in the next subsection, and to then compute the smallest allowable δ 2 . We also note that, unlike Theorem 1, the conditions of Theorem 2 are recursively feasible. That is, the ending condition
Case Study Part viii (Application of Theorem 2): Using the values of M - 2 ; M 2 ; M - 3 ; M 3 ; μ in Table 2, one possible combination satisfying Eq. ( 25) besides Δ 2 δ 2 δ 1 is Δ 2 1.310 -5 and δ 2 9.710 -6 .
Now that we have thoroughly covered excursions outside the sets H Δ ; Q δ when Lemma 3 applies, we finally discuss the behavior between sampling times when this is not the case, as is illustrated by the green lines in Fig. 4.
Lemma 4: Suppose that κ is thrice differentiable and of relative degree 2 with respect to Eq. ( 1), and u is constant on t k ; t k1 , where t k1 t k T. Suppose that M 3 > 0, M - 3 < 0, and μ ≥ M 2 -M - 2 maxfjM 3 j; jM Case Study Part ix (Application of Lemma 4): Using the values of M - 2 ; M 2 ; M - 3 ; M 3 ; μ in Table 2, it follows that Δ 3 1.0910 -5 in Eq. (A34). This occurs for γ 3.610 -6 , σt k 0.13 s, and t s -σ 0.0023 s. In this case, Δ 3 < δ 1 , but this is not guaranteed in general.
Remark 1: Note that the necessary condition κσ; xσ; u; ξ -μ in the proof of Lemma 4 [preceding Eq. (A16)] is very specific, so in the authors' experience, maximizers of h meeting the conditions of Lemma 4 are rarer than maximizers meeting the conditions of Lemma 3. However, the conditions of Lemma 4 occur more frequently if μ is chosen very small. Thus, we have now identified bounds on the overshoot of κ between time steps both when κ and h share maximizers (Lemma 3) and when the maximizer of κ is distinct from the maximizer of h
Fig. 4 Illustration of trajectories where the maximizers of κ and h on t k ;t k1 are co-located (blue), and where the maximizer of h precedes that of κ (green).
(Lemma 4). We thus have all the tools we need to define the robust inner constraint set Z. We now combine Theorem 2 and Lemma 4 to state our main theorem. Theorem 3: Suppose that κ is thrice differentiable and of relative degree 2 with respect to Eq. ( 1), and u is constant on t k ; t k1 , where t k1 t k T. Suppose that M 3 > 0, M - 3 < 0, and μ ≥ M 2 -M - 2 maxfjM 3 j; jM - 3 jgT. Suppose that there exist δ 2 and Δ 2 satisfying condition (25), and that Δ 2 ≥ Δ 3 in Eq. (A34). If
It follows from Theorem 3 that we can express the robust inner constraint set as in Fig. 2 as
Remark 2: Note that δ 1 in Eq. ( 24) decreases with decreasing μ, while Δ 3 in Eq. (A34) tends to increase with decreasing μ. Although μ is a tunable variable, this tradeoff suggests that there is some minimum amount of margin required when using a ZOH controller, regardless of the choice of μ. Note that both δ 1 and Δ 3 decrease with decreasing T.
Now that we have thoroughly addressed the problem of overshoot between time steps, we seek a condition on u that guarantees ht k1 ; xt k1 ≤ -Δ 2 and κt k1 ; xt k1 ≤ -δ 2 so that we may apply Theorem 3. Moreover, we seek a choice of parameters δ 2 ; Δ 2 ; μ such that this condition is always feasible with respect to the input constraints everywhere in Z in Eq. (26). To this end, define the following polynomials in τ: Theorem 4: Suppose that κ is thrice differentiable and of relative degree 2 with respect to Eq. ( 1); M - 3 ; M 3 ; δ 2 ; Δ 2 ; Δ 3 ; μ satisfy the conditions of Theorem 3; Z is as given in Eq. ( 26); and u satisfies Eq. ( 14) for every k ∈ N. If xt 0 ∈ Zt 0 and
both hold for every k ∈ N, then xt ∈ Qt for all t ∈ T. Note that while the upper bounds p κ and p h are valid for any τ ≥ 0, Theorem 4 only considers the values of p κ and p h at τ T, and thus relies on the analysis leading up to Theorem 3 (which was not dependent on p κ ; p h ) to guarantee that κ remains nonpositive between sampling times, i.e., for τ ∈ 0; T. Based on Theorem 4, we conclude with the following definition of a CBF for ZOH applications, analogous to that in [35] (Def. 2).
Definition 2: For a thrice continuously differentiable constraint function κ i , the function h i ∶T × X → R in Eq. ( 13) with parameter μ is a degree-2 ZOH CBF (D 2 ZohCBF) on the set S for time-step T if there exist constants δ 2 ; Δ 2 satisfying Eq. ( 25) and Δ 2 ≥ Δ 3 in Eq. (A34) such that min u∈U maxfp κ i t; x; u; T δ 2 ; p h i t; x; u; T Δ 2 g ≤ 0;
where Z i , p κ i , and p h i are given in Eqs. (26)(27)(28), respectively. We revert to using the i indexing notation in Definition 2 for completeness (recall that this entire section and thus Definition 2 too are for one constraint at a time). Similar to Eq. ( 9) with continuous control, Eq. ( 30) accounts for the allowable control set U, so if h is a D 2 ZohCBF, then the conditions (29) are feasible in the presence of input constraints for all xt ∈ Zt; t ∈ T. Equivalently, if h is a D 2 ZohCBF then the set U z t; x ∩ U is nonempty for all x ∈ Zt ∩ St, t ∈ T, where
The only remaining component is to determine a valid triple δ 2 ; Δ 2 ; μ. One such triple is δ 2 δ 1 in Eq. ( 24), Δ 2 Δ 1 where Δ 1 ≜ maxfδ 1 ; Δ 3 g in Eqs. ( 24) and (A34), and μ μ as follows:
assuming that μ exists. One can also choose μ ≤ μ δ 2 ; Δ 2 . Note that for large ξ or T, δ 2 and Δ 2 will also be large, and there may be no μ satisfying Eq. ( 32) and the conditions of Theorem 3, indicating that Eq. ( 1) cannot be safely controlled at such a sampling time T. A plot of μ using δ 2 δ 1 and Δ 2 Δ 1 for dynamics ( 2) is shown in Fig. 5, where the black region is where μ does not exist or is less than M 2 -M - 2 maxfjM 3 j; jM - 3 jgT. Case Study Part x (Selection of μ for Input Constraints): Using the values of M - 2 ; M 2 ; M - 3 ; M 3 in Table 2, the choice δ 1 ; δ 1 ; μ δ 1 ; δ 1 where μ δ 1 ; δ 1 0.00167 as in Eq. ( 32) is one valid triple. Alternatively, δ 2 ; Δ 2 ; μ δ 2 ; Δ 2 is another such triple. We note that μ δ 2 ; Δ 2 is slightly larger than μ δ 1 ; δ 1 , but the difference is only in the fourth significant digit of μ for this particular system. The authors observed a greater difference between μ δ 2 ; Δ 2 and μ δ 1 ; δ 1 for problems where u max was greater. Thus, ZOH discretization has led to a more conservative result than the continuous-time case with μ 0.0025 in Case Study Part iii.
Note that the polynomial p κ is linear in ψ, and therefore affine in u, so one can encode Eq. (29a) in a QP-based control law as in [35] (Sec. II-C). The polynomial p h has nonlinear dependence on ψ (because of the ssq function), but p h is still monotone increasing in ψ, Fig. 5 Plot of μ in Eq. ( 32) variation with the disturbance bound ξ max and sampling period T for the system (2), where "x" marks the case study parameters.
and thus one can write p h ≤ -Δ 2 in Eq. (29b) equivalently as ψ ≤ ψ max for some number ψ max (the expression for ψ max is omitted for brevity, but the interested reader is referred to the function get_PhiQ in the simulation code in Sec. V). Thus, one can also encode Eq. (29b) in a QP, and the set U z in Eq. ( 31) is a polytope. In conclusion, the sets Z in Eq. ( 26) and U z in Eq. ( 31) solve the relativedegree-2 case of Problem 1.
We now extend the method in Sec. III to constraint functions that are of relative degree 1 with respect to the dynamics (1). As before, we drop the subscript i and assume that η represents any relative-degree-1 constraint function. In this section, we assume that η is also a CBF, so we will not need to employ the intermediary step of defining h and H, as was done for relative-degree-2 constraints. Similar to Eq. ( 19 In this section, we only require the upper bounds on Eqs. ( 34) and ( 36), so we omit the superscripts + andused in the prior section.
Here, M 1 and M 2 are analogous to M 2 and M 3 , respectively, from Sec. III.B. Now define the following polynomial in τ
which serves as an upper bound on the evolution of η and is employed in the following theorem. Theorem 5: Suppose that η is twice differentiable and of relative degree 1 with respect to Eq. ( 1) and u satisfies Eq. ( 14) for every k ∈ N. Suppose that M 2 ≥ 0 in Eq. (36). If xt 0 ∈ Vt 0 and
for every k ∈ N, then xt ∈ Vt for all t ∈ T. Note that Theorem 5 is a straightforward extension of [29] (Cor. 3) to systems with disturbances, while the insights in the following subsection are new to this paper and motivated specifically by the system in Eq. (2).
Case Study Part xi (Application of Theorem 5): For the system (2), in order for the constants M - 2 ; M 2 ; M - 3 ; M 3 for κ b in Eq. ( 5) to be well-defined [i.e., for S in Eqs. ( 18) and ( 21) to be compact], the maximum system angular velocity must be bounded. There are various ways to encode such a bound. First, if one desires that kωk ≤ ω max for some ω max ∈ R >0 , then one could use either η 1 t; x kωk -ω max or η 2 t; x kωk 2 -ω 2 max . Note that M 2 is undefined for the constraint function η 1 , so Theorem 5 does not apply. Instead, suppose that we choose η 2 . Then, letting ω max 0.0175 rad∕s, it follows that M 2 0.00153. While η 2 satisfies the definition of D 1 ZohCBF, this leads to an effective margin of 1 2 M 2 T 2 ∕w 2 max ≈ 10%, which is rather large. While this does not directly impact the robust inner constraint set Z in Eq. ( 46), this margin in effect makes certain states in the safe set inaccessible (see [29] for a more extensive discussion of ZOH margins), so we would like to reduce this margin Next, suppose that the matrix Z in Eq. ( 2) is of the form
where
Note that, under the dynamics in Eq. ( 2), kωk 2 is not a conserved quantity, so if the spacecraft is not spinning about a principal axis, it will take active control effort to keep the state within a level set of η 2 . On the other hand, kinetic energy is a conserved quantity, which takes no control effort to maintain (unless the disturbance adds energy to the system). For this reason, define P in η ω in Eq. ( 7) as P Z -1 11 , so that η ω encodes a maximum kinetic energy constraint. Then, using η ω in Eq. ( 7) with e max in Table 1, one finds M 2 8.3010 -5 , leading to a smaller effective margin of 1 2 M 2 T 2 ∕e max ≈ 3.3%.
Before we present a definition for a valid CBF for the relativedegree-1 case, we present an extension of Theorem 5 that reduces conservatism for certain systems and constraint functions, and in particular the constraint function η ω in our case study in Eq. ( 7). In developing this paper, the authors noticed that the main contributor to M 2 for the constraint function in Eq. ( 7) was the control input u. While x and ξ are not known exactly between time steps t k and t k1 , the value of ut ut k for t ∈ t k ; t k1 is a known quantity, and thus can be removed from the uncertainty bound M 2 . Motivated by this, suppose that there exists functions
for all t ∈ T; x ∈ S; u ∈ U; ξ ∈ Ξ. The value of ϕ 1 u is known, so define a constant analogous to Eq. ( 36) using ϕ 2 only as
Then we can define the polynomial
Corollary 1: Suppose that η is twice differentiable and of relative degree 1 with respect to Eq. ( 1) and u satisfies Eq. ( 14) for all k ∈ N. Suppose that ϕ 1 in Eq. ( 41) is positive semidefinite and M alt 2 ≥ 0 in Eq. (42). If xt 0 ∈ Vt 0 and
for every k ∈ N, then xt ∈ Vt for all t ∈ T.
We are now ready to give the complete requirements for a relativedegree-1 constraint function η to be a CBF in ZOH applications.
Definition 3: A twice continuously differentiable function η i is a degree-1 ZOH CBF (D 1 ZohCBF) on the set S for time-step T if there exists a positive semidefinite function ϕ 1 ∶U → R ≥0 and a function ϕ 2 ∶T × S × U × Ξ (where one can use ϕ 1 u ≡ 0) satisfying Eq. ( 41) such that
where p alt η i is as given in Eq. ( 43). That is, η is a D 1 ZohCBF if the condition (39) is always feasible inside the safe set. Unlike Definition 2, Definition 3 does not contain any additional tuning parameters. We assume that the function η has already been constructed or tuned so as to be possible to render the corresponding set V forward invariant in the presence of input constraints. This is reasonable in the context of spacecraft attitude control, because the function η ω in Eq. ( 7) represents spacecraft kinetic energy. A fundamental requirement of control design should be that the spacecraft is able to reduce its kinetic energy from any safe state. In math, this requirement is equivalent to Eq. ( 45) for η ω . One case in which this requirement is not satisfied is if the spacecraft is allowed to achieve large angular velocities while operating at a control frequency too slow to stabilize the system. In this case, no amount of tuning will yield a safe controller, so Eq. ( 45) will be violated, and one will need to operate at lower angular velocities or smaller time steps to achieve a stable system and satisfy Eq. (45).
For the D 1 ZohCBF, denote
which solves the relative-degree-1 case of Problem 1. Note that if ϕ 1 ≡ 0 in Eq. ( 41), then U z in Eq. ( 46) is a half-space and safe control inputs can again be computed using a QP-based control law. Alternatively, if ϕ 1 is a convex function, then U z in Eq. ( 46) is not necessarily a polytope, but will still be a convex set, allowing the use of other convex optimization tools to choose control inputs. For instance, in Sec. V.A, ϕ 1 will be a strictly convex quadratic function, yielding a quadratically constrained quadratic program (QCQP) as a control law.
Case Study Part xii (Application of Corollary 1): Suppose that η 2 is as described in Case Study Part xi, and let ϕ 1 u 2u T Z T 12 Z 12 u. This leads to M alt 2 4.8810 -4 , resulting in an effective margin of 1 2 M alt 2 T 2 ∕w 2 max ≈ 3.2%, much less than in the prior case with ϕ 1 u ≡ 0. Thus, when ϕ 1 u is large, we still end up applying the same amount of margin as in Case Study Part xi, but when ϕ 1 u is small (i.e., u is small), the margin inherent in p alt η in Eq. ( 43) is reduced compared to the margin in p η in Eq. (38).
Next, for η ω with P as described in Case Study Part xi, let ϕ 1 u u T Z T 12 PZ 12 u, resulting in M alt 2 1.9510 -5 . This yields an effective margin of 1 2 M alt 2 T 2 ∕e max ≈ 0.77%, and is therefore the setup used for simulation in Sec. V.A.
In this section, we demonstrate the above methods in simulation. We assume a spacecraft with two instruments with boresight vectors b 1 , b 2 and keep-out zones θ 1 , θ 2 in Table 3, which induce two pointing constraint functions κ 1 , κ 2 of the form in Eq. (5). Let s 1 s 2 be the local sun vector, which is slowly time-varying. We construct two D 2 ZohCBFs h 1 , h 2 as in Sec. III with the constants in Table 2. Suppose that there is also an angular velocity constraint function η 3 of the form in Eq. ( 7) with the previously presented parameters in Table 1, and with ϕ 1 u u T Z T 12 PZ 12 u as discussed in Case Study Part xii. Then η 3 is a D 1 ZohCBF. The set of safe control inputs is U ∩ U z1 t; x ∩ U z2 t; x ∩ U z3 t; x.
Suppose that the spacecraft (visualized in Fig. 1) is required to point instrument b 1 at inertially fixed target b t , given in Table 3. Define the following shortest-path proportional-derivative control law:
where u pd may be unsafe and does not necessarily satisfy the input constraints. Here, let sat be the saturation function and Z † 12 be the Moore-Penrose pseudoinverse. We then construct the final control law as a QCQP:
Using this "ZohCBF" controller, we simulated a single reorientation maneuver with initial and final parameters given in Table 3, and in the presence of a random disturbance bounded by ξ max in Table 1. For more details, we refer the interested reader to the simulation code. § The simulation is short enough that we do not presently concern ourselves with momentum management (i.e., ensuring that w i remains bounded for i 1; 2; 3; 4). A diagram of the excluded pointing zone and the trajectories of the two instrument vectors is shown in Fig. 6, and a video of the reorientation in three dimensions can be found below. ¶ The constraint values over the maneuver duration are shown in Fig. 7, and the control inputs are shown in Fig. 8. As expected, safety is maintained, and the control input constraints are always satisfied. The absolute value of the maximum value of η 3 in Fig. 7 is the "controller margin" explained in [29]. Both ZohCBF plots in Fig. 7 exhibit a controller margin, but the margin is only noticeable for the constraint η 3 without zooming in.
For comparison, we also simulated the controllers in 1) [21] (Eq. 22), denoted "Log-B", with α 0.75, β 8, k 1 0.0165; 2) [17] (Eq. 17) denoted "SMC", with k 0.01, k 1 5015, k 2 0.0167, d ≡ 0; and 3) [12], denoted "NMPC", with n 5, h 0.2, Q 1 P 1 0.01I, Q 2 P 2 38I, Q 3 100I, where I is the identity matrix. The resultant trajectories are shown in Figs. 678and described in Table 4, where all simulations were run on a 3.5 GHz Intel Xeon processor. While the Log-B and SMC controllers do not guarantee safety in the presence of input constraints or ZOH control inputs, Figs 678show that when properly tuned, all of the above controllers can behave similarly. That said, the ZohCBF controller took a different route around the exclusion zone than all of the comparison controllers. The ZohCBF and NMPC controllers approached closer to the edge of the safe set than the Log-B and SMC controllers, and the NMPC controller briefly violated the κ 1 constraint. Also, the Lyapunov function introduced in [21] is infinitely differentiable, so the trajectories under the Log-B controller are smooth. We observe this particularly in Fig. 7, where the green lines have unique maximizers, whereas the other controllers spend much of the trajectory very close to zero. This allowed the ZohCBF controller to achieve the fastest settling time, defined here as time to 0.1 deg error, in Table 4. We note that for larger values of k 1 , the Log-B controller could be faster but would exceed the angular velocity constraint, and for much larger values of k 1 , the Log-B controller would violate the pointing constraints due the ZOH implementation. The NMPC controller approached the target at a rate similar to the ZohCBF controller, but exhibited oscillations around the target due to the small prediction horizon, thus resulting in a large settling time.
The SMC controller was the slowest due to the upper bound on k implied by [17] (Eq. 16).
Another notable difference between the ZohCBF and Log-B controllers is that the Lyapunov function in [21] is strictly convex, so the controller is globally convergent. This is not true of the ZohCBF or NMPC controllers. To examine this, we increased the value of θ 1 ; θ 2 to 0.95 rad and resimulated the ZohCBF and Log-B controllers. The results are shown in Figs. 9 and 10 and Table 5 and are demonstrated in the video below. ** Note that the blue lines (ZohCBF controller) in Fig. 9 both approach the edge of the red region, and then stop when the controller cannot safely move closer to the target direction (green dot) due to the set S ∩ Z 1 ∩ Z 2 ∩ Z 3 being nonconvex. The spacecraft remains safe, but does not complete its objective. On the other hand, the Log-B controller is eventually able to navigate around the exclusion zone and converge to the target vector. That said, the Log-B controller is very slow in Table 5. Lastly, we note that the ZohCBF technique can be applied to any nominal controller, so we introduce the control law u combined arg min u∈U∩U z 1 t;x∩U z 2 t;x∩U z 3 t;x kuu logb-fast t; xk 2 (49)
which we call the "Combined" controller. The controller u logb-fast in Eq. ( 49) is the same as the Log-B controller, but with a much more aggressive choice of gain k 1 0.04. Without the ZohCBF application, the controller u logb-fast would violate the system energy constraint η 3 , but with the additional ZohCBF acting as a safety-filter, the controller u combined yields the orange trajectory in Figs. 9 and 10. Unlike under u zohcbf , the trajectory under u combined converged to the target, and exhibited a reduced settling time in Table 5 compared to the Log-B controller. Remark 3: We note that while the controllers (48) and (49) were successful in the simulations above, it still may be possible for the optimizations (48) and (49) to become infeasible because these controllers apply multiple CBFs at once. Progress toward provably guaranteed feasibility of multiple CBFs simultaneously with input constraints is studied in continuous time in [37], and such studies for sampled-data CBFs are left to future work.
The prior subsection validates the methods in Secs. III and IV in a simple simulation, so we now present results from a more detailed spacecraft simulator, specifically the NASA "42" open-source spacecraft attitude control simulator [44]. Here, rather than random disturbances, the disturbances are representative of disturbances in the orbital environment for an input spacecraft geometry and specified solar and geomagnetic activity indices.
Specifically, we simulated a 6U CubeSat with the parameters presented in Table 1 in a 500 km altitude circular Earth orbit. Suppose that the spacecraft has a single instrument that must point at a sequence of targets but must avoid the sun by at least 25°(encoded in κ 1 ), and a star tracker that must not point at the sun within 45°( encoded in κ 2 ) or the moon within 30°(encoded in κ 3 ). The angular velocity is constrained by η 4 η ω as in Case Study Part xi, where we now use ϕ 1 u 0, so that M alt 2 M 2 8.310 -5 . This change makes U z 4 more conservative than in the prior but makes U ∩ U z 1 ∩ U z 2 ∩ U z 3 ∩ U z 4 a polytope and thus changes Eq. (48) from a QCQP to a regular QP, which was implemented using the fast Operator Splitting QP solver [45]. Finally, the code limited the QP solver to only 20 solver iterations to mimic realistic spacecraft computing constraints. For more details and input parameters, the interested reader is referred to the simulation code.
The instrument and star tracker pointing vectors are shown in Fig. 11, the constraint values are shown in Fig. 12, and the control inputs are shown in Fig. 13 using both u zohcbf in Eq. ( 48) and u pd in Eq. (47c). Avideo of the reorientation sequence is linked below. † † All constraints and actuator limits were satisfied for the entire pointing sequence using the ZohCBF controller (solid lines in Fig. 11), while there were several constraint violations using the nominal controller (dashed lines in Fig. 11). We note that three of the targets (green dots in Fig. 11) were located very close to the sun vector (i.e., outside the safe set), so the ZohCBF controller prioritized safety over convergence for these targets.
We have presented a methodology for ensuring that trajectories of a dynamic system always remain within a specified constraint set in the presence of ZOH sampled-data control inputs, bounded disturbances, and input constraints using extensions of CBF theory. This methodology is generally applicable to constraint functions of relative degree 1 or 2, and was specialized to spacecraft attitude control. Special attention was devoted to decreasing the margins for overshoot in the case of relative-degree-2 constraints, and for the case of a relative-degree-1 kinetic energy constraint specifically. The methodology was then demonstrated in simulation, where it exhibited faster settling times than all compared online controllers (note that path-planning methods were not tested). While the methods in this paper provably achieve all desired safety criteria, the comparison plots show that similar safe reorientations can be achieved with the comparison methods, although only with careful tuning and without proof of safety under these circumstances. The improvement in convergence by the "combined" controller over the original ZohCBF controller show that this approach may be limited in part by the capabilities of the nominal control law, so choosing "optimal" nominal control laws is one area of future work. Additional future work includes the incorporation of momentum-management techniques and measurement-delay considerations, study of more general conditions on the existence of a guaranteed safe control input in the presence of several CBFs simultaneously. where we do not need to break the integral into two parts here because _ κt does not change signs on t k ; σ. We then define the function d left ∶R ≥0 × R ≥0 → R as the simplification of the integral in Eq. (A32) as follows:
Both Eqs. (A31) and (A32) must apply simultaneously, so we define Δ 3 below as a maximization of the lesser of d left and d right , subject to the constraints on t s -σ in Eqs. (A26) and (A29). Furthermore, the maximizer σ of h must occur in the present time step, so σt k ∈ 0; T, and γ must be positive. Let τ 1 σt k and τ 2 t s -σ, and finally define Note that although γ is not upper bounded in Eq. (A34), in practice there is a maximum value of γ for which the interval r 1 γ; r 2 γ; σt k is nonempty. Finally, using both bounds (A31) and (A32 In summary, we have shown that 1) when _ κσ < 0, no maximizer t s of κ can occur, and 2) when _ κσ > 0, only one maximizer t s of κ can occur and by Eq. (A35) and Lemma 2, κt s < 0, so xt ∈ Qt for all t ∈ t k ; t k1 in all cases where _ κσ ≠ 0. □ Proof of Theorem 3: By assumption, κt k ≤ 0, ht k ≤ -Δ 2 ≤ 0, κt k1 ≤ -δ 2 ≤ 0, and ht k1 ≤ -Δ 2 ≤ 0. Thus, xt can only exit Q if there is a local maximizer t s of κ for t s ∈ t k ; t k1 . As a result of Lemma 2, it is only possible for κt s > 0 to occur if there also exists a local maximizer σ of h for σ ∈ t k ; t k1 such that hσ > 0, where it is possible that σ t s . Suppose the existence of both t s and σ, where neither is necessarily unique. If there exists a maximizer σ of h such that _ κσ ≠ 0, then Lemma 4 implies that t s is unique and that κt s ≤ 0.
Next, if every maximizer σ of h satisfies _ κσ 0, then Theorem 2 implies that κt s ≤ 0 for every t s , where t s σ. Finally, if there is one or more maximizers σ 1 of h such that _ κσ 1 0, and one maximizer σ 2 of h such that _ κσ 2 ≠ 0, then by the first paragraph, t s is unique and κt s ≤ 0, and it follows that σ 1 is unique and σ 1 t s . That is, the conditions presented so far do not preclude the possibility of the cases described in Lemma 3 and Lemma 4 both occurring in the same time step, but in this case, safety is ensured by Lemma 4 alone. Since κt s ≤ 0 for every maximizer t s of κ, it follows that κt ≤ 0 for all t ∈ t k ; t k1 , and thus xt ∈ Qt for all t ∈ t k ; t k1 .
Proof of Theorem 4: First, note that we can upper bound the evolution of _ κ and κ between time steps as follows:
Thus, p κ in Eq. ( 27) is an upper bound on κt k τ, and Eq. ( A36) is an upper bound on _ κt k τ. Since h in Eq. ( 13) is monotonically increasing in both κ and _ κ, it follows that p h in Eq. ( 28) is an upper bound on ht k τ. Since t k1 t k T, it follows that Eq. (29a) implies xt k1 ∈ Q δ 2 t k1 and Eq. (29b) implies xt k1 ∈ H Δ 2 t k1 , or equivalently xt k1 ∈ Zt k1 . Since this holds for every k ∈ N, Theorem 3 implies that xt ∈ Qt for all t ∈ T. □ Proof of Theorem 5: First, note that we can upper bound the evolution of η between time steps as follows: It follows that if p η t k ; τ ≤ 0, then ηt k τ ≤ 0 and thus xt k τ ∈ Vt k τ. Note that p η in Eq. ( 38) is a concave upward quadratic in τ (since M 2 is assumed to be nonnegative), so if p η t k ; 0 ηt k ≤ 0 and p η t k ; T ≤ 0, then ηt k τ ≤ p η t k ; τ ≤ p η t k ; T ≤ 0 for all τ ∈ 0; T. Since we assumed xt 0 ∈ Vt 0 , or equivalently p η t 0 ; 0 ηt 0 ≤ 0, and since Eq. (A38) implies p η t k ; T ≤ 0 for all k ∈ N, it follows that ηt ≤ 0 for all t ∈ T, or equivalently, xt ∈ Vt for all t ∈ T. □ Proof of Corollary 1: Similar to Eq. (A38), p alt η t k ; τ in Eq. ( 43) is an upper bound on ηt k τ. By Eq. ( 14), u is constant between time steps and therefore the quadratic coefficient of p alt η given by ϕ 1 ut k M alt 2 is constant. Because ϕ 1 maps to R ≥0 and M alt 2 ≥ 0, the coefficient ϕ 1 ut k M alt 2 is also nonnegative. Thus, p alt η t k ; τ is a concave upward quadratic polynomial in τ, so if ηt k ≤ 0 and p alt η t k ; T ≤ 0, then it follows by the same logic as Theorem 5 that xt ∈ Vt for all t ∈ T. □
Center for developing and distributing the "42" Spacecraft Simulation platform [44].
Downloaded by University of Michigan on February 27, 2024 | http://arc.aiaa.org | DOI: 10.2514/1.G007456
§ All simulation code can be found at https://github.com/jbreeden-um/phdcode/tree/main/2022.¶ https://youtu.be/EVuyZ-06-1Y. **https://youtu.be/sZ_F4N75kcw.