Distributed Safety-Critical Controller
- Distributed Safety-Critical Controller (DSCC) is a class of architectures where agents compute local control actions while ensuring safety using mechanisms like control barrier functions and invariant sets.
- DSCC methods integrate nominal controllers with explicit safety filters, often implemented via quadratic programs and predictive safety layers to guarantee forward invariance.
- Applications span robotics, power systems, and DC microgrids, demonstrating improved safety and performance through decentralized coordination and localized safety verification.
Searching arXiv for papers on distributed safety-critical controllers and closely related formulations. Distributed Safety-Critical Controller (DSCC) denotes a class of distributed control architectures in which multiple agents compute local control actions while an explicitly safety-oriented mechanism enforces constraint satisfaction, typically through control barrier functions, invariant sets, predictive safety filters, or run-time assurance logic. In the cited literature, DSCCs appear as decentralized safety filters around nominal controllers, distributed optimization schemes with local and pairwise constraints, safety-critical MPC laws, invariant-set supervisors for learning systems, and domain-specific controllers for power networks and DC microgrids. Their common objective is to preserve forward invariance of a safe set while retaining distributed execution, local information flow, and performance-oriented nominal control (Hobbs et al., 2021, Mestres et al., 2024, Yuan et al., 2022, Ohnemus et al., 31 Mar 2026).
1. Architectural concept and scope
The architectural template most explicitly articulated in run-time assurance work consists of a primary controller , a monitor, a safety filter, and a backup controller . The primary controller may be human, AI/ML, or advanced control; the monitor predicts future safety using the current state and control; the safety filter either switches to a backup controller or minimally modifies ; and the backup controller is guaranteed to render a safe set forward invariant. Two canonical implementations are emphasized: Simplex, which performs hard switching to , and Active Set Invariance Filters (ASIFs), which solve a quadratic program to modify only as needed. In distributed settings, this template is specialized so that each agent maintains local safety sets, pairwise inter-agent constraints, local monitors, and local safety filters, while the global safe set is composed as an intersection of local and pairwise safe sets (Hobbs et al., 2021).
Across the literature, DSCC is not a single algorithmic object. It encompasses distributed CBF-QP controllers for safe navigation, collaborative high-order barrier filters for formation control, synchronization-based distributed MPC, discrete-time high-order barrier MPC, distributed predictive control barrier functions, communication-aware robust safety-invariant synthesis, and decentralized energy-based safety-critical control in power-electronic networks. Taken together, these formulations suggest that DSCC is best understood as an architectural category defined by three recurring properties: distributed computation, explicit safety certification, and a formal interface between a nominal or performance-oriented controller and a safety-preserving correction mechanism.
2. Barrier-based distributed safety mechanisms
A large part of the DSCC literature adopts set-invariance as the primitive notion of safety. A standard starting point is a safe set
with control-affine dynamics
For relative-degree-one constraints, safety is enforced through a CBF inequality of the form
and the minimally invasive filter is written as
subject to the barrier constraints and actuator bounds. In distributed settings, agent typically solves a local QP using local constraints and pairwise constraints such as
0
or, in the run-time assurance exposition,
1
A representative state-dependent network formulation minimizes a separable team objective under local obstacle constraints and pairwise inter-agent CBF constraints, while a distributed reformulation with auxiliary mismatch variables 2 and projected saddle-point dynamics removes the need for a centralized solver and still guarantees forward invariance and asymptotic optimality under the stated convexity and time-scale assumptions (Mestres et al., 2024).
For higher-order and dynamically coupled safety constraints, the barrier machinery becomes correspondingly more elaborate. In collaborative formation control with acceleration inputs, the safety filter is built from high-order barrier functions 3, 4, 5, and 6, and the coupled influence of neighbors is assembled in a stacked capability vector
7
The framework then computes a “maximum capability” action by solving
8
equivalently an LP, before entering collaborative negotiation algorithms that either find a jointly feasible safe action or certify terminal infeasibility. A different route to distributed enforcement appears in the reconstructed-CBF approach for systems with uncontrollable agents: each controllable agent runs a distributed adaptive observer, reconstructs the coupled barrier as
9
and uses prescribed-performance adaptation so that satisfying the reconstructed constraint is sufficient to satisfy the original coupled one. This construction is designed precisely to avoid the fully coupled centralized CBF-QP that would otherwise depend on unknown inputs of uncontrollable agents (Butler et al., 2024, Peng et al., 11 Mar 2026).
3. Predictive, optimization-based, and invariant-set DSCCs
A second major line of work embeds safety constraints inside predictive control. In synchronization-based cooperative distributed MPC, each agent solves a local OCP using predicted neighbor trajectories and then enters a synchronization phase that averages competing predictions until consistency is reached. This addresses the specific failure mode in which concurrent distributed solves satisfy local safety constraints against inconsistent neighbor predictions, yet produce unsafe joint plans. The synchronization update
0
converges if the local coupling subgraph contains a spanning tree, and the resulting consistent predictions support recursive feasibility and safety at the first implemented step; a discrete-time CBF layer is also identified as a recommended fail-safe (Beerwerth et al., 2024).
For high-relative-degree nonlinear multi-agent systems, Distributed Safety-Critical MPC (DSMPC) replaces first-order discrete-time barrier constraints with discrete-time high-order control barrier functions (DHCBFs),
1
and enforces 2. Formation convergence is handled through a discrete-time control Lyapunov terminal condition, neighbor coupling is decoupled through shared estimated trajectories 3, and a bound constraint limits the mismatch between predicted and estimated states. Under Assumption 1, the paper proves recursive feasibility and stability. In simulation, DSMPC 4 achieved “act 5 s, min d 6, max r 7, cost 8,” whereas MPC-DC 9 reported “act 0 s, min d 1, max r 2, cost 3,” and the tested CLF-CBF baseline was infeasible (Wang et al., 27 Aug 2025).
Predictive safety is extended further in distributed predictive control barrier functions (D-PCBFs). There, structured local barriers 4 form a network-level certificate through 5, while the predictive layer solves an optimization over local slacks 6 to minimize
7
subject to tightened constraints and terminal structured-CBF sets. The resulting 8 is a CBF with enlarged domain 9 and safe set 0, and the framework adds explicit plug-and-play admission certificates for joining or leaving agents (Ohnemus et al., 31 Mar 2026).
A more offline-oriented branch of DSCC uses invariant sets. One formulation computes a robust non-convex invariant set as a union of ellipsoids and pairs each ellipsoid with a structured stabilizing linear feedback; when a learning input is unsafe, the filter switches to the appropriate backup control law, and online computation reduces to membership tests and simple function evaluations (Carron et al., 2020). A related communication-aware formulation for discrete-time linear systems under bounded disturbances and imperfect uplink communication constructs ellipsoidal robust safety-invariant sets
1
and synthesizes 2 and 3 through LMIs and SDP. Communication errors enter as bounded estimation-error sets derived from Kalman covariance bounds and a chi-squared truncation, without explicit channel modeling (Liu et al., 31 Mar 2026).
4. Communication, topology, and coordination
DSCC research repeatedly treats communication not merely as an implementation detail but as a safety variable. A foundational set-theoretic treatment defines a coordination-free independent controller
4
and the safety-restricted coordination-free predecessor
5
From the centralized invariant set
6
the sets 7 characterize the states robustly safe to a connection delay 8. The same construction yields a self-triggered coordination scheme in which agents act independently for a countdown determined by the level-set partition of 9, and then re-coordinate only when needed (Kim et al., 2018).
In distributed transient frequency control for power systems, communication is reduced even further. The controller is distributed because 0 uses only local states and incident line information, while dynamic budget assignment introduces a state-dependent unsafe-bus subgraph 1. Only buses with 2 exchange the scalar 3, budgets satisfy 4, and they vanish automatically once buses re-enter the safe band. This mechanism is used to relax per-bus Lyapunov inequalities while retaining collective stability and frequency safety (Yuan et al., 2022).
Time-varying communication topologies require an additional layer of regularization. In the reach-avoid framework with limited communication range, the binary edge condition 5 is replaced by a smooth truncation function 6, equal to 1 when 7, equal to 0 when 8, and smoothly varying in between. Auxiliary mismatch variables 9, 0, and 1 then evolve on a fast time scale, while the plant evolves slowly under the local controller 2. Through singular perturbation analysis, the resulting DSCC guarantees collision avoidance, connectivity preservation, and convergence to the target region despite state-dependent, time-varying topology changes (Cheng et al., 1 Apr 2026).
5. Domain-specific realizations
Robotic multi-agent navigation is the most extensive application area. Distributed safe navigation with CBF-based optimal controllers has been validated on “5 Husky robots in complex obstacle fields” and on “3 Jackal robots with GPS/IMU/LIDAR,” with no collisions and successful formation maintenance. Collaborative safety-critical formation control extends the same agenda to acceleration-controlled agents, proving linear-time convergence for a tree-structured special case and reporting safe actions “within at most 13 communication rounds” in a fully connected multi-obstacle scenario. For legged systems, safety-critical distributed NMPC with discrete-time HOCBFs was validated on up to four Unitree A1 quadrupeds in simulation and two A1 robots in hardware; the CBF-based DNMPCs achieved a “27.89% higher success rate than conventional NMPCs without CBF constraints” under pushes, rough terrain, and uncertain obstacle information (Mestres et al., 2024, Butler et al., 2024, Imran et al., 18 Mar 2025).
Power-system DSCCs emphasize transient safety and certified stabilization rather than geometric collision avoidance. In transient frequency control, the safety set is
3
and the controller combines barrier-type frequency inequalities, a Lyapunov energy function, dynamic budget assignment, and reinforcement learning. On the IEEE 39-bus network with safety band 4 Hz, the reported costs were: RL baseline 5 (unsafe), Safety-only 6 (safe), RLb 7 (safe), and RLb* 8 (safe). The RL baseline was stable but violated safety, whereas RLb was both stable and safe, with budgets vanishing after the transient (Yuan et al., 2022).
In resilient DC microgrids, the DSCC is fully decentralized and communication-free at the primary-control layer. Each DER-side and load-side controller uses only local measurements and a known setpoint, while safety is enforced through reciprocal CBFs on converter terminal voltages and the load-side filter current, and large-signal stability is established through a port-Hamiltonian global energy function. In switched-circuit simulations, the desired bus-voltage setpoint was 9 V. The reported DSCC steady-state values were “0 V, 1 A, 2 V, 3 A, 4 V, 5 A,” whereas the nominal dynamic IDA-PBC comparator yielded “6 V,” “7 A,” and “8 V, 9 V” (Abdirash et al., 4 Sep 2025).
6. Guarantees, limitations, and open directions
The guarantees attached to DSCCs vary by formulation but are unusually explicit. The literature repeatedly states forward invariance of safe sets, constraint satisfaction, and minimal invasiveness for ASIF-type filters; asymptotic optimality for distributed CBF-based network optimization; recursive feasibility and formation convergence for DSMPC; recoverable safety and enlarged safe domains for D-PCBF; local asymptotic stability for transient frequency control; and large-signal exponential stability for decentralized DC microgrid control (Hobbs et al., 2021, Mestres et al., 2024, Wang et al., 27 Aug 2025, Ohnemus et al., 31 Mar 2026, Abdirash et al., 4 Sep 2025).
A common misconception is that distributed safety follows automatically from localizing computation. The cited results show the opposite. Independent choices from permissive local controllers can be unsafe unless coordination is scheduled; concurrent distributed MPC can violate collision constraints through inconsistent predictions; and coupled CBF constraints can obstruct fully distributed safe control when other agents are not directly controllable. The distributed machinery in these papers—projection-based predecessor operators, synchronization steps, auxiliary mismatch variables, collaborative capability negotiation, adaptive observers, and predictive slacks—exists precisely because naïve decentralization is not safety preserving in the general case (Kim et al., 2018, Beerwerth et al., 2024, Peng et al., 11 Mar 2026).
The limitations are equally recurrent. Several works identify model uncertainty, measurement noise, actuator saturation, relative-degree complications, computational budget, dense-environment feasibility loss, and communication delays as principal failure modes. Some formulations explicitly do not model actuator saturation or communication delays; the communication-aware RSI method is conservative because of ellipsoidal sets, S-procedure relaxations, and condition-number bounds; reconstructed-CBF schemes require each agent to maintain estimates of all other agents; and predictive methods rely on tuning horizons, tightening sequences, or time-scale separation parameters (Hobbs et al., 2021, Yuan et al., 2022, Liu et al., 31 Mar 2026, Peng et al., 11 Mar 2026).
The stated research directions are correspondingly concrete. They include higher-order generator and inverter models, voltage and reactive-power dynamics, adaptive budget negotiation, input-constrained and delay-robust distributed implementations, stochastic disturbances, cyber-physical security extensions, asynchronous synchronization, more permissive terminal sets for predictive safety, and robustness margins for bounded disturbances in modular multi-agent systems. This suggests that the mature core of DSCC research is no longer the existence of distributed safety filters, but the systematic reduction of conservatism under uncertainty, coupling, reconfiguration, and limited communication (Yuan et al., 2022, Ohnemus et al., 31 Mar 2026, Cheng et al., 1 Apr 2026).