MPC-Based Safety Filter

• MPC-based safety filters are defined as receding-horizon intervention mechanisms that modify arbitrary inputs to ensure hard state and input constraints while maintaining system stability.
• The framework utilizes an online constrained MPC optimization to minimally adjust proposed control signals, enforcing a stability bound through a Lyapunov-based cost function.
• Practical applications, such as automotive driver assistance, demonstrate the filter’s ability to integrate backup control laws and guarantee bounded convergence under dynamic conditions.

A Model Predictive Control (MPC)-based safety filter is a receding-horizon intervention mechanism that wraps an arbitrary (and potentially unsafe) input signal—typically from a learning-based controller, human operator, or trajectory planner—with a formal guarantee of safety and, when possible, stability. The core principle is to solve a constrained MPC problem at each time-step, "filtering" the proposed input so that the actual control administered is certifiably safe (i.e., satisfying state and input constraints), and, in advanced treatments, ensures desirable stability properties such as bounded convergence or uniform asymptotic stability. This framework extends and systematizes classical MPC safety and stability results, allowing seamless integration with practical system designs, robust backup control, and adaptation to dynamic trajectory tracking.

1. System Architecture and Notation

Consider the discrete-time, nonlinear plant model: $x_{k+1} = f(x_k,u_k)$ where $x_k \in X \subseteq \mathbb{R}^n$ is the state (in a compact set $X$), $u_k \in U \subseteq \mathbb{R}^m$ is the control input (in a compact set $U$), and $f$ is continuous with $f(0,0)=0$. The filter operates online: at each time $k$, it receives a proposed input $u_{\mathrm{des}}(k)$, which may not satisfy constraints or deliver stability. The safety filter dynamically checks the feasibility of $u_{\mathrm{des}}(k)$. If infeasible, it substitutes the minimally invasive safe action $u(k)$ through the receding-horizon MPC framework.

Key aspects:

• Hard state and input constraint enforcement,
• Optional stabilization/tracking to a target (origin or reference),
• Online backup controller for recursive feasibility.

2. MPC-Based Safety Filter Formulation

At each time $k$, after measuring the current state $x_k$ and receiving the candidate input $u_{\mathrm{des}}(k)$, the filter solves the following finite-horizon nonlinear MPC optimization: $$\min_{u_{0|k},...,u_{N-1|k}} \; G(x_{\cdot|k},u_{\cdot|k},u_{\mathrm{des}}(k))$$ subject to

$$x_{0|k} = x_k, \quad x_{i+1|k} = f(x_{i|k}, u_{i|k}), \quad x_{i|k} \in X, \quad u_{i|k} \in U, \quad x_{N|k} \in X_f$$

where the cost function $G$ is typically

$G = \|u_{\mathrm{des}}(k) - u_{0|k}\|^2$

to ensure minimal perturbation from the nominal command. The terminal set $X_f$ is chosen so it is forward-invariant under a nominal local controller, ensuring recursive feasibility.

The safe output assigned to the plant is always: $u(k) = u_{0|k}^*$ where the superscript * denotes the optimizer's solution.

3. Stability Augmentation Mechanism

To guarantee stability beyond mere constraint satisfaction, the filter augments the optimization with a classical MPC Lyapunov-style cost: $$J(x_k, u_{\cdot|k}) = \sum_{i=0}^{N-1} \ell(x_{i|k}, u_{i|k}) + V_f(x_{N|k})$$ where $\ell(x,u)$ is a positive-definite stage cost (often quadratic), and $V_f$ is a terminal cost (typically via Riccati or LQR design). At each step, a one-step upper bound constraint is enforced: $J(x_k, u_{\cdot|k}) \leq J_B(k)$ where $J_B(k)$ is a time-varying stability bound, initialized by $J_B(0)$ and updated recursively: $$J_B(k + 1) = V(x_k, k) - \zeta(k+1) \cdot \ell(x_k, u_{0|k}^*)$$ with $\zeta(k+1) \in [\zeta_{\min}, 1]$, trading off convergence speed and nominal matching.

Terminal ingredients:

• A local backup controller $\kappa(x)$ and invariant terminal set $X_f$ so that

$$V_f(f(x,\kappa(x))) - V_f(x) \leq -\ell(x, \kappa(x))$$

This guarantees recursive feasibility as well as bounded, Lyapunov-style stability.

Formal guarantees:

• Bounded convergence: The state sequence remains bounded and converges to zero, i.e., $x_k \rightarrow 0$ as $k \rightarrow \infty$.
• Uniform asymptotic stability: The same bound/convergence applies uniformly in any time-shifted window.

Proof relies on standard MPC Lyapunov decrease, shift-append backup policy, and recursive feasibility.

4. Online Filter Algorithm and Implementation

Algorithm 1 (Model Predictive Stability Filter)

1. Initialize with horizon $N$, stage cost $\ell$, terminal cost $V_f$, terminal set $X_f$, and bound $J_B(0)$.
2. For each time-step $k$:
   • Measure current state $x_k$.
   • Receive input $u_{\mathrm{des}}(k)$.
   • Solve MPC safety filter:

   $$\min G(x_{\cdot|k}, u_{\cdot|k}, u_{\mathrm{des}}(k))$$

   subject to dynamics, constraints $x_{N|k} \in X_f$, and stability bound $J(x_k, u_{\cdot|k}) \leq J_B(k)$. - Apply $u(k) = u_{0|k}^*$. - Update the stability bound:

   $$J_B(k+1) = V(x_k, k) - \zeta(k+1)\ell(x_k, u_{0|k}^*)$$

- Increment $k$.

Backup logic: If $u_{\mathrm{des}}$ is safe and does not violate the stability bound, the filter passes it through. Otherwise, it "projects" $u_{\mathrm{des}}$ into the largest subset admitting a feasible backup trajectory.

5. Design Guidelines and Tuning Parameters

Critical parameters and their tuning:

• Prediction horizon $N$: Larger $N$ expands the filter’s feasible domain and reduces conservatism, but incurs higher computation. Typical values are $N \in [10, 50]$.
• Stage cost $\ell(x,u)$: Quadratic form $\ell(x,u) = x^T Q x + u^T R u$; $Q$ penalizes state error, $R$ penalizes input deviation.
• Terminal cost $V_f(x)$: Quadratic $V_f(x) = x^T P x$, where $P$ is obtained from the Riccati equation for an LQR design.
• Terminal set $X_f$: Defined as $X_f = \{x : V_f(x) \leq \tau \}$, with small $\tau$.
• Stability trade-off $\zeta(k)$: Lower $\zeta_{\min}$ reduces intervention, higher values yield faster convergence.

6. Demonstrative Automotive Application

The framework is validated using an advanced driver assistance system scenario for a single-track car model linearized about 10 m/s cruising:

• States: $$x = [z_{\mathrm{long}}, z_{\mathrm{lat}}, \psi, v, \beta, \dot \psi]^T \in \mathbb{R}^6$$
• Inputs: $u = [\delta, a]^T$, with constraints such as $|\delta| \leq 35^\circ$, $-7 \leq a \leq +2\,\mathrm{m/s}^2$, box constraints on other variables.
• Reference: Generated from a lane-change planner: sequence $r_k = (x_k^r, u_k^r)$.
• Filter parameters: $N = 30$, $Q = I_6$, $R = I_2$, $P$ from LQR, $\zeta_{\min} = 0.1$.

Key findings:

• For nominal demanded (u_des) inputs, the filter is minimally invasive: average $\zeta \approx 0.18$.
• When u_des would induce instability or violate constraints, e.g., sharp steering reversals, the filter actively projects the steering into the largest safe admissible set, ensuring convergence to the reference trajectory.
• The performance bound

$$V(x_T, T) - V(x_0, 0) \leq -\sum_{k=0}^{T-1} \zeta(k+1)\ell(x_k, u_k)$$

is numerically verified for monotonic decrease.

• Full constraint satisfaction and uniform convergence to the reference are attained.

7. Context and Significance

MPC-based safety filters with formal stability mechanisms, as constructed in this framework (Milios et al., 8 Apr 2024), represent a systematic methodology to shield safety-critical systems from the risks of arbitrary learning-based or human inputs. These filters guarantee hard constraint satisfaction and, by embedding Lyapunov-style stability costs and bounds, admit rigorous guarantees of bounded, even uniform, convergence under minimal intervention. The modular architecture enables plug-and-play augmentation of existing control stacks (including learning-based policies), supports computationally tractable online filtering, and is readily tuned for application-specific requirements. The framework's utility is exemplified in contextually demanding domains such as automotive lane-keeping and trajectory stabilization, delivering both empirical safety and mathematical guarantees without imposing excessive conservatism. The approach admits straightforward extensions to trajectory tracking and other domains, subject to the expressiveness of the terminal ingredients and stability bounds.