arXiv:1609.00651v1  [cs.RO]  2 Sep 2016
Safety Barrier Certiﬁcates for Heterogeneous Multi-Robot Systems*
Li Wang, Aaron Ames, and Magnus Egerstedt†
Abstract— This paper presents a formal framework for
collision avoidance in multi-robot systems, wherein an existing
controller is modiﬁed in a minimally invasive fashion to ensure
safety. We build this framework through the use of control
barrier functions (CBFs) which guarantee forward invariance
of a safe set; these yield safety barrier certiﬁcates in the
context of heterogeneous robot dynamics subject to acceleration
bounds. Moreover, safety barrier certiﬁcates are extended to
a distributed control framework, wherein neighboring agent
dynamics are unknown, through local parameter identiﬁcation.
The end result is an optimization-based controller that formally
guarantees collision free behavior in heterogeneous multi-agent
systems by minimally modifying the desired controller via safety
barrier constraints. This formal result is veriﬁed in simulation
on a multi-robot system consisting of both “cumbersome” and
“agile” robots, is demonstrated experimentally on a system with
a Magellan Pro robot and three Khepera III robots.
I. INTRODUCTION
When designing coordinated controllers for teams of mo-
bile robots, the primary control objective tends to drive the
behavior of the team so as to realize tasks such as achieving
and maintaining formations, covering areas, or collective
transport [6], [8]. Safety, in terms of collision-avoidance,
is then added as a secondary controller that overrides the
existing controllers on individual robots if they are about to
collide, e.g., following the behavior-based control paradigm
[4]. As a result, what is actually deployed is not always
what the design calls for, and as the robot density increases,
the team spends more and more time avoiding collisions as
opposed to progressing toward the primary design objective.
One remedy to this problem is to make collision-avoidance
an explicit part of the design. This, however, means that
the already established, coordinated multi-robot controllers
in the literature [6], [8], [11] are no longer valid and must
be revisited. An alternative view, as is for example pursued in
[12] for two aircrafts performing optimal evasive maneuver,
is to introduce a minimally invasive collision-avoidance con-
troller, i.e., a controller that only changes the original control
program when it is absolutely necessary. But the heavy
computation associated with solving the Hamilton-Jacobian-
Bellman Equations prohibits the applicability of [12] to
large-scale mutli-robot systems. Similarly, the concept of
“velocity obstacle” was developed in [13] to generate colli-
sion free trajectory in cluttered multi-agent workspace, while
*The work by the ﬁrst and third authors was sponsored by Grant No.
N0014-15-1-2115 from the U.S. Ofﬁce for Naval Research, and the work
of the second author is supported by NSF CPS-1239055.
†Li
Wang,
Aaron
Ames
and
Magnus
Egerstedt
are
with
the
school of Electrical and Computer Engineering, Georgia Institute of
Technology, Atlanta, GA 30332, USA. Email: {liwang, ames,
magnus}@gatech.edu
the constant velocity assumption severely limits available
control options. This approach was pursued in [5], where
the main idea is to let the actual control input associated
with Robot i, ui, be as close to the designed control input ˆui
in a least-squares sense, subject to safety contstraints.
The way that safety constraints were encoded in [5] was
using distributed barrier functions, that prevented the robots
from entering unsafe states. This line of inquiry is continued
in this paper, but in the context of heterogeneous robot teams.
In particular, the barrier functions in [5] were symmetric in
the sense that the responsibility for avoiding collisions was
shared in an equitable manner among the robots. But, in a
heterogeneous multi-robot system, not all agents are equally
nimble and can respond to potential collisions in the same
way, due to such factors as different maximal accelerations.
In this paper, we pursue this question and we show how
barrier functions can be used also for teams of heterogeneous
networks, even when the robots are unaware of which class
neighboring robots belong.
The reason why heterogeneous multi-agent systems are of
importance is that they, through the robots’ diverse set of
capabilities, can solve some tasks more effectively than their
homogeneous counter parts, i.e., [1]. Moreover, heterogene-
ity already exists in many systems, such as transportation
systems with automobiles and trucks [3], multirobot systems
with ground and aerial robots [7], mobile sensor network
with nodes with varying locomotion capabilities [10], just to
name a few. As such, collision-avoidance algorithms must be
extended also to heterogeneous systems. Yet, such an exten-
sion is not straightforward in that agents with “aggressive”,
“neutral” or even “timid” behaviors must be able to respond
to possible collisions in dramatically different manners.
Motivated by these considerations, this paper extends
previous work on safety barrier certiﬁcates in [5] in two
important directions. First, we propose a provably safe way
to decentralize the barrier certiﬁcates that explicitly takes the
agents’ heterogeneous dynamics into account. In this paper,
the robotic swarm is heterogeneous in the sense that agents
have different acceleration limits (agile or cumbersome),
and use different barrier certiﬁcate parameters (aggressive,
neutral or conservative). Second, we formally ensure safety
of the robotic swarm when no prior information about
neighboring agents’ dynamical properties is provided. To
achieve this, the agents will have to estimate the dynamical
properties of neighboring agents with local measurements,
and update online their barrier certiﬁcate parameters to
generate more reasonable evasive maneuver. The enabling
technique for this heterogeneous safety barrier certiﬁcates is
Control Barrier Function [2], [14]. Control Barrier Function
is similar to Control Lyapunov Function in that it provides
a way to guarantee the forward invariance of the safety set
without computing the system’s reachable set. A Quadratic
Program (QP) based controller with safety barrier constraints
is developed to check the safety of pre-designed control
strategy, and generate minimally-invasive and collision-free
trajectory.
The remainder of this paper is organized as follows.
Section II revisits the concepts of (zeroing) control barrier
function, which is incorporated into the optimization based
controller as safety barrier constraints. Heterogeneous safety
barrier certiﬁcates are then constructed in Section III to
generate collision free behaviors for agents’ with different
dynamical capabilities. Incorporating unknown parameters
into heterogeneous barrier certiﬁcates without losing safety
guarantee is the topic of Section IV. Simulation and ex-
perimental results for heterogeneous barrier certiﬁcates are
presented in Section V and VI. At last, we conclude the paper
with a summary and discussion of future work in Section VII.
II. BACKGROUND: CONTROL BARRIER FUNCTIONS
In this section, we will review the fundamentals of Control
Barrier Functions (CBFs), which is employed as a means
to ensure that the robots execute collision-free trajectories.
CBFs are conceptually similar to Control Lyapunov Func-
tions (CLFs) in that they can be used to guarantee desired
system properties without explicitly having to compute the
forward reachable set. Analogously to CLFs, by constraining
the time derivative of the CBFs within prescribed bounds,
CBFs can formally guarantee the forward invariance of a
desired set, e.g. safe set.
The fundamental idea behind CBFs is thus to design
them in such a way that the agents always remain in the
safe set. We are particularly interested in control afﬁne
dynamic systems because they result in afﬁne safety barrier
constraints, which can be incorporated into simple QP based
controllers. Even though the main focus of this paper is
on double integrator dynamics, we start the exposition with
general control afﬁne case. In particular, consider a nonlinear
control system in afﬁne form
˙x = f(x)+ g(x)u
(1)
where x ∈Rn and u ∈U ⊂Rm, with f and g locally Lipschitz
continuous. Note that, for the sake of simplicity, we will
assume that (1) is forward complete, i.e. solutions x(t) are
deﬁned for all t ≥0.
Suppose now that we have a set C ⊂Rn where we wish
the state of the robot to remain. The goal is thus to design
a controller u that guarantees the forward invariance of set
C , i.e., solutions to (1) that start in set C , stay in set C for
all time. We will assume that the set C , boundary ∂C and
interior Int(C ) can be deﬁned as levels sets to a particular
function h(x),
C = {x ∈Rn : h(x) ≥0},
∂C = {x ∈Rn : h(x) = 0},
Int(C ) = {x ∈Rn : h(x) > 0},
(2)
and we have the following deﬁnition that allows us to be
precise about what safety entails, as was done in [14],
Deﬁnition 1: Given a dynamical system (1) and the set
C deﬁned by (2) for a continuously differentiable function
h : Rn →R, if there exist a locally Lipschitz extended class
K function α (strictly increasing and α(0) = 0) and a set
C ⊆D ⊂Rn such that, for all x ∈D,
inf
u∈U

Lf h(x)+ Lgh(x)u + α(h(x))

≥0
(3)
then the function h is called a Zeroing Control Barrier
Function (ZCBF) deﬁned on set D.
Now, given a ZCBF h, the set of feasible control inputs is
K(x) =

u ∈U : Lf h(x)+ Lgh(x)u + α(h(x)) ≥0
	
and in [14], the following key result was obtained;
Theorem [14]: Given a set C ⊂Rn deﬁned by (2) and
a ZCBF h deﬁned on D with C ⊆D ⊂Rn, any Lipschitz
continuous controller u: D →R such that u ∈K(x) for the
system (1) renders the set C forward invariant.
ZCBFs also imply asymptotic stability of set C , which
provides favorable robustness properties with respect to
different perturbations on system (1) [14]. If the state x is
perturbed into D \ C , it will converge asymptotically back
into set C .
In this paper, we will choose α(h(x)) = γh3(x) for deﬁning
our ZCBF candidate, which means the designed controller u
needs to satisfy the following constraint.
Lf h(x)+ Lgh(x)u + γh3(x) ≥0
(4)
III. HETEROGENEOUS SAFETY BARRIER CERTIFICATES
This section focuses on constructing the decentralized
heterogeneous safety barrier certiﬁcates that take into ac-
count the heterogeneity in agents’ dynamical properties.
Importantly, in an effort to reduce the amount of information
required when executing barrier certiﬁcates, we will explore
safety guarantees subject to unknown parameters of neigbor-
ing agents in Section IV.
A. Problem Formulation
Consider a heterogeneous robotic swarm containing N mo-
bile agents represented with set M = {1,2,...,N}, the robot
agent i ∈M is modelled with double integrator dynamics (5).
Agents in the robotic swarm are heterogeneous in the sense
that each of them has different dynamical capability, which
is modelled with different speed and acceleration limit:
"˙pi
˙vi
#
=
"
0
I2×2
0
0
#"
pi
vi
#
+
"
0
I2×2
#
ui,
(5)
where pi ∈R2, vi ∈R2, and ui ∈R2 are the position, velocity,
and acceleration of agent i respectively. The ensemble form
is p ∈R2N, v ∈R2N, and u ∈R2N. The speed and acceleration
limits of agent i are ∥vi∥p ≤βi and ∥ui∥p ≤αi, where ∥·∥p
is vector p−norm depending on actual robot model. The
relative position and relative velocity between agent i and j
are denoted as ∆pij = pi −pj and ∆vij = vi −v j.
Next, we need to formulate an appropriate safe operation
set C that characterizes safety of the robotic swarm. A
pairwise safety constraint (6) is adopted to ensure that agents
will always keep safety distance Ds away from each other
in dangerous scenarios while the maximum braking force is
being applied; this results in the constraint:
−
∆pT
ij
∥∆pij∥∆vij ≤
q
2(αi + αj)(∥∆pij∥−Ds),∀i ̸= j
(6)
As illustrated in Fig 1, the normal component (∆¯v =
∆pT
ij
∥∆pij∥∆vij) of the relative velocity between agent i and j
is the component that might lead to collision. For instance,
it is considered safe when two neighboring agents’ relative
velocity is perpendicular to their relative position (∆¯v = 0).
Fig. 1: Relative position and velocity between agent i, j
The safety constraint (6) is derived by regulating the
normal component of the relative velocity ∆¯v, while the
tangent component is unregulated. When two agents are
actively avoiding collision, the maximum relative braking
acceleration is (αi +αj). The safety requirement is to main-
tain safety distance Ds away from each other when the
maximum relative braking acceleration (αi + αj) is applied
in dangerous scenarios, which leads to:
∥∆pij∥−
(∆¯v)2
2(αi + αj) ≥Ds,
∀i ̸= j.
(7)
Note that when two agents are moving closer to each other
(∆¯v < 0), (7) regulates how fast the approaching speed
could be; when they are moving away from each other
∆¯v ≥0), no constraint is enforced because safety is not
endangered. Those two cases combined together gives the
safety constraint in (6). Therefore, we can formally deﬁne
the safe operation set C .
Cij
=
{(pi,vi)|hij =
q
2(αi + αj)(∥∆pij∥−Ds)
+
∆pT
ij
∥∆pij∥∆vij ≥0}, j ̸= i
(8)
C
=
∏
i∈M







\
j∈M
j̸=i
Cij







(9)
where hij, short for hij(∆pij,∆vij), is a ZCBF candidate to
ensure that the pairwise constraint (6) always holds. ∏
i∈M
is
the Cartesian product over the states of all agents in the set
of robots.
Deﬁnition 2: The robotic swarm represented with set M with
dynamics given in (5) is deﬁned to be safe if the state (p,v)
of the system stays in set C for all time.
According to Deﬁnition 2, the robotic swarm needs to
simultaneously satisfy all the pairwise safety constraints to
ensure safety. ZCBF constraints are constructed to guarantee
the forward invariance of the safe operation set C , i.e. there
are the following pairwise CBF constraints:
Lf hij + Lghiju+ γh3
ij ≥0,∀i ̸= j,
(10)
Theorem 3.1: The robotic swarm represented with set M
is safe, if the control variable u satisﬁes all the pairwise
ZCBF constraints in (10).
Proof:
If the control variable u satisﬁes the pairwise
ZCBF constraints in (10), then hij is a valid ZCBF with
α(x) = γx3 according to Deﬁnition 1. Following Theorem
[14], the forward invariance of set C is guaranteed, which
means the robotic swarm denoted with set M is safe.
Combining (8) with (10), the ZCBF constraint can be rewrit-
ten as;
−∆pT
ij∆uij ≤γh3
ij∥∆pij∥−
(∆vT
ij∆pij)2
∥∆pij∥2
+ ∥∆vij∥2 +
(αi + αj)∆vT
ij∆pij
p
2(αi + αj)(∥∆pij∥−Ds),
∀i ̸= j
(11)
This safety barrier constraint can be represented as linear
constraints on the control variable u as Aiju ≤bij, where
Aij = [0,...,−∆pT
ij
| {z }
agent i
,..., ∆pT
ij
|{z}
agent j
,...,0],
and bij is the right side of (11).
The safety barrier constraints assembled together, termed
the safety barrier certiﬁcates, deﬁnes the space of permissi-
ble controls. The objective of the safety barrier certiﬁcates is
to validate the safety of pre-designed control strategy ˆu, and
interfere with minimal impact to the desired strategy when
collision is truly imminent. The goals of collision avoidance
and minimal interference are combined together using QP:
u∗= argmin
u
J(u) =
N
∑
i=1
∥ui −ˆui∥2
s.t.
Aiju ≤bij,
∀i ̸= j,
∥ui∥∞≤αi,
∀i ∈M
(12)
where the acceleration limit of agent i is deﬁned with ∞-norm
for simplicity. This QP based controller follows pre-designed
control strategy ˆu when the system is safe; takes over and
computes the closest permissible control in a least-squares
sense when collision is about to happen. Note that this
QP based controller is a centralized controller, demanding
centralized computation, which provides a starting point for
decentralized heterogeneous barrier certiﬁcates.
B. Decentralized Heterogeneous Barrier Certiﬁcates
Centralized safety barrier certiﬁcates face signiﬁcantly
increased communication and computation burden when the
size of robotic swarm grows. It is desirable to have decen-
tralized barrier certiﬁcates that act only based on local infor-
mation, while safety is still guaranteed. In the heterogeneous
robotic swarm, agents with different acceleration limits have
different capabilities to avoid collision. Thus we propose
three different strategies to decentralize the safety barrier
certiﬁcates to each agent based on their acceleration limits.
Motivated by the fact that agents with higher acceleration
limits are more agile, these agents are assigned with larger
portion of the admissible control space.
1) Strategy A partitions the increase rate of ZCBF ˙hij =
∂hij
∂xi
T
˙xi + ∂hij
∂xj
T
˙x j to two robot agents i and j, where
xi =
 pi
vi

is the state of agent i.
−∂hij
∂xi
T
˙xi ≤
αi
αi + αj
γh3
ij,
−∂hij
∂x j
T
˙x j ≤
αj
αi + αj
γh3
ij,
2) Strategy B distributes bij to two robot agents.
−∆pT
ijui ≤
αi
αi + αj
bij,
∆pT
ijuj ≤
αj
αi + αj
bij,
3) Strategy C is a hybrid approach, which is inspired
by strategies A and B. It partitions the terms related
to acceleration limits of robot agents in (11) and
distributes other terms appropriately like strategies A.
−∆pT
ijui +
∆pT
ij∆vij
∥∆pij∥2 ∆pT
ijvi −∆vT
ijvi
≤
αi
αi+αj (γh3
ij∥∆pij∥+
√αi+αj∆pT
ij∆vij
√
2(∥∆pij∥−Ds) ),
(13)
∆pT
ijuj −
∆pT
ij∆vij
∥∆pij∥2 ∆pT
ijv j + ∆vT
ijv j
≤
αj
αi+αj (γh3
ij∥∆pij∥+
√αi+αj∆pT
ij∆vij
√
2(∥∆pij∥−Ds) ),
(14)
These three decentralization strategies differ from each
other in the required amount of information to implement
the safety barrier certiﬁcates as shown in TABLE I. The
required information is categorized into self known parame-
ters, sensing data and neighbors’ parameters. The self known
parameters and sensing data can be easily attained by the
controller. Meanwhile, obtaining neighboring agents’ param-
eters, e.g. acceleration limit αj, requires identity recognition
or communication. Swarm robots are usually designed to be
simple with limited hardware resources. In terms of required
information, strategy C surpasses A and B by not requir-
ing neighbors’ parameters. Handling unknown neighboring
agents’ safety barrier parameters using strategy C is the topic
of Section IV.
All of the three decentralization strategies still guarantees
safety, if the controller follows safety barrier constraints. This
is true because they partition the admissible control space to
each agent, while safety barrier constraint (11) still holds.
TABLE I: Comparison of required information for the im-
plementation of three decentralization strategies
Strategy
Self params
Sensing data
Neighbors’ params
A
αi,γ
∆pij,∆vij,vi
αj
B
αi,γ
∆pij,∆vij
αj
C
αi,γ
∆pij,∆vij,vi,
With strategy C, we can come up with a decentralized QP-
based controller that is minimally invasive to pre-designed
controller and provably safe.
u∗
i = argmin
ui
J(ui) = ∥ui −ˆui∥
s.t.
¯Aijui ≤¯bij,
∀j ̸= i,
∥ui∥∞≤αi,
(15)
where
¯Aij = −∆pT
ij,
¯bij = −
∆pT
ij∆vij
∥∆pij∥2 ∆pT
ijvi + ∆vT
ijvi +
αi
αi+αj (γh3
ij∥∆pij∥+
√αi+αj∆pT
ij∆vij
√
2(∥∆pij∥−Ds) ).
Fig. 2 illustrates a test case showing how the safety barrier
certiﬁcates interact with pre-designed controller to guarantee
safety. The pre-designed controller is a goal-to-goal con-
troller without considering collision avoidance. The agent
moved straight towards the goal when it is executed (Fig. 2a).
When agents were about to collide, the barrier certiﬁcates
automatically took over and computed an appropriate way
to avoid collision while honoring the pre-designed control
as much as possible(Fig. 2b). In the given case, agents
successfully completed task and avoided collision. This is
achieved by solving a simple online QP without computing
the complicated forward reachable set.
-1.5
-1
-0.5
0
0.5
1
1.5
-1
-0.5
0
0.5
1
(a) Pre-designed control is used
-1.5
-1
-0.5
0
0.5
1
1.5
-1
-0.5
0
0.5
1
(b) Barrier certiﬁcates take over
-1.5
-1
-0.5
0
0.5
1
1.5
-1
-0.5
0
0.5
1
(c) Task Complete
Fig. 2: Two robot agents regulated by safety barrier cer-
tiﬁcates. The circles, arrows and dash-dot lines represent
the agents’ safety margin, current velocity and trajectories
respectively.
IV. BARRIER CERTIFICATES WITH UNKNOWN
PARAMETERS
Heterogeneity in agents’ dynamical capabilities brings
extra challenge to collision avoidance. In the robotic swarm,
agents need to ﬁrst assess how effective other agents can
respond to safety threats before making decision for collision
avoidance. Meanwhile, swarm robots are often designed to be
simple and therefore lack the ability to obtain other agents’
parameters. This section addresses the scenario that agents
need to ensure safety when some dynamical parameters of
other agents are unknown.
A. Barrier Certiﬁcates with Different γ
The safety barrier parameter γ determines how fast the
agents’ states can approach the boundary of safe operation
set C . It turns out that agents with different γ are still safe
when running the decentralized barrier certiﬁcates.
Lemma 4.1: Two heterogeneous agents i, j ∈M regulated
by safety barrier certiﬁcates (15) with different parameters
γi,γj are guaranteed to be safe.
Proof: Agent i and j follow the safety barrier constriant
given in (13) and (14) with different parameters γi,γj. Adding
the two safety barrier constraints together gives:
−∆pT
ij∆uij ≤γ′
Bij
h2
ij∥∆pij∥−
(∆vT
ij∆pij)2
∥∆pij∥2
+∥∆vij∥2 +
(αi + αj)∆vT
ij∆pij
p
2(αi + αj)(∥∆pij∥−Ds),
(16)
where γ′ = αiγi+αjγj
αi+αj . This inequality can be rewritten as
−˙hij ≤γ′h3
ij, which guarantees safety as if a weighted version
of γ is used in the safety barrier certiﬁcates.
This lemma provides the freedom for heterogeneous agents
to choose or adaptively change their own γ without worrying
about endangering safety. The designer can use γ to inten-
tionally prioritize certain agents over others, which resembles
the real life case of ambulance granted higher priority to go
through the trafﬁc ﬂow.
Fig. (3) demonstrates how heterogeneous γ in safety bar-
rier certiﬁcates can be used to coordinate conﬂicting agents.
Two agents executing goal-to-goal controller regulated by
heterogeneous barrier certiﬁcates are simulated in three dif-
ferent scenarios. When both agents adopt the same safety
barrier parameter γ, they have neutral behavior when their
goals conﬂict as shown in Fig. (3a). When the left agent uses
larger γ, it moves straight to its goal aggressively, while the
other agent moves around it to avoid collision (Fig. (3b)).
When the left agent is assigned with smaller γ, the left agent
gives way to other agent when their goals conﬂict (Fig. (3c)).
With heterogeneous safety barrier certiﬁcates, we can de-
ﬁne the notion of neighbors to reduce the pairs of necessary
safety barrier constraints:
Ni = { j ∈M , j ̸= i|∥∆pij∥≤Di
N ,Di
N = Ds
+
1
2(αi + αmin)( 3
s
2(αi + αmin)
γi
+ βi + βmax)2},
(17)
-0.6
-0.4
-0.2
0
0.2
0.4
-0.2
0
0.2
0.4
0.6
0.8
1
1.2
(a) Both agents are neutral
-0.6
-0.4
-0.2
0
0.2
0.4
0
0.5
1
(b) Left agent aggressive
-0.6
-0.4
-0.2
0
0.2
0.4
-0.2
0
0.2
0.4
0.6
0.8
1
1.2
(c) Left agent conservative
Fig. 3: Trajectories of two agents regulated by safety barrier
certiﬁcates with different parameter γ
where αmin =
min
j∈M ,j̸=i{αj} and βmax =
max
j∈M ,j̸=i{β j} are the
minimal acceleration limit and maximum speed limit of
other agents in the robotic swarm. When αmin and βmax
are unknown, the most conservative values can be used, i.e.
lower bound of αmin and upper bound of βmax. The neigh-
bor’s notion is helpful in reducing computation intensity and
sensing requirement. This notion is valid because there is no
threat of collision when agents are sufﬁciently far away from
each other.
Theorem 4.2: Any agent i ∈M is guaranteed to be safe
if it only forms ZCBFs with its heterogeneous neighbors
deﬁned by (17).
Proof:
Heterogeneous agents each possesses a safety
neighbor disk with different radius. Thus there are gen-
erally three scenarios considering ∀j ∈M , j ̸= i, i.e.
∥∆pij∥> max{Di
N ,Dj
N },
max{Di
N ,Dj
N } ≥∥∆pij∥≥
min{Di
N ,Dj
N } or ∥∆pij∥< min{Di
N ,Dj
N }.
Agent i
Agent j
D j
N
Di
N
∆pi j
Fig. 4: Two heterogeneous agents with different safety neigh-
bor disks
When ∥∆pij∥> max{Di
N ,Dj
N }, both agents are not
within neighbor’s range. We can prove −˙hij ≤min{γi,γj}h3
ij
following similar reasoning of Theorem [5] by considering
the worst-case scenario.
When max{Di
N ,Dj
N } ≥∥∆pij∥≥min{Di
N ,Dj
N }, one
agent is a neighbor of the other, while the other agent is
not. Following Theorem 1, we can prove −˙hij < γkh3
ij, where
k = argmin
k∈{i,j}
Dk
N . When ∥∆pij∥< min{Di
N ,Dj
N }, both agents
are neighbors of each other. Following Lemma 4.1, it is
guaranteed that −˙hij ≤γ′h3
ij.
To sum up, safety is guaranteed in all three cases with
different ZCBF parameters. Heterogeneous agents only needs
to form ZCBFs with their neighbors to guarantee safety.
B. Barrier Certiﬁcates with Unknown Acceleration Limits
As discussed in Section III-B, identifying the acceleration
limits of neighboring agents can be a complicated problem.
When no prior knowledge about other agents’ acceleration
limits is provided, we will prove that estimated values can
be used. Consequently, the safe set deﬁnition will be slightly
different for different agents. Let αi and αij be agent i’s
acceleration limit and estimate of agent j’s acceleration limit.
The pairwise safe operation set
¯
Cij of agent i is:
¯
Cij = {(pi,vi) | hij(αi + αij) =
∆pT
ij
∥∆pij∥∆vij
+
q
2(αi + αij)(∥∆pij∥−Ds) ≥0}, j ̸= i,
With the estimated parameters, the hybrid strategy in Section
III-B for distributing safety barrier certiﬁcates is:
−∆pT
ijui +
∆pT
ij∆vij
∥∆pij∥2 ∆pT
ijvi −∆vT
ijvi ≤
αi
αi + αij
(γih3
ij(αi + αij)∥∆pij∥+
√αi + αij∆pT
ij∆vij
p
2(∥∆pij∥−Ds) ) (18)
∆pT
ijuj −
∆pT
ij∆vij
∥∆pij∥2 ∆pT
ijv j + ∆vT
ijv j ≤
αj
αj + αji
(γjh3
ji(αj + αji)∥∆pij∥+
√αj + αji∆pT
ij∆vij
p
2(∥∆pij∥−Ds) ) (19)
Before introducing the estimation method, we need to
make sure that safety is still guaranteed when imperfect
estimation parameters are used. In order to guarantee safety
with inaccurate parameters, it is desirable to ensure that
¯
Cij
is always subset of Cij. Notice that when αji ≤αi,αij ≤αj,
we have ¯
Cij ⊆Cij. It is intuitive to guess that agents are safe
if conservative estimates of neigboring agents’ acceleration
limits are used. We will prove this intuition for decentralized
heterogeneous barrier certiﬁcates.
Lemma 4.3: If αji ≤αi,αij ≤αj and the safety barrier
constraints in (18),(19) are satisﬁed, safety is still guaranteed.
Proof: When agents i and j use their own estimates of
acceleration limits based on (18) and (19), we can get:
−∆pT
ij∆uij +
(∆pT
ij∆vij)2
∥∆pij∥2
−∆vT
ij∆vij
≤
αiγih3
ij(αi + αij)
αi + αij
∥∆pij∥+
αjγjh3
ji(αj + αji)
αj + αji
∥∆pij∥
+ (
αi
√αi + αij
+
αj
√αj + αji
)
∆pT
ij∆vij
p
2(∥∆pij∥−Ds),
(20)
Recall that if perfect parameter estimation is achieved (αji =
αi,αij = αj), (20) is identical to (16). Next, we will discuss
safety under two different scenarios where two agents are
moving closer or further away from each other:
1) when ∆pT
ij∆vij ≤0, agents i and j are moving closer to
each other. With αji ≤αi,αij ≤αj, we have
αi
√αi+αij +
αj
√αj+αji ≥√αi + αj. Thus
−∆pT
ij∆uij +
(∆pT
ij∆vij)2
∥∆pij∥2
−∆vT
ij∆vij
≤
¯γh3
ij(αi + αj)∥∆pij∥+
√αi+αj∆pT
ij∆vij
√
2(∥∆pij∥−Ds) ,
(21)
where
¯γ =
αiγi
αi+αij +
αjγj
αj+αji . Compared with (11),
this inequality can be rewritten as −˙hij(αi + αj) ≤
¯γhij(αi + αj)3,
which
guarantees
safety
as
if
a
weighted version of γ is adopted. This means that, if
∆pT
ij∆vij ≤0, the forward invariance of the nominal
safe operation set C is guaranteed.
2) when ∆pT
ij∆vij > 0 (agents are moving away from each
other), it is guaranteed to have hij(αi + αj) ≥0. Thus
agents always stays in the nominal safe operation set
C in this scenario.
Now we are one step away from proving the safety guaran-
tee for all cases. Because agents are switching back and forth
between the two cases. The switchings might compromise
safety. In case (1), forward set invariance requires agent i to
always start in C after each switching. Due to the second
order dynamical model used for barrier certiﬁcates, ∆pT
ij∆vij
is continuous with respect to time. Thus the switching
between two cases always occurs at ∆pT
ij∆vij = 0, where
hij(αi +αj) ≥0. Combining the two scenarios with the safe
switching condition, agent i is guaranteed to be safe with
respect to the nominal safe operation set C .
Now, what is left to do is to ﬁnd an appropriate estimation
method to estimate the acceleration limits of neighboring
agents with local observation. With the local sensor measure-
ments of neighboring agents, we can construct a distributed
least squares estimator or Kalman ﬁlter [8] to estimate the
current acceleration ∥¯uj∥of agent j. The steps to update the
estimate of αj can be designed as:
1) Set conservative initial guess as αij(t0) = αmin.
2) Use local observations to update ∥¯uj∥.
3) Update αij with ˙αij = k(max{αij,∥¯uj∥}−αij), where
k depends on the accuracy of local observations.
note that this strategy will ensure that parameter estimation
satisﬁes αji ≤αi,αij ≤αj. Thus safety is still guaranteed
using the estimated parameters due to lemma 4.3. With
this estimation strategy, agents do not need to know the
acceleration limits of neighboring agents. They can start
with conservative initial guesses, and gradually improve
their knowledge with local observations without endangering
safety.
V. SIMULATION RESULTS
A multi-robot system with six heterogeneous agents is
simulated with MATLAB. Each agent is modelled with
double integrator dynamics and executes a goal-to-goal con-
troller without considering collision avoidance. This system
contains two types of agents: small agile agents (αs =
1.2 m/s2, safety radius is 0.2 m); large cumbersome agent
(αl = 0.6 m/s2, safety radius is 0.4 m). As illustrate in Fig.5,
the objective of the pre-designed controller is to make all
agents exchange position with the agents on the opposite
side of the large circle. Without collision avoidance strategy,
the goal-to-goal controller will lead to collision of all agents
in the middle.
The heterogeneous safety barrier certiﬁcates are imple-
mented side by side with the pre-designed control strategy.
All agents started heading towards the center following the
goal-to-goal controller (Fig. 5a). As they moved closer to
each other, the safety barrier certiﬁcates were activated and
kept all agents with enough safety distance away from each
other (Fig. 5b). The small agents are more agile and took
up more responsibilities in avoiding collision, while the
cumbersome agent decelerated but still continued its own
path because of its large inertia (Fig. 5c). When the large
agent was about to reach its destination, its speed is almost
zero. Other small agents were safe to pursue their own
goals without worrying about colliding with the large agent
(Fig. 5d). At last, the heterogeneous safety barrier certiﬁcates
successfully helped navigate all agents out of the “crowded”
scenarios and achieved their individual objectives.
Note that the core of safety barrier certiﬁcates is a QP-
based controller, which can be executed very efﬁciently.
Compared with conventional multi-agent collision avoidance
methods, the proposed method is more suitable for real-time
application on large-scale robotic swarm because it does not
require computation of complicated forward reachable set.
VI. EXPERIMENTAL RESULTS
The heterogeneous safety barrier certiﬁcates were im-
plemented on a heterogeneous robotic swarm with three
Khepera III robots (αK = 2.0 m/s2) and one Magellan Pro
robot (αM = 0.5 m/s2). The positions of robots are tracked
by Optitrack motion capture system. Those two types of
robots have distinct dimensions and dynamical capabilities.
The diameters of Khepera III and Magellan Pro robots are
13 cm and 41 cm. The actual dynamical model of mobile
robots used in this experiment is unicycle model, which is
approximated with double integrated dynamics using Lya-
punov based approach. The pre-designed controller is a goal-
to-goal controller (ˆui = −k1(pi−ri)−k2vi), which exchanges
the positions of agents on the diagonal line of a rectangle,
without considering collision avoidance. The heterogeneous
safety barrier certiﬁcates were executed as a lower level
safety program with no knowledge about overall goal of the
higher level controller.
Fig. 6 shows a overhead view of the robots during the
experiment and plots of corresponding experimental data. All
four robots started heading straightly towards the opposite
side of the rectangle (Fig. 6a). The safety barrier was inactive
because the pre-designed coordination control command
is considered safe. When robots moved closer, the safety
barrier interfered because collision was about to happen.
As illustrated in (Fig. 6b), three Khepera III robots turned
-2
0
2
-2
-1
0
1
2
(a) Time step t = 10
-2
0
2
-2
-1
0
1
2
(b) Time step t = 520
-2
0
2
-2
-1
0
1
2
(c) Time step t = 1000
-2
0
2
-2
-1
0
1
2
(d) Time step t = 2400
-2
0
2
-2
-1
0
1
2
(e) Time step t = 2830
Fig. 5: Six robot agents regulated by heterogeneous safety
barrier certiﬁcates. The acceleration limits of small and large
agents are 1.2 m/s2 and 0.6 m/s2. The speed limits of all
agents are 0.6 m/s. The small and large circles represent the
safety radius of different agents, which are 0.2 m and 0.4 m
respectively. Units for X and Y coordinates in the plots are
in meters.
around to avoid collision, while the Magellan robot kept
pushing forward. This is because Magellan Pro robot has
more momentum and can not brake fast enough to avoid
collision. Those more agile Khepera III robots carried more
responsibilities in collision avoidance when Magellan Pro
robot reacted slowly. When the Magellan Pro robot almost
reached its goal position and became slower in motion, other
Khepera III robots got the chance to pursue their goals
(Fig. 6c). It can be observed that the safety barrier directed
robots away from collision and computes the command that
is closest to pre-designed control command. After robots
navigated away from the “crowded” area, the pre-designed
controller took over again (Fig. 6d). Ultimately, all robots
reached desired conﬁguration, i.e. exchange position with
robots on the opposite side (Fig. 6e). A video can be found
online [9].
(a) Agents at 4.0s
−1
0
1
−1
0
1
(b) Agents at 7.0s
−1
0
1
−1
0
1
(c) Agents at 13.0s
−1
0
1
−1
0
1
(d) Agent at 16.0s
−1
0
1
−1
0
1
(e) Agent at 21.3s
−1
0
1
−1
0
1
Fig. 6: Test run of three Khepera robots (small circles) and
one Magellan robot (large circle) with heterogeneous safety
barrier certiﬁcates. The arrow, circle and dashed line repre-
sent current velocity, position and trajectory of robot agents.
The square markers stand for initial and goal positions.
VII. CONCLUSION AND FUTURE WORK
The heterogeneous safety barrier certiﬁcates proposed in
this paper provides a provable way to address the challenges
in collision avoidance brought by heterogeneity in robots’
dynamical capabilities. Both simulation and experimental
results validate the effectiveness of the proposed approach.
While studying those results, several interesting future re-
search directions also arise. When the objectives of several
agents conﬂict with each other, the agents sometimes get into
a deadlock. When deadlock happens, safety is guaranteed but
desired tasks can not be completed. It is important to design
a strategy that breaks deadlock to ensure task completion.
In some “crowded” situations, several safety barrier
constraints might conﬂict with each other, rendering the
optimization-based controller infeasible. To remedy this
problem, zeroing control barrier function is designed to pull
the states of agents back to the safe operation set when
violation occurs. However, for some safety critical systems,
synthesizing safety barrier certiﬁcates that are guaranteed
feasible is very signiﬁcant.
REFERENCES
[1] W. Abbas and M. Egerstedt. Distribution of Agents in Heterogeneous
Multiagent Systems. In Decision and Control and European Control
Conference (CDC-ECC), 2011 50th IEEE Conference on, pages 976–
981. IEEE, 2011.
[2] A. D. Ames, J. W. Grizzle, and P. Tabuada. Control Barrier Func-
tion Based Quadratic Programs with Application to Adaptive Cruise
Control. In Decision and Control (CDC), 2014 IEEE 53rd Annual
Conference on, pages 6271–6278, Dec 2014.
[3] V. T. Arasan and R. Z. Koshy. Methodology for Modeling Highly
Heterogeneous Trafﬁc Flow. Journal of Transportation Engineering,
131(7):544–551, 2005.
[4] R. C. Arkin. Behavior-based Robotics. MIT press, 1998.
[5] U. Borrmann, L. Wang, A. D. Ames, and M. Egerstedt. Control Barrier
Certiﬁcates for Safe Swarm Behavior.
In Analysis and Design of
Hybrid Systems, 2015 IFAC Conference on, Oct 2015.
[6] F. Bullo, J. Cort´es, and S. Martinez. Distributed Control of Robotic
Networks: a Mathematical Approach to Motion Coordination Algo-
rithms. Princeton University Press, 2009.
[7] X. C. Ding, A. R. Rahmani, and M. Egerstedt.
Multi-uav Convoy
Protection: an Optimal Approach to Path Planning and Coordination.
Robotics, IEEE Transactions on, 26(2):256–268, 2010.
[8] M. Mesbahi and M. Egerstedt. Graph Theoretic Methods in Multiagent
Networks. Princeton University Press, 2010.
[9] Online.
Heterogeneous
Control
Barrier
Certiﬁcates.
https://www.youtube.com/watch?v=9RnV18u1T0g,
2015.
[10] L. E. Parker, B. Kannan, X. Fu, and Y. Tang.
Heterogeneous
Mobile Sensor Net Deployment Using Robot Herding and Line-of-
sight Formations.
In Intelligent Robots and Systems, 2003.(IROS
2003). Proceedings. 2003 IEEE/RSJ International Conference on,
volume 3, pages 2488–2493. IEEE, 2003.
[11] W. Ren and R. W. Beard.
Distributed Consensus in Multi-vehicle
Cooperative Control. Springer, 2008.
[12] C. Tomlin, G. J. Pappas, and S. Sastry.
Conﬂict Resolution for
Air Trafﬁc Management: A Study in Multiagent Hybrid Systems.
Automatic Control, IEEE Transactions on, 43(4):509–521, 1998.
[13] J. Van Den Berg, S. J. Guy, M. Lin, and D. Manocha. Reciprocal n-
Body Collision Avoidance. In Robotics research, pages 3–19. Springer,
2011.
[14] X. Xu, P. Tabuada, J. W. Grizzle, and A. D. Ames. Robustness of
Control Barrier Functions for Safety Critical Control. In Analysis and
Design of Hybrid Systems, 2015 IFAC Conference on, Oct 2015.