A Novel Safety-Aware Energy Tank Formulation Based on Control Barrier Functions

In this work, we propose a novel formulation for energy tanks based on Control Barrier Functions (CBF). Our approach is able to handle simultaneously energy constraints to ensure passivity, as well as enforce power limits in the system to enhance safety. Furthermore, our approach overcomes the discrete switching nature of classical energy tanks, ensuring smooth control commands. To achieve our desiderata, we formulate our tank as a second order dynamical system, where we exploit CBF and Higher-Order CBF to obtain theoretical guarantees on fulfilling the energy and power constraints in the system. Furthermore, we derive conditions related to our tank design in order to ensure the passivity of the controlled robot. Our proposed approach is tested in a series of robot experiments where we validate our approach on tasks such variable stiffness and force control, and in a scenario where it is desired to constrain the kinetic energy in the system.

A Novel Safety-Aware Energy Tank Formulation Based on Control Barrier Functions Youssef Michel , Matteo Saveriano , Senior Member, IEEE, and Dongheui Lee , Senior Member, IEEE Abstract-In this work, we propose a novel formulation for energy tanks based on Control Barrier Functions (CBF).Our approach is able to handle simultaneously energy constraints to ensure passivity, as well as enforce power limits in the system to enhance safety.Furthermore, our approach overcomes the discrete switching nature of classical energy tanks, ensuring smooth control commands.To achieve our desiderata, we formulate our tank as a second order dynamical system, where we exploit CBF and Higher-Order CBF to obtain theoretical guarantees on fulfilling the energy and power constraints in the system.Furthermore, we derive conditions related to our tank design in order to ensure the passivity of the controlled robot.Our proposed approach is tested in a series of robot experiments where we validate our approach on tasks such variable stiffness and force control, and in a scenario where it is desired to constrain the kinetic energy in the system.Index Terms-Energy tanks, passivity-based control, safetyaware robotics.

I. INTRODUCTION
E NSURING a stable and safe behavior is of paramount importance for modern robots.Clearly, such a requirement is crucial for performance reasons, but perhaps even more so for safety considerations.This is especially true for robots designed to operate in dynamic ein close proximity to humans, and to interact physically with their surroundings.
By definition, such a physical interaction involves a bidirectional exchange of energy between the robot and the environment.In this regard, passivity theory offers a powerful tool to analyze the stability properties of a controlled system, without necessarily assuming the environment's structure.In fact, as shown in [1], if a system is not passive, it is possible to construct an environment that can extract an infinite amount of energy from the system, thereby destabilizing it.Intuitively, the system is passive if it does not generate energy on its own.This simple idea has been instrumental in developing several control techniques such as the Interconnection-damping assignment [2] and energy shaping controllers [3], with the latter being the inspiration behind the well-known PD+gravity compensation controller [4].Several methods have been also proposed to restore the passivity in a potentially non-passive controlled system.For example, the Time Domain Passivity Approach (TDPA) [5] was developed to ensure the stability of haptic rendering interfaces, as well as bilateral teleoperators [6].The main idea is to monitor in real-time the power flows in a network, and inject damping as necessary to balance the passivity-violating energy in the system.
Along the same lines, energy tanks [1], [7] are another powerful method that has been widely used to restore system's passivity.The work in [8] laid the foundations for energy tanks by demonstrating the concept of energy routing, where passivity is ensured by directing and re-routing energy flows in the system, through suitable power preserving interconnections.Intuitively, the energy tank is a storage element interconnected to the system in a power-preserving manner.By manipulating the interconnection structure, it is possible to passify any potentially non-passive control action.The tank acts as a monitoring mechanism, providing an "energy budget" that can be allocated for the execution of non-passive control actions, which are allowed to be executed as long as some energy remains in the tank.
From thereon, energy tanks have been effectively deployed in a plethora of robotic applications.For example, the work in [9] considered energy tanks to implement time-varying stiffness control actions, and later extended it in [10] to realize a time-varying admittance.Later, [11] and [12] extended these approaches for the case of hierarchical time-varying compliance control, based on the work of [13] and [14], which used energy tanks to passify projection operators in hierarchical control; however, for the constant compliance case.In teleoperation, the authors in [15] proposed a two-layer bilateral teleoperation framework, where in the performance layer, a generic control law is implemented for the master and remote robots, while the passivity layer implements an energy tank that ensures passivity in the system, taking into account potential communication delays.The work in [16] considered energy tanks to restore passivity in bilateral teleoperation, where additionally the remote robot is commanded with a state-varying stiffness.Finally, Selvaggio et al. [17], [18] used energy tanks in order to passify a shared control framework.
Despite their simplicity, energy tanks have also several shortcomings.First, the classical energy tank implementation [1], [7]  relies on a set of discretely switching conditions realized via "if-else" statements in order to implement the tank dynamics, as well as to disable the control commands when the tank is depleted.Clearly, this discrete switching nature results in non-smooth control commands, which potentially could result in chattering, thereby increasing the wear and tear on the robot actuators.Additionally, despite ensuring passivity, using energy tanks does not preclude unsafe behaviors, since in certain scenarios, a large amount of energy could be extracted from the tank over a short period of time, resulting in abrupt and even dangerous robot behaviors.To solve this problem, [19], [20] proposed safety valves that regulate the power flow from the tank to the system, however at the expense of introducing additional scaling factors in the control law.
In this work, we propose the Control Barrier Function-based energy tank (CBF-tank), a novel and unified formulation for energy tanks where energy and power constraints are concurrently accounted for, thereby alleviating the need to treat them separately.Furthermore, our proposed tank dynamics are inherently continuous and do not feature any discrete switching between different modes (i.e., tank on/off), thereby resulting in smooth control laws.Our formulation outputs a single scaling factor that modulates the control law, and wherein are embedded limits on the energy to ensure passivity, as well on the power flow.Thereby, we tackle safety in this work from an energetic perspective, specifically, by bounding both the energy and power of the robot.Through ensuring passivity, we guarantee that the robot energy remains bounded.The second aspect of safety we consider here is power-flow regulation, which refers to ensuring that the power associated with the control actions is constrained by a pre-defined limit.To realize our objectives, we formulate the tank as a second order dynamical system, where we exploit Control Barrier Functions (CBF) [24] to obtain theoretical guarantees on the energy and power constraints enforcement.CBFs are becoming increasingly popular in the control and robotics community, with applications ranging from Adaptive Cruise Control [25] to bipedal walking [26] and passivity-based control [23], [27].Recently, [23] proposed a tank formulation where CBF are exploited to enforce constraints regarding the minimum energy allowed in the tank.Our approach is similar in this regard since we also use CBF; however, in addition to the energy constraint, our novel tank dynamics formulation allows to seamlessly integrate power constraints, thereby enhancing the safety of the controlled robot.Table I provides an overview of some of the relevant literature on energy tanks, and how they compare to the proposed approach in this letter.

A. Control Barrier Functions
In this section, we briefly review the fundamental concepts related to CBF [25], [28] that this work is built on.CBFs allow to obtain control inputs that guarantee the system states to remain in a safe set of choice.To this end, we consider an affine dynamical system of the form For a continuously differential function b(ξ) such that b : R d → R, termed the barrier function, the goal in CBF is to render the set C := {ξ ∈ R d : b(ξ) ≥ 0} forward invariant for the system (1), through a suitable control input u.That is, for any ξ(t 0 ) ∈ C, we have ξ(t) ∈ C ∀ t > t 0 (all solutions starting in C remain in C for all future times).To achieve that, first let us define the notion of a CBF [28]: Definition 1.Control Barrier Function: The function b(ξ) is a control barrier function for the system (1) if there exists a class-K function ϕ(.) such that for all ξ(t) ∈ C, we have where L f and L g are the Lie derivatives of b(ξ) along f (ξ) and g(ξ for some a > 0 it is strictly increasing and ϕ(0) = 0.With this definition, the following theorem can be stated: Theorem 1: For a CBF b(ξ), any Lipschitz continuous controller u(t) satisfying (3) would render the set C forward invariant for (1).
In practice, we usually have a nominal control input u * specified according to certain performance objectives for a given system (e.g., tracking a desired reference).To force the system states into the safe set defined by C, the actual control input u is computed as the solution to an optimization problem that minimizes the norm between u and u * , while subjected to the constraint of Theorem 1.It is quite common to formulate the optimization as a Quadratic Program (QP) for real-time control.

B. High-Order Control Barrier Functions
It happens sometimes that, when formulating the constraint (2), we have L g b(ξ) = 0, which means that the control input u does not appear in the constraint.To solve this problem, the concept of high-order control barrier functions [28] can be employed.
For a m-th order differentiable function b(ξ), we define a series of functions ψ 0 , ψ 1 , ..., ψ m where , and their associated sets m, where ϕ i−1 (.) are the class-K functions introduced in Definition 1.We can now make the following definition.
Definition 2: Given the functions ψ i−1 and the sets C i , for i = 1, . . ., m, the function b : R d → R is a High Order Control Barrier Function (HOCBF) of relative degree 1 m for the system (1) if there exists differentiable class-K functions ϕ i (.) such that where O(.) represents the Lie derivatives along f which have a degree less than or equal to m − 1.
We can now state the main theorem in relation to HOCBF.Theorem 2: For the HOCBF b(ξ), let u(t) be a Lipschitz continuous controller such that u ∈ K hocbf where the set K hocbf satisfies then u(t) renders the set C 1 ∩ C 2 ∩ . . .C m forward invariant for the system (1).

C. Passivity Theory
In this section, we briefly explain the concept of passivity [29].Passivity theory is an intuitive tool that allows us to analyze the stability properties of a system.The main idea is that a system is passive if the stored energy at any given time is not larger than the initially stored energy plus the external supplied energy through its ports of interaction.In other words, no internal generation of energy happens in the system.For that, we associate with the system (1) a positive definite function S(ξ) called the storage function.We can then formulate the passivity condition as follows.
Theorem 3: The system (1) is passive if the following inequality holds for all admissible inputs u(.), and for any time t 1 > t 0 where t 0 is the initial time. 1 The number of times we need to differentiate b along the dynamics (1) for the control input u to show up.
In the coming sections, we will make use of the following alternative formulation of the passivity condition [29]: which simply states that the energy that can be extracted from a passive system is bounded by the initially available storage.

D. Classical Energy Tanks
In classical energy tanks [1], [7], the goal is to passify a potentially passivity-violating power port ( ẋ, F d ) with associated power P d = ẋT F d , where ẋ is the robot velocity, and F d is a generic passivity violating control action (e.g., time-varying stiffness or force-control action).Please note that, in the common sign convention, P d > 0 indicates an active system and P d ≤ 0 a passive one.
Typically, an energy tank has an associated energy level E t , an initial energy E 0 , and a lower threshold for minimum allowable tank energy ≥ 0. To assign the tank dynamics, we first need to define the following valve: Then, we can assign the tank dynamics as In order to actually realize the tank, the control action is scaled such that F a = αF d .The tank dynamics (9) essentially means that the tank provides an energy budget E 0 that can be exploited to balance out the passivity violating power P d in the system, such that the sum of the two terms when taking the derivative of the total storage (controlled system plus tank) is zero.As soon as the energy tank is depleted (i.e., E t < ), the passivity violating control action can be no longer executed.Power Flow Regulation: Additionally, there might be cases where limiting the tank energy is not enough, and we further need to limit the power extracted from the tank.To this end, the concept of power flow regulation [19], [20] is used, where we want to limit the passivity violating power to a power limit2 P max > 0. This is achieved by defining the valve which is then applied to modulate the control force F a = α † αF d , which will then have associated power P a = α † αP d < P max .

A. CBF Tanks
In CBF tanks, our goal is to have a unified tank formulation that simultaneously takes into account energy and power limits (i.e., without the need to treat them separately), while avoiding the discrete-switching nature of classical energy tanks.To this end, we make use of Control Barrier Functions (CBF), and higher-order CBFs.We propose in the following an alternative formulation for the tank dynamics.Given the state ξ = [s, ṡ] T , with s ∈ R, we consider the second-order dynamics for some scalar gain k f > 0, and where Pd = −P d .The above dynamics can be easily put in the control affine form Intuitively, the system is designed such that ṡ "tracks" the nominal power flow Pd .With reference to classical energy tanks, ṡ would correspond to the power extracted (injected) from (into) the tank, while s corresponds to the tank energy.By using CBFs, we can find the optimal u, i.e., the power that keeps that the system state in the safe set, where the tank energy and power are constrained.To enforce these constraints, we define the following barrier functions B 1 represents the maximum allowable power Pmax = −P max in the system, and B 2 represents the minimum allowable energy (E min = > 0) in the tank.While B 1 ( ṡ) can be straightforwardly enforced using the standard CBF approach introduced in Section II-A, it can be easily noticed that B 2 (s) has a relative degree of 2, and, therefore, we need to use the formulation from Section II-B to enforce it.
In order to design a control action that forces the system states into the safe set where B 1 and B 2 are enforced (positive), we solve the following QP optimization problem in real-time minimize where p 1 and p 2 are positive constants that define a linear class-K-function, and where (14b), (14c) are responsible for enforcing the power and energy constraints, respectively.The expression for these constraints can be easily derived from (3) and ( 5) using m = 2. Substituting along the energy tank dynamics (11), and using the expressions for B 1 and B 2 in (13), we obtain minimize ) Once u is obtained, we compute α = − u P d and scale the control force such that F a = αF d , which will have an associated power It should be noted that, while we do not directly enforce the energy and power constraints on u, the tank dynamics (12) ensures that, for a relatively large k f , ṡ ≈ u and, in consequence, s ≈ T 0 u.Therefore, enforcing the constraints on s and ṡ indirectly enforces also the constraints on u and T 0 u, with the added advantage that the system will always remain in the safe set where the constraints are satisfied.
We also would like to point out that the smooth behavior can be attributed to i) the second-order dynamics which are continuous by design as well as ii) the nature of CBFs, which naturally scale down the control signal whenever the system is approaching the constraints resulting in a smooth behavior.

B. On Passivity 1) General Considerations:
The controller-tank subsystem would render the overall system dynamics passive, if it is passive with respect to the port ( ẋ, −F a ).Formally, using s as a positive definite storage with an initial value s 0 , the passivity condition can be formulated as Our goal is to relate this passivity criteria to some conditions we can apply during our tank design.To this end, let us integrate the dynamics ( 11) Assuming initial conditions ξ 0 = [s 0 , 0] (i.e., the system starts from rest), and recalling that u = −P a , we can further write Substituting − We know that s is lower bounded (s > ) by the CBF B 2 in (13), while ṡ can be positive or negative.Clearly, ṡ > 0 does not constitute a problem since the passivity condition will be automatically satisfied.On the other hand, for the case ṡ < 0, passivity can be lost if However, ṡ is lower bounded by the maximum power Pmax allowed in the system (CBF B 1 in (13)).Therefore, choosing k f such that guarantees that (19) always holds regardless of the sign ṡ, and, therefore, ensures (16) to be always valid.As a consequence, the passivity of the closed-loop system can be straightforwardly deduced.While (20) might at a first glance appear restrictive, we would like to point out that generally k f should be chosen high enough to ensure that ṡ accurately tracks Pd 3 , and in practice, for Fig. 1.Port-based model of a robot augmented with a CBF-tank.To ensure a stable interaction, we need to ensure the passivity of the Block II with the storage S r with respect to the port ( ẋ, F e ), which requires the passivity of Block II with the storage S c with respect to the port ( ẋ, −F a ).Note that we implicitly assume here that F c = F a .
reasonably chosen bounds and P max , the condition imposed by (20) will be satisfied.In the next section, we show how these values are chosen for different robot experiments, while in Section V, we discuss further on how such values can be extracted based on realistic human injury data.

2) Robot Cartesian Dynamics:
The pre-gravity compensated robot dynamics in cartesian space can be expressed as where x is the Cartesian position, M (x) is the symmetric positive-definite inertia matrix, C(x, ẋ) is the Coriolis and Centrifugal matrix, and where Ṁ (x) − 2C(x, ẋ) is skewsymmetric.The external forces are denoted F e , while F c indicates the control forces, which potentially consist of a nonpassive component (F d ), as well other passive components such as dissipation control actions.Please note that in this work we assume the controller has an impedance causality and that the robot provides a torque control interface.Using as storage S r = 1 2 ẋT M (x) ẋ, the robot is passive with respect to the port ( ẋ, F c + F e ).This implies that designing a controller that is passive w.r.t the port ( ẋ, −F c )4 concludes the passivity of the robot w.r.t the port ( ẋ, F e ) through which the robot interacts with the environment, and in consequence the stable interaction with arbitrary passive environments is guaranteed [1].Fig. 1 shows a port-based model illustrating the integration of our CBF-tank with a robot described by the dynamics (21).

IV. EXPERIMENTS
We validate our proposed approach in experiments on real robot hardware (Please check the attached video).In particular, we use a Kuka LWR with 7 DOF, controlled via the Fast Research Interface (FRI) library in C++, with a control frequency of 500 Hz, and where the qpOASES library5 was used for the QP optimization.In the following, we showcase the effectiveness of our approach in a series of benchmarks on control tasks which are well known to cause passivity loss in the system.For all the coming experiments, we used k f = 100 for the CBF tank dynamics, and p 1 = p 2 = 7 for the constraints in (15).

A. Force Control Task
In the first experiment, similar to works such as [19] and [30], we test our algorithm with a force control task.Specifically, the robot has to apply a constant downward force of 10 N along the z−axis, while following a desired motion horizontal motion along the y−axis.Here, we focus only on the passivity loss resulting from the force control action, such that We consider a scenario where, due to a planning error, the robot suddenly looses contact with the environment.As pointed out in [19], this can result in a large instantaneous release of energy, which makes it necessary to enforce constraints both on the tank energy and on the power flow from the tank to the robot at each time instant.To this end, we use our approach to achieve these objectives setting s 0 = 10 J, = 9.5 J and P max = 0.6 W. We compare the performance with the tank switched on (F c = αF d ) and off (F c = F d ).
Snapshots of the final robot state in Fig. 2 highlight that without activating the tank, upon loosing contact, the robot accelerates rapidly until making a collision with the table.On the other hand with the tank activated, as soon as the robot looses contact, the power constraint becomes active limiting the power P d = ẋT F d injected by the controller, and therefore slowing down the robot (Fig. 2(d)).Subsequently, the energy tank is depleted (i.e s = ) resulting in smoothly stopping the robot (Fig. 2(c)).In this scenario, higher values of will result in the robot coming to rest sooner, as the tank is depleted more quickly.

B. Variable Stiffness Control
Another classical problem commonly tackled in the energy tanks literature is variable stiffness control [9], [11], [31].Given a time-varying stiffness profile K d (t), the robot controller is designed as6 where F d is the non-passive stiffness control action to be compensated by the tank, x d is the constant equilibrium position, and D is a positive definite damping matrix.To design K d (t), we use a smoothly rising minimum jerk profile.We compare the performance of i) without activating the tank, ii) with our CBF-tank approach and iii) the approach presented in [23], which also combines CBFs with energy tanks, however does not take into account power constraints.In [23], the optimal power u is found also by minimizing 1 2 ||u − P d || 2 , however subject to the constraint u ≥ −η(E t − ), which enforces that the tank energy does not go below , and where η denotes the class-K function chosen as a constant.When the tank is on, we set s 0 = 10 J, = 5.5 J, and set P max = 4.5 W when our approach is used.The results of this experiment are shown in Fig. 3. Clearly, activating our tank allows to respect both the energy and power constraints, as compared to the case where the tank is off, and to [23], where only energy constraints are respected.The power Fig. 2. Results for the force control task.The subscript "ns" indicates the results with no scaling, while "ws" indicate the results where the CBF-tank is activated.(a) Shows a snapshot of the final robot state with the tank off, while (b) is with the tank activated.(c) Shows the tank energy, and the energy associated with the force-control action when the tank is off (E a,ns ), while (d) shows the power with and without activating the tank.Fig. 3. Results for the time varying stiffness task comparing the performance between our CBF-tank approach (legend cbf t ), the approach from [23] which relies on first order tank dynamics (cbf 1 ), and without tank (ns).s and ṡ are the states of our cbf tank approach.(a) shows the energy comparison, while (b) shows the power trajectories.(c) shows the scaling factors between cbf t and cbf 1 .
constraint becomes initially active to scale down F d and keep the system state ṡ below the power limit (Fig. 3(b)).Since ṡ follows very closely P a , having ṡ < ṡmax results also in P a < P max .Note that when [23] is used, the α starts to decrease later since no power constraints are activated.Finally, the tank energy starts to approach its lower bound ( = 5.5 J) and, as a consequence, α further decreases to scale down the control commands at t ≈ 1.6 s until the robot comes to rest (Fig. 3(a) and (c)).

C. Kinetic Energy Limitation
In this experiment, we showcase the effectiveness of our approach in a more complex task scenario, where the power constraints are time varying.In particular, the safety objective in this case is to constraint the kinetic energy of the robot to be always below a predefined upper limit.E ke,max Robot's kinetic energy has been commonly used as a safety metric in several prior works on safety based control, e.g., [32], [33].In our previous work [12], we devised a power flow limitation scheme that always ensures the robot kinetic energy is upper bounded by a known limit.Here, we show how such a scheme can be integrated in our framework to limit the maximum kinetic energy of a robot driven by the varying stiffness controller in Section IV-B.
For a robot with dynamics (21) operating in free motion (i.e., F e = 0), the kinetic energy is E ke = 1 2 ẋT M (x) ẋ, and its rate of change can be computed as which defines the power injected into the robot through the control port ( ẋ, F c ).Using F c = F d , and a first-order euler approximation, we can express (24) as where E ke,k is the robot kinetic energy at step k and Δt is the sampling time.In order to limit the kinetic energy, we need to enforce E ke,t + ΔtP d < E ke,max , which can be achieved by limiting P d .For that, we compute the maximum power demand for P d at each time step as To fulfill this constraint, we again resort to our CBF-tank formulation.In Fig. 4, we compare the performance with and without activating the tank, where the goal is always to limit the robot's kinetic energy below 0.5 J.As highlighted in Fig. 4(a), even though the maximum power demand P max is actually time varying, activating the tank ensures the kinetic energy remains below the desired limit, at the expense of temporarily scaling down the time-varying stiffness control action (Fig. 4(c)).As it can be noted however in the zoomed-in part of Fig. 4(b), the power constraint is violated at few time instants, which is to be expected since our CBF does not deal with time-varying barrier functions.This requires alternative CBF formulations that are able to explicitly handle time-varying constraints, as done in [34], where the CBF constraint accounts for the rate of change of the barrier function with respect to time.Future works will consider such an improvement, in order to increase the flexibility of CBF-tanks.
Authorized licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply.

D. Comparison With Classical Energy Tanks
In this experiment, we aim to better highlight the working principle and performance of our approach, by comparing it with classical energy tanks.Specifically, we continue with our variable stiffness control example and consider a scenario where the tank is depleted before the task is completed.We set s 0 = E 0 = 10 J and = 6.5 J, while P max is set to an arbitrary high value such that the power constraint is always fulfilled.We compare the performance of our CBF-tanks to the classical energy tanks in (8) and (9).
The results of this experiment are shown in Fig. 5.It can be easily noticed that the tank energy s obtained with CBF-tank follows closely the tank energy than the E t obtained with the classical formulation.The main difference in performance, however, occurs when the tank energy is close to reaching its lower bound .Due to the discrete formulation, the scaling α in the classical approach switches abruptly from 1 to 0, compared to a rather smooth transition in our proposed formulation (Fig. 5(c)).This gets reflected in terms of the power, as the peak power for the classical energy tank approach is approximately twice as higher the peak power in CBF tanks (Fig. 5(b)).

V. DISCUSSION AND CONCLUSION
Ensuring passivity is an important requirement for robots that operate in dynamic environments and close to humans.Unfortunately, the realization of numerous control objectives, such as force control actions and variable stiffness behaviors, can lead to passivity loss in the system.Clearly, simply disabling these control actions does not represent a practical solution, as it conflicts with the task fulfilment.To solve this problem, energy tanks provide a simple and intuitive framework to monitor the energy these control actions inject in the system, making sure that the energy is always bounded, and, as a consequence, ensuring passivity of the system.
Unfortunately, energy tanks have some limitations.In particular, the discrete switching implementation of the dynamics, as well the risk of extracting a high amount of power from the tank.In this work, we formulated a new expression for the energy tank using continuous second order dynamics.We are also able to simultaneously fulfill energy and power constraints, by leveraging CBFs and HOCBFs.As experimentally shown in Section IV-D, when the constraints are not active, our tank dynamics formulation essentially results in nearly identical performance to classical energy tanks in terms of energy and power evolution.We consider this a powerful feature of the proposed framework, as we are able to retain the intuitive and easy to interpret behavior of classical energy tanks.
The goal of our approach is to realize an energy tank framework that is capable of ensuring the system passivity (i.e., putting an upper bound of the passivity-violating energy), and additionally constraining the power injected in the system.This objective is similar to [20].However, the major difference is that the approach in [20] relies on the classical discrete energy tank formulation, and, therefore, inherits its potential drawbacks.In principle, it is possible to also avoid the discrete switching by incorporating a smooth transition function between the conditions of (8).Such an enhancement, however, was only considered in few works [21], [22], and, as shown therein, this requires relatively complex, two-dimensional switching functions that take into account both the tank energy as well as extracted power, and with a large number of tuning parameters.While our approach still requires some tuning (the p 1 and p 2 defining the class-K functions in (15)), these parameters have a clear and Authorized licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply.
intuitive meaning.Namely, they influence the degree of conservatism in the system, where larger values render the system less conservative, at the expense of sharper rates of change in the scaling factor α.
In this work, similar to several related works, we assume that safety-related parameters like the initial tank energy (E 0 ), the minimum allowable energy in the tank ( ), and the power limit (P max ), are provided beforehand by the user, or, as shown in Section IV-C regarding P max , are extracted from other safety objectives (robot kinetic energy), which was also assumed to be known a priori.However, it is possible to relate these parameters to concrete and well-defined safety metrics.For instance, one can extract these parameters from realistic human injury data using the safe motion unit [35] or the safety map framework [36].Alternatively, several works [37], [38] extract energy and power limits to conform with ISO/TS certifications, that specify these parameters taking into account aspects such as the type of application and potential collision location with the human body.Recent work [33] proposed an energy tank that limits the robot kinetic energy in order to satisfy the ISO constraints.Differently however than this work, their approach does not permit to apply generic power limits on the control actions.In the future, we will focus on combining our approach with a higher-level supervisor, in order to parameterize our tank depending on the safety objective considered.

Fig. 4 .
Fig. 4. Results for the kinetic energy limitation experiment comparing the perfomance with and without the activation of the CBF-tank.(a) shows the kinetic energy, while (b) shows the powers.Finally, (c) shows the scaling factor α.

Fig. 5 .
Fig. 5. Results for the time varying stiffness task obtained using classical energy tanks and CBF-tank.(a) shows the tank energy comparisons.(b) shows the powers and (c) shows the scaling factors for CBF and classical tanks.

TABLE I THE
MAIN FEATURES OF RELEVANT LITERATURE IN ENERGY TANKS AND THE ADOPTED APPROACH