Safety Guardrails in the Sky: Realizing Control Barrier Functions on the VISTA F-16 Jet
The advancement of autonomous systems -- from legged robots to self-driving vehicles and aircraft -- necessitates executing increasingly high-performance and dynamic motions without ever putting the system or its environment in harm's way. In this pa…
Authors: Andrew W. Singletary, Max H. Cohen, Tamas G. Molnar
Safety Guardrails in the Sky
REALIZING CONTROL BARRIER FUNCTIONS ON THE VISTA F-16 JET
Andrew W. Singletary, Max H. Cohen, Tamas G. Molnar, and Aaron D. Ames

The deployment of autonomous systems requires the satisfaction of strict safety specifications that ensure these systems do not harm themselves or their environments. These safety specifications may encompass a variety of constraints for different systems, including limits on the configurations, velocities, and torques of robotic systems, collision avoidance constraints for ground vehicles, or flight envelope bounds for aircraft, to name a few examples. To achieve end-to-end safety, functional safety systems have been utilized and demonstrated success, allowing autonomous behavior under normal (safe) operating conditions but intervening when a safety limit is tripped. During intervention, these systems often use a fail-safe mechanism by switching over to a backup safety maneuver that controls the system in a safe, but potentially conservative way, often sacrificing the completion of tasks and the fulfillment of performance objectives in the interest of safety.

As autonomous systems become more sophisticated, there is an increasing need for executing highly dynamic high-performance maneuvers on the edge of the system’s safe operating domain. Examples include high-speed collision-free driving on autonomous vehicles, dexterous locomotion and manipulation on robotic systems, or highly dynamic maneuvers on unmanned aerial vehicles. With these requirements, conservative safety trips that prevent the achievement of performance objectives may no longer be satisfactory as they may be overly restrictive and prevent autonomous systems from achieving their goals. This creates a need for more dynamic notions of safety and for runtime assurance modules that allow the system to operate on the edge of its safety envelope but not beyond.
Importantly, such dynamic safety modules should come with formal certificates of safe behavior while remaining minimally invasive, allowing nominal autonomous operations to continue when they are safe and gradually taking control authority when approaching the safety limit.

In this paper, we introduce Guardrails — a novel framework for runtime assurance and safety filtering for highly dynamic autonomous and semi-autonomous systems. This is achieved through a unique control strategy that blends nominal commands, potentially coming from a human operator or AI agent, with safe control actions in a smooth, non-disruptive fashion, with formal guarantees of safe behavior backed by the theory of control barrier functions (CBFs). While Guardrails applies to general autonomous systems, such as humanoids and quadrotors, our emphasis in this paper is on the application of Guardrails to safe flight control, an arguably more safety-critical setting than those found in traditional robotics applications. Here, we illustrate how integrating Guardrails into an existing flight control system on a fixed-wing aircraft enables pilots to operate safely, even on the edge of the flight envelope. We demonstrate how Guardrails’ blended controllers supervise both human pilots and AI-based flight controllers to maintain a variety of safety constraints, including g-limits, altitude ceiling and floor limits, geofence constraints, and the combination thereof. Importantly, Guardrails modifies pilot authority only when approaching a constraint limit and has no impact on flight characteristics otherwise, making it a minimally invasive safety system. As an add-on safety module, Guardrails enables the safe deployment of advanced autonomy on fly-by-wire vehicles.
1066-033X/20©2020IEEE 2026 « IEEE CONTROL SYSTEMS 1

In collaboration with the US Air Force Test Pilot School, we implemented and experimentally tested Guardrails on the Variable In-Flight Simulation Test Aircraft (VISTA), a modified F-16 fighter jet. A total of fourteen real-life test scenarios were executed during five flights at the Edwards Air Force Base, where Guardrails was used to supervise a human pilot aboard the VISTA and ensure the satisfaction of various operational constraints. To the best of our knowledge, this marks the first implementation of a CBF-based control strategy on a full-scale fixed-wing aircraft. In all tests, Guardrails ensured the satisfaction of the prescribed safety constraints, even in the presence of adversarial pilot inputs that were deliberately intended to violate these constraints.

In what follows, we frame Guardrails in the context of the broader literature, cover the technical background of our approach, the results of our flight tests, and discuss the capabilities and limitations of Guardrails. Finally, we discuss potential future directions to extend Guardrails towards a comprehensive runtime assurance system that guards safety in the sky — protecting both the pilots and passengers, the aircraft, and their environment. We also highlight Guardrails’ broader implications for safe autonomous systems.

Summary

The advancement of autonomous systems — from legged robots to self-driving vehicles and aircraft — necessitates executing increasingly high-performance and dynamic motions without ever putting the system or its environment in harm’s way. In this paper, we introduce Guardrails — a novel runtime assurance mechanism that guarantees dynamic safety for autonomous systems, allowing them to safely evolve on the edge of their operational domains.
Rooted in the theory of control barrier functions, Guardrails offers a control strategy that carefully blends commands from a human or AI operator with safe control actions to guarantee safe behavior. To demonstrate its capabilities, we implemented Guardrails on an F-16 fighter jet and conducted flight tests where Guardrails supervised a human pilot to enforce g-limits, altitude bounds, geofence constraints, and combinations thereof. Throughout extensive flight testing, Guardrails successfully ensured safety, keeping the pilot in control when safe to do so and minimally modifying unsafe pilot inputs otherwise.

Related Works

We now provide a brief overview of the literature on collision avoidance systems for aircraft and safety-critical control in a broader context, and we position our work relative to the state of the art.

Collision Avoidance and Run-Time Assurance for Aircraft

Existing flight control systems offer various collision avoidance features that monitor safety and intervene when necessary [1]. Automatic ground collision avoidance systems (GCAS) prevent controlled flight into terrain accidents where the aircraft crashes into the ground [2]–[7]. Being the leading cause of F-16 fatalities, it is especially important for military jets to prevent ground collisions, because maneuvers with large g-forces may cause pilots to lose consciousness or become disoriented. GCAS monitors the terrain and the aircraft trajectory, and when a collision is predicted, it commands a maneuver that rolls the aircraft to wing level and pulls it up. In a similar fashion, automatic airborne collision avoidance systems (ACAS) serve to prevent air-to-air collisions between two aircraft [8]–[10]. ACAS supplements air traffic control and operates without the use of ground-based equipment.
This system monitors the airspace around an aircraft and when other aircraft are detected with the risk of mid-air collision, ACAS warns the pilot and recommends a maneuver to mitigate the risk. ACAS systems have been studied extensively in the context of verification [11]–[14], optimization [15], implementation on unmanned aircraft [16]–[18], security [19], and advancements through artificial intelligence [20]. The most common implementation of ACAS, called the automatic traffic collision avoidance system (TCAS) [21]–[29], is utilized on commercial aircraft. Finally, ACAS and GCAS may be fused into automatic integrated collision avoidance systems (ICAS), preventing both ground and airborne collisions. More recently, such ideas have been extended to encompass ground and airborne collisions with multiple aircraft as well as fixed obstacles in the environment that may represent, e.g., no-fly zones or bad-weather areas [30].

Many of these collision avoidance systems act as a supervisor that lets the pilot operate without interruption in safe situations and intervenes when safety is in danger of violation. This operational principle, often referred to as runtime assurance (RTA) [31]–[33], is able to supervise not only human pilots but also complex flight controllers for which safety is difficult to verify. This is crucial for facilitating safe autonomy, especially with the increasing presence of artificial intelligence in flight systems [34]. RTA has shown success in achieving safety, for example, in unmanned aircraft navigation along corridors [35], aerial refueling tasks [36], and neural network-based aircraft taxiing [37].

Some existing RTA mechanisms are disruptive in nature, taking the authority away from the pilot or the nominal flight controller in dangerous situations and fully switching over to predefined safe backup maneuvers.
Rather than using disruptive switching RTA, recently the attention has shifted towards optimization-based RTA [33] — continuously active control systems that take into account what the human operator or the primary flight controller commands and optimize for the closest safe action to minimize the intervention. In a similar fashion, Guardrails also offers a strategy to blend primary commands with safe actions, but in a less computationally intensive optimization-free manner while preserving partial control authority for the human or AI operator.

Safety-Critical Control

Motivated by the increasing levels of autonomy of modern engineering systems, the past decade has witnessed a surge of research in the area of safety-critical control in which safety — a system-theoretic property formalized through the framework of set invariance [38] — is a top design priority. Such control designs are often carried out using a class of controllers that have become known as safety filters. These controllers supervise a nominal (typically performance-based) controller and adjust its actions so that the resulting closed-loop system is safe [39], [40]. In recent years, safety filters have been constructed using various control methodologies including control barrier functions (CBFs) [41]–[43], model predictive control [44], [45], Hamilton-Jacobi reachability [46]–[48], and reference governors [49]. Each of these approaches comes with their advantages and disadvantages, with more details outlined in comprehensive surveys such as [39], [40].

As noted earlier, our Guardrails framework is based on the theory of CBFs, but operates in a somewhat untraditional manner compared to most CBF approaches. In general, CBF-based safety filters are instantiated as convex optimization problems, typically a quadratic program, that can be solved efficiently at any state to produce a safe control input [41]–[43].
Our Guardrails framework differs from these traditional CBF approaches in two ways: i) the computation of the CBF itself and ii) the structure of the safety filter. To compute the CBF, we leverage the framework of backup CBFs [50]. At its core, this method takes in a known small control invariant set, which can be constructed offline, that is expanded to a larger control invariant set online via rollouts of the system trajectory under a pre-specified “backup” control policy. The end result is an implicit CBF that ensures compatibility with hard input bounds, a property that is challenging to ensure using traditional CBF approaches. One of the main limitations of this approach is the need to compute the gradient of the resulting implicit CBF, which requires computing the sensitivity of the system’s flow under the backup policy and scales poorly to higher dimensional systems, such as the aircraft models used in our results. Guardrails resolves this issue by using a blended safety filter that does not require gradients of the CBF, which facilitates scalability to higher dimensional systems. The efficacy of these blended safety filters has been previously illustrated through their application to high-speed geofencing with quadrotors [51]–[53]. Here, we extend this methodology to a more complex and safety-critical setting by deploying Guardrails on a fixed-wing aircraft.

Outside of Guardrails, CBFs have shown success in ensuring safety on fixed-wing aircraft in the context of probabilistic safety certificates [54], learning-based [55] and data-driven CBFs [56], and multi-aircraft control [57]. Furthermore, high-order CBFs [58], barrier Lyapunov functions [59], and robust CBFs [60] have also been used for trajectory tracking on fixed-wing aircraft. Finally, our prior work has established simultaneous collision avoidance and geofencing on fixed-wing aircraft using an optimization-based RTA system with CBFs [61].
These works, however, are restricted to theoretical and simulation studies, and the literature has not yet reported hardware implementations of CBF-based aircraft RTA systems.

Overview of Guardrails

Before presenting the technical details of our method and our experimental results, we first provide a high-level overview of our Guardrails framework. Guardrails is a module that integrates into a system’s existing autonomy stack, such as the VISTA as outlined in Fig. 1, to ensure the safety of the resulting system. Guardrails acts as a safety filter by adjusting nominal commands sent to the autonomy stack, such as those produced by a pilot, so that the eventual actions taken by the system are deemed to be safe. As Guardrails is based on the theory of CBFs, safety here is synonymous with set invariance: Guardrails computes control inputs that ensure that the trajectory of the system remains within a desirable region of the system’s operating domain. To compute such inputs, Guardrails requires: i) a dynamical model of the system with state $x \in X$ and input $u \in U$; ii) a safety requirement, mathematically encoded by the nonnegativity of a scalar safety function $h : X \to \mathbb{R}$; and iii) a backup maneuver $k_b : X \to U$ that brings the system to a nominal operating condition from a small set of initial conditions (e.g., returning to level flight).

Guardrails leverages these components to compute a safe operating region — the set of all states where the system can safely return to a nominal operating condition without ever violating safety requirements — and monitors the system’s proximity to the boundary of this safe operating region.
Based on this, Guardrails smoothly blends desired actions from a performance controller or a human operator with the actions from the backup maneuver via a scalar parameter $\lambda$ taking values between 0 and 1, with $\lambda = 0$ allowing desired actions to freely pass through the autonomy stack, $\lambda = 1$ overriding these desired actions in favor of those corresponding to the prespecified backup maneuver, and $\lambda \in (0, 1)$ carefully blending these two actions to ensure safety of the overall system.

FIGURE 1 Overview of Guardrails — a runtime assurance system that supervises artificial intelligence or human pilots in real time for safe highly dynamic maneuvers. Guardrails was implemented on the X-62 Variable-stability In-flight Simulator Test Aircraft (VISTA) shown at the bottom, and evaluated during flight tests with the Edwards Air Force Base Test Pilot School.

TECHNICAL OVERVIEW

In this section, we provide a more in-depth technical overview of the tools used within our Guardrails framework for ensuring dynamic safety of autonomous systems.

Safety-Critical Control

Our Guardrails framework is based on the control-theoretic notion of set invariance [38], which, in recent years, has proven to be a powerful proxy for safety of autonomous systems [43]. In this setting, an autonomous system of interest is modeled as a nonlinear control system:

$$\dot{x} = f(x) + g(x) u, \tag{1}$$

where $x \in X \subset \mathbb{R}^n$ is the system state with state space $X \subset \mathbb{R}^n$ and $u \in U \subset \mathbb{R}^m$ is the control input with admissible control space $U \subset \mathbb{R}^m$.
Here, $f : X \to \mathbb{R}^n$ and $g : X \to \mathbb{R}^{n \times m}$ are locally Lipschitz functions characterizing the system dynamics: $f$ captures the drift dynamics of the system and columns of $g$ model the control directions.

Safety of such control systems is often centered on the notion of set invariance. To introduce these ideas, let $k : X \to U$ be a locally Lipschitz feedback controller. By taking $u = k(x)$ in (1), this produces the closed-loop system:

$$\dot{x} = f(x) + g(x) k(x). \tag{2}$$

Since both the dynamics and controller are locally Lipschitz, the closed-loop system is as well, and thus admits a unique continuously differentiable solution defined on a maximal interval of existence for each initial condition $x_0 \in X$. We will denote by $\varphi(t, x_0)$ the flow associated with the closed-loop system in (2), that is, the state reached at time $t$ when starting from state $x_0$. The following definitions formalize the concept of safety for autonomous systems via set invariance.

Definition 1
A set $S \subset X$ is said to be forward invariant for the closed-loop system in (2) if for each $x_0 \in S$ we have $\varphi(t, x_0) \in S$ for all $t \ge 0$. If $S$ is forward invariant, the closed-loop system is said to be safe on $S$.

Definition 2
A set $S \subset X$ is said to be control invariant for the control system in (1) if there exists a locally Lipschitz feedback controller $k : X \to U$ such that $S$ is forward invariant for the resulting closed-loop system in (2).

Note that Def. 1 applies to closed-loop systems — those equipped with feedback controllers — whereas Def. 2 is tailored to control systems where the input is yet to be specified as in (1), and characterizes the existence of controllers that ensure the safety of the corresponding closed-loop system. In the following subsection, we illustrate how these fundamental concepts may be used to systematically design controllers enforcing safety of autonomous systems.
Implicit Control Invariant Sets

Perhaps the most fundamental challenge in safety-critical control is constructing control invariant sets. When the admissible control space $U$ is unbounded, i.e., when $U = \mathbb{R}^m$, there exist systematic approaches to construct these control invariant sets [62]–[64]. When this control space is bounded, $U \subset \mathbb{R}^m$, however, constructing control invariant sets becomes quite difficult. In general, these sets are characterized as the zero superlevel set of the value function satisfying a particular Hamilton-Jacobi-Bellman equation [46]. While strides have been made to solve these partial differential equations more efficiently, one is ultimately limited by the “curse of dimensionality,” which, in practice, precludes one from applying these techniques to high-dimensional systems.

In this section, we present a technique that overcomes these limitations through the notion of an implicit control invariant set, defined using the flow of the system. To this end, let:

$$C = \{ x \in X : h(x) \ge 0 \}, \tag{3}$$

denote a state constraint set that characterizes operational limits on the autonomous system, where $h : X \to \mathbb{R}$ is a locally Lipschitz function. This set could, for example, describe hard limits on various components of the system state (e.g., altitude limits) or admissible regions of the state space in which the system must operate (e.g., within the boundaries of a geofence). While it may seem restrictive to encode a collection of complex constraints into the superlevel set of a single function, this function, unlike traditional CBF approaches, need only be Lipschitz continuous; it can thus be taken as, e.g., the signed distance to a set of failure states or as the Boolean combination of multiple constraint functions.

Although it is desired to keep the system within $C$, it may be the case that $C$ is not control invariant – it may be impossible to find a controller that ensures invariance of this set.
In this situation, we assume the existence of a smaller control invariant set, termed the backup safe set:

$$C_b = \{ x \in X : h_b(x) \ge 0 \} \subset C, \tag{4}$$

where $h_b : X \to \mathbb{R}$ is a locally Lipschitz function. In particular, this set is assumed to be forward invariant for the closed-loop system:

$$\dot{x} = f(x) + g(x) k_b(x), \tag{5}$$

under the influence of a locally Lipschitz backup controller $k_b : X \to U$. This backup controller represents a fail-safe maneuver that brings the system into a safe operating condition. With this backup controller in hand, we define the implicit safe set:

$$S = \{ x \in X : h_I(x) \ge 0 \}, \tag{6}$$

$$h_I(x) = \min \Big\{ h_b\big(\varphi_b(T, x)\big),\ \min_{\theta \in [0, T]} h\big(\varphi_b(\theta, x)\big) \Big\}, \tag{7}$$

where $\varphi_b(\theta, x)$ is the flow of the closed-loop system in (5) under the backup controller, starting from state $x$ over time $\theta \in [0, T]$, and $T > 0$ is the backup horizon. The intuition behind the above definition is as follows: if $x \in S$, then, by taking $u = k_b(x)$, the trajectory of the closed-loop system remains within $C$ for $T$ units of time and enters $C_b \subset C$ in, at most, $T$ units of time. Since $C_b$ is forward invariant under $k_b$ and $C_b \subset S$, the system may remain in $C_b \subset S$ for all time thereafter, implying that $S$ is also forward invariant. The following theorem formally characterizes the properties of $S$ and $h_I$.

Theorem 1 (backup set method [50])
Consider the control system in (1), a state constraint set $C$ as in (3), and a backup safe set $C_b \subset C$ as in (4), assumed to be forward invariant for the closed-loop system in (5) under a locally Lipschitz backup controller $k_b : X \to U$. Provided that $h : X \to \mathbb{R}$ and $h_b : X \to \mathbb{R}$ are locally Lipschitz continuous, then:
1) $h_I : X \to \mathbb{R}$ as in (7) is locally Lipschitz continuous;
2) $S \subset C$ as in (6) is control invariant;
3) $S \subset C$ as in (6) is forward invariant for the closed-loop system under the backup controller.
Blended Safety Filters

In the previous subsection, we presented a framework for generating implicit control invariant sets. We now turn our attention to the construction of controllers that allow for maximal operational freedom while still ensuring safety, broadly characterized as safety filters. Here, we leverage a blended safety filter from [52] that continuously blends a desired controller $k_d : X \times \mathbb{R} \to U$ (which may represent a human or AI operator) and a backup controller $k_b : X \to U$ based on the value of $h_I(x)$ as:

$$k(x, t) = \big(1 - \lambda(h_I(x))\big) k_d(x, t) + \lambda(h_I(x)) k_b(x), \tag{8}$$

where $\lambda : \mathbb{R} \to [0, 1]$ is any locally Lipschitz function satisfying $\lambda(0) = 1$ and $\lambda(r) \approx 0$ when $r \gg 0$. We refer to any such $\lambda$ satisfying these properties as a blending function. In our results, we choose:

$$\lambda(h) = e^{-\beta \max\{0, h\}}, \tag{9}$$

with parameter $\beta > 0$, which satisfies the required properties of a blending function. The rationale behind the choice of the controller in (8) is that as $h_I(x) \to 0$, we have $k(x, t) \to k_b(x)$, a particular choice of input that ensures forward invariance of $S$, whereas when $h_I(x) \gg 0$ we have $k(x, t) \to k_d(x, t)$. This means that the backup controller is used when the system is at the boundary of the safe set while the desired controller is used far inside the safe set. The following theorem outlines the main properties of the safety filter in (8).

Theorem 2 (blended safety filter [52])
Let the conditions of Theorem 1 hold and suppose that $k_d : X \times \mathbb{R} \to U$ is locally Lipschitz in its first argument and piecewise continuous in its second argument. Then, $k : X \times \mathbb{R} \to U$ as defined in (8) is locally Lipschitz in its first argument, piecewise continuous in its second argument, and enforces the forward invariance of $S$.
When implementing Guardrails on the VISTA, we leverage the controller in (8), where the desired controller $k_d$ is a human pilot while the backup controller $k_b$, the safety functions $h$, $h_b$, and the underlying dynamical model are outlined shortly. The blending strategy in (8) allowed us to smoothly transition from pilot inputs to backup commands when approaching the boundary of the safe operation domain, operate on the edge of this domain for significant durations of time, and return control authority to the pilot whenever its actions were deemed safe based on the safety function $h_I$ in (7). Preliminary results on applying Guardrails to quadrotors [65], [66], rather than fixed-wing aircraft, are highlighted in “Guardrails for High-Speed Geofencing on Quadrotors.”

INVARIANT SETS FOR FIXED-WING AIRCRAFT

In this section we outline how the preceding technical developments may be applied to construct control invariant sets on fixed-wing aircraft. We first introduce the dynamic model used in our flight tests, describe the safety constraints considered, and finally discuss the various backup maneuvers used during testing.

Dynamical Model

To describe the aircraft’s motion, we use a simplified dynamical model from [68], given by (57)-(64) on page 57 of this reference. This model was derived from the body-frame six-degree-of-freedom equations of motion in [69] with the following simplifying assumptions.
» The aircraft is modeled as a point mass.
» The angle of attack and the angle of side slip are assumed to be zero.
» The roll mode (i.e., the roll control system of the aircraft) is modeled as a first-order system.
» Similarly, the load factor dynamics are also modeled as a first-order system.
» Gravity and load factor are the only accelerations on the aircraft.
The model describes the evolution of the Euler angles $\phi$, $\theta$, $\psi$ (i.e., the roll, pitch, and yaw angles, respectively); the north and east position coordinates $p_N$ and $p_E$, and the altitude $H$; the roll rate $P$ (more precisely, the angular velocity about the forward axis of the aircraft); the load factor $N_z$; and the true airspeed $V_T$. By omitting the equation of the airspeed (because it is not being controlled by the Guardrails system in the experiments), and by neglecting wind disturbances, the dynamical equations are summarized as:

$$
\begin{aligned}
\dot{\phi} &= P + \frac{N_z g}{V_T} \sin\phi \tan\theta, \\
\dot{\theta} &= \frac{g}{V_T} \big( N_z \cos\phi - \cos\theta \big), \\
\dot{\psi} &= \frac{N_z g \sin\phi}{V_T \cos\theta}, \\
\dot{p}_N &= V_T \cos\theta \cos\psi, \\
\dot{p}_E &= V_T \cos\theta \sin\psi, \\
\dot{H} &= V_T \sin\theta, \\
\dot{P} &= \frac{1}{\tau_P} (u_P - P), \\
\dot{N}_z &= \frac{1}{\tau_z} (u_z - N_z).
\end{aligned} \tag{15}
$$

Here, $g$ is the gravitational acceleration; $u_P$ is the commanded roll rate and $\tau_P$ is the roll-mode time constant; $u_z$ is the commanded load factor and $\tau_z$ is the time constant of the load factor dynamics. In this model, we refer to:

$$x = (\phi, \theta, \psi, p_N, p_E, H, P, N_z) \in \mathbb{R}^8 \tag{16}$$

as the state of the system, whereas:

$$u = (u_P, u_z) \in \mathbb{R}^2 \tag{17}$$

is the control input.

For the case of wing-level flight (with $\phi = 0$), the following simplified version of the model can be used to describe the altitude and pitch dynamics only:

$$
\begin{aligned}
\dot{H} &= V_T \sin\theta, \\
\dot{\theta} &= \frac{g}{V_T} (N_z - \cos\theta), \\
\dot{N}_z &= \frac{1}{\tau_z} (u_z - N_z),
\end{aligned} \tag{18}
$$

with state $x = (H, \theta, N_z) \in \mathbb{R}^3$ and input $u = u_z \in \mathbb{R}$.

Safety Constraints

The safety of the aircraft depends on its state $x$ as characterized by the constraint set $C$ as in (3) whereby the aircraft satisfies the constraints at a state $x$ if:

$$h(x) \ge 0, \tag{19}$$

where $h : \mathbb{R}^n \to \mathbb{R}$ is a scalar-valued locally Lipschitz function. During flight tests we consider three classes of constraints: i) those imposed on load factors (i.e., the $g$-force experienced by the pilot), ii) those imposed on the altitude, iii) those imposed on the overall position of the aircraft.

Load Factor Constraints.
When enforcing load factor limits, the safety function becomes:

$$h_1(x) = N_z - N_{z,\min}, \tag{20}$$

and:

$$h_2(x) = N_{z,\max} - N_z, \tag{21}$$

where $N_{z,\min}$ and $N_{z,\max}$ denote the minimum and maximum load factors, respectively. Note that since the first order system $\dot{N}_z = (u_z - N_z)/\tau_z$ in (15) does not exhibit overshoots, enforcing $N_{z,\min} \le u_z \le N_{z,\max}$ leads to the satisfaction of $N_{z,\min} \le N_z \le N_{z,\max}$. Therefore, simply clamping the input between $N_{z,\min}$ and $N_{z,\max}$ guarantees safety ($h_1(x) \ge 0$ and $h_2(x) \ge 0$) w.r.t. load factor limits.

Guardrails for High-Speed Geofencing on Quadrotors

Preliminary steps toward applying our Guardrails framework on fixed-wing aircraft involved the application of Guardrails to high-speed geofencing with quadrotors [65], [66]. Here, we model the quadrotor using a 13-dimensional state:

$$x = (p, q, v, \omega), \tag{S1}$$

where $p \in \mathbb{R}^3$ is the Cartesian position, $q \in \mathbb{S}^3$ is a unit quaternion describing the orientation, $v \in \mathbb{R}^3$ is the velocity, and $\omega \in \mathbb{R}^3$ is the angular velocity. The dynamics of the quadrotor are modeled as a control affine system (1) with:

$$
\underbrace{\frac{d}{dt} \begin{bmatrix} p \\ q \\ v \\ \omega \end{bmatrix}}_{\dot{x}}
= \underbrace{\begin{bmatrix} v \\ \tfrac{1}{2} q \otimes \omega_q \\ -g e_z \\ -J^{-1} \omega \times J \omega \end{bmatrix}}_{f(x)}
+ \underbrace{\begin{bmatrix} 0_{3 \times 1} & 0_{3 \times 3} \\ 0_{4 \times 1} & 0_{4 \times 3} \\ \tfrac{1}{m} R(q) e_z & 0_{3 \times 3} \\ 0_{3 \times 1} & J^{-1} \end{bmatrix}}_{g(x)}
\underbrace{\begin{bmatrix} \tau \\ M \end{bmatrix}}_{u}, \tag{S2}
$$

where the input $u = (\tau, M) \in \mathbb{R}^4$ consists of the thrust $\tau \in \mathbb{R}$ and moment $M \in \mathbb{R}^3$ generated by the propellers, $\omega_q = (0, \omega)$ is the pure quaternion representation of the angular velocity, $g$ is the acceleration due to gravity, $e_z = (0, 0, 1)$ is the unit vector in the $z$ direction, $J \in \mathbb{R}^{3 \times 3}$ is the inertia matrix represented in the body frame, $m$ is the mass of the quadrotor, and $R(q) \in SO(3)$ is the rotation matrix associated with $q$.

The main control objective is to keep the quadrotor’s position within a box in 3D space (cf. Fig. S1), characterized by the safety constraint:

$$
\begin{aligned}
h(x) &= \min \{ h_x(x), h_y(x), h_z(x) \}, \\
h_x(x) &= r_x^2 - (p_x - x_c)^2, \\
h_y(x) &= r_y^2 - (p_y - y_c)^2, \\
h_z(x) &= r_z^2 - (p_z - z_c)^2,
\end{aligned} \tag{S3}
$$

where $p = (p_x, p_y, p_z)$, which defines a box with side lengths $(r_x, r_y, r_z)$ centered at $(x_c, y_c, z_c)$. To generate an implicit control invariant set, we leverage a geometric tracking controller, similar to that in [67], as a backup controller that tracks reference velocity commands. Given a reference velocity command $v_r = (v_{x,r}, v_{y,r}, v_{z,r})$, the backup controller $k_b$ ensures that $v \to v_r$ where:

$$
v_{i,r} = \begin{cases} 0 & h_i(x) \ge \delta_i, \\ -(\delta_i - h_i(x)) & h_i(x) < \delta_i, \end{cases} \tag{S4}
$$

for $i \in \{x, y, z\}$. This backup maneuver attempts to bring the quadrotor to a zero velocity state at a position some positive distance from the boundary of the geofence. The backup set $C_b$ associated with this backup controller is governed by:

$$h_b(x) = \min \{ \epsilon - \| v \|, h(x) \} \tag{S5}$$

for some $\epsilon > 0$, describing states within the box with small velocity. This backup set is then used to generate an implicit control invariant set as in (6), which was used to construct a blended safety filter as in (8), where the desired controller $k_d(x, t)$ represents commands from a human pilot.

FIGURE S1 3D geofence from the application of Guardrails to a quadrotor. Figure adapted from [65].

The resulting safety filter was deployed in high-speed outdoor flight tests with the objective of avoiding flying through geofences. A snapshot of these flight tests is highlighted in Fig. S2, where the quadrotor is able to safely stop from a speed of over 100 km/h without crossing a vertical geofence.

FIGURE S2 The implicit safe set and resulting blended safety filter ensures that a quadrotor does not cross a vertical geofence despite moving at high speeds. Figure adapted from [65].

Altitude Constraints.
When imposing a flight floor at height $H_{\min}$ the safety function is defined as:

$$h_3(x) = H - H_{\min}. \tag{22}$$

Similarly, for a flight ceiling at height $H_{\max}$ the safety function is given by:

$$h_4(x) = H_{\max} - H. \tag{23}$$

Geofencing Constraints. In case of geofencing, safety is captured by:

$$h_5(x) = n_g \cdot (p - p_g), \tag{24}$$

where $p = (p_N, p_E)$ is the position of the aircraft, $p_g$ is the position of the geofence, and $n_g$ is the normal vector of the geofence. Here, $h$ represents the distance of the aircraft from the geofence, which was then converted into a time-to-collision measure based on the velocity to design safe controllers.

Combining Constraints. In general, the aircraft may be subject to a collection of safety constraints, each described by a safety function $h_i$ as above and indexed by $i \in \{1, \ldots, N\}$, where $N$ is the number of constraints. This collection of constraints may be combined into a single constraint by taking the minimum among all constraints:

$$h(x) = \min_i h_i(x). \tag{25}$$

While CBF approaches typically require $h$ to be continuously differentiable, in the Guardrails framework we only require Lipschitz continuity, which is preserved when taking the minimum.

Backup Maneuvers

The safety constraints define a collection of states $C$ as in (3) that are deemed to be within prescribed state limits. Yet, as noted earlier, this constraint set may not be control invariant – it may be impossible to keep the system in this set for all time. In our application to fixed-wing aircraft, we address this using implicit control invariant sets, wherein a backup safety maneuver is used to efficiently compute control invariant sets contained within these state limits. In what follows, we outline backup strategies used to compute these invariant sets for the aircraft model in (15). The backup strategy, represented as $k_b$ in (5), is a coordinated 180-degree turn at a constant altitude.
This maneuver allows the satisfaction of geofence constraints by turning away from directions crossing the geofence boundary, while also satisfying altitude limits (floor and ceiling) by keeping the altitude constant. As mentioned earlier, the load factor limits are enforced by clamping the load factor command.

The coordinated turn is designed to be a steady-state motion where the aircraft’s roll angle is a constant that determines the turning radius as well as the corresponding normal load command needed to maintain the altitude. The direction of the turn (left or right) is chosen based on which direction results in a shorter turn. The aircraft is assumed to be upright ($|\phi| < 90$ degrees). The steady-state motion is given by $\phi(t) \equiv \phi^*$, $\theta(t) \equiv 0$, and $H(t) \equiv H^*$ with a constant roll angle $\phi^*$, zero pitch angle, and a constant altitude $H^*$. Based on the model in (15), this leads to:

$$\begin{aligned} \dot{\phi} = 0, \quad \dot{\theta} = 0, \quad &\implies \quad P(t) \equiv 0, \quad N_z(t) \equiv N_z^* = \frac{1}{\cos \phi^*}, \\ &\implies \quad \dot{\psi} = \frac{g}{V_T} \tan \phi^*. \end{aligned} \tag{26}$$

By choosing the steady-state roll angle $\phi^*$, one obtains the corresponding normal load factor $N_z^*$ and the turning radius $R = V_T / \dot{\psi} = V_T^2 / (g \tan \phi^*)$.

The backup controller $k_b$ is designed to execute this coordinated turn. While the details of its exact implementation are omitted, a controller that could achieve a similar result is:

$$\begin{aligned} u_P &= k_{b,1}(x) = \mathrm{sat}\big(K_\phi (\bar{\phi} - \phi)\big), \qquad \bar{\phi} = \min\{\phi^*, K_\psi (\psi^* - \psi)\}, \\ u_z &= k_{b,2}(x) = \mathrm{sat}\Big(\frac{1}{\cos \phi}\big(1 + K_H (H^* - H) - K_\theta \theta\big)\Big), \end{aligned} \tag{27}$$

where sat indicates saturating (clamping) the inputs at their limits. The control input $u_P$ involves a feedback term driving the roll angle $\phi$ to the desired value $\bar{\phi}$ using a gain $K_\phi$. The desired roll angle $\bar{\phi}$ matches the equilibrium value $\phi^*$ during most of the turn, but towards the end of the turn is reduced to $K_\psi (\psi^* - \psi)$, where $K_\psi$ is a gain and $\psi^*$ is the desired yaw angle corresponding to the completion of a 180-degree turn.
The control input $u_z$ involves the feedforward term $1 / \cos \phi$ corresponding to $N_z^*$ in (26) as well as feedback terms driving the altitude $H$ to the equilibrium $H^*$ and the pitch angle $\theta$ to zero using the gains $K_H$ and $K_\theta$, respectively. The parameters of the controller were tuned using extensive simulations and using feedback from human pilots about how the resulting behavior felt. Similar backup control strategies for fixed-wing aircraft are reported in [70].

For the coordinated turn maneuver, the backup safe set (occurring in (4)) is the set of states where a 180-degree turn is completed. This can be described, for example, by:

$$h_b(x) = \pm(\psi - \psi^*), \tag{28}$$

where the sign depends on whether the turn is to the left or to the right.

FIGURE 4 Results associated with using Guardrails for load factor limiting. Here, the dashed blue curve represents the load factor requested by the pilot, the solid orange curve represents the safe load factor computed by Guardrails, and the thin green curve represents the measured load factor on the aircraft. Panel (b) is a zoom-in view of panel (a).

RESULTS

In this section, we present the results from flight tests involving Guardrails as applied to a fixed-wing aircraft. Before discussing the details of these tests, we first provide a brief overview of the results. Guardrails was extensively tested on the X-62 Variable In-Flight Simulation Test Aircraft (VISTA), a modified F-16 fighter jet developed by Lockheed Martin and used for testing advanced autonomy algorithms, in collaboration with the Edwards Air Force Base Test Pilot School. Guardrails completed all 14 test points, including pilot assault on safety limits.
Multiple flights were conducted over the span of September 9 through September 20 of 2024 with 100% success rate on these test points, consisting of combinations of the various constraints previously discussed. Video clips from a few of these tests can be viewed at [71].

Experimental Setup: X-62 VISTA

Although our Guardrails framework is applicable to general autonomous systems, our results in this paper stem from the application of Guardrails to the X-62 VISTA. Guardrails integrates into the VISTA’s existing control stack through Lockheed Martin’s System for Autonomous Control of the Simulation (SACS) module, which relays aircraft state information to the Guardrails module and converts control commands generated by Guardrails into lower-level actuator commands. During our tests, Guardrails computes two different control inputs: commanded normal load factor ($u_z$) and commanded roll rate ($u_P$). The commanded normal load factor is converted into pitch rate commands by the SACS module, which are then passed to lower layers of the autonomy stack to determine the required surface deflections (elevator, aileron, rudder) to achieve the desired command. Roll rate commands are directly sent to lower layers of the autonomy stack and do not require conversion via the SACS module.

While the VISTA is capable of being flown fully autonomously by an AI pilot, our tests are carried out with a human pilot in the loop. The pilot’s inputs to the VISTA are pitch rate and roll rate commands. To interface these inputs with the Guardrails module, the pilot’s pitch rate command is first converted to a normal load factor command. Then, Guardrails smoothly blends pilot inputs ($u_{P,d}$ and $u_{z,d}$) with the backup controller to achieve safety of the overall semi-autonomous system. In what follows, we present extensive experimental results from a week of flight testing to illustrate the efficacy of Guardrails for achieving safety of highly dynamic autonomous systems.
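The backup-maneuver idea from the Backup Maneuvers discussion can be made concrete for the geofence case. The following added example (not the authors' implementation) rolls out the coordinated turn of (26) with the roll command of (27) against the geofence function (24) and reports whether a start state lies in the resulting implicit safe set; the horizontal kinematics, airspeed, gains, roll actuator lag, horizon, heading tolerance and fence placement are all assumed values.

```python
"""Backup-turn rollout for a geofence (constructed example, assumed model)."""
import math

G = 32.174                      # ft/s^2
V_T = 600.0                     # ft/s, assumed constant true airspeed
TAU_P = 0.3                     # s, assumed roll-rate actuator lag
P_MAX = math.radians(60.0)      # rad/s, assumed roll-rate command limit
K_PHI, K_PSI = 2.0, 1.5         # assumed gains K_phi and K_psi in (27)
DT, HORIZON = 0.01, 80.0        # s, assumed integration step and backup horizon
FENCE_POINT = (0.0, 0.0)        # p_g: constructed fence through the origin
FENCE_NORMAL = (-1.0, 0.0)      # n_g: the safe side is south of the fence


def steady_turn(phi_star):
    """Eq. (26): load factor N_z* and radius R of a level coordinated turn."""
    return 1.0 / math.cos(phi_star), V_T**2 / (G * math.tan(phi_star))


def max_steady_bank(nz_max):
    """Largest bank angle whose N_z* = 1/cos(phi*) stays at or below nz_max."""
    return math.acos(1.0 / nz_max)


def roll_command(phi, psi, psi_star, phi_star, direction):
    """u_P of (27) for a right (+1) or left (-1) turn, clamped at P_MAX."""
    remaining = direction * (psi_star - psi)
    phi_bar = direction * min(phi_star, K_PSI * remaining)
    return max(-P_MAX, min(P_MAX, K_PHI * (phi_bar - phi)))


def backup_rollout(p_n, p_e, psi, phi_star, direction):
    """Fly the backup turn from wings level; return (min h_5, final heading error)."""
    phi = roll_rate = 0.0
    psi_star = psi + direction * math.pi
    h_min = math.inf
    for _ in range(int(HORIZON / DT)):
        h = (FENCE_NORMAL[0] * (p_n - FENCE_POINT[0])
             + FENCE_NORMAL[1] * (p_e - FENCE_POINT[1]))    # eq. (24)
        h_min = min(h_min, h)
        u_p = roll_command(phi, psi, psi_star, phi_star, direction)
        p_n += DT * V_T * math.cos(psi)
        p_e += DT * V_T * math.sin(psi)
        psi += DT * (G / V_T) * math.tan(phi)   # turn rate of (26), altitude held
        phi += DT * roll_rate
        roll_rate += DT * (u_p - roll_rate) / TAU_P   # first-order roll-rate lag
    return h_min, abs(psi_star - psi)


def in_implicit_safe_set(distance, psi0=0.0, phi_star=math.radians(60.0),
                         direction=1, heading_tol=math.radians(5.0)):
    """True if the backup turn stays inside the fence and completes the turn."""
    h_min, heading_err = backup_rollout(-distance, 0.0, psi0, phi_star, direction)
    return h_min >= 0.0 and heading_err <= heading_tol


def min_standoff(psi0=0.0, phi_star=math.radians(60.0), direction=1):
    """Bisect for the smallest fence distance (ft) that is still in the set."""
    lo, hi = 0.0, 50000.0
    while hi - lo > 1.0:
        mid = 0.5 * (lo + hi)
        if in_implicit_safe_set(mid, psi0, phi_star, direction):
            hi = mid
        else:
            lo = mid
    return hi
```

Under these assumptions the smallest safe standoff comes out a few hundred feet larger than the steady-state radius $R$ of (26), because the aircraft keeps closing on the fence while it rolls in. For the 4 g limit of the load factor test, `max_steady_bank(4.0)` is about 75.5 degrees.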
Flight Tests

We now present our key results obtained through in-flight enforcement of various safety constraints of increasing difficulty using Guardrails. All results were obtained in collaboration with the Edwards Air Force Base Test Pilot School between September 9 and September 20 of 2024.

Load Factor Limiting

Our first results were obtained by leveraging Guardrails for limiting the load factor on the VISTA. The main objective of this test was to limit the load experienced by the pilot (i.e., how many g’s they feel) to eliminate any pilot discomfort or safety trips. Limiting the load factor is critical to ensure the safety of a manned aircraft, as excessive loads can, in certain circumstances, lead to loss of consciousness by the pilot. For this particular test, the load factor limit was set between 0.2 and 4 g’s. Based on our chosen dynamical model of the aircraft in (15), the load factor $N_z$ is directly related to one of the control inputs $u_z$ through a first-order actuator lag. Given this close relationship between the constrained state of the system $N_z$ and the control input $u_z$, Guardrails achieves load factor limiting with an input saturation rather than a state limit, as noted earlier. During this test, the pilot is instructed to pull up hard on the stick, requesting significantly more g’s than allowed by the prescribed load factor limit. The results of applying Guardrails to ensure load factor limits are illustrated in Fig. 4 and the attached supplementary video [71].
In Fig. 4, the dashed blue curve represents the load factor requested by the pilot (i.e., $u_{z,d}$), the solid orange curve indicates the safe load factor computed by Guardrails (i.e., $u_z$), and the thin green curve shows the load factor experienced by the pilot as measured by sensors onboard the aircraft (i.e., $N_z$). As illustrated in Fig. 4, the load factor requested by the pilot far exceeds the limit while the commanded load factor computed by Guardrails always abides by the limit. Given that the commanded load factor, as computed by Guardrails, must pass through actuator dynamics before impacting the physical system, there is a slight delay between the commanded load factor (orange) and measured load factor (green curve) in Fig. 4, leading to small overshoots of the measured load factor beyond its limits. Despite these overshoots, the measured load factor stays well below the original, potentially unsafe load factor requested by the pilot and violates the imposed limits only by fractions of a g.

Altitude Floor and Ceiling

Our next test involves using Guardrails to impose limits on the altitude of the VISTA. Our objectives in this test were fourfold: i) ensure the altitude of the aircraft respects the prescribed limits; ii) modify the commanded load factor (the relevant control input for this test) smoothly and slowly so that no abrupt changes are felt by the pilot; iii) only restrict motion towards, not away from, the altitude limits; iv) always maintain partial control authority for the pilot. For this test, we placed a floor of 18,700 ft and a ceiling of 22,700 ft on the altitude of the VISTA. The initial altitude of the aircraft at the start of the test is just under 21,000 ft. During this test, the pilot is instructed to increase the aircraft’s altitude from its initial value, attempting to drive the aircraft through the altitude ceiling for a period of time, after which the pilot repeats the same procedure for the altitude floor before returning the aircraft to its initial altitude.

FIGURE 5 Results from applying Guardrails for altitude limiting. In panel (a), the green curve denotes the evolution of the aircraft’s altitude over time, with the green area denoting the safe region and the red area denoting the unsafe region. Panel (c) displays the evolution of the aircraft’s pitch angle (thin green) and angle of attack (orange). Panel (b) illustrates the pilot’s requested load factor (dashed blue), the commanded load factor computed by Guardrails (solid orange), and the measured load factor aboard the aircraft (thin green). Here, the purple region denotes the span of time where Guardrails is active ($\lambda > 0$), as quantified by the value of $\lambda$ in panel (d).

The results of this altitude limiting test are provided in Fig. 5. As shown in Fig. 5(a), Guardrails ensures that the altitude limits are respected for all time, thereby achieving our first objective. That Guardrails achieves the second objective is illustrated in Fig. 5(b), which, like Fig. 4, shows the pilot’s requested load factor $u_{z,d}$, the commanded load factor $u_z$ computed by Guardrails, and the measured load factor $N_z$ aboard the aircraft. The satisfaction of objectives (iii) and (iv) can be inferred from Fig.
5(d), which portrays the evolution of $\lambda$, the parameter that blends inputs from the pilot and from the Guardrails, with $\lambda = 0$ implying the pilot is in full control and $\lambda = 1$ implying that Guardrails is in complete control. During this test, $\lambda$ remains strictly less than one for all time, indicating that the pilot always has partial control over the aircraft, thereby achieving objective (iv). The evolution of $\lambda$ also indicates that motion away from the altitude limits is not restricted: at around 100 seconds, when the pilot begins pitching the aircraft down, $\lambda$ quickly decreases to zero, allowing the pilot to freely move the aircraft away from the boundary. A similar phenomenon is seen just before the 300-second mark, where the aircraft is pitched back up off the lower altitude limit and $\lambda$ quickly decays to a low value.

Geofencing

Our next test leverages Guardrails for geofencing, wherein the objective is to keep the aircraft in a prespecified airspace; see Fig. 6. For this test, the aircraft begins with its heading perpendicular to the geofence (see Fig. 6(a)) and must perform a smooth coordinated turn to avoid flying through the geofence. Unlike the previous tests, performing this maneuver requires coordinating two different control inputs – the commanded load factor, as in the previous tests, and the commanded roll rate. Importantly, this maneuver must be performed while respecting hard limits on these control inputs. The commanded roll rate $u_P$ is related to the actual roll rate $P$ through a first-order actuator lag; hence, as discussed in the previous results, we enforce constraints on the roll rate through control limits rather than state limits. During this test, the pilot is initially instructed to fly the aircraft toward the geofence. As the aircraft approaches the geofence (see Fig. 6(a)) and the distance to the geofence decreases (see Fig.
6(b)), Guardrails is gradually given more control authority over the aircraft, as indicated by the increasing value of $\lambda$ in Fig. 6(f). At around $t \approx 25$ seconds, the commands from the pilot and those computed by Guardrails begin to deviate significantly (Fig. 6(d) and Fig. 6(e)), with Guardrails issuing commands that cause the aircraft to bank and align its heading to be parallel with the geofence (see Fig. 6(a)). Once the aircraft is moving parallel to the geofence, the pilot is instructed to attempt to drive the aircraft into the geofence by issuing aggressive roll rate commands toward the unsafe region from $t \approx 35$ to $t \approx 60$ seconds, as illustrated in Fig. 6(e). Over this time span, Guardrails counteracts these unsafe commands by computing much smaller roll rate commands (Fig. 6(e)). Coupled with the fact that $\lambda \approx 1$ over this interval, this ensures that the actual roll rate measured onboard the aircraft is small, keeping the aircraft aligned with the geofence and preventing safety violations.

Geofencing and Altitude Limiting

Our next test combines geofence and altitude floor limits, testing the ability of Guardrails to handle multiple state limits. During the test, the pilot is instructed to fly the aircraft directly at the geofence with a downward pitch of about five degrees, so that the aircraft comes close to both the geofence and altitude floor limits simultaneously. The results of this test are shown in Fig. 7 and the attached supplementary video [71]. The test begins with the aircraft at level flight heading directly toward the geofence. At around $t \approx 50$ seconds, the aircraft pitches up to achieve an altitude of just under 22,000 ft before pitching down in an attempt to arrive at the altitude floor limit at a similar time to the geofence limit (see Fig. 7(b)). At around $t \approx 100$ seconds, Guardrails begins to intervene, as indicated by the value of $\lambda$ in Fig. 7(f), and banks the aircraft away from the geofence (Fig.
7(a)) by commanding positive roll rates (Fig. 7(e)), which causes the aircraft’s roll angle to increase to about 60 degrees. Simultaneously, Guardrails produces load factor commands between 1-3 g’s (Fig. 7(d)), causing the aircraft to pitch up so that it does not violate the altitude floor (Fig. 7(b)). At around $t \approx 140$ seconds, Guardrails is disengaged through a pilot overtake as indicated by the significant deviation between the measured load factor (thin green) and commanded load factor (solid orange) in Fig. 7(d), concluding the experiment.

Geofencing, Altitude, and Load Factor Limiting

Our final tests employ Guardrails to enforce geofence constraints, altitude limits, and load factor limits simultaneously. We show two test scenarios for this case, to demonstrate the capabilities of Guardrails in assuring safety in various situations.

In the first test, shown in Fig. 8, the pilot is instructed to fly towards the geofence (Fig. 8(a)) while descending from 22,000 ft to approach the altitude floor (Fig. 8(b)). At $t \approx 100$ seconds, Guardrails starts to gradually take control (Fig. 8(f)) and slowly bank the jet to a 75 degree roll angle (Fig. 8(c)), making it fly parallel to the geofence (Fig. 8(a)). During this process, between $t \approx 120$ and $t \approx 150$ seconds, the pilot actively tries to bank towards the geofence but Guardrails prevents it from doing so (Fig. 8(e)). Afterwards, the pilot decides to fly the aircraft away from the geofence, and Guardrails gives the control authority back to the pilot at $t \approx 150$ seconds (Fig. 8(f)). Then, the pilot banks the aircraft in the other direction, decreasing the roll angle to $-75$ degrees, and turns the VISTA hard toward the geofence to assault it once again, while bringing the aircraft’s nose down. Guardrails intervenes for the second time, at around $t \approx 180$ seconds, to prevent the aircraft from entering the restricted airspace despite the pilot’s commands.
At the same time, the aircraft arrives at the altitude floor (Fig. 8(b)), and the pilot commands a large positive load factor to pull it up (Fig. 8(d)). In response, Guardrails allows the aircraft to pull up and avoid the altitude floor, but it limits the load factor to 4 g’s to maintain the safety of the pilot. Finally, control authority is given back to the pilot as it flies away from the geofence at a safe altitude.

FIGURE 6 Results from employing Guardrails for geofencing. Panel (a) highlights that the aircraft’s trajectory (green curve) stays in the safe region (green area), avoiding the restricted airspace (red area). Panel (b) plots the safety function $h$ (a normalized time to collision measure associated with the distance to the geofence), whose positive value indicates safety. Panel (c) depicts how the aircraft rolls to abide by the geofence. Panels (d) and (e), respectively, show that the load factor and roll rate commanded by the pilot (dashed blue) are modified to a safe command by Guardrails (solid orange) which is tracked by the aircraft (thin green). The control authority of Guardrails is shown in panel (f).

In the second test, shown in Fig. 9, the combination of a geofence constraint, an altitude floor, and load factor limits is enforced, while the pilot is instructed to attempt the violation of these constraints several times during a 10-minute experiment.
In each case, Guardrails successfully maintains the geofence constraint (Fig. 9(a)), even when it requires a roll action opposite to what is being commanded by the pilot (Fig. 9(e)). Guardrails also keeps the altitude above the floor for all time (Fig. 9(b)) with the appropriate load factor command (Fig. 9(d)). The load factor computed by Guardrails is within the prescribed safe limits, even when the pilot applies a hard pull on the stick, while the load factor measured on board exhibits slight overshoots beyond the limits. To achieve safe behavior, Guardrails repeatedly claims back control authority when needed to guarantee safety (Fig. 9(f)), and gives it back to the pilot otherwise. Through smoothly blending pilot commands with safe actions, Guardrails enables the jet to be operated with formal guarantees of safety, including flights at the edge of the safe operation domain bounded by multiple constraints.

DISCUSSION

Takeaways from Flight Testing

Overall, Guardrails showed success in enforcing g-limits, altitude bounds, geofence constraints, and their combination in a variety of scenarios. Throughout the flight tests, Guardrails managed to supervise a human pilot aboard the F-16 jet and establish safe behaviors by smoothly blending the pilot actions with backup strategies that provided provably safe normal load and roll rate commands based on a reduced-order model of the aircraft dynamics.
The pilot actions were directly executed whenever the situation was deemed safe based on the corresponding safety function, and otherwise Guardrails gradually took the control authority away from the pilot, allowing the satisfaction of safety constraints even in the presence of adversarial, intentionally unsafe pilot actions. Importantly, Guardrails enabled operation at the safety limit, such as flight along geofence boundaries or at an altitude ceiling or floor, for sustained durations of time. A discussion on the observed minor safety violations as well as on limitations and potential future improvements is given below.

FIGURE 7 Results from using Guardrails for simultaneous geofencing and altitude limiting. In panels (a) and (b), respectively, the VISTA’s trajectory and altitude (green curve) are shown, with the safe (green) and unsafe (red) regions indicated. Panel (c) depicts the evolution of the roll angle. Panels (d) and (e) display the corresponding load factor and roll rate, respectively, as requested by the pilot (dashed blue), computed by Guardrails (solid orange), and measured aboard the aircraft (thin green). The partial control authority of Guardrails is quantified by the blending parameter $\lambda$ in panel (f).
Design Decisions

We now summarize some of the important design decisions that were made to facilitate the successful implementation of Guardrails during real-world flight testing. These decisions seek a balance between minimizing safety violations, reducing the complexity of the control design, while maximizing the control authority of the pilot.

Input vs. State Limits

As noted in our results section, one of our control inputs is the commanded load factor $u_z$, which is related to the actual normal load factor $N_z$ through a first order actuator model. When faced with tests that required limiting the load factor, we chose to simply limit the commanded load factor by clamping the input at the specified bounds, rather than constructing a control invariant set to enforce the corresponding state limit. This greatly simplifies the control design, but may result in small violations of the prescribed state limit as illustrated in Fig. 4(b), Fig. 8(d), and Fig. 9(d), where the measured state $N_z$ exhibits small violations of the required limit despite the fact that the commanded input $u_z$ remains within the limits. These violations occur because, while we represent the actuator dynamics using a first-order lag model, in reality these actuator dynamics are much more complicated. This discrepancy between our model and the true dynamics of the system causes the actual $N_z$ (labeled as “measured” in the plots) to overshoot the commanded signal. These violations could be eliminated by either adding an additional margin to the limit enforced on the commanded load factor or by treating the $N_z$ limits as a state limit rather than an input limit, and including a more complex actuator model. Further justification for this simplified choice of actuator model is expanded on in the following subsection.

FIGURE 8 Results from applying Guardrails to enforce combinations of geofence, altitude, and load factor constraints. The same information is shown with the same notations as in Fig. 7, while panel (d) also displays the safe (green shading) and unsafe load factor ranges (red shading).

Simplified Models for Control Design

Aircraft dynamics are inherently complex, high-dimensional, nonlinear, and are subject to uncertain parameters and disturbances, making the use of high-fidelity aircraft models challenging for control design. To overcome this, aerospace engineers typically employ highly simplified models for control design, trimmed at certain operating conditions, which provide local approximations of the full-order aircraft dynamics [69], [72]. Guardrails follows a similar philosophy by leveraging a simplified, reduced-order model of an aircraft that captures the essential features (kinematics of the pitch and roll axes) relevant to the safety constraints in our tests. Higher order dynamics are abstracted away by assuming a first-order actuator model for our two control inputs, the roll rate and normal load factor. It is essential to note that the safety assurances offered by Guardrails are predicated on the choice of model used for control design, raising the question if the simplified models used in our results are accurate enough to establish safety guarantees.
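The clamping argument for (20) and (21) and the overshoots discussed under Input vs. State Limits can be reproduced numerically. This added example (not the authors' code) passes a clamped command through the first-order lag $\dot{N}_z = (u_z - N_z)/\tau_z$ and through an assumed underdamped second-order actuator, then searches for the command margin the latter would need; the time constant, natural frequency, damping ratio and pilot input are constructed values, while the 0.2 g and 4 g limits are those of the load factor test.

```python
"""Clamped load-factor commands through two actuator models (constructed example)."""

NZ_MIN, NZ_MAX = 0.2, 4.0   # g, load factor limits used in the flight test
TAU_Z = 0.5                 # s, assumed time constant of the first-order lag
OMEGA_N, ZETA = 4.0, 0.6    # assumed natural frequency (rad/s) and damping ratio
DT = 0.001                  # s, integration step


def pilot_request(t):
    """Constructed stick input: level flight, hard pull to 8 g, then push to -1 g."""
    if t < 1.0:
        return 1.0
    return 8.0 if t < 6.0 else -1.0


def clamp(u, lo, hi):
    return max(lo, min(hi, u))


def simulate(model, margin=0.0, t_end=12.0):
    """Return (min N_z, max N_z, min u_z, max u_z) for the clamped command."""
    lo, hi = NZ_MIN + margin, NZ_MAX - margin
    nz, nz_rate = 1.0, 0.0
    nz_lo = nz_hi = nz
    u_lo = u_hi = clamp(pilot_request(0.0), lo, hi)
    for k in range(int(t_end / DT)):
        u = clamp(pilot_request(k * DT), lo, hi)
        if model == "first_order":
            # The lag model stated on the page: N_z moves toward u_z, never past it.
            nz += DT * (u - nz) / TAU_Z
        elif model == "second_order":
            # Assumed mismatch model: same steady state, but underdamped.
            nz_rate += DT * (OMEGA_N**2 * (u - nz) - 2.0 * ZETA * OMEGA_N * nz_rate)
            nz += DT * nz_rate
        else:
            raise ValueError(f"unknown model: {model}")
        nz_lo, nz_hi = min(nz_lo, nz), max(nz_hi, nz)
        u_lo, u_hi = min(u_lo, u), max(u_hi, u)
    return nz_lo, nz_hi, u_lo, u_hi


def within_limits(model, margin=0.0):
    """True if the simulated N_z never leaves [NZ_MIN, NZ_MAX]."""
    nz_lo, nz_hi, _, _ = simulate(model, margin)
    return NZ_MIN <= nz_lo and nz_hi <= NZ_MAX


def required_margin(model, step=0.01):
    """Smallest command margin (multiple of `step`) that keeps N_z inside the limits."""
    margin = 0.0
    while not within_limits(model, margin):
        margin += step
        if margin > 1.0:
            raise RuntimeError("no margin below 1 g keeps N_z inside the limits")
    return round(margin, 2)
```

With the first-order lag the clamp alone is enough and no margin is needed; with the assumed second-order actuator the command stays inside the limits while $N_z$ overshoots by a fraction of a g, and a margin of roughly 0.3 g on the command removes the violation.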
Fortunately, in the context of robotic systems, there is a large body of supporting work on using CBFs for reduced-order models while still making practical guarantees on safety of the full-order system [73]–[76]. These approaches have been successfully deployed to ensure safety on highly dynamic robotic systems, such as drones, quadrupeds, and hopping robots, despite using dramatically simplified models for the control design, such as single integrators and unicycles. These well-established results apply to our flight control case study as well — despite abstracting away high-order terms in the aircraft dynamics, the theoretical results from, e.g., [73]–[76], may be employed to provide practical safety assurances for the original full-order dynamics of the aircraft.

FIGURE 9 Results of repeatedly using Guardrails to enforce combinations of geofence, altitude, and load factor constraints. The same information is shown with the same notations as in Fig. 8.

Reduced Pilot Authority

The performance of the Guardrails system is determined by the interplay of the pilot commands and the safe backup inputs as well as by how the pilot authority is reduced in safety-critical situations. This interplay can be observed, for example, in our altitude limiting tests (see Fig.
5(a)), where the aircraft was bouncing up and down with mild oscillatory motion when it was near the altitude limits and the pilot was attempting to push the aircraft through these limits (between $t \approx 250$ and $t \approx 300$ seconds). The oscillatory motion is due to the fluctuations in $\lambda$ (see Fig. 5(d)), causing Guardrails to rapidly transition between the commanded pilot inputs and the push-back from the backup controller to prevent safety violation. These oscillations could be reduced by choosing a more aggressive blending function $\lambda$, which would reduce the pilot’s control authority more significantly upon approaching the constraint boundary and allow the backup controller to (almost) independently control the aircraft. Alternatively, one could choose a more aggressive backup maneuver to achieve a similar result. In our testing, we chose not to implement these changes as ensuring adequate pilot authority near the constraint boundary was deemed a high priority. Future efforts will focus on mitigating oscillations while retaining some level of control authority for the pilot. Preliminary efforts towards this goal are presented in [70].

Limitations

While Guardrails successfully enforced safety across various scenarios through extensive real-world flight testing, there are details in the design of Guardrails that could be further investigated and improved to enhance performance and optimize overall system behavior on the VISTA and other autonomous systems. These include making Guardrails less conservative so that the space where the pilot has significant control authority is maximized. For example, we observed some conservativeness when the aircraft approached the altitude floor constraint as Guardrails activated relatively far from the boundary. Less conservative behavior could be achieved through optimizing the backup maneuvers, or by fine-tuning the blending function $\lambda$.
Tuning the blending function could also help mitigate the oscillations of the aircraft when the pilot is pushing against the floor — this, however, requires reducing the control authority of the pilot, marking a trade-off in the control design. Furthermore, our backup maneuvers could be improved, for example, by formulating the desired bank angle as a function of the distance from the geofence, which could make the transition into the geofence bank more gradual.

CONCLUSION

In this article, we introduced Guardrails, a framework for safety filtering on highly dynamic autonomous systems. Guardrails is rooted in the theory of control barrier functions and enables the construction of control invariant sets and computationally efficient safety filters for high-dimensional nonlinear systems. We implemented Guardrails on the VISTA – a modified F-16 fighter jet – conducting numerous real-world flight tests to ensure the satisfaction of safety-critical constraints such as g-force limits, altitude limits, and geofence constraints.

There are several directions for future work to expand the capabilities of Guardrails on the VISTA. These include enforcing additional safety constraints on a variety of states. For example, angle of attack and pitch angle limits may help prevent rapid speed losses that were experienced during some of the tests. Similarly, one could establish collision avoidance with nearby aircraft by synthesizing a backup controller that executes an evasive maneuver and incorporating the distance of the two aircraft into the safety function. Other directions include leveraging gradient information of the safety function in a computationally efficient manner to further improve performance.

While our results in this paper focused on the application of Guardrails to the VISTA in the context of safety-critical flight control, we stress that our overall framework is broadly applicable to a wide range of autonomous systems, such as ground vehicles and legged robots. By using Guardrails as an add-on safety module for these systems, novel decision making, motion planning, and control algorithms can be tested and deployed without additional safety risks, which greatly facilitates the development of next-generation autonomous systems.

ACKNOWLEDGMENT

The authors thank Al Moser for his help and support in this research. This research was supported by the AFOSR Test and Evaluation program, grant FA9550-22-1-0333.

AUTHOR INFORMATION

Andrew W. Singletary (asingletary@3lawsrobotics.com) received the B.S. degrees in mechanical engineering and nuclear and radiological engineering from the Georgia Institute of Technology in 2017, and the M.S. and Ph.D. degrees in mechanical engineering from the California Institute of Technology in 2019 and 2022, respectively. His doctoral work at Caltech focused on safety-critical control for robotics, including control barrier functions and real-time safety filtering frameworks. He is the co-founder and CEO of 3Laws, where he leads the translation of these control-theoretic advances into deployable safety technologies for autonomous robotic systems. He was named to the Forbes 30 Under 30 Science list in 2024.

Max H. Cohen (mhcohen2@ncsu.edu) is an Assistant Professor of Electrical and Computer Engineering at North Carolina State University. Prior to joining NC State, he served as a Postdoctoral Scholar at the California Institute of Technology from 2023-2025. He earned the B.S. in Mechanical Engineering from the University of Florida in 2018, the M.S. in Mechanical Engineering from Boston University in 2022, and the Ph.D. in Mechanical Engineering from Boston University in 2023.
He was awarded an NSF Graduate Research Fellowship in 2019 and the best paper award at the 2025 Conference on Learning for Dynamics and Control. His research interests include nonlinear control and learning-based control with applications to robotics and autonomous systems.

Tamas G. Molnar (tamas.molnar@wichita.edu) has been an Assistant Professor of Mechanical Engineering at Wichita State University since 2023. Beforehand, he held postdoctoral positions at the California Institute of Technology, from 2020 to 2023, and at the University of Michigan, Ann Arbor, from 2018 to 2020. He received the Ph.D. and M.S. degrees in Mechanical Engineering and the B.S. degree in Mechatronics Engineering from the Budapest University of Technology and Economics, Hungary, in 2018, 2015, and 2013. His research interests include nonlinear dynamics and control, safety-critical control, and time delay systems with applications to connected automated vehicles, robotic systems, and autonomous systems.

Aaron D. Ames (ames@caltech.edu) received the B.S. degree in mechanical engineering and the B.A. degree in mathematics from the University of St. Thomas, Saint Paul, MN, USA, in 2001, the M.A. degree in mathematics and the Ph.D. degree in electrical engineering and computer sciences from UC Berkeley, Berkeley, CA, USA, in 2006. He began his faculty career with Texas A&M University, in 2008. He was an Associate Professor of mechanical engineering and electrical & computer engineering with the Georgia Institute of Technology and a Postdoctoral Scholar of control and dynamical systems with Caltech from 2006 to 2008. He is currently the Bren Professor of mechanical and civil engineering and control and dynamical systems with the California Institute of Technology, Pasadena, CA, USA.
His research interests are in the areas of robotics, nonlinear control, and hybrid systems, with a special focus on applications to bipedal robotic walking—both formally and through experimental validation. Dr. Ames was the recipient of the 2005 Leon O. Chua Award for achievement in nonlinear science at UC Berkeley, 2006 Bernard Friedman Memorial Prize in Applied Mathematics, NSF Career Award in 2010, Donald P. Eckman Award in 2015, and the 2019 Antonio Ruberti Young Researcher Prize.

REFERENCES

[1] X. Guan, R. Lyu, H. Shi, and J. Chen, “A survey of safety separation management and collision avoidance approaches of civil UAS operating in integration national airspace system,” Chinese Journal of Aeronautics, vol. 33, no. 11, pp. 2851–2863, 2020.
[2] A. Burns, D. Harper, A. F. Barfield, S. Whitcomb, and B. Jurusik, “Auto GCAS for analog flight control system,” in IEEE/AIAA 30th Digital Avionics Systems Conference, 2011, pp. 8C5–1–8C5–11.
[3] D. E. Swihart, A. F. Barfield, E. M. Griffin, R. C. Lehmann, S. C. Whitcomb, B. Flynn, M. A. Skoog, and K. E. Processor, “Automatic ground collision avoidance system design, integration, & flight test,” IEEE Aerospace and Electronic Systems Magazine, vol. 26, no. 5, pp. 4–11, 2011.
[4] A. W. Suplisson, “Optimal recovery trajectories for automatic ground collision avoidance systems (Auto GCAS),” Ph.D. dissertation, Air Force Institute of Technology, 2015.
[5] P. Heidlauf, A. Collins, M. Bolender, and S. Bak, “Verification challenges in F-16 ground collision avoidance and other automated maneuvers,” in 5th International Workshop on Applied Verification of Continuous and Hybrid Systems, ser. EPiC Series in Computing, G. Frehse, Ed., vol. 54, 2018, pp. 208–217.
[6] J. Carpenter, K. Gahan, and R. Cobb, Automatic-Ground Collision Avoidance System (Auto-GCAS) for Performance Limited Aircraft, ser. AIAA AVIATION Forum, 2019.
[7] Z. Kirkendoll and L. R. Hook, “Automatic ground collision avoidance system trajectory prediction and control for general aviation,” in IEEE/AIAA 40th Digital Avionics Systems Conference, 2021, pp. 1–10.
[8] E. Williams, “Airborne collision avoidance system,” in 9th Australian Workshop on Safety Critical Systems and Software, vol. 47, 2004, pp. 97–110.
[9] R. Chamlou, “Future airborne collision avoidance — Design principles, analysis plan and algorithm development,” in IEEE/AIAA 28th Digital Avionics Systems Conference, 2009, pp. 6.E.2–1–6.E.2–17.
[10] M. J. Kochenderfer, J. E. Holland, and J. P. Chryssanthacopoulos, “Next-generation airborne collision avoidance system,” Lincoln Laboratory Journal, vol. 19, no. 1, pp. 17–33, 2012.
[11] T. Jun, M. A. Piera, and S. Ruiz, “A causal model to explore the ACAS induced collisions,” Proceedings of the Institution of Mechanical Engineers, Part G, vol. 228, no. 10, pp. 1735–1748, 2014.
[12] C. von Essen and D. Giannakopoulou, “Analyzing the next generation airborne collision avoidance system,” in Tools and Algorithms for the Construction and Analysis of Systems, E. Ábrahám and K. Havelund, Eds. Berlin, Heidelberg: Springer, 2014, pp. 620–635.
[13] J.-B. Jeannin, K. Ghorbal, Y. Kouskoulas, R. Gardner, A. Schmidt, E. Zawadzki, and A. Platzer, “Formal verification of ACAS X, an industrial airborne collision avoidance system,” in International Conference on Embedded Software, 2015, pp. 127–136.
[14] R. Lee, M. J. Kochenderfer, O. J. Mengshoel, G. P. Brat, and M. P. Owen, “Adaptive stress testing of airborne collision avoidance systems,” in IEEE/AIAA 34th Digital Avionics Systems Conference, 2015, pp. 6C2–1–6C2–13.
[15] M. J. Kochenderfer, C. Amato, G. Chowdhary, J. P. How, H. J. D. Reynolds, J. R. Thornton, P. A. Torres-Carrasquillo, N. K. Ure, and J. Vian, “Optimized airborne collision avoidance,” in Decision Making Under Uncertainty: Theory and Application, 2015, pp. 249–276.
[16] G. Manfredi and Y. Jestin, “An introduction to ACAS Xu and the challenges ahead,” in IEEE/AIAA 35th Digital Avionics Systems Conference, 2016, pp. 1–9.
[17] M. P. Owen, A. Panken, R. Moss, L. Alvarez, and C. Leeper, “ACAS Xu: Integrated collision avoidance and detect and avoid capability for UAS,” in IEEE/AIAA 38th Digital Avionics Systems Conference, 2019, pp. 1–10.
[18] J. Deaton and M. P. Owen, Evaluating Collision Avoidance for Small UAS using ACAS X, 2020.
[19] M. Smith, M. Strohmeier, V. Lenders, and I. Martinovic, “Understanding realistic attacks on airborne collision avoidance systems,” Journal of Transportation Security, vol. 15, no. 1, pp. 87–118, 2022.
[20] J. M. Christensen, A. A. Girija, T. Stefani, U. Durak, E. Hoemann, F. Köster, T. Krüger, and S. Hallerbach, “Advancing the AI-based realization of ACAS X towards real-world application,” in IEEE 36th International Conference on Tools with Artificial Intelligence, 2024, pp. 57–64.
[21] W. H. Harman III, “TCAS: A system for preventing midair collisions,” Lincoln Laboratory Journal, vol. 2, no. 3, pp. 437–458, 1989.
[22] T. Williamson and N. A. Spencer, “Development and operation of the traffic alert and collision avoidance system (TCAS),” Proceedings of the IEEE, vol. 77, no. 11, pp. 1735–1744, 1989.
[23] C. Livadas, J. Lygeros, and N. A. Lynch, “High-level modeling and analysis of the traffic alert and collision avoidance system (TCAS),” Proceedings of the IEEE, vol. 88, no. 7, pp. 926–948, 2000.
[24] J. K. Kuchar and A. C. Drumm, “The traffic alert and collision avoidance system,” Lincoln Laboratory Journal, vol. 16, no. 2, pp. 277–296, 2007.
[25] A. A. O. Sathyan Murugan, “TCAS functioning and enhancements,” International Journal of Computer Applications, vol. 1, no. 8, pp. 45–49, 2010.
[26] C. Munoz, A. Narkawicz, and J. Chamberlain, “A TCAS-II resolution advisory detection algorithm,” in AIAA Guidance, Navigation, and Control Conference, 2013.
[27] J. Tang, “Review: Analysis and improvement of traffic alert and collision avoidance system,” IEEE Access, vol. 5, pp. 21 419–21 429, 2017.
[28] J. Tang, F. Zhu, and M. A. Piera, “A causal encounter model of traffic collision avoidance system operations for safety assessment and advisory optimization in high-density airspace,” Transportation Research Part C: Emerging Technologies, vol. 96, pp. 347–365, 2018.
[29] G. Longo, M. Strohmeier, E. Russo, A. Merlo, and V. Lenders, “On a collision course: Unveiling wireless attacks to the aircraft traffic collision avoidance system (TCAS),” in 33rd USENIX Security Symposium, 2024, pp. 6131–6147.
[30] F. Corraro, G. Corraro, G. Cuciniello, and L. Garbarino, “Unmanned aircraft collision detection and avoidance for dealing with multiple hazards,” Aerospace, vol. 9, no. 4, p. 190, 2022.
[31] J. G. Fuller, “Run-time assurance: A rising technology,” in AIAA/IEEE Digital Avionics Systems Conference, 2020, pp. 1–9.
[32] P. Nagarajan, S. K. Kannan, C. Torens, M. E. Vukas, and G. F. Wilber, “ASTM F3269 - An industry standard on run time assurance for aircraft systems,” in AIAA SciTech Forum, 2021.
[33] K. L. Hobbs, M. L. Mote, M. C. Abate, S. D. Coogan, and E. M. Feron, “Runtime assurance for safety-critical systems: An introduction to safety filtering approaches for complex control systems,” IEEE Control Systems Magazine, vol. 43, no. 2, pp. 28–65, 2023.
[34] K. L. Hobbs, B. Heiner, L. Busse, K. Dunlap, J. Rowanhill, A. B. Hocking, and A. Zutshi, “Systems theoretic process analysis of a run time assured neural network control system,” in AIAA SciTech Forum, 2023.
[35] J. D. Schierman, M. D. DeVore, N. D. Richards, and M. A. Clark, “Run-time assurance for autonomous aerospace systems,” Journal of Guidance, Control, and Dynamics, vol. 43, no. 12, pp. 2205–2217, 2020.
[36] D. Costello and H. Xu, “Using a run time assurance approach for certifying autonomy within naval aviation,” Systems Engineering, vol. 26, no. 3, pp. 271–278, 2023.
[37] D. Cofer, I. Amundson, R. Sattigeri, A. Passi, C. Boggs, E. Smith, L. Gilham, T. Byun, and S. Rayadurgam, “Run-time assurance for learning-enabled systems,” in NASA Formal Methods, R. Lee, S. Jha, A. Mavridou, and D. Giannakopoulou, Eds. Cham: Springer, 2020, pp. 361–368.
[38] F. Blanchini and S. Miani, Set-theoretic methods in control. Springer, 2008.
[39] K. P. Wabersich, A. J. Taylor, J. J. Choi, K. Sreenath, C. J. Tomlin, A. D. Ames, and M. N. Zeilinger, “Data-driven safety filters: Hamilton-Jacobi reachability, control barrier functions, and predictive methods for uncertain systems,” IEEE Control Systems Magazine, vol. 43, no. 5, pp. 137–177, 2023.
[40] K. C. Hsu, H. Hu, and J. F. Fisac, “The safety filter: A unified view of safety-critical control in autonomous systems,” Annual Review of Control, Robotics, and Autonomous Systems, vol. 7, pp. 47–72, 2023.
[41] A. D. Ames, X. Xu, J. W. Grizzle, and P. Tabuada, “Control barrier function based quadratic programs for safety critical systems,” IEEE Transactions on Automatic Control, vol. 62, no. 8, pp. 3861–3876, 2017.
[42] T. Gurriet, A. Singletary, J. Reher, L. Ciarletta, E. Feron, and A. Ames, “Towards a framework for realizable safety critical control through active set invariance,” in International Conference on Cyber-Physical Systems, 2018, pp. 98–106.
[43] A. D. Ames, S. Coogan, M. Egerstedt, G. Notomista, K. Sreenath, and P. Tabuada, “Control barrier functions: theory and applications,” in European Control Conference, 2019, pp. 3420–3431.
[44] D. Mayne, J. B. Rawlings, and M. Diehl, Model Predictive Control: Theory, Computation, and Design, 2nd ed. Nob Hill Publishing, 2017.
[45] F. Borelli, A. Bemporad, and M. Morari, Predictive control for linear and hybrid systems. Cambridge University Press, 2017.
[46] I. M. Mitchell, A. M. Bayen, and C. J. Tomlin, “A time-dependent Hamilton-Jacobi formulation of reachable sets for continuous dynamic games,” IEEE Transactions on Automatic Control, vol. 50, no. 7, pp. 947–957, 2005.
[47] J. J. Choi, D. Lee, K. Sreenath, C. J. Tomlin, and S. L. Herbert, “Robust control barrier–value functions for safety-critical control,” in IEEE Conference on Decision and Control, 2021, pp. 6814–6821.
[48] J. J. Choi, D. Lee, B. Li, J. P. How, K. Sreenath, S. L. Herbert, and C. J. Tomlin, “A forward reachability perspective on robust control invariance and discount factors in reachability analysis,” arXiv preprint arXiv:2310.17180, 2024.
[49] E. Garone, S. D. Cairano, and I. Kolmanovsky, “Reference and command governors for systems with constraints: A survey on theory and applications,” Automatica, vol. 75, pp. 306–328, 2017.
[50] T. Gurriet, M. Mote, A. Singletary, P. Nilsson, E. Feron, and A. D. Ames, “A scalable safety critical control framework for nonlinear systems,” IEEE Access, vol. 8, pp. 187 249–187 275, 2020.
[51] A. Singletary, K. Klingebiel, J. R. Bourne, N. A. Browning, P. Tokumaru, and A. Ames, “Comparative analysis of control barrier functions and artificial potential fields for obstacle avoidance,” in IEEE/RSJ International Conference on Intelligent Robots and Systems, 2021, pp. 8129–8136.
[52] A. Singletary, A. Swann, Y. Chen, and A. D. Ames, “Onboard safety guarantees for racing drones: High-speed geofencing with control barrier functions,” IEEE Robotics and Automation Letters, vol. 7, no. 2, pp. 2897–2904, 2022.
[53] A. Singletary, A. Swann, I. D. J. Rodriguez, and A. D. Ames, “Safe drone flight with time-varying backup controllers,” in IEEE/RSJ International Conference on Intelligent Robots and Systems, 2022, pp. 4577–4584.
[54] W. Luo and A. Kapoor, “Airborne collision avoidance systems with probabilistic safety barrier certificates,” in NeurIPS ’19 Workshop on Safety and Robustness in Decision-making, 2019.
[55] E. Scukins and P. Ögren, “Using reinforcement learning to create control barrier functions for explicit risk mitigation in adversarial environments,” in IEEE International Conference on Robotics and Automation, 2021, pp. 10 734–10 740.
[56] E. Squires, R. Konda, S. Coogan, and M. Egerstedt, “Model free barrier functions via implicit evading maneuvers,” arXiv preprint, 2021.
[57] E. Squires, P. Pierpaoli, R. Konda, S. Coogan, and M. Egerstedt, “Composition of safety constraints for fixed-wing collision avoidance amidst limited communications,” Journal of Guidance, Control, and Dynamics, vol. 45, no. 4, pp. 714–725, 2022.
[58] H. Zhou, Z. Zheng, Z. Guan, and Y. Ma, “Control barrier function based nonlinear controller for automatic carrier landing,” in 16th International Conference on Control, Automation, Robotics and Vision, 2020, pp. 584–589.
[59] Y. Xu, R. Zhou, Z. Yu, F. Chen, and Y. Zhang, “Barrier Lyapunov function-based finite-time reliable trajectory tracking control of fixed-wing UAV with error constraints,” IFAC-PapersOnLine, vol. 55, no. 6, pp. 597–602, 2022.
[60] Z. Zheng, J. Li, Z. Guan, and Z. Zuo, “Constrained moving path following control for UAV with robust control barrier function,” IEEE/CAA Journal of Automatica Sinica, vol. 10, no. 7, pp. 1557–1570, 2023.
[61] T. G. Molnar, S. K. Kannan, J. Cunningham, K. Dunlap, K. L. Hobbs, and A. D. Ames, “Collision avoidance and geofencing for fixed-wing aircraft with control barrier functions,” IEEE Transactions on Control Systems Technology, vol. 33, no. 5, pp. 1493–1508, 2025.
[62] W. Xiao and C. Belta, “High order control barrier functions,” IEEE Transactions on Automatic Control, vol. 67, no. 7, pp. 3655–3662, 2022.
[63] X. Tan, W. S. Cortez, and D. V. Dimarogonas, “High-order barrier functions: robustness, safety and performance-critical control,” IEEE Transactions on Automatic Control, vol. 67, no. 6, pp. 3021–3028, 2022.
[64] M. H. Cohen, T. G. Molnar, and A. D. Ames, “Safety-critical control for autonomous systems: Control barrier functions via reduced order models,” Annual Reviews in Control, vol. 57, p. 100947, 2024.
[65] A. Singletary, A. Swann, Y. Chen, and A. D. Ames, “Onboard safety guarantees for racing drones: High-speed geofencing with control barrier functions,” IEEE Robotics and Automation Letters, vol. 7, no. 2, pp. 2897–2904, 2022.
[66] A. Singletary, A. Swann, I. D. J. Rodriguez, and A. D. Ames, “Safe drone flight with time-varying backup controllers,” in IEEE/RSJ International Conference on Intelligent Robots and Systems, 2022, pp. 4577–4584.
[67] T. Lee, M. Leoky, and N. H. McClamroch, “Geometric tracking control of a quadrotor UAV on SE(3),” in IEEE Conference on Decision and Control, 2010, pp. 5420–5425.
[68] S. Stephens, “A real-time algorithm to achieve precise coordinated arrival times in a time-variant environment,” Ph.D. dissertation, Air Force Institute of Technology, 2021.
[69] B. L. Stevens, F. L. Lewis, and E. N. Johnson, Aircraft Control and Simulation: Dynamics, Controls Design, and Autonomous Systems, 3rd Edition. John Wiley & Sons, New York, 2016.
[70] D. E. J. van Wijk, E. Das, T. G. Molnar, A. D. Ames, and J. W. Burdick, “Safety-critical control with bounded inputs: A closed-form solution for backup control barrier functions,” arXiv preprint, 2025.
[71] “Dynamic safety guardrails on vista F-16 aircraft,” YouTube, April 2025, accessed: 2026-03-27. [Online]. Available: https://youtu.be/gnAKMio4Pn8
[72] E. Lavretsky and K. A. Wise, “Robust adaptive control,” in Robust and adaptive control: With aerospace applications. Springer, 2012, pp. 317–353.
[73] T. G. Molnar, R. K. Cosner, A. W. Singletary, W. Ubellacker, and A. D. Ames, “Model-free safety-critical control for robotic systems,” IEEE Robotics and Automation Letters, vol. 7, no. 2, pp. 944–951, 2022.
[74] T. G. Molnar and A. D. Ames, “Safety-critical control with bounded inputs via reduced order models,” in American Control Conference, 2023, pp. 1414–1421.
[75] M. H. Cohen, T. G. Molnar, and A. D. Ames, “Safety-critical control for autonomous systems: Control barrier functions via reduced-order models,” Annual Reviews in Control, vol. 57, p. 100947, 2024.
[76] M. H. Cohen, N. Csomay-Shanklin, W. D. Compton, T. G. Molnar, and A. D. Ames, “Safety-critical controller synthesis with reduced-order models,” in American Control Conference, 2025.