Backup-based safety filters are safe, but can be very conservative
How can we achieve this behavior?
We revisit three backup-based safety filters—Backup CBF, Model Predictive Shielding (MPS), and gatekeeper—under a common safety-filter abstraction. All three methods share the same backbone: when the nominal controller becomes risky, they rely on a backup policy that keeps the system safe and steers it to a terminal controlled invariant set.
Recovered safe sets (light-colored regions) and filter-inactive sets (dark-colored regions) for the planar double-integrator example. The dashed black curve denotes the viability kernel. Backup CBF and MPS intervene earlier because safety is certified through an immediate or near-immediate commitment to backup, whereas gatekeeper enlarges the nominal-acceptance region by searching over the switching time.
This is a compact tutorial and comparative review paper. It clarifies the theoretical connections among Backup CBF, MPS, and gatekeeper, and explains when the three methods agree, differ, and intervene unnecessarily.
Motivation
Backup-based safety filters are attractive because they provide formal safety guarantees without requiring an explicit safe set certification online. However, a key limitation is what we call safety evaluation on backup: the nominal policy is often judged through the feasibility of switching to the backup maneuver, rather than through the nominal policy’s own continued safe execution.
(Backup CBF): Backup CBF is safe, but unnecessarily conservative. The filter commits to the backup lane change because its online certificate is tied to the backup trajectory itself.
(MPS): MPS is also safe, but still myopic. Because it checks validity only at a fixed switching time, it triggers an unnecessary lane change even when longer nominal execution would remain safe.
The consequence is unnecessary intervention. In the highway example, both Backup CBF and MPS remain safe, but they change lanes even though continuing in the nominal lane is still safe. The issue is therefore not a lack of safety, but conservatism induced by how the backup maneuver is used inside the certificate.
Q: How can we address this myopic behavior? Is there an existing method that can mitigate this issue?
A: Although Backup CBF, MPS, and gatekeeper have each attracted attention in different communities, their core ideas are surprisingly similar! This paper revisits the three methods in a unified framework, compares them side by side, and clarifies the advantages and limitations of each. The comparison also shows why gatekeeper can reduce this conservatism by searching over the switching time.
A Unified View of Backup CBF, MPS, and gatekeeper
All three methods share the same ingredients: a nominal policy, a backup policy, and a terminal controlled invariant set. From the current state, each method asks whether the system can remain safe and eventually recover by switching to the backup policy. The comparison becomes especially clear when we use one common candidate trajectory: first follow the nominal policy for some time, then switch to the backup policy, and ask whether that combined trajectory remains safe and reaches the terminal set.
High-level comparison of Backup CBF, MPS, and gatekeeper. Backup CBF constructs an implicit safe set from the backup policy and modifies the control via a QP; MPS performs a binary accept/reject check at a fixed switching time; gatekeeper searches over switching times to reduce unnecessary intervention.
The key difference lies in how each method uses the backup policy online. Backup CBF uses the backup policy to construct an implicit safe set and then minimally modifies the nominal input through a QP. MPS performs a binary accept/reject decision by checking a single switching time. gatekeeper uses the same validity check as MPS, but searches over switching times and selects the longest certified nominal segment before switching to backup.
This unified view makes the source of conservatism explicit. If backup is checked too early or too rigidly, the filter may reject nominal behavior that is in fact safe. gatekeeper mitigates this issue by turning the switching time into a decision variable.
MPS checks only one candidate switching time. The nominal controller is accepted only if switching to backup at the very next update is already certified safe.
gatekeeper uses the same validity check as MPS, but treats the switching time as a decision variable and selects the largest valid switching time. This simple change enlarges the set of states where the nominal controller can be left unchanged.
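The two decision rules described above, written out as a small simulation. This is an added illustration, not code from the paper or its repository, and it does not reproduce the QP-based Backup CBF modification. It assumes a one-dimensional double integrator with bounded acceleration, a nominal policy that accelerates toward the end of a corridor, a braking backup policy whose terminal set is "stopped inside the corridor and outside the gate zone", and a gate zone that becomes blocked from step index K_CLOSE onward; the constants, the initial state, and the function names (candidate_is_valid, mps_accepts_nominal, gatekeeper_switch_time, filtered_input) are all assumptions of this example. The time-varying gate is what makes the set of valid switching times non-contiguous: immediate backup is valid, switching one step later is not (the robot would come to rest inside the zone after it closes), and switching later still, once the robot has cleared the zone, is valid again. MPS checks only the one-step switch and therefore rejects the nominal input; gatekeeper scans the switching times, finds the longest valid one, and leaves the nominal input untouched.

```python
"""Added example: MPS check vs. gatekeeper search on a 1-D double integrator."""

DT = 0.1            # control period [s]            (assumed)
U_MAX = 1.0         # acceleration bound [m/s^2]    (assumed)
X_MAX = 10.0        # corridor: x must stay in [0, X_MAX]
GATE = (5.0, 5.5)   # gate zone, blocked once the gate closes
K_CLOSE = 10        # gate is closed at every step index k >= K_CLOSE
T_MAX = 20          # longest nominal segment gatekeeper considers
T_BACKUP = 40       # backup horizon, long enough to stop from any reachable speed
V_EPS = 1e-9        # "stopped" tolerance for the terminal set


def step(x, v, u):
    """Exact zero-order-hold discretization of x'' = u with |u| <= U_MAX."""
    u = max(-U_MAX, min(U_MAX, u))
    return x + DT * v + 0.5 * DT * DT * u, v + DT * u


def nominal(x, v, k):
    """Nominal policy: full throttle toward the far end of the corridor."""
    return U_MAX


def backup(x, v, k):
    """Backup policy: brake as hard as allowed; the last step lands on v = 0."""
    if abs(v) <= DT * U_MAX:
        return -v / DT
    return -U_MAX if v > 0 else U_MAX


def is_safe(x, v, k):
    """State constraint at step k: inside the corridor, not in a closed gate."""
    if not 0.0 <= x <= X_MAX:
        return False
    if k >= K_CLOSE and GATE[0] <= x <= GATE[1]:
        return False
    return True


def in_terminal_set(x, v, k):
    """Terminal controlled invariant set: at rest, in the corridor, outside the gate zone.
    Holding u = 0 keeps the state here for every future k, closed gate included."""
    return abs(v) <= V_EPS and 0.0 <= x <= X_MAX and not (GATE[0] <= x <= GATE[1])


def candidate_is_valid(x, v, k0, t_switch):
    """Shared validity check: follow nominal for t_switch steps, then backup.
    Every visited state must be safe and the final state must lie in the terminal set."""
    k = k0
    for i in range(t_switch + T_BACKUP):
        policy = nominal if i < t_switch else backup
        x, v = step(x, v, policy(x, v, k))
        k += 1
        if not is_safe(x, v, k):
            return False
    return in_terminal_set(x, v, k)


def mps_accepts_nominal(x, v, k0):
    """MPS: accept nominal only if switching to backup at the very next update is certified."""
    return candidate_is_valid(x, v, k0, 1)


def gatekeeper_switch_time(x, v, k0):
    """gatekeeper: largest certified switching time in [0, T_MAX], or None if none is valid."""
    for t in range(T_MAX, -1, -1):
        if candidate_is_valid(x, v, k0, t):
            return t
    return None


def valid_switch_times(x, v, k0):
    """All certified switching times; not prefix-closed when constraints are time-varying."""
    return [t for t in range(T_MAX + 1) if candidate_is_valid(x, v, k0, t)]


def filtered_input(method, x, v, k0):
    """Input applied at step k0 by each filter (nominal when the filter is inactive).
    Simplification: when no candidate is valid we brake; a real implementation would
    keep executing the trajectory committed at the previous step."""
    if method == "mps":
        active = not mps_accepts_nominal(x, v, k0)
    elif method == "gatekeeper":
        t = gatekeeper_switch_time(x, v, k0)
        active = t is None or t == 0
    else:
        raise ValueError(method)
    return (backup if active else nominal)(x, v, k0)


if __name__ == "__main__":
    x0, v0, k0 = 4.5, 0.9, 0   # constructed initial state: just before the gate, moving toward it
    print("valid switching times:", valid_switch_times(x0, v0, k0))
    print("MPS accepts nominal:", mps_accepts_nominal(x0, v0, k0))
    print("gatekeeper switching time:", gatekeeper_switch_time(x0, v0, k0))
    print("input applied: MPS =", filtered_input("mps", x0, v0, k0),
          " gatekeeper =", filtered_input("gatekeeper", x0, v0, k0))
```

For the constructed state (x = 4.5, v = 0.9 at k = 0) the valid switching times are 0 and 4 through 15: switching at 1, 2 or 3 leaves the robot stopped or still inside the gate zone when it closes at k = 10, and switching after 15 overruns the corridor end while braking. MPS therefore applies the backup (u = -1) although the nominal input is certifiably safe, while gatekeeper applies the nominal input (u = +1) with a committed switch at t = 15. The caveat a practitioner should keep in mind is that the gatekeeper search costs up to T_MAX + 1 rollouts per update, and the certificate is only as good as the model used in the rollout: any mismatch between the simulated backup and the real closed loop voids both filters' guarantees equally.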
Preview Experiments
The key question is not only whether the system stays safe, but how long the nominal controller can be preserved without unnecessary intervention.
1. Reach-Avoid Scenario
This scenario was motivated by the Mario game.
(Backup CBF): Backup CBF repeatedly retreats to the safety pocket whenever the obstacle approaches. The robot remains safe, but it becomes overly conservative and fails to make progress.
(MPS): MPS exhibits similar behavior. Because the validity test is tied to a fixed switching time, the robot commits to backup too early and does not reach the goal.
(gatekeeper): gatekeeper stays safe while delaying the switch to backup whenever possible. After the obstacle passes, it resumes nominal motion and reaches the goal.
2. Highway Overtake Scenario
(Backup CBF): Although the nominal lane is safe, Backup CBF performs an unnecessary backup lane change because its certificate is tied to the backup maneuver itself.
(MPS): MPS also changes lanes unnecessarily. The fixed switching-time check evaluates only a near-term switch to backup, not the continued safe execution of the nominal controller.
(gatekeeper): gatekeeper keeps following the nominal lane because a later switch to backup remains valid. This reduces intervention without sacrificing safety.
3. Highway Overtake Scenario (two obstacles)
(Backup CBF)
(MPS)
(gatekeeper): gatekeeper better exploits safe nominal motion by searching over the switching time before committing to backup.
4. GPS-Denied Navigation with Visual Odometry Error Constraints
A UAV navigates to a goal in an unknown environment and uses visual odometry to estimate its position. Visual features are discovered and mapped online. The safety constraints are to maintain at least 6 features in the FoV and to avoid the red no-fly zone. The budget constraint is to limit visual odometry error to no more than 9 m. The nominal policy is to fly towards the goal and the backup policy is to follow a path back to a landmark to reset the visual odometry budget. The backup policy paths are provided by ReRoot [see paper]. gatekeeper and MPS are used as the backup-based safety filters.
(MPS): The myopic switching time used in MPS means the UAV keeps returning to the starting location without sufficiently exploring the features, and it cannot find a safe path to the goal.
(gatekeeper): gatekeeper's longer horizon for choosing a switching time allows the UAV to explore more of the environment before switching to the backup, resulting in a successful mission in which the UAV reaches the goal.
For more details on the theory, proofs, and implementation, please refer to the paper and GitHub repository.
Acknowledgement
BibTeX
@inproceedings{kim2026backupbased,
author = {Kim, Taekyung and Menon, Aswin D. and Trivedi, Akshunn and Panagou, Dimitra},
title = {Backup-Based Safety Filters: A Comparative Review of Backup CBF, Model Predictive Shielding, and gatekeeper},
booktitle = {arXiv preprint arXiv:2604.02401},
shorttitle = {Backup-Based Safety Filters},
year = {2026}
}