What are Safety Filters?

The Brief Explanation

As a community, we are relying more and more on planning and control stacks that rely on black-box and data-driven approaches. While sometimes more performant, these methods generally 1) are not explainable (i.e. it’s hard to follow their logic), and 2) cannot guarantee that they will generate safe control actions. Because of this, there has become more and more demand for a standalone “safety module” that can wrap around this autonomy stack and ensure that the resulting action to the system is safe. This is the basic idea for safety filters.

A safety filter takes in the current state of the system and the desired control action from the planning and control stack. The filter, if designed correctly, will minimally modify this desired action to ensure safety. For a large class of systems, this optimization is a “quadratic program,” and can be solved very quickly during runtime.

The filter depends on a key function, often called a Control Barrier Function, Safety Value Function, or sometimes we directly call it the Safety Filter. This function is designed based on the system dynamics and the safety constraints. It has two very important features:

1. The function takes in the current state of the system, and outputs the current safety level. Positive is safe, negative is unsafe (i.e. may lead to failure).

2. The gradient of the function informs the set of control actions that are allowed, i.e. that preserve safety.

These two pieces of information are used in the filter to assess current safety levels and to modify the performance control action to stay within the set of safety-preserving actions. (aside: if you are familiar with control Lyapunov functions, these are intimately related).

There are a few challenges with safety filters, but by far the biggest challenge is how to find a valid safety filter. This is especially hard when: a) the system is high-dimensional, b) the system has complicated dynamics (e.g. nonlinear, high-order), c) the system has bounded inputs and/or disturbances, and d) the safety constraints are complicated.

The Thorough Explanation

Here is a nice survey on safety filters from 2024 from Professor Jaime Fisac and his group.

Here is a comparison of several approaches for data-driven safety filters from 2023, written by several experts in the field.

For deeper theory connections, I am quite partial to my student Dylan Hirsch’s recent paper from 2026.

Theory papers from our Group

These papers cover how HJ reachability relates to other approaches for safety analysis and control, and how it can be applied beyond its original problem formulation.

Generalizing HJ Reachability to Temporal Logic Specifications

In these papers, we show how HJ reachability can be used for general task logic. For example, in the hardware experiment below, the two quadcopters must “deliver” packages to random goals while avoiding obstacles and a no-fly zone (the square in the center). They must also regularly “charge” by flying over the quadruped. This kind of long-horizon complex task can be specified using temporal logic. However, solving these temporal logic problems for control is challenging.

We have some nice results showing how we can decompose such specifications into small sub-problems that are easier to learn/compute. Importantly, when we recompose the solved value functions, the resulting value function satisfies the original task specification.

• Bellman Value Decomposition for Task Logic in Safe Optimal Control [RSS 2026]

• Dual-Objective Reinforcement Learning from Novel Hamilton-Jacobi-Bellman Equations [ICLR 2026]

On the Relationship between Hamilton-Jacobi Reachability and Control Barrier Functions

A specific use case of HJR is to generate a value function that can act as a safety filter. Safety filters are used to minimally modify a nominal control input to maintain safety. These have gotten very popular, as companies often want to add a safety “wrapper” to a performance layer that doesn’t guarantee safety (e.g. foundation models, video-language-action models, etc.). More on this on the safety filter page.

Another common safety filter is called a control barrier function (CBFs). We took a deep dive into understanding the relationship between CBFs and HJR, and how the two approaches can be used together to strengthen the theoretical underpinnings and practical tools for each method.

• Viscosity CBFs: Bridging the Control Barrier Function and Hamilton-Jacobi Reachability Frameworks in Safe Control Theory [ACC 2026]

• Robust Control Barrier–Value Functions for Safety-Critical Control [CDC 2021]

• Refining Control Barrier Functions through Hamilton-Jacobi Reachability [IROS 2022]

HJ Reachability for Stabilization Problems

Traditional HJR solves for the minimum time to reach a goal. This is useful in many applications, but not all. For example, reaching a parking space in the minimum time would involve accelerating straight through the parking space. In many cases, we want to ensure that the system not only reaches a goal, but stabilizes there. The following works explore how to formulate this using HJR.

• Solving Reach- and Stabilize-Avoid Problems Using Discounted Reachability [TAC 2026]

• Constructing Control Lyapunov-Value Functions Using Hamilton-Jacobi Reachability Analysis [LCSS 2023]

  
  

Papers on Tools for Solving Reachability

Learning-based approaches for scalability

To extend the scalability of HJR, one of the most promising approaches is via learning-based methods. The challenge is how to encourage goal-reaching and obstacle-avoiding behavior when learning over high-dimensional state spaces. We have several approaches to this.

For reinforcement learning, we can a) propose special safety Bellman equations that can decompose rigorously into smaller problems with richer reward functions that are easier to learn, b) incorporate adversarial players during learning for robustness, and c) encourage the system to return efficiently to safety when it is in danger.

For supervised learning, we have work showing that we can a) guide the training using supervision from linear methods or model-predictive control, and b) locally patch small invalid regions of the value function using HJR, recovering guarantees.

• Reinforcement Learning

  • Bellman Value Decomposition for Task Logic in Safe Optimal Control [RSS 2026]

  • Hamilton-Jacobi Reachability in Reinforcement Learning: A Survey [OJ-CSYS 2024]

  • Iterative Reachability Estimation for Safe Reinforcement Learning [NeurIPS 2023]

• Supervised Learning

  • Patching Approximately Safe Value Functions Leveraging Local Hamilton-Jacobi Reachability Analysis [CDC 2024]

  • Linear Supervision for Nonlinear, High-Dimensional Neural Control and Differential Games [L4DC 2025]

  • MADR: MPC-guided Adversarial DeepReach [ICRA 2026]

Transformation to linear spaces (e.g. Koopman)

This paper employs a tool from the applied math community (Hopf reachability) to perform very fast reachability analysis. The catch is that this tool requires the system to be linear time varying. By linearizing a nonlinear system (by lifting it to a higher dimension), we can bound the resulting linearization error and treat this error as an adversarial disturbance in the reachability computation. This results in guaranteed conservative results on the true nonlinear system with the speedup available using the linear approach.

• State-Augmented Linear Games with Antagonistic Error for High-Dimensional, Nonlinear Hamilton-Jacobi Reachability [CDC 2024]

• Conservative Linear Envelopes for High-Dimensional, Hamilton-Jacobi Reachability for Nonlinear Systems via the Hopf Formula [TAC 2026]’

Decomposition-based Approaches

By decomposing the dynamic system either in space or time, we can solve smaller sub-problems.

• Decomposition in time

  • Approximate Hamilton-Jacobi Reachability Analysis for a Class of Two-Timescale Systems, with Application to Biological Models [CDC 2025]

• Decomposition in space

  • Efficient and Guaranteed Hamilton-Jacobi Reachability via Self-Contained Subsystem Decomposition and Admissible Control Sets [LCSS 2023]

  • Synthesizing Control Lyapunov-Value Functions for High-Dimensional Systems Using System Decomposition and Admissible Control Sets [CDC 2024]

Reduced order modeling

We have shown that by solving a game between a high-fidelity model of a system and its low-dimensional reduced-order model, we can use the precomputed solution to augment any low-dimensional planner with a tracking error bound and tracking controller on the high-fidelity system. This allows us to plan in low dimensions with safety guarantees on the high-dimensional system. For more details, see the FaSTrack page.

• Safe Returning FaSTrack with Robust Control Lyapunov-Value Functions [LCSS 2024]

• Parameterized Fast and Safe Tracking (FaSTrack) using DeepReach [L4DC 2024]

Available Toolboxes

• hj_reachability (Python) — this is the Python implementation of the above toolboxes, led by Edward Schmerling at Stanford. It is much more efficient than the MATLAB version and has an active group maintaining and updating it. It currently lacks some of the niche functionality of the helperOC toolbox below, but it is very good for most reachability applications and is adding new functionality rapidly.

• helperOC (MATLAB) — Our public code for computing reachable sets can be cloned or downloaded at https://github.com/HJReachability/helperOC (note: this is essentially a user-friendly wrapper with extra functionality for Prof. Ian Mitchel’s level set toolbox). This MATLAB repository contains a lot of visualization functionality. The downside is that it is not as efficient as the other toolboxes.

• DeepReach (Python) — Toolbox from Prof. Somil Bansal at the University of Southern California for approximating high-dimensional value functions using sinusoidal neural networks. Paper here.

• BEACLS (C++) — BEACLS stands for Berkeley Efficient API in C++ for Level Set methods. It is essentially a reimplementation of the MATLAB toolboxes in C++ with tweaks to improve efficiency and compatibility with GPUs. It is quite a bit faster than the MATLAB implementation, but sacrifices readability for performance.

• optimized_dp (Python/C++) — This toolbox was built by Prof. Mo Chen at Simon Fraser University, with the goal of having an easy python-based user interface to set up a reachability problem, and then conversion to fast C++ code via HeteroCL.

• Flow* — Developed by Prof. Sriram Sankaranarayanan at CU Boulder. Good for computing safe sets for large numbers of states, and computing sets that do not have control/disturbance inputs (i.e. policy is already determined and plugged into dynamics). Uses scalability tools that lead to over-approximation of reachable sets.