Combined Left and Right Temporal Robustness
for Control under STL Specifications

This paper studies temporal robustness of time-critical systems, i.e., systems in which meeting real-time safety constraints is of great importance. Examples of time-critical systems include multi-robot systems and self-driving cars. While time-critical systems may satisfy their safety constraints under nominal operating conditions, already slight temporal perturbations such as time delays may jeopardize its safety if the system is not robust against such perturbations.

A common way to express real-time constraints is to use signal temporal logic (STL) [1]. Spatial robustness of STL specifications, quantifying permissible spatial perturbations, has been widely studied in the literature, see e.g., [2, 3, 4]. For control under spatial robustness objectives, there exist mixed-integer linear programming (MILP) approaches [5, 6, 7], gradient-descent searches [8, 9], control barrier functions for STL [10, 11], and learning-based frameworks [12]. However, these notions do not directly capture any robustness against temporal uncertainties. A first attempt to define time robustness for STL specifications was made in [13]. The authors define the left (right) time robustness by quantifying the maximal permissible left (right) time shifts in the predicates of the STL specification that do not result in a violation of the specification. In our previous works [14, 15], we analyze various properties of left (right) time robustness and propose an MILP encoding to control linear systems such that the left (right) time robustness is maximized. We continue along these lines and propose a novel notion of temporal robustness to account for both forward and backward temporal perturbations.

Besides the aforementioned notion of left (right) time robustness, there exist various other time robustness notions. Averaged STL was presented in [16] and captures temporal robustness by averaging spatial robustness over time intervals. Hybrid system conformance, see e.g., [17, 18], quantifies the closeness of hybrid systems trajectories and measures a combination of spatial and time robustness, but does not allow for asynchronous time shift in the predicates. The authors in [19] introduce a metric that can quantify the temporal relaxation of STL specifications. Tailored to multi-agent systems, the authors in [20, 21] propose counting linear temporal logic which requires a minimum number of agents for the satisfaction of a specification. The authors design control laws for such specifications where agents can implement their plans asynchronously, which can even account for time scaling effects, e.g., an agent pauses or speeds up, and not only time shifts in the predicate signal as we consider in this work. Temporal robustness of stochastic signals has been considered in [22] by using risk measures, but the authors there consider time shifts in the system signal, opposed to time shifts in predicates. In [23], monitoring of STL specifications under timing uncertainty in the underlying signal is considered by using over- and under-approximation of the satisfaction times of predicates. While [24] considers the time sensitive control for a subset of STL specifications, the authors in [25] present the time window temporal logic that is used in [26, 27] to obtain control laws for finding temporal relaxations when the specification is not satisfiable. In [28], the STL-based resiliency for cyber-physical system is presented that can capture temporal violations by recoverability and durability.

We make the following contributions. First, we propose a novel notion of temporal robustness for STL specifications to account for forward and backward temporal perturbations. We quantify the amount of permissible time shifts in the STL predicates to the left and right. We then show a set of desirable properties of our definition. Furthermore, we propose an MILP encoding for control of linear systems under the temporal robustness objective.

Let $\mathbf{x}:\mathbb{T}\to X$ be a discrete-time signal with $\mathbb{T}\subseteq\mathbb{N}$ (we assume that $\mathbb{N}$ includes $0$) being the time domain and $x_{t}\in X$ being the state at time $t$, where $X\subseteq\mathbb{R}^{n}$ is a metric space. We call the set of all signals $\mathbf{x}:\mathbb{T}\to X$ the signal space $X^{\mathbb{T}}$. A predicate $p$ is defined as $p:=\mu(x)\geq 0$, where $\mu(x):X\to\mathbb{R}$ is a real-valued function of the state $x$. Let $I\subseteq\mathbb{T}$ be a time interval. For any time point $t\in\mathbb{T}$, we define the set $t+I:=\{t+\tau\ |\,\tau\in I\}$. The syntax of Signal Temporal Logic (STL) is defined recursively as follows [1]:

where $p\in AP$ is a predicate from a set of predicates $AP$, $\neg$ and $\wedge$ are the Boolean negation and conjunction, respectively, and $\mathcal{U}_{I}$ is the Until temporal operator over a time interval $I$. One can further define additional STL operators such as $\varphi_{1}\vee\varphi_{2}:=\neg(\neg\varphi_{1}\wedge\neg\varphi_{2})$ (disjunction), $\Diamond_{I}\varphi:=\top\mathcal{U}_{I}\varphi$ (eventually) and $\square_{I}\varphi:=\neg\Diamond_{I}\neg\varphi$ (always).

The semantics of an STL formula $\varphi$ define when a signal $\mathbf{x}$ satisfies $\varphi$ at time $t$. Commonly, it is given via the STL characteristic function $\chi_{\varphi}(\mathbf{x},t):X^{\mathbb{T}}\times\mathbb{T}\to\{\pm 1\}$, see [13] for details. Intuitively, when $\chi_{\varphi}(\mathbf{x},t)=1$, it holds that the signal $\mathbf{x}$ satisfies the formula $\varphi$ at time $t$, while $\chi_{\varphi}(\mathbf{x},t)=-1$ indicates that $\mathbf{x}$ does not satisfy $\varphi$ at time $t$.

While the semantics of STL indicate if the signal satisfies a given specification at time $t$, the left and right time robustness measures how robustly a signal satisfies a given specification at time $t$ with respect to perturbations in time [13]. The left and right time robustness $\theta^{\pm}_{\varphi}(\mathbf{x},t)$ of a formula $\varphi$ relative to a signal $\mathbf{x}$ at time $t$ is defined recursively. For instance, the left and right time robustness of a predicate $p$ are defined as follows:

and then, to obtain the $\theta^{\pm}_{\varphi}(\mathbf{x},t)$, one needs to apply the standard recursive $\inf$/$\sup$ rules to each $\theta^{\pm}_{p}(\mathbf{x},t)$, similarly to the characteristic function $\chi_{\varphi}(\mathbf{x},t)$, see [15] for details.

The sign of the left (right) time robustness reflects the satisfaction of the specification. Formally, if $\theta^{\pm}_{\varphi}(\mathbf{x},t)>0$ then $\chi_{\varphi}(\mathbf{x},t)=1$ and if $\theta^{\pm}_{\varphi}(\mathbf{x},t)<0$ then $\chi_{\varphi}(\mathbf{x},t)=-1$. In [15], we also showed that the absolute value of the left (right) time robustness measures how robustly a signal $\mathbf{x}$ satisfies a formula $\varphi$ at time $t$ with respect to time shifts in the predicates of formula $\varphi$. In fact, one can asynchronously shift predicates in time to the left by up to $|\theta^{+}_{\varphi}(\mathbf{x},t)|$ and the specification will not change its satisfaction. Formally, for $\tau_{1},\ldots,\tau_{K}\in\mathbb{N}$, where $K$ is the number of predicates, if $\max_{k}\tau_{k}\leq|\theta^{+}_{\varphi}(\mathbf{x},t)|$ then $\chi_{\varphi}(\mathbf{x}^{\leftarrow\bar{\tau}},t)=\chi_{\varphi}(\mathbf{x},t)$, where $\bar{\tau}=(\tau_{1},\ldots,\tau_{K})$ and $\mathbf{x}^{\leftarrow\bar{\tau}}$ is a $\bar{\tau}$-early signal¹¹1The signal $\mathbf{x}^{\leftarrow\bar{\tau}}$ is called a $\bar{\tau}$-early signal if $\forall p_{k}\in AP$, $\forall t\in\mathbb{T}$, $\chi_{p_{k}}(\mathbf{x}^{\leftarrow\bar{\tau}},t)=\chi_{p_{k}}(\mathbf{x},t+\tau_{k})$. The signal $\mathbf{x}^{\rightarrow\bar{\tau}}$ is called a $\bar{\tau}$-late signal if $\forall p_{k}\in AP$, $\forall t\in\mathbb{T}$, $\chi_{p_{k}}(\mathbf{x}^{\rightarrow\bar{\tau}},t)=\chi_{p_{k}}(\mathbf{x},t-\tau_{k})$, see [15].. Analogously, if one shifts predicates in time to the right by up to $|\theta^{-}_{\varphi}(\mathbf{x},t)|$ then $\varphi$ will not change its satisfaction. Formally, for $\tau_{1},\ldots,\tau_{K}\in\mathbb{N}$, if $\max_{k}\tau_{k}\leq|\theta^{-}_{\varphi}(\mathbf{x},t)|$ then $\chi_{\varphi}(\mathbf{x}^{\rightarrow\bar{\tau}},t)=\chi_{\varphi}(\mathbf{x},t)$, where $\mathbf{x}^{\rightarrow\bar{\tau}}$ is a $\bar{\tau}$-late signal.

Note that the left (right) time robustness is directional: its value provides a bound on how much predicates can be shifted to the left (right). Importantly, one cannot consider time shifts of some predicates to the left, while some other predicates are shifted to the right. For instance, note that if we shift a predicate $p$ in Fig.1(a) by 1 time step to the left, but a predicate $q$ by 2 time steps to the right, see Fig. 1(c), then for the shifted signal $\mathbf{x}_{\bar{\tau}}$, where $\bar{\tau}=(1,-2)$, the formula satisfaction at time $t$ changes, i.e., it holds that $\chi_{\varphi}(\mathbf{x}_{\bar{\tau}},t)=-1\not=\chi_{\varphi}(\mathbf{x},t)$. To overcome this limitation, we propose a temporal robustness which quantifies the amount of permissible time perturbation in both directions.

We next show soundness of our definition, and remark that the proofs of our results are provided in the Appendix.

Let us next analyze what information $\theta_{\varphi}(\mathbf{x},t)$ gives us about robustness. First going back to Example 1 and Fig. 1(a), the temporal robustness is $\theta_{p\vee q}(\mathbf{x},t)=1$ (since $\theta_{p}(\mathbf{x},t)=0$ and $\theta_{q}(\mathbf{x},t)=1$) which gives us the desired result that the left (right) time robustness could not give us. Recall that we consider temporal robustness by time shifts in the characteristic functions $\chi_{p_{k}}(\mathbf{x},t)$ in an asynchronous manner, i.e., for each predicate $p_{k}$ individually. Formally, for time shifts $\tau_{1},\ldots,\tau_{K}\in\mathbb{Z}$, we say that a signal $\mathbf{x}_{\bar{\tau}}$ is an asynchronously shifted signal if $\chi_{p_{k}}(\mathbf{x}_{\bar{\tau}},t)=\chi_{p_{k}}(\mathbf{x},t+\tau_{k})$ for all $t\in\mathbb{T}$ and for all $p_{k}\in AP=\{p_{1},\ldots,p_{K}\}$. We next show how the temporal robustness $\theta_{\varphi}(\mathbf{x},t)$ relates to permissible time shifts $\tau_{k}$ via $\mathbf{x}_{\bar{\tau}}$.

For predicates, we show an interesting connection between the temporal robustness and the left (right) time robustness which follows directly from the definition.

For a formula $\varphi$, it however does not hold that $\theta_{\varphi}(\mathbf{x},t)=\chi_{\varphi}(\mathbf{x},t)\cdot\min\left(|\theta^{+}_{\varphi}(\mathbf{x},t)|,\ |\theta^{-}_{\varphi}(\mathbf{x},t)|\right)$, e.g., as in Example 1. However, we can prove the following relation between them.

Let us next address the question of how to control a system to be temporally robust. We particularly consider linear systems and assume that the formula $\varphi$ is build upon linear predicates. Our goal is to find an optimal control sequence $\mathbf{u}^{*}$ such that the corresponding trajectory $\mathbf{x}$ respects input and state constraints and satisfies the specification $\varphi$ robustly while maximizing a desired cost function $J$.

To solve Problem 1 with $J=\theta_{\varphi}(\mathbf{x})$, we present a mixed-integer linear (MILP) encoding of the temporal robustness $\theta_{\varphi}(\mathbf{x})$. Recall that by Def. III.1, $\theta_{\varphi}(\mathbf{x},t)$ is defined recursively on the structure of $\varphi$. Below, we describe the main milestone of the overall MILP encoding, that is the encoding of predicates $\theta_{p}(\mathbf{x},t)$. From Cor. III.3 and Thm. III.1, we get that

The complete MILP encoding of $\theta^{+}_{p}(\mathbf{x},t)$, $\theta^{-}_{p}(\mathbf{x},t)$ and $\chi_{p}(\mathbf{x},t)$ is presented in [14]. The encoding in [14] introduces binary variables $z_{t}\in\{0,1\}$ to represent the Boolean satisfaction of the given predicate $p$ at every time point $t$ within the horizon and also introduces the integer counter variables $c_{t}^{1}$ and $c_{t}^{0}$ to enumerate sequential time points in the future and in the past for which $\chi_{p}(\mathbf{x},t)$ does not change its value.

Next, having encoded the left $\theta^{+}_{p}(\mathbf{x},t)$ and right $\theta^{-}_{p}(\mathbf{x},t)$ temporal robustness of a predicate $p$, the $\min$ and $\max$ operators used in (3) can be encoded utilizing the rules from [5]. For instance, if $\theta^{+}_{p}(\mathbf{x},t)=r_{1}$ and $\theta^{-}_{p}(\mathbf{x},t)=r_{2}$, then $\min(\theta^{+}_{p}(\mathbf{x},t),\ \theta^{-}_{p}(\mathbf{x},t))=r$ if and only if:

where $b_{i}=\{0,1\}$ are introduced binary variables and $M$ is a big-$M$ parameter. The $\max$ operator can be encoded similarly.

Thus, we obtain the MILP encoding of the two variables from (3), ${\color[rgb]{0,0,0}\definecolor[named]{pgfstrokecolor}{rgb}{0,0,0}\pgfsys@color@gray@stroke{0}\pgfsys@color@gray@fill{0}\nu_{t}}:=\min\left(\theta^{+}_{p}(\mathbf{x},t),\ \theta^{-}_{p}(\mathbf{x},t)\right)$ and ${\color[rgb]{0,0,0}\definecolor[named]{pgfstrokecolor}{rgb}{0,0,0}\pgfsys@color@gray@stroke{0}\pgfsys@color@gray@fill{0}\omega_{t}}:=\max\left(\theta^{+}_{p}(\mathbf{x},t),\,\theta^{-}_{p}(\mathbf{x},t)\right)$. Using (3) and the binary variables $z_{t}:=\frac{\chi_{p}(\mathbf{x},t)+1}{2}$, the temporal robustness $\theta_{p}(\mathbf{x},t)$ is defined as³³3Note that (5) can be expressed as a set of MILP constraints according to [14, Lemma 4.1].

We can now use the MILP encoding for the remaining Boolean and temporal operators as originally presented in [5]. In Section V and Table I we present a comparison analysis of the performance and computation times of solving Problem 1 for various temporal robustness functions, such as $J=\theta_{\varphi}(\mathbf{x})$ and $J=\theta^{\pm}_{\varphi}(\mathbf{x})$.

In this section, we present two case studies in which we solve the control-synthesis problem 1 for various cost functions. All simulations were performed on an Intel Core i7-9750H 6-core processor with 16GB RAM. The code was implemented in MATLAB using YALMIP [29] with Gurobi 9.1 [30] as the solver. The computation times and links to animations are reported in Table I.

Scenario 1 - Timed Navigation. Consider an autonomous agent with 2D position and velocity $x:=(\text{pos},\,\text{vel})\in\mathbb{R}^{4}$ where $(\text{pos}_{0},\text{vel}_{0}):=(0,6,0,0)$. We consider the dynamics

where $F:=I_{2}\otimes\begin{bmatrix}1&0.1\\ 0&1\end{bmatrix}$ and $G:=\begin{bmatrix}0.005\\ 0.1\end{bmatrix}$. The agent should first reach zone $A$, see Fig. 2 for an illustration, any time within the time interval $[10,14]$ and then reach zone $B$ any time within $[19,23]$ as captured by the STL specification:

where $A:=(x\geq 4)\wedge(x\leq 8)\wedge(y\geq 4)\wedge(y\leq 8)$ and $B:=(x\geq 6)\wedge(x\leq 10)\wedge(y\geq 12)\wedge(y\leq 16)$.

We first solve Problem 1 for $J=\theta_{\varphi}(\mathbf{x})$ and plot the resulting trajectory $\mathbf{x}^{*}$ in Fig. 2(a), and obtain $\theta_{\varphi}(\mathbf{x}^{*})=4$. From the characteristic function plotted in Fig. 2(a), one can see that if the agent starts the execution of the trajectory by up to 4 time steps earlier or later, the mission specification $\varphi$ will still be satisfied, since for such a shifted trajectory there will be at least one point in time, where the agent is within zone $A$ and $B$ within the specified time intervals (depicted in grey color). This result supports Thm. III.2 derived previously. For comparison, the calculated left and right time robustness are $\theta^{+}_{\varphi}(\mathbf{x}^{*})=6$ and $\theta^{-}_{\varphi}(\mathbf{x}^{*})=4$, respectively. One can see, that indeed, $\theta_{\varphi}(\mathbf{x}^{*})\leq\theta^{\pm}_{\varphi}(\mathbf{x}^{*})$ which is expected by Thm. III.4.

To compare the system’s behavior under different cost functions in Problem 1, we use the left time robustness $J=\theta^{+}_{\varphi}(\mathbf{x})$ and the right time robustness $J=\theta^{-}_{\varphi}(\mathbf{x})$ as control objectives. We next show that the temporal robustness is preferred over the left and right time robustness when dealing with systems where the direction of perturbations in time is unknown.

The results of maximizing the left time robustness are presented in Fig. 2(b) where $J^{*}=\theta^{+}_{\varphi}(\mathbf{x}^{*})=10$. It is expected that the maximization of the left time robustness leads to a trajectory for which the agent reaches the desired goal within the required time bounds and then it stays there for as long as possible. In Fig. 2(b) this is represented as $\chi_{\text{pos}\in A}(\mathbf{x}^{*},9)=\ldots=\chi_{\text{pos}\in A}(\mathbf{x}^{*},20)=1$ and $\chi_{\text{pos}\in B}(\mathbf{x}^{*},23)=\ldots=\chi_{\text{pos}\in B}(\mathbf{x}^{*},34)=1$. This means that if the agent starts the execution earlier by up to 10 time units (the trajectory is shifted to the left), the mission will still be satisfied. However, any perturbation that leads to a trajectory shifted to the right results in a violation of the specification, $\theta_{\varphi}(\mathbf{x}^{*})=\theta^{-}(\mathbf{x}^{*})=0$. Indeed, in this case, the agent will not be able to visit the zone $B$ within $[19,23]$ time units, see Fig. 2(b).

The results of maximizing the right time robustness are presented in Fig. 2(c) where $J^{*}=\theta^{-}_{\varphi}(\mathbf{x}^{*})=6$. Note that in this case, the agent reaches both zones as soon as possible, see Fig. 2(c). We obtain the temporal robustness and left time robustness of $\theta_{\varphi}(\mathbf{x}^{*})=\theta^{+}_{\varphi}(\mathbf{x}^{*})=3$. We can again see that $\theta_{\varphi}(\mathbf{x}^{*})\leq\theta^{\pm}_{\varphi}(\mathbf{x}^{*})$ which is consistent with Thm. III.4. Also note that since the evaluated left time robustness $\theta^{+}_{\varphi}(\mathbf{x}^{*})=3$, only the predicate shifts up to $3$ time steps to the left still guarantee the satisfaction of the specification. From Fig. 2(c) one can see that the shift by $4$ time steps to the left leads to an agent leaving both regions of interest sooner than the predefined intervals, therefore, the mission is violated.

Scenario 2 - Timed Multi-UAV Surveillance. We now consider two unmanned aerial vehicles (UAVs) in a surveillance mission. Particularly, consider the $d$th agent with state $x^{(d)}:=(\text{pos}^{(d)},\text{vel}^{(d)})\in\mathbb{R}^{6}$ where pos and vel are the 3D position and velocity, see Fig. 3. The initial states are set to be $(\text{pos}_{0}^{(1)},\text{vel}_{0}^{(1)}):=(1,14,0,0,0,0)$ and $(\text{pos}_{0}^{(2)},\text{vel}_{0}^{(2)}):=(9,1,0,0,0,0)$. Let the dynamics of both UAVs be of the form $x^{(d)}_{t+1}=Fx^{(d)}_{t}+Gu^{(d)}_{t}$ where $F$ and $G$ are obtained through the linearization of the UAV dynamics, see [31] for more details. The inputs $u^{(d)}_{t}\in\mathbb{R}^{3}$ are the thrust, roll, and pitch of the UAV.

The UAVs are tasked with a persistent surveillance mission of the region $C$, see Fig. 3, while each of them must visit their individually assigned regions $A$ and $B$. The overall specification is of the form $\varphi:=\bigwedge_{i=1}^{3}\varphi_{i}$ where:

1. 1.

   UAV 1 should reach and stay in zone $A$ all the time from $29$ to $31$ time units, $\varphi_{1}:=\square_{[29,31]}\left(\text{pos}^{(1)}\in A\right)$.

2. 2.

   UAV 2 should eventually reach zone $B$ any time between $0$ and $20$ time units, $\varphi_{2}:=\Diamond_{[0,20]}\left(\text{pos}^{(2)}\in B\right)$.

3. 3.

   Region $C$ should be surveilled, i.e. either one or both UAVs must be within $C$ all the time from $11$ to $30$ time units, $\varphi_{3}:=\square_{[11,30]}\left(\text{pos}^{(1)}\in C\ \vee\ \text{pos}^{(2)}\in C\right)$.

Similarly to the 2D case, the regions $A$, $B$ and $C$ are defined via a set of conjunctions over linear predicates.

We solve Problem 1 for the temporal robustness objective which leads to the optimal solution $J^{*}=\theta_{\varphi}(\mathbf{x}^{*})=3$. Such optimal solution due to Thm. III.2 guarantees that for any shifted signal $\mathbf{x}_{\bar{\tau}}$ with $\max(|\tau_{1}|,|\tau_{2}|)\leq 3$, the mission specification will be satisfied. Take a look at Fig. 4. For the corner case, if one shifts the orange line to the left by $3$ time units and the violet one to the right by $3$ time units, i.e. $\bar{\tau}=(3,-3)$, then one can see that $\chi_{\text{pos}^{(1)}\in C}(\mathbf{x}_{\bar{\tau}},5)=\ldots=\chi_{\text{pos}^{(1)}\in C}(\mathbf{x}_{\bar{\tau}},16)=1$ and $\chi_{\text{pos}^{(2)}\in C}(\mathbf{x}_{\bar{\tau}},17)=\ldots=\chi_{\text{pos}^{(2)}\in C}(\mathbf{x}_{\bar{\tau}},34)=1$, therefore, $\chi_{\varphi_{3}}(\mathbf{x}_{\bar{\tau}})=1$. Analogously, $\varphi_{1}$ and $\varphi_{2}$ are satisfied by $\mathbf{x}_{\bar{\tau}}$, therefore, the overall satisfaction of $\varphi$ is indeed preserved by the shift $\bar{\tau}=(3,-3)$.

We proposed a temporal robustness for STL specifications to account for forward and backward temporal perturbations. We showed the desirable properties of this new robustness notion, including soundness and the meaning of the temporal robustness in terms of permissible forward and backward time shifts. We then designed control laws for linear systems that maximize the temporal robustness objective using mixed-integer linear programming (MILP). Finally, we presented two case studies to illustrate how the proposed temporal robustness accounts for timing uncertainties.