Diagnosis and Repair for Synthesis from Signal Temporal Logic Specifications

Diagnosis and Repair for Synthesis
from Signal Temporal Logic Specifications

Abstract

We address the problem of diagnosing and repairing specifications for hybrid systems formalized in signal temporal logic (STL). Our focus is on the setting of automatic synthesis of controllers in a model predictive control (MPC) framework. We build on recent approaches that reduce the controller synthesis problem to solving one or more mixed integer linear programs (MILPs), where infeasibility of a MILP usually indicates unrealizability of the controller synthesis problem. Given an infeasible STL synthesis problem, we present algorithms that provide feedback on the reasons for unrealizability, and suggestions for making it realizable. Our algorithms are sound and complete, i. e., they provide a correct diagnosis, and always terminate with a non-trivial specification that is feasible using the chosen synthesis method, when such a solution exists. We demonstrate the effectiveness of our approach on the synthesis of controllers for various cyber-physical systems, including an autonomous driving application and an aircraft electric power system.

Diagnosis and Repair for Synthesis

from Signal Temporal Logic Specifications


Shromona Ghosh            Dorsa Sadigh            Pierluigi Nuzzo
Vasumathi Raman            Alexandre Donzé            Alberto Sangiovanni-Vincentelli
S. Shankar Sastry            Sanjit A. Seshia
Department of Electrical Engineering and Computer Sciences, University of California, Berkeley, CA
United Technologies Research Center, Berkeley, CA


\@float

copyrightbox[b]

\end@float

The automatic synthesis of controllers for hybrid systems from expressive high-level specification languages allows raising the level of abstraction for the designer while ensuring correctness of the resulting controller. In particular, several controller synthesis methods have been proposed for expressive temporal logics and a variety of system dynamics. However, a major challenge for the adoption of these methods in practice is the difficulty of writing correctly formal specifications. Specifications that are poorly stated, incomplete, or inconsistent can produce synthesis problems that are unrealizable (no controller exists for the provided specification), intractable (synthesis is computationally too hard), or lead to solutions that fail to capture the designer’s intent. In this paper, we present an algorithmic approach to reduce the specification burden for controller synthesis from temporal logic specifications, focusing on the case when the original specification is unrealizable.

Logical specifications can be provided in multiple ways. One approach is to provide monolithic specifications, combining within a single formula constraints on the environment with desired properties of the system under control. In many cases, a system specification can be conveniently provided as a contract to emphasize what are the responsibilities of the system under control (guarantees) versus the assumptions on the external, possibly adversarial, environment [?, ?]. In such a scenario, besides “weakening” the guarantees, realizability of a controller can also be achieved by “tightening” the assumptions. Indeed, when the specification is unrealizable, it could be either because the environment assumptions are too weak, or the requirements are too strong, or a combination of both. Finding the “problem” with the specification manually can be a tedious and time-consuming process, nullifying the benefits of automatic synthesis. Further, in the reactive setting, when the environment is adversarial, finding the right assumptions a priori can be difficult. Thus, given an unrealizable logical specification, there is a need for tools that localize the cause of unrealizability to (hopefully small) parts of the formula, and provide suggestions for repairing the formula in an “optimal” manner.

The problem of diagnosing and repairing formal requirements has received its share of attention in the formal methods community. Ferrère et al. perform diagnosis on faulty executions of systems with specifications expressed in linear temporal logic (LTL) and Metric Temporal Logic (MTL) [?]. They identify the cause of unsatisfiability of these properties in the form of prime implicants, which are conjunctions of literals, and map the failure of a specification to the failure of these prime implicants. Similar syntax tree based definitions of unsatisfiable cores for LTL were presented in [?]. In the context of synthesis from LTL, Raman et al. [?] address the problem of categorizing the causes of unrealizability, and how to detect them in high-level robot control specifications. The use of counter-strategies to derive new environment assumptions for synthesis has also been much studied over the past few years [?, ?, ?]. Our approach, based on exploiting information from optimization solvers, is similar to that taken by Nuzzo et al. [?] to extract unsatisfiable cores for satisfiability modulo theories (SMT) solving.

In this paper, we address the problem of diagnosing and repairing specifications formalized in signal temporal logic (STL) [?], a specification language that is well-suited for hybrid systems. Our work is conducted in the setting of automated synthesis from STL using optimization methods in a model predictive control (MPC) framework [?, ?]. In this approach to synthesis, both the system dynamics and the STL requirements on the system are encoded as mixed integer linear constraints on variables modeling the dynamics of the system and its environment. Controller synthesis is then formulated as an optimization problem to be solved subject to these constraints [?]. In the reactive setting, this approach proceeds by iteratively solving a combination of optimization problems using a counterexample-guided inductive synthesis (CEGIS) scheme [?]. In this context, an unrealizable STL specification leads to an infeasible optimization problem. We leverage the ability of existing mixed integer linear programming (MILP) solvers to localize the cause of infeasibility to so-called irreducibly inconsistent systems (IIS). Our algorithms use the IIS to localize the cause of unrealizability to the relevant parts of the STL specification. Additionally, we give a method for generating a minimal set of repairs to the STL specification such that, after applying those repairs, the resulting specification is realizable. The set of repairs is drawn from a suitably defined space that ensures that we rule out vacuous and other unreasonable adjustments to the specification. Specifically, in this paper, we focus on the numerical parameters in a formula since their specification is often the most tedious and error-prone part. Our algorithms are sound and complete, i. e., they provide a correct diagnosis, and always terminate with a reasonable specification that is realizable using the chosen synthesis method, when such a repair exists in the space of possible repairs.

The problem of infeasibility in constrained predictive control schemes has also been widely addressed in the literature, e.g., by adopting robust MPC approaches, soft constraints, and penalty functions [?, ?, ?]. Rather than tackling general infeasibility issues in MPC, our focus is on providing tools to help debug the controller specification at design time. However, the deployment of robust or soft-constrained MPC approaches can also benefit from our techniques. Our use of MILP does not restrict our method to linear dynamical systems; indeed, we can handle constrained linear and piecewise affine systems, mixed logical dynamical (MLD) systems [?], and certain differentially flat systems. We demonstrate the effectiveness of our approach on the synthesis of controllers for a number of cyber-physical systems, including an autonomous driving application and an aircraft electric power system.

The paper is organized as follows. We begin in Sec. Diagnosis and Repair for Synthesis from Signal Temporal Logic Specifications and Diagnosis and Repair for Synthesis from Signal Temporal Logic Specifications with preliminaries and a running example. We formally define the diagnosis and repair problems in Sec. Diagnosis and Repair for Synthesis from Signal Temporal Logic Specifications and describe our algorithms for both monolithic and contract specifications in Sec. Diagnosis and Repair for Synthesis from Signal Temporal Logic Specifications and Diagnosis and Repair for Synthesis from Signal Temporal Logic Specifications. In Sec. Diagnosis and Repair for Synthesis from Signal Temporal Logic Specifications we illustrate our approach on the case studies, and finally conclude in Sec. Diagnosis and Repair for Synthesis from Signal Temporal Logic Specifications.

In this section, we introduce preliminaries on hybrid dynamical systems, the specification language Signal Temporal Logic, and the Model Predictive Control framework.

We consider a continuous-time hybrid dynamical system:

(1)

where represent the hybrid (continuous and logical) states at time , are the hybrid control inputs, are the outputs, and are the hybrid external inputs, including disturbances and other adversarial inputs from the environment. Using a sampling period , the continuous-time system (Diagnosis and Repair for Synthesis from Signal Temporal Logic Specifications) lends itself to the following discrete-time approximation:

(2)

where states and outputs evolve according to time steps , where . Given that the system starts at an initial state , a run of the system can be expressed as:

(3)

i. e., as a sequence of assignments over the system variables . A run is, therefore, a discrete-time signal. We denote .

Given an initial state , a finite horizon input sequence , and a finite horizon environment sequence , the finite horizon run of the system modeled by the system dynamics in (Diagnosis and Repair for Synthesis from Signal Temporal Logic Specifications) is uniquely expressed as:

(4)

where , are computed using (Diagnosis and Repair for Synthesis from Signal Temporal Logic Specifications). We finally define a finite-horizon cost function , mapping -horizon trajectories to costs in .

Signal Temporal Logic (STL) was first introduced as an extension of Metric Interval Temporal Logic (MITL) to reason about the behavior of real-valued dense-time signals [?]. STL has been largely applied to specify and monitor real-time properties of hybrid systems [?]. Moreover, it offers a robust, quantitative interpretation for the satisfaction of a temporal formula [?, ?], as further detailed below.

An STL formula is evaluated on a signal at some time . We say when evaluates to true for at time . We instead write , if satifies at time . The atomic predicates of STL are defined by inequalities of the form , where is some function of signal at time . Specifically, is used to denote both the function of and the predicate. Any STL formula consists of Boolean and temporal operations on such predicates. The syntax of STL formulae is defined recursively as follows:

(5)

where and are STL formulae, is the globally operator, is the finally operator and is the until operator. Intuitively, specifies that must hold for signal at all times of the given interval, i. e., . Similarly specifies that must hold at some time of the given interval. Finally, specifies that must hold starting from the current time until a specific time at which becomes true. Formally, the satisfaction of a formula for a signal at time is defined as:

(6)

The bound of an STL formula is defined as the maximum over the sums of all nested upper bounds on the temporal operators of the STL formula. For instance, given , the bound can be calculated as . An STL formula is bounded-time if it contains no unbounded operators.

A quantitative or robust semantics is defined for an STL formula by associating it with a real-valued function of the signal and time , which provides a “measure” of the margin by which is satisfied. Specifically, we require if and only if . The magnitude of can then be interpreted as an estimate of the “distance” of a signal from the set of trajectories satisfying or violating .

Formally, the quantitative semantics is defined as follows:

(7)

Using the definitions above, the robustness value can then be computed recursively for any STL formula.

Model Predictive Control (MPC), or Receding Horizon Control (RHC), is a well studied hybrid system control method [?, ?]. In RHC, at any time step, the state of the system is observed and an optimization is solved over a finite time horizon , given a set of constraints and a cost function . When , as defined in (Diagnosis and Repair for Synthesis from Signal Temporal Logic Specifications), is nonlinear, we assume optimization is performed at each MPC step after locally linearizing the system dynamics. For example, at time , the linearized dynamics around the current state and time are used to compute an optimal strategy over the time interval . Only the first component of is, however, applied to the system, while a similar optimization problem is solved at time to compute a new optimal control sequence along the interval for the model linearized around . While the global optimality of MPC is not guaranteed, the technique is frequently used and performs well in practice.

In this paper, we use STL to express temporal constraints on the environment and system runs for MPC. We then translate an STL specification into a set of mixed integer linear constraints, as further detailed below [?, ?]. Given a formula to be satisfied over a finite horizon , the associated optimization problem has the form:

(8)
subject to

which extracts a control strategy that minimizes the cost function over the finite-horizon trajectory , while satisfying the STL formula at time step . In a closed-loop setting, we compute a fresh at every time step , replacing with in (Diagnosis and Repair for Synthesis from Signal Temporal Logic Specifications) [?, ?].

While (Diagnosis and Repair for Synthesis from Signal Temporal Logic Specifications) applies to systems without uncontrolled inputs, a more general formulation can be provided to account for an uncontrolled disturbance input that can act, in general, adversarially. To provide this formulation, we assume that the specification is given in the form of an STL assume-guarantee (A/G) contract [?, ?] , where is the set of variables, captures the assumptions (admitted behaviors) over the (uncontrolled) environment inputs , and describes the guarantees (promised behaviors) over all the system variables. A game-theoretic formulation of the controller synthesis problem can then be represented as a minimax optimization problem:

(9)
subject to

where we aim to find a strategy that minimizes the worst case cost over the finite horizon trajectory, under the assumption that the disturbance signal acts adversarially. We use in (Diagnosis and Repair for Synthesis from Signal Temporal Logic Specifications) to denote the set of disturbances that satisfy the environment specification , i.e., .

To solve the control problems in (Diagnosis and Repair for Synthesis from Signal Temporal Logic Specifications) and (Diagnosis and Repair for Synthesis from Signal Temporal Logic Specifications) the STL formula can be translated into a set of mixed integer constraints, thus reducing the optimization problem to a Mixed Integer Program (MIP). Specifically, in this paper, we consider control problems that can be encoded as Mixed Integer Linear Programs (MILP).

The MILP constraints are constructed recursively on the structure of the STL specification, and express the robust satisfaction value of the formula. We see from Section Diagnosis and Repair for Synthesis from Signal Temporal Logic Specifications that the robustness value of formulae with temporal and Boolean operators is expressed as the min or max of the robustness values of the operands over time. We then demonstrate the encoding of the min operator. Given , we introduce Boolean variables for and a continuous variable . The resulting MILP constraints are:

(10)

where is a constant selected to be much larger than for all , and . The above constraints ensure that takes the value of the minimum robustness and if is the minimum. To get the constraints for max, we replace by in (Diagnosis and Repair for Synthesis from Signal Temporal Logic Specifications).

We solve the MILP with an off-the-shelf solver. If the receding horizon scheme is feasible, then the controller synthesis problem is realizable, i.e., the algorithm returns a controller that satisfies the specification and optimizes the objective. However, if the MILP is infeasible, the synthesis problem is unrealizable. In this case, the failure to synthesize a controller may well be attributed to just a portion of the STL specification. In the rest of the paper we discuss how infeasibility of the MILP constraints can be used to infer the “cause” of failure and, consequently, diagnose and repair the original STL specification.

Figure \thefigure: Vehicles crossing an intersection. The red car is the ego vehicle, while the black car is part of the environment.

To illustrate our approach, we introduce a running example from the autonomous driving domain. As shown in Fig. Diagnosis and Repair for Synthesis from Signal Temporal Logic Specifications, we consider a scenario in which two moving vehicles approach an intersection. The red car, labeled the ego vehicle, is the vehicle under control, while the black car is part of the external environment and may behave, in general, adversarially. The state of the system includes the position and velocity of each vehicle, the control input is the acceleration of the ego vehicle, and the environment input is the acceleration of the other vehicle, i.e.,

(11)

We also assume the dynamics of the system is given by a simple double integrator for each vehicle, e.g.,

(12)

A similar equation holds for the environment vehicle which is, however, constrained to move along the horizontal axis. We assume the ego vehicle is initialized at the coordinates and the other vehicle is initialized at . We further assume all the units in this example follow the metric system. We would like to design a controller for the ego vehicle to satisfy an STL specification under some assumptions on the external environment, and provide diagnosis and feedback if the specification is infeasible. We discuss the following three scenarios.

Example 1 (Collision Avoidance)

We want to avoid a collision between the ego and the adversary vehicle. In this example, we assume the environment vehicle’s acceleration is fixed at all times, i.e., , while the initial velocities are and . We encode our requirements using the formula where and are defined as follows:

(13)

We prescribe bounds on the system acceleration, and state that both cars should never be confined together within a box of width around the intersection to avoid a collision.

Example 2 (Non-adversarial Race)

We discuss a race scenario, in which the ego vehicle must increase its velocity to exceed whenever the adversary’s initial velocity exceeds . We then formalize our requirement as a contract (, ), where are the assumptions made on the environment and are the guarantees of the system provided the environment satisfies the assumptions. Specifically:

(14)

The initial velocities are and , while the environment vehicle’s acceleration is at all times. We also require the acceleration to be bounded by .

Example 3 (Adversarial Race)

We discuss another race scenario, in which the environment vehicle acceleration is no longer fixed, but can vary up to a maximum value of . Initially, and hold. Under these assumptions, we would like to guarantee that the velocity of the ego vehicle exceeds if the speed of the adversary vehicle exceeds , while maintaining an acceleration in the range. Altogether, we capture the requirements above via a contract (, ), where:

(15)

In this section, we define the problems of specification diagnosis and repair in the context of controller synthesis from STL. We assume the discretized system dynamics and , the initial state , the STL specification , and a cost function are given. Then, the controller synthesis problem denoted as translates into solving (Diagnosis and Repair for Synthesis from Signal Temporal Logic Specifications) (when is a monolithic specification of the desired system behaviors) or (Diagnosis and Repair for Synthesis from Signal Temporal Logic Specifications) (when represents a contract between the system and the environment).

If synthesis fails, the diagnosis problem is, intuitively, to return an explanation in the form of a subset of the original problem constraints that are already infeasible when taken alone. The repair problem is to return a “minimal” set of changes to the specification that would render the resulting controller synthesis problem feasible. To diagnose and repair an STL formula, we focus on its sets of atomic predicates and time intervals of the temporal operators. We then start by providing a definition of the support of its atomic predicates, i.e., the set of times at which the value of a predicate affects satisfiability of the formula, and a notion for the set of repairs that we allow.

Definition 1 (Support)

The support of a predicate in an STL formula is the set of times such that appears in .

For example, given , the support of predicate is the time interval .

Definition 2 (Allowed Repairs)

Let denote the set of all possible STL formulae. A repair action is a relation consisting of the union of the following:

  • A predicate repair returns the original formula after modifying one of its atomic predicates to . We denote this sort of repair by ;

  • A time interval repair returns the original formula after replacing the interval of a temporal operator. This is denoted where .

Repair actions can be composed to get a sequence of repairs . Given an STL formula , we denote as the set of all possible formulae obtained through compositions of allowed repair actions on . Moreover, given a set of atomic predicates and a set of time intervals , we use to denote the set of repair actions that act only on predicates in or time intervals in . We are now ready to provide the formulation of the problems addressed in the paper, both in terms of diagnosis and repair of a monolithic specification (general diagnosis and repair) and an A/G contract (contract diagnosis and repair).

Problem 1 (General Diagnosis and Repair)

Given a controller synthesis problem such that (Diagnosis and Repair for Synthesis from Signal Temporal Logic Specifications) is infeasible, find:

  • A set of atomic predicates or time intervals of the original formula ,

  • ,

such that is feasible, and the following minimality conditions hold:

  • (predicate minimality) if is obtained by predicate repair111For technical reasons, our minimality conditions are predicated on a single type of repair being applied to obtain ., for , , and is a norm on , then

    (16)

    and is feasible, with

  • (time interval minimality) if is obtained by time interval repair, are the non-empty repaired intervals, and is the length of interval :

    (17)

    and is feasible, with

Problem 2 (Contract Diagnosis and Repair)

Given a controller synthesis problem such that (Diagnosis and Repair for Synthesis from Signal Temporal Logic Specifications) is infeasible, find:

  • Sets of atomic predicates , or sets of time intervals ,, respectively, of the original formulas and ,

  • , .

such that is feasible, and , , and satisfy the minimality conditions of Problem (1).

In the following sections, we discuss our solutions to the above problems.

Figure \thefigure: Diagnosis and repair flow diagram.
1:procedure DiagnoseRepair
2:       Input:
3:       Output: , , ,
4:        GenMILP(),
5:        Solve()
6:       if  then
7:             , , ,
8:             while  do
9:                     Diagnosis(, )
10:                    , ,
11:                     UserInput()
12:                     ModifyConstraints()
13:                                  
14:              Solve(, )        
Algorithm 1 DiagnoseRepair

The scheme adopted to diagnose inconsistencies in the specification and provide constructive feedback to the designer is pictorially represented in Fig. Diagnosis and Repair for Synthesis from Signal Temporal Logic Specifications. In this section we find a solution for Problem 1, as summarized in Algorithm 1. Given a problem , defined as in Section Diagnosis and Repair for Synthesis from Signal Temporal Logic Specifications, GenMILP reformulates (Diagnosis and Repair for Synthesis from Signal Temporal Logic Specifications) in terms of the following MILP:

(18)
subject to

where and are mixed integer linear constraint functions over the states, outputs, and inputs of the finite horizon trajectory associated, respectively, with the system dynamics and the STL specification . We let represent this MILP, where is the objective, and is the set of constraints. If problem (Diagnosis and Repair for Synthesis from Signal Temporal Logic Specifications) is infeasible, we iterate between diagnosis and repair phases until the repaired feasible specification is obtained. We let and denote, respectively, the set of predicates returned by the diagnosis procedure, and the constraints corresponding to those predicates.

Optionally, we support an interactive repair mechanism, where the designer provides a set of that prioritize which predicates to modify (UserInput procedure) and get converted into a set of weights (ModifyConstraints routine). The designer can then leverage this weighted-cost variant of the problem to define “soft” and “hard” constraints in the controller synthesis problem. In the following, we detail the operation of the Diagnosis and Repair routines.

1:procedure Diagnosis(, )
2:       Input: ,
3:       Output: , ,
4:        IIS()
5:        ExtractPredicates(,)
6:        ExtractConstraints(,)
Algorithm 2 Diagnosis

Our diagnosis procedure is summarized in Algorithm 2. Diagnosis receives as inputs the controller synthesis problem and an associated MILP formulation . can either be the feasibility problem associated with the original problem (Diagnosis and Repair for Synthesis from Signal Temporal Logic Specifications), or a relaxation of it. This feasibility problem has the same, possibly relaxed, constraints as (Diagnosis and Repair for Synthesis from Signal Temporal Logic Specifications) but zero cost. Formally, we provide the following definition of relaxed constraint and relaxed optimization problem.

Definition 3 (Relaxed Problem)

We say that a constraint is a relaxed version of if there exists a slack variable such that . In this case, we also say that is relaxed into . Then, an optimization problem is a relaxed version of another optimization problem if it is obtained from by relaxing at least one of its constraints.

When is infeasible, we rely on the capability of state-of-the-art MILP solvers to provide an Irreducibly Inconsistent System (IIS) [?, ?] of constraints , defined as follows.

Definition 4 (Irreducibly Inconsistent System)

Given a feasibility problem with constraint set , an Irreducibly Inconsistent System is a subset of constraints such that: (i) the optimization problem is infeasible; (ii) , problem is feasible.

In other words, an IIS is an infeasible subset of constraints that becomes feasible if any single constraint is removed. For each constraint in , ExtractPredicates traces back the STL predicate(s) originating it, which will be used to construct the set of STL atomic predicates in Problem 1, and the corresponding set of support intervals (adequately truncated to the current horizon ), as obtained from the STL syntax tree. will be used to produce a relaxed version of as further detailed in Section Diagnosis and Repair for Synthesis from Signal Temporal Logic Specifications. For this purpose, the procedure also returns the subset of all the constraints in that are associated with the predicates in .

The diagnosis procedure isolates a set of STL atomic predicates that jointly produce a reason of infeasibility for the synthesis problem. For repair, we are instead interested in how to modify the original formula to make the problem feasible. The repair procedure is summarized in Algorithm 3. We formulate relaxed versions of the feasibility problem associated with problem (Diagnosis and Repair for Synthesis from Signal Temporal Logic Specifications) by using slack variables.

Let , denote both of the categories of constraints and in the feasibility problem . We reformulate into the following slack feasibility problem:

(19)
subject to

where is a vector of slack variables added to the subset of optimization constraints , as obtained after the latest call of Diagnosis, to make the problem feasible. Not all the constraints in the original optimization problem (Diagnosis and Repair for Synthesis from Signal Temporal Logic Specifications) can be modified. For instance, the designer will not be able to arbitrarily modify constraints that can directly affect the dynamics of the system, i. e., constraints encoded in . Solving problem (Diagnosis and Repair for Synthesis from Signal Temporal Logic Specifications) is equivalent to looking for a set of slacks that make the original control problem feasible while minimizing a suitable norm of the slack vector. In most of our application examples, we choose the -norm, which tends to provide sparser solutions for , i.e., nonzero slacks for a smaller number of constraints. However, other norms can also be used, including weighted norms based on the set of weights . If problem (Diagnosis and Repair for Synthesis from Signal Temporal Logic Specifications) is feasible, ExtractFeedback uses the solution to repair the original infeasible specification . Otherwise, the infeasible problem is returned for another round of diagnosis to retrieve further constraints to relax. In what follows, we provide details on the implementation of ExtractFeedback.

1:procedure Repair
2:       Input: , , , ,
3:       Output: , ,
4:       
5:       for  in  do
6:             if  then
7:                                         
8:       (, ) Solve(, )
9:       if  then
10:              ExtractFeedback(,,)        
Algorithm 3 Repair

If a minimum norm solution can be found, then the slack variables can be mapped to a set of predicate repairs , as defined in Problem 1, as follows. The slack vector in Algorithm 3 includes the set of slack variables , where is the variable added to the optimization constraint associated with an atomic predicate at time , . We then set

(20)

being the time horizon for (Diagnosis and Repair for Synthesis from Signal Temporal Logic Specifications), and .

To find a set of time-interval repairs, we proceed, instead, as follows:

  1. The slack vector in Algorithm 3 includes the set of slack variables , where is the variable added to the optimization constraint associated with an atomic predicate at time . For each , with support interval , we search for the largest time interval such that the slack variables for are . If , then we set .

  2. We convert every temporal operator in into a combination of (timed or untimed) and untimed by using the following transformations:

    where is the untimed (unbounded) until operator. Let be the new formula obtained from after applying these transformations222While the second transformation introduces a new interval , its parameters are directly linked to the ones of the original interval (now inherited by the operator) and will be accordingly processed by the repair routine..

  3. The nodes of the parse tree of can then be partitioned into three subsets, , , and , respectively associated with the atomic predicates, Boolean operators, and temporal operators () in . We traverse this parse tree from the leaves (atomic predicates) to the root and recursively define for each node a new support interval as follows:

    (21)

    where denotes the children of node , while and are, respectively, the subsets of nodes associated with the and operators. We observe that the children set of a operator node is a singleton. Therefore, with some abuse of notation, we also use in (21) to denote a single node in the parse tree.

  4. We define the interval repair for each (timed) temporal operator node in the parse tree of as . If is empty for any , no time-interval repair is possible. Otherwise, we map back the set of intervals into a set of interval repairs for the original formula according to the transformations in step 2 and return .

We provide an example of predicate repair below, while time interval repair is exemplified in Section Diagnosis and Repair for Synthesis from Signal Temporal Logic Specifications.

Example 4 (Collision Avoidance)

We diagnose the specifications introduced in Example 1. To formulate the synthesis problem, we assume a horizon and a discretization step . The system is found infeasible at the first MPC run, and Diagnosis detects the infeasibility of at time . Intuitively, given the allowed range of accelerations for ego, both the cars end up with entering the forbidden box at some time. Algorithm 1 chooses to repair by adding slacks to all of its predicates, such that . Table Diagnosis and Repair for Synthesis from Signal Temporal Logic Specifications shows the optimal slack values at each , while and are set to zero at all . We can then conclude that the specification replacing with

(22)

is feasible, i.e., the cars will not collide, but the original requirement was overly demanding.

Alternatively, the user can choose to run the repair procedure on and change its predicate as . In this case, we decide to stick with the original requirement on collision avoidance, and tune, instead, the control “effort” to satisfy it. Under the assumption of constant acceleration (and bounds), the slacks will be the same at all . We then obtain = , which ultimately turns into The ego vehicle should then slow down to prevent entering the forbidden box at the same time as the other car. This latter solution is, however, suboptimal with respect to the -norm selected in this example.

time 0 0.2 0.4 0.6 0.8 1 1.2 1.4 1.6 1.8
0 0 0 0 0 -0.26 0 0 0 0
0 0 0 0 0 0 -0.07 0 0 0
Table \thetable: Slack variables for horizon, with , and .

Our algorithm offers the following guarantees, for which a proof is reported below.

Theorem 1 (Soundness)

Given a controller synthesis problem , such that (Diagnosis and Repair for Synthesis from Signal Temporal Logic Specifications) is infeasible at time , let be the repaired formula returned from Algorithm 1 without human intervention, for a given set of predicates or time interval . Then, is feasible at time and (, , ) satisfy the minimality conditions in Problem 1.

  • Suppose is the MILP encoding of as defined in (Diagnosis and Repair for Synthesis from Signal Temporal Logic Specifications), is the repaired formula, and the set of diagnosed predicates, as returned by Algorithm 1. We start by discussing the case of predicate repair. We let be the MILP encoding of and be the set of predicates that are fixed to provide , i.e., such that , with . Algorithm 1 modifies by introducing a slack variable into each constraint associated with an atomic predicate in at time . Such a transformation leads to a feasible MILP and an optimal slack set . We now observe that and are both a relaxed version of . In fact, we can view as a version of in which only the constraints associated with the atomic predicates in are relaxed. Therefore, each constraint having a nonzero slack variable in is also relaxed in . Moreover, by (Diagnosis and Repair for Synthesis from Signal Temporal Logic Specifications), the relaxed constraints in are offset by the largest slack value over the horizon . Then, because is feasible, , and subsequently , are feasible.

    We now prove that (,) satisfy the predicate minimality condition of Problem 1. Let be any formula obtained from after repairing a set of predicates such that the resulting problem is feasible. We recall that, by Definition 4, at least one predicate in generates a conflicting constraint and must be repaired for to become feasible. Then, holds. Furthermore, since Algorithm 1 iterates by diagnosing and relaxing constraints until feasibility is achieved, contains all the predicates that can be responsible for the infeasibility of . In other words, Algorithm 1 finds all the IISs in the original optimization problem and allows relaxing any constraint in the union of the IISs. Therefore, repairing any predicate outside of is redundant: a predicate repair set that only relaxes the constraints associated with predicates in , by the same amount as in , and sets to zero the slack variables associated with predicates in is also effective and exhibits a smaller slack norm. Let be such a repair set and the corresponding repaired formula. and can then be seen as two repair sets on the same predicate set. However, by the solution of Problem (Diagnosis and Repair for Synthesis from Signal Temporal Logic Specifications), we are guaranteed that has minimum norm; then, will hold for any such formulas , and hence .

    We now consider the MILP formulation associated with and in the case of time-interval repairs. For each atomic predicate , for , includes only the associated constraints evaluated over time intervals for which the slack variables are zero. Such a subset of constraints is trivially feasible. All the other constraints, enforcing the satisfaction of Boolean and temporal combination of the atomic predicates in are also feasible if the atomic predicate constraints are feasible. Then, is feasible.

    To show that (,) satisfy the minimality condition in Problem 1, we observe that, by the transformations in step 2 of the time-interval repair procedure, is logically equivalent to a formula which only contains untimed and timed operators. Moreover, and have the same interval parameters. Therefore, if the proposed repair set is minimal for , this will also be the case for . We now observe that Algorithm 1 selects, for each atomic predicate the largest interval such that the associated constraints are feasible, i.e., their slack variables are zero after norm minimization333Because we are not directly maximizing the sparsity of the slack vector, time-interval minimality is to be interpreted with respect to slack norm minimization. Directly maximizing the number of zero slacks is also possible but computationally more intensive.. Because feasible intervals for Boolean combinations of atomic predicates are obtained by intersecting these maximal intervals, and then propagated to the temporal operators, the length of the intervals of each operator in , hence of the temporal operators in , will also be maximal, which is what we wanted to prove.

Theorem 2 (Completeness)

Assume the controller synthesis problem results in (Diagnosis and Repair for Synthesis from Signal Temporal Logic Specifications) being infeasible at time . If there exist a set of predicates or time-intervals such that there exists for which ,