Control Barrier Functions for Nonholonomic Systems under Risk Signal Temporal Logic Specifications
Lars Lindemann, George J. Pappas, and Dimos V. Dimarogonas
Abstract — Temporal logics provide a formalism for expressing complex system specifications. A large body of literature has addressed the verification and the control synthesis problem for deterministic systems under such specifications. For stochastic systems, however, only the probability of satisfying a specification has been considered so far, neglecting the risk of not satisfying the specification. To address this shortcoming, we consider, for the first time, risk metrics, such as (but not limited to) the Conditional Value-at-Risk, and propose risk signal temporal logic. Specifically, we compose risk metrics with stochastic predicates, which are the basic logical elements. As a particular instance of such stochasticity, we consider a priori unknown environments described by semantic maps, which can be obtained by recent learning-enabled perception algorithms. For nonholonomic control systems in such environments under risk signal temporal logic specifications, we present a determinization of the risk signal temporal logic specification that allows us to transform the stochastic control problem into a deterministic one. We then use time-varying control barrier functions to minimize the risk of violating the specification.
I. INTRODUCTION
Temporal logic-based control studies the problem of controlling a dynamical system such that a complex specification, expressed as a temporal logic formula, is satisfied. Linear temporal logic (LTL) allows one to impose qualitative temporal properties and has been used in [1]–[3]. More recently, signal temporal logic (STL) has been considered [4]. STL allows one to impose quantitative temporal properties, hence being more expressive than LTL. One can additionally associate quantitative semantics with an STL specification, which give a real-valued answer to the question whether or not a specification is satisfied, indicating the robustness (severity) of the satisfaction (violation) [5], [6]. Control approaches under STL specifications result in costly mixed integer linear programs [7] or in nonconvex optimization programs [8], [9]. Reinforcement learning-based approaches for partially unknown systems have appeared in [10], [11]. We have recently proposed an efficient automata-based framework in [12] that decomposes the STL specification into STL subspecifications that can be implemented by low-level feedback control laws, such as those in [13], [14], which are based on time-varying control barrier functions. An advantage of [12] is the separation of computationally expensive operations into an offline stage. Furthermore, satisfaction guarantees are provided in continuous time, while most of the other aforementioned works consider discretized systems.

The underlying assumption in [7]–[14], however, is that the environment is known. For LTL, this assumption has been relaxed in [15]–[18]. Specifically, [15] and [18] assume that the environment is modeled as a semantic map using recent learning-enabled perception algorithms [19], [20]. Semantic maps are stochastic and useful since objects can be labeled semantically while additionally allowing differentiation between objects. These algorithms assign a mean and a variance, indicating the amount of uncertainty, to each object. For STL, literature on unknown environments is sparse. The works in [21] and [22] address the problem to some extent by considering a stochastic setup and chance constraints.

Our first contribution is to incorporate, for the first time, risk metrics [23], such as (but not limited to) the Conditional Value-at-Risk [24], into a temporal logic framework. We define risk predicates that encode the risk of not satisfying an STL predicate and call the obtained logic risk signal temporal logic (RiSTL). We propose quantitative semantics for RiSTL specifications, indicating how robustly (severely) a specification is satisfied (violated). As a particular instance of stochasticity, we consider an unknown environment that is modeled as a semantic map. Our second contribution is to show that, under certain sufficient conditions, an RiSTL specification can be translated into an STL specification. This translation is sound in the sense that satisfaction of the STL specification implies satisfaction of the RiSTL specification, mapping the stochastic control problem into a deterministic one. We show that these conditions can efficiently be checked for linear predicates, while we argue that, for more general forms, these conditions can be checked numerically. The third contribution is to solve the obtained deterministic control problem by using time-varying control barrier functions [13], [14], here specifically for nonholonomic systems. We also show how to maximize the quantitative semantics, i.e., how to minimize the risk of the specification, by establishing a connection between robustness properties of the control law and the robustness of the specification. We emphasize that this is the first work considering unknown environments for continuous-time systems under STL-like specifications.

Sec. II presents preliminaries, RiSTL, and problem formulation. Our proposed problem solution is stated in Sec. III. Simulations and conclusions are given in Sec. IV and Sec. V.

Footnote: This work was supported in part by the Swedish Research Council (VR), the European Research Council (ERC), the Swedish Foundation for Strategic Research (SSF), the EU H2020 Co4Robots project, the Knut and Alice Wallenberg Foundation (KAW), the DARPA Assured Autonomy program, and the AFOSR grant FA9550-19-1-0265 (Assured Autonomy in Contested Environments). L. Lindemann and D. V. Dimarogonas are with the Division of Decision and Control Systems, KTH Royal Institute of Technology, 100 44 Stockholm, Sweden. Emails: {llindem,dimos}@kth.se. G. J. Pappas is with the Department of Electrical and Systems Engineering, University of Pennsylvania, Philadelphia, PA 19104, USA. Email: [email protected]

II. PRELIMINARIES AND PROBLEM FORMULATION
True and false are ⊤ and ⊥ with B := {⊤, ⊥}; R and R_≥ are the real and nonnegative real numbers, respectively. We denote the expected value of a random variable as E[·] and the probability of an event as P(·). Let N(µ̃, Σ̃) denote a multivariate normal distribution with mean vector µ̃ and variance matrix Σ̃. All proofs in this paper are provided in the appendix, while the following lemma follows immediately.

Lemma 1: For ε ≥ and α > , ż(t) = −αz(t) + ε with z(0) ≥ ε/α has the solution z(t) = exp(−αt)(z(0) − ε/α) + ε/α ≥ ε/α. For all z(0) ∈ R, z(t) → ε/α as t → ∞.

A. Risk Signal Temporal Logic (RiSTL)
Let x : R_≥ → R^n and X ∈ R^ñ. Signal temporal logic (STL) [4] is based on signals x(t) and predicates µ^STL : R^n × R^ñ → B. Let h : R^n × R^ñ → R be a continuously differentiable function, also called predicate function. A predicate µ^STL(x(t), X) is satisfied at time t if and only if x(t) is such that h(x(t), X) ≥ when X is deterministic and known; h(x(t), X) may hence also be viewed as a barrier function. In this paper, however, X is non-deterministic and a random variable. Consider the probability space (Ω, F, P_Ω) where Ω is the sample space, F is the Borel σ-algebra of Ω, and P_Ω : F → [0, is a probability measure. Then X is a measurable function X : Ω → R^ñ. Letting B denote the Borel σ-algebra of R, the probability space (R^ñ, B^ñ, P_X) can be associated with X where, for B ∈ B^ñ, P_X : B^ñ → [0, with P_X(B) := P_Ω(X^−(B)) and X^−(B) := {ω ∈ Ω | X(ω) ∈ B}. Similarly, for a given x(t), one can associate the probability space (R, B, P_h) with h(x(t), X).

We now propose an extension to STL that takes chance and risk constraints into account and which we call risk signal temporal logic (RiSTL). For a given probability δ ∈ (0, , the truth value of a chance predicate µ^Ch : R^n × R^ñ → B at time t is obtained as

    µ^Ch(x(t), X) := ⊤  if P(h(x(t), X) ≥ ≥ δ,
                     ⊥  otherwise                          (1)

where P(h(x(t), X) ≥ denotes the probability that h(x(t), X) ≥ , which is the probability of satisfying µ^STL(x(t), X). We further consider risk predicates based on risk metrics as advocated in [23], [24] and motivated by the fact that chance predicates do not take the left tail of the distribution of h(x(t), X) into account. Risk metrics allow one to exclude behavior which is deemed more risky than other behavior (see Example 1 for further motivation). Let H denote the set of all random variables derived from (Ω, F, P_Ω). Formally, a risk metric is a mapping R : H → R. We are interested in R(−h(x(t), X)) to argue about the risk of not satisfying µ^STL(x(t), X). The truth value of a risk predicate µ^Ri : R^n × R^ñ → B at time t is obtained as

    µ^Ri(x(t), X) := ⊤  if R(−h(x(t), X)) ≤ γ,
                     ⊥  otherwise                          (2)

for γ ∈ R. Note that R(·) can take different forms with desirable properties such as monotonicity, translational invariance, positive homogeneity, subadditivity, law invariance, or comonotone additivity [23]. The syntax of RiSTL is

    φ ::= ⊤ | µ^Ch | µ^Ri | ¬φ | φ′ ∧ φ″ | φ′ U_[a,b] φ″       (3)

where φ′ and φ″ are RiSTL formulas and where U_[a,b] is the until operator with a ≤ b < ∞. Also define φ′ ∨ φ″ := ¬(¬φ′ ∧ ¬φ″) (disjunction), F_[a,b] φ := ⊤ U_[a,b] φ (eventually), and G_[a,b] φ := ¬F_[a,b] ¬φ (always). Let (x, X, t) ⊨ φ denote the satisfaction relation, i.e., if x satisfies φ at t given X. We recursively define the RiSTL semantics as

    (x, X, t) ⊨ µ^Ch  iff  P(h(x(t), X) ≥ ≥ δ,
    (x, X, t) ⊨ µ^Ri  iff  R(−h(x(t), X)) ≤ γ,
    (x, X, t) ⊨ ¬φ  iff  ¬((x, X, t) ⊨ φ),
    (x, X, t) ⊨ φ′ ∧ φ″  iff  (x, X, t) ⊨ φ′ ∧ (x, X, t) ⊨ φ″, and
    (x, X, t) ⊨ φ′ U_[a,b] φ″  iff  ∃t″ ∈ [t + a, t + b] s.t. (x, X, t″) ⊨ φ″ ∧ ∀t′ ∈ [t, t″], (x, X, t′) ⊨ φ′.

Given X, φ is satisfiable if ∃x : R_≥ → R^n such that (x, X, ⊨ φ.
Quantitative semantics for RiSTL are denoted by ρ^φ(x, X, t) and recursively defined as

    ρ^{µ^Ch}(x, X, t) := P(h(x(t), X) ≥ − δ,
    ρ^{µ^Ri}(x, X, t) := γ − R(−h(x(t), X)),
    ρ^{¬φ}(x, X, t) := −ρ^φ(x, X, t),
    ρ^{φ′ ∧ φ″}(x, X, t) := min(ρ^{φ′}(x, X, t), ρ^{φ″}(x, X, t)),
    ρ^{φ′ U_[a,b] φ″}(x, X, t) := max_{t″ ∈ [t+a, t+b]} min(ρ^{φ″}(x, X, t″), min_{t′ ∈ [t, t″]} ρ^{φ′}(x, X, t′)),
    ρ^{G_[a,b] φ}(x, X, t) := min_{t′ ∈ [t+a, t+b]} ρ^φ(x, X, t′),
    ρ^{F_[a,b] φ}(x, X, t) := max_{t′ ∈ [t+a, t+b]} ρ^φ(x, X, t′).

It holds that (x, X, t) ⊨ φ iff ρ^φ(x, X, t) ≥ , which follows due to [6, Prop. 16]. For R(·), we use, in this paper, the expected value (EV), the Value-at-Risk (VaR), and the Conditional Value-at-Risk (CVaR). The EV of −h(x(t), X) is E[−h(x(t), X)], which provides a risk neutral risk measure. More risk averse measures are the VaR and the CVaR as in [24]. The VaR of −h(x(t), X) for β ∈ (0, is defined as

    VaR_β(−h(x(t), X)) := min(d ∈ R | P(−h(x(t), X) ≤ d) ≥ β).

Note in particular that the probability that −h(x, X) > VaR_β(−h(x(t), X)) is − β. If the cumulative distribution function of h(x(t), X) is smooth, as in this case, the CVaR of −h(x(t), X) for probability β is given by

    CVaR_β(−h(x(t), X)) := E[−h(x(t), X) | −h(x(t), X) > VaR_β(−h(x(t), X))].

We next illustrate why considering risk predicates may be advantageous compared to considering chance predicates.

Footnote: Note that [6] requires a strict inequality, which can be relaxed here.

Fig. 1: Let X have µ̃ := [ .75 2 − .75 2 0 4 ]^T and variance Σ̃ := 0. · diag(1, , , , , in the left and Σ̃ := 0. · diag(2, , , , , in the right figure. Left figure: It holds that ρ^{φ^Ch}(x, X, > ρ^{φ^Ch}(x, X, as well as ρ^{φ^Ri}(x, X, > ρ^{φ^Ri}(x, X, so that both metrics suggest that x(t) is more favorable. Right figure: It holds that ρ^{φ^Ch}(x, X, > ρ^{φ^Ch}(x, X, , while, however, ρ^{φ^Ri}(x, X, < ρ^{φ^Ri}(x, X, ; ρ^{φ^Ri} now suggests that x(t) is more favorable, while ρ^{φ^Ch} still favors x(t).

Example 1: Let x := [x_x x_y]^T ∈ R and X ∼ N(µ̃, Σ̃) with X := [X^T_O X^T_O X^T_R]^T = [X_{O,x} X_{O,y} X_{O,x} X_{O,y} X_{R,x} X_{R,y}]^T ∈ R (see Fig. 1). The uncertainty of X_O and X_O differs in the left and right part of Fig. 1 and is larger in the right part (see dotted circles). The specification is to always avoid the obstacles indicated by X_O and X_O, while eventually reaching the region indicated by X_R. Let UN ∈ {Ch, Ri} and

    φ^UN := G_[0, (φ^UN_O ∧ φ^UN_O) ∧ F_[0, φ^UN_R

where

    φ^UN_O := µ^UN ∨ µ^UN ∨ µ^UN ∨ µ^UN
    φ^UN_O := µ^UN ∨ µ^UN ∨ µ^UN ∨ µ^UN
    φ^UN_R := µ^UN ∧ µ^UN ∧ µ^UN ∧ µ^UN

encode avoidance of X_O and X_O and reachability of X_R, respectively. Now each µ^UN_i for i ∈ { , . . . , } is either interpreted as a chance predicate (UN = Ch) with δ_i := 0. or as a risk predicate (UN = Ri) with R(·) := CVaR_{β_i}(·), γ_i := 1. , and β_i := 0. . Fig. 1 shows the trajectories x(t) (blue) and x(t) (red); x(t) reaches the center of X_R while x(t) only reaches a neighborhood of X_R, suggesting that x(t) is favorable when the uncertainty is low. In the left part, both ρ^{φ^Ch} and ρ^{φ^Ri} hence indicate that x(t) satisfies φ^UN more. In the right part, however, the uncertainty grows; ρ^{φ^Ch} still suggests that x(t) is the favorable trajectory, while now ρ^{φ^Ri}, being more risk sensitive, suggests that x(t) is more favorable. We emphasize that using risk may be even more advantageous when the probability density function of X is skewed.

Footnote: For µ^UN, µ^UN, µ^UN, and µ^UN, define h(x, X) := X_{O,x} − ε − x_x, h(x, X) := −X_{O,x} − ε + x_x, h(x, X) := X_{O,y} − ε − x_y, h(x, X) := −X_{O,y} − ε + x_y for ε := 0. . Define the remaining h_i(x, X) for µ^UN_i with i ∈ { , . . . , } similarly.

Remark 1: Considering chance and risk constraints on the predicate level as in (1) and (2), respectively, has the advantage of rendering the associated control problem computationally tractable as well as being able to assign individual δ_m or β_m and γ_m to each predicate µ^Ch_m or µ^Ri_m within φ, respectively. Considering instead the probability or risk of the formula φ itself is intractable in continuous time due to expressions such as P(∀t ∈ [a, b], (x, X, t) ⊨ µ).

B. Nonholonomic Systems under RiSTL Specifications
Let z(t) := [x(t)^T θ(t)]^T ∈ R where x(t) and θ(t) are the position and orientation of a unicycle modeled as in

    ż(t) = f(z(t)) + g(z(t))u + c(z(t), t),  z(0) ∈ R        (4)

with control input u := [u u]^T ∈ R. The functions

    f(z) := [ f_x(z)        g(z) := [ cos(θ)  0        c(z, t) := [ c_x(z, t)
              f_θ(z) ]                sin(θ)  0                     c_θ(z, t) ]
                                      0       1 ]

are assumed to be locally Lipschitz continuous in z and piecewise continuous in t; f(z) is a known function with bounded f_θ(z) while c(z, t) is an unknown but bounded function, i.e., ‖c(z, t)‖ ≤ C for known C ≥ .

We consider the RiSTL fragment

    ψ ::= ⊤ | µ^Ch | µ^Ri | ψ′ ∧ ψ″                            (5a)
    φ ::= G_[a,b] ψ | F_[a,b] ψ | ψ′ U_[a,b] ψ″ | φ′ ∧ φ″      (5b)

where ψ′ and ψ″ are Boolean formulas of the form (5a), whereas φ′ and φ″ are of the form (5b). The full RiSTL language as in (3), also considering disjunctions, can be dealt with when combining the control laws presented in this paper with automata theory as in [12]. Assume a RiSTL specification φ of the form (5b) whose satisfaction depends on x and X, but not on θ. Assume also that φ consists of M chance and risk predicates µ^Pr_m(x, X) and µ^Ri_m(x, X) for m ∈ { , . . . , M} with associated predicate functions h_m(x, X). The next assumption is needed for the proposed gradient-based feedback control laws, similar to [14].

Assumption 1: Each h_m(x, X) is concave in x.

Let each µ^Pr_m(x, X) be associated with δ_m and each µ^Ri_m(x, X) be associated with R_m(·), β_m, and γ_m. We assume that X is described by a semantic map obtained by, for instance, performing semantic simultaneous localization and mapping [19]. Assume that the mean µ̃ and covariance matrix Σ̃ of X are given and let p_X(X) denote the corresponding known probability density function of X.

Problem 1: Consider an RiSTL formula φ as in (5). Design a feedback control law u(z, t) for the nonholonomic system in (4) so that ρ^φ(x, X, t) ≥ r ≥ , i.e., (x, X, t) ⊨ φ, where r is maximized.

III. PROPOSED PROBLEM SOLUTION
It holds that, for a fixed x, each h_m(x, X) has a mean µ̃_{h_m}(x) and a variance Σ̃_{h_m}(x); µ̃_{h_m}(x) and Σ̃_{h_m}(x) can be easily calculated for predicate functions that are linear or quadratic in X. In case that h_m(x, X) is linear in X, it even holds that h_m(x, X) ∼ N(µ̃_{h_m}(x), Σ̃_{h_m}(x)) if X is normally distributed. Let p_{h_m}(h, x) denote the probability density function of h_m(x, X) for a fixed x.

A. Chance and Risk Constrained Sets

Note that P(h_m(x, X) ≥ and R(−h_m(x, X)) depend on x. For given δ_m, β_m ∈ (0, and γ_m ∈ R, define the sets

    X^Ch_m(δ_m) := {x ∈ B | P(h_m(x, X) ≥ ≥ δ_m}

when considering chance predicates and

    X^EV_m(γ_m) := {x ∈ B | E[−h_m(x, X)] ≤ γ_m}
    X^VaR_m(β_m, γ_m) := {x ∈ B | VaR_{β_m}(−h_m(x, X)) ≤ γ_m}
    X^CVaR_m(β_m, γ_m) := {x ∈ B | CVaR_{β_m}(−h_m(x, X)) ≤ γ_m}

when considering risk predicates, where B is an arbitrarily big compact and convex set, as further explained in Section III-C; X^Ch_m(δ_m) defines all x in B for which the probability that h_m(x, X) ≥ is greater than or equal to δ_m, while X^EV_m(γ_m), X^VaR_m(β_m, γ_m), and X^CVaR_m(β_m, γ_m) define all x in B for which the EV, VaR, and CVaR of −h_m(x, X) is less than or equal to γ_m, respectively. If these sets are empty, the underlying predicate is not satisfiable. For c_m ∈ R, which is a design parameter as opposed to δ_m, β_m, and γ_m, define

    X_m(c_m) := {x ∈ B | h_m(x, µ̃) − c_m ≥ }

where the mean µ̃ has been used instead of X to evaluate the predicate function h_m. Note that X_m(c_m) is a compact and convex set since h_m(x, µ̃) is concave in x [25]. If X^Ch_m(δ_m) ⊇ X_m(c_m), then x ∈ X_m(c_m) implies x ∈ X^Ch_m(δ_m) (similarly for X^EV_m(γ_m), X^VaR_m(β_m, γ_m), and X^CVaR_m(β_m, γ_m)). This implies that an RiSTL formula can be determinized into an STL formula using h_m(x, µ̃) − c_m instead of P(h_m(x, X) ≥ − δ_m and γ_m − R(−h_m(x, X)) in φ while conserving some soundness properties (see Section III-B). This implies that the stochastic control problem can be reduced to a deterministic one (see Section III-C).

Example 2: Consider X ∼ N(0, and the predicate µ_m(x, X) with predicate function h_m(x, X) := X − x. It holds that X_m(c_m) := (−∞, −c_m] since µ̃ = 0. Note that h_m(x, X) ∼ N(−x, so that X^Ch_m(0.5) = (−∞, 0] = X_m(0), while X^Ch_m(δ_m > .5) = (−∞, −a] and X^Ch_m(δ_m < .5) = (−∞, a] for some positive a, i.e., X^Ch_m(δ_m) ⊇ X_m(0) for δ_m ≤ . and X^Ch_m(δ_m) ⊂ X_m(0) for δ_m > . . Similarly, let β_m := 0. and note that X^CVaR_m(0. , .28) = (−∞, 0] = X_m(0), while X^CVaR_m(0. , γ_m < .28) = (−∞, −a] and X^CVaR_m(0. , γ_m > .28) = (−∞, a] for some positive a, i.e., X^CVaR_m(0. , γ_m) ⊇ X_m(0) for γ_m ≥ . and X^CVaR_m(0. , γ_m) ⊂ X_m(0) for γ_m < . .

The main idea is that, for given δ_m, β_m, and γ_m, c_m can be selected so that X^Ch_m(δ_m) ⊇ X_m(c_m) and X^CVaR_m(β_m, γ_m) ⊇ X_m(c_m). Then, we can control x based on X_m(c_m) to satisfy µ_m(x, X). For given c_m, checking these set inclusions may be non-convex. When h_m(x, X) is linear in x, this can be checked efficiently since the distribution of h_m(x, X) is only shifted.

Lemma 2: Assume h_m(x, X) = v^T x + h′(X) for v ∈ R^n and for h′ : R^ñ → R, then

    X^Ch_m(δ_m) ⊇ X_m(c_m)  iff  P(h_m(x*, X) ≥ ≥ δ_m
    X^EV_m(γ_m) ⊇ X_m(c_m)  iff  E[−h_m(x*, X)] ≤ γ_m
    X^VaR_m(β_m, γ_m) ⊇ X_m(c_m)  iff  VaR_{β_m}(−h_m(x*, X)) ≤ γ_m
    X^CVaR_m(β_m, γ_m) ⊇ X_m(c_m)  iff  CVaR_{β_m}(−h_m(x*, X)) ≤ γ_m

where x* := argmin_{x ∈ X_m(c_m)} v^T x (a convex problem).

We remark that P(h_m(x*, X) ≥ , E[−h_m(x*, X)], VaR_{β_m}(−h_m(x*, X)), and CVaR_{β_m}(−h_m(x*, X)) can be efficiently computed. In particular, note that CVaR_β(−h_m(x*, X)) = min_{ζ ∈ R} J_m(x*, ζ) with

    J_m(x*, ζ) := ζ + − β ∫_{X ∈ R^ñ} [−h_m(x*, X) − ζ]^+ p_X(X) dX

and where [s]^+ := max(s, [24]. It holds that J_m(x*, ζ) is convex in ζ [24, Thm. 1] and that VaR_β(−h_m(x*, X)) is obtained as a byproduct of the calculation of CVaR_β(−h_m(x*, X)).

B. Determinization of RiSTL Specifications
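The inclusion tests of Lemma 2 and the lower bound they place on the design parameter c_m, worked for a predicate function that is linear in both x and X with Gaussian X, as an added example (not code from the paper). The function names, the unit variance used for the setting of Example 2, and the level 0.9 are assumptions made here; Gaussian closed forms stand in for the general integral in J_m, and X_m(c_m) is assumed to have its boundary inside B.

```python
import math
from statistics import NormalDist

STD = NormalDist()  # standard normal N(0, 1)


def risk_metrics(mean_h, std_h, beta):
    """Return (EV, VaR_beta, CVaR_beta) of -h for h ~ N(mean_h, std_h**2)."""
    z = STD.inv_cdf(beta)
    ev = -mean_h
    var = -mean_h + std_h * z
    cvar = -mean_h + std_h * STD.pdf(z) / (1.0 - beta)
    return ev, var, cvar


def cvar_by_minimization(mean_h, std_h, beta, iters=200):
    """CVaR as min over zeta of J(zeta) = zeta + E[(-h - zeta)^+] / (1 - beta).

    For Gaussian -h the expectation equals s * (pdf(k) - k * (1 - cdf(k)))
    with k = (zeta + mean_h) / s. J is convex in zeta, so a ternary search
    finds the minimum; the minimizer is VaR_beta(-h), obtained as a byproduct.
    """
    def J(zeta):
        k = (zeta + mean_h) / std_h
        tail = std_h * (STD.pdf(k) - k * (1.0 - STD.cdf(k)))
        return zeta + tail / (1.0 - beta)

    lo, hi = -mean_h - 10.0 * std_h, -mean_h + 10.0 * std_h
    for _ in range(iters):
        a, b = lo + (hi - lo) / 3.0, hi - (hi - lo) / 3.0
        if J(a) < J(b):
            hi = b
        else:
            lo = a
    zeta = 0.5 * (lo + hi)
    return J(zeta), zeta


def std_of_linear_part(a, cov_diag):
    """Standard deviation of a^T X when X has covariance diag(cov_diag)."""
    return math.sqrt(sum(ai * ai * si for ai, si in zip(a, cov_diag)))


def inclusion_holds(kind, c, std_h, level, gamma=0.0):
    """Lemma 2 test at the worst point x* of X_m(c).

    With h(x, X) = v^T x + a^T X + const, h(x*, X) ~ N(c, std_h**2) because
    x* lies on the boundary h(x*, mean) = c. level is delta for "chance" and
    beta for "VaR"/"CVaR".
    """
    if kind == "chance":
        return 1.0 - NormalDist(c, std_h).cdf(0.0) >= level
    ev, var, cvar = risk_metrics(c, std_h, level)
    return {"EV": ev, "VaR": var, "CVaR": cvar}[kind] <= gamma


def tightest_c(kind, std_h, level, gamma=0.0):
    """Smallest c for which the inclusion of Lemma 2 holds (closed form)."""
    if kind == "chance":
        return std_h * STD.inv_cdf(level)
    if kind == "EV":
        return -gamma
    z = STD.inv_cdf(level)
    if kind == "VaR":
        return std_h * z - gamma
    return std_h * STD.pdf(z) / (1.0 - level) - gamma


if __name__ == "__main__":
    # Setting of Example 2: h(x, X) = X - x, with unit variance assumed here.
    s = std_of_linear_part([1.0], [1.0])
    for kind, level in [("chance", 0.5), ("chance", 0.9), ("VaR", 0.9), ("CVaR", 0.9)]:
        print(kind, level, round(tightest_c(kind, s, level), 4))
```

For the same level, the CVaR predicate demands a larger c_m than the VaR or chance predicate, which is the extra tightening paid for accounting for the tail of −h.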
The RiSTL formula φ is now translated into an STL formula ϕ by replacing chance and risk predicates in φ by

    µ^STL_m(x(t), µ̃) := ⊤  if h_m(x(t), µ̃) − c_m ≥ ,
                        ⊥  otherwise                       (6)

where h_m(x(t), µ̃) is used instead of h_m(x(t), X). The semantics of the STL formula ϕ are, besides the evaluation of predicates in (6), the same as for the RiSTL formula φ [4]. We also define quantitative semantics ρ^ϕ(x, µ̃, t) for the STL formula ϕ by letting ρ^{µ^STL_m}(x, µ̃, t) := h_m(x(t), µ̃) − c_m and then following the recursive definition of RiSTL as introduced in Section II-A [5]. The following assumption is necessary for X_m(c_m) to be non-empty and hence for ϕ to be satisfiable.

Assumption 2: For each m ∈ { , . . . , M}, there exists x ∈ R^n so that h_m(x, µ̃) − c_m > . Furthermore, for each ψ′ ∧ ψ″ in ϕ (recall (5a)), there exists x ∈ R^n so that ρ^{ψ′ ∧ ψ″}(x, µ̃, > .

Footnote: More formally, necessity holds when the “>” are replaced with “≥”. We require strict inequalities to be able to synthesize a control barrier function b(x, µ̃, t) according to [13] in Section III-C. This further ensures that a later proposed coordinate transformation does not introduce any conservatism.

Note that Assumption 2 can efficiently be checked since h_m(x, µ̃) is concave in x. It can always be satisfied by a sufficiently small c_m and hence poses an upper bound on c_m. The next assumption is sufficient to ensure soundness in the sense that (x, X, ⊨ ϕ implies (x, X, ⊨ φ.

Assumption 3: For each m ∈ { , . . . , M}, X^Pr_m(δ_m) ⊇ X_m(c_m), X^EV_m(γ_m) ⊇ X_m(c_m), X^VaR_m(β_m, γ_m) ⊇ X_m(c_m), or X^CVaR_m(β_m, γ_m) ⊇ X_m(c_m) depending on the predicate.

Increasing c_m shrinks the set X_m(c_m) so that Assumption 3 (verifiable by Lemma 2) poses a lower bound on c_m.

Theorem 1: Let Assumption 3 hold. If x : R_≥ → R^n is such that (x, X, ⊨ ϕ, it follows that (x, X, ⊨ φ.

An important task is now to pick the set of c_m so that Assumptions 2 and 3 hold. In general, we may induce conservatism in the way that we have defined X_m(c_m) and included c_m since the level sets of X_m(c_m) may not be aligned with the level sets of X^Ch_m(δ_m), X^EV_m(γ_m), X^VaR_m(β_m, γ_m), and X^CVaR_m(β_m, γ_m). When we assume linearity of h_m(x, X) in x as in Lemma 2, such conservatism can be avoided.

Lemma 3: Assume that h_m(x, X) = v^T x + h′(X) for v ∈ R^n and for h′ : R^ñ → R. Then there exists a design parameter c_m so that X_m(c_m) = X^Ch_m(δ_m), X_m(c_m) = X^EV_m(γ_m), X_m(c_m) = X^VaR_m(δ_m), or X_m(c_m) = X^CVaR_m(δ_m).

The above result together with Lemma 2 alleviates finding a set of c_m that satisfy Assumptions 2 and 3.

C. Control Barrier Functions for Nonholonomic Systems under STL Specifications
Theorem 1 allows us to map the stochastic control problem into a deterministic one. The proposed control method is based on time-varying control barrier functions where a function b(x, µ̃, t) encodes the STL formula ϕ [13]. Given that Assumptions 2 and 3 hold, we impose conditions on the function b(x, µ̃, t) as in [13, Steps A, B, and C] that account for the STL semantics of ϕ; [14] presents a formally correct procedure to construct such b(x, µ̃, t). Define

    C(µ̃, t) := {x ∈ R^n | b(x, µ̃, t) ≥ }

and note that (x, µ̃, ⊨ ϕ if x(t) ∈ C(µ̃, t) for all t ≥ according to [13]; C(µ̃, t) is ensured to be bounded so that we let D be an open and bounded set with D strictly containing C(µ̃, t) for all t ≥ . It is also ensured that x(0) ∈ C(µ̃, . In [13] and [14], the function b(x, µ̃, t) is concave in the first argument and piecewise continuous in the third argument with discontinuities at times {s := 0, s , . . . , s_q} for some finite q. The following Theorems 2 and 3 solve a deterministic control problem that provides the desired results in terms of satisfying the RiSTL formula φ by Theorem 1.

Theorem 2: Let the design parameters c_m be so that Assumptions 2 and 3 hold and let b(x, µ̃, t) be constructed for ϕ as in [14]. If, for α > and for all (z, t) ∈ D × (s_j, s_{j+1}), there exists a continuous control law u(z, t) such that

    (∂b(x, µ̃, t)/∂z) (f(z) + g(z)u(z, t)) + ∂b(x, µ̃, t)/∂t ≥ −α b(x, µ̃, t) + ‖∂b(x, µ̃, t)/∂z‖ C,      (7)

then ρ^φ(x, X, ≥ r for some r ≥ , i.e., (x, X, ⊨ φ.

For the nonholonomic system in (4), the constraint in (7) may not be feasible in case that

    (∂b(x, µ̃, t)/∂z) g(z) = (∂b(x, µ̃, t)/∂x_x) cos(θ) + (∂b(x, µ̃, t)/∂x_y) sin(θ)

is equal to the zero vector, i.e., when ∂b(x, µ̃, t)/∂x and [cos(θ) sin(θ)]^T are perpendicular. Theorem 2, however, assumes feasibility of (7) for all (z, t) ∈ D × (s_j, s_{j+1}) by a continuous feedback control law u(z, t). To avoid an involved control design necessitating discontinuous or time-varying feedback control laws [26, Chapter 4], we use a near-identity diffeomorphism as in [27], [28] and provide a continuous control law u(z, t) that solves a related control problem. First, introduce the coordinate transformation

    p := x + lR(θ)e

where l > can be set arbitrarily small to approximate the original coordinates with the needed precision. Also,

    R(θ) := [ cos(θ)  −sin(θ)
              sin(θ)   cos(θ) ]

and e := [ ]^T. Note that ẋ = f_x(z) + R(θ)e u + c_x(z, t) so that we can derive that

    ṗ = f_x(z) + g_p(z)u + c_x(z, t)

where

    g_p(z) := [ cos(θ)  −sin(θ) l
                sin(θ)   cos(θ) l ]

has full rank [27, Lem. 1]. We now construct b(p, µ̃, t) based on the near-identity diffeomorphism inducing p. Consider the modified predicate

    µ̄^STL_m(x(t), µ̃) := ⊤  if h_m(x(t), µ̃) − c_m − χ_m ≥ ,
                        ⊥  otherwise                       (8)

for χ_m > . The STL formula ϕ is now transformed into the STL formula ϕ̄ by replacing each predicate µ^STL_m(x(t), µ̃) in ϕ by µ̄^STL_m(x(t), µ̃). We first choose a sufficiently small χ_m for each m ∈ { , . . . , M} so that Assumption 2 holds for the modified predicate function h_m(p, µ̃) − c_m − χ_m and ϕ̄ and then construct b(p, µ̃, t) for ϕ̄ as in [14]. We remark that we do not induce any conservatism with respect to the construction of b(p, µ̃, t) as compared to b(x, µ̃, t) and that choosing such χ_m is always possible. Note next that each h_m(x, µ̃) is locally Lipschitz continuous with Lipschitz constant L^m_h on the domain D so that |h_m(x, µ̃) − h_m(p, µ̃)| ≤ L^m_h l. After choosing χ_m, we choose l ≤ χ_m / L^m_h for each m ∈ { , . . . , M}, i.e., l is such that p approximates x sufficiently accurately. Consequently, h_m(p, µ̃) − c_m − χ_m ≥ implies h_m(x, µ̃) − c_m ≥ .

Theorem 3: Let the design parameters c_m be so that Assumptions 2 and 3 hold, set χ_m and l as instructed above, and let b(p, µ̃, t) be constructed for ϕ̄ as in [14]. If α is as in [14, Lemma 4], then the control law u(z, t) given as

    u(z, t) := argmin_{u ∈ R^m} u^T u                                                                   (9a)
    (∂b(p, µ̃, t)/∂p) (f_x(z) + g_p(z)u) + ∂b(p, µ̃, t)/∂t ≥ −α b(p, µ̃, t) + ‖∂b(p, µ̃, t)/∂p‖ C,      (9b)

ensures ρ^φ(x, X, ≥ r for some r ≥ , i.e., (x, X, ⊨ φ.

Remark 2: By defining B(z, µ̃, t) := −(∂b(p, µ̃, t)/∂p) f_x(z) − ∂b(p, µ̃, t)/∂t − α b(p, µ̃, t) + ‖∂b(p, µ̃, t)/∂p‖ C and B(z, µ̃, t) := (∂b(p, µ̃, t)/∂p) g_p(z), the control law u(z, t) can be written as [29]

    u(z, t) := B(z, µ̃, t) B(z, µ̃, t) B(z, µ̃, t) B(z, µ̃, t)^T  if B(z, µ̃, t) < ,
               otherwise.

D. Minimizing Risk via Low-Level Control Robustness
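A unicycle steered by the min-norm solution of the single linear constraint (9b) in the transformed coordinates p, as an added example (not the authors' simulation code). The barrier b(p, t) = h̄(p) − γ(t) with a linearly increasing γ, the goal disc, the disturbance, and the values of α, C, χ and l are all constructed here; f is taken as zero and the names B1, B2 are local to this sketch.

```python
import math

# Constructed scenario (all values are assumptions, not taken from the paper).
GOAL, RHO, T_END = (3.0, 2.0), 1.0, 10.0  # reach ||x - GOAL|| <= RHO by T_END
CHI = 0.2        # tightening chi_m of the modified predicate (8)
L_OFF = 0.05     # offset l of p = x + l R(theta) e; l <= CHI / L_h, L_h = 2 * RHO
ALPHA = 1.0      # gain alpha in (9b)
C_BOUND = 0.4    # known bound C on the disturbance norm


def sat(v):
    return max(-1.0, min(1.0, v))


def disturbance(x, y):
    """c_x(z, t): unknown to the controller, norm <= 0.2 * sqrt(2) < C_BOUND."""
    return -0.2 * sat(x), -0.2 * sat(y)


def to_p(z):
    """Near-identity diffeomorphism: a point at distance l ahead of the axle."""
    x, y, th = z
    return x + L_OFF * math.cos(th), y + L_OFF * math.sin(th)


def h_bar(p):
    """Concave tightened predicate function h(p) - chi for 'inside the disc'."""
    return RHO ** 2 - (p[0] - GOAL[0]) ** 2 - (p[1] - GOAL[1]) ** 2 - CHI


def control(z, t, gamma0):
    """Min-norm u with B2 u >= B1, i.e. (9b) for b(p, t) = h_bar(p) - gamma(t)."""
    slope = -gamma0 / T_END
    gamma, dgamma = (gamma0 + slope * t, slope) if t < T_END else (0.0, 0.0)
    p, th = to_p(z), z[2]
    grad = (-2.0 * (p[0] - GOAL[0]), -2.0 * (p[1] - GOAL[1]))  # db/dp
    b = h_bar(p) - gamma
    # With f = 0 and db/dt = -dgamma, (9b) reads B2 u >= B1.
    B1 = dgamma - ALPHA * b + math.hypot(*grad) * C_BOUND
    # B2 = (db/dp) g_p(z) with g_p = [[cos, -l sin], [sin, l cos]].
    B2 = (grad[0] * math.cos(th) + grad[1] * math.sin(th),
          L_OFF * (-grad[0] * math.sin(th) + grad[1] * math.cos(th)))
    n2 = B2[0] ** 2 + B2[1] ** 2
    if B1 <= 0.0 or n2 < 1e-12:
        return (0.0, 0.0), b          # constraint already satisfied by u = 0
    return (B1 * B2[0] / n2, B1 * B2[1] / n2), b


def simulate(dt=1e-3):
    """Forward-Euler rollout; returns the smallest b seen and the final error."""
    z = (0.0, 0.0, 0.0)
    gamma0 = h_bar(to_p(z)) - 1.0     # so that b(p(0), 0) = 1 > 0
    min_b = float("inf")
    for k in range(int(round(T_END / dt))):
        (u1, u2), b = control(z, k * dt, gamma0)
        min_b = min(min_b, b)
        cx, cy = disturbance(z[0], z[1])
        z = (z[0] + dt * (u1 * math.cos(z[2]) + cx),
             z[1] + dt * (u1 * math.sin(z[2]) + cy),
             z[2] + dt * u2)
    _, b_final = control(z, T_END, gamma0)
    dist = math.hypot(z[0] - GOAL[0], z[1] - GOAL[1])
    return {"min_b": min(min_b, b_final), "final_dist": dist, "z": z}


if __name__ == "__main__":
    print(simulate())
```

Because g_p(z) has full rank, B2 vanishes only where ∂b/∂p does, so the division stays well defined along this trajectory even when the heading is perpendicular to the gradient; the margin χ absorbs the offset l between p and the true position x.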
To increase robustness, one can now aim at maximizing r . One idea to do so is to find the set of c m that resultsin the largest r . This may result in a tidious search iteratingbetween adjusting the set of c m , checking Assumptions 2 and3, and comparing r . Another idea, possibly not obtaining thebest r but still maximizing r to some extent, is to obtain a setof c m so that Assumptions 2 and 3 hold. We then construct b ( p , ˜ µ , t ) and α as in Theorem 3 and solve, instead of (9), (cid:0) u ( z , t ) , ǫ ( z , t ) (cid:1) := argmin ( u ,ǫ ) ∈ R m × R ≥ u T u − ǫ (10a) R X R X O X O µ STL1 µ STL2 µ STL3 µ STL7 µ STL6 µ STL5 µ STL4 x (0) Fig. 2: The RiSTL task φ imposes to avoid obstacles in-dicated by X O and X O with a risk less than or equalto zero and to reach regions indicated by X R and X R with a probability greater than or equal to . . The redSTL predicates are associated with the STL task ϕ that, ifsatisfied, guarantees satisfaction of the RISTL task φ . ∂ b ( p , ˜ µ , t ) ∂ p ( f x ( z ) + g p ( z ) u ) + ∂ b ( p , ˜ µ , t ) ∂t ≥ − α b ( p , ˜ µ , t ) + (cid:13)(cid:13)(cid:13) ∂ b ( p , ˜ µ , t ) ∂ p (cid:13)(cid:13)(cid:13) C + ǫ (10b)in order to put some extra robustness margin into the righthand side of (10b) through ǫ , resulting in extra robustness of u ( z , t ) . Note that (10) is again a convex quadratic programthat is feasible for each ( z , t ) ∈ D × R ≥ . It can, similarlyto the proof of Theorem 3, be shown that u ( z , t ) is againcontinuous. Furthermore, let ǫ r := inf ( z ,t ) ∈ D × R ≥ ǫ ( z , t ) and C r ( ˜ µ , t ) := { p ∈ R n | b ( p , ˜ µ , t ) ≥ ǫ r / α } . Lemma 4:
The control law u ( z , t ) in (10) renders the set C r ( ˜ µ , t ) forward invariant and attractive.One may want to put more emphasis on maximizing ǫ r (which correlates with r as we show in the remainder) byintroducing weights into (10a) constituting a trade-off withreducing the control input. We next establish the connectionbetween the transformed coordinates p and the real position x of the system in (4) so that we can find a lower bound on r based on C r ( ˜ µ , t ) . Therefore, we need the following result. Corollary 1:
The control law u ( z , t ) in (10) results in ρ ϕ ( x , ˜ µ , ≥ ǫ r / α if p (0) ∈ C r ( ˜ µ , t ) .Let us next define X r m ( c m ) := { x ∈ B | h m ( x , ˜ µ ) − c m ≥ ǫ r / α } for which X r m ( c m ) ⊆ X m ( c m ) with strict inclusion if ǫ r > . Based on X r m ( c m ) , let r m := sup r ∈ R r s.t. CSwhere CS ∈ { X Ch m ( r + δ m ) ⊇ X r m ( c m ) , X EV m ( γ m − r ) ⊇ X r m ( c m ) , X VaR m ( β m , γ m − r ) ⊇ X r m ( c m ) , X CVaR m ( β m , γ m − r ) ⊇ X r m ( c m ) } depending on the type of the predicate. Letus also define r := min( r , . . . , r M ) so that the next resultfollows by by Corollary 1 and the definitions of X r m ( c m ) , r ,and the quantitative semantics of φ . Theorem 4:
The control law $u(z,t)$ in (10) results in $\rho^{\phi}(x, \tilde{\mu}, \ge r$.

IV. SIMULATIONS
Consider the dynamics in (4) with f ( z ) := and c ( z ) := 0 . · [ − sat ( x x ) − sat ( x y ) 0 ] T with x := [ x x x y ] T ∈ R and where sat ( x ) = x if | x | ≤ and sat ( x ) = 1 otherwise so that C = 0 . . Furthermore, let X := [ X TO X TO X TR X TR ] = [ X O ,y X O ,x X O ,y X R ,x X R ,y X R ,x X R ,y ] T where X ∼ N ( ˜ µ , ˜Σ) with ˜ µ := [ 10 5 8 8 9 2 9 ] T and ˜Σ := diag (0 . , . , . , . , . , . , . . Let φ := F [0 , ( φ Pr R ∧ F [0 , φ Pr R ) ∧ G [0 , ( φ Ri O ∧ φ Ri O ) where φ Pr R := µ Pr and φ Pr R := µ Pr denote the probability of reaching regions indicated by X R and X R and φ Ri O := µ Ri and φ Ri O := µ Ri ∨ µ Ri ∨ µ Ri ∨ µ Ri encode the risk of colliding with obstacles indicated by X O and X O . We use δ := δ := 0 . and γ m := 0 and β m := 0 . for each m ∈ { , . . . , } while using CVaR. We obtain X Ch m ( δ m ) ⊇ X m ( c m ) for m ∈ { , } if c m := 0 . and X CVaR m ( β m , γ m ) ⊇ X m ( c m ) for m ∈ { , . . . , } if c m := 0 . . This implies that Assumption 3 holds. See also Fig. 2 for an illustration of the obtained tightened STL predicates µ STL , . . . µ STL used to transform φ into ϕ (see (6)), which is then transformed into ¯ ϕ by means of ¯ µ STL , . . . ¯ µ STL for control (see (8)). Note now that φ cannot be encoded using the fragment in (5). We here use, however, the automata-based approach in [12] to decompose ¯ ϕ into subtasks ¯ ϕ i := G [0 ,b ] µ STLinv ,i ∧ F [ b ] µ STLreach ,i with i ∈ { , . . . , } and where each ¯ ϕ i can be encoded using the fragment in (5). Then sequentially satisfying each ¯ ϕ i guarantees satisfaction of ¯ ϕ , and consequently satisfaction of φ . For an initial condition x (0) such that x (0) | = µ STLinit where µ STLinv ,i := ¯ µ STL ∧ ¯ µ STL ∧ ¬ ¯ µ STL ∧ ¬ ¯ µ STL ∧ ¬ ¯ µ STL , the algorithm in [12] provides the sequence indicated by the blue waypoints in Fig. 2. For instance, the first trajectory is constrained by µ STLinv , := µ STLinit , µ STLreach , := ¯ µ STL ∧ ¯ µ STL ∧ ¬ ¯ µ STL ∧ ¬ ¯ µ STL ∧ ¯ µ STL , and b := 1 . . Note in Fig. 2 that the system is never allowed to go around the obstacle X O from above, which is deemed too risky. The simulation results are shown in Fig. 3 where, for each ¯ ϕ i , (10) has been solved. For i = 1 , we obtain ǫ r = 2 . and it is visible that the system always tries to maximize r and hence the distance to the obstacles (see for instance the trajectory from . to . s).

V. CONCLUSION
In this paper, we present risk signal temporal logic (RiSTL), an extension to signal temporal logic, by composing risk metrics, which have extensively been used in finance, with stochastic predicates, the atomic logical elements. This allows quantifying the risk by which a predicate, and hence a specification, is not satisfied. The nonholonomic control system at hand operates in a stochastic environment. We show that the arising stochastic control problem, in which the control system is subject to an RiSTL specification, can be transformed into a deterministic control problem, which we solve by using time-varying control barrier functions.

Footnote: In particular, for ǫ := 0 . and ǫ := 0 . we define h ( x , X ) := ǫ − ‖ x − X R ‖ , h ( x , X ) := ǫ − ‖ x − X R ‖ , h ( x , X ) := − x y + X O ,y , h ( x , X ) := − x x + X O ,x − ǫ , h ( x , X ) := x x − X O ,x − ǫ , h ( x , X ) := x y − X O ,y − ǫ , and h ( x , X ) := − x y + X O ,y − ǫ .

Fig. 3: Simulation results.

APPENDIX
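The tightening step used in the simulations (choosing c_m so that the chance or CVaR set contains X_m(c_m)) and the shift argument in the proof of Lemma 2 can be checked numerically. The following Python code is an added example, not code from the paper: it assumes a predicate h_m(x, X) = v^T x + w^T X that is linear in a Gaussian X, takes X_m(c_m) = {x : h_m(x, mu) >= c_m}, uses the standard Gaussian closed forms for VaR and CVaR, and all function names and numbers in it are constructed.

```python
import random
from statistics import NormalDist

STD = NormalDist()  # standard normal: cdf, pdf, inv_cdf

def risk(kind, h_mean, sigma, beta=0.9):
    """Value for the loss -h_m(x, X) ~ N(-h_mean, sigma^2), h_mean = h_m(x, mu).

    "Ch" returns the probability P(h_m(x, X) >= 0); the others return a risk.
    """
    z = STD.inv_cdf(beta)
    if kind == "Ch":
        return STD.cdf(h_mean / sigma)
    if kind == "EV":
        return -h_mean
    if kind == "VaR":
        return -h_mean + sigma * z
    if kind == "CVaR":  # Gaussian closed form of E[loss | loss >= VaR]
        return -h_mean + sigma * STD.pdf(z) / (1.0 - beta)
    raise ValueError(kind)

def tightening(kind, sigma, gamma=0.0, beta=0.9, delta=0.9):
    """Smallest c_m for which h_m(x, mu) >= c_m implies the stochastic predicate."""
    if kind == "Ch":  # Phi(h_mean / sigma) >= delta
        return sigma * STD.inv_cdf(delta)
    # Each risk is -h_mean + offset, so risk <= gamma iff h_mean >= offset - gamma.
    return risk(kind, 0.0, sigma, beta) - gamma

def worst_case(kind, points, v, w_mu, sigma, beta=0.9):
    """Worst value over candidate positions and the position x* attaining it."""
    def h_mean(x):
        return sum(vi * xi for vi, xi in zip(v, x)) + w_mu
    pick = min if kind == "Ch" else max  # lowest probability or highest risk
    x_star = pick(points, key=lambda x: risk(kind, h_mean(x), sigma, beta))
    return risk(kind, h_mean(x_star), sigma, beta), x_star

def empirical_cvar(h_mean, sigma, beta, n=100_000, seed=0):
    """Sample-based CVaR of -h_m, only to cross-check the closed form."""
    rng = random.Random(seed)
    losses = sorted(-rng.gauss(h_mean, sigma) for _ in range(n))
    tail = losses[int(beta * n):]
    return sum(tail) / len(tail)

if __name__ == "__main__":
    # Constructed numbers: obstacle edge X_Oy with mean 5 and std 0.5, predicate
    # h(x, X) = -x_y + X_Oy, i.e. v = (0, -1) and h'(X) = X_Oy.
    v, w_mu, sigma, beta, gamma = (0.0, -1.0), 5.0, 0.5, 0.9, 0.0
    c = tightening("CVaR", sigma, gamma, beta)
    # Grid of positions inside X_m(c) = {x : -x_y + 5 >= c}.
    grid = [(i * 0.5, 5.0 - c - j * 0.25) for i in range(5) for j in range(5)]
    print("c_m =", round(c, 4))
    print("worst CVaR, x* =", worst_case("CVaR", grid, v, w_mu, sigma, beta))
```

The worst case over the grid sits on the boundary of X_m(c_m), at the point minimizing v^T x, which is the x* of the proof of Lemma 2.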
Proof of Lemma 2:
Note that $-h_m(x, X)$ has mean $\tilde{\mu}_{-h_m}(x) := -v^T x - E[h'(X)]$ and variance $\tilde{\Sigma}_{-h_m}$, which is a function of $h'(X)$ that does not depend on $x$. Let $F_{-h_m}(h, x)$ be the cumulative distribution function of $-h_m(x, X)$ with $F_{-h_m}(h, x) = P(-v^T x - h'(X) \le h) = P(-h'(X) \le h + v^T x) = F_{-h'}(h + v^T x)$ where $F_{-h'}(h + v^T x)$ is the cumulative distribution function of $-h'(X)$. Hence, $p_{-h_m}(h, x) = p_{-h'}(h + v^T x)$, i.e., $p_{-h_m}(h, x)$ is of the same type for each $x$, only shifted by $v^T x$.

Ch) Note that $X^{\mathrm{Ch}}_m(\delta_m) \supseteq X_m(c_m)$ if and only if $\min_{x \in X_m(c_m)} P(h_m(x, X) \ge\ \ge \delta_m$ by definition. Now

$$\operatorname*{argmin}_{x \in X_m(c_m)} P(h_m(x, X) \ge 0) = \operatorname*{argmin}_{x \in X_m(c_m)} P(-h_m(x, X) \le \ \operatorname*{argmin}_{x \in X_m(c_m)} P(-h'(X) \le v^T x) = \operatorname*{argmin}_{x \in X_m(c_m)} F_{-h'}(v^T x) \overset{(a)}{=} \operatorname*{argmin}_{x \in X_m(c_m)} v^T x = x^*$$

where (a) holds since $F_{-h'}(v^T x)$ is nondecreasing. Hence, $\min_{x \in X_m(c_m)} P(h_m(x, X) \ge 0) = P(h_m(x^*, X) \ge$ .

EV) Note that $X^{\mathrm{EV}}_m(\gamma_m) \supseteq X_m(c_m)$ if and only if $\max_{x \in X_m(c_m)} E[-h_m(x, X)] \le \gamma_m$ by definition. Now

$$\operatorname*{argmax}_{x \in X_m(c_m)} E[-h_m(x, X)] = \operatorname*{argmax}_{x \in X_m(c_m)} \int_{-\infty}^{\infty} h\, p_{-h_m}(h, x)\, \mathrm{d}h = \operatorname*{argmax}_{x \in X_m(c_m)} \int_{-\infty}^{\infty} h\, p_{-h'}(h + v^T x)\, \mathrm{d}h \overset{(b)}{=} \operatorname*{argmin}_{x \in X_m(c_m)} v^T x = x^*$$

where (b) holds since $x^*$ maximizes $p_{-h'}(h + v^T x)$ for each $h \in (-\infty, \infty)$, which maximizes the integral. Consequently, $\max_{x \in X_m(c_m)} E[-h_m(x, X)] = E[-h_m(x^*, X)]$.

VaR) Note that $X^{\mathrm{VaR}}_m(\beta_m, \gamma_m) \supseteq X_m(c_m)$ if and only if $\max_{x \in X_m(c_m)} \mathrm{VaR}_{\beta_m}(-h_m(x, X)) \le \gamma_m$ by definition. Now

$$\operatorname*{argmax}_{x \in X_m(c_m)} \mathrm{VaR}_{\beta_m}(-h_m(x, X)) = \operatorname*{argmax}_{x \in X_m(c_m)} \min(d \in \mathbb{R} \mid P(-h_m(x, X) \le d) \ge \beta_m) = \operatorname*{argmax}_{x \in X_m(c_m)} \min(d \in \mathbb{R} \mid F_{-h'}(d + v^T x) \ge \beta_m) = \operatorname*{argmax}_{x \in X_m(c_m)} h^* - v^T x = \operatorname*{argmin}_{x \in X_m(c_m)} v^T x = x^*$$

where $h^* := \min(d \in \mathbb{R} \mid F_{-h'}(d) \ge \beta_m)$. Hence, $\max_{x \in X_m(c_m)} \mathrm{VaR}_{\beta_m}(-h_m(x, X)) = \mathrm{VaR}_{\beta_m}(-h_m(x^*, X))$.

CVaR) Note that $X^{\mathrm{CVaR}}_m(\beta_m, \gamma_m) \supseteq X_m(c_m)$ if and only if $\max_{x \in X_m(c_m)} \mathrm{CVaR}_{\beta_m}(-h_m(x, X)) \le \gamma_m$. Noting $p_{-h_m}(h, x) = p_{-h'}(h + v^T x)$, it holds that $\operatorname*{argmax}_{x \in X_m(c_m)} \mathrm{CVaR}_{\beta_m}(-h_m(x, X)) = \operatorname*{argmax}_{x \in X_m(c_m)} \mathrm{VaR}_{\beta_m}(-h_m(x, X)) = x^*$. Consequently, $\max_{x \in X_m(c_m)} \mathrm{CVaR}_{\beta_m}(-h_m(x, X)) = \mathrm{CVaR}_{\beta_m}(-h_m(x^*, X))$.

Note also that $\operatorname*{argmin}_{x \in X_m(c_m)} v^T x$ is a convex program and that $x^*$ is finite.

Proof of Theorem 1:
Due to Assumption 3, $x \in X_m(c_m)$ implies $x \in X^{\mathrm{Pr}}_m(\delta_m)$, $x \in X^{\mathrm{EV}}_m(\gamma_m)$, $x \in X^{\mathrm{VaR}}_m(\beta_m, \gamma_m)$, or $x \in X^{\mathrm{CVaR}}_m(\beta_m, \gamma_m)$ depending on the type of the predicate $m$. Since the semantics of STL and RiSTL only differ on the predicate level, $(x, X, \models \varphi$ implies $(x, X, \models \phi$.

Proof of Lemma 3:
The proof follows by the definitions of $P(h_m(x, X) \ge$ , $E[-h_m(x, X)]$, $\mathrm{VaR}_{\beta}(-h_m(x, X))$, and $\mathrm{CVaR}_{\beta}(-h_m(x, X))$ and noting that all $x$ that satisfy $v^T x = d$ for some $d \in \mathbb{R}$ result in the same $P(h_m(x, X) \ge$ , $E[-h_m(x, X)]$, $\mathrm{VaR}_{\beta}(-h_m(x, X))$, and $\mathrm{CVaR}_{\beta}(-h_m(x, X))$, respectively. In other words, the level sets of $P(h_m(x, X) \ge$ , $E[-h_m(x, X)]$, $\mathrm{VaR}_{\beta}(-h_m(x, X))$, and $\mathrm{CVaR}_{\beta}(-h_m(x, X))$ form again hyperplanes with normal vector $v$. Noting that the level sets of $X_m(c_m)$ also result in a hyperplane with normal vector $v$ that can be shifted by $c_m$ completes the proof.

Proof of Theorem 2:
Recall that $z(t) := [x(t)^T\ \theta(t)]^T$. Since $u(z,t)$ is continuous, there exist solutions $z: [0, \tau_{\max}) \to D$ to (4) with $\tau_{\max} >$ . Now, (7) implies $\frac{\partial b(x,\tilde{\mu},t)}{\partial z}\big(f(z) + g(z)u(z,t) + c(z,t)\big) + \frac{\partial b(x,\tilde{\mu},t)}{\partial t} \ge -\alpha b(x,\tilde{\mu},t)$ so that, for all $t \in (0, \min(\tau_{\max}, s))$, $\dot{b}(x(t),\tilde{\mu},t) \ge -\alpha b(x(t),\tilde{\mu},t)$. Due to Lemma 1, the Comparison Lemma [30, Ch. 3.4], and since $b(x(0), \tilde{\mu}, \ge$ , it follows that $b(x(t),\tilde{\mu},t) \ge$ , i.e., $x(t) \in C(\tilde{\mu},t)$, for all $t \in [0, \min(\tau_{\max}, s))$. If $\tau_{\max} \ge s$, it holds $x(t) \in C(\tilde{\mu},t)$ for all $t \in [s, \min(\tau_{\max}, s))$. By [14], for each $s_j$ with $j \in \{ , \ldots, q\}$, it holds that $\lim_{\tau \to s_j^-} C(\tilde{\mu},\tau) \supseteq C(\tilde{\mu},s_j)$ where $\lim_{\tau \to s_j^-} C(\tilde{\mu},\tau)$ is the left-sided limit of $C(\tilde{\mu},t)$ at $t = s_j$. It hence holds that $x(s) \in C(\tilde{\mu},s)$. This argument can be repeated unless $\tau_{\max} < s_j$ for some $j$; however, $b(x(t),\tilde{\mu},t) \ge$ implies that $x(t) \in B$ for the compact set $B \subset \mathbb{R}^n$ and for all $t \in [0, \tau_{\max})$. Similarly, $\theta(t)$ will be contained in a compact set since $f_\theta(z)$ and $c_\theta(z,t)$ are bounded so that $\tau_{\max} = \infty$ [30, Thm. 3.3]. By [13], $x(t) \in C(\tilde{\mu},t)$ for all $t \ge$ so that $(x, \tilde{\mu}, \models \varphi$, i.e., $\rho^{\varphi}(x, \tilde{\mu}, \ge r'$ for some $r' \ge$ . Hence, $(x, \tilde{\mu}, \models \phi$, i.e., $\rho^{\phi}(x, \tilde{\mu}, \ge r$ for some $r \ge$ , by Theorem 1.

Proof of Theorem 3: The near-identity diffeomorphism results in (9) being always feasible, as opposed to the case where the constraint (7) would have been used instead of (9b). In particular, if $(z,t) \in \mathbb{R} \times (s_j, s_{j+1})$ with $\frac{\partial b(p,\tilde{\mu},t)}{\partial p} g_p(z) =$ , (9) is feasible and $u(z,t)$ is locally Lipschitz continuous at $(z,t)$ [31, Thm. 8]. Note that $\frac{\partial b(p,\tilde{\mu},t)}{\partial p} g_p(z) =$ if and only if $\frac{\partial b(p,\tilde{\mu},t)}{\partial p} =$ since $g_p(z)$ has full rank. If $(z,t) \in \mathbb{R} \times (s_j, s_{j+1})$ with $\frac{\partial b(p,\tilde{\mu},t)}{\partial p} =$ , (9b) is satisfied since $\frac{\partial b(p,\tilde{\mu},t)}{\partial t} \ge -\alpha b(p,\tilde{\mu},t) + \chi$ for some $\chi >$ due to the choice of $\alpha$ so that $u(z,t) :=$ . Due to continuity of $\frac{\partial b(p,\tilde{\mu},t)}{\partial t}$ and $\alpha b(p,\tilde{\mu},t)$, there exists a neighborhood $U$ around $(p,t)$ so that, for each $(p',t') \in U$, $\frac{\partial b(p',\tilde{\mu},t')}{\partial t} \ge -\alpha b(p',\tilde{\mu},t')$ and consequently $u(p',t') =$ . Hence, $u(z,t)$ is continuous on $\mathbb{R} \times (s_j, s_{j+1})$ so that, similarly to the proof of Theorem 2, $\rho^{\bar{\varphi}}(p, \tilde{\mu}, \ge$ which implies $\rho^{\varphi}(p, \tilde{\mu}, \ge \min(\chi , \ldots, \chi_M)$ by (6) and (8) and the syntax of $\phi$ (and consequently $\varphi$) in (5) that exclude disjunctions and negations. By the choice of $l$, this implies $(x, \tilde{\mu}, \models \varphi$ so that again $(x, X, \models \phi$, i.e., $\rho^{\phi}(x, X, \ge r$ for some $r \ge$ , as in the proof of Theorem 4.

Proof of Lemma 4:
First note that, for each solution $p: \mathbb{R}_{\ge} \to \mathbb{R}^n$ that arises under $u(z,t)$, $\dot{b}(p(t),\tilde{\mu},t) \ge -\alpha b(p(t),\tilde{\mu},t) + \epsilon_r$ due to (10b). Due to Lemma 1 and the Comparison Lemma [30, Ch. 3.4] it follows that $p(t) \in C_r(\tilde{\mu},t)$ for all $t \ge$ if $p(0) \in C_r(\tilde{\mu},$ , i.e., $C_r(\tilde{\mu},t)$ is rendered forward invariant by means of $u(z,t)$. Attractivity of $C_r(\tilde{\mu},t)$ under $u(z,t)$ follows similarly due to Lemma 1.

Proof of Corollary 1:
Due to Lemma 4 and since $p(0) \in C_r(\tilde{\mu},t)$, it holds that $b(p(t),\tilde{\mu},t) \ge \epsilon_r/\alpha$ for all $t \ge$ . By the construction of $b(p,\tilde{\mu},t)$ and [13] it follows that $\rho^{\bar{\varphi}}(p, \tilde{\mu}, \ge \min(\chi , \ldots, \chi_M) + \epsilon_r/\alpha$. Note again that, for each $m \in \{ , \ldots, M\}$, $h_m(p,\tilde{\mu}) - c_m - \chi_m \ge \epsilon_r/\alpha$ implies $h_m(x,\tilde{\mu}) - c_m > \epsilon_r/\alpha$ by the choice of $l$. This, consequently, results in $\rho^{\varphi}(x, \tilde{\mu}, \ge \epsilon_r/\alpha$.

Footnote: See [14, Lemma 4] for details on the choice of $\alpha$. The intuition is that $b(p,\tilde{\mu},t)$ is concave in $p$ so that $\frac{\partial b(p,\tilde{\mu},t)}{\partial p} =$ only happens at the global optimum $p^*$ where $b(p^*,\tilde{\mu},t) >$ . Then choosing $\alpha$ large enough ensures that $\frac{\partial b(p^*,\tilde{\mu},t)}{\partial t} \ge -\alpha b(p^*,\tilde{\mu},t) + \chi$ for some $\chi >$ .

REFERENCES

[1] H. Kress-Gazit, G. E. Fainekos, and G. J. Pappas, “Temporal-logic-based reactive mission and motion planning,” IEEE Trans. Robot., vol. 25, no. 6, pp. 1370–1381, 2009.
[2] M. Kloetzer and C. Belta, “A fully automated framework for control of linear systems from temporal logic specifications,” IEEE Trans. Autom. Control, vol. 53, no. 1, pp. 287–297, 2008.
[3] Y. Kantaros and M. M. Zavlanos, “Sampling-based optimal control synthesis for multirobot systems under global temporal tasks,” IEEE Trans. Autom. Control, vol. 64, no. 5, pp. 1916–1931, 2018.
[4] O. Maler and D. Nickovic, “Monitoring temporal properties of continuous signals,” in Proc. Int. Conf. FORMATS FTRTFT, Grenoble, France, September 2004, pp. 152–166.
[5] A. Donzé and O. Maler, “Robust satisfaction of temporal logic over real-valued signals,” in Proc. Int. Conf. FORMATS, Klosterneuburg, Austria, September 2010, pp. 92–106.
[6] G. E. Fainekos and G. J. Pappas, “Robustness of temporal logic specifications for continuous-time signals,” Theoret. Comp. Science, vol. 410, no. 42, pp. 4262–4291, 2009.
[7] V. Raman et al., “Model predictive control with signal temporal logic specifications,” in Proc. Conf. Decis. Control, Los Angeles, CA, December 2014, pp. 81–87.
[8] Y. Pant et al., “Fly-by-logic: control of multi-drone fleets with temporal logic objectives,” in Proc. Int. Conf. Cyber-Physical Syst., Porto, Portugal, April 2018, pp. 186–197.
[9] N. Mehdipour, C. Vasile, and C. Belta, “Arithmetic-geometric mean robustness for control from signal temporal logic specifications,” in Proc. Am. Control Conf., Philadelphia, PA, July 2019, pp. 1690–1695.
[10] P. Varnai and D. V. Dimarogonas, “Prescribed performance control guided policy improvement for satisfying signal temporal logic tasks,” in Proc. Am. Control Conf. IEEE, 2019, pp. 286–291.
[11] D. Aksaray, A. Jones, Z. Kong, M. Schwager, and C. Belta, “Q-learning for robust satisfaction of signal temporal logic specifications,” in Proc. Conf. Decis. Control, Las Vegas, NV, December 2016, pp. 6565–6570.
[12] L. Lindemann and D. V. Dimarogonas, “Efficient automata-based planning and control under spatio-temporal logic specifications,” in Proc. Am. Control Conf. (accepted, available under arXiv preprint arXiv:1909.11159), Denver, CO, July 2020.
[13] ——, “Control barrier functions for signal temporal logic tasks,” IEEE Control Syst. Lett., vol. 3, no. 1, pp. 96–101, 2019.
[14] ——, “Decentralized control barrier functions for coupled multi-agent systems under signal temporal logic tasks,” in Proc. Europ. Control Conf., Naples, Italy, June 2019, pp. 89–94.
[15] Y. Kantaros and G. Pappas, “Optimal temporal logic planning for multi-robot systems in uncertain semantic maps,” in Proc. Int. Conf. Intel. Robots Syst., Macau, Hong Kong, November 2019, pp. 4127–4132.
[16] M. Guo and D. V. Dimarogonas, “Multi-agent plan reconfiguration under local ltl specifications,” Int. Journal Robot. Research, vol. 34, no. 2, pp. 218–235, 2015.
[17] M. Lahijanian, M. R. Maly, D. Fried, L. E. Kavraki, H. Kress-Gazit, and M. Y. Vardi, “Iterative temporal planning in uncertain environments with partial satisfaction guarantees,” IEEE Trans. Robot., vol. 32, no. 3, pp. 583–599, 2016.
[18] J. Fu, N. Atanasov, U. Topcu, and G. J. Pappas, “Optimal temporal logic planning in probabilistic semantic maps,” in Proc. Int. Conf. Robot. Autom., Stockholm, Sweden, May 2016, pp. 3690–3697.
[19] S. L. Bowman, N. Atanasov, K. Daniilidis, and G. J. Pappas, “Probabilistic data association for semantic slam,” in Proc. Int. Conf. Robot. Autom., Singapore, May 2017, pp. 1722–1729.
[20] G. Pavlakos, X. Zhou, A. Chan, K. G. Derpanis, and K. Daniilidis, “6-dof object pose from semantic keypoints,” in Proc. Int. Conf. Robot. Autom., Marina Bay Sands, Singapore, May 2017, pp. 2011–2018.
[21] S. S. Farahani, R. Majumdar, V. S. Prabhu, and S. Soudjani, “Shrinking horizon model predictive control with signal temporal logic constraints under stochastic disturbances,” IEEE Trans. Autom. Control, 2018.
[22] D. Sadigh and A. Kapoor, “Safe control under uncertainty with probabilistic signal temporal logic,” in Proc. of Robotics: Science and Systems, Ann Arbor, Michigan, June 2016.
[23] A. Majumdar and M. Pavone, “How should a robot assess risk? towards an axiomatic theory of risk in robotics,” in Robotics Research. Springer, 2020, pp. 75–84.
[24] R. T. Rockafellar, S. Uryasev et al., “Optimization of conditional value-at-risk,” Journal of risk, vol. 2, pp. 21–42, 2000.
[25] S. Boyd and L. Vandenberghe, Convex optimization, 1st ed. New York, NY: Cambridge university press, 2004.
[26] D. Liberzon, Switching in systems and control, 1st ed. New York, NY: Springer Science & Business Media, 2003.
[27] R. Olfati-Saber, “Near-identity diffeomorphisms and exponential ε-tracking and ε-stabilization of first-order nonholonomic SE(2) vehicles,” in Proc. Amer. Control Conf., Anchorage, AK, May 2002, pp. 4690–4695.
[28] A. De Luca, G. Oriolo, and M. Vendittelli, “Control of wheeled mobile robots: An experimental overview,” in Ramsete. Springer, 2001, pp. 181–226.
[29] R. Freeman and P. V. Kokotovic, Robust nonlinear control design: state-space and Lyapunov techniques. Springer Science & Business Media, 2008.
[30] H. K. Khalil, Nonlinear Systems, 2nd ed. Englewood Cliffs, NJ: Prentice-Hall, 1996.
[31] X. Xu, P. Tabuada, J. W. Grizzle, and A. D. Ames, “Robustness of control barrier functions for safety critical control,” in