SafeDec: Constrained Decoding for Safe Autoregressive Generalist Robot Navigation Policies

Carnegie Mellon University; Toyota InfoTech Labs
Accepted to International Conference on Machine Learning (ICML), 2026

SafeDec biases action selection on-the-fly so that robot trajectories provably satisfy user-defined STL safety and mission constraints—no model fine-tuning or retraining necessary. Around 0:07, constrained decoding prevents the model from entering the room due to the geofence specification. The model then finds an alternate route and explores other rooms before locating the target object (an apple).

Abstract

Recent advances in end-to-end, multi-task robot policies based on transformer models have demonstrated impressive generalization to real-world embodied navigation tasks. Trained on vast datasets of simulated and real-world trajectories, these policies map multimodal observations directly to action sequences for physical execution. Despite promising real-world capabilities, these models are still data-driven and, therefore, lack explicit notions of behavioral correctness — they cannot reliably enforce complex temporal rules such as "visit the charging dock before entering the storage room, and never re-enter the kitchen once you have left it." We address this gap by introducing SafeDec, a constrained decoding framework for autoregressive, transformer-based robot navigation policies that enforces safety specifications expressed as Signal Temporal Logic (STL) formulas. Our method ensures that generated actions provably satisfy STL specifications under assumed dynamics at runtime without retraining while remaining agnostic of the underlying policy. We evaluate SafeDec on tasks from the CHORES benchmark for state-of-the-art embodied navigation policies across hundreds of procedurally generated environments and show that our decoding-time interventions are useful not only for filtering unsafe actions but also for conditional action generation.

SafeDec

We take the constrained-decoding principle and apply it to enforce safety specifications over state trajectories. Safety rules are captured by Signal Temporal Logic (STL), a language defined over continuous signals from dynamical systems. SafeDec simulates candidate actions with an approximate dynamics model and evaluates STL satisfaction in real time, directly inside the decoding loop.

From token-space constraints to temporal STL constraints
In LLMs, constraints are syntactic and local; in RFMs, constraints are temporal and depend on forward-simulated dynamics. SafeDec bridges the gap with STL-guided decoding.

Hard Constrained Decoding (HCD)

If a candidate action's predicted next state would violate the STL spec φ, set its logit to −∞ (zero probability) before softmax. This yields provable compliance under the assumed dynamics model.

Robustness Constrained Decoding (RCD)

Compute the STL robustness score ρ for each candidate's predicted successor state and convert it to a weight that boosts safer actions and suppresses risky ones (tunable via β). Preserves task performance while greatly reducing violations.

SafeDec is model-agnostic: it only needs (1) access to decoder logits and (2) an approximate dynamics function. STL evaluation is done efficiently via STLCG++ for real-time inference.
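The two decoding rules above for one decoding step, as an added example in plain Python (not the authors' code and not STLCG++). Assumptions: a constructed discrete action set, axis-aligned box regions, one-step lookahead on φavoid, an RCD weighting of logit + β·ρ, and a fallback to the least-violating action when HCD masks everything.

```python
import math

# Constructed action set: (forward distance in m, turn in rad). Hypothetical values.
ACTIONS = {"ahead": (0.2, 0.0), "left": (0.0, math.pi / 6),
           "right": (0.0, -math.pi / 6), "stop": (0.0, 0.0)}

def unicycle_step(state, action):
    """Approximate unicycle dynamics: turn, then move along the new heading."""
    x, y, th = state
    d, dth = ACTIONS[action]
    th += dth
    return (x + d * math.cos(th), y + d * math.sin(th), th)

def rho_avoid(state, unsafe_boxes):
    """One-step robustness of G(AND_i not R_i): > 0 outside every unsafe box."""
    x, y, _ = state
    return min(-min(x - x0, x1 - x, y - y0, y1 - y) for x0, y0, x1, y1 in unsafe_boxes)

def softmax(logits):
    m = max(logits.values())
    exps = {a: math.exp(l - m) for a, l in logits.items()}  # exp(-inf) == 0.0
    z = sum(exps.values())
    return {a: e / z for a, e in exps.items()}

def decode(logits, state, unsafe_boxes, mode="hcd", beta=10.0):
    """Return constrained action probabilities for one decoding step."""
    rho = {a: rho_avoid(unicycle_step(state, a), unsafe_boxes) for a in logits}
    if mode == "hcd":
        # Hard mask: a violating predicted successor gets logit -inf.
        out = {a: (l if rho[a] >= 0 else -math.inf) for a, l in logits.items()}
        if all(v == -math.inf for v in out.values()):
            # Assumed fallback (not from the page): keep the least-violating action.
            out[max(rho, key=rho.get)] = 0.0
    else:
        # RCD with an assumed weighting: shift each logit by beta * robustness.
        out = {a: l + beta * rho[a] for a, l in logits.items()}
    return softmax(out)

# Constructed sample input: robot at the origin facing +x, unsafe box directly ahead.
STATE = (0.0, 0.0, 0.0)
UNSAFE = [(0.1, -0.5, 1.0, 0.5)]
LOGITS = {"ahead": 2.0, "left": 0.5, "right": 0.3, "stop": -1.0}
```

With this input the unconstrained policy prefers "ahead"; HCD gives it probability zero, while RCD only lowers it, and β = 0 recovers the unconstrained distribution.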

Safety Specifications

SafeDec is evaluated on five safety specifications expressed as STL invariants, spanning geofencing, avoidance, temporal ordering, conditional constraints, and object-interaction safety. All specifications are enforced at runtime without any retraining.

φavoid — Obstacle Avoidance

STL: G(⋀ᵢ ¬Rᵢ)

The robot must always stay outside all designated unsafe regions throughout the entire trajectory.

φgeofence — Geofencing

STL: G(⋁ᵢ Rᵢ)

The robot must always remain within at least one of the designated safe/allowed regions.

φordered — Ordered Visitation

STL: G(¬R₂) ∨ (¬R₂ U R₁)

The robot must avoid region R₂ until it has first reached region R₁, or avoid R₂ forever — enforcing a temporal ordering constraint on regions.

φno–return — No Re-entry

STL: G(R₀ ⇒ G(¬R₀ ⇒ G ¬R₀))

Once the robot leaves region R₀, it may never re-enter — a conditional, one-way constraint on previously visited areas.

φSafetyChores — Object Safety

Specs: φfragile & φdangerous

Evaluated on the SafetyChores benchmark: the robot must respect fragile-object and dangerous-object constraints — ensuring safe interaction in household environments.
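How the two history-dependent formulas above score a trajectory, as an added example in plain Python (not the authors' code and not STLCG++). It assumes standard finite-trace robustness semantics (min for G, max-min for U), and uses constructed 1-D positions with interval regions; a positive score means the specification is satisfied.

```python
import math

def rho_in(x, region):
    """Robustness of 'x lies in the interval region = (lo, hi)'; positive inside."""
    lo, hi = region
    return min(x - lo, hi - x)

def always(sig):
    """G: at each time t, the minimum of sig over the suffix [t, end]."""
    out, m = [], math.inf
    for v in reversed(sig):
        m = min(m, v)
        out.append(m)
    return out[::-1]

def until(a, b):
    """a U b: some k >= t where b holds and a held at every step in [t, k)."""
    out = []
    for t in range(len(a)):
        best, pre = -math.inf, math.inf
        for k in range(t, len(a)):
            best = max(best, min(b[k], pre))
            pre = min(pre, a[k])
        out.append(best)
    return out

def rho_ordered(xs, r1, r2):
    """phi_ordered = G(not R2) or (not R2 U R1), evaluated at t = 0."""
    not_r2 = [-rho_in(x, r2) for x in xs]
    in_r1 = [rho_in(x, r1) for x in xs]
    return max(always(not_r2)[0], until(not_r2, in_r1)[0])

def rho_no_return(xs, r0):
    """phi_no-return = G(R0 => G(not R0 => G not R0)), evaluated at t = 0."""
    in_r0 = [rho_in(x, r0) for x in xs]
    stay_out = always([-v for v in in_r0])                    # G not R0
    once_out = always([max(v, s) for v, s in zip(in_r0, stay_out)])
    return always([max(-v, o) for v, o in zip(in_r0, once_out)])[0]

# Constructed regions and traces (positions along a 1-D corridor).
R0 = R1 = (0.0, 1.0)
R2 = (2.0, 3.0)
R1_THEN_R2 = [-0.5, 0.5, 1.5, 2.5]   # reaches R1 before R2
R2_FIRST = [1.5, 2.5, 0.5]           # enters R2 before R1
LEAVES_R0 = [0.5, 1.5, 2.5]          # leaves R0 and stays out
REENTERS_R0 = [0.5, 1.5, 0.5]        # leaves R0, then comes back
```

Unlike φavoid, neither formula can be judged from the next state alone: the same position inside R₀ or R₂ is acceptable or not depending on what the trace did earlier.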

Sample Visualizations

Each plot shows a bird's-eye view of trajectories starting from the white dot under the instruction "find a sofa." The unconstrained model passes through forbidden regions (red squares) on the way to the goal. SafeDec modifies the trajectories to respect STL safety specifications while still reaching the target.

[Figure, top-down view] Base model: trajectory enters forbidden regions.
[Figure, top-down view] SafeDec: trajectory avoids all forbidden regions while reaching the goal.
[Figure, FPV] Base model violating the constraint.
[Figure, FPV] SafeDec navigating safely.

Results at a Glance

Evaluated on hundreds of procedurally generated AI2-THOR scenes with three state-of-the-art policies (SPOC, FLaRe, PoliFormer) across all five specifications. The figure below shows the average STL satisfaction vs. task success rate aggregated across all five specs and all three policies.

[Figure: SafeDec trade-off, STL satisfaction vs. task success rate] Average STL satisfaction vs. task success rate across all five specifications and three policies. RCD achieves the best trade-off — high safety satisfaction while staying close to unconstrained task performance. HCD and Filtering reach near-perfect STL satisfaction at a greater cost to success rate.

Comparison with SafeVLA

We evaluate SafeDec on the SafetyChores benchmark against ISA (SafeVLA), a safety-reinforcement-learning baseline trained specifically to minimize constraint violations, using fragile-object and dangerous-object STL specifications. Despite being entirely training-free, SafeDec achieves competitive task performance while dramatically reducing safety cost. Notably, pairing HCD with ISA reduces safety cost by an order of magnitude (0.205 → 0.015) with only a modest 4.5% drop in success rate.

Method          Cost ↓    Success Rate (%) ↑
ISA (SafeVLA)   0.205     86.5
ISA + HCD       0.015     82.0
ISA + RCD       0.060     86.0
FLaRe           0.192     82.0
FLaRe + HCD     0.115     84.0
FLaRe + RCD     0.155     79.0

Evaluated on the SafetyChores benchmark with fragile-object and dangerous-object specifications. Cost is the safety violation metric (lower is better); SR is task success rate (higher is better).

Ablations

Since SafeDec assumes a simple unicycle dynamics model for state prediction, we evaluate the impact of noisy dynamics on final STL satisfaction. We also sweep over the β parameter for RCD, which controls how much specification satisfaction is prioritized over task performance.

[Figure: dynamics noise ablation] STL satisfaction (%) for HCD and RCD under baseline vs. noisy dynamics across base models. SafeDec degrades gracefully under dynamics noise.
[Figure: β ablation] Effect of β on success rate and STL satisfaction. For PoliFormer, both metrics improve until β = 10; beyond that, safety continues to improve at the cost of task success. The influence of β is model-dependent, demonstrating a tunable safety–performance knob.

BibTeX

@inproceedings{kapoor2025safedec,
  title     = {SafeDec: Constrained Decoding for Safe Autoregressive Generalist Robot Navigation Policies},
  author    = {Kapoor, Parv and Ganlath, Akila and Clifford, Michael and Liu, Changliu and Scherer, Sebastian and Kang, Eunsuk},
  booktitle = {International Conference on Machine Learning (ICML)},
  year      = {2026}
}