As cyber-physical systems increase in both complexity and criticality, formal methods have gained traction for design-time verification of safety properties.

A lightweight formal method, runtime verification (RV), embeds checks necessary for safety-critical system health management; however, these techniques have been slow to appear in practice despite repeated calls by both industry and academia to leverage them.

Additionally, the state-of-the-art in RV lacks a best practice approach when a deployed system requires increased flexibility due to a change in mission, or in response to an emergent condition not accounted for at design time.

Human-robot interaction necessitates stringent safety guarantees to protect humans sharing the workspace, particularly in hazardous environments.

For example, Robonaut2 (R2) developed an emergent fault while deployed to the International Space Station.

Possibly-inaccurate actuator readings trigger the R2 safety system, preventing further motion of a joint until a ground-control operator determines the root-cause and initiates proper corrective action.

Operator time is scarce and expensive; when waiting, R2 is an obstacle instead of an asset.

We adapt the Realizable, Responsive, Unobtrusive Unit (R2U2) RV framework for resource-constrained environments.

We retrofit the R2 motor controller, embedding R2U2 within the remaining resources of the Field-Programmable Gate Array (FPGA) controlling the joint actuator.

We add online, stream-based, real-time system health monitoring in a provably unobtrusive way that does not interfere with the control of the joint.

We design and embed formal temporal logic specifications that disambiguate the emergent faults and enable automated corrective actions.

We overview the challenges and techniques for formally specifying behaviors of an existing command and data bus.

We present our specification debugging, validation, and refinement steps.

We demonstrate success in the Robonaut2 case study, then detail effective techniques and lessons learned from adding RV with real-time fault disambiguation under the constraints of a deployed system.