1. No category

Least-violating control strategy synthesis with safety

Least-violating Control Strategy Synthesis
with Safety Rules
Jana Tůmová
∗
Masaryk University
Brno, Czech Republic
[email protected]
Gavin C. Hall
Sertac Karaman
Massachusetts Institute of
Technology
Cambridge, MA, USA
Massachusetts Institute of
Technology
Cambridge, MA, USA
[email protected]
[email protected]
Emilio Frazzoli
Daniela Rus
Massachusetts Institute of
Technology
Cambridge, MA, USA
Massachusetts Institute of
Technology
Cambridge, MA, USA
[email protected]
[email protected]
ABSTRACT
1.
We consider the problem of automatic control strategy synthesis, for discrete models of robotic systems, to fulfill a task
that requires reaching a goal state while obeying a given set
of safety rules. In this paper, we focus on the case when the
said task is not feasible without temporarily violating some
of the rules. We propose an algorithm that synthesizes a motion which violates only lowest priority rules for the shortest amount of time. Although the proposed algorithm can
be applied in a variety of control problems, throughout the
paper, we motivate this problem with an autonomous car
navigating in an urban environment while abiding by the
rules of the road, such as “always stay in the right lane” and
“do not enter the sidewalk.” We evaluate the algorithm on
a case study with several illustrative scenarios.
The motivation for our work comes from the following
scenario. We would like to automatically generate a control
strategy for a robotic car in a road-like environment given
its goal is to reach a target location while obeying a set of
safety traffic rules (e.g., “always stay in the right lane”, or
“do not go on the sidewalk”). In many cases, this goal is not
feasible (e.g., due to obstacles present in the environment)
and in order to reach the target location, the robot needs to
temporarily break some of the rules. We would like to systematically find the strategy that violates the rules as little
as possible. In order to do that, we define a fine, quantitative characterization of how much a safety rule is obeyed or
disobeyed on a particular trace and we aim to find a leastviolating strategy with respect to this characterization.
In our approach, we decompose the robot motion planning into high-level planning and low-level control. (In fact,
this is a common approach that appears, e.g., in [17, 16,
25] and many other recent publications on robot planning
with complex specifications.) This hierarchical approach to
control synthesis follows roughly three steps: (1) construct a
discrete abstraction of the system’s dynamics, (2) synthesize
a plan for the resulting discrete abstraction, and (3) compute a controller that implements the discrete plan on the
original system. Numerous methods exist for the first step
of computing discrete abstractions for hybrid systems; See,
e.g., [17, 16, 25] and the references therein. The third step,
in particular, computing low-level controllers that can drive
a robot from one region to another, regardless of the initial
position of the robot within the initial region, has also been
largely explored (see, e.g., [3]). In this paper, we focus on
the second step of the hierarchical approach: synthesizing
a plan for a discrete system. We assume that all dynamical phenomena are captured by a weighted, deterministic,
discrete transition system.
The safety rules are expressed in any formal specification
language that can be translated into finite automata, such
as regular expressions or Linear Temporal Logic (LTL) over
finite traces. Each safety rule is assigned a priority. We
define the level of unsafety of a vehicle trace based on the
number of steps made that caused violation of each safety
rule weighted by the respective rule priority. We present an
Categories and Subject Descriptors
D.2.4 [Software Engineering]: Software/Program Verification—Formal Methods; I.2.8 [Artificial Intelligence]:
Problem Solving, Control Methods, and Search—Control
Theory; I.2.9 [Artificial Intelligence]: Robotics
General Terms
Algorithms, Verification
Keywords
least-violating planning; control strategy synthesis; robot
path planning; formal specification
∗This work was initiated while this author was a visiting
student and MIT and Singapore-MIT Alliance for Research
and Technology.
Permission to make digital or hard copies of all or part of this work for
personal or classroom use is granted without fee provided that copies are
not made or distributed for profit or commercial advantage and that copies
bear this notice and the full citation on the first page. To copy otherwise, to
republish, to post on servers or to redistribute to lists, requires prior specific
permission and/or a fee.
HSCC’13, April 8–11, 2013, Philadelphia, Pennsylvania, USA.
Copyright 2013 ACM 978-1-4503-1567-8/13/04 ...$15.00.
1
INTRODUCTION
algorithm for finding a finite trace of the transition system
that (1) leads from the current robot’s location into a target
location, (2) minimizes the level of unsafety among traces
satisfying (1), and (3) minimizes the length of the trace
among traces satisfying (1) and (2). Our solution builds on
some ideas from automata-based model checking and graph
theory. We express the rules specification as a set of finite
automata and augment each of them with new transitions
and weights. Then, we construct the product automaton
between the transition system and the newly obtained finite
automata. The shortest path of the product (found e.g.,
by a modification of the Dijsktra’s shortest path algorithm)
provably projects onto a trace of the transition system that
is the solution to our problem.
Our work in this paper can be seen in context of works
aimed at the use of formal methods in optimal robot path
planning, e.g., [22, 23, 9, 13], where the authors aim to find
an optimal high-level controller for a robot that guarantees
satisfaction of a given temporal logic mission.
Other related work includes the recent literature adressing
the control strategy synthesis problem with an unsatisfiable
set of specifications. In [19, 20], the authors focus on explaining the reasons of unsatisfiability; given an LTL specification and a model that does not satisfy this specification,
they answer whether or not the invalidity is limited to the
provided model. Related literature includes also [5], where
the authors aim to pinpoint the (un)realizable fragments of
the specification to reveal causes of the specification violation. Other authors propose to construct control strategies
with minimal changes in the input. On one hand, in [10,
15, 14], the authors aim to revise the given specification to
(i) make it satisfiable by the given model, and (ii) make it
as close as possible to the original specification according
to a suitable metric. On the other hand, in [12] the author
focuses on finding the least set of constraints (in the model)
whose removal results in the satisfaction of the specification
and in [4, 2] the authors aim to repair model in the form
of a transition system or a Markov chain in order to ensure
the satisfaction a given CTL or PCTL formula, respectively.
Finally, some others, such as [7, 6], focus on synthesis of the
least-violating controllers. They find, according to a proposed metric, the maximal part of the specification that can
be satisfied by the model, and they generate the corresponding controller for this part of the specification.
The contribution of this paper can be summarized as follows. We address the problem of least-violating control
strategy synthesis with a reachability task and a set of safety
rules to be obeyed. We suggest a quantitative metric called
level of unsafety to capture “how much” a given trace disobeys the given set of rules and suggest an algorithm to find
the optimal trace with respect to the level of unsafety. We
demonstrate the proposed algorithm on an extensive case
study. Throughout the paper, we motivate the problem by
a robotic car navigating in an urban environment while abiding by the rules of the road, although the algorithm can be
used to address a wide class of automated synthesis problems.
The paper is organized as follows. In Sec. 2, we introduce
necessary notation and prelimiaries. In Sec. 3, we formalize
our problem and summarize our approach. Sec. 4 is dedicated to the details of the proposed algorithm and its analysis. In Sec. 5, the results of our case study are presented.
Finally, we conclude the paper with remarks and directions
for future work in Sec. 6.
2.
PRELIMINARIES
In this section, we introduce some necessary notation and
preliminaries.
Notation
Given a set S, let |S|, 2S , and S ∗ denote the cardinality of
S, the set of all subsets of S, and set of all finite sequences
of elements of S, respectively. A word over S is a finite
sequence of elements from S. Given words u, v ∈ S ∗ , we
denote by u · v their concatenation.
Transition Systems and Finite Automata
Definition 1 (Weighted transition system)
A weighted labeled deterministic transition system (TS) is a
tuple T = (S, sinit , R, AP , L, WT ), where S is a finite set of
states; sinit ∈ S is the initial state; R ⊆ S × S is a deterministic transition relation; AP is a set of atomic propositions;
L : S → 2AP is a labeling function; WT : R → N is a weight
function.
A finite trace of T is a finite sequence of states τ =
s0 s1 . . . sn such that s0 = sinit and (si , si+1 ) ∈ R, for all
0 ≤ i < n. A finite trace τ = s0 s1 . . . sn produces a finite word w(τ ) = L(s0 )L(s1 ) . . . L(sn ). We say that τ =
s0 s1 . . . sn satisfies ”go from A to B” task if and only if
A, B ∈ AP , A ∈ L(s0 ), and B ∈ L(sn ).
We define the weight of a trace s0 s1 . . . sn as the sum of the
weights of its transitions. With a slight abuse of notation,
this quantity is denoted as follows:
WT (s0 s1 . . . sn ) =
n−1
X
WT ((si , si+1 )).
i=0
Definition 2 (Finite automaton)
A (non-deterministic) finite automaton (FA) is a tuple A =
(Q, qinit , Σ, δ, F ), where Q is a finite set of states; qinit ∈ Q
is the initial state; Σ is an input alphabet; δ ⊆ Q × Σ × Q is
a non-deterministic transition relation; F ⊆ Q is the set of
accepting states.
The semantics of finite automata are defined over finite
input words over Σ (such as those generated by transition
system from Def. 1 if Σ = 2AP ). A run of the finite automaton A over an input word w = w(1) . . . w(n) is a sequence
ρ = q0 q1 . . . qn , such that q0 = qinit , and (qi−1 , w(i), qi ) ∈ δ,
for all 1 ≤ i ≤ n. If qn ∈ F , then ρ is accepting and the
word w is accepted by the automaton. We say that a trace
τ = s0 s1 . . . sn of T satisfies the property defined by A (denoted by τ |= A) if and only if the word produced by τ is
accepted by A.
A weighted (non-deterministic) finite automaton is a tuple
A = (Q, qinit , Σ, δ, F, W ), where (Q, qinit , Σ, δ, F ) is a finite
automaton (see Def. 2) and W : δ → Nk , where k ∈ N is a
weight function. In other words, each transition is assigned
a k-tuple of natural numbers.
A (weighted) finite automaton A can be viewed as a graph
GA = (V, E), where the set of nodes V is the set of states
Q and the set of edges E with their weights are given in the
expected way by the transition function δ and the weight
2
function W , respectively. Consider a run ρ = q0 q1 . . . qn over
a word w = w(1) . . . w(n) and assume that (xj,1 , . . . , xj,k ) =
W ((qj , w(j), qj+1 )) denotes the weight of the corresponding
transition, for all j ∈ {1, . . . , n}. The weight of the run ρ
over the word w is
Let us consider a robot moving in a partitioned environment with its motion capabilities modeled as a weighted
transition system T = (S, sinit , R, AP, L, WT ) (see Def. 1).
Each region of the environment is modeled as a state of the
transition system and the robot’s ability to move between
the adjacent regions is captured through the transition relation. We assume that there are no transitions leading from
and to the states representing regions where obstacles are
present. Therefore, each trajectory of the robot in the said
subset of the environment is obstacle-free. The weight function assigns each transition a weight, such as distance or
travel time. Each region is labeled with a set of atomic
propositions (e.g., “region A”, “region B”, “left lane”, “right
lane”, “safe region”, or “sidewalk”) that are true in this region. Our robot mission is simply “go from A to B” while
abiding by a set of (safety) rules, which we will describe
using LTL formulas and assign a priority each.
Consider a trace that starts at the region with label A
and reaches that with label B. Suppose for the moment that
there is a single safety rule, which we denote by ψ. Although
its priority, denoted by $(ψ), is not important for now, its
role will become clear shortly when we consider multiple
safety rules. Examples of such rules include “never enter
region C” and “region D can only be visited after visiting
region E.” Note that ψ can be given in any form, as long as it
can be translated into a finite automaton Aψ . In particular,
it can be a regular expression or an LTL formula that is
interpreted over finite words (see Sec. 2). For notational
simplicity, we denote by τ |= ψ the property that the trace
τ of T satisfies property ψ, i.e., that τ |= Aψ . Furthermore,
in the sequel, we tacitly assume that the empty trace of T
and the empty word always satisfy any safety rule ψ. That
is, by convention, an empty run does not violate any safety
rules.
We define the level of unsafety λ(τ, ψ) of a finite trace τ of
the transition system T as the minimum number of transitions in τ that must “vanish” so that τ |= ψ holds, weighted
by the priority $(ψ). Intuitively, the level of unsafety can be
seen as the number of steps that violate the given safety rule
multiplied by $(ψ). For instance, a trace sA sD sC sE sC sB ,
where sX ∈ S for all x ∈ {A, B, C, D, E}, visits regions
A, D, C, E, C, B in this order has level of unsafety 2 for the
rule ψ1 “never enter region C,” with $(ψ1 ) = 1 and it has
level of unsafety 3 for the rule ψ2 “region D can only be
visited after visiting region E.”, where $(ψ2 ) = 3. On the
other hand, the level of unsafety of a trace visiting regions
A, D, B is 0 for the former rule and remains 3 for the latter
one. The smaller the level of unsafety of a trace, the closer
the trace is to a trace that satisfies the given safety rule.
Indeed, the trace satisfies the rule ψ if and only if its level
of unsafety is equal to 0.
More formally, let T = (S, sinit , R, AP , L) be a transition
system, and let ψ be a property over AP that can be expressed as a finite automaton.
W (ρ) = (X1 , . . . , Xk ),
n
X
where Xi =
xj,i , for all i ∈ {1, . . . , k}.
j=0
In other words, the weight of a run is the tuple obtained
by component-wise sum of the weights associated with the
transitions executed along the run.
The shortest run over w(1) . . . w(n) is the run ρ minimizing the weight W (ρ) in the lexicographical ordering 1 .
Linear Temporal Logic
Finite automata can capture a large class of properties that
are exhibited by the traces of a transition system. However, some specification languages with similar expressive
power, such as regular expressions or variants of Linear Temporal Logic (LTL) interpreted over finite runs, provide a
more user-friendly means to express these properties. For a
through exposition to regular expressions and the LTL, the
reader is referred to the standard texts [21, 1].
In Section 5, we will demonstrate how the desirable properties of the system, e.g., the rules of the road, can be conveniently captured in Finite LTL (FLTL) [18], a definition
for which is given below.
Definition 3 A FLTL formula φ over the set of atomic
propositions AP is defined inductively as follows:
1. every atomic proposition σ ∈ 2AP is a formula, and
2. if φ1 and φ2 are formulas, then φ1 ∨ φ2 , ¬φ1 , X φ1 ,
X φ1 , φ1 U φ2 , G φ1 , and F φ1 are each formulas,
where ¬ (negation) and ∨ (disjunction) are standard Boolean
connectives, and X, X, U, G, and F are temporal operators.
Unlike the well-known LTL (see e.g., [1]), FLTL is interpreted over finite traces, as those generated by the transition
system from Def. 1. Informally, X π states that there is the
next state of a trace and that proposition π is true there (i.e.,
π ∈ L(s1 )). Strong next operator X π is defined as ¬X¬π,
expressing that if there exists a next state of a current state
of a trace, then π is true there. In contrast, π1 U π2 states
that there is a future moment when proposition π2 is true,
and proposition π1 is true at least until π2 is true. The formula G π states that proposition π holds at all states of a
finite trace, and F π states that π holds at some future time
instance.
Similarly as LTL formulas can be algorithmically translated into automata over infinite words, FLTL formulas can
be translated into finite automata [11].
3.
Definition 4 (Level of unsafety for a safety rule)
Let τ = s0 . . . sn be a finite trace producing a word w(τ ) =
w(0)w(1) . . . w(n) and {i1 , . . . , ik } ⊆ {0, . . . , n}. Define
PROBLEM STATEMENT
In this section, we provide a formal description of the
problem, after presenting some intermediate definitions.
vanish(τ, {i1 , . . . ik }) =
s0 . . . si1 −1 si1 +1 . . . sik −1 sik +1 . . . sn ,
1
The lexicographical ordering ≤ is defined as follows:
(x1 , . . . , xk ) ≤ (x01 , . . . , x0k ) if (x1 , . . . , xk ) = (x01 , . . . , x0k ) or
if ∃1 ≤ i ≤ k, such that ∀j < i : xj ≤ x0j and xi < x0i .
i.e., the finite sequence of states obtained by erasing states
indexed with i1 , . . . , ik from τ .
3
The level of unsafety λ(τ, ψ) of a finite trace τ with respect to a safety rule ψ is the cardinality-wise minimal I ⊆
{0, . . . n} such that the trace vanish(τ, I) satisfies the safety
rule ψ:
λ(τ, ψ) =
min
Intuitively, the sets Ψ1 , . . . Ψn from Ψ can be seen as priority classes. According to Definition 6, it is always preferred to satisfy the rules in Ψi rather than those in Ψj ,
for all i < j. However, one can trade off when violating
rules that are in the same priority class. For an illustrative
example, see Sec. 5.
|I| · $(ψ)
I⊆{0,...,n},vanish(τ,I)|=ψ
Level of unsafety of the word w(τ ) is defined analogously.
4.
Now, consider a sequence of nonempty sets of safety rules
Ψ = (Ψ1 , . . . , Ψn ). Suppose each rule ψ ∈ Ψi , for all 1 ≤ i ≤
n, is given in any form that can be translated into a finite
automaton. Define the priority function as $ : Ψ → N,
which assigns a priority to each rule ψ ∈ Ψi , for all 1 ≤
i ≤ n. In the sequel, the ordered set Ψ together with the
priority function $ will be called a set of safety rules with
priorities (Ψ, $).
Given a transition system T and a set of rules with priorities, denoted by (Ψ = (Ψ1 , . . . , Ψn ), $), we extend the
definition of the level of unsafety for a trace τ of T to a set
of safety rules Ψi ∈ Ψ and a set of safety rules with priorities
(Ψ, $) as follows.
In this section, we first describe the proposed approach,
and subsequently we prove its correctness and analyze its
computational complexity. Before closing this section, we
also consider a more general problem description, and point
out how the proposed algorithm can be modified to address
the resulting problem.
ALGORITHM AND ANALYSIS
4.1
The Proposed Approach
In this section, we outline the proposed algorithm, which
leverages ideas from automata theory, graph algorithms and
reachability analysis of transition systems. Along the way,
we provide the necessary intermediate results to prove the
correctness and analyze the computational complexity of our
algorithm.
The proposed algorithm can be outlined as follows. First,
we translate each specification ψi,j in Ψi ∈ Ψ into a finite
automaton Ai,j . We propose a method to augment this automaton with new transitions and weights, such that the
resulting weighted automaton also accepts all words w that
do not satisfy the rule ψi,j ; however, the weights are picked
such that the weight of this accepting run over w determines
the level of unsafety of w with respect to ψi,j (see Definition 7). Second, we combine all the weighted automata into
a single automaton AΨ , using its weights to capture the
level of unsafety of all words (and thus traces of T ) with
respect to the given set of safety rules with priorities (Ψ, $)
(see Definition 8). Third, we build a weighted product of
the transition system T and the automaton AΨ (see Definition 9), and we search for the shortest path from the initial
state to a final state. We show that this path projects onto
a trace of T that satisfies the conditions (i)–(iii) put forth
in the statement of Problem 1. In the rest of this section,
we describe each of these steps in detail in this order.
First, let us describe the construction of Aψi,j . Let T =
(S, sinit , R, AP , L, WT ) be a weighted transition system, and
let (Ψ = (Ψ1 , . . . , Ψn ), $) be a set of safety rules with
priorities, where Ψi = {ψi,1 , . . . , ψi,mi }. Furthermore, let
Aψi,j = (Qi,j , qinit,i,j , 2AP , δi,j , Fi,j ) denote a finite automaton capturing the safety rule specification ψj ∈ Ψi over AP .
We augment Aψi,j as follows.
Definition 5 (Level of unsafety for a set of rules)
Level of unsafety λ(τ, Ψi ) of a finite trace τ with respect to
a set of safety rules Ψi is defined as
X
λ(τ, Ψi ) =
λ(τ, ψ).
ψ∈Ψi
Level of unsafety λ(τ, Ψ) of finite trace τ with respect to
a set of safety rules with priorities (Ψ, $) is defined as
λ(τ, Ψ) = λ(τ, Ψ1 ), . . . , λ(τ, Ψn ) .
The measure of unsafety, as given by Definition 5, implies
an ordering relation, which we formalize below.
Definition 6 (Unsafety order) A finite trace τ is said to
be safer than a finite trace τ 0 if and only if
λ(τ, Ψ) ≤ λ(τ 0 , Ψ)
in the standard lexicographical ordering, i.e., iff
• λ(τ, Ψ) = λ(τ 0 , Ψ), or
• ∃1 ≤ i ≤ n, such that λ(τ, Ψi ) < λ(τ 0 , Ψi ) and
λ(τ, Ψj ) ≤ λ(τ 0 , Ψj ), for all j < i.
Then, the problem can be formally stated as follows.
Problem 1 Given
Definition 7 (Automaton Aψi,j )
Given an automaton Aψi,j , a weighted finite automaton
• a weighted labeled deterministic transition system
T = (S, sinit , R, AP , L, WT );
Aψi,j = (Qi,j , q init,i,j , 2AP , δ i,j , F i,j , W i,j )
• a task “go from A to B,” where A, B ∈ AP , A ∈ L(sinit );
and
is built as follows:
• a set of safety rules with priorities (Ψ, $) over AP ,
• Qi,j = Qi,j ;
• q init,i,j = qinit,i,j ;
find a finite trace τ of T that
• δ i,j = δi,j ∪ {(q, σ, q) | q ∈ Q and σ ∈ 2AP };
• F i,j = Fi,j ; and
•
0
if (q, σ, q 0 ) ∈ δi,j
W (q, σ, q 0 ) =
$(ψi,j ) if (q, σ, q 0 ) ∈ δ i,j \ δi,j .
(i) satisfies the task;
(ii) is safer than all the other traces satisfying the condition
(i); and
(iii) minimizes WT (τ ) among the traces satisfying the conditions (i) and (ii).
4
Proof. Consider a word w ∈ (2AP )∗ . From Lemma 1,
we have that w is accepted by Aψi,j and the weight of
the shortest accepting run q0,i,j . . . q|w|,i,j of Aψi,j over w
is λ(w, ψi,j ), for all ψi,j ∈ Ψ. Thus there exists an accepting run (q0,1,1 , . . . q0,n,mn ) . . . (q|w|,1,1 , . . . q|w|,n,mn ) over w
P|w|
P|w|
and its weight is ( k=1 x1,k , . . . , k=1 xn,k ), where xi,k =
Pmi
j=1 W i,j (qk−1,i,j , w(k), qk,i,j ), for all k ∈ {1, . . . |w|}. On
the other hand, each accepting run ρ = (q0,1,1 , . . . q0,n,mn ) . . .
(q|w|,1,1 , . . . q|w|,n,mn ) of AΨ over w maps to an accepting
run of q0,i,j . . . q|w|,i,j of Aψi,j over w, such that
P|w|
P|w|
W (ρ) ≤ ( k=1 xk,1 , . . . , k=1 xk,n ), where
P i
xk,i = m
j=1 W i,j (qk−1,i,j , w(k), qk,i,j ), for all k ∈ {1, . . . |w|}
and all ψi,j ∈ Ψ.
Lemma 1 Let w be a word over 2AP . Then w is accepted by
Aψi,j and the weight of the shortest accepting run of Aψi,j
over w is equal to the level of unsafety λ(w, ψi,j ).
Proof. Note that, thanks to our assumption that an
empty word and an empty trace satisfy ψi,j , each finite word
w has a finite level of unsafety. The proof is via induction
with respect to the level of unsafety λ(w, ψi,j ). We prove
that for each w there exists an accepting run with its length
equal to λ(w, ψi,j ) and we prove, that no accepting run over
w is shorter than λ(w, ψi,j ).
First, let λ(w, ψi,j ) = 0. Then w is accepted by Aψi,j
and therefore, from the construction of Aψi,j there exists an
accepting run of Aψi,j over w with its weight equal to 0. At
the same time, clearly no accepting run over w is shorter
than 0.
Second, let k ∈ N and let us assume that the lemma holds
for each w, such that λ(w, ψi,j ) ≤ k · $(ψi,j ). Consider
a word w0 , such that λ(w0 , ψi,j ) = (k + 1) · $(ψi,j ). Necessarily, there exist u, v ∈ (2AP )∗ , and σ ∈ 2AP , such that
λ(u·v, ψi,j ) = k·$(ψi,j ) and w0 = u·σ·v. Thus, from the induction assumption, there exists an accepting run q0 . . . q|u·v|
over u · v with its weight equal to k · $(ψi,j ). From the construction of Aψi,j there is a transition (q|u| , σ, q|u| ) ∈ δ i,j
with W (q|u| , σ, q|u| ) = $(ψi,j ). Thus, there exists an ac0
cepting run over w = u · σ · v with its weight equal to
k · $(ψi,j ) + $(ψi,j ) = (k + 1) · $(ψi,j ).
On the other hand, assume that there exists an accepting run q0 q1 . . . q|w0 |−1 q|w0 | over w0 with its weight equal to
l·$(ψi,j ), where l < k+1. Then, the run q0 q1 . . . q|w0 |−1 q|w0 |
has the property that (qxy , w0 (xy ), qxy +1 ) ∈ δ i,j \ δi,j for exactly l different indexes xy , where y ∈ {1, . . . , l}. Hence, the
word vanish(w0 , {x1 , . . . , xl }) = w0 (0) . . . w0 (x1 −1)w0 (x1 +1)
. . . w0 (xl − 1)w0 (xl + 1) . . . w0 (|w0 |) is accepted by automaton Aψi,j and thus the level of unsafety λ(w0 , ψi,j ) ≤ l which
contradicts the assumption. The proof is thus complete.
Third, following the ideas of automata-based approach to
model checking [24], we build a product automaton that
captures the traces of T satisfying the specification given by
AΨ while preserving the purpose of the weight function.
Definition 9 (Product automaton P)
We build the weighted product automaton
P = T ⊗ AΨ = (QP , qinit,P , δP , FP , WP )
as follows:
• QP = (S ∪ {init | init 6∈ S}) × Q
• qinit,P = (init, q init )
• (s, q), (s0 , q 0 ) ∈ δP and
WP (s, q), (s0 , q 0 ) = (W (q, L(s0 ), q 0 ), WT (s, s0 ))
if (s, s0 ) ∈ R, and (q, L(s0 ), q 0 ) ∈ δ
• (init, q), (sinit , q 0 ) ∈ δP and
WP (init, q), (sinit , q 0 ) = (W (q, L(s0 ), q 0 ), 0)
if (q, L(s0 ), q 0 ) ∈ δ
• FP = S × F
Second, we combine all automata Aψi,j , where ψi,j ∈ Ψi ∈
Ψ into a single weighted automaton AΨ capturing, through
its weight function, the level of unsafety with respect to the
whole set of safety rules with priorities (Ψ, $).
The following lemma summarizes the role of the product
automaton P.
Lemma 3 The shortest run (in the lexicographical ordering
with respect to WP ) p0 . . . pn in P from the state p0 = qinit,P
to a state pn ∈ FP , such that B ∈ L(pn ) projects onto a trace
τ = α(p0 . . . pn ) of T that is the solution to Problem 1.
Proof. The proof follows directly from Lemma 2 the
following two facts. (1) Given a trace τ = s0 , . . . , sn of
T that produces a word w(τ ), such that s0 = sinit and
B ∈ L(sn ), there exists an accepting run of P over w(τ ).
Furthermore, the weight of the shortest accepting run of P
over w(τ ) is equal to (λ(w(τ ), Ψ), WT (τ )). (2) Given an
accepting run p0 . . . pn = (q0 , s0 ) . . . (qn , sn ) of P, such that
p0 = qinit,P , pn ∈ FP , and B ∈ L(pn ) with the weight equal
to (λ(w(τ ), Ψ), WT (τ )), the trace τ = s0 . . . sn is a trace of
T that produces a word w(τ ) and q0 . . . qn is a run over w(τ )
with its weight equal to λ(w(τ ), Ψ)).
Definition 8 (Automaton AΨ ) The weighted finite automaton
AΨ = (Q, q init , 2AP , δ, F , W )
is defined as follows:
• Q = Q1,1 . . . × . . . Q1,m1 . . . × . . . Qn,1 . . . × . . . Qn,mn ;
• q init = (qinit,1,1 , . . . , qinit,n,mn );
• (p, σ, p0 ) ∈ δ and W ((p, σ, p0 )) = (x1 , . . . , xn ), if
0
0
p = (q1,1 , . . . , qn,mn ), p0 = (q1,1
, . . . , qn,m
),
n
0
(qi,j , σ, qi,j ) ∈ δ i,j , for all i ∈ {1, . . . , n}, j ∈ {i, . . . mi },
P i
0
and xi = m
j=1 W i,j (qi,j , σ, qi,j ).
• F = {(q1,1 , . . . , qn,mn ) | qi,j ∈ F i,j , for all
i ∈ {1, . . . , n}, j ∈ {i, . . . mi }}
Computation of the shortest path in P can be done with
the use of a slight modification of the well-known Dijsktra’s
shortest path algorithm [8], where all the comparisons in
the algorithm are based on the lexicographical ordering of
(n + 1)−tuples.
For convenience, the proposed algorithm that solves Problem 1 is summarized in Alg. 1.
Lemma 2 Let w be a word over 2AP . Then w is accepted
by AΨ and the weight of the shortest accepting run of AΨ
over w is equal to the level of unsafety λ(w, Ψ).
5
Algorithm 1 Solution to Problem 1
Input: A TS T = (S, sinit , R, AP , L, WT ); a region label B ∈ AP ; a set of safety rules with priorities
(Ψ = (Ψ1 , . . . , Ψn ), $) expressed as an FA Aψi,j =
(Qi,j , qinit,i,j , Σ, δi,j , Fi,j ) for each rule ψj ∈ Ψi .
Output: a trace of T that is solution to Problem 1
1: for all i ∈ {1, . . . , n}, ψj ∈ Ψi do
2:
build modified automaton Aψi,j (Def. 7)
3: end for
4: build modified automaton AΨ (Def. 8)
5: build product automaton P = T ⊗ AΨ (Def. 9)
6: path := shortest path(P, B)
7: trace := project onto first component(path)
8: return trace
4.2
modification lies in the definition of the weight function of
the product automaton: For each
WP (s, q),(s0 , q 0 ) =
W (q1 , L(s0 ), q10 ) · WT (s, s0 ), . . .
. . . ,W (qn , L(s0 ), qn0 ) · WT (s, s0 ) , WT (s, s0 ) ,
for all ((s, q), (s0 , q 0 )) ∈ δP , where q = (q1 , . . . , qn ) ∈ Q.
However, this approach also does not fit all the scenarios.
For instance, the safety rule formulated as “never enter the
left lane.” intuitively should not be influenced by the weights
of the transitions. Ideally, we would like to combine the
above two approaches and associate each safety rule with an
indicator determining whether the “regular” level of unsafety
(Def. 4) or the weighted level of unsafety (Def. 10) should
be used. Therefore, we interconnect both definitions and
introduce combined level of unsafety.
Correctness and Complexity
The correctness of the algorithm is stated in the following
theorem. The computational complexity of the algorithm
analyzed subsequently.
Definition 11 (Combined level of unsafety)
Combined level of unsafety λC (τ, Ψi ) of finite trace τ with
respect to the set of safety rules Ψi is
X
X
λC (τ, Ψi ) =
λ(τ, ψj ) +
λW (τ, ψj ),
Theorem 1 Alg. 1 returns a solution to Problem 1.
Proof. Follows directly from the proof of Lemma 3 and
the correctness of the Dijkstra’s shortest path algorithm.
j∈JR
where ψi,j such that j ∈ JR ⊆ {1, . . . mi } are the safety rules
associated with the level of unsafety (Def. 5) and ψi,j such
that j ∈ JW ⊆ {1, . . . mi } are the safety rules associated
with the weighted level of unsafety (Def. 10). Note, that
JR ∩ JW = ∅ and JR ∪ JW = {1, . . . , |Ψi |}.
Combined level of unsafety λ(τ, Ψ) of finite trace τ with
respect to the set of rules with priorities (Ψ, $) is a tuple
λC (τ, Ψ) = λC (τ, Ψ1 ), . . . , λC (τ, Ψn ) .
Let |T | denote the size of the input transition system, and
|AΨi,j | the size of the input automaton AΨi,j . The size of
the automaton Aψi,j is |AΨi,j | · |Σ| in the worst case and the
Q
size of AΨ is then up to Ψi,j ∈Ψ |AΨi,j | · |Σ|. The size of
Q
the product automaton P is |P| = |T | · Ψi,j ∈Ψ |AΨi,j | · |Σ|
and the modified Dijkstra’s algorithm runs in O(|P| log |P|).
4.3
An Alternative Problem Statement
Then, the problem differs from Problem 1 with the change
in objective (ii), where we aim to find a trace minimizing the
combined level of unsafety. To address the new problem, we
make only a single modification in the proposed algorithm,
which is to change the definition of the weight function of
the product
WP (s, q), (s0 , q 0 ) = (x1 , . . . , xn ), WT ((s, s0 )) ,
In case a weighted transition system is used as a model, it
is questionable, whether the definition of level of unsafety fits
our needs as it does not take into consideration the length of
the transitions leading into states that need to be vanished
from a trace in order to make the trace satisfying. For instance, if a safety rule says “do not stay in the left lane,” one
expects that the length of the transitions leading into states
violating these rules, i.e., distances or travel times spent in
the left lane, should impact the level of unsafety of the trace.
Let us introduce an alternative definition for the level of
unsafety.
with the property that
xi =
X
0
W i,j (qi,j , σ, qi,j
)+
Definition 10 (Weighted level of unsafety)
Weighted level of unsafety λW (τ, ψ) of finite trace τ with
respect to a safety rule ψ is
I⊆{0,...,n}|vanish(τ,I)|=ψ
0
W i,j (qi,j , σ, qi,j
) · WT ((s, s0 )),
such that Ai,j , where j ∈ JR ⊆ {1, . . . mi }, are the automata for rules associated with the level of unsafety, and
Ai,j , where j ∈ JW ⊆ {1, . . . mi }, are the automata for
rules associated with the weighted level of unsafety, for all
i ∈ {1, . . . , n}. Since such a product automaton is built, the
rest of the our algorithm remains the same.
λW (τ, ψ) =
X
X
j∈JW
j∈JR
min
j∈JW
W (si−1 , si ) · $(ψ).
i∈I
5.
The definition of weighted level of unsafety with respect to
a set of safety rules with priorities remains analogous to
the one in Def. 5. Problem 1 can be now formulated using
the weighted level of unsafety (Def. 10) instead of “regular”
level of unsafety (Def. 4). The proposed solution can also
be easily adapted to the resulting problem. In fact, the only
CASE STUDY
Consider a robotic vehicle in the partitioned environment
depicted in Fig. 1. The robot’s motion capabilities are modeled as a transition system. Each state of the transition
of the system is given by (i) the cell the robot occupies
and (ii) the robot’s direction within the cell. For simplicity,
only four directions N, E, S, W , i.e., North, East, South and
6
head in one of the allowed directions (direction rule) and (ii)
do not drive on a sidewalk (sidewalk rule). This might be
not possible if there are some (static) obstacles present on
the road. In such a case, we focus on finding a path that is,
in some sense as close as possible to obeying the rules, where
closeness is defined in terms of level of unsafety discussed in
Sec. 3. Here, driving on the sidewalk is considered less safe
than driving in a lane while heading in an incorrect direction. That is, the sidewalk rule belongs to a higher priority
class when compared to the direction rule.
Furthermore, we would like to prevent the vehicle from
performing dangerous maneuvers. For instance, consider
two obstacles present in the right lane close to each other.
The vehicle could pass the first obstacle, move back to the
right lane and then immediately switch back to the wrong
lane again in order to pass the second obstacle. However,
rather than that, we expect the vehicle to stay in the wrong
lane while passing both of the obstacles. Similar behavior is
expected when passing a sequence of obstacles using a sidewalk. We specifically set the dangerous maneuver as coming
back from heading in a wrong direction (or from a sidewalk)
into the right lane, staying in the right lane for up to 3 more
steps and entering the wrong lane (or a sidewalk, respectively) again. Such a maneuver is forbidden with a higher
priority as the direction rule (or the sidewalk rule, respectively). However, spending 10 steps heading in an incorrect
direction (or going on the sidewalk) is considered to be less
safe than performing the dangerous maneuver. Therefore,
we equip the dangerous maneuver rule with priority 3 and
the direction rule (or the sidewalk rule, respectively) with
priority 1. The level of unsafety of a trace with a single
dangerous maneuver is then 3,6, or 9, depending whether
the vehicle spends during the maneuver 1,2, or 3 steps in
the right lane, respectively. Note, that we could easily distinguish even between unsafety of different dangerous maneuvers by defining a dangerous maneuver of staying in the
right lane for up to 2, or even only 1 step and setting their
priority accordingly.
The rules that we describe above can be expressed formally using the LTL as follows.
Figure 1: A road-like environment partitioned into
cells. Each road segment has two lanes and the
purple-shaded area illustrates a sidewalk.
The
robot’s position and direction are depicted as the
blue arrow. The white arrows in the lane illustrate
the direction the vehicle should be heading when
present there. Note that the vehicle is allowed to
head in two different directions in each intersection
cell. The green-shaded area is the goal region.
West, respectively, are considered. The simulation environment depicted in Fig. 1 has 240 cells and 960 corresponding
states. Define Dir = {N, E, S, W }, Col = {1, . . . , 20}, and
Row = {1, . . . 12}, where Col and Row represent the column number as measured from left to right and the row
number as measured from bottom to top in Fig. 1, respectively. Then, the set of states of the transition system can
be described conveniently as
d
Q = {qc,r
| c ∈ Col, r ∈ Row, d ∈ Dir}.
For example, in this notation, the current state of the robot,
E
as depicted in Fig. 1, is q2,2
. Starting from any state, the
robot can move into the adjacent cell in front of it by keeping
its current direction or into the cell on its left-hand side or
its right-hand side by changing it’s direction accordingly (if
such cells exist in the environment). For instance, when the
E
E
current state is q2,2
, these transitions would lead into q3,2
,
N
S
q2,3 and q2,1 , respectively. The weight of each transition is
set to the distance between the adjacent cells, which equals
to 1 in this case.
Throughout the case studies, the set of atomic propositions is defined as
• Never be on the sidewalk.
ψ1,1 = G(¬sidewalk)
AP = {road X, car X, sidewalk, goal},
• Do not perform the dangerous sidewalk maneuver. In other
words, if coming back from a sidewalk to a road, stay in a
road for at least 4 steps.
X
qc,r
where X ∈ {N, E, S, W }. Each state
is labeled with
proposition car X. The states of the TS that correspond to
the road cells of the environment where the vehicle should
be positioned in direction X are labeled with road X. For
Y
instance, road E ∈ L(q2,r
), for all r ∈ {2, . . . , 19}, Y ∈ Dir
Y
and similarly road S ∈ L(qc,2
), for all c ∈ {2, . . . , 11}, Y ∈
Dir. The states that correspond to sidewalk cells (in purple)
of the TS are labeled with the proposition sidewalk. The
states corresponding to the goal region (shown in green in
Fig. 1) are labeled with the proposition goal. For instance,
W
W
the state q15,11
is labeled with L(q15,11
) = {road W, car W,
N
N
goal}, the state q15,11 with L(q15,11 ) = {road W, car N,
N
N
goal}, the state q20,1
with L(q20,1
) = {sidewalk, car N },
E
E
and the state q19,2 with L(q19,2 ) = {road N, road E, car E}.
As in Problem 1, the mission is to drive from the current
state into a goal state. At the same time, however, we require the vehicle to follow the rules of the road: (i) always
ψ1,2 = G sidewalk ∧ X ¬sidewalk ⇒
X (¬sidewalk ∧
X (¬sidewalk ∧
X (¬sidewalk ∧
X (¬sidewalk))))
• Never head in a wrong direction. Heading in an incorrect
direction is formalized as a Boolean combination of atomic
propositions car X ∧ ¬road X, for some X ∈ Dir, i.e., as
the vehicle heading in a different direction than expected in
the current cell. For instance, the vehicle heads in a wrong
W , q N , q E , or q S .
direction in states q11,2
11,2
10,4
11,4
ψ2,1 =
^
X∈Dir
7
G (car X ⇒ road X)
ordering) projects onto an optimal trace of the transition
system. The first two elements of the weight tuple represent the level of unsafety of the trace with respect to Ψ
and can be viewed also as penalties collected for violation
of the both sidewalk and both direction rules, respectively.
The third element is the trace weight, i.e., the total distance
travelled.
The results for the considered cases are captured in Fig. 49. The red cells depict the obstacles and the blue arrows
illustrate the computed robotic traces in the given environments.
• Do not do the dangerous wrong lane maneuver. In other
words, if coming back from heading in a wrong direction to
the right one, stay in the right lane for at least 4 steps.
^
ψ2,2 =
X,Y1 ,Y2 ,Y3 ,Y4 ∈Dir
G
¬(car X ∧ road X) ∧ X (car Y1 ∧ road Y1 ) ⇒
X (car Y1 ∧ road Y1 ∧
X (car Y2 ∧ road Y2 ∧
X (car Y3 ∧ road Y3 ∧
X (car Y4 ∧ road Y4 ))))
A. No obstacles.
Altogether, the set of rules with priorities is
(Ψ = (Ψ1 , Ψ2 , ), $) = (({ψ1,1 , ψ1,2 }, {ψ2,1 , ψ2,2 }), $),
where $(ψ1,1 ) = 1, $(ψ1,2 ) = 3, $(ψ2,1 ) = 1,$(ψ2,2 ) = 3.
The finite automata corresponding to the rules ψ1,1 and
ψ1,2 are depicted in Fig. 2 and 3, respectively. The finite
automata for the rules ψ2,1 and ψ2,2 are constructed analogously.
q1
¬sidewalk
Figure 4: Case A
Figure 2: Finite automaton A1,1 for the safety rule
ψ1,1 . The transition labeled with ¬sidewalk in fact
represents 2|AP|−1 transitions labeled with all the
subsets of atomic propositions that do not contain
proposition sidewalk.
¬sidewalk
q1
In this case, there were no obstacles present in this environment. The algorithm simply picked the trace of shortest distance, which can be either the path shown in Fig. 4,
or a trace that travels in the North lane of the middle SN road. The weight assigned to either of these paths was
WA =(0,0,20), i.e., the computed trace satisfies all formulas
in Ψ and its weight, i.e., the total distance traveled is 20.
sidewalk
sidewalk
q2
¬sidewalk
¬sidewalk
q3
B. Obstacles present in the right lane in both leftmost
and middle S-N roads.
¬sidewalk
q5
¬sidewalk
q4
Figure 3: Finite automaton A1,2 for the safety
rule ψ1,2 . Each transition labeled with sidewalk
in fact represents 2|AP|−1 transitions labeled with
all the subsets of atomic propositions that contain
proposition sidewalk and each transition labeled with
¬sidewalk represent 2|AP|−1 transitions labeled with
all the subsets of atomic propositions that do not
contain proposition sidewalk.
Figure 5: Case B
The obstacles present in this environment removed the options of traveling in the North lane of the middle S-N road
and in the North lane of the leftmost S-N road, the shortest
paths available for the environment. Considering these restrictions, the algorithm instead chose to travel in the North
lane of the rightmost S-N road. This decision was made in
lieu of attempting to switch lanes to get around one of the
obstacles. While this was not the trace of shortest distance,
it was the path of smallest weight, with WB =(0,0,30). This
path was unique in that there were no others paths whose
weight was equivalent.
Simulation Results
Below six different scenarios, each of which feature a different set of obstacles, are considered. In each simulation
E
example, the vehicle is started from the initial state, q2,2
.
This condition allows for the overall distance and maneuvering penalties to be compared uniformly across all examples.
A weighted product automaton was built for each of the
cases, whose transitions are weighted by 3-tuples. The shortest run of the product automaton (in the lexicographical
8
Figure 6: Case C
Figure 8: Case E
C. Obstacles present in each S-N road.
sen, because it only required the vehicle to go on the sidewalk to avoid the obstacles, as opposed to both switching
lanes and going on the sidewalk required by the middle SN road. The weight of the path along rightmost S-N road
was WE =(3,1,32), because the vehicle was on the sidewalk
for three units of distance and it was penalized once it returned to the North lane from the sidewalk with an incorrect
orientation.
The three obstacles in the environment effectively blocked
all paths which did not incur any sidewalk or direction rules
violation. In this case, the algorithm chose a lane switching
maneuver with the resulting weight equal to WC =(0,4,22).
The level of unsafety of the computed trace is 0 with respect
to the sidewalk rules Ψ1 and 4 with respect to the wrong direction rules Ψ2 . The four penalties accrued during this path
were a result of two lane switches which resulted in an incorrect (West and East) orientation in the South and North
lanes, respectively, and the two North transitions while in
the South lane. By inspection, this type of maneuvering on
the rightmost S-N road, would have incurred an identical
lane penalty, but would have had a larger weight due to the
overall distance metric.
F. Sidewalk needed to pass the obstacles.
D. Obstacles totally blocking the leftmost and the middle S-N roads and two obstacles close to each other in
the rightmost S-N road.
Figure 9: Case F
Because all roads were blocked by obstacles, in this case
it was required once again that the vehicle travel on the
sidewalk. Instead of returning to the North lane on the
middle S-N road, the vehicle chose to re-enter the highway
on the uppermost E-W road. The weight of the chosen path,
WF =(3,1,20) was a result of traveling on the sidewalk for
three units of distance and entering the uppermost E-W road
with an incorrect initial orientation. If the vehicle were to
return to the North lane of the middle S-N road instead of
directly enter the East lane of the uppermost E-W road, the
resulting weight would be (3, 1, 22).
Figure 7: Case D
In this case, the algorithm found a trace that involved lane
switching and no sidewalks. As expected from the definition
of the dangerous maneuver rule Ψ2,2 and its priority, the vehicle does not switch lanes in the presence of obstacles in the
same lane that are spaced four units of distance or less apart.
The path as shown in Fig. 7 has weight WD = (0, 7, 32). The
seven lane penalties were result of seven transitions with an
incorrect orientation in the South lane. In this case, the lane
switching does not cause increase in the level of unsafety as
the lane switching maneuvers happen in the intersection areas, where heading East and West is allowed in North and
South lanes, respectively.
The proposed algorithm was implemented in MATLAB
for experimental evaluation on this case study. In each of
the scenarios, the product automaton had 24000 states and
was built in approx. 8 minutes for each case. The time of the
computation of the Dijkstra’s shortest path algorithm varied
from approx. 1 minute to 20 minutes depending on the total
weight of the computed run of the product automaton. The
reported times were measured on a Macbook Pro laptop
with 2.3 GHz processor and 4GB memory.
6.
E. Sidewalk needed to pass the obstacles.
CONCLUSIONS
In this paper, we have considered the problem of control
strategy synthesis where the mission specification is to fulfill
the task of reach a goal state while abiding by a given set
of rules. We have focused on the case when the task is not
With the addition of extra obstacles in the middle S-N column, the vehicle was unable to finish any path without
entering the sidewalks. The rightmost S-N road was cho-
9
feasible without temporarily violating a subset of the rules.
We have proposed an algorithm that provably violates on
the lowest-priority rules for the shortest amount of time.
We have shown the correctness of the proposed algorithm,
and we have analyzed its complexity. Furthermore, we have
evaluated the algorithm in a case study involving a robotic
car navigating in an urban environment.
Future work will include addressing more complex task
specifications, other than “reaching a goal state.” Examples
may include liveness specifications, such as those that describe surveillance missions. Furthermore, we would like to
extend our techniques to non-deterministic systems that are
often obtained as discrete abstractions of hybrid systems.
[11] E. L. Gunter and D. Peled. Temporal debugging for
concurrent systems. In International Conference on
Tools and Algorithms for the Construction and
Analysis of Systems (TACAS), pages 431–444.
Springer-Verlag, 2002.
[12] K. Hauser. The minimum constraint removal problem
with three robotics applications. In Proceedings of the
International Workshop on the Algorithmic
Foundations of Robotics (WAFR), 2012.
[13] Karaman and Frazzoli. Sampling-based optimal
motion planning with deterministic µ-calculus
specifications. In Proceedings of the American Control
Conference (ACC), 2012.
[14] K. Kim and G. Fainekos. Approximate solutions for
the minimal revision problem of specification
automata. In Proceedings of the IEEE/RSJ
International Conference on Intelligent Robots and
Systems (IROS), 2012.
[15] K. Kim, G. Fainekos, and S. Sankaranarayanan. On
the revision problem of specification automata. In
Proceedings of the IEEE International Conference on
Robotics and Automation (ICRA), 2012.
[16] M. Kloetzer and C. Belta. A Fully Automated
Framework for Control of Linear Systems from
Temporal Logic Specifications. IEEE Transactions on
Automatic Control, 53(1):287–297, 2008.
[17] H. Kress-Gazit, G. E. Fainekos, and G. J. Pappas.
Temporal Logic-based Reactive Mission and Motion
Planning. IEEE Transactions on Robotics,
25(6):1370–1381, 2009.
[18] Z. Manna and A. Pnueli. Temporal Verification of
Reactive Systems: Safety. Springer, 1995.
[19] V. Raman and H. Kress-Gazit. Analyzing
unsynthesizable specifications for high-level robot
behavior using ltlmop. In Proceedings of International
Conference on Computer Aided Verification (CAV),
pages 663–668, 2011.
[20] V. Raman and H. Kress-Gazit. Automated feedback
for unachievable high-level robot behaviors. In
Proceedings of the IEEE International Conference on
Robotics and Automation (ICRA), pages 5156–5162,
2012.
[21] M. Sipser. Introduction to the Theory of Computation.
Course Technology, 3rd edition, 2012.
[22] S. L. Smith, J. Tumova, C. Belta, and D. Rus.
Optimal Path Planning for Surveillance with
Temporal Logic Constraints. International Journal of
Robotics Research, 30(14):1695–1708, 2011.
[23] A. Ulusoy, S. L. Smith, X. C. Ding, and C. Belta.
Robust multi-robot optimal path planning with
temporal logic constraints. In Proceedings of the IEEE
International Conference on Robotics and Automation
(ICRA), pages 4693–4698, 2012.
[24] M. Y. Vardi and P. Wolper. An automata-theoretic
approach to automatic program verification. In Logic
in Computer Science, pages 322–331, 1986.
[25] T. Wongpiromsarn, U. Topcu, and R. M. Murray.
Receding Horizon Control for Temporal Logic
Specifications. In Hybrid systems: Computation and
Control (HSCC), pages 101–110, 2010.
Acknowledgments
This work is supported in part by the National Research
Foundation of Singapore, through the Future Urban Mobility SMART IRG, by the US National Science Foundation,
grant CNS-1016213, ONR-MURI Award N00014-09-1-1051,
and grant LH11065 at Masaryk University, Czech Republic.
7.
REFERENCES
[1] C. Baier and J.-P. Katoen. Principles of Model
Checking. MIT Press, 2008.
[2] E. Bartocci, R. Grosu, P. Katsaros, C. R.
Ramakrishnan, and S. A. Smolka. Model repair for
probabilistic systems. In International Conference on
Tools and Algorithms for the Construction and
Analysis of Systems (TACAS), pages 326–340.
Springer-Verlag, 2011.
[3] C. Belta and L. C. G. J. M. Habets. Control of a class
of nonlinear systems on rectangles. IEEE Transactions
on Automatic Control, 51(11):1749–1759, 2006.
[4] F. Buccafurri, T. Eiter, G. Gottlob, and N. Leone.
Enhancing model checking in verification by AI
techniques. Artificial Intelligence, 112(1-2):57 – 104,
1999.
[5] A. Cimatti, M. Roveri, V. Schuppan, and
A. Tchaltsev. Diagnostic information for realizability.
In Proceedings of the International Conference on
Verification, Model Checking, and Abstract
Interpretation (VMCAI), pages 52–67, Berlin,
Heidelberg, 2008. Springer-Verlag.
[6] C. Courcoubetis and M. Yannakakis. Markov decision
processes and regular events. IEEE Transactions on
Automatic Control, 43:1399 – 1418, 1998.
[7] W. Damm and B. Finkbeiner. Does it pay to extend
the perimeter of a world model? In Proceedings of the
International Symposium on Formal Mehods (FM),
pages 12–26, Berlin, Heidelberg, 2011. Springer-Verlag.
[8] E. W. Dijkstra. A note on two problems in connexion
with graphs. Numerische Mathematik, 1:269–271,
1959.
[9] X. C. Ding, S. Smith, C. Belta, and D. Rus. Mdp
optimal control under temporal logic constraints. In
Proceedings of the IEEE Conference on Decision and
Control and European Control Conference
(CDC-ECC), pages 532 –538, 2011.
[10] G. E. Fainekos. Revising temporal logic specifications
for motion planning. In Proceedings of the IEEE
International Conference on Robotics and Automation
(ICRA), 2011.
10

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz