Collaborative models for autonomous systems controller synthesis
Formal Aspects of Computing
We show how detailed simulation models and abstract Markov models can be developed collaboratively to generate and implement effective controllers for autonomous agent search and retrieve missions. We introduce a concrete simulation model of an Unmanned Aerial Vehicle (UAV). We then show how the probabilistic model checker PRISM is used for optimal strategy synthesis for a sequence of scenarios relevant to UAVs and potentially other autonomous agent systems. For each scenario we demonstrate how
it can be modelled using PRISM, give model checking statistics and present the synthesised optimal strategies. We then show how our strategies can be returned to the controller for the simulation model and provide experimental results to demonstrate the effectiveness of one such strategy. Finally we explain how our models can be adapted, using symmetry, for use on larger search areas, and demonstrate the feasibility of this approach.

5. provide experimental results demonstrating the effectiveness of the controllers;
6. present an approach to extend the work to larger search areas, and provide experimental results for this approach;
7. discuss the limitations of our approach and the next steps to overcome them.

This work is an extension of the conference paper [GHI+18], in which we describe a suite of abstract Markov models for strategy synthesis. This extension includes: full details of a concrete simulation model (which was originally used to derive parameters for the first of our Markov models, and is referred to in [GHI+18]); a description of how optimal strategies generated from the abstract MDP models can be returned to the concrete simulation model, together with experimental results; and an approach (together with experimental results) that uses symmetry to extend the work to generate controllers for searching larger areas.

Related work. There have been many attempts to use formal verification for the verification and specification of robotic systems; see e.g. [LFD+18] for a survey. Our work concerns: the use of discrete-time abstract models for controller synthesis; decision making for UAVs; and the link between simulation and model checking. We therefore concentrate on these three aspects. There has been significant work on using discrete-time abstract models, temporal logic specifications and formal methods for generating controllers of autonomous systems.
These works differ in the temporal logic specifications and models used. They include approaches using the branching-time logic PCTL [LAB15], the linear-time temporal logic LTL [WTM12, DSBR14], metric temporal logic [FT15], rewards [SM17], multi-objective queries [LK16, LPH17] and stochastic games [DFK+15, SKC+17, FWHT15]. The aim of these papers is the development of the required theory, rather than its application to a real system, which is the focus of our work. Also using discrete-time models are [Sha14, SCL+15], where partially observable MDPs (POMDPs) and LTL are used to generate motion plans for autonomous agents. Unlike our approach, the focus there is on developing efficient algorithms for solving POMDPs. On the other hand, research using continuous-time models for generating controllers includes [BBFL18], where energy timed automata and Uppaal-Tiga [BCD+07], an extension of the Uppaal model checker for timed automata [LPY97], are used for the synthesis of controllers for resource-aware systems. There are also a number of works using continuous-time models to formally verify the control software for a UAV. For example, in [LKM+08] a continuous-time model is used to describe the dynamics of a UAV and is then used to verify the control system. Model checking of a continuous-time system is challenging, as the state space of a continuous system is infinite in size. The use of hybrid automata is one solution to this problem [Hen96, CK00, KEPS99]; however, the formal verification techniques applicable to such a model are computationally expensive. To overcome this limitation, [FDW13, DFL+16] develop a compositional approach, in which the discrete decision-making components can be analysed separately from the continuous hybrid aspects. In this paper we also separate components, but use model checking for controller synthesis rather than for verifying existing controllers.
Related work in which abstract models are derived from concrete simulation models for verification includes the formal analysis of Simulink models [DH04]. For example, [MBR06, BBB+12] verify discrete-time Simulink blocks describing avionics/aerospace components using the NuSMV [CCGR99] and DiVinE [BBH+13] model checkers respectively. In [Mil09], Simulink components are translated to the Lustre formal specification language [HCRP91], from which they can be verified using a variety of model checkers and theorem provers, while [ASK04] presents a translation from Simulink to hybrid automata. An automatic translation of real-time Simulink blocks to the input language of the Uppaal statistical model checker Uppaal-SMC [DDL+12] is used to verify two automotive systems in [FMM+16]. Alternative approaches in this area include [MMBC11, JYL+16], which translate Stateflow diagrams to timed and hybrid automata respectively to allow formal verification. The first of these includes a discrete abstraction-based algorithm for synthesizing supervisory controllers, and the second uses Uppaal to verify aspects of a train controller system. Recently, an automatic and sound translation of robotic models specified in the GenoM3 robotic framework to Uppaal-SMC [DDL+12] for the verification of an autonomous UAV was considered in [FIS19]. In that approach, templates representing functional components are formalised as timed transition systems (TTSs). These are translated to timed automata augmented with global urgencies and data (DUTA), which can then be automatically mapped into Uppaal and Uppaal-SMC. Their goal is the verification of real-time functional (schedulability and bounded response) properties rather than the generation of optimal strategies.