towards scalable proofs of robot swarm emerging behavior properties

Jüri VainTallinn University of Technology

J.Vain Doctoral course ’Advanced topics in Embedded Systems’. Lyngby'09

ROBOSWARMROBOSWARM

J.Vain Doctoral course ’Advanced topics in Embedded

Systems’. Lyngby'09

Monday morning: (9:00 – 13.30)◦ 9:00 – 10:30 Intro: Model-Based Development and Validation of

Multirobot Cooperative System (MCS)◦ 10:30 – 12:00 MCS model construction and learning◦ 12:00 – 13:30 Model-based testing with reactive planning testers

Tuesday morning: (9:00 – 12.30)◦ 9:00 – 10:30 Towards scalable proofs of robot swarm emerging

behavior properties◦ 10:30 – 12:00 Hands-on: Distributed intruder capture protocol

How to characterize the swarms emerging behavior?

What makes the analysis difficult? How to handle the high complexity of swarm

analysis? Case study: dynamic cleaning problem


Systems’. Lyngby'09ROBOSWA

RMROBOSWA

RM

Integrated Service Quality - granted level of system service quality in the presence of faults, overload and other factors that may compromize the service quality.

For a distributed services we define the quality as a scalar that equals to the value of chosen service characteristic in the point of its lowest value.

We define the swarm mission being successful if the service quality during a preset mission time never exceeds the given critical threshold.



RMROBOSWA

RM

Y. Altshuler, A.M. Bruckstein, I.A. Wagner Swarm Robotics for a Dynamic Cleaning Problem. In “IEEE Swarm Intelligence Symposium”, pp. 209 – 216, June 2005.

J.Vain, T.Tammet, A.Kuusik, S.Juurik“Towards scalable proofs of robot swarm

dependability“. BEC2008.



RMROBOSWA

RM

Team Te (The environment):◦ Players of Te are distributed over the cleaning zones

evenly.◦ Each zone is considered as a service point (SP) for

queuing service requests from exactly one player of Te. ◦ Players of Te do not change their positions at SP-s. ◦ One step of deterioration of the zone corresponds to an

arrival of a service request from a player of team Te. ◦ The flow of service requests in each SP is stationary◦ Moves of players of Te are synchronized.

◦ The winning strategy of team Te results in the overflow of at least one service request queue during the mission.



RMROBOSWA

RM

Team Tc (cleaning swarm): ◦ Move of Tc player corresponds to cleaning of one

zone, i.e., processing a queue of SP requests. ◦ Players of Tc are mobile and able to coordinate

moves via messages left in SPs.

◦ The winning strategy of Tc : there is no overflow in any queue until the end of swarm mission time TH.

◦ Swarm mission is sicessful regarding given service

if it ensures the winning strategy of team Tc.



RMROBOSWA

RM

The cleaning zones in the service area are labeled with a RFID tag.

Every tag has unique ID that identifies the zone. RFID tag has data fields:

◦ Deterioration rate◦ Time-stamp of the latest cleaning◦ Bidding information about the highest priority robot

targeting the zone. Environment generates deterioration

dynamically with the rate depending on the zone:◦ 0 % corresponds to the clean room, ◦ 100 % is the maximum deterioration level

TR – treshold of acceptable (according to service quality requirement) deterioration level



RMROBOSWA

RM


A

B

C

D E

Legend: - Robot can see tags A and B;- B is more critical- robot moves to B

ROBOSWARM

ROBOSWARM


A

B

C

D E

Legend: - Robot can see tags C and B;- C is more critical- robot moves to C

ROBOSWARM

ROBOSWARM


A

B

C

D E

Legend: - Robot can see tags D, E, C and B;- C is the most critical- Robot reservs C and starts cleaning

ROBOSWARM

ROBOSWARM


A

BC

E

Legend :- Blue detects B as the most critial zone;- Blue writes its bid (id, job_list) on B - Blue starts moving towards B;

D

ROBOSWARM

ROBOSWARM


A

BC

E

Legend: - Green detects B, reads the Blue’s bid on B;- if the second critical in Green’s own joblist is more critical than the one on B

D

ROBOSWARM

ROBOSWARM


A

BC

E

Legend: - Green gives up B, i.e. moves towards its 2nd critical.

D

ROBOSWARM

ROBOSWARM


A

BC

E

Legend: - if the second critical in Green’s own job list is less critical than the one on B

D

ROBOSWARM

ROBOSWARM


A

BC

E

Legend: - the Green takes B over, i.e writes its bid on B instead

- moves towards B.

D

ROBOSWARM

ROBOSWARM


A

BC

E

Legend: - Blue periodically monitors its bid, - when Blue finds it’s bid overtaken - it gives up and moves towards its 2nd critical

D

ROBOSWARM

ROBOSWARM


A

BC

E

Legend: - Blue periodically monitors its bid, - when its finds it’s bid overtaken - it gives up and moves towards its 2nd critical

D

ROBOSWARM

ROBOSWARM

Simulation – incomplete Deductive proof – needs proper calculus,

general 1st order proof systems do not scale well, perhaps compositional methods and structural induction can help.

Model checking – partial solution at least for local proofs. Potential to scale up when combined with other techniques.



RMROBOSWA

RM

Reachability :◦ from the state where the deterioration level of all

zones is over the threshold TR, e.g., 80 %, the state where the soiling level is less than TR (e.g., TS = 30 %) is always reachable.

◦A<> forall (i : int[1,16]) tag[i] <TS Safety :

◦ Assuming the deterioration level is less than TS where TS < TR the deterioration level is always kept below the threshold TR.

◦ A[] forall (i: int[1,16]) tag[i]<TR && gclock < TH



RMROBOSWA

RM

Mudel_2_agenti_resolved.xml swarm_query1.q



Symmetry reduction works by identifying parts of the automaton that have equivalent behavior.

During the verification only one representative of the equivalent parts is used ◦ E.g., in case of an automaton consisting of two

identical parts the reduction in state space can be up to 50%.



Construct a bit field that can be used to identify if the current state has been visited.

Hash value of a state is used as the hash array index Because the state vector is n*10-n*100 of bytes, the

reduction in memory consumption can be up to 98% BSH reduces the accuracy: a state could be

mistakenly reported as visited due to a hash collision and is not stored in the hash array.

A state that would break the verification conditions may get unnoticed. However, all reported errors that are found are real error conditions.



DFA can reduce the memory requirements 10 but execution time is added.

Instead of hash table to store visited states a DFA is constructed to determine if a state has been visited before.

DFA is implemented in Spin. Since Promela (modelling language of SPIN) does

not include the concept of time, time passage has to be simulated indirectly by a global counter.



Hash table reaches a certain level of saturation

Saturation level is reached sooner when symmetry reduction is used.

Increasing model time horizon 10% the hash table size increases 300%



25 26 27 28 29 30 31 32 33 340

20

40

60

80

100

120

140

160

180

Elapsed time

No symmetrySymmetry

25 26 27 28 29 30 31 32 33 340

60

120

180

240

300

360

420

480

540

600

Elapsed time

No symmetrySymmetry

Proving emerging behavior properties of a swarm based on properties of individuals and their interaction is still unsolved problem.

Typically fully distributed symmetric coordination algorithms govern swarm behavior and are the prime target to formal verification.

Applying symmetry reduction, BSH, DFA for MC allows methods to scale up to certain limit but that is clearly insufficient for full system analysis.

New abstraction and deduction techniques are needed!



RMROBOSWA

RM

Thank you!



RMROBOSWA

RM

towards scalable proofs of robot swarm emerging behavior properties

Documents