Allen Linear Temporal LogicTranslation to LTL and

Monitor Synthesis

Grigore Rosu (University of Illinois at U-C)

Saddek Bensalem (VERIMAG)

2

On Temporal Reasoning

• Allen temporal algebra/logic (ATL): Allen’84– One of the “best established formalism for temporal

reasoning” (in AI) – Krokhin et al.’03 (J. of ACM)

• Linear temporal logic (LTL): Pnueli’77– One of the best-established formalisms in verification

• Between the two, so far …– No rigorous connection– No attempt to “systematically reuse” good features of

one in the context of the other (visual representation, formal verification, monitoring, etc.)

3

Overview

• Recall Allen temporal algebra/logic and LTL

• Define Allen linear temporal logic (ALTL)

• Translate ALTL into LTL– NP completeness of ALTL satisfiability

• Monitor ALTL

• Conclusion

• Future work

4

Allen Temporal Algebra/Logic (ATL)

• Framework dealing with incomplete relative temporal information– Event A is before or overlaps event B

• Very used in AI planning• Interval taken as primitive temporal quantity• 13 basic binary relations on intervals• ATL formula (aka compatibility)

– boolean (finite) combination of such relations

• ATL models are (dense) total orders– Intervals interpreted as convex subsets

5

ATL: Basic Interval Relations (I)

• Equals(i,j)

• Before(i,j) or After(j,i)

• Meets(i,j) or MetBy(j,i)

i

j

i j

i j

Exactly the same timepoints

Exactly the same timepoints

There are some timepoints between i and j

There are some timepoints between i and j

There are no timepoints between i and j

There are no timepoints between i and j

6

ATL: Basic Interval Relations (II)

• Overlaps(i,j) or OverlappedBy(j,i)

• Contains(i,j) or During(j,i)

• Starts(i,j) or StartedBy(j,i)

• Ends(i,j) or EndedBy(j,i)

ij

i j

i j

ij

7

ATL Models

• Total orders (T,<), dense or discrete

• Intervals interpreted as convex subsets : Intervals → Convex(T)– C Convex(T) iff (x,y) C when x < y in C

• Model (T,<, ) satisfies Overlaps(i,j) iff

(i) ∩ (j) ≠ and

x (j), y (i), x < (i), (j) < y

(i)(j)x y

8

ATL in Practice

• Extensively used in AI planning to reason about concurrency and temporal extent; very visual

• Intervals can express both action instances and states of attributes (state variables); aka tokens

• Example: McCarthy’s Monkey/Banana

9

NASA Ames GROMIT ModelExploration rover

10

DDL: A Formal ATL Language

• Domain-Description Language (DDL) in AI planning– NASA Remote Agent, EUROPA; used for plan synthesis

• GROMIT model has >1500 DDL lines of ATL spec:

11

ATL: Known Results and Evidence

• Allen introduced it in ’84; no theorems• NP-complete satisfiability (Vilain,Kautz,Beek’89)

– Not hard, but intricate

• Much research in tractable fragments– 18 tractable subalgebras(Krokhin,Jeavons,Jonsson’03 – J.ACM)

• Evidence– Visual and intuitive formalism– Easy to comprehend and explain– Large specifications relatively manageable

12

Linear Temporal Logic (LTL)• Pnueli introduced it in ’77• Sistla, Clarke ’85

– PSPACE-complete satisfiability– LTL□ is NP-complete

• Extensively used in verification, temp. DB• Calvanese, De Giacomo, Vardi ’02

– Propose LTL as a formalism for AI planning

• Yet, no formal connection between ATL and LTL has been investigated– we could use LTL verification tools and techniques in

AI planning, a domain lacking but in need of them …

13

From ATL to LTL (I)

Step 1• Relate models:

– Define Allen Linear Temporal Logic (ALTL), whose models are -sequences, like in LTL

• Theory:– Same complexity as the dense variant

• Practice:– Care needed to generate at least one

timepoint in each non-empty interval fragment

14

From ATL to LTL (II)Step 2

• Encode membership to intervals:– Add an atomic predicate i for each interval i

Step 3

• Enforce “interval behavior” (no “gaps”)– Non-emptiness: i for each interval i

– Convexity: ( (i (i i )))

jj j

j

15

From ATL to LTL (III)

Step 4• Encode interval relations; e.g.:

Overlaps(i,j) (j i (j i (j i )))

ij

j i j i

j i

16

From ATL to LTL:Theoretical Aspects

• Recent works in ATL, including the DDL language, work with an extended ATL– Add predicates and new relations

• Holds(p,i) and Occurs(p,i)

– New satisfiability is obviously still NP-hard• Extends propositional calculus

• Holds and Occurs can also be translated in LTL– Holds(p,i) is □ (i p)

– Occurs(p,i) is (p i )

• Four steps above give us– A reduction from ATL to LTL□, the latter NP-complete

• Therefore, the extended ATL is NP-complete

17

From ATL to LTL:Practical Aspects

• Implemented the four transformation steps above as a term rewrite system, in Maude

– [go to example in technical report]– Unfortunately, resulting LTL formulae are large

and hard to understand …

• But, at least in principle, one can now1) Use formal verification techniques in domains,

e.g., AI planning, whose requirements use ATL

2) Use ATL to specify system requirements and then formally verify them

18

Monitoring ATL (I)

• Importance of monitoring in autonomous systems cannot be overestimated:– Even if a plan is proved to satisfy its spec, many factors

can lead to violations of reqs: terrain, power, hardware

• We know how to monitor LTL “efficiently”– Monitors based on (non-deterministic) Buchi automata

• Can we use our ATL-to-LTL translation and then use LTL monitors to monitor ATL?– Buchi automata generation appears to be a bottle-neck– ATL-to-LTL-to-Buchi applied on the Monkey formula

yields several thousand nodes and ~ 60,000 edges(Oddoux&Gastin LTL2Buchi)

19

Specialized Monitoring Algorithm for ATL

• Idea: divide-and-conquer– Monitor each temporal relation “individually”– Combine the results within the “big-picture”– Check for satisfiability “from time to time”

Algorithm: Suppose ATL formula (r1, r2, …, rn) is a boolean formula … where– r1, r2, …, rn regarded as “dynamic” variables; they may

become true/false during monitoring– At each event, recalculate the “truth status” of variables

• Maintain a “little” monitor for each

– At critical timepoints, check satisfiability of

20

Monitors for Interval Relations

Overlaps(j,i) ji

There are also “little monitors” ensuring that intervals are non-empty and contiguous …

There are also “little monitors” ensuring that intervals are non-empty and contiguous …

21

GROMIT Experiment

• Applied the ATL monitor synthesis algorithm above on NASA Ames’ GROMIT specification

• ATL formula has more than 100 interval relations• We did not have access to the execution platform,

but were provided 100 execution traces, each containing several hundred events

• Both monitor synthesis and checking took negligible time– However, for each trace, we checked for satisfiability

only once, at the end

22

Conclusion

• Defined Allen linear temporal logic (ALTL)• Translated ALTL into LTL

– NP completeness of (extended) ALTL satisfiability– Allows using LTL tools and techniques in domains that

prefer (or cannot avoid) ATL specifications

• Explored monitoring problem for ATL– Showed that “blind use” of LTL monitors can be inefficient– Presented efficient, specialized ATL monitoring algorithm

23

Future Work, Questions …

• ATL is a “sugared fragment” of LTL– Monitoring ATL directly is more effective …– Can ATL (instead of general LTL) be used in certain

particular system verification efforts? Visual, easy!

• Formal verification techniques for ATL?– Theorem proving, model checking

• Extend ATL with repetition? Monitor it?

• There are many other interval logics (e.g., ITL, MTL)– Monitor synthesis for these?