automated software synthesis for complex … saha.pdfautomated software synthesis for complex...

Automated Software Synthesis forComplex Robotic Systems

Indranil Saha

Department of Computer Science and EngineeringIndian Institute of Technology Kanpur

Indranil Saha Automated Software Synthesis for Robotic Systems 1/48

Complex Robotic Systems


Complex Robotic Systems

The systems are mostlylife-critical or mission-critical


Embedded Control Software: The Weak LinkPlant

x' = f(x, u)

Controlleru = k(x)

xu

Actuator Sensor

Control System

Plant

Controller



x' = f(x, u)

Controlleru = k(x)

xu

Actuator Sensor

Control System

Plant

Controller

1962 – Mariner I Space Probe Malfunction



x' = f(x, u)

Controlleru = k(x)

xu

Actuator Sensor

Control System

Plant

Controller


1991 – The Patriot Missile Failure



x' = f(x, u)

Controlleru = k(x)

xu

Actuator Sensor

Control System

Plant

Controller



1995 – Ariane 5 Flight 501 Explosion



x' = f(x, u)

Controlleru = k(x)

xu

Actuator Sensor

Control System

Plant

Controller




2014 – Toyota Prius Recall


Embedded Control Software: The Weak Link

Today in aerospace industry, control software design, implementation, andtesting account for over 60% of the total development cost of an aircraft(Source: Lockheed Martin Aeronautics Company)

Plantx' = f(x, u)

Controlleru = k(x)

xu

Actuator Sensor

Control System

Plant

Controller




2014 – Toyota Prius Recall

....


Future Robotic SystemsAerospace

Automatic air-traffic controllerAutomotive

Self driving carDelivery

Delivery by UAVsHealthCare

Surgery by robot armsAgriculture

Automatic crop and fruit harvestatingEntertainment

Robot soccer, robot music band









More Automation.. More reliance on Software..









More Automation.. More reliance on Software..

Need of the hour: More Automation in Software Development


Research Goal

Research GoalTo devise tools and technologies to build high-assurancesoftware for complex robotic systems

FocusAutomated Software Synthesis


Example: Multi-Robot Motion Planning

I2

I1 I4

I3

F1

F2 F3

F4

x

y

Goal: I1→ F1, I2→ F2,I3→ F3, I4→ F4

Requirements:Maintain a rectangular formation

Maintain a precedence relationshipMaintain a minimum distance


Planning, Control and Computing Hierarchy

High-Level Planning

Control Algorithm

Design

Real-Time Software

Implementation

Artificial IntelligenceFormal Methods

Control Theory

Scheduling TheorySoftware Engineering

Compositional motionplanning for dynamicrobots

Synthesis of EmbeddedControl Software


Planning, Control and Computing Hierarchy

High-Level Planning

Control Algorithm

Design

Real-Time Software

Implementation

Artificial IntelligenceFormal Methods

Control Theory

Scheduling TheorySoftware Engineering

Compositional motionplanning for dynamicrobots


Research Focus

Automated Synthesiswith the aid of

Formal Methods + Control Theory + Scheduling Theory + Software Engineering


Outline

Background on Synthesis

Compositional Motion Planning

Control Software Synthesis

Ongoing and Future Work


Outline






Program Synthesis

Specification

SystemInformation

Program

SynthesisTool

(SMT Solver)


Program Synthesis

Specification

SystemInformation

Program

SynthesisTool

(SMT Solver)

Synthesized program is correct-by-construction


Program Synthesis - Specification

Specification

SystemInformation

Program

SynthesisTool

(SMT Solver)


Specification Language

R1

R3 R4

R2

3/2/15

Temporal logics as a task language

π1

π3 π4

π2

Should be expressive to capture temporal relationships amongthe events

Example: Visit area R2, then area R3, then area R4, and finally,return and remain in region R1 while avoiding areas R2 and R3

Linear Temporal Logic


Linear Temporal Logic (LTL)LTL Grammar:

φ ::= π | ¬φ | φ ∧ φ | © φ | � φ | ♦ φ | φ U φ

π - atomic proposition

Example: π1 - The robot is in Room 1

3/2/15

Go to goal (reachability)

Coverage

Sequencingπ1

π3 π4

π2

Reachability with avoidance

Recurrent Sequencing

“Visit area π2 then area π3 then area π4 and, finally, return and remain in region π1 while avoiding areas π2 and π3”


(next)©φ φ

(always)�φ φ φ φ φ

(eventually)♦φ φ

(until)φ1 U φ2 φ1 φ1 φ2


Examples of LTL Specifications

3/2/15

Go to goal (reachability)

Coverage

Sequencingπ1

π3 π4

π2

Reachability with avoidance

Recurrent Sequencing

“Visit area π2 then area π3 then area π4 and, finally, return and remain in region π1 while avoiding areas π2 and π3”


1 Reachabilityϕ = ♦π2

2 Coverageϕ = ♦π2 ∧ ♦π3 ∧ ♦π4

3 Sequencing♦(π2 ∧ ♦π3)

4 Reachability with avoidance(¬π2 ∧ ¬π3) U π4

5 Recurrent sequencing�♦(π2 ∧ ♦π3)

Visit area R2, then area R3, then area R4, and finally, return andremain in region R1 while avoiding areas R2 and R3

ϕ = ♦(π2 ∧ ♦(π3 ∧ ♦(π4 ∧ (¬π2 ∧ ¬π3) U �π1)))


Program Synthesis - SMT Solver

Specification

SystemInformation

Program

SynthesisTool

(SMT Solver)


SMT Solver

SAT solver: Checks satisfiability of Boolean formulas

Example: b1 ∧ b2 ∧ (b2→ ¬b1)

SMT Solver: SAT solver empowered with Theory solvers

Example Theories: LRA (Linear Real Arithmetic), EUF(Equality with Uninterpreted Functions), . . .Example: x0 = 0 ∧ y0 = 0 ∧ f (2, 1) = true ∧((x1 = x0 + 2) ∧ (y1 = y0 + 1)) ∨ ((x1 = x0 + 1) ∧ (y1 = y0 + 2))∧((x2 = x1 + 2) ∧ (y2 = y1 + 1)) ∨ ((x2 = x1 + 1) ∧ (y2 = y1 + 2))∧f (x1, y1) 6= true ∧ x2 ≥ 4 ∧ y2 ≥ 3

Formula is satisfiable⇒ generates a modelFormula is unsatisfiable⇒ generates an unsatisfiable core

An SMT solver can be used as an optimization engine- Iteratively search for better solution using binary search


Architecture of a Program Synthesis Tool

Specification

SystemInformation

Program

Constraint Generator

Specification Refinement Tool

SMT Solver

Constraints

Model

Program Generator

Unsat Core


Outline






Motion Plan Synthesis

High-Level Planning

Control Algorithm

Design

Real-Time Software

Implementation

Compositional motionplanning for dynamic robots



Motion Plan Synthesis

High-Level Planning

Control Algorithm

Design

Real-Time Software

Implementation



Specification

(LTL formula)

System Information

(Dynamics)

SynthesisTool

Program

(Motion Plan)


Motion PrimitivesShort, kinematically feasible motions forming the basis ofmovements of the robot

Components:u - a precomputed control input

τ - the duration for which the control signalis applied

qi - initial velocity configuration

qf - final velocity configuration

Xrf - relative final position

W - the set of relative blocks through whichthe robot may pass

cost - an estimated energy consumption forexecuting the control law

I F

I

(a) (b)

(c) (d)

F

I F

(a) (b)

I

(c) (d)

F

I F

I

(a) (b)

(c) (d)

F

I F

(a) (b)

I

(c) (d)

F

Note: Motion Primitives are position oblivious


Motion Planning Problem

An input problem instance P = 〈R, I,PRIM,Workspace, ξ,L〉

R - The set of robots

I - Initial state of the group of robots

PRIM = [PRIM1,PRIM2, . . . ,PRIM|R|]

Workspace - Workspace dimension, position of obstacles

ξ - Specification given in Linear Temporal Logic

L - Number of hops in the trajectory

Definition (Motion Planning Problem)

Given an input problem P, synthesize a trajectory of length L


Trajectory Synthesis via SMT Solving [IROS 2014]

Complan(COmpositional Motion PLANner)

http://www.cse.iitk.ac.in/∼isaha/complan.shtml

Φ(0)Prim1−−−→ Φ(1)

Prim2−−−→ Φ(2) . . .Φ(L− 1)PrimL−−−→ Φ(L)

Constraints: (Φ(0) ∈ I) ∧ ‖Transition‖ ∧ ‖Specification‖

Boolean combination of constraints from Linear Arithmetic andEquality with Uninterpreted Functions theories

Complan solves for the L motion primitives using an SMT solver


Example: Satisfy Invariants before Reaching Goal

I2

I1 I4

I3

A B

x

y

Goal: (I1 and I2)→ B(I3 and I4)→ A

Invariants:Maintain a rectangular or linearformation

Maintain a minimum distance



I2

I1 I4

I3

A B

x

y


Invariants:Maintain a rectangular or linearformation

Maintain a minimum distance

No motion plan that satisfies the formation constraint exists

Unsatisfiable Core helps us refining the specification



I2

I1 I4

I3

A B

x

y


Invariants:Maintain a minimum distance

The distance between two quadrotorsis always greater than one unit


Finding Optimal Trajectory

Find the least number of motion primitives that cangenerate a valid trajectory

Among all trajectories that use the least number of motionprimitives, find the one that incurs the least cost



I2

I1 I4

I3

A B

x

y


Invariants:Maintain a minimum distance

The distance between two quadrotorsis always greater than one unit


Example: Persistent Surveillance

I1

x

y

G1

G2G4

G3

U2

U1

0 1 2 3 4 5 6 7 8 9 10

1

2

3

4

5

6

7

8

10

11

12

13

14

15

16

9

11 12 13 14

0

U1U1

U2U2

15 16 1718

17

18

Each quadrotor has to repeatedly gatherdata from some data gathering location andupload the gathered data at a data uploadlocation.

ξ1 := A(�(♦(rXgather ∧ (♦rXupload))))


Motion Plan Synthesis for a Swarm of Robots [ICCPS 2016]

Specification: ¬obstacles U reach




Main Idea:Synthesize optimal trajectory for eachrobot independently




R2 R2'

R1

R1'

R2 R2'R1 R1'

Main Idea:Synthesize optimal trajectory for eachrobot independently




R2 R2'

R1

R1'

R2 R2'R1 R1'

Main Idea:Synthesize optimal trajectory for eachrobot independentlyFind a feasible ordering for the robots




R2 R2'

R1

R1'

R2 R2'R1 R1'

Main Idea:Synthesize optimal trajectory for eachrobot independentlyFind a feasible ordering for the robotsSynthesize final trajectories accordingto the assigned priorities

Treat the robots with higher prioritiesas dynamic obstaclesIntroduce minimum delay to executethe optional trajectory to avoidcollision




Implan(Incremental Motion PLANner)

R2 R2'

R1

R1'

R2 R2'R1 R1'

Main Idea:Synthesize optimal trajectory for eachrobot independentlyFind a feasible ordering for the robotsSynthesize final trajectories accordingto the assigned priorities

Treat the robots with higher prioritiesas dynamic obstaclesIntroduce minimum delay to executethe optional trajectory to avoidcollision


Motion Plan Synthesis for a Swarm of Robots

x

y

0 1 2 3 4 5 6 7 8 9 10

1

2

3

4

5

6

7

8

10

11

12

13

14

9

11 12 13 14

0

15

15 i1 i2

i3

i4

i5 i6

f1

f2

f3f4

f5

f4

f6

Ordering:1: R3 2: R6 3: R24: R4 5: R1 6: R5



x

y

0 1 2 3 4 5 6 7 8 9 10

1

2

3

4

5

6

7

8

10

11

12

13

14

9

11 12 13 14

0

15

15 i1 i2

i3

i4

i5 i6

f1

f2

f3f4

f5

f4

f6

Ordering:1: R3 2: R6 3: R24: R4 5: R1 6: R5

Challenge:What if an ordering does notexist?



x

y

0 1 2 3 4 5 6 7 8 9 10

1

2

3

4

5

6

7

8

10

11

12

13

14

9

11 12 13 14

0

15

15 i1 i2

i3

i4

i5 i6

f1

f2

f3f4

f5

f4

f6

Ordering:1: R3 2: R6 3: R24: R4 5: R1 6: R5

Challenge:What if an ordering does notexist?

R2 R2'

R1

R1'

R2 R2'R1 R1'


Example: Motion Planning in a Compact Workspace

Figure: caption

25 quadrotors movingin a closed place

Specification:¬obstacles U reach


Outline







High-Level Planning

Control Algorithm

Design

Real-Time Software

Implementation





High-Level Planning

Control Algorithm

Design

Real-Time Software

Implementation



Specification

(Stability)

System Information

(Model of the Plant)Synthesis

Tool

Program

(Controller Software)

Platform Information

(Number of Bits)


Specification for Ideal Controller: Exponential Stability

The plant converges to a desired behavior under the actions ofthe controller

I

ρ

R

II'

RR'


Specification for Ideal Controller: Exponential Stability

The plant converges to a desired behavior under the actions ofthe controller

I

ρ

R

II'

RR'

Example:In the steady state, the quadrotor will be at 4m away from

the x-axis and 6m away from the y-axis


Specification for Implemented Controller: PracticalStability

I

ρ

R

II'

RR'

Mathematical Model

I ρI

R

II'

RR'

Software Implementation

The state of the plant eventually reaches a bounded region andremains there under the action of the controller

Specification is given in terms of Region of Practical Stability


Specification for Implemented Controller: PracticalStability

I

ρ

R

II'

RR'

Mathematical Model

I ρI

R

II'

RR'


The state of the plant eventually reaches a bounded region andremains there under the action of the controller

Specification is given in terms of Region of Practical Stability

Example:In the steady state, the quadrotor will be between 3.9-4.1m away

from the x-axis and 5.8-6.2m away from the y-axisIndranil Saha Automated Software Synthesis for Robotic Systems 34/48

Verification Question [EMSOFT2010]

Given:Dynamics of the plantA stabilizing controllerThe number of bits of the target processorSpecification on practical stability

Verify: If the software implementation of the controller satisfiesthe specification on practical stability

Reduces to computing the upper bound on the region ofpractical stability


Bound on the Region of Practical Stability

I

ρ

R

II'

RR'

Mathematical Model

I ρI

R

II'

RR'




I

ρ

R

II'

RR'

Mathematical Model

I ρI

R

II'

RR'


Theorem[EMSOFT2010] If γ is the L2-Gain of a control system, b is abound on the implementation error, then

ρ ≤ γ × b



I

ρ

R

II'

RR'

Mathematical Model

I ρI

R

II'

RR'


Theorem[EMSOFT2010] If γ is the L2-Gain of a control system, b is abound on the implementation error, then

ρ ≤ γ × b

Separation of concerns:

Compute L2-gain from the mathematical model(standard problem in control theory)

Compute the bound on implementation error(analysis of the implementation)


Example of Controller Program

Control Law (Vehicle Steering) :u = 0.81× (In1− In2)− 1.017× In3

Real-valued programReal In1, In2, In3;Real Subtract, Gain, Gain2, Out1;

static void output(void) {Subtract = In1 - In2;Gain = 0.81 * Subtract;Gain2 = 1.017 * In3;Out1 = Gain - Gain2;

}

Fixed-point implementation (16-bit):short int In1, In2, In3;short int Subtract, Gain, Gain2, Out1;

static void output(void) {Subtract = (short int)(In1 - In2);Gain = (short int)(26542 * Subtract� 15);Gain2 = (short int)(16663 * In3� 14);Out1 = (short int)(((Gain� 1) - Gain2)� 1);

}


Example of Controller Program

Control Law (Vehicle Steering) :u = 0.81× (In1− In2)− 1.017× In3

Real-valued programReal In1, In2, In3;Real Subtract, Gain, Gain2, Out1;

static void output(void) {Subtract = In1 - In2;Gain = 0.81 * Subtract;Gain2 = 1.017 * In3;Out1 = Gain - Gain2;

}

Fixed-point implementation (16-bit):short int In1, In2, In3;short int Subtract, Gain, Gain2, Out1;

static void output(void) {Subtract = (short int)(In1 - In2);Gain = (short int)(26542 * Subtract� 15);Gain2 = (short int)(16663 * In3� 14);Out1 = (short int)(((Gain� 1) - Gain2)� 1);

}

What is the bound on the error?

Can be formulated as an SMT solving problem over Booleancombination of linear arithmetic constraints


Controller Stability Analyzer: Costan

An automatic tool to computethe bound on the region ofpractical stability

Supports both linear andnonlinear controllers, fornonlinear controllers bothpolynomial implementation andlookup table basedimplementation

Model of

Plant

ModelOf

Controller

Fixed-point Code generator

ImplementationOf

Controller

StrongestPost-conditionComputation

L2 Gain Computation

Error-boundComputation

Bound onStability Region

Computation

Computed Bound

Control Theory


Synthesis Question [EMSOFT 2012]

Is it possible to synthesize a controller that minimizes the regionof practical stability?


Synthesis Question [EMSOFT 2012]

Is it possible to synthesize a controller that minimizes the regionof practical stability?

Traditionally, controllers are synthesized minimizing LQR costfunction

LQR cost = state cost + control coststate cost = sum of the deviations of the states from their desiredvaluescontrol cost = energy expended by the control action


ExampleModel of a Vehicle Steering:[

ξ̇1

ξ̇2

]=

[0 g

h1 0

] [ξ1ξ2

]+

[10

](υ + ω)

y =[

av0bh

v20

bh

] [ ξ1ξ2

]+ ν

LQR Controller:

K1 = [5.1538, 12.9724]

LQR cost function is 264.1908

Another Controller:

K2 = [3.0253, 12.6089]

LQR cost function is 284.1578


Example (Cont.)

0 5 10 15−0.5

0

0.5

1

y

5 10 150

0.005

0.01

0.015

time

y

K2 and L2K1 and L1

K2 and L2K1 and L1

There is a trade-off between LQR cost and the region of practicalstability


Problem Statement

Design a controller optimizing the following objectives:

The LQR cost

The bound on the region of practical stability


Controller Synthesis Tool: Ocsyn

Co-optimizes LQR cost and the bound on region ofpractical stability

Employs stochastic optimization — needs to compute thevalue of the objective functions for many differentcontrollers

Employs a convex optimization tool to compute LQR cost

Uses Costan to compute the region of practical stability

Synthesizes controller

with significant improvement on the bound on region ofpractical stability

without significant degradation on the LQR cost

Example: vehicle steeringA factor of 10 improvement in the region of practical

stability with only 10% degradation in LQR costIndranil Saha Automated Software Synthesis for Robotic Systems 43/48

Outline






Ongoing Research

Complan:

New class of properties

Timing specification

New System Model

Mixed Logical Dynamical SystemTime varying motion primitives

Implan:

Linear Temporal Logic Motion Planning for large number ofrobots


Reactive, Robust and Distributed Motion Planning

Goal: Devise tools and techniques for synthesizing motionplanner that is

ReactiveSelf-Driven Car, Robocup

RobustPath planning for a drone in the presence of gust of wind

DistributedPath planning for an aircraft in a congested airspace

Challenges:How to make existing solvers more amenable to solveplanning problems?How to build domain specific solvers? (e.g., a solver thathas control theoretic intelligence)


Big Data Analytics and Security for CPS

Application of Big Data analytics in cyber-physical systemsAutomatic air-traffic controllerReal-time decision making by unmanned vehicles

Security for cyber-physical systemsDevise defense against attacks on unmanned aerialvehicles


Thank You!!http://www.cse.iitk.ac.in/∼isaha


automated software synthesis for complex … saha.pdfautomated software synthesis for complex...

Documents