Towards scalable proofs of robot swarm emerging behavior properties
Jüri Vain
Tallinn University of Technology
J.Vain Doctoral course ’Advanced topics in Embedded Systems’. Lyngby'09

Syllabus
• Monday morning: (9:00 – 13:30)
  • 9:00 – 10:30 Intro: Model-Based Development and Validation of Multirobot Cooperative System (MCS)
  • 10:30 – 12:00 MCS model construction and learning
  • 12:00 – 13:30 Model-based testing with reactive planning testers
• Tuesday morning: (9:00 – 12:30)
  • 9:00 – 10:30 Towards scalable proofs of robot swarm emerging behavior properties
  • 10:30 – 12:00 Hands-on: Distributed intruder capture protocol

ROBOSWARM Outline
• How to characterize the swarm's emerging behavior?
• What makes the analysis difficult?
• How to handle the high complexity of swarm analysis?
• Case study: dynamic cleaning problem

How to characterize the swarm emerging behavior?
• Integrated Service Quality: the granted level of system service quality in the presence of faults, overload and other factors that may compromise the service quality.
• For distributed services we define the quality as a scalar equal to the value of the chosen service characteristic at the point of its lowest value.
• We define the swarm mission as successful if the service quality during a preset mission time never exceeds the given critical threshold.

Case study: Dynamic cleaning problem
• Y. Altshuler, A.M. Bruckstein, I.A. Wagner. Swarm Robotics for a Dynamic Cleaning Problem. In “IEEE Swarm Intelligence Symposium”, pp. 209 – 216, June 2005.
• J. Vain, T. Tammet, A. Kuusik, S. Juurik. “Towards scalable proofs of robot swarm dependability”. BEC2008.

Dynamic cleaning as 2 teams’ discrete antagonistic game (1)
• Team Te (the environment):
  • Players of Te are distributed over the cleaning zones evenly.
  • Each zone is considered as a service point (SP) for queuing service requests from exactly one player of Te.
  • Players of Te do not change their positions at SPs.
  • One step of deterioration of the zone corresponds to an arrival of a service request from a player of team Te.
  • The flow of service requests in each SP is stationary.
  • Moves of players of Te are synchronized.
  • The winning strategy of team Te results in the overflow of at least one service request queue during the mission.

Dynamic cleaning as 2 teams’ discrete antagonistic game (2)
• Team Tc (cleaning swarm):
  • A move of a Tc player corresponds to cleaning of one zone, i.e., processing a queue of SP requests.
  • Players of Tc are mobile and able to coordinate moves via messages left in SPs.
  • The winning strategy of Tc: there is no overflow in any queue until the end of the swarm mission time TH.
  • The swarm mission is successful regarding a given service if it ensures the winning strategy of team Tc.

Dynamic cleaning problem – solution with ROBOSWARM
• The cleaning zones in the service area are labeled with an RFID tag.
• Every tag has a unique ID that identifies the zone.
• The RFID tag has data fields:
  • Deterioration rate
  • Time-stamp of the latest cleaning
  • Bidding information about the highest priority robot targeting the zone.
• The environment generates deterioration dynamically, with the rate depending on the zone:
  • 0 % corresponds to the clean room,
  • 100 % is the maximum deterioration level
  • TR – threshold of acceptable (according to the service quality requirement) deterioration level

Scenario 1: (conflict free) selection of the cleaning zone
[Figure: cleaning zones A, B, C, D, E]
Legend:
- Robot can see tags A and B;
- B is more critical
- robot moves to B

Scenario 1: (conflict free) selection of a cleaning zone
[Figure: cleaning zones A, B, C, D, E]
Legend:
- Robot can see tags C and B;
- C is more critical
- robot moves to C

Scenario 1: (conflict free) selection of a cleaning zone
[Figure: cleaning zones A, B, C, D, E]
Legend:
- Robot can see tags D, E, C and B;
- C is the most critical
- Robot reserves C and starts cleaning

Scenario 2: conflict resolution protocol
[Figure: cleaning zones A, B, C, D, E]
Legend:
- Blue detects B as the most critical zone;
- Blue writes its bid (id, job_list) on B
- Blue starts moving towards B;

Scenario 2: conflict resolution protocol
[Figure: cleaning zones A, B, C, D, E]
Legend:
- Green detects B, reads Blue’s bid on B;
- if the second critical in Green’s own job list is more critical than the one on B

Scenario 2: conflict resolution protocol
[Figure: cleaning zones A, B, C, D, E]
Legend:
- Green gives up B, i.e. moves towards its 2nd critical.

Scenario 2: conflict resolution protocol
[Figure: cleaning zones A, B, C, D, E]
Legend:
- if the second critical in Green’s own job list is less critical than the one on B

Scenario 2: conflict resolution protocol
[Figure: cleaning zones A, B, C, D, E]
Legend:
- Green takes B over, i.e. writes its bid on B instead
- moves towards B.

Scenario 2: conflict resolution protocol
[Figure: cleaning zones A, B, C, D, E]
Legend:
- Blue periodically monitors its bid,
- when Blue finds its bid overtaken
- it gives up and moves towards its 2nd critical

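The Scenario 2 exchange as a small simulation, added here as an example and not taken from the ROBOSWARM code. It assumes that "the one on B" means the second entry of the job list stored in the bid on B; the names Tag, Robot, select, monitor and scenario and all deterioration values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Tag:
    deterioration: int            # percent: 0 = clean, 100 = maximum
    bid: Optional[tuple] = None   # (robot id, job_list) of the current bidder

@dataclass
class Robot:
    rid: str
    visible: list                 # zones whose tags the robot can read
    target: Optional[str] = None

def job_list(robot, tags):
    """Visible zones, most deteriorated first."""
    return sorted(robot.visible, key=lambda z: -tags[z].deterioration)

def second_level(jobs, tags):
    """Deterioration of the 2nd critical zone of a job list (-1 if none)."""
    return tags[jobs[1]].deterioration if len(jobs) > 1 else -1

def select(robot, tags):
    """Pick the most critical visible zone; resolve a conflict via its tag."""
    jobs = job_list(robot, tags)
    tag = tags[jobs[0]]
    rival = tag.bid if tag.bid and tag.bid[0] != robot.rid else None
    # Assumption: compare own 2nd critical with the rival's 2nd critical.
    if rival and second_level(jobs, tags) > second_level(rival[1], tags):
        robot.target = jobs[1]                              # give up the zone
    else:
        tag.bid, robot.target = (robot.rid, jobs), jobs[0]  # bid or take over

def monitor(robot, tags):
    """Bidder re-reads its tag; if overtaken it moves to its 2nd critical."""
    bid = tags[robot.target].bid
    if bid and bid[0] != robot.rid:
        jobs = job_list(robot, tags)
        robot.target = jobs[1] if len(jobs) > 1 else None

def scenario(c_level):
    """Constructed sample: Blue sees A and B, Green sees B and C."""
    tags = {"A": Tag(40), "B": Tag(90), "C": Tag(c_level)}
    blue, green = Robot("blue", ["A", "B"]), Robot("green", ["B", "C"])
    select(blue, tags)     # Blue writes its bid on B
    select(green, tags)    # Green reads the bid and gives up or takes over
    monitor(blue, tags)    # Blue checks whether its bid was overtaken
    return blue.target, green.target
```

With C at 70 % Green keeps away from B; with C at 20 % Green overwrites the bid and Blue falls back to A.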
How to prove emerging behavior properties?
• Simulation – incomplete
• Deductive proof – needs proper calculus, general 1st order proof systems do not scale well, perhaps compositional methods and structural induction can help.
• Model checking – partial solution at least for local proofs. Potential to scale up when combined with other techniques.

How to express self-stabilization property of the service quality?
• Reachability:
  • from the state where the deterioration level of all zones is over the threshold TR, e.g., 80 %, the state where the soiling level is less than TR (e.g., TS = 30 %) is always reachable.
  • A<> forall (i : int[1,16]) tag[i] < TS
• Safety:
  • Assuming the deterioration level is less than TS where TS < TR, the deterioration level is always kept below the threshold TR.
  • A[] forall (i : int[1,16]) tag[i] < TR && gclock < TH

Demo
• Mudel_2_agenti_resolved.xml
• swarm_query1.q

State space reduction techniques: Symmetry reduction
• Symmetry reduction works by identifying parts of the automaton that have equivalent behavior.
• During the verification only one representative of the equivalent parts is used.
• E.g., in case of an automaton consisting of two identical parts the reduction in state space can be up to 50%.

State space reduction techniques: Bit state hashing (R. Morris)
• Construct a bit field that can be used to identify if the current state has been visited.
• The hash value of a state is used as the hash array index.
• Because the state vector is n*10 to n*100 bytes, the reduction in memory consumption can be up to 98%.
• BSH reduces the accuracy: a state could be mistakenly reported as visited due to a hash collision and is then not stored in the hash array.
• A state that would break the verification conditions may go unnoticed. However, all reported errors that are found are real error conditions.

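Bit state hashing on a toy version of the cleaning model, added here as an example and not taken from the course material or from Spin. The model (3 zones, levels 0 to 5, TR = 4, one robot that cleans any zone), the CRC32 hash and the names successors, violates and explore are assumptions made for illustration.

```python
import zlib
from collections import deque

ZONES, MAX_LEVEL, TR = 3, 5, 4   # constructed toy model; TR is the threshold

def successors(state):
    """Environment soils one zone by one step, then the robot cleans one zone."""
    for i in range(ZONES):
        soiled = list(state)
        soiled[i] = min(MAX_LEVEL, soiled[i] + 1)
        for j in range(ZONES):
            nxt = soiled.copy()
            nxt[j] = 0
            yield tuple(nxt)

def violates(state):
    """Negation of the safety property: forall i, tag[i] < TR."""
    return any(level >= TR for level in state)

def explore(bits=None):
    """BFS over reachable states; bits=None stores full states, else a bit field."""
    exact = set()
    field = bytearray((bits + 7) // 8) if bits else None

    def first_visit(s):
        if field is None:
            if s in exact:
                return False
            exact.add(s)
            return True
        h = zlib.crc32(bytes(s)) % bits          # hash value = bit index
        byte, mask = h >> 3, 1 << (h & 7)
        if field[byte] & mask:
            return False   # revisit OR collision: the state is silently skipped
        field[byte] |= mask
        return True

    start = (0,) * ZONES
    first_visit(start)
    queue, visited, errors = deque([start]), 1, set()
    while queue:
        s = queue.popleft()
        if violates(s):
            errors.add(s)
        for n in successors(s):
            if first_visit(n):
                visited += 1
                queue.append(n)
    return visited, errors
```

Calling explore() visits all 91 reachable states, while explore(bits=64) can visit at most 64 of them; every violation it reports is also found by the exact search, but some violating states may be missed.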
State vector compression and minimized DFA (Holzmann and Puri)
• DFA can reduce the memory requirements 10 but execution time is added.
• Instead of a hash table to store visited states, a DFA is constructed to determine if a state has been visited before.
• DFA is implemented in Spin.
• Since Promela (the modelling language of SPIN) does not include the concept of time, time passage has to be simulated indirectly by a global counter.

Hash table size dependency on verification time
• The hash table reaches a certain level of saturation.
• The saturation level is reached sooner when symmetry reduction is used.
• Increasing the model time horizon by 10% increases the hash table size by 300%.

Conclusions and discussion
• Proving emerging behavior properties of a swarm based on properties of individuals and their interaction is still an unsolved problem.
• Typically, fully distributed symmetric coordination algorithms govern swarm behavior and are the prime target of formal verification.
• Applying symmetry reduction, BSH and DFA for MC allows the methods to scale up to a certain limit, but that is clearly insufficient for full system analysis.
• New abstraction and deduction techniques are needed!