Automatic Deployment of Distributed Teams of Robots From Temporal Logic Motion Specifications

Download as pdf or txt
Download as pdf or txt
You are on page 1of 14

IEEE TRANSACTIONS ON ROBOTICS 1

Automatic deployment of distributed teams of


robots from temporal logic motion specifications
Marius Kloetzer, and Calin Belta, Member, IEEE

Abstract— We present a computational framework for au- local interaction rules, thought to be true in natural systems
tomatic synthesis of decentralized communication and control [5] (e.g., schools of fish, swarms of bees) or designed from
strategies for a robotic team from global specifications given first principles [6], are shown to produce emergent behaviors
as temporal and logic statements about visiting regions of
interest in a partitioned environment. We consider a purely at global level (largely known as “consensus algorithms” [7],
discrete scenario where the robots move among the vertices of a [8]). However, the inverse (top-down) problem, which seems
graph. However, by employing recent results on invariance and more relevant to robotics, remains largely unanswered: “Can
facet reachability for dynamical systems in environments with we automatically generate provably correct local communi-
polyhedral partitions, the framework from this paper can be cation and control strategies from global task specifications
directly implemented for robots with continuous dynamics. While
allowing for a rich specification language and guaranteeing the given in rich and natural language over regions of interest in
correctness of the solution, our approach is conservative, in the an environment?”
sense that we might not find a solution even if one exists. The The starting point for this paper is the observation that
overall amount of required computation is large. However, most “rich” and “human-like” task specifications, such as the tempo-
of it is performed off-line before the deployment. Illustrative ral and logic statements about the reachability of regions of in-
simulations and experimental results are included.
terest given above, translate naturally to formulas of temporal
Index Terms— Mobile robot motion planning, Distributed con- logics, such as Linear Temporal Logic (LTL) and Computation
trol, Cooperative systems, Temporal logic Tree Logic (CTL) [9]. Such logics and corresponding model
checking algorithms are normally used to specify and check
I. I NTRODUCTION the correctness of computer programs, which can be seen as
The goal in motion planning and control is to be able continuously operating, reactive (concurrent) systems [10].
to specify a motion task in a rich, high level language and Inspired by this, and enabled by recent results on the
have the robot(s) automatically convert this specification into construction of feedback controllers for facet reachability
a set of low level primitives, such as feedback controllers and invariance in polytopes [11]–[13], we consider a purely
and communication protocols, to accomplish the task [2]–[4]. discrete problem, in which n agents can move among the
This work is motivated by two disadvantages of the current vertices of a graph, which can be interpreted as the quotient of
approaches to robot motion planning and control. First, in most a partitioned environment. We model the robot communication
of the existing works, the motion planning problem is simply constraints as a graph, which can in general vary in time to
specified as “go from A to B while avoiding obstacles” [2]. capture proximity or line-of-sight communication constraints.
This is not rich enough to describe a large class of tasks The motion of each robot is modelled as a transition system
of interest in practical applications. The accomplishment of over the graph modelling the environment, whose transitions
the mission might require the attainment of either A or B, capture the robot control constraints (e.g., due to under-
convergence to a region (“reach A eventually and stay there actuation, a robot cannot move from a region to a particular
for all future times”), visiting targets sequentially (“reach A, adjacent region in a partitioned environment). We present a
and then B, and then C”), surveillance (“reach A and then framework for automatic generation of local control strategies
B infinitely often”), or the satisfaction of more complicated from a task specification given as an arbitrary LTL formula
temporal and logic conditions about the reachability of regions over the set of vertices. The solution to this purely discrete and
of interest (e.g.,, “Never go to A. Don’t go to B unless C or finite dimensional problem is readily implementable for robots
D were visited.”). Second, most current approaches to multi- with (continuous) dynamics moving in (infinite) environments
robot planning and control are bottom-up, in the sense that partitioned using popular schemes such as triangulations and
rectangular grids, as already demonstrated for the one-robot
M. Kloetzer is with the Technical University of Iasi, Romania, E-mail : case in our previous work [14], [15].
[email protected] The use of temporal logic for task specification and con-
C. Belta is with the Department of Mechanical Engineering, Division
of Systems Engineering, and the Bioinformatics Graduate Program, Boston troller synthesis in mobile robotics has been advocated as far
University, 15 St. Mary’s Street, Brookline, MA 02446, USA, E-mail : back as [16], and more recent works include [15], [17]–[20].
[email protected] As opposed to [15], [20], here we consider teams, rather than
Some preliminary results of this work were presented at the ICRA 2008 [1].
However, this manuscript contains a new algorithm allowing for distributed just single agents. In the robotics literature, the closest related
executions with no communication. In addition, it contains revised notation, works are [18], [19], which treat the problem of deployment
definitions, more technical details, examples, and experimental results. of robotic teams from temporal logic specifications. In [18],
This work was partially supported by NSF CAREER 0447721, AFOSR YIP
FA9550-09-1-020, ARO W911NF-09-1-0088, NSF CNS-0834260 at Boston the authors consider a team of robots interacting among
University. themselves and with a dynamic environment. The system in
IEEE TRANSACTIONS ON ROBOTICS 2

which all control actions are allowed is model checked with semantics of LTL formulas is beyond the scope of this paper.
respect to a timed CTL specification using UPPAAL. If the Informally, LTL formulas are recursively defined over a set of
system is correct, a witness trajectory, which can be optimal atomic propositions Π, by using the standard boolean operators
in either the number of discrete steps or in the total time, and a set of temporal operators. The boolean operators are ¬
is generated. In [19], the policy for producing robot actions (negations), ∨ (disjunction), ∧ (conjunction), and some tem-
is obtained by applying a game-theoretic framework [21]. poral operators that we use include U (standing for “until”),
While this allows for accommodating environmental events,  (“always”), ♦ (“eventually”). LTL formulas are interpreted
the specification language is limited to formulas in the GR(1) over infinite words over the set 2Π , like those generated by
fragment of LTL. As opposed to both these works, in this paper transition system T . Assume that φ1 and φ2 are two LTL
the specifications are global (i.e., over environmental features), formulas over Π and w is a word produced by T . Formula
with no subtask-robot pre-assignment. However, in the present φ1 U φ2 intuitively means that (over word w) φ2 will eventually
version, our framework does not capture environmental events. become true and φ1 is true until this happens. Formula ♦φ
Arguably, the closest related works are recent results in means that φ becomes eventually true, whereas φ indicates
concurrency theory (see [22] for a review), where global that φ is true at all positions of w. More expressiveness can
specifications given as languages over a set of actions are be achieved by combining the above operators.
checked for implementability by a set of agents jointly owning The expressivity of LTL makes it suited for specifying
the actions and synchronizing on them. However, in these motion tasks, such as reachability (“reach π1 eventually”,
works, the expressivity of the specifications is restricted to written as ♦π1 ), reachability and obstacle avoidance (“reach
a subset of regular languages. In addition, in the robotics π1 eventually, while always avoiding π2 ”, written as ♦π1 ∧
problem that we consider, the specification is given over ¬π2 ), convergence tasks (“reach π1 eventually and stay there
features in the environment, and we couldn’t find a general for all future times” - ♦π1 ), etc. Moreover, if more robots
method for mapping these features to robot actions. Our are available, the attainment of disjoint regions at the same
approach also relates to (and draws inspiration from) control time might be of interest, as in “reach π1 and π2 eventually”
of discrete event systems from specifications given in terms (♦(π1 ∧ π2 )).
of languages [23]. Remark 1: Classical LTL allows for an additional temporal
The remainder of the paper is organized as follows. Some operator called “next”. We do not allow for the “next” operator
preliminaries necessary throughout the paper are given in because, as shown in our previous work [15], it is meaningless
Section II. The problem is stated in Section III. The solution when abstracting a continuous system to a finite discrete one,
is presented in Sections IV and V. We discuss the complexity as considered in this paper. On the other hand, LTL without
and conservativeness of our approach in Section VI. The need the “next” operator cannot distinguish between words with
for communication among the robots is discussed in Section different numbers of finitely many consecutive repetitions of
VII, together with an algorithm for finding distributed imple- a symbol. For example π1 π2 π2 π3 ... satisfies exactly the same
mentations that do not require moving robots to communicate formulas as π1 π2 π3 .... As a consequence, for a transition
for all times. Section VIII makes the connection between the system T as in Definition 1 we will only consider words
purely discrete framework central to this paper and robots without finitely many consecutive repetitions of any symbol.
with continuous dynamics and presents a simple experimental Checking whether the language of a transition system T
result. Final remarks and discussions on the applicability of satisfies an LTL formula φ over its set of propositions Π is
the method are presented in Section IX. called model checking. Available off-the-shelf packages for
LTL model checking include NuSMV [24] and SPIN [25].
In short, given a transition system T and an LTL formula
II. P RELIMINARIES
φ over its set of propositions, a model checker will return
Definition 1: A transition system is a tuple T = (Q, Q0 , → the initial states for which the language satisfies the formula.
, Π, ), where Q is a set of states, Q0 ⊆ Q is a set of initial If the language generated from a state does not satisfy the
states, →⊆ Q × Q is a transition relation, Π is a finite set formula, the model checker returns a certificate in the form
of atomic propositions (or observations), and ⊆ Q × Π is a of a counterexample, i.e., a run violating the formula. Among
satisfaction relation. the several runs of T satisfying a formula φ , there are some
For an arbitrary state q ∈ Q, let Πq = {π ∈ Π | q  π}, with a particular structure of a prefix followed by infinitely
Πq ∈ 2Π , denote the set of all atomic propositions satisfied many repetitions of a suffix. A prefix is a finite trajectory from
at q. A trajectory or run of T starting from q is an infinite the initial state to an ending state (excluding this latter state),
sequence r = r(1)r(2)r(3) . . . with the property that r(1) = q, while a suffix starts and ends at the above ending state. If
r(i) ∈ Q, and (r(i), r(i + 1)) ∈→, for all i ≥ 1. A trajectory there exists a run of T satisfying φ starting from an initial
r = r(1)r(2)r(3) . . . defines a word over the set 2Π , w = state, then there always exists a run with the above particular
w(1)w(2)w(3) . . ., where w(i) = Πr(i) . The set of all words prefix-suffix structure from that state [26]. Such a run is of
that can be generated by T is called the (ω-) language of T . particular interest to us, as it will become clear in Section V.
In this paper, we consider motion specifications given as In this paper, the problem of finding runs of T satisfying
formulas of a fragment of Linear Temporal Logic (LTL) a formula φ is of special interest. To this goal, one can use
[9] called LT L−X , which we will simply denote by LTL an off-the-shelf model checker. Indeed, by feeding T and ¬φ
throughout the paper. A formal definition for the syntax and into a model checker, if the formula is not satisfied at a state,
IEEE TRANSACTIONS ON ROBOTICS 3

the model checker will return that initial state together with a • Qi = P is the set of states;
counterexample, which is a run satisfying φ . However, the user • q0i ∈ Qi is the initial location of agent i (a singleton);
does not have any control over the structure of the produced • →i ⊂ P × P is a reflexive transition relation satisfying
counterexamples. They can be very long, or not even satisfy →i ⊆→G ∪kj=1 (p j , p j ) and →i ⊆→C ;
the particular structure defined in Remark 1. An attractive • Πi = P;
alternative is to use our previously developed tool for model • i is the trivial satisfaction relation (q, π) ∈i if and only
checking and control of transition systems [15], tool that we if q = π.
will use in the approaches from this paper. In short, given a
In other words, the motion of robot i among the vertices of
formula φ and a transition system T , we would first derive a
G is restricted by the transition relation →i . We assume that
Büchi automaton Bφ , and then construct a product automaton
each robot can stay at a vertex and can only move between
A = T × Bφ , whose language projected onto T satisfies φ .
adjacent vertices. However, it is not necessary that a robot can
Then, in this transition system, we can search for runs with any
move between any adjacent vertices. In addition, in order to
imposed structure. In particular, we can look for runs in the
be able to avoid collision with other robots, we assume that a
prefix-suffix form, for runs which are “minimal” with respect
robot can only transit from a current vertex to a vertex with
to the overall length of prefix and suffix (or overall cost if
which communication is possible.
weights are attached to the transitions of T ), for runs that do
Note that the only differences between the transition systems
not have finitely many consecutive repetitions of a symbol, etc.
Ti are given by their initial states and possibly by their transi-
The obtained run can then be easily projected back to obtain
tion relations (for agents with different movement capabilities).
a satisfying run of T .
Also, for this particular definition of a transition system,
trajectories are equivalent to words. According to Remark 1, it
III. P ROBLEM F ORMULATION is enough to consider words without finitely many consecutive
Let repetitions of a symbol. A motion of robot i on the graph G
G = (P, →G ) (1) is such an (infinite) word produced by Ti . The occurrence of
a vertex in the motion of robot i means that the vertex is
be a graph, where P = {p1 , . . . , pk } is the set of vertices
visited and then left. Infinitely many consecutive repetitions
and →G ⊂ P × P is a symmetric relation modelling the set
of a vertex means that the robot stays at that vertex for all
of edges. As an exemplification of a mobile agent framework,
future times. A control strategy for robot i is an algorithm
G can be the quotient graph of a partitioned environment,
that, for each state q ∈ Qi , determines what allowed transition
where P is a set of labels for the regions in the partition,
the robot should take, and what the robot should communicate
and →G is the corresponding adjacency relation. Assume we
with the other robots in its communication range.
have a team of n, n < k, robots that can move instantaneously
Remark 2: The finite and purely discrete framework in-
between adjacent vertices of G. We assume that the agents
troduced above represents a formal abstraction of a realistic
have identical communication capabilities, which are induced
multi-robot scenario. Indeed, as already mentioned, G can
by the environment. Explicitly, the set of communication
be the quotient of a partitioned environment (obtained using,
constraints is defined as
for example, triangulations or rectangular grids). The commu-
C = (P, →C ), (2) nication constraints formulated above can restrict the robots
to communicate only when they are in adjacent regions, or
where →C ⊂ P × P is a symmetric and reflexive relation. In “close” to each other. Alternatively, G can be a visibility
other words, if two robots are at pi and p j , respectively, then graph, and the inter-robot communication constraints might
they can directly communicate if and only if (pi , p j ) ∈→C . refer to line of sight. The “motion capacity” relation →i
The assumption that →C is reflexive means that any robot can captures our capability to design controllers guaranteeing that
communicate with itself at all times. While this does not make robot i can be either kept in a region or driven to a neighbor
sense from an application point of view (i.e., it is obviously region, regardless of the initial position of the robot in the
true), it is assumed for technical reasons to become clear later. current region. Note that here we assume that the first type
While it is natural to assume that either →G ∪kj=1 (p j , p j ) =→C of controller can always be found, i.e., →i is reflexive - the
(i.e., two robots can directly communicate if and only if they need for this assumption will become clear later in the paper.
are in adjacent vertices) or →G ∪kj=1 (p j , p j ) ⊆→C (i.e., two Computationally efficient algorithms for the construction of
robots can directly communicate when in adjacent vertices), such controllers exist for triangular and rectangular partitions
neither of these assumptions are necessary. We assume that and robot dynamics ranging from fully actuated point-like
the communication is instantaneous, and each robot can act as robots to unicycles of non-negligible size [14] (see Section
a communication relay. In other words, any two robots in a VIII for more details and an example).
connected component of C can instantaneously communicate.
Definition 2: The behavior of the team of robots is an
We model the motion capabilities of each robot i, i = 1, . . . , n
infinite sequence of sets {p11 , . . . , p1n }, {p21 , . . . , p2n }, . . ., where
on the graph G using a transition system Ti , defined as follows:
pij ∈ P and pij 6= pkj for i 6= k and j = 1, 2, . . .. Each entry
Ti = (Qi , q0i , →i , Πi , i ), i = 1, . . . , n, (3) {p1j , . . . , pnj }, j = 1, 2, . . . denotes the set of vertices of G
occupied by the n robots. The first entry corresponds to the
where initial positions of the robots {p11 , . . . , p1n } = {q01 , . . . , q0n }. A
IEEE TRANSACTIONS ON ROBOTICS 4

set {p1j , . . . , pnj }, j ≥ 2 is added to the sequence whenever at


least one robot changes its position. An infinite number of
identical entries {p1j , . . . , pnj } is added to the sequence if the
set of vertices {p1j , . . . , pnj } is reached and never left.
According to Section II, the semantics of LTL formulas over
P can be defined over team behaviors. We are now ready to
formulate the main problem we consider in this paper:
Problem 1: Given a team of n agents with motion capabil-
ities (3) and communication constraints (2) on a graph (1),
their initial non-overlapping positions, and a task specified as
an LTL formula φ over P, find individual control strategies
such that the behavior of the team satisfies the specification.
In addition, no two robots are allowed to overlap at a vertex
or to swap vertices at any time.
Remark 3: Since, as required in Problem 1, no two robots
can swap vertices at a time, there will be a change in the set
of vertices occupied by the robots (i.e., a new entry added to
the behavior from Definition 2) whenever at least one robot
moves to a different vertex.
The solution to Problem 1 will be one generic algorithm, Fig. 1. Partitioned environment and the region labels for the case study
considered throughout the paper.
which will be run by each robot. From an implementation
point of view, this means that the robots will be first pro-
grammed and then deployed in the environment and simul- IV. F INDING A D ISTRIBUTABLE S OLUTION
taneously powered on. Once the agents are programmed and
started, they will autonomously evolve and interact with each To provide a solution to Problem 1, we proceed as follows.
other according to the imposed communication constraints. First, we construct a transition system Tg which captures all
There will be no supervising controller for the team during possible motions of the group of robots, while guaranteeing
the execution of the task. that no two robots ever overlap at a vertex or transit at
Case study: For illustration, throughout this paper, we the same time between adjacent vertices (swap vertices). In
consider the example shown in Fig. 1. A planar environment addition, Tg requires that moving robots communicate and
is partitioned into a set of k = 16 rectangles, labelled from the move simultaneously. The group transition system Tg is then
set P = {p1 , . . . , p16 }. Two vertices pi , p j are adjacent, i.e., pruned to produce a set of transition systems Tr , which have
(pi , p j ) ∈→G if and only if the corresponding rectangles share the property that all their runs are implementable by the
a facet. We consider a team of n = 3 identical robots, with robots in a distributed manner. Runs of Tr satisfying the LTL
initial positions in regions p1 , p3 , and p13 , respectively. Two specification are then projected to individual runs of Ti , which
robots can communicate when they are in rectangles that share are then implemented in each robot.
an edge (rectangles diagonally placed do not communicate). In Let Qg be the set of all ordered n-tuples with elements from
other words, the communication relation is given by →C =→G P with no repeated entries (see Definition 3). Let
∪16j=1 (p j , p j ). M : Qg × Qg → 2{1,...,n} , (4)
The motion of each robot is modelled as a transition system
with 16 states, where each state corresponds to a rectangle be a function such that M (q, q0 ) gives the set of indices of
from the partition. The initial states are q01 = p1 , q02 = p3 agents that occupy different regions in configurations q and
and q03 = p13 . We assume that the robots have identical motion q0 (e.g., if we have 3 agents, M ((p2 , p6 , p7 ), (p2 , p7 , p5 )) =
capabilities and, from every vertex, can move to all adjacent {2, 3}). Obviously, function M can be easily computed for
vertices. In other words, →1 =→2 =→3 =→G ∪16 j=1 (p j , p j ).
all its possible inputs.
The only differences among T1 , T2 and T3 are their initial Furthermore, we define
states.
C : Qg × {1, . . . , n} → 2{1,...,n} , (5)
We want to accomplish the following task: “Do not visit
any yellow region (p8 , p10 , p16 ) until all these three regions where C (q, i) is the set of all agents communicating with
are simultaneously visited, and always avoid the grey regions robot i when the configuration of the team is q. As already
(p4 , p6 , p15 )” Note that the nature of the task clearly implies mentioned, C (q, i) captures more than direct communication
a cooperation in the form of synchronization between robots between robots (i.e., the robots can act as communication
(all yellow regions must be simultaneously visited). The above relays). The set C (q, i) can be computed for any q ∈ Qg ,
specification immediately translates to the following LTL i ∈ {1, . . . , n} by using the communication graph C (Definition
formula: 2) as follows. First, we construct the adjacency matrix Aq
of the subgraph of C induced by the vertices contained in
φ = ¬(p8 ∨ p10 ∨ p16 )U (p8 ∧ p10 ∧ p16 ) ∧ ¬(p4 ∨ p6 ∨ p15 )
q. Second, we find the largest connected component of this
graph that includes robot i. This can be easily done by raising
IEEE TRANSACTIONS ON ROBOTICS 5

Aq at the (n − 1)th power and finding the indices of non-zero communicating robots to synchronously take transitions with
elements on the ith row (this is true because every node has the others is, of course, incorrect, since non-communicating
a self loop, and since n is small, the involved computation is robots cannot synchronize. However, we use this definition of
not time consuming). Tg for mathematical convenience. As it will become clear in
Definition 3: The transition system Tg = (Qg , Qg0 , →g Section V, self-transitions for non-communicating robots will
, Πg , g ) capturing the behavior of the group of n agents is in fact mean “doing nothing”. Robots will need to synchronize
defined as: only when moving from a region to another.
• Qg ⊂ Q1 × . . . × Qn , where (q1 , . . . , qn ) ∈ Qg if and only Once we have Tg and a specification given as an LTL
if qi 6= q j for i 6= j, formula φ over P, we can try to find a solution to Problem
• Qg0 = (q01 , . . . , q0n ), 1 by using off-the-shelf model checking (see Section II). If a
• →g ⊂ Qg × Qg is defined by (q, q0 ) ∈→g , with q = counterexample for ¬φ in the prefix-suffix form is produced,
(q1 , . . . , qn ) and q0 = (q01 , . . . , q0n ), if and only if (1) then we can collapse possible finitely many consecutive repe-
(qi , q0i ) ∈→i , i = 1, . . . , n, (2) ∀i, j = 1, . . . , n with i 6= j, if titions of a symbol in both prefix and suffix to produce a run
q0i = q j , then q0j 6= qi , and (3) ∀i ∈ M (q, q0 ), M (q, q0 ) ⊆ r. Alternatively, as mentioned in Section II, we can use our
C (q, i), model checking tool to produce a run r satisfying an optimality
• Πg = P, criterion, in addition to the two conditions mentioned above.
• g ⊂ Qg × Πg is defined by ((q1 , . . . , qn ), π) ∈g if π ∈ Once a run r is determined through one of the two methods
{q1 , . . . , qn }. presented above, it can be projected to the individual robots.
In other words, the states of the transition system Tg The transition relation from Tg guarantees that, for every
capture all possible ways in which the k vertices of G can transition from r, the moving agents can communicate, and
be occupied by the n robots. The configurations in which therefore synchronize.
two agents overlap (occupy the same vertex) are excluded, However, there is an additional restriction that the runs r
thus guaranteeing the avoidance of inter-robot collisions. The should satisfy: in order for a moving group of robots to know
possible motions of the team are modelled by the transi- when to take their next transitions, they need to know when
tion relation →g . A transition of Tg occurs when all agents the previously moving group completed their transition. For a
synchronously take allowed transitions (requirement (1) of better understanding, consider the following simple example:
Definition 3), and we exclude the case when two agents swap assume we have only two agents and we somehow obtained
positions, since this could cause collision (requirement (2)). a run of Tg , r = q, q0 , q00 , . . . (with q = (q1 , q2 ), q0 = (q01 , q2 ),
Moreover, requirement (3) shows that all moving agents should q00 = (q01 , q02 )), producing a word that satisfies φ . Note that
communicate. This last requirement is implied by the fact that the agents do not have to communicate in order to take each
only communicating agents can synchronize when changing individual transition from run r, since only one of them moves
their currently occupied locations. Note that the moving agents at a time. However, once agent 1 completed its movement
should communicate only while the team is in the config- (transition) from q1 to q01 , agent 2 should be informed about
uration to be left (denoted by q = (q1 , . . . , qn ) in Definition this fact, in order to move from q2 to q02 . This is possible if
3), and they are not restricted to communicate when the next and only if agents 1 and 2 were able to communicate while the
configuration (denoted by q0 = (q01 , . . . , q0n )) is reached. This team is in configuration (q01 , q2 ) (fact which is not captured
is because the synchronization when leaving configuration by the communication restrictions for individual transitions
q guarantees that the corresponding locations from q0 are of Tg ). We will refer to this requirement as transitivity of
synchronously hit. In requirement (3), i ∈ M (q, q0 ) can be communication, stating that a run of Tg can be decentralized if
arbitrarily chosen, since ∀i1 , i2 ∈ M (q, q0 ), C (q, i1 ) = C (q, i2 ), any two successive active communicating sets have nonempty
and we call the set C (q, i) the active communicating set. intersection. Formally, a run r = r(1)r(2)r(3) . . . of Tg satisfies
Finally, each team configuration is equipped with n predicates the transitivity of communication property if, for any position
enumerating the locations occupied by the agents (satisfied i = 1, 2, . . ., we have:
propositions), without explicitly specifying the exact position
C (r(i), j) ∩ C (r(i + 1), k) 6= 0,
/
of each agent. (6)
∀ j ∈ M (r(i), r(i + 1)), ∀k ∈ M (r(i + 1), r(i + 2))
Remark 4: According to Remark 1, it is enough to consider
only words of Tg with no finitely many consecutive repetitions One could try to use off-the-shelf model checking as
of an entry. Under this assumption, any word produced by suggested above and check whether the runs r obtained as
Tg according to Definition 3 is a valid behavior satisfying counterexamples satisfy (6). However, this procedure might be
Definition 2. time consuming, or it might not produce a result at all, since
Remark 5: Some comments are in order regarding the “syn- we do not have any control over the structure of the produced
chronization” in Definition 3. Since moving agents are re- counterexamples. In addition, even if a satisfying run is found,
quired to communicate, then they can execute transitions syn- it might be too “long”, i.e., it might involve unnecessary robot
chronously. However, non-communicating and communicating transitions. Alternatively, if our model checking approach is
but non-moving robots take self transitions synchronously with used, then one would have to find runs satisfying (6) in the
the moving robots. For the latter category this is not a prob- product automaton A (see Section II). However, it is not clear
lem, since they can communicate (and therefore synchronize how to modify a standard model checker or our own model
their self-transitions) with the moving robots. Asking non- checking approach such that requirement (6) is satisfied by the
IEEE TRANSACTIONS ON ROBOTICS 6

returned run. Therefore, in this paper we propose a different Qg0 to (p1 , p4 , p13 ), but not to (p2 , p4 , p13 )). Tg has a total
approach. number of 55344 transitions linking its 3360 states, and its
We will cut transitions in Tg such that the obtained reduced construction took about 45 seconds on a medium performance
transition system, called Tr , has only runs satisfying (6). Then, laptop. The first reduced transition system Tr is constructed by
by using our model checking approach described above, we considering C0 = {3} The obtained reduced transition system
will find runs satisfying the specification φ . To obtain Tr from Tr has only 28583 transitions, and it was created in 64 seconds.
Tg , we proceed as follows. First, we find all the disjoint sets A run satisfying the formula was obtained (in 23 seconds)
of communicating agents in the initial state Qg0 . For each of and thus we don’t have to create any other Tr . The obtained
these sets, a different Tr can be created as follows. Consider run is depicted in Fig. 2. It has a prefix of length 7, namely
one of these sets to be the active communicating set, denoted the sequence of states (p1 , p3 , p13 ) (p1 , p3 , p9 ) (p1 , p3 , p5 )
by C0 , and start with Tr = Tg . From all outgoing transitions (p2 , p3 , p1 ) (p3 , p7 , p2 ) (p7 , p11 , p3 ) (p11 , p12 , p7 ), and a suf-
of Qg0 in Tr , keep only the self-loop and those for which fix consisting of infinitely many repetitions of configuration
the set of moving agents is included in C0 . Then, for all the (p10 , p16 , p8 ). By design, this run of Tg satisfies both the
new states that can be visited by taking these transitions, keep desired specification and the transitivity of communication
only the self-loops and the outgoing transitions for which the property. Initially agent 3 moves towards agent 1, then they
intersection between their active communicating set and C0 start to communicate and both move towards robot 2, and
is nonempty. The process is repeated for each newly visited eventually all three agents reach configuration (p11 , p12 , p7 ),
state, by updating C0 to be the active communicating set for from where they can simultaneously enter the yellow regions
the currently considered outgoing transition. The algorithm (p8 , p10 , p16 ). Fig. 2 presents the successive configurations that
finishes when no new (not yet visited) states are reached. In are visited along the obtained run. The decentralized solution,
the end, the obtained Tr is guaranteed by construction to have showing what actions are performed by each robot such that
only runs satisfying property (6). the global behavior of the team is the one from Fig. 2, is
Once Tr is constructed, we search for a run r satisfying for- presented in the next section. We mention that in this case a
mula φ by using our model checking [15] procedure described solution would be obtained no matter what set C0 was initially
in Section II. If we find one, then this is also guaranteed to chosen for obtaining Tr . For example, if we choose C0 = {1},
be a run of Tg . Indeed, since the set of transitions of Tr is the obtained run has a prefix of length 9 and the same suffix as
a subset of the set of transitions of Tg , the language of Tr above. The prefix shows that agent 1 moves towards agent 3,
is included in the language of Tg . To choose among several then they move together towards robot 2, and eventually the
possible satisfying runs, we select one corresponding to a team reaches configuration (p11 , p12 , p7 ). In this case there
minimum overall number of robot movements (total number are more robot movements than in the case depicted by Fig.
of transitions in prefix and suffix of all Ti , without counting 2, because the obtained Tr is different.
self-loops). If a run cannot be found, we construct another
Tr , by considering another initial C0 , and we search for a run
V. D ISTRIBUTED I MPLEMENTATION
in the new Tr . If we do not obtain a run for at least one Tr ,
we conclude that we cannot find a solution to Problem 1 by In this section, we show how any run r with a prefix-suffix
using this approach. Assuming a run is obtained, we have to structure of Tg obtained as described in Section IV can be
implement it in a decentralized manner, as described in Section implemented on the robots in a distributed manner, i.e., while
V. observing the communication constraints. The implementation
Remark 6: We could have used a less conservative ap- will consist of a generic algorithm running on each robot.
proach for obtaining a run of Tg satisfying the transitivity Given a run r, robot-specific inputs will be generated for
of communication property. In short, this approach would the algorithm running on each robot. After the agents are
resemble counter-example guided model checking, and would programmed and placed in their initial vertices, the (local)
consist of the iterative application of the following steps: (1) executions of the algorithms will produce a team behavior
obtain a run r of Tg satisfying formula φ , (2) find sequences which coincides with the word produced by the run r on Tg .
of transitions from r that do not satisfy the transitivity of Algorithm 1 presents the steps that are infinitely iterated by
communication property, (3) modify φ such that it includes each robot. The main idea in the decentralized implementation
the avoidance of those sequences of states, and reiterate from of a run r is to have a token owned by a single robot at
(1). These steps should be iterated until a run satisfying the any given time. The robot owning the token initiates the next
desired property is obtained (or no run exists). The algorithm synchronous movement of some communicating robots (next
is guaranteed to terminate (because we keep adding restrictions transition in the run r). Thus, there will be no simultaneous
to formula φ , and thus we restrict the set of possible runs to be movements of non-communicating robots. Each robot contin-
returned). However, such an approach would be very expensive uously broadcasts its identity and the vertex it occupies in
computationally, because the augmented LTL formula might its communication range, and listens for possible commands.
become very long. Note that even the robot with token has to listen for commands,
Case study revisited: For our example shown in Fig. 1, because it can send a command to itself. There are two
the obtained Tg has 3360 states, and its initial state is Qg0 = types of commands that a robot can receive: a synchronized
(p1 , p3 , p13 ). There are three communicating (singleton) sets moving command, showing the next location to be reached
in Qg0 , namely {1}, {2}, and {3}. (e.g., Tg can transit from and the group of robots to synchronize with, and a token
IEEE TRANSACTIONS ON ROBOTICS 7

Fig. 2. Successive configurations of the team for the proposed example. The regions occupied by the three robots are red, blue and green, respectively. The
regions to be simultaneously reached are yellow (p8 , p10 , p16 ), and the regions to be always avoided are grey.

Fig. 3. Diagram presenting the token passing and the queue memory of robots receiving the token. Edges between the big ellipses represent the team
configuration when the token is passed and the robot receiving the token.

command, showing which robot will next own the token. one just treated) is deleted, and if position = su f f ix, the first
Unless a moving command is received, each agent remains entry is moved to the end of the queue (implying infinitely
in the current location. many repetitions of suffix of r). The robot that initiated the
The memory of each agent is organized as a first-in first- transition detects its completion based on the following: either
out (FIFO) queue. An entry in this queue stores the following it receives the new locations occupied by robots in M , or, if
information: position, which can be ’prefix’ or ’suffix’, shows it cannot communicate anymore with some robots from M , it
if the current configuration of the team is in the prefix or the concludes that those robots completed their moving command.
suffix of the run; M ⊆ {1, . . . , n}, giving the set (identities) of We find robot-specific inputs for Algorithm 1 by scanning
moving robots for the next transition from r to be taken; N p the positions of run r. Because of the prefix-suffix structure
(an ordered tuple with |M | elements from P), containing the of the run, we only have to scan a finite number of positions.
next location that each robot from M should visit; nexttok ∈ The memory queues are created based on the schedule for
{1, . . . , n}, giving the index of the robot that will receive the robots receiving the token. Let r(i), i = 1, . . . be a position
token once the currently scheduled transition from r is taken. from run r, and assume that r(i) 6= r(i + 1), r(i + 1) 6= r(i + 2).
A robot reads the first entry of its queue each time it receives This means that, if the suffix consists from a single infinitely
the token, and then sends moving commands to robots from repeating configuration, the current position r(i) is at least 2
the current set M , such that the next transition from r occurs. transitions before the suffix of run. For each i = 1, . . ., we
Once the transition is taken, the robot passes the token to robot first choose the agent that will receive the token for initiating
nexttok (which may be the same robot) and it updates the queue transition r(i) to r(i + 1). This agent can be any from the set
memory as follows: if position = pre f ix, the first entry (the C (r(i), j) ∩ C (r(i + 1), k), for arbitrary j ∈ M (r(i), r(i + 1))
IEEE TRANSACTIONS ON ROBOTICS 8

Algorithm 1 Operations iterated by each agent i = 1, . . . , n


I listen and execute received commands
I broadcast index i and location occupied
if agent has token then
I read first entry from queue memory: position, M , N p ,
nexttok
I send to agents from M the next location to be visited
(corresponding position from N p ), and set to synchronize
with (M )
I wait for agents from M to complete their task
if position = pre f ix then
I delete first entry from queue memory
else
I move first entry from queue memory to end
end if
I send token to agent nexttok
end if

Fig. 4. Environment, regions of interest (grey, yellow and green), and initial
and k ∈ M (r(i + 1), r(i + 2)) (property (6) guarantees the deployment of agents (red filled regions) for the example in Section VI.
non-emptiness of this set). In our implementation, the robot
with the smallest index from the mentioned set is picked.
Let us denote the identity of this robot by ti . Using run relax this assumption is presented in Section VII). Second, by
r, we create the inputs position, M , and N p to be added reducing Tg to Tr in Section IV, it is possible that no solution
at the end of the queue memory of robot ti . The value for satisfying property (6) be found, even though such a solution
nexttok is determined when we find robot ti+1 initiating the might exist in Tg . Also, an optimal solution with respect to
next transition (from r(i + 1) to r(i + 2)). Note that, when the number of robot movements in Tr , does not guarantee
the team reaches configuration r(i + 1), robot ti communicates optimality with respect to the same criterion for Tg .
with ti+1 , so it can pass the token (ti ,ti+1 ∈ C (r(i + 1), k), From a complexity point of view, the bottlenecks of the
k ∈ M (r(i + 1), r(i + 2))). If run r has a suffix consisting from presented approach are the construction of Tg , which has
only one state, once we reached a position r(i) that is only one k!/(k − n)! states, the reduction of Tg to Tr , and finding
transition far from the suffix, the token stays with the same satisfying runs in Tr . Indeed, as stated in Section II, as part of
robot (ti−1 = ti = ti+1 ). This is because the above mentioned finding a satisfying run in Tg , we need to construct a Büchi
approach would not work, since there are no moving robots automaton for the specification φ . This computation scales
from configurations r(i+1) to r(i+2) (suffix). Moreover, once exponentially in the size of the LTL formula (i.e., number
such a suffix is reached, the sets M , N p are empty in the last of propositions appearing in the formula)1 . This being said,
entry of the queue memory of agent ti . In this case, only the note that all this expensive computation is performed off-line,
token is passed to the same robot to ensure the correctness of before the deployment of the robots. The algorithm that is run
Algorithm 1. by each robot during the execution (Algorithm 1) of the task
Case study revisited: The diagram from Fig. 3 gives a is quite simple, and requires a small amount of memory.
global overview of the token passing among agents and of Example To illustrate the increase of the computation time
the queue memory of each agent receiving the token. For with the size of the problem, here we consider a more complex
simplicity, only the diagram guiding through the first three example. We consider a team of 4 agents initially deployed
configurations of the team is presented. Initially, robot 3 has in a partitioned environment as in Fig. 4. The motion and
the token (t1 = 3), since it is the first one to move, as already communication capabilities are possible between rectangular
shown in Fig. 2. Once configuration (p1 , p3 , p9 ) is reached, regions sharing an edge (as in the case study introduced in
robot 3 deletes the first entry in its queue memory, and sends Section III). The task requires that “always avoid grey regions,
the token back to itself (t2 = 3). One can observe that agent eventually visit the yellow regions, and do not visit any green
2 never receives the token, so it has an empty queue memory region until all of them are simultaneously entered”, and it is
(all its movements are initiated by agent 1). translated to the LTL formula φ = ¬(p7 ∨ p15 ∨ p22 ∨ p25 ) ∧
♦(p4 ∧ p5 ) ∧ ¬(p8 ∨ p11 ∨ p16 ∨ p23 )U(p8 ∧ p11 ∧ p16 ∧ p23 ).
VI. C ONSERVATISM AND C OMPLEXITY Transition system Tg has 303600 states. As compared to the
previous case study, Tg has 1000 times more states and the
Our approach to solving Problem 1 is conservative because Büchi automaton has twice the number of states.
of two main reasons. First, we assume that only one group of A run satisfying the formula in a reduced transition system
communicating agents can move at a time, rather than allowing Tr corresponding to the situation in which the token was
multiple non-communicating groups of locally communicating
agents to move simultaneously (an approach allowing us to 1 This theoretical upper bound is rarely achieved in applications.
IEEE TRANSACTIONS ON ROBOTICS 9

Fig. 5. Successive configurations of the team for the example from Section VI (the initial configuration is shown in Fig. 4). The regions occupied by the
four agents are red. Grey regions should be avoided, yellow regions should be visited, and green regions should be entered simultaneously.

initially given to R1 (see Fig. 4) is shown in Fig. 5. This states q0i , since they have identical motion capabilities →i .
run consists of 10 different configurations of the team: the Requirement (3) of Definition 3 becomes redundant, because
first configuration is the one from Fig. 4, and the last one the fully centralized communication architecture guarantees its
is the suffix, which has length 1 and is repeated infinitely fulfilment. In addition, there is no need to reduce Tg to Tr for
often. The overall computation took about 80 hours, from guaranteeing property (6), because it is already satisfied by any
which the construction of Tg , the construction of Tr , and run of Tg . In our previous work [27], by using bisimulation
finding a satisfying run in Tr took about 8%, 33%, and 58%, quotients, we show that the transition system Tg can be
respectively. equivalently reduced to a system with k!/((k − n)!n!) states.
Another situation in which the amount of computation can
It is important to note that a significant decrease in com- decrease significantly is when no synchronization is necessary
plexity can be achieved for the particular case when the to accomplish the task, which is discussed in Section VII.
robots are all identical and can all communicate with each
other (they maintain a connected communication graph for It is important to note that the speed of computation is not
all times). In such a case, the only difference between the the emphasis in this work. All the given computation times,
transition systems Ti , i = 1, . . . , n, is given by their initial which are too large to be useful in a real deployment problem,
IEEE TRANSACTIONS ON ROBOTICS 10

(s) (s) (s)


should be interpreted as relative to one another, just to give an where state (q1 , q2 , . . . , qn ) is the suffix and is
idea on how the methods scale with the size of the problem and infinitely repeated, then the individual run of agent i is
(1) (2) (s) (s)
how they compare to each other. Most importantly, note that ri = qi , qi , . . . , qi , qi , . . ., i = 1, . . . , n. Next, in each
we used a “classical” in-house model checker. A significant individual run, we collapse all finite successive repetitions
decrease in the computation time (several orders of magnitude) of the same symbol (except for the suffix, which consists
can be obtained if a symbolic model checker is used [28]. of infinitely many repetitions) into a single occurrence (i.e.,
Alternatively, a significant decrease can be obtained with ( j) ( j+1)
if ∃i ∈ {1, . . . , n}, j ∈ {1, . . . , s − 1} such that qi = qi ,
on-the-fly LTL model checking [29] or by restricting the then we remove qi
( j+1)
from ri , and repeat until no such i
specifications to fragments of LTL for which more efficient and j can be found). This is motivated by the fact that the
algorithms exist. As already mentioned, all the computation agents do not synchronize while moving, and the removed
was performed on a medium-performance laptop. The use repetitions correspond to synchronizations in run r modeling
of a more powerful computer would result in significantly an agent that waits in the same location until other agents
reduced computation times. If several processors are available, reach some specific locations. For simplicity, let each
the computation can be also accelerated through parallelizing individual run (without successive repetitions) be denoted by
the construction of the several possible Tr ’s. This being said, ri = qi1 , qi2 , . . . , qisi , . . ., where qisi is infinitely repeated (the
we expect that the method developed in this paper can only runs might now have prefixes of different lengths, because of
be relevant for “simple” applications (e.g., 3 robots moving in the performed collapsing).
an environment with 20 features of interest). Next we construct the set of all possible n-tuples that
can be generated by the team of agents, while each agent i
VII. O N THE NEED FOR SYNCHRONIZATION
individually (without synchronization) follows run ri . For this,
As already emphasized, the main limitation of the approach we first construct a small transition system T si for each agent,
presented above is that robots can move (i.e., make progress and then we construct a special kind of product automaton of
towards the completion of the task) only if they can commu- all these transition systems, with the guarantee that the set of
nicate. In this section, we present an approach allowing us words generated by the obtained product will be exactly the
to determine if the agents can satisfy the LTL task without desired set of tuples.
communicating anytime they change locations. They will at Definition 4: The transition system T si = (Qsi , Qsi0 , →si
most need to communicate locally for avoiding collisions. The , Πsi , si ), i = 1, . . . , n, is defined as:
main idea is the following. First, we find a run of Tg satisfying
• Qsi = {qi1 , qi2 , . . . , qis } ⊂ P is the set of states,
the LTL formula. Second, we find the set of all possible agent i
• Qsi0 = qi1 = q0i is the initial location of agent i,
executions that, without synchronization, map to the satisfying
• →si ⊂ Qsi × Qsi is defined by (qi j , qi j ) ∈→si , ∀ j ∈
run of Tg . This will be described as the language of a transition
system. Then we test if this language violates the LTL formula {1, . . . , si }, and (qi j , qi j+1 ) ∈→si , ∀ j ∈ {1, . . . , si − 1},
• Πsi = P,
(by using our model checking tool [15]). If there is no word
• si ⊂ Qsi × Πsi is the trivial satisfaction relation
violating the formula, we conclude that synchronization is not
necessary and the individual agent runs provide a solution to (q, π) ∈si if and only if q = π.
Problem 1. If the formula is violated by at least one word, then Each transition system T si , i = 1, . . . , n, corresponds to agent
we decide that synchronization is necessary, and the approach i following run ri (transitions exist only between successive
involving the reduction of Tg to Tr (Section IV) has to be states of ri , together with self-loops in any state). The self-
followed to find a solution. Alternatively, we could try to find loops are included to correctly create the product transition
another run of Tg that can be implemented by the team without system from Definition 5. Informally, agent i takes a self
the need for synchronization. This would follow the same lines transition if it is slower than other moving agents - this is
as described in Remark 6, but where step (2) would involve necessary since there is no synchronization.
using the current run (the one that could not be implemented) Definition 5: The product of T si , i = 1, . . . , n is defined as
to adjust Tg before producing a new candidate run. However, Tp = (Qp, Qp0 , → p , Π p ,  p ), where:
this extra step would add more computational overhead to an • Qp ⊂ Qs1 × . . . × Qsn is defined by (q1 , . . . , qn ) ∈ Qp if
already expensive method, and we decided not to pursue it. and only if qi 6= q j for i 6= j,
In the following, we describe the above ideas formally. • Qp0 = (q11 , . . . , qn1 ),
Assume that by using the tool from [15] with inputs Tg and • → p ⊂ Qp × Qp is defined by (q, q0 ) ∈→ p , with q =
φ we obtain a run r of Tg starting from the initial state (q1 , . . . , qn ) and q0 = (q01 , . . . , q0n ), if and only if (1)
and satisfying the LTL formula φ . If no such run exists, (qi , q0i ) ∈→si , i = 1, . . . , n, and (2) q 6= q0 or q = q0 =
we conclude that Problem 1 is unfeasible (by using Tr as in (q1s1 , . . . , qnsn ),
Section IV we will also get no run, since the language of Tr • Π p = P,
is a subset of the language of Tg ). Furthermore, for simplicity •  p ⊂ Qp × Π p is defined by ((q1 , . . . , qn ), π) ∈ p if π ∈
of exposition, we assume that the run r has a suffix of length {q1 , . . . , qn }.
one (if this is not the case, the definitions for T si and Tp given Transition system Tp captures all possible transitions that
below become more complicated). can appear in any T si , i.e., all possible configurations that can
If the run r is of form r = be attained by the team, while each robot follows its run on
(1) (1) (1) (2) (2) (2) (s) (s) (s)
(q1 , q2 , . . . , qn )(q1 , q2 , . . . , qn ) . . . (q1 , q2 , . . . , qn ) . . ., its own (without synchronization). This fact is guaranteed by
IEEE TRANSACTIONS ON ROBOTICS 11

requirement (1) from the transition relation of Tp . As already


mentioned, the self-loops at all states of all T si allow some
agents to remain in their locations (take self-loops) while other
agents move from one location to another. Requirement (2)
from the transition relation of Tp eliminates self-loops in all
states of Tp , except for the state corresponding to suffixes of
runs ri . This is because we use LT L−X formulas (see Remark
1) and there is no need to capture finitely many successive
repetitions of the same tuple in the generated word.
Note that in the construction of Qp in Definition 5, we
exclude the situations in which two or more agents occupy
the same location, thus achieving collision avoidance in the
formalism that we use. However, for satisfying this require-
ment when implementing an obtained strategy, the agents
must have some local collision avoidance controllers. More
specifically, all agents must to be able to sense if the next
(adjacent) location is free before moving from the current
location. If the next location is occupied, the agent needs to
wait until the location becomes free. This sensing capacity
Fig. 6. Partition for the example in Section VII.
can, of course, be implemented if the agents can communicate
when in adjacent regions. Since there is no synchronization
when different agents change locations, the probability of
two agents taking transitions to exactly the same location at time is about 50 hours from which the construction of Tg ,
exactly the same time is zero, and thus the described simple the construction of Tr , and finding a satisfying run in Tr
protocol guarantees collision avoidance. Such a protocol was takes about 14%, 55%, and 30%, respectively. Note that these
not necessary in the approach from Sections IV and V, since numbers are different than those in the example concluding
collision avoidance was guaranteed by the global construction Section VI, because the LTL task is different. The decen-
of the team run. Finally, note that the “move-only-when- tralized solution consists of 8 different team configurations
communicate” restriction from the run r of Tg disappears as (first, agent 1 moves to locations p3 , p4 , p9 , establishes
a result of collapsing identical successive repetitions from its communication with agent 2, they synchronously move to
projections to individual agents. locations p14 and p9 respectively, and then the whole team
By construction, the language of Tp contains all and only communicates and synchronously moves through configura-
the words that can be generated by the unsynchronized team tions (p14 , p9 , p19 , p24 ), (p13 , p8 , p18 , p19 ), (p12 , p13 , p17 , p18 ),
movement when each agent i follows its run ri , i = 1, . . . , n. (p11 , p8 , p16 , p23 ), by remaining in the last configuration).
If the language of Tp satisfy formula φ , then we conclude If, instead of computing Tr , we use the approach from this
that the unsynchronized movement (with collision avoidance, section in order to decide if synchronization is necessary, the
as mentioned above) is a solution to Problem 1. If this is not overall time is 34 hours. The run has 8 states in prefix and
the case, we conclude that synchronization is necessary, and 1 in suffix, namely: (p2 , p10 , p19 , p24 ), (p1 , p10 , p19 , p24 ),
therefore the approach from Sections IV and V is necessary. (p1 , p9 , p19 , p24 ), (p1 , p8 , p19 , p24 ), (p1 , p8 , p18 , p23 ),
Example: We consider a team of 4 agents evolving in the (p1 , p8 , p17 , p23 ), (p1 , p8 , p16 , p23 ), (p6 , p8 , p16 , p23 ),
environment from Fig. 6. The agents are initially placed in (p11 , p8 , p16 , p23 ) (the last configuration being the suffix). By
locations p2 , p10 , p19 , p24 (as in example concluding Section projecting this run to individual runs and by collapsing the
VI), and the motion and communication capabilities are as identical successive repetitions, we obtain r1 = p2 , p1 , p6 , p11 ,
in the case study introduced in Section III (i.e., motion and r2 = p10 , p9 , p8 , r3 = p19 , p18 , p17 , p16 , r4 = p24 , p23 . The
communication are possible between rectangles sharing an transition system Tp has 96 states, and by using the model-
edge). The task is “always avoid grey regions and eventually checking approach we conclude that all its generated words
occupy all the green regions at the same time (but not nec- satisfy the formula. Thus, each agent can individually follow
essarily simultaneously)”, and it can be translated to the LTL its run, without synchronizing with other agents (note that in
formula φ = ¬(p7 ∨ p15 ∨ p22 ∨ p25 )∧♦(p8 ∧ p11 ∧ p16 ∧ p23 ). this example, no collision is possible). All steps after finding
Transition system Tg is the same as in example concluding run r took about 5 seconds.
Section VI (it has 303600 states). However, note that this task By using the approach from this section for the case studies
is different than the task from the example at the end of Section from Sections III and VI, we obtain that synchronization is
VI (even ignoring the yellow regions), because here the agents necessary, which is in accordance with the nature of the LTL
may enter the green regions at different time instants, and in tasks (they both require to simultaneously enter some regions).
any order, whereas in the example from Section VI, the robots The involved computation time was about 30 seconds for the
were required to enter the green regions simultaneously. example from Section III and 49 hours for the example from
If we use the approach from Sections IV and V, with Section VI, from which more than 99% was used for finding
token initially given to agent 1, the overall computational a run of Tg .
IEEE TRANSACTIONS ON ROBOTICS 12

To conclude, our proposed approach to Problem 1 is a two- and obstacles (see Fig. 7). Each robot is a differential drive
step process. We first check if synchronization is necessary and its size is about the size of a CD. A central computer
by using the approach proposed in this section. If the answer performs all the computation and sends the individual plans
is negative, then a solution is automatically generated. In (runs) to the robots through Bluetooth. An overhead video
this solution, the robots do not have to wait for each other, camera is used for robot localization. The robots are covered
except for collision avoidance. If the answer is positive, then with white disks, which contain certain dot patterns for robot
the (more expensive) approach described in Sections IV and identification. When computing the robot control inputs, each
V can provide a solution to the problem. Note that there robot is abstracted to its observable, which is an off-axis point
is still a gap in between the two approaches and we do on the white disk. To design desired velocities for the reference
not accommodate cases in which several non-communicating point, we use triangulations and construction of affine vector
groups of communicating robots move independently and fields as described in [14]. To generate velocities for the
communicate only when necessary. While this gap could be robot wheels, we use a unicycle model and solve an input-
reduced by extending the ideas from this section to groups output regulation problem as proposed in [30]. We assume
of robots, this would add some computation overhead to an that the robots can communicate for all times. Since they are
already computationally expensive framework. also identical, the off-line computation before deployment is
relatively cheap by using the reduction described at the end
of Section VI.
VIII. D EPLOYMENT OF ROBOTS WITH CONTINUOUS
We consider a task specification given as the following LTL
DYNAMICS AND EXPERIMENTAL RESULTS
formula:
As already suggested, by using results on the construction φ = ¬(bluetriangle ∨ blue pentagon ∨ red ∨ green)U
of finite quotients for continuous and hybrid systems [11],  (7)
red ∧ green ∧ ♦(bluetriangle ∨ blue pentagon ) ,
[13], [15], the framework developed here for finite models of
robot motion (i.e., finite transition systems) can be directly Formula φ requires that all regions be avoided until the
used to deploy robots described by “realistic” continuous green and red regions are simultaneously entered, and after
dynamical models. The underlying idea is a certain notion of that either of the blue regions be visited. Several snapshots
“equivalence” between an infinite control system (ẋ = f (x, u)) taken with the overhead video camera during the motion of the
describing the motion of a robot in a partitioned environment robots, as well as motion traces of both robots, are presented
and a finite transition system describing the motion of a in Fig. 7. The movies corresponding to this experiment can be
robot between the vertices of a graph. The graph on which downloaded from http://iasi.bu.edu/∼software/
the transition system evolves is the partition quotient of the LTL-examples.htm, or from the multimedia attachment
environment. The transitions →i of each Ti are constructed of the current paper.
based on computationally efficient procedures for designing
feedback controllers in each region such that either the region IX. D ISCUSSION AND FUTURE WORK
is left in finite time through a desired facet, or the region is an We presented a fully automated computational framework
invariant for the trajectories of the continuous control system for decentralized deployment of a team of robots from task
[12], [13]. If only such feedback controllers are used for the specifications given in high-level and rich language consisting
continuous control system, then the finite transition system of temporal logic statements about visiting regions of interest
is a bisimulation quotient for an infinite transition system in a partitioned environment. While we focused on a purely
embedding the closed loop continuous control system. discrete problem, the implementation of the algorithm is
Once a finite representation in the form (3) is constructed immediate for robots with continuous dynamics moving in en-
for each robot, the discrete strategy presented in this paper vironments with triangular or rectangular partitions, and with
can be almost directly applied to the initial robots described communication constraints induced by physical proximity.
by continuous control systems. Indeed, a ”discrete” transition The approach was implemented as a software package under
between two adjacent vertices p1 and p2 corresponds to the Matlab, which is freely downloadable from http://iasi.
application of a feedback controller driving all initial states of bu.edu/∼software/LTL-decentr.htm, and tested in
the continuous system from the region labelled by p1 to the an experimental platform based on Khepera III.
region labelled by p2 through their separating facet in finite While allowing for provably correct distributed implemen-
time. Robots that are not required to move in the discrete tations from rich, human-like motion specifications, our ap-
scenario apply feedback controllers making the corresponding proach has five main disadvantages. First, it is very expensive.
regions invariants. Of course, the motion is not instantaneous This is mainly due to the construction of the synchronous
anymore in the continuous case. The synchronization will product capturing the motion of the team. To deal with this
occur on the boundaries of the regions when crossing from issue, in the future we will pursue a hierarchical approach
a region to another, and the synchronizing robots will have to in which the global specification will be first mapped to
“wait” for each other on the boundaries. local (abstract) behaviors (following the ideas reviewed in
In the rest of this section, we present experimental results [22]). The latter will serve as motion specifications for each
showing the automatic deployment of two Khepera III robots agent. However, even in this approach, we expect that the
(http://www.k-team.com) in a 80” × 60” rectangular applicability of these types of techniques will be restricted
environment with polygonal regions of interest, such as targets to “simple” environments and small teams of robots with
IEEE TRANSACTIONS ON ROBOTICS 13

Fig. 7. Experimental results for the deployment of two robots in a rectangular environment with polygonal regions of interest. Left to right and top to
bottom: The first figure presents the testbed. The second figure presents the initial deployment of the two robots, while the next ones show snapshots of their
motion. The last figure shows their motion traces (white for the first robot and yellow for the second).

significant computation capabilities. Second, our approach is [3] H. Choset, K. Lynch, S. Hutchinson, G. Kantor, W. Burgard, L. Kavraki,
not completely decentralized, in the sense that the solution and S. Thrun, Principles of Robot Motion: Theory, Algorithms, and
Implementations. Boston, MA: MIT Press, 2005.
is found in a “centralized” manner and it is executed in a [4] S. M. LaValle, Planning algorithms. Cambridge, UK: Cambridge
distributed manner. Of course it would be desirable to have University Press, 2006.
a completely decentralized solution in which the global task [5] V. Gazi and K. M. Passino, “Stability analysis of swarms,” IEEE
Transactions on Automatic Control, vol. 48, no. 4, pp. 692–696, 2003.
is given to all agents and they find the distributed solution [6] N. E. Leonard and E. Fiorelli, “Virtual leaders, artificial potentials, and
through a negotiation process during the execution of the task. coordinated control of groups,” in 40th IEEE Conference on Decision
We expect that “on the fly” model checking algorithms [29] and Control, Orlando, FL, December 2001, pp. 2968 – 2973.
for distributable temporal logics will be relevant to this issue. [7] A. Jadbabaie, J. Lin, and A. S. Morse, “Coordination of groups of mobile
autonomous agents using nearest neighbor rules,” IEEE Transactions on
Third, our approach is conservative, or incomplete, in the Automatic Control, vol. 48, no. 6, pp. 988–1001, 2003.
sense that even if a solution exists, we might fail to find it. As [8] R. Olfati-Saber and R. M. Murray, “Distributed cooperative control of
already stated, we could approach this issue through some multiple vehicle formations using structural potential functions,” in IFAC
World Congress, Barcelona, Spain, July 2002.
extra computation. However, this would add to an already [9] E. M. M. Clarke, D. Peled, and O. Grumberg, Model checking. MIT
expensive algorithm. Fourth, it cannot accommodate changes Press, 1999.
in the environment, external events, and it is not robust to [10] Z. Manna and A. Pnueli, The temporal Logic of Reactive and Concurrent
Systems: Specification. Berlin: Springer-Verlag, 1992.
failures, e.g., token loss, incorrect messages, etc. A reactive [11] L. Habets and J. van Schuppen, “A control problem for affine dynamical
approach [21] can be used to accommodate “well behaved” systems on a full-dimensional polytope,” Automatica, vol. 40, pp. 21–35,
external events, as recommended in [19]. Mission changes 2004.
[12] L. Habets, P. Collins, and J. van Schuppen, “Reachability and control
could be handled by restricting the specification to flat LTL synthesis for piecewise-affine hybrid systems on simplices,” IEEE Trans.
[31], as recommended in [32]. Aut. Control, vol. 51, pp. 938–948, 2006.
Fifth, the method proposed here does not capture any [13] C. Belta and L. Habets, “Control of a class of nonlinear systems on
measurement and control uncertainty. Indeed, we assume that rectangles,” IEEE Transactions on Automatic Control, vol. 51, no. 11,
pp. 1749 – 1759, 2006.
the robots can determine exactly when crossing from one [14] C. Belta, V. Isler, and G. J. Pappas, “Discrete abstractions for robot
region to another and what happens after the application of a planning and control in polygonal environments,” IEEE Trans. on
control action, i.e., the transition to next region is guaranteed. Robotics, vol. 21, no. 5, pp. 864–874, 2005.
[15] M. Kloetzer and C. Belta, “A fully automated framework for control of
Relaxing these assumptions leads to the problem of controlling linear systems from temporal logic specifications,” IEEE Transactions
a Partially Observed Markov Decision Process (POMDP) from on Automatic Control, vol. 53, no. 1, pp. 287–297, 2008.
a temporal logic specification, which is currently not well [16] M. Antoniotti and B. Mishra, “Discrete event models + temporal logic =
supervisory controller: Automatic synthesis of locomotion controllers,”
understood. Note that control strategies for Markov Decision in IEEE International Conference on Robotics and Automation, May
Processes (MDP) from formulas of probabilistic temporal 1995.
logic can be, in principle, obtained by adapting existing [17] S. G. Loizou and K. J. Kyriakopoulos, “Automatic synthesis of mul-
tiagent motion tasks based on LTL specifications,” in 43rd IEEE
probabilistic model checkers, such as PRISM [33]. Conference on Decision and Control, December 2004.
[18] M. M. Quottrup, T. Bak, and R. Izadi-Zamanabadi, “Multi-robot motion
R EFERENCES planning: A timed automata approach,” in Proceedings of the 2004 IEEE
International Conference on Robotics and Automation, New Orleans,
[1] M. Kloetzer and C. Belta, “Distributed implementation of global tem- LA, April 2004, pp. 4417–4422.
poral logic motion specifications,” in IEEE International Conference on [19] H. K. Gazit, G. Fainekos, and G. J. Pappas, “Where’s waldo? sensor-
Robotics and Automation, Pasadena, CA, 2008. based temporal logic motion planning,” in IEEE Conference on Robotics
[2] J. C. Latombe, Robot Motion Planning. Kluger Academic Pub., 1991. and Automation, Rome, Italy, 2007.
IEEE TRANSACTIONS ON ROBOTICS 14

[20] G. E. Fainekos, H. Kress-Gazit, and G. J. Pappas, “Hybrid controllers for


path planning: a temporal logic approach,” in Proceedings of the 2005
IEEE Conference on Decision and Control, Seville, Spain, December
2005.
[21] N. Piterman, A. Pnueli, and Y. Saar, “Synthesis of reactive(1) designs,”
in VMCAI, Charleston, SC, 2006, pp. 364–380.
[22] M. Mukund, “From global specifications to distributed implementa-
tions,” in Synthesis and control of discrete event systems. Kluwer,
2002, pp. 19–34.
[23] R. Kumar and V. K. Garg, Modeling and Control of Logical Discrete
Event Systems. Boston: Kluwer Academic Publishers, 1995.
[24] A. Cimatti, E. Clarke, E. Giunchiglia, F. Giunchiglia, M. Pistore,
M. Roveri, R. Sebastiani, and A. Tacchella, “Nusmv version 2: An
opensource tool for symbolic model checking,” in Proc. International
Conference on Computer-Aided Verification (CAV 2002), ser. LNCS, vol.
2404. Copenhagen, Denmark: Springer, July 2002.
[25] G. Holzmann, “The model checker spin,” in IEEE Transactions on
Software Engineering, vol. 25, no. 5, May 1997, pp. 279–295.
[26] ——, The Spin Model Checker, Primer and Reference Manual. Reading,
Massachusetts: Addison-Wesley, 2004.
[27] M. Kloetzer and C. Belta, “LTL planning for groups of robots,” in
IEEE International Conference on Networking, Sensing, and Control,
Ft. Lauderdale, FL, 2006.
[28] J. R. Burch, E. M. Clarke, K. L. Mcmillan, D. L. Dill, and L. J. Hwang,
“Symbolic model checking: 10 20 states and beyond,” Information and
Computation, vol. 98, no. 2, pp. 142–170, 1990.
[29] J. Geldenhuys and A. Valmari, “More efficient on-the-fly ltl verification
with tarjan’s algorithm,” Theor. Comput. Sci., vol. 345, no. 1, pp. 60–82,
2005.
[30] J. Desai, J. Ostrowski, and V. Kumar, “Controlling formations of
multiple mobile robots,” in Proc. IEEE Int. Conf. Robot. Automat.,
Leuven, Belgium, 1998.
[31] D. Dams, “Flat fragments of ctl and ctl? : Separating the expressive and
distinguishing powers,” Logic Journal of the IGPL, vol. 7, no. 1, pp.
55–78, 1999.
[32] G. Fainekos, S. Loizou, and G. J. Pappas, “Translating temporal logic to
controller specifications,” in IEEE Conference on Decision and Control,
San Diego, CA, 2006.
[33] A. Hinton, M. Kwiatkowska, G. Norman, and D. Parker, “Prism: A
tool for automatic verification of probabilistic systems,” in Proc. 12th
International Conference on Tools and Algorithms for the Construction
and Analysis of Systems (TACAS’06), ser. LNCS, vol. 3920. Springer,
2006, pp. 441–444.

You might also like