Specification Patterns for Robotic Missions

01/07/2019
by   Claudio Menghi, et al.
0

Mobile and general-purpose robots increasingly support our everyday life, requiring dependable robotics control software. Creating such software mainly amounts to implementing their complex behaviors known as missions. Recognizing the need, a large number of domain-specific specification languages has been proposed. These, in addition to traditional logical languages, allow the use of formally specified missions for synthesis, verification, simulation, or guiding the implementation. For instance, the logical language LTL is commonly used by experts to specify missions, as an input for planners, which synthesize the behavior a robot should have. Unfortunately, domain-specific languages are usually tied to specific robot models, while logical languages such as LTL are difficult to use by non-experts. We present a catalog of 22 mission specification patterns for mobile robots, together with tooling for instantiating, composing, and compiling the patterns to create mission specifications. The patterns provide solutions for recurrent specification problems, each of which detailing the usage intent, known uses, relationships to other patterns, and---most importantly---a template mission specification in temporal logic. Our tooling produces specifications expressed in the LTL and CTL temporal logics to be used by planners, simulators, or model checkers. The patterns originate from 245 realistic textual mission requirements extracted from the robotics literature, and they are evaluated upon a total of 441 real-world mission requirements and 1251 mission specifications. Five of these reflect scenarios we defined with two well-known industrial partners developing human-size robots. We validated our patterns' correctness with simulators and two real robots.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 1

02/11/2019

Reactive Control Meets Runtime Verification: A Case Study of Navigation

This paper presents an application of specification based runtime verifi...
10/18/2019

Signal-Based Properties: Taxonomy and Logic-based Characterization

The behavior of a cyber-physical system (CPS) is usually defined in term...
08/28/2019

Modular Verification of Autonomous Space Robotics

Ensuring that autonomous space robot control software behaves as it shou...
04/27/2019

Enabling Open-World Specification Mining via Unsupervised Learning

Many programming tasks require using both domain-specific code and well-...
07/31/2019

Aquarium: Cassiopea and Alewife Languages

This technical report describes two of the domain specific languages use...
07/31/2019

Aquarium Technical Report Preprint

In this technical report, we present the core calculi for two of the dom...
07/25/2021

Neural Circuit Synthesis from Specification Patterns

We train hierarchical Transformers on the task of synthesizing hardware ...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

I Introduction

Mobile robots are increasingly used in complex environments aiming at autonomously realizing missions [1]. The rapid pace of development in robotics hardware and technology demands software that can sustain this growth [2, 3, 4, 5]. Increasingly, robots will be used for accomplishing tasks of everyday life by end-users with no expertise and knowledge in computer science, robotics, mathematics or logics. Providing techniques that support robotic software development is a major software-engineering challenge [2, 6, 7, 8, 9, 10].

The mission describes the high-level tasks the robotic software must accomplish [11]. Among the different ways of describing missions that were proposed in the literature [12, 13, 14, 15, 16, 17, 18], in this work, we consider declarative specifications [19]. These describe the final outcome the software should achieve—rather than describing how to achieve it—and are prominently used in the robotics domain [20, 21, 22, 23, 24, 25, 26, 27, 17, 28, 10]. Precisely specifying missions and transforming them into a form useful for automatic processing are among the main challenges in engineering robotics software [29, 30, 31, 32, 9]. On the one hand, missions should be defined with a notation that is high-level and user-friendly [33, 34, 11]. On the other hand, to enable automatic processing, the notation should be unambiguous and provide a formal and precise description of what robots should do in terms of movements and actions [35, 36, 37].

Typically, when engineering robotics software, the missions are first expressed using natural-language requirements. These are then specified using domain-specific languages, many of which have been proposed over the last decades [12, 13, 14, 38]. These languages are often integrated with development environments that are used to generate code that can be executed within simulators or real robots [15, 16, 17]. However, these languages are typically bound to specific types of robots and support a limited number and type of missions. Other works, especially coming from the robotics domain, advocate to formally specify missions in temporal logics [28, 26, 39, 20]. Unfortunately, defining temporal logic formulae is complicated. As such, the definition of mission specifications is laborious and error-prone, as widely recognized in the software-engineering and robotics communities (e.g.,[40, 41, 9, 42]).

Conceptually, defining a robotic mission entails two problems. First, ambiguities in mission requirements that prevent precise and unambiguous specifications must be resolved [43, 38, 42]. Consider the very simple mission requirement “the robot shall visit the kitchen and the office.” This can be interpreted as “visit the kitchen” and also that at some point the robot should “visit the office” or visit “the kitchen and the office in order.” This highlights the ambiguity in natural language requirements formulation, and common mistakes may be introduced when diverse interpretations are given [37, 44, 45, 46]. Second, creating specifications that correctly capture requirements is hard and error prone [40, 41, 9, 42]. Assume that the correct intended behavior requires that “the kitchen and the office are visited in order,” which is a common mission specification problem [47, 48]. When transforming this requirement into a precise mission specification, an expert might come up with the following formula in temporal logic:

,

where and signify that robot is in the kitchen and office, respectively, and denotes finally. Now, recall that the actual requirement is that the robot reaches the kitchen before the office. Unfortunately, the logical formula still admits that the robot reaches the office before entering the kitchen, which may be an unintended behavior. Mitigating this problem requires defining additional behavioral constraints. A correct formula, among others, is the following:

,

where stands for until. The additional constraint requires the office to not be visited before the kitchen, recalling a specification pattern for temporal logics known as the absence pattern [49]. Rather than conceiving such specifications recurrently in an ad hoc way with the risk of introducing mistakes, engineers could re-use validated solutions to existing mission requirements.

Specification patterns are a popular solution to the specification problem. While precise behavioral specifications in logical languages enable reasoning about behavioral properties [50, 51], specification is hard and error prone [52, 53]. The problem is exacerbated, since practitioners are often unfamiliar with the intricate syntax and semantics of logical languages [49]. For instance, Dwyer et al. [49] introduced patterns for safety properties, later extended by Grunske [54] and Konrad et al. [55] to address real-time and probabilistic quality properties. Autili et al. [56] consolidated and organized these patterns into a comprehensive catalog. Bianculli et al. [57] applied specification patterns to the domain of Web services. All these patterns provide template solutions that can be used to specify the respective properties. However, none of these pattern catalogs focuses on the robotic software domain to solve the mission specification problem.

We propose a pattern catalog and supporting tooling that facilitates engineering missions for mobile robots, which implements the original, high level idea that we had recently presented [58]. We focus on robot movement as one of the major aspects considered in the robotics domain [59, 60, 61], as well as on how robots perform actions as they move within their environment. For each pattern we provide usage intent, known uses, relationships to other patterns, and—most importantly—a template mission specification in temporal logic. The latter relies on LTL and CTL as the most widely used formal specification languages in robotics [20, 21, 22, 23, 24, 25, 26, 27, 17, 28, 10]. The catalog has been produced by analyzing 245 natural-language mission requirements systematically retrieved from the robotics literature. From these requirements we identified recurrent mission specification problems and conceived solutions were organized as patterns in a catalog. Our patterns provide a formally defined vocabulary that supports robotics developers in defining mission requirements. Relying on the usage of the pattern catalog as a common vocabulary allows mitigating ambiguous natural language formulations [41]. Our patterns also provide validated mission specifications for recurrent mission requirements, facilitating the creation of correct mission specifications [27].

We implemented the tool PsAlM (Pattern bAsed Mission specifier) [62] to further support developers in rigorous mission design. PsAlM allows (i) specifying a mission requirement through a structured English grammar, which uses patterns as basic building blocks and operators that allow composing these patterns into complex missions, and (ii) automatically generating specifications from mission requirements. PsAlM is robot-agnostic and integrated with: Spectra [63] (a robot development environment), a planner [26], NuSMV [64] (a model checker), and Simbad [65] (a simulator for education and research). The pattern catalog and the PsAlM tool are available in an online appendix [66].

We evaluated the benefits obtained by the usage of our pattern support in rigorous and systematic mission design. We collected mission requirements in natural language: obtained from robotic development environments used by practitioners (i.e., Spectra [63] and LTLMoP [39, 42]), and five defined in collaboration with two well-known robotics companies developing commercial, human-size service robots (BOSCH and PAL Robotics). We show that most of the mission requirements were ambiguous, expressible using the proposed patterns, and that the usage of the patterns reduces ambiguities. We then evaluated the coverage of mission specifications. We collected LTL and CTL mission specifications, from robotic development environments used by practitioners (i.e., Spectra [63] and LTLMoP [39, 42]) and research publications (i.e., [67]) and show that almost all the specifications can be obtained using the proposed patterns ( over ). We also generated the specifications for the five mission requirements defined in collaboration with the two robotic companies and fed them into an existing planner. The produced plans were correctly executed by real robots, showing the benefits of the pattern support in real scenarios.

To ensure the correctness of the proposed patterns we manually inspected their template mission specifications. We additionally tested patterns correctness on a set of randomly generated models representing buildings where the robot is deployed. We considered ten mission requirements (each obtained by combining three patterns), converted the mission requirements into LTL mission specifications and used those to generate robots’ plans. We used the Simbad [65] simulator, to verify that the plans satisfied the intended mission requirement. We subsequently generated both LTL and CTL specifications from the considered mission requirements. We verified that the same results are obtained when they are checked on the randomly generated models, confirming the correspondence among the CTL and LTL specifications.

Ii Background

In this section, we present the terminology used in the remainder and introduce the temporal logics LTL and CTL we used for defining the patterns’ template solutions.

Recall that for communication and further refinement, the requirements of a software system are typically expressed in natural language or informal models. Refining these requirements into more formal representations avoids ambiguity, allowing automated processing and analysis. Such practices also emerged in the robotics engineering domain.

Mission Requirement: a description in a natural language or in a domain-specific language of the mission (also called “task”) the robots must perform [68, 43, 38, 20].
Mission Specification: a formulation of the mission in a logical language with a precise semantics  [21, 22, 23, 26, 27, 28].
Mission Specification Problem: the problem of generating a mission specification from a mission requirement.
Mission Specification Pattern: a mapping between a recurrent mission-specification problem to a template solution and a description of the usage intent, known uses, and relationships to other patterns.
Mission Specification Pattern Catalog: a collection of mission specification patterns organized in a hierarchy aiding at browsing and selecting patterns, in order to support decision making during mission specification.

We consider LTL (Linear Temporal Logic) [69] and CTL (Computation Tree Logic) [70], since they are commonly used to express mission specifications in the robotic domain and are utilized extensively by the community (e.g., [20, 21, 22, 23, 24, 25, 26, 27, 17, 28, 10]). A temporal logic specification can be used for several purposes, such as (i) for producing plans through the use of planners, (ii) for analysing the mission satisfaction though the use of model checkers, and (iii) to design a robotic application.

We now briefly recall the LTL and CTL syntax and semantics. Let be a set of atomic propositions, LTL’s syntax is the following:

(LTL)  where .

The semantics of LTL is defined over an infinite sequence of truth assignments to the propositions . The formula expresses that is true in the next position in a sequence, and the formula expresses the property that is true until holds.

CTL’s syntax is the following:

(CTL)  , where and .

CTL allows the specification of properties that predicate on a branching sequence of assignments. Specifically, when a position of a sequence has several successors, CTL enables the specification of a property that must hold for all or one of the paths that start from that position. For this reason, CTL includes two types of formulae: state formulae that must hold in one position of the sequence and path formulae that predicate on paths that start from a position. The operator (resp. ) asserts that must hold on all paths (resp. on one path) starting from the current position, while and are defined as for LTL.

Iii Methodology

We derived our pattern catalog in three main steps.

Collection of Mission Requirements. We collected mission requirements from scientific papers in the field of robotics. We additionally considered the software engineering literature, but noted a general absence of robotic mission specifications. We chose major venues based on consultation with domain experts and by considering their impact factor. Specifically, we analyzed mission specifications published in the four major [71] robotics venues over the last five years, in line with similar studies for pattern identification [49, 55, 54]. We analyzed all papers published within a venue with two inclusion criteria (considered in order): (i) the paper title implies some notion of robotic movement-related concept, (ii) the paper contains at least one formulation of a mission requirement involving a robot that concerns movement. When the paper contained more than one mission requirement, each was considered separately.

Robotics Venue

2017

2016

2015

2014

2013

Total

Intl. Conf. Robotics & Autom. 9(14) 16 (11) 17 (18) 27 (22) 16 (15) 85 (80)
Intl. J. of Robotics Research 4(8) 13 (12) 12 (11) 13 (8) 17 (12) 59  (51)
Trans. on Robotics 2(6) 12 (9) 5 (1) 8 (2) 4 (2) 31  (20)
Intl. Conf. on Int. Robots & Sys. 10(23) 55 (26) 13 (8) 20 (16) 33 (21) 131 (94)
Table I: Papers and (requirements) analyzed per venue and year

Robotic Missions Specification Patterns

Avoidance/Invariant

Conditional/Limited

Pastavoidance

Globalavoidance

Futureavoidance

Restricted

LowerRestrictedAvoidance

ExactRestrictedAvoidance

UpperRestrictedAvoidance

Trigger

Wait

Reaction

Instant.Reaction

DelayedReaction

FastReaction

Bind

BoundReaction

BoundDelay

Core Movement Patterns

Coverage

Visit

SequencedVisit

OrderedVisit

StrictOrderedVisit

FairVisit

Surveillance

Patrolling

SequencedPatrolling

OrderedPatrolling

StrictOrderedPatrolling

FairPatrolling
Figure 1: Mission specification pattern catalog. Filled nodes: patterns, non-filled nodes: categories.

Altogether we obtained 306 papers, through which, matching our inclusion criteria, we obtained 245 mission requirements. Table I shows the venues included in our analysis, together with the number of scientific publications and mission requirements obtained per year. The considered software engineering venues (ICSE, FSE, and ASE) are not present, since they did not contain any paper matching the inclusion criteria.

Identification of Mission Specification Problems. We identified these problems as follows.

(Step.1) We divided the collected mission requirements among two of the authors, who labeled them with keywords that describe the mission specification problems they describe. For example, the mission requirement “The robot has to autonomously patrol the site and measure the state of valve levers and dial gauges at four checkpoints in order to decide if some machines need to be shut down” (occuring in Schillinger et al. [72]) was associated with the keywords “patrol,” since the robot has to patrol the site, and “instantaneous reaction,” since when a valve is reached its level must be checked.

(Step.2) We created a graph structure representing semantic relations between keywords. Each keyword is associated with a node of the graph structure. Two nodes were connected if their keywords identify two similar mission specification problems. For example, the keywords “visit” and “reach” are related since in both cases the robot has to visit/reach a location.

(Step.3) Since our interest was not a mere classification of actions and movements that are executed by a robots, but rather detecting mission specification problems that concern how actions and movements are executed by a robot behavior over time, nodes that contain keywords that only refer to actions are removed (e.g., balance).

(Step.4) Nodes that were connected through edges and contained keywords that identify to the same mission specification problem, e.g., visit and reach, were merged.

(Step.5) We organized the mission specification problems into a catalog represented through a tree structure that facilitates browsing among mission specification problems.

The material produced in these steps can be found in our online appendix [66].

Pattern Formulation. We formulated patterns by following established practices in the literature [49, 54, 56]. A pattern is characterized by (i) a name; (ii) a statement that captures the pattern intent (i.e., the mission requirement); (iii) a template instance of the mission specification in LTL and CTL; (iv) variations describing possible minor changes that can be applied to the pattern; (v) examples of known uses; (vi) relationships of the pattern to others and; (vii) occurrences of the pattern in literature. For each LTL pattern we also designed a Büchi Automaton (BA) that unambiguously describes the behaviors of the system allowed by the mission specification. The mission specification was designed by consulting specifications encoding requirements already present in the papers surveyed, by crosschecking them, and consulting specification patterns already proposed in the software-engineering literature [56]. If the proposed specification was related (or corresponded) with one of an already existing pattern, we indicated this in the relationships of the pattern to others, meaning that the pattern presented in literature is useful also to solve the identified mission specification problem.

Iv Mission Specification Patterns

In this section, we present our catalog of mission specification patterns and briefly present one of them (Section IV-A). We also present PsAlM, a tool that supports developers in systematic mission design. PsAlM supports the description of mission requirements through the proposed patterns and the automatic generation of mission specifications (Section IV-B).

Description Example Formula ( are location propositions)
Visit Visit a set of locations in an unspecified order. Locations , , and must be visited. is an example trace that satisfies the mission requirement.

Sequenced Visit Visit a set of locations in sequence, one after the other. Locations , , must be covered following this sequence. The trace violates the mission since does not follow . The trace satisfies the mission requirement.

Ordered Visit Sequence visit does not forbid to visit a successor location before its predecessor, but only that after the predecessor is visited the successor is also visited. Ordered visit forbids a successor to be visited before its predecessor. Locations , , must covered following this order. The trace does not satisfy the mission requirement since preceeds . The trace satisfies the mission requirement.


Strict Ordered Visit Ordered visit pattern does not avoid a predecessor location to be visited multiple times before its successor. Strict ordered visit forbids this behavior. Locations , , must be covered following the strict order , , . The trace does not satisfy the mission requirement since occurs twice before . The trace satisfies the mission requirement.

Fair Visit The difference among the number of times locations within a set are visited is at most one. Locations , , must be covered in a fair way. The trace does not perform a fair visit since it visits three times while and are visited once. The trace performs a fair visit since it visits locations , , and twice.

Patrolling Keep visiting a set of locations, but not in a particular order. Locations , , must be surveilled. The trace ensures that the mission requirement is satisfied. The trace represents a violation, since is not surveilled.

Sequenced Patrolling Keep visiting a set of locations in sequence, one after the other. Locations , , must be patrolled in sequence. The trace satisfies the mission requirement since globally any will be followed by and by . The trace violates the mission requirement since after visiting , the robot does not visit .

Ordered Patrolling Sequence patrolling does not forbid to visit a successor location before its predecessor. Ordered patrolling ensures that (after a successor is visited) the successor is not visited (again) before its predecessor. Locations , , and must be patrolled following the order , , and . The trace violates the mission requirement since precedes . The trace satisfies the mission requirement

Strict Ordered Patrolling Ordered patrolling pattern does not avoid a predecessor location to be visited multiple times before its successor. Strict Ordered Patrolling ensures that, after a predecessor is visited, it is not visited again before its successor. Locations , , must be patrolled following the strict order , , and . The trace violates the mission requirement since is visited twice before . The trace satisfies the mission requirement.

Fair Patrolling Keep visiting a set of locations and ensure that the difference among the number of times locations within a set are visited is at most one. Locations , , and must be fair patrolled. The trace violates the mission requirements since the robot patrols more than and . The trace satisfies the mission requirement since locations , , and are patrolled fairly.

Table II: Core movement patterns
Description Example Formula

Past

avoidance

A condition has been fulfilled in the past. If the robot enters location , then it should have not visited location before. The trace satisfies the mission requirement since location is not entered before location .

, where and

Global

avoidance

An avoidance condition globally holds throughout the mission. The robot should avoid entering location . Trace , satisfies the mission requirement since the robot never enters .

, where

Future

avoidance

After the occurrence of an event, avoidance has to be fulfilled. If the robot enters , then it should avoid entering in the future. The trace does not satisfy the mission requirement since is entered after .

, where and

Upper Rest.

Avoidance

A restriction on the maximum number of occurrences is desired. A robot has to visit at most times. The trace violates the mission requirement since is visited four times. The trace satisfies the mission requirement.

, where

Lower Rest.

Avoidance

A restriction on the minimum number of occurrences is desired. A robot to enter location at least times. The trace violates the mission requirement since location is never entered. The trace satisfies the mission requirement.

, where

Exact Rest.

Avoidance

The number of occurrences desired is an exact number. A robot must enter location exactly times. The trace violates the mission requirement. The trace satisfies the mission requirement since location is entered exactly times.

, where

Inst.

Reaction

The occurrence of a stimulus instantaneously triggers a counteraction. When location is reached action must be executed. The trace satisfies the mission requirement since when location is entered condition is performed. The trace does not satisfy the mission requirement since when is reached is not executed. , where and

Delayed

Reaction

The occurrence of a stimulus triggers a counteraction some time later When occurs the robot must start moving toward location , and is subsequently finally reached. The trace satisfies the mission requirement, since after occurs the robot starts moving toward location , and location is finally reached. The trace does not satisfy the mission requirement since occurs when the robot is in , and is not finally reached.

, where and

Prompt

Reaction

The occurrence of a stimulus triggers a counteraction promptly, i.e. in the next time instant. If occurs is reached in the next time instant. The trace satisfies the mission requirement, since after occurs is reached within the next time instant. The trace does not satisfy the mission requirement.

, where and

Bound

Reaction

A counteraction must be performed every time and only when a specific location is entered. Action is bound though a delay to location . The trace satisfies the mission requirement. The trace does not satisfy the mission requirement since is executed in location .

, where and

Bound

Delay

A counteraction must be performed, in the next time instant, every time and only when a specific location is entered Action is bound to location . The trace satisfies the mission requirement. The trace does not satisfy the mission requirement.

, where and

Wait

Inaction is desired till a stimulus occurs. The robot remains in location until condition is satisfied. The trace violates the mission requirement since the robot left before condition is satisfied. The trace satisfies the mission requirement. , where and
Table III: Avoidance and Trigger patterns.

Iv-a Mission Specification Pattern Catalog

Our catalog of robotic mission specification patterns comprises patterns organized into a pattern tree as illustrated in Fig. 1. Leaves of the tree represent mission specification patterns. Intermediate nodes facilitate browsing within the hierarchy and aid pattern selection and decision making. Patterns identified by following the procedure described in Sec. III are graphically indicated with a solid border.

Due to space limits, we provide a high-level description of all patterns identified, examples of application, and the corresponding LTL mission specifications. The interested reader may refer to our online appendix [66], which contains additional examples, occurrences of patterns in the literature, relations among the patterns and additional CTL mission specifications.

Name: Strict Ordered Patrolling

Intent: A robot must patrol a set of locations following a strict sequence ordering. Such locations can be, e.g., areas in a building to be surveyed.
Template: The following formula encodes the mission in LTL for locations and a robot (% is the modulo arithmetic operator):

Example with two locations.

where and are expressions that indicate that a robot is in locations and , respectively.
Variations: A developer may want to allow traces in which sequences of consecutive () are allowed, that is strict ordering is applied on sequences of non consecutive (). In this case, traces in the form are admitted, while traces in the form are not admitted. This variation can be encoded using the following specification:

This specification allows for sequences of consecutive () since the left side of the implication () is only triggered when () is exited.
Examples and Known Uses: A common usage example of the Strict Ordered Patrolling pattern is a scenario where a robot is performing surveillance in a building during night hours. Strict Sequence Patrolling and Avoidance often go together. Avoidance patterns are used to force robots to avoid obstacles as they guard a location. Triggers can also be used in combination with the Strict Sequence Patrolling pattern to specify conditions upon which Patrolling should start or stop.
Relationships: The Strict Ordered Patrolling pattern is a specialisation of the Ordered Patrolling pattern, forcing the strict ordering.
Occurrences: Smith et. al. [73] proposed a mission specification forcing a robot to not visit a location twice in a row before a target location is reached.

Figure 2: The Strict Ordered Patrolling pattern

Preliminaries. To aid comprehension of behavior and facilitate precise pattern definitions, we introduce the following notation. Given a finite set of locations and robots , is a set of location propositions, each indicating that a robot is in a specific location of the environment. Given a finite set of conditions of the environment , we indicate as a set of propositions such that is true if and only if condition holds. Given a finite set of actions that the robots can perform , we indicate as a set of propositions such that is true if and only if action is performed by robot . We define the set of propositions of a robotic application as . A trace is an infinite sequence where indicate a trace in which holds after , and holds after . For example, is a trace where the element in position of the trace indicates that the robot is in location , then the element in position indicates that the robot is in location and condition holds (indicating, for example, that an obstacle is detected), and then the element in position indicates that condition holds and robot is executing action . In the following, with a slight abuse of notation, when a set is a singleton we will omit brackets. We use the notation , where , to indicate a sequence that occurs infinitely. We use the notation to indicate any location, e.g., indicates that a robot visits location , afterwards any location, and then location . We use the notation , where , to indicate any possible location not in , e.g., indicates that visits , then any location except is visited, and finally .

Patterns. Patterns are organized in three main groups – core movement (Table II), triggers (Table III), and avoidance (Table III), explained in the following. For simplicity, in Tables II and III, we assume that a single robot is considered during the mission specification and we use the notation as shortcut for . The examples assume that the environment is made by four locations, namely , , , and .

Core movement patterns. How robots should move within an environment can be divided in two major categories representing locations’ coverage and locations’ surveillance. Coverage patterns require a robot to reach a set of locations of the environment. Surveillance patterns require a robot to keep reaching a set of locations of the environment.

Avoidance patterns. Robot movements may be constrained in order to avoid occurrence of some behavior (Table III). Avoidance may reflect a condition or be a bound to the occurrence of some event. Conditional avoidance generally holds globally (i.e., for the entire behavior) and applies when avoidance of locations or obstacles is sought that depends on some condition. For example, a cleaning robot may avoid visiting locations that have been already cleaned. In the restricted avoidance case, avoidance does not hold globally but accounts for a number of occurrences of an avoidance case. Depending on the number of occurrences being a maximum, minimum or exact number, upper, exact or lower restricted avoidance is yielded. For example, a cleaning robot may avoid cleaning a room more than three times.

Trigger patterns. Robot’s reactive behaviour based on stimuli, or robot’s inaction until a stimulus occurs are expressed as trigger patterns in Table III.

As an example, the definition of the Strict Ordered Patrolling mission specification pattern is presented in Fig. 2. The patterns in detail are available in our online appendix [66].

Iv-B Specification Pattern Tool Support

We used the proposed pattern catalog to express robotic missions requirements and to automatically generate their mission specifications. To support developers in mission design we implemented the tool PsAlM [62], which allows creating complex mission requirements by composing patterns with simple operators. PsAlM transforms mission requirements (i.e., composed patterns) into mission specifications in LTL or CTL. Figure 3 illustrates the components of PsAlM.

Figure 3: Main components of the PsAlM tool

PsAlM provides a GUI

1
that allows the definition of robotic missions requirements through a structured English grammar, which uses patterns as basic building blocks and AND and OR logic operators to compose these patterns. The structured English grammar and the PsAlM tool are provided in our online appendix [66]. The SE2PT component extracts from a mission requirement the set of patterns that are composed through the AND and OR operators

2
. The PT2LTL

3
and PT2CTL

4
components automatically generate LTL and CTL specifications from these patterns.

The produced LTL specifications can be used in different ways – three possible usages are presented in Fig. 3. The LTL formulae are (i) fed into an existing planner and used to generate plans that satisfy the mission specification

5
; (ii) converted into Deterministic Büchi automata used as input to the widely used Spectra [63] robotic application modeling tool

6
; and (iii) converted into the NuSMV [64] input language to be used as input for model checking

7
. The plans produced using the planner are (i) used as inputs by the Simbad [65] simulation package

10
, which is an autonomous robot simulation package for education and research; and (ii) performed by actual real robots

9
, as also illustrated in the following section. Produced CTL specifications are also converted into the NuSMV [64] input language to be used as input for model checking

7
.

V Evaluation

Our evaluation addressed the following two questions. RQ1: How effective is the pattern catalog in capturing mission requirements and producing mission specifications? RQ2: Are the proposed mission specifications correct?

SC Description Patterns
SC1 A robot is deployed within a supermarket and reports about the absence of sold items within a set of locations (i.e. , , , and ). Furthermore, if in location (where water supplies are present) a human is detected, it has to perform a collaborative grasping action and help the human in placing new water supplies. Ordered Patrolling,
Instantaneous Reaction
SC2 Three robots are deployed within an hospital environment: a mobile platform (Summit [74]), a manipulator (PA10 [75]) and a mobile manipulator (Tiago [76]), identified in the following as MP, M and MM, respectively. The robot M is deployed in hospital storage; when items (e.g., towels) are needed by a nurse or doctors, M has to load them on the MP. MP should reach the location where the nurse is located. If the item is heavy (e.g., heavy medical equipment), MM should reach the location where the nurse is to help unloading the equipment. When MP and MM are not required for shipping items they are patrolling a set of locations to avoid unauthorized people entering restricted areas of the hospital (e.g., radiotherapy rooms). Patrolling,
Instantaneous Reaction,
Ordered Visit,
Wait
SC3 A robot is developed within a university building to deliver coffee to employees. The robot reaches the coffee machine, uses the coffee machine to prepare the coffee and delivers it to the employee. Strict Ordered Visit,
Instantaneous Reaction
SC4 A robot is deployed within a shop to check the presence of intruders during night time. It has to iteratively check for intruders and report on their presence Patrolling,
Instantaneous Reaction
SC5 A robot is deployed within a company to notify employees in presence of a fire alarm. If a fire is detected, the robot is send to different areas of the company to ask employees to leave the building. Visit,
Instantaneous Reaction
Table IV: Mission specification patterns for Exp1. Labels SC1, SC2, …SC5 identify the considered scenarios.

Coverage of Real-World Missions (RQ1). We investigated (i) how the pattern catalog supports the specification of mission requirements and (ii) how the pattern catalog reduces ambiguities in mission requirements.

Exp1. We checked how the pattern catalog supports the formulation of mission requirements (and the generation of mission specifications) in real-world robotic scenarios. To this end, we defined five scenarios (Table IV) in collaboration with our industrial partners (BOSCH and PAL Robotics).

Spectra Robotic Application
1 2 3 4 5 6 7 8 9 10 11 MP Total
MR 29 2 22 5 1 159 4 32 47 53 74 8 436
NE 3 0 0 0 0 47 0 0 7 1 8 0 66
A 3 0 2 1 0 35 0 10 12 32 7 0 102
C 13 0 11 2 1 29 4 8 11 8 20 5 112
NC 10 2 9 2 0 48 0 14 17 12 39 3 156
Table V: Results of experiment Exp2. Lines contain the total number of mission requirements (MR), the number of not expressible (NE) and ambiguous (A) mission requirements and the number of cases that lead to a consensus (C) and no consensus (NC).

The pattern catalog supported the creation of mission requirements using the patterns listed in Table IV for the different scenarios. In all the scenarios, PsAlM allowed the automatic creation of LTL mission specifications from the mission requirements without any human intervention. The mission specifications were then executed by the robots by relying on existing planners (see Fig. 3). Videos of the robots performing the described missions are available in our dedicated website [66]. The pattern catalog effectively supports the creation of mission requirements and specifications in realistic, industry-sourced scenarios.

Exp2. We collected mission requirements in natural language from available requirements produced from Spectra [63] and LTLMoP [39, 42]. Spectra is a tool that supports the design of the robotic applications. LTLMoP is a software package designed to assist in the development, implementation, and testing of high-level robot controllers. We checked how the pattern catalog may have supported developers in the definition of the mission requirements.

In the case of Spectra, we used the Spectra files to extract mission requirements for robotic systems. In total, 11 robotic applications were considered. Note that mission requirements are realistic since they were finally executed with real robots [77]. We automatically extracted  mission requirements from the Spectra file. The number of mission requirements (MR) per robotic application is reported in Table V. In the case of LTLMoP, requirements were extracted from the corresponding research papers [39, 42] (Table V MP column).

Pattern Occ Pattern Occ Pattern Occ Pattern Occ Pattern Occ
Visit 25 SeqVisit 1 OrdVisit 1 InstReact 127 GlobAvoid 25
PastAvoid 60 DelReact 50 Wait 3 FutAvoid 48 SeqVisit 1
StrictOrdPat 1 OrdVisit 1 ExactRest 1
Table VI: Results of experiment Exp2. Number of occurrences of each pattern in the considered mission requirements.

Each mission requirement was independently analyzed by two of the authors. The authors checked whether it is possible to express the mission requirement using the mission specification patterns. If one the authors stated that the requirement is not expressible the requirement is marked as not expressible (NE). The number of not expressible mission requirements is presented in Table VI under the column with header NE. If at least one of the authors found the mission requirement is ambiguous she marked it with the flag . Otherwise, the mission requirement is labeled with the mission specification patterns needed to express the mission requirement. Then, the mission specification patterns used to express the mission requirement are considered. If the authors used the same mission specification patterns to express the mission requirement, a consensus is reached. The number of mission requirements that leads to consensus (resp. no consensus) is indicated in the row labeled C (resp. NC). The number of occurrences of each pattern is indicated in Table VI.

The results show that most of the mission requirements ( over ) were expressible using the pattern catalog, which is a reasonable coverage for pattern catalog usage. The mission requirements that are not covered suggested the introduction of new patterns identified in Fig. 1 with a dashed border. It also shows that the pattern catalog is effective in real case scenarios. In cases the mission requirements were ambiguous, meaning that different interpretations can be given to the proposed mission requirement. In these cases, alternative combinations of patterns have been proposed by the authors to express the mission requirement. Each of these alternatives represents a possible way of expressing it in a non-ambiguous manner. In cases, while the authors judged that the requirement was not ambiguous, different pattern combinations were proposed. The combinations of patterns encode possible ways of expressing the mission requirement in a non-ambiguous manner.

Exp3. We analyzed the mission specifications contained in the Spectra examples collected in Exp2. We collected  distinct LTL mission specifications and we analyzed each of these specifications111This number differs from the one of Exp2, since some specifications were not related with a mission requirement in the form of natural language.. We verified whether it is possible to obtain the mission specifications starting from the proposed patterns, by performing the following steps.

(Step.1) For each property we automatically checked whether it was an instance of a mission specification pattern or a simple combination of mission specification patterns. Results are shown in Table VII. Among  mission specifications  were obtainable from the proposed patterns.

(Step.2) We considered the properties that did not match any of the proposed patterns. of these properties are simple statements on the initial state of the system (no temporal operator is used), and thus did not match any of the proposed patterns. formulae concern properties that refer to variation of the trigger patterns that we have added to the pattern catalogue. formulae still did not match any of the proposed patterns. After analysis, among them were expressed using past temporal operators, which are not used in the mission specifications proposed in this work. In step 3 we checked whether these specifications might be reformulated without the past operators. of these properties, while they can be rewritten using the proposed patterns, they are written as complex LTL formulae and thus they do not match any of our patterns or combination of them.

(Step.3) We considered the properties expressed using past temporal operators and we designed mission specifications for them. We found that of the proposed LTL formulae match one of the proposed pattern, while are complex LTL formulae that did not match any of the patterns. Thus, the final coverage of the proposed pattern catalog is .

We then analyzed mission specifications expressed in the form of LTL properties considered in [67] and PCTL properties considered in [67], transformed in CTL by replacing the probabilistic operator () with the universal quantifier (). Given the small number of mission specifications we manually checked the presence of patterns in the formulae (Step 1 in Table VII). The results show that the pattern system was able to generate almost all mission specifications ( over ).

LTL CTL
Pattern Spectra [67] [67]
Step 1 Instantaneous reaction 318 0 0
Visit 52 0 0
Patrolling 0 1 0
Strict Ordered Visit 0 9 18
Wait 0 1 2
Avoidance/Invariant 21 0 0
Visit and Instantaneous reaction 18 0 0
Strict Ordered Visit and Global Avoidance 0 0 1
Reaction chain (chain of instantaneous reactions) 15 0 0
Non matching 792 1 1
Step 2 Init 127 - -
Fast reaction 379 - -
Binded reaction 36 - -
Binded delay 27 - -
Non matching for past 155 - -
Actual non matching 69 - -
Step 3 Fast reaction 103 - -
Binded delay 26 - -
Actual non matching 26 - -
Table VII: Results of experiment Exp3. Pattern occurrence in the considered mission specifications.
Exp4 Exp5 Exp6
Mission Requirement
OrdPatrol,UpperRestAvoid,Wait 2 10 1 11 1 11
FairVisit,ExactRestAvoid,DelReact 5 7 0 12 4 8
StrOrdVisit,GlobalAvoid,InstReact 3 9 1 11 1 11
SeqVisit,FutAvoid,BindDel 1 11 0 12 2 10
OrdVisit,PastAvoid,InstReact 3 9 1 11 1 11
Visit,LowRestAvoid,BindReact 3 9 1 11 1 11
StrictOrdPatrol,FutAvoid,Wait 1 11 1 11 1 11
Patrol,LowRestAvoid,InstReact 3 9 1 11 1 11
FairPatrol,ExactRestAvoid,DelReact 3 9 0 12 4 8
SeqPatrol,UpperRestAvoid,FastReact 1 11 0 12 2 10
Table VIII: Results of experiments Exp4, Exp5 and Exp6. For Exp4 columns contain the number of times a plan is found () and not found (). For Exp5 and Exp6 columns contain the number of times the mission requirement is satisfied () and violated ().

Summary. The pattern catalog is effective in supporting developers in defining mission requirements and in generating mission specifications. Exp1 and Exp2 show that the pattern catalog effectively supports the definition of mission requirements. and that helps in reducing ambiguities in available mission requirements. Exp1 and Exp3 show that the pattern catalog effectively supports the generation of mission specifications. Exp1 shows how the pattern catalog can be used to generate precise, unambiguous, and formal mission specifications in industry sourced scenarios.

Correctness of the Patterns (RQ2). To verify the mission specifications (LTL and CTL formulas) we manually reviewed them and performed a random testing to confirm that the specifications do not permit undesired system behaviors that were not detected during the manual check.

Manual check. We manually inspected instances of the patterns obtained by fixing the number of locations to be visited, conditions to be considered etc. For LTL formulae we used SPOT [78] to generate Büchi automata (BA) encoding the traces of the system allowed and forbidden by the specification. We manually inspected the BA of all the proposed patterns.

Random testing. We performed some testing by exploiting a set of randomly generated models: a widespread technique to evaluate artifacts in the software engineering community [79, 80, 81, 82, 83, 84, 85], also used in the robotic community [20, 86, 87, 88, 89]. We generated scenarios representing the structure of buildings containing locations, where a robot is deployed. The building has been generated by allocating traversable locations and locations that cannot be crossed, on a matrix. Identifiers are randomly assigned to the traversable locations. In of the scenarios the robot can move among adjacent cells that are traversable, while it cannot move within not crossable locations. In the other scenarios the robot can cross the adjacent cells by respecting the following rules: (i) it can move from a traversable cell with coordinate to a traversable cell with coordinate and ; (ii) it can move from a traversable cell with coordinate to another with coordinate , where (resp. ) is the maximum (resp. minimum) row index of a cell that corresponds to a traversable location and (resp. ) is the maximum (resp. minimum) column index of the traversalble locations at row (resp. ). Conditions and actions are treated by considering whether a box is present in a location ( in the following), and the capability of the robot in changing its color ( in the following). We randomly select traversable locations in which is true and locations in which can be performed.

For each scenario we considered different mission requirements; each obtained by randomly combining a core movement, a trigger and an avoidance pattern, and by ensuring that each pattern is used in at least one mission requirement. In total we generated mission requirements (Table VIII). Core movement patterns are parametrized with locations . The upper, exact and lower restricted avoidance patterns are parametrized by forcing the robot to visit location , at most, exactly, and at least times, respectively. The global avoidance pattern forces the robot to not visit , while the future and past avoidance force the robot to not visit after and before condition is satisfied, i.e., a room that contains a box is visited. The wait pattern forces the robot to wait in location if a box is not present. The other trigger patterns are parametrized with the action that must be executed by the robot in relation with the occurrence of condition . We subsequently performed the following experiments.

Exp4. We generated the LTL specifications of the considered mission requirements. We (i) negated the LTL specification; (ii) encoded the specification and the model of the scenario in NuSMV [64]; (iii) used NuSMV to check whether the models contained a path that satisfied the mission specification (violates its negation). If a plan was present we used Simbad [65] to simulate the robot executing the plan. We verified whether the results were correct: when we expected a plan to not be present in the given model, NuSMV was not able to compute it, and, when a plan was expected to be present it was computed by NuSMV. We also checked the correctness of the generated plans using the Simbad simulator. Results confirm the correctness of the LTL mission specifications. The column labeled with the (resp. ) symbol of Table VIII contains the number of cases in which a plan was (resp. was not) present.

Exp5. We generated LTL and CTL specifications for the considered mission requirements. We (i) encoded the LTL and CTL specifications and the model of the scenario in NuSMV [64]; (iii) we used NuSMV to check whether the verification of the specifications returned the same results. Table VIII contains the number of cases in which the mission requirement was satisfied () and not satisfied (). Mission requirements were generally not satisfied, since for being satisfied they have to hold on all the paths of the models. NuSMV always returned the same results for LTL and CTL specifications confirming the correctness of CTL specifications.

Exp6. We investigated why in several cases the mission requirement was always not satisfied. In these cases we relaxed the mission requirements, by removing the patterns marked with the symbol in Table VIII. We executed the same steps of Exp4. Table VIII confirmed that by relaxing the mission requirements there were cases in which the mission requirement was actually satisfied. This is a further confirmation that the mission specifications are correct.

Vi Discussion and Related Work

We discuss the proposed patterns and present related work.

Methodology. The number of mission requirements analyzed is in line with other approaches in the field [49, 54, 55, 56, 57]. These requirements usually come from exemplar scenarios used to provide evaluation about effectiveness of research-intensive works. As such, we believe that the scope of the pattern system is quite wide. Our study is certainly not exhaustive, as (i) formal specification in robotic application spreads, and (ii) the types of mission specifications change over time. As shown in the evaluation, patterns will grow over time as specifications that do not belong to the catalog are provided.

Patterns. While the presented patterns are mainly conceived to address needs of robotic mission specification, they are more generic and can be applied when the need is to specify some “ordering” among events or action execution. Rather than predicate on robots reaching a set of actions, coverage and surveillance patterns may also include propositions that refer to generic events. In this sense, the proposed patterns can be considered as an extension of the property specification patterns [90, 49] that explicitly address different ordering among the occurrence of a set of events. While in this paper we proposed a direct encoding in LTL and CTL, they may also be expressed in terms of standard property specification patterns. The instantaneous reaction pattern may be obtained from the response pattern scoped with the global operator. The precedence chain and the response chains [90, 49] (that illustrate the 2 cause-1 effect and 1 cause-2 effects chain), can be composed with the precedence and response patterns to specify different ordering among a set of events.

Evaluation. The Spectra tool only supports specifications captured by the GR(1) LTL fragment used to describe three types of guarantees: initial, safety, and liveness. Initial guarantees constraint the initial states of the environment. Safety guarantees start with the temporal operator and constraints the current and next state. Liveness guarantees start with the temporal operators and may not include the operator. These constraints justify the prevalence of patterns presented in Tables VIVII, and VIII. While the proposed patterns can be expressed using deterministic Büchi automata (DBA), which can be translated in GR(1) formulae [28], a manual encoding of the proposed patterns in GR(1) is complex and error prone. This is confirmed by the fact that analysis on the standard property specification patterns that can be expressed in GR(1), and an automatic procedure to map these patterns on formulae that are in the GR(1) fragment has been recently conducted [28]. All of the patterns proposed in this work are expressible using GR(1) formulae, and the automatic procedure presented in [28] can be integrated in PsAlM to generate Spectra formulae.

Related work. Temporal logic specification patterns are a well-known solution to support developers in requirement specification [49, 55, 54, 56, 91, 92, 93]. Property specification patterns use in specific domains have been investigated in literature, including service-based applications [57], safety [94] and security [95]. However, at the best of our knowledge, no work has considered mission patterns for robotic applications.

Domain Specific Languages (DSLs) [96, 97, 18, 33, 98] have been proposed for various purposed including production and analysis of behaviour descriptions, property verification and planning. However, features incorporated within DSLs are usually arbitrarily chosen by relying on the domain-specific experience of robotic engineers. Instead, specification patterns presented in this paper are collected from missions encountered in scientific literature, evaluated in industrial uses, and aim at supporting a wide range of robotic needs. We believe that the presented patterns consist of basic building blocks that can be reused within existing and new robotic DSLs. Moreover, support for developers on solving the mission specification problem is also provided in literature by graphical tools that simplify the specification of LTL formulae [35, 36, 37]. Our work is complementary with those; graphical logic mission specifications can also be integrated within PsAlM.

Vii Conclusion

We proposed a pattern catalog for mission specification of mobile robots. We identified patterns by analyzing mission requirements that have been systematically collected from scientific publications. We presented PsAlM, a tool that uses the proposed patterns to support developers in designing complex missions. We evaluated (ii) the support provided by the catalog in the definition of real-world missions; (ii) the correctness of the mission specifications contained in our pattern catalog.

Future extensions of our mission specification pattern catalog will consider also time, space, and probability. We will also investigate the use of spatial logics 

[99, 100, 101, 102, 103] to express more complex spatial robotic behaviours and perform user studies.

References

  • [1] IFR, “World Robotic Survey,” https://ifr.org/ifr-press-releases/news/world-robotics-survey-service-robots-are-conquering-the-world-, 2016.
  • [2] D. Brugali, Software engineering for experimental robotics.   Springer, 2007, vol. 30.
  • [3] E. A. Lee, “Cyber physical systems: Design challenges,” in Symposium on Object Oriented Real-Time Distributed Computing (ISORC).   IEEE, 2008, pp. 363–369.
  • [4] J. Pérez, N. Ali, J. A. Carsı, I. Ramos, B. Álvarez, P. Sanchez, and J. A. Pastor, “Integrating aspects in software architectures: Prisma applied to robotic tele-operated systems,” Information and Software Technology, vol. 50, no. 9-10, pp. 969–990, 2008.
  • [5] N. Gamez and L. Fuentes, “Architectural evolution of famiware using cardinality-based feature models,” Information and Software Technology, vol. 55, no. 3, pp. 563–580, 2013.
  • [6] D. Brugali and E. Prassler, “Software engineering for robotics,” IEEE Robotics Automation Magazine, vol. 16, no. 1, pp. 9–15, March 2009.
  • [7] S. Götz, C. Piechnick, and A. Wortmann, “Report on the 4th international workshop on model-driven robot software engineering (MORSE),” ACM SIGSOFT Software Engineering Notes, 2018.
  • [8] M. Luckcuck, M. Farrell, L. Dennis, C. Dixon, and M. Fisher, “Formal specification and verification of autonomous robotic systems: A survey,” arXiv preprint arXiv:1807.00048, 2018.
  • [9] S. Maoz and J. O. Ringert, “On the software engineering challenges of applying reactive synthesis to robotics,” in Workshop on Robotics Software Engineering, ser. RoSE ’18.   ACM, 2018.
  • [10] S. Maoz and J. O. Ringert, “On well-separation of GR(1) specifications,” in Foundations of Software Engineering (FSE).   ACM, 2016.
  • [11] C. Lignos, V. Raman, C. Finucane, M. Marcus, and H. Kress-Gazit, “Provably correct reactive control from natural language,” Autonomous Robots, vol. 38, no. 1, pp. 89–105, 2015.
  • [12] http://www.lego.com/eng/education/mindstorms/default.asp, “Lego.com educational division, mindstorms for schools.” 2018.
  • [13] Softbankrobotics. Choregraph. http://doc.aldebaran.com/1-14/dev/tools/robot-simulation.html. Accessed: 2018-06-20.
  • [14] A. Nordmann, N. Hochgeschwender, and S. Wrede, “A survey on domain-specific languages in robotics,” in Simulation, Modeling, and Programming for Autonomous Robots.   Springer, 2014.
  • [15] R. Arkin, “Missionlab v7. 0,” 2006.
  • [16] T. Balch, “Teambots,” 2004. [Online]. Available: www.teambots.org
  • [17] S. Maoz and Y. Sa’ar, “Aspectltl: an aspect language for ltl specifications,” in International conference on Aspect-oriented software development.   ACM, 2011.
  • [18] D. D. Ruscio, I. Malavolta, P. Pelliccione, and M. Tivoli, “Automatic generation of detailed flight plans from high-level mission descriptions,” in Model Driven Engineering Languages and Systems, ser. MODELS.   ACM, 2016.
  • [19] M. Broy, “Declarative specification and declarative programming,” in Software Specification and Design.   IEEE, 1991.
  • [20] C. Menghi, S. Garcia, P. Pelliccione, and J. Tumova, “Multi-robot LTL planning under uncertainty,” in International Symposium on Formal Methods (FM).   Springer, 2018.
  • [21] A. Ulusoy, S. L. Smith, X. C. Ding, C. Belta, and D. Rus, “Optimal multi-robot path planning with temporal logic constraints,” in International Conference on Intelligent Robots and Systems (IROS).   IEEE, 2011.
  • [22] G. E. Fainekos, A. Girard, H. Kress-Gazit, and G. J. Pappas, “Temporal logic motion planning for dynamic robots,” Automatica, vol. 45, no. 2, pp. 343–352, 2009.
  • [23] M. Guo, K. H. Johansson, and D. V. Dimarogonas, “Revising motion planning under linear temporal logic specifications in partially known workspaces,” in International Conference on Robotics and Automation (ICRA).   IEEE, 2013.
  • [24] E. M. Wolff, U. Topcu, and R. M. Murray, “Automaton-guided controller synthesis for nonlinear systems with temporal logic,” in International Conference on Intelligent Robots and Systems (IROS).   IEEE, 2013.
  • [25] H. Kress-Gazit, “Robot challenges: Toward development of verication and synthesis techniques [errata],” I