Reactive mission and motion planning with deadlock resolution avoiding dynamic obstacles
Abstract
In the near future mobile robots, such as personal robots or mobile manipulators, will share the workspace with other robots and humans. We present a method for mission and motion planning that applies to small teams of robots performing a task in an environment with moving obstacles, such as humans. Given a mission specification written in linear temporal logic, such as patrolling a set of rooms, we synthesize an automaton from which the robots can extract valid strategies. This centralized automaton is executed by the robots in the team at runtime, and in conjunction with a distributed motion planner that guarantees avoidance of moving obstacles. Our contribution is a correctbyconstruction synthesis approach to multirobot mission planning that guarantees collision avoidance with respect to moving obstacles, guarantees satisfaction of the mission specification and resolves encountered deadlocks, where a moving obstacle blocks the robot temporally. Our method provides conditions under which deadlock will be avoided by identifying environment behaviors that, when encountered at runtime, may prevent the robot team from achieving its goals. In particular, (1) it identifies deadlock conditions; (2) it is able to check whether they can be resolved; and (3) the robots implement the deadlock resolution policy locally in a distributed manner. The approach is capable of synthesizing and executing plans even with a high density of dynamic obstacles. In contrast to many existing approaches to mission and motion planning, it is scalable with the number of moving obstacles. We demonstrate the approach in physical experiments with walking humanoids moving in 2D environments and in simulation with aerial vehicles (quadrotors) navigating in 2D and 3D environments.
Keywords
Multirobot systems Formal methods Mission specification Motion planning Deadlock resolution Dynamic environments1 Introduction
Planning for multiagent systems has been explored extensively in the past. Many have focused on approaches for local motion planning (van den Berg et al. 2009; AlonsoMora et al. 2010) that offer collision avoidance in cluttered, dynamic environments. While these approaches are effective for pointtopoint navigation, the planning is myopic and could fail when applied to complex tasks in complex workspaces. On the other hand, it has been demonstrated that correctbyconstruction synthesis from linear temporal logic (LTL) specifications has utility for composing basic (atomic) actions to guarantee the task in response to sensor events (KressGazit et al. 2009; Ehlers et al. 2015; Liu et al. 2013; Wongpiromsarn et al. 2012). Such approaches are naturally conducive to mission specifications written in structured English (KressGazit et al. 2008), which are translatable into LTL formulas over variables representing the atomic actions and sensor events associated with the task.
In the surveillancecleaning scenario of Fig. 1, the motion (moving between rooms), atomic actions (e.g., “remove garbage”, “identify a subject”), and binary sensors (e.g. “intruder sensing”, “garbage sensing”) are assumed to be perfect: they are treated as black boxes that always return the correct result and hence admit a discrete abstraction that is appropriate for the task and workspace. A major challenge underpinning this approach is in creating atomic elements holding guarantees for correct execution of the discrete abstraction. To guarantee motion fulfillment, researchers have explored combining LTLbased planners with grid planners (Bhatia et al. 2010), samplingbased planners (Karaman and Frazzoli 2009), or planners for multiple robots predicated on motion primitives (Saha et al. 2016). Such approaches are able to guarantee motion in cluttered environments but do not readily extend these guarantees to cases where the environment is dynamic in nature. Solutions have been sought that, in a computationally expensive manner, partition the workspace finely (Livingston et al. 2013; Wongpiromsarn et al. 2012) or recompute the motion plan (Bhatia et al. 2010), or else apply conservative constraints forbidding the robot to occupy the same region as an adversarial agent (KressGazit et al. 2008).
1.1 Approach
In the approach introduced in this paper, we alleviate such difficulties by considering an integration of a highlevel mission planner with a local planner that guarantees collisionfree motion in three dimensional workspaces when faced with both static and dynamic obstacles, under the assumption that the dynamic obstacles are not intentionally adversarial. In this context, “intentionally adversarial” means that the dynamic obstacles may behave in a way that may temporarily prevent the robot from achieving a goal, but cannot move in a way that actively always prevents the robot from achieving its goals, for instance by blocking the robot forever. Our integration involves two components: an offline algorithm for plan synthesis adopting the benefit of an LTL formalism, and an online local planning algorithm for executing the plan. Our approach is centralized for the robots in the team, which execute the highlevel specification, and decentralized with respect to moving obstacles, i.e. we do not control the moving obstacles yet perform decentralized avoidance and deadlock resolution strategies. While the robots are able to measure the position and velocity of moving obstacles, they only need to do so within a local range of the robot—the key assumption in this paper is that the robots are not required to have global knowledge of their environment.
The basis of the offline synthesis is a novel discrete abstraction of the problem that applies simple rules to resolve physical deadlocks, between two or more robots in a team or between a robot and a dynamic obstacle. This abstraction is composed with a specification of a multiagent task to synthesize a strategy automaton encoding the mission plan. In contrast to approaches that would require onthefly replanning upon encountering a physical deadlock (Bhatia et al. 2010; Maly et al. 2013; Karaman and Frazzoli 2009), the approach we propose automatically generates alternative plans within the synthesized automaton. As with any reactive task, there may exist no mission plan that guarantees the task, due to the conservative requirement that a mission plan must execute under all possible environment behaviors. To address this conservatism, our approach automatically identifies for which environment behaviors the mission is guaranteed to hold. These additional assumptions are transformed succinctly into a certificate of task infeasibility that is explained to the user.
The online execution component is based on a local planner that can optimally avoid dynamic obstacles in two or threedimensions, executed as a service called during execution of the strategy automaton. Given a dynamic model of the robots and a coarse description of the moving agents (e.g. their maximum velocities) our local planner computes a plan that guarantees collisionfree motion between the robot and static and dynamic obstacles. The collisionavoidance feature obviates the need for collision avoidance to be taken care of by the discrete abstraction. It furthermore allows our local planner to preserve the behaviors of the strategy automaton, by preventing a robot from entering unintended regions as it carries out its task. To the authors’ knowledge, this is the first endtoend system that has been devised to guarantee multiagent missionlevel tasks in dynamic environments using optimizationbased local planners.

Our approach establishes proof for task success without requiring a costly replanning step or fine workspace discretization, as long as the environment that causes deadlocks behaves according to the generated assumptions.

Our approach comes with proof that admissible deadlocks are always resolved and livelocks (the situation where a robot is free to move but unable to reach a goal) never occur.

The fully automated nature of our approach has practical utility, since the user does not need to intervene to debug specifications. In fact, our approach explains, in an intelligible way, any additional environment assumptions it has added.

Another practical feature of our approach is that, unlike related planners (Livingston et al. 2013; KressGazit et al. 2008), we do not require global knowledge of the obstacles. As we show, this allows our approach to scale to an arbitrary number of dynamic obstacles, as long as the aggregate behavior of the obstacles adhere to all specified assumptions.
The certificates provide, at synthesis time, a set of rules defining situations which could make it impossible for the robot to achieve its goals, with the purpose of creating a layer of cooperation between the user (i.e. the human that performs the controller synthesis and deploys the system) and the robots. This frees a user from having to come up with assumptions that characterize the environment’s behavior, a difficult proposition in practice. If these assumptions are broken at runtime, then this signifies that the task is no longer strictly guaranteed. Our approach also aims to reduce situations where members of the robot team become deadlocked with one another, by adopting a coordination strategy in the specification preventing actions that may induce deadlocks.The synthesized controller is certified for this task, if any encountered deadlock between the robot and a dynamic obstacle in the hallway resolves eventually.
A more detailed overview of the approach is given in Sect. 4, right after formalizing the problem in Sect. 3.
1.2 Contribution

A holistic synthesis approach to provably achieve collisionfree behaviors in dynamic environments with an arbitrary number of moving obstacles that does not require mutual exclusion. The approach leverages (a) reactive mission planning to globally resolve deadlocks and achieve the specified task, and (b) online local motion planning to guarantee collision free motion and respect the robot kinodynamics.

An automatic means for encoding tasks that resolve deadlock based on automaticallygenerated revisions to a specification. Our approach automatically generates humancomprehensible assumptions in LTL that, if satisfied by the controlled robots and the dynamic obstacles, would ensure correct behavior. We show that our revision approach is sufficient in making the original specification realizable.
In a preliminary version of this work (DeCastro et al. 2015), a strategy was developed for synthesizing controllers for guaranteed collisionfree motion of a robot team. In this paper, we extend those results by presenting a complete description of the proposed abstraction method and offline controller synthesis procedure, solidify details on the mathematical derivation for the constraints of the local motion planner, and provide indepth evaluation of our proposed synthesis techniques aided by both simulation and physical experiments. Additionally, we enhance the approach in two ways. First, our approach reasons about the geometry of workspace regions in order to avoid preventable deadlock. For instance, if a corridor is only wide enough for one robot, we offer an approach that coordinates the actions of two robots so that they do not head in opposite directions in the corridor. Second, we present a general approach that allows a richer set of deadlock resolution rules to be chosen at synthesis time.
1.3 Related work
1.3.1 Reactive synthesis for mission planning
A number of approaches are suited to automatic synthesis of correctbyconstruction controllers from mission specifications written as temporal logic formulas (Bhatia et al. 2010; Karaman and Frazzoli 2009; Loizou and Kyriakopoulos 2004). Reactive synthesis (KressGazit et al. 2009; Wongpiromsarn et al. 2012) extends these capabilities to tasks in which the desired outcome depends on uncontrolled events in the environment and changing sensor inputs, and is especially compelling given the complex nature of multiagent scenarios. For instance, Ulusoy et al. (2013) synthesized control and communication for producing optimal multirobot trajectories, Chen et al. (2012) distributed a specification among a robot team, and Raman and KressGazit (2014), Raman (2014) synthesized centralized reactive controllers based on analytically constructed multirobot motion controllers. Distributed and decompositionbased planning approaches tackle the complexity problem when scaling to a large number of robots. For instance, Tumova and Dimarogonas (2015) construct distributed controllers from a specifications already separated into coordinating and noncoordinating tasks, while Schillinger et al. (2016) automatically decompose a specification into independent, distributed task specifications. In most approaches, moving obstacles are modeled in a discrete manner as part of the abstraction, leading to overconservative restrictions like requiring robots to be at least one region apart. In contrast, our method only requires local awareness of the robot’s surroundings, and guarantees collisionavoidance via a local planner.
Reactive synthesis in dynamicallychanging environments presents a crucial dilemma: explicitly modeling the state of all other agents can be computationally prohibitive, but incomplete models of the environment destroy task satisfaction guarantees. To address the stateexplosion problem while tracking the state of uncontrollable agents, Wongpiromsarn et al. (2013) formulated an incremental synthesis procedure that started with a set number of agents assumed observable, and added more agents to this set depending on available computational resources; however, unlike our approach, they still required global knowledge of the external agents. The authors in Livingston et al. (2013), on the other hand, made local modifications to the synthesized strategy when new elements of the environment were discovered that violated the original assumptions. While we also update our specification, we differ from Livingston et al. (2013) in that no resynthesis step is needed at runtime, thereby preserving guarantees before runtime.
Our goal is different in that we assume a centralized highlevel controller that guarantees the specification through deadlock resolution by choosing environment assumptions to avoid both deadlock and livelock.
1.3.2 Specification revisions
Recent efforts in reactive synthesis have focused on automatically identifying certain environment assumptions that may prevent the existence of a controller that satisfies the task. Approaches to assumptionmining have provided techniques that enable automatic specification debugging for specifications of any structure (Alur et al. 2013; Li et al. 2011). While providing the ability to automate the debugging process, they still requires input from the user, for instance the variables the user desires and a final selection of candidate assumptions generated by the algorithm, which has drawbacks for realizing a fullyautomated robotic mission planner. An assumptionmining approach to certify the necessary environment assumptions for a given task and robot dynamics was introduced in DeCastro et al. (2016), however, the dynamicsbased abstraction do not extend naturally to multiagent scenarios. This proposed approach obviates the need for the user to intervene during the planning process.
We propose a novel approach in which assumptions on the environment are generated to identify likely deadlock situations. These added assumptions may be interpreted as restricting the mobility of the uncontrolled agents and are relaxed, when possible, by identifying when they may be violated, if only on a temporary basis. In this regard, our approach is inspired by works on error resilience (Ehlers and Topcu 2014) and recovery (Wong et al. 2014) in reactive synthesis.
1.3.3 Motion planning in dynamic environments
Collisionfree (and deadlockfree) motion planning for multirobot teams has been successfully demonstrated via nonconvex optimization, as proposed in Bento et al. (2013) and Mellinger et al. (2012), but these approaches did not account for dynamic obstacles, nor could be computed in realtime. On the other hand, convex optimization approaches for collision avoidance, such as van den Berg et al. (2009) and AlonsoMora et al. (2010), are online and account for dynamic obstacles, but cannot reason globally to resolve deadlocks. In this work, we extend these works to enforce collision avoidance and motion constraints over a short time horizon, where the global execution is given by a discrete controller synthesized from a mission specification.
Also relevant to our efforts are the works in deadlock resolution. The authors of Knepper and Rus (2012) applied pedestrianavoidance principles to deadlock resolution in narrow passageways. While our approach is similarly reactive to the environment, we additionally reason about situations that cannot be locally resolved (e.g. a blocked corridor). Along similar lines, Cirillo et al. (2014) described a centralized graph search technique for motion planning, but did not consider dynamic obstacles, and required a rich underlying graph to represent multirobot motions with kinematic constraints. In contrast, our proposed local planning approach presents a more concise discrete abstraction and also applies to 3D environments. Traditional motion planning approaches such as RRT (LaValle and Kuffner 2001), PRM (Hsu et al. 2007) and lattice based planners (Pivtoraiko et al. 2009) can also be applied to compute collision—and deadlock—free motions for a single robot. But, in contrast to our synthesis approach, they do not typically reason about the mission strategy of multiple robots, nor encode logical constraints representing mission specifications.
1.4 Organization
The remainder of this paper is structured as follows. The required concepts for offline synthesis and online motion planning are described in Sect. 2. We formalize the problem in Sect. 3 and give an overview of the method in Sect. 4. In Sect. 5, we introduce a strategy for mission planning for resolving deadlock at runtime, while, in Sect. 6, we introduce an automated approach for generating runtime certificates and a coordination scheme for mission planning. In Sect. 7, we describe the online motion planner. We provide theoretical guarantees of the integrated approach in Sect. 8. In Sect. 9, we present extensive simulation and experimental results. Conclusions and future work are provided in Sect. 10.
2 Preliminaries
Throughout this paper scalars are denoted in italics, x, and vectors in bold, \(\mathbf{x}\in {\mathbb {R}}^n\), with n denoting the dimension of the workspace. The robot’s current position is denoted by \(\mathbf{p }\in {\mathbb {R}}^n\) and its current velocity by \(\mathbf{v }= \dot{\mathbf{p }}\). A map of the workspace \(W\subset {\mathbb {R}}^n\) is considered, and formed by a set of static obstacles, given by a list of polytopes, \(\mathcal {O}\subset {\mathbb {R}}^n\). For mission synthesis the map is abstracted by a set of discrete regions \(\mathcal{R}= \{R_{1},\ldots , R_{p}\}\), and their topological connections, covering the obstaclefree workspace \(F = {\mathbb {R}}^n{\setminus }\mathcal {O}\), where the open sets \(R_{\alpha }\subseteq W\).
We consider robots moving in \({\mathbb {R}}^3\) and approximate them by their smallest enclosing cylinder of radius r and height 2h, denoted by \(\textit{V}\). Its \(\varepsilon \)additive dilation of radius \(\bar{r} = r + \varepsilon \) and height \(\bar{h} = h + \varepsilon \) is denoted by \(\textit{V}_\varepsilon \). For a set \(X \subset {\mathbb {R}}^n\) we denote the collision set by \(X + \textit{V} = \{ \mathbf p \in {\mathbb {R}}^n \,  \, X \cap \textit{V}(\mathbf p ) \ne \emptyset \} \), with \(\textit{V}(\mathbf p )\) a volume \(\textit{V}\) at position \(\mathbf p \). Throughout, the notation \(\Vert \cdot \Vert \) is used to denote the Euclidean norm.
We consider a set of dynamic obstacles DO and denote the volume occupied by a dynamic obstacle \(i\in DO\), at position \(\mathbf{p }_i\), by \(\textit{V}_i(\mathbf p _i)\). To be able to prove safety in dynamic environments, we assume that all moving obstacles either maintain a constant velocity during the planning horizon (a couple of seconds), or that they employ an identical algorithm for collision avoidance as our robots, as introduced in the Reciprocal Velocity Obstacles literature (AlonsoMora et al. 2015). In this work we do not treat the case where moving obstacles seek collisions and are capable of overtaking the robots. Instead, we assume a fair environment—one where it is always possible for the robots to avoid collisions—such as the case when operating with humans or other riskadverse agents.
2.1 Linear temporal logic
LTL formulas are defined over the set AP of atomic (Boolean) propositions by the recursive grammar \(\varphi \,{{:}{:}{=}}\,\pi \in AP \mid \varphi _1 \wedge \varphi _2 \mid \lnot \varphi \mid {{\mathrm{\bigcirc }}}\varphi \mid \varphi _1~\mathcal {U}~\varphi _2.\) From the Boolean operators \(\wedge \) “conjunction” and \(\lnot \) “negation”, and the temporal operators \({{\mathrm{\bigcirc }}}\) “next” and \(\mathcal{U}\) “until”, the following operators are derived: “disjunction” \(\vee \), “implication” \(\Rightarrow \), “equivalence” \(\Leftrightarrow \), “always” \({{\mathrm{\Box }}}\), and “eventually” Open image in new window . We refer the reader to Vardi (1996) for a description of the semantics of LTL. Let AP represent the set of atomic propositions, consisting of environment propositions (\(\mathcal{X}\)) corresponding to thresholded sensor values, and system propositions (\(\mathcal{Y}\)) corresponding to the robot’s actions and location with respect to a partitioning of the workspace. The value of each \(\pi \in \mathcal{X}\cup \mathcal{Y}\) is the abstracted binary state of a lowlevel component. These might correspond to, for instance, thresholded sensor values, discrete actions that a robot can take, or a discrete region (e.g. room in a house).
Definition 1

\(\varphi _i^e,\,\varphi _i^s\) are formulas for the initial conditions free of temporal operators.

\(\varphi _t^e,\,\varphi _t^s\) are the safety conditions (transitions) to be satisfied always, and are of the form \({{\mathrm{\Box }}}\psi \), where \(\psi \) is a Boolean formula constructed from subformulas in \(AP \cup {{\mathrm{\bigcirc }}}AP\).

\(\varphi _g^e,\,\varphi _g^s\) are the liveness conditions (goals) to be satisfied infinitely often, with each taking the form Open image in new window , with \(\psi \) a Boolean formula constructed from subformulas in \(AP \cup {{\mathrm{\bigcirc }}}AP\).
A strategy automaton that realizes a reactive mission specification \(\varphi \) is a deterministic strategy that, given a finite sequence of truth assignments to the variables in \(\mathcal{X}\) and \(\mathcal{Y}\), and the next truth assignment to variables in \(\mathcal{X}\), provides a truth assignment to variables in \(\mathcal{Y}\) such that the resulting infinite sequence satisfies \(\varphi \). If such a strategy can be found, \(\varphi \) is realizable. Otherwise, it is unrealizable. Using a fragment of LTL known as generalized reactivity(1), a strategy automata for \(\varphi \) of the form above can be efficiently synthesized (Bloem et al. 2012), and converted into hybrid controllers for robotic systems by invoking atomic controllers (KressGazit et al. 2009). These controllers are reactive: they respond to sensor events at runtime.
2.2 LTL encoding for multirobot tasks
We adopt a LTL encoding of a centralized multirobot mission that is robust to the inherent variability in the duration of interregion robot motion in continuous environments (Raman et al. 2013). Let \( AP _\mathcal{R}= \{\pi ^i_{\alpha } \mid R_\alpha \in \mathcal{R}\}\) be the set of Boolean propositions representing the workspace regions, such that \(\pi ^i_{\alpha }\in AP _\mathcal{R}\) is \(\mathtt{True}\) when robot i is physically in \(R_{\alpha }\) for \(\alpha \in [1,\ldots ,p]\). We call \(\pi ^i_{\alpha }\) in \( AP _\mathcal{R}\subseteq \mathcal{X}\) a completion proposition, signaling when robot i is physically inside \(R_{\alpha }\). We also define the set \( AP ^{ act }_\mathcal{R}\subseteq \mathcal{Y}\) that captures robot commands that initiate movement between regions. We call \(\pi ^i_{ act ,\alpha }\) in \( AP ^{ act }_\mathcal{R}\) an activation variable for moving to \(R_{\alpha }\) (but has not necessarily completed motion to \(R_{\alpha }\)). Nonmotion actions are handled similarly. Observe that \(\pi ^i_\alpha \) and \(\pi ^i_{ act , \alpha '}\) may be true at the same time if robot i is in \(R_{\alpha }\) and is moving toward \(R_{\alpha '}\), where \(R_{\alpha }\) and \(R_{\alpha '}\) are adjacent regions. Also note that this is sufficient for the special case \(\pi ^i_\alpha \) and \(\pi ^i_{ act , \alpha }\) (the robot stays put). We assume reasonably that nonmotion actions are independent of motion, so that actions themselves do not involve moving within any particular region and, if it is possible to execute a particular action within a region, it can be performed anywhere within that region.
We now solidify the semantics of the LTL formulas in the context of robot mission and motion planning. Let T denote a particular fixed time step at which the strategy automaton is updated with sensory information and supplies a new input to the local planner (as described in Sect. 4.3). A proposition \(\pi \in AP\) is Open image in new window at time \(t>0\) iff \({{\mathrm{\bigcirc }}}\pi \in {{\mathrm{\bigcirc }}}AP\) is Open image in new window at \(t + T\).
Definition 2
We note that it is shown in Ehlers (2013) that complexity of synthesis under the generalized reactivity(1) fragment is polynomial in the size of the state space of the game structure that is, in turn, at most exponential in the total number of propositions. Considering motion alone, the formulas effectively impose restrictions to the allowed state transitions to only consider those that are physically adjacent, effectively reducing the size of the synthesis problem.
3 Problem formulation
This work combines global planning with local motion planning to produce a correctbyconstruction synthesis method that avoids collisions locally yet is able to resolve deadlocks. Synthesis is carried out in a fullyautomated way; when modifications to the original specification are necessary, these are explained to the user in an intelligible manner. We provide an example to motivate our correctbyconstruction synthesis method.
Example 1
Our approach, shown in Fig. 3c, relies on a local motion planner to allow several agents per region and avoid dynamic obstacles, as in Fig. 3a. Furthermore, it is able to resolve encountered deadlocks that may arise. In this example, when one of the robots encounters deadlock, it reverses its motion to allow the other one to pass into Goal 1, ultimately taking another route to Goal 2.
Definition 3
(Collision) A robot at position \(\mathbf{p }\) is in collision with a static obstacle if \(\textit{V}(\mathbf{p }) \cap \mathcal {O}\ne \emptyset \). The robot is in collision with a dynamic obstacle i at position \(\mathbf{p }_i\) and of volume \(\textit{V}_i(\mathbf{p }_i)\) if \(\textit{V}(\mathbf{p }) \cap \textit{V}_i(\mathbf{p }_i) \ne \emptyset \).
Denote by \(\mathbf{p }(t)\) the position of a robot at time t and by \(\mathbf{p }_i(t)\) the position of a dynamic obstacle i at time t. The trajectory of the dynamic obstacles is estimated between the current time \(t_k\) and a time horizon \(\tau \). In our model we consider constant velocity.
Definition 4
Definition 5
(Deadlock) In this work we consider motion related deadlocks. A robot at position \(\mathbf{p }\) is said to be in a deadlock if it is not in a collision, it has not achieved the target given by the automaton and it can not make progress towards the goal, i.e. it is not moving, for a prespecified amount of time.
The goal of this work is to solve a set of problems as follows.
Problem 1
(Local collision avoidance) Given the dynamics for each robot in the team, construct an online local planner that guarantees collision avoidance with static and dynamic (moving) obstacles.
Problem 2
(Synthesis of strategy automaton with deadlock resolution) Given a topological map, a local motion planner that solves Problem 1 and a realizable mission specification \(\varphi \) that ignores collisions, automatically construct a specification \(\varphi '\) that includes both \(\varphi \) and a model of deadlock between robots and unmodeled dynamic obstacles. Use \(\varphi '\) to synthesize a controller that satisfies \(\varphi '\).
This synthesized controller will reroute the robots to resolve deadlocks (should they occur), while satisfying the reactive mission specification and remaining livelock free. For mission specifications that consider the presence of possible deadlocks, there may be no satisfying controller. We therefore synthesize environment assumption revisions as additional LTL formulas to identify cases where dynamic obstacles may trigger deadlock and trap the system from achieving its goals. These formulas are significant because they offer certificates explaining the required behaviors of the environment that, if followed, guarantee that the robot team will carry out the task. Such certificates must be conveyed to the user in a clear, understandable manner. An example of such a condition is: “the environment will never cause deadlock if robot 1 is in the kitchen and moving to the door”. This leads to the following Problem.
Problem 3
(Revising environment assumptions) Given an unrealizable reactive mission specification \(\varphi '\), synthesize environment assumption revisions \([\varphi _t^e]^{ rev }\) such that the specification \(\varphi ''\) formed by replacing \(\varphi _t^e\) with \([\varphi _t^e]^{ rev }\) is realizable, and provide the user with a humanreadable description of these revisions as certificates for guaranteeing the task.
4 Approach
4.1 Offline
The inputs for the offline part of the method are: (a) a user given mission specification, (b) a discrete topological map of the workspace (which ignores dynamic obstacles) and (c) the dynamic model and controller of the robots in the team. The offline part of the method consists of two independent parts.
4.1.1 Mission planning
In this step we synthesize a centralized controller, or finite state machine, that will guide the robots in the team through the topological map. This controller considers possible physical deadlocks between robots in the team as well as with moving obstacles. Since the position of the moving obstacles is not known at synthesis time, environment assumptions are iteratively revised as necessary. The resulting strategy automaton with the revisions included accommodate deadlocks wherever they may occur at runtime, and fulfillment of the specification is guaranteed as long as the environment behaves according to the assumptions explained to the user in the revisions generation step. We also adopt a recovery scheme (Wong et al. 2014) that synthesizes a strategy that allows violations of environment safety assumptions to be tolerated, retaining satisfaction guarantees as long as the violation is transient.
The mission planning part of the offline synthesis approach is described in detail in Sects. 5 and 6.
4.1.2 Motion planning
The automaton is agnostic to the robot’s dynamics, which are instead accounted for by the local planner. For a given robot model and controller a set of motion constraints, or tracking errors, are precomputed at synthesis time. This part is described in Sect. 7.2.
During execution, the local planner is fed, at runtime, a set of constraints that are then solved for in an efficient manner. These constraints include region boundaries, static and dynamic obstacles and kinodynamic model of the robot.
4.2 Online
At each time step of the execution, the synthesized strategy automaton provides a desired goal for each controlled robot in the team. Then, each robot independently computes a local trajectory that achieves its goal while avoiding other agents.
If a physical deadlock is sensed, an alternative goal is extracted for the robot from the synthesized strategy automaton. The existence of such an alternative in the automaton is guaranteed by construction if the environment assumptions are satisfied. The local planner builds on AlonsoMora et al. (2015) by adopting a convex optimization approach as described in Sect. 7.
4.3 Integration of mission and motion planning
The proposed method consist of two interconnected parts, the mission planner and the motion planner. Figure 4 highlights the components and their interconnections.
The mission planner is computed offline, prior to execution. It requires a topological map of the environment given by a description of the regions, such as rooms, and their connections. It creates a finite state machine or automaton that achieve the highlevel specification and from which the robots in the team can extract a strategy at runtime. Note that we do not optimize the mission planner in this work, but our framework allows us to readily adopt techniques for optimal execution such as Jing et al. (2013) to extract an optimal strategy automaton.
At each time instance in the execution, a target motion is extracted from the automaton. The motion planner computes a collisionfree motion to make progress towards the target. If a physical deadlock is sensed, an alternative strategy is extracted from the automaton.
The motion planner requires a local map of the environment W, containing all the static and moving obstacles. The regions in the free space F of the local map—used at runtime—must be labeled to match the regions \(\mathcal{R}\) of the topological map—used for offline synthesis.
If the automaton commands a robot to transition between two connected regions, a path is computed from the current position of the robot to the border of the destination region and then is followed by the local planner. If the automaton commands a robot to remain in a region, the local planner moves the robot towards the middle point of the region.
5 Offline synthesis: resolving deadlock
In this section, we discuss how to synthesize a strategy automaton given a mission specification and a topological map of the environment, provided that, at runtime, a lowlevel control strategy is applied that guarantees collisionfree motion. We assume that the task specification \(\varphi \) ignores collisions, but we allow the possibility that deadlocks can occur at any time during the robot’s execution. Deadlocks can trap the robot from achieving its goals, rendering the specification unrealizable. The crux of this work is an approach that systematically modifies the specification with additional behaviors that redirect the robot team in order to resolve deadlocks, whenever possible. If a satisfying mission plan does not exist, the approach iteratively adds assumptions on the deadlock behavior to the specification until a satisfying strategy can be found for the robot team. By focusing on deadlock rather than the positioning of dynamic obstacles, it allows our approach to be valid for any number of dynamic obstacles, as long as they fulfill the stated assumptions returned by our synthesis approach. It also removes the need to globally track the positions of every obstacle at runtime.
5.1 Deadlock resolution
We declare a robot to be physically in deadlock with another agent if it has not reached its goal but cannot move. This can happen when an agent becomes blocked either by another agent or by a dynamic obstacle. To keep track of which robot is in deadlock, we introduce Boolean input signals \(x^{ij}\in \mathcal{X}\), where \(i=1,\ldots ,n_{ robots }\) and \(j=0,\ldots ,n_{ robots }\) (the index \(j=0\) representing a dynamic obstacle). Without loss of generality, we consider only deadlock between pairs of agents at a time. For the case where a robot is in deadlock while in proximity to a dynamic obstacle, we let \(j=0\) and refer to this case as singleton deadlock. Otherwise, the robot is in deadlock with another robot on its team, \(j\ne 0\), and is considered to be in a state of pairwise deadlock. The proposition \(x^{i0}\) is \(\mathtt{True}\) iff robot i is in singleton deadlock and \(x^{ij}\) is \(\mathtt{True}\) iff robots i and j are in pairwise deadlock. We defer detailing our approach for detecting deadlock at runtime to Sect. 7.
Resolving deadlock by redirecting the robot’s motion based on the instantaneous value of \(x^{ij}\) alone may result in livelock, where the robot may be trapped from achieving its goals as a result of repeated deadlock status changes. For this reason, our scheme automatically introduces additional memory propositions that are set when deadlock is sensed, and reset once the robot moves a predefined discrete radius, denoted m, defining the a deadlock resolution horizon (i.e. it traverses m regions away from the region where deadlock occurred in order for the deadlock to be considered “resolved”).
Definition 6
(Discrete radius) Let \(\pi ^i_{ curr (k_i)} \in AP _{\mathcal{R}}\) and \(\pi ^i_{ act , curr (k_i1)} \in AP ^{ act }_{\mathcal{R}}\) be, respectively, the configuration and action taken by robot i, where \(k_i = 1,2,\ldots \) represents an event that is incremented when robot i enters a new region, i.e. \(k_i\) is incremented at the time instant when \( curr (k_i1) \leftarrow curr (k_i)\). The current region index \( curr (\cdot )\in [1,p]\) is defined recursively, initialized such that \(\pi ^i_{ curr (1)}\) is the robot’s completion when deadlock was recorded and \(\pi ^i_{ act , curr (0)}\) is the robot’s action when deadlock was recorded. Then, the discrete radius m is the number of successive steps \(k_i \in [1,m]\) for which we impose the restriction \(\pi ^i_{ act , curr (k_i)}\in AP ^{ act }_{\mathcal{R}} \backslash \{\pi ^i_{ act , curr (k_i1)}\}\) on the robot’s actions. This ensures that the robot makes a move that does not reenter the region just visited.
The concept behind the proposed deadlock resolution approach is to force the robot to actively alter its strategy to overcome a deadlock by imposing a small number of constraints without directly prescribing the path the robot is required to take. The path is derived once a strategy automaton is synthesized from the specification augmented with these revisions. For instance, as illustrated in Fig. 5, for the case \(m = 1\) (resp. \(m = 3\)), if a deadlock is sensed at point (2), the revisions forbid the robot from crossing the red line until it reaches the green line (resp. cyan line). As a result, different choices of m will lead to the synthesis of strategies that give rise to different subsequent paths to goal region R8 and decisions whether or not to revisit the location where deadlock had occurred.
We first introduce an approach where resolution occurs when the robot leaves its current region, then generalize this approach to allow the user to choose any number of discrete steps, \(m \ge 0\), to be taken by the robot before deadlock is declared as resolved. In this work, we assume m to be chosen ahead of time.
5.2 Resolving deadlock when \(m = 0\)
5.3 Resolving deadlock when \(m = 1\)
Conjuncting the conditions (4)–(8) with \(\varphi _t^s\) yields a modified formula \([\varphi _t^s]'\) over the set AP, and the new abstracted specification \(\varphi ^{\textit{abstr}} = \varphi _i^e \wedge \varphi _t^e \wedge \varphi _g^e \implies [\varphi _i^s]' \wedge [\varphi _t^s]' \wedge \varphi _g^s\). The initial conditions are modified by setting the additional propositions \(x^{ij}, y^i_\alpha \) to \(\mathtt{False}\).
5.4 Resolving deadlock when \(m > 1\)
In some cases, having a deadlock resolution strategy in which multiple discrete steps must be made away from any encountered deadlock may result in different behavior than a strategy in which deadlock is resolved when moving away just one step. Considering Fig. 5, the case \(m = 3\) results in greater exploration of the workspace, whereas the case \(m = 1\) results in confinement to a smaller portion of the workspace.
We generalize the strategy presented in Sect. 5.3 by considering the case where deadlock is resolved once \(m > 1\) discrete moves have been taken away from the last encountered deadlock. In what follows, the same formulas as in Sect. 5.3 apply; here, we only describe modifications to this setup. To ensure each robot moves away from deadlock a discrete radius, we require \(m1\) propositions (for robot \(i,\,y_{ out , 1}^{i}, \ldots , y_{ out , m1}^{i}\)) that are set and reset in a chain in order to memorize the robot’s position from the encountered deadlock. \(y_{ out , k}^{i}\) are initially \(\mathtt{False}\) for all \(i,\,k\).
The safety revisions restrict the system’s moves in the execution sequence be ones that actively take it m away from the location where the deadlock flag was raised. Since waiting in a region is disabled in (4), and reentering a region is disabled in (11), these safety revisions will cause the system to move m steps away from deadlock in finite time.
In general, setting m large, could lead to behavior that “explores” more of the workspace, but also could result in unrealizability. Consider again the scenario in Fig. 5, but with R2 always blocked. In this case, \(m=3\) would result in an unrealizable specification because the robot cannot make three discrete steps away from R6 without entering R2. Such design tradeoffs therefore depend on the workspace and its partitioning. Automatic selection of m for a given specification and collection of regions is the subject of future work, as is the use of Open image in new window liveness formulas to resolve livelock in a more direct manner similarly to DeCastro et al. (2016) and Alur et al. (2013) while remaining scalable to the number of robots on the team.
6 Offline synthesis: environment assumptions and coordination
If the specification \(\varphi ^{\textit{abstr}}\) is synthesizable, then Problem 2 has been solved and no further modifications to the abstracted specification are necessary. But, the possible presence of humans or other uncontrollable agents in some parts of the environment may cause the abstracted specification to be unrealizable. Then, it becomes necessary to solve Problem 3 to find a minimal set of environment assumptions that restores the guarantees.
We automatically generate assumptions on the environment’s behavior in cases where the modified specification is unrealizable. To prevent any unreasonable assumptions (assumptions that the robot can overcome deadlock when it is impossible to do so), we provide a means for coordinating robot actions to prevent such assumptions from being given to the user. Combining the encoding and revisions approach, we formally show that the synthesized automaton is guaranteed to fulfill the task under these assumptions, showing that our approach also removes the possibility of deadlock and livelock from occurring.
6.1 Runtime certificates for the environment
We note that the dynamic obstacles are uncontrollable agents, and lacking behavioral information, so altering environment assumptions does nothing to characterize their behavior. Rather, we may still provide the user with a certificate under which the environment’s behavior will guarantee that the team can achieve all its goals without being trapped permanently in a state of deadlock or livelock. Such assumptions can be given to the user to allow him/her to be mindful of any condemning situations when coinhabiting the robots’ environment. As such, we call these added assumptions runtime certificates.
When a specification is unrealizable, there exist environment behaviors (called environment counterstrategies) that prevent the system from achieving its goals safely. Here we build upon the work of Alur et al. (2013), DeCastro et al. (2016) and Li et al. (2011), processing synthesized counterstrategies to mine the necessary assumptions. Rather than synthesize assumptions from the counterstrategy as in Alur et al. (2013), which requires specification revision templates to be specified by hand, we automate the counterstrategy search by searching for all deadlock occurrences, then store the corresponding conditions as assumptions.
We denote \(\mathcal{C}_{\varphi ^{\textit{abstr}}}\) as an automaton representing the counterstrategy for \(\varphi ^{\textit{abstr}}\). Specifically, a counterstrategy is the tuple \(\mathcal{C}_{\varphi ^{\textit{abstr}}} = (\mathcal{Q},\mathcal{Q}_0,\mathcal{X},\mathcal{Y},\delta ,\gamma _\mathcal{X},\gamma _\mathcal{Y})\), where \(\mathcal{Q}\) is the set of counterstrategy states; \(\mathcal{Q}_0 \subseteq \mathcal{Q}\) is the set of initial counterstrategy states; \(\mathcal{X},\,\mathcal{Y}\) are sets of propositions in AP; \(\delta {:}\,\mathcal{Q}\times 2^{\mathcal{Y}} \rightarrow 2^{\mathcal{Q}}\) is a transition relation returning the set of possible successor states given the current state and valuations of robot commands in \(\mathcal{Y}\); \(\gamma _\mathcal{X}{:}\,\mathcal{Q}\rightarrow 2^\mathcal{X}\) is a labelling function mapping states to the set of environment propositions that are \(\mathtt{True}\) for incoming transitions to that state; and \(\gamma _\mathcal{Y}{:}\,\mathcal{Q}\rightarrow 2^\mathcal{Y}\) is a labelling function mapping states to the set of system propositions that are \(\mathtt{True}\) in that state. We compute \(\mathcal{C}_{\varphi ^{\textit{abstr}}}\) using the slugs synthesis tool (Ehlers and Raman 2016).
In practice, many of the added environment safety statements can be violated by dynamic obstacles at runtime without consequence, if these violations can be assumed to be temporary. For this reason, we introduce a recovery scheme that synthesizes a strategy that allows environment safety assumption violations to be tolerated. We refer the reader to Wong et al. (2014) for these technical details of the details of this strategy. Note that we modify the approach to attempt a recovery only for violations of the newly added assumption \(\varphi ^e_{rev}\), rather than for the entire formula \([\varphi _t^e]'\), since our goal is to only make assertions on the environment’s behavior with respect to deadlock and not all behaviors in general. The requirement for temporary deadlock is less restrictive than the requirement that deadlocks should never occur, but it nonetheless places additional requirements on the environment’s behaviors, i.e. that the dynamic obstacles cannot infinitely often cause deadlock. Hence such conditions are displayed to the user in an easilyinterpretable form.
Runtime certificates are displayed to the user in a format such as: The task is guaranteed as long as for robot 1 any singleton deadlock in the kitchen while heading to the door is eventually resolved on its own. In this specific case, dynamic obstacles may enter deadlock with robot 1, but the obstacles are obligated to eventually resolve deadlock. If the dynamic obstacle is a person, the certificate may have no impact on the true behavior of the environment, as social norms deem it natural for people to resolve deadlocks on their own. If the dynamic obstacle is a door, then the certificate could alert that the door should eventually be opened to allow the robot to pass through. On the other hand, if the door never opens, then the certificate could help to explain that the door being closed as the reason the task remains unfulfilled.
It is possible that many such certificates are required, which may overwhelm the user. We address this in two ways. First, we project the found certificates onto the set of propositions relating to motion only, eliminating any propositions that do not relate to motion. Second, we use a graphical visualization of the certificates overlaid on a map of the physical workspace. In addition to the above provisions, the work in DeCastro et al. (2016) offers an approach that can be adopted to further reduce the number of revisions fed to the user. There, a method is introduced for grouping regions that share the same properties for the revisions, and convey to the user metric information that is necessary for fulfilling the added revisions. Such an integration is left for future work. We refer the reader to Sect. 9 for implementation details.
We point out that (12) gives revisions that are possibly conservative. The formula is created from a counterstrategy that is extracted from a game structure capturing the environment’s behaviors for every possible behavior of the system (DeCastro et al. 2016). In the current implementation, the counterstrategy is computed without regard to the number of revisions that could be generated. Future iterations of the approach could make use of an optimality criterion to extract a counterstrategy with a minimal number of revisions. Another cause for conservatism is due to the fact that the approach abstracts away the actual behavior of the dynamic obstacles, neglecting the physical behavior of the dynamic obstacles. This can be improved by enhancing the existing approach with LTL formulas that impose physical constraints on the environment, for instance mutual exclusion conditions on deadlocks.
6.2 Coordination between robots
Since the strategy for the robots’ motion is completely determined at synthesis time, the controllers we synthesize should not lead to deadlocks if they can be safely avoided. For instance, two robots on the team should not enter a narrow doorway from opposite ends, only to become deadlocked there. This motivates the creation of a method for automatically inserting dimensionrelated information into the specification based on the workspace geometry and the volume of the robot so that the robots can precoordinate, at synthesis time, to avoid unneeded deadlock. This precoordination serves two purposes: (1) it allows to eliminate any environment assumptions between two robots in a region where there is high likelihood of deadlock if both are occupying that region, and (2) it changes the behavior of the agents to actively avoid potential deadlock in such highrisk regions, such as oneway corridors.
The modification considers the restrictions on what robots are allowed to do in certain regions, based on the dimension of the region and the size of the robot. We introduce an encoding of LTL formulas that eliminate the actions of robots that would result in deadlock. Specifically, we consider two cases: (1) a robot will not enter a region if the move will exceed the region’s capacity and, (2) it will be prevented that two or more robots enter through opposite sides a oneway narrow region. We then create a new specification \(\varphi ^{ abstr,coord }\) with precoordination of robots, and apply Algorithm 1 on \(\varphi ^{ abstr,coord }\) by swapping out \(\varphi ^{\textit{abstr}}\) in line 1.
7 Online local motion planning
In this section we describe the local planner that links the mission plan with the physical robot (recall Fig. 4). The offline synthesis and generated state machine are agnostic to the local planner, which can be substituted as long as avoidance of unmodeled moving obstacles is guaranteed. Our online local planner does account for the robot dynamics, which were abstracted for highlevel synthesis.
7.1 Overview
We build on the work on distributed Reciprocal Velocity Obstacles with motion constraints (AlonsoMora et al. 2014), and its recent extension to aerial vehicles (AlonsoMora et al. 2015).
As described by AlonsoMora et al. (2014), the method follows two ideas. (a) The radius of the robot is enlarged by a predefined and typically fixed value \(\varepsilon > 0\) for collision avoidance. This value depends on the kinodynamic model of the robot and can be reduced in real time without having to recompute the stored maximum tracking errors. And, (b) in run time, the local trajectories are limited to those with a tracking error below \(\varepsilon \) with respect to their reference trajectory. Recall that the tracking errors were precomputed in the offline process.
At each timestep an optimal reference velocity \(\mathbf{u }^*\in {\mathbb {R}}^n\) is obtained by solving a convex optimization in reference velocity space. The associated local trajectory is guaranteed to be collisionfree, satisfies the motion constraints and minimizes a cost function. The cost function minimizes the deviation to a preferred velocity \(\bar{\mathbf{u }}\), corrected by a small repulsive velocity \(\mathring{\mathbf{u }}\) inversely proportional to the distance to the neighboring obstacles when in close proximity. As described by AlonsoMora et al. (2015) this additional term introduces a desired separation between robots and obstacles. Note that the avoidance guarantees arise from the constrained optimization and not from the repulsive velocity.
7.2 Robot dynamics
Letting \(t \in {\mathbb {R}}_+\) denote time and \(t_k\) the current time instant, we define the relative time \(\tilde{t} = t  t_k \in [0, \ldots , \infty )\) and the time horizon of the local planner \(\tau > 0\), greater than the required time to stop if moving at maximum speed. Note that different robots may present different dynamic models. We denote the state of a robot by \(\mathbf z =[\mathbf{p },\dot{\mathbf{p }},\ddot{\mathbf{p }},\dots ]\), which includes its position and velocity and may include additional terms such as acceleration and orientation. Given a control input \(\nu (t)\) the dynamical model is \(\dot{\mathbf{z }} = g(\mathbf z , \nu )\).
7.3 Constraints
To define the motion and interagent avoidance constraints we build on the approach in AlonsoMora et al. (2015). We additionally introduce constraints for avoiding static obstacles. For completeness, we give an overview of each of the constraints.
7.3.1 Robot dynamics
7.3.2 Avoidance of other agents
7.3.3 Avoidance of static obstacles
7.3.4 Avoiding incorrect region transitions
The local planner prevents incorrect region transitions (for instance, avoiding entering another region if the robot’s local goal is within the current one) by introducing “virtual” doors at borders between workspace regions. These virtual doors may be closed or opened depending on the desired transition. A closed door is introduced as an obstacle in \(\mathcal {O}\).
7.4 Optimization
The optimization cost is given by two parts. As described in Sect. 7.2, the first one is a regularizing term, weighted by a design constant \(\bar{\alpha }\), and the second one is a minimizer with respect to a preferred velocity.
7.5 Deadlock detection
8 Theoretical guarantees
We provide proofs for the guarantees inherent to our synthesized controller. The following three subsections are sufficient to show that, under the collisionfree guarantees provided by the local planner, the synthesized strategy realizes the reactive task specification and resolves deadlocks.
8.1 Correctness with respect to robot dynamics
By construction of the local planner, the controller is guaranteed correct with respect to the lowlevel controller \(f(\mathbf z ,\mathbf{u },\tilde{t})\), which is continuous on the initial state of the robot and respects its dynamics. We do assume that the model of the robot is accurate and that there are no external disturbances.
8.2 Collisionfree motion
Theorem 1
The local planner of Sect. 7 yields collisionfree motion in dynamic environments, under the constant velocity assumption.
If (15) is feasible, collisionfree motion is guaranteed for the local trajectory up to time \(\tau \) with the assumption that all interacting agents maintain a constant velocity.
Proof
Avoidance of dynamic obstacles was shown in our previous work (AlonsoMora et al. 2015). Here we reproduce it for the case of a dynamic obstacle maintaining a constant velocity, and it extends to the case where all agents do reciprocal collision avoidance.
If the assumptions are violated, e.g. the moving obstacles quickly change their velocity, the constrained optimization of Eq. (15) can be infeasible. In that case, no collisionfree solution exists that respects all of the constraints and a collision may arise. In this case the robot decelerates at its maximum deceleration rate until full stop or a feasible collisionfree trajectory is found. In practice, since this computation is performed at a high frequency, each individual robot is able to adapt to changing situations, and the resulting motion is collisionfree if the moving obstacles behave fairly (i.e. never cause collisions).
8.3 Correctness with respect to the task specification
Since the local planner is myopic, it provides guarantees up to a time horizon \(\tau \) and consequently may result in deadlock and livelock. However, as we have shown, the planner’s local guarantees allow a discrete abstraction that the strategy automaton can use to resolve deadlocks and avoid livelocks. Here we formally prove the guarantees on the execution provided by our synergistic online and offline synthesis.
Proposition 1
Given a task specification \(\varphi \) that ignores collisions, if the resulting specification \(\varphi ^{\textit{abstr}}\) defined in Sect. 5 is realizable, then the corresponding strategy automaton also realizes \(\varphi \).
Proof
Assume given \(\varphi = \varphi _i^e \wedge \varphi _t^e \wedge \varphi _g^e \implies \varphi _i^s \wedge \varphi _t^s \wedge \varphi _g^s\). Recall that \(\varphi ^{\textit{abstr}} = \varphi _i^e \wedge \varphi _t^e \wedge \varphi _g^e \implies [\varphi _i^s]' \wedge [\varphi _t^s]' \wedge \varphi _g^s\), where \([\varphi _i^s]'\) and \([\varphi _t^s]'\) contain \(\varphi _i^s\) and \(\varphi _t^s\) as subformulas, respectively. Suppose that strategy automaton \(\mathcal{A}_{\varphi ^{\textit{abstr}}}\) realizes \(\varphi ^{\textit{abstr}}\). This means that the resulting controller is guaranteed to fulfill the requirement \([\varphi _i^s]' \wedge [\varphi _t^s]' \wedge \varphi _g^s\) as long as the environment fulfills the assumption \(\varphi _i^e \wedge \varphi _t^e \wedge \varphi _g^e\). This implies that \(A_{\varphi ^{\textit{abstr}}}\) fulfills \(\varphi _i^s \wedge \varphi _t^s \wedge \varphi _g^s\) as long as the environment fulfills the assumption \(\varphi _i^e \wedge \varphi _t^e \wedge \varphi _g^e.\) \(\square \)
Proposition 2
Given a task specification \(\varphi \) that ignores collisions, if \(\varphi \) is realizable but the resulting specification \(\varphi ^{\textit{abstr}}\) is not realizable, then the revision procedure in Sect. 6.1 will find an assumption \(\varphi ^e_{ rev }\) to add to \(\varphi ^{\textit{abstr}}\) that renders the resulting specification \(\varphi ^{ rev }\) realizable and the resulting strategy \(\mathcal{A}_{\varphi ^{ rev }}\) free of deadlock and livelock.
Proof
Suppose \(\varphi \) is realizable by strategy \(\mathcal{A}_\varphi \), but \(\varphi ^{\textit{abstr}}\) is not realizable, admitting counterstrategy \(\mathcal{C}_{\varphi ^{\textit{abstr}}} = (\mathcal{Q},\ldots )\). It suffices to show that the set \(S_{ cuts }\) is nonempty. Assume by way of contradiction that \(S_{ cuts }\) is empty. Then the rising edge of deadlock \(\theta _s^i\) never occurs for any i, so no robot transitions are ever disabled. Since we assume that deadlock does not occur in the initial state, this means that \(x^{ij}\) is always False for every i,j. Therefore \([\varphi _i^s]' \wedge [\varphi _t^s]' \wedge \varphi _g^s\) defined in Sect. 5 reduces to \(\varphi _i^s \wedge \varphi _t^s \wedge \varphi _g^s\). The lack of deadlock means that any region transition contained in \(\mathcal{A}_\varphi \) is still admissible, and therefore \(\mathcal{A}_\varphi \) can be used as a strategy to realize \(\varphi ^{\textit{abstr}}\), a contradiction. Therefore, there must be deadlock and \(S_{ cuts }\) is not empty. Now, upon addition of the assumptions \(\varphi ^{\textit{abstr}}\), existence of \(\mathcal{A}_{\varphi ^{ rev }}\) that satisfies \(\varphi ^{\textit{abstr}}\) implies, by construction, that \(\mathcal{A}_{\varphi ^{ rev }}\) is livelockfree. \(\square \)
8.4 Computational complexity
For a given choice of m, the offline reactive synthesis algorithm used in this work is exponential in the number of propositions (Bloem et al. 2012; Ehlers and Raman 2016). Using our encoding, the problem scales linearly with \(n_{ robots }\)—no worse than existing approaches (e.g. Ulusoy et al. 2013). When one or more dynamic obstacles are considered, the number of propositions does not change. As stated in Sect. 6, \(2^{(\vert \mathcal{Y}\vert +\vert \mathcal{X}\vert )}\) iterations of the main loop in Algorithm 1 are needed in the worst case, yielding a theoretical complexity that is doubly exponential in the number of propositions.
For the online component, a convex program is solved independently for each robot, with the number of constraints linear in the number of neighboring robots. The runtime of the iterative computation of the convex volume in free space barely changes with the number of obstacles, up to tens of thousands (Deits and Tedrake 2014), and a timeout can be set, with the algorithm returning the best solution found.
9 Experiments and simulations
We present results of our endtoend approach both in simulation and on hardware. Our evaluation is meant to illustrate the various parts of the synthesis and execution process, and provide a statisticallygrounded evaluation of the approach when placed in a difficult environment that does not necessarily behave according to the automaticallygenerated environment assumptions. In this context, our results reveal that our approach has merit in dealing with such environments to execute the task successfully. We furthermore show that our approach is scalable to any number of dynamic obstacles, and that the local planner applies to 3D workspaces. Lastly, we show that our approach may be executed in real time on actual hardware.
The synthesis procedure described in Sect. 5 was implemented with the slugs synthesis tool (Ehlers and Raman 2016), and executed with the LTLMoP toolkit (Finucane et al. 2010). The local motion planner (Sect. 7), was implemented with the IRIS toolbox (Deits and Tedrake 2014) and an offtheshelf convex optimizer. We assume the dynamic obstacles are cooperative in avoiding collisions, therefore, each one is controlled by a local planner. Many of the experiments presented in this section are available in the accompanying video.
In what follows, we consider a “garbage collection” scenario, upon which we synthesize a strategy automaton.
Example 2
The system propositions are actions to move between regions (\(\pi ^i_{ act , LR },\ldots ,\pi ^i_{ act , BR }\)) and to pick up (\(\pi ^i_{ act , pickup }\)). The environment propositions are sensed garbage (\(\pi ^i_{ garb }\)), region completions (\(\pi ^i_{ LR },\ldots ,\pi ^i_{ BR }\)), and pick up completion (\(\pi ^i_{ pickup }\)).
We implement the above example using humanoid robots (able to rotate in place, move forward and along a curve) and simulated quadrotor UAVs.
9.1 Synthesis and revisions
Upon synthesizing a controller for single robot, we obtain 16 revisions to the environment assumptions. These are displayed to the user as runtime certificates. One example is: Deadlock should not occur when the robot is in the Hall moving toward the Living Room and had already been blocked from entering the Bedroom. Note that, with each robot added to the team, the number of revisions grows combinatorially. In contrast to the singlerobot case, there are a total of 1306 statements given to the user in the case of two robots. In these cases, we display the revisions graphically, by projecting over the variables of interest: the current region and action for each robot. Rather than displaying all 1306 statements, we show the projection consisting of 45 statements projected onto the set of each robot’s motion and activation propositions. Satisfying these 45 statements implies that we also satisfy the 1306 statements. To further aid the user, we display them graphically on the workspace as shown in Fig. 7.
9.2 Scalability with respect to dynamic obstacles
Considering Example 2, the specification for the singlerobot case consists of 14 propositions, while that for the tworobot case consists of 29 propositions. The specification is invariant to the number of dynamic obstacles in either case.
One could also consider a tworobot team controlled by a baseline strategy that relies on mutual exclusion (one robot per region) to be kept with other robots and dynamic obstacles (DO). That strategy required 20 propositions for the case without DOs. One additional proposition is added for each region for each DO (producing 25 for one DO, 35 for three DO, 60 propositions for eight DO, etc.). Because the obstacles are assumed to behave in an adversarial manner, they can violate mutual exclusion if they enter a neighboring region of the robot. Hence, the baseline synthesis procedure is not realizable for one or more dynamic obstacles.
In contrast, our approach is realizable independently of the number of dynamic obstacles and requires fewer propositions than the case with two or more DO.
9.3 Performance evaluation
Each test case consisted of 133 min of data obtained over multiple simulation runs lasting 200 s each. The simulation was terminated before 200 s if none of the controlled robots reached their goal, but none had been moving (their velocity falls below a threshold) for 100 s or longer. Any such runs were flagged as unresolved deadlock, at which point the robots are deemed unable to continue their task. The robots in the team were initialized randomly at different regions in the workspace.
In the “counterflow” example of Fig. 10, 100% of the simulation runs without the proposed deadlock resolution approach eventually enter unresolved deadlock at some point during the run. In contrast, when the proposed approach is used, deadlock is able to be resolved, resulting in more goals being visited. In the singlerobot case, only 5% of the runs lead to unresolved deadlock. In all such runs, the DOs had violated a runtime certificate (note that the DOs were not programmed to satisfy any such certificates); in some cases the DOs surrounded the robot. In the tworobot case, nearly 20% of the runs lead to unresolved deadlock. This number is higher than in the onerobot case because there is more than one robot whose motion could be blocked by the DOs, leading to more encountered deadlocks. Additionally, when one robot has already become deadlocked, the objects in the environment effectively act as static obstacles to the remaining robot, increasing the chance it will become deadlocked as compared with moving, dynamic obstacles. The combined effect of these two factors is the reason why there is a fourfold increase in the number of encountered deadlocks.
The “random waypoints” cases are included to evaluate the performance of the proposed approach where the DOs do not all move in the same direction, but instead move randomly in the workspace. In the case of a single robot, deadlock resolution allows the robots to find alternate routes around deadlocks, and thus the robot is able to visit 40% more goals than the case without deadlock resolution. In the case of two robots, the team is able to achieve 136% more goals than without resolution. As may be observed in the supplementary videos, deadlock resolution gives the robots an ability to exploit areas of the workspace containing a lower density of dynamic obstacles to achieve their goals. The cases where deadlock resolution is included results in greater likelihood of task achievement over a 200s interval. As compared with the counterflow cases, there are fewer cases of unresolved deadlock because the random nature of the DOs allows the robots to move more freely in some cases than in others.
9.4 3D problem domain
9.5 Physical experiments
To demonstrate effectiveness in a physical setting, we employ two Aldebaran Nao robots to carry out the planar garbage collection scenario, with a teleoperated KUKA youBot serving as the dynamic obstacle. The model for the Nao robots is one where the robots are able to rotate in place, move forward, and move along a curve at a constant velocity. The size of the field is 5 m by 3 m, and the sensing range for the local planner is 1 m. The size is such that only one Nao robot may fit through the Hall and Door at a time. The positions of each robot are measured through a motion capture system. The local planner is implemented on a laptop computer communicating via a WiFi connection to the robots. In the local planner, the Nao robots are taken to have a circular footprint with effective radius of 0.2 m.
We carried out experiments using two robots on the team, using the workspace shown in Fig. 7. The revisions for these two robots are pictured in the figure for the synthesized mission plan. As demonstrated in the snapshots in Fig. 12, the Naos can execute the task, by avoiding collisions and resolving deadlocks with one another and with the dynamic obstacle (the KUKA youBot). At the particular deadlock event shown in Fig. 12b, the youBot must eventually move away from the Door region, as the assumption pictured in Fig. 7 states that ‘only temporary deadlock is allowed’ when either of the robots are trying to enter it from the Kitchen. The experiments demonstrate that the approach is effective at deadlock resolution and at achieving collision free motion, thereby satisfying the mission specification.
10 Conclusion
We present a framework for synthesizing a strategy automaton and collisionfree local planner that guarantees completion of a task specified in linear temporal logic, where we consider reactive mission specifications abstracted with respect to basic locomotion, sensing and actuation capabilities. Our approach is less conservative than current approaches that impose a separation between agents, and is computationally cheaper than explicitly modeling all possible obstacles in the environment. If no controller is found that satisfies the specification, the approach automatically generates the needed assumptions on deadlock to render the specification realizable and communicates these to the user. The approach generates controllers that accommodate deadlock between robots or with dynamic obstacles independently of the precise number of obstacles present, and we have shown that the generated controllers are correct with respect to the original specification. Experiments with ground and aerial robots demonstrate collision avoidance with other agents and obstacles, satisfaction of a task, deadlock resolution and livelockfree motion. Future work includes optimizing the set of revisions and decentralizing the synthesis.
Supplementary material
References
 AlonsoMora, J., Breitenmoser, A., Rufli, M., Beardsley, P., & Siegwart, R. (2010). Optimal reciprocal collision avoidance for multiple nonholonomic robots. In Proceedings of the international symposium on distributed autonomous robotics systems.Google Scholar
 AlonsoMora, J., Gohl, P., Watson, S., Siegwart, R., & Beardsley, P. (2014). Shared control of autonomous vehicles based on velocity space optimization. In IEEE international conference on robotics and automation (ICRA).Google Scholar
 AlonsoMora, J., Naegeli, T., Siegwart, R., & Beardsley, P. (2015). Collision avoidance for aerial vehicles in multiagent scenarios. Autonomous Robots, 39(1), 101–121.CrossRefGoogle Scholar
 Alur, R., Moarref, S., & Topcu, U. (2013). Counterstrategy guided refinement of GR(1) temporal logic specifications. In Formal methods in computeraided design (FMCAD) (pp. 26–33).Google Scholar
 Bento, J., Derbinsky, N., AlonsoMora, J., & Yedidia, J. S. (2013). A messagepassing algorithm for multiagent trajectory planning. In Annual conference on neural information processing systems (NIPS).Google Scholar
 Bhatia, A., Kavraki, L., & Vardi, M. (2010). Samplingbased motion planning with temporal goals. In IEEE international conference on robotics and automation (ICRA).Google Scholar
 Bloem, R., Jobstmann, B., Piterman, N., Pnueli, A., & Sa’ar, Y. (2012). Synthesis of reactive (1) designs. Journal of Computer and System Sciences, 78(3), 911–938.MathSciNetCrossRefMATHGoogle Scholar
 Chen, Y., Ding, X. C., Stefanescu, A., & Belta, C. (2012). Formal approach to the deployment of distributed robotic teams. IEEE Transactions on Robotics, 28(1), 158–171.CrossRefGoogle Scholar
 Cirillo, M., Uras, T., & Koenig, S. (2014). A latticebased approach to multirobot motion planning for nonholonomic vehicles. In Proceedings of the IEEE/RSJ international conference on intelligent robots and systems (IROS). Chicago.Google Scholar
 DeCastro, J., Ehlers, R., Rungger, M., Balkan, A., & KressGazit, H. (2016). Automated generation of dynamicsbased runtime certificates for highlevel control. Discrete Event Dynamic Systems. doi: 10.1007/s1062601602327.
 DeCastro, J. A., AlonsoMora, J., Raman, V., Rus, D., & KressGazit, H. (2015). Collisionfree reactive mission and motion planning for multirobot systems. In Proceedings of the international symposium on robotics research (ISRR).Google Scholar
 Deits, R., & Tedrake, R. (2014). Computing large convex regions of obstaclefree space through semidefinite programming. In Workshop on the algorithmic fundamentals of robotics.Google Scholar
 Dimarogonas, D. V., Frazzoli, E., & Johansson, K. (2012). Distributed eventtriggered control for multiagent systems. IEEE Transactions on Automatic Control, 57(5), 1291–1297.MathSciNetCrossRefGoogle Scholar
 Ehlers, R. (2013). Symmetric and efficient synthesis, Ph.D. thesis. Saarland University.Google Scholar
 Ehlers, R., Knighofer, R., & Bloem, R. (2015). Synthesizing cooperative reactive mission plans. In Intelligent robots and systems (IROS), 2015 IEEE/RSJ international conference on.Google Scholar
 Ehlers, R., & Raman, V. (2016). Slugs: Extensible GR(1) synthesis. In Computer aided verification—28th international conference, CAV 2016, Toronto, ON. Proceedings, Part II (pp. 333–339). doi: 10.1007/9783319415406_18.
 Ehlers, R., & Topcu, U. (2014). Resilience to intermittent assumption violations in reactive synthesis. In Proceedings of the international conference on Hybrid systems: Computation and control.Google Scholar
 Finucane, C., Jing, G., & KressGazit, H. (2010). LTLMoP: Experimenting with language, temporal logic and robot control. In Proceedings of the IEEE/RSJ international conference on intelligent robots and systems.Google Scholar
 Hsu, D., Latombe, J. C., & Kurniawati, H. (2007). On the probabilistic foundations of probabilistic roadmap planning. The International Journal of Robotics Research, 25(7), 627–643.CrossRefMATHGoogle Scholar
 Jing, G., Ehlers, R., & KressGazit, H. (2013). Shortcut through an evil door: Optimality of correctbyconstruction controllers in adversarial environments. In 2013 IEEE/RSJ international conference on intelligent robots and systems (pp. 4796–4802). doi: 10.1109/IROS.2013.6697048.
 Karaman, S., & Frazzoli, E. (2009). Samplingbased motion planning with deterministic \(\mu \)calculus specifications. In IEEE conference on decision and control (CDC).Google Scholar
 Knepper, R. A., & Rus, D. (2012). Pedestrianinspired samplingbased multirobot collision avoidance. In ROMAN (pp. 94–100). IEEE.Google Scholar
 KressGazit, H., Conner, D. C., Choset, H., Rizzi, A. A., & Pappas, G. J. (2008a). Courteous cars. IEEE Robotics Automation Magazine, 15(1), 30–38.CrossRefGoogle Scholar
 KressGazit, H., Fainekos, G. E., & Pappas, G. J. (2008b). Translating structured english to robot controllers. Advanced Robotics, 22(12), 1343–1359.CrossRefGoogle Scholar
 KressGazit, H., Fainekos, G. E., & Pappas, G. J. (2009). Temporal logic based reactive mission and motion planning. IEEE Transactions on Robotics, 25(6), 1370–1381.CrossRefGoogle Scholar
 LaValle, S. M., & Kuffner, J. J. (2001). Randomized kinodynamic planning. The International Journal of Robotics Research, 20(5), 378–400.CrossRefGoogle Scholar
 Li, W., Dworkin, L., & Seshia, S. A. (2011). Mining assumptions for synthesis. In IEEE/ACM international conference on formal methods and models for codesign.Google Scholar
 Liu, J., Ozay, N., Topcu, U., & Murray, R. M. (2013). Synthesis of reactive switching protocols from temporal logic specifications. IEEE Transactions on Automatic Control, 58(7), 1771–1785.MathSciNetCrossRefGoogle Scholar
 Livingston, S. C., Prabhakar, P., Jose, A. B., & Murray, R. M. (2013). Patching tasklevel robot controllers based on a local \(\mu \)calculus formula. In Proceedings of the IEEE international conference on robotics and automation (ICRA). Karlsruhe.Google Scholar
 Loizou, S. G., & Kyriakopoulos, K. J. (2004). Automatic synthesis of multiagent motion tasks based on LTL specifications. In Proceedings of IEEE conference on decision and control (CDC).Google Scholar
 Maly, M., Lahijanian, M., Kavraki, L. E., KressGazit, H., & Vardi, M. Y. (2013). Iterative temporal motion planning for hybrid systems in partially unknown environments. In Proceedings of the ACM international conference on hybrid systems: Computation and control (HSCC) (pp. 353–362). Philadelphia, PA: ACM.Google Scholar
 Mellinger, D., Kushleyev, A., & Kumar, V. (2012). Mixedinteger quadratic program trajectory generation for heterogeneous quadrotor teams. In IEEE international conference on robotics and automation.Google Scholar
 Pivtoraiko, M., Knepper, R. A., & Kelly, A. (2009). Differentially constrained mobile robot motion planning in state lattices. Journal of Field Robotics, 26(3), 308–333.CrossRefGoogle Scholar
 Raman, V. (2014). Reactive switching protocols for multirobot highlevel tasks. In IEEE/RSJ international conference on intelligent robots and systems.Google Scholar
 Raman, V., & KressGazit, H. (2014). Synthesis for multirobot controllers with interleaved motion. In IEEE international conference on robotics and automation.Google Scholar
 Raman, V., Piterman, N., & KressGazit, H. (2013). Provably correct continuous control for highlevel robot behaviors with actions of arbitrary execution durations. In IEEE international conference on robotics and automation.Google Scholar
 Saha, I., Ramaithitima, R., Kumar, V., Pappas, G. J., & Seshia, S. A. (2016). Implan: Scalable incremental motion planning for multirobot systems. In Proceedings of the 7th international conference on cyberphysical systems (ICCPS).Google Scholar
 Schillinger, P., Bürger, M., & Dimarogonas, D. V. (2016). Decomposition of finite LTL specifications for efficient multiagent planning. In 13th international symposium on distributed autonomous robotic systems. Springer Tracts in Advanced Robotics.Google Scholar
 Tumova, J., & Dimarogonas, D. V. (2015). Decomposition of multiagent planning under distributed motion and task LTL specifications. In 54th IEEE conference on decision and control, CDC 2015. Osaka: IEEE (pp. 7448–7453). doi: 10.1109/CDC.2015.7403396,
 Ulusoy, A., Smith, S. L., Ding, X. C., Belta, C., & Rus, D. (2013). Optimality and robustness in multirobot path planning with temporal logic constraints. The International Journal of Robotics Research, 32(8), 889–911.CrossRefGoogle Scholar
 van den Berg, J., Guy, S. J., Lin, M., & Manocha, D. (2009). Reciprocal nbody collision avoidance. In International symposium on robotics research (ISRR).Google Scholar
 Vardi, M. Y. (1996). An automatatheoretic approach to linear temporal logic. In Logics for concurrency (pp. 238–266). Berlin: Springer.Google Scholar
 Wong, K. W., Ehlers, R., & KressGazit, H. (2014). Correct highlevel robot behavior in environments with unexpected events. In Proceedings of robotics science and systems.Google Scholar
 Wongpiromsarn, T., Topcu, U., & Murray, R. (2012). Receding horizon temporal logic planning. IEEE Transactions on Automatic Control, 57(11), 2817–2830.MathSciNetCrossRefMATHGoogle Scholar
 Wongpiromsarn, T., Ulusoy, A., Belta, C., Frazzoli, E., & Rus, D. (2013). Incremental synthesis of control policies for heterogeneous multiagent systems with linear temporal logic specifications. In IEEE international conference on robotics and automation (ICRA).Google Scholar
Copyright information
Open AccessThis article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.