A Component-Based Simplex Architecture for High-Assurance Cyber-Physical Systems
Dung Phan, Junxing Yang, Matthew Clark, Radu Grosu, John D. Schierman, Scott A. Smolka, Scott D. Stoller
AA Component-Based Simplex Architecture forHigh-Assurance Cyber-Physical Systems
Dung Phan ∗ , Junxing Yang ∗ , Matthew Clark † , Radu Grosu ‡ , John Schierman § , Scott Smolka ∗ and Scott Stoller ∗∗ Department of Computer ScienceStony Brook University, Stony Brook, NY, USA † Air Force Research Laboratory, Dayton, OH, USA ‡ Department of Computer ScienceVienna University of Technology, Vienna, Austria § Barron Associates Inc., Charlottesville, VA, USA
Abstract —We present
Component-Based Simplex Architecture (CBSA), a new framework for assuring the runtime safety ofcomponent-based cyber-physical systems (CPSs). CBSA inte-grates Assume-Guarantee (A-G) reasoning with the core princi-ples of the Simplex control architecture to allow component-basedCPSs to run advanced, uncertified controllers while still providingruntime assurance that A-G contracts and global properties aresatisfied. In CBSA, multiple Simplex instances, which can becomposed in a nested, serial or parallel manner, coordinate toassure system-wide properties.Combining A-G reasoning and the Simplex architecture is achallenging problem that yields significant benefits. By utilizingA-G contracts, we are able to compositionally determine theswitching logic for CBSAs, thereby alleviating the state explosionencountered by other approaches. Another benefit is that wecan use A-G proof rules to decompose the proof of system-widesafety assurance into sub-proofs corresponding to the component-based structure of the system architecture. We also introduce thenotion of coordinated switching between Simplex instances, a keycomponent of our compositional approach to reasoning aboutCBSA switching logic.We illustrate our framework with a component-based controlsystem for a ground rover. We formally prove that the CBSA forthis system guarantees energy safety (the rover never runs outof power), and collision freedom (the rover never collides witha stationary obstacle). We also consider a CBSA for the roverthat guarantees mission completion : all target destinations visitedwithin a prescribed amount of time.
Index Terms —Simplex architecture; Assume-guarantee rea-soning; Component-based system architecture; Cyber-physicalsystems; Collision avoidance
I. I
NTRODUCTION
Simplex [1]–[3] is a software architecture for high-assuranceprocess-control systems. It traditionally consists of a phys-ical plant and two versions of the controller: an advancedcontroller (AC) and a baseline controller (BC). The AC isin control of the plant under nominal operating conditions,and is designed to achieve high-performance according tocertain metrics (e.g., maneuverability, fuel economy, mission-completion time). The BC is pre-certified to keep the plantwithin a prescribed safety region , i.e., a region of safe op-eration. A decision module (DM), which is also pre-certified,continually monitors the state of the plant and switches controlof the plant to the BC should the plant be in imminent danger(i.e., within the next update period) of exiting the safety region. As such, Simplex is a very powerful architecture. It assuresthat the plant is properly controlled even if the advanced con-troller has bugs. As advanced controllers are increasingly morecomplex, more adaptive with the use of unverified algorithmssuch as machine-learning’s, runtime assurance techniques likeSimplex are becoming more important. Figure 1 illustrates theSimplex architecture.
Fig. 1. The Simplex architecture. The Decision Module and BaselineController are pre-certified.
The Simplex architecture was developed 20 years ago. Sincethen, control systems have evolved to take on a more complexstructure consisting of multiple controllers, each with a distinctfunctionality. For example, an autonomous vehicle might havea hierarchical control system consisting of controllers for (inorder of decreasing level of abstraction) mission-planning,guidance, navigation, and inner-loop control. A system ofthis form is illustrated in Fig. 2. Furthermore, some of thesecontrollers themselves may have a hierarchical or nestedstructure.Advanced control systems are not necessarily hierarchical,but are better understood as having a component-based ar-chitecture. A “component” may be a software module or thedistinguished physical-plant node (we do not consider multiplephysical plants, because a physical plant can be arbitrarilycomplex). It is important to have runtime assurance techniquesfor component-based control systems that are equally modular,to reduce their associated complexity and cost.Components may have different update periods (or ex-ecution periods ). For the autonomous-vehicle example, themission-planning component’s update period may be a multi-ple of navigation’s, which in turn may be a multiple of inner- a r X i v : . [ c s . S Y ] A p r oop’s. The composition of these components is a multi-rate component. Our framework allows this multi-rate characteris-tic to be modeled explicitly.Adapting the Simplex architecture to component-basedsystems is non-trivial. On the one hand, wrapping a largemonolithic Simplex instance around the entire control systemviolates modularity principles, making the design and verifica-tion of the system more difficult. On the other hand, naivelywrapping each component of the system in an independentSimplex container is inadequate to ensure system-wide prop-erties, because of interactions between components.For example, to guarantee that a ground rover never runsout of power, the mission-planning controller might changethe current target to the most recently observed power stationwhen it detects that the battery level is low. It needs to relyon specific properties of other components to ensure that therover can reach the power station in question before depletingthe battery, and these properties might not be assured by theadvanced controllers of those components. This example alsohighlights the need for a compositional proof technique, sincea property is assured not by a single Simplex instance, butrather by multiple cooperating instances.Assume-Guarantee (A-G) reasoning [4]–[6] is a powerfulcompositional proof technique. With this approach, to provethat a system composed of components M and M satisfiesa property q , one shows that M satisfies q under assumptions p and that M satisfies p . Assumption p and guarantee q of M are specified in M ’s A-G contract . A-G contracts specifya component’s behavior for a single time step, and inductivereasoning about contracts is used to prove system-wide in-variants. Furthermore, this approach is applicable to arbitrarysafety properties, as a safety property can be expressed as aninvariant by adding auxiliary variables [7].
Contributions.
In this paper, we present
Component-BasedSimplex Architecture (CBSA), a new framework for assuringthe runtime safety of component-based cyber-physical sys-tems. CBSA integrates Assume-Guarantee reasoning with thecore principles of the Simplex control architecture to allowcomponent-based control systems to run advanced, uncertifiedcontrollers while still being able to provide runtime assurancethat A-G contracts, and the global invariants they imply, aresatisfied.A novelty of CBSA is that by utilizing A-G contracts, weare able to compositionally determine Simplex switching logic,thereby alleviating the state explosion problem encountered byother approaches. Prior methods [8]–[10] for deriving Simplexswitching logic are not designed to be modular, so componentswould need to be composed into a monolithic system beforeapplying these approaches. In contrast, we compositionallyderive Simplex switching logic for a component using assump-tions it makes about its environment. These assumptions arethen discharged by the guarantees specified in A-G contractsof other components.Another feature of CBSA is its use of A-G reasoning asa proof technique for runtime assurance. In CBSA, Simplex instances are used to guarantee local, component-based A-Gcontracts. These contracts specify, for each component, theassumptions it makes about its environment and the guaranteesit provides if the environment satisfies those assumptions. A-Greasoning, based on A-G proof rules, is used at compile timeto provide runtime assurance of global safety properties fromthe locally assured A-G contracts.CBSA also introduces the notion of coordinated switching among Simplex-based components. This is needed when theviolation of a contract in one component leads to a cascade ofcontract violations in other components, thereby necessitatingsynchronized switching to ensure that the desired systemproperties are not violated.Another contribution of the paper is a detailed case studythat thoroughly illustrates the principles of CBSA. In particu-lar, we show how to apply our framework to a component-based control system for the
Quickbot ground rover [11].The Quickbot control system includes a
Mission Planning component, which selects targets (i.e., destinations), and a
Navigation component, which steers the rover to its next targetdestination.We use A-G reasoning to formally prove that the CBSAfor this system guarantees two safety properties: (i) energysafety (ES), which ensures the rover never runs out of power,and (ii) collision freedom (CF), which ensures the rovernever collides with an obstacle. This example illustrates theunique characteristics of CBSA. The switching logic in allSimplex instances is designed to guarantee component-basedA-G contracts. Moreover, coordinated switching between theMission Planning and Navigation components is required toensure ES.The ES property illustrates how we use A-G contracts tocompositionally construct Simplex switching logic. To ensureenergy safety, the rover backtracks to the most recently visitedpower station when the battery level drops below a threshold.We compositionally derive this threshold for the
MissionPlanning ’s switching logic by using a guarantee in the contractof the
Navigation component. This guarantee assures that theenergy the rover needs to backtrack to the most recentlyvisited power station will not exceed the forward energy ithas expended to travel from this power station to the currentposition.
Navigation assures this guarantee by using a Simplex in-stance that must switch in tandem with
Mission Planning ’s in-stance. Therefore, we enforce a coordinated switching between
Mission Planning and
Navigation to ensure the satisfaction ofboth components’ A-G contracts and the global energy safety property they imply.We additionally consider a
Mission Completion (MC) prop-erty for the Quickbot system, i.e., all target destinations arevisited within a prescribed amount of time. This property isinteresting not only because it is a (bounded) liveness property,a type of property not traditionally handled by Simplex, butalso because it is a higher-level mission-oriented propertyseveral layers of control removed from the physical plant. TheMC property is also more software-oriented in nature, as itevolves around a software data structure (a list of missiontargets).The rest of the paper is organized as follows. Section IIconsiders related work. Section III formally introduces ourCBSA framework. Sections IV and V present the Quickbotcase studies. Section VI offers our concluding remarks anddirections for future work.II. R
ELATED W ORK
The relationship of our work with the classical Simplexarchitecture is discussed in Section I.Schierman et al . developed a runtime assurance techniquesimilar to Simplex, known simply as RTA [12], [13]. RTA canbe applied to component-based systems, but each RTA wrapper(i.e., each Simplex-like instance) independently ensures a localsafety property of a component. For example, in [12], RTAinstances for an inner-loop controller and a guidance systemare uncoordinated and thereby operate independently. Theirwork does not consider A-G contracts or cooperation betweencomponents to ensure global properties like we do in thispaper.Schierman et al . recently extended their work on RTA byshowing how it can be used to ensure that components satisfyA-G contracts [14]. They apply RTA to, and give A-G con-tracts for, several components in an Unmanned Aerial Vehicle(UAV) flight control system. They do not use formal A-G proofrules to derive global invariants. Instead, they reason about theoverall safety of the system using Goal-Structuring Notation(GSN), which is less formal. They discuss the potential needfor coordinated switching, but coordinated switching is notused in their case study.A-G reasoning has been extensively studied for the compo-sitional verification of complex systems (e.g., [4]–[6], [15]–[19]). There is also significant tool support for A-G reasoning,including AGREE [20], OCRA [21], and Safety ADD [22].AGREE is a framework that supports A-G reasoning onarchitectural models specified in AADL. OCRA supports thespecification of A-G contracts using temporal logic and canalso be used to verify the correctness of contract refinements.Safety ADD is a tool for defining A-G contracts and verifyingthat all guarantee-assumption pairs match and there are nounfulfilled assumptions. A-G reasoning has also been used forcompositionally checking source code for preservation of thedesign’s correctness [23].In [24], compositional barrier functions are used to provablyguarantee the simultaneous satisfaction of composed objec-tives. They rely on a single controller and an optimizationbased approach to correct the controller when violations ofsafety are imminent, which has limited capability and lessflexibility compared to Simplex.None of these approaches, however, consider the possi-bility of pairing A-G reasoning with techniques for runtimeassurance of system properties. Our approach integrates A-G reasoning with the core principles of Simplex, allowingcomponent-based systems to run advanced, uncertified con-trollers while still being able to provide runtime assurance that A-G contracts, and the global invariants they imply, aresatisfied.A comparison between our work and the Simplex switching-logic-derivation techniques in [8]–[10] is given in Section I.Without A-G contracts and our concept of coordinated switch-ing, those approaches could be extended as follows to applyto systems with multiple Simplex instances. Suppose thereare n Simplex instances, and s is the decision period. Aglobal decision module can choose among n possible con-troller configurations (baseline or advanced for each Simplexinstance). For each of these n configurations, do backwardreachability analysis [9] with an unbounded time horizonfor the system composed from the selected controllers andthe plant, using maximally nondeterministic models for theadvanced controllers, to obtain a recoverable region for thatconfiguration. At each decision time, the global decisionmodule checks whether (1) all states reachable in time at most s using the current controller configuration are safe, and (2) allstates reachable in time exactly s using the current controllerconfiguration are in the recoverable region of the currentcontroller configuration. If so, the decision module continuesto use the current configuration; otherwise, it switches to acontroller configuration for which these two conditions hold.III. C OMPONENT -B ASED S IMPLEX A RCHITECTURE
A. Multi-rate Components
Definition 1. A multi-rate component M is a tuple ( x, u, y,S ) , where x = { x , ..., x m } is the set of state variables , u = { u , ..., u k } is the set of input variables , y = { y , ..., y n } isthe set of output variables , and S = { ( f , g , s ) , ..., ( f l , g l ,s l ) } is a sequence whose i -th element is a triple of a next-statefunction f i , an output function g i , and their update period s i ,which is a positive integer multiplier of the global clock tick dt . The sets of input and output variables are disjoint. Thebehavior of M at tick i is defined as follows. (cid:26) x ( i ) = f j ( x ( i − , u ( i )) , ∀ j ∈ [1 ..l ] : i mod s j = 0 y ( i ) = g j ( x ( i ) , u ( i )) , ∀ j ∈ [1 ..l ] : i mod s j = 0 where the set assignment A = B means only the variablesin A ∩ B are assigned the corresponding values in B . Thevariables in A that are not updated at tick i retain the valuesthey had at tick i − .We give examples of components in Section IV-B. B. Composition with Feedback
For simplicity, we make the following assumptions aboutmulti-rate components.1) Components communicate via shared variables. After acomponent writes a shared variable, the updated value isinstantly available to be read by all components.2) If a component writes and another component reads ashared variable at the same tick, then there must be apredetermined order of execution of the two components.The order of execution of M (cid:107) M is M , M . Thismeans the composition operator (cid:107) is associative but notnecessarily commutative.) The execution time of a component is negligible.4) A 1-tick delay is introduced in feedback loops to breakcircularity. A feedback loop exists between two compo-nents M = ( x , u , y , S ) and M = ( x , u , y , S ) if y ∩ u (cid:54) = ∅ and y ∩ u (cid:54) = ∅ . If the order of execution is M , M then the variables in y that feed back into u are delayed by one tick; i.e., y ( i − is supplied to f i and g i of M instead of y ( i ) .Two components M = ( x , u , y , S ) and M = ( x , u ,y , S ) are composable if x ∩ x = ∅ and y ∩ y = ∅ . Definition 2.
Let M and M be composable. Then their composition M (cid:107) M is the component ( x, u, y, S ) , where x = x ∪ x ∪ ( y ∩ u ) ∪ ( y ∩ u ) , u = ( u ∪ u ) − ( y ∪ y ) , y = y ∪ y , and S = S ∪ S .Functions f i and g i of M (cid:107) M ignore variables in x and u that are not their original arguments. Note that the connectedinputs ( y ∩ u ) ∪ ( y ∩ u ) are hidden from u and added to x . This is necessary to ensure functions f i , g i can still accesstheir required variables. The variables in x ∩ y are synchronizedand updated by functions g i . Because the order of execution is M , M , functions f i and g i in S are executed before thosein S . Remark.
Our definition of component is similar to [25] exceptwe have multi-rate. Our form of non-commutative compositioncan be regarded as a shorthand for a combination of cascadecomposition and feedback composition in [25]. For example,suppose component M reads variable x and writes variable y ,and component M reads y and writes x . To obtain a systemequivalent to our composition M (cid:107) M using the combinatorsin [25], one can first construct a cascade composition of M , M , and a unit delay state machine M D that delays x by onetick, and then perform a feedback composition on the resultingcomponent. C. Assume-Guarantee Contracts
To prove system properties in CBSA, we use A-G reasoningin the form of A-G contracts [26]. That is, with every com-ponent M of a CBSA, we associate a contract of the form C = ( I, O, A, G ) , where I is a set of typed input variables, O is a set of typed output variables, A is an assumptions predicate, and G is a guarantees predicate. Note that a contractcannot guarantee a system-wide property involving a (global)variable that does not belong to the contract. A contractshould only talk about the assumptions and guarantees ofits inputs and outputs. A-G contracts allow compositionalreasoning about CBSAs using the A-G reasoning rule given inSection III-D. In CBSA, the switching logic for the Simplexinstance of a component is based on determining whether theactive AC might violate the component’s guarantees in the nextdecision period. Furthermore, the composition of all activecontrollers must imply the safety properties of the system.This principle results in a requirement that the composition ofall BCs in a CBSA must imply the safety properties of thesystem in case all components must switch to their BCs. D. Assume-Guarantee Proof Rule An assume-guarantee triple of the form (cid:104) p (cid:105) M [ s ] (cid:104) q (cid:105) meanscomponent M guarantees the satisfaction of property q up toand including time t + s · dt under the assumption that property p is satisfied at time t , where s is an update period of M , t is the beginning of the current update period, and dt is theglobal tick. By induction over time, (cid:104) true (cid:105) M [ s ] (cid:104) p (cid:105) implies M always satisfies p .The choice of update period s in (cid:104) p (cid:105) M [ s ] (cid:104) q (cid:105) is guidedby the property q . If q is given in terms of the variables ofa single-rate sub-component of M , then the update periodof that sub-component is an appropriate choice for s . If q involves variables from multiple sub-components, then theshortest update period of these sub-components is a goodchoice for s .We use the following Assume-Guarantee rule as a formalproof rule for multi-rate systems because it is general enoughto handle most cases of interest, including our case studies.The rule we use is asymmetric in the sense that only onecomponent makes assumptions about the other component.Other A-G proof rules, including symmetric ones (e.g. [27]),can also be used with our framework. Rule AG. (cid:104) p (cid:105) M [ s ] (cid:104) q (cid:105)(cid:104) true (cid:105) M [ s ] (cid:104) p (cid:105)(cid:104) true (cid:105) ( M (cid:107) M ) [ s ] (cid:104) q (cid:105) Rule AG allows one to prove that a system composed ofcomponents M and M satisfies a property q by provingthat (1) component M guarantees q under assumption p , and(2) component M assures p unconditionally. E. Coordinated SwitchingCoordinated switching is when a switch from AC to BCin one component forces another component to also switchfrom AC to BC. Suppose components M and M useSimplex to ensure their contracts C = ( I , O , A , G ) and C = ( I , O , A , G ) , respectively. Assuming A = true and G | = A , where φ | = ϕ means φ entails ϕ , we have M (cid:107) M | = G by applying Rule AG. Let AC i and BC i bethe AC and BC, respectively, of M i . A typical situation thatrequires coordinated switching is as follows. Suppose G isthe implication φ ⇒ φ , and φ involves a shared variablethat M modifies when switching from AC to BC such that φ changes from false to true as a result. Suppose BC ensures φ but AC does not. When M uses AC , G is vacuouslytrue. When M uses BC , M must use BC to satisfy G .Thus, if M is using AC when M switches to BC , then M must perform a coordinated switch to BC .Coordinated switching is required in our case study. The Mission Planning component has a BC called the rechargecontroller, which tells the rover to go back to the mostrecently visited power station to recharge. When
MissionPlanning switches to its BC, it assumes that the
Navigation component can steer the rover to that power station within acertain energy budget. The BC in the
Navigation componentuarantees this energy constraint, but the AC does not. Thus,when the
Mission Planning component switches to its BC,the
Navigation component must also switch to its BC. In thisexample, the shared variable in φ that communicates the needfor the Navigation component to switch is the variable ctlr ,which explicitly indicates which controller is in control of the
Mission Planning component.Coordinated switching can be generalized to be between modes . A component may have multiple modes with differentguarantees. Each mode can use a Simplex instance to assureits guarantees. When a component M switches modes, it mayrequire component M to switch to another mode so thatit can use the guarantee that M ’s new mode provides. Inour example above, we can view Mission Planning as havingtwo modes, named go-to-target and recharge, and
Navigation as having two modes, named go-to-target and backtrack.When
Mission Planning switches to recharge mode, it requires
Navigation to switch to backtrack mode. In our case study,recharge mode and backtrack mode use certified controllers,so we do not need to nest Simplex instances in them.IV. T HE Q UICKBOT C ASE S TUDY
Mission Planning , Navigation , Inner-Loop & Plant ; see Fig. 2.
Mission Plan-ning ’s update period s MP is a multiple of Navigation ’s s Nav ,which in turn is a multiple of
Inner-Loop & Plant ’s s ILP . TheQuickbot system composed of these components is therefore amulti-rate component.
Mission Planning sends the next targetposition T to the Navigation component.
Navigation steers therover to T while avoiding obstacles. It does this by computingan appropriate target linear velocity vector ( v T ) and targetangular velocity ( ω T ) at each time step. The pair of velocities ( v T , ω T ) is sent to Inner-Loop & Plant , which computes andactuates the appropriate rotational speeds for each of the twowheels to reach the desired velocities.The rover is equipped with infrared (IR) sensors, twowheel encoders (which count revolutions of the wheels), apower-station sensor, and a battery-level sensor.
Inner-Loop & Plant converts the raw sensor data into the rover’s currentposition ( p ), linear velocity vector ( v ), angular velocity ( ω ), IRdistances ( ir ) to obstacles, location of the last-detected powerstation ( P S ), and battery level ( B ).We use MP , Nav and
ILP to denote the
Mission Planning , Navigation and
Inner-Loop & Plant components, respectively,and QB to denote the entire Quickbot system. QB is theparallel composition of MP , Nav , and
ILP , i.e., QB = MP (cid:107) Nav (cid:107)
ILP . ILP is implicitly the parallel composition of the
Inner-Loop Control component and the physical plant.
Fig. 2. Component-based Simplex architecture for Quickbot rover.
A. Problem Statement and Assumptions
We design a CBSA whose mission is to visit the specifiedtargets while ensuring the following safety properties.1)
Energy safety (ES): the rover never runs out of power.2)
Collision freedom (CF): the rover never collides with anobstacle.We make the following assumptions about the rover.1) The rover does not have a map of the environment.2) There are gaps (blind spots) between the fields-of-viewof the distance sensors.3) The distance sensors have a limited sensing range [0 , R s ] .4) The rover can stop instantaneously.5) The linear speed v is bounded by v ∈ [0 , v max ] .6) The rotational speed ω is bounded by ω ∈ [ − ω max , ω max ] .7) The rover can reach any pair of values ( v, ω ) instanta-neously, provided they are within bounds.8) The rover starts at a power station.9) The rover can detect a power station when passing withindistance d PS of it.10) The rover can recharge when it is within distance d PS ofa power station.11) The power consumption of the rover is a monotonicallyincreasing function of the rotational speeds of the twowheels.We make the following assumptions about the environment.1) Obstacles are stationary polyhedra.2) There is a known lower bound on the internal anglesbetween edges of an obstacle.3) There is a known lower bound on the edge lengths of anobstacle.4) The separation between obstacles is such that whenevertwo adjacent sensors simultaneously detect an obstacle,they are detecting the same obstacle.Assumptions 1-7 about the rover and 1-4 about obstaclesare the same as in [28]. This allows us to reuse the Simplexinstance in [28] to help ensure the CF property. Let A P denotethe conjunction of the above assumptions about the rover. Weassume ILP satisfies A P . . Quickbot CBSA The architecture of the Quickbot CBSA is shown in Fig. 2.A novelty of our case study is that we apply the Simplexarchitecture to the
Mission Planning component; Simplex istraditionally applied to lower-level controllers that interactdirectly with the plant. In our component-based architecture,
Mission Planning controls a virtual plant comprising the
Navigation component, the
Inner-Loop Control component,and the physical plant.
Quickbot Components
We illustrate Definition 1 with theQuickbot components. The single-rate
Mission Planning com-ponent is MP = ( x MP , u MP , y MP , S MP ) , where x MP = { T,ctlr } , u MP = { p, B, PS , W } , y MP = { T, ctlr } , and S MP =( f MP , g MP , s MP ) . Here f MP and g MP are the next-state andoutput functions representing the algorithm for MP describedlater in this section, and s MP is the update period of MP . Thebehavior of MP at global tick i is specified by: (cid:26) x MP ( i ) = f MP ( x MP ( i − , u MP ( i )) if i mod s MP = 0 y MP ( i ) = g MP ( x MP ( i ) , u MP ( i )) , if i mod s MP = 0 The single-rate
Navigation component is
Nav = ( x Nav ,u Nav , y
Nav , S
Nav ) , where x Nav = { v T , ω T , W } , u Nav = { T,ctlr, p, v, ω, ir } , y Nav = { v T , ω T , W } , and S Nav = ( f Nav ,g Nav , s
Nav ) . Here f Nav and g Nav are the next-state and outputfunctions representing the algorithm for
Nav described laterin this section, and s Nav is the update period of
Nav . Thebehavior of
Nav at global tick i is specified by: (cid:26) x Nav ( i ) = f Nav ( x Nav ( i − , u Nav ( i )) if i mod s Nav = 0 y Nav ( i ) = g Nav ( x Nav ( i ) , u Nav ( i )) , if i mod s Nav = 0
The single-rate
Inner-Loop & Plant component is
ILP =( x ILP , u
ILP , y
ILP , S
ILP ) , where x ILP = { p, v, ω, ir, P S, B } , u ILP = { v T , ω T } , y ILP = { p, v, ω, ir, P S, B } , and S ILP =( f ILP , g
ILP , s
ILP ) . Here f ILP and g ILP are the next-state andoutput functions representing the dynamics and sensing of
ILP ,and s ILP is the update period of
ILP . The behavior of
ILP atglobal tick i is specified by: (cid:26) x ILP ( i ) = f ILP ( x ILP ( i − , u ILP ( i )) if i mod s ILP = 0 y ILP ( i ) = g ILP ( x ILP ( i ) , u ILP ( i )) , if i mod s ILP = 0 where f ILP and g ILP are the next-state and output functionsrepresenting the dynamics and sensing of
ILP . The order ofexecution is MP and then Nav (in time steps when they bothexecute) and then
ILP . We assume s MP is a multiple of s Nav ,and s Nav is a multiple of s ILP . Quickbot Controllers
Recall that we assume that the rovercan detect a power station within distance d PS , for example,by using a camera to read a QR code or by using an RFIDreader to read a tag. When the rover passes near a powerstation, it can determine with IR sensors whether the powerstation is accessible from its current location; i.e., there are nointervening obstacles. If the power station is accessible, therover remembers it as the last-visited (i.e., the most recentlypassed) power station. The Mission Planning
AC informs the
Navigation compo-nent of the next target to be visited to fulfill the mission goals,while the BC (the recharge controller) instructs the
Navigation component to navigate to the most recently detected powerstation. We say that the rover is in recharge mode when DM has switched control to the recharge controller. To guaranteethat recharge mode will drive the rover to a power stationwithout depleting the battery, we need a certified backtrack-to-power-station controller in the Navigation component. Sincethe rover lacks a map of the environment, backtracking is themost realistic way to guarantee that the rover can reach apower station without running out of power.We also briefly considered a variant of the problem inwhich the rover has a map showing locations of powerstations. If the rover does not also have a map of obstacles,backtracking to the last-visited power station might still benecessary, because nearby power stations could be blockedby unknown obstacles that would take too much power tocircumnavigate. More complex strategies for the AC in the
Mission Planning component could help avoid backtracking.For example, instead of going as directly as possible to thetargets, it might add waypoints that are slightly out of theway but help the rover determine accessibility of nearby powerstations.Note that there is coordinated switching between the
Mis-sion Planning component and the
Navigation component.When
Mission Planning switches to the recharge controller,
Navigation must switch to the backtrack controller. Therecharge controller in
Mission Planning assumes that the
Navigation component can navigate the rover to a powerstation using at most a specified amount of energy. The go-to-target controller does not provide such guarantees, whereasthe backtrack-to-power-station controller (backtrack controller,for short) does. This cascading switch is implemented byhardwiring a decision signal from
Mission Planning ’s DM to
Navigation ’s DM, as shown in Fig. 2.We introduce a recorder module that records the positionsand heading angles (waypoints) at every time step of
Naviga-tion . When in recharge mode, the backtrack controller tracksthese recorded positions in reverse order. We also want thebacktrack controller to preserve the CF property so that therover is guaranteed not to collide with any static obstacles onthe way back to the last-visited power station. We considerthree designs for the backtrack controller.1) Instead of recording waypoints, we can record the controlinputs ( v, ω ) for ILP in every
Navigation time step. Whenbacktracking, we replay ( v, − ω ) . This controller willtrace the forward path exactly provided that there are noactuation or state estimation errors. Otherwise, the errorwill accumulate.2) The rover can backtrack from its current position to arecorded waypoint by first turning in place to point tothe target waypoint and then moving in a straight line toit. This approach is robust, but it is slow, consumes moreenergy, and replaces a curve in the forward trajectoryith a line segment in the backward trajectory. Sucha discrepancy could lead to collisions unless the avoid-obstacles controller is invoked.3) The rover can backtrack from its current position to arecorded waypoint by computing the appropriate valuesof ( v, ω ) . This means we need to solve the inversekinematics problem , which in general has no analyticalsolution. We can, however, obtain the least-squares so-lution, which has several benefits. If there are no errorsthen the least-squares solution is an exact solution; i.e.,this approach falls back to the first one. If there are errors,the errors will be minimized in the least-squares sense andbounded, instead of accumulating. Assuming the errorsare small, the trajectory during backtracking is alwaysclose to the forward trajectory, and the energy consumedduring backtracking is within a bounded margin of theenergy consumed going forward. We adopt this approachfor the backtrack controller because of these benefits.The rover can backtrack from its current position to a recordedwaypoint by computing the appropriate values of ( v, ω ) . Itcan do this by solving the inverse kinematics problem for theleast-squares solution. Suppose the rover is currently at point A = ( x , y , θ ) and wants to reach a recorded waypoint B =( x , y , θ ) in one Navigation time step t Nav . The kinematicsequation is given below. x = x + (cid:82) t + t Nav t v cos( θ + ωt ) dty = y + (cid:82) t + t Nav t v sin( θ + ωt ) dtθ = θ + ωt Nav (1)The solution in the trivial case where θ = θ is ω = 0 and v = AB /t Nav . If θ (cid:54) = θ , Eq. 1 becomes: x = x + vω (sin θ − sin θ ) y = y + vω (cos θ − cos θ ) θ = θ + ωt Nav (2)We solve Eq. 2 for the least-squares solution using thestandard least-squares method.We reuse the Simplex instance in [28] to help ensure theCF property. We nest this instance inside the AC of theSimplex instance in
Navigation . The intuition behind thisnested composition of Simplex instances is that the backtrackcontroller also helps ensure the CF property, because it re-traces a collision-free path the rover has already traveled.Therefore, the Simplex instance involving AC and BC inFig. 2 assures the CF property. Contracts of Quickbot Components
Based on the aboveanalysis, we specify the following contracts. The
MissionPlanning component’s contract is:Inputs: p, PS , B, W Outputs:
T, ctlr
Assumption: ctlr = BC ⇒ BE ( p, PS , W ) ≤ (1 + (cid:15) BE ) FE ( PS , p ) Guarantee:
B > E ( p, PS ) where BE ( p, PS , W ) is the energy needed to backtrack fromthe current position p to the most recently visited power station PS going through the sequence of recorded waypoints W ; (cid:15) BE is a constant defined in Section IV-C; FE ( PS , p ) is theenergy expended on the forward path from PS to p ; E ( p, PS ) is the energy needed to go from p to PS , including theamount of energy needed to turn 180 ◦ before backtracking.The Navigation component’s contract is:Inputs:
T, ctlr, p, ir, v, ω
Outputs: v T , ω T , W Assumption: A P Guarantee: ( d o > ∧ ( ctlr = BC ⇒ BE ( p, PS , W ) ≤ (1 + (cid:15) BE ) FE ( PS , p )) where d o is the shortest distance to an obstacle. The Inner-Loop & Plant ’s contract is:Inputs: v T , ω T Outputs: p, PS , B, ir, v, ω Assumption: true
Guarantee: A P The input and output variables of each component are shownin Fig. 2.
C. Switching Logic for the ES Property
The ES property can be formally expressed as G ( B > ,where G is the always (global) operator in linear temporallogic. In our design, this is ensured by having the roverrecharge at a power station whenever the battery level is low.So, we enforce the stricter property that the rover always hasenough energy to return to the last-visited power station. Thisproperty is formalized as G ( B > E ( p, PS )) , where E ( p, PS ) is the amount of energy needed to go from the current position p to the last-visited power station PS , including the amountof energy needed to turn 180 ◦ ( E ) before going back.Hereafter, we refer to G ( B > E ( p, PS )) as the ES property.We assume the following constants are known:1) (cid:15) BE : a constant such that the backtracking energy BE (p, PS , W) needed to backtrack from the current position p to the last-visited power station PS through a sequenceof recorded waypoints W is bounded by (1 + (cid:15) BE ) timesthe forward energy FE ( PS , p) expended since P S waslast visited, i.e., BE ( p, PS , W ) ≤ (1 + (cid:15) BE ) FE ( PS , p ) .If there are no errors in actuation or state estimation, wecan take (cid:15) BE = 0 .2) E MP : the worst-case energy expended in one updateperiod of Mission Planning by an arbitrary controller.3) E : the energy needed to turn in place by 180 ◦ .4) BE MP : a bound on the energy needed to backtrack fromthe rover’s position at the end of the next update periodof Mission Planning to the current position.Let E MP be the amount of energy expended when both wheelsrotate at maximum rotational speed for one update period of Mission Planning . BE MP equals E MP .The DM in the Mission Planning component decideswhether to continue to go forward or to return to PS . If itdecides to go forward, it must ensure that the ES propertyholds at its next decision point. The worst-case amount ofenergy needed to travel to a position within one update periodnd then backtrack from that position to PS is E MP + E + BE MP + (1 + (cid:15) BE ) FE ( PS , p ) . The switching condition isthus: B ≤ E MP + E + BE MP + (1 + (cid:15) BE ) FE ( PS , p ) (3)This switching condition is derived compositionally byrelying on Mission Planning ’s assumption, an assumptionthat is later discharged by composing
Mission Planning with
Navigation . We do not need to consider implementation detailsof other components in the derivation process.
D. Proof Outlines of ES and CF
Lemma 1.
For any property φ , (cid:104) A P (cid:105) Nav [ s Nav ] (cid:104) φ (cid:105) ⇒(cid:104) true (cid:105) ( Nav (cid:107)
ILP ) [ s Nav ] (cid:104) φ (cid:105) . Proof.
The proof follows from our assumptions and oneapplication of Rule AG. (cid:104) A P (cid:105) Nav [ s Nav ] (cid:104) φ (cid:105)(cid:104) true (cid:105) ILP [ s ILP ] (cid:104) A P (cid:105)(cid:104) true (cid:105) Nav (cid:107)
ILP [ s Nav ] (cid:104) φ (cid:105) Theorem 1. (cid:104) true (cid:105) QB [ s MP ] (cid:104) ES (cid:105) Proof outline
1) We prove (cid:104) A BE (cid:105) MP [ s MP ] (cid:104) ES (cid:105) , where A BE is theassumption in MP ’s contract given in Section IV-B.2) We prove (cid:104) A P (cid:105) Nav [ s Nav ] (cid:104) A BE (cid:105) . By Lemma 1, thisimplies (cid:104) true (cid:105) ( Nav (cid:107)
ILP ) [ s Nav ] (cid:104) A BE (cid:105) .3) Applying Rule AG, we conclude that (cid:104) true (cid:105) ( MP (cid:107) Nav (cid:107)
ILP ) [ s MP ] (cid:104) ES (cid:105) . Theorem 2. (cid:104) true (cid:105) QB [ s MP ] (cid:104) CF (cid:105) Proof outline
1) We prove (cid:104) A P (cid:105) Nav [ s Nav ] (cid:104) CF (cid:105) . By Lemma 1, thisimplies (cid:104) true (cid:105) ( Nav (cid:107)
ILP ) [ s Nav ] (cid:104) CF (cid:105) .2) Applying Rule AG, we conclude that (cid:104) true (cid:105) ( MP (cid:107) Nav (cid:107)
ILP ) [ s MP ] (cid:104) CF (cid:105) .The full proofs of the ES and CF properties are providedin Appendix A. E. Experimental Results
We implemented the CBSA for the Quickbot rover inMatlab using the following parameter values: (1) number ofdistance sensors N = 8 ; (2) angle of detection of the sensors β s = 5 ◦ ; (3) maximum range of the sensors R s = 0 . m ;(7) radius of the wheels r = 0 . m ; (8) distance betweenthe centers of the two wheels l = 0 . m ; (9) maximumlinear velocity v max = 0 . m/s ; (10) maximum angular ve-locity ω max = 7 π rad/s ; (11) power station sensor detectionrange d PS = 0 . m ; (12) maximum battery level B max = 100 .We use a power model that is an affine function of the angularvelocities of the two wheels: P ( ω l , ω r ) = p ( | ω l | + | ω r | ) + p ,where p and p are constants and ω l , ω r are the rotational speeds of the two wheels. These are calculated from linearvelocity v and angular velocity ω as follows. (cid:26) ω l = v − ωl r ω r = v + ωl r (4)In our experiments, we use p = 0 . , p = 0 . . Theconstants used in Eq. 3 are E MP = BE MP = 2 . , and E = 1 . , which are computed based on v max and ω max . We also choose (cid:15) BE = 0 as we assume there are noerrors. The global tick is dt = 0 . s . The update periods of Mission Planning , Navigation , and
Inner-Loop & Plant are dt, dt and dt , respectively. We adopt the algorithm from theCoursera course “Control of Mobile Robots” for the go-to-target controller. The avoid-obstacles controller simply stopsthe rover, as in [28]. The backtrack controller implements theleast-squares approach described in Section IV-B. In MissionPlanning , the choose-next-target controller picks the nexttarget in a sequence of pre-determined target locations whenthe rover arrives at the previous target. The recharge controllersimply sets T = PS .Fig. 3 shows the complete trajectory the rover takes withthe following configuration. The rover’s starting position is P = PS = ( − , , , its initial heading angle is θ = 0 ,and the targets are T = (1 . , and T = (0 . , . , whichmust be visited in that order. The power stations are locatedat PS = ( − , , PS = (0 . , − . , PS = (0 . , . .The black lines represent the forward paths and the red linerepresents the backward path. The rover is able to reach T without having to recharge. At position BT = (0 . , . on its way from T to T , the battery level drops to B = 29 . ,triggering recharge mode. The rover re-traces the forward pathsegment PS BT exactly (the red and black lines are indistin-guishable) to recharge at power station PS . The battery levelwhen it reaches PS is B = 0 . , indicating a tight switchingcondition. After recharging to full capacity at PS , the rovertakes a different path to the last target T . A video of thesimulation can be viewed at https://youtu.be/i8WGVD5Vk7U. Fig. 3. Snapshot from a simulation showing the trajectory the rover takes tovisit targets T and T while ensuring the ES and CF properties. . Q UICKBOT M ISSION C OMPLETION
The Simplex architecture is not intended for assuring gen-eral liveness properties. This is reflected by the fact that aDecision Module looks ahead one update period to determineif the (safety) property in question is about to be violated; assuch, it will not be able to detect a violation of a livenessproperty if the property’s time horizon is unbounded. As weshow here, however, the Simplex architecture can be madeto work with bounded liveness properties. In particular, wedesign a CBSA for the Quickbot that assures a property called
Mission Completion (MC).Recall that the mission of the Quickbot rover is to visit asequence of predetermined targets. The MC property ensuresthat the rover completes its mission within a given amount oftime. This property is interesting in the context of Simplexnot only because it is a (bounded) liveness property, butalso because it is a higher-level mission-oriented property,several layers of control removed from the physical plant.The only physical parameter of the plant in question is(real) time. The MC property is also more software-orientedin nature, as it revolves around a data structure (a list ofmission targets). The MC property can be formally expressedas G ( F Inner-Loop & Plant . The main objective of the Mission Planning component is to inform Navigation wherethe next target is. The BC for Mission Planning simply outputsone target after another, whereas the AC can generate inter-mediate waypoints in between targets. The Mission Planning component does not output the next waypoint or target untilthe rover arrives at the current waypoint/target.The AC can choose waypoints to optimize some criteriaaccording to its path-planning algorithm. Since the algorithmused by AC can be uncertified, it may generate a time-consuming path that violates the MC property. Another factorthat may cause a violation of MC is the manner in which Navigation ’s AC drives the rover through the waypoints toget to targets.The Navigation component steers the rover to the targetor waypoint computed by the Mission Planning component.As such, it plays an important role in assuring the MCproperty. Navigation alone, however, cannot guarantee MCbecause it does not know the sequence of targets. Whatit can do is to guarantee a bound on the time needed to move from one location to another on the map when MissionPlanning activates its BC. The BC in Navigation is designedto guarantee this bound.The DM in Mission Planning uses the bound to checkwhether a violation of MC is imminent. We say the roveris about to violate the MC property if, in the next time step,it may end up at a location from which the Navigation ’s BCis unable to navigate through the remaining targets in time.When Mission Planning ’s DM decides to switch, the switchingis cascaded to Navigation .The contracts for Mission Planning and Navigation are asfollows. The Mission Planning component’s contract is:Inputs: p Outputs: T, ctlr Assumption: ctlr = BC ⇒∀ ( p , p ) , t ( p , p ) ≤ tu ( p , p ) Guarantee: t ( p, T seq ) ≤ remaining time where p is the current position of the rover, T is the outputwaypoint or target, ctlr ∈ { AC , BC } indicates which con-troller is active in Mission Planning , t ( p , p ) is the actualtime needed to go from location p to p , tu ( p , p ) is theupper bound on t ( p , p ) and is based on Navigation ’s BC, T seq is the sequence of remaining targets, t ( p, T seq ) is theactual time needed to complete the mission from p , i.e., t ( p, T seq ) = t ( p, T seq [1]) + (cid:80) n − i =1 t ( T seq [ i ] , T seq [ i + 1]) where n is the size of T seq , and remaining time is thetime until the mission completion deadline. The Navigation component’s contract is:Inputs: T, ctlr, p, ir, v, ω Outputs: v T , ω T Assumption: A P Guarantee: ctlr = BC ⇒∀ ( p , p ) , t ( p , p ) ≤ tu ( p , p ) where ir, v, ω, v T , and ω T are as described in Section IV, A P is the conjunction of assumptions 2-7 about the rover given inSection IV.The Inner-Loop & Plant ’s contract is similar to the onein Section IV. For the actual implementation of Navigation ’sBC, we can use the A* algorithm [29] to generate a collision-free path between two points on the map. To bound the time tu ( p , p ) needed to traverse this path, the BC can rely on justtwo motion primitives: turning in-place and moving straightahead at a constant speed. The Mission Planning ’s DM needsa bound on the time needed for Navigation ’s BC to completethe entire mission. It can use tu ( p , p ) for this bound, whichcan be calculated on-the-fly. If the map is not too large, we candivide the map into grid cells and pre-compute the maximumtime needed for mission completion from each cell.The switching condition is then derived as follows. Wefirst compute the region reachable by the rover in one updateperiod of Mission Planning . We then compute the maximal t ( p (cid:48) , T seq ) , for p (cid:48) in the reachable region. The switchingcondition is then t ( p (cid:48) , T seq ) < remaining time − s MP dt ,where s MP dt is the update period of Mission Planning . Wenow provide a proof outline of the MC property. heorem 3. (cid:104) true (cid:105) QB [ s MP ] (cid:104) MC (cid:105) Proof outline 1) We prove (cid:104) A TU (cid:105) MP [ s MP ] (cid:104) MC (cid:105) , where A TU is theassumption in MP ’s contract given above.2) We prove (cid:104) A P (cid:105) Nav [ s Nav ] (cid:104) A TU (cid:105) . By Lemma 1, thisimplies (cid:104) true (cid:105) ( Nav (cid:107) ILP ) [ s Nav ] (cid:104) A TU (cid:105) .3) Applying Rule AG, we conclude that (cid:104) true (cid:105) ( MP (cid:107) Nav (cid:107) ILP ) [ s MP ] (cid:104) MC (cid:105) .VI. C ONCLUSIONS We have presented a component-based Simplex architecturefor assuring the runtime safety of component-based cyber-physical systems, and a detailed case study that illustrates howour proposed CBSA helps the Quickbot ground rover assuretwo safety properties: energy safety and collision freedom. Wealso presented a CBSA for Quickbot that ensures a boundedliveness property called mission completion. As futurework, we plan to extend our case study to accommodateuncertainties in actuation and sensor readings, and toinvestigate the application of our component-based Simplexarchitecture to UAVs and squadrons of UAVs. Anotherdirection for future work is to develop a design process forCBSA that can be used to determine what guarantees eachcomponent should provide to ensure a global property.A CKNOWLEDGMENT This work is supported in part by AFOSR Grant FA9550-14-1-0261, NSF Grants CNS-1421893, and CCF-1414078, andONR Grant N00014-15-1-2208. Any opinions, findings, andconclusions or recommendations expressed in this material arethose of the author(s) and do not necessarily reflect the viewsof these organizations. R EFERENCES[1] D. Seto, B. Krogh, L. Sha, and A. Chutinan, “The Simplex architecturefor safe online control system upgrades,” in Proc. 1998 AmericanControl Conference , vol. 6, 1998, pp. 3504–3508.[2] ——, “Dynamic control system upgrade using the simplex architecture,” Control Systems, IEEE , vol. 18, no. 4, pp. 72–80, Aug 1998.[3] L. Sha, “Using simplicity to control complexity,” IEEE Software , vol. 18,no. 4, pp. 20–28, 2001.[4] M. Abadi and L. Lamport, “Conjoining specifications,” ACM Trans.Program. Lang. Syst. , vol. 17, no. 3, pp. 507–535, May 1995.[5] K. L. McMillan, “A compositional rule for hardware design refinement,”in Proceedings of the 9th International Conference on Computer AidedVerification , ser. CAV ’97, 1997, pp. 24–35.[6] E. W. Stark, “A proof technique for rely/guarantee properties,” in FifthConf. on Foundations of Software Technology and Theoretical ComputerScience , ser. Lecture Notes in Theoretical Computer Science, vol. 206.Springer-Verlag, Dec. 1985, pp. 369–391.[7] F. B. Schneider, On Concurrent Programming . Springer-Verlag, 1997.[8] S. Bak, T. T. Johnson, M. Caccamo, and L. Sha, “Real-time reachabilityfor verified simplex design,” in . Rome, Italy:IEEE Computer Society, Dec. 2014.[9] S. Bak, K. Manamcheri, S. Mitra, and M. Caccamo, “Sandboxingcontrollers for cyber-physical systems,” in Proc. 2011 IEEE/ACM In-ternational Conference on Cyber-Physical Systems ICCPS . IEEEComputer Society, 2011, pp. 3–12. [10] D. Seto, D. Seto, L. Sha, L. Sha, N. L. Compton, and L. Col, “A casestudy on analytical analysis of the inverted pendulum real-time controlsystem,” 1999.[11] “QuickBot MOOC v2,” 2014. [Online]. Available: http://o-botics.org/robots/quickbot/mooc/v2/[12] M. Aiello, J. Berryman, J. Grohs, and J. Schierman, “Run-time assurancefor advanced flight-critical control systems*,” in Guidance, Navigation,and Control and Co-located Conferences . American Institute ofAeronautics and Astronautics, Aug 2010, 0.[13] J. Schierman, D. Ward, B. Dutoi, A. Aiello, J. Berryman, M. DeVore,W. Storm, and J. Wadley, “Run-time verification and validation forsafety-critical flight control systems,” in Guidance, Navigation, andControl and Co-located Conferences . American Institute of Aeronauticsand Astronautics, Aug 2008.[14] J. D. Schierman, M. D. DeVore, N. D. Richards, N. Gandhi, J. K. Cooper,K. R. Horneman, S. D. Stoller, and S. A. Smolka, “Runtime assuranceframework development for highly adaptive flight control systems,”SBIR Phase III Final Report AFRL-RQ-WP-TR-2016-0001, Dec. 2015.[15] R. Alur and T. A. Henzinger, “Reactive modules,” Form. Methods Syst.Des. , vol. 15, no. 1, pp. 7–48, Jul. 1999.[16] K. M. Chandy, Parallel Program Design: A Foundation . Boston, MA,USA: Addison-Wesley Longman Publishing Co., Inc., 1988.[17] E. Clarke, D. Long, and K. McMillan, “Compositional model checking,”in Proc. of the Fourth Annual Symp. on Logic in Computer Science ,1989, pp. 353–362.[18] O. Grumberg and D. E. Long, “Model checking and modular verifica-tion,” ACM Trans. Program. Lang. Syst. , vol. 16, no. 3, pp. 843–871,May 1994.[19] A. Pnueli, “Logics and models of concurrent systems,” K. R. Apt, Ed.,1985, ch. In Transition from Global to Modular Temporal ReasoningAbout Programs, pp. 123–144.[20] D. Cofer, A. Gacek, S. Miller, M. W. Whalen, B. LaValley, and L. Sha,“Compositional verification of architectural models,” in Proceedingsof the 4th International Conference on NASA Formal Methods , ser.NFM’12, 2012, pp. 126–140.[21] A. Cimatti, M. Dorigatti, and S. Tonetta, “OCRA: A tool for checkingthe refinement of temporal contracts,” in Automated Software Engineer-ing (ASE), IEEE/ACM 28th Inter. Conf. on , Nov 2013, pp. 702–705.[22] F. Warg, B. Vedder, M. Skoglund, and A. S¨oderberg, “Safety ADD:A tool for safety-contract based design,” in Proceedings of the 2014IEEE International Symposium on Software Reliability EngineeringWorkshops , ser. ISSREW ’14, 2014, pp. 527–529.[23] D. Giannakopoulou, C. S. Pasareanu, and J. M. Cobleigh, “Assume-guarantee verification of source code with design-level assumptions,” in Proceedings of the 26th International Conference on Software Engineer-ing , ser. ICSE ’04, 2004, pp. 211–220.[24] L. Wang, A. D. Ames, and M. Egerstedt, “Multi-objective compositionsfor collision-free connectivity maintenance in teams of mobile robots,” ArXiv e-prints , Aug. 2016.[25] E. Lee and P. Varaiya, Structure and Interpretation of Signalsand Systems . Addison-Wesley, 2003. [Online]. Available: https://books.google.com/books?id=R2mBQgAACAAJ[26] A. Benveniste, B. Caillaud, D. Nickovic, R. Passerone, J.-B.Raclet, P. Reinkemeier, A. Sangiovanni-Vincentelli, W. Damm,T. Henzinger, and K. G. Larsen, “Contracts for system design,”INRIA, Research Report RR-8147, Nov. 2012. [Online]. Available:https://hal.inria.fr/hal-00757488[27] H. Barringer, D. Giannakopoulou, and C. S. Pasareanu, “Proof rules forautomated compositional verification through learning,” in Proc. of the2nd Workshop on Specification and Verification of Component-BasedSystems (SAVCBS’03) , Helsinki, Finland, 2003.[28] D. Phan, J. Yang, D. Ratasich, R. Grosu, S. A. Smolka, and S. D.Stoller, “Collision avoidance for mobile robots with limited sensing andlimited information about the environment,” in Proc. 15th InternationalConference on Runtime Verification (RV 2015) , ser. Lecture Notes inComputer Science. Springer-Verlag, Sep. 2015.[29] P. E. Hart, N. J. Nilsson, and B. Raphael, “A formal basis for the heuristicdetermination of minimum cost paths,” IEEE Transactions on SystemsScience and Cybernetics , vol. 4, no. 2, pp. 100–107, July 1968. A PPENDIX The proofs below follow the proof outlines given in Sec-tion IV-D. . Proof of ES property Proof of (cid:104) A BE (cid:105) MP [ s MP ] (cid:104) ES (cid:105) We prove (cid:104) A BE (cid:105) MP [ s MP ] (cid:104) ES (cid:105) by showing that if the ES propertyholds at the end of time step i , then it holds at the endof time step i + s MP , i.e., the next period of MP , where i mod s MP = 0 . The proof is easily extended to showthat the ES property holds continuously during the timestep. Let B (cid:48) , p (cid:48) , W (cid:48) , ctlr (cid:48) denote the values of B, p, W, ctlr ,respectively, at the end of time step i + s MP . We prove that if B > E ( p, P S ) then B (cid:48) > E ( p (cid:48) , P S ) . Since the rover tracesthrough a sequence of recorded waypoints W when goingback to P S , we have E ( p, P S ) = (cid:26) E + BE ( p, P S, W ) , if ctlr = AC BE ( p, P S, W ) , if ctlr = BC (5)There are four cases: Case 1: ctlr = BC and ctrl (cid:48) = BC. The rover is in rechargemode. The backtracking energy needed to backtrack fromcurrent position p to the next position p (cid:48) is BE ( p, p (cid:48) , W ) .Therefore the battery level at the end of the next decisionperiod of MP is B (cid:48) = B − BE ( p, p (cid:48) , W ) (6)We assume that the ES property holds at current time, i.e., B > BE ( p, PS , W ) (7)We want to prove that the ES property still holds at end ofthe next decision period of MP i.e., B (cid:48) > BE ( p (cid:48) , PS , W (cid:48) ) (8)The backtracking energy from current position p to P S canbe partitioned into BE ( p, p (cid:48) , W ) and BE ( p (cid:48) , PS , W (cid:48) ) , i.e., BE ( p, PS , W ) = BE ( p, p (cid:48) , W ) + BE ( p (cid:48) , PS , W (cid:48) ) (9)Re-arranging this equation gives: BE ( p (cid:48) , PS , W (cid:48) ) = BE ( p, PS , W ) − BE ( p, p (cid:48) , W ) (10)Combining Eq. 7 and Eq. 10, we have: BE ( p (cid:48) , PS , W (cid:48) ) < B − BE ( p, p (cid:48) , W ) (11)Combining Eq. 6 and Eq. 11, we have: BE ( p (cid:48) , PS , W (cid:48) ) < B (cid:48) (12)According to Eq. 5, E ( p (cid:48) , P S ) = BE ( p (cid:48) , PS , W (cid:48) ) , therefore: B (cid:48) > E ( p (cid:48) , P S ) . (13) Case 2: ctlr = AC and ctrl (cid:48) = AC. The energy needed to gofrom current position p to the next position p (cid:48) is FE ( p, p (cid:48) ) ≤ E MP . The battery level at the end of the next decision periodof MP is: B (cid:48) ≥ B − E MP (14)We assume that the ES property holds at the current time, i.e., B > E + BE ( p, PS , W ) (15) We want to prove that the ES property still holds at the endof the next decision period of MP i.e., B (cid:48) > E + BE ( p (cid:48) , PS , W (cid:48) ) (16)Note that if the rover detects a new power station PS (cid:48) onthe way from p to p (cid:48) then the ES property still holds at theend of the next decision period, because BE ( p (cid:48) , PS (cid:48) , W (cid:48) ) ≤ BE ( p (cid:48) , PS , W (cid:48) ) . ctrl = AC means the switching condition isfalse, i.e., B > E MP + E + BE MP + (1 + (cid:15) BE ) FE ( PS , p ) (17)Since BE ( p, PS , W ) ≤ (1 + (cid:15) BE ) FE ( PS , p ) , we have: B > E MP + E + BE MP + BE ( p, PS , W ) (18)Combining Eq. 14 with Eq. 18, we have: B (cid:48) > E + BE MP + BE ( p, PS , W ) (19) BE ( p (cid:48) , PS , W (cid:48) ) can be partitioned into BE ( p (cid:48) , p, W (cid:48) ) and BE ( p, PS , W ) , i.e., BE ( p (cid:48) , PS , W (cid:48) ) = BE ( p (cid:48) , p, W (cid:48) ) + BE ( p, PS , W ) (20)Energy needed to backtrack from p (cid:48) to p is bounded by BE MP ,thus: BE ( p (cid:48) , PS , W (cid:48) ) ≤ BE MP + BE ( p, PS , W ) (21)Combining Eq. 19 with Eq. 21, we have: B (cid:48) > E + BE ( p (cid:48) , PS , W (cid:48) ) (22)According to Eq. 5, E ( p (cid:48) , PS ) = E + BE ( p (cid:48) , PS , W (cid:48) ) ,therefore, B (cid:48) > E ( p (cid:48) , PS ) . (23) Case 3: ctlr = AC and ctrl (cid:48) = BC. The rover is switchingfrom AC to BC, which means it must turn 180 ◦ beforebacktracking. The battery level in the next decision periodof MP is: B (cid:48) = B − E − BE ( p, p (cid:48) , W ) (24)We assume that the ES property holds at the current time, i.e., B > E + BE ( p, PS , W ) (25)We want to prove that the ES property still holds at the endof the next decision period of MP i.e., B (cid:48) > BE ( p (cid:48) , PS , W (cid:48) ) (26)Observe that if we let B = B − E then Case 3 becomesCase 1 with the same proof. Case 4: ctlr = BC and ctrl (cid:48) = AC. When MP switches fromBC to AC, the switching condition must evaluate to false, i.e., B > E MP + E + BE MP + (1 + (cid:15) BE ) FE ( PS , p ) (27)Thus, this case folds back to Case 2 with the same proof. Proof of (cid:104) A P (cid:105) Nav [ s Nav ] (cid:104) A BE (cid:105) Since the decision ctlr from MP is hardwired to the switchin Nav , we only need to prove that the backtrack controllern Nav satisfies BE < (1 + (cid:15) BE ) FE ( PS , p ) . As discussed inSection IV-B, the sequence of values of ( v, ω ) on the backtrackpath will have the same magnitudes as the ones on the forwardpath. Therefore the backtrack energy will be the same as theforward energy. B. Proof of CF Property Proof of (cid:104) A P (cid:105) Nav [ s Nav ] (cid:104) CF (cid:105) We prove (cid:104) A P (cid:105) Nav [ s Nav ] (cid:104) CF (cid:105) by proving that (cid:104) A P (cid:105) AC s Nav ] (cid:104) CF (cid:105) and (cid:104) A P (cid:105) BC s Nav ] (cid:104) CF (cid:105) . SinceAC2 is the same Simplex instance in [28], the proof of (cid:104) A P (cid:105) AC s Nav ] (cid:104) CF (cid:105) is already available there. We showthat (cid:104) A P (cid:105) BC s Nav ] (cid:104) CF (cid:105) . Similar to the proof of (cid:104) A P (cid:105) Nav [ s Nav ] (cid:104) A BE (cid:105) , BC2 will track the forward pathexactly, in the reverse direction. Since the forward path iscollision-free as guaranteed by the proof that AC2 satisfiesthe CF property, it immediately follows that the backtrackingpath is collision-free as well, i.e., (cid:104) A P (cid:105) BC s Nav ] (cid:104) CF (cid:105)(cid:105)