Model Checking for Decision Making System of Long Endurance Unmanned Surface Vehicle
Hanlin Niu, Ze Ji, Al Savvaris, Antonios Tsourdos, Joaquin Carrasco
Abstract — This work aims to develop a model checking method to verify the decision making system of an Unmanned Surface Vehicle (USV) in a long range surveillance mission. The scenario in this work was captured from a long endurance USV surveillance mission using C-Enduro®, a USV manufactured by ASV Ltd. The C-Enduro USV may encounter multiple non-deterministic and concurrent problems including lost communication signals, collision risk and malfunction. The vehicle is designed to utilise multiple energy sources from a solar panel, a wind turbine and a diesel generator. The energy state can be affected by the solar irradiance condition, wind condition, states of the diesel generator, sea current condition and states of the USV. In this research, the states and the interactive relations between environmental uncertainties, sensors, the USV energy system, and the USV and Ground Control Station (GCS) decision making systems are abstracted and modelled using Kripke models. The desirable properties to be verified are expressed using temporal logic statements, and finally the safety properties and the long endurance properties are verified using MCMAS, a model checker for multi-agent systems. The verification results are analysed and show the feasibility of applying the model checking method to inspect the desirable properties of the USV decision making system. This method could assist researchers in identifying potential design errors of a decision making system in advance.
I. INTRODUCTION
Unmanned Surface Vehicles can be defined as unmanned vehicles which execute missions in a variety of hydro environments with minimal human operation. The guidance, navigation and control (GNC) systems of a USV [1] allow the marine vessel to follow predefined paths and avoid hazards autonomously [2] [3] [4] [5], relieving the operators from heavy and tedious manual operations. Further development of USVs is expected to produce tremendous benefits, such as lower operation costs, improved energy efficiency, personnel safety and security, extended operational reliability and precision, as well as increased flexibility in complex environments, including so called dirty, dull, harsh, and dangerous missions [6] [7]. To improve the operating endurance, USVs powered by multiple sources of energy are developed, utilising solar energy, wave energy or wind energy [8] [9].

*This work was partially supported by EPSRC project No. EP/S03286X/1 and EPSRC RAIN project No. EP/R026084/1. (Corresponding author: Hanlin Niu)
H. Niu and J. Carrasco are with the Department of Electrical & Electronic Engineering, The University of Manchester, Manchester, UK. { [email protected] }
Z. Ji is with the School of Engineering, Cardiff University, Cardiff, UK. { [email protected] }
A. Savvaris and A. Tsourdos are with the School of Aerospace, Transport and Manufacturing, Cranfield University, Cranfield, UK. { [email protected] }

Because of the critical nature of the USV decision making system in long endurance missions, it is important to ensure the correctness of the decision making system. Verification is the process of verifying the correctness of a system by checking it against its specifications [10] [11] [12] [13]. Typical verification processes include simulation, testing, deductive verification, and model checking [14]. Simulation is implemented using an abstract model of the system and testing is performed on the real system. Simulation and testing are a cost effective way to identify bugs; however, it is not practically possible to check all cases exhaustively. Deductive verification is proof-based and well recognised by computer scientists; however, it is time-consuming and can only be performed by experts in logic and mathematics. Model checking is a kind of formal verification method that is usually used for exhaustive, automatic system analysis, to check whether the model of the system satisfies the desirable properties.

Model checking has been implemented in the verification of autonomous systems [15] [16] [17]. NASA has developed model checking techniques for multiple rovers or satellites [18] [19]. In the work of [20], timed automata have been applied to model multiple robotic systems, where the properties are expressed in CTL (Computational Tree Logic) and finally verified by the Uppaal model checker.
The Kripke model of a single UAV (Unmanned Aerial Vehicle) performing a search mission was built in [21] and the properties expressed in CTL were verified using the Symbolic Model Checker (SMV). Subsequently, the scenario was extended to a multiple UAV search scenario in [22]. A multiple UAV system monitoring road networks was modelled and verified in [10]. A group of robots operating with minimal communication and no prior knowledge of the environment has been modelled using the Kripke model [23]; the desirable properties of co-operation were expressed using Linear Temporal Logic (LTL) and verified using SPIN. The integration of model checking methods with UAV mission planning systems was proposed in [24]; it enables the autonomy to make decisions according to human intent and provides better feedback to the human when problems arise. Another mission plan verification, for a VIP escort mission, was presented in [25]: in this scenario, multiple UAVs should monitor and navigate a ground-based VIP vehicle following a road network. The model was built using PROcess MEta LAnguage (PROMELA), and the properties were expressed using LTL and verified using SPIN, which is a multi-threaded model checker.

The main contribution of this paper is the implementation of the model checking method on the verification of a real USV system. The mission considered was captured from the C-Enduro USV [26] surveillance case, which was funded by the UK government-backed Small Business Research Initiative (SBRI). This paper presents the process of modelling the behaviours and the complex reactive relations among multiple environmental factors, the corresponding sensors, the energy system, and the USV and GCS decision making systems. The complex environment is discretised and abstracted using the Kripke model, which is a formal and intuitive model in the form of a directed graph [14] [27]. The behaviours of the USV are also classified based on the energy required. The desirable properties of the decision making system are expressed precisely using CTL. Finally, the feasibility of using the model checker MCMAS to verify the safety property and the long-endurance/energy-saving property of the USV decision making system is demonstrated. The remainder of this paper has the following structure: the USV mission scenario is presented in Section II. Section III introduces the Kripke models of the environmental factors and the autonomous systems. In Section IV, the desirable properties are expressed using CTL and verified using MCMAS. Finally, the conclusion and future work are given in Section V.

II. MISSION SCENARIO
The mission scenario and decision making system considered in this paper were captured from the long endurance USV C-Enduro, as depicted in Fig. 1. The USV is commanded by the GCS to execute a long range surveillance mission by following a list of waypoints generated by an energy efficient path planning algorithm [28] [29] of the GCS. While the USV is following the path, it sends images to the GCS for analysis. The USV may encounter problems including communication signal loss, collision risk and malfunction. The decision making systems of the USV and GCS are required to ensure safety and also to maximise the utilisation of natural energy for long endurance operations by adaptive USV behaviours.
Fig. 1: The USV mission with multiple energy sources [26] (figure labels: USV, GCS, collision risk, fault, communication loss, wind energy, solar energy, diesel energy)

III. KRIPKE MODELLING
During the long range marine mission, to model the complex environment in terms of communication, traffic, malfunction and energy, we present an approach to discretise and abstract the environment using non-energy-related and energy-related models, which helps in reducing the state space. Finally, the Kripke models of the USV decision making system and the GCS decision making system are presented.
A. Kripke models of non-energy-related environmental uncertainties and the corresponding USV sensors

Non-energy-related environmental factors interacting with the USV system include the communication signal and traffic information. Malfunction of the USV is also modelled as an environmental factor. The states of the communication signal can be identified by using heart-beat messages, and we call this signal detection mechanism the communication detector. Traffic information can be detected by AIS (Automatic Identification System) sensors. It is assumed that malfunction can be detected by the USV online, and we call this mechanism the fault detector. In this research, we assume the sensors can detect the corresponding environmental factors accurately.
1) Kripke models for communication signal and communication detector:

In Fig. 2, the behaviour of the communication channel between the USV and the GCS is defined by two states, communication state and communication lost state, each represented by a symbol S. The communication channel is treated as a non-deterministic system, which means each state at a specific moment may have multiple possible consequent transitions. For example, the communication state has two allowed transitions, one to the communication state itself and one to the communication lost state. Similarly, at the moment of the communication lost state, it also has two transitions, with the next state being either the communication state or the communication lost state. This non-deterministic model reflects the real situation that the state at each moment may transit to multiple possible states.

Fig. 2: Kripke model for the communication channel (states: communication state, communication lost)

The conditions for the state transitions are as follows:
• Transitions into the communication state: if the communication is normal.
• Transitions into the communication lost state: if the communication is lost.

The states of the communication channel can be detected by the communication detector. The states of the communication detector are defined as communication state detected and communication lost state detected. The transitions of the detector take place with the changes of the communication states.

2) Kripke model for collision risks and AIS:

Collision risks can be classified into two categories according to COLREGS (International Regulations for Preventing Collisions at Sea) [30], namely give-way collision risk and stand-on collision risk. The give-way collision risk and the stand-on collision risk represent the collision scenarios in which the USV should give way to, or keep its way with respect to, the encountered vessel, respectively. Therefore, the traffic situation can be modelled using three states: no collision risk, give-way collision risk and stand-on collision risk. The traffic situation is also a non-deterministic system. The traffic information can be detected by AIS sensors. The states of the AIS are defined as no collision risk detected, give-way collision risk detected and stand-on collision risk detected. The state transitions of the AIS are triggered by the transitions of the traffic information.
3) Kripke model for fault event and fault detector:

The states of fault events include severe fault, fault and non-fault. During the long range mission, the USV may encounter a malfunction but still have collision avoidance capabilities. Therefore, a distinction between severe fault and fault is required to improve the safety of the USV. The state severe fault represents that the USV cannot operate any more and will go to standby immediately. The state fault is emitted when the USV cannot execute the path following command but can still execute the collision avoidance command; in this situation, the USV will remain in the station keeping state. Non-fault means the USV is in the normal operation state. The fault event is also treated as a non-deterministic system. The states of the fault detector include severe fault detected, fault detected and non-fault detected. State transitions happen with the corresponding changes of the fault events.
B. Kripke models of energy-related environmental uncertainties and the USV energy system

Energy-related environmental factors have an impact on energy generation and, in this work, include the solar irradiance and the wind conditions. Instead of modelling these two factors separately, we name their combined model the energy generation condition model, referring to their total influence on the energy system. Since the vehicle in this work is powered by a solar panel, a wind turbine and a diesel generator, using natural resources or fuel, we name these three pieces of equipment the energy generation module. The environmental factor with the largest impact on energy consumption is the sea current that the USV encounters; we model the sea current condition as the energy consumption condition model. The states of the energy generation module and the energy consumption module contribute to the transitions of the battery level. Therefore, the whole energy model is divided into five sub-models: the energy generation condition model, the energy generation module model, the energy consumption condition model, the energy consumption module model and the battery model.

The energy generation module can be affected by the energy generation conditions and the battery level; the diesel generator is turned on or off subject to the battery level. The states of the energy consumption module can be affected by the energy consumption condition (the sea current condition) and the USV behaviours; therefore it is necessary to classify the USV behaviours based on their energy consumption characteristics. The states of the energy generation module and the energy consumption module contribute to the transitions of the battery level. Finally, the states of the energy generation module, the energy consumption module and the battery affect the decision making system of the USV.

The energy model used in this scenario was derived from the energy consumption and energy generation specifications of the C-Enduro USV. We abstracted and discretised the energy consumption model, the energy generation model and the battery model by using integers to represent the amount of energy, which helps in reducing the computational state space.
1) Energy generation:

Four energy generation conditions are modelled: Very Low Energy Generation Condition (VLEGC), Low Energy Generation Condition (LEGC), Medium Energy Generation Condition (MEGC) and High Energy Generation Condition (HEGC). The energy generation condition can change from one state to a neighbouring state randomly, as shown in Fig. 3. Correspondingly, there are four states of the energy generation module: Very Low Energy Generation (VLEG) (+0), Low Energy Generation (LEG) (+1), Medium Energy Generation (MEG) (+2) and High Energy Generation (HEG) (+3). These four states of the energy generation module correspond to the amount of energy that will be added to the battery level. For instance, when the energy generation condition is in the VLEGC state, the state of the energy generation module will be VLEG correspondingly and the energy added to the battery will be 0. Note that when the diesel generator is on, the energy generation state is always HEG; this is defined according to the specification of the C-Enduro diesel generator.

Fig. 3: Kripke model for energy generation condition (states VLEGC, LEGC, MEGC, HEGC, with transitions between neighbouring states)
2) Energy consumption:

The energy consumption state is modelled by discretising the energy consumption condition state (the sea current state) and classifying the USV state. The states of the environmental energy consumption conditions and the behaviours of the USV determine the states of the energy consumption module. Three environmental energy consumption conditions are modelled: Low Energy Consumption Condition (LECC), Medium Energy Consumption Condition (MECC) and High Energy Consumption Condition (HECC). The energy consumption condition can transit from one state to a neighbouring state randomly. The behaviours of the USV can be classified into three groups according to the amount of the corresponding energy consumption: Low Energy Consumption Behaviour (LECB) (Station Keeping (SK)), Medium Energy Consumption Behaviour (MECB) (Path Following (PF), Collision Avoidance (CA)) and High Energy Consumption Behaviour (HECB) (Path Following in High Speed (PFH)). Note that the other USV behaviours, including Standby (SB), Ready (RE), Dispatched (DP) and Arrive (AR), are treated separately because they consume very little energy and the effect of the environmental factors on their energy consumption is negligible. For simplification, we assume that the energy consumption amount of these behaviours is 0.

The various combinations of the energy consumption conditions and the behaviours of the USV lead to the corresponding state transitions of the energy consumption module, including the amount to be subtracted from the battery level and the states of the energy consumption module. The amounts of energy consumption are: Very Low Energy Consumption (VLEC) (-0), Low Energy Consumption (LEC) (-1), Medium Energy Consumption (MEC) (-2), High Energy Consumption (HEC) (-3) and Very High Energy Consumption (VHEC) (-4). The relations between the energy consumption condition, the USV behaviour and the energy consumption amount are shown in Table I. For instance, when the USV is in Low Energy Consumption Behaviour (LECB) and the energy consumption condition is also Low Energy Consumption Condition (LECC), the consumed energy will be Very Low Energy Consumption (VLEC).

TABLE I: The relations between energy consumption conditions, USV behaviours and energy consumption amount

            LECC        MECC        HECC
  LECB      VLEC (0)    LEC (-1)    MEC (-2)
  MECB      LEC (-1)    MEC (-2)    HEC (-3)
  HECB      MEC (-2)    HEC (-3)    VHEC (-4)
3) Battery:

The battery level is represented by an integer from 0 to 10. The sum of the energy consumption amount and the energy generation amount is the change of the battery level. For example, if the current state of the battery level is 5, the state of the energy generation module is Low Energy Generation (LEG, +1) and the state of the energy consumption module is Medium Energy Consumption (MEC, -2), then the next state of the battery level will be updated to (5 + 1 − 2) = 4.

C. Kripke model for USV
The behaviours of the USV are defined as follows: SB, RE, DP, PF, PFH, CA, SK, SFA (Severe Fault), FA (Fault) and AR. In this mission scenario, the battery level is taken into account in the decision making system. When the battery level is 0 or 1, the USV should be in the SB or SFA state and the diesel generator will be triggered to generate power. When the battery level is 2, the USV can be in the SK, CA, SB or SFA state and turns off the diesel generator. When the battery level is 3 or above, the USV can be in the PF, SK, CA, RE, DP, SB or FA state. When the battery level is 9 or above, the energy consumption condition is LECC and the energy generation condition is HEGC, the USV chooses the PFH state rather than PF to maximise the utilisation of natural energy. The transitions and the corresponding conditions are described as follows:

Fig. 4: Kripke model for the USV (states: Standby, Ready, Dispatched, Path Following, Path Following in High Speed, Collision Avoidance, Station Keeping, Arrive, Severe Fault)

• Into RE: the USV received the mission from the GCS, no fault is detected and the battery level is above 2.
• Into DP: the USV received the launching command from the GCS and no fault is detected.
• From DP into PF: the USV has been dispatched and no fault is detected.
• Into AR: the USV arrived at the destination.
• From PF, PFH, CA or SK into PF: no give-way collision risk is detected; the communication channel is in good status; no fault is detected; and the battery level is above 2.
• From PF, PFH, CA or SK into CA: a give-way collision risk is detected; the communication channel is in good status; no fault is detected; and the battery level is above 1.
• From PF, PFH, CA or SK into SK: either no give-way collision risk is detected, the communication channel is lost, no severe fault is detected and the battery level is above 1; or a fault event is detected and no collision risk is detected; or no fault is detected, the battery level is 2 and no collision risk is detected.
• Into SFA (six transitions): the USV has detected a severe fault.
• From SFA into SB: the USV is in the SFA state.
• Into SB (two transitions): the USV battery level is 0 or 1.
• Into PFH (four transitions): there is no give-way collision risk; no fault is detected; the battery level is above 8; and the energy generation is higher than the energy consumption.

D. Kripke model for GCS
The behaviours of the GCS are defined as follows: Path Planning (PP), Send Waypoints (SW), Launch Command (LC), Situation Analysis (SiA), Path Re-planning (PR) and Send New Waypoint (SN). Fig. 5 shows the Kripke model of the GCS behaviours. The transitions and the corresponding conditions are described as follows:

Fig. 5: Kripke model for the GCS (states: Path Planning, Send Waypoints, Launch command, Situation analysis, Path replanning, Send new waypoint)

• From PP: the USV is in the SB state.
• From SW: the USV is in the DP state.
• From LC: the USV is in the PF state.
• From SiA: the USV is in the SK state and the communication state has recovered.
• From PR: the GCS is in the PR state (no further condition).
• From SN: the USV is in the PF mode.
• Six further transitions: the USV has detected a fault and the communication status is normal.

IV. MODEL CHECKING WITH MCMAS

The Kripke models are translated into ISPL code, the modelling language of MCMAS, which is an open-source model checker designed for the verification of Multi-Agent Systems. The desirable properties are expressed using CTL formulae and implemented in the Evaluation and Formulae parts of MCMAS. Finally the properties are verified using MCMAS. The details are presented in the following subsections.
A. MCMAS model
MCMAS uses its own language, ISPL, to describe the system model. The essential parts of an ISPL file are the Environment Agent, the Agents, InitStates, Evaluation and Formulae. In the Environment Agent and the Agents, the possible states, the labelling function and the transitions of the Kripke model are expressed using state variables, actions, protocols and evolution. InitStates defines the initial states of all agents. The atomic propositions of the properties to be verified are declared in Evaluation; these propositions and CTL are used to describe how the behaviours of the system unfold over time. The properties that we want to verify are expressed in the Formulae part. The states of the Agents are described in Vars. Each Agent is allowed to perform some Actions, which are visible to the other Agents. The Actions correspond to the atomic propositions of the Kripke model. The Protocols of an Agent correspond to the labelling function of the Kripke model: the Protocols describe which actions can be performed in each state, which corresponds to which atomic propositions hold in each state. The Evolution function of an agent describes how its states transit as a result of the actions performed by all other agents, which corresponds to the transition relations of the Kripke model that describe the conditions of the state transitions. Following this principle, the Kripke models of the communication channel, the communication detector, the traffic information, the AIS, the fault event, the fault detector, the USV and the GCS were translated into ISPL code.

Fig. 6: ISPL code for Evaluation, Formulae and InitStates
B. Modelling of properties to be verified
Considering the real world missions of the C-Enduro USV, fourteen properties are verified, given below:

1) After the USV received the mission (ready state), if the communication state is good, no fault is detected by the USV and the USV battery level is above 2, then the GCS sends the launching command and the USV will transit to DP.
2) When the USV is in PF, no fault is detected, the USV battery level is above 2 and a give-way collision risk is detected, then the USV will always change its way to avoid the collision.
3) If a give-way collision risk does not appear, the USV will never alter its way to avoid a collision.
4) After the USV avoided the collision risk, if the communication state is good, no give-way collision risk or fault is detected and the USV battery level is above 2, then the USV will always continue to follow the path at its normal speed.
5) When the USV is in SK, no fault is detected and the GCS is in the situation analysis state under good communication, the GCS will re-plan the path. Formula 5 checks whether the GCS performs the path re-planning behaviour successfully when the communication gets recovered.
6) When the USV is in PF, if no give-way collision risk or fault event is detected, the USV battery level is above 2 and the communication is lost, the USV will change to the station keeping state. Formula 6 checks the part of the safety property that, when the USV loses the communication signal, it transits to SK until the signal gets recovered.
7) When the USV is in SK, if the communication state is good and the USV battery level is above 2, then after the GCS sends the new waypoints the USV will change to the path following state.
8) When the USV is in PF and no fault is detected, if communication loss is detected, the USV will change to SK.
9) If the communication is not lost, the USV battery level is not below 3 and no fault is detected, the USV will not station keep. Formula 9 means the USV only triggers the SK behaviour under the right situations (communication lost, low battery level or fault detected).
10) If the communication is lost, the USV will change to SB or SK. Formula 10 checks the safety property.
11) If the USV is in the severe fault state, the USV will change to the SB state directly. Formula 11 represents that, under a severe fault event, the USV transits to SB directly for safety.
12) If the battery level is less than 2, the USV will not follow the path.
13) When the USV is in PF or CA, the battery level is 9, energy generation is high, energy consumption is low, no give-way collision risk is detected and no fault is detected, the USV will change to PFH.
14) If the battery level is not above 8, the USV will never transit to PFH.

The CTL formula of the first property is given below for demonstration:

AG((USV.state = RE ∧ Communicationdetector.state = DCS ∧ Faultdetector.state = DNF ∧ GCS.state = LC ∧ Battery.state > 2) → AX(USV.state = DP))

Note that AG and AX are CTL operators: AG(p) means that along All paths p holds Globally; AX(p) means that along All paths p holds in the neXt state. The verification of Formula 1 and the initial states are expressed in Evaluation, Formulae and InitStates, as shown in Fig. 6. The other formulas were also translated from their CTL accordingly.
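The kind of check described in Sections III and IV can be reproduced without MCMAS on a reduced model. The following Python program is an added example, not the authors' ISPL model or output: it builds a constructed abstraction of the USV decision rule of Section III.C, the battery update of Section III.B and a free-running environment (communication channel, give-way collision risk, energy generation and consumption conditions), enumerates the reachable states explicitly, evaluates CTL formulas of the AG(pre → AX(post)) shape used above by set fixpoints and, when a formula fails, returns the shortest path to the violating state in the manner of the MCMAS counterexample discussed in Section IV.C. Faults, the Arrive state and the GCS are left out, the GCS commands are assumed to be issued immediately, and "energy generation higher than energy consumption" is approximated by comparing the two condition levels; these simplifications, the initial state and all names in the code are assumptions of the example. Under them the Formula 1 analogue holds, the Formula 4 analogue fails with a witness ending in a CA state whose battery level is above 8 (its relaxed form, PF or PFH, holds), and the Formula 8 analogue fails with a witness in which the channel is lost and a give-way risk is present at the same time.

```python
from collections import deque
# Constructed abstraction of Section III (not the authors' ISPL model); faults,
# AR and the GCS are left out. state = (usv, comm, risk, egc, ecc, batt): USV
# behaviour, channel CS/CL, give-way risk NC/GW, energy generation condition
# 0..3 (adds +egc), consumption condition 0..2, battery level 0..10.
FIELD = {"usv": 0, "comm": 1, "risk": 2, "egc": 3, "ecc": 4, "batt": 5}
CONS_CLASS = {"SK": 0, "PF": 1, "CA": 1, "PFH": 2}  # LECB/MECB/HECB of Table I
INIT = ("SB", "CS", "NC", 2, 1, 10)                  # constructed initial state

def usv_next(usv, comm, risk, egc, ecc, batt):
    """USV decision rule after Section III.C; GCS commands assumed immediate."""
    if batt <= 1:
        return "SB"                        # battery 0 or 1: standby, diesel on
    if usv in ("SB", "RE", "DP"):          # mission received, launch, dispatch
        return {"SB": "RE" if batt > 2 else "SB", "RE": "DP", "DP": "PF"}[usv]
    if risk == "GW":                       # from PF, PFH, CA or SK:
        return "CA"                        # a give-way risk takes priority
    if comm == "CL" or batt == 2:
        return "SK"
    # assumption: "generation higher than consumption" read as egc > ecc
    return "PFH" if batt > 8 and egc > ecc else "PF"

def battery_next(usv, egc, ecc, batt):
    """Battery update of Section III.B: +generation, -consumption, clamped."""
    gen = 3 if batt <= 1 else egc          # diesel generator forces HEG (+3)
    cons = CONS_CLASS[usv] + ecc if usv in CONS_CLASS else 0
    return max(0, min(10, batt + gen - cons))

def successors(state):
    """One synchronous step: USV and battery deterministic, environment free."""
    usv, comm, risk, egc, ecc, batt = state
    usv2 = usv_next(usv, comm, risk, egc, ecc, batt)
    batt2 = battery_next(usv, egc, ecc, batt)
    return {(usv2, c, r, g, e, batt2)      # conditions move to a neighbour or stay
            for c in ("CS", "CL") for r in ("NC", "GW")
            for g in (egc - 1, egc, egc + 1) if 0 <= g <= 3
            for e in (ecc - 1, ecc, ecc + 1) if 0 <= e <= 2}

def explore(init):
    """BFS over the reachable states: successor map, parent map, BFS order."""
    parent, succ, order, queue = {init: None}, {}, [], deque([init])
    while queue:
        s = queue.popleft()
        order.append(s)
        succ[s] = successors(s)
        for t in succ[s]:
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return succ, parent, order

def ctl(f, succ):
    """Reachable states satisfying f: ("atom", pred) | ("imp", g, h) | ("AX", g) | ("AG", g)."""
    states, op = set(succ), f[0]
    if op == "atom":
        return {s for s in states if f[1](s)}
    if op == "imp":
        return (states - ctl(f[1], succ)) | ctl(f[2], succ)
    if op == "AX":                         # every successor satisfies g
        sat = ctl(f[1], succ)
        return {s for s in states if succ[s] <= sat}
    if op == "AG":                         # AG g == not EF(not g): least fixpoint
        bad, grown = set(), states - ctl(f[1], succ)   # of states reaching a violation
        while grown != bad:
            bad = grown
            grown = bad | {s for s in states if succ[s] & bad}
        return states - bad
    raise ValueError(op)

def check_AG(body, init=INIT):
    """(True, []) if AG body holds from init, else (False, shortest path to a violation)."""
    succ, parent, order = explore(init)
    if init in ctl(("AG", body), succ):
        return True, []
    sat = ctl(body, succ)
    path, bad = [], next(s for s in order if s not in sat)  # BFS order: nearest first
    while bad is not None:                 # walk parents back, like an MCMAS witness
        path.append(bad)
        bad = parent[bad]
    return False, path[::-1]

def atom(**want):                          # proposition on fields; a value may be a predicate
    return ("atom", lambda s: all(v(s[FIELD[k]]) if callable(v) else s[FIELD[k]] == v
                                  for k, v in want.items()))

def run_checks():
    """Analogues of Formulas 1, 4 (as stated and relaxed) and 8 of Section IV.B."""
    pre4 = atom(usv="CA", comm="CS", risk="NC", batt=lambda b: b > 2)
    formulas = {
        "f1": ("imp", atom(usv="RE", comm="CS", batt=lambda b: b > 2), ("AX", atom(usv="DP"))),
        "f4": ("imp", pre4, ("AX", atom(usv="PF"))),
        "f4_relaxed": ("imp", pre4, ("AX", atom(usv=lambda u: u in ("PF", "PFH")))),
        "f8": ("imp", atom(usv="PF", comm="CL"), ("AX", atom(usv="SK"))),
    }
    return {name: check_AG(f) for name, f in formulas.items()}

if __name__ == "__main__":
    print(run_checks())                    # verdict and witness path per formula
```

run_checks() returns, for each formula, whether it holds and, if not, the witness path from the initial state; the f4 witness ends in a CA state with a high battery level and a generation condition above the consumption condition, which is the same explanation the MCMAS counterexample of Fig. 8 gives. The explicit enumeration here is only viable for a few thousand states; a system of the size reported in Section IV.C needs a symbolic model checker such as MCMAS.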
C. Verification result and analysis
The program was executed on a 2.7 GHz Intel Core i7-6820HK processor with 16.0 GB RAM. The number of reachable states approached 209286 when the decision making system was verified and the execution time was 0.632 seconds. The verification results are shown in Fig. 7. In the verification results, Formula 4, Formula 7 and Formula 8 have a FALSE result and the other formulas have TRUE results. Formula 1 acquires a TRUE result and shows that the launching behaviour performs well. The verification results of Formulas 2 and 3 show that the collision avoidance command is executed properly. The verification results of Formulas 12, 13 and 14 show that the USV possesses the long endurance/energy saving properties: when the battery level is low, the USV will be in SB or SK; when the battery level is high and the energy generation is higher than the energy consumption, the USV will be in PFH; if the battery level is not above 8, the USV will never travel at high speed.

Fig. 7: Verification results

Fig. 8: Counterexample of Formula 4

  -------- State 14 --------
  Agent Environment            state = CS
  Agent Communicationdetector  state = DCS
  Agent Collision              state = NC
  Agent AIS                    state = DNC
  Agent Fault                  state = NF
  Agent FaultDetector          state = DNF
  Agent EGC                    state = HEGC
  Agent EGM                    state = HEG
  Agent ECC                    state = MECC
  Agent ECM                    state = LEC
  Agent Battery                state = 10
  Agent GCS                    state = SN
  Agent USV                    state = CA
  -------- State 15 --------
  Agent Environment            state = CS
  Agent Communicationdetector  state = DCS
  Agent Collision              state = NC
  Agent AIS                    state = DNC
  Agent Fault                  state = NF
  Agent FaultDetector          state = DNF
  Agent EGC                    state = MEGC
  Agent EGM                    state = MEG
  Agent ECC                    state = HECC
  Agent ECM                    state = HEC
  Agent Battery                state = 10
  Agent GCS                    state = SN
  Agent USV                    state = PFH

Using the show counterexample/witness option, the error traces of Formula 4, Formula 7 and Formula 8 can be acquired. By checking the counterexample of Formula 4, as shown in Fig. 8, we found that the USV transits to PFH instead of PF, because the record shows that the battery level was 10 and the energy generation was higher than the energy consumption. It is reasonable to accelerate to maximise the utilisation of the natural energy. When Formula 4 is changed to “the USV will transit to PF or PFH”, the verification result becomes TRUE. The verification record of Formula 7 shows that, after the GCS sent a new waypoint, the USV detected a collision risk, so it transited to the collision avoidance state instead of path following to ensure USV safety; therefore this counterexample is reasonable. The verification result of Formula 8 shows that when the USV is following the path and the communication is lost while it also detects a give-way collision risk at the same time, it transits to the collision avoidance state first instead of the station keeping state, compliant with the safety design of the decision making system.

V. CONCLUSION AND FUTURE WORK
This research tackled the problem of applying the model checking method to verify the decision-making behaviours of a long endurance USV, which may encounter communication loss, collision risk, malfunction and the problem of maximising energy utilisation. The Kripke model and CTL were applied to construct the models of the environmental factors and the autonomous systems. Finally, both the safety properties and the long endurance properties of the decision making behaviours under concurrent and non-deterministic uncertainties were verified using MCMAS. The short program execution time (0.632 seconds) also implies that more complex scenarios and more agents can be handled by the model checker MCMAS. In future work, multiple USV cooperation or UAV-USV cooperation can be taken into account in complex scenarios. State space reduction techniques may be required to save computing resources. A translation program which transforms a system design into the model checker language would reduce potential mistakes by the designer.

REFERENCES

[1] Z. Ren, B. Zhao, and D. T. Nguyen, “Finite-Time Backstepping of a Nonlinear System in Strict-Feedback Form: Proved by Bernoulli Inequality,” IEEE Access, vol. 8, pp. 47768–47775, 2020.
[2] H. Niu, Y. Lu, A. Savvaris, and A. Tsourdos, “Efficient Path Planning Algorithms for Unmanned Surface Vehicle,” IFAC-PapersOnLine, vol. 49, no. 23, pp. 121–126, 2016.
[3] M. Zhu, W. Sun, A. Hahn, Y. Wen, C. Xiao, and W. Tao, “Adaptive modeling of maritime autonomous surface ships with uncertainty using a weighted LS-SVR robust to outliers,” Ocean Engineering, vol. 200, p. 107053, 2020.
[4] M. Zhu, A. Hahn, Y.-Q. Wen, and W.-Q. Sun, “Optimized support vector regression algorithm-based modeling of ship dynamics,” Applied Ocean Research, vol. 90, p. 101842, 2019.
[5] M. Zhu, A. Hahn, and Y.-Q. Wen, “Identification-based controller design using cloud model for course-keeping of ships in waves,” Engineering Applications of Artificial Intelligence, vol. 75, pp. 22–35, 2018.
[6] V. Bertram, “Unmanned surface vehicles - a survey,” Skibsteknisk Selskab, Copenhagen, Denmark, vol. 1, pp. 1–14, 2008.
[7] H. Niu, A. Savvaris, A. Tsourdos, and Z. Ji, “Voronoi-visibility roadmap-based path planning algorithm for unmanned surface vehicles,” Journal of Navigation, vol. 72, no. 4, pp. 850–874, 2019.
[8] A. Makhsoos, H. Mousazadeh, and S. S. Mohtasebi, “Evaluation of some effective parameters on the energy efficiency of on-board photovoltaic array on an unmanned surface vehicle,” Ships and Offshore Structures, vol. 14, no. 5, pp. 492–500, 2019.
[9] Z. Ren, R. Skjetne, A. S. Verma, Z. Jiang, Z. Gao, and K. H. Halse, “Active heave compensation of floating wind turbine installation using a catamaran construction vessel,” Marine Structures, vol. 75, no. 102868, 2021.
[10] G. Sirigineedi, A. Tsourdos, B. White, and R. Zbikowski, “Kripke modelling and model checking of a multiple UAV system monitoring road network,” in Proceedings of the AIAA Guidance, Navigation, and Control Conference, vol. 4, 2010.
[11] M. Webster, N. Cameron, M. Fisher, and M. Jump, “Generating certification evidence for autonomous unmanned aircraft using model checking and simulation,” Journal of Aerospace Information Systems, vol. 11, no. 5, pp. 258–279, 2014.
[12] J. Ezekiel, A. Lomuscio, L. Molnar, S. M. Veres, and M. Peabody, “Verifying fault tolerance and self-diagnosability of an autonomous underwater vehicle,”
IJCAI-11 : 22nd International Joint Conferenceon Artificial Intelligence Workshop. AIl in Space: Intelligence beyondPlanet Earth, Barcelona, Spain. 15 - 21 Jul 2011. 6 pp , 2011.[13] L. Molnar and S. Veres, “System verification of autonomous underwa-ter vehicles by model checking,” in
OCEANS 2009-EUROPE . IEEE,2009, pp. 1–10.[14] E. M. Clarke and B.-H. Schlingloff, “Handbook of AutomatedReasoning,” A. Robinson and A. Voronkov, Eds. Amsterdam, TheNetherlands, The Netherlands: Elsevier Science Publishers B. V.,2001, ch. Model Checking, pp. 1635–1790. [Online]. Available:http://dl.acm.org/citation.cfm?id=778522.778533 [15] J. Choi, S. Kim, and A. Tsourdos, “Verification of heterogeneousmulti-agent system using MCMAS,”
International Journal of SystemsScience , vol. 46, no. 4, pp. 634–651, 2015.[16] M. Barbier, A. Renzaglia, J. Quilbeuf, L. Rummelhard, A. Paigwar,C. Laugier, A. Legay, J. Iba˜nez-Guzm´an, and O. Simonin, “Validationof perception and decision-making systems for autonomous drivingvia statistical model checking,” in . IEEE, 2019, pp. 252–259.[17] E. M. Clarke, T. A. Henzinger, H. Veith, and R. Bloem,
Handbook ofmodel checking . Springer, 2018, vol. 10.[18] G. Brat and A. Jonsson, “Challenges in verification and validation ofautonomous systems for space exploration,” in
Neural Networks, 2005.IJCNN’05. Proceedings. 2005 IEEE International Joint Conference on ,vol. 5. IEEE, 2005, pp. 2909–2914.[19] C. Pecheur, “Verification and validation of autonomy software atNASA,” National Aeronautics and Space Administration, Tech. Rep.,08 2000.[20] M. M. Quottrup, T. Bak, and R. Zamanabadi, “Multi-robot planning:A timed automata approach,” in
Robotics and Automation, 2004.Proceedings. ICRA’04. 2004 IEEE International Conference on , vol. 5.IEEE, 2004, pp. 4417–4422.[21] G. Sirigineedi, A. Tsourdos, B. A. White, and R. Zbikowski, “To-wards verifiable approach to mission planning for multiple UAVs,”in
Proceedings of AIAA Infotech@ Aerospace Conference and AIAAUnmanned.. Unlimited Conference , 2009.[22] G. Sirigineedi, A. Tsourdos, B. A. White, and R. ˙Zbikowski, “Kripkemodelling and verification of temporal specifications of a multipleUAV system,”
Annals of Mathematics and Artificial Intelligence ,vol. 63, no. 1, pp. 31–52, 2011.[23] S. Jeyaraman, A. Tsourdos, R. ˙Zbikowski, and B. White, “Kripkemodelling approaches of a multiple robots system with minimalistcommunication: a formal approach of choice,”
International journalof systems science , vol. 37, no. 6, pp. 339–349, 2006.[24] L. Humphrey and M. Patzek, “Model checking human-automationUAV mission plans,” in
Proceedings of the AIAA Guidance, Navi-gation, and Control (GNC) Conference , 2013.[25] L. Humphrey, “Model checking UAV mission plans,” in
Proceedingsof AIAA Conference on Modeling and Simulation Technologies
Logic in Computer Science: Modelling andreasoning about systems . Cambridge university press, 2004.[28] H. Niu, Y. Lu, A. Savvaris, and A. Tsourdos, “An energy-efficient pathplanning algorithm for unmanned surface vehicles,”
Ocean Engineer-ing , vol. 161, pp. 308–321, 2018.[29] H. Niu, Z. Ji, A. Savvaris, and A. Tsourdos, “Energy efficient pathplanning for unmanned surface vehicle in spatially-temporally variantenvironment,”
Ocean Engineering , vol. 196, p. 106766, 2020.[30] A. Savvaris, H. Niu, H. Oh, and A. Tsourdos, “Development ofcollision avoidance algorithms for the c-enduro usv,” in