Chapter IV: Directive-response Assume-guarantee Contracts for an Auto-

4.3 Mathematical Formulation

Definition 4.3.1(Path). Apathis a continuous map 𝑝: [0,1] → R². 𝑝(0)is called the start point of 𝑝 and 𝑝(1) is called the end point of 𝑝. For each path 𝑝, let 𝑝_ℎ : [0,1] → (−180,180] be such that 𝑝_ℎ(𝑠) is the heading angle measured in degrees from the abscissa to 𝑝⁰(𝑠), the derivative vector of 𝑝with respect to𝑠. For 𝑡 ∈ [0,1], let ˜𝑝(𝑡) denote the element 𝑝(𝑡) × 𝑝_ℎ(𝑡)ofR³.

We will denote the set of all paths byPand, by abuse of notation, we will also use 𝑝to denote 𝑝( [0,1]), the image of [0,1]under 𝑝.

Definition 4.3.2 (Curvature feasibility). Given 𝜅 > 0 and a path 𝑝, 𝜅-feasible(𝑝) is set to True if and only if 𝑝 is twice differentiable on [0,1], and its curvature

|det(𝑝⁰(𝑠), 𝑝⁰⁰(𝑠)) |

k𝑝⁰(𝑠) k³ < 𝜅 for𝑠 ∈ [0,1].

Definition 4.3.3 (𝛿-corridor). Let B B {True,False}. If 𝑝 ∈ P, and 𝛿 : P × [0,1] ×R³→Bis such that the corresponding subset:

Γ𝛿(𝑝) B Ø

𝑠∈[0,1]

Γ𝛿(𝑝, 𝑠),

whereΓ𝛿(𝑝, 𝑠) B {(𝑥 , 𝑦, 𝜃) ∈ R³ | 𝛿(𝑝, 𝑠,(𝑥 , 𝑦, 𝜃)) = True} such thatΓ𝛿(𝑝, 𝑠) is open and contains ˜𝑝(𝑠), then we say thatΓ𝛿(𝑝) is a𝛿-corridorfor 𝑝.

AVP World Building Blocks

In this section, we will introduce naming symbols for objects that exist in the AVP world.

Definition 4.3.4(AVP World). TheAVP worldconsists of the following:

1. A distinguished set of indexing symbolsT:={𝑡 , 𝑡⁰, 𝑡⁰⁰, ...} denoting time.

2. A set of typed variablesUto denote actions, states, channels, etc.

3. The following set of constants: C,Gwhere

a) C, a set of symbols, is called the customer set.

b) G, a set of symbols, is called the garage set containing the following constant values:

i. G.𝑑𝑟 𝑖 𝑣 𝑎 𝑏𝑙 𝑒_𝑎𝑟 𝑒 𝑎 ⊆ R³, the set of configurations that vehicles are allowed to be in;

ii. G.𝑤 𝑎𝑙 𝑘 𝑎 𝑏𝑙 𝑒_𝑎𝑟 𝑒 𝑎 ⊆ R², the area that pedestrians are allowed to walk on;

iii. G.𝑒𝑛𝑡𝑟 𝑦_𝑐𝑜𝑛 𝑓 𝑖𝑔𝑢𝑟 𝑎𝑡𝑖 𝑜𝑛𝑠 ⊆ R³, a set of configurations that the customers can deposit their car in;

iv. G.𝑟 𝑒𝑡 𝑢𝑟 𝑛_𝑐𝑜𝑛 𝑓 𝑖𝑔𝑢𝑟 𝑎𝑡𝑖 𝑜𝑛𝑠 ⊆ R³, a set of configurations that the car should be returned in;

v. G. 𝑝 𝑎𝑟 𝑘 𝑖𝑛𝑔_𝑠 𝑝 𝑜𝑡 𝑠 ∈ N, the number of parking spots available in the parking lot;

vi. G.𝑖𝑛𝑡 𝑒𝑟 𝑖 𝑜𝑟 ⊆ R², the area inside the parking garage.

Directive-Response Message Types

Each channel in the system is associated with a unique message type. The following are all the message types in our AVP system.

1. A(·), directive types:

a) A(CustomerInterface) B {Park,Retrieve}, b) A(Supervisor) BR⁶,

c) A(Planner) B P,

d) A(Tracker) BI ⊆ R², the set of all control inputs.

2. B(·), response types:

a) B(CustomerInterface) B {Failed},

b) B(Supervisor) B {Rejected,Accepted,Returned},

c) B(Planner) =B(Tracker) B {Blocked,Failed,Completed}.

For each typeT, we will denote by ˜Tthe product typeT×Cwhich will be used to associate a message of type Twith a specific customer inC. In addition, we will useIdto denote the set of message IDs.

Behavior

For each variable 𝑢 ∈ U, we denote by type(𝑢) thetype of 𝑢, namely, the set of values that it can take. The types of elements ofTare taken to beR≥0.

Definition 4.3.5 (Behavior). Let 𝑍 be an ordered subset of variables in U. A 𝑍-behavior is an element of B (𝑍) B (Î

𝑧∈𝑍 type(𝑧))^R≥0. Given 𝜎_𝑍 ∈ B (𝑍) and 𝜏 ∈T, we will call𝜎_𝑍(𝜏)thevaluationof𝑍at time𝜏. If𝑧 ∈ 𝑍, we will also denote by𝑧(𝜏)the value of𝑧at time𝜏.

Note that each behavior in𝑍 ⊆ Ucan be “lifted” to a set of behaviors inUby letting variables that are not contained in 𝑍 assume all possible values in their domains.

Additionally, the set of behaviorsB (𝑍)can be lifted to a set of behaviors in B (U) in a similar way. To ease notational burden for the reader, we will take the liberty of not explicitly making any reference to the “lifting” operation when they are in use unless there is any ambiguity that may result from doing so.

Definition 4.3.6(Constraint). A constraint 𝑘 on a set of variables 𝑍 is a function that maps each behavior of 𝑍 to an element of B, the Boolean domain. In other words,𝑘 ∈B^{B (𝑍)}.

Note that by “lifting”, a constraint on a set of variables𝑍 is also a constraint onU. Definition 4.3.7(Channel variables). For each component𝑋and another component 𝑌, we can define two types ofchannel variables:

• 𝑋_←𝑌, denoting an incoming information flow from𝑌 to 𝑋,

• 𝑋_→𝑌, denoting an outcoming information flow from 𝑋 to𝑌.

In this work, we assume that𝑋_→𝑌 is always identical to𝑌_←𝑋. Each channel variable must have a well-defined message type and each message 𝑚 has an ID denoted by id(𝑚) ∈ Id. If the message has value𝑣, then we will denote it by[𝑣 ,id(𝑚)], but we will often refer to it as[𝑣]whereby we omit the ID part to simplify the presentation.

Intuitively, given a behavior, a channel variable𝑥is a function that maps each time step to the message the associated channel is broadcasting at that time step.

Definition 4.3.8(System). Asystem𝑀 consists of a set of each of the following 1. internal variables/constants var^𝑀_𝑋,

2. output channel variables var_𝑌^𝑀, 3. input channel variables var_𝑈^𝑀,

4. constraints con𝑀 on var^𝑀_𝑋 ∪var_𝑌^𝑀∪var_𝑈^𝑀.

A behavior of a system 𝑀 is an element of the set of behaviors that correspond to var^𝑀_𝑋 ∪var_𝑌^𝑀∪var_𝑈^𝑀 subject to con𝑀. This is denoted byB (𝑀).

Directive-response

Before introducing directive-response systems, for any predicates𝐴and𝐵, we define the following syntax:

𝐴 { 𝐵 B∀𝑡 :: 𝐴(𝑡) ⇒ ∃𝑡⁰≥ 𝑡 :: 𝐵(𝑡⁰). (“leads to”) 𝐴 𝐵 B∀𝑡 :: 𝐵(𝑡) ⇒ ∃𝑡⁰ ≤𝑡 :: 𝐴(𝑡⁰). (“precedes”) ^≥𝑡𝐴 B∀𝑡⁰≥ 𝑡 :: 𝐴(𝑡⁰). (“always from𝑡”) starts_at(𝐴, 𝑡) B 𝐴(𝑡) ∧ ∀𝑡⁰< 𝑡 ::¬𝐴(𝑡⁰). (4.1) If𝑀 is a set-valued variable, then we define

persistent(𝑀) B∀𝑡 ::∀𝑚 ::𝑚 ∈ 𝑀(𝑡) ⇒ ^≥𝑡(𝑚 ∈ 𝑀). (4.2) Definition 4.3.9 (Directive-response system). A directive-response system 𝑀 is a system such that for each output (resp., input) channel variable 𝑐 ℎ𝑎𝑛 there is an internal variablesend𝑐 ℎ𝑎𝑛 (resp.,receive𝑐 ℎ𝑎𝑛) whose domain is a collection of sets of messages that are of the type associated with𝑐 ℎ𝑎𝑛. If𝑐 ℎ𝑎𝑛is an output channel variable, there is a causality constraint𝑘_{𝑐 ℎ𝑎𝑛} ∈con𝑀 defined by

𝑘_{𝑐 ℎ𝑎𝑛} B𝑚 ∈send𝑐 𝑚 =𝑐 ℎ𝑎𝑛. (4.3)

That is, a message must be sent before it shows in the channel. Otherwise if𝑐 ℎ𝑎𝑛 is an input channel variable, then

𝑘_{𝑐 ℎ𝑎𝑛} B 𝑚 =𝑐 ℎ𝑎𝑛 𝑚 ∈receive𝑐 ℎ𝑎𝑛. (4.4)

Namely, a message cannot be received before it is broadcasted.

Definition 4.3.10(Lossless directive-response system). A lossless directive-response system is a directive-response system such that if𝑐 ℎ𝑎𝑛 is an output channel, then

persistent(send𝑐 ℎ𝑎𝑛) ∧ (𝑚 ∈send𝑐 ℎ𝑎𝑛 {𝑚 =𝑐 ℎ𝑎𝑛), (4.5) and if𝑐 ℎ𝑎𝑛is an input channel

persistent(receive𝑐 ℎ𝑎𝑛) ∧ (𝑚=𝑐 ℎ𝑎𝑛 { 𝑚 ∈receive𝑐 ℎ𝑎𝑛). (4.6) Definition 4.3.11(Assume-guarantee contracts for directive-response systems). An assume-guarantee contract C for a directive-response system 𝑀 consists of a pair of behaviors 𝐴, 𝐺 of 𝑀 and denoted byC = (𝐴, 𝐺). An environment forC is any set of all behaviors that are contained in 𝐴while an implementation ofCis any set of behaviors that is contained in 𝐴 ⇒𝐺. Cis said to be saturated if the guarantee part satisfies𝐺 = (¬𝐴∨𝐺) = (𝐴⇒𝐺).

Note that any contract can be converted to the saturated form without changing its sets of environments and implementations. The saturated form is useful in making contract algebra less cumbersome in general. If 𝑀 is a system, then we say 𝑀 satisfies Cif B (𝑀) ⊆ (𝐴 ⇒ 𝐺). Furthermore, the system composition 𝑀₁× 𝑀₂ of𝑀₁and𝑀₂is a system whose behavior is equal toB (𝑀₁) ∩ B (𝑀₂).

Definition 4.3.12 (Customer). A customer is an element of C. Corresponding to each𝑐 ∈ Cis a set ofU variables var(𝑐) that include𝑐 .𝑥, 𝑐 . 𝑦 (the coordinates of the customer him/herself), 𝑐 .𝑐𝑎𝑟 .𝑥, 𝑐 .𝑐𝑎𝑟 . 𝑦, 𝑐 .𝑐𝑎𝑟 .𝜃 (the coordinates and heading of the customer’s car), 𝑐 .𝑐𝑎𝑟 . ℎ𝑒 𝑎𝑙 𝑡 ℎ 𝑦, whether the car is healthy, 𝑐 .𝑐𝑜𝑛𝑡𝑟 𝑜𝑙 𝑠.𝑣, 𝑐 .𝑐𝑜𝑛𝑡𝑟 𝑜𝑙 𝑠. 𝜑(the velocity and steering inputs to the vehicle),𝑐 .𝑐𝑎𝑟 .ℓ(the length of the car),𝑐 .𝑐𝑎𝑟 .𝑡 𝑜𝑤 𝑒 𝑑 (whether the car is being towed). We will use the shorthand 𝑐 .𝑐𝑎𝑟 .𝑠𝑡 𝑎𝑡 𝑒to mean the 3-tuple (𝑐 .𝑐𝑎𝑟 .𝑥 , 𝑐 .𝑐𝑎𝑟 . 𝑦, 𝑐 .𝑐𝑎𝑟 .𝜃).

For each behavior inB (U), we require each𝑐 ∈Cfor which𝑐 .𝑐𝑎𝑟 .𝑡 𝑜𝑤 𝑒 𝑑isFalse to satisfy the following constraints that describe the Dubins car model:

𝑑(𝑐 .𝑐𝑎𝑟 .𝑥) 𝑑 𝑡

(𝑡) =𝑐 .𝑐𝑜𝑛𝑡𝑟 𝑜𝑙 𝑠.𝑣(𝑡)cos(𝑐 .𝑐𝑎𝑟 .𝜃(𝑡)) 𝑑(𝑐 .𝑐𝑎𝑟 . 𝑦)

𝑑 𝑡

(𝑡) =𝑐 .𝑐𝑜𝑛𝑡𝑟 𝑜𝑙 𝑠.𝑣(𝑡)sin(𝑐 .𝑐𝑎𝑟 .𝜃(𝑡)) 𝑑(𝑐 .𝑐𝑎𝑟 .𝜃)

𝑑 𝑡

(𝑡) = 𝑐 .𝑐𝑜𝑛𝑡𝑟 𝑜𝑙 𝑠.𝑣(𝑡) 𝑐 .𝑐𝑎𝑟 .ℓ

tan(𝑐 .𝑐𝑜𝑛𝑡𝑟 𝑜𝑙 𝑠. 𝜑(𝑡)).

(4.7)

Table 4.1: CustomerInterfacedirective-response system.

Internal variables/constantsvar𝑋

C The set of all customers in the AVP world.

Outputsvar𝑌

CustomerInterface→Supervisor An output channel of type ˜A(CustomerInterface). Inputsvar𝑈

CustomerInterface←Supervisor An input channel of type ˜B(Supervisor).

CustomerInterface_←Tracker An input channel of type ˜A(Tracker).

Constraintscon𝑀

Vehicle dynamics See (4.7)

Car and pedestrian limits (4.8) and (4.9).

AVP System

By treating theCustomerInterfaceas an external component, the AVP system con- sists of three internal components: Supervisor, Planner, and Tracker. These systems are described below.

CustomerInterface

The environment in which the system shall operate consists of the customers and the pedestrians which we will call a CustomerInterface. A customer drops off the car at the drop-off location and is assumed to make a request for the parked car back from the garage eventually. The pedestrians are also controlled by the environment.

When a pedestrian was generated by the environment, they start walking on the crosswalks. Pedestrians are confined to the pedestrian path, meaning they will not leave the crosswalk and walkway areas and their dynamics are continuous, meaning no sudden jumps. The cars move according to their specified dynamics. This includes a breaking distance depending on their velocity and maximum allowed curvature. For a formal description, refer to Table 4.1. Below are some constraints we impose on this module.

∀𝑐 ∈C::(𝑣_min ≤ 𝑐 .𝑐𝑜𝑛𝑡𝑟 𝑜𝑙 𝑠.𝑣∧𝑐 .𝑐𝑜𝑛𝑡𝑟 𝑜𝑙 𝑠.𝑣 ≤ 𝑣_max

∧𝜑_min ≤ 𝑐 .𝑐𝑜𝑛𝑡𝑟 𝑜𝑙 𝑠. 𝜑∧𝑐 .𝑐𝑜𝑛𝑡𝑟 𝑜𝑙 𝑠. 𝜑 ≤ 𝜑_max) (4.8)

∀𝑐∈C::∀𝑠.

𝑑(𝑐 .𝑥) 𝑑 𝑡

(𝑠),

𝑑(𝑐 . 𝑦) 𝑑 𝑡

(𝑠)

≤ 𝑣_{𝑝 𝑒 𝑑 ,max}. (4.9) Supervisor

A Supervisor component is responsible for the high level decision making in the process. It receives theCustomerInterface: requests and processes them by sending

Table 4.2: Supervisordirective-response system.

Internal variables/constantsvar𝑋

G.∗ AllGobjects.

𝑛𝑢𝑚_𝑎 𝑐𝑡𝑖 𝑣 𝑒_𝑐𝑢 𝑠𝑡 𝑜𝑚 𝑒𝑟 𝑠 The number of cars currently being served in the parking lot.

Outputsvar𝑌

Supervisor→CustomerInterface An output channel of type ˜B(Supervisor).

Supervisor_→Planner An output channel of type ˜A(Supervisor).

Inputsvar𝑈

Supervisor←CustomerInterface An input channel of type ˜A(CustomerInterface). Supervisor_←Planner An input channel of type ˜B(Planner).

Constraintscon𝑀

Parking lot topology Any specific geometric constraints onG.∗.

Number of active customers 𝑛𝑢𝑚_𝑎 𝑐𝑡𝑖 𝑣 𝑒_𝑐𝑢 𝑠𝑡 𝑜𝑚 𝑒𝑟 𝑠must be equal to the num- ber of cars that have been accepted but not yet left the parking lot.

Table 4.3: Plannerdirective-response system.

Interval variables/constantsvar𝑋

G.∗ AllGobjects.

{𝑐 .𝑐𝑎𝑟 .𝑥 , 𝑐 .𝑐𝑎𝑟 . 𝑦, 𝑐 .𝑐𝑎𝑟 .𝜃|𝑐∈C} The configurations of all cars in AVP world.

𝜅 Maximum allowable curvature.

Outputsvar𝑌

Planner→Supervisor An output channel of type ˜B(Planner).

Planner_→Tracker An output channel of type ˜A(Planner).

Inputsvar𝑈

Planner←Supervisor An input channel of type ˜A(Supervisor).

Planner_←Tracker An input channel of type ˜B(Tracker).

Constraintscon𝑀

Parking lot topology Any specific geometric constraints onG.∗.

𝜅 Maximum allowable curvature given car dynamics

and input constraints.

the appropriate directives to thePlannerto fulfill a task. ASupervisordetermines whether a car can be accepted into the garage or rejected. It also receives responses from thePlanner. ASupervisoris to be aware of the reachability, the vacancy, and occupied spaces in the lot, as well as the parking lot layout. Formally, aSupervisor is a lossless directive-response system described by Table 4.2.

Planner

A Planner system receives directives from the Supervisor to make a car reach a specific location in the parking lot. APlannersystem may have access to a planning graph determined from the parking lot layout, and thus can generate executable trajectories for the cars to follow. ThePlanneris aware of the locations of the agents and the obstacles in the parking lot from the camera system. APlanneris a lossless directive-response system described by Table 4.3.

Table 4.4: Trackerdirective-response system.

Interval variables/constantsvar𝑋

𝛿 Corridor map.

𝜀_{min, 𝑐 𝑎𝑟} Minimum safety distance to other cars.

𝜀_min, 𝑝 𝑒𝑜 𝑝𝑙 𝑒 Minimum safety distance to pedestrians.

Outputsvar𝑌

Tracker_→Planner An output channel of type ˜B(Tracker).

Tracker→CustomerInterface An output channel of type ˜A(Tracker).

Inputsvar𝑈

Tracker_←Planner An input channel of type ˜A(Planner).

Constraintscon𝑀

Corridor constraints In our implementation, we define the𝛿-corridor for any path𝑝to be the open set containing points whose distance to the closest point in𝑝does not exceed 3 meters.

𝜀_{min, 𝑐 𝑎𝑟},𝜀_min, 𝑝 𝑒𝑜 𝑝𝑙 𝑒 These values are determined based on the dynamics and the uncertaintyΔ𝐶 𝑎𝑟.

l Figure 4.2: Contracts between the components of the AVP system.

Tracker

A Tracker system is responsible for the safe control of cars that are accepted into the garage by a Supervisor. It receives directives from a Planner consisting of executable paths to track and send responses based on the task status to aPlanner.

See Table 4.4.