Execution Monitoring of High-Level Robot Programs

Imagine a robot that is executing a program on line and insofar as it is reasonable to do so it wishes to continue with this on line program execution no matter what exoge nous events occur in the world Execution monitoring is the robot s process of observ ing the world for discrepancies between the actual world and its internal representation of it and recovering from such discrepancies We provide a situation calculus based ac count of such on line program executions with monitoring This account relies on a speci cation for a single step interpreter for the logic programming language Golog The theory is supported by an implementation that is illustrated by a standard blocks world in which a robot is executing a Golog pro gram to build a suitable tower The moni tor makes use of a simple kind of planner for recovering from malicious exogenous actions performed by another agent After perform ing the sequence of actions generated by the recovery procedure the robot eliminates the discrepancy and resumes executing its tower building program We also indicate how within the formalism one can formulate various correctness prop erties for monitored systems Introduction and motivation Imagine a robot that is executing a program on line and insofar as it is reasonable to do so it wishes to continue with this on line program execution no mat ter what exogenous events occur in the world An ex ample of this setting which we treat in this paper is a robot executing a program to build certain towers of blocks in an environment inhabited by a some times malicious agent who might arbitrarily move Author names are alphabetical some block when the robot is not looking The robot is equipped with sensors so it can observe when the world fails to conform to its internal representation of what the world would be like in the absence of ma licious agents What could the robot do when it ob serves such a discrepancy between the actual world and its model of the world There are at least three possibilities It can give up trying to complete the execution of its program It can call on its programmer to give it a more so phisticated program one that anticipates all pos sible discrepancies between the actual world and its internal model and that additionally instructs it what to do to recover from such failures It can have available to it a repertoire of gen eral failure recovery methods and invoke these as needed One such recovery technique involves planning whenever it detects a discrepancy the robot computes a plan that when executed will restore the state of the world to what it would have been had the exogenous action not occurred Then it executes the plan after which it resumes execution of its program Execution monitoring is the robot s process of observ ing the world for discrepancies between physical re ality and its mental reality and recovering from such perceived discrepancies The approach to execu tion monitoring that we take in this paper is option above While option certainly is valuable and impor tant we believe that it will be di cult to write pro grams that take into account all possible exceptional cases It will be easier especially for inexperienced programmers to write simple programs in a language likeGolog and have a sophisticated execution monitor written by a di erent presumably more experienced programmer keep the robot on track in its actual ex ecution of its program In general we have the following picture The robot is executing a program on line By this we mean that it is physically performing actions in sequence as these are speci ed by the program After each execution of a primitive action or of a program test action the exe cution monitor observes whether an exogenous action has occurred If so the monitor determines whether the exogenous action can a ect the successful outcome of its on line execution If not it simply continues with this execution Otherwise there is a serious discrep ancy between what the robot sensed and its internal world model Because this discrepancy will interfere with the further execution of the robot s program the monitor needs to determine corrective action in the form of another program that the robot should con tinue executing on line instead of its original program So we will understand an execution monitor as a mech anism that gets output from sensors compares sensor measurements with its internal model and if neces sary produces a new program whose on line execution will make things right again Our purpose in this paper is to provide a situation calculus based account of such on line program execu tions with monitoring To illustrate the theory and implementation we consider a standard blocks world as an environment in which a robot is executing a Golog program to build a suitable tower The mon itor makes use of a simple kind of planner for recov ering from malicious exogenous actions performed by another agent After the robot performs the sequence of actions generated by the recovery procedure the discrepancy is eliminated and the robot can resume building its goal tower The Situation Calculus and Golog The version of the situation calculus that we use here has been described in and elsewhere The situation calculus is a second order language speci cally designed for representing dynamically changing worlds All changes to the world are the result of named actions A possible world history which is sim ply a sequence of actions is represented by a rst order term called a situation The constant S is used to de note the initial situation namely the empty history Non empty histories are constructed using a distin guished binary function symbol do do s denotes the successor situation to s resulting from performing the action Actions may be parameterized For ex ample put x y might stand for the action of putting object x on object y in which case do put A B s denotes that situation resulting from placing A on B when the history is s In the situation calculus ac tions are denoted by rst order terms and situations world histories are also rst order terms For exam ple do putdown A do walk L do pickup A S is the situation denoting the world history consisting We allow nondeterministic programs so that even by itself this idea of an on line execution of a program is problematic See Section below of the sequence of actions pickup A walk L put down A Notice that the sequence of actions in a his tory in the order in which they occur is obtained from a situation term by reading o the actions from right to left Relations whose truth values vary from situation to situation are called relational uents They are de noted by predicate symbols taking a situation term as their last argument Similarly functions whose values vary from situation to situation are called functional uents and are denoted by function symbols taking a situation term as their last argument For exam ple isCarrying robot p s meaning that a robot is carrying package p in situation s is a relational u ent location robot s denoting the location of robot in situation s is a functional uent For simplicity we shall not treat functional uents in this paper To axiomatize the primitive actions and uents of a domain of application one must provide the following axioms Action precondition axioms one for each primi tive action A x having the syntactic form Poss A x s A x s where A x s is a formula with free variables among x s and whose only situation term is s Action precondition axioms characterize via the formula A x s the conditions under which it is possible to execute action A x in situation s In addition to these one must provide suitable unique names axioms for actions Successor state axioms one for each uent F hav ing the syntactic form F x do a s F x a s where F x a s is a formula with free variables among x a s and whose only situation term is s Successor state axioms embody the solution to the frame problem of Reiter Axioms describing the initial situation what is true initially before any actions have occurred This is any nite set of sentences that mention only the situation term S or that are situation independent