Intelligent Modeling and Verification 2014
Research Article | Open Access
A Case Study on Formal Analysis of an Automated Guided Vehicle System
This paper considers a hybrid I/O automata model for an automated guided vehicle (AGV) system. A set of key properties of an AGV system is characterized for the correctness of the system. An abstract model is constructed from the hybrid automata model to simplify the proof of the constraints; the two models are equivalent in terms of a bisimulation relation. We derive the constraints that ensure the correctness of the properties, and we validate the system by analyzing the parameters of the constraints of the AGV system.
Complex systems cannot be described by a purely discrete model or a purely continuous model [1–3]. Hybrid models have become increasingly popular in the last few decades as systems have become increasingly complex. A hybrid system is a dynamic system with interacting continuous-time-triggered and discrete-event-triggered dynamics [1, 2, 4–6]. Many applications involve hybrid systems, such as embedded controllers, robotics [8, 9], mobile computing, and process control, in which high reliability is a requirement. To model such a system, we need to describe and analyze it with the rigorous use of mathematics. An I/O automaton is used to model concurrent and distributed discrete event systems. A hybrid input/output automaton (HIOA) is a framework developed by Lynch et al. that extends hybrid automata for modeling complex hybrid systems. This is done by dividing the state variables of a HIOA into two sets, internal variables and external variables, where the external variables comprise input variables and output variables. Discrete transitions and continuous trajectories can change the states of a system. An extremely important feature of the hybrid I/O automaton framework is that the hybrid system is divided into multiple modules. These modules are described separately so that the hybrid system can be modeled easily. Hybrid I/O automata use the external variables, input variables, and output variables to communicate among automata.
Automated guided vehicles (AGVs) are robots that move on the floor of a facility directed by a combination of software and sensor-based guidance systems. The earliest AGVs date back to Barrett Electronics in 1953. One of the oldest publications on AGVs can be found in . In the past, AGVs were typically deployed in manufacturing facilities because of their efficiency, accuracy, and flexibility. Nowadays, AGVs are also used in warehouses, distribution centers, transshipment terminals, and so forth, for repeated transportation tasks [14, 15]. The tracking path for an AGV can be designed as a circle, an ellipse, a sine wave, or other shapes such as arbitrary curves [16, 17]. Trajectory tracking itself is an important problem, and many papers develop effective approaches to it; here, however, the AGV serves as an example of applying HIOA modeling. Our modeling is inspired by . But unlike , which uses a straight-line orbit that can be approximated as one-dimensional, we investigate a two-dimensional problem where an automated guided vehicle moves along a circular painted orbit.
The first contribution of this paper is the formal modeling of an automated guided vehicle system using hybrid I/O automata. The second contribution is a set of important constraints that are characterized to ensure the correctness of the properties of the vehicle system. In order to simplify the model, we abstract a model from the hybrid automata of the AGV and establish a bisimulation relation between the two automata.
This paper is organized as follows. In Section 2, an automated guided vehicle system is introduced. In Section 3, the HIOA framework is introduced. In Section 4, we present a HIOA model of the AGV system and abstract a model from the HIOA model; we prove that the two models have a bisimulation relation. In Section 5, we extract the key properties and deduce the corresponding constraints to ensure the correctness of the properties. In Section 6, we analyze the parameters of the AGV system. Finally, we point out some directions for future work.
2. An Automated Guided Vehicle System
We introduce the structure and behavior of a vehicle. The vehicle consists of five components: the left wheels, the right wheels, the chassis, the sensor, and the controller. Figure 1 shows the circular orbit tracking of our vehicle, which is the focus of the remainder of this paper. The vehicle has two degrees of freedom. One is the velocity: at any time , it can move forward with a speed of , with the restriction that mph (miles per hour). The other degree of freedom is the circular movement of the vehicle: at any time the vehicle can rotate its body via the wheels with an angular speed of rad/s (radians per second). Ignoring the inertia of the vehicle, we assume that we can instantaneously change the velocity or the angular speed. The sensor measures the displacement between the center of the vehicle and the center of the track using an array of photodiodes. As the AGV passes over the track, the diode directly above the track generates more current than the other diodes. If the vehicle is close enough to the track, it will move forward. When the vehicle strays too far to the left, it will steer to the right; and when the vehicle strays too far to the right, it will steer to the left. The vehicle can be stopped at any time as long as it receives the control signal. If the vehicle is so far from the track that it cannot follow it, then it moves backward.
3. Hybrid I/O Automata Framework
In this section, we first introduce some basic notions about the model we use and then consider the definitions and theories of hybrid automata, hybrid I/O automata, and their operations . More detailed discussion of the hybrid I/O automata can be found in .
3.1. Basic Notions
Hybrid behaviors, including discrete behavior, continuous behavior, and information flows into the system, are often described using static and dynamic variables, trajectories, and hybrid sequences. First, we introduce several basic notions involved in hybrid behavior. A location of the internal state of a system, or a location of a connection between a component of one system and a component of another, can be represented as a variable, which may be static in type and denote a set of values of the variable, or dynamic in type and denote a set of trajectories of the variable. A set of variables can be changed by discrete transitions, which are taken via discrete actions when they are enabled, or by trajectories over a time interval. A hybrid sequence represents a series of changes that occur instantaneously along with the evolution of time and may be finite or infinite.
3.2. Hybrid Automata
As hybrid I/O automata are an extension of hybrid automata, we define the structure of hybrid automata first in order to describe the hybrid I/O automata. The definition of hybrid automata is given below, where denotes mathematical definition. For a more detailed description, see .
Definition 1. A hybrid automaton (HA) is an eight-tuple , where
(i) is a set of external variables,
(ii) is a set of internal variables, and is the union that represents all variables,
(iii) is a set of states,
(iv) is a nonempty set of initial states,
(v) is a set of external actions,
(vi) is a set of internal actions, and is the union of and ,
(vii) is a set of discrete transitions,
(viii) is a set of trajectories for . For every and (domain of ), we have , where is the restriction of to ; that is, the function with such that . We require the following axioms:
(A1) for all , for all ;
(A2) for all , for all , where denotes ;
(A3) suppose is a sequence of trajectories in ; if is closed and , where , is not the last trajectory of the hybrid sequence, then , where .
An execution fragment of a hybrid automaton is a hybrid sequence , where , where is a nonnegative integer and is defined in Definition 1; and if is not the last trajectory, then , where represents the last state and denotes the first state. When every input trajectory of a composition is accepted by the composition, we say that the components of the composition are strongly compatible HIOAs. A trace is the external behavior of a hybrid I/O automaton. Concatenation links two hybrid sequences together: let and be hybrid sequences with closed; their concatenation is denoted by .
3.3. Hybrid I/O Automata
We described hybrid automata above. Here, we present the behavior and structure of a HIOA. A HIOA is used to model a complex hybrid system. The discrete state of the controller can be modeled by control modes, represented as internal variables. Each mode observes an invariant condition. The internal variables can be changed in two ways: in a discrete transition or in a continuous trajectory. External variables, including input variables and output variables, are used to exchange information between two automata. Here is the definition of a hybrid input/output automaton. For a more detailed description, see .
Definition 2. A hybrid I/O automaton (HIOA) is a five-tuple , where
(i) is a hybrid automaton,
(ii) is a set of input variables,
(iii) is a set of output variables,
(iv) is a set of input actions,
(v) is a set of output actions,
(vi) the following axioms are satisfied:
(A1) for all , for all such that ,
(A2) let denote the set of all trajectories for ; for all , for all such that , and either (a) , or (b) is closed and some is enabled in , where represents such that has .
We further define
(i) as the set of variables that are locally controlled, and
(ii) as the set of actions that are locally controlled.
Typically, it is difficult to model a complex system in one shot. HIOA can decompose a hybrid system into multiple components, model each module as a HIOA, and then compose them at the end. We introduce a very important operation that composes two HIOAs, denoted by the symbol . For the proofs of Theorem 3 and Lemma 4, see .
Theorem 3. is a hybrid I/O automaton when and are strongly compatible hybrid I/O automata and .
Another important operation is hiding external variables in HIOA. Suppose , , , and .
Lemma 4. If is a HIOA and , then is a HIOA.
Definition 5 (simulation relations). Given two comparable HIOAs and , for all states of and of , there exists a simulation relation from to (denoted as ) when the following three conditions are met:
(i) knowing that , suppose there exists a state such that , where is the set of initial states of and is the set of initial states of ;
(ii) suppose and an execution fragment of , with execution fragment meeting ; then there exists a closed execution fragment in that meets , , and ;
(iii) suppose and an execution fragment of has ; then there exists a closed execution fragment in that meets , , and .
Corollary 6. Given two comparable HAs and , and a simulation from to denoted as , then .
Definition 7 (bisimulation). Given two comparable HIOAs and , consider all pairs among all reachable states of and , with in and in . If every reachable state in with implies the existence of a state in such that , and at the same time every reachable state in with implies the existence of a state in such that , then we say that and have a bisimulation relation.
4. Modeling the AGV System
We model the AGV system using HIOA. Inspired by , the AGV system is modeled as a network of hybrid automata as shown in Figure 2. The model consists of five parts: chassis, left wheels, right wheels, sensor, and controller. The five components communicate via shared variables. In Figure 2, variables and are the angles of the left and right wheels relative to the positive -axis of the global coordinate frame, respectively. Variables and represent the chassis coordinates with respect to the global coordinate frame. Variable is the distance by which the center of the AGV deviates from the center of the track at time . The variable is used to communicate between the sensor and the controller. The controller receives the variable , sends control signals to the left wheel and the right wheel, and thereby changes the mode of the AGV.
XOY is the global coordinate frame. is the forward velocity of the car. is the sampling time. is the angular speed of the vehicle. is the displacement of the center of the vehicle from the track at time . is the threshold indicating that the AGV is close enough to the center of the track that the AGV can move straight ahead in a forward mode. is the threshold indicating that there is too great a distance between the center of the AGV and the center of track, and that the vehicle must therefore be steered to the other side. is the threshold denoting that the vehicle has strayed so far from the center of track that the vehicle is in an unsafe condition and must be moved back via switching to the back mode. is the maximum angle of vehicle velocity direction to the tangential direction of the center point on the track, where . is the angle of the vehicle velocity direction to the -axis positive direction. is the angle of the vehicle velocity direction to the tangential direction of the center point on the track, where . is the radius of the track.
The AGV system is decomposed into five components and modeled as hybrid automata: chassis, LWheel, RWheel, sensor, and controller, respectively.
4.1. Component Chassis
The chassis secures the position of each component. Its state is composed of three state variables: where is the -coordinate of the center of the vehicle; is the -coordinate of the center of the vehicle; and is the angle of the vehicle velocity direction to the positive -axis. We use differential algebraic equations (DAEs) to describe the dynamics of the chassis. Initially, we ensure that the vehicle moves forward, and the initial condition is
From Figure 2, the chassis secures the wheels. Hence the left wheels, right wheels, and the chassis have the same angles. We obtain the following algebraic equation:
4.2. Component LWheel
We model the behavior of the left wheels as the hybrid automaton LWheel. The left wheel has external variables: , which gives the -coordinate of the left wheel; , which gives the -coordinate of the right wheel; and , which is the angle of the moving direction of the left wheel to the positive -axis. The types of these variables are real. This hybrid automaton model has no actions or discrete transitions, only trajectories. It communicates with the controller via the Boolean variables and . We obtain differential equations for the left wheel as follows:
4.3. Component RWheel
Since the left wheels and right wheels are symmetrical, we omit the description of the right wheels.
4.4. Component Sensor
We model the behavior of the sensor as the hybrid automaton sensor, whose output at time , for all , gives the center position of the AGV relative to the center of the track, as shown in Figure 1. The sensor communicates with the controller through the variable , which equals . Since the hybrid automaton sensor has no internal variables, and there are neither actions nor discrete transitions, only the following algebraic equation has to be met by the trajectories of the sensor:
4.5. Component Controller
The controller can be divided into two levels. The supervisory controller determines the structure of the mode transitions and guards the enabled transitions. The low-level controller determines the time-based inputs to the system. We model the behavior of the controller as the hybrid automaton controller, whose input is the sensor value and whose outputs are the control signals to the left and right wheels that determine the operation of the wheels. There is a clock built into the controller for measuring the time interval since the last sampling. We use the variable to represent this clock. A clock can be modeled as a first-order differential equation, and the clock variable is defined as follows: where is the rate of the clock, is the time variable, and . In our model, the value of can be the constant 1.
The controller has a variable , which gets its value from the sensor. There are two variables recording the value of the sensor: variable , used to record the latest sample value, and variable , used to record the last sample value. In order to ensure that the vehicle moves forward, the initial states should satisfy:
We define a transition as occurring when a guard of an outgoing transition from the current state becomes enabled. This control logic is captured in the mode transitions. The outputs are the pure signals , , and . There are three Boolean variables recording the outputs, , , and , respectively. We use an asterisk to denote the next sample value. When the internal action clock is taken, each enabled state transition is taken: where denotes the event trigger.
For trajectories we require that for all time between clock transitions; that is, for all .
The will record the new value from the sensor:
For every state, the following equations must hold:
The control logic determines the change in the state of the controller. Our AGV runs on the circular track. Since the circle is symmetrical, it suffices to consider the situation in the first quadrant. The refinement of each mode gives the dynamic behavior of the output as a function of the input. We know that the displacement is a function of and , and the control logic guards determine whether each transition is enabled. They are as follows:
Since the left wheels, the right wheels, and the chassis have no output, they cannot be regarded as hybrid I/O automata on their own. Since and are internal variables of the wheels, we model the three components together as the hybrid I/O automaton Plant by hiding these variables. In our model of Plant, , , and are inputs, and and are outputs:
Likewise, the sensor can be regarded as a hybrid I/O automaton, for which the inputs are and , and the output is . The controller can also be viewed as a hybrid I/O automaton for which the input is , and the outputs are , , and . According to Theorem 3 and Lemma 4, all of the components of the system are HIOAs, and so is their composition. We obtain a complete hybrid I/O automaton of the AGV system by hiding the external variables:
We expect that the AGV always moves forward and never moves backward, and we use (14) to describe this situation. We select the appropriate thresholds and ensure that the vehicle moves in the way we expect by specifying parameter constraints for all reachable states of the hybrid I/O automaton :
In addition, we hope that the forward mode occurs infinitely often:
In order to simplify the model, we abstract a model from the previous model . Then, we use model instead of . We find the constraints we need from model to guarantee the correctness of the properties that we expect. Here, we simplify the model in several ways, as follows.
Based on (8), we know that the value of the variable sample remains unchanged during the interval after the current sampling and before the next sampling. Therefore we can easily prove that (14) is satisfied. We cannot consider the influence of the clock variable . Furthermore, we assume that the vehicle is at the initial state at the time 0:
We find that the variables and are ruled out in our abstract model. Now, we use the refinements of the five modes of AGV to describe the dynamic behavior of an AGV. The formulas of the five modes are given as , respectively; is the disjunction of the five:
Now we have the abstract model of the AGV system. Since the abstract model omits the time variable, it is simpler than the original model. We will derive and verify the properties using the abstract model. There are two kinds of typical errors in formal verification. One is a true error: an error exists in the physical system, but formal verification reports the model as correct. This can happen because we abstract a model from our original model, and the details we omit may hide an error of the original model, so we obtain a passing proof. The other is a false error: no error exists in the physical system, but formal verification reports one. The cause is again that the abstract model omits details of the original model; lacking information from the original system, the abstract model cannot fully express it, and so the result of formal verification is incorrect.
In order to ensure that neither kind of error occurs, we prove that the original model and the abstract model have a bisimulation equivalence relation.
Lemma 8. Let be a set of all reachable states of , for all ; one has
Theorem 9. The two comparable HIOAs and have a bisimulation relation.
Proof. Owing to space limitations, we do not provide a detailed proof of Theorem 9, but we give the key step. and satisfy the following condition:
For all state pairs among all reachable states of and , with and , if the states of the pair satisfy the weakest condition of the labeled transition system, respectively, we say the pair is bisimulation equivalent. Each initial state of bisimulates an initial state of . If there exists an execution fragment from to , where in has , this implies the existence of a transition according to the transition predicate of from to in , such that . At the same time, if there exists a transition according to the transition predicate of from to , where in has , this implies the existence of an execution fragment from to , where in , such that . We can then use Definition 5, Corollary 6, and Definition 7 to prove Theorem 9.
5.1. The Desired Properties of
For a system, we often hope that bad things will never happen, which is called safety, and that good things will eventually happen, and happen infinitely often, which is called fairness. We express the properties via invariants. For our system, we expect the displacement from the center of the AGV to the center of the track to never be larger than the threshold and never be less than the threshold . At the same time, we ensure that lies in the interval .
Property 1. The vehicle always moves forward and never moves backward. It can be described as
Property 2. The vehicle moves forward infinitely often. It can be described using the temporal logic formula
5.2. Parameter Constraints of the AGV System
In this section, we give several parameter constraints for our AGV system. They are indispensable for guaranteeing the correctness of the safety property (20) and the fairness property (21). We define them in (22).
Parameter Constraints. Consider the following
Theorem 11. If , , and are met, then the property is an invariant of ; that is,
Proof. In the first step, we prove that holds. Since the circle is symmetrical, we only need to consider the situation in the first quadrant. In order to guarantee that is met in all cases outside the circular track, we consider the most extreme case outside the circle. First, suppose that the vehicle moves on the outside of the circle as shown in Figure 3. The vehicle is very close to point at the time of the current sampling, and . The vehicle then moves forward to with at the next sampling, where reaches the largest displacement. We use to illustrate that holds for . The derivations in (24) show that .
Deriving from . Consider the following:
Since the vehicle moves on the outside of the circle, . Therefore, .
In the second step, we prove that holds. In order to guarantee that in all cases inside the circular track, we consider the most extreme case inside. First, suppose that the vehicle moves on the inside of the circle as shown in Figure 4. The vehicle is very close to point at the time of the current sampling, with , and then moves forward to with at the next sampling, where the vehicle is farthest from the track. We use to illustrate that holds for . The derivations in (25) show that .
Deriving from . Consider the following:
Since the vehicle moves on the inside of the circle, . Therefore, .
In the third step, we prove that holds. Constraint is required to guarantee that always lies in the interval . First, we consider the scenario shown in Figure 5, in which we build the coordinate frame shown there. If the vehicle reaches point at the current sampling, the vehicle will steer to the left. The angle (the angle between and ), relative to the coordinate frame , is at the next sampling. If , then . If the vehicle reaches point at the current sampling, the vehicle will steer to the left. The angle (the angle between and ), relative to the coordinate frame , is at the next sampling. If , then , and we get . We have thus proved that .
Therefore, is proved.
Theorem 12. If holds for , then the property is an invariant of ; that is, .
Proof. In order to ensure that the vehicle moves forward infinitely often, we must avoid the situation in which the vehicle always steers to the left after steering to the right, and to the right after steering to the left. We consider the scenario shown in Figure 6. The center of the vehicle is very close to point A at the current sampling, and , with the velocity direction approximately parallel to the tangent at point , shown as a dashed line. The vehicle steers to the left and moves along the arc , which we treat as the straight line . Suppose that at the next sampling and that the vehicle switches to the forward mode. From , we can derive the following:
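The single-sampling-period worst cases that the proofs of Theorems 11 and 12 argue from (straight driving from the steering threshold with the heading at its maximum angle, and one steering step from the threshold back toward the track) can be checked numerically. The following is an added example, not the paper's own model or constraint formulas: the parameter values, the unicycle-style geometry (a straight chord for the forward mode, an exact circular arc of radius v/omega for steering), and the way the three constraint kinds are formalised are all assumptions, and the signs follow counterclockwise travel with displacement positive outside the circle.

```python
from __future__ import annotations
import math
from dataclasses import dataclass

# Constructed parameter set for the circular-track AGV (assumed values, not the paper's).
# Convention: CCW travel, displacement d > 0 outside the circle, heading angle phi to the
# track tangent > 0 when the velocity points outward.
@dataclass(frozen=True)
class AGVParams:
    R: float = 10.0        # track radius
    v: float = 1.0         # forward speed
    omega: float = 1.0     # angular speed while steering (rad/s)
    T: float = 0.5         # controller sampling period
    alpha: float = 0.55    # maximum angle between velocity and tangent (rad)
    d_fwd: float = 0.04    # close enough: forward mode
    d_steer: float = 0.10  # too far: steer toward the track
    d_back: float = 0.50   # unsafe: back mode


def next_displacement_forward(p: AGVParams, d: float, phi: float) -> float:
    """Displacement at the next sampling instant after driving straight for one period.

    Law of cosines on (track centre, current position, next position): the angle at the
    current position between the outward radius and the velocity is 90 deg - phi.
    """
    r = p.R + d
    s = p.v * p.T
    return math.sqrt(r * r + s * s + 2.0 * r * s * math.sin(phi)) - p.R


def next_state_steer(p: AGVParams, d: float) -> tuple[float, float]:
    """Displacement and heading angle after one period of steering toward the track.

    The vehicle starts parallel to the tangent at displacement d and turns toward the
    centre (left when outside, right when inside) along an arc of radius v/omega; the
    arc is computed exactly rather than approximated by its chord.
    """
    rho = p.v / p.omega
    turn = p.omega * p.T
    inward = 1.0 if d > 0 else -1.0
    radial = p.R + d - inward * rho * (1.0 - math.cos(turn))   # distance along old radius
    along = rho * math.sin(turn)                                # distance along old tangent
    psi = math.atan2(along, radial)       # how far the centre advanced around the track
    d_next = math.hypot(radial, along) - p.R
    phi_next = -inward * turn + psi       # heading turned by 'turn'; tangent rotated by psi
    return d_next, phi_next


def check_constraints(p: AGVParams) -> dict[str, bool]:
    """Single-period worst cases behind the safety and fairness arguments (assumed form).

    safe_outside / safe_inside: from the steering threshold with the heading at +-alpha,
        one straight period must not cross the unsafe threshold d_back.
    recover_*: one steering period from the threshold must bring |d| within d_fwd, so the
        forward mode is re-entered and the vehicle does not keep steering forever.
    heading_*: the heading after that steering period must stay within [-alpha, alpha].
    """
    out = next_displacement_forward(p, p.d_steer, p.alpha)
    inn = next_displacement_forward(p, -p.d_steer, -p.alpha)
    d_o, phi_o = next_state_steer(p, p.d_steer)
    d_i, phi_i = next_state_steer(p, -p.d_steer)
    return {
        "safe_outside": out <= p.d_back,
        "safe_inside": inn >= -p.d_back,
        "recover_outside": abs(d_o) <= p.d_fwd,
        "recover_inside": abs(d_i) <= p.d_fwd,
        "heading_outside": abs(phi_o) <= p.alpha,
        "heading_inside": abs(phi_i) <= p.alpha,
    }


if __name__ == "__main__":
    base = AGVParams()
    for name, ok in check_constraints(base).items():
        print(f"{name:17s} {'ok' if ok else 'VIOLATED'}")
    # Tightening the unsafe threshold below the worst-case excursion exposes a violation.
    print("d_back=0.3 ->", check_constraints(AGVParams(d_back=0.3)))
```

Because the track curves, the inside and outside cases are not mirror images: with these values the inside steering step overshoots further than the outside one, which is why both sides are checked separately.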
6. Analysis of Constraints
In this section, we analyze the parameters of our AGV system. We rewrite the constraints as shown in (27).
Rewrite Constraints. Consider the following:
We assume that the value range of is from to , is from to , is from to , is from to , is from to , is from to , is from to , and is from to . The inequalities shown in (28) need to be met to ensure that the parameter constraints hold.
Inequalities Needed for the Parameter Constraints. Consider the following:
It is obvious that the parameters do not appear in the constraint inequalities. Therefore, we increase and from their minimum and decrease from its maximum. We do not know the exact values of parameters such as , and we can measure their values only by operating the vehicle; errors cannot be avoided when we obtain these parameters. We can write the predicate logic formula asserting safety as follows:
Parameters and can be viewed as the internal variables of the vehicle.
In this paper, we have modeled an AGV system using hybrid I/O automata and investigated a two-dimensional problem where the vehicle moves in a circular orbit. We derived and proved the constraints on the parameters of the AGV system so that the vehicle always moves forward, closely following the circular track, and never moves backward. We have also analyzed the constraints on the parameters and the ranges of the parameters. Future research can extend this formulation from a circular track to arbitrary complex curves, consider slopes or hilly terrain, and reason about systems of multiple vehicles.
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
The research for this study was supported by the NSFC (61373034, 61170304) and the International S&T Cooperation Program of China (2011DFG13000) (KZ201210028036).
- M. S. Branicky, “Introduction to hybrid systems,” in Handbook of Networked and Embedded Control Systems, D. Hristu-Varsakelis and W. S. Levine, Eds., Control Engineering, pp. 91–116, Birkhäuser Boston, Boston, Mass, USA, 2005.
- A. Fehnker, F. Vaandrager, and M. Zhang, “Modeling and verifying a Lego car using hybrid I/O automata,” in Proceedings of the 3rd International Conference on Quality Software (QSIC '03), pp. 280–289, IEEE Computer Society, 2003.
- L. Balbis, A. W. Ordys, M. J. Grimble, and Y. Pang, “Tutorial introduction to the modelling and control of hybrid systems,” International Journal of Modelling, Identification and Control, vol. 2, no. 4, pp. 259–272, 2007.
- N. Lynch, R. Segala, and F. Vaandrager, “Hybrid I/O automata,” Information and Computation, vol. 185, no. 1, pp. 105–157, 2003.
- T. A. Henzinger, “Theory of hybrid automata,” in Proceedings of the 11th Annual IEEE Symposium on Logic in Computer Science (LICS '96), pp. 278–292, IEEE Computer Society, July 1996.
- J. Lygeros, G. Pappas, and S. Sastry, “An introduction to hybrid systems modeling, analysis and control,” in Proceedings of the 1st Nonlinear Control Network Pedagogical School, pp. 307–329, Athens, Greece, 1999.
- A. Balluchi, L. Benvenuti, M. D. D. I. Benedetto, S. Member, C. Pinello, and A. Luigi, “Automotive engine control and hybrid systems: challenges and opportunities,” Proceedings of the IEEE, vol. 88, no. 7, pp. 888–912, 2000.
- R. Alur, R. Grosu, Y. Hur, V. Kumar, and I. Lee, “Modular specification of hybrid systems in charon,” in Hybrid Systems: Computation and Control, N. Lynch and B. Krogh, Eds., vol. 1790 of Lecture Notes in Computer Science, pp. 6–19, Springer, Berlin, Germany, 2000.
- M. Song, T. Tarn, and N. Xi, “Integration of task scheduling, action planning, and control in robotic manufacturing systems,” Proceedings of the IEEE, vol. 88, no. 7, pp. 1097–1107, 2000.
- M. Katara, “Hybrid models for mobile computing,” in Coordination Languages and Models, A. Porto and G. C. Roman, Eds., vol. 1906 of Lecture Notes in Computer Science, pp. 216–231, Springer, Berlin, Germany, 2000.
- B. Lennartson, M. Tittus, B. Egardt, and S. Pettersson, “Hybrid systems in process control,” IEEE Control Systems Magazine, vol. 16, no. 5, pp. 45–56, 1996.
- N. A. Lynch and M. R. Tuttle, “An introduction to input/output automata,” CWI Quarterly, vol. 2, no. 3, pp. 219–246, 1989.
- T. Muller, Automated Guided Vehicles, IFS, Kempston, UK, 1983.
- T. Le-Anh and M. B. M. de Koster, “A review of design and control of automated guided vehicle systems,” European Journal of Operational Research, vol. 171, no. 1, pp. 1–23, 2006.
- I. F. A. Vis, “Survey of research in the design and control of automated guided vehicle systems,” European Journal of Operational Research, vol. 170, no. 3, pp. 677–709, 2006.
- W. Kang, N. Xi, and J. Tan, “Analysis and design of non-time based motion controller for mobile robots,” in Proceedings of the IEEE International Conference on Robotics and Automation (ICRA '99), pp. 2964–2969, May 1999.
- J. Tan, N. Xi, and W. Kang, “Non-time based tracking controller for mobile robots,” in Proceedings of the 1999 IEEE Canadian Conference on Electrical and Computer Engineering, pp. 919–924, May 1999.
- R. Milner, Communication and Concurrency, Prentice-Hall, 1989.
- D. Park, “Concurrency and automata on infinite sequences,” in Theoretical Computer Science, P. Deussen, Ed., vol. 104 of Lecture Notes in Computer Science, pp. 167–183, Springer, Berlin, Germany, 1981.
Copyright © 2014 Jie Zhang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.