7.1 Resource Threshold Constraints 105

Suppose we have a solar-powered autonomous aircraft that stores energy in a system of batteries. The robot gains more energy when flying in clear sky than when flying under clouds. When the battery is full, no further energy can be stored. There is an emergency battery pack, initially fully charged but with low capacity, that overrides the primary one in the event of a system failure.

The mission is to travel repeatedly between two locations and to be able to land safely in one of several emergency landing zones at any time with the secondary battery pack. The resource of interest is the battery level percentage. The mission fails when the battery level is zero, and the battery level cannot exceed 100 percent. The battery charges in sunny regions and discharges in dark regions. The resource bounds are h = [0, 1) for all states except the target locations g1 ∈ L(s43, d∗) and g2 ∈ L(s78, d∗), which have h = [0.3, 1) for safety purposes. The synthesis is to maximise the probability of successfully travelling to each target location within 30 time steps each. Control policy π1 is for reaching g1 and policy π2 is for reaching g2. Note that the synthesis only provides optimality for each control policy and its mission specification independently.

Figure 7.10 – Most probable path using an optimal policy for a solar-powered surveillance aircraft launched with 30 percent battery level from g2 without the consideration of emergency flight plans at the synthesis level. Surveillance locations are shown in (a). Several snapshots of the mission are shown in (b-d). (a) Most probable long-term trajectory between g1 and g2. (b) Most probable path starting from g2 with initial battery level 30 percent. (c) Most probable path continuing back to g2. (d) Most probable path continuing to g1.

Figure 7.11 – Most probable path analogous to Figure 7.10, but with emergency landing locations as shown in (a). (a) Most probable long-term trajectory between g1 and g2, with emergency landing locations e. (b) Most probable path from g2 with initial battery level 30 percent. (c) Most probable path continuing back to g2. (d) Most probable path continuing to g1.
The synthesis specification without considering the emergency flight plan is shown in Equation 7.8 and the most probable paths are shown in Figure 7.10. Note that the z-axis of the figure represents the battery level in this example. The long-term trajectory tends to spend more time in sunny areas than in the dark areas to keep the battery level high enough. The glider has two modes of operation; it can choose to execute π1 to reach g1 and execute π2 to reach g2.

Figure 7.12 – Probabilities of satisfaction with respect to primary battery level at state (s78, d4) within a 30-step time horizon. PPFs for policies with and without emergency plans are shown, where that with the emergency plan is analytically computed and that without the emergency plan is simulated. Probabilities are evaluated for the specification that requires the aircraft to be able to reach an emergency landing location at all times. The policy that does not consider emergency landing may cause the aircraft to fail in the event of an on-board emergency. [Plot: piecewise probability functions at (s78, d4); x-axis battery level (in %), y-axis probability of mission success (in %); one curve for the PPF synthesised with the emergency plan and one for the PPF synthesised without it.]
$$\Phi_4 = \mathrm{P}_{\max,\; x:[0.3,1)}\big[\mathrm{F}^{\le 30}\, g_1\big]^{\pi_1} \;\wedge\; \mathrm{P}_{\max,\; x:[0.3,1)}\big[\mathrm{F}^{\le 30}\, g_2\big]^{\pi_2} \tag{7.8}$$
The surveillance mission with an emergency flight plan is specified in Equation 7.9 and its paths are shown in Figure 7.11. The goal of the synthesis is to reach emergency landing zones within a certain time using the emergency battery when the aircraft has encountered a system failure during its surveillance mission. The secondary battery has capacity equal to 15 percent of the primary battery, and the probability of safely reaching the emergency zones within 10 time steps should be greater than 90 percent. The glider in this scenario has two modes of normal operation (π1 and π2) and an emergency mode which is activated in the event of an emergency (πe). If a state satisfies the composite formula Φ5 for the given conditions (i.e., battery capacity), the glider can always execute the contingency plan during its normal operation if the resource meets the condition. We also assume that switching to a contingency plan occurs fast enough that there is no delay.
$$\Phi_5 = \mathrm{P}_{\max,\; x:[0.3,1)}\Big[\mathrm{P}_{>0.9,\; 0.15:[0,1)}\big[\mathrm{F}^{\le 10}\, e\big]^{\pi_e}\ \mathrm{U}^{\le 30}\ g_1\Big]^{\pi_1} \;\wedge\; \mathrm{P}_{\max,\; x:[0.3,1)}\Big[\mathrm{P}_{>0.9,\; 0.15:[0,1)}\big[\mathrm{F}^{\le 10}\, e\big]^{\pi_e}\ \mathrm{U}^{\le 30}\ g_2\Big]^{\pi_2} \tag{7.9}$$
Unlike the long-term trajectory without contingency planning, the trajectory in Figure 7.11a passes closer to the darker areas where the emergency landing zones are located. The synthesis naturally balances between maintaining the battery level and the safety of reaching emergency zones when maximising the probability of satisfaction of the mission.
Figure 7.12 shows the PPFs of the aircraft moving from g2 to g1 with and without the emergency plan considered at the synthesis level. The PPF with the emergency plan is computed analytically, whereas that without the plan is simulated by randomly introducing failure and observing how well the aircraft reaches the contingency destination as soon as the failure occurs ($\mathrm{F}^{\le 10}\, e$). The probability of satisfying the surveillance mission as well as the emergency procedure is much greater when the control policy is synthesised with the emergency plan. The plan without the consideration of contingency plans may be more efficient in normal operation, but the figure shows that such a plan would fail miserably in the event of an emergency. Note that the PPFs provide a quantitative performance guarantee on satisfying both the normal and contingency missions.
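The following Python is a constructed illustration added here, not the thesis's model or code: it carries the synthesis of Equations 7.8 and 7.9 through on a toy waypoint graph for one leg of the mission. Backward induction over (waypoint, battery) pairs yields the PPF; the inner bounded-reachability check with a 15 percent emergency pack over 10 steps marks the contingency-safe states; and restricting the 30-step mission to those states turns the F of Φ4 into the Until of Φ5. Assumed, not taken from the text: the graph, the 0.8 move-success probability, the +4/-2 percent per-step battery dynamics, and that the emergency pack charges and drains like the primary one.

```python
# Constructed toy instance of the chapter's resource-threshold synthesis (not the thesis's
# model or code). Battery level is an integer percent; the world is a small waypoint graph:
# start S, surveillance goal G, emergency zone E, a sunny route a1..a5 and a dark route
# b1..b5, with E hanging off the middle of the dark route as in the figure's layout.
ADJ = {"S": ["a1", "b1"], "G": ["a5", "b5"], "E": ["b3"],
       "a1": ["S", "a2"], "a2": ["a1", "a3"], "a3": ["a2", "a4"], "a4": ["a3", "a5"],
       "a5": ["a4", "G"], "b1": ["S", "b2"], "b2": ["b1", "b3"], "b3": ["b2", "b4", "E"],
       "b4": ["b3", "b5"], "b5": ["b4", "G"]}
SUNNY = {"G", "a1", "a2", "a3", "a4", "a5"}   # every other waypoint is under cloud
P_MOVE = 0.8          # a commanded move succeeds w.p. 0.8; otherwise headwind holds position
GAIN, DRAIN = 4, -2   # battery change per step, set by the cell occupied after the step

def charge(x, cell):
    """Battery after a step ending in `cell`; a full pack stores no further energy."""
    return min(100, max(0, x + (GAIN if cell in SUNNY else DRAIN)))

def reach_prob(goal, horizon, low=None, safe=None):
    """Backward induction for P_max[safe U<=horizon goal] over (waypoint, battery) pairs,
    i.e. the piecewise probability function. `low` holds per-waypoint lower bounds of h
    (the target's 0.3 in the text); reaching 0 percent or violating a bound is failure.
    `safe` (default: all waypoints) restricts the path, turning F into the U of (7.9)."""
    low, safe = low or {}, set(ADJ) if safe is None else safe
    def dead(s, x):
        return x < max(1, low.get(s, 0)) or s not in safe
    V = {(s, x): float(s == goal and not dead(s, x)) for s in ADJ for x in range(101)}
    for _ in range(horizon):   # V holds the values with one step fewer remaining
        V = {(s, x): 0.0 if dead(s, x) else 1.0 if s == goal else
             max(P_MOVE * V[(n, charge(x, n))] + (1 - P_MOVE) * V[(s, charge(x, s))]
                 for n in ADJ[s]) for s in ADJ for x in range(101)}
    return V

def contingency_safe(pack=15, steps=10, threshold=0.9):
    """Waypoints satisfying the inner P_{>0.9, 0.15:[0,1)}[F<=10 e] of Equation 7.9: E is
    reached within `steps` with probability above `threshold` on a freshly switched-in
    `pack` percent. Assumption: the small pack charges and drains like the primary one."""
    to_e = reach_prob("E", steps)
    return {s for s in ADJ if to_e[(s, pack)] > threshold}

def synthesise(start="S", goal_bound=30):
    """PPFs at `start` for the mission without (Phi_4) and with (Phi_5) the emergency plan;
    the target's bound h(g) = [0.3, 1) means arriving at G with at least 30 percent."""
    without = reach_prob("G", 30, low={"G": goal_bound})
    with_plan = reach_prob("G", 30, low={"G": goal_bound}, safe=contingency_safe())
    return {x: (without[(start, x)], with_plan[(start, x)]) for x in range(0, 101, 10)}

if __name__ == "__main__":
    print("not contingency-safe:", sorted(set(ADJ) - contingency_safe()))
    for x, (p4, p5) in synthesise().items():
        print(f"battery {x:3d}%  without plan {p4:.4f}  with plan {p5:.4f}")
```

The middle of the sunny route (a3) is seven moves from E and fails the 90 percent contingency check, so the Φ5-style policy must charge in the safe sunny cells and then fly the dark route, which is the trade-off between battery level and emergency reachability described above.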