Formal Methods for Robotic System Control Software

Motivation

In many instances, programs are concerned only with processing or manipulating data and displaying them to a user, who becomes the agent that ends up taking physical action. However, in some instances, we create software to control other analog devices or machinery directly. We call these hybrid systems because they exhibit a mixture of discrete behavior from the software and continuous behavior from the analog physics of the device being controlled. From an engineering perspective, creating zero-defect control software for hybrid systems has unique challenges. On one hand, for an engineering system consisting only of analog devices, we can use continuous mathematics to model it and prove that its design satisfies our requirements. On the other hand, for software that only processes data, we can begin to apply the formal methods (i.e., program logics) that we have developed to prove properties about software-only systems.

Creating software for controlling robotic machinery has unique challenges. This article describes a formal method called differential dynamic logic (dL) that can help produce zero-defect algorithms for robotic systems. We take the reader through an example of applying dL to a version of a control algorithm used in an experimental surgical robot. This case study is a simplified variant of an existing control algorithm. It shows how this tool can be useful and illustrates general principles that readers can use when applying this technique to other systems. We describe how to model a control algorithm for the robot and are able to prove that it safely enforces tool movement for a single boundary. Our proof provides a guarantee of the control algorithm's safe behavior for all possible inputs and is far more comprehensive than what is possible by using testing alone.
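To make the single-boundary setting concrete, the following is an added illustrative dL model of a one-dimensional tool held behind a boundary; it is not the surgical robot's control algorithm from this article, and every symbol in it (tool position x, commanded velocity v, boundary B, controller period T, clock t) is an assumption introduced here for illustration only.

```latex
% Hybrid program: a discrete controller followed by continuous motion, repeated.
% The controller may pick any velocity, but only keeps it if the tool cannot
% cross the boundary B before the next control cycle (period T).
\begin{align*}
\mathit{ctrl} &\equiv v := *;\ ?\bigl(v \le 0 \ \lor\ x + v\,T \le B\bigr) \\
\mathit{plant} &\equiv t := 0;\ \{x' = v,\ t' = 1 \ \&\ t \le T\} \\
\alpha &\equiv (\mathit{ctrl};\ \mathit{plant})^{*}
\end{align*}

% Safety property to prove: starting behind the boundary, the tool never crosses it.
\[
x \le B \ \rightarrow\ [\alpha]\ (x \le B)
\]

% Proof sketch in dL:
% 1. Loop rule with invariant J \equiv x \le B.
% 2. After ctrl, the test guarantees  v \le 0  or  x + vT \le B.
% 3. For plant, x(t) = x_0 + v\,t with 0 \le t \le T; in the case v \le 0 the
%    position does not increase, and in the case x_0 + vT \le B we get
%    x(t) \le x_0 + vT \le B. Either way the differential invariant
%    v \le 0 \lor x + v(T - t) \le B  holds along the flow and implies x \le B.
\[
\bigl(v \le 0 \ \lor\ x + v\,(T - t) \le B\bigr) \ \rightarrow\ x \le B
\quad\text{for } 0 \le t \le T
\]
```

The point of the model is the shape of the argument rather than these particular symbols: the controller's test encodes the worst case reachable within one period, the loop invariant is the safety property itself, and the continuous part is discharged by a differential invariant rather than by simulating trajectories, which is why the resulting guarantee covers every admissible input rather than the inputs a test suite happened to exercise.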