Honeywell LaboratoriesCarnegie Mellon UniversityDavid J. MuslinerHåkan L. S. Younes

Probabilistic Plan Verification through Acceptance Sampling

Introduction

Probabilistic extension to CIRCA Efficient plan verification algorithm

Monte Carlo simulation Acceptance sampling

Guaranteed error bounds

Planning via Model Checking

Planner Model checker

candidate plan

verification result

objectives,environment safety constraints

World Model

States…

normal pathno threat

normal pathradar threat

evasive pathradar threat

evasive pathno threat

FAILURE

World Model

States + events = environment

normal pathno threat

radar threatExp(150)

hitExp(50) + 120

safeU(50,100)

normal pathradar threat

evasive pathradar threat

evasive pathno threat

FAILURE

World Model

A plan maps states to actions

normal pathno threat

radar threatExp(150)

hitExp(50) + 120

safeU(50,100)

end evasiveU(25,50)

begin evasiveU(25,50)

normal pathradar threat

evasive pathradar threat

evasive pathno threat

FAILURE

Sample Execution Paths

normal pathno threat

normal pathradar threat

evasive pathradar threat

evasive pathno threat

normal pathno threat

radar threat begin evasive safe end evasive

41.9 45.8 93.5 43.4 …

normal pathno threat

normal pathradar threat

evasive pathradar threat FAILURE

begin evasive hitradar threat

44.1 48.7 92.2

Plan Safety

Two parameters Failure probability threshold: θ Maximum execution time: tmax

A plan is safe if the probability of reaching a failure state within tmax time units is at most θ

Safety Over Sample Execution Paths

Given tmax = 200:

normal pathno threat

normal pathradar threat

evasive pathradar threat

evasive pathno threat

normal pathno threat

radar threat begin evasive safe end evasive

41.9 45.8 93.5 43.4 …+ + + > 200

Safe!

Safety Over Sample Execution Paths

Given tmax = 200:

normal pathno threat

normal pathradar threat

evasive pathradar threat FAILURE

begin evasive hitradar threat

44.1 48.7 92.2+ + ≤ 200

Not safe!(safe if tmax < 185)

Verifying Plan Safety

Symbolic Methods Pro: Exact solution Con: Works only for restricted class of

models Sampling

Pro: Works for any model that can be simulated

Con: Uncertainty in correctness of solution

Our Approach

Use simulation to generate sample execution paths

Use sequential acceptance sampling to verify plan safety

Error Bounds

Probability of false negative: ≤α We say that a plan is not safe when it is

Probability of false positive: ≤β We say that a plan is safe when it is not

Acceptance Sampling

Test hypothesis Pr≤θ(X) In our case

θ is the failure probability threshold X is the proposition that a failure state is

reached within the time limit

Sequential Acceptance Sampling

Test hypothesis Pr≤θ(X)True, false,or anothersample?

Performance of Test

Actual failure probability of plan

Prob

abili

ty o

f ac

cept

ing

Pr≤

θ (X

) as

tru

e

θ

1 – α

β

Ideal Performance

False positives

Actual failure probability of plan

Prob

abili

ty o

f ac

cept

ing

Pr≤

θ (X

) as

tru

e

θ

1 – α

β

False negatives

Actual Performance

θ – δ θ + δActual failure probability of plan

Prob

abili

ty o

f ac

cept

ing

Pr≤

θ (X

) as

tru

e

θ

1 – α

βFalse positives

False negatives

Indifference region

Graphical Representation of Sequential Test

Number of samples

Num

ber

ofne

gativ

e sa

mpl

es

Graphical Representation of Sequential Test

We can find an acceptance line and a rejection line given θ, δ, α, and β

Accept

Reject

Continue sampling

Number of samples

Num

ber

ofne

gativ

e sa

mpl

es

Graphical Representation of Sequential Test

Accept hypothesis

Accept

Reject

Continue sampling

Number of samples

Num

ber

ofne

gativ

e sa

mpl

es

Graphical Representation of Sequential Test

Reject hypothesis

Accept

Reject

Continue sampling

Number of samples

Num

ber

ofne

gativ

e sa

mpl

es

Example

Verify plan with θ=0.05, δ=0.01, α=β=0.05, tmax=200

normal pathno threat

radar threatExp(150)

hitExp(50) + 120

safeU(50,100)

end evasiveU(25,50)

begin evasiveU(25,50)

normal pathradar threat

evasive pathradar threat

evasive pathno threat

FAILURE

Example

Verify plan with θ=0.05, δ=0.01, α=β=0.05, tmax=200

Simulator

150100 200

2

6

Number of samples

8

Neg

ativ

e sa

mpl

es

50

4

10

12

14

16

18

Performance

Failure probability

Aver

age

num

ber

of s

ampl

es

δ = 0.01, α = β = 0.05δ = 0.01, α = β = 0.10δ = 0.02, α = β = 0.05δ = 0.02, α = β = 0.10

0

200

400

600

800

1000

0 0.02 0.04 0.06 0.08 0.1θ

Summary

Probabilistic extension to CIRCA Allows for plans with non-zero failure

probability Efficient plan verification algorithm

based on acceptance sampling Guaranteed error bounds Easy to trade efficiency for accuracy

Future Work

Sensitivity analysis Using verification result to guide plan

generation “Generalized semi-Markov Decision

Processes”