
    Goal-constrained planning domain model verification of safety properties

    The verification of planning domain models is crucial to ensure the safety, integrity and correctness of planning-based automated systems. This task is usually performed using model checking techniques. However, unconstrained application of model checkers to verify planning domain models can result in false positives, i.e. counterexamples that are unreachable by a sound planner when using the domain under verification during a planning task. In this paper, we discuss the downside of unconstrained planning domain model verification. We then introduce the notion of a valid planning counterexample, and demonstrate how model checkers, as well as state trajectory constraints planning techniques, should be used to verify planning domain models so that invalid planning counterexamples are not returned.

    Automated Testing of Planning Models

    Automated planning systems (APS) are maturing to the point that they have been used in experimental mode on both the NASA Earth Orbiter 1 satellite and the Deep Space 1 spacecraft. One challenge is to improve the test coverage of APS to ensure that no unsafe plans can be generated. Unsafe plans can cause wasted resources or damage to hardware. Model checkers can be used to increase test coverage for large, complex distributed systems and to prove the absence of certain types of errors. In this work we have built a generalized tool to convert the input models of an APS to Promela, the modeling language of the Spin model checker. We demonstrate on a mission-sized APS input model that we can explore the space of possible plans in Promela and use Spin to verify with high probability the absence of unsafe plans.
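    Both abstracts turn on the same mechanism: exhaustively exploring the action sequences a planning domain admits and reporting any that reach an unsafe state (the Spin/Promela approach of the second paper), and, in the first paper, discarding the counterexamples a sound planner could never produce because the unsafe state is a dead end from which the goal cannot be reached. The program below is an added illustration, not code from either paper: a hand-written breadth-first search stands in for Spin, and the five-action probe domain, its action names and the safety property are constructed for this example. The goal constraint is modelled in the simplest way, by requiring that the unsafe state still lies on some trajectory to the goal; the papers' state trajectory constraints are more general than this.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

State = FrozenSet[str]
Parents = Dict[State, Tuple[Optional[State], Optional[str]]]


@dataclass(frozen=True)
class Action:
    """STRIPS-style action: applicable when pre holds; effects delete, then add."""
    name: str
    pre: FrozenSet[str]
    add: FrozenSet[str]
    delete: FrozenSet[str]

    def applicable(self, s: State) -> bool:
        return self.pre <= s

    def apply(self, s: State) -> State:
        return (s - self.delete) | self.add


def act(name: str, pre: Iterable[str] = (), add: Iterable[str] = (),
        delete: Iterable[str] = ()) -> Action:
    return Action(name, frozenset(pre), frozenset(add), frozenset(delete))


# Constructed toy domain (an assumption, not from the papers): a probe collects
# data at site A, can only recharge at A's dock, and must transmit from site B.
DOMAIN: List[Action] = [
    act("collect", pre=["at_A", "battery_high"], add=["data", "battery_low"], delete=["battery_high"]),
    act("charge", pre=["at_A", "battery_low"], add=["battery_high"], delete=["battery_low"]),
    act("move_to_B", pre=["at_A"], add=["at_B"], delete=["at_A"]),
    act("antenna_on", pre=["at_B"], add=["antenna"]),
    act("send", pre=["antenna", "data", "battery_high"], add=["sent"]),
]
# Variant in which the probe can drive back to A; this changes the verdict below.
DOMAIN_WITH_RETURN: List[Action] = DOMAIN + [act("move_to_A", pre=["at_B"], add=["at_A"], delete=["at_B"])]

INIT: State = frozenset({"at_A", "battery_high"})
GOAL: FrozenSet[str] = frozenset({"sent"})


def unsafe(s: State) -> bool:
    """Safety property under verification: never power the antenna on a low battery."""
    return {"antenna", "battery_low"} <= s


def explore(domain: List[Action], start: State) -> Parents:
    """Breadth-first search over every applicable action sequence from start.
    Returns parent pointers; dict insertion order is BFS discovery order."""
    parents: Parents = {start: (None, None)}
    queue = deque([start])
    while queue:
        s = queue.popleft()
        for a in domain:
            if a.applicable(s):
                t = a.apply(s)
                if t not in parents:
                    parents[t] = (s, a.name)
                    queue.append(t)
    return parents


def trajectory(parents: Parents, s: State) -> List[str]:
    """Action sequence from the search root to s, i.e. the counterexample trace."""
    path: List[str] = []
    while True:
        prev, name = parents[s]
        if prev is None:
            return path[::-1]
        path.append(name)
        s = prev


def unconstrained_counterexample(domain, init, unsafe_pred) -> Optional[List[str]]:
    """What a plain model checker reports: the shortest path to any unsafe state,
    whether or not a planner could ever continue from it to the goal."""
    parents = explore(domain, init)
    for s in parents:
        if unsafe_pred(s):
            return trajectory(parents, s)
    return None


def goal_constrained_counterexample(domain, init, goal, unsafe_pred) -> Optional[List[str]]:
    """Valid planning counterexample: an unsafe state that is reachable from init
    AND from which the goal is still reachable, so it lies on some actual plan.
    Unsafe dead ends are discarded; a sound planner never returns a plan through them."""
    parents = explore(domain, init)
    for s in parents:
        if unsafe_pred(s) and any(goal <= t for t in explore(domain, s)):
            return trajectory(parents, s)
    return None


def find_plan(domain, init, goal) -> Optional[List[str]]:
    """Shortest plan reaching the goal, for comparison with the traces above."""
    parents = explore(domain, init)
    for s in parents:
        if goal <= s:
            return trajectory(parents, s)
    return None


if __name__ == "__main__":
    print("unconstrained   :", unconstrained_counterexample(DOMAIN, INIT, unsafe))
    print("goal-constrained:", goal_constrained_counterexample(DOMAIN, INIT, GOAL, unsafe))
    print("a real plan     :", find_plan(DOMAIN, INIT, GOAL))
    print("with return     :", goal_constrained_counterexample(DOMAIN_WITH_RETURN, INIT, GOAL, unsafe))
```

    On the constructed domain the unconstrained check reports the trace collect, move_to_B, antenna_on: the probe leaves A on a low battery and powers the antenna at B. That state is reachable, but it is a dead end (charging needs at_A and there is no way back), so no plan for the goal sent ever visits it and the goal-constrained check returns nothing; the only real plan is collect, charge, move_to_B, antenna_on, send. Adding move_to_A makes the same unsafe state extendable to the goal, and the goal-constrained check now reports the trace, which is a genuine domain defect. The point for a practitioner is that the unconstrained report is not wrong about reachability, it is wrong about relevance: fixing it would mean adding a guard that no sound planner needs, while the second variant shows the kind of counterexample that does demand a domain change.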