Formal Design of Robot Integrated Task and Motion Planning*
Rafael Rodrigues da Silva1,2, Bo Wu1 and Hai Lin1
Abstract— Integrated Task and Motion Planning (ITMP) for
mobile robots becomes a new trend. Most existing methods for
ITMP either restrict to static environments or lack performance
guarantees. This motivates us to use formal design methods for
mobile robots ITMP in a dynamic environment with moving
obstacles. Our basic idea is to synthesize a global integrated
task and motion plan through composing simple local moves
and actions, and to achieve its performance guarantee through
modular and incremental veriﬁcations. The design consists
of two steps. First, reactive motion controllers are designed
and veriﬁed locally. Then, a global plan is built upon these
certiﬁed controllers by concatenating them together. In partic-
ular, we model the controllers and verify their safety through
formulating them as Differential Dynamic Logic (dL) formula.
Furthermore, these proven safe controllers are abstracted
in Counter Linear Temporal Logic over Constraint System
CLTLB(D) and composed based on an encoding to Satisﬁability
Modulo Theories (SMT) that takes into account the geometric
constraints. Since dL allows compositional veriﬁcation, the
sequential composition of the safe motion primitives also
preserves safety properties. Illustrative examples are presented
to show the effectiveness of the method.
I. INTRODUCTION
Traditionally, task and motion planning for mobile robots
are designed separately, and they work in a hierarchical
manner with a task planner sitting on top of motion planners
[14]. Task planning is usually carried on symbolically based
on an abstracted view of physical environments that ignores
details in geometric or physical constraints. Hence, it is
possible that there is no feasible trajectories to achieve the
derived mission plans. Therefore, a recent trend is towards an
Integrated Task and Motion Planning (ITMP), see e.g., [4],
[8], [25], [12], [13], [24], [15], [11], [20], [9] and references
therein.
Earlier efforts in ITMP, such as Asymov [4] and SMAP
[21], were still based on abstractions of the working envi-
ronment and used a symbolic planner to provide a heuristic
guidance to the motion planner. Recent work, such as [16]
and [6], introduced a “semantic attachment,” i.e. a predi-
cate that is solved by a motion planner, to the symbolic
planner. An overview of the recent developments in the
symbolic motion planning can be found in [15], where the
task planning problem is reduced to model checking. Since
these methods are based on abstracted symbolic models
of the environments, it is a common assumption that the
*The ﬁnancial supports from NSF-CNS-1239222, NSF-CNS-1446288
and NSF- EECS-1253488 for this work are greatly acknowledged.
1
All
authors
are
with
Department
of
Electrical
Engineering,
University
of
Notre
Dame,
Notre
Dame,
IN
46556,
USA.
(rrodri17@nd.edu; bwu3@nd.edu; hlin1@nd.edu)
2 The ﬁrst author would like to appreciate the scholarship support by
CAPES/BR, BEX 13242/13-0
working environment is known or static and the robot is
the only moving object (or the robot itself carries other
movable objects). However, in practice, a robot often shares
its workspace with others robots or even humans, and the
environment often changes over time in a way that is hard to
predict. This motivates us to investigate the ITMP problem
for mobile robots in a dynamic environment with moving
obstacles.
Inspired by behavior based robotics [19], we adopt a hi-
erarchical planner consisting of two layers: global and local.
Our basic idea is to synthesize a global and integrated task
and motion plan through composing simple local moves and
actions, and to achieve its performance guarantee through
modular incremental veriﬁcations. The design consists of
two steps. First, basic motion primitives are designed with
veriﬁed performances. Then, a global plan is built upon these
certiﬁed motion primitives. Since the method proposed here
is of bottom-up and compositional nature, so we call it as
CoSMoP (Composition of Safe Motion Primitives).
In the ﬁrst step, we propose to use a formally veriﬁed
motion controllers that we call safe motion primitives. These
primitives are designed ofﬂine, modeled and veriﬁed in
Differential Dynamic Logic (dL) [22], for which veriﬁcation
software tools are available, e.g., KeYmaera [22]. In partic-
ular, we use the Dynamic Window Approach (DWA) [7] as
obstacle avoidance motion primitives in this paper. DWA is
a widely adopted and efﬁcient approach for mobile robots
to avoid collisions in uncertain and dynamic environments.
The safety of an extended DWA on collision avoidance for
moving obstacles has been formally proved in [18] using
dL and hybrid system veriﬁcation. With this proof, we can
abstract them to the global layer, where the task and motion
plans are integrated.
In the second step, those safe motion primitives are
encoded to a Satisﬁability Modulo Theories (SMT) solver
as motion primitive constraints. This layer synthesizes a
composition of pairs of actions (i.e. safe motion primitives)
and waypoints (i.e. terminal positions), which is the sequen-
tial execution of actions that the robot must perform to
ensure a task speciﬁcation formally. The CoSMoP encodes
an ITMP problem to the SMT by extending the Bounded
Satisﬁability Checking (BSC) [23] and using the Counter
Linear Temporal Logic over Constraint System CLTLB(D)
[2] language, a Linear Temporal Logic (LTL) extension. The
BSC models consist of temporal logic rather than transition
systems; thus, the problem encoding is more compact and
elegant. Moreover, it was also shown that if the constraint
system D is decidable, then so is the CLTLB(D), and it
can be encoded to SMT [2]. Therefore, encoding the ITMP
arXiv:1604.05657v2  [cs.RO]  15 Dec 2016
problem using CLTLB(D) language allows the description
of a wide range of system properties in a problem that is
decidable.
In summary, the contribution of this work is to provide an
automatic synthesis that is provably safe even for unexpected
moving obstacles that, to the best of our knowledge, has not
been attempted before for ITMP:
• Unlike [19], where the motion plan is not formally ver-
iﬁed, in our approach, the performance of the resulting
integrated task and motion plan is formally guaranteed.
• Unlike [24], [15], we do not assume static environment
and complete knowledge of the other moving agents
that is required for veriﬁcation of symbolic partitioned
environments.
• Unlike [20], [16], [15], [9], we do not assume a static
environment where the robot is the only moving agent,
which is assumed in these others ITMP approaches.
• Unlike [3], [19], [18], [1], [10], where only motion
speciﬁcations are considered, we combine task and
motion speciﬁcations that allow speciﬁcations such as
moving objects in the environment.
• Unlike [23], [2], we use CLTLB(D) for automatic
synthesis instead of model checking.
The rest of the paper is organized as follows. Section II
presents some background for understanding CoSMoP ap-
proach and deﬁnes the scenario used in this work. Section III
introduces the CoSMoP design procedure and formulates the
problem. Section IV presents the design of motion primitives
for the scenario proposed here. Section V presents how to
synthesize a global and integrated plan using SMT solver.
Section VI studies which parameters affect the execution
time the most. Section VII concludes the paper with a
discussion and proposes possible future works.
II. PRELIMINARIES
A. Differential Dynamic Logic
The Differential Dynamic Logic dL veriﬁes a symbolic
hybrid system model, and, thus, can assist in verifying and
ﬁnding symbolic parameters constraints. Most of the time,
this turns into an undecidable problem for model checking
[22]. Yet, the iteration between the discrete and continuous
dynamics is nontrivial and leads to nonlinear parameter
constraints and nonlinearities in the dynamics. Hence, the
model checking approach must rely on approximations. On
the other hand, the dL uses a deductive veriﬁcation approach
to handling inﬁnite states, it does not rely on ﬁnite-state
abstractions or approximations, and it can handle those
nonlinear constraints.
The hybrid systems are embedded to the dL as hybrid pro-
grams, a compositional program notation for hybrid systems.
Deﬁnition 1 (Hybrid Program). A hybrid program [22] (α
and β) is deﬁned as:
α, β ::=
(
x1 := θ1, ..., xn := θn |?χ | α; β | α ∪β | α∗|
x′
1 := θ1, ..., x′
n := θn&χ
where:
• x is a state variable and θ a ﬁrst-order logic term.
• χ is a ﬁrst-order formula.
• x1 := θ1, ..., xn := θn are discrete jumps, i.e. instanta-
neous assignments of values to state variables.
• x′
1 := θ1, ..., x′
n := θn&χ is a differential equation
system that represents the continuous variation in sys-
tem dynamics. x′
i := θi is the time derivative of state
variable xi, and &χ is the evolution domain.
• ?χ tests a ﬁrst-order logic at current state.
• α; β is a sequential composition, i.e. the hybrid program
β will start after α ﬁnishes.
• α ∪β is a nondeterministic choice.
• α∗is a nondeterministic repetition, which means that α
will repeat for ﬁnite times.
Thus, we can deﬁne the dL formula, which is a ﬁrst-order
dynamic logic over the reals for hybrid programs.
Deﬁnition 2 (dL formulas). A dL formula [22] (φ and ψ)
is deﬁned as:
φ, ψ ::= χ | ¬φ | φ ∧ψ | ∀xφ | ∃xφ | [α]φ | ⟨α⟩φ
where:
• [α]φ holds true if φ is true after all runs of α.
• ⟨α⟩φ holds true if φ is true after at least one runs of α.
dL uses a compositional veriﬁcation technique that per-
mits the reduction of a complex hybrid system into several
subsystems [22]. This technique divides a system ψ →[α]φ
in an equivalent formula ψ1 →[α1]φ1 ∧ψ2 →[α2]φ2,
where each ψi →[αi]φi can be proven separately. In
our approaches we use this technique backwards, we prove
a set of dL formulas ψi →[αi]φi, where each one is
the ith motion primitive model, and we use the SMT to
compose an equivalent ψ →[α]φ that satisﬁes a mission
task. Therefore, the synthesized hybrid system performance
is formally proven.
B. Counter Linear Temporal Logic Over Constraint System
We express the speciﬁcation of an autonomous mobile
robot using Counter Linear Temporal Logic Over Con-
straint System CLTLB(D) deﬁned in [2]. This language
is interpreted over Boolean terms p ∈AP or arithmetic
constraints R ∈R belong to a general constraint system
D, where AP is a set of atomic propositions and R is
a set of arithmetic constraints. Thus, the semantics of a
CLTLB(D) formula is given in terms of interpretations of
a ﬁnite alphabet Σ ∈{AP, R} on ﬁnite traces over a ﬁnite
sequence ρ of consecutive instants of time with length K,
meaning that ρ(k) is the interpretation of Σ at instant of
time k ∈Nρ, Nρ = {0, ..., K}. Moreover, the arithmetic
terms of an arithmetic constraint R ∈R are variables x over
a domain D ∈{Z, R} valuated at instants i and, thus, are
called arithmetic temporal terms a.t.t.,
Deﬁnition 3 (Arithmetic Temporal Term). A CLTLB(D)
arithmetic temporal term (a.t.t.) ϕ is deﬁned as:
ϕ ::= x | ⃝ϕ | ⃝−1ϕ
where ⃝and ⃝−1 stands for next and previous operator.
Therefore, a CLTLB(D) formula is a LTL formula over
the a.t.t. deﬁned as below.
Deﬁnition 4 (Formula). A CLTLB(D) formula (φ, φ1 and
φ2) is deﬁned as,
φ, φ1, φ2 ::=
(
p | R(ϕ1, ..., ϕn) | ¬φ | φ1 ∧φ2 |
⃝φ | ⃝−1φ | φ1Uφ2 | φ1Sφ2
where,
• p ∈AP is a atomic proposition, and R ∈R is a relation
over the a.t.t. such as, for this work, we limit it to linear
equalities or inequalities, i.e. R(ϕ1, ..., ϕn) ≡Pn
i=1 ci ·
ϕi#c0, where # ≡⟨=, <, ≤, >, ≥⟩and ci, ϕi ∈D.
• ⃝, ⃝−1, U and S stands for usual next, previous, until
and since operators on ﬁnite traces, respectively.
Based on this grammar, it can also use others common
abbreviations, including:
• Standard boolean, such as true, false, ∨and →.
• ♦φ that stands for trueUφ, and it means that φ even-
tually holds before the last instant (included).
• □φ that stands for ¬♦¬φ, and it means that φ always
holds until the last instant.
• Last[φ] that stands for ♦(¬⃝true)∧φ, where ¬⃝true
on ﬁnite trace is only true at last instant. Thus, it means
that φ is true at the last instant of the sequence ρ.
A CLTLB(D) formula is veriﬁed in a Bounded Satisﬁabil-
ity Checking (BSC) [23]. Hence, it is interpreted on a ﬁnite
sequence ρ with length K. Therefore, ρ(k) ⊨p means that
p holds true in the sequence ρ at instant k (p ⊢ρ(k)).
Deﬁnition 5 (Semantics). The semantics of a CLTLB(D)
formula φ at an instant k ∈Nρ is as follow:
• ρ(k) ⊨p ⇐⇒p ⊢ρ(k).
• ρ(k) ⊨R(ϕ1, ..., ϕn) ⇐⇒R(ϕ1, ..., ϕn) ⊢ρ(k).
• ρ(k) ⊨¬φ ⇐⇒ρ(k) ⊭φ.
• ρ(k) ⊨φ1 ∧φ2 ⇐⇒ρ(k) ⊨φ1 ∧ρ(k) ⊨φ2.
• ρ(k) ⊨⃝φ ⇐⇒ρ(k + 1) ⊨φ.
• ρ(k) ⊨⃝−1φ ⇐⇒ρ(k −1) ⊨φ.
• ρ(k) ⊨φ1Uφ2 ⇐⇒
(
∃i ∈[k, K] : ρ(i) ⊨φ2∧
∀j ∈[k, i −1] : ρ(j) ⊨φ1
.
• ρ(k) ⊨φ1Sφ2 ⇐⇒
(
∃i ∈[0, k] : ρ(i) ⊨φ2∧
∀j ∈[i + 1, k] : ρ(j) ⊨φ1
.
C. Scene Description
As a motivating example, we consider a building with two
way doors that an assistant robot needs to move objects with
its gripper. The robot shares its workspace with other robots
and humans, and we call this scenario Clean Up. The robot
should be able to ﬁnd and move those objects to designated
areas through doors while stay inside the workspace.
In this scenario, each state robot state qr is a triple ⟨x, y, α⟩
representing the robot pose in 2D, where (x, y) ∈Z2 is the
position in mm and α ∈R is the heading angle in degrees.
Yet, each object j state qj
b is a triple ⟨x, y, p⟩representing
Fig. 1.
A example of blueprint for the clean up scenario.
its 2D position (x, y) ∈Z2 in mm and a proposition p ∈
AP that holds true when the robot is carrying this object.
Based on a given scenario, scene description provides basic
information on robots and the environment they work in.
Deﬁnition 6 (Scene Description). Scene description is a
tuple M = ⟨O, D, A, B, W⟩:
• Obstacles O: a set of rectangular obstacles in parallel
to the axis oj ∈O : j ∈NO = {1, ..., |O|} speciﬁed by
two points oj = ⟨(xi, yi), (xf, yf)⟩describing a pair of
diagonal vertexes;
• Doors D: a set of doors dj ∈D : j ∈ND = {1, ..., |D|}
that describe two robot poses q1 and q2 necessary to
push and pass through this door, i.e. dj = ⟨q1, q2⟩:
q1 = q2 = ⟨x, y, α⟩.
• Agent a: the robot a = ⟨l⟩is abstracted as a square
with length l.
• Objects B: a set of movable objects bj ∈B : j ∈NB =
{1, ..., |B|} and bj = ⟨l⟩that is abstracted as a square
with length l.
• Workspace W = ⟨x, y, l⟩: the workspace dimension
description, which is assumed to be a square with center
at position (x, y) and length l.
Now, we can deﬁne the scene description for this particular
scenario as shown below.
Example
1.
Consider
the
workspace
shown
in
Fig.
1.
This
scene
description
has
two
obstacles
O
=
{⟨(−1500, −2500), (−1500, 2500)⟩, ⟨(−1500, 0), (2500, 0)⟩}
that refer to two walls that Door 1 (also Door 2) and
Door 3 are located. The Door 1 is described by d1 =
⟨(−2000, −500, 0o), (−1000, −500, 180o)⟩, the Door 2 by
d2
= ⟨(−2000, 1000, 0o), (−1000, 1000, 180o)⟩, and the
Door 3 by d3 = ⟨(−1000, 500, 270o), (−1000, −500, 90o)⟩.
There are two objects abstracted as a square of 100mm (i.e.
b1.l = b2.l = 100) initially at q1
b = ⟨1900, −1000, false⟩
and q2
b
= ⟨2000, −1000, false⟩, where initially neither
of the two objects is picked up. The robot is abstracted
as a square of 400mm (i.e. a.l = 400) and starts at
qr = ⟨−2000, 0, 0.0⟩.
Fig. 2.
CoSMoP framework.
III. COSMOP FRAMEWORK
This section describes a formal bottom-up approach that
features a two-layer hierarchical ITMP architecture as shown
in Fig. 2. The local layer implements reactive motion con-
trollers such as the DWA that realize motion planning incor-
porating all kinematic and geometric constraints for dynamic
environment with moving obstacles. These controllers are
designed ofﬂine and are abstracted to the global layer as
motion primitives speciﬁcations φP(M), in CLTLB(D). The
global layer generates a constraint system in the Constraint
Generator based on scene description M and the task speci-
ﬁcation φG, in CLTLB(D), and encode it to a SMT solver. If
this constraint system is satisﬁable, a plan that is a roadmap
for the local layer is extracted to the local layer. We assume
that M have geometric details about the environment enough
for global layer to search for a satisﬁable plan. Let Qr, Qb
and Qπ be a sequence of assigned values to robot and object
states and assigned motion primitive at each instant k ∈Nρ,
respectively, we can formulate our problem as follows.
Problem 1. Given a scene description M, initial conditions,
a task speciﬁcation φG, the trace length K, design a set
U of the reactive motion controllers in the local layer
and respective motion primitives speciﬁcations φP(M) and
check if the speciﬁcation φG is satisﬁable in the scene M
using the controllers U. If yes, ﬁnd a trace s with length K,
where s(k) = ⟨qr(k), π(k)⟩at instant k ∈N = {1, ..., K},
qr(k) ∈Qr is a robot state and π(k) ∈Qπ is a motion
primitives at instant k such as π(k) deﬁnes what controller
u ∈U to take at qr(k −1) to go to qr(k).
Note that we are restricted to take at most K actions for
the task, therefore it is a bounded time planning problem.
The motion primitives are abstract actions that a robot can
execute, such as moving to some place, picking up objects
and so on.
Deﬁnition 7 (Motion Primitive). The Motion Primitive Π ∈
P is formally deﬁned as ⟨u, φΠ⟩, where P is a set of abstract
actions available to the global layer. The symbol u ∈U is
a reactive motion controller. The speciﬁcation φΠ constrains
the states q(k −1) and q(k) such as q(k) ∈[qr(k) ∈Qr] ∪
[qj
b(k) ∈Qb] ∪[π(k) ∈Qπ] based on the Scene Description
M when the robot takes u.
Basically the framework needs to solve three subproblems.
First, we design reactive motion controllers ui ∈U : i ∈
NU = {1, ..., |NU|} to provide enough maneuvers for the
robot to complete the given task. If it is needed, the design
criterion is that each controller modeled as a hybrid program
αui must formally ensure a safety property φsafe
ui
after any
execution, if the initial state is safe and satisﬁes the initial
condition φinitial
ui
, i.e. φinitial
ui
∧φsafe
ui
→[αui]φsafe
ui
in dL.
Second, we abstract these controllers from the local to the
global layer, i.e. to design the speciﬁcation φΠ, in CLTLB(D)
formulas, to enforce safety requirement after concatenation
of designed motion primitives. We do so by ensuring that for
any plan s of size K, where ∀π(k) ∈Qπ : π(k) ∈P, u(k) ∈
π(k), the following two conditions hold.
• For each i ∈N, φsafe
u(k) is satisﬁable for at least one
trajectory between qr(k −1) and qr(k).
• For each i ∈N, qr(k −1) ⊨φinitial
u(k)
.
This speciﬁcation depends on the scene description M and
the conjunction of all speciﬁcations φΠ is called the motion
primitives speciﬁcation φP(M). Since the output of global
layer is a sequence s, where each π(k) ∈Qπ assigns
one of Π ∈P. If φP(M) constraints s to satisfy both
conditions, then the reachable states after any execution of
the controller u(k) will be constraint to satisﬁes φsafe
u(k) and it
will satisfy φinitial
u(k+1) ∧φsafe
u(k+1) before execute the next con-
troller u(k + 1). Therefore, the hybrid program of resulting
plan s is φinitial
u(1)
∧φsafe
u(1) →[αu(1); ?(φsafe
u(1) ); ?(φinitial
u(2)
∧
φsafe
u(2) ); αu(2); ...; αu(K)]φsafe
u(K). The following theorem for-
mally proves that the composition of those motion primitives
will also guarantee the safety properties ∀k ∈N : φsafe
u(k) ,
after executing a plan.
Theorem 1. If a plan s has size K, and satisﬁes s ⊨φP(M)
and V
∀i∈NU φinitial
ui
∧φsafe
ui
→[αui]φsafe
ui
is valid, then it
will also satisfy all safety properties s ⊨V
k∈N φsafe
u(k) , where
s(k) = ⟨qr(k), π(k)⟩at instant k ∈N and u(k) ∈π(k).
Proof. The dL formula of s that satisﬁes the speciﬁcation
φP(M) is φinitial
u(1)
∧φsafe
u(1) →[αu(1); ?(φsafe
u(1) ); ?(φinitial
u(2)
∧
φsafe
u(2) ); αu(2); ...; αu(K)]φsafe
u(K). By applying the rules [; ],
[?] and →
r
[22], we ﬁnd the equivalent formula
V
∀k∈N φinitial
u(k)
∧φsafe
u(k) →[αu(k)]φsafe
u(k) . Therefore, if we
ensure that ∀i ∈NU : φinitial
ui
∧φsafe
ui
→[αui]φsafe
ui
, the run
s will satisfy safety property of all motion primitives.
Finally, the global layer encodes the CLTLB(D) task spec-
iﬁcations φG and φP(M) into forms that are solvable by an
SMT solver such as Z3[5], in the Constraint Generator shown
in Fig. 2. Encoding the ITMP problem using CLTLB(D)
language allows the description of a wide range of system
properties that the satisﬁability problem is decidable. If the
global layer speciﬁcation is satisﬁable, a plan s is then
generated and extracted to the Motion Primitives Supervisor
that enforces a sequential execution of this plan. In the
following sections we will describe our framework in detail
using the Clean Up example.
IV. MOTION PRIMITIVES
In the Clean Up scenario, four motion controllers are
needed so U = {u1, ..., u4} where u1 = go to, u2 = push the
door, u3 = pick up and u4 = leave. The following subsec-
tions will introduce how to design their motion primitives.
A. Go To
The ﬁrst controller u to be designed is the local navigation
function which avoids obstacles that can be moving at a
velocity up to V . Since the global layer does not take into
account the environment kinematics, the safety property must
be veriﬁed at a local layer. We implement a Dynamic Win-
dow Approach [7] (DWA) algorithm based on the veriﬁcation
presented by Mitsch et. al. [18].
At every cycle time, based on the robot’s sensor read-
ings about its current position and surrounding obstacles,
the DWA uses circular trajectories determined uniquely by
the robot translational vr and rotational ωr velocities. In
summary, the algorithm is organized in two steps. (i) First it
searches for a range of admissible (vr, ωr) pair that results
in safe trajectories that the robot can realize in a short time
frame, which is called dynamic window. (ii) Then, it chooses
a (vr, ωr) pair in the dynamic window that maximizes the
progress towards the goal.
The safety property that the DWA must satisfy is called
Passive Safety Property φps[17]. This property means that
the robot will never collide with the obstacle, or it will stop
before collision.
φps ≡

vr = 0

∨

∥pr −po ∥> v2
r
2b + V vr
b

where b is the maximum deceleration, and pr and po are the
position of the robot and the obstacle, respectively.
Finally, Mitsch et. al. [18] veriﬁed if this model ensures
the Passive Safety Property φps using KeYmaera.
Theorem 2. If the DWA algorithm modeled with the hybrid
program dwps starts in a state that satisﬁes φps, it will
always satisﬁes it.
φps →[dwps]φps
where dwps is presented in the Model 1 in [18].
An example of such trajectories is sketched in Fig. 3.
One robot passes in front of other robot executing the DWA
algorithm. The DWA assigns circular trajectories to avoid the
collision with the other robot, and the translational velocity
is reduced based on the proximity to this robot.
Now we move from the local layer to the global layer to
abstract this controller. Since the safety property φps is an
invariant property as well, it can be used as a constraint to
ensure the safe motion primitive composition. Details like
moving obstacles are omitted in the global layer, so we can
assume that the minimum robot velocity is zero (vr > 0),
and the known obstacles are static (V = 0), thus:
Fig. 3.
An example of safe circular trajectory for moving obstacles. The
vehicles drive from the gray to the red in the dashed line, and the vehicle
moving in straight line is the moving obstacle and the other is an executing
DWA algorithm.
Corollary 2.1. If there is a trajectory between the current
and next states (qr and ⃝qr), in which the robot can ﬁts
into, then there is, at least, one possible DWA passively safe
trajectory.
Proof. If vr > 0 and V = 0, thus, if ∥pr −po ∥> 0, then
there exist at least one trajectory that can be executed by the
DWA algorithm that φps holds true.
Hence, the Go To speciﬁcation φΠ in CLTLB(D) should
guarantee that there exists a trajectory free of obstacles
if the initial qr and goal ⃝qr states should be to the
left, right, below or above of all obstacles (i.e. rj
left,o ≡

max(⃝qr.x, qr.x) ≤min(oj.xi, oj.xf) −a.l
2

, rj
right,o ≡

min(⃝qr.x, qr.x) ≥max(oj.xi, oj.xf) + a.l
2

, rj
below,o ≡

max(⃝qr.y, qr.y) ≤min(oj.yi, oj.yf) −a.l
2

, rj
above,o ≡

min(⃝qr.y, qr.y) ≥max(oj.yi, oj.yf) + a.l
2

),
φO
GoT o ≡∀j ∈NO :□
h
(π = GoTo) →
rj
left,o ∨rj
right,o ∨rj
bellow,o ∨rj
above,o
i
.
And similarly we have φB
GoT o to avoid colliding into
objects that are not being carried (i.e. ¬qj
b.p). Thus, the initial
qr and goal ⃝qr states should be to the left, right, below
or above of all objects (i.e. rj
left,b ≡

max(⃝qr.x, qr.x) ≤
qj
b.x −lj
, rj
right,b ≡

min(⃝qr.x, qr.x) ≥qj
b.x + lj
,
rj
below,b ≡

max(⃝qr.y, qr.y) ≤qj
b.y −lj
, rj
above,b ≡

min(⃝qr.y, qr.y) ≥qj
b.y + lj
, where lj = bj.l+a.l
2
),
φB
GoT o ≡∀j ∈NB : □
h
(π = GoTo) ∧¬qj
b.p →
rj
left,b ∨rj
right,b ∨rj
bellow,b ∨rj
above,b
i
.
Additionally,
the
robot
can
only
move
inside
the
workspace (i.e. rinx ≡(W.x −W.l
2
+ a.l
2
≤⃝qr.x ≤
W.x+ W.l
2 −a.l
2 ) and riny ≡(W.y −W.l
2 + a.l
2 ≤⃝qr.y ≤
W.y + W.l
2
−a.l
2 )) and won’t change any object state (i.e.
pl
static ≡⃝ql
b.p = ql
b.p when executing GoTo, so, we have,
φGoT o ≡□
h
π = GoTo →
^
l∈NB
pl
static ∧rinx ∧riny
i
∧
φO
GoT o ∧φB
GoT o
B. Push the Door
Another reactive motion controller u is to push the door,
a straight movement in the direction of the door until it
is pushed and the robot completely passes through it. The
safety property φP ush is that the robot must start at the
initial position and go to ﬁnal position (i.e. pushj ≡

qr =
dj.q1 ∧⃝qr.x = dj.q2.x ∧⃝qr.y = dj.q2.y

∨

qr =
dj.q2 ∧⃝qr.x = dj.q1.x ∧⃝qr.y = dj.q1.y

), so, we have,
φP ush ≡∀j ∈ND : □
h
π = Pushj →
^
l∈NB
pl
static ∧pushji
C. Pick up and Leave
Finally, the pick up and leave motion primitives describe
the robot and objects dynamics. The safety property for those
controllers does not depend on the robot or environment
kinematics, so it does not require a veriﬁcation in KeYmaera
neither. So, we assume that the robot can pick up the object
with the posing at 0◦. Hence, to pick an object up, the robot
cannot be carrying any object (i.e. ¬ql
b.p) and will carry
the object j (i.e. ⃝pj,l
carry ≡(j = l →⃝ql
b.p) ∧(j ̸=
l →¬ ⃝ql
b.p)). Also, the robot states will not change (i.e.
rstatic ≡(qr.x = ⃝qr.x) ∧(qr.y = ⃝qr.y) ∧(qr.α =
⃝qr.α)) and it will be posing in front of object (i.e. rj
object ≡
(qr.α = 0) ∧(qr.y = qj
b.y) ∧(qr.x = qj
b.x −lj)),
φP ickUp ≡∀j ∈NB : □
h
π = PickUpj →
^
∀l∈NB

¬ql
b.p ∧⃝pj,l
carry

∧rstatic ∧rj
object
i
.
Correspondingly, we leave the object at the same angle.
Thus, to drop an object off, the robot should be carrying the
object j (i.e. pl
carry ≡(j = l →ql
b.p) ∧(j ̸= l →¬ql
b.p))
and then drops it off (i.e. ¬ ⃝ql
b.p). Moreover, the robot
will not change the initial and ﬁnal states (i.e. ri
static) and
the object will be left next to it at 0o (i.e. bj
left ≡(qr.α =
0.0) ∧(⃝qj
b.y = qr.y) ∧(⃝qj
b.x = qr.x + lj)). However,
we cannot leave the object over other objects. Therefore, the
next object position should not have overlap with any other
objects (i.e. bj,l
left,b ≡

⃝qj
b.y ≤⃝ql
b.y −lj,l
b

, bj,l
right,b ≡

⃝qj
b.y ≥⃝ql
b.y + lj,l
b

, bj,l
below,b ≡

⃝qj
b.x ≤⃝ql
b.x −
lj,l
b

, bj,l
above,b ≡

⃝qj
b.x ≥⃝ql
b.x + lj,l
b

, where lj,l
b
=
bj.l+bl.l
2
),
φB
Leave ≡∀j, l ∈NB, j ̸= l : □
h
π = Leavej ∧¬ql
b.p →
bj,l
left,b ∨bj,l
right,b ∨bj,l
below,b ∨bj,l
above,b
i
.
And neither over an obstacle, (i.e. bj,l
left,o
≡

⃝
qj
b.y
≤
min(o.xi, o.xf) −
bj.l
2

,
bj,l
right,o
≡

⃝
qj
b.y
≥
max(o.xi, o.xf) +
bj.l
2

,
bj,l
below,o
≡

⃝
qj
b.x ≤min(o.yi, o.yf) −bj.l
2

, bj,l
above,o ≡

⃝qj
b.x ≥
max(o.yi, o.yf) + bj.l
2

),
φO
Leave ≡∀j ∈B, l ∈O : □
h
π = Leavej →
bj,l
left,o ∨bj,l
right,o ∨bj,l
below,o ∨bj,l
above,o
i
.
Hence,
φLeave ≡∀j ∈NB : □
h
π = Leavej →
^
∀l∈NB

pj,l
carry ∧¬ ⃝ql
b.p

∧rstatic ∧bj
left
i
∧
φB
Leave ∧φO
Leave.
Finally, if π ̸= Leavej, the object does not change
position (i.e. bj
static ≡(⃝qj
b.x = qj
b.x) ∧(⃝qj
b.y = qj
b.y)

).
φcarry ≡∀j ∈NB : □
h
(π ̸= Leavej) →bj
static
i
.
V. COMPOSITION OF MOTION PRIMITIVES
The Motion Primitive Speciﬁcations φP(M) are the con-
junctions of the speciﬁcations from each single motion
primitive. For the Clean Up scenario, this speciﬁcation is,
φClean
P
(M) ≡φGoT o ∧φP ush ∧φP ickUp ∧φLeaveb ∧φcarry
Now we can compose the motion primitives by encoding
the Task Speciﬁcation φG and the Motion Primitive Speciﬁ-
cations φP(M) to Z3 SMT solver. If the speciﬁcations are
satisﬁable, the SMT solver will output a feasible plan s.
We encode only CLTLB(D) formulas with no nested path
quantiﬁers, but it is possible to encode nested formulas as
well [2]. Since Z3 is a decision procedure for the combi-
nation of quantiﬁer-free ﬁrst-order logic with theories for
linear arithmetic [5], we encode each state variable as an
array whose size depends on the length of the trace K. For
example, each robot state qr.x(k) ∈Qr will be encoded
as an array such that qr.x[k]. Each object state is a two
dimensional array such that each element is qb[j].x[k] :
j ∈NB. Additionally, each motion primitives π(k) ∈Qπ
will be an array such that each element is π[k]. Hence, the
a.t.t. operator ⃝can be encoded by adding or subtracting
the array index, for instance, ⃝qr.x ≡qr.x[k + 1] at
instant k. Therefore, a state formula ψ, deﬁned as ψ ≡
p | R(ϕ1, ϕ2, ..., ϕn) | ¬ψ | ψ1 ∧ψ2, can be encoded to
quantiﬁer-free ﬁrst-order logic formulas Ψ[k], where k ∈Nρ
is the instant that ψ holds true. For instance, if ψ ≡q0
b.p,
then Ψ[2] holds true if q0
b.p holds true at instant 2.
Encoding temporal logic quantiﬁers to ﬁrst order logic
requires quantiﬁers ∀and ∃in relation to the time instants.
The quantiﬁer ∀k ∈Nρ : Ψ[k] can be implemented using
for loop. The ∃k ∈Nρ : Ψ[k] can be encoded by using an
auxiliary variable j such as ∀k ∈Nρ : (k = j) →Ψ[k]∧j ∈
Nρ and, then, also encoded using a for loop. Therefore, we
can encode CLTLB(D) quantiﬁers to Z3, for example,
• ⃝jψ ⇐⇒j ∈Nρ ∧Ψ[j]
• ψ1Uψ2 ⇐⇒



 V
k∈Nρ
h
(k < j →Ψ1[k])∧
(k = j →Ψ2[k])
i
∧j ∈Nρ
• □ψ ⇐⇒V
k∈Nρ Ψ[k]
• ♦ψ ⇐⇒V
k∈Nρ
h
k = j →Ψ[k]
i
∧j ∈Nρ
• Last[ψ] ⇐⇒Ψ[K]
Finally,
let
ϕ1
and
ϕ2
be
a.t.t.’s,
the
functions
max(ϕ1, ϕ2) and min(ϕ1, ϕ2) are encoded with SMT func-
tion ite, i.e. max(ϕ1, ϕ2) ≡ite(ϕ1 > ϕ2, ϕ1, ϕ2) and
min(x, y) ≡ite(ϕ1 < ϕ2, ϕ1, ϕ2). Now, we can deﬁne a
task speciﬁcation in CLTLB(D) and ﬁnd an integrated task
and motion plan s for the scenario in the Example 1 as shown
below.
Example 2. A task can be any temporal logic describing
how the robot or the objects should move in the envi-
ronment. For example, it could be to bring the objects in
the workspace of Fig. 1 to the temporary rectangular area
Qj
temp ≡(−1500 ≤qj
b.x ≤−500) ∧(−2500 ≤qj
b.y ≤
−1000)∧¬qj
b.p (which can be represented by the coordinates
of its upper-left and lower-right vertices) and later leave
them in the state Qgoal
b
≡q1
b = ⟨1900, 1000, false⟩∧q2
b =
⟨2000, 1000, false⟩. The speciﬁcation of this task is,
φClean
G
≡
^
∀j∈NB
♦
h
Qj
temp
i
∧Last
h
Qgoal
b
i
If we set the trace length K = 24 and encode the formula
φClean
G
∧φClean
P
(M) to a SMT solver, we can ﬁnd the
following satisﬁable plan,
s = {⟨Π1, (−2000, −500, 0)⟩, ⟨Π2, (−1000, −500, 0)⟩,
⟨Π1, (1650, −1000, 0)⟩, ⟨Π3, (1650, −1000, 0)⟩,
⟨Π1, (−998, −1251, 0)⟩, ⟨Π4, (−998, −1251, 0)⟩,
⟨Π1, (−999, −999, 0)⟩, ⟨Π1, (1750, −1000, 0)⟩,
⟨Π3, (1750, −1000, 0)⟩, ⟨Π1, (−751, −1001, 0)⟩,
⟨Π4, (−751, −1001, 0)⟩, ⟨Π3, (−751, −1001, 0)⟩,
⟨Π1, (−1000, −500, 90)⟩, ⟨Π2, (−1000, 500, 90)⟩,
⟨Π1, (1750, 1000, 0)⟩, ⟨Π4, (1750, 1000, 0)⟩,
⟨Π1, (−1000, 500, 270)⟩, ⟨Π2, (−1000, 500, 270)⟩,
⟨Π1, (−998, −1251, 0)⟩, ⟨Π3, (−998, −1251, 0)⟩,
⟨Π1, (−1000, −500, 90)⟩, ⟨Π2, (−1000, 500, 90)⟩,
⟨Π1, (1650, 1000, 0)⟩, ⟨Π4, (1650, 1000, 0)⟩}
where Π1 = go to, Π2 = push the door, Π3 = pick up and Π4 =
leave motion primitives.
Note that this plan is safe to moving obstacles as well
because the motion primitive Go To can handle it in the local
layer. For example, when executing ⟨Π1, (−2000, −500, 0)⟩,
if a human appears moving inside the robot straight trajectory
to position (−2000, −500), it will reduce the velocity prop-
erly and try another circular trajectory that does not leads
to a collision, shown in Fig. 3. If the robot cannot avoid
the collision, it is formally proven that it will be stopped
before it. Therefore, if the moving obstacle can and chooses
to avoid the collision too, the robot will be always safe. It
allows the robot always to ﬁnd a new plan s in a receding
horizon strategy. Hence, if the moving obstacles change the
environment in a way that the plan is not feasible, we can
always update the scene description M to search for a new
satisﬁable plan at current state.
Fig. 4.
Environment framework used in the execution time experiments.
TABLE I
BENCHMARKS INCREASING THE ENVIRONMENT SIZE.
Environment (m)
# Rooms
K
Time (avg ± std)
4 × 4
9
14
30.2ms ± 0.0067
8 × 8
9
14
30.9ms ± 0.0057
16 × 16
9
14
30.2ms ± 0.0088
32 × 32
9
14
30.6ms ± 0.019
64 × 64
9
14
30.7ms ± 0.0052
128 × 128
9
14
30.1ms ± 0.056
256 × 256
9
14
30.0ms ± 0.0047
VI. SIMULATION/EXPERIMENTAL RESULTS
The purpose of the experiments in this section is to
determine which parameters can affect the computation time
of the framework. The benchmarks shown here are relevant
to designing an optimization algorithm that ﬁnds the best
path using CoSMoP motion planning. All the experiments
were executed on Linux with an Intel i7 processor and 8GB
memory.
The environment is one ﬂoor of a building with square
layout. It has multiple rooms with push-pull doors that permit
the robot to move between rooms, shown in the Fig. 4. The
robot starts in the room marked with S, and it needs to reach
the room with G. All doors permit the robot to move in
the direction of the goal. To increase the complexity of the
environment, we can increase its size and the number of
rooms. It is executed 35 times for each scene description.
The time average and standard variation are then calculated.
To increase the environment size does not seem to af-
fect the execution time, as shown in table I. However, it
expressively increases when we raise the number of rooms,
see table II. It suggests that the environment complexity
to solve the trajectory is only affected by the number of
obstacles and doors in the workspace. Moreover, we can
assert that the precision on the robot state integer variables
won’t change the execution time, for example, if we change
the position precision from mm to µm. The size of the
trace K also increases the execution time as it increases,
as shown in the table III. Although, the number of rooms
(i.e. obstacles and doors) can affect the size of satisﬁable
trace K, the table IV shows that CoSMoP ﬁnds a reachable
trajectory in a reasonable time for a signiﬁcantly complex
Scene Description.
TABLE II
BENCHMARKS INCREASING THE NUMBER OF ROOMS.
Environment (m)
# Rooms
K
Time (avg ± std)
32 × 32
9
50
121.5ms ± 0.020
32 × 32
25
50
434.3ms ± 0.13
32 × 32
49
50
1007.0ms ± 0.94
32 × 32
81
50
3994.1ms ± 12
TABLE III
BENCHMARKS INCREASING THE SIZE OF THE TRACE K.
Environment (m)
# Rooms
K
Time (avg ± std)
32 × 32
25
26
181.6ms ± 3.0
32 × 32
25
32
284.9ms ± 0.031
32 × 32
25
38
290.4ms ± 0.027
32 × 32
25
44
344.4ms ± 0.034
32 × 32
25
50
369.1ms ± 0.032
VII. CONCLUSION
We proposed the CoSMoP, an ITMP approach using
formal bottom-up design for mobile robot planning. It syn-
thesizes a sequential execution of motion primitives that
ensures the task speciﬁcation and safety properties even
under a dynamic environment with moving obstacles. The
main advantage of our approach is that we can handle the
moving obstacles dynamics and some uncertainties about
the environment at local motion primitive, which increase
its robustness. Additionally, we evaluated CoSMoP in a
motivating example showing that the ITMP can synthesize a
correct plan, we also studied how different parameters affect
the execution time. Future works includes implementation on
real robot and extensions to multiple robots.
REFERENCES
[1] Matthias Althoff and John M Dolan. Online veriﬁcation of automated
road vehicles using reachability analysis. Robotics, IEEE Transactions
on, 30(4):903–918, 2014.
[2] Marcello M Bersani, Achille Frigeri, Angelo Morzenti, Matteo
Pradella, Matteo Rossi, and Pierluigi San Pietro. Bounded reachability
for temporal logic over constraint systems. In Temporal Representation
and Reasoning (TIME), 2010 17th International Symposium on, pages
43–50. IEEE, 2010.
[3] Sara Bouraine, Thierry Fraichard, and Hassen Salhi. Provably safe
navigation for mobile robots with limited ﬁeld-of-views in dynamic
environments. Autonomous Robots, 32(3):267–283, 2012.
[4] St´ephane Cambon, Fabien Gravot, and Rachid Alami. Overview of
asymov: Integrating motion, manipulation and task planning. In Intl.
Conf. on Automated Planning and Scheduling Doctoral Consortium,
2003.
[5] Leonardo De Moura and Nikolaj Bjørner. Z3: An efﬁcient SMT solver.
In Tools and Algorithms for the Construction and Analysis of Systems,
pages 337–340. Springer, 2008.
TABLE IV
BENCHMARKS INCREASING THE PROBLEM COMPLEXITY.
Environment (m)
# Rooms
K
Time (avg ± std)
32 × 32
9
14
34.7ms ± 0.0051
32 × 32
16
20
69.3ms ± 0.026
32 × 32
25
26
298.2ms ± 0.28
32 × 32
36
32
461.6ms ± 0.59
32 × 32
49
38
856.2ms ± 0.63
32 × 32
64
44
1126.9ms ± 0.26
32 × 32
81
50
3909.3ms ± 1.7
[6] Christian Dornhege, Patrick Eyerich, Thomas Keller, Sebastian Tr¨ug,
Michael Brenner, and Bernhard Nebel.
Semantic attachments for
domain-independent planning systems.
In Towards Service Robots
for Everyday Environments, pages 99–115. Springer, 2012.
[7] Dieter Fox, Wolfram Burgard, Sebastian Thrun, et al. The dynamic
window approach to collision avoidance. IEEE Robotics & Automation
Magazine, 4(1):23–33, 1997.
[8] Cipriano Galindo, Juan-Antonio Fernandez-Madrigal, and Jose Gon-
zalez.
Improving efﬁciency in mobile robot task planning through
world abstraction. Robotics, IEEE Transactions on, 20(4):677–690,
2004.
[9] Caelan Reed Garrett, Tom´as Lozano-P´erez, and Leslie Pack Kaelbling.
Ffrob: An efﬁcient heuristic for task and motion planning.
In
Algorithmic Foundations of Robotics XI, pages 179–195. Springer,
2015.
[10] Daniel Heß, Matthias Althoff, and Thomas Sattel. Formal veriﬁcation
of maneuver automata for parameterized motion primitives. In Intelli-
gent Robots and Systems (IROS 2014), 2014 IEEE/RSJ International
Conference on, pages 1474–1481. IEEE, 2014.
[11] William NN Hung, Xiaoyu Song, Jindong Tan, Xiaojuan Li, Jie Zhang,
Rui Wang, and Peng Gao. Motion planning with satisﬁability modulo
theories. In Robotics and Automation (ICRA), 2014 IEEE International
Conference on, pages 113–118. IEEE, 2014.
[12] Leslie Pack Kaelbling and Tom´as Lozano-P´erez. Hierarchical task and
motion planning in the now. In Robotics and Automation (ICRA), 2011
IEEE International Conference on, pages 1470–1477. IEEE, 2011.
[13] Andrew Kimmel, Andrew Dobson, Zakary Littleﬁeld, Athanasios
Krontiris, James Marble, and Kostas E Bekris. Pracsys: an extensible
architecture for composing motion controllers and planners. In Sim-
ulation, Modeling, and Programming for Autonomous Robots, pages
137–148. Springer, 2012.
[14] Jean-Claude Latombe. Robot motion planning, volume 124. Springer
Science & Business Media, 2012.
[15] Hai Lin. Mission accomplished: An introduction to formal methods
in mobile robot motion planning and control.
Unmanned Systems,
2(02):201–216, 2014.
[16] Zakary Littleﬁeld, Athanasios Krontiris, Andrew Kimmel, Andrew
Dobson, Rahul Shome, and Kostas E Bekris. An extensible software
architecture for composing motion and task planners. In Simulation,
Modeling, and Programming for Autonomous Robots, pages 327–339.
Springer, 2014.
[17] Kristijan Macek, Dizan Alejandro Vasquez Govea, Thierry Fraichard,
and Roland Siegwart.
Towards safe vehicle navigation in dynamic
urban scenarios. Automatika, 2009.
[18] Stefan Mitsch, Khalil Ghorbal, and Andr´e Platzer.
On provably
safe obstacle avoidance for autonomous robotic ground vehicles. In
Robotics: Science and Systems, 2013.
[19] Danial Nakhaeinia and Babak Karasﬁ.
A behavior-based approach
for collision avoidance of mobile robots in unknown and dynamic
environments. Journal of Intelligent & Fuzzy Systems, 24(2):299–311,
2013.
[20] Srinivas Nedunuri, Shashank Prabhu, Maciej Moll, Swarat Chaudhuri,
and Lydia E Kavraki.
Smt-based synthesis of integrated task and
motion plans from plan outlines. In Robotics and Automation (ICRA),
2014 IEEE International Conference on, pages 655–662. IEEE, 2014.
[21] Erion Plaku and Gregory D Hager. Sampling-based motion and sym-
bolic action planning with geometric and differential constraints. In
Robotics and Automation (ICRA), 2010 IEEE International Conference
on, pages 5002–5008. IEEE, 2010.
[22] Andr´e Platzer. Logical analysis of hybrid systems: proving theorems
for complex dynamics. Springer Science & Business Media, 2010.
[23] Matteo Pradella, Angelo Morzenti, and Pierluigi San Pietro. Bounded
satisﬁability checking of metric temporal logic speciﬁcations. ACM
Transactions on Software Engineering and Methodology (TOSEM),
22(3):20, 2013.
[24] Indranil Saha, Rattanachai Ramaithitima, Vijay Kumar, George J
Pappas, and Sanjit A Seshia.
Automated composition of motion
primitives for multi-robot systems from safe LTL speciﬁcations. In
Intelligent Robots and Systems (IROS 2014), 2014 IEEE/RSJ Interna-
tional Conference on, pages 1525–1532. IEEE, 2014.
[25] Jason Wolfe, Bhaskara Marthi, and Stuart J Russell. Combined task
and motion planning for mobile manipulation. In ICAPS, pages 254–
258, 2010.