Chuchu Fan,Bolun Qi,Sayan Mitra

DOI: https://doi.org/10.48550/arXiv.1704.06406

2017-04-21

Systems and Control

Abstract:We present an overview of recently developed data-driven tools for safety analysis of autonomous vehicles and advanced driver assist systems. The core algorithms combine model-based, hybrid system reachability analysis with sensitivity analysis of components with unknown or inaccessible models. We illustrate the applicability of this approach with a new case study of emergency braking systems in scenarios with two or three vehicles. This problem is representative of the most common type of rear-end crashes, which is relevant for safety analysis of automatic emergency braking (AEB) and forward collision avoidance systems. We show that our verification tool can effectively prove the safety of certain scenarios (specified by several parameters like braking profiles, initial velocities, uncertainties in position and reaction times), and also compute the severity of accidents for unsafe scenarios. Through hundreds of verification experiments, we quantified the safety envelope of the system across relevant parameters. These results show that the approach is promising for design, debugging and certification. We also show how the reachability analysis can be combined with statistical information about the parameters, to assess the risk level of the control system, which in turn is essential, for example, for determining Automotive Safety Integrity Levels (ASIL) for the ISO26262 standard.

Stefan Mitsch,Grant Olney Passmore,Andre Platzer

DOI: https://doi.org/10.1007/s11786-014-0176-y

2014-10-04

Abstract:Hybrid systems with both discrete and continuous dynamics are an important model for real-world cyber-physical systems. The key challenge is to ensure their correct functioning w.r.t. safety requirements. Promising techniques to ensure safety seem to be model-driven engineering to develop hybrid systems in a well-defined and traceable manner, and formal verification to prove their correctness. Their combination forms the vision of verification-driven engineering. Often, hybrid systems are rather complex in that they require expertise from many domains (e.g., robotics, control systems, computer science, software engineering, and mechanical engineering). Moreover, despite the remarkable progress in automating formal verification of hybrid systems, the construction of proofs of complex systems often requires nontrivial human guidance, since hybrid systems verification tools solve undecidable problems. It is, thus, not uncommon for development and verification teams to consist of many players with diverse expertise. This paper introduces a verification-driven engineering toolset that extends our previous work on hybrid and arithmetic verification with tools for (i) graphical (UML) and textual modeling of hybrid systems, (ii) exchanging and comparing models and proofs, and (iii) managing verification tasks. This toolset makes it easier to tackle large-scale verification tasks.

Logic in Computer Science,Software Engineering

Megan Strauss,Stefan Mitsch

2023-05-16

Abstract:Technology advances give us the hope of driving without human error, reducing vehicle emissions and simplifying an everyday task with the future of self-driving cars. Making sure these vehicles are safe is very important to the continuation of this field. In this paper, we formalize the Responsibility-Sensitive Safety model (RSS) for self-driving cars and prove the safety and optimality of this model in the longitudinal direction. We utilize the hybrid systems theorem prover KeYmaera X to formalize RSS as a hybrid system with its nondeterministic control choices and continuous motion model, and prove absence of collisions. We then illustrate the practicality of RSS through refinement proofs that turn the verified nondeterministic control envelopes into deterministic ones and further verified compilation to Python. The refinement and compilation are safety-preserving; as a result, safety proofs of the formal model transfer to the compiled code, while counterexamples discovered in testing the code of an unverified model transfer back. The resulting Python code allows to test the behavior of cars following the motion model of RSS in simulation, to measure agreement between the model and simulation with monitors that are derived from the formal model, and to report counterexamples from simulation back to the formal model.

Logic in Computer Science,Software Engineering,Systems and Control

Eun-Young Kang,Dongrui Mu,Li Huang,Qianqing Lan

DOI: https://doi.org/10.48550/arXiv.1803.06103

2018-03-16

Software Engineering

Abstract:The software development for Cyber-Physical Systems (CPS), e.g., autonomous vehicles, requires both functional and non-functional quality assurance to guarantee that the CPS operates safely and effectively. EAST-ADL is a domain specific architectural language dedicated to safety-critical automotive embedded system design. We have previously modified EAST-ADL to include energy constraints and transformed energy-aware real-time (ERT) behaviors modeled in EAST-ADL/STATEFLOW into UPPAAL models amenable to formal verification. Previous work is extended in this paper by including support for SIMULINK and an integration of Simulink/Stateflow within a same tool-chain. Simulink/Stateflow models are transformed, based on extended ERT constraints in EAST-ADL, into verifiable UPPAAL models with stochastic semantics and integrate the translation with formal statistical analysis techniques: Probabilistic extension of EAST-ADL constraints is defined as a semantics denotation. A set of mapping rules is proposed to facilitate the guarantee of translation. Formal analysis on both functional- and non-functional properties is performed using SIMULINK DESIGN VERIFIER/UPPAAL-SMC. The analysis techniques are validated and demonstrated on the autonomous traffic sign recognition vehicle case study.

Mohammed Al-Nuaimi,Sapto Wibowo,Hongyang Qu,Jonathan Aitken,Sandor Veres

DOI: https://doi.org/10.3390/jsan10030042

2021-06-29

Journal of Sensor and Actuator Networks

Abstract:The evolution of driving technology has recently progressed from active safety features and ADAS systems to fully sensor-guided autonomous driving. Bringing such a vehicle to market requires not only simulation and testing but formal verification to account for all possible traffic scenarios. A new verification approach, which combines the use of two well-known model checkers: model checker for multi-agent systems (MCMAS) and probabilistic model checker (PRISM), is presented for this purpose. The overall structure of our autonomous vehicle (AV) system consists of: (1) A perception system of sensors that feeds data into (2) a rational agent (RA) based on a belief–desire–intention (BDI) architecture, which uses a model of the environment and is connected to the RA for verification of decision-making, and (3) a feedback control systems for following a self-planned path. MCMAS is used to check the consistency and stability of the BDI agent logic during design-time. PRISM is used to provide the RA with the probability of success while it decides to take action during run-time operation. This allows the RA to select movements of the highest probability of success from several generated alternatives. This framework has been tested on a new AV software platform built using the robot operating system (ROS) and virtual reality (VR) Gazebo Simulator. It also includes a parking lot scenario to test the feasibility of this approach in a realistic environment. A practical implementation of the AV system was also carried out on the experimental testbed.

Simon Foster,Mario Gleirscher,Radu Calinescu

DOI: https://doi.org/10.1109/ICECCS51672.2020.00020

2020-06-16

Abstract:The use of autonomous vehicles in real-world applications is often precluded by the difficulty of providing safety guarantees for their complex controllers. The simulation-based testing of these controllers cannot deliver sufficient safety guarantees, and the use of formal verification is very challenging due to the hybrid nature of the autonomous vehicles. Our work-in-progress paper introduces a formal verification approach that addresses this challenge by integrating the numerical computation of such a system (in GNU/Octave) with its hybrid system verification by means of a proof assistant (Isabelle). To show the effectiveness of our approach, we use it to verify differential invariants of an Autonomous Marine Vehicle with a controller switching between multiple modes.

Software Engineering,Systems and Control

Hao Luo,Chun Shi,Linlin Qin,Gang Wu

DOI: https://doi.org/10.1145/3690931.3690970

2024-01-01

Abstract:The complexity and functionality of software systems in electric vehicles are progressively advancing, necessitating compliance with stringent safety standards. Utilizing formal methods for verification during the software design and testing phases can significantly improve the safety and reliability of these systems. This study examines the dual-redundant hill-start assist system in electric vehicles, focusing on both hydraulic braking and motor stall scenarios. We developed a timed automaton model for a multi-process concurrent system, which includes components such as the HillStart controller, motor, hydraulic brake, power battery, brake pedal, accelerator pedal, and DNR switch. Considering the real-time performance required by the system, we refined them into TCTL specifications. Model checking was performed using UPPAAL. The findings confirm the reliability of the control system's state machine design.

Horel, Jean-Baptiste,Ledent, Philippe,Marsso, Lina,Muller, Lucie,Mateescu, Radu,Renzaglia, Alessandro,Serwe, Wendelin

DOI: https://doi.org/10.1007/s10846-023-01808-3

2023-04-22

Journal of Intelligent and Robotic Systems: Theory and Applications

Abstract:Autonomous driving technology is safety-critical and thus requires thorough validation. In particular, the probabilistic algorithms employed in perception systems of autonomous vehicles (AV) are notoriously hard to validate due to the wide range of possible critical scenarios. Such critical scenarios cannot be easily addressed with current manual validation methods, thus there is a need for an automatic and formal validation technique. To this end, we propose a new approach for perception component verification that, given a high-level and human-interpretable description of a critical situation, generates relevant AV scenarios and uses them for automatic verification. To achieve this goal, we integrate two recently proposed methods for the generation and the verification that are based on formal verification tools. First, we use formal conformance test generation tools to derive, from a verified formal model, sets of scenarios to be run in a simulator. Second, we model check the traces of the simulation runs to validate the probabilistic estimation of collision risks. Using formal methods brings the combined advantages of an increased confidence in the correct representation of the chosen configuration (temporal logic verification), a guarantee of the coverage and relevance of automatically generated scenarios (conformance testing), and an automatic quantitative analysis of the test execution (verification and statistical analysis on traces).

Romain Cuer,Laurent Piétrac,Eric Niel,Saidou Diallo,Nicoleta Minoiu-Enache,Christophe Dang-Van-Nhan

DOI: https://doi.org/10.1016/j.ress.2018.01.014

2018-06-01

Abstract:The autonomous vehicle is meant to drive by itself, without any driver intervention (for the levels 4 and 5 of automated driving, according to the National Highway Traffic Safety Administration(NHTSA)). This car includes a new function, called Autonomous Driving (AD) function, in charge of driving the vehicle when it is authorized. This function may be in different states (basically active or inactive), that shall be managed by a sub-function, named supervision. The main focus of this work is to ensure that the supervision of a function, performed by a safety critical embedded automotive control system (controlled systems are not considered), respects functional and safety requirements. Usually two processes are involved in the system design: the systems engineering process and the safety one. The first process defines the functional requirements on the function while the safety one specifies redundant sub-functions (realizing together the function) allowing to ensure a continuous service under failure. Since two different aspects of the system are specified, it is a major challenge to make all requirements consistent, from the outset of the design process. In this paper, a method is precisely proposed to address this issue. A progressive reinforcement of the treated requirements is achieved by means of formal state models. In fact, the proposed approach permits to build state models from requirements initially expressed in natural language. Potential ambiguities, incompletenesses or undertones in requirements are in this way gradually deleted. The enrichment of conventional formal verification of control properties with safety requirements constitutes the main originality of the deployed method and contributes to solve inconsistencies between functional and safety verification processes. In addition, the application of the method to the design of AD function supervision highlights its efficiency in an industrial context.

engineering, industrial,operations research & management science

Aaditya Prakash Chouhan,Gourinath Banda

DOI: https://doi.org/10.3390/s20164506

IF: 3.9

2020-08-12

Sensors

Abstract:Autonomous vehicles are gaining popularity throughout the world among researchers and consumers. However, their popularity has not yet reached the level where it is widely accepted as a fully developed technology as a large portion of the consumer base feels skeptical about it. Proving the correctness of this technology will help in establishing faith in it. That is easier said than done because of the fact that the formal verification techniques has not attained the level of development and application that it is ought to. In this work, we present Statistical Model Checking (SMC) as a possible solution for verifying the safety of autonomous systems and algorithms. We apply it on Heuristic Autonomous Intersection Management (HAIM) algorithm. The presented verification routine can be adopted for other conflict point based autonomous intersection management algorithms as well. Along with verifying the HAIM, we also demonstrate the modeling and verification applied at each stage of development to verify the inherent behavior of the algorithm. The HAIM scheme is formally modeled using a variant of the language of Timed Automata. The model consists of automata that encode the behavior of vehicles, intersection manager (IM) and collision checkers. To verify the complete nature of the heuristic and ensure correct modeling of the system, we model it in layers and verify each layer separately for their expected behavior. Along with that, we perform implementation verification and error injection testing to ensure faithful modeling of the system. Results show with high confidence the freedom from collisions of the intersection controlled by the HAIM algorithm.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Chuchu Fan,Bolun Qi,Sayan Mitra,Mahesh Viswanathan

DOI: https://doi.org/10.48550/arXiv.1702.06902

2017-02-23

Abstract:We present the DRYVR framework for verifying hybrid control systems that are described by a combination of a black-box simulator for trajectories and a white-box transition graph specifying mode switches. The framework includes (a) a probabilistic algorithm for learning sensitivity of the continuous trajectories from simulation data, (b) a bounded reachability analysis algorithm that uses the learned sensitivity, and (c) reasoning techniques based on simulation relations and sequential composition, that enable verification of complex systems under long switching sequences, from the reachability analysis of a simpler system under shorter sequences. We demonstrate the utility of the framework by verifying a suite of automotive benchmarks that include powertrain control, automatic transmission, and several autonomous and ADAS features like automatic emergency braking, lane-merge, and auto-passing controllers.

Systems and Control

Paolo Burgio,Angelo Ferrando,Marco Villani

DOI: https://doi.org/10.4204/EPTCS.411.13

2024-11-22

Abstract:In the realm of autonomous driving, the development and integration of highly complex and heterogeneous systems are standard practice. Modern vehicles are not monolithic systems; instead, they are composed of diverse hardware components, each running its own software systems. An autonomous vehicle comprises numerous independent components, often developed by different and potentially competing companies. This diversity poses significant challenges for the certification process, as it necessitates certifying components that may not disclose their internal behaviour (black-boxes). In this paper, we present a real-world case study of an autonomous driving system, identify key open challenges associated with its development and integration, and explore how formal verification techniques can address these challenges to ensure system reliability and safety.

Software Engineering,Artificial Intelligence,Distributed, Parallel, and Cluster Computing,Robotics

Cotnelius Buerkle,Fabian Oboril,Kay-Ulrich Scholl,Cornelius Buerkle

DOI: https://doi.org/10.1109/itsc45102.2020.9294273

2020-09-20

Abstract:Ensuring safety for highly automated vehicles (AVs) using complex algorithms including artificial intelligence is still an open research question. A first step towards the goal of achieving safe operation is the Responsibility Sensitive Safety (RSS) model proposed by Intel/Mobileye, which addresses the decision making of an AV system. However, RSS requires a correct environment model. Hence, to have a comprehensive overall AV safety case, additional solutions and argumentation are required, to verify correctness of the environment model. For this purpose we propose in this paper a novel solution, that uses a Monitor-Recovery approach based on a dynamic occupancy grid. The grid is used to verify the object information (Monitor) provided to RSS, and if required to correct wrong information (Recovery). Our results show that with this approach we can detect common failures of a perception system and successfully recover from those errors.

Shai Shalev-Shwartz,Shaked Shammah,Amnon Shashua

DOI: https://doi.org/10.48550/arXiv.1708.06374

2018-10-27

Abstract:In recent years, car makers and tech companies have been racing towards self driving cars. It seems that the main parameter in this race is who will have the first car on the road. The goal of this paper is to add to the equation two additional crucial parameters. The first is standardization of safety assurance --- what are the minimal requirements that every self-driving car must satisfy, and how can we verify these requirements. The second parameter is scalability --- engineering solutions that lead to unleashed costs will not scale to millions of cars, which will push interest in this field into a niche academic corner, and drive the entire field into a "winter of autonomous driving". In the first part of the paper we propose a white-box, interpretable, mathematical model for safety assurance, which we call Responsibility-Sensitive Safety (RSS). In the second part we describe a design of a system that adheres to our safety assurance requirements and is scalable to millions of cars.

Robotics,Artificial Intelligence,Machine Learning

Yi Deng,Agung Julius

DOI: https://doi.org/10.4204/EPTCS.174.1

2015-01-23

Abstract:For the design and implementation of engineering systems, performing model-based analysis can disclose potential safety issues at an early stage. The analysis of hybrid system models is in general difficult due to the intrinsic complexity of hybrid dynamics. In this paper, a simulation-based approach to formal verification of hybrid systems is presented.

Systems and Control

Nan Li,Dave W. Oyler,Mengxuan Zhang,Yildiray Yildiz,Ilya Kolmanovsky,Anouck R. Girard

DOI: https://doi.org/10.1109/tcst.2017.2723574

IF: 4.8

2018-09-01

IEEE Transactions on Control Systems Technology

Abstract:Autonomous driving has been the subject of incre- ased interest in recent years both in industry and in academia. Serious efforts are being pursued to address legal, technical, and logistical problems and make autonomous cars a viable option for everyday transportation. One significant challenge is the time and effort required for the verification and validation of the decision and control algorithms employed in these vehicles to ensure a safe and comfortable driving experience. Hundreds of thousands of miles of driving tests are required to achieve a well calibrated control system that is capable of operating an autonomous vehicle in an uncertain traffic environment where interactions among multiple drivers and vehicles occur simultaneously. Traffic simulators where these interactions can be modeled and represented with reasonable fidelity can help to decrease the time and effort necessary for the development of the autonomous driving control algorithms by providing a venue where acceptable initial control calibrations can be achieved quickly and safely before actual road tests. In this paper, we present a game theoretic traffic model that can be used to: 1) test and compare various autonomous vehicle decision and control systems and 2) calibrate the parameters of an existing control system. We demonstrate two example case studies, where, in the first case, we test and quantitatively compare two autonomous vehicle control systems in terms of their safety and performance, and, in the second case, we optimize the parameters of an autonomous vehicle control system, utilizing the proposed traffic model and simulation environment.

Tong Zhao,Ekim Yurtsever,Joel Paulson,Giorgio Rizzoni

DOI: https://doi.org/10.1109/TIV.2022.3170517

2022-03-03

Abstract:Challenges related to automated driving are no longer focused on just the construction of such automated vehicles (AVs), but in assuring the safety of their operation. Recent advances in Level 3 and Level 4 autonomous driving have motivated more extensive study in safety guarantees of complicated AV maneuvers, which aligns with the goal of ISO 21448 (Safety of the Intended Functions, or SOTIF), i.e. minimizing unsafe scenarios both known and unknown, as well as Vision Zero -- eliminating highway fatalities by 2050. A majority of approaches used in providing safety guarantees for AV motion control originate from formal methods, especially reachability analysis (RA), which relies on mathematical models for the dynamic evolution of the system to provide guarantees. However, to the best of the authors' knowledge, there have been no review papers dedicated to describing and interpreting state-of-the-art of formal methods in the context of AVs. In this work, we provide both an overview of the safety verification, validation and certification process, as well as review formal safety techniques that are best suited to AV applications. We also propose a unified scenario coverage framework that can provide either a formal or sample-based estimate of safety verification for full AVs. Finally, remaining challenges and future opportunities beyond the scope of current published research for assured AV safety are presented.

Systems and Control

Tobias Schmid,Stefanie Schraufstetter,Jonas Fritzsch,Dominik Hellhake,Greta Koelln,Stefan Wagner

DOI: https://doi.org/10.48550/arXiv.2101.07307

2021-01-19

Abstract:A fail-operational system for highly automated driving must complete the driving task even in the presence of a failure. This requires redundant architectures and a mechanism to reconfigure the system in case of a failure. Therefore, an arbitration logic is used. For functional safety, the switch-over to a fall-back level must be conducted in the presence of any electric and electronic failure. To provide evidence for a safety argumentation in compliance with ISO 26262, verification of the arbitration logic is necessary. The verification process provides confirmation of the correct failure reactions and that no unintended system states are attainable. Conventional safety analyses, such as the failure mode and effect analysis, have its limits in this regard. We present an analytical approach based on formal verification, in particular model checking, to verify the fail-operational behaviour of a driving system. For that reason, we model the system behaviour and the relevant architecture and formally specify the safety requirements. The scope of the analysis is defined according to the requirements of ISO 26262. We verify a fail-operational arbitration logic for highly automated driving in compliance with the industry standard. Our results show that formal methods for safety evaluation in automotive fail-operational driving systems can be successfully applied. We were able to detect failures, which would have been overlooked by other analyses and thus contribute to the development of safety critical functions.

Software Engineering,Systems and Control

Yuting Fu,Andrei Terechko,Jan Friso Groote,Arash Khabbaz Saberi

DOI: https://doi.org/10.4271/12-05-01-0002

2022-01-17

SAE International Journal of Connected and Automated Vehicles

Abstract:Modern Automated Driving (AD) systems rely on safety measures to handle faults and to bring the vehicle to a safe state. To eradicate lethal road accidents, car manufacturers are constantly introducing new perception as well as control systems. Contemporary automotive design and safety engineering best practices are suitable for analyzing system components in isolation, whereas today’s highly complex and interdependent AD systems require a novel approach to ensure resilience to multiple-point failures. We present a holistic and cost-effective safety concept unifying advanced safety measures for handling multiple-point faults. Our proposed approach enables designers to focus on more pressing issues such as handling fault-free hazardous behavior associated with system performance limitations. To verify our approach, we developed an executable model of the safety concept in the formal specification language mCRL2. The model behavior is governed by a four-mode degradation policy-controlling distributed processors, redundant communication networks, and virtual machines (VMs). To keep the vehicle as safe and cost effective as possible, our degradation policy can reduce driving comfort or AD system’s availability using additional low-cost driving channels. We formalized five safety requirements in the modal μ-calculus and proved them against our mCRL2 model, which is intractable to accomplish exhaustively using traditional road tests or simulation techniques. In conclusion, our formally proven safety concept defines a holistic and cost-effective design pattern for AD systems.

Adnan Rashid,Umair Siddique,Sofiene Tahar

DOI: https://doi.org/10.48550/arXiv.2003.03729

2020-03-08

Abstract:Due to major breakthroughs in software and engineering technologies, embedded systems are increasingly being utilized in areas ranging from aerospace and next-generation transportation systems, to smart grid and smart cities, to health care systems, and broadly speaking to what is known as Cyber-Physical Systems (CPS). A CPS is primarily composed of several electronic, communication and controller modules and some actuators and sensors. The mix of heterogeneous underlying smart technologies poses a number of technical challenges to the design and more severely to the verification of such complex infrastructure. In fact, a CPS shall adhere to strict safety, reliability, performance and security requirements, where one needs to capture both physical and random aspects of the various CPS modules and then analyze their interrelationship across interlinked continuous and discrete dynamics. Often times however, system bugs remain uncaught during the analysis and in turn cause unwanted scenarios that may have serious consequences in safety-critical applications. In this paper, we introduce some of the challenges surrounding the design and verification of contemporary CPS with the advent of smart technologies. In particular, we survey recent developments in the use of theorem proving, a formal method, for the modeling, analysis and verification of CPS, and overview some real world CPS case studies from the automotive, avionics and healthtech domains from system level to physical components.

Logic in Computer Science