Amel Mammar,Marc Frappier,Régine Laleau

DOI: https://doi.org/10.1007/s10009-024-00748-z

2024-05-16

International Journal on Software Tools for Technology Transfer

Abstract:This paper introduces an Event-B formal model of the adaptive exterior light system for cars, a case study proposed in the context of the ABZ2020 conference. The system describes the different provided lights and the conditions under which they are switched on/off in order to improve the visibility of the driver without dazzling the oncoming ones. The system can be viewed as a lights controller that reads different information form the available sensors (key state, exterior luminosity, etc.) and takes the adequate actions by acting on the actuators of the lights in order to ensure a good visibility for the driver according to the information read. Our model is built using stepwise refinement with the Event-B method. We consider all the features of the case study, all proof obligations have been discharged using the Rodin provers. Our model has been validated using ProB by applying the different provided scenarios. This validation has permitted us to point out and correct some mistakes, ambiguities and oversights in the first versions of the case study description document.

computer science, software engineering

Jingyi Wang,Jun Sun,Shengchao Qin,Cyrille Jegourel

DOI: https://doi.org/10.1109/tse.2018.2886898

IF: 7.4

2018-01-01

IEEE Transactions on Software Engineering

Abstract:Precisely modeling complex systems like cyber-physical systems is challenging, which often renders model-based system verification techniques like model checking infeasible. To overcome this challenge, we propose a method called LAR to automatically ‘verify’ such complex systems through a combination of learning, abstraction and refinement from a set of system log traces. We assume that log traces and sampling frequency are adequate to capture ‘enough’ behaviour of the system. Given a safety property and the concrete system log traces as input, LAR automatically learns and refines system models, and produces two kinds of outputs. One is a counterexample with a bounded probability of being spurious. The other is a probabilistic model based on which the given property is ‘verified’. The model can be viewed as a proof obligation, i.e., the property is verified if the model is correct. It can also be used for subsequent system analysis activities like runtime monitoring or model-based testing. Our method has been implemented as a self-contained software toolkit. The evaluation on multiple benchmark systems as well as a real-world water treatment system shows promising results.

DOI: https://doi.org/10.1007/s10009-024-00749-y

2024-05-16

International Journal on Software Tools for Technology Transfer

Abstract:This paper presents an Event-B model of a speed control system, a part of the case study provided in the ABZ2020 conference. The case study describes how the system regulates the current speed of a car according to a set of criteria like the driver's desired speed, the position of a possible preceding vehicle, but also a given speed limit that the driver must not exceed. For that purpose, this controller reads different information from the available sensors (key state, desired speed) and takes adequate actions by acting on the actuators of the car's speed according to the information read. To formally model this system, we adopt a stepwise refinement approach with the Event-B method. We consider most of the features of the case study. All proof obligations of the invariant properties have been discharged using the Rodin provers. Our model has been validated using ProB by applying the different provided scenarios. This validation has permitted us to point out and correct some mistakes, ambiguities and oversights contained in the first versions of the case study.

computer science, software engineering

Jonas Fritzsch,Tobias Schmid,Stefan Wagner

DOI: https://doi.org/10.1109/ICST49551.2021.00049

2020-11-20

Abstract:In the age of autonomously driving vehicles, functionality and complexity of embedded systems are increasing tremendously. Safety aspects become more important and require such systems to operate with the highest possible level of fault tolerance. Simulation and systematic testing techniques have reached their limits in this regard. Here, formal verification as a long established technique can be an appropriate complement. However, the necessary preparatory work like adequately modeling a system and specifying properties in temporal logic are anything but trivial. In this paper, we report on our experiences applying model checking to verify the arbitration logic of a Vehicle Control System. We balance pros and cons of different model checking techniques and tools, and reason about our choice of the symbolic model checker NuSMV. We describe the process of modeling the architecture, resulting in ~1500 LOC, 69 state variables and 38 LTL constraints. To handle this large-scale model, we automate and optimize the model checking procedure for use on multi-core CPUs and employ Bounded Model Checking to avoid the state explosion problem. We share our lessons learned and provide valuable insights for architects, developers, and test engineers involved in this highly present topic.

Software Engineering,Hardware Architecture,Systems and Control

Martin Treiber,Arne Kesting

DOI: https://doi.org/10.48550/arXiv.1408.5498

2014-08-23

Abstract:Vehicle-infrastructure communication opens up new ways to improve traffic flow efficiency at signalized intersections. In this study, we assume that equipped vehicles can obtain information about switching times of relevant traffic lights in advance. This information is used to improve traffic flow by the strategies 'early braking', 'anticipative start', and 'flying start'. The strategies can be implemented in driver-information mode, or in automatic mode by an Adaptive Cruise Controller (ACC). Quality criteria include cycle-averaged capacity, driving comfort, fuel consumption, travel time, and the number of stops. By means of simulation, we investigate the isolated strategies and the complex interactions between the strategies and between equipped and non-equipped vehicles. As universal approach to assess equipment level effects we propose relative performance indexes and found, at a maximum speed of 50 km/h, improvements of about 15% for the number of stops and about 4% for the other criteria. All figures double when increasing the maximum speed to 70 km/h.

Physics and Society

Chuchu Fan,Bolun Qi,Sayan Mitra

DOI: https://doi.org/10.48550/arXiv.1704.06406

2017-04-21

Systems and Control

Abstract:We present an overview of recently developed data-driven tools for safety analysis of autonomous vehicles and advanced driver assist systems. The core algorithms combine model-based, hybrid system reachability analysis with sensitivity analysis of components with unknown or inaccessible models. We illustrate the applicability of this approach with a new case study of emergency braking systems in scenarios with two or three vehicles. This problem is representative of the most common type of rear-end crashes, which is relevant for safety analysis of automatic emergency braking (AEB) and forward collision avoidance systems. We show that our verification tool can effectively prove the safety of certain scenarios (specified by several parameters like braking profiles, initial velocities, uncertainties in position and reaction times), and also compute the severity of accidents for unsafe scenarios. Through hundreds of verification experiments, we quantified the safety envelope of the system across relevant parameters. These results show that the approach is promising for design, debugging and certification. We also show how the reachability analysis can be combined with statistical information about the parameters, to assess the risk level of the control system, which in turn is essential, for example, for determining Automotive Safety Integrity Levels (ASIL) for the ISO26262 standard.

Philipp Berger,Johanna Nellen,Joost-Pieter Katoen,Erika Abraham,Md Tawhid Bin Waez,Thomas Rambow

DOI: https://doi.org/10.48550/arXiv.1906.07083

2019-06-17

Logic in Computer Science

Abstract:In industrial model-based development (MBD) frameworks, requirements are typically specified informally using textual descriptions. To enable the application of formal methods, these specifications need to be formalized in the input languages of all formal tools that should be applied to analyse the models at different development levels. In this paper we propose a unified approach for the computer-assisted formal specification of requirements and their fully automated translation into the specification languages of different verification tools. We consider a two-stage MBD scenario where first Simulink models are developed from which executable code is generated automatically. We (i) propose a specification language and a prototypical tool for the formal but still textual specification of requirements, (ii) show how these requirements can be translated automatically into the input languages of Simulink Design Verifier for verification of Simulink models and BTC EmbeddedValidator for source code verification, and (iii) show how our unified framework enables besides automated formal verification also the automated generation of test cases.

Tobias Schmid,Stefanie Schraufstetter,Jonas Fritzsch,Dominik Hellhake,Greta Koelln,Stefan Wagner

DOI: https://doi.org/10.48550/arXiv.2101.07307

2021-01-19

Abstract:A fail-operational system for highly automated driving must complete the driving task even in the presence of a failure. This requires redundant architectures and a mechanism to reconfigure the system in case of a failure. Therefore, an arbitration logic is used. For functional safety, the switch-over to a fall-back level must be conducted in the presence of any electric and electronic failure. To provide evidence for a safety argumentation in compliance with ISO 26262, verification of the arbitration logic is necessary. The verification process provides confirmation of the correct failure reactions and that no unintended system states are attainable. Conventional safety analyses, such as the failure mode and effect analysis, have its limits in this regard. We present an analytical approach based on formal verification, in particular model checking, to verify the fail-operational behaviour of a driving system. For that reason, we model the system behaviour and the relevant architecture and formally specify the safety requirements. The scope of the analysis is defined according to the requirements of ISO 26262. We verify a fail-operational arbitration logic for highly automated driving in compliance with the industry standard. Our results show that formal methods for safety evaluation in automotive fail-operational driving systems can be successfully applied. We were able to detect failures, which would have been overlooked by other analyses and thus contribute to the development of safety critical functions.

Software Engineering,Systems and Control

Paolo Arcaini,Silvia Bonfanti,Angelo Gargantini,Elvinia Riccobene,Patrizia Scandurra

DOI: https://doi.org/10.1007/s10009-024-00751-4

2024-05-19

International Journal on Software Tools for Technology Transfer

Abstract:Modern automotive systems with adaptive control features require rigorous analysis to guarantee correct operation. We report our experience in modeling the automotive case study from the ABZ2020 conference using the ASMETA toolset, based on the State Machine formal method. We adopted a seamless system engineering method: from an incremental formal specification of high-level requirements to increasingly refined ASMETA models, to the C++ code generation from the model. Along this process, different validation and verification activities were performed. We explored modeling styles and idioms to face the modeling complexity and ensure that the ASMETA models can best capture and reflect specific behavioral patterns. Through this realistic automotive case study, we evaluated the applicability and usability of our formal modeling approach.

computer science, software engineering

Yuvaraj Selvaraj,Wolfgang Ahrendt,Martin Fabian

DOI: https://doi.org/10.48550/arXiv.2204.06873

2022-04-14

Abstract:The challenges in providing convincing arguments for safe and correct behavior of automated driving (AD) systems have so far hindered their widespread commercial deployment. Conventional development approaches such as testing and simulation are limited by non-exhaustive analysis, and can thus not guarantee correctness in all possible scenarios. Formal methods is an approach to provide mathematical proofs of correctness, using a model of a system, that could be used to give the necessary arguments. This paper investigates the use of differential dynamic logic and the deductive verification tool KeYmaera X in the development of an AD feature. Specifically, formal models and safety proofs of different design variants of a Decision & Control module for an in-lane AD feature are presented. In doing so, the assumptions and invariant conditions necessary to guarantee safety are identified, and the paper shows how such an analysis helps during the development process in requirement refinement and formulation of the operational design domain. Furthermore, it is shown how the performance of the different models is formally analyzed exhaustively, in all their allowed behaviors.

Systems and Control

Niklas Braun,Markus Steimle,Martin Törngren,Markus Maurer

2024-07-31

Abstract:As simulation is increasingly used in scenario-based approaches to test Automated Driving Systems, the credibility of simulation results is a major concern. Arguably, credibility depends on the validity of the simulation setup and simulation models. When selecting appropriate simulation models, a trade-off must be made between validity, often connected to the model's fidelity, and cost of computation. However, due to the large number of test cases, expert-based methods to create sufficiently valid simulation setups seem infeasible. We propose using design contracts in order to semi-automatically compose simulation setups for given test cases from simulation models and to derive requirements for the simulation models, supporting separation of concerns between simulation model developers and users. Simulation model contracts represent their validity domains by capturing a validity guarantee and the associated operating conditions in an assumption. We then require the composition of the simulation model contracts to refine a test case contract. The latter contract captures the operating conditions of the test case in its assumption and validity requirements in its guarantee. Based on this idea, we present a framework that supports the compositional configuration of simulation setups based on the contracts and a method to derive runtime monitors for these simulation setups.

Systems and Control

Daniel Becker,Guido Küppers,Lutz Eckstein

2023-08-01

Abstract:Automated driving functions (ADFs) have become increasingly popular in recent years. However, their safety must be assured. Thus, the verification and validation of these functions is still an important open issue in research and development. To achieve this efficiently, scenario-based testing has been established as a valuable methodology among researchers, industry, as well as authorities. Simulations are a powerful way to test those scenarios reproducibly. In this paper, we propose a method to automatically test a set of scenarios in many variations. In contrast to related approaches, those variations are not applied to traffic participants around the ADF, but to the road network to show that parameters regarding the road topology also influence the performance of such an ADF. We present a continuous tool chain to set up scenarios, variate them, run simulations and finally, evaluate the performance with a set of key performance indicators (KPIs).

Software Engineering

Mohammad Abboush,Christoph Knieke,Andreas Rausch

DOI: https://doi.org/10.3390/s24123733

IF: 3.9

2024-06-09

Sensors

Abstract:To validate safety-related automotive software systems, experimental tests are conducted at different stages of the V-model, which are referred as "X-in-the-loop (XIL) methods". However, these methods have significant drawbacks in terms of cost, time, effort and effectiveness. In this study, based on hardware-in-the-loop (HIL) simulation and real-time fault injection (FI), a novel testing framework has been developed to validate system performance under critical abnormal situations during the development process. The developed framework provides an approach for the real-time analysis of system behavior under single and simultaneous sensor/actuator-related faults during virtual test drives without modeling effort for fault mode simulations. Unlike traditional methods, the faults are injected programmatically and the system architecture is ensured without modification to meet the real-time constraints. Moreover, a virtual environment is modeled with various environmental conditions, such as weather, traffic and roads. The validation results demonstrate the effectiveness of the proposed framework in a variety of driving scenarios. The evaluation results demonstrate that the system behavior via HIL simulation has a high accuracy compared to the non-real-time simulation method with an average relative error of 2.52. The comparative study with the state-of-the-art methods indicates that the proposed approach exhibits superior accuracy and capability. This, in turn, provides a safe, reliable and realistic environment for the real-time validation of complex automotive systems at a low cost, with minimal time and effort.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Christian Berger,Delf Block,Sönke Heeren,Christian Hons,Stefan Kühnel,André Leschke,Dimitri Plotnikov,Bernhard Rumpe

DOI: https://doi.org/10.48550/arXiv.1509.02654

2015-09-09

Abstract:Context: Since 2014 several modern cars were rated regarding the performances of their active safety systems at the European New Car Assessment Programme (EuroNCAP). Nowadays, consumer tests play a significant role for the OEM's series development with worldwide perspective, because a top rating is needed to underline the worthiness of active safety features from the customers' point of view. Furthermore, EuroNCAP already published their roadmap 2020 in which they outline further extensions in today's testing and rating procedures that will aggravate the current requirements addressed to those systems. Especially Autonomous Emergency Braking/Forward Collision Warning systems (AEB/FCW) are going to face a broader field of application as pedestrian detection or two-way traffic scenarios. Objective: This work focuses on the systematic generation of test scenarios concentrating on specific parameters that can vary within certain tolerance ranges like the lateral position of the vehicle-under-test (VUT) and its test velocity for example. It is of high interest to examine the effect of the tolerance ranges on the braking points in different test cases representing different trajectories and velocities because they will influence significantly a later scoring during the assessments and thus the safety abilities of the regarding car. Method: We present a formal model using a graph to represent the allowed variances based on the relevant points in time. Now, varying velocities of the VUT will be added to the model while the vehicle is approaching a target vehicle. The derived trajectories were used as test cases for a simulation environment. Selecting interesting test cases and processing them with the simulation environment, the influence on the system's performance of different test parameters will be investigated.

Software Engineering

Eun-Young Kang,Dongrui Mu,Li Huang,Qianqing Lan

DOI: https://doi.org/10.48550/arXiv.1803.06103

2018-03-16

Software Engineering

Abstract:The software development for Cyber-Physical Systems (CPS), e.g., autonomous vehicles, requires both functional and non-functional quality assurance to guarantee that the CPS operates safely and effectively. EAST-ADL is a domain specific architectural language dedicated to safety-critical automotive embedded system design. We have previously modified EAST-ADL to include energy constraints and transformed energy-aware real-time (ERT) behaviors modeled in EAST-ADL/STATEFLOW into UPPAAL models amenable to formal verification. Previous work is extended in this paper by including support for SIMULINK and an integration of Simulink/Stateflow within a same tool-chain. Simulink/Stateflow models are transformed, based on extended ERT constraints in EAST-ADL, into verifiable UPPAAL models with stochastic semantics and integrate the translation with formal statistical analysis techniques: Probabilistic extension of EAST-ADL constraints is defined as a semantics denotation. A set of mapping rules is proposed to facilitate the guarantee of translation. Formal analysis on both functional- and non-functional properties is performed using SIMULINK DESIGN VERIFIER/UPPAAL-SMC. The analysis techniques are validated and demonstrated on the autonomous traffic sign recognition vehicle case study.

Eric Armengaud,Sebastian Frager,Stephen Jones,Alexander Massoner,Alejandro Ferreira Parrilla,Niklas Wikström,Georg Macher

DOI: https://doi.org/10.48550/arXiv.1906.10009

IF: 4.729

2019-06-18

Signal Processing

Abstract:Increasingly sophisticated function development is taking place with the aim of developing efficient, safe and increasingly Automated Driving Functions. This development is possible with the use of diverse data from sources such as Navigation Systems, eHorizon, on-board sensor data, Vehicle-to-Infrastructure (V2I) and Vehicle-to-Vehicle (V2V) communication. Increasing challenges arise with the dependency on large amounts of real-time data coming from off-board sources. At the core of addressing these challenges lies the concept of a Digital Dependability Identity (DDI) of a component or system. DDIs are modular, composable, and executable components in the field, facilitating: $\bullet$ efficient synthesis of component and system dependability information, $\bullet$ effective evaluation of information for safe and secure composition of highly distributed and autonomous Cyber Physical Systems. In AVL's Connected Powertrain (TM), Automated Driving Functions are tailored to Powertrain Control Strategies that predictively increase energy efficiency according to the powertrain type and its component efficiencies. Simultaneously, the burden on the driver is reduced by optimizing the vehicle velocity, whilst minimizing any journey time penalty.In this work, the development of dependable Automated Driving Functions is exemplified by the Traffic Light Assistant, an adaptive strategy that utilizes predictions of preceding traffic, upcoming road curvature, inclination, speed limits, and especially traffic light signal phase and timing information to increase the energy efficiency in an urban traffic environment. A key aspect of this development is the possibility for seamless and simultaneous development; from office simulation to human-in-the-loop and to real-time tests that include vehicle and powertrain hardware. Driver's acceptance and comfort is rated in an advanced diver simulator mounted on a hexapod, capable of emulating longitudinal and lateral acceleration of a real vehicle. Test results from real-time function validation on a Powertrain Testbed are shown, including real traffic light signal phasing information and traffic flow representation on Graz city roads.

Raheleh Biglari,Joachim Denil

2023-03-14

Abstract:Designing a Cyber-Physical System (CPS), including modeling the control components and services, is a challenging task. Using models and simulations during run-time is crucial for successfully implementing advanced control and prediction components. The complexity of designing an effective CPS system increases due to real-time constraints. Generating accurate predictions and making decisions using detailed models in various contexts is %can be computationally demanding and complex to manage within the available computational resources. Employing approximated models and switching to the most suited model adaptively at run-time is an effective technique. But an approximated model is most probable not valid in all the different contexts the system will be in. This experience report uses the Validity Frame concept to enable %this adaptation at run-time. In each environment, some influencing factors are outside the model's control, but these properties influence the model's behavior. By defining Validity Frames, based on specific contexts and related models, we present a possible perspective to address the issue of selecting the more appropriate model in various contexts. Furthermore, we discuss the insights and lessons obtained and determine future challenges.

Other Computer Science,Systems and Control

Delf Block,Sönke Heeren,Stefan Kühnel,André Leschke,Bernhard Rumpe,Vladislavs Serebro

DOI: https://doi.org/10.1145/2559627.2559633

2014-08-14

Abstract:This article discusses new challenges for series development regarding the vehicle safety that arise from the recently published AEB test protocol by the consumer-test-organisation EuroNCAP for driver assistance systems [6]. The tests from the test protocol are of great significance for an OEM that sells millions of cars each year, due to the fact that a positive rating of the vehicle-under-test (VUT) in safety relevant aspects is important for the reputation of a car manufacturer. The further intensification and aggravation of the test requirements for those systems is one of the challenges, that has to be mastered in order to continuously make significant contributions to safety for high-volume cars. Therefore, it is to be shown how a simulation approach may support the development process, especially with tolerance analysis. This article discusses the current stage of work, steps that are planned for the future and results that can be expected at the end of such an analysis.

Software Engineering

Aaditya Prakash Chouhan,Gourinath Banda

DOI: https://doi.org/10.3390/s20164506

IF: 3.9

2020-08-12

Sensors

Abstract:Autonomous vehicles are gaining popularity throughout the world among researchers and consumers. However, their popularity has not yet reached the level where it is widely accepted as a fully developed technology as a large portion of the consumer base feels skeptical about it. Proving the correctness of this technology will help in establishing faith in it. That is easier said than done because of the fact that the formal verification techniques has not attained the level of development and application that it is ought to. In this work, we present Statistical Model Checking (SMC) as a possible solution for verifying the safety of autonomous systems and algorithms. We apply it on Heuristic Autonomous Intersection Management (HAIM) algorithm. The presented verification routine can be adopted for other conflict point based autonomous intersection management algorithms as well. Along with verifying the HAIM, we also demonstrate the modeling and verification applied at each stage of development to verify the inherent behavior of the algorithm. The HAIM scheme is formally modeled using a variant of the language of Timed Automata. The model consists of automata that encode the behavior of vehicles, intersection manager (IM) and collision checkers. To verify the complete nature of the heuristic and ensure correct modeling of the system, we model it in layers and verify each layer separately for their expected behavior. Along with that, we perform implementation verification and error injection testing to ensure faithful modeling of the system. Results show with high confidence the freedom from collisions of the intersection controlled by the HAIM algorithm.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Daniel Becker,Sanath Konthala,Lutz Eckstein

DOI: https://doi.org/10.1109/ICECCME55909.2022.9988312

2024-06-24

Abstract:As automation in the field of automated driving (AD) progresses, ensuring the safety and functionality of AD functions (ADFs) becomes crucial. Virtual scenario-based testing has emerged as a prevalent method for evaluating these systems, allowing for a wider range of testing environments and reproducibility of results. This approach involves AD-equipped test vehicles operating within predefined scenarios to achieve specific driving objectives. To comprehensively assess the impact of road network properties on the performance of an ADF, varying parameters such as intersection angle, curvature and lane width is essential. However, covering all potential scenarios is impractical, necessitating the identification of feasible parameter ranges and automated generation of corresponding road networks for simulation. Automating the workflow of road network generation, parameter variation, simulation, and evaluation leads to a comprehensive understanding of an ADF's behavior in diverse road network conditions. This paper aims to investigate the influence of road network parameters on the performance of a prototypical ADF through virtual scenario-based testing, ultimately advocating the importance of road topology in assuring safety and reliability of ADFs.

Robotics