Daniel Jackson,Valerie Richmond,Mike Wang,Jeff Chow,Uriel Guajardo,Soonho Kong,Sergio Campos,Geoffrey Litt,Nikos Arechiga

DOI: https://doi.org/10.48550/arXiv.2104.06178

2021-03-29

Abstract:Widespread adoption of autonomous cars will require greater confidence in their safety than is currently possible. Certified control is a new safety architecture whose goal is two-fold: to achieve a very high level of safety, and to provide a framework for justifiable confidence in that safety. The key idea is a runtime monitor that acts, along with sensor hardware and low-level control and actuators, as a small trusted base, ensuring the safety of the system as a whole. Unfortunately, in current systems complex perception makes the verification even of a runtime monitor challenging. Unlike traditional runtime monitoring, therefore, a certified control monitor does not perform perception and analysis itself. Instead, the main controller assembles evidence that the proposed action is safe into a certificate that is then checked independently by the monitor. This exploits the classic gap between the costs of finding and checking. The controller is assigned the task of finding the certificate, and can thus use the most sophisticated algorithms available (including learning-enabled software); the monitor is assigned only the task of checking, and can thus run quickly and be smaller and formally verifiable. This paper explains the key ideas of certified control and illustrates them with a certificate for LiDAR data and its formal verification. It shows how the architecture dramatically reduces the amount of code to be verified, providing an end-to-end safety analysis that would likely not be achievable in a traditional architecture.

Robotics,Logic in Computer Science,Software Engineering,Systems and Control

Maryam Nezami,Hossam Seddik Abbas,Georg Schildbach,Georg Mannel

DOI: https://doi.org/10.23919/ecc54610.2021.9655155

2021-06-29

Abstract:This paper presents a novel, safe control architecture (SCA) for controlling an important class of systems: safety-critical systems. Ensuring the safety of control decisions has always been a challenge in automatic control. The proposed SCA aims to address this challenge by using a Model Predictive Controller (MPC) that acts as a supervisor for the operating controller, in the sense that the MPC constantly checks the safety of the control inputs generated by the operating controller and intervenes if the control input is predicted to lead to a hazardous situation in the foreseeable future invariably. Then an appropriate backup scheme can be activated, e.g., a degraded control mechanism, the transfer of the system to a safe state, or a warning signal issued to a human supervisor. For a proof of concept, the proposed SCA is applied to an autonomous driving scenario, where it is illustrated and compared in different obstacle avoidance scenarios. A major challenge of the SCA lies in the mismatch between the MPC prediction model and the real system, for which possible remedies are explored.

Dongyoon Kim,Sen Yang,Wenjun Zou,Bin Shuai,Dezhao Zhang,Fang Zhang,Chang Liu,Shengbo Eben Li

DOI: https://doi.org/10.1109/iv55156.2024.10588553

2024-01-01

Abstract:Real-time safety-critical control is essential for high-level autonomous driving. Existing methods usually formulate safety-critical control as a constrained optimal control problem (COCP), and suffer from high computational complexity of the underlying iterative optimization processes. To address the issue of complexity, this paper presents an explicit safety-critical control method called the Control Safety Function (CSF) approach, which can replace online optimization with an analytical control law, dramatically enhancing real-time control capabilities. The CSF is formulated as the weighted sum of Control Lyapunov Function (CLF) and Control Barrier Functions (CBFs), with the value of CSF increasing to infinity as the state approaches the boundary of a safe set. The explicit control law is then derived from the gradient of CSF and system dynamics. Different from existing explicit controllers that can only apply to systems of relative degree one, the CSF method provides an approach to enforce safety constraints to systems with high relative degree, making CSF especially suitable for autonomous driving. The CSF approach is evaluated in a vehicle path-tracking scenario with multiple obstacles, accompanied by a comparative analysis against the Model Predictive Control (MPC) method. Simulation results indicate that CSF achieves control accuracy comparable to MPC, with significant reduction in computation time - approximately 3.23 ms per step, which is about 94.0% faster. These results suggest that CSF is a promising approach for real-time safety-critical control of high-level autonomous driving.

Shengduo Chen,Yaowei Sun,Dachuan Li,Qiang Wang,Qi Hao,Joseph Sifakis

DOI: https://doi.org/10.48550/arXiv.2109.13446

2021-09-28

Abstract:Providing safety guarantees for Autonomous Vehicle (AV) systems with machine-learning-based controllers remains a challenging issue. In this work, we propose Simplex-Drive, a framework that can achieve runtime safety assurance for machine-learning enabled controllers of AVs. The proposed Simplex-Drive consists of an unverified Deep Reinforcement Learning (DRL)-based advanced controller (AC) that achieves desirable performance in complex scenarios, a Velocity-Obstacle (VO) based baseline safe controller (BC) with provably safety guarantees, and a verified mode management unit that monitors the operation status and switches the control authority between AC and BC based on safety-related conditions. We provide a formal correctness proof of Simplex-Drive and conduct a lane-changing case study in dense traffic scenarios. The simulation experiment results demonstrate that Simplex-Drive can always ensure operation safety without sacrificing control performance, even if the DRL policy may lead to deviations from the safe status.

Robotics,Systems and Control

Adina Aniculaesei,Iqra Aslam,Daniel Bamal,Felix Helsch,Andreas Vorwald,Meng Zhang,Andreas Rausch

DOI: https://doi.org/10.48550/arXiv.2307.06258

2023-07-12

Abstract:Automated driving systems can be helpful in a wide range of societal challenges, e.g., mobility-on-demand and transportation logistics for last-mile delivery, by aiding the vehicle driver or taking over the responsibility for the dynamic driving task partially or completely. Ensuring the safety of automated driving systems is no trivial task, even more so for those systems of SAE Level 3 or above. To achieve this, mechanisms are needed that can continuously monitor the system's operating conditions, also denoted as the system's operational design domain. This paper presents a safety concept for automated driving systems which uses a combination of onboard runtime monitoring via connected dependability cage and off-board runtime monitoring via a remote command control center, to continuously monitor the system's ODD. On one side, the connected dependability cage fulfills a double functionality: (1) to monitor continuously the operational design domain of the automated driving system, and (2) to transfer the responsibility in a smooth and safe manner between the automated driving system and the off-board remote safety driver, who is present in the remote command control center. On the other side, the remote command control center enables the remote safety driver the monitoring and takeover of the vehicle's control. We evaluate our safety concept for automated driving systems in a lab environment and on a test field track and report on results and lessons learned.

Robotics,Software Engineering

Zehang Zhu,Yuning Wang,Tianqi Ke,Zeyu Han,Shaobing Xu,Qing Xu,John M. Dolan,Jianqiang Wang

2024-09-23

Abstract:Safety is one of the most crucial challenges of autonomous driving vehicles, and one solution to guarantee safety is to employ an additional control revision module after the planning backbone. Control Barrier Function (CBF) has been widely used because of its strong mathematical foundation on safety. However, the incompatibility with heterogeneous perception data and incomplete consideration of traffic scene elements make existing systems hard to be applied in dynamic and complex real-world scenarios. In this study, we introduce a generalized control revision method for autonomous driving safety, which adopts both vectorized perception and occupancy grid map as inputs and comprehensively models multiple types of traffic scene constraints based on a new proposed barrier function. Traffic elements are integrated into one unified framework, decoupled from specific scenario settings or rules. Experiments on CARLA, SUMO, and OnSite simulator prove that the proposed algorithm could realize safe control revision under complicated scenes, adapting to various planning backbones, road topologies, and risk types. Physical platform validation also verifies the real-world application feasibility.

Robotics,Systems and Control

Marius Bozga,Joseph Sifakis

2024-05-20

Abstract:Developing safe autonomous driving systems is a major scientific and technical challenge. Existing AI-based end-to-end solutions do not offer the necessary safety guarantees, while traditional systems engineering approaches are defeated by the complexity of the problem. Currently, there is an increasing interest in hybrid design solutions, integrating machine learning components, when necessary, while using model-based components for goal management and planning. We study a method for building safe by design autonomous driving systems, based on the assumption that the capability to drive boils down to the coordinated execution of a given set of driving operations. The assumption is substantiated by a compositionality result considering that autopilots are dynamic systems receiving a small number of types of vistas as input, each vista defining a free space in its neighborhood. It is shown that safe driving for each type of vista in the corresponding free space, implies safe driving for any possible scenario under some easy-to-check conditions concerning the transition between vistas. The designed autopilot comprises distinct control policies one per type of vista, articulated in two consecutive phases. The first phase consists of carefully managing a potentially risky situation by virtually reducing speed, while the second phase consists of exiting the situation by accelerating. The autopilots designed use for their predictions simple functions characterizing the acceleration and deceleration capabilities of the vehicles. They cover the main driving operations, including entering a main road, overtaking, crossing intersections protected by traffic lights or signals, and driving on freeways. The results presented reinforce the case for hybrid solutions that incorporate mathematically elegant and robust decision methods that are safe by design.

Multiagent Systems

Fan Yang,Haoqi Li,Maolong Lv,Jiangping Hu,Qingrui Zhou,Bijoy K. Ghosh

2024-01-22

Abstract:The safety of autonomous driving systems, particularly self-driving vehicles, remains of paramount concern. These systems exhibit affine nonlinear dynamics and face the challenge of executing predefined control tasks while adhering to state and input constraints to mitigate risks. However, achieving safety control within the framework of control input constraints, such as collision avoidance and maintaining system states within secure boundaries, presents challenges due to limited options. In this study, we introduce a novel approach to address safety concerns by transforming safety conditions into control constraints with a relative degree of 1. This transformation is facilitated through the design of control barrier functions, enabling the creation of a safety control system for affine nonlinear networks. Subsequently, we formulate a robust control strategy that incorporates safety protocols and conduct a comprehensive analysis of its stability and reliability. To illustrate the effectiveness of our approach, we apply it to a specific problem involving adaptive cruise control. Through simulations, we validate the efficiency of our model in ensuring safety without compromising control performance. Our approach signifies significant progress in the field, providing a practical solution to enhance safety for autonomous driving systems operating within the context of affine nonlinear dynamics.

Systems and Control

Romain Cuer,Laurent Piétrac,Eric Niel,Saidou Diallo,Nicoleta Minoiu-Enache,Christophe Dang-Van-Nhan

DOI: https://doi.org/10.1016/j.ress.2018.01.014

2018-06-01

Abstract:The autonomous vehicle is meant to drive by itself, without any driver intervention (for the levels 4 and 5 of automated driving, according to the National Highway Traffic Safety Administration(NHTSA)). This car includes a new function, called Autonomous Driving (AD) function, in charge of driving the vehicle when it is authorized. This function may be in different states (basically active or inactive), that shall be managed by a sub-function, named supervision. The main focus of this work is to ensure that the supervision of a function, performed by a safety critical embedded automotive control system (controlled systems are not considered), respects functional and safety requirements. Usually two processes are involved in the system design: the systems engineering process and the safety one. The first process defines the functional requirements on the function while the safety one specifies redundant sub-functions (realizing together the function) allowing to ensure a continuous service under failure. Since two different aspects of the system are specified, it is a major challenge to make all requirements consistent, from the outset of the design process. In this paper, a method is precisely proposed to address this issue. A progressive reinforcement of the treated requirements is achieved by means of formal state models. In fact, the proposed approach permits to build state models from requirements initially expressed in natural language. Potential ambiguities, incompletenesses or undertones in requirements are in this way gradually deleted. The enrichment of conventional formal verification of control properties with safety requirements constitutes the main originality of the deployed method and contributes to solve inconsistencies between functional and safety verification processes. In addition, the application of the method to the design of AD function supervision highlights its efficiency in an industrial context.

engineering, industrial,operations research & management science

Dasa Kusnirakova,Barbora Buhnova

DOI: https://doi.org/10.48550/arXiv.2303.09388

2023-03-16

Abstract:With the increasing complexity of software permeating critical domains such as autonomous driving, new challenges are emerging in the ways the engineering of these systems needs to be rethought. Autonomous driving is expected to continue gradually overtaking all critical driving functions, which is adding to the complexity of the certification of autonomous driving systems. As a response, certification authorities have already started introducing strategies for the certification of autonomous vehicles and their software. But even with these new approaches, the certification procedures are not fully catching up with the dynamism and unpredictability of future autonomous systems, and thus may not necessarily guarantee compliance with all requirements imposed on these systems. In this paper, we identified a number of issues with the proposed certification strategies, which may impact the systems substantially. For instance, we emphasize the lack of adequate reflection on software changes occurring in constantly changing systems, or low support for systems' cooperation needed for the management of coordinated moves. Other shortcomings concern the narrow focus of the awarded certification by neglecting aspects such as the ethical behavior of autonomous software systems. The contribution of this paper is threefold. First, we discuss the motivation for the need to modify the current certification processes for autonomous driving systems. Second, we analyze current international standards used in the certification processes towards requirements derived from the requirements laid on dynamic software ecosystems and autonomous systems themselves. Third, we outline a concept for incorporating the missing parts into the certification procedure.

Software Engineering,Computers and Society

H M Sabbir Ahmad,Ehsan Sabouni,Akua Dickson,Wei Xiao,Christos G. Cassandras,Wenchao Li

2024-03-25

Abstract:We address the security of a network of Connected and Automated Vehicles (CAVs) cooperating to safely navigate through a conflict area (e.g., traffic intersections, merging roadways, roundabouts). Previous studies have shown that such a network can be targeted by adversarial attacks causing traffic jams or safety violations ending in collisions. We focus on attacks targeting the V2X communication network used to share vehicle data and consider as well uncertainties due to noise in sensor measurements and communication channels. To combat these, motivated by recent work on the safe control of CAVs, we propose a trust-aware robust event-triggered decentralized control and coordination framework that can provably guarantee safety. We maintain a trust metric for each vehicle in the network computed based on their behavior and used to balance the tradeoff between conservativeness (when deeming every vehicle as untrustworthy) and guaranteed safety and security. It is important to highlight that our framework is invariant to the specific choice of the trust framework. Based on this framework, we propose an attack detection and mitigation scheme which has twofold benefits: (i) the trust framework is immune to false positives, and (ii) it provably guarantees safety against false positive cases. We use extensive simulations (in SUMO and CARLA) to validate the theoretical guarantees and demonstrate the efficacy of our proposed scheme to detect and mitigate adversarial attacks.

Systems and Control

Charles Dawson,Sicun Gao,Chuchu Fan

DOI: https://doi.org/10.1109/tro.2022.3232542

IF: 7.8

2023-01-01

IEEE Transactions on Robotics

Abstract:Learning-enabled control systems have demonstrated impressive empirical performance on challenging control problems in robotics, but this performance comes at the cost of reduced transparency and lack of guarantees on the safety or stability of the learned controllers. In recent years, new techniques have emerged to provide these guarantees by learning certificates alongside control policiesthese certificates provide concise data-driven proofs that guarantee the safety and stability of the learned control system. These methods not only allow the user to verify the safety of a learned controller but also provide supervision during training, allowing safety and stability requirements to influence the training process itself. In this article, we provide a comprehensive survey of this rapidly developing field of certificate learning. We hope that this article will serve as an accessible introduction to the theory and practice of certificate learning, both to those who wish to apply these tools to practical robotics problems and to those who wish to dive more deeply into the theory of learning for control.

robotics

Chiao Hsieh,Keyur Joshi,Sasa Misailovic,Sayan Mitra

DOI: https://doi.org/10.48550/arXiv.2111.05534

IF: 3.7

2021-11-10

Robotics

Abstract:Convolutional Neural Networks (CNN) for object detection, lane detection, and segmentation now sit at the head of most autonomy pipelines, and yet, their safety analysis remains an important challenge. Formal analysis of perception models is fundamentally difficult because their correctness is hard if not impossible to specify. We present a technique for inferring intelligible and safe abstractions for perception models from system-level safety requirements, data, and program analysis of the modules that are downstream from perception. The technique can help tradeoff safety, size, and precision, in creating abstractions and the subsequent verification. We apply the method to two significant case studies based on high-fidelity simulations (a) a vision-based lane keeping controller for an autonomous vehicle and (b) a controller for an agricultural robot. We show how the generated abstractions can be composed with the downstream modules and then the resulting abstract system can be verified using program analysis tools like CBMC. Detailed evaluations of the impacts of size, safety requirements, and the environmental parameters (e.g., lighting, road surface, plant type) on the precision of the generated abstractions suggest that the approach can help guide the search for corner cases and safe operating envelops.

Tamas G. Molnar,Gabor Orosz,Aaron D. Ames

2023-09-01

Abstract:Connected automated vehicles have shown great potential to improve the efficiency of transportation systems in terms of passenger comfort, fuel economy, stability of driving behavior and mitigation of traffic congestions. Yet, to deploy these vehicles and leverage their benefits, the underlying algorithms must ensure their safe operation. In this paper, we address the safety of connected cruise control strategies for longitudinal car following using control barrier function (CBF) theory. In particular, we consider various safety measures such as minimum distance, time headway and time to conflict, and provide a formal analysis of these measures through the lens of CBFs. Additionally, motivated by how stability charts facilitate stable controller design, we derive safety charts for existing connected cruise controllers to identify safe choices of controller parameters. Finally, we combine the analysis of safety measures and the corresponding stability charts to synthesize safety-critical connected cruise controllers using CBFs. We verify our theoretical results by numerical simulations.

Systems and Control,Robotics,Dynamical Systems

Dasa Kusnirakova,Barbora Buhnova

2023-08-21

Abstract:As software becomes increasingly pervasive in critical domains like autonomous driving, new challenges arise, necessitating rethinking of system engineering approaches. The gradual takeover of all critical driving functions by autonomous driving adds to the complexity of certifying these systems. Namely, certification procedures do not fully keep pace with the dynamism and unpredictability of future autonomous systems, and they may not fully guarantee compliance with the requirements imposed on these systems. In this paper, we have identified several issues with the current certification strategies that could pose serious safety risks. As an example, we highlight the inadequate reflection of software changes in constantly evolving systems and the lack of support for systems' cooperation necessary for managing coordinated movements. Other shortcomings include the narrow focus of awarded certification, neglecting aspects such as the ethical behavior of autonomous software systems. The contribution of this paper is threefold. First, we analyze the existing international standards used in certification processes in relation to the requirements derived from dynamic software ecosystems and autonomous systems themselves, and identify their shortcomings. Second, we outline six suggestions for rethinking certification to foster comprehensive solutions to the identified problems. Third, a conceptual Multi-Layer Trust Governance Framework is introduced to establish a robust governance structure for autonomous ecosystems and associated processes, including envisioned future certification schemes. The framework comprises three layers, which together support safe and ethical operation of autonomous systems.

Software Engineering

Qiang Wang,Dachuan Li,Joseph Sifakis

DOI: https://doi.org/10.48550/arXiv.2008.04080

2020-10-03

Abstract:We study a novel principle for safe and efficient collision avoidance that adopts a mathematically elegant and general framework abstracting as much as possible from the controlled vehicle's dynamics and of its environment. Vehicle dynamics is characterized by pre-computed functions for accelerating and braking to a given speed. Environment is modeled by a function of time giving the free distance ahead of the controlled vehicle under the assumption that the obstacles are either fixed or are moving in the same direction. The main result is a control policy enforcing the vehicle's speed so as to avoid collision and efficiently use the free distance ahead, provided some initial safety condition holds. The studied principle is applied to the design of two discrete controllers, one synchronous and another asynchronous. We show that both controllers are safe by construction. Furthermore, we show that their efficiency strictly increases for decreasing granularity of discretization. We present implementations of the two controllers, their experimental evaluation in the Carla autonomous driving simulator and investigate various performance issues.

Systems and Control,Formal Languages and Automata Theory,Software Engineering

Shai Shalev-Shwartz,Shaked Shammah,Amnon Shashua

DOI: https://doi.org/10.48550/arXiv.1708.06374

2018-10-27

Abstract:In recent years, car makers and tech companies have been racing towards self driving cars. It seems that the main parameter in this race is who will have the first car on the road. The goal of this paper is to add to the equation two additional crucial parameters. The first is standardization of safety assurance --- what are the minimal requirements that every self-driving car must satisfy, and how can we verify these requirements. The second parameter is scalability --- engineering solutions that lead to unleashed costs will not scale to millions of cars, which will push interest in this field into a niche academic corner, and drive the entire field into a "winter of autonomous driving". In the first part of the paper we propose a white-box, interpretable, mathematical model for safety assurance, which we call Responsibility-Sensitive Safety (RSS). In the second part we describe a design of a system that adheres to our safety assurance requirements and is scalable to millions of cars.

Robotics,Artificial Intelligence,Machine Learning

Behdad Chalaki,Andreas A. Malikopoulos

DOI: https://doi.org/10.48550/arXiv.2203.16418

2022-03-30

Systems and Control

Abstract:In this paper, we extend a framework that we developed earlier for coordination of connected and automated vehicles (CAVs) at a signal-free intersection by integrating a safety layer using control barrier functions. First, in our motion planning module, each CAV computes the optimal control trajectory using simple vehicle dynamics. The trajectory does not make any of the state, control, and safety constraints active. A vehicle-level tracking controller employs a combined feedforward-feedback control law to track the resulting optimal trajectory from the motion planning module. Then, a barrier-certificate module, acting as a middle layer between the vehicle-level tracking controller and physical vehicle, receives the control law from the vehicle-level tracking controller and using realistic vehicle dynamics ensures that none of the state, control, and safety constraints becomes active. The latter is achieved through a quadratic program, which can be solved efficiently in real time. We demonstrate the effectiveness of our extended framework through a numerical simulation.

Zhizhen Qin,Tsui-Wei Weng,Sicun Gao

DOI: https://doi.org/10.48550/arXiv.2207.13891

IF: 3.7

2022-07-28

Robotics

Abstract:Path-tracking control of self-driving vehicles can benefit from deep learning for tackling longstanding challenges such as nonlinearity and uncertainty. However, deep neural controllers lack safety guarantees, restricting their practical use. We propose a new approach of learning almost-barrier functions, which approximately characterizes the forward invariant set for the system under neural controllers, to quantitatively analyze the safety of deep neural controllers for path-tracking. We design sampling-based learning procedures for constructing candidate neural barrier functions, and certification procedures that utilize robustness analysis for neural networks to identify regions where the barrier conditions are fully satisfied. We use an adversarial training loop between learning and certification to optimize the almost-barrier functions. The learned barrier can also be used to construct online safety monitors through reachability analysis. We demonstrate effectiveness of our methods in quantifying safety of neural controllers in various simulation environments, ranging from simple kinematic models to the TORCS simulator with high-fidelity vehicle dynamics simulation.

Hongchao Zhang,Shiyu Cheng,Luyao Niu,Andrew Clark

DOI: https://doi.org/10.48550/arXiv.2208.05944

2022-08-12

Abstract:Autonomous Cyber-Physical Systems (CPS) fuse proprioceptive sensors such as GPS and exteroceptive sensors including Light Detection and Ranging (LiDAR) and cameras for state estimation and environmental observation. It has been shown that both types of sensors can be compromised by malicious attacks, leading to unacceptable safety violations. We study the problem of safety-critical control of a LiDAR-based system under sensor faults and attacks. We propose a framework consisting of fault tolerant estimation and fault tolerant control. The former reconstructs a LiDAR scan with state estimations, and excludes the possible faulty estimations that are not aligned with LiDAR measurements. We also verify the correctness of LiDAR scans by comparing them with the reconstructed ones and removing the possibly compromised sector in the scan. Fault tolerant control computes a control signal with the remaining estimations at each time step. We prove that the synthesized control input guarantees system safety using control barrier certificates. We validate our proposed framework using a UAV delivery system in an urban environment. We show that our proposed approach guarantees safety for the UAV whereas a baseline fails.

Systems and Control