Fei Gao,Cheng Luo,Fangyuan Shi,Xianqing Chen,Zhenhai Gao,Rui Zhao

DOI: https://doi.org/10.1109/access.2023.3300423

IF: 3.9

2023-09-06

IEEE Access

Abstract:Addressing decision safety in the unpredictable arena of complex traffic scenarios represents a significant hurdle for autonomous driving systems. Considering the inherent spatial-temporal uncertainties associated with the future actions of surrounding traffic participants, real-time safety verification of autonomous driving decisions is crucial to maintaining vehicular safety. Existing online verification methodologies, such as Responsibility Sensitive Safety (RSS) and Safety Force Field (SFF), ensure driving safety by formalizing human safe-driving rules and constraining the vehicle to maintain safe lateral and longitudinal distances in real-time. While these methods effectively prevent collisions instigated by the autonomous vehicle itself, they lack sufficient foresight and often result in less smooth driving trajectories. To address these limitations, we propose an innovative, interpretable, formal safety verification framework. This approach integrates both explicit and implicit traffic rules to anticipate all legally acceptable transitions of traffic scenarios. It builds the lawful, short-term reachable region for each vehicle, and verifies the safety of autonomous vehicle decisions by assessing whether the regions these vehicles inhabit, in accordance with the expected trajectory, overlap with the accessible zones of other vehicles. Furthermore, in scenarios presenting potential danger, a backup smooth safety trajectory is derived from the autonomous vehicle's legal reachability domain as a preventive measure to degrade safety threats. As a cornerstone of safety for autonomous vehicles, our proposed method ensures a continual safe trajectory in all traffic scenarios, provided that other participants adhere to traffic rules. Experimental outcomes, grounded in the ISO 34502 standard and real-world critical safety scenarios, demonstrate the method's efficacy in identifying potentially dangerous decisions and mitigating aut- nomous vehicle-induced traffic accidents.

computer science, information systems,telecommunications,engineering, electrical & electronic

Ran Tian,Anjian Li,Masayoshi Tomizuka,Liting Sun

DOI: https://doi.org/10.48550/arxiv.2106.02737

2021-01-01

Abstract: Safety assurance is a critical yet challenging aspect when developing self-driving technologies. Hamilton-Jacobi backward-reachability analysis is a formal verification tool for verifying the safety of dynamic systems in the presence of disturbances. However, the standard approach is too conservative to be applied to self-driving applications due to its worst-case assumption on humans' behaviors (i.e., guard against worst-case outcomes). In this work, we integrate a learning-based prediction algorithm and a game-theoretic human behavioral model to online update the conservativeness of backward-reachability analysis. We evaluate our approach using real driving data. The results show that, with reasonable assumptions on human behaviors, our approach can effectively reduce the conservativeness of the standard approach without sacrificing its safety verification ability.

Juozas Vaicenavicius,Tilo Wiklund,Austė Grigaitė,Antanas Kalkauskas,Ignas Vysniauskas,Steven Keen

DOI: https://doi.org/10.4271/12-04-01-0004

2021-04-12

Abstract:In this paper, we present a rigorous modular statistical approach for arguing safety or its insufficiency of an autonomous vehicle through a concrete illustrative example. The methodology relies on making appropriate quantitative studies of the performance of constituent components. We explain the importance of sufficient and necessary conditions at the component level for the overall safety of the vehicle as well as the cost-saving benefits of the approach. A simple concrete automated braking example studied illustrates how separate perception system and operational design domain statistical analyses can be used to prove or disprove safety at the vehicle level.

Applications,Artificial Intelligence,Probability

Horel, Jean-Baptiste,Ledent, Philippe,Marsso, Lina,Muller, Lucie,Mateescu, Radu,Renzaglia, Alessandro,Serwe, Wendelin

DOI: https://doi.org/10.1007/s10846-023-01808-3

2023-04-22

Journal of Intelligent and Robotic Systems: Theory and Applications

Abstract:Autonomous driving technology is safety-critical and thus requires thorough validation. In particular, the probabilistic algorithms employed in perception systems of autonomous vehicles (AV) are notoriously hard to validate due to the wide range of possible critical scenarios. Such critical scenarios cannot be easily addressed with current manual validation methods, thus there is a need for an automatic and formal validation technique. To this end, we propose a new approach for perception component verification that, given a high-level and human-interpretable description of a critical situation, generates relevant AV scenarios and uses them for automatic verification. To achieve this goal, we integrate two recently proposed methods for the generation and the verification that are based on formal verification tools. First, we use formal conformance test generation tools to derive, from a verified formal model, sets of scenarios to be run in a simulator. Second, we model check the traces of the simulation runs to validate the probabilistic estimation of collision risks. Using formal methods brings the combined advantages of an increased confidence in the correct representation of the chosen configuration (temporal logic verification), a guarantee of the coverage and relevance of automatically generated scenarios (conformance testing), and an automatic quantitative analysis of the test execution (verification and statistical analysis on traces).

Thomas Drage,Kai Li Lim,Joey En Hai Koh,David Gregory,Craig Brogle,Thomas Bräunl,Thomas Braunl

DOI: https://doi.org/10.1109/iv48863.2021.9575662

2021-07-11

Abstract:This paper presents an approach to specifying a modularised safety system which comprehensively addresses the safety requirements for highly autonomous (SAE Level 3+) road vehicles featuring advanced sensing and automated navigation. As these requirements are often overlooked in similar autonomous driving system proposals, we present a method of hazard and risk analysis which investigates hardware failures, environmental perception limitations, human interaction and functional requirements for artificial intelligence. We then define a system design which implements the required safeguards and examines the application on two electric autonomous vehicle testbeds: a race car and a shuttle bus. The close-coupling of a safety-oriented architecture and multi-regime Hazard and Risk Assessment process was tested to measure the system's ability to detect and react to pedestrian stimuli, resulting in accurate detections and reactions, thereby confirming its ability to design safety systems for autonomous research vehicles in a scalable and easily assured fashion.

Megan Strauss,Stefan Mitsch

2023-05-16

Abstract:Technology advances give us the hope of driving without human error, reducing vehicle emissions and simplifying an everyday task with the future of self-driving cars. Making sure these vehicles are safe is very important to the continuation of this field. In this paper, we formalize the Responsibility-Sensitive Safety model (RSS) for self-driving cars and prove the safety and optimality of this model in the longitudinal direction. We utilize the hybrid systems theorem prover KeYmaera X to formalize RSS as a hybrid system with its nondeterministic control choices and continuous motion model, and prove absence of collisions. We then illustrate the practicality of RSS through refinement proofs that turn the verified nondeterministic control envelopes into deterministic ones and further verified compilation to Python. The refinement and compilation are safety-preserving; as a result, safety proofs of the formal model transfer to the compiled code, while counterexamples discovered in testing the code of an unverified model transfer back. The resulting Python code allows to test the behavior of cars following the motion model of RSS in simulation, to measure agreement between the model and simulation with monitors that are derived from the formal model, and to report counterexamples from simulation back to the formal model.

Logic in Computer Science,Software Engineering,Systems and Control

Mohammed Al-Nuaimi,Sapto Wibowo,Hongyang Qu,Jonathan Aitken,Sandor Veres

DOI: https://doi.org/10.3390/jsan10030042

2021-06-29

Journal of Sensor and Actuator Networks

Abstract:The evolution of driving technology has recently progressed from active safety features and ADAS systems to fully sensor-guided autonomous driving. Bringing such a vehicle to market requires not only simulation and testing but formal verification to account for all possible traffic scenarios. A new verification approach, which combines the use of two well-known model checkers: model checker for multi-agent systems (MCMAS) and probabilistic model checker (PRISM), is presented for this purpose. The overall structure of our autonomous vehicle (AV) system consists of: (1) A perception system of sensors that feeds data into (2) a rational agent (RA) based on a belief–desire–intention (BDI) architecture, which uses a model of the environment and is connected to the RA for verification of decision-making, and (3) a feedback control systems for following a self-planned path. MCMAS is used to check the consistency and stability of the BDI agent logic during design-time. PRISM is used to provide the RA with the probability of success while it decides to take action during run-time operation. This allows the RA to select movements of the highest probability of success from several generated alternatives. This framework has been tested on a new AV software platform built using the robot operating system (ROS) and virtual reality (VR) Gazebo Simulator. It also includes a parking lot scenario to test the feasibility of this approach in a realistic environment. A practical implementation of the AV system was also carried out on the experimental testbed.

Yuvaraj Selvaraj,Wolfgang Ahrendt,Martin Fabian

DOI: https://doi.org/10.48550/arXiv.2204.06873

2022-04-14

Abstract:The challenges in providing convincing arguments for safe and correct behavior of automated driving (AD) systems have so far hindered their widespread commercial deployment. Conventional development approaches such as testing and simulation are limited by non-exhaustive analysis, and can thus not guarantee correctness in all possible scenarios. Formal methods is an approach to provide mathematical proofs of correctness, using a model of a system, that could be used to give the necessary arguments. This paper investigates the use of differential dynamic logic and the deductive verification tool KeYmaera X in the development of an AD feature. Specifically, formal models and safety proofs of different design variants of a Decision & Control module for an in-lane AD feature are presented. In doing so, the assumptions and invariant conditions necessary to guarantee safety are identified, and the paper shows how such an analysis helps during the development process in requirement refinement and formulation of the operational design domain. Furthermore, it is shown how the performance of the different models is formally analyzed exhaustively, in all their allowed behaviors.

Systems and Control

Yuting Fu,Andrei Terechko,Jan Friso Groote,Arash Khabbaz Saberi

DOI: https://doi.org/10.4271/12-05-01-0002

2022-01-17

SAE International Journal of Connected and Automated Vehicles

Abstract:Modern Automated Driving (AD) systems rely on safety measures to handle faults and to bring the vehicle to a safe state. To eradicate lethal road accidents, car manufacturers are constantly introducing new perception as well as control systems. Contemporary automotive design and safety engineering best practices are suitable for analyzing system components in isolation, whereas today’s highly complex and interdependent AD systems require a novel approach to ensure resilience to multiple-point failures. We present a holistic and cost-effective safety concept unifying advanced safety measures for handling multiple-point faults. Our proposed approach enables designers to focus on more pressing issues such as handling fault-free hazardous behavior associated with system performance limitations. To verify our approach, we developed an executable model of the safety concept in the formal specification language mCRL2. The model behavior is governed by a four-mode degradation policy-controlling distributed processors, redundant communication networks, and virtual machines (VMs). To keep the vehicle as safe and cost effective as possible, our degradation policy can reduce driving comfort or AD system’s availability using additional low-cost driving channels. We formalized five safety requirements in the modal μ-calculus and proved them against our mCRL2 model, which is intractable to accomplish exhaustively using traditional road tests or simulation techniques. In conclusion, our formally proven safety concept defines a holistic and cost-effective design pattern for AD systems.

Tong Zhao,Ekim Yurtsever,Joel Paulson,Giorgio Rizzoni

DOI: https://doi.org/10.1109/TIV.2022.3170517

2022-03-03

Abstract:Challenges related to automated driving are no longer focused on just the construction of such automated vehicles (AVs), but in assuring the safety of their operation. Recent advances in Level 3 and Level 4 autonomous driving have motivated more extensive study in safety guarantees of complicated AV maneuvers, which aligns with the goal of ISO 21448 (Safety of the Intended Functions, or SOTIF), i.e. minimizing unsafe scenarios both known and unknown, as well as Vision Zero -- eliminating highway fatalities by 2050. A majority of approaches used in providing safety guarantees for AV motion control originate from formal methods, especially reachability analysis (RA), which relies on mathematical models for the dynamic evolution of the system to provide guarantees. However, to the best of the authors' knowledge, there have been no review papers dedicated to describing and interpreting state-of-the-art of formal methods in the context of AVs. In this work, we provide both an overview of the safety verification, validation and certification process, as well as review formal safety techniques that are best suited to AV applications. We also propose a unified scenario coverage framework that can provide either a formal or sample-based estimate of safety verification for full AVs. Finally, remaining challenges and future opportunities beyond the scope of current published research for assured AV safety are presented.

Systems and Control

Marius Bozga,Joseph Sifakis

2024-05-20

Abstract:Developing safe autonomous driving systems is a major scientific and technical challenge. Existing AI-based end-to-end solutions do not offer the necessary safety guarantees, while traditional systems engineering approaches are defeated by the complexity of the problem. Currently, there is an increasing interest in hybrid design solutions, integrating machine learning components, when necessary, while using model-based components for goal management and planning. We study a method for building safe by design autonomous driving systems, based on the assumption that the capability to drive boils down to the coordinated execution of a given set of driving operations. The assumption is substantiated by a compositionality result considering that autopilots are dynamic systems receiving a small number of types of vistas as input, each vista defining a free space in its neighborhood. It is shown that safe driving for each type of vista in the corresponding free space, implies safe driving for any possible scenario under some easy-to-check conditions concerning the transition between vistas. The designed autopilot comprises distinct control policies one per type of vista, articulated in two consecutive phases. The first phase consists of carefully managing a potentially risky situation by virtually reducing speed, while the second phase consists of exiting the situation by accelerating. The autopilots designed use for their predictions simple functions characterizing the acceleration and deceleration capabilities of the vehicles. They cover the main driving operations, including entering a main road, overtaking, crossing intersections protected by traffic lights or signals, and driving on freeways. The results presented reinforce the case for hybrid solutions that incorporate mathematically elegant and robust decision methods that are safe by design.

Multiagent Systems

Xingyu Zhao,Kizito Salako,Lorenzo Strigini,Valentin Robu,David Flynn

DOI: https://doi.org/10.1016/j.infsof.2020.106393

IF: 3.9

2020-12-01

Information and Software Technology

Abstract:<p><strong>Context</strong>: Demonstrating high reliability and safety for safety-critical systems (SCSs) remains a hard problem. Diverse evidence needs to be combined in a rigorous way: in particular, results of operational testing with other evidence from design and verification. Growing use of machine learning in SCSs, by precluding most established methods for gaining assurance, makes evidence from operational testing even more important for supporting safety and reliability claims.</p><p><strong>Objective</strong>: We revisit the problem of using operational testing to demonstrate high reliability. We use Autonomous Vehicles (AVs) as a current example. AVs are making their debut on public roads: methods for assessing whether an AV is safe enough are urgently needed. We demonstrate how to answer 5 questions that would arise in assessing an AV type, starting with those proposed by a highly-cited study.</p><p><strong>Method</strong>: We apply new theorems extending our Conservative Bayesian Inference (CBI) approach, which exploit the rigour of Bayesian methods while reducing the risk of involuntary misuse associated (we argue) with now-common applications of Bayesian inference; we define additional conditions needed for applying these methods to AVs.</p><p><strong>Results</strong>: Prior knowledge can bring substantial advantages if the AV design allows strong expectations of safety before road testing. We also show how naive attempts at conservative assessment may lead to over-optimism instead; why extrapolating the trend of disengagements (take-overs by human drivers) is not suitable for safety claims; use of knowledge that an AV has moved to a "less stressful" environment.</p><p><strong>Conclusion</strong>: While some reliability targets will remain too high to be practically verifiable, our CBI approach removes a major source of doubt: it allows use of prior knowledge without inducing dangerously optimistic biases. For certain ranges of required reliability and prior beliefs, CBI thus supports feasible, sound arguments. Useful conservative claims can be derived from limited prior knowledge.</p>

computer science, information systems, software engineering

Clovis Eberhart,Jérémy Dubut,James Haydon,Ichiro Hasuo

DOI: https://doi.org/10.1109/IV55152.2023.10186763

2023-08-21

Abstract:Safety architectures play a crucial role in the safety assurance of automated driving vehicles (ADVs). They can be used as safety envelopes of black-box ADV controllers, and for graceful degradation from one ODD to another. Building on our previous work on the formalization of responsibility-sensitive safety (RSS), we introduce a novel program logic that accommodates assume-guarantee reasoning and fallback-like constructs. This allows us to formally define and prove the safety of existing and novel safety architectures. We apply the logic to a pull over scenario and experimentally evaluate the resulting safety architecture.

Robotics,Logic in Computer Science

Karen Leung,Sushant Veer,Edward Schmerling,Marco Pavone

DOI: https://doi.org/10.48550/arXiv.2210.02761

IF: 3.7

2022-10-06

Robotics

Abstract:Evaluating the safety of an autonomous vehicle (AV) depends on the behavior of surrounding agents which can be heavily influenced by factors such as environmental context and informally-defined driving etiquette. A key challenge is in determining a minimum set of assumptions on what constitutes reasonable foreseeable behaviors of other road users for the development of AV safety models and techniques. In this paper, we propose a data-driven AV safety design methodology that first learns ``reasonable'' behavioral assumptions from data, and then synthesizes an AV safety concept using these learned behavioral assumptions. We borrow techniques from control theory, namely high order control barrier functions and Hamilton-Jacobi reachability, to provide inductive bias to aid interpretability, verifiability, and tractability of our approach. In our experiments, we learn an AV safety concept using demonstrations collected from a highway traffic-weaving scenario, compare our learned concept to existing baselines, and showcase its efficacy in evaluating real-world driving logs.

Nima Roohi,Ramneet Kaur,James Weimer,Oleg Sokolsky,Insup Lee

DOI: https://doi.org/10.48550/arXiv.1806.08810

2018-06-20

Abstract:Industrial cyber-physical systems are hybrid systems with strict safety requirements. Despite not having a formal semantics, most of these systems are modeled using Stateflow/Simulink for mainly two reasons: (1) it is easier to model, test, and simulate using these tools, and (2) dynamics of these systems are not supported by most other tools. Furthermore, with the ever growing complexity of cyber-physical systems, grows the gap between what can be modeled using an automatic formal verification tool and models of industrial cyber-physical systems. In this paper, we present a simple formal model for self-deriving cars. While after some simplification, safety of this system has already been proven manually, to the best of our knowledge, no automatic formal verification tool supports its dynamics. We hope this serves as a challenge problem for formal verification tools targeting industrial applications.

Logic in Computer Science,Robotics,Systems and Control

Romain Cuer,Laurent Piétrac,Eric Niel,Saidou Diallo,Nicoleta Minoiu-Enache,Christophe Dang-Van-Nhan

DOI: https://doi.org/10.1016/j.ress.2018.01.014

2018-06-01

Abstract:The autonomous vehicle is meant to drive by itself, without any driver intervention (for the levels 4 and 5 of automated driving, according to the National Highway Traffic Safety Administration(NHTSA)). This car includes a new function, called Autonomous Driving (AD) function, in charge of driving the vehicle when it is authorized. This function may be in different states (basically active or inactive), that shall be managed by a sub-function, named supervision. The main focus of this work is to ensure that the supervision of a function, performed by a safety critical embedded automotive control system (controlled systems are not considered), respects functional and safety requirements. Usually two processes are involved in the system design: the systems engineering process and the safety one. The first process defines the functional requirements on the function while the safety one specifies redundant sub-functions (realizing together the function) allowing to ensure a continuous service under failure. Since two different aspects of the system are specified, it is a major challenge to make all requirements consistent, from the outset of the design process. In this paper, a method is precisely proposed to address this issue. A progressive reinforcement of the treated requirements is achieved by means of formal state models. In fact, the proposed approach permits to build state models from requirements initially expressed in natural language. Potential ambiguities, incompletenesses or undertones in requirements are in this way gradually deleted. The enrichment of conventional formal verification of control properties with safety requirements constitutes the main originality of the deployed method and contributes to solve inconsistencies between functional and safety verification processes. In addition, the application of the method to the design of AD function supervision highlights its efficiency in an industrial context.

engineering, industrial,operations research & management science

Chiao Hsieh,Keyur Joshi,Sasa Misailovic,Sayan Mitra

DOI: https://doi.org/10.48550/arXiv.2111.05534

IF: 3.7

2021-11-10

Robotics

Abstract:Convolutional Neural Networks (CNN) for object detection, lane detection, and segmentation now sit at the head of most autonomy pipelines, and yet, their safety analysis remains an important challenge. Formal analysis of perception models is fundamentally difficult because their correctness is hard if not impossible to specify. We present a technique for inferring intelligible and safe abstractions for perception models from system-level safety requirements, data, and program analysis of the modules that are downstream from perception. The technique can help tradeoff safety, size, and precision, in creating abstractions and the subsequent verification. We apply the method to two significant case studies based on high-fidelity simulations (a) a vision-based lane keeping controller for an autonomous vehicle and (b) a controller for an agricultural robot. We show how the generated abstractions can be composed with the downstream modules and then the resulting abstract system can be verified using program analysis tools like CBMC. Detailed evaluations of the impacts of size, safety requirements, and the environmental parameters (e.g., lighting, road surface, plant type) on the precision of the generated abstractions suggest that the approach can help guide the search for corner cases and safe operating envelops.

Chuchu Fan,Bolun Qi,Sayan Mitra,Mahesh Viswanathan

DOI: https://doi.org/10.48550/arXiv.1702.06902

2017-02-23

Abstract:We present the DRYVR framework for verifying hybrid control systems that are described by a combination of a black-box simulator for trajectories and a white-box transition graph specifying mode switches. The framework includes (a) a probabilistic algorithm for learning sensitivity of the continuous trajectories from simulation data, (b) a bounded reachability analysis algorithm that uses the learned sensitivity, and (c) reasoning techniques based on simulation relations and sequential composition, that enable verification of complex systems under long switching sequences, from the reachability analysis of a simpler system under shorter sequences. We demonstrate the utility of the framework by verifying a suite of automotive benchmarks that include powertrain control, automatic transmission, and several autonomous and ADAS features like automatic emergency braking, lane-merge, and auto-passing controllers.

Systems and Control

Aditya Dixit,Ramesh Kumar Chidambaram,Zaheer Allam

DOI: https://doi.org/10.3390/vehicles3030036

2021-09-15

Vehicles

Abstract:The autonomous vehicle (AVs) market is expanding at a rapid pace due to the advancement of information, communication, and sensor technology applications, offering a broad range of opportunities in terms of energy efficiency and addressing climate change concerns and safety. With regard to this last point, the rate of reduction in accidents is considerable when switching safety control tasks to machines from humans, which can be noted as having significantly slower response rates. This paper explores this thematic by focusing on the safety of AVs by thorough analysis of previously collected AV crash statistics and further discusses possible solutions for achieving increased autonomous vehicle safety. To achieve this, this technical paper develops a dynamic run-time safe assessment system, using the standard autonomous drive system (ADS), which is developed and simulated in case studies further in the paper. OpenCV methods for lane detection are developed and applied as robust control frameworks, which introduces the factor of vehicle crash predictability for the ego vehicle. The developed system is made to predict possible crashes by using a combination of machine learning and neural network methods, providing useful information for response mechanisms in risk scenarios. In addition, this paper explores the operational design domain (ODD) of the AV’s system and provides possible solutions to extend the domain in order to render vehicle operationality, even in safe mode. Additionally, three case studies are explored to supplement a discussion on the implementation of algorithms aimed at increasing curved lane detection ability and introducing trajectory predictability of neighbouring vehicles for an ego vehicle, resulting in lower collisions and increasing the safety of the AV overall. This paper thus explores the technical development of autonomous vehicles and is aimed at researchers and practitioners engaging in the conceptualisation, design, and implementation of safer AV systems focusing on lane detection and expanding AV safe state domains and vehicle trajectory predictability.

Eun-Young Kang,Dongrui Mu,Li Huang,Qianqing Lan

DOI: https://doi.org/10.48550/arXiv.1803.06103

2018-03-16

Software Engineering

Abstract:The software development for Cyber-Physical Systems (CPS), e.g., autonomous vehicles, requires both functional and non-functional quality assurance to guarantee that the CPS operates safely and effectively. EAST-ADL is a domain specific architectural language dedicated to safety-critical automotive embedded system design. We have previously modified EAST-ADL to include energy constraints and transformed energy-aware real-time (ERT) behaviors modeled in EAST-ADL/STATEFLOW into UPPAAL models amenable to formal verification. Previous work is extended in this paper by including support for SIMULINK and an integration of Simulink/Stateflow within a same tool-chain. Simulink/Stateflow models are transformed, based on extended ERT constraints in EAST-ADL, into verifiable UPPAAL models with stochastic semantics and integrate the translation with formal statistical analysis techniques: Probabilistic extension of EAST-ADL constraints is defined as a semantics denotation. A set of mapping rules is proposed to facilitate the guarantee of translation. Formal analysis on both functional- and non-functional properties is performed using SIMULINK DESIGN VERIFIER/UPPAAL-SMC. The analysis techniques are validated and demonstrated on the autonomous traffic sign recognition vehicle case study.