Correct-by-Construction Tactical Planners for Automated Cars
Licentiate thesis, 2019
Tactical planners are responsible for making discrete decisions over the coming seconds or minute. As with all subsystems in an automated car, these planners need to be supported with a credible and convincing argument of their correctness. The planners' decisions affect the environment, and the planners interact with other road users in a feedback loop, so the correctness of the planners depends on their behavior in relation to other drivers and the environment over time. One possibility to ascertain their correctness is to deploy the planners in real traffic. To be sufficiently certain that a tactical planner is safe by that method, it needs to be tested on 255 million miles without having an accident.
Formal methods can, in contrast to testing, mathematically prove that the requirements are fulfilled. Hence, they are a promising alternative for making credible arguments of tactical planners' correctness. The topic of this thesis is how formal methods can be used in the automotive industry to design safe tactical planners. What is interesting is both how automotive systems should be modeled in formal frameworks, and how formal methods can be used practically within the automotive development process.
The main findings of this thesis are that it is natural to express desired properties of tactical planners in formal languages and use formal methods to prove their correctness. Model Checking, Reactive Synthesis, and Supervisory Control Theory have been used in the design and development process of tactical planners, and all three methods have their benefits, depending on the application.
Formal synthesis is an especially interesting class of formal methods because it can automatically generate a planner from requirements and models. Formal synthesis removes the need to manually develop and implement the planner, so the development effort can be directed to formalizing good requirements on the planner and good assumptions on the environment. However, formal synthesis has two limitations: the resulting planner is a black box that is difficult to inspect, and it is difficult to find a level of abstraction that allows both detailed requirements and generic planners.
Keywords
Reactive Synthesis, tactical planning, formal verification, formal synthesis, Formal methods, Model Checking, Supervisory Control Theory, automated cars
Author
Jonas Krook
Chalmers, Electrical Engineering, Systems and control
Design and Formal Verification of a Safe Stop Supervisor for an Automated Vehicle
2019 International Conference on Robotics and Automation (ICRA), 2019, p. 5607-5613
Paper in proceeding
Comparative Case Studies of Reactive Synthesis and Supervisory Control
2019 18th European Control Conference (ECC), 2019, p. 1752-1759
Paper in proceeding
Modeling and Synthesis of the Lane Change Function of an Autonomous Vehicle
IFAC-PapersOnLine, Vol. 51, 2018, p. 133-138
Paper in proceeding
Krook, J., Kianfar, R., Fabian, M.: Formal Synthesis of Safe Stop Tactical Planners for an Automated Vehicle
Areas of Advance
Transport
Subject Categories
Embedded Systems
Robotics
Computer Systems
Formerly: Department of Signals and Systems (Institutionen för signaler och system), Chalmers University of Technology
Publisher
Chalmers
Room ED, Hörsalsvägen 11
Opponent: Associate Professor Jana Tumová, Department of Robotics, Perception, and Learning, KTH Royal Institute of Technology, Sweden.