Formal Methods and Safety for Automated Vehicles: Modeling, Abstractions, and Synthesis of Tactical Planners
Doctoral thesis, 2022
Tactical planners are responsible for making discrete decisions for the coming seconds or minutes. As with all subsystems in an automated vehicle, these planners need to be supported with a credible and convincing argument of their correctness. The planners interact with other road users in a feedback loop, so their correctness depends on their behavior in relation to other drivers and road users over time. One way to ascertain their correctness is to test the vehicles in real traffic. But to be sufficiently certain that a tactical planner is safe, it has to be tested on 255 million miles with no accidents.
Formal methods can, in contrast to testing, mathematically prove that given requirements are fulfilled. Hence, these methods are a promising alternative for making credible arguments for tactical planners’ correctness. The topic of this thesis is the use of formal methods in the automotive industry to design safe tactical planners. What is interesting is both how automotive systems can be modeled in formal frameworks, and how formal methods can be used practically within the automotive development process.
The main findings of this thesis are that it is viable to formally express desired properties of tactical planners, and to use formal methods to prove their correctness. However, the difficulty of anticipating and inspecting the interaction of several desired properties is found to be an obstacle. Model Checking, Reactive Synthesis, and Supervisory Control Theory have been used in the design and development process of tactical planners, and each of these methods has its benefits, depending on the application. To be feasible and useful, these methods need to operate on both a high and a low level of abstraction, and this thesis contributes an automatic abstraction method that bridges this divide.
It is also found that artifacts from formal methods tools may be used to convincingly argue that a realization of a tactical planner is safe, and that such an argument puts formal requirements on the vehicle’s other subsystems and its surroundings.
automated vehicles
formal methods
formal synthesis
tactical planning
supervisory control theory
automatic abstraction
safety case
model checking
formal verification
reactive synthesis
Author
Jonas Krook
Chalmers, Electrical Engineering, Systems and control
On How to Not Prove Faulty Controllers Safe in Differential Dynamic Logic
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Vol. 13478 (2022), p. 281-297
Paper in proceeding
Design and Formal Verification of a Safe Stop Supervisor for an Automated Vehicle
Proceedings - IEEE International Conference on Robotics and Automation (2019), p. 5607-5613
Paper in proceeding
Comparative Case Studies of Reactive Synthesis and Supervisory Control
2019 18th European Control Conference, ECC 2019 (2019), p. 1752-1759
Paper in proceeding
Modeling and Synthesis of the Lane Change Function of an Autonomous Vehicle
IFAC-PapersOnLine, Vol. 51 (2018), p. 133-138
Paper in proceeding
Formal Synthesis of Safe Stop Tactical Planners for an Automated Vehicle
IFAC-PapersOnLine, Vol. 53 (2020), p. 445-452
Paper in proceeding
For automated vehicles, on the other hand, collisions are unacceptable. They must drive such that the reactive system can always prevent accidents. As an example, when approaching a traffic light that turns from green to amber, a reactive system of a vehicle may either decide to continue and pass during the amber period, or brake to ensure that the traffic light is not passed until it turns green again. The vehicle must drive in a manner that ensures that one of these two options is viable for the reactive system, or else risk an accident at the traffic light.
Automated vehicles’ actions at one point in time affect the available actions and possible outcomes seconds or minutes in the future. As automated vehicles are complex systems subject to a multitude of requirements, it is hard to understand how low-level decisions affect the possibility of fulfilling the requirements in the future. For the same reason, it is difficult to test that the requirements are fulfilled at all times.
This thesis explores how automatic logic reasoning can be used as a tool to ensure and prove that the requirements are fulfilled. It is found that logic reasoning can be used to guarantee the correctness of the actions taken by an automated vehicle, but that there are difficulties in representing the vehicle's and other road users' behaviors correctly.
Areas of Advance
Transport
Subject Categories (SSIF 2011)
Embedded Systems
Robotics
Control Engineering
Computer Systems
ISBN
978-91-7905-731-2
Doktorsavhandlingar vid Chalmers tekniska högskola. Ny serie: 5197
Publisher
Chalmers