Formal Methods and Safety for Automated Vehicles: Modeling, Abstractions, and Synthesis of Tactical Planners
Doctoral thesis, 2022

One goal of developing automated road vehicles is to completely free people from driving tasks. Automated vehicles with no human driver must handle all traffic situations that human drivers are expected to handle, possibly more. Though human drivers cause a lot of traffic accidents, they still have a very low accident and failure rate that automated vehicles must match.

Tactical planners are responsible for making discrete decisions for the coming seconds or minutes. As with all subsystems in an automated vehicle, these planners need to be supported with a credible and convincing argument of their correctness. The planners interact with other road users in a feedback loop, so their correctness depends on their behavior in relation to other drivers and road users over time. One way to ascertain their correctness is to test the vehicles in real traffic. But to be sufficiently certain that a tactical planner is safe, it has to be tested on 255 million miles with no accidents.

Formal methods can, in contrast to testing, mathematically prove that given requirements are fulfilled. Hence, these methods are a promising alternative for making credible arguments for tactical planners’ correctness. The topic of this thesis is the use of formal methods in the automotive industry to design safe tactical planners. What is interesting is both how automotive systems can be modeled in formal frameworks, and how formal methods can be used practically within the automotive development process.

The main findings of this thesis are that it is viable to formally express desired properties of tactical planners, and to use formal methods to prove their correctness. However, the difficulty of anticipating and inspecting the interaction of several desired properties is found to be an obstacle. Model Checking, Reactive Synthesis, and Supervisory Control Theory have been used in the design and development process of tactical planners, and each of these methods has its benefits, depending on the application. To be feasible and useful, these methods need to operate on both a high and a low level of abstraction, and this thesis contributes an automatic abstraction method that bridges this divide.

It is also found that artifacts from formal methods tools may be used to convincingly argue that a realization of a tactical planner is safe, and that such an argument puts formal requirements on the vehicle’s other subsystems and its surroundings.

automated vehicles

formal methods

formal synthesis

tactical planning

supervisory control theory

automatic abstraction

safety case

model checking

formal verification

reactive synthesis

HC2, Hörsalsvägen 14

Online

Opponent: Associate Prof. Necmiye Özay, University of Michigan, USA

Author

Jonas Krook

Chalmers, Electrical Engineering, Systems and control

On How to Not Prove Faulty Controllers Safe in Differential Dynamic Logic

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Vol. 13478 (2022), pp. 281-297

Paper in proceeding

Design and Formal Verification of a Safe Stop Supervisor for an Automated Vehicle

Proceedings - IEEE International Conference on Robotics and Automation (2019), pp. 5607-5613

Paper in proceeding

Comparative Case Studies of Reactive Synthesis and Supervisory Control

2019 18th European Control Conference, ECC 2019 (2019), pp. 1752-1759

Paper in proceeding

Modeling and Synthesis of the Lane Change Function of an Autonomous Vehicle

IFAC-PapersOnLine, Vol. 51 (2018), pp. 133-138

Paper in proceeding

Formal Synthesis of Safe Stop Tactical Planners for an Automated Vehicle

IFAC-PapersOnLine, Vol. 53 (2020), pp. 445-452

Paper in proceeding

Collision avoidance systems in modern vehicles are reactive systems that take action when the driver is judged not to be able to avoid a collision. Collision avoidance systems must not activate when there is no danger, but it is accepted that they do not prevent all accidents.

For automated vehicles, on the other hand, collisions are unacceptable. They must drive such that the reactive system can always prevent accidents. As an example, when approaching a traffic light that turns from green to amber, a reactive system of a vehicle may either decide to continue and pass during the amber period, or brake to ensure that the traffic light is not passed until it turns green again. The vehicle must drive in a manner that ensures that at least one of these two options is viable for the reactive system, or else risk an accident at the traffic light.

Automated vehicles’ actions at one point in time affect the available actions and possible outcomes seconds or minutes in the future. As automated vehicles are complex systems subject to a multitude of requirements, it is hard to understand how low-level decisions affect the possibility of fulfilling the requirements in the future. For the same reason, it is difficult to test that the requirements are fulfilled at all times.

This thesis explores how automatic logic reasoning can be used as a tool to ensure and prove that the requirements are fulfilled. It is found that logic reasoning can be used to guarantee correctness of the actions taken by an automated vehicle, but that there are difficulties in representing their behaviors correctly.
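The traffic-light example above can be made concrete with a small synthesis computation of the kind the abstract refers to (Reactive Synthesis, Supervisory Control Theory). The following Python is an added illustration, not code from the thesis or its author; the kinematics, the discrete grid of distances and speeds, the amber duration, the maximal braking and the planner's action set are all constructed assumptions. It encodes the requirement "at least one reactive option (stop before the line, or pass before amber ends) is available" as a state predicate, then computes by greatest fixed point the largest set of states from which the tactical planner can keep that predicate true at every future step, whatever moment the light turns amber.

```python
"""
Toy synthesis of a safe tactical-planner policy for the traffic-light example.

Added illustration, not from the thesis. Assumptions (all constructed):
- time step of 1 s; integer distance d (m) to the stop line and integer
  speed v (m/s); the planner picks an acceleration each step;
- the light may turn amber at any step and stays amber for AMBER_S seconds;
- BRAKE_MAX is the strongest deceleration the reactive system can apply.
"""

D_MAX = 100           # metres of road modelled before the stop line
V_MAX = 20            # speed cap of the model, m/s
AMBER_S = 3           # seconds the light stays amber (assumed)
BRAKE_MAX = 2.0       # maximal braking of the reactive system, m/s^2 (assumed)
ACTIONS = (-2, 0, 1)  # accelerations the tactical planner may choose, m/s^2


def can_stop(d, v):
    """Reactive option 1: brake to a halt before the stop line."""
    return v * v / (2 * BRAKE_MAX) <= d


def can_pass(d, v):
    """Reactive option 2: cross the line at constant speed before amber ends."""
    return v * AMBER_S >= d


def viable(d, v):
    """Requirement on the planner: at least one reactive option is available."""
    return can_stop(d, v) or can_pass(d, v)


def step(d, v, a):
    """One-second forward-Euler update of the vehicle state."""
    v2 = min(V_MAX, max(0, v + a))
    return d - v2, v2


def all_states():
    return [(d, v) for d in range(D_MAX + 1) for v in range(V_MAX + 1)]


def synthesize():
    """Largest set W of viable states from which the planner has an action
    that stays in W or crosses the line while the light is still green.
    Computed as a greatest fixed point (controllable predecessor iteration)."""
    W = {s for s in all_states() if viable(*s)}
    while True:
        keep = set()
        for (d, v) in W:
            for a in ACTIONS:
                d2, v2 = step(d, v, a)
                if d2 <= 0 or (d2, v2) in W:
                    keep.add((d, v))
                    break
        if keep == W:
            return W
        W = keep


def policy(W, d, v):
    """Accelerations the synthesized supervisor allows in state (d, v)."""
    allowed = []
    for a in ACTIONS:
        d2, v2 = step(d, v, a)
        if d2 <= 0 or (d2, v2) in W:
            allowed.append(a)
    return allowed


if __name__ == "__main__":
    W = synthesize()
    print(f"{len(W)} of {len(all_states())} states are controllably safe")
    # Fast approach far from the line: only braking keeps the invariant.
    print("policy at d=70 m, v=16 m/s:", policy(W, 70, 16))
    # A state where neither reactive option exists (the 'dilemma zone').
    print("(55 m, 16 m/s) safe?", (55, 16) in W)
```

The result is a supervisor in the supervisory-control sense: it does not choose the action, it lists which actions keep the closed loop inside the safe region. Note that it only enforces safety; a vehicle that stands still forever is accepted, so a real tactical planner would add a liveness requirement, and the interaction of the two is exactly the kind of property interplay the abstract identifies as the hard part.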

Areas of Advance

Transport

Subject Categories

Embedded Systems

Robotics

Control Engineering

Computer Systems

ISBN

978-91-7905-731-2

Doktorsavhandlingar vid Chalmers tekniska högskola. Ny serie: 5197

Publisher

Chalmers



Latest update

11/8/2023