Conference Paper

APEX: Autonomous Vehicle Plan Verification and Execution

No full-text available
... To further reduce the effort in simulation-based testing, research on the formalization of traffic rules is conducted to automatically determine whether the ego vehicle caused a crash [11]. Testing efforts can be further reduced by formal methods, which exhaustively consider uncertainties from initial states, disturbances, and sensor noise, either at design time [12], [13] or at runtime [14]. Nevertheless, formal methods also require interesting driving situations for validation purposes. ...
... If the model of a vehicle does not have velocity as a state (e.g., when it is an input), we make the obvious changes to (12). The minimization of (10) together with the constraints in (12) results in a quadratic program, for which efficient solvers exist [42]. ...
... Various approaches [8,6,10,12], relying on formal methods, address the modelling and analysis of multi-agent systems in a context similar to ours. In particular, bounded model checking approaches [4,3,13] have been used for studying temporal logic properties. ...
... Finally, let us consider a second variant, in which t_4 is replaced by a variant of t_4 (shown in green in the figure), with a time interval of [6,8]. In that scenario, the current action zone is still [a_2, b_1], which enables t_1, t_2 and t_3. ...
Preprint
We formalise and study multi-agent timed models MAPTs (Multi-Agent with timed Periodic Tasks), where each agent is associated with a regular timed schema upon which all possible actions of the agent rely. MAPTs allow for an accelerated semantics and a layered structure of the state space, so that it is possible to explore the latter dynamically and use heuristics to greatly reduce the computation time needed to address reachability problems. We apply MAPTs to explore state spaces of autonomous vehicles and compare it with other approaches in terms of expressivity, abstraction level and computation time.
... The aforementioned testing methods are important and necessary before AV deployment, but they cannot help with design exploration and automated fault detection at early development stages. Such problems are addressed by model-based verification [28], [29], model-based test generation [30], [31], [32], [33], [34], [35], [36], or a combination thereof [37], [38]. It is important to also highlight that these methods typically ignore or use simple models to abstract away proximity sensors and, especially, the vision systems. ...
Preprint
Autonomous vehicles are complex systems that are challenging to test and debug. A requirements-driven approach to the development process can decrease the resources required to design and test these systems, while simultaneously increasing the reliability. We present a testing framework that uses signal temporal logic (STL), which is a precise and unambiguous requirements language. Our framework evaluates test cases against the STL formulae and additionally uses the requirements to automatically identify test cases that fail to satisfy the requirements. One of the key features of our tool is the support for machine learning (ML) components in the system design, such as deep neural networks. The framework allows evaluation of the control algorithms, including the ML components, and it also includes models of CCD camera, lidar, and radar sensors, as well as the vehicle environment. We use multiple methods to generate test cases, including covering arrays, which is an efficient method to search discrete variable spaces. The resulting test cases can be used to debug the controller design by identifying controller behaviors that do not satisfy requirements. The test cases can also enhance the testing phase of development by identifying critical corner cases that correspond to the limits of the system's allowed behaviors. We present STL requirements for an autonomous vehicle system, which capture both component-level and system-level behaviors. Additionally, we present three driving scenarios and demonstrate how our requirements-driven testing framework can be used to identify critical system behaviors, which can be used to support the development process.
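The scoring step the abstract above describes, evaluating test cases against STL formulae, is easier to see with the quantitative (robustness) semantics written out. The block below is an added example, not code from the cited framework or from APEX: it implements a small STL fragment (atomic predicates, negation, conjunction, bounded always and eventually) over a discrete-time trace, and scores a constructed following-distance scenario against one component-level and one system-level requirement. The trace, the 0.1 s sampling period, the signal names and the thresholds are all assumptions made for the illustration; a negative robustness value is what identifies a failing test case and by how much it missed.

```python
"""Discrete-time STL robustness monitor over a sampled trace.

Added example, not code from the cited framework: it implements the
quantitative (robustness) semantics of a small STL fragment, which is how a
requirements-driven harness scores a test case instead of returning a bare
pass/fail.  Positive robustness means the requirement held with that margin,
negative means it was violated by that margin.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

INF = float("inf")
Sample = Dict[str, float]
Trace = List[Sample]            # one sample per time step, fixed sampling period


@dataclass(frozen=True)
class Atom:                     # predicate f(sample) > 0; robustness is f(sample)
    f: Callable[[Sample], float]


@dataclass(frozen=True)
class Not:
    phi: object


@dataclass(frozen=True)
class And:
    left: object
    right: object


@dataclass(frozen=True)
class Always:                   # G_[a,b] phi, bounds in time steps
    phi: object
    a: int
    b: int


@dataclass(frozen=True)
class Eventually:               # F_[a,b] phi, bounds in time steps
    phi: object
    a: int
    b: int


def Implies(p, q):              # p -> q  ==  not (p and not q)
    return Not(And(p, Not(q)))


def robustness(phi, trace: Trace, t: int = 0) -> float:
    """Robustness of phi at step t.  Windows are clipped at the end of the
    trace (finite-trace semantics); an empty window makes G vacuously true
    (+inf) and F vacuously false (-inf)."""
    if isinstance(phi, Atom):
        return phi.f(trace[t])
    if isinstance(phi, Not):
        return -robustness(phi.phi, trace, t)
    if isinstance(phi, And):
        return min(robustness(phi.left, trace, t), robustness(phi.right, trace, t))
    lo, hi = t + phi.a, min(t + phi.b, len(trace) - 1)
    vals = [robustness(phi.phi, trace, k) for k in range(lo, hi + 1)]
    if isinstance(phi, Always):
        return min(vals) if vals else INF
    if isinstance(phi, Eventually):
        return max(vals) if vals else -INF
    raise TypeError(f"unknown formula {phi!r}")


# Constructed trace (assumption, not data from any paper), 0.1 s per step:
# the lead vehicle starts braking at step 4, the ego controller reacts at step 7.
TRACE: Trace = [
    {"gap": g, "lead_brake": b, "ego_decel": d}
    for g, b, d in zip(
        [8.0, 8.0, 8.0, 8.0, 7.6, 7.0, 6.2, 5.2, 4.4, 3.8, 3.4, 3.2],
        [0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1],
        [0, 0, 0, 0, 0, 0, 0, 2.5, 3.0, 3.0, 3.0, 3.0],
    )
]
HORIZON = len(TRACE) - 1


def gap_requirement(min_gap: float):
    """Component-level: always keep at least min_gap metres to the lead."""
    return Always(Atom(lambda s: s["gap"] - min_gap), 0, HORIZON)


def reaction_requirement(max_delay_steps: int):
    """System-level: whenever the lead brakes, decelerate by more than 1 m/s^2
    within max_delay_steps."""
    return Always(
        Implies(Atom(lambda s: s["lead_brake"] - 0.5),
                Eventually(Atom(lambda s: s["ego_decel"] - 1.0), 0, max_delay_steps)),
        0, HORIZON)


def evaluate(trace: Trace) -> Dict[str, float]:
    """Score the trace against the requirement set; a negative value flags a
    failing test case and how far it overshot the boundary."""
    return {
        "gap>=2m": robustness(gap_requirement(2.0), trace),
        "gap>=4m": robustness(gap_requirement(4.0), trace),
        "react<=3": robustness(reaction_requirement(3), trace),
        "react<=2": robustness(reaction_requirement(2), trace),
    }


if __name__ == "__main__":
    for name, rho in evaluate(TRACE).items():
        print(f"{name:10s} {'PASS' if rho > 0 else 'FAIL'} robustness={rho:+.2f}")
```

The two tightened variants (a 4 m minimum gap, a two-step reaction budget) fail on the same trace, which is the "identify critical corner cases at the limits of allowed behaviour" use the abstract mentions: the robustness value, not just the verdict, tells the engineer which requirement the scenario sits closest to.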
... The time perspective also plays a key role in a broad range of concurrent systems. The proper functioning of real-life concurrent systems depends critically on the time taken by activities and on the ability to cope with delays and with safety margins of time between these activities [27]. The two main extensions of time-dependent Petri nets describing temporal properties are timed Petri nets [28] and time Petri nets [23]. ...
Article
This paper provides a true-concurrency approach for the specification and verification of systems of concurrent communicating agents with durable actions. We present high-level Petri nets with durable actions (DaHL) to cope with various details in such complex systems. We define a DaHL module as an open variant of time-dependent colored Petri nets. A DaHL system is a fused set of modules for systems consisting of concurrent agents which can interact with each other. We also introduce a hybrid-based reachability graph that covers the entire state space of DaHL systems with a true-concurrency semantics. We show that such a reachability graph allows us to check important properties such as deadlock-freeness, liveness, home space, and reversibility, and also to predict timing properties prior to real implementation. A case study is used to model and analyze a simple scenario where autonomous vehicles are able to transport containers freely in an enterprise environment.
... Autonomous vehicle planning and control frameworks [15,19] often follow the hierarchical planning architecture outlined by Firby [9] and Gat [11]. The key idea here is to separate the complications involved in low-level hardware control from high-level planning decisions to accomplish the navigation objective. ...
Article
A constant-rate multi-mode system is a hybrid system that can switch freely among a finite set of modes, and whose dynamics is specified by a finite number of real-valued variables with mode-dependent constant rates. Alur, Wojtczak, and Trivedi have shown that reachability problems for constant-rate multi-mode systems for open and convex safety sets can be solved in polynomial time. In this paper, we study the reachability problem for non-convex state spaces and show that this problem is in general undecidable. We recover decidability by making certain assumptions about the safety set. We present a new algorithm to solve this problem and compare its performance with the popular sampling based algorithm rapidly-exploring random tree (RRT) as implemented in the Open Motion Planning Library (OMPL).
... O'Kelly et al. [161] present their verification tool APEX that internally uses the SMT-solver dReach. They distinguish between the behavioral planner (represented as a formal model in form of a finite transition system) and the motion planner (represented as a black-box that just provides a trajectory). ...
Article
Full-text available
When will automated vehicles come onto the market? This question has puzzled the automotive industry and society for years. The technology and its implementation have made rapid progress over the last decade, but the challenge of how to prove the safety of these systems has not yet been solved. Since a market launch without proof of safety would neither be accepted by society nor by legislators, much time and many resources have been invested into safety assessment in recent years in order to develop new approaches for an efficient assessment. This paper therefore provides an overview of various approaches, and gives a comprehensive survey of the so-called scenario-based approach. The scenario-based approach is a promising method, in which individual traffic situations are typically tested by means of virtual simulation. Since an infinite number of different scenarios can theoretically occur in real-world traffic, even the scenario-based approach leaves the question unanswered as to how to break these down into a finite set of scenarios, and find those which are representative in order to render testing more manageable. This paper provides a comprehensive literature review of related safety-assessment publications that deal precisely with this question. Therefore, this paper develops a novel taxonomy for the scenario-based approach, and classifies all literature sources. Based on this, the existing methods will be compared with each other and, as one conclusion, the alternative concept of formal verification will be combined with the scenario-based approach. Finally, future research priorities are derived.
... In [32], hybrid systems are used to model autonomous vehicles. With this formalism, which combines continuous state variables with discrete operating modes, their model yields a realistic representation of vehicle physics, similar to that found in simulations (slip angle, yaw rate, etc.). ...
Thesis
This thesis is motivated by the question of validating properties in a system composed of several mobile agents that individually make decisions in real time. Each agent has its own perception of the environment and can communicate with nearby agents. The application chosen as the case study is that of autonomous vehicles, which, because of the large number of variables involved in representing such systems, rules out naive approaches. The problems addressed concern, on the one hand, the modelling of such a system, in particular the choice of formalism and of the model's level of abstraction, and, on the other hand, the definition of a protocol for evaluating the vehicles' decision-making. This latter point includes the question of how efficiently the model's state space can be explored. The thesis presents a set of works, which may be complementary, aimed at addressing these problems. First, the system, composed of the autonomous vehicles and their environment, is defined precisely. In particular, it makes it possible to observe the impact of inter-vehicle communication on vehicle behaviour. The VERIFCAR software framework, dedicated to the analysis of decision-making by communicating autonomous vehicles, is then presented. It includes a parametric model of timed automata that makes it possible to verify temporal logic properties. An analysis methodology using these properties is presented. A complementary approach is also proposed which, in some cases, offers better efficiency and greater expressivity. It is based on the MAPT formalism (Multi-Agent with timed Periodic Tasks), which was designed for modelling real-time systems of cooperative agents. Algorithms allowing a dynamic exploration of the states of this type of model (that is, without the state space having to be built beforehand) are presented. Finally, a combined method, coupling simulation with model-checking tools in order to control the level of realism, is described and applied to the case study.
... In [23] hybrid systems are used to model autonomous vehicles. With this formalism, combining both continuous state variables and discrete operating modes, their model achieves a realistic representation of vehicles physics, similar to those which may be found in simulations (slip angle, yaw rate, etc.). ...
Article
Full-text available
This paper presents a framework, called VerifCar, devoted to the validation of decision policies of communicating autonomous vehicles (CAVs). The approach focuses on the formal modeling of CAVs by means of timed automata, allowing a formal and exhaustive analysis of the behaviors of vehicles. VerifCar supports a parametric modeling of CAV systems as a network of timed automata tailored for verification and limiting the well-known state space explosion. As an illustration, VerifCar is applied to check robustness and efficiency, as well as to assess the impact of communication delays on the decision algorithms of CAVs, on well-chosen case studies representing real-life critical situations.
... Formal Verification: Verification has been employed in a variety of safety-critical domains such as aerospace [5], and automotive [24,26,34]. In the automotive field, prior work has focused on time-bounded behaviors and simple motion primitives rather than verification of controlled systems over complex, structured environments. ...
Article
Recent advances in autonomous driving have raised the problem of safety to the forefront and incentivized research into establishing safety guarantees. In this paper, we propose a safety verification framework as a safety standard for driving controllers with full or shared autonomy based on compositional and contract-based principles. Our framework enables us to synthesize safety guarantees over entire road networks by first building a library of locally verified models, and then composing local models together to verify the entire network. Composition is achieved using assume-guarantee contracts that are synthesized concurrently during verification. Thus, we can reuse local models within and across networks, add additional models to cover local road geometries without re-verifying the entire library, and perform all computations in a parallel and distributed way, which enables computational tractability. Furthermore, we employ controller contracts such that any controller satisfying them can be certified safe. We demonstrate the practical effectiveness of our framework by certifying controllers over parts of the Manhattan road network.

Keywords: Verification, Safety, Autonomous Car, Composition, Contracts
Conference Paper
Full-text available
We present the DryVR framework for verifying hybrid control systems that are described by a combination of a black-box simulator for trajectories and a white-box transition graph specifying mode switches. The framework includes (a) a probabilistic algorithm for learning sensitivity of the continuous trajectories from simulation data, (b) a bounded reachability analysis algorithm that uses the learned sensitivity, and (c) reasoning techniques based on simulation relations and sequential composition, that enable verification of complex systems under long switching sequences, from the reachability analysis of a simpler system under shorter sequences. We demonstrate the utility of the framework by verifying a suite of automotive benchmarks that include powertrain control, automatic transmission, and several autonomous and ADAS features like automatic emergency braking, lane-merge, and auto-passing controllers.
Article
In this paper, we introduce a design methodology to develop reliable and secure industrial control systems (ICSs) based on the behavior of their computational resources (i.e., process/application) and underlying physical resources (e.g., the controlled plant). The methodology has three independent, but complementary, components that employ novel approaches and techniques in the design of reliable and secure ICSs. First, we introduce reliable-and-secure-by-design development of secure industrial control applications through stepwise sound refinement of an executable specification, employing deductive synthesis to enforce functional and nonfunctional (e.g., security and safety) properties of ICS applications. Second, we present a runtime security monitor at the middleware level of ICSs that protects ICS operation in the field through real-time comparison of the application's execution against the execution of the application specification; the runtime security monitor can be synthesized from the executable specification. Finally, based on the specification, we perform a vulnerability analysis for false data injection (FDI) attacks, which leads to ICS application designs that are resilient to this type of attack. We demonstrate the methodology through its application to a basic and typical ICS example application, describing all the tools used and ARMET, the middleware monitor that constitutes the core component of the methodology.
Conference Paper
A constant-rate multi-mode system is a hybrid system that can switch freely among a finite set of modes, and whose dynamics is specified by a finite number of real-valued variables with mode-dependent constant rates. Alur, Wojtczak, and Trivedi have shown that reachability problems for constant-rate multi-mode systems for open and convex safety sets can be solved in polynomial time. In this paper we study the reachability problem for non-convex state spaces, and show that this problem is in general undecidable. We recover decidability by making certain assumptions about the safety set. We present a new algorithm to solve this problem and compare its performance with the popular sampling based algorithm rapidly-exploring random tree (RRT) as implemented in the Open Motion Planning Library (OMPL).
Chapter
Full-text available
Autonomous vehicles are expected to be able to avoid static and dynamic obstacles automatically, along their way. However, most of the collision-avoidance functionality is not formally verified, which hinders ensuring such systems’ safety. In this paper, we introduce formal definitions of the vehicle’s movement and trajectory, based on hybrid transition systems. Since formally verifying hybrid systems algorithmically is undecidable, we reduce the verification of nonlinear vehicle behavior to verifying discrete-time vehicle behavior overapproximations. Using this result, we propose a generic approach to formally verify autonomous vehicles with nonlinear behavior against reach-avoid requirements. The approach provides a Uppaal timed-automata model of vehicle behavior, and uses Uppaal STRATEGO for verifying the model with user-programmed libraries of collision-avoidance algorithms. Our experiments show the approach’s effectiveness in discovering bugs in a state-of-the-art version of a selected collision-avoidance algorithm, as well as in proving the absence of bugs in the algorithm’s improved version.
Chapter
In this paper, a novel model related to the safety of autonomous vehicles (AVs) is presented. A simulation platform is designed to analyze the environment and the trajectory of AVs within a given Operational Design Domain (ODD). This platform relies on model-based systems and includes the environment model, safety rules and their priorities, and execution scenarios. The goal is to create a simulation environment that enables safety experts to detect rule breaches by analyzing problems at run-time using generated monitors. Therefore, this platform will help to reevaluate the existing rules in two ways: either by reconsidering rule priorities or by proposing new rules to be integrated into the existing safety model. The validation and verification of the generated rules will follow a process based on the history of the executed scenarios. All the aforementioned work is carried out by using the GEMOC initiative tool to coordinate models using logical time.
Chapter
Recent advances in autonomous driving have raised the problem of safety to the forefront and incentivized research into establishing safety guarantees. In this paper, we propose a safety verification framework as a safety standard for driving controllers with full or shared autonomy based on compositional and contract-based principles. Our framework enables us to synthesize safety guarantees over entire road networks by first building a library of locally verified models, and then composing local models together to verify the entire network. Composition is achieved using assume-guarantee contracts that are synthesized concurrently during verification. Thus, we can reuse local models within and across networks, add additional models to cover local road geometries without re-verifying the entire library, and perform all computations in a parallel and distributed way, which enables computational tractability. Furthermore, we employ controller contracts such that any controller satisfying them can be certified safe. We demonstrate the practical effectiveness of our framework by certifying controllers over parts of the Manhattan road network.
Conference Paper
This paper presents a method for the validation of communicating autonomous vehicle (CAV) systems. The approach focuses on the formal modeling of CAVs by means of timed automata, to allow the formal analysis of vehicle behavior through model checkers, including fault tolerance with respect to various kinds of injected faults. We also present the results of our case studies, based on implementations of our CAV model in Uppaal.