Proving Safety of Traffic Manoeuvres on
Country Roads
Martin Hilscher, Sven Linker, Ernst-Rüdiger Olderog
Department of Computing Science, University of Oldenburg
September 2013
Motivation Model MLSL Controller Safety Future Work
The Challenge
Prove safety (collision freedom) of
traffic on country roads including overtaking:
A
E
2/22
C
M. Hilscher, S. Linker, E.-R. Olderog
Safety of Country Roads
Motivation Model MLSL Controller Safety Future Work
The Challenge
Prove safety (collision freedom) of
traffic on country roads including overtaking:
A
E
C
Hybrid system verification problem:
car dynamics + car controller(s) + assumptions |= safety
2/22
M. Hilscher, S. Linker, E.-R. Olderog
Safety of Country Roads
Motivation Model MLSL Controller Safety Future Work
Our Approach
Abstract model of multi-lane road traffic
based on spatial properties hiding car dynamics.
3/22
M. Hilscher, S. Linker, E.-R. Olderog
Safety of Country Roads
Motivation Model MLSL Controller Safety Future Work
Our Approach
Abstract model of multi-lane road traffic
based on spatial properties hiding car dynamics.
Properties expressed in a Multi-Lane Spatial Logic inspired by:
3/22
I
Moszkowski’s interval temporal logic [Mos85]
I
Zhou, Hoare and Ravn’s Duration Calculus [ZHR91]
I
Schäfer’s Shape Calculus [Sch07]
M. Hilscher, S. Linker, E.-R. Olderog
Safety of Country Roads
Motivation Model MLSL Controller Safety Future Work
Model
3
B
A
2
b=1
0
E
C
D
F
Preliminaries:
4/22
I
Car identifiers globally unique: A, B, . . .
Set of all car identifiers: I
I
Infinite road (R)
I
Lanes: L = {0, . . . , N}
Border: b ∈ L
M. Hilscher, S. Linker, E.-R. Olderog
Safety of Country Roads
Motivation Model MLSL Controller Safety Future Work
Model
3
B
b=1
0
A
claim E
2
E
F
C
spd(E), acc(E)
D
pos(E)
A traffic snapshot is a structure TS = (res, clm, pos, spd, acc), where
5/22
I
res : I → P(L) reserved lanes,
I
clm : I → P(L) claimed lanes,
I
pos : I → R car positions,
I
spd : I → R current speeds,
I
acc : I → R current accelerations.
M. Hilscher, S. Linker, E.-R. Olderog
Safety of Country Roads
Motivation Model MLSL Controller Safety Future Work
Transitions
TS−
→TS0 for an action α of the following type:
α
t
TS→
− TS0
acc(C ,a)
TS−−−−−→TS0
c(C ,n)
TS−−−−→TS0
wd c(C )
TS−−−−−→TS0
r(C )
TS−−→TS0
wd r(C ,n)
TS−−−−−−→TS0
6/22
time passes
accelerate
claim
withdraw claim
reserve
withdraw reservation
M. Hilscher, S. Linker, E.-R. Olderog
Safety of Country Roads
Motivation Model MLSL Controller Safety Future Work
Local View
3
B
b=1
0
A
claim E
2
C
E
F
spd(E), acc(E)
pos(E)
D
view of E
View V = (L, X , E ), where
7/22
I
L = [m, n] subinterval of L,
I
X = [r , t] subinterval of R,
I
E ∈ I identifier of car under consideration.
M. Hilscher, S. Linker, E.-R. Olderog
Safety of Country Roads
Motivation Model MLSL Controller Safety Future Work
Local View
3
B
2
b=1
0
A
claim E
C
E
spd(E), acc(E)
F
pos(E)
D
standard view of E
Standard view Vs = (L, X , E ), where
I
L = L,
I
X = [pos(E ) − h, pos(E ) + h],
I
E ∈ I,
and h is the horizon.
7/22
M. Hilscher, S. Linker, E.-R. Olderog
Safety of Country Roads
Motivation Model MLSL Controller Safety Future Work
Sensor Function
3
B
b=1
0
A
claim E
2
C
E
F
spd(E), acc(E)
size
safety envelope
D
view of E
pos(E)
Sensor function covering directions:
ΩE : I × TS → R
e.g., perfect knowledge
ΩE (I , TS) ≡ se(I , TS).
8/22
M. Hilscher, S. Linker, E.-R. Olderog
Safety of Country Roads
Motivation Model MLSL Controller Safety Future Work
Syntax: MLSL + `
Multi-Lane Spatial Logic with length measurements:
I
I
Car variables: c, d, special variable ego
Real variables: x, y
Real-valued terms θ
θ ::= r | x | f (c1 , . . . , cn ) | g (θ1 , . . . , θn ),
Formulae φ
φ ::= true | c = d | ` = θ | free | re(c) | cl(c)
| φ1 ∧ φ2 | ¬φ1 | ∃c : φ1
| φ1 a φ2 |
9/22
(FOL)
φ2
φ1
M. Hilscher, S. Linker, E.-R. Olderog
(Atoms)
(Spatial)
Safety of Country Roads
Motivation Model MLSL Controller Safety Future Work
Semantics
C
E
E
φ≡
10/22
true
free a re(ego) a free
M. Hilscher, S. Linker, E.-R. Olderog
Safety of Country Roads
Motivation Model MLSL Controller Safety Future Work
Semantics
C
E
E
φ≡
10/22
true
free a re(ego) a free
M. Hilscher, S. Linker, E.-R. Olderog
Safety of Country Roads
Motivation Model MLSL Controller Safety Future Work
Semantics
C
E
E
φ≡
10/22
true
free a re(ego) a free
M. Hilscher, S. Linker, E.-R. Olderog
Safety of Country Roads
Motivation Model MLSL Controller Safety Future Work
Example: Collision Check

Somewhere:
11/22

true
hφ i ≡ true a  φ  a true
true
M. Hilscher, S. Linker, E.-R. Olderog
Safety of Country Roads
Motivation Model MLSL Controller Safety Future Work
Example: Collision Check

Somewhere:

true
hφ i ≡ true a  φ  a true
true
E
C
hre(ego) ∧ re(c)i
11/22
M. Hilscher, S. Linker, E.-R. Olderog
Safety of Country Roads
Motivation Model MLSL Controller Safety Future Work
Example: Collision Check

Somewhere:

true
hφ i ≡ true a  φ  a true
true
E
C
hre(ego) ∧ re(c)i
11/22
M. Hilscher, S. Linker, E.-R. Olderog
Safety of Country Roads
Motivation Model MLSL Controller Safety Future Work
Example: Collision Check

Somewhere:

true
hφ i ≡ true a  φ  a true
true
E
C
hre(ego) ∧ re(c)i
cc ≡ ∃c : c 6= ego ∧ hre(ego) ∧ re(c)i
11/22
M. Hilscher, S. Linker, E.-R. Olderog
Safety of Country Roads
Motivation Model MLSL Controller Safety Future Work
Example: Collision Check

Somewhere:

true
hφ i ≡ true a  φ  a true
true
E
C
cc ≡ ∃c : c 6= ego ∧ hre(ego) ∧ re(c)i
Safety from ego’s perspective:
11/22
M. Hilscher, S. Linker, E.-R. Olderog
¬cc
Safety of Country Roads
Motivation Model MLSL Controller Safety Future Work
Controller: General Idea
I
Perfect knowledge, i.e.,
sensors return full safety envelopes of all cars
I
Instantaneous broadcast communication
I
Timed automaton with data variables:
I
I
I
I
I
12/22
variable n: original lane,
variable `: target lane,
clock x,
guards and invariants:
MLSL formulae and clock/data constraints,
actions:
transitions of cars, clock/data updates.
M. Hilscher, S. Linker, E.-R. Olderog
Safety of Country Roads
Motivation Model MLSL Controller Safety Future Work
Protocol for Overtaking
A
E
C
1. LC
idle
13/22
2. Pass
1. change lane
M. Hilscher, S. Linker, E.-R. Olderog
3. CB
2. pass
Safety of Country Roads
3. change back
Motivation Model MLSL Controller Safety Future Work
Aim: Safety of Overtaking
A traffic snapshot safe if it satisfies
Safe ≡ ∀c, d : c 6= d ⇒ ¬ hre(c) ∧ re(d)i .
14/22
M. Hilscher, S. Linker, E.-R. Olderog
Safety of Country Roads
Motivation Model MLSL Controller Safety Future Work
Aim: Safety of Overtaking
A traffic snapshot safe if it satisfies
Safe ≡ ∀c, d : c 6= d ⇒ ¬ hre(c) ∧ re(d)i .
Assumptions:
A1. There is an initial safe traffic snapshot.
A2. Every car C is equipped with a distance controller.
A3. Every car is equipped with a contoller implementing
the protocol for overtaking.
A4. The horizon in the standard view is sufficiently large.
14/22
M. Hilscher, S. Linker, E.-R. Olderog
Safety of Country Roads
Motivation Model MLSL Controller Safety Future Work
Aim: Safety of Overtaking
A traffic snapshot safe if it satisfies
Safe ≡ ∀c, d : c 6= d ⇒ ¬ hre(c) ∧ re(d)i .
Assumptions:
A1. There is an initial safe traffic snapshot.
A2. Every car C is equipped with a distance controller.
A3. Every car is equipped with a contoller implementing
the protocol for overtaking.
A4. The horizon in the standard view is sufficiently large.
Safety of Overtaking
Under the assumptions A1 to A4,
the protocol specifying the overtaking procedure is safe.
14/22
M. Hilscher, S. Linker, E.-R. Olderog
Safety of Country Roads
Motivation Model MLSL Controller Safety Future Work
Lane Change on Non-Borders
A
b
C
claim E
E
D
Relevant traffic in one direction as on motorways: [HLOR11]
15/22
M. Hilscher, S. Linker, E.-R. Olderog
Safety of Country Roads
Motivation Model MLSL Controller Safety Future Work
Lane Change on Non-Borders
I
pc ≡ ∃c : c 6= ego ∧ hre(c) ∧ cl(ego)i
Potential collision:
C
claim E
E
15/22
M. Hilscher, S. Linker, E.-R. Olderog
Safety of Country Roads
Motivation Model MLSL Controller Safety Future Work
Lane Change on Non-Borders
pc/
wd c(ego)
q0 : ¬cc
q1
¬pc/
req!ego; x := 0
n + 1 ≤ b/
c(ego, n + 1);
l := n + 1
q2 :
¬pc
x ≤ to
pc ∧ x ≥ to/
r(ego); x := 0
pc ∨ no?c : ego = c/
wd c(ego)
x ≥ tlc /
wd r(ego, l); n := l
15/22
M. Hilscher, S. Linker, E.-R. Olderog
q3 : x ≤ tlc
Safety of Country Roads
Motivation Model MLSL Controller Safety Future Work
Lane Change into Opposing Traffic
A
b
E
C
1. LC
16/22
2. Pass
M. Hilscher, S. Linker, E.-R. Olderog
3. CB
Safety of Country Roads
dmax
Motivation Model MLSL Controller Safety Future Work
Lane Change into Opposing Traffic
A
b
E
C
1. LC
2. Pass
3. CB
dmax
k1
I
Enough space on original lane:
esol(c) ≡ re(ego) a (free a re(c) a free)k1 a free dlcb
where φ θ ≡ φ ∧ ` = θ .
16/22
M. Hilscher, S. Linker, E.-R. Olderog
Safety of Country Roads
Motivation Model MLSL Controller Safety Future Work
Lane Change into Opposing Traffic
A
claim E
b
E
C
1. LC
2. Pass
3. CB
k2
I
Enough space on target lane:
estl(c) ≡
16/22
cl(ego) a free k2
M. Hilscher, S. Linker, E.-R. Olderog
Safety of Country Roads
d
max
Motivation Model MLSL Controller Safety Future Work
Lane Change into Opposing Traffic
pc∨
¬(∃c : estl(c) ∧ esol(c))/
¬pc∧
wd c(ego)
∃c : estl(c)∧
esol(c)
q1
q0 : ¬cc
n = b/
c(ego, n + 1);
l := n + 1
q2 :
pc ∨ ¬(∃c : estl(c) ∧ esol(c))/wd c(ego)
q4
16/22
x ≥ tlc /wd r(ego, l); n := l
M. Hilscher, S. Linker, E.-R. Olderog
Safety of Country Roads
¬pc∧
∃c : estl(c) ∧ esol(c)
¬pc∧
∃c : estl(c)∧
esol(c)/
r(ego); x := 0;
att!ego
q3 : x ≤ tlc
Motivation Model MLSL Controller Safety Future Work
Additional Helper Controller
A
b
E
att
C
no
req
D
Inside car C in the role of ego:
q0
att?e ∧ hre(e) a free a re(ego)i /
h := e
hre(ego) a free a re(h)i
17/22
M. Hilscher, S. Linker, E.-R. Olderog
q1
req?d ∧ hre(ego) a free a cl(d)i /
c := d
q2 : U
no!c
Safety of Country Roads
Motivation Model MLSL Controller Safety Future Work
Pass and Change Back
A
E
C
1. LC
2. Pass
3. CB
Simple controllers for phases 2 and 3
18/22
M. Hilscher, S. Linker, E.-R. Olderog
Safety of Country Roads
Motivation Model MLSL Controller Safety Future Work
Safety of Overtaking
A traffic snapshot TS safe if it satisfies
Safe ≡ ∀c, d : c 6= d ⇒ ¬ hre(c) ∧ re(d)i .
Assumptions:
A1. There is an initial safe traffic snapshot TS0 .
A2. Every car C is equipped with a distance controller that
keeps Safe invariant under time and accelaration transitions.
A3. Every car is equipped with a contoller implementing
the protocol for overtaking.
A4. The horizon in the standard view is h = se max + 2 · dmax .
19/22
M. Hilscher, S. Linker, E.-R. Olderog
Safety of Country Roads
Motivation Model MLSL Controller Safety Future Work
Theorem (Safety of Overtaking)
Under the assumptions A1 to A4,
the protocol specifying the overtaking procedure is safe.
20/22
M. Hilscher, S. Linker, E.-R. Olderog
Safety of Country Roads
Motivation Model MLSL Controller Safety Future Work
Theorem (Safety of Overtaking)
Under the assumptions A1 to A4,
the protocol specifying the overtaking procedure is safe.
Proof idea.
We show that every traffic snapshot TS that is reachable from TS0
by time and acceleration transitions and transitions allowed by
the controller implementing the overtaking protocol is safe.
20/22
M. Hilscher, S. Linker, E.-R. Olderog
Safety of Country Roads
Motivation Model MLSL Controller Safety Future Work
Future and Further Work
I
Here: perfect knowledge
Next: limited sensor functions, where
each car E sees own safety envelope and the size of other cars:
ΩE (I , TS) ≡ if I = E then se(I , TS) else size(I ) fi.
Done for motorways in [HLOR11].
21/22
I
Link to car dynamics
I
Proof theory of MLSL: see [LH13] at ICTAC 2013,
towards automatic verification
I
Visual specification: S. Linker
M. Hilscher, S. Linker, E.-R. Olderog
Safety of Country Roads
Motivation Model MLSL Controller Safety Future Work
Related Work
California PATH project: car platoons including lane change
I
Lygeros et al. [LGS98]: sketch of safety proof
taking car dynamics into accout, admitting safe collisions.
Lane Change Manoeuvres
I
Platzer et al. [LPN11]: Quantified differential dynamic Logic QdL
expresses car dynamics and creation of new cars.
Controller design for hybrid systems
22/22
I
Raisch et al. [MRD03]: abstraction and refinement for
hierarchical design of hybrid control systems.
I
Van Schuppen et al. [HCvS06]: synthesis of control laws for
piecewise-affine hybrid systems based on simplices.
M. Hilscher, S. Linker, E.-R. Olderog
Safety of Country Roads
Motivation Model MLSL Controller Safety Future Work
References
L. C. G. J. M. Habets, P.J. Collins, and J.H. van Schuppen.
Reachability and control synthesis for piecewise-affine hybrid systems on simplices.
IEEE Trans. on Automatic Control, 51(6):938–948, June 2006.
Jifeng He, C. A. R. Hoare, M. Fränzle, M. Müller-Olm, E.-R. Olderog, M. Schenke,
M. R. Hansen, A. P. Ravn, and H. Rischel.
Provably correct systems.
In H. Langmaack, W. P. de Roever, and J. Vytopil, editors, FTRTFT, volume 863 of
LNCS, pages 288–335. Springer, 1994.
M. Hilscher, S. Linker, E.-R. Olderog, and A.P. Ravn.
An abstract model for proving safety of multi-lane traffic manoeuvres.
In Shengchao Qin and Zongyan Qiu, editors, Int’l Conf. on Formal Engineering
Methods (ICFEM), volume 6991 of LNCS, pages 404–409. Springer, 2011.
J. Lygeros, D. N. Godbole, and S. S. Sastry.
Verified hybrid controllers for automated vehicles.
IEEE Transactions on Automatic Control, 43(4):522–539, 1998.
S. Linker and M. Hilscher.
Proof theory of a multi-lane spatial logic.
In Zhiming Liu, Jim Woodcock, and Huibiao Zhu, editors, Int’l Conf. on Theoret.
Aspects of Comput. (ICTAC), volume 8049 of LNCS, pages 231–248. Springer, 2013.
22/22
M. Hilscher, S. Linker, E.-R. Olderog
Safety of Country Roads
Motivation Model MLSL Controller Safety Future Work
S. M. Loos, A. Platzer, and L. Nistor.
Adaptive cruise control: Hybrid, distributed, and now formally verified.
In M. Butler and W. Schulte, editors, FM 2011: Formal Methods, volume 6664 of
LNCS, pages 42–56. Springer, 2011.
B. Moszkowski.
A temporal logic for multilevel reasoning about hardware.
Computer, 18(2):10–19, 1985.
T. Moor, J. Raisch, and J.M Davoren.
Admissiblity criteria for a hierarchical design of hybrid systems.
In Proc. IFAD Conf. on Analysis and Design of Hybrid Systems, pages 389–394, St.
Malo, France, 2003.
A. Schäfer.
Axiomatisation and decidability of multi-dimensional duration calculus.
Information and Computation, 205:25–64, 2007.
C. Zhou, C.A.R. Hoare, and A.P. Ravn.
A calculus of durations.
Information Processing Letters, 40(5):269–276, 1991.
22/22
M. Hilscher, S. Linker, E.-R. Olderog
Safety of Country Roads