An Abstract Model for Proving Safety of
Multi-Lane Traffic Manoeuvres
Martin Hilscher¹, Sven Linker¹, Ernst-Rüdiger Olderog¹, Anders P. Ravn²
¹ Carl von Ossietzky University of Oldenburg
² Aalborg University
27th Oct. 2011
Motivation
(figure: cars E and C on a multi-lane motorway)
- automated cars driving on motorways
- safety = collision freedom
- safety of distance controllers examined
- lane change?
  - PATH project: game-theoretic approach, allowing for safe collision
  - van Schuppen, 2006: safety of controllers by safe transitions
  - consideration of full dynamics needed
2/19
Hilscher, Linker, Olderog, Ravn Model for Proving Safety of Multi-Lane Manoeuvres
Approach
- abstract from dynamics during reasoning
- reduce global property to local problem
- define spatial logic suited for problem: MLSL
- for lane-change distinguish between
  - reservation, i.e. space used as safety envelope of car
  - claim, i.e. communication of desired envelope extension
- assume safe distance-controller, concerning reservations
- develop controllers for lane-change manoeuvre
- different models of sensors
  1. all reservations/claims are visible to all participants
  2. own reservation/claim visible, position/physical size of others
(figure: cars C, D and E with their reservations and claims)
Abstract Road Model TS
- dense, infinite extension (ℝ)
- arbitrary, finite number of lanes (N ∈ ℕ)
- infinite, countable number of cars, each with
  - position
  - speed
  - acceleration
- all cars drive in same direction
- reservation: space occupied by car
- claim: space to be occupied after lane change
- length of reservation/claim determined by size and braking distance
(figure: lanes 0 … n with cars A, B and C)
Operational Behaviour
Transitions of a traffic snapshot TS to a successor TS′:
- TS −t→ TS′: passing of time
- TS −acc(C, a)→ TS′: setting new acceleration
- TS −c(C, n)→ TS′: create claim
- TS −wd c(C)→ TS′: withdraw claim
- TS −r(C)→ TS′: create reservation
- TS −wd r(C, n)→ TS′: withdraw reservation
Views
V = (L, X, E)
- L: connected subset of lanes
- X: finite part of road
- E: car associated with view (owner)
- V restricts cars visible to owner
(figure: view of owner E containing cars A, B and C)
Formulae
Terms
- Car variables c, d
- Special variable ego: always evaluated to E
Syntax
φ ::= true | c = d | free | re(c) | cl(c)     (Atoms)
    | φ1 ∧ φ2 | ¬φ1 | ∃c : φ1                  (FOL)
    | φ1 ⌢ φ2 | ⎡φ2⎤                           (Spatial: horizontal chop, and vertical chop with φ2 above φ1)
                ⎣φ1⎦
Semantics
(figures: single-lane views)
- an empty lane segment ⊨ free: free space
- a segment inside the reservation of A ⊨ re(A): reservation of the car A
- a segment inside the claim of A ⊨ cl(A): claim of the car A
- a segment with A's reservation followed by free space ⊨ re(A) ⌢ free: horizontal chop operation
Semantics
(figure: three-lane view of owner E; E's reservation on the bottom lane, C's reservation and E's claim on the middle lane)
φ ≡ ⎡ free                                   ⎤
    ⎢ free ⌢ re(C) ⌢ free ⌢ cl(ego) ⌢ free    ⎥
    ⎣ free ⌢ re(ego) ⌢ free                  ⎦
A weaker formula for the same view:
φ′ ≡ ⎡ true                    ⎤
     ⎣ free ⌢ re(ego) ⌢ free  ⎦
Abbreviations
- Boolean abbreviations, universal quantification
- Somewhere:
  ⟨φ⟩ ≡ true ⌢ ⎡ true ⎤ ⌢ true
                ⎢  φ   ⎥
                ⎣ true ⎦
- Occupied by c:
  c ≡ re(c) ∨ cl(c)
Example
(figure: view of owner E with cars C and E; E's reservation and claim are both labelled ego)
Examples
potential collision check: pc(c) ≡ c ≠ ego ∧ ⟨cl(ego) ∧ c⟩
- car c is different from ego
- and ego's claim overlaps with the reservation/claim of c
potential helper check: ph(c) ≡ ⟨re(c) ⌢ free ⌢ cl(ego)⟩
- c is driving behind the claim of ego
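As an added illustration of the semantics on slides 7 to 13 (this is not code from the slides or from the authors), the following Python block is a small discrete model checker for the MLSL fragment above. It assumes a constructed cell-based encoding of views (integer cells along the road, lanes numbered from 0 at the bottom) and evaluates the formula φ of slide 10 together with pc, ph and cc on a sample situation; the names `situation`, `holds`, `SLIDE_VIEW` and `PHI` are my own.

```python
from typing import Callable, Dict, FrozenSet, Tuple

# Constructed encoding: a situation maps (lane, cell) -> set of (car, kind), kind in {"re", "cl"};
# lanes are numbered from 0 (bottom), the road extent is cut into integer cells.
Situation = Dict[Tuple[int, int], FrozenSet[Tuple[str, str]]]
Formula = Callable[[Situation, int, int, int, int], bool]  # on sub-view lanes [l0,l1), cells [x0,x1)

def atom(pred) -> Formula:  # atoms hold only on exactly one lane of positive extent
    return lambda s, l0, l1, x0, x1: l1 - l0 == 1 and x1 > x0 and all(
        pred(s.get((l0, x), frozenset())) for x in range(x0, x1))

TRUE: Formula = lambda s, l0, l1, x0, x1: True
FREE: Formula = atom(lambda o: not o)                              # no envelope at all
def RE(c: str) -> Formula: return atom(lambda o: (c, "re") in o)  # inside c's reservation
def CL(c: str) -> Formula: return atom(lambda o: (c, "cl") in o)  # inside c's claim
def AND(f, g): return lambda *v: f(*v) and g(*v)
def OR(f, g): return lambda *v: f(*v) or g(*v)
def HCHOP(f, g) -> Formula:  # f ⌢ g: cut the cell interval at some point r (parts may be empty)
    return lambda s, l0, l1, x0, x1: any(
        f(s, l0, l1, x0, r) and g(s, l0, l1, r, x1) for r in range(x0, x1 + 1))
def VCHOP(upper, lower) -> Formula:  # column [upper / lower]: lower on lanes [l0,m), upper on [m,l1)
    return lambda s, l0, l1, x0, x1: any(
        lower(s, l0, m, x0, x1) and upper(s, m, l1, x0, x1) for m in range(l0, l1 + 1))
def SOMEWHERE(f) -> Formula:  # <f> ≡ true ⌢ [true / f / true] ⌢ true
    return HCHOP(TRUE, HCHOP(VCHOP(TRUE, VCHOP(f, TRUE)), TRUE))
def OCC(c: str) -> Formula: return OR(RE(c), CL(c))                # "c" ≡ re(c) ∨ cl(c)
def PC(ego: str, c: str) -> Formula:  # pc(c) ≡ c ≠ ego ∧ <cl(ego) ∧ c>
    return AND(lambda *v: c != ego, SOMEWHERE(AND(CL(ego), OCC(c))))
def PH(ego: str, c: str) -> Formula:  # ph(c) ≡ <re(c) ⌢ free ⌢ cl(ego)>
    return SOMEWHERE(HCHOP(RE(c), HCHOP(FREE, CL(ego))))
def CC(ego: str, cars) -> Formula:    # cc ≡ ∃c : c ≠ ego ∧ <re(ego) ∧ re(c)>
    return lambda *v: any(c != ego and SOMEWHERE(AND(RE(ego), RE(c)))(*v) for c in cars)

def situation(envelopes) -> Situation:
    # envelopes: (car, kind, lane, first cell, end cell exclusive); constructed sample data
    s: Dict[Tuple[int, int], set] = {}
    for car, kind, lane, a, b in envelopes:
        for x in range(a, b):
            s.setdefault((lane, x), set()).add((car, kind))
    return {k: frozenset(v) for k, v in s.items()}

# The view of slide 10: ego E reserves lane 0 and claims lane 1; C drives on lane 1 behind the claim.
SLIDE_VIEW = situation([("E", "re", 0, 4, 7), ("E", "cl", 1, 4, 7), ("C", "re", 1, 1, 3)])
PHI = VCHOP(FREE, VCHOP(HCHOP(FREE, HCHOP(RE("C"), HCHOP(FREE, HCHOP(CL("E"), FREE)))),
                        HCHOP(FREE, HCHOP(RE("E"), FREE))))

def holds(f: Formula, s: Situation, lanes: int = 3, cells: int = 10) -> bool:
    return f(s, 0, lanes, 0, cells)   # evaluate on the full view
```

On `SLIDE_VIEW` the formula φ holds, `pc(C)` is false and `ph(C)` is true; adding a car D whose reservation overlaps ego's claim on lane 1 makes `pc(D)` true and φ false.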
Controller LCP: General Idea
1. Claim a lane (time may pass)
2. Check for collisions
3. Reserve the lane (two lanes are reserved!)
4. Change lane (time passes up to t_lc)
5. Remove reservation of old lane
Formalization
(Extended) timed automaton with data variables:
- Guards and Invariants: formulae of MLSL and clock/data constraints,
- Actions: transitions of cars, clock/data updates.
Assumptions/Abbreviations
Assumptions for LCP
- Perfect knowledge, i.e., sensors return full safety envelopes of cars
- instantaneous communication
- ℓ: contains current lane
- x: clock
Abbreviations
- collision check cc:
  cc ≡ ∃c : c ≠ ego ∧ ⟨re(ego) ∧ re(c)⟩
- potential collision check pc(c):
  pc(c) ≡ c ≠ ego ∧ ⟨cl(ego) ∧ c⟩
Automaton for Lane Change Manoeuvre
States with invariants: q0 : ¬cc;  q1;  q2 : ¬∃c : pc(c) ∧ x < t_o;  q3 : x < t_lc
Edges (guard / action), annotated with the steps of the general idea:
1. Claim a lane (time may pass)
   q0 → q1:  ℓ+1 ≤ N / c(E, ℓ+1); n := ℓ+1
   q0 → q1:  0 ≤ ℓ−1 / c(E, ℓ−1); n := ℓ−1
2. Check for collisions
   q1 → q2:  ¬∃c : pc(c) / x := 0
   q1 → q0:  ∃c : pc(c) / wd c(E)
3. Reserve the lane
   q2 → q3:  ¬∃c : pc(c) / r(E); x := 0
   q2 → q0:  ∃c : pc(c) / wd c(E)
4. Change lane
   q3: time passes while x < t_lc
5. Remove reservation of old lane
   q3 → q0:  x ≥ t_lc / wd r(E, ℓ); ℓ := n
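An added simulation of the LCP automaton above, covering steps 1 to 5 of slides 14 and 16 (this is not code from the slides or from the authors). It assumes the perfect-knowledge setting, computes pc and cc directly as interval overlaps on constructed envelope data, keeps ego's extent fixed with other cars moving relative to it, and uses my own names `run_lcp`, `sample_env` and `demo`.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Extent = Tuple[float, float]   # [start, end) along the road, relative to ego; constructed encoding

@dataclass
class Car:                      # perfect knowledge: full safety envelopes are visible
    name: str
    res: Dict[int, Extent]      # reserved lanes -> extent
    cl: Dict[int, Extent] = field(default_factory=dict)   # claimed lane -> extent

def overlaps(a: Extent, b: Extent) -> bool:
    return a[0] < b[1] and b[0] < a[1]

def pc(ego: Car, c: Car) -> bool:   # pc(c): ego's claim overlaps c's reservation or claim
    return c.name != ego.name and any(overlaps(e, o[l]) for l, e in ego.cl.items()
                                      for o in (c.res, c.cl) if l in o)

def cc(ego: Car, c: Car) -> bool:   # cc: ego's reservation overlaps c's reservation
    return c.name != ego.name and any(overlaps(e, c.res[l]) for l, e in ego.res.items() if l in c.res)

def run_lcp(ego: Car, env: Callable[[float], List[Car]], lane: int, N: int,
            target: int, t_lc: float, dt: float) -> List[str]:
    """One lane-change attempt of LCP from lane ℓ = lane to the adjacent lane `target`;
    env(t) lists the other cars at time t. Returns the trace of actions; ends in q0."""
    assert target in (lane + 1, lane - 1) and 0 <= target <= N      # guards of q0 -> q1
    assert not any(cc(ego, c) for c in env(0.0)), "invariant of q0: no collision"
    t, trace = 0.0, []
    ego.cl[target] = ego.res[lane]; trace.append(f"c(E,{target})")          # 1: claim, n := target
    if any(pc(ego, c) for c in env(t)):                                     # 2: check in q1/q2
        del ego.cl[target]; trace.append("wd c(E)"); return trace           # back to q0
    # the check is instantaneous here, so the clock in q2 never reaches the timeout t_o
    ego.res[target] = ego.cl.pop(target); x = 0.0; trace.append("r(E)")     # 3: reserve, x := 0
    while x < t_lc:                                                         # 4: q3, both lanes reserved
        t += dt; x += dt
        assert not any(cc(ego, c) for c in env(t)), "distance controllers keep reservations apart"
    del ego.res[lane]; trace.append(f"wd r(E,{lane}); ℓ := {target}")       # 5: free the old lane
    return trace

def sample_env(t: float) -> List[Car]:
    # constructed traffic: C ahead of ego on lane 1 and pulling away, D far behind on lane 1
    return [Car("C", {1: (40.0 + 20.0 * t, 60.0 + 20.0 * t)}), Car("D", {1: (0.0, 10.0)})]

def demo() -> Tuple[List[str], List[str], Dict[int, Extent]]:
    ego = Car("E", {0: (30.0, 50.0)})
    first = run_lcp(ego, sample_env, 0, 2, 1, t_lc=2.0, dt=0.5)                      # C still overlaps
    second = run_lcp(ego, lambda t: sample_env(t + 1.0), 0, 2, 1, t_lc=2.0, dt=0.5)  # one second later
    return first, second, ego.res
```

The first attempt withdraws the claim because C's reservation overlaps it; the second, started one second later, reserves lane 1, holds both reservations for t_lc and then frees lane 0.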
Proof Idea of ¬∃c : c ≠ ego ∧ ⟨re(c) ∧ re(ego)⟩
Consider the edge q2 → q3 with guard ¬∃c : pc(c) and action r(E); x := 0, where q2 has invariant ¬∃c : pc(c) ∧ x < t_o and q3 has invariant x < t_lc:
- only transition creating a reservation
- invariant of q2 prohibits overlaps of claim and other reservation
- the same holds for guard of transition
- instantaneous creation of reservation + communication of new reservation
- distance controller prohibits overlaps with other reservations afterwards
Holds for all cars, hence no overlapping reservations
Conclusion
- purely spatial reasoning about traffic situations
- definition of lane-change controllers ✓
  - with perfect knowledge
  - with more realistic knowledge
- proof of safety of controllers ✓
Future Work
- add temporal aspects
- connect MLSL-semantics with dynamics (Raisch et al.)
- more complex situations (two-way traffic, urban scenarios)
- different topologies of lanes (air traffic)
- connection to existing spatial logics (S4, Shape Calculus, ...)
Thank you
An Abstract Model for Proving Safety of Multi-Lane Traffic Manoeuvres
Martin Hilscher, martin.hilscher@informatik.uni-oldenburg.de
Sven Linker, sven.linker@informatik.uni-oldenburg.de
Ernst-Rüdiger Olderog, olderog@informatik.uni-oldenburg.de
Anders P. Ravn, apr@cs.aau.dk