I.
T RAFFIC F LOW M ERGE FAIRNESS
Currently, each input of the traffic flow merge component
has to assume that the other input is active all the time, which
in turn means that none of them actually ever assumes any
outflow. To overcome this issues, one can introduce a fairness
criterion by means of a fairness factor X that indicates to
which degree each input participates in the production of the
actual outflow.
A. Variant 1 – Fixed Ratios
We used KeYmaera to verify that Proposition 1—i. e., dL
formula (8)—holds for the fair traffic flow merge component
of Model 1. The introduction of fairness provides us with less
strict condition for the proposition.
1) Infinite Time: For a plain traffic flow merge component
infinite time load safety cannot be guaranteed A fair traffic
flow merge component however, is load safe for infinite-time,
if omax · (1 − X) ≥ i1max and omax · X ≥ i2max .
B. Variant 2 – Minimum Outfow
One way of introducing such a factor is, to fix the ratio to
which the roads contribute to the outflow, namely set X (with
0 ≤ X ≤ 1) as outflow from the first road, and 1 − X from
the second road.
Algorithm 1 Model of traffic flow in a fair traffic flow merge
component
∗
tfmf ≡ (ctrltfmf ; planttfmf )
ctrltfmf ≡ i1act := ∗; ?(0 ≤ i1act ≤ i1max );
i2act := ∗; ?(0 ≤ i2act ≤ i2max );
if (l1 > 0 ∨ l2 > 0) then oact := omax
else oact := Min(i1act + i2act , omax ) fi;
planttfmf ≡ l10 = i1act − oact · (1 − X),
(1)
(2)
(3)
(4)
(5)
(6)
l20 = i2act − oact · X, t0 = 1
(7)
An alternative definition of a fairness is, to use the factor
X as the minimum rate of the outflow that is guaranteed for
each of the inputs. This way, the road distribution road is still
set non-deterministically, but restricted by X.
Algorithm 2 Alternative model of traffic flow in a fair traffic
flow merge component
∗
tfmf ≡ (ctrltfmf ; planttfmf )
ctrltfmf ≡ road := ∗; ?(X ≤ road ≤ (1 − X));
i1act := ∗; ?(0 ≤ i1act ≤ i1max );
i2act := ∗; ?(0 ≤ i2act ≤ i2max );
if (l1 > 0 ∨ l2 > 0) then oact := omax
else oact := Min(i1act + i2act , omax ) fi;
planttfmf ≡ l10 = i1max − omax · (1 − road),
l20 = i2max − omax · road, t0 = 1
The resulting model (cf. Model 1) sets the actual flows
in (2) to (5). Apart from that it is rather static as the road
distribution is fixed to 1−X and X in the continuous evolution,
cf. (6) to (7).
To introduce this factor into the proposition, we have to
extend the proposition considering X.
Proposition 1 (Fair Merge Load Safety – 1): We want the
fair traffic flow merge component to be load-safe in order to
avoid an overflow which would result in a traffic breakdown.
A flow component with two inputs and one output is load safe
if
l (In1 , t, imax (In1 ) , {omax (Out1 )}) ≤ c (In1 )
and
l (In2 , t, imax (In2 ) , {omax (Out1 )}) ≤ c (In2 ) .
Thus, a fair traffic flow merge is safe (ψtfmf ) if it is load-safe
for up to a maximum time T .
ψtfmf ≡ t ≤ T → (l1 ≤ c1 ∧ l2 ≤ c2)
When started in a safe initial state φtfmf , a fair traffic flow
merge component tfmf ensures load safety ψtfmf
φtfmf → [tfmf]ψtfmf
with
φtfmf ≡ t = 0 ∧ i1max > 0 ∧ i2max > 0 ∧ omax > 0
∧ 0 ≤ X ∧ X ≤ 1 ∧ l1 = l2 = 0
∧ c1 ≥ T · (i1max − omax · (1 − X))
∧ c2 ≥ T · (i2max − omax · X) .
(8)
(9)
(10)
(11)
(12)
(13)
(14)
(15)
(16)
The resulting program (cf. Model 2) assigns a new nondeterministic road distribution road in the allowed interval
(i. e., X ≤ road ≤ (1 − X), with 0 ≤ X ≤ 0.5) in (10).
This results in a minimum outflow used by each input of at
least omax · X. The actual flows are set in (11) to (14). The
continuous evolution in (15) to (16) updates the load according
to the road distribution.
To introduce this factor into the proposition, we have to
extend the proposition considering X.
Proposition 2 (Fair Merge Load Safety – 2): We want the
fair traffic flow merge component to be load-safe in order to
avoid an overflow which would result in a traffic breakdown.
A flow component with two inputs and one output is load safe
if
l (In1 , t, imax (In1 ) , {omax (Out1 )}) ≤ c (In1 )
and
l (In2 , t, imax (In2 ) , {omax (Out1 )}) ≤ c (In2 ) .
Thus, a fair traffic flow merge is safe (ψtfmf ) if it is load-safe
for up to a maximum time T .
ψtfmf ≡ t ≤ T → (l1 ≤ c1 ∧ l2 ≤ c2)
When started in a safe initial state φtfmf , a fair traffic flow
merge component tfmf ensures load safety ψtfmf
φtfmf → [tfmf]ψtfmf
(17)
with
φtfmf ≡ t = 0 ∧ i1max > 0 ∧ i2max > 0 ∧ omax > 0
∧ 0 ≤ X ∧ X ≤ 0.5 ∧ l1 = l2 = 0
∧ c1 ≥ T · (i1max − omax · X)
∧ c2 ≥ T · (i2max − omax · X) .
The advantage of this alternative is that the flows are not
static, but can still vary within the bounds as restricted by X.
Still, the introduction of fairness provides us with less strict
condition for the proposition.
1) Infinite Time: A fair traffic flow merge component
following this definition is load safe for infinite-time, if
omax · X ≥ i1max and omax · X ≥ i2max .