Getting Out of the Way – Safety Verification without Compromise Theodore P. Pavlic, Sai Prathyusha Peddi, Paolo A.G. Sivilotti, and Bruce W. Weide Department of Computer Science & Engineering The Ohio State University {pavlic.3, peddi.2, sivilotti.1, weide.1}@osu.edu Abstract Safety is often viewed as a quantity to be traded off for better performance. In our work, we look to provide safety verification tools and techniques that enhance rather than compromise on performance. Here, we examine two examples. Modern adaptive cruise control technologies are designed to improve the comfort or safety of the driver; however, no safety guarantees are asserted by these designs. Furthermore, existing theoretical work in the safety verification of adaptive cruise control algorithms require both discrete braking modes and overly conservative separation distances to make such safety guarantees. Thus, existing work in safety verification both risks reducing driver comfort while also eliminating any of the performance gains typically associated with automated highways. Our work extends verification of automated highway systems to mitigate both of these problems. Motivated by optimal control and verification of software systems, we have developed safety conditions for adaptive cruise control algorithms that do not require discontinuous braking and also allow for substantially lower following distances than existing work in the verification of autonomous highway systems. Moreover, we demonstrate a novel approach for verifying software in hybrid systems by embedding the continuous dynamics into the software specifications. The result is a verified software paradigm consistent with the vision of Hoare’s verifying compiler. Finally, we shift gears to consider how variable yellow timing and a new encoding of traffic light signals can be used to guarantee safe intersections that also reduce fuel consumption. Keywords: verification; hybrid systems; safety; adaptive cruise control; signal coordination and timing; yellow light Adaptive Cruise Control (ACC) Conventional Verification of ACC: WCS • Assume global upper and lower braking bounds • Assume worst-case scenario (WCS) – Leader uses strongest braking behavior – Follower uses weakest braking behavior • Safe distance grows with braking interval Time(s) Distancefromfollowerstartposition(ft) Possiblebehaviorsusingworst-casebounds Specifications using worst-case stopping distances • Worst-case and best-case scenarios are shown. In each: – Leader is solid blue – Follower is dashed red • WCS is depicted by intersecting lines – Automated proof of safety is relatively simple • For realizations where follower braking is con- trolled as opposed to unknown, the WCS safe- braking distance is overly conservative Heterogeneous ACC with Braking Control • Follower’s weakest braking bound is controlled • Upper bound on each leader is inferred – e.g., plate tag indicates braking category • Safety does not follow from stopping distances . . . . . . Time(s) Distancefromfollowerstartposition(ft) Collisionscenariodespitesafebrakingdistance Collision Although Safe Stopping-Distance • Non-trivial braking constraints for follower – Verification is more challenging . . . . . . Time(s) Distancefromfollowerstartposition(ft) Boundedaccelerationpreventscollision Marginally Safe Stop after Evasive Acceleration Mixed-Traffic Adaptive Cruise Control Verifying Cyber-Physical Systems Conventional verification: either model or software Physical portion of real system Control software portion of real system sensing and actuation Mathematical model of physical behavior Control software Mathematical model of allowed behavior abstraction and modeling identity model verification software verification CPS Concrete–Abstract Correspondence To combine the two: havoc dt assume 0.0 < dt and dt < rho physical loop maintains bl = #bl and bf = #bf and afMax = #afMax and rho = #rho and af = #af and dt = #dt and 0.0 <= t and t < rho + dt and vl = VEL(#vl, -bl, t) and xl = POS(#xl, #vl, -bl, t) and vf = VEL(#vf, af, t) and xf = POS(#xf, #vf, af, t) and xl >= xf while IsGreater (rho, t) do variable zero, dv, dx: Real dv := Replica (dt) Multiply (dv, bl) Subtract (vl, dv) if IsGreater (zero, vl) then Clear (vl) end if dx := Replica (dt) Multiply (dx, vl) Add (xl, dx) dv := Replica (dt) Multiply (dv, af) Add (vf, dv) if IsGreater (zero, vf) then Clear (vf) end if dx := Replica (dt) Multiply (dx, vf) Add (xf, dx) Add (t, dt) end loop Augment Annotated Code with Physical Loop Prove: VEL (vl 4 , -bl 0 ,t 11 ) - dt 9 × bl 0 = VEL (vl 4 , -bl 0 ,t 11 + dt 9 ) Given: 0.0 < bl 0 0.0 < bf 0 0.0 < afMax 0 bf 0 ≤ bl 0 0.0 < rho 0 MINGAP (vl 2 , bl 0 , vf 2 , bf 0 , afMax 0 , rho 0 ) ≤ xl 2 - xf 2 0.0 ≤ vl 2 0.0 ≤ vf 2 0.0 ≤ vl 4 0.0 ≤ vf 4 MINGAP (vl 4 , bl 0 , vf 4 , bf 0 , afMax 0 , rho 0 ) ≤ xl4 - xf4 -bf 0 ≤ af 8 af 8 ≤ afMax 0 MINGAP (VEL (vl 4 , -bl 0 , rho 0 ), bl 0 , VEL (vf 4 , af 8 , rho 0 ), bf 0 , afMax 0 , rho 0 ) ≤ POS (xl 4 - xf 4 , vl 4 , -bl 0 , rho 0 ) - POS (0.0, vf 4 , af 8 , rho 0 ) 0.0 < dt 9 dt 9 < rho 0 t 11 < rho 0 0.0 ≤ t 11 t 11 < rho 0 + dt 9 POS (xf 4 , vf 4 , af 8 ,t 11 ) ≤ POS (xl 4 , vl 4 , -bl 0 ,t 11 ) 0.0 ≤ VEL (vl 4 , -bl 0 ,t 11 ) ≤ dt 9 × bl 0 VEL (vf 4 , af 8 ,t 11 ) + dt 9 × af 8 < 0.0 Example Verification Condition (VC) Urban Traffic Control Safe Efficient Intersection Crossing Guards With little vehicle-to-infrastructure communication, physical inertia can be used to project mutual ex- clusion distances (i.e., reachability sets). • Signalling guards can be designed that maintain safety with minimal yellow-time losses. • The system can operate in mixed environments of human and autonomous drivers. • With introduction of one additional signal color, fuel efficiency can be improved by preventing un- necessary deceleration. Safety invariants are guaranteed, which provides the opportunity for separating designs for safety and optimization. Yellow Guards for Variable Cycle Times Goal: Minimize simultaneous red Access direction <crossing guard> → <light> t> 0 ∨ x + v 2 /(2b) ≤ i x → green t ≤ 0 ∧ x + v 2 /(2b) >i x → yellow (a simplified example) Yellow light times are minimized while still allowing cycle times to vary to ensure safety invariants. Blue Lights for Fixed Cycle Times Goal: Maximize simultaneous green Blocked direction <crossing guard> → <light> t MUTEX >t ∨ (t ARR ≥ t ∧ t DEP <t + T ) → blue t MUTEX ≤ t ∧ (t ARR <t ∨ t DEP ≥ t + T ) → red (an overly simplified example) When cycle times are fixed, red lights waste the fuel for vehicles whose reachability sets are far from the intersection. Consequently, a blue color can be introduced to the blocked direction that indicates when braking behavior is not warranted. Given Safety, Compare Performance Once guards are provided that guarantee safety in- variants, alternate switching protocols can be com- pared either theoretically or empirically to improve throughput or fuel performance of intersections. Supported by NSF Grant ECCS-0931669. ICCPS 2012, Third International Conference on Cyber-Physical Systems – WIP poster session, Beijing, China mailto:pavlic.3@osu.edu http://cps.osc.edu/