Embed Size (px)
Citation preview
AVACS – Automatic Verification and Analysis of Complex Systems
REPORTSof SFB/TR 14 AVACS
Editors: Board of SFB/TR 14 AVACS
Can we build it: Formal Synthesis of control strategies for
cooperative driver assistance system,
by
Werner Damm Jan Rakow Bernd Westphal
AVACS Technical Report No. 73Mai 2011
ISSN: 1860-9821
Publisher: Sonderforschungsbereich/Transregio 14 AVACS(Automatic Verification and Analysis of Complex Systems)
Editors: Bernd Becker, Werner Damm, Bernd Finkbeiner, Martin Franzle,Ernst-Rudiger Olderog, Andreas Podelski
ATRs (AVACS Technical Reports) are freely downloadable from www.avacs.org
Copyright c© Mai 2011 by the author(s)
Author(s) contact: Werner Damm ([email protected]).
Can we build it: Formal Synthesis of control strategies for
cooperative driver assistance system⋆,⋆⋆
Werner Damm1, Jan Rakow2, and Bernd Westphal3
1 Carl von Ossietzky Universitat Oldenburg, Interdisciplinary Research Centre on Safety CriticalSystems and OFFIS Transportation, Germany, [email protected]
2 Carl von Ossietzky Universitat Oldenburg, Germany, [email protected] Albert-Ludwigs-Universitat Freiburg, Germany, [email protected]
Abstract. We propose a design- and verification-methodology supporting the early phasesof system design for cooperative driver assistance systems, focussing on realizability of newautomotive functions. Specifically, we focus on applications where drivers are supported incomplex driving tasks by safe strategies involving coordinated movements of multiple vehi-cles to successfully complete the driving task. We propose a divide and conquer approach forformally verifying timed probabilistic requirements on successful completion of the drivingtask and collision freedom, based on formal specifications of a set of given manoeuvring andcommunication capabilities of the car, allowing in particular to assess, whether these aresufficient to implement strategies for successful completion of the driving task.
1 Introduction
Future driver assistance systems will increasingly employ Car2X [BBD+07] communication capa-bilities and X-by wire driving capabilities to support drivers in complex driving tasks or collisionavoidance in either proposing or automatically carrying out coordinated manoeuvres involvingmultiple vehicles [FBWB08,Lee08,Bas09]. This paper proposes a design and verification method-ology for the early phases of system design, focussing on realizability of such new functions on agiven platform of vehicle communication- and manoeuvring-capabilities. In particular, we analyse,if a given set of vehicle capabilities form a sufficient basis for supporting the implementation ofa given new driving function, and if so, synthesize a cooperation strategy allowing to successfullycomplete the given driving task.
We will demonstrate our approach using an automated highway-entry assistance system, wherethe task is to assure that an ego-car will be able to enter the highway within a specified time-bound and a given probability under specified assumptions characterizing traffic density, throughengaging into a coalition with cars on the highway. These, willing to adapt their driving behaviouraccording to a synthesized strategy, allow the ego-car to access the highway within the desiredtime-bound and probability, while ensuring collision avoidance. Typical communication servicespecifications take the form of timed probabilistic guarantees of message transmissions undergiven activation and invariant conditions characterizing distance and overall communication load(see e.g. [Eic09]). Typical platform manoeuvring services include maintaining a given distance toa lead car, lane changes, and automated cruise control with head distance control, following pre-computed parameterized trajectories, with parameter and trajectory dependent characterizationsof minimal and maximal latencies from service initiation time to service completion. Manoeuvreservice specifications include activation conditions characterizing traffic situations under whichthis service may be invoked, assumptions on traffic environments which must hold throughout thespecified latency (violation of such invariants will lead to controlled abortion of the service), andinvariants guaranteed by service. Violations of assumptions may be caused by irregular behaviourof other cars (e.g. due to not contained failures, or irregular driver behaviour), or unforeseen road
⋆ This research was partially supported by the German Science Foundation within the TransregionalCollaborative Research Center TR14 AVACS and the VW-Vorab Research Group IMOST.
⋆⋆ Under consideration for publication in Math. Struct. in Comp. Science – please do not circulate.
conditions (e.g. unforeseen icy conditions, obstacles on the road e.g. by unsecured truck-cargo).We assume that an autonomous layer provides for both sufficient detection and reaction to suchrare events, and reduce the visible effect of these on the coordination-strategy to abortion signals.
The underlying mathematical framework requires high expressivity. Classical game theory andATL synthesis procedures for winning strategies [AHK02,HP06] are not capable of taking intoaccount the hybrid dynamics of vehicle movements, nor do they cater for probabilistic reasoning[HJ94,BdA95,HKNP06,KKZ05]. To express the different dimensions of vehicle dynamics, stochas-tic delays in Car2X communications, and strategy synthesis for vehicles dynamically enteringcoalitions, we propose as semantic domain timed probabilistic hybrid topology-labelled [BTW07]game structures. While such a semantic domain can be formally defined, the main result of the pa-per is the derivation of a proof-rule braking down the formal proof of the existence of cooperationstrategies meeting the given timeliness and success-rate requirements for driving tasks to a set ofcomputationally tractable verification resp. synthesis problems, each focussing on few dimensionsof expressivity. To this end we propose a layered design structure for advanced cooperative driverassistance systems (ADAS), completely decoupling the determination of a cooperative controlstrategy from the realization of the dynamic control strategy of individual driving tasks. In par-ticular, the cooperation strategy determines coalition partners based on current traffic situation,initiates Car2Car communication to establish the coalition, and determines, based on the obser-vation of cars outside the coalition, for each car inside the coalition the initiation of services of theautonomous control layer. We provide an abstraction of the traffic environment around a repre-sentative highway segment, such as an entry ramp, which gives a discrete safe over-approximationof the traffic environment around the ego car within a pre-determined distance, and dynamicallycreates respectively, hides cars outside this perimeter. We prove that winning strategies synthe-sized in this abstract setting yield winning strategies in any concrete traffic environment, anduse a simple off-line analysis to quantify the effect of message loss on the likelihood to establishthe desired coalition in a given time window. Jointly, these steps allow reducing the verification oftime-bounded probabilistic requirements on successful completion of driving-tasks to strategy syn-thesis in abstract traffic environments and local verification of controller-realizations for dynamiccontrol, all of which can be fully automated.
The main contribution of this paper is in providing a design methodology for cooperativedriver assistance systems allowing to capitalize on recent advances in the automatic analysisof complex systems. In particular, it links results from game theory [AHK02], spotlight ab-straction [Wes08,WW07]4, probabilistic verification [BdA95], and verification of hybrid systems[ACHH92,DDH+06b] into a design approach for cooperative driver assistance systems, which onone side offers abstractions natural to designers of such systems, while at the same time provid-ing a modularization of formal verification steps to tractable subproblems, such as ATL strategysynthesis to determine global cooperation strategies, and verification of hybrid controllers againsttheir service specifications to address the purely local dynamic control capabilities invoked by thecooperation strategy.
Early research on intelligent cooperating vehicles includes the California PATH Project [HESV91],where control strategies for the autonomous control layer have been proposed and verified againstmultiple prioritized requirements such as safety, comfort and efficiency [TPL+96,TLS98]. In partic-ular, a layered approach was first proposed in the PATH project [BV97], though there restrictedto the formation of platoons on intelligent highways using centralized roadside control throughsegment controllers. The technical report [LTS97] gives a detailed design of the cooperation layerand the autonomous control layer for the leader and establishes safety, comfort, and efficiencyrequirements using a third-order dynamic model of vehicle dynamics using zero-sum dynamicgames. [LTS97] gives a fully analytic treatment, whereas we propose a design methodology aimingat automatic verification.
While our treatment is so far restricted to time-bounded reachability and safety, we haveinvestigated in [DF11] the synthesis of optimal remorse-free strategies for a prioritized set of
4 allowing to reduce reasoning about systems with an unbounded number of subsystems and dynamicallychanging communication topology to reasoning about a finite number of subsystems
objectives given as LTL formulas, and will in later work integrate this into the proposed designmethodology.
On-line predictive control has been proposed [ASB07,ASB08] to anticipate trajectories ofsurrounding vehicles to determine actions of the ego-car, such as in the large scale collabora-tive research centre SFB-TR 28 on cognitive vehicles5, and the AMICI project in the Nether-lands [BDD06]. In our approach, the strategy is synthesised at design-time, using a full assessmentof the dynamics of all vehicles in the perimeter of the ego-car in a sufficiently precise finite ab-straction, employing invariants reflecting normal driving behaviours; we cater for the deviationsbetween the real dynamic traffic situation and the abstraction used for the strategy synthesis (suchas caused by traffic-rule violations, failures, or rare events) through incorporating a reflex-layerprotecting a safety envelope around each vehicle, forcing abortion of manoeuvring services (whichare otherwise guaranteed to complete) and autonomous correcting actions in case of risk of vi-olation of such safety envelopes, and by allowing the strategy to re-determine both, the desiredcoalition, and the selection of manoeuvring services in case of abortion. In contrast, [FB10] searchfor strategies controlling all vehicles, and employ heuristic methods from artificial intelligencesuch as tree-search to determine strategies for coordinated vehicle movements. An excellent sur-vey for alternative methods for controlling all vehicles to perform collision free driving tasks isgiven in [Fre10]. Both methods share the restriction of the analysis to a small number of vehicles,in contrast to our approach, which is based on safe abstractions guaranteeing collision freedom inachieving the driver’s objectives taking into account the complete traffic situation.
In the aerospace domain, high-level objectives such as maximising throughput and energy effi-ciency while maintaining safety have lead to new concepts for air-traffic control, such as free flight.There is a significant body of work on the verification of the safety of such control strategies as wellas on design rules that ensure safety [TPK+98,LL98,LTS97,RH02,DDH+06a,DDH+07]. While theproblem is a priori higher dimensional as compared to coordinated vehicle movements, the addi-tional constraints for ground traffic coordination coming from expected and unexpected obstaclesand closer proximity and the drastically less regulated behaviour of drivers make automatic vehicletraffic coordination much more challenging.
The paper is structured as follows. Section 2 provides the application background on advanceddriver assistance systems illustrated by an example used throughout the paper, a highway-entryassistance system. Section 2.2 describes the proposed design methodology, including a formal def-inition of service specifications for communication and manoeuvre platform capabilities, as well asof what we call cooperation skeletons. Section 3 gives a formal mathematical model allowing toreason about the capabilities of a coalition of vehicles to perform driving tasks based on vehiclecapabilities characterised by service specifications in an arbitrary traffic environment. Section 4contains the main result of this paper: it proves that existence of winning strategies for timebounded probabilistic completions of driving tasks can be demonstrated by lifting winning strate-gies in a certain finite abstract domain to the setting of unbounded traffic environments, allowingto reduce the overall design problem into verification and synthesis problems, which on one sidehave natural interpretations from an application perspective, and at the same time are computa-tionally tractable with current verification technology. The conclusion assesses the achieved resultsfrom an industrial perspective and points out directions for further research.
2 Driver Assistance Systems
Advanced driver assistance systems are seen as a key instrument to reach the objectives of theEuropean commission of drastically reducing road fatalities. Figure 1 below shows source of roadaccidents in Germany based on statistics of BASt6 from 2002, and how various classes of driverassistance systems are seen to be capable of coping with the particular class of road accidents.
5 see www.kognimobil.org6 http://www.bast.de
Fig. 1. Source of road accidents in Germany 2002
Various projects7 are developing prototypes of such systems and evaluate their effect on con-tributing to the reduction of road accidents. We consider in this paper as illustrating examplethe design of a highway entry assistance system HWYASSIST, carried out jointly in the IMOSTproject on Integrated Modelling for Safe Transportation8 with the DLR institute of transportationsystem9, which focuses on methods and tools for the design of advanced driver assistance systems.Such systems can range in functionality from pure warning systems, alerting the driver about risksstemming from recognized driver intent to cause an accident, to systems, which take over controlautonomously in driving situations where the driver can no longer prevent an accident, to the nextgeneration, so called advanced cooperative driver assistance systems, exploiting Car2X networkingwhere multiple cars assist the so-called ego car to successfully complete a manoeuvre. In all thesescenarios, the driver maintains the right to always take over control, as required by the Viennaconvention. This entails significant additional complexity compared to fully autonomous drivingscenarios, excluding interferences of drivers.
2.1 Towards Formalizing Requirements for Driver Assistance Systems
We first highlight some of the intricacies in requirement formalization for advanced driver assis-tance systems. This section uses an incremental refinement of an informal high-level functionalrequirement for HWYASSIST to motivate the choice of a particular class of probabilistic timedATL formula reasoning about an unbounded number of traffic agents used in the following sectionsas formal requirement specification for ADAS.
Consider first a typical high-level functional requirement for HWYASSIST:
Whenever the driver enters the ramp, the driver is safely guided onto the highway. (R0)
The term “guided” suggests, that an implementation, which guarantees safety by just stoppingthe car on the highway access, is not accepted. Let us explicate this in a way already leaning towards
7 such as the Integrated Project Prevent, see http://www.prevent-ip.org for its publicly available finalreport
8 see http://imost.informatik.uni-oldenburg.de9 see http://www.dlr.de/fs/en
LTL. Note that both from the drivers expectation and the finite length of the ramp the ego carshould be able to enter the car at latest at some time t after entering the ramp.
� (ego.ramp =⇒ ((ego.safe ∧ ego.ramp)U≤t (ego.safe ∧ ego.highway ))) (R1)
ego
(a)
ego
A1
(b)
ego
A1 A2(c)
Fig. 2. Traffic situations an ADAS may encounter.
This requirement is in general not implementable – just consider the situation, where thereis a traffic accident on the highway causing a traffic jam (cf. Figure 2 (a)). We thus refine ourrequirement by introducing predicates characterizing traffic situations. The formal model discussedin Section 3 will allow to express properties such as “there is a gap of sufficient size with relativedistance d to the ego car moving with relative speed s”, it will allow to refer to cars beforeand behind the gap, it will allow to observe, whether the adjacent lane is completely free, orotherwise characterize situations where cars on this lane might potentially themselves change laneand occupy a gap convenient for the ego car. In general, a traffic situation is given by a predicateψ(ego, A1, . . . , An) ranging over variables of type car, where ego refers to the car initiating amanoeuvre. For each car C, we can observe its position C.pos , its lane C.l, its speed C.v and itsacceleration C.a. Formally, a traffic situation is an expression in a first-order logic (cf. Section 3.4)which is defined over a signature induced by the data-types underlying the formal model of trafficenvironments described in Section 3. For the case of HWYASSIST, the formal model subsumesan a-priori unbounded extension of the highway to the left and to the right of the ramp, andthe ramp itself, discretized into a grid consisting of grid fields of fixed size at the infinitely manypositions and finitely many lanes. We assume that the size of the positions is chosen such that carscompletely fit into a grid field. Traffic situations can thus express conditions on the highway beyondwhat can be observed by the ego car itself using only on board sensors. This expressivity can beseen as an abstraction of the situational awareness which can created by Car2X communication,where cars extend their purely local view of the traffic situation by information provided either bythe roadside infrastructure or other cars to gain a sufficiently precise internal model of the relevanttraffic environment. Distributed algorithms achieving such sufficiently precise and up-to-date localviews are outside the scope of this paper, see e.g. [Bas09].
The predicates ego.ramp, ego.safe , ego.highway used in (R1) are particular instances of trafficsituations. As an example, ego.safe would demand that a speed-dependent number of grid fieldsbehind and ahead of the ego car on the same lane as the ego car is free. The two other predicatesare specific to the application supported by HWYASSIST. In general, we assume some set Mof manoeuvres, and assume that the completion of a manoeuvre m is expressible by a trafficpredicate ego.succm. Drivers can initiate a particular manoeuvre at any time, causing the predicate
ego.startm to be true in this time step. The manoeuvre will then remain active (ego.activem) untilcompleted or aborted.
We will now restate our top-level requirement for an arbitrary manoeuvre m, taking the abovediscussion into account.
�∀ ego, A1, . . . , An : Car • ψ(ego, A1, . . . , An) ∧ ego.safe ∧ ego.startm
=⇒ ((ego.activem ∧ ego.safe)U≤t ego.succm)(R2)
This requirement is still not implementable. As an example, the traffic situation characterizedby ψ might be as depicted in Figure 2, where the right lane of the highway is empty around theramp area, and there is no other than a single car C on the adjacent lane, albeit in a sectionparallel to the ramp. Drivers obedient to traffic rules would stay in the lane, while an aggressivedriver in C might choose to consciously prevent the ego car from entering the highway. In ourformal model, such situations would not be a priori excluded: at any point in time, the driver of acar can initiate a manoeuvre, such as in this particular case initiating a lane change. While driverassistance systems must be designed to also cater for such worst-case environment behaviour,they cannot possibly provide user guidance based on worst-case dynamics of the environmentof the ego car because of customer acceptance. Indeed, the driver assistance system should onthe planning level mimic human drivers, which would base planning on expected traffic evolutionaround the ego car, rather then worst case behaviour. We thus distinguish between nominal trafficevolution, and abnormal traffic evolution, under which we subsume drivers violating traffic rules,failures of the car electronics, obstacles suddenly appearing on the highway, etc.. In particular,nominal driving entails that cars adjacent to a car’s next lane do not change lanes, hence thecombination of nominal traffic evolution and validity of C.safe jointly entail maintainability ofsafety envelope around each car, which will only be intruded under abnormal conditions. In ourformal development we assume a predicate ψabnormal and will only require successful completionof a manoeuvre if during the complete time window until expected completion time no abnormalconditions occur.
�∀ ego, A1, . . . , An : Car•
ψ(ego, A1, . . . , An) ∧ ego.safe ∧ ego.startm ∧�≥tψ(¬ψabnormal )
=⇒ ((ego.activem ∧ ego.safe)U≤t ego.succm)
(R3)
While (R3) now captures precisely the conditions under which a successful completion of themanoeuvre can be required, the bounded look-ahead for t time units excluding abnormal behaviouris not implementable. Indeed, with which sensors would one be able to predict, that, as in theexample scenario above, a driver will turn aggressive in some future point in time?
There are three approaches to address this problem.The first, discussed in the paper [DF11], acknowledges up front that finding strategies for
driver assistance systems able to guarantee (R2) is – for reasons discussed above – impossible, andproposes to replace the key concept of winning strategies by the notion of remorse-free strategies.Basically, a strategy is called remorse-free, if in situations where the strategy failed to complete themanoeuvre, no other strategy could have done better. The paper then provides a formal frameworkordering strategies according to remorse-freedom, and discusses synthesis of optimal strategies wrt.this ordering.
Alternatively, the particular causes for abnormal traffic behaviour can be quantified basedon empirical data, and we can require time-bounded probabilistic reachability. In this paper, wewill demonstrate viability of this approach, but restrict ourselves to one particular cause, that ofmessage loss. We revisit this after discussing the third variant.
The third alternative revisits the “aggressive driver” scenario, and illustrates the strength ofcooperative driver assistance systems. In cooperative driver assistance systems, the ego car buildsa coalition with few, traffic situation dependent cars in its environment. In situation (b) and (c),
depicted in Figure 2, such coalitioners are A1 and {A1, A2}, respectively. By accepting to entera coalition, a car enters a contract: whenever there are multiple possibilities for next moves, thecar will choose one, which benefits the objective of the ego-car to complete its manoeuvre. Thiscontract thus eliminates the risk that, for example the car A1 in (b) chooses to block the right laneof the highway helping the ego car to enter the highway10. Other examples of helpful choices areaccelerating respectively braking to form a gap of sufficient size, or to change lane. In general, thechoice of coalition partners will depend on the traffic situation: with increasing traffic density thenumber of coalition partners required to enforce a timely successful completion of the manoeuvrewill grow. In our setting, we assume that experts propose for a given traffic situation ψ and amanoeuvre m a coalition cψ ⊆ {ego, A1, . . . , An} of cars in the neighbourhood of the ego car tojointly achieve a successful completion of m.
The formalization of the latter two proposals motivates the transition to timed probabilisticalternating logic to formulate our requirement. Recall that in alternating logic the eventualityoperator “♦ψ” is prefixed by a list of logical variables denoting the systems forming a coalitiontowards establishing the formula ψ.
Taking into account loss of messages required to establish such a coalition, we will request thatthe manoeuvre can be completed within time-window t with some probability p. This motivatesthe following requirement formalization.
� ∀ ego, A1, . . . , An : Car •
ψ(ego, A1, . . . , An) ∧ ego.safe ∧ ego.startm ∧ (�≥tψ¬ψabnormal)
=⇒ 〈〈cψ〉〉≥p(
ego.safe U≤tψ ego.safe ∧ ego.succm)
(R4)
We refer in the sequel to (R4) as the requirement specification for manoeuvre m in trafficsituation ψ, denoted by R(m,ψ). In general, the full specification for manoeuvre m, R(m), will begiven by a conjunction of such formulae R(m,ψ) for different traffic situations ψ.
2.2 Layered Design of Driver Assistance Systems
We are interested in cooperative driver assistance strategies, where cars are dynamically engag-ing into coalitions to achieve a particular driving objective in a given time frame. Coalitions areformed depending on driving objective and traffic situations, and resolved either upon meeting thedriving objective, or upon abortion of manoeuvres (due to unforeseen events, see below). Strategicroadmaps for the transportation sector (cf. [Lee08]) see such intelligent cooperating vehicles asa major enabling technology for addressing today’s transportation challenges such as traffic con-gestion, emission reduction, and increased passenger safety. The previous section has motivatedthe formalisation of requirements for cooperative driver assistance system, and introduced thehighway-entry assistance system as our running example. This section proposes a layered designstructure supporting platform-based design, component re-use, and layered verification, in partic-ular decomposing the overall task of establishing R(m) into computationally tractable synthesis-resp. verification tasks.
The Autonomous Layer. Driving capabilities such as lane change, automatic cruise control,headway control, lane control or emergency breaking are realized as services within what we callthe autonomous layer in a layered architecture of the car’s electronic system. The term autonomousreflects the fact, that such capabilities are executed without driver intervention.
Implementations of services will typically base on hybrid automata (sees e.g. [HHWt96])11.Figure 3 depicts a controller capable of adjusting the car’s acceleration in order to maintain the
10 On a more detailed level, there is the need to differentiate between two types of driver interventionsto be provided by the driver interface. In emergency interventions, the driver is requiring to take overcontrol, thus overriding the contract in which “his” driver assistance system is engaged. In all otherinterventions, the contractual requirements from entering the coalition are maintained.
11 see references for papers on the efficient verification of hybrid controllers implementing such services
setpoint: v ∼εvvgoal
actuator: accctrl; influences: v, dist;sensor: v, βori, offsetconst: acccomf, decelcomf, εv, Fmax, lanewidth
KeepVelocityController
WaitToAccelerate
accctrl = 0
(v < vgoal ∧
¬accIsFeasible(v,acccomf,βori, offset))
Accelerate
accctrl = acccomf
(v < vgoal ∧
accIsFeasible(v,acccomf, βori, offset))
Keep
accctrl = 0
vgoal − εv ≤ v ≤ vgoal + εv
Decelerate
accctrl = decelcomf
v > vgoal
v = vgoal / accctrl:=0v < vgoal / accctrl:=acccomfv < vgoal ∧
¬accIsFeasible/accctrl:=0
v > vgoal /accctrl:=decelcomf
v ≥ vgoal /accctrl:=0
v < vgoal − εv /accctrl:= acccomf
¬accIsFeasible/accctrl := 0
accIsFeasible/accctrl:=acccomf
v ≤ vgoal /accctrl:= 0
v > vgoal + εv /accctrl:= decelcomf
Fig. 3. Hybrid automaton of a keep velocity controller, cf. [WSRR11].
set point of the car’s velocity close to vgoal . The controller reacts to changes of its real-valuedsensor variables, tracks the car’s velocity and its placement on the lane, with an adaptation ofthe current control mode. In mode “Keep”, for example, there is no acceleration or decelerationuntil the velocity leaves its tolerated region and the mode’s invariant vgoal − ǫv ≤ v ≤ vgoal + ǫvis violated, to then enter in dependence to velocity v either the “Accelerate” or the “Decelerate”mode.
In order to support platform based design processes, which aim to maximise re-use of auto-motive functions across multiple platforms, we abstract from concrete implementations of hybridautomata and describe services of the autonomous layer by so called service specifications thatprovide an assume-guarantee framework for temporal reasoning on traffic agent motion. Industrialdesign processes will use Matlab-Simulink/Stateflow from the Mathworks for developing controllerdescriptions that can be used for tool based generation of hybrid automata representations (seee.g. [SRKC00]). We refer the reader to the rich literature on hybrid system verification for methodsand tools allowing to verify hybrid automata against service specifications and by this to proofthe controllers compliance to be used as a suitable implementation of the specification.
Formally, we assume that the autonomous layer offers a finite set of Srv = Srv tbnd ∪ Srvcont
of time-bounded and continuous services. A time-bounded service f ∈ Srv tbnd changes the car’sdynamics and position to achieve a certain post-condition within a fixed time frame, such asachieving a target acceleration or changing the lane to the adjacent right-hand lane. We assumethat each service f ∈ Srv tbnd is formally described by a service specification
spec(f) = (pre(f), ass(f), inv(f), post(f), tmin(f), tmax(f))
where tmin(f) ≤ tmax(f) are minimal and maximal completion times, and the activation conditionpre(f) and the post-condition post(f) are expression describing traffic situations (cf. Section 3.4),which in particular refer to the position and dynamics of the ego car. The activation conditionpre(f) characterizes traffic conditions under which the service f can be started, the post-conditionpost(f) characterises the effect of the service on the car’s dynamics and position.
The (safety) assumption ass(f) and the (guaranteed) invariant inv(f) give, for for each timeoffset 0 ≤ d ≤ tmax(f), expressions ass(f, d) and inv(f, d) which may refer to the spatial positionthe car assumed when the service was started. Successful completion of service f is guaranteed iffor each point in time d between initiation and completion of the service, ass(f, d) is satisfied bythe traffic situation on the highway. For instance, the destination lane needs to be free in orderto successfully complete the change lane service. In case of a violation of ass(f, d), the service isaborted but it is still guarantees that the ego car satisfies inv (f). The invariant inv (f, d) gives
guarantees for the car’s dynamics and physical position if service f is currently active for d timeunits.
Continuous services g ∈ Srvcont are activated with a set-point such as desired speed, requiringthe controller implementing the service to stabilize vehicle dynamics at the given set point, and re-main active until disabled. Each continuous service g ∈ Srvcont is characterized by a pre-conditionpre(g) and a post-condition post(g) only. This inductively defines the progress achieved after ttime units relative to the pre-condition.
Additionally, each service is required to maintain the invariant ego.safe, where ego refers tothe car in which the service is incorporated.
t0 t tmind
pre(fLCL)
ass(fLCL, d)
inv(fLCL, d)
post(fLCL)
OOOOOO O OOOOOO O OOFig. 4. Intuitive service specification for time bounded service “lane change left”.
t0 t0 + t
pre(g)
post(g)
OOOOO OFig. 5. Intuitive service specification for continuous service “keep velocity”.
Figure 4 gives a service specification of a time bounded service fLCL for a lane change tothe adjacent left lane in form of a visual representation which we in following call tiling. Theprecondition pre(fLCL) requires that on the current and the destination lane there is a safe gap.We use “ ” tiles to depict the required absence of other cars than the ego car, white fields may beoccupied or free. The safety assumptions ass(f, d) change over time as the car moves away fromthe anchor, that is, the point in space where the service was started (referred to by “O”). Closeto completion of the service the assumption requires that the destination lane is sufficiently free.The guaranteed invariant inv(fLCL, d) changes similarly to the assumption. We use “ ” tiles toindicate the positions possibly occupied by the car, that is, white fields ensure that these fieldsare not occupied by the car. In the example, the tilings indicates that during the service, the carfirstly only occupies the source lane, then both, and towards completion of the service only thedestination lane. In the example, the post-condition post(fLCL) coincides with the last invariant.
Note that in particular inv(fLCL, d) need not change over time and for example, could state thatthe car constantly may occupy the two involved lanes and that longitudinal acceleration doesn’tchange throughout the service.
In the following, we assume that any invariant inv(f, d) allows us to deduce the cars positionrelative to the anchor field at position possrv and lane lsrv , where the car’s position need not beexact in the sense that the car may occupy only a subset of fields indicated by inv(f, d).
While time-bounded services are assumed to terminate within a certain time frame, contin-uous services are not required to terminate and characterised by a simpler service specification(pre(g), post(g)), where safety assumption (the pre-condition) and guaranteed invariant (the post-condition) are independent from time offsets, thus expressed relative to the ego car. An automaticcruise control system which keeps a desired speed if possible could be characterised as a continu-ous service, cf. Figure 5. The pre-condition states that safety distances to front cars are kept, thepost-condition indicates that the ego car is located in the region of “ ” tiles.
It is worthwhile to point to the difference between a change-lane service and the manoeuvrelane change as supported by a driver assistance system. The latter will determine a coalition anda strategy building on a sequence of services executed by cars in the coalition to complete themanoeuvre. The former, in contrast, “blindly” follows the service specification in achieving itsinvariant and its post-condition, and reacts to violations of assumptions.
Figure 10 illustrates a generic skeleton of an autonomous layer, formulated in terms of servicespecifications thus abstracting from the actual hybrid automata services.
While in the hierarchical state ADAS a finite set of time-bounded and continuous services,such as a lane change service fLCL ∈ Srv tbnd , are provided, the state ‘Manual’ represents driverbehaviour. Intuitively, the latter state allows low-level access to the car’s actuators resulting in amuch less restricted behaviour compared to services of the ADAS state.
In the ADAS state a service is invoked by a dedicated startf message. Given that the acti-vation condition pre(f) of the service holds, iteratively, the guaranteed invariants (inv(f, d)) areapplied and assumptions (ass(f, d)) are checked, until either the service is completed timely or anassumption was violated, e.g. due to an unforeseen appearance of a car in the region assumed tobe free by ass(f, d). In such cases the control is returned to the cooperation layer (coop), describedbelow, that as reaction may call another suitable service. The identifier coop can be consideredas link-typed local variable of the automaton that stores the unique process identity of the carscooperation layer process. It is here used to address the cooperation layer as the receiver in sendedges.
The physical environment is considered as a process (hw , cf. Section 3.2) that keeps trackof the traffic situation and in particular provides an interface to check (chk ) pre-conditions andassumptions of a service as well as to apply (app) effects given by post-conditions and invariants.
The Communication Layer. In traditional driver assistance systems, capabilities at the au-tonomous layer are activated and de-activated by the driver. Cooperative driver assistance strate-gies rely on their perception of traffic situations build from on-car sensors, inter-vehicle and ve-hicle2infrastructure communication to pursue a shared strategy in activating and de-activatingservices of the autonomous layer to achieve successful completion of the supported manoeuvrein the prescribed time interval. Car2X communication serves multiple purposes in such applica-tions [BBD+07]:
– They enhance a car’s “perception capabilities”, in that locally available information about thecurrent traffic condition (acquired through e.g. radar, video-camera, lidar, . . . ) is enhancedwith other cars’ perception of its view on traffic condition (allowing e.g. to extend the horizonaround curves, or to identify cars whose view is temporarily blocked through e.g. a truck).Such mental maps then serve as basis for identifying possible coalition partners to meet driver-specified objectives (such as entering a high-way).
– They allow negotiating the formation of a coalition.– They allow synchronisation during cooperative execution of agreed strategies.– They allow to inform about abnormal events encountered during manoeuvre execution.
COOP
Manoeuvre Driver Helper
[x ≤ tm]
? startmaut ! chgM
[complm] aut ! chgD
? takeover aut ! chgD
[x ≥ tm]
[complm]
? req(tm, ce)/x := 0
Fig. 6. Cooperation layer skeleton.
Manoeuvre
[ψn]
[ψ1] com ! req(c1ψ1, tm)
? fail
? compl
com ! req(c2ψ1, tm)
? fail
? compl
aut ! startf1aut ! startfn
? failfn
? complfn
...
. . .
...
Fig. 7. Cooperation layer skeleton – Manoeuvre.
Helper
aut ! startf1aut ! startfn
? failfn
? complfn
...
Fig. 8. Cooperation layer skeleton– Helper.
COM
ws
wf
? req(crcv, tm) crcv!reqext(tm, coop)
coop ! compl
coop ! fail
? reqext (tm,c)/ce := c
coop !req(tm, ce)
? reqext(tm, c)/ce := c
Fig. 9. Communication layer skeleton.
AUT
ADASManual
? startfLCLfACC
fLCR
fLCL
hw !chk (prefLCL) ?yes/d=1
?no ?updt
hw !app(invdfLCL
)
[d ≤ tfLCLmax ]hw !chk(assdfLCL)
[tfLCLmin ≤ d
∧d ≤ tfLCLmax ]hw ! app(postfLCL)
?yes/d++
?nocoop ! compl
coop ! fail
? startfLCL
? chgM
? chgD
Fig. 10. Autonomous layer skeleton.
Following the principle of platform based design, the communication services are shared acrossmultiple applications, and hence encapsulated in a separate unit, which we call the communicationlayer. This supports in particular timed probabilistic transmission guarantees for point-to-pointcommunication using the communication standard provided by the Car2Car Consortium. For thepurpose of this paper, the actual communication protocols employed are of no relevance. See [Eic09]for an excellent mathematical analysis of the Car2Car communication protocol leading to suchservice specifications.
Figure 7 shows a simple communication layer skeleton. Analogous to the abstraction of thehybrid behaviour to service specifications in the autonomous layer, the presented skeleton can beseen as the result of an abstraction from a timed probabilistic automaton derived from the Car2Carstandard. The skeleton is supposed to be read as the (syntactical) cross-product of the two givenautomata. Intuitively, the communication skeleton is by reception of the message req asked totransmit message reqext to a particular process with the identity attached to the message by thelink-typed parameter crcv. The receiver is informed about the cooperation layer (coop) that issuedthe request and a time budget (tm) for manoeuvre execution. Note that the external message reqextis used between different communication layers, only. With a certain probability defined by weightsws and wf the transmission succeeds and fails, respectively. In the latter case, the communicationlayer takes a transition to a state where no synchronisation with the other communication layerprocess takes place. In case of a successful transmission, the received message and its parametersare forwarded by the addressed communication layer to the cooperation layer assigned to it (i.e.the one that is stored in its link-typed variable coop).
The Cooperation Layer. Services of the autonomous and the communication layer provide a re-usable platform on which an ADAS supporting a particular manoeuvre can be build. In this section,we provide a generic skeleton of a cooperation layer, which employs the standardized interfaces ofthe autonomous and communication layer and which is customized to a particular ADAS (suchas HWYASSIST) by giving a coordination strategy. Intuitively, this strategy determines for eachchange in traffic situations and for each car in the coalition activation time and duration of time-bounded services, activation time and set-point for continuous services, and calls of communicationservices, such as for building a coalition. Figure 6 gives a high level view of the top modes of thecooperation layer.
Initially, the coordination layer is in ‘Driver’ mode, where activation and de-activation ofservices of the autonomous layer is under complete driver control. The driver may, in particular,request the support of the ADAS to to perform manoeuvre m, such as entering the highway, bycalling startm. Upon the completion of the manoeuvre ([complm]) or an intervention of the drivertaking over the control (takeover), the driver mode is activated. Alternatively, the ADAS canbe engaged in a coalition to support some ego car in performing a manoeuvre, thus taking the‘Helper’ role. The above architecture implies, that a car cannot be simultaneously in the role ofthe ego car and partner of a coalition of another ego car.
For the ‘Manoeuvre’ mode, Figure 7 gives a generic skeleton of its internal structure, essentiallyconsisting of a non-deterministic choice invoking the services of the autonomous and the communi-cation layer. In particular, whenever a service returns control to the cooperation layer by sending adedicated fail or compl message, the automaton instantaneously calls a new service. Note that wecut off the presentation at locations with dashed outline in order to highlight the general structure– for this reason details such as an upper bound on retries for inter vehicle communication usingthe communication layer are also omitted. The internal structure of the ‘Helper’ mode, depictedin Figure 7, offers a non-deterministic choice of the services provided by the autonomous layer.Typically here the choice is restricted to result in more comfortable driving – ruling out extremeacceleration for example – compared to the choice available in the ‘Manoeuvre’ mode.
It is the task of the coordination strategy to resolve the non-determinism inherent in the ADAScontrolled modes ‘Manoeuvre’ and ‘Helper’. Such strategies can be custom-designed, or synthesizedautomatically, using a sufficiently precise representation of traffic situations. This paper proposesto use automatic synthesis tools for determining coordination strategies. From an industrial per-
spective, such automatically synthesised strategies serve as evidence of the realizability of a newADAS system for supporting a set of requirement specifications R(m1) to R(mn), and thus usedearly in the concept validation phase. If it is impossible to synthesize such a coordination strategy,then potentially the proposed set of coalitioners (or helpers) is too weak, or the platform is not suf-ficient to support this new class of manoeuvres. Later design phases could systematically derive aStateflow representation from automatically synthesized strategies, leading to input-deterministicautomata for both the ‘Helper’ mode and the ‘Manoeuvre’ modes.
3 A Formal Model for Cooperative Driver Assistance Systems
As discussed in the introduction and in the previous section, a faithful and comprehensive modelof cooperative cars, their continuous dynamics, and the traffic environment would need to takeinto account the following aspects:
– the vehicle dynamics as controlled by the autonomous layer exhibit behaviour which needshybrid automata as a model: the autonomous layer switches between discrete modes, withinmodes, there is continuous movement on the highway space in dense time,
– the wireless car-to-car communication infrastructure is facing probabilistic loss of packages,– the cars consisting of cooperation, autonomous, and communication layer freely enter and leave
the highway without a known fixed upper bound on the number of cars simultaneously in thehighway system, and in addition, there are dynamic relations between cooperation layers. Thecooperation layer in a car conducting a manoeuvre keeps track of the cars taking the helperrole and vice versa,
– the design problem discussed in this paper reduces to a game theoretic problem, namely,whether a coalition of cars is able to enforce success of a manoeuvre against a set of opponents,thus a complete model needs to distinguish who controls existing non-determinism, where incase of traffic agents the coalition consists of a set of cars.
Supporting the development of cooperative driver assistance systems in such a rich and fullmodel is out of scope. Thus we propose to approach the problem by a decomposition into tractablesubclasses.
In Section 2.2, we have argued that we can assume local descriptions of the behaviour of thedifferent layers executed in each car. The hybrid behaviour of the autonomous layer is reducedto a collection of service specifications with discrete variables and a discrete notion of time (cf.Section 2.2).
The probabilistic behaviour of the car-to-car communication infrastructure is supposed tobe reduced to the essential information with what probability the communication necessary toacquire a helper succeeds in the absence of race conditions. This information can be obtained byprobabilistic analysis of the employed protocol stack, it does not depend on the autonomous orcooperation layer (cf. Section 2.2)
In order to model the remaining aspects, we introduce Dynamic Concurrent Probabilistic GameStructures (DCPGS) in Section 3.1, an untimed model of unbounded creation of agents where eachagent has
– a unique identity,– a behaviour determined by a finite state description with non-determinism and probabilistic
branching,– a finite set of local variables (possibly of infinite range) plus link-valued variables which carry
identities of other agents,– a finite set of moves,
but where at each point in time only finitely many agents are alive.In Section 3.2, we lay out how to obtain a DCPGS from the local descriptions of the behaviour
of the three layers as presented in Section 2. Note that we don’t formalise each of the local
behaviour descriptions as DCPGS but we sketch how an overall model of traffic environmentswith an a-priori unbounded number of cars in form of a game structure can be obtained from thelocal behaviour descriptions. To this end we assume zero-time rendezvous communication betweenthe agents. One transition of the game structure will correspond to a finite number of zero-timeagent communications.
In Section 2.1, we have elaborated on the formalisation of requirements on driver assistancesystems using temporal logic with an intuitive understanding. In the following Section 3.3, weintroduce a probabilistic variant of Alternating-Time Temporal Logic (ATL) for systems with adynamically growing number of agents. The formulae of this logic are interpreted over DCPGS asintroduced in Section 3.1.
In Section 3.4, we observe that requirement (R4) from Section 2.1 is a formula in our logic overthe formal model of a driver assistance system from Section 3.2.
3.1 Dynamic Concurrent Probabilistic Game Structures.
Definition 1 (Dynamic Concurrent Probabilistic Game Structure). Let I be a countableset of agent identities. A dynamic concurrent probabilistic timed game structure (DCPGS) overI is a quintuple
S = (S, sinit, A, Γ, δ)
where
– S is a set of game states on which supp : S → 2Ifin is a function that indicates the (finite) setof agents alive in a given game state,
– sinit ∈ S is the initial state,– A is a set of game actions,– M ⊆ I×A is the set of agent moves,– Γ : S → 2M is a function that assigns to a given game state the set of available moves, and– δ : S×2M → (2µ(S) \∅) is the transition function that assigns a game state and a set of moves
a set of probability distributions on the game states, where µ(Q) denotes the set of all finitediscrete probability distributions over a set Q, i.e. for each P ∈ µ(Q),
∑
q∈Q P (q) = 1 and{q ∈ Q | P (q) > 0} is finite,
such that the following well-formedness constraints hold:
1. In each game state s ∈ S at least one action is available to each alive agent, i.e. for each agentu ∈ supp(s), there is an action a ∈ A such that (u, a) ∈ Γ (s).
2. The transition function ensures monotonic growth of the set of agents alive in states, i.e.for states s, s′ ∈ S and a set of moves κ ⊆ M , for each P ∈ δ(s, κ), P (s′) > 0 impliessupp(s′) ⊇ supp(s) (“monotone frame semantics”). ♦
The course of the game played on a given dynamic concurrent probabilistic game structureproceeds as follows. The game begins in the initial state sinit. When the game is in a states ∈ S, all alive agents simultaneously and independently propose their moves. Hereby, each agentu ∈ supp(s) selects an available move (u, a) from Γ (s) choosing his action a ∈ A. Let κ denote theset of moves selected by the alive agents. The set κ determines a set of probability distributionsby δ(s, κ), each P ∈ δ(s, κ) determines the probability to reach a certain successor state.
A finite (or infinite) path of the DCPGS S = (S, sinit, A, Γ, δ) starting in game state s0 ∈ S isa finite (or infinite) sequence
ω = s0κ1−→ s1
κ2−→ s2κ3−→ . . .
with si ∈ S and κi ⊆ Γ (si− 1) for i ∈ N+. We write ω(k) to denote sk, the k-th game state of ω,
ω0..k to denote the prefix of ω up to and including the k-th game state of ω, and ω/k to denotethe suffix from and including the k-th state of ω. For a finite path ω, we use last(ω) to denotethe last state of ω. By FinPth(s) (InfPth(s)) we denote the set of finite (infinite) paths starting ins ∈ S.
We call a set of moves κ ⊆ M complete wrt. to a set I ⊆ I of identities if and only if κ hasexactly one move per agent, i.e. for each u ∈ I, |κ ∩ ({u} ×A)| = 1.
A strategy starting at game state s is a function
π : FinPth(s) → 2M ,
such that π(ω) ⊆ Γ (last(ω)). That is, a strategy assigns to any finite path ω starting in s a set ofmoves that are available in the last state of ω.
We say strategy π starting at s ∈ S is a strategy for team T ⊆ I if and only if π(ω) is completewrt. T for each ω ∈ FinPth(s). A strategy π is called counter-strategy against team T if and only ifπ(ω) is complete wrt. the complement of team T , that is, complete wrt. supp(last(ω)) \T for eachω ∈ FinPth(s). Note that the complement team in our dynamic games may grow along finite pathω in accordance to the monotone frame semantics. For the more general case of a dynamicallygrowing team consider [EHM+11]. A scheduler starting at game state s ∈ S is a function
πsc : FinPth(s)× (2µ(S) \ ∅) → µ(S)
which resolves remaining non-determinism, i.e. for each finite path ω and each non-empty set ofprobability distributions P ⊆ µ(S), πsc(ω,P) is a probability distribution P ∈ P .
Let π be a strategy for team T , π a counter-strategy against T , and πsc a scheduler, all threestarting in game state s ∈ S. The set Outcomes(s, π, π, πsc) comprises all paths starting in s thatmay arise when the team chooses its moves according to strategy π, the complement of the teamchooses its moves according to π, and any remaining non-determinism is resolved by the schedulerπsc.
Formally, Outcomes(s, π, π, πsc) is the set of infinite paths
ω = s0κ1−→ s1
κ2−→ s2κ3−→ . . .
s.t. s0 = s and for all i ∈ N0, κi+1 = πsc(ω0..i, π(ω0..i) ∪ π(ω0..i)) and P (si+1) > 0 for P =πsc(ω0..i, δ(si, κi+1)).
Following [EHM+11], we define the probability measure P on sets of paths as follows. Let
Outcomesfin(s, π, π, πsc)
be the set of all finite prefixes of paths in Outcomes(s, π, π, πsc). Let Fπ,π,πscs be the smallest
σ-algebra on Outcomes(s, π, π, πsc) which contains the sets
{ω ∈ Outcomes(s, π, π, πsc) | ω0..|ω′| = ω′}
for all ω′ ∈ Outcomesfin(s, π, π, πsc). Then
Prob : Outcomesfin(s, π, π, πsc) → [0, 1]
is inductively defined by
Prob(ω) =
{
1 , iff |ω| = 1,
P rob(ω′) · πsc(δ(last(ω′), κ))(s′) , iff ω = ω′ κ−→ s′.
The measure P on Fπ,π,πscs is now the unique measure such that
P ({ω ∈ Outcomes(s, π, π, πsc) | ω0..|ω′| = ω′} = P (ω′).
Note that, we may choose the set of identities I to be finite and that we may have a transitionfunction δ which yields only trivial probability distributions, i.e. each P ∈ δ(s, κ) is of the form{s′ 7→ 1.0} for some s′ ∈ S. In this case, a DCPGS is a classical concurrent game structure withsome uncontrollable non-determinism.
3.2 Formalising the Behaviour of the Driver Assistance System IncorporatingVehicle Dynamics and Traffic Environment
Formally, a cooperative driver assistance system is a DCPGS S over a countably infinite set ofidentities
I = ICOOP ∪ IAUT ∪ ICOM ∪ IHW ∪ ISP
which is equally partitioned into identities for five agent types, COOP , AUT , COM , HW , andSP . An agent identity from ICOOP , for instance, models an instance of the COOP automatonfrom Section 2. We assume exactly one instance of HW , a highway agent, which together withAUT realises a minimal plant model. The particular role of HW is to provide a unified view onthe physical highway situation to all AUT instances.
For technical reasons, we assume exactly one instance of SP , a spawn agent, which is creatingnew cars, consisting of interlinked instances of triples of COOP , AUT , and COM . Furthermore,SP provides uncontrollable non-deterministic effects such as interactions by the driver. Even ifa car is part of the coalition, the driver is not, thus this cannot be modelled simply by non-determinism in the cooperation layer. In the model, it must still be possible that the driver takesover at any time and thereby inhibits success of a manoeuvre.
A BC
(a) Situation of a highway with three cars which is modelled by the game state shownin Figure 11(b) below.
COM
COOP
AUT
COM
COOP
AUT
COM
COOP
AUT
HW SP
hw
hw hw
hw
hw
hw
aut coop aut coop aut coop
comcoop comcoop comcoop
A B C
(b) Visualisation of a game state corresponding to the highway situation shownin Figure 11(a) above. Each solid rectangle represents an agent, it is labelledwith the local behaviour description it instantiates. Blue, single-headed edgesindicate fixed links, red edges indicate dynamic links. Each car A,B,C is mod-elled by three interlinked agents, one for each layer, in the game structure. Inaddition, there is exactly one instance of HW and SP .
Fig. 11. Architecture of the formal model of multi-agent traffic systems.
Game States of the ADAS Model. We assume that the set of game states S of S consists ofstructures which provide valuations for the following local variables of the alive agents:
1. COOP :
(a) the current location in the local behaviour description (cf. Figure 6),(b) link-valued variables of COOP -type which keep track of helpers in the own coalition or an
other car which is currently helped (cf. Figure 11),(c) link-valued variables aut and com of type AUT and COM which provide the connection
to the underlying layers in the car. They are established at construction time of the carand remains unchanged over the car’s lifetime.
2. AUT :(a) the current location in the local behaviour description,(b) the currently active service srv ,(c) the anchor position of the currently active service consisting of integer position possrv and
lane lsrv ranging over 0, . . . , L(d) the time dsrv , i.e., the number of steps for which the current service is active ranging over
0, . . . , tmax(srv)(e) in addition, the autonomous layer may keep track of (discretised) physical parameters such
as lateral and longitudinal velocity and acceleration, v↔ and vl, and a↔ and al rangingover finite lists of intervals.These variables are assumed to be part of the AUT instances (instead of in HW , forinstance) in order to simplify the update procedure.
(f) a link-valued variable coop of type COOP which provides the connection back to theoverlying cooperation layer. It is established at construction time of the car and remainsunchanged over the car’s lifetime.
(g) one link-valued variable hw of type HW which provides the connection to the sharedresource,
3. COM :(a) the current location in the local behaviour description,(b) possibly link-valued variables of type COM which are employed to realise communication
between COM layers of different cars and change over the lifetime of a car,(c) one link-valued variable coop of type COOP which provides the connection back to the
overlying cooperation layer. It is established at construction time of the car and remainsunchanged over the car’s lifetime.
4. HW :(a) possibly a current location in a local behaviour description,(b) conceptionally a mapping from position/lane pairs (pos , l) to sets of COOP identities,
thereby the HW instance provides a unified view on the physical situation of all (finitelymany) cars currently on the highway.We do not make particular assumptions on how this information is stored. Note that thephysical position of each car can uniquely be reconstructed from the triple consisting ofthe current service, the anchor position, and the time spent in the service so far.
5. SP :(a) possibly a current location in a local behaviour description,(b) a variable coop of type set-of-COOP which is carrying the identities of all currently alive
COOP agents.
Game Actions and Moves of the ADAS Model. The set of game actions A of S is determinedby the capabilities of the five kinds of agents. In the given setting, we basically only model theactions of the COOP instances as actions. At each game state, a COOP can issue at most oneservice request to each, the car’s AUT and the car’s COM layer. A request to AUT is a requestfor the start of a service (which automatically stops the currently running) service. A requestto COM is a request for a communication with a COM identity passed over as a parameter. Inaddition, there is a dedicated no-op(eration) request τ , which is asking AUT , or COM , or bothto continue with the current service.
For simplicity, we assume that at each point in time, AUT is executing exactly one service.Autonomous layers which offer the execution of multiple services in parallel can be modelled byadding one services for each combination of parallely executable services.
The agents modelling AUT , COM , HW , and SP instances only have τ -actions available whichcorrespond to the non-deterministic choice in the local behaviour descriptions.
Available Moves Function of the ADAS Model. The available moves function Γ and thedestination function δ can be constructed from the local behaviour descriptions as follows. As out-lined above, we assume that the local behaviour descriptions employ a rendezvous communicationwhich is executed in zero-time and that a finite sequence of interleaved zero-time synchronisationsmake up one transition of the game structure S (cf. Section 3.2). Regarding the behaviour, weassume that
1. HW
(a) can be queried for whether an assumption of an active service given in form of ass(f) isconsistent with the invariants of the services active in all cars on the highway, as given byinv (f) per car (cf. Section 2.2);
In Figure 10 on page 11, this query is issued by the autonomous layer in form of synchro-nisation chk , expecting responses yes or no,
(b) can receive updates of anchor positions,
(c) can be queried for the identities of cars at certain highway positions in order to model thesensor-based detection of other cars,
2. COM
(a) provides, in addition to requests for service, a synchronisation for reporting back to itsCOOP instance whether communication was successful or failed,
(b) can engage in synchronisation with other COM layers which may ask for joining a coalition.
There is a possible source for conflicts (or race conditions). It may be the case that twocars want to ask the same third car for help in a manoeuvre, and it may even be thecase that two cars want to ask each other for joining into a coalition. We assume that inthis case one communication successful, that is, exactly one, non-deterministically chosenrequest is positively acknowledged, all other receive negative acknowledgements.
3. AUT
(a) provides, in addition to requests for service, a synchronisation for reporting back to itsCOOP instances that there was a failure due to unsatisfied service assumptions or that aservice was successfully completed,
(b) uses the functions of HW ,
Note that the hybrid automaton modelling the autonomous layer is assumed to be (input)deterministic, that is, with the same service requests and under the same environmental con-ditions, it ensures the same behaviour. Yet viewed from its COOP layer, the autonomouslayer does not behave deterministically as it reacts on the behaviour of other cars on the high-way, and the behaviour of these other cars may in particular be determined by their (highlynon-deterministic) drivers.
In the model proposed here, the plant non-determinism (wind, elevation of the road, etc.) isintegrated into AUT , thus AUT is non-deterministic.
4. COOP
(a) is sensitive for driver interaction issued by SP
(b) uses the functions of AUT and COM
5. SP
(a) non-deterministically creates cars in form of three interlinked layers at highway entryramps.
(b) via the coop link, non-deterministically interacts with any COOP instance in order tomodel driver interaction. That is, it is the SP agent which synchronises on takeover withinstances of COOP (cf. Figure 6).
Driver interaction is not modelled as part of the cooperation layer, because from theperspective of an assistence system, the driver is part of the opponents: if the driver takesover, the assistence system can no longer control the success of the manoeuvre. Instead ofhaving an additional driver agent in the model, we propose to locate the non-determinismstemming from the driver in SP .
We assume that local behaviour descriptions are input enabled, that is, at each point in timethey provide transitions for all synchronisations they possibly engage in. These transitions may inparticular not have any effect on the local state of the agent, i.e. the agent may effectively simplyignore certain synchronisations in certain local states. Thereby, synchronisation between agentsnever blocks, there may only be races (cf. (2b) above) which are represented in S by the set-valuedtransition function δ and resolved by a scheduler πsc (cf. Section 3.1).
u3 : COOP
u2 : COM
u1 : COM
u4 : COOP
u5 : AUT
u6 : HW
s s′ s′′κ−→
κ′
−→
Fig. 12. Game states represent stable situations between finite sequences of zero-time syn-chronisations and local transitions of the alive agents.The diagram shown above can be viewed as a sequence chart rotated by 90 degrees. Each horizontal linerepresents one agent. The horizontal lines begin and end dashed as they are supposed to show three con-secutive game states in a longer path. Arrows represent zero-time synchronisation between agents. Thickarrows become moves of the agent.The example shows a game state s with alive agents {u1, . . . , u6} ⊆ supp(s). Starting from s, the localbehaviour descriptions of COOP , AUT , COM interact with each other and HW in any possible inter-leaving. For instance, the COOP instance u4 may first query HW for the current highway situation, e.g.the identity of a near car. Then u4 switches its AUT instance u5 to a certain service. Afterwards u4 askits COM instance u1 to contact the just detected car, which takes place via the COM instance u2 ofthe destination instance. Before the communication, AUT instance u5 updates the car position (the AUTinstance of u3 is not shown). Here, the move of u4 in κ would consist of the two thick arrows correspondingto services, the move of u3 consists of two no-ops, the other agents have τ actions available.In the example, u5 continues to execute the service without intervention from u4 while the interactionbetween u3 and u2 will be part of the move of u3 in κ′.
Destination Function of the ADAS Model. Let s be a game state and let κ be a set of movesproviding one move for each alive agent. First of all, the possible resolutions of conflicts betweenCOM layer instances (cf. (2b) above) can be enumerated. For each resolution, there will be oneprobability distribution P in δ(s, κ). Let s′ ∈ S. We set P (s′) to the probability of reaching s′ byexecuting a finite number of zero-time synchronisations and local transitions in the alive agentsuntil a dedicated stable situation is reached again (cf. Figure 12).
Time invariants and guards as shown in Figure 6 in “Helper” mode and on the transition backto “Driver” are understood as counting steps in S, that is, we assume that a counter is introducedwhich counts steps in S and, e.g., takes the transition back to “Driver” if the corresponding guardover the counter is satisfied.
Note that a probability less than one can only stem from the behaviour of the COM layer andthat we assume that in one transition of S at most one non-trivial probabilistic transition of COMis involved.
The set Γ (s) of moves available at game state s is determined by the local states of theagents alive in s and the local behaviour descriptions as discussed in Section 2. The relevantcommunications from COOP to AUT and COM can be extracted and merged into a pair, usingthe no-op action if no communication is taking place in the considered transition.
In the following we assume that there is a fixed and given correspondence between the unit oftime modelled by single transitions in S and the time the communication employed for building a
coalition takes, that is, sending out a request to the prospective helper and receiving a (positiveor negative) acknowledgement.
3.3 Dynamic, Probabilistic Alternating-Time Temporal Logic
Having introduced dynamic concurrent probabilistic game structures as the semantic domain oftraffic agent systems in Section 3.1, we, in this section, introduce a dynamic probabilistic variantof ATL [AHK02]. The presented logic is in particular expressive enough to provide a formalunderpinning of the requirement (R4) from Section 2.1. Our logic is inspired by the well-knownlogics ATL, PCTL [HJ94] and METT [BSTW06], enriched by an abstract expression languagethat allows to refer to an agent’s state. The presentation in this section follows [EHM+11].
Expression Language.Let (v ∈) V be a set of typed logical variables and let (U ∈) U ⊆ V be a finite set of agent
types. We assume an expression language which may in particular refer to local variables of agents(cf. Section 3.2). We assume at least the following:
– A is an expression of agent-type U if A is a logical variable of agent type U,– expr1 = expr2 is a boolean expression if expr1, expr2 are expressions of agent type U,– if x is a local variable with type T in agents of type Ui and if expr1 is an expression of typeUi or of type set-of-Uj, then expr .x is an expression of type T ,
– if x is a local variable with agent-type Uj in agents of type Ui, and if expr is an expression oftype Ui or of type set-of-Uj, then expr .x is an expression and its type is set-of-Uj-agents,
In addition, there is a set of typed function symbols of arity n,
f(expr1, . . . , exprn),
including constants true and false , constants corresponding to the domain of the finite localvariables types, basic arithmetics, and predicates such as “=” and “≤” , and “<” on the arithmetictypes.
We assume a function D which gives for each type T a semantical domain D(T ). An expressionover agent types U1, . . . , Un can be evaluated for DCPGSs over I where D(Ui) ⊆ I, 1 ≤ i ≤ n. Inthe following, we assume such a DCPGS S.
In the following, we assume an interpretation I for the function symbols in the expressionlanguage and we assume that we can access the value of local variable x of agent u, such aslocation or velocity (cf. 3.2), in game state s as s[u].x. Let β be a type-consistent valuation ofthe logical variables. We define the interpretation of expression expr in a game state s of S undervaluation β inductively over the structure of expressions:
– IJvK(s, β) = β(v)– IJexpr 1 = expr2K(s, β) = true if and only if IJexpr 1K(s, β) = IJexpr 2K(s, β)– IJexpr .xK(s, β) = s[u].x if and only if expr is an expression of type Ui, and if u = IJexpr K(s, β).– IJexpr .xK(s, β) = s[u].x if and only if expr is an expression of type set-of-Uj, and if IJexpr K(s, β)
is the singleton set {u}.IJexpr .xK(s, β) is undefined otherwise.
The interpretation of expressions using function symbols is defined inductively as usual. With theexception that the interpretation of an expression is undefined in case the semantical value of oneof the sub-expression is not defined.
There are sufficient syntactic criteria on the description of the local behaviour which ensurethat a set-typed link variable is a singleton. In the following, we assume that the interpretation ofexpressions is always defined.
State and Path Formulae. The set of state formulae is defined wrt. an expression language.
– expr is a state formula if and only if expr is a boolean expression from the expression language,– ¬ϕ1 and ϕ1 ∨ ϕ2 are state formulae if and only if ϕ1 and ϕ2 are state formulae,– ∀ v : T •ϕ1 is a state formula if and only if v ∈ V is a logical variable of type T and ϕ1 a state
formula,– 〈〈A1, . . . , An〉〉≥p ψ is a state formula if and only if A1, . . . , An ∈ U are logical variables of
agent type, p ∈ [0, 1] is a probability bound, and ψ is a path formula.
The set of path formulae is analogously defined wrt. an expression language.
– Any state formula ϕ1 is a path formula.– ¬ψ1 and ψ1 ∨ ψ2 are path formulae if and only if ψ1 and ψ2 are path formulae.– Xψ1 is a path formula if and only if ψ1 is a path formula.– ψ1 U ψ2 is a path formula if and only if ψ1 and ψ2 are path formulae.
We may use the usual abbreviations for logical connectives, and �ψ and ♦ψ for true U ψ and¬�¬ψ. In addition, we may use the bounded liveness operator ♦≤tψ as an abbreviation for
∨
0≤i≤t
Xi ψ
and the bounded invariant operator �≥tψ as an abbreviation for∧
0≤i≤t
Xi ψ.
Furthermore, we may use [ψ]≥p as abbreviation for 〈〈∅〉〉≥p ψ.
Let s be a game state of S and β a valuation of the logical variables. The satisfaction relationbetween game states, valuations, and state formulae is defined inductively over the structure ofpath formulae:
– s, β |= expr if and only if IJexpr K(s, β) = true– s, β |= ¬ϕ1 if and only if s, β 6|= ϕ1
– s, β |= ϕ1 ∨ ϕ2 if and only if s, β |= ϕ1 or s, β |= ϕ2
– s, β |= ∀ v : T • ϕ1 if and only if for all u ∈ I, u ∈ supp(s) ∧ u ∈ D(T ) =⇒ s, β[v := u] |= ϕ1,– s, β |= 〈〈A1, . . . , An〉〉≥p ψ if and only if there is a strategy π starting in s for team T = {β(Ai) |
1 ≤ i ≤ n} such that for any counterstrategy π and any scheduler πsc starting in s we have
Prob(Outcomes(s, π, π, πsc) ∩ {ω ∈ InfPth(s) | ω, β |= ψ}) ≥ p.
Let ω be an infinite path of S and β a valuation of the logical variables. The satisfaction relationbetween game states, valuations, and path formulae is defined inductively over the structure ofpath formulae:
– ω, β |= ϕ1 if and only if ω(0), β |= ϕ1,– ω, β |= ¬ψ1 if and only if ω, β 6|= ψ1,– ω, β |= ψ1 ∨ ψ2 if and only if ω, β |= ψ1 or ω, β |= ψ2,– ω, β |= Xψ1 if and only if ω/1, β |= ψ1,– ω, β |= ψ1Uψ2 if and only if there exists k ∈ N0 such that ω/k, β |= ψ2 and for each 0 ≤ j < k,ω/j, β |= ψ1.
We write S |= ψ if and only if for each strategy π for the empty team T = ∅, each counter-strategy π, and each scheduler πsc, all starting in sinit ∈ S,
∀ω ∈ Outcomes(sinit, π, π, πsc) : ω, ∅ |= ψ.
Note that the semantical value of state and path formulae will always be well-defined becauseof the assumption of monotone frame semantics and the definition of quantification which rangesover the alive agents, and due to our assumptions on SP in Section 3.2, namely that it createscars with regular singleton interlinking.
In contrast to [EHM+11], we don’t explicitly assign newly created agents to the coalition or tothe set of opponents. In our case study, the coalition never spawns agents, only the opponents do(in form of SP), and these new agents are implicitly assigned to the opponents in our semantics.
3.4 Formalising the Requirements on the Driver Assistance System
To become able to rephrase the top-level requirement (R4) from Section 2.1 in the just introducedlogic in Section 3.4, we next construct the necessary “vocabulary” in form of car observables inSection 3.4. We can then formally define the traffic situations referred to in (R4) as expressionsover car observables in Section 3.4.
Car Observables. In the following, we assume a number of expressions to refer to particularaspects of the local state of a car.
First of all, we assume a predicate nominal (C) which holds if and only if the car dynamicscurrently classify as nominal, it is considered abnormal otherwise (cf. Section 2.1). We assumea predicate driverint(C) which holds if and only if the current state of car C was reached bydriver interaction. That is, this predicate in particular holds when the driver forces abortion ofa manoeuvre. Technically, these properties can be observed within the local state of a COOPinstance.
We assume that predicate incoalition(C) holds if and only if car C is currently participatingin some coalition. The predicate established(C1, . . . , Cn) is assumed to hold if and only if carsC1, . . . , Cn are currently participants of the same coalition, the whole coalition may be larger.Technically, these two properties can be expressed in terms of the corresponding link-valued vari-ables of COOP instances. At least the car initiating the coalition has a link which keeps track ofthe cars which already joined the coalition.
We assume that for each manoeuvre m ∈ M offered by cars, there are predicates startm(C),succm(C), and activem(C) which hold when car C just changed from “cruise” mode to the modecorresponding to manoeuvre m , when that manoeuvre was successfully completed, that is, justbefore returning to “cruise” mode, and in between the latter two. These conditions can be observedby means of local states of the manoeuvre mode.
For readability, we may write C.pred instead of pred(C) for unary predicates.We assume that we can refer to the physical situation of cars by expressions expr .posmin ,
expr .posmax , and expr .lmin and expr .lmax where expr is of agent type AUT . There is in general nounique position and lane as the description by service specifications introduce a certain vagueness.
As we can navigate from a COOP instance to the associated AUT instance via the aut link,we may write, e.g., A.posmin instead of A.aut .posmin if A is of type COOP . Furthermore, we useA.l = c as an abbreviation for A.lmin = A.lmax = c.
From these observables, we can construct more complex expressions to refer to the physicalsituation of cars on the highway (cf. Table 1), starting from the lateral and longitudinal dis-tance between two cars, ranging over the characterisation of a safe situation by SAFE→(A,B), toexpressions referring to the relative position of cars.
ego
A B
empty
A.lmin = A.lmax = 1
ego.lmin = ego.lmax = 0
Fig. 13. Example traffic situation. The ego car is on the entry ramp and on the neighbouring lanethere are at least two cars A and B which are the spatially nearest cars behind and in front of ego on thatlane. There may be other cars behind A and in front of B. The presence or absence of cars on other thanthese two lanes is not restricted.
Traffic Situations. Formally, a traffic situation is an expression
ψ(ego, A1, . . . , An)
δ→(A,B) := B.posmin − A.posmax , δ←(A,B) := A.posmin −B.posmax
δ↔(A,B) := min(max(0, δ→(A,B)),max(0, δ←(A,B)))
δ↑(A,B) := B.lmin − A.lmax , δ↓(A,B) := A.lmin −B.lmax
δl(A,B) := min(max(0, δ↑(A,B)),max(0, δ↓(A,B)))
SAFE→(A,B) :=∧
1≤j≤n
A.v = cj ∧ δ→(A,B) > 0 =⇒ δ→(A,B) > distj
BEFORE (A,B, c) := A 6= B ∧ (B.lmin = c ∨B.lmax = c)
∧ ∀C : COOP • C 6= A ∧ C 6= B ∧ (C.lmin = c ∨ C.lmax = c)
∧ δ→(A,C) > 0 =⇒ δ→(A,C) ≥ δ→(A,B)
BEFORE (A,B) := ∃ c • BEFORE (A,B, c)
SAFE→(A) := ∀B : COOP • BEFORE (A,B) =⇒ SAFE→(A,B)
SAFE GAP(A, k) := ∀B : COOP • B 6= A
=⇒ (BEFORE(A,B, k) =⇒ SAFE→(A,B)) ∧ (BEHIND(A,B, k) =⇒ SAFE←(A,B))
Table 1. Abbreviations to refer to car distances and positions.
with free logical variables ego, A1, . . . , An of agent type COOP .Traffic situation expressions may be restricted to refer to local variables representing physical
properties such as position and speed (local variables of the AUT instance linked to the denotedCOOP instance), but it may also be necessary to refer to information like whether a car is currentlyin a coalition as visible in form of link-typed local variables of COOP instances.
For example, Figure 13 depicts a game state which satisfies the traffic situation
∃ c : 0, . . . , L • ego.l = c ∧ BEFORE (ego, A1, c+ 1) ∧ BEHIND(ego, A2, c+ 1). (1)
We assume that for each traffic situation ψ, there is a proposal cψ for a coalition in form of asubset of the free logical variables in ψ, i.e. cψ ⊆ {ego, A1, . . . , An}.
We further assume that a traffic situation expression implies that the logical variables ego, A1, . . . , Anare bound to different cars. In (1), this is ensured implicitly by the definition of BEFORE andBEHIND .
Formalizing the Requirements for Driver Assistance Systems. Now we can revisit re-quirement (R4) from Section 2.1 as a formula of the just defined logic over the just introduced carobservables.
The task is to check whether
S |= � ∀ ego, A1, . . . , An : COOP •
ψ(ego, A1, . . . , An) ∧ ego.safe ∧ ego.startm ∧ (�≥tψ¬ψabnormal )
=⇒ 〈〈cψ〉〉≥p(
ego.safe U≤tψ ego.safe ∧ ego.succm)
(2)
where S is the cooperative driver assistance system constructed from COM , AUT , COOP , HWand SP as detailed in Section 3.2. Note that the logical variables in (2) now range over COOPagents, instead of the ad-hoc notation Car in Section 2.1. By Section 3.2, each car consists ofthree interlinked agents, one COOP , one AUT , and one COM instance. From the intuition, theCOOP agents which are forming the coalition and playing against all agents in other cars andalso against the own AUT and COM layers because the non-determinisms in AUT and COMstem from the integration of an environment model into AUT and the characteristics of unreliablecommunication in COM , which are both not controllable by the cooperation layer.
The maximally admitted time for manoeuvre m in traffic situation ψ is tψ . The expressionψabnormal concretises to
(∃C : COOP • near(ego, C) =⇒ C.incoalition) (3)
∨
(
∃C : COOP •∨
m∈M
(¬(C.startm =⇒ C = ego)U established(cψ))
)
(4)
∨ ♦≤tψ
(
∃C : COOP • near(ego, C) ∧ ¬C.nominal
∨ driverint .ego ∨ driverint .A1 ∨ · · · ∨ driverint .An) (5)
where the predicate near(ego, C) characterises a certain spatial neighbourhood around the ego carwhich will play a role when constructing the final abstraction of the system.
Disjunct (3) assumes that certain cars are not yet in a coalition (as observed by incoalition).Disjunct (4) assumes that, until the desired coalition as given by cψ is established, at most
ego is starting any manoeuvre. The idea is that there is an area (possibly marked by traffic signs)where seeking coalitions is forbidden. For other cars on the entry lane, we can assume a “first comefirst serve” principle by which the next following car could be notified by the first car when itcan start to build its coalition, or where the next following car simply perceives a different trafficsituation which may indicate when it is time to start building the own coalition.
Thus at most ego is possibly looking for coalition partners in its neighbourhood, and thusthere will be no race conditions for coalition requests. Under this assumption, all requests tojoin a coalition will be granted. This corresponds to the “most helpful” scheduler as consideredin probability theory, so we effectively refer to the probability of manoeuvre success where onlyunreliable communication is responsible for not meeting a probability bound.
Finally, Disjunct (5) requires that all relevant cars behave nominal during manoeuvre time tψand that no driver interaction takes place. Driver interaction releases the assistance system fromthe obligation to successfully complete the manoeuvre.
4 Formal Realizability Analysis
4.1 Approach
Recall the overall property (R4) from Section 2 in the precise form from Section 3.4:
S |= � ∀ ego, A1, . . . , An : COOP •
ψ(ego, A1, . . . , An) ∧ ego.safe ∧ ego.startm ∧ (�≥tψ¬ψabnormal )
=⇒ 〈〈cψ〉〉≥p(
ego.safe U≤tψ ego.safe ∧ ego.succm)
(6)
As we assume that some reflex functionality of the autonomous layer ensures safety of cars (cf.Section 2), we continue without considering the safety of the ego car explicitly, that is,
S |= � ∀ ego, A1, . . . , An : COOP •
ψ(ego, A1, . . . , An) ∧ ego.startm ∧ (�≥tψ¬ψabnormal )
=⇒ 〈〈cψ〉〉≥p ♦≤tψego.succm.
(7)
We split the problem into a probabilistic and a game theoretic problem by distinguishing twophases:
1. Establishing the coalition by (unreliable) communication, prospective coalition members donot work “in favour” of ego yet.
2. Conducting the actual manoeuvre in the established coalition without communication, startingfrom the traffic situations possibly reachable after the first phase.
t0 t0 + t1 t0 + tψ
Fig. 14. Time budgeting. Between t0 and t0 + t1, the coalition is established, during this time the trafficsituation evolves into possibly multiple situations which can be precomputed. Between t0 + t1 and t0 +t1 + t2 = t0 + tψ the manoeuvre is conducted.
We assume that both phases are assigned amounts of time t1, t2 > 0 such that t1 + t2 = tψ (cf.Figure 14).
Then we firstly establish that the likelihood of a successful coalition formation is at least p,i.e. we establish
S |= � ∀ ego, A1, . . . , An : COOP •
ψ(ego, A1, . . . , An) ∧ ego.startm ∧ (�≥t1¬ψabnormal )
=⇒ [♦≤t1established(cψ)]≥p
(8)
by an off-line analysis (cf. Section 4.2).Secondly, we check, from the traffic situations possibly evolving out of ψ within t1 time units,
characterised by predicate
ψ + t1
whether
S |= � ∀ ego, A1, . . . , An : COOP •
(ψ + t1)(ego, A1, . . . , An) ∧ ego.activem ∧ established(cψ) ∧ (�≥tψ¬ψabnormal )
=⇒ 〈〈cψ〉〉♦≤t2ego.succm
(9)
Equation (9) refers to an infinite state transition system because S imposes no bound on thenumber of agents and the grid in the HW instance is infinite. Therefore we establish
S# |= � ∀ ego, A1, . . . , An : COOP •
(ψ + t1)(ego, A1, . . . , An) ∧ ego.activem ∧ established (cψ) ∧ (�≥tψ¬ψabnormal )
=⇒ 〈〈cψ〉〉♦≤t2ego.succm
(10)
where S# is a finite abstraction of S, Section 4.3 details the construction of S# from S.Equation (10) is a classical finite synthesis problem, i.e. discrete, non-hybrid, finite, and non-
probabilistic. In particular the logical variables now range over a finite set of identities Ifin . Bysymmetry12, we even only need to consider a single variable valuation β of ego, A1, . . . , An whichbinds these n + 1 logical variables to different COOP agent identities from Ifin because traffic
12 The behaviour of an agents does not depend on its identity as the local behaviour descriptions referto identities only symbolically. Identities can be stored and compared, but an agent can not determinewhether it’s identity is the value u1 or u2 and change its behaviour accordingly. Therefore, undesiredbehaviour can be observed for pairwise different cars u1, . . . , un if and only if undesired behaviour canbe observed for any other set of pairwise different identities u′1, . . . , u
′n, if creation is assumed to assign
identities to newly created agents fully non-deterministic. See [Wes08] for details.
situations are required to ensure that the different logical variables denote different agents (cf.Section 3.4). That is, the single synthesis task
S#, β |=
�(
(ψ + t1)(ego, A1, . . . , An) ∧ ego.activem ∧ established(cψ) ∧ (�≥tψ¬ψabnormal)
=⇒ 〈〈cψ〉〉♦≤t2ego.succm)
(11)
is equivalent to (10).By Section 4.4, we can conclude from (10) to (9). From (8) and (9) we can conclude to (7)
because we can obtain the strategy required in (7) by prefixing the deterministic coalition estab-lishing procedure of COOP (cf. Section sec:analysis:prob) to the strategy obtained from (9). From(7) we obtain (R4).
Note that in the two-phases setting, the approach proposed here is exact if all possible timebudgets are enumerated, which are finitely many in our discrete time model.
4.2 Determining the Likelihood of Coalition Formation
For the following off-line analysis, we assume that there is a deterministic procedure in COOPwhich tries to establish coalition cψ when the manoeuvre is started.
By the assumptions in (8), the probability for successful establishment of the coalition isexclusively determined by communication reliability because the condition ¬ψabnormal excludesraces: there is no competition for helpers during t1.
Thus we can compute the probability of successful coalition establishment for this procedureas follows:
– Assume that the start of the manoeuvre as indicated by ego.startm corresponds to a locationloc in the COOP description.
– Assume that successful establishment of the coalition is indicated by a unique second locationloc′.
– As COM gives the probability of successful inter-car communication in one step of the gamestructure, we can substitute the probabilistic edges from COM into the procedure in COOPand compute the probability for reaching loc′ by the sum of the products of probability alongthe paths from loc to loc ′.
The obtained probability p is a lower bound for the probability to successfully complete ma-noeuvre m in traffic situation ψ. The overall lower bound can possibly be increased by consideringother time budgets, i.e., other times t′1, t
′2 with t′1 + t′2 = tψ. If necessary, by enumerating all
possible time budgets, it is possible to improve the lower bound.
4.3 A Safe Finite Abstraction of the Infinite Grid
In Section 4.3, we provide a definition of a finite abstraction of S in terms of S, which is in generalnot an effective procedure. In Section 4.3, we outline a procedure how to effectively obtain thefinite abstraction by a modification of the agents HW and SP .
Definition in Terms of the Infinite System. Let pos left < posright be positions on the gridsuch that a representative entry ramp is covered and that the neighbourhood of ego-cars on theramp is included (cf. Section 3.4).
Let w be the maximal spatial length of a service, i.e. the maximal distance between the anchorpoint and the rightmost field referred to by an expression from a service specification. In the servicespecification example in Section 2.2, this would be the horizontal distance between anchor and anylight or dark gray tile. In the following, we call the highway positions from pos left to posright the
v
vv
w
posleft posright
Fig. 15. The highway segment is the part of the highway ranging from position pos left −w to posright andsupposed to include an entry ramp.
highway segment (cf. Figure 15). The length w will be added to the left of the highway segmentto provide sufficient place for anchors.
Let S be a game structure over I, partitioned into identities for HW , SP , COOP , AUT , andCOM as introduced in Section 3.2. Let Ifin be a finite set of identities providing
– at least as many identities for COOP , AUT , COM such that a grid of size (posright −pos left +w) ·L where L is the number of lanes, in order to have enough identities to cover each field ofthe area between pos left − w and posright with a car,
– and at least one identity for SP , and HW instances.
for simplicity, we assume that cars inside the chosen area never have relations to cars outside thearea – this is not a principal problem, in order to treat it a dedicated “other” identity is introducedper agent type.
Let s, s′ ∈ S be two states of S. By in(s, s′) we denote the set of cars which firstly appear inthe highway segment in game state s′, that is, the set of u ∈ ICOOP such that the set of currentlypossible positions of car u as given by an instantiation of the invariant of the current services[u].srv with service duration time s[u].dsrv and anchor position (s[u].possrv , s[u].lsrv ), i.e.
inv(s[u].srv , s[u].dsrv )(s[u].possrv , s[u].lsrv ),
has an empty intersection with the highway segment, and the set of positions possible in gamestate s′ as given by
inv(s′[u].srv , s′[u].dsrv )(s′[u].possrv , s
′[u].lsrv )
has a non-empty intersection with the highway segment.We use In(s, s′) to denote the set of quadruples
(srv , possrv , lsrv , dsrv )
such that there exists an identity u ∈ in(s, s′) with s[u].srv = srv , s[u].possrv = possrv , s[u].lsrv =lsrv , and s[u].dsrv = dsrv .
We assume that no two different cars have the same service configuration and anchor at thesame point in time as this would imply collision, a case which is excluded by the assumption ofproperty (10).
By out(s, s′) we correspondingly denote the set of cars which last appear in the highwaysegment in game state s, that is, the set of u ∈ ICOOP such that the set of currently possiblepositions of u in s,
inv(s[u].srv , s[u].dsrv )(s[u].possrv , s[u].lsrv ),
has a non-empty intersection with the highway segment, and the set of currently possible positionsin s′,
inv (s′[u].srv , s′[u].dsrv )(s′[u].possrv , s
′[u].lsrv),
has an empty intersection with the highway segment. We use Out(s, s′) to denote the set ofquadruples
(srv , possrv , lsrv , dsrv )
such that there exists u ∈ out(s, s′) with s′[u].srv = srv , s′[u].possrv = possrv , s′[u].lsrv = lsrv ,
and s′[u].dsrv = dsrv .
The abstract game structure S# is constructed as follows. The game states S# are the statesfrom S projected onto Ifin for a reasonable definition of projection, e.g. if we view s ∈ S asfunction mapping agent identities to valuations of the local variables of agents, then s# is thefunction restriction of this function to Ifin .
We write s ⊇ s# if and only if s# is the result of projecting s onto Ifin . Note that local variablesstoring the anchor position need now only range over (posright − pos left +w) ·L, thus we obtain a
finite state system. The initial state s#init is the projection of sinit onto Ifin .The set of actions A# coincides with A, the set of moves in S# comprises the moves of S
projected onto Ifin , i.e. M# =M ∩ (Ifin ×A).
The available moves are obtained similarly as Γ#(s#) = Γ (s) ∩ M#. It is well-defined byconstruction, as the available moves per agent depend only on the local state of the traffic agent,not on others.
The abstract destination function
δ# : S# × 2M#
→ (2µ(S#) \ ∅)
is constructed in a multi-step procedure, following the classical approach to provide at least oneabstract transition for each transition in the concrete system S. In addition, we eliminate prob-abilistic edges because for the realisability analysis, it is only important that coalitions can beestablished, not the probability thereof.
Let s# ∈ S# be an abstract state and κ# a moveset in S#. Let s ⊇ s# and κ ⊇ κ# beconcretisations of s# and κ#. For each P ∈ δ(s, κ), add
{s#′ 7→ 1.0}
to δ# – that is, we substitute all probabilistic branching by non-determinism – where s# is obtainedas follows (cf. Figure 16):
– project s′ onto supp(s#), that is, onto the agents that have already been on the highwaysegment in s#,
– remove the COOP , AUT , and COM instances given by out(s, s′),– for each service state
(srv , possrv , lsrv , dsrv ) ∈ In(s, s′)
choose an unused identity (possibly from the just removed ones) from Ifin for COOP , AUT ,and COM , and construct a car which corresponds to a car which started the service srv atanchor position (possrv , lsrv ) at dsrv time units ago.13
The choice is possible because of the assumption on the size of Ifin above.
That is, the moves of SP and HW are practically disregarded. Their effects are still visible: carsare created on the entry ramps which lie within the highway segment.
The transition system S# has a finite representation which is, although it is strictly speakinga probabilistic and dynamic game structure, actually an ordinary game structure, so existingprocedures apply.
Constructive Definition of the Finite Abstraction. The declarative construction given inSection 4.3 can also be obtained by an effective procedure where we define SP with correspondingcreate actions.
We need to mimic the over-approximation at the right side of the highway segment by “modifiedsensors”. A modified grid HW is supposed to give any possible answer to queries regarding conflictsbetween assumptions and invariants (cf. Section 3.2).
13 By symmetry, we can choose the identities in ascending order to optimise the size of the state space.
O u1 O u0O u2
Ou3
O u1 O u0O u2
Ou3O u4O
OO u1O u0O u2
Ou3O u4OO
O u1O u0O u2
O u3
s#:
s′:
s:
s#′:
Fig. 16. Definition of the abstract transition relation. In S#, there is a transition from s# to s#′
because (i) s# can in particular be extended to s. Note that the car identities in s# and s coincide withinthe highway segment, outside the highway segment, cars may carry any other identity from I or Ifin . (ii)There is a transition from s to s′ in S , note that car identities don’t change during this transition. (iii) s#′
is a projection of s′ on Ifin in the following sense. We remove u3 from s′ because it now lies completelyoutside the highway segment. The cars from I \ Ifin are removed in any case. Note that u4 (which weassume to be from I \ Ifin for the example) is in In(s, s′). It enters the highway segment in the transitionfrom s to s′. To obtain s#′, we create u3 – that is we re-use the just removed identity – with the sameconfiguration as found with car u4.
OO OO
Ono collision/
free
collision/
not free
Fig. 17. Blurred sensors by non-deterministic replies from HW . If there is a concretisation of s# such thata tiling extending beyond the right border has a non-empty overlap with another tiling, HW is supposedto give a positive answer to queries for overlap (lower case). As the region to the right of the right bordermay always be empty, a negative answer is always possible if there are not already overlaps in the highwaysegment.
Similarly, at the left border pos left for tilings which reach beyond the left border, HW non-deterministically gives any possible answer to conflict queries. This may lead to cars running intoaccidents, but if they do, then the ¬ψabnormal premise no longer holds, so the case is effectivelynot considered in the analysis of the property (10).
O O O OO OOO
O
in1
in3
.
.
.
in2
one new
many new
no new
Fig. 18. Enter/Leave Segment
Behaviour at the left border can be over-approximated by creation which may range from “fullchaos” where new cars are created, possibly in the middle of a service, possibly in collision situation.Collision situations are not considered in the analysis by the constraints in the considered property.Alternatively cars may be created sensibly, in particular avoiding crashes. In this approach it ismore difficult to ensure that S# is an over-approximation of S.
4.4 Lifting Bounded-horizon Strategies to Unbounded Traffic Environments
Simulation Relation. Let S = (S, sinit, A, Γ, δ) and S# = (S#, s#init, A#, Γ#, δ#) be dynamic
concurrent probabilistic timed game structures over I and Ifin ⊆ I. We in particular assumethat S# is trivial regarding probabilism. This can easily be achieved by replacing probabilisticbranching by true non-determinism.
A relation h ⊆ S × S# is called simulation relation if and only if for each (s, s#) ∈ h
1. for each well-typed boolean expression expr ,
s#, β |= expr =⇒ s, β |= expr
if expr is link-local to Ifin under β, that is, for each sub-expression expr1 of type Ui or set-of-Ui, we have IJexpr 1K(s
#, β) ∈ Ifin or IJexpr 1K(s#, β) ⊆ Ifin , thus in particular β binds logical
variables of agent type only to identities from Ifin , i.e. β(A) ∈ Ifin for each A ∈ U .2. Let T = {u1, . . . , un} ⊆ Ifin be a team which is alive in s, then the team has to be alive in s#.
Let κ ⊆ Γ (s) be a set of moves, let κT := {γ1, . . . , γn} be the moves of the team, then
sκ−→ s′
implies that there exists κ# ⊆ Γ (s#) such that κ#T = κT and that there exists s#′ such that
s#κ#
−−→ s#′
and (s′, s#′).
We say S# simulates S if and only if S and S# are dynamic concurrent probabilistic timedgame structures over I and Ifin ⊆ I and there exists a simulation relation h as defined above.
The Finite Abstraction Simulates the Infinite System For S,S# from Section 4.3,
h = {(s, s#) ∈ S × S# | s ⊇ s#}
is a simulation relation.
Let expr be an expression which is link-local to Ifin under a valuation β of the logical variablesin expr . As the interpretation of expressions is defined inductively on the structure, it is sufficientto consider the agent and set-of-agent typed expressions:
– IJvK(s#, β) = β(v) = IJvK(s, β)– IJexpr .xK(s#, β) = s#[IJexpr K(s#, β)].x = s[IJexpr K(s#, β)].x because expr is link-local to
Ifin and s# and s coincide on Ifin
Let (s, s#) ∈ h. Let T = {u1, . . . , un} ⊆ Ifin be a team which is alive in s. The team is alive ins# because s ⊇ s#.
Let κ ⊆ Γ (s) be a set of moves comprising the team moves κT := {γ1, . . . , γn} and let
sκ−→ s′.
Set
κ# = {(u, a) ∈ κ | u ∈ Ifin},
then κ# ⊇ κT and κ# ∈ Γ#(s#) by construction of Γ#. Use s#′ as constructed above based onIn(s, s′) and Out(s, s′). Then
s#κ−→ s#′
by construction of δ#.
Lifting Theorem.
Theorem 1. Let S and S# be dynamic concurrent trivially probabilistic timed game structuressuch that S# simulates S and let
ϕ = �expr1 ∧ (�≥texpr2) =⇒ 〈〈ego, A1, . . . , An〉〉♦≤texpr3 (12)
be a state formula with free logical variables ego, A1, . . . , An.If ϕ is link-local to Ifin under valuation β, then
S#, β |= ϕ =⇒ S, β |= ϕ. (13)
Proof. Let S# simulate S and let ϕ be a state formula with a structure as given above. Let β bea valuation of the logical variables ego, A1, . . . , An such that ϕ is link-local to Ifin under β.
Assume S#, β |= ϕ. By the semantics of state formulae (cf. Section 3.3), there exists, for eachgame state s# ∈ S# such that
s#, β |= expr1 ∧ (�≥texpr2), (14)
a strategy π# starting in s# for team
T = {β(ego)} ∪ {β(Ai) | 1 ≤ i ≤ n}
such that for any counter-strategy π# and any scheduler π#sc starting in s# we have
Prob(Outcomes(s#, π#, π#, π#sc) ∩ {ω ∈ InfPth(s#) | ω#, β |= ψ}) ≥ 1.0.
Let s ∈ S be a game state such that
s, β |= expr1 ∧ (�≥texpr 2).
As ϕ is link-local, there exists s# ∈ S# such that s ⊇ s# and (s, s#) ∈ h.Construct a strategy π : FinPth(s) in S from π# from s# as follows. Let
ω = s0κ1−→ s1 . . .
κn−−→ sn ∈ FinPth(s).
Because S# simulates S, there is
ω# = s#0κ#1−−→ s#1 . . .
κ#n−−→ s#n ∈ FinPth(s#).
Set π(ω) = π#(ω#). We obtain a strategy in S because π# gives moves for the team, which is thesame in S by definition of β.
Assume π is not a winning strategy from s in S. That is, there exists a counter-strategy π, ascheduler πsc, and a path
ω = s0κ1−→ s1 . . .
κt−→ st · · · ∈ Outcomes(s, π, π, πsc)
such thatω, β 6|= ♦≤texpr 3,
hencesi, β 6|= expr3, 0 ≤ i ≤ t.
By the simulation relation between S and S#, there is a path
ω# = s#0κ#1−−→ s#1 . . .
κ#t−−→ s#t . . .
where the coalition T follows strategy π#, that is, π#(ω0..i) ⊆ κ#i .From ω#, we can construct a counter-strategy π# and a scheduler π#
sc by considering thecomplement of the team moves. Then we have
ω# ∈ Outcomes(s#, π#, π#, π#sc)
and, by the simulation property,
s#i , β 6|= expr3, 0 ≤ i ≤ t,
thusω#, β 6|= ♦≤texpr3,
and thus π# is not winning in contradiction to the assumption.
The desired relation is now obtained as follows.
Corollary 1. (10) implies (9).
Proof. (10) is link-local if β maps logical variables of agent type only to identities from Ifin . Bysymmetry, we can choose a representative β with that property.
5 Conclusion
The key application domain targeted in this paper, cooperative driver assistance systems, is gener-ally seen as a key enabler to achieve safe and fuel-efficient driving. We have shown how to formalizeboth requirements and models for such classes of applications, demanding an expressivity in theunderlying mathematical models going beyond what can be reasonably analysed. But how can webuild such applications, if we cannot analyse these?
The answer elaborated in this paper exploits the well established engineering principles oflayered, platform based design allowing to decompose the overall verification complexity intotractable subproblems, each of which have intuitive meaning and relevance in the applicationdomain itself:
Service Verification. The development and characterization of components of the platform interms of the services they offer, for re-use in multiple car models, is part of product-line devel-opment related activities. From the mathematical analysis side, these lead to well defined prob-lems for verification of hybrid systems. Numerous approaches addressing the scalability of hy-brid verification tools have been developed recently [Fre05,Fre06,Fre08,TPL04,HMP01,DISS11][DDD+11]; in particular, one of the co-authors has [DDOP10] established in joint work withthe late Amir Pnueli a component based approach to hybrid system design supporting com-positional, incremental verification of both safety and stability of hybrid systems.
Synthesis of Cooperation Strategies. The key design question is then: assuming these plat-form services, can we build on top of these cooperation strategies guaranteeing timely comple-tion of driver initiated manoeuvres with guaranteed probabilities,this in spite of lossy Car2Carcommunication? We have reduced this problem to a setting, where winning strategies, if theseexist, can be synthesized automatically. These determine, for each car in the coalition andeach traffic situation which service of the platform should be activated.
Factoring out Abnormal Situations. Our approach allows such synthesis to work on expectedbehaviours, mimicking a human drivers approach in planning driving tasks, in that dealingwith abnormal behaviours (such as aggressive driver behaviours, failing components) is com-pletely encapsulated by the autonomous layer. We see this as a key asset for gaining customeracceptance of cooperative driver assistance systems.
References
[ACHH92] Rajeev Alur, Costas Courcoubetis, Thomas A. Henzinger, and Pei-Hsin Ho. Hybrid automata:An algorithmic approach to the specification and verification of hybrid systems. In Robert L.Grossman, Anil Nerode, Anders P. Ravn, and Hans Rischel, editors, Hybrid Systems, volume736 of Lecture Notes in Computer Science, pages 209–229. Springer, 1992.
[AHK02] Rajeev Alur, Thomas A. Henzinger, and Orna Kupferman. Alternating-time temporal logic.Journal of the ACM, 49(5):672–713, 2002.
[ASB07] M. Althoff, O. Stursberg, , and M. Buss. Online verificati- of cognitive car decisions. InIntelligent Vehicles Symposium, pages 728–733. IEEE, 2007.
[ASB08] M. Althoff, O. Stursberg, and M. Buss. Verification of uncertain embedded systems by com-puting reachable sets based on zonotopes. In In Proc. of the 17th IFAC World Congress, pages5125–5130, 2008.
[Bas09] Dhevi Baskar. Traffic Management and Control in Intelligent Vehicle Highway Systems. PhDthesis, PhD Thesis University of Delft, Delft, Dec 2009.
[BBD+07] Roberto Baldessari, Bert Boedekker, Matthias Deegener, Andreas Festag, Walter Franz,C. Christopher Kellum, Timo Kosch, Andras Kovacs, Massimiliano Lenardi, Cornelius Menig,Timo Peichl, Matthias Roeckl, Dieter Seeberger, Markus Strassberger, Hannes Stratil, Hans-Joerg Voegel, Benjamin Weyl, and Wenhui Zhang. Car-2-car communication consortium -manifesto, Apr 2007.
[BdA95] Andrea Bianco and Luca de Alfaro. Model checking of probabilistic and nondeterministic sys-tems. In P. Thiagarajan, editor, Foundations of Software Technology and Theoretical ComputerScience, volume 1026 of Lecture Notes in Computer Science, pages 499–513. Springer Berlin/ Heidelberg, 1995.
[BDD06] T. Bellemans, B. De Schutter, and B. De Moor. Model predictive control for ramp meteringof motorway traffic: A case study. Control Engineering Practice, 14(7):757–767, July 2006.
[BSTW06] Jorg Bauer, Ina Schaefer, Tobe Toben, and Bernd Westphal. Specification and verification ofdynamic communication systems. Application of Concurrency to System Design, InternationalConference on, 0:189–200, 2006.
[BTW07] Jorg Bauer, Tobe Toben, and Bernd Westphal. Mind the shapes: abstraction refinement viatopology invariants. In Proceedings of the 5th international conference on Automated technol-ogy for verification and analysis, ATVA’07, pages 35–50, Berlin, Heidelberg, 2007. Springer-Verlag.
[BV97] M. Broucke and P. Varaiya. The automated highway system: A transportation technology forthe 21st century. Control Engineering Practice, 5(11):1583–1590, Nov 1997.
[DDD+11] W. Damm, H. Dierks, S. Disch, W. Hagemann, F. Pigorsch, C. Scholl, U. Waldmann, andB. Wirtz. Exact and fully symbolic verification of linear hybrid automata with large discretestate spaces,. Science of Computer Programming, Special Issue on Automated Verification ofCritical Systems, 2011. Accepted for publication.
[DDH+06a] W. Damm, S. Disch, H. Hungar, J. Pang, F. Pigorsch, C. Scholl, U. Waldmann, and B. Wirtz.Automatic verification of hybrid systems with large discrete state space. In Proceedings ofthe 4th Symposium on Automated Technology for Verification and Analysis, volume 4218 ofLecture Notes in Computer Science, pages 276–291. Springer, 2006.
[DDH+06b] Werner Damm, Stefan Disch, Hardi Hungar, Jun Pang, Florian Pigorsch, Christoph Scholl,Uwe Waldmann, and Boris Wirtz. Automatic verification of hybrid systems with large discretestate space. In Susanne Graf and Wenhui Zhang, editors, ATVA, volume 4218 of Lecture Notesin Computer Science, pages 276–291. Springer, 2006.
[DDH+07] Werner Damm, Stefan Disch, Hardi Hungar, Swen Jacobs, Jun Pang, Florian Pigorsch,Christoph Scholl, Uwe Waldmann, and Boris Wirtz. Exact state set representations in theverification of linear hybrid systems with large discrete state space. In Proceedings of the5th international conference on Automated technology for verification and analysis, ATVA’07,pages 425–440, Berlin, Heidelberg, 2007. Springer-Verlag.
[DDOP10] Werner Damm, Henning Dierks, Jens Oehlerking, and Amir Pnueli. Towards component baseddesign of hybrid systems: Safety and stability. In Zohar Manna and Doron Peled, editors,Essays in Memory of Amir Pnueli, volume 6200 of Lecture Notes in Computer Science, pages96–143. Springer, 2010.
[DF11] Werner Damm and Bernd Finkbeiner. Does it pay to extend the perimeter of a world model?In Proceedings of the 17th International Symposium on Formal Methods. to appear, 2011.
[DISS11] W. Damm, C. Ihlemann, and Viorica Sofronie-Stokkermans. Decidability and complexity forthe verification of safety properties of reasonable linear hybrid automata. In Emilio Frazzoliand Radu Grosu, editors, HSCC, Lecture Notes in Computer Science. Springer, 2011. toappear.
[EHM+11] Rudiger Ehlers, E. Moritz Hahn, Martin Mehlmann, Hans-Jorg Peter, Jan Rakow, Tobe To-ben, and Bernd Westphal. Dynamic communicating probabilistic timed automata playinggames. 2011.
[Eic09] S. Eichler. Solutions for Scalable Communication and System Security in Vehicular NetworkArchitectures. PhD thesis, PhD Thesis Technische Universitat Munchen, Arcisstr. 21, 80333Munchen, Dec 2009.
[FB10] Christian Frese and Jurgen Beyerer. Planning cooperative motions of cognitive automobilesusing tree search algorithms. In Rudiger Dillmann, Jurgen Beyerer, Uwe D. Hanebeck, andTanja Schultz, editors, KI 2010: Advances in Artificial Intelligence, volume 6359 of LectureNotes in Artificial Intelligence, pages 91–98, Karlsruhe, September 2010. Springer.
[FBWB08] C. Frese, T. Batz, M. Wieser, and J. Beyerer. Life cycle management for cooperative groups ofcognitive automobiles in a distributed environment. In Intelligent Vehicles Symposium, 2008IEEE, pages 1125 –1130, 2008.
[Fre05] Goran Frehse. Phaver: Algorithmic verification of hybrid systems past hytech. In ManfredMorari and Lothar Thiele, editors, HSCC, volume 3414 of Lecture Notes in Computer Science,pages 258–273. Springer, 2005.
[Fre06] Goran Frehse. On timed simulation relations for hybrid systems and compositionality. InEugene Asarin and Patricia Bouyer, editors, FORMATS, volume 4202 of Lecture Notes inComputer Science, pages 200–214. Springer, 2006.
[Fre08] Goran Frehse. Phaver: algorithmic verification of hybrid systems past hytech. STTT,10(3):263–279, 2008.
[Fre10] Christian Frese. A comparison of algortihms for planning cooperative motions. TechnicalReport IES-2010-14, Lehrstuhl fur Interaktive Echtzeitsysteme, 2010.
[HESV91] A. Hsu, F. Eskafi, S. Sachs, and P. Varaiya. The design of platoon maneuver protocols forIVHS. PATH Report UCB-ITS-PRR-91-6, U. California, April 1991.
[HHWt96] Thomas A. Henzinger, Pei-Hsin Ho, and Howard Wong-toi. Algorithmic analysis of nonlinearhybrid systems. IEEE Transactions on Automatic Control, 43:225–238, 1996.
[HJ94] Hans Hansson and Bengt Jonsson. A logic for reasoning about time and reliability. FormalAspects of Computing, 6:102–111, 1994.
[HKNP06] A. Hinton, M. Kwiatkowska, G. Norman, and D. Parker. PRISM: A tool for automaticverification of probabilistic systems. In H. Hermanns and J. Palsberg, editors, Proc. 12th In-ternational Conference on Tools and Algorithms for the Construction and Analysis of Systems(TACAS’06), pages 441–444. Springer Lect. Notes Comp. Sci. (3920), 2006.
[HMP01] Thomas A. Henzinger, Marius Minea, and Vinayak S. Prabhu. Assume-guarantee reasoningfor hierarchical hybrid systems. In Maria Domenica Di Benedetto and Alberto L. Sangiovanni-Vincentelli, editors, HSCC, volume 2034 of Lecture Notes in Computer Science, pages 275–290.Springer, 2001.
[HP06] Thomas A. Henzinger and Vinayak S. Prabhu. Timed alternating-time temporal logic. InEugene Asarin and Patricia Bouyer, editors, FORMATS, volume 4202 of LNCS, pages 1–17.Springer, 2006.
[HS98] Thomas A. Henzinger and Shankar Sastry, editors. Hybrid Systems: Computation and Con-trol, First International Workshop, HSCC’98, Berkeley, California, USA, April 13-15, 1998,Proceedings, volume 1386 of Lecture Notes in Computer Science. Springer, 1998.
[KKZ05] J.-P. Katoen, M. Khattri, and I. S. Zapreev. A Markov reward model checker. In QuantitativeEvaluation of Systems (QEST), pages 243–244, Los Alamos, CA, USA, 2005. IEEE ComputerSociety.
[Lee08] K. Lee. Advanced research for integrated active transportation system. In The NationalWorkshop on New Research Directions for High Confidence Transportation Cyber PhysicalSystems, Washington, D.C., USA, Dec 2008.
[LL98] John Lygeros and Nancy A. Lynch. Strings of vehicles: Modeling and safety conditions. InHenzinger and Sastry [HS98], pages 273–288.
[LTS97] John Lygeros, Claire Tomlin, and Shankar Sastry. Multiobjective hybrid controller synthesis.In Oded Maler, editor, HART, volume 1201 of Lecture Notes in Computer Science, pages109–123. Springer, 1997.
[RH02] A. Richards and J.P. How. Aircraft trajectory planning with collision avoidance using mixedinteger linear programming. In American Control Conference, 2002. Proceedings of the 2002,volume 3, pages 1936 – 1941 vol.3, 2002.
[SRKC00] B. Silva, K. Richeson, B. Krogh, and A. Chutinan. Modeling and verifying hybrid dynamicsystems using CheckMate. In Proc. Conf. on Automation of Mixed Processes: Hybrid DynamicSystems, pages 323–328, 2000.
[TLS98] Claire Tomlin, John Lygeros, and Shankar Sastry. Synthesizing controllers for nonlinear hybridsystems. In Henzinger and Sastry [HS98], pages 360–373.
[TPK+98] Claire Tomlin, George Pappas, Jana Kosecka, John Lygeros, and Shankar Sastry. Advanced airtraffic automation: A case study in distributed decentralized control. In Bruno Siciliano andKimon Valavanis, editors, Control Problems in Robotics and Automation, volume 230 of Lec-ture Notes in Control and Information Sciences, pages 261–295. Springer Berlin / Heidelberg,1998. 10.1007/BFb0015088.
[TPL+96] Claire Tomlin, George J. Pappas, John Lygeros, Datta N. Godbole, and Shankar Sastry.Hybrid control models of next generarion air traffic management. In Panos J. Antsaklis, WolfKohn, Anil Nerode, and Shankar Sastry, editors, Hybrid Systems, volume 1273 of LectureNotes in Computer Science, pages 378–404. Springer, 1996.
[TPL04] Paulo Tabuada, George J. Pappas, and Pedro U. Lima. Compositional abstractions of hybridcontrol systems. Discrete Event Dynamic Systems, 14(2):203–238, 2004.
[Wes08] Bernd Westphal. Specification and Verification of Dynamic Topology Systems. PhD thesis,Carl von Ossietzky Universitat Oldenburg, May 2008.
[WSRR11] B. Wirtz, T. Strazny, A. Rakow, and J. Rakow. A lane change assistance system: Cooperationand hybrid control. Reports of SFB/TR 14 AVACS, to appear, SFB/TR 14 AVACS, 2011.
[WW07] Bjorn Wachter and Bernd Westphal. The spotlight principle. on combining process-summarising state abstractions. In Byron Cook and Andreas Podelski, editors, VMCAI,volume 4349 of Lecture Notes in Computer Science, pages 182–198. Springer-Verlag, 2007.
