TOWARDS FORMAL VERIFICATION IN AUTOMOTIVE APPLIED TO THE AUTONOMOUS DRIVING SUPERVISION FUNCTION
ERTS 2020 - 30 JANUARY
Authors:
• YASMINE ASSIOUA, RENAULT SOFTWARE LABS & TELECOM PARIS
• RABEA AMEUR-BOULIFA, TELECOM PARIS
• PATRICIA GUITTON-OUHAMOU, RENAULT SOFTWARE LABS
Renault Confidential C
AGENDA
01 CONTEXT: Introduction
02 APPROACH: The use of formal specification and formal verification to prove the reliability of the studied systems
03 MODEL'S CONSTRUCTION: The different steps to transform an informal requirement into a formal model (state machine) for formal verification, applied to AD (Autonomous Driving) supervision
04 VERIFICATION: The use of a model checker (UPPAAL) to verify the generated model using properties and simulation
05 CONCLUSION: Achievements & perspectives
01 CONTEXT - Introduction
CONTEXT - INTRODUCTION
• Rapid development of autonomous vehicles
• Complex system evolving in an unpredictable environment
• Must comply with strict standards and norms (AUTOSAR, ISO 26262)
CONTEXT - BUG CONSEQUENCES
• A failure can cause severe accidents
• High cost (brand, recall, bug correction, ...)
• Essential to ensure the quality of the requirements
Critical system = deals with scenarios that may lead to loss of life, serious personal injury, or damage to the natural environment
CONTEXT - REDUCE BUGS
Early validation: a rigorous model-based approach using formal methods
Goal:
• Improve SW quality
• Reduce time to market
• Reduce costs
[Figure: The V-Model: systems development lifecycle. Source: Software engineering environments: concepts and technology, Robert N. Charette]
02 APPROACH - The use of formal specification and formal verification to prove the reliability of the studied systems
APPROACH - THE APPROACH
NATURAL LANGUAGE
• Document analysis
• Identify the different concepts (states, conditions, key words, ...)
SEMI-FORMAL LANGUAGE
• Syntax
• Semantic
• Patterns
FORMAL MODEL
• Automata
• Model checking
• Properties verification
APPROACH - OUR FRAMEWORK
[Figure: framework overview, with the "Grammar & semantic" step]
03 MODEL CONSTRUCTION - The different steps to transform an informal requirement into a formal model (state machine) for formal verification, applied to AD (Autonomous Driving) supervision
MODEL CONSTRUCTION - CASE STUDY
The Autonomous Driving (AD) function specifies a self-driving car:
• Control function: specifies the Autonomous Driving function behaviour
• Supervision function: gives or takes back the control from AD_Control
MODEL CONSTRUCTION - STEPS
The model construction follows different steps:
• Requirement Selection
• Requirement Analysis
• Guard Elaboration
• Completion
• Plausibility Check
• Guard Regroupement
• Model Construction
DIFFICULTIES: some steps are recursive
MODEL CONSTRUCTION - REQUIREMENTS ANALYSIS
"The lateral jerk requested by the AD-function shall be limited to a threshold" (FR1)
"AD-function shall be available at dawn and dusk" (FR2)
"AD-function shall be available on verified road sections" (FR3)
"IF AD-function is not available and vehicle is in Germany or in France, then AD-function shall be available" (FR4)
Legend (colour coding on the slide): function's name, state's name, condition, key words
MODEL CONSTRUCTION - REQUIREMENT SELECTION
"The lateral jerk requested by the AD-function shall be limited to a threshold" (FR1)
"AD-function shall be available at dawn and dusk" (FR2)
"AD-function shall be available on verified road sections" (FR3)
"IF AD-function is not available and vehicle is in Germany or in France, then AD-function shall be available" (FR4)
Legend (colour coding on the slide): function's name, state's name, condition, key words
MODEL CONSTRUCTION - MODEL CONSTRUCTION
Pattern 1: <Function> SHALL BE <State> <Condition>
[Figure: state machine of <Function> with a transition guarded by <Condition> into <State>]
Pattern 2: IF <Function> is in <Initial State> AND <Condition> THEN <Function> SHALL BE <Final State>
[Figure: state machine of <Function> with a transition from <Initial State> to <Final State> guarded by <Condition>]
MODEL CONSTRUCTION - GUARDS ELABORATION
"AD-function shall be available at dawn and dusk" (FR3)
AT DAWN AND DUSK:
• Values creation: dawn, dusk, ...(?)
• Variable creation: DAY_TIME
• Guard: DAY-TIME = dawn OR DAY-TIME = dusk
MODEL CONSTRUCTION - COMPLETION
Possible states: OFF, NOT_AVAILABLE, AVAILABLE, ACTIVABLE, ACTIVE
AD-function shall be available IF DAY-TIME = dawn OR DAY-TIME = dusk
MODEL CONSTRUCTION - PLAUSIBILITY CHECK
Correction using the plausibility table
MODEL CONSTRUCTION - GUARDS REGROUPEMENT
G1: "AD-function shall be available IF DAY-TIME = dawn OR DAY-TIME = dusk"
G2: "AD-function shall be available IF ROAD-SECTION = ok"
Regroupement options for the transition into AVAILABLE: G1 OR G2, or G1 AND G2
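A worked version of the pattern, completion and guard regroupement steps above, added here as an example and not part of the authors' framework: it turns requirements written in the two slide patterns into guarded transitions and then merges the guards that lead into the same state. The regular expressions, the whitespace normalisation and the rule that completion expands a pattern-1 requirement to every possible state except the target are my assumptions.

```python
import re

STATES = ("OFF", "NOT_AVAILABLE", "AVAILABLE", "ACTIVABLE", "ACTIVE")

# Pattern 1 (after guard elaboration): <Function> shall be <State> IF <Condition>
P1 = re.compile(r"(?P<fn>[\w-]+) shall be (?P<final>\w+) IF (?P<cond>.+)", re.I)
# Pattern 2: IF <Function> is [in] <Initial State> AND <Condition>
#            THEN <Function> shall be <Final State>
P2 = re.compile(r"IF (?P<fn>[\w-]+) is (?:in )?(?P<init>[\w ]+?) AND (?P<cond>.+?),?"
                r" THEN (?P=fn) shall be (?P<final>\w+)", re.I)

def normalise(req):
    """Collapse the spacing variants seen on the slides ('AD - function',
    'DAY- TIME') so both patterns see a single spelling (assumption)."""
    return re.sub(r"\s*-\s*", "-", " ".join(req.split()))

def parse_requirement(req):
    """Return the transitions (initial_state, guard, final_state) that one
    requirement encodes. A pattern-1 requirement names no initial state; the
    completion step enumerates them (assumption: every possible state except
    the target, which is what the '...' on the completion slide stands for)."""
    req = normalise(req)
    if m := P2.fullmatch(req):
        init = m["init"].upper().replace(" ", "_")   # 'not available' -> NOT_AVAILABLE
        return [(init, m["cond"], m["final"].upper())]
    if m := P1.fullmatch(req):
        final = m["final"].upper()
        return [(s, m["cond"], final) for s in STATES if s != final]
    raise ValueError(f"requirement matches no known pattern: {req!r}")

def regroup_guards(transitions, op="AND"):
    """Guard regroupement: transitions sharing (initial, final) are merged and
    their guards joined with op; the slides show OR and AND as the options."""
    merged = {}
    for init, cond, final in transitions:
        merged.setdefault((init, final), []).append(f"({cond})")
    return [(init, f" {op} ".join(conds), final) for (init, final), conds in merged.items()]

# Constructed input: FR2 and FR3 as they read after guard elaboration, plus FR4.
FR2 = "AD -function shall be available IF DAY-TIME = dawn OR DAY- TIME=dusk"
FR3 = "AD - function shall be available IF ROAD- SECTION=ok"
FR4 = ("IF AD -function is not available and vehicle is in Germany or in France, "
       "then AD-function shall be available")

def build_model():
    """Transitions into AVAILABLE with the FR2 and FR3 guards regrouped by AND."""
    return regroup_guards(parse_requirement(FR2) + parse_requirement(FR3))
```

FR1 (the lateral jerk limit) matches neither pattern and is rejected, which is the selection step in miniature: only requirements that fit a pattern reach the model.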
MODEL CONSTRUCTION - FORMAL MODEL
[Figure: the resulting state machine]
04 VERIFICATION - The use of a model checker (UPPAAL) to verify the generated model using properties and simulation
VERIFICATION - FORMAL VERIFICATION
Use the automatic model checker UPPAAL (http://www.uppaal.org/)
• Reachability properties
• Deadlock property
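An added example, not the authors' UPPAAL model: a small explicit-state check in Python of the reachability and deadlock questions above, plus the safety question the guards regroupement slides raise, run for both regroupement choices (OR versus AND) over the AD-function states. The input domains, the transition back to NOT_AVAILABLE and the wording of the safety property are my assumptions; the slides give only the states and the two guards.

```python
from itertools import product

# Constructed input domains: the values created by guard elaboration for
# FR2 (DAY_TIME) and FR3 (ROAD_SECTION), plus values the guards exclude.
ENVS = [{"DAY_TIME": d, "ROAD_SECTION": r}
        for d, r in product(("night", "dawn", "day", "dusk"), ("ok", "nok"))]

def g1(env):  # guard elaborated from FR2
    return env["DAY_TIME"] in ("dawn", "dusk")

def g2(env):  # guard elaborated from FR3
    return env["ROAD_SECTION"] == "ok"

def model(regroup):
    """Transitions (src, guard, dst) of the AD-function state machine. The two
    guards into AVAILABLE are regrouped with 'OR' or 'AND'; the transition back
    to NOT_AVAILABLE is an assumption, the slides do not show it. ACTIVABLE and
    ACTIVE get no transitions here, so they stay unreachable."""
    guard = (lambda e: g1(e) or g2(e)) if regroup == "OR" else (lambda e: g1(e) and g2(e))
    return [("OFF", guard, "AVAILABLE"),
            ("NOT_AVAILABLE", guard, "AVAILABLE"),
            ("AVAILABLE", lambda e: not guard(e), "NOT_AVAILABLE")]

def reachable(trans, init="OFF"):
    """Explicit-state exploration: inputs are free, so a transition is enabled
    if its guard holds for some environment valuation."""
    seen, todo = set(), [init]
    while todo:
        s = todo.pop()
        if s in seen:
            continue
        seen.add(s)
        todo += [dst for src, g, dst in trans if src == s and any(g(e) for e in ENVS)]
    return seen

def deadlock_free(trans):
    """Deadlock property: every reachable state has an enabled transition."""
    return all(any(src == s and g(e) for src, g, _ in trans for e in ENVS)
               for s in reachable(trans))

def available_only_on_verified_road(trans):
    """Safety property: no reachable state enters AVAILABLE while the road
    section is not verified (ROAD_SECTION != ok)."""
    reach = reachable(trans)
    return not any(dst == "AVAILABLE" and e["ROAD_SECTION"] != "ok" and g(e)
                   for src, g, dst in trans if src in reach for e in ENVS)
```

Both regroupements make AVAILABLE reachable and leave no deadlock, but only the AND regroupement keeps the safety property, which is the point the backup slide marks with SAFETY.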
VERIFICATION - SIMULATION & FUNCTIONAL DIAGRAM
• Dynamic behaviour
• Visualise the function's evolution
06 CONCLUSION - Achievements & perspectives
CONCLUSION - ACHIEVEMENTS & PERSPECTIVES
Achievements:
• Framework
• Proof of concept on:
  - APA (Automatic Park Assist): https://hal.telecom-paristech.fr/hal-02269614
  - AD (Autonomous Driving supervision's function)
Perspectives:
• Extend the set of analysed requirements
• Time
• Non-functional properties
• Validate the whole framework
MODEL CONSTRUCTION - COMPLETION
AD-function shall be available IF DAY-TIME = dawn OR DAY-TIME = dusk
Possible states: OFF, NOT_AVAILABLE, AVAILABLE, ACTIVABLE, ACTIVE
ASSOCIATED STATE MACHINE
IF AD-function is in .... AND DAY-TIME = dawn OR DAY-TIME = dusk THEN AD-function shall be available
...
MODEL'S CONSTRUCTION - PLAUSIBILITY CHECK
MODEL'S CONSTRUCTION - GUARDS REGROUPEMENT
"AD-function shall be available IF DAY-TIME = dawn OR DAY-TIME = dusk"
"AD-function shall be available IF ROAD-SECTION = ok"
GuardInAvailable = (DAY-TIME = dawn OR DAY-TIME = dusk) OR // AND (ROAD-SECTION = ok)
SAFETY
CONCLUSION
• Approach
• Proof of concept
• Finalise step 2: how it impacts the model
• Focus on the patterns
APPROACH - OBJECTIVE
• Suggest a methodology for early validation of requirements
• Help engineers in the validation phase
• Improve the product's quality
• Gain confidence in products
• Reduce bugs and their cost
• Minimize time to market
CONTEXT - AUTOMOBILE'S EVOLUTION
- 40-60 embedded systems in a classic vehicle
- 80 embedded systems in a premium vehicle
- Software represents more than 40% of the vehicle market value
Consequences: COMPLEXITY, COST
CRITICAL SYSTEM: deals with scenarios that may lead to loss of life, serious personal injury, or damage to the natural environment
MODEL'S CONSTRUCTION - COMPLETION
AD-function shall be available IF DAY-TIME = dawn OR DAY-TIME = dusk
Possible states: OFF, NOT_AVAILABLE, AVAILABLE, ACTIVABLE, ACTIVE
ASSOCIATED STATE MACHINE
IF AD-function is OFF AND DAY-TIME = dawn OR DAY-TIME = dusk THEN AD-function shall be available
IF AD-function is NOT_AVAILABLE AND DAY-TIME = dawn OR DAY-TIME = dusk THEN AD-function shall be available
...