
Towards Formal Verification of Freeway Traffic Control Stefan Mitsch - PowerPoint PPT Presentation



  1. Towards Formal Verification of Freeway Traffic Control. Stefan Mitsch, Sarah Loos, and André Platzer. Information Systems Group, Computer Science Department, Johannes Kepler University; Carnegie Mellon University. April 19, 2012

  2. How Can We Prove Complex Highways? 2/22

  3. How Can We Prove Complex Highways? observed by local sensor range Traffic centers aim at global functioning and safety. 3/22

  4. How Can We Prove Complex Highways? Traffic centers aim at global functioning and safety. Open-loop control systems (give advice, e.g., speed limits) 3/22

  5. How Can We Prove Complex Highways? Traffic centers aim at global functioning and safety. Open-loop control systems (give advice, e.g., speed limits) Closed-loop: use car information and feed advice as set values into car controllers 3/22

  6. Traffic Control: Outline
      Variable Speed Limit Control: 1 vehicle; n traffic advice
      Moving Incident Warning Control: 1 vehicle; 1 incident; n traffic advice
      Moving Incident Warning Control w/ Zeno Avoidance: 1 vehicle; 1 incident; n traffic advice, 1 warning
      4/22

  7. Traffic Control: Variable Speed Limit
      Variable Speed Limit Control: 1 vehicle; n traffic advice
      Moving Incident Warning Control: 1 vehicle; 1 incident; n traffic advice
      Moving Incident Warning Control w/ Zeno Avoidance: 1 vehicle; 1 incident; n traffic advice, 1 warning
      4/22

  8. Variable Speed Limit Challenges
      Traffic center: intelligent speed adaptation system
      • Global decisions beyond local sensor range
      • Multiple, sequentially issued speed limits
      In-car driver assistance systems: traffic sign detection
      • Find design parameters (camera resolution, etc.)
      5/22

  9. Differential Dynamic Logic (the short version). Initial Conditions → [Model] Requirements 6/22

  10. Differential Dynamic Logic. Initial Conditions → [Model] Requirements 6/22

  11. Differential Dynamic Logic. Initial Conditions → [Model] Requirements (logical formula, logical formula) 6/22

  12. Differential Dynamic Logic. Initial Conditions → [Model] Requirements (logical formula, logical formula) 6/22

  13. Differential Dynamic Logic. Initial Conditions → [Model] Requirements (logical formula, logical formula) 6/22

  14. Differential Dynamic Logic. Initial Conditions → [Model] Requirements (logical formula, hybrid program, logical formula) 6/22

  15. Differential Dynamic Logic. Initial Conditions → [Model] Requirements (logical formula, hybrid program: discrete control + continuous dynamics, logical formula) 6/22

  16. Differential Dynamic Logic. Initial Conditions → [(ctrl; dyn)*] Requirements (logical formula, hybrid program: discrete control ctrl, continuous dynamics dyn, logical formula) 6/22

  17. Differential Dynamic Logic. Initial Conditions → [(ctrl; x' = v, v' = a)*] Requirements (logical formula, hybrid program: discrete control ctrl, continuous dynamics x' = v, v' = a, logical formula) 6/22

  18. Traffic Control: Speed Limit Compliance Car is able to follow a speed limit advice if . 7/22

  19. Traffic Control: Speed Limit Compliance Car is able to follow a speed limit advice if . 7/22

  20. Traffic Control: Speed Limit Compliance Car is able to follow a speed limit advice if . car already follows speed limit advice 7/22

  21. Traffic Control: Speed Limit Compliance Car is able to follow a speed limit advice if . car is still able to brake car already follows speed limit advice 7/22

  22. Traffic Control: Speed Limit Compliance To Prove: Initial Conditions → [Model] Requirements 8/22

  23. Traffic Control: Speed Limit Compliance To Prove: ✔ Initial Conditions → [Model] Requirements 8/22

  24. Design Implications (Traffic center)
      Traffic center must be able to measure or estimate car parameters
      • Position, current velocity
      • Maximum acceleration, braking power
      Communication delay must be bounded
      • May not be possible with wireless communication: fault-tolerant design
      9/22

  25. Design Implications (Driver assistance 1/2)
      Image size
      • Adjust 60 km/h to 50 km/h speed limit: braking at 2 m/s² takes 26 m braking distance
      • Camera features:
        • Speed limit sign: width = 12 pixels
      Image processing tradeoff (higher resolution vs. processing speed) (2011)
      10/22

  26. Design Implications (Driver assistance 2/2)
      Image processing tradeoff
      Requirement: 20 px width
      (a) Replace 63 mm lens with 102 mm
      (b) Increase algorithm performance: 1040 px instead of 640 px image
      (c) Keep lens/camera, but brake harder: braking at 3.4 m/s² instead of 2 m/s² gives braking distance of 16 m
      11/22
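The compliance condition itself is not reproduced on this page; the slides show only its two disjuncts ("car already follows speed limit advice" and "car is still able to brake") and the (ctrl; x' = v, v' = a)* model shape. The following Python example is added here and is not code from the slides or the paper: it assumes one standard form of that envelope (worst case: the car accelerates for one control cycle eps before it can react, then brakes at b), runs the control loop against the requirement "past the limit position, v ≤ v_lim", and shows why the traffic center needs position, velocity and braking power to know whether an advice can still be followed. The Car fields, eps, x_lim and the 60 km/h to 50 km/h scenario are assumptions; braking_distance is pure kinematics, so it does not reproduce the slides' 26 m and 16 m figures, which presumably include margins (assumption) this example does not model.

```python
from dataclasses import dataclass


@dataclass
class Car:  # assumed state/parameters; the slides list these as what the traffic center must measure or estimate
    x: float  # position (m)
    v: float  # velocity (m/s)
    A: float  # maximum acceleration (m/s^2)
    b: float  # maximum braking deceleration (m/s^2)


def braking_distance(v, v_target, b):
    """Kinematic distance needed to brake from v down to v_target at deceleration b."""
    return 0.0 if v <= v_target else (v * v - v_target * v_target) / (2.0 * b)


def can_follow(car, x_lim, v_lim):
    """Slides 20/21 (assumed form): car already follows the advice, or can still brake to v_lim before x_lim."""
    return car.v <= v_lim or car.x + braking_distance(car.v, v_lim, car.b) <= x_lim


def advance(car, a, t):
    """Continuous dynamics x' = v, v' = a for t seconds (exact for constant a; the car stops at v = 0)."""
    if a < 0 and car.v + a * t < 0:
        t = car.v / -a  # brake to a standstill and stay there
    return Car(car.x + car.v * t + 0.5 * a * t * t, car.v + a * t, car.A, car.b)


def ctrl(car, x_lim, v_lim, eps):
    """Discrete control: choose the acceleration for the next control cycle of eps seconds."""
    if can_follow(advance(car, car.A, eps), x_lim, v_lim):
        return car.A  # even after eps s of full acceleration the advice stays followable
    if car.v <= v_lim:
        return 0.0  # already compliant: hold the current speed
    return -car.b  # otherwise brake with maximum braking power


def simulate(car, x_lim, v_lim, eps, cycles=200, substeps=50):
    """Run (ctrl; dyn)* and check the requirement x >= x_lim -> v <= v_lim after every substep."""
    dt = eps / substeps
    for _ in range(cycles):
        a = ctrl(car, x_lim, v_lim, eps)
        for _ in range(substeps):
            car = advance(car, a, dt)
            if car.x >= x_lim and car.v > v_lim + 1e-9:
                return False  # requirement violated
    return True


if __name__ == "__main__":
    car = Car(x=0.0, v=60 / 3.6, A=2.0, b=2.0)  # constructed scenario: 60 km/h, 2 m/s^2 braking as on slide 25
    print(round(braking_distance(car.v, 50 / 3.6, 2.0), 1))  # kinematic distance to slow to 50 km/h
    print(simulate(car, x_lim=100.0, v_lim=50 / 3.6, eps=0.5))  # advice issued early enough
    print(simulate(car, x_lim=10.0, v_lim=50 / 3.6, eps=0.5))  # advice issued too late to be followable
```

The second simulate call fails because can_follow is already false when the advice arrives: the center issued a limit the car cannot physically meet, which is exactly the check it must perform before sending.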

  27. Traffic Control: Incident Warning
      Variable Speed Limit Control: 1 vehicle; n traffic advice
      Moving Incident Warning Control: 1 vehicle; 1 incident; n traffic advice/warnings
      Moving Incident Warning Control w/ Zeno Avoidance: 1 vehicle; 1 incident; n traffic advice, 1 warning
      12/22

  28. Incident Warning Challenges
      Traffic center: long-term incident warning (e.g., accidents, traffic jams, wrong-way drivers)
      • Motion towards car
      • May exceed local sensor coverage
      In-car driver assistance systems: short-term
      • Find design parameters (camera resolution, etc.)
      • Estimate system performance (e.g., speed reduction)
      13/22

  29. Traffic Control: Incident Warning Car is able to react to an incident warning if . 14/22

  30. Traffic Control: Incident Warning Car is able to react to an incident warning if . Requirements: inside or outside warning area; as before: speed limit compliance 14/22

  31. Traffic Control: Incident Warning Car is able to react to an incident warning if . Outside warning area: car can still brake before warning area, keeping in mind that the incident may move towards the car. After incident. 14/22

  32. Traffic Control: Incident Warning Car is able to react to an incident warning if . Inside warning area: warning is in front of incident; car will reach warning faster than incident; car already passed warning. 14/22

  33. Traffic Control: Incident Warning To Prove: Initial Conditions → [Model] Requirements 15/22

  34. Traffic Control: Incident Warning To Prove: ✔ Initial Conditions → [Model] Requirements 15/22

  35. Design Implications (Traffic center)
      Traffic center must be able to measure or estimate incident parameters
      • Position and velocity of incident
      Assume reasonable car behavior
      • Car is not allowed to wait for incident
      • Unreasonably small minimum velocity results in large warning area
      16/22

  36. Design Implications (Driver assistance)
      Fast-moving incidents exceed local sensor range
      • 30 m/s car and incident (e.g., wrong-way driver)
      • 4 m/s² accel., 9 m/s² braking, 0.1 s reaction
      • 163 m sensor range for a complete standstill
      17/22

  37. Traffic Control: Incident Warning
      Variable Speed Limit Control: 1 vehicle; n traffic advice
      Moving Incident Warning Control: 1 vehicle; 1 incident; n traffic advice/warnings
      Moving Incident Warning Control w/ Zeno Avoidance: 1 vehicle; 1 incident; n traffic advice, 1 warning
      18/22

  38. Traffic Control: Incident Warning Avoid Zeno-type effects when warning cars 19/22

  39. Conclusions
      Closed-loop traffic control: cope with limited local sensor coverage globally in traffic centers
      • Incidents may move towards cars
      Traffic control models are formally verified
      Derive design decisions from verified models
      • Image processing performance, camera resolution, etc.
      • Local sensor range
      20/22

  40. Future Work
      • Dedicated up- and downlinks for communication
      • Multiple control decisions during one communication roundtrip
      • Advanced physical models (curves, road conditions, etc.)
      • Collaborative, global control actions in a fleet of cars (V2V communication)
      21/22

  41. Conclusions: Reference. For the full paper see: Stefan Mitsch, Sarah M. Loos, and André Platzer. Towards Formal Verification of Freeway Traffic Control. In International Conference on Cyber-Physical Systems (ICCPS), Beijing, China, April 17-19, 2012. 22/22
