towards formal verification of freeway traffic controlaplatzer/pub/trafficcenter... · 2020. 6....
TRANSCRIPT
![Page 1: Towards Formal Verification of Freeway Traffic Controlaplatzer/pub/trafficcenter... · 2020. 6. 16. · Conclusions Closed-loop traffic control: cope with limited local sensor coverage](https://reader036.vdocuments.site/reader036/viewer/2022071413/610ad60f73b81f24c314e810/html5/thumbnails/1.jpg)
Sarah Loos, and André Platzer Computer Science Department
Carnegie Mellon University
Towards Formal Verification of Freeway Traffic Control
Stefan Mitsch Information Systems Group Johannes Kepler University
April 19, 2012
![Page 2: Towards Formal Verification of Freeway Traffic Controlaplatzer/pub/trafficcenter... · 2020. 6. 16. · Conclusions Closed-loop traffic control: cope with limited local sensor coverage](https://reader036.vdocuments.site/reader036/viewer/2022071413/610ad60f73b81f24c314e810/html5/thumbnails/2.jpg)
How Can We Prove Complex Highways?
2/22
![Page 3: Towards Formal Verification of Freeway Traffic Controlaplatzer/pub/trafficcenter... · 2020. 6. 16. · Conclusions Closed-loop traffic control: cope with limited local sensor coverage](https://reader036.vdocuments.site/reader036/viewer/2022071413/610ad60f73b81f24c314e810/html5/thumbnails/3.jpg)
How Can We Prove Complex Highways?
Traffic centers aim at global functioning and safety.
3/22
observed by
local sensor range
![Page 4: Towards Formal Verification of Freeway Traffic Controlaplatzer/pub/trafficcenter... · 2020. 6. 16. · Conclusions Closed-loop traffic control: cope with limited local sensor coverage](https://reader036.vdocuments.site/reader036/viewer/2022071413/610ad60f73b81f24c314e810/html5/thumbnails/4.jpg)
How Can We Prove Complex Highways?
3/22
Traffic centers aim at global functioning and safety. Open-loop control systems (give advice, e.g., speed limits)
![Page 5: Towards Formal Verification of Freeway Traffic Controlaplatzer/pub/trafficcenter... · 2020. 6. 16. · Conclusions Closed-loop traffic control: cope with limited local sensor coverage](https://reader036.vdocuments.site/reader036/viewer/2022071413/610ad60f73b81f24c314e810/html5/thumbnails/5.jpg)
How Can We Prove Complex Highways?
3/22
Traffic centers aim at global functioning and safety. Open-loop control systems (give advice, e.g., speed limits) Closed-loop: use car information and feed advice as set values into car controllers
![Page 6: Towards Formal Verification of Freeway Traffic Controlaplatzer/pub/trafficcenter... · 2020. 6. 16. · Conclusions Closed-loop traffic control: cope with limited local sensor coverage](https://reader036.vdocuments.site/reader036/viewer/2022071413/610ad60f73b81f24c314e810/html5/thumbnails/6.jpg)
Traffic Control: Outline
Variable Speed Limit Control
Moving Incident Warning Control
Moving Incident Warning Control
w/ Zeno Avoidance
1 vehicle n traffic advice
1 vehicle 1 incident n traffic advice
1 vehicles 1 incident n traffic advice, 1 warning
4/22
![Page 7: Towards Formal Verification of Freeway Traffic Controlaplatzer/pub/trafficcenter... · 2020. 6. 16. · Conclusions Closed-loop traffic control: cope with limited local sensor coverage](https://reader036.vdocuments.site/reader036/viewer/2022071413/610ad60f73b81f24c314e810/html5/thumbnails/7.jpg)
Traffic Control: Variable Speed Limit
Variable Speed Limit Control
Moving Incident Warning Control
Moving Incident Warning Control
w/ Zeno Avoidance
1 vehicle n traffic advice
1 vehicle 1 incident n traffic advice
1 vehicles 1 incident n traffic advice, 1 warning
4/22
![Page 8: Towards Formal Verification of Freeway Traffic Controlaplatzer/pub/trafficcenter... · 2020. 6. 16. · Conclusions Closed-loop traffic control: cope with limited local sensor coverage](https://reader036.vdocuments.site/reader036/viewer/2022071413/610ad60f73b81f24c314e810/html5/thumbnails/8.jpg)
Variable Speed Limit Challenges
Traffic center: intelligent speed adaptation system • Global decisions beyond local sensor range • Multiple, sequentially issued speed limits In-car driver assistance systems: traffic sign detection • Find design parameters (camera resolution, etc.)
5/22
![Page 9: Towards Formal Verification of Freeway Traffic Controlaplatzer/pub/trafficcenter... · 2020. 6. 16. · Conclusions Closed-loop traffic control: cope with limited local sensor coverage](https://reader036.vdocuments.site/reader036/viewer/2022071413/610ad60f73b81f24c314e810/html5/thumbnails/9.jpg)
Differential Dynamic Logic*
Initial Conditions → [Model] Requirements
*The short version.
6/22
![Page 10: Towards Formal Verification of Freeway Traffic Controlaplatzer/pub/trafficcenter... · 2020. 6. 16. · Conclusions Closed-loop traffic control: cope with limited local sensor coverage](https://reader036.vdocuments.site/reader036/viewer/2022071413/610ad60f73b81f24c314e810/html5/thumbnails/10.jpg)
Initial Conditions → [Model] Requirements
Differential Dynamic Logic
6/22
![Page 11: Towards Formal Verification of Freeway Traffic Controlaplatzer/pub/trafficcenter... · 2020. 6. 16. · Conclusions Closed-loop traffic control: cope with limited local sensor coverage](https://reader036.vdocuments.site/reader036/viewer/2022071413/610ad60f73b81f24c314e810/html5/thumbnails/11.jpg)
Initial Conditions → [Model] Requirements
logical formula logical formula
Differential Dynamic Logic
6/22
![Page 12: Towards Formal Verification of Freeway Traffic Controlaplatzer/pub/trafficcenter... · 2020. 6. 16. · Conclusions Closed-loop traffic control: cope with limited local sensor coverage](https://reader036.vdocuments.site/reader036/viewer/2022071413/610ad60f73b81f24c314e810/html5/thumbnails/12.jpg)
Initial Conditions → [Model] Requirements
logical formula logical formula
Differential Dynamic Logic
6/22
![Page 13: Towards Formal Verification of Freeway Traffic Controlaplatzer/pub/trafficcenter... · 2020. 6. 16. · Conclusions Closed-loop traffic control: cope with limited local sensor coverage](https://reader036.vdocuments.site/reader036/viewer/2022071413/610ad60f73b81f24c314e810/html5/thumbnails/13.jpg)
Initial Conditions → [Model] Requirements
logical formula logical formula
Differential Dynamic Logic
6/22
![Page 14: Towards Formal Verification of Freeway Traffic Controlaplatzer/pub/trafficcenter... · 2020. 6. 16. · Conclusions Closed-loop traffic control: cope with limited local sensor coverage](https://reader036.vdocuments.site/reader036/viewer/2022071413/610ad60f73b81f24c314e810/html5/thumbnails/14.jpg)
Initial Conditions → [Model] Requirements
logical formula logical formula hybrid program
Differential Dynamic Logic
6/22
![Page 15: Towards Formal Verification of Freeway Traffic Controlaplatzer/pub/trafficcenter... · 2020. 6. 16. · Conclusions Closed-loop traffic control: cope with limited local sensor coverage](https://reader036.vdocuments.site/reader036/viewer/2022071413/610ad60f73b81f24c314e810/html5/thumbnails/15.jpg)
Initial Conditions → [Model] Requirements
logical formula logical formula hybrid program
discrete control continuous dynamics
Differential Dynamic Logic
6/22
![Page 16: Towards Formal Verification of Freeway Traffic Controlaplatzer/pub/trafficcenter... · 2020. 6. 16. · Conclusions Closed-loop traffic control: cope with limited local sensor coverage](https://reader036.vdocuments.site/reader036/viewer/2022071413/610ad60f73b81f24c314e810/html5/thumbnails/16.jpg)
logical formula logical formula hybrid program
→ [(ctrl;dyn)*]
discrete control continuous dynamics
Differential Dynamic Logic
6/22
![Page 17: Towards Formal Verification of Freeway Traffic Controlaplatzer/pub/trafficcenter... · 2020. 6. 16. · Conclusions Closed-loop traffic control: cope with limited local sensor coverage](https://reader036.vdocuments.site/reader036/viewer/2022071413/610ad60f73b81f24c314e810/html5/thumbnails/17.jpg)
logical formula logical formula hybrid program
→ [(ctrl; x’= v; v’= a)*]
discrete control continuous dynamics
Differential Dynamic Logic
6/22
![Page 18: Towards Formal Verification of Freeway Traffic Controlaplatzer/pub/trafficcenter... · 2020. 6. 16. · Conclusions Closed-loop traffic control: cope with limited local sensor coverage](https://reader036.vdocuments.site/reader036/viewer/2022071413/610ad60f73b81f24c314e810/html5/thumbnails/18.jpg)
Traffic Control: Speed Limit Compliance
7/22
Car is able to follow a speed limit advice if .
![Page 19: Towards Formal Verification of Freeway Traffic Controlaplatzer/pub/trafficcenter... · 2020. 6. 16. · Conclusions Closed-loop traffic control: cope with limited local sensor coverage](https://reader036.vdocuments.site/reader036/viewer/2022071413/610ad60f73b81f24c314e810/html5/thumbnails/19.jpg)
Traffic Control: Speed Limit Compliance
Car is able to follow a speed limit advice if .
7/22
![Page 20: Towards Formal Verification of Freeway Traffic Controlaplatzer/pub/trafficcenter... · 2020. 6. 16. · Conclusions Closed-loop traffic control: cope with limited local sensor coverage](https://reader036.vdocuments.site/reader036/viewer/2022071413/610ad60f73b81f24c314e810/html5/thumbnails/20.jpg)
Traffic Control: Speed Limit Compliance
car already follows speed limit advice
Car is able to follow a speed limit advice if .
7/22
![Page 21: Towards Formal Verification of Freeway Traffic Controlaplatzer/pub/trafficcenter... · 2020. 6. 16. · Conclusions Closed-loop traffic control: cope with limited local sensor coverage](https://reader036.vdocuments.site/reader036/viewer/2022071413/610ad60f73b81f24c314e810/html5/thumbnails/21.jpg)
Traffic Control: Speed Limit Compliance
car is still able to brake
Car is able to follow a speed limit advice if .
car already follows speed limit advice
7/22
![Page 22: Towards Formal Verification of Freeway Traffic Controlaplatzer/pub/trafficcenter... · 2020. 6. 16. · Conclusions Closed-loop traffic control: cope with limited local sensor coverage](https://reader036.vdocuments.site/reader036/viewer/2022071413/610ad60f73b81f24c314e810/html5/thumbnails/22.jpg)
Traffic Control: Speed Limit Compliance
Initial Conditions → [Model] Requirements
To Prove:
8/22
![Page 23: Towards Formal Verification of Freeway Traffic Controlaplatzer/pub/trafficcenter... · 2020. 6. 16. · Conclusions Closed-loop traffic control: cope with limited local sensor coverage](https://reader036.vdocuments.site/reader036/viewer/2022071413/610ad60f73b81f24c314e810/html5/thumbnails/23.jpg)
Traffic Control: Speed Limit Compliance
Initial Conditions → [Model] Requirements
To Prove:
8/22
h
✔
![Page 24: Towards Formal Verification of Freeway Traffic Controlaplatzer/pub/trafficcenter... · 2020. 6. 16. · Conclusions Closed-loop traffic control: cope with limited local sensor coverage](https://reader036.vdocuments.site/reader036/viewer/2022071413/610ad60f73b81f24c314e810/html5/thumbnails/24.jpg)
Design Implications (Traffic center)
9/22
Traffic center must be able to measure or estimate car parameters • Position, current velocity • Maximum acceleration, braking power Communication delay must be bounded • May not be possible with wireless
communication: fault-tolerant design
![Page 25: Towards Formal Verification of Freeway Traffic Controlaplatzer/pub/trafficcenter... · 2020. 6. 16. · Conclusions Closed-loop traffic control: cope with limited local sensor coverage](https://reader036.vdocuments.site/reader036/viewer/2022071413/610ad60f73b81f24c314e810/html5/thumbnails/25.jpg)
Design Implications (Driver assistance 1/2)
10/22
Image size • Adjust 60km/h to 50km/h speed limit
braking at 2m/s2 takes 26m braking distance
• Camera features:
• Speed limit sign: width = 12 pixels Image processing tradeoff (higher resolution vs. processing speed)
(2011)
![Page 26: Towards Formal Verification of Freeway Traffic Controlaplatzer/pub/trafficcenter... · 2020. 6. 16. · Conclusions Closed-loop traffic control: cope with limited local sensor coverage](https://reader036.vdocuments.site/reader036/viewer/2022071413/610ad60f73b81f24c314e810/html5/thumbnails/26.jpg)
Design Implications (Driver assistance 2/2)
Image processing tradeoff Requirement: 20px width (a) Replace 63mm lens with 102mm (b) Increase algorithm performance
1040px instead of 640px image (c) Keep lens/camera, but brake harder
braking at 3.4m/s² instead of 2m/s² gives braking distance of 16m
11/22
![Page 27: Towards Formal Verification of Freeway Traffic Controlaplatzer/pub/trafficcenter... · 2020. 6. 16. · Conclusions Closed-loop traffic control: cope with limited local sensor coverage](https://reader036.vdocuments.site/reader036/viewer/2022071413/610ad60f73b81f24c314e810/html5/thumbnails/27.jpg)
Traffic Control: Incident Warning
Variable Speed Limit Control
Moving Incident Warning Control
Moving Incident Warning Control
w/ Zeno Avoidance
1 vehicle n traffic advice
1 vehicle 1 incident n traffic advice/warnings
1 vehicles 1 incident n traffic advice, 1 warning
12/22
![Page 28: Towards Formal Verification of Freeway Traffic Controlaplatzer/pub/trafficcenter... · 2020. 6. 16. · Conclusions Closed-loop traffic control: cope with limited local sensor coverage](https://reader036.vdocuments.site/reader036/viewer/2022071413/610ad60f73b81f24c314e810/html5/thumbnails/28.jpg)
Incident Warning Challenges
Traffic center: long-term incident warning (e.g., accidents, traffic jams, wrong-way drivers) • Motion towards car • May exceed local sensor coverage In-car driver assistance systems: short-term • Find design parameters (camera resolution, etc.) • Estimate system performance (e.g., speed reduction)
13/22
![Page 29: Towards Formal Verification of Freeway Traffic Controlaplatzer/pub/trafficcenter... · 2020. 6. 16. · Conclusions Closed-loop traffic control: cope with limited local sensor coverage](https://reader036.vdocuments.site/reader036/viewer/2022071413/610ad60f73b81f24c314e810/html5/thumbnails/29.jpg)
Traffic Control: Incident Warning
14/22
Car is able to react to an incident warning if .
![Page 30: Towards Formal Verification of Freeway Traffic Controlaplatzer/pub/trafficcenter... · 2020. 6. 16. · Conclusions Closed-loop traffic control: cope with limited local sensor coverage](https://reader036.vdocuments.site/reader036/viewer/2022071413/610ad60f73b81f24c314e810/html5/thumbnails/30.jpg)
Traffic Control: Incident Warning
As before: speed limit compliance
Requirements inside or outside warning area
14/22
Car is able to react to an incident warning if .
![Page 31: Towards Formal Verification of Freeway Traffic Controlaplatzer/pub/trafficcenter... · 2020. 6. 16. · Conclusions Closed-loop traffic control: cope with limited local sensor coverage](https://reader036.vdocuments.site/reader036/viewer/2022071413/610ad60f73b81f24c314e810/html5/thumbnails/31.jpg)
Traffic Control: Incident Warning
Car can still brake before warning area, keeping in mind that
incident may move towards car
Outside warning area
After incident
14/22
Car is able to react to an incident warning if .
![Page 32: Towards Formal Verification of Freeway Traffic Controlaplatzer/pub/trafficcenter... · 2020. 6. 16. · Conclusions Closed-loop traffic control: cope with limited local sensor coverage](https://reader036.vdocuments.site/reader036/viewer/2022071413/610ad60f73b81f24c314e810/html5/thumbnails/32.jpg)
Traffic Control: Incident Warning
Inside warning area
Warning is in front of incident
Car will reach warning faster than incident
Car already passed warning
14/22
Car is able to react to an incident warning if .
![Page 33: Towards Formal Verification of Freeway Traffic Controlaplatzer/pub/trafficcenter... · 2020. 6. 16. · Conclusions Closed-loop traffic control: cope with limited local sensor coverage](https://reader036.vdocuments.site/reader036/viewer/2022071413/610ad60f73b81f24c314e810/html5/thumbnails/33.jpg)
Traffic Control: Incident Warning
Initial Conditions → [Model] Requirements
To Prove:
15/22
![Page 34: Towards Formal Verification of Freeway Traffic Controlaplatzer/pub/trafficcenter... · 2020. 6. 16. · Conclusions Closed-loop traffic control: cope with limited local sensor coverage](https://reader036.vdocuments.site/reader036/viewer/2022071413/610ad60f73b81f24c314e810/html5/thumbnails/34.jpg)
Traffic Control: Incident Warning
Initial Conditions → [Model] Requirements
To Prove:
15/22
h
✔
![Page 35: Towards Formal Verification of Freeway Traffic Controlaplatzer/pub/trafficcenter... · 2020. 6. 16. · Conclusions Closed-loop traffic control: cope with limited local sensor coverage](https://reader036.vdocuments.site/reader036/viewer/2022071413/610ad60f73b81f24c314e810/html5/thumbnails/35.jpg)
Design Implications (Traffic center)
Traffic center must be able to measure or estimate incident parameters • Position and velocity of incident Assume reasonable car behavior • Car is not allowed to wait for incident • Unreasonably small minimum velocity
results in large warning area
16/22
![Page 36: Towards Formal Verification of Freeway Traffic Controlaplatzer/pub/trafficcenter... · 2020. 6. 16. · Conclusions Closed-loop traffic control: cope with limited local sensor coverage](https://reader036.vdocuments.site/reader036/viewer/2022071413/610ad60f73b81f24c314e810/html5/thumbnails/36.jpg)
Design Implications (Driver assistance)
Fast-moving incidents exceed local sensor range • 30m/s car and incident (e.g., wrong-way
driver) • 4m/s² accel., 9m/s² braking, 0.1s reaction • 163m sensor range for a complete stand
still
17/22
![Page 37: Towards Formal Verification of Freeway Traffic Controlaplatzer/pub/trafficcenter... · 2020. 6. 16. · Conclusions Closed-loop traffic control: cope with limited local sensor coverage](https://reader036.vdocuments.site/reader036/viewer/2022071413/610ad60f73b81f24c314e810/html5/thumbnails/37.jpg)
Traffic Control: Incident Warning
Variable Speed Limit Control
Moving Incident Warning Control
Moving Incident Warning Control
w/ Zeno Avoidance
1 vehicle n traffic advice
1 vehicle 1 incident n traffic advice/warnings
1 vehicles 1 incident n traffic advice, 1 warning
18/22
![Page 38: Towards Formal Verification of Freeway Traffic Controlaplatzer/pub/trafficcenter... · 2020. 6. 16. · Conclusions Closed-loop traffic control: cope with limited local sensor coverage](https://reader036.vdocuments.site/reader036/viewer/2022071413/610ad60f73b81f24c314e810/html5/thumbnails/38.jpg)
Traffic Control: Incident Warning
Avoid Zeno-type effects when warning cars
19/22
![Page 39: Towards Formal Verification of Freeway Traffic Controlaplatzer/pub/trafficcenter... · 2020. 6. 16. · Conclusions Closed-loop traffic control: cope with limited local sensor coverage](https://reader036.vdocuments.site/reader036/viewer/2022071413/610ad60f73b81f24c314e810/html5/thumbnails/39.jpg)
Conclusions
Closed-loop traffic control: cope with limited local sensor coverage globally in traffic centers • Incidents, may move towards cars Traffic control models are formally verified Derive design decisions from verified models • Image processing performance, camera resolution, etc. • Local sensor range
20/22
![Page 40: Towards Formal Verification of Freeway Traffic Controlaplatzer/pub/trafficcenter... · 2020. 6. 16. · Conclusions Closed-loop traffic control: cope with limited local sensor coverage](https://reader036.vdocuments.site/reader036/viewer/2022071413/610ad60f73b81f24c314e810/html5/thumbnails/40.jpg)
Future Work
• Dedicated up- and downlinks for communication • Multiple control decisions during one
communication roundtrip • Advanced physical models (curves, road
conditions, etc.) • Collaborative, global control actions in a fleet of
cars (V2V communication)
21/22
![Page 41: Towards Formal Verification of Freeway Traffic Controlaplatzer/pub/trafficcenter... · 2020. 6. 16. · Conclusions Closed-loop traffic control: cope with limited local sensor coverage](https://reader036.vdocuments.site/reader036/viewer/2022071413/610ad60f73b81f24c314e810/html5/thumbnails/41.jpg)
Conclusions Reference
22/22
For the full paper see:
Stefan Mitsch, Sarah M. Loos, and André Platzer. Towards Formal Verification of Freeway Traffic Control. In International Conference on Cyber-Physical Systems, ICCPS, Beijing, China, April 17-19. 2012.