
Safe Collaborative Driving Systems
NSF 1035178 and 1329593

Nick Maxemchuk
Columbia University

Engineering is the Art of Managing Complexity
Photograph courtesy of NASA


Example – A Collaborative Merge Protocol

• Car 1 signals its intent to merge between cars 2 and 3
• Car 2 uses intelligent cruise control to maintain a safe gap behind both cars F and B
• Car 3 increases the gap to car 2 to 2*safe gap + car length
• Car 1 uses intelligent cruise control to maintain a safe gap behind car B and to create a safe gap behind car 2
• When the gaps are safe, the driver in car 1 receives a signal to merge.

Objective: To prove that the protocol will not cause an accident under combinations of failures, including 1) mechanical failures, 2) loss of communications, 3) unexpected obstacles in the roadway, 4) non-participating drivers who move into the gap, …


Managing Complexity

1. An architecture that partitions the problem into smaller, more manageable pieces

2. Eliminate ambiguities: replace timers that are started by messages sent over an unreliable channel with deadlines based on synchronized clocks

3. Replace pairwise verification of a large number of implementations with a single model check plus one conformance test of each implementation


Objectives of an Architecture: Lessons from Communications Architectures

• Break a big design problem into smaller, more manageable modules
– A stack architecture with well defined interfaces

• Stack architectures
– A subset of possible modular architectures
– Re-use the modules in many applications
– Modify modules independently, as long as the services are preserved

• Stacks also partition testing into smaller pieces
– The services provided by a layer are verified
– A higher layer is verified assuming the services from the lower layer
– Black box conformance testing at the service interfaces


An Intelligent Vehicle Architecture

• Multiple stack architecture with well defined interfaces: one stack for each interaction with the physical world

• A layer may use services from the lower layer in the same stack or from any layer in another stack

• In order to guarantee that we can design, verify and modify components independently, we must verify that there are no loops. Examples:
o There is an implicit loop between anti-lock braking and measurements: feedback control must be considered when designing anti-lock brakes
o If a broadcast protocol transmits messages at specified times, and the broadcast protocol is used to synchronize the clocks, then the two implementations must be designed together

• Services are provided to specific protocols in a layer, not to the layer
o The figure shows the services used by the merge protocol


Architecture (figure)


Synchronized Clocks

1. Time is a critical component in coordinated driving maneuvers
– Vehicles must start and complete maneuvers according to a planned schedule
– In the merge protocol, cars commit to the operation for a specified time, and abort the maneuver if the gap isn't created by a deadline before the end of the commit time

2. Recent advances make synchronized clocks a new capability in protocols
– Accurate atomic-clock time is distributed by GPS to inexpensive receivers
– Crystal oscillators maintain the clocks while GPS isn't available
– NTP and PTP can synchronize nearby vehicles when necessary

3. Synchronization can reduce the possible protocol sequences
– Timers that are set by messages over an unreliable communications channel can start at different times in different vehicles, which results in different execution sequences
– Synchronized clocks can guarantee a unique sequence; for instance, attacking armies synchronize their watches

4. Synchronization can provide guarantees that cannot be obtained without it
– A lock protocol


A Safe Lock Protocol – Using Synchronized Clocks

• Before the merge protocol is used, the 3 cars must obtain a lock
– Each car accepts only 1 lock at a time

• All cars release the lock simultaneously at an absolute time deadline, so no release message is needed

• The merging car (the master) does not use the lock without receiving acks from the other two
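The deadline-based lock of the last two slides, as an added illustration that is not part of the talk: a small event-driven simulation in Python in which three cars that share a synchronized clock take a lock for a merge. The one-way delay, the commit time, the dropped messages and the car names are all constructed for the example. Every car discards its lock when the clock passes the absolute deadline, with no release message, so a lost ACK (the master never proceeds) or a competing request (refused, because each car accepts only one lock) cannot leave a lock dangling; with a timer started on receipt of the request, the car that received the request late would still be holding the lock after the others had released.

```python
"""Merge lock on synchronized clocks (added example; assumptions: one-way delay
DELAY, a master that commits only if both ACKs arrive by its commit time, and
explicitly listed message drops). Car names are constructed."""
import heapq
import itertools

DELAY = 0.05   # assumed one-way V2V message delay, seconds


class Vehicle:
    def __init__(self, name):
        self.name = name
        self.lock = None     # (master, deadline): a car accepts only one lock
        self.acks = set()    # ACKs collected while acting as master
        self.log = []

    def holds_lock(self, now):
        # Release is implicit: past the deadline on the synchronized clock the
        # lock is void on every car, without any release message.
        return self.lock is not None and now < self.lock[1]

    def on_lock(self, master, deadline, now):
        if self.holds_lock(now):
            self.log.append((now, f"refused {master}: locked for {self.lock[0]}"))
            return None
        self.lock = (master, deadline)
        self.log.append((now, f"locked for {master} until {deadline}"))
        return "ACK"


def run_lock_protocol(requests, drops=frozenset(), delay=DELAY):
    """requests: [(t_send, master, (p1, p2), t_commit, deadline)]
    drops: {(sender, receiver, kind)} messages the channel loses.
    Returns ({(t_send, master): proceeded}, {name: Vehicle})."""
    cars, events, seq, outcome = {}, [], itertools.count(), {}

    def car(name):
        return cars.setdefault(name, Vehicle(name))

    def at(t, fn, *args):
        heapq.heappush(events, (t, next(seq), fn, args))

    def send(t, src, dst, kind, *payload):
        if (src, dst, kind) not in drops:
            at(t + delay, deliver, src, dst, kind, *payload)

    def deliver(t, src, dst, kind, *payload):
        if kind == "LOCK":
            master, deadline = payload
            if car(dst).on_lock(master, deadline, t) == "ACK":
                send(t, dst, src, "ACK")
        elif kind == "ACK":
            car(dst).acks.add(src)

    def start(t, master, parts, t_commit, deadline):
        m = car(master)
        if m.on_lock(master, deadline, t) is None:   # master itself still locked
            outcome[(t, master)] = False
            return
        m.acks = set()
        for p in parts:
            send(t, master, p, "LOCK", master, deadline)
        at(t_commit, commit, t, master, parts)

    def commit(t, t_send, master, parts):
        # The master uses the lock only with ACKs from both other cars.
        outcome[(t_send, master)] = car(master).acks >= set(parts)

    for t0, master, parts, t_commit, deadline in requests:
        at(t0, start, master, parts, t_commit, deadline)
    while events:
        t, _, fn, args = heapq.heappop(events)
        fn(t, *args)
    return outcome, cars


def holders(cars, now):
    """Cars holding a lock at absolute time `now`."""
    return sorted(n for n, c in cars.items() if c.holds_lock(now))


def scenario_clean():
    outcome, cars = run_lock_protocol([(0.0, "car1", ("car2", "car3"), 0.5, 2.0)])
    return outcome[(0.0, "car1")], holders(cars, 1.9), holders(cars, 2.0)


def scenario_lost_ack():
    # car3 takes the lock but its ACK is lost: the master must not merge, and
    # car3's lock still expires at the deadline like everyone else's.
    drops = {("car3", "car1", "ACK")}
    outcome, cars = run_lock_protocol([(0.0, "car1", ("car2", "car3"), 0.5, 2.0)], drops)
    return outcome[(0.0, "car1")], holders(cars, 1.9), holders(cars, 2.0)


def scenario_competing_masters():
    # car1 and car4 both want car3, which accepts only the first request;
    # car4's retry at the deadline succeeds with no release message exchanged.
    reqs = [(0.0, "car1", ("car2", "car3"), 0.5, 2.0),
            (0.01, "car4", ("car3", "car5"), 0.5, 2.0),
            (2.0, "car4", ("car3", "car5"), 2.5, 4.0)]
    outcome, _ = run_lock_protocol(reqs)
    return outcome[(0.0, "car1")], outcome[(0.01, "car4")], outcome[(2.0, "car4")]
```

Each scenario returns whether the master proceeded and who holds a lock just before and at the deadline; in the lost-ACK case the master aborts while every lock still disappears at the deadline, and in the competing case the refused master simply retries once the clock passes the deadline.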


Proving the Safety of Intelligent Vehicles

1. The case for model checking and conformance testing rather than pairwise testing
– The number of different manufacturers, models per manufacturer, and model years (generations per model) will make pairwise testing unsustainable
– N different implementations of a system with k participants may require N^k pairwise tests. Formal methods require 1 model check and N conformance tests; this is the procedure used for the telephone network
– Formal testing procedures allow us to test only the new components in an architecture, rather than the entire vehicle

2. The case for probabilistic testing rather than test tracks
– You cannot operate a vehicle on a test track for a day and guarantee that in the real world it will crash less than once every 10 or 20 years
– Probabilistic verification is a directed simulation that has guaranteed less than one failure per 100 years in communications protocols

Pair Wise Testing of Implementations vs. Model Checking + Conformance Testing of Implementations (figure: 4 makes, 3 models)

Pairwise Verification (figure)

FSM Specification and Conformance Testing (figure)


Method: Model Checking and Conformance Testing of Protocols

1. Unambiguous model of the interactions between users
• Finite state machines (FSM, EFSM): the component machine (also SDL, pseudo code, Petri nets, …)

2. Verification of the model
• Look at sequences of interactions (instead of proof systems)
• Composite machine: 4 participants with 10 states each may have 10,000 states (the number of execution sequences is much larger)
• Differs from program verification, which must consider both execution sequences and data values

3. Conformance testing
• Prove that the implementation of the component machine for each user correctly and completely implements the model
• Argue that all N implementations will work together because they all implement the same model, which has been verified


Engineering Applied To Verification: How to solve problems that mathematicians consider intractable

1. Probabilistic Verification
• Explore the most likely sequences first
– Don't reconsider high probability paths many times, as in simulations and on test tracks
• Upper bound on the probability that an unexplored sequence will occur
– Unexplored paths are unlikely in the lifetime of the machine

2. Multi-dimensional Architecture
• Partition verification into smaller, more manageable pieces
– The services provided by a layer are verified; the next layer is verified assuming those services

3. Time Synchronized Protocols
• Removes time from the finite state machine
– Continuous values of time are similar to data in program verification
• Reduces the number of sequences that must be explored


Example: Probabilistic Checking of an ARQ Protocol

• Composite machine: the combination of all interactions
• Search the sequence without errors only once
• If P <= 10^-3, one message is transmitted every second, and we search 5 levels, each unexplored path occurs less than once every 100 billion years
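The search the slide describes, as an added example (my illustration, not the talk's code): a stop-and-wait ARQ with alternating sequence bits, modelled as a composite machine of sender, channel and receiver. The loss probability P_LOSS, the retry limit MAX_RETRIES after which the sender gives up, the five-level cut-off and the messages-per-second conversion are all assumptions of the example. Paths are expanded most-probable first, every composite state is expanded once (so the error-free sequence is searched once), and a branch that would need more than LEVELS losses is not expanded; its path probability is summed into the bound on unexplored behaviour. The invariant checked on every explored state is that at most one frame is outstanding and the receiver expects the sender's current bit exactly when one is.

```python
"""Probabilistic verification of a stop-and-wait ARQ (added example)."""
import heapq
import itertools

P_LOSS = 1e-3          # assumed per-message loss probability (the slide's P)
LEVELS = 5             # loss events explored along any one path (the slide's 5 levels)
MAX_RETRIES = 8        # assumed: the sender gives up after this many time-outs
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Composite state (sender + channel + receiver):
#   (send_bit, recv_bit, channel, outstanding, retries)
#   channel     : None (idle, sender will (re)transmit), ("data", bit),
#                 ("ack", bit) or "abort" (sender gave up)
#   outstanding : frames started by the sender and not yet accepted (0 or 1)
#   retries     : time-outs suffered by the current frame
INITIAL = (0, 0, None, 1, 0)


def successors(state, p=P_LOSS):
    """Every (probability, next_state, is_loss) outcome of one step."""
    sb, rb, chan, out, retries = state
    if chan == "abort":
        return []
    if chan is None:
        if retries > MAX_RETRIES:
            return [(1.0, (sb, rb, "abort", out, retries), False)]
        return [(1.0, (sb, rb, ("data", sb), out, retries), False)]
    kind, bit = chan
    lost = (p, (sb, rb, None, out, retries + 1), True)           # time-out, retransmit
    if kind == "data":
        if bit == rb:                                              # in-order frame accepted
            ok = (1 - p, (sb, rb ^ 1, ("ack", bit), out - 1, retries), False)
        else:                                                      # duplicate: re-ack only
            ok = (1 - p, (sb, rb, ("ack", bit), out, retries), False)
    elif bit == sb:                                                # ack for the current frame
        ok = (1 - p, (sb ^ 1, rb, None, out + 1, 0), False)
    else:                                                          # stale ack, ignore
        ok = (1 - p, (sb, rb, None, out, retries), False)
    return [ok, lost]


def invariant_holds(state):
    """At most one frame outstanding, and the receiver waits for the sender's
    bit exactly when a frame is outstanding (no loss, duplication or reordering)."""
    sb, rb, _, out, _ = state
    return out in (0, 1) and out == (1 if sb == rb else 0)


def verify(levels=LEVELS, p=P_LOSS):
    """Best-first search of the composite machine. Each state is expanded once,
    via its most probable path; a branch that would need more than `levels`
    losses is not expanded and its path probability goes into the bound."""
    tie = itertools.count()
    heap = [(-1.0, next(tie), INITIAL, 0)]     # (-path prob, tie-break, state, losses)
    expanded, violations, bound = {}, [], 0.0
    while heap:
        neg_prob, _, state, losses = heapq.heappop(heap)
        if state in expanded:                  # already searched via a likelier path
            continue
        prob = -neg_prob
        expanded[state] = prob
        if not invariant_holds(state):
            violations.append(state)
        for edge_prob, nxt, is_loss in successors(state, p):
            if nxt in expanded:
                continue
            nxt_losses = losses + is_loss
            if nxt_losses > levels:
                bound += prob * edge_prob      # mass of the unexplored branch
                continue
            heapq.heappush(heap, (-(prob * edge_prob), next(tie), nxt, nxt_losses))
    return {"states": len(expanded), "violations": violations,
            "abort_reached": any(s[2] == "abort" for s in expanded),
            "unexplored_bound": bound}


def years_between_unexplored_paths(bound, steps_per_second=1.0):
    """The slide's rule of thumb (assumed here): treat the bound as the chance,
    per protocol step, of entering an unexplored path."""
    return 1.0 / (bound * steps_per_second * SECONDS_PER_YEAR)


if __name__ == "__main__":
    r = verify()
    print(r["states"], "states,", len(r["violations"]), "violations,",
          "unexplored mass <=", r["unexplored_bound"])
    print("about one unexplored path per",
          f"{years_between_unexplored_paths(r['unexplored_bound']):.2e}", "years")
```

With LEVELS = 5 the sender's abort state (nine time-outs) is never reached and the bound is of order P_LOSS to the sixth power; raising LEVELS so that every loss chain fits makes the bound exactly zero, which is ordinary exhaustive model checking of the same machine.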


Conformance Testing

Objective: To guarantee that the hardware or software implementation of a protocol matches the model that has been verified

• Test that every edge from every state in the FSM is initiated by the proper input, issues the proper output, and leads to the proper state
– The final state is tested using a UIO (unique input/output) sequence, which ends in another state
– A minimal test sequence is constructed with the Rural Chinese Postman algorithm

• When an implementation matches the model it will interoperate with any other implementation that matches the model
– The implementations of a protocol by different manufacturers will operate together
– For N implementations, interoperability is guaranteed with N tests of the component machine, instead of N^i i-party tests of the composite machine


Conformance Testing in Intelligent Vehicles

• We test the component machine (one vehicle) rather than the composite machine (the interaction between a number of vehicles)

• We test the procedures in one layer of one stack by applying the inputs and observing the outputs across the well defined interfaces, rather than testing the entire vehicle
– Since the same communications routine is used for every collaborative application (cooperative braking, merges, intelligent cruise control), it isn't necessary to check the communications multiple times

• Problem: the postman algorithm that was used for communications protocols does not consider time critical events
– The only timers were for retransmissions. The timer was set and the machine stayed in the state until a message was received or a timeout occurred


Time in Conformance Tests

If the transition between two states occurs because of a time-out, in order to test the edge we must:
1) Execute a transfer sequence to the edge where the time-out is set, and set the time-out
2) Execute a transfer sequence to the state where the time-out occurs
3) Wait for the timer to expire
– The transfer sequences may also contain edges with time-outs that need to be set and waited for. The sequence that successfully exercises the current time-out may be difficult to find, and the waits may be excessive

A strategy with accurate clocks:
1) A shared memory between processes stores the time of occurrence of all time related events; time-outs are set as outputs from a module
2) In any module, time-outs are an external input from the shared memory
3) To test an edge, the input to the module is just the input that is received from the shared memory

We are designing a shared memory for time-outs, sensor readings, …
• Each memory element has guarantees for the element: which participants definitely have the value, which participants know which other participants have the element, …
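The procedure of the conformance-testing slides, carried out on a small lock-participant machine as an added example (my illustration, not the project's own tooling or machine): the states IDLE, LOCKED and RESTORING, the inputs LOCK, DEADLINE and GAP, and the outputs are all assumed for the example. DEADLINE and GAP are ordinary inputs, read from the shared memory in the strategy above, so the tester injects them instead of waiting on a clock. The code computes a UIO sequence for each state by breadth-first enumeration, builds one test sequence that fires every edge and confirms the target state with its UIO (a simple edge cover, not the minimal Rural Chinese Postman tour), and runs it against a conforming implementation and a mutant that accepts a new lock before the gap is restored.

```python
"""Conformance testing of a lock participant with UIO sequences (added example)."""
from collections import deque
from itertools import product

# Assumed specification (Mealy machine): (state, input) -> (output, next state).
# "-" is the null output. DEADLINE and GAP are events the module reads from the
# shared time/sensor memory, so the tester supplies them directly.
STATES = ["IDLE", "LOCKED", "RESTORING"]
INPUTS = ["LOCK", "DEADLINE", "GAP"]
INITIAL = "IDLE"
SPEC = {
    ("IDLE", "LOCK"): ("ACK", "LOCKED"),             # take the lock
    ("IDLE", "DEADLINE"): ("-", "IDLE"),
    ("IDLE", "GAP"): ("-", "IDLE"),
    ("LOCKED", "LOCK"): ("NAK", "LOCKED"),           # only one lock at a time
    ("LOCKED", "DEADLINE"): ("RELEASE", "RESTORING"),
    ("LOCKED", "GAP"): ("-", "LOCKED"),
    ("RESTORING", "LOCK"): ("NAK", "RESTORING"),     # gap not yet restored
    ("RESTORING", "DEADLINE"): ("-", "RESTORING"),
    ("RESTORING", "GAP"): ("-", "IDLE"),
}


def run_spec(state, inputs):
    """Outputs the specification produces from `state` on `inputs`."""
    outs = []
    for i in inputs:
        o, state = SPEC[(state, i)]
        outs.append(o)
    return outs


def uio(state, max_len=3):
    """Shortest input sequence whose outputs from `state` differ from every other state."""
    for n in range(1, max_len + 1):
        for seq in product(INPUTS, repeat=n):
            mine = run_spec(state, seq)
            if all(run_spec(other, seq) != mine for other in STATES if other != state):
                return list(seq)
    raise ValueError(f"no UIO of length <= {max_len} for {state}")


def transfer(src, dst):
    """Shortest input sequence moving the specification from src to dst (BFS)."""
    paths, queue = {src: []}, deque([src])
    while queue:
        s = queue.popleft()
        if s == dst:
            return paths[s]
        for i in INPUTS:
            nxt = SPEC[(s, i)][1]
            if nxt not in paths:
                paths[nxt] = paths[s] + [i]
                queue.append(nxt)
    raise ValueError(f"{dst} unreachable from {src}")


def conformance_sequence():
    """[(input, expected output, edge under test)] covering every edge once:
    transfer to the edge's source, fire it, then confirm the target with its UIO."""
    uios = {s: uio(s) for s in STATES}
    seq, state = [], INITIAL

    def emit(state, inputs, edge):
        for i in inputs:
            out, state = SPEC[(state, i)]
            seq.append((i, out, edge))
        return state

    for edge, (_, dst) in SPEC.items():
        src, inp = edge
        state = emit(state, transfer(state, src), edge)
        state = emit(state, [inp], edge)
        state = emit(state, uios[dst], edge)
    return seq


def check_conformance(impl, seq):
    """Drive `impl` (any object with step(input) -> output) through the sequence.
    Returns None if every output matches, else (edge, input, expected, got)."""
    for i, expected, edge in seq:
        got = impl.step(i)
        if got != expected:
            return edge, i, expected, got
    return None


class Participant:
    """Implementation under test, written independently of the SPEC table."""
    def __init__(self):
        self.locked = False
        self.restoring = False

    def step(self, event):
        if event == "LOCK":
            if self.locked or self.restoring:
                return "NAK"
            self.locked = True
            return "ACK"
        if event == "DEADLINE" and self.locked:
            self.locked, self.restoring = False, True
            return "RELEASE"
        if event == "GAP":
            self.restoring = False
        return "-"


class HastyParticipant(Participant):
    """Mutant: grants a new lock before the cruise control has restored the gap."""
    def step(self, event):
        if event == "LOCK" and not self.locked:
            self.locked, self.restoring = True, False
            return "ACK"
        return super().step(event)
```

The mutant is caught not on the edge it breaks but while the UIO of RESTORING is being applied to confirm the target of the LOCKED/DEADLINE edge, which is exactly the role of the UIO: checking that the implementation really landed in the state the model says it should.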


Result: A Fail Safe Assisted Merge Protocol

Operation: Notify the driver when there is a safe gap. If there is uncertainty about safety, notify the driver and implement automated spacing and lane maintenance

Dependent on:
• Intelligent cruise control
– Maintains distance to more than one car; the spacing between cars can be set
• A shared memory of the map of vehicles and the deadlines
• The lock protocol
• A fail-safe, reliable broadcast protocol
– If anyone cannot recover a message, everyone knows, quickly
– Scheduled message and ack transmissions (token passing)
– If a scheduled message is not recovered, stop transmitting, so that no one can recover your scheduled message