Verified Hybrid Controllers for Automated Vehicles...

522 IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 43, NO. 4, APRIL 1998

Verified Hybrid Controllers for Automated VehiclesJohn Lygeros,Member, IEEE, Datta N. Godbole,Member, IEEE, and Shankar Sastry,Fellow, IEEE

Abstract—The objective of an Automated Highway System(AHS) is to increase the safety and throughput of the existinghighway infrastructure by introducing traffic automation. AHSis an example of a large scale, multiagent complex dynamicalsystem and is ideally suited for a hierarchical hybrid controller.We discuss the design of safe and efficient hybrid controllersfor regulation of vehicles on an AHS. We use game theoretictechniques to deal with the multiagent and multiobjective natureof the problem. The result is a hybrid controller that by designguarantees safety, without the need for further verification. Thecalculations also provide an upper bound on the performancethat can be expected in terms of throughput at various levels ofcentralization.

Index Terms— Automated highway systems, game theory,safety.

I. INTRODUCTION

H YBRID systems, i.e., systems involving the interactionof discrete and continuous dynamics, pose challenging

problems which have attracted the attention of researchersfrom a number of diverse fields. Considerable research efforthas been devoted to fundamental topics such asmodeling[1]–[6] and simulation[7]–[9] of hybrid systems. The model-ing effort has produced formalisms that allow one to synthesizecontrollers and verify properties of the closed-loop systemperformance. Forcontroller synthesisthe tools that havebeen proposed extend techniques from discrete-event control[10]–[13] and optimal control [5], [14], [15]. Forverification,on the other hand, some progress was made in extendingconventional analysis tools such as Lyapunov methods forstability analysis [5], [16]; however, most research has concen-trated on extending discrete methodologies, in particular modelchecking [1], [2], [17], [18] and deductive [6], [19] techniques.For model checking, the emphasis has been on systems andproperties that can be algorithmically verified. A number ofcomputer-aided tools have been developed for systems wherethe model checking approach is applicable [20], [21]. Fordeductive reasoning, the emphasis has been on developingmodels that provide formal semantics for composition andabstraction and support proofs based on induction on the lengthof the system executions, invariant assertions, and simulationrelations. Semi-automated tools (using, for example, automatic

Manuscript received August 2, 1996. Recommended by Associate Editor,P. J. Antsaklis. This work was supported in part by the Army ResearchOffice under Grants DAAH 04-95-1-0588 and DAAH 04-96-1-0341 and bythe California PATH program, Institute of Transportation Studies, Universityof California, Berkeley, under Grant MOU-238.

The authors are with the Department of Electrical Engineering and Com-puter Sciences, University of California, Berkeley, CA 94720-1770 USA(e-mail: [email protected]).

Publisher Item Identifier S 0018-9286(98)02662-2.

theorem provers) have been implemented to support thisapproach [22].

Much of the research on hybrid systems has been moti-vated by applications such as automotive electronics, real-time software, communication protocols, and transportation.One application that has attracted considerable attention isAutomated Highway Systems (AHS). The goal is to improvethe throughput of the highway system while maintaining (atleast) the same level of safety and passenger comfort as thecurrent system. This is to be achieved by automating trafficwithout building new highways. Clearly, an AHS poses a verycomplex control problem. Part of the complication comes fromits distributed nature. The system consists of a large number ofagents (the vehicles) equipped with sensing, communication,and control capabilities that are trying to make efficient use of acommon, scarce resource (the highway). Difficulties also arisefrom the multiple control requirements. The controller has tostrive to satisfy many specifications, some of them conflicting.For example, the requirement for increased throughput impliesthat the vehicles should be traveling fast and close to oneanother, while the requirement for safety implies that theyshould be traveling slowly and with large spacings.

In [15] we introduced a methodology for dealing with suchmultiagent, multiobjective problems. Our method assumesthat the requirements are prioritized; in the AHS case safetyshould be more important than throughput, for example. Then,assumptions are made about the flow of information betweenthe agents. Typically the system is initially assumed to be fullydecentralized, i.e., each agent has only access to local infor-mation, available through its sensors. The controller design isthen seen as a game between the controller of each agent andthe disturbance generated by the environment, which includesthe actions of other agents. The design process establishes thelimits of performance that can be achieved in “safety”; thelower priority requirements are then optimized within thoselimits. The resultingemergent behaviorof the system (in theAHS case the throughput) is then extracted. If the level ofperformance is unsatisfactory, some centralization needs to beintroduced. This is achieved by communication of informationbetween the agents. Our calculations suggest what the mostimportant pieces of information are. The effect of this moreglobal knowledge is to reduce the set of possible disturbancesgenerated by other agents. The process can be repeated: thenew “biased” game is solved to determine the limits of safety,the low priority requirements are optimized within those limits,and the new emergent behavior is extracted.

In this paper we apply this methodology to the AHS prob-lem. We first consider a decentralized design involving com-pletely autonomous vehicles and then see how performance

0018–9286/98$10.00 1998 IEEE

LYGEROS et al.: VERIFIED HYBRID CONTROLLERS FOR AUTOMATED VEHICLES 523

can be improved by allowing semi-autonomous vehicles thatcan form platoons. In either case our game theoretic approachis used to design controllers that are guaranteed to satisfythe safety requirements. The calculations also provide upperbounds on the throughput that can be expected in each case.Here we mainly address the problem of maintaining safety inthis multiagent setting. The multiobjective nature of the systemis also briefly discussed, but for more details the reader isreferred to [23]. For application of similar techniques to AirTraffic Management Systems see [24].

The question of safety is one of the most important issuesfor AHS and has therefore attracted considerable attention. Inthe context of platooning, the issue of controller design andsafety for platoon followers has been addressed extensively in[25]. For autonomous vehicles and platoon leaders a numberof controllers have been proposed [26]–[28], some without ex-plicit safety guarantees. Reference [29] highlighted problems,due primarily to the hybrid nature of the system, that mayarise if such guarantees are not provided. The work of [30]and [31] explicitly address the issue of safety in terms of thecontinuous dynamics, assuming the deceleration capability ofall vehicles is uniform and without taking into account thediscrete disturbances generated by possible vehicle collisions.Similar calculations for different deceleration capabilities canbe found in [28] and [32]. The work presented here extendspreliminary results reported in [33].

In Section II, we give a brief overview of the modelingformalism introduced in [34] and use it to model the vehicles.In Section III our design methodology is applied to the caseof autonomous vehicles. We derive conditions for safety andupper bounds on the throughput that can be expected. InSection IV we show how the throughput can be increased byintroducing partial centralization and discuss the concept ofplatooning. Sufficient conditions that guarantee the safety ofan AHS that supports platooning are given in Section V. In theconcluding Section VI we discuss some of the key points ofour design methodology and some directions for future work.To maintain the flow of the paper some of the more technicalproofs are given in Appendix B.

II. PROBLEM FORMULATION

A. Modeling Formalism and Dynamic Games

We briefly present the hybrid system modeling formalismthat will be used to describe various components of the system.For more details the reader is referred to [34].

Definition 1: A hybrid automaton is a collection, with

and , where are, respectively,open subsets of for some finite values ofand are countable sets.

and are referred to as the state, input, and outputspaces. represents the tangent space of . We use

to denote the input variables, to denotethe output variables, and to denotethe state variables. We assume that discrete sets are given

the discrete topology while continuous sets are given theEuclidean topology. Without loss of generality we assume that

is time invariant.A hybrid system describes the evolution of the variables

over time. We assume a set of times of interest of the form. The variables will evolve either continuously or

in instantaneous jumps. Therefore, the evolution of the systemwill be over sets of the form with

for all and for all. The implication is that are the times

where discrete jumps occur. We will use to denote the setof all such “super-dense” time trajectories andto denote anelement of .

Definition 2: A run of the hybrid dynamical system overan interval is a collection with

andsatisfying the following.

1) Initial Condition: .2) Discrete Evolution: for all either

and or.

3) Continuous Evolution: for all with and for all

and .4) Output Evolution: for all

.

It should be noted that existence and/or uniqueness of runscannot be guaranteed. In fact, one can very easily constructhybrid automata that for some initial conditions and/or inputsaccept multiple runs or no runs at all. These issues are oftheoretical interest but need not concern us in this paper; theautomata used to model the vehicles will accept unique runs.

Let be a collection of hybrid automata. We can write the inputs and outputs

in vector form as and. Let

Definition 3: An interconnectionof a collection ofautomata is a partial map .

The interpretation is that an interconnection constrains someinput variables to have the same value as some output vari-ables. It can be shown that under some mild consistencyassumptions an interconnection of hybrid automata defines anew hybrid automaton whose state space is the product of thestate spaces of the original automata, its output space is theproduct of the output spaces, and its input space is the productof the input spaces minus the pre-image of.

To simplify the subsequent discussion we introduce a specialkind of boolean variable, called anevent. The event is saidto occur whenever its value changes from “True” to “False”or vice versa. In the computer science literature events aretypically associated with discrete transitions in the state of anautomaton. Here events are treated as discrete input and output


Fig. 1. Typical transition of a hybrid automaton.

variables as in [35] and play the role of the input and output“actions” of [6]. It is easy to show that for a given hybridautomaton , one can construct a new automatonwhoseevolution is identical to that of with the exception thatan event occurs upon particular transitions. This can be doneby adding a boolean state and a boolean output variable foreach event. Similarly, by adding boolean input and a booleanstate variable an automaton can be forced to take an enabledtransition upon the occurrence of an event. Note that theaddition of each event doubles the cardinality of .

If is finite, the hybrid automaton is typically presentedas a directed graph [1], [2] whose nodes are indexed by theelements of . While the discrete state is “in a node”, thecontinuous state evolves along a vector field,

with . To each node we associatean invariant ;the interpretation is that the system can remain in nodeifand only if . The discrete evolution is capturedby transitions between the nodes. To the transition from node

to node we associate a guard; the interpretation is that the

transition can take place if and only if . To eachtransition we also associate a set valued map

; the interpretation is that ifthe transition takes place from , then after the transitionthe state can find itself in any with .A typical edge of the graph is shown in Fig. 1. By convention,the guard appears first and the reset relation (denoted byor

) appears second. To simplify the figures we list an inputevent Event that triggers a transition (if any) togetherwith the transition guard and an output eventEventtriggered by a transition together with the transition resetmap. Figures like these will be used subsequently as formaldefinitions of hybrid automata. On some occasions we will usesimilar figures informally to convey an idea rather than definea system. In this case we will use circles instead of squares todistinguish the informal automata from the formal ones.

Motivated by [36] we consider the following type of two-player zero sum games.

Definition 4: A two-player zero sum dynamic gameconsists of a time interval ,

a trajectory space , an input space , a disturbance space,an output space , a hybrid automaton , and a cost function

. Player 1 is said to control the inputwhile player 2 is said to control the disturbance .

A collection of is anadmissibleplay if there exists for which is arun of .

We will assume that thereward of player 1 for a givenplay is , while the reward of player 2 is ;player 1 is trying to minimize while player 2 is tryingto maximize it. We will also assume aclosed-loop perfectstate information structure; when called upon to decide theirstrategy at time, both players have access to the entire statetrajectory up to that point. For simplicity we therefore set

.If the hybrid automaton admits a unique run for every

initial condition, input, and disturbance trajectory, one canwrite the cost function as simply

For this class of games we will be interested in the followingtype of solutions.

Definition 5: A global saddle solutionto the two-playerzero sum game is a pair of input and disturbance trajectories

such that for all , all ,and all

A saddle solution is such that any unilateral deviation from itleaves the player who decided to deviate in worse condition.The games considered in this paper turn out to have uniquesaddle solutions. Existence and uniqueness of solutions cannotbe guaranteed in general, however.

B. Vehicle Model

Consider a number of vehicles moving on an AHS (Fig. 2).1

We try to capture the evolution of the pair and useand to isolate them from the rest of the lane. Vehicles inadjacent lanes will only come into play during lanechanges. The model we develop is hybrid: the continuousdynamics reflect the movement of the vehicles, while thediscrete dynamics reflect possible collisions between them. Inour safety calculations we impose the following restrictions.

Assumption 1:The operation of all vehicles is normal, allvehicle parameters are known, and lateral control is perfect.Each vehicle is equipped with sensors that provide noiselesscontinuous measurements of its velocity and acceleration aswell as distance and relative velocity with respect to vehiclesin front, both in the same and in adjacent lanes. Sensing andactuation delays are negligible.

The assumption of normal operation is crucial in provingsafety. If faults or adverse environmental conditions are al-lowed, the design of safe controllers becomes substantiallymore complicated [37]. Knowledge of the vehicle param-eters (aerodynamic coefficients, mass, etc.) is needed forfeedback linearization of the vehicles dynamics (see [38]).This assumption can be relaxed by an adaptive [38], robust,or sliding mode controller [39]. Under normal conditionsnear-perfect lateral control has been shown to be possibleboth for lane keeping and for lane changing in [40] and[41]. We further assume that perfect lateral operation can bemaintained even in the presence of collisions. Finally, theassumed sensor arrangement is realistic for current technology.

1We will keep referring to the notation of Fig. 2 throughout the paper.


Fig. 2. The model setup.

The calculations presented here easily generalize to vehiclemodels with sensing and actuation delays, lags, and smalladditive noise [42]. We assume that the sensor ranges are largeenough to maintain safety.

The automaton describing the evolution of the pairhas three discrete states and fourcontinuous states. In vehicle is moving without touchingvehicle , in vehicles and are moving while pushingagainst one another, and in vehicle has stopped. Letdenote the length of vehicleand its position from a fixedroadside reference. The dynamics and the safety requirementsdo not depend on the absolute position of the vehicles.Therefore, to reduce the size of the continuous state spacewe introduce a variable to keep trackof the spacing between vehicles and . Following [27],we assume that (after feedback linearization) the controllerof vehicle can directly set thejerk throughbrakes and accelerator actuators. By Assumption 1 vehicle

is equipped with sensors to measure its own velocity andacceleration and the spacing and relative velocity with respectto vehicle . The acceleration of vehicle is assumed to beunknown to vehicle and is treated as a disturbance. Thecontinuous dynamics in states and can now be describedby a state vector with

(1)

In state , the continuous dynamics can be more complicated.While vehicles and are touching, the acceleration ofvehicle depends not only on the jerk commanded by itscontroller, but also on the contact forces exerted by vehicle

. State is not safety critical however, as it is impossiblefor vehicles and to collide while they are touching eachother. We will therefore not model the continuous dynamicsin state in detail, we will just assume that they are of the

form for some function which isLipschitz continuous in and continuous in and .To simplify the notation, we drop the subscripts wheneverit is clear we are referring to the pair and use and

to denote the continuous state of the pairand to denote the input of vehicle. Physical considerationsimpose constraints on the continuous state and inputs

To ensure our model is realistic, we impose some minimalassumptions on the constraints.

Assumption 2: and.

The transitions of the discrete state are governed by theobvious invariants, guards, and reset relations. Additionaldiscrete dynamics arise because of possible collisions betweenthe vehicles. For simplicity we assume the following.

Assumption 3:All collisions are elastic and all vehicleshave equal masses.

The case of partially inelastic collisions and unequal massescan be included by introducing some additional notation andminor changes in the subsequent calculations. Three kinds ofcollisions affect the pair . Collisions between vehicles

and take place whenever and willbe used to determine the safety of the system. Upon theiroccurrence an output event is issued, is reset to

, and is reset to . Collisions between vehiclesand , and between vehicles and , are treated as

disturbances by vehicle. They are modeled by an input event(respectively, ) and a continuous input

(respectively, ). Upon their occurrence, is resetto (respectively, is reset to andis reset to ). Clearly the value of isof interest only at the times when occur. Weuse to denote the overalldisturbance trajectory for vehicle. The subscript of willagain be omitted when the context is clear.


Fig. 3. The plant automaton.

Without loss of generality we assume that a trajectory startsat time from an initial condition .

Proposition 1: For every and every andpiecewise continuous the plant automaton accepts a unique

trajectory.Note that piecewise continuous is equivalent to piecewise

constant under the discrete topology.A standard requirement for automated vehicles is that they

will not be allowed to drive in reverse. This requirement caneasily be added to our model.

Lemma 1: If for all vehicles and implies, then for all . In this case can

never occur in states and and the set of disturbancesgenerated by vehicles and is contained in

piecewise continuous

We use to denote the class of controllers that applywhenever . All controllers designed in this paper willbelong to the class . Under the conditions of Lemma 1 thedynamics of the pair are summarized in Fig. 3. Theinvariants, guards, and reset relations omitted in the figureare given in Appendix A. Our analysis is primarily concernedwith safety, therefore (unless otherwise stated) we will assume

in subsequent analysis, as the vehicles cannot collideotherwise.

Lemma 1 suggests that is a conservative estimate of thedisturbances that vehicle may face. Therefore, if controllersare shown to be safe with respect to, they are guaranteed tobe safe for the real system. Further restrictions can be imposedon through interconnections of the plant automaton withthe outputs of appropriate automata that model the behaviorof the controllers of vehicles and . In our design wewill make use of a restriction that allows a single anda single event and limits the relative velocity of thecorresponding collisions to and , respectively. In thiscase the overall disturbance can be compactly parameterizedby , whereis the time occurs. The class of allowable

disturbances has the form

piecewise continuous

(2)

C. Design Specifications

Ideally, we want no collisions to occur on the AHS. Ouranalysis will indicate that this requirement may be too restric-tive in terms of throughput. Previous studies [43] suggest thatcollisions with small relative velocities are not likely to resultin serious damage to the vehicles or injury to the passengers.This motivates the following definition.

Definition 6: A safe collisionbetween two vehicles is onewhere the relative velocity at impact is less than a threshold

. An Automated Highway System where vehicles experienceonly safe collisions is called asafe AHS.

Based on the analysis of [43], we set ms in ourcalculations.

For each vehicle we treat the controller design as a two-player zero sum game between the vehicle controllerand thedisturbance . The game is over a number of cost functionsthat reflect the various requirements imposed on the controller.The top priority requirement is, of course, safety. Wheneverpossible, we would like the vehicles not to collide at all. Thisrequirement can be encoded by a cost function

(3)

A controller is safe with respect to if it can guaranteethat m. The limiting case of “nocollision” corresponds to two vehicles touching each otherwith zero relative velocity.

In our calculations we will also have to deal with situationswhere a collision is unavoidable. In this case, the goal of thecontroller is to minimize the relative velocity at impact. Thisalternative safety requirement can be encoded by

(4)


where . A controller will be safe with respect toif it can guarantee that ms .

Whenever safety is not an issue, the controller is requiredto provide a comfortable ride for the passengers. We assumethat comfort implies small control inputs.2 We encode comfortusing the cost function

(5)

A maneuver will be comfortable ifms .

If neither safety nor comfort are at stake, we would likethe controller to converge to a steady-state spacing from thevehicle in front and a desired velocity . These performancerequirements can be encoded by anefficiencycost function

(6)

where reflects the desired spacing and velocity andis apositive semidefinite matrix.

The design methodology of [15] allows us to deal with allthe cost functions discussed above by solving a sequence ofnested games. In this paper, we are primarily concerned withthe issue of safety and will therefore discuss the issues ofpassenger comfort and efficiency only briefly.

III. A UTONOMOUS VEHICLES

We first derive safety conditions for the simplest possibleautomated highway system, a decentralized design where nocollisions take place. We refer to this design as anautonomousvehicle AHS. We start with a single lane highway and concen-trate on an arbitrary vehicle. Our goal is to avoid collisionsaltogether, therefore we treat the safety problem as a gamebetween the control (action of vehicle) and the disturbance(actions of vehicles and ) over cost function . Thesafety calculation proceeds by assuming no collisions arepossible, designing safe controllers under this assumption, andthen verifying that if the resulting controller is used, the “nocollision” assumption is indeed satisfied.

A. Autonomous Vehicle Safety

Consider an arbitrary vehicle. If no collisions take place,the only disturbance to vehicle comes from , i.e.,

. Formally this is equivalent to an interconnection of theand input events with the outputs of an automaton

that never generates and . Consider the candidatefeedback saddle solution given by

ifif

and

ifif

(7)

Clearly . Let denote thevalue of the state at timeunder starting at .

2This is a necessary but not sufficient condition for comfort, as low-frequency speed variations can also result in an uncomfortable ride.

Proposition 2 (Saddle Solution for Autonomous Operation):If , then for all . is aglobal saddle solution for cost .

Proof: Verify that for all and[32].

The saddle solution allows us to determine the set ofsafestatesand classify all thesafe controls. Let denote theinterior and the boundary of a subset of and define

(8)

ifififif

(9)

Lemma 2 (Safe States and Safe Controls for AutonomousOperation): If and for all

then and vehicles andwill not collide. If , then for any there existsa trajectory that results in a collision.

Proof: The first part follows from the properties of thesaddle solution and the definitions of and . For thesecond part, assume and for all consider

. The conclusion follows by the propertiesof the saddle solution and the definition of.

is what is known as acontrol invariant set, a set that canbe rendered invariant by, despite the actions of. Lemma 2indicates that is the largest control invariant set for whichsafety can be guaranteed. is the least restrictive class ofcontrols that renders invariant.

The saddle solution calculations allow us to algebraicallydetermine the set of safe states (and hence the set of safecontrols ). For can be encoded by a function

that returns the minimum spacing required for no collision fora given choice of initial velocity, acceleration, and relativevelocity. is parameterized by and .

Theorem 1 (Autonomous Vehicle Safety):A single laneAHS populated by a finite number of vehicles all of whichsatisfy and for allis safe.

Proof: From Lemma 2 and an induction argument on thenumber of vehicles it follows that no collisions are obtainedon such an AHS. Therefore, the AHS is safe.

The analysis generalizes to a multilane highway by addingsimple lane change protocols and control laws. Section V-A3describes how can be used to derive conditions underwhich a lane change can be executed in safety for a morecomplicated AHS design that involves platooning. The resultstrivially generalize to the autonomous vehicle case.

B. Passenger Comfort and Efficiency

Having established conditions for safety, we now turn ourattention to passenger comfort and efficiency. Formally, the


Fig. 4. Hybrid controller automaton.

comfort requirement can be treated as a game betweenandover cost function . We seek a saddle solution

The requirement that implies that such a saddlesolution is safe but can only exist if . The saddlesolution itself is not very important in this case, all we needis the set of safe and comfortable controls, given by

ifififif

(10)

To complete the design, the requirement for efficiencyshould also be addressed. We will not go into the detailsof the efficient design. This problem can be approached ina number of ways and the solution does not affect safety inany way. One possible design could make use of the saddlesolution , for cost function with ;other designs like the ones in [27] and [28] may be evenmore appropriate. To make sure the design is reasonable, wewill only assume that the desired steady-state spacing satisfies

and that the desired velocity is neverexceeded. These objectives can be achieved by a controller thatswitches between tracking spacing and tracking, based onstate information [27]. The resulting safe, comfortable, andefficient controller can be implemented by a hybrid automaton(Fig. 4). The controller automaton has no continuous state. Itsinput and its output are provided from/to the plantautomaton through the obvious interconnection.

C. Autonomous Vehicle Throughput

Calculating the expected throughput for a proposed AHSdesign is a very challenging task. Our analysis can be usedto obtain an upper bound on the steady-state throughput.Lemma 2 provides the minimum spacing required for safetyif a steady-state velocity is maintained. This quantity givesrise to what is known in the transportation literature as thepipeline throughput, the steady state per lane capacity of thehighway in the absence of lateral flow (lane changes, entry,and exit). Assuming all vehicles have the same length ,the pipeline throughput (in vehicles per lane per unit time)is given by

(11)

This is clearly a very optimistic estimate. Even if the demandis high enough, the actual value of the throughput is likelyto be much smaller because of safety margins (added totoaccount for delays, sensor noise, etc.) and lateral flow dis-turbances. Pipeline throughput can nonetheless provide usefulinformation. Assume that the vehicles have no knowledge oftheir deceleration capability but know that it is boundedin an interval . Then, to maintain safety, they need tofollow each other at a spacing

(recall that is parameterized by the model constants). The resulting throughput for

ms , ms , , and m isshown in Fig. 8 (case ). With minimal changes theestimate can be refined to allow for sensing and actuationdelays, safety margins, and different information structures(e.g., vehicles estimating on line) [42]. The results of


our calculations can also directly be used in more elaboratethroughput estimates that take into account lateral flow (see[44]).

IV. PLATOONS OF VEHICLES

A. The Platooning Concept

Can we somehow exceed the maximum throughput of theautonomous AHS? The calculations of Section III indicate thatthis cannot be done unless either the vehicles are allowedto collide or some centralization is introduced (more globalinformation is made available to them). We now try to deriveconditions for a safe AHS on which collisions are possible; itwill soon become apparent that some degree of centralizationis needed in this case to guarantee that all collisions aresafe.

Consider again the pair and assume that initially. A crucial observation [45] (which can also be inferred

from the calculations in this paper) is that in the presenceof differences in deceleration capability and/or sensing andactuation delays, collisions will be at low relative velocitiesif either the vehicles are far enough from one another (inwhich case they can come to a stop before colliding) or theyare close enough (in which case a collision happens almostinstantaneously and therefore the relative velocity is low).This observation gives rise to theplatooning concept, whereit is envisioned that vehicles will travel in platoons, followingeach other very closely with spacings of the order of 2–4 m.Platoons are separated by large spacings to avoid interplatooncollisions. In addition to safety, the large interplatoon spacinghelps attenuate disturbances as they propagate down a stringof platoons.

In [46] a control hierarchy was proposed to organize trafficin platoons. The hierarchy involves controllers both on thevehicles and on the roadside. The goal of the roadside con-trollers is to maximize the flow of the highway system byappropriately routing traffic. A number of designs have beenproposed for the roadside controller, making use of traffic flowmodels [47], [48], the concept of highway work [49], and theconcept of highway space-time [50].

The hierarchy of [46] calls for an on-board vehicle con-troller organized in two layers: thecoordination layerand theregulation layer. It is envisioned that the regulation layer willconsist of primarily continuous controllers for maintaining safespacing between the vehicles, tracking desired velocities, etc.The coordination layer on the other hand will be primarilydiscrete and will be responsible for the intervehicle commu-nication necessary to ensure safety. Our goal in the remainderof this paper is to produce regulation layer controllers andspecifications for the coordination layer so that the hybrid on-board controller is guaranteed to be safe. We then use ourresults to obtain an upper bound on the throughput that can beachieved in safety on a platoon-based AHS.

B. Discrete Aspects

To motivate the design process we first describe informallythe operation of a vehicle on an AHS that supports platooning.

Fig. 5. Automated vehicle operation.

The vehicle can find itself in one of two discrete modes: theleader modeand thefollower mode.3 The state of the vehicleis also indexed by its discrete lane. Assume that the automatedlanes are assigned numbers, increasing from right to left, withone representing the right-most lane, and let lane number zeroindicate that the vehicle is off the AHS. The discrete state of anautomated vehicle can be summarized by a pair (mode, lane)with mode leader, follower andlane This is asomewhat coarse description of the discrete state (for examplewe do not keep track of the exact position of a vehicle in theplatoon), but it will suffice for our purposes.

The evolution of the discrete state of an automated vehiclecan be represented informally by the automaton of Fig. 5. Thefigure suggests the tasks that the regulation layer controllerwill be called upon to perform: tracking the desired spacingfor the two modes and executing the transitions. The transitionsbetween the discrete states are achieved by means of fivemaneuvers:join, split, lane change, entry, and exit. The joinmaneuver is used to join two platoons in a single lane toform a bigger platoon. The trailing platoon accelerates to catchup with the leading platoon. The split maneuver is used tobreak a platoon into two smaller platoons. The trailing platoondecelerates to safe interplatoon distance. The lane changemaneuver is used to move a vehicle from one lane to another.Finally, the entry and exit maneuvers allow the vehicle to geton/off the automated highway.

In [51] communication protocols were designed to imple-ment the discrete aspects of these maneuvers. The protocolsare in the form offinite state machines, a special class ofhybrid automata with no continuous state. Some simplifyingassumptions were made; for example, it was assumed thata platoon can only be engaged in one maneuver at a timeand that only single vehicles (free agents) can change lanes.The performance of the proposed protocols was verified usingCOSPAN [52], a finite-state machine model checker. Theverification concerned only discrete aspects of the protocoloperation, such as absence of deadlocks. Here we establishconditions on the protocol transitions that allow us to extendthe verification to continuous aspects of the system operation,in particular safety with respect to collisions.

3The ensuing discussion will reveal that besides the obvious differencein desired spacing, the two modes also differ in the information needed forcontrol.


C. The Follower Mode

Some of the issues that arise in the regulation layer designare not addressed here. Besides the limitations of scopeintroduced in Assumption 1, we will not address the designof control laws for the follower mode. This problem is partic-ularly challenging and has received considerable attention inrecent years [25], [38]. The most obvious difficulty is regu-lating to the constant follower spacing at all speeds, withoutrunning into the preceding vehicle. In [25] it was shown thatto achieve this objective a vehicle needs information about theacceleration of the preceding vehicle, in addition to the spacingand relative velocity information available through the sensors.It is envisioned that this information will be communicatedamong adjacent vehicles in a platoon using a point-to-pointinfrared link. Another problem is that small disturbances (e.g.,a transient change in the velocity of the platoon leader) mayget amplified as they propagate from one follower to thenext, possibly resulting in collisions down the string. In [25]it was shown that to avoid thisslinky effect, followers alsoneed information about the state of the platoon leader inaddition to information about the vehicle immediately aheadof them. Because the delays of point-to-point communicationincrease with the size of the platoon, this information has tobe broadcast by the leader (using a radio link for example).Finally, in [25] it was shown that the follower control law willresult in amplification of the control effort exerted by followersfurther back in the platoon. This imposes restrictions on theoperation of the leader. If, for example, the braking force isamplified by a factor of , then, in a platoon of identicalvehicles with deceleration capability , the deceleration ofthe lead vehicle should not exceed in order to avoidactuator saturation and the possibility of collisions within theplatoon.

Here we circumvent these complications by assuming that afollower control law , a safe set of initial conditions in thefollower state space , and a time (possibly dependenton the size of the platoon) have been determined, such thatwe have the following assumption.

Assumption 4 (Platoon String Stability Under Collisions):Assume that all followers apply , that at time the state ofall but one of the followers is in , and that a safe collisionoccurs between the exceptional follower and the vehicle aheadof it. For any , if no interplatoon collisionsoccur in the interval , then at time the state ofall followers is in , no intraplatoon collisions occur in

, while in all intraplatoon collisionsare safe and the first and last vehicles experience at most onecollision.

The assumption is intended to capture the situation of Fig. 6.Two platoons moving at slightly different speeds collide andbecome one platoon. If the intraplatoon spacing is small andAssumption 3 is satisfied, after a finite number of intraplatooncollisions the vehicle velocities will still be close to the initialvelocities, but arranged in decreasing order. The work of [25]and [53] and intuition from basic collision dynamics suggestthat this is not an unrealistic assumption. We are currentlyworking on casting the follower control problem in the design

Fig. 6. A safe platoon collision(v2 2 [v1; v1 + va]).

framework discussed here and proving Assumption 4 as atheorem.

V. PLATOONING IN SAFETY

A. Regulation Layer Design

To implement an AHS that supports platooning, continuouscontrol laws are needed for the leader and follower modesand for the join, split, lane change, entry, and exit maneuvers.The design of the follower law was discussed in Section IV-C. Here we describe the design of the remaining controllers.We restrict our attention to safety; passenger comfort andefficiency are assumed to be treated as in Section III-B. Thecontrollers for the lead mode and the various maneuvers differfrom one another in the cost function used to encode safetyand in the disturbances that they have to guard against. Thereason for these differences will become apparent in the nextsection, when the coordination protocols are discussed. Thecontrollers for the leader mode and the lane change, entry,and exit maneuvers will be required to prevent collisionsaltogether; therefore, the cost function used in their designwill be . The join and split controllers on the other handwill allow safe collisions; therefore, the cost function used intheir design will be . The disturbances experienced by eachcontroller will differ in the severity of and . Thecoordination protocols will be such that a vehicle in theleader mode may face (one safe collision between

and and one safe collision between and ), a vehicleexecuting a join or a split may face (no collisionby either or ), while during a lane change, entry, or exitvehicles may face either or .

1) Leader Law: We treat the design of the controller forthe lead mode as a game betweenand over costfunction . Consider the candidate saddle solutionwhere and aregiven by (7) and

and . Clearly .Let denote the state at timeunder the inputs

starting at .Proposition 3 (Leader Saddle Solution):If , then

for all . is a global saddle solutionfor cost .

As for the autonomous vehicle case, the saddle solutionallows us to calculate the set of safe states and classify the


Fig. 7. Level sets ofsL for q0= q1 and x

0

3= 20; 30; and 40 m.

safe controls. Define

(12)

ififif

(13)

As before, for can be encoded by a function. Three level sets of this function are shown

in Fig. 7.Proposition 4: is monotone with respect to ,

in the sense that if thenfor all .

Proof: The proof follows by the fact that is linear in.Let the controller for the leader mode be any feedback

controller satisfying the .Lemma 3 (Leader Safety):If

and for all , then vehicles andwill not collide.

Proof: The proof follows by Proposition 3 and the prop-erties of the saddle solution.

Lemma 3 requires that , therefore at mostone and at most one events are allowed. Thisrequirement is imposed because these events can push thestate outside . If more events of the same kind occur while

, a collision may be possible. The requirement canbe relaxed to allow more and/or events oncereturns to .

Lemma 4: There exists a finite such that iffor some , no or

events occur in and for all, then either

or .Lemma 3 provides safety guarantees for the leader mode,

while Lemma 4 provides “liveness” guarantees. If the distur-bance is such that any two or events are separatedby , then a vehicle under will not collide with the vehicleahead of it, and it will either stop or its state will return to

infinitely often.2) Join and Split Laws:We treat the design of the con-

trollers for the join and split maneuvers as a game betweenand over cost function .

Proposition 5 (Join/Split Saddle Solution):At any time thesaddle inputs and take on either theminimum or the maximum value allowed by the constraints.Each trajectory may involve at most one switching from themaximum to the minimum and at the time of impact bothand are at their minimum values. can take on itsmaximum value only when does.

The proof of Proposition 5 (Appendix B) suggests that ifvehicle can decelerate harder than vehicleand a collisiontakes place before vehicle stops, then the worst disturbancevehicle can generate may involve hard acceleration (in anattempt to increase the distance to vehicle) followed by hardbraking. In extreme cases the best response for vehiclemayalso involve hard acceleration (in an attempt to keep up withvehicle ) followed by hard braking. These predictions wereverified in [54] by numerical experiments.


Unlike the leader and autonomous cases, the calculation ofthe safe sets and controls has to be done numerically in thiscase, as it is difficult to express the saddle solution in feedbackform and solve the corresponding equations.4 From the point ofview of safety, the join and split controllers can be treated verysimilarly. Clearly the rest of the controller design will have tobe different, as the objectives of the two maneuvers differ.The design can be completed using the techniques outlinedin Section III or by using other controllers proposed for thispurpose in the literature [27], [28]. As before, define

(14)

ififif

(15)

Let the controllers for the join and split maneuvers, and, be feedback controllers satisfying

and .Lemma 5 (Join/Split Safety):If

and for all, then

and vehicles and will either not collide or willexperience a safe collision.

Proof: By the properties of the saddle solution and thedefinitions of safe states and controls.

3) Lane Change, Entry, and Exit Laws:We assume thelane change policy of [51], where a vehicle is a free agentboth before and after the lane change. Assume free agent

wishes to move to the lane where platoonsand aremoving. The lane change can be decomposed in two phases.In the first phase and/or decelerate so that is alignedwith an appropriate gap in the target lane. In the second phasethe actual move of from the origin to the target lane takesplace. For the purpose of safety, entry and exit from theautomated highway will be treated as a simplified version ofa lane change. In particular, entry will be modeled as a lanechange from the on-ramp to an automated lane, with vehicles

and missing. Exit will be modeled as a lane changefrom an automated lane to an off ramp, with vehicles

and missing.Specialized controllers are needed for vehiclesand

( and , respectively) for the lane change maneuver.

4Analytical calculation is possible in the join/split case, under slightlydifferent assumptions [28].

During the alignment phase makes use of andto keep safe with respect to while bringing it sufficientlyfar away from for the lane change to take place. Duringthe move phase ensures that remains safe with respectto both and . Likewise, during the alignment phasemakes use of and to keep safe from whilecreating a gap for . During the move phase, ensures that

remains safe with respect to bothand . The coordinationprotocols will guarantee that while a vehicle is applyingit will not be hit from behind (no disturbance) and thatwhile it is applying it will not be hit from behind, andthe lane changing vehicle will not experience a collision (no

or disturbance). The protocols will also requirethat a vehicle should not collide with the vehicle ahead of itwhile applying or . We therefore treat the design of

as a game between and and the designof as a game between and , both over costfunction . By the proof of Proposition 3, it is immediatelyapparent that the saddle solution in the first case is the sameas with , and in the second case it is thesame as with . Let and

denote these saddle solutions and define

and

Consider the two classes of controllers shown at the bottomof the page. Note that depends only on and ;therefore, and

. Let and be feedback controllerssatisfying and

.Lemma 6 (Lane Change Safety):If

and forall

, then vehicles and (and ) will not collide. If in addition

and vehiclechanges lane, then vehicles and and will not

collide.Proof: Assume . Note that is

applied whenever . The definition ofand the properties of the saddle solution imply that

vehicles and will not collide. The proof forand is similar.

The first sentence of Lemma 6 provides conditions underwhich the alignment phase of the lane change is safe, while

ififif

ififif


the second sentence provides conditions under which the movephase is safe. During the alignment phaseneed not worryabout colliding with , and need not worry about collidingwith . Therefore, and can apply a milder controlinput instead of when and when

, respectively. During the move phase, however,is needed in both these cases to guarantee safety. The protocoldesign will be such that during the lane change vehiclewill be applying . Therefore, throughout the movephase is safe with respect to both and (by Lemma 6),

is safe with respect to both the and (by Lemma 6),and is safe with respect to both and (by Lemma 3 andProposition 4). Hence, the lane change can be safely abortedat any stage. This is a very desirable property as it allows us todecouple the lanes. Proposition 4 also implies that occlusionof vehicles during a lane change does not affect safety. Forexample, vehicle can remain safe with respect to vehicle

even though it has sensory information about it only aftervehicle has effectively left the lane.

Note that once enters , it remains therethroughout the lane change. However,and can leave the set due to collisions ofvehicles or . A “liveness” guarantee, similar to Lemma 4,can be also be given for the lane change.

Lemma 7: If for some ,no or events occur in , and for all

, theneither or

. A similar claim holds for and forunder

.Proof: The proof is virtually identical to the proof of

Lemma 4.

B. Coordination Layer Specifications

We describe a set of requirements imposed on the coordina-tion layer so that its interaction with the regulation layer con-trol laws is guaranteed to be safe. The discussion in this sectionis informal and provides only the information necessary forstating and proving the platooning safety theorem. The discretesteps we assume are consistent with the protocols specifiedin [51], while the discrete/continuous interface aspects areconsistent with the design of [55]. The formal analysis carriedout in these two papers provides performance guarantees forthe discrete dynamics of the system.

All followers are assumed to apply and, unless otherwisestated, the leaders are assumed to apply. Assumption 4allows us to ignore the follower dynamics for the most part.By abuse of notation, let and (Fig. 2) represent platoonsof and vehicles, respectively, and let denote thedistance between the leader ofand the last follower of .Following [51] we assume all communication and coordinationis handled by the platoon leader.

First consider what happens whenjoins . The maneuveris initiated by , whose leader checks that the platoon is notalready engaged in another maneuver and that . Ifthis is the case, the leader declares the platoon engaged in a

join maneuver and sends a join request to the leader of.Upon receiving the maneuver request, the leader of platoonchecks if it is already engaged in another maneuver. If this isthe case, the request is declined. A message is sent to the leaderof who aborts the join (is no longer engaged in the maneuverand remains a leader). Otherwise, the leader ofswitchesto the set , corresponding to the deceleration capabilityit would have if and were to join successfully (recallthat the deceleration of a leader is limited by the decelerationcapabilities of all the followers). Even if initiallyfor the new , the design of is such that after a finiteamount of time , either stops or . In theformer case the join request is declined, while in the latter themaneuver is accepted by. An appropriate message is sentto which accordingly either aborts the maneuver or checksif still . If this is the case, the leader of applies

until either or the leader of collides with thelast vehicle of . In either case, intraplatoon coordination isestablished, the leader of starts applying , and and

begin operating as a single vehicle platoon. Ifthere was no collision the new platoon declares the maneuvercomplete and is no longer engaged in it. Otherwise, the newplatoon waits until for all followers (guaranteed to bethe case by at most time units) and then a further intime units before declaring the maneuver complete. The extratime is added to allow to return to , which it mayhave left as a result of the collision. Note that thereis no guarantee that the join will successfully terminate in afinite amount of time (though this is likely to be the case inmost realistic situations).

Now assume represents the last vehicles and thefirst vehicles of a platoon of size , and considerwhat happens if wants to split from . The leader checksthat the platoon is not already engaged in another maneuver,that , and that . If this is the case itdeclares the platoon as engaged in a split maneuver and the“leader” of applies . If collides with , the maneuveris aborted following the same process as a join termination.If at some point or if stops the maneuver iscompleted, the leader of starts applying and the leaderof switches to the set corresponding to the new platoonsize. Both and declare themselves as no longer engagedin the split maneuver.

Finally, consider a free agent wishing to move to thelane where platoons and are moving. first ensuresthat it is not already engaged in another maneuver and that

. If this is the case it sends a lane change requestto vehicles and . If platoon is engaged in anothermaneuver or if , the lane change is aborted.Otherwise, commits to not change lanes in betweenand

and a message is sent toto proceed. and applyand until either stops or

and (one of the two is boundto happen by time units). If stops, the maneuver isaborted. Otherwise, starts moving to the new lane, while itapplies and applies . When reaches the targetlane the lane change is declared complete andand revertto .


Fig. 8. Pipeline throughput for platoons of sizeN (N = 1 autonomous vehicles).

C. Platooning Safety

Theorem 2 (Platoon Safety):An AHS populated by a finitenumber of vehicles following the proposed coordination andregulation requirements will be safe.

Proof: The proof involves the lemmas of Section V-A, the coordination requirements of Section V-B, and aninduction argument on the number of vehicles. Consider againthe vehicles of Fig. 2.5 First consider joining or splittingfrom . In this case the coordination requirements ensurethat and belong to . Therefore,Assumption 4 and Lemmas 3 and 6 ensure that vehiclewill not experience any collision disturbances. According toLemma 5, platoon may experience a safe collision withplatoon . After the collision, all vehicles in platoon startapplying . By Assumption 4, all followers return toafter a finite number of safe collisions and the first vehicle ofplatoon and the last vehicle of platoon experiencing atmost one collision.

Now consider applying the leader control law. Ajoin/split maneuver between vehicles and may produceone collision disturbance for vehicle . Thecoordination specification of Section V-B also permitstojoin/split from . This maneuver can also potentially result insafe collisions. Still, Lemma 3 guarantees that vehiclewillnot collide with vehicle . When and/or occur,the state of vehicle may leave the set . According toLemma 4, will be the maximum time it takes for the state

5By Assumption 5A; � � � ;H may in fact represent entire platoons.

to return to in this case, i.e., a lower bound on the timeseparation between two successive collisions of the same kindthat can be tolerated by . The coordination requirement onthe join and split maneuvers guarantees that if the maneuverresults in collision, a new join or split will not be initiatedbefore all intraplatoon collisions subside and an extra interval

elapses. This timing requirement on join/split guaranteesthat the assumptions of Lemma 3 are satisfied, implyingthat vehicle will not collide with vehicle under .A similar argument indicates that a vehicle executing a lanechange maneuver (and consequently an entry or an exit) willnot collide with the vehicle ahead of it.

Note that the limitation of “one maneuver per vehicle at atime” imposed by the coordination layer [51] ensures that thefront vehicle of a joining or splitting pair will be in the leadermode, while the trailing vehicle will either be followed by avehicle in the leader mode or by one executing a lane change.The additional timing constraint ensures that the platoons haveenough time to recover from the collisions before a new join orsplit is initiated. Overall, collisions due to joining and splittingare guaranteed not to propagate beyond the platoons engagedin the maneuver.

Corollary 1 (Individual Maneuver Safety):Any collisionsthat take place during the join or split maneuvers or in thefollower mode will be safe. A vehicle will never collide whileexecuting a lane change (and hence an entry or an exit). Avehicle in the leader mode will never collide with the vehicleahead of it.


TABLE I

D. Platooning Throughput

In addition to the lane change, entry, and exit disturbances,the calculation of the throughput for an AHS that supportsplatoons is further complicated by the presence of disturbancesdue to the formation and dissipation of platoons. Pipelinethroughput estimates can again provide an upper bound. As-sume an AHS is populated entirely by platoons of sizemoving at velocity at steady state. Let denote thefollower spacing. It is easy to see that the throughput of suchan AHS in vehicles per lane per unit time is given by

(16)

As for the autonomous vehicle case, assume that vehiclesdo not know their deceleration capability but know that it isbounded in a range . Following [25], we can model thefact that the deceleration of the leader is limited by that ofthe followers by assuming that platoons follow each other atspacings of

where for andrespectively. The resulting throughput for

is shown in Fig. 8. Note that as platoon leaders have to beable to tolerate , whereas autonomous vehicles onlyhave to deal with , the platooning throughput can besmaller at low speeds.

VI. CONCLUDING REMARKS

We presented a methodology for the design of hybrid on-board controllers for automated vehicles. The methodologywas based on techniques from game theory and optimalcontrol. Assuming a particular policy for intervehicle in-formation exchange, these techniques allow us to quantifythe safe behaviors of the system. Moreover, the calculations

suggest ways in which the intervehicle information exchangecan be modified to improve the system performance. Thesafety conditions obtained by solving the gaming problems areclearly sufficient. They are also necessary in the sense of being“tight.” The properties of the saddle solution imply that if thesafety conditions are violated (e.g., an autonomous vehiclefinds itself closer than from the preceding vehicle), thereexist disturbance trajectories (e.g., acceleration trajectoriesof the preceding vehicle) that will result in a collision. Wedemonstrated our approach by designing safe controllers foran AHS based on autonomous vehicles and an AHS that allowsintervehicle cooperation and supports platooning.

One advantage of the proposed methodology is that itprovides considerable insight into the system that can be usefulin contexts other than controller design. We showed howlimits on pipeline throughput can directly be inferred fromour calculations. The calculations can also be used to infertechnological requirements such as sensor ranges. A vehicleneeds to be safe even if a stopped vehicle appears at the limit ofits sensor range; therefore, the minimum sensor range neededfor safe steady-state operation with speedis .Our results also indicate what pieces of information wouldimprove performance. For example, it is easy to see thatknowledge of the vehicles deceleration capability can greatlyreduce the average following distance and hence increasethroughput [42].

In our framework, the role of interagent coordination is toreduce the set of allowable disturbances. This has the effectof “biasing” the game in favor of the controller and henceincreasing the range of conditions under which game winningcontrols exist and improving the overall system performance.The intervehicle coordination was used to limit both thediscrete (collisions) and continuous (acceleration) disturbancesto produce safe join and split controllers.

Our calculations deal with only a class of safety problems ofimportance for AHS. There are still a number of questions tobe answered. For example, the safety of the follower operation


was taken for granted here, even in the presence of collisions.More work is needed to show Assumption 4 can indeed besatisfied and to relax it if possible. An even more challengingproblem is relaxing the “normal operation” assumption toallow faults and adverse environmental conditions. This mayrequire not only extending the architecture with fault detectioncapabilities [37] and new controllers [56] but also changing themethodology of the verification. Here, our objective was toshow that no unsafe collisions are possible. In the presence offaults it is easy to construct scenarios where unsafe collisionsare possible whatever the controller does [56]. A possiblesolution would be to introduce probabilistic analysis andrequire that the probability of unsafe collisions is small.Formulating such proofs will require considerable extensionof our design methodology.

Probabilistic analysis can also be used to produce less con-servative “normal mode” controllers. The design methodologypresented in this paper assumes that theworst disturbancemaybe produced by neighboring vehicles at any time, thereby lead-ing to somewhat conservative designs with smaller throughput.If we use parameters corresponding to manual driving in ourmodels, the resulting controllers would yield less throughputthan the one observed on existing highways. The fairly smallnumber of collisions on the current highway system indicatesthat the probability of the worst disturbance arising must besmall. A probabilistic analysis methodology that takes intoaccount the process of disturbance generation can be usedto further analyze the safety/capacity tradeoff in an AHS.Probabilistic safety analysis also has the potential to providecontrol designs for partially automated vehicles operating inmixed automated-manual traffic, which is perhaps the mostchallenging problem in this area.

APPENDIX ADISCRETE DYNAMICS OF THE PLANT AUTOMATON

See Table I.

APPENDIX BADDITIONAL PROOFS

Proof of Proposition 1: Existence and uniqueness duringcontinuous evolution is guaranteed by the linear dynamics instates and and the assumptions on. Existence for thediscrete evolution is guaranteed, as for each value ofthedisjunction of the invariant and the guards of the outgoingtransitions is true. Uniqueness for the discrete evolution isguaranteed, as for each value ofthe pairwise conjunction ofthe guards of the outgoing transitions among themselves andwith the invariant is false.

Proof of Lemma 1:By assumption, no vehicles are movingbackward in the beginning of the run. We show that thisproperty is preserved by showing that if it holds in a givenstate it also holds for all states that can be reached from thereeither by discrete transitions or by continuous evolution; theclaim follows by induction on the length of the run of theautomaton.

Assume that no vehicles are moving backward in a givenstate. Consider first the states that can be reached from

that state by discrete transitions. Transition increases, while transitions and

leave it unaffected. Therefore, if is truebefore any of these transitions, it will also be true afterwards.After transition is reset to . This is the valueof before , which satisfies by the inductionhypothesis.

Now consider a continuous trajectory that at timesatisfies, and assume for the sake of contradiction that there

exists with . By continuity this is possibleonly if there exists such that . At timethe discrete state transitions to and are reset to zero. Byassumption, if the system evolves continuously from this state,then and therefore cannot decrease any further as

and . This contradicts the hypothesisthat there exists with .

The claim that in this case can never occur in statesand follows (in fact the part is true even if the

lemma assumptions are violated). The setsimply restrictsto be nonnegative. It therefore contains all disturbances

allowed by the lemma assumptions and possibly more, asis only required to be piecewise continuous whereas in fact itis piecewise differentiable.

Proof of Proposition 3: The first part is a straightforwardcalculation. For the second part we show that a unilateralchange in strategy leaves the player who decided to changein worse condition. Let denote the time reachesand the time reaches zero under and notethat

First, fix and let vary. Let denote the state attime under the inputs . Then

We need to distinguish two cases.

1) : The bounds on imply that ,therefore .

2) : Recall that is piecewise constant.Therefore and are piecewise differentiable,with derivatives and , respectively. Bydefinition of . Therefore, as

.

In either case . Using thefact that and integrating leads to

.Next, fix and allow to vary. Let denote the state

at time under the inputs . Then


where is the step function at time .Note that and imply that

for all (as ). If , thesame is true for the term . If ,then (recall that ), and therefore

(once vehicle stops it never starts movingagain under ). But, (as ) and

(as does not depend on ). Therefore,if for all .

For the integral term we need to distinguish two cases.

1) : The bounds on imply that ,therefore .

2) : By definition of. The state constraints imply that(vehicle does not go backward), therefore

. Subtracting,.

The stopping time for under will always be greater thanthe stopping time under . In both cases, we are able toconclude that . Integrating thisinequality and using the fact that gives

.Overall for all

and . By definition, is globally a saddle solution.Proof of Lemma 4:Assume, for the sake of contradic-

tion, that can exit and never re-enter, without thevehicle stopping. Note that is applied while(i.e., vehicle decelerates as hard as possible). By Lemma 3vehicles and will not collide. Therefore, if remainsoutside , vehicle will eventually stop. This contradictsour original assumption. Let denote the time it takes avehicle to stop under . A simple calculation indicates that

depends on and the model constants. Taking

(17)

provides a (finite) upper bound on the time it takes for thestatement to become true.

Proof of Proposition 5: We write as an integral costfunction, assume that optimal controls exist, and proceed toclassify them using the Maximum Principle [57]. At the timeof impact , the relative velocity will be negative, therefore

Define the Lagrangian as . For a giveninitial condition, the extrema of occur at the

extrema of . Optimization is subjectto input constraintsand state constraints and .Define functions and

. The state constraints are satisfied as longas for . Following [57] we differentiate

the constraint equations until the inputs appear

Let and form the Hamiltonian

with if if andare chosen so that if . As theterms in and decouple, we take the min–max ofto obtain a saddle solution . Let

, where

ififif

(18)ififif

(19)

The Euler–Lagrange equation foris

which, with the boundary condition forsome leads to

and for .The solution is not completely specified at this stage. There

are two parameters and to be determined from theboundary conditions and

. Here only we try to determine conditions under whichthe optimal controls take on the maximal value allowedby the constraints. For this purpose we use the condition

. As if orand if , the condition simplifies to

(20)

As the case is covered by Proposition 3, wefurther restrict our attention to . We distinguish twocases. If , then . Therefore,and , and the controls assume the minimum valueallowed by the constraints for all .

If , then . If ,and ; therefore, the controls assume the minimumvalue allowed by the constraints for all . If

, then for all while forand for . Therefore,


assumes first the maximum and then the minimum valueallowed by the constraints, while assumes the minimumvalue allowed by the constraints for all . Finally, if

, then for andfor while forand for . Therefore andboth assume the maximum value allowed by the constraintsfirst, then switches to the minimum value, and finallyswitches to the minimum value. A nonzero amount of timeelapses between the two switches.

ACKNOWLEDGMENT

The authors would like to thank Dr. P. Varaiya for hisinvaluable insight into the AHS problem and Dr. J. Ben-Asherfor his helpful comments on the proof of Proposition 5.

REFERENCES

[1] X. Nicollin, A. Olivero, J. Sifakis, and S. Yovine, “An approach to thedescription and analysis of hybrid systems,” inHybrid System, LectureNotes in Computer Science, no. 736, R. L. Grossman, A. Nerode, A.P. Ravn, and H. Rischel, Eds. New York: Springer Verlag, 1993, pp.149–178.

[2] R. Alur, C. Courcoubetis, T. A. Henzinger, and P. H. Ho, “Hybridautomaton: An algorithmic approach to the specification and verificationof hybrid systems,” inHybrid System, Lecture Notes in ComputerScience, no. 736, R. L. Grossman, A. Nerode, A. P. Ravn, and H.Rischel, Eds. New York: Springer Verlag, 1993, pp. 209–229.

[3] R. W. Brockett, “Hybrid models for motion control system,” inPer-spectives in Control, H. Trentelman and J. Willems, Eds. Boston, MA:Birkhauser, 1993.

[4] A. Nerode and W. Kohn, “Models for hybrid system: Automata,topologies, controllability, observability,” inHybrid System, LectureNotes in Computer Science, no. 736, R. L. Grossman, A. Nerode, A.P. Ravn, and H. Rischel, Eds. New York: Springer Verlag, 1993, pp.317–356, 1993.

[5] M. S. Branicky, “Control of hybrid systems,” Ph.D. dissertation, MIT,Cambridge, MA, 1994.

[6] N. Lynch, R. Segala, F. Vaandrager, and H. B. Weinberg, “Hybrid I/Oautomata,” inHybrid Systems III, Lecture Notes in Computer Science,no. 1066. New York: Springer Verlag, 1996, pp. 496–510.

[7] L. Tavernini, “Differential automata and their simulators,”NonlinearAnalysis, Theory, Methods and Appl., vol. 11, no. 6, pp. 665–683, 1987.

[8] A. Deshpande, A. Gollu, and L. Semenzato, “The SHIFT programminglanguage and run-time system for dynamic networks of hybrid au-tomata,” Inst. Transportation Studies, Univ. California, Berkeley, Tech.Rep. UCB-ITS-PRR-97-7, 1997.

[9] M. Anderson, D. Bruck, S. E. Mattsson, and T. Schonthal, “Omsim—Anintegrated interactive environment for object-oriented modeling andsimulation,” in Proc. IEEE/IFAC Joint Symp. Computer Aided ControlSystem Design, 1994, pp. 285–290.

[10] M. Lemmon, J. A. Stiver, and P. J. Antsaklis, “Event identification andintelligent hybrid control,” inHybrid System, Lecture Notes in ComputerScience, no. 736, R. L. Grossman, A. Nerode, A. P. Ravn, and H.Rischel, Eds. New York: Springer Verlag, 1993, pp. 268–296.

[11] O. Maler, A. Pnueli, and J. Sifakis, “On the synthesis of discretecontrollers for timed systems,” inTheoretical Aspects of ComputerScience, Lecture Notes in Computer Science, no. 900. New York:Springer Verlag, 1995.

[12] M. Heymann, F. Lin, and G. Meyer, “Control synthesis for a classof hybrid systems subject to configuration-based safety constraints,” inHybrid and Real Time Systems, Lecture Notes in Computer Science, no.1201. New York: Springer Verlag, 1997, pp. 376–391.

[13] H. Wong-Toi, “The synthesis of controllers for linear hybrid automata,”in Proc. IEEE Conf. Decision and Control, 1997.

[14] A. Nerode and W. Kohn, “Multiple agent hybrid control architecture,”in Hybrid System, Lecture Notes in Computer Science, no. 736, R. L.Grossman, A. Nerode, A. P. Ravn, and H. Rischel, Eds. New York:Springer Verlag, 1993, pp. 297–316.

[15] J. Lygeros, D. N. Godbole, and S. Sastry, “Multiagent hybrid systemdesign using game theory and optimal control,” inProc. IEEE Conf.Decision and Control, 1996, pp. 1190–1195.

[16] L. Hou, A. Michel, and H. Ye, “Stability analysis of switched systems,”in IEEE Conf. Decision and Control, 1996, pp. 1208–1214.

[17] R. Alur and D. Dill, “A theory of timed automata,”Theoretical Com-puter Sci., vol. 126, pp. 183–235, 1994.

[18] T. Henzinger, P. Kopke, A. Puri, and P. Varaiya, “What’s decidableabout hybrid automata,” inProc. 27th Annu. Symp. Theory of Computing,STOC’95. ACM, 1995, pp. 373–382.

[19] Z. Manna and A. Pnueli,Temporal Verification of Reactive Systems:Safety. New York: Springer-Verlag, 1995.

[20] C. Daws, A. Olivero, and S. Yovine, “Verifying ET-LOTOS programswith KRONOS,” in Proc. 7th IFIP WG G.1 Int. Conf. Formal De-scription Techniques, FORTE’94, Formal Description Techniques VII,D. Hogrefe and S. Leue, Eds. Bern, Switzerland: Chapman & Hall,1994, pp. 227–242.

[21] T. A. Henzinger, P. H. Ho, and H. W. Toi, “A user guide to HYTECH,”in Proc. TACAS 95: Tools and Algorithms for the Construction andAnalysis of Systems, Lecture Notes in Computer Science, no. 1019, E.Brinksma, W. Cleaveland, K. Larsen, T. Margaria, and B. Steffen, Eds.New York: Springer Verlag, 1995, pp. 41–71.

[22] Z. Manna and the STep group, “STeP: The Stanford temporal prover,”Computer Science Dept., Stanford Univ., Tech. Rep. STAN-CS-TR-94-1518, July 1994.

[23] J. Lygeros, C. Tomlin, and S. Sastry, “Multi-Objective hybrid controllersynthesis,” inProc. HART’97, Lecture Notes in Computer Science, no.1201, O. Maler, Ed. Berlin: Springer Verlag, 1997, pp. 109–123.

[24] C. Tomlin, G. Pappas, and S. Sastry, “Conflict resolution for air trafficmanagement: A case study in multi-agent hybrid systems,” ElectronicResearch Laboratory, Univ. California, Berkeley, Tech. Rep. UCB/ERLM96/38, 1996.

[25] D. Swaroop, “String stability of interconnected systems: An applicationto platooning in automated highway systems,” Ph.D. dissertation, Dept.Mechanical Engineering, Univ. California, Berkeley, 1994.

[26] P. Ioannou and C. Chien, “Autonomous intelligent cruise control,”IEEETrans. Veh. Technol., vol. 42, pp. 657–672, 1993.

[27] D. N. Godbole and J. Lygeros, “Longitudinal control of the lead car ofplatoon,” IEEE Trans. Veh. Technol., vol. 43, pp. 1125–1135, 1994.

[28] P. Li, L. Alvarez, R. Horowitz, P.-Y. Chen, and J. Carbaugh, “Safevelocity tracking controller for AHS platoon leader,” inProc. IEEEConf. Decision and Control, 1996, pp. 2283–2288.

[29] D. N. Godbole, J. Lygeros, and S. Sastry, “Hierarchical hybrid control:An IVHS case study,” inHybrid Systems II, Lecture Notes in ComputerScience, no. 999, P. Antsaklis, W. Kohn, A. Nerode, and S. Sastry, Eds.New York: Springer Verlag, 1995, pp. 166–190.

[30] J. Frankel, L. Alvarez, R. Horowitz, and P. Li, “Safety orientedmaneuvers for IVHS,” inProc. American Control Conf., 1995, pp.668–672.

[31] E. Dolginova and N. Lynch, “Safety verification for automated platoonmaneuvers: A case study,” inProc. HART’97, Lecture Notes in Com-puter Science, no. 1201, O. Maler, Ed. Berlin: Springer Verlag, 1997,pp. 154–170.

[32] J. Lygeros, D. N. Godbole, and S. Sastry, “A game theoretic approachto hybrid system design,” Electronic Research Laboratory, Univ. Cali-fornia, Berkeley, Tech. Rep. UCB/ERL-M95/77, Oct. 1995.

[33] , “A verified hybrid controller for automated vehicles,” inProc.IEEE Conf. Decision and Control, 1996, pp. 2289–2294.

[34] J. Lygeros, “Hierarchical hybrid control of large scale systems,” Ph.D.dissertation, Dept. Electrical Eng., Univ. California, Berkeley, 1996.

[35] R. Alur and T. A. Henzinger, “Reactive modules,” inProc. 11th Annu.Symp. Logic in Computer Science. IEEE Computer Soc. Press, 1996,pp. 207–218.

[36] T. Basar and G. J. Olsder,Dynamic Non-Cooperative Game Theory, 2nded. New York: Academic, 1995.

[37] J. Lygeros, D. N. Godbole, and M. E. Broucke, “Extended architecturefor degraded modes of operation of IVHS,” inProc. American ControlConf., 1995, pp. 3592–3596.

[38] S. Sheikholeslam, “Control of a class of interconnected nonlineardynamical systems: The platoon problem,” Ph.D. dissertation, Dept.Electrical Eng., Univ. California, Berkeley, 1991.

[39] J. K. Hedrick, D. McMahon, V. Narendran, and D. Swaroop, “Longi-tudinal vehicle controller design for IVHS system,” inProc. AmericanControl Conf., 1991, pp. 3107–3112.

[40] H. Peng and M. Tomizuka, “Vehicle lateral control for highway automa-tion,” in Proc. American Control Conf., 1990, pp. 788–794.

[41] W. Chee and M. Tomizuka, “Lane change maneuver of automobiles forthe intelligent vehicle and highway systems (IVHS),” inProc. AmericanControl Conf., 1994, pp. 3586–3587.

[42] J. B. Michael, D. N. Godbole, R. Sengupta, and J. Lygeros, “Capacityanalysis of traffic flow over a single lane AHS,”ITS J., vol. 4, 1998.


[43] A. Hitchcock, “Casualties in accidents occurring during split and mergemaneuvers,” Inst. Transportation Studies, Univ. California, Berkeley,Tech. Rep., PATH Tech. Memo 93-9, 1993.

[44] J. A. Haddon, “Evaluation of AHS throughput using Smart Cap,” inProc. American Control Conf., 1997.

[45] S. Shladover, “Operation of automated guideway transit vehicles in dy-namically reconfigured trains and platoons,” U.S. Dept. Transportation,Tech. Rep. UMTA-MA-0085-79-3, 1979.

[46] P. Varaiya, “Smart cars on smart roads: Problems of control,”IEEETrans. Automat. Contr., vol. 38, pp. 195–207, Feb. 1993.

[47] B. S. Y. Rao and P. Varaiya, “Roadside intelligence for flow control inan IVHS,” Transportation Res. Part C, vol. 2, no. 1, pp. 49–72, 1994.

[48] P. Li, R. Horowitz, L. Alvarez, J. Frankel, and A. Robertson, “Trafficflow stabilization,” inProc. American Control Conf., 1995, pp. 144–149.

[49] R. W. Hall, “Longitudinal and lateral throughput on an idealizedhighway,” Transportation Sci., vol. 29, no. 2, pp. 118–127, 1995.

[50] M. E. Broucke and P. Varaiya, “A theory of traffic flow in automatedhighway systems,”Transportation Res. Part C, vol. 4C, no. 4, pp.181–210, 1996.

[51] A. Hsu, F. Eskafi, S. Sachs, and P. Varaiya, “Protocol design for anautomated highway system,”Discrete Event Dynamic Systems, vol. 2,no. 1, pp. 183–206, 1994.

[52] R. P. Kurshan,Computer-Aided Verification of Coordinating Processes:The Automata-Theoretic Approach. Princeton, NJ: Princeton Univ.Press, 1994.

[53] Y. Yang and B. Tongue, “Intra-platoon collision behavior during emer-gency operations,”Vehicle System Dynamics, vol. 23, no. 4, pp. 279–292,1994.

[54] J. Lygeros, “To brake or not to brake? Is there a question?,” inProc.IEEE Conf. Decision and Control, 1996, pp. 3723–3728.

[55] J. Lygeros and D. Godbole, “An interface between continuous anddiscrete event controllers for vehicle automation,”IEEE Trans. Veh.Technol., vol. 46, pp. 229–241, 1997.

[56] D. N. Godbole, J. Lygeros, E. Singh, A. Deshpande, and A. Lindsey,“Design and verification of coordination layer protocols for degradedmodes of operation of AHS,” inProc. IEEE Conf. Decision and Control,1995, pp. 427–432.

[57] A. E. Bryson and Y.-C. Ho,Applied Optimal Control. Hemisphere,1975.

John Lygeros(S’89–M’97) received the B.Eng. de-gree in electrical and electronic engineering in 1990and the M.Sc. degree in control and systems in 1991,both from Imperial College of Science Technology& Medicine, London, U.K. In 1996 he received thePh.D. degree in the electrical engineering from theUniversity of California, Berkeley.

From June to October 1996 he was a VisitingPostdoctoral Researcher with the California PATHproject, Institute of Transportation Studies, Univer-sity of California, Berkeley. Between November

1996 and September 1997 he was a Postdoctoral Research Associate at theLaboratory for Computer Science of the Massachusetts Institute of Technol-ogy. He is currently a Postdoctoral Researcher at the Electrical Engineeringand Computer Sciences Department of University of California, Berkeley. Hisresearch interests include hierarchical and hybrid systems, nonlinear controltheory and their applications to Automated Highway Systems, and Air TrafficManagement.

Dr. Lygeros is the corecipient (with Dr. D. N. Godbole) of the 1997Eliahu Jury award for “Excellence in Systems Research” awarded by theElectrical Engineering and Computer Sciences Department of the Universityof California, Berkeley.

Datta N. Godbole (M’95) received the B.E. degreein electrical engineering from the University ofPune, India, in 1987, the M. Tech. degree in systemsand control engineering from the Indian Institute ofTechnology, Bombay, India, in 1989, and the Ph.D.degree in the electrical engineering and computerscience department from the University of Califor-nia, Berkeley, in 1994.

Since 1995, he has been working as an Assis-tant Research Engineer with the California PATHprogram at the University of California, Berkeley.

His research interests include hybrid control systems, hierarchical control ofcomplex multi-agent systems, nonlinear control, and applications to intelligenttransportation systems and vehicle dynamics.

Dr. Godbole is a recipient of the 1987 University Gold Medal in engineeringfrom the University of Pune, India, and a co-recipient (with Dr. J. Lygeros) ofthe 1997 Eliahu Jury award for “Excellence in Systems Research” from theDepartment of Electrical Engineering and Computer Sciences at the Universityof California, Berkeley.

Shankar Sastry (S’79–M’80–SM’90–F’95), for photograph and biography,see this issue, p. 521.

Verified Hybrid Controllers for Automated Vehicles...

Documents

Transcript of Verified Hybrid Controllers for Automated Vehicles...