novel communication and system constructs for integrated … · platoons, vanets, clusters, …...
Post on 27-Jul-2020
2 Views
Preview:
TRANSCRIPT
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012 1
Novel Communication and System Constructs
for Integrated Safety and Efficiency in
Intelligent Vehicular Networks
Gérard Le Lann
INRIA – IMARA Team
Gerard.Le_Lann@inria.fr
Intelligent Vehicular Networks
Platoons, VANETs, clusters, … comprising fully automated
cooperative « smart » vehicles
1st International Workshop on Vehicular Communications and Applications
Cyprus, 18 June 2012
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012
Presentation
0. Motivations – Safety requirements – System model 1. Safety and efficiency issues in stationary scenarios Problem and solution (cohorts) 2. Safety issues in transitory scenarios Problem and solution (groups)
3. Open problems & widespread beliefs (V2V communications)
Reliable Bcast, Mcast, Geocast, Convergecast protocols for safety-critical
scenarios
Weaknesses of existing/published MAC protocols for V2V/V2I safety-
critical communications
Hints for solutions
2
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012 3
Efficiency
High vehicular network compactness, high asphalt utilization ratio,
small inter-vehicle spacing.
Safety (sécurité-innocuité)
Probability or likelihood of experiencing some “damage” while
using, or being part of, a system: lower than some infinitesimally
small threshold.
Mandatory in every safety-critical (SC) domain. Air transportation:
safety figures have a lower bound in the order of 1-10-9 per hour.
“Damage” is application-dependent (environmental catastrophes,
human casualties, destructions of species, of property,…).
Safety vs. Efficiency on Roads and Highways
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012 4
Safety vs. Efficiency on Roads and Highways
≈ 120 km/h
What if B’s longitudinal telemetry function fails, and
R decelerates abruptly? (Beyond ISO 26262)
R ≈ 3 m spacing B
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012 5
Criteria
Platoons
VANETs
Efficiency
yes
no
Safety % failuresSafety % failures
??
??
Strong features
rigorous definitions platoon is a structuring construct proofs (e.g., kinematics)
ad hoc mirrors reality communications an integral part of VANETs
Limitations
complexity communications are an add-on
no rigorous definitions (clusters, … ?) lack of structuring constructs simulations, few proofs
New constructs (building upon platoons and VANETs)
needed for reconciling efficiency and safety
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012 6
Something else? We have been here before…
Lack of appropriate structuring concepts/constructs , definitions, is an
impediment to proving properties. Ex.: “vehicle cluster” ≡ ?
Recall the early days of (static) distributed computing? Cloud computing?
Fundamental concepts of “atomicity”, “transactions”, “concurrency control”, ...
can be usefully applied to (mobile) distributed cyber-physical systems ...
a cluster?
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012 7
Something else? We have been here before…
► 2 distinct constructs
Time spent in single-lane scenarios significantly higher than time spent in
risky maneuvers (lane changes, steep breaking).
COHORTS
For “atomic” stationary (non safety-critical) scenarios
(considered in isolation from each other) GROUPS
For “interfering” cohorts, i.e. transitory (safety-critical)
scenarios
Yet another reason for distinguishing cohorts and groups separately.
Anticipated single-lane SC scenario
Change of inter-vehicle spacing ▬ Z: vehicle accelerating or decelerating
beyond nominal rate
Unanticipated single-lane SC scenarios
Brutal stopping ▬ Z: vehicle which stops abruptly (the “brick wall”
paradigm, e.g. collision with a deer) ▬ Z, Z’: vehicles involved in an
accident, 1 lane blocked
Emergency breaking ▬ Z: vehicle which decelerates abruptly (e.g.
obstacle or accident detected)
Imminent sudden stopping (fatal failure of vehicle equipment, of on-board
system) ▬ Z: vehicle which is about to stop abruptly
Sudden acceleration ▬ Z: vehicle which accelerates abruptly (failure of
vehicle equipment)
Categorization of SC scenarios (types F)
Anticipated multi-lane SC scenarios
On ramp merging ▬ Z: entrant vehicle
Individual lane change ▬ Z: vehicle which wants to change lane
Collective lane change ▬ Z: head of cohort wanting to move a cohort to a
different lane in a monolithic fashion
Overtaking ▬ Z: vehicle wanting to overtake (double inverted lane change)
Unanticipated multi-lane SC scenarios
Brutal stopping ▬ Z: vehicle which stops abruptly (the “brick wall” paradigm)
▬ Z, Z’: vehicles involved in an accident, blocking more than 1 lane
Imminent interleaved lane changes ▬ Z, Z’, and so on: vehicles wanting to
change lane(s) “immediately”, being interleaved with vehicles circulating on
the targeted lane(s)
Emergency stopping (individual multi-lane change) ▬ Z: vehicle wanting to
reach the emergency lane as soon as possible
Categorization of SC scenarios (types F)
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012 10
Cohorts: States and state transitions internal to a cohort that
meet the cohort specification are not visible from outside: no lane
change(s), no more than r vehicles, no violation of nominal
bounds set for velocities, spacing, ac/dc,... rates, no fatal failure(s)
(nominal, risk-free, single-lane scenarios)
Groups: States and state transitions internal to a cohort that do
not meet the cohort specification are visible from outside
(risk-prone, safety-critical, single/multi-lane scenarios)
Intentional: lane change(s)
Unintentional (fatal failure, avoidance of obstacle/accident):
lane change(s), violation(s) of some nominal bound(s)
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012 11
Safety concerns – Which obligations SO?
SO1. Realistic assumptions –Trustable modeling of system and adversaries
Every assumption has a coverage lower bound in the order of 1-10-9 per hour.
Adversaries: Mobility
Imprecise knowledge of physical variables (e.g., positioning)
Failures
SO2. Worst-case analyses and proofs
Properties shall be established for worst-case conditions or strategies deployed by
adversaries (assumed arbitrary smart).
An essential property: Strict, stringent, timeliness (“real time”) properties
Example: 1-hop SC message transmission delay < 100 ms
Mandatory: prior to proving (or simulating), demonstrate that you have identified
worst cases.
SO3. Designs/solutions that meet the 1-10-9 per hour lower bound requirement
Stochastic or deterministic approaches?
Among others …
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012 12
Safety in the presence of failures?
We have been here before …
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012 13
Impressive experience and knowledge accumulated in air transportation
(TACAS, …), aerospace, railways, nuclear power plants, …
System = {functions} “building blocks”
Every function shall be resilient (e.g., availability/reliability
figures no less than 1-10-7/hour) built out of redundant
“building blocks” (devices, software, …)
Every function shall be backed by at least one other function
No common failure mode functions that may back each other
shall be built out of different “building blocks”
Fundamental principle: diversified functional redundancy
Safety concerns – Which principles?
DSRC/WAVE System Architecture
Applications
1609.1,
et al.
1609.3
1609.4
802.11p
802.11p
LLC
Multi-Channel
Operation
IPv6
UDP / TCP
Management Plane Data Plane
OS
MLME
WSMP
PLME
Airlin
k
WAVE PHY
WAVE MAC
on
-bo
ard
sys
tem
co
re o
f
on
-bo
ard
sys
tem
MAC protocol(s)
distributed algorithms
for decision making
On-Board System Model
Bcast, Mcast, Geocast,
Convergecast,…
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012
No « longitudinal communications »?
What if some function fails? Safety proofs?
15
System Model
Vehicle On-Board Systems and Functions
Processing, I/Os, and storage (Emaps, …) Longitudinal telemetry: directional sensing-based technology (e.g., radars, infrared, free-space optics) for enforcing safe longitudinal inter-vehicle spacing Space-time localization and scene recognition: - 360° positioning and global time keeping (GPS/EGNOS/Galileo devices, …), worst-case inaccuracies γ (≈ 12 m) and τ (≈ 100 μs)
- 360° image processing (e.g., cameras, sensor fusion, AI) and lateral proximity detection (e.g., radars/lidars) 360° short-range omnidirectional radio communications (V2V and V2I), e.g. the IEEE 802.11p and IEEE 1609.x standards
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012 16
Adversaries
Mobility (velocities, ac/dc, maneuvers, …)
Automated vehicles can be under control Enforced limits may depend on, e.g., type F for a SC scenario
Imperfect valuation of physical variables [e.g., space-time
coordinates: worst-case inaccuracies γ (≈ 12 m) and τ (≈ 100 μs)]
The best we can do is to minimize inaccuracy. Inaccuracy cannot be fully eliminated, and may vary with time, locations, conditions, …
Failures
The only possibility: redundancy time / space / coding redundancy
Detection-and-recovery Masking
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012 17
Failures
Accidental (attacks not considered for this presentation)
Stop failures, omission failures
Transient or permanent
Tolerable vs. fatal Failures
OB system stop failure: fatal
Sensing-based function failures: tolerable (mandatory)
Radio antennas omission failures: tolerable (mandatory)
Ether/medium omission failures: tolerable (mandatory)
virtual radio links
While executing a SC scenario: up to f failures (any failure,
« anywhere ») may be experienced by participating vehicles
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012
1-hop V2V communications
SC scenarios may develop far away from an RSU (SO1)
No relaying/routing delays can be accommodated (timeliness!)
Send, Receive, primitives
No upper bounds for delays (MAC level, successful deliveries, …)
can be assumed (SO2)
1-hop multi-ary V2V communications
Bcast, Mcast, Geocast, Convergecast, primitives, no atomicity
assumed (SO1)
Communication model
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012
Presentation
0. Motivations – Safety requirements – System model 1. Safety and efficiency issues in stationary scenarios Problem and solution (cohorts) 2. Safety issues in transitory scenarios Problem and solution (groups)
3. Open problems & widespread beliefs (V2V communications)
Reliable Bcast, Mcast, Geocast, Convergecast protocols for safety-critical
scenarios
Weaknesses of existing/published MAC protocols for V2V/V2I safety-
critical communications
Hints for solutions
19
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012 20
Cohorts on Roads and Highways
No lane changes
Bounds (some fixed, some variable)
r highest number of members (in a cohort)
v highest velocity
sxy safe spacing between contiguous cohort members X and Y
s° smallest safe inter-vehicle spacing
s highest inter-vehicle spacing
S° smallest safe inter-cohort spacing
α highest nominal acceleration rate (attainable by any vehicle)
δ highest nominal deceleration rate (attainable by any vehicle)
η threshold for nominal deceleration rates*, 0 < η < 1
*deceleration rate higher than ηδ start a SC scenario
Safety authorities stipulate nominal bounds
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012
Cohorts on Roads and Highways
21
vehicle motion
cohort head CH
inter-cohort spacing Sct/ch such that CH always stops without hitting CT…
… in the absence of telemetry failures
cohort tail CT
s° ≤ sxy ≤ s
inter-vehicle spacing sxy is safe … in the absence of telemetry failures
S° ≤ Sct/ch
X Y
(s° = s?)
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012 22
≈ 120 km/h
How to avoid rear-end collisions whenever:
* B’s longitudinal telemetry function fails
* R decelerates abruptly
at the same time (SO2)
R ≈ 3 m spacing B
Problem
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012 23
Fundamental principle: diversified functional redundancy
Solution: N2N bidirectional beaconing
Failures of longitudinal telemetry shall be tolerable, backed by longitudinal communications
Neighbor-to-neighbor (N2N) beaconing/messaging with
unidirectional very short range antennas
Assumption: no coincidental failures of longitudinal telemetry and N2N communications (SO1)
Why not V2V communications?
Compared to V2V omnidirectional communications, reduction of worst-case
number of contenders by a factor of ≈ 100
Do we need a “deterministic” MAC protocol for sorting out
≈ half-a-dozen contenders (SO2 & SO3)?
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012 24
beacon(X, i)
X
beacon(Y, j)
Y
Neighbor-to-neighbor
(N2N) periodic bidirectional
beaconing (period π)
Functional diversification with N2N communications permits to
withstand V2V channel jamming or/and V2V antennas’ failures, in
addition to withstanding longitudinal telemetry failures
Cohort management (membership, coordination, agreement, …)
greatly facilitated with N2N messaging & beaconing
Solution: N2N bidirectional beaconing
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012
Worst-case analysis
25
vehicle motion
CH CT
σ° ≤ σxy ≤ σ
With N2N beaconing, inter-vehicle spacing σxy is safe in the presence of
telemetry failures
S° ≤ Sct/ch
What is σ°, counterpart of s° in the presence of telemetry failures?
X Y
N2N coms V2V coms
σ° = s° + c
In platoons, s° ≈ 3 m.
If c higher than ≈ 3 m, forget about efficiency.
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012 26
Consider 2 cohort neighbors X and Y, Y following X Worst-case X decelerates, and Y’s telemetry fails. Beaconing period π. N2N beacon(X, i) sent to Y at t(i) carries:
- sequence number i and t(i)
- vx(i) , X’s velocity at t(i)
- x(i), averaged X’s decelerations over interval [t(i-1), t(i)]
● ● ● ● ●
Question: why not X’s space coordinates in beacon(X, i)?
Worst-case analysis
In Proc. IEEE Vehicular Networking Conference 2011, pp. 1-8
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012
interval of deceleration by Y
time
X
Y
π
time
new t(i) t(i+h-2) t(i-1) t(i+h-1)
T(i+1) T(i+h-1) T(i+h-2)
≈ π
beacon(X, i+2)
sequence of h N2N beacons(X, *) sent by X, processed by Y
t(i+1)
beacon(X, i+h-1)
θ
θ-π’: time of Y’s telemetry failure occurrence
T(i-1)
upstream
warning beacon(X, i)
beacon(X, i-1)
π'
Worst-case analysis Smallest safe spacing for withstanding telemetry failures
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012 28
Nominal bounds essential here: δ and (0 < < 1)
Parameter defines the boundary between “non SC deceleration” and
“SC deceleration”. In non SC situations, a cohort member decelerates
at rate ηδ at most. Recall: any vehicle shall be able to decelerate at
rate δ at least.
(η and rate δ mandated/stipulated by safety authorities) Worst-case non SC scenario/conditions:
X and Y circulate at identical velocity v at θ-π,
X starts decelerating at θ-π, right after sending beacon(X, i-1)
quoting vx(i-1) = v (proof is by contradiction). At θ (worst-case), Y sends X a N2N warning message (“telemetry
down”). X resets its periodic time referential (current time ≈ θ = new
t(i)) and returns beacon(X, i)).
Worst-case analysis Smallest safe spacing for withstanding telemetry failures
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012 29
At T(i) ≈ θ, in worst-case conditions: vy(i) = v and vx(i) = v-δηπ.
Lost X/Y spacing c’ in interval [θ-π, θ]: c’ = ηδπ2/2. Past T(i), X keeps decelerating continuously at highest rate ηδ,
while Y keeps decelerating at highest rate δ. Let c(t), t > θ, stand for
the distance travelled by Y minus the distance travelled by X during
interval [θ, t]. We have c(t) = δt{ηπ – t(1-η)/2}. Highest value of c(t) reached when its derivative w.r.t. t is 0, i.e. at
t* = ηπ/(1-η). Thus: c(t*) = δ(ηπ)2/2(1-η), and worst-case total lost
spacing c = c’+c(t*). Number of beaconing rounds: h = (1- )-1
c = π2δη/2(1-η) c does not depend on velocities Lower bound of σxy writes σ° = s° + c. Since bound s° holds for
velocities below v°, such is the case for σ°.
Worst-case analysis Smallest safe spacing for withstanding telemetry failures
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012
interval of deceleration by Y, rate ●
time
T(i-1) T(i+1) T(i+2)
beacon(X, i)
xy
beacon(X, i+1)
θ = T(i)
0
interval of deceleration by X, rate ●
vy = v
sxy
beacon(X, i+2)
c
s°
°
X/Y spacing
c
vx = 0 or vy = 0
Worst-case analysis Smallest safe spacing for withstanding telemetry failures
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012 31
U.S. Department of Transportation, NHTSA
Safety Benefit Evaluation of a Forward Collision Warning System: Final Report
DOT HS 810 910 February 2008
By Virginia Tech Transportation Institute 3500 Transportation Research Plaza (0536)
Blacksburg, VA 24061. Document available to the public from the National Technical
Information Service, Springfield, Virginia 22161
Page 82, Eq. (45) gives critical warning distances for two contiguous
decelerating vehicles based on velocities and deceleration rates.
Converted in our notations, original Eq. (45) is as follows:
vy2 /δy < vx
2/δx – 2εvy + 2sxy (1)
where ε stands for Y’s lag time (radar latency), human driver reaction
latency set to 0 (we consider fully automated vehicles).
Worst-case analysis Can this solution and analysis match conventional safe spacing algorithms?
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012 32
Applied to our N2N beaconing model and accounting for telemetry
failures, original Eq. (45) becomes:
vy2 /δy < vx
2/δx – 2πvy + 2σxy (2)
with π > ε, σxy standing for X/Y spacing at t(i), other variables
averaged over interval [t(i-1), t(i)], excepted δy computed for interval
[t(i), t(i+1)].
Condition under which (2) implies (1): (π–ε) vy ≥ c
Quadratic constraint in π. Roots (π’s bounds) are :
π° = (1-η)vy[1-λ]/δη, π = (1-η)vy[1+λ]/δη,
where λ2 = 1 – 2ηδε/(1-η)vy
Highest (smallest) bound values :: vy = v for π (vy = v° for π°). ε = 0.05, δ = 7.5, η = 0.77, and vy = 40 π° = 0.051, and π = 3.14.
Worst-case analysis Can this solution and analysis match conventional safe spacing algorithms?
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012 33
Practical answer: much less/no more than ≈ s°!
c = π2δη/2(1-η)
Realistic values of parameters in c: δ = 7.5 m/s2, η = 0.77
With π = 100 ms (10 Hz) c = 0.13 m
With π = 400 ms c = 2.01 m
With π = 500 ms c = 3.14 m
Worst-case analysis Does this solution reconcile safety and efficiency?
What is σ°, counterpart of s°, in the presence of telemetry failures?
Back to open question:
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012
Presentation
0. Motivations – Safety requirements – System model 1. Safety and efficiency issues in stationary scenarios Problem and solution (cohorts) 2. Safety issues in transitory scenarios Problem and solution (groups)
3. Open problems & widespread beliefs (V2V communications)
Reliable Bcast, Mcast, Geocast, Convergecast protocols for safety-critical
scenarios
Weaknesses of existing/published MAC protocols for V2V/V2I safety-
critical communications
Hints for solutions
34
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012
X’s situational data stdX(t):
stdX(t) {X, sizeX, …, t, locX(t), vX(t), αX(t) or δX(t), …}
Examples of SC scenarios
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012
emergency lane
36
≈ 120 km/h
How to avoid (collective) collisions whenever risk-prone
maneuvers must be undertaken. Examples:
• Z1 decelerates abruptly
• Z2 needs to reach the emergency lane asap
≈ 3 m spacing Z1
Problem illustrated
Z2
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012 37
A safety-critical (SC) scenario is always started by some vehicle (Z).
Early warning is possible despite obstacles, distances, …,
via V2V communications.
Solution: Groups & V2V communications
IVNs are cyber-physical systems A SC scenario comprises 5
phases, ratio physical/cyber from phase 1 to phase 5, involving:
• V2V communications, decision-making algorithms
• Coarse grain, fine grain, maneuvers.
► Knowing their respective roles earlier than when relying solely on
sensing-based capabilities (used for final “fine tuning”), participants
can adjust their motions early enough (“coarse tuning”).
Rationale for groups: SC maneuvers are undertaken under
(much) safer conditions (than without the group constructs)
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012 38
► Phase 1:
Group forming started by Z, initiator of SC scenario {Z, F}.
Z does Geocast_MZ, MZ {stdZ(t), stdZ( ), F}, > t
group RZ,F comprises vehicles which receive MZ.
► Phase 2:
Group EZ,F comprises eligible vehicles, i.e. members of RZ,F which
match std predicates in MZ. These vehicles may have to take some
active part in {Z, F}.
Every eligible vehicle W does Bcast_EMW, EMW {stdW( ), Z, F},
and “adjusts” its velocity if necessary.
Group forming – Anatomy of a SC scenario (1)
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012 39
► Phase 3:
Z computes the “winning group” AZ,F out of messages EM* received
from eligible vehicles decision message D(AZ,F, Z, F).
Actors group AZ,F subset of EZ,F. Z does Mcast_D(AZ,F, Z, F).
Actors do take an active part in {Z, F}.
Phase 4 (coarse grain maneuvers):
Z, as well as actors when they receive D(AZ,F, Z, F), adjust their
velocities accordingly – they may still be out-of-sight.
Phase 5 (fine grain maneuvers):
Via their sensing-based functions, Z and actors “fine tune” their
respective alignments. Other vehicles behave according to cohort
management rules.
Group forming – Anatomy of a SC scenario (2)
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012 40
RZ,ORM
(not to scale)
AZ, ORM
EZ, ORM
Z on ramp
Q P
* Z processes messages received from members of EZ,ORM
* Z chooses P and Q
Roles are assigned: Z gets inserted on highway between P and Q
(velocities and motions adjusted accordingly)
Illustration with the On Ramp Merging SC scenario (type: ORM)
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012 41
Hybrid IVNs (progressive migration towards increased automation)
How do heterogeneous vehicles (differing levels of automation or autonomy)
co-exist safely?
Shared/final authority
In “extreme” situations, who to trust? The automaton or the human (driver)?
“Automation addiction”
Slowly, humans may forget how to react correctly in “unusual” situations –
already a severe problem with pilots of commercial airplanes!
Legal issues
Who is to be held responsible in case of …
Other current limitations in relation to safety
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012 42
Google’s first self-driving car accident (Aug. 2011)
There was "a huge screeching noise," according to Tiffany Winkelman, and Google's
Prius struck another Prius, which then struck her Honda Accord that her brother was
driving. That Accord then struck another Honda Accord, and the second Accord hit a
separate, non-Google-owned Prius.
Google's original statement reads: "Safety is our top priority. One of our goals is to
prevent fender-benders like this one, which occurred while a person was manually
driving the car."
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012
Presentation
0. Motivations – Safety requirements – System model 1. Safety and efficiency issues in stationary scenarios Problem and solution (cohorts) 2. Safety issues in transitory scenarios Problem and solution (groups)
3. Open problems & widespread beliefs (V2V communications)
Reliable Bcast, Mcast, Geocast, Convergecast protocols for safety-critical
scenarios
Weaknesses of existing/published MAC protocols for V2V/V2I safety-
critical communications
Hints for solutions
43
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012 44
Open problems & widespread beliefs (V2V communications)
Major open problems with mobile wireless networks. Notably:
Can Can wewe reasonablyreasonably expectexpect green lights green lights fromfrom safetysafety authoritiesauthorities whenwhen assertingasserting
« We can develop safety arguments despite lack of
guaranteed message deliveries within « acceptable » delays »? …
« We can develop safety arguments despite lack of
proofs showing that periodic beaconing at 1Hz at least is always achievable »? …
« We can develop safety arguments despite lack of
guaranteed (worst-case) radio channel access delays »? …
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012 45
Open problems & widespread beliefs (V2V communications)
ReliabilityReliability Which reliable Bcast/Mcast/Geocast/Convergecast/… protocols? Reliability implies “guaranteed” message deliveries. Best protocols are those achieving smallest termination delays. More precisely: best protocols match smallest worst-case upper bounds for
message delivery delays in the presence of message losses (f).
Most popular solutions: PAR or/and NAR protocols
Questions and observations
• What if number of recipients/participants is unknown?
• Acks may be lost, rather than messages. Retransmissions are useless,
wasting time and bandwidth.
• Inefficient even if f = 1 (timers T set to highest value)
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012 46
7 members in EZ,ORM
Q P
Z
on ramp
Worst-case run for Bcast_MZ or Mcast_DZ
6 acks (returned by P) lost over link {Z, P}
message by Z sent 7 times
smallest number of acks returned = 6 + 7
f = 6 virtual link {Z,P} targeted by
the adversary
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012 47
Open problems & widespread beliefs (V2V communications)
Worst-case run – Simplified numerical illustration
n: number of recipients f: maximum number of virtual link failures
m: message transmission time a: ack transmission time
c: time lost per message and per ack due to contention (MAC level) with N
surrounding vehicles (N > n)
n = 7, f = 6, m = 3 ms, a = 0.15 ms, c = 20 ms (not a worst-case figure)
T = highest duration of Bcast in the absence of failures:
T = m+c + 7(a+c) = 164 ms
Worst-case termination time of Bcast in the presence of failures:
7T = 1.148 s Unacceptably high!
Hints for better solutions
Masking rather than DetectionMasking rather than Detection--andand--RecoveryRecovery
Take advantage of cohort propertiesTake advantage of cohort properties
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012 48
Worst-case analysis (SO2)
IEEE 802.11p radio interference radius ≈ 400 m
Road/highway curvatures max. longitudinal distance between
interfering vehicles ≈ 1.2 km
4 lanes, each way
High compactness
v vehicle size 7 m s spacing 4 m
1 vehicle every ≈ 11 m highest number of interfering vehicles ≈ 870
Open problems & widespread beliefs (V2V communications)
Periodic V2V beaconing for situational awarenessPeriodic V2V beaconing for situational awareness Frequencies quoted … frequently [1 Hz, 10 Hz] for 2D spaces.
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012 49
X’s beacons carry stdX(t):
stdX(t) {X, sizeX, …, t, locX(t), vX(t), αX(t) or δX(t), …}
Beacon size: b
Beaconing period: π
IEEE 802.11p channel: 6 Mbits/s
Channel utilization ratio: ρ
Smallest achievable period π* = 870 b/6ρ 10-6
Numerical example: b = 2600 bits ρ = 1 (utopia) π* = 377 ms 10 Hz unfeasible, even with a perfect MAC protocol
Open problems & widespread beliefs (V2V communications)
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012 50
Limit of ρ with CSMA-CA (pre-thrashing threshold) 0.25
π* 1.5 s
1 Hz unfeasible with IEEE 802.11p CSMA-CA protocol
Moreover, stochastic « guarantee » ( SO2)
Open problems & widespread beliefs (V2V communications)
Hints for better solutions
Take advantage of cohort propertiesTake advantage of cohort properties
deterministic MAC protocol (to be patented or published)deterministic MAC protocol (to be patented or published) Example: b = 2600 bits, π = 0.5 s
Every vehicle has exactly 2 (dynamically assigned) exclusive
slots every second for broadcasting its beacons
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012 51
Open problems & widespread beliefs (V2V communications)
MAC level timelinessMAC level timeliness Which MAC protocols that would guarantee the existence of predictable strict upper bounds (worst-case) for radio channel
access delays (SO2) under realistic assumptions (SO1)? (SO3) deterministic MAC protocols
Bad news
No such protocols may exist (popular belief)
“Best-effort” deterministic protocols only
However, no impossibility proofs!
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012 52
TDMA: inadequate for open, highly dynamic, sets of vehicles
CDMA: deterministic code assignments?
SDMA, LCA: rest on unrealistic (best case) assumptions:
universal grid of tiny cells, non varying number of road/highway lanes, highly accurate vehicle space-time coordinates* ( SO1)
* γ ≈ 0 and τ ≈ 0, rather than γ ≈ 12 m and τ ≈ 100 μs
MAC protocols based on “situational awareness”, gathered
through V2V beaconing: problematic circularities
Hopeless?Hopeless?
Open problems & widespread beliefs (V2V communications)
Published proposals for 2D spaces
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012 53
Few “deterministic” DCR algorithms published
(DCR ≡ deterministic collision resolution) «« DeterministicDeterministic » Ethernets (the 80’s). The » Ethernets (the 80’s). The
802.3D protocol, a variation of plain Ethernet, 802.3D protocol, a variation of plain Ethernet,
based upon balanced tree searches (stack based upon balanced tree searches (stack
algorithm), patented by INRIA at the request of algorithm), patented by INRIA at the request of
the French Navy. the French Navy. Fielded Fielded in various places:in various places:
•• Nuclear aircraft carrier CharlesNuclear aircraft carrier Charles--dede--GaulleGaulle
•• Frigates and submarinesFrigates and submarines
•• Industrial sites (SaintIndustrial sites (Saint--Gobain, …)Gobain, …)
•• European spatial base (European spatial base (ArianeAriane launcher) in launcher) in
KourouKourou (French Guyana)(French Guyana)
Traditional CSMA-CD solutions (static wired networks)
J.-F. Hermant, G. Le Lann, "A protocol and
Correctness Proofs for Real-Time High-
Performance Broadcast Networks", 18th IEEE
International Conference on Distributed
Computing Systems (ICDCS 98), Amsterdam,
The Netherlands, 26-29 May, pp. 360-369.
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012 54
Traditional CSMA-CD solutions (static wired networks)
Reliable Broadcast in Wireless Mobile Ad Hoc Networks
Mansoor Mohsin, David Cavin, Yoav Sasson, Ravi Prakash, André Schiper
http://www.computer.org/csdl/proceedings/hicss/2006/2507/09/index.html
Can be adapted to work in
mobile wireless networks
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012 55
Hints for solutions
Take advantage of cohort and group propertiesTake advantage of cohort and group properties
Two classes of solutions:Two classes of solutions:
CDCD--DCR protocols (CD feasible with the group construct)DCR protocols (CD feasible with the group construct)
CollisionCollision--free protocolsfree protocols
Open problems & widespread beliefs (V2V communications)
Magic?
Recall:
1) Lack of appropriate structuring concepts/constructs is an impediment to proving
properties. Recall the early days of (static) distributed computing? Fundamental
concepts of “atomicity”, “transactions” , “concurrency control”, ... can be usefully
applied to (mobile) distributed cyber-physical systems
► 2 distinct constructs
G. Le Lann VCA Workshop 2012 COST IC0906 WiNeMO School 2012 56
Cohorts and groups, not initially devised to that end, are
essential cornerstones for solving these open problems.
Keep thinking …
… and stay tuned!
Questions?
Thus, no contradictions with widespread beliefs.
And it makes sense to dig deeper …
Open problems & widespread beliefs (V2V communications)
top related