1© 2017 The MathWorks, Inc.

Model-Based Design of Connected and Autonomous Vehicles

Akshay Rajhans, PhD

Senior Research ScientistAdvanced Research and Technology OfficeMathWorkshttps://arajhans.github.io

2nd IEEE Summer School on Connected and Autonomous Vehicles May 19, 2017

2

How do we design safe and reliable cyber-physical systems ?

3

Model-based design (MBD)

§ Analyze and understand the requirements specification§ Develop computational model(s) of the system

– Check the model against the real system § ``are you are building the right thing?'' (validation)

– Check the model against specifications§ ``are you building it right?'' (verification)

§ Build a prototype – test the prototype in the actual working environment

§ Production

4https://crashstats.nhtsa.dot.gov/Api/Public/ViewPublication/812384

5https://crashstats.nhtsa.dot.gov/Api/Public/ViewPublication/812384

6https://crashstats.nhtsa.dot.gov/Api/Public/ViewPublication/812384

7https://crashstats.nhtsa.dot.gov/Api/Public/ViewPublication/812384

?

?

8

Cooperative Intersection Collision Avoidance System: Stop-Sign Assist (CICAS-SSA)

http://www.dot.state.mn.us/guidestar/2006_2010/cicas/CICAS-SSA%20Report%202.pdf

Can we assist in the decision making?

99

gap lag

Y

n lanes

lag

Intersection areaInstrumented area

à

ß

Prototypical“heterogeneous”CPS• Sensing• Communication• Computation• Physicaldynamics

RoadsideUnit

Dynamicsignnexttostopsign

CICAS-SSA Schematic

Can we formally verify such a system?

10

Model Specification

Formal Verification

Analysis Procedure

NoYes Don’t Know

Withformalguarantee Counterexampleorsomefeedback

11

Model SpecificationFormal Verification

Analysis Procedure

NoYes Don’t Know

Withformalguarantee Counterexampleorsomefeedback

12

Heterogeneity in modeling formalisms and analysis techniques

• Differentformalismssuitedfordifferentaspectsofsystemdesign• Eachmodelrepresentssome designaspectwell• Modelsmakeinterdependentassumptions• Tools workonlywiththeirformalismsHowdoweensurecorrectnessofthesystem?

CICAS-SSA

13

Cyber-Physical System Architecture

Thereisnosystemmodel,butthereisasystemarchitecture

CPSarchitecturalstylepaletteinAcmeStudio

MPM‘09

14

Architectural views

14

Modelsasarchitecturalviews Structuralconsistencyusinggraphmorphisms

“Modelstructure vssystemstructure”Analysis:Consistency,completeness

ERTS2 ‘10 ICCPS‘11

15

Semantic domains of models and specifications

Model MAbehaviorb thatM exhibits

:“semanticinterpretation”ofM inabehaviordomainB

BehaviordomainsB preciselydefinedinbehavior formalisms B (e.g.,discretetraces,continuoustrajectories,hybridtraces)

Specification S

:“semanticinterpretation”ofS inB

1)“overshootisnomorethan1.3unitsandsettlingtimeislessthan𝜏”

2)□(x<1.3)∧⋄ τ (x ∈ [1±ϵ])

1.3

Abehaviorb thatS allows

±ϵ

τ

1

x

time

16

The semantic domain of a dynamic system

§ Points, [ ]– On N

– On R x N § Intervals, [ ñ (á ñ, á ])

– On R§ Hybrid point/interval

– On R

– On R x N

MATLAB, Stateflow

Discrete time Simulink

SimEvents

Simulink

Simulink, Simscape

Simulink, Simscape

17

Abstraction and Implication

§ Model M1 abstracts M0 in B, written

if

§ Specification S1 implies S0 in B, written

if

18

Mappings between semantic domains via behavior relations

§ Approach: Create “behavior relations” between domains

B0:1-dcontinuoustrajectoriesinx

R1⊆ B0XB1

B1={𝛼,𝛼,}*∪{𝛼,𝛼,}𝜔

GivenR1⊆ B0XB1set-basedinversemapR1-1 (‘α’)={c,d,…}

19

Heterogeneous Abstraction and Implication

§ Heterogeneous extensions of behavior-set inclusions

(inwords)

C

(pictorially)

Detailedlevel

HeterogeneousAbstractlevel

A

C

B

A

B

20

Multi-model Verification Problem

21

Multi-model conjunctive and disjunctive heterogeneous verification

Typicalusecase• Eachmodelcapturesadifferentsubsetof

behaviors,e.g.,aspecificnondeterministicchoice

Typicalusecase• Eachmodelcapturesadifferentaspect• Specspertaintoonlytherelevantone

HSCC‘12

22

Hierarchical Verification

Conjunctive and disjunctive verification constructs can be nested arbitrarily

23

Verification model with hybrid dynamics

Computation modelDriver behavior model(empirical information)

Sensing model Communication model

“Universal” system model(cannot be created in practice)

/\

/\ conjunctive abstraction\/ disjunctive coverage\/* discrete coverage with

inter-model switchingModel infoSpec

Communication delaySensing errorComputation timeDriver response time

SV and another car notin the intersectionat the same time

SV and another car not in the intersection at the same time

\/

N models withone lane each

/\ SV and POV notin the intersectionat the same time

/\ /\

\/*

POV SVDiscreteProtocol

/\

Time-to-exit-intersectionTime-to-

intersection Order

Single POV (POV initial condition safe)

Single POV (POV initial condition unsafeOnly stay stopped)(trivially safe)

SV and POV notin the intersectionat the same time

SV and POV notin the intersectionat the same time

… … …… ……

Heterogeneous Verification of CICAS

Node13

Node22Node21 Node23

24

Verification Problem

Verificationobjective:“SVandanothercarareneverintheintersectionatthesametime”

MN-dimensionalvector

-

-

-

-

25

Disjunctive Heterogeneous Verification

- -

-

-

-

-

26

Verification model with hybrid dynamics

Computation modelDriver behavior model(empirical information)

Sensing model Communication model

“Universal” system model(cannot be created in practice)

/\

/\ conjunctive abstraction\/ disjunctive coverage\/* discrete coverage with

inter-model switchingModel infoSpec

Communication delaySensing errorComputation time

Driver response time

SV and another car notin the intersectionat the same time

SV and another car not in the intersection at the same time

\/

N models withone lane each

/\ SV and POV notin the intersectionat the same time

/\ /\

\/*

POV SVDiscreteProtocol

/\

Time-to-exit-intersectionTime-to-

intersection Order

Single POV (POV initial condition safe)

Single POV (POV initial condition unsafeOnly stay stopped)(trivially safe)

SV and POV notin the intersectionat the same time

SV and POV notin the intersectionat the same time

… … …… ……

Node41

Node52

Node51 Node53

Heterogeneous verification of CICAS-SSA

27:

Conjunctive Heterogeneous Verification

Node41

Node52Node51 Node53

- -

28

Leveraging Compositionality for Heterogeneous Abstraction

28

Schematic

Objective: Concludeheterogeneousabstractionofthecompositionbyestablishingthatofthecomponents

Rationale: Component’slocalsemanticsdefinedinabehaviordomainofsmallerdimension

Need• Behaviorabstractionfunctions

A :behaviorrelationsthatarealsofunctions

• Mappingsbetweenlocal/globalbehaviordomainsofthesametype

• Mappingsbetweenlocal/globalabstractionfunctions

29

Compositionality Conditions

StartwithA,localize togetAP ,AQ

StartwithAP ,AQ,globalize togetA

IfglobalizationsofAP ,AQ areconsistent(callitA ),thencompositionalheterogeneousabstractionviaA holds

IflocalizationsofA are AP andAQ ,thencompositionalheterogeneousabstractionviaAholds

CentralizedDevelopment

DecentralizedDevelopment

“Modelsascompositionofcomponents”Analysis:CompositionalAbstraction

HSCC‘13

30

Semantic Assumptions as Parameter Constraints

30CDC‘11

Dependenciesthatcutacrossmodelingformalismscanbecapturedasparameterconstraints

Ensuressemantic(parameter)consistencyusingexternalSMTsolversorprovers

Problem• Semanticinterdependencies

acrossformalisms• Consistency

Challenge• Formalrepresentationthatis

universal toallmodelingformalisms

Approach• interdependenciesasan

auxiliaryconstraintonparameters

• Findeffectiveconstraint ongivenmodel/spec.parameters(existentialquantification)

• UseSMTsolversortheoremprovers toproveconsistency

NetworkVerificationPhysics-based SoftwareSenor(look-uptable)

Howfaroffaresensorreadings?

HowfastcantheSVaccelerate?

What’sthecomputationtime?

Howoldarethesensorreadings?

31

Parametric Verification of CICAS

31

HSCC‘12

1.Explicitlyidentifymodelparameterse.g.speedlimits,intersectiongeometry,minimumacceleration,andspec.parameters,e.g.,POVmin.time-to-intersection,SVmax.time-to-clear-intersection

2.Modelinterdependenciesasanauxiliaryconstrainte.g.,thosedictatedbyspeedlimits,newton’slaws andintersectiongeometry ontime-to-intersection,…

3.Projectglobalconstraintsandinterdependencies(aux.constraint)ontolocalsetsofparameters

/\

Provedsemanticconsistencyintheoremprover KeYmaera

32

Semantic and Structural Hierarchies

TAC’14(CPSSpecialIssue)

Semanticside Structuralside

33

Summary

Cyber-Physical Systems present a major paradigm shift with systems that are– Adaptive, Autonomous, Connected, and Collaborative

Model-based design critical for safe and efficient design process– Open-ness and heterogeneity pose research challenges

Contributions for supporting heterogeneity in MBD of CPS– Architectural modeling: high-level structural representation [MPM ‘09]– Model structures as architectural views for comparing structure [ERTS ’10]– Semantic mappings using behavior relations enable (compositional) heterogeneous

verification [HSCC ’12, HSCC ’13]– Constraint consistency for consistent simplifying assumptions [CDC ’11, HSCC ‘12]

Many challenges still remain

33

34

References*

34

MPM‘09

ERTS2 ‘10

ICCPS‘11 CDC‘11

HSCC‘12 HSCC‘13

TAC:CPS’13(submitted)

*Otherworkavailableathttps://arajhans.github.io

35

®