Adaptive Cruise Control: Hybrid, Distributed, and Now Formally Verified
Sarah M. Loos, André Platzer, and Ligia Nistor
Carnegie Mellon University, Computer Science Department, Pittsburgh, PA, USA
{sloos|aplatzer|lnistor}@cs.cmu.edu
Abstract. Car safety measures can be most effective when the cars on a street coordinate their control actions using distributed cooperative control. While each car optimizes its navigation planning locally to ensure the driver reaches his destination, all cars coordinate their actions in a distributed way in order to minimize the risk of safety hazards and collisions. These systems control the physical aspects of car movement using cyber technologies like local and remote sensor data and distributed V2V and V2I communication. They are thus cyber-physical systems. In this paper, we consider a distributed car control system that is inspired by the ambitions of the California PATH project, the CICAS system, SAFESPOT and PReVENT initiatives. We develop a formal model of a distributed car control system in which every car is controlled by adaptive cruise control. One of the major technical difficulties is that faithful models of distributed car control have both distributed systems and hybrid systems dynamics. They form distributed hybrid systems, which makes them very challenging for verification. In a formal proof system, we verify that the control model satisfies its main safety objective and guarantees collision freedom for arbitrarily many cars driving on a street, even if new cars enter the lane from on-ramps or multi-lane streets. The system we present is in many ways one of the most complicated cyber-physical systems that has ever been fully verified formally.
This material is based upon work supported by National Science Foundation under NSF CAREER Award CNS-1054246 and Grant Nos. CNS-0926181, CNS-0931985, CNS-1035800, CNS-1035813, and ONR N00014-10-1-0188. The first author was supported by an NSF Graduate Research Fellowship. For proofs and interactive car system simulations, see http://www.ls.cs.cmu.edu/dccs/ online.

1 Introduction
Because of its societal relevance, numerous parts of car control have been studied before [1–18]. Major initiatives have been devoted to developing next generation individual ground transportation solutions, including the California PATH project, the SAFESPOT and PReVENT initiatives, the CICAS-V system, and many others. Chang et al. [1], for instance, propose CICAS-V in response to a report that crashes at intersections in the US cost $97 Billion in the year 2000. The promise is tempting. Current uncontrolled car traffic is inefficient and has too many safety risks, which are caused, e.g., by traffic jams behind curves, reduced vision at night, inappropriate reactions to difficult driving conditions, or sleepy drivers. Next generation car control aims to solve these problems by using advanced sensing, wireless V2V (vehicle to vehicle) and V2I (vehicle to roadside infrastructure) communication, and (semi)automatic driver assistance technology that prevents accidents and increases economical and ecological efficiency.
Yet, there are several challenges that still need to be solved to make next generation car control a reality. The most interesting challenge for us is that it only makes sense to introduce any of these systems after its correct functioning and reliability has been ensured. Otherwise, the system might do more harm than good. This is the formal verification problem for distributed car control, which we consider in this paper.
What makes this problem particularly exciting is its practical relevance. What makes it particularly challenging is its complicated dynamics. Distributed car control follows a hybrid dynamics, because cars move continuously along differential equations and their behavior is affected by discrete control decisions like when and how strongly to brake or to accelerate and to steer. It is in the very nature of distributed car control, however, to go beyond that with distributed traffic agents that interact by local sensing, broadcast communication, remote sensor data, or cooperative networked control decisions. This makes distributed car control systems prime examples of what are called distributed hybrid systems. In fact, because they form distributed cyber-physical multi-agent systems, the resulting systems are distributed hybrid systems regardless of whether they are built using explicitly distributed V2V and V2I network communication infrastructure or just rely on the distributed effects of sensor readings about objects traveling at remote locations (e.g., laser-range sensors measuring the distance to the car in front).
Cars reach maneuvering decisions locally in a distributed way. Is the global dynamics that emerges from the various local choices safe? What can a car assume about other cars in its maneuver planning? How do we ensure that multiple maneuvers that make sense locally do not cause conflicts or collisions globally? Formal verification of distributed hybrid systems had been an essentially unsolved challenge until recently [19].
Our main contribution is that we develop a distributed car control system and a formal proof that this system is collision-free for arbitrarily many cars, even when new cars enter or leave a multi-lane highway with arbitrarily many lanes. Another contribution is that we develop a proof structure that is strictly modular. We reduce the proof to modular stages that can be verified without the details in lower levels of abstraction. We believe the principles behind our modular structure and verification techniques are useful for other systems beyond the automotive domain. Further contributions are:
– This is the first case study in distributed hybrid systems to be verified with a generic and systematic verification approach that is not specific to the particular problem.
– We identify a simple invariant that all cars have to obey and show that it is sufficient for safety, even for emergent behavior of multiple distributed car maneuvers.
– We identify generic and static constraints on the input output parameters that any controller must obey to ensure that cars always stay safe.
– We demonstrate the feasibility of distributed hybrid systems verification.
2 Related Work
Car control is a deep area that has been studied by a number of different communities. The societal relevance of vehicle cooperation for CICAS intersection collision avoidance [11] and for automated highway systems [5, 8] has been emphasized. Horowitz et al. [10] proposed a lane change maneuver within platoons. Varaiya [13] outlines the key features of an IVHS (Intelligent Vehicle/Highway System). A significant amount of work has been done in the pioneering California PATH Project. Our work is strongly inspired by these systems, but it goes further and sets the groundwork for the modeling and formal verification of their reliability and safety even in distributed car control.
Dao et al. [3, 4] developed an algorithm and model for lane assignment. Their simulations suggest [3] that traffic safety can be enhanced if vehicles are organized into platoons, as opposed to having random space between them. Our approach considers an even more general setting: we not only verify safety for platoon systems, but also when cars are driving on a lane without following platooning controllers. Hall et al. [6] also used simulations to find out what is the best strategy of maximizing traffic throughput. Chee et al. [15] showed that lane change maneuvers can be achieved in automated highway systems using the signals available from on-board sensors. Jula et al. [9] used simulations to study the conditions under which accidents can be avoided during lane changes and merges. They have only tested safety partially. In contrast to [3, 4, 6, 9, 15], we do not use simulation but formal verification to validate our hypotheses.
Hsu et al. [7] propose a control system for IVHS that organizes traffic in platoons of closely spaced vehicles. They specify this system by interacting finite state machines. Those cannot represent the actual continuous movement of the cars. We use differential equations to model the continuous dynamics of the vehicles and thus consider more realistic models of the interactions between vehicles, their control, and their movement.
Stursberg et al. [12] applied counterexample-guided verification to a cruise control system with two cars on one lane. Their technique can not scale to an arbitrary number of cars. Althoff et al. [17] use reachability analysis to prove the safety of evasive maneuvers with constant velocity. They verify a very specific situation: a wrong way driver threatens two autonomously driving vehicles on a road with three lanes.
Wongpiromsarn et al. [14] verify safety of the planner-controller subsystem of a
single autonomous ground vehicle. Their verification techniques restrict acceleration
changes to fixed and perfect polling frequency, while our model of an arbitrary number
of cars allows changes in acceleration at any point in time, with irregular sensor updates.
Damm et al. [2] give a verification rule that is specialized to collision freedom of traffic agents. To show that two cars do not collide, they need to manually prove eighteen verification conditions. Lygeros and Lynch [20] prove safety only for one deceleration strategy for a string of vehicles: the leading vehicle applies maximum deceleration until it stops, while at the same time, the cars following it in the string decelerate to a stop. The instantaneous, globally synchronized reaction of the cars is an unrealistic assumption that we do not make in our case study. Dolginova and Lynch [21] verify that no collisions with big relative velocity can occur when two adjacent platoons do a merge maneuver. This does not prove the absence of small relative velocity collisions, nor the behavior of 3 platoons or when not merging. In contrast to the manual semantic reasoning of [2, 20, 21], our techniques follow a formal proof calculus [19], which can be mechanized. In the case studies analyzed by [20, 21] safety is proved only for a particular scenario, while our modular formal proofs deal with the general case. In our case study, the cars have more flexibility and an arbitrary number of control choices.

Unlike [2, 12, 14, 17], we prove safety for an arbitrary number of cars. Our techniques and results are more general than the case-specific approaches [2, 12, 14, 17, 20, 21], as we prove collision-freedom for any number of cars driving on any finite number of lanes. None of the previously cited papers have proved safety for distributed car control in which cars can dynamically enter the highway system, change lanes, and exit.
3 Preliminaries: Quantified Differential Dynamic Logic
Distributed car control systems are distributed hybrid systems, which we model by quantified hybrid programs (QHPs) [19]. QHPs are defined by the grammar (α, β are QHPs, θ a term, i a variable, f a function symbol, and H a formula of first-order logic):

α, β ::= ∀i : C f(i) := θ | ∀i : C f(i)' = θ & H | f(i) := ∗ | ?H | α ∪ β | α; β | α∗

The effect of quantified assignment ∀i : C f(i) := θ is an instantaneous discrete jump assigning θ to f(i) simultaneously for all objects i of type C. Usually i occurs in θ. The effect of quantified differential equation ∀i : C f(i)' = θ & H is a continuous evolution where, for all objects i of type C, all differential equations f(i)' = θ hold and (written & for clarity) formula H holds throughout the evolution (the state remains in the region described by H). Usually, i occurs in θ. Here f(i)' is intended to denote the derivative of the interpretation of the term f(i) over time during continuous evolution, not the derivative of f(i) by its argument i. For f(i)' to be defined, we assume f is an R-valued function symbol. The effect of the random assignment f(i) := ∗ is to non-deterministically pick an arbitrary number or object (of the type of f(i)) as the value of f(i).

The effect of test ?H is a skip (i.e., no change) if formula H is true in the current state and abort (blocking the system run by a failed assertion), otherwise. Non-deterministic choice α ∪ β is for alternatives in the behavior of the distributed hybrid system. In the sequential composition α; β, QHP β starts after α finishes (β never starts if α continues indefinitely). Non-deterministic repetition α∗ repeats α an arbitrary number of times ≥ 0.

For stating and proving properties of QHPs, we use quantified differential dynamic logic QdL [19] with the grammar:

φ, ψ ::= θ₁ = θ₂ | θ₁ ≥ θ₂ | ¬φ | φ ∧ ψ | ∀i : C φ | ∃i : C φ | [α]φ | ⟨α⟩φ

In addition to all formulas of first-order real arithmetic, QdL allows formulas of the form [α]φ with a QHP α and a formula φ. Formula [α]φ is true in a state ν iff φ is true in all states that are reachable from ν by following the transitions of α; see [19] for details.
4 The Distributed Car Control Problem
Our approach to proving safety of a distributed car control system is to break the verification into modular pieces. In this way, we simplify what would otherwise be a very large and complex proof. The ultimate result of this paper is a formally verified model of any straight stretch of highway on which each car is following adaptive cruise control. On any highway, there will be an arbitrary number of lanes and an arbitrary number of cars, and the system will change while it runs when cars enter and leave the highway. This would be an incredibly complex system to verify if we were to tackle it at this level. Each lane has a group of cars driving on it. This group is constantly changing as cars weave in and out of surrounding traffic. Each car has a position, velocity, and acceleration, and must obey the laws of physics. On top of that, in order to ensure complete safety of the system, every car must be certain at all times that its control choices will not cause a collision anywhere else in the system at any time in the future.
These issues are compounded by the limits of the sensory and communications
networks. On a highway that stretches hundreds of miles, we could not hope for any car
to collect and analyze real-time data from every other car on the interstate. Instead, we
must assume each car is making decisions based on its local environment, e.g., within
the limitations of sensors, V2V and V2I communication, and real-time computation.
Fig. 1. Emergent highway collision risk

Additionally, once you split your system into reasonably local models, it is still difficult to reason about how these local groups of cars interact. For example, consider a local group of three cars for a lane change maneuver: the car changing lanes, and the two cars that will be ahead and behind it. It is tempting to signal the car ahead to speed up and the car behind to slow down in order to make space for the car changing lanes. This is perfectly reasonable on the local level; however, Fig. 1 demonstrates a problem that appears when we attempt to compose these seemingly safe local cases into a global system. Two cars are attempting safe and legal lane changes simultaneously, but the car which separates the merging cars is at risk. The car in the middle simultaneously receives requests to slow down and speed up. It cannot comply, which could jeopardize the safety of the entire system.
To avoid complex rippling cases that could result in a situation similar to the one
in Fig. 1, we organize our system model as a collection of hierarchical modular pieces.
The smallest piece consists of only two cars on a single lane. We present a verification
of this model in Sect. 5 and build more complex proofs upon it throughout the paper.
In Sect. 6, we prove that a lane with an arbitrary number of cars driven by any
distributed homogeneous adaptive cruise control system is safe, assuming the system
has been proved safe for two cars. We generate our own verified adaptive cruise control
model for this system, but, due to the modular proof structure, it can be substituted with
any implementation-specific control system which has been proved safe for two cars.
The verification of this one lane system, as well as the verification we present in Sect. 8 for a highway with multiple lanes, will hold independently with respect to the adaptive cruise control specifications. In Sect. 7, we look at the local level of a multi-lane highway system. We verify the adaptive cruise control for a single lane, where cars are allowed to merge in and out of the lane. Finally in Sect. 8, we compose the lane systems verified in Sect. 7 to provide a full verification of the highway system.
5 Local Lane Control
The local car dynamics problem that we are solving is: we have two cars on a straight
lane that can accelerate, coast or brake and we want to prove that they will not collide.
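The two-car problem stated above is small enough to exercise numerically. The Python script below is an added example written for this page; it is not the paper's llc model, its proof, or code from the authors. It assumes a simplified setting: both cars share one maximum braking deceleration b and one maximum acceleration A, the follower commits to each control choice for up to ε seconds before it can react again, and the leader may pick any acceleration in [−b, A] at any time. Under those assumptions the invariant sketched in this section (the follower halts strictly before the leader even if both brake immediately) is encoded as safely_behind, a controller that checks the invariant ε seconds ahead (lookahead_controller) is set beside a naive one that checks only the current state (naive_controller), and a worst-case leader that brakes hard from the start is simulated against both. All function names, parameter values and the sample initial states are hypothetical.

```python
"""Two-car local lane control check (added example, not the paper's model).

Assumed model: both cars share the same maximum braking deceleration b > 0
and maximum acceleration A > 0; the follower re-decides at most every eps
seconds; the leader may use any acceleration in [-b, A] at any moment.
"""
from dataclasses import dataclass


@dataclass
class Car:
    x: float  # position along the lane (m)
    v: float  # velocity (m/s), never negative

    def stop_point(self, b):
        # Where the car halts if it brakes at -b from now on: x + v^2/(2b).
        # While a car brakes at exactly -b this quantity is constant, and for
        # any milder acceleration it can only grow, so it is the right thing
        # for the safety invariant to compare.
        return self.x + self.v * self.v / (2.0 * b)

    def move(self, a, dt):
        # Exact kinematics for constant acceleration a over dt seconds,
        # clamped at v = 0 so a braking car stops instead of reversing.
        if a < 0 and self.v + a * dt < 0:
            t = -self.v / a
            self.x += self.v * t + 0.5 * a * t * t
            self.v = 0.0
        else:
            self.x += self.v * dt + 0.5 * a * dt * dt
            self.v += a * dt


def safely_behind(f, l, b):
    # Invariant: follower strictly behind the leader, and even if both cars
    # brake at -b right now the follower halts strictly before the leader.
    return f.x < l.x and f.stop_point(b) < l.stop_point(b)


def lookahead_controller(f, l, A, b, eps):
    # Accelerate at A only if the invariant still holds after up to eps
    # seconds at A against a leader that brakes at -b the whole time. The
    # leader's stop point cannot move backwards, so its current value is the
    # worst case. Braking at -b is always allowed and preserves the invariant.
    future = Car(f.x, f.v)
    future.move(A, eps)
    if future.stop_point(b) < l.stop_point(b):
        return A
    return -b


def naive_controller(f, l, A, b, eps):
    # Defective variant: looks only at the current state and ignores that it
    # is committed to A for up to eps seconds before it can react.
    return A if safely_behind(f, l, b) else -b


def simulate(controller, leader_accels, A=2.0, b=5.0, eps=1.0,
             f0=(0.0, 20.0), l0=(50.0, 20.0)):
    """Run one control cycle per leader acceleration (constructed schedule).

    Returns whether the cars collided, whether safely_behind held at every
    cycle boundary, the number of cycles run, and the final gap in metres.
    """
    f, l = Car(*f0), Car(*l0)
    assert safely_behind(f, l, b), "initial state must satisfy the invariant"
    invariant_held, collided, steps = True, False, 0
    for a_l in leader_accels:
        assert -b <= a_l <= A, "leader acceleration outside the assumed range"
        a_f = controller(f, l, A, b, eps)
        f.move(a_f, eps)
        l.move(a_l, eps)
        steps += 1
        if f.x >= l.x:
            collided = True
            break
        if not safely_behind(f, l, b):
            invariant_held = False
    return {"collided": collided, "invariant_held": invariant_held,
            "steps": steps, "gap": l.x - f.x}


if __name__ == "__main__":
    # Constructed worst case: the leader brakes at -b from the first cycle.
    hard_brake = [-5.0] * 10
    print("lookahead:", simulate(lookahead_controller, hard_brake))
    print("naive:    ", simulate(naive_controller, hard_brake))
```

With the sample parameters the lookahead controller keeps safely_behind true at every cycle and comes to rest about one metre behind the stopped leader, while the naive controller breaks the invariant at its second decision and rear-ends the leader within five cycles. That is the point of the guard: a control choice is only safe if it is checked against the distance the car will have consumed by the time it can next react, not against the distance it has now.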

References
- Smart cars on smart roads: problems of control (journal article). Summary: Key features of one automated intelligent vehicle/highway system (IVHS) are outlined, it is shown how core driver decisions are improved, a basic IVHS control system architecture is proposed, and a design of some control subsystems is offered.
- Smart cars on smart roads: problems of control. Summary: An automated intelligent vehicle/highway system (IVHS) is described, and a four-layer hierarchical control architecture is proposed to decompose this problem into more manageable units.
- Disjunctive Tautologies as Synchronisation Schemes (book chapter). Summary: In the ambient logic of classical second order propositional calculus, the specification problem for a family of excluded-middle-like tautologies is solved, and these are shown to be realized by sequential simulations of specific communication schemes for which they provide a safe typing mechanism.
- Hybrid Systems: Computation and Control (book). Summary: This volume contains the proceedings of the First International Workshop on Hybrid Systems: Computation and Control, HSCC'98, organized April 13-15, 1998, at the University of California, Berkeley, and focuses on mathematical methods for the rigorous and systematic design and analysis of hybrid systems.
- Computational Adequacy in an Elementary Topos (book chapter). Summary: It is proved that computational adequacy holds if and only if the topos is 1-consistent (i.e. its internal logic validates only true Σ⁰₁-sentences).
Frequently Asked Questions
Q1. What have the authors contributed in "Adaptive cruise control: hybrid, distributed, and now formally verified"?

In this paper, the authors consider a distributed car control system that is inspired by the ambitions of the California PATH project, the CICAS system, SAFESPOT and PReVENT initiatives. The system the authors present is in many ways one of the most complicated cyber-physical systems that has ever been fully verified formally.

Future work includes addressing time synchronization, sensor inaccuracy, curved lanes, and asynchronous sensors.

The effect of the random assignment f(i) := ∗ is to non-deterministically pick an arbitrary number or object (of the type of f(i)) as the value of f(i).

Major initiatives have been devoted to developing next generation individual ground transportation solutions, including the California PATH project, the SAFESPOT and PReVENT initiatives, the CICAS-V system, and many others.

The local car dynamics problem that the authors are solving is: the authors have two cars on a straight lane that can accelerate, coast or brake and the authors want to prove that they will not collide.

To verify that a collision is not possible, the authors show that there is always a reasonable distance between ℓ and f; enough distance that if both cars brake instantly, the cars would not collide.

The formula states that, if ℓ is the leading car (i.e., x_f ≤ x_ℓ for different cars f, ℓ), then the leader must be strictly ahead of the follower, and there must be enough distance between them such that the follower can stop when the leader is braking.

The next step toward this goal is to verify safety for a single lane of n cars, where n is arbitrary and finite, and the ordering of the cars is fixed (i.e., no car can pass another).

The authors generate their own verified adaptive cruise control model for this system, but, due to the modular proof structure, it can be substituted with any implementation-specific control system which has been proved safe for two cars.

The instantaneous, globally synchronized reaction of the cars is an unrealistic assumption that the authors do not make in their case study.

The authors must assume each car is making decisions based on its local environment, e.g., within the limitations of sensors, V2V and V2I communication, and real-time computation.

The authors believe the principles behind their modular structure and verification techniques are useful for other systems beyond the automotive domain.

If car f is safely behind car ℓ initially, then the cars will never collide while they follow the llc control model; therefore, safety of llc is expressed by the provable formula: (f is safely behind ℓ) → [llc](f is safely behind ℓ)