JOURNAL OF XX, VOL. X, NO. X, JANUARY XXXX 1
Online Verification of Automated Road Vehicles
Using Reachability Analysis
Matthias Althoff and John M. Dolan, Member, IEEE
Abstract—An approach for formally verifying the safety of
automated vehicles is proposed. Due to the uniqueness of each
traffic situation, we verify safety online, i.e., during the operation
of the vehicle. The verification is performed by predicting the set
of all possible occupancies of the automated vehicle and other
traffic participants on the road. In order to capture all possible
future scenarios, we apply reachability analysis to consider all
possible behaviors of mathematical models considering uncertain
inputs (e.g. sensor noise, disturbances) and partially unknown
initial states. Safety is guaranteed with respect to the modeled
uncertainties and behaviors if the occupancy of the automated
vehicle does not intersect that of other traffic participants for
all times. The applicability of the approach is demonstrated by
test drives with an automated vehicle of the Robotics Institute
at Carnegie Mellon University.
Index Terms—Formal verification, reachability analysis, auto-
mated vehicles, autonomous cars, set-based computation.
I. INTRODUCTION
Automated driving will unquestionably provide a variety of
benefits. Among them are the reduction of traffic injuries and
fatalities, time savings when working in the vehicle, reduction
of traffic jams, and mobility for people that previously could
not drive. This vision can only be realized if the designers can
guarantee that the vehicle will never cause an avoidable crash.
In order to meet these high safety requirements, we propose
to use formal methods to verify the safety of automated cars.
The verification is based on dynamic models that describe
possible behaviors of the considered vehicle (ego vehicle)
and other surrounding traffic participants. We assume that
the uncertainties acting on those models can be chosen large
enough to capture all possible behaviors of the real world.
If the obtained results are too conservative, one can also
provide models that only capture the real behavior up to a
user-defined probability. In this work, reachability analysis is
used to guarantee the legal safety of planned maneuvers given
the aforementioned assumptions, meaning that we guarantee
not to cause a collision [1]. Note that it is generally impossible
to avoid a collision caused by other traffic participants, e.g.,
one cannot avoid a collision from behind when one is captured
in a traffic jam.
Reachability analysis computes the set of all states reachable
when the sets of initial states, sensor measurements, and
disturbances are uncertain. Reachable sets of the ego vehicle
and other traffic participants make it possible to compute the
set of occupied road sections over time. If the occupancy of
Matthias Althoff is with the Faculty of Computer Science, Technische Uni-
versit¨at M¨unchen, 85748 Garching, Germany, email: althoff@tum.de
John M. Dolan is with the Robotics Institute, Carnegie Mellon University,
Pittsburgh, PA 15213, USA, email: jmd@cs.cmu.edu
Manuscript received month day, year; revised month day, year.
the ego vehicle does not intersect that of all other relevant
traffic participants for all times, safety can be guaranteed.
Simulation techniques cannot guarantee safety, since infinitely
many possible future scenarios of a traffic scene exist and one
can only perform a finite number of simulations.
Simulation techniques can be extended for formal analysis
by guaranteeing that simulations starting in a δ-region of
the initial state stay in an ǫ-region of the simulation so that
a reachable set can be represented by a finite number of
simulations, see [2]. All simulation-based approaches have
the disadvantage that an exponential number of simulations is
required. Considering only the extreme cases requires 2
n+m+o
simulations, where n is the number of state variables, m is the
number of inputs, and o is the number of parameters. Note that
time-varying inputs (which may cause resonance) are not even
considered by looking only at the extreme cases.
Since every traffic situation is unique, it is necessary that
planned maneuvers be constantly verified during the operation
of the vehicle, which we call online verification. Parts of
this computation process can be precomputed and stored in a
database, such as time-critical evasive maneuvers. However, it
is not possible to store verification results of all possible traffic
situations. In order to meet computation time requirements,
most previous work in mobile robotics assumes knowledge of
the future behavior of other objects in the traffic scene or uses
simple models to predict their possible behaviors. The simplest
model for unknown holonomic behavior assumes intervals on
possible velocities in all directions (e.g. in [3]); more advanced
models assume intervals on the acceleration (e.g. in [4]), or
both (e.g. in [5]). More complicated non-holonomic models
are based on Dubin’s car [6], or a tricycle model [7].
All these works assume that the future motion of the ego
vehicle is perfectly known, which is a good assumption for
slow-moving indoor robots. However, fast maneuvers of auto-
mated cars on terrain of varying quality and in varying weather
conditions, influence of sensor errors, and the like, require
consideration of uncertainties in tracking planned trajectories.
It is especially important to consider these uncertainties when
systems require certification [8]. Most previous work avoids
considering uncertainties in trajectory following due to the
inherent challenges in verifying nonlinear dynamic systems
with several continuous state variables, as summarized in [9].
Most approaches for nonlinear reachability analysis abstract
the nonlinear dynamics to differential inclusions of simpler
dynamics, either by simplifying the dynamics within regions
of a fixed state space partition [10], [11], resulting in a hybrid
(mixed discrete/continuous) system, or by simplification in the
vicinity of the reachable set [12]–[14]. The latter approach
generally outperforms fixed state space partitions, since it
JOURNAL OF XX, VOL. X, NO. X, JANUARY XXXX 2
does not require the consideration of hybrid dynamics. Ap-
proaches which do not use abstraction are mostly based on
computationally demanding optimization techniques [15] or
on a reformulation of the reachability problem as Hamilton-
Jacobi equations, whose solution procedure has exponential
complexity in the number of continuous state variables [15]–
[17]. When the nonlinear system is monotonic, upper and
lower bounds on the reachable set can be easily computed
using simulations of corner cases [18], which is used for the
model of other traffic participants in the current work. For
chemical reaction equations, those upper and lower bounds
of the nonlinear system can also be computed efficiently,
but a special structure of the dynamics is required [19].
This procedure can still be applied when one can bound the
dynamics by monotone systems [20], which is also applied for
guaranteed parameter estimation [21].
An alternative to reachability analysis is automated theorem
proving, which has been applied to automated cruise control
[22]. In that work, it is assumed that all vehicles on the
road have to be automated. Additionally, automated theorem
proving requires human interaction, see [23, p. 3577], such
that it cannot be applied to online verification. The number
of required interactions, however, is expected to decrease in
coming years.
Constraints for safe vehicle movement, such as avoiding
other traffic participants and road boundaries, can also be
formulated in a robust model predictive control framework
[24]. In model predictive control, an optimal input is computed
based on solving an optimal control problem for a finite
time horizon, where only the first section of the optimal
input trajectory is executed. This procedure is repeated so
that the solution adapts to the current situation. In tube-based
model predictive control (tube-based MPC), concepts from
reachability analysis are mixed with model predictive control.
Most of the work on tube-based MPC considers linear systems
[25], [26], but concepts for nonlinear systems also exist [27].
However, nonlinear tube-based MPC approaches are compu-
tationally too expensive to be used for an online application
involving fast dynamics with several state variables, such as
the vehicle dynamics of this work.
Another line of work provides formal methods to synthesize
trajectories based on temporal logic specifications that are
provably correct. In [28] temporal logic specifications are used
to specify requirements on missions for unmanned aerial vehi-
cles. Trajectories for automated vehicles in static environments
are synthesized in [29] within a discretized environment. A
discrete environment is also used in [30] to synthesize plans
for teams of robots. Another work synthesizes robotic motion
for a point mass (double integrator) by bounding the error to
an abstract kinematic model and using the abstraction for the
planning task [31].
A completely different paradigm is to analyze planned paths
using stochastic methods. Most approaches of this category use
Monte-Carlo simulation [32], [33]. A disadvantage of Monte-
Carlo simulation is that the computed result differs for the
same situation depending on the sampling of possible future
scenarios. This is avoided by approaches that compute the
stochastic prediction deterministically [34]. Some approaches
combine set-based computations as presented in this work with
stochastic approaches, such that computationally expensive
stochastic dynamics can be restricted to traffic participants for
which the occupancy intersects with that of the ego vehicle
[35]. However, the set-based computations in [35] are heuristic
and thus not applicable to a formal analysis.
The reviewed literature shows that nonlinear continuous
systems are usually verified offline due to the complexity of the
problem. However, previous work of the authors [36] shows
that online verification is theoretically possible when applying
the efficient approach first published in [13]. In this work, we
present the following innovations compared to [36]:
• The approach is tested on a real vehicle (Cadillac SRX
research vehicle of Carnegie Mellon University);
• The vehicle model is validated by real world experiments;
• Instead of only considering the reachable set of the
ego vehicle, we also consider the computation of the
occupancy of other traffic participants on the road;
• The interaction of the maneuver planner with the verifi-
cation module is sketched;
• The vehicle controls are modified to fit the interface of
the Cadillac SRX;
• The reachability analysis is improved and presented in
more detail. Specifically, the computation of the lineariza-
tion error assumption is now automatically adapted.
The paper is organized as follows: The basic idea of our
verification concept is described in Sec. II. Mathematical
models of the ego vehicle and other traffic participants are
derived in Sec. III. The reachable set computation of the ego
vehicle is presented in Sec. IV and the occupancy computation
of other traffic participants is described in Sec. V. Results of
the test drive are summarized in Sec. VI.
II. BASIC IDEA AND ASSUMPTIONS
The safety concept presented in this paper is based on
the principle that plans are only executed when they are
verified for all times. This is achieved by first planning a
multidimensional trajectory ζ(·) the vehicle should follow,
where ζ(t
f
) is the reference vector at the final time t
f
of the
intended plan
1
. Note that the term trajectory is used since the
reference values are specified over time. In other applications,
it is sufficient to follow a set of points, referred to as a
path. However, paths are not sufficient for many automated
maneuvers, such as intersection crossing (one could traverse
the intersection arbitrarily slowly), making it necessary to use
trajectories [37]. The state of the vehicle x(t
f
) might be an
inevitable collision state, i.e., a state for which there exists
no control action that can possibly avoid a future collision
[5], [38], [39]. We prevent inevitable collision states by only
accepting intended plans with a subsequent maneuver that
brings the vehicle to a stop at a safe location, such that it
cannot cause a collision for all future times, see [40, Sec.
IV.E]. To focus on the verification aspect, it is assumed that a
reference trajectory is already planned by a standard approach
(e.g. [40]). Note that any kind of trajectory planner can be
combined with the proposed verification scheme.
1
We use reference trajectory, plan, and planned maneuver interchangeably.
JOURNAL OF XX, VOL. X, NO. X, JANUARY XXXX 3
The used trajectory planner should be adapted such that
new reference trajectories branch off previous ones at points
x(t
ver
) that are reached by the ego vehicle when the verifica-
tion of the new reference trajectory is completed, as illustrated
in Fig. 1. When the verification result is safe, the new reference
trajectory is chosen, and when it is unsafe, the vehicle stays
on the previous one. Thus, the braking maneuver leading to
the safe stop is only executed if the vehicle repeatedly is not
able to find a new safe trajectory. An upper bound of the time
for which the new reference trajectory should branch off is
easily obtained, since the worst-case verification time is linear
in the time required to follow the new reference trajectory
t
exec
, so that t
ver
= ν t
exec
, where ν is a constant describing
the efficiency of the implementation.
ego vehicle
occupancy at
t = [t
f −1
, t
f
]
occupancy at
t = [t
0
, t
1
]
position at
t
ver
= ν t
exec
old ref.
trajectory
new ref.
trajectory
braking
obstacle
other
vehicle
Fig. 1: Verification by checking occupancy intersection.
The verification of each reference trajectory is performed
by computing the reachable set of states of the ego vehicle
and other traffic participants based on a dynamic model and
uncertainties specified by bounded sets. The occupancy of the
ego vehicle on the road is determined by considering the size
of the vehicle and the projection of reachable sets on position
variables and orientation. If, for all times, the occupancy of
the ego vehicle does not intersect that of all other traffic
participants, and if the drivable area is not exited, the reference
trajectory is safe.
An alternative to computing the reachable set of the ego
vehicle based on the vehicle dynamics (under consideration
of a set of initial states, input trajectories, and a set of param-
eters), is to simply add a fixed deviation from the reference
trajectory. By doing so, one would not distinguish between
situations in which a vehicle has to slowly pass through a gap
versus those in which a vehicle has to perform an aggressive
evasive maneuver. For evasive maneuvers, the deviation from
the reference trajectory can easily become more than a meter,
as demonstrated in [41]. Even if we increase the occupancy
by less than one meter in each direction for the gap scenario
in Fig. 2, the safe maneuver will be classified as unsafe,
so that the vehicle cannot pass through the gap. Another
alternative is to use heuristics to model the dependency of
the reachable set on velocity, angular velocity, slip angle,
friction coefficient, shape of the reference trajectory, and so
on. However, considering all influences is difficult and the
result would not be overapproximative and thus not qualify
for formal verification and certification.
In order to conclude whether a planned trajectory is safe,
several assumptions are made in this work:
1) The vehicle sensors detect all traffic participants rel-
evant for the safety analysis. However, depending on
parked
vehicles
circular
deviation
enlarged
occupancy
vehicle
occupancy
Fig. 2: The ego vehicle intends to pass a narrow gap, which
cannot be passed when adding a fixed circular deviation.
the accuracy of the sensors, one can specify possible
uncertainties of measured data.
2) The models that predict the movement of the ego vehicle
and other traffic participants enclose all possible real
behaviors required to ensure that the ego vehicle does
not cause a crash (legal safety [1]). This is achieved
by considering bounded, but uncertain, values of sensor
noise, disturbances, driver inputs, and uncertain initial
states. Note that the time-varying behavior of inputs such
as sensor noise and disturbances is arbitrary, as long as
the values are within bounded sets.
3) It is assumed that either bounding uncertainties of the
sets are chosen large enough to capture all possible
values, or that the bounds capture all possible values
by a probability bound p
b
, e.g. p
b
= 99.999%. In the
latter case, the verification can only guarantee safety by
a certain probability, which depends on the choice of p
b
.
4) In order to obtain practical results, we assume that other
traffic participants respect traffic rules, as long as no
traffic rule violation is detected – corresponding traffic
rules are no longer considered once they are violated.
Based on this assumption we can guarantee that the ego
vehicle does not cause a crash (legal safety [1]).
Given the above assumptions, all possible behaviors are cap-
tured by the presented approach, which makes it possible to
prove that no collision can occur under the given assumptions.
For that reason, we qualify the approach as formal to em-
phasize the rigorousness within the mathematical framework
provided by the models.
If reachability analysis or another formal technique was
not applied, one would at least require a stability analysis
of the trajectory tracker. This, however, is challenging, since
the stability analysis depends on the reference trajectory and
typically requires finding a Lyapunov function for each refer-
ence trajectory (which are infinitely many). Only for special
control concepts, such as flatness-based control design, can
the dependence on the trajectory be ignored, as long as the
model perfectly matches the real behavior. Unfortunately, this
is rarely the case due to uncertain parameters (loading of
the vehicle, tire-road friction, etc.) and disturbances (road
imperfections, wind, slope, etc.) so that the stability analysis
of the undisturbed model becomes inconclusive.
III. MATHEMATICAL MODELING
This section introduces the dynamic models used for the
reachability analysis of the ego vehicle and the occupancy
prediction of other traffic participants.
JOURNAL OF XX, VOL. X, NO. X, JANUARY XXXX 4
A. Ego Vehicle Model
The vehicle model consists of equations representing the
lateral dynamics, the longitudinal dynamics, and the position
on the road. All variables of the vehicle are related to the
so-called bicycle model, which is the standard model for the
control design of yaw stabilization systems [42]. The model
ignores roll and pitch, such that it suffices to consider only
one front and one rear wheel as for a bicycle (see Fig. 3).
The authors have shown that effects of high-order models can
be captured by the presented low-order model when adding
uncertainty [43].
s
x
s
y
Ψ
β
l
r
l
f
δ
x
y
v
Fig. 3: Bicycle model.
For describing the vehicle dynamics, the cornering stiff-
nesses C
f
, C
r
and the distances l
f
, l
r
form the center of
gravity to the axes are introduced, where the indices f and
r refer to the front and rear axis. Further, we require the
vehicle mass m and the rotational inertia of the yaw axis I
z
.
The parameter values of the Cadillac SRX are obtained as
described in [44] and are listed in Tab. I. The state variables of
the bicycle model are the slip angle at the center of mass β, the
heading angle Ψ, the yaw rate
˙
Ψ, the velocity v, the x-position
s
x
, the y-position s
y
, and the angle of the front wheel δ, see
Fig. 3. Additionally, additive disturbance values y, where the
subscript denotes the disturbed variable, are introduced. Those
variables model rough roads, wind gusts, and the like. The
inputs to the system are the longitudinal acceleration a
x
and
the rotational speed of the steering angle v
w
. The differential
equations of the vehicle model are
˙
β =
C
r
l
r
− C
f
l
f
mv
2
− 1
˙
Ψ +
C
f
mv
δ −
C
f
+ C
r
mv
β + y
β
¨
Ψ =
l
r
C
r
− l
f
C
f
I
z
β −
l
2
f
C
f
+ l
2
r
C
r
I
z
˙
Ψ
v
+
l
f
C
f
I
z
δ + y
˙
Ψ
˙v =a
x
+ y
v
˙s
x
=v cos(β + Ψ) + y
s
x
˙s
y
=v sin(β + Ψ) + y
s
y
˙
δ =v
w
+ y
δ
(1)
The first two equations describe the lateral dynamics origi-
nating from force and moment equilibria due to the lateral
tire forces (see [42]). The third equation simply describes the
longitudinal dynamics by integrating the commanded longitu-
dinal acceleration to obtain the velocity of the vehicle. Using
the kinematics of the vehicle, the derivative of the positions in
x- and y-coordinates are obtained by the direction (β +Ψ) and
absolute value of the velocity v in the fourth and fifth equation.
Finally, the front wheel angle is obtained by integration of the
commanded steering wheel velocity.
B. Tracking Controller of the Ego Vehicle
The tracking controller in this work provides the com-
manded steering wheel velocity v
w
and the commanded lon-
gitudinal acceleration a
x
. We use a simple controller with
sufficient performance for the driving experiments. The pro-
posed controller is not designed for high performance, but
to demonstrate the verification approach. By replacing the
equations of the tracking controller, any other control can
potentially be considered, as long as the dynamics of the
controlled vehicle can be described by ordinary differential
equations.
For the tracking controller, we consider a frame that moves
along the reference trajectory, such that the x-axis is always
tangential and the y-axis is always perpendicular to the refer-
ence trajectory, see Fig. 4. Desired values provided by the
reference trajectory are denoted by the subscript d. For a
concise notation, we introduce the lateral and longitudinal
tracking error ǫ
x
and ǫ
y
:
ǫ
x
= cos(Ψ
d
)(s
x,d
− s
x
) + sin(Ψ
d
)(s
y,d
− s
y
),
ǫ
y
= − sin(Ψ
d
)(s
x,d
− s
x
) + cos(Ψ
d
)(s
y,d
− s
y
).
A desired front wheel angle is generated by weighting the
lateral tracking error and the errors of the yaw angle and rate:
δ
d
=
˜
k
1
ǫ
y
+
˜
k
2
(Ψ
d
− Ψ) +
˜
k
3
(
˙
Ψ
d
−
˙
Ψ).
The commanded angular velocity of the front wheel is ob-
tained by the proportional control v
w
= k
4
(δ
d
−δ). Weighting
the longitudinal tracking error and the velocity error results in
the commanded longitudinal acceleration:
a
x
= k
5
ǫ
x
+ k
6
(v
d
− v).
After introducing the gains k
i
= k
4
·
˜
k
i
for i ∈ {1, 2, 3} and
adding sensor noise, which we denote by w and the subscripted
disturbed variable, the final control equations are:
v
w
=k
1
cos(Ψ
d
)(s
y,d
− s
y
− w
y
) − sin(Ψ
d
)(s
x,d
− s
x
− w
x
)
+ k
2
(Ψ
d
− Ψ − w
Ψ
) + k
3
(
˙
Ψ
d
−
˙
Ψ − w
˙
Ψ
) − k
4
(δ − w
δ
),
a
x
=k
5
cos(Ψ
d
)(s
x,d
− s
x
− w
x
) + sin(Ψ
d
)(s
y,d
− s
y
− w
y
)
+ k
6
(v
d
− v − w
v
).
x
y
[s
x,d
, s
y,d
]
T
Ψ
d
[s
x
, s
y
]
T
ǫ
y
ǫ
x
Fig. 4: Moving frame for the used trajectory tracker.
C. Validation of the Ego Vehicle Model
Combining the equations of the vehicle model with those of
the tracking controller results in the model of the controlled
vehicle. The degree of conformity with real world behavior
JOURNAL OF XX, VOL. X, NO. X, JANUARY XXXX 5
TABLE I: Vehicle parameters.
vehicle parameters
m I
z
C
f
= C
r
l
f
l
r
2273 kg 4423 kg m
2
10.8e4 N/rad 1.292 m 1.515 m
control parameters
k
1
k
2
k
3
k
4
k
5
k
6
2 12 4 2 1 10
is shown in Fig. 5 for a double-lane-change maneuver that is
formally verified in Sec. VI. It is worth mentioning that double
lane change maneuvers are successfully used for validating
the lateral dynamics of vehicles, see e.g. [45]–[47]. The plots
in Fig. 5 compare the behavior for the yaw angle, the yaw
rate, the x- and y-position and the front wheel angle. It can
be seen that especially the yaw angle and the position are
very well modeled, while the yaw rate and the front wheel
angle (which are closely related) show a small deviation due to
unmodeled effects such as actuator dynamics and time delay.
However, this is no problem for the formal verification, as
model mismatches are considered by adding uncertainty.
2 4 6
2.5
2.6
2.7
2.8
2.9
3
Ψ
t
2 4 6
−0.2
0
0.2
0.4
˙
Ψ
t
60 80 100 120
5
10
15
20
25
30
s
x
s
y
2 4 6
−0.1
−0.05
0
0.05
0.1
0.15
δ
t
Fig. 5: Comparison of the controlled vehicle model with the
data obtained from the double-lane-change driving experiment.
The gray line shows the simulation result and the black line
the measured data.
D. Model of Other Traffic Participants
The model for other traffic participants is simpler compared
to models used for designing trajectory tracking controllers.
One reason is that parameters of other traffic participants are
typically unknown (unless transmitted via vehicle-to-vehicle
communication), so that complicated models requiring iden-
tified parameters are useless. The other reason is that the
main source of uncertainty is the model input (changing lane,
accelerating/decelerating) and not a potential inaccuracy of
the dynamic model. We propose a model that satisfies the
following constraints:
C1: positive longitudinal acceleration is stopped when a pa-
rameterized speed ˜v
max
is reached (˜v
max
could be set to
a certain percentage above the official speed limit).
C2: driving backwards in a lane is not allowed.
C3: positive longitudinal acceleration is inversely proportional
to speed above a parameterized speed v
S
(modeling a
maximum engine power).
C4: maximum absolute acceleration is limited by ˜a
max
.
C5: actions that cause leaving the road/lane/sidewalk/cross-
walk boundary are forbidden. Crossing lanes for traffic
in the same direction is allowed.
Constraints C3 and C4 are physical constraints, while the
other constraints originate from traffic rules as listed in
the Vienna Convention on Road Traffic [48]. The above
constraints are considered to be the most important ones
describing the uncertain behavior of traffic participants. It
should be mentioned that the absence of constraint results
in a larger occupancy of other traffic participants and thus
only verifies more conservative behaviors of the ego vehicle.
Thus, neglecting certain constraints does not result in an
unsound verification procedure. This is especially useful since
there are many traffic rules and many of them are specific to
specific countries. Further rules can be added without requiring
changing the basic principles of the presented approach. For
other road vehicles, all of the above constraints are potentially
active, while e.g. for pedestrians, only constraints C1 and C2
are enforced and C5 is applied to sidewalks and crosswalks
instead of road and lane boundaries. When it is sensed that
a constraint is violated, it is no longer considered for that
particular traffic participant. E.g. when a pedestrian crosses a
street where no crosswalk is present, constraint C5 is removed
and only constraints C1 and C2 are active. Another example
is that when it is sensed that the reversing lights of a vehicle
are on, e.g. to start a parallel parking maneuver, constraint C2
on driving backwards is removed. The removal of constraints
is presented for the considered examples in Sec. VI-B. To
describe the system dynamics, we use the same variable
symbols as for the ego vehicle, but add a tilde for distinction.
The dynamics of other traffic participants are modeled by a
point mass:
¨
˜s
x
(t) = ˜a
x
(t),
¨
˜s
y
(t) = ˜a
y
(t). (2)
In order to restrict ˜a
x
(t) and ˜a
y
(t) according to the constraints
C1-C5, we introduce unit vectors that point along the lon-
gitudinal and lateral directions of the vehicle: Φ
long
(t) =
1
˜v
[˜v
x
(t), ˜v
y
(t)]
T
, Φ
lat
(t) =
1
˜v
[−˜v
y
(t), ˜v
x
(t)]
T
, where ˜v =
k[˜v
x
, ˜v
y
]
T
k
2
. This makes it possible to formulate ˜a
x
, ˜a
y
by the
longitudinal acceleration ˜a
long
(t) and the lateral acceleration
˜a
lat
(t):
˜a
x
˜a
y
= Φ
long
˜a
long
+ Φ
lat
˜a
lat
The lateral acceleration is determined by the maximum ab-
solute acceleration ˜a
max
and a normalized steering input u
1
,
