Safe Collaborative Driving Systems

Intelligent vehicles monitor their environment and warn the driver of impending danger or operate braking and advanced cruise control systems. Google, Volvo, and others have constructed vehicles that can operate without a driver. The next step is vehicles that share their sensor readings and coordinate their operation. These systems will improve the operation of intelligent braking, make the operation of automated cruise control smoother, and make operations, such as lane changes, safer.

Our objective is to design and test the protocols that define the collaborative operations, and to guarantee that they will not cause an accident for all combinations of equipment failures and interference. We are applying the verification and testing techniques that we have used to test communications devices to these systems. The problem is that collaborative driving systems are much more complex than communications protocols. They interact with the physical world in several ways and have time critical operations. In addition, the penalty for failure is much higher. System failures may be measured in lost lives.

Engineering is the art of managing complexity. We are investigating three techniques to manage the complexity of these systems:
1) a multi-dimensional, stack architecture,
2) synchronized clocks, and
3) a multi-manufacturer verification technique that decomposes verification into model checking and conformance testing.

1) The architecture has a dimension for each interaction with the physical world, and a dimension for the applications. Each dimension is organized as a stack, similar to the stack architecture used in communications. The architecture separates the physical properties of the dimension from the logic in an intelligent application.
2) Timers that are initiated over an unreliable communications channel, which may require several transmissions before a message is received, can result in multiple execution sequences in the collaboration. An army would not coordinate an attack based upon the arrival time of runners, and neither should automobiles. GPS and other technologies make timers unnecessary.
3) Intelligent automobiles must be able to collaborate safely with all of the other intelligent automobiles on a highway. Testing all combinations of implementations from all of the automobile manufacturers can result in a very large number of tests. We decompose the verification process into model checking and conformance testing. Testing the collaboration among i vehicles, each running one of N implementations, is reduced from N^i tests to one verification of the model and N conformance tests.