Slide 1
The long road from proof of concept to real-world autonomous driving
dr. ir. Karel Van Oudheusden
Slide 2
Table of Contents
1. Introduction
2. Engineering a Safer World
3. Hazard and Risk Analysis
4. Formal modeling for safety and security
5. Conclusion
Slide 3
Altreonic
Provides solutions for trustworthy systems engineering:
– VirtuosoNext Designer, a safe and secure distributed RTOS with programming tools
– GoedelWorks, a portal-based environment to support software engineering, with embedded certification
Enabling advantage for the novel e-vehicle Kurt
Slide 4
Kurt Gödel (1906 – 1978)
Slide 5
Kurt Gödel
Altreonic’s KURT vehicle platforms
Slide 6 (section divider): 2. Engineering a Safer World
Slide 7
Engineering a safer world
• What is safety?
  • Absence of physical harm (being hurt or killed)
  • No loss of mission
  • …
• What is security?
  • Prevent a maliciously injected fault that causes harm
  • Protection of sensitive data
  • …
• Security is a subcase of safety
• Safety includes man-machine interface issues
Slide 8
Kurt roadmap: step by step
1. Redundant architecture
   • Only with electric propulsion!
   • Steer by wire
2. Obstacle detection/avoidance
3. Remote steering
4. Verified application software
5. Semi-autonomous driving: supervised, controlled environment
6. Fully autonomous: maybe never?
Slide 9
Kurt’s Remote Steering App
Manoeuvring by smartphone
Steer by web:
• Camera input from Kurt
• Operator steers using web client
• Limited speed and acceleration
• Authentication
Slide 10 (section divider): 3. Hazard and Risk Analysis
Slide 11
Hazard
Outdated steering commands, sent from the remote-control device to the Kurt, are not discarded, causing undesired and unpredictable system behaviour.
Slide 12 (same hazard, with the specification derived from it)
Additional Specification
The Kurt shall not execute outdated steering commands.
Slides 13–14 (section divider): 4. Formal modeling for safety and security (mCRL2, …)
Slide 15
mCRL2
Slides 16–18
mCRL2 model: L || K, the Listener L (remote-control side) in parallel with the Kurt K

L          = inL . LWait(MAX1) + listen . L
LWait(0)   = i . L
LWait(0<n) = i . LWait(n-1) + listen . (i + i . request) . L   [0, 1]

K          = inK . (i + i . broadcast) . KWait(MAX2) + advice . K   [0, 1]
KWait(0)   = i . K
KWait(0<n) = i . KWait(n-1) + advice . K   [0, 1]
Slides 19–21 (figures)
“Outdated” #1, “Outdated” #2, “Outdated” #3: three notions of an outdated steering command
Slide 22
Additional Specification
The Kurt shall not execute outdated steering commands.
Conceptual Clarity
Three notions of “outdated” steering commands.
Slide 23 (adds the question)
Did we cover all notions of “outdated”?
Slide 24
New Hazard: Denial of Service Attack
Slides 25–26
New Hazard, New Specification
An Authentic Listener cannot send two consecutive steering requests to the Kurt without receiving an intermediate broadcast message from the Kurt.
As a modal μ-calculus formula over the model (cLK: communication Listener → Kurt, cKL: communication Kurt → Listener):
[true* . cLK . (!cKL)* . cLK] false
Reading: after any prefix, a cLK followed by any sequence of non-cKL actions and then another cLK must be impossible.
Slides 27–29
Finite State Machine (state space of L || K)
[true* . cLK . (!cKL)* . cLK] false
The property holds on the Finite State Machine.
Slides 30–31 (section divider): 4. Formal modeling for safety (mCRL2, VirtuosoNext)
Slide 32
Screenshot of VirtuosoNext Designer
Slides 33–35
Food for Thought
• Autonomous cars → connected cars → wireless communication → formally verified SW/HW
• Engine in a conventional car = single point of failure → need redundant architecture
• Dynamics: a driver reading a newspaper is a problem if he has less than 100 ms to take over control → supervised, controlled environments
Slide 36
Thank You!
karel.vanoudheusden (@) altreonic.com