Towards the Verification of Safety-critical Autonomous Systems in Dynamic Environments

TL;DR

This paper proposes a two-phase verification approach combining static formal methods and runtime monitoring to ensure safety and collision avoidance in autonomous systems operating in dynamic, uncertain environments.

Contribution

It introduces a hybrid verification framework that integrates UPPAAL-based formal modeling at design time with runtime monitoring for real-time safety assurance.

Findings

Formal models verified with UPPAAL ensure safety properties at design time.

Runtime monitors detect deviations from initial assumptions and trigger safe system states.

The approach enhances safety guarantees for autonomous systems in dynamic environments.

Abstract

There is an increasing necessity to deploy autonomous systems in highly heterogeneous, dynamic environments, e.g. service robots in hospitals or autonomous cars on highways. Due to the uncertainty in these environments, the verification results obtained with respect to the system and environment models at design-time might not be transferable to the system behavior at run time. For autonomous systems operating in dynamic environments, safety of motion and collision avoidance are critical requirements. With regard to these requirements, Macek et al. [6] define the passive safety property, which requires that no collision can occur while the autonomous system is moving. To verify this property, we adopt a two phase process which combines static verification methods, used at design time, with dynamic ones, used at run time. In the design phase, we exploit UPPAAL to formalize the autonomous system and its environment as timed automata and the safety property as TCTL formula and to verify the correctness of these models with respect to this property. For the runtime phase, we build a monitor to check whether the assumptions made at design time are also correct at run time. If the current system observations of the environment do not correspond to the initial system assumptions, the monitor sends feedback to the system and the system enters a passive safe state.