Formal Development of Safe Automated Driving using Differential Dynamic Logic

TL;DR

This paper demonstrates how differential dynamic logic and the KeYmaera X tool can be used to formally verify the safety of automated driving decision modules, ensuring correctness across all scenarios.

Contribution

It introduces a formal verification approach for an in-lane automated driving feature using differential dynamic logic, enhancing safety guarantees beyond traditional testing.

Findings

Formal safety proofs for different design variants

Identification of key assumptions and invariants

Exhaustive analysis of model performance across behaviors

Abstract

The challenges in providing convincing arguments for safe and correct behavior of automated driving (AD) systems have so far hindered their widespread commercial deployment. Conventional development approaches such as testing and simulation are limited by non-exhaustive analysis, and can thus not guarantee correctness in all possible scenarios. Formal methods is an approach to provide mathematical proofs of correctness, using a model of a system, that could be used to give the necessary arguments. This paper investigates the use of differential dynamic logic and the deductive verification tool KeYmaera X in the development of an AD feature. Specifically, formal models and safety proofs of different design variants of a Decision & Control module for an in-lane AD feature are presented. In doing so, the assumptions and invariant conditions necessary to guarantee safety are identified, and the paper shows how such an analysis helps during the development process in requirement refinement and formulation of the operational design domain. Furthermore, it is shown how the performance of the different models is formally analyzed exhaustively, in all their allowed behaviors.