Context-aware environment online monitoring for safety autonomous vehicle systems: an automata-theoretic approach

Linear Temporal Logic (LTL) is a type of Temporal Logic that represents time as a sequence of states and employs temporal operators to specify constraints that a system must satisfy in the past, present, and future, as well as the temporal relationships between events.

Since its inception, numerous scholars have thoroughly studied and developed LTL. Pnueli [6] first introduced LTL and proposed the syntax and semantics of linear temporal logic. His work laid the foundation for LTL in formal verification and provided a theoretical framework for subsequent research.LTL allows for a more precise expression of the desired system’s properties or constraints, given a set of atomic propositions denoted as AP. An LTL formula on the set AP can be recursively defined as follows:

In the above definition, \(p \in A P, \varphi , \varphi _{1}, \varphi _{2}\) are both LTL formulas.The standard operators logic and (\(\wedge\)), logic or (\(\vee\)), non (\(\lnot\)), and implication (\(\rightarrow\)) are propositional logic tokens. Operators X, U, F, G, and R are temporal operators, representing some properties of time [7].Suppose we have a sensor that periodically measures a certain variable, and we want to check whether that variable fluctuates with a certain periodicity. We can use LTL to represent this periodic behavior. For example, the following LTL formula indicates that the variable should fluctuate every 5 time steps.

Here, Time represents time steps, and Measurement is the measured value. This LTL formula ensures the periodic fluctuation property.

Büchi Automaton is a commonly used formal tool for describing and verifying behavioral specifications of systems. In past research, many scholars have extensively studied and applied Büchi Automaton. Vardi and Wolper [8] proposed the theoretical framework of Büchi Automaton and proved its equivalence to Linear Temporal Logic (LTL). Their work laid the foundation for the use of Büchi Automaton in model checking and runtime verification. Alur and Dill [9] introduced construction methods for deterministic Büchi Automaton and applied them to model checking. Their work has had a profound impact on automata theory and formal verification. Baier and Katoen [10] investigated the modeling of Büchi Automaton for stochastic systems. They explored how Büchi Automaton can be used to describe and verify systems with stochastic properties. Piterman et al. [11] introduced an enhanced version of Büchi Automaton called Aggressive Automaton. Their work aimed to improve the practicality and efficiency of Büchi Automaton in runtime verification. Joël D. Allred et al. [12] proposed a simple algorithm that complements Büchi automata by directly manipulating subsets of state sets (similar to slices) and generating deterministic automata. Büchi automaton is a tuple \(B=(Q, Q_0,\Pi ,\sigma , F)\), where

Runtime verification is a novel formal verification technique that relies less on the environment. Leucker and Schallhart [13] provide a concise introduction to runtime verification, discussing its foundations, techniques, and challenges. They highlight the role of runtime verification in complementing formal verification and testing methods. Like model checking, runtime verification employs a formal approach to describe the behavior constraints that software systems are expected to satisfy. Linear temporal logic (LTL) is a common formalism used for this purpose. In theory, runtime verification aims to monitor an infinite sequence w of the system and check whether it satisfies the constraint \(\varphi\). If w satisfies \(\varphi\), the result is true; otherwise, it is false.

Runtime verification can be divided into two applications based on the type of object being monitored by the monitor. The first application is real-time monitoring of the executing behavior sequence to verify whether the current behavior satisfies the property constraints. In case of a violation, an alert is triggered. This type of runtime verification is referred to as online verification. The second application involves monitoring the historical execution sequence and analyzing the stored execution paths offline. It is used in offline automatic evaluation testing and is known as offline verification [14]. For intelligent systems, it is crucial to detect behaviors that violate safety properties as early as possible, enabling proactive measures to be taken. Therefore, this paper focuses on the online verification approach.

Runtime verification is an effective approach for system safety verification, as it enables the evaluation and validation of systems. However, current methods often overlook the influence of the environment, which makes it challenging to ensure the security and reliability of the system in the face of environmental factors. Therefore, this paper aims to address the following issues:To tackle these challenges, this study proposes the method framework shown in Fig. 1.

According to the diagram of the validation framework, the environmental information is abstracted in this paper. The environmental abstract model can represent the influence relationship between the environment and the system, and the environmental model is transformed into a finite automaton. This study describes the properties of the system using linear temporal logic and transforms them into Buchi automata. Then the algorithm is designed to combine the two automata by cross-multiplication and optimize the search path to generate the optimal monitor code. Finally, the monitor code is inserted into the executive program to realize real-time monitoring.

The performance of an intelligent system may be influenced by the physical environment in which it operates. Factors such as temperature, humidity, and pressure can cause variations in system parameters, including input, output, and state, among others. These variations can impact the control system’s decision-making process and result in suboptimal actions. To eliminate such effects and enable the system to adapt to environmental changes, it is necessary to define and model the relationship between the environment and the system.

This paper adopts a method of establishing a relationship model between the environment and the system. Firstly, it is necessary to clarify the relationship between environmental changes and the system, delineate the boundaries between environmental information and the system, and subsequently model the environmental factors accordingly. There are various types of environmental information, and to facilitate distinction, this paper refers to the definition of environmental information provided in the reference [27].

Environmental information serves as a crucial foundation for intelligent systems to carry out perception, decision-making, and control actions. It enables the system to infer the current state and characteristics of the external environment, facilitating better adaptation and response to diverse situations. While the types and sources of environmental information may vary across different application scenarios, they share a common feature of providing real-time feedback on the external environment to intelligent systems, thereby aiding in making more accurate and rational decisions.

To facilitate the identification of data as environmental information, Table 1 presents specific classification methods. These methods assist in determining whether the given data information qualifies as environmental information.

Let’s illustrate an example of environment modeling using the Adaptive Cruise Control (ACC) system. ACC is a cruise control system that allows the vehicle to travel at a specified speed while maintaining a reasonable and safe distance from the vehicle ahead. The braking distance required by the vehicle may vary depending on the road and weather conditions. The road and weather conditions are assessed using the Road and Weather Index, which is a weather-based index that provides valuable information on road conditions by analyzing real-time weather data. It is categorized into five levels, as shown in Table 2.

According to the definition of the environmental model, \(E=\left\{ e_1, e_2, \ldots , e_n\right\}\) represents five states of road conditions, \(S=\left\{ s_1, s_2, \ldots , s_n\right\}\) represents the braking safety distance, and R=(r) represents the different braking safety distances caused by different road conditions. The functional relationship is expressed as \(s=v^2 / 2^* u^* g\).

The finite probabilistic automaton for the environmental model can be represented as shown in Fig. 2. \(D=\left\{ d_1, d_2, \ldots , d_n\right\}\) represents the transitions between five different levels in the environment, where \(d_1\) is the initial state. \(T=\left\{ t_1, t_2, \ldots , t_n\right\}\) represents different triggering transition events, and each transition is marked in the form of \(p{\backslash } t_i\), where p represents the probability of transition between states.

Traditional task formalization descriptions often use linear temporal logic to express goals, constraints, and operability in mathematical or logical expressions. However, traditional binary logic may not provide results when dealing with infinite paths. When monitoring a system in a runtime application, only the system’s running state and behavior can be obtained, and what will happen next is not yet determined. Therefore, monitoring the current state is necessary to evaluate whether the subsequent behavior satisfies safety properties. In this case, using ternary logic can more accurately express this description than binary logic. Therefore, extending linear time logic LTL with ternary semantics is necessary. For a property \(\varphi\) and its negation \(\lnot \varphi\), if the current prefix violates the property, the system does not satisfy the property \(\varphi\) and outputs false; otherwise, it outputs true. If the current prefix satisfies both \(\varphi\) and \(\lnot \varphi\), no correct judgment can be made, and the output is inconclusive. In summary, properties can be divided into three cases, illustrated with a finite path u and property \(\varphi\):The following is the formal task description of Adaptive Cruise Control (ACC). During automatic cruise mode, the vehicle will accelerate to the predetermined cruising speed (TLV) if there is no vehicle ahead or if the distance between vehicles is greater than the safe distance. However, if there is a vehicle in front and the distance between vehicles is less than the safe distance, the vehicle will decelerate until it reaches an appropriate cruising speed (VPL). The scenario description is shown in Fig. 3. The property specifications can be expressed as follows:

The formulas \(\varphi _1=G((! exist \vee (dis>S T)) \rightarrow F(\mid speed -T L V \mid <0.1))\) and \(\varphi _2=G(( exist \wedge dis \le S T) \rightarrow F(\mid speed -V P L \mid <0.1))\) ensure that the vehicle’s speed can be adaptively adjusted based on the distance and the vehicles ahead in the automatic cruise control mode. In this context, exist represents an obstacle ahead, dis represents the distance to the vehicle in front, ST represents the safe following distance, TLV represents the cruising speed, VPL represents the appropriate cruising speed, and \(\mid speed -V P L \mid <0.1\) represents increasing the vehicle speed to the cruising speed and maintaining it within a certain threshold range.

The article proposes a formal verification model that combines the environment model represented by CE and the system model represented by B, to enable unified verification of the system’s response to environmental influences in a feedback loop. The concept of synchronous labeling and synchronous labeling function is introduced.

Converting LTL to Büchi automaton can be divided into three steps as shown in Fig. 5. First, it is necessary to convert the LTL formula to an alternating automaton, which can represent all the semantics of the LTL formula. Secondly, by using the equivalence between generalized Büchi automata and alternating automata, the alternating automaton is converted to a generalized Büchi automaton. Finally, the generalized Büchi automaton needs to be converted to a Büchi automaton for more efficient runtime monitoring.

One method for combining two automata is through synchronous composition. Synchronous composition involves the merging of two automata in such a way that the resulting automaton can only be in an accepting state when both original automata are simultaneously in an accepting state. This process can be achieved through the following steps:

Firstly, the state sets of the two automata are used to compute the Cartesian product, yielding a new set of states. Then, a new transition function is defined based on the transition functions of the original automata. This new function ensures that the composite automaton only transitions when both automata satisfy the transition conditions simultaneously.

In addition, the initial and accepting states are defined by combining the initial states of the two original automata. Accepting states are determined by states where both automata are accepting simultaneously.

By following this systematic process, two valid-state automata can be effectively combined to create a new automaton. The resulting composite automaton seamlessly integrates the specifications of both original automata, requiring both automata to be in sync for the composite automaton to reach an accepting state.

Building upon this theoretical foundation, this section presents a comprehensive algorithm that combines the environment model CE and the Büchi automaton B, allowing verification within a feedback loop. To construct the comprehensive algorithm, the first step is to define synchronous labels.

Synchronous labels serve as interaction indicators between the environment model and the Büchi automaton, determining whether a state transition can occur at a specific time point. By defining synchronous labels, it becomes possible to combine the environment model and the Büchi automaton into a new representation. In this new model, the combination of states from the environment model and the Büchi automaton forms the states, and the synchronous labels define the transition conditions between states. Additionally, formal verification techniques can be applied to validate the interaction behavior between the environment model and the Büchi automaton and ensure compliance with specific properties.

Below is the definition of the combination of the environment model \(C E=\left\langle D, D_0, T, \Pi , \delta ,\mu _0\right\rangle\) and the Büchi automaton \(B=(Q, Q_0,\Pi ,\sigma , F)\).

Combining the environment model CE and Büchi automaton B results in CEB, which contains both the information of the operating environment and the property constraints of the LTL formula.

The combination of the environment model CE and Büchi automaton B is not strictly a Cartesian product because a simple Cartesian product may lead to invalid transitions. The synthesis algorithm described in Algorithm 1 is designed for a given environment model CE and Büchi automaton B. The algorithm initializes the current state node and the previous state node and then iterates over all nodes in the state set. The transition relationship between the current node and the previous state node is considered. If it does not satisfy the synchronization mapping, it is regarded as unreachable, and the automaton form and transition are modified. Otherwise, a new transition form is added.

In the context of formal system verification, the insertion of monitors is an important step. Inserting monitors allows for dynamic monitoring and verification of the system by inserting a runtime monitor into specific transitions of the system. The process of insertion is typically achieved by defining insertion points and insertion rules. The insertion points specify where the monitor should be inserted, while the insertion rules specify how the monitor is inserted at those points.

In the previous section, a monitor was constructed using the synthesis algorithm that combines the environmental model CE and the Büchi automaton B. To monitor the entire system, it is necessary to insert the monitor at appropriate locations. However, a generic insertion method that inserts the monitor after every executed statement would result in significant redundancy and overhead. In reality, many program statements, such as parameter initialization and variable assignments, do not affect the system’s behavior. Therefore, it is crucial to simplify the insertion algorithm. To reduce the complexity of verification, this paper introduces the concept of visible variables VisibleVar.

\(L(system)\cup L(CEB)=\varnothing\) represents that when the value at the current execution point of the system changes, it does not affect the values in the monitor. By using visible variables to identify the visible set of the program, it clearly defines which data and which parts of the program are necessary. The monitor can only access them in specific contexts, thereby avoiding erroneous data access, reducing the time required for evaluations, and improving efficiency and safety.

Through optimization, the goal is to assess the impact of runtime verification on system performance while maintaining accuracy and completeness in the verification process. Removing unnecessary insertion points and only instrumenting at critical locations makes it possible to significantly reduce the size of the state space and improve the system’s runtime speed. Specifically, the instrumentation process is depicted in Fig. 8. The insertion points specify where the monitor is inserted, allowing instrumentation only in the corresponding intersecting portions, which greatly reduces the scale of instrumentation.

Instrumenting monitors make it possible to dynamically monitor and verify the system, thus enhancing its reliability and security. Moreover, inserting the monitors only at appropriate locations within the system and evaluating properties based on violation cases means there is no need to insert the monitor program after every statement. This approach avoids unnecessary computations, significantly reducing the scale of verification and better addressing the complexity and practical requirements of the system.

CoppeliaSim is a powerful general-purpose robot simulation platform used in various fields such as robotics, mechanics, physics, and electronics. It provides a range of APIs and scripting interfaces, including Python, Lua, and C/C++, allowing developers to easily write their control programs or algorithms and interact with the simulation environment.

CoppeliaSim provides the ability to control each node in the vehicle (e.g., engine, shaft) by assigning names to them. By modifying the relevant kinematic parameters and calling the corresponding nodes, the vehicle can be controlled for motion. The kinematic model of the vehicle is shown in Fig. 9. The map coordinates of the vehicle’s location can be directly obtained from CoppeliaSim and represented as (x, y). The coordinates of the detected object are represented as \((x_i, y_i)\). In the model, d represents the distance between the center point of the vehicle and the object, \(\alpha\) represents the angle between the forward direction and the object, \(\beta\) represents the angle between the object direction and the horizontal axis, and \(\gamma\) represents the angle between the forward direction and the horizontal axis.

To create an accurate simulation environment in CoppeliaSim, it is necessary to set the parameters of the entities based on real-world values. Therefore, in the experiment, the simulation vehicle utilizes the intelligent car model. To improve the accuracy of the simulation, infrared sensors, and vision sensors are added to the vehicle during the experiment to simulate environmental perception in the real world. These measures enable better simulation of the vehicle’s movement and facilitate various tests and experiments. The simulation scene is depicted in Fig. 10.

The controller designed in this section is implemented using the Python programming language. By modifying the wheel dynamics parameters of the vehicle in the simulation environment through Python code, the vehicle’s motion can be controlled. The interaction between modules is illustrated in Fig. 11. After obtaining sensor data, it is processed, and control commands are generated to make decision control for the simulated vehicle.

The experimental design involves the operation of a moving vehicle in an automatic cruise mode, where each execution utilizes vision sensors and infrared sensors to perceive the surrounding environment. The designed safety property states that if there are no vehicles in front of the vehicle, or if there is a vehicle ahead and the distance is greater than the safety distance, the vehicle accelerates until it reaches the maximum cruise speed TLV. If there is a vehicle ahead and the distance is less than the safety distance, the ACC system controls the vehicle to decelerate until it reaches the safe cruising speed VPL.

Analyze the influence of different environmental factors on the safety braking distance in the safety property. Establish an environmental model with road and weather conditions that affect the safety braking distance and integrate it into the system model. Table 3 shows an experiment comparing the simulation results with and without the monitor and different environmental factors. The symbols \(\checkmark\) and \(\times\) in the table indicate whether the monitor was added. It can be concluded from the results that the addition of the monitor can effectively detect system violations and provide timely feedback and responses. The reasons for the occurrence of lessthansafedistance and collision in the table are that the simulated vehicles did not respond differently to different environments when detecting vehicles in front, resulting in the same strategy being applied, which led to inadequate braking distance.

To further analyze the reasons for the different simulation results, this paper will further elaborate on the simulation scenario situation based on Fig. 12, and obtain detailed data through the simxGetObjectPosition interface.

Figure 12a shows a schematic diagram in which the black car can maintain a safe distance from the red car after adding the monitor. The minimum distance between the red car and the black car is 19.831m, which always meets the minimum interval for a safe distance. Figure 12b shows that due to changes in environmental parameters, the black car brakes just in time when it reaches a close distance from the red car. At this time, the distance is already 10.386m, which is not enough to ensure a safe braking distance. Figure 12c shows a collision situation where the black car fails to adapt to changes in environmental parameters, leading to a collision with the front car due to the delayed braking.

As the monitor is inserted as a program into the system, this will cause more consumption during system operation. If the performance and efficiency of the monitor itself are not high, it will lead to inadequate monitoring or inaccurate monitoring, and thus cannot provide useful monitoring data and warning information, failing to effectively ensure the execution efficiency of the system.

As shown in Fig. 13, the time consumption issue caused by adding the monitor is demonstrated. The experiment was designed to run a fixed path length while obtaining the system’s relative time ticks and interpolating and smoothing the discrete points. It can be seen that as the number of monitors increases, the required time consumption will increase exponentially, and optimization of the monitor can effectively reduce the time consumption. Initially, adding an unoptimized monitor code requires about 23.6ms of time consumption, while adding 20 monitors requires 554.1ms. As the number of monitors increases, the time consumption does not increase linearly with a constant but shows an exponential trend. This is because when the number of monitors increases, the computational complexity of each monitor’s attribute verification will also increase, and storing data related to system behavior will increase memory requirements and reduce performance. After optimization, adding an optimized monitor takes about 13.9ms, and the average time consumption of an optimized monitor is about 41.1% of that before optimization.

Experimental analysis shows that after modeling the environment, the monitor formed by combining the environment model and system specification can still effectively monitor the system and make corrections in complex environments. This ensures the safety and reliability of the system when facing environmental influences.

In this paper, the RoboMaster EP launched by DJI Innovation Technology Co., Ltd. is adopted as the physical simulation platform. As shown in Fig. 14, The EP robot is equipped with open interfaces, sensor interfaces, and programmable components. Its control system is based on the Linux operating system, using ROS as middleware, providing a complete platform for robot control and programming. The experiment utilizes a platform communication mode, establishing a TCP/IP connection with the EP robot and enabling communication through a plaintext SDK. The running code is transmitted to the intelligent central controller. The monitoring algorithm proposed in this study is implemented in Python for monitoring through code instrumentation. All experiments were conducted on a machine with an Intel Xeon W-2225 CPU and 16GB RTX5000.

Figure 15 depicts the physical experimental setup. Due to the susceptibility of the robot’s operational state to environmental factors, it is crucial to monitor the robot’s behavior to promptly detect and address any issues that may arise. The experiment aims to assess whether the robot can maintain stability and make correct decisions when subjected to environmental changes. Therefore, the formulated property is \(G(V < speed)\), where V represents the robot’s velocity and speed denotes the desired speed threshold. This property ensures that the robot’s velocity remains consistently below the specified speed threshold, indicating that it is maintaining a stable and controlled motion. In this experiment, the environmental factors in the scene are set to random values representing different conditions such as slippery, normal, and sandy. Each weather condition is assigned acceptance values \((f_1, f_2, f_3)\) such that \(f_1 + f_2 + f_3 = 1\). A section of slippery terrain is introduced along the path of the EP robot to simulate the effects of environmental interference. Based on the contextual information, a monitor is constructed and inserted into the executing code.

Figure 16 illustrates the variations in the robot’s driving speed under the influence of environmental factors, considering the presence or absence of the monitor constraint. Since the vehicle’s speed can be sampled periodically, the global speed changes can be observed intuitively. To capture the speed changes within shorter time intervals, the experiment adopts a fixed step size for sampling. The arrows in the figure represent moments when the environmental information changes, impacting the robot’s driving speed. From the graph, it can be observed that the EP robot initially travels at a limited speed. However, upon entering the slippery terrain, the robot’s actual speed increases beyond the safe speed threshold. It is only after passing through the slippery terrain that the robot returns to a safe speed. With the addition of the monitor, safety property violations are promptly detected, allowing corrective actions to be taken regarding the behavior of the EP robot.