Introduction

History

One of the earliest attempts to formalize this method of reasoning is Hoare logic (Hoare, 1969). The verification of the assembled network is reduced to the application of inference rules to the component specifications.

Contributions

Outline of Thesis

A is the set of specification structures for the agent's environment, which is a subset of the set created by Definition 6.5.1. Poliforest defines the global order (priority) of the set of all agents𝔄∈𝔊based on the states of the agents.

The Contract Metatheory

What is a contract?

In the metatheory, we require ⊕ to be an associative and commutative binary operator on the set of components. Each contract "flavor" of the metatheory is defined by a set of components and how they can be assembled by ⊕.

An Example: Contracts on Image Annotating Functions

Iprog can be a series of computer programs that annotate any highway image with a box around each car present in it. Inn,box consists of a series of neural networks that annotate each image with a box around each traffic agent (car, motorcycle, bicycle, pedestrian).

Figure 2.3: A possible visualization of 𝑝 1 ⊕ 𝑝 2 ⊕ 𝑖 from 2.2.

Properties

Expresses the guarantee of the agent in the form of a single, predefined specification structure. One of our classification approaches where the set |K | trajectories are a function of the initial state of the medium.

A Model Interface Theory for Guarded Input/Output Automata . 13

Interface Contract Theory

Any action from this interface can belong to exactly one of the following three classes. Supervised modal interface contract C consists of a set of reference variables V and a tuple of the form 𝔄 = (𝑆, 𝑠0,𝔉, 𝐴,→,d), where𝑆, 𝑠0,𝔉, 𝐴 are defined as in the interface automaton object . and d are two transitive relations called must and may, respectively.

Figure 3.2: Contract design hierarchy pyramid.

An Application in Traffic Control

The input signal is?r_v, which indicates a safety check with the state of the lights in the north-south direction. The scheduler contract automaton has access to a variablelen (request_queue), which is the length of the request queue.

Figure 3.3: Reading from left to right, then top to bottom: C scheduler , C 𝑐𝑎𝑟 , C scheduler ⊗ C 𝑐𝑎𝑟 , C horizontal_lights , C pedestrian .

Conclusion

The planner is aware of the agents' location and the obstacles in the parking lot from the camera system. Thus, the set of anchors is a function of the agent's current speed, which helps ensure that anchors are dynamically feasible.

Directive-response Assume-guarantee Contracts for an Auto-

Introduction

The formal guarantee of safe and reliable behavior for modern cyber-physical systems has a scalability problem (Benveniste et al., 2018). Contract-based architectures have been demonstrated for various cyber-physical system applications (Damm, Hungar, et al., 2011; Damm, Votintseva, et al., 2005; Nuzzo et al., 2013; Maasoumy, Nuzzo, and A. Sangiovanni-Vincentelli. , 2015) .

Theoretical Background

Our contributions include formulating a formal contract structure for an automated valet parking system with multiple layers of abstraction and a directive response architecture for handling disruptions. We propose a contract-based design framework that includes a directive response architecture to enable reactivity to faults in the system.

Figure 4.1: Snapshot from our AVP implementation showing human agents and vehicles as well as the parking lot topology.

Mathematical Formulation

In addition, the set of behaviors B (𝑍) can be lifted to a set of behaviors in B (U) in a similar way. A constraint 𝑘 on a set of variables 𝑍 is a function that maps each behavior of 𝑍 to an element of B, the Boolean domain.

Table 4.1: CustomerInterface directive-response system.

AVP Contracts

If the car is healthy and the service has accepted it, it will be returned upon request:. Any route command from the Planner is always𝜅 executable, the corresponding corridor is drivable and the configuration of the car after receiving the command is in the initial part of the corridor:.

System Design

If the car is accepted, the customer leaves control of the car to the Tracker (satisfactory𝐺(4.12) and𝐺(4.13)). The CustomerInterface must then leave the control of the car to the Tracker with 𝐺(4.12) and 𝐺(4.13), and therefore satisfy 𝐴(4.38).

Figure 4.4: Possible initial car configuration along the entrance region (green) corresponding to a grid square as defined in Fig

Conclusion

That is, the set of behaviors of the interconnect consists only of those common to (or observed by) both implementations. It should be noted that the lifetime guarantees rely on the assumption that rerouting of the agent's motion plan is not supported.

Reactive Contracts

Introduction

For example, (Livingston et al., 2013) exploits “locality” to compute modal𝜇-calculus fixpoints (Arnold and Niwinski, 2001) that enable patching of system strategies in the presence of updated information about the game graph. To address these issues, we propose a contract formalism that explicitly considers the concept of uncertainty in the system being modeled and emphasizes its obligation to adapt to possible changes in the behavior of the environment.

Systems and Contracts

The theory of assume-guarantee contracts is a model of the meta-theory and can be described as follows. That is, if 𝑀 is an implementation of the conjunction ∧𝑖C𝑖containing𝜎 such that𝜎 ∈𝐸 where𝐸 is a neighborhood of ∧𝑖C𝑖, then there exists at least a 𝑘 ∈ {1,2,.

Reactive Contracts

In particular, when all assumptions are initially disjoint, we have the following generalization of Theorem 12. Since ΠA(𝑟) ∉ Δ2 by the initial disjointness of A and 𝑅2 is in canonical form, we have 𝑟 ∈ 𝑅2 and thus𝈝👟 ∝ 2.

Reactive Contracts for GR(1) Games

Each of these fixed point pairs is of the form (𝑆A, 𝑆G) where 𝑆A is the largest subgroup of A whose every element is realizable with all guarantees in the 𝑆G subgroup of G and vice versa. However, a chain in the guarantee mesh represents all possible guarantees that can be realized if the largest element of the chain is realizable.

Case Study: a Reactive GR(1) Contract on 3 Islands

The element A can be r1_home∧r2_far∧ bridge∧button1, which indicates the condition that the transporter robot r1 starts on the "home" island (the one with the black spot), the control robotr2 starts on the "far" island (the yellow spot), and the button on the island with a silver patch,. In the case of three islands, if we start from an initial configuration where at least one robot is not on the home island, 𝑔min is whatever and 𝐹 = {button1}, then Algorithm 2 will return a robust strategy with 𝛾0 =G0( all guarantees) that never allows , that both robots are on the "home" island at the same time (because if button1 fails, then neither robot will be able to leave the home island).

Figure 5.2: The brown bridge broke, the two robots are stranded.

Conclusion

Let Tc𝐴𝑔 represent the agent's number of tokens when he sent his request. We consider a set of trajectories dynamic if the trajectories it contains change as a function of the agent's current dynamic state.

Assume-guarantee Profiles 2

Introduction

However, in connected approaches, specifications for self-driving cars are often scenario-specific and designed independently of each other (Shalev-Shwartz, Shammah, & Shashua, 2017). Present a basic and consistent set of axioms for self-driving cars that can be improved and built upon.

Overview

Details of each agent's architecture to define its behavior are shown at the top. The guarantee we give in our acceptance and warranty agreement is that the self-driving car will perform according to the structure of the specification.

Evaluator and Evaluated Structure

To satisfy requirement 4, in order to preserve the partial order established in the poset, the consistent evaluation function 𝑓1 on the left and 𝑓2 on the right can, WLOG, assign all the nodes on the right branch of the poset to the indicated values . in Fig. Any 𝑓 estimator that assigns values ​​according to the bracketed values, shown in the figure, can easily.

Figure 6.2: A poset that does not admit a consistent evaluator. The values in parentheses denote the value of the singleton set containing that node given by the evaluator 𝑓 𝑖

Consistency and Coverage

Refinement is equivalent to adding dimensional properties (nodes) or comparisons (edges) to the specification structure in a way that preserves the gradation property of the specification structure. We now define how to properly add a node or edge to a specification structure in a way that preserves the mathematical properties of the specification structure.

Assume-Guarantee Profiling

This means that the guarantees of agent 𝑗 must be included in the assumptions of all other agents in the compatible set. If one agent 𝑖 has guarantees that correspond to a specification structure that is not included in the assumptions of another agent 𝑘, correct behavior cannot be guaranteed.

Some Examples and the Definition of Completeness

Let us first consider the case where the oracles on each of the cars match, and then consider the potential danger when the oracles of the cars differ. Now consider the case where the oracles provide incompatible beliefs about the environment, namely the state of traffic signals.

Figure 6.7: The game scenario when Player Y encounters debris on its side of the road

Conclusion

The protocol defines the agent's attributes, the region it must reason about (ie the bubble), how the agent chooses its intended action, and how it ultimately chooses which action to take. We represent the sequence of past observations for each agent as faded bounding boxes of the same color as the agent's current bounding box.

Rules of the Road 3

Introduction

The problem of fully ensuring the safety and liveliness of decision-making agents is particularly challenging because 1) agents often compete for the same set of resources (some region of the road network) and 2) agents must consider highly connected and complex interactions. with other agents. Moreover, we can ensure safety and liveliness if all agents act according to a certain decision strategy.

Overview

Dependence on this back-up plan action is what ultimately allows agent dependencies to be separated when they think about each other, while still allowing for strong global guarantees of safety and life. For each time step of the game, each agent first assigns a local priority according to the rules described in Section 7.4, thus establishing a consistent order (in a local way).

Quasi-Simultaneous Discrete-Time Multi-Agent Game

Sintersection: A set of grid points containing all grid points with more than one legal orientation. Road segments𝑅 𝑠(𝑔)is the set of all grid points that are in the same connected component as the grid point𝑔in the graph𝐺𝑅 𝑆.

Agent Protocol

In fact, the bubble of an agent should depend on its state and the properties of the agent and the dynamics of all agents in the game. 𝑂Progress forward(𝑠, 𝑎, 𝑢) is returned if an action𝑎from state𝑠 will improve the agent's progress towards the goal.

Figure 7.3: Shows different grid point occupancy associated with different discrete agent maneuvers.

Safety Guarantees

If all agents Ag ∈ 𝔄 in the quasi-simultaneous game choose actions in accordance with the Agent Protocol specified in Section 7.4, then we can show the security property𝑃⇒𝑄, where the statement𝑃 is an assertion that the state of the game is such that∀ 𝐴𝑔 , 𝑆Ag,

Liveness Guarantees

Under the Sparse Traffic Assumption given by Definition 7.6.2 and given all agents Ag ∈ 𝔄 in the quasi-simultaneous game select actions in accordance with the Agent Protocol specified in Section 7.4, liveness is guaranteed, i.e. there is no communication error in the conflict requests, token count queries, and the agent intent signals.

Simulation

Features of the Agent Protocol, such as fairness by resolving conflict clusters and the ultimate satisfaction of all oracles in the agent profile, are used for the arguments in the proof. Specifically, for the straight road segment, an average of 77%, 36%, and 43% reached their respective destinations on the respective maps by the end of the 250 time steps.

Conclusion

Argoverse: 3D Tracking and Prediction with Rich Maps.” In: IEEE Conference on Computer Vision and Pattern Recognition (CVPR). Convolutional Social Clustering for Vehicle Path Prediction.” In: IEEE Conference on Computer Vision and Pattern Recognition (CVPR) Workshops, p.

Multi-modal Trajectory Prediction

Introduction

Furthermore, most state-of-the-art methods assume unconstrained positions (Cui, Radosavljevic et al., 2019; Chai et al., 2019; Hong, Sapp, & Philbin, 2019; Rhinehart, McAllister et al., 2019), which can result in trajectories that the agent cannot physically perform ((Cui, Nguyen, et al., 2019) is a recent exception). While (Cui, Nguyen et al., 2019) exploit similar insight for regression, we extend the use of dynamic representation to anchor box classification and regression.

Related Work

Later work has considered the multi-agent setting (Rhinehart, McAllister, et al., 2019) and uncertainty in the model itself (Henaff, LeCun, & Canziani, 2019). Although there are encouraging new developments in public datasets for trajectory prediction (Chang et al., 2019; . Hong, Sapp, & Philbin, 2019), there is no standard.

Method

This largely follows (Cui, Radosavljevic, et al., 2019), with the main difference in the output representation (see section 8.3). Contrary to previous work (Cui, Radosavljevic, et al., 2019; Chai et al., 2019), we choose not to learn an uncertainty distribution over space.

Figure 8.1: CoverNet overview. We generate a trajectory set (fixed or dynamic based on current state) that we classify over

Trajectory Sets

We can further shorten the construction of the dynamic trajectory sets in a similar way to how we dealt with the fixed trajectory sets in section 8.4. Namely, we use an analogous greedy procedure to cover the set of sample trajectories with a subset of control profiles (e.g., lateral and longitudinal accelerations as a function of time).

Experiments

Common measures include registration likelihood (Chai et al., 2019; Rhinehart, McAllister, et al., 2019), mean displacement error, and hit rate (Hong, Sapp, and Philbin, 2019). We focus on a) displacement error and b) hit rate, both calculated over a subset of the most likely modes. We use the notion of hit rate (see (Hong, Sapp and Philbin, 2019)) to simplify the interpretation of whether or not a prediction was "close enough". We define a Hit𝑘 ,𝛿for a single instance (agent at a given time) as 1 if min𝑘∈𝐾max

Figure 8.4: Best models of each type on the comparative dataset (6-second horizon).

Conclusion

Social GAN: Socially Acceptable Trajectories with Generative Adversarial Networks.” In: The IEEE Conference on Computer Vision and Pattern Recognition (CVPR). Deep residual learning for image recognition.” In:2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), pp.

Conclusions

Summary

This dissertation considers a variety of theoretical frameworks and cyber-physical system applications of the contract-based design paradigm. In the second half of the thesis, we formulated a framework for behavioral contracts for autonomous agents and showed how we can apply it to the development of autonomous driving technologies, especially the distributed control of autonomous vehicles.

Future Directions

First, we constructed a metatheory-compatible contract theory for modal interface input/output automata with guards and presented an application of the framework in the design of a traffic intersection control system. To limit implementations from being "opportunistic" in the presence of a potential environmental error without sacrificing performance, we introduced the theory of reactive contracts and provided contract synthesis algorithms involving meta-specifications at the assume-guarantee level.