CORDIS - EU research results

Automated Synthesis of Certifiable Control Software for Autonomous Vehicles

Periodic Reporting for period 1 - CertiCar (Automated Synthesis of Certifiable Control Software for Autonomous Vehicles)

Reporting period: 2024-02-01 to 2025-07-31

Road crashes remain a major societal challenge, and automated driving will only earn public trust if its software behaves safely and predictably in every situation—not just in typical tests. Today’s collision-avoidance features are largely validated by extensive road testing, which is costly, time-consuming, and cannot cover every rare but dangerous scenario. The result is a gap between what vehicles do in practice and the high level of assurance regulators, manufacturers, and road users expect at higher automation levels.

CertiCar addresses this gap partially by developing Advanced Collision Avoidance System (ACAS) software that is correct-by-design. Instead of relying mainly on after-the-fact testing, CertiCar encodes safety rules, comfort constraints, and traffic-law requirements in precise, machine-checkable form and then automatically generates the corresponding control software. The approach rigorously explores how the ego vehicle and surrounding traffic could evolve, taking into account uncertainty in sensors, models, and the behaviour of other road users. This delivers formal guarantees that the vehicle’s decisions (e.g. braking or evasive manoeuvres) keep it within specified safety limits while maintaining ride comfort and regulatory compliance.

To realize this, the project integrates a suite of developed tools that (i) accelerate heavy computations on modern hardware, (ii) compute mathematically sound bounds on how complex, high-dimensional systems can evolve, and (iii) synthesize software controllers from high-level specifications. Together, these capabilities make it feasible to bring formal methods out of theory and into practical ACAS design, helping the automotive ecosystem move beyond “test until failure is unlikely” toward provably safe operation by construction.
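As an added worked example (not code from the CertiCar project or from pFaces), the following Python script shows the symbolic-control idea behind points (ii) and (iii): a 1-D car-following model is abstracted onto a grid, the successors of each cell are over-approximated for every lead-vehicle speed in a bounded disturbance range, and a greatest fixed point yields the maximal controller that provably keeps the gap above a required minimum. The model, constants and grid resolution are assumptions chosen for illustration.

```python
from math import floor, ceil
# Illustrative 1-D car-following model (an assumption, not CertiCar/pFaces code).
TAU = 0.5                       # control period [s]
G_MAX, S_MAX = 60.0, 20.0       # modelled gap [m] and ego-speed [m/s] ranges
DG, DS = 1.0, 1.0               # abstraction cell widths
G_MIN = 5.0                     # safety requirement: gap to the lead vehicle >= 5 m
W_MAX = 15.0                    # lead speed is an unknown disturbance in [0, W_MAX]
ACCELS = (-6.0, -3.0, 0.0, 2.0) # discrete ego accelerations [m/s^2]
NG, NS = int(G_MAX / DG), int(S_MAX / DS) + 1  # speed cell 0 is exactly "stopped"

def speed_bounds(j):            # cell 0 = {0}; cell j > 0 = (DS*(j-1), DS*j]
    return (0.0, 0.0) if j == 0 else (DS * (j - 1), DS * j)

def speed_cell(s):
    return 0 if s <= 0 else ceil(s / DS)

def travel(s, a):               # exact distance the ego covers in one period
    if s + a * TAU >= 0:
        return s * TAU + 0.5 * a * TAU * TAU
    return s * s / (2.0 * -a)   # the ego comes to a halt inside the period

def successors(i, j, a):
    """Sound over-approximation of all cells reachable from (i, j) under input a."""
    g_lo, g_hi = i * DG, (i + 1) * DG
    s_lo, s_hi = speed_bounds(j)
    ns_lo = min(S_MAX, max(0.0, s_lo + a * TAU))
    ns_hi = min(S_MAX, max(0.0, s_hi + a * TAU))
    ng_lo = max(0.0, g_lo - travel(s_hi, a))                  # lead stands still
    ng_hi = min(G_MAX, g_hi - travel(s_lo, a) + W_MAX * TAU)  # lead drives at W_MAX
    gi = range(int(floor(ng_lo / DG)), min(NG - 1, int(floor(ng_hi / DG))) + 1)
    sj = range(speed_cell(ns_lo), speed_cell(ns_hi) + 1)
    return [(x, y) for x in gi for y in sj]

def synthesize():
    """Maximal safety controller (greatest fixed point); returns {cell: allowed inputs}."""
    cells = [(i, j) for i in range(NG) for j in range(NS)]
    succ = {(c, a): successors(*c, a) for c in cells for a in ACCELS}
    safe = {c for c in cells if c[0] * DG >= G_MIN}          # the specification
    while True:
        keep = {c for c in safe if any(all(n in safe for n in succ[c, a]) for a in ACCELS)}
        if keep == safe:
            return {c: [a for a in ACCELS if all(n in safe for n in succ[c, a])] for c in safe}
        safe = keep

def choose(g, s, ctrl):
    """Runtime policy: least aggressive allowed input, or None outside the controllable set."""
    allowed = ctrl.get((min(NG - 1, int(floor(g / DG))), speed_cell(s)))
    return None if not allowed else min(allowed, key=abs)
```

Every cell left in the returned map has at least one input under which all over-approximated successors stay in the map, so the guarantee holds for any lead behaviour within the disturbance bound; states outside the map (e.g. a 6 m gap at 4.5 m/s) are ones the abstraction cannot certify.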

Overall objectives:

1- Capture ACAS requirements in formal, unambiguous terms that reflect safety, comfort, and traffic-rule compliance.

2- Automatically synthesize ACAS source code that implements those requirements with correctness guarantees.

3- Validate in realistic conditions, combining high-fidelity simulators and hardware testbeds to demonstrate safety across representative scenarios.

Expected impact:

1- Safety and trust: By guaranteeing correct behaviour rather than only testing for it, CertiCar targets a measurable reduction in crash risk, particularly in high-speed or complex edge cases.

2- Efficiency and cost reduction: Orders-of-magnitude fewer test miles are needed to reach confidence targets, shortening development cycles and lowering costs for industry.

3- Regulatory readiness: The method supports emerging safety-of-the-intended-functionality practices and helps align automated-driving software with rigorous assurance expectations.

Activities performed
• Simulator evaluation and selection. We benchmarked CARLA and MORAI against scenario realism, sensor/traffic modelling, API maturity, and support for occupancy-grid perception. MORAI was selected and configured with maps, sensors, and traffic agents matching our target use cases.
• Digital-twin setup. We built a reproducible simulation stack in MORAI, including an occupancy-grid interface for the ego vehicle and a scenario library (overtake, merge, car-following, emergency braking).
• Embedded platform convergence. We surveyed automotive-class AI computers and converged on NVIDIA Jetson Orin as the reference on-board platform. We established the build/runtime toolchain and connected pFaces to the device for symbolic controller construction.
• Formal synthesis integration. We integrated our symbolic-abstraction and controller-synthesis pipeline with MORAI. Controllers use the simulator’s occupancy grid as input and produce steering/braking commands for the ego vehicle.
• Closed-loop experiments. With the above components, we executed closed-loop runs in MORAI in which pFaces-synthesized controllers governed the ego vehicle across representative traffic scenarios.

Main scientific and technical achievements
• End-to-end demonstrator. A requirements-to-controller workflow that starts from machine-checkable specifications and produces executable control software, exercised in a high-fidelity digital twin.
• Symbolic controllers on an embedded target. Practical pathway established from offline synthesis to on-device execution on Jetson Orin.
• Occupancy-grid–driven decision making. Integration of symbolic control with grid-based perception in MORAI, enabling robust manoeuvre logic under sensor and traffic uncertainty.

Outcomes at the end of the action
• Prototype ACAS-synthesis framework coupling pFaces with MORAI and a Jetson Orin deployment path, capable of turning formal requirements and vehicle models into deployable ACAS code with documented guarantees.
• Validated digital-twin results, showing correct closed-loop behaviour of the ego vehicle across representative scenarios using occupancy-grid inputs.
• Reusable scenario library and toolchain, enabling regression testing and paving the way for hardware-in-the-loop and on-track evaluations in the next phase.

State-of-practice collision-avoidance functions are mainly tuned through extensive testing. Our project moves beyond this by delivering correct-by-design Advanced Collision Avoidance System (ACAS) software generated directly from machine-checkable requirements and exercised in a high-fidelity digital twin.

From requirements to code. We created a push-button workflow that takes formal safety/comfort/traffic-rule specifications and produces executable controllers via symbolic synthesis. This replaces ad-hoc prototyping with traceable artifacts tied to the original requirements.

Digital-twin validation at scale. After benchmarking CARLA and MORAI, we selected MORAI and built a configurable twin (maps, sensors, traffic, scenario library) to run large batches of closed-loop experiments before any road trials.

Embedded deployment path. We established real-time execution on NVIDIA Jetson Orin, demonstrating that synthesized controllers can run on automotive-class hardware and paving the way for hardware-in-the-loop and on-track testing.