Formal Verification of Autonomous Vehicle Platooning

The coordination of multiple autonomous vehicles into convoys or platoons is expected on our highways in the near future. However, before such platoons can be deployed, the new autonomous behaviors of the vehicles in these platoons must be certified. An appropriate representation for vehicle platooning is as a multi-agent system in which each agent captures the"autonomous decisions"carried out by each vehicle. In order to ensure that these autonomous decision-making agents in vehicle platoons never violate safety requirements, we use formal verification. However, as the formal verification technique used to verify the agent code does not scale to the full system and as the global verification technique does not capture the essential verification of autonomous behavior, we use a combination of the two approaches. This mixed strategy allows us to verify safety requirements not only of a model of the system, but of the actual agent code used to program the autonomous vehicles.


Introduction
While "driverless cars" regularly appear in the media, they are neither "driverless" nor fully autonomous.Legal constraints ensure that there must always be a responsible human in the vehicle.However, although fully autonomous road vehicles remain futuristic, the automotive industry is working on what are variously called "road trains", "car convoys" or "vehicle platoons".Here, each vehicle autonomously follows the one in front of it on the road, with the front vehicle in the platoon/convoy/train being driven manually.This technology is being introduced by the automotive industry in order to improve both the safety and efficiency of vehicles on very congested roads [18].It is especially useful if the vehicles are trucks/lorries and if the road is a multi-lane highway.
In these platoons, each vehicle clearly needs to communicate with others, at least with the one immediately in front and the one immediately behind.Vehicle-to-vehicle (V2V) communication is used at a lower (continuous control system) level to adjust each vehicle's position in the lanes and the spacing between the vehicles.V2V is also used at higher levels, for example to communicate joining requests, leaving requests, or commands dissolving the platoon.So a traditional approach is to implement the software for each vehicle in terms of hybrid (and hierarchical) control systems and to analyse this using hybrid systems techniques.
However, as the behaviours and requirements of these automotive platoons become more complex there is a move towards much greater autonomy within each vehicle.Although the human in the vehicle is still responsible, the autonomous control deals with much of the complex negotiation to allow other vehicles to leave and join, etc. Traditional approaches involve hybrid automata [12] in which the continuous aspects are encapsulated within discrete states, while discrete behaviours are expressed as transitions between these states.A drawback of combining discrete decision-making and continuous control within a hybrid automaton is that it is difficult to separate the two (high-level decision-making and continuous control) concerns.In addition, the representation of the high-level decision-making can become unnecessarily complex.
As is increasingly common within autonomous systems, we use a hybrid autonomous systems architecture where not only is the discrete decision-making component separated from the continuous control system, but the behaviour of the discrete part is described in much more detail.In particular, the agent paradigm is used [26].This style of architecture, using the agent paradigm, not only improves the system design from an engineering perspective but also facilitates the system analysis and verification.Indeed, we use this architecture for actually implementing automotive platoons, and we here aim to analyse the system by verification.
Safety certification is an inevitable concern in the development of more autonomous road vehicles, and verifying the safety and reliability of automotive platooning is currently one of the main challenges faced by the automotive industry.The verification of such systems is challenging due to their complex and hybrid nature.Separating discrete and continuous concerns, as above, potentially allows us to reason about the decision-making components in isolation and ensure that no decision-making component ever deliberately chooses an unsafe state.However, the use of the 'agent' concept alone is not enough for our purposes, since this can still make its autonomous decisions in an 'opaque' way.In order to be able to reason about, and formally verify, the choices the system makes, we need a rational agent [27].This not only makes decisions, but has explicit representations of the reasons for making them, allowing us to describe not only what the autonomous system chooses to do, but why it makes particular choices [10].
The Belief-Desire-Intention (BDI) model is one of the most widely used conceptual models not only for describing rational agents but for actually implementing them [20].A BDI-style agent is characterised by its beliefs, desires and intentions: beliefs represent the agent's views about the world; desires represent the objectives to be accomplished; while intentions are the set of tasks currently undertaken by the agent to achieve its desires.A BDI-style agent has a set of plans, determining how an agent acts based on its beliefs and goals, and an event queue where events (perceptions from the environment and internal subgoals) are stored.In this paper, we use the GWEN-DOLEN programming language [4], developed for verifiable BDI-style programming, to implement agent-based decision-making for an automotive platoon.This captures the high-level, autonomous decision-making within each vehicle.
As part of safety certification, we need to verify the agent decisions, especially in combination with the other vehicles.An autonomous rational agent makes decisions about what actions to perform, etc, based on the beliefs, goals and intentions that the agent holds at that time.We use a model-checking approach to demonstrate that the rational agent always behaves in line with the platoon requirements and never deliberately chooses options that end up in unsafe states.We verify properties of the rational agent code using the AJPF model-checker [7], one of the very few model-checkers able to cope with complex properties of BDI agents.Unfortunately, there are two drawbacks to using AJPF: currently, AJPF does not support verification of timed behaviours; and AJPF is resource heavy and cannot be used to verify the whole system.Consequently, in this paper, we use a combined methodology for the verification of automotive platooning.To evaluate timing behaviour, we use a timed-automata abstraction and verify the system using the Uppaal model-checker; to evaluate autonomous decisions, we apply AJPF to the individual agents together with an abstraction of the other vehicles/agents.Furthermore, we describe how these two approaches to modeling, i.e.BDI models and timed-automata, can be combined to provide an appropriate basis for verifying the behaviour of both individual agents and the whole system.
The remainder of the paper is organised as follows.In Section 2 the automotive platoon and platoon requirements are presented.In Section 3 the hybrid agent architecture and the agent-based decision-making for automotive platoon are described.In Section 4 the analysis and verification of an automotive platoon is considered.Finally, in Section 5, concluding remarks are provided and future work is discussed.

Automotive Platoons
An automotive platoon, enabling road vehicles to travel as a group, is led by a vehicle which is driven by a professional driver [21,22,25].The following vehicles, i.e, members of the platoon, are controlled autonomously.These vehicles, equipped with low-level longitudinal (controlling speed) and lateral (controlling steering) control systems, travel in a platoon with pre-defined gaps between them.In addition, V2V communication also connects the vehicles at an agent level.The lead vehicle, via its agent, effectively carries out coordination over the platoon: setting parameters, creating certificates of joining and leaving, etc.Each individual vehicle observes its environment and follows incoming commands from the lead agent.In what follows, we outline the set of high-level automotive platoon concepts and procedures including how to join and leave a platoon [2].In addition, the initial requirements on these procedures for the development of safe and reliable platooning are explained.From these we derive the formal properties to be verified.

Joining the Platoon
A vehicle can join a platoon either at the end or in the middle with different control strategies being used.The joining procedure is as follows: • a non-member vehicle sends a joining request to the platoon leader, expressing the intended position in the platoon; • if the vehicle has requested to join from the rear, the leader sends back an agreement provided the maximum platoon length has not been reached and the platoon is currently in normal operation; • if the vehicle requests to join in front of (for example) vehicle X and the maximum platoon length has not been reached, the leader sends an "increase space" command to vehicle X, and when the leader is informed that enough spacing has been created (approx.17 metres), it sends back an agreement to the joining vehicle; • upon receipt of an agreement, the joining vehicle changes its lane (changing lane is a manual procedure which is performed by a driver); • once the vehicle is in the correct lane, its automatic speed controller is enabled and it approaches the preceding vehicle; • when the vehicle is close enough to the preceding vehicle (less than 20 metres), its automatic steering controller is enabled and it sends an acknowledgement to the leader; and, finally • the leader sends a "decrease space" command to vehicle X, and when the leader is informed that spacing has been back to normal (approximately 5 metres), it replies to the acknowledgement.
In order to ensure a safe joining operation, the following requirements should be preserved within the agent-based decision-making components of automotive platoon.
1.A vehicle must only initiate joining a platoon, i.e., changing lane, once it has received confirmation from the leader.
2. Before autonomous control is enabled, a joining vehicle must approach the preceding vehicle, in the correct lane.
3. Automatic steering controller must only be enabled once the joining vehicle is sufficiently close to the preceding vehicle.

Leaving the Platoon
A vehicle can request to leave platoon at any time.The leaving procedure is: • a platoon member sends a leaving request to the leader and waits for authorisation; • upon receipt of 'leave' authorisation, the vehicle increases its space from the preceding vehicle; • when maximum spacing has been achieved, the vehicle switches both its speed and steering controller to 'manual' and changes its lane; and, finally • the vehicle sends an acknowledgement to the leader.
The two following requirements are necessary in order to meet with the agent-based decision-making components of automotive platoon.
1. Except in emergency cases, a vehicle must not leave the platoon without authorisation from the leader.
2. When authorised to leave, autonomous control should not be disabled until the maximum allowable platoon spacing has been achieved.

Agent-based Development of Automotive Platoon
We employ a hybrid agent architecture based on [5] for each vehicle: Real-time continuous control of the vehicle is managed by feedback controllers, implemented in MATLAB, and observing the environment through its sensory input.This is called the Physical Engine.The Physical Engine, in turn, communicates with an Abstraction Agent that extracts discrete information from streams of continuous data and passes this on a Decision-Making Agent.The Decision-Making Agent is a rational agent which directs the Physical Engine by passing it instructions through the Abstraction Agent.Instructions from the Decision-Making Agent to the Abstraction Agent are interpreted into meaningful instructions for Physical Engine.
To provide the complex environment necessary for effective simulation and testing, we use an automotive simulator, TORCS [23], to implement the environment component of the architecture.The Physical Engine is implemented in MATLAB, while both Abstraction and Decision-Making Agents are programmed in the GWENDOLEN programming language.An interface between TORCS and MATLAB/Simulink has been developed that provides a means to control vehicles from MATLAB and Simulink.
Listing 1 shows some of the GWENDOLEN code from the Decision-Making Agent for the joining procedure for follower vehicle.The GWENDOLEN syntax that is needed for this example is summarised in Fig. 1.Essentially, GWENDOLEN is an extension of Prolog-style declarative programming, incorporating explicit representations of goals, beliefs, and plans.For example, the first plan in Listing 1 (Line 7-12) denotes that once the follower agent sets a goal to join the platoon, it sends a request to the leader and waits for an agreement belief to become true.The changing lane plan in Listing 1 (Line 14-19) can be executed if and only if the follower agent has the agreement belief.In each iteration, the follower agent then selects plan based on its goals and beliefs.
A GWENDOLEN agent can also perform deductive reasoning on its beliefs, expressed through its reasoning rules.In the 'joining' scenario, the follower agent deduces that its goal to join the platoon has been achieved if it believes all the prescribed joining steps have been performed.This is represented by the platoon-ok belief.Essentially, the decision-making agent's activity proceeds in sequence: the follower has a goal to successfully join the platoon; it initiates changing lane, if it believes it has received an agreement from the leader; and the follower achieves the joining goal if it believes it is in right lane and the automatic speed and steering controller are enabled.Changing lane is performed manually by a driver and as long as the speed and steering controllers are not switched to automatic, driver needs to control speed and steering.Listing 1: A Follower Vehicle's code Joining the platoon is described in GWENDOLEN as an 'achievement' goal, meaning that the agent continuously attempts the plans given in Listing 1 until it believes that platoon-ok is true.This belief, platoon-ok, denotes that not only is the vehicle in the right lane but that its automatic controllers are enabled.It also determines that the leader has received an acknowledgement from the vehicle, confirming it has successfully joined the platoon.Subsequently, the agent deduces from its reasoning rule (Line 2) that the joining goal has indeed been achieved.

Verification 4.1 Verification Methodology
We can visualise the overall system as: The agent is a GWENDOLEN program, the Comms component is a simple transfer protocol, and the vehicle represents the particular vehicular system that we interact with.This is typically an automotive control system together with environmental interactions, and we have validated this both in simulation (using the TORCS automotive simulation) and in physical vehicles (using Jaguar outdoor rover vehicles).
Limits to Modelling/Verification.We are not going to formally verify the vehicular control systems, and leave this to standard mathematical (usually analytic) techniques from the Control Systems field.These control components, for example involving following a prescribed path, avoiding local obstacles, keeping distance from object, etc, are well-established and standard.Instead, we will verify the autonomous decisions the vehicles make, captured within each vehicle's 'agent' [10].Each agent represents the autonomous decision-maker within each vehicle and corresponds, in part, to the human driver's decisions.These decisions involve deciding where to go, when to turn, when to stop, what to do in unexpected situations, etc.In the case of autonomous vehicle convoys/platoons, the agent's (and, hence, the vehicle's) decisions concern when to join the convoy, when to leave, what to do in an emergency, etc.So, we begin by abstracting from all the vehicle control systems and environmental interactions, representing these by one (potentially complex, depending on the vehicle/environment interactions) automaton.We also use an automaton to describe the simple transfer protocol that the vehicles use for their communication.In both these cases we will use Timed Automata [1].Simplified, our architecture is: In describing agent behaviour, the agent automaton comprises added (modal) dimensions of (at least) belief and intention.Thus, the formal structures that allow us to fully represent all the system above are quite complex, combining timed relations as well as relations for each of the belief and intention dimensions [1,19].We will not describe this formal model in detail but just note that it is a fusion [9,11,16] of timed and BDI structures, L, A, C, E, inv, R B , R I , l , where: L is a finite set of locations; A is a finite set of actions; C is a finite set of clocks; The logic then interpreted over such structures combines [11] the syntax of timed temporal logic, for example ♦ ≤5 finish, and the syntax of modal logics of belief, desire and intention, for example B x started (i.e."agent x believes that started is true").
In principle, though very complex, we could provide all our convoy requirements in such a logic, build structures of the above form for our convoy implementation, and then develop a model-checking approach for this combination [15].However, there are several reasons we choose to abstract and separate the timed/agent strands, as follows.
• For certification it is important that we verify the actual agent program used in each vehicle, not a derived model of this.Consequently, we utilise a program model checking [24] approach to assess the correctness of each agent program.For this formal verification of the agent's autonomous decisions, we use AJPF [7], an extension of the Java PathFinder (JPF) program model checker [14] for GWENDOLEN that allows verification of belief/intention properties.
• We do not have the detailed implementations of all the communications protocol, the vehicular control, and environmental interaction, and so use an abstract, formal model to describe these, rather than actual code.
• JPF is an explicit-state program-checker and is relatively slow; AJPF builds a BDI programming layer on top of JPF and is at least an order of magnitude slower.Consequently, AJPF cannot realistically be used for verification of the whole system.In addition, as AJPF does not yet have real-time capabilities, then verifying timing aspects within AJPF is difficult.
While these appear problematic, there are several useful simplifications in our context: • When verifying autonomous behaviour, the formal verification we carry out concerns the interaction of beliefs, intentions, etc, within each agent.These do not extend between agents and so, checking of beliefs, intentions, etc, can be localised within each agent.
• In the requirements to be checked, the timed and BDI formulae are quite separate, i.e. ♦ ≤5 finish ∧ B x started but never ♦ ≤5 B x started or B x ♦ ≤5 finish.
As the overall logic is a fusion, and since there are no explicit timing constraints within an agent program (agents have fast internal computation), then this allows us to deal with the dimensions separately.
So, given an overall system, S, over which we wish to check ϕ, then we reduce S |= ϕ to two problems: 1. for each individual agent, A i , within S, verify the agent properties from ϕ, i.e. ϕ a , on the agent within an untimed environment (an over-approximation); and 2. verify the timing properties from ϕ i.e. ϕ t , on the whole system where the agent program is replaced by an untimed automaton describing solely its input-output behaviour (abstracting from internal BDI reasoning).
We explain both of these in more detail, before giving the relevant theorems.
Timed Automaton −→ Untimed Automaton.This is achieved by the over-approximation as above and then allows us to verify V i Comms A i |= ϕ a using AJPF: Vi ABSTRACT Formal verification using Uppaal is then carried out on the whole system with all agents abstracted in this way.We now prove important properties of these abstractions.For simplicity, we assume that S consists of just two agents/vehicles; this result can then easily be generalised to greater numbers of agents/vehicles.
Similarly, (b) gives us V 2 A 2 Comms12 |= ϕ a .As the agent properties in ϕ a are local, we can compose these to give By (c) we know that V 1 A 1 Comms12 A 2 V 2 |= ϕ t yet, as A 1 and A 2 have no timed behaviour to begin with, we know that A 1 and A 2 give us exactly the same timed behaviours.Consequently, V 1 A 1 Comms12 A 2 V 2 |= ϕ t and so S |= ϕ t .
These two together give us S |= ϕ a ∧ ϕ t .
Proof.Since the timing behaviour of each A i is identical to each

Individual Agent Verification using AJPF
To verify agent properties, we use the AJPF model checker on our agent, written in the GWENDOLEN language, as above.For instance, we verify that: If a vehicle never believes it has received confirmation from the leader, then it never initiates joining to the platoon.
This safety property corresponds to the first requirement of joining a platoon, as given in Section 2, and can be defined as: Here G x y stands for a goal y that agent x tries to achieve, B x z stands for a belief z of agent x, and D x k stands for an action k that agent x performs/does.The standard LTL operators, such as 2 meaning "always in the future" and W meaning "unless", are used.An instance of the above , where the agent never receives a join agreement, is: To be able to check such a property, incoming perceptions/communications should be provided.We supply two automata: Comm , representing communication to/from the other agents; and V i , representing vehicle responses to agent actions.Under this configuration, we were able to carry out the agent verification in around 12 hours.We have verified a range of safety and liveness properties and we provide some joining/leaving examples below.Note that the following properties can also be similarly expressed in terms of the weak until operator, W ; however, we denote a particular instance of these properties for the sake of brevity.
If a vehicle ever sends a 'join' request to the leader and eventually receives the join agreement and it is not already in the correct lane, it initiates 'joining' the platoon by performing "changing lane".
Property 3 is a liveness property ensuring that eventually (using the LTL ♦ operator) the joining procedure initiates the changing lane control system once its condition is fulfilled.Similarly, we can verify other properties to show progress such as eventually the speed and steering controllers are switched to automatic if pre-conditions hold.Other verified properties ensuring safe operation of the platoon are as follows.
If a vehicle never believes it has changed its lane, then it never switches to the automatic speed controller.
If a vehicle never believes it has received a confirmation from the leader, then it never switches to the automatic speed controller.
If a vehicle never believes it is sufficiently close to the preceding vehicle, it never switches to the automatic steering controller.
If a vehicle never believes it has received a confirmation from the leader to leave the platoon, i.e., increasing spacing has been achieved, then it never disables its autonomous control.
Note that the leader sends back the 'leave' agreement to follower3 if, and only if, it received an acknowledgement from follower3 showing that spacing has been increased.
It is important to recall that perceptions and communications coming in to the agent are represented as internal beliefs.Hence the proliferation of belief operators.The AJPF program model checker explores all possible combinations of shared beliefs and messages and so, even with the relatively low number of perceptions above, the combinatorial explosion associated with exploring all possibilities is very significant.Therefore, verifying the whole multi-agent platooning system using AJPF is infeasible.
To verify the global properties of multi-agent platooning, we use a complementary approach.We manually generate a model of the whole system as timed-automata and use the Uppaal model checker to establish the (timed) correctness of multi-agent platooning.In the following, we review the relevant timed-automata and highlight some of the global safety properties of vehicle platooning that have been verified using Uppaal.

Timed Automata Model of Automotive Platoons
We model vehicle platooning in Uppaal as a parallel composition of identical processes describing the behaviour of each individual vehicle in the platoon along with an extra process describing the behaviour of the platoon leader (the leader automaton).Each of these vehicle processes is a parallel composition of two timed automata, vehicle and agent.The agent automaton, in turn, comprises both Comms and A i components, as given in Section 4.1 .
The vehicle automaton supplies incoming perceptions for the agent automaton.It describes the sensor models and action execution.The vehicle automaton receives, and responds to, the action commands of the corresponding agent through three pairs of binary channels modelling change-lane, set-space and join-distance commands and responses.To model timing behaviour, we define a clock for the vehicle automaton which models the time assessments for "changing lane", "setting space" and "joining distance" actions.Based on engineers' study, actions change-lane, set-space and joindistance take 20 ± 5, 10 ± 5 and 10 ± 5 seconds, respectively.
The agent automaton models an abstracted version of the GWENDOLEN agent by excluding all internal computations of the agent.The overall structure of an agent consists of 5 regions, shown in Fig. 2. If the automaton is in the IDLE region, which consists of only one location, then the agent does not perform any action at that moment.The regions JOIN, LEAVE, SET-SPACE and SW-STEERING represent the sequence of necessary communications with other agents (and the vehicle) in order to achieve the agent's goals.If a vehicle is part of the platoon it can leave the platoon or receive messages from the leader to set spacing or switch steering controller.If a vehicle is not part of the platoon, it can only join the platoon.Each agent automaton contains two binary channels join-r[i][0] and leave-r[i][0] to model the unicast sending of 'join' and 'leave' requests to the leader and two binary channels joined-suc[i][0] and leftsuc [i][0] to model the unicast sending of 'join' and 'leave' acknowledgements to the leader.These channels are used to model the message passing between the following agents and the leader, modelled in decision-making agent (Section.3).Furthermore, each agent automaton also contains channels to send commands to its vehicle and receive acknowledgements from its vehicle.The agent automaton has a clock processtime that is used to model the time consumption for achieving goals.
Next, we define a leader automaton to model the external behaviour of the leader agent (Fig. 3), where the coordination between agents is handled through unicast synchronisation channels.Upon receipt of a joining request, i.e., join-r[i][0]!, it sends a "set spacing" command to the preceding agent where the requested agent wants to be placed.The leader sends a joining agreement, i.e., join-agr-c[0][i]?, to the requested agent, if it has successfully set spacing between the two vehicles where the requested vehicle will be placed.Follower i synchronises with the leader via join-agr-c channel.Then the leader waits for an acknowledgement from the requested agent.It waits for at most the upper bound time for setting space, changing lane and getting close enough to the front vehicle.Upon receipt of the acknowledgement, the leader sends a confirmation to the agent and a "set spacing" command to the preceding agent to decrease its space with the front vehicle to complete the joining procedure.If it does not receive the acknowledgement in time, it sends a "set spacing" command to the preceding agent to decrease its space and waits for a spacing acknowledgement then goes back to the idle location, ready for the next request.The leader communicates with the agents through synchronisation channels.It passes messages to the follower through channels dedicated to the agreements, setting space and switching steering controller.For simplicity, we assume the leader handles only one request at any time.

Multi-agent Platooning Verification using Uppaal
Now we have timed automata representations of the platoon, we can carry out verification of their properties using Uppaal.For simplicity, we analyse the global and timing properties of a multi-agent platoon composed simply of a leader and three vehicles (with three corresponding) agents.We assume vehicles can always set spacing and joining distance in time, i.e., 10 ± 5, but can fail to change lane in time, i.e., less than 20 + 5.In the following, we first give examples of global properties involving the coordination between the leader and the followers.Second, we evaluate timing requirements: the safe lower and upper bounds for joining and leaving activities.We observed that the verification of these properties took less than 3 seconds using Uppaal.
If an agent ever receives a joining agreement from the leader, then the preceding agent has increased its space to its front agent.This property is formulated for agent a3 as follows (A represents "on all paths"): where a3 is the agent which is in the rdy_ch_lane location, i.e, the agent has received a joining agreement, variable joining_vehicle.front indicates the identification of the preceding agent, flag a2.incr_spacing models that the preceding agent has received an "increase space" command from the leader and, finally, flag a2.spacing_done models whether agent a2 has successfully increased its space.We can also verify this property for agents a2 and a4.Property 8 is a safety requirement ensuring that a vehicle initiates "changing lane" only if sufficient spacing is provided.The next property of interest is whether a joining request always ends up increasing space of the preceding vehicle.To express this property, we use the leads to property form, written ϕ ψ.It states that whenever ϕ is satisfied, then eventually ψ will be satisfied.Such properties are written as ϕ ψ in Uppaal.We verify the property (9) to show that whenever agent a3 is in the wait_ j_ agr location, i.e., has sent a joining request, and agent a2 is the preceding vehicle in the platoon, then eventually a3 will receive an increasing space command and will perform the action.
To ensure that the spacing always decreases after a joining procedure, i.e., platoon returns back to a normal state, we verify that if ever the leader receives a joining request, it eventually sends a decreasing space command to the preceding agent unless the joined agent is the final one in the platoon.
A2 ((a3.join_completed&& l.joining_vehicle.front== 2) imply ( !a2.incr_spacing && a2.spacing_done)) Given the required time for a vehicle to carry out "set spacing", "joining distance" and "changing lane" tasks, we are interested in verifying if an agent accomplishes joining the platoon within an expected interval: waiting time for agreement + changing lane + joining distance + waiting time for leader confirmation, represented in Property 11.
A2 (a2.join_completed imply (a2.process_time ≥ 50 && a2.process_time ≤ 90)) Similarly, we check if an agent leaves a platoon within an expected interval: waiting time for agreement + changing lane + waiting time for leader confirmation.Waiting time for agreement is equal to the time needed to set space and waiting time for leader confirmation is zero because we assume switching steering controllers is immediate.

Concluding Remarks
The verification of safety considerations for automotive platooning is quite complex and difficult.There are several reasons for this.
• These are non-trivial hybrid autonomous systems, with each vehicle mixing feedback controllers and agent decision-making.
• There is a strong requirement to verify the actual code used in the implementation, rather than extracting a formal model of the program's behaviour -this leads on to program model-checking, which is resource intensive.
• There are no other practical systems able to model check temporal and modal properties of complex BDI agents -thus we are led to AJPF.
• AJPF is very resource intensive (as we have seen, 12 hours for some agent properties) and cannot be practically used to verify whole system properties of automotive platooning.
• Especially when interacting with real vehicles we need to verify timed properties.
Thus it is perhaps not surprising that such formal verification has never been reported before.Safety verification of platooning in the contorl level was investigated extensively [13,17].A combined verification approach for vehicle platooning is proposed in [3] where the system behaviour is specified in CSP and B formal methods.A compositional verification approach for vehicle platooning is introduced in [8] where feedback controllers and agent decision-making are mixed.
In order to address all of the above concerns, we have adopted a twin strategy.We use AJPF to verify individual agent properties, given realistic abstractions of environmental interactions.We then abstract from the BDI code and produce an abstract agent automaton suitable for use in Uppaal verification.This then allows us to formally verify platoon requirements and safety considerations, a sample of which we have included.
It must be emphasised that the agent code that we verify is actually the code that controls the vehicle both in the TORCS simulation and in the real vehicle that we are developing.Thus, as long as the environmental abstractions are correct, we can be sure of the decisions made by the agent.
Future Work.There is clearly much future work to tackle.An obvious one is to continue efforts to improve the efficiency of AJPF.
Maintaining a safe platoon in case of recoverable latency and dissolving a platoon in the case of unrecoverable latency are two procedures that are not implemented in our verified agent code due to a shortcoming of AJPF.Adding these two procedures to the agent grows the system space to the extent that AJPF fails to verify any property.Thus, we are investigating an agent abstraction at the level of goals, beliefs and intentions in order to use AJPF for verification of more complex agents.
Since we are concerned with certification of automotive platooning in practice, we are aiming to extract a more comprehensive list of formal properties from official platoon requirement documents.Related to this, we are also in the process of porting the agent architecture on to a real vehicle and so testing the platooning algorithms in physical, as well as just simulation, contexts.
Finally, an important aspect of our two pronged strategy is to link the models used in Uppaal to the programs that AJPF uses.In this paper we generated the Uppaal models by hand, extracted temporal formulae to capture their (non-timed) behaviour, and then verified these temporal formulae on the agent code.This at least shows that the timed automata we built correspond to the agent code execution.We believe that all of this can be automated.In particular, we plan to use the AJPF framework to explore the agent code executions and so automatically build up the automaton that Uppaal can use [6].This would give a much stronger form of completeness and would improve efficiency.

Figure 1 :
Figure 1: GWENDOLEN [4] Syntax R e a s o n i n g R u l e s j o i n i n g (X, Y): − name (X) , p l a t o o n −ok P l a n s + !j o i n i n g (X, Y) [ a c h i e v e ] : {B name (X) , ~B j o i n _ a g r e e m e n t (X, Y) } <− + !s p e e d _ c o n t r ( 0 ) [ p e r f o r m ] , + !s t e e r i n g _ c o n t r ( 0 ) [ p e r f o r m ] , .s e n d ( l e a d e r , : t e l l , j o i n _ r e q (X, Y ) ) , * j o i n _ a g r e e m e n t (X, Y ) ; + !j o i n i n g (X, Y) [ a c h i e v e ] : {B name (X) , B j o i n _ a g r e e m e n t (X, Y) , ~B c h a n g e d _ l a n e , ~G s e t _ s p a c i n g ( Z ) [ a c h i e v e ] } <− + !s p e e d _ c o n t r ( 0 ) [ p e r f o r m ] , + !s t e e r i n g _ c o n t r ( 0 ) [ p e r f o r m ] , p e r f ( c h a n g i n g _ l a n e ( 1 ) ) , * c h a n g e d _ l a n e ; + !j o i n i n g (X, Y) [ a c h i e v e ] : {B name (X) , B j o i n _ a g r e e m e n t (X, Y) , B c h a n g e d _ l a n e , ~B s p e e d _ c o n t r , ~B s t e e r i n g _ c o n t r , ~B c l o s i n g _ e n o u g h , ~G s e t _ s p a c i n g ( Z ) [ a c h i e v e ] } <− + !s p e e d _ c o n t r ( 1 ) [ p e r f o r m ] , * j o i n i n g _ d i s t a n c e ; + !j o i n i n g (X, Y) [ a c h i e v e ] : {B name (X) , B j o i n _ a g r e e m e n t (X, Y) , B c h a n g e d _ l a n e , B s p e e d _ c o n t r , ~B s t e e r i n g _ c o n t r , B c l o s i n g _ e n o u g h , ~G s e t _ s p a c i n g ( Z ) [ a c h i e v e ] } <− + !s t e e r i n g _ c o n t r ( 1 ) [ p e r f o r m ] ; + !j o i n i n g (X, Y) [ a c h i e v e ] : {B name (X) , B j o i n _ a g r e e m e n t (X, Y) , B c h a n g e d _ l a n e , ~B s p e e d _ c o n t , ~B s t e e r i n g _ c o n t r , B c l o s i n g _ e n o u g h , ~G s e t _ s p a c i n g ( Z ) [ a c h i e v e ] } <− + !s p e e d _ c o n t r ( 1 ) [ p e r f o r m ] , + !s t e e r i n g _ c o n t r ( 1 ) [ p e r f o r m ] ; + !j o i n i n g (X, Y) [ a c h i e v e ] : {B name (X) , B j o i n _ a g r e e m e n t (X, Y) , B c h a n g e d _ l a n e , B s p e e d _ c o n t r , B s t e e r i n g _ c o n t r , B c l o s i n g _ e n o u g h , ~B p l a t o o n _ m , ~G s e t _ s p a c i n g ( Z ) [ a c h i e v e ] } <− .s e n d ( l e a d e r , : t e l l , m e s s a g e (X, j o i n e d _ s u c c ) , * p l a t o o n _ m , p l a t o o n −ok ; least in principle, leads to an overarching formal model: edges between locations; inv : L → Ψ(C) is a function associating each location with some clock constraint in Ψ(C); R B : Ag → (L × L), where Ag is the set of 'agents' and R B (a) provides the belief relation (corresponding to KD45 modal logic) for agent a between locations; R I : Ag → (L × L), where R B (c) provides the intention relation (KD) for agent c between locations; and l : L → 2 AP is a labelling function essentially capturing those propositions true at each location (AP is a set of atomic propositions).