Reachset Conformance and Automatic Model Adaptation for Hybrid Systems

Abstract: Model-based verification uses a model to reason about the correctness of a real system. This requires the model and the system to be conformant, such that verification results on the model can be transferred to the real system. Especially for hybrid systems, which combine discrete and continuous behavior, defining and checking conformance is a difficult task. In this work, we present reachset conformance for hybrid systems, which transfers safety properties from a model to the real system. We show how a model can be adapted to be conformant to measurements of a real system and demonstrate this for a real autonomous vehicle. The obtained reachset-conformant model can be used for the verification of safety-critical properties, such as collision avoidance.


Introduction
The number of technical systems operating autonomously and without human interference is continuously growing. It is of utmost importance to demonstrate that such autonomous systems cannot harm people, cause damage, or breach any other important specification. Autonomous vehicles and moving robots are examples of such safety-critical applications, where the discrete and continuous aspects are tightly intertwined; these systems are often referred to as hybrid systems.
Model-based formal verification is an important approach toward safer systems. In particular, reachability analysis computes the set of reachable states of a model and can be used to check whether unsafe states are possible [1,2]. To include the different possible behaviors of the real system, verification models for reachability analysis are non-deterministic. This means that at each point in time, there might be multiple evolutions of the model, and one has to reason about all of them. The basic assumption of model-based verification is that the model is related to the system in such a way that the safety of the system is implied once the safety of the model has been shown. We call a relation between a system and a model a conformance relation and argue that it should also be defined formally. Otherwise, one cannot be sure that the used conformance relation allows safety properties to be transferred from the model to the real system, which would make the formal verification effort useless. Hence, the conformance relation connects the formal world of reasoning with the real world.
A major challenge of a verification model is that it simultaneously has to be amenable to verification and conformance. This is challenging because (i) a model with significant non-determinism is conformant, but it might have too many reachable states to verify properties (model 1 in Figure 1), and (ii) a model with insignificant non-determinism is amenable to verification, but it might not be conformant to the real system because some states cannot be produced by the model (model 4 in Figure 1). Between these two extremes are the most useful models, amenable to both verification and conformance (model 2 and model 3 in Figure 1). We argue that an optimal model has just enough non-determinism that reachset conformance holds, so as to retain the most freedom possible for verification. A method is needed to build verification models that maximize verification capabilities while ensuring conformance.

Figure 1. The reachable states (gray area) of several verification models as well as the unsafe states (dotted area) are shown. With increasing determinism, the set of reachable states becomes smaller. When the reachable set is too small to contain all possible states of the real system, the model is no longer conformant. Also, when the reachable set is too big, it intersects with the unsafe states, and thus, it cannot be used for successful verification. The optimal model has the most determinism while being conformant.
In a previous paper [3], we introduced reachset conformance and showed how to test it for a given (hybrid-system) model M and measurements of a (real) system S. Here, we extend these results in several aspects:

Natural choice: We show that safety properties can be transferred from M to S exactly when reachset conformance between M and S holds. Therefore, reachset conformance is the natural choice for transferring safety properties.
Quantified reachset conformance check: A robustness measure is introduced, which is based on the distance of a point to the boundary of a reachable set. In our setting, reachable sets are represented as zonotopes, and as a result, exclusion can be checked using linear programming techniques. This is computed for the measured data of the real system under some input and the output of the verification model for the same input, cf. Figure 2.
Model adaptation: We show how to automatically adapt the non-determinism of a model M such that M becomes reachset-conformant to S. This is computed by identifying bounds on non-deterministic parameters. The bounds are optimized using Bayesian optimization to minimize the non-determinism while remaining conformant, cf. Figure 1. In addition to building a reachset-conformant model, the method maximizes the verification capabilities of the model, cf. model 3 in Figure 2. Thus, our method helps to overcome the burden of building a formal verification model.

Autonomous vehicle application: We apply our methods to a real automated vehicle and construct a verification model of the vehicle. Measured driving data of the automated vehicle were recorded, and our model adaptation was applied to identify the non-determinism of the verification model such that the model is reachset-conformant to the automated vehicle. Our verification model is amenable to verification, showing that our approach is applicable to the highly relevant use case of autonomous vehicles. This is the first work showing reachset conformance for a real (autonomous) vehicle.
The paper is structured as follows: First, we discuss related work on conformance and verification in Section 2. In Section 3, we present the underlying formalism of hybrid automata and other preliminaries. In Section 4, we present reachset conformance, prove that it is necessary and sufficient to transfer safety properties, and compare it to trace conformance, which is discussed in [4]. In Section 5, we present a testing method for reachset conformance. In Section 6, we introduce our model adaptation algorithm. In Section 7, we apply the presented techniques to a real vehicle and build a reachset-conformant vehicle model. Finally, we give some conclusions and future directions.

Verification
An overview of safety verification for hybrid systems is provided by Guéguen et al. [1]. Schupp et al. [5] give an overview of methods for the reachability analysis of hybrid systems and discuss their challenges with respect to verification. In this work, we focus on reachability-based verification techniques. In the context of our application example, autonomous vehicles, the reachability analysis tool CORA [6] has been used for the verification of cooperative and non-cooperative maneuvers of autonomous vehicles [7]. The reachability analysis computations are fast enough to allow online verification while the vehicle is driving [7].

Conformance
A variety of conformance relations have been defined. For brevity, we only mention the most important ones here and refer to the survey by Roehm et al. [8] for a detailed overview of different conformance relations. Since properties are typically specified on output traces, one important notion of conformance is trace conformance for hybrid automata [4] and, similarly, hybrid input-output conformance [9]. It requires that all possible output traces of one system S are also output traces of the other system M. Trace conformance reflects the conventional notion of conformance of discrete automata, where traces of one system also have to be traces of the other one [10]. When trace conformance holds, universally quantified properties are transferred, such as metric temporal logic formulas [11].
Trace conformance has been generalized to approximate versions, which do not require the traces of one system to be included in the other but allow some deviation. The (τ, ε)-closeness [12] allows for some value differences as well as time shifts. (τ, ε)-closeness testing is performed by using a robustness value as a heuristic to guide the testing toward non-conformant behavior [13]. ε-δ-similarity is a notion similar to (τ, ε)-closeness, but it does not allow local time disorder in the comparison of two traces [14]. The ε-Skorokhod conformance [15] uses the Skorokhod metric to quantify the distance between traces. The Skorokhod distance can also be computed between reachpipes [16], which are, for instance, traces with an ε-ball around them. One problem is that approximate relations do not transfer properties directly; instead, the property is altered on transference [11,15].
So far, we have only reviewed conformance relations applied to the output space. In contrast, there are a variety of other conformance relations relating the states of the systems, which are called simulation relations [17][18][19][20][21][22]. The basic idea is that states of both systems are related such that evolutions from any state of one system can be mirrored by evolutions of a related state of the other system. There also exist approximate versions of simulation relations, which require the states to be only approximately similar [23][24][25]. On the one hand, simulation relations transfer more properties compared to trace conformance. On the other hand, they require the systems to be more similar to each other than trace conformance does. Since simulation relations require knowledge of the states, real systems cannot be considered, because their exact state is inaccessible, except when all states can be measured. Hence, we will focus on comparing the reachset conformance relation to trace conformance (cf. Section 4). For a comparison of simulation relations and reachset conformance, we refer to the survey by Roehm et al. [8].
Since we introduced reachset conformance in 2016 [3], there has already been some work in the direction of identifying non-determinism for reachset conformance. Liu and Althoff [26] have published a method to identify non-determinism for dynamical systems to be reachset-conformant and applied it to the reachset conformance of robots. Kochdumper et al. [27] have shown a synthesis algorithm for the reachset conformance of linear hybrid systems that leverages the internal structure of the hybrid system. Furthermore, methods to bound additive errors for discrete-time dynamical models have been published [28,29]. Contrary to these methods, our method does not require any special knowledge of the hybrid system and is not restricted to a subclass of hybrid systems.
There exist methods for finding the parameters of a deterministic hybrid system to approximate measured data [30]. Our work differs in that we identify the non-determinism needed to include measurements in a non-deterministic model.

Preliminaries
In this paper, we use hybrid automata as a modeling formalism. A hybrid automaton can be seen as a finite automaton whose discrete states are annotated with differential inclusions that define the non-deterministic evolution of the continuous states [31]. An overview of definitions of hybrid automata and their differences has been presented by Frehse [17]. In our work, a (non-deterministic) hybrid automaton H consists of , where P(X) is the power set of X;
• A guard set guard((q, q')) for each transition (q, q') ∈ T;
• A jump function jump_(q,q') : X → P(X) for each transition (q, q') ∈ T.
For a given input function u : R^+ → U, which maps each point in time to an input value, a state trace x of H is
x = (q_0, x_0(.)) (q_1, x_1(.)) . . .
with discrete states q_i ∈ Q, continuous state functions x_i : [t_i, t_{i+1}] → X, and with the initial state (q_0, x_0(0)) ∈ I_H. The transitions from q_i to a new state q_{i+1} have to satisfy (q_i, q_{i+1}) ∈ T. The continuous state function x_i(.) has to satisfy the invariant set x_i(t) ∈ inv(q_i) and the differential inclusion ẋ_i(t) ∈ F_H(q_i, x_i(t), u(t)). Upon a discrete transition (q_i, q_{i+1}), the continuous state satisfies x_i(t_{i+1}) ∈ guard((q_i, q_{i+1})) as well as x_{i+1}(t_{i+1}) ∈ jump_(q_i,q_{i+1})(x_i(t_{i+1})). Note that we have a non-deterministic initial state, non-deterministic flow, and non-deterministic jump functions, so there are multiple state traces possible for a given input trajectory u(.). The set of state traces for a given hybrid automaton H with initial set I_H under input u(.) is denoted by straces(H, u(.), I_H).
While state traces represent the internal states of the system, they are not observable. Instead, we are able to observe the output trace τ : R^+ → O, which is the mapping of the state trace x onto the observable output space via the map out: The set of all output traces under an input trajectory u(.) and the initial set I_H is denoted by otraces(H, u(.), I_H). Therefore, the set otraces(H, u(.), I_H) represents all possible observable behaviors over time for the given u(.) and I_H. If otraces(H, u(.), I_H) has only one element for every u(.) and a single initial state, the hybrid automaton H is called deterministic and non-deterministic otherwise.
The already existing trace conformance, which we discussed in the overview section, can now be defined formally:

Definition 1 (trace conformance [4]). Let S and M be two systems with the same input set and output space, and with the initial sets I_S and I_M; then S is trace conformant to M, which is denoted by S T M, if otraces(S, u(.), I_S) ⊆ otraces(M, u(.), I_M) holds for all u(.) ∈ U(.).
This means that when trace conformance holds, all observable behavior over time of S is also observable behavior of M. A safety property consists of a set of unsafe output states B_t for every time t. If this set is never reachable, i.e., ∀τ ∈ otraces(H, u(.), I_H) ∀t ≥ 0 : then H is considered safe. Given such a safety property with B_t and a model M, verification deals with algorithmically checking that (4) holds. When reasoning about the future evolution of a system H, one has to consider all, potentially infinitely many, output traces. With infinitely many traces, dealing with the output traces directly is intractable. One important approach to solving this problem is reachability analysis. For one point in time t, the reachable set (or shorter: reachset) of outputs of the hybrid automaton H at time t contains all output states that are possible at time t for a given input trajectory u(.): We call the sequence of these reachable sets Reach_t(H, u(.), I_H) over time t the reach sequence of H. Note that the elements of otraces are functions over time, whereas the set Reach_t consists of output states for one point in time t only. Reachable sets can be used to reason about properties of H by verifying that no unsafe set B_t of a safety property is reachable: ∀t ≥ 0 : Since the reach sequence is an abstraction of the output traces otraces(H, u(.), I_H), trace conformance is not the best relation for transference between reach sequences, as described in Section 4. Therefore, we present reachset conformance in the following section.
Let us now specify the problems addressed in this paper more formally and generally. Given a non-deterministic model M of a hybrid system S, the type of relation S M between S and M needed to transfer any safety property ψ from M to S is: where S |= ψ means that system S has the property ψ.
Let us also introduce a Gaussian process (Section 6.4, [32]) with parameter vectors P = (p_1, ..., p_n) and V = (v_1, ..., v_n) as a function gp mapping the input p to a Gaussian distribution with mean m(p) and variance σ²(p). The pairs (p_i, v_i) are the samples, and the Gaussian process generalizes the mapping by estimating the similarity between different values for p. The functions m(p) and σ²(p) are defined as [32]: where T denotes matrix transposition, and k(p, p') is a kernel function defined (in our case) as k(p)^T = (k(p_1, p), ..., k(p_s, p)), c = (c_1, ..., c_s), and the matrix K contains the entries k(p_i, p_j) in the i-th row and j-th column. The parameters θ_i can be computed using hyperparameter optimization with P and V (Section 6.4.2, [32]).

Reachset Conformance
With the preliminaries from Section 3, we are now able to formally define the notion of reachset conformance.
Definition 2 (reachset conformance [3]). Let S and M be two systems with the same input space and output space. Let I_S and I_M be the initial sets of S and M, respectively; then, S is reachset-conformant to M, denoted by S R M, if for all possible inputs u(.) and t ≥ 0:

Reachset conformance directly considers the non-determinism of models while still being able to transfer safety properties.

Proposition 1. Let two systems S and M be given with S R M and initial sets I_S and I_M, respectively. Let a safety property with forbidden state sets B_t be given for all t. For any input trajectory u(.), the following transference holds for every t:

Proof. Since S is reachset-conformant to M and thus Reach_t(S, u(.), I_S) is a subset of Reach_t(M, u(.), I_M) for all t, the proposition follows immediately.
The following theorem shows that reachset conformance is the natural choice for the transference of safety properties.
Theorem 1. Let two systems S and M be given. The transference of safety properties is equivalent to reachset conformance: (10) holds for all t and all possible B_t ⇔ S R M.
Proof. One direction follows from Proposition 1. For the other direction, let us assume that (10) holds for all t and all possible B_t. Choosing B_t := R^m \ Reach_t(M, u(.), I_M), which is the complement of the reachable set of M at time t, the intersection of B_t and Reach_t(M, u(.), I_M) is obviously empty. Since this property is transferable from M to S, the equation Reach_t(S, u(.), I_S) ∩ (R^m \ Reach_t(M, u(.), I_M)) = ∅ holds, and thus, Reach_t(S, u(.), I_S) ⊆ Reach_t(M, u(.), I_M). This works for every t, and thus, S is reachset-conformant to M.
Although we are mainly interested in the transference of safety properties, there are temporal fragments that transfer with reachset conformance, for instance, temporal properties formalizable in reachset temporal logic, which was introduced by Roehm et al. [33]. However, temporal properties cannot be transferred in general, as the reach sequence is an abstraction of the output traces. Reachset conformance is a weaker conformance notion than trace conformance:

Theorem 2. Let S and M be two systems with the same input set and output space; then, holds. The converse holds if the system M (and thus S) is deterministic.
Proof. Let u(.) be an input trajectory, t a point in time, y ∈ Reach_t(S, u(.), I_S), and S T M. Then, there is a τ ∈ otraces(S, u(.), I_S) with τ(t) = y. From S T M, it follows that τ is also a trace of M and y ∈ Reach_t(M, u(.), I_M). The proposition follows, because the aforementioned implication holds for all y, t, and u(.). When the system M is deterministic, there is only one trace in otraces(M, u(.), I_M), and the reachable set for any time consists of only one state. Hence, S has the same trace and is also deterministic.
This shows that reachset conformance is weaker compared to trace conformance and that we can transfer properties between reachsets in cases where trace conformance does not hold.

Reachset Conformance Testing
In this section, we show how to check the reachset conformance of a real system S against a model M. Additionally, we introduce a robustness measure which quantifies conformance. Since proving a physical model against the real world is not possible, the goal is to check whether the non-conformance of S to M can be shown by a counter-example for a given input u(.). Hence, we have to prove that the negation of (9) holds, which is ∃u(.) ∈ U(.) ∃t ≥ 0 : Reach_t(S, u(.), I_S) ⊈ Reach_t(M, u(.), I_M).
Our test to check reachset conformance consists of three steps:
1. Obtain measurements of the system S as an underapproximation Reach^u_t(S, u(.), I_S) ⊆ Reach_t(S, u(.), I_S) of the reachable states of S for a finite set T of points in time t ∈ T.
2. Compute an overapproximation Reach^o_t(M, u(.), I_M) ⊇ Reach_t(M, u(.), I_M) of the reachable set of M for all t ∈ T.
3. Check whether Reach^u_t(S, u(.), I_S) ⊆ Reach^o_t(M, u(.), I_M) holds for every t ∈ T. If a non-inclusion is found for any t, a counter-example is found, and non-conformance is proven.
In the following, we discuss the steps in detail.

Obtain Measurements of S
Real measurements are subject to noise, and we assume there exists an error bound ε, which bounds the deviation of all measurements (t_i, τ_i) from the true trace τ: In our case, we consider d_2(.) to be the Euclidean 2-norm. Taking all runs of S for the same input u(.), this approach builds up reachable set underapproximations.

Overapproximation of the Reachable Sets of M
An overapproximation of M can be efficiently computed using reachability analysis. Our work builds on the tool CORA [6] to compute reachable set overapproximations for hybrid automata with nonlinear continuous dynamics. CORA uses zonotopes to represent reachable sets due to their efficiency in linear transformations and Minkowski additions [34].

Definition 3 (Zonotope). An n-dimensional zonotope Z in generator representation (G-representation) is the set
where c ∈ R^n is called the center and g_1, ..., g_m ∈ R^n are called the generators of Z.

Exclusion Check
For a given t ∈ T, we have to check if a given measurement τ_i with t = t_i is excluded from Reach^o_t(M, u(.), I_M). Since we consider the measurement error, we have to check that all possible candidates for the real value are not contained in order to prove exclusion. Hence, the ε-ball around τ_i has to be completely outside the reachable set to prove that a counter-example exists.
The distance is important information, which we will use for the model adaptation. Therefore, we use support functions to define a distance metric (note that the approach using support functions can be applied to other convex (reach-)set representations as well) [35].

Definition 4 (robustness). Let a vector d ∈ R^n \ {0}, a point x ∈ R^n, and a zonotope Z with center c and m generators g_i be given. Then
is the directed robustness of Z and x in direction d. The robustness of x and Z is defined as ρ(Z, x) := min_d ρ_d(Z, x).
If the robustness metric ρ(Z, x) is negative, x lies outside of Z, and the robustness gives the negative of the minimal distance between Z and x in the Euclidean norm. If x is contained in Z, the robustness is the distance of x to the surface of Z. Hence, the robustness metric enables us to check exclusion.

Theorem 3. A point x ∈ R^n is not contained in a zonotope Z if and only if the robustness is negative:

Proof. Let us assume that x ∈ Z and Z has the generators g_i. Then, there exist λ_i with x = c + ∑ λ_i g_i and |λ_i| ≤ 1. For any d holds
The other direction follows analogously.
For a given point τ_i with error ε, we are able to show exclusion of the real measurement by checking ρ(Z, τ_i) > ε (see Proposition 5, [3]). Hence, ρ(Z, τ_i) has to be computed. This can be achieved by sampling directions d and approximating the robustness, as shown in [3]. Another approach is to use linear programming to find the direction d which minimizes ρ_d(Z, x).

Model Adaptation
As the verification capabilities of a model are highly dependent on the sizes of the reachsets, the measure m_ver(M) on the reachsets is used to determine the verification capabilities:
m_ver(M) = avg_t Vol(Reach_t(M, u(.), I_M)), (16)
where the volume function Vol is a metric on the reachable sets. Here, we use the volume of the reachsets, but the P-radius [36] and F-radius [37] can be used as well in case of computational limitations. Similarly, the conformance measure m_conf(M) is defined as
to show how robustly the model is conformant for given measurements (t_i, τ_i) of the real system S under input u(.) and initial condition I_M. Hence, an optimal model M_g (with respect to Figure 1) can be defined as
where M is the set of all possible models. For computational feasibility, we assume that M can be represented by a parametrization, that is, a surjective projection π : R^l → M, π(p) = M. The idea is to represent possible amounts of non-determinism by parameters, as shown in the following example.

Example 1. Let us consider the toy example of a bouncing ball. At one point in time, it has a certain height h over the ground and a velocity v. Over time, it is accelerated by gravity and bounces off when reaching the ground. As non-determinism can be involved in the acceleration (continuous part) and in the bouncing off (discrete part), the possible choices of the non-determinism can be modeled with parameters (p_1, p_2)^T ∈ R^2, resulting in the differential inclusions ḣ(t) = v(t), v̇(t) ∈ [−8.5 − p_1, −8.5 + p_1] and the jump function jump(h, v) = (−h, [0.75 − p_2, 0.75 + p_2] v) with guard h = 0. Using measurements of a real bouncing ball, p_1 and p_2 can be obtained by solving (19).
In this paper, Equation (19) is solved using Gaussian processes (see Section 3) and Bayesian optimization with inequality constraints [38]. The central idea of Bayesian optimization is to use existing function evaluations to build probabilistic regression models. These models are Gaussian processes and are used to select the next parameter to test. In our setting, the Gaussian processes gp_conf and gp_ver are built to approximate the conformance measure and the verification measure:

gp_conf(p) ≈ (…) and gp_ver(p) ≈ m_ver(π(p)).
As the most interesting region for gp_conf is near zero, approximating the cube root of m_conf(π(p)) instead of m_conf(π(p)) itself has been shown to be beneficial for the learning process in our application in Section 7.
The model adaptation works by executing the following steps:
1. Initialize vectors P = (p_1, ..., p_n) with random values and calculate the vectors
2. Generate gp_conf and gp_ver using P, V, and C.
These steps are repeated until the probability is high that p_j with v_j = min_i v_i is the solution of (19). Using gp_conf and gp_ver, this is measured using
as an end criterion.
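An added worked example serving both the exclusion check of Section 5 and the model adaptation of Section 6 (it is not code from the paper or from CORA; the zonotope family, the measurements, the sensor error bound and the formula used for m_conf are constructed assumptions): it implements the directed robustness of Definition 4 with the sampled-direction approximation of [3], the exclusion check under a sensor error ε (following the sign convention of Definition 4, under which the whole ε-ball lies outside Z exactly when ρ(Z, τ_i) < −ε), the volume measure m_ver of (16) for 2-D zonotopes, and a plain grid search in place of the Bayesian optimization of (19) over a parametrized family of reachsets.

```python
"""Zonotope robustness, exclusion check under sensor error, and a brute-force
version of the model adaptation objective (constructed example).
Sign convention of Definition 4: rho(Z, x) < 0 means x lies outside Z."""
import math
import random
from itertools import combinations


def _dot(a, b):
    return sum(ai * bi for ai, bi in zip(a, b))


def directed_robustness(center, generators, x, d):
    """rho_d(Z, x) for direction d (normalised here): support value of the
    zonotope in direction d minus d^T x. A negative value means the hyperplane
    with normal d separates x from Z (cf. the proof of Theorem 3)."""
    norm = math.sqrt(_dot(d, d))
    d = [di / norm for di in d]
    support = _dot(d, center) + sum(abs(_dot(d, g)) for g in generators)
    return support - _dot(d, x)


def robustness(center, generators, x, n_dirs=360, seed=0):
    """rho(Z, x) = min_d rho_d(Z, x), approximated by sampling directions as in
    [3]. The sampled minimum is >= the true minimum, so a negative result is a
    sound certificate that x is outside Z (Theorem 3), while a positive result
    is only evidence of containment. In 2-D the axis directions are sampled
    exactly when n_dirs is a multiple of 4."""
    n = len(center)
    if n == 2:
        dirs = [(math.cos(2 * math.pi * k / n_dirs), math.sin(2 * math.pi * k / n_dirs))
                for k in range(n_dirs)]
    else:  # random directions for higher-dimensional output spaces
        rng = random.Random(seed)
        dirs = [[rng.gauss(0.0, 1.0) for _ in range(n)] for _ in range(n_dirs)]
    return min(directed_robustness(center, generators, x, d) for d in dirs)


def excluded_with_error(center, generators, tau, eps, **kw):
    """Exclusion check: the whole eps-ball around measurement tau lies outside
    Z (a counter-example to reachset conformance) iff rho(Z, tau) < -eps."""
    return robustness(center, generators, tau, **kw) < -eps


def area_2d(generators):
    """Volume of a 2-D zonotope: 4 * sum over generator pairs of |det(g_i, g_j)|
    (each generator spans a segment of length 2|g_i|)."""
    return 4.0 * sum(abs(g[0] * h[1] - g[1] * h[0])
                     for g, h in combinations(generators, 2))


# ---- hypothetical parametrised model family pi(p), constructed for this example ----
TIMES = (1.0, 2.0, 3.0)
EPS = 0.05  # assumed sensor error bound


def model_reachsets(p):
    """Output reachsets Z_t of pi(p): a nominal zonotope per time point plus two
    additive non-determinism generators whose widths are the parameters
    p = (p_x, p_y), in the spirit of the additive bounds e_x, e_y of Section 7."""
    px, py = p
    return {t: ((t, 0.5 * t),
                [(0.05 * t, 0.0), (0.0, 0.02 * t), (px * t, 0.0), (0.0, py * t)])
            for t in TIMES}


# constructed measurements (t_i, tau_i) of the "real" system
MEASUREMENTS = [(1.0, (1.075, 0.52)), (1.0, (0.95, 0.465)),
                (2.0, (2.15, 1.06)), (2.0, (1.9, 0.93)),
                (3.0, (3.2, 1.6)), (3.0, (2.85, 1.42))]


def conformance_measure(p, measurements=MEASUREMENTS, eps=EPS, n_dirs=120):
    """m_conf as assumed here: the smallest margin by which a measurement's
    eps-ball is contained in its reachset; >= 0 means conformant."""
    sets = model_reachsets(p)
    return min(robustness(*sets[t], tau, n_dirs=n_dirs) - eps
               for t, tau in measurements)


def verification_measure(p):
    """m_ver of Equation (16): average reachset volume over the time points."""
    return sum(area_2d(g) for _, g in model_reachsets(p).values()) / len(TIMES)


def adapt_model(grid=range(13)):
    """Grid-search stand-in for the Bayesian optimisation of (19): returns the
    conformant parameter vector with the smallest verification measure."""
    best = None
    for i in grid:
        for j in grid:
            p = (i / 100, j / 100)
            if conformance_measure(p) >= 0.0:
                vol = verification_measure(p)
                if best is None or vol < best[1]:
                    best = (p, vol)
    return best


if __name__ == "__main__":
    p_opt, vol = adapt_model()
    print("minimal conformant non-determinism", p_opt, "avg volume", round(vol, 4))
```

Because every measurement here lies inside an axis-aligned zonotope, the sampled minimum is attained exactly at an axis direction; for points outside a general zonotope the sampled value is a sound but slightly conservative robustness.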

Application of Reachset Conformance to an Autonomous Vehicle
Automated vehicles are an important application of hybrid systems. One main verification task for automated vehicles is to ensure safe operation without collisions with other traffic participants. Since there are too many real-world situations to verify all of them beforehand, methods have been created to verify the automated vehicle online [39,40]. The verification approach is model-based, which creates the necessity to check that the model and the real vehicle are conformant such that verification results can be transferred.
The following demonstrates how to apply reachset conformance by measuring data of a real automated vehicle and building a reachset-conformant model for it with the model adaptation method. As we have a limited amount of experimental data, one should increase the amount of measurements for real-world verification applications.

Experimental Setup
Four different types of maneuvers with a velocity of v_x = 10 m/s and a maximum lateral acceleration of a_y = 2 m/s² have been considered. As visualized in Figure 3, the four maneuvers are
1. Single lane-change maneuver: One single lane change from the right lane to the left lane, which is a typical maneuver for automated vehicles.
2. Double lane-change maneuver: After a single lane change, the vehicle stays on the left lane for 4 s and switches back to the initial lane. This is a standard overtaking maneuver.
3. Fast double lane-change maneuver: This maneuver is similar to the double lane-change maneuver, but it immediately switches back to the right lane when on the left lane. Such a maneuver occurs when avoiding obstacles on the road and is more dynamic than the double lane change.
4. Slalom maneuver: To challenge the model with measurements of a more dynamic maneuver, a slalom maneuver was additionally included.
These maneuvers were selected based on the experimental capabilities of the driving location and can be seen as basic maneuvers in an urban multilane setting. Each maneuver was repeated five times, with the average duration of a maneuver being 14.16 s at a sampling rate of 100 Hz. Overall, the total driven distance of the dynamic maneuvers within the measurement data was around 3 km. The data were collected by Deutsches Zentrum für Luft- und Raumfahrt (DLR) with their test vehicle (FASCar II, a Volkswagen Passat TDI), which is equipped with a combined differential GPS receiver (DGPS) and inertial navigation system (INS). All maneuvers used for conformance testing were executed in automated driving mode, i.e., closed-loop tracking of a predefined reference trajectory, which is sent from a PC to a closed-loop tracking controller on a dSPACE Autobox. We estimate the sensor error for the position of the vehicle at 5 cm and for the orientation of the vehicle at an angle of 0.

Verification Model
The verification model consists of a steered vehicle model, which is combined with a tracking controller providing the steering inputs based on the ideal maneuver trajectory. Our vehicle model is based on the bicycle model [7,39]. The state space of the vehicle model is 6-dimensional and has the states x = (p_x, p_y, ψ, v_x, v_y, ω)^T, where (p_x, p_y) is the position of the vehicle's rear axle center in an earth-fixed coordinate system, and ψ is the orientation of the vehicle. The speed of the vehicle's rear axle center is given as (v_x, v_y)^T in the vehicle coordinate system. The velocity components are the respective projections onto the vehicle's longitudinal and lateral axes. The vehicle's yaw rate is given as ψ̇ = ω. The vehicle model's input vector u = (u_a, u_δ)^T contains the longitudinal acceleration and the steering angle. The differential equations of the vehicle model are
ṗ_x = v_x cos(ψ) − v_y sin(ψ) + e_x
ṗ_y = v_x sin(ψ) + v_y cos(ψ)
with constants J/m = 1.5, a = 1.16, b = 1.54, c_f = 10.8, c_r = 17.8, µ = 0.8, and g = 9.81.
The tracking controller by Hess et al. [41] was used consisting of a feed-forward controller and a PD feedback term for the deviation from the reference trajectory.
The state space of the combined model was divided into eight regions, which represent the discrete states of the verification model. In each region, a Taylor expansion of the differential equations of the combined model is used as the differential equations of the verification model. Since the main dimensions of interest are the position p_x, p_y and the orientation ψ of the vehicle, e.g., to detect possible collisions, these dimensions are used as the outputs and mapped onto this subspace with the output map out. The parameters e_x, e_y, and e_ω are injected as additive non-determinism [−e_x, e_x], [−e_y, e_y], and [−e_ω, e_ω] into the differential equations for x, y, and ω, respectively.

Reachset Conformance Testing
The initial points of all runs of a maneuver are used to build the initial set for the model for that maneuver. Since the measurements contain some sensor error, the bounding box of the initial points, enlarged by the sensor errors, is used as the initial set I_M of the model. The pairwise direction check described by Roehm et al. [3] is used to check for the exclusion of measured data from the reachable sets of the three-dimensional output space, considering the sensor error.
The model adaptation method from Section 6 has been applied to the model and the measurements of the automated vehicle. The measure gp_conf for the mapping from the parameters to the conformance measure after 30 iterations is visualized in Figure 4. In the figure, one can see the estimated robustness of each combination of non-deterministic bound parameters (e_x, e_y, e_ω). The red line consists of all parameters with m_conf(M) = 0, which form the boundary between the conformant and non-conformant parameter areas. All parameter combinations on the upper right side of the red line can be considered conformant.
The white points represent the parameter combinations for which the exclusion check has been executed to compute the robustness for the conformance measure. These combinations were iteratively selected by $gp_{conf}$ and used to update $gp_{conf}$. As one can see in the figure, the white points are not uniformly distributed; the density of points is much higher near certain areas of the red line. This is a direct outcome of the model adaptation algorithm. First, parameter combinations from the whole parameter space are selected to obtain an initial understanding of the regions of interest. After some iterations, the confidence of $gp_{conf}$ increases, and more points near the expected parameter combinations of the optimal model $M_g$ are selected. Please note that the white points in all subfigures are only projections of the three parameters onto two parameters. Even when the white points sit on the non-conformant side of the red line in a subfigure, the non-projected parameters may not. In (a) and (b) of Figure 4, the red line is winding in the lower part. This is due to approximation errors in $gp_{conf}$. However, this is not a problem for the method, as these areas do not contain the optimal parameter combinations and thus are not explored further.
From Figure 4, the relation between the different parameters can be seen. The red line in the subfigures with $e_x$ is mainly horizontal and vertical. This shows that the non-determinism in $x$ is independent of the non-determinism in $y$ and $\psi$. In contrast, $e_y$ vs. $e_\omega$ shows that when the lateral non-determinism is increased, the non-determinism of the yaw rate can be reduced, and vice versa. This shows that both have a similar impact on the lateral movement of the vehicle in our maneuvers and is likely a result of the main direction of travel being the $x$ direction. The verification measure with respect to the parameters is visualized in Figure 5. As in Figure 4, the verification measure is shown with the white points representing the parameter combinations used. The shapes of all projections look quite similar. This is due to the monotonicity of the reachset sizes with respect to the non-determinism: when one parameter is increased, the overall non-determinism increases, and thus so does the reachset size. In the origin, all parameters are zero, the model is deterministic, and the reach sequence reduces to a trace, cf. Theorem 2. The reachsets of the optimal model are visualized together with the measurement data in Figure 6. The optimal model has an interval width in the lateral position of 0.22 m and in the longitudinal position of 0.47 m, which can be considered good enough for all considered driving tasks. Large uncertainty, such as over 0.5 m in the lateral position $p_y$, may lead to situations where the vehicle could potentially already be on an adjacent lane and a collision may be possible. Hence, we have built a reachset-conformant model which is amenable to verification purposes.
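As an added illustration of the testing step above (this is not code from the paper), the following builds the initial set $I_M$ of a maneuver as the bounding box of the runs' initial points enlarged by the sensor error, and evaluates a robustness value for measured output points against a reachset. It assumes the reachable sets are given as axis-aligned interval boxes in the output space $(p_x, p_y, \psi)$ (a special case of zonotopes) and treats the sensor error by inflating each measured point to a box that must lie inside the reachset; the pairwise direction check of Roehm et al. is not reproduced, and the function names and sample data are constructed here.

```python
# Added example, not the paper's code. Reachsets are axis-aligned boxes
# (a special case of zonotopes); the sensor error is handled by inflating
# each measurement to a box that must lie inside the reachset box.
from typing import Sequence, Tuple

Point = Tuple[float, float, float]   # output space (p_x, p_y, psi)
Box = Tuple[Point, Point]            # (lower corner, upper corner)
DIMS = range(3)


def initial_set(initial_points: Sequence[Point], sensor_error: Point) -> Box:
    """I_M: bounding box of all runs' initial points, enlarged by the sensor error."""
    lower = tuple(min(p[d] for p in initial_points) - sensor_error[d] for d in DIMS)
    upper = tuple(max(p[d] for p in initial_points) + sensor_error[d] for d in DIMS)
    return lower, upper


def robustness(point: Point, box: Box, sensor_error: Point) -> float:
    """Signed distance of the sensor-error box around a measurement to the
    reachset box boundary. Positive: the measurement is contained (no
    counter-example); negative: part of it is excluded from the reachset."""
    lower, upper = box
    return min(
        min(point[d] - sensor_error[d] - lower[d],
            upper[d] - point[d] - sensor_error[d])
        for d in DIMS
    )


def conformance_measure(measurements: Sequence[Point], reach_boxes: Sequence[Box],
                        sensor_error: Point) -> float:
    """Minimum robustness over all time steps of a run; >= 0 means no measured
    point is excluded from the corresponding reachset (conformant for this run)."""
    return min(robustness(m, b, sensor_error)
               for m, b in zip(measurements, reach_boxes))


if __name__ == "__main__":
    # Constructed sample data: three runs' initial points and a sensor error.
    runs = [(0.0, 0.0, 0.0), (0.1, -0.05, 0.01), (0.05, 0.02, -0.01)]
    err = (0.02, 0.02, 0.005)
    i_m = initial_set(runs, err)
    later = ((-0.1, -0.1, -0.1), (0.3, 0.1, 0.1))   # constructed later reachset
    print("I_M =", i_m)
    print("m_conf =", conformance_measure([(0.05, 0.0, 0.0), (0.15, 0.0, 0.0)],
                                          [i_m, later], err))
```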

Conclusions
In this paper, reachset conformance was presented, which is able to relate a model to the system it models (and to other models as well). It was shown that reachset conformance is the natural conformance relation for safety properties, because safety properties transfer exactly when reachset conformance holds. Trace conformance implies reachset conformance, and the two coincide for deterministic systems.
Reachset conformance testing of a verification model is performed by searching for counter-examples among measurements of the real system. A robustness measure is introduced to estimate how far the model is from being conformant or non-conformant, based on the distance of a measurement to the reachable set of the verification model. Zonotopes are used as the representation of reachable sets, which makes the computation of the robustness feasible.
A conformance measure is defined based on the robustness, and a verification measure is defined based on the size of the reachable sets and used to estimate the applicability of models for verification. The non-determinism of the model is treated as parametric, and a model adaptation algorithm is introduced to search for an optimal model, which minimizes the verification measure while having a positive value of the conformance measure. The algorithm uses Bayesian optimization to approximate the conformance measure and the verification measure and to guide the search for the optimal parameters.
Finally, the presented methods are applied to an autonomous vehicle, for which measurements of real driving maneuvers have been recorded. A parametric verification model is presented, and the methods of the paper are applied to find optimal parameters for that model, maximizing the verification capabilities while ensuring conformance. Since the resulting reachable sets of the non-deterministic verification model have a size of at most 0.22 m in the lateral direction and 0.47 m in the longitudinal direction, the model produces small enough reachsets and can be used for verification purposes.
In future work, we want to collect larger amounts of driving data with a wider range of maneuvers and build a verified model that can be run online. This will combine multiple existing research directions and show how involved it is to run the full pipeline for the verification of autonomous vehicles.

Figure 1. The reachable states (gray area) of several verification models as well as the unsafe states (dotted area) are shown. For increasing determinism, the set of reachable states becomes smaller. When the reachable set is too small to contain all possible states of the real system, it is no longer conformant. Also, when the reachable set is too big, it intersects with the unsafe states, and thus it cannot be used for successful verification. The optimal model has the most determinism while being conformant.

Figure 2. Overview of the reachset conformance testing and model adaptation methods.

Figure 3. The planned trajectory (red) and the driving data (gray, shifted by multiples of 30 cm in $p_y$ for presentation purposes) for the maneuvers. (a) Single lane-change maneuver. (b) Double lane-change maneuver. (c) Fast double lane-change maneuver. (d) Slalom maneuver.

Figure 4. Conformance measure with respect to the parameters as approximated by $gp_{conf}$. The red line is the boundary between conformant and non-conformant parameters. (a) $e_x$ vs. $e_y$, $e_\omega$ constant. (b) $e_x$ vs. $e_\omega$, $e_y$ constant. (c) $e_y$ vs. $e_\omega$, $e_x$ constant.

Figure 5. Verification measure with respect to the parameters as approximated by $gp_{ver}$. (a) $e_x$ vs. $e_y$, $e_\omega$ constant. (b) $e_x$ vs. $e_\omega$, $e_y$ constant. (c) $e_y$ vs. $e_\omega$, $e_x$ constant.

Figure 6. Projection of the measurements (black lines) and the reachsets of the model (gray area) onto the position for the single lane-change maneuver. (a) Overview. (b) Subfigure 1: zoom on the initial set (white box). (c) Subfigure 2: zoom on the point in time where the measured data comes closest to the reachset boundary.