Formalizing Traffic Rules for Machine Interpretability
Autonomous vehicles need to be designed to abide by the same rules that humans follow. This is challenging, because traffic rules are fuzzy and not well defined, making them incomprehensible to machines. Satisfaction cannot be incorporated in a planning component without proper formalization, nor can it be monitored and verified during simulation or testing. However, no research work has provided a consistent set of machine-interpretable traffic rules for a given operational driving domain. In this paper, we propose a methodology for the legal study and formalization of traffic rules in a formal language. We use Linear Temporal Logic as a formal specification language to describe temporal behaviors, capable of capturing a wide range of traffic rules. We contribute a formalized set of traffic rules for dual carriageways and evaluate the effectiveness of our formalized rules on a public dataset.
Traffic regulations such as the Straßenverkehrsordnung (StVO) [BMJV2013], which is the German concretization of the Vienna Convention on Road Traffic [EconomicCommissionforEuropeInlandTransportCommittee1968], define rules all drivers should obey. These traffic rules are often fuzzy and subject to interpretation, which motivates a formalized, machine-interpretable definition of traffic rules. This formalization is essential for the development of a planning component, i.e. vehicles will adhere to the rules at all times. It may also support simulation-based verification or case-law.
The traditional approach in the planning community has been to represent legal aspects such as speed limits or traffic lights as geometric obstacles in space-time [Ajanovic2018], often forming spatio-temporal driving corridors in which vehicles are allowed to operate. However, while such an approach works for static rules which can be easily mapped to constraints, it does not scale to more complex behavioral rules with multiple agents. To formalize legal aspects, natural language must be translated. Logical languages are a formal way to represent rules. A logical language needs (1) to be expressive enough to codify natural language and (2) to have a mechanism for model-checking the formulas (i.e. traffic rules). Previous works have identified Linear Temporal Logic (LTL) as a suitable formal language to specify traffic rules [ReyesCastro2013, Rizaldi2015, Esterle2019a]. Other works have used inequality constraints based on real numbers to formalize traffic rules [Vanholme2013, Decastro2018].
However, no work has yet provided a valid and consistent set of traffic rules for a restricted operational area. Likewise, there is no methodology to derive such rules. The contributions of this paper are a methodology to formalize traffic rules from legal texts to a formal language, and a formalized set of traffic rules for dual carriageways. We evaluate these rules on a public dataset, which helped us to identify errors in the predicates but eventually provides valuable insight into the extent to which humans follow these rules.
II Legal Analysis of German Traffic Rules on Dual Carriageways in On-Ramp Scenarios
At first, the operational design domain needs to be defined. We will analyze traffic rules for a passenger vehicle
Our interest is mainly focused on behavioral rules for road users, especially for multiple road users involved. We will not consider the following special cases:
Parking, breakdowns, and towing
Necessary post-accident actions including clearing
Signaling such as indicator signals or lighting
Regulatory signs, including lane markings, informatory signs, and traffic installations
To identify all relevant rules and remove ambiguity in them, we will use the following methodology:
Identify a rule and separate it into an initial premise and a conclusion. If there is no premise, start with “always”.
Identify all exceptions to the premise. Use negated exceptions to update the premise.
Decompose the premise and conclusion into labels or new rules.
Using Boolean laws, we can combine the initial premise and exceptions by conjunction. We will use a graphical representation for identification and aggregation. Implications are illustrated by an arrow. Exceptions are marked in red.
This section analyzes speed regulations.
Trafficrule 1 (Keep Control):
“A person operating a vehicle may only travel at a speed that allows them to be in constant control of their vehicle” [§3(1) StVO].
Control is lost if vehicle tires cannot exert the required forces on the road. This happens when the lateral or longitudinal accelerations exceed the limits of the friction circle. Not to lose control is not only a rule but also a safety requirement for any autonomous vehicle. Hence control algorithms will limit the requested accelerations accordingly.
Trafficrule 2 (Above Minimum Speed):
“No motor vehicle must, without good reason, travel so slowly as to impede the flow of traffic” [§3(2) StVO; VC 13.4].
[Decastro2018] define “impeding the traffic flow” as going below a speed difference threshold . While they define to be the average speed of the surrounding vehicles, it might be useful to damp this signal.
Trafficrule 3 (Below Speed Limit):
Adhere to the “maximum permissible speed” [StVO 3(3)].
We assume the maximum speed limit to be available.
Trafficrule 4 (No Stopping):
On motorways and motor roads, “stopping is prohibited, including on verges” [§18(8) StVO].
Motorways are defined as roads that are only allowed for motor vehicles, and they have specific entry and exit terminals [EconomicCommissionforEuropeInlandTransportCommittee1968]. They usually consist of separate carriageways for two-way traffic. We do not consider motor roads in this study, as they have no dual carriageway. We assume the road type to be available. Fig. 1 shows the codified speed limit rules.
II-B Use of Roads and Lanes (Lane Selection)
This section analyzes rules that specify which lanes should be used by motorists.
Trafficrule 5 (Keep Right):
“Keep as far to the right as possible” [§2(2) StVO; VC 10.3].
This is often referred to as “staying on the right”. However, in dense traffic, drivers might ignore the keep-right directive:
Trafficrule 6 (Except. Dense Traffic with Multiple Lanes):
“This might be ignored on carriageways with several lanes for one direction, […] if traffic density justifies” [§7(1) StVO].
[Wuthishuwong2013] define traffic density as the number of vehicles per lane relative to the length of the observed street. However, there are currently no traffic density values that autonomous vehicles can use.
Another exception is made within built-up areas on roads that are no motorways:
Trafficrule 7 (Except. Built-up Area):
“On carriageways with several marked lanes for one direction of traffic […] within built-up areas – with the exception of motorways – […], vehicles […] are free to choose their lane, even at no dense traffic” [§7(3) StVO].
An exception to the keep right directive exists for outside built-up areas on roads with more than two lanes for one-way traffic. “Inside a built-up area” is a synonym for inner-city.
Trafficrule 8 (Except. Outside Built-up Area With Three Or More Lanes):
“Outside built-up areas [with] three lanes for one direction of traffic, vehicles may, in derogation from the rule that they must keep as far to the right as possible, [stay in] the middle lane in places where – even if only now and then – a vehicle is stationary or moving in the nearside lane. On carriageways with more than three lanes marked in this way for one direction of traffic, the same applies to the second lane from the right” [§7(3c) StVO].
However, this exception brings in a new rule. We summarize the new rule as “keep outside the left-most lane” and use the non-negated premise from the exception. Fig. 2 shows the codified lane selection rules.
The legal texts of the StVO and the Vienna Convention on Road Traffic are missing an explicit definition for overtaking. Whereas [Rizaldi2017] define overtaking as the process of changing lane, passing a vehicle, and returning to your initial lane, court rulings have clarified that passing a vehicle is already considered as overtaking [BGH4.Strafsenat1968a]. We will follow this definition and replace overtaking with passing whenever necessary.
Trafficrule 9 (Speed Advantage during Overtaking):
Only overtake if the ego vehicle travels “at a speed substantially higher than that of the vehicle to be overtaken” [§5(2) StVO].
As the term “substantially higher speed” is vague, court rulings have since clarified the minimal speed advantage for trucks to be [UberholenZweibrucken2009]. Missing other concrete values, we will use this value for passenger vehicles as well.
Trafficrule 10 (Overtaking Maneuver):
“Make sure that traffic approaching from behind is not endangered. [Keep] a sufficient lateral distance […] from other road users […]. Move back to the right-hand side of the road as soon as possible” [§5(4) StVO, VC 11.2a; VC 11.4].
This rule can be divided into three parts. First, when changing to the outer lane, traffic shall not be jeopardized. [Rizaldi2017] define this as keeping a safe distance to the new follower. Second, sufficient lateral space will be inherently satisfied by a motion planner. Thus, we will not consider it in this paper explicitly. Third, a vehicle shall move back as soon as possible. Following [Rizaldi2017], the phrase “as soon” means when a safe distance to the new follower can be established. However, as stated before in Section II-B, there are multiple exceptions to this rule. We relax this rule in this work and interpret it as “do not return to the initial lane before a safe distance can be established”. This means that when performing a lane-change, a safe distance to the rear vehicle should be ensured.
Trafficrule 11 (No Right Overtaking):
Only “overtake […] on the left” [§5(1) StVO; VC 11.1].
We will interpret this as passing a vehicle. This rule then also implies that vehicles on the right lane should not travel faster than those on the left. However, there are several exceptions for special lane types:
Trafficrule 12 (Except. Diverging Lane):
“Where lanes diverge from the main carriageway […] vehicles turning off may […] travel faster than traffic on the main carriageway” [§7a(1) StVO].
Trafficrule 13 (Except. Acceleration Lane):
“On motorways and other roads outside built-up areas, vehicles may travel faster in acceleration lanes than traffic on the main carriageway” [§7a(2) StVO].
Trafficrule 14 (Except. Deceleration Lane):
“If traffic on the main carriageway is moving slowly or is stationary, vehicles in a deceleration lane may overtake at a moderate speed” [§7a(3) StVO].
Another exception for built-up areas:
Trafficrule 15 (Except. Built-up Area):
“On carriageways with several marked lanes for one direction of traffic […] within built-up areas – with the exception of motorways – […], traffic on the right may move faster than traffic on the left” [§7(3) StVO].
Also, there are exceptions for dense traffic:
Trafficrule 16 (Except. Dense Traffic):
In dense traffic, “traffic on the right (nearside lane, middle lane) may move faster than traffic on the left” [§7(2) StVO].
Trafficrule 17 (Except. Dense Traffic):
Vehicle queues at low speed or standstill may be overtaken “on the right” [§7(2a) StVO; VC 11.6].
We argue that the above two exceptions essentially have the same meaning if overtaking is interpreted as passing: In dense traffic, passing vehicles on the left side is allowed.
Fig. 3 shows the codified overtaking rules.
II-D Safe Distance
A driver shall always keep a safe distance to a preceding vehicle:
Trafficrule 18 (Safe Distance):
“A person operating a vehicle moving behind another vehicle must, as a rule, keep a sufficient distance from that other vehicle so as to be able to pull up safely even if it suddenly slows down or stops” [§4(1) StVO; VC 13.5].
This rule has been treated frequently in literature [Vanholme2013, ReyesCastro2013, Rizaldi2016, Shalev-Shwartz2017], although implementations vary in the order of state derivatives used to calculate the distance. Estimating the maximum possible braking deceleration is also not clearly defined and may change depending on the road surface. Fig. 4 shows the codified distance rule.
II-E Being Overtaken
A vehicle being overtaken shall obey the following:
Trafficrule 19 (Being Overtaken):
A vehicle “being overtaken must not increase the vehicle’s speed” [§5(6) StVO].
We define being overtaken to be close to a vehicle on the left lane, which is similar to the definition used in [Decastro2018]. This is sufficient, as overtaking on the right is prohibited. Fig. 5 shows the codified rule when being overtaken.
This section deals with priority rules. Giving way means that a driver “continues or resumes his advance or maneuver if by so doing he might compel the drivers of other vehicles to change the direction or speed of their vehicle abruptly” [EconomicCommissionforEuropeInlandTransportCommittee1968]. If a vehicle has the right of way, the other drivers shall give way.
Trafficrule 20 (Right of way):
On “motorways and motor roads […] traffic on the main carriageway has the right of way” [§18(3) StVO; VC 25.2].
Trafficrule 21 (Zipper Merge):
“If, on roads with several lanes for one direction, uninterrupted travel in one of the lanes is not possible, or if a lane comes to an end, vehicles traveling in the adjacent lane must allow vehicles in the other lane to change lanes immediately before the road narrows, in such a way as to let them join their line of traffic in turn after each vehicle traveling in the uninterrupted lane” [§7(4) StVO].
The rule demands that vehicles should merge at the end of the lane in an alternating zip fashion from both lanes. Following the zipper merge has proved to reduce congestion while ensuring the safety of motorists, as the complexity in changing lanes is removed. Some US states have begun adopting this concept [Marshall2016].
If a driver in a continuing lane does not obey the zipper merge, a driver wishing to merge is not allowed to enforce it [ZipMergeAgDD2006]. Thus, if an accident occurs during the zipper merge, the blame is often shared [ZipMergeAgDD2006, ZipMergeMuenchen2008]. Right of way and zipper merge are dual and thus contradicting, as StVO does not specify the application of the zipper merge to be an exception to the right of way rule. Future updates to the regulation should clarify this. Fig. 6 shows the codified priority rules.
III Related Work
Works to formalize traffic rules have come from three different communities: First, the planning community, which tries to develop a planner that can follow all applicable rules. Here, the rules are checked on potential predicted outcomes [Vanholme2013, ReyesCastro2013, Esterle2019a]. Second, the safety community, which has tried to establish contracts consisting of a set of rules, which every vehicle should adhere to in order to prove safety [Decastro2018, Shalev-Shwartz2017]. These approaches generally rely on inter-vehicle communication. Third, the legal community, which tries to analyze recorded traces to identify liability, which is relevant to insurance companies [Rizaldi2015, Rizaldi2016, Rizaldi2017]. We will now discuss related works in detail.
[Vanholme2013] were the first to perform a detailed analysis of the applicable rules for highway driving based on the Vienna Convention on Road Traffic. They used inequality comparisons of real numbers to express the rules. However, they did not provide a concrete formalization for most of the behavioral rules, such as overtaking or right of way. Also, since the zipper merge is not part of the Vienna Convention on Road Traffic, the authors did not elaborate on it either. [ReyesCastro2013] used LTL to express traffic rules. Since the authors focused on developing a planning algorithm, they only provided examples for formalized rules such as “do not cross solid center lines” or “do not travel in the wrong direction”, which only depend on the ego vehicle itself.
[Decastro2018] formalized the rules as contracts between vehicles. They used inequality comparison of real numbers to formalize the rules regarding lane selection, overtaking (safe, on the left), etc. However, they did not consider rules such as “right of way” or “zipper merge”, which are challenging because of the behavioral uncertainty of the agents involved. The Responsibility-Sensitivity Safety Model (RSS) defined by [Shalev-Shwartz2017] has formalized the notion of a safe distance and the right of way. Their approach can only check rules between an ego agent and one other agent [Gassmann2019].
[Rizaldi2015] used higher-order logic to formalize parts of the Vienna Convention on Road Traffic. They extended their work in [Rizaldi2016] to prove the correctness of the “safe distance” predicate from the StVO using a theorem prover. In [Rizaldi2017], they used the “safe distance” predicate for the safe overtaking rule from the StVO, formalized in LTL.
Others have used Signal Temporal Logic (STL) to obtain quantitative semantics about rule satisfaction [Cho2019, Arechiga2019]. Quantitative semantics might be beneficial for relaxing the requirements to satisfy a rule. [Cho2019] formalize basic rules concerning a safety envelope such as staying in lane or speed boundaries in Signal Temporal Logic, while [Arechiga2019] formalize the safe distance from the RSS model in STL.
Lanelet2, a map framework for highly automated driving, provides an interface called “regulatory elements” to retrieve traffic signs, traffic light, speed limits, and right of way [Poggenhans2018]. For the “right of way”, Lanelet2 provides the lanes on which vehicles have the right of way. More elaborate rules such as overtaking, distance keeping, or zipper merge are not included.
| – Lane Selection – |
| keep in right-most lane | X | IR(0) | – | – |
| keep outside left-most ln. | X | IR(0) | – | – |
| – Overtaking – |
| safe lane change | X | IR(2) | LTL(2) | – |
| no right passing | X | IR(1) | – | – |
| speed adv. during overtak. | – | – | – | – |
| safe distance (preced.) | IR(1) | IR(1) | LTL(1) | IR(1) |
| – Priorities – |
| right of way | X | – | – | IR(1) |
Table I summarizes our analysis, mapping the most relevant formalization works in literature to the identified rules from our legal analysis. We omit trivial rules, e.g. “no stopping”, or special cases, e.g. “keep outside left-most lane”. Different techniques on how to model the rules have been employed. Formal logics such as LTL or STL, as well as real-value constraints, have been used. Presently, there is no comprehensive formalized set of traffic rules in literature.
IV Formalizing Traffic Rules using Linear Temporal Logic
Following our legal analysis, we will now formalize those rules in a formal language. We will follow [Rizaldi2017] to distinguish between codification (representing natural language specifications as logical entities) and concretization (concretely interpreting predicates).
IV-A Linear Temporal Logic for Codification
During the legal analysis, conjunction, disjunction, negation, and implication proved to be powerful and useful tools for formalizing rules. As traffic rules such as overtaking consider temporal behaviors, we decided to use LTL.
Formally, the language of LTL formulas is defined as
where denotes an atomic proposition, (resp. , , ) denote the Boolean operators “not”, “and”, “or” and “implies”, and , (resp. , , ) denote the temporal operators “next”, “until”, “globally” (or “always”), “finally” (or “eventually”). Refer to [Baier2008] for definitions of the semantics.
We will separate the rules into premise and conclusion
It allows rules to be divided into a premise about the current state of the environment, i.e. when a rule applies, and the legal behavior of the ego agent in that situation (conclusion). Then, exceptions to the rules can be modeled to be part of the assumption.
IV-B Predicates for Concretization
First, we need to identify suitable predicates, then, provide a function or formula to calculate them. For some labels, such as collision or speed limit violation, this is trivial. For others, such as the notion of safety, it is not. [Rizaldi2016] thus used a theorem prover to prove the safe distance predicate.
Maps are currently an important part of automated driving. Map frameworks such as Lanelet2 provide location information (built-up vs. non-built-up) and road types (road, highway) [Poggenhans2018]. We assume special lane types such as diverging or accelerating lanes to be available.
|is closer than to or more agents|
|is the predecessor of|
|is to the right of|
|is to the left of|
|is in the front of|
|is behind of|
|has passed a static merging point, from which on a merge is not possible anymore|
|has a safe distance to the preceding vehicle|
|has a safe distance to the following vehicle|
|is colliding with road boundaries or any other agent or obstacle|
|is crossing a lane boundary|
|is closer than to|
|has less than remaining to the end of the lane|
|is faster than and some threshold|
|is within a built-up area|
|is on a road type: motorway|
|is on a lane type: diverging lane|
|is on a lane type: acceleration lane|
|no right passing|
|safe lane change||lane-change||sd-rear|
|speed advantage for overtaking|
|safe distance (preced.)||sd-front|
Table II shows the predicates. We evaluate them based on the observed scene (from simulation or dataset replay) before passing them to the rule monitor, which will evaluate the rule formula at each time step. The relational labels are calculated according to Fig. 7, i.e. in a partially overlapping manner.
IV-C Codified Rules
Based on our previous legal analysis and the usage of De Morgan’s laws, we formalize three rules for overtaking (see Table III). Both “no right passing” and “speed advantage during overtaking” use the passing sequence behind – left – front. Note that in contrast to our previous work [Esterle2019a], we define the relational labels as partially overlapping, which changes the meaning of the rule from overtaking to passing. The third rule, “safe distance at each lane change”, covers the rules in [Rizaldi2017], where the authors defined overtaking as the process of changing lanes and passing, for which they imposed a safe rear distance at the beginning and at the end.
We formalize the rule to ensure a safe distance to any preceding vehicle, based on the calculation of the safe distance predicate in [Rizaldi2017].
We define “being overtaken” as being on the right of and close to a vehicle. In such a situation, we prohibit accelerating.
We describe a zipping situation as
where an agent is to the left of an agent in an ending or blocked lane, and is following another agent . Fig. 8 shows the naming conventions for this rule. If the assumption in Table III is fulfilled, the rule should guarantee that agent will not be directly in front of agent after the merging point, as agent from the other lane has merged in-between and has become the new predecessor of agent .
Evaluating the formalized rules on recorded drives of humans helps us to validate the rules, and, once the predicates are fixed, provides valuable insight into the extent to which humans follow the rules. We use the INTERACTION dataset [Zhan2019], which focuses on dense interactions, and analyze the compliance of each vehicle to the traffic rules. To the best of our knowledge, [Rizaldi2016] is the only work that has evaluated its formalized traffic rule in this way.
V-A Evaluation Methods and Dataset Processing
We study our approach in the benchmarking framework BARK proposed in [Bernhard2020]. We use Spot [Duret-Lutz2016], a C++ library for model checking, to translate the formalized LTL formula to a deterministic finite automaton, and to manipulate the automata. Each rule is then captured in a RuleMonitor object, which we use to monitor rule compliance throughout the simulation, effectively replaying the dataset. We analyze the two-way merge scenario DR_DEU_Merging_MT and the three-lane road lower part of the Chinese highway merging scenario DR_CHN_Merging_ZS.
V-B Evaluation of Violation on Public Data
For evaluation, we set , , and . We set for the “zipper merge” rule and for the “being overtaken” rule. For the Chinese data, we use . For the German data, we use , as the lane gets thinner much earlier. We use the parameters in [Rizaldi2016] for the “safe distance” label, and set the reaction time to .
Once-per-agent violations: We first study those rules whose premises contain temporal sequences, namely “no right passing”, “zipper merge” and “speed advantage during overtaking”. Fig. 9 shows the percentage of violation per agent. Once an agent violates a rule, that agent is flagged. About % of the vehicles in the German scenario violate the zipper merge. In the Chinese scenario, more than % do not merge according to the rule. The rule to have a significant “speed advantage during overtaking” is violated much more often in the Chinese scenario than in the German one. This could stem from the distinct regulations, from a different local interpretation of what significant speed advantage means, or from differences between the traffic situations. To study this, finding correlations between traffic features such as traffic density and the specific rule violations will be subject of future works.
Violations per time: For the other rules, we study the relative number of violations per time, see Fig. 10. We normalize the number of violations based on (1) the full dataset duration and (2) the duration when the premise was active. For the safe distance, the premise is always true, and thus the two violation metrics are identical. For others, the metric based on the premise being active is a more expressive violation metric. Violations close to % would probably indicate an error in the formalization. As the premise for “safe lane change” by our definition is only active at one time instant, no significant violations can be observed when normalizing it by the complete simulation time. However, Fig. 10 shows that roughly every fourth lane change does not keep a safe distance to the rear vehicle, which is similar for the German and Chinese data. We observe that in the German scenario, drivers do not keep a safe distance at about % of the time. In China, this value drops to about %. Note that we observe many more violations of the safe distance than in [Rizaldi2016], which can be explained by the fact that we include the reaction time from [Rizaldi2017] in our calculation.
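The per-time-step monitoring and the two normalizations described above can be sketched as follows; this is an added example, not code from the paper, BARK or Spot. It handles only rules of the form G(premise → conclusion), with exceptions folded into the premise as negated conjuncts as in the methodology of Section II; the trace and the labels `dense-traffic`, `built-up` and `right-most-lane` are constructed assumptions, while `lane-change`, `sd-rear` and `sd-front` are the labels of Table III.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """A rule of the form G(premise -> conclusion) over per-step label sets."""
    name: str
    conclusion: str          # label that must hold whenever the rule applies
    premise: tuple = ()      # labels that must all hold; empty means "always"
    exceptions: tuple = ()   # labels that each suspend the rule

    def applies(self, labels):
        # Effective premise: initial premise AND NOT exc_1 AND NOT exc_2 ...
        return (all(p in labels for p in self.premise)
                and not any(e in labels for e in self.exceptions))

    def violated(self, labels):
        return self.applies(labels) and self.conclusion not in labels


def monitor(rule, trace):
    """Evaluate the rule at every time step of a finite trace."""
    active = sum(rule.applies(step) for step in trace)
    violations = sum(rule.violated(step) for step in trace)
    return {
        "violations": violations,
        "active_steps": active,
        "flagged": violations > 0,  # once-per-agent flag
        # Normalization (1): full duration; (2): time the premise was active.
        "rate_full": violations / len(trace) if trace else 0.0,
        "rate_active": violations / active if active else 0.0,
    }


# Rules using the Table III labels.
SAFE_LANE_CHANGE = Rule("safe lane change", "sd-rear", premise=("lane-change",))
SAFE_DISTANCE = Rule("safe distance (preced.)", "sd-front")
# Hypothetical labels: the page names the exceptions but not their symbols.
KEEP_RIGHT = Rule("keep in right-most lane", "right-most-lane",
                  exceptions=("dense-traffic", "built-up"))

# Constructed trace: one agent, ten time steps, labels already evaluated.
TRACE = [
    {"sd-front", "sd-rear", "right-most-lane"},
    {"sd-front", "sd-rear", "right-most-lane"},
    {"sd-front", "lane-change"},                  # unsafe lane change
    {"sd-front", "sd-rear"},
    {"sd-rear"},                                  # too close to predecessor
    {"sd-rear"},
    {"sd-front", "sd-rear", "lane-change", "right-most-lane"},
    {"sd-front", "sd-rear", "right-most-lane"},
    {"sd-front", "sd-rear", "dense-traffic"},     # exception suspends keep-right
    {"sd-front", "sd-rear", "dense-traffic"},
]

if __name__ == "__main__":
    for rule in (SAFE_LANE_CHANGE, SAFE_DISTANCE, KEEP_RIGHT):
        print(rule.name, monitor(rule, TRACE))
```

On this trace the lane-change rule looks almost clean when normalized by the full duration but is violated in half of the steps where its premise is active, while the two rates coincide for the safe distance rule, whose premise is always true.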
VI Conclusion and Future Work
We have formalized traffic rules for dual carriageways according to German traffic regulations. For this, we presented a methodology for legal analysis, which allowed us to codify these rules. We identified definition gaps in the regulations, especially in the predicates. We hope to start a discussion to remove this ambiguity. Our evaluation on real data helped us to concretize the predicates iteratively, and it also showed that humans violate formal traffic rules to a varying extent. We plan to extend our evaluation to more scenarios. As a next step, false negatives and false positives need to be identified through a more elaborate evaluation, i.e. finding the correlations between rule violations. Also, the evaluation shall be extended to include lane selection rules and right of way. Our work lays the foundation for integrating traffic rules into a planning component and leveraging the benefits of formalization to evaluate the rules’ compliance. Future work needs to collaborate with legal experts to verify our legal analysis and extend it to cover all regulations.
- The vehicle does not exceed 3.5 tons, is legally allowed to drive on motorways, and has no trailer.
- An English translation of the StVO is available at