Search-based Test-Case Generation by Monitoring Responsibility Safety Rules

04/25/2020 ∙ by Mohammad Hekmatnejad, et al. ∙ Arizona State University toyota 0

The safety of Automated Vehicles (AV) as Cyber-Physical Systems (CPS) depends on the safety of their consisting modules (software and hardware) and their rigorous integration. Deep Learning is one of the dominant techniques used for perception, prediction, and decision making in AVs. The accuracy of predictions and decision-making is highly dependant on the tests used for training their underlying deep-learning. In this work, we propose a method for screening and classifying simulation-based driving test data to be used for training and testing controllers. Our method is based on monitoring and falsification techniques, which lead to a systematic automated procedure for generating and selecting qualified test data. We used Responsibility Sensitive Safety (RSS) rules as our qualifier specifications to filter out the random tests that do not satisfy the RSS assumptions. Therefore, the remaining tests cover driving scenarios that the controlled vehicle does not respond safely to its environment. Our framework is distributed with the publicly available S-TALIRO and Sim-ATAV tools.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 3

page 6

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

I Introduction

The development of safe, fully autonomous systems has become one of the seminal technological problems of our time. Their eventual development will have a significant impact on mobility, with solutions ranging from personal mobility, to mobility-on-demand systems. The potential of automation carries a plethora of environmental and financial benefits [nhtsa_ads].

Major components of these systems are developed to tackle problems of perception, decision making, and control, often using machine learning techniques such as Deep Neural Networks

[SiamEtAl2017itsc]. Ensuring that these components are bug-free is a challenging problem. To make the problem more difficult, emergent behavior that arises as a result of the complex interaction between these components is extremely difficult to detect [Lee2018ArsTechnica, JohnsonEtAl2015esv].

Physical testing has shown to be expensive, time consuming, and generally inefficient. In addition, there is no consensus on what constitutes an adequate metric in this area. It is questionable whether metrics such as miles driven and miles per disengagement, which are typically reported to governmental agencies [milesPerDiss2019], are sufficient since most of the testing and miles driven are conducted in carefully chosen locations and scenarios. As a result, these metrics fail to capture a wide array of conditions and scenarios that are typical in day-to-day passenger driving.

Recent research [TuncaliPF16itsc, CorsoEtAl2019itsc, dreossi2019verifai, majumdar2019paracosm, Abbas17Cyphy, KoschiEtAl2019itsc] supports simulation-based and virtual methods as a scalable alternative. Simulation enables inexpensive, quick testing for arbitrarily complex conditions and scenarios. It also speeds up development by enabling automakers to quickly iterate and support the rapid development of their systems. In addition, since simulation-based methods have been studied extensively in the testing and verification community (see [KapinskiEtAl2016csm] for an overview), it is only natural to attempt an extension to the autonomous vehicle domain.

In [fremont2019scenic], the authors develop a probabilistic programming language Scenic to define scenes, which are configurations of physical objects in traffic environments. The probabilistic component enables the assignment of behavior distributions to specific objects in the scene. In [tuncali2019requirements, TuncaliEtAl2018iv], the authors present Sim-ATAV, part of the [fainekos2019robustness] toolbox, for adversarial testing of autonomous vehicles with machine learning components. The tool enables the generation of test cases that falsify formal requirements expressed in Signal Temporal Logic (STL) [BartocciEtAl2018survey]. Frameworks like [dreossi2019verifai] and [AbbasKRM2017asme] and the corresponding toolchains provide similar functionality to Sim-ATAV for search-based test generation. A challenge encountered by all these methods is how to properly define what constitutes a violation of safe driving behaviors.

In this paper, Responsibility Sensitive Safety (RSS) [shalev2017formal, GassmannEtAl2019iv, KoopmanOW2019safecomp] rules are utilized for classifying and qualifying driving test data to determine ego-centric and meaningful driving scenarios. In order to achieve that, RSS specifications are formalized into STL to enable formal, algorithmic reasoning over them. In [hekmat2019memocode], RSS specifications were utilized to monitor naturalistic traffic data obtained from the CommonRoad library [althoff2017commonroad]. In this paper, the driving scenarios are generated through simulation. Given formal RSS specifications, a requirements-guided search through a stochastic optimization algorithm finds worst infractions of RSS specifications. The set of falsifying behaviors may be analyzed further by considering which part of the specification caused the falsification. This is beneficial since the root cause of failure may be determined and classified quickly. For example, using this approach, practitioners can return only the falsifying behaviors related to longitudinal distances between the ego car and other agents. To the best of the authors knowledge, this is the first time RSS specifications are formalized for testing vehicles in a simulated environment.

Ii preliminaries

Ii-a Signal Temporal Logic

Signal Temporal Logic (STL) [BartocciEtAl2018survey] was defined to express bounded time requirements over continuous-time (CT) signals. In this paper, we present the syntax and semantics of STL over discrete-time (DT) signals as resulting from simulations.

[STL Syntax for DT signals] Let

be a vector variable, i.e.,

, be a function over the reals, and be any non-empty interval of . The syntax for Signal Temporal Logic (STL) formulas is provided by the following grammar:

where is true, is the next sample operator, and is the until operator.

We utilize a quantitative interpretation for the STL semantics (see [BartocciEtAl2018survey] for an overview). In order to define quantitative semantics with a topological interpretation over arbitrary predicates , we will need to use a generalized quasi-metric [AbbasFSIG13tecs] (referred to simply as a metric for brevity in the following) to define a signed distance function: [Signed Distance] Let be a point, be a set and be a metric. Then, we define the Signed Distance from to to be

Intuitively, the distance function returns positive values when is in the set and negative values when is outside the set . We should point out that we use the extended definition of supremum () and infimum (). That is to say, the supremum of the empty set is defined to be the bottom element of the domain, while the infimum of the empty set is defined to be the top element of the domain. For example, when , then .

We review STL semantics that map a formula and a trace to a value drawn from a lattice . In this work, even though we need an arbitrary lattice of truth values to treat Boolean signals, in most of the examples, we assume that (with the usual negation (-) over the reals). We denote the robust valuation of the formula over the trace at sample by . The semantics for a predicate evaluated at time over trace is defined as the distance between and the set . Intuitively, this distance represents how robustly the point lies within (or is outside) the set . If this distance is zero, then the smallest perturbation of the point can affect the outcome of .

[Discrete-Time Robust Semantics] Consider an extended generalized quasi-metric space . Let be a trace, then the robust semantics of an STL formula with respect to at time sample is defined as:

where is the top element of the lattice, and .

Intuitively, the requirement states that should be true at the next sample, which should occur some time in the physical time interval . For example, consider and the formula , then is true () at sample since . However, for , would evaluate to false (). The operator states that should be satisfied at some time in the interval and until then should hold. The other common Boolean and temporal operators can be defined as syntactic abbreviations (see [BartocciEtAl2018survey]). For example, stands for eventually at some time in the time interval , should be true, and stands for always during the interval , should be true. When , we will be dropping from the notation, e.g., .

An important operator that we will be using in this work is the release operator , which states that should always hold during the time interval up to (but not including) the time when becomes true. In fact, we will need a slightly modified version of the release operator which does not require to happen at all if has happened in the past:

We refer to the above operator as non-strict release operator. In fact, any non-strict release formula such as can be rewritten as using the release operator.

Ii-B Robustness-guided Falsification of STL Specifications

The problem of determining whether a CPS satisfies a specification is an undecidable problem, i.e. there is no general algorithm that terminates and returns whether . Therefore, it is not possible to determine exactly the minimum robustness over all system behaviors. However, by repeatedly testing the system, we can check whether a behavior that does not satisfy the specification exists.

Falsification is the process of finding a counter-example or falsifying example that proves that the system does not satisfy the specification. The STL falsification problem is presented as follows:

[STL Falsification] Given an MTL formula and a system , find initial conditions and input signals such that, when given to , generate a falsifying trajectory for which (or with Boolean semantics ).

The robustness semantics of STL enable the development of an optimization framework that searches for falsifying behavior in a system. Specifically, the problem may be posed as a global non-linear optimization problem:

(1)

Here, is a system trajectory and is the set of all system behaviors. If the global optimization algorithm converges to some local minimize such that , then a counterexample (adversarial sample) has been identified, which can be used for debugging (or for training).

In order to solve this non-linear non-convex optimization problem, a number of stochastic search optimization methods can be applied (e.g., [AbbasFSIG13tecs] – for an overview see [KapinskiEtAl2016csm]). We leverage existing falsification methods to identify falsifying examples for an autonomous driving system.

Iii Rss

In this paper, our focus is to use the RSS specifications for monitoring the safety of driving behavior of an ego car [shalev2017formal]. In our test environment, non-ego cars’ behaviors are as unconstrained as possible. Hence, worst-case scenarios are not always meaningful. We utilize the RSS requirements to place constraints solely on the ego car’s behavior and not other vehicles in the road (referred to as agent vehicles from now on).

Before diving into a formal definition, we first informally describe the RSS requirements for an ego car driving on the highway, and then formally represent them in STL. A situation is unsafe if and only if the longitudinal and lateral distances among the ego vehicle and agent vehicles are unsafe. By lateral and longitudinal safe distances, we refer to the minimum required distances, which are calculated based on the current velocities of the ego car, ego’s maximum reaction time (), and the maximum/minimum allowed accelerations stated in Table III.

We illustrate the concept of safe longitudinal distance and predicates needed in our definitions in Fig. 1. Similarly, in Fig. 2, we illustrate the concept of safe lateral distance and related predicates. The idea is that if an ego car continuously preserves the minimum required safe distances with a leading agent vehicle until the distances become unsafe, then it can react responsibly and responsively in order to reach a safe state again. There are two significant restrictions on the ego’s driving behavior based on time. We use hesitation and reaction times to refer to times that fall in and , respectively. For all the hesitation times, the ego car cannot exceed a maximum lateral/longitudinal acceleration bound depending on which distance changed from safe to unsafe. For all reaction times, the ego car has to react responsibly. That is, the ego car has to start decelerating with the minimum required deceleration depending on which distance changed from safe to unsafe. For the case that a situation becomes unsafe laterally, there is another restriction on the velocity of the ego car. That is, in the reaction time, the ego car has to control its lateral velocity so that it never deviates more than a constant from its original lateral position when the situation became unsafe laterally. All the restrictions are lifted when an unsafe situation becomes safe again. For more details see [shalev2017formal] and [hekmat2019memocode].

symbol description
reaction time in
minimum lateral distance in
sampling time in
minimum required longitudinal braking in
maximum allowed longitudinal accelerating in
minimum required lateral braking in
maximum allowed longitudinal braking in
maximum allowed lateral accelerating in
TABLE I: The RSS parameter description in the safe lateral and longitudinal definitions.
Fig. 1: Longitudinal Safety. See Table I for the symbol definitions.
Fig. 2: Lateral Safety. See Table I for the symbol definitions.

In the rest of this section, we represent a slightly modified version of the formula from the Remark III.3 in [hekmat2019memocode]. For the sake of space and readability, for the lateral requirements, we assumed that the ego car is driving on the left side of the other car. Also, we assume that the car behind the front car is the ego car. [RSS formalization in STL for a single ego car driving in highway along other cars]

The below formula enforces the required RSS restrictions on the velocity and accelerations of an ego car driving on a highway.

where and are defined as

and the subformulas , and are defined as

By we mean that the lateral velocity of the ego car is less than or equal to zero.

Note that all the predicates’ definitions and assumptions can be found in [hekmat2019memocode]. The formula consists of four subformulas such as for each a unique trigger or response is defined. The subformula gets triggered if a safe longitudinal and an unsafe lateral distances become unsafe all together. We call the time that both lateral and longitudinal distances become unsafe, a dangerous time. If time is a new dangerous time and after that until the current time all times in are dangerous times, then we call the Dangerous Threshold time as in [shalev2017formal]. The desired response for this case enforces some longitudinal restrictions on the behavior of the ego car. Similarly, the subformula gets triggered if an unsafe longitudinal and a safe lateral distances become unsafe all together. The desired response for this case enforces some lateral restrictions on the behavior of the ego car.

Unlike the and subformulas, the next two subformulas and are designed to cover the cases that either a situation changes from completely safe to unsafe, or it starts completely unsafe. The desired response to both cases requires either or both responses of the two previous responses.

Iv RSS Application on Automated Test Generation and Classification

By using the formalized RSS requirements as STL formulas, we can collect more meaningful samples for testing purposes. More specifically, we are interested in screening test driving scenarios and classifying them based on safety conditions introduced by RSS. One advantage of automated and guided test generation and classification is to only generate automatically annotated tests for testing and training perception based systems in ADS.

In this section, we show how one can utilize the formalized RSS requirements to select useful scenarios among a set of arbitrarily generated driving scenarios for testing purposes. We used and Sim-ATAV in our experiments for monitoring and simulating trajectories, respectively [taliro_tools, fainekos2019robustness, tuncali2019requirements].

To show the effectiveness of our proposed framework, we represent and use a basic collision avoidance specification (CAS from now on) concerning the distances of an ego vehicle and other agent vehicles. We compare the result of monitored scenarios by using the CAS and the RSS requirements separately. We formalized the CAS requirements in STL representation in the following definition.

[Collision Avoidance Specification] We call two objects collided if and only if their shortest distance get closer than a . The STL version of the requirement is shown as below:

where Table II represents the symbol descriptions.

For the tests, we only considered highway traffic scenarios, which by design do not include intersections, and wherein all the self-driving vehicles are moving in the same direction. In the scenarios, there are two agent vehicles and one ego vehicle. We generated our test scenarios with some restrictions for the initial positions, orientations, and speeds of the vehicles. Also, we enable the two agent vehicles to drive along the highway and maneuver randomly. We used the information in Table III as our test generating configuration parameters.

Note that our approach is not restricted to the presented scenarios, and it applies to the more general traffic scenarios which are discussed in [shalev2017formal]. We used DP-TaLiRo [taliro_tools, fainekos2012verification] as our offline monitoring tool for computing the robustness of the traffic scenarios.

symbol description
longitudinal distance between the go vehicle and the adversarial vehicle 1
longitudinal distance between the go vehicle and the adversarial vehicle 2
lateral distance between the go vehicle and the adversarial vehicle 1
lateral distance between the go vehicle and the adversarial vehicle 2
a constant safe longitudinal distance
a constant safe lateral distance
TABLE II: The CAS symbol description in the safe lateral and longitudinal definitions. All distances are in meter.
parameter value range parameter value range
[0,5] [-1.5,4.5]
[-,] [10,25]
[20,40] [-3.5,-1.5]
[10,25] [1,4]
[5,15] [0,30]
[-5,0] [10,30]
[0,5] [4,20]
TABLE III: The parameter values in the case-study and experiments.
parameter value parameter value
0.5 0.4
0.01 4
4.5 3
2.5 3
TABLE IV: The RSS parameter values in the case-study and experiments.

Iv-a Vehicle Controller

In our experiments, we used an existing Sim-ATAV vehicle controller. The controller receives (provided by simulator) camera, LIDAR, and Radar sensor information as to its input signals. There is a perception system as part of the controller that performs sensor data processing and sensor fusion. The controller is capable of detecting object types (vehicle, pedestrian) and their predicted trajectories. The control algorithm sends signals to the throttle and steering actuators. The controller’s goal is to safely follow a predetermined path. For more information, we refer readers to [tuncali2019requirements]. We chose as the max and target velocity for the ego vehicle.

Iv-B Simulated Tests and Environment

In our experiments, the simulated environment consists of a straight highway with three lanes. The initial test conditions concern position, orientation, and velocity of the ego vehicle. The initial test conditions for the agent vehicles concern the same parameters as the ego vehicle, except that their orientations are fixed.

At each run of test generation, a uniform random sampler randomly chooses the initial conditions of all the vehicles. It also generates random trajectories for agent vehicles. In this experiment, we predetermined a fixed trajectory for the ego vehicle. However, the ego vehicle’s controller is free to do collision avoidance maneuvers. We ran a (hit-and-run) sampler to produce and store one thousand of sample scenarios for the test parameters shown in Table III. We chose the parameter values for demonstration purposes and they might not reflect realistic values. During the rest of the section, we refer to the code-base that controls test screening and classifying test control unit. The details of tasks in Fig. 3 are explained in the following:

  • (a): The very first step is to design test scenarios and assign range values for configurable parameters. For example, we used data in the Table III in our experiments. Also, we used Sim-ATAV to design driving scenarios.

  • (b): We use as our monitoring tool, and configure it based on the our test design. Two important tasks here are to formalize a desirable specification in STL form and define input signals. Here we use two STL formulas in Def. 2 and Def. IV for comparison purposes.

  • (c): The tool is equipped with random samplers and optimizers. We use the random-walk algorithm from the to generate uniformly random test data. When optimization is needed, we use Simulated Annealing with hit and run Monte Carlo sampling. The test data consists of all the initial values for the vehicles (as in Table III) that are needed to run the designed simulation. The test control unit passes the generated test to the Sim-ATAV through an interface. Sim-ATAV initializes the simulator (Webots) and makes it ready to run the test. When the simulation terminates, the Sim-ATAV passes the simulated trajectories of all the vehicles to the test control unit. Next, the test control unit translates the trajectories into the lane-based coordinate system that the RSS rules are defined based on. Lastly, using the translated trajectories, we compute the final input signals to the monitor. That is, each signal represents a corresponding predicate in the RSS formula such as safe distances or -lateral velocities.

  • (d): Our DP-TaLiRo monitor computes the robustness of the generated driving trajectories (input signal) for the ego vehicle given an STL specification formula. The positive or negative sign of the computed robustness value states if the specification is satisfiable or falsifiable, respectively. The magnitude of the robustness value determines the resistance of the signal against perturbations.

  • (e): In this experiment, we are interested in accumulating test scenarios that do not meet safety standards based on RSS rules. If the robustness of the RSS specification was negative, then the test driving scenario does not satisfy the RSS requirements, and, therefore, it is a useful sample.

Fig. 3: The flowchart represents the executing order of major tasks in our framework.

Iv-C Case Study

We chose some interesting scenarios to explain and analyze here. In these scenarios we show how the RSS specification helps to select useful tests for verifying the vehicle’s controller. The first scenario was test number 131 among 1000 uniformly generated tests. Figure 3(a) represents half of the trajectory in the test (from time to time ). The colors of boxes in each trace represents a vehicle in the simulation. The ego vehicle with yellow color drives in the middle lane. The two other vehicles in magenta and blue drive to the left and right of the ego vehicle. We highlighted the part of the trajectories that were close to the ego vehicle with red color. Also, under the trajectory diagram in Fig. 4, there are four snapshots taken from the simulation at different times.

We monitored the specification in Def. 2 for the above scenario. The robustness result was negative, and the monitor reported the in subformula as the predicate that caused the maximum negative robustness value. This was due to high acceleration by the ego vehicle in the beginning of the scenario. The ego vehicle starts braking as soon as its controller detects the leading vehicle and assigns a high level of caution to it.

However, during the hesitation period, it did exceed the required maximum acceleration. Interestingly, this case did not violate the RSS rules for the blue vehicle driving closely to the right, but because of the red vehicle on the left of it.

In Figure 5, we demonstrated two common scenarios in our previous experiments. A test scenario illustrated in Fig. 5(a) starts for the ego vehicle in the right-most lane. The ego vehicle planned to change lane into the middle lane, and stay in that lane. The other agent vehicle in front of it started in the middle lane and then starts changing lane into the right-most lane. The vehicle control in the ego vehicle detects the front vehicle and tries to reduce its speed but not its direction. The RSS requirements demands for safe steering behavior which in this case was not respected, and therefore this is a useful test. In another situation demonstrated in Fig. 5(b), the ego initially is very close to the blue vehicle in front of it, and then the blue vehicle turns in front of it unsafely and collides with it. This scenario is initially unsafe, and the ego vehicle should respond according to either of the lateral or longitudinal safety requirements. If the initial speed of the ego vehicle is not too high, then it can brake on-time and satisfying the RSS requirements. Otherwise, the ego vehicle cannot react on-time and contributes to the collision, which qualifies it to be collected as a useful test. We emphasize that this class of test case results, which are hard for a human to detect, were one of the motivations for us to propose this approach for test generation.

(a) A sample trajectory of three vehicles. The ego vehicle’s trajectory is shown in the middle lane and colored yellow. The red part of the vehicle’s trajectory in the lowest lane highlights the close distance to the ego vehicle. The (b),(c),(d), and (e) refer to the times that below snapshots are taken.
(b) first snapshot.
(c) second snapshot.
(d) third snapshot.
(e) forth snapshot.
Fig. 4: A sample traffic scenario taken from Webots.
(a) A scenario starts in an unsafe longitudinal and safe lateral situation, and then it also becomes unsafe laterally when the cars change their lane.
(b) A scenario starts unsafe laterally and longitudinally. The blue agent vehicle turns in front of the ego vehicle and causes a virtual collision.
Fig. 5: Two common unsafe scenarios.
description values description values
Total pos (RSS) 771 Total pos (CAS) 406
Total neg (RSS) 229 Total neg (CAS) 594
Total zeros (RSS) 0 Total zeros (CAS) 0
one-by-one comparison between RSS and CAS results
pos (RSS) pos (CAS) 387 neg (RSS) neg (CAS) 210
neg (RSS) pos (CAS) 19 pos (RSS) neg (CAS) 384
TABLE V: Statistical result about robustness of monitoring RSS and CAS specifications. We used “pos” as an abbreviation of positive and “neg” as an abbreviation for negative.
predicates # of violations description
2 safe longitudinal distance
23 safe lateral distance
67 maximum allowed lateral acceleration
0 minimum required lateral brake
68 zero lateral velocity
0 non-positive lateral velocity
33 maximum allowed longitudinal acceleration
36 minimum required longitudinal brake
Execution Statistics
violation % falsified percentage using the RSS rules
TABLE VI: The break down statistics of predicates that caused the highest negative robustness.
description values description values
Total pos (RSS) 406 Total pos (CAS) 20
Total neg (RSS) 594 Total neg (CAS) 980
Total zeros (RSS) 0 Total zeros (CAS) 0
one-by-one comparison between RSS and CAS results
pos (RSS) pos (CAS) 0 neg (RSS) neg (CAS) 574
neg (RSS) pos (CAS) 20 pos (RSS) neg (CAS) 406
TABLE VII: Statistical result about robustness of monitoring RSS and CAS specifications in mostly unsafe situations. We used “pos” as an abbreviation of positive (satisfying specifications) and “neg” as an abbreviation for negative (violating specifications).

In the next section, we discuss and present our experiments and their result.

Iv-D The necessity of RSS in testing

For all the experiments in this section, we used the values in Table IV and Table III. Also, the length of each simulated driving scenario is 10 seconds. In our first experiment, we generated and stored one thousand uniformly random driving scenarios. We do not precisely follow the executing sequences shown in Fig. 3 as we are going to compare the result of monitoring the same test data against two different STL formulas. Next, we computed the robustness of the test data against CAS specifications.

The result is demonstrated in the third and fourth columns of the upper part of Table V. About of the result did not violate their specification, and the other did violate their specifications. The result of computed robustness of the test data against RSS specifications is shown in the first and second columns of the upper part of the same table. The violated scenarios for the RSS case is noticeably less than the for the CAS case. The lower part of Table V represents the statistics of all combinations of positive and negative results of each specification for each test. Note that the total number of tests for which both specifications falsified and satisfied them is 210 and 387, respectively. The result suggests that 384 falsified tests by the CAS specifications are not of our interest. Furthermore, 19 tests were falsified with the RSS requirements, but not with the CAS requirements. This implies that the test scenarios were potentially dangerous and hence worth further analysis, but they did not necessarily lead to a collision. In this experiment, using the RSS specifications, we can disregard 384 meaningless and add 19 meaningful tests (about of the tests) that were misclassified by using a simple collision avoidance requirement (CAS). Table VI denotes the list of predicates in the RSS formula and the number of times that each one got falsified with the highest negative magnitude (most violating). A clustering algorithm can use the information about the falsified predicates to more tailor the test scenarios.

Iv-E Improving search-based testing through RSS

In another experiment, we followed exactly the flow in Fig. 3. We engaged the optimizer and used the CAS specification as its cost function (s.t. optimality means lower robustness for an input signal) to find more dangerous test driving scenarios. We let the optimizer to find the worst falsifying behavior for the CAS specifications for one thousand iterations and stored the samples and their robustness result. The result is presented in the third and fourth columns of the upper part of Table VII. Exactly of the result have positive robustness values, and the other have negative values. The high percentage of negative result is because of the optimization. The result of computed robustness of the stored test data against RSS specifications is shown in the first and second columns of the upper part of the same table. The negative robustness for the RSS case is substantially less than the for the CAS case. The lower part of Table VII represents the statistics of all combinations of positive and negative results of each specification for each test. Note that the total number of tests for which both specifications falsified and satisfied them is 574 and 0, respectively. The result suggests that 406 falsified tests by the CAS specifications are not of our interest. Furthermore, 20 tests were falsified with the RSS requirements but not with the CAS requirements. In this experiment, using the RSS specifications, we can disregard 406 meaningless and add 20 meaningful tests (about of the tests) that were misclassified by using a simple collision avoidance requirement.

Iv-F Falsification by RSS

In the last experiment, according to the diagram in Fig. 3 we engaged the optimizer and used the RSS specification as its cost function to find more relevant test driving scenarios. We let the optimizer to try to optimally falsify the RSS specifications for 350 iterations and stored the samples and their robustness result. Similar to what we did in the last two experiments, we repeated the process for the CAS specifications. The result are depicted in Table VIII and Table IX. The optimizer is especially helpful when falsification is the priority. An alternative approach could be running a script that screens all the randomly generated tests and computes and classifies their safeties. However, this approach can take longer to falsify the specifications in comparison to using an optimizer.

The predicate statistics in Table VI and Table IX suggests that we can further classify test scenarios based on their violated constraints. For example, we might only be interested in unsafe test scenarios in which the maximum allowed lateral acceleration denoted by predicate was violated by the controller.

description values description values
Total pos (RSS) 292 Total pos (CAS) 50
Total neg (RSS) 58 Total neg (CAS) 300
Total zeros (RSS) 0 Total zeros (CAS) 0
one-by-one comparison between RSS and CAS results
pos (RSS) pos (CAS) 49 neg (RSS) neg (CAS) 57
neg (RSS) pos (CAS) 1 pos (RSS) neg (CAS) 243
TABLE VIII: Statistical result about robustness of monitoring RSS and CAS specifications where we used the RSS rules for optimization. We used “pos” as an abbreviation of positive and “neg” as an abbreviation for negative.
predicates # of violations description
2 safe longitudinal distance
3 safe lateral distance
13 maximum allowed lateral acceleration
0 minimum required lateral brake
0 zero lateral velocity
0 non-positive lateral velocity
35 maximum allowed longitudinal acceleration
5 minimum required longitudinal brake
Execution Statistics
violation % falsified percentage using the RSS rules
TABLE IX: The break down statistics of predicates that caused the highest negative robustness in the last experiment.

V Conclusion

In this paper, we present an automated and qualification based method for generating driving test scenarios. The generated tests could be used for discovering control software bugs in autonomous vehicles.

We integrated the RSS requirements into our Sim-ATAV framework, which is publicly available as part of tool. Now it is possible to test the control and perception system stack against the RSS model.

References