automated testing of autonomous driving assistance...
TRANSCRIPT
![Page 1: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/1.jpg)
Automated Testing of Autonomous Driving Assistance Systems
Lionel Briand
TrustMeIA, 2019
![Page 2: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/2.jpg)
Acknowledgments
2
Raja Ben Abdessalem
Shiva Nejati AnnibalePanichella
![Page 3: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/3.jpg)
Introduction
3
![Page 4: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/4.jpg)
Cyber-Physical Systems
• Increasingly autonomous
• ML-based, e.g., DNN in perception layer
• Not just recommendations, act on the physical environment
• Safety implications
4
• A system of collaborating computational elements controlling physical entities
![Page 5: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/5.jpg)
CPS Development Process
5
Functional modeling: • Controllers• Plant• Decision
Continuous and discrete Simulink models
Model simulation and testing
Architecture modelling• Structure• Behavior• Traceability
System engineering modeling (SysML)
Analysis: • Model execution and
testing• Model-based testing• Traceability and
change impact analysis
• ...
(partial) Code generation
Deployed executables on target platform
Hardware (Sensors ...) Analog simulators
Testing (expensive)
Hardware-in-the-Loop Stage
Software-in-the-Loop StageModel-in-the-Loop Stage
![Page 6: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/6.jpg)
Formal Verification• Significant Research Formal
verification: Exhaustive, guarantees (deterministic or statistical) [Sheshiaet al. 2017]
• Models of system, environment, and properties in formalisms for which there are efficient decision procedures.
• Challenges: Undecidability, assumptions, scalability.
6
Seshia et al., Towards Verified AI
![Page 7: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/7.jpg)
Limitations of Formal Verification• Complexity and heterogeneity of CPS
• Non-Boolean properties
• Models capture continuous dynamics
• Not always easy or feasible to translate into low-level logic-based languages
• Models contain constructs that are not easy to handle such as non-algebraic arithmetics, third-party code (S-Functions).
7
![Page 8: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/8.jpg)
Testing• Focus on falsification (testing) and explanation.
• Automated testing with a focus on safety violations
• Explanation of safety violations è Risk assessment
• Testing takes place at different phases of development in CPS: MiL, SiL, HiL.
• Testing does not prove satisfiability: It finds safety violations or provide assurance cases (evidence)
8
![Page 9: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/9.jpg)
Testing Cyber-Physical Systems
• MiL and SiL testing: Computationally expensive (simulation of physical models)
• HiL: Human effort involved in setting up the hardware and analog simulators
• Number of test executions tends to be limited compared to other types of systems
• Test input space is often extremely large, i.e., determined by the complexity of the physical environment
• Traceability between system testing and requirements is mandated by standards
9
![Page 10: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/10.jpg)
Testing Advanced Driving Assistance Systems
10
![Page 11: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/11.jpg)
Problem Definition and State of Practice
11
![Page 12: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/12.jpg)
Advanced Driver Assistance Systems (ADAS)
12
Automated Emergency Braking (AEB)
Pedestrian Protection (PP)
Lane Departure Warning (LDW)
Traffic Sign Recognition (TSR)
![Page 13: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/13.jpg)
Advanced Driver Assistance Systems (ADAS)
Decisions are made over time based on sensor data
13
Sensors
Controller
Actuators Decision
Sensors/Camera
Environment
ADAS
![Page 14: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/14.jpg)
Automotive Environment• Highly varied environments, e.g., road topology, weather, building and
pedestrians …
• Huge number of possible scenarios, e.g., determined by trajectories of pedestrians and cars
• ADAS play an increasingly critical role in modern vehicles
• Systems must comply with functional safety standards, e.g., ISO 26262
• A challenge for testing
14
![Page 15: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/15.jpg)
ISO 26262
• Defines the vehicle safety as the absence of unreasonable risks that arise from malfunctions of the system.
• Requires safety goals, necessary to mitigate the risks.
• Provides requirements and recommendations to avoid and control random hardware failures and systematic system failures that could violate safety goals.
15
![Page 16: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/16.jpg)
SOTIF• ISO/PAS standard: Safety of the intended functionality (SOTIF).
• Autonomy: Huge increase in functionalities relying on advanced sensing, algorithms (ML), and actuation.
• SOTIF accounts for limitations and risks related to nominal performance of sensors and software:
• The inability of the function to correctly comprehend the situation and operate safely; this also includes functions that use machine learning algorithms;
• Insufficient robustness of the function with respect to sensor input variations or diverse environmental conditions.
16
![Page 17: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/17.jpg)
SOTIF: Scenes and Scenarios
17
Domain Conceptual Model (Terminology) [9]
![Page 18: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/18.jpg)
Temporal view of scenes, events, actions and situations in a scenario
18
![Page 19: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/19.jpg)
Verification in SOTIF
• Decision algorithm verification: “… ability of the decision-algorithm to react when required and its ability to avoid unwanted action.”
• Integrated system verification: “Methods to verify the robustness and the controllability of the system integrated into the vehicle …”
19
![Page 20: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/20.jpg)
Decision Algorithm Verification
20
© ISO 2017 – All rights reserved 33
Table 6: Decision Algorithm verification 779
Methods
A Verification of robustness to interference from other sources, e.g. white noise, audio frequencies, Signal-to-Noise Ratio degradation (e.g. by noise injection testing)
B Requirement-based test (e.g. classification, sensor data fusion, situation analysis, function)
C Verification of the architectural properties including independence, if applicable
D In the loop testing (e.g. SIL / HIL / MIL) on selected SOTIF relevant use cases and scenarios
E Vehicle level testing on selected SOTIF relevant use cases and scenarios
F Inject inputs into the system that trigger potentially hazardous behaviour
NOTE For test case derivation the method of combinatorial testing can be used [5]
780
10.4 Actuation verification 781
Methods to verify the actuators for their intended use and for their reasonably foreseeable misuse in 782 the decision algorithm can be applied as illustrated by Table 7. 783
Table 7: Actuation verification 784
785
786
10.5 Integrated system verification 787
Methods to verify the robustness and the controllability of the system integrated into the vehicle can be 788 applied as illustrated by Fehler! Verweisquelle konnte nicht gefunden werden.8. 789
Methods
A Requirements-based test (e.g. precision, resolution, timing constraints, bandwidth)
B Verification of actuator characteristics, when integrated within the vehicle environment
C Actuator test under different environmental conditions (e.g. cold conditions, damp conditions)
D Actuator test between different preload conditions (e.g. change from medium to maximum load)
E Verification of actuator ageing effects (e.g. accelerated life testing)
F In the loop testing (e.g. SIL / HIL / MIL) on selected SOTIF relevant use cases and scenarios
G Vehicle level testing on selected SOTIF relevant use cases and scenarios
![Page 21: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/21.jpg)
Integrated System Verification
21
34 © ISO 2018 – All rights reserved
Table 8: Integrated system verification 790
Methods
A Verification of robustness to Signal-to-Noise Ratio degradation (e.g. by noise injection testing)
B Requirement-based Test when integrated within the vehicle environment (e.g. range, precision, resolution, timing constraints, bandwidth)
C In the loop testing (e.g. SIL / HIL / MIL) on selected SOTIF relevant use cases and scenarios
D System test under different environmental conditions (e.g. cold, damp, light, visibility conditions)
E Verification of system ageing affects. (e.g. accelerated life testing)
F Randomized input tests a)
G Vehicle level testing on selected SOTIF relevant use cases and scenarios
H Controllability tests (including reasonably foreseeable misuse)
a) Randomized input tests can include erroneous patterns e.g. in the case of image sensors adding flipped images or altered image patches; or in the case of radar sensors adding ghost targets to simulate multi-path returns.
Annex D provides examples for the verification of perception systems. 791
11 Validation of the SOTIF (Area 3) 792
11.1 Objectives 793
The functions of the system and the components (sensors, decision-algorithms and actuators) shall be 794 validated to show that they do not cause an unreasonable level of risk in real-life use cases (see Area 3 795 of Figure 9). This requires evidence that the validation targets are met. 796
To support the achievement of this objective the following information can be considered: 797
- Validation strategy, as defined in Clause 9; 798
- Verification results in defined use cases, as defined in Clause 10; 799
- Functional concept, including sensors, actuators and decision-algorithm specification; 800
- System design specification; 801
- Validation targets, as defined in Clause 6; 802
- Vehicle design (e.g. sensor mounting position); and 803
- Analysis of triggering events results as described in Clause 7.2. 804
11.2 Evaluation of residual risk 805
Methods to evaluate the residual risk arising from real-life situations, that could trigger a hazardous 806 behaviour of the system when integrated in the vehicle, can be applied as illustrated by Fehler! 807 Verweisquelle konnte nicht gefunden werden.9. 808
![Page 22: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/22.jpg)
How to perform such testing efficiently and effectively?
22
![Page 23: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/23.jpg)
Research is needed
23
![Page 24: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/24.jpg)
MiL Testing of ADAS
![Page 25: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/25.jpg)
Recent Project• Developing an automated testing technique
for ADAS
25
• To help engineers efficiently and effectively explore the complex scenario space of ADAS
• To identify critical, failure-revealing test scenarios
• Characterization of input conditions that lead to most critical scenarios, e.g., safety violations
![Page 26: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/26.jpg)
26
Automated Emergency Braking System (AEB)
26
“Brake-request” when braking is needed to avoid collisions
Decision making
Vision(Camera)
Sensor
Brake Controller
Objects’ position/speed
![Page 27: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/27.jpg)
Example Critical Situation
• “AEB properly detects a pedestrian in front of the car with a high degree of certainty and applies braking, but an accident still happens where the car hits the pedestrian with a relatively high speed”
27
![Page 28: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/28.jpg)
Testing ADAS
28
A simulator based on physical/mathematical models
Time-consuming
Expensive
On-road testing
Simulation-based (model) testing
Unsafe
![Page 29: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/29.jpg)
Testing via Physics-based Simulation
29
ADAS(SUT)
Simulator (Matlab/Simulink)
Model (Matlab/Simulink)
▪ Physical plant (vehicle / sensors / actuators)▪ Other cars▪ Pedestrians▪ Environment (weather / roads / traffic signs)
Test input
Test output
time-stamped output
![Page 30: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/30.jpg)
AEB Domain Model
30
- intensity: RealSceneLight
DynamicObject
1- weatherType: Condition
Weather
- fog- rain- snow- normal
«enumeration»Condition
- field of view: Real
Camera Sensor
RoadSide Object
- roadType: RTRoad
1 - curved- straight- ramped
«enumeration»RT
- v0: RealVehicle
- x0: Real
- y0: Real
- θ: Real- v0: Real
Pedestrian
- x: Real- y: Real
Position
1
*
1
*
11
- state: BooleanCollision
Parked Cars
Trees- simulationTime: Real- timeStep: Real
Test Scenario
AEB
- certainty: RealDetection
11
11
11
11
«positioned»
«uses»1 1
- AWA
Output Trajectory
Environment inputsMobile object inputsOutputs
![Page 31: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/31.jpg)
ADAS Testing Challenges
• Test input space is multidimensional, large, and complex
• Explaining failures and fault localization are difficult
• Execution of physics-based simulation models is computationally expensive
31
![Page 32: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/32.jpg)
Our Approach• We use decision tree classification models
• We use multi-objective search algorithm (NSGAII)
• Objective Functions:
• Each search iteration calls simulation to compute objective functions
32
1. Minimum distance between the pedestrian and the field of view
2. The car speed at the time of collision3. The probability that the object detected is a pedestrian
![Page 33: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/33.jpg)
Multiple Objectives: Pareto Front
33
Individual A Pareto dominates individual B ifA is at least as good as B
in every objective and better than B in at
least one objective.
Dominated by x
F1
F2
Pareto frontx
• A multi-objective optimization algorithm (e.g., NSGA II) must:• Guide the search towards the global Pareto-Optimal front.• Maintain solution diversity in the Pareto-Optimal front.
![Page 34: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/34.jpg)
Search-based Testing Process
34
Test input generation (NSGA II)
Evaluating test inputs
- Select best tests- Generate new tests
(candidate) test inputs
- Simulate every (candidate) test- Compute fitness functions
Fitnessvalues
Test cases revealing worst case system behaviors
Input data ranges/dependencies + Simulator + Fitness functions
![Page 35: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/35.jpg)
Search: Genetic Evolution
35
Initial input
Fitness computation
Selection
Breeding
![Page 36: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/36.jpg)
Better Guidance
• Fitness computations rely on simulations and are very expensive
• Search needs better guidance
36
![Page 37: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/37.jpg)
Decision Trees
37
Partition the input space into homogeneous regions
All points Count 1200
“non-critical” 79%“critical” 21%
“non-critical” 59%“critical” 41%
Count 564 Count 636“non-critical” 98%“critical” 2%
Count 412“non-critical” 49%“critical” 51%
Count 152“non-critical” 84%“critical” 16%
Count 230 Count 182
vp0 >= 7.2km/h vp
0 < 7.2km/h
✓p0 < 218.6� ✓p0 >= 218.6�
RoadTopology(CR = 5,Straight,RH = [4� 12](m))
RoadTopology(CR = [10� 40](m))
“non-critical” 31%“critical” 69%
“non-critical” 72%“critical” 28%
![Page 38: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/38.jpg)
Genetic Evolution Guided by Classification
38
Initial input
Fitness computation
Classification
Selection
Breeding
![Page 39: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/39.jpg)
Search Guided by Classification
39
Test input generation (NSGA II)
Evaluating test inputs
Build a classification treeSelect/generate tests in the fittest regionsApply genetic operators
Input data ranges/dependencies + Simulator + Fitness functions
(candidate) test inputs
- Simulate every (candidate) test- Compute fitness functions
Fitnessvalues
Test cases revealing worst case system behaviors + A characterization of critical input regions
![Page 40: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/40.jpg)
NSGAII-DT vs. NSGAII
40
NSGAII-DT outperforms NSGAII
HV
0.0
0.4
0.8G
D
0.05
0.15
0.25
SP
20.6
1.0
1.4
6 10 14 18 22 24Time (h)
NSGAII-DTNSGAII
![Page 41: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/41.jpg)
Generated Decision Trees
41
Goo
dnes
sOfFit
Reg
ionS
ize
1 5 642 30.40
0.50
0.60
0.70
tree generations
(b) 0.80
71 5 642 30.00
0.05
0.10
0.15
tree generations
(a) 0.20
7
Goo
dnes
sOfFit-crt
1 5 642 3
0.30
0.50
0.70
tree generations
(c) 0.90
7
The generated critical regions consistently become smaller, more homogeneous and more precise over successive tree generations of
NSGAII-DT
![Page 42: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/42.jpg)
Usefulness
• The characterizations of the different critical regions can help with:
(1) Debugging the system model
(2) Identifying possible hardware changes to increase ADAS safety
(3) Providing proper warnings to drivers
42
![Page 43: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/43.jpg)
Testing for Feature Interactions
![Page 44: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/44.jpg)
Integration of Autonomous Features in ADAS
44
Automated Emergency Braking (AEB)
Pedestrian Protection (PP)
Lane Departure Warning (LDW)
Traffic Sign Recognition (TSR)
![Page 45: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/45.jpg)
45
……
Actuator Commands:- Steering- Acceleration- BrakingConflicts
Undesired Feature Interactions
Sensor/ Camera
Data
Autonomous Feature
Actuator Command
Sensor/ Camera
Data
Autonomous Feature
Actuator Command
Sensor/ Camera
Data
Autonomous Feature
Actuator Command
![Page 46: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/46.jpg)
Sensor/ Camera
Data
Autonomous Feature
Actuator Command
(Early) Function Modeling
46
……
Integration Component
Actuator Command
Software Under Test (SUT)Executable
Function Models (Matlab/Simulink)
Sensor/ Camera
Data
Autonomous Feature
Actuator Command
Sensor/ Camera
Data
Autonomous Feature
Actuator Command
![Page 47: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/47.jpg)
Example of Rules
47
Conditions Features
![Page 48: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/48.jpg)
Main challenge
• Resolving conflicts:
• Difficult task
• Requires extensive domain expertise and a thorough analysis of system requirements
• Problems:
• There might be mistakes, inaccuracies and bugs in the developed rules
48
![Page 49: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/49.jpg)
Problem Statement
49
How to automatically detect undesired feature interactions in self-driving systems at early stages of development?
![Page 50: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/50.jpg)
Testing Function Models
50
SUT
Physics-basedSimulators
sensors/cameras
(ego) carother carsactuators
pedestrians
environment (road, weather, etc)
sensor/camera data
Actuatorcommands
Time Stamped Vectors
… …
Integration "Component
Sensor/ Camera
Data
Autonomous Feature
Actuator Command
Sensor/ Camera
Data
Autonomous Feature
Actuator Command
Sensor/ Camera
Data
Autonomous Feature
Actuator Command
![Page 51: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/51.jpg)
Search-Based Solution• We do not know a priori which safety requirements may be
violated. Neither do we know in which branches of IntC the violations may be detected. Therefore, we search for any violation of system safety requirements that may arise when exercising any branch of IntC.
• A combination of three test objectives:
• Coverage-based
• Failure-based
• Unsafe Overriding
51
![Page 52: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/52.jpg)
Coverage-based Test Objective
52
F1
F2
Fn
… Integrationcomponent
SUT
Goal: Exercising as many branches of the integration component as possible
if (condition)
F1
![Page 53: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/53.jpg)
Branch Distance
• Many decision branches in IntC
• Branch coverage of IntC
• Fitness: Approach level and branch distance d (standard for code coverage)
• d(b,tc) = 0 when tc covers b
53
![Page 54: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/54.jpg)
Failure-based Test Objective
54
F1
F2
Fn
… Integrationcomponent
SUT
Example:- Requirement: No collision between
pedestrians and cars- Generating test cases that minimize
the distance between the car and the pedestrian
Goal: Revealing violations of system-level requirements
![Page 55: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/55.jpg)
Fitness: Failure Distance• Fitness functions based on the trajectory vectors for the ego
car, the leading car and the pedestrian, generated by the simulator
• PP fitness: Minimum distance between the car and the pedestrian during the simulation time.
• AEB fitness: Minimum distance between the car and the leading car during the simulation time.
55
![Page 56: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/56.jpg)
Distance Functions
56
When any of the functions yields zero, a safety failure corresponding to
that function is detected.
![Page 57: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/57.jpg)
Unsafe Overriding Test Objective
57
F1
F2
Fn
… Integrationcomponent
SUT
Goal: Finding failures that are more likely to be due to faults in the integration component rather faults in the features
Braking-F10 .3 .3 .6 .8 1 1
Braking - Final
F1 F1 F2 F2 F3 F3 F10 .3 .2 .2 .3 .3 1
Reward failures that could have been avoided if another feature had been prioritized by the integration logic
![Page 58: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/58.jpg)
Combining Test Objectives• Goal: Execute every branch of the integration component such that
while executing that branch, the component unsafely overrides every feature f and its outputs violate every safety requirement related to f
58
⌦j,l = Min{⌦j,l(i)}0iT
For every time step i, every branch j and every requirement l:If branch j is not covered :
⌦j,l(i) = Branchj(i) +max (Overriding) +max (Failure)ELSE If feature f is not unsafely overrides :
⌦j,l(i) = Overridingf (i) +max (Failure)ELSE
⌦j,l(i) = Failurel(i)
![Page 59: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/59.jpg)
Our Hybrid Test Objectives
59
⌦j,l(tc) > 2 tc does not cover Branch j
One hybrid test objective for every branch j and every requirement l⌦j,l
2 � ⌦j,l(tc) > 1 tc covers branch j but F is not unsafely overriden
1 � ⌦j,l(tc) > 0tc covers branch j and F is unsafely overriden but req l isnot violated
⌦j,l(tc) = 0 A feature interaction failure is likely detected
if (cnd)
F
![Page 60: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/60.jpg)
Search Algorithm• Optimal test suite covers all search objectives, i.e., for all IntC branches
and all safety requirements
• The number of test objectives is large:
# of requirements × # of branches
• Computing test objectives is computationally expensive
• Not a Pareto front optimization problem
• Objectives compete with each others, e.g., cannot have the car violating the speed limit after hitting the leading car in one test case
60
![Page 61: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/61.jpg)
MOSA: Many-Objective Search-based Test Generation
61
Objective 1
Objective 2
Not all (non-dominated) solutionsare optimal for the purpose of testing
These points arebetter than others
Panichella et. al.[ICST 2015]
![Page 62: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/62.jpg)
Case Study• Two Case Study systems from IEE
• Both systems consist of four self-driving features
• Adaptive Cruise Control (ACC)
• Automated Emergency Braking (AEB)
• Traffic Sign Recognition (TSR)
• Pedestrian Protection (PP)
• But, they use different rules to integrate feature actuator commands
• RQ: Does our Hybrid test objectives reveal more feature interaction failures compared to baseline test objectives (coverage-based and failure-based)?
62
![Page 63: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/63.jpg)
63
Hybrid test objectives reveal significantly more feature interaction failures (more than twice) compared to the baseline alternatives.
4 80 2 6 10 12Time (h)
(a) SafeDrive1
Num
ber o
f fea
ture
inte
ract
ion
failu
res
0
2
8
10
4
6
(b) SafeDrive2
0
2
8
10
4
6
Hybrid (mean)
Fail (mean)Cov (mean)HybridCoverage-basedFailure-based
![Page 64: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/64.jpg)
Feedback from Domain Experts
• The failures we found were due to undesired feature interactions
• The failures were not previously known to them
• We identified ways to improve the feature integration logic to avoid failures
64
![Page 65: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/65.jpg)
Summary• Problem: How to automatically detect undesired feature interactions
in self-driving systems at early stages of development?
• Context: Executable Function models and Simulated Environment
• Approach: A search-based testing approach
• Hybrid test objectives (coverage-based, failure-based, unsafe overriding)
• A tailored many-objective search algorithm
• We have evaluated and validated our approach: Promising results65
![Page 66: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/66.jpg)
Repairing Feature Interaction Failures
![Page 67: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/67.jpg)
Problem Statement
•How to automatically repair (some of the errors in) the feature integration logic?
67
![Page 68: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/68.jpg)
Types of errors in the developed Rules
• The conjunctive conditions on the left side of the rules may be wrong
• Issues in determining the order of conflict resolution rules
• There is a partial order over rules
• Different rule orderings lead to different system behaviors and it is not clear what order should be used
68
![Page 69: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/69.jpg)
Our Solution
•A Search-based Fault Localization and RepairingApproach for the Decision Rules of Self-Driving Systems
•Many-objective search: Minimize severity of failures until all test cases pass
69
![Page 70: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/70.jpg)
Program Repair
• Program repair process:
• Step 1- Fault Localization: identifies the locations of faults
• Step 2 - Patch generation: modifies the software in the faulty code locations
• Step 3 – Program validation: checks if the synthesized patch has actually repaired the software
70
Faulty Program Repair Tests
Fault Localization
Program Modification (Patch Generation)
Program Validation
Repaired Program
Valid
Step 1
Step 2
Step 3
No
Yes
Input
Output
Program Repair Process
• Repair Tests: Failing test cases (demonstrate a defect) + Passing test cases (satisfy system behavior)
Goal: automatically repair software systems
![Page 71: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/71.jpg)
State of the Art: Challenges
•Our errors span several lines of code
•Each test case covers most paths oversimulation steps
•High suspiciousness for most statements
71
![Page 72: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/72.jpg)
Our Approach
• Goal: Identify errors in the decision rules for self-driving systems and automatically repair these errors
72
Fault Localization (FL) Patch Generation
Focus on faulty statements that are related to the most severe failures
Define mutation operators to modify the decision rules
![Page 73: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/73.jpg)
if condition1(s1)if condition11 (s2)statement condition11(s3)end
else if condition2(s4)statement condition2(s5)
else if condition3(s6)if condition11 (s7)statement condition31(s8)end
else if condition4(s9)statement condition4(s10)
else if condition5(s11)statement condition5(s12)
else if condition6(s13)statement condition6(s14)::
FL - Illustrations
73
0 1 2 … t … Ts1s2s3s4s5s6s7…sn
Simulation time
Stat
emen
ts
if condition1(s1)if condition11 (s2)statement condition11(s3)end
else if condition2(s4)statement condition2(s5)
else if condition3(s6)if condition11 (s7)statement condition31(s8)end
else if condition4(s9)statement condition4(s10)
else if condition5(s11)statement condition5(s12)
else if condition6(s13)statement condition6(s14)::
Test Suite
tc1
tc2
tc3
x : if s is executed
Faulty ProgramDecision ruleConjunctive
conditions
Features
![Page 74: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/74.jpg)
FL - Illustrations
74
Simulation time
Stat
emen
ts
Test Suite
tc2
tc3Status
tc1 tc2 tc3
✗
tc1time of failure
Rule executed at the time of failure ⇡tc1
Faulty Programif condition1(s1)if condition11 (s2)statement condition11(s3)end
else if condition2(s4)statement condition2(s5)
else if condition3(s6)if condition11 (s7)statement condition31(s8)end
else if condition4(s9)statement condition4(s10)
else if condition5(s11)statement condition5(s12)
else if condition6(s13)statement condition6(s14)::
if condition1(s1)if condition11 (s2)statement condition11(s3)end
else if condition2(s4)statement condition2(s5)
else if condition3(s6)if condition11 (s7)statement condition31(s8)end
else if condition4(s9)statement condition4(s10)
else if condition5(s11)statement condition5(s12)
else if condition6(s13)statement condition6(s14)::
0 1 2 … tj … Ts1 xs2 xs3 xs4 xs5 xs6 xs7 x…sn x x
![Page 75: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/75.jpg)
Statustc1 tc2 tc3
FL - Illustrations
75
Simulation time
Stat
emen
ts
Test Suite
tc3x : if s is executed
✗
tc2Faulty Program
0 1 2 … t … Ts1 xs2 xs3 xs4 xs5 xs6 xs7 x…sn x x
if condition1(s1)if condition11 (s2)statement condition11(s3)end
else if condition2(s4)statement condition2(s5)
else if condition3(s6)if condition11 (s7)statement condition31(s8)end
else if condition4(s9)statement condition4(s10)
else if condition5(s11)statement condition5(s12)
else if condition6(s13)statement condition6(s14)::
![Page 76: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/76.jpg)
Statustc1 tc2 tc3
FL - Illustrations
76
Simulation time
Stat
emen
ts
Test Suite
✗
tc3
✗
time of failure
Rule executed at the time of failure
⇡tc3
Faulty Program
if condition1(s1)if condition11 (s2)statement condition11(s3)end
else if condition2(s4)statement condition2(s5)
else if condition3(s6)if condition11 (s7)statement condition31(s8)end
else if condition4(s9)statement condition4(s10)
else if condition5(s11)statement condition5(s12)
else if condition6(s13)statement condition6(s14)::
if condition1(s1) if condition11 (s2)statement condition11(s3)end
else if condition2(s4)statement condition2(s5)
else if condition3(s6)if condition11 (s7)statement condition31(s8)end
else if condition4(s9)statement condition4(s10)
else if condition5(s11)statement condition5(s12)
else if condition6(s13)statement condition6(s14)::
0 1 2 … tk … Ts1 x xs2 x xs3 x xs4 x xs5 x xs6 xs7 x…sn
![Page 77: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/77.jpg)
Ranking
• We define the suspiciousness of each statement sby considering both failure severity and faulty rules
77
Score(s) =X
tcj2TS
Itcj (s)Rules Score
s1 0.9s2 0.9s3 0.9s6 0.6s7 0.6s8 0.6s4 0s5 0…
!tcj : severity of failure exposed by tcj
• We select a statement among the most suspicious ones in a randomized way
Itcj =
⇢0 if s /2 faulty rule ⇡tcj
!tcj otherwise
![Page 78: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/78.jpg)
Probabilistic Fault Localization•For each failure, select in a randomized manner a
statement among most suspicious ones
•Select different statements in a probabilistic manner (suspiciousness) across search interactions
•Generate and apply a patch
78
![Page 79: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/79.jpg)
Generate a Patch
• Mutation operators
1. Modify operator
2. Shift operator
• Apply a sequence of randomly selected operators
• Evaluate the patch (run test simulations)
79
![Page 80: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/80.jpg)
Modify
80
1: if(TTC < TTCth && Dist(P/C) < Dist(P/C)th && object detected is pedestrian)
2: Apply PP (braking force = 100%)
3: else if(speed of the car > speed limit)
4: Apply TSR (braking force = 40%)
5: else if(TTC < TTCth && object detected is not pedestrian)
6: Apply AEB (braking force = 60%)
7: else if …
……
n: ……
Example1: if(TTC < TTCth && Dist(P/C) < Dist(P/C)th + 2 && object detected is pedestrian)
2: Apply PP (braking force = 100%)
3: else if(speed of the car > speed limit)
4: Apply TSR (braking force = 40%)
5: else if(TTC < TTCth && object detected is not pedestrian)
6: Apply AEB (braking force = 60%)
7: else if …
……
n: ……
• Modify operator: modify the condition of the faulty statement by changing a threshold value, altering the direction of a relational operator (e.g., > to <) or swapping arithmetic operations (e.g., + to - )
if condition1(s1) if condition11 (s2)statement condition11(s3)end
else if condition2(s4)statement condition2(s5)
else if condition3(s6)if condition11 (s7)statement condition31(s8)end
else if condition4(s9)statement condition4(s10)
else if condition5(s11)statement condition5(s12)
else if condition6(s13)statement condition6(s14)::
![Page 81: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/81.jpg)
if condition1(s1)if condition11 (s2)statement condition11(s3)end
else if condition2(s4)statement condition2(s5)
else if condition3(s6)if condition11 (s7)statement condition31(s8)end
else if condition4(s9)statement condition4(s10)
else if condition5(s11)statement condition5(s12)
else if condition6(s13)statement condition6(s14)::
Shift
• Shift operator: Change the order of rules
81
if condition1(s1)if condition11 (s2)statement condition11(s3)end
else if condition3(s6)if condition11 (s7)statement condition31(s8)end
else if condition2(s4)statement condition2(s5)
else if condition4(s9)statement condition4(s10)
else if condition5(s11)statement condition5(s12)
else if condition6(s13)statement condition6(s14)::
if condition1(s1)if condition11 (s2)statement condition11(s3)end
else if condition2(s4)statement condition2(s5)
else if condition5(s11)statement condition5(s12)
else if condition3(s6)if condition11 (s7)statement condition31(s8)end
else if condition4(s9)statement condition4(s10)
else if condition6(s13)statement condition6(s14)::
![Page 82: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/82.jpg)
Our Search-based Repairing Approach
82
Evaluate the Patch
Faulty Program
Repaired Program
Test Cases
Localize Fault
Archive
Generate a Patch
Faulty Program
good?yes
update the
archiveEvaluate the Patch
Faulty Program
Repaired Program
Test Cases
Localize Fault
Archive
Generate a Patch
good?yes
update the
archive
Best Patched Programs select a patch
from the archive
![Page 83: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/83.jpg)
Preliminary evaluation
• RQ: How effective and efficient is our approach in localizing and repairing faults?
83
![Page 84: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/84.jpg)
Results• Able to repair the decision rules (change the order of the rules
and change some threshold values)
• Able to find different correct versions of the decision rules
84 Time needed to repair errors
Our approach takes on average 5 hours to repair the decision rules of
self-driving systems
![Page 85: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/85.jpg)
Summary
• We proposed an automated approach to repair errors in the decision rules for self-driving systems
• A many-objective search-based testing approach
• Our approach effectively and efficiently localizes and repairs errors in decision rules
• Limitations: Cannot repair all kinds of errors, e.g., adding or removing rules
85
![Page 86: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/86.jpg)
Conclusions
86
![Page 87: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/87.jpg)
Other CPS Domains• Similar ISO standards
• With the rise of DNNs, they will develop SOTIF-like standards
• Most CPS are safety critical
• Most CPS follow similar development phases
• Different domain models, e.g., notion of scenes and scenarios
• Different, dedicated simulators
87
![Page 88: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/88.jpg)
Reflections
• Search-based solutions are versatile
• Help relax assumptions compared to exact approaches
• Help decrease modeling requirements
• Scalability, e.g., easy to parallelize
• Require massive empirical studies for validation
• Search is rarely sufficient by itself
88
![Page 89: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/89.jpg)
Reflections• Combine with machine learning to make the search more
effective and efficient
• Combine search with solvers, e.g., SMT, model checking, Constraint programming, on model fragments.
• Grey box approaches to search, i.e., use information from the Simulink models to better guide search.
• Impact of deep learning components in autonomous systems’ testing and verification
89
![Page 90: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/90.jpg)
The Impact of DNNs• Increasingly so, it is easier to learn behavior from data using
machine learning, rather than specify and code
• Some ADAS components rely on deep learning …
• Thousands of weights learned (Deep Neural Networks)
• No explicit code, no specifications
• Verification, testing?
• State of the art includes adequacy coverage criteria and mutation testing for DNNs
90
![Page 91: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/91.jpg)
Selected References• Briand et al. “Testing the untestable: Model testing of complex
software-intensive systems”, IEEE/ACM ICSE 2016, V2025
• Ben Abdessalem et al., " Testing Advanced Driver Assistance Systems using Multi-objective Search and Neural Networks, ASE 2016
• Ben Abdessalem et al., "Testing Vision-Based Control Systems Using Learnable Evolutionary Algorithms”, ICSE 2018
• Ben Abdessalem et al., "Testing Autonomous Cars for Feature Interaction Failures using Many-Objective Search”, ASE 2018
91
![Page 92: Automated Testing of Autonomous Driving Assistance Systemshomepages.laas.fr/guiochet/trustmeia/briand.pdf · models) •HiL: Human effort involved in setting up the hardware and analog](https://reader036.vdocuments.us/reader036/viewer/2022071019/5fd29fa7251b4d050547e351/html5/thumbnails/92.jpg)
Automated Testing of Autonomous Driving Assistance Systems
Lionel Briand
TrustMeIA, 2019