Verifiable Obstacle Detection

Ayoosh Bansal1\scalerel* —, Hunmin Kim2, Simon Yu1\scalerel* —, Bo Li1, Naira Hovakimyan1, Marco Caccamo3, Lui Sha1 1University of Illinois Urbana-Champaign {ayooshb2, jundayu, lbo, nhovakim, lrs}@illinois.edu, 2Mercer University kim_h@mercer.edu, 3Technical University of Munich mcaccamo@tum.de

Abstract

Perception of obstacles remains a critical safety concern for autonomous vehicles. Real-world collisions have shown that the autonomy faults leading to fatal collisions originate from obstacle existence detection. Open source autonomous driving implementations show a perception pipeline with complex interdependent Deep Neural Networks. These networks are not fully verifiable, making them unsuitable for safety-critical tasks.

In this work, we present a safety verification of an existing LiDAR based classical obstacle detection algorithm. We establish strict bounds on the capabilities of this obstacle detection algorithm. Given safety standards, such bounds allow for determining LiDAR sensor properties that would reliably satisfy the standards. Such analysis has as yet been unattainable for neural network based perception systems. We provide a rigorous analysis of the obstacle detection system with empirical results based on real-world sensor data.

Autonomous vehicles, Vehicle safety, Object detection

\DeclareUnicodeCharacter

2010-

I Introduction

Autonomous Vehicles (AV) will be among the most significant technological achievements of current times, with the potential to save and improve lives [av_imp_1, av_imp_2]. However, it is unclear at what point AV will be safer than the human-driven vehicles [dirty_dozen]. The imperfection of current AV is evident in the various crashes that have been attributed, in part, to the autonomous control of involved vehicles [tesla_2, ubercrash, tesla_3, tesla_4, tesla_1, tesla_1_1, tesla_japan, boudette2021happened, tesla_5, tesla_6, tesla_7, tesla_8, tesla_9, tesla_10, tesla_11, tesla_12].

Neural networks and artificial intelligence have enabled capabilities in cyber-physical systems that might have remained unachievable otherwise. Deep Neural Networks (DNN) for object detection, classification, and predictive tracking, are crucial for perceiving an AV’s environment in real-time and planning complex maneuvers an AV must execute. But these technologies are inherently unverifiable, i.e., incapable of being verified [koopman2016challenges, safety2016ieee, easy_fool_ai] that leads to, as yet unsolvable, safety concerns [koopman2018heavy, biggio2013evasion, amodei2016concrete, huang2017safety, tian2018deeptest, li2020deepdyve, willers2020safety]. Safety-critical software are required to be analyzable and verifiable [feiler2013four, heimdahl2016software], a role DNN solutions are not yet ready to fulfill [faa2016adaptive, jenn2020identifying, pereira2020challenges].

The impasse caused by the necessity of DNN solutions to enable AV’s mission capabilities and their unsuitability for safety-critical tasks can be resolved by decoupling the mission and safety requirements. The disassociated fulfillment of safety and mission requirements has been successful in system architectures like Simplex [simplex_early, simplex_original], leading to systems that work with high performance in typical cases but provide verifiable safe behavior in safety-critical conditions. But thus far, such a separation has not been achieved in AV.

In this work, we lay the foundation for decoupling of safety and mission responsibilities for AV. We describe a minimal set of requirements for safety-critical perception with a focus on obstacle existence detection in Section IV. Unlike the mission-critical requirement of perceiving obstacles and predicting their trajectories for complex maneuvers planning, the safety-critical requirement for collision avoidance is to reliably detect the existence of obstacles that the AV may collide with. The safety-critical obstacle existence detection can then be used in various ways, like to detect and correct faults in the mission critical perception systems, fused as an ensemble [wei2018fusion, gurel2021knowledge], or make control decisions like brake to stop if all else fails.

In the absence of verifiable DNN based solutions, we turn to classical obstacle detection algorithms, that are verifiable, i.e., capable of being fully analyzed and verified, to determine their ability to fulfill the safety-critical requirements. Traditional LiDAR based obstacle detection algorithms [wang2022review], based on geometric properties, are excellent candidates for verifiable safety-critical obstacle detection. LiDAR sensors have shown incredible promises for their use in autonomous driving [li2020lidar]. This has, in turn, accelerated the improvements in LiDAR sensor technology, increasing the range, scanning frequency, and resolution of the sensor [roriz2021automotive]. LiDAR sensors are also superior to stereo cameras for 3D obstacle detection as they only suffer a linear error growth with distance as compared to quadratic for stereo camera [wang2019pseudo]. These factors made the LiDAR sensor the natural choice for this work.

Depth Clustering [bogoslavskyi16iros, bogoslavskyi17pfg] a LiDAR based range image segmentation algorithm is chosen as the example algorithm in this work. The core component of the algorithm analyzed here is the ground removal i.e., separating the flat drivable ground from obstacles that need to be avoided. These bounds are referred to as the Detectability Model in this work. Such bounds satisfy the analyzability and verifiability requirements in safety-critical system engineering. The value of such a Detectability Model comes from the predictability of faults in obstacle existence detection and reliable mitigation. Given desired safety standards and properties of obstacles, algorithm parameters and LiDAR sensor parameters can be chosen to meet the safety standards reliably.

The contributions of this work can be summarized as:

Minimized sufficient requirements for safety-critical obstacle existence detection for collision avoidance ( $\lx@sectionsign$ IV).
Detectability model for an existing classical obstacle detection algorithm, Depth Clustering, with human perceptible bounds on capabilities and limitations ( $\lx@sectionsign$ VI).
An evaluation¹¹1https://github.com/CPS-IL/verifiable-OD based on real sensor data [sun2020scalability] ( $\lx@sectionsign$ VII).

Ii Motivation and Overview

Obstacle existence detection fault, i.e., False Negative (FN) in perception are a grave safety concern [yang2021introspective]. A survey of fatal collisions involving AV (Table I) points to recurring FN errors. Other fatalities involving AV [tesla_1, tesla_1_1, tesla_japan, boudette2021happened, tesla_5, tesla_6, tesla_7, tesla_8, tesla_9, tesla_10, tesla_11, tesla_12], excluded from Table I due to unavailability of investigation reports, seem to follow this pattern. These underlying safety concerns are the primary challenge in adopting complete autonomy [nhtsa_investigation, kalra2017challenges, penmetsa2021effects, li2022safety, r2022liability, jing4011917listen]. Learning from these incidents and acknowledging the impossibility of all encompassing safety on the road, we limit our focus to FN.

DNN verification, even for simple properties, is an NP-complete problem [katz2017reluplex]. Gharib et al. [gharib2018safety] describe the need and current lack of verification methods for machine learning components used in safety-critical applications. Empirical risk minimization, a foundational principle of modern statistical machine learning, fails to satisfy the high robustness requirements of safety-critical applications [varshney2016engineering]. There is still an open requirement for verification techniques that can validate the behavior of a trained network under all circumstances and not just expected safe input space [urban2021review]. The vastness of the input sets for real-world problems, like perception, renders reachability analysis impractical for the DNN used in AV.

Analyzability and verifiability are the crucial components of the certification process of safety-critical systems [feiler2013four, heimdahl2016software]. Verifiable algorithms, where the causality between the input parameters and the algorithm result can be established, are inherently suitable for safety-critical applications. This is in contrast to object detection DNN, trained using supervised learning, which effectively captures correlations between training input and labels. Consider the following simple example where $y$ is obstacle height, $x$ is obstacle distance from the AV, $a$ and $b$ are constant parameters based on LiDAR properties:

y \geq a x + b

(1)

If we want to establish that (1) is the detectability model, i.e., when the condition in (1) is met, obstacles are always detected by the AV, the following must be defined:

Requirements: A definition of minimal requirements for what it means to detect an obstacle ( $\lx@sectionsign$ IV).

Constraints: A set of well defined constraints that must be met for the model to be applicable ( $\lx@sectionsign$ V).

Verification: A deterministic analysis verifying the detectability model ( $\lx@sectionsign$ VI).

Let’s assume that an AV safety standard requires that the AV be able to detect all obstacles of a minimum height of $10$ $c m$ . Further, let’s assume all vehicles and structures on the road are also mandated to be taller than this minimum height by a road safety rule. Using LiDAR and AV parameters to determine $a$ and $b$ , the detectability model (1) can be used to determine the minimum distance at which such obstacles can be detected. This minimum distance, in conjunction with the braking capability of the AV, can then be used to determine the max speed at which the AV can safely travel. This example, admittedly simple, shows how a verified detectability model can bring together road safety rules, AV parameters and AV safety policies to provide deterministic collision safety.

Ref.	Autonomy Response ²²2The comments brief the driver assist system’s response during the incident and are not necessarily the causal faults for the incident.
[tesla_2]	A truck in the path of the vehicle was not detected and no evasive actions like braking or steering away were initiated.
[ubercrash]	Low confidence, unstable classifications of a pedestrian led to the perception system ignoring the existence of a pedestrian.
[tesla_3]	A crash attenuator in the path of the vehicle was not detected.
[tesla_4]	A white semi trailer in the path of the vehicle was not detected.

Table I: Survey of AV Involved Fatalities

Iii Related Work

Classical Obstacle Detection: An approach for long-range obstacle detection based on stereo cameras was proposed by Pinggera et al. [pinggera2015high]. While they successfully detect patches on most objects within a long range, it is unclear whether this approach is enough to avoid collisions and whether all obstacles that pose collision risk are detected. While the approach shows promise, its performance under common distortions like bright spots, etc., is not shown, and a further study on its limitations is required to use it in safety-critical tasks. Various LiDAR based geometric algorithms were considered as part of this work [himmelsbach2010fast, korchev2013real, asvadi2015detection, chu2017fast, zermas2017fast]. Each algorithm has a similar flow; identifying points on the ground vs. obstacles, followed by clustering, segmentation, and/or classification. Depth Clustering [bogoslavskyi16iros, bogoslavskyi17pfg] is chosen as the primary example due to its deterministic explainable behavior, flexible parameters to optimize tradeoffs, and public availability of an efficient C++ implementation with extremely low runtime of $40$ $m s$ on an embedded Jetson Xavier platform, using a single CPU core only, for a point cloud with $169, 600$ points [chen2021lidar]. The algorithm has also garnered interest in recent works in literature [liu2020removing, chen2021lidar, dang2021sensor, shen2021fast, tian2021unsupervised, vobecky2022drive].

Neural Network Verification: Albarghouthi [albarghouthi2021introduction] described the challenges for neural network verification, including scale, complexity, and dynamism of the environment, all applicable for their use in Autonomous Driving. Liu et al. [liu2019algorithms] survey existing verification methods and classify the verification methods into three categories: reachability, optimization, and search. They identify tradeoffs between scale and completeness of the verification methods. Even when the deep networks can be verified, it is done so for small input sets only [tran2020verification]. Another survey on the safety and trustworthiness of DNNs [huang2020survey] identified various challenges, including; a physical representation of the verification metrics, completeness of the verifiable properties, and scalability to complex DNN. Verification techniques have also been proposed to explore around available inputs by adding adversarial or context specific distortions [huang2017safety, tian2018deeptest], improving the input coverage. However, this does not imply complete verification and dependable predictability of behavior. Hardware reliability [li2020deepdyve] does not protect against algorithmic faults. Fully verifiable, analyzable and explainable DNNs performing real-world object detection in autonomous vehicles remain an elusive goal.

Collision Avoidance: This work complements typical collision avoidance systems by potentially providing additional triggers for the emergency braking systems to engage [seiler1998development, funke2016collision, cheng2019longitudinal], e.g., when comparing the output from the verifiable algorithm to the DNN, a safety-critical FN in DNN output is determined. Other collision avoidance systems leverage cooperative communication [lin2014active], however, our work focuses on all obstacles including human driven vehicles and pedestrians. Motion planning [wang2019crash, lee2019collision, tahir2019heuristic] and risk assessment [noh2017decision, noh2018decision, shin2018human, yu2019occlusion, li2021risk] based collision avoidance systems would be benefited by using a verifiable algorithm to detect obstacles in the environment.

Iv Minimal Requirements

Figure 1: Example scenes. (a) Role of obstacle height. (b) Distance and Occlusion of obstacles. (c) Projection of Obstacles.

In this section, we define the minimally sufficient, though not necessary and sufficient, requirements for safety-critical obstacle detection and collision avoidance. These requirements define a minimized set of features of an obstacle that the AV perception system should perceive to establish the existence of the obstacle. While some of the following observations are already well established, this work is the first to form a minimally sufficient set for safety-critical collision avoidance. Further, some requirements like object classification are typically considered crucial for all aspects of perception in AV, however, we show that while it is valuable for mission-critical requirements, it is not for safety-critical collision avoidance.

Iv-a Classification

We will use the mathematical problem formulation of reach-avoid control to justify why we do not need to classify obstacles for collision avoidance purposes. The current section is motivated by [summers2010verification, summers2011stochastic] but we simplify the notations and the problem in a deterministic setting while the references consider stochastic problem formulations. Let $x_{k} \in X$ be the 2D-position of the vehicle at discrete time instance $k \geq 0$ , where $X \subseteq R^{2}$ is the set of the state space. The set $D \subset X$ is the destination, and the sets $O_{i} (k) \subset X$ for $i \in M_{O} ≜ {1, 2, \dots, M}$ are obstacles, where $O_{i} (k)$ represents the $i^{t h}$ obstacle and $M_{O}$ is the index set for the obstacles. The set $O_{i} (k)$ could be time-varying but it is assumed that the obstacles do not overlap with the destination, i.e., $\cup_{i \in M_{O}} (D \cap O_{i} (k)) = \emptyset$ $\forall$ $k$ . For brevity, further mentions of $O_{i} (k)$ are reduced to $O_{i}$ . Now, the reach-avoid control problem is to drive the vehicle to the destination $D$ while avoiding obstacles $O_{i}$ for $i \in M_{O}$ within finite time horizon $N$ , given initial condition $x_{0}$ . The success of this mission can be characterized by the following index $r$ :

	$r$	$≜ \sum_{j = 0}^{N} (Π_{i = 1}^{M} Π_{t = 0}^{j - 1} 1_{X ∖ O_{i}} (x_{t})) 1_{D} (x_{j})$
		$= ⎧ ⎪ ⎨ ⎪ ⎩ \begin{matrix} 1, & i f \exists j \in [0, N] : x_{j} \in D \land \forall t \in [0, j - 1] : x_{t} \in \cap_{i = 1}^{M} X ∖ O_{i} 0, & o t h e r w i s e, \end{matrix}$		(2)

where $1_{S} (\cdot) : X \to {0, 1}$ is the indicator function for a set $S$ , and $\land$ is the logical AND. In short, $r = 1$ if and only if the objective is achieved. The index $r$ in (2) can be used as a cost function of the optimal control problem as in [summers2010verification, summers2011stochastic]. Therefore, one is required to evaluate the indicator functions in (2), which means that it is required to know the set $D$ and $X ∖ O_{i}$ for $i \in M_{O}$ .

However, index $r$ in (2) can be equivalently formulated as

r

= \sum_{j = 0}^{N} (Π_{t = 0}^{j - 1} 1_{X ∖ (\cup_{i \in M_{O}} O_{i})} (x_{t})) 1_{D} (x_{j})

(3)

and this expression can be used instead for the optimal reach-avoid control problem. The formulation (3) indicates that one could also address the control problem only with knowing $\cup_{i \in M_{O}} O_{i}$ , but not individual obstacle sets $O_{i}$ , i.e., one does not need to classify/distinguish individual obstacles for the reach-avoid control purpose.

It should be noted that classification adds valuable information that supports advanced features like predictive tracking, maneuver planning and improves AV performance. The argument here is only that object classification is not a necessity for obstacle avoidance and therefore not a part of minimal requirements for safety critical obstacle detection.

Iv-B Collision Risk

Collision avoidance involves many factors, from perception to vehicular control. While the dynamics and ethics of collision avoidance are complex [goodall2014ethical], the safety-critical obstacle detection system is required to detect all obstacles that can potentially collide with the AV. We utilize a physical model for collision risk from our prior work [9460196], where the potential risk of collision is determined by the overlap of the existence regions [schmidt2006research] of obstacles and AV within the AV’s time to stop.

Iv-C Height

The height of an obstacle is only useful in making a binary determination for collision avoidance, i.e., whether or not the obstacle is completely clear above the height of the AV. For example, in Figure 1 (a) the overhead road sign is completely above the AV, its exact height has no implication for collision avoidance. The box contains valuable information that is required to identify the obstacle within the box to be a vehicle, however as discussed in Section IV-A, such a recognition of the obstacle class is not a requirement for collision avoidance. Thus for safety-critical collision avoidance contains as much relevant information as . Therefore as long as an obstacle’s height is not erroneously detected to be above and clear of the AV, we can simply consider the top or bird’s eye view of the AV’s surroundings. While such a view of obstacles is not traditionally used in perception systems, however, path planning in AV, an inherently 2D problem, regularly uses this representation [ming2021survey].

Iv-D Distance

The distance to an obstacle must be accurately detected for the collision-free operation of the AV. For collision avoidance, this distance is the minimum distance between the perimeters of the obstacle and the AV. Many safety parameters like safe following distance, time to collision and time to stop, are a function of the distance between the AV and obstacles [seiler1998development, cheng2019longitudinal], and therein lies the difference in underestimation and overestimation error in distance detection.

Iv-D1 Underestimation Error

When obstacle distances are underestimated, i.e., obstacles are detected to be closer than they are, the performance of AV suffers, however, there is no negative impact for direct collision avoidance. An implicit effect of acceptance of all detection with a lower distance than the ground truth obstacle is that occluded obstacles become unnecessary to detect as long as the occluding obstacle is detected. An example for this is Figure 1 (a) and (b). A small wall exists to the left side of the AV in both images, separating traffic moving in the opposite direction to the AV. If the wall is detected as an obstacle, the AV would not need to detect the vehicles across the wall to avoid colliding with them. Avoiding collisions with the occluding obstacle (wall here) means avoiding collisions with occluded obstacles. Note that this only applies to completely occluded obstacles. Partial occlusion is discussed in Section IV-E.

Iv-D2 Overestimation Error

Overestimation of distance is a grave safety concern. Obstacles detected to be further than they are invalidate any safety decisions that would be based on this information. Since it is unrealistic that an obstacle detection system would always have no distance overestimation error, a strict bound on overestimation distance detection error is required. With an established max error bound, any distance-based safety guarantee can assume this error is always present, maintaining the safety guarantee in the worst case.

Iv-E Projection

We determine a projection signifying a line on the road that the AV cannot cross without colliding with the obstacle for each obstacle. Figure 1 (c) shows an example of this. A circle is drawn with its center at the AV’s sensor hub and radius equal to the closest point on the obstacle from AV. The projection of the obstacle is then found as a line segment, tangent to the point where the above circle touches the obstacle. This line segment is shown as a thick line segment in Figure 1 (c). This line segment is a representation of the obstacle. Note that as new sensor inputs come in over time, the AV and obstacle move relative to each other, and the projection moves accordingly. So the line segment only represents the obstacle in the current frame to make safety-critical decisions until the next sensor frame is received and processed.

With this minimal representation of the ground truth obstacles, containing only the minimal information about the obstacles as required for safety-critical collision avoidance, we can now determine when detected obstacles are sufficiently detected to avoid collisions.

Iv-F Coverage

Each detected obstacle that meets the distance criteria ( $\lx@sectionsign$ IV-D) and falls within the direction of an obstacle can now be used to determine if a ground truth obstacle is sufficiently covered by detected obstacles to avoid collisions with the ground truth obstacle. Detected obstacles are projected on the projection of the ground truth obstacle to determine what parts of the ground truth projection are covered by the detected obstacles, as shown in Figure 1 (d). The projected detection must provide enough information to avoid collisions for an obstacle to be considered as detected. As with distance ( $\lx@sectionsign$ IV-D) this coverage may not be perfect but should have bounded errors. A limited proportion of the ground truth projection must be covered. This is equivalent to the traditionally used intersection over union (IOU) limits. It should be noted that the error margin of coverage is less important than that of the distance. The minimum distance always tracks the distance between the closest points between the AV and the obstacle, changing with each sensor input frame.

Iv-G Summary

In this section we have discussed various features of obstacles a perception system may detect and detailed their relevance for safety-critical collision avoidance. Many properties of obstacles that are considered critical parts of perception in AV (e.g., class, 3D dimensions, road sign information), while indeed required for achieving the mission of autonomous driving, are not necessary for safety-critical collision avoidance. In brief, an obstacle is considered detected for safety-critical obstacle avoidance if the following are accurately determined (a) the distance of obstacle from AV, within bounded error margins. (b) a line on the road that the obstacle makes unsafe for the AV to cross. An obstacle detection system that reliably meets the above requirements can be used to detect safety-critical faults in perception by more complex perception systems, thus providing fault detection and collision avoidance system. The fusion of verifiable algorithms with DNN and the control decisions based on the verifiable algorithms have additional challenges that will be addressed in future works.

V Parameters and Constraints

Symbols	Description	Example Value
$N$	Count of lasers in vertical array	$64$
$ξ$	LiDAR Beam Angles set	$[- {2.4}^{o}, . . ., {17.6}^{o}]$
$H_{L}$	Height of LiDAR sensor	$2.184 m$
$\Uppsi$	LiDAR horizontal angle step	${0.136}^{o}$
$h_{o}$	Height of obstacle	Variable
$α_{o}$	Inclination of obstacle from ground	$[0^{o}, . . ., 8^{o}]$ [aashto2001policy]
$D_{m i n}$	Distance to first LiDAR return	$6.7 m$
$D_{m a x}$	Distance range of the sensor	$75 m$
$α_{t h}$	Threshold angle for ground removal	$10^{o}$

Table II: Symbols Summary

V-a LiDAR Parameters

A rotating LiDAR contains several lasers stacked vertically. Each laser is given an index $r \in 1... N$ , where $N$ is the number of lasers. Each laser has an inclination angle $ξ_{i}$ from the horizontal, positive below the horizontal, the set of which is represented by $ξ$ . The lowest laser below the horizontal is assigned index $r = 1$ and $r = N$ index represents the highest laser, usually inclined above the horizontal. The LiDAR is mounted on the vehicle at a height $H_{L}$ above the wheelbase. For rotating LiDAR, the horizontal step angle $\Uppsi$ is uniform and can be calculated as $360^{o} / S a m p l e s P e r R o t a t i o n$ . The sensor is considered the origin point for the coordinate system. At each rotation, a new column of N samples is recorded and indexed with $c$ . The sensor returns a range image, a 2D depth image of range values $Rr,c ∀ r∈1...N, c∈1...\Uppsi$ . While we assume the more prolific rotating LiDAR, a solid state LiDAR [roriz2021automotive] would have similar parameters. Table II and Figure 2, respectively, summarize and represent some of these parameters, using example values from real world dataset [sun2020scalability].

V-B Constraints

We assume the following constraints for the validity of the Detectability model in Section VI:

C1: All LiDAR beams encountering solid obstacles, including ground, within the max range of the LiDAR, return with strong enough intensity from the first obstacle they encounter so that the return is recorded. This assumption holds in real world except when; (a) there are physical impediments in the air like dust, smoke, fog or rain; or, (b) adversarial objects with extremely reflective, absorbent or transparent surfaces.

C2: The obstacle’s width, projected on a plane perpendicular to the LiDAR beams falling on the obstacle, must be enough to have LiDAR points returned from it. For example, a thin sheet aligned parallel to the LiDAR beam’s direction can never be detected. According to the formula for circle arc length, a conservative bound can be established:

Width Projected

≥\UppsiDπ/180o.

(4)

Since $\Uppsi$ is small, the arc length is approximately equal, though always greater than the chord length for the same points. Being a small value, this width is not a prohibitive constraint, e.g., using values from Table II the width constraint at max LiDAR range of $75$ $m$ is just $17$ $c m$ .

C3: At least one LiDAR point exists on the ground before the obstacle. This is an algorithmic constraint [bogoslavskyi17pfg]. While we focus on the primary Top LiDAR only in rest of this work, additional low height limited field of view (FOV) LiDAR sensors can be used for obstacles closer than $D_{m i n}$ , e.g., Front, Rear, Side-Left and, Side-Right LiDAR in Waymo Open Dataset [sun2020scalability].

Furthermore, the following are assumed initially ( $\lx@sectionsign$ VI-A) and relaxed in later sections:

A1: Obstacle touches the ground at $90^{o}$ , i.e., $α_{o} = 90^{o}$ . Relaxed in Sections VI-B and VI-C.

A2: There is no ground inclination change between the vehicle and the obstacle. Relaxed in Section VI-D.

A3: No noise in detected range. Relaxed in Section VI-E.

Vi Detectability Model

Figure 2: A representation of point segmentation to ground vs. obstacle based on $α$ thresholding when two points return from the obstacle.

A detectability model describes, given an obstacle’s properties, sensor parameters, and environment parameters, whether a given algorithm can detect the obstacle with a given set of algorithm parameters. The detectability model allows the conversion of safety standards into algorithm and sensor parameter requirements as described with the example in Section II. We now develop the detectability model for obstacle detection using a LiDAR. We use Depth Clustering [bogoslavskyi16iros, bogoslavskyi17pfg] as the example algorithm, which uses depth discontinuity to segment LiDAR points into ground vs. obstacles and then determine bounding boxes for obstacles. Table II contains a summary of the symbols used in this section with example values from Waymo Open Dataset [sun2020scalability] or chosen defaults.

Figure 3: Respresentation for $α$ thresholding with only one point on obstacle.

Vi-a Simple Model

We start with a simple system model, as shown in Figures 2 and 5, with Assumptions A1, A2 and A3.

Ground Removal: The primary part of the Depth Clustering algorithm is ground removal, i.e., determining which range image points are on obstacles vs. ground. FN errors can occur if points on obstacles are mistakenly considered part of the ground. Ground removal is based on vertical depth discontinuity using the inclination angles $α$ . Assuming the first point ( $r = 1$ ) to always be on the ground, a sharp change in $α$ above a threshold $α_{t h}$ indicates that a point is on an obstacle. The first point must lie on the ground for the subsequent comparisons to be meaningful (C3). Inclination angle is calculated from the range image, as designed by Bogoslavskyi and Stachniss [bogoslavskyi17pfg], shown in Figure 2, as

$α_{r, c}$	$= a t a n 2 (\| \| B C \| \|, \| \| A C \| \|) = a t a n 2 (Δ z, Δ x)$	(5)
$Δ z_{r, c}$	$= \| R_{r - 1, c} s i n ξ_{r - 1} - R_{r, c} s i n ξ_{r} \|$	(6)
$Δ x_{r, c}$	$= \| R_{r - 1, c} c o s ξ_{r - 1} - R_{r, c} c o s ξ_{r} \|$	(7)
$Δ α_{r, c}$	$= {\begin{matrix} 0^{o}, if r = 1 \| α_{r, c} - α_{r - 1, c} \|, otherwise \end{matrix}}$	(8)

The point $r, c$ is considered to not be on the ground if, $R_{r - 1, c}$ is on the ground, $α_{t h} < 45^{o}$ , and

Δ α_{r, c}

> α_{t h},

(9)

If $R_{r - 1, c}$ is not on ground then $R_{r, c}$ , is also considered to not be on ground. The lowest row of points $R_{0, c}$ are assumed to be on the ground ( $\lx@sectionsign$ V-B C3). The column index corresponds to a rotational position of the sensor. For brevity, the column index is omitted for points in the same column only.

At horizontal distance $D$ from the sensor, the height of a LiDAR beam $r$ can be calculated as:

H_{r} (D, ξ_{r}, H_{L}) = H_{L} - D * t a n (ξ_{r}) .

(10)

For brevity, $H_{r} (D, ξ_{r}, H_{L})$ is referred to as $H_{r} (D)$ from this point as $ξ_{r}$ and $H_{L}$ are constant once a LiDAR sensor is chosen and placed on an AV. Let us define $r = min {i | H_{i} (D) > 0^{o}}$ , i.e., $R_{r}$ is the first point on the obstacle.

With this background, we can determine the minimum height of an obstacle that can be detected when the obstacle is at a distance of $D$ from the sensor (Figure 2). It is required to check three consecutive LiDAR points to detect an obstacle, according to the ground removal algorithm presented in (5) through (9).

Theorem 1.

The obstacle is detected at distance $D$ , if and only if one of the following conditions are true:

$H_{r} (D) \leq h_{o} < H_{r + 1} (D)$ AND
$α_{t h} < a t a n 2 (H_{r} (D), | D - \frac{H_{L}}{t a n (ξ_{r - 1})} |)$ ;
$h_{o} \geq H_{r + 1} (D)$ .

Proof.

Sufficiency: Consider case 2), i.e., $h_{o} \geq H_{r + 1} (D)$ . Then the points $R_{r}$ and $R_{r + 1}$ are on the obstacle, as shown in Figure 2, and thus it holds that $α_{r + 1} = 90^{o}$ . Since we have

Δ α_{r} = α_{r} - 0^{o},

Δ α_{r + 1} = | 90^{o} - α_{r} |,

where $α_{r - 1} = 0^{o}$ by the definition of index $r$ , it follows that

max {Δ α_{r}, Δ α_{r + 1}} \geq 45^{o} > α_{t h},

which guarantees that the obstacle is detected at distance $D$ .

Now consider case 1), i.e., $H_{r} (D) \leq h_{o} < H_{r + 1} (D)$ as shown in Figure 5. By the assumption, there exists an index $r - 1$ that touches the ground. Since $h_{o} \geq H_{r} (D)$ , the angle $α_{r - 1}$ can be found by (5) as follows:

	$α_{r}$	$= a t a n 2 (H_{r} (D), \| R_{r - 1} c o s (ξ_{r - 1}) - R_{r} c o s (ξ_{r}) \|)$
		$= a t a n 2 (H_{r} (D), \| D - \frac{H_{L}}{t a n (ξ_{r - 1})} \|),$		(11)

where

R_{r - 1} s i n (ξ_{r - 1}) = H_{L},

R_{r} c o s (ξ_{r}) = D .

Since $α_{r - 1} = 0^{o}$ , the above equation and the angle condition in case 1) imply $α_{t h} < Δ α_{r}$ , i.e., the obstacle is detected at distance $D$ .

Necessity: If the obstacle is detected at a distance $D$ , then at least one point on the obstacle is at distance $D$ , i.e., $R_{r}$ is on the obstacle. This implies $h_{o} \geq H_{r} (D)$ . Furthermore, if the obstacle is detected, then

Δ α_{r} = α_{r} - α_{r - 1} = α_{r} > α_{t h} .

(12)

There are two cases: $α_{r + 1} = 90^{o}$ and $α_{r + 1} \neq 90^{o}$ . If $α_{r + 1} = 90^{o}$ , then $R_{r + 1}$ is on the obstacle, and thus we have $h_{o} \geq H_{r + 1} (D)$ . This implies the case 2). On the other hand, if $α_{r + 1} \neq 90^{o}$ , then the inequality in (12) must hold, which renders the condition $α_{t h} \leq a t a n 2 (H_{r} (D), | D - \frac{H_{L}}{t a n (ξ_{r - 1})} |)$ . This implies case 1). This completes the proof. ∎

Theorem 1 consists of two sets of conditions based on the obstacle’s height. The second set indicates that if the height of the obstacle is sufficiently large, then there will be more than two LiDAR points on the obstacle ( $α_{r + 1} = 90^{o}$ ). This allows us to detect the obstacle without further condition on the angle $Δ α_{r}$ . The first set is the case that, when the size of the obstacle is small, there is only one LiDAR point on the obstacle, which requires us to have an additional condition for the angle $Δ α_{r}$ .

The first condition set in Theorem 1 implies that the minimum height to be detected at distance $D$ satisfies

	$H_{r} (D) = h_{o}$
	$α_{t h} \leq a t a n 2 (h_{o}, \| D - \frac{H_{L}}{t a n (ξ_{r - 1})} \|),$		(13)

which depends on the distance $D$ and threshold $α_{t h}$ .

Vi-B Obstacle at Inclination

Assumptions: We maintain all assumptions from $\lx@sectionsign$ VI-A except part of A1, i.e., that the obstacle surface inclination angle is $α_{o} \neq 90^{o}$ . We assume $α_{o} > α_{t h}$ , otherwise the obstacle cannot be detected.

In this case, if $R_{i}$ is at the end of the inclined obstacle, then its height at a distance $D$ is found by

H_{i} (D) = h_{o} s i n (α_{o}) + h_{o} c o s (α_{o}) t a n (ξ_{i}) .

This height can be used to determine whether there are more than two LiDAR points on the obstacle. Further notice that the angle $α_{r}$ is found by reduced height $\frac{H_{r} (D)}{t a n (ξ_{r}) / t a n (α_{o}) + 1}$ and increased width $D + \frac{H_{r} (D)}{t a n (ξ_{r}) + t a n (α_{o})} - \frac{H_{L}}{t a n (ξ_{r - 1})}$ . This observations induce the following Corollary from Theorem 1.

Corollary 1.

The obstacle is detected at distance $D$ , if and only if one of the following conditions are true:

$H_{r} (D) \leq h_{o} s i n (α_{o}) + h_{o} c o s (α_{o}) t a n (ξ_{r + 1}) < H_{r + 1} (D)$ AND $α_{t h} < a t a n 2 (\frac{H_{r} (D)}{t a n (ξ_{r}) / t a n (α_{o}) + 1}, | D + \frac{H_{r} (D)}{t a n (ξ_{r}) + t a n (α_{o})} - \frac{H_{L}}{t a n (ξ_{r - 1})} |)$ ;
$h_{o} s i n (α_{o}) + h_{o} c o s (α_{o}) t a n (ξ_{r + 1}) \geq H_{r + 1} (D)$ .

Vi-C Obstacle not Touching Ground

Assumptions: We maintain all assumptions in $\lx@sectionsign$ VI-A except A1, i.e., that the obstacle surface no longer touches the ground. Instead, now the obstacle surface starts at height $h_{g}$ above the ground as shown in Figure 5.

We are interested in the first beam on the obstacle, where its index is defined by $r_{g} = min {i | H_{i} (D) > h_{g}}$ . Noticing the height of the obstacle tip is $h_{o} + h_{g}$ , we can reformulate Theorem 1 as the following corollary.

Corollary 2.

The obstacle is detected at distance $D$ , if and only if one of the following conditions are true:

$H_{r_{g}} (D) \leq h_{o} + h_{g} < H_{r_{g} + 1} (D)$ AND $α_{t h} < a t a n 2 (H_{r_{g}} (D), | D - \frac{H_{L}}{t a n (ξ_{r_{g} - 1})} |)$ ;
$h_{o} + h_{g} \geq H_{r_{g} + 1} (D, ξ, H_{L})$ .

The minimum detectable height for this case is found by

	$H_{r_{g}} (D) = h_{o} + h_{g}$
	$α_{t h} \leq a t a n 2 (h_{o} + h_{g}, \| D - \frac{H_{L}}{t a n (ξ_{r_{g} - 1})} \|) .$

(a) Simple Model ( $\lx@sectionsign$ VI-A)

(a) Simple Model ( $\lx@sectionsign$ VI-A)

Vi-D Inclined Ground

Assumptions: We maintain all assumptions in $\lx@sectionsign$ VI-A except A2, i.e., Ground inclination $α_{g}$ could be non-zero (Figure 5).

Ground inclination affects the detectability model only when relative inclination changes between the obstacle and the AV. This section assumes that ground inclination starts before the obstacle position, i.e., $d < D$ . There are two cases.

Case I: The inclination starts after the beam $R_{r - 1}$ , i.e.,

\frac{H_{L}}{t a n (ξ_{r - 1})} \leq d \leq \frac{H_{L}}{t a n (ξ_{r})} .

(14)

We can extend Corollary 1 to find the detectability condition. The first beam touching the obstacle must be higher than the ground at distance $D$ . Let us define

r_{f} = min {i | H_{i} (D) > (D - d) t a n (α_{g})} .

If $R_{r_{f} + 1}$ is at the end of the obstacle, then

	$H_{r_{f} + 1} (D)$	$= h_{o} c o s (α_{g}) - h_{o} s i n (α_{g}) t a n (ξ_{r_{f} + 1})$
		$+ (D - d) t a n (α_{g}),$

which is the threshold to determine whether $R_{r_{f} + 1}$ is on the obstacle. Furthermore, $α_{r_{f}}$ is found by increased height $\frac{H_{r_{f}} (D) - (D - d) t a n (α_{g})}{1 - t a n (ξ_{r_{f}}) t a n (α_{g})} + (D - d) t a n (α_{g})$ and decreased width $D + \frac{H_{r_{f}} (D) - (D - d) t a n (α_{g})}{t a n (ξ_{r_{f}}) - c o t (α_{g})} - \frac{H_{L}}{t a n (ξ_{r_{f} - 1})}$ . This observation induces the following Corollary.

Corollary 3.

The obstacle is detected at distance $D$ , if and only if one of the following conditions are true:

$H_{r_{f}} (D) \leq h_{o} c o s (α_{g}) - h_{o} s i n (α_{g}) t a n (ξ_{r_{f} + 1}) + (D - d) t a n (α_{g}) < H_{r_{f} + 1} (D)$ AND $α_{t h} < a t a n 2 (\frac{H_{r_{f}} (D) - (D - d) t a n (α_{g})}{1 - t a n (ξ_{r_{f}}) t a n (α_{g})} + (D - d) t a n (α_{g}), | D + \frac{H_{r_{f}} (D) - (D - d) t a n (α_{g})}{t a n (ξ_{r_{f}}) - c o t (α_{g})} - \frac{H_{L}}{t a n (ξ_{r_{f} - 1})} |)$ ;
$h_{o} c o s (α_{g}) - h_{o} s i n (α_{g}) t a n (ξ_{r_{f} + 1}) + (D - d) t a n (α_{g}) \geq H_{r_{f} + 1} (D)$ .

Case II: The inclination starts before the beam $R_{r - 1}$ , i.e.,

d < \frac{H_{L}}{t a n (ξ_{r - 1})} .

In this case, the beam point of $R_{r_{f} - 1}$ land on different point from that of the case II. This decreases relative height $H_{L} - R_{r_{f} - 1} s i n (ξ_{r_{f} - 1})$ and increases relative width $\frac{H_{L}}{t a n (ξ_{r_{f} - 1})} - R_{r_{f} - 1} c o s (ξ_{r_{f} - 1})$ between $R_{r_{f} - 1}$ and $R_{r_{f}}$ . This changes $α_{r_{f}}$ found in Corollary 3. It is also worth to notice that if

d < \frac{H_{L}}{t a n (ξ_{r - 2})},

then $α_{r_{f} - 1} = α_{g}$ , and thus we have $Δ α_{r} = α_{r} - α_{g}$ . Using these facts, one can find an extension of Corollary 3.

Vi-E Noise

Assumptions: We maintain all assumptions in $\lx@sectionsign$ VI-A except A3, i.e., there exists a depth detection error. Minor inaccuracies in depth detection can be a problem when finding $Δ x, Δ z$ . In particular, the $i^{t h}$ beam returns noisy measurement $y_{i} = R_{i} ϵ_{i}$ [wang2019pseudo] instead of its ground truth distance $R_{i}$ from the sensor to the obstacle where $ϵ_{i} \in [1 - ϵ, 1 + ϵ]$ is unknown noise with a known sensor error bound $ϵ$ , e.g., Velodyne HDL-64E S3 LiDAR has a range detection inaccuracy of $\pm 2$ $c m$ [velodynehdl64].

Under mild assumptions, Theorems 2 and 3 provide a bound of the first angle $α_{r}$ on the obstacle, and a bound of the angle $α_{i}$ between two consecutive points on the obstacle.

Theorem 2.

Assume $y_{r} c o s (ξ_{r}) \geq y_{r - 1} c o s (ξ_{r - 1})$ and $y_{r} s i n (ξ_{r}) \leq y_{r - 1} s i n (ξ_{r - 1})$ . Then, the angle $α_{r}$ is lower bounded by

	$α_{r}$	$\geq a t a n 2 ($	$R_{r - 1} (1 - ϵ) s i n (ξ_{r - 1}) - R_{r} (1 + ϵ) s i n (ξ_{r}),$
	$R_{r} (1 + ϵ) c o s (ξ_{r}) - R_{r - 1} (1 - ϵ) c o s (ξ_{r - 1}))$

and upper bounded by

	$α_{r}$	$\leq a t a n 2 ($	$R_{r - 1} (1 + ϵ) s i n (ξ_{r - 1}) - R_{r} (1 - ϵ) s i n (ξ_{r}),$
	$R_{r} (1 - ϵ) c o s (ξ_{r}) - R_{r - 1} (1 + ϵ) c o s (ξ_{r - 1})) .$

Proof.

Angle $α_{r}$ is found by (5). The assumptions $y_{r} c o s (ξ_{r}) \geq y_{r - 1} c o s (ξ_{r - 1})$ and $y_{r} s i n (ξ_{r}) \leq y_{r - 1} s i n (ξ_{r - 1})$ imply that

$α_{r}$	$= a t a n 2 ($	$\| y_{r} s i n (ξ_{r}) - y_{r - 1} s i n (ξ_{r - 1}) \|,$
$\| y_{r} c o s (ξ_{r}) - y_{r - 1} c o s (ξ_{r - 1}) \|)$
	$= a t a n 2 ($	$y_{r - 1} s i n (ξ_{r - 1}) - y_{r} s i n (ξ_{r}),$
$y_{r} c o s (ξ_{r}) - y_{r - 1} c o s (ξ_{r - 1})) .$

Considering the fact that $t a n$ is a strictly increasing function in the domain $[0^{o}, 90^{o})$ , we can find the lower bound and upper bounds presented in the theorem statement. ∎

Theorem 3.

Assume that two consecutive points $R_{i - 1}$ and $R_{i}$ land on the obstacle, and that $y_{i} s i n (ξ_{i}) \leq y_{i - 1} s i n (ξ_{i - 1})$ . Then, the angle $α_{i}$ is lower bounded by

	$α_{i}$	$\geq a t a n 2 ($	$R_{i} (1 + ϵ) s i n (ξ_{i}) - R_{i - 1} (1 - ϵ) s i n (ξ_{i - 1}),$
	$R_{i} (1 + ϵ) c o s (ξ_{i}) - R_{i - 1} (1 - ϵ) c o s (ξ_{i - 1}))$

and upper bounded by $90^{o}$ .

Proof.

The function $a t a n 2$ is upper bounded by $90^{o}$ in all domains. Similarly, the lower bound can be found with the proof of Theorem 2. Details omitted due to the space limit. ∎

The assumptions $y_{r} c o s (ξ_{r}) \geq y_{r - 1} c o s (ξ_{r - 1})$ and $y_{r} s i n (ξ_{r}) \leq y_{r - 1} s i n (ξ_{r - 1})$ are mild because $R_{r} c o s (ξ_{r}) \geq R_{r - 1} c o s (ξ_{r - 1})$ and $R_{r} s i n (ξ_{r}) \leq R_{r - 1} s i n (ξ_{r - 1})$ hold for most of the cases, and $ϵ_{i}$ is around $1$ . For the same reason, the assumption $y_{i} s i n (ξ_{i}) \leq y_{i - 1} s i n (ξ_{i - 1})$ is mild as well.

Vi-F Summary

Using $ξ$ and $H_{L}$ from the Waymo Open Dataset [sun2020scalability], (13) yields Figure (a)a for various $α_{t h}$ and $D$ (X-Axis). Figure (b)b shows the same when $α_{o} = 60^{o}$ as in Section VI-B. Figure (c)c is based on Section VI-C, assuming obstacle is $0.271$ $m$ above the ground, based on ground clearance of a sedan [matlab_sedan]. The varying nature of the colored plot is due to the discrete nature of LiDAR beams. To get a usable bound, like (1), we determine a linear max curve fit for each case, where the dashed line is always greater than or equal to the original plot. Shaded region is where the obstacle is always detected.

In this section, we have developed detectability model for the Depth Clustering algorithm. We find that not only is such analysis possible, but it also yields human perceptible bounds. This work stands as the first step in establishing the verifiability of classical obstacle detection algorithms and their use in AV for safety-critical obstacle avoidance.

Vii Evaluation

(a) Example showing 3D ground truth box extending too far beyond the obstacle.

GT extra size causing coverage (73.5% here) to fall just below the threshold (75%). — (a) Example showing 3D ground truth box extending too far beyond the obstacle.

Count	Category
98224	Total obstacles (Vehicles, Pedestrian, Cyclist, Unknown)
93030	Total without obstacles closer than $D_{m i n}$ (C3 $\lx@sectionsign$ V-B)
7565	Obstacles that pose collision risk ( $\lx@sectionsign$ IV-B) [9460196]
7402	Detected meeting minimally sufficient requirements ( $\lx@sectionsign$ IV)
153	Ground Truth larger than obstacle
10	Oversegmentation
0	Remaining FN count at 75% coverage.

Table III: Results for False Negative (FN) Evaluation

In this section, we evaluate the obstacle detection algorithm using real-world sensor data from Waymo Open Dataset [sun2020scalability]. We first determine if the algorithm meets the safety-critical requirements proposed in this work ( $\lx@sectionsign$ IV). For obstacle existence fault or FN evaluation we randomly select 16 clear weather scenes from the 202 scenes in the validation dataset. The random downsampling was necessitated by the manual effort involved in analyzing FN candidates. The scenes included various scenarios, including heavy to low traffic, residential with pedestrians, city and highway driving.

Table II summarizes the parameters used. $α_{t h}$ was set at $10^{o}$ . Distance overestimation error was bounded to $10$ $c m + 5 %$ of actual distance. The constant was chosen as a small value to keep the error bound low at close distances. However, since the depth perception accuracy reduces with distance an additional percentage-based threshold allows accommodation of sensor limits while having a low impact. A limited coverage threshold of $75 %$ was used as a threshold for True Positive (TP) detection, chosen to parallel the strict metric for IOU from COCO Dataset [coco]. All FN candidates were analyzed manually using a visualizer provided by Bogoslavskyi and Stachniss [bogoslavskyi17pfg]. We enhanced the visualizer to aid the manual inspection. Table III summarizes the results.

Vii-1 GT Counts

We first determine the total number of GT in the included scenes. All classes, excluding road signs, were counted to yield a total of 98224. Obstacles closer than first beam ( $R_{1, c}$ ) on the ground, i.e., closer than $D_{m i n}$ are removed as per C3 in Section V-B, reducing the count of GT to 93030. Obstacles that do not pose a risk of collision are also removed ( $\lx@sectionsign$ IV-B), leaving 7565 obstacles.

Vii-2 Automated Evaluation

We run the detection algorithm and evaluate results based on requirements described in Section IV. 7402 True Positives and 163 FN candidates were found. The FN candidates were then manually inspected.

Vii-3 GT Dimension Error

The most common reason for erroneous FN indication were inaccurate GT labels. This inaccuracy of GT was determined based on visual inspection of point clouds. The GT were visibly larger or offset from the actual obstacle. Figures (a)a and (b)b show such examples. Drawn as per the provided GT, the green box is clearly either larger or offset from the contained obstacle. Similarly, as shown in Figure (b)b, the GT inaccuracy is enough to bring the coverage below the $75 %$ threshold. In some cases, the error is small, e.g., Figure (c)c. However when close to the AV, the small GT error can still be larger than the distance overestimation error allowed. We consider these detections as TP after ascertaining that the detection bounding box meets the requirements. A total of 153 FN candidates were found to fall in this category.

Vii-4 Oversegmentation

Figure (d)d shows a case where the obstacle was adequately detected but segmented into more than one bounding box. Since the second bounding box did not meet the distance threshold, the automated analysis ignored it. However, given the presence of both bounding boxes, we argue that this detection should be considered True Positive. The points on the obstacle were not erroneously considered to be drivable ground. 10 instances of this scenario on the same vehicle were found in consecutive frames.

Vii-5 Obstacle Existence Fault

No FN, i.e., obstacle existence faults were found. This is not surprising given the low minimum height bounds determined in Section VI and Figure 9. The max curve fits in Figures (a)a, (b)b and (c)c are conservative linear approximations. Ignoring the max curve fits, the actual bounds in Figures (a)a, (b)b and (c)c were less than $0.5$ $m$ in all cases within the sensor range of $75$ $m$ .

Viii Discussion

Generality: The safety-critical requirements for collision avoidance are applicable to all ground based autonomous vehicles. The LiDAR parameters used apply broadly to all LiDAR sensors. The constraints are also generally applicable, except C3 which is based on the algorithm. Other verifiable algorithms may have different algorithmic constraints. The detectability model in this work is specific to the chosen algorithm. However, the analysis shows that it is indeed possible to derive strict human perceptible bounds on the detectability of these algorithms and serves as guidance for verification of similar algorithms.

Human Comprehensibility: As shown in this work, safety standards, policies and limitations of the example algorithm are in human comprehensible definitions. This makes such policies realistically implementable and enforceable. Human comprehensible limitations also implicitly protect against adversarial objects [cao2019adversarial, tu2020physically]. This is in contrast to the machine learning based solutions where requirements, faults and adversarial perturbations are not always expressible in human perceptible forms [huang2017safety].

Requirements: Section IV establishes a minimal set of requirements for collision avoidance in AV. However, additional features of obstacles, if determined in a verifiable manner, can improve the safety envelop, reducing overly conservative behaviors. For example, the collision risk model uses obstacle and AV velocity to determine if there is a potential risk of collision. If velocities cannot be determined reliably, a conservative default high velocity threshold must be used.

Adversarial Objects: The failure modes for analyzable algorithms are well defined and expressible in limitations like minimum height and slopes from ground. Whereas DNN based detectors can have varied failure modes, including fully or partially designed adversarial objects [cao2019adversarial, tu2020physically, abdelfattah2021adversarial, zhu2021can]. The difference in failure modes suggests than an ensemble of the two would be robust against attacks using adversarial designed objects.

Ix Future Work

Integration: In this work we focus on detection of faults in obstacle existence detection. However, the reaction to them, i.e., fault handling has its own challenges. The integration of verifiable algorithms within existing AV pipelines and fault handling built upon it are the focus of our future research.

Precision Improvements: The complete Depth Clustering algorithm includes methods for improving the detection precision. Future works will address the expansion of the detectability model to include these methods.

Verifiable Algorithms: Despite the necessity of DNN in AV, this work shows that there is a role for analyzable algorithms. Therefore further research is warranted to improve such physical model backed verifiable algorithms. Improvements like lower physical limitations bounds and lower FP rates within those bounds would make these algorithms have reduced impact to the performance of the AV while maintaining the same safety guarantees.

Weather: Impediments like rain, fog, dust or smoke distort the LiDAR returns and can result in LiDAR beams returning with low enough intensity to not be recorded or causing a false early return [heinzler2019weather, wallace2020full], i.e., violating C1 ( $\lx@sectionsign$ V-B). Detectability in the presence of such faults is an avenue for future research.

X Conclusion

This paper identifies requirements for safety-critical obstacle detection and presents a safety analysis of an obstacle detection algorithm. The results encourage a thorough separation of mission and safety-critical requirements in autonomous vehicles. Furthermore, verifiable algorithms could fulfill the critical safety requirements offloading that responsibility from DNN based solutions that remain inherently unverifiable.

Acknowledgment

The material presented in this paper is based upon work supported by the National Science Foundation (NSF) under grant no. CNS 1932529, ECCS 2020289, the Air Force Office of Scientific Research (AFOSR) under grant no. #FA9550-21-1-0411, the National Aeronautics and Space Administration (NASA) under grant no. 80NSSC20M0229, AWD-000577-G1, and University of Illinois Urbana-Champaign under grant no. STII-21-06. Any opinions, findings, and conclusions or recommendations expressed in this publication are those of the authors and don’t necessarily reflect the views of the sponsors.

Verifiable Obstacle Detection

Abstract

I Introduction

Ii Motivation and Overview

Iii Related Work

Iv Minimal Requirements

Iv-a Classification

Iv-B Collision Risk

Iv-C Height

Iv-D Distance

Iv-D1 Underestimation Error

Iv-D2 Overestimation Error

Iv-E Projection

Iv-F Coverage

Iv-G Summary

V Parameters and Constraints

V-a LiDAR Parameters

V-B Constraints

Vi Detectability Model

Vi-a Simple Model

Theorem 1.

Proof.

Vi-B Obstacle at Inclination

Corollary 1.

Vi-C Obstacle not Touching Ground

Corollary 2.

Vi-D Inclined Ground

Corollary 3.

Vi-E Noise

Theorem 2.

Proof.

Theorem 3.

Proof.

Vi-F Summary

Vii Evaluation

Vii-1 GT Counts

Vii-2 Automated Evaluation

Vii-3 GT Dimension Error

Vii-4 Oversegmentation

Vii-5 Obstacle Existence Fault

Viii Discussion

Ix Future Work

X Conclusion

Acknowledgment

References