
Decomposition and Quantification of SOTIF Requirements for Perception Systems of Autonomous Vehicles

Published 17 Jan 2025 in eess.SY | (2501.10097v1)

Abstract: Ensuring the safety of autonomous vehicles (AVs) is paramount before they can be introduced to the market. More specifically, securing the Safety of the Intended Functionality (SOTIF) poses a notable challenge; while ISO 21448 outlines numerous activities to refine the performance of AVs, it offers minimal quantitative guidance. This paper endeavors to decompose the acceptance criterion into quantitative perception requirements, aiming to furnish developers with requirements that are not only understandable but also actionable. This paper introduces a risk decomposition methodology to derive SOTIF requirements for perception. More explicitly, for subsystem-level safety requirements, we define a collision severity model to establish requirements for state uncertainty and present a Bayesian model to discern requirements for existence uncertainty. For component-level safety requirements, we proposed a decomposition method based on the Shapley value. Our findings indicate that these methods can effectively decompose the system-level safety requirements into quantitative perception requirements, potentially facilitating the safety verification of various AV components.

Summary

  • The paper introduces a novel methodology to decompose system-level SOTIF requirements into quantitative criteria for AV perception safety.
  • It employs a collision severity model and Bayesian approach to quantify state and existence uncertainties in autonomous vehicles.
  • Experimental analysis shows that using RSS models limits position errors to 17 meters and enhances collision avoidance in AVs.


This essay explores the paper titled "Decomposition and Quantification of SOTIF Requirements for Perception Systems of Autonomous Vehicles" (2501.10097). The paper addresses notable challenges faced in ensuring the Safety of the Intended Functionality (SOTIF) of autonomous vehicles (AVs) by proposing methodologies for deriving quantitative perception requirements.

Introduction

The paper identifies a critical gap in ISO 21448, which lacks clear quantitative guidance for improving AV safety. By proposing methodologies to decompose acceptance criteria into actionable perception requirements, the paper aims to facilitate the verification and validation of autonomous vehicle components. The authors present a risk decomposition methodology to translate system-level safety goals into subsystem and component-level requirements, using models to address state and existence uncertainties.

Methodology

Decomposition Process

The proposed methodology decomposes system-level requirements into subsystem-level and component-level requirements. For subsystem-level safety, a collision severity model is used to derive state uncertainty requirements, and a Bayesian model is employed to discern requirements for existence uncertainty (Figure 1).

Figure 1: Requirements decomposition: a validation target is derived from a predefined Operational Design Domain (ODD) and then decomposed to requirements for subsystems or functions, which are finally verified and validated in the ODD.

Collision Severity Model

The collision severity model relates state uncertainty (e.g., position inaccuracy) to collision risk, quantified by $\Delta v$ (velocity difference at impact). This model aims to determine the maximum allowable uncertainty to ensure safe execution of the intended behavior (Figure 2).

Figure 2: The process to solve $\Delta v$ at the collision time stamp given a specific position error. Depending on the timing, two different kinematic models are employed to update the states of the ego and the object. The $\Delta v$ is solved when a collision occurs via simulations.
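A simplified sketch of this kind of simulation, added here as an illustration and not taken from the paper: a lead car brakes, the ego switches from a cruise model to a braking model once its perceived gap falls below the RSS safe distance, and the closing speed at contact is returned. The scenario, the RSS parameters and the helper names are constructed assumptions, so the numbers do not reproduce the paper's results.

```python
def rss_safe_gap(v_rear, v_front, rho=0.5, a_max=2.0, b_min=4.0, b_max=6.0):
    """RSS minimum longitudinal gap (m): the rear car may accelerate at a_max
    for rho seconds, then brakes at b_min, while the front car brakes at b_max."""
    v_rho = v_rear + rho * a_max
    gap = (v_rear * rho + 0.5 * a_max * rho ** 2
           + v_rho ** 2 / (2 * b_min) - v_front ** 2 / (2 * b_max))
    return max(gap, 0.0)


def delta_v_at_collision(pos_error, gap0=70.0, v0=30.0, b_min=4.0, b_max=6.0,
                         dt=0.001):
    """Closing speed (m/s) at impact, or 0.0 if both cars stop without contact.

    Constructed scenario: the lead car brakes at b_max from t=0; the ego sees
    the true gap plus pos_error (the object is perceived farther than it is).
    """
    x_e, v_e, x_l, v_l = 0.0, v0, gap0, v0
    braking = False
    while v_e > 0.0 or v_l > 0.0:
        perceived_gap = (x_l - x_e) + pos_error
        if perceived_gap < rss_safe_gap(v_e, v_l, b_min=b_min, b_max=b_max):
            braking = True  # latch: switch from cruise model to braking model
        v_e_next = max(v_e - (b_min if braking else 0.0) * dt, 0.0)
        v_l_next = max(v_l - b_max * dt, 0.0)
        x_e += 0.5 * (v_e + v_e_next) * dt  # trapezoidal position update
        x_l += 0.5 * (v_l + v_l_next) * dt
        v_e, v_l = v_e_next, v_l_next
        if x_l - x_e <= 0.0:
            return v_e - v_l
    return 0.0


def max_allowable_error(candidates, dv_limit):
    """Largest candidate position error whose impact delta-v stays within dv_limit."""
    ok = [e for e in candidates if delta_v_at_collision(e) <= dv_limit]
    return max(ok) if ok else None


if __name__ == "__main__":
    for e in range(0, 41, 5):
        print(f"position error {e:2d} m -> delta v {delta_v_at_collision(e):5.2f} m/s")
```

Sweeping the position error and reading off the largest value that stays under a chosen $\Delta v$ limit is what turns the severity model into a state-uncertainty requirement.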

Bayesian Model

The Bayesian model quantifies existence uncertainty by assigning distance-based requirements, with stricter criteria for closer interactions. This approach ensures realistic and actionable safety requirements (Figure 3).

Figure 3: The concept of decomposing system-level risk into SOTIF requirements for perception.

Shapley Value-Based Method

For component-level safety, the Shapley value-based decomposition method optimizes safety requirements across AV components. This model-agnostic approach quantifies the influence of individual components on overall safety, facilitating efficient and fair allocation of requirements (Figure 4).

Figure 4: MOT algorithm is treated as a function characterized by predefined input and output data evaluation metrics, where numerical inputs and outputs are used to reflect changes in algorithm performance.
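An added example, not code from the paper, of exact Shapley attribution over a black-box function of the kind described above: each input metric of a stand-in MOT evaluation is either nominal or degraded, and the output is a track-loss rate. The effect sizes, the metric names and the proportional budget split in `allocate_budget` are constructed assumptions.

```python
from itertools import permutations
from math import factorial

# Constructed stand-in for a black-box MOT evaluation. Values are the increase
# in the output metric (track-loss rate) when an input metric is degraded.
MAIN_EFFECT = {"detector_recall": 0.020, "position_noise": 0.010, "latency": 0.004}
# Degraded recall and noisy positions together hurt more than their sum.
INTERACTION = {frozenset({"detector_recall", "position_noise"}): 0.006}


def track_loss_rate(degraded):
    """Output metric for a given set of degraded input metrics."""
    degraded = frozenset(degraded)
    rate = sum(MAIN_EFFECT[m] for m in degraded)
    rate += sum(x for pair, x in INTERACTION.items() if pair <= degraded)
    return rate


def shapley_values(players, value):
    """Exact Shapley values: average marginal contribution over all orderings."""
    phi = dict.fromkeys(players, 0.0)
    for order in permutations(players):
        coalition = frozenset()
        for p in order:
            grown = coalition | {p}
            phi[p] += value(grown) - value(coalition)
            coalition = grown
    n_orders = factorial(len(players))
    return {p: total / n_orders for p, total in phi.items()}


def allocate_budget(phi, system_budget):
    """Split a system-level budget in proportion to each Shapley share
    (an assumed allocation rule, chosen here for illustration)."""
    total = sum(phi.values())
    return {p: system_budget * v / total for p, v in phi.items()}


if __name__ == "__main__":
    phi = shapley_values(list(MAIN_EFFECT), track_loss_rate)
    for name, share in allocate_budget(phi, system_budget=0.01).items():
        print(f"{name:16s} shapley={phi[name]:.4f} budget={share:.5f}")
```

The interaction term is split evenly between the two metrics that cause it, and the values sum to the total change in the output metric, which is the property that makes the split usable as an allocation.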

Results

Experimental Analysis

The selection of intended behavior models emphasizes the crucial role of planning system performance in setting perception requirements. Both the RSS and FSM models were evaluated using the AD4CHE dataset, and the RSS model showed superior performance in preventing collisions in cut-in scenarios (Figure 5).

Figure 5: Results of FSM and CC Driver models in one cut-in scenario...

In deriving requirements for state uncertainty, position and velocity errors were analyzed within the context of the collision severity model. The analysis showed that the maximum allowable position error was 17 meters, ensuring safe AV operation under specified highway scenarios (Figure 6).

Figure 6: The relation between position errors and collision severity using the RSS model...

The Bayesian model addressed existence uncertainty by calculating false negative (FN) rates across different distance partitions, with strict criteria for closer partitions. The model effectively provided differentiated safety requirements based on partitioned scenarios (Figure 7).

Figure 7: The probability of relevant scenarios in different distance partitions considering the duration of an FN object.

Discussion

The paper's methodologies translate high-level safety criteria into precise subsystem and component-level requirements, enhancing the SOTIF framework. The authors highlight the importance of tailored safety requirements for efficient verification, which reduces burdensome testing costs. Moreover, the Shapley value-based method for component-level requirements allocation promotes an equitable distribution of safety requirements across AV components.

Nevertheless, the study emphasizes the ongoing need for extensive real-world data to enhance model validity and the potential recalibration of intended behavior models for specific applications.

Conclusion

This research presents significant strides towards comprehensive and structured methodologies for SOTIF requirements decomposition, advancing both theoretical safety frameworks and practical applications in autonomous vehicle development. Future studies could expand on non-collision scenarios and consider multi-component interactions to refine derived safety requirements further.
