Grasping Causality for the Explanation of Criticality for Automated Driving

TJARK KOOPMANN, German Aerospace Center (DLR) e.V., Germany
CHRISTIAN NEUROHR, German Aerospace Center (DLR) e.V., Germany
LINA PUTZE, German Aerospace Center (DLR) e.V., Germany
LUKAS WESTHOFEN, German Aerospace Center (DLR) e.V., Germany
ROMAN GANSCH, Robert Bosch GmbH, Germany
AHMAD ADEE, Technical University of Kaiserslautern, Germany
The verication and validation of automated driving systems at SAE levels 4 and 5 is a multi-faceted challenge
for which classical statistical considerations become infeasible. For this, contemporary approaches suggest
a decomposition into scenario classes combined with statistical analysis thereof regarding the emergence
of criticality. Unfortunately, these associational approaches may yield spurious inferences, or worse, fail to
recognize the causalities leading to critical scenarios, which are, in turn, prerequisite for the development
and safeguarding of automated driving systems. As to incorporate causal knowledge within these processes,
this work introduces a formalization of causal queries whose answers facilitate a causal understanding of
safety-relevant inuencing factors for automated driving. This formalized causal knowledge can be used to
specify and implement abstract safety principles that provably reduce the criticality associated with these
inuencing factors. Based on Judea Pearl’s causal theory, we dene a causal relation as a causal structure
together with a context, both related to a domain ontology, where the focus lies on modeling the eect of
such inuencing factors on criticality as measured by a suitable metric. As to assess modeling quality, we
suggest various quantities and evaluate them on a small example. Our main example is a causal relation for
the well-known inuencing factor of a reduced coecient of friction and its eect on longitudinal and lateral
acceleration as required by the driving task. As availability and quality of data are imperative for validly
estimating answers to the causal queries, we also discuss requirements on real-world and synthetic data
acquisition. We thereby contribute to establishing causal considerations at the heart of the safety processes
that are urgently needed as to ensure the safe operation of automated driving systems.
CCS Concepts: Mathematics of computing → Causal networks; Computing methodologies → Causal reasoning and diagnostics; Modeling methodologies.
ACM Reference Format:
Tjark Koopmann, Christian Neurohr, Lina Putze, Lukas Westhofen, Roman Gansch, and Ahmad Adee. 2018.
Grasping Causality for the Explanation of Criticality for Automated Driving. J. ACM 37, 4, Article 111
(August 2018), 24 pages. https://doi.org/XXXXXXX.XXXXXXX
Authors’ addresses: Tjark Koopmann, tjark.koopmann@dlr.de, German Aerospace Center (DLR) e.V., Institute of Systems
Engineering for Future Mobility, Oldenburg, Germany; Christian Neurohr, christian.neurohr@dlr.de, German Aerospace
Center (DLR) e.V., Institute of Systems Engineering for Future Mobility, Oldenburg, Germany; Lina Putze, lina.putze@dlr.de,
German Aerospace Center (DLR) e.V., Institute of Systems Engineering for Future Mobility, Oldenburg, Germany; Lukas
Westhofen, lukas.westhofen@dlr.de, German Aerospace Center (DLR) e.V., Institute of Systems Engineering for Future
Mobility, Oldenburg, Germany; Roman Gansch, Robert Bosch GmbH, Renningen, Germany, roman.gansch@de.bosch.com;
Ahmad Adee, Technical University of Kaiserslautern, Kaiserslautern, Germany, adee4102@gmail.com.
J. ACM, Vol. 37, No. 4, Article 111. Publication date: August 2018.
arXiv:2210.15375v1 [cs.AI] 27 Oct 2022
111:2 Koopmann et al.
1 INTRODUCTION
Trac safety research is inherently tied to the investigation of causal questions such as ’which
chain of events led to the accident?’, ’could the accident have been prevented by a strong steering
maneuver?’ or ’are strict speed limits eective at increasing general safety in trac?’. In order to
prevent accidents, besides the practical aspects of operating a car, the theoretical part of teaching
humans to drive reasonably safe usually includes the numerous abstract classes of danger (’a wet
road surface’) combined with a causal explanation as to why an instance of this danger could
lead to a critical situation (’less available tire-to-road friction implies decreased maneuverability’).
Moreover, this abstract danger is accompanied by some safety principle (SP) to mitigate the potential
risk (’if road surface is wet, drive at reduced speed’). The human brain excels at identifying and
mitigating instances of such abstract dangers in the open context of the trac world due to
a causal understanding derived from prior experiences (e.g. knowledge obtained from driving
lessons or parents) leading to solid predictions even for unseen circumstances. Moreover, humans
intuitively perform counterfactual reasoning after trac incidents (or any incident) to learn from
those experiences and hence to avoid such incidents in the future.
Automated driving systems (ADSs) at SAE levels 4 and 5 [1] are complex systems which are expected to safely navigate in open contexts in general, and specifically through all instances of the same abstract classes of dangers, just as humans do. Without obtaining a formalized understanding of the underlying causalities, it is hardly possible to transfer this knowledge to ADSs. However, in order to adapt the human learning process for automated driving, a rigorous process of identification and formalization of the knowledge to be learned is necessary. Recent work proposes a methodical criticality analysis for ADSs [2], aiming to systematically identify influencing factors associated with increased criticality in traffic and analyze the underlying causal relations. In the work at hand, we combine the framework of causal theory [3] with the criticality analysis as a novel approach to tackle the problem of modeling and analyzing the causal relations of such criticality phenomena for ADSs with formal rigor. Explaining these relations of contextual factors with increased criticality by a causal model with formal semantics enables the derivation and implementation of SPs that can be quantitatively proven to mitigate criticality. Finally, such evidence on criticality mitigation can be generically leveraged in a quantitative safety argumentation.
The contributions of this work may be summarized as providing
• a formalization of causal queries within the criticality analysis,
• the application of causal theory for the formal modeling and analysis of causal relations,
• the introduction of quantities to evaluate the modeling quality of such causal relations, and
• significant modeling efforts towards the reduced coefficient of friction’s causal relation.
These contributions dier from contemporary approaches for understanding causality in the
context of vehicle development, e.g. fault tree analysis, in that they allow to cover the vast modeling
complexity as required by safety considerations for automated driving at SAE levels 4 and 5 while
providing a formal basis grounded in the theories of random variables and directed acyclic graphs.
The following Section 2 introduces the methodical foundations of the criticality analysis, as introduced in [2], the required concepts from causal theory [3] and discusses how causal effects can be estimated from data as well as other relevant related work. In Section 3 we explore how causal theory can be applied to causal relations of criticality phenomena by representing them as causal structures. We discuss requirements and modeling principles for causal structures that lead to a rigorous definition of a causal relation and its plausibilization. As to assess the modeling quality of causal relations, we introduce various indicator quantities and evaluate them on a small example. Section 4 provides a detailed exemplification of the proposed modeling approach for the criticality phenomenon reduced coefficient of friction. Further, we discuss in Section 5 how causal relations constructed in this way relate to requirement elicitation for data acquisition, for real world data and in simulation environments, followed by ideas for future work in Section 6.
2 PRELIMINARIES
In this section, we briey present the foundations and preliminary work for the to-be-combined
aspects of this work, namely criticality analysis and causal theory.
2.1 Introduction to the Criticality Analysis for Automated Driving Systems
Any complex system that operates within highly complex, open and unpredictable contexts needs to undergo a rigorous safety procedure before deployment [4]. For ADSs at SAE levels 4 and 5, current scientific and industrial advances as e.g. driven by the PEGASUS family projects VVM and SET Level¹ suggest an iterative scenario-based verification and validation process [5]. For this, a suitable first step can be a criticality analysis, where the operational domain (OD) is analyzed, structured, decomposed and understood w.r.t. potentially safety-relevant influencing factors [2].
Criticality can be roughly understood as the combined risk of all actors within a traffic situation or scenario [2, Definition 1]. The criticality analysis aims to identify factors within the open context that are associated with increased criticality, called criticality phenomena, to understand the underlying causalities and to derive generic principles preventing their occurrence or mitigating their effects. Such SPs aim to reduce the causal effect of a criticality phenomenon (CP) on the measurable aspects of criticality², enabling ADS designers to safeguard the product. The main artifacts are a) criticality phenomena b) their causal relations and c) safety principles.
As an exemplary CP, which will also serve as a running example throughout this work, consider
the reduced coefficient of friction between the road and the tires of an ADS-operated vehicle,
referred to as ego in the following. The criticality analysis collects a finite and manageable list of
such factors in the OD. Their explanations can then become the basis for generic SPs – e.g. ’drive
carefully during rain and freezing temperatures’ –, mechanisms also taught to humans during
driving school. There, such advice rests upon the causal understanding of the driving teacher, that,
for example, the combination of rain and freezing temperatures can lead to ice on the road. This
is often causal for a reduced coefficient of friction, which in turn can increase the probability of
experiencing unstable driving dynamics.
If causalities are understood during the design process of an ADS and specific versions of generic
SPs are implemented in the final product, the machine inherits a causal understanding of traffic
that is prerequisite to homologation. Using purely associative implementations, such as machine
learning algorithms, is prone to inefficient and unsafe behavior in the field. It is only by causal
understanding that a traffic context becomes predictable and therefore safely manageable.
This work closely examines the role of the mandatory causal analysis of criticality within an open and complex context. The concept paper of the criticality analysis provides a rather syntactical definition of a causal relation as a directed, acyclic graph CR = (𝑃, 𝐸) where 𝑃 is the set of nodes – variables described by propositions on traffic scenarios – and 𝐸𝑃×𝑃 is the set of edges – causal links between the variables [2, Definition 7]. This work aims at sharpening this definition using Pearl’s causal theory. From the point of view of the criticality analysis, we focus on the method branch, as introduced in [2, Figure 4], and extend it to incorporate SPs, leading to the basic process sketched in Figure 1. Here, we start with a CP, ensure its observability and establish its associational relevance. Thereafter, the causal analysis starts by determining the novelty of the phenomenon. A core part is the creation of a causal relation, reflecting the understanding of the analyst about the emergence of the CP as well as its effect on measured criticality. This causal relation enables predictions and serves as a backbone for subsequent analyses and queries.

¹ https://vvm-projekt.de/en, https://setlevel.de/en
² ISO 26262 defines ’safety mechanisms’, a related albeit narrower concept for fault corrections of functional components [6].
[Figure 1: flowchart. Its lanes are labelled Associative Analysis, Causal Analysis and Safety Principles; its artifacts are the Observable Criticality Phenomenon CP, the Causal Relation (CR) for CP and the Safety Principles (SP) for CP. Steps and decision nodes as labelled in the figure:]
1. Identify & formalize CP: CP is associated with measured criticality (MC), define context of CP
2. CP associationally relevant: association with MC or expert-relevancy given? (has an exit branch)
3. CP novel: CP not yet explained by existing causal relations? (Q1; has an exit branch)
4. Causal modeling: Create causal relation that models causal understanding of emergence of CP & its effect on MC
5. Emergence of CP explained: predecessors of CP explain causal emergence of CP sufficiently? (Q1)
6. Emergence of MC for CP explained: CP explains causal emergence of MC sufficiently? (Q3)
7. CP causally relevant: causal effect of CP on MC high enough? (Q2; has an exit branch)
8. CR analysis: For all predecessors and successors of CP in CR identify & assign 1) causal effect strengths 2) controllability estimates (Q2)
9. Select candidate set of mitigation/prevention variables: Select candidate sets of variables with strength & controllability that require and allow for mitigation/prevention
10. Derive safety principles: derive safety principles for candidate set as interventions on mitigation/prevention variables (may exclude variables from ODD)
11. SP effective: intervention of SP reduces causal effect of CP on CM sufficiently? (Q4)
Fig. 1. The methodical part of the criticality analysis for unveiling causalities behind criticality and deriving
effective safety principles. Relevant steps are annotated with their respective causal queries Q1 to Q4.
Firstly, the causal relation is checked for plausibility: both in its assumptions on the emergence as well as its measurable effect. Afterwards, the causal effect of the CP on measured criticality is analyzed. If it is too low (e.g. due to a previously identified spurious association), we exit the analysis. If this is not the case, we are presented with a CP that is both warranted for mitigation or prevention as well as causally well understood. Hence, we analyze the causal relation w.r.t. the variables that are suitable candidates for mitigation or prevention, i.e. variables that are sufficient in causal effect and controllability at design- or runtime. Once candidate variables are identified, we derive SPs in the form of interventions. Finally, it has to be decided whether the causal effect is sufficient, otherwise the candidate variables need to be refined.
This process intentionally relies on causal language. We condense the causal queries to the
following four aspects and indicate which steps of Figure 1 require their evaluation:
Q1 The explanation of a CP by a set of predecessors in a causal relation (steps 3, 5)
Q2 The causal effect of a CP on criticality as measured by a suitable metric (steps 7, 8)
Q3 The explanation of measured criticality by a CP (step 6)
Q4 The causal effect of SPs on reducing measured criticality (step 11)
A central aspect of this work, which is presented in Section 3, is the formalization of these
queries using the framework of the do-calculus, as introduced in Subsection 2.2. In the remainder
of this introduction, we will provide an intuitive understanding of the queries using the previously
sketched example as well as motivate the need for their formalization and for causal inference.
Recall that we are investigating the CP reduced coefficient of friction, where we formalize the coefficient of friction 𝜇 being ’reduced’ as 𝜇0.4. Suspecting that a reduced coefficient of friction negatively impacts a vehicle’s maneuverability, we measure criticality by max(STN,BTN), the maximum of the Steer resp. Brake Threat Number [7, Section 5.2].
Assuming that the CP is novel (Q1), i.e. it is not sufficiently explained by some existing causal relation, e.g. for slick road surface, the analyst formalizes their understanding of the CP by causal assumptions on the emergence of a reduced road-tire friction and its impact on BTN and STN.
We can now use this model to answer causal queries. As a first step, it is imperative to validate the causal assumptions: does the model explain the presence of 𝜇0.4 within the population (Q1), e.g. by incorporating the influences of weather, temperature, vehicle dynamics and vehicle tires, appropriately? If so, we subsequently ask if 𝜇0.4 explains the increase of max(STN,BTN) to a satisfactory extent (Q3). If those queries have been investigated and successfully compared to acceptable thresholds, it is essential to understand the strength of the effect of a reduced coefficient of friction, i.e. 𝜇0.4, on criticality as measured by max(STN,BTN) (Q2). This gives us a notion of relevance – based on the amplitude of the causal effect, we can decide whether to further examine the CP.
Assuming relevance of the CP, if the queries have been investigated and successfully compared to acceptable thresholds, SPs that reduce the impact of reduced road-tire friction can be derived from this causal model. Causal theory provides us with formal tools for guiding such a process. By examining the strength of the causal effect of predecessor and successor variables of the CP on the CP resp. measured criticality in the causal model (Q2), we are able to identify suitable candidates. In our example, we may decide that the set of mitigation/prevention variables {precipitation, temperature} has a large effect on 𝜇 and is controllable in the sense that it can be excluded from the ADS’s operational design domain (ODD), i.e. the ADS shall not operate under those circumstances. A derived SP then defines value ranges for the identified variables. For example, the ADS shall not operate whenever precipitation 10 mm/h and temperature 0°C.
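The gap between the associational and the causal reading of Q2, and the evaluation of an SP as an intervention for Q4, can be made concrete on a toy model. The following Python sketch is an added example and not part of the paper: the binary variables W, R and C, the direct edge from W to C and all probabilities are constructed assumptions, and the ODD exclusion is modelled as do(W = 0).

```python
from itertools import product

# Constructed toy causal relation (not from the paper); all variables binary.
# W: rain at freezing temperature, R: reduced coefficient of friction (the CP),
# C: measured criticality max(STN, BTN) above some threshold.
PARENTS = {"W": (), "R": ("W",), "C": ("R", "W")}
# P(variable = 1 | parent values), keyed by the tuple of parent values.
CPT = {
    "W": {(): 0.3},
    "R": {(0,): 0.1, (1,): 0.8},
    "C": {(0, 0): 0.05, (0, 1): 0.15, (1, 0): 0.20, (1, 1): 0.40},
}

def topological_order(parents):
    """Return nodes parents-first; raise if the graph is not a DAG."""
    order, state = [], {}
    def visit(node):
        if state.get(node) == "done":
            return
        if state.get(node) == "open":
            raise ValueError(f"cycle through {node}")
        state[node] = "open"
        for p in parents[node]:
            visit(p)
        state[node] = "done"
        order.append(node)
    for node in parents:
        visit(node)
    return order

def joint(world, do):
    """Truncated factorization: an intervened node loses its own factor."""
    p = 1.0
    for var in PARENTS:
        if var in do:
            if world[var] != do[var]:
                return 0.0
            continue
        p1 = CPT[var][tuple(world[q] for q in PARENTS[var])]
        p *= p1 if world[var] == 1 else 1.0 - p1
    return p

def prob(target, given=None, do=None):
    """P(target = 1 | given, do(do)) by exact enumeration over all worlds."""
    given, do = given or {}, do or {}
    names = topological_order(PARENTS)
    num = den = 0.0
    for values in product((0, 1), repeat=len(names)):
        world = dict(zip(names, values))
        if any(world[k] != v for k, v in given.items()):
            continue
        p = joint(world, do)
        den += p
        num += p if world[target] == 1 else 0.0
    return num / den

def association():    # what a purely associational analysis reports
    return prob("C", given={"R": 1}) - prob("C", given={"R": 0})

def causal_effect():  # Q2: effect of the CP on measured criticality
    return prob("C", do={"R": 1}) - prob("C", do={"R": 0})

def sp_effect():      # Q4: ODD exclusion, modelled here as do(W = 0)
    return prob("C") - prob("C", do={"W": 0})

if __name__ == "__main__":
    print(f"association  {association():.3f}")
    print(f"causal (Q2)  {causal_effect():.3f}")
    print(f"SP gain (Q4) {sp_effect():.3f}")
```

With these constructed numbers the association between R and C is larger than the causal effect of R on C, because W influences both.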
SPs target the CP either by reducing its probability of occurrence or by mitigating its effects downstream. Note that this differs from defining SPs independently of CPs. Consider a SP that does not specifically target the causal relation for the coefficient of friction, but influences the BTN and STN such as ’always hold a minimum distance of 5 m to other traffic participants’. This SP reduces the BTN and STN as well, but is not based on specific causal findings. This is problematic as
(1) we have no guarantee about the generalizability of the SP to situations with similar causalities
(e.g. swerving on icy roads without other traffic participants),