Formalizing and Evaluating Requirements of Perception Systems for Automated Vehicles using Spatio-Temporal Perception Logic

A data-object stream $\mathcal{D}$ is a sequence of data-objects representing objects in the ego vehicle’s environment. Such data objects could be the output of the perception system, or ground truth data, or even a combination of these. The ground truth can be useful to analyze the precision of the output of a perception system. That is, given both the output of the perception system and the ground truth, it is possible to write requirements on how much, how frequently, and under what conditions the perception system is allowed to deviate from the ground truth. In all the examples and case studies that follow, we assume that we are either given the output of the perception system, or the ground truth – but not both. In fact, we treat ground truth data as the output of a perception system in order to demonstrate our framework. Interestingly, in this way, we also discover inconsistencies in the labels of training data sets for AV/ADAS (see Fig. 4).

We refer to each dataset in the sequence as a frame. In each frame, objects are classified and stored in a data-object. Data-objects are abstract because in the absence of a standard classification format, the output of different perception systems are not necessarily compatible with each other. To simplify the presentation, we will also refer to the order of each frame in the data stream as a frame number. For each frame $i$, $\mathcal{D}(i)$ is the set of data-objects for frame $i$, where $i$ is the order of the frame in the data-object stream $\mathcal{D}$. We assume that a data stream is provided by a perception system, in which a function $\mathcal{R}$ retrieves data-attributes for an identified object. A data-attribute is a property of an object such as class, probability, geometric characteristics, etc. Some examples could be:

• •

  by $\mathcal{R}(\mathcal{D}(i),id).Class$, we refer to the class of an object identified by $id$ in the $i$’th frame,

• •

  by $\mathcal{R}(\mathcal{D}(i),id).Prob$, we refer to the probability that an object identified by $id$ in the $i$’th frame is correctly classified,

• •

  by $\mathcal{R}(\mathcal{D}(i),id).PC$, we refer to the point clouds associated with an object identified by $id$ in the $i$’th frame.

The function $\mathcal{OI}$ returns the set of identifiers for a given set of data-objects. By $\mathcal{OI}(\mathcal{D}(i))$, we refer to all the identifiers that are assigned to the data-objects in the $i$’th frame. Another important attribute of each frame is its time stamp, i.e., when this frame was captured in physical time. We represent this attribute for the frame $i$ by $\tau(i)$.

Finally, we remark that in offline monitoring, which is the application that we consider in this paper, the data stream $\mathcal{D}$ is finite. We use the notation $|\mathcal{D}|$ to indicate the total number of frames in the data stream.

Throughout the paper, we will be using $\mathbb{N}$ to refer to the set of natural numbers and $\mathbb{R}$ to real numbers. In the following, for completeness, we present some definitions and notation related to topological spaces and the $S4_{u}$ logic which are adopted from Gabelaia et al. (2005) and Kontchakov et al. (2007). Later, we build our $MTL\times S4_{u}$ definition on this notation.

We denote $\mathbf{C}$ (closure) as the dual operator to $\mathbf{I}$, such that $\mathbf{C}X={\Large{\mathbb{U}}}-\mathbf{I}({\Large{\mathbb{U}}}-X)$ for every $X\subseteq{\Large{\mathbb{U}}}$. Below we list some remarks related to the above definitions:

• •

  $\mathbf{I}X$ is the interior of a set $X$,

• •

  $\mathbf{C}X$ is the closure of a set $X$,

• •

  $X$ is called open if $X=\mathbf{I}X$,

• •

  $X$ is called closed if $X=\mathbf{C}X$,

• •

  If $X$ is an open set then its complement $\overline{X}={\Large{\mathbb{U}}}-X$ is a closed set and vice versa,

• •

  For any set $X\subseteq{\Large{\mathbb{U}}}$, its boundary is defined as $\mathbf{C}X-\mathbf{I}X$ ($X$ and its complement have the same boundary),

Even though our work is general and applies to arbitrary finite dimensional spaces, our main focus is on 2D and 3D spaces as encountered in perception systems in robotics. In the following, the discussion focuses on 2D image spaces with the usual pixel coordinate systems. In Figure 2 left, a closed set is illustrated as the light blue region, while its boundary is a dashed-line in darker blue.

Note that even though Def. II.3 considers the coordinates over the reals, i.e., $\mathbb{R}^{2}_{\geq 0}$, in practice, the image space is defined over the integers, i.e., $\mathbb{N}^{2}$ (pixel coordinates). The topological space in Figure 2 consists of the universe which is all the pixels that belong to the whole 2D gray-rectangle and the closure operator that for any set of regions includes their edges. Assume that the left-upper corner of the image is the origin of the $x-y$ Cartesian coordinate system, and the $x-axis$ and the $y-axis$ are along the width and height of the image, respectively. This is the standard coordinate system in image spaces. Then, any pixel that belongs to the universe has an order with respect to the other pixels. For example, consider $X=X_{1}\cup X_{2}$ in Fig. 2, then all the pixels that belong to $X_{2}$ have higher orders than those in $X_{1}$.

In Def. II.4, the notation $2^{A}$ for a set $A$ denotes the set of all subsets of $A$, i.e., the powerset of $A$. In Figure 2, we have identified the left-most, right-most, bottom-most, and right-most elements of the set $X$ using the $\mbox{\footnotesize{LM}}(X)$, $\mbox{\footnotesize{TM}}(X)$, $\mbox{\footnotesize{RM}}(X),$ and $\mbox{\footnotesize{BM}}(X)$ function definitions. The right rectangle in Figure 2 is the tightest bounding box for the set $X$, and it can be derived using only those four points.

Next, we introduce the logic MTL$\times S4_{u}$ over discrete-time semantics. MTL$\times S4_{u}$ is a combination of Metric Temporal Logic (MTL) (Koymans (1990)) with the $S4_{u}$ logic of topological spaces. From another perspective, it is an extension to the logic PTL$\times S4_{u}$ (see Gabelaia et al. (2005)) by adding time/frame intervals into the spatio-temporal operators. Even though MTL$\times S4_{u}$ is a new logic introduced in this paper, we present it in the preliminaries section in order to gradually introduce notation and concepts needed for STPL. In this paper, we use the Backus-Naur form (BNF) (see Perugini (2021)) which is standard for providing the grammar when we define the syntax of formal and programming languages.

In the following, we provide the formal definitions for MTL$\times S4_{u}$. Henceforth, the symbol $p$ refers to a spatial proposition, i.e., it represents a set in the topological space. In addition, the symbol $\mathcal{T}$ represents spatial expressions that evaluate to subsets of the topological space. We refer to $\mathcal{T}$ as a spatial term.

In the above definition, the grammar for MTL$\times S4_{u}$ consists of two sets of production rules $\mathcal{T}$ and $\varphi$. The spatial production rule $\mathcal{T}$ in Def. II.5 contains a mix of spatial ($\bar{\;},\sqcap,\mathbf{I}$) and spatio-temporal ($\,\mathcal{U}^{s}_{\mathcal{I}},\bigcirc^{s}_{\mathcal{I}}$) operators. Here, $\overline{\mathcal{T}}$ is the spatial complement of the spatial term $\mathcal{T}$, $\sqcap$ is the spatial intersection operator, and $\mathbf{I}$ is the spatial interior operator. The $\,\mathcal{U}^{s}_{\mathcal{I}}$ and $\bigcirc^{s}_{\mathcal{I}}$ operators are the spatio-temporal until and the spatio-temporal next, respectively. Here, the subscript $\mathcal{I}$ denotes a non-empty interval of $\mathbb{R}_{\geq 0}$ and captures any timing constraints for the operators. When timing constraints are not needed, then we can set $\mathcal{I}=[0,+\infty)$, or remove the subscript $\mathcal{I}$ from the notation. Intuitively, the spatio-temporal until and next operators introduce spatial operations over time. For instance, the expression $p_{1}\mathcal{U}^{s}_{[1,3]}p_{2}$ computes the union over all sets resulting by the intersection of each occurrence of set $p_{2}$ at some time in the interval $[1,3]$ with all the sets $p_{1}$ up to that time (see Def. II.6 for more details). We refer to the spatio-temporal operators $\mathcal{U}^{s}_{\mathcal{I}}$ and $\bigcirc^{s}_{\mathcal{I}}$, as Spatio-Temporal Evolving (STE) operators. Also, we call a formula STE if it has STE operators in it. Similarly, we call a spatio-temporal formula Spatial Purely Evolving (SPE) if there is no STE operator in the formula. For more information refer to the (OC) and (PC) definitions by Gabelaia et al. (2005).

In the production rule $\varphi$ in Def. II.5, the spatially exists $\exists$ checks if the spatial term following it evaluates to a non-empty set. That is, $\leavevmode\resizebox{7.22743pt}{}{\framebox{$\exists$}}\;\mathcal{T}$ checks if there exist some points in the set represented by $\mathcal{T}$. In $\varphi$, except for the spatially exists $\exists$ , the other operators are the same as in MTL. That is $\neg$, $\wedge$, $\,\mathcal{U}_{\mathcal{I}}$ and $\bigcirc_{\mathcal{I}}$ are the negation, conjunction, timed until, and next time operators, respectively (see the review by Bartocci et al. (2010)). As an example of a simple formula in MTL$\times S4_{u}$, the expression $\leavevmode\resizebox{7.22743pt}{}{\framebox{$\exists$}}p_{1}\,\mathcal{U}_{[0.5,2.5]}\leavevmode\resizebox{7.22743pt}{}{\framebox{$\exists$}}p_{2}$ is true if the set represented by $p_{2}$ is nonempty at some point in time between $[0.5,2.5]$ and until then the set represented by $p_{1}$ is non-empty.

In the following, we define the bounded discrete-time semantics for MTL$\times S4_{u}$. The definition uses the spatial semantics of $S4_{u}$ while extending the temporal fragment (PTL) with time constraints over finite traces as in MTL. The semantics are defined over a data-object stream $\mathcal{D}$. However, for consistency with PTL$\times S4_{u}$, we will assume the existence of a spatio-temporal valuation function ${\Large{\mathfrak{U}}}:\Pi\times\mathbb{N}\rightarrow 2^{{\Large{\mathbb{U}}}}$ that associates with every proposition $p$ and time frame $i$ a subset of the topological space. In the definition of STPL in Section IV, the sets ${\Large{\mathfrak{U}}}(p,i)$ will correspond to identified objects in the environment, i.e., bounding boxes, bounding rectangles, or even regions in semantic segmentation. In this section, the the sets ${\Large{\mathfrak{U}}}(p,i)$ are just arbitrary subsets of the universe.

The valuation function ${\Large{\mathbb{V}}}$ definition is straightforward for the spatial operations, i.e., $\bar{\;},\sqcap,\mathbf{I}$; ${\Large{\mathbb{V}}}$ is just applying the corresponding set theoretic operations, i.e., $\bar{\;},\cap,\mathbf{I}$. The more interesting cases are the spatio-temporal ($\,\mathcal{U}^{s}_{\mathcal{I}},\bigcirc^{s}_{\mathcal{I}}$) operators. The spatial-next operator $\bigcirc^{s}_{\mathcal{I}}\mathcal{T}$ first checks if the next sample $(i+1)$ satisfies the timing constraints, i.e., $\tau(i+1)\in(\tau(i)+\mathcal{I})$, and if so, it returns the set that $\mathcal{T}$ represents at time $(i+1)$. The spatial until is a little bit more involved and it is better explained through derived operators. In the following, we define some of the commonly used derived operators:

• •

  The spatially for all operator $\forall$ checks if the spatial expression $\mathcal{T}$ represents a set which is the same as the universe: $\leavevmode\resizebox{7.22743pt}{}{\framebox{$\forall$}}\;\mathcal{T}\equiv\neg\;\leavevmode\resizebox{7.22743pt}{}{\framebox{$\exists$}}\;\overline{\mathcal{T}},$

• •

  The spatial union operator: $\mathcal{T}_{1}\sqcup\mathcal{T}_{2}\equiv\overline{\overline{\mathcal{T}_{1}}\sqcap\overline{\mathcal{T}_{2}}},$

• •

  The spatial closure operator: $\mathbf{C}\;\mathcal{T}\equiv\overline{\mathbf{I}\;\overline{\mathcal{T}}},$

• •

  The spatial eventually operator: $\Diamond^{s}_{\mathcal{I}}\;\mathcal{T}\equiv{\Large{\mathbb{U}}}\;\,\mathcal{U}^{s}_{\mathcal{I}}\;\mathcal{T}$,

• •

  The spatial always operator: $\Box^{s}_{\mathcal{I}}\;\mathcal{T}\equiv\overline{\Diamond^{s}_{\mathcal{I}}\;\overline{\mathcal{T}}}$.

Notice that in the definition of the spatial eventually operator, we used the universe set ${\Large{\mathbb{U}}}$ as a terminal even though the syntax in Def. II.5 does not explicitly allow for that. The universe (${\Large{\mathbb{U}}}$) and the empty set ($\emptyset$) can be defined as derived spatial expressions, i.e., ${\Large{\mathbb{U}}}=p\sqcup\bar{p}$ and $\emptyset=p\sqcap\bar{p}$. Therefore, if we replace ${\Large{\mathbb{U}}}$ in the definition of ${\Large{\mathbb{V}}}$ for $\,\mathcal{U}^{s}_{\mathcal{I}}$, we can observe that $\Diamond^{s}_{\mathcal{I}}$ corresponds to the spatial union of the expression $\mathcal{T}$ over the time interval ${\mathcal{I}}$.

Given the definition of the valuation function ${\Large{\mathbb{V}}}$ for QTTM, we can proceed to define the semantics of MTL$\times S4_{u}$. Recall that the valuation of spatial expressions returns sets from some topological space. On the other hand, MTL$\times S4_{u}$ formulas are interpreted over Boolean values True ($\top$) / False ($\bot$), i.e., the formulas are satisfied or are not satisfied. To evaluate MTL$\times S4_{u}$ formulas, we use a valuation function $[\![\varphi]\!]$ which takes as an input an MTL$\times S4_{u}$ formula $\varphi$, a data stream $\mathcal{D}$, a sample $i$, and a timestamp function $\tau$, and returns True ($\top$) or False ($\bot$).

Notice that the definitions of the propositional and temporal operators closely match the definitions of the spatial and spatio-temporal operators where set operations (union and intersection) have been replaced by Boolean operations (disjunction and conjunction). Therefore, similar to the spatial expressions, we can define disjunction as $\varphi_{1}\vee\varphi_{2}\equiv\neg(\neg\varphi_{1}\wedge\neg\varphi_{2}$), eventually as $\Diamond_{\mathcal{I}}\varphi\equiv\top\,\mathcal{U}_{\mathcal{I}}\,\varphi$, and always as $\Box_{\mathcal{I}}\varphi\equiv\neg\Diamond_{\mathcal{I}}\neg\varphi$. Finally, the constant true is defined as $\top\equiv\leavevmode\resizebox{7.22743pt}{}{\framebox{$\forall$}}\,{\Large{\mathbb{U}}}$.

Given a data stream $\mathcal{D}$, we assume that a tracking perception algorithm uniquely assigns identifiers to classified objects for all the frames (see the work by Gordon et al. (2018)).

In order to relax this assumption, we need to enable probabilistic reasoning within the spatio-temporal framework, which is out of the scope of this work. However, our framework could do some basic sanity checks about the relative positioning of the objects during a series of frames to detect misidentified objects.

This assumption is only needed for some certain types of requirements and for the rest it can be lifted.

We define syntax and semantics of Spatio-Temporal Perception Logic (STPL) over sets of points in topological space, and quantifiers over objects. We build a monitoring algorithm over TPTL, MTL, and $S4_{u}$ and show the practicality, expressivity and efficiency of the algorithm by presenting examples. This is a powerful language and monitoring algorithm with many applications for verification and testing of complex perception systems. Our proposed language and its monitoring algorithm are different than prior works as we discussed in the introduction (see also related works in Section VIII), and briefly summarized below. STPL

• •

  reasons over spatial and temporal properties of objects through functions and relations;

• •

  extends the reasoning of prior set-based logics by equipping them with efficient offline monitoring algorithm tools;

• •

  focuses on expressing functional requirements for perception systems; and

• •

  is supported by open source monitoring tools.

The syntax of STPL is based on the syntax of TQTL (Dokhanchi et al. (2018a)) and ${\mathcal{S}}4_{u}$ (Gabelaia et al. (2005)).

In the context of STPL, the spatial propositions are the symbols that correspond to objects or regions in the perception dataset. We use the function symbol $\mathcal{\sigma}$ to map these objects to their corresponding sets. Hence, the syntax of spatial terms $\mathcal{T}$ in STPL is the same as in MTL$\times S4_{u}$, but the function symbols $\mathcal{\sigma}$ replace the spatial propositions $p$. In addition, we add grammar support under production rule $\mathcal{A}$ for area computation for spatial terms. Area computation is needed in standard performance metrics for 2D vision algorithms, for example to compute union over intersection (UoI). In the same spirit, we can also support volume computation for spatial terms in 3D spaces.

For many requirements, we also need to access other attributes of the objects in the datastream, e.g., classes, probabilities, estimated velocities, or even compute some basic functions on object attributes, e.g., distances between bounding boxes. For usability, we define some basic functions to retrieve data and compute the desired properties. The functions which are currently supported are: object class ($C$), class membership probability ($P$), latitude ($Lat$) and longitude ($Lon$) coordinates of a point ($CRT$), area of bounding box ($Area$), and distance ($Dist$) between two points ($CRT$). We provide the syntax for using such functions under the production rule $\Theta$.

This set of functions is sufficient to demonstrate the generality of our logic. However, a more general approach would be to define arithmetic expressions over user definable functions which can retrieve any desired data from the datastream. Such functionality support is going to be among the goals of future software releases.

The syntax of STPL is substantially different from the syntax of MTL$\times S4_{u}$. In the STPL syntax, $x.\phi$ stands for the freeze time quantifier. When this expression is evaluated, the corresponding frame $i$ is stored in the clock variable $x$. The prefix $\exists id$ in the rule $\exists id@x.\varphi$ or the rule $\exists id.\varphi$ is the Existential object quantifier. When the formula $\exists id@x.\varphi(id)$ is evaluated, then it is satisfied (true) when there is an object $id$ at frame/time $x$ that makes $\varphi(id)$ true. The formula $\exists id.\varphi(id)$ is also searching for an object that makes $\varphi(id)$ true, but in this case we do not need to refer to the time that the object was selected. Similarly, the Universal object quantifier is defined as $\forall id@x.\phi\equiv\neg(\exists id@x.\neg\phi)$ or $\forall id.\phi\equiv\neg(\exists id.\neg\phi)$. The universal quantifier requires that all the objects in a frame satisfy the subformula $\varphi$. Notice that the syntax of STPL cannot enforce that all uses of time or object variables are bound, i.e., declared before use. In practice, such errors can be detected after the parse tree of the formula has been constructed through a simple tree traversal.

In contrast to MTL$\times S4_{u}$, the timing constraints in STPL are not annotating the temporal operators, but rather they are explicitly stated as arithmetic expressions in the formulas. For example, consider the specification “There must exist a car now which will have class membership probability greater than 90% within 1.5 sec”. With timing constraints annotating the temporal operators, the requirement would be:

Since STPL uses time variables and arithmetic expressions to express timing constraints, the same requirement may be written as:

The use of time variables enables the requirements engineer to define more complex timing requirements and to refer to objects at specific instances in time. The time, frame, and object constraints of STPL formulas are in the form of $\tau-x>r$, $\mathcal{F}-x>n$, and $id=id$, respectively. We denote $\tau-x$ and $\mathcal{F}-x$ to refer to the elapsed time and frames, respectively. Note that we use the same variable to refer to the freeze time and frame, but distinguish their type based on how they are used in the constraints ($\tau$ represents the current time, and $\mathcal{F}$ represents the current frame number). The operator $\%$ in the expression $\mathcal{F}-x\;\%\;c\sim n$ is used to specify periodic constraints. For reasoning over the past time, we added $\varodot$ (previous) and $\mathcal{S}$ (since) operators as duality for the $\bigcirc$ and $\,\mathcal{U}$ operators, respectively.

For STPL formulas $\psi$, $\phi$, we define $\psi\wedge\phi\equiv\neg(\neg\psi\vee\neg\phi)$, $\bot\equiv\neg\top$ (False), $\psi\rightarrow\phi\equiv\neg\psi\vee\phi$ ($\psi$ Implies $\phi$), $\phi\;\mathcal{R}\;\psi\equiv\neg(\neg\phi\;\,\mathcal{U}\;\neg\psi)$ ($\phi$ releases $\psi$), $\phi\;\overline{\mathcal{R}}\;\psi\equiv\phi\;\mathcal{R}\;(\phi\vee\psi)$ ($\phi$ non-strictly releases $\psi$), $\Diamond\psi\equiv\top\;\,\mathcal{U}\;\psi$ (Eventually $\psi$), $\Box\psi\equiv\neg\Diamond\neg\psi$ (Always $\psi$) using syntactic manipulation.

In general, the monitoring problem for STPL formulas is PSPACE-hard (since STPL subsumes Timed Proposition Temporal Logic (TPTL); see Markey and Raskin (2006)). However, there exists a fragment of STPL which is efficiently monitorable (in polynomial time).

The authors in Dokhanchi et al. (2016) presented an efficient monitoring algorithm for TPTL formulas with an arbitrary number of independent time variables. Our definition of AAN formulas is adopted from their definition of encapsulated TPTL formulas that are TPTL formulas with only independent time variables in them.

Before getting into the semantics of the STPL, we represent spatio-temporal function definitions that are used in production rules $\mathcal{A},$ and $\Theta$. The definitions of these functions are independent of the semantics of the STPL language, and therefore, we can extend them to increase the expressivity of the language.