Inspite of sensors such as lidars offering an inventive approach to detecting anomalies while driving an autonomous vehicle, does vehicle intelligence extend to other unforeseen challenges to ensure complete vehicle safety?
Autonomous vehicle safety plays an essential role in the overall functioning of the navigation system. It is highly critical to have a robust and fool-proof safety system for a seamless driving experience.
Over the past couple of years, cars have undergone a lot of changes with respect to design that defines their navigation abilities. The initial L0 autonomy brought cars with minimal electronics. This feature required the driver to do everything. To improve it, L1 autonomy was introduced with adaptive cruise control (ACC) and lane-keeping assist (LKA).
Currently, L4 autonomy is the trending norm, which requires minimum human intervention. It has a restriction, though, in the form of autonomous activation only in certain geofenced areas. In the future, L5 autonomy will be prevalent whose attractive feature will be the ability to operate under any condition with the driver simply being optional.
These multiple stages of autonomy indicate that the level of transportation has gradually increased, allowing enhancements in security standards. With the imminent arrival of autonomous vehicles, the new standard needs to be even more robust to face any associated technical and regulatory challenges.
Automotive companies manufacture vehicles in compliance with the functional safety standard known as ISO26262. Although autonomy has significantly increased the safety level and ensured effective detection of any sensor failures for surrounding object localisation and categorisation, it remains a challenge with respect to minimising perception errors. Safety also plays an important role in ensuring that vehicle controls (engine, brakes, and steering systems) send out correct and timely actuator commands to the vehicle.
Functional safety only focuses on detecting system failures and reacting to them. But what about an unintended scenario caused not due to system failures but because of technological limitations in sensor performance or inadequate training datasets to address different operating conditions?
Due to extensive vehicle-to-vehicle (V2V) communication, vehicle-to-pedestrian (V2P) communication, or vehicle-to-infrastructure (V2I) communication, fleets and customers must be protected from cybersecurity attacks. Connectivity additions here include IT backend systems and control interfaces between connected vehicles and external information sources. People with malicious intentions have a considerable interest in attacking these platforms.
Verification and validation
It refers to measuring safety for a secure system and how far the validity can be given for it.
Proving customer safety
Before the on-road rollout of autonomous vehicles (AVs), customer safety should be subjected to rigorous testing. AVs are expected to reduce the crash rates, especially fatal ones, as compared to human-driven cars because machines operating them have less scope of errors. If AVs cannot justify this, there will be a significant setback to the adoption and rollout of AVs.
Current liability laws mandate manufacturers to be accountable for safety. Due to a steady shift in a vehicle’s operation from manual to autonomous, liability of the manufacturer is more than of the drivers. Developing unsafe products simply means that manufacturers have to be legally responsible for incidents involving their products.
Building AV conducive infrastructure
Here, the government has to closely monitor the development and evolution of AVs for determining impact on road infrastructure, cities, and communities.
These important points should be addressed before deploying AVs at scale on public roads.
Safety principles and strategies at design level
It is the ability to detect, diagnose, and safely mitigate a faulty automotive electrical and electronics (EE) condition, preventing potential fatalities.
It can be further divided based on the diagram shown in Fig. 1.
Malfunction of EE component. It comprises five scenarios:
- Unintended acceleration
- Unintended deceleration
- Unintended loss of acceleration
- Unintended loss of deceleration
- Unintended vehicle motion
For example, let us select unintended acceleration as a malfunction and work through the functional safety chain.
Hazard or unintended situation
Consider a situation where a car standing at a traffic light starts moving unintentionally into a crossing way, with crossing traffic, because of this malfunction.
Risk of harm/damage
After identifying the hazard, the next thing is to determine the risk factor based on severity, probability of exposure (likelihood of hazard), and controllability (how controllable the system is if a hazard occurs). External parameters such as vehicle speed, weather conditions, road conditions, and other driving situations also help determine the final risk factor.
Based on the above three parameters and any external information, the automotive safety integrity level (ASIL) rating is derived. It is on a five-point scale, going all the way from quality management to ASIL—A, B, C, D; defining the risk reduction measures for a particular function. Hence, the requirement for additional risk reduction measures increases as it goes from ASIL-A to ASIL-D.
While performing hazard analysis for the entire system, different ASIL ratings for different functions are obtained. On combining them only the highest one gets selected, which becomes the final ASIL rating of the system under consideration.
Safety of the intended functionality (SOTIF)
Functional safety sets the base for an overall safety strategy. But situations arising from technological limitations due to sensor performance constraints or inadequate datasets are not covered by functional safety. There are many uncertainties; functional safety is just not enough. This is where SOTIF comes into the picture. SOTIF guides automotive design, verification, and validation measures for achieving safety without failure.
SOTIF can be better understood by going through the divisions depicted in Fig. 2.
- Area 1 focuses on Known, Safe scenarios
- Area 2 focuses on Known, Unsafe scenarios
- Area 3 focuses on Unknown, Unsafe scenarios
- Area 4 focuses on Unknown, Safe scenarios
SOTIF’s goal is to maximise Area 1 and Area 4 for a safe system or function behaviour. It is also responsible for minimising Area 2 corresponding to known potentially dangerous behaviours. Some contributing measures for minimising are identifying where system/function improvements can be made, testing the overall system, and simulating the function in all scenarios.
Another goal is to minimise area 3 (unknown, unintended scenarios) to an acceptable level. Contributing measures for minimising it include endurance testing, driving test, close-course testing, and virtual simulation.
Extensive connectivity among automated driving vehicles, infrastructure, and pedestrians poses a challenge to protect fleets and customers from cyberattacks. The shift in vehicle autonomy from L2 to L3/L4 has made the automated driving functionalities critically reliant on external data that consists of sensor data, maps, localisation and positioning information. If the data integrity gets compromised, the automated driving function will use faulty data to manoeuvre the vehicle, resulting in inaccurate driving. With respect to cybersecurity, safety and security are tied in together. And it needs to be highly-robust.
Verification and validation of implemented design
In Fig. 3, the left-hand side is concerned with the design and requirement specifications. Verification of the safety requirements ensures that the known scenarios get covered. It may also lead to functional design improvements. Verification is an iterative process, which increases confidence in safety.
On the right side in Fig. 3 are different testing levels consisting of unit testing, integration testing (where different components are integrated), and vehicle level testing.
While the principle of safety by design is fundamental, it remains insufficient due to the inability to foresee unknown, unintended scenarios. Therefore, validation aims at confirming safety across both known and unknown scenarios with enough confidence.
Validation tests a verified automated system in uncertain scenarios that it would likely encounter with the help of closed-course testing or virtual environment simulation. Similar to verification, validation may also trigger changes to the functional design. It is also an iterative process and eventually increases confidence in safety.
Gearing up for the unanticipated
Thanks to the enhancements in electronics, especially sensors and computational systems, vehicle safety has witnessed a huge stride over the past few years. Although this has brought a great deal of comfort for people who drive, maintaining it in abrupt situations is quite challenging.
The good news is it can be reduced to a great extent by adhering to key safety principles that prove decisive in such conditions. Smart automotive safety can only be met when design and intelligence work hand-in-hand.
The article is based on the talk ‘Autonomous Vehicle Safety Overview – Challenges and Key Principles’ by Palak Talwar, Senior Safety Engineer, Lyft Level 5, which was presented at June edition of Tech World Congress 2021. It is prepared by Vinay Prabhakar Minj, a technology journalist at EFY.