Sensors such as lidar give a self-driving vehicle an innovative way of detecting anomalies on the road, but does vehicle intelligence extend to the other, unexpected challenges of ensuring complete vehicle safety?
Autonomous vehicle safety plays an essential role in the overall performance of the navigation system. A robust, fail-safe safety system is crucial for a smooth driving experience.
Over the past two years, cars have undergone many design changes that define their mobility capabilities. The initial level of autonomy, L0, brought cars with a minimum of electronics; the driver has to do everything. L1 autonomy improved on this with adaptive cruise control (ACC) and lane-keep assist (LKA).
Currently, L4 autonomy is the common norm, requiring minimal human intervention. It has a limitation, though: it can be activated only in geographically defined areas. In future, L5 autonomous driving will be prevalent; its attractive feature will be the ability to operate under any condition, with the driver being optional.
These successive levels of autonomy show that the degree of autonomy has increased gradually, allowing safety standards to improve along with it. With the imminent arrival of self-driving vehicles, the new standard must be even more robust to meet the associated technical and regulatory challenges.
Complexity management. Auto companies manufacture vehicles according to the functional safety standard ISO 26262. Although autonomy has significantly raised the level of safety and ensured effective detection of sensor faults when locating and classifying surrounding objects, minimizing perception errors remains a challenge. Safety also plays an important role in ensuring that the vehicle’s controls (engine, brakes and steering systems) send correct and timely operating commands to the vehicle.
Technological limitations. Functional safety focuses solely on detecting and responding to system failures. But what about an unintended scenario that is caused not by a system failure but by technological limitations in sensor performance, or by training data sets that are insufficient to cover the various operating conditions?
Electronic security. Because of intensive vehicle-to-vehicle (V2V), vehicle-to-pedestrian (V2P) and vehicle-to-infrastructure (V2I) communication, fleets and customers must be protected from cybersecurity attacks. The added connectivity here includes IT backend systems and the control interfaces between connected vehicles and external information sources. People with malicious intent have a great interest in attacking these platforms.
Verification and validation. This refers to the safety measures of a secure system and the extent to which they can be shown to be valid.
Customer Safety Proof
Before self-driving vehicles are put on the road, their safety for customers must undergo rigorous testing. Automated vehicles are expected to have lower collision rates, especially fatal ones, than human-driven vehicles, because the machines operating them have a lower margin of error. If autonomous vehicles cannot demonstrate this, their adoption and rollout will suffer a major setback.
Existing liability laws hold manufacturers responsible for safety. With the steady shift of vehicle operation from manual to autonomous, the manufacturer’s responsibility outweighs the driver’s. Put simply, manufacturers that develop unsafe products must be held legally responsible for accidents involving those products.
Building supporting infrastructure for vehicles
Here, the government has to closely monitor the development and evolution of autonomous vehicles to determine their impact on road infrastructure, cities and communities.
These important points must be addressed before autonomous vehicles are widely deployed on public roads.
Safety principles and strategies at the design level
Functional safety is the ability to safely detect, diagnose and mitigate a malfunctioning condition of the vehicle’s electrical and electronic (EE) equipment, preventing potential fatalities.
It can be broken down further as shown in Figure 1.
Malfunction of the EE component. It consists of five scenarios:
- Unintended acceleration
- Unintended deceleration
- Unintended loss of acceleration
- Unintended loss of deceleration
- Unintended movement of the vehicle
For example, let’s take unintended acceleration as the malfunction and work through the functional safety chain.
Hazard or unintended situation
Consider a vehicle stopped at a traffic light that, because of this malfunction, inadvertently begins to move into a crossing road that carries traffic.
Risk of harm
Once the hazard has been identified, the next step is to determine the risk factor from its severity, exposure (how likely the hazardous situation is) and controllability (how well the vehicle can be controlled if the hazard occurs). External parameters such as vehicle speed, weather conditions, road conditions and other driving conditions also feed into the final risk factor.
From these three parameters and any external information, an Automotive Safety Integrity Level (ASIL) rating is derived. It is a five-point scale running from QM (quality management) through ASIL A, B, C and D, and it defines the risk reduction measures required for a particular function. Hence the need for additional risk reduction measures increases as you move from ASIL A to ASIL D.
When the risk analysis is performed for the entire system, different ASIL ratings are obtained for the different functions. When they are combined, only the highest is selected, and it becomes the final ASIL rating of the system under consideration.
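As an added example (not code from the article or the talk), the following Python carries the risk-factor step through: it derives an ASIL from the three parameters using the ISO 26262 determination table (severity S0 to S3, exposure E0 to E4, controllability C0 to C3) and then takes the highest rating across several hazards as the system rating. The S/E/C values given to the sample hazards are constructed assumptions for illustration only.

```python
from dataclasses import dataclass

# Ordering used when picking the highest rating for the whole system.
ASIL_ORDER = ["QM", "A", "B", "C", "D"]

# ISO 26262-3 ASIL determination table. TABLE[S][E] holds the ratings
# for C1, C2, C3 in that order (S in 1..3, E in 1..4).
TABLE = {
    1: {1: "QM QM QM", 2: "QM QM QM", 3: "QM QM A", 4: "QM A B"},
    2: {1: "QM QM QM", 2: "QM QM A", 3: "QM A B", 4: "A B C"},
    3: {1: "QM QM A", 2: "QM A B", 3: "A B C", 4: "B C D"},
}

def derive_asil(s: int, e: int, c: int) -> str:
    """ASIL for one hazardous event from its S/E/C classification."""
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError(f"S/E/C out of range: S{s} E{e} C{c}")
    # S0 (no injuries), E0 (incredible exposure) or C0 (controllable in
    # general) needs nothing beyond normal quality management.
    if s == 0 or e == 0 or c == 0:
        return "QM"
    return TABLE[s][e].split()[c - 1]

@dataclass
class Hazard:
    name: str
    s: int  # severity 0..3
    e: int  # exposure 0..4
    c: int  # controllability 0..3

def system_asil(hazards):
    """Rate every hazard; the highest rating becomes the system's ASIL."""
    ratings = {h.name: derive_asil(h.s, h.e, h.c) for h in hazards}
    overall = max(ratings.values(), key=ASIL_ORDER.index)
    return ratings, overall

# Constructed sample hazards for the unintended-acceleration malfunction;
# the S/E/C values are illustrative assumptions, not from the standard.
SAMPLE_HAZARDS = [
    Hazard("creep into cross traffic from a red light", s=3, e=4, c=3),
    Hazard("surge while stationary in an empty car park", s=1, e=2, c=1),
    Hazard("surge in stop-and-go highway traffic", s=2, e=3, c=2),
]

if __name__ == "__main__":
    per_hazard, overall = system_asil(SAMPLE_HAZARDS)
    for name, asil in per_hazard.items():
        print(f"{name}: {asil}")
    print("system ASIL:", overall)
```

The traffic-light hazard from the text comes out at ASIL D on these assumed ratings, and that single highest rating sets the ASIL for the whole unintended-acceleration function.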
Safety of the Intended Functionality (SOTIF)
Functional safety lays the foundation for a comprehensive safety strategy. But situations that arise from technological limitations, whether in sensor performance or in insufficient data sets, are not covered by functional safety. There are many uncertainties, and functional safety alone is not enough. This is where SOTIF comes into the picture. SOTIF directs automotive design, verification and validation procedures so that safety is achieved even when no system failure has occurred.
SOTIF can be better understood by going through the sections shown in Figure 2.
- Area 1 focuses on known and safe scenarios
- Area 2 focuses on known and unsafe scenarios
- Area 3 focuses on unknown and unsafe scenarios
- Area 4 focuses on unknown and safe scenarios
SOTIF’s goal is to maximize Area 1 and Area 4, which correspond to safe system or functional behaviour. It is also responsible for shrinking Area 2, which corresponds to potentially dangerous behaviours. Contributing measures include determining where to make system or functional improvements, testing the overall system, and simulating the functionality in all scenarios.
Another goal is to reduce Area 3 (unknown and unsafe scenarios) to an acceptable level. Contributing measures include endurance testing, driving tests, closed-course testing and virtual simulation.
Extensive communication between autonomous vehicles, infrastructure and pedestrians makes it a challenge to protect fleets and customers from cyberattacks. The shift in vehicle autonomy from L2 to L3/L4 has made automated driving functions critically dependent on external data: sensor data, maps, and localization and positioning information. If the integrity of that data is compromised, the automated driving function will manoeuvre the vehicle on wrong data, resulting in incorrect driving. Safety and security are therefore linked, and the cybersecurity must be extremely strong.
Verification and validation of the implemented design
In Figure 3, the left side is concerned with the design and requirements specification. Verification of safety requirements ensures that known scenarios are covered. It may also lead to improvements in functional design. Verification is an iterative process that increases confidence in safety.
On the right side of Figure 3 are the different test levels: unit test, integration test (where different components are combined) and vehicle-level test.
While the principle of safety by design is essential, it remains inadequate due to the inability to anticipate unknown and unintended scenarios. Therefore, validation aims to confirm safety across both known and unknown scenarios with sufficient confidence.
Validation tests a verified automated system in the uncertain scenarios it may encounter, with the help of closed-course testing or virtual environment simulation. Like verification, validation may also bring about changes in the functional design. It, too, is an iterative process that eventually leads to increased confidence in safety.
Prepare for the unexpected
Thanks to improvements in electronics, especially sensors and computational systems, vehicle safety has made a major stride over the past few years. Although this has brought a great deal of comfort to people who drive, maintaining that safety in sudden, unexpected situations is quite a challenge.
The good news is that this risk can be greatly reduced by adhering to basic safety principles, which prove crucial in such circumstances. The safety of smart cars can only be achieved when design and intelligence work hand in hand.
The article is based on the talk “Autonomous Vehicle Safety Overview – Key Challenges and Principles” by Palak Talwar, Senior Safety Engineer, Lyft Level 5, presented at the June edition of the 2021 World Technology Conference. It was prepared by Vinay Prabhakar Ming, technical journalist at EFY.