Andrew Backhouse, a technical specialist in collision-avoidance threat assessment at Zenseact, discusses how to use validator design and SoTIF processes to address the million miles problem, ahead of his presentation on the same theme at the ADAS & Autonomous Vehicle Technology Expo California Conference, which takes place September 20 & 21, 2023, in Santa Clara.
After completing his PhD on video and image processing in 2010, Andrew has worked in the automotive industry on decision and control algorithms for active safety. Initially he worked at Volvo Cars on the design and implementation of the collision avoidance algorithms that handle intersection scenarios and scenarios with multiple targets. Since then he has worked on algorithms to ensure that a vehicle drives defensively, designed and developed functional safety concepts and SoTIF concepts for both perception and decision and control, and applied accidentology to prioritize and plan Zenseact’s active safety development.
Describe your presentation.
The “million miles problem” is not unique for AD design. It is an issue for ADAS too. Autonomous emergency steering (AES) and autonomous emergency braking (AEB) have the potential to cause harm and these faults cannot be addressed by functional safety alone. Perception and decision algorithms which are insufficiently robust can lead to hazardous situations. We will present validator concepts which can be used to design more robust ADAS. We will then also present how one can iterate the design to minimize the risk of functional insufficiencies and build an argument to motivate that the systems are safe.
What do you mean by the million miles problem, and how exactly does it relate to ADAS?
In the US in 2013 there were 1.23 injuries for every million miles driven. The risk of an injury being partially attributable to the poor performance of an ADAS system shall be negligible in comparison. ADAS systems have the capability to perform evasive maneuvers which, if performed at an inopportune moment for too long a duration, can be hazardous. For example, an unmotivated AEB intervention in an intersection could lead to a side collision. An AES intended to prevent a vehicle from drifting into oncoming traffic can be hazardous if it is triggered while overtaking a cyclist. To argue that an ADAS system is sufficiently robust against all edge cases requires either millions of miles of driving or alternatively a persuasive argumentation that allows one to extrapolate that the requirements will be met from much less data.
How are you approaching this problem – how does SoTIF help?
The SoTIF standard exists to help eliminate insufficiencies in the functional design which can lead to hazardous behaviour. For ADAS systems, the duration of undesired behaviour is a key factor in determining how hazardous the behaviour is. For example, an unmotivated AEB intervention which lasts less than 0.1 second is less hazardous than an unmotivated AEB intervention which is longer. This means that very short unmotivated interventions can be tolerated more frequently than slightly longer interventions.
We will present a validator concept which is designed to prevent prolonged unmotivated interventions. The validators look retrospective at the output from individual system elements and judge whether they were sufficiently accurate based on updated information. If the initial understanding of a scene which triggered the intervention is invalidated, then an appropriate countermeasure can be taken. By judging estimates and decisions retrospectively, more data is available to determine if the system elements behaved as intended. The validators act as safety mechanisms but have an additional purpose to work as onboard functional-insufficiency detectors. Whenever the output from a system element is invalidated, the scene can be analyzed to understand why this occurred and this knowledge can be used to improve the system.
How important are tolerant time intervals in SoTIF?
ISO 26262, the automotive standard for functional safety, describes fault tolerant time intervals as the minimum time span from the occurrence of a fault to a possible hazardous event if the safety mechanisms are not activated. In the SoTIF standard there is no equivalent concept for the activation of functional insufficiencies. However, understanding the importance that duration has on the risk of an unmotivated intervention is important. If one treats all unmotivated interventions as equally hazardous regardless of duration, then this places unnecessarily tough requirements on the system. The fact that short interventions are less hazardous provides an opportunity when designing the system. Mechanisms can be designed to detect the activation of a residual functional insufficiency and recover from an ongoing intervention within an appropriate time interval.
How do you use event scanners and tail distributions in the verification and validation of ADAS?
To be confident that the risk of hazardous behaviour is sufficiently small, one needs to be aware of any residual insufficiencies in the system and know that the system is sufficiently robust against them. The event scanners are used to identify the insufficiencies. Tail distributions are used to determine whether the system is sufficiently robust against the residual insufficiencies.
To understand the risk of rare events it is natural to represent the events in a distribution and then study the tail of the distribution. By fitting a model to the tail of the distribution it is then possible to estimate the risk of rare events. It is possible to apply this methodology to understand the risk from residual insufficiencies. During the operational phase, if one has field monitoring capability, one can analyze the tail distribution of the intervention duration. The events with longest duration correspond to insufficiencies which the system is the least robust to. The shape of the tail is informative when judging whether the system is sufficiently robust against these insufficiencies.
What is the key message you wish to convey to the audience in Santa Clara?
Understanding how the duration of an unintended behaviour impacts risk is an important consideration when designing an active safety system. The slower that risk increases, the more opportunity there is to correct behaviour before it leads to unacceptable risk. We present an approach using validators to retrospectively judge whether correct decisions have been made.
During the operational phase it is necessary to have a field monitoring process in place to monitor any residual insufficiencies. When selecting which of the incoming events to analyze in depth, the duration of the unwanted behaviour and the duration of functional insufficiencies should be one of the key selection criteria.
Don’t miss Andrew’s presentation, which is part of the ‘Strategies, innovations and requirements for the safe deployment of ADAS and autonomous technologies’ session, taking place on Day 1 (Sept 20) of the conference (rates apply), alongside the free-to-attend ADAS & Autonomous Vehicle Technology Expo California.