Editor’s Note: This posts on autonomous vehicle development was originally published here by EE Times and written by Junko Yoshida. While this post was published in 2020, the content is still relevant to AV development in 2021.
How many safety standards does it take to screw in the lightbulb in a highly automated vehicle? A few years ago, automotive market novices would have said, “None.” These days, the number seems to keep increasing as the industry finally comes to grips with the technical challenges of producing demonstrably safe autonomous vehicles.
Driven by the winner-takes-all Internet platform business model, autonomous vehicle (AV) zealots were racing to develop the industry’s first robocar. Their goal was simple. Dominate the AV platform so completely that everyone else in the industry would be forced to follow and license.
Fast forward to 2020. The go-it-alone, my-way-or-the-highway approach is driving on fumes. In contrast to a few years ago, leading automotive OEMs, Tier Ones and tech suppliers including chip vendors are more engaged in forming industry-wide coalitions to develop AV standards that have safety considerations at their core.
Close to ten industry initiatives are in the works, seeking to address different aspects of AV safety. Prominent among them are the existing ISO 26262 and SOTIF, and the newly-published UL 4600.
So, does this mean the automotive industry is finally coming together? Perhaps.
Collaboration is a new and alien concept for participants in the auto industry. When it comes to safety standards, of course, “everyone has different opinions,” said Stefan Poledna, CTO of TTTech Auto, in a recent interview with EE Times, but “this is the general direction.”
The industry achieved Level 2 / Level 2+ autonomy so quickly that it vastly underestimated how much more difficult it would be to take the next leap to Level 3-5 technology. It has finally dawned on the AV industry that developing a safety-related computing system for Level 3-5 autonomy is “a grand challenge that shouldn’t be addressed by a single player, but in an ecosystem,” Poledna noted.
When an L3, L4 or L5 vehicle goes the wrong way on a one-way street, it’s no longer the driver who’s responsible — it’s the carmaker. Poledna, trumpeting the obvious, said, “That’s a big deal.”
New ISO standard on horizon
Remember SaFAD (Safety First for Automated Driving)? It turns out the white paper published last July by 11 industry leaders (Aptiv, Audi, Baidu, BMW, Continental, Daimler, Fiat Chrysler Automobiles, HERE, Infineon, Intel and Volkswagen) is on its way to becoming a new ISO standard.
The white paper outlined “a comprehensive approach to safety relevant topics of automated driving.” The objective of the publication, the authors said, “is to systematically break down safety principles into safety by design capabilities, elements and architectures and then to summarize the verification & validation methods in order to demonstrate the positive risk balance.”
The ISO accepted that premise, allowing the industry to develop this into an ISO standard.
But what does it take to turn a “comprehensive approach” into a workable ISO standard? We asked SaFAD member Intel.
Jack Weast, Intel senior principal engineer and vice president of standards at Mobileye, explained, “First, we take the original SaFAD paper, clean it up, get rid of any color commentaries and reformat the technical meat of the document into the ISO standard.”
Looking for a faster turnaround, Simon Fürst, principal expert autonomous driving technologies at BMW Group, who heads the committee, announced in a webcast called “The Autonomous,” that his group is shooting for mid-2020 to publish its ISO Draft Technology Report (DTR) 4804.
Weast described the DTR as the first step for ISO standardization.
Several auto industry sources told us the new ISO standard might be a step in the right direction, but the caveat is that it takes years before it becomes the final standard. Further, they said that they find it too generic and too high-level to help automotive OEMs in the short term.
Intel’s Weast acknowledged the scope of the [ISO] document is “pretty broad.” But Weast defended it as “a big umbrella” covering discussions of “How would you define, derive, develop and test an automated driving system end to end.”
Noting that the document offers “a useful structure,” Weast said, “We are obviously supportive of the safety by design principles,” and the document provides “a very well-thought-out way of doing things.” Weast added, “This is why it’s great to have an ISO document, which explains, ‘hey, here’s a good methodology in doing so.’”
‘The Autonomous’: Going one or two levels down
TTTech Auto, which specializes in safe software and hardware systems for advanced vehicles, launched the initiative called “The Autonomous” (the webcast was named after the initiative).
TTTech Auto’s CTO Poledna told EE Times that TTTechAuto is convening many players in the automotive ecosystem at its own event to “brainstorm and discuss” development of “a proving ground” for car OEMs, Tier Ones and chip vendors to test out the safety of their AV systems. “They need to have certain exchanges amongst themselves,” he said, at a time when everyone is struggling to figure out what it takes to bring L3 and L4 cars that are safe to the market.
Poledna said that The Autonomous is fully aware of the many approaches — including different computing architecture, software algorithms and sensor fusions — pursued by different companies to ensure safety.
That’s part of the reason for launching The Autonomous. TTTech Auto contends that players in the automotive industry need solutions much more specific, more concrete and quicker on the trigger. The aim of The Autonomous is to go one or two levels downs from the upcoming ISO DTR 4804 standard, to conceive “a reference design implementation” the AV industry can use.
The goal isn’t about picking the winning black box, though.
Instead of building AVs around black boxes, carmakers would like to be able to mix and match different modules from different suppliers — safety modules, ‘checker’ modules (as in a ‘doer-checker’ model), calculation modules, etc. Assume one OEM opts for a safety module from Supplier A, which bears no resemblance, posing critical compatibility issues, to a safety module from Supplier B? Poledna argued that the AV industry must have “a common understanding of what the safety architecture would look like.” The industry should have a common approach and common understanding on “interfaces” and “data structures,” he explained.
On one hand, the ISO standard deemed too generic. On the other hand, too many players in the AV industry are already implementing different safety solutions on their own. How does The Autonomous plan to succeed as a “middle ground” solution?
Poledna said, “If we agree on ‘doer-and-checker’ as a generally acceptable safety approach, I’d consider it as a huge achievement.” Further, he noted that he’d like to see the industry come to a collegial understanding on data structure, interfaces, and a definition of free space. The Autonomous is holding a series of workshops focused on such issues as computing architecture, AI, security and regulation. While encouraging participants to share best practices, the goal for The Autonomous group is to foster amity among key automotive players and publish documents and technical papers reflecting state-of-the-art solutions in the industry.
If The Autonomous is clicking one or two levels down from the ISO standard, Weast said that IEEE P2846, a group that Weast chairs, is boring down farther into the details, with specific focus on “a very narrow area of decision-making capability.”
The benefit of being narrowly-focused is that “we can go much deeper,” he explained. In examining the decision-making process, “we also look at ‘what kinds of assumptions we’d make about other road users,” he said. Depending on the city where an AV is driving or on a situation (an intersection with an occluded view, for example), knowledge of the assumptions that apply in those specific cases is essential to creating a safety model for a decision-making block.
While the IEEE P2846 is focused on that decision-making block, AV safety standards in the end are likely to require close to a dozen different technical blocks for the industry to define and implement safety, Weast speculated. “We will need, for example, a safe operation block,” which could be addressed by ISO 26262 and SOTIF standards, for example. Others include a behavior and traffic block, “which maps well with what IEEE P2846 offers,” and things like a data recording block.
It is clear that “standards and interoperability are essential” to enable an ecosystem on which an entirely new market like AV can be built, Weast explained. However, he acknowledged that setting industry standards is always a balancing act. You need to create a robust market, but companies must feel free to differentiate.
Asked on what specific technologies the AV industry must come to agree, Weast said, it’s something — from different suppliers when made commonly available — that will benefit everyone and lift all boats equally.
Take, for example, IEEE P2846.
If AV companies can’t agree on what safety means (including a safe distance between cars, for example), they won’t be able to make convincing arguments to government regulators for the safety of autonomous vehicles, he explained. The same goes for operational design domains (ODD). If a common template isn’t applied to define ODD, the industry can’t explain what exactly a certain vehicle is capable of doing where, in what conditions.
Despite an epidemic that prevents many standards organization members, including IEEE P2846 members, from traveling, Weast said the group still wants to complete its draft by the end of this year or by early 2021.
To expedite the process, the group has broken the work into four subgroups. One is identifying safety-related scenarios in which there are assumptions about other road users. Another is examining the attributes of safety models used within decision making. The third group is aligning definitions and taxonomy with those used by other standards as the best possible. The fourth group is documenting how the standard fits or complements other standards, “so that we can resolve some confusion and questions” about IEEE P2846, explained Weast.
A bit of the good news on IEEE P2846 is the election, added Weast. While Weast is the chair, the group elected a person from Waymo to be the vice chair and an Uber representative as secretary. For Waymo, this is a first; until now the company has opted to go it alone. “We now have a good representation from the chip industry, companies in the mobility as a service business, to car OEMs, Tier Ones and robotics companies,” said Weast.
Its 20 members include: Aptiv, ARM, Baidu, Denso, Exponent, Fiat Chrysler (FCA), Google, Huawei, Horizon Robotics, Infineon, Intel, Kontrol, National Taiwan University, Nvidia, NXP, Qualcomm, Uber ATG, Valeo and Volkswagen.
Instead of prescribing how to do safety by following certain steps, UL 4600 offers a guide to “build the safety case” for an AV design, according to Phil Koopman, CTO of Edge Case Research, one of the authors of the standard. Acknowledging that no single standard can solve the world’s autonomous product problem, the authors of UL 4600 have fixed a starting point by asking autonomous product designers to make a safety argument.
Koopman stressed that Underwriters Laboratories created a diverse body of international stakeholders on its Standards Technical Panel (STP) to develop the document. The STP consists of 32 members with voting rights, including representatives of government agencies, academia, autonomous vehicle developers, technology suppliers, testing & standards organizations and insurance companies. Its STP members include: Uber, Nissan, Argo AI, Aurora Innovation, Locomotion, Zenuity, Intel, Infineon, Bosch, Renesas, Ansys, Liberty Mutural, AXA, US Department of Transportation, and others.