This is a guest post from Steve Neemeh, LSS President and Chief Solutions Architect, LHP Engineering Solutions. It originally appeared on the LHP blog. LHP is a partner of Jama Software.
Self-driving vehicles are coming. There’s a certain sense of inevitability. Mentions appear almost daily in the news with players such as Tesla, Uber, Google/Waymo, and Apple spending millions on development. Yet the public is uncertain of the value and safety of such vehicles.
If autonomous vehicles (AVs) are to find acceptance, the industry must produce vehicles worthy of trust. The characteristics on which trustworthiness depends, and the path for trustworthy AV development, are described below.
The Value of AVs
Just because such vehicles may be possible, is this evolution a good (or, the right) thing to do?
If implemented correctly and carefully, the move to fully-autonomous vehicles can provide real gains for society.
Highway safety – Automakers and civil engineers have made great strides in past decades in reducing highway injuries and deaths. Today’s cars include crumple zones, airbags, collapsible steering columns, and anti-lock brakes. Roadways have improved-traction surfaces, energy-absorbing barriers, and better signage and alert systems. The driver, however, remains the largest contributor to highway fatalities in the U.S. with 30% due to excessive speed, 30% from driving under the influence, and 16% attributed to distracted driving.
In the AV world, vehicles do not suffer from a human driver’s inattention, bad attitude, or inebriated operation. Instead, vehicles are under constant electronic guidance, in continual communication with the supporting infrastructure (e.g. GPS), and in a perpetual state of monitoring surrounding vehicles, obstacles, and environmental conditions. Vehicles, as a group, maintain proper positions and adequate spacing, resulting in significantly fewer injuries and deaths.
Traffic flow and roadway capacity – Highways and city streets can be expanded only so much to accommodate growing populations. AVs can make better use of available roadways.
In slow-moving traffic, human drivers tend to be selfish and jam too tightly together (“If I leave three car lengths open, everyone will pull in front of me”); yet, that space is exactly what is needed to allow more freedom to enter a freeway and to change lanes. AVs take the emotion out of driving decisions. On open, flowing highways, the safe following distance for human-operated vehicles could be reduced by a factor of five or more for AVs in close communication, thereby allowing more vehicles per mile.
Energy consumption – With communication between vehicles, the need to brake by one AV could be signaled to those nearby, allowing the group to slow as a whole and avoid the accordion effect which afflicts human-driven cars. This sort of coordinated action enables smoother transitions in speed and better energy usage.
Transport availability – Though services such as Uber and Lyft can provide door-to-door transportation for those unwilling or unable to drive, they do not always fit the situation. AVs can carry young teenagers to their destination without parents worrying about the integrity of a service driver. For people with physical limitations (blindness; health problems; physical disability), the AV can provide transport that is both familiar and appropriately outfitted to suit any special needs.
Simple convenience – The AV eliminates the need to drive. Passengers work or socialize as the vehicle moves along. Shoppers step out at the front of the store while the vehicle searches out a parking space on its own.
Though today’s consumers recognize the potential advantages of AVs, they are still cautious. Recent surveys (in 2017 and 2019) by the American Automobile Association showed that 55% of U.S. drivers feel that most cars will have the ability to self-drive by 2029. Yet, today, over 70% fear riding in a self-driving car and 54% feel that their safety is at risk if sharing the road with AVs. In a 2017 survey, insurer AIG found that over 70% of U.S. respondents had concerns about AV security (hackers taking control of vehicles) and privacy (loss of personal data).
As with previous technological evolutions, AVs cannot be pushed on the public; instead, people must find enough comfort to accept or even demand new devices, especially when their safety is involved.
Elisha Otis installed the first passenger elevator in 1857. It was more than a decade before potential passengers exhibited significant trust, even though early elevators were manually controlled by a human operator who opened and closed the doors, put the car in motion, and brought it level with the floor where people were to exit. The driverless elevator was created in 1900, yet it was the 1940s before it started to see wide acceptance.
Trust in elevators was built slowly with the addition of various devices intended to ensure safety (springs and latches that would catch a falling elevator; interlocks on doors preventing opening onto empty shafts) and comfort (a soothing voice issuing from speakers to calm the nervous rider).
Self-driving cars will likewise require demonstrations of safe operation, time, and familiarity to find trust and acceptance.
The process has already begun with the current rollout of driver assistance features such as lane departure warnings, adaptive headlights, and collision avoidance systems. Continued incremental steps will further enhance driver/passenger confidence in the technology’s abilities.
Another stage may be demonstration of AV performance in closed environments such as providing public transportation at airports or on a university or commercial campus.
A good user interface may also help. Studies at Intel, Stanford, and Northwestern University all suggest that trust is improved by visual or audio feedback. Passengers find more faith in the AV’s competence if the vehicle advises why it is taking specific actions (such as voice announcing that the vehicle is slowing for a pedestrian).
Unfortunately, trust is hard-won and easily lost. Two high-profile fatal accidents in 2018 involving self-driving technology raised immediate concerns in the minds of the public and governments.
Vehicles Worthy of Trust
To avoid such incidents and maintain growth in public acceptance, the makers of AVs must build systems that are worthy of trust.
This autonomous evolution is much more complex than previous technological advancements. AVs must be able to detect and respond to numerous factors including obstacles, traffic signals, and weather conditions. Humans can distinguish between a tumbleweed and a child entering the road, and can contend with other vehicles which might or might not be self-driving. Autonomous systems, on the other hand, are much better at optimizing the driving experience to vastly increase efficiency and safety. For example, the safest distance for following a vehicle is where the second one is nearly touching the bumper of the one in front of it. This level of driving accuracy cannot be achieved reliably with humans but may well be within the realm of possibility for autonomous systems. Even so, it is an enormous undertaking to place such responsibility and discretion into an electronic system with expectations of safe, lightning-fast, dependable decisions.
This AV trustworthiness requires holistic consideration of five characteristics:
Safety – Ensures that a system operates without unacceptable risk of physical injury or damage to the health of people.
Security – Protects a system from unintended or unauthorized access, modification, or misuse.
Reliability – The ability of a system or component to perform its required functions under stated conditions for a specified time duration.
Resilience – The ability of a system or component to maintain an acceptable level of service in the face of disruption. The main purpose of resilience is to prevent or at least reduce any serious impact of a disruption to the system by damage or loss of operation.
Privacy – Protects the right of individuals to control or influence what information related to them may be collected and stored and by whom and to whom that information may be disclosed.
These elements are generally considered as separate specialties, but should be engineered and managed as one integrated discipline because, if one piece is compromised, the overall integrity and trustworthiness of the system are undermined.
Convergence, Standardization, and Legislation
Work is progressing on each of the five characteristics to varying degrees but, unfortunately, in independent silos and in somewhat disparate directions. Though initial divergence is common with new technologies, the industry must begin to converge and standardize.
The airline industry and railroad systems both have strict standards and regulatory bodies. Automated highway vehicles must reach the same level. Currently, the industry has reached no agreement on conditions, abilities, or baselines that must be in place before an autonomous/connected vehicle is placed on the road.
A start has been made. ISO 26262 (Road Vehicles – Functional Safety) defines a process that will lead to high quality (trustworthy) results IF and only IF the industry can define the boundaries and requirements to be achieved. In autonomous driving, the variables and scenarios may number in the billions and are potentially non-static if artificial intelligence is used in design.
In addition, two new standards are under development:
- ISO 21434 (Automotive Cybersecurity) which builds on, and works in concert with, SAE J3061 (Cybersecurity Guidebook for Cyber-Physical Vehicle Systems)
- ISO/PAS 21448 (Road Vehicles – Safety of the Intended Functionality, or SOTIF) that attempts to provide guidance on design, verification, and validation measures to avoid risks resulting from functional insufficiencies and foreseeable misuse.
If the industry cannot move itself to effective standardization, the combined action of litigation, liability, and/or government regulation will likely intervene. This has happened before. Ralph Nader’s “Unsafe at Any Speed”, his 1965 commentary on the automotive industry’s lackadaisical approach to safety, caused a public uproar which led to the passage of seatbelt laws across the U.S. For AVs, a lack of convergence and standardization could likewise lead to design by legislation.
Ecosystem for Trustworthy AV Development
LHP Engineering Solutions provides expertise to the automotive industry on topics including embedded controls, telematics, and data analytics. LHP has defined an ecosystem consisting of seven necessary focus areas that, if pursued together, will place the development of autonomous vehicle technologies on the right track regarding safety, standardization, and automation.
AUTOSAR (AUTomotive Open System ARchitecture) – Founded in 2003, AUTOSAR is a “worldwide development partnership of vehicle manufacturers, suppliers, service providers and companies from the automotive electronics, semiconductor and software industry.” The association aims to standardize the software architecture for automotive electronic control units. This creates the opportunity to automate software testing which should result in improved software quality and reliability.
Functional Safety – Safety in autonomous driving is of the utmost importance and is key to trustworthiness. Functional Safety relates to a system or its components operating correctly in response to inputs, including the detection, mitigation, and/or correction of malfunctions.
Cybersecurity – Trustworthiness cannot be realized without a strong foundation in cybersecurity. Though systems may be designed for safety, resilience, and reliability, the public may experience havoc and hazards if those systems are compromised by a malicious series of attacks. Cybersecurity provides the basis for assuring the integrity of the safety, reliability, resilience, and privacy characteristics of automotive systems.
Model-Based Development – Simulation of on-road vehicle scenarios is essential to validation of self-driving vehicles. Developing software to simulate real-life environments allows testing to be done on the computer rather than on the road.
Application Lifecycle Management – ALM encompasses the methods and processes through which software is developed, managed, and controlled. A well-defined ALM system ensures that the development team is efficiently working toward a common goal and that the end user receives software suited for the purpose intended.
Test Systems – With millions of lines of code in AVs, establishment of automated testing systems and processes will be crucial considering the safety-critical environment.
Analytics – Vehicles communicating with each other and back to the design team will produce large amounts of data. Analytics incorporates the storage and interpretation of data and identification of consequential patterns.
Mankind can gain value from AVs, but only if the public perceives that the benefits outweigh the costs and potential hazards. Trust will be central to public acceptance.
To gain that trust, the industry must understand the characteristics of trustworthiness and should align on an ecosystem that can produce vehicles worthy of trust.
Please contact LHP Engineering Solutions, a Jama Software partner, for more information on how it can help your organization prepare for the future of the automotive industry.
- Trustworthiness and the Autonomous Vehicle with the LHP Ecosystem - October 22, 2019