Providing the Safety Case: Deterministic or Stochastic?
Providing the structure in which a self-driving vehicle Safety Case can be made is the next challenge for the Government. It is the make-or-break for the entire industry.
In doing so, there are questions about the nature of safety to be answered. Or are there?
There are two ways to understand the risks that AVs face. A deterministic system is one that can be fully calculated, leaving no room for uncertainty, provided we have a precise model and sufficient computing power – once it is solved, we’ve got it. A stochastic system features inherent randomness: the deeper we dig, the more noise obscures the solution. The divide between the two polarises opinions as to the approach AV safety should take.
Understanding the AV System
As engineers, we need a solution that works for us, is simple, and is available today. Solving the problem begins with understanding the system. An AV operates in a closed loop with its environment. As Fig. 1 presents, there are four control layers to an AV: Sensing, Perception, Planning, and Actuation.
Sensing is collecting data about the environment, using radars, lidars or cameras, but also V2X connectivity.
Perception is about converting the raw sensor signal into a layout of the road situation: identifying the drivable surface, road signs, vehicles and pedestrians, with their positions and velocities.
Planning is about making tactical sense of the situation: predicting future positions, inferring the intentions of other road users, and finding a path that navigates the Ego Vehicle around the obstacles and towards the goal. This is the most distinctive challenge of AVs, as road autonomy is more complex than any other use case.
Actuation is about turning the plan into reality, controlling the energy, motors and servos to interact with the environment, but also sending V2X communication.
Deterministic Safety Analysis
The AV architecture visualisation allows us to break the AV safety problem into smaller, more digestible chunks. We can then employ very basic Failure Mode and Effect Analysis (FMEA) to come up with ‘what could go wrong’ scenarios. For example, a camera or lidar is susceptible to rain, dust, vibration, etc. Perception faults occur due to noise or erroneous readings, which are a function of environmental factors, and so on. Each of those affects the vehicle’s behaviour in a different way. Repeating the process for every component and every failure mode in a simulated environment completes the fault injection testing. For the most challenging layer, Planning, this means virtually testing thousands of road scenarios to ensure each of them is navigated correctly. This is Deterministic Safety Analysis (DSA).
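To make the fault injection step concrete, here is an added example (not code from the article or its author) of a toy closed-loop harness with the four layers described above. The sensor fault modes, the 40 m rain range cap, the 3 m vibration bias, the 6 m/s² braking figure and the 2 m planning margin are all constructed assumptions; the point is that the same fault is benign in one scenario and hazardous in another, which is exactly what a sweep over components, failure modes and scenarios is meant to expose.

```python
# Added example: a toy fault-injection (FMEA) harness over the Sensing -> Perception
# -> Planning -> Actuation loop. All figures below are constructed for illustration.

# --- Sensing: a lidar range measurement with injectable fault modes ---
def sense(true_dist_m, fault=None):
    """Return a range reading in metres, or None when the sensor sees nothing."""
    if fault == "rain_attenuation":      # heavy rain caps useful range (assumed 40 m)
        return true_dist_m if true_dist_m <= 40.0 else None
    if fault == "vibration_noise":       # mount vibration adds a +3 m bias (assumed)
        return true_dist_m + 3.0
    if fault == "dropout":               # sensor returns no data at all
        return None
    return true_dist_m                   # nominal behaviour


# --- Perception: turn the raw reading into a tracked object (or nothing) ---
def perceive(reading):
    return None if reading is None else {"distance_m": reading}


# --- Planning: brake once the object is inside the stopping envelope ---
def stopping_distance(v_mps, decel_mps2):
    """Kinematic stopping distance v^2 / (2a)."""
    return v_mps * v_mps / (2.0 * decel_mps2)


def plan(obj, v_mps, decel_mps2, margin_m=2.0):
    if obj is None:
        return "cruise"
    if obj["distance_m"] <= stopping_distance(v_mps, decel_mps2) + margin_m:
        return "brake"
    return "cruise"


# --- Actuation and environment: step the closed loop until stopped or collision ---
def simulate(v_mps, obstacle_m, fault=None, decel_mps2=6.0, dt=0.1):
    """Drive towards a stationary obstacle; True if the ego stops short of it."""
    v, dist = float(v_mps), float(obstacle_m)
    while v > 0.0 and dist > 0.0:
        cmd = plan(perceive(sense(dist, fault)), v, decel_mps2)
        if cmd == "brake":
            v = max(0.0, v - decel_mps2 * dt)
        dist -= v * dt
    return dist > 0.0


def run_fmea(speeds_mps=(10, 20, 30), obstacle_m=100.0):
    """Sweep every fault mode over every scenario; list the speeds that end in a collision."""
    faults = [None, "rain_attenuation", "vibration_noise", "dropout"]
    return {str(f or "none"): [v for v in speeds_mps if not simulate(v, obstacle_m, f)]
            for f in faults}


if __name__ == "__main__":
    for fault, collisions in run_fmea().items():
        print(f"{fault:18s} collides at speeds {collisions}")
```

Under these assumptions the sweep reports no collisions for the nominal sensor, a collision only at 30 m/s for rain attenuation (the obstacle is first seen at 40 m, inside the 75 m stopping distance), and collisions at every speed for the 3 m bias (it silently consumes the 2 m margin) and for dropout. Each failure mode therefore needs its own mitigation rather than a single blanket margin.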
Probabilistic Risk Assessment
However, we finished the list of threats with “etc.” – how can we be sure the list is complete?
Errors and faults that are obvious are not dangerous, simply because they can be fixed immediately. History shows that the real danger lies in small errors and omissions that managed to slip past the attention of multiple checkers. Such threats linger and wait for an unfortunate combination of conditions to trigger a failure. The probability of occurrence may be unimaginably low, but with the sheer number of miles driven each year, it is enough for the failure to occur many times a year.
Understanding the probabilities of the event sequences that lead to failures, and finding methods of identifying them, is Probabilistic Risk Assessment (PRA).
Implementing AV Safety
We have outlined the two opposite approaches and their use cases. The next step is to apply them to propose the Safety Case. But how much diligence is enough? How can we be sure the process is precise enough and complete? It never is.
The Law Commission report on self-driving cars suggests the creation of a public regulatory body that oversees AV safety. Ultimately, whether we will manage to capture every single threat to public health depends on the quality of the management structure that is to be proposed.
In order to handle epistemic uncertainty, that is ‘not knowing how much we know’, Fig. 2 outlines the known-unknown framework, with which one can picture the concept of unknown risks and how to handle them.
So, is the testing domain finite or infinite? Are AVs deterministic or stochastic?
As engineers, we do not need to know. Safety is the priority. In assuring safety, Probabilistic and Deterministic methods are interconnected. To visualise this, an overview of the DSA & PSA approach is presented in Fig. 3.
Written by: Dr Marcin Stryszowski – Lead Engineer
Please get in touch if you have any questions or have got a topic in mind that you would like us to write about. You can submit your questions / topics via: Tech Blog Questions / Topic Suggestion.