As part of a climbing duo, having lost the route, we were stuck 300 m above the ground at the middle of a vertical granite cliff, hanging on a rope swinging in the wind. To find our way forward I had to continue climbing and leave her behind, alone, in the stand. Before leaving I checked her harness, the fixes, the ropes (she had two attached to the rock), the knots, the carabiners and the locks. Then I re-checked. I started climbing forward. After a couple of seconds I went back and attached her to the rock with one more additional rope. This was the first moment in our 5-hour climb when I felt she was safe.
About guarantees – Redundancy is at the heart of safety. This is true for climbing, true for the automotive industry and unquestionably true for self-driving. Automotive companies need new functionalities but also need safety guarantees. Innovative comfort and functional features are useless and valueless without such guarantees.
There are two kinds of guarantee: hard and soft ones. For example, while the (non-)existence hypothesis of obstacles in front of the vehicle should be 100% certain (hard guarantee), classification tasks could work with some uncertainty (soft guarantee). The vehicle must realize if something is (or isn’t) in front of it, but as long as it doesn’t hit the obstacle, it doesn’t really matter whether it stopped for a car or for a bus.
About self-driving systems – An autonomous vehicle relies solely on its own sensors to perceive the environment, and – from the system engineering perspective – is an open system receiving and reacting to unrestricted inputs from a world that is infinitely variable in terms of look and possible events. An open system requires a far higher level of safety certification than a closed one (a level that is challenging to achieve), or should be transformed into a closed system (i.e. with restricted inputs or with external, independent references supporting its sensing and decision making systems).
To simplify the situation, an autonomous car has two tasks: (a) Keep the car on the road; and (b) do not hit anything or anybody. Both require hard guarantees. Let’s see why redundancy is essential in the safe realization of these tasks.
Obstacle detection – Ideally, for obstacle detection one needs hard guarantees, i.e. an autonomous car should in theory be able to detect (the existence of) each and every possible obstacle in front of the vehicle with extremely high (100%) accuracy. While in the strict mathematical sense this might not be possible for an open system (a self-driving car cannot be transformed into a closed system unless we install radio transmitters into every object in the world, which is practically impossible), we still have to do our best to approximate the goal. The only way to do this is through sensory and algorithmic redundancy. The use of independent sensing technologies exponentially increases the obstacle detection confidence, to a level that is practically, economically and also in terms of development time impossible to achieve through the continuous perfection of a single sensor. For example, even in a not-so-extraordinary setup the use of 3 independent sensors – even if those are slightly correlated – could result in 1000-times higher detection confidence rates when compared to a single-sensor-based solution. There is no room to debate this issue.
Staying on the road – The problem of staying on the road and following lane markings is somewhat more difficult. Lane markings are best detected by cameras, and less characteristically are also visible in LIDAR data. The issue with live sensory data processing is that current algorithms either (a) struggle to give reliable numbers about their own detection accuracy (AI), or (b) are bad at rejecting false alarms (CV). As such, it is – currently – difficult to provide hard guarantees for such detection tasks without external references. In all measurement science the only way to increase the confidence of a measurement is to be able to compare the result to an independent reference, whether that is data from another sensor or from a theoretical model.
Currently, for lane detection – since in this case LiDAR and camera are highly correlated – the only such independent reference is an HD map. HD maps should be handled just as another sensor. They may contain errors. One should not rely solely on one or the other (HD maps or on-the-fly detection), but through continuous comparison of the two, functional and safe operation is easy to achieve. Furthermore, in this case a failure or error in the HD maps or in the cameras – since discrepancy between the two is evident immediately – will only result in limited/suspended operation and not an accident, as would be the case in a single-sensor setup.
Why redundancy and not fusion? – When two or more independent input (sensor) sources are available to a measurement system there are two ways to proceed: (a) Fusing all raw data at a low level and processing it as a whole, creating a single unified decision/detection. (b) Processing them independently, creating multiple hypotheses which are then combined into a final decision. While mathematically speaking approach (a) (fusion) could theoretically always result in better capabilities, it eliminates the notion of redundancy and is more sensitive to common failures. In contrast, approach (b) will always have limited capabilities, but provides a more robust and safer system with significantly fewer unsafe failure modes. For these reasons the automotive industry continues to prefer redundancy to fusion, as safety will always be the priority, not impressive but unsafe capabilities.
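How approach (b) behaves differently from approach (a) when one source is wrong, covering both the HD-map-versus-camera comparison of the previous paragraph and the redundancy-versus-fusion argument above. This is an added illustration, not code from the original post or from any vehicle stack: the lane estimate is reduced to a single lateral offset from the lane centre, the source names and tolerances are assumptions, and the decision policy (all sources agree: normal operation; an outlier exists: limited operation on the majority estimate; no majority or too few sources: suspended operation) is one concrete reading of "limited/suspended operation".

```python
from dataclasses import dataclass
from enum import Enum
from statistics import mean, median
from typing import Optional


class Mode(Enum):
    NORMAL = "normal"        # all references agree: full automated driving
    DEGRADED = "degraded"    # a reference disagrees: limited operation
    STOP = "stop"            # no trustworthy estimate: suspended operation


@dataclass(frozen=True)
class LaneHypothesis:
    source: str                         # assumed names: "camera", "lidar", "hd_map"
    lateral_offset_m: Optional[float]   # distance from lane centre; None = no estimate


def arbitrate(hypotheses, tolerance_m=0.3, min_agreeing=2):
    """Approach (b): each source yields its own hypothesis and the decision
    compares them instead of blending them.  Returns (mode, offset_m)."""
    valid = [h for h in hypotheses if h.lateral_offset_m is not None]
    if len(valid) < min_agreeing:
        return Mode.STOP, None                      # nothing to cross-check against
    # Largest cluster of mutually agreeing hypotheses (anchored on each source).
    best = []
    for anchor in valid:
        cluster = [h for h in valid
                   if abs(h.lateral_offset_m - anchor.lateral_offset_m) <= tolerance_m]
        if len(cluster) > len(best):
            best = cluster
    if len(best) < min_agreeing:
        return Mode.STOP, None                      # sources contradict each other
    estimate = median(h.lateral_offset_m for h in best)
    if len(best) < len(valid):
        return Mode.DEGRADED, estimate              # discrepancy is evident: limit operation
    return Mode.NORMAL, estimate


def fuse(hypotheses):
    """Approach (a), reduced to its essence: blend everything into one
    number.  A corrupted source shifts the result and nothing flags it."""
    valid = [h.lateral_offset_m for h in hypotheses if h.lateral_offset_m is not None]
    return mean(valid) if valid else None


if __name__ == "__main__":
    # Constructed inputs: a healthy frame, then one where the HD map is stale
    # (a lane shifted by roadworks, say) and reports an offset 2.5 m away.
    healthy = [LaneHypothesis("camera", 0.10), LaneHypothesis("lidar", 0.15),
               LaneHypothesis("hd_map", 0.05)]
    stale_map = [LaneHypothesis("camera", 0.10), LaneHypothesis("lidar", 0.15),
                 LaneHypothesis("hd_map", 2.50)]
    for label, frame in (("healthy", healthy), ("stale map", stale_map)):
        print(f"{label:10s} redundancy -> {arbitrate(frame)}   fusion -> {fuse(frame):.3f}")
```

On the stale-map frame the redundant arbitration returns DEGRADED with the camera/LiDAR estimate and the car limits its operation, whereas the fused estimate of about 0.92 m is simply wrong and carries no sign that anything failed; with only two sources (camera and map) that disagree, arbitration suspends operation rather than guessing, which is the "limited/suspended operation and not an accident" outcome the text describes.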