Written by László Katona / Posted at 4/30/19
Open standards for safe automated driving
Standardization has always been a core method of increasing safety. Standards serve as a snapshot of the state-of-the-art technologies of a period and, in the automotive industry, define a minimum set of activities for delivering safe and reliable systems. Standardization also increases trust by defining a unified approach to a problem through the collaboration of industry experts in a transparent way, for the benefit of the general public.
Countless standards in the automotive industry define the processes for designing and manufacturing a new product or vehicle. Naturally, these traditional standards are constantly evolving, incorporating the latest technological advancements. Nevertheless, the advent of automated driving has presented a new set of challenges, some of which these traditional standards simply are not equipped to solve. One example is the “ingenuity” with which drivers have circumvented the safety measures built into driver assistance systems, as in the video below.
Reacting to the misuse of automated systems, the automotive industry is now working to define a framework for the development, verification, and validation of ADAS and highly automated functionalities. The result is the Safety of the Intended Functionality (SOTIF) working group, which is developing the ISO 21448 standard (currently published as ISO/PAS 21448, a publicly available specification).
Over 80 automotive industry experts from 18 countries are working to provide guidance for the design, verification, and validation of SAE Level 1 and 2 ADAS solutions. The goal is to identify behavior that could be hazardous in non-fault conditions, i.e., when nothing in the system is broken. The standard examines two sources of such hazards, technical limitations of the system and the boundaries of its operational domain, alongside the possibility of foreseeable end-user misuse.
While the work being done in the working group is invaluable to the deployment of self-driving technologies, SOTIF (ISO/PAS 21448) has its limitations. The other fundamental standard for automated driving, and for the whole automotive industry, is ISO 26262, which defines functional safety analysis, risk management, and verification and validation methods for hazards caused by malfunctioning electrical and electronic systems.
SOTIF builds on a different mentality and follows a different approach from ISO 26262, and it contains fewer quantitative measures. At AImotive we feel there is demand in the safety-centric automotive industry for quantitative metrics, because without them SOTIF, in its current form, is more difficult to apply to particular problems.
Furthermore, as SOTIF does not define the exact work products that the development process must produce, a product’s compliance with the standard cannot be demonstrated in a straightforward way, whereas ISO 26262 provides direct criteria for establishing compliance. And since ISO 26262 and SOTIF cover closely interconnected areas, the requirements of the two standards are at times difficult to distinguish.
Such gaps are to be expected in a developing standard. The main goal is to create systems that are as safe as possible, in other words, to avoid or mitigate the effects of foreseeable risks.
At AImotive we have always believed in an approach that resonates with the fundamentals of SOTIF. Since work began on our self-driving software, aiDrive, we have had a team of automotive functional safety engineers working to mitigate the hazards of functional limitations or foreseeable misuses. As a result, safety aspects have been integrated into our development processes in the form of requirement definitions from the earliest phases of development.
We also have a strong scenario- and use-case-based approach to development, a trait shared with the developing SOTIF standard, as is our reliance on simulation as a tool for the verification and validation of self-driving solutions. Our engineers and development teams have reaped the benefits of having our purpose-built simulator, aiSim, readily available to test the newest code. Quick iteration and test-driven development, supported by an array of varied and changeable scenarios, is a vital element of the SOTIF mentality.
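To make the non-fault hazard idea concrete, here is an added illustration of what a scenario sweep in the SOTIF spirit looks like. It is example code written for this page, not AImotive code and not part of aiDrive or aiSim, and every parameter in it (sensor range, deceleration, latency, the visibility model and the declared ODD limits) is an assumption chosen for illustration. An emergency-braking function is swept over speed and visibility; no component ever fails, yet the grid shows scenarios inside the declared operational design domain (ODD) where the intended functionality is insufficient, and derives the speed restriction that would close that gap.

```python
"""
Scenario sweep in the spirit of a SOTIF (ISO/PAS 21448) analysis for an
emergency-braking function. Added example, not AImotive code and not part of
aiDrive or aiSim. Every parameter below (sensor range, deceleration, latency,
visibility model, ODD limits) is a constructed assumption for illustration.

The point: no component is faulty and every block behaves to spec, yet some
scenarios still end in a collision because the intended functionality is
insufficient there. Finding and bounding those scenarios, then either
improving the function or restricting the operational design domain (ODD),
is the SOTIF activity described in the post.
"""
import math
from dataclasses import dataclass
from itertools import product

# --- Assumed system characteristics (hypothetical) ------------------------
NOMINAL_SENSOR_RANGE_M = 150.0   # detection range in clear conditions
BRAKE_DECEL_MPS2 = 6.0           # sustained deceleration once braking starts
SYSTEM_LATENCY_S = 0.5           # perception + decision + actuation delay

# --- Assumed declared ODD (hypothetical) ---------------------------------
ODD_MAX_SPEED_MPS = 130.0 / 3.6  # function is offered up to 130 km/h
ODD_MIN_VISIBILITY_M = 50.0      # and down to 50 m visibility


@dataclass(frozen=True)
class Scenario:
    speed_mps: float       # ego speed when a stationary obstacle enters view
    visibility_m: float    # meteorological visibility (fog, spray, dusk)


def effective_range_m(visibility_m: float) -> float:
    """Assumed technical limitation: the sensor cannot see past the visibility."""
    return min(NOMINAL_SENSOR_RANGE_M, visibility_m)


def stopping_distance_m(speed_mps: float) -> float:
    """Distance covered during system latency plus constant-deceleration braking."""
    return speed_mps * SYSTEM_LATENCY_S + speed_mps ** 2 / (2.0 * BRAKE_DECEL_MPS2)


def max_safe_speed_mps(visibility_m: float) -> float:
    """Largest speed at which stopping_distance_m <= effective_range_m.

    Solves v^2/(2a) + v*t = d for v (positive root of the quadratic)."""
    a, t, d = BRAKE_DECEL_MPS2, SYSTEM_LATENCY_S, effective_range_m(visibility_m)
    return -a * t + math.sqrt((a * t) ** 2 + 2.0 * a * d)


def in_odd(s: Scenario) -> bool:
    """Is the scenario inside the ODD the function is declared for?"""
    return s.speed_mps <= ODD_MAX_SPEED_MPS and s.visibility_m >= ODD_MIN_VISIBILITY_M


def evaluate(s: Scenario) -> str:
    """Classify a scenario in which every component works as designed.

    'safe'               - obstacle detected early enough to stop
    'hazard_in_odd'      - SOTIF finding: insufficiency inside the declared ODD
    'hazard_outside_odd' - hazardous, but outside the ODD; must be prevented by
                           ODD enforcement or driver takeover, not by this function
    """
    if stopping_distance_m(s.speed_mps) <= effective_range_m(s.visibility_m):
        return "safe"
    return "hazard_in_odd" if in_odd(s) else "hazard_outside_odd"


def sweep(speeds_kph, visibilities_m):
    """Run the scenario grid and bucket results by verdict."""
    buckets = {"safe": [], "hazard_in_odd": [], "hazard_outside_odd": []}
    for kph, vis in product(speeds_kph, visibilities_m):
        s = Scenario(kph / 3.6, vis)
        buckets[evaluate(s)].append(s)
    return buckets


def odd_speed_cap_kph(visibilities_m):
    """Per-visibility speed cap (whole km/h, rounded down) that would remove
    the in-ODD hazards. Returns {visibility_m: cap_kph}; the cap equals the
    declared ODD maximum when no restriction is needed."""
    caps = {}
    for vis in visibilities_m:
        v = min(max_safe_speed_mps(vis), ODD_MAX_SPEED_MPS)
        # round to micro-km/h first so 129.9999999 from float error floors to 130
        caps[vis] = math.floor(round(v * 3.6, 6))
    return caps


if __name__ == "__main__":
    speeds = range(30, 160, 10)                        # km/h, constructed grid
    visibilities = [30.0, 50.0, 80.0, 120.0, 200.0]    # m, constructed grid
    result = sweep(speeds, visibilities)
    for verdict, scenarios in result.items():
        print(f"{verdict:>19}: {len(scenarios)} scenarios")
    for s in result["hazard_in_odd"]:
        print(f"  in-ODD hazard: {s.speed_mps * 3.6:.0f} km/h at "
              f"{s.visibility_m:.0f} m visibility")
    print("speed cap per visibility (km/h):", odd_speed_cap_kph(visibilities))
```

Under these assumed numbers the declared ODD is too generous: at 50 m visibility the function only stops in time below about 78 km/h, so every scenario between 80 and 130 km/h in that visibility is a known-unsafe case with no fault anywhere. Such a sweep is what turns "technical limitation" and "operational domain" from headings in the standard into an explicit list of scenarios that a simulator can replay on every build.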
Developing both the self-driving software and the virtual verification and validation environment is a progressive approach and means simulation can serve as a safety barrier before real-world public road tests begin, as detailed in our recent white paper. By creating a toolset and development pipeline that adheres to the fundamental mentality of SOTIF, we feel that AImotive is not only following and adopting these developing standards but actively contributing to them.
As a standard for a complex and constantly developing technology such as automated driving, SOTIF itself has many limitations; however, it is an important base for future standardization efforts. The SOTIF working group is thus pushing the industry towards consensus on topics such as collaboratively developed training sets for automotive neural networks and common simulated scenarios for validation. These, in turn, build trust in autonomous technologies and support regulators and the industry in their efforts to increase road safety.
Initiatives such as the SOTIF working group and the OpenGenesis project are the next step for the automotive industry to reach a consensus regarding the safety of automated driving systems. At AImotive we believe collaboration and standardization are the only way to achieve accepted and safe self-driving, and we will continue to participate in all such discussions.