“We need to have redundancy” – Experts discussed safe Level 4 systems

The Autonomous’ flagship Main Event brought more than 500 global industry leaders and experts together in Vienna and online. On a dedicated panel, participants from Audi, Infineon, TTTech Auto, AEye and Carnegie Mellon University discussed how to make SAE Level 4 systems safe, what is holding the industry back and how to advance safe autonomous vehicles (AVs).

Under the overall maxim “It’s Time To ACT”, Ricky Hudi, Chairman of The Autonomous emphasized in his opening speech: “The safety of autonomous mobility is not an area to compete or compromise on. Safety is about getting it right!” And the automotive ecosystem should not “wait until harmful accidents force us to collaborate.”

How To Make L4 Systems Safe

“Level 4 is the most challenging question the auto industry has ever faced,” stated Jens Kötz, Connected Architecture, Energy, and Security Lead at Audi. “Because it’s the first time that everything [including the infrastructure] is interconnected with the overall car and the system. The whole system – in-car and off-car – has to be evaluated in terms of safety requirements.”

Stefan Poledna: “We have to make sure that every single failure can be mitigated.”

“Automated driving systems need to work in open world scenarios without finite and complete requirements sets. Image understanding, image recognition, object recognition – these are all huge complexities”, said Stefan Poledna, CTO at TTTech Auto. “But it’s very clear that we need to have redundancy; no single chip, sensor or software component can do this alone. You have to make sure that every single failure can be mitigated.”

On the question ‘How safe is safe enough?’, Phil Koopman, Associate Professor at Carnegie Mellon College, replied, “It’s important to cover the rare cases. If your car works most of the time and drives well, safety is going to be dominated by the rare events to be at least as safe as a human. You also have to consider the distribution of fatalities: It’s not okay if fatalities are cut in half, but every single one is a pedestrian.”

Indu Vijayan: “We need a higher probability of a valid detection.”

Indu Vijayan, Director of Product Management at AEye, agreed, adding, “Another point to consider is, ‘What are the metrics to validate this?’ Is there a standard metric? Those are the missing things we need to work toward to make sure L4 systems are safe.” She emphasized that “the more different modalities are used to work in complementary fashion – the higher the probability of a valid detection will be.”

“The other underlying topic to solve is to make the systems safe, secure and highly available”, said Peter Schäfer, Executive Vice President and CMO of Automotive at Infineon, identifying another issue to consider: “We have to include features that allow the overall software architecture to find safe modes. If we have a wonderful Level 4 system and it’s not available, consumers will be disappointed and frustrated, ultimately losing trust in new systems.”

A safety architecture approach

Stefan Poledna proposed the so-called ‘doer/checker’ approach to achieve a diverse and highly safe architecture. In such a system, the ‘doer’ is the one who takes over the driving of an automated driving system. A checker would mean a separate channel that checks if the driving trajectory is safe in terms of not causing accidents or violating regulations. “If you are considering such a checker component, it can be built in other ways. It doesn’t generate your trajectory; it just checks if your trajectory is safe. These could be redundant software components as one would be on the driver side and the other represents the verification side of things. This adds a level of diversity to the system so you don’t have the same root cause.”

Phil Koopman: “I am a fan of the doer/checker approach.”

Phil Koopman added, “I am a fan of the doer/checker approach” and stated, “The reason this approach is so important is that I think architectural choices cause problems when designed as a two-channel architecture to do the comparison twice and compare. This doesn’t work for many functions because there isn’t a single right answer. The doer/checker solves that by saying here is the plan and we’re going to have acceptance criteria to decide if this plan makes sense.”
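To make the doer/checker pattern described by Poledna and Koopman concrete, here is an added, self-contained Python sketch; it is illustrative code written for this page, not code from TTTech Auto, Audi or any panelist. It assumes a one-lane scene with a single lead vehicle at constant speed, and it assumes a small set of acceptance criteria (speed limit, lane bounds, acceleration bound, minimum time headway, no overlap with the lead vehicle). The doer only produces a plan; the checker only judges plans against those criteria and never generates one; and a pre-verified minimal-risk stop is selected whenever the doer’s plan fails, so a single faulty planner cannot by itself drive the vehicle into an unsafe trajectory.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class State:
    t: float  # seconds from now
    x: float  # metres travelled along the lane
    y: float  # lateral offset from lane centre, metres
    v: float  # speed, m/s


@dataclass(frozen=True)
class Scene:
    speed_limit: float      # m/s
    lane_half_width: float  # metres
    lead_x: float           # lead vehicle position at t=0, metres ahead
    lead_v: float           # lead vehicle speed, assumed constant (assumption)
    min_headway_s: float    # required time gap to the lead vehicle, seconds


# Constructed example scene (not measured data): 25 m/s limit, 3.5 m lane,
# lead vehicle 40 m ahead doing 10 m/s, 2 s headway required.
EXAMPLE_SCENE = Scene(25.0, 1.75, 40.0, 10.0, 2.0)


def doer_plan(ego_v: float, target_v: float, horizon_s: float, dt: float = 0.5) -> List[State]:
    """Doer: plans a straight-line trajectory accelerating toward target_v.
    Deliberately naive to stand in for a faulty planner: it ignores the lead vehicle."""
    states, x, v, t = [], 0.0, ego_v, 0.0
    while t <= horizon_s + 1e-9:
        states.append(State(t, x, 0.0, v))
        v = min(target_v, v + 2.0 * dt)  # 2 m/s^2 acceleration
        x += v * dt
        t += dt
    return states


def minimal_risk_plan(ego_v: float, decel: float = 2.0, dt: float = 0.5) -> List[State]:
    """Fallback: a controlled in-lane stop. Simple enough to be verified offline."""
    states, x, v, t = [], 0.0, ego_v, 0.0
    while True:
        states.append(State(t, x, 0.0, v))
        if v == 0.0:
            return states
        v = max(0.0, v - decel * dt)
        x += v * dt
        t += dt


def checker(traj: List[State], scene: Scene, max_accel: float = 3.0) -> List[str]:
    """Checker: an independent channel that only judges a plan against acceptance
    criteria. It shares no planning logic with the doer, which is the point of diversity."""
    violations = []
    for prev, cur in zip(traj, traj[1:]):
        dt = cur.t - prev.t
        if dt <= 0:
            violations.append(f"t={cur.t}: non-monotonic timestamp")
            continue
        accel = abs(cur.v - prev.v) / dt
        if accel > max_accel:
            violations.append(f"t={cur.t}: acceleration {accel:.1f} m/s^2 exceeds {max_accel}")
    for s in traj:
        if s.v > scene.speed_limit:
            violations.append(f"t={s.t}: speed {s.v:.1f} m/s exceeds limit {scene.speed_limit}")
        if abs(s.y) > scene.lane_half_width:
            violations.append(f"t={s.t}: lateral offset {s.y:.2f} m leaves the lane")
        gap = (scene.lead_x + scene.lead_v * s.t) - s.x
        if gap <= 0:
            violations.append(f"t={s.t}: collision with lead vehicle")
        elif s.v > 0 and gap / s.v < scene.min_headway_s:
            violations.append(f"t={s.t}: headway {gap / s.v:.2f} s below {scene.min_headway_s} s")
    return violations


def select_trajectory(doer_traj: List[State], fallback: List[State],
                      scene: Scene) -> Tuple[str, List[State], List[str]]:
    """Arbitration: accept the doer's plan only if the checker finds nothing,
    otherwise hand control to the pre-verified minimal-risk plan."""
    problems = checker(doer_traj, scene)
    if not problems:
        return "doer", doer_traj, problems
    return "fallback", fallback, problems


def demo(ego_v: float, target_v: float) -> Tuple[str, List[str]]:
    """Run one arbitration round and report which channel won and why."""
    choice, _, problems = select_trajectory(
        doer_plan(ego_v, target_v, horizon_s=5.0),
        minimal_risk_plan(ego_v),
        EXAMPLE_SCENE,
    )
    return choice, problems


if __name__ == "__main__":
    for ego_v, target_v in ((10.0, 10.0), (15.0, 20.0)):
        choice, problems = demo(ego_v, target_v)
        print(f"ego {ego_v} -> {target_v} m/s: {choice}")
        for p in problems:
            print("   ", p)
```

With the constructed scene, a plan that holds 10 m/s behind a 10 m/s lead vehicle passes every criterion and the doer keeps control; a plan that accelerates from 15 to 20 m/s toward the same lead vehicle is rejected at t=1.0 s on headway and later on overlap, and the stop manoeuvre is selected instead. The fallback must be something the checker has already accepted (the block checks it in the test), because a fallback that itself fails the acceptance criteria would reintroduce a single point of failure.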

Peter Schäfer summed up the need for collaboration towards standardization: “It is difficult to rally the entire industry in one group. To build a structure and then build a standard slows down the process. We therefore need spearheading working groups to define a feasible approach and to share it with the community. If the idea of sharing one’s findings to put them under scrutiny is seen as an asset, we will be on the right path of closing in on a standardized way.”

Learn how The Autonomous Working Group Safety & Architecture is paving the way to the expected reference solution of a safe system architecture for self-driving vehicles: https://www.the-autonomous.com/innovation/#working-group-safety-architecture.

Learn about the design of a safe SAE Level 4 architecture here: https://www.tttech-auto.com/expert_insight/ee-architectures-sae-level-4-autonomous-driving

Ricky Hudi, Chairman of The Autonomous opens the Main Event