Intel, in collaboration with ten industry leaders in automotive and autonomous driving technology, published Tuesday “Safety First for Automated Driving,” a framework for the design, development, verification and validation of safe automated passenger vehicles (AVs). The paper builds on Intel’s model for safer AV decision-making known as Responsibility-Sensitive Safety (RSS).
Developing AVs that are verifiably safe by design is critical to enabling higher levels of autonomy on public roads. “Safety First for Automated Driving” brings together vast expertise from global automakers, suppliers and technology providers in comprehensive guidance for developing safe-by-design AVs.
The foundation of the paper is 12 guiding principles and the steps necessary to realize them. Each principle is refined into a series of capabilities that a safe AV must support; safety elements are then derived to implement the capabilities. (Descriptions of the principles begin on page five of the paper.)
Intel’s RSS model is highlighted under the Drive Planning Element, which supports the capability to “create a collision-free and lawful driving plan.” This element serves the top-level principle of behaving safely, as a means to understand, predict and manage the behavior of AVs and help ensure they conform to the rules of the road.
A shared vision to reduce traffic fatalities through driverless technology has yielded a wide range of approaches throughout the industry. “Safety First for Automated Driving” reconciles the many different approaches into a cohesive whole where only the best and safest approach is taken.
RSS was proposed in 2017 as a technology-neutral starting point for the industry to align on what it means for an AV to drive safely.
RSS formalizes human notions of common sense driving into a set of mathematical formulas that are transparent and verifiable, providing a “safety envelope” around an AV’s decision-making capabilities.
“Safety First for Automated Driving” adds to the momentum behind the global acceptance of RSS, including recent support lent by technology vendor Baidu, automotive supplier Valeo, standards body China ITS and others.
Among other elements, the framework covers how absolute GNSS position contributes to automated vehicle system safety. Consequently, not only accurate but also trustworthy absolute GNSS positions are required for location-based operational design domain (ODD) determination. A time window of GNSS position validity with integrity should be defined, as various levels of accuracy, integrity and availability will be in place while the automated vehicle is in operation. The continuity metric is no longer the main parameter of GNSS-based positioning with integrity.
A higher availability of GNSS-based positioning can be achieved by implementing multi-frequency and multi-constellation GNSS antennas and receivers, which is a prerequisite for interoperability and compatibility between GNSS constellations and radio frequency signals.
GNSS sensor functionality relies on the direct visibility of satellites. Consequently, GNSS-based positioning cannot have high continuity and availability due to environmental obstructions such as bridges or tunnels. In good GNSS conditions, position accuracy with high integrity, detection of loss of lock and fast convergence times after GNSS outages are therefore of substantial importance to an automated driving system.
Reaching accuracy and integrity performance metrics simultaneously is enabled by GNSS receivers that can utilize data received from an adequate number of satellites and additional data from correction services. These services need to implement fast processing, frequent updates and dedicated correction sets to support the best possible GNSS positioning algorithm.
A further aspect to cover is the assessment of new signals with respect to interference in ARNS/RNSS bands or other interferers or jammers that could harm GNSS positioning performance. Integrity can be given only if spoofing is addressed at the GNSS component level.
There is a variety of sensor fusion algorithms, each of which requires individual analysis with respect to hardware or software error robustness or input data error sensitivity, for instance. Thus, a carefully selected approach incorporating inductive, deductive and data-driven iterative design procedures, for example, should be followed.
Generally, input checks that determine the plausibility of individual sensor data, fusing multiple weighted input sources, and accumulating sensor data are possible strategies. Hardware and software diversity for the implementation of functionalities with the highest required error robustness should be considered.
While individual sensors can provide information about their current detection capabilities and range, sensor fusion can add substantial value in determining the current horizon of full sensor cluster perception, which may help to monitor the actual sensor performance. Regarded as a cross-referencing mechanism, sensor fusion can enable the detection of individual sensor limitations that are not detectable by the individual sensor itself.
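The sketch below is an added example, not code from the paper or from Intel. It combines the GNSS validity time window, a plausibility input check against an independent source, and weighted fusion, so that a GNSS fix reporting tight accuracy but disagreeing with the reference is caught by cross-referencing. The thresholds, the names and the choice of inverse-variance weighting are assumptions made for illustration.

```python
import math
from dataclasses import dataclass

# Assumed values for illustration; the paper does not specify thresholds.
VALIDITY_WINDOW_S = 0.5   # maximum age of a GNSS fix still treated as valid
GATE_SIGMAS = 3.0         # plausibility gate in combined standard deviations

@dataclass
class Estimate:
    x: float      # metres east in a local frame
    y: float      # metres north in a local frame
    sigma: float  # self-reported 1-sigma position uncertainty, metres
    t: float      # timestamp, seconds

def gnss_plausible(gnss, ref, now):
    """Input check: the fix must be fresh and agree with an independent
    reference (for example, odometry-based dead reckoning)."""
    if now - gnss.t > VALIDITY_WINDOW_S:
        return False, "stale"
    dist = math.hypot(gnss.x - ref.x, gnss.y - ref.y)
    gate = GATE_SIGMAS * math.hypot(gnss.sigma, ref.sigma)
    if dist > gate:
        # The receiver itself reports a small sigma; only the
        # cross-reference reveals that the position is not credible.
        return False, "implausible"
    return True, "ok"

def fuse(gnss, ref, now):
    """Inverse-variance weighted fusion; falls back to the reference alone
    when the GNSS fix fails the input check."""
    ok, reason = gnss_plausible(gnss, ref, now)
    if not ok:
        return Estimate(ref.x, ref.y, ref.sigma, now), reason
    wg, wr = 1.0 / gnss.sigma ** 2, 1.0 / ref.sigma ** 2
    x = (wg * gnss.x + wr * ref.x) / (wg + wr)
    y = (wg * gnss.y + wr * ref.y) / (wg + wr)
    return Estimate(x, y, math.sqrt(1.0 / (wg + wr)), now), reason

if __name__ == "__main__":
    # Constructed sample data, not measurements.
    ref = Estimate(100.0, 50.0, 1.0, 10.0)
    fixes = {"good": Estimate(100.6, 50.3, 0.5, 9.9),
             "jumped": Estimate(140.0, 50.0, 0.5, 9.9),
             "old": Estimate(100.2, 50.1, 0.5, 9.0)}
    for name, fix in fixes.items():
        print(name, fuse(fix, ref, now=10.0))
```
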
“Industry collaboration on the safety of automated vehicles is key to realizing a safe and responsible autonomous future. We are proud to have contributed to the groundbreaking work to establish a framework for introducing automated vehicles that are safe by design,” said Jack Weast, Intel senior principal engineer and vice president of Automated Vehicle Standards at Mobileye, an Intel company. “We look forward to collaboration with additional industry partners on this comprehensive framework as well as on Intel’s RSS model.”