
Neither SOTIF nor FuSa can solve the long-tail problem of autonomous driving safety

This is the 370th original content of "Autobot Reference"

"Moving smart electric vehicles forward"


Whether it is a complete autonomous vehicle, a solution, or a single software, algorithm or hardware module, the pace of mass production and deployment is clearly accelerating. During development, the requirements for and control of safety are becoming ever more pressing. The industry currently divides autonomous driving safety into two parts: Safety (FuSa and SOTIF) and Security. Here are some thoughts on that split.

Reviewing the Uber self-driving accident

In March 2018, an Uber self-driving test vehicle caused a fatal accident in the United States, which brought the entire industry to a standstill for a time. The post-mortem report analyzed the main causes.

First, Uber's perception model of the surrounding environment assumed that only three types of object would appear (bicycles, pedestrians and vehicles) and that these three types would only travel along the lane lines.

In reality, a pedestrian was pushing a bicycle across the road, and under the model's assumptions Uber's system could not classify or recognize such a scene in any circumstances.

Second, the safety driver did not take over the vehicle in time (over-trust), and the human factor had not been taken into account in the overall system design.

This incident shows that the safety design of automated driving must not only meet the requirements of the existing specification, but also verify that the specification itself is adequate.


The particular safety challenges of autonomous driving

Extending from the case above, autonomous driving poses many challenges to safety.

First, autonomous driving is data-driven, and large data sets are hard to describe through requirements. Second, the output of AI algorithms lacks interpretability and is hard to verify through the traditional pass/fail method. Third, there are many non-technical factors, including unreasonable layout of the transportation system and irregular behavior by traffic participants. Most importantly, there is a large number of random and unknown long-tail scenarios.

To meet these challenges, the safety field is mainly governed by two major standards: functional safety (FuSa) and safety of the intended functionality (SOTIF).

FuSa and SOTIF are the two main branches of safety

Functional safety (FuSa) focuses on failures of the electrical/electronic (E/E) architecture itself, while safety of the intended functionality (SOTIF) addresses the hazards that autonomous driving faces from performance limitations, insufficient functionality and reasonably foreseeable misuse by people.

Functional safety assumes that the specification is correct and concentrates on whether the product has followed and implemented the relevant processes and standards; SOTIF, by contrast, targets deficiencies in the product specification. The two complement each other and are the two lifelines of autonomous driving safety.

On top of these two kinds of safety, cybersecurity requirements arose; the relationship between the three can be represented by the following diagram.

[Diagram: relationship between functional safety, SOTIF and cybersecurity]

If a hazard originates from the system itself, it falls under functional safety; if it comes from outside the system and is deliberate misuse, it falls under cybersecurity; everything else falls under SOTIF.

How FuSa and SOTIF address safety problems

By safety outcome and by whether the scenario is known, autonomous driving scenarios can be divided into four areas.

[Diagram: the four scenario areas, known/unknown against safe/unsafe]

Area 1 is known-safe and Area 4 is unknown-safe; self-driving cars can operate in both.

Area 2, known-unsafe, must be addressed in advance in the system design.

Area 3 is unknown-unsafe, which can be understood as the long-tail scenarios.

There are two approaches to the safety of Areas 2 and 3. One is conservative: limit the operational design domain (ODD) so that the automated driving system operates only in known, safe scenarios. But this treats the symptoms rather than the root cause, and it is not conducive to commercializing autonomous driving at scale.

The other approach is to try to shrink Area 3, but since unknown scenarios are endless, however far it is reduced it will always exist.

Further, Area 3 can theoretically be seen as an "entropy increase" process: reducing entropy requires the system to remain open, and external forces must do work to reduce its degree of chaos and keep it away from equilibrium.

Mapped to autonomous driving, this means on one hand letting the system itself continuously learn and upgrade through the data closed loop, and on the other extending its line of sight through V2X to improve awareness of unknown scenarios.
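The four-area model and the two responses to it can be made concrete. The Python below is an added example written for this article, not code from the article's author or from any real driving stack; the ODD limits, the three-class object set, the scene signatures and the perception scores are all constructed assumptions. It treats anything perception cannot name as Area 3 at runtime (a monitor cannot tell unknown-safe from unknown-unsafe on its own), treats out-of-ODD conditions as Area 2 with a catalogued response, refuses to force-fit an ambiguous object into one of the three assumed classes, and shows the data closed loop moving a logged unknown scene into Area 2 after offline validation.

```python
"""Toy SOTIF-style runtime monitor for the four-area model (added illustration,
not code from the article or from any driving stack). The ODD limits, scene
signatures and perception scores below are constructed assumptions."""
from dataclasses import dataclass
from enum import Enum


class Area(Enum):
    KNOWN_SAFE = 1      # Area 1: validated, operate normally
    KNOWN_UNSAFE = 2    # Area 2: hazard identified at design time, mitigation exists
    UNKNOWN_UNSAFE = 3  # Area 3: long-tail, not validated
    UNKNOWN_SAFE = 4    # Area 4: only known after the fact, never returned at runtime


class Action(Enum):
    OPERATE = "operate"
    MITIGATE = "apply catalogued mitigation"
    MINIMAL_RISK = "minimal risk manoeuvre / hand-over"


KNOWN_CLASSES = ("vehicle", "pedestrian", "bicycle")  # the three assumed classes


@dataclass(frozen=True)
class Detection:
    label: str         # one of KNOWN_CLASSES, or "unknown"
    confidence: float  # 0..1
    along_lane: bool   # True when the object moves along the lane lines


@dataclass(frozen=True)
class Scene:
    road_type: str
    speed_kph: float
    weather: str
    detections: tuple


@dataclass(frozen=True)
class ODD:
    road_types: frozenset
    max_speed_kph: float
    weather: frozenset
    min_confidence: float


def open_set_label(scores: dict, min_confidence: float, along_lane: bool) -> Detection:
    """Map raw class scores to a Detection without force-fitting: if no known class
    reaches the threshold, report "unknown" rather than the nearest known class."""
    label, conf = max(scores.items(), key=lambda kv: kv[1])
    if label not in KNOWN_CLASSES or conf < min_confidence:
        return Detection("unknown", conf, along_lane)
    return Detection(label, conf, along_lane)


class ScenarioRegistry:
    """Design-time hazard catalogue plus what the data closed loop has validated since."""
    def __init__(self):
        self.known_unsafe = {}   # signature -> mitigation
        self.known_safe = set()
        self.unknown_log = []    # signatures logged for offline analysis

    def validate(self, sig: tuple, safe: bool, mitigation: str = "") -> None:
        """Offline step: a validation campaign moves a logged unknown scene into
        Area 1 (safe) or Area 2 (unsafe, with a mitigation)."""
        if safe:
            self.known_safe.add(sig)
        else:
            self.known_unsafe[sig] = mitigation


def signature(scene: Scene) -> tuple:
    """Coarse, hashable description of a scene used as the registry key."""
    labels = tuple(sorted(d.label for d in scene.detections))
    crossing = any(not d.along_lane for d in scene.detections)
    return (scene.road_type, scene.weather, labels, crossing)


def classify(scene: Scene, odd: ODD, reg: ScenarioRegistry):
    """Return (area, action, reason). Unknown is treated as unsafe at runtime
    because the monitor cannot distinguish Area 3 from Area 4 by itself."""
    sig = signature(scene)
    if any(d.label not in KNOWN_CLASSES or d.confidence < odd.min_confidence
           for d in scene.detections):
        reg.unknown_log.append(sig)
        return Area.UNKNOWN_UNSAFE, Action.MINIMAL_RISK, "unrecognised object"
    if (scene.road_type not in odd.road_types or scene.weather not in odd.weather
            or scene.speed_kph > odd.max_speed_kph):
        return Area.KNOWN_UNSAFE, Action.MITIGATE, "outside ODD"
    if sig in reg.known_unsafe:
        return Area.KNOWN_UNSAFE, Action.MITIGATE, reg.known_unsafe[sig]
    if sig in reg.known_safe:
        return Area.KNOWN_SAFE, Action.OPERATE, "validated by data closed loop"
    if sig[3]:  # known class, but behaviour outside the lane-following assumption
        reg.unknown_log.append(sig)
        return Area.UNKNOWN_UNSAFE, Action.MINIMAL_RISK, "object not following lane lines"
    return Area.KNOWN_SAFE, Action.OPERATE, "within ODD"


# Constructed ODD: urban roads, clear weather, 50 km/h limit, 0.6 confidence floor
CITY_ODD = ODD(frozenset({"urban"}), 50.0, frozenset({"clear"}), 0.6)


def demo():
    """Constructed scenes: an ambiguous crossing object, then a clearly recognised
    crossing pedestrian before and after the closed loop catalogues it."""
    reg = ScenarioRegistry()
    ambiguous = open_set_label({"pedestrian": 0.40, "bicycle": 0.45, "vehicle": 0.15},
                               CITY_ODD.min_confidence, along_lane=False)
    first = classify(Scene("urban", 40.0, "clear", (ambiguous,)), CITY_ODD, reg)
    crossing = Scene("urban", 40.0, "clear", (Detection("pedestrian", 0.92, False),))
    before = classify(crossing, CITY_ODD, reg)
    reg.validate(signature(crossing), safe=False, mitigation="brake and yield")
    after = classify(crossing, CITY_ODD, reg)
    return first, before, after


if __name__ == "__main__":
    for area, action, reason in demo():
        print(area.name, action.value, reason)
```

The design point is in `open_set_label` and the first branch of `classify`: an object that does not match any assumed class is surfaced as unknown and escalated, instead of being forced into the closest of the three classes and handled as if it followed the lane lines. The registry shows the closed loop from the article: a scene the monitor could only log as Area 3 becomes an Area 2 scenario with a catalogued response once it has been validated offline.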

Autobot Reference Summary

Failures or hazards within the system can be controlled by functional safety, while failures or hazards from outside the system can be controlled by SOTIF and cybersecurity.

In essence, however, this does not solve the safety problem in long-tail scenarios. The traditional approach of estimating probabilities and designing around them no longer applies, and even the data closed loop cannot reach 100% coverage. Whether the inherent unexplainability of AI will make safety an unsolvable problem is a question the industry still needs to explore.

This article is the 370th original article from Autobot Reference. If you think it is good, "recommend and follow" is the biggest support for me; please feel free to get in touch.
