Safe Autonomy

The technical crux of the Tesla "Full Self Driving" naming and marketing dilemma is SAE J3016 Section 8.2  (J3016 is the standard that defines the Levels.) If the design intent for the Tesla FSD feature is to eventually operate without a human driver being required for safety, per SAE J3016 that makes it SAE Level 4 ("L4") -- even if today a human driver is required to ensure safety during beta testing.  That's the same concept that applies to all the other L4 testers out there. Either you are deploying an L2 feature, or you are testing an L4 feature. The difference matters, and per J3016 on a technical basis you can't have it both ways.  (See Myth#10 https://users.ece.cmu.edu/~koopman/j3016/#myth10 )  Tesla tells regulators they are SAE Level 2, which avoids Level 4 testing regulations. But an argument can be made based on public statements that their final production design intent for these vehicles is a no-driver-needed vehicle at SAE Level 4 or better. C

SAE J3016 defines vehicle automation levels, but is not a safety standard (nor does it claim to be). Levels 2 & 3 are especially problematic from a safety point of view. What they define if the standard is followed -- and no more -- is unlikely to provide acceptable safety in practice. To be clear: a vehicle said to be SAE Level 2 or SAE Level 3 might be safe. But if it only does the bare minimum required for J3016 conformance, it is unlikely to be safe. More is needed. (For more on the specifics of SAE J3016 Levels see this user guide (link)  including a detailed discussion of what is and is not required by the SAE Levels.) SAE Level 2 safety SAE Level 2 requires that the driver be responsible for the Object and Event Detection and Response (OEDR). The driving automation might or might not see some objects, and might or might not respond properly, thus requiring continuous driver vigilance. However, it is well known that human drivers do poorly at supervising automation. Paradoxi

The SAE J3016:2021 standard ( https://www.sae.org/standards/content/j3016_202104/ ) defines terminology for automated vehicles including the famous SAE Automation Levels. It is widely referenced in discussions, other standards, and even government regulations. Unfortunately, what is said about J3016 is too often inaccurate, misleading, or just plain incorrect. Misinterpreting the SAE Levels can lead to misunderstandings about what the standard actually says, the technology incorporated into a car, and a driver's expectations. It's important to get statements in standards and regulations right. Moreover, it's important when referring to J3016 to understand that it says what it says, not what some author might want it to say, what might seem optimal for safety, or what other documents state that it says. (While this might seem obvious, perpetuation of misunderstandings is rampant.) You can read the full user guide that explains the standard, its implications and debunks myths

 SAE J3016 Automation Levels are widely used, controversial -- and arguably not the right way to describe automation for anyone other than the engineers designing the systems. In the video below I give a summary of SAE J3016 terminology and the infamous Levels and provide an alternative description approach. I also cover some of the many myths that so many people think are true, but which are not actually part of that standard at all. I have also published a pretty thorough SAE J3016 User Guide that details more precise definitions and myths to help those who need to get things exactly right find the subtleties in the standard that are not apparent after only one (or two, or three) reads. User guide:  https://users.ece.cmu.edu/~koopman/j3016/ Terminology video:      https://youtu.be/Kykb75_41hY

Safety Performance Indicators (SPIs) are defined by chapter 16 of ANSI/UL 4600 in the context of autonomous vehicles as performance metrics that are specifically related to safety (4600 at 16.1.1.6.1). This is a fairly general definition that is intended to encompass both leading metrics (e.g., number of failed detections of pedestrians for a single sensor channel) and lagging metrics (e.g., number of collisions in real world operation).   However, it is so general that there can be a tendency to try to call metrics that are not related to safety SPIs when, more properly, they are really KPIs. As an example, ride quality smoothness when cornering is a Key Performance Indicator (KPI) that is highly desirable for passenger comfort. But it might have little or nothing to do with the crash rate for a particular vehicle. (It might be correlated -- sloppy control might be associated with crashes, but it might not be.) So we've come up with a more precise definition of SPI (with special t

This is a short course lecture series that runs about 5 hours total.  YouTube pointers: L100: Look Who's Driving ( PBS Nova )    L101: Intro (9 slides) -- Playlist | Single Video L102:Validating Machine Learning-Based Systems (13 slides) -- Playlist | Single Video L103:SOTIF & Edge Cases (11 slides) -- Playlist | Single Video L104:Implications of Removing the Human Driver (16 slides) -- Playlist | Single Video L105:Safety Architectures (14 slides) -- Playlist | Single Video L106:How Safe is Safe Enough? (11 slides) -- Playlist | Single Video L107:Building Trust (10 slides) -- Playlist | Single Video L108: Getting to Deployed + Safe (8 slides) -- Playlist | Single Video L109: UL 4600 Key Ideas -- Playlist | Single Video L120: Overview of Automated Vehicle Terminology and J3016 Levels -- Playlist | Single Video For those who don't have access to YouTube, an alternate source for these videos is archive.org: L101 / L102 / L103 / L104 / L105 / L106 / L107 / L10