Tuesday, September 18, 2018

Automotive Safety Practices vs. Accepted Principles (SAFECOMP paper)

I'm presenting this paper at SAFECOMP today.

2018 SAFECOMP Paper Preprint

Abstract. This paper documents the state of automotive computer-based system safety practices based on experiences with unintended acceleration litigation spanning multiple vehicle makers. There is a wide gulf between some observed automotive practices and established principles for safety critical system engineering. While some companies strive to do better, at least some car makers in the 2002-2010 era took a test-centric approach to safety that discounted nonreproducible and “unrealistic” faults, instead blaming driver error for mishaps. Regulators still follow policies from the pre-software safety assurance era. Eight general areas of contrast between accepted safety principles and observed automotive safety practices are identified. While the advent of ISO 26262 promises some progress, deployment of highly autonomous vehicles in a nonregulatory environment threatens to undermine safety engineering rigor.

See the full paper here:

Note that there is some pretty interesting stuff to be seen by following the links in the paper reference section.
Also see the expanded list of (potentially) deadly automotive defects.

Here are the accompanying slides:  https://users.ece.cmu.edu/~koopman/pubs/koopman18_safecomp_slides.pdf

Wednesday, September 12, 2018

Victoria Australia Is Winning the Race to ADS Testing Safety Regulations

Victoria, Australia has just issued new guidelines for Automated Driving System (ADS) testing. They should be required reading for anyone doing on-road testing elsewhere in the world; there is too much good material here to miss. The guidelines are also backed by actual laws designed to make autonomy testing safe.

A look through the regulations and guidelines shows that there is a lot to like. The most intriguing points I noticed were:
  • It provides essentially unlimited technical flexibility to the companies building the ADS vehicles while still providing a way to ensure safety. The approach is a simple two-parter:
    1. The testing permit holders have to explain why they will be safe via a safety management plan.
    2. If the vehicle testing doesn't follow the safety management plan or acts unsafely on the roads, the testing permit can be revoked.
  • The permit holder rather than the vehicle supervisor (a.k.a. "safety driver" in the US) is liable when operating in autonomous mode.  In other words, if the safety driver fails to avoid a mishap, liability rests with the company running the tests, not the safety driver. That sounds like an excellent way to avoid a hypothetical strategy of companies using safety drivers as scapegoats (or expendable liability shields) during testing.
  • The permitting process requires a description of ODD/OEDR factors (Operational Design Domain and Object and Event Detection and Response), covering not just geofencing but also weather, lighting, infrastructure requirements, and the types of other road users that could be encountered.
  • The regulators have broad, sweeping powers to inspect, assess, require tests, and in general do the right thing to ensure that on-road testing is safe. For example, a permit can be denied or revoked if the safety plan is inadequate or not being followed.
There are many other interesting and on-target discussions in the guidelines. They include the need to reduce risk as low as reasonably practicable (ALARP); accounting during testing for the Australian road safety approach of safe speeds, safe roads, safe vehicles, and safe people; transition issues between the ADS and the supervisor; the need to drive in a predictable way so as to interact safely with human drivers; and a multi-page list of issues to be considered by the safety plan. There is also a list of other laws that come into play.

Here are some pointers for those who want to look further.
There are some legal back stories at work here as well. For example, it seems that under previous law a passenger in an ADS could have been found responsible for errors made by the ADS, and this has been rectified with the new laws.

The regulations were created according to the following criteria from a 2009 Transportation bill:
  • Transportation system objectives:
    • Social and economic inclusion
    • Economic prosperity
    • Environmental sustainability
    • Integration of transport and land use
    • Efficiency, coordination and reliability
    • Safety and health and well being
  • Decision making principles:
    • Principle of integrated decision making
    • Principle of triple bottom line assessment
    • Principle of equity
    • Principle of the transport system user perspective
    • Precautionary principle
    • Principle of stakeholder engagement and community participation
    • Principle of transparency. 
(The principle of transparency is my personal favorite.)

Here is a list of key features of the Road Safety (Automated Vehicles) Regulations 2018:

  1. The purpose of the ADS permit scheme (see regulation 5):
    • To allow trials of automated driving systems in automated mode on public roads
    • To enable a road authority to monitor and manage the use and impacts of an automated driving system on a highway
    • To enable VicRoads to perform its functions under the Act and the Transport Integration Act
  2. The permit scheme requires the applicant to prepare and maintain a safety management plan that (see regulation 9 (2)):
    • Identifies the safety risks of the ADS trials
    • Identifies the risks to the reliability, security and operation of the automated driving system to be used in the ADS trial
    • Specifies what the applicant will do to eliminate or reduce those risks so far as is reasonably practicable; and
    • Addresses the safety criteria set out in the ADS guidelines
  3. The regulations require the ADS permit holder to report a serious incident within 24 hours (see regulations 13 and 19). A serious incident means any:
    • accident
    • speeding, traffic light, give way and level crossing offence
    • theft or carjacking
    • tampering with, unauthorised access to, modification of, or impairment of an automated driving system
    • failure of an automated driving system of an automated vehicle that would impair the reliability, security or operation of that automated driving system.
I hope that US states (and the US DOT) have a look at these materials. Right now I'd say VicRoads is ahead of the US in the race to comprehensive but reasonable autonomous vehicle safety regulations.

(I would not at all be surprised if there are issues with these regulations that emerge over time. My primary point is that it looks to me like responsible regulation can be done in a way that does not pick technology winners and does not unnecessarily hinder innovation. This looks to be excellent source material for other regions to apply in a way suitable to their circumstances.)