SAE J3016 defines vehicle automation levels, but is not a safety standard (nor does it claim to be). Levels 2 & 3 are especially problematic from a safety point of view. What they define if the standard is followed -- and no more -- is unlikely to provide acceptable safety in practice.
To be clear: a vehicle said to be SAE Level 2 or SAE Level 3 might be safe. But if it only does the bare minimum required for J3016 conformance, it is unlikely to be safe. More is needed.
(For more on the specifics of SAE J3016 Levels see this user guide (link) including a detailed discussion of what is and is not required by the SAE Levels.)
SAE Level 2 safety
SAE Level 2 requires that the driver be responsible for the Object and Event Detection and Response (OEDR). The driving automation might or might not see some objects, and might or might not respond properly, thus requiring continuous driver vigilance.
However, it is well known that human drivers do poorly at supervising automation. Paradoxically, the better the automation is, the worse they do. So something needs to be done to ensure that drivers are paying adequate attention to the driving, and avoid automation complacency. Driver monitoring is said to be "useful" in SAE J3016, but is completely optional.
This is a complex topic, but if you want to deploy a safe L2 system you need to address it with what I'll call "effective" driver monitoring (i.e., driver monitoring that makes sure you're paying enough attention). Maybe eye tracking and facial expression monitoring will be effective, but the jury is still out on real-world deployment at scale. We'll have to see. But specifying a particular technology won't solve the problem until we have that data. For now, we'll just say it has to be "effective" and that part needs to be worked out.
Finding 1: Safe SAE Level 2 vehicles need to meeting J3016 Level 2, plus the addition of effective driver monitoring.
SAE Level 3 safety
SAE Level 3 requires that the automated driving system (ADS) be able to completely handle the dynamic driving task (DDT), including both vehicle control and OEDR. (There is a common misconception that at Level 3 a driver is supposed to notice objects missed by the ADS. This is not true if the ADS is in a non-faulted state.)
SAE Level 3 puts the human driver in charge of fallback operations. If there is some sort of software or equipment failure the driver needs to bring the vehicle to a minimal risk condition (MRC), such as pulling over to a safe place at the side of the road. The ADS might help, but is not required to do so.
A crucial nuance in L3 is that the ADS is not required to notify the driver of all possible faults, and is not required to control the vehicle for long enough for the human driver to be able to resume control. For an ADS failure the requirement is only to give a "few" seconds warning. (For the ALKS standard it is 10 seconds, but it is clear that this is not going to be long enough for complex situations at higher speeds. Note that the current ALKS version is for low speed traffic jam operation, which might be a bit different than the more general case.) Moreover, in the event of an "evident" vehicle failure, there might be no warning at all from the ADS, and no grace period to regain control.
Telling human fallback drivers on the one hand that the vehicle drives itself, but on the other hand there are some failures that they need to react instantly to is a recipe for tragic loss events. One issue is that what is an "evident" failure to an automotive engineer might be meaningless to a civilian driver. (Have you ever seen a car driving with an obvious issue, such as billowing smoke pouring out the back from an engine burning itself up, a tire so low on air it is pulling the car to one side, or even a completely flat tire -- but the driver is oblivious? I have.) A driver who has been told not to pay attention might well be so engrossed in a video game, movie, or other distraction that "evident" failures go ignored.
Additionally, even if a human driver does feel the thump from a wheel falling off, consider that happening in high speed rush hour traffic. How long until the driver can grab the steering wheel, regain situational awareness, and react without hitting anything? Almost certainly longer than it takes to hit the first surrounding vehicle. To be sure J3016 does not prevent the ADS from trying to do better, but it does not require it. That means that a vehicle that says "SAE Level 3" on the nameplate, but does no more than that, is problematic from a safety point of view.
There are three ways to go with this. One is to make sure that the driver is paying attention well enough to react to vehicle failures, just as with Level 2. Except now the vehicle is even more capable and the driver has even less to do. So driver monitoring is even more problematic.
Finding 2: Safe SAE Level 3 might be achieved by a vehicle meeting J3016 Level 3, plus the addition of driver monitoring that is effective even when the driver is assigned no role in the DDT.
(This strategy could be made easier if the ADS always warns the driver of any possible failure rather than not alarming for vehicle failures beyond the scope of ADS failures. Call this Finding 2a if you like, but it ends up in the same place of designing the system so the driver can handle the assigned fallback role reliably.)
Another strategy is to run in an operational design domain (ODD) so constrained that an in-lane stop is likely to be safe enough if it doesn't happen too often, and then require the vehicle to always be capable of doing an in-lane stop. By splitting wording hairs you can align this with L3 by designating the MRC as pull to side of road if it can, and if it can't execute an in-lane stop while calling that a "failure mitigation strategy" rather than an MRC maneuver. (See SAE J3016:2021 Figure 14.) This seems to be the strategy taken for ALKS, with the implicit rational that an in-lane stop might be safe enough in a traffic jam due to low speed of other vehicles in the jam.
In-lane stops still do not deal with the issue of vehicle failures not detected by the ADS or catastrophic ADS failures. So to be safe the vehicle would additionally need to be sure to do something (MRC or in-lane stop) in response to all vehicle failures relevant to safe driving, even if the driver has fallen asleep. Even if you're in a slow traffic jam, hitting a leading car at up to 60 kph because the driver failed to take over within a set 10 second time limit is still not a good idea for safety.
Finding 3: Safe SAE Level 3 might be achieved by a vehicle meeting J3016 Level 3, plus a requirement that a failure mitigation strategy always results in an in-lane stop if an MRC cannot be achieved, plus an ODD limitation that makes in-lane stops acceptably safe, plus a requirement that all DDT-relevant vehicle failures are automatically detected and trigger at least a failure mitigation strategy.
Finding 3 sounds complicated, but that is more or less where ALKS seems to be trying to end up.
But, what if you can guarantee that the Level 3 ADS will always bring you to an MRC no matter what goes wrong? You'd like the driver to take over, but if the driver doesn't take over the vehicle still does the Right Thing. That sounds great. But it also is -- by definition -- a Level 4 capable system. (See generally Myth #15 and Myth #16 here.)
Finding 4: Or, you could just build an SAE Level 4 system.
This points out a different aspect of the J3016 levels. An SAE Level 4 capable system might pull itself to the side of the road every kilometer and expect a driver to be ready to resume operation to get back on the road and up to driving speed before Level 4 operation can be activated again. (Being in the breakdown lane waiting for a driver to wake up from a nap is not necessarily all that safe -- ask emergency responders.) Or it might be a robotaxi that never, ever has a failure as long as it stays inside its geofence. Dramatically different, but both might still be legitimate Level 4 capable systems.
A different approach
For a different take on the safety-relevant requirements for vehicle automation, see my work on Vehicle Automation Modes. This is a view from a different perspective that is compatible with the SAE Levels, but emphasizes more what it takes to make a driver-friendly automated vehicle.
Dr. Philip Koopman is a professor at Carnegie Mellon University. He works extensively in the area of automated vehicle safety.
Note: More is required to achieve safety beyond what is described in this article -- such as following industry-created functional, SOTIF, and system-level safety standards.
No comments:
Post a Comment
All comments are moderated by a human. While it is always nice to see "I like this" comments, only comments that contribute substantively to the discussion will be approved for posting.