Building a culture of safety is a prerequisite to building an autonomous vehicle. That’s one conclusion from the insightful Smart Driving Car Summit panel, Safe Enough in the Operational Design Domain. The moderator for this panel, Marjory Blumenthal, Senior Policy Researcher, RAND Corporation, is well versed in this topic, having recently published two reports on the importance of evaluating and communicating autonomous vehicle safety.¹
Safety Should Drive Engineering
Nat Beuse, Head of Safety, Aurora, emphasizes that safety shouldn’t be a “checkbox” and that it should drive engineering. Echoing Beuse, Dan Smith, Assistant General Counsel (Regulatory) for Waymo, indicates that “Safety is central to what Waymo does.”
Christopher Hart, Founder, Hart Solutions LLP, challenges the autonomous vehicle industry to learn from their cousins in the aviation world. As former Chairman of the NTSB (National Transportation Safety Board), he brings a perspective that covers air, ground, and water transportation.
One of those lessons is that aviation doesn’t compete on safety. As Hart says, “Every crash makes everyone skeptical of flying.” Hart suggests that public acceptance is not going to depend upon marginal improvements. The public has seen automation fail them in other domains (e.g. PC crashes, cyberattacks, etc.), so automated driving is going to have to be much better than human driving for people to perceive that it is “safe enough.”
Beuse is pleasantly surprised that the industry is coming together around this topic. He sees companies sending people to meetings on safety, which might not have happened 5 years ago. His concern is that all the players in the industry embrace a safety culture, particularly as the various players merge.
Implicit in the conversation was a distinction between human involvement (self-driving or SAE Level 3) and machine-driven (driverless or Level 4 in a defined Operational Design Domain, ODD). According to Smith, Waymo decided early on that Level 3 wouldn’t work. Employee testing of Google’s Level 3 driver-assistant led them to the discovery that humans become complacent and over-rely on automation.
The ODD’s Impact on Safety
Level 4 puts boundaries around driverless operation by placing restrictions on where, when, and under what conditions a given vehicle can operate. As Beuse points out, the ODD means that AV developers don’t have to solve every challenge at once. Smith suggests the ODD approach allows a gradual improvement and expansion of autonomous vehicles without sacrificing safety.
Waymo’s Smith describes the process for determining an ODD as:
- Starting with human beings defining and figuring out the ODD in terms of boundaries, traffic laws, local driving customs, etc.
- Then, mapping the area, understanding the signage, where the tight points are.
- And, finally, working with safety drivers to drive the area in preparation for service and for providing real data that can feed simulations for additional off-line testing.
Smith suggests there are nuances between ODDs. At some point in time, there will be transferability between ODDs, but today, each one has to be examined locally. Hart is optimistic about the highway trucking ODD being an early commercial deployment, as it has fewer edge cases than streets that share space with pedestrians and bicyclists.
As to the question of what is safe enough, it is really a question of perception. Beuse says there are fundamentally two groups of people that will judge the safety of autonomous vehicles:
- those who are passengers, and
- those who are interacting with the vehicle (other drivers, bikes, pedestrians, etc.)
Both of the AV developers, Beuse and Smith, agree that driverless might have to sacrifice performance to ensure that people’s perceptions are that it is safe.
It leads back to the idea of local customs as Hart recounted a story of an AV developer who said that people were rear-ending their vehicles that were following the speed limit laws.
Connected Vehicles – A Nice-to-Have, but Not a Must-Have for Safety
Do vehicles need a connection to each other and/or the infrastructure to be safe enough? Neither Aurora nor Waymo has a dependency on external communications for their respective vehicles to operate. Beuse explains that existing road infrastructure is less than perfect, with potholes and signage that is sometimes suspect. Simply put, both Aurora and Waymo felt it was better to get started than to wait for a perfect infrastructure that will probably never exist, except on paper.
All the panelists agreed that connectivity provides another input to fuse with a vehicle’s other sensors. This offers the potential to improve safety (e.g. being able to see beyond on-board sensors, receiving information from public safety authorities, etc.), assuming it is cost-effective, accurate, and reliable. A few of the questions around connectivity not addressed by the panel include:
- How much bandwidth is needed for connectivity? That is, is 30 MHz (5.895-5.925 GHz) versus the original 75 MHz (5.85-5.925 GHz) enough bandwidth to meet V2V and V2I connectivity needs?
- With the average vehicle life-span of 10+ years and limited DOT budgets, how long will it take to retrofit the fleet and infrastructure for V2V and V2I to start to have an impact?
- What is the need for GPS resiliency in ensuring the ongoing safe operation of autonomous vehicles?²³
- What security measures are in place to prevent issues, such as spoofing?
To these last two points, security in many ways is inseparable from safety. It has to be part of the AV developer’s culture.
Tune in to next week’s Smart Driving Car Summit panel, Finally Doing It, to continue this ongoing conversation.
¹ RAND has a fascinating online tool that allows one to change various parameters regarding how fast driving will change and how safety will evolve, and to see how the introduction of autonomous vehicles will impact annual fatalities. It compares this to a world where autonomous vehicles are not introduced. https://www.rand.org/pubs/tools/TL279/tool.html
² This overview of a November 2020 USDOT workshop on GPS spoofing in the maritime domain provides background on a real-world spoof. https://www.federalregister.gov/documents/2020/11/25/2020-26120/workshop-on-gps-jamming-and-spoofing-in-the-maritime-environment
³ The U.S. DOT NATIONAL TIMING RESILIENCE and SECURITY ACT ROADMAP to IMPLEMENTATION report to Congress is here https://www.transportation.gov/sites/dot.gov/files/2021-01/NTRSA%20Report%20to%20Congress_Final_January%202021.pdf and this TechCrunch article provides a good overview on the findings. https://techcrunch.com/2021/01/15/dot-evaluated-11-gps-replacements-and-found-only-one-that-worked-across-use-cases/