Safety for autonomous driving is still under development. Whether on the highway or in a multi-story parking garage, highly automated driving functions must behave safely and reliably in every situation. Parallel systems monitor the environment and decide what to do in critical situations.
Three systems to keep self-driving car owners safe
This is called redundancy, and it is one of the ways developers at Porsche Engineering ensure safety in autonomous driving applications. Consider a truck ahead losing part of its cargo: a pallet slides off and tumbles into the road, blocking the lane. What would frighten a human driver today would be handled easily by the highly automated cars of the future.
This is due to three parallel systems. The primary planner is in charge of normal driving and responds in a comfortable way: it brakes and accelerates gradually.
The second system, the fallback planner, calculates a trajectory that, if required, moves the vehicle swiftly into a safe position. The third system, the supervisor, regularly evaluates whether the primary or the fallback path poses a danger and selects the safest option in each situation.
This is why a pallet unexpectedly falling off the truck would not be a problem for the highly automated vehicle: even if the main planner missed the obstacle, the fallback planner would let the vehicle take evasive action safely, or stop on the hard shoulder if driving around the obstacle were not possible.
Such a scenario might become a reality in the not-too-distant future. Porsche Engineering is putting forth a lot of effort to make highly automated driving (HAD) features as safe and dependable as possible. ‘Decomposition’ is a vital approach along the journey. Instead of a single system controlling the vehicle, numerous planners and supervisors collaborate in real-time.
“Together, the systems achieve a much higher level of fail-safety than a single one,” explains Jan Gutbrod, team leader for the development of driving assistance systems at Porsche Engineering.
In practice, the overall system must be able to cope with a variety of vehicle types and driving styles, recognize road markings of different colors, even when they are worn, and safely avoid both known and unexpected obstacles. This requires a coordinated interaction between the three subsystems, which must be demonstrated in testing and road trials.
Complete system separation is paramount
Parallel systems have been used in aviation for a long time. Their safety, however, depends heavily on the technical design. Representatives of Cariad, the Volkswagen Group's technology and software division, argue that simply duplicating systems is not enough to provide genuine redundancy for autonomous driving.
This means that the instances must be technically separated from one another, with their own hardware, software, and data sources. This is the only way to reduce common-cause failures, in which several instances fail for the same underlying reason.
To achieve this technical separation, the supervisor builds its picture of the environment solely from object lists. These lists are produced by the vehicle's sensors: a radar sensor, for example, delivers a list of all vehicles or objects detected in the area, together with their direction of travel.
The primary and fallback planners, by contrast, work with raw sensor data, such as point clouds from laser scanners (LiDAR), rather than object lists. Furthermore, some components have access to map data that the supervisor does not.
The way data is processed also differs from one system to the next. The main and fallback planners use sensor data fusion, for example: if only one sensor detects an object in the area while all the other sensors explicitly do not, the fusion algorithm may decide to disregard this signal as a false detection.
The supervisor, on the other hand, looks at each sensor individually. The different functional principles of the individual systems ensure that each builds its own representation of the situation. Combined, the systems' strengths provide a safe reaction.
Driving dynamics are an important factor in autonomous driving systems
The supervisor's job is to look for potential dangers in the paths computed by the primary and fallback planners. To do so, it regularly makes predictions over different time horizons.
For the next few meters of travel, a so-called 'ballistic approach' can be used: the supervisor assumes that objects essentially keep their direction of motion and velocity owing to inertia and mass. A second prediction covers a horizon several seconds into the future.
Highly complex algorithms with dozens of parameters are needed to anticipate traffic events this far ahead. Speed, road surface, weather conditions, the previous motion profiles of nearby road users, and stationary vehicles are among the factors considered.
This prediction forms the basis of the next decision: the supervisor places the planners' trajectories into its predicted future scenario.
If, for example, the 'sovereignty zone' around the vehicle, into which no object is permitted to enter, would be breached along the planned course, the supervisor rejects the path and initiates a route modification. As the developers put it, it "throws off a planner."
The planning software must be very finely balanced for this. If the supervisor gives high priority to possible danger situations too quickly, the vehicle becomes overly cautious and therefore hazardous in its own right; developers refer to this phenomenon as 'too soon too safe'. The brakes, for example, would then be applied far too early.
The supervisor must also recognize emergency scenarios in which a detour would waste time and perhaps result in undesirable consequences.
It is also crucial to keep an eye on the defined driving dynamics limits before taking any precautions. If, as in the highway example, an obstacle appears unexpectedly, the systems must respond so quickly that the driver has enough time to stop safely. In the future, paths might have the option of flying an "emergency flag."
In that case, planners could approach the supervisor and request that measures outside the set limits be permitted.
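The decomposition described above (primary planner, fallback planner, supervisor) and the supervisor's ballistic check of the sovereignty zone, as an added example; this is illustrative code written for this page, not Porsche Engineering's or Cariad's software, and the 2 m zone radius, the 0.1 s step, the 20 m/s ego speed and the single-sensor pallet detection are constructed assumptions:

```python
from dataclasses import dataclass
from math import hypot

@dataclass(frozen=True)
class Obj:
    """One entry of a sensor's object list: position [m] and velocity [m/s]."""
    x: float
    y: float
    vx: float = 0.0
    vy: float = 0.0

def ballistic(obj: Obj, t: float) -> tuple[float, float]:
    """Short-horizon 'ballistic' prediction: the object keeps its velocity."""
    return obj.x + obj.vx * t, obj.y + obj.vy * t

def min_clearance(traj, objects, dt: float) -> float:
    """Smallest distance between any point of the ego path and any predicted object."""
    best = float("inf")
    for k, (x, y) in enumerate(traj):
        for o in objects:
            ox, oy = ballistic(o, k * dt)
            best = min(best, hypot(x - ox, y - oy))
    return best

def supervise(primary, fallback, per_sensor, zone: float = 2.0, dt: float = 0.1):
    """Pick the path to release; returns (chosen path, clearance per path)."""
    # The supervisor checks every sensor's object list on its own, so a detection
    # reported by only one sensor is not discarded the way planner-side fusion might.
    objects = [o for lst in per_sensor.values() for o in lst]
    scores = {"primary": min_clearance(primary, objects, dt),
              "fallback": min_clearance(fallback, objects, dt)}
    if scores["primary"] >= zone:       # comfortable path keeps the zone clear
        return "primary", scores
    if scores["fallback"] >= zone:      # primary is "thrown off", fallback released
        return "fallback", scores
    return max(scores, key=scores.get), scores   # both breach: take the safest

# Constructed scene (assumption): ego at 20 m/s, 3 s horizon in 0.1 s steps; a
# pallet lies 30 m ahead in the lane and is reported by the radar list only.
DT, SPEED = 0.1, 20.0
PRIMARY = [(SPEED * k * DT, 0.0) for k in range(31)]                      # stay in lane
FALLBACK = [(SPEED * k * DT, min(3.5, 3.5 * k * DT)) for k in range(31)]  # move to shoulder
SENSORS = {"radar": [Obj(30.0, 0.0)], "camera": []}

if __name__ == "__main__":
    print(supervise(PRIMARY, FALLBACK, SENSORS))
```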
Automated parking has to deal with a different kind of unexpected situation. At IAA Mobility in September, Cariad showed what this new function will be able to do in the future: the driver of a Porsche Cayenne E-Hybrid dropped off their SUV in a dedicated transfer zone in the car park and gave the instruction to park via smartphone.
The Cayenne then set off towards the available parking space.
If the driver so wishes, the vehicle first drives to a charging station, where a robotic arm with a charging connector docks automatically. It then drives on its own to the actual parking space. When the driver wants the vehicle back, they can use the app to summon it to the transfer zone.
The benefits to the driver include eliminating the time-consuming hunt for a parking spot and maneuvering, as well as the ability to utilize the time for recharging.
Automated parking can be accomplished in one of two ways: either the car guides itself to the parking space, or the surrounding infrastructure takes over control. In the latter case, the parking system sends radio commands to the car, instructing it to accelerate or decelerate as needed.
This was the approach used in the Cariad demonstration at IAA Mobility. Which of the two options will prevail in automated parking in the long run remains to be seen.
“Control via the infrastructure is easier to implement and secure,” explains Albrecht Böttiger, Head of the ADAS/HAD Project House at Porsche AG. “On the other hand, vehicle-based automated parking allows more car parks to be used.”
As a result, a long-term trend toward full autonomy, especially in parking lots, may emerge.
If, on the other hand, parking is managed by the infrastructure, redundant mechanisms must be used there too, exactly as in the car. The parking control system should therefore run as several concurrent instances.
Emergency scenarios, such as people unexpectedly stepping out in front of the automobile, can then be handled safely. Such scenarios are to be expected, since autonomous and conventional cars will coexist in parking lots for some time.
The fail-safe safety insurance: emergency stop
“We will be closely examining the algorithms of the infrastructure operators,” says Sebastian Reikowski, project manager for parking systems at Porsche Engineering. “In order to implement externally controlled parking safely, however, extensive adjustments are also necessary in the vehicle. All communication with the infrastructure via 5G or WiFi must be encrypted to prevent unauthorised access,” explains Reikowski.
If the radio link fails, the car comes to a complete stop. A concept for an emergency stop is also required: if the main braking system fails, a backup system must step in to guarantee a safe stop. One possibility is to combine the electric motor's regenerative braking with the parking brake and parking lock.
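The vehicle-side behaviour Reikowski describes, as an added example that is not Cariad's or Porsche Engineering's code: commands from the car park are accepted only if they carry a valid authentication tag and a fresh sequence number (an integrity check on top of the link encryption the text mentions), and a watchdog drives the target speed to zero when no valid command arrives within the timeout, i.e. when the radio link has failed. The message layout, the shared key, the 0.5 s timeout and the 10 km/h-style speed cap are constructed assumptions.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # assumption: per-session key shared with the car park
BODY_LEN, TAG_LEN = 12, 32      # ">Id" sequence number + target speed, SHA-256 tag

def pack(seq: int, speed: float, key: bytes = KEY) -> bytes:
    """Infrastructure side: command = body || HMAC-SHA256(key, body)."""
    body = struct.pack(">Id", seq, speed)
    return body + hmac.new(key, body, hashlib.sha256).digest()

class VehicleGate:
    """Vehicle side: only fresh, authentic commands move the car; silence means stop."""

    def __init__(self, key: bytes = KEY, timeout: float = 0.5, max_speed: float = 3.0):
        self.key, self.timeout, self.max_speed = key, timeout, max_speed
        self.last_seq = -1          # highest accepted sequence number
        self.last_ok_t = None       # time of the last valid command
        self.target_speed = 0.0     # m/s; the car starts and fails to "stop"

    def receive(self, msg: bytes, now: float) -> str:
        """Validate one message; returns 'ok' or the reason it was rejected."""
        if len(msg) != BODY_LEN + TAG_LEN:
            return "malformed"
        body, tag = msg[:BODY_LEN], msg[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):     # forged or corrupted
            return "bad_tag"
        seq, speed = struct.unpack(">Id", body)
        if seq <= self.last_seq:                        # replayed or out of order
            return "replay"
        self.last_seq, self.last_ok_t = seq, now
        self.target_speed = max(0.0, min(speed, self.max_speed))  # clamp to car-park limit
        return "ok"

    def tick(self, now: float) -> float:
        """Watchdog: no valid command within the timeout counts as link failure."""
        if self.last_ok_t is None or now - self.last_ok_t > self.timeout:
            self.target_speed = 0.0
        return self.target_speed
```

Rejected messages do not change the target speed on their own; a sustained stream of forged or replayed commands simply starves the watchdog, which then stops the car just as it does on a dead link.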
More coordination is needed to develop a common communication standard; only then will cars from all manufacturers be able to use the parking service. A standard describing a vehicle-to-infrastructure interface is already in the works.
“In addition, lawmakers still have to define at what point responsibility is transferred from the vehicle to the infrastructure – at what point the parking garage would have to be liable for damage, for example,” adds Reikowski.
Continuous progress, like with highly automated driving in general, will be critical.
“A new mindset is needed: the software of vehicles will be continuously developed in the future – much like smartphones today,” emphasises system architect Andreas Nagler from Cariad.
The objective of this data-driven development is for fleets of test cars to continually gather data and send it to the cloud, where it is used to improve the HAD algorithms. The result is a "huge data loop".
The Scene Selector, a dedicated algorithm in the test car, identifies unexpected conditions or scenarios that have not occurred before and sends them to a central server. The scenes are then used to further train the neural network of the cut-in detection system.
In conclusion, redundant, carefully separated systems make highly automated driving functions safe by allowing a switch between multiple paths. In automated parking, the car park itself may take over control. Even then, the vehicle's emergency systems provide safety in all conditions.