Safe driving in autonomous vehicles: a complex story

Today’s autonomous driving systems feature programs that learn and think like human beings to make the right decision for almost every situation. But, how can these programs be verified for safety?

by ANSYS Belgium

Delivering an autonomous driving system, one that has the ability to understand every conceivable driving situation and make judgments to ensure the safety of vehicle occupants and pedestrians, is a complex and demanding task. For example, consider the challenge of developing rules for identifying any imaginable pedestrian, vehicle or other object that could appear on a city street. Conventional requirements-driven programming methods are not capable of mastering the huge number of potential situations that could occur on today’s roads and highways.

Hands-off autonomous driving systems rely upon deep learning algorithms that can be trained to develop human-like capabilities to recognize patterns without having to be exposed to every possible situation that could arise on a trip to the grocery store. These systems lack the defined detailed requirements and architecture that are used to validate conventional safety-critical software. Road testing is not a practical verification method because billions of miles would be required to demonstrate safety and reliability. The ANSYS ADAS/autonomous vehicle open simulation platform (ADAS = advanced driver assistance systems) integrates physics, electronics, embedded systems and software simulation to accurately simulate complete autonomous driving systems. By linking the ANSYS simulation platform and ANSYS SCADE model-based development tools with Switchboard™ automated robustness testing technology from Edge Case Research (ECR), together with ANSYS medini functional safety analysis, it is possible to achieve end-to-end safety in autonomous driving systems, including those that use deep learning.

Machine learning and deep learning are at the heart of the latest autonomous driving software.

From ADAS to Autonomous Driving

Advanced driver assistance systems (ADAS) are increasingly being used in today’s automobiles to alert drivers to potential problems or even to take control of the vehicle to avoid a collision. These safety systems are normally validated using the system and embedded software lifecycle V-model defined in ISO 26262. The ANSYS SCADE Suite complete end-to-end model-based system engineering (MBSE) solution is used in the development of safety-related systems for leading automobile manufacturers.

Figure: the autonomous driving control loop

Developing a fully autonomous driving system is much more sophisticated, and must be based on a combination of machine learning/deep learning and control logic to implement the full autonomous vehicle control loop. The control loop is composed of perception (what the car observes), motion planning (what behavior the car is planning) and motion execution (how the car will complete the plan). This control loop is executed in a cyclic fashion so that the vehicle can respond to constant changes in the environment. Road testing is therefore an essential part of the vehicle development process, but it is not the answer to safety validation. Road testing primarily consists of routine occurrences that are not difficult for human or autonomous drivers, which means billions of miles of road testing would be required to validate safety, and, even then, a failure or a change of code would potentially require starting over from zero.

Hands-off autonomous driving systems rely upon deep learning algorithms that can be trained to recognize patterns without having to be exposed to every possible situation.

Overcoming the Safety Verification Challenge

The ANSYS ADAS/autonomous vehicle open simulation platform can test many more scenarios in a fraction of the time and cost required for road testing.

The integration of all physics, embedded systems, software simulation and code generation enables developers of autonomous systems to accurately simulate the complete automated driving control loop on a single platform. The drive scenario model animates the motion of the test car and other vehicles and objects in a test drive. Sensor models observe the surroundings in the virtual world and output sensor signals. Signal processing models and deep learning identify objects and driving conditions from sensor data. Control algorithms make control decisions, generate actuator inputs, and display information and decisions to the passenger/operator. Vehicle component models use actuator inputs and compute the response of vehicle subsystems such as steering and braking. The vehicle dynamics model computes position, velocity and orientation of the test vehicle.

Figure: closed-loop simulation chart (ANSYS autonomous vehicle simulation architecture)

Safe Architecture for Safe Vehicles

Simulation does not on its own answer the question of how to verify the safety of the complex autonomy algorithms used for perception, motion planning and execution functions.

To get that answer, engineers first break down the overall autonomous vehicle software architecture into a meaningful set of components. Then they design an architecture that will guarantee safety. This architecture is based on a DOER-CHECKER principle:

The primary algorithm (DOER) of the architecture is complex, needs frequent updates and is difficult to verify. The algorithm is paired with a corresponding safing gate (CHECKER) that verifies whether the outputs of the primary algorithm are correct. If the safing gate detects a problem, a safing channel algorithm takes control. This is the basis for the two-channel architecture developed by members of the ECR team while at Carnegie Mellon University (see diagram). This architecture comprises a primary channel that produces a long-duration mission and a safing channel that produces a short-duration mission, such as pulling the car to the side of the road.

Using this architecture, the plan can be checked for safety during the planning phase. The primary algorithm need not satisfy safety objectives at the highest level (ASIL D in ISO 26262); rather, this responsibility is allocated to the safing gate. What makes this possible is that the detailed safety requirements of the safing gates can be established so that their implementation meets the objectives of ISO 26262 at ASIL D. This is depicted by the example shown, in which the car is going to stop because a double-parked car has been detected.
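The following Python model illustrates the DOER-CHECKER split described above. It is an added example, not ANSYS, ECR or Carnegie Mellon code: the road is reduced to one dimension, a plan is a list of commanded speeds at 1 s steps, the braking capability (`MAX_DECEL`) and stand-off margin (`SAFETY_MARGIN`) are assumed values, and the primary planner is a deliberately naive stand-in that keeps cruising so that the gate has something to reject. The point it shows is the allocation of responsibility: the gate's check is a few lines of requirement-driven logic that can be reviewed and verified, while the primary planner can be arbitrarily complex because nothing it produces reaches the actuators without passing the gate.

```python
"""Toy DOER-CHECKER (two-channel) planner.

Added example, not ANSYS/ECR code. Assumes a 1-D road model: the ego vehicle
moves along x, the nearest obstacle ahead is described by its x position, and
a plan is a list of commanded speeds sampled at 1 s steps. All numbers are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

MAX_DECEL = 6.0      # m/s^2, assumed braking capability of the safing channel
SAFETY_MARGIN = 2.0  # m, assumed stand-off distance kept from any obstacle


@dataclass
class WorldState:
    ego_x: float
    ego_speed: float
    obstacle_x: Optional[float]  # nearest obstacle ahead, or None if the road is clear


@dataclass
class Plan:
    channel: str         # "primary" (long-duration mission) or "safing" (ends in a safe state)
    speeds: List[float]  # commanded speed at each 1 s step


def primary_planner(world: WorldState) -> Plan:
    """DOER: in a real system this is the complex, frequently updated, hard-to-verify
    algorithm. Here it is a placeholder that keeps cruising at the current speed,
    i.e. it ignores the double-parked car, so the gate has something to catch."""
    return Plan("primary", [world.ego_speed] * 5)


def stopping_distance(speed: float) -> float:
    """Distance needed to brake to rest at MAX_DECEL (constant deceleration)."""
    return speed * speed / (2 * MAX_DECEL)


def safing_gate(world: WorldState, plan: Plan) -> bool:
    """CHECKER: small, requirement-driven check that can be verified on its own.
    Walks the plan forward one step at a time and requires that, at every step,
    the vehicle can still stop short of the obstacle with SAFETY_MARGIN to spare."""
    x = world.ego_x
    for speed in plan.speeds:
        if speed < 0:
            return False  # reversing is never part of a valid forward mission here
        if world.obstacle_x is not None:
            gap = world.obstacle_x - x - SAFETY_MARGIN
            if gap < stopping_distance(speed):
                return False
        x += speed  # advance 1 s at the commanded speed
    return True


def safing_channel(world: WorldState) -> Plan:
    """Short-duration mission that ends in a safe state: brake to a standstill."""
    speeds = []
    v = world.ego_speed
    while v > 0:
        v = max(0.0, v - MAX_DECEL)  # one second of braking
        speeds.append(v)
    speeds.append(0.0)  # explicit terminal safe state
    return Plan("safing", speeds)


def control_cycle(world: WorldState) -> Plan:
    """One iteration of the two-channel control loop: the primary plan is used
    only if the gate accepts it; otherwise the safing channel takes control."""
    plan = primary_planner(world)
    if safing_gate(world, plan):
        return plan
    return safing_channel(world)


if __name__ == "__main__":
    # Constructed scenario from the text: a double-parked car 30 m ahead.
    world = WorldState(ego_x=0.0, ego_speed=10.0, obstacle_x=30.0)
    chosen = control_cycle(world)
    print(chosen.channel, chosen.speeds)
```

With the obstacle 30 m ahead the gate rejects the cruising plan at its third step (the remaining gap of 8 m is below the 8.3 m stopping distance at 10 m/s) and the safing channel's stop mission is used instead; with a clear road the primary plan passes unchanged.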

Figure: two-channel architecture. The primary channel produces a long-duration mission with no defined end state, while the safing channel produces a short-duration mission that ends in a safe state.

Figure: the safing algorithm for the planning phase

Safety of perception

Assuring the safety of perception is more complex; it must be validated using different techniques. ECR Switchboard addresses this challenge (and some others) by providing automated robustness testing to find failures.

What is needed to prove perception safety is large-scale exposure to the difficult cases that can challenge autonomous driving systems (and often human drivers). ECR Switchboard uses a novel algorithm to cut through the potentially endless number of possible tests to quickly find test cases that cause software to fail and understand why the failure occurred. It bombards the automated driving system with a mixed stream of nominal and exceptional inputs until a failure occurs. The failures are then diagnosed by generalizing a single fault-triggering input to produce a set of inputs that serve as hints in implicating field-value assignments in triggering the failure. This approach is highly effective at finding edge cases that cause system failures.
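The two steps the paragraph describes, a mixed nominal/exceptional input stream run until something fails, then generalization of the failing input into hints about which field-value assignments triggered it, can be shown on a small scale. The Python below is an added example, not ECR Switchboard's algorithm or code: the system under test (`should_brake`, a deliberately fragile time-to-collision brake decision), the field names, the nominal and exceptional value pools and the thresholds are all constructed, and the generalization step is a simple one-field-at-a-time substitution back to nominal values, chosen as an assumed stand-in for whatever Switchboard does internally. The oracle treats both exceptions and a silently non-conservative answer on non-finite input as failures, since the latter is the kind of defect that never shows up in routine driving.

```python
"""Toy robustness tester: mixed nominal/exceptional inputs, then generalization
of a failing input to implicate field-value assignments.

Added example, not ECR Switchboard code. The system under test, the field
pools and the thresholds are constructed; the generalization is a simple
one-field-at-a-time minimization assumed for illustration.
"""
import math
import random
from typing import Any, Callable, Dict, List, Optional, Tuple

Frame = Dict[str, Any]
TTC_THRESHOLD = 2.0  # s, assumed brake-decision threshold
CLASS_MARGIN = {"car": 1.0, "pedestrian": 2.0, "cyclist": 1.5}  # m, assumed per-class margins


def should_brake(frame: Frame) -> bool:
    """System under test: a deliberately fragile brake decision (constructed)."""
    margin = CLASS_MARGIN[frame["obstacle_class"]]   # KeyError on an unexpected class label
    closing = frame["ego_speed"] - frame["obstacle_speed"]
    if closing < 0:                                   # misses closing == 0 ...
        return False
    ttc = (frame["distance"] - margin) / closing      # ... so this can divide by zero
    return ttc < TTC_THRESHOLD                        # NaN/inf silently yields False


# Nominal values plus a pool of exceptional values per field (all constructed).
NOMINAL: Frame = {"distance": 40.0, "ego_speed": 13.0,
                  "obstacle_speed": 5.0, "obstacle_class": "car"}
EXCEPTIONAL: Dict[str, List[Any]] = {
    "distance": [0.0, -1.0, math.nan, math.inf, 1e300],
    "ego_speed": [0.0, 5.0, math.nan, -3.0],
    "obstacle_speed": [0.0, 13.0, math.nan, 1e300],
    "obstacle_class": ["truck", "", None],
}


def run(sut: Callable[[Frame], Any], frame: Frame) -> Optional[str]:
    """Oracle: None for a nominal outcome, otherwise a short failure signature."""
    try:
        out = sut(frame)
    except Exception as exc:
        return type(exc).__name__
    if not isinstance(out, bool):
        return "bad-type:" + type(out).__name__
    nonfinite = any(isinstance(v, float) and not math.isfinite(v) for v in frame.values())
    if nonfinite and not out:
        return "unsafe-on-nonfinite"  # must fail conservatively on garbage sensor data
    return None


def random_frame(rng: random.Random, p_exceptional: float = 0.3) -> Frame:
    """Mixed stream: each field is nominal or drawn from its exceptional pool."""
    return {field: (rng.choice(EXCEPTIONAL[field]) if rng.random() < p_exceptional else nominal)
            for field, nominal in NOMINAL.items()}


def generalize(sut: Callable[[Frame], Any], failing: Frame) -> List[str]:
    """Implicate fields: restore each non-nominal field to its nominal value, one
    at a time; if the failure signature changes, that field-value assignment
    was necessary for the failure and is reported as a hint."""
    signature = run(sut, failing)
    implicated = []
    for field, value in failing.items():
        if value == NOMINAL[field]:
            continue
        trial = dict(failing, **{field: NOMINAL[field]})
        if run(sut, trial) != signature:
            implicated.append(field)
    return implicated


def campaign(sut: Callable[[Frame], Any], seed: int = 0,
             max_tests: int = 10000) -> Dict[str, Tuple[Frame, List[str]]]:
    """Bombard the SUT; keep the first failing frame per signature with its hints."""
    rng = random.Random(seed)
    findings: Dict[str, Tuple[Frame, List[str]]] = {}
    for _ in range(max_tests):
        frame = random_frame(rng)
        signature = run(sut, frame)
        if signature and signature not in findings:
            findings[signature] = (frame, generalize(sut, frame))
    return findings


if __name__ == "__main__":
    for sig, (frame, hints) in campaign(should_brake).items():
        print(sig, "<-", hints, frame)
```

Against this SUT the campaign surfaces three distinct failure signatures: `KeyError` implicating `obstacle_class`, `ZeroDivisionError` implicating whichever speed field made the closing speed zero, and `unsafe-on-nonfinite` implicating the field carrying a NaN or infinity. When a frame carries several exceptional values at once, the substitution step reports only the ones the signature actually depends on, which is the "hint" behaviour the paragraph describes.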

Perhaps the greatest challenge remaining in the large-scale deployment of autonomous driving systems is testing and debugging machine learning and deep learning algorithms that work without defined requirements and design to ensure their robustness and safety. ANSYS has leveraged its vast experience in multiple physics simulation and simulating safety-critical embedded software to deliver a complete automatic driving simulation platform that includes the world’s only ISO 26262–compliant code generator. This platform is now integrated with the ECR Switchboard robustness testing platform. Hence the ANSYS/ECR partnership can deliver a complete solution to verify and validate the safety of the most advanced autonomous driving systems.