The General Motors (GM) 2018 Self-Driving Safety Report presents a good guide to the steps required to design a safe autonomous vehicle (AV), using its Cruise (Fig. 1) as an example. This Report covers the design of a safe AV based on operational design considerations. It was not intended to cover the system considerations for an AV; however, the system’s design issues are important and will be covered after reviewing the operational functions of an AV.
In this Report there are two key components that work together to enable the design of a safe vehicle:
· Safety through iterative design
· Safety through comprehensive risk management and deep integration
GM’s AV development process starts by analyzing the act of driving itself.
· They broke down every action necessary to safely navigate from point A to point B and determined how to execute each action in different locations and conditions.
· They challenged prototype after prototype through simulation and real-world testing to develop and refine how each of the vehicle’s systems work together to provide predictable, safe driving.
· They designed and built an AV to safely operate among aggressive drivers, jaywalkers, bicyclists, delivery trucks, construction, unprotected left turns, four-way stop signs and countless other factors that arise when driving in the city.
GM will test its AV in one of the most complex environments possible — San Francisco. This should ensure that the vehicle can drive safely even in the most unpredictable circumstances and conditions. This testing challenge will put vehicle safety systems through rigorous tests.
At the center of the vehicle’s self-driving capabilities are computers that perform the functions necessary to understand the world around the vehicle and make the driving decisions that safely transport passengers. Fig. 2 shows the computers and the combination of subsystems that should work together.
In addition, each vehicle contributes to a shared knowledge base so that each vehicle can learn from the collective experiences of the entire fleet. If one car sees that a road is closed, the others automatically avoid it. Or, if there’s a dangerous road hazard, a single car can notify thousands of others to avoid a potentially unsafe situation. This fleet learning capability is just one of many advantages these vehicles have over human drivers. This combined data is used to improve each individual car’s performance and safety.
The Report said they are also learning from what doesn’t happen. They combine data gathered from their extensive testing with comprehensive safety analyses to identify additional potential challenges they may not have experienced on the road. Then, they determine how best to respond to those unseen challenges.
GM’s belief is that a safe AV must be built from the ground up, seamlessly integrating the self-driving system into the vehicle. That’s exactly what they did, starting with the all-electric Chevrolet Bolt EV.
Perception, Planning and Controls explain how GM’s Cruise AV senses its environment and makes driving decisions.
· It “Sees” by using sensors to monitor its environment. The sensors feed information to a computer that combines the sensor data with high-definition map data to localize the vehicle.
· It detects and classifies objects, determines their location and provides their speed and direction. It builds a three-dimensional model of the world that keeps track of important objects.
· It predicts the objects’ future motion — pedestrians and trucks have different predicted movements.
· It determines free, drivable space around the vehicle using a three-dimensional model and map data.
· It identifies other environmental uncertainties. For example, with knowledge of its location, perception knows where it must look for moving objects. If its view is blocked, perception will flag that area as unknown. If an object is hard to see because of rain or fog, or because it is hidden behind a truck, the computer brain knows that and adjusts its decision-making and performance accordingly. This allows prudent decision-making and operation based upon both what the sensors “see,” as well as what may be hidden from view.
To perform Perception functions, the vehicle has five LiDARs, 16 cameras and 21 radars, as shown in Fig. 3. Their combined data provides sensor diversity that enables viewing of complex environments. The LiDARs, radars and cameras all scan both long and short range with views 360 degrees around the vehicle. One LiDAR provides precise feedback using laser measurements for both fixed and moving objects. Radar is complementary to LiDAR because it uses electromagnetic pulse measurements and can see solid objects that have low light reflectivity. Both LiDAR and radar inputs measure the speed of moving objects, allowing quick, confident determinations of speed. Cameras complement the LiDAR by measuring the light intensity reflected off or emitted from objects, providing rich detail of the object. LiDAR and camera data combine to classify and track objects, making high-confidence determinations more quickly. This helps, for example, identify pedestrians, vehicle types and road details such as lane lines, construction zones and signage. A complementary set of long-range sensors tracks high-speed objects, such as oncoming vehicles, and the short-range sensors provide detail about moving objects near the vehicle such as pedestrians and bicycles.
Planning:
· Determines the desired vehicle behavior. It accounts for road rules and plans routes for the car to travel from trip origin to destination. It chooses routes to optimize efficiency and safety and to route the car only on streets within its capabilities.
· Supports other road users’ predicted actions, traffic controls, road markings, rules of the road and other external factors.
· Identifies multiple paths, and constantly chooses the best one to meet changing road conditions and events.
· Includes multiple backup plans if something unexpected happens. For example, while preparing to change lanes to turn right at an intersection, another vehicle may aggressively cut into the destination lane, making the lane change unsafe.
· Provides an alternative route, for example, the vehicle could go around the block instead of blocking its current lane while waiting for an opening to change lanes.
Controls:
· Implements the final path from planning, converting its commands for the actuators that control the steering, throttle, brake and drive unit.
· Gives the AV full vehicle maneuverability complete with stability, traction and anti-lock brake systems fully active.
GM’s System Safety program incorporates proven processes from engineering standards organizations, 100-plus years of its own experience, from other industries such as aerospace, pharmaceutical and medical, and from the military and defense industries. AVs require system diversity, robustness and redundancies similar to strategies used for the most advanced fighter planes and deep-space satellites. GM focuses on the capabilities of each system to give the vehicle’s computers full control of acceleration, braking and steering, and the ability to make the right decisions to drive safely on the road. This also requires thoroughly analyzing each system to identify the safety risks and challenges, and to eliminate or safely manage each one.
The GM Report covers only operational features for a safe AV, which are complex and sophisticated. The Report does not disclose how system issues are supported. However, there are many down-to-earth system design issues for all AVs that should be considered. One example is power management, which will become a major issue as all the sensors and computers are integrated into the system. The traction motor for an electric vehicle could operate at several hundred volts, whereas the computers and sensors will require a much lower voltage. Computers and sensors may require different operating voltages, so several different low-voltage power supplies may be necessary.
Electromagnetic interference (EMI), both internal and external, is a potential problem. This may require shielding as well as circuits and components to prevent EMI. In particular, multiple switching power supplies may cause EMI problems. Also, what should be done to the vehicle structure to prevent external EMI from affecting AV system operation?
Thermal management will undoubtedly be required because of all the heat-producing semiconductors and other devices. This may require unique packaging technologies. And, if there are various subsystems from different manufacturers, it would be difficult to have a consistent packaging configuration. This could impact system costs and complicate system packaging and replacement parts.
Besides the power-related issues, the vehicle’s widespread use of software will undoubtedly require periodic updates. How will these updates be implemented? Will the Internet be used to update software on individual cars? Plus, subsystems from different manufacturers usually use their own software language. Will the subsystems be able to “talk” to each other or will it require additional hardware and software for this communication?
An important question is whether there will be built-in test systems to check the vehicle before it hits the road. And, in mass production, how much time should be allotted to test each vehicle to ensure it is working reliably before it is delivered? Will there be a “magic” button that you push to completely test the vehicle? Testing can be difficult when you want to find out whether the vehicle will react properly when confronted with dangerous road conditions, other vehicles, or pedestrians. Because of all the software involved, testing individual sensors won’t tell how they operate in a real application. It may be necessary to develop a special simulator that exercises all of the vehicle’s AV functions.
Will the manufacturer be able to provide these solutions before or after the AV system is designed and built? As you can see, there are many unanswered questions, so don’t expect to see widespread use of mass-produced AVs any time soon.