Sepeedeh Shahbeigiu Roudposhti, PhD Student, WMG - IV Sensors and Prof Valentina Donzella Sensor, Lead of the Intelligent Vehicles Research Group

The Promise of Automated Driving Systems

Driving can be more time and fuel efficient with automated or autonomous driving systems. By driving precisely at set speeds, avoiding abrupt lane changes, and keeping a certain distance from other vehicles, they can considerably minimise traffic congestion and emissions. Furthermore, they can improve accessibility and mobility. Above all, Automated Driving Systems (ADSs) can contribute to enhancing road safety by averting car accidents due to human drivers’ error, which are responsible for 90% of all traffic fatalities (more than 30,000 per year) and $230 billion in annual medical and lost-time expenditures in the United States alone.

The SAE autonomy levels and their implications

To delve deeper into the world of ADSs, it's important to understand the classification of driving autonomy levels provided by the Society of Automotive Engineers (SAE), see Table 1's classification of driving autonomy levels by the Society of Automotive Engineers (SAE). International. Levels 0 to 2 require the human driver to be attentive at all times, either driving themself or supervising the ADS in autonomous mode and taking control if necessary. Levels 3–5 are self-monitoring, and the driver is expected to take control only when requested by the system. Levels 0–4 provide partial automation under predefined driving modes and conditions, while Level 5 indicates complete autonomy. Now, the most advanced ADSs are Level 2. The transition from Level 2 to Level 3 is a notable step forward with critical implications for the confidence and comfort of human-machine interactions, the allocation of legal obligation between system and driver, and the technical challenges to overcome to ensure passenger safety.

Table 1 – SAE driving Autonomy Levels.

The role of integrity monitoring in ADS's

Several technical aspects developed over decades for automated flying in civil aviation industry could serve as a foundation for transition to level 3 autonomy in ADSs. This article focuses on localisation safety.

Localisation safety in aviation is quantified in terms of integrity (as well as accuracy, continuity, and availability). Integrity is the level of trust in sensor information. Integrity risk is the probability of undetected sensor errors resulting in unacceptably high positioning uncertainty. The uncertainty in the position is due to the noise in the sensors’ measurements. However, in real-world applications of an automated flying function, position errors are unknown, therefor an integrity monitoring system can be used to estimate a statistical upper-bound on the position error (called protection level). To ensure the safe operation, the output of the integrity monitoring system is compared to a safety threshold defined by certification authorities. This safety threshold in integrity concept is called alert limit which defines the maximum allowable position error. If the protection level is greater than alert limit an alarm is raised to inform the user\system that the automated function cannot be trusted. The same concept can be applied to the ADS. The ideal safe instance which depicts the relationship between position error, protection level and alert limit in both aviation and ADS applications are illustrated in figure 1. In this figure, the estimated protection level is bounding the position error and is smaller than the alert limit.

Figure 1- Position error, alert limit and protection level in aviation (left) and ADS (right).

During the operation of an automated driving function, there are times where the protection level is smaller than the alert limit, but it is not bounding the position error and in reality, the position error is greater than the alert limit (figure 3). In this case, the integrity monitoring system is providing a hazardous misleading information to the rest of the system since the user/system is not aware of the hazard. An integrity monitoring system aims at limiting the probability of these cases happening below the integrity risk.

Figure 2- Hazardous misleading event when position error is greater than alert limit, but protection level is smaller than alert limit.

Unfortunately, the methods previously developed for civil aviation cannot be directly applied to the ADSs. Since the environment, surrounding the operation of ADSs and in civil aviation is vastly different. The environment in which ADSs are deployed is sky-obstructed (with buildings and trees) and more unpredictably varied (i.e., including pedestrians and other vehicles). To overcome shortcomings raised due to this complexity, ADSs are usually equipped with other types of sensors as well as the GNSS. However, the previous integrity monitoring methods has been specifically developed for sky operating GNSS. Our integrity monitoring research aims to propose techniques appropriate for perception sensors on ADAS-equipped vehicles.

So far, we have been studying an integrity monitoring technique which detects the hazardous misleading events in a radar-based adaptive cruise control system (ACC). ACC is an intelligent cruise control ADAS technology that automatically adjusts the vehicle speed to keep a safe distance from vehicles ahead. Using our proposed integrity monitoring method on top of the ACC, will enable the system to distinguish the driving instances when the vehicle speed is estimated based on dangerously erroneous input data and cannot be trusted. The driver\ADS will then be alerted, and a consecutive safe decision will be made (either to request the driver to take over or to carry out a safe degradation manoeuvre). The block diagram of our proposed solution can be seen in figure 3. The successful application of this technique enables the transition of currently level 2 ACC to level 3 and above.

Figure 3- Our proposed integrity monitoring method.

If you are interested in learning more about WMG’s research into autonomous safety, please contact wmgbusiness@warwick.ac.uk.