Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

AAMVA Talk: Ensuring the safety of self-driving car road testing

1,055 views

Published on

An update of my PennDOT AV Summit talk

Published in: Automotive
  • Be the first to comment

  • Be the first to like this

AAMVA Talk: Ensuring the safety of self-driving car road testing

  1. 1. Ensuring the Safety of Self-Driving Car Road Testing © 2018 Philip Koopman Prof. Philip Koopman AAMVA International Conference August 22, 2018
  2. 2. 2© 2018 Philip Koopman  State regulations emphasized:  Registration and vehicle identification  Insurance  FMVSS conformance or waiver  Driver credentials & registration  Safety driver in driver seat  Accident/incident reporting Were Testing Regulations Adequate? Elaine Herzberg Pre-impact dashcam image Tempe Police Dept. / March 18, 2018  Manufacturer determines critical safety factors:  Whether vehicle is safe to operate  Appropriate training for safety drivers
  3. 3. 3© 2018 Philip Koopman  NOT: Blame the victim  Pedestrian in road is expected  NOT: Blame the technology  Immature technology under test – Failures are expected!  NOT: Blame the driver  A solo driver drop-out is expected  The real lesson:  Ensure safety driver is engaged  Did We Learn The Right Lesson? https://goo.gl/aF1Hdi https://goo.gl/MbUvXZ https://goo.gl/MbUvXZ
  4. 4. 4© 2018 Philip Koopman  Safety Case: A structured written argument, supported by evidence, justifying system is acceptably safe for intended use.  AV Testing safety case: 1. Driver is actually paying attention 2. Driver has enough time to react to autonomy failures 3. Autonomy will respond to driver override  And … it actually works that way in practice – Show me the data! Safety Case Elements for AV Testing https://goo.gl/YUC5oU
  5. 5. 5© 2018 Philip Koopman  “We have a safety driver” doesn’t cut it as an argument  Driver Dropout is well known  Airline pilots (even if there are two!)  1990s-era Automated Highway System  Can’t just assume alert safety drivers  Questions to ask about safety drivers:  Are they trained?  How will you ensure they are alert/awake?  How will you monitor on-road performance? Is the Safety Driver Really In the Loop? 2009 https://goo.gl/5htvnP Fernando De la Torre CMU: https://goo.gl/bHDXLS
  6. 6. 6© 2018 Philip Koopman  Safety Driver Tasks:  Mental model of “normal” AV  Detect abnormal AV behavior  React & recover if needed  Example: obstructed lane  Does driver know when to take over?  Can driver brake in time? – Or is sudden lane change necessary?  Example: two-way traffic  What if AV commands sudden left turn into traffic? Can Safety Driver React In Time? https://goo.gl/vQxLh7 Jan 20, 2016; Handan, China
  7. 7. 7© 2018 Philip Koopman  Supervisory human process:  First detect AV problem; then react  Driver awareness of AV state  Does AV see a pedestrian?  Is AV planning to avoid obstacle?  Is AV accurately displaying its intended plan?  Difficult Human-Computer Interaction problem  Driver situational awareness  Must intervene before it’s too late to recover Keeping the Safety Driver in the Loop Edge Case Research
  8. 8. 8© 2018 Philip Koopman Safety driver(s) attentive  Safety driver training, qualification  Real-time driver alertness monitoring  Review of driver performance data Effective safety driver reaction  Leave margin for recovery  Don’t paint human driver into a corner AV disengagement mechanism really works  Follows safety engineering practices (ISO 26262) Example Safety Argument Sketch https://goo.gl/dBdSDM
  9. 9. 9© 2018 Philip Koopman  Two drivers above 25 mph  Can help with driver attentiveness  Written safety plan  Safety driver training objectives  Quality control that plan is followed  Disengagement complies with standards  For example, ISO 26262 safety standard  But, no independent checks and balances  Unable to get industry consensus in 90 day window July 2018 PennDOT Guidance https://goo.gl/1xnU1n
  10. 10. 10© 2018 Philip Koopman  Need more than “Trust Us” for safety  No need to disclose proprietary autonomy technology  Written, public safety case 1. Safety driver is paying adequate attention 2. Safety driver has time to react if needed 3. AV disengagement/safing actually works  Essential next steps  Independent checks and balances – Show someone else the data!  Road testing of autonomy with no driver Summary https://goo.gl/YUC5oU

×