The Automated Systems That Will Keep Drivers Out of Danger.
Highly automated driving functions must work safely and reliably in every situation – whether on the highway or in a multi-story car park. One of the ways developers achieve this is through ‘redundancy’; parallel systems observe the environment and decide what to do in critical situations.
A truck in front loses its load. An unloaded pallet suddenly falls onto the road and blocks the lane. What causes a moment of shock for a human driver today will be mastered with ease by the highly automated vehicles of the future. This is thanks to three parallel systems: the central planner handles normal driving operations and acts in a comfort-oriented manner. For example, it brakes and accelerates gently. The second system, the fallback planner, simultaneously calculates a trajectory that quickly manoeuvres the vehicle into a safe position if necessary. The third system, the supervisor, constantly checks whether a risk is posed by the main or fallback paths and selects the safest alternative in each case. This is why a pallet falling out of the truck unexpectedly would not be a problem for the highly automated vehicle – because even in the unlikely event that the main planner overlooked the obstacle, the vehicle would safely take evasive action thanks to the fallback planner, or stop on the hard shoulder if it were not possible to drive around it.
Porsche Engineering says it is working hard to make highly automated driving (HAD) functions safe and reliable. The crucial strategy along the way is called ‘decomposition’. Instead of the vehicle being controlled by a single system, several planners and supervisors work together in parallel. “Together, the systems achieve a much higher level of fail-safety than a single one,” explains Jan Gutbrod, team leader for the development of driving assistance systems at Porsche Engineering.
“The biggest challenge is to master every last conceivable situation,” says Albrecht Böttiger, head of the ADAS/HAD Project House at Porsche AG. In other words: the overall system must be able to cope with different vehicle types and driving styles, recognise road markings in different colours – even when they are weathered – and safely avoid known and unknown obstacles. This requires a coordinated interaction of the three subsystems, proving itself in tests and road trials.
Parallel systems have been in use in aviation for a long time. Their safety, however, critically depends on the technical design. “To achieve true redundancy, it is important not to simply copy systems,” stresses Andreas Nagler, Head of Systems Engineering and Architecture at Cariad, the Volkswagen Group’s software and technology company. That means that the instances must be technically isolated from each other, i.e. each must have its own hardware, software and data sources. This is the only way to minimise what are known as common cause errors – failures of several instances due to a single shared cause.
To achieve this technical separation, the supervisor only uses object lists to make an image of the environment. The vehicle sensors generate these lists. A radar sensor, for example, provides a list of all vehicles or objects that can be detected in the vicinity, including their direction of movement. The main and fallback planners, on the other hand, do not work with object lists, but with the raw data from the sensors, for example point clouds from laser scanners (LiDAR). In addition, some components access map data – which the supervisor does not.
Data processing also differs between systems. Main and fallback planners, for example, apply what is known as sensor data fusion: if only a single sensor reports an object in the space, while all other sensors explicitly do not, the algorithm of a sensor data fusion may decide to assess this signal as a false detection and to discard it. The supervisor, on the other hand, considers all sensors strictly separately. The different functional principles of the individual systems ensure that each can form its own picture of the situation. The combined strengths of the systems ensure a safe response.
The supervisor's task is to check the paths calculated by the main and fallback planners for possible risks. For this purpose, it constantly generates forecasts with different time horizons. A so-called ‘ballistic approach’ can be used for the immediately upcoming metres of travel: the supervisor assumes that the objects will maintain their direction of motion and velocity due to inertia and mass. A second forecast extends several seconds into the future.
To predict traffic events so far ahead, highly complex software with thousands of parameters is required. Among other things, speed, road surface, weather conditions, historical motion profiles of surrounding road users and stationary cars are considered. This forecast forms the basis for the decision that now follows: “the supervisor puts the trajectories of the path planners into its future scenario,” Gutbrod explains. If, for example, the ‘sovereignty zone’ around the vehicle, into which no object is allowed to enter, were to be violated on the planned course, the supervisor would veto this and initiate a path change. It “throws off a planner” as the developers put it.
In doing so, the planning software must be carefully calibrated. If the supervisor classifies the criticality of potential hazard scenarios too high too quickly, the vehicle can act too cautiously and therefore also unsafely. Developers call this effect ‘too soon too safe’. If this occurs, the brakes are applied much too early. The supervisor must also recognise emergencies in which a path change would only cost unnecessary time and possibly have negative effects.
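The supervisor logic described above, as an added illustration that is not code from Porsche Engineering or Cariad: objects from a constructed sensor object list are forecast ballistically, each planner's trajectory is checked against a sovereignty zone of a given radius, the main path is preferred, a violating path is vetoed, and a safe stop is requested only when both paths are vetoed. The scenario (ego speed, pallet and truck positions, the 3.5 m lane change) and the function names are assumptions; running it with a 4 m radius instead of 2 m also shows the ‘too soon too safe’ effect, where an over-cautious zone vetoes a fallback path that passes 3.5 m clear of the pallet.

```python
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Obj:
    """Entry from the sensor object list: position (m) and velocity (m/s)."""
    x: float
    y: float
    vx: float
    vy: float

Point = Tuple[float, float, float]  # (t in s, x in m, y in m) on the ego path

def ballistic_forecast(obj: Obj, t: float) -> Tuple[float, float]:
    """Ballistic approach: the object keeps its heading and speed (inertia)."""
    return obj.x + obj.vx * t, obj.y + obj.vy * t

def first_violation(traj: List[Point], objects: List[Obj], radius: float) -> Optional[float]:
    """Time at which the ego path first enters any object's sovereignty zone, else None."""
    for t, x, y in traj:
        for obj in objects:
            ox, oy = ballistic_forecast(obj, t)
            if math.hypot(x - ox, y - oy) < radius:
                return t
    return None

def supervise(main: List[Point], fallback: List[Point], objects: List[Obj], radius: float) -> str:
    """Prefer the comfort-oriented main path; veto it on a zone violation and use the
    fallback path instead; if both are vetoed, request a safe stop."""
    if first_violation(main, objects, radius) is None:
        return "main"
    if first_violation(fallback, objects, radius) is None:
        return "fallback"
    return "safe_stop"

# Constructed scenario (assumption): ego drives at 20 m/s along x, lane centre at y = 0.
EGO_SPEED = 20.0
TIMES = [i / 10 for i in range(31)]  # 3 s horizon in 0.1 s steps
# Main planner keeps the lane at constant speed (it has overlooked the pallet).
MAIN_PATH = [(t, EGO_SPEED * t, 0.0) for t in TIMES]
# Fallback planner: same speed, 3.5 m lane change completed within 1 s.
FALLBACK_PATH = [(t, EGO_SPEED * t, min(3.5, 3.5 * t)) for t in TIMES]
# Constructed object list: pallet at rest 31 m ahead, truck 45 m ahead at ego speed.
OBJECTS = [Obj(31.0, 0.0, 0.0, 0.0), Obj(45.0, 0.0, EGO_SPEED, 0.0)]

if __name__ == "__main__":
    print("2 m zone:", supervise(MAIN_PATH, FALLBACK_PATH, OBJECTS, 2.0))  # fallback
    print("4 m zone:", supervise(MAIN_PATH, FALLBACK_PATH, OBJECTS, 4.0))  # safe_stop
```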
It is also important to keep an eye on the specified dynamic driving limits with all measures. If – as in the highway example – an obstacle suddenly appears, the systems must react so quickly that there is still time to brake comfortably. In the future, paths could, for example, have the option of raising an “emergency flag,” Gutbrod says. “In this case, planners could ask the supervisor to enable measures beyond the currently set limits.”
Automated parking has to cope with unexpected situations of a completely different kind. Cariad demonstrated what this new function will be able to do in the future at IAA Mobility last September: the driver of a Porsche Cayenne E-Hybrid dropped off their SUV in a special transition zone in the car park and issued the command to park via smartphone. The Cayenne then started moving towards the parking space.
If the driver wishes, the car will first drive to a charging station, where a robotic arm with a charging plug will automatically dock. Then it will automatically move on to the actual parking space. If the driver needs the car again, they can call it back to the transfer zone via the app. The advantages for the driver: the time-consuming search for a space and manoeuvring are eliminated, and they can also use the time for recharging.
In principle, automated parking can be implemented in two ways: either the vehicle steers itself to the parking space or the surrounding infrastructure takes over the controls. In the latter case, the parking system would give the vehicle the path via radio signals and accelerate or decelerate it as appropriate. The Cariad demonstration at IAA Mobility took this approach. Which of the two options will prevail in automated parking in the long run remains to be seen. “Control via the infrastructure is easier to implement and secure,” explains Böttiger. “On the other hand, vehicle-based automated parking allows more car parks to be used.” Therefore, it is conceivable that there will be a long-term trend towards complete autonomy, including in car parks.
If, on the other hand, parking is controlled by the infrastructure, redundant systems must be used here – just as in the vehicle itself. The parking control system should therefore work with several parallel instances. In this way, emergencies could be safely managed, for example pedestrians appearing suddenly in front of the car. This is to be expected, as autonomous and conventional vehicles will continue to share car parks for some time to come.
Ensuring safety is a task for everyone involved. “We will be closely examining the algorithms of the infrastructure operators,” says Sebastian Reikowski, project manager for parking systems at Porsche Engineering. However, to implement externally controlled parking safely, extensive adjustments are also necessary in the vehicle. “All communication with the infrastructure via 5G or WiFi must be encrypted to prevent unauthorised access,” explains Reikowski. If the radio connection breaks down, the vehicle stops automatically. An emergency stop concept is also needed: if the primary braking system fails, a secondary system would have to kick in and ensure a safe stop. One idea would be to use the recuperation power of the electric motor in conjunction with the parking brake and parking lock.
Further coordination work is needed for a common communication standard – only then could it be possible for vehicles from all manufacturers to use the parking service. A standard defining an interface between vehicles and infrastructure is already in the works (ISO 23374). “In addition, lawmakers still have to define at what point responsibility is transferred from the vehicle to the infrastructure – at what point the parking garage would have to be liable for damage, for example,” adds Reikowski.
As with highly automated driving in general, continuous improvement will be essential. “A new mindset is needed: the software of vehicles will be continuously developed in the future – much like smartphones today,” emphasises system architect Nagler from Cariad. The vision of this data-driven development: fleets of test vehicles will continuously collect data and transfer it to the cloud. There, the information will be used to improve HAD algorithms. This creates what is known as a “big data loop”. A special algorithm in the test vehicle, called the Scene Selector, detects unusual situations or scenarios that have not yet occurred and transmits them to a central server. There, the scenes are used further to train the neural network of the cut-in detection system. “This continuous learning is the path to robust systems,” Nagler emphasises.