At the World Knowledge Forum in Seoul, South Korea, Mobileye CEO and Intel Senior Vice President Amnon Shashua presented a white paper titled “On a Formal Model of Safe and Scalable Self-driving Cars,” which described a mathematical formula for ensuring that a self-driving vehicle operates in a responsible manner and does not cause accidents. An Intel press statement described the approach as a “common sense of fault” using mathematical equations.
Mobileye’s proposed “Responsibility Sensitive Safety” (RSS) model provides specific and measurable parameters for the human concepts of responsibility and caution. It defines a “Safe State,” where the autonomous vehicle cannot be the cause of an accident, no matter what action is taken by other vehicles. RSS also defines a “Default Emergency Policy,” a concept that defines the most aggressive evasive action that an autonomous vehicle can take to maintain or return to the Safe State.
The company claims that the use of RSS in autonomous vehicles will result in a three-orders-of-magnitude improvement in traffic fatalities: one fatality for every billion hours of driving vs. the human-driven vehicle rate of one traffic fatality for every one million hours of driving (i.e., a US traffic fatality rate of about 40 per year compared to about 40,000 in 2016).
Mobileye acknowledges that complete avoidance of every accident scenario is impossible (in Fig. 1, for example, one of the human-driven cars on the outside makes an error and cuts in on the blue autonomous vehicle), and that any useful autonomous vehicle will be involved in situations that may lead to accidents, including mechanical failure and external forces. The answer, it believes, lies in setting clear rules for fault in advance based on a mathematical model. This approach attempts to formalize the set of driving scenarios, concepts of priority and give/take (e.g., yield) and equations involving speed, distance, etc. that combine into a formal mathematical model for determining fault.
Mobileye has coined the term “Cautious Command” to represent the complete set of commands that maintains the Safe State. RSS sets a hard rule that the autonomous vehicle will never make a command outside of the set of Cautious Commands, ensuring that the planning module itself will never cause an accident.
As an example, Mobileye presents the case of two cars driving in the same lane, one behind the other, along a straight road (Fig. 2). If the front car brakes and the rear car cannot brake in time, the accident clearly is the fault of the rear car. RSS can calculate the exact distance corridor that the following car (blue) must leave to the lead car (red) to be in a Safe State. This calculation depends on data for certain variables, such as the difference in velocity between the two cars, which will be provided with high accuracy by the various sensors in the autonomous vehicle.
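The same-lane case and the Cautious Command rule can be sketched as follows. This is an added example, not code from Mobileye or from this article: the distance formula is the longitudinal safe-distance rule as published in the RSS white paper, while the parameter values, the function names and the one-step lookahead used to filter commands are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RssParams:
    # Assumed illustrative values; the article gives no numbers.
    response_time: float = 0.5  # s, rear car's reaction delay
    accel_max: float = 3.0      # m/s^2, rear car's worst-case acceleration during the delay
    brake_min: float = 4.0      # m/s^2, braking the rear car is guaranteed to apply afterwards
    brake_max: float = 8.0      # m/s^2, hardest braking the front car may perform

def safe_distance(v_rear, v_front, p=RssParams()):
    """Minimum gap (m) at which the rear car cannot hit a maximally braking front car."""
    rho = p.response_time
    v_after = v_rear + rho * p.accel_max           # rear speed once the delay has elapsed
    rear_travel = (v_rear * rho + 0.5 * p.accel_max * rho ** 2
                   + v_after ** 2 / (2 * p.brake_min))
    front_travel = v_front ** 2 / (2 * p.brake_max)
    return max(0.0, rear_travel - front_travel)

def is_safe_state(gap, v_rear, v_front, p=RssParams()):
    return gap >= safe_distance(v_rear, v_front, p)

def cautious_commands(candidates, gap, v_rear, v_front, dt=0.1, p=RssParams()):
    """Keep only acceleration commands whose next state is still safe.

    Simplified one-step lookahead (an assumption of this sketch): during dt the
    rear car applies the command while the front car brakes as hard as allowed.
    Travel uses the average speed over the step, which is slightly off if a car
    stops mid-step.
    """
    v_front_next = max(0.0, v_front - p.brake_max * dt)
    front_move = 0.5 * (v_front + v_front_next) * dt
    allowed = []
    for accel in candidates:
        v_rear_next = max(0.0, v_rear + accel * dt)
        rear_move = 0.5 * (v_rear + v_rear_next) * dt
        next_gap = gap + front_move - rear_move
        if is_safe_state(next_gap, v_rear_next, v_front_next, p):
            allowed.append(accel)
    return allowed

if __name__ == "__main__":
    # Constructed scenario: both cars at 20 m/s (72 km/h), 45.5 m apart.
    print(safe_distance(20.0, 20.0))
    print(cautious_commands([-4.0, 0.0, 3.0], 45.5, 20.0, 20.0))
```

With these assumed parameters the planner may brake or hold speed at a 45.5 m gap but may not accelerate, and at 44 m only braking remains in the cautious set.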
What if the front car in Fig. 2 performs a reckless cut into another car’s trajectory and the rear car then hits the front car from behind? Mobileye says RSS is equipped to deal with this scenario using the same principles. Based on a set of variables, a safe corridor exists around the autonomous vehicle (Fig. 3). If the human-driven vehicle (the red car in Fig. 3) violates that corridor before the collision occurs, it is that vehicle’s fault. Conversely, the autonomous vehicle can continuously calculate the safe corridor around other vehicles and will never make a command that violates that space.
Since the autonomous vehicle has a set of highly accurate sensors, with 360-deg. vision and fast reaction times, parameters such as road conditions and available braking power can be analyzed from the data available to evaluate the exact environment before and when the collision occurred. In combination with the formal rules for determining fault, this data can be used to quickly and conclusively determine responsibility, according to the company.
While the RSS decision-making software is designed to not allow decisions that would result in an accident that would be blamed on the autonomous vehicle’s driving policy, there could still be accidents caused by mistakes of the sensor system or mechanical failure. Here, the company proposes a Sensor Fusion system that includes three independently engineered systems, each relying on different technologies: 1) camera; 2) high-definition map; and 3) radar and LIDAR. Mobileye claims the system can be validated to a minuscule error rate with a “very reasonable data set of real-world miles driven—specifically 100,000 hours.”
Intel reports that it and subsidiary Mobileye have already begun work with BMW on a nonexclusive platform for autonomous vehicles that follows these concepts.