Intel: Pushing for Higher Safety Standards

Article By : Junko Yoshida

Intel’s Weast chairs a group building a model around RSS to answer an ‘uncomfortable’ question.

Intel is pushing for Responsibility-Sensitive Safety (RSS), a mathematical model for autonomous-vehicle safety conceived by Mobileye (now an Intel company), to become an IEEE standard.

The company is spearheading a new working group, IEEE P2846, to pursue “A Formal Model for Safety Considerations in Automated Vehicle Decision Making.” The group’s first meeting is scheduled for late January in San Jose, Calif.

More specifically, the working group seeks to enable industry and government to “align on a common definition of what it means for an automated vehicle to drive safely balancing safety and practicability.”

Intel sees the initiative as a way to encourage autonomous-vehicle industry to ask — and grapple with answering — the hardest question of all in the AV era: How safe is safe enough?

It’s the AV industry’s “most uncomfortable topic,” working group chairman Jack Weast, Intel’s senior principal engineer and Mobileye’s vice president for autonomous vehicle standards, said in an interview with EE Times earlier this week.

2019 was the year leading car companies such as GM Cruise and Daimler announced delays or plans to scale back in their push toward robotaxis. The retreat made AV safety the central issue for the industry.

As safety insinuates itself into the conversation, some in the AV industry — who have resisted sharing any meaningful data with others in pursuit of winning the race to full autonomy — are coming to the table. They recognize that safety standards development for autonomous vehicles and systems must be a collaborative affair.

Is There Math for ‘Drive Cautiously’?

More safety standards in the offing

IEEE P2846 is not the only group taking on the nettlesome subject. A draft of UL4600, a “Standard for Safety for the Evaluation of Autonomous Products,” is publicly available and is being voted on right now. The ballot period closes Jan. 27.

“If we have consensus, we will move into comment resolution and recirculation,” Deborah Prince, program manager at Underwriters Laboratories, told EE Times. “I think we are still on target for publication in first-quarter 2020.”

Separately, IEEE in January will kick off another working group, IEEE P2851, with a goal to develop “Exchange/Interoperability Format for Safety Analysis and Safety Verification of IP, SoC and Mixed Signal ICs.”

Then there is ISO/PAS 21488, known as SOTIF. The standard focuses on guaranteeing the safety of the intended functionality in the absence of a fault. It thus stands in contrast to traditional functional safety, which aims at mitigating risk due to system failure. ISO 26262 is a functional-safety standard.

Also, SAE International, along with Ford, General Motors (GM) and Toyota, earlier this year launched the Automated Vehicle Safety Consortium (AVSC) to safely advance testing, precompetitive development, and deployment of SAE Level 4 and 5 automated vehicles.

As Intel’s Weast told us, “Certainly, one [safety] standard can’t cover everything. We can use 10 standards or more!” The other emerging safety standards for autonomous vehicles “are totally complementary” to the IEEE P2846 effort, he added.

What about perception?

Asked about IEEE P2846, Phil Koopman, CTO of Edge Case Research and assistant professor at Carnegie Mellon University, told us, “I think this is a very positive development. Standardizing things like how to handle the physics of vehicle interactions is a good idea.”

Koopman noted, however, that IEEE P2846 provides just a part of what “safe enough“ means in terms of vehicle motion control, given that perception and related functions are working properly. “This is important and very useful, and I’m delighted to see the group announced. But it is also important to realize that by design, this standard as currently described leaves it to some other standard how to establish the perception parts of ‘safe enough.’ ”

IEEE will depoliticize RSS

Asked about RSS, Ian Riches, vice president of the global automotive practice at Strategy Analytics, told us, “I’ve seen quite a lot of support, [for example, from] Valeo, Baidu, and China ITS. I haven’t really seen any out-and-out criticism. The most common not-entirely-positive reaction has been the usual concern and set of ‘political’ questions/worries when a solution is proposed by a single industry player. What are their motives? Does this change the competitive landscape? Who are the winners and losers? Regardless of whether or not this is a good technical idea, does it make business sense for me to join in?”

The creation of a working group eases those concerns, Riches said. “The decision [for Intel/Mobileye] to take it to IEEE pretty much overcomes all of those issues, and effectively de-politicizes it.”

One-on-one with Jack Weast

EE Times: I remember that Mobileye always talked about their desire to turn RSS into an industry standard. What took you so long?

Jack Weast, Intel’s senior principal engineer and Mobileye’s vice president for autonomous vehicle standards

Jack Weast: First, we’ve been looking for the right home for this standard. As you know, RSS requires math; it’s a formal mathematical model to prove the safety of autonomous vehicles decision-making. It’s not a lightweight standard.

EE Times: So why did you choose IEEE?

Weast: First, IEEE has a strong international reputation. It’s not just limited to the United States. Second, IEEE can handle detailed technical standards. Third, IEEE is uniquely positioned, as it is equipped with conformance test abilities. It can offer tools and assessment for companies [participating in standards activities] to see if their implementations match the spec.

EE Times: When a company places a project application request with IEEE, it usually needs sponsors.

Weast: Yes, IEEE P2846 is jointly sponsored by The IEEE Computer Society and The IEEE Vehicle Technology Society. Our PAR [Project Application Request] just got accepted in the first week of December. I will be the chair of the group. As with any IEEE standards groups, this will be a process open to anyone who wants to join. I just sent out an invitation this week.

EE Times: You’re planning to move ahead quickly with IEEE P2846, I suppose. When do you see the standard coming together?

Weast: The speedy process for standardization was another reason why we chose to work with IEEE. Compared to other standard-setting organizations such as ISO, which could take five to six years for updating the standard, IEEE can move much more quickly. I would like to see the 1.0, the first published version of the standard, by the end of 2020 or early 2021.

EE Times: As I said earlier, Mobileye has been floating the idea of turning RSS into the industry standard for some time. What sorts of reactions has Intel/Mobileye gotten on RSS thus far?

Weast: Yes, our end goal has always been making RSS into a standard. This is a side note, but China ITS [Intelligent Transportation Systems] just recently approved of mandating RSS 1.0 in China … So we’re already getting a lot of feedback from the industry.

EE Times: For example?

Weast: Since we published RSS, we’ve received a lot of positive support, along with some suggestions. Based on the suggestions, we’ve improved parts of our RSS — including things like coefficient frictions, braking capabilities that are likely to vary on different surfaces of roads [wet, snow, etc.], and other dynamic features of traffic.

So, first, we are making our RSS a starting point, and we are hoping to get smarter about it.

Second, we received positive responses from companies who told us that they, too, have developed ideas that are similar to RSS for internal use. They said they can’t wait to join us and share ideas.

Third, we understand that the toughest thing of all for the industry to do is to pick the numbers.

EE Times: I remember that in our previous interviews, you told me, “How do you make [being] cautious ‘machine interpretable,’ and how do you explicitly define it?”

You explained: “Human drivers can intuit these sorts of things, but to make human intuition comprehensible to a machine we need to formalize it mathematically, define it, and pick the number behind the definition — whether the result is deemed a ‘safe speed’ in a certain neighborhood or a safe following distance for AVs.” Is that what you mean by picking the numbers?

(Source: Intel)

(Source: Intel)

Weast: Yes. We need to strike a good balance here. We are most likely to publish [as an] appendix to the standard some numbers that can be used in assessing how safe is safe enough.

EE Times: That’s the crux of the issue, isn’t it? How do you define safety?

Weast: Yes, that’s the most uncomfortable topic for everyone. We all want to say that autonomous vehicles will mitigate traffic accidents, but there are limitations to the statement for non-zero chance of AV accidents. The truth is that there will be an accident. Of course, our goal is to make the chances for accidents as low as possible. But you can’t start AV development from the zero-accident position or by thinking one accident is one too many.

EE Times: How do you expect those in the AV industry to use IEEE P2846?

Weast: Several ways. First, people can implement the standard — logical rules, etc. — in their own software stacks.

For those who already developed their own stacks, they can leverage the standard’s conformance test capabilities.

We think IEEE P2846 is necessary because the decision-making capability of the AV’s computer is mostly hidden. A collection of artificial-intelligence algorithms, stored in a black box, is driving this capability.

In other words, the black-box nature of an AV’s driving policy makes it nearly impossible to comparatively judge the safety of the different vehicles.

IEEE P2846 is a technical neutral standard, and it is not married to specific chips or sensors. Still, the industry should be able to implement safety conformance in their autonomous vehicles.

So we believe that IEEE P2846 will be a useful tool for government regulators to see if autonomous vehicles are driving safely.

EE Times: Do you think conformance to IEEE P2846 will be mandated by regulators?

Weast: Each country has different regulatory systems. For example, in the United States, self-certification is the name of the game. But we believe that the new standard will be useful for third-party assessors.


Leave a comment