When a panel of experts at SAE China's AV conference were asked "which data or lessons are you willing to share with other automakers?" The question induced a long uncomfortable pause.
SHENZHEN, China — Experts in autonomous driving from many of the leading automotive OEMs gathered at the SAE China’s Automated Vehicle Security & Safety Technology Conference here this week to report on their progress with autonomous vehicle (AV) safety standards. Several years into the development of AVs, the experts detailed how to conform to various safety standards. A few also questioned if China's new EV startups have had enough time to digest standards, let alone putting a fundamental safety-by-design process in place.
The road to safe autonomous vehicles (AVs) has proven much tougher, and now looks a lot longer, than anyone in the AV industry anticipated just a few years ago.
On one hand, some car OEMs have cleared a hurdle by making AVs that conform to functional safety and security standards. On the other, developers’ desire to win the AV race is so fierce that most are now competing on safety claims — and that's an issue too.
At the conference, speakers offered presentations focused on automotive safety/security standards that range from functional safety (ISO 26262) to Safety of the Intended Functionality (SOTIF, or ISO/PAS 21448) and cybersecurity (ISO/SAE 21434). Many speakers also spent time connecting the dots among various standards, emphasizing that they are not isolated.
Pang Sung-Hoon, a specialist at the China FAW Group, discussed the significance of harmonizing ISO 26262 and SOTIF in his team’s first L3 Autonomous Vehicle design, which he said is near completion.
Matt Thrasher of Ford Autonomous Vehicles spoke about leveraging Systems Theoretic Process Analysis (STPA) for SOTIF and how best to use a model-based approach to facilitate early verification via simulation.
Timo van Roermund, director of automotive security at NXP Semiconductors, stressed that no carmakers can achieve safety without security. He said safety and security must be addressed at all levels from IC level to domain architecture and mobility services.
China today reportedly has close to fifty car OEMs, only ten classified as traditional automakers. Most are new EV startups. Many, including the newcomers to the automotive industry, appear to be cramming hard on the nuances and advancements of functional safety and security standards.
Nailing down functional standards is the first phase. AV developers in China are pushing toward phase two, as they engage in simulations, in test courses and on public roads — just like their peers in the United States.
During the SAE China conference, I moderated an AV system safety panel that included some of Asia’s most experienced automotive industry pros. One of the first questions I asked: “Of all the things you are learning from AV testing, which data or lessons are you willing to share with other automotive companies?”
The question induced a long pregnant pause. My panelists looked at one another uncomfortably. Finally, a few murmured that data sharing wouldn’t make financial sense. They explained that with each company investing so much in its own AV testing, why should they share the fruits of their research?
My perception was that each company believes that if it does enough testing, it can be the first to roll out commercial AVs. I asked a follow-up: “How do you know when you're done testing? How will you know your AVs are safe enough for commercial launch?”
In other words, when is enough testing enough?
Again, panelists strenuously avoided eye contact and kept mum. The audience also fell silent.
‘Safety shouldn't be a competitive advantage’
Michael Krutz, president of Wind River’s Japanese subsidiary finally spoke up. He said, “Actually, you’re never done with testing. Testing is a continuous process.”
Further, Krutz declared: “Every car should be safe. Safety shouldn't be a competitive advantage.”
Panelist Chengliang Yin, vice dean of Institute of Automotive Engineering at Shanghai Jiao Tong University, explained that China recently began issuing licenses to AV testing vehicles. Citing a glut of AV developers who want to do public road testing, he explained the importance of requiring permits before certain AV testing vehicles can hit the road. Yin acknowledged his role in designing the licensing system.
Will AVs then need to get licenses before commercial launch in China? Yin said no, that's not part of the plan. “We are talking about test vehicles.”
Ted Haung, CTO of Jiangling Motors, acknowledged that some information exchange is happening among members of an automotive alliance to which his company belongs. But in general, data sharing is sparse, he said, because data collection costs so much.
Krutz's suggestion that carmakers shouldn’t compete on AV safety resonated with both the panel and the audience.
A global problem
Jiangling Motors’ Huang noted that even SOTIF offers nothing like “standard sensor suites.” He acknowledged, “We are moving into uncharted territory in the AV business, with no bible, no guidelines for safety.”
Having no yardstick to assure themselves when their AVs are ready to go commercial isn’t a uniquely Chinese problem. It’s universal.
Phil Magney, founder and principal advisor at VSI Labs, told us, “There is no official standard or benchmark for certifying the safety of a highly automated vehicle.” A robo-taxi developer, for example, must determine unilaterally its vehicle is safe enough to deploy. “At the moment this is up to them.”
Put more bluntly, this is a classic model of the corporate “Trust Us” ethos, noted Phil Koopman, co-founder and CTO of Edge Case Research.
Of course, there are safety standards and guidlines already in place to deal with functional safety (ISO 26262) and ADAS safety (ISO/PAS 21448), Koopman added. “They apply to fully autonomous vehicles as well, but don’t cover everything needed.”
Even more troubling to Koopman is that “in the United States, there is no requirement to conform to even these standards. Most (not all) AV companies in fact do not claim conformance. Some companies do a roll call of safety standards in their public messaging, but we have no way of knowing what those statements really mean.”
Another issue that concerns Koopman is lack of oversight. He said that even if car OEMs decide when they are ready, it is in fact “up to companies to decide what checks and balances (if any) are placed on that decision-making process.” He said, “Some states have an approval process, but the ones I have seen from the United States are much more about administrative and logistic matters, not technical substance. The technical judgment calls are still at the discretion of the companies. The companies self-determine when they are ready without any independent technical oversight.”
Knowing where to collaborate
There is a huge distance between developing an AV compliant to safety and security standards and turning it into a safe-enough commercial AV.
First, the AV industry must “decide on areas to cooperate and compete,” said automotive consultant Juan Pimentel, one of the speakers at SAE China's conference. He suggested that AV designers also need to define a “worthwhile project.” A well-defined project is essential for them to build “a true partnership,” he said.
But, on what — exactly — should AV developers collaborate?
Right now, deciding on AV safety is up to individual companies. Koopman observed that these companies are having to create their own measurements internally. “Since the industry is not keen on sharing, there is a lot of duplication of effort, and no transparency as to whether the metrics are appropriate,” he added. Clearly, these confidences and redundancies are areas where the industry can collaborate to advance AV safety.
In Magney's opinion, the key to AV safety is “all about quality of coverage.”
That means, he explained: “Have you covered every conceivable situation and condition from which that vehicle will be exposed?” He said, “Any tool that can manage the quality of coverage and provide the supporting metrics will be the key.”
By “any tool,” Magney means “a tool chain supported with the best test scripts, the best scenario generator, the best physical models, the best environmental models.”
Ziv Binyamini, CEO of Foretellix, claims his company provides “a platform that enables the definition and measurement of such a benchmark.” This includes “definition and objective measurement of the verification plan, and within it the scenarios and their variants that need to be covered.”
But even the Foretellix platform could use developer collaborations, if it hopes to offer “definition and objective measurement of the various safety criteria.”
In the end, badly needed are fundamental changes automakers must make in the way they design AVs, pointed out Wind River's Krutz. The industry-wide cooperation in the best practices is a must.
"We should also leverage what other industries have already learned," Krutz added. When Boeing 737 MAX was found to have design flaws, Airbus never went out of its way to tout that Airbus is safer than Boeing. "It's because all airplanes must be safe. Safety shouldn't be a differentiator," he said.
If AV developers can't assure themselves of the safety of their AV models, "None of them can put their AVs on the commercial market," concluded Jiangling Motors' Huang.
When GM’s autonomous vehicle (AV) unit Cruise announced early July a decision to delay large-scale robo-taxi deployment originally planned for late 2019, GM won applause for doing the right thing. But if automakers are serious about selling AV safety to consumers — who don't trust self-driving vehicles — it’s time to acknowledge they’re still going it alone, flying blind and have no effective safety yardstick common to all AV developers.