A path to safe teleoperation of autonomous vehicles
The greatest contribution autonomous driving (AD) can bring to everyday lives is reducing road fatalities and increasing vehicular safety for everyone—drivers, passengers, and pedestrians. To test, validate, and improve new vehicles, the automotive industry has followed rigorous processes that are considered among the best in the world.
At Ottopia, we strongly believe in the potential of autonomous driving to increase road safety. Our work with customers and partners in the automotive industry inevitably leads to this topic—not just for our product or a particular use case, but for teleoperation across a broad range of applications and for autonomous vehicles in general.
Teleoperation means a human can remotely intervene when autonomous vehicles need assistance. Delivering safe teleoperation is our mission. Before delving into the details of our approach, we thought it convenient to put teleoperation safety in the broader context of AD safety.
Current state of autonomous driving safety: a brief take
Today’s safety frameworks and requirements will be necessary, but not sufficient, guarantees for AD safety: Autonomy is a major paradigm shift in human mobility, and therein lies the challenge in regulating its safety. The industry will need to transition from building safe and reliable products, and holding human users to account for their safe operation, to developing far more complex systems offering a service that is safe to use.
There are different layers of safety to be achieved and those will need to work in concert to guarantee safety for the full system. Recent advancements in electronic components that enable better sensing, computation, and connectivity are the foundation of today’s autonomous vehicles. The industry will need to meet safety requirements for these components individually (e.g., functional safety standards like ISO 26262), but also develop, collaborate on, and finalize other novel requirements.
The notion that human driving decisions can be replaced by a vehicle itself is a far greater change than better sensors or better chips. Doing this safely requires that the hardware such a system runs on be tested for reliability (not unlike the aerospace industry). But this is evidently not enough; minimizing failure in the hardware does not guarantee that driving decisions themselves are safe, reliable, and robust to myriad scenarios.
Functional safety will be a necessary but insufficient framework for AD safety regulation. Additional frameworks such as SOTIF (Safety of the Intended Functionality) (https://bit.ly/3dE39Qm) and UL 4600 (https://bit.ly/3bwSO7s) are being developed.
Teleoperation will be within the scope of AD safety, and a requirement in key markets: AD safety will be a broad field that will involve hardware reliability, software simulation and verification, and many other topics. Teleoperation will be no exception, and while there are no finalized public guidelines on how this subsystem will be treated, there is a growing body of evidence that it will form part of regulatory frameworks in key markets.
In the context of self-driving vehicles, high-level guidelines for teleoperation are being codified around the world at the national, state, and local level. At Ottopia, we have covered some of the major developments on that topic (https://bit.ly/3dMxTi0).
As regulatory bodies assert their priorities, teleoperation will have its own requirements. These will be a result of both general AD safety frameworks that govern any AD-related system, and of challenges that are specific to teleoperation.
Three takeaways for teleoperation safety
Functional safety is a good starting point: Functional safety verification of a teleoperation system is critical. Just as with any other safety-related electronic system, understanding risk levels and probabilities of failure is necessary. After all, like most other systems in an autonomous vehicle, the integrity of the system relies on the integrity of its hardware components.
Teleoperation has unique limitations that drive specific requirements and solutions: There are specific limitations inherent to remote human assistance and control, which need to be effectively addressed by a teleoperation system.
- Situational awareness: The sensory information available to a remote operator can approximate, but never really match, the exact set of information that is available to in-vehicle drivers.
- Network latency: To exchange information between a vehicle and a remote operator, a data connection is needed. However that connection is made, it will be subject to some lag between what would be observed from inside the vehicle and what is observed remotely.
- Network reliability: Similarly, any system or technology used to carry data can be subject to variable performance, whether it’s 4G, 5G, or even 6G cellular networks. Any network has limitations, whether it be bandwidth, reliability, or competing traffic.
- Human error: Just like the millions of in-vehicle drivers on roads today, that remote operator can experience fatigue, distraction, or simply make mistakes.
Together, these limitations have specific implications for safe teleoperation, and must be addressed in a teleoperation system to be considered adequately designed and developed.
Teleoperation is safest when taking full advantage of the AD system’s capabilities: One important principle in enabling safe teleoperation is to take advantage of the resources available to the entire AD system. To operate autonomously, a vehicle contains sensing and computing capabilities that are unprecedented in the automotive and robotics worlds.
In the event that remote human assistance or intervention is needed, key elements of the AD stack should be used in service of safety. In other words, if the vehicle has a state-of-the-art sensing and computing stack, a teleoperation system should take advantage of it.
Today’s AD stacks offer their developers a toolkit for enabling safe autonomy, and those same stacks can enable safe teleoperation. But these are still toolkits—ingredients and components rather than recipes. They vary from company to company, and they vary from operating environment to environment.
Many environments, many solutions, limited resources
Within the world of AD there are very different operating environments, often referred to as operational design domains (ODDs), that will almost certainly result in different safety and regulatory needs.
Autonomous trips that take place exclusively on federal highways will need to contend with one set of regulatory bodies, scenarios, speeds, and behaviors. Autonomous trips performed by a yard tractor or forklift within a manufacturing plant will face entirely different regulations and requirements.
As companies mature working prototypes and minimum viable products into safe, commercial autonomy solutions, shrewd prioritization and smart partnering can help them achieve a safer, viable solution faster.
And that is precisely Ottopia’s goal—to help AD companies focus on developing a safe AD stack while partnering with us for safe teleoperation.
To read more about the challenges to safe teleoperation, and how Ottopia is addressing them, we encourage our readers to visit our website at https://ottopia.tech.