Session: 14-04-01: Reliability and Safety in Transportation Systems
Paper Number: 69313
Start Time: Tuesday, 10:05 AM
69313 - A Hybrid Methodology for Risk Mitigation During Development of Safety-Critical Autonomy Features
The autonomous vehicle industry faces a novel problem: the technology requires rapid prototyping and iteration, with testing in a relevant environment (public roads), all while maintaining a high safety standard to protect the public during that testing. Because the field is relatively nascent, engineers developing self-driving technology are pioneering solutions to complex problems, and they need frequent performance feedback to learn whether their algorithms are performing the driving task competently. Further, because of the complexity of self-driving systems, it is usually lower risk to test small, incremental changes frequently than to delay testing and accumulate large, complex changes to the algorithms. Simulation and closed-course testing are useful and critically important tools, but public-road driving is ultimately a necessary testing environment to truly understand system performance and identify potential edge cases. Keeping the public safe while performing this necessary incremental testing is of paramount importance for the self-driving industry.
Safety-critical industries with long design and production cycles, such as aerospace or nuclear systems, typically use Waterfall development methodologies to ensure system performance, reliability, and safety. Waterfall approaches have a long and intensive period of architecting the system and developing detailed requirements, with very little flexibility once the project enters the implementation phase. This method is best suited to fields where the system has to perform exactly as intended in a fairly deterministic environment. Waterfall methodologies have a demonstrated track record for safety, but they are inherently a poor match for the rapid prototyping and incremental testing that autonomous driving requires.
The Agile method, on the other hand, encourages a cyclical “develop and improve” mindset that allows requirements to change throughout the project life cycle. It is best suited to fields where the best solution is not known a priori and system failures typically do not have severe safety consequences, such as web development.
When it comes to maturing safety-critical autonomy features, particularly for dynamic environments such as autonomous vehicles, neither method fits: Waterfall is too slow and rigid, so code changes accumulate and developers receive insufficient feedback, while Agile is too fast and fluid, lacking the guardrails needed to ensure safety. This paper presents a hybrid methodology that strikes a balance between speed and reliability for the development and maturation of safety-critical autonomy features.
The core objective of the hybrid methodology is to provide a framework that enables rapid development of autonomous driving capabilities as distinct features while managing the implementation and operational risks. The goal is to expose new features to public roads safely and quickly, with the appropriate type and amount of testing during development. The proposed hybrid approach draws on the NASA Technology Readiness Level (TRL) framework, which is used to determine how ready a hardware system is for use in a space mission. New, never-before-used systems at lower TRLs are higher risk and merit additional attention, such as proactive risk mitigation, schedule management, and additional prototyping and testing. Technologies with more flight heritage, i.e., technologies that have flown in a relevant environment in space, are inherently lower risk and go through a more expedited process to get them ready for use in a mission. While the activities needed to mature software features for autonomous vehicles differ from those needed to mature hardware systems for space missions, the general notion of well-defined levels with associated protocols is a valuable tool. This paper presents a methodology to assess feature risk and tailor verification and validation (V&V) to mitigate those risks appropriately and ensure safety during testing. A Feature Maturity Level (FML) rubric is presented to assess the novelty of an autonomous driving feature, and Feature Risk Levels (FRL) are presented to assess its criticality. Taken together, they yield an Overall Risk Level (ORL), which maps to an associated V&V protocol to support safe development and maturation of the autonomy feature.
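The FML/FRL/ORL scheme described above lends itself to a gating check that runs before a feature is enabled on public roads. The following Python example is added here as an illustration and is not the paper's rubric: the four maturity levels, three risk levels, the combination rule, the required-evidence table, the `promote` step and the sample change set are all assumptions made for this example.

```python
# Added illustration (not the paper's rubric): how an assumed FML and FRL
# combine into an ORL that selects the V&V protocol a feature must satisfy
# before public-road testing. Every level, rule and table below is assumed.
from dataclasses import dataclass
from enum import IntEnum


class FML(IntEnum):
    """Feature Maturity Level: novelty of the feature (assumed four levels)."""
    NOVEL = 1        # exercised only in simulation
    PROTOTYPED = 2   # exercised on a closed course
    FIELDED = 3      # some supervised public-road history
    MATURE = 4       # extensive public-road history, behaviour stable


class FRL(IntEnum):
    """Feature Risk Level: criticality of the feature (assumed three levels)."""
    LOW = 1      # failure does not affect the driving task (e.g. logging)
    MEDIUM = 2   # degrades driving performance; safety driver can recover
    HIGH = 3     # directly commands vehicle motion; failure may cause a collision


class ORL(IntEnum):
    """Overall Risk Level assigned to the feature."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Assumed V&V protocol: evidence that must exist before the feature is enabled
# on public roads. A higher ORL adds stages rather than replacing them.
PROTOCOL = {
    ORL.LOW: frozenset({"simulation"}),
    ORL.MEDIUM: frozenset({"simulation", "closed_course"}),
    ORL.HIGH: frozenset({"simulation", "closed_course", "safety_review"}),
}


@dataclass(frozen=True)
class Feature:
    name: str
    fml: FML
    frl: FRL
    evidence: frozenset  # V&V stages already completed for this change


def overall_risk(fml: FML, frl: FRL) -> ORL:
    """Assumed combination rule: criticality sets the baseline and a feature
    with no public-road heritage (FML at or below PROTOTYPED) is escalated
    one step, capped at HIGH. This mirrors the TRL notion that a system
    without heritage in the relevant environment merits extra scrutiny."""
    level = int(frl)
    if fml <= FML.PROTOTYPED:
        level += 1
    return ORL(min(level, int(ORL.HIGH)))


def gate(feature: Feature) -> tuple:
    """Return (ORL, missing stages). An empty missing set means the feature
    may proceed to supervised public-road testing."""
    orl = overall_risk(feature.fml, feature.frl)
    missing = PROTOCOL[orl] - feature.evidence
    return orl, missing


def gate_change_set(features) -> tuple:
    """A code drop carries the risk of its riskiest feature: the release ORL
    is the maximum over changed features, and every feature must clear its
    own gate. Small, frequent drops keep this list short and the gaps easy
    to close, which is the argument for incremental testing."""
    release_orl = ORL.LOW
    blockers = {}
    for f in features:
        orl, missing = gate(f)
        release_orl = max(release_orl, orl)
        if missing:
            blockers[f.name] = missing
    return release_orl, blockers


def promote(fml: FML) -> FML:
    """Raise maturity one level after a stage completes successfully, so
    later iterations of the same feature face a lighter protocol (heritage)."""
    return FML(min(int(fml) + 1, int(FML.MATURE)))


if __name__ == "__main__":
    # Constructed sample change set (hypothetical feature names).
    drop = [
        Feature("lane_keep_tuning", FML.MATURE, FRL.HIGH,
                frozenset({"simulation", "closed_course", "safety_review"})),
        Feature("new_merge_planner", FML.NOVEL, FRL.HIGH,
                frozenset({"simulation"})),
        Feature("telemetry_logging", FML.NOVEL, FRL.LOW,
                frozenset({"simulation"})),
    ]
    orl, blockers = gate_change_set(drop)
    print("release ORL:", orl.name)
    for name, missing in blockers.items():
        print(f"  {name}: blocked, missing {sorted(missing)}")
```

In the sample drop the mature lane-keeping retune clears its gate despite being safety-critical, the novel merge planner is held back until closed-course runs and a safety review exist, and the low-criticality logging change is escalated only one step because it has no heritage. The design choice worth noting is that the check is monotone: adding evidence can only shrink the missing set, and adding features to a drop can only raise the release ORL, so the cheapest way to keep drops flowing is to keep them small.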
Presenting Author: Pezhman Zarifian, Toyota Research Institute
Authors:
Pez Zarifian, Toyota Research Institute
Divya Garikapati, Toyota Research Institute
Julia Pralle, Toyota Research Institute
Jennifer Dawson, Toyota Research Institute
Constantin Hubmann, Toyota Research Institute
Brielle Reiff, Toyota Research Institute
Raymond Tam, Toyota Research Institute
Gopi Gaddamadugu, Toyota Research Institute
Paper Type: Technical Paper Publication