Autonomous vehicles and advanced driver assistance systems (ADAS) are relying more and more on absolute positioning technology to safely navigate the busy world. A positioning solution within autonomous systems is only considered reliable if it is designed and certified to the necessary safety standards for overall vehicle-level functional safety.
Certification of precise positioning systems in functional safety requires the verification, validation and testing of the designs to all the possible operating conditions, including errors and faults that the vehicle may face in its global application. This validation and verification activity is often more critical and more complex than the design itself.
Achieving functional safety with integrity means ensuring the absence of unreasonable risks due to hazards caused by a malfunction in any of the solution’s sub-systems and components. This means all possible malfunctions and their associated risks must be taken into consideration during the design stage. Every component of a system must be verified, validated and certified to these possibilities for users to be confident in its application.
This blog post introduces the design and process concepts and approach used for positioning technology to achieve the appropriate functional safety within autonomous vehicles. This includes how the components and sub-systems of autonomous vehicles are tested and the role integrity plays when developing safety certified positioning solutions.
To achieve full autonomation of a vehicle, we must ensure and demonstrate the functional safety of both autonomous and positioning systems.
Integrity and functional safety for autonomous vehicles
Safety systems are becoming exponentially more complex as the technology in automotive applications evolves. Safety concepts of the basic antilock braking systems (ABS) or safety restraint systems (SRS) are considered closed-loop systems, so the functional safety analysis on these systems is common and well established. These commonplace systems have been developed and available for decades, resulting in many miles of field experience with a well-established understanding of functional safety.
Compare those commonplace systems with the relatively new development of the GNSS positioning system for a driverless car. This absolute positioning system continuously outputs position, velocity, heading and timing to aid the navigation of driverless systems, so the safety analysis becomes much more complex.
In order for an open-loop system like GNSS positioning to achieve an acceptable level of functional safety, the system must actively monitor conditions to output a protection level covering all operating conditions, faults and errors possible during that moment of operation.
This Stanford Diagram indicates Integrity Performance, and provides a robust methodology for engineers to test protection levels, integrity and confidence in the autonomous solution.
The systems’ protection level must be certified to a safety level defined by the overall vehicle-level functional safety target. The goal is that the protection level remains in the green or blue area seen in the Stanford Diagram on the left. We demonstrated this concept of functional safety with integrity at CES 2020 through our self-driving car using technologies to continuously monitor not only position but also potential errors, faults and risks of a GNSS positioning solution.
Key safety standards and ISO 26262
One of the key safety standards that uphold the functional safety for autonomous vehicles is ISO 26262. Meeting the ISO 26262 safety standard is critical for developing autonomous applications and the positioning systems used within those applications. ISO 26262 covers functional safety of the entire development process which includes design, implementation, integration, verification, validation and configuration.
ISO 26262 includes a risk classification scheme to describe the different standards each system component must meet. The Automotive Safety Integrity Level (ASIL) rubric allows a risk analysis of safety requirements of potential hazards and their severity, exposure and controllability.
ASIL includes four safety ratings: ASIL A, B, C and D, with D being the highest and A the lowest. Autonomous driving functions for an on-road vehicle would likely be classified with ASIL D, meaning an overall acceptable probability of system or component failure of one in a hundred million.
How autonomous systems are certified to functional safety standards
From system requirements to production processes, safety requirements need to be considered and included at every stage of the product’s development and life cycle. Verification and validation is vital throughout the design and development process. This ensures confidence in each component in delivering safety and considers all possible events that could trigger errors or faults.
There are far too many combinations of possible faults and errors in a GNSS positioning solution and its operating environment to rely on live testing alone. Fault injection, major simulation technology and proper quality and engineering processes must be employed for the entire development and product lifecycle to achieve safety certification.
Adverse weather conditions can affect the precision and reliability of autonomous systems. Whether clouds are blocking GNSS signals or snow is confusing LiDAR and cameras, positioning systems must maintain functional safety no matter the environmental conditions.
The errors and faults considered during this process range from environmental conditions to limitations of the electronic hardware components themselves. The process also includes faults from foreseeable misuse by the end-users.
For any unacceptable risks that are identified in the functional safety design process, the design is modified to avoid or mitigate those risks. This recursive process and improves the autonomous system’s performance and safety before being released to production.
Safe and reliable navigation requires consistent performance across all operating conditions, including all possible weather conditions. We’ve seen breakthroughs in GNSS positioning to deliver these needs, for example, in Todd Humphreys’ research in all-weather localization and positioning for self-driving cars.
We meet the lane-level performance requirements needed by on-road vehicles through enhanced hardware, corrections services that refine positioning data and advanced software and algorithms that enable the fusion of different sensor measurements with the GNSS position.
When demonstrating our autonomous vehicle at CES 2020, our monitor displayed how the positioning engine consistently and continuously monitored the environment through its many sensors. This visualized our adherence to ASIL safety standards and functional safety.
Sensor fusion and integrity for functional safety
An example of sensor fusion used in positioning is the integration of GNSS positioning data with inertial navigation systems (INS) using data from inertial measurement units (IMUs), vehicle wheel speed sensors or vehicle odometry data and vehicle steering wheel angles. Our work on sensor fusion illustrates how combining GNSS and INS measurements results in higher availability of increased integrity levels for autonomous systems.
When GNSS and INS measurements are fused, they provide the foundation for precise positioning and localization across different environments. When additional sensors like cameras, RADAR and LiDAR are included, like in our partnership and case study with AImotive and STMicroelectronics, autonomous vehicles reach the next level of reliability, consistency and confidence in safety for navigation and precise positioning.
We must consider the response of sensors, algorithms and actuators to all faults, failures and misuse to meet these standards fully. These residual risks are tested through randomized hardware-in-the-loop (HiL) and software-in-the-loop (SiL) modeling and simulations. All tests are designed to assure functional safety and minimize residual risks.
Integrity and functional safety in autonomy
Hexagon | NovAtel technologies work together to meet and support the highest functional safety for autonomous vehicles with consistency and reliability. GNSS positioning, combined with sensor fusion technologies using INS, LiDAR, RADAR and cameras, brings autonomy closer than ever before.
Experts from NovAtel, including Safety Critical Systems Geomatics Software Manager Lance de Groot and Segment Manager for Automotive and Safety Critical Systems Gord Heidinger, share details on safety, integrity and new safety standards in the webinar Autonomous Vehicle Safety: How to Test, How to Ensure.