Inside GNSS Media & Research

NOV-DEC 2017

Thus, HAVs require sensors in addition to GNSS, including laser scanners, radars, cameras, and odometers.

The parallel between aircraft and car applications in Figure 4 illustrates the significant challenge that lies ahead when bringing aviation safety standards to HAVs. It took decades of research and considerable resources to bring the alert limit requirement box down to 10 meters above and below the aircraft using the FAA's GPS augmentation systems (the Wide-Area Augmentation System and the Local Area Augmentation System). For a car to stay in its lane, the alert limit requirement box must be an order of magnitude smaller, and has to maintain this level of safety in a more dynamic and unpredictable environment.

HAV Taxonomy

Creating a path to successful automated navigation requires an overall methodology to prioritize on imminently achievable objectives, and then expand to more challenging missions. First in this HAV taxonomy, a classification using six SAE autonomy levels has been presented in Table 1. This classification is further refined by segmenting a car's trip into basic driving competencies, and by specifying the conditions under which a given HAV shall achieve these competencies. A similar classification was made in the early days of GPS-based commercial aircraft navigation safety analysis, where distinctions were made between different phases of flight, weather conditions, vehicle equipment, and airport infrastructure capabilities.

For example, in the early 1990s, 40% of aircraft accidents were occurring during final approach and landing, and 26% during take-off and initial climb, which only represented an average of 4% and 2% of flight time, respectively. The FAA therefore concentrated their efforts on improving safety during these phases of flight.
GPS augmentation systems were designed, with varying capabilities depending on airborne equipment and airport infrastructure, to guide the aircraft under the cloud ceiling, or to bring it all the way to touch-down.

Similarly, the "first and last mile" are identified as the most challenging parts of HAV operations, whereas highway auto-drive systems have already been developed and implemented. In its 2016 Federal Automated Vehicles Policy, NHTSA identifies 28 HAV behavioral competencies, which are particularly challenging to meet in the first and last miles of a typical trip. These competencies are basic abilities that an HAV must have to complete nominal driving tasks; they include, for example, lane keeping, obeying traffic laws, and responding to other road users.

To better describe an HAV's ability, the Federal Automated Vehicles Policy further specifies that basic driving competencies should be available under an HAV's predefined Operational Design Domain (ODD), described by its geographical location, road type and condition, weather and lighting condition, vehicle speed, etc. The ODD captures the circumstances under which an HAV is supposed to operate safely.

Such classification is key to safety analysis. It can allow HAVs at different stages of their development to be simultaneously fielded, and for them to evolve by expanding their ODDs. The classification can also help in identifying geographical areas where improved road infrastructure is needed for automated operation, similar to airports requiring equipment for instrument navigation to deal with higher traffic density.

Furthermore, standards for electronic equipment, measured by Automotive Safety Integrity Levels, have been issued and compared with the aviation's Design Assurance Levels (DAL).
And, overall system safety levels have been codified, which in aviation account for both the severity and probability of occurrence of an incident, and in automotive applications account, in addition, for "controllability", which is a measure of how likely an average driver is to maneuver out of a given imminent danger.

All of the above elements: (a) HAV autonomy level, (b) basic driving competency, (c) operation design domain, (d) vehicle electronic equipment, and (e) overall safety risk requirement must be specified to carry out a formal HAV safety analysis. Still missing from the HAV documents are clear guidelines, or example methods, on how to implement these safety requirements.

A Path Towards HAV Navigation Safety

When quantifying the safety of HAV navigation systems, such as in the example displayed in Figure 5, every component of the system including raw sensors, estimator and integrity monitor, and safety predictor, can potentially introduce risk. Unlike aircraft, HAVs require multiple and varied sensors to compensate for GPS signal blockages caused by buildings and trees. These sensor types must be integrated, and new methods to evaluate the integrity of multi-sensor systems must be developed. Furthermore, HAVs must have the ability to continuously predict integrity in a dynamic HAV environment.

In general, research on analytical evaluation of HAV navigation safety is sparse. For example, J. Lee et alia (Additional Resources) use the concept of a "safe driving envelope," but the approach focuses mostly on collision avoidance. The paper by O. Le Marchand, et alia, evaluates ground vehicle navigation, but shows an "approximate radial-error" of tens of meters, far exceeding the necessary sub-meter alert limit. A multi-sensor augmented-GPS/IMU system is used in the paper by R. Toledo-Moreo, et alia with "horizontal trust levels" of 7 meters to 10 meters, still an order-of-magnitude higher than the required HAV alert limit.
Multi-sensor integrity is addressed by M. Brenner (Additional Resources), but for a sensor combination specific to aviation and insufficient for terrestrial mobile robots.

Other approaches to multi-sensor integration show promise, but do not provide rigorous proof of integrity. In fact, most publications use pose estimation error covariance as a measure of performance, which is understood as not being sufficient, but is the only metric currently available. Most critically, the metric does not account for fault modes introduced by feature extraction and data association, two algorithms commonly used in mobile robot localization (and discussed again below).

Unlike GPS, which gives absolute position fixes, IMUs, LiDAR, radar, and
