At 6 p.m., you get into a car and tell it the restaurant where you will have dinner. The car will drive itself there, while you may choose to read a book, surf the web, or take a nap. You may have once considered this a science fiction scene, but it is now becoming a reality as a result of rapid advances in autonomous vehicle (AV) technologies in recent years. In cities around the world, robotaxis that transport passengers in driverless vehicles have just begun operating. Nearly a dozen companies are developing autonomous trucks. For example, TuSimple has expanded its fleet of heavy-duty robotic tractors in the U.S., Europe, and China, and has driven a Class 8 truck for 80 miles on public roads with no human on board. In addition, NVIDIA’s Drive Orin system-on-chip has been adopted by AV manufacturers like Mercedes, Volvo, JiDu, BYD, and Lucid Motors, as well as robotaxi services like Cruise, Zoox, and DiDi, and truck companies like Volvo, Navistar, and Plus.
AVs promise to save lives, prevent injuries, and reduce the costs associated with car accidents. However, to accomplish this in practice, AVs must satisfy rigorous safety requirements. In fact, proposals have been made to structure and model AV safety requirements. The U.S. Department of Transportation’s (DOT) final rule, to be effective in September 2022, will amend safety standards to accommodate AVs. IEEE also created a P2846 draft standard this year to define assumptions for safety-related automated vehicle behavior and foreseeable scenarios that should be considered in the development of safety-related models for automated driving systems (ADS).
Industrial AV technology developers have proposed several standards (e.g., ISO 26262, ISO/DIS 21448, UL 4600) for functional safety. Most of them define automotive safety integrity levels that offer (a) failure-in-time targets for AV hardware and (b) systematic processes for software development and testing that conform with appropriate systems engineering practices. Mobileye and NVIDIA recently developed the responsibility-sensitive safety (RSS) and the safety-force-field (SFF) models, respectively, to guarantee nominal safety by requiring AVs to make safe logical decisions, provided that hardware and software systems operate error-free.
However, most of these safety standards and models focus on high-level safety requirements and definitions or mathematical models. Very little exploration has been done to understand the safety requirements and trade-offs present in real AV computer system design, testing, and operation. Many questions therefore remain open. For instance, how can we bridge the high-level safety standards and models with an on-vehicle computing system design? How do computer system performance and design trade-offs affect the safety of AVs? As the exploration of safety-aware AV computer system design is still at an early stage of development, one approach may be to construct tools that help us understand the system better.
For example, to bridge high-level safety models such as RSS and SFF with computer system design, we conducted a three-month field study by operating a fleet of industrial Level-4 AVs in different locations, road conditions, and traffic patterns. Based on extensive analysis of the collected data, we developed a new set of tools to model the relationship between AV safety and computer system design configuration. It turns out that the safety level has a non-linear correlation with the computer system latency, and this relationship is highly dependent on various external factors, such as the traffic density and distribution, the speed and acceleration of surrounding moving objects, road conditions, and the acceleration, velocity, and physical properties (e.g., braking) of the AV itself. Furthermore, the latency is very sensitive to driving scenarios, each of which is a specific combination of surrounding objects (such as other vehicles, trees, and buildings) with varying density and distributions.
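To make the latency-to-safety link concrete, the following added example (not the tools from the field study, and not the author's code) evaluates the published RSS longitudinal safe-distance rule with the response time set to the computing latency, then inverts it to obtain a latency budget for a given gap. Treating latency as the RSS response time is an assumption, and the acceleration and braking limits and the scenarios are constructed values.

```python
# Added illustration: RSS minimum longitudinal gap as a function of computing latency.
# Assumption: the RSS response time rho equals the end-to-end computing latency.

def rss_min_gap(v_rear, v_front, rho, a_accel=2.0, b_min=4.0, b_max=8.0):
    """Metres the rear AV must keep behind the front vehicle.
    v_* in m/s, rho in s; a_accel, b_min, b_max in m/s^2 (constructed sample limits)."""
    v_resp = v_rear + rho * a_accel            # worst-case speed once the AV reacts
    gap = (v_rear * rho + 0.5 * a_accel * rho ** 2
           + v_resp ** 2 / (2 * b_min)          # AV brakes gently (b_min)
           - v_front ** 2 / (2 * b_max))        # front vehicle brakes hard (b_max)
    return max(gap, 0.0)

def max_tolerable_latency(gap, v_rear, v_front, hi=5.0, tol=1e-6, **limits):
    """Largest latency (s) at which `gap` is still RSS-safe.
    Returns None when the gap is unsafe even with zero latency."""
    if rss_min_gap(v_rear, v_front, 0.0, **limits) > gap:
        return None
    if rss_min_gap(v_rear, v_front, hi, **limits) <= gap:
        return hi                               # budget exceeds the search range
    lo = 0.0
    while hi - lo > tol:                        # rss_min_gap is non-decreasing in rho
        mid = (lo + hi) / 2
        if rss_min_gap(v_rear, v_front, mid, **limits) <= gap:
            lo = mid
        else:
            hi = mid
    return lo

# Constructed scenarios: (label, AV speed, lead-vehicle speed, current gap in metres)
SCENARIOS = [
    ("urban, 10 m/s", 10.0, 10.0, 31.06),
    ("highway, 20 m/s", 20.0, 20.0, 31.06),
    ("highway, tailgating", 20.0, 20.0, 20.0),
]

def latency_budgets():
    """Map each scenario label to its latency budget in seconds (None = already unsafe)."""
    return {name: max_tolerable_latency(gap, vr, vf) for name, vr, vf, gap in SCENARIOS}

if __name__ == "__main__":
    for name, budget in latency_budgets().items():
        print(f"{name}: {'unsafe' if budget is None else f'{budget:.3f} s'}")
```

The same 31.06 m gap leaves a much larger latency budget at 10 m/s than at 20 m/s, and the required gap grows quadratically with latency, which is the kind of scenario-dependent, non-linear behaviour the paragraph describes.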
Since the variations in the driving scenarios (such as different speeds and maneuver timings) can be large, it is difficult to understand the trade-offs offered by different hardware/software design choices in a complex server-like system in an AV and the impact they may have on safety and system performance. As a result, identifying the safety impact of different component-level parameters (such as camera FPS and neural network model precision) is hard even for limited driving scenarios with specific settings (such as speeds that result in near collisions in a given operational design domain). To address the challenge, we developed an AV safety evaluation framework that can automatically analyze the safety impact of various component-level design decisions. The framework accelerates the discovery of trade-offs between performance and safety offered by different design options. Insights from the trade-offs and sensitivity analysis of component-level design decisions also enable AV engineers to better design systems for performance and safety.
Looking further out, connected autonomous vehicles (CAVs) are emerging, using technology to communicate with each other, connect with traffic lights, signs, and other road elements, or obtain data from the cloud. The exchange of information is envisioned to promote safety and improve traffic flow. This will present both opportunities and challenges for exploring tools that assist safety-aware CAV system design. In particular, vehicular edge computing enables vehicles to improve the performance and safety of vehicular applications by leveraging edge computing resources from adjacent vehicles or roadside units (RSUs). In addition to edge computing, in this rapidly changing digital world, it is no surprise that cloud computing is expanding to AV technology. Using the cloud, cars can update traffic information and maps, and wirelessly download new features developed in the data center. Furthermore, task offloading and computational resource sharing methods are being explored to improve latency. However, how to efficiently partition and offload computing tasks according to the current channel conditions and the corresponding local and edge computing architectures remains an open question. Current AV designs perform almost all computation in the onboard computer system. It is becoming increasingly difficult for this paradigm to meet safety requirements under power and cost constraints. It also results in low utilization of the AV system, as the real-time AV system must be configured according to peak loads. Therefore, more tools need to be developed to help investigate the safety requirements of CAVs.
About the author: Jishen Zhao is an Associate Professor in the Computer Science and Engineering Department at University of California, San Diego. Her research spans and stretches the boundary between computer architecture and system software, with an emphasis on memory systems, machine learning for systems, and system support for smart applications.
Disclaimer: These posts are written by individual contributors to share their thoughts on the Computer Architecture Today blog for the benefit of the community. Any views or opinions represented in this blog are personal, belong solely to the blog author and do not represent those of ACM SIGARCH or its parent organization, ACM.