HAV SAFETY

Towards Navigation Safety for Autonomous Cars

Emerging technologies are bringing cars closer to the ultimate goal of fully autonomous operation. Shutterstock Promising new technology has recently emerged to increase the level of safety and autonomy in driving, including lane and distance keeping assist systems, automatic braking systems, and even highway auto-drive systems. Each of these technologies brings cars closer to the ultimate goal of fully autonomous operation. While it is still unclear, if and when safe, driverless cars will be released on the mass market, a comparison with the development of aircraft autopilot systems can provide valuable insight. This review article contains several Additional Resources at the end, including key references to support its findings. The article investigates a path towards ensuring safety for “self-driving” or “autonomous” cars by leveraging prior work in aviation. It focuses on navigation, or localization, which is a key aspect of automated operation.

here are many good reasons household’s yearly transportation bud- for getting excited about highly get, which currently ranges between automated vehicles, or HAVs, approximately $8,000 and $11,000 per Twhich is the acronym used by the car. HAVs carry promises not only in National Highway Traffic Safety Admin- improved road mobility, and accessibil- istration (NHTSA). HAVs can make ity, but also in producing architectural driving more fuel- and time-efficient. and societal changes that can make mass They can significantly reduce traffic parking spaces and personal car owner- congestion and emissions by driving a ship obsolete in urban areas. Above all, precise speed, minimizing lane changes, HAVs can help improve road safety by and maintaining an exact distance to preventing car accidents that cause more MATHIEU JOERGER neighboring cars. They can also increase than 30,000 deaths/year in the United UNIVERSITY OF ARIZONA. accessibility and mobility for disabled States alone, cost approximately $230 MATTHEW SPENKO and elderly persons. billion/year in medical and work loss ILLINOIS INSTITUTE OF TECHNOLOGY Sharing an HAV instead of owning costs, and are caused by humans 90% of is projected to dramatically reduce a the time.

40 InsideGNSS NOVEMBER/DECEMBER 2017 www.insidegnss.com Expectations Press articles in the 1950s and 1960s many indicators of HAVs predicted that autonomous cars and decreasing expec- Commercial “electronic highways” would become tations on HAVs UAVs widely available by 1975. Major mile- include a reduction stones in the use of new sensor, compu- in press coverage tation, and communication technology and the emergence have recently reenergized the eager- of first negative ness for HAVs. This first started with news stories, in par- Virtual Reality the 2005 “DARPA Grand Challenge”, ticular following the where four different HAVs designed by May 2016 crash of a teams of engineers from industry and Tesla Model S whose Innovation Peak of Trough of Plateau of Slope of Enlightenment academia completed a 132-mile trip autopilot failed to trigger Inated Disillusionment Productivity across the Mohave desert in less than 7.5 distinguish a white Expectations hours with no human intervention. The trailer truck from Time

2007 DARPA “Urban Challenge” saw six the bright Florida FIGURE 1 Gartner’s “Hype Cycle for Emerging Technologies”, As of July teams autonomously complete a 60-mile sky. The Model S 2016 [16]. course in an urban environment, while ran under the trail- following traffic laws. Most teams used er causing its roof to be torn off and In addition, human-machine interaction a combination of LiDAR, cameras, dif- the operator to lose its life. The car kept is at the heart of role confusion (is the ferential GPS, and computation power going full speed on the side of the road operator or the HAV in charge?) of mode that is multiple orders of magnitude through two fences until it hit a pole and confusion (is the HAV in autonomous higher than what is typically needed for came to a stop. or manual mode?) and of the operator’s a commercial passenger vehicle. In 2009, In parallel, until the end of 2016, trust in this multimodal system. Mis- Google (now Waymo) began designing Google was providing detailed reports interpretation may grow even wilder and testing “self-driving” cars, which of their self-driving car performance, because a given functionality will not have since accumulated more than three which were designed to operate in achieve the same level of performance million miles in autonomous mode. real-world urban environments. These across models and manufacturers, and Currently, most car manufactur- reports contain records of millions of operators may not be aware of the sys- ers have HAV prototype systems and miles driven autonomously, but also tems’ independently verified safety rat- Google, Uber, NuTonomy have HAV acknowledge “disengagements”, i.e., ings. And, within the next few years, pilot testing programs, including fully where the operator needed to take over operators will be expected to anticipate autonomous systems for public trans- control to avoid collisions. The data hazardous situations and take over portation, which, for now, are confined shows that HAVs are much more likely control. Thus, operating an HAV may to segregated lanes and geo-fenced areas. to be involved in collisions, even though require more education and different Multiple Tier-2 supplier companies have these collisions are often of lower sever- training than driving a car manually. emerged, which specialize in autono- ity than in conventional human driving mous car technology. In early 2017, 36 [HAVs typically get rear-ended because Current Safety Assessment Efforts companies were registered to test pro- of their unusual road behavior] (see B. To focus this article, first consider the totype HAV systems on public roads in Schoettle, and M. Sivak, “A Preliminary Society of Automotive Engineer (SAE) the state of California. Analysis of Real-World Crashes Involv- International’s classification of driving However, in Figure 1, Gartner’s “2016 ing Self-Driving Vehicles,” Additional autonomy levels in Table 1. Under Levels Hype Cycle for Emerging Technologies” Resources). Also, Uber’s autonomous 0 to 2, the human driver is responsible at shows that HAV technology might be taxis in Pittsburg have a reported rate all times, either for driving by himself, or at the “peak of inflated expectations”, of one disengagement per mile autono- for supervising the HAV in autonomous approaching the “trough of disillusion- mously driven. mode and taking control if needed. ment”. Hype cycle curves are non-scien- Moreover, the first fielded autono- Under Levels 3 to 5, the system is self- tific tools that have been empirically ver- mous systems have revealed new safety monitoring and the driver is expected to ified for multiple example technologies threats. In particular, the technology’s take control, but only if requested by the over many years. Two example emerging functionality, as perceived by the human system. Levels 0-4 provide partial auto- technologies, commercial unmanned operator, does not always match the mation under predefined driving modes aircraft systems (UAS) and virtual real- intended operational domain: for exam- and circumstances, whereas Level 5 is ity, are included in Figure 1 for illustra- ple, there have been cases of highway full autonomy. tion purposes. The curve’s time scale autopilots being used in urban areas and The most advanced private car sys- may differ for each technology. One of passing red lights without slowing down. tems are currently Level 2, and pilot pro- www.insidegnss.com NOVEMBER/DECEMBER 2017 InsideGNSS 41 HAV SAFETY

SAE Level Name Description 3,000 billion miles travelled each year Human driver monitors the driving environment on U.S. highways by human drivers, with 30,000 deaths caused by traffic 0 No Automation The human driver performs all driving tasks at all times. accidents; this corresponds to about 1 Driver Either steering or acceleration/deceleration task by the one fatality in traffic accidents per 100 Assistance system; driver expected to perform all other aspects of million miles driven in the U.S. But, this driving. number accounts for incidents on all 2 Partial Both steering and acceleration/deceleration tasks by the roads, in all weather conditions, and for Automation system; driver expected to perform all other aspects of all vehicle ages and types. Thus, a purely driving. experimental, complete proof that HAVs HAV monitors the driving environment match the level of safety of human 3 Conditional The HAV performs all driving tasks under limited, pre- driving would take about 400 years at Automation defined conditions, and can request the human driver to Google’s current testing rate (of approxi- intervene and take over control. mately 250,000 test miles per year), and 4 High The HAV performs all driving tasks under limited, would still take many decades if the test- Automation predefined conditions, without the expectation of any ing rate increased exponentially. This is human intervention. assuming that no fatalities occur during 5 Full Automation The HAV performs all driving tasks under all conditions. that time, that no major HAV upgrade is Table 1 Society of Automotive Engineer (SAE) International’s Levels of Driving Automation performed, and that the testing environ- ment is representative of all U.S. roads. Thus, while an experimental proof is conclusive, it is not practical. Other, analytical, methods must be employed to ensure HAV safety.

Research Challenges In HAV Navigation Safety Multiple technical aspects developed over decades for automated flying could serve as starting points for automated driving systems. Figure 2 shows research areas with overlap between aircraft (in blue) and car (in yellow) applications. Figure 2 is not intended to give a com- prehensive list of all aspects of auto- mation, but instead, it shows example technical areas that can be addressed using similar methods in aviation and automotive applications (in the green FIGURE 2 Example Similarities and Differences in Future Automated Flying versus Driving. The area). For example: figure shows technical aspects of future automation that may be common to aviation and automotive applications (in the center of the figure), versus others that are specific to each • performance standards set for soft- application (towards the edges). ware, communication, and electron- ic equipment are already being com- grams aim at achieving Level 3, although Level 2 HAV safety have been experi- pared for aircraft versus cars in the the mere presence of a kill-switch would mental testing campaigns by Google, NHTSA report by Q. D. Van Eikema imply that the system is actually Level Tesla and Uber. Google’s approach Hommes, Additional Resources. 2. The transition from Level 2 to 3 is a to have HAVs drive millions of miles • the design of aircraft cockpit has remarkable leap that has significant with minimal human intervention has been continuously improved over implications on trust and comfort of been documented up until 2015. At this the past few decades, especially for human-machine interactions, on legal time, Google cars have autonomously highly-automated Unmanned Air responsibility allocation between system travelled an impressive three million Systems (UAS) with a remote pilot and driver, and on technical challenges miles. Tesla’s autopilot is reported to “in-the-box”; few car manufactur- to overcome to guarantee passenger have driven more than 130 million ers envision futuristic car interiors safety. miles – on highways only – before it where humans do not participate Over the past four years, the most caused a fatality in May 2016. in driving, but as long as human- publicized approaches to demonstrate In parallel, NHTSA reports about machine interactions are needed,

42 InsideGNSS NOVEMBER/DECEMBER 2017 www.insidegnss.com lessons learned in cockpit design to Ad m i n ist r at ion Create a mathematically rigorous method to avoid information overload are key. (FAA) has devel- evaluate APV navigation integrity • while Automatic Dependent Sur- oped analytical veillance-Broadcast (ADS-B) will be methods to evaluate mandatory on all aircraft by 2020, a integrity. This pro- Identies Creates metric to Provides petition for proposed rule making vides the means to: unsafe compare and evaluate regulating has been issued to mandate Vehicle- • quantify safe- conditions APV safety across agencies to clear to-Vehicle (V2V) and Vehicle-to- ty of existing manufacturers metrics for Infrastructure (V2I) by the same multi-sensor APV certication date. (ADS-B is a situational aware- systems under a ness system for collision avoidance, variety of oper- through which aircraft share their ating environ- Reduces time to operational capability

positions with Air Traffic Control ments, thereby FIGURE 3 Motivation and outcomes for using analytical integrity evalu- and with other aircraft.) reducing the ation methods to quantify and predict safety. • GNSS/INS navigation systems, need for experi- which are extensively used in safety- mental testing Unfortunately, the same methods critical aircraft navigation, are also • allocate safety requirements to indi- do not directly apply to HAVs, because being investigated for HAVs. vidual system components to achieve ground vehicles operate under sky- • overall safety standards also have an overall target level of safety, there- obstructed areas where GNSS signals similarities for aircraft and HAVs, by enabling design for safety can be altered or blocked by buildings which are discussed again below. • perform risk prediction, which is and trees. In general, the HAV environ- The focus of this article is on navi- a key operational feature to enable ment is much more unpredictable than gation safety. In aviation navigation, hazard avoidance maneuvers the aircraft’s, for reasons that include: safety is assessed in terms of integrity Several methods have been estab- • a changing environment: traffic (as well as accuracy, continuity, and lished to predict the integrity risk in lights, construction, impact of rain availability, which are not discussed for GNSS-based aviation applications, on road adherence, sensor masking brevity). Integrity is a measure of trust which are instrumental in ensuring the and occlusions, in sensor information: integrity risk is safety of pilots and crew. As an example, • environmental diversity: intersection the probability of undetected sensor Figure 4 illustrates a simplified definition topography, road conditions, mark- errors causing unacceptably large posi- of the integrity risk for aircraft landing ings on ground, various traffic signs tioning uncertainty (See RTCA Special applications. The aircraft positioning • road users that may interfere with Committee 159, “Minimum Aviation prediction is uncertain because of sen- HAV motion: other cars, trucks, System Performance Standards for sor measurement noise. An alert limit pedestrians, bicyclists, etc. the Local Area Augmentation System (AL) requirement box is represented • comparatively large number of car (LAAS), Additional Resources”). This around the predicted aircraft position. manufacturers, equipment suppliers, top-level quantifiable performance This AL is set by the certification author- and vehicle models, as well as with metric is sensor- and platform-inde- ity, i.e., by the FAA in this application. shorter model cycles than aircraft, pendent, and can thus be used to set Simply put, the risk of the actual aircraft causing wide variations in vehicle certifiable requirements on individual position being outside the AL box is the age and maintenance levels system components to achieve and integrity risk. (In practice, the most • non-uniform vehicle and road regu- prove an overall level of safety. challenging part of risk prediction is to lations at both the state and federal The multiple separate efforts towards account for potentially undetected sen- levels in the U.S. coupled with dif- achieving Levels 3-to-5 HAVs reveal a sor faults, such as excessive GNSS satel- ferent international standardization compelling lack of coordination towards lite clock drift.) processes a common, uniform, quantifiable safety goal. Integrity can be used as an objec- Current Predicted Predicted future position Alert limit tive performance metric for open, trans- position Current time pose time pose requirement box parent comparison and categorization Alert Limit Requirement across manufacturers. It can also pro- vide a governmental regulating agency performance and testing standards for HAV certification, which would help accelerate the development, growth, and FIGURE 4 Safety Risk Prediction Concept. To ensure safety, the predicted vehicle position must maturation of such HAVs, as displayed be within a predefined acceptable limit called the “alert limit” (AL) box. Integrity is the proba- in Figure 3. bility of the vehicle being inside the box while accounting for both nominal sensor errors and Moreover, the Federal Aviation faults. The AL box is an order of magnitude smaller for HAV than it is for aircraft applications. www.insidegnss.com NOVEMBER/DECEMBER 2017 InsideGNSS 43 HAV SAFETY

Thus, HAVs require sensors in addi- of HAV operations, whereas highway example methods, on how to implement tion to GNSS, including laser scanners, auto-drive systems have already been these safety requirements. radars, cameras, and odometers. developed and implemented. In its 2016 The parallel between aircraft and Federal Automated Vehicles Policy, A Path Towards HAV Navigation Safety car applications in Figure 4 illustrates NHTSA identifies 28 HAV behavioral When quantifying the safety of HAV the significant challenge that lies ahead competencies, which are particularly navigation systems, such as in the when bringing aviation safety standards challenging to meet in the first and last example displayed in Figure 5, every to HAVs. It took decades of research and miles of a typical trip. These competen- component of the system including raw considerable resources to bring the alert cies are basic abilities that an HAV must sensors, estimator and integrity moni- limit requirement box down to 10 meters have to complete nominal driving tasks; tor, and safety predictor, can potentially above and below the aircraft using the they include, for example, lane keeping, introduce risk. Unlike aircraft, HAVs FAA’s GPS augmentation systems (the obeying traffic laws, and responding to require multiple and varied sensors to Wide-Area Augmentation System and other road users. compensate for GPS signal blockages the Local Area Augmentation System). To better describe an HAV’s ability, caused by buildings and trees. These For a car to stay in its lane, the alert limit the Federal Automated Vehicles Policy sensor types must be integrated, and requirement box must be an order of further specifies that basic driving com- new methods to evaluate the integrity of magnitude smaller, and has to maintain petencies should be available under an multi-sensor systems must be developed. this level of safety in a more dynamic HAV’s predefined Operational Design Furthermore, HAVs must have the abil- and unpredictable environment. Domain (ODD), described by its geo- ity to continuously predict integrity in a graphical location, road type and con- dynamic HAV environment. HAV Taxonomy dition, weather and lighting condition, In general, research on analytical Creating a path to successful automated vehicle speed, etc. The ODD captures the evaluation of HAV navigation safety navigation requires an overall meth- circumstances under which an HAV is is sparse. For example, J. Lee et alia, odology to prioritize on imminently supposed to operate safely. Additional Resources use the concept achievable objectives, and then expand Such classification is key to safety of a “safe driving envelope,” but the to more challenging missions. First in analysis. It can allow HAVs at different approach focuses mostly on collision this HAV taxonomy, a classification stages of their development to be simul- avoidance. The paper by O. Le March- using six SAE autonomy levels has been taneously fielded, and for them to evolve and, et alia, evaluates ground vehicle presented in Table 1. This classification by expanding their ODDs. The classifi- navigation, but shows an “approxi- is further refined by segmenting a car’s cation can also help in identifying geo- mate radial-error” of tens of meters, far trip into basic driving competencies, graphical areas where improved road exceeding the necessary sub-meter alert and by specifying the conditions under infrastructure is needed for automated limit. A multi-sensor augmented-GPS/ which a given HAV shall achieve these operation, similar to airports requiring IMU system is used in the paper by R. competencies. A similar classification equipment for instrument navigation to Toledo-Moreo, et alia with “horizontal was made in the early days of GPS- deal with higher traffic density. trust levels” of 7 meters to 10 meters, still based commercial aircraft navigation Furthermore, standards for electron- an order-of-magnitude higher than the safety analysis, where distinctions were ic equipment, measured by Automotive required HAV alert limit. made between different phases of flight, Safety Integrity Levels, have been issued Multi-sensor integrity is addressed by weather conditions, vehicle equipment, and compared with the aviation’s Design M. Brenner, Additional Resources, but for and airport infrastructure capabilities. Assurance Levels (DAL). And, overall a sensor combination specific to aviation For example, in the early 1990’s, 40% system safety levels have been codified, and insufficient for terrestrial mobile of aircraft accidents were occurring dur- which in aviation account for both the robots. Other approaches to multi-sensor ing final approach and landing, and 26% severity and probability of occurrence of integration show promise, but do not pro- during take-off and initial climb, which an incident, and in automotive applica- vide rigorous proof of integrity. In fact, only represented an average of 4% and tions account, in addition, for “controlla- most publications use pose estimation 2% of flight time, respectively. The FAA bility”, which is a measure of how likely error covariance as a measure of perfor- therefore concentrated their efforts on an average driver is to maneuver out of mance, which is understood as not being improving safety during these phases a given imminent danger. sufficient, but is the only metric currently of flight. GPS augmentation systems All of the above elements: (a) HAV available. Most critically, the metric does were designed, with varying capabili- autonomy level, (b) basic driving com- not account for fault modes introduced ties depending on airborne equipment petency, (c) operation design domain, by feature extraction and data associa- and airport infrastructure, to guide (d) vehicle electronic equipment, and tion, two algorithms commonly used in the aircraft under the cloud ceiling, or (e) overall safety risk requirement must mobile robot localization (and discussed to bring it all the way to touch-down. be specified to carry out a formal HAV again below). Similarly, the “first and last mile” are safety analysis. Still missing from the Unlike GPS, which gives absolute identified as the most challenging parts HAV documents are clear guidelines, or position fixes, IMUs, LiDAR, radar, and

44 InsideGNSS NOVEMBER/DECEMBER 2017 www.insidegnss.com Odometer GPS INS Laser Feature Extraction sequential estimators (e.g., Extended Kalman fil- ter or EKF), which has been readily used in many Data Landmark practical applications. Association Map There are several problems that the FE and DA algorithms are addressing. First, landmarks in the environment are unidentified, and their observa- tions are not tagged in a manner similar to a GNSS satellite signal’s Pseudo Random Noise (PRN) number. Thus, the feature extraction algorithm must isolate the few most consistently identifiable, Integrity Pose Monitor Estimator viewpoint-invariant landmarks in the raw sen- sor data. These features must be identifiable over Robot Controller repeated observations and distinguishable from one landmark to another. Features that are difficult Integrity Prediction Robot Dynamics to distinguish from each other can be found easily, but the possibility that the association is incorrect will greatly negatively impact the integrity risk. Alarm Integrity Map Second, range data based on extracted features must match those features with those from a fea- FIGURE 5 Example HAV Navigation System. Key Sensors are represented on top. Their measurements are processed to estimate HAV position, velocity and orientation, ture database or map. Data association algorithms and then to predict safety risk and send alerts if needed. accomplish this; however, incorrect associations commonly occur. These can lead to large naviga- cameras provide relative displacements with respect to a previ- tion errors, as illustrated in Figure 6, thereby representing a ous time-step, or with respect to a map. Thus, measurement threat to navigation integrity. time-filtering is required, which makes integrity risk evaluation FE and DA can be challenging in the presence of sensor more challenging since past-time sensor errors and undetected uncertainty. This is why many sophisticated algorithms have faults can now impact current-time safety. been devised. But, how can we prove whether these FE and DA methods are safe for life-critical HAV navigation applications, Example LiDAR Navigation Safety Evaluation and under what circumstances? These research questions are While safety quantification for GNSS and GNSS/INS has been currently unanswered. The most relevant publications on rigorously performed for aviation applications, and is being DA risk are found in literature on multi-target tracking. For researched for HAVs, navigation safety for LiDAR, radar, example, in the paper Y. Bar-Shalom and T. E. Fortmann, an camera, and multi-sensor navigation is a widely unexplored innovation-based nearest-neighbor DA criterion is introduced, research area. To provide a specific example on the research which serves as basis in many practical implementations. work that lies ahead, we have started developing safety risk The article by Y. Bar-Shalom, et alia, “The Probabilistic Data evaluation methods for LiDARs. We selected LiDARs because 160 of their prevalence in HAVs, of their market availability, and Measurement-domain Position-domain because of our prior experience. However, the techniques we Integration 140 Integration are developing are general enough that radar, cameras, or any 120 120 future sensor that returns range data can be substituted. 100 100 Raw range data must be processed before it can be used for navigation. One technique, visual odometry, establishes corre- 80 Misassociation lations between successive scans to estimate sensor changes in North (m) 60 60 pose (i.e., position and orientation). These processes are highly 40 40 computationally intensive, and have the same problems as other dead-reckoning techniques, such as wheel odometry over time. 20 estimated landmark location Thus, they can become inaccurate or cumbersome for HAVs 0 estimated moving over multiple time epochs. Although proprietary infor- vehicle trajectory –20 mation regarding the use of visual odometry by HAV manu- –60 –40 –20 020 reference traj. –20 02040 facturers is unavailable, the research literature suggests that East (m) East (m) it is only used for short time scale operations. A second class FIGURE 6 Impact of Incorrect Association on Vehicle Trajectory Estima- of algorithms provides sensor localization by extracting static tion. The position-domain integration scheme on the right-hand side experiences a missed association when the measurement- features from the raw sensor data and associating those features integration scheme on the left-hand side does not. In this case, the to a map. This is typically done in two steps, as illustrated in left-hand side can be considered truth reference trajectory; because Figure 6: feature extraction (FE) and data association (DA). The of the missed association, the flawed estimated right-hand side tra- jectory indicates that the vehicle drove into multiple building walls. resulting information can then be iteratively processed using www.insidegnss.com NOVEMBER/DECEMBER 2017 InsideGNSS 45 HAV SAFETY

Association Filter,” provides a detailed the presence of cluttered, poorly-distin- [2] Ackerman , E., “Self-Driving Cars Were Just Around the Corner—in 1960”, IEEE Spectrum, September 2016 derivation of the probability of correct guishable landmarks. Finally, being sur- [3] Ackerman, E., “After Mastering Singapore’s Streets, association given measurements. How- rounded by many landmarks increases NuTonomy’s Robo-taxis Are Poised to Take on New Cities,” IEEE Spectrum, 2016. ever, this Bayesian approach is not well the probability of continuous, uninter- [4] Areta, J., Y. Bar-Shalom, and R. Rothrock, “Misasso- suited for safety-critical applications rupted navigation. The next step of this ciation Probability in M2TA and T2TA,” J. of Advances in Information Fusion, Vol. 2, No. 2, 2007, pp. 113-127. due to the lack of risk prediction capa- research aims at dealing with unmapped [5] Bailey, T., Mobile Robot Localization and Mapping bility, and to the problem of bounding and non-static obstacles, and at quanti- in Extensive Outdoor Environments. PhD thesis, The University of Sydney, 2002. the a-posteriori probability of associa- fying the continuity risk of FE and DA. [6] Bailey, T., and J. Nieto. Scan-slam: Recursive mapping tion (a similar issue is encountered in and localization with arbitrary-shaped landmarks. In Workshop at the Institute of Electrical and Electronics the paper by F.C. Chan, et alia]). Anoth- Conclusion Engineers Robotics Science and Systems (IEEE RSS), er insightful approach is followed in the Looking at the emergence of future HAV 2008. [7] Bakhache, B., A Sequential RAIM Based on the Civil paper by J. Areta, et alia]. However, it technology with the prior experience of Aviation Requirements. In Proceedings of the 12th makes approximations that do not aircraft navigation safety provides the International Technical Meeting of the Satellite Division of the Institute of Navigation (ION GPS 1999), pages necessarily upper-bound risks, hence means to scale up the challenges that 1201–1210, 1999. do not guarantee safe operation, and it lie ahead in the development of fully [8] Basnayake, C., M. Joerger, and J. Aulde, “Safety-Crit- ical Positioning for Automotive Applications”, Inside presents exact solutions that can only be autonomous (Level 4 and 5) driverless GNSS Webinar, 2016. evaluated using computationally expen- cars. Many parallels can already be [9] Bar-Shalom, Y., F. Daum, and J. Huang, “The Proba- bilistic Data Association Filter,” IEEE Control Systems sive numerical methods, not adequate drawn between aviation safety require- Magazine, 2009, pp. 82-100. for real-time navigation. Also, the risk ments and early HAV standards and [10] Bar-Shalom, Y., and T. E. Fortmann. Mathematics in Science and Engineering, chapter Tracking and Data of FE is not addressed. regulations. Still, the methods to fulfill Association. Academic Press, 1988. In response, we have been developing these standards and regulations have to [11] Bengtsson, O., and A.J. Baerveldt, “Robot localiza- tion based on scan-matching-estimating the covari- a new, computationally-efficient integ- be established. If analytical methods are ance matrix for the IDC algorithm,” Robotics and Auton- rity risk prediction method to ensure pursued, the following tasks need to be omous Systems, Vol. 44, 2003, pp. 29–40. [12] Bonanni, R., “WAAS – LPV Airport and Aeronautical safety of localization using LiDAR-based accomplished: (1) establish high-integ- Surveys”, ANM Airports Conference, 2006. FE and DA. We have derived a multi- rity raw sensor measurement error and [13] Bhuiyan, J., “Uber’s autonomous cars drove 20,354 miles and had to be taken over at every mile, accord- ple-hypothesis innovation-based DA fault models for non-GPS sensors; (2) ing to documents,” available online at https://www. method that provides the means to pre- develop analytical methods to quantify recode.net/2017/3/16/14938116/uber-travis-kalanick- self-driving-internal-metrics-slow-progress, 2016 dict the probability of incorrect associa- the safety risk of feature extraction and [14] Blom, H.A.P., and Y. Bar-Shalom. The interacting tions considering all potential landmark data association algorithms required in multiple model algorithm for systems with markovian switching coefficients. IEEE Transactions on Automatic permutations. (For more details on these LiDAR, radar, and other pre-processing Control, 33(8):780783, 1988. methods, see the following four papers in steps in camera-based localization; (3) [15] Brenner, M., Integrated GPS/Inertial Fault Detection Availability. NAVIGATION, Journal of The Institute of Naviga- Additional Resources, Nos. 31, 49, 50 and design multi-sensor pose estimators tion, 43(2):111–130, 1996. 51.) We also determined a probabilistic and integrity monitors to evaluate the [16] Chan, F.C., M. Joerger, S. Khanafseh, and B. Pervan, “Bayesian Fault-Tolerant Position Estimator and Integ- lower bound on the minimum feature impact of undetected sensor faults on rity Risk Bound for GNSS Navigation,” Journal of Navi- separation, which is guaranteed at FE, safety risk; and (4) derive, analyze, and gation of the RIN, available on CJO2014, doi:10.1017/ S0373463314000241, 2014. with pre-defined integrity risk allo- experimentally implement integrity risk [17] Chow, E., and A. Willsky. Analytical redundancy and cation. The separation bound can be prediction in dynamic environments. the design of robust failure detection systems. IEEE Transactions on Automatic Control, 29(7):603614, 1984. incorporated in an overall integrity risk If these challenges are overcome, [18] Choukroun, D., and J. Speyer. Mode estimation via equation. This new method was ana- one will be able to quantify and prove conditionally linear filtering: Application to gyro fail- ure monitoring. AIAA Journal of Guidance, Control, and lyzed and tested to quantify the impact the performance of an HAV’s naviga- Dynamics, 65(2):632644, 2012. of incorrect associations on integrity tion system — an essential part of safety. [19] Clot, A., C. Macabiau, I. Nikiforov, and B. Roturier. Sequential RAIM Designed to Detect Combined Step risk. It showed that the positioning Proving navigation system integrity will Ramp Pseudo-Range Error. In Proceedings of the 19th error covariance can be a misleading also help give humans more confidence International Technical Meeting of the Satellite Division of the Institute of Navigation (ION GNSS 2006), page safety performance metric since cases to trust HAVs, thus further develop- 26212633, 2006. were found where the contributions of ing the symbiotic relationship between [20] ooper, A.J., A Comparison of Data Association Tech- niques for Simultaneous Localization and Mapping. PhD incorrect associations to integrity risk humans and co-robots. Finally, as HAV thesis, Massachusetts Institute of Technology, 2005. far surpassed that of nominal errors technology progresses from driver’s aids [21] DARPA, “The Six Finishers of the DARPA Urban Challenge,” available online at http://archive.darpa. accounted for in the positioning error such as active brake assist to full autono- mil/grandchallenge/index.html, 2007. covariance. In addition, the following mous driving, this research is relevant [22] Defense Advanced Research Projects Agency (DARPA), “Robots conquer DARPA Grand Challenge,” key safety-tradeoff was illustrated: the now and will remain essential through- Press Release, U.S. Department of Defense (DoD), 2005. more measurements are extracted, the out the evolution of HAV technology. [23] Department of Transportation (DOT) National Highway Traffic Safety Administration (NHTSA) “Fed- lower the integrity risk contribution is eral Automated Vehicles Policy: Accelerating the Next under the correct association hypoth- Additional Resources Revolution In Roadway Safety,” 2016 [24] Diesel, J., and S. Luu. GPS/IRS AIME: Calculation of [1] Abuhashim, T.S., M.F. AbdelHafez, and M.-A. AlJarrah. esis, but the higher the other integrity Thresholds and Protection Radius Using Chi-Square Building a robust integrity monitoring algorithm for a Methods. In Proceedings of the 8th International Tech- risk contributions become because the low cost gps-aided-ins system. International Journal of nical Meeting of the Satellite Division of The Institute of Control, Automation, and Systems, 8(5):11081122, 2010. risk of incorrect associations increases in Navigation (ION GPS 1995), page 19591964, 1995.

46 InsideGNSS NOVEMBER/DECEMBER 2017 www.insidegnss.com HAV SAFETY

[25] Dionne, D., Y. Oshman, and D. Shinar. Novel adap- [50] Joerger, M., M. Jamoom, M. Spenko, and B. Pervan, ing (NPRM),” DoT NHTSA, 49 CFR Part 571, RIN 2127-AL55, tive generalized likelihood ratio detector with applica- “Integrity of Laser-Based Feature Extraction and Data 2016, available online at http://www.safercar.gov/v2v/ tion to maneuvering target tracking. AIAA Journal of Association,” Proc. IEEE/ION PLANS 2016, Savannah, GA, pdf/V2V%20NPRM_Web_Version.pdf Guidance, Control, and Dynamics, 29(2):465474, 2006. 2016, pp. 557-571. [71] NHTSA “Assessment of Safety Standards for Automo- [26] Diosi, A., and L. Kleeman, “Laser scan matching in [51] Joerger, M., B. Pervan, “Continuity Risk of Feature tive Electronic Control Systems”, DOT HS 812 285, 2016. polar coordinates with application to SLAM,” Proc. IEEE/ Extraction for Laser-Based Navigation,” Proceedings of [72] Nikiforov, I., New Optimal Approach to Global Posi- RSJ IROS, 2005. the 2017 International Technical Meeting of The Institute tioning System/Differential Global Positioning System [27] Dissanayake, G., P. Newman, S. Clark, H. Durrant- of Navigation, Monterey, California, January 2017, pp. Integrity Monitoring. AIAA Journal of Guidance, Control, Whyte, and M. Csorba. A Solution to the Simultaneous 839-855. and Dynamics, page 10231033, 1996. Localization and Map Building (SLAM) Problem. IEEE [52] Joerger, M., and B. Pervan, “Quantifying Safety for [73] Nunez, P., R. Vazquez-Martin, J.C. del Toro, and Transactions on Robotics Automation, 17(3):229–241, Laser-based Navigation,” submitted to IEEE TAES, 2017. A. Bandera. Feature extraction from laser scan data 2001. [53] Kalra, N., and S. Paddock, “Driving to safety: How based on curvature estimation for mobile robotics. [28] Dougherty, M., “Caltrans Leadership in Automated many miles of driving would it take to demonstrate In Proceedings of the Institute of Electrical and Electron- Vehicle Research,” Automated Vehicles Symposium 2017 autonomous vehicle reliability?” Technical Report RR- ics Engineers International Conference on Robotics and (AVS2017), San Francisco, CA, 2017. 1478-RC, Rand Corporation, 2016. Automation (IEEE ICRA), 2006. [29] Dragalin, V.P., A.G. Tartakovsky, and V.V. Veeravalli. [54] Kavanaugh-Brown, J., “Where the Research [74] Othman, N.A., and H. Ahmad. The analysis of The interacting multiple model algorithm for systems Meets the Road: Automated Highway Pass- covariance matrix for kalman filter based slam with with markovian switching coefficients. IEEE Transac- es the Test”, Government Technology, 1997. intermittent measurement. In Proceedings of the 2013 tions on Information Theory, 45(7):24482461, 1999. available at: http://www.govtech.com/featured/Where- International Conference on Systems, Control and Infor- [30] Dragalin, V.P., A.G. Tartakovsky, and V.V. Veeravalli. the-Research-Meets-the-Road.html matics, 2013. Multihypothesis sequential probability ratio tests. [55] Kelly, R., and J. Davis, “Required Navigation Perfor- [75] Page, E.S., Continuous inspection schemes. ii. accurate asymptotic expansions for the expected mance (RNP) for Precision Approach and Landing with Biometrika, 41(1-2):100–115, 1954. sample size. IEEE Transactions on Information Theory, GNSS Application,” NAVIGATION, 1994. [76] Parkinson, B.W., and P. Axelrad, “Autonomous GPS 46(4):13661383, July 2000. [56] Lee, Y.C., “Analysis of Range and Position Compari- Integrity Monitoring Using the Pseudorange Residual,” [31] Duenas-Arana, G., M. Joerger, and M. Spenko, “Mini- son Methods as a Means to Provide GPS Integrity in NAVIGATION, Vol. 35, No. 2, 1988. mizing Integrity Risk via Landmark Selection in Mobile the User Receiver,” Proc. of the 42nd Annual Meeting of [77] Pfister, S.T., K.L. Kriechbaum, S.I. Roumeliotis, and Robot Localization,” submitted to IEEE TRA, 2017. The Institute of Navigation, Seattle, WA, 1986. J.W. Burdick. Weighted range sensor matching algo- [32] FAA, “System Design and Analysis,” Advisory Circular [57] Lee, J., B. Kim, J. Seo, K. Yi, J. Yoon, and B. Ko. Auto- rithms for mobile robot displacement estimation. In AC 25.1309-1A, 1988. mated driving control in safe driving envelope based Proceedings of the Institute of Electrical and Electronics [33] FAA, “System Safety Design and Analysis for Part 23 on probabilistic prediction of surrounding vehicle Engineers International Conference on Robotics and Airplanes”, Advisory Circular AC 23.1309-1E, 2011. behaviors. Society of Automotive Engineers International Automation (IEEE ICRA), 2002. [34] fars.NHTSA.dot.gov, “Fatality analysis reporting sys- Journal of Passenger Cars - Electronic and Electrical Sys- [78] Pfister, S.T., S.I. Roumeliotis, and J.W. Burdick. tem,” Technical report, NHTSA, 2014. tems, 8(1):207–218, 2015. Weighted line fitting algorithms for mobile robot map [35] Federal Aviation Administration (FAA), “Automatic [58] Le Marchand, O., Philippe Bonnifait, Javier Ibaez- building and efficient data representation robotics and Dependent Surveillance-Broadcast Operations,” Advi- Guzmn, and David Btaille. Vehicle Localization Integrity automation. In Proceedings of the Institute of Electrical sory Circular AC No: 90-114A, DoT FAA, 2016. Based on Trajectory Monitoring. In IEEE/RSJ Internation- and Electronics Engineers International Conference on [36] Federal Highway Administration (FHWA), “Vehicle al Conference on Intelligent Robots and Systems, pages Robotics and Automation (IEEE ICRA), 2003. Positioning Trade Study for ITS Applications”, FHWA- 3453–3458, 2009. [79] Radio Technical Commission for Aeronautics JPO-12-064, 2012. [59] Leonard, J., and H. Durrant-Whyte. Directed Sonar (RTCA), “Minimum Operating Performance Standards [37] Fenton, R. E., and K. W. Olson “The electronic high- Sensing for Mobile Robot Navigation. Kluwer Academic (MOPS) for Universal Access Transceiver (UAT) Auto- way ” IEEE Spectrum, 1969. Publishers, 1992. matic Dependent Surveillance – Broadcast (ADS-B),” [38] Forsberg, http://www.forsbergservices.co.uk, [60] Li, Y., and Olson E.B. A general purpose feature RTCA ,Washington DC, 2009. “NovAtel Establishes Advanced Research Partnership extractor for light detection and ranging data. Sen- [80] RTCA Special Committee 159, “Minimum Aviation with Illinois Institute of Technology and the University sors, 10(11), 2010. System Performance Standards for the Local Area Aug- of Arizona,” press release, 2016, available at: http://www. [61] Lorden, G., Procedures for reacting to a change mentation System (LAAS),” RTCA/DO-245, 2004. forsbergservices.co.uk/index.php/2016/11/16/novatel- in distribution. The Annals of Mathematical Statistics, [81] RTCA Special Committee 159, “Minimum Opera- establishes-advanced-research-partnership-with-illinois- 42(6):18971908, 1971. tional Performance Standards for Global Positioning institute-of-technology-and-the-university-of-arizona/ [62] Lu, F., and E. Milios, “Globally Consistent Range Scan System/Wide Area Augmentation System Airborne [39] Gartner’s “2016 Hype Cycle for Emerging Tech- Alignment for Environment Mapping,” Autonomous Equipment,” RTCA/DO-229C, 2001. nologies” available online at http://www.gartner.com/ Robots 4, 1997, pp. 333-349. [82] Reimer, B., “Revisiting the Topic – The Future is newsroom/id/3412017 [63] Madhavan, R., H. Durrant-Whyte, and G. Dissanay- Autonomous Driving – But Are “We” on a Near Term [40] Gertler, J., A survey of model based failure detec- ake. Natural landmark-based autonomous navigation Collision Course?” Automated Vehicle Symposium 2017, tion and isolation in complex plants. IEEE Control Sys- using curvature scale space. In Proceedings of the Insti- (AVS2017), San Francisco, CA, 2017. tems Magazine, 8(6):3–11, 1988. tute of Electrical and Electronics Engineers International [83] Röfer, T., “Using Histogram Correlation to Create [41] Gitlin, J., “Prepare for the part-time self-driving car,” Conference on Robotics and Automation (IEEE ICRA), Consistent Laser Scan Maps,” Proc. IEEE IROS-2002, Lau- online at arstechnica.com, 2014. 2002. sanne, Switzerland, 2002, pp. 625-630. [42] Google, “Google self-driving car testing report [64] Malladi, D. P., and J. L. Speyer. A generalized shiry- [84] Rogowsky, M., “The Truth About Tesla’s Autopilot Is on disengagements of autonomous mode”, available ayev sequential probability ratio test for change detec- We Don’t Yet Know How Safe It Is” , Forbes, 2016. online at https://www.dmv.ca.gov/portal/wcm/connect/ tion and isolation. IEEE Transactions on Automatic Con- [85] SAE International, “Surface Vehicle Recommended dff67186-70dd-4042-bc8c-d7b2a9904665/GoogleDisen- trol, 44(8):1522–1534, 1999. Practice: Taxonomy and Definitions for Terms Related gagementReport2014-15.pdf?MOD=AJPERES, December [65] Maksarov, D., and H. Durrant-Whyte. Mobile Vehi- to Driving Automation Systems for On-Road Motor 2015. cle Navigation in Unknown environments: a Multiple Vehicles,” SAE Standard J3016, 2016. [43] Greenblatt, J. B., and S. Saxena, “Autonomous taxis Hypothesis Approach. In IEEE Proceedings on Control [86] Schoettle, B., and M. Sivak, “A Preliminary Analysis could greatly reduce greenhouse-gas emissions of us Theory Applications, volume 142, pages 385–400, 1995. of Real-World Crashes Involving Self-Driving Vehicles,” light-duty vehicles,” Nature Climate Change, 5:860–863, [66] National Transport Safety Board (NSTB), “Prelimi- Report No. UMTRI-2015-34, October 2015. 2015. nary Report, Highway HWY16FH018,” Accident Report [87] Sobel, M., and A.Wald. A sequential decision proce- [44] Greiling Keane, A., “U.S. highway deaths decline ID: HWY16FH018, 2016. available online at https:// dure for choosing one of three hypotheses concern- for a fifth year, longest streak since 1899,” Bloomberg, www.ntsb.gov/investigations/AccidentReports/Pages/ ing the unknown mean of a normal distribution. The Published December 08, 2011. HWY16FH018-preliminary.aspx Annals of Mathematical Statistics, 20(4):502522, 1949. [45] Halsey III, A., and M. Laris, “Blind man sets out alone [67] Neville, K., and K. Williams, “Integrating Remotely [88] Soloviev, A., D. Bates, and F. van Graas. Tight Cou- in Google’s driverless car,” The Washington Post, 2016. Piloted Aircraft Systems into the National Airspace Sys- pling of Laser Scanner and Inertial Measurements for a [46] Hewitson, S., and J. Wang. Extended Receiver tem,” Remotely Piloted Aircraft Systems: A Human Systems Fully Autonomous Relative Navigation Solution. NAVI- Autonomous Integrity Monitoring (eRAIM) for GNSS/ Integration Perspective, Wiley, 2017. GATION, Journal of The Institute of Navigation, 54(3):189 INS Integration. Journal of Surveying Engineering, [68] Nguyen, V., A. Martinelli, N. Tomatis, and R. Sieg- – 205, 2007. 136(1):13–22, 2010. wart. A comparison of line extraction algorithms using [89] Soloviev, A., Multi-Sensor Fusion for Navigation [47] Hype cycle curves available online at https:// 2d laser rangefinder for indoor mobile robotics. In Pro- of Autonomous Vehicles. In Proceedings of the 26th en.wikipedia.org/wiki/Hype_cycle ceedings of the Institute of Electrical and Electronics Engi- International Technical Meeting of The Satellite Division [48] International Organization for Standardization neers/ Robotics Society of Japan International Conference of the Institute of Navigation (ION GNSS+ 2013), pages (ISO), “Road vehicles - Functional safety”, ISO 26262, on Intelligent Robots and Systems (IEEE/RSJ IROS), 2005. 3615 – 3632, 2013. 2011. [69] NHTSA “National motor vehicle crash causation [90] Soloviev, A., C. Yang, M. Veth, and C. Taylor. Assured [49] Joerger, M., “Carrier Phase GPS Augmentation survey: Report to congress,” Technical Report DOT HS Vision Aided Inertial Localization. In Proceedings of the Using Laser Scanners and Using Low Earth Orbiting 811 059, U.S. Department of Transportation, 2008. 27th International Technical Meeting of The Satellite Satellites,” Ph.D. Dissertation, Illinois Institute of Tech- [70] NHTSA, “Federal Motor Vehicle Safety Standards; Division of the Institute of Navigation (ION GNSS+ 2014), nology, 2009. V2V Communications, Notice of Proposed Rulemak- pages 2160 – 2173, 2014.

48 InsideGNSS NOVEMBER/DECEMBER 2017 www.insidegnss.com [91] Sukkarieh, S., E.M. Nebot, and H.F. DurrantWhyte. [100] White, N. A., P.S. Maybeck, and S.L. DeVilbiss. Early Achievement Award. Dr. Joerger is currently A high integrity imu/gps navigation loop for autono- Detection of interference/jamming and spoofing assistant professor at the University of Arizona, mous land vehicle applications. IEEE Transactions on in a dgps-aided inertial system. IEEE Transactions on working on multi-constellation Advanced Receiv- Robotics and Automation, 51(3):572578, 1999. Aerospace and Electronic Systems, 34(4):12081217, 1998. er Autonomous Integrity Monitoring for civilian [92] Toledo-Moreo, R., M. A. Zamora-Izquierdo, B. beda [101] Wikipedia , “Automotive Safety Integrity Level,” Miarro, and A. F. Gmez-Skarmeta. High-Integrity IMM- 2017. available at: https://en.wikipedia.org/wiki/ aviation applications, and on multi-sensor integra- EKF-Based Road Vehicle Navigation With Low-Cost Automotive_Safety_Integrity_Level tion, fault detection and exclusion for ground GPS/SBAS/INS. IEEE Transactions on Aerospace and [102] Williams, S.B., G. Dissanayake, and H. Durrant- vehicle navigation. Electronic Systems, 8(3):491–511, 2007. Whyte. An efficient approach to the simultaneous Matthew Spenko is an [93] Tena Ruiz, I., Y. Petillot, D.M. Lane, and C. Salson. localization and mapping problem. In Proceedings of associate professor in the Feature extraction and data association for AUV con- the Institute of Electrical and Electronics Engineers Inter- Mechanical, Materials, current mapping and localization. In Proceedings of national Conference on Robotics and Automation (IEEE the Institute of Electrical and Electronics Engineers Inter- ICRA), 2002. and Aerospace Engineer- national Conference on Robotics and Automation (IEEE [103] Willsky, A. S., A Survey of Design Methods for ing Department at the ICRA), 2001. Failure Detection in Dynamic Systems. Automatica, Illinois Institute of Tech- [94] Thrun, S., W. Burgard, and D. Fox. A probabilistic 12:601–611, 1976. nology. Prof. Spenko approach to concurrent mapping and localization [104] Working Group C ARAIM Technical Subgroup, e a r n e d t h e B . S . for mobile robots. Machine Learning and Autonomous “Milestone 3 Report,” Technical report, EU-US Coopera- degree cum laude in Robots, 31(5):1–25, 1998. tion on Satellite Navigation, 2015. Mechanical Engineering from Northwestern Uni- [95] Thrun, S., W. Burgard, and D. Fox. A real-time algo- [105] Yoshida, J., “Another Tesla Crash, What It Teaches versity in 1999 and the M.S. and Ph.D. degrees in rithm for mobile robot mapping with applications to Us,” EE Times, 2016. multi-robot and 3d mapping. In Proceedings of the Mechanical Engineering from Massachusetts Insti- Institute of Electrical and Electronics Engineers Interna- tute of Technology in 2001 and 2005, respective- tional Conference on Robotics and Automation (IEEE Authors ly. He was an Intelligence Community Postdoc- ICRA), 2000. Mathieu Joerger toral Scholar in the Mechanical Engineering [96] Thrun, S., “Robotic Mapping: A Survey,” Exploring obtained a “Diplôme Department’s Center for Design Research at Stan- Artificial Intelligence in the New Millenium. Morgan d’Ingénieur” (2002) from ford University from 2005 to 2007. He has been a Kaufmann Publishers Inc., 2003. the Ecole Nationale faculty member at the Illinois Institute of Technol- [97] Thrun, S., “National Highway Traffic Safety Adminis- Supérieure des Arts et ogy since 2007 and received tenure in 2013. His tration (NHTSA),” keynote presentation, ION GNSS 2007, Industries de Strasbourg, Fort Worth, TX, 2007. research is in the general area of robotics with in France, and M.S. (2002) specific attention to mobility in challenging envi- [98] Van Eikema Hommes, Q. D., “Assessment of safety and Ph.D. (2009) in standards for automotive electronic control systems,” ronments. Prof. Spenko is a member of IEEE and NHTSA Report No. DOT HS 812 285, Washington, DC, Mechanical and Aero- an associate editor of the Journal of Field Robot- 2016. space Engineering from the Illinois Institute of ics. His work has been featured in popular media [99] Waymo, “We’ve reached 3 million miles of self- Technology in Chicago. He is the 2009 recipient of such as the New York Times, CNET, Engadget, and driving on public roads! That’s 1 million miles in just the Institute of Navigation (ION)’s Bradford Parkin- DiscoveryNews. 7 months,” available online at https://twitter.com/ son award, and the 2014 recipient of the ION’s Waymo?lang=en, 2017.

www.insidegnss.com NOVEMBER/DECEMBER 2017 InsideGNSS 49