The Mobileye Safety Methodology

Background

The two critical components in the engineering process of every AV are:

1. Perception: In order to operate, an AV must understand its surrounding environment: detect all relevant objects and road users and, for each one, determine its position and speed. A critical failure of the Perception System is one that leads to an accident.

2. Driving Policy: Once the AV has a good understanding of its surroundings, it must decide what to do next. While Perception deals with understanding the present state of the world, Driving Policy requires “what would happen next” reasoning. Furthermore, the prediction of the future is not fixed: it depends on the decisions the AV itself will make.

A failure in either the Perception System or the Driving Policy might lead to an accident.

Our first argument is that Perception failures and Driving Policy failures should be treated differently.

Perception System

There is a clear ground truth and therefore a rather clear definition of “error”. For example, if there is a car in front of the AV and the Perception System fails to recognize it, it is a plain fact that the Perception System failed. Two humans asked whether there is a car in front of the AV will give the same answer. Therefore, we can easily measure the performance of the Perception System by calculating how often it makes an error.

For Perception, there is a clear monotonic relation between a “safer” AV and a “better” AV: the fewer Perception mistakes the system makes, the “safer” and “better” the AV is.

Driving Policy

Driving Policy depends on “what would happen next” reasoning, which is not factual. Two humans might give two different answers when asked whether the AV should yield to a car at an intersection or take the right of way: one will say it is safer to yield, the other that it is safer to take the right of way so as not to block traffic. So there is no clear definition of “error”; it is open to interpretation and judgement of the situation. Furthermore, this judgement is often made in retrospect, after an accident has occurred, with the advantage of knowing the future (that is, knowing “what happened next” rather than having to guess “what would happen next”).

For Driving Policy, being “safer” does not always mean being “better”. Consider, for example, a residential road with parked vehicles on both sides. Since a pedestrian might run into the road, the “safest” AV would drive very, very slowly, making sure that even if a kid on an electric bike suddenly entered the road at high speed, the AV would manage to brake in time. However, such extremely slow driving would block traffic. In fact, no human drives that slowly in such a case. The reason is that as a society we balance safety and efficiency by determining what “reasonable risk” we are willing to take.


Consequently, Mobileye believes that AV regulation should address two topics:

1. Defining what is considered to be a failure

As explained above, for the Perception System this is clear, since there is a notion of “ground truth”. For the Driving Policy, regulation must formally define the notion of “reasonable risk” and thereby set the balance between safety and efficiency. We note that regulation already partially performs this task. For example, by setting the speed limit on a given road it tells human drivers that driving faster than the limit is too risky, while driving below it is considered a reasonable risk. However, current law is not complete: it does not cover all aspects and all scenarios, and it also contains vague notions like “drive according to road conditions”.

2. Defining the acceptable Mean-Time-Between-Failure (MTBF)

Once a clear notion of a failure has been defined, the regulator should decide what is an acceptable frequency of failure. A convenient way to define this is by using MTBF, the average time (here measured in miles driven) a system operates between failures. A starting point is requiring that AVs have roughly the same MTBF as human drivers. Evidence shows that the MTBF of a human driver is about 500,000 miles.

How is Mobileye addressing those topics?

Mobileye separates the MTBF of the Perception System from the MTBF of the Driving Policy system. We define a Perception error as one that inevitably leads to a crash. Since a higher Perception MTBF translates directly into a safer AV, our goal is to reach as high an MTBF as possible. We employ four principles for achieving a high MTBF:

1. Open-loop Validation

Open-loop (offline) validation of perceptual components (such as vehicle and pedestrian detection) allows us to harness data collected from ADAS customer functions over billions of miles.

2. True Redundancy

We apply the principle of “redundancy”: critical functions are developed and activated through different and separate channels. In practical terms, our Perception System is broken down along sensor modalities: a camera-only subsystem and a Lidar/Radar subsystem. Creating subsystems along sensor modalities increases their “independence”, in the sense that the probability of missing a critical object becomes the product of the probabilities of missing it in each subsystem separately (a relation that holds only to the extent that the subsystems actually fail independently). In addition, within each subsystem we develop algorithmic redundancy, where critical functions are developed using different algorithmic principles: for example, vehicle detection through pattern recognition (monocular) and through triangulation (multiple cameras). The redundancy approach serves two goals: (i) a more robust design of the Perception System, and (ii) offline validation of critical functions can be done separately for each subsystem, against a much lower MTBF goal than the one required of the whole.

3. Road Experience Management

Highly detailed and accurate maps for AVs, generated by our REM(TM) crowdsourced mapping technology, provide a robust understanding of the environment and enhance MTBF.

4. Responsibility Sensitive Safety

The MTBF goal of the Driving Policy system is zero events (an MTBF of infinity). This requires, first and foremost, removing the need for “what would happen next” reasoning, which inevitably requires predicting human behavior, a task we believe is unwieldy. Second, it requires a formal setting through which the spectrum of “safety” versus “usefulness” can be defined and decided upon by the regulatory bodies in each AV deployment territory. Both goals are achieved by Mobileye’s Responsibility Sensitive Safety (RSS) model. To avoid reasoning about “what would happen next”, RSS adopts the “worst case” scenario. Then, because a pure “worst case” policy could lead to overly defensive driving, a framework of parametric assumptions is established that defines the boundaries for keeping safe distances to other road users, so that the Driving Policy remains “useful”. RSS goes beyond a formal set of assumptions by providing “completeness” guarantees: an agent that respects the safe-distance definitions and executes the prescribed “proper response” is guaranteed never to cause an accident (hence the “zero events” goal for the Driving Policy system).
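To make the “worst case instead of prediction” idea concrete, here is an added example, not Mobileye’s code, of the RSS longitudinal safe-distance rule for two cars travelling in the same direction. The formula is the one published in the RSS paper (Shalev-Shwartz, Shammah and Shashua, 2017); the parameter names, the constructed parameter values and the helper functions are assumptions made here for illustration.

```python
"""Added example (not Mobileye's code): the RSS longitudinal safe-distance rule
for two cars travelling in the same direction. The formula is the one given in
the published RSS paper (Shalev-Shwartz, Shammah and Shashua, 2017); the
parameter values below are constructed to show how the regulator's choice of
parameters moves the safety/usefulness balance."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RSSParams:
    rho: float          # response time of the rear car [s]
    a_max_accel: float  # worst-case acceleration of the rear car during rho [m/s^2]
    a_min_brake: float  # braking the rear car guarantees after rho [m/s^2]
    a_max_brake: float  # hardest braking assumed for the front car [m/s^2]


def safe_longitudinal_distance(v_rear: float, v_front: float, p: RSSParams) -> float:
    """Minimum gap (metres) so that the rear car stops before reaching the front
    car under the worst case RSS assumes: the front car brakes as hard as
    a_max_brake right now, while the rear car keeps accelerating at a_max_accel
    for rho seconds and only then brakes, at no more than a_min_brake.
    No prediction of what the other driver 'would' do is involved."""
    v_rear_after_rho = v_rear + p.rho * p.a_max_accel
    rear_stop = (v_rear * p.rho
                 + 0.5 * p.a_max_accel * p.rho ** 2
                 + v_rear_after_rho ** 2 / (2.0 * p.a_min_brake))
    front_stop = v_front ** 2 / (2.0 * p.a_max_brake)
    return max(0.0, rear_stop - front_stop)


def is_longitudinally_safe(gap: float, v_rear: float, v_front: float, p: RSSParams) -> bool:
    """A situation is safe when the actual gap is at least the worst-case distance;
    if it is not, the 'proper response' is for the rear car to brake."""
    return gap >= safe_longitudinal_distance(v_rear, v_front, p)


if __name__ == "__main__":
    # Constructed parameter sets: a cautious and a more permissive choice.
    cautious = RSSParams(rho=1.0, a_max_accel=3.0, a_min_brake=4.0, a_max_brake=8.0)
    permissive = RSSParams(rho=0.5, a_max_accel=3.0, a_min_brake=5.0, a_max_brake=6.0)
    v = 30.0  # both cars at 30 m/s (108 km/h)
    for label, params in (("cautious", cautious), ("permissive", permissive)):
        d = safe_longitudinal_distance(v, v, params)
        print(f"{label:10s} parameters: keep at least {d:6.1f} m behind a car doing {v} m/s")
    # Edge case: a stopped rear car behind a fast-moving front car needs no gap at all.
    print("stopped behind moving car:", safe_longitudinal_distance(0.0, 30.0, cautious))
```

The four parameters are exactly the knobs a regulator would set: with both cars at 30 m/s the cautious set demands a gap of about 111 m and the permissive set about 40 m, which is the safety-versus-usefulness trade-off expressed as numbers rather than as a guess about the other driver’s intentions.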