Relying on top-notch, highly expensive vehicle parts to make automated transport a reality may provide sufficient guarantees for a large-scale deployment, but such an expensive setup might discourage investors. To resolve this conundrum, the KARYON project has developed a technology capable of adapting its behaviour to the reliability of its sensors and connection with other vehicles.
If there is one upsetting thing in an increasingly connected world, it’s the absence, even for a short duration, of network connectivity at the moment it is needed most. But what if all cars and planes were also relying on such connections to work properly? Under such a scenario, which seems bound to happen if we consider self-driving vehicles as the future of the transport sector, the thought of lost connectivity would make anybody’s blood run cold… which is the main reason why such vehicles are yet to be seen on our roads.
The EU-funded project KARYON (Kernel-based Architecture for safetY-critical cONtrol) was initiated with a view to overcoming this problem, thanks to a technology that would allow a connected car or plane to immediately contemplate a plan B when connectivity with other vehicles is not up to defined standards. From October 2011 to December 2014, the project team worked on a technology that will ultimately allow for a better use of road space through cross-vehicle communications and automated, sensor-based driving managed by a piece of technology called the Safety Kernel.
Thanks to the Kernel, which compiles rules on how to react to uncertainties and failures of wireless communication, the team has been able to rely on a set of commercially available sensors while ensuring maximum safety. The Kernel allows switching from cooperative to baseline, sensor-based functionality when data reliability is insufficient — for example by increasing the distance between vehicles.
Antonio Casimiro, who coordinated the project for the University of Lisbon, tells us more about the project outcomes and what will come next.
On the project website we can read that wireless communication, although improving performance, also introduces new safety risks. How so?
If some of the vehicles’ autonomous control functions rely on information that they expect to receive wirelessly (which can be a good idea, because this information can be useful), then safety becomes dependent on how well the wireless network will perform, for instance, how well it is able to deliver messages on time and avoid message corruption and loss. This can jeopardise safety because the wireless network might fail, in this case at a rate which often implies a loss of information — think about losing connection with your mobile phone in a car or train.
In a nutshell, although wireless communication may be exploited for vehicle cooperation, and hence for improving the way in which autonomous functions are performed, the design must take into account the additional safety risks that are introduced.
What is the Safety Kernel and how does it work?
The Safety Kernel is a new element in the architecture of a smart cooperative vehicle. It is responsible for setting the mode of operation of autonomous control functions, so that the set of assumptions (we call them safety rules) on top of which the current mode of operation was designed is satisfied.
For instance, consider that in a certain mode of operation the control system might have been designed to enforce a certain minimum safety distance to another vehicle, assuming some maximum communication delay with that vehicle. The Safety Kernel is responsible for continuously evaluating if this assumption is satisfied and, if not, for triggering a change in the mode of operation so that the new mode of operation no longer requires (assumes) the same communication delay. As a consequence, the new mode of operation may enforce a larger minimum safety distance or a lower maximum speed, because it can no longer rely on the communication delay assumption. The same applies to other kinds of assumptions, namely on the quality of information collected from sensors.
How do you ensure that, when wireless communication between vehicles is faulty, the driverless model remains safe?
In the case of communication faults, it might still be possible to communicate even though the quality of this communication is undermined. So it might be possible to design a mode of operation that ensures safety based on the level of communication quality.
But let us assume that wireless communication is totally disrupted, and a vehicle can no longer communicate. In this case, the Safety Kernel will switch to a fully autonomous mode of operation, which does not rely on the wireless network and hence does not benefit from cooperation with other vehicles. Still, as long as this autonomous mode was designed to ensure a safe operation — which can be done by relying on information collected from local sensors (as current autonomous vehicles do) — the failure of the wireless communication will not impact safety.
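The two answers above describe the same mechanism from two angles: each mode of operation is designed on top of a set of safety rules (a maximum communication delay, a minimum sensor quality), the Safety Kernel keeps checking whether those rules hold, and when they stop holding it moves to a mode that no longer assumes them, at the price of a larger safety distance or a lower speed, down to a fully autonomous mode that needs no network at all. The following Python model is an added illustration of that evaluate-and-switch loop; it is not KARYON project code, and the mode names, thresholds, distances, speeds and telemetry samples are all constructed for the example.

```python
"""Toy Safety Kernel: pick the most cooperative mode whose safety rules hold.

Added example, not code from the KARYON project. Every mode, threshold and
telemetry value below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Mode:
    """A mode of operation together with the assumptions it was designed on."""
    name: str
    max_comm_delay_ms: Optional[float]  # None: the mode assumes nothing about the network
    min_sensor_quality: float           # 0.0 .. 1.0, quality the local sensors must reach
    min_safety_distance_m: float        # distance the mode enforces to the vehicle ahead
    max_speed_kmh: float                # speed cap the mode enforces


# Ordered from highest performance (needs the most assumptions) to most conservative.
MODES: List[Mode] = [
    Mode("cooperative",          max_comm_delay_ms=100.0, min_sensor_quality=0.9,
         min_safety_distance_m=10.0, max_speed_kmh=120.0),
    Mode("degraded_cooperative", max_comm_delay_ms=300.0, min_sensor_quality=0.7,
         min_safety_distance_m=25.0, max_speed_kmh=90.0),
    # Fully autonomous: relies on local sensors only, no wireless assumption at all.
    Mode("autonomous",           max_comm_delay_ms=None,  min_sensor_quality=0.7,
         min_safety_distance_m=40.0, max_speed_kmh=70.0),
    # Last resort when even the local sensors cannot be trusted.
    Mode("safe_stop",            max_comm_delay_ms=None,  min_sensor_quality=0.0,
         min_safety_distance_m=100.0, max_speed_kmh=0.0),
]


@dataclass(frozen=True)
class Telemetry:
    """One evaluation window as seen by the kernel (constructed sample input)."""
    comm_delay_ms: Optional[float]  # None when no message from the other vehicle arrived
    sensor_quality: float


def rules_hold(mode: Mode, t: Telemetry) -> bool:
    """Check every safety rule the mode was designed on against the current window."""
    if mode.max_comm_delay_ms is not None:
        # A missing message counts as a violated delay assumption, not as zero delay.
        if t.comm_delay_ms is None or t.comm_delay_ms > mode.max_comm_delay_ms:
            return False
    return t.sensor_quality >= mode.min_sensor_quality


def select_mode(t: Telemetry) -> Mode:
    """Return the highest-performance mode whose assumptions are currently satisfied."""
    for mode in MODES:
        if rules_hold(mode, t):
            return mode
    return MODES[-1]  # safe_stop accepts anything, so this is only a formality


class SafetyKernel:
    """Keeps the current mode and records each transition it triggers."""

    def __init__(self) -> None:
        self.current: Mode = MODES[0]
        self.transitions: List[str] = []

    def step(self, t: Telemetry) -> Mode:
        new = select_mode(t)
        if new.name != self.current.name:
            self.transitions.append(f"{self.current.name} -> {new.name}")
            self.current = new
        return self.current


def simulate(samples: List[Telemetry]) -> List[str]:
    """Run the kernel over a telemetry trace and return the mode chosen per window."""
    kernel = SafetyKernel()
    return [kernel.step(t).name for t in samples]


if __name__ == "__main__":
    # Constructed trace: healthy network, then rising delay, then total loss, then recovery.
    trace = [
        Telemetry(comm_delay_ms=40.0,  sensor_quality=0.95),
        Telemetry(comm_delay_ms=220.0, sensor_quality=0.95),
        Telemetry(comm_delay_ms=None,  sensor_quality=0.85),
        Telemetry(comm_delay_ms=None,  sensor_quality=0.40),
        Telemetry(comm_delay_ms=60.0,  sensor_quality=0.95),
    ]
    for t, name in zip(trace, simulate(trace)):
        m = select_mode(t)
        print(f"{name:22s} distance>={m.min_safety_distance_m:5.1f} m  speed<={m.max_speed_kmh:5.1f} km/h")
```

The point worth noticing is that the kernel never reasons about the network directly; it only asks whether the assumptions behind each mode still hold, so a lost message and a late message are handled by the same rule, and the fully autonomous mode stays available because it carries no network assumption at all. Recovery is also automatic: as soon as the delay drops back under the cooperative threshold, the cooperative mode is selected again.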
Controlling cost is a major part of the project. How do you achieve this?
What is great with the approach we propose in KARYON is that it does not require all vehicle (safety-critical) components to always function perfectly (technically, they do not need to be certified with the highest safety integrity level, ASIL D if we consider automotive safety standards). Just like with wireless communication components, which do not require any special safety-related certification and hence are low-cost components, other parts may also be replaced by lower cost components, with a lower integrity certification, which can still provide the necessary service most of the time and, when they don’t, the system is capable of adapting the mode of operation to exclude these malfunctioning components from the safety path, at the cost of a reduced performance. Given that the cost of some components is extremely high due to the stringent certification requirements, the KARYON approach created conditions for these costs to be reduced considerably.
How did you manage to integrate current road and air traffic rules into the kernel model which seems to rely solely on the most efficient behaviour?
The concrete traffic rules have to be addressed at the application level, that is, when designing each mode of operation. Therefore, the proposed approach is generic in this respect and can be applied in both automotive and aeronautic cooperative applications. Interestingly, from a safety perspective, the existing safety standards in the two domains have many similarities, namely as concerns the definition of several safety integrity levels. Therefore, the concepts developed in KARYON are also applicable to both domains in this respect.
Now that the project has ended, what are your plans for the kernel technology? Are you planning for ‘real world’ trials?
In line with what was presented to the European Commission at the time of the proposal, the project did not yet have the expectation to reach the level of maturity needed to immediately use these results for the development of a final product. Nevertheless, we believe the project took the right track when we look ahead to what we believe will be the future requirements in terms of cost, safety and efficient use of roads and air space. We also believe that new business models will emerge, making use of vehicle autonomy, which will increase the needs for cooperation and adaptability that we have addressed in the project.
Concrete steps are being taken in order to bring the technology to a higher level of maturity, namely to Technical Readiness Level 7, for which we are in contact with major players in the car industry in order to create the right consortium, able to successfully perform the work ahead.