Article - Issue 62, March 2015
Response to: Autonomous vehicles
Christopher Poulin, Professor Neville A Stanton, Professor David Cebon FREng, Dr Wolfgang Epple
Posing the question in the December 2014 issue of Ingenia, ‘When will cars drive themselves?’ Professors Gordon and Lidberg consider what is needed before self-driving cars are likely to operate widely in unstructured driving environments. I would like to expand on one critical consideration about autonomous and semi-autonomous vehicles.
Cars are indeed getting smarter, essentially through increased communication with users, manufacturers and the outside environment. This communication involves complex electronic systems. In a typical modern high-end car this can involve up to 100 million lines of computer code, more than six times that of an aircraft such as the Boeing 787. Unfortunately, this complex code may include security holes that allow hackers to compromise safety and privacy.
Even a seemingly harmless function such as a tyre pressure monitoring system, which communicates telemetry between sensors in the tyres to the vehicle’s control network, provides an avenue of attack. Attackers could also access a vehicle’s electronics through communications channels such as onboard WiFi and Bluetooth, and vehicle-to-vehicle and vehicle-to-infrastructure systems. Remotely upgrading the code in electronic control units and other components, known as ‘firmware over the air’, must also be protected from tampering. Nor is wireless the only exposure to potential harm; simply inserting a CD or USB drive containing malware can modify some firmware.
These threats to safety and security can be mitigated though good engineering practice built on a system of systems approach. Considerations include designing in security for the lifetime of the vehicle, which is typically longer than most electronics, and adhering to certified standards from the start, treating security as a first-order requirement for each component and system. Related manufacturing and IT infrastructure must receive the same security consideration as the connected vehicle.
The security of connected vehicles is not, however, solely down to stringent engineering discipline. Security is a process that persists throughout the lifetime of the vehicle. From the moment the vehicle is loaded onto a car carrier or into a cargo hold, through provisioning at the dealer, delivery to the customer, visits to servicing facilities, customisation and upgrades of components, transfer of ownership, to compacting in a junkyard, the operation of the vehicle must be monitored to protect the safety and privacy of the owner and occupants.
One strategy for lifetime security is to monitor a vehicle’s operation by embedding data analysis tools that identify and contend with suspicious, or outright malicious, activity. Detection of anomalous behaviour must deal with the interaction of components within the vehicle as well as human behaviour. For example, general policies can be set in a connected car – a window control module should not be able to send control messages to the engine. However, different drivers will exhibit varying driving patterns. Some may drive with one foot on the gas and the other on the brake while others may be hyper-aware of traffic ahead and use the brake sparingly, preferring to let up on the gas or change gear. Behavioural profiling must be able to determine what is normal in the context of the driver, road conditions, geography and other factors.
Automakers are used to operating in a closed community, often within their own brand. However, the collision of old school automotive mechanics and modern communications technology challenges their culture. It’s only a matter of time before they look to collaborative efforts within the industry, as well as with outside security specialists, to design, build and manage the assurance necessary to keep the consumers safe from cyber threats throughout the life of the vehicle.
Christopher Poulin
Research Strategist, IBM Security Systems
Co-author of Driving security –
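The response above describes two layers of in-vehicle monitoring: a static policy (a window control module should not be able to send control messages to the engine) and a behavioural baseline of what is normal for a given driver. The following Python sketch, added here as an illustration and not part of the article or of any IBM product, shows the shape of such a monitor. The bus frame format, the module names (ENGINE_CTRL, WINDOW_CTRL and so on), the message identifiers and the sample traffic are all constructed for the example; the rate baseline is a deliberately simple stand-in for the richer, context-aware profiling the letter calls for.

```python
"""Policy and baseline checks over constructed in-vehicle network traffic.

Everything here (module names, message ids, sample frames) is invented for
illustration; no real vehicle network uses these values.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src: str        # originating control module (hypothetical name)
    msg_id: int     # message identifier on the vehicle network (constructed)
    payload: bytes


# Static allow-list: which module may emit which message identifiers.
# Anything not listed is a policy violation, including unknown modules.
POLICY = {
    "ENGINE_CTRL": {0x100, 0x101},   # engine control requests
    "BRAKE_CTRL":  {0x200},          # brake control requests
    "WINDOW_CTRL": {0x500},          # window position / status only
    "TPMS":        {0x600},          # tyre pressure telemetry
}


def check_policy(frames):
    """Return every frame whose source module is not allowed to emit its message id."""
    violations = []
    for f in frames:
        if f.msg_id not in POLICY.get(f.src, set()):
            violations.append(f)
    return violations


def learn_baseline(frames):
    """Learn a per-message-id count from traffic assumed to be normal for this driver."""
    return Counter(f.msg_id for f in frames)


def flag_rate_anomalies(frames, baseline, tolerance=3.0):
    """Flag message ids seen more than `tolerance` times their baseline count.

    Ids never seen in the baseline have a baseline of zero, so any occurrence
    of them is flagged.
    """
    counts = Counter(f.msg_id for f in frames)
    return {mid: n for mid, n in counts.items()
            if n > tolerance * baseline.get(mid, 0)}


def audit(frames, baseline):
    """Combine both checks into one report for a window of traffic."""
    return {
        "policy_violations": check_policy(frames),
        "rate_anomalies": flag_rate_anomalies(frames, baseline),
    }


# Constructed "normal" window used to learn the driver baseline.
NORMAL = [
    Frame("ENGINE_CTRL", 0x100, b"\x10"),
    Frame("ENGINE_CTRL", 0x100, b"\x12"),
    Frame("BRAKE_CTRL", 0x200, b"\x00"),
    Frame("WINDOW_CTRL", 0x500, b"\x01"),
    Frame("TPMS", 0x600, b"\x20\x21\x20\x21"),
]

# Constructed suspicious window: the window module issues an engine command,
# and brake commands arrive in a burst far above the learned rate.
SUSPICIOUS = [
    Frame("ENGINE_CTRL", 0x100, b"\x11"),
    Frame("WINDOW_CTRL", 0x100, b"\xff"),
    Frame("WINDOW_CTRL", 0x500, b"\x01"),
] + [Frame("BRAKE_CTRL", 0x200, b"\x7f")] * 5


if __name__ == "__main__":
    base = learn_baseline(NORMAL)
    print(audit(NORMAL, base))      # no violations, no anomalies
    print(audit(SUSPICIOUS, base))  # one policy violation, 0x200 flagged
```

The policy check is context-free and can be enforced at a gateway between bus segments; the rate check is where driver-specific profiling would live, and in a real system the baseline would be keyed by driver, road type and other context rather than a single counter.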
The utopian vision of the motor vehicle will have an onboard auto-driver, similar to the autopilot in aircraft, take over the driving tasks allowing the human driver to work, rest or play. The catch-22 of vehicle automation is that, while car owners are stripped of the need to perform driving tasks, they are still required to monitor their auto-driver and take manual control if the situation demands.
However, when vehicles become fully autonomous, even the most observant human driver’s attention will begin to wane; it will be akin to watching paint dry. Their mind will wander, and they may start to mentally switch off from the job of driving. This is especially true if they are reading, answering emails and surfing the internet.
How can this extra activity be reconciled with the need to keep an eye on the vehicle? The truth is, nobody really knows. I have been conducting research into vehicle automation for the past 20 years, and it is clear that drivers of automated vehicles are generally not as effective in emergencies as drivers of manual vehicles. Up to a third of drivers of automated vehicles did not recover the situation in our simulator studies at the University of Southampton, and I have repeatedly witnessed the failure of drivers to intervene when systems fail in both driving simulators and test track studies, whereas almost all drivers of manual vehicles recover in the same situation.
There is a concern that the driver and automated vehicle may become unsynchronised, for example if the driver believes the automated vehicle has detected the presence of another vehicle when, in fact, it has not. Our research has shown that if we design the vehicle to provide continuous relevant feedback to the driver (analogous to a chatty co-driver), we can reduce this kind of error substantially, but not completely.
We have found that drivers of automated vehicles take, on average, five times as long to respond to emergency braking when compared to manual drivers. Our research has also shown that if the driver is forced to continually monitor partial automation instead of driving manually, this does not diminish their workload at all, and that they cannot sustain this monitoring for long periods of time. We have also observed that the attention of the driver decreases quite dramatically in fully automated vehicles.
If the driver’s attention is needed suddenly, they are ill-prepared to take over control from the automated vehicle. So we may be asking for the impossible, taking away all of the control from the driver but leaving all of the accountability.
Lessons from automation in aviation appear to be going unheeded. It seems drivers of the future will be held responsible for something they have no control over. This does not mean that vehicle automation should be halted. Quite the reverse: as the potential benefits to driving are substantial, the lessons need to be learned and applied from other domains, so that the advancement of vehicle automation can resolve these problems.
We need to design vehicle automation to have graduated and gradual hand-over and hand-back tasks if it is to successfully support human drivers. Vehicle automation needs to work towards providing a chatty co-pilot, not a silent auto-pilot!
Professor Neville A Stanton
Chair in the Human Factors of Transport
University of Southampton
In a car travelling at highway speed, the time between a malfunction and control action needed to avoid an accident can be very short – a second or two at most. This differs from an aircraft, where seconds or minutes can pass between a malfunction and the resulting crash.
Analysis from the black box recovered from the Atlantic of airliner Air France Flight 447 shows that prior to the 2009 accident, the aircraft was in routine flight at 35,000 ft. The experienced captain retired from the cockpit to sleep, leaving the craft under the control of the autopilot and two co-pilots. Shortly afterwards, a pitot tube used for air speed indication iced up. This confused the aircraft’s systems and baffled the co-pilots. The autopilot disengaged from the control system and sounded the first of many alarms. Because of the confusing speed signals the junior co-pilot, who was responsible for control at the time, pulled up the nose of the aircraft a number of times and ignored countless stall alarms which he didn’t believe.
There followed a period of confusion and miscommunication between the two co-pilots, while the aircraft dropped rapidly, neither man understanding what was going on and neither believing the information displayed on the instrument panel. The captain was summoned and for a minute or so, he tried to decipher the array of displays and alarms, but by then it was too late. The aircraft had dropped below the 13,000 ft level at which it would theoretically have been possible to recover from the stall. It crashed into the ocean, killing all 228 on board.
Although the safety of aircraft has improved dramatically in recent years as a result of autonomous control systems, the authors of an Air France article noted that the ultimate causes of the crash were twofold: (i) de-skilling of the pilots meant that they could not fly the aircraft without computer assistance, and (ii) the autonomous systems are getting so sophisticated that they only fail in complex ‘edge cases’ that are impossible for the designers to foresee. Consequently, pilots cannot be trained to handle them.
The effect of relieving car drivers of the control task in an autonomous vehicle is that they will use the journey time to do something productive: answer email, read a book, watch TV ... They will not be available to intervene quickly if something goes wrong – any more than the captain of Air France 447 could. Consequently, if there is a software glitch or a mechanical failure in their own vehicle or a nearby autonomous vehicle, or perhaps a malicious wireless attack on infrastructure-based control or communication systems, the drivers cannot be relied upon to respond in time.
The Google car approach – in which the autonomous vehicle has no controls for the driver apart from an on-off button – is not only pragmatic, but a recognition of the fact that in autonomous vehicles, humans will not be able to intervene in time, and will probably be de-skilled to the point where they will not be able to control the vehicle, even if they need to. Why do you need a licence to drive if all you have to do is press the ‘on’ button and set the destination? So if the systems are not perfectly reliable and bug free, there will be unavoidable accidents.
This de-skilling of people by technology is profound. We are approaching an age in which drivers cannot find their way without the aid of satellite navigation systems and people cannot manage their own mobility without centralised computer control. The growing autonomy of vehicles is at the expense of the shrinking autonomy of their occupants. In the headlong dash towards autonomous vehicles, these fundamental issues are receiving very little air time.
Professor David Cebon FREng,
Professor of Mechanical Engineering
University of Cambridge
Transparent bonnet technology is one of the technologies being developed for the Land Rover Discovery
Where’s the fun in a driverless car? Indeed, why give the driver less?
As cars evolve in intelligence and capability, we are discovering the potential of how we might travel in the future. New technologies are already enabling cars to brake, keep in lane and park themselves. These will develop over the next decade into a suite of technologies that will ultimately allow customers to choose to drive autonomously.
Jaguar Land Rover (JLR) is part of UK Autodrive, a consortium of 12 local authorities, academic institutions and leading technology and automotive businesses that has won Innovate UK’s £10 million Introducing Driverless Cars competition. The consortium members will match the government’s funding to deliver a three-year programme of feasibility studies and practical demonstrations in Milton Keynes and Coventry, led by ARUP.
For our part, JLR will develop and test new advanced driver assistance (ADAS) technologies, including enhanced terrain sensing and displays, on a semi-autonomous Range Rover research vehicle in real-world driving environments. The aim is not full autonomy, but a passenger car that is capable of being autonomous for part of the time. We will also develop the Human Machine Interface (HMI) strategy and lead the real world trials of lightweight, self-driving pods for use in pedestrianised urban spaces.
Our vision is to offer a seamless choice of an engaged or an autonomous drive. We want to assist and enhance the driver – and offer levels of autonomy to suit the driver’s mood or needs. A smarter car should not take away the fun of driving. Instead, it should enhance the driver’s experience both on- and off-road.
This means enhancing driver confidence through providing the right information at the right time, without distraction. As our cars become more capable, we want to increase driver confidence and awareness of the environment outside the car, to help them make the most of these enhancements. One area of research is to make the bonnet ‘transparent’ – using cameras in the vehicle’s grille to send video of the terrain to a HUD (Head Up Display) in the windscreen. As well as the benefits off road, it will give the driver awareness of road conditions, and make parking and manoeuvring that much easier.
We are also developing self-learning systems that allow our cars to learn from drivers’ behaviour and anticipate future actions, including destination prediction, fuel monitoring and auto-adaptive cruise control, based on historical usage.
Every technology we launch takes us one step nearer to the fully autonomous car. Each new feature also takes us towards better support for the driver and reduces accidents, which is the key reason for developing these new technologies. After all, 99% of accidents are caused by driver error. These new technologies will enable optimum efficiency, while not overpowering the love of driving.
Dr Wolfgang Epple,
Director Research and Technology,
Jaguar Land Rover