Jackie Erickson
You are listening to the Edge Case Research Self Driving Car Safety Series, and in the episode, Phil Koopman addresses different approaches to motion safety metrics that may be useful in quantifying risk for collision of self driving cars.

Now over to Phil.

Phil Koopman:

This is Phil Koopman from Edge Case Research with a series on self-driving car safety. This time, I’ll be talking about approaches to motion safety metrics. The general idea of a metric for motion safety is to determine how well a self-driving car is doing at not hitting things. One of the older pre-self-driving car metrics is called, time-to-collision. In its simplest form, this is how long it will take for two vehicles to collide if nothing changes. For example, if one car is following another and the trailing car is going faster than the leading car, eventually, if nothing changes, they’ll hit. And how long that will take depends on the relative closing speed and gives you the time-to-collision. The general idea is that the shorter the time, the higher the risk, because there’s less time for a human driver to react and intervene.

There are more complicated formulations of this concept that, for example, take into account acceleration and braking. But for all the time-to-collisions, the basic idea is how much reaction time is available to avoid a collision? This metric was originally developed for traffic engineering, and has used predicting some aspects of road safety for human drivers. Time-to-collision gets pretty complicated in a hurry because, in the real world, vehicles accelerate and decelerate, they change lanes, they encounter crossing traffic and so on. So we need something more sophisticated than a simple, “Here’s your reaction time for one vehicle following another.”

There are a number of proposals that address this such as Mobileye RSS, NVIDIA Force Fields, and the NHTSA Instantaneous Safety Metric. These ideas and more are at play in the IEEE Draft Standard Working Group P2846. Rather than go into the details of each of these individual approaches, let’s just sketch out some of the high-level characteristics, ideas, and issues.

The first big thing is this is just physics. No matter how you package it, Newton’s Laws Of Motion come into play. The rest of it is just about how to encode those laws and reason about them and apply them to everyday traffic. Some of these approaches attempt to provide mathematically proven guarantees of no collisions. And that can work, provided the assumptions behind the guarantees are correct.

While all this seems pretty straightforward in principle, when you try and apply it to real cars in the real world, things get a little bit more complicated. One of the things that you need to consider are the various geometries and situations. Sure, one car following another in the same lane of traffic is a good starting point, but you have to think about cross traffic at intersections, merging traffic, changing lanes, non-90 degree intersections, the list goes on. That means you need various different cases to work the math on.

You also have to consider the worst-case actions of other objects. For example, some objects can brake very quickly, some only slowly, some can turn quickly, some slowly, and characteristics tend to be different for different classes of objects such as trucks, or cars, or bicycles, or pedestrians. In general, one way or another, you have to consider all the possibilities of one of these objects making its maximum turning authority, or maximum braking authority, or maximum acceleration authority movement, or some combination, and where they might be, so you can avoid a collision.

Some situations are notoriously difficult to handle. One example is a so-called cutout maneuver. That’s where you’re following another car, the other car changes into the lane, revealing right in front of you a boulder that’s just sitting in the road. And it turns out if you look at the math, that’s worse than the car in front of you hitting the brakes, because the boulder’s already at zero. Another worst-case is when you have oncoming traffic, you have to worry that if the other vehicle swerves into your lane going the wrong way, there’s not a lot of time and not a lot of room to react. Now, in an ideal world, none of these things would happen because everything would be well behaved and boulders wouldn’t appear in roadways, but the real world is messy place and so these types of things have to be considered.

 Another thing to consider is environmental factors such as the coefficient of friction of the road surface, whether you’re on hills, whether you’re in bank turns. The ability of other vehicles to maneuver and your own ability to maneuver is limited by how much friction you can generate against the road surface.

You also need to consider operational edge cases. For example, if you’re following a truck up a hill, you might do Newtonian physics math that says as long as you’re going slower than the truck, everything’s fine. But that may not work if the truck ahead of you hits ice and actually slides backwards down the hill. It’s actually possible to hit something from behind, even if you’re at a stop, because it’s going backwards into you. Now you can say, “Okay, that’s a special case out of scope,” but those cases will happen and you need to do the analysis to decide what’s in scope and what’s out of scope for any assurances you’re making.

You’ll also need the ability to predict other system capabilities and decide what assumptions you’re going to make. For example, you might assume that a sprinter is not going to suddenly cross a four lane road in the middle of the block in front of you at 25 miles an hour. That would be faster than you might want to assume a typical human can cross the street. A related assumption is you might assume that the car in front of you is not able to brake faster than at 1g, one times the force of gravity, because if he can, your brakes may not be good enough to stop in time.

Now this one’s kind of interesting because it’s about other vehicles, and that might be controllable. You might say, “Well I’ll assume no one brakes at more than 1g,” or you might actually create regulations saying that when cars are being followed, they’re not allowed to brake at more than 1g. Now I’m not saying that that’s a regulation that should be passed, what I am saying though is that limitations on vehicle motion might play a role in cooperatively ensuring that vehicles can move safely. 

Some of the efforts in this area try and prove that you’re unconditionally safe. But you also need to consider what to do when it is not possible to guarantee you’re safe. A simple example is, you’re following another vehicle in the same lane with just enough following distance so that if the one in front panic brakes you can stop in time, and someone else cuts in front of you. Well, you don’t have enough following distance anymore. You can say that’s not your fault, but you still don’t want to have a crash.

So the question is, how do you behave when you’ve been placed in a situation that is provably unsafe in the worst case? To address that you probably not only need rules for ensuring you’re perfectly safe given assumptions, but also rules for reasonable behavior to restore safety or minimize the risk if you’re put in an unsafe situation and you have to operate there for a while. A bigger related issue is that in an extremely dense environment, you simply may not be able to unconditionally guarantee safety. If you’re going in a dense urban area and there are a bunch of pedestrian standing on the curb ready to cross the street, but you have the green light and you’re going through the intersection, it simply may not be possible to prove that if one of the pedestrians jump off the curve, you won’t hit them. 

Now, hopefully the higher levels of autonomy are doing things like assessing the risk that that will happen, but from a pure physics point of view, at some point it’s not possible to mathematically prove you’ll always be able to stop fast enough to avoid a collision, no matter what, if you actually want to navigate in a dense situation. 

This brings us to the idea of the trade-off between permissiveness and safety. Permissiveness is how much freedom of movement you have, and you often balance that against the amount of safety or amount of risk you want to take. Sure, you can be perfectly safe by leaving the car in the garage and never taking it out, but once you go out on the road, there’s always some non-zero risk something bad will happen, and the question is what’s the appropriate trade off in terms of the physics, and how much slack you leave to minimize the risk of collision.

Along these lines, you may come up with trade-offs, and I’ll give some hypothetical examples which might or might not be the right thing to do. But for example, you might say, “It’s okay if the car in front of me brakes at 1g, because that almost never happens, that I’m a little bit closer and I can hit at less than one mile an hour relative closing by the time the car stops.” In other words, a fender bender or a light tap on the bumper. You might say, “I can get increased road throughput by having the cars a little bit closer together, and really not worrying about the low-velocity impacts that are extremely unlikely to result in injuries or perhaps even serious property damage.”

Now, whether you go down this path is a public policy decision, and I’m not saying that one example is what you want to do, but the idea is that the world isn’t a perfect place and there is a nonzero chance of crashes, so you should think about what types of loss events are generally acceptable as long as they’re infrequent, and which types of loss events you want to absolutely guarantee never happened to the degree it’s at all possible.

Wrapping up, approaches to safety metrics for motion ultimately boil down to a combination of Newton’s laws. Implementation in the real world also requires the ability to understand, predict, and measure both the actions of others and the environmental conditions that you’re in. At some point, both you and other actors will have limits on their ability to accelerate, decelerate, and make high speed turns. Those limits can be used in your favor to plan, to minimize, or avoid the risk of collision, but you have to know what they are. Given that, your own planned actions also come into play, and link with planning metrics and scenario coverage metrics, which we’ll talk about another time.

Anytime you’re doing safety on public roads, there will be attention to increased permissiveness that might justifiably be at the expense of slight amounts of theoretical safety capability. The question is how to make that trade-off, and where to responsibly place the line to make sure you’re as safe as you need to be, but you’re still actually allowed to move around on the roads. For this trade off Newton’s laws provide the framework, but public policy provides the acceptable trade-off points.

Jackie Erickson

You have just heard from Phil Koopman address motion safety metrics.

A key takeaway from this episode – Companies not only need rules for ensuring self driving cars are safe given the assumptions, but also rules for reasonable behavior to restore safety or minimize risk if put into an unsafe situation.

To get more insight into our approaches to motion metrics, please visit our web page at and go to the resources tab. There you will find a publication titled: Autonomous Vehicles Meet the Physical World: RSS, Variability, Uncertainty, and Proving Safety, a publication co-authored by Jack Weast from Intel.

We thank you for listening and we look forward to working with you on delivering the promise of autonomy.