
Back to First Principles

Background

In high school physics, students are introduced to the concept of “Keep It Simple, Stupid” (KISS), where the goal is to minimize everything to reduce failures. More formally, the concept of First Principles seeks to avoid assumptions in models, building from nothing but fundamentals. The takeaway in both cases is that simple designs are often the best.

Why are we talking about high school physics? Because we have observed a recent trend in the automotive and robotics communities which is worth discussing. Otherwise strong companies are forgetting that First Principles is a fundamental axiom in engineering. 

If the sensors on your robot rely on each other to work, the failure of one takes down the other. The benefits of having multiple sensors (independence, redundancy, complementarity) are negated when one sensor relies on another.

 

Case Study from Automotive

In this thought exercise, we consider a current passenger vehicle with a (SAE Level 2) safety system like adaptive cruise control (your car follows the car in front of you, maintaining a safe distance, and may also steer to keep your car centered in the lane). While the driver is required to be present in the vehicle, he or she increasingly won’t be paying attention when using these systems.

Many of these systems have redundant sensors - usually a camera and a RADAR or a camera and a LiDAR. Because there are two different sensors, it is tempting to assume that the system is safer than simply relying on one sensor. How do you characterize the risk?

The automotive industry has attempted to standardize this calculation of risk (ISO 26262/ASIL, SOTIF, etc. 1 2) in order to have objective risk comparisons. Specifically, Automotive Safety Integrity Levels (ASIL) are one way of quantifying the risk of a failure. Trivializing this important and complicated body of regulation, the failure of the FM radio in a car presents a low risk whereas the failure of the brakes presents a high risk to occupant safety.

The risk calculation for ASIL has two components, the severity and the probability of occurrence. For the safest vehicles we want to minimize risk. 

Risk = (expected loss in case of the accident) x (probability of the accident occurring) 3

 

Scenario 1: The auto manufacturer decides to calibrate the camera from the LiDAR. 4

Scenario 2: The auto manufacturer decides to calibrate the camera and the LiDAR independently, using, for example, our ZeroClick software.

⚠️ A rock strikes the LiDAR and disables it!

Scenario 1: The camera can no longer calibrate since it required the LiDAR to do so! The camera may still be calibrated - or may not! The system has no way to ensure the camera remains calibrated!

Scenario 2: The camera is fully independent, and retains its ability to self-calibrate. The failure of the LiDAR has no impact on system performance.

Scenario 1: The ADAS system must disengage and perform a handover. The vehicle is functionally degraded.

Scenario 2: The ADAS system remains operational.

 

By linking the calibration of the camera to the LiDAR, the manufacturer in Scenario 1 has introduced a single point of failure. This represents a notably less reliable system than Scenario 2, where even in the event of the same incident (the disabling of LiDAR), the ADAS system remains operational and the vehicle can fail safely or fail silently 5. The occupants of the vehicle in Scenario 2 have a safer and objectively better experience, and can continue on to their destination unhindered.
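The single point of failure described above, worked through as an added example (not part of the original article and not ZeroClick code): each sensor lists the sensors its calibration depends on, and the model computes which sensors can still be trusted after a failure and how likely it is that none remain. The per-trip failure probabilities, the names, and the rule that the system stays engaged while at least one trusted sensor remains are assumptions made for illustration.

```python
from itertools import product

# Constructed per-trip hardware failure probabilities (assumptions, not measured data).
P_FAIL = {"camera": 0.001, "lidar": 0.002}

# Calibration dependencies: sensor -> sensors it needs in order to (re)calibrate.
SCENARIO_1 = {"camera": {"lidar"}, "lidar": set()}  # camera calibrated from the LiDAR
SCENARIO_2 = {"camera": set(), "lidar": set()}      # each sensor calibrates on its own


def trusted_sensors(deps, failed):
    """Return the sensors whose output can still be trusted.

    A sensor is trusted only if it works and every sensor it calibrates
    against is itself trusted, so loss of trust propagates along chains.
    """
    trusted = {s for s in deps if s not in failed}
    changed = True
    while changed:
        changed = False
        for s in list(trusted):
            if not deps[s] <= trusted:
                trusted.discard(s)
                changed = True
    return trusted


def p_disengage(deps, p_fail, needed=1):
    """Probability that fewer than `needed` trusted sensors remain.

    Hardware failures are assumed independent; every failure combination
    is enumerated and the dependency graph decides what survives it.
    """
    sensors = sorted(deps)
    total = 0.0
    for states in product([False, True], repeat=len(sensors)):
        failed = {s for s, f in zip(sensors, states) if f}
        p = 1.0
        for s, f in zip(sensors, states):
            p *= p_fail[s] if f else 1 - p_fail[s]
        if len(trusted_sensors(deps, failed)) < needed:
            total += p
    return total


if __name__ == "__main__":
    for name, deps in (("Scenario 1", SCENARIO_1), ("Scenario 2", SCENARIO_2)):
        print(name, sorted(trusted_sensors(deps, {"lidar"})), p_disengage(deps, P_FAIL))
```

With these constructed numbers the coupled design loses all trusted sensing whenever the LiDAR alone fails, while the independent design does so only when both sensors fail; that probability is the second factor in the risk formula above.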

In this example, we were considering an SAE Level 2 system like those offered by Tesla (Full Self Driving), BMW (Hands Off 60), and others. The contrast grows starker when you consider Level 3 and higher systems - where the vehicle occupants may be asleep, have imbibed alcohol, or not be in a place where they can physically take control of the vehicle.

 

Expanded Case Study

In these L3 and higher scenarios, if a sensor fails, the vehicle will try to perform a minimal risk maneuver (MRM) that takes the vehicle out of traffic safely and autonomously so that it can be towed/driven manually. An MRM is something like (autonomously) pulling to the emergency lane of the road, (autonomously) entering a parking lot, or simply (autonomously) stopping and engaging flashers on a small street.

In the original case study, where the LiDAR is disabled, if a manufacturer followed Scenario 1 then the camera can no longer calibrate to determine whether it has been affected. The vehicle may be unable to perform the MRM! Going back to the calculation of risk, the second component (probability of the accident occurring) has increased dramatically as a result of coupling the sensors together. This is a massively increased liability.

In Scenario 2, the vehicle is unencumbered, the MRM is performed, and life moves on.

 

Conclusion

As engineers defining these systems, we need to return to First Principles. Maximizing sensor independence (or conversely, minimizing the system under test) minimizes the probability of failure. That is the lowest risk condition, a situation all automotive companies strive for.

We should not forget that system independence increases system mean time between failures (MTBF). While sometimes this redundancy requires expensive hardware systems, e.g. redundant steering systems, redundant power supplies to critical ECUs, or multiple modalities of sensors, there is no hardware cost in this case! We simply need to be smart in our software architecture decisions. ZeroClick software is the smart decision.

 

Our Solution

Our ZeroClick software is markerless, real-time, online calibration. ZeroClick is able to calibrate cameras around a vehicle or robot without relying on other sensors. That independence allows vehicles using our software to improve their safety, reliability, and therefore system uptime.


 

________________________________

1 Wishart et al. Literature Review of Verification and Validation Activities of Automated Driving Systems. URL.

2 Zhao et al. Genetic Algorithm-Based SOTIF Scenario Construction for Complex Traffic Flow. URL.

3 ASIL. URL.

4 We see multiple OEM, T1 and technology companies following approaches where sensors are calibrated to one another, to the point that there are survey papers covering the many methods, e.g. Li et al. Automatic targetless LiDAR–camera calibration: a survey. URL.

5 MobilEye follows an independent sensor approach. URL. 

 
