Safety Q&A with Embedded Engineer Andy Saxsma

27 April 2020
In this safety Q&A, Senior Embedded Systems Engineer Andy Saxsma discusses safety concepts surrounding the drive-by-wire systems that he and his team develop for AutonomouStuff's Automated Research Development Platforms.

The team's goal is to reduce the risk of personal harm and material damage while designing systems that handle failures in the safest possible ways.

To learn more about our platforms, be sure to check out our platforms page. 

The terms "safe" or "safety" can seem unambiguous, but their interpretations depend on context. What do those words mean to an engineer working with automotive drive-by-wire systems?

No machine is perfect, so safety is all about reducing risk. No program has infinite time or resources, so risk reduction is always metered. By risk, we mean risk of personal or material harm. For the Embedded By-Wire Development Team, we continue to learn and evolve with each new by-wire platform our team develops. As we deploy more and more by-wire systems to the field, we continue to reduce risk through improvements such as increasingly robust fault detection, all while becoming more efficient at performing failure mode and effects analysis (FMEA) and by-wire system development.



Technical safety specifications, such as the ISO 26262 Functional Safety Standard in the automotive industry, include rigorous assessments and highly detailed criteria. What metrics do the embedded engineering team consider when evaluating safety concerns? Are concepts such as "fail safe" or even ASIL D sufficient for driverless vehicles?

ASIL D of ISO 26262 is the “blue dot” as the market permits. As we approach the blue dot, today we think in terms of safety concepts and FMEA. Safety concepts consider hazardous scenarios and consequently define safety layers, and each safety layer in turn defines unique requirements to detect and respond to the scenarios. FMEA considers potential faults to identify actions to better meet the requirements. FMEA evaluates relative severity, probability, and detectability for each potential fault, and the evaluation produces prioritized action items, each having a relative priority number (RPN). Today we use the inferential metrics of layers and RPNs; tomorrow we will add empirical metrics. The goal is always to fail safely, that is, “fail safe.”



What role does redundant actuation play in making autonomous vehicles safer?

Redundancy is basically implementing vehicle functions more than once, sometimes in different ways and at different layers in the architecture of the vehicle, filling the role of failure checking and functional backup. One redundant implementation can check the other, and under some circumstances, can provide backup. Two redundant implementations can generally provide both checking and backup. In this way, at no point in the overall system can a single failure, i.e. “single-point failure,” create a hazard. Thus, it is “fail safe.” Redundant implementations that reside at or span across different layers are what was mentioned earlier as “safety layers.” Redundancy provides other design conveniences and simplifications as well, such as reducing otherwise complicated checking schemes to simple comparisons between implementations.

For example, at a lower layer, the steering function of a vehicle generally has three implementations: two are similar electronic implementations that check one another and default to a third backup mechanical implementation should a failure be detected. The mechanical system interacts with the safety driver who, at a higher level, provides additional checking as well as backup. This vehicle function has two redundancies and two layers of safety, eliminating single-point failures and mitigating hazards, thus making it fail safe.



Are there any common misconceptions around safety engineering? What would you most want people to understand about how drive-by-wire systems are made safer?

A misconception I had as a younger engineer is that we arrive at low-risk products all at once. As I’ve “wizened up” over the years, I’ve discovered risk reduction is hard work that requires intense collaboration. To deliver safe products, we just need to keep our eyes on the goal, make every day count, and exercise patience.



When you think about safety as an embedded engineer working on a drive-by-wire system, how is it different from how a layperson might think about safety for autonomous vehicles?

Your average Joe, including me, jumps in his car, drives to work, and really doesn’t give a thought to all the little things that went right along the way. But like any do-it-yourselfer will tell you, when you’re the individual (many individuals when it comes to AVs) that builds it, you add up all those little things. When you arrive safely at the other end, you know you’ve just received a precious gift.
