RSS EXPLAINED: THE FIVE RULES FOR AUTONOMOUS VEHICLE SAFETY

RSS EXPLAINED: THE FIVE RULES FOR AUTONOMOUS VEHICLE SAFETY

When we learn to drive, we’re taught the rules of the road. These rules typically take two forms:

> Explicit rules, like speed limits or what to do at a stop sign.
> Implicit rules, which are often cultural and lean heavily on common sense, like how to maintain a safe following distance and drive safely for the conditions.

For an autonomous vehicle (AV), following the explicit rules is easy. The AV will never exceed the speed limit and will always stop at a stop sign. Understanding of and adherence to implicit rules, however, is more difficult. The very definition of the rules is part of an implied understanding of acceptable driving practices that ensures the transportation system functions safely.

How, then, can a machine precisely interpret these subjective implicit rules of the road?

In 2017, Mobileye published an academic paper that proposed Responsibility-Sensitive Safety (RSS). The math-based AV safety model provides a framework for digitization of these implicit rules so self-driving cars can successfully integrate with human drivers on the road.

While we’ve accepted that human drivers with varying abilities (and degrees of common sense-based safe driving practices) can still be granted licenses to drive, there’s a far higher burden of proof for AVs. Without a verifiable way to demonstrate their ability to drive safely, AVs will never get a license to drive. Technology leaders, automakers, governmental bodies and society must collaboratively define a standard for what it means to drive safely, along with a metric that can be used for assessment and verification of autonomous vehicle safety. To this end, Intel contributed RSS’s technology-neutral framework as a starting point for the industry to align on what it means for an AV to drive safely.

What is Responsibility-Sensitive Safety?

RSS formalizes human notions of safe driving, using a set of mathematical formulas and logical rules that are transparent and verifiable. These rules define the common-sense behavioral characteristics that humans would characterize as leading to safe driving. The goal is that the AV should drive carefully enough so that it will not be the cause of an accident, and cautiously enough so that it can compensate for the mistakes of others.

RSS is compatible with other AV systems

RSS is technology-neutral in that it is compatible with any automated driving system, allowing for consistency in safety. To establish an AV safety standard that can be adopted around the world, Intel is committed to collaborating with all stakeholders across industry, governments, nongovernmental organizations, standards bodies, and academia.

RSS can enable AVs that can drive successfully alongside humans

RSS operates as a separate layer from artificial intelligence-based decision-makers. It deterministically defines decisions that are safe, enabling AVs to make cautious but assertive maneuvers that are within a precisely defined safety envelope – some that otherwise would have been thrown out under AI-based decision-makers that are often too-conservative. If the industry is not able to deliver an AV that drives naturalistically alongside human drivers, then society will not likely accept the annoying, super-conservative AVs that are the alternative.

To accomplish this, RSS adheres to five safety principles:

RULE 1. Do not hit the car in front (longitudinal distance)

New human drivers are taught to “leave 2 to 3 seconds’ worth of distance” between the car in front of them to provide the time and space to react. This simple guide works without requiring the driver to understand the math and physics behind the velocities of both cars, driver reaction times, and the front vehicle’s braking capability.

In RSS, we’ve formalized this rule into a mathematical calculation (pictured above). It means the moment the distance between the two cars is less than dmin, the automated vehicle will perform the proper response: braking until a safe following distance is restored or until the vehicle comes to a complete stop.

RULE 2. Do not cut in recklessly (lateral distance)

The safest human drivers maintain position in their designated lanes and avoid unsafe cut-ins when merging into other lanes. Rule 2 formalizes safe lateral distance, which enables AVs to be aware when their lateral safety may be compromised by unsafe drivers turning into their lanes.

This rule is formalized in a formula (pictured directly above) that also accounts for the natural lateral movement within a lane that is performed by human drivers.

For example, if another car moves into or occupies that space, a human first steers to avoid a collision, stopping the lateral velocity relative to the other car, then continues to move away laterally until a safe distance is restored. Similarly, this is the proper response for an AV if a violation is made in the safe lateral distance defined by RSS.

RULE 3. Right of way is given, not taken

On well-marked roads, the right of way is clear. Lane lines, signs, and traffic lights establish priorities for routes as they intersect one another. However, there are other times when the right of way is less clear, and human drivers must negotiate with one another. For AVs, this negotiation must be formalized so that machines can make that same negotiation and be sure to arrive at the same conclusion.

For example, the figure above shows a T-junction without a stop sign. If a stop sign existed, drivers are expected to give the right of way to vehicles without a stop sign. Sometimes they don’t. And if a car ran the stop sign and created a dangerous situation, the AV must still respond accordingly. It has right of way on paper but should not let a crash happen just because the rules give it the right of way.

RULE 4. Be cautious in areas with limited visibility

Many factors can aﬀect visibility while driving. Aside from the weather, factors such as road topography, buildings, and even other cars can obstruct views of the road and of other road users. Depending on the surroundings, humans naturally put bounds on their behavior to avoid unforeseen dangers.

On a main thoroughfare, it is not reasonable to expect that pedestrians will suddenly jump into the road. However, on a street near a school or neighborhood, it is much more likely. And, for drivers, it is reasonable to expect pedestrians to suddenly step into the road. Drivers must proceed cautiously, especially as they approach crosswalks or pass cars parked along the street. To ensure safety, AVs will have to make similar assumptions and exhibit caution in areas of occlusion.

RULE 5. If the vehicle can avoid a crash without causing another one, it must

Rules 1-4 create formal definitions to identify what a dangerous situation is and the proper response for the AV. Rule 5 covers scenarios where a dangerous situation may have been imposed so suddenly that a collision cannot be avoided unless a more evasive action is taken. Rule 5 states that if the AV can safely and legally avoid a crash without causing another one, it must do so.

For example, if a front car suddenly swerves into the next lane exposing an object in the road the following car’s time of exposure to this object is insufficient to stop in time. However, if the next lane is free, the following car can follow the front car and take evasive action to avoid the accident.

Going beyond miles-driven

RSS enables safety testing that can be verified without millions of miles of driving. Statistical argumentation is a last resort to claim the safety of an AV when its creators have no ability to formally verify the safety of the design. Because RSS is a formal mathematical model, it can be proven correct, so testing is needed only to ensure implementation matches specification, significantly reducing the validation burden.

Improving road safety today with RSS

RSS is a framework for how cars can safely drive themselves, but these formalized concepts can also be used to keep human drivers within the safety envelope. For example, using the same safety principles, RSS can be a proactive safety mechanism that improves automatic emergency braking (AEB). Called automatic preventive braking (APB), the application of RSS to traditional AEB systems would use formulas to determine the moment when a vehicle enters a dangerous situation. It would then use comfortable, subtle braking to help return the vehicle to a safer position without waiting for an imminent collision to engage maximum braking force. This preventive approach would provide a stopping distance buffer that could prevent a chain reaction of braking and swerving should an emergency stop occur.

RSS gaining support

Since RSS was proposed in 2017, Intel has engaged with governmental regulatory agencies and technology pioneers around the world to gather feedback on the model. Its real-world effectiveness has been demonstrated through Intel’s AV development fleet on the busy streets of Jerusalem. Support for RSS is gaining global acceptance among industry peers and standards organizations that have applauded Intel for taking the first step toward a verifiable safety framework.

> Baidu, the Chinese technology leader, adopted RSS as part of its Apollo autonomous driving platform, and in 2019 incorporated the world’s first open-source implementation of RSS.

> Valeo, the European-based automotive supplier, contributes to research of RSS as it collaborates on policies and technologies to enhance the adoption of AV safety standards across Europe, the U.S., and China.

> China ITS Alliance, the standards body under the China Ministry of Transportation, approved a proposal to use RSS as the framework for its forthcoming AV safety standard.

> RAND Corp., a leading think tank, cited RSS in a recent report as a leading measure that defines safety as an “envelope” around the AV – an important aspect for AVs to achieve “roadmanship.”

> Arizona Institute for Automated Mobility, a group established to explore and deliver AV safety, uses RSS as the foundation for its research and testing.

> Collaborative Research Institutes, in partnership with Intel Labs, have been set up in China and Europe to explore AV safety and reliability questions using RSS as a foundation for the research.

Want to go deeper into RSS? Read the full academic paper from Mobileye: Vision Zero: Can Roadway Accidents be Eliminated without Compromising Traffic Throughput?