By: The safety team
Article Summary
Vay is developing automotive-grade remote driving technology that enables new types of mobility services that increase convenience for customers. Teledriving passes the driving task to a trained professional teledriver, who remotely controls the vehicle. Our priority is to make this mobility experience safe for our customers. Therefore, we develop and operate our systems with a clear focus on safety as defined in our safety concept. This includes our safety – and security-by-design approach, our operational safety concept, and the way we consider regulations & standards. We do all this to pave the way to a safer future for mobility with our teledrive system, tackling main transportation problems in metropolitan areas.
1. Introduction
Remote driving or as we call it at Vay: ‘teledriving’ is reshaping mobility as we know it and we strongly believe it can help to provide safe and convenient means of transportation. Our teledrive technology allows a teledriver to drive a car remotely. This allows our electric fleet to be highly utilized. We can help to reduce CO2 emissions, and air and noise pollution. In February 2023, Vay was the first company to drive a car without any person inside the vehicle on European public streets. With the removal of the safety driver in the US in November 2023, Vay became a pioneer in teledriving cars on both continents: Europe and North America. These major milestones were a result of many years of deliberate and meticulous work by an experienced team of over 100 engineers combining industry experts from the automotive industry, safety, security, hardware, and software engineering. Since the inception of Vay in 2019, safety has been at the heart of everything we do. We’ve established a culture of safety within the company, and it is our highest goal to assure safety for customers, passengers, other road users, and pedestrians.
In this article, we introduce our teledrive technology and discuss our approach to safety. As we observe the diverse range of situations that can unfold in today’s urban settings, it is evident that operating a vehicle is not an easy task. Therefore, safety is at the core of what we do at Vay.
This article discusses how we assure safety across all relevant domains. With our solution, we keep a human-centered approach. However, we replace the common driver with a trained, professional ‘teledriver’. Through our safety-by-design approach, we ensure that our technology is built to ensure safety and that it adheres to industry standards and best practices. We work closely with regulators and government agencies in Europe and the US. To assure safety throughout the entire driving experience, we implemented a teledrive-specific operational safety approach.
2. The role of the human in the loop
Our concept relies primarily on the well-established concept of a human driver controlling and steering the car. However, we acknowledge that technology can enhance and improve this experience and performance. In teledriving, we take a remote-control approach. In this, the teledriver performs the entire Dynamic Driving Task (DDT) and directly controls the vehicle in the form of steering, throttle & braking, and performing secondary driving tasks like turn signaling, activating windshield wipers, and more. This DDT is done by the teledriver from what we call at Vay a ‘teledrive station’.
The teledrive station consists of screens to display the car surroundings. Road traffic sounds, such as emergency vehicles and other warning signals, are transmitted via microphones to the teledriver’s headphones. To perform the DDT, the teledrive station is equipped with automotive-grade steering wheel, gas, and brake pedal as well as a traditional instrument cluster representation. The teledriver can control the car from the teledrive station through the same commands a traditional driver operates a car from the driver seat.
Teledriving is still a human driving approach, we can leverage the proven and well-established experience of the drivers to control the vehicles remotely from the teledrive station. Thereby the teledriver can handle the operational risk that arises from external factors and safely navigate through the various arising traffic situations. Currently, we operate in urban areas which due to the variety of scenarios are rather complex. A more detailed description of our area of operation, the so-called Operational Design Domain (ODD) is provided in Section 4.1. Our teledrivers are trained and certified to operate safely in this ODD. In our training process, teledrivers learn to deal with complex and difficult driving situations. A more detailed description of our training process within our Vay Teledrive Academy is provided in Section 4.2.
3. Safety-by-design
Safety has been paramount in the development of our technology since the beginning. At Vay, we developed a remote driving system based on the latest safety standards and in line with existing regulatory and legal requirements. Our system architecture and our development process are based on safety and designed to encourage safety. The Vay system is integrated into an already type-approved vehicle. All interfaces of our Vay system are verified to ensure that the vehicle diagnostic features in all control devices and actuators operate in the same mode and context as they do in the vehicle before upgrading it with the Vay system. The system integrated into the vehicle interacts with our in-house developed teledrive station.
3.1 Teledrive System Development
The teledrive system consists of the vehicle with the addition of the Vay system and the teledrive station. The initial vehicle is equipped with additional sensors, our in-house developed safety controllers, and enhanced connectivity through antennas and modems. The teledrive station consists of screens, speakers, steering wheel, column switches, throttle, and brake pedal as well as controllers to process and interact with the Vay system in the vehicle.
Our development process takes into account the latest standards for Functional Safety (FuSa, ISO 26262), Safety of the intended functionality (SOTIF, ISO PAS 21488), and cybersecurity (e.g. ISO 21434). The technology within the teledrive station, the vehicle, and the interfacing remote functions are overseen by a pair of safety controllers. These controllers, one located in the teledrive station and the other within the vehicle, exhibit enhanced availability to manage commands between the teledrive station and the remote vehicle controller. Both of these safety controllers have been developed in-house at Vay based on state-of-the-art industry practices and approaches.
The components of our safety controllers are developed up to the Automotive Safety Integrity Level D (ASIL-D) rating. The controllers are based on proven multi-core controllers which are configured to achieve increased safety and availability. The operating system is based on aviation and automotive-proven safety principles, which assures active safety functions such as basic functions for our Minimal Risk Maneuvers (MRM). The Vehicle-To-X (V2X) architecture also provides increased availability through redundancy principles combined with increased diagnostics so that remote external vision and remote vehicle control always operate on priority tasks. If a particular failure occurs, the redundant channels within the system enable the vehicle to continue operating safely.
The internal development of requirements on hardware (HW) and software (SW) level as well as the assurance of a parallel verification process for all requirements with continuous integration tests, ensures the verifiability of the requirements. At any level of abstraction, we analyze the development of requirements and the architectural & design details. Based on these inputs, we apply safety analysis such as Fault-Tree-Analysis (FTA) and Failure Mode, Effect, and (Diagnostic) Analysis (FME(D)A).
3.2 Minimum Risk Maneuver
As stated earlier, the center of our safety approach remains a human driver, in our case a well-trained teledriver. The secondary safety measure is our Minimum Risk Maneuver (MRM) Strategy. MRM is a well-established approach in the development and operation of autonomous vehicles. Vay has a tailored MRM concept that handles potential failures, including the loss of connectivity between the teledriver and the vehicle. MRMs are system-initiated safety reactions. They ensure that in case of severe failures, our system reacts timely within milliseconds, and safely to mitigate hazardous situations that cannot be resolved by the teledriver alone. This concept enhances safety during operations.
3.3 Verification and Validation
The verification and validation process at Vay follows state-of-the-art industry approaches. We develop our technology in alignment to well established best practices in automotive and SW engineering, such as V-model, Continuous Integration & Continuous Deployment (CI/CD), and looking beyond standards that are not directly applicable to teledriving but can be used as reference, such as Validation Methods for Automated Driving (VMAD). This assures that we verify and validate the Vay system bottom up. This means we test every single line of code, the integrated software as a whole, and its integration on the hardware. This is followed by component tests and their integration into the system, and finally, we verify and validate the system as a whole.
To perform the verification and validation on the various test levels, we use the common and established test platforms appropriate for each level. Software-in-the-loop (SIL), Hardware-in-the-loop (HIL), and system-level tests in the vehicle and at the teledrive station. In addition, we have designed and tested our technology to ensure that the Vay system does not negatively impact the original vehicle platform. Through these measures, we obtain evidence that our vehicle is developed based on consideration of the functional safety standards (ISO 26262), the Safety Of The Intended Functionality (ISO 21448), Cybersecurity (ISO 21434, see our Journal article on Cybersecurity [1]), and overall behaves following our internal performance requirements.
4. Operational Safety
In order to ensure safety throughout our operations on public roads, various adequate measures are taken to mitigate potential operational risk. Three of the main concepts of our operational safety are the definition of our operational design domain (ODD), extensive teledriver training, and the definition of operational procedures.
4.1 Operational Design Domain (ODD)
The ODD is the operational area in which the Vay system can operate safely. While an ODD considers various environmental, geographical, and roadway characteristics, due to our teledrive approach, connectivity is one of the most important characteristics. In order to ensure our ODD only consists of areas with sufficient connectivity, we developed an ODD qualification process [2].
The ODD qualification process provides a structured procedure to qualify an ODD based on a defined set of evaluation criteria. This incrementally increases the area that we consider safe for remote operations. By clearly defining the boundaries of the teledrive technology, it can be ensured that the vehicles are only deployed in environments where they have been thoroughly tested and validated, further enhancing safety.
Aside from connectivity, a variety of considerations go into defining an appropriate ODD. Vay defines the ODD based on the PEGASUS method, which structures an ODD into six layers. We consider urban streets but exclude highways and interstates. Temporary changes in the ODD such as construction sides, accidents, and other limitations do affect us the same way human drivers are affected. We can deal with temporary traffic limitations, road blockages, and other occurrences, which is a great advantage of having a trained and professional human driver in the loop, who can understand, interpret, and react to surprising and unplanned events.
4.2 Specific Teledriver Training
Our whole teledrive operation is centered around the safe operation of vehicles and as such around our teledrivers. Therefore, we set very high standards for the training and certification of our teledrivers. The multi-stage training process prepares teledrivers to handle the different driving scenarios and traffic occurrences (see Vay article about Training for the backbone of our future mobility service – the Vay Teledrive Academy [3]). Two unique challenges for teledriving compared to conventional driving are driving in the setup of a teledrive station and dealing with the latency between the teledrive station and the car.
Our teledrivers undergo a rigorous training process at the Vay Teledrive Academy that Vay developed and constantly improves. In this training, after passing the requirements for being a Vay Teledrive Academy candidate, teledrivers are taught in the classroom, in the vehicle itself, and at the teledrive station. The actual driving training starts on private grounds where teledrivers are trained in various simulated traffic scenarios until they can safely pass the required tests and are cleared for driving on public roads. Once that is the case, they will teledrive on public roads while a safety operator oversees the driving task in the car and can intervene in case it is needed.
Throughout the training, our teledrivers learn how to deal with occurring latency between the vehicle and teledrive station. In a test sequence of more than 1000 tests on private grounds, we identified latency bands that allow the teledriver to safely control the vehicle. This was done by injecting different latencies, while the Teledrivers had to remotely drive different maneuvers, confirming the acceptable latency thresholds. Depending on the duration and latency magnitude, the vehicle detects this automatically and triggers respective minimum risk maneuvers (see Section 3.2) that slows down the vehicle up to a safe stop, when needed, while turning on the hazard lights to warn traffic participants. Our teledrivers are not only trained for the general driving task from a teledrive station, but also trained in a variety of challenging traffic situations like busy intersections, vulnerable road users (VRUs) on the road, and sudden changes in the traffic (hard braking and cut-ins of other cars).
4.3 Operational Procedures
When operating the service on public streets, it is crucial to define operational procedures on how to behave and react in certain traffic situations. These operations guidelines define incident and accident response. Our teledrivers can always get in contact with our operations manager when operating. The operations manager provides guidance and oversight in extreme situations and can help to resolve situations quickly and safely. Vay’s operational procedures are discussed and aligned with law enforcement and first responders to ensure that they can safely mitigate any arising situation. These processes aim to minimize the impact on traffic situations.
We actively engage and discuss with local law enforcement how teledriven cars can be safely implemented into existing traffic. Furthermore, Vay is training teledrivers to correctly engage with law enforcement and first responders in case of an emergency or if one of our fleet cars is simply pulled over.
5. Regulatory considerations and law enforcement
For all additions that are included in our Vay system we follow our safety by design and operational safety approach as described earlier. We ensure that our system is not only built and operated safely but also compliant with local laws and regulations. Vay is the first company in Germany to receive a special permit to remotely operate vehicles without safety drivers in the vehicle. We have worked closely with TÜV SÜD, an independent third-party assessor, for over four years. TÜV SÜD gave us a positive endorsement to teledrive cars on public roads (see Vay Press Release 21.12.2022 [4]/ TUV Press release [5]).
“The TÜV SÜD endorsement is the result of more than a year of testing the Vay system. Our experts reviewed the risk analyses and safety concepts at Vay […]. As a result, the functional safety and cybersecurity requirements relevant to this use case have been sufficiently met“, says Christian Gnandt, Global Head of Automated Driving at TÜV SÜD.
Based on that assessment Vay was the first company in Europe to operate and test remotely operated vehicles on public roads in February 2023. Today, we remotely drive vehicles in Hamburg with no driver present in the car. Our fleet in Berlin is equipped with safety drivers to oversee the teledriver who operates the car. In November 2023 we started our remote driving operations without safety driver in Las Vegas, Nevada. We are about to start our first commercial operation where customers will be able to request a rental car that is driven to them via teledriver. In this context, we also approached the National Highway Traffic Safety Association (NHTSA) to introduce our teledrive technology and our safety approach.
Our collaborative approach throughout the testing and first commercial phases is to keep an open and direct exchange with authorities in Germany and the United States. This allows us to ensure we are constantly in compliance while also providing feedback to legislators and authorities on what reasonable regulatory guardrails would look like. Such regulations would further assure customers that our systems are safe and developed by state-of-the-art development processes.
6. Conclusion
At Vay we develop teledriving solutions that allow us to operate cars remotely. We put safety at the core. It is in our culture and embedded in everything we do. In our approach, the human driver always stays in control. A human driver has remarkable proven capabilities when it comes to operating vehicles. On top of that, we train our drivers and enhance their capabilities with technology. They are specifically trained and dedicated to only that one task: Safely operating remote vehicles. We do safety by design. Our vehicles, the Vay system and our teledrive stations are built that way and designed with that in mind, and our verification and validation process provides evidence that the design requirements are fulfilled. Vay operates safely in a well-defined ODD, with trained, professional teledrivers that operate based on clearly defined operational procedures. We engage with third-party assessors, governmental agencies and customers to assure them that what we do is safe, compliant, and based on state-of-the-art development. We encourage regulatory guidance, interact with law enforcement and actively engage to pave the way to a safer future for mobility with our teledrive systems.
References
| [1] | M. Asgari: Safety First? The Role of Cybersecurity at Vay, Vay Technology, 28.06.2023. |
| [2] | O. Hans et al.: Operational Design Domain Qualification Framework for Remotely Driven Vehicles in Urban Environment, IEEE IAVVC, 18.10.2023. |
| [3] | Vay Technology: Training for the backbone of our future mobility service – the Vay Teledrive Academy, 08.09.2023. |
| [4] | Vay Technology: Teledriving enables driving without a driver in the car: Vay is the first company in Europe to be allowed on the road without a safety driver, Vay Technology, 21.12.2022. |
| [5] | TÜV Süd: REMOTE-CONTROLLED CARS? VAY RELIES ON TÜV SÜD FOR SAFETY, 22.12.2022 |