Domitilla Del Vecchio received the Ph.D. degree in Control and Dynamical Systems from the California Institute of Technology, Pasadena, and the Laurea degree in Electrical Engineering from the University of Rome at Tor Vergata in 2005 and 1999, respectively. From 2006 to 2010, she was an Assistant Professor in the Department of Electrical Engineering and Computer Science and in the Center for Computational Medicine and Bioinformatics at the University of Michigan, Ann Arbor. In 2010, she joined the Department of Mechanical Engineering and the Laboratory for Information and Decision Systems (LIDS) at the Massachusetts Institute of Technology (MIT), where she is currently an Associate Professor. She is a recipient of the Donald P. Eckman Award from the American Automatic Control Council (2010), the NSF CAREER Award (2007), the Crosby Award, University of Michigan (2007), the American Control Conference Best Student Paper Award (2004), and the Bank of Italy Fellowship (2000). Her research interests include analysis and control of networked dynamical systems with application to bio-molecular networks and transportation networks.
Luke Muehlhauser: In Verma & del Vecchio (2011), you and your co-author summarize some recent work in semiautonomous multivehicle safety from the perspective of hybrid systems control. These control systems will “warn the driver about incoming collisions, suggest safe actions, and ultimately take control of the vehicle to prevent an otherwise certain collision.”
I’d like to ask about the application of hybrid control to self-driving cars in particular. Presumably, self-driving cars will operate in two modes: “semi-autonomous” (human driver, with the vehicle providing warnings and preventing some actions) and “fully autonomous” (no human driver). Do you think hybrid control will be used for both purposes, in commercial self-driving cars released (e.g.) 10 years from now? Or do you think hybrid control will be competing with other approaches aimed at ensuring safe behavior in autonomous and semi-autonomous vehicles?
Domitilla Del Vecchio: Yes, I believe that hybrid control will be used in commercial vehicles both for autonomous and semi-autonomous functions within the next 10 years. Here is some background to support this belief. The decreasing costs of embedded computing and communication technologies are pushing several of today’s engineering systems toward increased levels of autonomy. Transportation systems are an obvious example, in which vehicles and infrastructure are being enriched with more computation, sensing, and communication every day, to increase safety, comfort, and efficiency. For life-critical systems, however, this enrichment raises the fundamental question of whether newly engineered systems with enhanced functionalities can be proven to be safe. A number of accidents have been reported, such as the unintended acceleration problem of a Toyota vehicle in 2008, so that initiatives, including ISO 26262 for functional safety, have been taken by the auto industry world-wide to address this question. According to these new automotive functional safety standards, any design that affects life-critical applications should be assured to be safe. This requirement for system assurance has led most car companies, both in the US and in Europe, to explore formal design and verification approaches so that safety guarantees can be provided on newly designed applications and old applications can be formally verified for safety. In the hybrid control literature, techniques to design mixed logical/dynamical systems under safety specifications have been developed since the 90s with the pioneering work of Tomlin and co-workers and the very well known California PATH project. Therefore, hybrid control approaches have a substantial potential to impact the current automotive technology as far as safety applications are concerned, and in fact many companies world-wide are already initiating research programs to explore the promise of formal methods for design and verification.
Many challenges, however, need to be overcome from a theoretical point of view, such as being able to handle in a safe and least restrictive way hidden information that arises from many sources, such as driver’s behavior, sensor and communication errors, and poorly known environments.
Luke: And do you think hybrid systems control will fill a particular niche in the market for high-assurance software for self-driving cars, or do you think hybrid control approaches will compete with other approaches to high-assurance software, or do you think in the end both hybrid control and other currently existing approaches will need to be replaced by other approaches?
Domitilla: If we intend hybrid control approaches broadly as formal design methodologies that carefully model dynamics and logic, then I do not think they will compete with other approaches but they will complement other approaches. Ultimately, I think a mixture of approaches will be considered, including formal design methods, AI-like methods, and engineering-based methods.
Luke: I’ve discussed formal design methods in several past interviews. Which kinds of AI-like methods and engineering-based do you expect will be brought to bear on the challenge of high-assurance software for self-driving cars?
Domitilla: There are a number of approaches that are often used in the development of autonomous vehicles, mostly for checking collision with static and moving obstacles, such as the RRT and RRT* algorithms that were used in the Urban Grand Challenge by the MIT team, or more general path planning algorithms with obstacles. These typically originate from the robotics community and are not usually concerned with formal safety guarantees, although they often work very well in practice. Along the same lines, questions of perception of the environment are obviously crucial in self-driving vehicles, such as recognizing whether something standing on the road side is a pedestrian or a small tree, which may involve different vehicle decisions for assuring safety. These types of questions have been mostly studied in the artificial intelligence community, including research in computer vision. By engineering-based approaches, I mostly mean the typical software development cycle in industry, which involves extensive testing to highlight possible system malfunctions or safety hazards.
Luke: The hybrid control approach used in Verma & del Vecchio (2011) had, in experiment, a success rate of 96.9%. I presume the success rate will need to be substantially higher before such systems are used to control autonomous cars in real road conditions? How much work might it take to push the success rate up to, say, 99.999%?
Domitilla: That is actually not true for systems that involve human drivers. In fact, automotive companies often prefer to tolerate an epsilon % of collision so they can have less conservative warning/controllers, which override drivers less frequently. From a practical standpoint, if human driver behavior needs to be accounted for, as in Verma and Del Vecchio (2011), 100% safety will most likely not be achievable just because human behavior can be modeled statistically as opposed to non-deterministically. In the paper, we truncated the Gaussian probability distributions that describe how drivers brake/accelerate in the proximity of the intersection in order to have bounded capture sets. Since the tails of the Gaussian probability distributions were not included, we may still have some (rare) instance in which the system cannot guarantee safety. In this sense, I think that when human behavior is accounted for, models and approaches will have to be stochastic and focus on providing probability of safety as opposed to 100%. This is a research direction we are pursuing right now.
Luke: What are the most interesting or important open problems in this area right now, to your mind?
Domitilla: There are many. A couple that are particularly relevant, especially from an application standpoint, are computational complexity and the ability to provide design methods for stochastic safety. The first one is a problem that is always a challenge for implementing most formal safety approaches. Algorithms usually do not scale well with the size of the system, and this limits real-time applicability. The second one is a challenging technical problem, and methods to efficiently handle hidden decision making in a least conservative manner are very much needed.
Luke: What are your recommended readings on the latter challenge?
Domitilla: There are many readings that address several of the aspects involved in this problem. In the control theory community, we have seen recent papers by Abate’s and Lygeros’ groups, which address the stochastic reachability/verification problem. In the robotics community, there are also very related works, in which a vehicle has to be controlled to avoid stochastically moving agents, which can move according to a set of behaviors, with a given least probability (Jon How and colleagues). I believe there are a few more, and the ones cited here are not exhaustive, but these are those that come to mind now.
Luke: Thanks, Domitilla!