Facebook Snafu Prompts Realization About Rescuing AI Self-Driving Cars From Single Points Of Failure


The recent multi-hour-long outage of Facebook, Instagram, WhatsApp, and Messenger that impacted perhaps billions of users has reportedly been attributed to a potential single point of failure (said to be triggered via a configuration change in a backbone router).

This brings up the inherent dangers, or at least vulnerabilities, that exist when a complex system is designed, by intent or via happenstance, to embody a single point of failure. The lurking weakness can arise seemingly out of nowhere and leave dreadful troubles in its wake. Moreover, trying to overcome the failure can itself be problematic: if the failure is not fully remediated, the same condition can potentially recur. That’s not good.

Speaking of single points of failure reminds me of something that you might not have previously considered as an illustrative example of how such matters can exist. The example has to do with a quite famous dog; perhaps you’ve heard of the wondrous canine named Lassie.

It seems that most people know the classic “Lassie saves the day” narrative.

Essentially, the beloved collie named Lassie is out on a wilderness romp with a human who happens to get trapped or somehow hurt and is unable to make their way back to civilization and safety. The person makes a plea for Lassie to rush home and alert the authorities. Lassie does exactly as requested and darts away on this grand quest, heroically braving all sorts of troubles while seeking to get help.

Thankfully, Lassie ultimately reaches someone and guides them back to rescue the stranded person.

One gets teary-eyed at just thinking about this endearing and quite uplifting story.

Not wanting to cast aspersions on this revered tale, but suppose Lassie had been unable to get home and thus could not alert anyone about the woes of the doomed person?

That would have been a bad ending, for sure.

You might object to the premise since there doesn’t seem to be any reason to believe that Lassie would not have done precisely as requested.

Well, just supposing, imagine that Lassie got lost during the trek homeward and never found home (I realize this seems nearly impossible, given the amazing intelligence of this venerated collie). Or maybe Lassie takes longer than expected, and by the time that rescuers are summoned and make their way to the marooned person, it is already too late. We can even envision that Lassie did find someone as a potential rescuer, but the stubborn-minded dolt does not grasp what Lassie is trying to do and fails to follow up. Even though Lassie is likely barking fervently and trying to lead the rescuer back into the wilderness, the rescue attempt is rebuffed.

The crux of this troubling version of the classic story is that the stranded person relied on only one form of rescue or survival, namely hoping and betting on Lassie being able to save the day.

This is known as committing to a single point of failure (a cherished one, in this case).

Sometimes you do something and do not realize that you have set up a Single Point Of Failure (SPOF) circumstance. You might be oblivious to the notion and therefore only become cognizant of the dilemma once you’ve gotten yourself into a tight predicament.

In other cases, you might have purposely devised an approach that entails a single point of failure and are trusting that the worst-case scenario won’t occur. You are betting that you will not get caught by an adverse roll of the dice.

In the Lassie saga, perhaps the stranded person might have told others beforehand where to find them if they didn’t return on a timely basis. In that case, there is the possibility of using Lassie as a lifeline (per the traditional story), plus there is the chance that even if Lassie can’t make it home, a search party will nonetheless be sent out due to the prior agreement.

You could say that by establishing a dual-path possibility, there is redundancy built into the situation. When a dire moment arises, there isn’t just a single point of rescue, there are two, and thus there is a greater chance of being saved. That is the basis for devising or constructing approaches that have more than one means of continuing when one particular strand falters.

A tough question to always consider involves how much redundancy is enough.

In the variant of the Lassie tale, there are now two paths of rescue. A modern-day version might add a third path: perhaps the person has taken a portable satellite phone with them. Upon getting stuck in the woods, the person can try the satellite phone, plus they can try sending Lassie on the grand quest, and they can hope that, upon their not returning, a search party will be sent to find them.

Is that safe enough?

Well, it is hard to say.

Suppose Lassie is unable to find the way home. Suppose that those informed beforehand about the trip are lax and do not undertake a search effort on a timely basis. And suppose that darned satellite phone cannot get a signal, or maybe it got smashed on a rock when the person, now hurt, fell down a cliff.

What a downer.

There are presumably only so many ways you can try to set up a series of protective measures, especially as bounded by the potential cost or effort involved in doing so.

One could argue that the cost of the multiple paths has to be weighed against the benefits of those paths, along with the risks or probabilities of the paths breaking down or failing. In theory, a prudently devised redundancy ought to imply that there is only a very rare chance of all of the paths failing at essentially the same time.

Of course, the greater the risk of relying upon a single point of failure, the greater the effort there ought to be in devising appropriate redundant paths, and particularly robust ones.

By robust, the idea is that the redundant paths should not be so entangled that if one goes, the rest are likely to be busted too. Imagine a bridge with lots of suspension lines. You’ve undoubtedly seen those horrifying scenes wherein one line snaps, and all the other lines start snapping too. It could be that the loss of one of the supposedly redundant paths serves to gut the other forms of redundancy, in which case the true efficacy of the redundancy is rather low or quite weak in value: redundant paths that share a common cause of failure are, in effect, a single path.

Shifting gears, stories of the past are about Lassie saving the day, while tales of the future are sometimes portrayed as self-driving cars saving the day (though, for clarification, Lassie is a much more heartwarming tale!).

When human passengers get into an AI-based true self-driving car, they are assuming that the AI driving system is going to work, and do so in a fashion that averts a potential calamity due to any single point of failure. I’m not suggesting that riders in a self-driving car are fully aware of single points of failure. The gist is that they assume that whoever devised the self-driving car has already figured out where the single points of failure are and has done something prudent about those weaknesses.

That brings up an interesting matter to mull over.

Specifically, here’s the question to ponder: What kinds of single points of failure might exist within an AI-based true self-driving car and how can those be dealt with?

Let’s unpack the matter and see.

Understanding The Levels Of Self-Driving Cars

As a clarification, true self-driving cars are ones in which the AI drives the car entirely on its own and there isn’t any human assistance during the driving task.

These driverless vehicles are considered Level 4 and Level 5, while a car that requires a human driver to co-share the driving effort is usually considered Level 2 or Level 3. The cars that co-share the driving task are described as being semi-autonomous, and typically contain a variety of automated add-ons that are referred to as ADAS (Advanced Driver-Assistance Systems).

There is not yet a true self-driving car at Level 5; we don’t yet know whether this will be possible to achieve, nor how long it will take to get there.

Meanwhile, the Level 4 efforts are gradually trying to get some traction by undergoing very narrow and selective public roadway trials, though there is controversy over whether this testing should be allowed at all (we are all life-or-death guinea pigs in an experiment taking place on our highways and byways, some contend).

Since semi-autonomous cars require a human driver, the adoption of those types of cars won’t be markedly different than driving conventional vehicles, so there’s not much new per se to cover about them on this topic (though, as you’ll see in a moment, the points next made are generally applicable).

For semi-autonomous cars, the public needs to be forewarned about a disturbing aspect that has been arising lately: despite the human drivers who keep posting videos of themselves falling asleep at the wheel of a Level 2 or Level 3 car, we all need to avoid being misled into believing that the driver can take their attention away from the driving task while driving a semi-autonomous car.

You are the responsible party for the driving actions of the vehicle, regardless of how much automation might be tossed into a Level 2 or Level 3 vehicle.

Self-Driving Cars And SPOF

For Level 4 and Level 5 true self-driving vehicles, there won’t be a human driver involved in the driving task.

All occupants will be passengers.

The AI is doing the driving.

Your first thought might be that there is nothing to worry about and you can simply trust that the AI won’t go haywire and all will be perfectly operating at all times.

Recall that earlier it was mentioned that the risk associated with a single point of failure is a crucial factor in ascertaining whether that SPOF is worthy of rapt attention. In the case of a self-driving car, keep in mind that the vehicle can readily go at high speeds; in fact, you want it to do so when driving on a freeway and similar open highways. At high speeds, the risk of the car getting out of control and crashing is something we all ought to be worried about. Thus, if a single point of failure could lead to such a disastrous outcome, we need to be alert to that possibility.

Okay, put on your Sherlock Holmes cap, and let’s take a look at the various ways that a single point of failure on a self-driving car ought to be dealt with.

First, we’ll start with the sensory apparatus of the self-driving car.

For most self-driving cars, there are a bunch of specialized sensors such as video cameras, radar, LIDAR, ultrasonic units, and the like, all acting as the eyes and ears, so to speak, of the AI driving system. The data those sensors collect about the surrounding environment are fed into the AI system to try and ascertain the nature of the driving scene. For example, the cameras provide visual images that can be examined to try and find where nearby cars are, where pedestrians are standing, and so on.

Suppose a camera that is pointed forward and used to see the road ahead is suddenly unable to visually see the roadway.

How could that happen?

One way is that the camera lens gets smeared with, say, dust or mud, which is something I’d bet most of us have had happen to our own cameras. Another possibility is that the camera gets struck by a rock that ricocheted off the street from a passing truck, and the lens is entirely cracked and no longer functioning. There is also the chance that the camera has just gone bad on its own; maybe it was defective to start with, or perhaps it has reached the end of its useful life, as it were.

The automaker or self-driving tech firm that has developed the AI driving system has presumably considered this kind of failure possibility.

Without that forward-looking camera, the AI driving system could potentially be blinded as to what is happening in front of the vehicle. That’s bad. That’s real bad. The AI might not realize that a car has pulled in front of the self-driving car and that the two are about to ram into each other. Or maybe a pedestrian has opted to run across the street and assumes that the AI will bring the car to a stop.

Your first thought about the camera going out is that the self-driving car should immediately come to a screeching halt.

This can be more daring than it seems. If there are other cars immediately behind the self-driving car, let’s say human-driven cars, and if the AI driving system merely jams on the brakes, this could start a cavalcade of car crashes.

In that case, maybe your refined way of thinking is that the self-driving car should gradually make its way to the side of the road, doing so cautiously and without disrupting other traffic. That is a seemingly better way to proceed, though the question arises as to how you can make your way to the side of the road and do so while completely blind to what is ahead of you. This seems like a tricky maneuver and one that even Houdini would shudder at trying to magically accomplish.

Astute designers and developers of self-driving cars are incorporating various precautions to try and cope with this potential single point of failure, doing so via the leveraging of redundancy.

For example, there might be more than just one camera pointing forward. By having additional cameras, the AI can switch over to relying upon those other cameras when the mainstay camera goes amiss. Imagine similarly that you are driving a car and you suddenly get a fleck of something in your left eye. You would likely become attentive to using just your right eye, and luckily you have at the ready a built-in redundancy that allows you to do so.

Furthermore, part of the basis for having a multitude of sensor types is that it helps to detect the outside world in ways beyond only a visual mode. The radar can be used to gauge whether objects are in front of the vehicle, and this is taking place throughout the course of a driving journey. If the forward cameras entirely went out, and if the radar is still working, this would presumably allow for some semblance of figuring out what is ahead of the vehicle (and allow for gradually getting over to the side of the road).

Realize though that the radar is not the same as the cameras, which means that you are not going to be gauging the driving scene in the same fuller way as you would with the cameras operating too. In that manner, the sensory capabilities of the AI driving system are sorely degraded, and any further actions must incorporate the realization of that now limited facility.

An integral component of self-driving cars is the use of Multi-Sensory Data Fusion (MSDF). There is software within the AI driving system that is tasked with receiving the data from the sensory devices and then attempting to merge or align that data accordingly. The visual data from the cameras are compared with what is spotted by the radar and by the LIDAR, and so on. A give-and-take must be devised, since at times one type of sensor is bound to be doing a better job at detection than another type of sensor.

Overall, you could say that the use of multiple types of sensors is a form of redundancy and a built-in means of trying to overcome any single point of failure.
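To make the failover and degraded-mode behavior described above concrete, here is an added example (not code from the article or from any self-driving project) of a health-aware fusion step for the forward-looking sensors. The sensor names, the health flags and the mode and action labels are assumptions chosen for illustration; the readings used at the bottom are constructed.

```python
from dataclasses import dataclass
from statistics import median
from typing import List, Optional, Tuple

# Added, constructed example: fuse whatever forward sensors still work and
# report how degraded the resulting view is, rather than going silently blind.


@dataclass
class SensorReading:
    name: str                 # e.g. "cam_front_primary" (assumed naming)
    kind: str                 # "camera" or "radar"
    healthy: bool             # result of the sensor's own self-check
    range_m: Optional[float]  # distance to the nearest object ahead, if seen


def fail(readings: List[SensorReading], *names: str) -> List[SensorReading]:
    """Copy of `readings` with the named sensors marked as failed (no data)."""
    return [SensorReading(r.name, r.kind, False, None) if r.name in names else r
            for r in readings]


def fuse_forward(readings: List[SensorReading]) -> Tuple[str, str, Optional[float]]:
    """Return (mode, action, fused_range_m) from the healthy forward sensors.

    Modes, from best to worst: nominal, camera_backup, camera_only,
    radar_only, blind. The action is what the driving policy should do next.
    """
    cams = [r for r in readings if r.kind == "camera" and r.healthy]
    radars = [r for r in readings if r.kind == "radar" and r.healthy]
    ranges = [r.range_m for r in cams + radars if r.range_m is not None]
    fused = median(ranges) if ranges else None   # agree across sensor types
    primary_ok = any(r.name == "cam_front_primary" for r in cams)

    if primary_ok and radars:
        return "nominal", "continue", fused
    if cams and radars:
        # Mainstay camera lost; the spare forward camera takes over (the "right eye").
        return "camera_backup", "continue", fused
    if cams:
        # Cameras still see the scene, but cross-checking against radar is gone.
        return "camera_only", "continue_reduced_speed", fused
    if radars:
        # Radar alone gives range but not the fuller scene: get to the roadside.
        return "radar_only", "pull_over", fused
    # Nothing forward-looking works: the least-risk choice is a controlled stop.
    return "blind", "minimal_risk_stop", None


# Constructed readings: both cameras and the radar see an object ~50 m ahead.
NOMINAL = [
    SensorReading("cam_front_primary", "camera", True, 50.0),
    SensorReading("cam_front_backup", "camera", True, 49.0),
    SensorReading("radar_front", "radar", True, 52.0),
]

if __name__ == "__main__":
    print(fuse_forward(NOMINAL))
    print(fuse_forward(fail(NOMINAL, "cam_front_primary")))
    print(fuse_forward(fail(NOMINAL, "cam_front_primary", "cam_front_backup")))
```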

There are, though, plenty of other potential single points of failure (or, more aptly stated, threats). Let’s consider another one.

The AI driving system is software and it is running on onboard hardware within the self-driving car.

Suppose the hardware falters. It could be that the processor chips go bad, or maybe the computer memory has a hiccup. You’ve likely had a laptop that had the hardware decide to give up on you. If the hardware of the self-driving car perchance hits a snag, this could mean that the AI driving system software can no longer operate.

This is the unguided missile concern of any self-driving car maker.

To try and overcome this potential single point of failure, the hardware typically has redundancy to cope with any particular hardware component failing. There are bound to be multiple chips, allowing a switchover to one that still seems to be working properly.

Here’s a tough question for you.

Is having two sets of onboard computing hardware setups sufficient as the needed redundancy to overcome a potential single point of failure?

It is tempting to say that this seems quite sufficient. On the other hand, there are lots of ways to undermine this redundancy. Suppose the hardware is positioned in nearly the same locale within the body of the vehicle. And, further, suppose the car gets hit by something that smashes that specific location. The redundancy of the hardware doesn’t buy you much if a single strike can obliterate all of it at once.

Okay, you respond, we ought to have a third set, perhaps positioned elsewhere within the vehicle and thus reduce the odds of getting clobbered when the primary set is taken out. Sure, this can be done, and we can continue this logic by having a fourth set, a fifth set, etc.
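The following added example (not code from the article) puts numbers on the point made here about co-located hardware, and on the earlier bridge-cable point that entangled redundant paths are effectively one path. It models each redundant computing unit by the location that houses it, gives every unit an independent failure probability, and gives every location a probability of being struck in a way that destroys everything housed there; the probabilities and location labels are constructed, not measured values.

```python
from itertools import product
from typing import Dict, List

# Added, constructed example: exact probability that ALL redundant units are
# lost, under independent unit failures plus a per-location common-cause strike.


def p_all_lost(units: List[str], p_fail: float, p_strike: float) -> float:
    """Probability that every unit in `units` is unusable.

    units:    location label of each redundant unit, e.g. ["front", "front"].
    p_fail:   independent probability that any single unit fails on its own.
    p_strike: probability that a given location is struck; a strike destroys
              every unit housed there (the shared fate of co-located units).
    """
    locations = sorted(set(units))
    total = 0.0
    # Enumerate every pattern of which locations are struck (2^#locations cases).
    for hits in product([False, True], repeat=len(locations)):
        p_pattern = 1.0
        struck = set()
        for loc, hit in zip(locations, hits):
            p_pattern *= p_strike if hit else (1.0 - p_strike)
            if hit:
                struck.add(loc)
        # Units in unstruck locations must each fail independently for total loss.
        survivors = [u for u in units if u not in struck]
        total += p_pattern * (p_fail ** len(survivors))
    return total


def compare_layouts(p_fail: float = 0.01, p_strike: float = 0.001) -> Dict[str, float]:
    """Total-loss probability for a few constructed hardware layouts."""
    layouts = {
        "one unit":               ["front"],
        "two units, same place":  ["front", "front"],
        "two units, separated":   ["front", "rear"],
        "three units, separated": ["front", "rear", "mid"],
    }
    return {name: p_all_lost(u, p_fail, p_strike) for name, u in layouts.items()}


if __name__ == "__main__":
    for name, p in compare_layouts().items():
        print(f"{name:24s} P(all lost) = {p:.3e}")
```

With the constructed numbers, two co-located units are dominated by the strike probability, while moving the second unit elsewhere cuts the total-loss probability by roughly another order of magnitude; the third unit buys far less than the second, which is the diminishing return the article describes.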

Conclusion

This takes us back to the earlier point that there is a cost associated with trying to overcome a single point of failure. If a self-driving car is going to have a lot of hardware processing redundancy, there is an added cost to this capacity.

How much is sufficient?

The answer is somewhat amorphous.

You can try to estimate the risks and the probable outcomes, and then put in place an amount of hardware redundancy accordingly. Keep in mind that the “costs” involved include that of human lives and injuries.

Here’s what will likely occur with self-driving cars.

At some future point in time, there will be a car crash involving a self-driving car. A legal case might arise. During that legal case, one argument to be proffered will be that the AI driving system was not devised with sufficient redundancy and ended up getting snagged by some points of failure that should have been better anticipated.

Mark my words, this will indeed happen.

Meanwhile, though not covered herein, there are many other aspects of the AI driving system that can potentially have points of failure, including the sensor fusion feature, the virtual world modeling elements, the driving controls command issuance software, and a plethora of other facets. We are all assuming that the self-driving car tech and AI driving systems are being designed, developed, tested, and fielded in such a manner that there is appropriate and sufficient redundancy.

I suppose that while riding in a self-driving car, if it breaks down and you come to a safe stop, you hopefully had the presence of mind to bring Lassie with you, and away the collie would go, aiming to bring assistance to your stalled predicament (well, ignoring for the sake of discussion the use of any on-board electronic communications, your cell phone, etc.).

Anyway, that’s Lassie for you, always the hero.
