Driver Override for Safety-Critical Vehicles and Networks

Operator error is a primary cause of vehicle accidents, yet human ingenuity is critical to effectively react in situations automation is not prepared to handle. Human operators have always been the ultimate authority, but their decisions may or may not be safe. This paper explores the constraints and requirements of vehicle systems that support automation override of a human operator. We adopt the view that a human operator remains the ultimate authority until grave risk is encountered, at which time the automation overrides strictly to re-establish a safe operating state. An override system must continually monitor vehicle state, predict near-term risk levels, compute a strategy to mitigate substantial risk, and warn the operator of the impending risk given sufficient time. Override action must occur just-in-time to re-establish a safe state before risk increases beyond the “grave” threshold. Controlled flight into terrain and aircraft damage/failure override case studies are presented, along with a discussion of how such aircraft override technologies could translate to ground vehicle systems.