HITL: Heyang Huang

content/course/assignments/human-in-the-loop/huang-heyang.md

@@ -0,0 +1,95 @@
+# Human-in-the-Loop Under Communication Failure: 
+## Designing Safe Autonomy for Remote Teleoperated Autonomous Vehicles
+
+Modern autonomous systems often rely on human oversight to handle situations that exceed the capabilities of automated algorithms. This design paradigm is commonly referred to as a "human in the loop" (HITL) system. In many safety-critical applications such as autonomous driving, remote teleoperation allows human operators to intervene when the system encounters unexpected edge cases.
+
+However, HITL systems frequently assume that communication between the automated system and the human operator is always available and reliable. In real-world deployments, this assumption may fail due to network latency, communication disruptions, or environmental constraints. This paper analyzes how system design must adapt when the human operator becomes temporarily unavailable, using a remote-assisted autonomous vehicle as a case study.
+
+## Scenario Description
+Consider a self-driving vehicle that operates autonomously under normal conditions but relies on remote human operators to resolve difficult situations. For example, if the vehicle encounters a complex construction zone or an ambiguous traffic situation, it may request assistance from a remote operator who can provide teleoperation commands or high-level guidance.
+
+This architecture allows companies to deploy autonomous systems before achieving full autonomy. However, the system becomes vulnerable when communication with the remote operator is interrupted. If redundant data links fail or latency becomes excessive, the vehicle must continue operating without immediate human supervision.
+
+Similar communication recovery problems appear in mobile robot systems. In a previous robotics project involving a follow-me robot, temporary connection loss required the robot to enter a conservative standby mode until communication with the control system was restored. Although this system did not involve a human directly in the control loop, it illustrates the same design principle: the robot must remain safe and predictable even when external supervision disappears.
+
+In such scenarios, the system must be capable of maintaining safety while also preserving a clear boundary between automated decision-making and human authority.
+
+## Failing Safely
+When communication with the human operator is lost, the automated system must transition into a safe default state. This principle is often referred to as achieving a *minimal risk condition*.
+
+For an autonomous vehicle, possible fail-safe behaviors include:
+
+- Gradual deceleration
+- Activating hazard lights
+- Pulling over to the side of the road
+- Avoiding complex maneuvers such as lane changes or unprotected turns
+
+The key design principle is that the default behavior should reduce risk rather than attempt aggressive problem solving. Continuing to operate normally without human oversight could expose the system to situations it was not designed to handle.
+
+Additionally, the vehicle should continuously attempt to reestablish communication with the remote operator while maintaining this safe operating mode.
+
+## The Autonomy Boundary
+
+Designing a HITL system requires defining a clear boundary between decisions that the autonomous system can make independently and those that must be deferred to a human operator.
+
+A possible autonomy framework for this scenario might include three levels:
+
+**Level 1: Fully Autonomous Decisions**
+
+These actions can be safely handled by the system without human supervision.
+
+Examples include:
+
+- Basic perception and sensor fusion
+- Obstacle avoidance
+- Speed regulation
+- Maintaining lane position
+
+These behaviors must remain operational even if communication with the human operator fails.
+
+**Level 2: Conditional Autonomy**
+
+These decisions may normally involve human oversight but can be temporarily handled by the system if necessary.
+
+Examples include:
+
+- Route adjustments
+- Minor navigation decisions
+- Conservative obstacle detours
+
+The system should log these actions for later review once the human operator reconnects.
+
+**Level 3: Human-Required Decisions**
+
+Certain decisions should never be made without explicit human approval.
+
+Examples include:
+
+- Entering restricted or unclear areas
+- Performing complex maneuvers in highly uncertain environments
+- Overriding safety constraints
+
+If communication is unavailable, the system must delay these actions and maintain a safe state until the human operator reconnects.
+
+## Trust and Latency
+
+When communication is restored, the human operator must rapidly understand the system's state and make informed decisions. However, reconnecting operators may face a large backlog of system data, which can increase cognitive load and slow decision-making.
+
+To address this problem, the system should provide a structured summary of its recent behavior rather than raw logs. Key elements of this summary may include:
+
+- The current vehicle state (location, speed, operational mode)
+- A timeline of critical events that occurred during disconnection
+- The system's confidence in its perception and planning modules
+- Any safety constraints currently limiting the vehicle's behavior
+
+Additionally, the system should communicate uncertainty in a clear and interpretable way. For example, the vehicle could report localization confidence or obstacle detection probabilities, helping the operator understand how reliable the system's internal model is.
+
+By presenting concise summaries and uncertainty estimates, the system allows human operators to regain situational awareness quickly and make effective decisions even after a communication delay.
+
+## Conclusion
+
+Human-in-the-loop systems provide an important bridge between full automation and traditional human-operated systems. However, these architectures must be designed with the assumption that the human operator may not always be available.
+
+In the case of remote-assisted autonomous vehicles, communication failures require the system to maintain safety independently while respecting clearly defined autonomy boundaries. By implementing safe failure modes, carefully delegating decision authority, and designing effective communication interfaces, autonomous systems can remain reliable even under degraded connectivity conditions.
+
+These design principles are critical for deploying autonomous systems in real-world environments where communication latency, infrastructure limitations, or extreme conditions may disrupt the human operator's role in the control loop.