Capability spotlight: Fault management, part 2
Aurora Driver | February 15, 2023 | 4 min. read
Training the Aurora Driver to recover from faults and return to the road
When driving a truck—or any vehicle for that matter—on the road, any number of things can happen that cause it to experience a fault. Fortunately, most of these are rare and can be mitigated with maintenance, inspections, and good system health monitoring tools. But while they’re rare, faults do happen. To operate on the road, the driver—be it a human or a self-driving system—must be equipped to safely detect, respond to, and recover from faults without unduly impacting service. In other words, a fault-handling solution is necessary in order for an autonomous trucking product like Aurora Horizon to succeed at scale.
We shared an inside look at the first piece of the Aurora Driver’s fault management system, or FMS, last July, detailing how we’ve been training and testing the Aurora Driver to detect faults and safely pull over to the shoulder of the road. In December, with the release of Beta 5.0, we unlocked the capability to autonomously merge back into highway traffic from the shoulder of the road—the final piece of our end-to-end fault management solution. Together, these capabilities help us address key aspects within the Fail-Safe Principle of our Safety Case Framework, which outlines our evidence-based approach to demonstrating that Aurora Driver-powered vehicles are acceptably safe to operate on public roads.
The end-to-end solution
The Aurora Driver’s fault management solution consists of five stages: detection, diagnosis, response, recovery, and resumption.
1. Fault detection
The Aurora Driver’s FMS is designed to actively monitor the health of the vehicle, including the self-driving software, sensors, and onboard computer. Each component of the Aurora Driver is constantly reporting diagnostic health checks to the other components, ensuring that all components are meeting performance targets for autonomous operation. If one component fails to meet these conditions, it results in a fault. To test this safely, we inject faults artificially.
2. Fault diagnosis
Once a fault occurs and the FMS detects that there is an issue, the Aurora Driver diagnoses the fault and determines what type of response is necessary and executable given the current environment. For example, some faults might require an immediate stop while others might be less urgent and can wait until the Aurora Driver comes to a stop at a safe location off of the road. In most cases, the response will be pulling to the shoulder of the road since our redundant systems are designed to enable the vehicle to continue to operate until it is able to find a safe stopping location.
In parallel, the Aurora Driver initiates a session with a Command Center Specialist via Aurora Beacon. The Specialist receives a description of the fault, the state of the vehicle, and sensor feeds showing its environment.
3. Fault response
If the fault requires a “pull to shoulder” maneuver, the Aurora Driver turns on its hazard lights and executes the maneuver. Once the Aurora Driver pulls the truck to a safe stop on the shoulder, the truck remains stationary during the remote recovery process. The Command Center Specialist further confirms the truck is safely stopped before initiating the troubleshooting and recovery processes.
4. Remote recovery
While the truck is stopped, the Command Center Specialist reviews the state of the fault and assesses the health of the Aurora Driver’s systems. If the fault is remotely recoverable, the Specialist resolves the issue and the Aurora Driver verifies that its system has returned to a nominal state.
5. Resume mission
The Aurora Driver then begins signaling and looking for an opportunity to reenter traffic and continue the mission.
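The five stages above as an added, illustrative state trace (example code written for this post's explanation, not Aurora's FMS). The fault codes, the diagnosis table, the `specialist_fix` stub standing in for the Command Center Specialist, and the fail-safe default for unknown faults are all assumptions.

```python
from enum import Enum

class Response(Enum):
    IMMEDIATE_STOP = 1     # the fault cannot wait
    PULL_TO_SHOULDER = 2   # redundancy keeps the truck driving to a safe stop

# Assumed diagnosis table (illustrative fault codes, not Aurora's). A fault the
# table does not know defaults to the most conservative response (fail-safe).
DIAGNOSIS = {
    "lidar_frame_drop": Response.PULL_TO_SHOULDER,
    "compute_thermal_warning": Response.PULL_TO_SHOULDER,
    "brake_controller_timeout": Response.IMMEDIATE_STOP,
}

def detect(health_reports):
    """Stage 1: each component reports 'ok' or a fault code; anything not ok is a fault."""
    return sorted(f"{comp}_{status}" for comp, status in health_reports.items()
                  if status != "ok")

def diagnose(faults):
    """Stage 2: the most urgent fault decides the response; unknown faults count as urgent."""
    return min((DIAGNOSIS.get(f, Response.IMMEDIATE_STOP) for f in faults),
               key=lambda r: r.value)

def run_fms(health_reports, specialist_fix):
    """Stages 1-5 as a trace of states. `specialist_fix` is an assumed stub for the
    Command Center Specialist: it gets the fault list and returns the health reports
    after remote recovery, or None if the fault is not remotely recoverable."""
    trace = ["driving"]
    faults = detect(health_reports)
    if not faults:
        return trace                              # nothing to do, keep driving
    response = diagnose(faults)
    trace.append("diagnosed:" + response.name.lower())
    # Stage 3: hazards on, then stop; the truck stays stationary during recovery
    trace.append("hazards_on")
    trace.append("stopped_in_lane" if response is Response.IMMEDIATE_STOP
                 else "stopped_on_shoulder")
    # Stage 4: remote recovery, after which the Driver itself re-checks its health
    after = specialist_fix(faults)
    if after is None or detect(after):
        trace.append("roadside_assist")           # not recoverable remotely: stay stopped
        return trace
    trace.append("verified_nominal")
    # Stage 5: signal and wait for a gap before reentering traffic
    trace.append("resuming")
    return trace
```

The point of the `detect(after)` re-check is that resumption depends on the Driver's own verification of a nominal state, not only on the Specialist's report.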
The reentry challenge
Why is merging back onto the highway from the shoulder of the road so difficult? When a driver is attempting to reenter a traffic lane after pulling their truck over to the side of the road, they must consider a couple of factors:
- Rear incoming traffic (in both the target lane and other lanes, in case a vehicle cuts in right before passing by). If traffic is heavy, it might take a long time to find an opportunity to move off of the shoulder and successfully merge into the flow of traffic.
- Shoulder location. Drivers have to be careful to maintain enough space ahead for the truck to get up to an acceptable speed for reentry. On narrow or grassy shoulders, or areas with nearby onramps or offramps, this becomes more difficult.
Maneuvering a massive 70-foot-long, 80,000-pound semitruck while quickly making these judgment calls and adjusting to the ever-changing flow of traffic is no small task. However, the Aurora Driver has something human drivers don’t—long-range sensors.
Our multi-modal sensor pods (which include high-resolution cameras, imaging radar, and FirstLight lidar, our proprietary long-range FMCW lidar) are an important component that enables safe highway reentry. When vehicles are moving at highway speeds, it is especially important to perceive them from far away. This gives the Aurora Driver enough time to accurately predict gaps in traffic and to begin accelerating along the side of the road to get up to merging speed.
What’s more, the Aurora Driver’s computer can quickly calculate the other vehicles’ velocities. Where human truck drivers have to estimate how far and how fast another vehicle is, the Aurora Driver immediately knows the exact position and speed of every vehicle it sees within its sensing range.
By taking this guesswork out of highway reentry, the Aurora Driver is able to quickly determine the safest and most optimal way to merge back into the flow of traffic.
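An added gap-acceptance sketch for the two reentry factors above (written for this post, not Aurora's planner). The constant-velocity prediction, the 1 m/s² acceleration, the 2 s headway and the constructed traffic are all assumptions; it also illustrates the sensing-range point, since with these numbers a vehicle closing at 30 m/s has to be seen roughly 500 m back before the merge is accepted.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RearVehicle:
    distance_m: float  # metres behind the truck's current position
    speed_mps: float   # its speed along the road
    lane: str          # "target" or "adjacent" (adjacent counted: it may cut in)

def accel_distance_m(merge_speed_mps, accel_mps2):
    """Shoulder runway needed to reach merge speed from rest: v^2 / (2a)."""
    return merge_speed_mps ** 2 / (2 * accel_mps2)

def gap_at_merge_m(vehicle, merge_speed_mps, accel_mps2):
    """Separation when the truck reaches merge speed, assuming the rear vehicle
    holds its speed (constant-velocity prediction) for the acceleration time."""
    t_accel = merge_speed_mps / accel_mps2
    truck_travel = accel_distance_m(merge_speed_mps, accel_mps2)
    return vehicle.distance_m + truck_travel - vehicle.speed_mps * t_accel

def can_reenter(rear_vehicles, runway_m, merge_speed_mps, accel_mps2, headway_s):
    """Check factor 2 (shoulder runway) then factor 1 (rear traffic in every lane).
    Returns (decision, reason)."""
    if runway_m < accel_distance_m(merge_speed_mps, accel_mps2):
        return False, "insufficient_runway"
    for v in rear_vehicles:
        required = v.speed_mps * headway_s   # keep a time headway behind the truck
        if gap_at_merge_m(v, merge_speed_mps, accel_mps2) < required:
            return False, f"gap_too_small:{v.lane}"
    return True, "clear"

# Constructed scenario: truck at rest, 25 m/s (~56 mph) merge speed,
# 1 m/s^2 assumed loaded-truck acceleration, 2 s assumed headway.
MERGE, ACCEL, HEADWAY = 25.0, 1.0, 2.0

if __name__ == "__main__":
    traffic = [RearVehicle(500.0, 30.0, "target"), RearVehicle(600.0, 28.0, "adjacent")]
    print(accel_distance_m(MERGE, ACCEL))             # 312.5 m of runway needed
    print(can_reenter(traffic, 800.0, MERGE, ACCEL, HEADWAY))
```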
The countdown continues
Aurora Driver-powered trucks encounter all kinds of obstacles and challenges while hauling customer loads. Like the other capabilities we’ve unlocked in our beta releases, our return from shoulder capability (and our fault management capability, more generally) equips Aurora Driver-powered trucks with one of the features they need to autonomously deliver customer loads safely and on time.
Of course, faults are not the only reason the Aurora Driver may need to pull off of the road. If an extreme weather event like a snowstorm were to happen, or if a law enforcement officer were to signal a traffic stop, the Aurora Driver would need to be able to safely pull over and then reenter traffic once the situation had resolved.
In what we expect to be rare cases, remote recovery may not solve the issue, and the vehicle may require manual support. When this happens, a Roadside Assist team will be dispatched to the truck’s location to assess the issue and complete the mission.
We expect to reach our Feature Complete milestone soon—meaning we will have implemented all of the capabilities necessary for commercial launch and removed all policy interventions. Stay tuned for more!
Senior Director, Safety Engineering