Building for scale: When it comes to safety, it’s important to plan for expansion
December 02, 2021 | 4 min. read
Building a company and technology to transform an industry like transportation means planning for the long term. One of the most critical first steps for developing a generational product is to invest in the foundational elements that enable scalability. The expansive experience of our team has given us key insights that have driven an approach to development we’ve seen other industry players only recently begin to talk about—heavy investment in virtual development over massive on-road testing, long-range and multi-modal sensing, locally-optimal and rapidly-updatable maps, and deep partner integrations with leading auto manufacturers.
We see the fruits of our investments in our rate of progress—we were able to bring up our Peterbilt truck in just 12 weeks and reach the performance metrics that often require years of development within weeks of operating these trucks on a commercial route with a partner. Our partners see this tangible progress and we’re already expanding the scope of our pilot programs with them.
Another key area critical to delivering a product that can scale is investing in a Safety Case Framework. The rigorous development and implementation of a Safety Case Framework is ultimately how a company, and the public, can measure when the technology is acceptably safe enough to be on public roads without a human driver. As we have said before, Aurora will complete a fully tailored safety case before launching our driverless commercial trucking business, Aurora Horizon.
Why a Safety Case Framework is critical
No company that’s serious about pulling its driver and delivering this technology at scale can move forward without having a clear roadmap for safety. It’s not enough to just talk about safety, and it’s not enough to just have any Safety Case Framework (though that’s a great first step). A robust framework needs to be both comprehensive and built for scale. It needs to support the product and the company from early development to large-scale deployment. Ours does.
Aurora’s Safety Case Framework is the first Framework that applies to both autonomous trucks and passenger vehicles, and the only one that’s been shared publicly. A unique property of our Safety Case Framework, we believe, is that it is not targeted at just being able to conduct a safe demo once or twice; it’s about safely launching a commercial fleet and growing that to a very large scale.
Our comprehensive Safety Case Framework encompasses the entire development lifecycle of our vehicles, allowing us to accelerate our path to deployment and determine when our self-driving vehicles are acceptably safe for public roads. We introduced our Safety Case Framework to show how deeply we consider all of the aspects of safety and how our structured path to deploy without a human operator is supported with concrete evidence all the way to at-scale commercialization.
What does safety at scale look like?
In order for self-driving vehicles to be safely deployed at scale, a completed Safety Case Framework must include critical engineering, operational, and organizational considerations. Every company planning to pull its human driver with the promise to deliver a product at scale should be able to answer critical questions like the ones below. These questions highlight how operational controls must work, how empirical and analytical evidence is collected, and how the burden of evidence must grow as exposure increases.
Through development and deployment, are you able to maintain traceability so that changes do not result in having to revalidate the entire self-driving system?
A comprehensive Safety Case Framework, like ours, enables a company to fully trace the impact that changes will have to ensure updates do not invalidate the safety case.
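What traceability buys you in practice is change-impact analysis: if every piece of evidence is pinned to the exact artifact versions it was produced against, a new build tells you which evidence is stale and which claims it was holding up, and everything else stays valid. The following Python is an added illustration written for this page, not Aurora's framework or its schema; the claim/evidence graph shape, the artifact names and version strings, and the "any stale leg breaks the claim" rule are all constructed assumptions.

```python
"""Change-impact analysis over a safety-case traceability graph.

Illustrative example, not Aurora's framework or schema. The graph shape
(claims -> sub-claims, leaf claims backed by evidence, evidence pinned to
artifact versions) is an assumption chosen to make the point concrete.
"""
from collections import defaultdict

# Constructed sample argument: a top-level goal decomposed into two sub-claims.
CLAIMS = {
    "G1": ["G1.1", "G1.2"],  # vehicle is acceptably safe within the declared ODD
    "G1.1": [],              # safety-critical faults bring the vehicle to a safe state
    "G1.2": [],              # perception detects relevant objects throughout the ODD
}

# Each evidence item records which claims it supports and the exact artifact
# versions it was produced against. The version pins are what make impact tractable.
EVIDENCE = {
    "E-FMEA":      {"supports": ["G1.1"], "artifacts": {"fault_manager": "2.3.0", "compute_hw": "revB"}},
    "E-HIL-1":     {"supports": ["G1.1"], "artifacts": {"fault_manager": "2.3.0"}},
    "E-PERC-SIM":  {"supports": ["G1.2"], "artifacts": {"perception": "5.1.2", "lidar_fw": "1.4"}},
    "E-PERC-ROAD": {"supports": ["G1.2"], "artifacts": {"perception": "5.1.2", "lidar_fw": "1.4", "maps": "2021-11"}},
}

# Artifact versions in the currently validated build (constructed).
BASELINE = {"fault_manager": "2.3.0", "compute_hw": "revB", "perception": "5.1.2",
            "lidar_fw": "1.4", "maps": "2021-11"}


def stale_evidence(evidence, build):
    """Evidence whose pinned artifact versions differ from the candidate build."""
    return sorted(
        eid for eid, e in evidence.items()
        if any(build.get(name) != ver for name, ver in e["artifacts"].items())
    )


def unsupported_claims(claims, evidence, stale):
    """Claims that lose support once `stale` evidence is discounted.

    Conservative rule (an assumption of this example): a leaf claim is
    unsupported if any of its evidence is stale, because each item is a
    distinct leg of the argument; a parent claim is unsupported if any
    sub-claim is.
    """
    stale_for_claim = defaultdict(set)
    for eid in stale:
        for cid in evidence[eid]["supports"]:
            stale_for_claim[cid].add(eid)

    def broken(cid):
        children = claims[cid]
        if not children:
            return bool(stale_for_claim[cid])
        return any(broken(c) for c in children)

    return sorted(cid for cid in claims if broken(cid))


def revalidation_plan(claims, evidence, build):
    """What must be re-run for `build`: only the stale evidence, not the whole case."""
    stale = stale_evidence(evidence, build)
    return {
        "rerun_evidence": stale,
        "reargue_claims": unsupported_claims(claims, evidence, stale),
        "unaffected_evidence": sorted(set(evidence) - set(stale)),
    }


if __name__ == "__main__":
    candidate = dict(BASELINE, perception="5.2.0")  # a perception-only release
    print(revalidation_plan(CLAIMS, EVIDENCE, candidate))
```

Run against a perception-only release, the plan says to re-run the two perception evidence items and re-argue G1.2 (and therefore G1), while the fault-management FMEA and HIL results are untouched. Without the version pins on each evidence item there would be no way to make that cut, and the safe default becomes "revalidate everything".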
How should safety-critical faults and failures be resolved?
All autonomous vehicles need a comprehensive fault management system that is designed to address system faults and failures. For example, if a computer fails or a sensor goes down, the self-driving system needs to be able to respond and put the vehicle in a safe state. Moreover, this all needs to be done without endangering any vehicle occupants or road users.
Is your validation sufficient for the scale of operation your system must handle?
Hundreds of hours of brute-force validation testing on a given hardware and software build may be sufficient for a simple demonstration. But it’s not enough to support operation at scale. Safe operation at large scale requires a significant body of evidence compiled from either on-road testing at an extraordinary and impractical scale, or a carefully crafted test strategy that leverages structured, unstructured, on-road, and virtually derived testing.
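The gap between "hundreds of hours" and "at scale" can be put in numbers with the standard zero-failure bound: after n failure-free trials, the per-trial failure rate is bounded above at confidence C by 1 - (1 - C)^(1/n), which is roughly 3/n at 95% (the "rule of three"). The Python below is an added illustration for this page, not Aurora's validation method or its targets; it treats each mile as an independent trial with a constant failure probability, which is itself a simplification, and every figure in it (60 mph, a 1-in-10-million-miles target, 50 trucks at 100,000 miles a year) is a constructed assumption.

```python
"""How much failure-free exposure a safety claim needs: an added illustration.

Standard zero-failure binomial bound, not Aurora's validation method. Treats
each mile as an independent trial with the same failure probability, which is
a simplifying assumption; all numbers below are constructed.
"""
import math


def exposure_for_zero_failures(p_max, confidence):
    """Smallest n such that n failure-free trials reject a per-trial failure
    rate >= p_max at the given confidence, i.e. the smallest n with
    (1 - p_max) ** n <= 1 - confidence."""
    if not (0 < p_max < 1 and 0 < confidence < 1):
        raise ValueError("p_max and confidence must be in (0, 1)")
    return math.ceil(math.log(1 - confidence) / math.log(1 - p_max))


def demonstrated_upper_bound(n, confidence):
    """Upper confidence bound on the per-trial failure rate after n
    failure-free trials (about 3/n at 95% confidence)."""
    if n <= 0:
        raise ValueError("n must be positive")
    return 1 - (1 - confidence) ** (1 / n)


def fleet_years(miles, trucks, miles_per_truck_year):
    """Calendar years for a fleet to accumulate `miles` of on-road exposure."""
    return miles / (trucks * miles_per_truck_year)


if __name__ == "__main__":
    # Assumed for illustration: "hundreds of hours" at ~60 mph is ~30,000 miles.
    demo_miles = 500 * 60
    print(f"{demo_miles:,} failure-free miles bound the per-mile rate to "
          f"{demonstrated_upper_bound(demo_miles, 0.95):.2e} at 95% confidence")
    # Assumed target: fewer than one safety-critical failure per 10 million miles.
    need = exposure_for_zero_failures(1e-7, 0.95)
    print(f"Showing < 1e-7 per mile at 95% needs {need:,} failure-free miles")
    print(f"That is {fleet_years(need, 50, 100_000):.1f} years for 50 trucks "
          f"at 100,000 miles/year each, with zero failures along the way")
```

Under these assumptions, 30,000 demonstration miles only bound the failure rate to about 1 in 10,000 miles, and reaching a 1-in-10-million-miles claim by on-road exposure alone takes roughly 30 million failure-free miles, or about six years for a 50-truck fleet. Any single failure resets the count, and the bound says nothing about ODD coverage, which is why on-road mileage has to be combined with structured and virtual testing rather than substituting for it.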
Does your technology have the necessary capabilities for the operational design domain (ODD) you’re operating in?
The automated driving system’s sensors and capabilities need to be appropriate for the operating environment. For example, Aurora’s heavy investment in a tightly integrated, multi-modal perception system was designed specifically to unlock safe, large-scale operation of heavy self-driving trucks at highway speeds.
Can your technology handle everything within an ODD without any human intervention?
During development, it is reasonable to use aids such as pilot vehicles or chase cars to simplify the ODD, as long as their use is stated explicitly. To reach deployment, especially at scale, these “training wheels” have to come off: the automated driving system must perform throughout its entire ODD without such support, or the safety case must state explicitly how pilot vehicles or chase cars are used to limit ODD complexity.
Does your safety case and validation appropriately expand as the ODD expands?
A safety case (which is a tailored instance of a Safety Case Framework) is only fit for a specific ODD—once the ODD expands, the safety case needs to account for those changes in order to ensure its validity.
Do you have a functioning Safety Management System (SMS)?
Robust risk management, strong safety culture, and safety policies and assurance processes—key components of an SMS—are all essential to ensuring your organization is ready for deployment.
Are you capable of complying with traffic laws and do you know how to deal with unusual or rare situations?
Being capable of complying with the local traffic ordinances is a baseline requirement for self-driving systems, but it is also important to understand how other road actors behave. For example, on our Texas route, we have noticed that someone routinely walks his dog on the highway, which is now a scenario that the Aurora Driver accounts for. These unusual and rare situations can then be incorporated into a simulation environment and sampled across a much broader array of scenarios than one could reasonably expect to see in on-road testing with a finite fleet.
Aurora has been confidently pioneering key technological and methodological approaches to self-driving for years, and with these foundational investments, the devil is in the details. Whether it's implementing a rigorous Virtual Testing program, developing deep integrations with a partner, or building a comprehensive Safety Case Framework, it is not enough to simply state an intention. The work requires a nuanced understanding and comprehensive implementation, as well as a design that supports and scales alongside commercial deployment. In the spirit of transparency and collaboration, we will continue to share the way we approach these investments so others can also build and share scalable and comprehensive frameworks as we work towards safer roads for everyone.
Delivering the benefits of self-driving technology safely, quickly, and broadly.