Safe by design: The Safety Checklist process
January 31, 2023 | 3 min. read
We use two types of processes to manage the safety risks of vehicle operations at Aurora. One is the Safety Case, which covers autonomous operations on public roads with (and eventually without) an operator behind the wheel. The other is the Safety Checklist, which covers non-autonomous, manual operations on public roads and autonomous operations on closed tracks with an operator behind the wheel.
Every vehicle configuration is evaluated on a test track before we begin using it for autonomous public road tests with vehicle operators behind the wheel. In this way, the Safety Checklist process functions as a precursor to the Safety Case process. We use two different safety processes because different operational contexts carry different types and levels of risk.
When autonomously hauling loads for our customers or testing autonomy capabilities on public roads surrounded by other road users, we verify the safety of our vehicles by satisfying hundreds of claims outlined in our Safety Case Framework. But it’s a different story if we’re testing these capabilities on a test track, where we have full control over the environment, or if the Aurora Driver is not autonomously operating the vehicle at all. For these lower-risk operational contexts, we rely on Safety Checklists.
What is a Safety Checklist?
Our Safety Checklist process is designed to verify that a vehicle configuration is acceptably safe for either manual operations on public roads or autonomous operations on a private test track.
We create a checklist for each new configuration of the Aurora Driver, which could include an update to the Driver hardware kit or integration with a new vehicle platform (such as Paccar’s Peterbilt 579 and Kenworth T680 trucks, Volvo’s VNL truck, and Toyota’s Sienna Autono-MaaS minivan).
Checklist items are constructed based on two key principles: “safe by design” and “safe as manufactured.” “Safe by design” checks are meant to confirm that the design of a configuration (considering both hardware integrations and functional implementations) does not introduce safety risks. “Safe as manufactured” checks are meant to confirm that we are building the necessary safety-critical components for the configuration, and that we have not inadvertently disabled any safety-critical systems native to the vehicle platform (such as the collision warning systems that are built into our partners’ trucks).
Like Safety Case claims, each Safety Checklist item must be satisfied with evidence, much of which is generated as a byproduct of the work our engineering, operations, and development teams already do.
Vehicle operators sometimes drive Aurora Driver-equipped vehicles on public roads to collect data for the Atlas (our HD map) or our Virtual Testing Suite. Even though the Driver is not enabled on these missions and a vehicle operator is in control of the vehicle at all times, the vehicle has been modified and therefore must be checked for road safety.
Equipping our partners’ truck platforms with the Driver requires integrating new hardware components such as a computer, sensor kit, and human-machine interface (or “HMI,” which consists of visual signals like lights that indicate the vehicle’s state). This requires significant rewiring and can add weight. To ensure that the modifications do not adversely impact safety, the vehicle configuration goes through a series of safety checks, including hardware inspections, tests for HMI and emergency equipment functionality, and verification that the autonomy system is disabled and blocked from taking over control of the vehicle.
Before the Driver is allowed to autonomously drive a new vehicle configuration on public roads, it must first complete a course on private test tracks. With a vehicle operator behind the wheel and ready to take over control of the vehicle if necessary, the Driver must practice navigating various scenarios while our teams monitor the vehicle platform and autonomy system for issues.
Because all of this happens in a tightly controlled environment, we use a Safety Checklist to verify that the vehicle configuration is acceptably safe for track testing. In addition to many of the same checks that make up the manual road operations checklist, the autonomous track operations checklist includes checks designed to verify that the autonomy system is working properly. These include system health assessments, disengagement mechanism tests, and analysis of the interlocks between the autonomy system and the vehicle platform.
Safe when operating
Once the Safety Checklist for a vehicle configuration is approved, our vehicle operations teams have clearance to begin operating vehicles with that configuration. Our quality teams check each vehicle to ensure that it is functioning correctly and complying with the approved Safety Checklist. Every day, before each vehicle hits the road or track, our operations team also performs a pre-trip inspection. All of these checks give us confidence in the safety of our public manual operations and private autonomous operations.
Regardless of what stage a vehicle configuration is in, we hold our safety processes to high standards, just as we hold our people, business, and technology to high safety standards. For transparency and accountability, we will continue to share more about our safety practices as we approach the launch of our first product, Aurora Horizon.