Welcome to Safety Case 101
March 08, 2022 | 5 min. read
Last year, Aurora released our Safety Case Framework, an industry-first, evidence-supported argument for how we’ll demonstrate that our autonomous trucks and passenger vehicles are acceptably safe for public roads.
While we are deep into the implementation of this framework for driverless operations, we want to take a step back and provide context as to why this process isn’t just important, but essential to safely deploying self-driving vehicles at scale.
Welcome to Safety Case 101.
Let’s start by diving into the top six most important questions for understanding a safety case and why it’s important:
Lesson 1: What is a safety case?
A safety case is a logical argument, supported by evidence, to justify that a system is acceptably safe for a specific application in a specific operating environment. A structured safety case argument includes a specific claim—like that our self-driving vehicles are acceptably safe to operate on public roads—that is then distributed into multiple levels of subclaims that are supported by evidence.
For example, if we make a claim that we can sufficiently maintain and service our self-driving vehicles, then supporting evidence could include our maintenance requirements, procedures, guidelines, and other evidence related to driverless operations.
Safety cases are not a new concept, and have been widely used in other safety-critical industries like aviation, rail, and medical devices. The term safety case is also used in a variety of existing autonomous vehicle industry standards, such as ISO 26262 and UL 4600. In all these instances, the purpose of a safety case is to justify with evidence that a system is safe for its intended use. We have adapted our safety case approach based on the best practices of other industries, and applied it to developing and operating autonomous vehicles.
Lesson 2: Why is Aurora using a safety case-based approach?
Taking a safety case-based approach is an effective means of showing self-driving safety because:
- A safety case can factor in the high complexity of autonomous vehicle systems and their many on-road interactions.
- Safety cases can thoughtfully examine all aspects of safety across an organization, including in the product, company culture, operations, and more.
- This approach contextualizes how the addition of new evidence strengthens our overall safety argument.
We take the responsibility for determining how to safely design, test, and operate autonomous vehicles incredibly seriously, and are building a safety case that makes clear the capabilities of our technology.
A completed safety case serves to:
- Ensure that all the necessary due diligence has been carried out in developing and deploying self-driving technology, thereby enabling the decision to remove vehicle operators and commence driverless operations; and
- Support the company in communicating to stakeholders, regulators, and partners about the extensive process taken to develop and deploy safe driverless vehicles.
Lesson 3: What does “acceptably safe” mean?
Risk is inherent in everything we do. Even the most common, frequent tasks we undertake, from taking a shower to driving around town, have inherent risk.
With this in mind, humans have developed means of mitigating those risks—our showers are designed to have anti-slip surfaces and our vehicles have seat belts, airbags, and other safety equipment. While these safety controls do not eliminate the risk entirely, they help ensure the activities we complete every day are acceptably safe—meaning risk is mitigated enough that we can complete everyday activities without posing significant risks to ourselves or those around us.
This applies to developing vehicles as well, autonomous or otherwise. At the end of the day, after we have completed all of our objectives, double- and triple-checked our work, and verified and validated the results, there will always still be some degree of residual risk. When developing the Aurora Driver, we’ve implemented our Safety Case Framework to show that we’re mitigating risk across a wide variety of claims that encompass our product, operations, and organization—enabling partners and customers to know our technology is acceptably safe for public road operations.
Lesson 4: How is a Safety Case Framework different from a safety case?
Aurora’s Safety Case Framework is built upon five principles that describe our approach to developing our self-driving technology – Proficient, Fail-Safe, Continuously Improving, Resilient, and Trustworthy. These principles are composed of hundreds of claims and subclaims that, when substantiated by evidence, provide proof that the Aurora Driver is acceptably safe to operate on public roads in a given context. These claims can be adapted to operations with and without a vehicle operator as well as to different vehicle platforms.
Ultimately, we will have multiple safety cases for each use case (like freight or passenger mobility), vehicle platform (like a semi-truck or passenger car), and operational design domain (like our Dallas to Houston freight route or operations within a certain city). For this discussion, we will explore two primary safety cases:
- VO Road: Operating in autonomy with a vehicle operator on public roads
- NVO Road: Operating in autonomy without a vehicle operator on public roads
With our VO Road safety case, satisfying the claim that our vehicles are acceptably safe to operate on public roads rests on applying the relevant industry standards, meeting our vehicle operator requirements (including their training and ability to control the vehicle), promoting and ensuring a strong organizational safety culture, instituting safety risk management, and implementing other safety policies around on-road operations. We have satisfied these claims and completed our VO Road safety case—which covers all our current on-road operations.
As we progress to operating without a vehicle operator in the NVO Road safety case, we will provide proof for additional claims and subclaims that support our overall assertion that we can operate safely without the vehicle operator on public roads.
For example, if an Aurora-powered vehicle experienced a sensor failure with a vehicle operator on board, that operator could take control and safely bring the vehicle to a stop. To complete our safety case when we don’t have a vehicle operator on board, we need to be able to show evidence that our system has fail-safe capabilities—meaning our autonomous vehicles are designed to safely respond to system, sensor, or mechanical failures.
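To make the claim, subclaim and evidence structure from Lesson 1 and the VO Road versus NVO Road difference from Lesson 4 concrete, here is a small added example that is not Aurora's tooling or code from this post: it models a safety case as a tree of claims and reports which claims still lack evidence. The claim wording follows the post; the evidence labels and the `build_case` sketch are hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Claim:
    """One node of a safety case argument. A leaf claim is substantiated when it
    carries evidence; a claim with subclaims is substantiated when all of them are."""
    text: str
    subclaims: list[Claim] = field(default_factory=list)
    evidence: list[str] = field(default_factory=list)


def gaps(claim: Claim, path: str = "") -> list[str]:
    """Return the path of every claim that is not yet backed by evidence."""
    here = f"{path} > {claim.text}" if path else claim.text
    if not claim.subclaims:
        return [] if claim.evidence else [here]
    return [g for sub in claim.subclaims for g in gaps(sub, here)]


def acceptably_safe(case: Claim) -> bool:
    """The top-level claim holds only when no claim in the tree is unsupported."""
    return not gaps(case)


def substantiate(claim: Claim, text: str, item: str) -> bool:
    """Attach an evidence item to the first claim whose text matches; False if absent."""
    if claim.text == text:
        claim.evidence.append(item)
        return True
    return any(substantiate(sub, text, item) for sub in claim.subclaims)


def build_case(with_operator: bool) -> Claim:
    """Hypothetical sketch of a VO Road (True) or NVO Road (False) case."""
    maintain = Claim("Vehicles are sufficiently maintained and serviced",
                     evidence=["maintenance requirements", "service procedures"])
    standards = Claim("Applicable industry standards are applied",
                      evidence=["standards conformance work products"])
    culture = Claim("A strong organizational safety culture is in place",
                    evidence=["safety culture program records"])
    failure = Claim("The vehicle responds safely to system, sensor, or mechanical failures")
    if with_operator:
        # With a vehicle operator on board, operator takeover is the failure response.
        failure.evidence.append("vehicle operator training and takeover requirements")
    else:
        # Without an operator, the system itself must show fail-safe capability.
        failure.subclaims.append(Claim("Fail-safe behavior on sensor failure is demonstrated"))
    return Claim("The vehicle is acceptably safe to operate on public roads",
                 subclaims=[maintain, standards, culture, failure])
```

Running `gaps(build_case(with_operator=False))` lists the single unsupported fail-safe subclaim, and `substantiate` with a test report for it closes the case.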
Lesson 5: How is the safety case used in operations at Aurora?
Departments across Aurora—including the non-engineering functions—have roles in providing evidence for claims within our safety cases. That means our team tests the work being done to develop and deploy the Aurora Driver based on the high standards of the safety case, and, once it meets those standards, uses it as evidence to transparently show how we’re building a safe self-driving product.
Our Safety Case Framework is designed to incorporate the diverse aspects of the work we do at Aurora. All employees and departments contribute to this effort—from our engineering teams to our business leaders. The comprehensive nature of the Safety Case Framework not only makes it effective but also enables us to account for broad, organizational safety needs, such as safety culture.
Lesson 6: What are the Principles of Aurora’s Safety Case Framework?
The Principles are the broad categories that guide and describe our goals for developing safe autonomous vehicles, including:
Proficient: The vehicle is acceptably safe during normal driving. Essentially, everything is working as intended.
Fail-Safe: The autonomous vehicle is acceptably safe when there is a fault or failure. We design our vehicles in such a way that, if some component fails (like if a sensor is damaged or a tire blows out), the vehicle should behave in a manner that does not endanger its passengers or other road users.
Continuously Improving: Aurora is committed to continuously improving. We are constantly learning and striving to identify, evaluate, and resolve anomalies that could affect the safety of the vehicle.
Resilient: Our vehicles are acceptably safe in the case of reasonably foreseeable misuse and unavoidable events. For example, our cybersecurity-related claims mostly reside under this principle.
Trustworthy: The public can have confidence in not only Aurora’s autonomous vehicles, but our entire company – that we not only design, build, and test our self-driving vehicles in a dependable manner, but also that we have a safety and organizational culture in place to quickly address and resolve issues.
This is just an introduction to how and why we’ve adopted a Safety Case Framework at Aurora. Soon, we’ll unpack each of the Safety Case Principles mentioned above – going into detail about how each helps ensure we’re responsibly developing our technology and that our autonomous vehicles are safe enough for public roads.