From the peak of the hype cycle through the depths of disillusionment, the question at the core of the self-driving technology industry remains unchanged: How safe is safe enough?
Most companies have attempted to answer that question with tangible statistics. Number of miles driven. Number of crashes. Rate of disengagements or interventions over number of miles tested. But these metrics have provided, at best, a snapshot of safety. At worst, they stand in for actual progress.
What constitutes an appropriate level of safety for deployments of self-driving vehicles on public roads is still ambiguous.
“It’s almost like going back to English class and thinking about how you actually make a sentence,” said Nat Beuse, Aurora’s head of safety. “There’s an eerie similarity there. In order to construct a proper sentence, there’s a way you have to do it. And for a safety case, I think there’s a way you have to do it, too.”
At the top level of those diagrams, Aurora lays out five categories in which its vehicles must be deemed “acceptably safe” before they’re internally considered ready for public roads. They must be proficient, fail-safe, continuously improving, resilient and trustworthy. Under each category, the company adds further information that explains how it meets that metric.
Aurora says it’s the first safety case framework in the industry that covers both robotaxi and self-driving truck applications. It helps the company consider subtler differences in those operations, such as how trucks meet requirements to stop at weigh stations or place triangular hazard warnings behind a big rig stopped along the side of a road.
The general idea of safety case frameworks arose from another catastrophe, a series of explosions and fires that occurred on July 6, 1988, aboard the Piper Alpha oil platform off the coast of Scotland. The disaster killed 165 people. Safety case frameworks have since been used in the oil and gas, aviation and nuclear industries.
While at Uber Advanced Technologies Group, Beuse wrote the self-driving industry’s first safety case framework. It came in the wake of a fatal crash in Tempe, Ariz., between an Uber self-driving test vehicle and a pedestrian on March 18, 2018. This year, Aurora acquired Uber ATG, and Beuse brought the same general safety concepts to Aurora, which had been developing its own safety case framework.
Melding the two together was not difficult. But he cautions that there is no final document. Rather, the framework is intended to be a structure that promotes ongoing thinking about risks and safety, and that gets updated on a regular basis.
“This is an iterative thing and not a final answer,” Beuse said. “This is kind of our first shot at where we are today. … One thing we are very cognizant of is that we cannot have this just be a checklist. You can’t claim, ‘Go do these five things,’ and you can check a box and say you’re done. Our teams are working very hard to understand these claims and think very deeply about how to support those claims.”
Across the industry, the safety case approach is a new way of thinking about establishing safety benchmarks. When considering the risks associated with this new technology, Mark Rosekind, chief of safety innovation at Zoox and former NHTSA administrator, offers a reminder that the current state of road safety should be part of the consideration.
How safe is safe enough?
“How would you answer the same question for the current road safety model that we have right now?” Rosekind said during an appearance on the “Shift” mobility podcast this month. “We have 100 people dying every day. That’s not so good. And I point that out because in 100 years we haven’t figured out how to answer that question.”
Aurora’s safety case framework builds upon academic research, the Voluntary Safety Self-Assessments requested by the federal government, best practices from other industries and benchmarks such as UL 4600, the safety standard established in October 2019 that provides a similar evaluation of autonomous-vehicle software and hardware.
While UL 4600 addresses standards for vehicles, Aurora wanted to evaluate safety beyond the vehicle itself. Aurora has considered the entire development life cycle of self-driving technology, safety across the organization and, ultimately, how it conveys its approach to end customers.
“You can only write so many requirements,” Beuse said. “You need to really have these other pieces to really be able to say, ‘I am acceptably safe to put these things on the road in a commercially viable way.’ It’s one thing to do it in a demo. But it’s quite another to be running 24/7 operations and have all these things thought through and figured out.”