A 40-tonne fully loaded long-haul truck represents a significant amount of responsibility on the road. For a vehicle like the Volvo VNL Autonomous, which is developed for on-road applications without a driver in the cab, safety cannot depend on a single component or function. All safety-critical systems have to remain available, even when something fails.
The Volvo VNL Autonomous is therefore designed with backup capabilities for each safety-critical system, so that it can either continue to operate in a controlled way or bring itself to a safe stop. That is redundancy engineering.
Having a multitude of backups might sound futuristic and “high-tech”, but it is not. Redundancy is an old solution to an old problem: what happens when something goes wrong? And humans have been answering that question for thousands of years.
Murat Erdogan is Chief Safety Officer and Head of Product Safety at Volvo Autonomous Solutions.
The ancient Romans understood that a growing city cannot gamble with its water supply. As their population expanded, they did not build a single aqueduct and hope for the best. They constructed multiple aqueducts feeding the same city and occasionally even used dual channels so one could be taken out of service for cleaning while the other kept flowing. The result was a water system designed to function even if something went wrong.
Centuries later, early elevators made the mistake Rome had avoided. The lifting rope was the only thing holding a cab full of people above the floor. If the rope snapped, there was nothing left to catch them. Elisha Otis changed that with his mechanical safety elevator. He added a brake that gripped the rails if the rope suddenly lost tension. The everyday rider never saw it working, but the backup was there, silently waiting for failure.
Redundancy grew more sophisticated as mobility took to the skies. The first multi-engine airplanes showed that an aircraft did not need to fall out of the sky when one engine died. It could keep flying, perhaps with less performance, but still under control. That was redundancy not just for emergency stops, but for graceful degradation: the machine continued to do its job, even if some of its parts did not.
From aqueducts to elevators and airplanes, the pattern is consistent. When failure is unacceptable, humans build a second way to keep vital functions alive. Autonomous trucks carry on that tradition.
If we peek under the hood, there are many places where redundancy has been built into the Volvo VNL Autonomous. Our autonomous truck for on-road applications incorporates six key redundancy systems which act as backup in case of an emergency: braking, steering, communication, computation, energy and power, and vehicle motion control.
When we work in confined segments such as quarries or mines, we design redundancy into the surrounding infrastructure. We include external monitoring and site emergency-stop systems that can halt a vehicle if onboard sensing fails or if an unsafe situation is detected from the control room. Together with the safety systems on the vehicle, these measures allow the overall solution to reach a higher level of safety.
Behind these design choices sits a structured way of thinking about failure. The teams look at the operational design domain where the trucks will run and break down typical scenarios into the hazards they contain. They then trace these hazards to the components that could cause them, from sensors through software to actuators. For each chain, they design mitigations and redundancy, and then put those protections to the test, sometimes by deliberately injecting faults and observing how the system reacts. Only when there is enough evidence that the system responds safely do they move towards sign-off.
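The process just described (redundant channels per safety-critical function, graceful degradation onto a backup, a safe stop when a function has no healthy channel or the site emergency stop is asserted, and fault injection to check the response) can be modelled in a few dozen lines. The following is an added illustration, constructed for this page and not Volvo code; the function names, the two-channel layout and the monitor logic are assumptions, and the six function names are taken from the article's list. It also includes a single-point-of-failure audit, which is the kind of check the "too little redundancy" concern in the next paragraph calls for.

```python
"""Toy redundancy model with fault injection and a single-point-of-failure audit.

Constructed example, not Volvo code. Each safety-critical function has a
primary channel and, normally, a backup channel. A monitor runs each control
cycle and decides whether the vehicle is nominal, degraded (running on a
backup) or must perform a safe stop. All names here are assumptions.
"""
from __future__ import annotations

import copy
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    NOMINAL = "nominal"      # every function on its primary channel
    DEGRADED = "degraded"    # at least one function running on its backup
    SAFE_STOP = "safe_stop"  # a function has no healthy channel, or site e-stop


# The six redundant functions named in the article (identifiers are assumptions)
SAFETY_FUNCTIONS = ("braking", "steering", "communication",
                    "computation", "energy_power", "motion_control")


@dataclass
class Channel:
    name: str
    healthy: bool = True


@dataclass
class RedundantFunction:
    name: str
    primary: Channel
    backup: Channel | None  # None models a function that was left without a backup

    def active(self) -> Channel | None:
        """Channel currently providing the function, or None if the function is lost."""
        if self.primary.healthy:
            return self.primary
        if self.backup is not None and self.backup.healthy:
            return self.backup
        return None


class Vehicle:
    def __init__(self, functions=SAFETY_FUNCTIONS, without_backup=()):
        self.functions = {
            n: RedundantFunction(n, Channel(f"{n}-primary"),
                                 None if n in without_backup else Channel(f"{n}-backup"))
            for n in functions
        }
        self.site_estop = False  # infrastructure-side emergency stop (control room)
        self.state = State.NOMINAL
        self.events: list[str] = []

    def inject_fault(self, function: str, channel: str) -> None:
        """Fault injection: mark one channel ('primary' or 'backup') as failed."""
        fn = self.functions[function]
        target = fn.primary if channel == "primary" else fn.backup
        if target is None:
            raise ValueError(f"{function} has no {channel} channel")
        target.healthy = False
        self.events.append(f"fault injected: {target.name}")

    def monitor(self) -> State:
        """One monitoring cycle. A safe stop latches until an explicit reset."""
        if self.state is State.SAFE_STOP:
            return self.state
        lost = [f.name for f in self.functions.values() if f.active() is None]
        if self.site_estop:
            self.state = State.SAFE_STOP
            self.events.append("safe stop: site emergency stop asserted")
        elif lost:
            self.state = State.SAFE_STOP
            self.events.append("safe stop: no healthy channel for " + ", ".join(lost))
        elif any(not f.primary.healthy for f in self.functions.values()):
            self.state = State.DEGRADED  # still under control, on a backup
        else:
            self.state = State.NOMINAL
        return self.state


def single_points_of_failure(vehicle: Vehicle) -> list[str]:
    """Inject every single channel failure into a copy of the vehicle and list the
    channels whose loss alone forces a safe stop (i.e. the unprotected ones)."""
    spof = []
    for fn in vehicle.functions.values():
        for which in ("primary", "backup"):
            if getattr(fn, which) is None:
                continue
            trial = copy.deepcopy(vehicle)
            getattr(trial.functions[fn.name], which).healthy = False
            if trial.monitor() is State.SAFE_STOP:
                spof.append(getattr(fn, which).name)
    return spof


def run_campaign() -> dict[str, str]:
    """A small fault-injection campaign; returns scenario name -> resulting state."""
    results = {}
    v = Vehicle(); v.inject_fault("braking", "primary")
    results["braking primary lost"] = v.monitor().value
    v = Vehicle(); v.inject_fault("braking", "primary"); v.inject_fault("braking", "backup")
    results["braking both lost"] = v.monitor().value
    v = Vehicle(); v.site_estop = True
    results["site e-stop"] = v.monitor().value
    v = Vehicle(); v.inject_fault("braking", "primary"); v.inject_fault("braking", "backup")
    v.monitor(); v.functions["braking"].primary.healthy = True  # channel "recovers"
    results["safe stop latches"] = v.monitor().value  # recovery must not un-latch
    return results


if __name__ == "__main__":
    for scenario, state in run_campaign().items():
        print(f"{scenario:22s} -> {state}")
    print("SPOF, full redundancy:     ", single_points_of_failure(Vehicle()))
    print("SPOF, steering w/o backup: ",
          single_points_of_failure(Vehicle(without_backup=("steering",))))
```

Two design points are worth noting. The safe stop is latching: once the monitor has committed to a safe state, a channel that later reports healthy again does not lift it, because a transient recovery is exactly the kind of behaviour a faulty component may show. And the audit works on a copy of the vehicle model rather than the live one, which is how such a check would be run as part of the evidence collected before sign-off rather than on a truck in operation.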
When designing redundancy there is always a balance to be struck. Too little redundancy and you leave unacceptable single points of failure. Too much, or the wrong kind, and you risk building something so complex that it becomes harder to maintain and potentially less safe. That is also where productivity comes in. A truck that is overengineered, constantly down for maintenance or too expensive to operate is not a safe solution in practice, because it will never scale into real transport systems. Our job is to design redundancy so the truck can do real work, day after day, while still maintaining a strong level of safety.
Finding that balance is a deliberate process, not a guess. Decisions about redundancy are made jointly across engineering and operations, based on a holistic view of safety that covers the entire operation and lifecycle of the solution. They are guided by Volvo’s long heritage and commitment to safety, and by the requirement that we can demonstrate, with data and testing, that what we put on the road is safe for its intended purpose. We have spent decades building vehicles with safety as a core value, and we are now bringing that experience into the autonomous era.
Proving that the chosen balance is good enough requires more than internal conviction. That is where the safety case comes in: a structured argument with supporting evidence that the truck is safe for its intended use. Crucially, it also records the residual risks that remain. The aim is transparency. Everyone involved should understand what has been done to manage risk and what still needs attention as the technology evolves.
Redundancy will not disappear as autonomous technology evolves. If anything, it will grow more sophisticated. As we gather more experience from real operations, we can refine how components are duplicated, how failures are detected and how the truck transitions to a safe state when something goes wrong.
Future improvements in hardware, sensing and control will give us new options, but the core idea remains the same: critical functions must never rely on a single way of working. With the historical examples in mind, it is clear that when the outcome truly matters, humans rarely leave themselves only one option. We add a second channel, a safety brake, or a spare engine.
The Volvo VNL Autonomous is built in the same spirit. Redundancy is not an accessory to the technology, but a central tool that allows a driverless truck to operate responsibly among other road users.