On the eve of a major industry milestone – fully driverless operations without a safety driver at Brønnøy Kalk in Norway – we sat down with Luca to discuss the question on everyone’s mind: when is it safe to remove the safety driver?
The solution at Brønnøy Kalk currently consists of a fleet of seven Volvo FH trucks equipped with hardware and software components that make it possible for the trucks to operate autonomously. These components are both on-board and off-board and allow the trucks to sense their environment, plan what to do next, actuate the moves and work in unison.
A safe product or solution is one that doesn’t harm another human being. No one in the industry has so far defined the “perfect” criteria for when something is safe enough. There is no set of rules or universal guidelines that say now you are at a point where the product is “safe enough.” This ambiguity means that we need our own assessment of what “safe” might mean. In our approach, we perform a comprehensive risk analysis of the entire transport solution and apply recommendations from multiple standards, which can result in very complex work.
It is important to remember that every operation comes with a certain level of risk. This is because risk is an inherent fact of life and any activity poses some level of danger to life and health. When risks cannot be avoided altogether, we should focus on what an acceptable level of risk is.
When it comes to autonomous trucks and machines, we believe that a system needs to be at least as safe as a human driver in comparable conditions to be deployed. But that’s still only one part of the equation. While we may be able to use data about historical accidents and near-misses for both humans and machines, we may still be comparing apples to oranges. This is because although machines may avoid some errors (like those due to fatigue or incapacitation), they may make other mistakes or introduce a new category of errors.
While we cannot make broad claims about “safe enough,” what we can do is build rules and logic in the form of a comprehensive safety case. This is a hierarchy of claims supported by evidence about why a system can be considered safe. A structured safety case argument makes claims – for example that the brakes on our autonomous trucks will not fail during operation – which are supported by subclaims, i.e., because the braking system we use is based on existing and proven technology. We have plenty of data to support this, as it is the same braking system used in all Volvo trucks that we see on roads today.
We can also build claims based on data we get from ASIL (Automotive Safety Integrity Level) ratings, which are a risk classification system the industry uses to qualify how often a single component can fail. Components with a higher ASIL rating (D for instance) have the biggest impact on the safety of the driver, passengers, pedestrians, and nearby vehicles. So, for example, an unintended inflation of an airbag would be rated ASIL D, and the control system would need to have an extremely low fail-rate. We can use these manufacturer-guaranteed failure rates as input to a claim we make about system safety.
Then there are simulations where we test our system in a variety of circumstances and conditions. Based on these simulations, claims can be made about how safely the trucks and machines behave in the most mundane or extraordinary situations. There is a wealth of data from real-world driving with a safety driver which allows us to validate the simulations, generate data about performance and determine parameters for safe braking distance, speed and so forth. By staying within those parameters, we can claim that our system will perform safely.
But a sound safety case is not just about how we are developing and testing products or software. It is also about how we approach processes, procedures, training and culture with risk-mitigation and safety in mind. This holistic perspective is, in my view, a real differentiator for V.A.S. and the right way to approach autonomy.
By building a sound safety case backed by data, we have shown that we are mitigating risks across a wide variety of claims that cover our product, operations, and organization. By laying out our claims in a clear and structured way, we have been able to communicate to regulators why our solution is safe and receive the green light to remove the safety driver. Today we are the only company to have obtained a permit from a road authority to run fully autonomous commercial transport operations in a confined area.
Every operational design domain is different, so we would need to create a new safety case to operate on highways. Having said that, many safety claims can be re-used. For example, in the Brønnøy project we have proven that our base vehicle is safe to use in this operational design domain (ODD). We can re-use some of that work in future projects and create efficiencies. We have also learned a lot in terms of how to work with regulators and shape legislation that will push the industry forward.
We need to work with governments and authorities to craft the necessary legislation. We acknowledge the fantastic work that’s already being done. In the US, for example, lawmakers are very proactive and in Europe they’re open to a dialogue and adapting to new technologies.
But authorities cannot change a law without data or evidence that a system works. The electronic stability program, for example, wasn’t mandated in the US until real data proved that it reduces the number and severity of accidents. This is no different for autonomous vehicles. We need to produce and share data that shows that autonomous vehicles can save lives and work with authorities to make meaningful legislation.
The other thing is transparency and collaboration. Safety is paramount in the transportation industry. It is important that we are open – the more we learn and share the better. When safety-critical IP is developed, the technology should be accessible to all players. After all, aren’t we in the business of developing a technology that could one day save millions of lives?
There won’t be a specific date when people suddenly wake up to autonomous trucks on roads. I’d rather focus on what needs to happen before this goal is achieved. We must start operating on a smaller scale, with solutions that help us collect data and build safety cases over time. In this way we can show measurable progress and build a solution that is truly safe.