
Doubling down on safety: understanding our approach to redundancy in autonomous vehicles

Shahrukh Kazmi, Chief Product Officer, Volvo Autonomous Solutions
2024-07-09

The autonomous freight industry is in its early stages as a new and complementary transport mode, but it’s gaining momentum, and the technology is evolving rapidly. So far, autonomous trucks have been piloted with safety drivers, who are ready to take over in the unlikely event that there is a system failure.


As the industry matures and moves towards level 4 automation in the Hub-to-Hub segment, safety continues to be paramount. It’s the crucial consideration when removing the safety driver. And it’s one of the fears people have when they think about driverless trucks. How can we trust them? How can we ensure they are safe? This is where redundancy plays an important part.


What is redundancy?

When hearing the term redundancy, you might think about someone being laid off at work. But in engineering, redundancy means including extra backup components that enable a seamless operation in the case of failure within any of the primary components. Simply put, it means that certain parts, systems, and functionalities are duplicated to enhance safety and reliability.


As an example, redundancy is used in aircraft – and has been for decades – to ensure safe air travel. Airplanes often have multiple versions of each technical system; for example, there are backups to extend the landing gear in case the primary hydraulic system fails. Redundancy is not needed for the plane to function, but it’s always present in the background, ready to step in if an issue occurs with the primary systems.

Redundancy in autonomous vehicles

In a manual truck, you have electronic systems that assist with vehicle operation, like a smart brake system or assisted steering. Currently, laws require that the driver must be able to intervene if electronic components fail; for example, pulling the parking brake in case the smart brake system malfunctions. In a case like this, the parking brake system is designed to act as a backup brake system.


With Level 4 automation, we are working to ensure the same backup capabilities as manually driven trucks. By having redundant systems, autonomous vehicles can continue to operate safely even if certain primary systems or components fail. These backups are essential to ensure the safety of other road users and can be implemented at various levels in autonomous vehicles, from hardware and software to communication and computation.

Robust redundancy built into the new Volvo VNL Autonomous

True to the Volvo DNA, every design and engineering decision of the new Volvo VNL Autonomous has been made with safety in mind. Our engineering approach prioritizes safety by incorporating redundancy systems designed to mitigate emergency situations.


We built the Volvo VNL Autonomous from the ground up, integrating these redundancy systems to ensure that every safety-critical component is intentionally duplicated, thereby enhancing both safety and reliability. Let’s dive deeper into the robust redundancy systems within the Volvo VNL Autonomous.


Redundant brakes – Two brake systems ensure that the braking and immobilization capabilities required for a safe stop are present. The primary braking system is powered by one source, and the secondary by another. This increases the likelihood that we will be able to brake the truck, even if the primary brakes or the primary power source malfunction.

Redundant steering – If the primary steering fails, the secondary, identical redundant steering system is intended to ensure that we can steer the truck safely to a stop. As with the brakes, both steering systems are powered individually by two different power sources.


Redundant communication – Our two communication systems ensure we can avoid the loss of information flow if a failure occurs in a communication channel.


Redundant Automated Driving System (ADS) – Our autonomous driving partner, Aurora, has redundancy in place for their computer and sensor sets (known as their Virtual Driver). The combination of multiple cameras, lidars, and radars ensures that both the primary and the secondary computer are designed to capture a 360-degree view of the world around the truck. The ADS is also powered by two different sources.

Redundant computation – Two computes are intended to avoid the loss of safety-critical functions if a single ECU (Electronic Control Unit) fails. By having two computes, we can enter duplicate steering commands into our system. From there, each command goes into the two parallel computers and on to our two braking or steering systems. This ensures that both systems are at the ready to handle commands.

Redundant vehicle motion management – This is the coordination of everything that affects the vehicle’s motion. Our vehicle motion management centralizes the handling of different actuators, and the coordination of their tasks, to achieve a common motion control goal. This is duplicated to achieve equivalent capabilities on the redundant and primary actuators.


Redundant lights – Brake lights and hazard lights are partially duplicated. We’ve added light redundancy because if the primary lights fail, the hazard lights may be activated to allow the truck to come to a safe stop.


Redundant power and energy storage – If systems are not powered independently, a power failure would lead to a complete loss of these functions. Therefore, we have two sources of power which are completely separated and placed in different parts of the vehicle to promote safety and reliability.


How do we ensure our redundant systems are safe?

Fault injections

We comprehensively test every component of our trucks. First, we undertake testing of the primary and secondary components individually to ensure that the secondary side is as good as the primary. In addition to testing nominal performance, we also perform fault injections. So, as an example, we might disable the primary system and focus on the secondary one to make sure everything is working properly.


Once we’ve tested the systems on their own, we also test them together with the ADS (Automated Driving System) and the whole truck. We do this because we want to know that the truck will remain safe. This means we do fault injections on the whole truck: first on an isolated rig, then on a stationary truck, and eventually with a moving truck – always ensuring the safety of the testing personnel. The sky is the limit in terms of fault injections, and we do a lot of them. We also perform fault injections all the way down at the component level and at the subsystem level of the truck.
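A constructed illustration of the fault-injection idea described above, and of the redundant chain listed earlier (brakes, steering, computes, communication, each fed from one of two power sources). This is an added example, not Volvo's or Aurora's code; the component names, the four-role safe-stop condition and the two-power-source layout are simplifications assumed for the illustration. The harness fails every single unit, and then every pair, and reports which fault sets remove the ability to stop safely. Running it on a variant in which both brake systems share one power source shows why the page insists on separated power: a single power-source fault is then enough to defeat the duplication.

```python
"""Hypothetical fault-injection harness for a redundant safe-stop chain.

Constructed illustration (not Volvo or Aurora code). Each component is
modelled as a name, a role and the power source it draws from; a component
works only if neither it nor its power source has been failed.
"""
from dataclasses import dataclass, field
from itertools import combinations


@dataclass(frozen=True)
class Component:
    name: str
    role: str    # one of "brake", "steer", "compute", "comm" (assumed roles)
    power: str   # name of the power source feeding this component


@dataclass
class Vehicle:
    components: list
    power_sources: set
    failed: set = field(default_factory=set)   # units currently faulted

    def working(self, comp):
        return comp.name not in self.failed and comp.power not in self.failed

    def can_safe_stop(self):
        """Safe stop needs at least one working unit in every role."""
        required = {"brake", "steer", "compute", "comm"}
        alive = {c.role for c in self.components if self.working(c)}
        return required <= alive

    def fault_units(self):
        """Everything the harness is allowed to fail: components and power sources."""
        return [c.name for c in self.components] + sorted(self.power_sources)


def inject_faults(vehicle, max_simultaneous=1):
    """Fail every combination of up to N units; return the combos that defeat safe stop."""
    killers = []
    for n in range(1, max_simultaneous + 1):
        for combo in combinations(vehicle.fault_units(), n):
            vehicle.failed = set(combo)
            if not vehicle.can_safe_stop():
                killers.append(combo)
    vehicle.failed = set()   # restore the nominal state
    return killers


def build_redundant():
    """Assumed layout: every primary on power_1, every secondary on power_2."""
    return Vehicle(
        components=[
            Component("brake_primary", "brake", "power_1"),
            Component("brake_secondary", "brake", "power_2"),
            Component("steer_primary", "steer", "power_1"),
            Component("steer_secondary", "steer", "power_2"),
            Component("compute_a", "compute", "power_1"),
            Component("compute_b", "compute", "power_2"),
            Component("comm_a", "comm", "power_1"),
            Component("comm_b", "comm", "power_2"),
        ],
        power_sources={"power_1", "power_2"},
    )


def build_shared_power():
    """Same duplication, but both brake systems hang off power_1: a hidden common mode."""
    v = build_redundant()
    v.components = [
        Component(c.name, c.role, "power_1") if c.role == "brake" else c
        for c in v.components
    ]
    return v


if __name__ == "__main__":
    for label, builder in (("separated power", build_redundant),
                           ("shared brake power", build_shared_power)):
        single = inject_faults(builder(), 1)
        double = inject_faults(builder(), 2)
        print(f"{label}: {len(single)} single-fault killer(s) {single}, "
              f"{len(double)} fault set(s) of size <= 2 defeat safe stop")
```

The single-fault pass is the property a redundant design is meant to guarantee: no one component or power source may take the truck's safe-stop capability away. The double-fault pass is diagnostic rather than pass/fail; it lists exactly which pairs defeat the design (both brakes, both computes, one primary plus the other side's power source, and so on), which is the information a reviewer needs to judge whether those pairs are independent enough.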


Simulations

Our partner Aurora has a simulation environment where we can simulate the sensor set, our trucks, and their subsystems. This robust virtual testing suite allows us to run millions of simulations daily, which is critical to give us the confidence that the Aurora Driver is ready to attempt any maneuver in the real world.

As an example, the Aurora Driver performed 2.27 million unprotected left turns in simulations before attempting one in the real world. We also leverage hyper-realistic worlds to test our vehicles in safety-critical situations.


Test tracks

We do test runs at our proving grounds AstaZero, Trollhättan and Hällered in Sweden, or in the U.S. at the Ohio Traffic Research Center. We can drive at whatever speed a test requires and perform fault injections to see how the vehicles respond to challenges in the real world. And once we’ve determined that we’ve completed sufficient testing together with Aurora, we will launch the redundant vehicle on public roads, first with a safety driver.

What does the legislation say about redundant systems?

Today, there is no legal definition of a “redundant” truck, so it’s up to each manufacturer to determine what their redundancy looks like. In the U.S., there’s no federal mandate for autonomous vehicles, so Volvo’s approach has been to assume that our second brake system should act like a primary brake system.


Redundancy is a technical solution to improve safety, but it’s not legally mandated. Safety is a core value of the Volvo Group, and that is why we believe in, and have invested heavily in, robust redundancy systems to ensure that our trucks are as safe as they can be.

Our commitment to redundancy

Redundancy is crucial for autonomous vehicles, and it’s nothing new. It has been used as a technical solution for a very long time in many different industries. And it is something we’re actively choosing to incorporate in our autonomous solutions to ensure they are safe – even if current laws do not require it for autonomous vehicles.


Redundancy is a key enabler to safety. That’s why we put so much emphasis on having reliable, redundant systems. And it’s also why the Volvo VNL Autonomous has been purpose-built for autonomy, and why redundant systems have been part of its development since day one. We feel confident that robust redundant systems will be a key cornerstone for an autonomous future.
