
Safety First (and Always) In Automated Driving Development

Sam Abuelsamid
Aug 22, 2018


When an experimental automated Uber development vehicle struck and killed a pedestrian in Arizona in March 2018, questions immediately surfaced about how this could happen. Within days, Chandler police released the in-camera video. It showed that there had been multiple failures, both technical and human, that led to the tragedy.

Developing Safe Driverless Vehicles

I recently visited the new offices of automated driving company Argo AI (Argo’s technology was not used in the Uber vehicle mentioned above) to discuss some of the latest advances in the development of vehicles that don’t require a human driver.

Argo was formed by Waymo veteran and University of Pittsburgh alumnus Bryan Salesky and former Uber engineer and Carnegie Mellon University alumnus Pete Rander. In February 2017, Ford invested up to $1 billion for a majority stake in the startup and tasked it with developing the production version of the automated driving system for a new vehicle to be produced in 2021.

One of the key messages that popped up throughout the conversations with Salesky, Rander, and VP of Robotics Brett Browning was the emphasis on safety in everything that Argo and Ford are developing. This runs the gamut from the hardware engineering to the software architecture to the human processes.

The Driving Capability Is in the Details

Ford is developing the vehicle and handling the sensing and compute platform integration in close collaboration with Argo to ensure that sensors can reliably see the world around the car. Salesky emphasized the need to have multiple sensor types including cameras, radar, and lidar to provide both redundant and diverse information. While the current development path is using a pair of Velodyne lidar sensors, Argo has also acquired Princeton Lightwave, a company developing a sensor that uses eye-safe 1550-nm lasers and a Geiger effect photoreceptor that should provide significantly more useful range than the current 905-nm laser sensors.

A secondary compute platform serves as a real-time check of the primary system and also provides the means to bring the vehicle to a minimum risk condition if a failure is detected.

“No single point of failure should ever put the vehicle into an unsafe condition,” said Salesky.

Argo’s engineers use deep neural network machine learning systems in many areas of the software that analyzes the sensor data, but these systems are challenging to verify via static code analysis or human review. To aid analysis and validation and improve overall performance, Argo uses a mix of machine learning and classical software approaches, each where it works best, and uses a modular decomposition architecture to facilitate the isolation of problems.

Vehicle Operators (Not Drivers) Undergo Rigorous Training

On the human side, Argo has also implemented high standards for the vehicle operators who conduct testing every day. There are currently three fleets of vehicles operating in Pittsburgh, Dearborn, and Miami with at least two operators in each vehicle at all times. Potential operators go through an extensive screening process to ensure they have both the attitude and aptitude for the job.

The three-phase training process starts with conventional driving, before proceeding to closed course testing and finally open-road testing. Aspiring operators are evaluated throughout the open-ended program with a timeline that is based solely on their demonstrated ability to do the job. Once approved to test, one operator sits behind the wheel ready to take over while the other monitors the data. Operator pairs are changed up daily to help minimize the chance for complacency.

When in Doubt, Implement Redundant Systems

The Argo leadership has been working on automated driving long enough to know that no single sensing system is ever likely to be perfect. That has taught them to build redundant, fail-operational systems that mitigate the consequences when any system fails.