Laying the groundwork for self-driving vehicle safety
By: Eric Meyhofer, CEO of Uber Advanced Technologies Group
Around the world, regulators, technology developers, and industry standard-setting bodies are already working on a range of approaches to self-driving vehicle safety. However, the complexity of self-driving technology and the variety in development approaches across the industry means that, to date, no single standard or test alone can help the public understand how companies are addressing safety.
At Uber ATG, we feel a responsibility to foster open, public dialogue around our safety approach for the testing and development of self-driving vehicles. We publicly started this conversation last fall when we released our Voluntary Safety Self-Assessment, structured around our five Safety Principles: Proficient, Fail-Safe, Continuously Improving, Resilient, and Trustworthy. These principles are the foundation for Uber ATG’s Self-Driving Vehicle (SDV) Safety Case Framework. Today, we are sharing further details of that framework in conjunction with the annual Automated Vehicles Symposium, one of the largest cross-sectoral gatherings of leaders and innovators working to advance safe self-driving technologies.
We are putting forward a safety case framework for self-driving vehicles during development and into deployment with the goal of providing additional transparency around our safety approach. We are also open sourcing this with humble hope of aiding safety case development efforts within the industry, and potentially informing various voluntary standard-setting efforts already underway.
What is a safety case?
A safety case approach has often been employed by other safety-critical industries, including aerospace, rail, and medical devices. A safety case should communicate a comprehensive and defensible argument that, when coupled with articles of evidence convinces key stakeholders that the risk of harm from the system has been reduced to an acceptable level. A safety case should seek to establish that all aspects of designing, testing, and operating self-driving vehicles is done with minimum risk of harm. In developing our SDV Safety Case Framework, we relied on the Goal Structuring Notation approach to develop a graphical representation of our safety argument that makes it possible to show complex relationships and dependencies that may be difficult to communicate in text.
What is Uber ATG’s SDV Safety Case Framework?
The scope of Uber ATG’s SDV Safety Case Framework covers testing and development of our self-driving system, both with and without a Mission Specialist, as well as passenger operations on public roads. We have committed to a common safety case framework for both development and deployment because focusing on the potential safety of this technology in the future is not enough — we have an obligation to promote safety now, while still in development. We also know that this technology will not come to market overnight; there will be a lengthy transition period during which developers will be testing in some areas while running commercial operations in others, and safety must be a constant throughout.
Our safety case starts with a primary claim: our self-driving vehicles are acceptably safe to operate on public roads. From this claim we work top-down to define the argument structure that would be necessary to support the claim. This framework is intended to set out the full spectrum of conditions — from Mission Specialist hiring and training, to cybersecurity, to transparent reporting, to incorporation of legal requirements — that we believe should be considered as self-driving systems are built, tested, and brought to market.
The engineering processes for the development and testing of self-driving vehicles are still evolving. We have combined guidance from governments, established best practices from safety-critical industries, and voluntary industry standards with academic research and key learnings from our own development.
Operating a fleet of shared, self-driving vehicles gives rise to a number of important considerations that are not focused on safety, including, for example, data-privacy sensitivities. We will appropriately address these considerations, but they are outside the scope of this SDV Safety Case Framework.
Where to from here?
Today, we are placing into the public domain the first layers of our SDV Safety Case Framework under Creative Commons CC0, and we plan to put forth additional detail in the coming months. We want other developers and stakeholders of this technology to freely use and build on this framework, whether in partnership with us or independently. We also invite critical perspectives. We will directly engage stakeholders through further industry event participation and one-to-one collaboration, while also seeking indirect feedback through blog posts and other public communications.
Satisfying the conditions of this SDV Safety Case Framework is no small task, and we do not claim to have met all of them ourselves for fully driverless operations. We also recognize new or refined best practices may emerge over time, and we will consider these for incorporation into our SDV Safety Case Framework as they surface.
In order to realize the potential of self-driving technology to its fullest, we must come together and collaborate on safety. We hope you join us in the conversation.