Kodiak’s safety philosophy, in theory and in practice.
As entrepreneurs and engineers, we at Kodiak love building cutting-edge, advanced, and just plain cool products. But we are also motivated by a more philosophical goal: to make transportation safer for all. Every year, over 40,000 Americans die on the roads. What’s more, estimates suggest that over 90% of traffic accidents involve human error.
Developing 80,000-pound computer-controlled vehicles is necessarily high stakes. Since the first engineers began tinkering with self-driving vehicles, they have debated how much risk they can ethically take. Some have believed that taking risks and moving quickly is worth the occasional close call, given the terrible toll of traffic accidents, which kill over 3,500 people globally every day. At the same time, others believed it necessary to maximize safety during development, even if it meant moving more slowly. They reasoned that nothing could justify the risk of directly causing an accident.
When Kodiak was founded two years ago, our team brought a new perspective to the decades-old debate on AV safety. Most importantly, our experience has taught us that the perceived tradeoff between safety and speed is a false dichotomy. We believe that, when implemented correctly, a strong safety process and culture actually accelerates development. We’ve built Kodiak’s safety program around this vision.
We believe our technology can transform people’s lives by making the roads safer for all drivers. But we cannot and will not take the risk of developing this technology in an unsafe manner. As we have built Kodiak over the last two years, we have led with our safety program, both to protect our team and our fellow drivers, and to accelerate development. We’ve drawn heavily upon our experience, as well as lessons learned from other safety-critical industries like traditional automotive, aerospace, and healthcare. We’ve broken down our safety philosophy into three main categories:
- Safety, Start to Finish
- Minimizing Risks to Maximize Reward, and
- Disciplined Innovation
Safety, start to finish
Since our founding, we have focused on building trucks ready for deployment, not for academic research. This goal requires us to take a comprehensive approach to the safety of our self-driving trucks, rather than narrowing our focus onto one particular aspect of our technology. We’ve worked to maximize safety from start to finish, from our testing and development programs, to the functional safety of our hardware and software components, to the safe behaviors the Kodiak Driver exhibits on the road.
We incorporate safety into our hardware processes by designing — and testing — for reliability. It doesn’t matter how smart your software is if a single hardware failure can easily cause an accident. We incorporate safety into our software by codifying defensive driving behaviors, and testing and retesting each piece of code to ensure it meets expectations and doesn’t introduce new bugs or safety regressions. We build safety into our operations program by making sure that we minimize the risks we take on the road. We even incorporate safety into how we run our company, by giving everyone a say in ensuring safe operations and working hard to make sure we leave no risks unexplored or unaddressed.
Kodiak’s software development approach promotes safety, start to finish. We chose to use simulation as the primary test medium for the Kodiak Driver. Simulation-first development allows us to learn more, faster — without the risks associated with on-road driving. The Kodiak Driver can practice negotiating many more complex situations in a well-structured set of simulations than it can in hundreds of miles on public roads. A few minutes in simulation can often teach the same lessons as an entire month in the real world. We chose to partner with Applied Intuition, an industry-leading third-party simulation provider, to co-develop our simulation platform, customized to Kodiak’s unique technology stack. Our close relationship with Applied Intuition has allowed us to leverage our partner’s targeted technology, team, and infrastructure to build what we believe to be among the most powerful and flexible simulation platforms in the self-driving industry.
Of course, sometimes there’s just no substitute for the real world. When we need to evaluate new features, validate behaviors we see in simulation, or determine system behavior in unusual edge cases, we strive to use structured testing on test tracks to assess vehicle performance. Structured testing is particularly valuable for evaluating system behavior in uncommon edge cases, like pedestrians on the roadway. By using a test dummy, we can test system performance without actually having people walk in front of or around our trucks while in motion.
We believe it’s also important to test the Kodiak Driver on public roads. Such testing enables us to better understand the range of unpredictable events that can occur in the real world. By definition, simulations test the variables that you have already considered and built into the simulation model. No matter how extensive your model, the real world always finds new variables. Real-world tests help us uncover unexpected challenges and build the contextual understanding of our product that we will need to know when we can take the driver out of the cabin. We also use our on-road testing to build new simulation scenarios. This multiplies the development value of every mile we drive in the real world, and helps us enrich and improve our simulation platform to be a better proxy for real-world driving.
Minimizing risks to maximize reward
At the core of Kodiak’s safety approach is the recognition that there is no such thing as risk-free driving: anyone who gets inside any vehicle exposes themselves to some risk of an accident. We take this risk seriously, and though no one can ever completely eliminate such a possibility, we actively work to minimize it.
Our experience has taught us that safety work is done best when it’s decoupled from the pressures of milestones, demos, and adding features. We believe it’s critical that everyone at Kodiak sees safety as an individual responsibility, and that everyone is not only empowered but obligated to act to improve safety.
That’s why we put so much emphasis on our Safety Meeting, which I host. The Safety Meeting is an open forum where we follow through on our company’s safety culture, and prioritize critical thinking about system safety over deadlines or metrics. It draws a cross-functional group of team members from the hardware, software, engineering, operations, and leadership teams. At the Safety Meeting, we carefully examine the potential risks associated with our operations schedule and tasks, and whether the data we’re collecting justifies the basic risk of being on the road. If we can’t justify an activity, we stop doing it. The Safety Meeting gives voice to a diverse set of viewpoints, and ensures we explore every angle of every decision that impacts our operational safety.
We also prioritize minimizing risks inside the vehicle. We encourage our Safety Drivers to disengage the Kodiak Driver whenever they feel necessary without feeling any pressure to justify that decision — this ensures that we avoid taking any unnecessary risks while conducting public road testing. And, as discussed above, we actually think that encouraging interventions helps us improve the Kodiak Driver: by carefully analyzing every intervention, we learn something from every disengagement. My colleague, Ryan Espinosa, elaborates in detail on the ways that we ensure safety inside the vehicle in a separate post.
Lastly, we view our commercial operations program as key to optimizing the value of the miles we drive on public roads, and maximizing the reward-risk ratio. Instead of hauling trailers full of sand, we conduct tests while carrying freight for commercial customers whenever possible. We see carrying freight as key to making every mile count. Because the freight needs to be delivered (either by a manual truck or one equipped with the Kodiak Driver), serving customers allows us to minimize the incremental number of miles we are adding to the overall freight network, and therefore minimize the incremental risk to motorists.
At Kodiak, we believe that safety accelerates development because it forces us to make every mile count. We call this approach Disciplined Innovation: we want to make sure that we’re learning from every mile we drive, and that the Kodiak Driver is constantly increasing the breadth of scenarios it can handle without intervention.
At Kodiak, we never drive our trucks just for the sake of logging more miles or in the hopes of collecting random data. Instead, we actively seek hard miles, or the complex driving environments that push the capabilities of the system. These hard miles help us collect valuable data, and enable rapid learning and progress while maximizing safety. Of course, this approach means we will probably never log as many test miles as some of our competitors — we see this not as a disadvantage, but as a sign of our commitment to safety.
Most people assume that for machine learning, more data is always better. Our experience suggests, however, that overloading on low-quality data does worse than generate diminishing returns — it can be actively counterproductive. Once the Kodiak Driver has been trained to recognize 5,000 SUVs, it learns little from the 5,001st, unless it’s particularly hidden or tricky to spot. And while it’s important to train the system to handle unusual, dangerous circumstances, such as a vehicle fire, on-road testing is the wrong way to conduct that training — you need to drive too many miles and take too many risks to find those examples “in the wild”. Instead, we rely on safer, more predictable simulations, manually-driven datasets, and structured testing to test system performance in those dangerous, unusual edge cases.
As described above, we encourage our safety drivers to disengage the vehicle whenever they feel it necessary. In fact, unlike many in the self-driving industry, we generally consider disengagements to be a good thing: driving too far without a disengagement suggests we are wasting miles and need to stress the Kodiak Driver more to show we’re still learning. By being disciplined in our testing approach, we can make rapid progress while maximizing safety.
As Kodiak continues to grow, the challenges we face will necessarily change. Our safety philosophy in turn will certainly continue to evolve. While we’ve begun to work on our safety case — our argument that our trucks are comprehensively safe — it will necessarily grow as we learn more about the Kodiak Driver and as industry standards and thinking develop. What’s critical is that we stay true to our values: Safety, Start to Finish, Minimize Risks to Maximize Results, and Disciplined Innovation, while learning from our experience and our peers in the industry.
Alongside the release of our 2020 Safety Report, we’ve crafted a series of Medium posts that explain how we’re safely making self-driving trucks a reality.