Safety and Automated Driving Systems
Kyle Vogt, Cruise, October 28, 2015
The issue at hand: How do you know a vehicle is safe enough?
What exists? The Law
• FMVSS
• NHTSA / DMV
Turns out, it doesn’t tell us
What exists? Standards
• Industry Standards
• Best Practices
Digging deeper… Combine everything that exists for AVs: meet it or beat it.
Problem is, you could follow everything that exists and still end up with an unsafe product, because ADSs add complexity that the existing base does not address.
We have to do more.
Where are some of the holes?
• Hazard analysis methods
• Lack of specificity
• Behavioral requirements
Why are traditional hazard analysis techniques not enough?
1. A bottom-up approach misses system-level problems (component interactions)
2. They rely on a chain-of-events causation model
3. Not good for software
How to address those problems: STPA
• Hazards
• Design and implementation
• Safety
Testing and Validation
What’s challenging about ADSs? Complexity
How do you build safe complex systems? Solid process and simulation
The path to driverless
• Naturalistic testing is extremely useful, and key for validation, but it cannot achieve the necessary coverage
• To get on the road, the only legitimate way to know a system is safe will be through extensive simulation
Thank you.
Appendix A: Example of weakness of traditional hazard analysis
Bhopal accident
• December 1984, pesticide plant gas leak in Bhopal, India, exposing over 500,000 people to toxic gas
• None of the safety devices worked
• Seems incredibly unlikely that all safety systems would fail at once, but in reality they were not independent failures
• Traditional methods only consider a limited set of causes and miss the more systemic causes (e.g. financial pressure, poor hiring, failure to heed prior warnings)
Appendix B: Reactor example
Chemical reactor:
• Computer controls (1) flow of catalyst into reactor and (2) flow of water into reflux condenser to cool off reaction
• Sensors warn of problems
• If fault detected, computer programmed to leave variables as is, and simply sound alarm
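Added example (my own, not from the slides): a constructed Python model of the reactor loop above, showing that the programmed "leave variables as is and sound the alarm" response is safe in most process states but hazardous in one, which is the kind of context-dependent unsafe control action STPA is built to surface. The start-up order (catalyst first, then cooling water), the temperature numbers and the "safe_state" alternative are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

TEMP_LIMIT = 100.0  # assumed overheating threshold (constructed value, not from the slides)

@dataclass
class Reactor:
    catalyst_on: bool = False
    cooling_on: bool = False
    temp: float = 20.0
    alarm: bool = False

    def step(self) -> None:
        # Constructed physics: catalyst drives the exothermic reaction,
        # cooling water carries the heat away; both on holds the temperature steady.
        if self.catalyst_on and not self.cooling_on:
            self.temp += 25.0
        elif not self.catalyst_on:
            self.temp = max(20.0, self.temp - 5.0)

# Assumed start-up sequence, following the slide's numbering: (1) catalyst, (2) water.
SEQUENCE = ["start_catalyst", "start_cooling", "hold", "hold", "hold"]

def run(fault_at: int, policy: str) -> tuple[float, bool]:
    """Inject a sensor fault at step `fault_at`; return (peak temperature, alarm raised).
    "freeze" is the slide's programmed response (leave variables as is, sound alarm);
    "safe_state" is an assumed alternative that also stops the catalyst feed."""
    r = Reactor()
    peak, faulted = r.temp, False
    for t, action in enumerate(SEQUENCE):
        if t == fault_at:
            faulted, r.alarm = True, True
            if policy == "safe_state":
                r.catalyst_on = False
        if not faulted:  # after the fault the computer issues no further commands
            if action == "start_catalyst":
                r.catalyst_on = True
            elif action == "start_cooling":
                r.cooling_on = True
        r.step()
        peak = max(peak, r.temp)
    return peak, r.alarm

def hazardous(fault_at: int, policy: str) -> bool:
    return run(fault_at, policy)[0] > TEMP_LIMIT

def unsafe_contexts(policy: str) -> list[int]:
    """STPA-style question: in which process states does this fault response become unsafe?"""
    return [t for t in range(len(SEQUENCE)) if hazardous(t, policy)]
```

Every component behaves as specified and the alarm sounds in every case; the hazard appears only from the interaction between the fault-response rule and the process state at the moment of the fault, which a per-component failure analysis would not flag.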
Extra - actions taken from STPA results
• Comprehensive analysis of specific social human driving behaviors
• The crucial point is requirements: you have to have top-notch requirements that are derived from safety constraints
• Create behavioral situations that you can test against, and test them through extensive simulation
• Real-world experience