1. Proficient
A Self-Driving Vehicle cannot be considered safe to operate on public roads unless it is suitably proficient. Proficiency includes the design, engineering, and testing necessary to develop a product. This safety principle contains the Self-Driving Vehicle performance requirements for nominal, off-nominal, and corner cases of Self-Driving Vehicle behaviors.
2. Fail-Safe
The fail-safe principle addresses how the Self-Driving Vehicle behaves in the presence of faults and failures. No system is ever 100% perfect; components will wear out or have premature failures from time to time. The Aurora Driver is designed to detect and safely mitigate these failures. This safety principle contains all of the fault detection, mitigation, and notifications built into the vehicle.
3. Continuously Improving
The continuously improving principle outlines how we are enshrining the concept of continual improvement into the development of our system. A Self-Driving Vehicle is equipped with sensors, and a fleet of Self-Driving Vehicles captures significant amounts of data from just a single day's operations. We are able to harness the power of this data to enable continuous improvement. This field data feeds a comprehensive data analysis effort that calculates safety performance indicators and also considers data collected during design and development. This approach to systematically collecting and analyzing data allows us to spot trends, regressions from the mean, and emergent behaviors. Aurora also takes a proactive approach to continuous improvement, using risk identification techniques to surface risks before they appear in field data.
4. Resilient
Self-Driving Vehicles are designed to safely operate on public roads, but this does not isolate them from malicious actors or unavoidable events. The resilient principle showcases how the Aurora Driver is capable of withstanding adverse events and intentional misuse and abuse.
5. Trustworthy
Aurora's Self-Driving Vehicle may be Proficient, Fail-Safe, Continuously Improving, and Resilient, but without the trust of the public and governmental regulators, we cannot fully realize our top-level claim. The trustworthy safety principle addresses how Aurora plans to gain trust through public, government, and stakeholder engagement, safety transparency, safety culture, as well as external review and advisory activities.
Decomposition of Safety Principles
Now that our top-level claim is defined in terms of the safety principles covering the scope of safe operations, we will break down each safety principle using a breadth-first, depth-second approach.
Each safety principle is broken down through layers of intermediate arguments, contexts, and strategies. The lowest level claims are ultimately satisfied by evidence produced by our employees. This approach enables the tracing of each safety argument as a logical decomposition from a broad concept down to specific tangible evidence supporting the claims.
The evidence used to support a claim will come in two forms — product evidence and process evidence. Product evidence includes deliverables such as technical specifications, test plans, and test results. Process-related evidence demonstrates that the product evidence was generated in a systematic manner with sufficient rigor, review, and independence. This evidence may include informal internal audit reports confirming that we are following our established processes. Both types of evidence are needed to sufficiently address the claims in the safety case.
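The decomposition described above (top-level claim, safety principles, strategies and sub-claims, down to product and process evidence) can be modeled as a tree and checked mechanically. The following is an added example, not Aurora's tooling or any published Safety Case Framework artifact: the node schema, node identifiers (G0, S1, E1, and so on) and claim wording are constructed for illustration. It flags leaf claims that lack either form of evidence and traces any node back to the top-level claim, which is the traceability property the section describes.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Node:
    """One element of the safety argument (hypothetical schema, not Aurora's)."""
    id: str
    kind: str                    # "claim", "strategy", "context" or "evidence"
    text: str
    parent: Optional[str] = None
    evidence_type: Optional[str] = None   # "product" or "process" for evidence nodes


class SafetyCase:
    """A tree of claims decomposed down to evidence, with completeness checks."""

    def __init__(self) -> None:
        self.nodes: Dict[str, Node] = {}

    def add(self, node: Node) -> Node:
        # Reject dangling parents and untyped evidence at insertion time.
        if node.id in self.nodes:
            raise ValueError(f"duplicate node id {node.id}")
        if node.parent is not None and node.parent not in self.nodes:
            raise ValueError(f"{node.id}: unknown parent {node.parent}")
        if node.kind == "evidence" and node.evidence_type not in ("product", "process"):
            raise ValueError(f"{node.id}: evidence must be 'product' or 'process'")
        self.nodes[node.id] = node
        return node

    def children(self, node_id: str) -> List[Node]:
        return [n for n in self.nodes.values() if n.parent == node_id]

    def leaf_claims(self) -> List[Node]:
        """Claims that are not further decomposed by a sub-claim or strategy."""
        leaves = []
        for n in self.nodes.values():
            if n.kind != "claim":
                continue
            if not any(c.kind in ("claim", "strategy") for c in self.children(n.id)):
                leaves.append(n)
        return leaves

    def evidence_types(self, node_id: str) -> Set[str]:
        return {c.evidence_type for c in self.children(node_id) if c.kind == "evidence"}

    def unsupported_leaf_claims(self) -> List[str]:
        """Leaf claims missing product evidence, process evidence, or both."""
        return [n.id for n in self.leaf_claims()
                if not {"product", "process"} <= self.evidence_types(n.id)]

    def trace(self, node_id: str) -> List[str]:
        """Path from a node up to the top-level claim."""
        path: List[str] = []
        cur: Optional[str] = node_id
        while cur is not None:
            path.append(cur)
            cur = self.nodes[cur].parent
        return path


def build_example_case() -> SafetyCase:
    """Constructed fragment of a safety case; wording and ids are illustrative."""
    sc = SafetyCase()
    sc.add(Node("G0", "claim", "The self-driving vehicle is acceptably safe on public roads"))
    sc.add(Node("C0", "context", "Operational design domain (assumed)", parent="G0"))
    sc.add(Node("G1", "claim", "Proficient", parent="G0"))
    sc.add(Node("G2", "claim", "Fail-Safe", parent="G0"))
    sc.add(Node("S1", "strategy", "Argue over nominal, off-nominal and corner-case behaviors",
                parent="G1"))
    sc.add(Node("G1.1", "claim", "Nominal behaviors meet performance requirements", parent="S1"))
    sc.add(Node("E1", "evidence", "Closed-course test results", parent="G1.1",
                evidence_type="product"))
    sc.add(Node("E2", "evidence", "Internal audit report on the test process", parent="G1.1",
                evidence_type="process"))
    sc.add(Node("G1.2", "claim", "Off-nominal behaviors meet performance requirements",
                parent="S1"))
    sc.add(Node("E3", "evidence", "Simulation results", parent="G1.2", evidence_type="product"))
    sc.add(Node("G2.1", "claim", "Component failures are detected and mitigated", parent="G2"))
    return sc


if __name__ == "__main__":
    case = build_example_case()
    print("unsupported leaf claims:", case.unsupported_leaf_claims())
    print("trace of E1:", " -> ".join(case.trace("E1")))
```

In the constructed fragment, G1.2 has only product evidence and G2.1 has none, so both are reported as unsupported; G1.1 carries both a test result and an audit report and passes. The same check, run over the real argument tree, is what keeps a claim from being closed on a deliverable alone without the process evidence that shows the deliverable was produced with the required rigor.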
Across the Product Lifecycle
Aurora defines the product lifecycle as starting with our product team, and progressing through engineering, design, development, testing, manufacturing, operations, and finally ending with decommissioning. Aurora has scoped the Safety Case Framework to consider safety across the full lifecycle. This means that we are developing safety cases for our development vehicles on the roads today with vehicle operators, as well as for our future driverless commercial operations.
Across the Enterprise
The Aurora Safety Case Framework is scoped to Aurora as an entire enterprise. This means we are considering more than just the Self-Driving Vehicle in the scope of our safety cases. We are including the off-board systems, people, processes, and culture of the organization bringing the Self-Driving Vehicle to the public roads. This enterprise-wide approach ensures that we are not only considering how the self-driving vehicle itself performs, but also how we, as a company, are able to iterate on its development and refinement.