By: Nat Beuse, Head of Safety at Uber Advanced Technologies Group
In July 2019, the team at Uber ATG released our first, open-sourced Safety Case Framework, which clearly organizes the goals, claims, and evidence necessary to substantiate that our self-driving vehicles (SDVs) are acceptably safe to operate on public roads. The framework charted an outline for prioritizing safety during testing and development with Mission Specialists behind the wheel, but it also projected Uber ATG’s safety argument to support future use cases, including eventual driverless operations.
Committing to the public release of our Safety Case Framework is a key component of our overall safety strategy, as transparency in our current and future safety operations is key to building trust and identifying areas for improvement. Through the lens of the Safety Case Framework, internal and external safety discussions have become more specific and tangible. The Framework has facilitated and will continue to facilitate productive conversations with regulators, industry partners, and others in the self-driving space.
Having started this conversation in 2019, today we are pleased to announce that we have significantly expanded our Safety Case Framework in both depth and breadth, with the intent to bring further clarity to industry self-driving safety dialogue.
Influence on the Safety Case Framework
Quite a few events have transpired since the 2019 release of the Safety Case Framework that informed the content found in our latest release.
Following last year’s release, ATG participated in the creation of the UL4600 standard, which was published in April 2020. This standard embodies the spirit and intent of the Safety Case Framework by encouraging the development of a safety case for all SDV developers. UL4600 harmonizes existing industry safety standards and brings a comprehensive look at safety across the entire SDV lifecycle. This version of the Safety Case Framework seeks to incorporate lessons from the UL4600 standard by fully mapping the UL4600 standard to the Framework. It is worth noting that this Framework is broader and deeper than UL4600 in a few key areas, specifically operations with a Mission Specialist and in the content related to the fifth safety principle, “Trustworthy.”
At Uber ATG, we are developing our own self-driving technology while simultaneously developing resources to enable other self-driving vehicle developers to share and verify their approach to safety to help responsibly onboard their SDVs to the Uber network. The Framework helps clarify expectations for SDV companies seeking to operate on the Uber network by sharing it publicly. It provides a technology agnostic yardstick for our self-driving partners to gauge and develop their safety case prior to seeking access to the Uber network. This process also helps inform Uber ATG’s evaluation of the safety posture of a potential partner.
This version of the Framework also reflects Safety Management System (SMS) concepts, which we’ve been implementing over the last several years. We have incorporated a variety of SMS elements in this version of our Framework, as we see the value of this approach for different self-driving developers and use cases to promote safe operations.
What has changed?
Since the July 2019 release, our Safety Case Framework has expanded in both depth and breadth. We have retained our five safety principles of:
- Proficiency
- Fail Safe
- Continuously Improving
- Resilient
- Trustworthy
The first release of the framework broke down the principles into another 2–3 levels. In the current release, the safety principles are addressed at an even more granular level — in some cases, reflecting an additional 5 levels of specificity often supported by example evidence wherever appropriate. This example evidence is indicative of what would be required to substantiate that an individual claim has been satisfied.
In the above example claim for the latency of the Motion Planning software, you can see an approach by which five pieces of evidence would be needed to justify the claim. This evidence is intended to define, justify, verify and validate the claim of the safety case is true.
Additionally, the breadth of the claims have expanded since the last release of the Safety Case Framework. This increased precision in the language of The Framework reduces ambiguity and increases transparency. In the example above, the Safety Case Framework G2.1.3.1 is expanded to over twenty “child” claims. The child claim breakdown in this way supports the claim of G2.1.3.1 that all identified risks and hazards have been appropriately mitigated.
With this additional specificity, the Safety Case Framework has grown in size by a factor of roughly six. We feel this increased level of detail increases developer and stakeholder ability to meaningfully discuss safety by providing specificity around the safety argument.
Validation of the Safety Case Framework
The review and evaluation of the Safety Case Framework by others is a strategic objective of Uber ATG. We have sought multiple independent industry experts to review and scrutinize the content of the Safety Case Framework. Through these reviews, we elicited feedback on the logic of the argument, on the soundness of the relationship between parent and child claims (i.e., that the child claims provided a valid roadmap to proving up the higher-level parent claims), and on the sufficiency of the evidence used to support the claims. Lastly, we sought feedback on how well the Safety Case Framework maps and aligns with UL4600. To support this alignment, Uber ATG enlisted the support of Edge Case Research, whose team of independent experts reviewed the Safety Case Framework and provided valuable feedback over a three month review period. This in-depth review improved the clarity and completeness of the Safety Case Framework.
Furthermore, Uber ATG engaged our Self-Driving Safety & Responsibility Advisory (SARA) Board for their review and assessment of the Safety Case Framework. The SARA Board includes a diverse set of experts in areas ranging from academia, automotive, aerospace, and non-governmental agencies.
How will the Safety Case Framework be used?
At Uber ATG, the Safety Case Framework is the basis for developing our internal safety cases — meaning, specific accumulations of evidence that substantiate the safety for a particular program and/or stage of operation (e.g., operations with two Mission Specialists; operations with passengers; etc.). We utilize the Framework today, tailoring it to address the scope and objectives of a particular project or program by focusing on the elements of the Framework that are most relevant to a given project or program, and assembling supporting evidence for that use case. The result provides a blueprint for our teams to develop our technology safely and responsibly. Our internal work plans, objectives, and deliverables align to create evidence to support the safety case. A complete safety case is required prior to SDV operation for any use case, including operations on public roads and on our test track.
Looking Ahead
With the update of the Safety Case Framework, we recommit to leading on safety through transparency. We encourage the use of the Safety Case Framework by others without license or attribution. The Safety Case Framework is licensed for use by all under Creative Commons Zero. We will continue to develop and refine the Safety Case Framework based on our lessons learned as we test and deploy new vehicles, while always keeping in mind the evolution of self-driving vehicle standards.