Automotive electronic control systems that potentially impact safety have always had fault detection and alert systems. But as automated driving systems (ADS) start to get commercially deployed, they require fault management systems (FMS) with far more capability than the basic diagnostics that have existed for decades. Pittsburgh-based Aurora Innovations is now rolling out beta 3.0 of the Aurora Driver platform, which now includes a full FMS as the company moves toward full commercialization.
Going back to systems like anti-lock brakes that debuted in the late 1970s, diagnostic capabilities have always been part of the system. Code that looks for anomalous behavior in the wheel speed sensors, brake pedal switch or hydraulic actuators has been a key component. However, systems like ABS, traction control or stability control are just driver assist systems, where a human is still intended to be operating the vehicle. These systems are only designed to modulate some control inputs to help the driver. When a fault is detected, the system is deactivated and a warning light is illuminated in the instrument cluster to let the driver know something needs service.
But what happens in a vehicle where there is no human driver to maintain control when something goes wrong? That’s where something like Aurora’s FMS comes into play. The FMS was developed to address some of the challenges raised in the safety case framework that the company published in 2021. The safety case documents all of the areas that are essential to ensuring that an ADS can in fact operate safely on public roads. This includes everything from simulation and real-world testing for functionality, to anticipating the things that can potentially go wrong and implementing features to mitigate any potential harm.
Unlike the fault response for an ABS, an ADS needs to be able to keep functioning at least at a reduced level in the absence of a human to take over. An ADS needs to be able to bring the vehicle to a safe stop in a minimum risk condition that minimizes potential harm to other road users.
If a tire blows out, or a rock thrown up by another vehicle smashes the lens on a camera or lidar sensor, the ADS can’t just switch off. It has to make decisions about what functionality is still available and how to stop safely. One thing Aurora isn’t doing is immediately calling home for help. Aurora assumes that the vehicle may be in a location where connectivity is spotty or non-existent as part of its safety case.
If one or more sensors are disabled, the ADS relies on what is left and starts slowing down and looking for a safe place to pull over. Finding that safe location is important, because not all highway shoulders are created alike. A gravel shoulder is riskier than a paved shoulder and could lead to more harm if control is lost, so if possible the vehicle might continue traveling until a safer spot is found.
For now, Aurora is focused on stopping the vehicle as soon as possible. However, as development of the FMS continues, engineers will be evaluating the impact of all possible faults and they will have the option for other decisions. For example, if there is a rest area, layby or exit a few miles down the road and the vehicle can still operate at an adequate level of safety, it may continue to one of those locations before stopping. It may also continue to its final destination but at a reduced speed. The FMS was built to enable multiple options.
Aurora is planning to commercialize automated trucks first, before deploying robotaxis and urban delivery vehicles. The FMS has been developed to address the challenges of dealing with 40-ton trucks at highway speeds and should be capable of working just fine with lighter vehicles operating at lower speeds.
Testing of the FMS has been ongoing for more than a year in simulation and on private test tracks, and more recently on public roads. In-vehicle testing involves an engineer or technician injecting faults into the system. For example, they may use a board with switches to simulate a sensor failure, or use software to send a corrupted sensor signal into the ADS software. The response to these faults is then evaluated to ensure it meets the requirements.
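To make the decision flow described above concrete (trust only the sensors that are still healthy, keep driving at reduced capability while redundancy remains, otherwise slow down and pick the safest reachable shoulder) and the fault-injection testing just described, here is a small fault manager written for this article. It is an added illustration, not Aurora's code or any part of its FMS; every sensor name, plausibility range, timeout, capability level, speed and shoulder rating in it is an assumption chosen for the example.

```python
"""Minimal fault manager for an automated driving system (ADS).

Added illustration, not Aurora's FMS: all sensor names, ranges, timeouts,
capability levels, speeds and shoulder ratings are assumptions.
"""
from dataclasses import dataclass, replace
from enum import Enum
from typing import Dict, List, Optional


class Capability(Enum):
    FULL = "full"          # all sensors healthy, normal operation
    REDUCED = "reduced"    # one forward sensor lost, continue at reduced speed
    MRC_STOP = "mrc_stop"  # minimum risk condition: pull over and stop


@dataclass(frozen=True)
class SensorReading:
    name: str
    value: float         # measurement in the sensor's own units (constructed)
    timestamp: float     # seconds on the vehicle clock
    crc_ok: bool = True  # integrity check of the frame from the sensor link


@dataclass(frozen=True)
class SensorSpec:
    lo: float
    hi: float
    max_age: float  # seconds after which a reading is treated as stale


@dataclass(frozen=True)
class Shoulder:
    mile: float
    surface: str  # "paved" or "gravel"


# Assumed plausibility limits; a real FMS would derive these from sensor datasheets.
SPECS: Dict[str, SensorSpec] = {
    "lidar_front": SensorSpec(0.0, 250.0, 0.2),
    "camera_front": SensorSpec(0.0, 1.0, 0.2),
    "radar_front": SensorSpec(0.0, 200.0, 0.2),
    "camera_rear": SensorSpec(0.0, 1.0, 0.2),
}
FORWARD_SET = {"lidar_front", "camera_front", "radar_front"}
FULL_SPEED_MPH, REDUCED_SPEED_MPH = 65, 45


def sensor_healthy(r: SensorReading, now: float) -> bool:
    """A reading is trusted only if it is intact, fresh and within range."""
    spec = SPECS[r.name]
    return r.crc_ok and (now - r.timestamp) <= spec.max_age and spec.lo <= r.value <= spec.hi


def assess(readings: List[SensorReading], now: float) -> Capability:
    """Map the set of healthy sensors to a capability level."""
    healthy = {r.name for r in readings if sensor_healthy(r, now)}
    if healthy == set(SPECS):
        return Capability.FULL
    # Two of three forward sensors still cover the road ahead: keep driving, slower.
    if len(FORWARD_SET & healthy) >= 2:
        return Capability.REDUCED
    return Capability.MRC_STOP


def choose_stop(mile: float, shoulders: List[Shoulder], window: float = 3.0) -> Optional[Shoulder]:
    """Prefer a paved shoulder within `window` miles; otherwise the nearest one ahead."""
    ahead = sorted((s for s in shoulders if s.mile >= mile), key=lambda s: s.mile)
    near = [s for s in ahead if s.mile - mile <= window]
    paved = [s for s in near if s.surface == "paved"]
    if paved:
        return paved[0]
    return near[0] if near else (ahead[0] if ahead else None)


def plan(readings: List[SensorReading], now: float, mile: float, shoulders: List[Shoulder]) -> dict:
    """Fault response: target speed plus, when a stop is required, where to stop."""
    cap = assess(readings, now)
    if cap is Capability.FULL:
        return {"capability": cap, "speed_mph": FULL_SPEED_MPH, "stop_at": None}
    if cap is Capability.REDUCED:
        return {"capability": cap, "speed_mph": REDUCED_SPEED_MPH, "stop_at": None}
    return {"capability": cap, "speed_mph": 0, "stop_at": choose_stop(mile, shoulders)}


def inject_fault(readings: List[SensorReading], name: str, kind: str, now: float) -> List[SensorReading]:
    """Test-bench fault injection: the software analogue of the switch board in the article."""
    out = []
    for r in readings:
        if r.name == name:
            if kind == "drop":            # sensor goes silent: last frame ages out
                r = replace(r, timestamp=now - 5.0)
            elif kind == "corrupt":       # frame fails its integrity check
                r = replace(r, crc_ok=False)
            elif kind == "out_of_range":  # well-formed frame carrying an impossible value
                r = replace(r, value=SPECS[name].hi * 10)
        out.append(r)
    return out


def demo() -> List[dict]:
    """Nominal run, then one and two forward sensors faulted (constructed scenario)."""
    now = 10.0
    nominal = [SensorReading(n, SPECS[n].hi / 2, now - 0.05) for n in SPECS]
    road = [Shoulder(101.5, "gravel"), Shoulder(102.3, "paved"), Shoulder(104.0, "paved")]
    one_lost = inject_fault(nominal, "camera_front", "corrupt", now)
    two_lost = inject_fault(one_lost, "lidar_front", "drop", now)
    return [plan(r, now, 100.0, road) for r in (nominal, one_lost, two_lost)]
```

The point of the three checks in `sensor_healthy` is that a fault is not only a missing signal: a frame that arrives on time but fails its integrity check, or one that carries a value the sensor cannot physically produce, must be treated as lost too, which is exactly what a corrupted-signal injection exercises. In `demo`, the third scenario drives past the nearer gravel shoulder to the paved one, mirroring the article's point that the first available shoulder is not always the safest stop.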
Aurora is now deploying the beta 3.0 driver with the FMS to its test fleet in multiple locations in California, Texas and Pennsylvania.