The autonomous freight industry is in its early stages as a new and complementary transport mode, but it’s gaining momentum, and the technology is evolving rapidly. So far, autonomous trucks have been piloted with safety drivers ready to take over in the unlikely event of a system failure.
As the industry matures and moves towards level 4 automation in the Hub-to-Hub segment, safety continues to be paramount. It’s the crucial consideration when removing the safety driver. And it’s one of the fears people have when they think about driverless trucks. How can they be trusted? How can it be ensured they are safe? This is where redundancy plays an important part.
What is Redundancy?
When hearing the term redundancy, one might think about someone being laid off at work. But in engineering, redundancy means including extra backup components that enable seamless operation in the case of failure within any of the primary components. Simply put, it means that certain parts, systems, and functionalities are duplicated to enhance safety and reliability.
As an example, redundancy is used in aircraft – and has been for decades – to ensure safe air travel. Airplanes often have multiple versions of each technical system; for example, there are backups to extend the landing gear in case the primary hydraulic system fails. Redundancy is not needed for the plane to function, but it’s always present in the background, ready to step in if an issue occurs with the primary systems.

Redundancy in autonomous vehicles
In a manual truck, there are electronic systems that assist with vehicle operation, like a smart brake system or assisted steering. Currently, laws require that the driver must be able to intervene if electronic components fail; for example, pulling the parking brake in case the smart brake system malfunctions. In a case like this, the parking brake system is designed to act as a backup brake system.
With Level 4 automation, the goal is to ensure the same backup capabilities as manually driven trucks. By having redundant systems, autonomous vehicles can continue to operate safely even if certain primary systems or components fail. These backups are essential to ensure the safety of other road users and can be implemented at various levels in autonomous vehicles, from hardware and software to communication and computation.
Robust redundancy built into the new Volvo VNL Autonomous
True to the Volvo DNA, every design and engineering decision of the new Volvo VNL Autonomous has been made with safety in mind. The engineering approach prioritizes safety by incorporating redundancy systems designed to mitigate emergency situations.
The Volvo VNL Autonomous was built from the ground up, integrating these redundancy systems to ensure that every safety-critical component is intentionally duplicated, thereby enhancing both safety and reliability. Let’s dive deeper into the robust redundancy systems within the Volvo VNL Autonomous.
Redundant brakes: Two brake systems ensure that braking and immobilization capabilities, both required for a safe stop, are always present. The primary braking system is powered by one source and the secondary by another. This increases the likelihood that the truck can be braked even if the primary brakes or the primary power source malfunction.
Redundant steering: If the primary steering fails, the secondary, identical redundant steering system is intended to ensure that the truck can be steered safely to a stop. As with the brakes, both steering systems are powered individually by two different power sources.
Redundant communication: Two communication systems ensure that the flow of information is not lost if one communication channel fails.
Redundant Automated Driving System (ADS): The autonomous driving partner, Aurora, has redundancy in place for its computer and sensor sets (known as the Virtual Driver). The combination of multiple cameras, lidars, and radars is designed to give both the primary and the secondary computer a 360-degree view of the world around the truck. The ADS is also powered by two different sources.
Redundant computation: Two compute units are intended to avoid the loss of safety-critical functions if a single ECU (Electronic Control Unit) fails. Steering and braking commands are duplicated and fed into the two parallel computers, which pass them on to the two braking or steering systems, so that both systems are ready to handle commands at any time.
Redundant vehicle motion management: This is the coordination of everything that affects the vehicle's motion. Vehicle motion management centralizes the handling of the different actuators and coordinates their tasks towards a common motion control goal. It is duplicated so that the redundant actuators offer capabilities equivalent to the primary ones.
Redundant lights: Brake lights and hazard lights are partially duplicated, so that if the primary lights fail, the hazard lights can be activated to allow the truck to come to a safe stop.
Redundant power and energy storage: If systems are not powered independently, a power failure would lead to a complete loss of these functions. Therefore, there are two sources of power which are completely separated and placed in different parts of the vehicle to promote safety and reliability.

How are redundant systems ensured to be safe?
Fault injections: Every component of the truck is comprehensively tested. First, the primary and secondary components are tested individually to ensure that the secondary side is as capable as the primary. In addition to testing nominal performance, fault injections are performed; for example, the primary system is disabled so that the secondary one can be checked in isolation to make sure it works properly.
Once the systems have been tested on their own, they are also tested together with the ADS (Automated Driving System) and the whole truck, to ensure that the truck remains safe. Fault injections are therefore also done on the whole truck: first on an isolated rig, then on a stationary truck, and eventually on a moving truck, always ensuring the safety of the testing personnel. There is no fixed upper bound on the number of fault injections, and a great many are performed, all the way down to the component and subsystem levels of the truck.
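The redundancy architecture above (two compute units, two actuators, two separately placed power sources, commands duplicated into both lanes) and the fault-injection procedure can be modelled in a few lines. The following is an added illustration written for this page, not Volvo or Aurora software: a constructed two-lane "stop path" model and a small fault-injection harness that disables components singly and in pairs and reports which combinations defeat a safe stop. The `shared_power` flag is an assumption used to show the point made under "Redundant power and energy storage": when both lanes draw from one supply, a single power fault removes the function entirely.

```python
"""Toy fault-injection harness for a two-lane redundant stop path.

Constructed model for illustration only (not Volvo or Aurora code).
Each lane is a compute unit plus a brake actuator fed by a power source.
A STOP command is duplicated into both lanes; the truck can stop if
either lane delivers it.  The harness injects faults and lists the
fault combinations that leave the vehicle unable to stop.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass
class Node:
    """Any element the harness can fail: a power source, compute or actuator."""
    name: str
    ok: bool = True


@dataclass
class Lane:
    """One compute/actuator pair; both draw from the lane's power source."""
    compute: Node
    actuator: Node
    power: Node

    def delivers(self, command: str) -> bool:
        # The compute forwards the command only if it and its supply are
        # healthy, and the actuator applies it only under the same condition.
        forwarded = command is not None and self.compute.ok and self.power.ok
        return forwarded and self.actuator.ok and self.power.ok


class Vehicle:
    def __init__(self, shared_power: bool = False):
        power_1 = Node("power-1")
        # Assumption: shared_power=True models a design where both lanes
        # hang off one supply, which the article warns against.
        power_2 = power_1 if shared_power else Node("power-2")
        self.lanes = [
            Lane(Node("compute-1"), Node("brake-1"), power_1),
            Lane(Node("compute-2"), Node("brake-2"), power_2),
        ]
        # Registry of every failable node by name (a shared supply appears once).
        self.nodes = {}
        for lane in self.lanes:
            for node in (lane.power, lane.compute, lane.actuator):
                self.nodes[node.name] = node

    def inject(self, name: str) -> None:
        """Fault injection: mark one node as failed."""
        self.nodes[name].ok = False

    def safe_stop(self) -> bool:
        # Vehicle motion management issues STOP to both lanes; one working
        # lane is enough to bring the truck to a halt.
        return any(lane.delivers("STOP") for lane in self.lanes)


def uncovered_faults(shared_power: bool = False, max_faults: int = 1):
    """Return every fault combination (up to max_faults simultaneous
    failures) after which the vehicle can no longer perform a safe stop."""
    names = list(Vehicle(shared_power).nodes)
    uncovered = []
    for k in range(1, max_faults + 1):
        for faults in combinations(names, k):
            vehicle = Vehicle(shared_power)
            for name in faults:
                vehicle.inject(name)
            if not vehicle.safe_stop():
                uncovered.append(faults)
    return uncovered


if __name__ == "__main__":
    print("independent supplies, single faults:", uncovered_faults(False, 1))
    print("shared supply, single faults:      ", uncovered_faults(True, 1))
    print("independent supplies, double faults:", uncovered_faults(False, 2))
```

With independent supplies no single fault defeats the stop; with a shared supply the single fault `power-1` does, which is exactly the common-cause failure the separated, differently placed power sources are meant to remove. Running the campaign to two simultaneous faults shows the limit of duplication: any pairing of a lane-1 node with a lane-2 node is uncovered, so a real test programme has to argue that such cross-lane double faults are sufficiently independent and improbable, not merely that each lane works on its own.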
Simulations: The partner Aurora has a simulation environment where the sensor set, trucks, and their subsystems can be simulated. This robust virtual testing suite allows running millions of simulations daily, which is critical to give the confidence that the Aurora Driver is ready to attempt any maneuver in the real world.
For example, the Aurora Driver performed 2.27 million unprotected left turns in simulations before attempting one in the real world. Hyper-realistic worlds are also leveraged to test vehicles in safety-critical situations.
Test tracks: Test runs are done at the AstaZero, Trollhättan, and Hällered proving grounds in Sweden, or at the Ohio Traffic Research Center in the U.S. There it is possible to drive at whatever speed a test requires and to perform fault injections to see how the vehicles respond to real-world challenges. Once sufficient testing has been completed together with Aurora, the redundant vehicle will be launched on public roads, first with a safety driver.
What does the legislation say about redundant systems?
Today, there is no legal definition of a “redundant” truck, so it’s up to each manufacturer to determine what their redundancy looks like. In the U.S., there’s no federal mandate for autonomous vehicles, so Volvo’s approach has been to assume that the second brake system should act like a primary brake system.
Redundancy is a technical solution to improve safety, but it is not legally mandated. Safety is a core value of the Volvo Group, and that is why they believe in, and have invested heavily in, robust redundancy systems to ensure that their trucks are as safe as they can be.
Commitment to redundancy
Redundancy is crucial for autonomous vehicles, and it’s nothing new. It has been used as a technical solution for a very long time in many different industries. And it is something actively chosen to be incorporated in autonomous solutions to ensure they are safe – even if current laws do not require it for autonomous vehicles.
Redundancy is a key enabler to safety. That’s why so much emphasis is put on having reliable, redundant systems. And it’s also why the Volvo VNL Autonomous has been purpose-built for autonomy, and why redundant systems have been part of its development since day one. There is confidence that robust redundant systems will be a key cornerstone for an autonomous future.