- The paper presents a comprehensive methodology emphasizing a layered safety approach to evaluate architectural, behavioral, and operational hazards.
- The paper employs industry standards like ISO 26262, ISO 21448, and UL 4600 combined with simulations and historical data for continuous safety monitoring.
- The paper details a structured claim-subclaim framework with top-down and bottom-up credibility assessments to robustly mitigate risks.
Waymo's Safety Case Methodology: Ensuring the Absence of Unreasonable Risk
Introduction
The paper "Building a Credible Case for Safety: Waymo's Approach for the Determination of Absence of Unreasonable Risk" (2306.01917) outlines Waymo's meticulous approach to developing a safety case for its Autonomous Driving System (ADS). Established on a decade-long framework of safety practices, Waymo illustrates how it integrates its internal methodologies with industry standards to demonstrate the absence of unreasonable risk (AUR) in deploying its SAE Level 4 ADS, known as the Waymo Driver™. The paper’s focus is not merely on the safety case presentation but rather on explicating the methodologies and processes underpinning its formulation, aiming to foster industry collaboration and trust.
Layered Safety Approach
Defining Absence of Unreasonable Risk
In defining AUR, the paper employs a systematic risk assessment methodology rooted in industry standards such as ISO 26262, ISO 21448, and UL 4600. AUR is predicated on the explicit definition of acceptance criteria linked to safety performance indicators, ensuring that risk is kept at a tolerable level. Waymo identifies three principal hazard categories, each requiring tailored acceptance criteria: architectural, behavioral, and in-service operational hazards.
Decomposing AUR
Waymo’s layered safety approach decomposes the AUR determination by categorizing hazards into architectural (e.g., sensor blind spots), behavioral (e.g., proximity issues with road users), and in-service operational hazards (e.g., vehicle security breaches). This decomposition enables targeted risk mitigation strategies and helps ensure that the evidence provided for each category is comprehensive and confidence-building.
Acceptance Criteria Framework
Waymo introduces a multifaceted framework to evaluate behavioral hazards, highlighting key dimensions such as severity potential, conflict role, behavioral capabilities, ADS functionality status, and levels of aggregation. This framework allows developers to map their methodologies onto a structured acceptance criteria space, encompassing critical indicators necessary for credible risk evaluation.
Dynamic Safety Approach
Safety Determination Lifecycle
The paper delineates a dynamic safety determination lifecycle encompassing product development stages, readiness reviews, and ongoing in-use monitoring. Safety is conceptualized as a continuous cycle, emphasizing emergent development properties, predictive assessments, and perpetual confidence growth. Waymo leverages extensive historical data and simulations to enhance model predictions and ensure prudent scale expansion, thus reducing residual risk and supporting high confidence in safety performance both before and after deployment.
Credible Safety Approach
Case Credibility Assessment
Waymo's Case Credibility Assessment (CCA) plays a pivotal role in validating the credibility of both evidence and argumentation within the safety case. The CCA integrates a top-down approach ensuring the reasonableness and sufficiency of acceptance criteria, alongside a bottom-up approach ensuring methodological evidence is reliable and robust. Incorporating feedback loops enables continuous evaluation and enhancement of safety methodologies.
The paper details the structured format for generating safety claims, employing a clear claim-subclaim paradigm. This approach enables a systematic linking of acceptance criteria to evidence and arguments, with each methodology situated within a defined acceptance criteria framework, facilitating comprehensive risk coverage assessments.
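To make the claim-subclaim structure and the two CCA directions concrete, the following is an added example (not code from the paper or from Waymo) of a minimal safety-case tree evaluator. Each leaf subclaim carries an acceptance criterion expressed as a threshold on a safety performance indicator and the observed evidence for it; the bottom-up pass checks that evidence meets every criterion and propagates the result to the top claim, while the top-down pass checks that each of the three hazard categories named in the paper is covered by at least one subclaim with a criterion. Indicator names, thresholds, and evidence values are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The three hazard categories from the paper's layered decomposition of AUR.
HAZARD_CATEGORIES = ("architectural", "behavioral", "in-service operational")


@dataclass
class AcceptanceCriterion:
    """A threshold on a safety performance indicator (SPI). Names are hypothetical."""
    indicator: str
    threshold: float
    lower_is_better: bool = True

    def is_met(self, observed: float) -> bool:
        # A criterion is met when the observed SPI is on the acceptable side of the threshold.
        return observed <= self.threshold if self.lower_is_better else observed >= self.threshold


@dataclass
class Claim:
    """A node in the claim-subclaim tree; leaves hold a criterion plus evidence."""
    text: str
    hazard_category: Optional[str] = None   # which hazard category this subclaim addresses
    criterion: Optional[AcceptanceCriterion] = None
    evidence: Optional[float] = None        # observed SPI value from testing/simulation
    subclaims: List["Claim"] = field(default_factory=list)


def bottom_up(root: Claim) -> Dict[str, bool]:
    """Bottom-up credibility pass: a leaf holds only if it has evidence meeting its
    criterion; a parent holds only if all of its subclaims hold."""
    results: Dict[str, bool] = {}

    def visit(c: Claim) -> bool:
        if c.subclaims:
            # Evaluate every subclaim (a list, so none is skipped by short-circuiting).
            ok = all([visit(s) for s in c.subclaims])
        else:
            ok = (c.criterion is not None and c.evidence is not None
                  and c.criterion.is_met(c.evidence))
        results[c.text] = ok
        return ok

    visit(root)
    return results


def top_down(root: Claim) -> Dict[str, bool]:
    """Top-down sufficiency pass: every hazard category must be addressed by at least
    one subclaim that carries an explicit acceptance criterion."""
    covered = {cat: False for cat in HAZARD_CATEGORIES}

    def visit(c: Claim) -> None:
        if c.hazard_category in covered and c.criterion is not None:
            covered[c.hazard_category] = True
        for s in c.subclaims:
            visit(s)

    visit(root)
    return covered


def assess(root: Claim) -> dict:
    """Combine both passes: the case is credible only if the top claim holds and
    no hazard category is left without a criterion-bearing subclaim."""
    bu = bottom_up(root)
    td = top_down(root)
    return {
        "failing_claims": [text for text, ok in bu.items() if not ok],
        "top_down_gaps": [cat for cat, ok in td.items() if not ok],
        "credible": bu[root.text] and all(td.values()),
    }


def build_sample_case() -> Claim:
    """Constructed sample case; indicators, thresholds and evidence are hypothetical."""
    return Claim("ADS presents no unreasonable risk (AUR)", subclaims=[
        Claim("Architectural hazards mitigated", "architectural",
              AcceptanceCriterion("sensor_blind_spot_fraction", 0.01), evidence=0.005),
        Claim("Behavioral hazards mitigated", "behavioral",
              AcceptanceCriterion("close_proximity_events_per_1k_km", 0.5), evidence=0.8),
        Claim("In-service operational hazards mitigated", "in-service operational",
              AcceptanceCriterion("unresolved_critical_security_findings", 0), evidence=0),
    ])


def build_case_with_gap() -> Claim:
    """Same case with the in-service operational subclaim omitted, to show a top-down gap."""
    case = build_sample_case()
    case.subclaims = [s for s in case.subclaims if s.hazard_category != "in-service operational"]
    return case


if __name__ == "__main__":
    print(assess(build_sample_case()))
    print(assess(build_case_with_gap()))
```

In the sample, the behavioral subclaim's evidence exceeds its threshold, so the bottom-up pass fails that leaf and therefore the top claim, even though the top-down pass finds all three categories covered; the second case shows the opposite failure mode, where the evidence that exists is fine but one hazard category has no subclaim at all.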
Conclusion
Waymo’s paper underscores the necessity of a well-articulated safety case, providing transparency and fostering trust within the ADS industry. Waymo’s multifaceted approach, encompassing layered, dynamic, and credible safety perspectives, illustrates a mature pathway for demonstrating AUR while encouraging feedback and dialogue to meet societal and regulatory expectations. Although the paper represents a methodological exposition rather than definitive results, it highlights ongoing refinement and confidence growth crucial for responsible ADS deployment. By sharing practices and strategies, Waymo contributes significantly to the broader discourse on autonomous vehicle safety assurance, setting a benchmark for subsequent developments in the field.