Google waymo 2017 automatic driving safety technology report (1)

Time:2020-9-17

In October 2017, Google waymo submitted a 43 page safety report to the U.S. Department of transportation, which details how waymo equips and trains autonomous vehicles to avoid common and accidental driving situations. This report gives a detailed interpretation of waymo’s autopilot technology, hoping to bring some inspiration to the autopilot practitioners.

The necessity of automatic driving technology

Google waymo 2017 automatic driving safety technology report (1)

In 2013, 1.2 million people died in traffic accidents around the world; in 2016, 37461 people died in road traffic accidents in the United States; in 2015, 2.4 million people were injured in traffic accidents in the United States; 94% of the traffic accidents in the United States were caused by human errors; 2 / 3 of the people suffered at least one drunk driving accident in their lifetime; automatic driving technology can prevent thousands of people from dying in traffic accidents every year.

1.How Our Self-Driving Vehicle Sees the World and How it Works

The four problems to be solved are:

1.Where am I;

2.What’s around me;

3.What will happen next;

4.What should I do;

1.1 Where am I

Waymo’s autopilot does not depend on GPS. It crossover the real time sensor data with the pre fabricated 3D high precision map to verify the exact location of the autopilot car in the road.

As shown in the figure below, the 3D high-precision map includes road attributes, road shoulders, crosswalks, lane lines, traffic lights, stop sign, etc.

Google waymo 2017 automatic driving safety technology report (1)

1.2 What’s Around Me

Waymo automatic driving vehicle sensors and software continuously scan the ambient information within 300 meters range: pedestrians, vehicles, motor vehicles, non motorized vehicles, road construction, road obstacles, etc., and constantly read traffic control information from the traffic lights and the temporary Stop Sign of railway crossing.

Google waymo 2017 automatic driving safety technology report (1)

1.3 What Will Happen Next

For each dynamic object on the road, the software system will predict the future movement according to their current speed and trajectory; different types of road traffic participants, their behavior is very different, so the software system will predict multiple possible paths of their next step according to different types of dynamic objects (pedestrians or bicycles, etc.) as autonomous vehicles Waymo’s software system also considers the impact of changes in road environment (such as lane congestion ahead) on the behavior of surrounding vehicles.

Google waymo 2017 automatic driving safety technology report (1)

1.4 What Should I Do

Waymo autopilot software system can calculate the optimal driving strategy according to all the information obtained, such as accurate track, speed, lane, driving direction, etc. Because the self driving vehicle can observe the road environment 360 degrees continuously and predict the future behavior of other road users, it can deal with any road events quickly and safely.

Google waymo 2017 automatic driving safety technology report (1)

2.Our System Safety Program – safety by design

Waymo has a complex system safety process: safety by design. Safety by design means that safety factors should be considered in every link of design, development, test and verification. This set of process mechanism derived the design of many key safety functions of waymo, such as the key redundant safety system that enables the unmanned vehicle to stop safely in case of technical failure, the sensor system with overlapping vision, the ubiquitous test system and so on.

Waymo’s system safety program includes five types: behavioral safety, functional safety, crash safety, operational safety, and non-proliferation safety.

2.1 Behavioral Safety

Behavioral safety refers to the driving decision and driving behavior of autonomous vehicles on the road. Like human drivers, autonomous vehicles must obey traffic rules and deal with all kinds of unexpected and unexpected scenarios. Waymo uses functional analysis, simulation tools, and on-the-road verification to understand the challenges faced in odd (operational design domain), design security requirements and conduct multi pronged testing and verification process.

2.2 Functional Safety

Functional safety ensures safe driving in case of system failure or abnormality. This means that a standby redundant system is needed to deal with unexpected situations. For example, our automatic driving system is equipped with redundant computing system, which can take over quickly when the main computing system fails, so that the automatic driving vehicle can be anchored to the safe area. Each automatic driving vehicle has spare steering wheels and brakes, and a lot of redundant systems.

2.3 Crash Safety

Crash safety refers to the ability of the vehicle to protect the passengers in the vehicle through various measures, such as the structural design of protecting the personnel in the vehicle to the functions of seat restraint and air bag to reduce injury or prevent death. Crash safety in the United States is covered by the federal motor vehicle safety standard (FMVSS) issued by the National Highway Traffic Safety Administration (NHTSA). Vehicle manufacturers must certify that their basic vehicles meet the applicable FMVSS requirements.

2.4 Operational Safety

Operational safety refers to the interaction between vehicles and passengers. By operating safely, we can ensure that users have a safe and comfortable experience on the vehicle. Waymo builds safe product capabilities through hazard analysis, existing safety standards, extensive testing, and best practices from various industries. For example, waymo has developed an interactive system that enables passengers to clearly indicate their destination, direct vehicles to pull over and contact waymo for help and support through the early test ride mechanism.

2.5 Non-Collision Safety

We emphasize the safety of people interacting with vehicles. For example, avoid potential hazards that electrical systems or sensors may cause to passengers, vehicle technicians, test drivers, bystanders.

3. How Waymo’s Self-Driving Vehicles Work

Unlike the adaptive cruise control and lane keeping systems on the market, our automatic driving system integrates software and hardware that can replace all driving functions of human drivers in specific areas and under specific constraints, without human drivers. This technology is called Level 4 level automatic driving in the definition of the automatic driving system of the International Automotive Engineers Association (SAE). Our technology is different from the lower level automatic driving system (Level 1, Level2, Level3). The Level level automatic driving system can enable the vehicle to stop safely in any system failure (that is, the minimum risk condition, minimal risk condition) without the need of a human driver to take over.

3.1 Our Vehicle Sensors

To meet the complex needs of autonomous driving, waymo has developed a range of sensors that allow our vehicles to see 360 degrees of view during the day and at night, and to see beyond three football fields. The waymo multi-level sensor suite seamlessly integrates to produce a detailed 3D world image, including all dynamic and static objects (such as pedestrians, cyclists, other vehicles, traffic lights, building cones and other road features).

Google waymo 2017 automatic driving safety technology report (1)

LiDAR (Laser) System

Lidar (light detection and ranging) system works 360 degrees day and night, emits millions of laser pulses per second, and measures the time required to reflect back to the vehicle from the obstacle surface. The Waymo autopilot system consists of three kinds of internal developed lidar: short range lidar, high resolution medium range lidar, and a new generation of long-range lidar that can see three football fields away.

Vision (Camera) System

Vision system is designed to perceive the surrounding environment through the visual system like human beings. It has a 360 degree field of vision, which is far more than 120 degree driving vision of human drivers. Because our high-resolution vision system can detect colors, it can help us identify traffic lights, building areas, school buses and emergency vehicle flashlights. Waymo’s vision system consists of several sets of high-resolution cameras that work well over long distances, daylight and low light conditions.

Radar System

Radars use wavelengths to sense objects and motion. Its wavelength can penetrate small obstacles, which makes it work in rain, fog, snow or night. Waymo’s radar system has a 360 degree continuous view, so it can track the speed of road users in front of, behind and on both sides of the vehicle.

Supplemental Sensors

Waymo vehicles are also equipped with a number of additional sensors, including an audio detection system, which can hear police and emergency vehicle alarms hundreds of feet away; GPS, which complements our vehicle’s perception of the location in global space.

3.2 Our Self-Driving Software

Autopilot software is the “brain” of our cars. It can understand the information from sensors and use this information to make the best driving decisions in various scenarios. Waymo spent eight years building and improving our software using machine learning and other advanced engineering technologies, training and testing our software through billions of miles of simulated driving and more than 3.5 million miles of road driving.

Our autopilot software system can not only detect the presence of obstacles, but also determine the types of obstacles, how the obstacles may move, and how their movement affects the behavior of our vehicles on the road.

Although our autopilot software system consists of many different modules, here we mainly introduce three main modules: perception, behavior prediction, and planner.

PERCEPTION

Perception can detect and classify objects on the road and estimate their speed, heading and acceleration. Perception module can not only help our automatic driving vehicles distinguish pedestrians, cyclists, motorcyclists, vehicles, etc., but also distinguish the color of static objects (such as traffic lights). Perception enables our system to understand the situation around our vehicles at a semantic level (e.g. whether the traffic lights are green and allow the vehicle to continue to drive, whether the lane is blocked by cones).

BEHAVIOR PREDICTION

We can understand the intention of each object through prediction and behavior. Thanks to waymo’s millions of miles of driving experience, our vehicle model is very accurate and can accurately reflect the behavior of different road users. For example, our software understands that although pedestrians, cyclists, and motorcyclists look similar, their behavior can be quite different: pedestrians move slower than cyclists or motorcyclists, but they can suddenly change direction.

PLANNER

Planner uses all the information collected from the perception module and behavior prediction module to plan a road for autonomous vehicles. In our experience, the best drivers are defensive drivers, which is why we adopt defensive driving behaviors, such as avoiding the blind spots of other drivers and leaving extra space for cyclists and pedestrians. Waymo’s planner module also makes some driving predictions in advance. For example, if our software system finds that the lane ahead is closed due to construction, and predicts that cyclists on the construction Lane will take the motorway, the planner module will slow down or make room for cyclists in advance. Using the actual road driving experience, we are also constantly improving our driving behavior, so that the automatic driving vehicle on the road is smooth and comfortable, the passengers in the car feel comfortable, and other road users feel natural and predictable.

3.3 Operational Design Domain

Google waymo 2017 automatic driving safety technology report (1)

Operational Design Domain (ODD) refers to the conditions that the automatic driving system can run safely. Waymo’s odd includes geographic location, road type, speed range, weather, time, and state and local traffic regulations.

Operational design domain (odd) can be very limited, such as setting up a fixed route on a low-speed public street or private site under mild weather conditions during the day. However, waymo is currently developing autonomous driving technology that can be used to drive urban streets in a wide geographical area under various conditions, such as driving in bad weather (such as light rain to moderate rain), daytime and night driving, etc.

Waymo’s system is designed not to run outside of its permitted operational design domain (odd). For example, passengers can’t choose a destination outside of the geographical area we allow; our software doesn’t create a route to travel outside the “geofenced” area. In addition, our automated driving system can automatically detect sudden changes in safe driving (such as Blizzard) in its ODD, and stop safely before conditions improve.

Our automated driving system is able to comply with federal, state and local laws governing the operation area. All the requirements of the law and all changes in the law will be incorporated into our automatic driving system as a safety requirement, including speed limits, traffic signs and signal lights. Every time our self driving vehicles go to a new test site, they will try to understand the unique local road rules or driving habits, and then update these contents to our software system, so that our vehicles can handle these scenarios safely.

Waymo’s operational design domain (odd) continues to evolve. Our ultimate goal is to develop fully automated driving technology that can deliver passengers from a to B at any time, anywhere and under any conditions. As our automated system capabilities grow, we will continue to expand our operational design domain (odd) to bring our automated driving capabilities to more people.

3.4 Minimal Risk Condition (Fallback): Ensuring the Vehicle Can Transition to a Safe Stop

If the situation on the road becomes too complex for the low-level automatic driving vehicle, or the technology itself fails, the manual driver is required to take back the control right. As a fully automatic driving system, Waymo technology must be strong enough to handle these situations independently.

If our autonomous vehicle cannot continue to run as planned, it must be able to perform a safe stop, i.e. “minimum risk condition” or fallback. This may include problems encountered in automatic driving systems, vehicle collisions or changes in environmental conditions, thus affecting safe driving in our ODD. Waymo’s autopilot system automatically detects these scenes at thousands of frequencies per second, finds system faults, and provides a series of redundant backup for key systems, such as sensors, computation and braking. The automatic driving system determines appropriate response according to the road type, traffic condition and technical fault degree, such as side parking, safe parking, etc., to ensure the safety of vehicles and passengers.

![Our Vehicles’ Redundant Safety-Critical Systems
](https://upload-images.jianshu…

3.5 How We Build a Map for a Self-Driving Vehicle

Before the autonomous vehicle is on the road, our mapping team will first create a highly detailed 3D map using the sensors we have installed on the test vehicle. Different from satellite images or online maps, waymo’s maps provide a very detailed semantic understanding of the physical environment for autonomous vehicles: road type, road length and other terrain features.

Google waymo 2017 automatic driving safety technology report (1)

We add traffic control information such as crosswalks, traffic lights and related signs on the basis of the above data.

Google waymo 2017 automatic driving safety technology report (1)

Using these map data, our autopilot system can focus on the dynamic environment around it (such as other road users). Our system can detect road changes by cross referencing real-time sensor data and on-board 3D maps. If a road change is detected (e.g., a road intersection is closed due to a collision ahead), our vehicles can reroute within the system’s odd and alert our operation center so that other vehicles in the fleet can avoid the area Domain.

3.6 Data Recording and Post-Crash Behavior

Waymo has a powerful system for collecting and analyzing data encountered on the road, and anything learned from a car’s experience can be applied to the entire fleet. When Waymo happens, the automatic driving system of the Waymo can detect and notify the operation center automatically. Then, our trained experts can activate the post collision procedure, including the procedures that interact with the law enforcement authorities and the first responders, and the procedures for sending our team members to the scene. At the same time, our operation center also has experts trained with regularity through the audio system inside the car. Communicate with passengers.

After the collision, we analyze all available data (including video and other sensor data) to assess the factors that may have contributed to the accident, and make necessary modifications and upgrades to the software system, and update each vehicle in the fleet accordingly. The damaged vehicles in the accident will return to the fleet after being repaired and verified by the safety system.

3.7 Self-Driving Vehicle Cybersecurity

Waymo has developed a powerful process to identify, prioritize and mitigate cyber security threats, and our security practices are based on Google’s security. To help develop future best security practices, waymo has also joined auto ISAC, an industry operations initiative aimed at enhancing cyber security awareness and collaboration in the global automotive industry.

Google waymo 2017 automatic driving safety technology report (1)

We have conducted a comprehensive review of all potential security access points for the self driving system, both internally and externally, and have taken measures to limit the number and function of these access points.

Our OEM partners communicate with each other to identify potential weaknesses of the vehicle, and fully consider the known threats in the software development and vehicle design process to ensure the safety of the autopilot system. New software releases must undergo extensive peer review and adequate validation processes, in which hazard analysis and risk assessment processes are designed to identify and mitigate risks that may affect safety. In the vehicle design, the safety critical components (such as steering, braking, controller, etc.) of waymo vehicle are isolated from external communication; the key calculation modules and on-board 3D maps that determine the vehicle movement are completely shielded and cannot be accessed from the wireless connection and system of the vehicle.

We also consider the security of wireless communication. Waymo autonomous vehicles do not rely on a continuous network connection for safe operation, and all communications between vehicles on the road and waymo, such as redundant cellular connections, are encrypted, including those between waymo’s operational support staff and our passengers.

These protective measures help to prevent any person (whether passengers or malicious actors nearby) from contacting our self driving vehicles, damaging or changing their safety behaviors. At the same time, we have different mechanisms to detect abnormal behaviors and analyze the internal process of these incidents. If we are aware that someone is trying to damage the safety of our vehicles, waymo will initiate a company wide incident response process, including impact assessment, containment, recovery and remediation.

Complete waymo autopilot Safety Report

https://storage.googleapis.com/sdc-prod/v1/safety-report/waymo-safety-report-2017-10.pdf

Related articles

Automatic driving high precision map – overview and analysis

Waymo – automatic driving long tail challenge (2019)


Google waymo 2017 automatic driving safety technology report (1)

Personal website address: http://www.banbeichadexiaojiu…