Handling Failure, Gracefully

While a Voyage car drives itself, it processes information from its many vision sensors 10 times per second. This information is processed on its primary compute cluster, powered by its primary power source. Within those 100 milliseconds, our self-driving technology executes its primary set of vision algorithms on the sensor data, outputting rich information about objects around us. We engineer each primary vision algorithm to be unique in its approach, to minimize common failures.

Almost all of the time, our primary vision algorithms enable our self-driving technology to intelligently and safely navigate the world, but hardware is complex and the world is chaotic. As such, we design our safety-critical systems with failure in mind. What if all of our primary vision algorithms miss an object? And what if that object is in the path of our self-driving car?

Enter Shield, an independent system to reliably detect critical objects in the path of the vehicle and, if necessary, hit the brakes (hard!) early enough to come to a safe stop. Shield operates on its own powerful compute and its own power source, with a secondary set of vision algorithms and sensors, complete with a low-latency connection to actuate the brakes of the vehicle with full authority.

To responsibly deploy Shield and our self-driving technology, we initially limit our operational speed to 25 mph. Speed is the crucial variable for safety: by reducing it, we reduce the system’s complexity. No hardware or software system can claim perfection, but the chance of any common failure between our self-driving technology and Shield is astronomically low, and our speed limitation further strengthens our safety story.