Introducing Voyage Shield
A supercharged automatic emergency braking system
Meet Shield
Voyage Shield is a supercharged automatic emergency braking system, designed from the ground up for driverless cars. Shield utilizes high-resolution depth sensors, state-of-the-art algorithms, and automotive-grade compute to make intelligent decisions about emergency braking events. We are excited to begin sharing more information about this safety-critical system.
Composing a Safety-Critical System
Why did we build Shield? While engineering any safety-critical system, whether hardware or software, it is vital you construct it with multiple layers of redundancy to avoid any single point of failure. A correctly composed safety-critical system assumes any layer can fail at any time, and ensures that each failure mode is handled (i.e. no silent failures). Shield is one of those mission-critical layers within our self-driving technology, and ensures our vehicle comes to a stop for critical objects (e.g. pedestrians, bicyclists, vehicles) in the path of our self-driving car.
You may be asking “Isn’t the whole purpose of a self-driving car to stop for critical objects?” You’d be correct, but delivering on this promise is a complex undertaking. If you inspect the results of many of the Automatic Emergency Braking (AEB) systems installed on consumer vehicles today, you’ll note that although some systems do prevent collisions proactively, many systems instead optimize for reducing the impact of collisions (i.e. hitting the brakes when a collision is unavoidable). This design decision is due in large part to the complexity of reliably detecting objects with low-resolution sensors, and the safety issues involved with high-speed braking events caused by false positives. An AEB system designed from the ground up for self-driving cars, complete with advanced sensors, algorithms, and compute, can and should do better.
Handling Failure, Gracefully
While a Voyage car drives itself, it processes information from its many vision sensors 10 times per second. This information is processed on its primary compute cluster powered by its primary power source. Within those 100 milliseconds, our self-driving technology executes its primary set of vision algorithms on the sensor data, outputting rich information about objects around us. We engineer each primary vision algorithm to be unique in their approach, to minimize common failures.
Almost all of the time, our primary vision algorithms enable our self-driving technology to intelligently and safely navigate the world, but hardware is complex and the world is chaotic. As such, we design our safety-critical systems with failure in mind. What if all of our primary vision algorithms miss an object? And what if that object is in the path of our self-driving car?
Enter Shield, an independent system to reliably detect critical objects in the path of the vehicle and, if necessary, hit the brakes (hard!) early enough to come to a safe stop. Shield operates on its own powerful compute, power source, with a secondary set of vision algorithms and sensors, complete with a low-latency connection to actuate the brakes of the vehicle with full authority.
To responsibly deploy Shield and our self-driving technology, we initially limit our operational speed to 25mph. Speed is the crucial variable for safety — by reducing it, we reduce the system’s complexity. No hardware or software system can claim perfection, but the chances of any common failure between our self-driving technology and Shield is astronomically low, and our speed limitation further strengthens our safety story.
How Shield Works
Shield is a technology comprised of three components:
- Automotive-grade compute
- Reliable sensors and perception algorithms
- Stringent testing and validation methods
Automotive-Grade Compute
While our primary vision algorithms operate on the compute cluster that power our self-driving technology, Shield operates on an entirely independent compute (NVIDIA Drive AGX) and power source.
The Drive AGX AI compute platform is built to automotive-grade specifications (ISO 26262/ASIL-D, ISO/PAS 21448), providing the reliability we need for such a safety-critical application. In addition, the performance delivered blows away compute typically used for AEB systems. NVIDIA Xavier SoC delivers 30 TOPS of performance while consuming only 30 watts of power, giving Shield ample processing power.
“With the combination of high performance and energy efficiency, the scalable NVIDIA DRIVE compute platform is designed to handle the entire range of autonomous driving capabilities, from AI-assisted driving to fully driverless operation,” said Rishi Dhall, Vice President of Business Development for Autonomous Vehicles at NVIDIA. “Voyage’s autonomous vehicle fleet is a prime use case that leverages AI to significantly improve the safety of everyday driving.”
Shield was architecturally influenced by the design of the Space Shuttle, which had four primary computers, with a fifth backup computer built and programmed in an orthogonal fashion. Shield’s compute and software is intentionally differentiated from our primary self-driving technology, to eliminate the possibility of common mistakes occurring from a chain reaction of complex events.
A Reliable Set of Eyes
Running on our reliable, automotive-grade compute is Shield’s intelligent software, which has a simple mission: always detect critical objects in-front of the vehicle and, if necessary, apply the brakes. Although this is a simple mission, it is an incredibly complex undertaking, requiring state-of-the-art algorithms and system design to accomplish.
We begin by placing our high-resolution Shield sensor at the very front of the vehicle, giving Shield’s software the best vantage point to reliably detect objects of small size. High-resolution lidar (like the ultra-reliable Velodyne Ultra Puck VLP-32C) is the perfect choice for a supercharged AEB system like Shield. The Ultra Puck produces an incredible amount of data about its surroundings, while operating flawlessly during the day, night, and with the weather conditions we consider for our self-driving car service.
“Voyage has utilized Velodyne’s smart, powerful lidar solution for years in the deployment of their self-driving vehicles. By utilizing our Ultra Puck sensor as an essential component in their Shield system, Voyage continues to advance their AV technology, creating safer vehicles in a wide variety of roadway scenarios.” — Laura Wrisley, Director of Sales, Velodyne Lidar.
With the dense output from our Shield sensor, we must now reliably detect objects. With the sensor positioned so close to the ground at the front of the vehicle, this presents an interesting algorithmic challenge: we must infer what sensor output is from the ground and what is not. Simply put: any output that is not ground, and is in front of the vehicle, is an object Shield pays close attention to.
An important subtlety within our algorithms is that Shield’s perception system does not utilize a pre-recorded, high-resolution map. Although our self-driving technology does utilize a map to reliably navigate the world, we do not believe a safety-critical system like Shield should have a dependency on a map that could be days old.
Testing & Validating Mission-Critical Components
As with any safety-critical component, testing and validation is imperative. We test Shield’s hardware and software with a variety of variables, such as speed, acceleration, turning, elevation changes, wet road, and from dawn to dusk. We re-create critical scenarios involving very large and very small objects, both stationary as well as in-motion. The Shield system is designed to be robust in all of the operating conditions for which our self-driving cars are designed.
Not only do we stress-test Shield, we take it one step further: tests conducted on our closed track are designed to purposely inject failures, in order to validate that Shield properly handles the worst case issues. These tests measure our ability to detect, respond, and mitigate any failures of the sensors, computers, wiring, or software within an appropriate time period.
In addition to stress testing, we collect miles every day with our fleet of G2 self-driving cars. This data is monitored and reviewed to perfect our system calibration. These insights can be achieved in normal driving conditions by using a shadow mode for measurement only, without triggering an actual braking event.
We are currently in the process of rigorously validating Shield according to automotive-grade guidelines, and we’ll update you as we make our way through this process.
A Safer Self-Driving Car
In this driverless world, the biggest barrier to consumer adoption of self-driving technology is trust. A self-driving company will not succeed if consumers do not trust their technology, and inversely we will see self-driving companies thrive if they are trusted above others. Building trust is not simple, but at Voyage we believe it all begins with transparency, and I hope this overview of Shield proved useful towards that goal. We will continue to share more about Shield and the many other safety-critical technologies we’re working on.
Want to work on Shield at Voyage? Join our fast-growing team!
