Skip to main content
Meet our Trucking Industry Advisory Council
Careers

Fallback: Our “what if?” plan

Felix Duvallet

|

Drone image of the Kodiak truck performing a fallback

Launching a driver out autonomous truck is more than being able to handle edge cases: the complex and unusual circumstances that are most difficult to predict and hard to navigate. It is about ensuring that if something goes wrong the truck is always able to take a safe action.

When building the Kodiak Driver’s hardware, we have worked to harden it so it can handle the real-world rigors of long-haul trucking by considering every sensor mounting location, bolting down every connection, and doing in-depth vibration analyses to determine how vibrations will lead to wear and tear, and more. But it’s inevitable that after driving millions of miles, something will go wrong. Maybe a piece of roadway debris will bounce up and knock off one of the truck’s sensors, leaving the truck without access to a key tool for how it sees the world. Or perhaps a truck may run over that same piece of debris, causing a tire to go flat. The Kodiak Driver must have an answer to every possible “what if” situation. For example, what if somebody were to accidentally cut a sensor cable in the cab, as in the video below? Our answer is fallback.

The fundamental challenge of tackling these cases is that the Kodiak Driver must know what to do before such an event occurs; by the time something is damaged, it’s too late to be figuring out what to do. That’s why we have architected the Kodiak Driver from the start to always have a backup plan. This backup plan, known as a fallback, must go beyond low-level strategies such as blindly applying the brakes or randomly pulling over: fallbacks must be carefully planned maneuvers designed to bring a truck to a controlled stop in a safe location. Think of it as a “rainy day” contingency made ahead of time: in the extremely rare occurrence that a major fault does occur, the Kodiak Driver will detect it, and spring immediately into action based on its fallback plan. Fallbacks should almost never be used, but they are critical to ensuring safety.

The key to Kodiak’s fallback system is how we have architected our planner, which is responsible for planning where the Kodiak Driver will go (for both nominal trajectories and fallback trajectories) and our controller, which is responsible for actuating the truck and executing a trajectory. We have built our controller to run on a custom designed safety computer: the Actuation Control Engine, or ACE. The ACE is being validated to automotive-grade, which means it is designed to work no matter what – just like the computer that actuates the brakes on your car. Each Kodiak truck will include two ACE units for redundancy and additional safety. This architecture ensures that the Kodiak Driver’s controller is able to achieve a fallback no matter what the universe throws at it.

Just as important as being able to achieve a fallback is knowing when one is necessary. The Kodiak Driver’s health monitoring system is always checking the health of the entire system to ensure every component of our system is running as expected. These checks include the truck platform (for example oil level and tire pressure), the hardware installed on the truck (e.g. sensors, wiring, and computers), and of course the health of the autonomy software itself. All told, our system evaluates over 1,000 safety-critical components continuously. Our controller is able to swing into action immediately upon detecting a fault. We transition from executing the nominal trajectory to executing the fallback trajectory, and the truck is brought to a stop safely.

The key to safely and efficiently building fallback technology is including it in our technical architecture from the very beginning. It is very technically difficult to add fallback capabilities as an afterthought, since the hardware architecture used for fallbacks so deeply influences controller software. The system needs to know if sensor inputs are out of spec, if timing checks fail, or if hardware components have faults. Next, the system needs to determine what actions each fault requires. Adding these functions at the end of a development cycle inevitably leads to challenges. This is why at Kodiak, we have architected our system to take fallback into account from day one.

Of course, it can be a challenge to test and validate fallback functionality, since it will very rarely be used on the road (by design, of course, fallbacks are only for emergencies). This is one of the areas where Kodiak’s investments in simulation and structured track testing have paid off. We leverage large-scale simulation capabilities to constantly simulate fallbacks. Similarly, we have designed complex scenarios for testing at track: we perform fault injection to trigger a fallback maneuver in all sorts of conditions: near objects, on curves, and of course in nominal driving conditions. Together, these give us confidence in the Kodiak Driver’s ability to safely perform fallbacks before going on the highway.

At Kodiak, we’re building the world’s safest driver. Safely and reliably performing fallbacks is critical to that goal, and a key step towards launching an autonomous truck that can make the roads safer for everyone.

Safe and sound journeys!

Categories

More like this

Kodiak Establishes Industry Advisory Council, Taps Leaders from Walmart, UPS, and Beyond to Help Guide Development and Deployment of Autonomous Trucks

Kodiak Partners with Martin Brower to Autonomously Move Freight for Quick Service Restaurants