NTSB Highway Accident Report
39
2.2.1 Uber ATG Safety Risk Management
The ADS that controlled the test vehicle at the time of the crash was a developmental
system. As of the time of this report, there are no production-level automated vehicles on public
roads that do not require the operator to monitor the driving environment or rely on a driver to take
over the driving task if necessary.
ADS development, with the reliance on still-evolving technology and machine learning, is
an iterative process that is expected to contain errors and failures and to expose limitations. This
is also an expectation of a development process for any product or technology. A crucial distinction
in ADS development is that the technology is tested on public roads, among other settings. As
such, developers must anticipate potential system failures and their effects on safety and
implement strategies and countermeasures to minimize the safety risks. Robust mechanisms for
managing safety risk would include multiple layers of safety redundancy designed to control
potential risks that may exist in the environment where such systems are tested.
2.2.1.1 Precrash ADS Functionality. As a developmental system, the ATG ADS had
limitations in several areas, including its ability to detect pedestrians and predict their trajectories
and its handling of emergency situations, as described below.
Pedestrian Detection. At the time of the Tempe crash, the ATG ADS did not have the
functionality to anticipate pedestrians crossing midblock outside a marked crosswalk; although it
could detect and identify pedestrians, it would not assign them an inherent goal of jaywalking.
Rather, to predict a pedestrian’s trajectory, the system relied on consistent tracking and
classification of the pedestrian as such. In the crash, the ADS sensory and imaging systems—lidar,
radar, and camera—detected an object 5.6 seconds before impact, when the pedestrian was in the
middle of where the northbound road’s two left-turn lanes began forming. However, the system
never correctly classified the pedestrian. The ADS changed the pedestrian’s classification several
times, alternating between vehicle, bicycle, and other. Furthermore, with each change in object
classification, the ADS perceived the pedestrian as a new object without considering its location
history. Because (1) the system was unable to correctly identify the pedestrian as such, (2) the
ADS design did not rely on tracking history for nonpersisting objects—those with changed
classifications—to predict a path, and (3) the system lacked the functionality to assign a goal of
jaywalking, the system was unable to correctly predict the pedestrian’s path.
At the time of the crash, the ATG fleet of test vehicles had traveled the route on which the
crash occurred about 50,000 times. When interviewed, ATG vehicle operators reported
occasionally encountering pedestrians crossing a road midblock, and ATG’s training of vehicle
operators included preparation for hazardous situations such as jaywalking pedestrians.
Pedestrians crossing a road midblock should be an anticipated safety risk when testing in urban
environments. Because object identification is a challenging task for any ADS, the system was
never able to correctly classify the pedestrian as such. However, such limitations should be
anticipated and managed by additional layers of safety redundancy. The NTSB concludes that the
Uber ATG did not adequately manage the anticipated safety risk of its ADS’s functional
limitations, including the system’s inability in this crash to correctly classify and predict the path
of the pedestrian crossing the road midblock.