Safe driving for everyone.

Our mission is to build safe self-driving. A world where cars are so capable, people are free to do something else behind the wheel. A world without crashes, where everyone gets home safely no matter who is driving.

From vehicle systems to artificial intelligence software to lifecycle operations, we are engineering novel technologies that advance the state-of-the-art for autonomous driving performance, reliability, and safety.

We are guided by a set of safety principles incorporated into every aspect of our company – from our working environment, to our test track operations, to our product. Our development process is a joint endeavor with OEM partners, designed to ensure safety at every phase, as we continuously test and validate our product from the first line of code all the way to the last mile on public roads.

END-TO-END SAFETY

Ghost Safety Program

We are building a living set of processes and testing methodologies to support the development of the Ghost Autonomy Engine, which will be implemented into new vehicles in concert with OEM partners.

The Ghost Safety Program is an end-to-end framework for analyzing autonomous vehicle safety, and for developing and executing safety verification and validation procedures. Divided into three layers, the program encompasses the base Vehicle Systems, the Autonomy Software, and Operations, Monitoring, and Reporting for both test and production fleets.

Vehicle Systems

Ensure reliability, performance, integrity, and fault tolerance of the hardware, software, and base vehicle components of the Ghost Autonomy Engine.

Base Vehicle
Compute
Fault Tolerance
Controls
Sensors
Runtime OS
Logging & Audit
Cybersecurity
Comms & OTA Updates

Testing Methodologies

  • Formal software verification

  • Fault injection testing

  • Software unit, system, and release testing

  • Hardware-in-the-loop testing

  • Vehicle integration testing

  • Security penetration testing

Autonomy Software

Ensure accurate perception and understanding of road actors and the driving environment, and appropriate and safe execution of the driving task within the specified domain.

Obstacle Perception
Depth Estimation
Scene Perception
Drive Planning
Drive Execution
Minimal Risk Condition
Driver Intent
ODD Enforcement

Testing Methodologies

  • Perception NN validation

  • Scene NN validation

  • Driving program validation

  • Driver intent model validation

  • Scenario simulation

  • Track testing and replay

  • Road testing and replay

  • Collision avoidance testing

Operations, Monitoring, and Reporting

Ensure real-time understanding of test and production fleet operations, rapid issue and incident response, and continuous learning from road activity.

Operations Monitoring
Call Home - Events, Logs, and Diagnostics
OTA Software & ODD Updates
Test Driver Training
Incident Response

Testing Methodologies

  • Data integrity testing

  • Site and service uptime monitoring

  • Test driver reporting, monitoring, and fatigue management

  • Incident simulation and response

COMPONENT SAFETY

Vehicle Systems

The Vehicle Systems layer consists of all the underlying hardware, software, and base vehicle components required to operate the Ghost Autonomy Engine on the road. The Ghost Reference Hardware incorporates multiple layers of redundancies and a vehicle controller meeting the highest level of safety assurance. We conduct safety analyses and follow an end-to-end testing protocol to ensure its reliability, performance, integrity, and fault tolerance.

Vehicle Systems include:

Base Vehicle
Compute
Fault Tolerance
Controls
Sensors
Runtime OS
Logging & Audit
Cybersecurity
Comms & OTA

Developed with OEM partners

The Ghost Autonomy Engine will be deployed in vehicles that are designed and manufactured by OEM partners, leveraging their decades of experience in development, testing, and validation of new automotive safety technologies. Ghost is architected to preserve most existing safety systems, including ABS, DSC, and other ADAS features. The integration of Ghost’s runtime platform and sensor suite into new vehicles will be co-designed with OEMs to facilitate end-to-end testing of the entire vehicle complete with the Ghost Autonomy Engine.

Hardware and software reliability, built for scale

The Ghost reference hardware stack is composed of readily available components that are produced, tested, and proven to perform at massive scale in consumer products -- and that have been packaged specifically to meet auto-grade temperature, shock, and vibration specifications. Ghost’s fail-operational design leverages redundant sensors, compute, vehicle controls, and power supply to enable continuous operation in the event of component failure. Ghost’s runtime operating system is hardened for security and reliability and is verified to ensure proper logic and bug-free execution, leveraging formal software verification methods pioneered in aerospace and defense applications.

Testing and validation methodologies

Ghost employs standard and advanced safety analyses, including failure analyses, functional testing, fault injection testing, hardware-in-the-loop testing, and simulation in our data center. Our analyses are designed to incorporate industry best practices and to meet applicable standards for hardware, radar, and other aspects of our system. We apply formal verification methods to our software to avoid bugs and ensure proper logic, and we use simulation and advanced mathematical approaches to ensure the completeness of our neural network training.

SAFETY INNOVATION SPOTLIGHT

Formal software verification

Many existing self-driving systems rely on conventional software development processes that use statistical sampling methods, such as measuring code coverage, that are prone to potential missed bugs or errors in logic. The larger and more complex the code base, the greater the risk that code which is probabilistically tested will contain errors in infrequently exercised code paths or from unexpected inputs. The exceptional complexity of self-driving software means that it is particularly susceptible to such errors.

Ghost is solving this critical problem by adopting a software testing process based on formal verification, an engineering technique that uses mathematical reasoning to validate that software accomplishes its design specifications. As a result, Ghost can mathematically prove that its software is operating as designed – both correct in logic and free of bugs.

PERCEPTION AND DRIVING SAFETY

Autonomy Software

Ghost’s perception pipeline and driving program must accurately perceive the environment, understand complex scenes, and reliably determine and execute safe driving maneuvers. We are designing a simulation, testing, and validation suite that incorporates principles of Safety of the Intended Functionality (SOTIF) and more traditional hazard-based analyses to validate the safety of our software and algorithms.

Autonomy Software includes:

Obstacle Perception
Depth Estimation
Scene Perception
Drive Planning
Drive Execution
Minimal Risk Condition
Driver Intent
ODD Enforcement

Simulation, track testing, and public road testing

Ghost follows an ordered testing progression for every new feature or release. First, individual features are unit tested and complete builds are evaluated via automated software regression testing. Release candidates are then tested extensively via simulation on Ghost Driving Computers installed in the data center, measuring overall system performance against replays of real driving scenarios captured from the road at scale, including edge cases and extreme scenarios.

Next, software is validated in-car in the garage and then tested on a private test track, where it is subjected to a battery of challenging and adversarial scenarios.

Finally, software will be tested at increasing scale on public roads under the supervision of dual safety test drivers before being transitioned to OEMs for integration into their vehicles.

Neural network validation

Neural networks are responsible for interpreting visual and radar data streams for obstacle perception, depth estimation, scene understanding, and driver intent. As neural networks are probabilistic models, they cannot be formally verified, because their inputs and outputs are not discrete. To ensure their safe and reliable execution, Ghost has developed techniques incorporating a layered approach to validation that reduces the risk of vulnerability to potential edge cases.

Path planning and vehicle controls validation

To safely plan and execute a driving path, the driving program computes possible trajectories for every actor in the scene based upon their motion paths, speed, and the scene configuration dozens of times per second. This enables swift reactions to safety-critical changes in the environment. The driving program then provides control instructions for acceleration, braking, and steering via a vehicle controller, which is formally verified to guarantee that the instructions are executed correctly. The vehicle controller also enforces constraints on vehicle control inputs to prevent unsafe maneuvers.

Operational design domain enforcement

Ghost ensures that autonomous driving capabilities are only available within eligible environmental and geographic conditions and that the vehicle is traveling on appropriate roads and at legal speeds. GPS and maps will be used to evaluate whether the vehicle is within an available operational design domain (ODD). The driver will receive communication when autonomous driving can be activated or if the vehicle is nearing an ODD boundary and the driver needs to retake control. The ODD can be updated in near real-time if select road segments or conditions are found to be unsafe for autonomy. If environmental conditions change or the system detects an approaching construction zone or emergency vehicle, Ghost will alert the driver and take appropriate fallback actions to mitigate risk, including invoking a minimal risk condition (MRC) if necessary.

Fallback scenario management

Ghost is designed to be an L4 autonomous driving system that does not require human intervention to drive safely or fall back to a minimal risk condition (MRC). The perception pipeline and driving program are continuously monitored for faults, occlusions, or failures. Redundant sensor and compute components enable most faults to be managed without interrupting the drive. In the event of a major fault, the vehicle controller includes an independent ASIL-D failsafe system capable of navigating the vehicle to an MRC based upon a predefined exit path. If the system can no longer continue on its intended path, it will bring the vehicle to a controlled stop in a safe location.

SAFETY INNOVATION SPOTLIGHT

Universal obstacle detection with physics-based neural networks

Existing systems rely on image-based object recognition to determine the presence of obstacles and then use estimates of their probable size to reason about their distance, velocity, and predicted behavior. But object recognition can be unreliable, as it is impossible to train neural networks on the infinite long tail of potential objects and scenarios.

Ghost is solving this critical problem by developing a new approach to artificial intelligence that does not require object recognition to drive safely. These breakthrough neural networks can generalize and understand the physics of obstacles in motion regardless of their type, speed, or arrangement in three-dimensional space, effectively eliminating the long tail of edge cases. This enables Ghost to detect and avoid objects universally, removing the risk of crashes or inaccurate distance estimation that stem from object recognition and sizing errors.

LIFECYCLE SAFETY

Operations, Monitoring, and Reporting

Ghost closely monitors both its test and production fleet operations to ensure safe performance on the road. This requires near real-time visibility into all Ghost-enabled vehicles, rapid response to issues or incidents, and continuous learning and improvement across the entire fleet for ongoing lifecycle management.

Operations, Monitoring, and Reporting includes:

Operations Monitoring
Call Home - Events, Logs, and Diagnostics
OTA Software & ODD Updates
Test Driver Training
Incident Response

Monitoring and logging

All Ghost-enabled vehicles are equipped with LTE communications capabilities to send operations data via Ghost Connect or through OEM partner infrastructure. This data provides near real-time fault and incident reporting, access to detailed system logging, and video and radar replay capabilities from all sensors.

Over-the-air updates and software version enforcement

The Ghost operating model is designed to promote the rapid advancement of software capabilities by enabling the deployment of over-the-air (OTA) updates to vehicles on an ongoing basis. The Ghost Connect infrastructure is responsible for managing this update cycle and is equipped to help resolve potential safety issues, including facilities for deploying required software updates and enforcing acceptable software versions. If abnormalities arise within a given operational design domain, such as an issue with a precise location or a set of driving conditions, Ghost Connect can push a required OTA update in near real-time to restrict Ghost functionality within the ODD until the underlying concern is resolved.

Safety driver program management

Ghost is developing a rigorous safety test driver program including extensive background checks, training, and ongoing performance monitoring to ensure safe operations of its test vehicle fleet. Ghost has also built a program to identify and mitigate potential risks in test track and public road testing, encompassing both risk mitigation and incident response procedures.