Why Analyze Failures?
In aviation, every serious incident becomes an opportunity to make the entire system safer. Autonomous vehicles need the same discipline: study edge cases, identify failure modes, and turn them into clearer engineering and policy guardrails.
| Incident Type | Primary Failure Mode | Key Mitigation |
|---|---|---|
| Uber Tempe (2018) | Classification delay and disabled emergency braking | Driver monitoring, active AEB, and safer testing guardrails |
| Phantom Braking | False positive object detection | Sensor fusion, scenario testing, and cleaner perception inputs |
| Robotaxi Stalls | Edge cases that trigger a Minimum Risk Condition | Controlled pullovers, better fallback planning, and clearer incident reporting |
| Level 3 Handoffs | Delayed human takeover | Escalating alerts, driver monitoring, and graceful fallback behavior |
Case Study 1: The Uber ATG Incident (Tempe, AZ)
Key Failures Identified
- Classification delay: The system repeatedly reclassified the pedestrian instead of committing to a reliable trajectory prediction.
- Disabled braking safeguards: Emergency braking protections were weakened during testing, leaving too much responsibility on the human safety driver.
- Human-factor failure: The fallback driver was not maintaining adequate attention to the road.
Industry Lessons
The case underscored the need for driver-monitoring systems, better safety-driver protocols, and stronger rules around when core braking safeguards can be suppressed in testing.
Case Study 2: Phantom Braking Investigations
The Real-World Impact
False-positive braking creates a serious rear-end collision risk and has repeatedly triggered consumer complaints, defect probes, and product scrutiny across the ADAS market.
The lesson is broader than any single manufacturer: perception stacks need stronger validation around difficult lighting, roadside clutter, and ambiguous highway geometry.
Mitigation Strategies
- Sensor fusion: Cross-check camera, radar, and other perception inputs before commanding hard braking.
- Scenario testing: Validate against glare, overpasses, construction zones, and other edge cases that create false positives.
- Rider tip: Keep cameras and sensors clean. Dirty inputs make already-difficult perception cases worse.
Case Study 3: The "Stalled" Robotaxi
The Minimum Risk Condition
When an automated driving system can no longer safely proceed, it should enter a Minimum Risk Condition (MRC). The safest MRC is usually a controlled pullover, not an indefinite stop in an active lane.
The Policy and Ops Challenge
A vehicle that stops safely for itself can still create risk for traffic flow, emergency access, and curb operations. That is why cities and operators need shared reporting, clearer fallback behaviors, and faster remote-assistance playbooks.
Mitigations and Reporting
- Fleet action: Build slow-roll and pullover behaviors instead of defaulting to an in-lane stop whenever possible.
- City action: Share construction feeds, curb closures, and emergency detours so vehicles can reroute before stalling.
- Rider tip: If a vehicle stalls, stay belted, contact support through the vehicle interface, and wait for guidance unless emergency personnel tell you otherwise.
Case Study 4: Level 3 Handoff Failure
Risk Pattern
The most dangerous phase is the handoff. If the driver is distracted or disengaged, there can be a gap where neither the human nor the machine is effectively managing the vehicle.
Mitigations
- Driver monitoring: Eye tracking and attention checks should ramp alerts from visual to audio to haptic cues.
- Graceful fallback: If the driver does not respond, the system needs a controlled degradation path instead of an abrupt stop.
- Operator education: Treat Level 3 as conditional automation, not a permission slip to disengage completely.
How do we select these case studies?
These case studies are selected based on verified public reports, including NTSB investigations, DMV filings, and NHTSA data. We prioritize incidents that highlight systemic challenges in autonomy. For a deep dive into our selection process, data sources, and limitations, please read our full methodology.
Frequently Asked Questions
What is phantom braking in automated vehicles?
Phantom braking happens when driver-assistance or automated-driving systems misread shadows, bridges, roadside objects, or sensor noise as hazards and brake unexpectedly.
What is the Minimum Risk Condition (MRC) for robotaxis?
The Minimum Risk Condition is the fallback behavior an automated vehicle uses when it can no longer safely continue. The safest implementations favor controlled pullovers over stopping in an active lane whenever possible.
Who holds liability in a Level 3 handoff failure?
Liability typically remains with the manufacturer while the Level 3 system is operating as intended, but responsibility can shift when the driver ignores a valid takeover request and fails to resume control.
How should cities evaluate robotaxi stall reports?
Cities should track where stalls happen, whether vehicles can reach a safe pullover location, how quickly remote support responds, and whether the operator publishes consistent incident and disengagement reporting.
How to Use These Case Studies
- Brief riders and city partners on expected behaviors, especially MRC pullovers.
- Turn lessons into engineering checklists for perception, fallback, and takeover.
- Publish incident learnings in your VSSA to build public trust.