Safety Relevant Guidance For On Road Testing Of Sae Level 3 4 And 5 Prototype Automated Driving System Ads Operated Vehicles

This document provides safety-relevant guidance for on-road testing of vehicles being operated by prototype conditional, high, and full (Levels 3 to 5) ADS, as defined by SAE J3016. It does not include guidance for evaluating the performance of post-production ADS-equipped vehicles. Moreover, this guidance only addresses testing of ADS-operated vehicles as overseen by in-vehicle fallback test drivers (IFTD).These guidelines do not address: Remote driving, including remote fallback test driving of prototype ADS-operated test vehicles in driverless operation. (Note: The term "remote fallback test driver" is included as a defined term herein and is intended to be addressed in a future iteration of this document. However, at this time, too little is published or known about this type of testing to provide even preliminary guidance.) Testing of driver support features (i.e., Levels 1 and 2), which rely on a human driver to perform part of the dynamic driving task (DDT) and to supervise the driving automation feature's performance in real time. (Refer to SAE J3016.) Closed-course testing. Simulation testing (except for training purposes). Component-level testing. This document provides general safety-relevant guidance for testing prototype automated driving systems (ADS) equipped on test vehicles operated in mixed-traffic environments on public roads (hereafter, prototype ADS-operated vehicles). This document is being substantially updated in order to incorporate lessons-learned based on accumulated field experience in testing prototype ADS-operated vehicles on public roads, and to make it compatible with related SAE documents.It is assumed that the prototype ADS-operated vehicles that are the subject of this guidance have been developed using standardized methods for safer product development including, but not limited to: A systems engineering approach (i.e., V-model). Adherence to a recognized functional safety process, such as ISO 26262, for identifying hazards and implementing strategies for mitigating them. Implementation of an electrical/electronic (E/E) architecture (system/hardware/software levels) capable of implementing hazard mitigation concepts and strategies. Analysis and testing of identified hazard mitigation strategies (hardware and software).Prototype ADS-operated vehicles that are based on existing production vehicles rely on the existing vehicle's E/E architecture, as adapted for ADS. Prototype ADS technology provided via added hardware and software modules that are not integrated according to the vehicle manufacturer's specifications, should be checked to ensure that they do not interfere with base vehicle hardware or software systems. As such, they should abide by the following general principles: All hardware and software interfaces between production- and development-level hardware and software should be analyzed and tested for operational integrity, including analysis of failure modes and effects. All developmental software added to a vehicle (including that equipped on added hardware modules) should be monitored and/or include self-diagnostics for safety-critical functions, which should be verified for efficacy prior to on-road testing.Proper test program/operations management plays a key role in helping to maintain safety while conducting on-road testing of prototype ADS-operated vehicles. Unexpected behaviors (including incidents) should be reported accurately and consistently for later root-cause analysis and resolution. A manager in charge of prototype ADS-operated vehicle testers should explain to them the organization's specific rules about testing and documentation, as well as any hardware/software updates that impact the performance of the ADS-operated vehicles. Novice testers should be paired with more experienced testers to learn the appropriate reactions in various situations.Real-time calibration/tuning of ADS software during testing should be allowed only after evaluation by qualified personnel (e.g., development engineer, lead calibrator, and/or designated safety engineer), indicating that the change does not pose unacceptable risk for on-road testing.

This document provides preliminary1 safety-relevant guidance for in-vehicle fallback test driver training and for on-road testing of vehicles being operated by prototype conditional, high, and full (Levels 3 to 5) ADS, as defined by SAE J3016. It does not include guidance for evaluating the performance of post-production ADS-equipped vehicles. Moreover, this guidance only addresses testing of ADS-operated vehicles as overseen by in-vehicle fallback test drivers (IFTD).These guidelines do not address: Remote driving, including remote fallback test driving of prototype ADS-operated test vehicles in driverless operation. (Note: The term "remote fallback test driver" is included as a defined term herein and is intended to be addressed in a future iteration of this document. However, at this time, too little is published or known about this type of testing to provide even preliminary guidance.) Testing of driver support features (i.e., Levels 1 and 2), which rely on a human driver to perform part of the dynamic driving task (DDT) and to supervise the driving automation feature's performance in real time. (Refer to SAE J3016.) Closed-course testing. Simulation testing (except for training purposes). Component-level testing.These guidelines also do not address prototype vehicle and IFTD performance data collection and retention. The collection of data invokes various legal and risk management considerations that users of this document should nevertheless bear in mind, such as: Maintaining auditable procedures and documentation. Adhering to applicable privacy laws and principles. Ensuring adequate data collection and recording integrity to support post-crash forensic analysis. This document provides safety-relevant guidance for in-vehicle fallback test driver training and for testing prototype automated driving systems (ADS) equipped on test vehicles operated in mixed-traffic environments on public roads (hereafter, prototype ADS-operated vehicles). This document is being substantially updated in order to incorporate content from Automated Vehicle Safety Consortium (AVSC) publication 00001201911: "AVSC Best Practice for In-Vehicle Fallback Test Driver Selection, Training, and Oversight Procedures for Automated Vehicles Under Test" and to re-classify this document as an SAE Recommended Practice, rather than an SAE Information Report.It is assumed that the prototype ADS-operated vehicles that are the subject of this guidance have been developed using standardized methods for safer product development including, but not limited to: A systems engineering approach (i.e., V-model). Adherence to a recognized system safety process(es) for identifying hazards and implementing strategies for mitigating them. Implementation of an electrical/electronic (E/E) architecture (system/hardware/software levels) capable of implementing hazard mitigation concepts and strategies. Analysis and testing of identified hazard mitigation strategies (hardware and software).Prototype ADS-operated vehicles that are based on existing production vehicles rely on the existing vehicle's E/E architecture, as adapted for ADS. Prototype ADS technology provided via added hardware and software modules that are not integrated according to the vehicle manufacturer's specifications, should be checked to ensure that they do not interfere with base vehicle hardware or software systems. As such, they should abide by the following general principles: All hardware and software interfaces between production- and development-level hardware and software should be analyzed and tested for operational integrity, including analysis of failure modes and effects. Developmental software added to a vehicle (including that equipped on added hardware modules) should be monitored and/or include self-diagnostics for safety-critical functions, which should be verified for efficacy prior to on-road testing. Alternatively, system-level approaches to ensuring developmental software safety (e.g., shadow mode testing) is also acceptable.Test program/operations management plays a key role in helping to maintain safety while conducting on-road testing of prototype ADS-operated vehicles. Unexpected behaviors (including incidents) should be reported accurately and consistently for later root-cause analysis and resolution. A manager in charge of prototype ADS-operated vehicle testers should explain to them the organization's specific rules about testing and documentation, as well as any hardware/software updates that impact the performance of the ADS-operated vehicles. Novice testers should be paired with more experienced testers to learn the appropriate reactions in various situations.Real-time calibration/tuning of ADS software during testing should be allowed only after evaluation by qualified personnel (e.g., development engineer, lead calibrator, and/or designated safety engineer), indicating that the change does not pose unacceptable risk for on-road testing.

This book takes a look at fully automated, autonomous vehicles and discusses many open questions: How can autonomous vehicles be integrated into the current transportation system with diverse users and human drivers? Where do automated vehicles fall under current legal frameworks? What risks are associated with automation and how will society respond to these risks? How will the marketplace react to automated vehicles and what changes may be necessary for companies? Experts from Germany and the United States define key societal, engineering, and mobility issues related to the automation of vehicles. They discuss the decisions programmers of automated vehicles must make to enable vehicles to perceive their environment, interact with other road users, and choose actions that may have ethical consequences. The authors further identify expectations and concerns that will form the basis for individual and societal acceptance of autonomous driving. While the safety benefits of such vehicles are tremendous, the authors demonstrate that these benefits will only be achieved if vehicles have an appropriate safety concept at the heart of their design. Realizing the potential of automated vehicles to reorganize traffic and transform mobility of people and goods requires similar care in the design of vehicles and networks. By covering all of these topics, the book aims to provide a current, comprehensive, and scientifically sound treatment of the emerging field of “autonomous driving".

This SAE Information Report classifies and defines a harmonized set of safety principles intended to be considered by ADS and ADS-equipped vehicle development stakeholders. The set of safety principles herein is based on the collection and analysis of existing information from multiple entities, reflecting the content and spirit of their efforts, including: SAE ITC AVSC Best Practices CAMP Automated Vehicle Research for Enhanced Safety - Final Report RAND Report - Measuring Automated Vehicle Safety: Forging a Framework U.S. DOT: Automated Driving Systems 2.0 - A Vision for Safety Safety First for Automated Driving (SaFAD) UNECE WP29 amendment proposal UNECE/TRANS/WP.29/GRVA/2019/13 On a Formal Model of Safe and Scalable Self-Driving Cars (Intel RSS model) SAE J3018This SAE Information Report provides guidance for the consideration and application of the safety principles for the development and deployment of ADS and ADS-equipped vehicles. This SAE Information Report is not intended to encompass all aspects of system-level safety for an ADS-equipped vehicle, including communication with other traffic participants. Addressing all identified safety principles is intended to support, but not fully ensure, comprehensive system-level safety.As an SAE Information Report, this document is non-normative, imposes no requirements, and does not address: Requirements for methodology, metrics, and/or acceptance thresholds. Ethics-related safety principles, or any link between the safety principles defined in this document and ethical studies/frameworks. Conformance with safety principles for purposes of liability and/or fault assignment.As ADS technology and deployment are expanded in the future, this document may be reconsidered for future revision including normative requirements. For automated driving systems (ADSs) and ADS-equipped vehicles, there are many interpretations of what constitutes a "safety principle." Some principles focus on design and development, some on behavior, and others on maintenance and support of ADS-equipped vehicles. With the variety of information and attempts at defining ADS safety principles available for industry and public alike, the need for clarification on classification and definitions of safety principles has become urgent.The clarification on classification and definitions will enable the industry to have a common taxonomy and terminology when discussing safety principles and will serve to facilitate ADS developers in applying and adhering to appropriate principles for safer design, development, and deployment of ADS-equipped vehicles.In addition to the recognized need for ADS safety principles by the industry itself, the National Highway Traffic Safety Administration (NHTSA) has also called upon SAE to define and develop a set of safety principles for industry use. This document is intended to respond to these needs.

RAND researchers analyzed three approaches to assessing the safety of automated vehicles (AVs)--measurements, processes, and thresholds--and how they interact. Researchers also explored the elements of effective communications regarding AV safety.

The main topics of this book include advanced control, cognitive data processing, high performance computing, functional safety, and comprehensive validation. These topics are seen as technological bricks to drive forward automated driving. The current state of the art of automated vehicle research, development and innovation is given. The book also addresses industry-driven roadmaps for major new technology advances as well as collaborative European initiatives supporting the evolvement of automated driving. Various examples highlight the state of development of automated driving as well as the way forward. The book will be of interest to academics and researchers within engineering, graduate students, automotive engineers at OEMs and suppliers, ICT and software engineers, managers, and other decision-makers.

"A Vision for Safety replaces the Federal Automated Vehicle Policy released in 2016. This updated policy framework offers a path forward for the safe deployment of automated vehicles by: encouraging new entrants and ideas that deliver safer vehicles; making Department regulatory processes more nimble to help match the pace of private sector innovation; and supporting industry innovation and encouraging open communication with the public and with stakeholders."--Introductory message.