On April 1, 2020, Underwriters Laboratories (UL) announced that it published UL 4600 as an American National Standard. With its publication, UL 4600 became the auto industry’s first dedicated standard for fully autonomous-vehicle (AV) safety. Consumers who are familiar with UL safety certifications might assume that the 281-page UL 4600 document would prescribe the necessary technology and testing required to ensure AV safety. But this standard instead focuses on the quality of the safety argument.
“We’re not standardizing the product,” said Phil Koopman, chief technology officer at Edge Case Research (ECR) and associate professor of electrical and computer engineering at Carnegie Mellon University. “We’re standardizing the safety case.”
Koopman was the lead technical contributor to UL 4600. He explained that standards focusing on building a safety case, rather than prescriptive product features or testing benchmarks, are also used for medical devices. For example, a standard for infusion pumps helps ensure that a list of possible hazards is not overlooked. UL 4600 allows companies producing SAE Level 4 and 5 autonomous vehicles to build whatever type of vehicle they choose—using any sensors, compute and logic they deem appropriate.
The industry has yet to deploy mass-market self-driving vehicle and has not settled on a specific technology or testing regimen. As a result, UL elected to create a standard with flexibility on how to achieve an acceptable level of safety — for whatever type of AV is developed. “What you don’t have flexibility in is in how you describe that it’s safe,” said Koopman. “You have to follow the rules of the standard for us to believe that your description of why it’s safe is true.”
Added Jack Pokrzywa, SAE International’s ground vehicle standards director: “The automated vehicle technology inspires many activities around the world, among them standardization. The practices developed by committees in various regions must be harmonized to avoid confusion and duplication of efforts. SAE International and Underwriters Labs have recently agreed to work together and apply aspects of UL 4600 into the standards developed by the SAE On-Road Automated Driving committee.”
Building a safety argument
UL’s standard begins with definitions, as well as guidance on how an AV company should structure its safety case. The bulk of the content takes the form of a long list of principles, processes, conditions, risks and pitfalls that need to be considered when evaluating the safety of a vehicle with no human driver.
“It’s a comprehensive list of all the ‘Did you think of that?’ things to consider,” said Koopman. The list is impressive in its scope, including everything from lightning striking a moving vehicle to detecting black tire treads on a freshly paved black road. Listing all the cases, including the rare Black Swan occurrences, would require hundreds of pages—exactly what UL 4600 provides.
The genesis of the project was the UL Ventures Day on April 26, 2018. Mike Wagner, chief executive of Edge Case Research, was a guest presenter giving a talk about the landscape of AV development. The event was held one month after a self-driving Uber prototype vehicle struck a pedestrian in Tempe, Arizona. That accident was the first recorded traffic fatality involving an autonomous vehicle.
After the event, Deborah Prince, standards program manager at Underwriters Laboratories, started speaking with Wagner about launching a project to develop a standard. She knew from the beginning that people would assume that the standard would prescribe A, B, and C. “UL 4600 is technology-neutral,” she said. “It doesn’t say, for example, that you have to use lidar for sensing.”
AV makers aren’t compelled to address every line item in those hundreds of pages, Koopman explained. “People misunderstand. They say, ‘Oh, it’s so thick. There is all this stuff we have to do now. But you only have to do the stuff that matters. We’re trying to make sure you don’t miss something that matters.”
Nat Beuse, head of safety at Uber ATG, was among the first members to join the UL 4600 Standards Technical Panel (STP). “You can’t pick up UL 4600 and design a vehicle to it,” he said. In a sense, it serves a higher purpose. “It forces you to put together the pieces of a safety argument in a structured way such that you can honestly deliver on your top-level claim,” said Beuse. “Our top-level claim is that our vehicles are sufficiently safe to be on public roads.”
Each clause of the document represents a requirement, with a set of relevant “prompt elements” that follow. The prompts are identified as either mandatory, required, highly recommended, or recommended. The STP, consisting of an international body of 31 experts, ultimately voted to approve the document after receiving hundreds of stakeholder comments. The panelists came from leading organizations, including Argo AI, Aurora Innovation, Center for Auto Safety, Intel, Liberty Mutual Insurance, Uber, U.S. Department of Transportation, Nissan and several academic institutions.
Don’t start from scratch
AV producers already commonly produce a set of internal safety guidelines. “When UL started, we said, ‘Hey, we have a lot to contribute here because we had already been on this journey for some time,’” said Uber’s Beuse. On July 16, 2019, Uber ATG published its “Safety Case Framework” and placed it into the public domain under Creative Commons. “We’re not claiming we know everything,” said Beuse. “Anybody who picks up UL 4600 has work to do.”
The practice of AV safety requires not only building the safety case according to UL 4600, but considering more prescriptive guidelines outlined by organizations such as SAE’s Automated Vehicle Safety Consortium, the Institute of Electrical and Electronics Engineers (IEEE), and International Organization for Standardization (ISO). There are also rules established by international governments. “You ingest all of that and try to understand how that applies to what you’re building,” Beuse said.
Conformance with UL 4600 is established in a self-audit and through an independent assessment. It’s okay for the independent assessor to be an employee of the company, although Koopman encourages a third-party entity like TUV, UL.com, Intertek, or Lloyd’s Register to serve that role. Achieving UL 4600 compliance does not earn a special certification for the AV company. A company might not even announce that it complies. “The finish line is when the independent assessor signs off, but the only people that know about it are the people in the room,” said Koopman.
Beuse, who previously worked for NHTSA on its five-star safety rating system, believes that a robust, defensible safety case for AVs is an ongoing process—not a matter of declaring that a test has been passed or an award granted. “There’s always that initial appeal to say ‘Oh, I got some stamp,’” he said. “But our safety framework is about building trust.”
Moreover, compliance with UL 4600 does not promise that crashes won’t happen. “‘Acceptably safe’ means that the loss rate is acceptably low, but it’s not going to be zero,” Koopman said. “There are things you can’t prevent. No one’s perfect, right?” The shopULstandards website allows UL 4600 to be viewed page-by-page for free. There is a range of purchase options for digital and print copies, as well as one- and three-year subscriptions to retain access to future updated versions. UL expects to update the AV safety standard about once a year.Continue reading »