Safety-Relevant Guidance for On-Road Testing of Prototype Automated Driving System (ADS)-Operated Vehicles
This document provides preliminary safety-relevant guidance for in-vehicle fallback test driver training and for on-road testing of vehicles being operated by prototype conditional, high, and full (Levels 3 to 5) ADS, as defined by SAE J3016. It does not include guidance for evaluating the performance of post-production ADS-equipped vehicles. Moreover, this guidance only addresses testing of ADS-operated vehicles as overseen by in-vehicle fallback test drivers (IFTD).
These guidelines do not address:
Remote driving, including remote fallback test driving of prototype ADS-operated test vehicles in driverless operation. (Note: The term “remote fallback test driver” is included as a defined term herein and is intended to be addressed in a future iteration of this document. However, at this time, too little is published or known about this type of testing to provide even preliminary guidance.)
Testing of driver support features (i.e., Levels 1 and 2), which rely on a human driver to perform part of the dynamic driving task (DDT) and to supervise the driving automation feature’s performance in real time. (Refer to SAE J3016.)
Simulation testing (except for training purposes).
These guidelines also do not address prototype vehicle and IFTD performance data collection and retention. The collection of data invokes various legal and risk management considerations that users of this document should nevertheless bear in mind, such as:
Maintaining auditable procedures and documentation.
Adhering to applicable privacy laws and principles.
Ensuring adequate data collection and recording integrity to support post-crash forensic analysis.
This document provides safety-relevant guidance for in-vehicle fallback test driver training and for testing prototype automated driving systems (ADS) equipped on test vehicles operated in mixed-traffic environments on public roads (hereafter, prototype ADS-operated vehicles). This document is being substantially updated in order to incorporate content from Automated Vehicle Safety Consortium (AVSC) publication 00001201911: “AVSC Best Practice for In-Vehicle Fallback Test Driver Selection, Training, and Oversight Procedures for Automated Vehicles Under Test” and to re-classify this document as an SAE Recommended Practice, rather than an SAE Information Report.
It is assumed that the prototype ADS-operated vehicles that are the subject of this guidance have been developed using standardized methods for safer product development including, but not limited to:
A systems engineering approach (i.e., V-model).
Adherence to a recognized system safety process(es) for identifying hazards and implementing strategies for mitigating them.
Implementation of an electrical/electronic (E/E) architecture (system/hardware/software levels) capable of implementing hazard mitigation concepts and strategies.
Analysis and testing of identified hazard mitigation strategies (hardware and software).
Prototype ADS-operated vehicles that are based on existing production vehicles rely on the existing vehicle’s E/E architecture, as adapted for ADS. Prototype ADS technology provided via added hardware and software modules that are not integrated according to the vehicle manufacturer’s specifications should be checked to ensure that the modules do not interfere with base vehicle hardware or software systems. As such, they should abide by the following general principles:
All hardware and software interfaces between production- and development-level hardware and software should be analyzed and tested for operational integrity, including analysis of failure modes and effects.
Developmental software added to a vehicle (including that equipped on added hardware modules) should be monitored and/or include self-diagnostics for safety-critical functions, which should be verified for efficacy prior to on-road testing. Alternatively, system-level approaches to ensuring developmental software safety (e.g., shadow mode testing) are also acceptable.
Test program/operations management plays a key role in helping to maintain safety while conducting on-road testing of prototype ADS-operated vehicles. Unexpected behaviors (including incidents) should be reported accurately and consistently for later root-cause analysis and resolution. A manager in charge of prototype ADS-operated vehicle testers should explain to them the organization’s specific rules about testing and documentation, as well as any hardware/software updates that impact the performance of the ADS-operated vehicles. Novice testers should be paired with more experienced testers to learn the appropriate reactions in various situations.
Real-time calibration/tuning of ADS software during testing should be allowed only after evaluation by qualified personnel (e.g., development engineer, lead calibrator, and/or designated safety engineer), indicating that the change does not pose unacceptable risk for on-road testing.