This document provides safety-relevant guidance for in-vehicle fallback test driver training and for testing prototype automated driving systems (ADS) equipped on test vehicles operated in mixed-traffic environments on public roads (hereafter, prototype ADS-operated vehicles). This document is being substantially updated in order to incorporate content from Automated Vehicle Safety Consortium (AVSC) publication 00001201911: “AVSC Best Practice for In-Vehicle Fallback Test Driver Selection, Training, and Oversight Procedures for Automated Vehicles Under Test” and to re-classify this document as an SAE Recommended Practice, rather than an SAE Information Report.
It is assumed that the prototype ADS-operated vehicles that are the subject of this guidance have been developed using standardized methods for safer product development including, but not limited to:
- A systems engineering approach (i.e., V-model).
- Adherence to a recognized system safety process(es) for identifying hazards and implementing strategies for mitigating them.
- Implementation of an electrical/electronic (E/E) architecture (system/hardware/software levels) capable of implementing hazard mitigation concepts and strategies.
- Analysis and testing of identified hazard mitigation strategies (hardware and software).
Prototype ADS-operated vehicles that are based on existing production vehicles rely on the existing vehicle’s E/E architecture, as adapted for ADS. Added hardware and software modules that provide prototype ADS technology but are not integrated according to the vehicle manufacturer’s specifications should be checked to ensure that they do not interfere with base vehicle hardware or software systems. As such, they should abide by the following general principles:
- All hardware and software interfaces between production- and development-level hardware and software should be analyzed and tested for operational integrity, including analysis of failure modes and effects.
- Developmental software added to a vehicle (including that equipped on added hardware modules) should be monitored and/or include self-diagnostics for safety-critical functions, which should be verified for efficacy prior to on-road testing. Alternatively, system-level approaches to ensuring developmental software safety (e.g., shadow mode testing) are also acceptable.
Test program/operations management plays a key role in helping to maintain safety while conducting on-road testing of prototype ADS-operated vehicles. Unexpected behaviors (including incidents) should be reported accurately and consistently for later root-cause analysis and resolution. A manager in charge of prototype ADS-operated vehicle testers should explain to them the organization’s specific rules about testing and documentation, as well as any hardware/software updates that impact the performance of the ADS-operated vehicles. Novice testers should be paired with more experienced testers to learn the appropriate reactions in various situations.
Real-time calibration/tuning of ADS software during testing should be allowed only after evaluation by qualified personnel (e.g., development engineer, lead calibrator, and/or designated safety engineer), indicating that the change does not pose unacceptable risk for on-road testing.