This document provides general safety-relevant guidance for testing prototype automated driving systems (ADS) equipped on test vehicles operated in mixed-traffic environments on public roads (hereafter, prototype ADS-operated vehicles). This document is being substantially updated in order to incorporate lessons learned from accumulated field experience in testing prototype ADS-operated vehicles on public roads, and to make it compatible with related SAE documents.
It is assumed that the prototype ADS-operated vehicles that are the subject of this guidance have been developed using standardized methods for safer product development including, but not limited to:
- A systems engineering approach (i.e., V-model).
- Adherence to a recognized functional safety process, such as ISO 26262, for identifying hazards and implementing strategies for mitigating them.
- Implementation of an electrical/electronic (E/E) architecture (system/hardware/software levels) capable of implementing hazard mitigation concepts and strategies.
- Analysis and testing of identified hazard mitigation strategies (hardware and software).
Prototype ADS-operated vehicles that are based on existing production vehicles rely on the existing vehicle’s E/E architecture, as adapted for ADS. Prototype ADS technology provided via added hardware and software modules that are not integrated according to the vehicle manufacturer’s specifications should be checked to ensure that the modules do not interfere with base vehicle hardware or software systems. As such, they should abide by the following general principles:
- All hardware and software interfaces between production- and development-level hardware and software should be analyzed and tested for operational integrity, including analysis of failure modes and effects.
- All developmental software added to a vehicle (including that equipped on added hardware modules) should be monitored and/or include self-diagnostics for safety-critical functions, which should be verified for efficacy prior to on-road testing.
Proper test program/operations management plays a key role in helping to maintain safety while conducting on-road testing of prototype ADS-operated vehicles. Unexpected behaviors (including incidents) should be reported accurately and consistently for later root-cause analysis and resolution. A manager in charge of prototype ADS-operated vehicle testers should explain to them the organization’s specific rules about testing and documentation, as well as any hardware/software updates that impact the performance of the ADS-operated vehicles. Novice testers should be paired with more experienced testers to learn the appropriate reactions in various situations.
Real-time calibration/tuning of ADS software during testing should be allowed only after evaluation by qualified personnel (e.g., development engineer, lead calibrator, and/or designated safety engineer), indicating that the change does not pose unacceptable risk for on-road testing.