Demonstrating the safety of autonomous vehicles (AVs) is crucial to making them a mass market reality. Existing safety standards provide a starting point by addressing functional safety, as well as safety of the intended functionality. Now UL 4600, a new complementary standard, helps establish a strong, flexible safety case approach for AVs. By defining a safety case and validating their design’s performance against that case, engineers can use UL 4600 as a roadmap to accelerate their autonomous vehicle development safety efforts.
Automated driving continues to be a primary area of focus for the world’s automotive industry, with enormous investments being made. Allied Market Research estimates that the worldwide market for autonomous vehicles, valued at $54.23 billion in 2019, will grow to $556.67 billion by 2026 ― a compound annual growth rate of nearly 40%.
These investments already seem to be paying off. The National Safety Council recently released preliminary estimates for motor vehicle deaths in 2019, which represent a 2% decline from 2018 and a 4% decrease over 2017. Industry experts attribute this trend, at least in part, to the introduction of automated driving features such as such as automatic emergency braking, lane departure warning systems and intelligent headlights.
The Importance of a Strong Safety Case
While the industry is making impressive progress in commercializing individual automated driving technologies, there is still a central challenge to overcome before fully autonomous vehicles can be commercialized. AV engineering teams must demonstrate that their vehicles will work reliably under an enormous range of traffic conditions, weather, lighting levels and road terrains. Self-driving cars must recognize and respond, immediately and appropriately, to a spectrum of visual phenomena ― from pedestrians and other vehicles to road signs, traffic lights and lane markings.
There are industry standards to guide the efforts to achieve safety for road vehicles, including the functional safety standard ISO 26262. This standard addresses hazards that are caused by system- or component-level failures (such as random hardware faults) or systematic issues (such as undiscovered software bugs). A newer standard, ISO 21448, focuses on safety of the intended functionality (SOTIF). It identifies and addresses potentially hazardous performance shortfalls in autonomous vehicle systems that occur even in the absence of system failures. SOTIF analysis reveals, for instance, any performance limitations of perception sensors or object recognition systems ― as well as unexpected events in the environment that are not properly recognized and managed by the AV.
These and a variety of other industry standards in-the-making share one foundational goal: Achieving acceptable safety for autonomous vehicle designs under real-world operating conditions, so the vehicle can be commercially launched. However, tying all these pieces together to make sure nothing has been left out requires a strong safety case ― i.e., a structured argument, supported by evidence, intended to justify that the system is acceptably safe.
While this is a huge, complex undertaking, today a new complementary standard can help guide the process of defining this safety case, then proving that the autonomous vehicle design can meet its demands, via a step-by-step process.
"By making safety goals, arguments and evidence explicit at an early stage, UL 4600 accelerates the validation process and can be a critical precursor to other certifications.”
― Bernard Dion, CTO, systems business unit, Ansys.
UL 4600: Making the Case for Autonomous Vehicle Safety
To support a flexible path to AV safety assessment and validation, Ansys has been participating in an industry-wide effort to define a new standard for the development of AVs. Published in April 2020, UL 4600 focuses not on specific engineering methods or technologies, but on the end goal of demonstrating a strong safety case for a given AV product.
UL 4600, called Standard for Safety for the Evaluation of Autonomous Products, encompasses fully autonomous systems that move, such as self-driving cars and lightweight unmanned aerial vehicles (UAVs). It addresses the ability of autonomous products to perform safely and as intended ― with no human intervention ― based on their technology infrastructure and capabilities, including their ability to correctly sense and respond to real-world operating conditions.
"UL 4600 is designed to let you know that you have done enough work on safety. It ensures that you have defined an appropriately rigorous safety case for your AV design, then it asks you to demonstrate your compliance with that safety case in a measurable way."
― Dr. Philip Koopman, CTO, Edge Case Research
The development of the standard was led by Underwriters Laboratories and Edge Case Research (Edge Case). Based in Pittsburgh, Edge Case has been a long-time strategic partner of Ansys, helping to develop robust risk-modeling and simulation capabilities for Ansys SCADE Vision, Ansys medini and other solutions. Because Edge Case’s specialty is identifying those edge cases where AV perception software exhibits inconsistent, potentially unsafe behavior, the company was a natural collaborator with Underwriters Laboratories in developing UL 4600.
A Practical, Goal-Based Process
Dr. Philip Koopman, Edge Case Research’s co-founder and Chief Technology Officer, as lead author guides technical content for the UL 4600 Standard Technical Panel (STP). An internationally recognized expert on AV safety with more than 20 years of research experience, Koopman reports that the new standard was defined with a very practical purpose: Finding a flexible way to ensure that autonomous vehicles are acceptably safe, without hindering technical evolution and deployment.
“You could road test an autonomous vehicle for billons of miles, but that’s simply not smart or practical,” says Koopman. “Beyond a practical amount of testing, you also need good engineering rigor, comprehensive feedback from field operations and a strong safety culture. Explaining that you have done all these things in combination is how we’ll establish a basis of trust among stakeholders that AVs are safe.
“UL 4600 is designed to let you know that you have done enough work on safety,” Koopman states. “It ensures that you have defined an appropriately rigorous safety case for your AV design, then it asks you to demonstrate your compliance with that safety case in a measurable way. It is goal-based, not process-based.”
New Flexibility for Models and Simulations
“Regardless of where AV engineering teams are in the development process, it’s essential that their work is based on making, and proving, performance-based safety claims,” notes Bernard Dion, Chief Technical Officer for the systems business unit at Ansys. “UL 4600 lays out a step-by-step path for accomplishing this. It ensures that the development team is moving in the right direction with regard to safety.
“The beauty of this standard is that the specific proof points are flexible,” he continues. “For example, engineering simulations can be defined and conducted in the manner that makes the most practical sense for a given design. This gives AV development teams the ability to fully leverage the power of modeling and simulation tools, with few restrictions.
“UL 4600 is not intended to replace any existing standards, but to complement them. By making safety goals, arguments and evidence explicit at an early stage, UL 4600 accelerates the validation process and can be a critical precursor to other certifications,” concludes Dion. He notes that Ansys is uniquely positioned to help companies apply UL 4600, because it offers a complete toolchain for AV modeling, simulation and validation.
Accelerating on the Road to Autonomy
As autonomous driving technologies continue to demonstrate their ability to save lives, Koopman notes that the UL 4600 standard represents an effort to accelerate their commercialization, safely. “Most industry standards take years to develop, but UL 4600 was launched in one year,” he points out. “We are already discussing the next iteration of the standard. That is the degree of speed we need to get self-driving cars into the marketplace sooner rather than later.
“By allowing engineering teams to work more nimbly, choosing from an array of safety analysis tools and methods, UL 4600 acknowledges the complexity, and the importance, of the AV challenge,” he adds. “It will position the industry to achieve fully autonomous vehicle designs faster, without compromising safety.”
A Three-Step Approach
The new UL 4600 standard defines a broad, three-step approach for assessing and validating AV safety:
1. Making a measurable safety claim. An example might be: “Our AV design is engineered to avoid a collision with pedestrians with an acceptable, extremely high probability.”
2. Making an argument that proves the claim is true. In this step, engineers describe various perception technologies that detect pedestrians, as well as the systems that will be triggered to avoid them (e.g., emergency braking).
3. Providing evidence that the system will actually perform as expected. This is the stage where engineers provide simulation results, road test outcomes and other proof that the AV will perform reliably with regard to the specific claim.