Suggested Citation:"Safety." National Academies of Sciences, Engineering, and Medicine. 2017. Impacts of Laws and Regulations on CV and AV Technology Introduction in Transit Operations. Washington, DC: The National Academies Press. doi: 10.17226/24922.
SAFETY

USDOT Automated Vehicle Safety Initiatives

NHTSA Federal Policy Guidelines for Automated Vehicles

In September 2016 the National Highway Traffic Safety Administration (NHTSA) of the U.S. Department of Transportation released a major policy document titled Federal Automated Vehicles Policy – Accelerating the Next Revolution in Roadway Safety.21

Safe Design of Highly Automated Vehicles (HAVs) – NHTSA makes the following statement in the September 2016 policy document (p. 11 of the document cited in footnote 21) concerning the self-certification of safety by HAV developers/manufacturers. It should be noted that, with respect to the safe design of AV technology for any type of public roadway testing and deployment, NHTSA retains the requirement for compliance with the FMVSS:

"Under current law, manufacturers bear the responsibility to self-certify that all of the vehicles they manufacture for use on public roadways comply with all applicable Federal Motor Vehicle Safety Standards (FMVSS). Therefore, if a vehicle is compliant within the existing FMVSS regulatory framework and maintains a conventional vehicle design, there is currently no specific federal legal barrier to an HAV being offered for sale. However, manufacturers and other entities designing new automated vehicle systems are subject to NHTSA's defects, recall and enforcement authority. DOT anticipates that manufacturers and other entities planning to test and deploy HAVs will use this Guidance, industry standards and best practices to ensure that their systems will be reasonably safe under real-world conditions."

In establishing a framework within which each vehicle developer/manufacturer is to design for safe HAV operations, the September 2016 policy document identifies three realms of guidance for design performance (Figure 8):

• NHTSA Guidance – Scope and process
• Automation Functional Key Areas – Specific to each HAV system
• Cross-Cutting Areas – Applicable across all automated equipment/subsystems

The operational design domain (ODD) defines a particularly relevant set of criteria, which is discussed further in Chapter 5 with respect to considerations for HAV applications in public transit service. Also important is the definition NHTSA gives to the "fall back minimal risk condition":

"The fall back minimal risk condition portion of the framework is also specific to each HAV system. Defining, testing, and validating a fall back minimal risk condition ensures that the vehicle can be put in a minimal risk condition in cases of HAV system failure or a failure in a human driver's response when transitioning from automated to manual control."

21 http://www.nhtsa.gov/nhtsa/av/

Figure 8. NHTSA Framework for Guidance of Safe HAV Design Performance

Several important articles and reports have been referenced in the NHTSA policy document, including published articles by automobile manufacturers active in the CAMP Consortium.22 Also, particularly noteworthy are several NHTSA reports that specifically address electronic control systems for vehicle automation:

• USDOT/NHTSA Report to Congress: "Electronic Systems Performance in Passenger Motor Vehicles" http://www.nhtsa.gov/Laws-&-Regulations/NHTSA-Reports-Sent-To-Congress
• Assessment of Safety Standards for Automotive Electronic Control Systems http://www.nhtsa.gov/DOT/NHTSA/NVS/Crash%20Avoidance/Technical%20Publications/2016/812285_ElectronicsReliabilityReport.pdf

These technical documents provide valuable information on safety methodologies and processes that provide a benchmark for continuing decisions by NHTSA as it moves toward rulemaking changes and additions to its safety regulations for HAV roadway vehicles.

22 CAMP – Crash Avoidance Metrics Partnership (CAMP) Automated Vehicle Research (AVR) http://www-esv.nhtsa.dot.gov/Proceedings/24/files/24ESV-000451.PDF

Federal Motor Vehicle Safety Standards and Regulations

Since the 1970s the National Highway Traffic Safety Administration has been establishing and maintaining safety standards, known as the Federal Motor Vehicle Safety Standards and Regulations, for the automobile industry in the United States.23 Other countries around the world have followed suit with their own very similar safety requirements. As summarized in the referenced article, the three best-known series of automobile safety requirements are:

1. Crash avoidance (100-series)
2. Crashworthiness (200-series)
3. Post-crash survivability (300-series)

NHTSA also has defined a battery of tests and acceptance criteria to monitor compliance with the FMVSS, and separately rates the crash performance of vehicle models sold in the United States through its five-star rating program. These traditional safety requirements will likely be gradually expanded to include HAV technology safety tests. Currently, a process is underway to assess the applicability of the FMVSS to AV technology.24 Through this ongoing review, NHTSA is identifying which standards may need to be changed to properly address highly automated roadway vehicles, as well as what new FMVSS will need to be added to test and confirm the safe design of both light- and heavy-vehicle AV products and other automation conversions (such as aftermarket AV "kits") that will likely be brought to the US marketplace.

FTA National Public Transportation Safety Program

The USDOT Federal Transit Administration (FTA) has been preparing a new Public Transportation Safety Program since 2013, when FTA introduced the transit industry to the fundamental changes to the federal transit safety program authorized by MAP-21. The final rule was published as 49 CFR Part 670 in the August 11, 2016 Federal Register and established the new Safety Program, in effect as of September 12, 2016.25 Overall, the new rules establish requirements for Safety Plans and for Safety Plan documentation and record keeping, and provide more specific guidance for hazard analysis, hazard management and the related risk assessments through a Safety Management System.

Safety Management System – One of the central elements of the FTA Safety Program is the new Safety Management System (SMS) framework,26 introduced in 2016 through FTA outreach. SMS is now being publicized and explained by FTA on multiple fronts, beginning with the most safety-critical operations of rail/fixed guideway public transit systems. Applicability to bus operations is also being discussed by FTA with even the smaller transit industry bus operators, as noted above. Eventually the SMS framework will be advocated to transit operators of any size for application to their entire public transportation service.

State Safety and Security Oversight – One of the key tenets of FTA's safety regulations was established 25 years ago, when the individual states were given responsibility for safety oversight of fixed guideway and rail systems. In the 1991 Intermodal Surface Transportation Efficiency Act (ISTEA), Congress determined that the states, not FTA, should be the principal oversight authorities for rail transit within their jurisdictions, given that public transportation is an inherently local activity which, with few exceptions, does not cross state boundaries. Known as the State Safety and Security Oversight (SSO) program, a new rule, 49 CFR Part 674, was finalized in March 2016 and provides the latest update to the requirements.27 Under this regulation, each state is required to identify a state safety oversight agency (SSOA); examples are the Public Utilities Commission in California and the Department of Transportation in Florida.

Vehicle-Focused Safety Standards and Methodologies

NHTSA has been comparing and assessing the attributes of several safety standards, methodologies and guidelines as it progresses toward becoming the regulator of the various levels of AV technology. Its specific focus has been on the electronic and computer systems that assume the decision-making process for driving the AV along its path:28

MIL-STD-882E: Department of Defense Standard Practice, System Safety – This system safety standard practice identifies the Department of Defense systems engineering approach to eliminating hazards where possible and minimizing risks where those hazards cannot be eliminated. MIL-STD-882E is a required practice as part of military systems automation design.

DO-178C: Software Considerations in Airborne Systems and Equipment Certification – This is industry-accepted guidance for software in airborne systems and equipment used in the aviation industry. Given the earlier advancement of flight control automation and the important lessons learned within avionics, this standard for automation control software is an important reference for NHTSA.

ISO 26262: Road Vehicles – Functional Safety – This voluntary industry standard is the first comprehensive automotive safety standard that addresses the functional safety of electrical and/or electronic (E/E) and software-intensive features in road vehicles. ISO 26262 was developed from the original IEC 61508 machine automation safety standard and from other machine automation safety standards for different manufacturing industries. ISO 26262 is a key element of SAE automotive safety standards.

FTA New Bus Testing Process – Under 49 CFR Part 665, all new bus models must undergo testing at FTA's Altoona Bus Testing Facility. These procedures include tests for performance at maximum gross vehicle weight (speeds on grades, parking brake operation), maintainability, noise, fuel economy, emissions, and safety. Safety tests include basic braking distance tests on a variety of surfaces and structural integrity of the vehicle chassis when stressed in different ways. New tests for AV sensors and actions would likely need to be developed, and other test criteria may need to be applied for smaller AV transit vehicles that are not the same size as a standard coach.

Machine Automation Functional Safety Standards

In the automated guideway transit industry, there has been growing interest in applying a functional approach to defining and analyzing the safety of equipment and subsystems.

IEC 61508 – Functional System Safety defines functional safety in terms of the requirements and analysis methodologies for electrical/electronic/programmable electronic (E/E/PE) safety-related systems. This is a product design standard that has had a major impact on the automotive industry and, by extension, on future safety standards for AV transit.

Safety Integrity Levels (SIL) – One of the most important contributions of the IEC 61508 functional safety standard was the concept of safety integrity levels (SILs). The use of SIL criteria to define functional safety is specifically oriented toward manufactured products that have specific product design requirements that must be met. Within the 61508 framework, the assessment of safe design must be certifiable for specific components, assemblies/subsystems and entire electronic/programmable control systems. SIL ratings are used to specify the target level of safety integrity. A benefit is that the approach using quantifiable SIL criteria makes failure-rate probability calculations easier for third-party verification and validation. Through commercial use of the IEC 61508 standards-based analysis methodology, an off-the-shelf supply of pre-certified components can be established.

ISO 26262 Road Vehicles – Functional Safety

The automotive industry has also applied the SIL methodology in a comprehensive manner using specific Automotive Safety Integrity Level (ASIL) criteria in ISO 26262. Note again that ISO 26262 is one of the key safety standards that NHTSA has been evaluating as part of its Model Policy and regulatory role. This automotive safety standard is specifically derived from the overall framework of functional safety methodologies defined in IEC 61508. Automotive industry applications of ISO 26262 are being used internationally and adopted by the SAE. These vehicle-focused safety methodologies are highly relevant to connected and automated vehicle technology development and manufacturing, including the supply of public transit vehicles.

23 James Martin, et al; University of North Carolina, Certification for Autonomous Vehicles https://www.cs.unc.edu/~anderson/teach/comp790a/certification.pdf
24 http://ntl.bts.gov/lib/57000/57000/57076/Review_FMVSS_AV_Scan.pdf
25 https://www.gpo.gov/fdsys/pkg/FR-2016-08-11/pdf/2016-18920.pdf
26 https://www.transit.dot.gov/sites/fta.dot.gov/files/docs/FTA_SMS_Framework.pdf
27 https://www.gpo.gov/fdsys/pkg/FR-2016-03-16/pdf/2016-05489.pdf A history of the related federal regulations is covered first in the Federal Register record, followed by commentary on comments received on the proposed rulemaking. The actual new Part 674 begins on page 28 of the PDF document.
28 Text combined from the descriptions found in the NHTSA reports, with web links provided in Section 1 above – see page 2 in NHTSA Assessment of Safety Standards for Automotive Electronic Control Systems, and pp. 7-9 in NHTSA Report to Congress: "Electronic Systems Performance in Passenger Motor Vehicles".

Standards Program of the Society of Automotive Engineers

A series of new standards under the auspices of the SAE has been in development for several years, intended for application to AV technology. Some of these standards deal with communications links for inter-vehicle communications and for vehicle-to-roadway infrastructure and internet "cloud-based" functionality. The standards are divided into two topical groups. The Part 1 topical group comprises 16 standards covering Terms & Definitions; Interoperability; and Vehicle & System Performance Requirements. Within this Part 1 group, standards are being developed on topics such as (selected examples):

• Automatic Emergency Braking Test Methods and Performance Assessment (SAE J3097)
• Automated Driving Reference Architecture (SAE J3131)
• AV Definitions: Key Terms Related to Human Interaction with Automated Driving Systems (SAE J3088)

The Part 2 topical group deals specifically with safety, and has sub-groupings of Functional Safety; Safety & Reliability; Active Safety; Safety & Human Factors; and Other Safety. Selected examples from Part 2 are:

• Design FMEA (Potential Failure Mode & Effects Analysis) and Process FMEA (SAE J1739)
• Adaptive Cruise Control Operating Characteristics & User Interface (SAE J2399)
• DSRC Requirements for V2V Safety Awareness (SAE J2945/2)
• Recommended Practices for Signal Preemption Message Development (SAE J2945/10)

Product Orientation of Vehicle-Focused Safety Methodology

NHTSA has embraced the SAE standards program as a key element of the USDOT policy for highly automated vehicles. It is therefore anticipated that vehicle manufacturers will use these standards as the primary source of vehicle-focused safety methodology from this point forward, within the functional safety framework based on ISO 26262. By using this set of functional safety standards, which allow a more precise and "transferable" calculation of the SIL level for components, assemblies and subsystems, manufacturers of AVs can supply products that are certifiable with respect to their safe design.

With this expectation of product certification, it is important to consider that the safety integrity levels and the associated methodologies are product oriented, and as such have "safety" criteria defined by design objectives and product failure norms. Per the NHTSA report referenced above,29 safety is defined in ISO 26262 as the "absence of unreasonable risk." The definition of hazards is based on operating conditions for the manufactured components, assemblies and control systems, conditions in which failures are characterized by a control system response that exhibits "unintended behavior of an item with respect to its design intent."

Transit System-Focused Safety Standards and Methodologies

The new initiatives by FTA to emphasize SMS are timely in that they begin to create a safety culture within each transit operating agency and authority. However, the details of the FTA requirements within the SMS framework are mostly in the form of guidelines whose intended application is generally to fixed guideway/rail systems. The applicability of SMS methodologies to bus operating agencies is also highly relevant, especially with respect to the safety risks of transit vehicle interactions with pedestrians and other traffic.

To put the topic of system-level safety analysis in perspective, it is helpful to understand that the systems engineering practices and related safety engineering methodologies generally referenced in the fixed guideway transit industry have been drawn from the standards guiding the automation of military and avionics systems over the past 50 years. The transit industry was simultaneously advancing its applications of automated systems when the first fully automated transit systems were deployed in the 1960s. Safety engineering in these parallel fields began with a principal focus on the hazardous implications of failure modes that could result in "catastrophic" accidents. Safety was viewed in this context as assessing and mitigating the risks of serious equipment damage, personal injury or fatalities resulting from such hazardous conditions.

MIL Standard 882

The approach to safety defined by MIL-STD-882 starts with a Hazard Analysis process that can begin at an early conceptual stage. Hazard Analysis combines the severity of the accident and the probability of occurrence of the hazard to create the risk index for the system. The most recent versions of MIL-STD-882 add considerable information about the safety analysis of software according to its importance in the control of the system, defined as a "software control category."

FTA began to adapt the processes and methodologies of the military programs as the safety analysis of transit systems began to match the complexity of aerospace systems. During the 1980s and 1990s MIL-STD-882B and its successor 882C (i.e., version "C") became a specific document that transit agencies and system designers/suppliers called for in technical specifications and project requirements. The "system-level" approach to safety analysis from MIL-STD-882C System Safety Program Requirements proved very effective in guiding the increasingly automated train control technologies being applied in the fixed guideway transit industry during the 1970s, 80s and 90s.

System-Focused Risk Assessment and Hazard Resolution Process – The Automated People Mover Standards Committee of the ASCE determined, in the review process for the 2005 update to ASCE 21, that there was a need to codify the processes of MIL-STD-882C as they had been applied to transit systems, in a manner that disconnected the text from the continually evolving military standards process. As a result of this initiative, the essential content of MIL-STD-882C was adapted to the specific application of the APM Standard and included in ASCE 21 as Annex A: System Safety Program Requirements. The System Safety Program (Annex A) of the APM Standard now covers the essential requirements for:

• System Safety Program Plan
• Preliminary Hazard Analysis
• Subsystem Hazard Analysis
• System Hazard Analysis
• Operating and Support Hazard Analysis

A distinguishing characteristic of the system-focused approach to safety analysis is that the whole operating system is addressed, including vehicles, guideways, stations, the surrounding right-of-way and all places and ways that people interact with the system. This process includes full documentation of hazard resolution activities through a Hazard Tracking System, which is used to manage and record identified hazards, associated mishaps, risk assessments, identified risk mitigation measures, selected mitigation measures, hazard status, verification of risk reductions, and risk acceptance. This is a document that is maintained from the early design phase of the system and updated throughout its lifecycle.

Safety Standards for Software-Controlled Functions – Highly relevant to modern automation technology is the use of computers to control many functions of machines, including where software performs vital, safety-critical functions. In the case of the ASCE 21 APM Standard, several means of using software-based computer controls are identified. More recently, multiple new standards have been advanced to specifically address the safety of software-controlled systems, including the latest version, MIL-STD-882E, which has a specific section addressing software control functions for military systems. Also, the avionics industry has produced an important software standard, DO-178C: Software Considerations in Airborne Systems and Equipment Certification. Both software standards have been evaluated by NHTSA in the referenced June 2016 NHTSA report, and a useful comparison of the basic tenets of each of these standards for electronic and computer processor software controls has been made with ISO 26262 and other software safety standards.

FTA Rules, Methods, and Guidelines Drawn from MIL Standard 882

FTA Safety Program Requirements provide a general process that applies to all rail transit systems. Drawing from MIL-STD-882, FTA requires that an organized process be undertaken to perform a suitable safety analysis for any transit "system" project as a condition of receiving federal funding. Rule 49 CFR Part 673, Public Transportation Agency Safety Plan, establishes the requirements for Safety Plans, Safety Management Systems, and Safety Plan Documentation and Recordkeeping. As part of these updated program requirements, a further structuring of this process has been established under the new SMS requirements (see Chapter 2), in which conducting a hazard analysis process is central to the requirements. Although FTA does not specifically address automated train control or other signaling, communications, electronic subsystems, or software, other such standards are typically identified, such as:

• American Railway Engineering and Maintenance-of-Way Association (AREMA) Communications and Signals Manual of Recommended Practices
• IEEE 1483 for safety verification
• IEEE 1012 for software Verification & Validation

This practice of referring to other standards for complex control system requirements establishes a potential model for incorporating AV technology into public transit applications under the FTA guidelines and program requirements.

Automated Guideway Transit System Safety Standards

In the United States, a complete functional and operational standard that includes specific safety requirements has been developed under the auspices of the ASCE (see Figure 9). The ASCE 21 Automated People Mover Standard (as discussed above) has had multiple updates over the past 20 years, and continues to be actively improved by representatives from APM technology system suppliers, owner/operator entities, and academia from around the world. In 2009 the International Electrotechnical Commission published a new safety standard for Automated Urban Guided Transport (AUGT) which is structured slightly differently from the ASCE standard (see Figure 9). IEC 62267 is specifically directed toward full regional unmanned metro systems.

29 Table 1 Definition of Safety and Hazard, p. 11; NHTSA Assessment of Safety Standards for Automotive Electronic Control Systems; DOT HS 812 285, June 2016

Figure 9. Two International Standards for Fully Automated Guideway Transit Systems

Added to these two international standards are the comprehensive railway system standards prepared and maintained under the European Union's Cenelec EN program. A noted set of related safety guidelines for EN standards are called MODSafe – Modular Urban Transport Safety and Security Analysis. These guidelines are intended for hazard assessments and safety analyses throughout the life cycle of a transit system.

ASCE 21 Automated People Mover Standard30 – The committee that continues to enhance the content and make editorial improvements to the ASCE 21 APM Standard has worked continuously since the first version was published by ASCE in 1996. The work of the committee follows the ASCE standards committee criteria that ensure a balanced consensus process. The standard addresses minimum functional design requirements, safety requirements, acceptance testing requirements and operating requirements for fully automated guideway transit systems. The document has been developed to span as many guideway-based technologies as possible, while still maintaining acceptable requirements for both small and large fully automated systems.

Figure 10 illustrates the ASCE 21 maximum unsafe failure rate for the automatic train control (ATC) system in comparison to the IEC 61508 SIL criteria for functional safety in machine automation, criteria also used in the ISO 26262 safety standard for automobiles. The threshold between SIL 3 and SIL 4 is shown to be the equivalent level of probability of dangerous failure condition that is deemed to be Unacceptable in the transit system-focused methodology prescribed in the ASCE 21 Automated People Mover Standard.31

Figure 10. Safety Integrity Levels Defined in IEC 61508 with Comparison to the Mean Time Between Hazardous Events for Automated Train Control Systems in ASCE 21

IEC 62267 Automated Urban Guided Transport Safety Requirements – This standard was first published in 2009. As the name indicates, this standard for "automated urban guided transport" is intended to address safety requirements for large, urban metro systems and not small-scale "people movers". This IEC standard is specifically targeted toward:

"… the safety requirements needed to compensate for the absence of a driver or attendant staff who would otherwise be responsible for some or all of train operation functions."

30 http://ascelibrary.org/doi/book/10.1061/9780784412985
31 In Figure 10, PFH = "probable failures per hour" and MTBHE = "mean time between hazardous events"

This limitation of the intended “scope” of the IEC 62267 AUGT safety requirements to only those functions that are assumed by the automation in replacement of a “driver” makes it not directly comparable to standards that encompass all aspects of an operating transit line – such as ASCE 21. Further, the organization of the IEC standard content is by driver/attendant functions which are assumed by the automated system. An important supplemental safety document to IEC 62267 was published as a separate technical report following the publication of the standard. This work involved an international working group that developed a consensus statement of a “generic system-level hazard analysis”. Published under the same IEC number, the special study document carries the designation of a “Part 2” technical report – IEC 62267-2.

European Standards for Railway Applications – European railway standards called Cenelec EN standards address Reliability, Availability, Maintainability and Safety (RAMS) in an integrated and cohesive manner, and have strong correspondence to many of the IEC standards. Relevant EN standards for fully automated fixed guideway transit systems include:
• CENELEC EN 50126 – Railway Applications – The specification and demonstration of Reliability, Availability, Maintainability and Safety
• CENELEC EN 50128 – Railway Applications – Communications, signaling and processing systems – Software for railway control & protection systems
• CENELEC EN 50129 – Railway Applications – Communications, signaling and processing systems – Electronic systems for signaling
European standards, as well as the IEC standard 62267, are designed specifically to assist operating agencies that have manually or semi-automated railways in the orderly process of migrating them to full automation of the transit line.
Another key difference of the EN safety program in the railway standards when compared to ASCE 21 is that safety risk is assessed based on functions rather than components – with similarity to the principles of functional safety. The safety criticality of a function determines the Tolerable Hazard Rate (THR) for that function, and the corresponding SIL that needs to be achieved. This determines the acceptable failure rates and development processes for the hardware and software that support each function. There is also an EN compatible set of safety assessment and analysis guidelines developed under the auspices of the European Union known as MOD Safe, or Modular Urban Transport Safety and Security Analysis. The work evaluated where there were deficiencies of standardization for technical safety functions when applying the safety process over the complete project life cycle and multiple guideline documents have been prepared for progressive use.

Process Orientation of System-Focused Safety Methodology

NHTSA’s assessment of electronic control system safety standards concludes that MIL Std. 882 is “not a safety certification standard.” Rather, MIL Std. 882 is a process of safety analysis and documentation that can support appropriate oversight through reviews and audits, while still allowing flexibility to the project program manager and contractors to determine the details of the safety design32. It remains a system-focused safety analysis process that is structured to protect human life and property. In addition, the NHTSA report from June 2016 that assessed multiple different safety analysis methodologies described the difference between MIL Std. 882 and other methodologies in the following way.

ISO 26262 and DO-178C both make safety engineering an integral part of the product development process. On the other hand, MIL STD-882E specifies a system safety engineering process separate from but parallel to the product development process.33

It is reasonable, therefore, to use a different characterization of the system-focused process of safety analyses and assessments for transit applications of automation technology, when compared with methodologies that focus on the functional safety of machines and manufactured products leading to “safety certification.”

Considerations of AV Transit Safety Assurance

For consideration of the safety analysis process suitable for AV roadway vehicle technology deployment in public transit service, the focus of the methodology should be placed on the whole operating system throughout the project life cycle. However, this system focus does not obviate the need for operating vehicles that have been safely designed as products intended for use in public transit service. This comprehensive safety assurance methodology means that all aspects of the specific site deployment must be addressed with each project.
Further, there is an important complication to the safety assurance process for AV transit with the reality that there will be a progressive application of different levels of automation, particularly for bus operations. This will inherently create different and important new dimensions of hazards and risks that analysis processes must address. The best approach appears to be a blending of automotive and transit system safety methodologies discussed in the previous chapters. The discussion that follows provides considerations of how these and other factors may play into a comprehensive safety assurance process for AV transit systems.

32 P. 23, Section 3.11 Review, Audit, and Certification; NHTSA Assessment of Safety Standards for Automotive Electronic Control Systems; DOT HS 812 285, June 2016
33 P. 9, Section 3.1.1 Process Prescription, Ibid

Nature of Hazards and Risks in the AV Transit Operating Environment

Each project and local site application of automated roadway vehicles will necessitate specific attention to the operating environment and inherent hazards that could be faced for that specific transit service. Applying an appropriate system safety assurance process is essential, along with the overall planning and execution of the system safety program in accord with the FTA SMS guidelines. A definition by NHTSA of design criteria for “highly automated vehicles” would include the ODD (refer to Figure 8 above) – operational conditions that also have corresponding vehicle-related failures and hazards which the vehicle design must safely mitigate. From these requirements, the vehicle manufacturers will assess the probability of a hazardous event occurring from which unacceptable failures could occur that are outside the vehicle’s intended design. This SAE compliant design will be done within an AV manufacturer’s self-certification process and the corresponding safety assessment letter submitted to NHTSA. The “cross-cutting” areas and automation functions that are to be addressed in the letter are summarized in Table 2, which is taken from p. 34 of the recently released USDOT/NHTSA policy document.

Table 2. Applicability of Federal Automated Vehicle Policy Guidance Areas to SAE Level 2-5 Automated Vehicle Systems

Based on this premise of vehicle-focused safety certification inherently addressed by the vehicle product design, the AV transit system operator and the authority having jurisdiction will conduct the overall safety assurance program that would include the vehicle’s design safety certification along with other systems (such as transit signal priority or preemption, roadway lane markings, off-line stations, fences, etc.) to assess hazards and risks for the entire transit operation. This safety assurance program would begin with the initial planning of the system, and continue throughout the design, implementation and ongoing operations of the AV transit system. In a sense, the safety assurance process of the operating agency wraps around the safety certification provided by the vehicle manufacturer.

One item to be considered in the application of the NHTSA vehicle self-certification process in public transit applications and the overall safety assurance process is that there is no prescription of analytical methodology for the hazard analysis and risk assessment in ISO

26262. Various methodologies such as a Hazard and Operability Analysis (HAZOP), Failure Modes and Effects Analysis (FMEA), and System Theoretic Process Analysis (STPA)34 are allowed regarding the vehicle’s electronic control system at the discretion of the vehicle manufacturer.

Driving Tasks in Transit Vehicle Operation – In considering the criteria defining the ODD of public transit vehicles, it is important to recognize that automated operation of transit vehicles within a fully automated system imposes more than automation of just the driving functions within the responsibilities of the “machine-operator.” Note that the automated transit operations tasks that should be included in the automation based on IEC automated train operations include the following items not addressed by the CAMP automated driving tasks:
• Supervising passenger transfer (i.e., the boarding and alighting process),
• Operating a train to and from storage locations or the maintenance depot, and
• Detection/management of emergency situations.
These tasks are complex and impose different kinds of hazardous situations from those of driving the vehicle. New vehicle subsystems not typically provided with regular automotive applications of AV technology may be required, such as systems to monitor the doorways of the vehicle to ensure that passengers have passed safely through the doorways. Such requirements may dictate a different set of operational design domains for public transit applications of Level 4 automation when the vehicle is certified by the vehicle manufacturer to operate in an unmanned mode. Although multiple formal variations in the NHTSA ODD definitions given to the AV manufacturers for purposes of self-certification are not necessarily proposed, a range of operational design domains for public transit applications may be appropriate to define.
Complexities of AV Transit Hazards and Risk Assessments – The breadth of the AV transit vehicle and system safety assurance process must encompass failures and hazardous conditions overall that include:
• Roadway infrastructure design and maintenance
  o Lane markings, signage, lane geometry
  o Signal systems and V2I
  o Communications system backbones
• Environmental conditions and variations
• Pedestrian, bicycle and non-automated vehicle interactions
• Vehicle Hardware system failures
• Vehicle Electronic control systems & detection/sensing system failures
  o Multi-signal sensor/detector interpretation & harmonization
• Vehicle Programmable software-based control & monitoring systems failures
  o Failures and programming anomalies, obsolescence
• Vehicle Human-Machine interfaces and interactions/response conditions
  o Alertness, understanding, knowledge, ability to act (SAE Level 2-4)
  o ADA passenger boarding/alighting provisions, visual and audio announcements, wheelchair restraint systems, etc.
• Malicious, capricious security breaches and manipulations

34 https://www.nhtsa.gov/DOT/NHTSA/NVS/Public%20Meetings/SAE/2015/2015SAE-Hommes-SafetyAnalysisApproaches.pdf

It is also important to recognize that automated roadway vehicle systems in transit service are considerably more complex than any such train control systems applied to automation in fixed guideway transit. This is particularly true within the automated roadway vehicle’s control system, which employs multiple sensor systems, electronic and software driven control systems, and (perhaps) artificial intelligence. While ISO 26262 provides a clear process for functional safety, automated driving sensors provide inputs that are now effectively infinite as the range of environments that a given AV can navigate is uncontrollable. Machine learning and pattern recognition systems that process the inputs can produce non-deterministic and un-provable responses to a given set of inputs, resulting in a system that can’t reasonably be verified to do “action X” in response to “input set Y”. These conditions are more complex than anything that has been attempted in the safety assurance processes developed in the automated fixed guideway transit field.

Operating Authority’s Involvement in Risk Assessment – The various standards and FTA SMS safety program approach generally follows the safety assurance process derived from the MIL Std. 882 methodology.
This process of assessing risks through the system safety assurance process, with the Authority Having Jurisdiction directly involved, will reasonably include:
• Local safety-culture considerations
• Risk comparisons to human-operated transit
• Cost considerations of implementing the possible hazard mitigations
• Adjusting the ODD or system deployment approach to eliminate the hazard
These scenarios for system failure, and the potential for hazardous conditions becoming more probable due to human intervention to override safety functions, require implementation of strong procedures and protocols that must first be defined and vetted through the hazards and risk assessment process while the system is in the conceptual design phase. AV transit operating plans and associated protocols for actions by onboard backup operators or roving operations “recovery” personnel must be an integral part of the SMS hazard analysis and resolution process. Both of the following must be part of the safety assurance plan for the specific transit system deployment:
• the vehicle response to a failure or hazardous condition that reverts to what NHTSA calls a “fallback” action, and
• the operations personnel failure response rules and protocols.

Comprehensive Approach to AV Transit Safety Assurance

A comprehensive approach to developing the US transit industry’s approach to safety assurance can help speed this disruptive technology revolution. A cooperative effort between

the USDOT/State government sector, the automotive/transit vehicle manufacturers and AV technology development sector, and the public transit industry sector will yield the best result. Taking a proactive approach in the consensus process will have substantial benefits over delaying until one or the other sectors takes the next step or simply reacting to the direction the technology is heading. Functional Safety is provided through self-certification by the manufacturers/vehicle supplier using the approach in the SAE/ISO 26262 standards. The Safety Assurance Process building from the FTA SMS principles then would wrap around the vehicle technology and add other physical elements and subsystem equipment such as the right-of-way, roadway infrastructure wayside V2I communications equipment, supervisory dispatch control systems, and the fixed facilities and associated station equipment.

Benefits of Industry Consensus Standards for AV Transit – Taking a comprehensive approach to developing an industry norm for AV transit systems will not only involve the methodologies described, and not only the expansive system elements mentioned, but also creating a suitable consensus standard(s) that addresses the whole transit system’s safety requirements. Such an industry definition of methodology and a generic framework of hazard definitions will not remove the need for the safety assurance process to be applied to every new project to address unique hazards that are present in each site-specific location. If properly developed, the industry norms will facilitate each local authority’s application of the methodologies for their local projects. In developing a transit industry consensus standard, a key issue would be to address the system failure response that “falls back” to a “minimum acceptable risk condition”.
Safety criteria suitable for the transit industry would have to be defined with respect to a product manufacturer’s minimum design requirements, particularly with how exactly an AV responds to defined hazards to provide an “absence of unreasonable risk” in accord with a manufacturer’s “design intent.” Although the suggestion of a consensus standard is possibly a disruptive idea in the current free market of AV development, such an endeavor would need the full involvement of SAE, both federal and state government agencies, and the transit industry through entities like American Public Transportation Association (APTA) in North America and possibly the International Association of Public Transport (UITP) in Europe.

Safety Assurance Process Roles and Responsibilities

There are many parties that typically would have a role to play in the deployment and operation of an AV public transit system, including the governmental bodies, local transit authority or bus operator, as well as the employee unions and insurance companies. But not all have a direct responsibility for the implementation of a comprehensive safety assurance program. Roles and responsibilities with respect to safety assurance, contractual obligations/liability, system planning/design/implementation, as well as vehicle/system testing and acceptance will need to be defined. All of the following entities should have responsibilities resulting from an AV transit safety assurance program:

• Local Authority Having Jurisdiction for Safety Assurance
  o Legal responsibility
• System Equipment/Facilities Manufacturers, Suppliers and Constructors
  o AV Manufacturer/Supplier
    ▪ Vehicle safety
  o System Integration Contractor
    ▪ Cybersecurity of ITS systems, V2V/V2I communications systems, vehicle dispatch and operations command and control (supervisory control system)
    ▪ Safety of station systems and equipment
  o General Contractor(s)
    ▪ Safety of physical transit stations, Maintenance/Operations Facilities, and Transitways/Roadways
• Local and State Government Agency
  o Safety of roadway design/maintenance and traffic signal system
• Local Government(s) responsible for multimodal transportation infrastructure
  o street parking, street lighting, street furniture, signage and lane markings
  o building codes and land use ordinances, roadway system right-of-way planning and complete street/pedestrian/bicycle facilities design provisions
• State Safety Oversight Agency (e.g., State Department of Transportation)
  o Implementation of safety management system
• NHTSA
  o FMVSS
  o ODD certification (potential)
• FTA
• Industry Groups Providing Consensus Standards
  o SAE
  o APTA
  o Others as they become involved

A comprehensive approach to AV transit system safety assurance starting at the project level through the involvement of the local and state parties, combined with a comprehensive approach to developing regulations and standards at the national and international levels, offers the best promise for a fast and effective deployment of AV technology. For much more detail on this important element of the future of AV transit, refer to Working Paper #2 of this project.
Findings on AV Transit System Safety

NHTSA Policy – The Federal AV Policy established an initial process whereby automobile manufacturers and AV developers can submit a written assertion of their safe design, using SAE standards as their primary basis of certification – a standard regimen that is supported by the ISO 26262 Road Vehicle Functional Safety standard. Within that safety standard a process of certification documentation is established, although the precise calculation details in hazard analysis and risk assessment are allowed through several different methodologies (such as Failure Modes and Effects Analysis or System Theoretic Process Analysis).

FTA Policy – Transit system safety has been addressed by the FTA through the timely establishment of a new Safety Management System rulemaking. The SMS is very much like a process

also adopted by FAA, and is well suited to serve as a foundation for future safety assurance processes that will be necessary for complex AV deployments in transit service.

Vehicle-Focused Methodologies – Safety methodologies that use an approach based on “functional safety” are derived from the original machine automation standard IEC 61508, which defined a process of assessing “functional safety” and from which numerous industry sector specific application standards have been prepared. In the automotive industry, the resulting functional safety standard is ISO 26262, which has become the principal safety methodology written into the SAE standards for automated vehicles.

System-Focused Methodologies – Originally applied as MIL Std. 882, the basic methodology follows a set program of safety methods, beginning with the performance of a hazards analysis and risk assessment. The methodology then continues with a systematic program to identify, mitigate and manage the risk of any unacceptable accidents which could result in a hazardous event that is unacceptable – i.e., resulting in fatalities, injury and/or significant equipment damage. In addition, several safety standards written specifically for automated guideway transit systems also follow this line of methodology, including the ASCE 21 Automated People Mover Standard, IEC 62267 Safety Requirements for Automated Urban Guided Transport, and the set of Cenelec EN standards for railways applicable to fully automated railways.

AV Transit Safety Assurance Considerations – The operation of an automated transit system requires a comprehensive safety assurance approach, with assessment of safety impacts of hazards beginning in the conceptual design phase, and continuing throughout the life cycle of the project.
Hazardous conditions that are possible must be assessed for risk, and each hazard must then be reasonably mitigated through design (or other means of risk mitigation). This process must extend from the AV technology to the transitway on which the vehicles would operate, the V2I communications equipment, the stations and facilities of the system and the whole range of possible operating conditions.

Guidance of AV Transit Deployments – Many stakeholders have a role in the process of safely planning, designing and deploying an AV Public Transit system. Multiple federal government agencies, state government agencies, and local government agencies affect the preparation and execution of a safety assurance program by the local public transit operator. The most important consideration that these agencies address is the fact that safety analyses which focus only on the driving automation systems and the other vehicle safety features are not sufficient. Only a blended approach of the vehicle-focused and system-focused methodologies can comprehensively provide operational safety of automated transit systems. The role of a conventional transit vehicle’s human operator goes well beyond just “driving the bus.” The management of passengers and the situations that they can bring into the operating system cannot be addressed by vehicle automation technology alone. Human oversight and associated supervisory systems also perform key functions in safety and security of public transit.

Research Projects on AV Transit Safety – There are significant matters to be addressed in the near to medium term regarding the safety analyses required for AV transit deployment in passenger service, especially when automation levels reach L4 full automation. The following key research projects, which are based on the discussions and findings of this working paper, would be beneficial:

1. Definition of Complete Transit Functions to be Automated – Research that would assemble a comprehensive definition of tasks/functions typically performed by a human operator or attendant in a conventional transit vehicle/train would be beneficial. The study could also perform a detailed evaluation of automation prospects for those tasks/functions not included in the SAE J3016 defined dynamic driving task (DDT) and ODD.
2. Categories of Hazards and Risks – Assessment of categories for hazards and risks as defined by MIL Std. 882 and its derivatives (e.g., ASCE-21, per Table 2 above) would be beneficial in a technical study, while considering the necessary criteria and operating environments to assess whether scenarios with any fatality or injury are always Unacceptable for any AV transit application. Further, the study could assess whether there are scenarios where one or more fatalities could be categorized as Undesirable or Acceptable for some AV transit applications or circumstances. Subsequently, the study could provide a definition of associated operating environment, level of automation, conditions of other vehicle access control, etc. for the scenarios as defined.
3. Generic Hazards Analysis – Preparation of a Generic Hazard Analysis for each type of operating environment and level of automation is a recommended study, beginning with IEC 62267, Part 2 as an initial template of methodology and types of hazards and then expanding the analysis to represent conditions of AV transit deployment.
4. New Consensus Standard for AV Transit Systems – Research that would perform an adaptation of an existing automated guideway transit safety standard, or alternatively creation of a totally new standard, with full involvement of the transit industry (operating agencies and system equipment suppliers), governmental authorities, and AV technology researchers/developers would be informative.
5. Transit Operational Design Domain – Development of the parameters, criteria, and characteristics of the AV transit specific operational design domain is needed in a form compatible with the ODD defined by the SAE for non-transit applications.

TRB's National Cooperative Highway Research Program (NCHRP) Web-Only Document 239: Impacts of Laws and Regulations on CV and AV Technology Introduction in Transit Operations explores the potential barriers imposed by operating policies, agency regulations, and governmental laws relative to the transit environment. Without adjustment, the combination of new technology with old rules could result in delays and restrictions to deployment, which may reduce the cumulative societal benefits of automated systems technology. This project presents a roadmap of activities to be performed by industry groups, legislatures, the federal government and others to facilitate automated roadway transit operations.
