By Michelle Chaka
Locomation’s Director of Safety Assurance & Standards
Note: The following is excerpted from our recently posted Voluntary Safety Self-Assessment.
Safety is incorporated in everything we do, from design, development, verification, and validation through manufacturing and operation. Industry best practices, tools, and standards are used to help minimize potential safety risks at every step of the process. Locomation’s ARC system must—and will—be transparent and verifiably safe. To achieve this, Locomation is creating a Safety Case to prove that the ARC system is acceptably safe, defined as free from unreasonable risk of harm to humans and/or property. The Safety Case provides Locomation with a clear, actionable, and responsible path to product delivery.
THE ARC SAFETY CASE
A safety case is a structured argument based on evidence to justify that a system is safe for specific uses and operating conditions. Safety-critical industries such as nuclear, aerospace, and rail have demonstrated the benefit of similar approaches. Locomation’s ARC system is leveraging the UL 4600, Standard for Safety for the Evaluation of Autonomous Products to guide the creation of our Safety Case.
Locomation’s Safety Case is centered around our single, top-level objective: the ARC system shall be acceptably safe (i.e., free of unreasonable risk of harm to humans and/or property) to operate on public roads.
From there, our team developed a structured plan to establish the evidence to demonstrate that we engineer, manufacture, operate and improve our technology in a safe manner.
Locomation is using a variety of metrics to measure and analyze the safety performance of our system. These measures include predictive metrics (e.g., maintaining a safe distance around our convoy) and more traditional metrics capturing safety outcomes (e.g., crashes and compliance with traffic laws). The safety performance data will provide the initial evidence that we engineered and manufactured the system right, and will continue to serve as a way to monitor the manufacturing and operation of our system to ensure we improve it right.
We leverage a variety of applicable standards and tools in our system safety and engineering processes to produce the work products that substantiate our Safety Case argument. Especially important to our safety engineering work are Functional Safety (FuSa) and Safety of the Intended Functionality (SOTIF), which introduce analyses including Failure Modes and Effects Analysis (FMEA), Hazard Identification and Risk Evaluation (HIRE), Hazard Analysis and Risk Assessment (HARA), and Fault Tree Analysis (FTA). Applying these tools and standards helps us identify and mitigate or prevent malfunctions, functional insufficiencies, and systematic failures, and to design for Fault Management Safety so the system keeps performing safely.
Additionally, socio-technical analysis methods are being used to engineer and evaluate the human-machine coordination aspects of the ARC system in order to ensure appropriate context is considered for autonomous operations.
One of the most critical aspects of the Safety Case is proving that we’ve established the right safety culture, which is all about the way safety is perceived, valued, and prioritized in our company. One of the ways we achieve this is by establishing an effective Safety Management System (SMS) program. SMS programs are used for aviation to create a systematic approach to organizational safety and have begun to be used for automated automotive technologies.
Locomation has a pilot SMS program in place and a Safety Review Board to support our development testing. The SMS program will continue to be refined and expanded as we progress towards production. Our Quality Management System (QMS) is built under the guidance of ISO 9001 and IATF 16949 and aligned with Locomation’s purpose and strategic direction. The policies and resources we have implemented enable our organization to adopt standard practices and ensure consistent quality.
Our QMS complements the SMS program and provides oversight to our lifecycle processes and requirements.
Our “human-in-the-loop” solution is a key part of our system and its safe operation including during the testing stages. The development is guided by our Safety Case plan and system safety engineering practices are used to safely conduct our test program. We also apply a careful progression to our development stages that includes a combination of simulation and test-track testing along with expert reviews prior to advancing to on-road testing.
The ARC prototype is designed and tested to ensure that the safety driver can assume manual driving control of the vehicle at all times during testing and that the automated driving system will not perform any unsafe action that cannot be controlled by its safety driver. Autonomy requires a simple, multi-step process to arm and engage the system to help avoid unintended activation. When armed, the system performs a self-health check before allowing the safety driver to engage autonomy-controlled driving. Any engagement of the manually operated driving controls (e.g., steering wheel and brakes) automatically disengages autonomy. There is also an emergency-stop button within arm’s reach of the safety driver and test engineer.
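The arm/engage/disengage interlock described above can be modelled as a small state machine. The following is an added illustration, not Locomation’s code: the two-step arming sequence (`arm_switch`, `confirm_button`), the names of the health checks, and the control names are all assumptions chosen for the example; the properties it enforces are the ones the text states (a deliberate multi-step arm, a self-health check gating engagement, any manual control input disengaging autonomy, and an emergency stop that always returns to manual).

```python
"""Toy interlock for autonomy arming and engagement (illustrative only).

States: MANUAL -> ARMED -> ENGAGED. Arming requires a deliberate ordered
sequence of inputs; engagement is gated on a self-health check; any manual
driving input or an emergency stop returns the system to MANUAL.
"""
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    MANUAL = "manual"
    ARMED = "armed"
    ENGAGED = "engaged"


# Hypothetical arming sequence; the real ARC sequence is not described in the text.
ARM_SEQUENCE = ("arm_switch", "confirm_button")


@dataclass
class AutonomyInterlock:
    mode: Mode = Mode.MANUAL
    arm_progress: list = field(default_factory=list)  # inputs seen so far in order
    log: list = field(default_factory=list)           # audit trail of transitions

    def press(self, control: str) -> Mode:
        """Advance the arming sequence; an out-of-order press resets it."""
        if self.mode is not Mode.MANUAL:
            return self.mode
        expected = ARM_SEQUENCE[len(self.arm_progress)]
        if control == expected:
            self.arm_progress.append(control)
            if len(self.arm_progress) == len(ARM_SEQUENCE):
                self.mode = Mode.ARMED
                self.arm_progress = []
                self.log.append("armed")
        else:
            self.arm_progress = []  # a stray press must never count toward arming
            self.log.append(f"arming reset by unexpected input {control!r}")
        return self.mode

    def engage(self, health: dict) -> Mode:
        """Engage only from ARMED and only if every monitored check passes."""
        if self.mode is not Mode.ARMED:
            self.log.append("engage refused: system not armed")
            return self.mode
        failed = sorted(name for name, ok in health.items() if not ok)
        if failed:
            self.mode = Mode.MANUAL  # a failed self-check falls back to manual
            self.log.append(f"engage refused: health check failed {failed}")
            return self.mode
        self.mode = Mode.ENGAGED
        self.log.append("engaged")
        return self.mode

    def manual_input(self, control: str) -> Mode:
        """Any steering/brake/throttle input by the safety driver disengages."""
        if self.mode is Mode.ENGAGED:
            self.log.append(f"disengaged by manual {control}")
        self.mode = Mode.MANUAL
        self.arm_progress = []
        return self.mode

    def emergency_stop(self) -> Mode:
        """E-stop returns to MANUAL from any state, unconditionally."""
        self.log.append("emergency stop")
        self.mode = Mode.MANUAL
        self.arm_progress = []
        return self.mode


def demo() -> list:
    """Walk the nominal path plus a stray press and a driver override."""
    ilock = AutonomyInterlock()
    ilock.press("confirm_button")  # out of order: resets arming, stays MANUAL
    ilock.press("arm_switch")
    ilock.press("confirm_button")  # completes the sequence -> ARMED
    ilock.engage({"lidar": True, "gps": True, "brake_actuator": True})
    ilock.manual_input("brake")    # driver braking -> MANUAL
    return ilock.log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Two design points carry over to a real implementation: the health check is evaluated at the moment of engagement rather than at arming, so a fault that appears between the two steps still blocks autonomy; and the override paths (`manual_input`, `emergency_stop`) do not consult any state before acting, so there is no mode in which the driver’s input can be refused.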
Each ARC prototype is equipped with a driver monitoring system to make sure the safety drivers keep their primary focus on the driving task. Locomation’s policies (e.g., Driver Distraction Policy), testing protocols/procedures and training are aimed at making sure Locomation has the safest drivers and test engineers on the road.
For example, our testing protocol for lateral autonomy requires the safety driver to have a light touch on the steering wheel at all times to allow for quick manual steering recovery.
Most importantly, every employee at Locomation is responsible for reporting issues and can initiate a fleet and crew grounding at any time. There is no retribution for initiating a grounding in good faith, and all reported issues are acted on promptly and tracked to make sure that all issues are properly resolved.
System safety brings together all of the safety elements to provide a holistic safety approach to the development, verification, and validation of the ARC system. Central to this approach is ensuring that as prototype development evolves, the correct assignment of driving functions between human drivers and autonomy is made.
Additionally, the context in which these driving functions are exercised is considered when determining when it is appropriate for a safety driver to take over.
Taken together, we believe this approach gives Locomation the rigor we need to ensure we will introduce no unreasonable risk to safety in the testing, development, and ultimately the deployment of our technology.