UL 4600 FAQ *
Eventually. The draft standard will be reviewed by the STP as part of the preliminary review and will likely go through several iterations before moving on to the formal balloting and public review process. However, we encourage any stakeholders to apply to join the STP in order to make sure their voices are heard. The STP will be limited in size and balance; however, those who are not appointed to the STP will be added as stakeholders. Stakeholders will receive the draft standard for review and comment once it moves to the formal balloting phase.
Scoping and writing of the standard began in 2018, and the goal is to have a completed standard published by the end of 2019 or early 2020. If the time frame to create this standard seems fast, that is one of the benefits of the UL standards development process. The UL standards development process uses a small drafting committee to create the first draft version of the standard. That drafting committee includes UL standards experts and a small number of subject matter experts. Once that first draft standard is completed, a group of diverse industry stakeholders and a broader group of subject matter experts will be recruited to review and provide feedback on the draft standard. This group, the Standards Technical Panel (STP), is a consensus voting committee and is being formed in Spring 2019. The STP will begin the first review upon the completion of the first draft standard. Once the approved standard is published, it will be under continuous maintenance, meaning we expect there will be periodic updates to keep up with technological advances as often as every six months.
The proposed UL 4600 standard is the first comprehensive safety standard for autonomous products. UL 4600 will address safety principles and processes for the evaluation of autonomous products. The standard will address the ability of autonomous products to perform the intended function without human intervention based on their current state and sensing of the operating environment, and other safety aspects of autonomous products will also be addressed. The standard will encompass fully autonomous systems that move, such as self-driving cars, but also vehicles for mining, agriculture, maintenance, and lightweight unmanned aerial vehicles. The first version will be specific to autonomous self-driving cars that do not depend upon humans to perform or supervise driving (e.g., SAE Level 4). It is envisioned that future end product standards will tailor UL 4600 to address specialized applications such as warehouse robots.
UL 4600 is initially aimed at fully autonomous operation of passenger vehicles within a restricted operational design domain (SAE Level 4). It is planned that a subsequent version of the standard will include other autonomous systems such as factory warehouse robots. The standard permits human operation of vehicles but excludes safety during human supervision and human operation of vehicles from its scope.
No. This standard is focused on building a safety case for the deployment of SAE Level 4/5 vehicles, not for practices related to on-road testing. The practices involved are sufficiently different that a separate standard is required for on-road testing safety.
UL 4600 uses a safety case approach. A safety case is a written document that gives a methodical explanation of why a system is acceptably safe. It contains claims (what does it mean to be “safe”), argumentation (why should we believe it is acceptably safe), and evidence (what data supports the argumentation). This is a non-prescriptive approach in that there is no set requirement for building the system in a certain way or using particular components. Rather, the emphasis is on making sure that the safety case does not leave out important parts of the explanation.
What is the relationship between UL 4600 and other standards such as ISO 26262 and ISO 21448-SOTIF?
The proposed UL 4600 standard focuses on ensuring that a comprehensive safety case is in place including safety claims, argumentation, and evidence. It is intended to cover computer-based system aspects of autonomous operation. It is specifically designed to build upon the strengths of existing standards such as ISO 26262, and evolving standards such as ISO 21448-SOTIF. It is not a competing standard to those and other standards being developed. UL 4600 permits claiming appropriate credit for conforming to those standards while ensuring autonomy-specific gaps are filled.
Areas of specific emphasis include safety practices for machine learning based approaches, functionality for which complete requirements are not available, addressing “unknown unknowns” in safety argumentation, and ensuring that adequate fault mitigation capabilities are present in systems that do not have human driver oversight. We anticipate that many users of the standard will, in fact, build upon existing ISO 26262 and newly created ISO 21448-SOTIF conformance strategies, and we believe these standards are complementary to UL 4600.
The standard requires that the designers clearly define the Operational Design Domain (ODD) they plan to operate in, and then show that they have handled all the hazards relevant to that ODD (as well as other issues such as what happens when the system exits the ODD). Therefore, the standard permits each design team to solve only the problems that they need to solve to ensure safety for their specific system.
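The safety-case structure described above (claims, argumentation, evidence) and the requirement to handle every hazard relevant to the ODD can be checked mechanically. The sketch below is an added illustration, not text or tooling from UL 4600: the `Claim` fields, the rule for when a claim counts as supported, and the sample hazards and claims are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Claim:
    """One safety-case node (hypothetical layout, not a UL 4600 format)."""
    text: str
    argument: str = ""                              # why the claim should be believed
    evidence: list = field(default_factory=list)    # references to supporting data
    subclaims: list = field(default_factory=list)   # claims this one decomposes into
    hazards: set = field(default_factory=set)       # ODD hazards this claim addresses

def find_gaps(root, odd_hazards):
    """Return (texts of unsupported claims, ODD hazards no supported claim covers)."""
    unsupported, covered = [], set()

    def walk(claim):
        # Assumed rule: a claim is supported when it has an argument, every
        # subclaim is supported, and it rests on evidence or on subclaims.
        children_ok = [walk(c) for c in claim.subclaims]   # visit all, no short-circuit
        grounded = all(children_ok) and bool(claim.evidence or children_ok)
        ok = bool(claim.argument) and grounded
        if ok:
            covered.update(claim.hazards)
        else:
            unsupported.append(claim.text)
        return ok

    walk(root)
    return unsupported, sorted(set(odd_hazards) - covered)

# Constructed sample: hazards and claims are invented for illustration only.
ODD_HAZARDS = ["pedestrian_in_roadway", "sensor_degraded_by_rain", "odd_exit"]
CASE = Claim(
    "Vehicle is acceptably safe within its ODD",
    argument="All identified ODD hazards are mitigated",
    subclaims=[
        Claim("Pedestrians are detected and avoided",
              argument="Perception meets its detection target on ODD test data",
              evidence=["test-report-placeholder"],
              hazards={"pedestrian_in_roadway"}),
        Claim("Rain-degraded sensing is detected",
              argument="Sensor health monitor triggers a fallback",
              hazards={"sensor_degraded_by_rain"}),   # argument but no evidence
    ],
)

if __name__ == "__main__":
    print(find_gaps(CASE, ODD_HAZARDS))
```

On the sample, the rain claim is flagged for lacking evidence, the top-level claim is flagged because it depends on it, and the ODD-exit hazard is reported because no claim addresses it at all.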
The bulk of the standard is concerned with ensuring that safety cases include all relevant considerations for deploying a fully autonomous vehicle (e.g., SAE Level 4). That means the standard does not tell anyone how to build a vehicle. Rather, it makes sure that safety has been considered in a comprehensive way during the design and test of the vehicle. As a simple example, it does not require the use of a certain number and type of cameras, lidars, and radars. Rather, it requires that the designer show that whatever sensors have been used provide a sufficient, robust ability to detect and classify all objects relevant to the system’s intended operational design domain. We further expect that a fast update cycle (less than a year, if need be) will permit the standard to evolve quickly as required to keep up with emerging technical challenges.
The STP is the voting committee that determines the final content of the initial standard and maintains the revision process. The STP application period ends on April 22nd. Stakeholders not on the STP can apply to receive and comment upon draft versions as non-voting members after that date. Requests for application to STP membership and stakeholder group membership should be sent to: Deb Prince at UL at <Deborah.Prince@ul.com>
The initial UL standard will be accredited as a National Standard in the U.S. and Canada. However, as a voluntary third-party standard, it can be used in any region or country. UL intends to pursue international standardization and/or adoption, as it has for other standards, after the first version of the standard is completed. The Standards Technical Panel (STP) is expected to include representatives from the U.S., Canada, Europe, and Asia. Additional non-voting stakeholder representatives are welcome from around the world.
Edge Case Research was formed by leading autonomy and software safety experts from Carnegie Mellon University who believe that safety should be built into all software products from the ground up. The co-founders of ECR have been involved with autonomous vehicle safety for almost as long as autonomous vehicle development has been going on. Over the past several years, our team has been working on and helping to define best practices in autonomous vehicle and robotic safety for numerous clients and partners.
*Disclaimer – All statements concerning the draft standard are subject to change based on the feedback from the Standards Technical Panel (STP).