UL 4600
UL CSDS Proposal
Edition 2
Published Date: January 20, 2023
Last Revision: October 06, 2022
Scope
046000-000000-0000002 Scope
1 Scope summary
2 1.1 This standard covers the safety principles,
risk
mitigation, tools, techniques, and lifecycle processes for building and evaluating a safety argument
for vehicles that can operate in an autonomous
mode, whether the item
is individual or part of a team such as a platoon
.
2 1.2 Operation is assumed to occur without human supervision and without expectation of human intervention in performing and supervising the dynamic driving task and other normal system operations based upon the current
item
state and ability to sense and otherwise interpret the operating environment. Human contributions to safety in other than normal operation are considered (e.g., maintenance), as are interactions with humans who are not operating the item
(e.g., pedestrians).
2 1.3 This standard generally uses the term “
item
” rather than “system” or “product” when referring to the scope of the safety case
as well as the operation of the item
. This approach is in recognition of the possibility that the safety of the item
might rely upon infrastructure, services, support processes, and other factors that might not normally be considered part of a system such as a vehicle per se, but which materially affect its safety and therefore are all considered within the scope of the item
being assessed for conformance
. For a team of vehicles the item
might be scoped as an individual vehicle that is a member of a team or instead the item
might be designed to function as a team as a whole without reducing the safety of any one vehicle.
2 1.4 This standard assumes that the
item
autonomously operates starting at some well-defined initial state to some other well-defined end state without human intervention. Human input might influence the selection of desirable states (e.g., via an occupant requesting a destination). However, the extent to which human operators mitigate
or introduce risk
by performing or supervising a dynamic control task (e.g., by driving or taking responsibility for monitoring system operation) is outside the scope of the standard. Similarly, the extent to which human operator performance or non-performance is involved in risks
related to transferring human driver control to or from the item
is also outside the scope of the standard. However, ensuring that the item
itself properly performs any change of control functions if and when it is supposed to is generally within the scope of the standard since it can adversely affect operation in fully autonomous
mode as well. Thus, while portions of this standard might be helpful for addressing less than fully autonomous
vehicles, issues involving human driver responsibilities, vigilance, and ability to properly accept responsibility for vehicle control are out of scope for this standard.
2 1.5 While information security is an essential topic, the details of that area are out of scope for this standard beyond a general requirement for a Security Plan and
prompt elements
that are possibly unique to autonomous
vehicle operation in comparison to other vehicular security requirements. Reasonably foreseeable misuse and abuse as well as physical attacks (e.g., physical sensor damage) are in scope.
2 1.6 The requirements of this standard are considered to be at a necessary, but possibly not sufficient, level of completeness and rigor to create an acceptably well-formed and acceptably complete
item
safety case
. In particular, prompt element
lists are considered non-exhaustive, with an expectation that design teams will include additional items
as relevant to the item
and its operational design domain
.