
Framework for Generic Hazard Analysis of Automated Roadway Vehicles in Transit Service

Description:

The Federal Transit Administration (FTA) has established a priority in the establishment of safe transit system design, implementation and operations throughout the life of the system. Federal Circular FTA C 5800.1 describes the requirement that a federal funding recipient establish and maintain a System Safety and Security Management Plan (SSMP). In Chapter IV, Required SSMP Contents, Section 4, Safety and Security Analysis, the requirements state: "The recipient must have a program in place to: (1) identify known hazards and vulnerabilities, (2) categorize them as to their potential severity and probability of occurrence, (3) analyze them for potential impact, and (4) resolve them by design, engineered features, warning devices, procedures and training, or other methods. The recipient must also identify the level of hazards and vulnerabilities the recipient's project management finds acceptable."

The basis of this proposed research project is to establish a "framework" for the necessary hazard analysis for a fully automated system deploying roadway vehicle technology within the system. This Hazard Analysis framework will provide guidance for the process of identifying known hazards and vulnerabilities, and assist the authority having jurisdiction in the preliminary identification of the level of hazards and vulnerabilities which they find acceptable.

Full automation in fixed guideway transit systems has evolved gradually over many decades since the first known research program in the 1960s. The designs of the relatively few system suppliers have encompassed the safe design and integration of all subsystems under one comprehensive system safety plan, typically including operations following the initiation of passenger service. Evolution of each supplier's design has been gradual, based on many years of operating conditions and safe design validation. These system suppliers have each conducted detailed safety analyses that begin with appropriate hazard analyses (HA) for each of the automated systems that have been designed and built throughout the world. Even so, recent initiatives of the International Electrotechnical Commission (IEC) have led to the development of a generic hazard analysis that is intended for use and reference as specific project safety analyses and risk assessments are performed for Automated Urban Guided Transport systems. This generic hazard analysis was published in 2011 as IEC TR 62267-2.

In contrast, the rapid development and deployment of automated/connected roadway vehicle (AV/CV) designs by numerous technology and automotive companies could create a design environment where hazards are not uniformly analyzed. The proposed integration of communications links between vehicles (vehicle-to-vehicle, V2V) and between vehicles and the roadway Intelligent Transportation System (ITS) infrastructure (vehicle-to-infrastructure, V2I) could result in very different definitions of hazards, and different assumptions of proper equipment and control response, across the transportation/automotive industry. In particular, assumptions regarding variations in human interactions/response during incidents and failure conditions among the spectrum of subsystem suppliers (e.g., AV/CV suppliers, ITS equipment suppliers, and ATMS system integrators), and the hazards that result from these factors, could vary widely among the various AV and ITS equipment designs and software programming. The resulting patchwork of hazard mitigations and solutions will not address some important hazards for AV technology applications in transit service. Further, some hazards may not be comprehensively addressed in software and hardware designs, nor well coordinated in deployment across the various design interfaces.

When hazard mitigations are addressed by "procedures" that involve human interactions, the potential for non-uniform assumptions about these procedures may lead to confusion and delays in full deployment of the AV technology. The accomplishment of a generic safety analysis would greatly benefit the deployment of AV/CV technology. Complex operating environments involving automated equipment in transit service have typically begun with a thorough and complete analysis of hazards. Hazards are defined as conditions which could trigger an accident that would injure people or damage equipment, systems and/or facilities. During the course of design for specific installations of automated systems, the subsequent detailed safety analyses flow from this initial assessment of hazards. Most importantly, if certain hazards are overlooked, or if the acceptable means of mitigating a hazard are not suitably defined, the safety analysis that follows could be deficient. This fact underscores the greatest benefit of this proposed HA research program: the establishment of a framework for HA that comprehensively and consistently guides the initial assumptions and requirements for an AV/CV transit project's complete safety analysis process.

Objective:

Conduct a generic hazard analysis (HA) in a manner similar to that accomplished in . In conducting this HA, the form and information included in this reference document shall be adapted and expanded to include a generic analysis of automated/connected roadway vehicles operating in a protected transitway environment. The work shall include the definition of the distinct and plausible hazards (including software hacking and malicious intervention in or disruption of the communications system), and the definition/assessment of the range of appropriate responses/mitigations by the automated system equipment. From this generic HA framework, accidents or potentially unsafe incidents that threaten significant injury to persons or significant damage to equipment/systems/facilities would be properly addressed in the subsequent safety analysis process.

In consideration of the application of automated/connected roadway vehicles in transit applications, elements of the transitway operating environment which are to be addressed in addition to those covered in the existing content of the IEC 62267-2 reference document include:

  1. Lane following guidance

  2. On-line and off-line stations

    • Merge/diverge guidance

    • Precision station docking

  3. Platooning of transit vehicles

  4. Transition of AV to/from manual operations when entering/leaving the automated transitway

By its nature, the preparation of the HA will involve a consensus-building process involving developers/designers, system integrators, operators and regulators. Agreement on the definition of hazards/threats and the associated responses/mitigations that suitably resolve the hazards forms the basis for the generic framework, which will be useful for the eventual evolutionary development of consensus standards.

Benefits:

User Community: Many parties will benefit from the availability of such a generic HA framework.

Researchers and technology practitioners could use the HA to:

  • Mitigate the risk of expensive redesign to comply with eventual new standards.

  • Consider a suitable architecture with early coordination of communications interfaces between AV and wayside ITS/ATMS systems.

The automotive industry and ITS/ATMS suppliers, integrators and roadway facility operators could use the HA to:

  • Lower the risk of user confusion due to differing production designs of AV functional controls and safety provisions between vehicle manufacturers.

  • Mitigate the risk of expensive redesign to comply with eventual new AV standards.

  • Ensure faster AV industry progress toward deployment of managed facilities providing high speed/high capacity operations.

The agencies responsible for roadway and transitway design, operational safety and overall security in public spaces could use the HA to:

  • Establish the HA framework with Federal/State safety oversight regulators and security officers fully involved in the definition of AV functional/safety requirements.

  • Guide the provision of AV technology to roadway users in a suitable and controlled process that ensures reasonable uniformity of AV functions and man/machine interfaces.

  • Provide an informed and progressive deployment that would allow policy makers, legislators and insurers to keep pace with advances in AV technology.

Implementation:

The implementation of the RNS could be accomplished in tandem with the initial work on protected fully automated vehicle operations within protected transitways, performed under the auspices of an ACRP project addressing the affirmation and adaptation of the IEC 62267-2 generic hazard analysis process for airport automated people mover systems.

The work will begin with a review of the application/adaptation of the Hazards Analysis Table from IEC 62267-2 as it was originally developed for fixed guideway systems, and will then develop and adapt this framework to apply to automated/connected roadway vehicles.

The following progressive round of meetings and documentation of findings/conclusions will guide the initial phase of work. These meetings will obtain comments, observations and critique of IEC 62267-2, and receive comments/recommendations with respect to safety initiatives already underway within the AV/CV industry. Representatives from the following sectors of the transportation industry will be consulted:

  • Automated guideway transit industry

  • Automotive industry

  • AV/CV custom vehicle control industry

  • Intelligent Transportation System (ITS) and automated traffic management system (ATMS) industry

  • Governmental agencies and industry associations (e.g., State DOTs, FHWA, FTA, AASHTO, etc.)

The information obtained from these industry meetings will be assembled into an initial list of the most important areas of coverage of the generic HA for AV/CV applications to transitway service, including the new aspects relevant to roadway vehicles that are not physically guided along the transitway:

  a. Address both AV on-board and supervisory control systems

  b. Include appropriate provisions for:

    i. Lane following guidance

    ii. On-line and off-line stations

      1. Merge/diverge guidance

      2. Precision station docking

    iii. Platooning of transit vehicles

    iv. Transition of AV to/from manual operations when entering/leaving the automated transitway

Based on these preliminary phases of work, a working group of public and private entities that represent the automated guideway transit, automated vehicle, connected vehicle infrastructure, public roadway and transit industries will be assembled to prepare the initial draft of the generic hazard analysis for AV/CV application within protected transitways.

The final phase of implementation will involve follow-up meetings with all industry groups and governmental agencies involved in the initial phases of work to review and refine the resulting generic HA document.

Related Research:

A companion research project that would substantially benefit this proposed project, which is oriented toward automated/connected roadway vehicle transit, would be a related project focused on the review and affirmation/adaptation of the IEC 62267-2 reference document for airport automated people mover systems. Within the United States, almost all deployments of fully automated guideway transit systems have been in or connecting to major airports. A companion research project is being developed for submittal as a research needs statement that would be funded through the Airport Cooperative Research Program (ACRP). This related work would benefit the interpretation and adaptation of the IEC generic hazard analysis process to AV/CV applications.

As an extension of the initial generic hazard analysis for automated/connected roadway vehicles operating within exclusive and semi-exclusive transitways (i.e., the objective of this research study), the same methodology and work product could be extended to address transit and automated/connected roadway vehicle applications in progressively more expansive environments. The following AV operating environments suggest the progressive development of the associated HA project work products:

  1. Expand the HA for transit, shared-ride and "automated taxi" AV applications in appropriately "controlled" non-guideway environments, such as:

    a. Low speed AV operating conditions with provisions for mixed operations among non-AVs, pedestrians and bicycles (such as university campuses, military bases, medical complexes and airports).

    b. High speed, high capacity operations with connected AV and advisory ATMS.

  2. Advance the generic HA to cover non-connected, fully autonomous vehicle operations within unsupervised roadway environments of common streets/arterials and highways/freeways, with characteristics of:

    a. Rural and urban settings with pedestrian and bicycle mixed flow among AVs, where pedestrians and bicycles are moving through appropriate lanes and crosswalks.

Relevance:

Urgency/Priority: An inadequate amount of development work has been done to fully assess the potential hazards across all subsystems in the envisioned automated/connected vehicle environment. This is mainly due to the lack of a well-defined and accepted generic hazard analysis (HA) framework that is tailored to the uniqueness of automated/connected roadway vehicles (AV/CV). A priority must be set to establish a definition of hazards and a list of triggers and safeguards that could be universally used by AV and transit suppliers and operators, such as AV/CV software developers and on-board vehicle control system designers, ITS equipment designers, transit and ATMS signaling and transit supervisory system designers, State DOTs and USDOT. Without this framework, specific designs and project applications will be unable to comprehensively extend the safety analysis to adequately analyze and mitigate potential loss due to failures/accidents, or to forecast the probability of the occurrence of unsafe events when automated/connected roadway vehicles are applied in transit service.

Equally important is the fostering of a design and deployment process for AV/CV transit applications which is effectively accomplished within the FTA funding requirements for a comprehensive, system-level Safety and Security Program Plan. Without such, the federal funding process to advance the test and prototyping of fully automated roadway vehicle transit systems may be obstructed, and the realization of AV/CV deployment overall may be delayed.

Sponsoring Committee: AP050, Bus Transit Systems
Research Period: 24 - 36 months
Research Priority: High
RNS Developer: J. Sam Lott
Source Info: This work was created at the summer TRB/AUVSI automated vehicle symposium in afternoon sessions and workshops spearheaded by Dr. Stan Young
Submitted by: J. Sam Lott, Kimley-Horn and Associates, Inc.; Ronald Boenau, Federal Transit Administration; Stan Young, University of Maryland
Date Posted: 02/16/2015
Date Modified: 07/07/2015
Index Terms: Intelligent vehicles, Vehicle to infrastructure communications, Vehicle to vehicle communications, Automated highways, Mobile communication systems, Hazard analysis, Intelligent transportation systems, Guideways
Cosponsoring Committees: (none listed)
Subjects: Highways; Public Transportation; Administration and Management; Safety and Human Factors; Policy
