This paper details the development and onboard evaluation of an Unmanned Aerial System (UAS) specifically designed for maritime firefighting and rescue operations on roll-on/roll-off (ro-ro) ships. Emphasizing the use of open hardware and software, the study focuses on the operational practicality and legal fesibility of a UAS prototype. The assessment of the UASs performance is multifaceted, incorporating expert surveys and a SWOT analysis. Key findings demonstrate the significant potential of UASs in augmenting maritime safety and emergency response capabilities. The paper provides insights into broader opportunities for integrating UAS technology in maritime operations, highlighting its role in enhancing the efficiency and effectiveness of critical maritime functions.

Connected automated vehicles (CAVs) are—compared conventional vehicles—expected to provide more efficient, accessible, and safer transport solutions in on-road use cases as well as confined areas such as mines, construction sites or harbours. As development of such vehicles has proved more difficult than anticipated, especially when it comes to ensuring safety, more cautious strategies for introduction are now being pursued. An approach where new automated features are initially released with more basic performance to enable successful safety assurance, followed by gradual expansion of performance and number of use-cases using an iterative development process as the confidence in the solution increases, e.g., due to more available field data, improved machine learning algorithms, or improved verification, is highly interesting. Hence a key research question targeted by the SALIENCE4CAV project was: How to ensure the safety of CAVs while enabling frequent updates for automated driving systems with their comprising elements? Today, many of the used methods and practices for safety analysis and safety assurance are not adequate for continuous deployment. In addition, the project has investigated several open questions raised by the predecessor project ESPLANADE and from needs identified by the industry partners; this includes how to handle safety assurance for machine learning components, use of quantitative risk acceptance criteria as a key part of the safety argument, safety for collaborative CAVs including use in mixed traffic environments, the role of minimal risk manoeuvres, and interaction with human operators.

Some key results are: investigation of safety assurance methods and gaps with regards to frequent updates and other challenges for CAV safety assurance; use of safety contracts as an enabler for continuous integration, continuous deployment and DevOps; a method for human interaction safety analysis; application of the principle of precautionary safety for meeting a quantitative risk norm and using field data for continuous improvements; definition of classes of cooperative and collaborative vehicles and their respective characteristics and definition of minimal risk manoeuvre and minimal risk condition strategies for individual, cooperative and collaborative vehicles; use of out-of-distribution detection for safety of machine learning; a simulation-aided approach for evaluating machine learning components; and methods for variational safety using high-dimensional safety contracts.

The SALIENCE4CAV project ran from January 2021 to December 2023 with the partners Agreat, Comentor, Epiroc Rock Drills, KTH Royal Institute of Technology, Qamcom Research and Technology, RISE Research Institutes of Sweden, Semcon Sweden, Veoneer (during the project acquired by Magna) and Zenseact. Coordination was done by RISE.

This final report is a summary of the project results and contains summaries of content from the project deliverables and publications.

The emergence of Automated Driving Systems (ADSs) has transformed the landscape of safety assessment. ADSs, capable of controlling a vehicle without human intervention, represent a significant shift from traditional driver-centric approaches to vehicle safety. While traditional safety assessments rely on the assumption of a human driver in control, ADSs require a different approach that acknowledges the machine as the primary driver. Before market introduction, it is necessary to confirm the vehicle safety claimed by the manufacturer. The complexity of the systems necessitates a new comprehensive safety assessment that examines and validates the hazard identification and safety-by-design concepts and ensures that the ADS meets the relevant safety requirements throughout the vehicle lifecycle. The presented work aims to enhance the effectiveness of the assessment performed by a homologation service provider by using assessment templates based on refined requirement attributes that link to the operational design domain (ODD) and the use of Key Enabling Technologies (KETs), such as communication, positioning, and cybersecurity, in the implementation of ADSs. The refined requirement attributes can serve as safety-performance indicators to assist the evaluation of the design soundness of the ODD. The contributions of this paper are: (1) outlining a method for deriving assessment templates for use in future ADS assessments; (2) demonstrating the method by analysing three KETs with respect to such assessment templates; and (3) demonstrating the use of assessment templates on a use case, an unmanned (remotely assisted) truck in a limited ODD. By employing assessment templates tailored to the technology reliance of the identified use case, the evaluation process gained clarity through assessable attributes, assessment criteria, and functional scenarios linked to the ODD and KETs.

During the last decade, there has been significant increase in research focused on automated vehicles (AVs) and ensuring safe operation of these vehicles. However, challenges still remain, some involving the cooperation and collaboration of multiple AVs, including when and how to perform a minimal risk manoeuvre (MRM), leading to a minimal risk condition (MRC) when an AV within one of these systems is unable to complete its original goal. As most literature is focused on individual AVs, there is a need to adapt and extend the knowledge and techniques to these new contexts. Based on existing knowledge of individual AVs, this paper explores MRM strategies involving cooperative and collaborative AV systems with different capabilities. Specifically, collaborative systems have the potential to enact local MRCs, allowing continued productivity despite having one (or several) of its constituents encounter a fault. Definitions are provided for local and global MRCs, alongside discussions of their implications for MRMs. Illustrative examples are also presented for each type of system.

The automotive industry is moving towards increased automation, where features such as automated driving systems typically include machine learning (ML), e.g. in the perception system. [Question/Problem] Ensuring safety for systems partly relying on ML is challenging. Different approaches and frameworks have been proposed, typically where the developer must define quantitative and/or qualitative acceptance criteria, and ensure the criteria are fulfilled using different methods to improve e.g., design, robustness and error detection. However, there is still a knowledge gap between quality methods and metrics employed in the ML domain and how such methods can contribute to satisfying the vehicle level safety requirements. In this paper, we argue the need for connecting available ML quality methods and metrics to the safety lifecycle and explicitly show their contribution to safety. In particular, we analyse Out-of-Distribution (OoD) detection, e.g., the frequency of novelty detection, and show its potential for multiple safety-related purposes. I.e., as (a) an acceptance criterion contributing to the decision if the software fulfills the safety requirements and hence is ready-for-release, (b) in operational design domain selection and expansion by including novelty samples into the training/development loop, and (c) as a run-time measure, e.g., if there is a sequence of novel samples, the vehicle should consider reaching a minimal risk condition. [Contribution] This paper describes the possibility to use OoD detection as a safety measure, and the potential contributions in different stages of the safety lifecycle. © 2023, The Author(s)

The overarching goal of the ROADVIEW project is performance improvements in perception and decision-making subsystems for connected automated vehicles (CAVs) under harsh weather conditions such as rain, fog, or snow, which is necessary to enable the widespread use of automated vehicles. In support of this overarching goal, this deliverable (D2.1) describes complex environments—including levels of harsh weather conditions and density of heterogeneous traffic—to be used for the R&D activities and evaluations in WPs 3 – 8. The environment descriptions are in the form of operational design domain (ODD) definitions meant to be combined with the use cases defined in D2.2. The ODD definitions are specified by using and extending the ODD taxonomy defined in ISO 34503 [3], considering the needs of the ROADVIEW use cases, and the environmental conditions especially relevant for the sensor types investigated in the project. This deliverable first defines terminology related to driving automation systems, ODDs, and testing—where a key purpose is to verify that the CAV operates safely within its ODD. Then harsh weather conditions and the main sensor types intended to be used in the project are discussed. Sensors are investigated with respect to which weather conditions and which metrics for these conditions are relevant to perform verification against the defined ODD (e.g., rain metrics can be intensity specified in mm/h and droplet size distribution). Next follows a discussion on particularly relevant ODD attributes and why we have chosen certain metrics and classifications, and in some instances added new attributes not mentioned in ISO 34503. Finally, ODD definitions are developed for the different types of road environments, or drivable areas, defined in D2.2, i.e., highway, urban traffic, and rural road. D2.2 also defines several use cases for automated vehicles that are relevant for these drivable areas and will be used by the other WPs, together with the ODD definitions from this deliverable, to create test scenarios. Objectives The main objective of this deliverable is to create ODD definitions for the use cases investigated in the project, especially detailing harsh weather conditions with a focus on rain, fog, and snow. By combining these harsh conditions with use cases defined in D2.2, the project will have the basis for working on perception and decision-making improvements for such conditions, and for defining relevant test cases to apply in different test environments used in the project (simulation, x-in-the-Loop, weather test facilities, test tracks, and open-road tests). Together, D2.1 and D2.2 aim to fulfil ROADVIEW Objective 1: Define complex environmental conditions and use case specifications. Methodology and implementation Since the overarching goal of ROADVIEW is to improve performance for CAVs in harsh weather conditions, this deliverable aims to specify an ODD taxonomy specifically including (1) operational conditions relevant for harsh weather conditions with respect to the design and verification of advanced environmental sensors and decision-making systems, and (2) operational conditions relevant for the specific use-cases to be evaluated in the project. The methodology was to, as far as possible, make sure the project uses ODD taxonomy and other terminology from existing sources, in particular existing or soon-to-be-released standards [1][2][3][4][6], to make sure we use terms in a way already established in the automotive domain and avoid inventing new terms where there are already existing alternatives. Given this starting point, a group of experts in sensor technology, test environments, and the providers of use cases have collected and analysed what kind of harsh conditions should be included, and if there is a need to refine the existing ODD taxonomy with new or more detailed attributes or new metrics. Finally, an ODD definition is developed corresponding to each of the three types of drivable areas defined in D2.2. Outcomes This deliverable provides initial ODD definitions covering the drivable areas developed in deliverable D2.2—urban (city) traffic, (multi-lane) highway, and (single-lane) rural road, with and without infrastructure extensions—given our knowledge in the early phases of the ROADVIEW project. Refinements that may be necessary during the project will be described in later project deliverables. Next steps The use cases are further defined in deliverable D2.2. The further work towards the overarching goal performed in ROADVIEW WP 3-8 will use the ODD taxonomy and use case specifications as input for the evaluation and demonstration of the improvements developed in the project. Evaluation of the system prototypes used in the project is part of the integration and demonstration work package (WP8).

Safety assurance of cooperative, connected, and automated mobility (CCAM) systems is crucial for their successful adoption in society. To demonstrate that such systems are safe in their complete operational design domains (ODDs) requires robust safety argumentation. The aim of the SUNRISE project is to develop and demonstrate a safety assurance framework (SAF) for the test and safety validation of a varied scope of such systems. Scenario-based testing methods is believed to become an important part of the safety assessment approach for automated driving systems (ADSs). The SUNRISE project’s forerunner project HEADSTART developed a methodology for safety validation of connected and automated vehicles centred around scenario-based testing, a methodology that SUNRISE will develop further and integrate as a part of the SUNRISE SAF. Focus for Work Package 3 of the SUNRISE project is to define and condense an overall methodology to support the safety argumentation using data- and knowledge-driven, scenario-based testing. This report presents a literature study and baseline tracking of the existing scenario-based methodologies, especially, based on the knowledge and literature review of the HEADSTART project. First, the SUNRISE SAF and scenario-based methodologies are introduced including a suitable taxonomy. Second, the HEADSTART method is summarized in detail. Third, scenario-based methodologies from other projects are described. Fourth, an overview of relevant standardization efforts is presented with a particular focus on the ISO 3450X series “Road vehicles – Test scenarios for automated driving systems”. Fifth, other initiatives related to scenario-based safety assessment (mainly outside the EU) are described. Sixth, an extensive analysis is presented comparing the HEADSTART methodology with the other described initiatives. Seventh and final, the findings are summarised in the conclusions. The SUNRISE methodology will use the HEADSTART methodology as input complemented with other existing best practices documented in this report. For areas that was in focus for the HEADSTART project, such as scenario concept, test scenario selection and test scenario allocation, the HEADSTART method is concluded to be well defined for future development. Important is that the SUNRISE scenario concept need to be versatile and adoptable for scenario concepts used in all relevant existing scenario databases. As far as possible the scenario concept should also be adoptable for possible future relevant scenario concepts. Other areas, like scenario sources, scenario generation, and scenario databases, were not in focus for HEASTART and only conceptually defined. The SUNRISE data framework is essential to solve these parts as SUNRISE, like HEADSTART, relays on external scenario databases. Further, the HEADSTART methodology needs to be complemented with elements like risk assessment, monitoring in order to identify unknown scenarios, and qualitative and quantitative metrics to determine the completeness of a scenario database.

Safety assurance of cooperative, connected, and automated mobility (CCAM) systems is crucial for their successful adoption in society, and it is necessary to demonstrate reliability in their complete operational design domains (ODD). For higher level of automation, i.e., when the vehicle takes over the responsibility from the human driver, it is commonly accepted that validation only by means of real test-drives would be infeasible. Instead, a mixture of physical and virtual testing is seen as a promising approach, in which the virtual part accelerates testing procedure and significantly reduces cost. This in turn accelerates the time to market. The SUNRISE project aims to develop a Safety Assurance Framework (SAF) for scenario-based safety validation of CCAM systems, covering a broad portfolio of use cases and comprehensive test and validation tools. Part of this project focuses onto developing a harmonised verification and validation (V&V) simulation framework for CCAM systems. To overcome the limitations of virtual simulation, the targeted SAF also will include hybrid and real-world testing and validation approaches. This deliverable presents the findings from the task to identify relevant subsystems of a harmonised V&V simulation framework for virtual validation of CCAM systems applying a scenario-based testing methodology. The involved partners have together identified and agreed on a non-exclusive list of relevant subsystems: (1) test case manager, (2) environment, (3) subject vehicle, (4) traffic agents, (5) connectivity, and (6) simulation model validation. The subject vehicle subsystems include blocks for sensors, AD function, and vehicle dynamics and the AD function block includes subblocks for perception, planning, and control and act. This deliverable primarily focuses on virtual simulations, but the SAF also covers XiL tests, were some of the listed subsystems can be replaced with the real components. After the subsystems are described, the subsystem requirements are analysed form the perspective of requirements on tools, interfaces, V&V of the simulation framework, and model fidelity. Many of the participants have experience in simulation tools, but the presented work is mainly theoretical, and the actual development of the simulation framework is done in subsequent tasks of WP4. The intention is that the definition of the simulation framework and the listed subsystems shall be versatile and adoptable for future technology development.

As more parts of the power grid become connected to the internet, the risk of cyberattacks increases. To identify the cybersecurity threats and subsequently reduce vulnerabilities, the common practice is to carry out a cybersecurity risk assessment. For safety classified systems and products, there is also a need for safety risk assessments in addition to the cybersecurity risk assessment in order to identify and reduce safety risks. These two risk assessments are usually done separately, but since cybersecurity and functional safety are often related, a more comprehensive method covering both aspects is needed. Some work addressing this has been done for specific domains like the automotive domain, but more general methods suitable for, e.g., Intelligent Distributed Grids, are still missing. One such method from the automotive domain is the Security-Aware Hazard Analysis and Risk Assessment (SAHARA) method that combines safety and cybersecurity risk assessments. This paper presents an approach where the SAHARA method has been modified in order to be more suitable for larger distributed systems. The adapted SAHARA method has a more general risk assessment approach than the original SAHARA. The proposed method has been successfully applied on two use cases of an intelligent distributed grid.

As more parts of the power grid become connected to the internet, the risk of cyberattacks increases. To identify the cybersecurity threats and subsequently reduce vulnerabilities, the common practice is to carry out a cybersecurity risk assessment. For safety classified systems and products, there is also a need for safety risk assessments in addition to the cybersecurity risk assessment to identify and reduce safety risks. These two risk assessments are usually done separately, but since cybersecurity and functional safety are often related, a more comprehensive method covering both aspects is needed. Some work addressing this has been done for specific domains like the automotive domain, but more general methods suitable for, e.g., Intelligent Distributed Grids, are still missing. One such method from the automotive domain is the Security-Aware Hazard Analysis and Risk Assessment (SAHARA) method that combines safety and cybersecurity risk assessments. This paper presents an approach where the SAHARA method has been modified to be more suitable for larger distributed systems. The adapted SAHARA method has a more general risk assessment approach than the original SAHARA. The proposed method has been successfully applied on two use cases of an intelligent distributed grid.