Torben Stolte,Gerrit Bagschik,Andreas Reschka,Markus Maurer

DOI: https://doi.org/10.48550/arXiv.1704.06140

2018-05-05

Abstract:For future application of automated vehicles in public traffic, ensuring functional safety is essential. In this context, a hazard analysis and risk assessment is an important input for designing functionally vehicle automation systems. In this contribution, we present a detailed hazard analysis and risk assessment (HARA) according to the ISO 26262 standard for a specific Level 4 application, namely an unmanned protective vehicle operated without human supervision for motorway hard shoulder roadworks.

Robotics

Robert Graubohm,Torben Stolte,Gerrit Bagschik,Markus Maurer

DOI: https://doi.org/10.1109/IV47402.2020.9304780

2021-01-13

Abstract:The complex functional structure of driverless vehicles induces a multitude of potential malfunctions. Established approaches for a systematic hazard identification generate individual potentially hazardous scenarios for each identified malfunction. This leads to inefficiencies in a purely expert-based hazard analysis process, as each of the many scenarios has to be examined individually. In this contribution, we propose an adaptation of the strategy for hazard identification for the development of automated vehicles. Instead of focusing on malfunctions, we base our process on deviations from desired vehicle behavior in selected operational scenarios analyzed in the concept phase. By evaluating externally observable deviations from a desired behavior, we encapsulate individual malfunctions and reduce the amount of generated potentially hazardous scenarios. After introducing our hazard identification strategy, we illustrate its application on one of the operational scenarios used in the research project UNICAR$agil$.

Systems and Control

Camila Correa-Jullian,Marilia Ramos,Ali Mosleh,Jiaqi Ma

DOI: https://doi.org/10.1177/1748006x241233863

2024-02-28

Proceedings of the Institution of Mechanical Engineers Part O Journal of Risk and Reliability

Abstract:Proceedings of the Institution of Mechanical Engineers, Part O: Journal of Risk and Reliability, Ahead of Print. The safety of Automated Driving Systems (ADS) operating as Mobility as a Service (MaaS) depends on multiple factors in addition to the vehicle's functionality, reliability, and performance. Currently, no comprehensive approach has been formally developed to identify operational safety hazards and define the operational safety responsibilities of the key agents involved in Level 4 (L4) ADS MaaS operations. This work develops and applies a structured hazard identification methodology for this operation. The methodology leverages and complements the strengths of various hazard identification and modeling methods, including Event Sequence Diagram (ESD), Concurrent Task Analysis (CoTA), System-Theoretic Process Analysis (STPA), and Fault Tree Analysis (FTA). The methodology is applied to analyze the operation of a fleet of L4 ADS vehicle fleets without a safety driver, monitored and supervised by remote operators. The results highlight the fleet operator's role in ensuring the correct vehicle operation and preventing and mitigating incidents. The analysis demonstrates the developed methodology's strengths and suitability for operational safety analysis of complex systems' operations, considering the inherent complexity of the interactions between multiple human and machine agents.

engineering, industrial, multidisciplinary,operations research & management science

Asim Abdulkhaleq,Stefan Wagner,Daniel Lammering,Hagen Boehmert,Pierre Blueher

DOI: https://doi.org/10.48550/arXiv.1703.03657

2017-03-10

Software Engineering

Abstract:Safety has become of paramount importance in the development lifecycle of the modern automobile systems. However, the current automotive safety standard ISO 26262 does not specify clearly the methods for safety analysis. Different methods are recommended for this purpose. FTA (Fault Tree Analysis) and FMEA (Failure Mode and Effects Analysis) are used in the most recent ISO 26262 applications to identify component failures, errors and faults that lead to specific hazards (in the presence of faults). However, these methods are based on reliability theory, and they are not adequate to address new hazards caused by dysfunctional component interactions, software failure or human error. A holistic approach was developed called STPA (Systems-Theoretic Process Analysis) which addresses more types of hazards and treats safety as a dynamic control problem rather than an individual component failure. STPA also addresses types of hazardous causes in the absence of failure. Accordingly, there is a need for investigating hazard analysis techniques like STPA. In this paper, we present a concept on how to use STPA to extend the safety scope of ISO 26262 and support the Hazard Analysis and Risk Assessments (HARA) process. We applied the proposed concept to a current project of a fully automated vehicle at Continental. As a result, we identified 24 system- level accidents, 176 hazards, 27 unsafe control actions, and 129 unsafe scenarios. We conclude that STPA is an effective and efficient approach to derive detailed safety constraints. STPA can support the functional safety engineers to evaluate the architectural design of fully automated vehicles and build the functional safety concept.

Gerrit Bagschik,Marcus Nolte,Susanne Ernst,Markus Maurer

DOI: https://doi.org/10.1109/itsc.2018.8569398

2018-11-01

Abstract:With an increasing degree of automation, automated vehicle systems become more complex in terms of functional components as well as interconnected hardware and software components. Thus, holistic systems engineering becomes a severe challenge. Emergent properties like system safety are not solely arguable in singular viewpoints such as structural representations of software or electrical wiring (e.g. fault tolerant). This states the need to get several viewpoints on a system and describe correspondences between these views in order to enable traceability of emergent system properties. Today, the most abstract view found in architecture frameworks is a logical description of system functions which structures the system in terms of information flow and functional components. In this article we extend established system viewpoints towards a capability-based assessment of an automated vehicle and conduct an exemplary safety analysis to derive behavioral safety requirements. These requirements can afterwards be attributed to different viewpoints in an architecture frameworks and thus be integrated into a development process for automated vehicles.

Thomas Drage,Kai Li Lim,Joey En Hai Koh,David Gregory,Craig Brogle,Thomas Bräunl,Thomas Braunl

DOI: https://doi.org/10.1109/iv48863.2021.9575662

2021-07-11

Abstract:This paper presents an approach to specifying a modularised safety system which comprehensively addresses the safety requirements for highly autonomous (SAE Level 3+) road vehicles featuring advanced sensing and automated navigation. As these requirements are often overlooked in similar autonomous driving system proposals, we present a method of hazard and risk analysis which investigates hardware failures, environmental perception limitations, human interaction and functional requirements for artificial intelligence. We then define a system design which implements the required safeguards and examines the application on two electric autonomous vehicle testbeds: a race car and a shuttle bus. The close-coupling of a safety-oriented architecture and multi-regime Hazard and Risk Assessment process was tested to measure the system's ability to detect and react to pedestrian stimuli, resulting in accurate detections and reactions, thereby confirming its ability to design safety systems for autonomous research vehicles in a scalable and easily assured fashion.

Mario Gleirscher,Stefan Kugele

DOI: https://doi.org/10.48550/arXiv.1802.08327

2018-02-22

Software Engineering

Abstract:Vehicle safety depends on (a) the range of identified hazards and (b) the operational situations for which mitigations of these hazards are acceptably decreasing risk. Moreover, with an increasing degree of autonomy, risk ownership is likely to increase for vendors towards regulatory certification. Hence, highly automated vehicles have to be equipped with verified controllers capable of reliably identifying and mitigating hazards in all possible operational situations. To this end, available methods for the design and verification of automated vehicle controllers have to be supported by models for hazard analysis and mitigation. In this paper, we describe (1) a framework for the analysis and design of planners (i.e., high-level controllers) capable of run-time hazard identification and mitigation, (2) an incremental algorithm for constructing planning models from hazard analysis, and (3) an exemplary application to the design of a fail-operational controller based on a given control system architecture. Our approach equips the safety engineer with concepts and steps to (2a) elaborate scenarios of endangerment and (2b) design operational strategies for mitigating such scenarios.

Mohammad Hejase,Arda Kurt,Tunc Aldemir,Umit Ozguner

DOI: https://doi.org/10.4204/EPTCS.269.6

2018-04-12

Abstract:The level of autonomous functions in vehicular control systems has been on a steady rise. This rise makes it more challenging for control system engineers to ensure a high level of safety, especially against unexpected failures such as stochastic hardware failures. A generic Backtracking Process Algorithm (BPA) based on a deductive implementation of the Markov/Cell-to-Cell Mapping technique is proposed for the identification of critical scenarios leading to the violation of safety goals. A discretized state-space representation of the system allows tracing of fault propagation throughout the system, and the quantification of probabilistic system evolution in time. A case study of a Hybrid State Control System for an autonomous vehicle prone to a brake-by-wire failure is constructed. The hazard of interest is collision with a stationary vehicle. The BPA is implemented to identify the risk significant scenarios leading to the hazard of interest.

Systems and Control,Software Engineering

Marcus Nolte,Gerrit Bagschik,Inga Jatzkowski,Torben Stolte,Andreas Reschka,Markus Maurer

DOI: https://doi.org/10.1109/ITSC.2017.8317814

2017-08-09

Abstract:The development of fully automated vehicles imposes new challenges in the development process and during the operation of such vehicles. As traditional design methods are not sufficient to account for the huge variety of scenarios which will be encountered by (fully) automated vehicles, approaches for designing safe systems must be extended in order to allow for an ISO~26262 compliant development process. During operation of vehicles implementing SAE Levels 3+ safe behavior must always be guaranteed, as the human driver is not or not immediately available as a fall-back. Thus, the vehicle must be aware of its current performance and remaining abilities at all times. In this paper we combine insights from two research projects for showing how a skill- and ability-based approach can provide a basis for the development phase and operation of self-aware automated road vehicles.

Systems and Control

Simon Hoffmann,Dr. Frank Diermeyer

DOI: https://doi.org/10.48550/arXiv.2104.06795

2021-04-14

Systems and Control

Abstract:Teleoperation is becoming an essential feature in automated vehicle concepts, as it will help the industry overcome challenges facing automated vehicles today. Teleoperation follows the idea to get humans back into the loop for certain rare situations the automated vehicle cannot resolve. Teleoperation therefore has the potential to expand the operational design domain and increase the availability of automated vehicles. This is especially relevant for concepts with no backup driver inside the vehicle. While teleoperation resolves certain issues an automated vehicle will face, it introduces new challenges in terms of safety requirements. While safety and regulatory approval is a major research topic in the area of automated vehicles, it is rarely discussed in the context of teleoperated road vehicles. The focus of this paper is to systematically analyze the potential hazards of teleoperation systems. An appropriate hazard analysis method (STPA) is chosen from literature and applied to the system at hand. The hazard analysis is an essential part in developing a safety concept (e.g., according to ISO26262) and thus far has not been discussed for teleoperated road vehicles.

Robert Graubohm,Marvin Loba,Marcus Nolte,Markus Maurer

DOI: https://doi.org/10.1515/auto-2022-0164

2024-03-11

Abstract:Developers have to obtain a sound understanding of existing risk potentials already in the concept phase of driverless vehicles. Deductive as well as inductive SOTIF analyses of potential triggering conditions for hazardous behavior help to achieve this goal. In this regard, ISO 21448 suggests conducting a System-Theoretic Process Analysis (STPA). In this article, we introduce German terminology for SOTIF considerations and critically discuss STPA theory in the course of an example application, while also proposing methodological additions. -- --

Systems and Control

J. Fabian,Stephan Reinhofer,Markus Ernst,Adam Schnellbach

DOI: https://doi.org/10.17758/ur.u0915115

2015-09-07

Abstract:Ongoing advances in mechatronic components and power electronics help to improve control systems within automotive applications. New developed or designed components enable more efficient system architectures and control. The management of several parameters of future drive architectures, such as high torque and power output, high system efficiency, low mass, low energy consumption, very low exhaust gas emissions, and low costs is essential for future propulsion concepts. Based on these development trends, mechatronic systems within automotive engineering are gaining more and more importance. At the same time, quality and safety requirements become challenging for automotive manufacturers as well as their suppliers regarding the reduction of the initial risk and increase of component reliability in a high degree. Therefore, safety-relevant aspects in the development of modern mechatronic systems have to be considered thoroughly. The high number of technical properties and complex connections of mechatronics systems in the development of modern vehicles are very challenging for state-of-the-art analysis methods. For this reason, new and innovational safety concepts are required to optimize existing safety concepts using conventional components and methods in combination. This paper includes a detailed comparison of different analysing methods to identify systematic and random failures, as well as safety standards such as IEC 61508 (Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems) and ISO 26262 (Road vehicles - Functional safety). To fulfil safety standards nowadays for complex mechatronic systems, several different analysis methods have to be applied. Only the connection of a safe fault recognition with a safe fault reaction enables a system to avoid harmful consequences. Regarding product development, there is an ongoing change from routine tests (durability tests) to testing selected parts of a safety function (fault injection tests). How action is taken is changing, with a trend towards a further development of IT tools, supporting functional safe systems holistically, including hazard analysis and risk assessment, integrated system analysis of systematic and random failures, and hardware metrics. The publication closes with an overview of a functional safety concept and presents an outlook to future trends of safety systems analysis

Engineering

Erwin de Gelder,Olaf Op den Camp

DOI: https://doi.org/10.1016/j.ssci.2023.106233

2023-09-05

Abstract:The development of Automated Driving Systems (ADSs) has made significant progress in the last years. To enable the deployment of Automated Vehicles (AVs) equipped with such ADSs, regulations concerning the approval of these systems need to be established. In 2021, the World Forum for Harmonization of Vehicle Regulations has approved a new United Nations regulation concerning the approval of Automated Lane Keeping Systems (ALKSs). An important aspect of this regulation is that "the activated system shall not cause any collisions that are reasonably foreseeable and preventable." The phrasing of "reasonably foreseeable and preventable" might be subjected to different interpretations and, therefore, this might result in disagreements among AV developers and the authorities that are requested to approve AVs. The objective of this work is to propose a method for quantifying what is "reasonably foreseeable and preventable". The proposed method considers the Operational Design Domain (ODD) of the system and can be applied to any ODD. Having a quantitative method for determining what is reasonably foreseeable and preventable provides developers, authorities, and the users of ADSs a better understanding of the residual risks to be expected when deploying these systems in real traffic. Using our proposed method, we can estimate what collisions are reasonably foreseeable and preventable. This will help in setting requirements regarding the safety of ADSs and can lead to stronger justification for design decisions and test coverage for developing ADSs.

Robotics

Liangliang Sun,Yan-Fu Li,Enrico Zio

DOI: https://doi.org/10.1115/1.4051940

2022-01-01

Abstract:As autonomous vehicle (AV) intelligence for controllability continues to develop, involving increasingly complex and interconnected systems, the maturity level of AV technology increasingly depends on the systems reliability level, also considering the interactions among them. Hazard analysis is typically used to identify potential system risks and avoid loss of AV system functionality. Conventional hazard analysis methods are commonly used for traditional standalone systems. New hazard analysis methods have been developed that may be more suitable for AV system-of-systems complexity. However, a comprehensive comparison of hazard analysis methods for AV systems is lacking. In this study, the traditional hazard analysis methods, hazard and operability (HAZOP) and failure mode and effects analysis (FMEA), as well as the most recent methods, like functional resonance analysis method (FRAM) and system-theoretic process analysis (STPA), are considered for implementation in the automatic emergency braking system. This system is designed to avoid collisions by utilizing the surrounding sensors to detect objects on the road, warning drivers with alerts about any collision risk, and actuating automatic partial/full braking through calculated adaptive braking deceleration. The objective of this work is to evaluate the methods with the unified theory of acceptance and use of technology (UTAUT) approach, in terms of their applicability to AV technologies. The advantages of HAZOP, FMEA, FRAM, and STPA, as well as the possibility of combining them to achieve systematic risk identification in practice, are discussed.

Naveen Mohan,Martin Törngren,Sagar Behere

DOI: https://doi.org/10.48550/arXiv.1912.03178

2019-12-06

Systems and Control

Abstract:With the advent of ISO 26262 there is an increased emphasis on top-down design in the automotive industry. ISO 26262 lacks detailed requirements for its various constituent phases. The lack of guidance becomes evident for the reuse of legacy components and subsystems, leaving vehicle architects and safety engineers to rely on experience without methodological support for their decisions. This poses challenges in the industry which is undergoing many significant changes due to new features like connectivity, electrification and automation. Here we focus on automated driving where multiple subsystems, both new and legacy, need to coordinate to realize a safety-critical function. This paper introduces a method to support consistent design of an ISO 26262 work product, the Functional Safety Concept (FSC). The method addresses a need within the industry for architectural analysis, rationale management and reuse of legacy subsystems. The method makes use of an existing work product, the diagnostic specifications of a subsystem, to assist in performing a systematic assessment of the influence a human driver, in the design of the subsystem. The output of the method is a report with an abstraction level suitable for a vehicle architect, used as a basis for decisions related to the FSC such as generating a Preliminary Architecture (PA) and building up argumentation for verification of the FSC. The proposed method is tested in a safety-critical braking subsystem at one of the largest heavy vehicle manufacturers in Sweden, Scania C.V. AB. The results demonstrate the benefits of the method including (i) reuse of pre-existing work products, (ii) gathering requirements for automated driving functions while designing the PA and FSC, (iii) the parallelization of work across the organization on the basis of expertise, and (iv) the applicability of the method across all types of subsystems.

J. Ploeg,E. de Gelder,M. Slavík,E. Querner,T. Webster,N. de Boer

DOI: https://doi.org/10.48550/arXiv.2112.09366

2021-12-17

Abstract:Automated vehicles (AVs) are expected to increase traffic safety and traffic efficiency, among others by enabling flexible mobility-on-demand systems. This is particularly important in Singapore, being one of the world's most densely populated countries, which is why the Singaporean authorities are currently actively facilitating the deployment of AVs. As a consequence, however, the need arises for a formal AV road approval procedure. To this end, a safety assessment framework is proposed, which combines aspects of the standardized functional safety design methodology with a traffic scenario-based approach. The latter involves using driving data to extract AV-relevant traffic scenarios. The underlying approach is based on decomposition of scenarios into elementary events, subsequent scenario parametrization, and sampling of the estimated probability density functions of the scenario parameters to create test scenarios. The resulting test scenarios are subsequently employed for virtual testing in a simulation environment and physical testing on a proving ground and in real life. As a result, the proposed assessment pipeline thus provides statistically relevant and quantitative measures for the AV performance in a relatively short time frame due to the simulation-based approach. Ultimately, the proposed methodology provides authorities with a formal road approval procedure for AVs. In particular, the proposed methodology will support the Singaporean Land Transport Authority for road approval of AVs.

Robotics

Víctor J. Expósito Jiménez,Helmut Martin,Christian Schwarzl,Georg Macher,Eugen Brenner

DOI: https://doi.org/10.1007/978-3-031-14862-0_1

2023-02-01

Abstract:Safety in the automotive domain is a well-known topic, which has been in constant development in the past years. The complexity of new systems that add more advanced components in each function has opened new trends that have to be covered from the safety perspective. In this case, not only specifications and requirements have to be covered but also scenarios, which cover all relevant information of the vehicle environment. Many of them are not yet still sufficient defined or considered. In this context, Safety of the Intended Functionality (SOTIF) appears to ensure the system when it might fail because of technological shortcomings or misuses by users. An identification of the plausibly insufficiencies of ADAS/ADS functions has to be done to discover the potential triggering conditions that can lead to these unknown scenarios, which might effect a hazardous behaviour. The main goal of this publication is the definition of an use case to identify these triggering conditions that have been applied to the collision avoidance function implemented in our self-developed mobile Hardware-in-Loop (HiL) platform.

Software Engineering

Thomas Ponn,Matthias Breitfuß,Xiao Yu,Frank Diermeyer

DOI: https://doi.org/10.48550/arXiv.2008.11609

2020-08-26

Abstract:For a successful market launch of automated vehicles (AVs), proof of their safety is essential. Due to the open parameter space, an infinite number of traffic situations can occur, which makes the proof of safety an unsolved problem. With the so-called scenario-based approach, all relevant test scenarios must be identified. This paper introduces an approach that finds particularly challenging scenarios from real driving data (\RDDwo) and assesses their difficulty using a novel metric. Starting from the highD data, scenarios are extracted using a hierarchical clustering approach and then assigned to one of nine pre-defined functional scenarios using rule-based classification. The special feature of the subsequent evaluation of the concrete scenarios is that it is independent of the performance of the test vehicle and therefore valid for all AVs. Previous evaluation metrics are often based on the criticality of the scenario, which is, however, dependent on the behavior of the test vehicle and is therefore only conditionally suitable for finding "good" test cases in advance. The results show that with this new approach a reduced number of particularly challenging test scenarios can be derived.

Robotics

Abderraouf Boussif,Abhimanyu Tonk,Julie Beugin,Simon Collart Dutilleul

DOI: https://doi.org/10.1080/09617353.2023.2226965

2023-07-13

Safety and Reliability

Abstract:The level of automation in transportation systems is steadily on the rise, particularly in railways. However, this increase in automation implies a review of the previously established safety assessments, safety cases, and safety principles. Concretely, to ensure the overall safety of automated systems, it is crucial to provide conclusive assurance not only for their functional systems but also for any potential operational interactions that may arise unexpectedly. In this paper, we propose a risk assessment method to deal with the operational safety of the remote driving of freight trains. The established approach is based on the GAME principle (i.e. the French safety principle ' Globally at least equivalent '), which tends to assure the non-regression of the railway safety level. Firstly, the approach aims to perform a risk gap analysis with respect to driver's handbook procedures to identify the (operational) hazards and dangerous situations/scenarios generated by remote driving on the rail system. This analysis is completed by the identification of hazards due to the fact that the remote driving is not able to fully comply with the requirements of the driver's handbook. Then, the methodology is used to identify the risk control measures and the safety requirements to meet safety targets (i.e. maintaining the safety level at least equivalent to that obtained so far with in-cab driver). The obtained results are presented and structured in a table inspired by the preliminary operational hazards analysis (P-OHA) process.

Christian Reichenbächer,Jochen Hipp,Oliver Bringmann

2024-04-09

Abstract:Ensuring the safety of road vehicles at an acceptable level requires the absence of any unreasonable risk arising from all potential hazards linked to the intended au-tomated driving function and its implementation. The assurance that there are no unreasonable risks stemming from hazardous behaviours associated to functional insufficiencies is denoted as safety of intended functionality (SOTIF), a concept outlined in the ISO 21448 standard. In this context, the acquisition of real driving data is considered essential for the verification and validation. For this purpose, we are currently developing a method with which data collect-ed representatively from production vehicles can be modelled into a knowledge-based system in the future. A system that represents the probabilities of occur-rence of concrete driving scenarios over the statistical population of road traffic and makes them usable. The method includes the qualitative and quantitative ab-straction of the drives recorded by the sensors in the vehicles, the possibility of subsequent wireless transmission of the abstracted data from the vehicles and the derivation of the distributions and correlations of scenario parameters. This paper provides a summary of the research project and outlines its central idea. To this end, among other things, the needs for statistical information and da-ta from road traffic are elaborated from ISO 21448, the current state of research is addressed, and methodical aspects are discussed.

Robotics,Systems and Control