2019 Safety First for Automated Driving White Paper (English version) (157 pages).pdf

ID: 13094 | PDF | 157 pages | 4.20 MB | Download credits: VIP only

2019 SAFETY FIRST FOR AUTOMATED DRIVING

AUTHORS

Matthew Wood, M.Sc.
Dr. Philipp Robbel
Dr. Michael Maass
Dr. Radboud Duintjer Tebbens
Marc Meijs, M.Sc.
Mohamed Harb, M.Sc.
Jonathon Reach, B.Sc.
Karl Robinson
David Wittmann, M.Sc. (david.wittmann@audi.de)
Toshika Srivastava, M.Sc.
Dr.-Ing. Mohamed Essayed Bouzouraa
Siyuan Liu, BS, MBA
Yali Wang, MA
Dr.-Ing. Christian Knobel (christian.knobel@bmw.de)
Dipl.-Inf. David Boymanns (david.boymanns@bmw.de)
Dr.-Ing. Matthias Löhning
Dr. Bernhard Dehlink
Dirk Kaule, M.Sc.
Dipl.-Ing. Richard Krüger
Dr. Jelena Frtunikj
Dr. Florian Raisch
Dipl.-Math. Miriam Gruber
Jessica Steck, M.Sc.
Dipl.-Psych. Julia Mejia-Hernandez
Dipl.-Ing. Sandro Syguda (sandro.syguda@continental-)
Dipl.-Ing. Pierre Blüher
Dr.-Ing. Kamil Klonecki
Dr. Pierre Schnarz
Dr. Thomas Wiltschko
Dipl.-Inf. Stefan Pukallus
Dr.-Ing. Kai Sedlaczek
Neil Garbacik, M.Sc.
David Smerza, BSAE
Dr. Dalong Li
Dr. Adam Timmons
Marco Bellotti
Michael O'Brien, BS
Michael Schöllhorn
Dipl.-Ing. Udo Dannebaum
Jack Weast, BS, M.Sc.
Alan Tatourian, BS
Dr.-Ing. Bernd Dornieden (bernd.dornieden@volkswagen.de)
Dr.-Ing. Philipp Schnetter
Dr.-Ing. Dipl.-Wirt.Ing. Philipp Themann
Dr.-Ing. Thomas Weidner
Dr. rer. nat. Peter Schlicht

ABSTRACT

This publication summarizes widely known safety by design and verification and validation (V

AUDI AG; Bayrische Motoren Werke AG; Beijing Baidu Netcom Science Technology Co., Ltd; Continental Teves AG Daimler AG; FCA US LLC; HERE Global B.V.; Infineon Technologies AG; Intel;

Volkswagen AG. All rights reserved. The document and information contained herein is not a license, either expressly or impliedly, to any intellectual property owned or controlled by any of the authors or developers of this publication, and license to this document and information should not be considered to have been made available to parties receiving and/or reviewing this document and information. The information contained herein is provided on an "AS IS" basis, and to the maximum extent permitted by applicable law, the authors and developers of this document hereby disclaim all other warranties and conditions, either express, implied or statutory, including but not limited to, any (if any) implied warranties, duties or conditions of merchantability, of fitness for a particular purpose, of accuracy or completeness of responses, of results, of workmanlike effort, of lack of viruses, of lack of negligence. THERE IS NO WARRANTY OR CONDITION OF TITLE, QUIET ENJOYMENT, QUIET POSSESSION, OR NON-INFRINGEMENT.

1 INTRODUCTION

NCSA, 2015, p. 142).

1.3.2 The Twelve Principles of Automated Driving

Automated driving will improve performance in most situations compared to that of human drivers. However, it will not completely eliminate the risk of accidents or crashes. The goal of this publication is to present a generic approach for tackling the risks introduced by automated vehicles. While this common generic approach should be interpreted as a baseline for safe automated driving, it does not define a specific product that is complete and safe.

SECURITY
When providing an automated driving system, steps shall be taken to protect the automated driving system from security threats.

SAFE OPERATION
DEALING WITH DEGRADATION: If safety-related functions or system components become hazardous (e.g. unavailable), the automated driving system shall: be capable of compensating and transferring the system to a safe condition/state (with acceptable risk); ensure a sufficient time frame for the safe transition of control to the vehicle operator.
FAIL-OPERATIONAL (limited to the safety-related function or component): The loss of safety-related functions or system components shall not lead to a safety-related situation.

OPERATIONAL DESIGN DOMAIN
ODD DETERMINATION: As soon as system limits that restrict the safe functionality of the automated system are recognized, the system shall react to compensate or shall issue a driver takeover request with a sufficient time frame for the takeover.
MANAGE TYPICAL SITUATIONS: The automated driving system shall take into account situations that can typically be expected in the ODD and address possible risks.

VEHICLE OPERATOR-INITIATED HANDOVER
Engaging and disengaging the automated driving system shall require an explicit interaction from the vehicle operator, indicating a high confidence of intent.

USER RESPONSIBILITY
To promote safety, the user's state (i.e. state of alertness) must be suitable for a responsible takeover procedure. The system should be able to recognize the user's state and keep them informed about their responsibilities concerning the required user's task. It should also be able to inform the respective operator about safety-relevant driving situations in unmanned driving services.
RESPONSIBILITIES: The aspects of the driving task which remain under the user's responsibility must be clear to the user.
MODE AWARENESS: The automated function must ensure that the currently active driving mode can be recognized explicitly and unmistakably at any time. In addition, a change in driving mode must be clearly apparent to the user as well.

VEHICLE-INITIATED HANDOVER
MINIMAL RISK CONDITION: If the vehicle operator does not comply with a takeover request, the automated driving system must perform a maneuver to minimize risk, resulting in a minimal risk condition. This maneuver depends on the situation and the current performance of the automated driving system.
TAKEOVER REQUESTS: Vehicle-initiated handovers shall be clearly understandable and manageable for the vehicle operator.

INTERDEPENDENCY BETWEEN THE VEHICLE OPERATOR AND THE ADS
The overall evaluation of system safety needs to take effects on the driver due to automation into account, even when they occur immediately after the period of automated driving has ended and when a direct link to the automated driving part of the journey can be drawn.

SAFETY ASSESSMENT
Verification and validation shall be used to ensure that the safety goals are met so as to reach a consistent improvement of the overall safety.

DATA RECORDING
Automated vehicles shall record the relevant data pertaining to the status of the automated driving system when an event or incident is recognized, in a manner that complies with the applicable data privacy laws.

PASSIVE SAFETY
CRASH SCENARIOS: The vehicle layout should accommodate modifications to crash scenarios resulting from vehicle automation.
ALTERNATIVE SEATING POSITIONS: Occupant protection shall be ensured even when the customer has new uses for the interior that are made possible through automated driving systems.

BEHAVIOR IN TRAFFIC
MANNERS ON THE ROAD: The behavior of the automated function needs to be not only easy to understand for surrounding (vulnerable) road users, but also predictable and manageable.
CONFORMING TO RULES: The applicable traffic rules are to be taken into account by the automated driving system. The above principle "User Responsibility" describes the remaining user responsibilities.

SAFE LAYER
The automated driving system shall recognize system limits, especially those that do not allow the safe transition of control to the vehicle operator, and react to minimize the risk.

The generic approach of this publication is based on the twelve principles presented above, comprising a collection of publications and recommendations from mainly public authorities or consumer associations (IWG, 2017; ABI NTSB, 2017; NCSA, 2015; BMVI, 2017; StVG, 2018). These principles provide a foundation for deriving a baseline for the overall safety requirements and activities necessary for the different automated driving functions under consideration of a positive risk balance. The purpose of this publication is to highlight safety and security-relevant aspects of developing, producing, operating and maintaining automated driving vehicles, the combination of which leads to a safe product on the road. The aspects brought forward should contribute toward a foundation for the safety of automated driving vehicles. The consortium partners of this publication share the common goal of their automated driving vehicles being better than the average human driver during automated guidance and slightly before or after transitioning to human guidance within the same ODD, in terms of avoiding or mitigating related hazards with elevated severity, e.g. collisions or roadway departure crashes. At the same time, a slightly negative safety balance of the automated driving system in rare, improbable scenarios may still be acceptable, provided a positive risk balance is maintained across all situations.

Chapter 02 SYSTEMATICALLY DEVELOPING DEPENDABILITY TO SUPPORT SAFETY BY DESIGN

2 Systematically Developing Dependability to Support Safety by Design

This chapter describes how the three dependability domains, safety of the intended functionality (SOTIF), functional safety and cybersecurity, work together and how to combine them to create a dependable system. The chapter begins by introducing each domain and deriving automated driving capabilities from dependability. It then provides elements that can implement these capabilities. Lastly, it combines all elements by introducing a generic logical architecture (see Figure 2).

Figure 2: Systematic Development of Dependability (panels: Capabilities derived from Dependability; Generic Architecture Elements; Purpose of the Capabilities; Guideline Check; Connect the elements to a generic logical architecture; Generic Examples)

2.1 Deriving Capabilities of Automated Driving from Dependability Domains

Deriving capabilities from dependability domains begins with an overview of different international legal frameworks for automated driving vehicles to identify the requirements that capabilities should cover in addition to the twelve principles. The capabilities cover both SOTIF, which deals with human factors, and functional safety. Security works on the logical and technical architecture and provides input requirements for both. As there is currently no approved legislation or international standardization on automotive cybersecurity available, this section provides advice on security approaches and measures.

2.1.1 Legal Frameworks for Automated Driving Vehicles

Rules that explicitly address automated vehicles need to be fulfilled as well as those that apply to vehicles and road users in general, e.g. road traffic laws. All automated driving systems should comply with the legal regulations applicable to their ODD. This may include a set of federal, national and international regulations such as the following:

THE EU, JAPAN, REST OF THE WORLD (UN REGULATIONS)
The Vienna Convention of 1968 states that the driver must be in control of their vehicle at all times (United Nations, 1969). In 2014, the UNECE amended the regulation to include highly automated systems, provided that these continue to have a driver who is ready to take over driving functions and who can override the system and switch it on and off. However, this still presupposes that every vehicle must have a driver. UNECE WP.1 has already affirmed that the 1949 and 1968 Conventions apply to all driving situations, except those situations where the vehicle is moved exclusively by vehicle systems without the driver assuming any role at all. UNECE WP.1 is currently working on a draft resolution regarding the deployment of highly and fully automated vehicles in road traffic, which includes recommendations to contracting parties of the 1949/1968 Conventions on how to safely deploy such new technology (ECE/TRANS/WP.1/165, 2018).

US
The U.S. DOT Federal Automated Vehicles Policy of 2016 (U.S. DOT, 2016), replaced with the Automated Driving Systems: A Vision for Safety (NHTSA, 2017), provides the industry and states with a framework to analyze and communicate a safety strategy using a Voluntary Safety Self-Assessment on automated driving systems for SAE Automation Levels 3-5. This framework highlights a wide range of demands on the development and safety verification and validation of automated driving systems that are also based on twelve principles. In order to realize the appropriate legal frameworks, automated driving system regulations at the international, national, regional and local levels must coexist and coordinate with minimal conflict while taking into account existing automobile legal frameworks. There is a need for one legal framework at the national level that may provide the base framework for automated driving system regulation. This would form the foundation for the development of new Federal Motor Vehicle Safety Standards (FMVSS) by the National Highway Traffic Safety Administration (NHTSA). There is currently an opportunity and the need for the governments of the world to analyze their present automobile legislation to understand the areas that require adaptation. Doing so will promote and enable the mass production of the different levels of automated driving systems and will, in particular, facilitate regulation of the safety of near-future SAE L3 and L4 technology.

CHINA
The Ministry of Industry and Information Technology of the People's Republic of China released the Guidelines for the Construction of the National Internet of Vehicle Industry Standard System (Intelligent

it can also be compromised by an overly conservative, overly complex or flawed safety mechanism design, flawed system design, insufficient sensor diversity regarding modality and redundancy, environmental factors, human mode confusion arising from poorly designed HMI, or automation effects (interdependency between the vehicle operator and the ADS). To achieve the balance between fail-safe and availability, the design is analyzed and built from the top down. The first analysis is carried out irrespective of the generic logical architecture. The process includes risk assessments to determine the safety requirements of the system being designed. Ultimately, this evolves into a safety concept, defining safety mechanisms to support the safety goals.

2.1.3 Safety of the Intended Functionality

The basic concept of the safety of the intended functionality (SOTIF) approach is to introduce an iterative function development and design process that includes validation and verification and that leads to an intended function that could be declared safe. Several activities will be derived based on an approach that argues that these activities are adequate for developing an automated functionality that is safe. This approach assumes that there is an area of known scenarios with safe system behavior and an unknown area with potential harm. In reality, these areas overlap, as visualized in Figure 4
