SAFETY FIRST FOR AUTOMATED DRIVING (2019)

AUTHORS
Matthew Wood, M.Sc.
Dr.-Ing. Christian Knobel
Neil Garbacik
Philipp Robbel
Dipl.-Inf. David Boymanns
David Smerza
Dr. Dalong Li
Dr. Michael Maass
Dr.-Ing. Matthias Löhning
Dr. Adam Timmons
Dr. Radboud Duintjer Tebbens
Dr. Bernhard Dehlink
Marco Bellotti
Marc Meijs, M.Sc.
Dirk Kaule, M.Sc.
Mohamed Harb, M.Sc.
Dipl.-Ing. Richard Krüger
Jonathon Reach, B.Sc.
Dr. Jelena Frtunikj
Karl Robinson
Dr. Florian Raisch
Michael O'Brien, BS
Dipl.-Math. Miriam […]
[…] Steck, M.Sc.
Michael Schöllhorn
David Wittmann, M.Sc.
Dipl.-Psych. Julia […]
[…] Srivastava, M.Sc.
Dr.-Ing. Mohamed Essayed
Dipl.-Ing. Sandro Syguda
Dipl.-Ing. Udo […]
Pierre Blüher
Siyuan Liu, BS, MBA
Dr.-Ing. Kamil […]
Pierre Schnarz
Jack Weast, BS, M.Sc.
Yali Wang
[…]
Alan Tatourian, BS
Dr. Thomas […]
Stefan Pukallus
Dr.-Ing. Kai Sedlaczek
Dr.-Ing. Bernd […]
Philipp Schnetter
Dr.-Ing. Dipl.-Wirt.Ing. Philipp Themann
Dr.-Ing. Thomas Weidner
Dr. rer. nat. Peter Schlicht
ABSTRACT
This publication summarizes widely known safety by design and verification and validation (V&V) methods of SAE L3 and L4 automated driving. This summary is required for maximizing the evidence of a positive risk balance of automated driving solutions compared to the average human driving performance. There is already a vast array of publications focusing on only specific subtopics of automated driving. In contrast, this publication promotes a comprehensive approach to safety relevant topics of automated driving and is based on the input of OEMs, tiered suppliers and key technology providers. The objective of this publication is to systematically break down safety principles into safety by design capabilities, elements and architectures and then to summarize the V&V methods in order to demonstrate the positive risk balance. With Level 3 and 4 automated driving systems still under development, this publication represents guidance for potential methods and considerations in the development and V&V. This publication is not intended to serve as a final statement or minimum or maximum guideline or standard for automated driving systems. Instead, the intent of this publication is to contribute to current activities working towards the industry-wide standardization of automated driving.

REFERENCED STANDARDS
ISO/PAS 21448:2019 Road Vehicles – Safety of the intended functionality (SOTIF)
ISO 26262:2018 Road Vehicles – Functional safety
ISO/SAE CD 21434 Road Vehicles – Cybersecurity engineering
ISO 19157:2013 Geographic information – Data quality
ISO/TS 19158:2012 Geographic information – Quality assurance of data supply
ISO/TS 16949:2009 Quality management systems – Particular requirements for the application of ISO 9001:2008 for automotive production and relevant service part organizations
ISO/IEC 2382-1:1993 Information technology – Vocabulary – Part 1: Fundamental terms
ISO/IEC/IEEE 15288:2015 Systems and software engineering – System life cycle processes

Copyright 2019 by Aptiv Services US, LLC; AUDI AG; Bayrische Motoren Werke AG; Beijing Baidu Netcom Science Technology Co., Ltd; Continental Teves AG & Co. oHG; Daimler AG; FCA US LLC; HERE Global B.V.; Infineon Technologies AG; Intel; Volkswagen AG. All rights reserved.

The document and information contained herein is not a license, either expressly or impliedly, to any intellectual property owned or controlled by any of the authors or developers of this publication, and license to this document and information should not be considered to have been made available to parties receiving and/or reviewing this document and information. The information contained herein is provided on an "AS IS" basis, and to the maximum extent permitted by applicable law, the authors and developers of this document hereby disclaim all other warranties and conditions, either express, implied or statutory, including but not limited to, any (if any) implied warranties, duties or conditions of merchantability, of fitness for a particular purpose, of accuracy or completeness of responses, of results, of workmanlike effort, of lack of viruses, of lack of negligence. THERE IS NO WARRANTY OR CONDITION OF TITLE, QUIET ENJOYMENT, QUIET POSSESSION, OR NON-INFRINGEMENT.
Contents

1 INTRODUCTION & MOTIVATION ... 2
1.1 Scope of this Publication ... 2
1.2 Structure of and Development Examples Used in this Publication ... 4
1.3 Safety Vision ... 6
1.3.1 Background ... 6
1.3.2 The Twelve Principles of Automated Driving ... 6

2 SYSTEMATICALLY DEVELOPING DEPENDABILITY TO SUPPORT SAFETY BY DESIGN ... 12
2.1 Deriving Capabilities of Automated Driving from Dependability Domains ... 13
2.1.1 Legal Frameworks for Automated Driving Vehicles ... 13
2.1.2 Applying the Related Safety Standards ... 14
2.1.3 Safety of the Intended Functionality ... 17
2.1.4 Functional Safety ... 20
2.1.5 Automotive Cybersecurity
2.1.5.1 Why is Cybersecurity so Important for Safety?
2.1.5.2 Cybersecurity Approach and Measures ... 24
2.1.6 Capabilities of Automated Driving
2.1.6.1 Initial Derivation of Capabilities
2.1.6.2 Overview of the Capabilities ... 30
2.1.7 Minimal Risk Conditions and Minimal Risk Maneuvers ... 34
2.2 Elements for Implementing the Capabilities ... 36
2.2.1 Implementing the Capabilities
2.2.1.1 FS 1: Determine location
2.2.1.2 FS 2: Perceive relevant static and dynamic objects in proximity to the automated vehicle
2.2.1.3 FS 3: Predict the future behavior of relevant objects
2.2.1.4 FS 4: Create a collision-free and lawful driving plan ... 40
2.2.1.5 FS 5: Correctly execute and actuate the driving plan ... 42
2.2.1.6 FS 6: Communicate and interact with other (vulnerable) road users
2.2.1.7 FS 7: Determine if specified nominal performance is not achieved
2.2.1.8 FD 1: Ensure controllability for the vehicle operator
2.2.1.9 FD 2: Detect when degraded performance is not available
2.2.1.10 FD 3: Ensure safe mode transitions and awareness
2.2.1.11 FD 4: React to insufficient nominal performance and other failures via degradation ... 45
2.2.1.12 FD 5: Reduce system performance in the presence of failure for the degraded mode
2.2.1.13 FD 6: Perform degraded mode within reduced system constraints ... 46
2.2.2 Elements
2.2.2.1 Environment Perception Sensors
2.2.2.2 A-Priori Perception Sensors
2.2.2.3 V2X
2.2.2.4 Sensor Fusion
2.2.2.5 Interpretation and Prediction
2.2.2.6 Localization
2.2.2.7 ADS Mode Manager
2.2.2.8 Egomotion
2.2.2.9 Drive Planning
2.2.2.10 Traffic Rules
2.2.2.11 Motion Control
2.2.2.12 Motion Actuators
2.2.2.13 Body Control with Secondary Actuators
2.2.2.14 Human-Machine Interaction
2.2.2.15 User State Determination
2.2.2.16 Vehicle State
2.2.2.17 Monitors (Nominal and Degraded Modes)
2.2.2.18 Processing Unit ... 64
2.2.2.19 Power Supply
2.2.2.20 Communication Network ... 65
2.3 Generic Logical Architecture ... 65

3 VERIFICATION AND VALIDATION ... 72
3.1 The Scope and Main Steps of V&V for Automated Driving Systems ... 72
3.2 Key Challenges for V&V of L3 and L4 Systems ... 75
3.3 V&V Approach for Automated Driving Systems ... 76
3.3.1 Defining Test Goals & Objectives (Why & How Well) ... 77
3.3.2 Test Design Techniques (How) ... 77
3.3.3 Test Platforms (Where) ... 78
3.3.4 Test Strategies in Response to the Key Challenges ... 79
3.4 Quantity and Quality of Testing ... 83
3.4.1 Equivalence Classes and Scenario-Based Testing ... 84
3.5 Simulation ... 85
3.5.1 Types of Simulation ... 87
3.5.2 Simulation Scenario Generation ... 88
3.5.3 Validating Simulation ... 89
3.5.4 Further Topics in Simulation ... 89
3.6 V&V of Elements ... 90
3.6.1 A-Priori Information and Perception (Map) ... 91
3.6.2 Localization (Including GNSS) ... 92
3.6.3 Environment Perception Sensors, V2X and Sensor Fusion ... 92
3.6.4 Interpretation and Prediction, Drive Planning and Traffic Rules ... 93
3.6.5 Motion Control ... 93
3.6.6 Monitor, ADS Mode Manager (Including the Vehicle State) ... 93
3.6.7 Human-Machine Interaction ... 94
3.7 Field Operation (Monitoring, Configuration, Updates) ... 94
3.7.1 Testing Traceability ... 94
3.7.2 Robust Configuration and Change Management Process ... 95
3.7.3 Regression Prevention ... 95
3.7.4 Security Monitoring and Updates ... 96
3.7.5 Continuous Monitoring and Corrective Enforcement