-
Showcasing Automated Vehicle Prototypes: A Collaborative Release Process to Manage and Communicate Risk
Authors:
Marvin Loba,
Robert Graubohm,
Markus Maurer
Abstract:
The development and deployment of automated vehicles pose major challenges for manufacturers to this day. Whilst central questions, like the issue of ensuring a sufficient level of safety, remain unanswered, prototypes are increasingly finding their way into public traffic in urban areas. Although safety concepts for prototypes are addressed in literature, published work hardly contains any dedica…
▽ More
The development and deployment of automated vehicles pose major challenges for manufacturers to this day. Whilst central questions, like the issue of ensuring a sufficient level of safety, remain unanswered, prototypes are increasingly finding their way into public traffic in urban areas. Although safety concepts for prototypes are addressed in literature, published work hardly contains any dedicated considerations on a systematic release for their operation. In this paper, we propose an incremental release process for public demonstrations of prototypes' automated driving functionality. We explicate release process requirements, derive process design decisions, and define stakeholder tasks. Furthermore, we reflect on practical insights gained through implementing the release process as part of the UNICAR$agil$ research project, in which four prototypes based on novel vehicle concepts were built and demonstrated to the public. One observation is the improved quality of internal risk communication, achieved by dismantling information asymmetries between stakeholders. Design conflicts are disclosed - providing a contribution to nurture transparency and, thereby, supporting a valid basis for release decisions. We argue that our release process meets two important requirements, as the results suggest its applicability to the domain of automated driving and its scalability to different vehicle concepts and organizational structures.
△ Less
Submitted 24 April, 2024;
originally announced April 2024.
-
Identifikation auslösender Umstände von SOTIF-Gefährdungen durch systemtheoretische Prozessanalyse
Authors:
Robert Graubohm,
Marvin Loba,
Marcus Nolte,
Markus Maurer
Abstract:
Developers have to obtain a sound understanding of existing risk potentials already in the concept phase of driverless vehicles. Deductive as well as inductive SOTIF analyses of potential triggering conditions for hazardous behavior help to achieve this goal. In this regard, ISO 21448 suggests conducting a System-Theoretic Process Analysis (STPA). In this article, we introduce German terminology f…
▽ More
Developers have to obtain a sound understanding of existing risk potentials already in the concept phase of driverless vehicles. Deductive as well as inductive SOTIF analyses of potential triggering conditions for hazardous behavior help to achieve this goal. In this regard, ISO 21448 suggests conducting a System-Theoretic Process Analysis (STPA). In this article, we introduce German terminology for SOTIF considerations and critically discuss STPA theory in the course of an example application, while also proposing methodological additions. -- --
Um bereits in der Konzeptphase autonomer Fahrzeuge einen fundierten Eindruck bestehender Risikopotenziale zu erhalten, werden im Zuge von deduktiven und induktiven SOTIF-Analysen mögliche auslösende Umstände für gefährliches Verhalten untersucht. In diesem Zusammenhang wird in der ISO 21448 die Durchführung einer systemtheoretischen Prozessanalyse (STPA) vorgeschlagen. In diesem Beitrag führen wir deutsche Terminologie für SOTIF-Betrachtungen ein und setzen uns im Zuge einer Anwendung kritisch mit der STPA-Theorie auseinander, wobei wir begleitend methodische Ergänzungen anregen.
△ Less
Submitted 11 March, 2024;
originally announced March 2024.
-
On Assumptions with Respect to Occlusions in Urban Environments for Automated Vehicle Speed Decisions
Authors:
Robert Graubohm,
Nayel Fabian Salem,
Marcus Nolte,
Markus Maurer
Abstract:
Automated driving systems are subject to various kinds of uncertainty during design, development, and operation. These kinds of uncertainty lead to an inherent risk of the technology that can be mitigated, but never fully eliminated. Situations involving obscured traffic participants have become popular examples in the field to illustrate a subset of these uncertainties that developers must deal w…
▽ More
Automated driving systems are subject to various kinds of uncertainty during design, development, and operation. These kinds of uncertainty lead to an inherent risk of the technology that can be mitigated, but never fully eliminated. Situations involving obscured traffic participants have become popular examples in the field to illustrate a subset of these uncertainties that developers must deal with during system design and implementation. In this paper, we describe necessary assumptions for a speed choice in a situation in which an ego-vehicle passes parked vehicles that generate occluded areas where a human intending to cross the road could be obscured. We develop a calculation formula for a dynamic speed limit that mitigates the collision risk in this situation, and investigate the resulting speed profiles in simulation based on example assumptions. This paper has two main results: First, we show that even without worst-case assumptions, dramatically reduced speeds would be driven to avoid collisions. Second, we highlight that design decisions regarding occlusion treatment are directly related to the risk that automated vehicles pose to pedestrians in urban environments. In this respect, we conclude that there needs to be a broader discussion about acceptable assumptions.
△ Less
Submitted 14 February, 2024; v1 submitted 15 May, 2023;
originally announced May 2023.
-
Risk Management Core -- Towards an Explicit Representation of Risk in Automated Driving
Authors:
Nayel Fabian Salem,
Thomas Kirschbaum,
Marcus Nolte,
Christian Lalitsch-Schneider,
Robert Graubohm,
Jan Reich,
Markus Maurer
Abstract:
While current automotive safety standards provide implicit guidance on how unreasonable risk can be avoided, manufacturers are required to specify risk acceptance criteria for Automated Driving Systems (SAE Level 3 and higher). However, the 'unreasonable' level of risk of Automated Driving Systems is not yet concisely defined. Solely applying current safety standards to such novel systems could po…
▽ More
While current automotive safety standards provide implicit guidance on how unreasonable risk can be avoided, manufacturers are required to specify risk acceptance criteria for Automated Driving Systems (SAE Level 3 and higher). However, the 'unreasonable' level of risk of Automated Driving Systems is not yet concisely defined. Solely applying current safety standards to such novel systems could potentially not be sufficient for their acceptance. As risk is managed with implicit knowledge about safety measures in existing automotive standards, an explicit alignment with risk acceptance criteria is challenging. Hence, we propose an approach for an explicit representation and management of risk, which we call the Risk Management Core. The proposal of this process framework is based on requirements elicited from current safety standards and is applied to the task of specifying safe behavior for an Automated Driving System in an example scenario.
△ Less
Submitted 8 March, 2024; v1 submitted 15 February, 2023;
originally announced February 2023.
-
Designing an Automated Vehicle: Strategies for Handling Tasks of a Previously Required Accompanying Person
Authors:
Tobias Schräder,
Robert Graubohm,
Nayel Fabian Salem,
Markus Maurer
Abstract:
When using a conventional passenger car, several groups of people are reliant on the assistance of an accompanying person, for example when getting in and out of the car. For the independent use of an automatically driving vehicle by those groups, the absence of a previously required accompanying person needs to be compensated. During the design process of an autonomous family vehicle, we found th…
▽ More
When using a conventional passenger car, several groups of people are reliant on the assistance of an accompanying person, for example when getting in and out of the car. For the independent use of an automatically driving vehicle by those groups, the absence of a previously required accompanying person needs to be compensated. During the design process of an autonomous family vehicle, we found that a low-barrier vehicle design can only partly contribute to the compensation for the absence of a required human companion. In this paper, we present four strategies we identified for handling the tasks of a previously required accompanying individual. The presented top-down approach supports developers in identifying unresolved problems, in finding, structuring, and selecting solutions as well as in uncovering upcoming problems at an early stage in the development of novel concepts for driverless vehicles. As an example, we consider the hypothetical exit of persons in need of assistance. The application of the four strategies in this example demonstrates the far-reaching impact of consistently considering users in need of support in the development of automated vehicles.
△ Less
Submitted 22 September, 2022;
originally announced September 2022.
-
Ein Beitrag zur durchgängigen, formalen Verhaltensspezifikation automatisierter Straßenfahrzeuge
Authors:
Nayel Fabian Salem,
Veronica Haber,
Matthias Rauschenbach,
Marcus Nolte,
Jan Reich,
Torben Stolte,
Robert Graubohm,
Markus Maurer
Abstract:
Assuring safety of automated vehicles (SAE Level 3+) requires specifying and validating the behavior of such a vehicle in its operational environment. In order to argue and support assumptions that are made during the behavior specification within scenarios, a traceable documentation of design decisions is required. With the introduction of the \textit{semantic norm behavior analysis} a method is…
▽ More
Assuring safety of automated vehicles (SAE Level 3+) requires specifying and validating the behavior of such a vehicle in its operational environment. In order to argue and support assumptions that are made during the behavior specification within scenarios, a traceable documentation of design decisions is required. With the introduction of the \textit{semantic norm behavior analysis} a method is proposed, which contributes to a traceable map** of concerns towards the behavior of an automated vehicle in its operational environment to a formal rule system of semantic concepts for considered scenarios. In this work, a semantic norm behavior analysis is conducted in two selected example scenarios. Thereby, an example of the formalization of behavioral rules from an excerpt of the German traffic code is given.
--
Die Absicherung automatisierter Straßenfahrzeuge (SAE Level 3+) setzt die Spezifikation und Überprüfung des Verhaltens eines Fahrzeugs in seiner Betriebsumgebung voraus. Um Annahmen, welche bei der Verhaltensspezifikation innerhalb von Szenarien getroffen werden, begründen und belegen zu können, ist eine durchgängige Dokumentation dieser Entwurfsentscheidungen erforderlich. Mit der Einführung der \textit{semantischen Normverhaltensanalyse} wird eine Methode vorgeschlagen, mithilfe derer Ansprüche an das Verhalten eines automatisierten Fahrzeugs in seiner Betriebsumgebung durchgängig auf ein formales Regelsystem aus semantischen Konzepten für ausgewählte Szenarien abgebildet werden können. Eine semantische Normverhaltensanalyse wird in dieser Arbeit in zwei ausgewählten Szenarien durchgeführt. Hierfür werden Verhaltensregeln aus einem Auszug der Straßenverkehrsordnung exemplarisch formalisiert.
△ Less
Submitted 15 September, 2022;
originally announced September 2022.
-
Compensating for the Absence of a Required Accompanying Person: A Draft of a Functional System Architecture for an Automated Vehicle
Authors:
Tobias Schräder,
Torben Stolte,
Inga Jatzkowski,
Robert Graubohm,
Marcus Nolte,
Markus Maurer
Abstract:
A major challenge in the development of a fully automated vehicle is to enable a large variety of users to use the vehicle independently and safely. Particular demands arise from user groups who rely on human assistance when using conventional cars. For the independent use of a vehicle by such groups, the vehicle must compensate for the absence of an accompanying person, whose actions and decision…
▽ More
A major challenge in the development of a fully automated vehicle is to enable a large variety of users to use the vehicle independently and safely. Particular demands arise from user groups who rely on human assistance when using conventional cars. For the independent use of a vehicle by such groups, the vehicle must compensate for the absence of an accompanying person, whose actions and decisions ensure the accompanied person's safety even in unknown situations. The resulting requirements cannot be fulfilled only by the geometric design of the vehicle and the nature of its control elements. Special user needs must be taken into account in the entire automation of the vehicle. In this paper, we describe requirements for compensating for the absence of an accompanying person and show how required functions can be located in a hierarchical functional system architecture of an automated vehicle. In addition, we outline the relevance of the vehicle's operational design domain in this context and present a use case for the described functionalities.
△ Less
Submitted 30 August, 2022;
originally announced August 2022.
-
A Taxonomy to Unify Fault Tolerance Regimes for Automotive Systems: Defining Fail-Operational, Fail-Degraded, and Fail-Safe
Authors:
Torben Stolte,
Stefan Ackermann,
Robert Graubohm,
Inga Jatzkowski,
Björn Klamann,
Hermann Winner,
Markus Maurer
Abstract:
This paper presents a taxonomy that allows defining the fault tolerance regimes fail-operational, fail-degraded, and fail-safe in the context of automotive systems. Fault tolerance regimes such as these are widely used in recent publications related to automated driving, yet without definitions. This largely holds true for automotive safety standards, too. We show that fault tolerance regimes defi…
▽ More
This paper presents a taxonomy that allows defining the fault tolerance regimes fail-operational, fail-degraded, and fail-safe in the context of automotive systems. Fault tolerance regimes such as these are widely used in recent publications related to automated driving, yet without definitions. This largely holds true for automotive safety standards, too. We show that fault tolerance regimes defined in scientific publications related to the automotive domain are partially ambiguous as well as taxonomically unrelated. The presented taxonomy is based on terminology stemming from ISO 26262 as well as from systems engineering. It uses four criteria to distinguish fault tolerance regimes. In addition to fail-operational, fail-degraded, and fail-safe, the core terminology consists of operational and fail-unsafe. These terms are supported by definitions of available performance, nominal performance, functionality, and a concise definition of the safe state. For verification, we show by means of two examples from the automotive domain that the taxonomy can be applied to hierarchical systems of different complexity.
△ Less
Submitted 12 July, 2022; v1 submitted 21 June, 2021;
originally announced June 2021.
-
Towards Efficient Hazard Identification in the Concept Phase of Driverless Vehicle Development
Authors:
Robert Graubohm,
Torben Stolte,
Gerrit Bagschik,
Markus Maurer
Abstract:
The complex functional structure of driverless vehicles induces a multitude of potential malfunctions. Established approaches for a systematic hazard identification generate individual potentially hazardous scenarios for each identified malfunction. This leads to inefficiencies in a purely expert-based hazard analysis process, as each of the many scenarios has to be examined individually. In this…
▽ More
The complex functional structure of driverless vehicles induces a multitude of potential malfunctions. Established approaches for a systematic hazard identification generate individual potentially hazardous scenarios for each identified malfunction. This leads to inefficiencies in a purely expert-based hazard analysis process, as each of the many scenarios has to be examined individually. In this contribution, we propose an adaptation of the strategy for hazard identification for the development of automated vehicles. Instead of focusing on malfunctions, we base our process on deviations from desired vehicle behavior in selected operational scenarios analyzed in the concept phase. By evaluating externally observable deviations from a desired behavior, we encapsulate individual malfunctions and reduce the amount of generated potentially hazardous scenarios. After introducing our hazard identification strategy, we illustrate its application on one of the operational scenarios used in the research project UNICAR$agil$.
△ Less
Submitted 13 January, 2021; v1 submitted 22 April, 2020;
originally announced April 2020.