66 research outputs found
Towards Efficient Hazard Identification in the Concept Phase of Driverless Vehicle Development
The complex functional structure of driverless vehicles induces a multitude
of potential malfunctions. Established approaches for a systematic hazard
identification generate individual potentially hazardous scenarios for each
identified malfunction. This leads to inefficiencies in a purely expert-based
hazard analysis process, as each of the many scenarios has to be examined
individually. In this contribution, we propose an adaptation of the strategy
for hazard identification for the development of automated vehicles. Instead of
focusing on malfunctions, we base our process on deviations from desired
vehicle behavior in selected operational scenarios analyzed in the concept
phase. By evaluating externally observable deviations from a desired behavior,
we encapsulate individual malfunctions and reduce the amount of generated
potentially hazardous scenarios. After introducing our hazard identification
strategy, we illustrate its application on one of the operational scenarios
used in the research project UNICAR.
Comment: Published in 2020 IEEE Intelligent Vehicles Symposium (IV), Las Vegas, NV, USA, October 19-November 13, 202
Functional Safety Concept Generation within the Process of Preliminary Design of Automated Driving Functions at the Example of an Unmanned Protective Vehicle
Structuring the early design phase of automotive systems is an important part of efficient and successful
development processes. Today, safety considerations (e.g., the safety life cycle of ISO 26262)
significantly affect the course of development. Preliminary designs are expressed in functional system
architectures, which are required to form safety concepts. Thus, mapping tasks and work products to a
reference process during early design stages is an important part of structuring the system development.
This contribution describes the systematic creation and notation of the functional safety concept within
the concept phase of development of an unmanned protective vehicle within the research project aFAS.
Different stages of preliminary design and dependencies between them are displayed by the work
products created and used. The full set of functional safety requirements and an excerpt of the safety
argument structure of the SAE level 4 application are presented
Designing an Automated Vehicle: Strategies for Handling Tasks of a Previously Required Accompanying Person
When using a conventional passenger car, several groups of people are reliant
on the assistance of an accompanying person, for example when getting in and
out of the car. For the independent use of an automatically driving vehicle by
those groups, the absence of a previously required accompanying person needs to
be compensated. During the design process of an autonomous family vehicle, we
found that a low-barrier vehicle design can only partly contribute to the
compensation for the absence of a required human companion. In this paper, we
present four strategies we identified for handling the tasks of a previously
required accompanying individual. The presented top-down approach supports
developers in identifying unresolved problems, in finding, structuring, and
selecting solutions as well as in uncovering upcoming problems at an early
stage in the development of novel concepts for driverless vehicles. As an
example, we consider the hypothetical exit of persons in need of assistance.
The application of the four strategies in this example demonstrates the
far-reaching impact of consistently considering users in need of support in the
development of automated vehicles
On Assumptions with Respect to Occlusions in Urban Environments for Automated Vehicle Speed Decisions
Automated driving systems are subject to various kinds of uncertainty during
design, development, and operation. These kinds of uncertainty lead to an
inherent risk of the technology that can be mitigated, but never fully
eliminated. Situations involving obscured traffic participants have become
popular examples in the field to illustrate a subset of these uncertainties
that developers must deal with during system design and implementation. In this
paper, we describe necessary assumptions for a speed choice in a situation in
which an ego-vehicle passes parked vehicles that generate occluded areas where
a human intending to cross the road could be obscured. We develop a calculation
formula for a dynamic speed limit that mitigates the collision risk in this
situation, and investigate the resulting speed profiles in simulation based on
example assumptions. This paper has two main results: First, we show that even
without worst-case assumptions, dramatically reduced speeds would be driven to
avoid collisions. Second, we highlight that design decisions regarding
occlusion treatment are directly related to the risk that automated vehicles
pose to pedestrians in urban environments. In this respect, we conclude that
there needs to be a broader discussion about acceptable assumptions.
Comment: Accepted to be published in 2023 IEEE 26th International Conference on Intelligent Transportation Systems (ITSC), Bilbao, Spain, September 24-28, 202
Identification of Triggering Conditions for SOTIF Hazards through System-Theoretic Process Analysis (original title: Identifikation auslösender Umstände von SOTIF-Gefährdungen durch systemtheoretische Prozessanalyse)
Developers have to obtain a sound understanding of existing risk potentials
already in the concept phase of driverless vehicles. Deductive as well as
inductive SOTIF analyses of potential triggering conditions for hazardous
behavior help to achieve this goal. In this regard, ISO 21448 suggests
conducting a System-Theoretic Process Analysis (STPA). In this article, we
introduce German terminology for SOTIF considerations and critically discuss
STPA theory in the course of an example application, while also proposing
methodological additions.
Comment: The final publication is available at www.degruyter.com, published in at - Automatisierungstechnik, in Germa
Risk Management Core -- Towards an Explicit Representation of Risk in Automated Driving
While current automotive safety standards provide implicit guidance on how
unreasonable risk can be avoided, manufacturers are required to specify risk
acceptance criteria for automated driving systems (SAE Level 3+). However, the
'unreasonable' level of risk of automated driving systems (SAE Level 3+) is not
yet concisely defined. Solely applying current safety standards to such novel
systems could potentially not be sufficient for their acceptance. As risk is
managed with implicit knowledge about safety measures in existing automotive
standards, an explicit alignment with risk acceptance criteria is challenging.
Hence, we propose an approach for an explicit representation and management of
risk, which we call the Risk Management Core. The proposal of this process
framework is based on requirements elicited from current safety standards, and we
apply the Risk Management Core to the task of specifying safe behavior for an
automated driving system in an example scenario.
Comment: 16 pages, 6 figure
Integration of a Vehicle Operating Mode Management into UNICARagil’s Automotive Service-oriented Software Architecture
Automated vehicles require a central decision unit in order to coordinate the responsibility for the driving task between multiple operating modes. Additionally, other non-driving-related tasks, such as the operation of an automatic door system, must be coordinated as well. In this paper, we motivate the usefulness of such a central decision unit using the example of the operating mode management of the UNICARagil project. We describe its integration with UNICARagil’s Automotive Service-oriented Software Architecture and how the modularity of this service-oriented software architecture is ensured. An example from the project’s context further illustrates the functioning principle of the operating mode management in combination with the service orchestration of the Automotive Service-oriented Software Architecture.
Towards Safety Concepts for Automated Vehicles by the Example of the Project UNICARagil
Striving towards deployment of SAE level 4+ vehicles in public traffic, researchers and
developers face several challenges due to the targeted operation in an open environment.
Due to the absence of a human supervisor, ensuring and validating safety while
driving automatically is one of the key challenges. The arising complexity of the technical
system must be handled during the entire research and development process. In
this contribution, we outline the coherence of different safety activities in the research
project UNICARagil. We derive high-level safety requirements and present the central
safety mechanisms applied to automated driving. Moreover, we outline the approaches
of the project UNICARagil to address the validation challenge for automated vehicles.
In order to demonstrate the overall approach towards a coherent safety argumentation,
the connection of high-level safety requirements, safety mechanisms, as well as validation
approaches is illustrated by means of a selected example scenario.