
    Systematic Identification and Analysis of Hazards for Automated Systems

    The introduction of automation into technical systems promises many benefits, including performance increase, improved resource economy, and fewer harmful accidents. In particular, in the automotive sector, automated driving is seen as one key element in Vision Zero by eliminating common accident causes such as driving under the influence, reckless behavior, or distracted drivers. However, this is contrasted by new failure modes and hazards from the latest technologies. In this article, we address the problems of finding common sources of criticality for specific application classes and identifying and quantitatively assessing new sources of harm within particular automated driving systems.

    Expressing best practices in (risk) analysis and testing of safety-critical systems using patterns

    The continuing pervasion of our society with safety-critical cyber-physical systems not only demands adequate (risk) analysis, testing and verification techniques, it also generates growing experience on their use, which can be considered as important as the tools themselves for their efficient use. This paper introduces workflow patterns to describe such best practices in a systematic way that efficiently represents this knowledge, and also provides a way to relate different patterns, making them easier to identify and use, and to cover as wide a range of experiences as possible. The value of the approach is demonstrated using some pattern examples from a collection developed in the Artemis-project MBAT. Finally, the paper presents a wiki-based approach for developing and maintaining the pattern collection.

    Criticality Metrics for Automated Driving: A Review and Suitability Analysis of the State of the Art

    The large-scale deployment of automated vehicles on public roads has the potential to vastly change the transportation modalities of today's society. Although this pursuit was initiated decades ago, there still exist open challenges in reliably ensuring that such vehicles operate safely in open contexts. While functional safety is a well-established concept, the question of measuring the behavioral safety of a vehicle remains subject to research. One way to both objectively and computationally analyze traffic conflicts is the development and utilization of so-called criticality metrics. Contemporary approaches have leveraged the potential of criticality metrics in various applications related to automated driving, e.g. for computationally assessing the dynamic risk or filtering large data sets to build scenario catalogs. As a prerequisite to systematically choose adequate criticality metrics for such applications, we extensively review the state of the art of criticality metrics, their properties, and their applications in the context of automated driving. Based on this review, we propose a suitability analysis as a methodical tool to be used by practitioners. Both the proposed method and the state of the art review can then be harnessed to select well-suited measurement tools that cover an application's requirements, as demonstrated by an exemplary execution of the analysis. Ultimately, efficient, valid, and reliable measurements of an automated vehicle's safety performance are a key requirement for demonstrating its trustworthiness.

    Simulation of Abstract Scenarios: Towards Automated Tooling in Criticality Analysis

    While the introduction of automated vehicles to public roads promises various ecological, economical and societal benefits, reliable verification & validation processes that guarantee safe operation of automated vehicles are subject to ongoing research. As automated vehicles are safety-critical complex systems, operating in an open context, the uncountably infinite set of potentially critical situations renders traditional, distance-based approaches to verification & validation infeasible. Leveraging the power of abstraction, current scenario-based approaches aim at reducing this complexity by elicitation of representative scenario classes while simultaneously shifting significant analysis and testing efforts to virtual environments. In this work we bridge the gap between high-level, abstract scenario specifications and state-of-the-art detailed vehicle and traffic simulators. While the former allow for coverage argumentation with the definition of finite and well manageable sets of scenario classes, the latter are necessary for an in-depth assessment of the vehicle implementation and its interaction with the physical environment. We present a method and prototypical implementation based on constraint solving techniques to generate (sets of) concrete simulation tasks defined in the well established OpenDRIVE/OpenSCENARIO formats from abstract scenarios specified as Traffic Sequence Charts. The feasibility is demonstrated using a highway parallel overtaking scenario as a running example.

    Probabilistic Model-Based Safety Analysis

    Model-based safety analysis approaches aim at finding critical failure combinations by analysis of models of the whole system (i.e. software, hardware, failure modes and environment). The advantage of these methods compared to traditional approaches is that the analysis of the whole system gives more precise results. Only few model-based approaches have been applied to answer quantitative questions in safety analysis, often limited to analysis of specific failure propagation models, limited types of failure modes or without system dynamics and behavior, as direct quantitative analysis uses large amounts of computing resources. New achievements in the domain of (probabilistic) model-checking now allow for overcoming this problem. This paper shows how functional models based on synchronous parallel semantics, which can be used for system design, implementation and qualitative safety analysis, can be directly re-used for (model-based) quantitative safety analysis. Accurate modeling of different types of probabilistic failure occurrence is shown as well as accurate interpretation of the results of the analysis. This allows for reliable and expressive assessment of the safety of a system in early design stages.

    On Quantification for SOTIF Validation of Automated Driving Systems

    Automated driving systems are safety-critical cyber-physical systems whose safety of the intended functionality (SOTIF) cannot be assumed without proper argumentation based on appropriate evidence. Recent advances in standards and regulations on the safety of driving automation are therefore intensely concerned with demonstrating that the intended functionality of these systems does not introduce unreasonable risks to stakeholders. In this work, we critically analyze the ISO 21448 standard, which contains requirements and guidance on how the SOTIF can be provably validated. Emphasis lies on developing a consistent terminology as a basis for the subsequent definition of a validation strategy when using quantitative acceptance criteria. In the broad picture, we aim to achieve a well-defined risk decomposition that enables rigorous, quantitative validation approaches for the SOTIF of automated driving systems.

    Adding value to automotive models

    We report on how implementing a Model Based Automotive SW Engineering Process in an industrial setting can ensure the correctness of automotive applications when a process based on formal models is used. We show how formal methods, in particular model checking, can be used to ensure consistency of the models and can prove that the models satisfy selected functional and safety requirements. The technique can also be used to automatically generate test vectors from the model. Hence we show how in many ways formal verification techniques can add value to the models used for different purposes in developing automotive applications.

    Contract-Based Design of Embedded Systems Integrating Nominal Behavior and Safety

    The distributed design process for safety-critical embedded systems has become an increasingly difficult challenge: Electronic Control Units (ECUs) in vehicles, for instance, participate in many vehicle functions, while each vehicle function, in turn, is spread across several ECUs. Many suppliers participate in systems design and many partial functions are reused from past projects, not always knowing the assumptions at the time of their development. In particular, efficient allocation of safety mechanisms and a sound safety case are difficult tasks for original equipment manufacturers (OEMs). Contract-based development has gained popularity as an approach for supporting distributed development by explicitly annotating assumptions and guarantees to components, but an integrated process covering specification of nominal behavior and safety has not been described so far. We present such an integrated development approach that encompasses the systematic breakdown of nominal system behavior using contracts, the consistent derivation of safety analysis by interpreting several types of contract violations as a specification for failure modes, and the subsequent integration of safety mechanisms that cover these failure modes through safety contracts. The approach equally fits hardware and software and is therefore applicable on the system level. We demonstrate it by an electric drive example. The extensibility of our approach towards Cyber Physical Systems, which compose themselves at runtime, is briefly outlined at the end of the article.