
    Towards Efficient Hazard Identification in the Concept Phase of Driverless Vehicle Development

    The complex functional structure of driverless vehicles induces a multitude of potential malfunctions. Established approaches for systematic hazard identification generate an individual potentially hazardous scenario for each identified malfunction. This leads to inefficiencies in a purely expert-based hazard analysis process, as each of the many scenarios has to be examined individually. In this contribution, we propose an adaptation of the hazard identification strategy for the development of automated vehicles. Instead of focusing on malfunctions, we base our process on deviations from the desired vehicle behavior in selected operational scenarios analyzed in the concept phase. By evaluating externally observable deviations from the desired behavior, we encapsulate individual malfunctions and reduce the number of generated potentially hazardous scenarios. After introducing our hazard identification strategy, we illustrate its application on one of the operational scenarios used in the research project UNICARagil.
    Comment: Published in 2020 IEEE Intelligent Vehicles Symposium (IV), Las Vegas, NV, USA, October 19-November 13, 2020

    Designing an Automated Vehicle: Strategies for Handling Tasks of a Previously Required Accompanying Person

    When using a conventional passenger car, several groups of people rely on the assistance of an accompanying person, for example when getting in and out of the car. For these groups to use an automatically driving vehicle independently, the absence of the previously required accompanying person needs to be compensated for. During the design process of an autonomous family vehicle, we found that a low-barrier vehicle design can only partly compensate for the absence of a required human companion. In this paper, we present four strategies we identified for handling the tasks of a previously required accompanying individual. The presented top-down approach supports developers in identifying unresolved problems, in finding, structuring, and selecting solutions, and in uncovering upcoming problems at an early stage in the development of novel concepts for driverless vehicles. As an example, we consider the hypothetical exit of persons in need of assistance. The application of the four strategies in this example demonstrates the far-reaching impact of consistently considering users in need of support in the development of automated vehicles.

    On Assumptions with Respect to Occlusions in Urban Environments for Automated Vehicle Speed Decisions

    Automated driving systems are subject to various kinds of uncertainty during design, development, and operation. These kinds of uncertainty lead to an inherent risk of the technology that can be mitigated, but never fully eliminated. Situations involving obscured traffic participants have become popular examples in the field to illustrate a subset of these uncertainties that developers must deal with during system design and implementation. In this paper, we describe the assumptions necessary for a speed choice in a situation in which an ego vehicle passes parked vehicles that generate occluded areas in which a human intending to cross the road could be hidden. We develop a calculation formula for a dynamic speed limit that mitigates the collision risk in this situation, and investigate the resulting speed profiles in simulation based on example assumptions. This paper has two main results: First, we show that even without worst-case assumptions, dramatically reduced speeds would have to be driven to avoid collisions. Second, we highlight that design decisions regarding occlusion treatment are directly related to the risk that automated vehicles pose to pedestrians in urban environments. In this respect, we conclude that there needs to be a broader discussion about acceptable assumptions.
    Comment: Accepted to be published in 2023 IEEE 26th International Conference on Intelligent Transportation Systems (ITSC), Bilbao, Spain, September 24-28, 2023
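    To make the kind of calculation this abstract refers to concrete, the following is an added Python example; it is not the paper's formula, which this page does not reproduce. It uses a deliberately simple timing model: a pedestrian hidden behind a row of parked cars becomes visible only when stepping past the edge of the row, at some lateral distance from the ego vehicle's path, and the ego vehicle must be at rest before the pedestrian can reach that path after a reaction delay and constant braking. The parameter values and the named assumption sets are constructed for illustration and carry no claim about real pedestrians or vehicles.

```python
"""Added illustration: a minimal occlusion-based dynamic speed limit.

Constructed example, not the paper's formula. Model (assumption): a pedestrian
hidden behind parked cars becomes visible only when stepping past the row, at
lateral distance `lateral_gap_m` from the ego vehicle's path, and then walks
toward the path at `ped_speed_mps`. The ego vehicle must be stationary before
the pedestrian reaches its path, after a reaction delay `reaction_s` and
constant braking at `decel_mps2`.
"""


def speed_limit_mps(lateral_gap_m: float, ped_speed_mps: float,
                    reaction_s: float, decel_mps2: float) -> float:
    """Maximum ego speed (m/s) under the model above.

    Time available until the pedestrian reaches the path: t_p = d / v_p.
    Time the ego needs to stop from speed v:              t_s = t_r + v / a.
    Requiring t_s <= t_p gives v <= a * (t_p - t_r). A negative result means
    the reaction time alone exceeds the available time, so the only speed
    consistent with the model is zero.
    """
    if lateral_gap_m <= 0 or ped_speed_mps <= 0 or decel_mps2 <= 0:
        raise ValueError("distance, pedestrian speed and deceleration must be positive")
    time_available = lateral_gap_m / ped_speed_mps
    return max(0.0, decel_mps2 * (time_available - reaction_s))


def mps_to_kph(v: float) -> float:
    return v * 3.6


# Constructed assumption sets (not taken from the paper) to show how strongly
# the resulting limit depends on what is assumed about the hidden pedestrian.
ASSUMPTION_SETS = {
    # name: (lateral gap m, pedestrian speed m/s, reaction s, decel m/s^2)
    "running child, small gap":  (1.0, 3.0, 0.5, 6.0),
    "walking adult, small gap":  (1.0, 1.5, 0.5, 6.0),
    "walking adult, wide gap":   (2.5, 1.5, 0.5, 6.0),
    "slow pedestrian, wide gap": (2.5, 1.0, 0.5, 6.0),
}


def speed_profile(sets=ASSUMPTION_SETS) -> dict:
    """Speed limit in km/h, rounded to one decimal, for each assumption set."""
    return {name: round(mps_to_kph(speed_limit_mps(*params)), 1)
            for name, params in sets.items()}


if __name__ == "__main__":
    for name, kph in speed_profile().items():
        print(f"{name:28s} {kph:6.1f} km/h")
```

    Because the limit is recomputed from the geometry of each occlusion the ego vehicle passes, it behaves as a speed profile along the road rather than a fixed value. The spread between the rows (from standstill up to the low forties in km/h for the same braking capability) is the point the abstract makes: the number that comes out is dominated by the assumptions about the hidden pedestrian, not by the vehicle's dynamics.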

    Functional Safety Concept Generation within the Process of Preliminary Design of Automated Driving Functions at the Example of an Unmanned Protective Vehicle

    Structuring the early design phase of automotive systems is an important part of efficient and successful development processes. Today, safety considerations (e.g., the safety life cycle of ISO 26262) significantly affect the course of development. Preliminary designs are expressed in functional system architectures, which are required in order to form safety concepts. Thus, mapping tasks and work products to a reference process during early design stages is an important part of structuring the system development. This contribution describes the systematic creation and notation of the functional safety concept within the concept phase of development of an unmanned protective vehicle in the research project aFAS. The different stages of preliminary design and the dependencies between them are shown through the work products created and used. The full set of functional safety requirements and an excerpt of the safety argument structure of the SAE level 4 application are presented.

    Risk Management Core -- Towards an Explicit Representation of Risk in Automated Driving

    While current automotive safety standards provide only implicit guidance on how unreasonable risk can be avoided, manufacturers are required to specify risk acceptance criteria for automated driving systems (SAE Level 3+). However, the 'unreasonable' level of risk of such systems is not yet concisely defined. Solely applying current safety standards to these novel systems might not be sufficient for their acceptance. As risk is managed with implicit knowledge about safety measures in existing automotive standards, an explicit alignment with risk acceptance criteria is challenging. Hence, we propose an approach for the explicit representation and management of risk, which we call the Risk Management Core. We base the proposal of this process framework on requirements elicited from current safety standards and apply the Risk Management Core to the task of specifying safe behavior for an automated driving system in an example scenario.
    Comment: 16 pages, 6 figures

    Integration of a Vehicle Operating Mode Management into UNICARagil’s Automotive Service-oriented Software Architecture

    Automated vehicles require a central decision unit in order to coordinate the responsibility for the driving task between multiple operating modes. Additionally, other non-driving-related tasks, such as the operation of an automatic door system, must be coordinated as well. In this paper, we motivate the usefulness of such a central decision unit using the example of the operating mode management of the UNICARagil project. We describe its integration with UNICARagil's Automotive Service-oriented Software Architecture and how the modularity of this service-oriented software architecture is preserved. An example from the project's context further illustrates the functioning principle of the operating mode management in combination with the service orchestration of the Automotive Service-oriented Software Architecture.

    Towards Safety Concepts for Automated Vehicles by the Example of the Project UNICARagil

    Striving towards the deployment of SAE level 4+ vehicles in public traffic, researchers and developers face several challenges due to the targeted operation in an open environment. In the absence of a human supervisor, ensuring and validating safety while driving automatically is one of the key challenges. The resulting complexity of the technical system must be handled during the entire research and development process. In this contribution, we outline the coherence of the different safety activities in the research project UNICARagil. We derive high-level safety requirements and present the central safety mechanisms applied to automated driving. Moreover, we outline the approaches of the project UNICARagil to address the validation challenge for automated vehicles. In order to demonstrate the overall approach towards a coherent safety argumentation, the connection between high-level safety requirements, safety mechanisms, and validation approaches is illustrated by means of a selected example scenario.

    A Taxonomy to Unify Fault Tolerance Regimes for Automotive Systems: Defining Fail-Operational, Fail-Degraded, and Fail-Safe

    This paper presents a taxonomy that allows defining the fault tolerance regimes fail-operational, fail-degraded, and fail-safe in the context of automotive systems. Fault tolerance regimes such as these are widely used in recent publications related to automated driving, yet without definitions. This largely holds true for automotive safety standards, too. We show that the fault tolerance regimes defined in scientific publications related to the automotive domain are partially ambiguous as well as taxonomically unrelated. The presented taxonomy is based on terminology stemming from ISO 26262 and from systems engineering. It uses four criteria to distinguish fault tolerance regimes. In addition to fail-operational, fail-degraded, and fail-safe, the core terminology consists of operational and fail-unsafe. These terms are supported by definitions of available performance, nominal performance, and functionality, and by a concise definition of the safe state. For verification, we show by means of two examples from the automotive domain that the taxonomy can be applied to hierarchical systems of different complexity.
    Comment: 12 pages, 4 figures, 1 table, accepted to appear in IEEE Transactions on Intelligent Vehicles

    Development of an Autonomous Family Vehicle using a Scenario-Based Design Approach

    One major challenge when designing autonomous vehicles is to enable independent and safe use by a wide range of users, including those who rely on an accompanying person when using a conventional car. In this paper, we present the use of a scenario-based design approach for the development of a novel autonomous vehicle intended for use within a multigenerational family. With the help of hypothetical scenarios that describe the use of a driverless vehicle by different user types, we concretize requirements that were previously formulated at a higher level of abstraction. Moreover, presenting the proposed solutions in concrete scenarios helps to identify weaknesses of the intended concepts and challenges that arise from the independent use of autonomous vehicles by certain user groups. The resulting requirements, which depend significantly on assumptions regarding potential user restrictions, have a far-reaching influence on the entire vehicle design.