Automated driving safety whitepaper.pdf

第1页 / 共157页
第2页 / 共157页
第3页 / 共157页
第4页 / 共157页
第5页 / 共157页
第6页 / 共157页
第7页 / 共157页
第8页 / 共157页
资料共157页,剩余部分请下载后查看
2019 SAFETY FIRST FOR AUTOMATED DRIVING
AUTHORS

APTIV: Matthew Wood, M.Sc. (matthew.wood@aptiv.com); Dr. Philipp Robbel (philipp.robbel@aptiv.com); Dr. Michael Maass; Dr. Radboud Duintjer Tebbens; Marc Meijs, M.Sc.; Mohamed Harb, M.Sc.; Jonathon Reach, B.Sc.; Karl Robinson

AUDI: David Wittmann, M.Sc. (david.wittmann@audi.de); Toshika Srivastava, M.Sc.; Dr.-Ing. Mohamed Essayed Bouzouraa

BAIDU: Siyuan Liu, BS, MBA (liusiyuan01@baidu.com); Yali Wang, MA (wangyali05@baidu.com)

BMW: Dr.-Ing. Christian Knobel (christian.knobel@bmw.de); Dipl.-Inf. David Boymanns (david.boymanns@bmw.de); Dr.-Ing. Matthias Löhning; Dr. Bernhard Dehlink; Dirk Kaule, M.Sc.; Dipl.-Ing. Richard Krüger; Dr. Jelena Frtunikj; Dr. Florian Raisch; Dipl.-Math. Miriam Gruber; Jessica Steck, M.Sc.; Dipl.-Psych. Julia Mejia-Hernandez

CONTINENTAL: Dipl.-Ing. Sandro Syguda (sandro.syguda@continental-corporation.com); Dipl.-Ing. Pierre Blüher; Dr.-Ing. Kamil Klonecki; Dr. Pierre Schnarz

DAIMLER: Dr. Thomas Wiltschko (thomas.t.wiltschko@daimler.com); Dipl.-Inf. Stefan Pukallus; Dr.-Ing. Kai Sedlaczek

FCA: Neil Garbacik, M.Sc. (neil.garbacik@fcagroup.com); David Smerza, BSAE; Dr. Dalong Li; Dr. Adam Timmons; Marco Bellotti

HERE: Michael O'Brien, BS (michael.obrien@here.com); Michael Schöllhorn

INFINEON: Dipl.-Ing. Udo Dannebaum (udo.dannebaum@infineon.com)

INTEL: Jack Weast, BS, M.Sc. (jack.weast@intel.com); Alan Tatourian, BS

VOLKSWAGEN: Dr.-Ing. Bernd Dornieden (bernd.dornieden@volkswagen.de); Dr.-Ing. Philipp Schnetter; Dr.-Ing. Dipl.-Wirt.Ing. Philipp Themann; Dr.-Ing. Thomas Weidner; Dr. rer. nat. Peter Schlicht
ABSTRACT

This publication summarizes widely known safety by design and verification and validation (V&V) methods of SAE L3 and L4 automated driving. This summary is required for maximizing the evidence of a positive risk balance of automated driving solutions compared to the average human driving performance. There is already a vast array of publications focusing on only specific subtopics of automated driving. In contrast, this publication is a comprehensive approach to safety relevant topics of automated driving and is based on the input of OEMs, tiered suppliers and key technology providers. The approach of this publication is to systematically break down safety principles into safety by design capabilities, elements and architectures and then to summarize the V&V methods in order to demonstrate the positive risk balance. This publication is intended to contribute to current activities working towards the industry-wide standardization of automated driving.

REFERENCED STANDARDS

ISO/PAS 21448:2019        Road Vehicles – Safety of the intended functionality (SOTIF)
ISO 26262:2018            Road Vehicles – Functional safety
ISO/SAE CD 21434          Road Vehicles – Cybersecurity engineering
ISO 19157:2013            Geographic information – Data quality
ISO/TS 19158:2012         Geographic information – Quality assurance of data supply
ISO/TS 16949:2009         Quality management systems – Particular requirements for the application of ISO 9001:2008 for automotive production and relevant service part organizations
ISO/IEC 2382-1:1993       Information technology – Vocabulary – Part 1: Fundamental terms
ISO/IEC/IEEE 15288:2015   Systems and software engineering – System life cycle processes

© Copyright 2019 by Aptiv Services US, LLC; AUDI AG; Bayrische Motoren Werke AG; Beijing Baidu Netcom Science Technology Co., Ltd; Continental Teves AG & Co oHG; Daimler AG; FCA US LLC; HERE Global B.V.; Infineon Technologies AG; Intel; Volkswagen AG. All rights reserved.
The document and information contained herein is not a license, either expressly or impliedly, to any intellectual property owned or controlled by any of the authors or developers of this publication, and license to this document and information should not be considered to have been made available to parties receiving and/or reviewing this document and information. The information contained herein is provided on an "AS IS" basis, and to the maximum extent permitted by applicable law, the authors and developers of this document hereby disclaim all other warranties and conditions, either express, implied or statutory, including but not limited to, any (if any) implied warranties, duties or conditions of merchantability, of fitness for a particular purpose, of accuracy or completeness of responses, of results, of workmanlike effort, of lack of viruses, of lack of negligence. THERE IS NO WARRANTY OR CONDITION OF TITLE, QUIET ENJOYMENT, QUIET POSSESSION, OR NON-INFRINGEMENT.
CONTENTS

1 INTRODUCTION & MOTIVATION ... 2
1.1 Scope of this Publication ... 2
1.2 Structure of and Development Examples Used in this Publication ... 4
1.3 Safety Vision ... 6
1.3.1 Background ... 6
1.3.2 The Twelve Principles of Automated Driving ... 6

2 SYSTEMATICALLY DEVELOPING DEPENDABILITY TO SUPPORT SAFETY BY DESIGN ... 12
2.1 Deriving Capabilities of Automated Driving from Dependability Domains ... 13
2.1.1 Legal Frameworks for Automated Driving Vehicles ... 13
2.1.2 Applying the Related Safety Standards ... 14
2.1.3 Safety of the Intended Functionality ... 17
2.1.4 Functional Safety ... 20
2.1.5 Automotive Cybersecurity ... 21
2.1.5.1 Why is Cybersecurity so Important for Safety? ... 22
2.1.5.2 Cybersecurity Approach and Measures ... 24
2.1.6 Capabilities of Automated Driving ... 27
2.1.6.1 Initial Derivation of Capabilities ... 27
2.1.6.2 Overview of the Capabilities ... 30
2.1.7 Minimal Risk Conditions and Minimal Risk Maneuvers ... 34
2.2 Elements for Implementing the Capabilities ... 36
2.2.1 Implementing the Capabilities ... 36
2.2.1.1 FS_1: Determine location ... 37
2.2.1.2 FS_2: Perceive relevant static and dynamic objects in proximity to the automated vehicle ... 38
2.2.1.3 FS_3: Predict the future behavior of relevant objects ... 39
2.2.1.4 FS_4: Create a collision-free and lawful driving plan ... 40
2.2.1.5 FS_5: Correctly execute and actuate the driving plan ... 41
2.2.1.6 FS_6: Communicate and interact with other (vulnerable) road users ... 41
2.2.1.7 FS_7: Determine if specified nominal performance is not achieved ... 42
2.2.1.8 FD_1: Ensure controllability for the vehicle operator ... 43
2.2.1.9 FD_2: Detect when degraded performance is not available ... 44
2.2.1.10 FD_3: Ensure safe mode transitions and awareness ... 44
2.2.1.11 FD_4: React to insufficient nominal performance and other failures via degradation ... 45
2.2.1.12 FD_5: Reduce system performance in the presence of failure for the degraded mode ... 46
2.2.1.13 FD_6: Perform degraded mode within reduced system constraints ... 46
2.2.2 Elements ... 47
2.2.2.1 Environment Perception Sensors ... 47
2.2.2.2 A-Priori Perception Sensors ... 48
2.2.2.3 V2X ... 51
2.2.2.4 Sensor Fusion ... 51
2.2.2.5 Interpretation and Prediction ... 52
2.2.2.6 Localization ... 53
2.2.2.7 ADS Mode Manager ... 53
2.2.2.8 Egomotion ... 54
2.2.2.9 Drive Planning ... 55
2.2.2.10 Traffic Rules ... 56
2.2.2.11 Motion Control ... 56
2.2.2.12 Motion Actuators ... 57
2.2.2.13 Body Control with Secondary Actuators ... 58
2.2.2.14 Human-Machine Interaction ... 58
2.2.2.15 User State Determination ... 61
2.2.2.16 Vehicle State ... 64
2.2.2.17 Monitors (Nominal and Degraded Modes) ... 64
2.2.2.18 Processing Unit ... 64
2.2.2.19 Power supply ... 65
2.2.2.20 Communication Network ... 65
2.3 Generic Logical Architecture ... 65

3 VERIFICATION AND VALIDATION ... 72
3.1 The Scope and Main Steps of V&V for Automated Driving Systems ... 72
3.2 Key Challenges for V&V of L3 and L4 Systems ... 75
3.3 V&V Approach for Automated Driving Systems ... 76
3.3.1 Defining Test Goals & Objectives (Why & How Well) ... 77
3.3.2 Test Design Techniques (How) ... 77
3.3.3 Test Platforms (Where) ... 78
3.3.4 Test Strategies in Response to the Key Challenges ... 79
3.4 Quantity and Quality of Testing ... 83
3.4.1 Equivalence Classes and Scenario-Based Testing ... 84
3.5 Simulation ... 85
3.5.1 Types of Simulation ... 87
3.5.2 Simulation Scenario Generation ... 88
3.5.3 Validating Simulation ... 89
3.5.4 Further Topics in Simulation ... 89
3.6 V&V of Elements ... 90
3.6.1 A-Priori Information and Perception (Map) ... 91
3.6.2 Localization (Including GNSS) ... 92
3.6.3 Environment Perception Sensors, V2X and Sensor Fusion ... 92
3.6.4 Interpretation and Prediction, Drive Planning and Traffic Rules ... 93
3.6.5 Motion Control ... 93
3.6.6 Monitor, ADS Mode Manager (Including the Vehicle State) ... 93
3.6.7 Human-Machine Interaction ... 94
3.7 Field Operation (Monitoring, Configuration, Updates) ... 94
3.7.1 Testing Traceability ... 94
3.7.2 Robust Configuration and Change Management Process ... 95
3.7.3 Regression Prevention ... 95
3.7.4 Security Monitoring and Updates ... 96
3.7.5 Continuous Monitoring and Corrective Enforcement ... 97

4 CONCLUSION AND OUTLOOK ... 100

5 APPENDIX A: DEVELOPMENT EXAMPLES ... 104
5.1 L3 Traffic Jam Pilot (TJP) ... 104
5.1.1 Nominal Function Definition ... 104
5.1.2 Minimal Risk Conditions ... 104
5.1.3 Minimal Risk Maneuver ... 104
5.2 L3 Highway Pilot (HWP) ... 104
5.2.1 Nominal Function Definition ... 104
5.2.2 Degraded Mode/Minimal Risk Conditions ... 104
5.2.3 Minimal Risk Maneuvers ... 104
5.3 L4 Urban Pilot (UP) ... 104
5.3.1 Nominal Function Definition ... 105
5.3.2 Degraded Mode/Minimal Risk Conditions ... 105
5.3.3 Minimal Risk Maneuvers ... 105
5.4 L4 Car Park Pilot (CPP) ... 105
5.4.1 Nominal Function Definition ... 105
5.4.2 Degraded Mode/Minimal Risk Conditions ... 105
5.4.3 Minimal Risk Maneuver ... 105
5.5 Selection of the Discussed Elements ... 107
5.5.1 Sensing Elements for FS_1 Localization ... 107
5.5.2 Sensing Elements for FS_2 Perceive Relevant Objects ... 108
5.5.3 Interpretation and Prediction in FS_3 Predict Future Movements ... 109
5.5.4 Acting Elements in FS_5 Execute Driving Plan and FD_6 Perform Degraded Mode ... 110
5.5.5 ADS Mode Manager in FS_7 Detect Nominal Performance and FD_4 React to Insufficient Performance ... 111
5.5.6 User State Determination in FD_1 Ensure Controllability for Operator ... 112
5.5.7 HMI in FD_1 Ensure Controllability for Operator and FD_6 Perform Degraded Mode ... 113
5.5.8 Monitors in FS_7 and FD_2 ... 113

6 APPENDIX B: USING DEEP NEURAL NETWORKS TO IMPLEMENT SAFETY-RELATED ELEMENTS FOR AUTOMATED DRIVING SYSTEMS ... 116
6.1 Motivation and Introduction: Machine Learning in Automated Driving ... 116
6.2 Define (What and Why) ... 118
6.3 Specify (How) ... 120
6.3.1 Defining and Selecting the Data ... 120
6.3.2 Architecture Design for DNNs ... 123
6.4 Develop and Evaluate ... 125
6.5 Deploy and Monitor ... 128
6.6 DNN Safety Artifacts ... 130

7 GLOSSARY ... 134

8 REFERENCES ... 142