Introduction & Motivation
Scope of this Publication
Structure of and Development Examples Used in this Publication
Safety Vision
Background
The Twelve Principles of Automated Driving
Systematically Developing Dependability to Support Safety by Design
Deriving Capabilities of Automated Driving from Dependability Domains
Legal Frameworks for Automated Driving Vehicles
Applying the Related Safety Standards
Safety of the Intended Functionality
Functional Safety
Automotive Cybersecurity
Why is Cybersecurity so Important for Safety?
Cybersecurity Approach and Measures
Capabilities of Automated Driving
Initial Derivation of Capabilities
Overview of the Capabilities
Minimal Risk Conditions and Minimal Risk Maneuvers
Elements for Implementing the Capabilities
Implementing the Capabilities
FS_1: Determine location
FS_2: Perceive relevant static and dynamic objects in proximity to the automated vehicle
FS_3: Predict the future behavior of relevant objects
FS_4: Create a collision-free and lawful driving plan
FS_5: Correctly execute and actuate the driving plan
FS_6: Communicate and interact with other (vulnerable) road users
FS_7: Determine if specified nominal performance is not achieved
FD_1: Ensure controllability for the vehicle operator
FD_2: Detect when degraded performance is not available
FD_3: Ensure safe mode transitions and awareness
FD_4: React to insufficient nominal performance and other failures via degradation
FD_5: Reduce system performance in the presence of failure for the degraded mode
FD_6: Perform degraded mode within reduced system constraints
Elements
Environment Perception Sensors
A-Priori Perception Sensors
V2X
Sensor Fusion
Interpretation and Prediction
Localization
ADS Mode Manager
Egomotion
Drive Planning
Traffic Rules
Motion Control
Motion Actuators
Body Control with Secondary Actuators
Human-Machine Interaction
User State Determination
Vehicle State
Monitors (Nominal and Degraded Modes)
Processing Unit
Power Supply
Communication Network
Generic Logical Architecture
Verification and Validation
The Scope and Main Steps of V&V for Automated Driving Systems
Key Challenges for V&V of L3 and L4 Systems
V&V Approach for Automated Driving Systems
Defining Test Goals & Objectives (Why & How Well)
Test Design Techniques (How)
Test Platforms (Where)
Test Strategies in Response to the Key Challenges
Quantity and Quality of Testing
Equivalence Classes and Scenario-Based Testing
Simulation
Types of Simulation
Simulation Scenario Generation
Validating Simulation
Further Topics in Simulation
V&V of Elements
A-Priori Information and Perception (Map)
Localization (Including GNSS)
Environment Perception Sensors, V2X and Sensor Fusion
Interpretation and Prediction, Drive Planning and Traffic Rules
Motion Control
Monitor, ADS Mode Manager (Including the Vehicle State)
Human-Machine Interaction
Field Operation (Monitoring, Configuration, Updates)
Testing Traceability
Robust Configuration and Change Management Process
Regression Prevention
Security Monitoring and Updates
Continuous Monitoring and Corrective Enforcement
Conclusion and Outlook
Appendix A: Development Examples
L3 Traffic Jam Pilot (TJP)
Nominal Function Definition
Minimal Risk Conditions
Minimal Risk Maneuver
L3 Highway Pilot (HWP)
Nominal Function Definition
Degraded Mode/Minimal Risk Conditions
Minimal Risk Maneuvers
L4 Urban Pilot (UP)
Nominal Function Definition
Degraded Mode/Minimal Risk Conditions
Minimal Risk Maneuvers
L4 Car Park Pilot (CPP)
Nominal Function Definition
Degraded Mode/Minimal Risk Conditions
Minimal Risk Maneuver
Selection of the Discussed Elements
Sensing Elements for FS_1 Localization
Sensing Elements for FS_2 Perceive Relevant Objects
Interpretation and Prediction in FS_3 Predict Future Movements
Acting Elements in FS_5 Execute Driving Plan and FD_6 Perform Degraded Mode
ADS Mode Manager in FS_7 Detect Nominal Performance and FD_4 React to Insufficient Performance
User State Determination in FD_1 Ensure Controllability for Operator
HMI in FD_1 Ensure Controllability for Operator and FD_6 Perform Degraded Mode
Monitors in FS_7 and FD_2
Appendix B: Using Deep Neural Networks to Implement Safety-Related Elements for Automated Driving Systems
Motivation and Introduction: Machine Learning in Automated Driving
Define (What and Why)
Specify (How)
Defining and Selecting the Data
Architecture Design for DNNs
Develop and Evaluate
Deploy and Monitor
DNN Safety Artifacts
Glossary
References