Missing no Interaction Using STPA for Identifying Hazardous Interactions of Automated Driving Systems

Similar documents
STPA Systems Theoretic Process Analysis John Thomas and Nancy Leveson. All rights reserved.

Basic STPA Tutorial. John Thomas

Performing Hazard Analysis on Complex, Software- and Human-Intensive Systems

Systems Theoretic Process Analysis (STPA)

Basic STPA Exercises. Dr. John Thomas

Systems Theoretic Process Analysis (STPA)

Collision Avoidance based on Camera and Radar Fusion. Jitendra Shah interactive Summer School 4-6 July, 2012

Introducing STAMP in Road Tunnel Safety

Safety Critical Systems

STAMP/STPA Beginner Introduction. Dr. John Thomas System Engineering Research Laboratory Massachusetts Institute of Technology

Safety-critical systems: Basic definitions

Proposal for amendments to Regulation No. 79 to include ACSF > 10 km/h

Using STPA in the Design of a new Manned Spacecraft

DEVELOPMENT OF A MICRO-SIMULATION MODEL TO PREDICT ROAD TRAFFIC SAFETY ON INTERSECTIONS WITH SURROGATE SAFETY MEASURES

Pedestrian Dynamics: Models of Pedestrian Behaviour

D-Case Modeling Guide for Target System

Intelligent Decision Making Framework for Ship Collision Avoidance based on COLREGs

Emergency Rides. Driving Simulators Research Development Production. 1. General. Rev

Driver Training School Instructor Curriculum Requirements for Student Learning & Performance Goals

Evaluation of the ACC Vehicles in Mixed Traffic: Lane Change Effects and Sensitivity Analysis

Distributed Control Systems

A systematic hazard analysis and management process for the concept design phase of an autonomous vessel.

BTW Lesson 5. Traffic Flow

A study on the relation between safety analysis process and system engineering process of train control system

THE CANDU 9 DISTRffiUTED CONTROL SYSTEM DESIGN PROCESS

Reliability of Safety-Critical Systems Chapter 3. Failures and Failure Analysis

Exemplary Conditional Automation (Level 3) Use Case Description Submitted by the Experts of OICA as input to the IWG ITS/AD

Tools for safety management Effectiveness of risk mitigation measures. Bernhard KOHL

Proposal for amendments to Regulation No. 79 to include ACSF > 10 km/h

HAZARD ANALYSIS PROCESS FOR AUTONOMOUS VESSELS. AUTHORS: Osiris A. Valdez Banda Aalto University, Department of Applied Mechanics (Marine Technology)

Application of Dijkstra s Algorithm in the Evacuation System Utilizing Exit Signs

Fail Operational Controls for an Independent Metering Valve

Transformational Safety Leadership. By Stanley Jules

AN AUTONOMOUS DRIVER MODEL FOR THE OVERTAKING MANEUVER FOR USE IN MICROSCOPIC TRAFFIC SIMULATION

Development and Evaluations of Advanced Emergency Braking System Algorithm for the Commercial Vehicle

Series 3730 and Series 3731 EXPERTplus Valve Diagnostics with Partial Stroke Test (PST)

Global Journal of Engineering Science and Research Management

Analysis of Car-Pedestrian Impact Scenarios for the Evaluation of a Pedestrian Sensor System Based on the Accident Data from Sweden

Lecture 04 ( ) Hazard Analysis. Systeme hoher Qualität und Sicherheit Universität Bremen WS 2015/2016

Modeling of the Safety and the Performance of Railway Operation via Stochastic Petri Nets

AutonoVi-Sim: Modular Autonomous Vehicle Simulation Platform Supporting Diverse Vehicle Models, Sensor Configuration, and Traffic Conditions

C. Mokkapati 1 A PRACTICAL RISK AND SAFETY ASSESSMENT METHODOLOGY FOR SAFETY- CRITICAL SYSTEMS

Modeling and Hazard Analysis Using Stpa

Failure Management and Fault Tolerance for Avionics and Automotive Systems

if all agents follow RSS s interpretation then there will be zero accidents.

OBSERVATION OF GAP ACCEPTANCE DURING INTERSECTION APPROACH

Ranger Walking Initiation Stephanie Schneider 5/15/2012 Final Report for Cornell Ranger Research

Collision Avoidance System using Common Maritime Information Environment.

DMC5 Inverter safety unit (ISU) Handout

Influence of Human Factor on Marine Casualties

Advanced Driver Assist Systems


Human Factors for Limited-Ability Autonomous Driving Systems

OBJECTIFICATION TECHNOLOGY OF PERCEIVED SAFETY & COMFORT DURING ASSISTED DRIVING

Software Reliability 1

Real Time Bicycle Simulation Study of Bicyclists Behaviors and their Implication on Safety

Integrated control system for ship motion in inland navigation

Real-Time & Embedded Systems

Determining the Limit Performance of a GP2 Race Car: from Reality to Multibody and Analytical Simulation - Part II.

Fuzzy Logic in Traffic Control

Functional safety. Functional safety of Programmable systems, devices & components: Requirements from global & national standards

A Novel Approach to Evaluate Pedestrian Safety at Unsignalized Crossings using Trajectory Data

Understanding safety life cycles

REQUIREMENTS AND HAND-OVER DOCUMENTATION FOR ENERGY-OPTIMAL DEMAND-CONTROLLED VENTILATION

Situations that a B2/ALKS highway system may encounter

Prof. Dr. Karl Viktor Schaller Director of Engineering and Purchasing MAN Nutzfahrzeuge AG

YAN GU. Assistant Professor, University of Massachusetts Lowell. Frederick N. Andrews Fellowship, Graduate School, Purdue University ( )

Data Sheet T 8389 EN. Series 3730 and 3731 Types , , , and. EXPERTplus Valve Diagnostic

Operational Comparison of Transit Signal Priority Strategies

Draft Regulation on Driver Assist Systems to Avoid Blind Spot Accidents Proposal for Regulation Text

DOI /HORIZONS.B P23 UDC : (497.11) PEDESTRIAN CROSSING BEHAVIOUR AT UNSIGNALIZED CROSSINGS 1

TRAFFIC CHARACTERISTICS. Unit I

BHATNAGAR. Reducing Delay in V2V-AEB System by Optimizing Messages in the System

Using MATLAB with CANoe

An STPA Tool. Dajiang Suo, John Thomas

Active Pedestrian Safety: from Research to Reality

Self-Driving Vehicles That (Fore) See

Identification of emergent hazards and behaviour Shifting the boundary between unimaginable and imaginable hazards. Hans de Jong and Henk Blom (NLR)

HUMAN (DRIVER) ERRORS

SUMMARY OF SAFETY INVESTIGATION REPORT

A Conceptual Approach for Using the UCF Driving Simulator as a Test Bed for High Risk Locations

PL estimation acc. to EN ISO

MOBILEYE SHIELD + COLLISION AVOIDANCE SYSTEM OUR VISION. YOUR SAFETY.

Module 3 Developing Timing Plans for Efficient Intersection Operations During Moderate Traffic Volume Conditions

Every things under control High-Integrity Pressure Protection System (HIPPS)

#19 MONITORING AND PREDICTING PEDESTRIAN BEHAVIOR USING TRAFFIC CAMERAS

Some interesting questions of traffic signal control

Business owner or commercial property owner in Arlington, 8. Visitor in Arlington, 17

Observation-Based Lane-Vehicle Assignment Hierarchy

Automated Proactive Road Safety Analysis

At each type of conflict location, the risk is affected by certain parameters:

Officer Safety Webinar

Pedestrian Scenario Design and Performance Assessment in Driving Simulations

FMEA- FA I L U R E M O D E & E F F E C T A N A LY S I S. PRESENTED BY: AJITH FRANCIS

Safety Criticality Analysis of Air Traffic Management Systems: A Compositional Bisimulation Approach

Using what we have. Sherman Eagles SoftwareCPR.

RAMP CROSSWALK TREATMENT FOR SAN DIEGO AIRPORT, TERMINAL ONE

1. Functional description. Application program usage. 1.1 General. 1.2 Behavior on bus voltage loss and bus voltage. 1.

Grover 1 EMERGENCY LANE KEEPING (ELK) SYSTEM TEST DEVELOPMENT. Colin, Grover Matthew, Avery Thatcham Research UK. Paper Number ABSTRACT

Quantitative risk assessment and risk-based decision making

Transcription:

Bitte decken Sie die schraffierte Fläche mit einem Bild ab. Please cover the shaded area with a picture. (24,4 x 11,0 cm) Missing no Interaction Using STPA for Identifying Hazardous Interactions of Automated Driving Systems Asim Abdulkhaleq, University of Stuttgart, Germany Markus Baumeister, Systems & Technology, Continental Chassis & Safety Division Chassis & Safety

Agenda 1 2 3 4 Motivation Safety in Automated Driving Safety in Use vs. Functional Safety Safety in Use Analysis Applying STPA for Safety in Use 5 Results 6 Conclusion & Future Work 2

Automated Driving Safe and Dynamic Driving towards Vision Zero 3

Motivation Automotive architecture trend Continuously growing complexity, number of functions and networked ECUs results in: Increased chance for random & systematic failures to cause behaviour deviations of functions Increased potential of functions to be unsafe as specified Source: WRC Market Report E/E Architecture 2013 4

Motivation Safety for automated driving Starting with AD L3: Driver may distract himself No immediate human fallback! Thus most intelligent, independently powered safety mechanism no longer available Partial fail-operational (or fail-degraded) mechanisms necessary Functional Safety Specified behaviour must work in all situations Safety in Use Relationship between Functional Safety and Safety in Use Functional Safety vs. Safety in Use 5

Agenda 1 2 3 4 Motivation Safety in Automated Driving Safety in Use vs. Functional Safety Safety in Use Analysis Applying STPA for Safety in Use 5 Results 6 Conclusion & Future Work 6

F a i l u r e s b e t w e e n Realization Failures between Specification Safety in Use vs. Functional Safety Location in the development cycle Collision Avoidance Example Potential failures Safety in Use Real World Item Definition Function Spec Objects can occur in front of the car and should not be hit Evasion maneuver by function, Required actuator performance, Required sensor performance Sensor performance insufficient for planned maneuver Not all situation might allow evasion, breaking maneuver missing Driver might countersteer maneuver No interface for function to influence steering; wrong granularity of values Functional Safety Architecture Implementation Module and Interface specification Allocation of SW to Components Executable and Parameterization Hardware components Function running on too slow MCU SW steers in wrong direction Environmental model orders objects incorrectly OS executes SW only every 2 nd cycle SW was disabled by application driver Sensor breaks (e.g. no video) Bit flip in parameters disables function Execution Behaviour in the field Bit flip in memory causes steering in wrong direction 7

Safety in Use vs. Functional Safety Different Definitions [from Böhmert, Blüher 2016] Availability 1 ) [readiness for correct service] Reliability 1 ) [continuing for correct service] Safety²) [absence of unreasonable risk] Roadworthiness (Operational Safety) [property or ability of a car, bus, truck or any kind of automobile to be in a suitable operating condition or meeting acceptable standards for safe driving and transport of people, baggage or cargo in roads or streets] In this presentation: Safety in Use Functional safety²) [absence of unreasonable risk due to hazards caused by malfunctioning behaviour of E/E systems] Integrity (Functional) [absence of unreasonably hazardous functionality] Safety in use [absence of hazards due to human errors] Maintainability 1 ) [ability to undergo modifications and repairs] Source: 1 ) Diagram: Basic Concepts and Taxonomy of Dependable and Secure Computing (IEEE Transactions on dependable and secure computing, Vol.1 No.1, January-March-2004; 2 ) Definition Safety: ISO26262-1:2011 first edition 8

Safety in Use vs. Functional Safety Safety in Use and interactions Specification failures often happen due to missed potential interactions 1. Driver Human-and-Driver Human Interaction (HIH) misunderstanding, aggression, 2. Driver Human-and-Driver Machine Interaction (HIM) confusion, misuse, inaction,. 3. Driver Human-and-other Traffic Participants Interaction (HIP) bad estimations,. 4. Automated Driving System-and-its Environment Interaction (AIE) overload, missing participants,. 5. Automated Driving System-and-other Traffic Participants (AIP) feedback loops, different behaviour, 6. Automated Driving System and other Driver Humans (AID) 9

Agenda 1 2 3 4 Motivation Safety in Automated Driving Safety in Use vs. Functional Safety Safety in Use Analysis Applying STPA for Safety in Use 5 Results 6 Conclusion & Future Work 10

Safety in Use Analysis Approach at Continental Situation + Behaviour = potentially hazardous scenario Keyword-guided brainstorming of situations Dependent on experience of analyst Evaluation of risk Similar to HARA for functional safety Is there a method less dependent on inspiration? 11

Safety in Use Analysis Excerpt of SiU Results for Lane Change Four (out of six) SiU requirements mainly relevant for Lane Change functionality: ID SiUA-Requirements Cause of hazard SIUR-16 Lane changes shall only be conducted when the vehicle can determine sufficient length of the new lane for at least a brake to standstill. Potential violation of known requirement in seldom situation SIUR-33 There shall be no automated lane change while handing over control to the driver (Take over Request). Normal behaviour causing hazard by mode interaction. SIUR-38 SIUR-45 Motorcycles overtaking on the lane markings (i.e. between the lanes) shall be observed during lane changes. The automated vehicle shall not block a formed corridor for emergency vehicles while changing lanes. Potential violation of known requirement in seldom situation Normal behaviour causing hazard in special situation Will STPA find these requirements or others? 12

Agenda 1 2 3 4 Motivation Safety in Automated Driving Safety in Use vs. Functional Safety Safety in Use Analysis Applying STPA for Safety in Use 5 Results 6 Conclusion & Future Work 13

Environment Perception (Sensors) Prototype Realization of Automated Driving Layered Functional Architecture World Model Planning Environment Interpretation Mode Manager Environment Model Driving Strategy Human-Machine Interface (HMI) Map and Localization Trajectory Planner Vehicle Dynamics Controller Longitudinal Control Lateral Control Ego-Vehicle Representation 14

Change Lane Function by Ego Vehicle Cruising Chauffeur Examples of the Traffic Situations of Change Lane We apply STPA to identify the hazardous situations of the lane change function and develop detailed safety requirements/controls. Our main question: Can STPA derive the Safety in Use requirements (SiU)? 15

Agenda 1 2 3 4 Motivation Safety in Automated Driving Safety in Use vs. Functional Safety Safety in Use Analysis Applying STPA for Safety in Use 5 Results 6 Conclusion & Future Work 16

STPA Results STPA Step 0: Establish the fundamentals of analysis We identify one accident which automated driving can lead to (lane change function). We identify 12 hazards which can lead to this accident and We translate these 12 hazards into system-level safety constraints. Accident AC-1: The ego vehicle cruising chauffeur collides with a vehicle during the lane change procedure and people dies/ are harmed. ID Hazards H-1 The Cruising Chauffeur system did not estimate correctly the position and velocity of the other traffic participants in the lane. H-2 The Cruising Chauffeur system did not recognize the lane markings. H-3 The Cruising Chauffeur system did not turn on the light of the direction indicators. H-4 The Cruising Chauffeur system steered the ego vehicle in the wrong direction. 17

STPA Results STPA Step 0: Safety-Control Structure Diagram 18

STPA Results STPA Step 1: Unsafe Control Actions Control Action Lane Change Not providing causes hazard Providing incorrect causes hazard *The CC system did UCA1.1 The CC not provide the lane system provided change when it is incorrect lane involved due to an change request to emergency the motion control to situation (e.g. change lane while accident occurred before the Ego vehicle). *[Not Hazardous] Wrong timing or Stopped too soon or order causes Applied too long hazard UCA1.5. Too early: UCA1.8. Stopped too The CC system soon: The CC system started the lane provided a lane change function change request too too early while the short to the motion gap has not been control that was not there is no gap in reached yet. enough to change the the target lane. vehicle to the target lane. [H-1][H-2][H-7] [H-8] [H-1] [H-2] [H-4] [H-4] [H-5] [H-9] [H-12] [H-5] [H-10] Interaction: AIE AIP AIE, AIP AIP Each unsafe control action is translated into a corresponding safety constraint. 19

STPA Results STPA Step 2: Causal Factor Analysis Unsafe Control Action: UCA1.1 The CC provided incorrect lane change request to the motion control to change lane while there is no gap in the target lane. Associated Hazards: [H-1][H-2][H-7] [H-8] [H-9] [H-12] Component Causal Factors Cruising chauffeur System Process model incorrect: The CC estimated a wrong position of other traffic participant in the adjacent lane (target lane). The CC incorrectly believes that there is an enough gap to change lane in the target lane. The CC received a wrong ego vehicle width. The CC incorrectly estimated the traffic conditions. Control input wrong: The driver is request a lane change in nonhighway road. Safety Constraints/Controls 1. Make the CC system able to be a self-adaptive system to the traffic changes during the lane change procedure. 2. If the backend or V2x communication unit is unavailable, the CC system should be immediately warned the driver to take over control and transited automatically to inactive status. Notes / Rationale 20

Mapping STPA Results to Safety in Use Requirements Mapping SiU Results We identify 41 STPA safety requirements for the lane change function. We evaluated the resulting safety requirements against the requirements created in the SiU analysis ID SiUA-Requirements Mapping Cause of hazard SIUR-16 SIUR-33 SIUR-38 SIUR-45 Lane changes shall only be conducted when the vehicle can determine sufficient length of the new lane for at least a brake to standstill. There shall be no automated lane change while handing over control to the driver (ToR). Motorcycles overtaking on the lane markings (i.e. between the lanes) shall be observed during lane changes. The automated vehicle shall not block a formed corridor for emergency vehicles while changing lanes. (SR 1.6) No mapping No mapping (SR 1.1) Potential violation of known requirement in seldom situation Normal behaviour causing hazard by mode interaction. Potential violation of known requirement in seldom situation Normal behaviour causing hazard in special situation Overall six SiU requirements were analyzed and for three of them a mapping towards STPA requirements could be found. 21

Mapping STPA Results to Safety in Use Requirements Mapping STPA Results We evaluated the 41 STPA safety requirements against the requirements created in the SiU analysis ID STPA Safety Requirement Type * Mapping Interaction SR 0.5 SR 0.7 SR 0.8 SR 0.10 SR 1.1 SR 1.6 The traffic markings must be in a good quality and visibly. CC must not lose the detection of other traffic participants while CC changes lanes CC must not steer the ego vehicle in the wrong direction. CC must estimate the lane velocity correctly. The CC must not send a lane change request to the motion control while it is not allowed due to the traffic road conditions. CC must abort a lane change due to unexpected changes in the prerequisites of the lane change function.? Special AIE FuSa & SiU No mapping Overall 41 STPA requirements were found on different analysis levels, Many of these are related to the basic driving task as SR0.8 und SR 0.10. AIP FuSa N/A AIE FuRe & N/A AIP FuSa SiU (SIUR-45) AIE/AIP SiU (SIUR-16) AIE *Legends: FuSa (Functional Safety), SiU (Safety in Use), FuRe (Functional Requirements),? Difficult to classify 22

Discussion Quantity: STPA created safety requirements also outside the domain of SiU in the form of functional safety requirements, and normal functional requirements. Abstractness: Many STPA safety requirements describing SiU issues are relatively abstract with respect to the involved hazard. Level of analysis: On detailed analysis level (i.e. causal factor analysis), the discovered STPA safety requirements are in a great majority not SiU-related due to analyzing the malfunction of some system component. Scenarios: Whereas STPA analyzed only the two traffic situations, the SiU analysis typically has analyzed a different scenario for each resulting requirement. 23

The Safety-in-Use Approach based on STPA We proposed an extension to STPA for safety in use analysis by including the traffic situation analysis as a part of the STPA Step 0 to help the safety in use analysis engineers to focus the time and efforts only on safety in use aspect. We include also a step for identifying design requirements at the end of each STPA steps to help the safety in use engineers to identify/refine their design based on the STPA results. 24

Agenda 1 2 3 4 Motivation Safety in Automated Driving Safety in Use vs. Functional Safety Safety in Use Analysis Applying STPA for Safety in Use 5 Results 6 Conclusion & Future Work 25

STPA for Safety in Use Analysis Conclusion and Future Work We investigated the application of the STPA approach in identifying the safety in use requirements. We applied STPA to the Cruising Chauffeur at Continental. We found that the STPA approach can address different kinds of the interaction between the automated driving system and others. We found also STPA is a useful approach for identifying more types of the detailed requirements, including safety in use One challenge is that the STPA approach is not specific for any safety aspects (functional safety or system-level safety). Therefore, output of STPA includes different types of safety requirements. As a future work, we plan to improve our first proposed extension to STPA for safety in use to help the safety in use experts in addressing only the safety in use requirements. 26

Thank you for your attention! With contribution from Hagen Boehmert (Continental, Frankfurt) Prof. Dr. Stefan Wagner (University of Stuttgart) 27

28

Introduction to STAMP/STPA Safety Analysis Approach Systems Theoretic Process Analysis (STPA) Sees hazards as a control problem (based on STAMP =Systems-Theoretic Accident Model and Processes) Modells process control cycles within system Searches for inadequate control actions Identifies causal factors and flaws leading to them Results in safety constraints for system [Abdulkhaleq 2017] 29

2024 © sportdocbox.com Privacy Policy | Terms of Service | Feedback