
A Safety Standard Approach for Fully Autonomous Vehicles


WAISE 2019 paper co-authored with Uma Ferrell, Frank Fratrik, and Mike Wagner of MITRE and Edge Case Research


  1. A Safety Standard Approach for Fully Autonomous Vehicles
     Phil Koopman, Uma Ferrell, Frank Fratrik, Mike Wagner
     WAISE 2019, Turku, Finland
     @PhilKoopman
     © 2019 Philip Koopman
  2. Overview
     - Relevant safety standards
     - AV safety standard challenges
     - Overview of Draft UL 4600
       - Safety case-based approach
       - Key features:
         - Feedback loops
         - Emphasis on safety case assessment
         - Component support
     https://on.gei.co/2r2rjzg
  3. Some Relevant Safety Guidance
     - ISO 26262: vehicle functional safety
       - Conventional Automotive Safety Integrity Levels (ASIL)
       - Emphasis on internal system faults and failures
     - ISO/PAS 21448: Safety Of The Intended Function (SOTIF)
       - Emphasis on ADAS systems
         - Scope revision for full autonomy in progress
       - Emphasis more on what is “outside” the system’s design
         - Performance limitations & sensing robustness
         - Gaps in design corresponding to unknowns
     - SaFAD white paper: Safety First for Automated Driving
       - Initial description of AV design practices
  4. Identifying & Mitigating Hazards
     - ISO 26262: Hazard and Risk Analysis (HARA)
       - Identify and mitigate risks in accordance with ASIL requirements
     - ISO/PAS 21448: Identify and mitigate unsafe scenarios
       - Reduce “unknown unsafe” area
         - Mitigate risks
         - Restrict ODD if needed
       - Deploy at acceptable residual risk
  5. Some Technical Challenges
     - No human driver
       - More than “dynamic driving task”
       - System-level view of safety is needed
     - Complex, non-deterministic behaviors
       - Passing a test once does not prove safety
       - Difficult to design tests for such systems
     - Completeness is a challenge
       - More than handling all driving + obstacle combinations
         - Example: perception edge cases
       - Uncertainty as to residual risks at initial deployment
     https://bit.ly/2GvDkUN
  6. Standardization Challenges
     - Quickly evolving technology
       - Monthly innovation vs. multi-year standard update process
       - Changing environment and deployment
     - Historical automotive “self-certification”
       - Reluctance to disclose technical details
     - Approach: acceptance criteria for a safety case
       - Is the safety case well formed?
       - Are there inconsistencies in argumentation and/or evidence?
     (Image caption: Boss, circa 2007)
  7. Feedback Loops
     - Feedback used to mitigate risk of unknowns
       - Within product: incidents trigger safety case update
       - At assessment: updates trigger assessments
       - Standards process: emergent issues trigger ~yearly standard update
  8. Other Key Features
     - Two-layer assessment
       - Self-assessment required
       - Independent assessor checks self-assessment results
     - Emphasizes assessment
       - Emphasis on safety case integrity rather than subjective assessor belief
       - Extensive prompts of items to consider in safety case
       - Includes whether lessons learned have been considered (“pitfalls”)
     - Component support
       - Design-by-contract approach to component safety case interface
  9. Primary UL 4600 Topics
     - Safety case & argumentation
     - Risk assessment
     - Human interaction
     - Autonomy & machine learning
     - Software & system development process
     - Dependability & redundancy management
     - Verification, validation & testing
     - Data and networking
     - Tool and component qualification
     - Lifecycle and operational concerns
     - Maintenance
     - Safety metrics
     - Assessment process
     - Security plan required at high level
  10. UL 4600 ODD Prompt Excerpts
     - Travel infrastructure
       EXAMPLES: types of road surfaces, road geometries, bridge restrictions
     - Object coverage (i.e., objects within ODD)
     - Event coverage
       EXAMPLES: interactions with infrastructure
     - Behavioral rules
       EXAMPLES: traffic laws, system path conflict resolution priority, local customs, justifiable rule breaking for safety
     - Environmental effects
       EXAMPLES: weather, illumination
     - Vulnerable populations
       EXAMPLES: pedestrians, motorcycles, bikes, scooters, other at-risk road users, other road users
     - Seasonal effects
       EXAMPLES: foliage changes, sun angle changes, seasonally-linked events (e.g., Oktoberfest)
     - Support infrastructure, if any is relied upon
       EXAMPLES: types of traffic signs, travel path geometry restrictions, other markings
     - Localization support, if relied upon
       EXAMPLES: GNSS availability, types of navigation markers, DSRC, other navaids
     - Compliance strategy for traffic rules
       EXAMPLE: enumeration of applicable traffic regulations and ego vehicle behavioral constraints
     - Special road user rules
       EXAMPLES: bicycles, motorcycles/lane splitting, construction systems, oversize systems, snowplows, sand/salt trucks, emergency response systems, street sweepers, horse-drawn systems
     - Road obstructions
       EXAMPLES: pedestrian zone barriers, crowd control barriers, police vehicles intentionally blocking traffic, post-collision vehicles and associated debris, other road debris, other artificial obstructions
  11. Relationship with Other Guidance
     - ISO 26262 – starting point
       - Still relevant to the extent it can be applied
       - Assumes traceability of tests to design with “V”
     - ISO/PAS 21448 & SaFAD – how
       - Design and validation process framework
     - UL 4600 – #DidYouThinkofThat?
       - Safety case organizes arguments & evidence
       - Minimum criteria for complete coverage + feedback requirement
       - Lists of positive and negative lessons learned
       - Objective assessment criteria for safety case
     (Image caption: Unusual pedestrian clothing)
  12. UL Standards Process
     - Underwriters Laboratories – safety standards for 125 years
       - Initially: electrical fire safety for insurance companies
       - Already working in automotive industry
     - Two companies: UL LLC non-profit handles standards
       - Produces North America standards; path to internationalization
     - Initial draft reviewed by Standards Technical Panel (STP)
       - ~30 members
         - OEM(s), full stack autonomy, first tier suppliers, chips
         - Insurance, government, consumer, assessors, academic, legal
         - US, Europe, Asia
         - Automotive industry, but some military, aviation, other experience
  13. More On UL 4600
     - Public-facing information: UL4600.com
     - To become a stakeholder: Deborah.Prince@ul.org
     - Next events:
       - Sept 2019: more extensive tutorial at AutoSens
       - October 2019: stakeholder “public” draft available (approx. 250 – 300 pages)
       - Late 2019: voting draft (goal)
       - Early 2020: standard issued (goal)
       - 2020: other domains beyond automotive (?)