Ability Graphs as Part of a Functional Safety Concept

Part of the document Automotive systems engineering ii (pages 141 - 144)

Integrating functional safety into a system is possible by adding hardware and software components which interfere as little as possible with functional operation. These safety functions should detect and eliminate failures and keep the operational range as large as possible. To detect degraded performance caused by internal and external events, a self-perception is necessary. To determine the impact of those events, a self-representation is necessary. This can be done based on skills and abilities. To restore performance, reconfiguration and other self-healing methods can be used.

6.3.1 Related Work

A system-wide safety concept for SAE Level 4 and 5 automation is not known to the authors and thus, it is only possible to discuss publications which cover parts of such a concept. For automated vehicles, Hörwick and Siedersberger (2010) presented a safety concept for parts of the system and without considering the development process. This concept is one of the first for automated vehicles with SAE Level 3 automation and is applied to a traffic jam assist function which controls the vehicle in traffic jams up to a speed of 60 km/h (Hörwick 2011). The system is capable of reducing the driving risk by stopping the vehicle in the current lane with the usage of action plans. As the system is used in traffic jams only, the automated vehicle is likely followed by others in a traffic jam and therefore high relative speeds to others are not very probable. A main difference to driverless vehicles unsupervised by humans is the availability of a human driver if the system reaches its functional system boundaries. In the proposed safety concept several monitoring instances are integrated into the EE system which monitor the operation of system components. However, the concept is not directly applicable to driverless vehicles, because of a missing fallback solution if the traffic jam ends. Furthermore, the proposed concept is a technical safety concept without considering the development process of the EE system and a methodology for identifying functional requirements to identify critical situations.

The research and development project aFAS (German project title: Automatisches fahrerlos fahrendes Absicherungsfahrzeug für Arbeitsstellen auf Autobahnen, English translation: Automated driverless protective vehicle for motorway hard shoulder road works) is one of the first projects which aims at real-world usage of an unmanned vehicle in public traffic (Ohl et al. 2012; Stolte et al. 2015a, b). Although the use case is limited to the hard shoulder of motorways, the unmanned operation without permanent monitoring is new to the automotive industry. In the project, a study on the applicability of the ISO 26262 standard to fully automated driverless vehicles is one of the research goals. As the prototype is not yet operated unmanned, no real-world results are available. The resulting system will enable SAE Level 4 automation and the safety concept is subject to our future work.

In Maurer (2012) and Reschka et al. (2015) a development process for collision avoidance and mitigation systems is described, which is applied in current development of the automotive industry. The chapter focuses on a development process which is driven by customer needs, technological feasibility, and economic constraints. Due to the technological difficulties that can arise in the development process of Advanced Driver Assistance Systems, an iterative approach could possibly avoid expensive restarts of development phases. This iterative approach will likely be necessary in the aFAS project as well and also for our future work in the Stadtpilot project.

A first approach based on the ISO 26262 standard has been presented in Reschka et al. (2011) for the Stadtpilot project. This approach was used to develop and test a prototype automated vehicle for operation in public traffic. The main focus was the approval process of the control software. In Reschka et al. (2012a, b) a monitoring concept has been introduced in the Stadtpilot project, which allowed basic system monitoring based on heartbeats, timing monitoring, and the calculation of aggregated performance criteria for certain system functions. This concept has to be improved further to deal with all aspects of higher levels of driving automation, especially concerning the absence of a human driver.

6.3.2 Utilizing Ability Graphs to Improve Safety of Operation

During operation of an automated road vehicle, a self-representation of the vehicle is necessary to improve safety of driving decisions. This self-representation is implemented with the Ability Graph, which is derived from the Skill Graph. The current performance of each ability is measured with a performance metric. In combination with the monitoring of hardware and software components these performance metrics are collected in the self-representation. In addition, skill-specific metrics are passed to depending skills. With this concept, complex abilities can identify functional deficits and thus are able to consider this reduced performance level in decision tasks. The overall system performance can be identified at the top-level ability (or abilities).

The Ability Graph is a qualitative representation of the abilities necessary for vehicle guidance. These abilities can be compared to the required abilities of the current driving situation including a safety margin. The difference is a metric for the risk of operation in the current situation. If the capabilities are sufficient, the situation can be mastered safely. If one or more abilities have a low performance value, the situation can be dangerous and thus, immediate actions to reduce the risk are necessary, either by reducing the “difficulty” of the driving situation or by increasing the vehicle’s ability levels.

The self-perception and self-representation and other safety functionalities require additional hardware and software components. These components must not affect the functional components of the vehicle guidance system, or at most in a tolerable manner. Functional degradation or self-healing methods can be further safety functionalities.

6.3.3 Self-Perception

The self-perception process collects data from all sensors and stores this data for safety purposes like building a self-representation and for functional purposes where the information is used in the functional components. In today’s series vehicles self-diagnosis functions are integrated in the components of the vehicle.

Some of the diagnosis functions signal issues to the driver on the dashboard, others force emergency operation modes of components, e.g., the limp home mode for an engine (Volkswagen 2011). Jerhot et al. (2009) describe an environment perception system with self-diagnosis capabilities. Jerhot et al. (2009) introduce a probabilistic approach for monitoring and an adaptation of the vehicle's functional capabilities. This approach is capable of monitoring track quality, dropouts, tracking time, association success, state prerequisites, distance, azimuth, and speed. It is introduced for the environment perception components of Advanced Driver Assistance Systems. Its applicability to automated vehicles seems possible.

As Dietmayer (2016) points out, the testing of perception systems for automated vehicles has to be based on a mathematical description of so-called episodes (sets of situations) and, e.g., Monte Carlo simulations for identifying critical situations. Field tests with a large number of driven kilometers are not sufficient because the probability of occurrence is not high enough (Wachenfeld and Winner 2016). Dietmayer also argues that an online monitoring of the perception performance (consisting of state, existence, and classification uncertainty) is barely possible with state-of-the-art systems. Moreover, a prediction of the performance in case of sudden failures is currently impossible. The chapter points out the need for a hardware- and functionally-redundant hardware setup for achieving a minimal level of performance in case of sudden failures to fulfill ASIL D requirements. With such a setup, a driverless system will not get into (technically) unsolvable situations and can achieve a permanent safe state of operation.

The self-perception is a database of vehicle and system information. Sensors are used to determine vehicle dynamics and actuator values. Additionally, hardware and software heartbeats and cycle times are collected. More sophisticated values are calculated by integrated safety methods in the software components and smaller units. These values are algorithm specific and can only be generated by the functional modules themselves, e.g., a covariance matrix for probabilistic tracking algorithms contains information about the current state of the estimation.
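The paragraph above lists the kinds of values a self-perception collects: heartbeats, cycle times, and algorithm-specific quality indicators such as a tracking covariance matrix. The following Python snippet is an added illustration of how such raw values can be turned into a per-component record of performance values in [0, 1]; it is not code from the chapter or from the Stadtpilot or aFAS projects. The component names, the heartbeat and cycle-time samples, the timing law (performance falls linearly from 1.0 at the nominal cycle time to 0.0 at twice the nominal cycle time) and the mapping from the largest covariance eigenvalue to an estimation performance value are all assumptions made for this example.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class ComponentSpec:
    name: str
    nominal_cycle_ms: float      # expected cycle time of the component
    heartbeat_timeout_ms: float  # no heartbeat for this long -> component considered dead


@dataclass(frozen=True)
class Heartbeat:
    component: str
    t_ms: float      # time the heartbeat was sent
    cycle_ms: float  # measured duration of the iteration that sent it


def clamp01(x: float) -> float:
    return max(0.0, min(1.0, x))


def heartbeat_health(spec, heartbeats, now_ms, window=5):
    """Return (alive, timing_performance) for one component.

    alive: a heartbeat was seen within heartbeat_timeout_ms of now_ms.
    timing_performance: 1.0 while the worst of the last `window` cycle times
    is within nominal, falling linearly to 0.0 at twice nominal (assumed law).
    """
    own = sorted((h for h in heartbeats if h.component == spec.name and h.t_ms <= now_ms),
                 key=lambda h: h.t_ms)
    if not own or now_ms - own[-1].t_ms > spec.heartbeat_timeout_ms:
        return False, 0.0
    worst = max(h.cycle_ms for h in own[-window:])
    return True, clamp01(2.0 - worst / spec.nominal_cycle_ms)


def estimation_performance(cov, tolerance_m):
    """Map a 2x2 position covariance (m^2) to a performance value in [0, 1].

    The largest eigenvalue is the variance along the worst direction and its
    square root the worst-case standard deviation. Performance is 1.0 for a
    perfect estimate and 0.0 once that deviation reaches tolerance_m (assumed).
    """
    (a, b), (c, d) = cov
    if abs(b - c) > 1e-12 or a < 0 or d < 0:
        raise ValueError("covariance must be symmetric with non-negative variances")
    half_trace = (a + d) / 2.0
    det = a * d - b * c
    lam_max = half_trace + math.sqrt(max(half_trace * half_trace - det, 0.0))
    return clamp01(1.0 - math.sqrt(lam_max) / tolerance_m)


def self_perception(specs, heartbeats, covariances, now_ms, tolerance_m=1.0):
    """Build the self-perception record: one entry per monitored component."""
    record = {}
    for spec in specs:
        alive, timing = heartbeat_health(spec, heartbeats, now_ms)
        entry = {"alive": alive, "timing": timing}
        if spec.name in covariances:
            entry["estimate"] = estimation_performance(covariances[spec.name], tolerance_m)
        record[spec.name] = entry
    return record


# Constructed sample data (hypothetical components, not measurements from any vehicle)
SPECS = [
    ComponentSpec("lidar_tracking", nominal_cycle_ms=100.0, heartbeat_timeout_ms=300.0),
    ComponentSpec("vehicle_dynamics", nominal_cycle_ms=10.0, heartbeat_timeout_ms=30.0),
    ComponentSpec("planner", nominal_cycle_ms=50.0, heartbeat_timeout_ms=150.0),
]
HEARTBEATS = [
    Heartbeat("lidar_tracking", 600.0, 100.0), Heartbeat("lidar_tracking", 700.0, 100.0),
    Heartbeat("lidar_tracking", 800.0, 150.0), Heartbeat("lidar_tracking", 900.0, 100.0),
    Heartbeat("vehicle_dynamics", 880.0, 10.0), Heartbeat("vehicle_dynamics", 890.0, 10.0),
    Heartbeat("vehicle_dynamics", 900.0, 10.0),
    Heartbeat("planner", 500.0, 50.0),   # planner stopped sending heartbeats at t=500 ms
]
COVARIANCES = {"lidar_tracking": [[0.09, 0.0], [0.0, 0.04]]}  # 0.3 m worst-case sigma

if __name__ == "__main__":
    for name, entry in self_perception(SPECS, HEARTBEATS, COVARIANCES, now_ms=900.0).items():
        print(name, entry)
```

With the constructed data the planner is reported dead (last heartbeat 400 ms ago, timeout 150 ms), the vehicle dynamics component is healthy, and the lidar tracker is alive but degraded: one 150 ms cycle in its recent window halves its timing performance, and its 0.3 m worst-case position deviation yields an estimation performance of 0.7. These values are the raw material the self-representation aggregates.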

6.3.4 Self-Representation

The self-representation uses the self-perception data and the Ability Graph to determine the current capabilities of the vehicle. Several values from the self-perception are aggregated for providing more complex performance metrics. In this step, the focus of monitoring switches from software and functional modules to the more abstracted ability view. Additionally, a prediction of future capabilities is possible to adapt driving more closely to the current situation and by that avoid dangerous situations with a high risk level in future maneuvers (Bergmiller 2014; Siedersberger 2003). By comparing current performance and estimating the necessary performance for the current and future situations, system boundaries can be detected and reaching those can be avoided.
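Sections 6.3.2 and 6.3.4 describe the Ability Graph as a dependency structure in which performance metrics are passed from abilities to the abilities depending on them, and as the basis for comparing current abilities against the requirements of the driving situation plus a safety margin. The following Python example, added here and not taken from the chapter or the Stadtpilot project, implements that comparison on a small constructed graph. The ability names, the numeric requirement levels of the three situations and the propagation rule (an ability is assumed to perform no better than the weakest ability it depends on, i.e. a minimum rule) are assumptions of this example; the chapter does not prescribe a particular aggregation.

```python
from dataclasses import dataclass

EPS = 1e-9  # tolerance for floating-point comparisons of performance levels


@dataclass
class Ability:
    name: str
    depends_on: tuple = ()   # names of the abilities this one requires
    measured: float = 1.0    # local performance metric in [0, 1] from the self-perception


class AbilityGraph:
    def __init__(self, abilities):
        self.abilities = {a.name: a for a in abilities}
        for a in abilities:
            for dep in a.depends_on:
                if dep not in self.abilities:
                    raise ValueError(f"{a.name} depends on unknown ability {dep}")
        for name in self.abilities:   # evaluating every node also rejects dependency cycles
            self.effective(name)

    def update(self, name, value):
        """Feed a new measured performance value (clamped to [0, 1]) into the graph."""
        self.abilities[name].measured = max(0.0, min(1.0, value))

    def effective(self, name, _path=()):
        """Effective performance of an ability: its own measured value limited by the
        effective performance of everything it depends on (assumed minimum rule)."""
        if name in _path:
            raise ValueError("dependency cycle: " + " -> ".join(_path + (name,)))
        a = self.abilities[name]
        return min([a.measured] + [self.effective(d, _path + (name,)) for d in a.depends_on])

    def risk(self, required, margin):
        """Compare effective abilities with a situation's requirements plus a safety margin.
        Returns (risk, deficits): risk is the largest shortfall (0.0 if the situation can
        be mastered), deficits maps each insufficient ability to its shortfall."""
        deficits = {}
        for name, req in required.items():
            shortfall = req + margin - self.effective(name)
            if shortfall > EPS:
                deficits[name] = shortfall
        return (max(deficits.values()) if deficits else 0.0), deficits


def choose_situation(graph, candidates, margin):
    """candidates: (label, required) pairs ordered from most to least demanding.
    Return the first situation the vehicle can master safely, i.e. reduce the
    difficulty of the driving situation until the current abilities suffice."""
    for label, required in candidates:
        risk, _ = graph.risk(required, margin)
        if risk == 0.0:
            return label
    return None


def build_graph():
    """Constructed example graph; the object detector is currently degraded."""
    return AbilityGraph([
        Ability("localize", measured=0.9),
        Ability("detect_objects", measured=0.6),
        Ability("track_objects", depends_on=("detect_objects",), measured=0.95),
        Ability("follow_lane", depends_on=("localize",)),
        Ability("keep_distance", depends_on=("track_objects",)),
        Ability("drive_in_traffic", depends_on=("follow_lane", "keep_distance")),
    ])


# Constructed situation requirements (required performance per ability), most demanding first
SITUATIONS = [
    ("motorway_130", {"drive_in_traffic": 0.8, "keep_distance": 0.8, "follow_lane": 0.7}),
    ("urban_50", {"drive_in_traffic": 0.45, "keep_distance": 0.45, "follow_lane": 0.45}),
    ("stop_in_lane", {"follow_lane": 0.3, "keep_distance": 0.3}),
]

if __name__ == "__main__":
    g = build_graph()
    print("top-level performance:", g.effective("drive_in_traffic"))
    for label, required in SITUATIONS:
        print(label, g.risk(required, margin=0.1))
    print("chosen situation:", choose_situation(g, SITUATIONS, margin=0.1))
```

In the constructed graph the degraded detector (0.6) propagates through object tracking and distance keeping up to the top-level ability, so the motorway situation shows a shortfall of 0.3 against its requirement plus margin and the vehicle is steered towards the less demanding urban situation; once the detector reports full performance again the motorway requirements are met. Changing the minimum rule to another aggregation (e.g. a weighted combination) only touches `effective`.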

The proposed concept should enable automated driving and an early version presented in Reschka et al. (2012a) enabled the first automated driving demonstrations in Germany in the Stadtpilot project in 2010 (Nothdurft et al. 2011).
