-
Safety Blind Spot in Remote Driving: Considerations for Risk Assessment of Connection Loss Fallback Strategies
Authors:
Leon Johann Brettin,
Niklas Braun,
Robert Graubohm,
Markus Maurer
Abstract:
As part of the overall goal of driverless road vehicles, remote driving is a major emerging field of research of its own. Current remote driving concepts for public road traffic often establish a fallback strategy of immediate braking to a standstill in the event of a connection loss. This may seem like the most logical option when human control of the vehicle is lost. However, our simulation results from hundreds of scenarios based on naturalistic traffic scenes indicate high collision rates for any immediate substantial deceleration to a standstill in urban settings. We show that such a fallback strategy can result in a SOTIF relevant hazard, making it questionable whether such a design decision can be considered acceptable. Therefore, from a safety perspective, we would call this problem a safety blind spot, as safety analyses in this regard seem to be very rare.
In this article, we first present a simulation on a naturalistic dataset that shows a high probability of collision in the described case. Second, we discuss the severity of the resulting potential rear-end collisions and provide an even more severe example by including a large commercial vehicle in the potential collision.
Submitted 14 February, 2025;
originally announced February 2025.
-
A Review of Conceptualizations of Safety and Risk in Current Automated Driving Regulation
Authors:
Marcus Nolte,
Leon Johann Brettin,
Hans Steege,
Nayel Salem,
Marvin Loba,
Robert Graubohm,
Markus Maurer
Abstract:
"Safety" and "Risk" are key concepts for the design and development of automated vehicles. For the market introduction or large-scale field tests, both concepts are not only relevant for engineers developing the vehicles, but for all stakeholders (e.g., regulators, lawyers, or the general public) who have stakes in the technology. In the communication between stakeholder groups, common notions of these abstract concepts are key for efficient communication and setting mutual expectations. In the European market, automated vehicles require Europe-wide type approval or at least operating permits in the individual states. For this, a central means of communication between regulators and engineers are regulatory documents. Flawed terminology regarding the safety expectations for automated vehicles can unnecessarily complicate relations between regulators and manufacturers, and thus hinder the introduction of the technology. In this paper, we review relevant documents at the UN- and EU-level, for the UK, and Germany regarding their (implied) notions of safety and risk. We contrast the regulatory notions with established and more recently developing notions of safety and risk in the field of automated driving. Based on the analysis, we provide recommendations on how explicit definitions of safety and risk in regulatory documents can support rather than hinder the market introduction of automated vehicles.
Submitted 10 February, 2025;
originally announced February 2025.
-
An Ontology-based Approach Towards Traceable Behavior Specifications in Automated Driving
Authors:
Nayel Fabian Salem,
Marcus Nolte,
Veronica Haber,
Till Menzel,
Hans Steege,
Robert Graubohm,
Markus Maurer
Abstract:
Vehicles in public traffic that are equipped with Automated Driving Systems are subject to a number of expectations: Among other aspects, their behavior should be safe, conforming to the rules of the road and provide mobility to their users. This poses challenges for the developers of such systems: Developers are responsible for specifying this behavior, for example, in terms of requirements at system design time. As we will discuss in the article, this specification always involves the need for assumptions and trade-offs. As a result, insufficiencies in such a behavior specification can occur that can potentially lead to unsafe system behavior. In order to support the identification of specification insufficiencies, requirements and respective assumptions need to be made explicit. In this article, we propose the Semantic Norm Behavior Analysis as an ontology-based approach to specify the behavior for an Automated Driving System equipped vehicle. We use ontologies to formally represent specified behavior for a targeted operational environment, and to establish traceability between specified behavior and the addressed stakeholder needs. Furthermore, we illustrate the application of the Semantic Norm Behavior Analysis in a German legal context with two example scenarios and evaluate our results. Our evaluation shows that the explicit documentation of assumptions in the behavior specification supports both the identification of specification insufficiencies and their treatment. Therefore, this article provides requirements, terminology and an according methodology to facilitate ontology-based behavior specifications in automated driving.
Submitted 15 November, 2024; v1 submitted 10 September, 2024;
originally announced September 2024.
-
Showcasing Automated Vehicle Prototypes: A Collaborative Release Process to Manage and Communicate Risk
Authors:
Marvin Loba,
Robert Graubohm,
Markus Maurer
Abstract:
The development and deployment of automated vehicles pose major challenges for manufacturers to this day. Whilst central questions, like the issue of ensuring a sufficient level of safety, remain unanswered, prototypes are increasingly finding their way into public traffic in urban areas. Although safety concepts for prototypes are addressed in literature, published work hardly contains any dedicated considerations on a systematic release for their operation. In this paper, we propose an incremental release process for public demonstrations of prototypes' automated driving functionality. We explicate release process requirements, derive process design decisions, and define stakeholder tasks. Furthermore, we reflect on practical insights gained through implementing the release process as part of the UNICAR$agil$ research project, in which four prototypes based on novel vehicle concepts were built and demonstrated to the public. One observation is the improved quality of internal risk communication, achieved by dismantling information asymmetries between stakeholders. Design conflicts are disclosed - providing a contribution to nurture transparency and, thereby, supporting a valid basis for release decisions. We argue that our release process meets two important requirements, as the results suggest its applicability to the domain of automated driving and its scalability to different vehicle concepts and organizational structures.
Submitted 4 April, 2025; v1 submitted 24 April, 2024;
originally announced April 2024.
-
Identification of Triggering Conditions of SOTIF Hazards through System-Theoretic Process Analysis (original title: Identifikation auslösender Umstände von SOTIF-Gefährdungen durch systemtheoretische Prozessanalyse)
Authors:
Robert Graubohm,
Marvin Loba,
Marcus Nolte,
Markus Maurer
Abstract:
Developers have to obtain a sound understanding of existing risk potentials already in the concept phase of driverless vehicles. Deductive as well as inductive SOTIF analyses of potential triggering conditions for hazardous behavior help to achieve this goal. In this regard, ISO 21448 suggests conducting a System-Theoretic Process Analysis (STPA). In this article, we introduce German terminology for SOTIF considerations and critically discuss STPA theory in the course of an example application, while also proposing methodological additions.
Submitted 11 March, 2024;
originally announced March 2024.
-
On Assumptions with Respect to Occlusions in Urban Environments for Automated Vehicle Speed Decisions
Authors:
Robert Graubohm,
Nayel Fabian Salem,
Marcus Nolte,
Markus Maurer
Abstract:
Automated driving systems are subject to various kinds of uncertainty during design, development, and operation. These kinds of uncertainty lead to an inherent risk of the technology that can be mitigated, but never fully eliminated. Situations involving obscured traffic participants have become popular examples in the field to illustrate a subset of these uncertainties that developers must deal with during system design and implementation. In this paper, we describe necessary assumptions for a speed choice in a situation in which an ego-vehicle passes parked vehicles that generate occluded areas where a human intending to cross the road could be obscured. We develop a calculation formula for a dynamic speed limit that mitigates the collision risk in this situation, and investigate the resulting speed profiles in simulation based on example assumptions. This paper has two main results: First, we show that even without worst-case assumptions, dramatically reduced speeds would be driven to avoid collisions. Second, we highlight that design decisions regarding occlusion treatment are directly related to the risk that automated vehicles pose to pedestrians in urban environments. In this respect, we conclude that there needs to be a broader discussion about acceptable assumptions.
Submitted 14 February, 2024; v1 submitted 15 May, 2023;
originally announced May 2023.
-
Risk Management Core -- Towards an Explicit Representation of Risk in Automated Driving
Authors:
Nayel Fabian Salem,
Thomas Kirschbaum,
Marcus Nolte,
Christian Lalitsch-Schneider,
Robert Graubohm,
Jan Reich,
Markus Maurer
Abstract:
While current automotive safety standards provide implicit guidance on how unreasonable risk can be avoided, manufacturers are required to specify risk acceptance criteria for Automated Driving Systems (SAE Level 3 and higher). However, the 'unreasonable' level of risk of Automated Driving Systems is not yet concisely defined. Solely applying current safety standards to such novel systems could potentially not be sufficient for their acceptance. As risk is managed with implicit knowledge about safety measures in existing automotive standards, an explicit alignment with risk acceptance criteria is challenging. Hence, we propose an approach for an explicit representation and management of risk, which we call the Risk Management Core. The proposal of this process framework is based on requirements elicited from current safety standards and is applied to the task of specifying safe behavior for an Automated Driving System in an example scenario.
Submitted 8 March, 2024; v1 submitted 15 February, 2023;
originally announced February 2023.
-
A Contribution to a Traceable, Formal Behavior Specification of Automated Road Vehicles (original title: Ein Beitrag zur durchgängigen, formalen Verhaltensspezifikation automatisierter Straßenfahrzeuge)
Authors:
Nayel Fabian Salem,
Veronica Haber,
Matthias Rauschenbach,
Marcus Nolte,
Jan Reich,
Torben Stolte,
Robert Graubohm,
Markus Maurer
Abstract:
Assuring safety of automated vehicles (SAE Level 3+) requires specifying and validating the behavior of such a vehicle in its operational environment. In order to argue and support assumptions that are made during the behavior specification within scenarios, a traceable documentation of design decisions is required. With the introduction of the semantic norm behavior analysis a method is proposed, which contributes to a traceable mapping of concerns towards the behavior of an automated vehicle in its operational environment to a formal rule system of semantic concepts for considered scenarios. In this work, a semantic norm behavior analysis is conducted in two selected example scenarios. Thereby, an example of the formalization of behavioral rules from an excerpt of the German traffic code is given.
Submitted 15 September, 2022;
originally announced September 2022.
-
A Taxonomy to Unify Fault Tolerance Regimes for Automotive Systems: Defining Fail-Operational, Fail-Degraded, and Fail-Safe
Authors:
Torben Stolte,
Stefan Ackermann,
Robert Graubohm,
Inga Jatzkowski,
Björn Klamann,
Hermann Winner,
Markus Maurer
Abstract:
This paper presents a taxonomy that allows defining the fault tolerance regimes fail-operational, fail-degraded, and fail-safe in the context of automotive systems. Fault tolerance regimes such as these are widely used in recent publications related to automated driving, yet without definitions. This largely holds true for automotive safety standards, too. We show that fault tolerance regimes defined in scientific publications related to the automotive domain are partially ambiguous as well as taxonomically unrelated. The presented taxonomy is based on terminology stemming from ISO 26262 as well as from systems engineering. It uses four criteria to distinguish fault tolerance regimes. In addition to fail-operational, fail-degraded, and fail-safe, the core terminology consists of operational and fail-unsafe. These terms are supported by definitions of available performance, nominal performance, functionality, and a concise definition of the safe state. For verification, we show by means of two examples from the automotive domain that the taxonomy can be applied to hierarchical systems of different complexity.
Submitted 12 July, 2022; v1 submitted 21 June, 2021;
originally announced June 2021.
-
Towards Efficient Hazard Identification in the Concept Phase of Driverless Vehicle Development
Authors:
Robert Graubohm,
Torben Stolte,
Gerrit Bagschik,
Markus Maurer
Abstract:
The complex functional structure of driverless vehicles induces a multitude of potential malfunctions. Established approaches for a systematic hazard identification generate individual potentially hazardous scenarios for each identified malfunction. This leads to inefficiencies in a purely expert-based hazard analysis process, as each of the many scenarios has to be examined individually. In this contribution, we propose an adaptation of the strategy for hazard identification for the development of automated vehicles. Instead of focusing on malfunctions, we base our process on deviations from desired vehicle behavior in selected operational scenarios analyzed in the concept phase. By evaluating externally observable deviations from a desired behavior, we encapsulate individual malfunctions and reduce the amount of generated potentially hazardous scenarios. After introducing our hazard identification strategy, we illustrate its application on one of the operational scenarios used in the research project UNICAR$agil$.
Submitted 13 January, 2021; v1 submitted 22 April, 2020;
originally announced April 2020.