Agenda / Overview of the work

• The study: a road platooning system = A Cooperative Autonomous Drive Systems (ADS)
• A distributed conceptual architecture is proposed and discussed.
• We presents a novel approach in analysing and assessment of the risks for cooperative (ADS).
• The analysis of the item is done according to a novel approach using a quantitative risk norm (QRN) and incident classification, instead of traditional hazard analysis and risk assessment (HARA).

A conceptual architecture for cooperative ADS

• Strategic, Tactical, Operational decision levels
• Separation of concerns
• Note that we have not made an allocation here

Distributed item elements and boundary

• The conceptual architecture is allocated into a distributed item.
• Tactical functions are allocated distributed among participants. This implies that individual vehicles make tactical decisions taking into account how this will affect other vehicles and actors
• Operational functions are made in the vehicle systems.
• Strategic functions are always centralised, e.g. in “the cloud”, and include e.g. where to go, what to do, who can participate.

A cooperative item definition

• An item is implemented as a system or array of systems to realise a function.
• The item hence encompasses all systems to enable the function (platooning), including vehicles and infrastructure.
• 26262 definition: “..item is a function at vehicle level..” needs to be changed/adjusted to accommodate for cooperative / distributed function.

DD – Operational Design Domain

ODD Categories:

• Dynamic Elements
• Scenery
• Connectivity
• Actions and Events, Other Actors
• Goals and Values – Permanent & Transient
• Functional Range • Fallback Ready User
• ODD = operating conditions under which a given ADS is specially designed to function within, and a general scenario of usage of this system.
• The ODD defines the limits of the ADS
• An ADS can only operate within its ODD.
• While inside the ODD, the ADS always ”knows what to do”, i.e. can fully perform the DDT.
• It cannot be allowed to enter conditions that are outside the ODD, i.e. ODD-exit.
• ODD-exit shall be avoided e.g. by tactical manoeuvre (such as reduction of speed)
• Gyllenhammar, et al “Towards an operational design domain that supports the safety argumentation of an automated driving system”. ERTS 2020
• BSI PAS 1883:2020 Operational Design Domain (ODD) taxonomy for an automated driving system (ADS) – Specification
• Guidelines for designing automated vehicle control systems

Risk Analysis using the QRN Approach

• HARA centers around enumerating operational situations and then arguing completeness of these. This is intractable for ADS due to the complexity of the function.
• The QRN approach essentially relates to a budget of acceptable frequencies of incidents or accidents in specified consequence classes, i.e. incident classification.
• Each incident shares the budget for the particular class. The consequence classes can be e.g. either quality- or safety related.
• Safety goals, that can be used in an ISO 26262 process, are found through the QRN approach.
• These state a maximal frequency of occurrence, rather than a mainly qualitative integrity target as in ISO 26262.

Conclusions

• HARA centers around enumerating operational situations and then arguing completeness of these.
• This is intractable for ADS due to the complexity of the function.
• QRN is a quantitative approach that sets budgets on unwanted/dangerous events.
• ISO 26262 lacks system-level metrics of these events.
• The QRN approach could require a new development framework to replace or amend ISO 26262 for ADS
• The development framework requires new quantitative methods

This work is supported by (Swedish) VINNOVA via the FFI ESPLANADE project (ref 2016-04268).