Concept and Risk Analytis for Cooperative and Automated Highway Platooning System.

Agenda / Overview of the work

  • The study: a road platooning system = A Cooperative Autonomous Drive Systems (ADS)
  • A distributed conceptual architecture is proposed and discussed.
  • We presents a novel approach in analysing and assessment of the risks for cooperative (ADS).
  • The analysis of the item is done according to a novel approach using a quantitative risk norm (QRN) and incident classification, instead of traditional hazard analysis and risk assessment (HARA).

A conceptual architecture for cooperative ADS

  • Strategic, Tactical, Operational decision levels
  • Separation of concerns
  • Note that we have not made an allocation here

Distributed item elements and boundary

  • The conceptual architecture is allocated into a distributed item.
  • Tactical functions are allocated distributed among participants. This implies that individual vehicles make tactical decisions taking into account how this will affect other vehicles and actors
  • Operational functions are made in the vehicle systems.
  • Strategic functions are always centralised, e.g. in “the cloud”, and include e.g. where to go, what to do, who can participate.

A cooperative item definition

  • An item is implemented as a system or array of systems to realise a function.
  • The item hence encompasses all systems to enable the function (platooning), including vehicles and infrastructure.
  • 26262 definition: “..item is a function at vehicle level..” needs to be changed/adjusted to accommodate for cooperative / distributed function.

DD – Operational Design Domain

ODD Categories:

  • Dynamic Elements
  • Scenery
  • Connectivity
  • Actions and Events, Other Actors
  • Goals and Values – Permanent & Transient
  • Functional Range • Fallback Ready User
  • ODD = operating conditions under which a given ADS is specially designed to function within, and a general scenario of usage of this system.
  • The ODD defines the limits of the ADS
  • An ADS can only operate within its ODD.
  • While inside the ODD, the ADS always ”knows what to do”, i.e. can fully perform the DDT.
  • It cannot be allowed to enter conditions that are outside the ODD, i.e. ODD-exit.
  • ODD-exit shall be avoided e.g. by tactical manoeuvre (such as reduction of speed)
  • Gyllenhammar, et al “Towards an operational design domain that supports the safety argumentation of an automated driving system”. ERTS 2020
  • BSI PAS 1883:2020 Operational Design Domain (ODD) taxonomy for an automated driving system (ADS) – Specification
  • Guidelines for designing automated vehicle control systems

Risk Analysis using the QRN Approach

  • HARA centers around enumerating operational situations and then arguing completeness of these. This is intractable for ADS due to the complexity of the function.
  • The QRN approach essentially relates to a budget of acceptable frequencies of incidents or accidents in specified consequence classes, i.e. incident classification.
  • Each incident shares the budget for the particular class. The consequence classes can be e.g. either quality- or safety related.
  • Safety goals, that can be used in an ISO 26262 process, are found through the QRN approach.
  • These state a maximal frequency of occurrence, rather than a mainly qualitative integrity target as in ISO 26262.


  • HARA centers around enumerating operational situations and then arguing completeness of these.
  • This is intractable for ADS due to the complexity of the function.
  • QRN is a quantitative approach that sets budgets on unwanted/dangerous events.
  • ISO 26262 lacks system-level metrics of these events.
  • The QRN approach could require a new development framework to replace or amend ISO 26262 for ADS
  • The development framework requires new quantitative methods

This work is supported by (Swedish) VINNOVA via the FFI ESPLANADE project (ref 2016-04268).

Carl Bergenhem
System Safety Expert