Concept and Risk Analysis for Cooperative and Automated Highway Platooning System.
Agenda / Overview of the work
- The study: a road platooning system, i.e. a Cooperative Autonomous Drive System (ADS)
- A distributed conceptual architecture is proposed and discussed.
- We present a novel approach to analysing and assessing the risks of a cooperative ADS.
- The analysis of the item follows a novel approach using a quantitative risk norm (QRN) and incident classification, instead of the traditional hazard analysis and risk assessment (HARA).
A conceptual architecture for cooperative ADS
- Strategic, Tactical, Operational decision levels
- Separation of concerns
- Note that we have not made an allocation here
Distributed item elements and boundary
- The conceptual architecture is allocated into a distributed item.
- Tactical functions are distributed among the participants. This implies that individual vehicles make tactical decisions taking into account how these will affect other vehicles and actors.
- Operational functions are performed in the individual vehicle systems.
- Strategic functions are always centralised, e.g. in “the cloud”, and include e.g. where to go, what to do, and who can participate.
A cooperative item definition
- An item is implemented as a system or array of systems to realise a function.
- The item hence encompasses all systems to enable the function (platooning), including vehicles and infrastructure.
- The ISO 26262 definition, “..item is a function at vehicle level..”, needs to be changed/adjusted to accommodate a cooperative / distributed function.
ODD – Operational Design Domain
ODD Categories:
- Dynamic Elements
- Scenery
- Connectivity
- Actions and Events, Other Actors
- Goals and Values – Permanent & Transient
- Functional Range
- Fallback Ready User
- ODD = the operating conditions under which a given ADS is specifically designed to function, together with a general scenario of usage of the system.
- The ODD defines the limits of the ADS
- An ADS can only operate within its ODD.
- While inside the ODD, the ADS always “knows what to do”, i.e. it can fully perform the DDT.
- The ADS must not be allowed to enter conditions outside the ODD, i.e. an ODD-exit.
- ODD-exit shall be avoided, e.g. by a tactical manoeuvre (such as a reduction of speed).
- Gyllenhammar et al., “Towards an operational design domain that supports the safety argumentation of an automated driving system”, ERTS 2020
- BSI PAS 1883:2020 Operational Design Domain (ODD) taxonomy for an automated driving system (ADS) – Specification
- Guidelines for designing automated vehicle control systems
Risk Analysis using the QRN Approach
- HARA centres around enumerating operational situations and then arguing the completeness of this enumeration. This is intractable for an ADS due to the complexity of the function.
- The QRN approach essentially relates to a budget of acceptable frequencies of incidents or accidents in specified consequence classes, i.e. an incident classification.
- All incidents assigned to a consequence class share that class's budget. The consequence classes can be, e.g., either quality- or safety-related.
- Safety goals, that can be used in an ISO 26262 process, are found through the QRN approach.
- These state a maximal frequency of occurrence, rather than a mainly qualitative integrity target as in ISO 26262.
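A worked illustration of the QRN budget check described above, added here as example code (not from the deck or the ESPLANADE project): each consequence class carries a budget frequency, every incident assigned to a class draws on that shared budget, and a per-incident maximal frequency (the safety goal) follows by splitting the budget. Budget and incident frequencies are constructed placeholders, and the equal split of a class budget among its incidents is an assumption of this example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed placeholder budgets (events per vehicle-hour); the deck gives no numbers.
QRN_BUDGET = {
    "S3_severe": 1e-8,    # safety class: life-threatening outcome
    "S1_light": 1e-5,     # safety class: light injury
    "Q_quality": 1e-3,    # quality class: e.g. unplanned platoon dissolution
}


@dataclass(frozen=True)
class Incident:
    name: str
    consequence_class: str
    estimated_frequency: float  # per vehicle-hour, constructed estimate


def class_totals(incidents):
    """Sum estimated frequencies per class: all incidents in a class share one budget."""
    totals = defaultdict(float)
    for inc in incidents:
        if inc.consequence_class not in QRN_BUDGET:
            raise ValueError(f"{inc.name}: unknown consequence class {inc.consequence_class}")
        totals[inc.consequence_class] += inc.estimated_frequency
    return dict(totals)


def derive_safety_goals(incidents):
    """Maximal allowed frequency per incident (the QRN-style safety goal).
    Assumption of this example: a class budget is split equally among its incidents."""
    count = defaultdict(int)
    for inc in incidents:
        count[inc.consequence_class] += 1
    return {inc.name: QRN_BUDGET[inc.consequence_class] / count[inc.consequence_class]
            for inc in incidents}


def check_budget(incidents):
    """Return {class: (summed_frequency, budget)} for every class whose budget is exceeded."""
    totals = class_totals(incidents)
    return {c: (f, QRN_BUDGET[c]) for c, f in totals.items() if f > QRN_BUDGET[c]}


# Constructed incident list for a platoon (names and rates are illustrative only).
INCIDENTS = [
    Incident("rear_end_collision_in_platoon", "S3_severe", 4e-9),
    Incident("false_emergency_brake", "S3_severe", 8e-9),
    Incident("unplanned_platoon_split", "Q_quality", 2e-4),
    Incident("v2v_loss_degraded_gap", "S1_light", 3e-6),
]
```

With these constructed rates the two S3 incidents together exceed the S3 budget, so at least one of them needs a tighter target before the item can be argued acceptable.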
Conclusions
- HARA centres around enumerating operational situations and then arguing the completeness of this enumeration.
- This is intractable for an ADS due to the complexity of the function.
- QRN is a quantitative approach that sets budgets on unwanted/dangerous events.
- ISO 26262 lacks system-level metrics for these events.
- The QRN approach could require a new development framework to replace or amend ISO 26262 for ADS.
- Such a development framework requires new quantitative methods.
This work is supported by (Swedish) VINNOVA via the FFI ESPLANADE project (ref 2016-04268).