2019自动驾驶安全第一白皮书（英文版）

哥兜裏有煙

2019自动驾驶安全第一白皮书（英文版）
Contents
1 INTRODUCTION & MOTIVATION....................................................................................... 2
1.1 Scope of this Publication................................................................................................. 2
1.2 Structure of and Development Examples Used in this Publication................................... 4
1.3 Safety Vision................................................................................................................... 6
1.3.1 Background.......................................................................................................... 6
1.3.2 The Twelve Principles of Automated Driving......................................................... 6
2 SYSTEMATICALLY DEVELOPING DEPENDABILITY TO SUPPORT SAFETY
BY DESIGN........................................................................................................................ 12
2.1 Deriving Capabilities of Automated Driving from Dependability Domains....................... 13
2.1.1 Legal Frameworks for Automated Driving Vehicles............................................. 13
2.1.2 Applying the Related Safety Standards............................................................... 14
2.1.3 Safety of the Intended Functionality.................................................................... 17
2.1.4 Functional Safety................................................................................................ 20
2.1.5 Automotive Cybersecurity................................................................................... 21
2.1.5.1 Why is Cybersecurity so Important for Safety?.................................... 22
2.1.5.2 Cybersecurity Approach and Measures............................................... 24
2.1.6 Capabilities of Automated Driving....................................................................... 27
2.1.6.1 Initial Derivation of Capabilities........................................................... 27
2.1.6.2 Overview of the Capabilities............................................................... 30
2.1.7 Minimal Risk Conditions and Minimal Risk Maneuvers........................................ 34
2.2 Elements for Implementing the Capabilities................................................................... 36
2.2.1 Implementing the Capabilities............................................................................. 36
2.2.1.1 FS_1: Determine location .................................................................. 37
2.2.1.2 FS_2: Perceive relevant static and dynamic objects in proximity to
the automated vehicle......................................................................... 38
2.2.1.3 FS_3: Predict the future behavior of relevant objects.......................... 39
2.2.1.4 FS_4: Create a collision-free and lawful driving plan........................... 40
2.2.1.5 FS_5: Correctly execute and actuate the driving plan......................... 41
2.2.1.6 FS_6: Communicate and interact with other (vulnerable) road users..... 41
2.2.1.7 FS_7: Determine if specified nominal performance is not achieved..... 42
2.2.1.8 FD_1: Ensure controllability for the vehicle operator........................... 43
2.2.1.9 FD_2: Detect when degraded performance is not available................ 44
2.2.1.10 FD_3: Ensure safe mode transitions and awareness.......................... 44
2.2.1.11 FD_4: React to insufficient nominal performance and other failures
via degradation................................................................................... 45
2.2.1.12 FD_5: Reduce system performance in the presence of failure for
the degraded mode............................................................................. 46
2.2.1.13 FD_6: Perform degraded mode within reduced system constraints..... 46
2.2.2 Elements............................................................................................................ 47
2.2.2.1 Environment Perception Sensors........................................................ 47
2.2.2.2 A-Priori Perception Sensors ............................................................... 48
2.2.2.3 V2X.................................................................................................... 51
2.2.2.4 Sensor Fusion ................................................................................... 51
2.2.2.5 Interpretation and Prediction .............................................................. 52
2.2.2.6 Localization ....................................................................................... 53
2.2.2.7 ADS Mode Manager .......................................................................... 53
2.2.2.8 Egomotion ......................................................................................... 54
2.2.2.9 Drive Planning ................................................................................... 55
2.2.2.10 Traffic Rules........................................................................................ 56
2.2.2.11 Motion Control ................................................................................... 56
2.2.2.12 Motion Actuators ................................................................................ 57
2.2.2.13 Body Control with Secondary Actuators.............................................. 58
2.2.2.14 Human-Machine Interaction ............................................................... 58
2.2.2.15 User State Determination.................................................................... 61
2.2.2.16 Vehicle State...................................................................................... 64
2.2.2.17 Monitors (Nominal and Degraded Modes)........................................... 64
2.2.2.18 Processing Unit.................................................................................. 64
2.2.2.19 Power supply..................................................................................... 65
2.2.2.20 Communication Network.................................................................... 65
2.3 Generic Logical Architecture......................................................................................... 65
3 VERIFICATION AND VALIDATION................................................................................... 72
3.1 The Scope and Main Steps of V&V for Automated Driving Systems.............................. 72
3.2 Key Challenges for V&V of L3 and L4 Systems............................................................. 75
3.3 V&V Approach for Automated Driving Systems.............................................................. 76
3.3.1 Defining Test Goals & Objectives (Why & How Well)........................................... 77
3.3.2 Test Design Techniques (How)............................................................................ 77
3.3.3 Test Platforms (Where)....................................................................................... 78
3.3.4 Test Strategies in Response to the Key Challenges............................................ 79
3.4 Quantity and Quality of Testing ..................................................................................... 83
3.4.1 Equivalence Classes and Scenario-Based Testing ............................................. 84
3.5 Simulation .................................................................................................................... 85
3.5.1 Types of Simulation............................................................................................ 87
3.5.2 Simulation Scenario Generation......................................................................... 88
3.5.3 Validating Simulation.......................................................................................... 89
3.5.4 Further Topics in Simulation................................................................................ 89
3.6 V&V of Elements........................................................................................................... 90
3.6.1 A-Priori Information and Perception (Map).......................................................... 91
3.6.2 Localization (Including GNSS)............................................................................ 92
3.6.3 Environment Perception Sensors, V2X and Sensor Fusion................................. 92
3.6.4 Interpretation and Prediction, Drive Planning and Traffic Rules........................... 93
3.6.5 Motion Control.................................................................................................... 93
3.6.6 Monitor, ADS Mode Manager (Including the Vehicle State)................................. 93
3.6.7 Human-Machine Interaction................................................................................ 94
3.7 Field Operation (Monitoring, Configuration, Updates).................................................... 94
3.7.1 Testing Traceability............................................................................................. 94
3.7.2 Robust Configuration and Change Management Process................................... 95
3.7.3 Regression Prevention....................................................................................... 95
3.7.4 Security Monitoring and Updates........................................................................ 96
3.7.5 Continuous Monitoring and Corrective Enforcement........................................... 97
4 CONCLUSION AND OUTLOOK...................................................................................... 100
5 APPENDIX A: DEVELOPMENT EXAMPLES.................................................................. 104
5.1 L3 Traffic Jam Pilot (TJP)............................................................................................ 104
5.1.1 Nominal Function Definition.............................................................................. 104
5.1.2 Minimal Risk Conditions................................................................................... 104
5.1.3 Minimal Risk Maneuver.................................................................................... 104
5.2 L3 Highway Pilot (HWP).............................................................................................. 104
5.2.1 Nominal Function Definition.............................................................................. 104
5.2.2 Degraded Mode/Minimal Risk Conditions......................................................... 104
5.2.3 Minimal Risk Maneuvers................................................................................... 104
5.3 L4 Urban Pilot (UP)..................................................................................................... 104
5.3.1 Nominal Function Definition.............................................................................. 105
5.3.2 Degraded Mode/Minimal Risk Conditions......................................................... 105
5.3.3 Minimal Risk Maneuvers................................................................................... 105
5.4 L4 Car Park Pilot (CPP).............................................................................................. 105
5.4.1 Nominal Function Definition.............................................................................. 105
5.4.2 Degraded Mode/Minimal Risk Conditions ........................................................ 105
5.4.3 Minimal Risk Maneuver.................................................................................... 105
5.5 Selection of the Discussed Elements........................................................................... 107
5.5.1 Sensing Elements for FS_1 Localization........................................................... 107
5.5.2 Sensing Elements for FS_2 Perceive Relevant Objects.................................... 108
5.5.3 Interpretation and Prediction in FS_3 Predict Future Movements...................... 109
5.5.4 Acting Elements in FS_5 Execute Driving Plan and FD_6 Perform
Degraded Mode.................................................................................................110
5.5.5 ADS Mode Manager in FS_7 Detect Nominal Performance and FD_4 React
to Insufficient Performance................................................................................111
5.5.6 User State Determination in FD_1 Ensure Controllability for Operator...............112
5.5.7 HMI in FD_1 Ensure Controllability for Operator and FD_6 Perform
Degraded Mode.................................................................................................113
5.5.8 Monitors in FS_7 and FD_2...............................................................................113
6 APPENDIX B: USING DEEP NEURAL NETWORKS TO IMPLEMENT SAFETY-RELATED
ELEMENTS FOR AUTOMATED DRIVING SYSTEMS.....................................................116
6.1 Motivation and Introduction: Machine Learning in Automated Driving ..........................116
6.2 Define (What and Why)................................................................................................118
6.3 Specify (How).............................................................................................................. 120
6.3.1 Defining and Selecting the Data........................................................................ 120
6.3.2 Architecture Design for DNNs........................................................................... 123
6.4 Develop and Evaluate................................................................................................. 125
6.5 Deploy and Monitor..................................................................................................... 128
6.6 DNN Safety Artifacts................................................................................................... 130
7 GLOSSARY...................................................................................................................... 134
8 REFERENCES................................................................................................................. 142