FISITA Intelligent Safety Conference, Beijing | 29.05.2019
Dr. Jan-Erik Müller
GENERAL ASPECTS OF SAFETY EVALUATION FOR THE DEPLOYMENT OF AUTOMATED DRIVING.

Page 2 | CICV 2019 / FISITA - General Aspects of Safety for AD Deployment.
GENERAL ASPECTS OF SAFETY EVALUATION FOR AD DEPLOYMENT.
KEY TOPICS FOR THE SAFE DEVELOPMENT OF LEVEL 3/4 VEHICLES.
- Assistance vs. Automation → Paradigm shift
- Consideration of mixed traffic
- Transfer of control initially restricted to specific traffic scenarios
- Driver remains fallback solution for L3 vehicles
- Consideration of the time budget for the transition process
- Primary target: maintain high level of safety also while operating in automated mode
→ Automated driving specific approach for safety evaluation is needed prior to L3/4 vehicles deployment

GENERAL ASPECTS OF SAFETY EVALUATION FOR AD DEPLOYMENT.
BMW’S GUIDELINES FOR AUTOMATED DRIVING SYSTEMS.
- Driver’s Responsibilities
- Safe Function (Redundancy)
- Operational Design Domain
- Behavior in Traffic
- Security
- Safety Layer
- Driver Initiated Transfer
- Vehicle Initiated Take-over
- Effects of Automation
- Safety Certificate
- Data Recording
- Passive Safety

BMW’S GUIDELINES FOR AUTOMATED DRIVING SYSTEMS.
EXAMPLE: DRIVER RESPONSIBILITY.
- Mode Awareness: The automated function must ensure that the currently active driving mode can be recognized explicitly and unmistakably at any time. If the driver must react, this must be clearly communicated.
- Responsibilities: The portions of the driving task which remain under the driver’s responsibility must be clearly communicated to him/her.
- Driver’s State: To promote safety, systems need to be integrated that support the driver in recognizing driver conditions that are not acceptable.

BMW’S GUIDELINES FOR AUTOMATED DRIVING SYSTEMS.
PARADIGM SHIFT IN DRIVER’S RESPONSIBILITY.
[Figure labels: HUMAN; MACHINE; LEVEL 2 (Partial Automation); LEVEL 3 (Conditional Automation); PARADIGM SHIFT; RESPONSIBILITY]
- LEVEL 2: Driver is always responsible for control of the vehicle.
- LEVEL 3: Vehicle is responsible in specific scenarios with expectation that fallback-ready user is receptive to ADS-issued requests to intervene.

BMW’S GUIDELINES FOR AUTOMATED DRIVING SYSTEMS.
PARADIGM SHIFT LEADS TO NEW CUSTOMER CENTRIC QUESTIONS.
- CONTROLLABILITY
- DRIVER STATE MONITORING
- TAKE OVER TIMES
- MODE AWARENESS
- UTILISATION OF DRIVE TIME
- HUMAN-MACHINE INTERACTION
- TRUST IN AUTOMATION
- FUNCTIONAL LAYOUT

BMW’S GUIDELINES FOR AUTOMATED DRIVING SYSTEMS.
EXAMPLE: SAFETY CERTIFICATE.
- Safety Certificate: Verification and validation shall be used to ensure that the safety goals are met, in order to reach a consistent improvement of the overall safety balance, while minimizing new risks induced by the automation system.

BMW’S GUIDELINES FOR AUTOMATED DRIVING SYSTEMS.
METHODS FOR SAFETY EVALUATION: MULTI-PILLAR APPROACH.
[Figure labels: Tools (Field Test, Test Track / Simulator, Simulation); Accidents without System; Accidents with System; Reduced Risks; Added Risks; Multi-dimensional Situation Space; Traffic Situations; Safety Evaluation]

SAFETY FOR HIGHLY AUTOMATED DRIVING.
VALIDATION: FIELD OPERATIONAL TEST (FOT).
LOCATIONS (Market / Numbers / Location)
USA, China:
▪ N = 20 participants per market
▪ 5 test vehicles per market
China: Beijing
USA: West Coast / East Coast
Germany: Munich
Brazil: Countrywide
▪ 1 test vehicle
EXECUTION
[Timeline figure. Stages: METHOD DEVELOPMENT, SETUP, PHASE 1, PHASE 2, PHASE 3, ANALYSIS, PHASE 4. Durations shown: 3 MONTHS (four times), 13 MONTHS, 1 MONTH, 5 MONTHS]

GENERAL ASPECTS OF SAFETY EVALUATION FOR AD DEPLOYMENT.
LEVELS OF AD POLICY DEVELOPMENT.
- Categories (Government, Committees): GB/T AD Level, GB/T ADAS Terms and Definitions, GRVA IWG ACSF, SAE Level
- Requirements (Government and Industry): SAC/TC114, ECE R79, NHTSA AV Policy Guidelines, BMW Safety Guidelines
- Technical Solution/Implementation (Industry): Component Specifications by Manufacturer/Supplier

GENERAL ASPECTS OF SAFETY EVALUATION FOR AD DEPLOYMENT.
CONCLUSION.
▪ New AD functions lead to a paradigm shift
▪ This necessitates new requirements for development and new validation processes
▪ BMW’s AD development process is based on 12 Safety Guidelines
▪ The accompanying validation process uses a Multi-Pillar Approach
▪ One of the pillars is the field testing in our core markets, especially China
▪ BMW appreciates the world-wide harmonization of the AD categories and requirements between governments and industry
▪ Self-assessment approaches allow for a fast and safety-oriented deployment of AD vehicles

THANK YOU!
SAFE AUTOMATED DRIVING!

BACKUP
SAFETY FOR HIGHLY AUTOMATED DRIVING.
BMW 5 SERIES – ADVANCED DRIVER ASSISTANCE SYSTEMS.
- STEER- AND LANE-KEEPING ASSIST INCL. LANE CHANGE ASSIST
- REMOTE PARKING
- SURROUND VIEW
- ACTIVE CRUISE CONTROL (ACC)
- SPEED LIMIT ASSIST
- AUTOMATIC EMERGENCY STEERING
- WRONG-WAY ASSIST
- INTERSECTION WARNING
- REMOTE 3D VIEW
- LANE KEEP ASSIST WITH ACTIVE SIDE COLLISION PROTECTION
- FRONT-COLLISION WARNING WITH (CITY-) BRAKE-FUNCTION
- PEDESTRIAN WARNING WITH CITY-BRAKE-FUNCTION

SAFETY FOR HIGHLY AUTOMATED DRIVING.
ADEQUATE TRUST IN AUTOMATION FOR LEVEL 2 AND 3.
[Figure labels: Factual Responsibility-Distribution; Perceived Responsibility-Distribution; HUMAN; MACHINE; MANUAL DRIVE; LEVEL 2; LEVEL 3]
Study design of several BMW internal simulator studies:
• Level 3 up to 130 km/h.
• Perfect level 2 w/o driver observation.
• Transition from
  • Level 3 to level 2 only driver intended (i.e. drive over maneuver with gas throttle).
  • Level 3 to Level 0: Driver intended or take over request
Gain driver’s understanding to clearly distinguish between level 2 and level 3:
• Clear differentiation within functional implementation.
• Transparent communication of system boundaries.