FISITA Intelligent Safety ConferenceBeijing | 29.05.2019

Dr. Jan-Erik Mü ller

GENERAL ASPECTS OF SAFETY EVALUATION FOR THE DEPLOYMENT OF AUTOMATED DRIVING.

自动驾驶部署安全评价的一般要素.

Page 2CICV 2019 / FISITA - General Aspects of Safety for AD Deployment.

GENERAL ASPECTS OF SAFETY EVALUATION FOR AD DEPLOYMENT. 自动驾驶部署安全评价的一般要素。KEY TOPICS FOR THE SAFE DEVELOPMENT OF LEVEL 3/4 VEHICLES. 3/4级车辆安全开发的关键主题。

- Assistance vs. Automation → Paradigm shift辅助与自动化→模式转换

- Consideration of mixed traffic考虑混合交通

- Transfer of control initially restricted to specific traffic scenarios最初仅限于特定交通场景的控制权转移

- Driver remains fallback solution for L3 vehicles对于L3级车辆，驾驶员仍然是后备解决方案

- Consideration of the time budget for the transition process考虑过渡过程的时间预算

- Primary target: maintain high level of safety also while operating in automated mode主要目标：在自动模式下运行时，也要保持较高的安全水平。

→Automated driving specific approach for safety evaluation is needed prior to L3/4 vehicles deployment

在部署L3/4级车辆之前，需要使用自动驾驶特定方法进行安全评价

Page 3CICV 2019 / FISITA - General Aspects of Safety for AD Deployment.

GENERAL ASPECTS OF SAFETY EVALUATION FOR AD DEPLOYMENT.自动驾驶部署安全评价的一般要素。BMW’S GUIDELINES FOR AUTOMATED DRIVING SYSTEMS.宝马的自动驾驶系统指南。

Driver‘s Responsibilities 驾驶员的责任

Safe Function (Redundancy) 安全功能（冗余）

Operational Design Domain 操作设计域

Behavior in Traffic 交通中的行为

Security 安全

Safety Layer 安全层

Driver Initiated Transfer 驾驶员发起移交

Vehicle Initiated Take-over 车辆发起接管

Effects of Automation 自动化的影响

Safety Certificate 安全证书

Data Recording 数据记录

Passive Safety 被动安全

Page 4CICV 2019 / FISITA - General Aspects of Safety for AD Deployment.

The automated function must ensure that the currently active driving mode can be recognized explicitly and unmistakably at any time. If the driver must react, this must be clearly communicated.

自动功能必须确保可以在任何时间明确无误地识别当前有效的驾驶模式。如果驾驶员必须做出反应，必须清楚地传达。

Mode Awareness 模式意识

The portions of the driving task which remain under the driver’s responsibility must be clearly communicated to him/her.驾驶任务中由驾驶员负责的部分必须清楚地传达给他/她。

Responsibilities 责任

To promote safety, systems need to be integrated that support the driver to recognize driver conditions which are not acceptable.

为了提高安全性，需要集成系统以支持驾驶员识别不可接受的驾驶员状况。

Driver‘s state驾驶员的状态

BMW’S GUIDELINES FOR AUTOMATED DRIVING SYSTEMS. 宝马的自动驾驶系统指南。EXAMPLE: DRIVER RESPONSIBILITY. 示例：驾驶员责任。

Driver‘s Responsibilities 驾驶员的责任

Safe Function (Redundancy) 安全功能（冗余）

Operational Design Domain 操作设计域

Behavior in Traffic 交通中的行为

Security 安全

Safety Layer 安全层

Driver Initiated Transfer 驾驶员发起移交

Vehicle Initiated Take-over 车辆发起接管

Effects of Automation 自动化的影响

Safety Certificate 安全证书

Data Recording 数据记录

Passive Safety 被动安全

Page 5CICV 2019 / FISITA - General Aspects of Safety for AD Deployment.

MACHINE

机器

HUMAN人

LEVEL 2

Partial Automation

部分自动化

LEVEL 3

Conditional

Automation

有条件的自动化

PA

RA

DIG

M S

HIF

T

模式

转换

RE

SP

ON

SI

BI

LI

TY

责任

BMW’S GUIDELINES FOR AUTOMATED DRIVING SYSTEMS. 宝马的自动驾驶系统指南。PARADIGM SHIFT IN DRIVER’S RESPONSIBILITY. 驾驶员责任的模式转换。

LEVEL 3

Vehicle is responsible in specific scenarios with

expectation that fallback-ready user is receptive to

ADS-issued requests to intervene.车辆在特定情况下负责，期望接管用户能够接受ADS发出的干预请求。

LEVEL 2

Driver is always responsible for control of the vehicle.

驾驶员始终负责控制车辆。

Page 6CICV 2019 / FISITA - General Aspects of Safety for AD Deployment.

CONTROLLABILITY可控性

DRIVER STATE MONITORING驾驶员状态监控

TAKE OVER TIMES接管时间

MODE AWARENESS模式意识

UTILISATION OF DRIVE TIME

驾驶时间的利用

HUMAN-MACHINE INTERACTION

人机交互

TRUST IN AUTOMATION对自动化的信任

FUNCTIONAL LAYOUT功能布局

BMW’S GUIDELINES FOR AUTOMATED DRIVING SYSTEMS. 宝马的自动驾驶系统指南。PARADIGM SHIFT LEADS TO NEW CUSTOMER CENTRIC QUESTIONS.模式转变导致了新的以客户为中心的问题。

Page 7CICV 2019 / FISITA - General Aspects of Safety for AD Deployment.

Verification and validation shall be used to ensure that the safety goals are met, in order to reach a consistent improvement of the overall safety balance, while minimizing new risks induced by the automation system.

应使用验证和确认来确保满足安全目标，以实现整体安全平衡的持续改进，同时尽量减少自动化系统带来的新风险。

Safety Certificate安全证书Driver‘s Responsibilities 驾驶员的责任

Safe Function (Redundancy) 安全功能（冗余）

Operational Design Domain 操作设计域

Behavior in Traffic 交通中的行为

Security 安全

Safety Layer 安全层

Driver Initiated Transfer 驾驶员发起移交

Vehicle Initiated Take-over 车辆发起接管

Effects of Automation 自动化的影响

Safety Certificate 安全证书

Data Recording 数据记录

Passive Safety 被动安全

BMW’S GUIDELINES FOR AUTOMATED DRIVING SYSTEMS. 宝马的自动驾驶系统指南。EXAMPLE: SAFETY CERTIFICATE. 示例：安全证书。

Page 8CICV 2019 / FISITA - General Aspects of Safety for AD Deployment.

Tools

Field Test

现场试验Test Track / Simulator

测试跟踪/模拟器

Simulation

模拟

Accidents without System 系统不工作时发生的事故

Accidents with System系统工作时发生的事故Reduced Risks

降低风险

Added Risks

附加风险

Multi-dimensional Situation Space

多维态势空间Traffic Situations

交通状况

Tools

工具

Safety Evaluation

安全评价

BMW’S GUIDELINES FOR AUTOMATED DRIVING SYSTEMS. 宝马的自动驾驶系统指南。METHODS FOR SAFETY EVALUATION: MULTI-PILLAR APPROACH. 安全评价方法：多支柱法。

Page 9CICV 2019 / FISITA - General Aspects of Safety for AD Deployment.

LOCATIONS地点

EXECUTION执行

Market

市场Numbers

编号Location

地点

USA

China

▪ N = 20 participants per market

N =每个市场20个参与者▪ 5 test vehicles per Market

每个市场5台试验车辆

Beijing 北京

West Coast / East Coast

西/东海岸

Munich 慕尼黑

China 中国

USA 美国

Germany 德国

Brazil 巴西 Countrywide 全国▪ 1 test vehicle

▪ 1台试验车辆

METHOD DEVELOPMENT

方法开发SETUP

设置PHASE 1

第1阶段PHASE 2

第2阶段PHASE 3

第3阶段ANALYSIS

分析PHASE 4

第4阶段

3 MONTHS

3个月3 MONTHS

3个月3 MONTHS

3个月3 MONTHS

3个月

13 MONTHS

13个月

1 MONTH

1个月

5 MONTHS

5个月

SAFETY FOR HIGHLY AUTOMATED DRIVING. 高度自动驾驶的安全性。VALIDATION: FIELD OPERATIONAL TEST (FOT). 验证：现场操作测试（FOT）。

Page 10CICV 2019 / FISITA - General Aspects of Safety for AD Deployment.

Categories

分类

Requirements

要求

Technical Solution/Implementation

技术解决方案/实施

GB/T AD Level, GB/T ADAS Terms and Definitions, GRVA IWG ACSF, SAE Level

GB/T自动驾驶等级, GB / T先进驾驶辅助系统术语和定义，GRVA IWG ACSF, SAE 等级

Government, Committees政府，委员会

Governmentand Industry政府和行业

Industry行业

SAC/TC114, ECE R79 NHTSA AV Policy Guidelines, BMW Safety Guidelines

SAC / TC114，ECE R79，NHTSA自动驾驶车辆政策指南，宝马安全指南

Component Specifications by Manufacturer/Supplier

制造商/供应商的零部件规范

GENERAL ASPECTS OF SAFETY EVALUATION FOR AD DEPLOYMENT.自动驾驶部署安全评价的一般要素。LEVELS OF AD POLICY DEVELOPMENT.自动驾驶政策发展水平。

Page 11CICV 2019 / FISITA - General Aspects of Safety for AD Deployment.

▪ New AD functions lead to a paradigm shift

新的自动驾驶功能导致模式转变

▪ This necessitates new requirements for development and new validation processes

这就需要对开发和新的验证流程提出新的要求

▪ BMW‘s AD development process is based on 12 Safety Guidelines

宝马的自动驾驶开发流程以12项安全指南为基础

▪ The accompanying validation process uses a Multi-Pillar Approach

随附的验证过程采用多支柱方法

▪ One of the pillars is the field testing in our core markets, especially China

其中一个支柱是我们核心市场的现场测试，特别是中国的现场测试。

▪ BMW appreciates the world-wide harmonization of the AD categories and requirements between governments and industry

宝马赞赏政府与行业之间的自动驾驶类别和要求在世界范围内的协调

▪ Self-assessment approaches allow for a fast and safety-oriented deployment of AD vehicles

自我评估方法允许快速、以安全为导向的自动驾驶车辆部署

GENERAL ASPECTS OF SAFETY EVALUATION FOR AD DEPLOYMENT.自动驾驶部署安全评价的一般要素。CONCLUSION.结论。

THANK YOU !

谢谢 !

SAFE AUTOMATED DRIVING !

开启安全自动驾驶新旅程 !

BACKUP

Page 14CICV 2019 / FISITA - General Aspects of Safety for AD Deployment.

SAFETY FOR HIGHLY AUTOMATED DRIVING.BMW 5 SERIES – ADVANCED DRIVER ASSISTANCE SYSTEMS.

STEER- UND LANE-KEEPING ASSIST INCL. LANE CHANGE ASSIST.

REMOTE PARKING.

SURROUND VIEW

AKTIVE CRUISE CONTROL(ACC)

SPEED LIMIT ASSIST

AUTOMATIC EMERGENCY STEERING

WRONG-WAY ASSIST

INTERSECTION WARNING

REMOTE 3D VIEW.

LANE KEEP ASSIST WITH ACTIVE SIDE COLLISION PROTECTION

FRONT-COLLISION WARNING WITH (CITY-) BRAKE-FUNCTION

PEDESTRIAN WARNING WITH CITY-BRAKE-FUNCTION

Page 15CICV 2019 / FISITA - General Aspects of Safety for AD Deployment.

SAFETY FOR HIGHLY AUTOMATED DRIVING.ADEQUATE TRUST IN AUTOMATION FOR LEVEL 2 AND 3.

MANUAL DRIVE LEVEL 3LEVEL 2 LEVEL 3 MANUAL DRIVELEVEL 2

FactualResponsibility-

Distribution

PerceivedResponsibility-

Distribution

HU

MA

NM

AC

HIN

E

LEVEL 2

Study design of several BMW internalsimulator studies:• Level 3 up to 130 km/h.• Perfect level 2 w/o driver

observation.• Transition from

• Level 3 to level 2 only driver intended (i.e. drive over maneuver with gas throttle).

• Level 3 to Level 0:Driver intended ortake over request

Gain driver’s understanding to clearly distinguish between level 2 and level 3:• Clear differentiation within functional implementation.• Transparent communication of system boundaries.