Topic introduction
This talk first reviews the current state of SOTIF engineering research and Ansys's point of view. Drawing on the lessons of case studies, it presents the components of safety engineering and its new challenges, and gives a brief overview of the current state of the most important standards, comparing the main standard ISO 21448 with related standards such as UL 4600 and the "Safety First for Automated Driving" technical report. In addition, the talk presents the current state of ISO 21448 application and the experience gained with it, and summarises the difficult research topics in the SOTIF field.
If you have any questions, please click the link below to enter the Q&A room and interact with our technical experts
https://v.ansys.com.cn/live/a3059007
Speaker introduction
Bernhard Kaiser, Chief Safety Consultant, Ansys
He has extensive work experience as an embedded systems and software developer and project lead, and as a researcher in the safety field. Bernhard headed the safety and systems engineering competence centre at a large engineering services company for about 10 years. In that role he worked with many major OEMs and suppliers on functional safety, ADAS and automated driving in the automotive domain. Bernhard is currently responsible for automated driving safety solutions at Ansys, including SOTIF analysis and simulation.
-
00:00:00.00 - 00:00:05.07
Ladies and gentlemen, hello. I am Bernhard Kaiser.
-
00:00:05.16 - 00:00:13.40
I will be discussing SOTIF with you: its current state, its challenges and its future directions.
-
00:00:13.40 - 00:00:20.33
First, let me introduce what SOTIF is and why we need it.
-
00:00:23.24 - 00:00:41.34
Traditional functional safety, abbreviated FuSa, treats failures of E/E systems as the causes of hazards: bugs in software, drift in transistors, damaged wiring, and interrupted messages on the screen.
-
00:00:41.34 - 00:01:03.08
But for ADAS and automated driving, all these aspects are already enough. From experience we know that the causes of accidents may be mismatches in the specification, or assumptions the system is based on that do not hold, and the real environment in which all kinds of driving scenarios may be encountered.
-
00:01:05.60 - 00:01:26.55
The nominal performance of sensors and perception algorithms is limited, for example in field of view, sequential perception, range, or the ability to detect objects even in a dark environment, and it is further impaired by environmental conditions such as fog or rain.
-
00:01:29.19 - 00:01:44.13
Today's perception algorithms are usually based on machine learning, but machine learning can exhibit behaviour that cannot be explained, so in terms of safety standards it is hard to make safe.
-
00:01:44.13 - 00:02:14.66
Last but not least, there are misunderstandings and mode confusion between human and machine. Human operation is always required, and even for automated vehicles this can lead to hazards; they may even be misused, and misused deliberately, for example the well-known case from the internet where people put a cola can on the steering wheel to fool the ADAS system's detection of the human driver's hands on the wheel.
-
00:02:19.57 - 00:02:35.11
Let me explain how a mismatch between specification and reality can create a hazard even when there is no fault. In this case there is not even a limitation of sensor performance, and that is also where the cause of the problem lies.
-
00:02:35.19 - 00:02:48.87
This is a case that really happened. What you see here is a motorway exit scenario in Germany. Here we have these big metal signs; the sign with the arrow pointing to the right reads the German word Ausfahrt, which means exit.
-
00:02:48.87 - 00:03:06.38
Of course, you are on the deceleration ramp, so you approach this sign very quickly, and the radar can recognise the sign, so there is no perception problem at all. A human driver would brake in this situation, but not so hard as to stop in front of the sign.
-
00:03:06.38 - 00:03:20.98
I mean, obviously the driver has no intention of stopping at all; he knows the road bends to the right, and he only wants to follow the curve, so he slows down to a suitable speed, for example 50 kilometres per hour.
-
00:03:20.98 - 00:03:39.76
What the system is thinking at this moment is: there is an obstacle on the road, the driver is braking, but the driver's braking is not strong enough, so I should help the driver. So the ABS system kicks in and produces a full emergency braking, bringing the vehicle to a stop before it reaches the sign.
-
00:03:39.76 - 00:03:53.27
Of course, with this behaviour, well-intentioned as it is, the system only creates a hazard, because if you suddenly stop on the exit ramp, that means another vehicle behind you will crash straight into your car.
-
00:03:57.15 - 00:04:07.06
The shortcomings and limitations of sensor performance are many. They have nominal performance limits, for example limits on field of view, contrast resolution and light sensitivity.
-
00:04:07.06 - 00:04:31.25
Sensor performance is further affected by weather conditions such as fog and heavy rain. Sensors are easily disturbed so that they cannot recognise things, or easily deceived: for example, glaring sunlight may saturate a camera sensor, or a cola can on the road may produce a reflection that to the radar looks like a tall wall and may cause the car to stop.
-
00:04:31.25 - 00:04:42.59
Then the algorithms also have their limitations, not only the sensors. There is a certain false negative rate, and a false positive rate may also occur; the perception algorithm is based on your network.
-
00:04:42.59 - 00:04:52.33
A false negative means failing to detect an object that is actually there; a false positive means reporting an object that does not exist. We call such an object a ghost object.
-
00:04:55.48 - 00:05:10.24
Machine learning is part of many perception algorithms, especially in combination with cameras. Here we see two almost identical photos, provided by Carnegie Mellon University.
-
00:05:10.24 - 00:05:17.73
You can hardly spot any difference, but if you look carefully, a little haze has been added to the right-hand picture.
-
00:05:17.73 - 00:05:42.63
Now look at the performance figures. On the left-hand picture, the detection strength for the pedestrian, and you can see a pedestrian here in a particularly odd pose, is close to 1, while on the right-hand picture it is close to 0, so the network has lost all of its detection capability.
-
00:05:42.63 - 00:05:53.69
As a human viewer you cannot even see any difference. On the other hand, the false positive rate in the left-hand picture has increased a lot.
-
00:05:53.69 - 00:06:03.78
So how do we test something if a tiny, barely visible change to a test case can give a completely different result?
-
00:06:07.09 - 00:06:33.98
To address all these problems of ADAS and automated driving systems, a completely new sub-discipline of safety was developed. Safety of the intended functionality, abbreviated SOTIF, is the part of safety that deals with inappropriate behaviour of electrical and electronic systems that is not caused by technical faults.
-
00:06:36.49 - 00:06:53.01
The SOTIF discipline covers hazards caused by particularly rare scenarios that were not considered in the specification and design, so that the vehicle cannot handle them;
-
00:06:53.01 - 00:07:08.49
limitations and shortcomings of the nominal performance of sensors and perception algorithms; disturbance and impairment of perception by environmental conditions, for example weather;
-
00:07:08.49 - 00:07:20.88
leaving the ODD, that is the operational design domain the system is primarily designed for, while driving with the automated feature;
-
00:07:20.88 - 00:07:28.51
and finally human misunderstanding, mode confusion and even deliberate misuse.
-
00:07:31.93 - 00:07:42.51
SOTIF and FuSa, that is functional safety, as we learned earlier, are complementary and are related sub-disciplines of technical safety.
-
00:07:47.14 - 00:07:51.25
Let us take a brief look at the standards applicable to SOTIF.
-
00:07:53.73 - 00:08:11.77
First is the brand-new ISO 21448 standard. This is the main SOTIF standard worldwide; it is intended to complement ISO 26262, and much of the terminology and wording is shared.
-
00:08:15.89 - 00:08:37.86
Their publication plan: ISO PAS 21448, where PAS stands for publicly available specification, a kind of pre-standard, appeared last year and was intended for ADAS systems only, at level 1 and level 2.
-
00:08:37.86 - 00:08:44.92
A lot has changed since then, so today I would no longer recommend that you use this standard.
-
00:08:44.99 - 00:09:04.37
Since last winter we have had a committee draft, or CD, to shorten the cycle for publishing the ISO 21448 standard. This is a version that is about to be published; some details may still change, so it is currently under discussion.
-
00:09:04.37 - 00:09:23.22
It was expected to be published at the end of 2020; because of the COVID-19 pandemic I would rather say the final ISO 21448 standard will be published in 2021. Unlike the past version, it will address all levels of automated driving, not only ADAS.
-
00:09:27.53 - 00:09:40.26
Let us look at the ISO 21448 workflow. You can see it is a cyclic workflow, starting from an initial specification and design.
-
00:09:40.26 - 00:09:54.33
Here is the first loop, the analysis loop, which contains the hazard analysis and the identification of potential functional insufficiencies and triggering conditions.
-
00:09:54.33 - 00:10:13.07
The next loop, the second one, is the verification loop, which follows the usual validation and verification planning. This is where all known hazardous scenarios and all requirements are evaluated, and we verify whether the system complies with everything we specified, so as to ensure safety.
-
00:10:13.07 - 00:10:30.60
But there is still the risk of unknown situations occurring, situations that may arise in real road tests and have not yet been considered. So this is the third loop, the validation loop, which involves a lot of road testing, but certainly in the future more and more simulated scenarios will appear.
-
00:10:32.79 - 00:10:56.21
You can only proceed to the next loop if you pass the previous one. There are some decision points here: if you do not pass a loop, you have to go back and make some functional modifications to reduce the SOTIF risk, and then move on to the next loop.
-
00:10:56.21 - 00:11:10.38
In fact there is also a fourth loop, here on the right, after the development loops: during operation you still have to perform field operation and check for additional risks.
-
00:11:14.84 - 00:11:28.12
The first applicable standard we should compare is obviously ISO 26262 against the new ISO 21448. Of course, many people may ask: do I need to do it twice?
-
00:11:30.22 - 00:11:58.21
At first glance the two standards look very different. First, ISO 26262 is much more detailed and much larger: 12 parts, 12 volumes, with very specific guidance on everything: hardware development, software development, system testing, supporting processes such as configuration management. You will not find all of that in the much shorter ISO 21448.
-
00:11:58.50 - 00:12:11.52
In addition we see here the classic V-model, which is common in most safety standards that exist today, and of course it is different from the loop model we have here.
-
00:12:11.52 - 00:12:25.23
But on the other hand, you can see that in the V-model there are always loops: if you find a problem during testing, you have to go back to the left side. So the loops exist, they are just not drawn.
-
00:12:25.23 - 00:12:36.17
In any case, remember that these are only models; a real process has elements of both the loop model and the V-model approach, and in any event these approaches are tailored to the product or to the company.
-
00:12:39.37 - 00:13:02.84
Another interesting resource is the technical report Safety First for Automated Driving. If we compare, we find that there is likewise a loop approach with different cycles: the inner one is the analysis loop, then the verification loop, the validation loop, and the field operation, field observation loop, which is somewhat more important.
-
00:13:02.84 - 00:13:24.67
Here we have to design, and this is also an important aspect of that standard: it states that there must be a balance between designing in safety and verifying safety, because you cannot just test quality into the system. Its functionality is somewhat stronger than the hidden design and improvement cycle here.
-
00:13:24.67 - 00:13:40.90
But the two standards match very well; as you can see, there is a direct correspondence. And the focus on design is perhaps the most important hint, but there are other good hints about that standard that you can consider.
00:13:40.90 - 00:13:44.04 18
最后但同样重要的是 这里有一个新标准
-
00:13:44.04 - 00:13:47.77 12
同样将于今年 2020年
-
00:13:47.77 - 00:13:48.76 11
由美国认证组织UL发布
-
00:13:48.84 - 00:13:52.41 12
或许您对这个组织有所耳闻
-
00:13:52.41 - 00:13:55.69 14
该公司主要处理自动驾驶系统的
-
00:13:55.69 - 00:13:56.72 6
整体安全情况
-
00:13:56.72 - 00:13:57.60 8
不仅仅是道路车辆
-
00:13:57.60 - 00:14:00.53 6
还有空中车辆
-
00:14:00.53 - 00:14:01.47 2
例如
-
00:14:01.47 - 00:14:04.03 10
它以安全性案例为中心
-
00:14:04.10 - 00:14:05.56 5
安全性案例
-
00:14:05.56 - 00:14:08.00 17
基本由 ISO 26262标准定义
-
00:14:08.00 - 00:14:11.16 9
这是一个结构化参数
-
00:14:11.16 - 00:14:12.90 10
包括声明 参数和证据
-
00:14:12.90 - 00:14:15.29 13
但关于好的参数还有更多压力
-
00:14:15.36 - 00:14:18.62 4
不仅仅是
-
00:14:18.62 - 00:14:19.34 2
列出
-
00:14:19.42 - 00:14:20.72 6
测试报告中的
-
00:14:20.72 - 00:14:21.37 4
所有文档
-
00:14:23.42 - 00:14:26.53 7
或许它对于研发
-
00:14:26.53 - 00:14:27.57 9
安全的自动驾驶系统
-
00:14:27.64 - 00:14:28.67 4
尚且不够
-
00:14:28.67 - 00:14:32.39 11
但它是最佳实践和检查表
-
00:14:32.39 - 00:14:33.13 8
的一个不错的来源
-
00:14:33.22 - 00:14:36.93 6
您也可以考虑
-
00:14:36.93 - 00:14:37.68 8
用于您的公司流程
-
00:14:37.68 - 00:14:40.71 12
因此我们需要遵循大量标准
-
00:14:40.78 - 00:14:43.95 8
这里还有一些其他
-
00:14:43.95 - 00:14:44.52 9
我还没有谈到的标准
-
00:14:44.59 - 00:14:47.76 8
例如起始位置标准
-
00:14:47.76 - 00:14:49.24 12
某些自动化功能的性能标准
-
00:14:49.24 - 00:14:52.46 10
例如AEB ACC
-
00:14:52.46 - 00:14:53.17 2
等等
-
00:14:53.17 - 00:14:56.38 5
因此您不能
-
00:14:56.38 - 00:14:56.59 9
以一名研发者的身份
-
00:14:56.66 - 00:14:57.38 8
解决所有这些标准
-
00:14:57.38 - 00:15:00.73 10
您必须找到自己的方式
-
00:15:00.73 - 00:15:01.62 8
考虑所有这些标准
-
00:15:01.70 - 00:15:05.05 10
这对于您而言势在必行
-
00:15:05.05 - 00:15:05.72 6
而且要根据您
-
00:15:05.80 - 00:15:09.15 8
在供应链中的位置
-
00:15:09.15 - 00:15:10.57 10
定义您公司的特定流程
-
00:15:10.57 - 00:15:14.02 11
很大程度上 它看起来像
-
00:15:14.02 - 00:15:14.09 5
V模型循环
-
00:15:14.17 - 00:15:17.62 3
的混合
-
00:15:17.62 - 00:15:18.47 13
当然这里的循环位于右半部分
-
00:15:18.54 - 00:15:19.85 7
与左半部分之间
-
00:15:19.85 - 00:15:23.55 6
但极有可能还
-
00:15:23.55 - 00:15:25.60 8
是分析与设计方法
-
00:15:25.68 - 00:15:28.73 14
以及左边的早期验证之间的循环
-
00:15:28.73 - 00:15:31.06 11
这就是您必须要做的事情
-
00:15:31.06 - 00:15:33.56 16
可能需要一些咨询公司来应用这一点
-
00:15:36.58 - 00:15:38.81 5
到目前为止
-
00:15:38.81 - 00:15:39.50 15
通过在实践中部署这种全新的标准
-
00:15:39.55 - 00:15:41.49 9
我们获得了哪些经验
-
00:15:44.79 - 00:15:46.70 4
当您首次
-
00:15:46.70 - 00:15:48.76 4
在实践中
-
00:15:48.84 - 00:15:49.76 14
部署ISO 21448标准时
-
00:15:49.76 - 00:15:53.14 6
首先要做的是
-
00:15:53.14 - 00:15:53.60 7
更加详尽地阐述
-
00:15:53.67 - 00:15:55.86 4
分析方法
-
00:15:58.13 - 00:16:21.07
If you remember the original figure, there was only one analysis box apart from what I called hazard identification, where I mention ISO 26262 in passing, because in fact I do not see any difference here; I will describe this in more detail later.
-
00:16:21.07 - 00:16:35.22
But for now let us look at this chain of blocks. At the start there was only one block: find the shortcomings of your system and the triggering conditions. But how exactly do you proceed?
-
00:16:35.22 - 00:16:50.93
I think it is very useful to start with a hazard cause analysis. Usually I do this with fault tree analysis, but you can also use fault networks or STPA. That means starting from the hazard, I go back and look at what the causes are.
-
00:16:50.93 - 00:17:16.74
We will show a related case later. This helps to get closer to the technical level of abstraction, where sensors and algorithms come into play. So I learn that a forced braking of the AEB system may be caused by a ghost object, and then it is much easier to say: right, I have to look for the causes that can create a ghost object, for example on a radar sensor.
-
00:17:16.74 - 00:17:39.50
The next thing, which I put before the identification of triggering conditions, is the limitations and shortcomings analysis. This looks very similar to FMEA or a hazard guideword analysis: I analyse the different sensors and their physical working principles and ask what makes these sensors misbehave.
-
00:17:39.50 - 00:18:04.95
If I know how a radar works, I think of metal reflections that can prevent the radar from recognising things and show objects that do not actually exist. If I understand how a camera works, then I can say that darkness may be a problem, reflections may be a problem, and glaring sunlight may also be a problem. This helps me a lot to understand the shortcomings, and I can make better guesses at the triggering conditions.
-
00:18:04.95 - 00:18:28.47
Finally, triggering conditions will be the core term in the ISO 21448 standard and also the link to testing and simulation, because triggering conditions are environmental factors that can activate a shortcoming or limitation of perception and thereby create something.
-
00:18:28.47 - 00:18:39.10
So if you are driving in bright sunlight, the camera's low light sensitivity is not a problem, but if you are driving at night, it becomes a problem.
-
00:18:39.10 - 00:18:49.47
For the rest of the loops I do not make big changes, because I would rather focus on the analysis techniques than on the verification and validation techniques.
-
00:18:53.85 - 00:19:05.69
The next question we have to address is how to handle the ODD, the operational design domain, which is the system's target operating space.
-
00:19:05.69 - 00:19:18.66
Of course, this is also an important basis for all kinds of hazard analysis, and for verification as well; we have to find all the relevant aspects and partition them.
-
00:19:18.75 - 00:19:32.96
However, an obvious solution is to use the scenario catalogue available in Medini, which has always been used for hazard analysis and risk assessment, and to use it for the ODD specification.
-
00:19:32.96 - 00:20:01.84
So in this table we have different locations, for example country roads, motorways, or specific places such as mountain passes; we have road conditions: wet paved road, snowy or icy road; we have different environments, for example different visibility or weather conditions; traffic and people, tool usage, only the manoeuvre: braking, normal driving, speed range; and the scenario attributes can optionally be extended.
-
00:20:01.84 - 00:20:19.10
We can specify an exposure parameter according to ISO 26262, because we will also use it in later work. One problem with this approach is combinatorial explosion, so we also adopted another solution.
-
00:20:21.27 - 00:20:48.22
That is using a Medini checklist for the ODD definition. We prepared a checklist template with different categories that seemed important to us, for example the target vehicle type, the road types the automated driving function applies to, the vehicle speed range, the permitted number of lanes, whether there must be a hard shoulder for emergency stops, and so on.
-
00:20:48.30 - 00:20:58.34
Here we can fill in parameters, for example a speed range of 0 to 80 kilometres per hour, or at least two lanes; yes, there must be a hard shoulder.
-
00:21:03.34 - 00:21:25.54
We also noticed some differences in the HARA process. Basically, our first approach was to use the same kind of HARA for FuSa and SOTIF, and in fact this works very well for ADAS systems at automation levels 1 and 2.
-
00:21:25.54 - 00:21:45.69
So our traditional approach starts with a function definition and the ODD and a first control structure diagram, where we list the item's functions; all of this is done in the traditional approach, and the item definition was done according to ISO 26262.
-
00:21:45.69 - 00:22:01.58
So in any case you start from the functions in order to find the malfunctions; you can use a guideword list, for example too much, too little, wrong way, unintended, and so on.
-
00:22:01.58 - 00:22:13.70
The malfunctions at vehicle level are then examined: if they can lead to an accident, if they can cause harm, then they are hazardous events.
-
00:22:13.70 - 00:22:27.73
Of course, to address this we have to consider the operating situations, that is the path here, and there are other questions we need to answer, for example which possible injuries determine the severity factor.
-
00:22:27.73 - 00:22:45.67
What potential human intervention can avoid the accident even if the malfunction occurs, which concerns controllability; for ISO 26262 I can calculate the ASIL, which is not needed for SOTIF.
-
00:22:45.67 - 00:23:10.77
And from the hazardous event I can invert it and arrive at the safety goal, which is the top-level safety constraint or safety requirement. By the way, this clause belongs to ISO 26262, not ISO 21448, but we need them anyway, so we elaborate them. That is our traditional hazard analysis process.
-
00:23:10.77 - 00:23:34.35
But what happens when we try to apply it to higher automation levels, for example level 3 to level 5, a higher degree of assistance? We found that defining individual functions becomes much harder; remember this part, the function definition and finding the malfunctions, because you can no longer separate individual functions.
-
00:23:34.35 - 00:23:56.51
For example, if you have a motorway driver with a slower car ahead, you can choose to slow down, or if the adjacent lane is free, change lanes and overtake the car in front. So you cannot say what the function is. What is the function? Evading is a function, braking is a function, and what about steering, what about steering?
-
00:23:56.51 - 00:24:23.66
So we have to consider the relevant scenarios, inspired of course by our standard scenario catalogue and the ODD definition, and for each relevant scenario we have to describe what the expected or acceptable vehicle behaviour or reaction is; there may even be a range of acceptable behaviours, braking or evading.
-
00:24:23.66 - 00:24:39.64
Then we have the starting point for finding the inappropriate behavioural reactions the vehicle might make. If you want, you can use that method for guidance here, as with the functions; the rest of the case is the same.
-
00:24:39.64 - 00:24:50.58
So we found that there are different HARA approaches, but they are not divided by the question of FuSa versus SOTIF; they are divided by the question of which level of automation.
-
00:24:55.34 - 00:25:20.07
Apart from that, we found that transferring existing analysis techniques such as fault tree analysis to the new field of SOTIF is very simple. Of course, we are then not dealing with faults but with shortcomings of inappropriate behaviour, but otherwise it is exactly the same.
-
00:25:20.07 - 00:25:44.04
So we can start from a hazard we found in the hazard analysis, for example unjustified braking by the motorway driver, and then look for causes, for example detecting an object that does not exist, mislocating or misclassifying an object that really exists, or making a braking decision and, beyond that, reporting dangerous objects.
-
00:25:44.04 - 00:26:11.99
We can subdivide further, for example the mislocation or misclassification here: the reported speed difference is higher than the real value, so we are considering a collision threshold higher than the real one; or the reported object will affect the ego lane although it does not cross it; or the reported object is closer than it actually is.
-
00:26:11.99 - 00:26:21.73
You can see that this may of course be fault-related, but it may also be related to inaccuracy in speed detection, or to the false positive rate of ghost objects here, so this applies to both cases.
-
00:26:21.73 - 00:26:39.10
In fact we found that at a higher level of functional abstraction you can do the FuSa and SOTIF analysis together; of course, at the technical level you then have to distinguish faults of the perception system from its shortcomings and limitations.
-
00:26:39.17 - 00:26:54.60
The next step is the shortcomings and limitations analysis. Our guideword analysis, which we know from the hazard analysis and have already used to find top-level malfunctions, works very well.
-
00:26:54.69 - 00:27:15.82
So on the left we have some characteristics of a sensor, in our case a generic camera: the characteristics are the normal field of view, visual range, contrast resolution, light sensitivity and colour resolution.
-
00:27:15.82 - 00:27:28.91
And in the horizontal columns you have different categories and different guidewords; for example, weather is one category, and then we have cloudy, light rain, heavy rain, sleet, light snow and heavy snow.
-
00:27:28.91 - 00:27:53.51
You can see that heavy rain is a problem for the camera: at the standard colour resolution they find a shortcoming here, this symbol stands for a shortcoming, reduced colour resolution, and in the visual range, of course, in heavy rain your visual range is greatly reduced. So it is very easy to find these limitations and shortcomings.
-
00:27:53.51 - 00:28:10.57
Then we need to perform the cause and effect analysis in combination with the malfunctions or inappropriate behaviour, and finally we analyse the triggering conditions.
-
00:28:13.71 - 00:28:15.83 9
现在让我们讨论一下
-
00:28:15.83 - 00:28:19.77 8
如何确定触发条件
-
00:28:19.77 - 00:28:23.44 4
触发条件
-
00:28:23.44 - 00:28:24.75 15
也是ISO 21488标准中的
-
00:28:24.83 - 00:28:25.08 4
核心术语
-
00:28:25.08 - 00:28:29.77 6
它们表示事件
-
00:28:29.77 - 00:28:31.75 11
或者环境中的一系列事物
-
00:28:31.75 - 00:28:36.55 11
能够激发一直存在的缺陷
-
00:28:36.55 - 00:28:39.76 10
从而导致不当行为结果
-
00:28:43.40 - 00:28:45.25 10
正如我前面解释的那样
-
00:28:45.25 - 00:28:48.30 4
触发条件
-
00:28:48.37 - 00:28:49.56 10
可以通过因果分析发现
-
00:28:49.56 - 00:28:52.77 7
这是此处应用的
-
00:28:52.85 - 00:28:53.82 8
两种方法中的一个
-
00:28:53.82 - 00:28:56.46 14
例如 因果分析可以成为故障树
-
00:28:56.46 - 00:29:02.03 5
这里我们有
-
00:29:02.03 - 00:29:05.30 6
自动驾驶功能
-
00:29:05.30 - 00:29:06.53 10
和感知功能的错误行为
-
00:29:06.61 - 00:29:07.62 3
尤其是
-
00:29:07.62 - 00:29:10.62 10
对于一个物体检测较弱
-
00:29:10.62 - 00:29:13.44 12
当然您可以在故障树中看到
-
00:29:13.51 - 00:29:14.36 3
一个门
-
00:29:14.36 - 00:29:17.32 4
这意味着
-
00:29:17.32 - 00:29:17.78 5
有两个东西
-
00:29:17.85 - 00:29:18.44 6
必须一起出现
-
00:29:18.44 - 00:29:21.61 12
这与功能安全性的不同之处
-
00:29:21.61 - 00:29:22.67 7
在于通常您只有
-
00:29:22.74 - 00:29:25.85 15
一个根本原因 一个破损电子部件
-
00:29:25.85 - 00:29:28.35 8
一个位翻转存储器
-
00:29:28.35 - 00:29:28.74 6
而这将会损害
-
00:29:28.79 - 00:29:29.02 3
摄像头
-
00:29:29.02 - 00:29:31.97 5
但在此您有
-
00:29:31.97 - 00:29:32.43 11
两个必须一起出现的东西
-
00:29:32.49 - 00:29:33.09 3
这里也
-
00:29:33.09 - 00:29:35.08 5
存在局限性
-
00:29:35.08 - 00:29:39.36 15
减少了摄像头在黑暗区域中的检测
-
00:29:39.36 - 00:29:43.67 7
以及弱照明条件
-
00:29:43.67 - 00:29:45.19 9
So in bright daylight
-
00:29:45.19 - 00:29:48.15 10
this weakness will not be a problem,
-
00:29:48.15 - 00:29:50.85 7
but at night it is.
-
00:29:50.85 - 00:29:53.54 8
You can use a fault tree
-
00:29:53.61 - 00:29:54.82 12
or you can also use a causal network;
-
00:29:54.82 - 00:29:56.08 7
both are possible.
-
00:29:58.48 - 00:30:02.07 3
But perhaps
-
00:30:02.07 - 00:30:02.39 7
this is not enough to find
-
00:30:02.39 - 00:30:06.41 9
all kinds of triggering conditions.
-
00:30:06.41 - 00:30:09.68 10
Look at this example on the right.
-
00:30:09.68 - 00:30:09.82 4
This is something
-
00:30:09.89 - 00:30:12.66 7
that really happened.
-
00:30:12.66 - 00:30:17.24 12
A neural network that had been trained before,
-
00:30:17.24 - 00:30:18.67 5
in perceiving humans,
-
00:30:18.77 - 00:30:19.90 2
generally
-
00:30:19.90 - 00:30:22.72 11
showed good performance,
-
00:30:22.72 - 00:30:26.07 13
but then systematically missed humans,
-
00:30:26.07 - 00:30:28.04 9
for example the road worker here,
-
00:30:28.04 - 00:30:31.77 11
wearing a yellow warning vest.
-
00:30:31.77 - 00:30:34.67 10
This is not hard for a human to interpret,
-
00:30:34.67 - 00:30:35.77 4
because usually
-
00:30:35.84 - 00:30:38.16 14
a yellow warning vest increases visibility,
-
00:30:38.16 - 00:30:41.08 15
but for the neural network that is not the case.
-
00:30:41.08 - 00:30:41.40 5
You would never
-
00:30:41.47 - 00:30:43.28 11
find this kind of thing in a fault tree.
-
00:30:43.28 - 00:30:46.16 12
So usually only combining the two methods
-
00:30:46.16 - 00:30:47.37 4
can ensure
-
00:30:47.44 - 00:30:50.32 4
that your analysis
-
00:30:50.32 - 00:30:50.77 10
achieves sufficient completeness.
-
00:30:54.95 - 00:30:58.01 9
To wrap up this part,
-
00:30:58.01 - 00:31:01.14 10
I want to give you some examples
-
00:31:01.14 - 00:31:01.84 2
of
-
00:31:01.91 - 00:31:03.52 12
SOTIF mechanisms for design improvement.
-
00:31:03.52 - 00:31:06.30 10
The term "SOTIF mechanism"
-
00:31:06.30 - 00:31:06.98 3
does not
-
00:31:07.04 - 00:31:07.23 3
appear in
-
00:31:07.23 - 00:31:07.59 9
the ISO 21448
-
00:31:07.59 - 00:31:07.81 3
standard,
-
00:31:07.81 - 00:31:10.99 8
but there is a clear requirement
-
00:31:11.06 - 00:31:11.86 7
to keep improving the system
-
00:31:11.86 - 00:31:17.08 10
until the risk of your automated driving function
-
00:31:17.08 - 00:31:19.52 5
is low enough.
-
00:31:19.52 - 00:31:22.33 8
Here I have selected only some
-
00:31:22.33 - 00:31:22.40 8
of the things you can implement.
-
00:31:22.40 - 00:31:23.20 2
First,
-
00:31:23.20 - 00:31:25.56 8
better sensors,
-
00:31:25.63 - 00:31:27.06 6
with respect to detection capability,
-
00:31:27.06 - 00:31:27.72 3
accuracy,
-
00:31:27.72 - 00:31:28.60 3
robustness
-
00:31:28.60 - 00:31:31.54 11
and other quality attributes. For example,
-
00:31:31.54 - 00:31:34.68 12
a more expensive camera may,
-
00:31:34.68 - 00:31:35.38 7
compared to a cheaper camera,
-
00:31:35.45 - 00:31:38.59 8
have a better signal-to-noise ratio,
-
00:31:38.59 - 00:31:39.22 10
or a larger radar antenna
-
00:31:39.29 - 00:31:40.55 10
can provide better resolution.
-
00:31:40.55 - 00:31:43.07 12
The next topic is sensor diversity.
-
00:31:43.07 - 00:31:44.22 2
For example,
-
00:31:44.22 - 00:31:48.54 6
camera and radar
-
00:31:48.54 - 00:31:49.02 10
are complementary in their detection capabilities,
-
00:31:49.12 - 00:31:53.44 10
and with regard to environmental conditions
-
00:31:53.44 - 00:31:56.42 4
as well.
-
00:31:56.42 - 00:31:59.14 13
For example, the camera performs poorly in fog,
-
00:31:59.14 - 00:32:02.18 10
but radar can help.
-
00:32:02.25 - 00:32:05.51 14
In a tunnel with lots of metal reflections
-
00:32:05.51 - 00:32:05.73 8
the radar performance is impaired,
-
00:32:05.73 - 00:32:09.47 9
but the camera can still see.
-
00:32:09.47 - 00:32:10.20 4
In general,
-
00:32:10.20 - 00:32:12.40 2
sometimes
-
00:32:12.40 - 00:32:12.45 10
this also involves other sensors.
-
00:32:12.45 - 00:32:15.11 7
Of course this also comes with
-
00:32:15.11 - 00:32:15.58 5
additional
-
00:32:15.64 - 00:32:16.06 2
cost for the system.
-
00:32:16.06 - 00:32:19.13 13
If camera and radar combined
-
00:32:19.13 - 00:32:19.82 6
still do not perform well enough,
-
00:32:19.82 - 00:32:22.90 13
then you may want to add a lidar
-
00:32:22.90 - 00:32:23.58 7
or an infrared camera.
-
00:32:23.58 - 00:32:27.01 8
This is an interesting option
-
00:32:27.01 - 00:32:29.69 6
because these can
-
00:32:29.69 - 00:32:30.46 5
fill the gaps in your current
-
00:32:30.52 - 00:32:31.00 7
detection profile.
-
00:32:31.00 - 00:32:31.71 2
For example,
-
00:32:31.71 - 00:32:34.35 14
in fog, a normal camera does not work,
-
00:32:34.35 - 00:32:35.06 6
but an infrared camera
-
00:32:35.12 - 00:32:37.76 8
can still provide information
-
00:32:37.76 - 00:32:38.58 3
on whether there is
-
00:32:38.64 - 00:32:38.94 4
a person on the road.
-
00:32:41.30 - 00:32:42.92 10
Between all these sensors
-
00:32:42.92 - 00:32:44.87 9
there must be sensor fusion,
-
00:32:44.87 - 00:32:48.35 12
or at least some cross-checking between functions.
-
00:32:48.35 - 00:32:49.24 2
For example,
-
00:32:49.24 - 00:32:52.22 10
you can specify that the AEB system
-
00:32:52.29 - 00:32:55.64 9
is authorized for full emergency braking
-
00:32:55.64 - 00:32:56.83 3
only for
-
00:32:56.90 - 00:33:00.25 9
objects that at least two different sensors
-
00:33:00.25 - 00:33:00.92 7
have confirmed at the same time.
-
00:33:00.92 - 00:33:01.75 3
Next,
-
00:33:01.75 - 00:33:04.62 14
similar to the ISO 26262 standard,
-
00:33:04.62 - 00:33:06.99 10
there is sensor self-diagnosis,
-
00:33:06.99 - 00:33:09.14 8
this time not for failures
-
00:33:09.14 - 00:33:12.52 6
but for misalignment
-
00:33:12.52 - 00:33:13.35 7
or similar things.
-
00:33:13.35 - 00:33:14.25 2
For example,
-
00:33:14.25 - 00:33:17.40 7
an algorithm can detect
-
00:33:17.48 - 00:33:19.06 9
a dirty or worn camera,
-
00:33:19.06 - 00:33:22.50 6
or it can detect
-
00:33:22.50 - 00:33:23.03 10
saturation caused by glare,
-
00:33:23.11 - 00:33:26.55 13
and then the function switches to another mode
-
00:33:26.55 - 00:33:27.85 6
and asks the driver
-
00:33:27.93 - 00:33:31.37 4
to take back control,
-
00:33:31.37 - 00:33:31.90 13
or another sensor system takes over.
-
00:33:31.90 - 00:33:35.37 2
Of course,
-
00:33:35.37 - 00:33:36.45 3
next
-
00:33:36.53 - 00:33:37.37 8
is the improvement of detection algorithms,
-
00:33:37.37 - 00:33:41.76 3
in particular
-
00:33:41.76 - 00:33:42.74 8
training the machine learning algorithms.
-
00:33:42.74 - 00:33:43.44 2
For example,
-
00:33:43.44 - 00:33:46.08 8
if you happen to find
-
00:33:46.08 - 00:33:47.20 4
a detection weakness
-
00:33:47.20 - 00:33:49.40 21
for pedestrians in unusual poses or wearing unusual clothing,
-
00:33:49.40 - 00:33:52.38 7
then you should choose
-
00:33:52.38 - 00:33:53.11 8
to extend your neural network's
-
00:33:53.17 - 00:33:54.50 4
training data
-
00:33:54.50 - 00:33:56.65 8
to include these cases.
-
00:33:56.65 - 00:33:58.87 7
There are more options here
-
00:33:58.87 - 00:34:02.73 6
that can of course be used
-
00:34:02.73 - 00:34:03.24 4
to improve the system
-
00:34:03.33 - 00:34:05.05 5
and reduce the risk.
-
00:34:05.05 - 00:34:08.25 8
To conclude my talk,
-
00:34:08.32 - 00:34:11.60 6
I want to describe to you
-
00:34:11.60 - 00:34:12.11 14
some potential future directions of SOTIF.
-
00:34:15.16 - 00:34:19.54 2
First,
-
00:34:19.54 - 00:34:19.83 6
what must be improved is
-
00:34:19.92 - 00:34:24.30 7
the integration of different techniques:
-
00:34:24.30 - 00:34:25.38 5
design, analysis,
-
00:34:25.38 - 00:34:28.37 10
simulation and other kinds of verification
-
00:34:28.37 - 00:34:29.43 5
in the early phases,
-
00:34:29.50 - 00:34:32.22 9
on the left half of the V-model.
-
00:34:32.29 - 00:34:35.28 5
You can see,
-
00:34:35.28 - 00:34:35.35 5
via the pictograms,
-
00:34:35.35 - 00:34:38.19 12
the small loops I have drawn into the V-model.
-
00:34:38.19 - 00:34:41.22 10
What does this look like?
-
00:34:41.22 - 00:34:41.62 2
The requirements
-
00:34:41.62 - 00:34:42.01 3
engineer,
-
00:34:42.01 - 00:34:45.47 4
in requirements elicitation,
-
00:34:45.47 - 00:34:46.24 9
defines the first function.
-
00:34:46.24 - 00:34:49.44 5
The systems engineer
-
00:34:49.44 - 00:34:50.01 9
is creating the first version of
-
00:34:50.09 - 00:34:53.30 4
the functional architecture,
-
00:34:53.30 - 00:34:55.29 11
and then immediately a safety analysis is done.
-
00:34:55.29 - 00:34:58.50 18
Of course, if you have a model-based safety analysis tool,
-
00:34:58.57 - 00:35:01.78 6
that is an advantage:
-
00:35:01.78 - 00:35:02.99 10
the model can directly work on
-
00:35:03.06 - 00:35:05.20 8
the SysML model of the architecture.
-
00:35:05.20 - 00:35:08.44 5
The safety analyst
-
00:35:08.44 - 00:35:09.23 9
will find potential weaknesses,
-
00:35:09.23 - 00:35:10.31 7
maybe FuSa,
-
00:35:10.31 - 00:35:13.33 16
maybe SOTIF, and propose improvements:
-
00:35:13.33 - 00:35:15.06 8
new safety requirements,
-
00:35:15.06 - 00:35:17.43 5
improvements to the architecture.
-
00:35:17.43 - 00:35:20.78 8
So this is a loop,
-
00:35:20.78 - 00:35:21.00 7
and the analysis is done again.
-
00:35:21.07 - 00:35:24.42 9
This loop keeps going
-
00:35:24.42 - 00:35:25.32 9
until all issues are resolved.
-
00:35:25.32 - 00:35:28.97 14
The same loop is repeated on the technical level.
-
00:35:28.97 - 00:35:32.53 11
But what can help with verification
-
00:35:32.53 - 00:35:33.56 6
is not just analysis.
-
00:35:33.56 - 00:35:37.08 10
We have to use models in closed-loop simulation
-
00:35:37.08 - 00:35:37.16 8
as early as possible,
-
00:35:37.24 - 00:35:40.76 6
go through a large number of scenarios
-
00:35:40.76 - 00:35:41.86 3
and find out
-
00:35:41.93 - 00:35:45.46 8
whether the new function does
-
00:35:45.46 - 00:35:46.32 6
what it is supposed to do,
-
00:35:46.32 - 00:35:49.82 10
and whether the safety-induced improvements
-
00:35:49.82 - 00:35:50.68 7
have been successful.
-
00:35:54.48 - 00:35:57.41 9
Here you can see an example
-
00:35:57.41 - 00:35:58.13 2
of the integration of analysis
-
00:35:58.20 - 00:35:59.64 10
and verification techniques.
-
00:36:02.72 - 00:36:06.02 16
The safety analyst in Medini thinks that
-
00:36:06.02 - 00:36:08.93 4
certain scenarios
-
00:36:08.93 - 00:36:09.58 7
might lead to a hazard.
-
00:36:09.58 - 00:36:10.35 2
For example:
-
00:36:10.35 - 00:36:12.99 7
I am afraid that another vehicle
-
00:36:13.06 - 00:36:15.95 9
cutting into my lane at close range
-
00:36:15.95 - 00:36:16.02 9
might be detected too late.
-
00:36:16.02 - 00:36:18.25 8
Can you check this for me?
-
00:36:20.54 - 00:36:23.30 7
Then what you do is
-
00:36:23.37 - 00:36:26.34 11
define the triggering condition and a logical scenario.
-
00:36:26.34 - 00:36:29.41 17
Stopping. Stopping is not a fully specified scenario.
-
00:36:29.41 - 00:36:32.46 5
It only indicates
-
00:36:32.46 - 00:36:33.40 8
which participants, apart from the ego vehicle,
-
00:36:33.47 - 00:36:34.75 7
are in the scenario,
-
00:36:34.75 - 00:36:36.31 5
what the positions are,
-
00:36:36.31 - 00:36:38.87 7
the relative positions of the vehicles,
-
00:36:38.94 - 00:36:40.83 10
the speeds and what is happening,
-
00:36:40.83 - 00:36:44.38 7
which maneuvers are taken.
-
00:36:44.38 - 00:36:44.54 8
There are no concrete parameters here.
-
00:36:44.54 - 00:36:49.81 7
The radar parameter range is
-
00:36:49.81 - 00:36:50.87 4
a vehicle behind the ego vehicle
-
00:36:50.98 - 00:36:52.16 11
at 50 to 200 meters.
-
00:36:52.16 - 00:36:55.20 11
This is fed into the scenario generator.
-
00:36:55.20 - 00:36:56.21 5
The scenario generator
-
00:36:56.28 - 00:36:59.32 8
can extract real scenarios
-
00:36:59.32 - 00:37:00.40 7
from a large database,
-
00:37:00.46 - 00:37:02.49 8
build a large number of driving maneuvers
-
00:37:02.49 - 00:37:04.91 8
and environmental conditions and so on,
-
00:37:04.91 - 00:37:08.74 10
and construct concrete scenarios from them.
-
00:37:08.74 - 00:37:10.65 8
But there is another branch,
-
00:37:10.65 - 00:37:13.84 8
which is about monitoring conditions
-
00:37:13.84 - 00:37:13.99 1
.
-
00:37:13.99 - 00:37:17.02 8
These come from the hazard:
-
00:37:17.02 - 00:37:19.12 7
what am I afraid of?
-
00:37:19.12 - 00:37:20.85 7
For example, a rear-end collision.
-
00:37:20.85 - 00:37:23.76 5
You could also say
-
00:37:23.76 - 00:37:23.96 5
the distance between the ego vehicle
-
00:37:24.02 - 00:37:25.83 7
and the vehicle in front is 0;
-
00:37:25.83 - 00:37:29.26 12
that is a collision, and it should be monitored,
-
00:37:29.26 - 00:37:32.54 8
because the simulation must know
-
00:37:32.54 - 00:37:32.76 4
which things
-
00:37:32.83 - 00:37:35.25 4
need to be reported.
-
00:37:35.25 - 00:37:37.98 9
So observers will be generated.
-
00:37:40.31 - 00:37:43.12 4
The concrete scenarios
-
00:37:43.12 - 00:37:44.25 6
are then imported into
-
00:37:44.31 - 00:37:45.31 10
the simulation engine of our tool set,
-
00:37:45.31 - 00:37:48.00 16
the VRXPERIENCE driving simulator.
-
00:37:48.00 - 00:37:50.76 6
One abstract scenario
-
00:37:50.84 - 00:37:54.29 5
may lead to
-
00:37:54.29 - 00:37:54.99 11
hundreds of concrete scenarios that need to be executed.
-
00:37:54.99 - 00:37:57.73 9
Ansys is participating in
-
00:37:57.73 - 00:37:58.70 19
the ASAM OpenSCENARIO initiative
-
00:37:58.70 - 00:38:01.28 2
to develop,
-
00:38:01.28 - 00:38:04.02 5
compared to the previous standard,
-
00:38:04.02 - 00:38:04.44 8
a more formal and more powerful
-
00:38:04.50 - 00:38:05.60 8
standard open scenario tooling,
-
00:38:05.60 - 00:38:09.17 5
and this will be used
-
00:38:09.17 - 00:38:09.41 2
to integrate
-
00:38:09.49 - 00:38:09.97 5
our tools.
-
00:38:09.97 - 00:38:12.01 8
Whenever an observer fires,
-
00:38:12.01 - 00:38:14.67 4
which means
-
00:38:14.75 - 00:38:15.43 7
a critical condition has been violated,
-
00:38:15.43 - 00:38:18.80 12
this is then recorded in a log file,
-
00:38:18.80 - 00:38:18.95 6
and the log file
-
00:38:19.02 - 00:38:22.39 21
is fed back into Medini Analyze
-
00:38:22.39 - 00:38:22.91 1
and
-
00:38:22.99 - 00:38:25.24 12
considered further in the safety analysis.
-
00:38:28.65 - 00:38:31.18 9
The next topic I see
-
00:38:31.18 - 00:38:31.74 5
is quantitative
-
00:38:31.80 - 00:38:34.34 6
or statistical methods
-
00:38:34.34 - 00:38:34.96 8
to demonstrate sufficiently low risk.
-
00:38:37.05 - 00:38:39.53 2
Currently,
-
00:38:39.53 - 00:38:40.42 13
in the ISO 21448 standard,
-
00:38:40.42 - 00:38:45.42 6
we do not have any
-
00:38:45.42 - 00:38:45.76 9
mandatory statistical target metrics
-
00:38:45.76 - 00:38:48.01 17
as we have in the ISO 26262 standard,
-
00:38:48.01 - 00:38:51.74 10
where we have hardware reliability metrics.
-
00:38:51.74 - 00:38:55.73 9
What we have to show here
-
00:38:55.73 - 00:38:55.99 4
is only qualitative.
-
00:38:55.99 - 00:38:58.96 11
So we take two measures:
-
00:38:59.03 - 00:39:02.00 11
one is to turn unknown hazardous situations
-
00:39:02.00 - 00:39:03.78 9
into known hazardous situations,
-
00:39:03.84 - 00:39:06.81 4
and then to show
-
00:39:06.81 - 00:39:07.27 5
that you can handle
-
00:39:07.27 - 00:39:09.55 9
all the known hazardous situations.
-
00:39:09.55 - 00:39:12.93 10
Of course there is no absolute safety
-
00:39:12.93 - 00:39:14.90 6
and no zero risk.
-
00:39:14.90 - 00:39:18.10 10
There is an obvious question here:
-
00:39:18.10 - 00:39:20.34 7
how good is good enough?
-
00:39:20.34 - 00:39:22.97 9
How do we quantify the residual risk,
-
00:39:22.97 - 00:39:23.26 7
and when are we
-
00:39:23.32 - 00:39:24.38 4
done with testing?
-
00:39:26.69 - 00:39:28.92 10
The ISO 26262 standard's
-
00:39:28.92 - 00:39:29.24 7
target risk values
-
00:39:29.24 - 00:39:32.86 6
are perhaps not suitable
-
00:39:32.86 - 00:39:33.35 5
for the performance
-
00:39:33.43 - 00:39:34.64 3
of sensor systems.
-
00:39:34.64 - 00:39:36.05 9
But what else can we use?
-
00:39:36.05 - 00:39:38.32 10
Which targets are achievable,
-
00:39:38.32 - 00:39:38.78 7
and how do we prove them?
-
00:39:40.92 - 00:39:43.32 11
Quantitative methods in SOTIF
-
00:39:43.32 - 00:39:44.34 9
are not yet state of the art,
-
00:39:44.34 - 00:39:47.09 10
but they are under intense discussion.
-
00:39:47.09 - 00:39:50.18 9
The informative Annex C of the standard
-
00:39:50.18 - 00:39:51.34 5
provides some
-
00:39:51.41 - 00:39:53.27 9
pointers on statistical methods,
-
00:39:53.27 - 00:39:55.90 11
and some work still has to be done
-
00:39:55.90 - 00:39:56.26 8
before we can use
-
00:39:56.31 - 00:39:58.37 7
statistical methods in practice.
-
00:40:02.06 - 00:40:04.86 10
If we want statistical confidence,
-
00:40:04.86 - 00:40:08.81 6
what we need to do
-
00:40:08.81 - 00:40:08.90 6
is keep testing
-
00:40:08.98 - 00:40:12.85 6
until we have
-
00:40:12.85 - 00:40:15.21 6
a large amount of statistical evidence.
-
00:40:15.21 - 00:40:16.85 7
Look at this example.
-
00:40:16.85 - 00:40:19.19 8
Suppose we want to prove that
-
00:40:19.27 - 00:40:22.79 6
an automated driving system
-
00:40:22.79 - 00:40:23.96 8
is equal to or better than a human.
-
00:40:23.96 - 00:40:25.38 4
If humans
-
00:40:25.38 - 00:40:28.22 20
have 1.09 fatal accidents per 100 million miles,
-
00:40:28.22 - 00:40:30.78 7
which comes from statistics,
-
00:40:30.78 - 00:40:33.80 15
and if we want to prove, with 95% confidence
-
00:40:33.80 - 00:40:37.35 10
and 80% power,
-
00:40:37.35 - 00:40:38.14 10
that the failure rate of the automated driving system
-
00:40:38.14 - 00:40:42.05 11
is 20% lower than that of human drivers,
-
00:40:42.05 - 00:40:47.08 13
then we would need to test for 500 years.
-
00:40:47.08 - 00:40:49.24 7
This is simply not feasible.
-
00:40:49.24 - 00:40:51.98 8
So we urgently need
-
00:40:51.98 - 00:40:52.78 10
a smart and robust method
-
00:40:52.84 - 00:40:55.10 16
for validating ADAS and AD functions in vehicles.
-
00:40:58.48 - 00:41:01.90 9
This is a sketch of the overall approach.
-
00:41:01.90 - 00:41:05.39 13
Target values may come from accident statistics,
-
00:41:05.39 - 00:41:08.87 3
but they must be
-
00:41:08.87 - 00:41:10.03 6
broken down by driving environment,
-
00:41:10.11 - 00:41:13.59 15
by type and severity of the accident,
-
00:41:13.59 - 00:41:14.90 9
as you can see here
-
00:41:14.98 - 00:41:17.07 6
on this chart:
-
00:41:17.07 - 00:41:18.11 5
we have urban,
-
00:41:18.11 - 00:41:21.31 9
rural and highway scenarios,
-
00:41:21.38 - 00:41:21.90 8
and the categories of major property damage,
-
00:41:21.90 - 00:41:22.87 4
light injury,
-
00:41:22.87 - 00:41:26.00 10
severe injury or death.
-
00:41:26.00 - 00:41:30.69 14
So we need more fine-grained target values.
-
00:41:30.69 - 00:41:34.36 8
Then we can apply
-
00:41:34.36 - 00:41:36.07 6
quantitative statistical methods
-
00:41:36.15 - 00:41:38.11 17
as we did before in FuSa,
-
00:41:38.11 - 00:41:39.58 9
for example quantitative fault tree analysis.
-
00:41:39.58 - 00:41:42.34 2
Well,
-
00:41:42.42 - 00:41:46.08 7
if we consider the failure
-
00:41:46.08 - 00:41:47.30 11
of not detecting a vehicle at an intersection
-
00:41:47.38 - 00:41:50.55 6
due to nominal performance,
-
00:41:50.55 - 00:41:53.37 10
and at this point not due to a fault,
-
00:41:53.37 - 00:41:55.21 10
then we can decompose
-
00:41:55.21 - 00:41:57.89 7
what exactly the reasons are
-
00:41:57.97 - 00:42:01.57 8
that the vehicle is not detected,
-
00:42:01.57 - 00:42:05.84 17
or is detected at a lower speed than it is actually driving,
-
00:42:05.84 - 00:42:06.41 9
or from a different angle.
-
00:42:06.51 - 00:42:07.94 6
And for this case,
-
00:42:07.94 - 00:42:11.19 7
what can we
-
00:42:11.19 - 00:42:11.41 2
regard as
-
00:42:11.48 - 00:42:12.50 4
a failure,
-
00:42:12.50 - 00:42:15.06 11
even though it is SOTIF-related?
-
00:42:15.06 - 00:42:18.31 5
The key point is that
-
00:42:18.31 - 00:42:19.18 8
the detected vehicle speed
-
00:42:19.25 - 00:42:19.90 9
is below 30 kilometers per hour,
-
00:42:19.90 - 00:42:23.60 9
although in reality it is much faster.
-
00:42:23.60 - 00:42:25.24 14
We need statistical accuracy data
-
00:42:25.32 - 00:42:29.01 8
about our new sensor,
-
00:42:29.01 - 00:42:29.84 11
the accuracy with which it detects relative speed,
-
00:42:29.92 - 00:42:33.61 4
and then we can
-
00:42:33.61 - 00:42:33.78 5
compute this case.
-
00:42:33.78 - 00:42:37.93 10
Another method is to run simulations
-
00:42:37.93 - 00:42:39.40 4
in order to find
-
00:42:39.50 - 00:42:42.27 10
the probability of not performing the expected behavior.
-
00:42:42.27 - 00:42:45.37 5
But the problem is
-
00:42:45.37 - 00:42:45.51 7
that we have many parameters
-
00:42:45.51 - 00:42:49.50 6
and a large number of variables;
-
00:42:49.50 - 00:42:50.04 7
we cannot just use
-
00:42:50.12 - 00:42:51.46 7
a brute-force computation.
-
00:42:51.46 - 00:42:54.61 9
We need some tricks
-
00:42:54.61 - 00:42:55.38 8
to perform sensitivity analysis:
-
00:42:55.38 - 00:42:57.79 7
what are the critical parameters,
-
00:42:57.79 - 00:43:00.07 8
what are the irrelevant parameters,
-
00:43:00.07 - 00:43:02.07 7
what are the critical levels?
-
00:43:02.07 - 00:43:05.15 4
So when you
-
00:43:05.22 - 00:43:05.99 6
reach a certain level
-
00:43:05.99 - 00:43:09.13 10
and change one parameter slightly,
-
00:43:09.13 - 00:43:09.76 6
then you enter
-
00:43:09.83 - 00:43:11.64 4
the hazardous region.
-
00:43:11.64 - 00:43:14.74 29
So we need a tool like Ansys OptiSLang
-
00:43:14.74 - 00:43:15.09 10
that can perform this optimization
-
00:43:15.16 - 00:43:18.26 4
and can
-
00:43:18.26 - 00:43:19.43 4
greatly reduce
-
00:43:19.50 - 00:43:20.33 7
the number of simulation cases.
-
00:43:24.00 - 00:43:27.89 2
But it
-
00:43:27.89 - 00:43:28.41 11
is not just about the number of miles driven.
-
00:43:28.41 - 00:43:31.79 8
The miles in the example on the left
-
00:43:31.79 - 00:43:32.84 4
are certainly not
-
00:43:32.91 - 00:43:36.29 5
equal to the miles
-
00:43:36.29 - 00:43:36.60 8
on the empty street in the picture on the right.
-
00:43:36.60 - 00:43:39.76 7
So to a large extent
-
00:43:39.76 - 00:43:40.11 7
it is not just the mileage
-
00:43:40.18 - 00:43:42.43 9
that proves whether we are safe.
-
00:43:42.43 - 00:43:45.61 6
We have to find out
-
00:43:45.61 - 00:43:45.83 7
what the critical scenarios are,
-
00:43:45.83 - 00:43:48.12 8
how to weight the tests,
-
00:43:48.12 - 00:43:50.89 4
how to make sure
-
00:43:50.96 - 00:43:54.09 10
that what I spend my effort on
-
00:43:54.09 - 00:43:54.92 5
really delivers
-
00:43:54.99 - 00:43:55.55 6
meaningful results.
-
00:43:58.85 - 00:44:02.56 6
This brings us to
-
00:44:02.56 - 00:44:07.13 11
the challenge of defining and structuring the ODD:
-
00:44:07.13 - 00:44:09.45 12
finding a taxonomy, finding categories,
-
00:44:09.45 - 00:44:13.44 5
finding equivalence classes
-
00:44:13.44 - 00:44:14.51 7
and finding coverage metrics.
-
00:44:14.51 - 00:44:17.49 6
We have to list
-
00:44:17.56 - 00:44:18.44 13
everything that can happen in the ODD.
-
00:44:18.44 - 00:44:21.81 9
We have to deal with continuous values,
-
00:44:21.81 - 00:44:25.05 11
so full coverage is not achievable,
-
00:44:25.05 - 00:44:26.34 5
because a continuous value
-
00:44:26.41 - 00:44:29.14 7
could be set to 3 meters,
-
00:44:29.14 - 00:44:31.71 15
3.5 meters, 10 meters, any value.
-
00:44:31.71 - 00:44:35.53 8
So we have to find
-
00:44:35.53 - 00:44:37.40 11
sufficiently representative equivalence classes.
-
00:44:37.40 - 00:44:39.64 11
So there are many questions to be answered:
-
00:44:39.64 - 00:44:42.22 9
what are suitable equivalence classes
-
00:44:42.22 - 00:44:43.19 4
and representatives,
-
00:44:43.19 - 00:44:45.75 10
what are suitable coverage metrics,
-
00:44:45.75 - 00:44:47.00 7
and what is an acceptable target value
-
00:44:47.06 - 00:44:48.14 6
for the residual risk?
-
00:44:48.14 - 00:44:50.70 6
Among all the combinations,
-
00:44:50.70 - 00:44:51.83 4
is there
-
00:44:51.89 - 00:44:53.03 11
a more efficient method than brute-force simulation,
-
00:44:53.03 - 00:44:55.45 11
knowing that most of them are very boring
-
00:44:55.45 - 00:44:57.65 6
or very uninteresting?
-
00:44:57.65 - 00:45:01.50 9
For these rare events
-
00:45:01.50 - 00:45:02.10 4
that we sometimes
-
00:45:02.18 - 00:45:04.24 15
call black swan events, what do you think?
-
00:45:04.24 - 00:45:06.68 8
Like a person riding a horse,
-
00:45:06.68 - 00:45:09.24 11
a large horse-drawn carriage in bad weather,
-
00:45:09.24 - 00:45:12.92 9
a person dressed up as an animal.
-
00:45:12.92 - 00:45:15.83 11
Should we put all of these
-
00:45:15.83 - 00:45:16.02 9
into the ODD description,
-
00:45:16.09 - 00:45:19.00 7
and the ODD description
-
00:45:19.00 - 00:45:19.98 7
would become very complex?
-
00:45:19.98 - 00:45:22.78 4
Should
-
00:45:22.78 - 00:45:23.84 7
all of these be included
-
00:45:23.90 - 00:45:24.34 8
in the quantification of the statistical metrics?
-
00:45:24.34 - 00:45:26.90 10
Or, should we
-
00:45:26.97 - 00:45:27.59 11
record them as a kind of checklist:
-
00:45:27.59 - 00:45:29.80 16
have you tried this, have you tried that?
-
00:45:29.80 - 00:45:32.58 14
Should there be a growing
-
00:45:32.58 - 00:45:33.20 11
cross-regional and cross-company database
-
00:45:33.26 - 00:45:36.04 6
where everyone can
-
00:45:36.04 - 00:45:37.22 8
put events into the database,
-
00:45:37.28 - 00:45:40.06 14
and then they can be used to test future systems,
-
00:45:40.06 - 00:45:40.18 2
so that
-
00:45:40.18 - 00:45:43.00 4
we can
-
00:45:43.00 - 00:45:43.44 16
learn from the mistakes others have made before?
-
00:45:43.44 - 00:45:46.25 2
These
-
00:45:46.25 - 00:45:46.76 11
are all questions we need to answer,
-
00:45:46.76 - 00:45:48.29 8
and there are many more like them.
-
00:45:48.29 - 00:45:50.25 3
But now
-
00:45:50.25 - 00:45:51.14 10
I have to wrap up my talk.
-
00:45:54.07 - 00:45:55.84 19
Thank you very much for your attention, and now I welcome your questions.
-
00:00:00.00 - 00:00:02.58 27
Hello ladies and gentlemen,
-
00:00:02.58 - 00:00:05.07 27
I'm Bernhard Kaiser and I'm
-
00:00:05.16 - 00:00:09.09 36
going to give a talk about SOTIF the
-
00:00:09.18 - 00:00:13.40 46
Status, challenges and the future directions.
-
00:00:13.40 - 00:00:15.29 9
To begin.
-
00:00:15.29 - 00:00:18.27 44
Let's give you an introduction on what SOTIF
-
00:00:18.27 - 00:00:18.53 2
is
-
00:00:18.60 - 00:00:20.33 26
and why we need it anyway.
-
00:00:23.24 - 00:00:26.83 41
Traditional functional safety or FuSa for
-
00:00:26.83 - 00:00:27.15 6
short,
-
00:00:27.15 - 00:00:31.11 43
considers failures of E/E systems as hazard
-
00:00:31.11 - 00:00:31.64 9
causes, a
-
00:00:31.73 - 00:00:33.50 20
bug in the software,
-
00:00:33.50 - 00:00:37.52 39
a drift in a transistor, a broken wire,
-
00:00:37.52 - 00:00:41.34 36
and a corrupted message on the CAN bus.
-
00:00:41.34 - 00:00:44.59 43
But if this is enough for all these aspects
-
00:00:44.59 - 00:00:44.67 2
of
-
00:00:44.74 - 00:00:45.17 4
ADAS
-
00:00:45.17 - 00:00:48.31 23
and autonomous driving.
-
00:00:48.31 - 00:00:51.36 45
We know from experience that accidents can be
-
00:00:51.36 - 00:00:52.04 9
caused by
-
00:00:52.10 - 00:00:55.16 45
a misfit between the specification or between
-
00:00:55.16 - 00:00:56.44 18
the assumptions on
-
00:00:56.51 - 00:00:59.56 40
which the system is based and the actual
-
00:00:59.56 - 00:01:00.31 19
environment that it
-
00:01:00.31 - 00:01:03.08 41
encounters in various driving situations.
-
00:01:05.60 - 00:01:08.48 38
The nominal performance of sensors and
-
00:01:08.48 - 00:01:10.21 33
perception algorithms is limited.
-
00:01:10.21 - 00:01:13.04 31
For example, the field of view,
-
00:01:13.04 - 00:01:14.53 18
or the perception,
-
00:01:14.53 - 00:01:15.14 6
range,
-
00:01:15.14 - 00:01:18.39 36
or the ability to detect things even
-
00:01:18.48 - 00:01:20.24 20
in dark environment.
-
00:01:20.24 - 00:01:23.82 33
And it can be further impaired by
-
00:01:23.82 - 00:01:24.94 26
environmental conditions.
-
00:01:24.94 - 00:01:26.55 17
Like fog or rain.
-
00:01:29.19 - 00:01:32.09 43
Perception algorithms today are often based
-
00:01:32.09 - 00:01:34.10 31
on machine learning algorithms,
-
00:01:34.10 - 00:01:37.02 46
but machine learning can exhibit unexplainable
-
00:01:37.02 - 00:01:37.73 9
behavior,
-
00:01:37.73 - 00:01:41.62 45
so it's really hard to argue with safety with
-
00:01:41.62 - 00:01:42.31 7
respect
-
00:01:42.40 - 00:01:44.13 20
to safety standards.
-
00:01:44.13 - 00:01:46.74 19
Last but not least.
-
00:01:46.74 - 00:01:49.55 45
Misunderstandings, mode confusion between the
-
00:01:49.55 - 00:01:51.11 25
human and the machine and
-
00:01:51.17 - 00:01:53.36 35
there will always be humans around,
-
00:01:53.36 - 00:01:56.08 28
even for automated vehicles,
-
00:01:56.08 - 00:01:57.93 18
can cause hazards.
-
00:01:57.93 - 00:02:01.58 46
And they can go even up to misuse, intentional
-
00:02:01.58 - 00:02:02.15 6
misuse
-
00:02:02.23 - 00:02:05.65 42
like the famous example from the Internet,
-
00:02:05.65 - 00:02:09.27 45
where somebody put a Coke can on the steering
-
00:02:09.27 - 00:02:09.75 5
wheel
-
00:02:09.83 - 00:02:13.45 44
in order to fool the hands-on recognition by
-
00:02:13.45 - 00:02:14.01 8
the ADAS
-
00:02:14.09 - 00:02:14.66 7
system.
-
00:02:19.57 - 00:02:22.76 44
Let me explain how mismatch of specification
-
00:02:22.76 - 00:02:24.03 18
and real situation
-
00:02:24.10 - 00:02:26.94 40
can lead to a hazard even if there is no
-
00:02:27.01 - 00:02:30.20 38
failure and in this example not even a
-
00:02:30.20 - 00:02:30.70 13
limitation of
-
00:02:30.70 - 00:02:32.19 19
sensor performance,
-
00:02:32.19 - 00:02:35.11 39
which is the cause for the trouble. And
-
00:02:35.19 - 00:02:37.79 38
This is a case that actually happened.
-
00:02:37.79 - 00:02:40.69 39
What you can see here is a highway exit
-
00:02:40.69 - 00:02:40.95 9
situation
-
00:02:41.02 - 00:02:41.73 11
in Germany.
-
00:02:41.73 - 00:02:44.01 35
We have these big metal signs here.
-
00:02:44.01 - 00:02:46.37 48
The arrows going to the right saying “Ausfahrt”,
-
00:02:46.37 - 00:02:48.87 17
which means exit.
-
00:02:48.87 - 00:02:51.54 41
And of course you are on the deceleration
-
00:02:51.54 - 00:02:51.66 5
ramp,
-
00:02:51.66 - 00:02:54.31 42
so you are approaching this sign very fast
-
00:02:54.31 - 00:02:54.67 8
and this
-
00:02:54.72 - 00:02:56.32 27
is recognized by the radar,
-
00:02:56.32 - 00:02:58.59 38
so there's no problem with perception,
-
00:02:58.59 - 00:03:01.69 40
so the human driver was braking in this
-
00:03:01.69 - 00:03:02.11 10
situation.
-
00:03:02.11 - 00:03:05.05 42
But not strong enough to come to a stop in
-
00:03:05.12 - 00:03:06.38 18
front of the sign.
-
00:03:06.38 - 00:03:06.82 7
I mean,
-
00:03:06.82 - 00:03:09.66 45
obviously because the driver had no intention
-
00:03:09.66 - 00:03:09.78 2
to
-
00:03:09.85 - 00:03:10.79 15
come to a stop.
-
00:03:10.79 - 00:03:13.43 42
He knows that the road makes a bend to the
-
00:03:13.49 - 00:03:16.31 44
right and he just wanted to follow the curve
-
00:03:16.31 - 00:03:16.50 3
and
-
00:03:16.56 - 00:03:19.38 38
decelerate to an appropriate speed for
-
00:03:19.38 - 00:03:19.63 8
example,
-
00:03:19.63 - 00:03:20.98 23
50 kilometers per hour.
-
00:03:20.98 - 00:03:23.46 36
What the system was thinking is that
-
00:03:23.53 - 00:03:26.56 45
there's an obstacle on the road the driver is
-
00:03:26.56 - 00:03:27.03 9
braking,
-
00:03:27.03 - 00:03:29.72 50
but the driver’s braking is not strong enough so
-
00:03:29.72 - 00:03:30.26 8
I should
-
00:03:30.31 - 00:03:33.00 45
help the driver and so the ABS system engaged
-
00:03:33.00 - 00:03:33.24 3
and
-
00:03:33.30 - 00:03:35.99 41
caused a full emergency braking to bring
-
00:03:35.99 - 00:03:36.71 14
the vehicle to
-
00:03:36.71 - 00:03:39.76 34
a stop before it reaches the sign.
-
00:03:39.76 - 00:03:41.51 28
Of course, by this behavior,
-
00:03:41.51 - 00:03:43.57 32
well-meaning behavior of course,
-
00:03:43.57 - 00:03:45.75 35
the system just created the hazard,
-
00:03:45.75 - 00:03:48.54 45
because if you suddenly stop on an exit ramp,
-
00:03:48.54 - 00:03:51.27 39
this can mean that another vehicle from
-
00:03:51.27 - 00:03:51.99 17
behind will crash
-
00:03:52.05 - 00:03:53.27 20
right into your car.
-
00:03:57.15 - 00:03:59.58 40
The weaknesses and limitations of sensor
-
00:03:59.58 - 00:04:00.49 27
performance are manifold.
-
00:04:00.49 - 00:04:02.92 44
They have their nominal performance like the
-
00:04:02.92 - 00:04:03.89 17
restricted field
-
00:04:03.89 - 00:04:07.06 46
of view, contrast resolution, light sensitivity.
-
00:04:07.06 - 00:04:10.40 46
The sensor performance can be further impacted
-
00:04:10.40 - 00:04:12.11 21
by weather conditions
-
00:04:12.19 - 00:04:13.83 23
like fog or heavy rain.
-
00:04:13.83 - 00:04:16.59 44
Sensors are susceptible to disturbances that
-
00:04:16.59 - 00:04:17.76 19
can make them blind
-
00:04:17.82 - 00:04:19.60 30
or can fool them, for example,
-
00:04:19.60 - 00:04:22.35 45
blinding sun that drives the camera sensor in
-
00:04:22.35 - 00:04:23.27 14
the saturation
-
00:04:23.33 - 00:04:26.08 46
or reflection from a Coke can on the road that
-
00:04:26.08 - 00:04:26.33 3
may
-
00:04:26.39 - 00:04:29.14 41
look to radar like a massive wall and may
-
00:04:29.14 - 00:04:29.26 5
cause
-
00:04:29.26 - 00:04:31.25 7
a stop.
-
00:04:31.25 - 00:04:34.06 46
Then the algorithms have their limitations too
-
00:04:34.06 - 00:04:35.00 12
not just the
-
00:04:35.06 - 00:04:35.56 8
sensors.
-
00:04:35.56 - 00:04:37.96 38
There's a certain false negative rate,
-
00:04:37.96 - 00:04:39.81 30
false positive rate for, yeah,
-
00:04:39.81 - 00:04:42.59 44
perception algorithms based on neural networks.
-
00:04:42.59 - 00:04:45.38 44
False negative means not to detect an object
-
00:04:45.38 - 00:04:45.82 7
that is
-
00:04:45.88 - 00:04:48.67 46
actually there, false positive means to report
-
00:04:48.67 - 00:04:49.61 14
an object that
-
00:04:49.67 - 00:04:50.60 15
does not exist,
-
00:04:50.60 - 00:04:52.33 28
we call this a ghost object.
-
00:04:55.48 - 00:04:57.95 45
Machine learning is a part of many perception
-
00:04:57.95 - 00:04:58.45 11
algorithms,
-
00:04:58.45 - 00:05:01.37 42
in particular in combination with cameras.
-
00:05:01.37 - 00:05:06.06 45
And here we see two almost identical pictures
-
00:05:06.06 - 00:05:07.31 11
provided by
-
00:05:07.42 - 00:05:10.24 27
Carnegie Mellon University.
-
00:05:10.24 - 00:05:12.29 36
You will barely notice a difference,
-
00:05:12.29 - 00:05:13.79 26
but if you look carefully,
-
00:05:13.79 - 00:05:16.32 42
there's a little bit of haze that has been
-
00:05:16.32 - 00:05:16.49 5
added
-
00:05:16.54 - 00:05:17.73 21
to the right picture.
-
00:05:17.73 - 00:05:20.70 37
Now look to the performance parameter
-
00:05:20.70 - 00:05:21.89 25
detection strength on the
-
00:05:21.96 - 00:05:22.29 4
left
-
00:05:22.29 - 00:05:25.49 42
picture for that pedestrian, you can see a
-
00:05:25.49 - 00:05:26.49 17
little pedestrian
-
00:05:26.56 - 00:05:28.63 29
here in a quite unusual pose,
-
00:05:28.63 - 00:05:31.68 25
is still very close to 1.
-
00:05:31.68 - 00:05:33.79 23
On the right side it is
-
00:05:33.79 - 00:05:34.93 12
almost zero,
-
00:05:34.93 - 00:05:38.25 34
so the network has lost all of its
-
00:05:38.35 - 00:05:42.63 45
detection capabilities and you don't even see
-
00:05:42.63 - 00:05:44.34 17
any difference as
-
00:05:44.43 - 00:05:46.15 18
a human spectator.
-
00:05:46.15 - 00:05:48.93 45
The other way around, the false positive rate that
-
00:05:48.93 - 00:05:49.55 9
was quite
-
00:05:49.61 - 00:05:50.66 16
good on the left
-
00:05:50.66 - 00:05:53.69 24
picture increased a lot.
-
00:05:53.69 - 00:05:56.60 18
So how can we test
-
00:05:56.72 - 00:05:58.37 12
something if
-
00:05:58.37 - 00:06:01.04 42
a barely visible minor modification to the
-
00:06:01.04 - 00:06:01.87 15
test case leads
-
00:06:01.93 - 00:06:03.78 31
to a totally different outcome.
-
00:06:07.09 - 00:06:11.66 42
To address all of these issues of ADAS and
-
00:06:11.66 - 00:06:12.38 9
automated
-
00:06:12.48 - 00:06:14.11 16
driving systems,
-
00:06:14.11 - 00:06:18.94 44
a new safety subdiscipline has been created.
-
00:06:18.94 - 00:06:22.17 37
Safety of the intended functionality,
-
00:06:22.17 - 00:06:24.17 24
or SOTIF, as an acronym,
-
00:06:24.17 - 00:06:27.84 35
is a part of safety that deals with
-
00:06:27.84 - 00:06:29.07 25
inappropriate behavior of
-
00:06:29.15 - 00:06:31.76 31
electric and electronic systems
-
00:06:31.76 - 00:06:33.98 38
that is not due to technical failures.
-
00:06:36.49 - 00:06:40.28 43
The discipline of SOTIF covers hazards that
-
00:06:40.28 - 00:06:41.21 10
are caused
-
00:06:41.29 - 00:06:41.55 2
by
-
00:06:41.55 - 00:06:44.87 45
situations in particular rare situations that
-
00:06:44.87 - 00:06:46.72 24
have not been considered
-
00:06:46.79 - 00:06:49.09 31
by the specification or design.
-
00:06:49.09 - 00:06:52.54 44
So that the vehicle is not able to cope with
-
00:06:52.61 - 00:06:53.01 5
them.
-
00:06:53.01 - 00:06:56.28 41
Limitations and weaknesses of the nominal
-
00:06:56.28 - 00:06:57.87 26
performance of sensors and
-
00:06:57.95 - 00:06:59.55 22
perception algorithms,
-
00:06:59.55 - 00:07:02.59 45
disturbances and impairment of perception due
-
00:07:02.59 - 00:07:04.21 23
to the circumstances of
-
00:07:04.28 - 00:07:05.23 14
the situation.
-
00:07:05.23 - 00:07:08.49 32
For example, weather conditions.
-
00:07:08.49 - 00:07:10.10 16
Leaving the ODD,
-
00:07:10.10 - 00:07:13.96 42
which is the operational design domain for
-
00:07:14.05 - 00:07:16.66 29
which the system is intended,
-
00:07:16.66 - 00:07:20.78 45
while driving with enabled automation feature
-
00:07:20.78 - 00:07:20.88 1
.
-
00:07:20.88 - 00:07:22.02 12
And finally,
-
00:07:22.02 - 00:07:24.31 23
human misunderstanding,
-
00:07:24.31 - 00:07:28.51 42
mode confusion or even intentional misuse.
-
00:07:31.93 - 00:07:35.65 42
So SOTIF and FuSa, the functional safety as
-
00:07:35.65 - 00:07:36.39 10
we knew it
-
00:07:36.47 - 00:07:37.05 6
before
-
00:07:37.05 - 00:07:40.71 35
are complementary and interrelated
-
00:07:40.71 - 00:07:42.51 36
subdisciplines of technical safety.
-
00:07:47.14 - 00:07:49.17 24
Let's have a brief look.
-
00:07:49.17 - 00:07:51.25 37
At the applicable standards of SOTIF.
-
00:07:53.73 - 00:07:57.30 40
First of all there is the new ISO 21448,
-
00:07:57.30 - 00:08:02.29 45
which is the main worldwide standard on SOTIF
-
00:08:02.29 - 00:08:02.63 1
.
-
00:08:02.63 - 00:08:07.05 38
It's intended to complement ISO 26262.
-
00:08:07.05 - 00:08:10.84 49
And many of the terminology and wordings are used
-
00:08:10.84 - 00:08:11.77 10
in common.
-
00:08:15.89 - 00:08:18.75 23
Their release planning.
-
00:08:18.75 - 00:08:22.27 36
The ISO PAS 21448, PAS is for publicly
-
00:08:22.27 - 00:08:22.66 9
available
-
00:08:22.74 - 00:08:23.83 14
specification.
-
00:08:23.83 - 00:08:26.80 30
It's a kind of a pre-standard,
-
00:08:26.80 - 00:08:28.87 12
has appeared
-
00:08:28.87 - 00:08:32.00 18
already last year.
-
00:08:32.00 - 00:08:36.54 40
And was targeted at ADAS systems only, so
-
00:08:36.54 - 00:08:37.05 9
level one
-
00:08:37.15 - 00:08:37.86 7
or two.
-
00:08:37.86 - 00:08:40.65 29
A lot has changed since then.
-
00:08:40.65 - 00:08:44.14 48
So I wouldn’t recommend using this standard any
-
00:08:44.14 - 00:08:44.92 11
more today.
-
00:08:44.99 - 00:08:45.62 8
We have,
-
00:08:45.62 - 00:08:47.31 17
since last winter
-
00:08:47.31 - 00:08:50.59 36
a committee draft or CD for short of
-
00:08:50.68 - 00:08:53.22 23
the upcoming ISO 21448.
-
00:08:53.22 - 00:08:58.11 42
This is already a version that is close to
-
00:08:58.11 - 00:08:58.77 8
release.
-
00:08:58.77 - 00:09:01.39 40
Some details of course may still change,
-
00:09:01.39 - 00:09:04.37 30
so it is now under discussion.
-
00:09:04.37 - 00:09:08.06 45
And then it was promised for late 2020 due to
-
00:09:08.14 - 00:09:09.62 18
the Corona crisis,
-
00:09:09.62 - 00:09:13.33 41
I would rather say that it will appear in
-
00:09:13.33 - 00:09:13.50 5
2021,
-
00:09:13.50 - 00:09:17.78 29
the final ISO 21448 standard.
-
00:09:17.78 - 00:09:19.28 24
Unlike the PAS version,
-
00:09:19.28 - 00:09:21.16 29
it will address all levels of
-
00:09:21.22 - 00:09:22.35 18
automated driving,
-
00:09:22.35 - 00:09:23.22 14
not just ADAS.
-
00:09:27.53 - 00:09:32.36 34
Let's have a look at the ISO 21448
-
00:09:32.47 - 00:09:33.49 9
workflow.
-
00:09:33.49 - 00:09:36.69 43
You can see that this is a cyclic workflow.
-
00:09:36.69 - 00:09:39.97 41
Coming from the initial specification and
-
00:09:39.97 - 00:09:40.26 7
design,
-
00:09:40.26 - 00:09:42.26 29
there is the first loop here,
-
00:09:42.26 - 00:09:45.51 44
which is the analytic loop, which consists of
-
00:09:45.51 - 00:09:46.59 15
hazard analysis
-
00:09:46.66 - 00:09:49.90 45
and identification of potential functional
-
00:09:49.90 - 00:09:50.77 12
insufficiencies,
-
00:09:50.77 - 00:09:54.33 26
and triggering conditions.
-
00:09:54.33 - 00:09:56.30 29
The next cycle, second cycle,
-
00:09:56.30 - 00:09:59.31 40
is the verification cycle after a common
-
00:09:59.31 - 00:10:01.25 33
verification and validation planning.
-
00:10:01.25 - 00:10:04.25 45
There is the evaluation of all known hazardous
-
00:10:04.25 - 00:10:05.18 13
scenarios and
-
00:10:05.25 - 00:10:06.39 17
all requirements.
-
00:10:06.39 - 00:10:09.80 42
We will verify if the system complies with
-
00:10:09.80 - 00:10:10.64 13
everything we
-
00:10:10.71 - 00:10:13.07 31
have specified to make it safe.
-
00:10:13.07 - 00:10:16.10 39
But then there is still risk of unknown
-
00:10:16.10 - 00:10:16.78 15
situations that
-
00:10:16.84 - 00:10:19.88 43
can occur in real road testing and have not
-
00:10:19.88 - 00:10:20.08 4
been
-
00:10:20.15 - 00:10:22.72 39
considered yet, so there is a third loop.
-
00:10:22.72 - 00:10:24.47 28
That is the validation loop,
-
00:10:24.47 - 00:10:26.84 40
and this involves a lot of road testing,
-
00:10:26.84 - 00:10:29.57 42
but certainly, in the future more and more
-
00:10:29.57 - 00:10:30.60 20
simulated scenarios.
-
00:10:32.79 - 00:10:36.29 45
You can only proceed to the next cycle if you
-
00:10:36.37 - 00:10:38.63 29
have passed the cycle before.
-
00:10:38.63 - 00:10:42.03 43
There are decision points here and here and
-
00:10:42.03 - 00:10:42.56 8
here and
-
00:10:42.64 - 00:10:46.05 43
whenever you are not passing the cycle then
-
00:10:46.05 - 00:10:46.58 8
you have
-
00:10:46.65 - 00:10:47.64 13
to look back.
-
00:10:47.64 - 00:10:51.97 41
Do some functional modification to reduce
-
00:10:51.97 - 00:10:53.32 15
SOTIF risks and
-
00:10:53.41 - 00:10:56.21 29
then enter in the next cycle.
-
00:10:56.21 - 00:10:59.33 41
There is actually something like a fourth
-
00:10:59.33 - 00:10:59.54 6
cycle.
-
00:10:59.54 - 00:11:01.72 31
This is here on the right side.
-
00:11:01.72 - 00:11:03.97 32
This is after the development cycle.
-
00:11:03.97 - 00:11:05.67 25
This is during operation.
-
00:11:05.67 - 00:11:07.51 26
You still have to do field
-
00:11:07.58 - 00:11:10.38 41
operation and check for additional risks.
-
00:11:14.84 - 00:11:18.36 43
The first comparison we should make between
-
00:11:18.36 - 00:11:20.09 23
applicable standards is
-
00:11:20.16 - 00:11:23.69 37
clearly between ISO 26262 and the new
-
00:11:23.69 - 00:11:23.85 3
ISO
-
00:11:23.93 - 00:11:24.48 6
21448.
-
00:11:24.48 - 00:11:25.24 14
And of course,
-
00:11:25.24 - 00:11:27.03 32
many people are asking: do I have
-
00:11:27.08 - 00:11:28.12 19
to do things twice?
-
00:11:30.22 - 00:11:31.46 16
At first glance,
-
00:11:31.46 - 00:11:34.65 40
these two standards look very different.
-
00:11:34.65 - 00:11:38.01 40
First of all, the ISO 26262 is much more
-
00:11:38.08 - 00:11:38.79 9
detailed,
-
00:11:38.79 - 00:11:41.37 25
much bigger. There are 12
-
00:11:41.37 - 00:11:44.58 43
parts, 12 volumes, and you have very specific
-
00:11:44.58 - 00:11:45.37 13
guidelines on
-
00:11:45.44 - 00:11:46.23 11
everything.
-
00:11:46.23 - 00:11:47.73 21
Hardware development,
-
00:11:47.73 - 00:11:49.31 21
software development,
-
00:11:49.31 - 00:11:50.46 15
system testing,
-
00:11:50.46 - 00:11:53.69 37
supporting processes like configuration
-
00:11:53.69 - 00:11:53.98 11
management.
-
00:11:53.98 - 00:11:57.21 38
You don't find all of this in the much
-
00:11:57.21 - 00:11:57.28 7
shorter
-
00:11:57.35 - 00:11:57.86 3
ISO
-
00:11:57.86 - 00:11:58.21 5
21448
-
00:11:58.21 - 00:11:58.50 1
.
-
00:11:58.50 - 00:12:01.27 38
Also here we see the classical V model
-
00:12:01.34 - 00:12:04.54 44
that is common to most safety standards that
-
00:12:04.54 - 00:12:05.39 12
have existed
-
00:12:05.46 - 00:12:05.96 7
so far.
-
00:12:05.96 - 00:12:09.43 47
And of course it is different from the cyclical
-
00:12:09.43 - 00:12:10.05 5
model
-
00:12:10.13 - 00:12:11.52 18
that we have here.
-
00:12:11.52 - 00:12:12.91 22
But on the other hand,
-
00:12:12.91 - 00:12:15.67 42
you should see that there have always been
-
00:12:15.67 - 00:12:15.97 8
loops in
-
00:12:16.04 - 00:12:16.77 12
the V model.
-
00:12:16.77 - 00:12:19.55 46
If you find something during testing, an issue
-
00:12:19.55 - 00:12:19.61 1
.
-
00:12:19.61 - 00:12:22.32 40
You have to loop back to the left leg so
-
00:12:22.38 - 00:12:25.23 45
the cycles are there, they’re just not drawn.
-
00:12:25.23 - 00:12:25.95 11
And anyway,
-
00:12:25.95 - 00:12:28.38 36
remember that these are just models.
-
00:12:28.38 - 00:12:31.27 39
The actual process has elements of both
-
00:12:31.27 - 00:12:32.18 19
cyclical and V-model
-
00:12:32.24 - 00:12:35.14 44
approach, and is anyway product-specific and
-
00:12:35.14 - 00:12:36.17 17
company-specific.
-
00:12:39.37 - 00:12:42.37 45
Another interesting resource is the technical
-
00:12:42.37 - 00:12:44.90 43
report Safety First for Automated Driving,
-
00:12:44.90 - 00:12:47.83 44
if you compare it, we will find that this is
-
00:12:47.90 - 00:12:50.90 44
also a cyclical approach with different cycles,
-
00:12:50.90 - 00:12:51.63 11
four cycles.
-
00:12:51.63 - 00:12:54.46 42
The inner one is the analysis cycle again,
-
00:12:54.46 - 00:12:57.45 42
then the verification cycle, the validation
-
00:12:57.45 - 00:12:58.58 19
cycle and the field
-
00:12:58.65 - 00:13:01.64 46
operation or field observation cycle, a little bit
-
00:13:01.64 - 00:13:02.84 17
more prominently.
-
00:13:02.84 - 00:13:05.84 37
Here we have the design, and this is an
-
00:13:05.84 - 00:13:05.98 9
important
-
00:13:06.05 - 00:13:07.65 24
aspect in this standard.
-
00:13:07.65 - 00:13:09.18 23
The standard says that
-
00:13:09.18 - 00:13:11.32 31
there must be a balance between
-
00:13:11.38 - 00:13:14.19 42
safety by design and safety by validation,
-
00:13:14.19 - 00:13:17.79 41
because you cannot just test quality into
-
00:13:17.79 - 00:13:18.11 7
a system.
-
00:13:18.11 - 00:13:21.46 38
That is a little bit stronger than the
-
00:13:21.46 - 00:13:22.06 14
somehow hidden
-
00:13:22.13 - 00:13:24.67 34
design and improvement cycle here,
-
00:13:24.67 - 00:13:28.64 41
but both standards match together quite
-
00:13:28.64 - 00:13:29.00 5
well.
-
00:13:29.00 - 00:13:29.82 15
As you can see,
-
00:13:29.82 - 00:13:31.65 32
there's a direct correspondence,
-
00:13:31.65 - 00:13:32.14 9
and yeah,
-
00:13:32.14 - 00:13:34.51 42
the focus on design is perhaps the most
-
00:13:34.57 - 00:13:35.12 15
important hint,
-
00:13:35.12 - 00:13:38.73 38
but there are other good hints in that
-
00:13:38.73 - 00:13:39.29 13
standard that
-
00:13:39.37 - 00:13:40.90 19
you could consider.
-
00:13:40.90 - 00:13:44.04 43
Last but not least, there's a new standard.
-
00:13:44.04 - 00:13:47.77 43
It also appeared this year, 2020, from the US
-
00:13:47.77 - 00:13:48.76 13
certification
-
00:13:48.84 - 00:13:52.41 45
organization UL, you probably have heard of them.
-
00:13:52.41 - 00:13:55.69 39
It deals with a holistic safety case of
-
00:13:55.69 - 00:13:56.72 19
autonomous systems,
-
00:13:56.72 - 00:13:57.60 13
not just road
-
00:13:57.60 - 00:14:00.53 39
vehicles, it can also be airborne vehicles,
-
00:14:00.53 - 00:14:01.47 13
for instance,
-
00:14:01.47 - 00:14:04.03 34
and it puts the safety case in the
-
00:14:04.10 - 00:14:05.56 21
center. Safety cases,
-
00:14:05.56 - 00:14:08.00 33
basically defined as in ISO 26262,
-
00:14:08.00 - 00:14:11.16 39
it's a structured argument with claims,
-
00:14:11.16 - 00:14:12.90 24
arguments and evidence,
-
00:14:12.90 - 00:14:15.29 32
but there is much more stress on
-
00:14:15.36 - 00:14:18.62 42
a good argument and not just listing all the
-
00:14:18.62 - 00:14:19.34 12
documents of
-
00:14:19.42 - 00:14:20.72 18
your test reports,
-
00:14:20.72 - 00:14:21.37 9
whatever.
-
00:14:23.42 - 00:14:26.53 45
Perhaps it is not sufficient alone to develop
-
00:14:26.53 - 00:14:27.57 14
a safe automated
-
00:14:27.64 - 00:14:28.67 15
driving system,
-
00:14:28.67 - 00:14:32.39 44
but it's a good source of best practices and
-
00:14:32.39 - 00:14:33.13 9
checklists
-
00:14:33.22 - 00:14:36.93 45
that you could also consider for your company
-
00:14:36.93 - 00:14:37.68 8
process.
-
00:14:37.68 - 00:14:40.71 43
So we have a lot of standards to follow and
-
00:14:40.78 - 00:14:43.95 41
there are other standards that I have not
-
00:14:43.95 - 00:14:44.52 11
even talked
-
00:14:44.59 - 00:14:47.76 45
about, like homologation standards, standards
-
00:14:47.76 - 00:14:49.24 21
on the performance of
-
00:14:49.24 - 00:14:52.46 48
certain automation functions like AEB or ACC or
-
00:14:52.46 - 00:14:53.17 9
whatever,
-
00:14:53.17 - 00:14:56.38 43
so you cannot work with all these standards
-
00:14:56.38 - 00:14:56.59 4
as a
-
00:14:56.66 - 00:14:57.38 10
developer.
-
00:14:57.38 - 00:15:00.73 41
You have to find your way considering all
-
00:15:00.73 - 00:15:01.62 15
these standards
-
00:15:01.70 - 00:15:05.05 42
that are mandatory for you and define your
-
00:15:05.05 - 00:15:05.72 11
own company
-
00:15:05.80 - 00:15:09.15 43
specific process depending on your position
-
00:15:09.15 - 00:15:10.57 20
in the supply chain.
-
00:15:10.57 - 00:15:14.02 42
Most probably it will look like a blend of
-
00:15:14.02 - 00:15:14.09 5
the V
-
00:15:14.17 - 00:15:17.62 38
model with cycles, of course a cycle here
-
00:15:17.62 - 00:15:18.47 17
between the right
-
00:15:18.54 - 00:15:19.85 17
and the left leg,
-
00:15:19.85 - 00:15:23.55 37
but most probably also cycles between
-
00:15:23.55 - 00:15:25.60 32
analytical and design techniques
-
00:15:25.68 - 00:15:28.73 37
and early validation in the left leg.
-
00:15:28.73 - 00:15:31.06 41
This is something you will have to do and
-
00:15:31.06 - 00:15:33.56 45
probably need some consultancy to apply this.
-
00:15:36.58 - 00:15:38.81 44
What experience have we gained so far with the
-
00:15:38.81 - 00:15:39.50 14
implementation
-
00:15:39.55 - 00:15:41.49 39
of this brand new standard in practice?
-
00:15:44.79 - 00:15:46.70 21
When implementing ISO
-
00:15:46.70 - 00:15:48.76 24
21448 for the first time
-
00:15:48.84 - 00:15:49.76 12
in practice,
-
00:15:49.76 - 00:15:53.14 42
the first thing I did was to elaborate a little
-
00:15:53.14 - 00:15:53.60 8
bit more
-
00:15:53.67 - 00:15:55.86 29
on the analytical techniques.
-
00:15:58.13 - 00:16:01.07 37
If you remember the original picture,
-
00:16:01.07 - 00:16:04.96 39
there was just one analytical box here,
-
00:16:04.96 - 00:16:10.59 43
apart from the hazard identification that I
-
00:16:10.59 - 00:16:12.09 13
used to call
-
00:16:12.09 - 00:16:15.26 39
HARA, by the way, as in ISO 26262, because
-
00:16:15.26 - 00:16:15.54 8
actually
-
00:16:15.61 - 00:16:17.94 33
I don't see much difference here.
-
00:16:17.94 - 00:16:21.07 44
I will elaborate on this a little bit later,
-
00:16:21.07 - 00:16:25.65 46
but let's now look at this chain of the blocks
-
00:16:25.65 - 00:16:25.86 1
.
-
00:16:25.86 - 00:16:28.02 34
Originally there is just one block
-
00:16:28.02 - 00:16:28.33 5
here,
-
00:16:28.33 - 00:16:31.07 42
find out the weaknesses of your system and
-
00:16:31.07 - 00:16:31.19 3
the
-
00:16:31.25 - 00:16:32.59 22
triggering conditions,
-
00:16:32.59 - 00:16:35.22 27
but how to proceed exactly?
-
00:16:35.22 - 00:16:38.23 43
I think it is useful to start with a hazard
-
00:16:38.30 - 00:16:39.28 15
cause analysis.
-
00:16:39.28 - 00:16:42.32 43
Usually I do this with fault tree analysis,
-
00:16:42.32 - 00:16:45.48 46
but you could use failure nets or STPA as well
-
00:16:45.48 - 00:16:45.62 1
.
-
00:16:45.62 - 00:16:48.79 40
This means starting from the hazard I go
-
00:16:48.79 - 00:16:49.21 10
backwards,
-
00:16:49.21 - 00:16:50.93 24
and ask what the causes are.
-
00:16:50.93 - 00:16:53.83 41
Later we will present an example on that.
-
00:16:53.83 - 00:16:56.96 41
This helps to get closer to the technical
-
00:16:56.96 - 00:16:57.93 17
abstraction level
-
00:16:58.00 - 00:17:01.13 42
where the sensors and algorithms come into
-
00:17:01.13 - 00:17:01.34 5
play.
-
00:17:01.34 - 00:17:04.26 21
So when I know that
-
00:17:04.26 - 00:17:07.01 46
forced braking of an AEB system can be caused
-
00:17:07.01 - 00:17:07.20 2
by
-
00:17:07.26 - 00:17:08.18 15
a ghost object.
-
00:17:08.18 - 00:17:09.99 29
Then it's much easier to say,
-
00:17:09.99 - 00:17:10.17 3
OK,
-
00:17:10.17 - 00:17:12.80 42
I have to look for causes that can create
-
00:17:12.87 - 00:17:13.79 15
a ghost object,
-
00:17:13.79 - 00:17:16.74 32
for example on the radar sensor.
-
00:17:16.74 - 00:17:19.74 37
The next thing that I put in front of the
-
00:17:19.74 - 00:17:20.21 14
identification
-
00:17:20.27 - 00:17:23.28 44
of the triggering conditions is a limitation
-
00:17:23.28 - 00:17:24.48 18
weakness analysis.
-
00:17:24.48 - 00:17:28.51 45
This can look quite similar to FMEA or hazard
-
00:17:28.51 - 00:17:28.96 5
guide
-
00:17:29.05 - 00:17:30.31 14
word analysis.
-
00:17:30.31 - 00:17:33.44 40
I'm analyzing my different sensors, their
-
00:17:33.44 - 00:17:35.46 31
physical working principles and
-
00:17:35.53 - 00:17:38.67 46
asking the question: what could make these sensors
-
00:17:38.67 - 00:17:39.50 10
misbehave?
-
00:17:39.50 - 00:17:41.58 31
So if I know how a radar works,
-
00:17:41.58 - 00:17:44.72 45
I can think about a metal reflection that can
-
00:17:44.72 - 00:17:45.06 4
make
-
00:17:45.13 - 00:17:48.27 43
the radar blind and suggest objects that do
-
00:17:48.27 - 00:17:48.97 10
not really
-
00:17:49.04 - 00:17:49.46 6
exist.
-
00:17:49.46 - 00:17:51.40 27
If I know how a camera works,
-
00:17:51.40 - 00:17:54.37 42
I can say OK, darkness could be a problem.
-
00:17:54.37 - 00:17:56.51 30
Reflection could be a problem,
-
00:17:56.51 - 00:17:58.86 32
blinding sun could be a problem.
-
00:17:58.86 - 00:18:01.96 44
This helps a lot. When I know the weaknesses,
-
00:18:01.96 - 00:18:04.95 41
I can better guess triggering conditions.
-
00:18:04.95 - 00:18:06.81 26
The triggering conditions,
-
00:18:06.81 - 00:18:09.32 38
finally are a very central term in ISO
-
00:18:09.39 - 00:18:12.62 41
21448 and also make the connection to the
-
00:18:12.62 - 00:18:13.12 7
testing
-
00:18:13.19 - 00:18:16.41 45
and simulation, because triggering conditions
-
00:18:16.41 - 00:18:18.49 29
are things in the environment
-
00:18:18.49 - 00:18:19.65 10
that could
-
00:18:19.65 - 00:18:24.40 41
activate the weakness or limitation of my
-
00:18:24.40 - 00:18:25.35 10
perception
-
00:18:25.35 - 00:18:28.47 43
to create something. So a camera that has a
-
00:18:28.47 - 00:18:28.54 3
low
-
00:18:28.61 - 00:18:31.74 43
light sensitivity is not a problem when you
-
00:18:31.74 - 00:18:32.44 11
are driving
-
00:18:32.51 - 00:18:33.83 19
in bright sunlight,
-
00:18:33.83 - 00:18:38.67 42
but it is a problem when you're driving at
-
00:18:38.67 - 00:18:39.10 6
night.
-
00:18:39.10 - 00:18:40.88 26
For the rest of the cycle,
-
00:18:40.88 - 00:18:43.85 38
I didn't change a lot because I rather
-
00:18:43.85 - 00:18:44.38 14
specialized in
-
00:18:44.45 - 00:18:47.42 40
the analytical techniques and not on the
-
00:18:47.42 - 00:18:49.47 35
validation verification techniques.
-
00:18:53.85 - 00:18:56.78 41
The next question we had to address is how to
-
00:18:56.78 - 00:18:56.84 4
deal
-
00:18:56.91 - 00:18:57.76 13
with the ODD,
-
00:18:57.76 - 00:19:01.47 39
which is the operational design domain.
-
00:19:01.47 - 00:19:04.80 48
This is the operating space for which the system
-
00:19:04.80 - 00:19:05.69 12
is intended,
-
00:19:05.69 - 00:19:09.00 43
and of course it is an important foundation
-
00:19:09.00 - 00:19:09.45 7
for all
-
00:19:09.52 - 00:19:11.29 24
kind of hazard analysis,
-
00:19:11.29 - 00:19:13.99 28
but also for the validation.
-
00:19:13.99 - 00:19:17.96 40
We have to find all relevant aspects and
-
00:19:17.96 - 00:19:18.66 12
partition them
-
00:19:18.75 - 00:19:19.46 8
somehow.
-
00:19:19.46 - 00:19:22.73 44
One obvious solution was using the situation
-
00:19:22.73 - 00:19:23.82 15
catalog that we
-
00:19:23.90 - 00:19:27.17 44
have in Medini, which has always been used for
-
00:19:27.17 - 00:19:27.61 6
hazard
-
00:19:27.68 - 00:19:28.34 8
analysis and
-
00:19:28.34 - 00:19:31.64 35
risk assessment, and to use this for
-
00:19:31.64 - 00:19:32.45 20
specification of the
-
00:19:32.52 - 00:19:32.96 4
ODD.
-
00:19:32.96 - 00:19:36.26 38
So we have here in the table different
-
00:19:36.26 - 00:19:36.85 14
locations like
-
00:19:36.92 - 00:19:37.73 13
country road,
-
00:19:37.73 - 00:19:41.05 45
freeway or specific things like mountain pass
-
00:19:41.05 - 00:19:41.12 1
,
-
00:19:41.12 - 00:19:43.94 41
we have road conditions: paved, wet roads,
-
00:19:43.94 - 00:19:44.54 12
snow or ice.
-
00:19:44.54 - 00:19:47.90 44
We have different environments like different
-
00:19:47.90 - 00:19:48.95 13
visibility or
-
00:19:49.03 - 00:19:50.45 19
weather conditions.
-
00:19:50.45 - 00:19:54.20 35
Traffic and people, item uses, such as
-
00:19:54.20 - 00:19:55.36 20
maneuvers, braking,
-
00:19:55.36 - 00:19:59.10 45
general driving, speed ranges, and optionally
-
00:19:59.10 - 00:20:01.84 34
also further situation properties.
-
00:20:01.84 - 00:20:05.59 45
We can assign an exposure parameter according to
-
00:20:05.59 - 00:20:06.43 10
ISO 26262.
-
00:20:06.43 - 00:20:11.09 40
Because we're going to use this also for
-
00:20:11.09 - 00:20:11.30 3
the
- 00:20:11.40 - 00:20:12.65 12