Scenarios for Development, Test and Validation of Automated Vehicles.pdf

Libria

345

7页

0次

2021-02-22

50墨值下载

Scenarios for Development, Test and Validation

of Automated Vehicles

Till Menzel, Gerrit Bagschik and Markus Maurer

Institute of Control Engineering

Technische Universität Braunschweig

Braunschweig, Germany

Email: {menzel, bagschik, maurer}@ifr.ing.tu-bs.de

Abstract—The latest version of the ISO 26262 standard from

2016 represents the state of the art for a safety-guided develop-

ment of safety-critical electric/electronic vehicle systems. These

vehicle systems include advanced driver assistance systems and

vehicle guidance systems. The development process proposed in

the ISO 26262 standard is based upon multiple V-models, and de-

ﬁnes activities and work products for each process step. In many

of these process steps, scenario based approaches can be applied

to achieve the deﬁned work products for the development of

automated driving functions. To accomplish the work products of

different process steps, scenarios have to focus on various aspects

like a human understandable notation or a description via state

variables. This leads to contradictory requirements regarding

the level of detail and way of notation for the representation of

scenarios. In this paper, the authors discuss requirements for the

representation of scenarios in different process steps deﬁned by

the ISO 26262 standard, propose a consistent terminology based

on prior publications for the identiﬁed levels of abstraction, and

demonstrate how scenarios can be systematically evolved along

the phases of the development process outlined in the ISO 26262

standard.

I. INTRODUCTION

Driver assistance systems and automated systems reaching

SAE Levels 1 and 2 [1] have already been introduced to

the market. Level 3 (conditional automation) and 4 (high

automation) systems are announced to follow (Audi trafﬁc

jam pilot [2] or Waymo self driving cars [3]). A challenge

for the introduction of higher levels of automation is to assure

that these vehicle systems behave in a safe way. For driver

assistance systems, this proof is furnished by driving many

test kilometers on test grounds and public roads. However, for

higher levels of automation a distance-based validation is not

an economically acceptable solution [4].

As an alternative to the distance-based validation we in-

troduce a scenario-based approach. The key idea is to pur-

posefully vary and validate the operating scenarios of the

automated vehicle. Therefore, the systematic derivation of

scenarios and further assumptions have to be documented

along the development process to ensure a traceable scenario

generation.

The ISO 26262 standard is a guideline for the development

of safety-critical electric/electronic vehicle systems and thus

provides a framework for the development of vehicle guidance

systems under the aspect of functional safety. According to the

ISO 26262 standard, scenarios can be utilized to support the

development process. For instance, scenarios can help to derive

requirements, to develop the necessary hardware and software

components, and to prove the safety of these components in the

test process. When creating test cases, scenarios are necessary

for generating consistent input data for the test object in any

case. Nevertheless, these different applications of scenarios

result in distinct requirements for scenario representation in

each development phase of the ISO 26262 standard.

This contribution proposes three abstraction levels for sce-

narios along a V-model-based development process. In this

way, scenarios can be identiﬁed on a high level of abstraction

in the concept phase and be detailed and concretized along

the development process. This allows a structured approach,

starting from the item deﬁnition according to the ISO 26262

standard, followed by the hazard analysis and risk assessment

(HARA), and ending up with the necessary test cases for

safety veriﬁcation and validation. Thus, the authors suggest

an extended deﬁnition of the term ‘scenario’ based on the

deﬁnition of Ulbrich et al. [5] and introduce the abstraction

levels of functional, logical, and concrete scenarios. A German

version of this paper has been published at a workshop on

driver assistance systems [6].

The paper is structured as follows: Section II gives a

short motivation based on selected related work regarding

scenarios in the development process for automated driving

functions, utilized levels of abstraction for scenarios, and

existing deﬁnitions of the term scenario. Section III derives

and analyzes requirements for the representation and usage of

scenarios in the development process of the ISO 26262 stan-

dard. Afterwards, section IV deﬁnes three layers of abstraction

for scenarios and shows how these scenario representations can

be converted into each other along the development process.

Finally, section V gives a short conclusion.

II. RELATED WORK

Ulbrich et al. [5] analyze the term scenario across multiple

disciplines and propose a consistent deﬁnition for the domain

of automated vehicles. In this paper, the authors use the term

scenario referring to the deﬁnition of Ulbrich et al. [5].

2018 IEEE Intelligent Vehicles Symposium (IV)

Changshu, Suzhou, China, June 26-30, 2018

Go and Carroll [7] point out that scenarios have a different

use across various disciplines, but the elements utilized to

describe a scenario are similar in all cases. Thereby, scenarios

can be described in several levels of detail and different forms

of notation. Scenarios may be expressed in formal, semi-

formal, or informal notation [7]. This distinction hints at mul-

tiple levels of abstraction of scenarios along the development

process for automated vehicles.

Bergenhem et al. [8] point out that complete requirements

for vehicle guidance systems

can only be achieved by a

consistent, traceable, and veriﬁable process of requirements

engineering in accordance with the V-model.

Several publications suggest approaches which utilize sce-

narios to generate work products along the development pro-

cess for automated vehicles. Bagschik et al. [9] develop a

procedure for the generation of potentially hazardous scenarios

within the process step of a hazard analysis and risk assess-

ment, as suggested by the ISO 26262 standard. This procedure

utilizes an abstract description of the trafﬁc participants and

the scenery in natural language. All possible combinations of

scenario elements are analyzed incorporating descriptions of

functional failures in a limited use case of an SAE Level 4

[1] vehicle guidance system within the scope of the project

Unmanned Protective Vehicle for Highway Hard Shoulder

Road Works (aFAS

) [10].

Schuldt et al. [11] motivate a scenario-based test process

and present a systematic test case generation by use of a 4-

layer-model.

Bach et al. [12] propose a model-based scenario representa-

tion with spatial and temporal relations as a general scenario

notation along the development process of the ISO 26262

standard. This scenario representation is implemented prototy-

pically for scenarios of an ACC-system on motorways and the

results are presented.

The mentioned publications utilize scenarios with different

levels of abstraction for the functional and safety development

of vehicle guidance systems. The term ‘scenario’ has not

been deﬁned uniformly, which makes it difﬁcult to achieve a

consistent understanding regarding the role of scenarios in the

development process. For this reason, the authors will derive

and analyze requirements on scenarios in the following part.

III. SCENARIO-BASED DESIGN AND TEST PROCESS

REFERRING TO THE ISO 26262 STANDARD

The ISO 26262 standard from 2016 [13] represents the

state of the art for developing vehicle guidance systems with

regard to functional safety

. An overview of the development

process proposed in the ISO 26262 standard is shown in Fig. 1.

The process steps which may utilize scenarios to generate the

demanded work products are highlighted in red.

To the authors’ opinion, it is impossible to generate a complete set of

requirements for higher levels of automation.

This abbreviation is derived from the German project name.

The overall system development for vehicle guidance systems includes

additional parallel development processes, which cover other aspects like

function development.

Scenarios may support the whole development process of

the ISO 26262 standard from the concept phase via the techni-

cal product development through to the system veriﬁcation and

validation. Hence, it is mandatory to deﬁne the requirements

on scenarios resulting from the different process steps. These

requirements allow a consistent deﬁnition of abstraction levels

for the use of scenarios throughout the whole development

lifecycle. The following sections refer to the work products of

the development process deﬁned by the ISO 26262 standard

and derive requirements on scenarios for the highlighted

process steps.

A. Scenarios in the concept phase

Prior to the technical development, the concept for the item

under development is speciﬁed. During the concept phase of

the ISO 26262 standard (part 3) the item is deﬁned, a hazard

analysis and risk assessment is conducted, and a functional

safety concept is developed.

The item deﬁnition shall include a description of the functi-

onal concept, system boundaries, the operational environment,

the legal requirements, and the dependencies on other items.

Based on this information, possible operating scenarios can

be derived. Reschka [14] proposes to identify safe driving

states and specify the nominal behavior based on the operating

scenarios. The operating scenarios in this process step shall be

described in an abstract level of detail and be represented in

a human understandable way (textual description).

The next process step deﬁned by the ISO 26262 standard

which uses scenarios is the hazard analysis and risk assess-

ment. The hazard analysis and risk assessment consists of

two steps: the situation analysis and the hazard identiﬁcation,

and the classiﬁcation of hazardous events. In the situation

analysis, all operational situations

and operating modes in

which malfunctioning behavior will result in a hazardous event

shall be described. Whereby, malfunctioning behavior can be

interpreted as deviation from the speciﬁed nominal behavior.

Afterwards, hazardous scenarios, which include a combination

of operational scenarios and malfunctioning behavior, will be

rated using the automotive safety integrity level (ASIL). The

parameters for the ASIL classiﬁcation are the exposure of

the operational scenario, the possible severity, and the con-

trollability of the hazardous scenario

. In order to determine

these parameters, the description of hazardous scenarios has

to include the stationary surroundings (scenery) and all trafﬁc

participants which may interact with the automated vehicle.

According to the actual state of the art, the analysis of

hazardous scenarios is performed by experts. Hence, hazar-

dous scenarios have to be formulated in natural language.

Depending on their area of expertise, human experts vary in

the level of detail regarding the terms they use to describe

The authors point out that the term ‘operational situation’ as it is used in

the ISO 26262 standard should be declared as ‘operational scenario’ according

to Ulbrich et al. [5].

The controllability of a scenario includes the controllability by the dri-

ver/passenger of the automated vehicle and the controllability by other trafﬁc

participants.

1822