PAGE 1
Amardeep Sidhu, Shabin Mahadevan
STPA Analysis of Safety Measures for Zenuity’s Auto Valet Parking Demo
PAGE 2
Zenuity - set up
Volvo Cars will directly source the AD, ADAS software
Zenuity develops AD, and ADAS software reference platform (hardware agnostic)
Veoneer markets, licenses, & adapts to customer needs
Safety Agility Flexibility
PAGE 3
Background
• Autonomous Valet Parking (AVP) feature
• AVP demo at Consumer Electronics Show (CES) Jan 2019
PAGE 4
Objectives & Rationale
• Evaluate safety measures for autonomous valet parking and summon during Zenuity’s AVP demo
• Informed decision on manned (safety driver) vs. driverless demo
• STPA was chosen to evaluate the safety due to:
  • Multi-agent nature of the demo
  • Complex interactions
PAGE 5
System under study: ConOps

Demo phases:
1. Autonomous parking maneuver start
2. Autonomous parking maneuver end
3. Autonomous summon maneuver start
4. Autonomous summon maneuver end

Human actors:
> Demo manager (DM)
> E-stop operator (ESO)
> Vehicle Signal Monitor (VSM)
> Maintenance team

[Figure: 4 demo vehicles running loop + 1 stationary safety vehicle, with demo phases 1 to 4 marked on the loop]
PAGE 6
Zooming into the E-stop system

[Figure: one safety vehicle, carrying the E-stop operator (ESO) and signal monitor (SM), and four demo vehicles. Diagram labels: Verbal; Visual signals; E-stop transmitter device; E-stop receiver device; Actuation & LED feedback]

• Safety vehicle has two pairs of SM and ESO
• Each SM and ESO pair is assigned to two demo vehicles
PAGE 7
STPA Step 1: defining purpose of the analysis
Losses
• L-1 = AV collision with vulnerable road user (VRU)
• L-2 = AV gets damaged
• L-3 = Loss of reputation

Hazards
• H-1 = AV does not maintain safe distance to VRU [L-1, L-3]
• H-2 = AV leaves the designated demo zone [L-1, L-2, L-3]
• H-3 = AV does not maintain safe distance to another AV [L-2, L-3]
• H-4 = AV does not maintain safe distance to structure [L-2, L-3]
• H-5 = AV activates without request during autonomous maneuver [L-3]
• H-6 = AV activates due to incorrect request during autonomous maneuver [L-3]
• H-7 = AV does not respond to requests during autonomous maneuver [L-1, L-2, L-3]

Process model variables
• Emergency: Yes, No
• Vehicle: Stationary, Moving
PAGE 8
STPA Step 2: modeling the control structure
PAGE 9
STPA Step 3: identifying unsafe control actions
Control action: E-stop button press

Sr. No. | Command | Emergency | AV | Not providing causes hazard | Providing causes hazard | Too early, too late | Stopped too early, applied too soon | UCA | Controller constraint
1 | E-stop button press | Yes | moving | H-1, H-2, H-3, H-4 | - | - | - | UCA-1: E-stop is not provided when an emergency is observed and the vehicle is moving | C-1: E-stop must be realized when an emergency is observed and the vehicle is moving
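To make the Step 3 bookkeeping concrete, here is an added Python example (not from the slides or from Zenuity) that encodes the losses, hazards and process model variables above, enumerates the context table for the E-stop control action, and checks UCA to hazard to loss traceability; the dictionary layout and function names are this example's own assumptions.

```python
from itertools import product

# Losses and hazards as stated on the Step 1 slide; the dict layout is this example's own
LOSSES = {"L-1": "AV collision with VRU", "L-2": "AV gets damaged", "L-3": "Loss of reputation"}
HAZARD_TO_LOSSES = {
    "H-1": {"L-1", "L-3"}, "H-2": {"L-1", "L-2", "L-3"}, "H-3": {"L-2", "L-3"},
    "H-4": {"L-2", "L-3"}, "H-5": {"L-3"}, "H-6": {"L-3"}, "H-7": {"L-1", "L-2", "L-3"},
}
PROCESS_MODEL = {"Emergency": ("Yes", "No"), "Vehicle": ("Stationary", "Moving")}
UCA_TYPES = ("not providing", "providing", "too early / too late",
             "stopped too early / applied too soon")
# UCA-1 and C-1 from the Step 3 table (hazard links as given in that row)
UCAS = {"UCA-1": {"action": "E-stop button press", "type": "not providing",
                  "context": {"Emergency": "Yes", "Vehicle": "Moving"},
                  "hazards": {"H-1", "H-2", "H-3", "H-4"}}}
CONSTRAINTS = {"C-1": {"ucas": {"UCA-1"}}}

def context_table(action, variables=PROCESS_MODEL, uca_types=UCA_TYPES):
    """Every (action, context, UCA type) cell that Step 3 has to judge for one control action."""
    names = list(variables)
    return [(action, dict(zip(names, values)), uca_type)
            for values in product(*(variables[n] for n in names))
            for uca_type in uca_types]

def losses_for_uca(uca_id):
    """Trace UCA -> hazards -> losses, the chain the bracketed ids on the slides encode."""
    losses = set()
    for hazard in UCAS[uca_id]["hazards"]:
        losses |= HAZARD_TO_LOSSES[hazard]
    return losses

def traceability_gaps():
    """Dangling references: a hazard with no loss, a UCA or constraint citing an unknown id."""
    gaps = []
    for hazard, losses in HAZARD_TO_LOSSES.items():
        if not losses or not losses <= set(LOSSES):
            gaps.append(f"{hazard} does not trace to a known loss")
    for uca, spec in UCAS.items():
        if not spec["hazards"] <= set(HAZARD_TO_LOSSES):
            gaps.append(f"{uca} cites an unknown hazard")
    for constraint, spec in CONSTRAINTS.items():
        if not spec["ucas"] <= set(UCAS):
            gaps.append(f"{constraint} cites an unknown UCA")
    return gaps

def uncovered_cells(action):
    """Context-table cells not yet tied to a UCA: each still needs a hazardous / not hazardous verdict."""
    key = lambda a, ctx, t: (a, tuple(sorted(ctx.items())), t)
    covered = {key(u["action"], u["context"], u["type"]) for u in UCAS.values()}
    return [cell for cell in context_table(action) if key(*cell) not in covered]
```

With only UCA-1 recorded, 15 of the 16 context-table cells for the E-stop action remain unjudged, which is the backlog the remaining rows of the Step 3 table would work through.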
PAGE 10
STPA Step 4: identify loss scenarios (UCA-1)
UCA-1: E-stop is not provided when an emergency is observed and the vehicle is moving [H-1, H-2]
UCA-1.S1: E-stop operator does not know it is an emergency due to missing/incomplete signals available to the E-stop operator.
PAGE 11
STPA Step 4: identify loss scenarios (C-1)
C-1: E-stop must be realized when an emergency is observed and the vehicle is moving [UCA-1]
C-1.S3: Commercial controller fails to convert E-stop brake request to brake command
PAGE 12
Key results
1. Derived non-material solutions (operational requirements)
   • Not having more than one moving AV in the demo zone at any given time
2. Identified the need for a dedicated engineer (signal monitor) to complement ESO
   • Monitoring vehicle signals not visible to the E-stop operator
3. Identified the need for a redundant brake implementation
   • Single point failures of off-the-shelf intermediate controller
4. Recommended protected access to the AVP mobile app
5. Demo checklist with roles and expectations were created for demo training
   • For stakeholders both internal (Zenuity) and external (Veoneer)
6. Systems engineering and STPA artifacts from this analysis were instrumental in driving clarity and a common language across the organization
   • ConOps, functional control structures, control diagrams
PAGE 13
Video from CES Demo (1.5x)
PAGE 14
Next Steps
• Extending system boundary to consider additional control loops in the AVP feature
• Integrating STPA into Zenuity’s systems engineering process
• Improve human controller analysis using the STPA Engineering for Humans extension