Embed Size (px)
Citation preview
Toward a Comprehensive Assurance Argument for the Release of Automated Vehicles Challenges, Insights, and First Results from the Research Project “VVMethods”
Marcus Nolte1, Jan Reich2, Tino Brade3, Roland Galbas3, Thomas Goeppel3, Frank Junker3, Thomas Kirschbaum3, Thomas Corell4, Björn Filzek4
1 TU Braunschweig, Institut f. Regelungstechnik, 2 Fraunhofer IESE, 3 Robert Bosch GmbH, 4 Continental Teves AG & Co. oHG
Several industry players have recently started offering services implemented by automated vehicles
Safety remains key question
Needs to be built-in, not bolt-on!
“How safe is safe enough?” is still not fully answered.
Motivation
04.06.2021 | 28. SafeTRANS INDUSTRIAL DAY | Marcus Nolte
2
VV-METHODS PEGASUS family – Publicly-funded projects in Germany
The PEGASUS Family focuses on development / testing methods and tools for AD systems on highways and in urban environments
20192016+ future projects of the PEGASUS Family
• Scope: Basic methodological framework• Use-Case: L3/4 on highways• Partners: 17
Time
PEGASUShttps://www.pegasusprojekt.de/en/home
SET Level 4to5• Scope: Simulation platform, toolchains,
definitions for simulation-based testing• Use-Case: L4/5 in urban environments• Partners: 20 partners• Timeline: 03/2019 – 08/2022
VV-Methods• Scope: Methods, toolchains,
specifications for technical assurance• Use-Case: L4/5 in urban environments• Partners: 23 partners• Timeline: 07/2019 – 06/2023
04.06.2021 | 28. SafeTRANS INDUSTRIAL DAY | Marcus Nolte
3
VV-METHODS – Project setup
OEM
Tier-1
Eval
Science
Tech
Funded by Ministry of Economics and Technology (BMWi) Start, Runtime 07/2019, 4 years Budget total 47M€Partners
04.06.2021 | 28. SafeTRANS INDUSTRIAL DAY | Marcus Nolte
4
Systematic control of test spaceMethods to optimize (and reduce) the testparameter space to a manageable minimum
Consistent interfaces for assurance argumentation, systems and components across the supply chain
Definition of incremental tests of subsystems and overall systems
Significant shift from real-world testing to simulationMethods for seamless testing across all test instances
…and a coherent assurance argument linking the developed methods.
VV-METHODS – Main goals
∞→ n
HIL
SIL
MIL
VEH
Sim
ulat
ion
04.06.2021 | 28. SafeTRANS INDUSTRIAL DAY | Marcus Nolte
5
incompleterequirements
based on(Winner & Wachenfeld, 2013)
based on(Lefèvre et al., 2014)
measurementuncertainty
uncertain behaviorof others
Automated vehicles will NOT be infallible!
Risk
incompleteknowledge
04.06.2021 | 28. SafeTRANS INDUSTRIAL DAY | Marcus Nolte
6
possibly incompleteV&V process
Our current traffic system is an open system
Largely works, because human drivers accept the risk that comes with moving in traffic
This inherent risk is obviously accepted by society. A principle of trust (most often) applies for human drivers: „Do not always expect the unexpected.“ Worst-case assumptions lead to blocked roads!
risk
partially based on (Gasser & Frey 2018), IfR „Oberseminar“
uncertainty
incompleteness
What does apply to automated agents?
“Safe enough” = “Safer than a human”?
04.06.2021 | 28. SafeTRANS INDUSTRIAL DAY | Marcus Nolte
7
How can we argue for the abscence of unreasonable risk in an open context?
…in a comprehensible manner for a variety of stakeholders?
… to ensure (& enhance) public trust in the technology?
…while not knowing what „reasonable“ really means?
Challenges for a coherent assurance argument
04.06.2021 | 28. SafeTRANS INDUSTRIAL DAY | Marcus Nolte
8
Traceable decomposition & continuous validation of claims
04.06.2021 | 28. SafeTRANS INDUSTRIAL DAY | Marcus Nolte
interpretationof claims
continuousV&V
of claims
Daten von OpenStreetMap - Veröffentlicht unter ODbL
Enable argumentation that safety case will remain valid, even if system context changes.
Traceable decomposition / interpretation of claims (assumptions)Continuous post-release verification & validation w.r.t new findings: Do assumptions still hold?
9
There is more to an assurance argument than an ISO 21448- / UL4600-compliant notation
04.06.2021 | 28. SafeTRANS INDUSTRIAL DAY | Marcus Nolte
claim
argument
sub claim
argument
evi-dence
sub claim
argument
sub claim
argument
evi-dence
evi-dence
Not necessarily self-explaining, i.e. accessible for every stakeholder
No direct connection between the argument’sstructure & processes for evidence generation
VVM addresses:Methods for a structured decomposition of claimsMethods for generating evidence to support arguments
methods, processes
artefacts
How do we link methods, artefacts, evidence & argumentation structure?
? ? ?
10based on (Reich, 2021)
claim
data
What does VVM do?
04.06.2021 | 28. SafeTRANS INDUSTRIAL DAY | Marcus Nolte
claim
data
arguments claim
data
arguments
sub claim
sub claim
providesevidence
providesevidence
methods for a structuredargumentation for (sub) claims
methods for a structuredgeneration of evidence to
support arguments
based on (Reich, 2021), (Brade, 2021)11
claim
data
What does VVM do?
04.06.2021 | 28. SafeTRANS INDUSTRIAL DAY | Marcus Nolte
claim
data
arguments claim
data
arguments
sub claim
sub claim
providesevidence
providesevidence
methods for a structuredargumentation for (sub) claims
methods for a structuredgeneration of evidence to
support arguments
based on (Reich, 2021), (Brade, 2021)
positive risk balance achieved
risk balance is positive if accident
rate of AD system is lower than given
reference
enables the comparison so that we can say whether risk balance
is positive or not
Accident rate of reference system is comparable with AD
system
accident rate of reference system
has been measured /w sufficient
integrity
12
What we found, we need to connect methods, artefacts, evidence & argumentation structure:
A suitable level of abstraction to argue thedecomposition of the open context
Possibility to argue for available evidence from a positive & negative perspective
Separation of concerns to provide overview &allow deep dives where neccessary
(System- / Enterprise-) architecture as integral partof the safety argument
Compliance to relevant industry standards
Requirements for a coherent, comprehensible and traceable safetyargument
04.06.2021 | 28. SafeTRANS INDUSTRIAL DAY | Marcus Nolte
„slicing the elephant“
13
StandardsOperational Concept
Vehicle in traffic Verification & ValidationVehicle as a productCon Op. Interpretation / Decomposition
system / organizational
capabilities
Engineering Layer
Execution/Real World Layer
Capability Layer
High level assurance argument structure
interpretation / decomposition
evidencefor release
claims & open context V&V concept
realization and V&V of capabilities in a “controlled” environment
realization and V&V of capabilities in the real environment
interfaces to existing
standards
04.06.2021 | 28. SafeTRANS INDUSTRIAL DAY | Marcus Nolte
14(Reich, 2021)
StandardsOperational Concept
Vehicle in traffic Verification & ValidationVehicle as productCon Op. Interpretation / Decomposition
system / organizational
capabilities
Engineering Layer
Execution/Real World Layer
Capability Layer
High level assurance argument structure
interpretation / decomposition
evidencefor release
claims & open context V&V concept
realization and V&V of capabilities in a “controlled” environment
realization and V&V of capabilities in the real environment
interfaces to existing
standards
consistent intra-layer argument
04.06.2021 | 28. SafeTRANS INDUSTRIAL DAY | Marcus Nolte
15
consistent intra-layer argument
consistent intra-layer argument
StandardsOperational Concept
Vehicle in traffic Verification & ValidationVehicle as productCon Op. Interpretation / Decomposition
system / organizational
capabilities
Engineering Layer
Execution/Real World Layer
Capability Layer
High level assurance argument structure
interpretation / decomposition
evidencefor release
claims & open context V&V concept
realization and V&V of capabilities in a “controlled” environment
realization and V&V of capabilities in the real environment
interfaces to existing
standards
04.06.2021 | 28. SafeTRANS INDUSTRIAL DAY | Marcus Nolte
16
traceablerealization ofcapabilities &
inter-layerargument
traceablerealization ofcapabilities &
inter-layerargument
Capability Layer: Linking enterprise & individual vehicle
„capability architecture“ is anestablished concept in manyEnterprise Architecture Frameworks(DoDAF, MODAF, NAF, UAF,…)
How can an OEM / mobility serviceprovider safely design & operatea(n) (fleet of) automated vehicle(s)?
bridging enterprise architecture & systems engineeringby leveraging a duality between system & enterprise‘s capabilities
Which capabilities does the vehicle need to safely operate in traffic?Which capabilities does the enterprise need to monitor safe operation?
04.06.2021 | 28. SafeTRANS INDUSTRIAL DAY | Marcus Nolte
17
Standards
ISO
214
48
ISO
262
62
ISO
508
3
Operational Concept
Vehicle in traffic Verification & Validation
Strategic V&V Concept
V&VEvaluation
Vehicle as productCon Op. Interpretation / Decomposition
Architectural Design&
Technical Realization
Technical V&V Design&
RealizationEngineering Layer
All capabilities needed for product development and operation
Physical Designfor
Interaction with Real World & Open Context“Real World” V&VExecution/Real World Layer
Claims (§ Law, Society,
Market, Economy)
Operational Domain (OD)
State of the art
Top Goals (Compliance, Market..)
Sub goals (Safety Security, Reliability, Privacy…)
ODD
Capabilities required for system’s
target behavior in traffic sub use-case
Capability Layer
Capabilities for Organization
to design & monitor system's target behavior
Details…
Target Behavior in Traffic Sub-Use Case
Traffic Sub-Use Case
04.06.2021 | 28. SafeTRANS INDUSTRIAL DAY | Marcus Nolte
18
Focus on capability layerfinding a suitable level of abstraction for the formulation of capabilitiesconnecting organizational & system capabilitiesincluding capabilities as integral part of the safety case
Integrating developed methods in the project with the 3-layer structure
Assigning evidence generated by those methods to the 3-layer structure
Connecting existing standards to the 3-layer structure
Current work
04.06.2021 | 28. SafeTRANS INDUSTRIAL DAY | Marcus Nolte
19
Structure seems to provide a helpful „bridge“ to fulfill the project goals w.r.t coming up with a coherent & traceable safety argument, acknowledging the challenges of the open context!
There is more to a coherent assurance argument than the notation of a safety case
VVM contributes by
Tackeling the complexity of the assurance argument by means of separation of concernsLinking methods, artefacts, evidence and argumentation structure in a structured & traceable manner.Implementing a capability-based concept that allows for a coherent argument across claims, architecture, evidence in an open context on an organizational & system level
Conclusion
04.06.2021 | 28. SafeTRANS INDUSTRIAL DAY | Marcus Nolte
20
Vielen Dank für Ihre Aufmerksamkeit!
Kontakt:Marcus NolteTU BraunschweigInstitut für Regelungstechnik
[email protected] +49 531 391 3827https://www.researchgate.net/profile/Marcus_Nolte
https://www.linkedin.com/in/marcus-nolte-95974a143/
Literatur
04.06.2021 | 28. SafeTRANS INDUSTRIAL DAY | Marcus Nolte
22
Lefèvre, S., Vasquez, D. & Laugier, C. (2014) A survey on motion prediction and risk assessment for intelligent vehicles. Robomech J 1, 1 https://doi.org/10.1186/s40648-014-0001-z
Winner, H., Wachenfeld, W. (2013). Absicherung automatischen Fahrens. 6. FAS-Tagung München.
Gasser, T., Frey, A. (2018), Oberseminar am IfR, Braunschweig
Reich, J., Galbas, R., Kirschbaum, T., Junker, F., Corell, T., Filzek, B. (2021) Herausforderungen und Lösungsansätze für die durchgängige Freigabeargumentation von automatisierten Fahrfunktionen – Erste Ergebnisse aus dem BMWi „V&V Methoden“-Projekt. TÜV SÜD safe.tech Tagung
Brade, T. (2021) Insights into the VVM Argumentation Chain (internal presentation)
