CN111103866A - Adaptive cruise development and test method based on expected functional safety - Google Patents
Adaptive cruise development and test method based on expected functional safety
- Publication number: CN111103866A (application CN201911321150.1A)
- Authority: CN (China)
- Prior art keywords: acc, expected, risk, dangerous, functional safety
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS > G05—CONTROLLING; REGULATING > G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS > G05B23/00—Testing or monitoring of control systems or parts thereof > G05B23/02—Electric testing or monitoring > G05B23/0205—Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults > G05B23/0208—Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterized by the configuration of the monitoring system
  - G05B23/0213—Modular or universal configuration of the monitoring system, e.g. monitoring system having modules that may be combined to build monitoring program; monitoring system that can be applied to legacy systems; adaptable monitoring system; using different communication protocols
  - G05B23/0216—Human interface functionality, e.g. monitoring system providing help to the user in the selection of tests or in its configuration
- G—PHYSICS > G06—COMPUTING; CALCULATING OR COUNTING > G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR > G06Q10/00—Administration; Management > G06Q10/06—Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling > G06Q10/063—Operations research, analysis or management > G06Q10/0635—Risk analysis of enterprise or organisation activities
Abstract
The invention discloses an adaptive cruise development and test method based on expected functional safety, comprising the following steps: step one, standardizing the expected functional content of an ACC; step two, identifying and evaluating hazards due to the expected functionality of the ACC; step three, identifying and evaluating the triggering events of the ACC; step four, improving the expected function of the ACC to reduce the risk; step five, verifying the known risks of the ACC; step six, verifying the unknown risks of the ACC; and step seven, confirming the expected functional safety of the ACC. Advantages: the safety and reliability of the ACC are guaranteed, and the safety risk caused by unexpected system behaviour in the non-failure condition of the ACC is reduced.
Description
Technical Field
The invention relates to an adaptive cruise development and test method, and in particular to an adaptive cruise development and test method based on expected functional safety.
Background
At present, not all safety problems of an automated driving vehicle are caused by system errors and failures: the vehicle is controlled by the system, and the quality of that control is a factor that must be considered. In complex systems, safety issues often arise from environmental influences that bring unexpected safety problems. In the traditional automotive field, a hazard usually stems from a failure of the system. In an autonomous vehicle, however, even if the system does not fail, the function may deviate because of uncertainty in factors such as the output of a neural-network black box, and a traffic accident may result. The safety risk caused by unexpected system behaviour in such a non-failure situation is the problem that the safety of the intended functionality addresses.
The safety of road vehicles during the operating phase is a major concern of the road vehicle industry. In recent years, the number of advanced functions in automobiles has increased dramatically. These rely on sensing, complex algorithmic processing, and implementation and actuation by an electronic/electrical (E/E) system. Unreasonable risk due to any hazard associated with the intended function and its implementation, especially hazards not caused by faults (e.g. due to performance limitations), must be avoided in order to provide an acceptable level of safety for road vehicles. ISO 26262 has no requirements for the nominal performance of E/E systems or for the functional performance of such systems (for example adaptive cruise control), so to address harm to people caused by non-failure reasons in these systems, the International Organization for Standardization issued in 2019 the draft International Standard ISO 21448 on the safety of the intended functionality of road vehicles, which builds on ISO 26262 and is intended to address the known and unknown risks of autonomous vehicles arising from non-failure causes.
Currently, most mid-range and high-end automobiles in the world are equipped with an adaptive cruise control system (ACC), which keeps the vehicle at the speed set by the driver (the expected speed) and also keeps the vehicle at the distance, measured in time (the inter-vehicle time gap), set by the driver from the vehicle in front. However, the ACC may exhibit problems: the radar sensor has a limited detectable range, and it may fail to detect a vehicle or detect it late, for example vehicles on curves, motorcycles outside the range monitored by the radar sensor, vehicles changing lanes, turning vehicles, and stopped vehicles ahead. Such unexpected situations may cause the system to react late or to brake unexpectedly, so that the ACC itself poses a hazard. How to ensure that known and unknown risks are identified and the performance of the ACC is improved when the ACC is developed and tested is a problem that currently needs to be solved.
Disclosure of Invention
The invention aims to provide an adaptive cruise development and test method based on expected functional safety, which is used for ensuring that known and unknown risks are identified and the performance of an ACC is improved when the ACC is developed and tested.
The invention provides an adaptive cruise development and test method based on expected functional safety, which comprises the following steps:
step one, standardizing the expected functional content of an ACC;
step two, identifying and evaluating hazards due to the expected functionality of the ACC;
step three, identifying and evaluating the triggering events of the ACC;
step four, improving the expected function of the ACC to reduce the risk;
step five, verifying the known risks of the ACC;
step six, verifying the unknown risks of the ACC;
and step seven, confirming the expected functional safety of the ACC.
In step one, evidence containing sufficient information to initiate the expected-functional-safety activities of the ACC needs to be compiled and created, and after each iteration of these activities the evidence is updated as needed. The functional specification of the ACC includes: the target of the expected function; the use cases that activate and deactivate the intended functionality of the ACC; a description of the intended function of the ACC; the vehicle's dynamic automation/authority level; and, within the ACC function, the interrelationships of the driver, passengers, pedestrians and other road users. The system specification of the ACC includes: descriptions of the systems and elements that implement the intended functionality of the ACC; the description and behaviour of the installed sensors, controllers and actuators used by the intended function of the ACC; assumptions about how the expected functionality of the ACC uses input from other elements; assumptions about how other elements use the output of the expected functionality of the ACC; the limitations of the ACC and their countermeasures; the degradation concept of the ACC; the warning strategy of the ACC; and the vehicle's dependencies on and interactions with other functions and systems.
In step two, it is necessary to identify and evaluate the possible dangerous events caused by the ACC function leading to potentially dangerous behaviour, and their potential consequences, while defining acceptance criteria (such as verification targets) for evaluating the design in the development and verification phases of the ACC. Identifying the risk of the ACC proceeds by first determining the known and unknown triggering events that occur over the whole service life, then confirming the potential dangerous behaviours, the dangerous events caused by those behaviours and the controllability of the dangerous events, and finally obtaining the severity of the dangerous events. The risk of the ACC is evaluated in a given scenario by considering the severity and controllability of the potentially dangerous behaviour to determine whether the resulting harm is acceptable, and by considering the performance limits of the expected functions of the ACC to judge whether the controllability or the severity is acceptable.
In step three, the triggering events of the ACC are identified and evaluated: the factors by which the ACC can cause potentially dangerous behaviour need to be identified, and their acceptability with respect to expected functional safety evaluated. The analysis of triggering events starts from two aspects: the known limits of system components, to determine the situations in which these limits may result in dangerous behaviour; and the determined environmental conditions and foreseeable misuse, to determine the system limitations that may trigger potentially dangerous behaviour of the system. Triggering events related to the algorithm of the ACC can be analyzed in the following categories: environment and location, road infrastructure, city infrastructure, highway infrastructure, driver behaviour, expected behaviour of other drivers/road users, driving scenarios, and algorithm limits. Triggering events related to the sensors and actuators of the ACC can be analyzed in the following categories: weather conditions, mechanical disturbances, electromagnetic disturbances, disturbances from other vehicles or other sources, acoustic disturbances, glare, low-quality reflections, accuracy, range, response time, durability and authority capability. A triggering event may be accepted when the probability of a dangerous event occurring with the ACC system is below a specified verification target value, while for vehicles that are likely to cause a dangerous event there must be no unacceptable condition in the ACC system.
In step four, a functional-modification development activity to reduce the risk associated with the ACC should determine measures to avoid, reduce or mitigate the risk associated with the ACC's expected functional safety, while estimating the impact of those measures on the ACC's intended function. Measures to improve the expected functional safety of the ACC address the explicit system limitations that lead to safety violations. The improvement measures comprise:
(a) improving the system to avoid or reduce risks associated with the safety of the intended function: improving sensor performance/accuracy; improving actuator performance/accuracy; improving the performance of the recognition and decision algorithm; improving the testability of the components of the system;
(b) functional limitations on the intended function to reduce or mitigate safety-related risks of the intended function: limiting the expected functionality of the ACC for specific use cases; limiting the authority of the expected functionality of the ACC for specific use cases; limiting the overall authority of the intended functionality for a particular use case;
(c) transferring the authority of a certain system to the driver to improve the controllability of the effects of critical operating conditions: improving the human-machine interface; perfecting the early-warning and degradation strategy;
(d) reducing or mitigating the effects of reasonably foreseeable misuse: improving the information provided to the driver regarding the intended functionality of the ACC; improving the human-machine interface; implementing a monitoring and pre-warning system.
In step five, the known risks of the ACC must be verified: the systems and components of the ACC must be verified to show that they behave as expected in known dangerous situations and in reasonably foreseeable misuse situations. First, the correct functional performance, timing, accuracy and robustness of the sensor for its intended use are verified. Then the algorithm is verified; since the decision algorithm is included in all parts of the functional chain, its ability to react when needed and its ability to avoid unnecessary actions need to be verified. Next, the methods for verifying the intended use and reasonably foreseeable misuse of the actuator in the decision algorithm can be applied. Finally, the robustness and controllability of the integrated vehicle system are verified.
In step six, the unknown risks of the ACC are verified: the functions of the systems and components of the ACC need to be verified to prove that they do not cause unreasonable risks in practical use cases. The unknown risks can be understood as residual risks, and the residual risks can be evaluated by: verifying robustness through the signal-to-noise ratio; verifying architectural attributes, including independence; random input testing; cycle testing; whole-vehicle testing; long-term vehicle testing; testing based on field experience; testing under extreme conditions and reasonably anticipated misuse; comparison with existing systems; selected scenario simulation; worst-case analysis; and reasonably foreseeable misuse tests.
In step seven, the expected functional safety of the ACC is confirmed: the expected-functional-safety activities are reviewed and their results considered in order to evaluate the acceptability of the residual risk, and it is confirmed that the verification strategy covers all specified use cases within the scope of the expected function; that the expected functionality achieves a minimal-risk fallback condition; that the risk is not unreasonable; and that, in the event of unexpected behaviour that could lead to a dangerous event, there is evidence that no unreasonable risk exists.
The beneficial effects of the invention are as follows:
According to the adaptive cruise development and test method based on expected functional safety, during development of the ACC the functional specification and system specification of the expected functional safety of the ACC are defined in detail, the hazards caused by the expected functions of the ACC are identified and evaluated, the severity of the hazards is analyzed in combination with ISO 26262, the triggering events that can cause potentially dangerous behaviour of the ACC are identified, the acceptability of those triggering events with respect to expected functional safety is evaluated, and the expected functions of the ACC are improved according to the analysis, so that hazards caused by non-fault reasons in the ACC are reduced. In the testing stage of the ACC, the system and components of the ACC are first verified, ensuring that the ACC does not cause danger under known dangerous conditions and reasonably foreseeable misuse conditions; then the unknown risks of the ACC are verified through a series of methods, ensuring that the residual risk of the ACC is acceptable and that no risk to the persons involved is caused. The safety and reliability of the ACC are thus guaranteed, and the safety risk caused by unexpected system behaviour in the non-failure condition of the ACC is reduced.
Drawings
Fig. 1 is a flow chart of the adaptive cruise development and test method according to the present invention.
Fig. 2 is a schematic diagram of the ACC expected-functional-safety development process according to the present invention.
Fig. 3 is a flow chart of the decision logic for validating the expected functional safety of the ACC according to the present invention.
Detailed Description
Referring to Figs. 1 to 3:
the invention provides an adaptive cruise development and test method based on expected functional safety, which comprises the following steps:
step one, standardizing the expected functional content of an ACC;
step two, identifying and evaluating hazards due to the expected functionality of the ACC;
step three, identifying and evaluating the triggering events of the ACC;
step four, improving the expected function of the ACC to reduce the risk;
step five, verifying the known risks of the ACC;
step six, verifying the unknown risks of the ACC;
and step seven, confirming the expected functional safety of the ACC.
In step one, evidence containing sufficient information to initiate the expected-functional-safety activities of the ACC needs to be compiled and created, and after each iteration of these activities the evidence is updated as needed. The functional specification of the ACC includes the target of the intended function; the use cases that activate and deactivate the intended functions; a description of the intended function; the vehicle's dynamic automation/authority level; and, within the ACC function, the interrelationships of the driver, passengers, pedestrians and other road users. The system specification of the ACC includes descriptions of the systems and elements that implement the intended functionality of the ACC; the description and behaviour of the installed sensors, controllers and actuators used by the intended function of the ACC; assumptions about how the expected functionality of the ACC uses input from other elements; assumptions about how other elements use the output of the expected functionality of the ACC; the limitations of the ACC and their countermeasures; the degradation concept of the ACC; the warning strategy of the ACC; and the vehicle's dependencies on and interactions with other functions and systems.
In step two, the dangerous events that may occur because the ACC functions lead to potentially dangerous behaviour, and their potential consequences, need to be identified and evaluated, while acceptance criteria (e.g. verification targets) are provided for evaluating the design during the development and verification phases of the ACC. The risk of the ACC is identified by first determining the known and unknown triggering events that occur throughout the service life, identifying the potential dangerous behaviour, identifying the dangerous events resulting from that behaviour, and identifying the controllability of the dangerous events, in order to obtain the severity of the dangerous events. Assessing the risk of the ACC considers the severity and controllability of the potentially dangerous behaviour in a given scenario to determine whether the resulting harm is acceptable, while considering the performance limitations of the ACC intended function to determine whether the controllability or severity is acceptable. If the harm and the risk are acceptable, the risk is accepted; if they are not acceptable, the method proceeds to step three.
In step three, the triggering events of the ACC are identified and evaluated: the factors by which the ACC can cause potentially dangerous behaviour need to be identified, and their acceptability with respect to the safety of the intended function assessed. The analysis of triggering events can start from two aspects: the known limits of system components, to determine the situations in which these limits may result in dangerous behaviour; and the determined environmental conditions and predictable misuse, to determine the system limitations that may trigger potentially dangerous behaviour of the system. Triggering events related to the algorithm of the ACC can be analyzed in the following categories: environment and location, road infrastructure, city infrastructure, highway infrastructure, driver behaviour (including reasonably predictable driver misuse), expected behaviour of other drivers/road users, driving scenarios (e.g. work site, accident, emergency-lane traffic congestion, driving errors), and algorithmic limitations (e.g. the ability to handle possible scenarios, or uncertain behaviour). Triggering events related to the sensors and actuators of the ACC can be analyzed in the following categories: weather conditions, mechanical disturbances (including installation, design location and signal transmission), electromagnetic interference, interference from other vehicles or other sources (e.g. radar or lidar), acoustic interference, glare, low-quality reflections, accuracy, range, response time, durability, and authority capability (applicable to actuators). A triggering event is acceptable when the probability of a dangerous event occurring in the ACC system is lower than a specified verification target value (derived from traffic data statistics and machine-learning training) and, for vehicles that are likely to cause a dangerous event, there is no unacceptable situation in the ACC system.
When the triggering event cannot be accepted, step four is performed; when it can be accepted, steps five and six are performed.
In step four, a functional-modification development activity to reduce the risk associated with the ACC should determine measures to avoid, reduce or mitigate the risk associated with the safety of the ACC intended function, while evaluating the impact of those measures on the ACC intended function. Measures to improve the expected functional safety of the ACC address the explicit system limitations that lead to safety violations. The improvement measures comprise:
(a) improving the system to avoid or reduce risks associated with expected functional safety: improving sensor performance/accuracy; improving actuator performance/accuracy; improving the performance of the recognition and decision algorithm; improving the testability of the components of the system;
(b) functional limitations on the intended function to reduce or mitigate SOTIF-related risks: limiting the expected functionality of the ACC for specific use cases; limiting the authority of the expected functionality of the ACC for specific use cases; limiting the overall authority of the intended function for a particular use case;
(c) handing the authority of a certain system over to the driver to improve the controllability of the effects of critical operating conditions (the hand-over itself is controllable and does not introduce additional risk for the driver): improving the human-machine interface; perfecting the early-warning and degradation strategies;
(d) reducing or mitigating the effects of reasonably foreseeable misuse: improving the information provided to the driver regarding the intended functionality of the ACC; improving the human-machine interface; implementing a monitoring and pre-warning system.
In step five, the known risks of the ACC must be verified: the systems and components (sensors, algorithms and actuators) of the ACC must be verified to show that they perform as expected in known dangerous situations and in reasonably predictable misuse situations. First, the correct functional performance, timing, accuracy and robustness of the sensor for its intended use are verified. Then the algorithm is verified; since decision-making algorithms are included in all parts of the function chain (e.g. classification, sensor data fusion, situation analysis, function), the ability of the decision-making algorithm to react when needed and its ability to avoid unnecessary actions must be verified. Methods to verify the intended use of the actuator in the decision algorithm and reasonably anticipated misuse may then be applied. Finally, the robustness and controllability of the integrated whole-vehicle system are verified. Step four is performed when the behaviour of the known ACC system and components is not as expected, and step six is performed when it is as expected.
In step six, the unknown risks of the ACC are verified: the functions of the system and components (sensors, decision-making algorithms and actuators) of the ACC need to be verified to prove that they cannot cause unreasonable risk in practical use cases. The unknown risk can be understood as the residual risk, which is evaluated by: verifying robustness through the signal-to-noise ratio; verifying architectural attributes, including independence; random input testing; cycle testing; whole-vehicle testing; long-term vehicle testing; testing based on field experience; testing under extreme conditions and reasonably anticipated misuse; comparison with existing systems; selected scenario simulation; worst-case analysis; and reasonably foreseeable misuse tests. When the system and components cannot cause unreasonable risk in real scenarios, step seven is performed; when they can cause unreasonable risk, step four is performed.
In step seven, the expected functional safety of the ACC is confirmed: the expected-functional-safety activities are reviewed and their results considered in order to evaluate the acceptability of the residual risk. The validation strategy takes all specified use cases within the scope of the expected function into consideration; the expected functionality achieves a minimal-risk fallback condition; it is made sure that the risk is not unreasonable; and, in the event of unexpected behaviour that could lead to a dangerous event, there is evidence that no unreasonable risk exists. When the residual risk is acceptable, the risk is accepted; when it is not acceptable, step four is performed.
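The step routing of steps two to seven above, together with the step-three acceptance test (probability of a dangerous event below the verification target), as an added worked model in Python; this is an example written for this page, not code from the patent. The S0..S3 and C0..C3 scales are those of ISO 26262; the acceptance thresholds, the re-entry at step two after a step-four modification, the measure list and the constructed field statistics are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List

class Step(Enum):
    SPECIFY = 1         # step one: functional and system specification
    HAZARD_ID = 2       # step two: identify and evaluate hazards
    TRIGGER_ID = 3      # step three: identify and evaluate triggering events
    IMPROVE = 4         # step four: functional modification to reduce risk
    VERIFY_KNOWN = 5    # step five: verify known risks
    VERIFY_UNKNOWN = 6  # step six: verify unknown (residual) risks
    CONFIRM = 7         # step seven: confirm SOTIF, evaluate residual risk
    ACCEPTED = 0        # terminal state: risk accepted

@dataclass
class TriggerEvent:
    """A triggering event (e.g. a sensor limit) with constructed field statistics."""
    name: str
    hazardous_events: float  # dangerous events attributed to this trigger
    exposure_km: float       # distance driven over which they were counted

@dataclass
class Hazard:
    """Potentially dangerous behaviour with ISO 26262 severity/controllability."""
    name: str
    severity: int         # S0 (no injuries) .. S3 (life-threatening injuries)
    controllability: int  # C0 (controllable in general) .. C3 (difficult to control)
    triggers: List[TriggerEvent] = field(default_factory=list)
    measures: List[str] = field(default_factory=list)  # step-four measures applied

def hazard_acceptable(h: Hazard) -> bool:
    """Step two: the patent says severity and controllability decide acceptance;
    treating S0 or C0 as acceptable outright is this example's assumption."""
    return h.severity == 0 or h.controllability == 0

def trigger_acceptable(t: TriggerEvent, target_rate_per_km: float) -> bool:
    """Step three: acceptable when the probability (here a rate per km) of a
    dangerous event is below the specified verification target."""
    return t.hazardous_events / t.exposure_km < target_rate_per_km

# Step-four measures from categories (a) and (c) of the text; their order and
# their effect on the event count are assumptions of this example.
MEASURES = ["improve sensor performance/accuracy",
            "improve recognition and decision algorithm",
            "add warning and degradation strategy"]

def apply_improvement(h: Hazard) -> None:
    h.measures.append(MEASURES[min(len(h.measures), len(MEASURES) - 1)])
    for t in h.triggers:
        t.hazardous_events /= 4  # assumed effect of the measure on field data

def run_process(h: Hazard, target_rate_per_km: float,
                known_ok: Callable[[Hazard], bool],
                unknown_ok: Callable[[Hazard], bool],
                residual_ok: Callable[[Hazard], bool],
                max_rounds: int = 5) -> List[Step]:
    """Walk the step routing of the detailed description and return the steps
    visited.  Re-entering at step two after a step-four modification is an
    assumption; the text does not say where the loop resumes."""
    trace = [Step.SPECIFY]
    step, rounds = Step.HAZARD_ID, 0
    while step is not Step.ACCEPTED:
        trace.append(step)
        if step is Step.HAZARD_ID:
            step = Step.ACCEPTED if hazard_acceptable(h) else Step.TRIGGER_ID
        elif step is Step.TRIGGER_ID:
            ok = all(trigger_acceptable(t, target_rate_per_km) for t in h.triggers)
            step = Step.VERIFY_KNOWN if ok else Step.IMPROVE
        elif step is Step.IMPROVE:
            rounds += 1
            if rounds > max_rounds:
                raise RuntimeError(f"{h.name}: still unacceptable after {max_rounds} modifications")
            apply_improvement(h)
            step = Step.HAZARD_ID
        elif step is Step.VERIFY_KNOWN:
            step = Step.VERIFY_UNKNOWN if known_ok(h) else Step.IMPROVE
        elif step is Step.VERIFY_UNKNOWN:
            step = Step.CONFIRM if unknown_ok(h) else Step.IMPROVE
        else:  # Step.CONFIRM
            step = Step.ACCEPTED if residual_ok(h) else Step.IMPROVE
    trace.append(Step.ACCEPTED)
    return trace

def sample_hazard() -> Hazard:
    """Constructed case from the background: the lead vehicle on a curve leaves
    the radar's detectable range, so the ACC accelerates towards it."""
    return Hazard("unintended acceleration towards lead vehicle on a curve",
                  severity=3, controllability=2,
                  triggers=[TriggerEvent("lead vehicle outside radar range on curve",
                                         hazardous_events=8.0, exposure_km=1.0e6)])

def demo() -> List[Step]:
    return run_process(
        sample_hazard(), target_rate_per_km=1.0e-6,
        known_ok=lambda x: True,                         # stand-in for the step-five tests
        unknown_ok=lambda x: MEASURES[2] in x.measures,  # step six wants a degradation concept
        residual_ok=lambda x: True)                      # stand-in for the step-seven review
```

Running `demo()` walks the loop three times through step four: twice because the triggering event rate is still above the target, and once because the step-six verification insists on a degradation concept before step seven is reached.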
As shown in Fig. 2, the adaptive cruise development and test method based on expected functional safety provided by the present invention has the effect of reducing the known hazards of area 2 and the unknown hazards of area 3 as much as possible: through a series of activities, area 2 is converted into the known safe area 1, area 3 is converted into area 2 and then into area 1, and the residual risk is reduced to an acceptable range. For completeness the unknown safe area 4 is also shown, but area 4 does not need to be considered in the method.
The invention provides an adaptive cruise development and test method based on expected functional safety. By standardizing the ACC functions and systems, identifying and evaluating the hazards caused by the expected functions, evaluating and identifying the triggering events of the ACC, improving the ACC functions to reduce the risks associated with the safety of the expected functions, verifying the known unsafe expected functions of the ACC, verifying the unknown unsafe expected functions of the ACC, confirming and improving the known and unknown risks of the ACC during development and testing, and confirming the expected functional safety of the ACC, the expected functions of the ACC are made more stable and the life safety of the driver is guaranteed. The beneficial effects of applying the invention are as follows: during development of the ACC, the functional specification and system specification of the expected functional safety of the ACC are defined in detail, the hazards caused by the expected function of the ACC are identified and evaluated, the severity of the hazards is analyzed in combination with ISO 26262, the triggering events that can cause potentially dangerous behaviour are identified, the acceptability of those triggering events with respect to expected functional safety is evaluated, and the expected function of the ACC is improved according to the analysis, so that hazards caused by non-fault reasons in the ACC are reduced. In the testing stage of the ACC, the system and components of the ACC are first verified, ensuring that the ACC does not cause danger under known dangerous conditions and reasonably foreseeable misuse conditions; then the unknown risks of the ACC are verified through a series of methods, ensuring that the residual risk of the ACC is acceptable and that no risk to the persons involved is caused. The safety and reliability of the ACC are guaranteed, and the safety risk caused by unexpected system behaviour in the non-failure condition of the ACC is reduced.
Claims (8)
1. An adaptive cruise development and test method based on expected functional safety is characterized in that: the method comprises the following steps:
step one, standardizing the expected functional content of the ACC;
step two, identifying and evaluating hazards due to the expected functionality of the ACC;
step three, identifying and evaluating the trigger events of the ACC;
step four, improving the expected function of the ACC to reduce the risk;
step five, verifying the known risks of the ACC;
step six, verifying the unknown risks of the ACC;
and step seven, confirming the expected functional safety of the ACC.
2. The adaptive cruise development and testing method based on expected functional safety according to claim 1, characterized in that: in the first step, evidence containing information sufficient to initiate the expected functional safety-related activities of the ACC is compiled and created, and after each iteration of those activities the evidence is updated as needed. The functional specification of the ACC includes: the target of the expected function; use cases for activating and deactivating the expected function of the ACC; a description of the expected function of the ACC; the vehicle's dynamic automation/authority levels; and the interrelationships of drivers, passengers, pedestrians and other road users in the ACC function. The system specification of the ACC includes: descriptions of the systems and elements that implement the expected function of the ACC; a description and the behavior of the installed sensors, controllers and actuators used by the expected function of the ACC; assumptions about how the expected function of the ACC uses input from other elements; assumptions about how other elements use the output of the expected function of the ACC; the limitations of the ACC and their countermeasures; the degradation concept of the ACC; the warning policies of the ACC; and the dependencies and interactions of the vehicle on other functions and systems.
3. The adaptive cruise development and testing method based on expected functional safety according to claim 1, characterized in that: in the second step, the possible dangerous events caused by the ACC function leading to potentially dangerous behavior, and their potential consequences, are identified and evaluated, and acceptance criteria for evaluating the design in the development and verification phases of the ACC are defined, such as verification targets. The risk of the ACC is identified as follows: first the known and unknown triggering events occurring over the whole service life are determined, then the potentially dangerous behaviors are confirmed, the dangerous events caused by these behaviors are confirmed, the controllability of the dangerous events is confirmed, and finally the severity of the dangerous events is obtained. The risk caused by the ACC is evaluated in a given scene, considering the severity and controllability of the potentially dangerous behavior to determine whether the damage that could be caused is acceptable, and considering the performance limits of the expected function of the ACC to judge whether the controllability or the severity is acceptable.
4. The adaptive cruise development and testing method based on expected functional safety according to claim 1, characterized in that: in the third step, the triggering events of the ACC are identified and evaluated: the factors through which the ACC can cause potentially dangerous behavior are identified, and their acceptability with respect to expected functional safety is evaluated. Triggering events are analyzed from the following two aspects: the known limits of system components, to determine situations that may result in dangerous behavior because of these limits; and the determined environmental conditions and foreseeable misuse, to determine the system limitations that may trigger potentially dangerous behavior of the system. Triggering events related to the algorithm of the ACC can be analyzed in the following categories: environment and location, road infrastructure, city infrastructure, road infrastructure, driver behavior, expected behavior of other drivers/road users, driving scenarios, and algorithm limits. Triggering events related to the sensors and actuators of the ACC can be analyzed in the following categories: weather conditions, mechanical disturbances, electromagnetic disturbances, disturbances from other vehicles or other sources, acoustic disturbances, glare, low-quality reflections, accuracy, range, response time, durability and authority capabilities. A triggering event may be acceptable when the probability of a dangerous event occurring with the ACC system is below a specified verification target value, while for vehicles likely to cause a dangerous event there cannot be an unacceptable condition on the ACC system.
5. The adaptive cruise development and testing method based on expected functional safety according to claim 1, characterized in that: in the fourth step, in order to reduce the risk associated with the ACC, measures are determined to avoid, reduce or mitigate the risk associated with the safety of the expected function of the ACC, and the impact of the relevant measures on the expected function of the ACC is estimated; a measure for improving the safety of the expected function of the ACC resolves the clearly identified system limitation that causes the safety violation, and the improvement measures include:
(a) improving the system to avoid or reduce risks associated with the safety of the intended function: improving sensor performance/accuracy; improving actuator performance/accuracy; improving the performance of the recognition and decision algorithm; improving the testability of the components of the system;
(b) functional limitations on the intended function to reduce or mitigate safety-related risks of the intended function: limiting the expected functionality of the ACC for a specific use case; limiting the permissions of the expected functionality of the ACC for a specific use case; limiting the overall permissions of the intended functionality for a particular use case;
(c) transferring the authority of a certain system to the driver to improve controllability of the effects of critical operating conditions: improving the human-machine interface; perfecting the early warning and degradation strategy;
(d) reducing or mitigating the effects of reasonably foreseeable misuse: improving the information provided to the driver regarding the intended functionality of the ACC; improving the human-machine interface; implementing a monitoring and pre-warning system.
6. The adaptive cruise development and testing method based on expected functional safety according to claim 1, characterized in that: in the fifth step, the known risks of the ACC are verified: the systems and components of the ACC must be verified to show their expected effect in known dangerous situations and in reasonably foreseeable misuse situations. First, the correct functional performance, timing, accuracy and robustness of the sensors for their intended use are verified; then the algorithm is verified, the decision algorithm being included in all parts of the functional chain, and the ability of the decision algorithm to react when needed and its ability to avoid unnecessary actions are verified; then the intended use of the actuators by the decision algorithm and the reasonably foreseeable misuse methods are applied; and finally the robustness and controllability of the integrated system of the whole vehicle are verified.
7. The adaptive cruise development and testing method based on expected functional safety according to claim 1, characterized in that: in the sixth step, the unknown risk of the ACC is verified: the functions of the systems and components of the ACC are verified to prove that they do not cause unreasonable risk in practical use cases. The unknown risk can be understood as residual risk, and the residual risk can be verified through: robustness under a reduced signal-to-noise ratio; verification of architectural attributes, including independence; random input testing; cycle testing; whole-vehicle testing; long-term vehicle testing; testing from field experience; testing for extreme conditions and reasonably anticipated misuse; comparison with existing systems; selected scenario simulation; worst-case analysis; and reasonably foreseeable misuse tests.
8. The adaptive cruise development and testing method based on expected functional safety according to claim 1, characterized in that: in the seventh step, the expected functional safety of the ACC is confirmed: the expected functional safety activities are examined, their results are considered, the acceptability of the residual risk is evaluated, and it is confirmed that all specified cases within the scope of the expected function are covered by the verification strategy; that the expected function achieves a minimum-risk fallback condition; that the risk is not unreasonable; and that, in the event of unexpected behavior that could lead to a dangerous event, there is evidence that there is no unreasonable risk.
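The risk evaluation of claims 3 and 4 (dangerous behavior, severity, controllability, and a verification target that a triggering event's dangerous-event probability must stay below) can be captured as a small risk register. The following is an added example, not code from the patent: the ISO 26262 S0-S3 / C0-C3 classes are real, but the sample triggering events, their rates and the numeric verification target are constructed for illustration, and the assumption that the target is a rate per operating hour is the example's own.

```python
"""Added example (not part of the patent): SOTIF-style risk evaluation of ACC
triggering events following claims 3 and 4. Sample events and the numeric
verification target are constructed; only the S/C classes are ISO 26262."""
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    """Claim 4 splits triggering events into two analysis families."""
    ALGORITHM = "algorithm"              # scenarios, driver behavior, algorithm limits
    SENSOR_ACTUATOR = "sensor/actuator"  # weather, glare, disturbances, accuracy, range


@dataclass(frozen=True)
class TriggeringEvent:
    name: str
    category: Category
    dangerous_behavior: str   # the potentially dangerous ACC behavior it can cause
    severity: int             # S0..S3 of the resulting dangerous event (ISO 26262)
    controllability: int      # C0..C3 of the resulting dangerous event (ISO 26262)
    rate_per_hour: float      # estimated occurrence rate of the dangerous event
    known: bool = True        # False = area 3 hazard not yet uncovered by step 6


def is_hazardous(ev: TriggeringEvent) -> bool:
    """S0 (no injuries) or C0 (controllable in general) means no damage to assess."""
    return ev.severity > 0 and ev.controllability > 0


def is_acceptable(ev: TriggeringEvent, target_rate: float) -> bool:
    """Claim 4 criterion: acceptable when the dangerous-event rate is below the
    specified verification target value (assumed here to be a rate per hour)."""
    return not is_hazardous(ev) or ev.rate_per_hour < target_rate


def risk_area(ev: TriggeringEvent, target_rate: float) -> int:
    """Map an event to the fig. 2 areas: 1 known safe, 2 known unsafe, 3 unknown."""
    if not ev.known:
        return 3
    return 1 if is_acceptable(ev, target_rate) else 2


def events_needing_improvement(events, target_rate):
    """Known events that fail acceptance and must go through the step 4 measures."""
    return [ev.name for ev in events if risk_area(ev, target_rate) == 2]


# Constructed sample register (not from the patent).
VERIFICATION_TARGET = 1e-7  # assumed: fewer than one dangerous event per 1e7 hours
SAMPLE_EVENTS = [
    TriggeringEvent("low sun glare on forward camera", Category.SENSOR_ACTUATOR,
                    "late detection of lead vehicle, insufficient braking", 3, 2, 5e-7),
    TriggeringEvent("cut-in at short gap", Category.ALGORITHM,
                    "unnecessary hard braking", 1, 1, 2e-8),
    TriggeringEvent("radar ghost target from guardrail", Category.SENSOR_ACTUATOR,
                    "phantom braking in a free lane", 2, 1, 1e-9, known=False),
    TriggeringEvent("driver sets ACC below minimum speed", Category.ALGORITHM,
                    "function declines to activate and warns", 0, 0, 1e-3),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.name}: area {risk_area(ev, VERIFICATION_TARGET)}")
    print("needs step 4:", events_needing_improvement(SAMPLE_EVENTS, VERIFICATION_TARGET))
```

An event in area 3 (the radar ghost here) is not scored against the target until step 6 verification makes it known; only then does it move to area 2 or 1 as the description of fig. 2 requires.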
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911321150.1A CN111103866B (en) | 2019-12-20 | 2019-12-20 | Self-adaptive cruise development and test method based on expected functional safety |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111103866A true CN111103866A (en) | 2020-05-05 |
CN111103866B CN111103866B (en) | 2024-07-12 |
Family ID: 70423079
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108297880A (en) * | 2017-01-11 | 2018-07-20 | 丰田自动车工程及制造北美公司 | Distracted driver notification system |
CN107458376A (en) * | 2017-07-31 | 2017-12-12 | 北京新能源汽车股份有限公司 | Self-adaptive cruise control method and device and automobile |
RU2704357C1 (en) * | 2018-12-24 | 2019-10-28 | Федеральное государственное унитарное предприятие "Центральный ордена Трудового Красного Знамени научно-исследовательский автомобильный и автомоторный институт "НАМИ" (ФГУП "НАМИ") | Control method of vehicle active safety system operation |
CN109885870A (en) * | 2019-01-09 | 2019-06-14 | 同济大学 | Verification method and system for the expected functional safety of autonomous driving vehicles |
CN110070139A (en) * | 2019-04-28 | 2019-07-30 | 吉林大学 | Small-sample in-the-loop learning system and method for automated driving environment perception |
CN110333730A (en) * | 2019-08-12 | 2019-10-15 | 安徽江淮汽车集团股份有限公司 | Verification method, platform and storage medium for the expected functional safety of an automated driving algorithm |
Non-Patent Citations (2)
Title |
---|
尚世亮; 李波: "Research on safety of the intended functionality technology for vehicle electronic control systems", China Standardization (中国标准化), no. 10, 5 September 2016 (2016-09-05) * |
毛向阳; 尚世亮; 崔海峰: "Analysis of safety influencing factors of autonomous vehicles and research on countermeasures", Shanghai Auto (上海汽车), no. 01, 10 January 2018 (2018-01-10) * |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112348334A (en) * | 2020-10-26 | 2021-02-09 | 安徽江淮汽车集团股份有限公司 | Security analysis process generation method, device, equipment and storage medium |
CN112418711A (en) * | 2020-12-07 | 2021-02-26 | 安徽江淮汽车集团股份有限公司 | Method, device, storage medium and device for evaluating damage of expected function of vehicle |
CN112418711B (en) * | 2020-12-07 | 2024-08-09 | 安徽江淮汽车集团股份有限公司 | Method, device, storage medium and apparatus for evaluating expected functional hazard of vehicle |
CN112612288A (en) * | 2020-12-29 | 2021-04-06 | 清华大学苏州汽车研究院(相城) | Expected function safety risk assessment method for error/omission identification of automatic driving vehicle |
CN112631257A (en) * | 2020-12-29 | 2021-04-09 | 清华大学苏州汽车研究院(相城) | Expected function safety test evaluation method for misoperation of automatic driving vehicle |
CN112612288B (en) * | 2020-12-29 | 2022-05-31 | 清华大学苏州汽车研究院(相城) | Expected function safety risk assessment method for error/omission identification of automatic driving vehicle |
CN113111501A (en) * | 2021-03-31 | 2021-07-13 | 中汽研(天津)汽车工程研究院有限公司 | Functional safety and expected functional safety fusion analysis method |
CN113111501B (en) * | 2021-03-31 | 2023-06-02 | 中汽研(天津)汽车工程研究院有限公司 | Functional safety and expected functional safety fusion analysis method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||