DE102019213797A1 - Method for evaluating a sequence of representations of at least one scenario - Google Patents

Abstract

A method for evaluating a sequence of representations of at least one scenario of a plurality of scenarios of an at least partially automated mobile platform is proposed, the sequence of the representations of the plurality of scenarios being based on data sequences from at least one sensor that are provided to the mobile platform with the Steps: identifying a security goal in the at least one scenario; determining at least one security-relevant value for the security goal; forming a plurality of validation points, each of the plurality of validation points being formed with a corresponding instance of a plurality of instances of the scenario with the following steps: determining a sequence of the at least one security-relevant value by means of dynamic extrapolation of a corresponding representation sequence of an instance of the scenario by means of the data sequences that are provided to the mobile platform; E determining a sequence of the at least one safety-relevant reference value by means of dynamic extrapolation of a reference representation sequence of the instance of the scenario; determining an accumulated deviation of the sequence of the safety-relevant reference value from the sequence of the safety-relevant value within a specified time range for the instance of the scenario Forming a validation point by assigning the accumulated deviation to the associated at least one safety-relevant reference value of the instance of the scenario; Analysis of correlations of the plurality of validation points formed in a coordinate space of the validation points in order to evaluate the sequence of representations of the at least one scenario of the mobile platform.

Description

The invention relates to a method for evaluating a sequence of representations of at least one scenario of a plurality of scenarios of an at least partially automated mobile platform, the sequence of representations of the plurality of scenarios being based on data sequences from at least one sensor provided to the mobile platform.

State of the art

The realization of the perception or representation of the environment is of great importance for the implementation of at least partially automated driving with an at least partially automated platform, but also increasingly for driver assistance systems. The surroundings are recorded by means of sensors and determined, for example using a pattern recognition method.
In this way, the data from the sensors are converted into a symbolic and semantic description of relevant aspects of the environment. This symbolic and semantic description of the environment then forms a basis for executing actions in the environment described in this way or for an application or a purpose with, for example, an at least partially automated mobile platform. A typical example of a symbolic description of the environment is to describe static and / or dynamic objects using attributes that characterize, for example, the location, shape, size, speed, etc. of the respective object and give these objects, for example, an ethical, legal, etc. Ä. Assign meaning. The objects can, for example, be obstacles with which a collision must be avoided.

Validating highly automated driving, which is based in particular on such a representation of the environment, is associated with a great deal of effort. From automation level 3 onwards, the expenditure on resources for validating systems for highly automated driving is estimated at 80% for validation, with the expenditure for development being estimated at 20%. This is primarily due to the safeguarding of the highly complex system, so that a validation must also be checked with regard to previously unknown and unspecified hazardous situations. For this purpose, highly developed offline tools and simulations, in particular to validate the representation of the environment of such an at least partially automated platform, as well as function development are used.

Disclosure of the invention

Metrics that enable such a validation to quantitatively describe a hazardous situation in a simulated or measured scenario represent a basis for such a validation. Statistical evaluations for a quantitative validation can be made on such a basis. It is particularly important to consider multiple sources of danger and to map all safety goals as far as possible.

The present invention discloses a method for evaluating a sequence of representations of at least one scenario, an apparatus, a computer program and a machine-readable storage medium, according to the features of the independent claims. Advantageous configurations are the subject matter of the dependent claims and the following description.

The invention is based on the knowledge that a difference between security-relevant values, which are determined both by an at least partially automated mobile platform and by a reference system, and the corresponding security-relevant value of the reference system, enables a basis for a quantitative evaluation of sequences of representation can.

According to one aspect, a method for evaluating a sequence of representations of at least one scenario of a plurality of scenarios of an at least partially automated mobile platform is proposed, the sequence of representations of the plurality of scenarios being based on data sequences from at least one sensor provided to the mobile platform.

• In einem Schritt zum Bilden eines Validierungspunktes wird eine Sequenz des mindestens einen sicherheitsrelevanten Wertes mittels dynamischer Extrapolation einer entsprechenden Repräsentations-Sequenz einer Instanz des Szenarios mittels der Datensequenzen, die der mobilen Plattform bereitgestellt sind, ermittelt.

In one step, a security goal is identified in the at least one scenario. In a further step, at least one security-relevant value is determined for the security goal. In a further step, a large number of validation points are formed, each of the large number of validation points being formed with a corresponding instance of a large number of instances of the scenario using the following steps:

• In a step for forming a validation point, a sequence of the at least one security-relevant value is determined by means of dynamic extrapolation of a corresponding representation sequence of an instance of the scenario using the data sequences provided to the mobile platform.

In a further step, a sequence of the at least one safety-relevant reference value is determined by means of dynamic extrapolation a reference representation sequence of the instance of the scenario is determined. In a further step, an accumulated deviation of the sequence of the security-relevant reference value from the sequence of the security-relevant value is determined within a specified time range for the instance of the scenario. In a further step, a validation point is formed by assigning the accumulated deviation to the associated at least one safety-relevant reference value of the instance of the scenario.

With a multiplicity of validation points formed in this way, in a further step for evaluating the sequence of representations, at least one scenario of the mobile platform correlations of the multiplicity of validation points formed is analyzed in a coordinate space of the validation points.

In this entire description of the invention, the sequence of method steps is shown in such a way that the method is easy to understand. However, the person skilled in the art will recognize that many of the method steps can also be carried out in a different order and lead to the same result. In this sense, the sequence of the method steps can be changed accordingly and is thus also disclosed.

With this procedure it is possible to validate important steps of a highly automated driving (HAD) with one procedure. To determine the security-relevant value, a minimum number of security-relevant objects can be determined for the different scenarios. Both geometric and dynamic descriptions of the behavior of the safety-relevant objects are taken into account in the dynamic extrapolation. Examples of such scenarios are possible narrow driving past, possible narrow cutting in, or safe lane keeping.

As will be described further below, with this method, with the dynamic extrapolation of a movement prediction, which is mapped via a sequence of reference representations, both a mitigation possibility of the host vehicle and a “worst-case” behavior of at least one object involved can be taken into account in order to determine a safety-relevant value or a safety-relevant reference value. In the method, a distance until the security goal is violated is evaluated by means of a metric with which the security-relevant value is determined.

And the risk level determined by the ego vehicle or the at least partially automated mobile platform, which is quantified with the safety-relevant value, can be compared with a reference risk level, which is quantified with the safety-relevant reference value. This method can be applied to a large number of relevant security objectives of a scenario or to a large number of scenarios.

The advantage of this method comes into play in particular with the "open world" problem or "open context" interaction of HAF systems or service robotics and the associated complexity, since a validation of such an HAF system is extremely time-consuming and therefore cost-intensive. With this method, sequences of representations can be assessed in different scenarios and with different security goals. With this method, starting with an abstract problem description of the HAF system, an analysis of a scenario can be carried out by means of the correlations of the large number of validation points in a validation plot in relation to a safety goal. An inadequacy in the system (according to SOTIF ISO 21448) as well as hardware or software errors (according to ISO 26262), which is described with an accumulated deviation of the sequence of the safety-relevant reference value from the sequence of the safety-relevant value, can be detected by means of the analysis Correlations of the number of validation points formed are identified and corrected.

The method allows a quantitative validation of the safety goals of a HAD function on the basis of differently generated data from simulations, test drives on test tracks or an endurance run of the system under investigation, through dynamic extrapolation of safety-relevant values. Since the safety-relevant values for the dynamic extrapolation are based on the safety goals and thus combine individual analyzes, the effort for subsequent analyzes is reduced. This method thus supports a validation for a release of a HAD function. By repeatedly applying this procedure, a large number of different security goals can be mapped and assessed.

This continuous, double evaluation of the current situation in the instances of the scenarios with regard to the safety goals makes it possible to record the extent to which neglects, i.e. accumulated deviations of the VuT, lead to real sub-critical events or even accidents without intensive subsequent analyzes.

In particular, the sequence of representations of the plurality of scenarios can be based on data sequences from at least one sensor and at least one interpretation algorithm Based on meaning capture, which are provided to the mobile platform.

According to a further aspect, it is proposed that, for the analysis of correlations, validation points are filtered from the plurality of validation points whose cumulative deviation is smaller than a first deviation limit value and whose safety-relevant reference value is less critical than a reference limit value.

This allows the validation points to be filtered out of the validation points that have been correctly assessed but are not associated with any danger with regard to a safety goal. This improves the analysis of the correlation of the large number of validation points formed, since these points are of no importance for a relevant correlation analysis.

According to a further aspect, it is proposed that, for the analysis of correlations, validation points are filtered from the plurality of validation points whose cumulative deviation is greater than the first deviation limit value and whose safety-relevant reference value is less critical than the reference limit value.

As a result, the validation points can be filtered out of the validation points, which, although incorrectly assessed, are not associated with any danger with regard to a safety goal. This further improves the analysis of the correlation of the large number of validation points formed, since these points are also of no significance for a relevant correlation analysis. For a validation of a system, the occurrence of these validation points can be precisely examined and remedied, since, due to these incorrectly assessed security-relevant values, a representation of an environment and / or its interpretation and / or a behavioral implementation of the mobile platform based on it can be faulty.

According to a further aspect, it is proposed that, for the analysis of correlations, validation points are filtered from the plurality of validation points whose cumulative deviation is smaller than a second deviation limit value and whose safety-relevant reference value is particularly critical.

For an improved correlation analysis, this aspect of the method is used to filter out validation points of a single event, for example, in which the safety-relevant value was correctly assessed, but represents or has represented a great danger in relation to a safety goal. The occurrence of this danger or the event cannot be related to a sequence of representation, since the corresponding safety-relevant value was correctly assessed.

According to a further aspect, it is proposed that a correlation analysis be carried out with a large number of filtered and / or a large number of unfiltered validation points in order to determine a trend of the validation points for evaluating the sequence of representations.

As already explained above, filtering out validation points that can be causally traced back to other relationships improves the correlation analysis, since weak correlations, which can only be identified with a large number of relevant validation points, can be detected with the remaining validation points.

According to a further aspect, it is proposed that, in order to evaluate the sequence of representations, an extrapolation of the validation points up to a critical safety-relevant reference value is determined with the specific trend of the correlation analysis.

With such a trend from the correlation analysis, it is possible to quantitatively estimate the number of recorded instances of a scenario after which a security goal is likely to be violated. With such a trend curve, a break-through point with regard to the safety goal can be determined.

According to a further aspect, it is proposed that, in order to evaluate the sequence of representations, an extreme value analysis is carried out by means of the validation points in order to quantitatively evaluate the sequence of representations of the at least one scenario.

An extreme value analysis is improved by this method, since on the one hand irrelevant validation points can be filtered out and on the other hand a conference interval can be defined with the specific trend from the correlation analysis, with which the relevant validation points can be identified.

According to a further aspect, it is proposed that the at least one security-relevant value characterize a spatial and / or temporal relation of two objects in the scenario.

This means that the safety-relevant value can be transferred to the real world and geometric factors such as vehicle dimensions can be taken into account.

According to a further aspect, it is proposed that the two objects are each dynamic objects or that one of the two objects is a static object.

According to a further aspect, it is proposed that the accumulated deviation of the sequence of the safety-relevant reference value from the sequence of the safety-relevant value is determined by a sum of individual deviations of the corresponding values.

The values that were determined for the same point in time correspond. Alternatively, the integral can also be determined using the individual deviations: $$\Delta TT\mathrm{C.}{\mathrm{E.}}_{accum}={\displaystyle \underset{t_{val}}{\overset{0}{\int }}\left(TT\mathrm{C.}{\mathrm{E.}}_{ref}-TT\mathrm{C.}{\mathrm{E.}}_{VuT}\right)dt}$$

According to a further aspect, it is proposed that when determining the sequence of the at least one security-relevant value by means of dynamic extrapolation of a corresponding representation sequence, a mitigation option of the at least partially automated platform is taken into account in the dynamic extrapolation.

In this description, the host vehicle corresponds to the at least partially automated mobile platform.

When taking into account the mitigation for the dynamic extrapolation of a representation sequence, a possible, in particular reasonable, evasive behavior of a participating host vehicle or a participating mobile platform is taken into account in the dynamic extrapolation in order to improve a validation with this method that comes closer to reality . This means, for example, that a host vehicle tries to avoid an accident with a vehicle in front that is braking hard, for example, by initiating a braking maneuver itself. In the case of such reasonable evasive behavior, it is taken into account that no self-endangering maneuver is carried out with it or that a danger to third parties is provoked.

According to a further aspect, it is proposed that when determining the sequence of the at least one safety-relevant value by means of dynamic extrapolation of a corresponding representation sequence, a worst-case behavior of a scenario object is taken into account in the dynamic extrapolation.

In the worst-case behavior, it is taken into account that actions are also taken into account for the behavior of the object in a scenario that are possible from the point of view of the driving dynamics of the object and which endanger compliance with the safety goal.

A method is proposed in which, based on the evaluation of the sequence of representations of at least one scenario of the plurality of scenarios of the at least partially automated mobile platform, a configuration of the at least partially automated mobile platform is adapted.

The term “based on” is to be understood broadly in relation to the feature that a configuration of the at least partially automated mobile platform is adapted based on the evaluation of the sequence of representations of at least one scenario of the plurality of scenarios of the at least partially automated mobile platform. It is to be understood that the evaluation of the sequence of representations is used for any determination or calculation of an adaptation of a configuration of the mobile platform, whereby this does not exclude that other quantities and / or calculations are also used for the adaptation of the configuration of the mobile platform can be used.

The configuration of the at least partially automated mobile platform can for example relate to a configuration of sensors, control devices, transmission channels and / or programs for controlling the mobile platform.

In particular, based on the evaluation of at least one sequence of representations of at least one scenario, the sensor configuration can be adapted if, for example, a modified sensor configuration leads to a better evaluation of the sequence of representations of at least one scenario.

Another example would be a modification of a device of at least one control device as a function of an evaluation of at least one sequence of representations of at least one scenario. Such a control device can be set up, depending on identified scenarios, to carry out a different fusion of sensor data, so that an improved evaluation of a sequence of representations is achieved in the respective scenario.

Correspondingly, a configuration of the mobile platform can be made by adapting transmission channels and / or by modifying control and / or regulation programs for controlling the mobile platform, depending on the evaluation of at least one sequence of representations.

A device is specified which is set up to carry out one of the methods as described above. With such a device, the method can easily be integrated into different systems.

A computer program is specified which comprises instructions which, when the computer program is executed by a computer, cause the computer to carry out one of the methods described above. Such a computer program enables the described method to be used in different systems.

A machine-readable storage medium is specified on which the computer program described above is stored.

A mobile platform can be understood to mean an at least partially automated system which is mobile and / or a driver assistance system of a vehicle. An example can be an at least partially automated vehicle or a vehicle with a driver assistance system. That is, in this context, an at least partially automated system includes a mobile platform with regard to an at least partially automated functionality, but a mobile platform also includes vehicles and other mobile machines including driver assistance systems. Further examples of mobile platforms can be driver assistance systems with several sensors, mobile multi-sensor robots such as robotic vacuum cleaners or lawn mowers, a multi-sensor monitoring system, an aircraft, a ship, a production machine, a personal assistant or an access control system. Each of these systems can be a fully or partially automated system.

Figure list

• 1 ein Ablaufdiagramm der Bewertung einer Sequenz von Repräsentationen;
• 2a ein Beispiel einer Sequenz eines sicherheitsrelevanten Referenz-Wertes;
• 2b ein Beispiel einer Sequenz eines sicherheitsrelevanten Wertes;
• 3 ein Beispiel zur Bestimmung eines sicherheitsrelevanten Wertes;
• 4 ein Validierungsplot bei dem sicherheitsrelevante Referenz-Werte über akkumulierten Abweichungen als Validierungswerte aufgetragen sind.

Embodiments of the invention will be described with reference to 1 to 4th and explained in more detail below. Show it:

• 1 a flow diagram of the evaluation of a sequence of representations;
• 2a an example of a sequence of a safety-relevant reference value;
• 2 B an example of a sequence of a security-relevant value;
• 3 an example for determining a safety-relevant value;
• 4th a validation plot in which safety-relevant reference values are plotted as validation values over accumulated deviations.

In general, the specification for a safe behavior of a highly automated driving function (HAF system) in level 3 (SAE) and higher, here the so-called traffic jam pilot (STP), i.e. a function that automatically drives the vehicle in a traffic jam situation, requires a means of determination and validation of safety-relevant values of different driving scenarios, which could lead to dangerous and undesirable behavior of the STP by violating defined SOTIF safety goals.

A deductive SOTIF expert analysis forms the basis for such a validation, from which a direct derivation of the minimum number of security-relevant objects, as well as an assignment to a minimum set of security goals in product-specific scenarios for a certain HAD system is determined or identified.

This upstream deductive analysis reduces the dynamic and / or static objects, such as vehicles or lanes etc., and their attributes in the area around the vehicle to a small number. This reduction can be carried out in such a way that only situation-specific object characteristics that are absolutely necessary for assessing the predictive metrics are present. Each of the object characteristics can be linked to one or more SOTIF security objectives, such as: no collisions; tight passages; Keeping track, be linked. For this purpose, for example, features of the lane as well as a small number of vehicles driving ahead and potential cut-ins can be considered.

A distance to the safety goals is formulated as a predictive distance measure, such as a safety-relevant value until a collision or a narrow drive past is predicted or dynamically extrapolated.

Such a dynamic extrapolation of the behavior of the vehicles takes into account mitigation possibilities (e.g. braking) of an ego vehicle, as well as critical, reasonable ("worst-case") behavior of other road users (e.g. narrow cut in).

The method can be further explained with the following driving scenario: A host vehicle drives in its lane and another object, i.e. another vehicle, cuts in at such a small distance in front of the host vehicle that a safety goal is seriously endangered
A safety-relevant reference value should be determined according to the scenario and a safety goal either in a moving reference system of the HAF system or in a spatially fixed reference system in order to provide an objective perspective for the scenario under consideration. Thus, on this basis, a safety-relevant value can be evaluated in comparison to the safety-relevant reference value. The validation of the STP includes the evaluation of its behavior in an observed driving scenario with regard to safety. Finding all the causes that lead and could lead to unsafe driving behavior requires the analysis of all those driving scenarios that the STP is supposed to master. Unsafe is synonymous here with the violation of the defined SOTI F security goals by the STP.

An example of a driving scenario for which a safety-relevant value of a safety goal is to be determined can be a follow-up trip. This means that the STP follows a vehicle in front on a straight line. It is then identified which security goals could be violated by, for example, SOTIF security goals in the scenario and which static and / or dynamic objects are relevant. As an example, the SOTIF objective “avoid frontal collision” could be violated. The relevant objects are then the vehicle and the vehicle in front (“target object”).

A safety-relevant value can then be the TTCE (time to closest encounter) time according to the two reference systems. One TTCE time is derived on the one hand from a corresponding representation sequence of an instance of the scenario by means of the data sequences that were made available to the mobile platform. So the TTCE is derived from a subjective perspective of the HAF system. On the other hand, a reference representation sequence of the instance of the scenario is determined.

In the calculation of the two safety-relevant values, i.e. the TTCE _VuT and the TTCE _ref , the movement models of the ego vehicle, with the assumption of the best possible mitigation of the ego vehicle, as well as the vehicle in front with the assumption that this is a maximally undesirable and shows dangerous (worst-case ‟) behavior.

For example, mitigation possibilities of the ego vehicle can be limited by its maximum deceleration and its maximum steering angle, as well as its coefficient of friction. In the worst case, the vehicle ahead could accelerate negatively with its maximum possible braking effect.

An accumulated deviation of a TTCE _VuT (that TTCE that is calculated in the perception of the STP) from the TTCE _ref (that TTCE that is calculated in the reference system) can then be determined by adding up or by calculating the integral. $$\Delta TT\mathrm{C.}{\mathrm{E.}}_{accum}={\displaystyle \underset{t_{val}}{\overset{0}{\int }}\left(TT\mathrm{C.}{\mathrm{E.}}_{ref}-TT\mathrm{C.}{\mathrm{E.}}_{VuT}\right)dt}$$

The value ΔTTCE _{accum should be} smaller than a limit value to be determined, the limit value zero meaning at least one contact between the two vehicles. With a limit value to be determined, a safety margin can be maintained accordingly.

The variable t represents the time and tval an observation period during which an evaluation, for example, of the critical value of the ego vehicle, i.e. the at least partially automated platform, and the comparison with the safety-critical reference value takes place. This integral thus indicates the accumulated deviation of the calculation of the host vehicle from reality.

With the safety-relevant reference value determined in this way, here TTCE _ref and the accumulated deviation ΔTTCE _accum , which can be plotted as a validation value in a validation plot for a large number of instances of the scenario, causes can be analyzed in accordance with SOTIF and ISO 26262, the ΔTTCE _accum > 0 result.

The 1 shows a flow chart of a method 100 for evaluating a sequence of representations of a scenario of an at least partially automated mobile platform. The sequence of representations that is to be evaluated is based on data sequences from at least one sensor that are provided to the mobile platform. This can therefore be data sequences that are generated by sensors that the mobile platform itself has, it can also be data sequences from other sensors to which the mobile platform has access and which can be used to represent the scenario, as they can, for example, at least parts of the Map scenarios. Such a scenario can describe static and / or dynamic objects, for example.

In a previous step 110 of the method, a selected scenario is analyzed deductively, in accordance with, for example, SOTIF requirements (safety of the intended function), for a highly automated driving function (HAD), in order to identify a safety goal S1 .

Critical static and / or dynamic objects result from this analysis 120 and there can be geometric and dynamic descriptions 130 for the safety goal can be derived in order to determine at least one safety-relevant value for the safety goal S2 . Thus, the resulting critical static and / or dynamic objects 120 linked to the safety goal in relation to the safety-relevant value. With the method described, a large number of sequences of representations of different scenarios can be assessed. Here a sequence is selected to be evaluated as an example.

For such an evaluation of a sequence of representation, a multiplicity of validation points are formed S3, each of the multiplicity of validation points being formed with a corresponding instance of a multiplicity of instances of the scenario. The instances of the scenario are thus different, actually determined or simulated sequences of scenes with static and / or dynamic objects, which can be categorized with the defined scenario.

To create one of the validation points, a sequence of the security-relevant value is calculated for an instance of the scenario. For this purpose, a representation sequence of the instance is created using the data sequences by means of dynamic extrapolation 140 provided to the mobile platform S4 .

In the calculation of the two safety-relevant values, for example the TTCE _VuT and the TTCE _ref , an assumption for the best possible mitigation can be made in the movement model of the ego vehicle 150 of the ego vehicle, as well as an assumption in the movement model of the vehicle in front that this shows a maximally undesirable and dangerous (“worst-case”) behavior.

In addition, a sequence of a safety-relevant reference value is created by means of dynamic extrapolation of a reference representation sequence 145 of the instance of the scenario S5 .

An accumulated deviation of the sequence of the safety-relevant reference value from the sequence of the safety-relevant value within a defined time range is then determined S6 for the instance of the scenario.

The safety-relevant values are determined twice, once as reference values that were recorded, for example, with an extended validation sensor system (ground truth), and secondly as the vehicle's own measurements with the on-board sensor system to be validated for the function (i.e. "VuT “-Data: Version under test,) was recorded, or at least was available to the vehicle's own system. Distance measures to the safety goals, i.e. the safety-relevant values, are accordingly evaluated twice, as a reference value and a value for the ego vehicle.

A validation point is formed by assigning the accumulated deviation to the associated at least one safety-relevant reference value M of the instance of the scenario S7 .

Such a method for evaluating a sequence of representations can be repeated with a multitude of different scenarios and a multitude of different security goals with a corresponding number of dynamically extrapolated security-relevant values with sequences of representations and reference representations in order to fully validate a VuT.

With a large number of validation points determined in this way from a large number of instances of the scenario, correlations of the validation points are analyzed S8 in a coordinate space of the validation points in order to evaluate the sequence of representations of the at least one scenario of the mobile platform. This method can be carried out for a large number of scenarios as described here in order to evaluate sequences of representations from other scenarios as well.

In the 2a is an example of an instance of a sequence 200 an exemplary safety-relevant value TTC, which is represented with safety-relevant reference values. The safety-relevant value (in this example TTC: time to collision) is plotted over the time t in seconds.

In the 2 B is an example of the same instance of the sequence in which 2a reproduced, safety-relevant value 220 plotted over time t, the sequence having been determined with data provided to the mobile platform.

In comparison of the 2a and 2 B it can be seen that, especially in the critical area in which the TTC is reduced to almost 5 seconds, the course of the two sequences are also very similar in terms of the absolute value. However, the mobile platform also generates security-relevant values that are not confirmed by the security-relevant reference values. This comparison can be seen as the basis for the method described.

The 3 outlines intermediate results of the calculation steps for determining a safety-relevant value S4 , S5 . This is in a diagram 300 shown, for example, on the one hand in the step S4 a representation sequence 310 and on the other hand in the step S5 a reference representation sequence 310 of a host vehicle dynamically extrapolated values can be determined in relation to their x and y coordinates (xcoord; ycoord). In addition, on the one hand, in the step S4 a representation sequence 320 or on the other hand in the step S5 a reference representation sequence of an object 320 an instance of the scenario to which a corresponding safety-relevant value can be traced back, with reference to the x and y coordinates of this object, extrapolated dynamically to the safety-relevant value 330 to determine. The security-relevant value 330 in this case is a DCE value (distance to closest encounter), ie the minimum distance from the dynamic extrapolation of the center of gravity of the host vehicle compared to a dynamic extrapolation of a dynamic object from the two representation sequences 310 , 320 can be determined. The values of the two sequences assigned to one another over time are here 310 , or. 320 connected with a thin line representing the distance and from this graph 300 can be the minimum distance 130 can be read.

The 4th shows a validation plot 400 , in which a large number of validation points are plotted in the coordinate system of the validation points. That is to say, safety-relevant reference values are plotted against the accumulated deviation of the sequence of the safety-relevant reference value from the sequence of the safety-relevant value, the correspondingly determined safety-relevant values. By determining the validation points and entering the validation points in the validation plot 400 For the analysis of the correlations of the validation points in the coordinate space of the validation points, four different regions of the validation plot can be distinguished at a glance. In region A there are validation points that are provided with the sensor data provided by the platform and that have been correctly determined, since the delta _{battery, i.e.} the deviation of the safety-relevant reference value from the safety-relevant value, is small. Since the validation points in region A are very close to the safety-relevant reference value 0, i.e. the minimum distance between the host vehicle and the object is very small or zero, these validation points are very dangerous with regard to the safety goal.

In region B, the validation points are in a region in which the safety-relevant values were essentially correctly determined due to the tolerable deviation from the safety-relevant reference value, and which are not associated with any risk, since the respective extra polished minimum distance is still is very big.

In region C there are safety-relevant values that were incorrectly determined due to the large deviation from the safety-relevant reference value, but which do not indicate any danger. Because of the large deviation from the safety-relevant reference value, safety-relevant reference values that are in region C in the validation plot must be examined more closely, since situations or scenarios may be represented incorrectly on the basis of these values.

If the validation values of regions A, B and C are filtered from the multitude of validation values, values of region D can still remain with which a trend for evaluating the sequences of representation can be determined. A trend curve, for example, can be used for this purpose 410 until the occurrence of the danger (M = 0) can be extrapolated in order to determine at which accumulated error, for example of a sensor system, a danger occurs. This makes it possible, for example, to compare different sensor systems quantitatively or to quantify the success of an improvement in a sensor system.

In a subsequent step, an extreme value analysis can also be carried out using the validation values determined in this way and, if necessary, filtered.

Claims (15)

Method (100) for evaluating a sequence of representations of at least one scenario of a plurality of scenarios of an at least partially automated mobile platform, the sequence of the representations of the plurality of scenarios being based on data sequences from at least one sensor that are provided to the mobile platform, with the steps : Identifying a security goal (S1) in the at least one scenario; Determining at least one safety-relevant value (S2) for the safety goal; Formation of a multiplicity of validation points (S3), each of the multiplicity of validation points being formed with a corresponding instance of a multiplicity of instances of the scenario with the following steps: Determining a sequence of the at least one security-relevant value (S4) by means of dynamic extrapolation of a corresponding representation sequence of an instance of the scenario by means of the data sequences (140) which are provided to the mobile platform; Determining a sequence of the at least one safety-relevant reference value (S5) by means of dynamic extrapolation of a reference representation sequence (145) of the instance of the scenario; Determining an accumulated deviation (S6) of the sequence of the safety-relevant reference value from the sequence of the safety-relevant value within a specified time range for the instance of the scenario; Formation of a validation point (S7) by assigning the accumulated deviation to the associated at least one safety-relevant reference value of the instance of the scenario; Analysis of correlations (S8) of the plurality of validation points formed in a coordinate space of the validation points in order to evaluate the sequence of representations of the at least one scenario of the mobile platform. Method (100) according to Claim 1 , whereby for the analysis of correlations (S8) validation points are filtered from the plurality of validation points, the accumulated deviation of which is smaller than a first deviation limit value and the safety-relevant reference value of which is less critical than a reference limit value. Method (100) according to Claim 1 or 2 , wherein for the analysis of correlations (S8) validation points are filtered from the plurality of validation points whose cumulative deviation is greater than the first deviation limit value and whose safety-relevant reference value is less critical than the reference limit value. Method (100) according to one of the preceding claims, wherein for the analysis (S8) of correlations, validation points are filtered from the plurality of validation points whose cumulative deviation is smaller than a second deviation limit value and whose safety-relevant reference value is particularly critical. Method (100) according to one of the preceding claims, wherein a correlation analysis is carried out with a plurality of filtered and / or a plurality of unfiltered validation points in order to determine a trend of the validation points for evaluating the sequence of representations. Method (100) according to Claim 5 , wherein, in order to evaluate the sequence of representations, an extrapolation of the validation points up to a critical safety-relevant reference value is determined with the specific trend of the correlation analysis. Method (100) according to Claim 5 or 6th wherein, in order to evaluate the sequence of representations, an extreme value analysis is carried out by means of the validation points in order to quantitatively evaluate the sequence of representations of the at least one scenario. Method (100) according to one of the preceding claims, wherein the at least one security-relevant value characterizes a spatial and / or temporal relation of two objects of the scenario. Method (100) according to one of the preceding claims, wherein the accumulated deviation of the sequence of the safety-relevant reference value from the sequence of the safety-relevant value is determined by a sum of individual deviations of corresponding values. Method (100) according to one of the preceding claims, wherein when determining the sequence of the at least one security-relevant value by means of dynamic extrapolation of a corresponding representation sequence, a mitigation option (150) of the at least partially automated mobile platform is taken into account in the dynamic extrapolation. Method (100) according to one of the preceding claims, wherein when determining the sequence of the at least one safety-relevant value by means of dynamic extrapolation of a corresponding representation sequence, a worst-case behavior of a scenario object is taken into account in the dynamic extrapolation. Method (100) according to one of the preceding claims, in which, based on the evaluation of the sequence of representations of at least one scenario of the plurality of scenarios of the at least partially automated mobile platform, a configuration of the at least partially automated mobile platform is adapted. Device which is set up, a method according to one of the Claims 1 to 12th perform. Computer program, comprising instructions which cause the computer program to be executed by a computer, the method according to one of the Claims 1 to 12th to execute. Machine-readable storage medium on which the computer program is based Claim 14 is stored.

Images