FUnctional Safety and Evolvable

architectures for autonomy

–

Final Seminar 2016-09-23

The Problem – Project Challenge

Today, most common accident cause :

Driver misjudgments

Tomorrow: Autonomous driving

Make sure that autonomous driving is safe

2FUSE Final Seminar 2Rolf Johansson2016-09-23

But, what does it mean?And, what does it imply?

Driving is Safe?

Safe Driver & Safe Vehicle

Each one fulfilling its Responsibility

FUSE Final Seminar 3Rolf Johansson2016-09-23

versus

Manual Driver Vehicle functionality

General responsible

Dividing the safety responsibility today

may assume thatResponsible to safely

fulfil what it claims

Functional safety

FUSE Final Seminar 4Rolf Johansson2016-09-23

Manual Driver

Vehicle base

functionality

Introducing an Autopilot

Hand over of responsibility

Automated Driver

Still general

responsible

may assume that

Responsible to safely

fulfil what it claims

Responsible to

safely fulfil what is needed(!)

FUSE Final Seminar 5Rolf Johansson2016-09-23

Functional safety

HMIResponsible to

implement safe transition

Arguing Safety of Autonomous Vehicle

Show all of:

� Base functionality

proven safe

� Automated Driver

functionality proven safe

� Agreement between

manual driver and

automated driver proven

safe

FUSE Final Seminar 6Rolf Johansson2016-09-23

7

Three Dimensions of Autonomy

Fully automated

Driver only

Highly automated

Assisted Driver

Semi-automated

Autonomy in how much?

How much autonomy?

The ITS environment (source: ETSI)

Autonomy of how much?

One function Set of related functions All functions (no driver)

City SafetyAutopilot

ACC CMbB

FUSE Final SeminarRolf Johansson2016-09-23

Autonomous Driving?

8

Towards More Autonomy in More

What happens to Functional Safety when passing the dotted line?

- How to define it? (Lacking definitions in ISO 26262)

- How to achieve it? (Demand for architectural patterns, and division of responsibility)

- How to prove it? (Demand for new compositional safety arguing)8FUSE Final Seminar

Rolf Johansson2016-09-23

Summarizing FUSE10:45:

• Safe Transitions of

Responsibility in highly

automated Driving

9FUSE Final Seminar 9Rolf Johansson2016-09-23

Make the responsibility

explicit!

11:00:

• How to make a complete risk assessment of autonomous vehicles

Make the responsibility

implementable!

12:45:

• Evolving or disruptive E/E

architectures for

autonomous vehicles

Divide overall responsibility!

14:20:

• A functional safety

concept for

autonomous carsMake sure all safety

requirements are there! 15:10:

• Correctness and Completeness in Requirement engineering

But what if?

15:25:

• Don’t believe what

you read on

Internet: Why self-

driving cars don’t

have to choose

whom to kill

Activities and Results

10FUSE Final Seminar 10Rolf Johansson2016-09-23

High focus on interaction

• co-organized workshops

• invited talks

• peer-reviewed punblications

Interface to many disciplines

• Legal

• HMI design

• Robotics

• ADL (architecture domain languages)

• Requirements engineering

• Agile methodology

• Formal logic

• ….

•Architectures for Autonomous Machines, in cooperation with ICES - KTH, January 14th 2014, Stockholm.

•Joint Project Workshop with EU FP7 project KARYON , May 7th 2014, Göteborg.

•Joint Project Workshop with FFI project SYNLIGARE, May 15th 2015, Göteborg.

•Safety and Automated Driving, in cooperation with IQPC, November 26th 2015, Düsseldorf.

•Winter Workshop, in cooperation with ICES - KTH, January 22nd 2016, Stockholm.

•Joint Project Workshop with European space research project CATSY, March 15th 2016, Stockholm.

•Joint Project Workshop with FFI projects SYNLIGARE and HEAVY ROAD, May 18th 2016, Göteborg.

Activities and Results

11FUSE Final Seminar 11Rolf Johansson2016-09-23

publications•Architecture challenges for intelligent autonomous machines: An industrial perspective. IAS 2014.

•A Functional Architecture for Autonomous Driving. WASA 2015.

•How to Reach Complete Safety Requirement Refinement for Autonomous Vehicles. CARS 2015.

•The Importance of Active Choices in Hazard Analysis and Risk Assessment. CARS 2015.

•Reference Architectures for Highly Automated Driving. Doctoral thesis 2016.

•Efficient Identification of Safety Goals in the Automotive E/E Domain. ERTS2 2016.

•A Functional Brake Architecture for Autonomous Heavy Commercial Vehicles. SAE World Congress 2016.

•Challenges in architecting fully automated driving; with an emphasis on heavy commercial vehicles. WASA 2016.

•The Need for an Environment Perception Block to Address all ASIL Levels Simultaneously. IV 2016.

•Safe Transitions of Responsibility in Highly Automated Driving. Depend 2016.

•Disarming the Trolley Problem – Why Self-driving Cars do not Need to Choose Whom to Kill. CARS 2016.

•Functional Safety and Evolvable Architectures for Autonomy. Book chapter 2016 (to appear).

•Systems engineering and architecting for autonomous driving. Book chapter 2016 (to appear).

•Defining Autonomous Functions Using Iterative Hazard Analysis and Requirements Refinement. SASSUR 2016.

•Functional Safety for Self-Driving Cars. Safetronic 2016 (to appear).

•A functional reference architecture for autonomous driving. Journal of Information and Software Technology (to appear).

12FUSE Final Seminar 12Rolf Johansson2016-09-23

http://www.fuse-project.se/ rolf.johansson@sp.se