This paper explains the methodological approach of policy labs as used in applied research projects on autonomous vehicles in Sweden. While introducing new technologies we need to ensure that regulations and policies keep up with the fast-paced technological development. Policy labs are one way of managing the perceived conflict between technological innovation and existing regulations. Within a policy lab, a wide range of stakeholders gather to solve the bottlenecks for innovations together. We show through three different R&D projects how the policy lab approach can be applied and which results, improvements and challenges it revealed for introducing autonomous vehicles.
Safety-critical systems are subject to rigorous assurance and certification processes to guarantee that they do not pose unreasonable risks to people, property, or the environment. The associated activities are usually complex and time-consuming, thus they need adequate support for their execution. The activities are further becoming more challenging as the systems are evolving towards open, interconnected systems with new features, e.g. Internet connectivity, and new assurance needs, e.g. compliance with several assurance standards for different dependability attributes. This requires the development of novel approaches for cost-effective assurance and certification. With the overall goal of lowering assurance and certification costs in the face of rapidly changing features and market needs, the AMASS project has created and consolidated the de-facto European-wide open solution for assurance and certification of critical systems. This has been achieved by establishing a novel holistic and reuse-oriented approach for architecture-driven assurance, multi-concern assurance, and for seamless interoperability between assurance and engineering activities along with third-party activities. This paper introduces the main elements of the AMASS approach and how to use them and benefit from them.
The increased importance of cybersecurity in autonomous machinery is becoming evident in the forestry domain. Forestry worksites are becoming more complex with the involvement of multiple systems and systems of systems. Hence, there is a need to investigate how to address cybersecurity challenges for autonomous systems of systems in the forestry domain. Using a literature review and adapting standards from similar domains, as well as collaborative sessions with domain experts, we identify challenges towards CE-certified autonomous forestry machines focusing on cybersecurity and safety. Furthermore, we discuss the relationship between safety and cybersecurity risk assessment and their relation to AI, highlighting the need for a holistic methodology for their assurance.
The performance of low-cost RTK (real-time kinematic) GPS receivers has been compared to a state-of-the-art system as well as to each other. Both static and dynamic performances have been compared. The dynamic performance has been evaluated using a vehicle with a driving robot on the AstaZero proving ground. The assembly of the low-cost RTK GPS receivers is presented, and the test set-ups described. Besides having a lower data output frequency, two of the low-cost receivers have static and dynamic performance not far from that of the state-of-the-art system.
Implementing AUTOSAR-based embedded systems that adhere to ISO 26262 is not trivial. High-level safety goals have to be refined to functional safety requirements and technical HW and SW safety requirements. SW safety requirements are allocated to the application as well as to the underlying AUTOSAR platform. Finding relevant safety requirements on the AUTOSAR basic software is a challenge. AUTOSAR specifications provide incomplete lists of requirements which might be relevant. In this paper we address this challenge by providing tool support to automatically extract relevant functional requirements for given safety scenarios. A conservative estimation gives that the safety-relevant part of the overall requirements can be as small as 30%, which reduces the necessary rigid testing effort. An electronic parking brake example is presented as a demonstration of concept.
Connected and Automated Driving (CAD) features rely on several key technologies to function safely at the vehicle and component level. HEADSTART (Harmonised European Solutions for Testing Automated Road Transport) is a research project funded by the European Union that aims to define testing and validation procedures for CAD features with a focus on three Key Enabling Technologies (KETs): Vehicle to everything (V2X) communication, Positioning and Cybersecurity. This paper presents the technical and functional requirements for these three KETs including what is needed for these technologies to work correctly (at vehicle and component level) and what is needed to verify and validate them in proving ground and simulation environments. The final aim is to satisfy the safety requirements to protect the vehicle itself and the other road users.
An evaluation of safety and security properties performed by an independent organisation can be an important step towards establishing trust in Automated Driving Systems (ADS), bridging the gap between the marketing portrayal and the actual performance of such systems in real operating conditions. However, due to the complexity of an ADS's behaviour and the dangers involved in performing real environment security attacks, we believe assessments that can be performed with a combination of simulation and validation at test facilities are the way forward. In this paper, we outline an approach to derive test suites applicable to generic ADS feature classes, where classes would have similar capabilities and comparable assessment results. The goal is to support black box testing of such feature classes as part of an independent evaluation. By means of co-simulation of post-attack behaviour and critical scenarios, we derive a representative set of physical certification tests, to gain an understanding of the interplay between safety and security. During the initial tests an ADS is subjected to various attacks and its reactions recorded. These reactions, such as reduced functionality, fall back etc., together with relevant scenarios for the class, are further analysed to check for safety implications.
Standardisation has a primary role in establishing common ground and providing technical guidance on best practices. However, as the methods for Autonomous Driving Systems design, validation and assurance are still in their initial stages, and several of the standards are under development or have been recently published, an established practice for how to work with several complementary standards simultaneously is still lacking. To bridge this gap, we present a unified chart describing the processes, artefacts, and activities for three road vehicle standards addressing different concerns: ISO 26262 - functional safety, ISO 21448 - safety of the intended functionality, and ISO 21434 - cybersecurity engineering. In particular, the need to ensure alignment between the concerns is addressed with a synchronisation structure regarding content and timing.
When introducing automated driving systems (ADS), it is imperative that there exist mutual agreements between the ADS and stakeholders – such as the ADS equipped vehicle user, other road users, and society at large – on how the ADS should behave. Lacking such agreements, the ADS may antagonize stakeholders and, even worse, pose severe safety risks. The ADS needs a complete and unambiguous set of machine-interpretable properties describing these interactions, while the human stakeholders need to understand and accept how the ADS is designed to behave. We propose to make these considerations explicit in the form of agreements. The completeness problem is tackled by cataloguing and categorizing all agreements that need to be considered during the lifetime of an ADS in a systematic way.
The complexity of developing embedded electronic systems has been increasing, especially in the automotive domain, due to recently added functional requirements concerning e.g. connectivity. The development of these systems becomes even more complex for products - such as connected automated driving systems - where several different quality attributes (such as functional safety and cybersecurity) also need to be taken into account. In these cases, there is often a need to adhere to several standards simultaneously, each addressing a unique quality attribute. In this paper, we analyze potential synergies when working with both a functional safety standard (ISO 26262) and a cybersecurity standard (first working draft of ISO/SAE 21434). The analysis is based on a use case developing a positioning component for the automotive domain. The results regarding the use of a multi-concern development lifecycle are on a high level, since most of the insights into co-engineering presented in this paper are based on process modeling. The main findings of our analysis show that on the design side of the development lifecycle, the big gain is completeness of the analysis when considering both attributes together, but the overlap in terms of shared activities is small. For the verification side of the lifecycle, much of the work and infrastructure can be shared when showing fulfillment of the two standards ISO 26262 and ISO/SAE 21434.
The emergence of Automated Driving Systems (ADSs) has transformed the landscape of safety assessment. ADSs, capable of controlling a vehicle without human intervention, represent a significant shift from traditional driver-centric approaches to vehicle safety. While traditional safety assessments rely on the assumption of a human driver in control, ADSs require a different approach that acknowledges the machine as the primary driver. Before market introduction, it is necessary to confirm the vehicle safety claimed by the manufacturer. The complexity of the systems necessitates a new comprehensive safety assessment that examines and validates the hazard identification and safety-by-design concepts and ensures that the ADS meets the relevant safety requirements throughout the vehicle lifecycle. The presented work aims to enhance the effectiveness of the assessment performed by a homologation service provider by using assessment templates based on refined requirement attributes that link to the operational design domain (ODD) and the use of Key Enabling Technologies (KETs), such as communication, positioning, and cybersecurity, in the implementation of ADSs. The refined requirement attributes can serve as safety-performance indicators to assist the evaluation of the design soundness of the ODD. The contributions of this paper are: (1) outlining a method for deriving assessment templates for use in future ADS assessments; (2) demonstrating the method by analysing three KETs with respect to such assessment templates; and (3) demonstrating the use of assessment templates on a use case, an unmanned (remotely assisted) truck in a limited ODD. By employing assessment templates tailored to the technology reliance of the identified use case, the evaluation process gained clarity through assessable attributes, assessment criteria, and functional scenarios linked to the ODD and KETs.
To aim for market introduction and sustainability of automated vehicles requires technology innovation towards safe products and policy innovation to enable testing on open roads and type approvals. Further, it needs an enabling infrastructure to provide reliable connectivity, business models and increased public acceptance of this new technology. The project SCAT - Safety Case for Autonomous Trucks - contributed to this transition by looking at new policy strategies and system tests to prove how to handle vehicles when introducing this new technology safely. The main objective of the project was to investigate more systematically - from a legal and technical perspective - how to safely operate remote controlled vehicles in mixed traffic and with higher velocity. A safety case for the selected traffic environment has been described and explorative tests have been performed at the AstaZero test site in Sweden. This allowed us to investigate limiting parameters and stress test the system's boundaries under real conditions with higher velocity - before the actual demo will be run. With regards to policy, we addressed which obligations drivers and road users have according to today's regulations and which of those may need to be handled through technological development, but also through adaptation of legislation in terms of new roles, tasks, and liability when a vehicle is driven automatically. We also looked at if and how these issues are treated in national and international legislation, in Sweden, France and the USA. What we learned from exploring the safety case contributes to practical improvement, theory building and recommendations on how to safely operate the vehicles. Together the partners have developed an approach to advanced argumentation for safety. In our approach, we combined policy lab methodology and an investigation of the technical safety aspects that helped to identify gaps and tests for improved safety. The approach provides step-by-step guidance before future trials. The project was running from October 2020 until September 2022. The consortium consisted of the partners AstaZero, Einride, Ericsson, RISE (coordinator), Telia as well as reference partners in France and the USA.
This paper describes an approach to better link legal and technical perspectives when investigating how to safely operate remote assisted vehicles in mixed traffic and higher velocities. This approach is applied to prepare for automated trucks in Gothenburg, Sweden. We argue that the challenges we see for the market introduction and sustainability of such vehicles require innovation from a system perspective. Such system innovation includes different dimensions: technology/products, policy/regulations, infrastructure, behavior/values as well as business models, whereas we focus mainly on the first two perspectives here. The proposed innovations support cross border integration for the more comprehensive market introduction of automated goods transport; the approach further includes the legal/policy framework in Sweden, France and the US.
Safety ADD is a tool for working with safety contracts for software components. Safety contracts tie safety-related properties, in the form of guarantees and assumptions, to a component. A guarantee is a property the component promises to hold, on the premise that the environment provides its associated assumptions. When multiple software components are integrated in a system, Safety ADD is used to verify that the guarantees and assumptions match when there are safety-related dependencies between the components. The initial goal of Safety ADD is to investigate how safety contracts can be managed and used efficiently within the software design process. It is implemented as an Eclipse plug-in. The tool has two main functions. It gives designers of software components a way to specify safety contracts, which are stored in an XML format and shall be distributed together with the component. It also gives developers who integrate multiple software components in their systems a tool to verify that the safety contracts are fulfilled. A graphical editor is used to connect guarantees and assumptions for dependent components, and an algorithm traverses all such connections to make sure they match.
One of the major challenges of automated driving systems (ADS) is showing that they drive safely. Key to ensuring safety is eliciting a complete set of top-level safety requirements (safety goals). This is typically done with an activity called hazard analysis and risk assessment (HARA). In this paper we argue that the HARA of ISO 26262:2018 is not directly suitable for an ADS, both because the number of relevant operational situations may be vast, and because the ability of the ADS to make decisions in order to reduce risks will affect the analysis of exposure and hazards. Instead we propose a tailoring using a quantitative risk norm (QRN) with consequence classes, where each class has a limit for the frequency within which the consequences may occur. Incident types are then defined and assigned to the consequence classes; the requirements prescribing the limits of these incident types are used as safety goals to fulfil in the implementation. The main benefits of the QRN approach are the ability to show completeness of safety goals, and to make sure that the safety strategy is not limited by safety goals which are not formulated in a way suitable for an ADS.
Showing that dependable embedded systems fulfil vital quality attributes, e.g. by conforming to relevant standards, can be challenging. For emerging and increasingly complex functions, such as connected automated driving (CAD), there is also a need to ensure that attributes such as safety, cybersecurity, and availability are fulfilled simultaneously. Furthermore, such systems are often designed using existing parts, including 3rd party components, which must be included in the quality assurance. This paper discusses how to structure the argument at the core of an assurance case taking these considerations into account, and proposes patterns to aid in this task. The patterns are applied in a case study with an example automotive function. While the aim has primarily been safety and security assurance of CAD, their generic nature makes the patterns relevant for multi-concern assurance in general.
Connected and automated vehicles with a large variety in operating modes and operational contexts are now emerging. A vital safety assurance issue, also stressed by recent standards and guidelines, is the safety of human-machine interaction (HMI). This paper proposes, and shows a small example of using, a framework for human interaction safety analysis. It is intended for integration in an iterative development lifecycle and to be used in conjunction with relevant standards. In the framework, an analysis is first conducted to elicit all agreements between humans and the automated function, then an interaction analysis method is used to find potential problems with proposed interfaces affecting each agreement. Risk assessment is conducted to determine if risk reduction is necessary, and verification and validation activities are used to provide support for the analysis results and evidence of HMI safety for an assurance case.