code of practice for development, validation and market...
TRANSCRIPT
RESPONSE 3, München, 04.04. 2006 1www.prevent-ip.org
Code of Practice for development, validation and market introduction of ADAS
Dr. Juergen Schwarz (DaimlerChrysler AG)
RESPONSE 3, München, 04.04. 2006 2www.prevent-ip.org
Consortium Partner
RESPONSE 3, München, 04.04. 2006 3www.prevent-ip.org
Overview
• Safety Benefit and Product Safety of Driver Assistance Systems
• Challenges and Consequences for OEM and suppliers developing ADAS
• Rationale of the Project RESPONSE 3
• Legal aspects of a Code of Practice (CoP)
• Scope and content of the CoP
• Timeline RESPONSE 3, what’s your job
RESPONSE 3, München, 04.04. 2006 4www.prevent-ip.org
Safety Benefit of Driver Assistance Systems
Other causes
1,2%
Technical defects
0,7%
Environment / Weather
conditions
4,6%
Human failure
93,5%Driving Accidents: After series introduction of ESP, a significant
decrease of accident numbers within MB-cars
10
11
12
13
14
15
16
1996 1997 1998 1999 2000 2001
year of registration
Pe
rce
nta
ge
of
dri
vin
g a
cc
ide
nts
%
Mercedes-Benz
other brands
Safety Benefit of
Driver Assistance SystemsAARU / VW / Gidas data base
• Vehicle Safety in good shape
• Driver‘s Performance can and should beassisted
RESPONSE 3, München, 04.04. 2006 5www.prevent-ip.org
Product Safety of Driver Assistance Systems
Environment
Task 2: Manoevring
Mental determination
of a collision-free
Corridor
Task1: Navigation
Determination of
Destination and
Travel Time
Main focus
of ADAS
Main focus
of IVIS
Task3: Stabilisation
Operation of throttle,
brakes, steering wheel,
gear change,...
Vehicle
ABS,
ESP/DSC,..
DistractionESoP
SafetyapprovedRisk Issues?
??? ???
RESPONSE 3, München, 04.04. 2006 6www.prevent-ip.org
Safety Topics of Driver Assistance Systems
Environment
Task 2: Manoevring
Mental determination
of a collision-free
Corridor
Task1: Navigation
Determination of
Destination and
Travel Time
Main focus
of ADAS
Main focus
of IVIS
Task3: Stabilisation
Operation of throttle,
brakes, steering wheel,
gear change,...
Vehicle
ABS,
ESP/DSC,..
Human MachineInterface,
Nomadic Device
TechnicalSafety Concept
Human MachineInteraction
RESPONSE 3, München, 04.04. 2006 7www.prevent-ip.org
ADAS Definition (1)
Advanced Driver Assistance Systems
Driver Assistance Systems
NavigationKnowledge based
Information systems (IVIS)
e.g. Navigation System
StabilisationSkill based
Systems of active safety
e.g. ABS, ESP
ManeuveringRule based
Assistance of normal driving
e.g. Lane Change Assist
Assistance in
emergency situations e.g.
Automatic Emergency Brake
Advanced Driver Assistance Systems
Driver Assistance Systems
NavigationKnowledge based
Information systems (IVIS)
e.g. Navigation System
StabilisationSkill based
Systems of active safety
e.g. ABS, ESP
ManoeuvringRule based
Assistance of normal driving
e.g. Lane Change Assist
Assistance in
emergency situations e.g.
Automatic Emergency Brake
RE
SP
ON
SE
3, M
ün
ch
en
, 04
.04
. 20
06
8w
ww
.pre
ve
nt-ip
.org
pre
ve
nt@
ma
il.ertic
o.c
om
AD
AS
De
finitio
n (2
)
Na
vig
atio
nM
an
eu
ve
ring
Sta
bilis
atio
n
Navigation Aid
Information
Acquisition
Information
Processing
Action
Taking
Dual Mode Route Guidance
Adaptive Cruise Control (ACC)
Lane Keeping Assist
Su
pp
orte
dL
eve
l of
Driv
ing
Ta
sk
Le
ve
l of A
uto
ma
tion
Sta
ge
of S
up
po
rted
Driv
er’s
Info
rma
tion
Pro
ce
ss
ing
Cruise Control
Electronic Stability Program (ESP)
Anti Blocking System (ABS)
Lane Change Assist
Automatic Emergency Brake
AD
AS
Na
vig
atio
nM
an
eu
ve
ring
Sta
bilis
atio
n
Navigation Aid
Information
Acquisition
Information
Processing
Action
Taking
Dual Mode Route Guidance
Adaptive Cruise Control (ACC)
Lane Keeping Assist
Su
pp
orte
dL
eve
l of
Driv
ing
Ta
sk
Le
ve
l of A
uto
ma
tion
Sta
ge
of S
up
po
rted
Driv
er’s
Info
rma
tion
Pro
ce
ss
ing
Cruise Control
Electronic Stability Program (ESP)
Anti Blocking System (ABS)
Lane Change Assist
Automatic Emergency Brake
AD
AS
RESPONSE 3, München, 04.04. 2006 9www.prevent-ip.org
Challenges for OEMs and Suppliers
Development and introduction of Advanced Driver Assistance Systems means:
• Supporting and/or substituting the driver in his driving task
• Therefore: complex interaction of system and driver
in multiple traffic situations
• Therefore new challenges for system safety due to– functional complexity (software; human errors in
development)
– more complex driver system interaction,
– lack of experience and unknown user reactions (human errors in usage)
RESPONSE 3, München, 04.04. 2006 10www.prevent-ip.org
Consequences for OEMs and Suppliers bymarket introduction of ADAS
• possible business case but there are
also financial risks based on:
– possible damage of brand image, if ADAS
doesn’t meet consumer expectations
– possible recall campaigns, if ADAS doesn’t
meet consumer expectations or shows
malfunctions
– product liability, if ADAS doesn’t meet
requirements of a safe product
RESPONSE 3, München, 04.04. 2006 11www.prevent-ip.org
ADAS risks - Driver Acceptance
10
8
6
4
2
0,1 1 [h] 10 100 1000
☺ ☺
When it is functioning and
when it is not functioning?
All right, a few weaknesses,
but else a smacher!
Does it work
at all?
It is really working!
Fascinating!!
Unfortunately it is not
working all the time
_
_
_
_
_
_____ * from H. Winner, TU Darmstadt
Explain your customer:It‘s not a bug,it‘s a feature!
ACC: Developed as comfort - functions: focus on high availability
Satisfaction index (ACC) over time of usage
RESPONSE 3, München, 04.04. 2006 12www.prevent-ip.org
ADAS Risks - Sensor Limits
Radar Lidar
How to explain these limits to a customer?How will the customer create a mental model?
RESPONSE 3, München, 04.04. 2006 13www.prevent-ip.org
Rationale for RESPONSE 3
• What can be done about legal risks
linked to ADAS?
– How to prove, that the product is
reasonably safe?
– How to prove, that the manufacturer has
fulfilled his duty of care?
– What is the state of the art for development
and validation of ADAS?
Code of Practice as a solution?
RESPONSE 3, München, 04.04. 2006 14www.prevent-ip.org
Code of Practice - Legal Requirements
• A product is defective, if
– it does not provide the safety that can reasonably beexpected taking into account all circumstances,
• in particular the presentation of the product,
• the use of the product that can be expected in faith
• Codes of practice already play a role on a European level in product safety law.
• Can therefore contribute to the assessment of “safe product“/”non-defective product“ on the same level as other voluntary rules/ guidelines / recommendations.
• Code of Practice should integrate existing elements of state of art/state of science and art such as standards, recommendations etc, and fill the gaps not yet covered.
RESPONSE 3, München, 04.04. 2006 15www.prevent-ip.org
Importance of Validation EffortLegal Consideration of a CoP
• Safety Levels:
• Product Liability Law: State of science and art
• Product Safety Law: State of art and technology– (1) Community provisions (European legislation)
– (2) Rules of national law
– (3) National standards giving effect to a European standard
– (4) Community technical specifications
– (5) National standards
– (6) Code of good practice
– (7) State of art and technology
– (8) Safety which consumers reasonably expect
A Code of Practice will be legally relevant
RESPONSE 3, München, 04.04. 2006 16www.prevent-ip.org
Scope of the Draft CoP
• This COP specifies a procedure for
assisting the assessment of safety
issues of ADAS, focussing Human-
Machine-Interaction. It addresses
- Risk identification within specification
work of ADAS
- Performing hazard and risk analyses
- Assessment methodology for ADAS
RESPONSE 3, München, 04.04. 2006 17www.prevent-ip.org
Scope of the Draft CoP (2)
TheIntegratedApproach
Syste
m A
spects
Level of Support
Safety
Reliability &Robustness
Performance
Driver AspectsHuman-Machine-Integration
Cognition Emotion/Motivation
Psychomotoric Performance
Product Use & Responsibility
Legal A
spects
Traffic Law / Type Approval
Product Liability Law /Tort Law
Insurance Law
Criminal Law
RESPONSE 1
ISO TC22/SC3/WG16
ControllabilityConcept
RESPONSE 3, München, 04.04. 2006 18www.prevent-ip.org
Definition of Controllability
Controllability:
Likelihood that the driver
can cope with driving situations
including ADAS assisted driving,
system limits and
system failures.
RESPONSE 3, München, 04.04. 2006 19www.prevent-ip.org
Controllability Concept
Controllability is related to
…the possibility and capability to perceive the criticality of the situation
…the capability to decide on an appropriatecountermeasure (e.g. override capabilities, complexity of the system switch-off procedure)
…the driver’s ability to perform the chosencountermeasure (e.g. reaction time, sensory-motor speed, accuracy)
RESPONSE 3, München, 04.04. 2006 20www.prevent-ip.org
Elements of a safety process and controllability aspects
Testing
Concept Phase Series Development
Definition phaseConcept
competition
Proof of
Concept
Validation
&Sign off
ControllabilityConfirmation
final proof
Detailed
Design
Hazard analysis and risk assessment
SafetyRequirements
Proof of Safety
ControllabilityAssessment
ControllabilitySafety
Concept
Elements of a
General Safety ProcessActivities regarding Controllability
Draft HMIconcept
Definition and
Comparison ofHMI concepts
Detailed HMISpecification
HMIVerification
HMIValidation
Activities regarding
Human machine interaction
HMI Realisation
Controll.Prelim. Sign
off
Sign off& SoP
HMIconceptfreeze
RE
SP
ON
SE
3, M
ün
ch
en
, 04
.04
. 20
06
21
ww
w.p
reve
nt-ip
.org
pre
ve
nt@
ma
il.ertic
o.c
om
Stru
ctu
reo
f req
uire
me
nts
CoP
Introduction
Definitions
Develop. Proc.
Controllability
ADAS
Requ. & Recom.
Annexes
Defin
itions
and
pre
sum
ptio
ns
Checklis
t and m
eth
od
descrip
tions
Defintion phase
Concept
competition
Proof of concept
Detailed design
Validation
and sign-off
Defintion phase
Concept
competition
Proof of concept
RESPONSE 3, München, 04.04. 2006 22www.prevent-ip.org
Content - Overview
Specification Framework
Estimation of controllability problems
Identification of possible risky situations
Evaluation of controllability
Controllability
final proof
☺5. Is a misinterpretation of a system message possible?
☺4. Can system output and information be perceived by
the driver quickly enough to enable him to react appropriately? (e. g. take over request from adaptive cruise
control)
☺3. Does the system provide timely feedback about
system reaction in a given traffic situation? (e. g. take over request from adaptive cruise control)
☺2. Is it necessary to support system feedback using additional information channels? (e. g. acoustic in
addition to optical display)
☺1.Is it possible that the driver may fail to perceive a
system message?
CommentsNot
suit-able
NoYesPerceptibility (message transfer to driver)
☺5. Is a misinterpretation of a system message possible?
☺4. Can system output and information be perceived by
the driver quickly enough to enable him to react appropriately? (e. g. take over request from adaptive cruise
control)
☺3. Does the system provide timely feedback about
system reaction in a given traffic situation? (e. g. take over request from adaptive cruise control)
☺2. Is it necessary to support system feedback using additional information channels? (e. g. acoustic in
addition to optical display)
☺1.Is it possible that the driver may fail to perceive a
system message?
CommentsNot
suit-able
NoYesPerceptibility (message transfer to driver)
RESPONSE 3, München, 04.04. 2006 23www.prevent-ip.org
Timeline of RESPONSE 3 – What‘s your job?
Start in10/2004
WS on Draft CoP11/2005
WS on Final CoP09/2006
Preparation Phase Validation Phase and Update
• Preparation of Draft CoP byRESPONSE 3 partners
• Wider Application of Draft CoP bypartners and also members of Consensus team
• Collecting feedback about use of the Draft CoP
•Useability•Missing content•Objections to the content
RESPONSE 3, München, 04.04. 2006 24www.prevent-ip.org
Summary of RESPONSE 3: Code of Practice for ADAS
• Translating the key issues of “reasonable safety” and “duty of care” into engineering practice
• Basis for a definition of "safe" ADAS development and testing also from a legal point of view
• Agreement on these development guidelines between all stakeholders as basis for company internal translation and/or optimisation of system design specifications and complementary verification methods.