自動車安全のためのHMI概念モデル：DESH-G

Masao Ito NIL Software Corp.

21/Oct/2016

HMI Abstract Model for Automotive Safety Based on DESH-G

伊藤昌夫 株式会社ニルソフトウェア nil@nil.co.jp

1

Abstract

2

▪ Now, it becomes more important that the relationship between the car and the driver, because we have to think about it partially in the autonomous car era.

▪ There is little industrial experience in this field, especially as for safety. Because;

▪ Most of the driver usually are NOT professional operator (conf. power plant)

▪ The circumstances around the car are very complicated (conf. airplane, railway)

▪ We propose an approach to design the abstract HMI model in the concept phase, especially from the viewpoint of safety.

2

Relating Works

3

▪ Finding Hazards and Threats ▪ Masao Ito: Finding threats with hazards in the concept phase of product

development. In European Conference on Software Process Improvement, Springer Berlin Heidelberg. pp. 277-284,2014

▪ Driver Model ▪ Masao Ito: Controllability in ISO 26262 and Driver Model. In European

Conference on Software Process Improvement (pp. 313-321). Springer International Publishing. pp. 313-321, 2015

▪ Preliminary Architecture ▪ Masao Ito, How can we deal with the concept phase in the functional

safety standard for automobiles ?, in proceedings of Safety-Critical Systems Symposium 2016 (SSS'16), 2016

All works were mainly for the concpt phase of ISO 26262 (Part 3)

3

item ?

4

• The “item” is not the system in the meaning of ISO 26262 standard; It is an abstract object, and a system is generated from the item. For example; – The auto-cruise control

system is an item – The ACC implemented in

the X type of a car is a system

• As for system, we have many analyzing methods, but there is little for the “item”.

Item Function

System

Component

HW-Part/SW-Unit

ISO 26262 Part 10 Fig. 3

4

DESH-G model

5

▪ DESH-G schema covers the environment, driver and goal as well as hardware and software.

Goal

Driver

Software & Hardware

Environment Scenario

D

E S

H

G

driver skill driver state

factors (road, traffic, weather ...) Activity Action Operation

ACTV A

TASK_AOP_A1

OP_A2

TASK_B

OP_B1

OP_B2

OP_B3

OP_B4

Activity Action Operation

ACTV A

TASK_AOP_A1

OP_A2

TASK_B

OP_B1

OP_B2

OP_B3

OP_B4

5

DESH-G model

5

Safety vs. Harm Situation as for controllability

6

Task

De

ma

nd／

Driv

er C

ap

ab

ility

Task Demand @ t = tn+1

Driver Capability @ t = tm+1

Break point for accident @ t = tn+1

degradation of driver capability

Hazardous event occurred

Variation of Individuals

Task Demand @ t = tn

Driver Capability @ t = tm

System Limit

Task Demand vs. Driver Capability

Break point for accident @ t = tn

D-zone

S-zone

6

DESH-G interfaces

7

▪ Basic schema

7

[0]S

D

E

S

H

Im

Ii

Id

Is

G

information

maneuvering

sensing

driving

HMI

Interface Schema (basic)

Ii: Interface for information provision

Im: Interface for maneuvering

Is: Interface for sensing the environment

Id: Interface for reaching out to the environment

7

D

E

S

H

Im

Ii

Id

Is

G

information

maneuvering

sensing

driving

D

E

S

H

Im

Ii

Id

Is

G

information

maneuvering

sensing

driving

Self-Car Forward-Car

HMI 通信

DESH-G interfaces

8

▪ In CACC, we have another interface to comunicate with the other system

8

[2]S∿d

Otherinteface(Communicationchannel)

Interface Schema (CACC)

[1]S1∿S2

8

D

E

S

H

Im

Ii

Id

Is

G

sensing

driving

Im

DIi

GHMI

デバイス

maneuvering

information

DESH-G interfaces

9

▪ In RPA (Remote Parking Assist), the driver is outside of a car. The system communicates with the mobile device.

9

[2]S∿d

Interface Schema (RPA)

[2]S∿d

9

Preliminary Architecture

10

▪ Preliminary architcture comes from the interface with which we argued like;

10Meta-architecture w/safety mechanism

Refined Controller

Input

Output

Error

aController

Input Checker

Output Checker

Runtime Checker (Fault Detection) （Transit to safe state）

Compose of three check blocks

Controller

10

Discussion

11

▪ False alarm

▪ a misconception on the user’s part leads her to find evidence of an error in her actions where none exists.

▪ Garden path

▪ a misconception on the user’s part produces an error in her action with respect to the prescribed procedure, the presence of which is masked.

Suchman,Lucy:Human-machinereconfigurations:Plansandsituatedactions.CambridgeUniversityPress(2007)

Communication Breakdowns

There is a long history of the human computer interaction in the field of the software system.

11

Sample implementing DESH-G

12

[2]S∿d

Driver State

Car States and Environment

Self-Car

Rear-Car

Comm. Link

リンク確立時のドライバ

状態および先行車周辺環境

Possible Information is displayed without connection

Foward-Car

Display (via Ii) w/Information from other interface

E S D

12

Summary

13

▪ We identified four interfaces (i.e. Ii, Im, Is, Id) in the DESH-G model. In order to think about the automobile safety, consolidation of those interfaces is important especially in the concept phase of system development.

▪ This idea also allows us to find the hazards and introduce the preliminary architecture.

▪ Time duration is important for the driver to make the correct decision, if the system doesn’t show its plan in an appropriate manner, driver might be in the state of “false alarm” or “garden path” especially being in the D-zone.

▪ We can use the finding in the design of HCI of the computer system when thinking about the HMI of the car.

[2]S∿d

13