The following feature is a shortened, edited version of a rough draft extraction from 7FM Design for Functional Safety, the Concept Design Phase, by John Lindland, presented in association with ADAS & Autonomous Vehicle International, and available for download in its original, full-length form.
When this step (Part 2) is complete, the HARA will be a tractable project for managing, studying, documenting and summarizing all risks.
All domains can be compressed into a definable model that includes all risks. Solving the risk of this model solves the risk of the ODD. An AV cannot drive on a road segment until it has solved all the technical challenges/risks of the segments.
When traffic flow is laminar it is inherently safe. Situational flow has minor/moderate turbulence caused by cross flow patterns and flow constraints. A precrash scenario is turbulent flow where risk is controlled by exposure (a random uncontrolled variable) and risk managing responses (designed to avoid all risks).
7FM considers the levels of autonomy to be the complexity of each applied solution, specific to the need of the domain. Each domain contains its own specific-point risks, transition risks and risks within its representative road segments. This means that a solution cannot be transferred to a new or expanded domain without performing an impact analysis (a partial HARA) to find and solve the new risks. L1/L2 solutions are general-domain, closed-loop control systems. L3 solutions are narrow-domain, first-order solutions with direct first-order responses. L4 solutions are second-order solutions with second-order responses and full adaptive controls and path planning. An L5 solution is a second-order solution that is third order as necessary to solve a complex point on the ODD map. It is fully adaptive and fully predictive as necessary. It also has risk-reduction full-path planning.
Terms:
AV: autonomous vehicle.
VLF: vehicle level function.
ASIL: automotive safety integrity level.
Harm: injury to a human.
Hazard: precrash scenario involving human exposure to harm.
HazOb: hazard objects are vehicles, pedestrians and cyclists.
Animal: a precrash scenario that causes unplanned swerving which creates a hazard.
ODD: operational domain definition.
MAIS: maximum abbreviated injury scale.
Deterministic realm: stable perception object categorization (a car is reliably categorized as a car, a human as a human, a cyclist as a cyclist).
Nondeterministic realm: unstable object categorization.
Part 1 covered the ISO 26262 requirement for the HARA and then expanded into road types, situation analysis and an overview of hazards (precrash scenario). This Part 2 compresses the ODD into a model that contains all technical challenges and risks that must be solved. The ODD comprises functional road classifications. The most complex risks of each road classification can be represented by strategically selected road segments, their transitions and specific point risks. All knowable and findable risks are documented, summarized and ready to be linked to their vehicle-level function-failure modes (see Part 3) to begin the assignment of safety goals, functional safety requirements and technical functional safety requirements.
Driving environment complexities will consider 1) laminar flow, 2) situational flow and 3) turbulent flow. Laminar flow is inherently safe driving. There is a smooth acceptance/observance of right-of-way rules and regulations. Situations have one or more small pockets of turbulence caused by flow exchanges and restrictions.
The AV will make choices about road grade access and mobility (Figure 3.0). Access is defined by the point/reason at which occupants exit a vehicle (e.g. business, parking, shopping, eating, drinking). Occupants become pedestrians and cyclists and will move toward or away from the flow of traffic. Mobility reduces travel time, so there are fewer traffic redirections, flow crossings, situations or cross flow risks. Mobility roads are designed to support safe laminar traffic flow, at elevated speeds, over extended distances.
The theater of testing includes actors, stage and props. The theater must make the AV believe it is in the actual driving environment. Actors: the AV and HazObs, each with road segment entrances, navigation actions and exits. Stage: the physical structure of the road with control devices, signs, markings and so on. The actors play their parts as they enter, move across and exit the stage. This creates entrance risks, cross flow risks and exit risks. Exit risks are transitions to a new segment’s entrance protocol (requirements, risks and risk mitigation responses). It is also the general/specific point protocol for turns. Props, and the positions/responses of the HazObs, recreate the patterns of a recognizable driving situation/scenario. The stage must produce recognizable patterns of road structure, control devices, location/movement of HazObs and static/dynamic flow restrictions, as required to redirect the flow into its situation/scenario. The AV and HazObs are trying to reach their respective destinations.
There are homogeneous sections of roads with high-volume shopping, shows, entertainment, bars, museums and so on. This leads to being able to prove that one city block is the same as the last city block, or one mile of country freeway driving is like the last 50. Master all the conditions in one mile, and 51 miles of road have been studied, mastered and validated.
This is the collapsing of the ODD. A safety driver would be in the AV as it drove every single situation/scenario in the ODD as part of the final AV validation. Prior to this every risk has been validated on the track. All the risks of each representative segment, transition and specific points have been individually validated on the road with a test driver, after being validated on a test track/closed-off road. This is specific safety management before general risk management. The HARA knows where to find every situation/scenario in a public environment.
Qualified safety – society’s safety goal. When the AV is statistically safer than a human driver based on a nation’s crash database (e.g. NHTSA) and the AV experience is embraced by its customers.
ODDs are an accumulation of functional road classifications and allowable drivable surfaces (Figures 3.25 and 3.4). The ODD includes society’s interface with the AV. Roads are assigned functional classifications by NHTSA. These classifications define and control how the AV and HazObs access the various levels of drivable surfaces. Each classification has its own crash statistics table and will be reviewed later. Each line between classifications is a transition point where risks can significantly change. All roads are designed to control road-grade access. This means that each access point can produce a considerable change in the nature and/or type of through-traffic and cross-traffic flow patterns.
The most granular classification provides road-grade access to residential homes. The least granular limits the use of freeways/expressways to vehicles that are powerful enough to keep up with traffic. Pedestrians, cyclists and vehicles under a certain size are not allowed on freeways/expressways. This is a permanent reduction of risk. Each road classification has its own unique exit/entrance risks. Each has its own groups of destinations that gather and split choices toward pass through rather than access.
Each classification produces representative segments, their transition risks and specific point risks. Each must have its own set of HazOb digital signature matches (a priori) listed from most to least probable (technical functional safety requirement). The map must contain the most likely situations and resulting precrash scenario patterns, prioritized from most to least likely for each road segment (technical functional safety requirement). This produces an entry protocol of restriction, relative HazOb positions, flow density, flow movement and intercept patterns to match (just ‘pattern’ from now on), each linked with its prioritized list of safe responses. The AV will be able to emulate a human driver who has learned to be aware of the risks associated with a given or specific road segment.
Transition is when the next road segment offers risks in a different way from the last road segment. It is also the points on the map with specific risks. This is the new segment’s safety protocol.
A system must properly assess and respond to the driving environment, monitor all its system level functions for failure modes/fault states, monitor the vehicle for failures, and transition to the most appropriate safe state before a precrash scenario develops.
Fatality, injury and property damage. Time and distance are safety-critical constraints. Each scenario will define the probability of property damage, injury or death. Probability is the exposure. The risk of harm is the combination of hazard energy in motion, physical overlap and the nature of the HazOb struck. Severity is its negative impact on the probability of injury or fatality. For example, Table 2.23 shows that roughly 70.9% of all crashes cause only property damage, 28.6% cause injury and 0.5% are fatal. Based on the Maximum Abbreviated Injury Scale (Table 3.24), the injuries will average out to 92.1% minor to moderate (Severity = S1), 6.9% serious to severe (Severity = S2), and 1% critical to fatal (Severity = S3).
The NHTSA precrash scenario. Table 3.21 was produced from NHTSA’s database. It is based on a light vehicle that either fails to respond or selects an inappropriate response to an event, resulting in a precrash scenario linked to each crash.
Six precrash scenarios produce 80% of fatalities (red). The next set accounts for 15% of the fatalities (yellow). The remainder accounts for 5% of fatalities. The highest fatality rate is 2.31 deaths per billion miles. This is scenario number 5, Road Edge Departure/No Maneuver, which means there was no driver response (i.e., the crash was not created by a response maneuver). The AV must never drive on a surface it cannot safely define (technical functional safety requirement). The AV must never drive on a surface where right-of-way is unknown (technical functional safety requirement). The AV must never drive unless the path is on an authorized safe driving surface (technical functional safety requirement). The AV has already been assigned the safety goal of creating, and being capable of safely managing, the path. This is assigned to the path team and is part of the core design.
The Venn diagram, Figure 3.25, shows where the lines of situations and precrash scenarios overlap. For example, a situation common to L1-L5 is a vehicle driving at the right-most edge of its lane. It drifts to the right. There is no shoulder on the road’s edge. The vehicle’s front right tire leaves the drivable surface and instantly enters a ‘lane departure’ single-vehicle crash. Situation: riding the right-hand side of the lane, combined with excessive lateral variation or a path that drifts right for some reason (e.g., GPS drift or following an incorrect line), creates an unacceptably high probability of road departure. The Hazard Variation is wider than the Hazard Distance, which is the distance to the edge of the road. Every now and then the AV will leave its lane and cause a lane-departure-related precrash scenario. The same analysis applies to all lanes of all roads. Lane departure is a Level 2 Mastery of Functions (maneuvers) failure. It is a failure for all L2-L5 designs. It is a variation-at-speed risk, and also a risk from dynamic changes in road force: a very low road force after cresting a hill, a very high road force from compression when a descent turns into an ascent, and the centripetal forces created around each corner. The AV will view the world from all combinations of dynamic changes in forces caused by each change in throttle, steering, braking, road surface and road geometry (the basis of all maneuvers and responses). This is the second level of design required for L3-L5 designs. This is dynamic control of bodies in motion: kinetic energy, momentum, axial rotation and changes in road friction. Road friction must be able to react and develop all the required equal and opposite forces.
The combined knowledge and understanding in a team’s experience defines what is knowable and foreseeable by a team. The required knowledge will be from perception, object recognition, object attributes, object tracking, current/future motion constraints, emergency avoidance paths, stability prediction, motion planning, dynamic control and calibrated vehicle control. Mapping and localization support most of these teams.
Twenty percent of causes produce 80% of effects (Pareto principle). Think of the AVs that are testing and failing on public roads today. They are in the news because they are failing at high rates. Simple and everyday causes are contained in this 20%. Basic and obvious failures are causes in this group.
Eighty percent of causes are found and avoided by a solid, qualified team. This is the level of solid designs with loyal customers – a design that has reached full maturity. It will be competitive with anything currently on the market. The remaining causes all have extended mean times between failures. Users will not remember the last time their product failed, and the very few units that do fail will be isolated cases within a large population. Failures will be singular and a bad reputation cannot develop. This is roughly the minimum analysis required to pass the Five Levels of Mastery of Function and be explicitly proved statistically safe.
Ninety-five percent of causes – the level of autonomy. Autonomous vehicle teams require the best and most experienced team members. A team of experts can identify and avoid well over 80% and approach 95% of causes. Anything not found has not yet occurred in their collective experience (blue moon/force majeure). This is best-in-class and the design will be years ahead of the competition.
Each road classification has its own mixture of risks. These potential patterns are between ‘HARA Relationships’ and ‘Precrash Scenario’. There are three relational strengths: 9-strong is a first-order relationship, 3-medium is a second-order relationship, and 1-some is a weak, third-order or E/E hardware-caused relationship. There are eight first-order relationships (Figure 4.19) that directly surround the AV. In a first-order relationship only one thing has to happen. A second-order relationship requires two things to occur at the same time. This is when a secondary HazOb pushes a first-order HazOb into the AV. Think of the AV being in the center of the circle of potentially direct risks.
Crashes versus road classification. Table 3.38 details crashes versus the Roadway Function Class. The table includes hazardous cargo and other vehicles.
Rural fatal crashes in descending order of occurrence are: Principal Arterial Other (29%), Minor Arterial (21%), Major Collector (20%), Principal Arterial Interstate (12%), Local (11%), Minor Collector (4%) and Principal Arterial Freeway/Expressway (2%).
Urban Fatal Crash roads are prioritized as Principal Arterial Other (36%), Minor Arterial (23%), Principal Arterial Interstate (16%), Local (10%), Major Collector (8%), Principal Arterial Freeway/Expressway (6%), and Minor Collector (2%). This allows a point-to-point route to be identified on a map, on which the risks related to the selected driving segments can be overlaid. While analyzing a given segment, the percent of crashes for the road segment is divided/allocated to specific risks based on their percent contribution (e.g., left-hand turn, number of lanes, intersection). If a forward collision risk is 20,000 crashes and 10% of forward crashes occur on Major Collectors, 2,000 of the forward collision crashes occur on Major Collectors. Each refinement moves the study one step closer to a single police report.
L1/L2 solutions are general domain solutions. There is no deep analysis or ODD to solve. There are only limits of effective avoidance to determine. These are general first-order hazard risks. The lane keeping/lane centering must reduce the risk of lane departure (side collisions, opposite direction head-on collisions and road departure). Dynamic cruise control can range from stop to a set speed and must avoid any forward collision in its crash avoidance zone. Forward crash avoidance might include steering avoidance into an open space. This would be the same discussion for all forward crashes identified in the crash tables in this article. From this point, the discussion will focus on L3-L5 autonomy solutions. Specific L1/L2 relationships will be pointed out if relevant.
An L3 solution is specific to a road segment group and road classification. The desired active segments are the domains that are studied and collapsed. The solution must solve right-of-way driving challenges in its ODD. It must manage all rights of way. It must have passed all Mastery of Function Level 3 validation (mastery of right of way). It must be able to detect a pre-situation, pre-scenario or precrash scenario. The L3 will have rudimentary responses to sudden emergents. The L3 is a direct-response solution (a first-order solution domain). The suggested order in which to consider responses is: 1) slow/stop, 2) arc-swerve, 3) slow/stop-swerve, 4) accelerate/accelerate-swerve (the eight directions of choice). All available solutions are always solved. An L3 can solve only these direct near-path solutions (send-return-to-lane or send-continue-in-new-lane responses).
Sudden emergent HazObs can occur on any part of any road segment. The ability to safely avoid a sudden emergent HazOb is controlled by sensor/processing time and the time required for the vehicle to complete a response.
Sudden emergents are violations of the AV’s right of way and are in a category with its own set of teams. Every flow of traffic in any lane on any road is at risk of some type of sudden emergent in front of or behind the AV. There may also be a sudden side emergent. A sudden emergent can occur with and without warning. The responses are in one of the precalculated free-of-motion-constraint eight directions of choice.
Safe precalculated emergency avoidance stopping and swerving paths are all constraint-free paths or will be constraint-free when activated. However, an emergent might occur when there are no statistically acceptable answers. The lowest hazard of the worst Cpk paths must be chosen.
Potential emergency avoidance paths must be listed from the most to the least optimal choices (technical functional safety requirement). If an emergency path solution is a Cpk ≥ 2.0 it is free from unreasonable risks, belongs with preauthorized responses and the AV is offering zero risk to society.
An emergent intrusion can instantly change a minimum forward path Cpk of 9.6 to 0.31 with a probability of p = 0.18 that a crash will occur (184,060 crashes in 1,000,000 passes/stops). This is from the normal distribution and is well within ±3s in x, y, z and v/t. This is the normal distribution’s strongest and most useful prediction range. The AV will travel between 0.0 and 0.69 capability distance (0.0-2.1 standard deviations) past the point of contact (through the HazOb). At the point of contact the AV will transfer kinetic energy into the HazOb before reaching a full stop. This would be a maximum 0.0-0.69 standard deviation distance through the HazOb. Hazard transfer energy is ½MV² of the AV at the moment of contact, while velocity reduces to zero. A Cpk = 1.0 means time/distance is consumed by AV variation and there is little to no energy transferred after touching/crashing slightly. Transfer energy is Hazard/Harm energy and is the cause of property damage, injury and fatality.
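As an added worked example (not code from the 7FM report or this feature), the following Python reproduces the Cpk-to-crash-probability relationship used above, taking Cpk as the page uses it (the miss distance D_Cpk divided by three standard deviations of path variation) and the normal distribution as the variation model. The constant-deceleration braking model inside transfer_energy_j and the vehicle numbers are assumptions, not something the page states; the block also shows that 184,060 crashes per million passes is the normal tail beyond Z = 0.9, i.e. Cpk = 0.30.

```python
import math

# Added example, not code from the 7FM report. Cpk is used as the page uses it:
# the miss distance from the nominal path to the hazard edge (the Cpk numerator
# D_Cpk) divided by three standard deviations of the AV's path variation.


def cpk_from_distance(miss_distance_m: float, sigma_m: float) -> float:
    """Cpk = D_Cpk / (3 * sigma)."""
    if sigma_m <= 0:
        raise ValueError("sigma must be positive")
    return miss_distance_m / (3.0 * sigma_m)


def crash_probability(cpk: float) -> float:
    """Fraction of passes/stops in which normally distributed path variation
    carries the AV past the hazard edge: P(Z > 3 * Cpk), the one-sided tail."""
    z = 3.0 * cpk
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def crashes_per_million_passes(cpk: float) -> int:
    """The page's way of stating the probability: crashes in 1,000,000 passes/stops."""
    return round(crash_probability(cpk) * 1_000_000)


def overlap_past_contact(cpk: float) -> dict:
    """Worst-case travel through the HazOb when Cpk < 1.0: (1 - Cpk) capability
    units, which is 3 * (1 - Cpk) standard deviations. Zero once Cpk >= 1.0."""
    cap = max(0.0, 1.0 - cpk)
    return {"capability_units": cap, "standard_deviations": 3.0 * cap}


def transfer_energy_j(mass_kg: float, speed_mps: float,
                      decel_mps2: float, gap_m: float) -> float:
    """Hazard transfer energy: the AV's kinetic energy 1/2 M V^2 at the moment
    of contact, velocity then dropping to zero inside the HazOb.
    ASSUMPTION (not on the page): constant braking deceleration from the
    decision point, so v_contact^2 = v0^2 - 2 * a * gap when the gap is shorter
    than the stopping distance; if the AV stops short, nothing is transferred."""
    if decel_mps2 <= 0:
        raise ValueError("deceleration must be positive")
    stopping_distance_m = speed_mps ** 2 / (2.0 * decel_mps2)
    if gap_m >= stopping_distance_m:
        return 0.0
    v_contact_sq = speed_mps ** 2 - 2.0 * decel_mps2 * gap_m
    return 0.5 * mass_kg * v_contact_sq


if __name__ == "__main__":
    # Constructed scenario: the planned path's Cpk collapses from 9.6 to about
    # 0.3 when a HazOb intrudes. Vehicle mass, speed and braking are made up.
    for cpk in (9.6, 2.0, 1.0, 0.31, 0.30):
        print(f"Cpk {cpk:4.2f}: {crashes_per_million_passes(cpk):>7} crashes per 1e6 passes, "
              f"overlap {overlap_past_contact(cpk)['standard_deviations']:.2f} sigma")
    # 2,000 kg AV at 10 m/s braking at 5 m/s^2 (stopping distance 10 m), only 5 m of gap
    print(f"transfer energy: {transfer_energy_j(2000.0, 10.0, 5.0, 5.0):.0f} J")
```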
Optimizing Goals. Planning will have several potential choices to reach the AV’s destination. Choices require the ability to weigh and prioritize. The following four priorities are offered in a descending order of importance. They are 1) select a safe choice, 2) obey the law/right of way, 3) on-time arrival, and 4) lowest cost. Obeying the law must be a high priority, yet if the choice is to crash while following the right of way or to exit the drivable surface (legal violation) where there are no HazObs, the choice is to exit the drivable surface and avoid a crash. An expert driver would not hesitate to drive off a road and across someone’s front yard before returning to the road. They are always ready for an off-road path.
There are many ways to make the right choice while safely failing to obey the law or violating the right of way of others. For example, winter conditions might cover the road with snow/ice so that drivers cannot see the road. When this happens, drivers slow down and follow the tracks of the vehicle in front. Staying centered in the lane is an option for an L3-5 solution, even though the lines/edges cannot be seen. GPS/RTK/IMU combined with perception and mapping means that cameras do not need to see road lines or edges (team: localization, perception, motion constraints, motion planning).
The AV must never be out of context with human drivers (safety goal). The AV must automatically default to a human driving strategy where the lane is defined by either the forward vehicle or tire tracks on the surface (same team). Human drivers use arbitrary lane parameters whereby they do not fall off the edge of the road on one side and avoid crashing into oncoming traffic on the other. The AV would create a precrash scenario if it followed the ground-truth lane center. The AV’s driving rules cannot be out of context with human driving rules.
Vehicle degradation/changes. The AV must be able to detect mechanical degradation. This includes tire pressure and the stability metrics of roll (rotation about the x-axis), pitch or tip-in/out (rotation about the y-axis) and yaw (rotation about the z-axis). Tracking and studying stability responses will detect sudden and gradual structural failures/degradations of the vehicle. A single corner of the vehicle might be permanently low or its travel might be slow and extended (rides like a boat). Steering can become unstable when components wear. Steering vibration can be matched with steering angle. Road vibration is transient. Vehicle vibration tends to be cyclical in magnitude and repeatable in nature (a growl, chatter, thump, tone and so on). This would likely require a team of mechanics and engineers to decide on the few mechanical failures that produce 80% of crashes and develop detection and response strategies. The remaining many that produce 20% of crashes are ignored in the first design. AVs do not design the vehicles they command. The AV must detect the most dominant electric, mechanical and structural failures as well as a human would, and execute a predefined safe response (technical functional safety requirement).
Discussion about pedestrians. Pedestrians include walkers/hikers, runners, skaters, scooter riders, skateboarders, wheelchair users and any other form of non-bicycle-based transportation. Performance wheelchairs are included with cyclists in the low-profile bicycle category. NHTSA’s Figure 4 (DOT HS 812 312, August 2016) shows that a vehicle going straight ahead with a pedestrian crossing the road, in the road or on the road’s edge, accounts for 52% of pedestrian crashes and 90% of fatalities. Turning left and crashing into a pedestrian crossing the road accounts for 25% of crashes and 4% of fatalities. Turning right accounts for 9% of crashes and 1% of fatalities. Backing up accounts for 4% of crashes and 1% of fatalities (aggressive reverse). Changing lanes accounts for 1% of crashes and 2% of fatalities.
Pedestrian attributes. Human body language that telegraphs intent comes from the direction of the eyes, eye movement, head movement, chest direction, arm movements, hand movements, finger movements and the movement of the knees, which tends to commit the pedestrian to a direction. When the pedestrian does anything like this, they are telling the driver that they believe the driver has enough time to stop, because they are going to cross in front of them. These are the sequential patterns by which an emergent HazOb is recognized.
There are many studies that conclude that an extremely large percentage of pedestrians seek eye contact with the driver as they walk/run in front of the vehicle. Eye contact is the line perpendicular to the center of the ocular plane of the pedestrian’s eye. They would look at the AV’s headrest.
One human can glance at another and instantly know where they are looking. The AV must be as good. How close does a camera have to be to the eye to return the direction of an eye (signal to noise)? This will relate to critical distance and time and is something that will be covered in the system phase discussion. The longer version, which is available for download, is 60 pages and describes in depth the spatial and time sequence patterns of predicting the emergent or sudden emergent human crossing in front of the AV. Does the AV need to show a ‘Do Not Walk’ warning even though the AV has the right of way? Or would the AV manufacturer’s legal counsel call that an admission of guilt? This is not criticism; it is part of the world in which we live. Design for capable safety and send the warning. Be able to statistically prove all choices.
Critical distances for objects and their attributes. What does Perception need to understand from the HARA? What does a 300m iRadar, lidar and camera actually mean? Risk assessment requires spatial and time sequence patterns that predict a HazOb’s immediate intent.
Perception begins with an object/obstacle. The first question is “Is something real there?” followed by “What is there?” At what distance must HazOb attributes be understood in order to predict behavior – the current and future state of each HazOb? The team must never conclude that a sensor cannot detect what is needed. This technical limitation requires working with sensor providers in a development interface agreement (DIA) relationship involving shared/overlapped safety cases. Your team receives better capability and the sensor provider receives almost free research, a more marketable sensor, and a story of its first application. Never use the lack of a sensor as an excuse for not having sufficient risk attributes to make safe decisions.
Safety Critical Metric (SCM): the capability of forced choices. A sudden emergent restricts the safe planned path and no other path is risk free. The planned path’s Cpk is reduced to less than 2.0. The other seven choices are all Cpk < 2.0.
Risk free plan: Planned path and precalculated response paths all have Cpk ≥ 2.0: Free from unreasonable risk. Normal trip records.
Forced choice-risky: a forced activation of a path with 2.0 > Cpk_sc ≥ 1.0. No risk near 2.0 and low to moderate risk near 1.0. The type of HazOb avoided becomes safety critical near Cpk = 1.0. A Safety Critical Metric and decision factor record is required.
Forced choice-hazardous: a forced activation of a solution path with Cpk_sc < 1.0. Property damage near Cpk_sc = 1.0, transitioning to full HazOb energy transfer at Cpk_sc = 0.0. An automatically generated Safety Critical Metric, Statistic and Safety Report record is required (retention is 15 years past the end of the decommissioning of the AV’s production line).
Figure 4.49 shows that, knowing the nature, magnitude and energy in motion at any moment of time, the probability of physical overlap can be used to estimate the maximum expected severity of each pass/stop. Energy in motion is the kinetic energy of the AV, which is ½MV². What is the worst-case relative velocity damage – full and worst-case energy transfer? Will it knock someone over, throw them spinning, cause property damage, injury, permanent degradation of life or death? Is there enough energy to deform the HazOb’s vehicle such that it moves into an occupant and causes harm? Is the HazOb a vehicle, pedal cyclist or pedestrian? On which of the partially constrained escape paths is the HazOb postured so that the lowest hazard energy is transferred into critical body regions: organs, senses, neck, spine or brain? In general terms, these would be vehicle (lowest risk), pedal cyclist (medium risk) and pedestrian (highest risk). Yet each of these has specific positions/risks at the moment of choice. This means that all first-order emergency escape paths must always be calculated so that the choice is pure energy transfer mathematics. All records of each choice must be retained.
The SCM is the closest measured pass distance, D_sc, of each HazOb_sc. It has a distance and a time statistic. The distance (miss) statistic is the smallest measured distance of the HazOb_sc pass/stop minus the forced selection path’s Cpk_sc estimated miss distance, which is the Cpk_sc’s numerator D_Cpk. The prediction is made at the forced moment of decision. The confirmation is the sensor-measured closest distance at passing/stopping.
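The following Python is an added example (not the 7FM report’s own code) that encodes the three SCM bands and their record requirements defined above, the forced-choice selection among precalculated response paths (risk-free paths in the suggested order, otherwise the lowest hazard by energy-transfer arithmetic, as the text describes), and the SCM miss statistic D_sc minus D_Cpk. The HAZOB_WEIGHT values, the expected_hazard scoring, the priority numbering and the candidate paths are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

# Added example, not code from the 7FM report. ASSUMPTIONS not on the page:
# priority numbers follow the order the text suggests trying responses, and
# HAZOB_WEIGHT is an illustrative encoding of the vehicle < cyclist < pedestrian
# risk ordering; the page gives the ordering, not these numbers.
HAZOB_WEIGHT = {"vehicle": 1.0, "cyclist": 2.0, "pedestrian": 3.0}


@dataclass(frozen=True)
class ResponsePath:
    name: str
    priority: int            # 1 slow/stop, 2 arc-swerve, 3 slow/stop-swerve, 4 accelerate(-swerve)
    cpk: float               # Cpk_sc of the path at the moment of forced decision
    predicted_miss_m: float  # D_Cpk, the Cpk numerator: predicted closest approach
    hazob: str               # HazOb struck if path variation exceeds D_Cpk
    energy_j: float          # 1/2 M V^2 the AV would transfer at contact on this path


def scm_band(cpk: float) -> str:
    """The three bands the text defines on Cpk_sc."""
    if cpk >= 2.0:
        return "risk free"
    if cpk >= 1.0:
        return "forced choice-risky"
    return "forced choice-hazardous"


RECORD_FOR_BAND = {
    "risk free": "normal trip record",
    "forced choice-risky": "Safety Critical Metric and decision factor record",
    "forced choice-hazardous": "Safety Critical Metric, Statistic and Safety Report record "
                               "(retain 15 years past decommissioning of the production line)",
}


def crash_probability(cpk: float) -> float:
    """One-sided normal tail P(Z > 3 * Cpk): probability that variation overlaps the HazOb."""
    return 0.5 * math.erfc(3.0 * cpk / math.sqrt(2.0))


def expected_hazard(path: ResponsePath) -> float:
    """Assumed scoring: overlap probability x transfer energy x HazOb weight."""
    return crash_probability(path.cpk) * path.energy_j * HAZOB_WEIGHT[path.hazob]


def select_response(paths: list) -> ResponsePath:
    """Risk-free paths are taken in the suggested order; when every path is below
    Cpk 2.0 the choice is forced and the lowest expected hazard wins."""
    if not paths:
        raise ValueError("all first-order escape paths must always be calculated")
    safe = [p for p in paths if p.cpk >= 2.0]
    if safe:
        return min(safe, key=lambda p: p.priority)
    return min(paths, key=expected_hazard)


def scm_record(path: ResponsePath, measured_closest_m: float) -> dict:
    """SCM distance statistic: sensor-measured closest pass D_sc minus the forced
    path's predicted miss D_Cpk (negative means closer than predicted)."""
    band = scm_band(path.cpk)
    return {
        "path": path.name,
        "cpk_sc": path.cpk,
        "band": band,
        "predicted_miss_m": path.predicted_miss_m,
        "measured_closest_m": measured_closest_m,
        "miss_statistic_m": measured_closest_m - path.predicted_miss_m,
        "record": RECORD_FOR_BAND[band],
    }


def sample_forced_choice() -> list:
    """Constructed candidate set: a pedestrian has intruded on the planned path
    (its Cpk collapses to 0.31) and no remaining path reaches Cpk 2.0."""
    return [
        ResponsePath("slow/stop on planned path", 1, 0.31, 0.47, "pedestrian", 50_000.0),
        ResponsePath("arc-swerve left", 2, 1.40, 2.10, "vehicle", 80_000.0),
        ResponsePath("accelerate-swerve right", 4, 0.90, 1.35, "cyclist", 120_000.0),
    ]


if __name__ == "__main__":
    chosen = select_response(sample_forced_choice())
    print(chosen.name, scm_band(chosen.cpk))
    print(scm_record(chosen, measured_closest_m=1.9))
```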
Pedestrian-caused fatalities. Table 3.32 shows that 29% of fatalities were caused by the pedestrian failing to yield the right of way to a vehicle. Pedestrians walk and move as they do because they think they are safe. Many people believe that pedestrians always have the right of way. Pedestrians can become absent-minded and step in front of a vehicle. Sometimes a pedestrian will step in front of a vehicle as if they are daring the vehicle to strike them. It is rare that a pedestrian will display zero attribute warnings/body-language signals of intent. This means no warning attributes and late detection. This is a sudden emergent situation. The AV must be able to model the risk of any pedestrian that might enter the critical zone (technical functional safety requirement – current and future motion constraints). Risk analysis requires that either historical attributes from AV memory or new near-term attributes must be gathered.
Discussion about cyclists. Pedal cycles include any wheeled structure that uses pedals/gears to transfer force from hands or feet to the wheels. This includes elliptical cycles (stand and walk/ride). A safety-critical consideration is the expected height and position of the pedal cyclist’s body and head. The body of an average cycle design places the critical body parts above the plane of most impacts. The critical organ/head exposure of the average pedal-cyclist position is less than that of an average pedestrian. This is a specific risk-mitigating attribute when making a ‘which HazOb has the least risk’ decision. If the rear wheel is struck, the cyclist is moved before the vehicle strikes the body. A head that is low to the ground is more exposed to fatality than a standing body. Expect that a low-profile bicycle as well as a performance wheelchair will be driven over rather than thrown aside (specific HazObs with higher-risk avoidance rules – specific responses to pattern match).
Table 3.39 covers pedal cyclists killed and injured. It shows that 58.6% of pedal cyclists are not at an intersection when they are killed. This means that they were on or near the road riding in available spaces or riding along the side of the road in a designated cycle path and so on. 51% of pedal cyclists are injured at an intersection. 25.5% are injured while are not at an intersection. This is a similar discussion regarding vehicle speed as with pedestrians. The AV must have early pedal-cyclist risk matches sufficient to slow the AV and provide a capable intercept miss/passing for all cyclists at all relative passing speeds/vectors – to/from any direction. Vehicles are likely to drive more slowly at intersections with signs and control lights. Drivers are likely to be more prepared to brake and avoid a pedal cyclist at or near an intersection. The category ‘other’ means that the scenario was uniquely different. It also means there were no witnesses and no facts available to explain any portion of the crash but the end. Some police reports lacked content. Cycle lanes that are along the side of the road are exposed vehicle strikes. The AV or pedal cyclist can depart from their lane. ‘Other’ is a significant 10.5% pedal cyclists killed and 19.1% injured. 28.6% of pedal cyclists are killed at intersections. All sensing, tracking and reaction conversations for pedestrians apply to pedal cyclists.
Pedal-cyclist-caused fatalities. Table 3.41 shows crashes caused by pedal cyclists. These are emergent (response) or sudden emergent (safety-critical response) based on the ability to pattern match attributes. The AV cannot know that a pedal cyclist is under the influence of sickness or of the many forms of legal and illegal substances. Only the pedal cyclist’s behavior is observable and detectable.
Discussion about vehicle crashes. Table 3.35 shows that 38.1% of injury crashes and 63% of fatal crashes occur at non-junctions/intersections. This suggests a relationship between speed and driver attentiveness. Junction/intersections are HazOb exit/enter points. Intersections range from simple to extremely complex. Junctions and intersections with or without control devices have a limited number of physical combinations. These can be studied and grouped for common technical challenges and risks.
Intersections, with and without control devices, are a specific set of challenges common to all road segments. Representative samples are selected and validated to contain all challenges and are studied by the Intersection/Cross Flow teams. Otherwise, every team will be working on intersection solutions and will solve the same problem with different technical solutions. The common problem of protected and unprotected turns across traffic belongs to a single set of teams. Bicycle path and pedestrian path crossings are subsets of this team’s work.
Driving straight and on curves is the statistical capability to define and maintain a lane (mastery of function level 2). This is the start of the core design. Mastery of function level 3 has the statistical capability to master all normal right of way driving challenges. The L3 must be statistically capable of producing a safe path and safe first-order limited emergent response path. This is one of the eight direct positions surrounding the AV. Level 4 must be capable of all first-order, second-order and pattern-match emergent responses. Level 5 is Level 4 with a broader general open start/stop domain.
The same is true for continuous flow intersections such as roundabouts and any type of entrance/exit ramps. Some intersections will be a unique point risk, such as a five-point intersection controlled by lights with a fire station exiting one of the points. Protocol affinities/similarities will create natural groups of homogeneous risks. Intersections that do not fit into a group are specific risks.
Thirty percent of injury crashes and 19.8% of fatalities occur at junction intersections. 21.7% of injury crashes and 8.6% of fatalities are at junction-intersection related locations. Drivers are more aware when they approach or maneuver through an intersection. Most drivers are prepared to slow down, swerve and stop (emergent responses with Cpk ≥ 2.0 preapproved paths). 35% of injuries and 79% of fatalities do not involve traffic-control devices. Precrash scenarios are defined by the AV motion and the physical constraints caused by HazOb positions, road geometry and other factors common in any police accident report. This will help explain why crashes develop differently at intersections versus non-intersections.
Functional road classification risks. Table 3.36 shows exposure and severity for road classifications that are/are not divided and with multiple lanes. Cross-traffic flow patterns belong to a subset team of the Flow team. The Flow team defines the flow and exchanges of HazObs throughout each representative road segment. This defines how HazObs enter and exit each representative road segment. This provides a probability of exiting a road segment, turning onto a new road segment, or changing lanes to flow through the road segment. Each of these is probabilistic. The probability approaches 1.0 or falls to 0.0 depending upon each HazOb’s positioning as it interfaces with the road and other HazObs, including the AV. This includes motion constraints and motion planning supported by traffic pattern recognition and flow models. Flow reduction is a specific risk regardless of the number of lanes at the reduction or road classification (e.g., 5 to 4 lanes or 2 to 1). Flow reduction of lanes is a specific set of solutions defined by a subset of the Flow team. Reduction rules for the AV become the starting model for each representative road segment’s reduction, including new construction. This is solved once by the team and modified for specific risks as needed. Otherwise, each representative road segment team will solve the same set of risks over and over.
Sixty-three percent of fatalities occur on two-lane roads, 13% on three-lane roads, 11% on four-lane roads and 10% on more than four-lane roads. 62% are not divided and 35% are divided. One-way and entrance/exit ramps each have 1% of occurrences.
Every lane and turn is designed with right-of-way rules. The goal is to minimize flow restrictions and sort traffic between access and mobility. This is a combination of metered and natural flow relationships. Metered flow gathers and releases groups. Every lane has a finite number of ways it can be entered or exited.
The driving environment complexity increases with the number of lanes. Lane position is a suggestion of intent. On a two-lane road, the right-hand lane suggests a local access exit or a turn onto a connecting road to the right. The left-hand lane is for through traffic and left turns and exiting on the left. A vehicle in a left lane voluntarily moving to the right lane without forward constraint is going to slow and turn right soon, or drive through. Someone who enters the right lane, accelerates, and moves to the left lane is going to flow through or turn left. A vehicle that joins the forward group intends to flow through. A vehicle that hangs back will make a relaxed and safe decision to continue or turn left. When the left turn is from the left lane, flow-through traffic will change to the right lane, pass the turner, and move back into the left lane. A HazOb will either follow or change lanes. Both are intentional.
There are emergent and sudden emergent responses. All must be precalculated. A response is always to minimize risk. Slowing allows more time and often is all that is needed to resolve a risk back into laminar flow. This is one of only eight first-order or direct changes in kinetic energy. Another choice would be to change lanes (move left, speed up and move left, slow down and move left) as the HazOb changes lane. If a vehicle is passing the AV on its left to pass its forward vehicle on its right, it cuts right in front of the AV. The AV might already be slowing for a stopped vehicle that the HazOb cannot see. This causes a sudden loss of stopping distance for the AV. The HazOb will have to slam on its brakes and still might crash into the stopped vehicle. The left lane is now open for the AV to escape the predictable loss of stopping distance. A first-order escape path to the left would mean following the HazOb’s old constraint past the stopped vehicle that caused the sudden slow down. Another choice would be to change lanes more aggressively than the HazOb and slow at the same time in case the HazOb changes its mind to avoid the stopped vehicle. It is predictable that it might steer hard left and rush back into its old spot. This eliminates the risk for both the AV and the HazOb. It removes the need to risk a hazardous stop. If the HazOb swerves hard back behind its old forward vehicle it will immediately accelerate after its old lead vehicle. This choice is optimal. Decision: there are only two driving-surface emergent responses, which are stop in lane, or go left and slow down more quickly than the HazOb. It would be a specific technical functional safety requirement – pattern match response: slow down if safe, change lanes and slow down if not. Changing lanes is 2% of fatality crashes. A Cpksc ≥ 1.0 hazard escape path estimates that the 2% is not present.
There are only so many patterns created by these eight first-level or direct to the AV constraints/responses. The free directions are available for responses.
The AV must be able to recognize/match the patterns-of-constraints, patterns-of-situations, and patterns-of-precrash scenarios with its free-of-constraint and almost free-of-constraint response choices. How HazObs will respond to restrictions is predictable. The team must document a prioritized list of preferred responses for each situation and precrash scenario (technical functional safety requirement assigned to motion constraints and motion planning).
L3 solutions are responsible for evaluating and responding to the driving environment. This means that the driver’s mind is not engaged. It is a ‘mind off’ solution. A human mind cannot respond to any sudden emergent intrusion into the L3’s planned path. L3 solutions, initially, must be limited to joined road segments of mostly laminar-flow and homogeneous transition risks. This would be limited to a specific lane assignment on a single road classification of validated and nearly homogeneous risks. The L3 must be designed to be capable of every ‘mind-off’ dynamic driving challenge. This includes all normal and predictable emergent risks or surprises that any driver handles effortlessly. This limits the solution to a defined domain string of nearly homogeneous common risk road segments. The L3 must prove statistical capability of its planned path and first order (the right direction) of emergent or small surprise responses.
All Driver Controllability assumptions (L1-L3) must be supported by a design capability analysis that includes takeover response time in all conditions and after long delays, by normal drivers. Controllability is the quickness and correctness of a driver’s response. Capability of path and time are studied together as a single test and provide information for both capabilities. The studies must be designed to produce explicit evidence of safety of path and time response (objective evidence of capability).
The risk of maneuvers. Table 3.37 shows the risks of Vehicle Maneuvers.
Most of this table belongs to the core design team. The core design is the capability to define and follow safe planned paths and to manage all safe response maneuvers for all driving challenges in the ODD (third level of Mastery of Functions). This is the requirement of an L3 solution, with the emergency stop requirements added.
HazObs will fail these maneuvers and place their vehicle in a position to be struck by the AV. The AV must recognize restriction patterns, time sequence patterns and out-of-context patterns (new construction, forward crash, new traffic control devices, vehicles not following lane lines and so on).
Always have a safe way out. This is one of the Smith CDL safe-driving rules. There are only eight first-order escape choices. Maintaining path would mean that the current path, however unsafe, is the least hazardous; it is not a choice that lowers risk. The choices are to speed up, slow down/stop, speed up and go right, speed up and go left, go right, go left, slow and go left, and slow and go right. Which of these need to be strung together to stay safe? How much physical passing distance will there be while escaping the situation?
Is the AV responsible for the HazOb’s reactions to the AV’s safe way out choices? In the form of offering the safest of all possible choices, yes. Most HazObs will have a dependent move away from the AV. This is the dependent HazOb’s risk-reduction response to an intrusion. There is the cause of the precrash scenario and there is the cause of the crash. They are not always the same. However, no solution can depend on HazOb responses. The AV will encroach. The HazOb will respond. This is a ‘given’ or dependent statistical relationship (AV|HazOb or HazOb|AV).
The driver must be in control before a situation turns into a precrash scenario. Work very hard on pre-situation matches (both spatial and time sequence matches) and the driver must assume control of all situations. This way controllability changes from responding to an emergency and becomes responding to a developing situation. An L3 solution must never enter a precrash scenario (technical functional safety requirement). The L3 must exit normal driving and stop off the driving surface before a precrash scenario develops (technical functional safety requirement). The driver can be allowed to assume control during a controlled stop. They must not be allowed to take over during a sudden emergent stop.
The Society of Automotive Engineers identified two minimum risk conditions (MRC) when catastrophic system failures occur. There are four meaningful combinations of this covered in the 7FM System Design Phase. In short these are catastrophic failure with/without power and with/without sensors and the discussion is very detailed.
One of SAE’s suggested MRCs is the highest and deadliest NHTSA precrash scenario (stop in lane). The second MRC recommendation removes the AV from all risks. This is to stop off the driving surface (elimination of all risks). Stopping in lane is safer than driving blindly out of control, and it is a legally and ethically defensible choice compared with the hazards it would otherwise create. What if the AV executes a stop in lane when an off-the-driving-surface solution was available? The first answer is that the choice satisfied the AV designer’s intent. The second is that it did not conform to the automotive safety practice of choosing what is objectively safest. The choice created a fully avoidable rear-end collision.
The safety mechanism ‘Stop in a Traffic Lane’ represents 1.4% of fatalities, 10.6% injuries and 12.7% property damage. The safety mechanism commands ‘Slow in Traffic Lane’ relates to risks of 0.8% of fatalities, 4.7% injury and 5% property damage. The term ‘minimum risk condition’ states that the final decision is the lowest of available decisions. It is not the safest response of those developed so far. It is knowing that there is a safer solution and requiring it be solved and validated. Stopping in lane is only minimum risk when there is no parking available off the active driving surface.
Figure 3.5 shows that Mastery of Maneuvers is the second level of mastery of functions. Maneuvers are how well two or more functions work together. Following a planned path requires linking maneuvers into a seamless time series of safe vehicle level commands. L3 is the design that achieves the first portion of the third Level of Mastery of Functions. Going straight, negotiating a curve, and turning left account for 90% of all fatal crashes, 78% of all injury crashes, and 71% of property damage. Merging/changing lanes accounts for an additional 2% of fatal injuries, 7% injuries and 5% property damage. Passing another vehicle adds 2% more fatal crashes, 5% of injury crashes and 6% more property damage. The third level means that the AV can plan, execute and honor all right-of-way decisions. It has solved all complex driving within its ODD with the exception of sudden emergent responses. This is the mastery for L3 autonomy for the roads authorized. This means it can manage limited transitions.
Situation analysis and hazard identification (ISO 26262 Part 3 clause 6.4.2). Each road classification and how it controls the flow of traffic defines the lowest possible risks for a road segment. Poorly designed road structures receive bad reputations from local residents. Really poor road segments are close to a situation and ready to tip into a precrash scenario at all times. For example, freeway entrances/exits designed in 1957 still exist in the USA. These are often short 25mph (40km/h) clover-leaf entrance ramps onto a freeway with a posted speed of 65mph+ (105km/h), an unsafe speed differential at all times. Every entrance with traffic on the freeway is a situation that is on the close edge of a precrash scenario. The 25mph limit is dictated by the ramp’s very small radius, which is a hard arc. Only performance cars are equipped to take the corner at high speeds. The AV would honor the 25mph entrance and become a forward sudden emergent in the right lane of the freeway, causing a rear-end crash. The speed differential at insertion (zipper maneuver) is unsafe. To make matters worse, it is often a blind entrance where the freeway cannot be seen until 50yds (46m) of entrance ramp remain. And it can get worse still: the freeway exit ramp is a traffic exchange that uses the same 50yds of entrance ramp as its exit ramp. The exit clover leaf is 25mph shortly after the 50yds. There is no way for an AV to plan a safe accelerating insertion. It is a specific risk that must be avoided at times. The only choices are: 1) Accelerate as much as possible and be ready to drive past the end of the 50yd entrance on the trouble strip/shoulder until an insertion can be achieved. If the AV stops, it will have to accelerate from a stop using the emergency strip anyway. 2) Stop, wait and hope for a long open gap. The AV must be able to safely manage this entrance if it is within the ODD.
This is a third-level Mastery of Function with low traffic (right-of-way driving) and a fourth-level complex scenario with medium or higher traffic. The AV must know when there is a conditional moment of time when there are no solutions, the protocol for waiting, and the protocol for proceeding. Rush hour traffic causes a line-up of cars stopped on this ramp waiting to attempt to insert into 65mph+ traffic from a stop, with less than 50m to accelerate. At the same time, some vehicles are trying to get past stopped vehicles to exit. This is a specific point on the map that, until it is solved, must be ‘blacked out’ as a path option between the hours of 7-8:30am and 4:30-6:30pm (estimate from the study). This means that the AV cannot manage the risks, so it avoids becoming a known cause of a precrash scenario and resulting crash. This should result in some type of geofenced restricted entrance based on the AV’s estimated time of arrival at the entrance waypoint. The AV does not know this path is available and produces a safe solution (avoids known problems).
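As an added illustration (not from the article or 7FM), the constant-acceleration kinematics behind the claim that no safe accelerating insertion exists on the 50yd, 25mph-to-65mph ramp described above. The 3.0 m/s² sustained acceleration and the 5mph differential treated as acceptable are assumed values, not article figures.

```python
"""Added example: kinematic feasibility of inserting from the short clover-leaf ramp
described in the text. Constant-acceleration physics only; the vehicle acceleration
and the acceptable speed differential are assumptions, not article values."""
import math

MPH = 0.44704   # metres per second per mile per hour
YARD = 0.9144   # metres per yard


def speed_after(v0, accel, distance):
    """Speed (m/s) after accelerating from v0 over `distance` metres: v^2 = v0^2 + 2 a s."""
    return math.sqrt(v0 * v0 + 2.0 * accel * distance)


def distance_to_reach(v0, v_target, accel):
    """Metres needed to accelerate from v0 to v_target at constant `accel`."""
    if v_target <= v0:
        return 0.0
    return (v_target * v_target - v0 * v0) / (2.0 * accel)


def insertion_plan(ramp_len_m, v_entry, v_freeway, accel, max_differential):
    """Evaluate choice 1 from the text (accelerate as hard as possible).

    Returns the speed at the end of the ramp (capped at freeway speed), the
    differential to freeway traffic at that point, whether the differential is
    already within `max_differential`, and how much shoulder/trouble strip
    beyond the ramp would be needed to bring it within that limit.
    """
    v_end = min(v_freeway, speed_after(v_entry, accel, ramp_len_m))
    differential = v_freeway - v_end
    needed = distance_to_reach(v_entry, v_freeway - max_differential, accel)
    return {
        "v_end_mps": v_end,
        "differential_mps": differential,
        "insert_in_ramp": differential <= max_differential,
        "shoulder_needed_m": max(0.0, needed - ramp_len_m),
    }


# Values from the text: 50yd ramp, 25mph entry speed, 65mph freeway.
RAMP_M = 50 * YARD
V_RAMP = 25 * MPH
V_FREEWAY = 65 * MPH
# Assumed: a family car sustaining 3.0 m/s^2, and a 5mph differential deemed acceptable.
ACCEL = 3.0
MAX_DIFF = 5 * MPH

if __name__ == "__main__":
    for label, v0 in (("rolling at 25mph", V_RAMP), ("from a stop", 0.0)):
        p = insertion_plan(RAMP_M, v0, V_FREEWAY, ACCEL, MAX_DIFF)
        print(f"{label}: {p['v_end_mps'] / MPH:.1f}mph at ramp end, "
              f"{p['differential_mps'] / MPH:.1f}mph slower than traffic, "
              f"needs {p['shoulder_needed_m']:.0f} m of shoulder beyond the ramp")
```

Under these assumptions the AV reaches only about 45mph at the ramp end (37mph from a stop) and needs roughly 53 m (74 m from a stop) of shoulder beyond the ramp, which is why the text treats the entrance as a specific point risk rather than a plannable maneuver.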
Vehicle integrity. Driver/human-caused crashes in the NHTSA scenarios account for 94% of precrash scenarios. The remaining 6% of crashes are caused by vehicle structural and electro-mechanical failures.
An extremely good driver can detect small changes in the vehicle response to their commands. The vehicle must suffer a sudden and catastrophic failure to cause an expert to fail (e.g., catastrophic control-arm or a ball-joint failure at freeway speeds, causing control loss of a front wheel). The expert driver perceives by feel, sight, smell and hearing the slightest change from the norm. They are like a gymnast who has perfect center of mass, moment of inertia and body control. The expert driver’s senses include the body in motion of the vehicle. Most of the time the expert can identify the likely failing components.
To emulate the extremely good driver, the AV can monitor VLF responses for signs of degradation. The AV sends throttle, steering and brake commands. The vehicle sends back sensor feedback from these commands. The IMU/GPS/RTK sensors and vehicle sensors provide a six-axis response feedback. The TPMS sends the tire pressure from all wheels. The vehicle has sensors for measuring the actual steering wheel angle. The IMU measures linear acceleration on all three linear axes. The IMU measures rotational position, velocity and acceleration around the three linear axes (x, y, z). Steering, throttle and braking commands are controllable factors. These can be correlated to vehicle sensor feedback and to the AV’s IMU/GPS/RTK, each of which provides precise vehicle response feedback. This returns extremely clear statistical response models. Changes can be detected extremely quickly. Brake degradation at a given percent command can be measured. All normal responses can be modelled: changes in acceleration, deceleration, steering and braking (the commanded functions) and their linear and rotational responses estimated. Drifts in these responses suggest that the vehicle is going through normal or unexpected degradations. When vehicle integrity is in question, autonomy of any type is in question. Time response, linearity of response, bias and magnitude of these responses can be monitored using statistical process control, and significant shifts, drifts and catastrophic changes can be detected with an extreme level of statistical sensitivity for both changes in the variation of response and shifts in the expected value of the response. The AV can detect and predict most vehicle-level mechanical and electro-mechanical failures.
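As an added example (not code from the article or from 7FM), one way to implement the command/response monitoring just described for a single VLF: fit a baseline model of measured deceleration against commanded brake percentage, then run Shewhart and EWMA control limits on the residuals. All data are constructed inline; the -0.08 m/s² per % gain, the noise level and the 5% brake fade are assumptions.

```python
"""Added example: vehicle-integrity monitoring of a commanded VLF (brake) against its
measured response, using a baseline linear model plus statistical process control.
Data are constructed here with a deterministic noise sequence; no vehicle data."""
import math
from dataclasses import dataclass


@dataclass
class ResponseModel:
    gain: float   # measured deceleration (m/s^2) per 1 % of brake command
    bias: float   # offset (m/s^2); ~0 for a healthy brake
    sigma: float  # residual standard deviation seen on the healthy baseline


def fit_response(commands, responses):
    """Ordinary least squares fit of response = gain * command + bias."""
    n = len(commands)
    mx, my = sum(commands) / n, sum(responses) / n
    sxx = sum((x - mx) ** 2 for x in commands)
    sxy = sum((x - mx) * (y - my) for x, y in zip(commands, responses))
    gain = sxy / sxx
    bias = my - gain * mx
    resid = [y - (gain * x + bias) for x, y in zip(commands, responses)]
    sigma = math.sqrt(sum(r * r for r in resid) / (n - 2))
    return ResponseModel(gain, bias, sigma)


def monitor(model, commands, responses, k_shewhart=3.0, lam=0.2, k_ewma=3.0):
    """Return [(index, kind)] alarms on the residual (measured - expected).

    A Shewhart limit (+-k*sigma on each sample) catches sudden, catastrophic
    changes; an EWMA of the residuals catches slow drifts long before any single
    sample looks abnormal.
    """
    alarms = []
    z = 0.0
    ewma_limit = k_ewma * model.sigma * math.sqrt(lam / (2.0 - lam))
    for i, (x, y) in enumerate(zip(commands, responses)):
        r = y - (model.gain * x + model.bias)
        if abs(r) > k_shewhart * model.sigma:
            alarms.append((i, "shift"))
        z = lam * r + (1.0 - lam) * z
        if abs(z) > ewma_limit:
            alarms.append((i, "drift"))
    return alarms


# --- constructed sample data (assumed values, not measurements) --------------
TRUE_GAIN = -0.08   # m/s^2 per % command, assumed for the healthy vehicle


def _command(i):
    """Brake command in %, 10..90, cycling deterministically."""
    return 10 + (i * 37) % 81


def _noise(i):
    """Zero-mean pseudo-noise in +-0.02 m/s^2 (deterministic, so results are stable)."""
    return 0.02 * (((i * 7919) % 101) - 50) / 50.0


def healthy_run(start, n):
    """n healthy command/response samples starting at sample index `start`."""
    idx = range(start, start + n)
    cmds = [_command(i) for i in idx]
    resp = [TRUE_GAIN * x + _noise(i) for i, x in zip(idx, cmds)]
    return cmds, resp


def fading_run(n, total_fade=0.05):
    """Brake efficacy decays linearly from 100 % to (1 - total_fade) over n samples."""
    cmds = [_command(i) for i in range(n)]
    resp = [TRUE_GAIN * (1.0 - total_fade * i / n) * x + _noise(i)
            for i, x in enumerate(cmds)]
    return cmds, resp


def fade_at(i, n, total_fade=0.05):
    """Fraction of brake efficacy lost at sample i of fading_run(n, total_fade)."""
    return total_fade * i / n


# Baseline model from 200 healthy samples (the 'phase I' characterisation).
BASELINE = fit_response(*healthy_run(0, 200))

if __name__ == "__main__":
    print("baseline:", BASELINE)
    print("healthy alarms:", monitor(BASELINE, *healthy_run(200, 200)))
    alarms = monitor(BASELINE, *fading_run(2000))
    first_i, first_kind = alarms[0]
    print(f"first alarm at sample {first_i} ({first_kind}); efficacy lost so far "
          f"{100 * fade_at(first_i, 2000):.2f} %")
```

The healthy run raises no alarm, while the slow fade is flagged well before 1% of braking capability has been lost, which is the kind of early drift signal the text expects the AV to act on.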
Reliability. After the five levels of Mastery of Function have been passed, the AV is statistically safe for all defined risks. A final reliability test is needed to prove the results will be stable and predictable over time. Work with a reliability/statistical expert and determine an efficient final system reliability validation.
The following assumes that the System V-Diagram required validation of components before assembly, validation of assemblies before the system, and validation of the system outside the vehicle. There are many reliability distributions that fit known applications. Repairable systems; exponential distribution – mechanical assemblies, valves and solenoids; Rayleigh distribution – electronics; log-normal distribution and so on. The question is: What is a reasonable sample size to look for something that is in all likelihood not going to be found? This was extremely true for the Chrysler Pacifica, which followed this strategy very well. Much of the automotive world uses the assumption of the Rayleigh distribution and applies it to a system or assembled vehicle or a more complex AV. The sample size is based on the Rayleigh distribution. The data is analyzed with a Weibull analysis, which will fit the AV’s actual model (not assumed to be Rayleigh for the analysis), unless it is log-normal. The goal was to have and validate a decision model. The Rayleigh’s sample size is ‘in the middle’ of the many potential models. Its strengths and weaknesses are known and it has proved useful in practice.
How big does the fleet need to be and how many AV design lives does it need to survive, for example three years and 100,000 miles in its expected environment (the AV system, not the vehicle)? A design ages because of the normal energy that passes through the system as well as the degradation energy that shortens life (temperature, vibration, chemicals, inert debris and radiated energy). How much of each type of energy will cause the design to age prematurely? The starting test is a Reliability of 95% with a 90% level of confidence (R95:C90). It requires a fleet of 45 units each surviving one design life with no failures. This is a required and final challenge of all new element relationships – mechanical, electro-mechanical and E/E device interfaces through one design life’s accumulation of energy. If all 45 units pass and there are no indications of degradation or pending future failure, the test passes. Analyzing the variation of all safety-critical functions at 0%, 25%, 50%, 75% and 100% of life and looking for function drifts and increases in variation is extremely powerful and statistically efficient (plot and review all results). The AVs can automatically perform these calculations while they are in service (system design phase topic), and the company would then have population statistics at all times on variation, degradation of function and reliability. There is always a tear down and inspection of each and every system element regardless of pass or fail. Teardown inspections are required to detect indications of damage accumulation over time. Do not tear down purchased components or E/E devices. These must have been validated to ISO 26262 and IATF 16949 automotive requirements before purchase. System-vehicle validation reliability is of the interface functions between elements. It is not what is inside a box. This will be covered in detail, with alternate considerations, in 7FM Design for Functional Safety, the System Design Phase.
In summary, this article covered a strategy to summarize/compress all ODD risks into sets of representative road segments, transition risks and specific point risks. More importantly, everything the design must solve is documented and how it must be solved is clearly defined. There are no blank sheets of paper or bare screens at which to stare. This is the single most important activity of any AV design. Define and understand what must be designed. Any well-defined problem is just about solved. Another extremely important point is that 7FM is an active process used to understand and create designs that are the best in the world. The practices begin with concept, are performed throughout all phases of the design, and are followed into production. The methods are seamless and no effort is wasted. 7FM is continuously applied throughout design and production. In other words, it is a continuous process. It is not a form that is filled out. Solid design, manufacturing and production practices never stop. Perform this well and the total design time will be more than cut in half, and wasted money and time will all but be eliminated.
Driving complexities/risks consider 1) laminar flow, 2) situational flow and 3) turbulent flow (the start of a precrash scenario). Laminar flow is inherently safe driving. There is a smooth acceptance/obeyance of right of way rules and regulations. This is the third level of Mastery of Functions. Situations have the beginning pockets of turbulence caused by flow restrictions that evenly or unevenly collect into groups of HazObs. Turbulent flow is the moment that laminar or situational flow becomes one or more of the precrash scenarios. Mastery of Functions through all precrash scenarios, sudden emergents and weather is the fourth level of Mastery of Functions.
Severity and exposure risks are assigned from the NHTSA tables for vehicles, pedestrians and pedal cyclists. The risk of vehicle level functions is the inverse of each function’s statistical capability and reliability. The HARA is the primary source used to develop the system-vehicle integration Design Verification Plan and Report (DVP&R). The DVP&R will produce explicit evidence that the AV is capable of safely defining and following a planned path even while experiencing each and every system-level failure mode/fault state.
Part 3 of three of the HARA series produces the understanding required to construct a nearly flawless design from the start. The final and third part of this HARA series will provide a relational table that directly correlates every vehicle-level function-failure mode/fault state to their related precrash scenarios (hazards). These will link to each function-failure sequence from sensors to VLFs.
Part 3 relates each throttle, brake and steering fault state/failure mode to each situation, scenario and precrash scenario. Each representative road segment might have several ways in which each of NHTSA’s precrash scenarios can develop. Each form is a single study of a precrash scenario of a single representative sample. Risk is defined by exposure (the estimated percentage that a HazOb is present), severity of hazard energy transfer and controllability by driver intervention for any sudden emergent risk. L3 solutions must call for driver intervention for a situation before it develops into a precrash scenario. Autonomy solutions at Levels 3-5 have zero controllability by driver intervention at the moment of any sudden emergent risk. Determinations and requirements for each element of the design, and the potential responses, are also documented. The HARA analysis form from Part 3 has a secondary table that defines the information needed to fill out a police report as if a crash had actually occurred. Each response to avoid or minimize risk has an individual safety goal. Individual safety goals form affinity patterns and become the AV Safety Goals and the full set of risks that must be addressed by the Functional Safety Concept. Once this has been completed, the team has an extremely strong starting point from which to engage the System Design Phase. An extremely strong resource-requirements and design plan can then be developed.