Torben Stolte

Gerrit Bagschik, Andreas Reschka, Torben Stolte et al.

The project Automated Unmanned Protective Vehicle for Highway Hard Shoulder Road Works (aFAS) aims to develop an unmanned protective vehicle to reduce the risk of injuries due to crashes for road workers. To ensure functional safety during operation in public traffic the system shall be developed following the ISO 26262 standard. After defining the functional range in the item definition, a hazard analysis and risk assessment has to be done. The ISO 26262 standard gives hints how to process this step and demands a systematic way to identify system hazards. Best practice standards provide systematic ways for hazard identification, but lack applicability for automated vehicles due to the high variety and number of different driving situations even with a reduced functional range. This contribution proposes a new method to identify hazardous events for a system with a given functional description. The method utilizes a skill graph as a functional model of the system and an overall definition of a scene for automated vehicles to identify potential hazardous events. An adapted Hazard and Operability Analysis approach is used to identify system malfunctions. A combination of all methods results in operating scenes with potential hazardous events. These can be assessed afterwards towards their criticality. A use case example is taken from the current development phase of the project aFAS.

Torben Stolte, Tianyu Liao, Matthias Nee et al.

Level 3+ automated driving implies highest safety demands for the entire vehicle automation functionality. For the part of trajectory tracking, functional redundancies among all available actuators provide an opportunity to reduce safety requirements for single actuators. Yet, the exploitation of functional redundancies must be well argued if employed in a safety concept as physical limits can be reached. In this paper, we want to examine from a trajectory tracking perspective whether such a concept can be used. For this, we present a model predictive fault-tolerant trajectory tracking approach for over-actuated vehicles featuring wheel individual all-wheel drive, brakes, and steering. Applying this approach exemplarily demonstrates for a selected reference trajectory that degradations such as missing or undesired wheel torques as well as reduced steering dynamics can be compensated. Degradations at the physical actuator limits lead to significant deviations from the reference trajectory while small constant steering angles are partially critical.

Marvin Loba, Robert Graubohm, Niklas Braun et al.

Despite the growing number of automated vehicles on public roads, operating such systems in open contexts inevitably involves incidents. Developing a defensible case that the residual risk is reduced to a reasonable (societally acceptable) level is hence a prerequisite to be prepared for potential liability cases. A "safety argumentation" is a common means to represent this case. In this paper, we contribute to the state of the art in terms of process guidance on argumentation creation and maintenance - aiming to promote a safety-argumentation-by-design paradigm, which mandates co-developing both the system and argumentation from the earliest stages. Initially, we extend a systematic design model for automated driving functions with an argumentation layer to address prevailing misconceptions regarding the development of safety arguments in a process context. Identified limitations of this extension motivate our complementary design of a dedicated argumentation life cycle that serves as an additional process viewpoint. Correspondingly, we define literature- and expert-based process requirements. To illustrate the safety argumentation life cycle that we propose as a result of implementing these consolidated requirements, we demonstrate principles of the introduced process phases (baselining, evolution, continuous maintenance) by an argumentation example on an operational design domain exit response.

Torben Stolte

The advent of automated vehicles operating at SAE levels 4 and 5 poses high fault tolerance demands for all functions contributing to the driving task. At the actuator level, fault-tolerant vehicle motion control, which exploits functional redundancies among the actuators, is one means to achieve the required degree of fault tolerance. Therefore, we give a comprehensive overview of the state of the art in actuator fault-tolerant vehicle motion control with a focus on drive, brake, and steering degradations, as well as tire blowouts. This review shows that actuator fault-tolerant vehicle motion is a widely studied field; yet, the presented approaches differ with respect to many aspects. To provide a starting point for future research, we survey the employed actuator topologies, the tolerated degradations, the presented control approaches, as well as the experiments conducted for validation. Overall, and despite the large number of different approaches, the covered literature reveals the potential of increasing fault tolerance by fault-tolerant vehicle motion control. Thus, besides developing novel approaches or demonstrating real-time applicability, future research should aim at investigating limitations and enabling comparison of fault-tolerant motion control approaches in order to allow for a thorough safety argumentation.

Marcus Nolte, Marcel Rose, Torben Stolte et al.

Research in the field of automated driving has created promising results in the last years. Some research groups have shown perception systems which are able to capture even complicated urban scenarios in great detail. Yet, what is often missing are general-purpose path- or trajectory planners which are not designed for a specific purpose. In this paper we look at path- and trajectory planning from an architectural point of view and show how model predictive frameworks can contribute to generalized path- and trajectory generation approaches for generating safe trajectories even in cases of system failures.

Marcus Nolte, Gerrit Bagschik, Inga Jatzkowski et al.

The development of fully automated vehicles imposes new challenges in the development process and during the operation of such vehicles. As traditional design methods are not sufficient to account for the huge variety of scenarios which will be encountered by (fully) automated vehicles, approaches for designing safe systems must be extended in order to allow for an ISO~26262 compliant development process. During operation of vehicles implementing SAE Levels 3+ safe behavior must always be guaranteed, as the human driver is not or not immediately available as a fall-back. Thus, the vehicle must be aware of its current performance and remaining abilities at all times. In this paper we combine insights from two research projects for showing how a skill- and ability-based approach can provide a basis for the development phase and operation of self-aware automated road vehicles.

Torben Stolte, Gerrit Bagschik, Andreas Reschka et al.

For future application of automated vehicles in public traffic, ensuring functional safety is essential. In this context, a hazard analysis and risk assessment is an important input for designing functionally vehicle automation systems. In this contribution, we present a detailed hazard analysis and risk assessment (HARA) according to the ISO 26262 standard for a specific Level 4 application, namely an unmanned protective vehicle operated without human supervision for motorway hard shoulder roadworks.