32.4 | SY | Mar 26
Approaching Safety-Argumentation-by-Design: A Requirement-based Safety Argumentation Life Cycle for Automated Vehicles
Marvin Loba, Robert Graubohm, Niklas Braun et al.
Despite the growing number of automated vehicles on public roads, operating such systems in open contexts inevitably involves incidents. Developing a defensible case that the residual risk is reduced to a reasonable (societally acceptable) level is hence a prerequisite for being prepared for potential liability cases. A "safety argumentation" is a common means to represent this case. In this paper, we contribute to the state of the art in terms of process guidance on argumentation creation and maintenance, aiming to promote a safety-argumentation-by-design paradigm, which mandates co-developing both the system and the argumentation from the earliest stages. Initially, we extend a systematic design model for automated driving functions with an argumentation layer to address prevailing misconceptions regarding the development of safety arguments in a process context. Identified limitations of this extension motivate our complementary design of a dedicated argumentation life cycle that serves as an additional process viewpoint. Correspondingly, we define literature- and expert-based process requirements. To illustrate the safety argumentation life cycle that we propose as a result of implementing these consolidated requirements, we demonstrate the principles of the introduced process phases (baselining, evolution, continuous maintenance) with an argumentation example on an operational design domain exit response.
57.2 | SY | May 19
Equalized Coverage in Motion Control Performance Prediction for Self-Adaptive Road Vehicles
Ole Reuter, Richard Schubert, Marvin Loba et al.
Automated driving systems require monitoring mechanisms to ensure operation as intended, especially when system elements degrade and/or fail. Hence, capability monitoring is crucial in order to evaluate the system's remaining performance and implement capability-based behavior. In this paper, we investigate the dynamics of a highly over-actuated automated vehicle under actuator degradations and failures that affect the vehicle's motion control capabilities. We propose a lightweight prediction model based on conformalized quantile regression that predicts whether an automated vehicle can be controlled with sufficiently low lateral deviation from a planned trajectory under nominal, degraded, and failed actuator conditions. We recognize that statistical guarantees should hold not only across all data (marginal coverage) but also for different regimes within the data (conditional coverage). We therefore employ equalized coverage methods to address this challenge. During runtime behavior generation, our predictor can provide a heuristic for determining the admissible action space. Its application and limitations are discussed in this paper.
16.0 | SE | Mar 19
Coordinating Stakeholders in the Consideration of Performance Indicators and Respective Interface Requirements for Automated Vehicles
Richard Schubert, Marvin Loba, Alexander Blödel et al.
This paper presents a process for coordinating stakeholders in their consideration of performance indicators and the respective interface requirements for automated vehicles. These performance indicators are obtained and processed based on the system's self-perception and enable the realization of self-aware and self-adaptive vehicles. This is necessary to allow SAE Level 4 vehicles to handle external disturbances as well as internal degradations and failures at runtime. Without such a systematic process for stakeholder coordination, architectural decisions on realizing self-perception become untraceable, and effective communication between stakeholders may be compromised. Our process-oriented approach includes the necessary ingredients, steps, and artifacts that explicitly address stakeholder communication, traceability, and knowledge transfer through clear documentation. Our approach is based on the experience gained from applying the process in the autotech.agil project, from which we further present lessons learned, identified gaps, and steps for future work.