CASCAD (Causal Analysis using STAMP for Connected and Automated Driving). Stephanie Alvarez, Yves Page & Franck Guarnieri

Introduction: Vehicle automation will introduce changes into the road traffic system and bring new causal factors.

[Figure: SAE levels of vehicle automation. Levels 0 No Automation, 1 Driver Assistance and 2 Partial Automation: the human driver monitors the driving environment. Levels 3 Conditional Automation, 4 High Automation and 5 Full Automation: the automated driving system monitors the driving environment.]

The road safety community must prepare for the analysis of crashes involving automated driving by finding appropriate accident analysis methods. CAST (Causal Analysis based on STAMP) is appropriate for the analysis of these crashes, but it is not specific to road safety and may not meet practitioners' needs.

Aim: The aim of this work was to extend CAST into a method called CASCAD, which incorporates road safety-specific elements and elements for automated driving, to support a more complete analysis of crashes involving vehicle automation.

Approach:
- Identify elements specific to road safety, taken from HFF and DREAM: crash description, taxonomy, causal factors, involvement
- Develop elements to facilitate the application of CAST on ADS (automated driving systems): control structure at the physical level, classification of control flaws, control structure of the road transport system
- Build CASCAD from these two sets of elements
- Illustrate CASCAD using the Tesla crash

Elements specific to road safety: four elements are taken from two existing in-depth crash analysis methods, HFF (Human Functional Failure) and DREAM (Driving Reliability and Error Analysis Method).

Crash description: four phases
  Driving phase: normal driving
  Rupture phase: unexpected event
  Emergency phase: avoidance maneuvers
  Impact phase: nature of impact

Taxonomy for human failures/errors
  HFF: 6 types of general failures, 20 types of specific failures
  DREAM: classification scheme of phenotypes (Timing, Speed, Distance, Direction, Force)

Contributory factors
  HFF: list of explanatory factors related to the human driver, the road, the traffic and the vehicle
  DREAM: genotypes
    Human: Observation, Interpretation, Planning, Personal factors
    Technology: Vehicle, Traffic environment
    Organization: Organization, Maintenance, Vehicle design, Road design

Degree of involvement
  HFF: a) Primary active, b) Secondary active, c) Non-active, d) Passive
  DREAM: not applicable

Elements to facilitate the application of CAST: the five CAST steps and the element developed for each
  1. Define accidents, system hazards and safety constraints
  2. Identify failures and unsafe interactions at the physical level: control structure at the physical level
  3. Analyze the direct controllers (i.e. road users and automation): control flaw classification for direct controllers
  4. Analyze the indirect controllers (entire road transport system): control structure of the road transport system
  5. Issue recommendations

Elements to facilitate the application of CAST: control structure at the physical level. [Figure: three configurations, each showing control actions and feedback between the controlled entities: (1) Vehicle A and Vehicle B, (2) Vehicle A and a pedestrian, (3) Vehicle A alone; the infrastructure is part of all three.]

Elements to facilitate the application of CAST: control flaw classification for direct controllers. Starting from the control structure of an automated vehicle and a non-automated vehicle, examine the interactions of the direct controllers and identify control flaws in four categories: perception (feedback), mental models, decision-making and action execution (Leveson, 2011; Leveson et al. 2013).

[Figure: control structure of an automated vehicle (Vehicle A) and a non-automated vehicle (Vehicle B). In Vehicle A the human driver (decision-making, mental models) and the automated controller (control algorithm, process models) exchange control actions and feedback through the HMI; the automated controller commands the actuators using feedback from the sensors, the vehicle, the vehicle networks and the infrastructure. In Vehicle B the human driver commands the actuators directly. Feedback paths are labelled F (F_h1, F_h2, F_h3, F_HMI, F_a1, F_a2, F_a3, F_s1, F_s2, F_s3) and control actions CA (CA_h1, CA_h2, CA_HMI, CA_a, CA_v) (Leveson, 2011; Leveson et al. 2013).]

Elements to facilitate the application of CAST: control flaw classification for direct controllers. Examining the interactions of the direct controllers in the four categories (perception/feedback, mental models, decision-making, action execution) yielded 58 control flaws for the human driver controller and 48 control flaws for the automated controller.

Excerpt from the control flaws table associated with the human driver controller (category: perception; feedback from other road users F_h1, from the automated controller to the HMI F_HMI, from the HMI to the driver F_h3). The full table marks, for each flaw, the SAE levels (0, 1-2, 3, 4) at which it applies.
  Missing human perception of feedback on another road user (F_h1): the human driver does not perceive a road user in the adjacent lane.
  Incorrect information provided by automation (F_HMI): automation provides the HMI with incorrect information relative to the speed of another vehicle.
  Missing human perception of HMI feedback (F_h3): a human driver does not perceive a takeover request.

Control structure of the road transport system

Building CASCAD: the five CAST steps with the elements added at each step
  1. Define accidents, system hazards and safety constraints
  2. Identify failures and unsafe interactions at the physical level: crash description; control structure at the physical level
  3. Analyze the direct controllers (i.e. road users and automation): control flaw classifications; contributory factors; degree of involvement
  4. Analyze the indirect controllers (entire road transport system): control structure of the road transport system
  5. Issue recommendations

Tesla crash description: 16:40 on Saturday, May 7, 2016, on US27A in central Florida; daylight, with clear and dry weather conditions (A. Singhvi & K. Russell 2016).
  Tesla: 2015 Tesla Model S, 40-year-old male driver. Autopilot was engaged; AEB (automatic emergency braking) did not brake.
  Truck: 2014 Freightliner Cascadia tractor with semitrailer (Okemah Express), 63-year-old male driver. Manual driving mode.

[Figures: crash site diagrams (National Transportation Safety Board 2016; A. Singhvi & K. Russell 2016).]

Illustrating CASCAD, step 1: Define accidents, system hazards and safety constraints
  Accident: human loss due to a vehicle collision
  System hazard: violation of the minimal safety distance between the Tesla and the truck
  System safety constraint: the safety control structure must prevent the violation of the minimal distance between a vehicle and a truck

Illustrating CASCAD, step 2: Identify failures and unsafe interactions at the physical level. Crash description by phase:
  Driving phase
    Tesla: travelling on a highway on a Saturday at 4:40 pm.
    Truck: travelling on a highway on a Saturday at 4:40 pm to deliver blueberries.
  Rupture phase
    Tesla: does not slow down as it approaches an uncontrolled intersection.
    Truck: the driver estimates that he can engage a left-turn maneuver.
  Emergency phase
    Tesla: violates the minimal safety distance to the truck and does not decrease its speed.
    Truck: engages the left turn and does not have time to stop as the Tesla approaches at 119 km/h.
  Crash phase
    Tesla: the front of the Tesla strikes the trailer at a 90° angle at 119 km/h, passes underneath the trailer, leaves the road and hits two fences and a pole before rotating counterclockwise and coming to rest.
    Truck: the underside of the semitrailer is hit by the Tesla.

Illustrating CASCAD, step 2 (continued). [Figure: control structure at the physical level: Tesla, uncontrolled intersection, truck.]
  Physical failures: none.
  Unsafe interactions at the physical level:
    The truck made a left turn too soon at a highway intersection when it did not have the right of way.
    The Tesla did not slow down or stop when the safety distance to the truck was violated.

Illustrating CASCAD, step 3: Analyze the direct controllers (automation and human drivers). The direct controllers are, for the Tesla, the Tesla driver and the automation, and, for the truck, the truck driver. For each controller the analysis covers A. the unsafe control action (UCA), B. the control flaws (using the control flaw classifications and the contributory factors) and C. the context in which decisions were made, and assigns a degree of involvement. The two controllers of the Tesla are analyzed next.

Illustrating CASCAD, step 3, automation (Tesla)
A. UCA: automation did not apply brakes when the vehicle violated the safety distance to the truck.
[Figure: automation control loop. The control algorithm holds process models of the driver (hands on the wheel, from driver monitoring), of the traffic ("no obstacle") and of the Tesla vehicle, fed by radar and camera feedback from the road environment, in which there is an obstacle.]
B. Control flaws (automation)
  Perception: measurement inaccuracies in the road-user feedback provided by the sensors. The camera provided inaccurate measures because the white trailer was against a bright sky. Contributory factor: influence of the bright sky on the camera's detection.
  Perception: inadequate or incorrect feedback provided by the sensors. The radar provided incorrect feedback because it tuned out the data on the truck obstacle to avoid false braking events (overhead traffic signs). Contributory factor: false positives.
  Model of process: inadequate model of the traffic situation. The Autopilot and the AEB module were unaware of the presence of the truck because of the incorrect feedback. Contributory factor: reliability and performance of the perception system.
  Model of process: inadequate model of the human driver. Automation was unaware that the driver was distracted because the driver monitoring system does not detect when drivers have their eyes off the road. Contributory factor: design of the driver monitoring system.
C. Context: daylight with clear weather conditions; no known problems with truck detection.
Degree of involvement: secondary active.

Illustrating CASCAD, step 3, human driver (Tesla)
A. UCA: the human driver did not override automation and apply brakes when the vehicle violated the safety distance to the truck.
[Figure: driver control loop. Decision-making relies on mental models of the traffic ("no truck"), of the automation and of the Tesla vehicle, fed by feedback from the automation, the sensors and the road environment.]
B. Control flaws (human driver)
  Perception: missing human perception of feedback on another road user. The driver did not perceive the truck because he was distracted.
  Model of process: inadequate model of the traffic situation. The driver was unaware of the presence of the truck.
  Contributory factors for both: distraction; secondary non-driving-related task; misuse; priority feeling.
  Model of process: inadequate model of automation. The driver believed that automation's monitoring was enough for safe operation. Contributory factors: overreliance; misuse.
C. Context: the driver had the right of way; he was a Tesla fan.
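The following Python model is an added example, not code from the CASCAD authors or from the poster. It encodes steps 1 to 3 for the Tesla's two direct controllers: the minimal safety distance of step 1 is treated as a stopping distance with an assumed 1.0 s reaction time and 6.0 m/s² deceleration, the hazard onset of step 2 is the first sample that violates it, and step 3 asks whether each controller issued the required control action (brake) at that instant and, if not, traces the flaw back from the control algorithm through the process model to the feedback. Only the 119 km/h approach speed and the qualitative narrative above (camera washed out, radar return discarded as an overhead sign, distracted and over-reliant driver) come from the page; the sampled distances, the sensor-fusion rule (an obstacle enters the process model if any sensor still reports it after filtering) and every flag in the trace are constructed assumptions, not NTSB crash data. What the slides do not show and the code does is the counterfactual check: the same classification is run with the radar filter disabled and with an attentive driver, which is how an analyst confirms that a recommendation actually removes the identified flaw.

```python
"""CAST-style analysis of the two direct controllers of an automated vehicle
approaching an obstacle (CASCAD steps 1 to 3). Added example, not code from
the CASCAD authors. Only the 119 km/h approach speed and the qualitative
narrative (camera washed out, radar return discarded as an overhead sign,
distracted and over-reliant driver) come from the page; the sampled distances,
the 1.0 s reaction time, the 6.0 m/s^2 deceleration and the fusion rule are
constructed assumptions, not NTSB data."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Flaw(Enum):
    """Direct-controller flaw categories (after Leveson 2011); decision-making
    and action-execution flaws are not exercised by the constructed scenario."""
    PERCEPTION = "inadequate or incorrect feedback"
    PROCESS_MODEL = "process model inconsistent with the controlled process"


@dataclass
class Tick:
    """One sample of the constructed approach: true state plus feedback."""
    t_s: float
    distance_m: float               # true gap between the car and the trailer
    speed_kmh: float
    camera_obstacle: bool           # camera classified the trailer as an obstacle
    radar_return: bool              # radar received a return from the trailer
    radar_filtered: bool            # filter discarded it as an overhead sign
    driver_eyes_on_road: bool       # driver perceives other road users (F_h1)
    driver_trusts_automation: bool  # driver believes automation will brake


@dataclass
class Finding:
    controller: str
    uca: str                        # unsafe control action: required action not provided
    hazard_t_s: float
    flaws: List[Flaw]
    evidence: List[str]             # one line per entry in `flaws`


def min_safe_distance_m(speed_kmh: float, reaction_s: float = 1.0,
                        decel_mps2: float = 6.0) -> float:
    """Reaction distance plus braking distance (assumed parameters)."""
    v = speed_kmh / 3.6
    return v * reaction_s + v * v / (2.0 * decel_mps2)


def hazard_onset(trace: List[Tick]) -> Optional[Tick]:
    """First tick violating the system safety constraint of step 1."""
    return next((t for t in trace
                 if t.distance_m < min_safe_distance_m(t.speed_kmh)), None)


def automation_sees_obstacle(tick: Tick) -> bool:
    """Assumed fusion rule: an obstacle is in the process model if any sensor
    still reports one after filtering."""
    return tick.camera_obstacle or (tick.radar_return and not tick.radar_filtered)


def analyse_automation(trace: List[Tick]) -> Optional[Finding]:
    """Step 3 for the automated controller: at hazard onset the required
    control action is 'brake'; if the control algorithm does not issue it,
    trace the flaw back through the process model to the sensor feedback."""
    tick = hazard_onset(trace)
    if tick is None or automation_sees_obstacle(tick):
        return None                                 # no hazard, or brake issued
    flaws = [Flaw.PROCESS_MODEL]
    evidence = ["process model says 'no obstacle' while an obstacle is present"]
    if not tick.camera_obstacle:
        flaws.append(Flaw.PERCEPTION)
        evidence.append("camera feedback did not report the trailer")
    if tick.radar_return and tick.radar_filtered:
        flaws.append(Flaw.PERCEPTION)
        evidence.append("radar return discarded by the false-braking filter")
    return Finding("automation",
                   "did not apply brakes when the safety distance was violated",
                   tick.t_s, flaws, evidence)


def analyse_driver(trace: List[Tick]) -> Optional[Finding]:
    """Step 3 for the human driver, expected to override automation and brake."""
    tick = hazard_onset(trace)
    if tick is None or (tick.driver_eyes_on_road
                        and not tick.driver_trusts_automation):
        return None                                 # no hazard, or override issued
    flaws: List[Flaw] = []
    evidence: List[str] = []
    if not tick.driver_eyes_on_road:
        flaws += [Flaw.PERCEPTION, Flaw.PROCESS_MODEL]
        evidence += ["missing perception of another road user (eyes off the road)",
                     "inadequate model of the traffic situation: unaware of the truck"]
    if tick.driver_trusts_automation:
        flaws.append(Flaw.PROCESS_MODEL)
        evidence.append("inadequate model of automation: relied on it to brake")
    return Finding("human driver",
                   "did not override automation and apply brakes when the "
                   "safety distance was violated", tick.t_s, flaws, evidence)


def constructed_scenario(radar_filtered: bool = True, eyes_on_road: bool = False,
                         trusts_automation: bool = True) -> List[Tick]:
    """Constructed approach at 119 km/h sampled every 0.5 s (about 16.5 m per
    sample); the distances are invented for illustration."""
    samples = ((0.0, 150.0), (0.5, 133.5), (1.0, 117.0), (1.5, 100.5), (2.0, 84.0))
    return [Tick(t, d, 119.0, camera_obstacle=False, radar_return=True,
                 radar_filtered=radar_filtered, driver_eyes_on_road=eyes_on_road,
                 driver_trusts_automation=trusts_automation) for t, d in samples]


def run_analysis(trace: List[Tick]) -> List[Finding]:
    """Findings for both direct controllers (empty when the constraint held)."""
    return [f for f in (analyse_automation(trace), analyse_driver(trace)) if f]


if __name__ == "__main__":
    for f in run_analysis(constructed_scenario()):
        print(f.controller, "UCA:", f.uca, f"(hazard onset t={f.hazard_t_s} s)")
        print("\n".join(f"  {fl.name}: {why}" for fl, why in zip(f.flaws, f.evidence)))
```

With the default scenario the hazard starts at t = 1.0 s (117 m is below the 124 m stopping distance at 119 km/h) and both controllers fail to provide the required action: the automation because its process model disagrees with the controlled process, traced to two perception flaws, and the driver because of a missing perception and two inadequate mental models, mirroring the two slides above. Calling `constructed_scenario(radar_filtered=False)` removes the automation finding and `constructed_scenario(eyes_on_road=True, trusts_automation=False)` removes the driver finding, which is the kind of counterfactual an analyst runs before recommending a change to the radar filter or to the driver monitoring design.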

Illustrating CASCAD, step 4. [Figure: control structure of Florida's road transport system. Federal government: Congress, DOT (Department of Transportation), NHTSA (National Highway Traffic Safety Administration), FHWA (Federal Highway Administration). State of Florida: state government, FLHSMV (Florida Highway Safety and Motor Vehicles), FDOT (Florida Department of Transportation), driving education, road infrastructure (US27). Automotive industry: Tesla. Vehicles: the Tesla (driver and automation) and the truck (driver).]

Illustrating CASCAD, step 4: Analyze the indirect controllers (entire transport system). Automotive industry (Tesla):
  Safety requirements: design, build and commercialize vehicles that can be safely operated.
  Unsafe control action: commercialized a BETA version of an SAE level 2 automated driving system that can be (mis)used as an SAE level 3 system and engaged on highway sections with uncontrolled intersections.
  Mental model flaws: believed that customers were going to monitor the driving environment; thought that customers' driving data is very valuable for enhancing automation and therefore that BETA versions are worth the risk.
  Context in which decisions were made: a lot of pressure to be a cutting-edge tech company and bring vehicle automation to market; legislation and regulatory gaps for vehicle automation.

Illustrating CASCAD, step 5: Issue recommendations. For the Tesla company:
  - Evaluate how design assumptions are made and validated (radar tuning out information, data fusion choices, etc.).
  - Redesign the system to accurately detect when drivers are not monitoring the road environment, and to show the driver what automation is perceiving.
  - Redesign Autopilot so that it can only be engaged in the environments within its design limits (start to disengage Autopilot when it approaches highway sections with intersections or exits).
  - Question the company's roadmap relative to customers' safety.

Conclusions: CAST is a suitable method for the accident analysis of crashes involving automated driving; however, its lack of specificity to road safety may prevent practitioners from adopting it. CAST was extended into a method called CASCAD, which incorporates road safety-specific elements and elements to facilitate the application of CAST to crashes involving automated driving. Some elements from traditional crash analysis methods are still relevant for the analysis of automated driving. Also, STAMP can be applied to an automated driving system in order to generate usage guidance elements for road safety practitioners; these elements can coexist with CAST. The methodology proposed in CASCAD was illustrated using data from the Tesla crash of May 2016.

Perspectives:
- Develop more guidance elements, especially for the contributory factors related to human behavior in automated driving and the factors that influence automation.
- Apply CASCAD to crash investigations involving automated driving and compare it with traditional methods in order to validate CASCAD's contribution to a more complete understanding.
- Talk with road safety practitioners to find out whether CASCAD meets their needs and to identify potential improvements.