CN116755417A - Automatic driving danger analysis and risk assessment method, device, equipment and medium - Google Patents


Info

Publication number
CN116755417A
Authority
CN
China
Prior art keywords
risk
analysis
risk assessment
hazard
functional
Prior art date
Legal status
Pending
Application number
CN202310443009.9A
Other languages
Chinese (zh)
Inventor
董浩
孙川
穆文浩
秦征骁
李慢
郑四发
许述财
李浩然
冯斌
Current Assignee
Suzhou Automotive Research Institute of Tsinghua University
Traffic Management Research Institute of Ministry of Public Security
Original Assignee
Suzhou Automotive Research Institute of Tsinghua University
Traffic Management Research Institute of Ministry of Public Security
Priority date
Filing date
Publication date

Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B 23/00 Testing or monitoring of control systems or parts thereof
    • G05B 23/02 Electric testing or monitoring
    • G05B 23/0205 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults
    • G05B 23/0208 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults, characterised by the configuration of the monitoring system
    • G05B 23/0213 Modular or universal configuration of the monitoring system, e.g. a monitoring system having modules that may be combined to build a monitoring program; a monitoring system that can be applied to legacy systems; an adaptable monitoring system; using different communication protocols
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B 2219/00 Program-control systems
    • G05B 2219/20 PC systems
    • G05B 2219/24 PC safety
    • G05B 2219/24065 Real-time diagnostics

Landscapes

  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Engineering & Computer Science (AREA)
  • Automation & Control Theory (AREA)
  • Traffic Control Systems (AREA)

Abstract

The application discloses an automated-driving hazard analysis and risk assessment method, a corresponding device, an electronic device and a storage medium. The method comprises: defining the related items (the items under analysis) and the preselected scenario indicators of the automated vehicle; determining the functional failure forms of each related item by hazard and operability analysis (HAZOP) and identifying the hazardous events associated with it; and, based on the functional failure forms and the preselected scenario indicators, performing hazard analysis and risk assessment on each hazardous event, determining its safety integrity level and generating a hazard analysis and risk assessment table. The hazard analysis and risk assessment covers both functional safety (FuSa) and safety of the intended functionality (SOTIF). The technical scheme addresses the incompleteness of existing automated-driving hazard analysis and risk assessment methods and improves the reliability of the assessment.

Description

Automatic driving danger analysis and risk assessment method, device, equipment and medium
Technical Field
The application relates to the technical field of automatic driving tests, in particular to an automatic driving risk analysis and risk assessment method, an automatic driving risk analysis and risk assessment device, electronic equipment and a storage medium.
Background
The automotive industry is currently expanding the development of highly automated driving (HAD) functions and automated driving systems (ADS). Safety is the highest priority in automated driving: HAD and ADS vehicles typically have autonomous longitudinal and lateral manoeuvring capability, or assist the driver in performing it. The areas of interest for HAD and ADS are therefore not limited to the driving capability of the vehicle but include its safety applications, and the overall safety of the ADS has become a research focus so that ADS vehicles can operate safely on public roads; one of the expected benefits of ADS technology is greater safety for vehicle users. The core of ADS design is achieving overall safety, which comprises functional safety (FuSa), safety of the intended functionality (SOTIF) and cybersecurity. FuSa and SOTIF are integral parts of this, and ISO 26262 and ISO 21448 are the industry standards for the functional safety and the intended-functionality safety of automotive electrical/electronic (E/E) systems.
According to ISO 26262, FuSa is the "absence of unreasonable risk due to hazards caused by malfunctioning behaviour of E/E systems", where a hazard is a "potential source of harm caused by malfunctioning behaviour of the item". According to ISO/PAS 21448:2019, SOTIF is the "absence of unreasonable risk due to hazards resulting from functional insufficiencies of the intended functionality or from reasonably foreseeable misuse by persons", and a triggering event is a specific condition of a driving scenario that initiates a subsequent system reaction which may lead to a hazardous event.
SOTIF therefore emphasises the functional limitations of ADS vehicles: there must be no unreasonable risk from insufficiencies of the intended function or from reasonably foreseeable misuse by persons. FuSa guards against faulty behaviour of the vehicle's electrical/electronic architecture (EEA). The state of the art offers various methods and processes to assure vehicle safety, and increasing the robustness of an ADS requires applying the appropriate safety methods at the different stages of development. The open questions are whether a given safety method supports identifying all possible safety boundary conditions and whether it is sufficient to assure the safety of the ADS; how to remedy insufficiencies of HAD functionality also remains a challenge. Because of the complexity of ADS, new safety methods must be developed to meet application needs and to allow further extension.
Disclosure of Invention
The application provides an automatic driving risk analysis and risk assessment method, an automatic driving risk analysis and risk assessment device, electronic equipment and a storage medium, which are used for solving the problems that an automatic driving risk analysis and risk assessment method is imperfect and the like in the prior art and improving the reliability of the automatic driving risk analysis and risk assessment.
According to an aspect of the present application, there is provided an automated driving risk analysis and risk assessment method, the method comprising:
defining related items and preselected scene indexes of the automatic driving vehicle;
determining a functional failure form of the related item based on the hazard and operability analysis, and identifying a hazard event matched with the related item;
according to the functional failure form and the preselected scene index, carrying out risk analysis and risk assessment on the hazard event, determining the safety integrity level of the hazard event, and generating a risk analysis and risk assessment form; wherein the risk analysis and risk assessment includes a functional safety risk analysis and risk assessment and a risk analysis and risk assessment of an intended functional safety.
According to another aspect of the present application, there is provided an automated driving risk analysis and risk assessment apparatus, the apparatus comprising:
the related item definition module is used for defining related items and preselected scene indexes of the automatic driving vehicle;
the hazard event identification module is used for determining the functional failure form of the related item based on hazard and operability analysis and identifying the hazard event matched with the related item;
the evaluation form generation module is used for carrying out risk analysis and risk evaluation on the hazard event according to the functional failure form and the preselected scene index, determining the safety integrity level of the hazard event and generating a risk analysis and risk evaluation form; wherein the risk analysis and risk assessment includes a functional safety risk analysis and risk assessment and a risk analysis and risk assessment of an intended functional safety.
According to another aspect of the present application, there is provided an electronic apparatus including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,,
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the automated driving risk analysis and risk assessment method according to any one of the embodiments of the present application.
According to another aspect of the present application, there is provided a computer readable storage medium storing computer instructions for causing a processor to implement the automated driving risk analysis and risk assessment method according to any one of the embodiments of the present application when executed.
According to the technical scheme, related items and preselected scene indexes of the automatic driving vehicle are defined; determining a functional failure form of the related item based on the hazard and operability analysis, and identifying a hazard event matched with the related item; according to the functional failure form and the preselected scene index, carrying out functional safety risk analysis and risk assessment and expected functional safety risk analysis and risk assessment on the hazard event, determining the safety integrity level of the hazard event, and generating a risk analysis and risk assessment table. The automatic driving risk analysis and risk assessment method solves the problems that automatic driving risk analysis and risk assessment methods are imperfect and the like in the prior art, and can improve reliability of automatic driving risk analysis and risk assessment.
It should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the application or to delineate the scope of the application. Other features of the present application will become apparent from the description that follows.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present application, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of an automated driving risk analysis and risk assessment method according to a first embodiment of the present application;
FIG. 2A is a flowchart of an automatic driving risk analysis and risk assessment method according to a second embodiment of the present application;
FIG. 2B is a schematic diagram illustrating analysis of related items to hazard scenarios according to a second embodiment of the present application;
FIG. 2C is a diagram illustrating related item definitions according to a second embodiment of the present application;
FIG. 2D is a schematic diagram of a scenario-based extended HARA identification procedure provided in accordance with a second embodiment of the present application;
fig. 3 is a schematic structural diagram of an automatic driving risk analysis and risk assessment device according to a third embodiment of the present application;
fig. 4 is a schematic structural diagram of an electronic device implementing an automatic driving risk analysis and risk assessment method according to an embodiment of the present application.
Detailed Description
In order that those skilled in the art will better understand the present application, a technical solution in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present application without making any inventive effort, shall fall within the scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present application and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, apparatus, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed or inherent to such process, method, article, or apparatus. The technical scheme of the application obtains, stores, uses, processes and the like the data, which all meet the relevant regulations of national laws and regulations.
Example 1
Fig. 1 is a flowchart of an automatic driving risk analysis and risk assessment method according to an embodiment of the present application, where the method may be implemented by an automatic driving risk analysis and risk assessment device, and the device may be implemented in hardware and/or software, and the device may be configured in an electronic device. As shown in fig. 1, the method includes:
s110, defining related items and preselected scene indexes of the automatic driving vehicle.
The scheme may be executed by the safety test system of an automated vehicle. The safety test system predefines the related items (the systems or functions under analysis, corresponding to the "item" of ISO 26262) and the preselected scenario indicators of the automated vehicle. The related items are used to select the vehicle functions to be analysed; the preselected scenario indicators are used to select the hazardous scenarios in which a hazard may occur.
S120, determining a functional failure form of the related item based on the risk and operability analysis, and identifying a risk event matched with the related item.
The safety test system determines the functional failure forms of the related item by hazard and operability analysis (HAZOP) and identifies the hazardous events associated with that related item of the automated vehicle. HAZOP is an exploratory analysis method for identifying and evaluating abnormal behaviour of the related item. It supports a structured, systematic examination of how the related item operates at the whole-vehicle level: an appropriate guide word is applied to each function of the related item to postulate its different abnormal behaviours. Such behaviours may harm the driver and passengers of the subject vehicle, the occupants of other vehicles in the driving scenario, or other persons at risk near the subject vehicle such as pedestrians, cyclists or maintenance personnel.
In this scheme, hazard identification comprises hazard identification for functional safety and hazard identification for the intended functionality. The underlying scenarios may be the same for both; in the SOTIF view, a hazard is identified from a triggering event combined with an insufficiency of the function. By HAZOP analysis of the vehicle-level functions of the automated driving system, the safety test system can discover failure modes such as sensor failures and control-unit failures that may lead to hazardous events.
S130, performing risk analysis and risk assessment on the hazard event according to the functional failure form and the preselected scene index, determining the safety integrity level of the hazard event, and generating a risk analysis and risk assessment form.
The safety test system performs scenario-based hazard identification and hazard analysis and risk assessment (HARA) of the hazardous event, using the functional failure form and the preselected scenario indicator, to obtain the automotive safety integrity level (ASIL) of the hazardous event. The hazard analysis and risk assessment includes both the functional safety analysis and the SOTIF analysis. Afterwards, the safety test system generates a hazard analysis and risk assessment table from the related item, its functional failure form, the hazard source, the risk level and related information.
Scenario-based HARA is a general evaluation process from individual functions up to the ADS application. It describes the relationship between the current state of the automated vehicle and the traffic situation (positions of the vehicle itself and other road users, traffic signals, roadside signs, etc.), the environment (road type, road surface, weather, etc.) and the infrastructure (construction sites, tunnels, fuel stations, etc.). The information the vehicle perceives through its sensors changes as the vehicle and other road users act and as external events occur. Starting from the initial perception, the safety test system maps the resulting perception to possible hazard-triggering events and analyses the potential hazards.
ISO 26262 defines four ASILs, A, B, C and D. ASIL A is the lowest level of automotive hazard and ASIL D the highest. Functions such as airbags, anti-lock braking and power steering are typically required to meet ASIL D, the most stringent level, because the consequences of their failure are the most severe; components at the bottom of the range, such as rear lights, need only ASIL A. Headlamps and brake lights are typically ASIL B, and cruise control typically ASIL C. The ASIL of a hazardous event is determined by classifying its severity (S), exposure (E) and controllability (C). In this scheme, the hazardous event may be caused by a failure of the EEA (FuSa domain) and/or by a limitation of a functional unit (SOTIF domain).
The technical scheme is that related items and preselected scene indexes of the automatic driving vehicle are defined; determining a functional failure form of the related item based on the hazard and operability analysis, and identifying a hazard event matched with the related item; according to the functional failure form and the preselected scene index, carrying out functional safety risk analysis and risk assessment and expected functional safety risk analysis and risk assessment on the hazard event, determining the safety integrity level of the hazard event, and generating a risk analysis and risk assessment table. The automatic driving risk analysis and risk assessment method solves the problems that automatic driving risk analysis and risk assessment methods are imperfect and the like in the prior art, and can improve reliability of automatic driving risk analysis and risk assessment.
Example two
Fig. 2A is a flowchart of an automatic driving risk analysis and risk assessment method according to a second embodiment of the present application, which is based on the above embodiment. As shown in fig. 2A, the method includes:
s210, defining related items and preselected scene indexes of the automatic driving vehicle.
In this scheme, the purpose of the related item is to identify a system or combination of systems that affects the safety of the automated vehicle and to which the safety lifecycle must be applied. Each related item implements one vehicle function or part of one. The main functions of the automated vehicle, such as steering, acceleration and deceleration, can be defined as related items. At the same time, in scenario-based HARA the safety test system considers the driving scenarios of the vehicle, such as urban roads, motorways and complex intersections, to determine its operating environment and driving situation.
S220, determining the functional failure form of the related item based on the risk and operability analysis, and identifying the risk event matched with the related item.
Combining the FuSa and SOTIF scenarios, the HAZOP guide-word method is applied to the preselected driving scenarios. The FuSa view identifies hazards in the driving scenario and the vehicle manoeuvres, i.e. erroneous vehicle behaviour described by HAZOP guide words. The SOTIF view identifies hazards in the vehicle functional units and the ADS functional description, i.e. functional insufficiencies described by HAZOP guide words.
Using the preselected scenario indicators, it is decided whether a hazardous event is associated with a given HAZOP guide word. The preselected scenario indicators may be compiled from the hazardous events that affect ADS hazards in both SOTIF and FuSa.
Specifically, the hazard events comprise a whole vehicle-level hazard event and a functional-level hazard event;
the determining the functional failure form of the related item based on the risk and operability analysis, and identifying the risk event matched with the related item comprises the following steps:
determining a form of functional failure of the associated item based on the hazard and operability analysis;
according to the functional failure form of the related item, hazard identification is carried out on driving scenes and vehicle operation and control, and a complete vehicle-level hazard event matched with the related item is determined;
and according to the function failure form of the related item, hazard identification is carried out on the vehicle function unit and the driving function, and the function level hazard event is determined.
It is readily appreciated that the safety test system may determine the form of functional failure of the relevant item based on the HAZOP analysis. According to the function failure form of the related item, the safety test system can perform hazard identification on driving scenes and vehicle operation and control to determine a complete vehicle-level hazard event, and can also perform hazard identification on a vehicle functional unit and a driving function to determine a functional-level hazard event.
In one possible implementation, the determining, based on the risk and operability analysis, a functional failure mode of the related item includes:
determining the functional failure form of the related item by means of hazard and operability analysis guide words, where the guide words include loss of function, functional error, unexpected function and output stuck at a fixed value.
When performing the HAZOP analysis, the safety test system determines the functional failure form of the related item mainly through these HAZOP guide words: loss of function, functional error, unexpected function and output stuck at a fixed value. Loss of function means the function is not provided when demanded; functional error means that, when demanded, the function is provided to a greater or lesser extent than expected or in the opposite direction; unexpected function means the function is provided when not demanded; output stuck at a fixed value means the function's output is not updated as expected.
Taking a lane change during vehicle travel as an example, consider the lane-change behaviour of an automated vehicle. From the FuSa viewpoint, Table 1 shows the HAZOP guide words and the errors that may occur when the vehicle performs a lane change.
Table 1:
HAZOP guide word | Interpretation at the whole-vehicle level (FuSa)
No | The required lane change is not performed
Too early/too late | The required lane change is performed too early or too late
Ends too early | The required lane change is terminated before it is complete
Takes too long | The required lane change takes too long to complete
Too slow/too fast | The required lane change is performed too slowly or too fast
In SOTIF, the HAZOP guide-word method is used to identify functional insufficiencies or limitations of functional units (e.g. complex sensors, sensor fusion, complex algorithms). Because of the complexity of the environment-sensor architecture, the "input - logic - output" chain of each functional unit must be examined; a failure in any link of the chain may trigger a hazard. Early in development this examination helps not only to understand the scenario but also to select suitable environment sensors. Table 2 shows output-based sensor insufficiencies; each of the listed output deviations may introduce a hazardous event.
Table 2:
HAZOP guide word | Interpretation at the functional-unit level (SOTIF)
No | The camera module outputs no signal
Too much/too little | The camera module outputs more or less signal than expected
Too early | The camera module outputs its signal earlier than expected
Wrong / not available | The camera module outputs an erroneous or unavailable signal
Too late (takes too long) | The camera module outputs its signal later than expected
S230, performing risk analysis and risk assessment on the hazard event according to the functional failure form and the preselected scene index, determining the safety integrity level of the hazard event, and generating a risk analysis and risk assessment form.
In this scheme, optionally, performing hazard analysis and risk assessment on the hazardous event according to the functional failure form and the preselected scenario indicator and determining its safety integrity level comprises: performing the hazard analysis and risk assessment of the hazardous event in terms of severity, exposure probability and controllability according to the functional failure form and the preselected scenario indicator; and determining the safety integrity level of the hazardous event from its severity, exposure probability and controllability.
On this basis, performing the analysis in terms of severity, exposure probability and controllability comprises: determining the driving scenario from the operating mode of the automated vehicle, the condition of the driver and the driving environment, and determining the severity, exposure probability and controllability of the hazardous event in that scenario.
In a preferred embodiment, the hazard analysis and risk assessment table contains at least one assessment record, each comprising the functional failure form, the driving scenario, the severity, the exposure probability, the controllability and the safety integrity level.
The safety integrity level is derived from the exposure (E) of the situation in which the hazardous event can occur, the controllability (C), i.e. how difficult it is for the persons involved to avoid the harm in the available time, and the severity (S) of the potential injury or damage. The determination can be written as risk r = f(E, C, S). The risk level of a hazardous event is expressed by the five ASIL classes QM, A, B, C and D: the higher the risk, the higher the risk-reduction requirement and the higher the ASIL. QM (quality management) does not mean the absence of risk; it means that no ASIL-specific safety requirement applies because the risk is adequately controlled by the normal quality management process. Table 3 gives the classification levels of severity (S), exposure (E) and controllability (C); Table 4 gives the mapping from severity, exposure probability and controllability to the safety integrity level.
Table 3:
table 4:
s240, determining a safety target of the automatic driving vehicle according to the risk analysis and risk assessment table.
The safety goals of the automated vehicle are extracted from the hazard analysis and risk assessment table produced by the scenario-based extended HARA quantitative analysis. The safety goals guide subsequent safety design and development and ensure that the safety performance of the automated vehicle meets the relevant standards and regulations.
The above scheme rates the hazards through quantitative HARA and outputs a complete and objective HARA table. It remedies shortcomings of traditional HARA analysis such as missing functional safety goals and strongly subjective ratings, and provides a reference for the design and improvement of automated driving systems.
Fig. 2B is an analysis schematic diagram of related item-to-hazard scenario according to a second embodiment of the present application. Fig. 2C is a schematic diagram of related item definition according to a second embodiment of the present application. Fig. 2D is a schematic diagram of a scenario-based extended HARA identification process according to a second embodiment of the present application. In a specific example, as shown in fig. 2B, 2C, and 2D, the steps for risk analysis and risk assessment are as follows:
step 1: defining related items and corresponding functional scenes of the related items;
the steering behavior in the lane change of the vehicle in the lateral guidance assistance of the ADS vehicle will be described as an example. The auxiliary lane changing system collects surrounding environment information of the automatic driving vehicle through the vehicle body camera and the environment sensor, sends the surrounding environment information of the automatic driving vehicle to the decision making system of the automatic driving vehicle, and the decision making system determines driving decisions after calculating and evaluating the environment information and sends the driving decisions to the transverse guiding auxiliary system so as to realize driving behaviors such as steering, acceleration, deceleration and the like. The driving scene is that the automatic driving vehicle runs at a constant speed in the urban road, has the lane-changing steering intention, and has clear weather.
Step 2: determining a functional failure form by utilizing a HAZOP keyword method so as to identify dangerous events of related items of the vehicle;
event scenarios include unrelated events, possible hazards, presence of threats, top-level dangerous events. By preselecting scene indexes, scenes which need to be analyzed and contain different potential danger degrees are selected. Taking a top-level dangerous event as an example, the top-level dangerous event represents a driving scene that can trigger a serious safety accident in a short time, for example, a steering function is triggered prematurely, and meanwhile, steering action is executed for too long, which can lead to side collision danger of a vehicle. Table 5 shows preselected scene indexes and table 6 shows the hazard event evaluation results based on the HAZOP keywords.
Table 5:
table 6:
Step 3: obtain the ASIL from the hazard analysis and risk assessment of the scenario-based extended HARA;
The scenario-based extended HARA combines functional safety with safety of the intended functionality (SOTIF). Starting from the functional failure modes obtained in step 2, it selects the driving scenario according to the vehicle operating mode, the driver's driving state and the driving environment, and determines the exposure, severity and controllability of each hazard event, from which the ASIL is obtained.
Step 4: output the HARA table, and extract the safety goal of the automated driving system from the scenario-based extended HARA quantitative analysis table;
Table 7 is the HARA table. For the steering behaviour during a lane change, the safety goal is to eliminate all failure modes of the steering function, and the ASIL is ASIL D.
Table 7:
In summary, the technical scheme defines the item and preselected scene indices of the automated vehicle; determines the functional failure modes of the item by hazard and operability (HAZOP) analysis and identifies the hazard events associated with it; and, according to the functional failure modes and the preselected scene indices, performs functional safety hazard analysis and risk assessment together with SOTIF hazard analysis and risk assessment on each hazard event, determines its safety integrity level, and generates the hazard analysis and risk assessment table. This addresses the incompleteness of prior automated driving hazard analysis and risk assessment methods and improves the reliability of the assessment.
Example III
Fig. 3 is a schematic structural diagram of an automated driving hazard analysis and risk assessment device according to a third embodiment of the present application. As shown in Fig. 3, the device comprises:
an item definition module 310, configured to define the item and preselected scene indices of an automated vehicle;
a hazard event identification module 320, configured to determine the functional failure modes of the item based on hazard and operability (HAZOP) analysis and to identify the hazard events associated with the item;
an assessment table generation module 330, configured to perform hazard analysis and risk assessment on the hazard events according to the functional failure modes and the preselected scene indices, determine the safety integrity level of each hazard event, and generate a hazard analysis and risk assessment table; wherein the hazard analysis and risk assessment comprises a functional safety hazard analysis and risk assessment and a SOTIF hazard analysis and risk assessment.
Optionally, the hazard events comprise vehicle-level hazard events and function-level hazard events;
the hazard event identification module 320 comprises:
a failure mode determination unit, configured to determine the functional failure modes of the item based on HAZOP analysis;
a vehicle-level hazard event determination unit, configured to perform hazard identification on the driving scenario and on vehicle operation and control according to the functional failure modes of the item, and to determine the vehicle-level hazard events associated with the item;
a function-level hazard event determination unit, configured to perform hazard identification on the vehicle function units and driving functions according to the functional failure modes of the item, and to determine the function-level hazard events.
Based on the above scheme, the failure mode determination unit is specifically configured to:
determine the functional failure modes of the item using the HAZOP guidewords; wherein the HAZOP guidewords comprise loss of function, functional error, unexpected function, and output stuck at a fixed value.
In one possible implementation, the assessment table generation module 330 comprises a safety integrity level determination unit configured to:
perform hazard analysis and risk assessment on the hazard events by severity, exposure probability and controllability, according to the functional failure modes and the preselected scene indices; and
determine the safety integrity level of each hazard event from its severity, exposure probability and controllability.
Based on the above scheme, the safety integrity level determination unit is specifically configured to determine the driving scenario from the operating mode of the automated vehicle, the driver's driving state and the driving environment, and to determine the severity, exposure probability and controllability of the hazard event accordingly.
In this embodiment, optionally, the hazard analysis and risk assessment table comprises at least one item of assessment information, the assessment information including the functional failure mode, the driving scenario, the severity, the exposure probability, the controllability and the safety integrity level.
Optionally, the device further comprises:
a safety goal determination module, configured to determine the safety goal of the automated vehicle from the hazard analysis and risk assessment table.
The automated driving hazard analysis and risk assessment device provided by this embodiment can execute the automated driving hazard analysis and risk assessment method provided by any embodiment of the present application, and has the functional modules and beneficial effects corresponding to that method.
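The four steps above (item and scene definition, HAZOP guideword enumeration, S/E/C rating with ASIL lookup, HARA table output and safety goal extraction), carried end to end as an added worked example. This is illustrative code written for this page, not code from the patent application, which contains none. It assumes the ASIL mapping of ISO 26262-3 Table 4, the four HAZOP guidewords exactly as the text lists them, and a constructed set of hazard events for the lane-change steering item: the scene and the top-level event (premature and over-long steering leading to a side collision, rated ASIL D in Table 7) follow the text, while the S/C classes and the other rows are assumptions. Rating SOTIF rows with the same S/E/C table follows the patent's combined approach; ISO 21448 itself does not assign ASILs.

```python
"""Scenario-based extended HARA carried end to end (added example, not the patent's
code): HAZOP guidewords -> hazard events -> S/E/C rating -> ASIL -> HARA rows ->
one safety goal per hazard. The ASIL lookup reproduces ISO 26262-3 Table 4."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The four HAZOP guidewords the text names.
GUIDEWORDS = ("loss of function", "functional error",
              "unexpected function", "output stuck at fixed value")

# ISO 26262-3 Table 4 keyed by (S, E); each tuple lists the ASIL for C1, C2, C3.
_ASIL_TABLE: Dict[Tuple[int, int], Tuple[str, str, str]] = {
    (1, 1): ("QM", "QM", "QM"), (1, 2): ("QM", "QM", "QM"),
    (1, 3): ("QM", "QM", "A"),  (1, 4): ("QM", "A", "B"),
    (2, 1): ("QM", "QM", "QM"), (2, 2): ("QM", "QM", "A"),
    (2, 3): ("QM", "A", "B"),   (2, 4): ("A", "B", "C"),
    (3, 1): ("QM", "QM", "A"),  (3, 2): ("QM", "A", "B"),
    (3, 3): ("A", "B", "C"),    (3, 4): ("B", "C", "D"),
}
_ASIL_RANK = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}

def asil(s: int, e: int, c: int) -> str:
    """ASIL for an (S, E, C) triple; any class 0 gives QM, out-of-range classes raise."""
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError(f"S{s}/E{e}/C{c} outside the ISO 26262 classes")
    return "QM" if 0 in (s, e, c) else _ASIL_TABLE[(s, e)][c - 1]

@dataclass(frozen=True)
class Scene:
    """Preselected scene index. Exposure belongs to the scene, so it is rated once here."""
    operation_mode: str
    driver_state: str
    environment: str
    exposure: int

@dataclass(frozen=True)
class HazardEvent:
    """One HAZOP finding; `source` is 'functional safety' (malfunction) or 'SOTIF'
    (performance limitation / triggering condition), both rated by the extended HARA."""
    guideword: str
    failure_mode: str
    hazard: str
    source: str
    severity: int
    controllability: int

@dataclass(frozen=True)
class HaraRow:
    failure_mode: str
    scene: str
    S: int
    E: int
    C: int
    asil: str
    hazard: str

def hazop(item: str, events: List[HazardEvent]) -> List[HazardEvent]:
    """Completeness check: reject guidewords outside the set, and reject an analysis
    in which one of the four guidewords was never considered for the item."""
    used = {ev.guideword for ev in events}
    if used - set(GUIDEWORDS):
        raise ValueError(f"{item}: unknown guidewords {sorted(used - set(GUIDEWORDS))}")
    if set(GUIDEWORDS) - used:
        raise ValueError(f"{item}: guidewords never considered {sorted(set(GUIDEWORDS) - used)}")
    return events

def rate(events: List[HazardEvent], scene: Scene) -> List[HaraRow]:
    """Step 3: combine each event's S and C with the scene's E and look up the ASIL."""
    label = f"{scene.operation_mode}; {scene.driver_state}; {scene.environment}"
    return [HaraRow(ev.failure_mode, label, ev.severity, scene.exposure, ev.controllability,
                    asil(ev.severity, scene.exposure, ev.controllability), ev.hazard)
            for ev in events]

def safety_goals(rows: List[HaraRow]) -> Dict[str, Tuple[str, str]]:
    """Step 4: one safety goal per hazard, inheriting the highest ASIL among its rows."""
    goals: Dict[str, Tuple[str, str]] = {}
    for r in rows:
        if r.hazard not in goals or _ASIL_RANK[r.asil] > _ASIL_RANK[goals[r.hazard][1]]:
            goals[r.hazard] = (f"Avoid {r.hazard}", r.asil)
    return goals

# Constructed sample for the lane-change steering item. The scene and the top-level
# event follow the text; the S/C classes and the remaining rows are assumptions.
LANE_CHANGE_SCENE = Scene("automated lane change at constant speed",
                          "driver attentive, hands off", "urban road, clear weather", 4)
LANE_CHANGE_EVENTS = hazop("lateral guidance assistance, lane-change steering", [
    HazardEvent("unexpected function", "steering triggered prematurely and held too long",
                "side collision during lane change", "functional safety", 3, 3),
    HazardEvent("loss of function", "no steering output when lane change is commanded",
                "lane change aborted, vehicle stays in lane", "functional safety", 1, 1),
    HazardEvent("functional error", "steering angle larger than requested",
                "departure into adjacent lane", "functional safety", 2, 2),
    HazardEvent("output stuck at fixed value", "steering command frozen at last value",
                "continued turning after the lane change", "functional safety", 3, 2),
    HazardEvent("unexpected function", "lane marking misread in low sun, lane change into occupied lane",
                "side collision during lane change", "SOTIF", 3, 2),
])

def build_hara_table() -> List[HaraRow]:
    return rate(LANE_CHANGE_EVENTS, LANE_CHANGE_SCENE)

if __name__ == "__main__":
    for r in build_hara_table():
        print(f"ASIL {r.asil:<2} S{r.S} E{r.E} C{r.C}  {r.failure_mode} -> {r.hazard}")
    for goal, level in safety_goals(build_hara_table()).values():
        print(f"Safety goal: {goal} [ASIL {level}]")
```

Two points the table alone does not show. Exposure is a property of the scene, not of the failure mode, so the same failure mode rated in a different preselected scene (a rare operating condition, E1 or E2) lands on a lower ASIL; this is why the scene index is fixed before rating. And `hazop()` refuses an analysis in which one of the four guidewords was never dispositioned for the item, which is the cheapest check against a hazard that is missing from the table only because nobody asked the question.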
Example IV
Fig. 4 shows a schematic diagram of an electronic device 410 that may be used to implement an embodiment of the application. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes and other appropriate computers. Electronic devices may also represent various forms of mobile devices, such as personal digital assistants, cellular telephones, smartphones, wearable devices (e.g., helmets, glasses, watches) and other similar computing devices. The components shown here, their connections and relationships, and their functions are exemplary only and are not meant to limit the implementations of the application described and/or claimed herein.
As shown in Fig. 4, the electronic device 410 includes at least one processor 411 and a memory communicatively connected to the at least one processor 411, such as a read-only memory (ROM) 412 and a random-access memory (RAM) 413. The memory stores computer programs executable by the at least one processor, and the processor 411 may perform various suitable actions and processes according to the computer programs stored in the ROM 412 or loaded from the storage unit 418 into the RAM 413. The RAM 413 may also store various programs and data required for the operation of the electronic device 410. The processor 411, the ROM 412 and the RAM 413 are connected to each other through a bus 414. An input/output (I/O) interface 415 is also connected to the bus 414.
Various components of the electronic device 410 are connected to the I/O interface 415, including: an input unit 416 such as a keyboard or mouse; an output unit 417 such as displays or speakers of various types; a storage unit 418 such as a magnetic or optical disk; and a communication unit 419 such as a network card, modem or wireless transceiver. The communication unit 419 allows the electronic device 410 to exchange information and data with other devices through a computer network such as the Internet and/or various telecommunication networks.
The processor 411 may be any of various general-purpose and/or special-purpose processing components with processing and computing capabilities. Examples of the processor 411 include, but are not limited to, a central processing unit (CPU), a graphics processing unit (GPU), various dedicated artificial intelligence (AI) computing chips, various processors running machine learning model algorithms, digital signal processors (DSPs), and any suitable processor, controller or microcontroller. The processor 411 performs the various methods and processes described above, such as the automated driving hazard analysis and risk assessment method.
In some embodiments, the automated driving hazard analysis and risk assessment method may be implemented as a computer program tangibly embodied on a computer-readable storage medium, such as the storage unit 418. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 410 via the ROM 412 and/or the communication unit 419. When the computer program is loaded into the RAM 413 and executed by the processor 411, one or more steps of the automated driving hazard analysis and risk assessment method described above may be performed. Alternatively, in other embodiments, the processor 411 may be configured to perform the method in any other suitable manner (e.g., by means of firmware).
Various implementations of the systems and techniques described above may be realised in digital electronic circuitry, integrated circuit systems, field-programmable gate arrays (FPGAs), application-specific integrated circuits (ASICs), application-specific standard products (ASSPs), systems on chip (SoCs), complex programmable logic devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These implementations may include one or more computer programs executable and/or interpretable on a programmable system including at least one programmable processor, which may be special-purpose or general-purpose, and which receives data and instructions from, and transmits data and instructions to, a storage system, at least one input device and at least one output device.
A computer program for carrying out methods of the present application may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be implemented. The computer program may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present application, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. The computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) through which a user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., a data server), a middleware component (e.g., an application server), a front-end component (e.g., a user computer with a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques), or any combination of such back-end, middleware and front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include local area networks (LANs), wide area networks (WANs), blockchain networks and the Internet.
The computing system may include clients and servers. A client and a server are generally remote from each other and typically interact through a communication network. The client-server relationship arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server may be a cloud server, also called a cloud computing server or cloud host, a host product in a cloud computing service system that overcomes the high management difficulty and weak service scalability of traditional physical hosts and VPS services.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps described in the present application may be performed in parallel, sequentially, or in a different order, so long as the desired results of the technical solution of the present application are achieved, and the present application is not limited herein.
The above embodiments do not limit the scope of the present application. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present application should be included in the scope of the present application.

Claims (10)

1. An automated driving hazard analysis and risk assessment method, comprising:
defining an item of an automated vehicle and preselected scene indices;
determining functional failure modes of the item based on hazard and operability (HAZOP) analysis, and identifying hazard events associated with the item;
performing hazard analysis and risk assessment on the hazard events according to the functional failure modes and the preselected scene indices, determining the safety integrity level of each hazard event, and generating a hazard analysis and risk assessment table; wherein the hazard analysis and risk assessment comprises a functional safety hazard analysis and risk assessment and a safety-of-the-intended-functionality (SOTIF) hazard analysis and risk assessment.
2. The method of claim 1, wherein the hazard events comprise vehicle-level hazard events and function-level hazard events;
and wherein determining the functional failure modes of the item based on hazard and operability analysis and identifying the hazard events associated with the item comprises:
determining the functional failure modes of the item based on hazard and operability analysis;
performing hazard identification on the driving scenario and on vehicle operation and control according to the functional failure modes of the item, and determining the vehicle-level hazard events associated with the item;
performing hazard identification on the vehicle function units and driving functions according to the functional failure modes of the item, and determining the function-level hazard events.
3. The method of claim 2, wherein determining the functional failure modes of the item based on hazard and operability analysis comprises:
determining the functional failure modes of the item using hazard and operability analysis guidewords; wherein the guidewords comprise loss of function, functional error, unexpected function, and output stuck at a fixed value.
4. The method of claim 1, wherein performing hazard analysis and risk assessment on the hazard events according to the functional failure modes and the preselected scene indices and determining the safety integrity level of each hazard event comprises:
performing hazard analysis and risk assessment on the hazard events by severity, exposure probability and controllability according to the functional failure modes and the preselected scene indices;
determining the safety integrity level of each hazard event from its severity, exposure probability and controllability.
5. The method of claim 4, wherein performing hazard analysis and risk assessment on the hazard events by severity, exposure probability and controllability according to the functional failure modes and the preselected scene indices comprises:
determining a driving scenario from the operating mode of the automated vehicle, the driver's driving state and the driving environment, and determining the severity, exposure probability and controllability of the hazard event.
6. The method of claim 3, wherein the hazard analysis and risk assessment table comprises at least one item of assessment information, the assessment information including the functional failure mode, the driving scenario, the severity, the exposure probability, the controllability and the safety integrity level.
7. The method of claim 1, further comprising, after generating the hazard analysis and risk assessment table:
determining a safety goal of the automated vehicle from the hazard analysis and risk assessment table.
8. An automated driving hazard analysis and risk assessment device, comprising:
an item definition module, configured to define an item of an automated vehicle and preselected scene indices;
a hazard event identification module, configured to determine functional failure modes of the item based on hazard and operability analysis and to identify hazard events associated with the item;
an assessment table generation module, configured to perform hazard analysis and risk assessment on the hazard events according to the functional failure modes and the preselected scene indices, determine the safety integrity level of each hazard event, and generate a hazard analysis and risk assessment table; wherein the hazard analysis and risk assessment comprises a functional safety hazard analysis and risk assessment and a SOTIF hazard analysis and risk assessment.
9. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the automated driving hazard analysis and risk assessment method of any of claims 1 to 7.
10. A computer-readable storage medium storing computer instructions for causing a processor to perform the automated driving hazard analysis and risk assessment method of any of claims 1 to 7.
CN202310443009.9A 2023-04-23 2023-04-23 Automatic driving danger analysis and risk assessment method, device, equipment and medium Pending CN116755417A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310443009.9A CN116755417A (en) 2023-04-23 2023-04-23 Automatic driving danger analysis and risk assessment method, device, equipment and medium


Publications (1)

Publication Number Publication Date
CN116755417A true CN116755417A (en) 2023-09-15

Family

ID=87959682


Country Status (1)

Country Link
CN (1) CN116755417A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination