Informal Document: ACSF-11-08

Slides:



Advertisements
Similar presentations
Quality Risk Management ICH Q9 Annex I: Methods & Tools
Advertisements

1 Inspection of LCPs: System for Inspection. ECENA Training Workshop Bristol, March 2008.
Definition for Levels of Automation
DG Enterprise and Industry Philippe JEAN Sustainable Mobility & Automotive Industry Unit WP.29 Enforcement Working Group meeting 27 June update.
WORKSHOP, Nicosia 2-3rd July 2008 “Extension of SAFETY & QUALITY Common Requirements to the EMAC States” Item 3 : Regulatory Context Peter Stastny EUROCONTROL.
© 2011 Underwriters Laboratories Inc. All rights reserved. This document may not be reproduced or distributed without authorization. ASSET Safety Management.
1 ACSF Test Procedure Draft proposal – For discussion OICA and CLEPA proposal for the IG Group ACSF Tokyo, 2015, June Informal Document ACSF
Specific Safety Requirements on Safety Assessment and Safety Cases for Predisposal Management of Radioactive Waste – GSR Part 5.
SAFETY MANAGEMENT SYSTEM IN TURKISH STATE RAILWAYS (TCDD)
Agreement concerning the adoption of uniform conditions for periodical technical inspections of wheeled vehicles and the reciprocal recognition of such.
Gdansk International Air & Space Law Conference November 2013 Authority and Organisation Requirements “effective management systems for authorities and.
Common Understanding on Major Horizontal Issues and Legal Obstacles Excerpts from the relevant sections of the ToR: II. Working items to be covered (details.
Abstract A step-wise or ‘tiered’ approach has been used as a rational procedure to conduct environmental risk assessments in many disciplines. The Technical.
1 6th ACSF meeting Tokyo, April 2016 Requirements for “Sensor view” & Environment monitoring version 1.0 Transmitted by the Experts of OICA and CLEPA.
ELA Forum The basis, objective and content of SNEL - EN81-80 The basis, objective and content of SNEL - EN81-80 Michael Savage.
Transmitted by the Experts of TRL (EC)
OICA „Certification of automated Vehicles“
Submitted by FIA Document No. ITS/AD-10-06
POST APPROVAL CHANGE MANAGEMENT PROTOCOLS IN THE EUROPEAN UNION
Informal document GRRF-84-32
Suggestion for Summarizing Process of the Principles
Introduction TRL’s study was performed in the context of ACSF updates to UN Regulation No 79. Focus: Ensure safe system function in all real-world driving.
Security of In-Vehicle Software
Common Understanding on Major Horizontal Issues and Legal Obstacles
OICA input on software updates to UN TF CS/OTA
Submitted by the expert form Japan Document No. ITS/AD-09-12
Initial project results: Annex 6 – 20 Sept 2016
Chapter 18 Maintaining Information Systems
Regulation (EU) No 2015/1136 on CSM Design Targets (CSM-DT)
Concept of ACSF TAN (Type Approval Number)
FMEA.
Suggestion on software update
California Automated Vehicle Regulations Update
UN Task Force on Cyber Security and OTA issues
Outcome TFCS-11// February Washington DC
Obstacles and lessons learnt by the SRVSOP
Outcome TFCS-11// February Washington DC
Automated vehicles Horizontal regulation Preliminary considerations
Outcome of TFCS-12 - summary slides - (detailed meeting minutes will be provided separately) April The Shilla Seoul, ROK.
Informal document GRRF-86-36
Summary of software update progress
Submitted by OICA Document No. ITS/AD-14-07
Status of the Informal Working Group on ACSF
Proposals from the Informal Working Group on AEBS
Status of the Informal Working Group on ACSF
ASEP IWG Report to GRB 65th
Transmitted by the expert from ISO
Conformity of Production (COP)
ASEP, from 2005 to 2019 Background informations and future works
Submitted by the experts of OICA
Status report from UNECE Task Force on Cyber Security &
Submitted by OICA Document No. ITS/AD Rev1
Safety Assessment of Automated Vehicles
New Assessment & Test Methods
EU Tyre Industry comments on document ECE/TRANS/WP.29/GRB/2019/6
Replies by the Task Force to the comments provided by GRVA members
Status report of TF-CS/OTA
Safety concept for automated driving systems
Software Update - Type approval related issues -
Overview of the recommendations on software updates
Highlights of the 177th WP.29 session and
5.b3 Monitoring & Reporting 2019
Issues identified in connection with the work of TF-CS/OTA
ACSF-17 – Industry Preparation
A proposal for approach to proceed work in Cybersecurity TF
ACSF B2 SAE Level 2 and/or Level 3
National Legislation in the Pressure Sector and the PED
Access to data requirementS
HSE Requirements for Pipeline Operations GROUP HSE GROUPE (CR-GR-HSE-414) EXECUTIVE SUMMARY This rule defines the minimum HSE requirements related to the.
FIA position on Lifecycle of a vehicle type* vs. Lifetime of a vehicle
Presentation transcript:

Informal Document: ACSF-11-08 Submitted by the experts of Europ. Commission Informal Document: ACSF-11-08 EC study on Assessment and certification of automated vehicles – Main findings

Introduction TRL’s study was performed in the context of ACSF updates to UN Regulation No 79. Focus: Ensure safe system function in all real-world driving situations. The study identified five safety-relevant areas that might need attention: Interpretation of the existing assessment procedure for the safety of complex electronic systems (“CEL annex”). Operational safety of ACSF under all real-world driving conditions. Driver monitoring to prevent foreseeable misuse. Real-world safety performance after approval (“In-service safety performance”). Over-the-air (OTA) software updates. The main findings are summarised on the following slides as identified issues and proposed solutions for each of these five areas.

CEL Annex - Issues Annex 6 of UN Regulation No. 79 regulates the safety of complex electronic systems. This “CEL annex” is also included in other regulations. It prescribes an analysis of the development life cycle or design methodology = effectively an audit by the technical service. Aim is to show safety of the design (with verification) and in particular that ‘the system’ does not adversely affect the function of the main steering system in non-fault (i.e. normal) and fault operating conditions. It does not enforce any specific performance requirements. Issue identified by TRL’s analysis: The CEL Annex assessment is not applied in a consistent manner across technical services.

CEL Annex - Solutions TRL identified the current ‘best practice’ application and developed a proposal for amendments to Annex 6. Main items proposed: Involve technical service (TS) early-on in the development process. Ensure traceability of the work of the TS. TS to perform a document ‘audit’ of the safety approach at both concept (e.g. HAZOP) and system level (e.g. FMEA, FTA): Check existence of documents, their history and (to a certain extent) their content. TS to assess resistance to environmental influence: Inspect type and scope of tests on climate, mechanical resistance and electromagnetic compatibility. Possibly include report template in CEL Annex to ensure all aspects are addressed.

Operational safety - Issues Aim: Ensure safety under all real-world scenarios. ‘Hands-off’ systems (such as, category B2 and E) will allow the driver to be ‘out of the loop’ for significant periods of time - up to about 3 minutes according to an ACSF IWG proposal. The system must be capable of controlling the vehicle entirely for this period of time. Issue: The currently proposed requirements are based on the assumption of an SAE level 2 system (driver supervising driving environment). TRL think that requirements similar to those appropriate for an SAE Level 3 system should be imposed (driver is only supervising the system).

Operational safety - Solutions TRL propose to require a comprehensive assessment to assure safe operation in the full range of real-world conditions which may occur in the operational design domain (ODD). A list of areas to be considered for assessment has been developed: Roadway types, geographic area, speed range, environmental conditions (weather, daytime / nighttime, etc.) Driver complacency and misuse (and effective countermeasures). Object and event detection and response (e.g. stopped or rapidly slowing vehicle , roadworks, emergency vehicles, animals/pedestrians in road, …). Minimal risk manoeuvre (MRM). These areas could be assessed based on: Submission of documentation (describing OEM process for the assessment, testing and validation of ‘operational safety’); and Signed declaration by an authorised company official. These requirements could be implemented within Regulation 79 or more logically in a new horizontal regulation for automated vehicles.

Driver monitoring - Issues The proposed requirements for driver monitoring in ACSF regulation draft are: For Category B1 systems: ‘Hands-on detection’. For Category B2 systems: ‘Driver activity detection’. The main issues identified by TRL’s analysis: Hands-on detection leaves room for potential misuse of Category B1 systems. (For example, phone-related activities using one hand which would draw attention away from the driving environment.) Draft requirements for ‘driver activity detection’ are considered too unspecific and underdeveloped to ensure safe operation.

Driver monitoring - Solutions TRL performed a technology review to determine current state of the art of driver monitoring systems. Proposed regulatory solution for the short term: Potential driver misuse should be evaluated and addressed by manufacturers during system development (HAZOP to cover foreseeable misuse). This step should be checked by the technical service during the CEL Annex assessment (if TRL’s proposed changes to the Annex are implemented). In the longer term: Include specific driver monitoring requirements to ensure a similar standard of misuse prevention between different systems. This will require additional regulatory work to develop appropriate requirements (don’t exist at the moment). Should ideally be placed into a horizontal regulation on driver monitoring that can be called upon by different regulations and can be updated and developed further independently.

In-service safety performance - Issues For ‘hands-off systems’ (such as B2 and E) it is impossible to test at the time of type-approval all real-world scenarios that may be encountered. Therefore, the approach currently being developed for type-approval is: To check a limited number of scenarios; and to audit aspects of the system development process, in particular the safety concept. Issue: This leaves a potential for safety-relevant issues which are not detected during type-approval in the future.

In-service safety performance - Solutions Solution could be to not only add more scrutiny up-front, but also ensure that safety issues in real-world use are detected and resolved early. In-service safety performance monitoring coupled with recall action to address any safety issues identified could be implemented. Measures could be put in place in UN Regulation to enable the use of the three approaches: Enhanced requirements for operational safety checked by authorities at type-approval level, Self-declaration by the manufacturer on some design aspects, and Proactive in-use safety monitoring. A first step would be a requirement for the collection of “event, incident, and crash data, for the purposes of recording the occurrence of malfunctions, degradations, or failures in a way that can be used to establish the cause of any such issues”. DSSA requirements could be expanded to include collection of data for events, incidents and road accidents sufficient for use to establish the cause of any such issues and any related system defects.

OTA updates - Issues Over-the-air (OTA) software updates can offer large benefits to the automotive industry and the consumers. However, OTA software updates can also: Cause safety or emissions problems; and make a vehicle non-compliant with its initial type-approval and registration certificate. Particularly relevant if OTA updates provide new functions subject to type-approval which were not initially type-approved.

OTA updates – Solutions (1/2) For pre-registration/production vehicles, OTA updates could follow the current practice for a type-approval update: OEM to inform type-approval authorities. Authorities to decide if this should be considered as revision/extension or as new type-approval. For post-registration software updates, the situation is more complex: Modifications to registered vehicles are covered by national legislation. EU type-approval framework could be extended to updates affecting approved systems. (Similar to UN regulations on retrofitting of LPG/CNG vehicles or for replacement parts.) Updates could be validated by type-approval authorities. Updates could then be deployed by OEMs under their responsibility. Potentially in combination with an individual approval/periodic technical inspection (depending on the scope of the update).

OTA updates – Solutions (2/2) Main considerations for implementation: Responsibility should be clarified: Today under most of national rules, it is the vehicle owner (not manufacturer) who is responsible for maintaining the vehicle in compliance with legislation. OTA updates could be limited to non-critical functions. For critical functions a physical inspection (by the manufacturer, authorities) could be required. Updates not impacting type-approved functions could be left out from the type-approval framework. Software / firmware versions could also be checked at PTI: Potential introduction via Implementing Act for Directive 2014/45/EU. But: First PTI only occurs after a number of years (4 years in many member states). Cyber-security is still a major issue and much work is being performed on it at present, (e.g. WP.29 ITS/AD working group).

Thank you for you attention For further information please contact: Study available publicly here: https://circabc.europa.eu/sd/a/b6f6de76-184e-4967-93dd-9d7f1e1e3984/item%204-2017-01%20Commission%20study%20on%20vehicle%20certification.pdf Contacts: Commission: Antony Lagrange (antony.lagrange@ec.europa.eu) TRL: Meryn Edwards (medwards@trl.co.uk) and Matthias Seidl (mseidl@trl.co.uk)