AUTONOMOUS DRIVING RADAR REQUIREMENTS - prospect … · AUTONOMOUS DRIVING RADAR REQUIREMENTS...

AUTONOMOUS DRIVING RADAR REQUIREMENTS

PRESENTER:

Dr.-Ing. Martin KunertRobert Bosch GmbHAdvanced Engineering Sensor SystemsLeonberg / GermanyE-Mail: [email protected]

Highly Automated Driving (HAD) introduction

Key Performance Indicators for HADCoverage azimuth, elevation; Resolution and accuracy

Safety concepts for HADReliability and redundancy


Introduction

Chassis Systems Control | CC/ENA2 | 01.07.2016

© Robert Bosch GmbH 2016. Alle Rechte vorbehalten, auch bzgl. jeder Verfügung, Verwertung, Reproduktion, Bearbeitung, Weitergabe sowie für den Fall von Schutzrechtsanmeldungen.3

How does the autonomous car of the future looks like?

Source: internet

Introduction



Let‘s have a look back in history …..

Source: GM Motorama Exhibition 1956 – Videoclip “Your key to greater value”

Introduction



The General Motor requirements for HAD in 1956

Radio communication Driver HMI A human supervisor Dedicated lanes

Navigation maps Auto Pilot system Synchronized Big DataManual mode with a

steering wheel

And what of them do we needed today ?

Source: General Motors Motorama Video

Introduction



Todays prerequisites for automated driving – high level overview

Source: Robert Bosch GmbH| V. Denner

Introduction



Transportation in the far future, only science fiction or … ?

Source:

The fifth element

(Fantasy film 1997)

Introduction



Transportation in the mid future, a more realistic picture?

Source:

MIT Senseable city lab

Slot-based intersections

Introduction



Transportation in the mid future, a more realistic picture?

Source:

MIT Senseable city lab

Slot-based intersections

diverging diamond intersection

Introduction



Automotive mobility in the next two decades, a realistic forecast

Source: Thatcham Research – the future of autonomous driving

Introduction



First cost indications and market forecast for HAD

2600

1920

2300

3220

1700

2400

2800

4500

4000

6600

5000

2500

3500

4000

10000

0 5000 10000 15000

BMW

MB

Audi

GM

Ford

Lexus

Volvo

Google

AD Package

ADAS Package

Price ($)

Source: Frost & Sullivan analysis

HAD: Highly Automated Driving AD: Automated Driving ADAS: Advanced Driver Assistance System

Introduction



The paradigm change in business models caused by HAD

Source: Morgan Stanley (2015) / www.driverless-future.com

Introduction



The shift in transport modality caused by HAD

Source: ERTRAC website

Introduction



The long transition time to fully deployed HAD in traffic

Source: EPOSS website

Autonomous vehicle sales, fleet and travel projections

Introduction



The necessary HAD performance for a sucessful market entry

Source: UMTRI_AD_Benefit_estimation_zero.pdf

Better than Case 3 is needed for a success story of HAD

Key Performance Indicators for HAD



The functional & application portfolio for HAD

Many ADAS features are already on the road or in the pipeline !

What sensors and

technologies are needed

to realize the current and

future HAD demands?

Source: PreVent EU funding project




Including the existing ADAS features also in HAD development

Downward compatibility is an absolute must (no feature loss is allowed)

Source: Robert Bosch GmbH




The necessary sensor technology portfolio

Adaptive Cruise Control

Blind Spot

Detection

Lane Change

Assist

Park Mate

Lane

Departure

Warning

Traffic Sign

Recognition

High Beam

Assist

Full Speed Range ACC

Collision Warning

Lane Keeping

Night Vision

Collision Mitigation

Emergency Braking

Homezone Assist

Driver

Attention

Back-up Aid

What sensors are needed for HAD?

UltrasonicRadarLIDARNight VisionCamera C2X GPS & Map





Development steps towards automated driving - driver responsibility





Development steps towards automated driving – data fusion




The operational radar frequency bandwidth requirements

The best performance in the allocated vehicular radar frequency bands is at 79 GHz !

Legend:

V: Speed separation

R: Range separation

j: Angle separation

j

V

R

j

24 GHzNarrow-Band

V

R

24 / 26 GHzUWB (5 GHz BW)

V

R

j

77 GHz(1 GHz BW)

V

R

j

79 GHz(4 GHz BW)

Evolution of Sensor Performance(Note: the smaller the cube volume, the better the performance)

Source: Functional Requirements of Future Automotive Radar Systems, R. Rasshofer, EURAD 2007




360 degree observation zone around the car

Full awareness and perception everywhere around the car is needed !





The environmental robustness requirements

For HAD level 4 and 5 100% availability is needed !

Source: Radar4FAD – German funding project




Angular separation and resolution requirements

At least 1° in azimuth and ~5° in elevation is needed !

Source: Robert Bosch GmbH (CC/ENA2)




Velocity resolution requirements

High Doppler speed resolution for target classification is needed !





Multi-target detection and tracking capbility

The usage of a high resolution radar requires many tracking points per target !Source: Robert Bosch GmbH (CC/ENA2)

Safety concepts for HAD



Perception and safety requirements for the 5 automation levels

Higher automation levels need higher ASIL grades !

Automation

Level

Functional

Description

Driver

Interaction

Perception

Redundancy

Dependability Safety

Level

Level 0 no automation high none fail-silent QM

Level 1 driver

assistance

medium-high complementary fail-silent ASIL A or B

Level 2 partial

automation

medium combining fail-safe ASIL B

Level 3 conditional

automation

moderate partial overlap fail-safe ASIL C

Level 4 high

automation

seldom large overlap fail-operational

(single error)

ASIL C or D

Level 5 full

automation

none full overlap fail operational

(multi-error)

ASIL D

ASIL: Automotive safety Integrity Level QM: Quality Management





The Automotive Safety Integrity Level

“Item”: Vehicle function e.g. ACC (adaptive cruise control)

Malfunction: Unintended braking initiated by ACC due to an E/E architecture failure

Risk classification based on

Severity of the potential harm of involved persons

Exposure probability of the risk to appear while driving

Controllability of the hazardous situation

ASIL classification of the function

Derivation of appropriate safety goals with according ASIL to prevent the malfunction

E/E: Electric/Electronic

Source: ISO 26262 documentation




ISO 26262 International standard

Adaptation of IEC 61508 to comply with the specific needs of E/E systems in road vehicles

Applies to all activities during the safety lifecycle of safety-related systems comprised of electrical, electronic, and software components

The scope is limited to passenger cars with max. gross weight of 3.500 kg

The ISO 26262 V-Cycle

ISO 26262 addresses the complete product safety lifecycle:

The standard consists of 10 parts

Each part is dedicated to a certain aspect of the production process in the V-lcycle

Part 1: Vocabulary

Part 2: Management of functional safety

Part 3: Concept phase

Part 4: Product development: system level

Part 5: Product development: hardware level

Part 6: Product development: software level

Part 7: Production and operation

Part 8: Supporting processes

Part 9: ASIL-oriented and safety-oriented analyses

Part 10: Guidelines on ISO 26262 (informative)




The ASIL process and the different FIT-levels

The safety goal: Determine the max. FIT occurrence on vehicle function level according to

ASIL safety risk classification

safety concept/architecture/design

with requirements to achieve safety

goal by using corresponding ASIL

Analysis of safety concept by

FMEA

FMEDA

FTA

DRBFM

….

for random HW

failures only

1 FIT = 1 Failure in Time = 10-9 failures / hour

QM no safety relevance

ASIL A: 1.001 – 10.000 FIT low risk classification

ASIL B: 101 - 1000 FIT

ASIL C: 11 - 100 FIT

ASIL D: <10 FIT high risk classification

QM: Quality Management FMEA: Failure Mode and Effects Analysis FMEDA: Failure Mode Effect and Diagnostic Analysis FTA: Fault Tree Analysis DRBFM: Design Review Based on Failure Mode




ASIL level decomposition and sensor redundancy concepts

In case b) the unique ASIL C sensor can be replaced with an ASIL B and ASIL A sensor

Different safety concepts are possible to achieve a required ASIL

Independent, redundant elements, e.g. for a sensor function, can reduce the ASIL of the individually involved sensor ASIL decomposition




The limit of ISO 26262 scope and impact on radar sensors

Failure rate: λ = λE/E + λE

FITE = FITM + FITI

FITE: Environmental influence failures

FITI: Critical interference failures

FITM: Critical misinterpretation failures

ISO 26262:

Functional safety due to detection and/ or

mitigation of failures in the E/E-architecture,

the influence of the environment is out of

scope.

failure rate λ for HW failures of E/E

Further Radar sensor failure impacts:

Functional safety depends both on the E/E-

architecture and the capability to detect

failures caused by environmental influences

(e.g. sensor detection performance).

Extension of the failure rate λ needed ?

FIT: Failure in Time

Safe-state and uncritical failures don’t have any impact or influence on FIT or λSource: MOSARIM EU-project




The additional failure domains for perception sensors

Failures regarding detection performance of

automotive perception sensors

Wrong data/information

w.r.t. environment situation

Interference or Disturbance(environment or other systems)

Misinterpretation

of road situation

Failure leading

directly to

violation of

safety goal

Failure de-

tected, failure

handled or

system disabled

Failure not

detected,

system still

enabled

Failure detected,

countermeasure

applied or

system disabled

Failure leading

directly to

violation of

safety goal

Failure not

detected, system

still enabled

critical,

relevant for

FITM rate

critical,

relevant for

FITM rate

critical,

relevant for

FITI rate

critical,

relevant for

FITI rate

uncritical,

not FITI -

relevant

uncritical,

not FITM -

relevant

„safe state“,

not FITM -

relevant

„safe state“,

not FITI -

relevant

Interference DomainInterpretation Domain

The handling of FITM and FITI contributions is still an open issue !

Source: MOSARIM EU-project

Safety concepts for HAD – Interpretation



Compensating the weakness of orthogonal sensor technologies

Video sensor:

high lateral accuracy

Radar sensor:

high longitudinal accuracy

video

camera

radar

sensor

Significant improvements on sensor-intrinsic shortcomings have to be done before an effective

and robust sensor data fusion is possible !

Radar sensors have to improve lateral resolution performance while

video sensors have to increase longitudinal distance estimation and object speeds !




Compensating the weakness of orthogonal sensor technologies

downpoors

fog and smog

heavy snow

dazzling by sun or headlights

sensor blockage by dirt, ice or mud

road spray or towing water

Environmental robustness is crucial for all-time operation and is best fulfilled by radar sensors

!




The redundancy concepts and challenges

Sensor technology A

Sensor technology B

Complementary sensor data fusion Redundant sensor data fusion

Redundancy only, when both technologies have the same performance and working zone !




Monitoring wrong interpretation and false alarms

Example Pedestrian Protection System:

The trade-off dilemma between efficiency and unjustified system response !

Safety concepts for HAD – Interference



The traffic dependent radar interference situations

interferred vehicle interferring vehicle neutral vehicleSource: MOSARIM EU-project

Safety concepts for HAD– Interference



The radar interference mitigation techniques and countermeasures

The mitigation margin differs from domain to domain and is typically

between 15 dB and infinity (i.e. total radar interference suppression)



Polarization Time Frequency Coding Space Strategic

key words

- linear,

circular,

elliptical

- co/cross

polarization

key words

- duty cycle

- receiver time

- random time

key words

- sub-bands

- random

frequency

hopping

key words

- code length

- reception

ordering

- orthogonality

key words

- azimuth,

elevation

- FOV, range

- scanning

key words

- detection

- avoid, omit,

repair

-communicate

f

t

f

t

f

t

f

t

Safety concepts for HAD– Interference



The ASIL impact on max. allowed I/N limit

A further I/N apportionment between mutual and incumbent frequency users is needed !

Driver assistantfunction portfolio

Lower requirements(Collision warning,

Blind Spot Monitoring.Lane change assistance)

Higher requirements(Adaptive cruise control,

Collision mitigation,VRU protection)

exact relation still open

exact relation still open

Max. allowed I/Nmutual: xx dB mutual: yy dBincumbent: xx – zx dB incumbent: yy – zy dB

QM ASIL A ASIL B ASIL C ASIL DASIL level




Final conclusions and discussion points

Highly automated driving needs redundant and robust perception concepts

The ISO 26262 is only dedicated to E/E failures

Non-E/E failures shall use the same methodology (is still an open item)

Wrong interpretation of the traffic scenario, mutual and incumbent

interference or harsh environmental shortcomings are sporadic hazards

and difficult to handle and classify as critical errors (e.g. FIT rating)

Discussion points:

What kind of redundancy is needed for perception systems?

How to cope with non E/E failures?

HAD impact on market and business models

How to bridge the long transition time of simultaneous drivers and HAD?

The pros and cons of different HAD roll-out scenarios

Vielen Dank für Ihre Aufmerksamkeit !

AUTONOMOUS DRIVING RADAR REQUIREMENTS - prospect … · AUTONOMOUS DRIVING RADAR REQUIREMENTS...

Documents

Transcript of AUTONOMOUS DRIVING RADAR REQUIREMENTS - prospect … · AUTONOMOUS DRIVING RADAR REQUIREMENTS...