STPA Analysis of Safety Measures for Zenuity’s Auto Valet...
Transcript of STPA Analysis of Safety Measures for Zenuity’s Auto Valet...
![Page 1: STPA Analysis of Safety Measures for Zenuity’s Auto Valet ...psas.scripts.mit.edu/home/wp-content/uploads/2019/... · 4/1/2019 · 5. Demo checklist with roles and expectaons were](https://reader033.fdocuments.in/reader033/viewer/2022050105/5f43ce40dbdf6160b24ca415/html5/thumbnails/1.jpg)
PAGE 1
Amardeep Sidhu, Shabin Mahadevan
STPA Analysis of Safety Measures for Zenuity’s Auto Valet Parking Demo
PAGE 2
Zenuity - set up
• Volvo Cars will directly source the AD, ADAS software
• Zenuity develops AD, and ADAS software reference platform (hardware agnostic)
• Veoneer markets, licenses, & adapts to customer needs
Safety, Agility, Flexibility
PAGE 3
Background
• Autonomous Valet Parking (AVP) feature
• AVP demo at Consumer Electronics Show (CES) Jan 2019
PAGE 4
Objectives & Rationale
• Evaluate safety measures for autonomous valet parking and summon during Zenuity's AVP demo
• Informed decision on manned (safety driver) vs. driverless demo
• STPA was chosen to evaluate the safety due to:
  • Multi-agent nature of the demo
  • Complex interactions
PAGE 5
System under study: ConOps
Demo phases:
1. Autonomous parking maneuver start
2. Autonomous parking maneuver end
3. Autonomous summon maneuver start
4. Autonomous summon maneuver end
Human actors:
• Demo manager (DM)
• E-stop operator (ESO)
• Vehicle Signal Monitor (VSM)
• Maintenance team
[Diagram: 4 demo vehicles running loop + 1 stationary safety vehicle, with demo phases 1-4 marked on the loop]
PAGE 6
Zooming into the E-stop system
[Diagram: one safety vehicle carrying the E-stop operator (ESO) and signal monitor (SM); four demo vehicles; verbal and visual signals between the human roles; E-stop transmitter device in the safety vehicle; E-stop receiver device in each demo vehicle, with actuation & LED feedback]
• Safety vehicle has two pairs of SM and ESO
• Each SM and ESO pair is assigned to two demo vehicles
PAGE 7
STPA Step 1: defining purpose of the analysis
Losses
• L-1 = AV collision with vulnerable road user (VRU)
• L-2 = AV gets damaged
• L-3 = Loss of reputation
Hazards
• H-1 = AV does not maintain safe distance to VRU [L-1, L-3]
• H-2 = AV leaves the designated demo zone [L-1, L-2, L-3]
• H-3 = AV does not maintain safe distance to another AV [L-2, L-3]
• H-4 = AV does not maintain safe distance to structure [L-2, L-3]
• H-5 = AV activates without request during autonomous maneuver [L-3]
• H-6 = AV activates due to incorrect request during autonomous maneuver [L-3]
• H-7 = AV does not respond to requests during autonomous maneuver [L-1, L-2, L-3]
Process model variables
• Emergency situation: Yes, No
• Vehicle: Stationary, Moving
PAGE 8
STPA Step 2: modeling the control structure
PAGE 9
STPA Step 3: identifying unsafe control actions

| Command | Emergency | AV | Not providing causes hazard | Providing causes hazard | Too early, too late | Stopped too early, applied too soon | Sr. No. | UCA | Controller constraint |
|---|---|---|---|---|---|---|---|---|---|
| E-stop button press | Yes | Moving | H-1, H-2, H-3, H-4 | - | - | - | 1 | E-stop is not provided when an emergency is observed and the vehicle is moving | E-stop must be realized when an emergency is observed and the vehicle is moving |
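The Step 3 table above is one row of a context table: each control action is crossed with every combination of the process-model variables (Emergency: Yes/No; Vehicle: Stationary/Moving) and the four STPA UCA types, and each cell is judged hazardous (traced to hazards) or not. The following Python is an added illustration of that mechanics, not code from the slides or from Zenuity: it enumerates the 16 cells for the E-stop action, turns the hazardous ones into numbered UCAs and controller constraints, and checks that every cited hazard exists and traces to a loss. The losses, hazards, variables and the UCA-1 row are taken from the slides; the sentence templates, the `E_STOP_ASSESSMENT` dictionary and the function names are this example's assumptions. The fourth UCA type is named as in the STPA Handbook ("stopped too soon / applied too long") where the slide abbreviates it, and the hazard list for UCA-1 follows the Step 3 table (H-1 to H-4) rather than the Step 4 slide, which cites only H-1 and H-2.

```python
"""STPA Step 3 worked example: context table and UCA derivation for the E-stop
control action. Added illustration, not Zenuity's tooling. Losses, hazards,
process-model variables and the UCA-1 row come from the slides; the templates,
helper functions and the assessment dictionary are this example's own."""
from itertools import product

LOSSES = {
    "L-1": "AV collision with vulnerable road user (VRU)",
    "L-2": "AV gets damaged",
    "L-3": "Loss of reputation",
}

# Hazard -> (description, losses it traces to), per the Step 1 slide.
HAZARDS = {
    "H-1": ("AV does not maintain safe distance to VRU", ("L-1", "L-3")),
    "H-2": ("AV leaves the designated demo zone", ("L-1", "L-2", "L-3")),
    "H-3": ("AV does not maintain safe distance to another AV", ("L-2", "L-3")),
    "H-4": ("AV does not maintain safe distance to structure", ("L-2", "L-3")),
    "H-5": ("AV activates without request during autonomous maneuver", ("L-3",)),
    "H-6": ("AV activates due to incorrect request during autonomous maneuver", ("L-3",)),
    "H-7": ("AV does not respond to requests during autonomous maneuver", ("L-1", "L-2", "L-3")),
}

# Process-model variables (Step 1 slide) with the wording used in UCA sentences.
EMERGENCY = {"Yes": "an emergency is observed", "No": "no emergency is observed"}
VEHICLE = {"Moving": "the vehicle is moving", "Stationary": "the vehicle is stationary"}

# The four STPA UCA types (STPA Handbook naming for the fourth). Each maps to a
# UCA sentence template and a controller-constraint template. The templates are
# an assumption of this example, chosen to reproduce the slide's UCA-1 / C-1 text.
UCA_TYPES = {
    "not provided": ("{ca} is not provided when {ctx}",
                     "{ca} must be realized when {ctx}"),
    "provided": ("{ca} is provided when {ctx}",
                 "{ca} must not be provided when {ctx}"),
    "too early / too late": ("{ca} is provided too early or too late when {ctx}",
                             "{ca} must be provided at the right time when {ctx}"),
    "stopped too soon / applied too long": (
        "{ca} is stopped too soon or applied too long when {ctx}",
        "{ca} must be applied for the required duration when {ctx}"),
}


def context_table(control_action):
    """Every (context, UCA type) cell the analyst must assess: 2 x 2 x 4 = 16."""
    return [(control_action, emer, veh, utype)
            for emer, veh, utype in product(EMERGENCY, VEHICLE, UCA_TYPES)]


# Analyst judgement per cell: list of hazards ([] = not hazardous, the "-" on the
# slide), None = not yet assessed. Only the row shown on the Step 3 slide is filled.
E_STOP_ASSESSMENT = {
    ("E-stop", "Yes", "Moving", "not provided"): ["H-1", "H-2", "H-3", "H-4"],
    ("E-stop", "Yes", "Moving", "provided"): [],
    ("E-stop", "Yes", "Moving", "too early / too late"): [],
    ("E-stop", "Yes", "Moving", "stopped too soon / applied too long"): [],
}


def unassessed(control_action, assessment):
    """Cells the analyst still owes a judgement for (coverage check)."""
    return [cell for cell in context_table(control_action) if assessment.get(cell) is None]


def derive_ucas(control_action, assessment):
    """Turn every hazardous cell into a numbered UCA with its controller constraint."""
    ucas = []
    for cell in context_table(control_action):
        hazards = assessment.get(cell)
        if not hazards:  # None (unassessed) or [] (judged not hazardous)
            continue
        _, emer, veh, utype = cell
        ctx = f"{EMERGENCY[emer]} and {VEHICLE[veh]}"
        uca_tpl, con_tpl = UCA_TYPES[utype]
        n = len(ucas) + 1
        ucas.append({
            "id": f"UCA-{n}",
            "uca": uca_tpl.format(ca=control_action, ctx=ctx),
            "hazards": list(hazards),
            "constraint_id": f"C-{n}",
            "constraint": con_tpl.format(ca=control_action, ctx=ctx),
        })
    return ucas


def check_traceability(ucas):
    """Problems found: a hazard with no/undefined loss, or a UCA citing an undefined hazard."""
    problems = []
    for h, (_, losses) in HAZARDS.items():
        missing = [l for l in losses if l not in LOSSES]
        if missing or not losses:
            problems.append(f"{h} traces to undefined or no losses: {missing}")
    for u in ucas:
        for h in u["hazards"]:
            if h not in HAZARDS:
                problems.append(f"{u['id']} cites undefined hazard {h}")
    return problems


if __name__ == "__main__":
    ucas = derive_ucas("E-stop", E_STOP_ASSESSMENT)
    for u in ucas:
        print(u["id"], u["uca"], u["hazards"])
        print(u["constraint_id"], u["constraint"])
    print(len(unassessed("E-stop", E_STOP_ASSESSMENT)), "cells still to assess")
    print("traceability problems:", check_traceability(ucas))
```

Running it reproduces UCA-1 and C-1 exactly as worded on the slide and reports 12 cells (the No-emergency and Stationary contexts) that the slide does not show an assessment for; in a real analysis those are the cells most likely to hide a missed UCA, which is why the enumeration is done mechanically rather than by hand.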
PAGE 10
STPA Step 4: identify loss scenarios (UCA-1)
UCA-1: E-stop is not provided when an emergency is observed and the vehicle is moving [H-1, H-2]
UCA-1.S1: E-stop operator does not know it is an emergency due to missing/incomplete signals available to the E-stop operator.
PAGE 11
STPA Step 4: identify loss scenarios (C-1)
C-1: E-stop must be realized when an emergency is observed and the vehicle is moving [UCA-1]
C-1.S3: Commercial controller fails to convert E-stop brake request to brake command
PAGE 12
Key results
1. Derived non-material solutions (operational requirements)
   • Not having more than one moving AV in the demo zone at any given time
2. Identified the need for a dedicated engineer (signal monitor) to complement the ESO
   • Monitoring vehicle signals not visible to the E-stop operator
3. Identified the need for a redundant brake implementation
   • Single point failures of off-the-shelf intermediate controller
4. Recommended protected access to the AVP mobile app
5. Demo checklist with roles and expectations was created for demo training
   • For stakeholders both internal (Zenuity) and external (Veoneer)
6. Systems engineering and STPA artifacts from this analysis were instrumental in driving clarity and a common language across the organization
   • ConOps, functional control structures, control diagrams
PAGE 13
Video from CES Demo (1.5x)
PAGE 14
Next Steps
• Extending the system boundary to consider additional control loops in the AVP feature
• Integrating STPA into Zenuity's systems engineering process
• Improving human controller analysis using the STPA Engineering for Humans extension