Second Conference Day | Wednesday, 1 April 2020

8:00 am - 8:25 am Registration and welcome coffee

8:30 am - 8:40 am Opening remarks from the Chairman

8:40 am - 9:10 am Panel Discussion between ISO26262:2018 and ISO21448:2019 experts

While ISO 26262 in now in its second edition, SOTIF just reached the CD status in October. Having originated from ISO 26262, SOTIF is supposed to complement this standard and the key question for those within the safety community is how to deal with performance requirements for both standards at once. Key areas to be discussed:
> How to integrate both standards to optimize safety
> How to adapt existing development processes to SOTIF

9:10 am - 9:40 am SOTIF background

Originally started as part 14 of ISO 262626, SOTIF became a standard on its own in 2018. ISO 21448:2019 safety of the intended functionality (SOTIF) is meant to complete ISO 26262’s view on E/E system malfunctioning by a look into hazards due to the environment or unintentional misuse.
• Background: how ISO 21448 was born
• Difference between the two standards and why they are important
• Why both standards are needed parallel to each other

9:40 am - 10:10 am A Systems Approach to Autonomous Vehicle Safety using STPA

• New systems-based safety techniques like System Theoretic Process Analysis (STPA) are being used for today‘s increasingly complex and automated safety-critical systems
• As a top-down analysis, STPA emphasizes the system‘s dynamic behavior including automation interactions and human behavior
• This talk will demonstrate STPA applied to autonomous vehicles to identify potential design flaws, missing requirements, human interactions, and unsafe software behaviors

10:10 am - 10:35 am Smart Testing of an Autonomous System

Michael Schlenkrich - Senior Director Product Management, MSC Software GmbH
Simulating environments and subsystems for the development and validation of ADAS and AD systems is a challenging task which scales exponentially with the realism and fidelity of the individual simulated components. This presentation will highlight the means to start on a massive scale with a scanning of the event space by minimizing the risks and maximizing the autonomous vehicle development efficiency. It will point out how to narrow in on "interesting" edge cases that justify the use of highly realistic and detailed models that consume considerable time and computational resources. In the virtual world, the edge case detection is done by analyzing the millions of scenarios with thousands of parallel processes for billions of miles, faster than real-time simulation enabling the increased speed to deployable systems.

Michael Schlenkrich

Senior Director Product Management
MSC Software GmbH

10:35 am - 11:10 am Coffee break and networking

11:10 am - 11:40 am Continuous automotive software development process tailoring to standards evolution for safety critical system from ISO 26262 to ISO 21448 (SOTIF – Autonomous driving) without forgetting their efficiency

To fulfil the safety requirements for the Commercial Vehicle, the Embedded Software development process for the Engine Control Unit must be robustness, efficient, automatic and safety compliance. Considering that the ISO 26262 addresses only unreasonable risks due to the E/E system failures, a new topic called “Safety of Intended functionality” (SOTIF), referred as ISO PAS 21448, is becoming a hot topic in the automotive industry to address the other unreasonable risks in the absence of the malfunctions of the E/E system in vehicles. Therefore, we are thinking new enhancement actions of our Software development process, mainly to have an iterative safety SW verification phase, looking the system (environment + product) and considering sensor limitations, decision algorithms, misuses.

11:40 am - 12:10 pm Towards safety assurance for automated driving – a GSN-based approach

Advancing to automated driving (AD) of SAE L3 and beyond poses much higher requirements for the development and validation of safe automated driving systems. Based on the 3-circles model of validation, we propose to build an assurance argument in goal structuring notation (GSN).
• Validation problem for open context systems
• Data-driven validation methods
• Simulation-based methods

12:10 pm - 12:40 pm The impact of SOTIF on L3 AD ODD and FAW‘s roadmap in it

Now automatic driving may not be as mature as the publicity. When we finish the SOTIF analysis, we may find that many unacceptable risks cannot be solved. At this time, what should we do? Maybe we have to change the odd. So when we develop SOTIF, we add the impact of sotif on the odd.
• The method we used to analyze SOTIF
• The method we used to test SOTIF
• What ODD changes we may make

12:40 pm - 1:10 pm A case study of reasonably foreseeable misuses analysis

This presentation focus on a case study analysis of reasonably foreseeable misuses and will address:
• The difference between direct and indirect misuses
• How to analyze both types
• Use a case study to explain how to run the analysis and propose a counter measure to reduce the risk related to misuse

1:10 pm - 2:40 pm Luncheon and networking

2:40 pm - 3:10 pm Safety First for Automated Driving: Development and Design Considerations for Safe DNN

Machine learning algorithms, especially Deep Neural Networks (DNNs), are becoming more widespread in the automotive industry particularly in computer vision applications such as perception due to their powerful performance. However, the question how to ensure safety of DNNs is still an open question. This presentation aims to:
• Analyze the development steps of DNNs i.e. Define, Specify, Develop and Evaluate, and Deploy and Monitor, from safety perspective.
• Discuss which safety measures need to be performed and which safety artifacts need to be generated in each development step.
• Discuss about strategies as redundancy and ensemble concepts at architectural level in order to meet the safety requirements of the overall system.

3:10 pm - 3:40 pm SOTIF & the semiconductor industry

The more complexity we add to automotive systems, the more important it becomes to have a strong communication, as well as corporation all along the value chain – including the semiconductor companies. IP design can in fact lead to triggering conditions, which is why the semiconductor companies need to be included into the SOTIF discussion. Furthermore, simulation ahead of silicon availability will be critical to keep the cost of the AV technology to a reasonable level. This presentation will cover:
• How SOTIF impacts the semiconductor industry
• Overcoming performance weakness of IP design

3:40 pm - 4:10 pm Can there be a SEooC for SOTIF?

- Necessary interaction along supply chain to collaboratively achieve SOTIF
- Value by hardware, virtual prototypes, tooling ecosystem, …
- Impact of SOTIF on use case and performance assumptions
- Opportunities arising from SOTIF: Field observation, data recording, misuse identification, driver monitoring, HMI

4:10 pm - 4:40 pm Refreshment break

4:40 pm - 5:10 pm Control loop modelling - STPA for SOTIF

ISO/PAS 21448 applies to functionality that requires proper situational awareness in order to be safe. The standard is concerned with guaranteeing safety of the intended functionality — SOTIF — in the absence of a fault. For highly autonomous driving SAE L3 functions, the derived control loop under analysis is not as straight forward as in L1 or L2 systems where driver is majorly responsible for the vehicle control. This control loop involves more than 3 loops depending on the features that are intended for implementation (documented in operational concept). This presentation involves the possibility of modelling such loops for ADS systems and challenges/problems associated with unsafe control action analysis, modelling control structure with process model or analyzing causal factors.
• Conventional control loop
• Modelling of control loops for SAE Level L3 Autonomous driving
• Understanding challenges in deriving constraints with an example

5:10 pm - 6:00 pm Mix & Discuss | Session together with ISO 26262

A1 | Adapting the SAFe (Scaled Agile Framework) to Support Compliance to ISO 26262 Jo
A2 | Challenges in Validating Autonomous Systems
A3 | Safety Challenges in a Multi-Sensor Fusion System
A4 | Developing A Robust Safety-Culture
B1 | How safe is safe enough? Challenge in defining what is “sufficiently safe”
B2 | The impact of legislation on SOTIF and the impact of SOTIF on legislation
B3 | The interplay of safety and security
B4 | Collaboration along the value chain – discussing an industry-wide scenario data base and a cross-industry collaboration on safety analysis (e.g. HARA)

6:00 pm - 6:10 pm Closing remarks by conference both chairmen