707
自动驾驶公司Aurora于2021年8月推出了有史以来第一个适用于自动驾驶卡车和乘用车的安全案例框架(Safety Case Framework)初始版本,解决了自动驾驶卡车和乘用车的安全问题。这使Aurora成为目前业内唯一一家公开分享其安全案例框架的自动驾驶公司。本文介绍Aurora自动驾驶安全框架的行业意义、5个安全原则、以及应用。
安全案例框架的意义
Aurora使用基于安全案例的方法,评估自动驾驶车辆何时能够安全地在公共道路上行驶,并评估它们是否不会对机动车安全造成不合理的风险。
安全案例框架是安全取消安全驾驶员的最有效途径,对于任何希望在没有安全驾驶员的情况下运营并安全交付大规模商用自动驾驶车辆的公司来说,它都是必不可少的组成部分。Aurora安全案例框架评估了车辆的整个开发生命周期,够加快部署的速度,并确定何时可以接受自动驾驶车辆在公共道路上的安全性。
Aurora将安全视为一个持续的过程,而不是一个静态的待办事项清单,基于证据的方法在内部和外部都至关重要。在公司内部,安全案例框架是我们如何根据内部标准不断审查证据和评估Aurora driver的表现和发展,以确保我们有信心在有或没有车辆操作员的情况下将自动驾驶车辆上路。在外部,安全案例框架使我们能够有效地与合作伙伴、客户、监管机构和公众分享我们的方法和进展。这种透明度有助于建立信任,这在部署任何新技术时都很重要。
Aurora安全案例框架介绍
Aurora采用了基于安全案例的方法,因为这是展示和解释Aurora如何确定自动驾驶车辆在公共道路上运行的可接受安全性的最合理和最有效的方式。该框架的核心是一个结构化的论点,并有证据证明为什么我们的车辆是可接受的安全。自动驾驶车辆中的许多要素之间存在复杂的相互作用和关系。没有任何一项单一证据能够证明安全的整体性。基于安全案例的方法以合乎逻辑的方式将这证据与主张两个基本概念结合在一起,以有效地展示我们为确定车辆在公共道路上安全行驶所做的工作。
Aurora开发该框架的目的是为了帮助评估Aurora卡车运输和客运产品的整个开发生命周期,以便向合作伙伴和客户提供安全且可扩展的产品。
Aurora安全案例框架结合了政府组织的指南、安全关键行业的最佳实践、非强制性行业标准和联盟、学术研究以及组织在自身工作中所学到的知识。在自动驾驶汽车行业中,它是开发在公共道路上安全行驶的自动驾驶车辆并将这些车辆交付给合作伙伴、客户和公众的重要工具。
Aurora的安全案例框架覆盖了对评估公共道路上自动驾驶车辆的安全开发、测试和运行至关重要的不同要素。该框架的设计涵盖了与车辆操作员的测试,也包括没有操作员的测试。同时,它是为适应环境而构建的,因此可以根据不同的场景和环境对其进行定制。能够将安全案例声明改编为适用于不同的车辆平台、有操作员的车辆、试车跑道上的车辆以及公共道路上的车辆。
Aurora的安全案例框架有助于评估Aurora driver的设计和开发,并与产品开发路线图保持一致。对于每个主要的产品里程碑,我们将检查哪些声明是相关的,并开发相应的证据。声明是我们正在做出的一种论断,例如“G3.1安全性能指标被测量、分析并用于监控安全性。” Aurora正在内部积极开发的适当证据将被定制以证实每个单独的声明,可能包括测试结果、同行评审、,审计或评估。
目前只是第一个版本,随着不断学习并将测试操作扩展到新的环境和平台,Aurora的框架将不断发展。这Aurora正在分享框架的前4个级别,因为Aurora的合作伙伴、客户和公众了解为什么我们对交付Aurora driver的进展充满信心是很重要的。进一步开发将遵循一个迭代过程,随着框架的发展,Aurora将继续分享它的更新。
最高级别目标
Aurora安全案例框架围绕着“我们的自动驾驶车辆在公共道路上运行是可接受的安全性”这一最高级别的声明展开。使用整个安全案例来证实这一最高级别的声明,并将这一主张分解为五个安全原则或子原则。
G1:精通/Proficient
自动驾驶车辆在正常运行期间具备可接受的安全。
除非具备适当的熟练程度,否则自动驾驶车辆在公共道路上行驶是不安全的。熟练程度包括开发产品所需的设计、工程和测试。本安全原则包含自动驾驶车辆标称、非标称及边界案例(corner cases)情况下的自动驾驶车辆性能要求。
G2:故障安全/Fail-safe
自动驾驶车辆在出现故障和失效时具备可接受的安全。
故障安全原则解决了自动驾驶车辆在出现失效和故障时的行为。没有一个系统是百分之百完美的,部件有时会磨损或出现过早故障。Aurora driver旨在检测并安全地缓和这些故障。此安全原则包含车辆内置的所有故障检测、缓和和通知。
G3:不断改进/Continuously improving
对构成不合理安全风险的所有已识别潜在安全问题进行评估,并采取适当的纠正和预防措施予以解决。
持续改进原则概述了如何将持续改进的概念融入到系统的开发中。自动驾驶车辆配备有传感器,一组自动驾驶车辆仅从一天的运行中就捕获大量数据。我们能够利用这些数据的力量实现持续改进。该现场数据为综合数据分析工作提供数据,该工作计算安全性能指标,并考虑设计和开发期间收集的数据。这种系统收集和分析数据的方法使我们能够发现趋势、均值回归和紧急行为。Aurora还采取积极主动的方法进行持续改进,使用风险识别技术积极主动地识别风险。
G4:有弹性的/Resilient
在可合理预见的误用和不可避免的事件情况下,自动驾驶车辆具备可接受的安全。
自动驾驶车辆设计用于在公共道路上安全行驶,但这并不能将其与恶意行为者或不可避免的事件隔离开来。弹性原则展示了Aurora driver如何能够承受不良事件和故意误用和滥用。
G5:值得信赖的/Trustworthy
自动驾驶企业应是值得信赖的。
Aurora的自动驾驶汽车可能是熟练的、故障安全的、不断改进的和有弹性的,但如果没有公众和政府监管机构的信任,我们就无法完全实现我们的最高要求。值得信赖的安全原则涉及Aurora计划如何通过公众、政府和利益相关者的参与、安全透明度、安全文化以及外部审查和咨询活动获得信任。
安全原则的分解
顶级声明是根据涵盖安全操作范围的安全原则定义的,使用广度优先、深度第二的方法分解每个安全原则。
每个安全原则都被分解为中间论点、上下文和策略的层次。最低级别的声明最终由我们的员工提供的证据予以满足。这种方法可以将每个安全论点作为逻辑分解进行追踪,从广义概念到支持声明的具体有形证据。
安全原则分解示例
用于支持声明的证据有两种形式——产品证据和过程证据。产品证据包括可交付成果,如技术规范、测试计划和测试结果。过程相关证据表明,产品证据是以系统的方式生成的,具有足够的严谨性、审查性和独立性。这些证据可能包括非正式的内部审计报告,确认我们正在遵循既定流程。这两种类型的证据都需要充分处理安全案例中的声明。
框架的应用
安全案例框架是一个工具,Aurora使用它来通知数百名Aurora员工在开发Aurora driver的过程中的日常活动。
安全案例框架旨在适应不同的车辆、场景和环境。我们将使用安全案例框架创建一个特定的安全案例,注意在每个实例中定义其特定的上下文和应用。将框架视为生成各种特定安全案例的通用蓝图。例如,为特定车辆和车辆配置(卡车和乘用车平台)以及特定运行设计域(例如公路)创建安全案例。因此,将有多个单独的安全案例,涵盖各种配置、平台和操作领域,而不是涵盖我们自动驾驶车辆所有用途的单一安全案例。
还将根据我们是否在道路上测试、车辆操作员是否监控Aurora driver、是否在没有操作员的私人封闭车道上或者是在没有操作员的公共道路上,来定制安全案例。鉴于这种情况,某些原则不适用于无车辆操作员的情况。因此,虽然安全案例框架可能是通用的,但裁剪是必不可少的。
制造商用自动驾驶汽车是一项复杂的工程。Aurora的安全案例框架是一个强大的工具,可用于定义和管理这一复杂挑战。该框架还可用于以理性和逻辑的方式传达假设和意图,以帮助读者理解和消化固有的复杂性。与许多其他工具一样,结果最终取决于用户如何使用框架。
附件:《Aurora自动驾驶安全案例框架》
| 英文 | 参考中文 |
| G1:Proficient:
The self-driving vehicle is acceptably safe during nominal operation |
G1:精通:
自动驾驶车辆在正常操作期间具备可接受的安全: |
| G1.1:The self-driving enterprise uses appropriate development processes for a complex safety critical system | G1.1:自动驾驶企业对复杂的安全关键系统使用适当的开发流程 |
| G1.1.1.1.1:Systems engineering follows a defined process | G1.1.1.1.1:系统工程遵循规定的过程 |
| G1.1.1.1.2:Systems engineers are trained and continually educated on the systems engineering process | G1.1.1.1.2:系统工程师接受系统工程过程的培训和持续教育 |
| G1.1.1.1.3:Systems engineering process compliance audits are completed for all appropriate functions / sub-systems | G1.1.1.1.3:完成所有适当功能/子系统的系统工程过程合规性审核 |
| G1.1.1.1.4:The Systems engineering process is appropriate for safety critical design | G1.1.1.1.4:系统工程过程适用于安全关键设计 |
| G1.1.1.1:Systems engineering process is established, standardized across engineering, and there is evidence that the process is being used:S1.1.1:Risk is reduced through a defined process approach | G1.1.1.1:建立系统工程过程,并在整个工程中标准化,有证据表明该过程正在使用:S1.1.1:通过已定义的过程方法降低风险 |
| G1.1.1.2.1:Hardware engineering follows a defined process | G1.1.1.2.1:硬件工程遵循规定的过程 |
| G1.1.1.2.2:Hardware engineers are trained and continually educated on the hardware engineering process | G1.1.1.2.2:硬件工程师接受硬件工程过程的培训和持续教育 |
| G1.1.1.2.3:Hardware development process compliance audits are completed for all appropriate functions / sub-systems. | G1.1.1.2.3:完成所有适当功能/子系统的硬件开发过程合规性审核。 |
| G1.1.1.2.4:The Hardware development process is appropriate for safety critical design | G1.1.1.2.4:硬件开发过程适用于安全关键设计 |
| G1.1.1.2:Hardware development process is established, standardized across engineering, and there is evidence that the process is being used. | G1.1.1.2:硬件开发过程已建立,并在整个工程中标准化,并且有证据表明该过程正在使用。 |
| G1.1.1.3.1:Manufacturing follows a defined process | G1.1.1.3.1:制造遵循规定的过程 |
| G1.1.1.3.2:Manufacturing and production processes are established for externally sourced system hardware | G1.1.1.3.2:为外部采购的系统硬件建立制造和生产流程 |
| G1.1.1.3.3:Manufacturing engineers are trained and continually educated on the manufacturing process | G1.1.1.3.3:制造工程师接受制造工艺方面的培训和持续教育 |
| G1.1.1.3.4:Manufacturing process compliance audits are completed for all appropriate functions | G1.1.1.3.4:完成所有适当功能的制造过程合规性审核 |
| G1.1.1.3.5:The manufacturing process is appropriate for safety critical design | G1.1.1.3.5:制造工艺适用于安全关键设计 |
| G1.1.1.3:Manufacturing process is established, standardized, and there is evidence the process is being used | G1.1.1.3:制造工艺已建立、标准化,且有证据表明该工艺正在使用 |
| G1.1.1.4.1:Maintenance and service follows a defined process | G1.1.1.4.1:维护和保养遵循规定的流程 |
| G1.1.1.4.2:Maintenance and service personnel are trained and continually educated on the process | G1.1.1.4.2:对维护和服务人员进行工艺培训和持续教育 |
| G1.1.1.4.3:Maintenance and service process compliance audits are completed for all appropriate functions | G1.1.1.4.3:完成所有适当功能的维护和服务过程合规性审核 |
| G1.1.1.4.4:The maintenance process is appropriate for safety critical design | G1.1.1.4.4:维护过程适用于安全关键设计 |
| G1.1.1.4:Maintenance / Service processes is established, standardized, and there is evidence the process is being used. | G1.1.1.4:维护/服务流程已建立、标准化,且有证据表明该流程正在使用。 |
| G1.1.1.5.1:Software engineering follows a defined process | G1.1.1.5.1:软件工程遵循定义的过程 |
| G1.1.1.5.2:Software engineers are trained and continually educated on the software development process | G1.1.1.5.2:软件工程师接受有关软件开发过程的培训和持续教育 |
| G1.1.1.5.3:Software development process compliance audits are completed for all appropriate functions / sub-systems. | G1.1.1.5.3:完成所有适当功能/子系统的软件开发过程合规性审核。 |
| G1.1.1.5.4:The software development process is appropriate for safety critical design | G1.1.1.5.4:软件开发过程适用于安全关键设计 |
| G1.1.1.5:Software development process is established, standardized across engineering, and there is evidence that the process is being used. | G1.1.1.5:软件开发过程已建立,并在整个工程中标准化,并且有证据表明该过程正在使用。 |
| G1.1.1.6.1:Quality management follows a defined process | G1.1.1.6.1:质量管理遵循规定的过程 |
| G1.1.1.6.2:Quality management measures are effective in controlling quality | G1.1.1.6.2:质量管理措施有效控制质量 |
| G1.1.1.6.3:Quality management ensures all defined processes are followed | G1.1.1.6.3:质量管理确保遵循所有规定的过程 |
| G1.1.1.6.4:The quality management process is appropriate for safety critical design | G1.1.1.6.4:质量管理过程适用于安全关键设计 |
| G1.1.1.6:Quality management process is established, effective, standardized across engineering, and there is evidence that the process is being used | G1.1.1.6:质量管理过程已在整个工程中建立、有效、标准化,并且有证据表明该过程正在使用 |
| G1.1.1.7.1:Supply chain teams follow a defined process | G1.1.1.7.1:供应链团队遵循定义的流程 |
| G1.1.1.7.2:Supply chain staff are trained and continually educated on the process | G1.1.1.7.2:对供应链员工进行流程培训和持续教育 |
| G1.1.1.7.3:Supply chain process compliance audits are completed for all appropriate functions / sub-systems | G1.1.1.7.3:完成所有适当功能/子系统的供应链流程合规性审核 |
| G1.1.1.7.4:The supply chain process is appropriate for safety critical design | G1.1.1.7.4:供应链流程适用于安全关键设计 |
| G1.1.1.7:Supply chain processes is established, standardized, and there is evidence the process is being used. | G1.1.1.7:供应链流程已建立、标准化,且有证据表明该流程正在使用。 |
| G1.1.1.8.1:Vehicle operations teams follow a defined process | G1.1.1.8.1:车辆运行团队遵循规定的流程 |
| G1.1.1.8.2:Vehicle operations personnel are trained and continually educated on the process | G1.1.1.8.2:对车辆操作人员进行培训,并持续对其进行流程教育 |
| G1.1.1.8.3:Vehicle operations process compliance audits are completed for all appropriate functions | G1.1.1.8.3:完成所有适当功能的车辆运行过程合规性审核 |
| G1.1.1.8.4:The vehicle operations process is appropriate for safety critical design | G1.1.1.8.4:车辆运行过程适用于安全关键设计 |
| G1.1.1.8:Vehicle operations processes is established, standardized, and there is evidence the process is being used. | G1.1.1.8:车辆操作流程已建立、标准化,且有证据表明该流程正在使用。 |
| G1.1.1.9.1:System safety engineering follows a defined process | G1.1.1.9.1:系统安全工程遵循规定的过程 |
| G1.1.1.9.2:System safety engineers are trained and continually educated on the system safety development process | G1.1.1.9.2:系统安全工程师接受有关系统安全开发过程的培训和持续教育 |
| G1.1.1.9.3:System safety process compliance audits are conducted | G1.1.1.9.3:进行系统安全过程合规性审核 |
| G1.1.1.9.4:The system safety engineering process is appropriate for safety critical design | G1.1.1.9.4:系统安全工程过程适用于安全关键设计 |
| G1.1.1.9:System safety engineering process is established, standardized across engineering, and there is evidence that the process is being used. | G1.1.1.9:建立系统安全工程过程,并在整个工程中标准化,有证据表明该过程正在使用。 |
| G1.2:The self-driving vehicle is acceptably performant to operate in the defined ODD | G1.2:自动驾驶车辆在规定的ODD内运行的性能合格 |
| G1.2.1.1.1:The product requirements address all lifecycle stages of the product. | G1.2.1.1.1:产品要求涉及产品的所有生命周期阶段。 |
| G1.2.1.1.2:The product requirements define the concept of operations for the product | G1.2.1.1.2:产品要求定义了产品的操作概念 |
| G1.2.1.1.3:The product requirements define the conceptual operational design domain in which the product will operate in | G1.2.1.1.3:产品要求定义了产品将在其中运行的概念运行设计域(conceptual operational design domain) |
| G1.2.1.1:The product requirements sufficiently define the full scope and entire lifecycle of the product | G1.2.1.1:产品要求充分定义了产品的整个范围和整个生命周期 |
| G1.2.1.10:The product requirements meet or exceed the operational design domain (ODD) | G1.2.1.10:产品要求满足或超过运行设计域(ODD) |
| G1.2.1.2.1:The system requirements considers the needs of all external actors (e.g. Riders, Pedestrians, Motorists, Law Enforcement) | G1.2.1.2.1:系统要求考虑了所有外部参与者(例如骑行人、行人、驾驶员、执法人员)的需求 |
| G1.2.1.2.2:The system requirements considers the needs of all internals actors (e.g. System Maintainers, Engineers, Testers) | G1.2.1.2.2:系统要求考虑了所有内部参与者(如系统维护人员、工程师、测试人员)的需求 |
| G1.2.1.2.3:System requirements appropriately address nominal operation | G1.2.1.2.3:系统要求适当表现标称运行 |
| G1.2.1.2.4:System requirements appropriately address off-nominal operation | G1.2.1.2.4:系统要求适当表现非标称运行 |
| G1.2.1.2.5:Traceability confirms the system requirements satisfy the product and safety requirements | G1.2.1.2.5:可追溯性确认系统要求满足产品和安全要求 |
| G1.2.1.2:The system requirements sufficiently define a system that can operate in the defined ODD | G1.2.1.2:系统要求充分定义了一个系统,该系统可以在规定的ODD范围内运行 |
| G1.2.1.3.1:Functional hazard analysis sufficiently identifies system functions that are safety critical / relevant | G1.2.1.3.1:功能危害分析充分识别安全关键/相关的系统功能 |
| G1.2.1.3.10:All safety requirements have analysis justifying the metrics, thresholds, or margins used in the requirements | G1.2.1.3.10:所有安全要求都有分析,证明要求中使用的度量、阈值或裕度是合理的 |
| G1.2.1.3.11:Safety requirements are verified for gaps and omissions | G1.2.1.3.11:验证安全要求的差距和遗漏 |
| G1.2.1.3.12:Safety requirements are verified to be internally and externally consistent | G1.2.1.3.12:验证安全要求内部及外部一致 |
| G1.2.1.3.2:Verification reviews of functional hazard analysis appropriately confirm correctness of the analysis | G1.2.1.3.2:功能危害分析的验证评审适当地确认了分析的正确性 |
| G1.2.1.3.3:Hazards associated with each [Safety Function] have been thoroughly identified | G1.2.1.3.3:已彻底识别与每个[安全功能]相关的危险 |
| G1.2.1.3.4:Hazards associated with [AV operations] have been thoroughly identified | G1.2.1.3.4:已彻底识别与[AV操作]相关的危险 |
| G1.2.1.3.5:All identified fault-based hazards are ranked | G1.2.1.3.5:对所有已识别的基于故障的危险进行排序 |
| G1.2.1.3.6:All identified non-fault based hazards are ranked | G1.2.1.3.6:对所有已识别的非故障危害进行排序 |
| G1.2.1.3.7:All identified non-fault misuse based hazards are ranked | G1.2.1.3.7:所有已识别的基于非故障误用的危险都进行了排序 |
| G1.2.1.3.8:All hazard rankings are re-evaluated periodically | G1.2.1.3.8:定期重新评估所有危险等级 |
| G1.2.1.3.9:Safety requirements comprehensively mitigate identified hazards and scenario / situation / triggering event | G1.2.1.3.9:安全要求全面缓和已识别的危险和场景/情况/触发事件 |
| G1.2.1.3:The safety requirements sufficiently define the allowable behavior of the system to ensure safe operation in the defined ODD | G1.2.1.3:安全要求充分规定了系统的允许行为,以确保在规定的条件下安全运行 |
| G1.2.1.4.1:System requirements are comprehensive | G1.2.1.4.1:系统要求全面 |
| G1.2.1.4.2:System requirements are verified for gaps and omissions | G1.2.1.4.2:验证系统要求是否存在差距和遗漏 |
| G1.2.1.4.3:System requirements are verified to be internally and externally consistent | G1.2.1.4.3:验证系统要求内部和外部一致 |
| G1.2.1.4.4:Requirements errors follow a systematic process for root cause and mitigation | G1.2.1.4.4:需求错误遵循根本原因和缓和的系统过程 |
| G1.2.1.4.5:An accurate, complete, configuration-managed system architecture model is developed and maintained | G1.2.1.4.5:开发并维护准确、完整、配置管理的系统架构模型 |
| G1.2.1.4:System requirements are appropriately developed from product requirements | G1.2.1.4:根据产品要求适当制定系统要求 |
| G1.2.1.5.1:Hardware requirements are comprehensive | G1.2.1.5.1:硬件要求全面 |
| G1.2.1.5.2:Hardware requirements are verified for gaps and omissions | G1.2.1.5.2:验证硬件要求是否存在差距和遗漏 |
| G1.2.1.5.3:Hardware requirements are verified to be internally and externally consistent | G1.2.1.5.3:验证硬件要求内部和外部一致 |
| G1.2.1.5.4:Requirements errors follow a systematic process for root cause and mitigation | G1.2.1.5.4:需求错误遵循根本原因和缓和的系统过程 |
| G1.2.1.5.5:An accurate, complete, configuration-managed hardware architecture model is developed and maintained | G1.2.1.5.5:开发并维护准确、完整、配置管理的硬件体系结构模型 |
| G1.2.1.5:Hardware requirements are appropriately developed from system and safety requirements | G1.2.1.5:硬件要求根据系统和安全要求适当制定 |
| G1.2.1.6.1:Software requirements are comprehensive | G1.2.1.6.1:软件需求是全面的 |
| G1.2.1.6.2:Software requirements are verified for gaps and omissions | G1.2.1.6.2:验证软件需求是否存在差距和遗漏 |
| G1.2.1.6.3:Software requirements are verified to be internally and externally consistent | G1.2.1.6.3:验证软件需求内部和外部一致 |
| G1.2.1.6.4:Requirements errors follow a systematic process for root cause and mitigation | G1.2.1.6.4:需求错误遵循根本原因和缓和的系统过程 |
| G1.2.1.6.5:An accurate, complete, configuration-managed software architecture model is developed and maintained | G1.2.1.6.5:开发并维护准确、完整、配置管理的软件架构模型 |
| G1.2.1.6:Software requirements are appropriately developed from safety and system and safety requirements | G1.2.1.6:根据安全和系统及安全要求,适当制定软件要求 |
| G1.2.1.7.1:System safety requirements are comprehensive | G1.2.1.7.1:系统安全要求全面 |
| G1.2.1.7.2:System safety requirements are verified for gaps and omissions | G1.2.1.7.2:验证系统安全要求是否存在漏洞和遗漏 |
| G1.2.1.7.3:System safety requirements are verified to be internally and externally consistent | G1.2.1.7.3:验证系统安全要求内部和外部一致 |
| G1.2.1.7.4:Requirements errors follow a systematic process for root cause and mitigation | G1.2.1.7.4:需求错误遵循根本原因和缓和的系统过程 |
| G1.2.1.7.5:System safety requirements are allocated to components within the self-driving enterprise | G1.2.1.7.5:系统安全要求分配给自动驾驶企业内的部门 |
| G1.2.1.7:System safety requirements are sufficient | G1.2.1.7:系统安全要求足够 |
| G1.2.1.8.1:Manufacturing requirements are comprehensive | G1.2.1.8.1:制造要求是全面的 |
| G1.2.1.8.2:Manufacturing requirements are verified for gaps and omissions | G1.2.1.8.2:验证制造要求是否存在差距和遗漏 |
| G1.2.1.8.3:Manufacturing requirements are verified to be internally and externally consistent | G1.2.1.8.3:验证制造要求内部和外部一致 |
| G1.2.1.8.4:Requirements errors follow a systematic process for root cause and mitigation | G1.2.1.8.4:需求错误遵循根本原因和缓和的系统过程 |
| G1.2.1.8.5:An accurate, complete, configuration-managed manufacturing process / architecture model is developed and maintained | G1.2.1.8.5:开发并维护准确、完整、配置管理的制造过程/架构模型 |
| G1.2.1.8:Requirements for manufacturing are sufficient | G1.2.1.8:制造要求足够 |
| G1.2.1.9.1:Maintenance / service requirements are comprehensive | G1.2.1.9.1:维护/服务要求全面 |
| G1.2.1.9.2:Maintenance / service requirements are verified for gaps and omissions | G1.2.1.9.2:验证维护/服务要求是否存在缺口和遗漏 |
| G1.2.1.9.3:Maintenance / service requirements are verified to be internally and externally consistent | G1.2.1.9.3:验证维护/服务要求内部和外部一致 |
| G1.2.1.9.4:Requirements errors follow a systematic process for root cause and mitigation | G1.2.1.9.4:需求错误遵循根本原因和缓和的系统过程 |
| G1.2.1.9.5:An accurate, complete, configuration-managed maintenance / service process architecture model is developed and maintained | G1.2.1.9.5:开发并维护准确、完整、配置管理的维护/服务过程架构模型 |
| G1.2.1.9:Requirements for maintenance / service are sufficient | G1.2.1.9:维护/服务要求足够 |
| G1.2.1:The self-driving vehicle is designed to safely operate in the intended operational design domain (ODD) | G1.2.1:自动驾驶车辆设计为在预期运行设计域(ODD)内安全运行 |
| G1.2.2.1:The self-driving vehicle maintains appropriate reserve vehicle dynamic capability | G1.2.2.1:自动驾驶车辆保持适当的备用车辆动态能力 |
| G1.2.2.2:The frequency and duration of reduced vehicle dynamic reserve capability is low | G1.2.2.2:车辆动态储备能力降低的频率和持续时间较低 |
| G1.2.2:The self-driving vehicle is operated with appropriate vehicle dynamics safety margins | G1.2.2:自动驾驶车辆在适当的车辆动力学安全裕度下运行 |
| G1.2.3.1.1:Self-driving vehicle sensors provide acceptably correct, complete, and current data | G1.2.3.1.1:自动驾驶车辆传感器提供可接受的正确、完整和当前数据 |
| G1.2.3.1.2:The design of perception systems are suitably robust | G1.2.3.1.2:感知系统的设计具有适当的鲁棒性 |
| G1.2.3.1.3:The performance of the perception system is suitable for the ODD | G1.2.3.1.3:感知系统的性能适用于ODD |
| G1.2.3.1.4:The AI / machine learning approaches used provide acceptable performance for the ODD | G1.2.3.1.4:使用的AI/机器学习方法为ODD提供了可接受的性能 |
| G1.2.3.1:Perception provides acceptable functional performance in the defined ODD | G1.2.3.1:Perception在规定的ODD范围内提供可接受的功能性能 |
| G1.2.3.2.1:The design of prediction systems are suitably robust | G1.2.3.2.1:预测系统的设计具有适当的鲁棒性 |
| G1.2.3.2.2:The prediction system performance is suitable for the ODD | G1.2.3.2.2:预测系统性能适用于ODD |
| G1.2.3.2.3:The AI / machine learning approaches used provide acceptable performance for the ODD | G1.2.3.2.3:使用的AI/机器学习方法为ODD提供了可接受的性能 |
| G1.2.3.2:Prediction provides acceptable functional performance in the defined ODD | G1.2.3.2:预测在规定的ODD范围内提供可接受的功能性能 |
| G1.2.3.3.1:The design of the motion planning system is suitably robust | G1.2.3.3.1:运动规划系统的设计具有适当的鲁棒性 |
| G1.2.3.3.2:Motion planning performance is suitable for the ODD | G1.2.3.3.2:运动规划性能适用于ODD |
| G1.2.3.3.3:The AI / machine learning approaches used provide acceptable performance for the ODD | G1.2.3.3.3:所使用的AI/机器学习方法为ODD提供了可接受的性能 |
| G1.2.3.3:Motion planning provides acceptable functional performance in the defined ODD | G1.2.3.3:运动规划在规定的ODD范围内提供可接受的功能性能 |
| G1.2.3.4.1:Localization design and performance is documented | G1.2.3.4.1:记录定位设计和性能 |
| G1.2.3.4.2:Localization performance is suitable for the ODD | G1.2.3.4.2:定位性能适用于ODD |
| G1.2.3.4.3:Map performance is suitable for the ODD | G1.2.3.4.3: Map性能适用于ODD |
| G1.2.3.4:Localization provides acceptable functional performance in the defined ODD | G1.2.3.4:定位可在规定的范围内提供可接受的功能性能 |
| G1.2.3.5.1:Vehicle control design and performance is documented | G1.2.3.5.1:记录车辆控制设计和性能 |
| G1.2.3.5.2:Vehicle control performance is suitable for the ODD | G1.2.3.5.2:车辆控制性能适用于ODD车辆 |
| G1.2.3.5:Vehicle control provides acceptable functional performance in the defined ODD | G1.2.3.5:车辆控制在规定的ODD范围内提供可接受的功能性能 |
| G1.2.3.6.1:Notifications communicate a clear message or status | G1.2.3.6.1:通知传达明确的信息或状态 |
| G1.2.3.6.2:Notifications are suitably robust | G1.2.3.6.2:通知具有适当的鲁棒性 |
| G1.2.3.6.3:Notifications are suitable for the ODD | G1.2.3.6.3:通知适用于ODD |
| G1.2.3.6.4:Notifications are suitbly effective | G1.2.3.6.4:通知非常有效 |
| G1.2.3.6:System notifications provide acceptable functional performance in the defined ODD | G1.2.3.6:系统通知在定义的ODD中提供可接受的功能性能 |
| G1.2.3.7:System timings and system latency provide acceptable functional performance in the defined ODD | G1.2.3.7:系统计时和系统延迟在规定的ODD范围内提供可接受的功能性能 |
| G1.2.3:Self-driving vehicle subsystems provide acceptable functional performance in the defined ODD | G1.2.3:自动驾驶车辆子系统在规定的ODD范围内提供可接受的功能性能 |
| G1.2.4:Off-board systems provide acceptable functional performance in the defined ODD | G1.2.4:非车载系统在规定的ODD范围内提供可接受的功能性能 |
| G1.3:The self-driving vehicle is appropriately tested and released for self-driving operations | G1.3:对自动驾驶车辆进行适当测试并发布,以进行自动驾驶操作 |
| G1.3.1.1:Traceability of testing demonstrates comprehensive requirements coverage:S1.3.1:Traceability will be used to demonstrate all requirements have been tested. Peer review, test phases of unit test, subsystem test, and vehicle testing combined industry best practice on test case development are used to demonstrate appropriate rigor in the tests have been performed. Industry best practices will address functional, regression testing, and stress testing. The combination of traceability and rigor arguments meet the parent goal. This efficacy in meeting this goal is measured by the frequency of hazardous events measured during testing. The following process follows for the initial development and the ongoing update and enhancement of the self-driving enterprise. | G1.3.1.1:测试的可追溯性证明了全面的需求覆盖范围:S1.3.1:可追溯性将用于证明所有需求均已测试。同行评审、单元测试的测试阶段、子系统测试和车辆测试结合了测试用例开发的行业最佳实践,用于证明测试的适当严谨性。行业最佳实践将涉及功能测试、回归测试和压力测试。可跟踪性和严格性参数的组合满足父级目标。通过测试期间测量的危险事件频率来衡量达到该目标的有效性。以下流程用于自动驾驶企业的初始开发以及持续更新和增强。 |
| G1.3.1.2:Peer review minimizes human error in work product development | G1.3.1.2:同行评审将工作产品开发中的人为错误降至最低 |
| G1.3.1.3:All anomalies are analyzed to ensure requirements are comprehensive | G1.3.1.3:分析所有异常,以确保要求全面 |
| G1.3.1.4:The self-driving vehicle is comprehensively evaluated on a set of validated and representative tests | G1.3.1.4:通过一组验证和代表性试验对自动驾驶车辆进行综合评估 |
| G1.3.1.5:The frequency of potentially harmful events (PHE) are below a target metric(s) | G1.3.1.5:潜在有害事件(PHE:potentially harmful events)的频率低于目标指标 |
| G1.3.1.6:All identified hazards have been appropriately mitigated | G1.3.1.6:已适当缓和所有已识别的危险 |
| G1.4:The self-driving vehicle is operated in accordance with its operational concept | G1.4:自动驾驶车辆按照其运行概念运行 |
| G1.4.1.1.1:Manual control of the vehicle steering can be achieved | G1.4.1.1.1:可实现车辆转向的手动控制 |
| G1.4.1.1.2:Manual control of the vehicle braking can be achieved | G1.4.1.1.2:可实现车辆制动的手动控制 |
| G1.4.1.1.3:Manual control of the vehicle accelerator pedal can be achieved | G1.4.1.1.3:可手动控制车辆油门踏板 |
| G1.4.1.1.4:The vehicle operator can request a safe stop with high assurance | G1.4.1.1.4:车辆操作员可以要求高保证的安全停车 |
| G1.4.1.1:The vehicle operator can take control of the self-driving vehicle (SDV) at any time | G1.4.1.1:车辆操作员可随时控制自动驾驶车辆(SDV) |
| G1.4.1.10.1:Fault injection testing demonstrates vehicle operator's control capability during a fault | G1.4.1.10.1:故障注入测试证明车辆操作员在故障期间的控制能力 |
| G1.4.1.10.2:The vehicle operator is appropriately continually evaluated for required level of performance | G1.4.1.10.2:针对所需的性能水平,对车辆操作员进行适当的持续评估 |
| G1.4.1.10:The vehicle operator demonstrates ability to plan and execute correct driving responses | G1.4.1.10:车辆操作员展示了计划和执行正确驾驶响应的能力 |
| G1.4.1.2:The vehicle operator hiring process accepts suitable candidates | G1.4.1.2:车辆操作员招聘流程接受合适的候选人 |
| G1.4.1.3:Only vehicle operators with appropriate driving licenses are allowed to operate the vehicle | G1.4.1.3:只有持有适当驾驶执照的车辆操作员才允许操作车辆 |
| G1.4.1.4.1:The vehicle operator is properly authenticated and identifiable to both the self-driving vehicle (SDV) and the business/security infrastructure. | G1.4.1.4.1:车辆操作员已通过自动驾驶车辆(SDV)和业务/安全基础设施的适当认证和识别。 |
| G1.4.1.4.2:Access to vehicles and vehicle keys are restricted to qualified vehicle operators | G1.4.1.4.2:只有合格的车辆操作员才能使用车辆和车钥匙 |
| G1.4.1.4:Only vehicle operators are able to operate self-driving vehicles | G1.4.1.4:只有车辆操作员才能操作自动驾驶车辆 |
| G1.4.1.5:The vehicle operator has an appropriate set of responsibilities when operating a self-driving vehicle (SDV) | G1.4.1.5:当操作自动驾驶车辆(SDV)时,车辆操作员承担一套适当的责任 |
| G1.4.1.6:The vehicle operator is appropriately trained for manual driving | G1.4.1.6:车辆操作员经过适当的手动驾驶培训 |
| G1.4.1.7:The vehicle operator is appropriately trained in support of safe self-driving vehicle (SDV) monitoring / operation | G1.4.1.7:车辆操作员经过适当培训,以支持安全自动驾驶车辆(SDV)监控/操作 |
| G1.4.1.8:The vehicle operator is effectively informed of expected system behavior, including self-driving vehicle (SDV) capabilities and limitations | G1.4.1.8:有效地通知车辆操作员预期的系统行为,包括自动驾驶车辆(SDV)能力和限制 |
| G1.4.1.9.1:A driver monitoring system alerts the vehicle operator to inattention | G1.4.1.9.1:驾驶员监控系统提醒车辆操作员注意 |
| G1.4.1.9.2:The self-driving vehicle is designed to prevent undue vehicle operator distraction | G1.4.1.9.2:自动驾驶车辆旨在防止车辆操作员过度分心 |
| G1.4.1.9.3:The vehicle operator is capable of identifying and mitigating operational design domain (ODD) and operational domain (OD) mismatch | G1.4.1.9.3:车辆操作员能够识别和缓和运行设计域(ODD)和运行域(OD)不匹配 |
| G1.4.1.9:The vehicle operator is alert and attentive to the road environment | G1.4.1.9:车辆操作员对道路环境保持警惕和关注 |
| G1.4.1:During testing and development, vehicle operators enforces the operational concept and reduces safety risk to acceptable level | G1.4.1:在测试和开发过程中,车辆操作员执行操作概念,并将安全风险降低到可接受的水平 |
| G1.4.2.1:Departures from the operational design domain are detected | G1.4.2.1:检测到偏离运行设计域ODD |
| G1.4.2.2:Departures from the operational design domain are safely mitigated | G1.4.2.2:安全缓和对运行设计域的偏离 |
| G1.4.2:The self-driving vehicle is operated within a defined operational domain (OD) within the system's operational design domain | G1.4.2:自动驾驶车辆在系统运行设计范围内的规定运行域(OD)内运行 |
| G1.4.3:A set of operational safety policies and procedures support safe operations | G1.4.3:一套操作安全政策和程序支持安全操作 |
| G1.4.3.1:Set of operational safety policies and procedures support safe test track operations | G1.4.3.1:一套运行安全政策和程序支持安全测试车道运行 |
| G1.4.3.2:Operational safety policies are reviewed and version controlled | G1.4.3.2:审查运行安全政策并控制版本 |
| G1.4.3.3:Set of operational safety policies and procedures support safe on-road operations | G1.4.3.3:一套操作安全政策和程序支持安全的道路操作 |
| G1.5:The self-driving vehicle addresses all applicable legal requirements and guidance through compliance or justification of non-compliance | G1.5:自动驾驶车辆通过合规性或不合规理由满足所有适用的法律要求和指导 |
| G1.5.1.1:The self-driving vehicle is designed to comply with all appropriate local, state, federal regulation | G1.5.1.1:自动驾驶车辆的设计符合所有适当的地方、州、联邦法规 |
| G1.5.1.2:The self-driving vehicle is evaluated for compliance with all appropriate local, state, federal regulation | G1.5.1.2:评估自动驾驶车辆是否符合所有适当的地方、州、联邦法规 |
| G1.5.1.3:All federal, state, and local regulations without compliance have appropriate justification, documentation and approval | G1.5.1.3:所有未遵守的联邦、州和地方法规都有适当的理由、文件和批准 |
| G1.5.1:The self-driving vehicle complies or justifies non-compliance with applicable local, state, federal regulation | G1.5.1:自动驾驶车辆符合或证明不符合适用的地方、州、联邦法规 |
| G1.5.3:Non-regulatory guidance is reviewed and implemented where appropriate | G1.5.3:在适当的情况下,审查并实施非监管指南 |
| G2:Fail-Safe
The self-driving vehicle is acceptably safe in presence of faults and failures |
G2:故障安全
自动驾驶车辆在出现故障和故障时是可接受的安全 |
| G2.1.1:The rate of failure of the system is reasonably low:S2.1:We mitigate hazards by identifying faults and failure modes and ensuring the system is able to detect them and take action to minimize safety risk when they occur and by engineering and design activities to ensure the overall failure rate of the system is acceptably low. | G2.1.1:系统的故障率相当低:S2.1:我们通过识别故障和故障模式,确保系统能够检测到故障和故障模式,并在发生时采取措施将安全风险降至最低,以及通过工程和设计活动,以确保系统的整体故障率低到可接受的程度,从而减轻危害。 |
| G2.1.1.1:The frequency of unplanned / unexpected minimum risk maneuvers (MRM) is sufficiently low | G2.1.1.1:计划外/意外最小风险机动(MRM)的频率足够低 |
| G2.1.1.2:The self-driving vehicle systems are designed to robustly operate in their intended ODD | G2.1.1.2:自动驾驶车辆系统设计为在其预期的ODD模式下稳健运行 |
| G2.1.1.3:The self-driving vehicle is tested against industry standards and best practices for reliability | G2.1.1.3:根据行业标准和最佳实践对自动驾驶车辆进行可靠性测试 |
| G2.1.1.4:Identified Faults and Failure Modes are systematically tracked | G2.1.1.4:系统跟踪已识别的故障和故障模式 |
| G2.1.2:The effectiveness of fault mitigation is acceptably high | G2.1.2:故障缓和的有效性相当高 |
| G2.1.2.1.1:Diagnostic coverage is acceptably high | G2.1.2.1.1:诊断覆盖率较高 |
| G2.1.2.1.2:The fault management system provides dependable fault detection | G2.1.2.1.2:故障管理系统提供可靠的故障检测 |
| G2.1.2.1:The rate of successful fault detection and response activation is acceptably high | G2.1.2.1:故障检测和响应激活的成功率相当高 |
| G2.1.2.2.1:The system transitions to the specified fault response state (e.g. degraded mode) within the applicable time interval | G2.1.2.2.1:系统在适用的时间间隔内过渡到规定的故障响应状态(例如降级模式) |
| G2.1.2.2.2:Minimum risk maneuvers are reliably executed when triggered | G2.1.2.2.2:触发时可靠执行最小风险机动 |
| G2.1.2.2.3:The minimal risk maneuver(s) used to respond to the fault are reasonably low in risk | G2.1.2.2.3:用于响应故障的最低风险策略的风险相当低 |
| G2.1.2.2.4:The system does not have an unreasonable level of safety risk when executing an MRM with a system fault present. | G2.1.2.2.4:在存在系统故障的情况下执行MRM时,系统没有不合理的安全风险水平。 |
| G2.1.2.2:The selected fault response is effective in reducing safety risk to acceptable levels | G2.1.2.2:所选故障响应有效地将安全风险降低到可接受的水平 |
| G3:Continuously Improving
All identified potential safety issues posing an unreasonable risk to safety are evaluated, and resolved with appropriate corrective and preventative actions |
G3:持续改进
评估对安全构成不合理风险的所有已识别潜在安全问题,并采取适当的纠正和预防措施予以解决 |
| G3.1:Safety performance indicators are measured, analyzed, and used to monitor safety | G3.1:安全性能指标被测量、分析并用于监控安全 |
| G3.1.1:Safety performance indicators are defined for all safety related functional areas of the self-driving enterprise | G3.1.1:为自动驾驶企业的所有安全相关功能领域定义了安全性能指标 |
| G3.1.2:Safety performance indicators are defined for safety-related performance of the autonomy system | G3.1.2:安全性能指标是为自治系统的安全相关性能定义的 |
| G3.1.3:Safety performance indicators are defined for the self-driving enterprise and off-board functions | G3.1.3:为自动驾驶企业和非车载功能定义了安全性能指标 |
| G3.1.4:Safety performance indicators are defined for self-driving enterprise safety culture | G3.1.4:为自动驾驶企业安全文化定义了安全性能指标 |
| G3.1.5:Safety performance indicators are measured appropriately | G3.1.5:适当测量安全性能指标 |
| G3.1.6:Safety performance indicators are appropriately analyzed | G3.1.6:适当分析安全性能指标 |
| G3.1.7:Safety performance indicators are effective | G3.1.7:安全性能指标有效 |
| G3.2.1:The company employs a safety risk management process and evidence the process is being used:S3.2:Strategy 1: Utilize proactive safety risk identification and resolution processes in place throughout testing, development and production in order to minimize anomalies. | G3.2.1:公司采用了安全风险管理流程,并证明该流程正在使用:S3.2:策略1:在整个测试、开发和生产过程中,利用积极主动的安全风险识别和解决流程,以尽量减少异常情况。 |
| G3.2.1.1:An internal safety concern reporting system and resolution process exists supporting anomaly identification | G3.2.1.1:存在支持异常识别的内部安全问题报告系统和解决流程 |
| G3.2.1.2:All functional areas of the self-driving enterprise identify safety risk | G3.2.1.2:自动驾驶企业的所有功能区域都识别安全风险 |
| G3.2.1.3:Thresholds for safety risk level decision making and criteria are defined | G3.2.1.3:定义了安全风险等级决策的阈值和标准 |
| G3.2.1.4.1:The safety risk register is updated for all mitigation actions | G3.2.1.4.1:更新所有缓和措施的安全风险登记 |
| G3.2.1.4.2:The company performs safety risk monitoring | G3.2.1.4.2:公司进行安全风险监控 |
| G3.2.1.4.3:The company performs an internal evaluation program for compliance to safety risk management process | G3.2.1.4.3:公司执行内部评估计划,以符合安全风险管理流程 |
| G3.2.1.4:All identified safety risks are sufficiently mitigated | G3.2.1.4:所有已识别的安全风险均得到充分缓和 |
| G3.2.1.5.1:The company has defined safety risk owners and an accountable executive | G3.2.1.5.1:公司已确定安全风险负责人和负责人 |
| G3.2.1.5.2:The company safety risk owners are empowered to affect change | G3.2.1.5.2:公司安全风险负责人有权影响变更 |
| G3.2.1.5.3:The company cross-functionally reviews safety risks | G3.2.1.5.3:公司跨职能部门审查安全风险 |
| G3.2.1.5.4:The safety risk stakeholder review outputs are communicated to affected stakeholders | G3.2.1.5.4:将安全风险利益相关者审查结果传达给受影响的利益相关者 |
| G3.2.1.5:The company has a defined safety risk management process | G3.2.1.5:公司有明确的安全风险管理流程 |
| G3.2.1.6:The company measures efficacy of the safety risk management processes | G3.2.1.6:公司测量安全风险管理过程的有效性 |
| G3.2.2:Metrics proactively identify trends for continuous improvement | G3.2.2:指标主动识别持续改进的趋势 |
| G3.3.1:Appropriate resolution processes identify and appropriately resolve all observed / reported anomalies:S3.3:Strategy 2: Utilize reactive anomaly identification and resolution processes in place throughout testing, development, service, operations, and production in order to decrease recurrence of anomalies | G3.3.1:适当的解决过程识别并适当解决所有观察到的/报告的异常:S3.3:策略2:在整个测试、开发、服务、运营和生产过程中利用反应性异常识别和解决过程,以减少异常的再次发生 |
| G3.3.2:Anomaly health status is appropriately reviewed by relevant internal stakeholders | G3.3.2:异常健康状态由相关内部利益相关者进行适当审查 |
| G4:Resilient
The self-driving vehicle is acceptably safe in case of reasonably foreseeable misuse and unavoidable events |
G4:弹性
在可合理预见的误用和不可避免的事件情况下,自动驾驶车辆具备可接受的安全 |
| G4.1:Potential harm incurred during and after a vehicle collision is mitigated | G4.1:减轻车辆碰撞期间和之后产生的潜在伤害 |
| G4.1.1:Vehicle platform safety features reduce potential harm | G4.1.1:车辆平台安全功能可减少潜在危害 |
| G4.1.2:The Aurora Driver functions appropriately during and after a vehicle collision. | G4.1.2:Aurora驾驶员在车辆碰撞期间和之后能够正常工作。 |
| G4.1.3.1:Incident Response procedures are documented | G4.1.3.1:记录事件响应程序 |
| G4.1.3.2:Personnel operating the vehicles are trained on incident response. | G4.1.3.2:对操作车辆的人员进行事故响应培训。 |
| G4.1.3:Personnel operating SDE vehicles can appropriately respond to self-driving vehicle (SDV) emergency situations | G4.1.3:操作SDE车辆的人员可适当响应自动驾驶车辆(SDV)紧急情况 |
| G4.1.4:The self-driving vehicle detects when a vehicle collision occurred | G4.1.4:自动驾驶车辆在发生车辆碰撞时进行检测 |
| G4.1.5:Public safety officials have information to be able to appropriately respond to self-driving vehicle emergency situations | G4.1.5:公共安全官员掌握信息,能够适当应对自动驾驶车辆紧急情况 |
| G4.1.6:Riders can appropriately respond to self-driving vehicle emergency situations | G4.1.6:乘客可以适当地应对自动驾驶车辆的紧急情况 |
| G4.2:Potential harm from reasonably foreseeable misuse is mitigated | G4.2:减轻合理可预见的误用的潜在危害 |
| G4.2.1.1:Reasonably foreseeable misuse mitigations are verified | G4.2.1.1:验证合理可预见的误用缓和措施 |
| G4.2.1.2:Reasonably foreseeable misuse mitigations are validated | G4.2.1.2:验证合理可预见的误用缓和措施 |
| G4.2.1:Reasonably foreseeable misuse mitigations are designed and implemented | G4.2.1:设计并实施合理可预见的误用缓和措施 |
| G4.2.2.1:Mitigations for insider threat are verified | G4.2.2.1:验证内部威胁的缓和措施 |
| G4.2.2.2:Mitigations for insider threat are validated | G4.2.2.2:验证内部威胁的缓和措施 |
| G4.2.2:Insider threat mitigations are designed and implemented | G4.2.2:设计并实施内部威胁缓和措施 |
| G4.3:Potential harm from cyber intrusion is appropriately mitigated | G4.3:适当减轻网络入侵的潜在危害 |
| G4.3.1.1:An inventory of all assets is created and maintained | G4.3.1.1:创建并维护所有资产的清单 |
| G4.3.1.2:A threat analysis is conducted on all assets | G4.3.1.2:对所有资产进行威胁分析 |
| G4.3.1:Operational safety risk assessments identify threats and their feasibility | G4.3.1:运行安全风险评估确定威胁及其可行性 |
| G4.3.2.1:Passive event monitoring within components of the self-driving enterprise identify anomalous behavior | G4.3.2.1:自动驾驶企业部门内的被动事件监控以识别异常行为 |
| G4.3.2.2:Active event monitoring of self-driving enterprise behavior identify anomalous behavior | G4.3.2.2:自动驾驶企业行为的活动事件监控以识别异常行为 |
| G4.3.2:The self-driving enterprise detects when a cyber intrusion has occurred | G4.3.2:自动驾驶企业在发生网络入侵时进行检测 |
| G4.3.3:Defensive measures are implemented to reduce the likelihood of a cyber intrusion | G4.3.3:采取防御措施以降低网络入侵的可能性 |
| G4.3.4:Reactive measures are implemented during a cyber intrusion to limit harm | G4.3.4:在网络入侵期间实施应对措施,以限制损害 |
| G4.3.5:Permanent corrective actions and lessons learned are put in place after a cyber intrusion to avoid recurrence | G4.3.5:在网络入侵后采取永久性纠正措施并吸取教训,以避免再次发生 |
| G5:Trustworthy
The self-driving enterprise is trustworthy |
G5:值得信赖
自动驾驶企业是值得信赖的 |
| G5.1.1.1.1:Safety culture and personnel are appropriate for safety-critical systems:S5.1.1.1:Argument is based on addressing competence alongside safety culture, remaining current with the state of the industry | G5.1.1.1.1:安全文化和人员适用于安全关键系统:S5.1.1.1:论点基于体现安全文化的能力,并与行业最新现状保持一致 |
| G5.1.1.1.2:Persons developing the self-driving enterprise have the required competencies corresponding to their responsibilities | G5.1.1.1.2:开发自动驾驶企业的人员具有与其职责相对应的所需能力 |
| G5.1.1.1.3:Prevailing industry best practices and standards are reviewed and adherence documented, on a continual basis | G5.1.1.1.3:持续审查当前行业最佳实践和标准,并记录遵守情况 |
| G5.1.1.1.4:Persons developing the self-driving enterprise are engaged in broader applicable industry proceedings | G5.1.1.1.4:开发自动驾驶企业的人员参与更广泛适用的行业程序 |
| G5.1.1:The organizational environment is appropriate for safety-critical systems:S5.1:If the organizational environment is appropriate for system safety, stakeholders are engaged participatively, external communication about the self-driving enterprise is appropriate and verifiable then the claims made in G1-G4 are more likely to be accurate. | G5.1.1:组织环境适用于安全关键系统:S5.1:如果组织环境适用于系统安全,利益相关者参与,关于自动驾驶企业的外部沟通是适当且可验证的,则G1-G4中的声明更可能准确。 |
| G5.1.2.1:Stakeholders are identified with defined interaction relationships | G5.1.2.1:通过定义的交互关系确定利益相关者 |
| G5.1.2.2:Stakeholders are consulted at appropriate stages of testing and development of the self-driving enterprise | G5.1.2.2:在自动驾驶企业的测试和开发的适当阶段咨询利益相关者 |
| G5.1.2.3:Stakeholders are partnered with at appropriate stages of testing and development of the self-driving enterprise | G5.1.2.3:在自动驾驶企业的测试和开发的适当阶段,与利益相关者合作 |
| G5.1.2.4:Stakeholders are informed at appropriate stages of testing and development of the self-driving enterprise | G5.1.2.4:在自动驾驶企业的测试和开发的适当阶段通知利益相关者 |
| G5.1.2:Stakeholders are engaged regularly throughout the lifecycle of the self-driving enterprise | G5.1.2:利益相关者在自动驾驶企业的整个生命周期内定期参与 |
| G5.1.3:Appropriate, verifiable evidence of safety and performance is provided outside the self-driving enterprise | G5.1.3:在自动驾驶企业外部提供适当、可验证的安全和性能证据 |
| G5.1.3.1:Multimodal communication methods are used | G5.1.3.1:使用多模式通信方法 |
| G5.1.3.2:A Safety Case framework for the self-driving enterprise is publicly available | G5.1.3.2:自动驾驶企业的安全案例框架可公开获取 |
| G5.1.3.3:Credible periodic reports and updates are published or released at key points of transition, testing, and development of the self-driving enterprise | G5.1.3.3:在自动驾驶企业的过渡、测试和开发关键点发布或提供可信的定期报告和更新 |
| G5.1.3.4:Verifiable evidence that the self-driving enterprise is capable of appropriately complying with applicable rules, regulations, and guidance is maintained | G5.1.3.4:保留自动驾驶企业能够适当遵守适用规则、法规和指南的可验证证据 |
| G5.1.4:The Self-Driving Enterprise is independently reviewed and audited | G5.1.4:对自动驾驶企业进行独立审查和审计 |
| G5.1.4.1:A safety advisory board of third-party experts is established | G5.1.4.1:成立第三方专家安全咨询委员会 |
| G5.1.4.2:The self-driving enterprise is appropriately reviewed and audited both internally and externally | G5.1.4.2:对自动驾驶企业进行适当的内部和外部审查和审计 |
阅读全文
下载ECAD模型
-1.jpg?x-oss-process=image/resize,m_fill,w_128,h_96)
-2.jpg?x-oss-process=image/resize,m_fill,w_128,h_96)
.jpg?x-oss-process=image/resize,m_fill,w_128,h_96)
.jpg?x-oss-process=image/resize,m_fill,w_128,h_96)
-%E5%89%AF%E6%9C%AC.jpg?x-oss-process=image/resize,m_fill,w_128,h_96)
