3. Problem Outline

3.8. Problem Analysis of the Development Methodology

3.8.1. Modeling the System Environment

The system environments have to be explicitly considered in the systems development of the lane change assistant because the environments have a significant impact on the system behavior. The environments of earlier E/E systems, e.g., ESC, could be completely specified and modeled because these systems did not autonomously operate in the real world (cf. [Ben+14]). ESC could be developed under the closed-world assumption because the system solely interacts with components within its functional domain inside vehicles (cf. Definition 2.4). Values and semantics of signals and message data from other internal components are available at design time. The closed-world assumption is not applicable for the lane change assistant because the assistant has to operate in the real world autonomously. The real world continuously changes, and the lane change assistant does not control these changes — they occur autonomously and unpredictably (cf. [FGT11]). The environment of the lane change assistant — the real world — is considered in its development as environment models. This applies especially to the requirements analysis, safety analysis, and verification of the lane change assistant in simulations (cf. Sections 3.2, 3.4 and 3.6). Engineers and stakeholders implicitly assume a model of the real world for the definition of requirements in the requirements analysis and the identification of risks in safety analysis (cf. Sections 3.2 and 3.4). In the verification (cf. Section 3.6), models of traffic situations and included objects are explicitly defined. All models are inherently artificial and are abstractions of the real world. However, environment models still have to sufficiently represent the real environment of the lane change assistant for feasible results in requirements analysis, safety analysis and verification (cf. Sections 3.2, 3.4 and 3.6). Environment models must not impose more restrictions than are present in the real world.
All real-world objects which have an impact on the behavior of the lane change assistant have to be modeled in sufficient detail. The modeling of these objects includes positions, movements, and characteristics of real-world objects, e.g., cars, pedestrians, roads, or signs. Otherwise, all development results will not be applicable for the later operation of the lane change assistant. Insufficient modeling of the environment in requirements analysis and safety analysis will impact all further development activities (cf. Section 3.1.2). Insufficient results from simulations of the verification cannot be assumed as safety evidence for operation in the real world.

Figure 3.20.: Representations of a Volkswagen Golf MK4. (a) A model of a Volkswagen Golf MK4. (b) A real Volkswagen Golf MK4.

The number and variations of objects which have an impact on the behavior of the lane change assistant are vast — if not infinite. This enormous complexity of the real world makes it difficult to fully specify and model the environment of the lane change assistant and poses a significant threat to the safety of the lane change assistant. The lane change assistant has to be developed under the open-world assumption (cf. [BNG06]). The open-world assumption assumes that possible interactions of the system with its environment in the vast environmental situations cannot be fully considered at design time (cf. Definition 2.4). Any logic for the open-world problem includes some assumptions about the real world which reduce its complexity (cf. [JBS13; NM08; Str16]). Traffic situations will remain in which the behavior of the lane change assistant has been neither specified nor verified. This underspecification introduces uncertainty about the lane change assistant and its operation in the real world which has to be considered throughout the whole development process (cf. Section 3.1.2).

Real-world objects are represented in environment models by corresponding object models. Each object model reduces the corresponding real object to a set of defined characteristics. No object model will ever wholly represent all physical characteristics and their small deviations of corresponding real-world objects in all situations. Nevertheless, the object models have to sufficiently represent all characteristics of real-world objects which have an impact on the functionality of the lane change assistant.

For example, vehicles of the type Golf MK4 (cf. Fig. 3.20b)⁶ may slightly deviate from each other in their appearances due to scratches and paint quality. The insufficient consideration of reflection properties for vehicles by sensor models in simulations might result in behavior by the lane change assistant in simulations which diverges from the behavior of the lane change assistant in the real world (cf. Fig. 3.20).

⁶ Taken from: https://upload.wikimedia.org/wikipedia/commons/f/f7/VW_Golf_IV_front_20071205.jpg (accessed: 28.6.2017)

Figure 3.21.: Safety critical but irrational traffic scenarios. (a) Scenario 1: Wrong-way driver on the left lane. (b) Scenario 2: Motor boat on the road.

The traffic situations which the lane change assistant may encounter during operation in the real world are vast — if not infinite — and challenging — if not impossible — for engineers and stakeholders to envisage in the requirements and safety analysis (cf. Sections 3.2 and 3.4) as well as to be verified and validated in the simulations and field operational tests (cf. Section 3.6). Even if we assume that the system specification has fully captured all possible situations at one point in time, the evolution of the real world will lead to new entities, objects, and situations which have not yet been considered at some point in the future (cf. [FGT11]).

For the lane change assistant, traffic scenarios can be constructed which are less likely to be anticipated in the requirements and safety analysis (cf. Sections 3.2 and 3.4) but which are still critical for the overall safety of the lane change assistant. Both scenarios of Fig. 3.21 describe unusual situations which the lane change assistant might encounter in the real world but which are less likely to be anticipated in its environment modeling. In the first scenario (cf. Fig. 3.21a), a wrong-way driver is driving towards the automated vehicle on the left lane. A lane change to the left lane would result in a collision of both vehicles. In the second scenario (cf. Fig. 3.21b), a boat resides on the road. The automated vehicle has to identify this boat and avoid it. For the safe behavior of the lane change assistant in either scenario, the object models with appropriate characteristics have to be considered in the development of the lane change assistant. For the second scenario, a boat model has to be explicitly defined and included in the development. For the wrong-way driver, vehicle models have to consider the possibility of driving against the intended driving direction. If the directions of vehicles have been restricted in environment models for the lane change assistant to match the driving direction of highways, then the wrong-way driver of Fig. 3.21a would not have been considered in the development of the lane change assistant.
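The effect of such a restriction can be checked mechanically. The following added example (not part of the original text) replays constructed scenes for the two scenarios of Fig. 3.21 against an environment model and reports every object the model cannot represent. The class names, the 30° heading limit, and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Obj:
    kind: str           # object class, e.g. "car"
    heading_deg: float  # heading relative to the lane direction; 0 = with traffic

@dataclass(frozen=True)
class ObjectModel:
    kind: str
    max_heading_dev_deg: float  # largest modeled deviation from the lane direction

def heading_dev(deg):
    """Absolute deviation from the lane direction, folded into [0, 180]."""
    d = abs(deg) % 360.0
    return 360.0 - d if d > 180.0 else d

def uncovered(scene, env_model):
    """Return (object, reason) pairs that the environment model cannot represent."""
    by_kind = {m.kind: m for m in env_model}
    gaps = []
    for obj in scene:
        model = by_kind.get(obj.kind)
        if model is None:
            gaps.append((obj, "no object model for this class"))
        elif heading_dev(obj.heading_deg) > model.max_heading_dev_deg:
            gaps.append((obj, "heading outside modeled range"))
    return gaps

# Constructed scenes after Fig. 3.21 (assumed values, not measured data).
SCENARIOS = {
    "wrong_way_driver": [Obj("car", 0.0), Obj("car", 180.0)],
    "boat_on_road": [Obj("car", 0.0), Obj("boat", 90.0)],
}

# Model restricted to highway driving direction (assumed 30 degree limit) ...
RESTRICTED = [ObjectModel("car", 30.0), ObjectModel("truck", 30.0)]
# ... and a model without the direction restriction that also includes a boat.
WIDENED = [ObjectModel(k, 180.0) for k in ("car", "truck", "boat")]

def coverage_report(env_model):
    """Map each scenario name to the reasons its objects fall outside the model."""
    return {name: [reason for _, reason in uncovered(scene, env_model)]
            for name, scene in SCENARIOS.items()}

if __name__ == "__main__":
    for label, model in (("restricted", RESTRICTED), ("widened", WIDENED)):
        print(label, coverage_report(model))
```

A non-empty report for a scene means that results obtained with that environment model say nothing about the scene. An empty report only shows that the listed scenes are representable, not that the model covers the open world.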

The following section discusses the shortcomings of the development activities for the lane change assistant from the system point of view. It addresses problems for the environment perception and discusses the decision making and its shortcomings.