A Systematic Approach of Reduced Scenario-based Safety Analysis for

Highly Automated Driving Function

Marzana Khatun

, Michael Glaß

and Rolf Jung

Electrical Engineering,Kempten University of Applied Sciences, Kempten, Bavaria, Germany

Institute of Embedded Systems/Real-Time Systems, Ulm University, Ulm, Germany

Keywords:

HADF, FuSa, SOTIF, Scenario Reduction, Scenario Modeling.

Abstract:

This paper investigates the scenario catalog generation and scenario reduction approaches for a complete

Highly Automated Driving Function (HADF). Such approaches focus on the clustering and/or grouping of

scenarios by applying a simple stochastic process at an early stage of development. Dealing with an enormous

number of scenarios considering Functional Safety (FuSa), Safety Of The Intended Functionality (SOTIF)

including cybersecurity desires intelligent approaches for HADF’s scenario reduction. The reduction of sce-

narios in HADF is a challenge for automotive researchers since it relates to a large number of parameters

(like environmental aspects). The main contributions of the scenario generation and reduction approach pro-

posed in this work are the following: (1) contribution to a complete scenario catalog for a dedicated HADF, (2)

logical scenario optimization with parameter distribution, and (3) optimize discretization step for ﬁnding semi-

concrete scenarios that can be executed. Furthermore, the optimization method incorporating the Monte-Carlo

(MC) experiment with the CarMaker simulation yields a systematic approach to modeling reduced scenarios

without redundancy to support safety.

1 INTRODUCTION

Various safety-related technical approaches are pro-

posed and used in the area of HADFs. Ensuring the

overall safety of the vehicle is a top priority in soci-

ety and industry. The investigation of HADF focuses

on Automation level 3, L3 (conditional automation

driver has to take control at all the times with notice)

and higher automation level 4, L4 (high automation)

and/or L5 (Fully automation) (NHTSA, 2017).

Hazard Analysis and Risk Assessment (HARA) is

one of the major analysis methods widely used in dif-

ferent safety-related sectors like road vehicle safety to

capture critical scenarios, robotics, aero, rail, etc. A

scenario-based extension of the HARA can be used to

extend the area of consideration and to reduce misun-

derstandings during the development phase (Khatun

et al., 2020). On the one hand, such scenario-based

analysis can consider the electrical and/or electronic

(E/E) malfunction and/or the functional insufﬁcien-

cies in terms of identifying safety-relevant scenarios

(known-safe and known-unsafe). On the other hand,

indicates the necessity of tool support to ﬁnd a set of

unknown-unsafe scenarios by implementing parame-

ter variation for a speciﬁc use case or set of scenarios.

For an Operation Design Domain (ODD) of a HADF

like Transverse Guidance is studied to establish a sce-

nario catalog. Although scenario-based safety analy-

sis is beneﬁcial in so many aspects, the main draw-

back of scenario-based hazard analysis is the tremen-

dous increase of scenarios according to functional

and logical expressions with an exploding parameter

space (the combination of logical scenarios parame-

ters).

From the aspect mentioned above, this paper de-

scribes a research effort that aims to establish a

systematic process for scenario generation, model-

ing, and scenario reduction approach applicable to

HADFs deal with higher automation levels (L3 and/or

higher).

The key contributions of this paper for a safety-

relevant systematic approach are for scenario gener-

ation, scenario modeling, scenario reduction, and pa-

rameter variation as follows:

(1) How can grouping and clustering methods be ap-

plied in contribution to a completer scenario catalog

at the very beginning of the concept phase? For ex-

ample, parameters and inﬂuencing factors are con-

sidered to cluster the scenarios at the very begin-

ning of the scenario-based safety analysis. (2) How

Khatun, M., Glaß, M. and Jung, R.

A Systematic Approach of Reduced Scenario-based Safety Analysis for Highly Automated Driving Function.

DOI: 10.5220/0010397403010308

In Proceedings of the 7th International Conference on Vehicle Technology and Intelligent Transport Systems (VEHITS 2021), pages 301-308

ISBN: 978-989-758-513-5

301

can a scenario reduction method be used systemati-

cally for HADF during the safety analysis process?

There are some reduction methods like hierarchical,

continuous-based, distribution-based, etc. available.

An appropriate reduction method will be proposed

with modiﬁcations that can be applied to reduce the

scenarios in the HADF safety analysis process. (3)

What methods can be used to model a scenario and

simulate (e.g. CarMaker, Monte-Carlo) the scenario

in terms of the safety-critical parameter range?

The structure of this paper is as follows, section 2

provides the current status of FuSa and SOTIF. Next,

section 3 describes the scenario catalog generation

process during the research investigation. Afterward,

section 4 introduces a proposed scenario reduction

method in a systematic way for safety development.

Later, section 5 exhibits the scenario modeling and

analysis. Consecutively, section 6 demonstrates the

simulation approach and results based on the method

proposed in previous sections. Finally, section 7 sum-

marizes the outcomes and gives an outlook for further

work.

2 STATE OF THE ART

Safety is the main reason that there is no autonomous

vehicle currently available on the market. The driver

is still responsible for controlling the vehicle featured

with advanced assist systems which exhibit the lim-

itation of systems function and doubt about safety

undermost functional safety and performance limita-

tions. The standard ISO 26262:2018 is state of the

art for road vehicle’s FuSa. FuSa deﬁnes as “the ab-

sence of unreasonable risk due to hazards caused by

malfunctioning behavior of E/E systems” (ISO26262,

2018). ISO/PAS 21448:2019 describe SOTIF as “ab-

sence of unreasonable risk due to hazards resulting

from functional insufﬁciencies of the intended func-

tionality or from reasonably foreseeable misuse by

persons” (ISO/PAS21448, 2019). Nonetheless, both

of them are developed only for L2 vehicles, not for

HADFs (L3, L4, and L5).

Scenario-based safety analysis is necessary for

HADFs in respect of environmental, trafﬁc situation

consideration, and homologation purpose. It is widely

understood that FuSa is not enough and SOTIF in the

matter of functional inefﬁciencies including security

need to be considered for assuring the overall safety

of the HADF. Scenario-based safety analysis is not

new and several research projects are investigating

this area like (Galizia et al., 2018), (Mazzega, 2019),

(Leither et al., 2020). But, none of them present a full

set of scenarios for the safety analysis process for any

speciﬁc HADF.

However, the challenge is to implement the FuSa

and SOTIF process in a scenario-based HADF. The

amount of scenarios is increasing together with the

complexity of the system architecture if scenario-

based safety analysis is considered. The existing

scenario-based safety analysis method (e.g. HARA)

with some modiﬁcation to a complete HADF like

Transverse Guidance Assist System (TGAS) is al-

ready examined(Khatun et al., 2020). The outcome of

this investigation provides the great necessity of sys-

tematic approaches of scenario reduction for model-

ing and simulation of HADF scenarios.

A Functional scenario is a basis for any scenario-

based analysis. According to author Menzel,“ func-

tional scenarios include operating scenarios on a se-

mantic level including linguistic scenario notation.

The description of functional scenarios is speciﬁc for

the use case” (Menzel et al., 2018). The deﬁnition for

logical scenario is, “it includes operating scenarios

on a state space level can express with the help of pa-

rameter ranges in the state space. A logical scenario

includes a formal notation of the scenario” (Kalis-

vaart et al., 2019). Furthermore, concrete scenario-

“a concrete scenario is fully deﬁned sequence. It de-

scribes a single instance from a logical scenario.”

(Kalisvaart et al., 2019).

At the very beginning (Functional scenarios) of

the safety development phase for HADF can be based

on (a) risk analysis, (b) an accident database, and (c)

virtual & long term vehicle test as described in (Gal-

izia et al., 2018),(Damm et al., 2020) and (Fadhloun

et al., 2020) but no scenario reduction approach is

included explicitly. However, The parameter space

explosion relates to factors like inﬂuence parameters,

systematic test case. Based on Amersbach and Win-

ner, choosing the correct discretization step is a chal-

lenge yet to be overcome (Amersbach and Winner,

2019).

The stochastic approach for scenario reduction,

such as scenario tree reduction for multistage stochas-

tic programs is proposed and developed with a sound

theoretical basis with numerical experiences, keep-

ing in mind the optimization model for electricity

portfolios (Holger and Werner, 2009). Stochastic

programming-based scenario reduction approach is

used in electrical load in a power management model

(Holger and Werner, 2003). But, these approaches are

not formulated for an exemplary case of any HADF’s

scenario reduction.

The focus of our work is to implement the simple

stochastic approach to reduce scenarios at the concept

phase (left side of the V model) of a HADF.

VEHITS 2021 - 7th International Conference on Vehicle Technology and Intelligent Transport Systems

302

3 GENERATING SCENARIO

CATALOG

The scenario catalog provides a set of use cases for

HADF safety analysis and is a base for further de-

velopment. Based on the use cases, test runs can be

generated. The scenario catalog provides support to

deﬁne logical scenarios and concrete scenarios. The

ODD is one of the characterization approaches to gen-

erate a scenario catalog. Society of Automotive En-

gineers (SAE), deﬁnes the ODD as “operating con-

ditions under which a given driving automation sys-

tem or feature thereof is speciﬁcally designed to func-

tion, including, but not limited to, environmental, ge-

ographical, and time-of-day restrictions, and/or the

requisite presence or absence of certain trafﬁc or

roadway characteristics” (SAEJ3016, 2018). It is ob-

vious that deﬁning the area outside ODD is difﬁcult

and less informative regarding the vast area that is out

of the scope for HADF. It would rather make more

sense to identify the area inside the ODD which re-

duces the observation area to analyze the functional

boundaries of the system.

During scenario-based safety analysis, the num-

ber of functional scenarios is increasing tremendously

and lead to the necessity of a scenario reduction

approach for HADF. Moreover, ﬁnding new safety-

relevant scenarios from virtual tests with parameter

variation is in the scope of our research. By pa-

rameter variation, unknown-unsafe areas will be de-

termined as simulation will be run considering opti-

mization methods. Then, the unknown-unsafe area

will be turned into a known-unsafe area as the area is

found by simulation, hence, not unknown anymore.

Author Georg graphically represented the reduction

of unknown-unsafe area in his paper but didn’t men-

tioned the evaluation process (Macher et al., 2019).

If the area is known, safety measures can be imple-

mented to make the area safe so it’s turning into a

known safe area based on optimization results. Thus,

we can enlarge the ODD area for HADF gradually

and the safety-relevant scenario catalog will keep

growing and tools like CarMaker is used for scenario

modeling and simulation. Therefore, the ﬁrst key con-

tribution of this paper is realized (modeled scenario

catalog). Figure 1 gives a glimpse of the process as

Figure 1: Safety relevant Scenario catalog-ﬂow diagram.

Figure 2: Proposed Scenario Clustering Approach.

described above in a simple block diagram.

For the implementation of Scenario-based HARA

in a speciﬁc HADF such as TGAS can be used

(Khatun et al., 2020). We realized that restriction

of ODD is necessary to deal with the huge number

of scenarios focusing on vehicle malfunction (FuSa)

and SOTIF (functional insufﬁciency) at function level

for a complete HADF. To show the completeness of a

scenario-based HARA, restricted ODD for the TGAS

of the HADF is examined (like a logical scenario, lane

change in the highway). Hence, a targeted use case

is analyzed, assessed, and a scenario catalog is pro-

posed. In detail, the ODD is restricted by considering

highly automated lane change function in the highway

with other road users (3 road users) in a good environ-

mental condition. The basic scenario is based on two

vehicle functions (like turning left and turning right)

with functional units of ego vehicle (such as solid ob-

ject detection, moving object detection, etc).

4 SCENARIO REDUCTION

METHOD

The combination of different parameters (e.g road

type, environment, ego vehicle breaking) for a single

functional scenario leads to a high number of logical

scenarios. From the investigation of scenario-based

hazard analysis (Khatun et al., 2020), the functional

scenario ”lane change” around 537,602 possible sce-

narios were derived by full factorial combination of

parameters based on the 6 layer model (as described

in section 5) without applying parameter discretiza-

tion steps. The clustering of scenarios at the top level

is possible in connection with the context and sim-

ilarity of the assessment. Safety-relevant parameters

are grouped based on the scenario classiﬁcation to im-

plement the clustering approach for scenario reduc-

tion. After that, for a speciﬁc safety-relevant parame-

ter, variation is applied and collision result is analyzed

to establish a reduced set for concrete scenarios. The

proposal is illustrated in Figure 2. In the simulation,

the selection of the correct discretization width step

for parameter variation is an observation oriented (ex-

periment and/or study based) approach at the logical

scenario. The overall range is compromised by ODD.

A Systematic Approach of Reduced Scenario-based Safety Analysis for Highly Automated Driving Function

303

Computation time for large number of parame-

ters of scenario-based analysis is a challenge yet to

be solved. To support the scenario reduction, the

stochastic approach is estimated to optimize the criti-

cal scenarios at the early stage of development. Based

on the research (Dupa

cov

a and Kozm

ık, 2015), the

random parameters in stage t= 2, ...T as ξ

, where

T is a given horizon, and ξ is a situation (parameter

set) are assumed. The random elements are estimated

based on simulation, distribution, or from known ﬁeld

tests. The parameters of the ﬁrst stage, ξ

= (c

, A

), are assumed to be known based on decision x

(like lane change function will activate when colli-

sion free lane change is possible otherwise not). The

random parameters at stage t, ξ

contain cost coefﬁ-

cients c

, constraint matrix A

, the recourse matrix B

and constraints coefﬁcient b

. For example, the cost

for performing a lane change differing from different

(desire) velocity, recourse matrix reﬂect the safety pa-

rameters (e.g. safe distance) and weather condition

and/or road type (highway) can be considered as con-

straints parameters. For ﬁrst stage, the probability dis-

tribution is known for simulation.

The components of ξ and the decisions x are as-

sumed to be random vectors and deﬁned on some

probability triple (Ω, F , P). Here, Ω is a set of all pos-

sible outcomes (possible lane change situation from

safety analysis) and F is a set of events (collision with

the vehicle in-front or side or behind). An event is be-

ing a set of outcomes in the sample space (only con-

sider the collision with the vehicle in-front). Let, F

⊆ F be the σ-ﬁeld generated by the projection of the

stochastic data process ξ. The sequence of decisions

and observations is

, ξ

, x

, ξ

), ...., x

T −1

, ξ

, ....ξ

) (1)

In scenario reduction assumptions, P is the discrete

probability distribution carried by a ﬁnite number of

scenarios (ξ

, ξ

,....,ξ

) with probability p

> 0, i =

1,....,N (

∑

= 1) and Q is the discrete probability

distribution with a lower number of atoms (scenar-

ios). Generally, atoms of the reduced distribution do

not need to correspond with atoms of the original dis-

tribution (Dupa

cov

a and Kozm

ık, 2015).

For the ﬁrst run, the statistical data approximation

of P and a subset of the atom of P is carried by Q. The

number of reduced scenarios are denoted as j ∈ J ⊂

{1,....,N}. In statistical distance d (P, Q) variation, the

distance between two probabilities is measured from

the ﬁrst simulation result. This approach can be ap-

plied with multiple stages (multistage stochastic) for

HADF in light of the functional scenarios to logical

scenarios regarding the inﬂuences of parameters like

distance with realtive speed of two vehicles. The opti-

mization of parameter’s range at the ﬁrst stage (func-

tional scenario) is the focus of this paper which can

support limiting the logical scenarios.

The accident samples and testing phase are lim-

ited(Kopestinsky, 2021). The simulation-based op-

timization considering the available accident statis-

tics of L2 vehicle’s are taken as distributed input pa-

rameters. To overcome the discretization step (cor-

rect range) of parameters from functional scenario to

logical scenario, normal distribution of the parame-

ters (e.g. distance between vehicles) is assumed us-

ing mean, median, and standard deviation of discrete

parameter distribution for the ﬁrst probability exper-

iment (MC) and veriﬁed by CarMaker simulation.

Hence, a possible precise range of parameter bound-

aries can be achieved by two steps: ﬁrst, by proba-

bility estimation and second, by parameter variation

based on the outcomes of the ﬁrst step.

This section contributes to the functional scenar-

ios reduction regarding parameter variation and clus-

tering. One functional scenario can be described with

different safety-critical levels caused by a different

range of one parameter and/or combination of pa-

rameters. Parameters can be selected by vehicle pa-

rameters (e.g. Speed), road type (e.g. highway, ur-

ban), safety measures (e.g. distance), etc. To trace

the meaningful reduced functional scenarios utilizing

relation between function units (camera, radar, etc)

and vehicle’s functions are realized by pre-selection

of the triggering events. The combination of FuSa

and SOTIF safety analysis is done by developing a

generic HARA focus on both FuSa and SOTIF as-

pect (Khatun et al., 2020). During the investigation,

based on a HADF (TGAS) in an ODD, around 786

scenarios are observed for HARA analysis for the use

case (as described in section 3). The pre-selection ap-

proach is able to reduce the total number of scenar-

ios to around 444 which is about 43% achieved from

hazard analysis. But, the number is still huge and

an additional reduction process is required. The pre-

selection approach is, each possible triggering events

has been estimated with vehicle malfunction and the

vehicle’s functional insufﬁciencies for a speciﬁc func-

tion to support validation. For example, function like

detection of a moving object is only possible if a cam-

era is providing the correct signal to the the function-

ally safe vehicle. Consequently, clustering and group-

ing are applied to reduce the scenarios as well. Addi-

tionally, a simple scenario reduction approach is de-

scribed to conﬁrm the second and the third key con-

tribution of the paper. This paper does not focus on

a further reduction approach for particular test cases

and test criteria but investigates the simulation results

to collect a reduced set of reduced logical scenarios

only.

VEHITS 2021 - 7th International Conference on Vehicle Technology and Intelligent Transport Systems

304

5 SCENARIO MODELING AND

ANALYSIS

Modeling the scenario in HADF has great beneﬁt by

means of:

• visualizing the scenario

• parameter variation

• identifying the possible unknown-unsafe area

• optimizing discretization step

To start with the scenario modeling, a systematic

description of the scenario (lane change) is layered

as proposed in the Pegasus project (Mazzega, 2019).

But, only ﬁve layers (from layer 1 to Layer 5) are con-

sidered for modeling scenarios in this paper. The last

Layer (Layer 6- digital information) is out of scope

for the scenario modeling. All layered information is

combined and a list of scenarios is estimated using

simple simulations as described: For each scenario,

layers L

(Layer1 = L1, Layer2 = L2, Layer3 = L3,

Layer4= L4, Layer5 = L5), where i = {1, 2, ...5}; as

only 5 layers are assumed. So, the total functional

scenario set is:

Functional Scenario =

∏

i=1

(2)

where each layer assign with a different cardinal-

ity set in terms of different categories and/or types.

Assumed, L1={1l

, 1l

...1l

}; L2={2l

, 2l

...2l

};

L3={3l

, 3l

...3l

}; L4={4l

, 4l

...4l

}; L5={5l

...5l

}. The symbols a, b, c, d, e deﬁne the ﬁnite

cardinality number of each layer. A simple represen-

tation is shown in Table 1.

Table 1: Layer-based Scenario modeling.

Layer Description of Layer with elements

Layer1 (L1) Road level

(straight,cruved,uphill...)

Layer2 (L2) Trafﬁc Infrastructure

(construction site, road sign,...)

Layer3 (L3) Combination of L1 and L2

(single lane same direction, ...)

Layer4 (L4) Objects

(Other trafﬁc, solid object, ...)

Layer5 (L5) Environment

(Sunny, cloudy, rainy, snow,...)

The total possible set of functional scenarios

can be constructed by associating every element of

one set with each element of another set by us-

ing the cartesian product.Thus, the Equation 2 can

be expressed for a single functional scenario as

(1l

, 2l

, 3l

, 4l

, 5l

) | 1l

∈ L1; 2l

∈ L2; 3l

∈ L3;

∈ l4; 5l

∈ L5.

Layer information is used as a basis for the mod-

eling of any HADF functional scenario. The layer-

based approach is easy to understand, but challenging

to model because the layer-based approach describes

the scenario as semantics. Therefore, for efﬁciently

modeling the scenario (re-usability) parameter-based

clustering is assumed. Four major steps, to insert the

parameters in a scenario are:

• Ego vehicle parameters

• Road type parameters

• Road trafﬁc and Environment Parameters

For modeling the scenarios, tools like CarMaker

are used. Figure 3 overlays the scenario modeling ap-

proach with four steps.

Figure 3: Scenario Modeling steps (in CarMaker).

One of the goals for parameter-based modeling is

to reuse the modeled scenario (partly or fully) in the

next level of analysis like analyzing the logical sce-

nario for the selection of the discretization step. Al-

though, modeling scenario consumes some amount of

time, but it is necessary to simulate the scenario at

concept phase to identify the safety-relevant parame-

ters. The re-usability of the scenario model will pro-

vide great help and make the process faster for further

(new) scenario generation.

To reduce the effort of modeling scenarios in tools

(e.g. CarMaker) and to optimize the possible bound-

ary of parameters from a probability distribution, a

simple Monte-Carlo (MC) experiment is applied in a

HADF’s lane change use case scenario. The opti-

mization technique is chosen for HADF analysis as

concrete ﬁeld test data are not available for research.

However, a high-performance computing system is

demanded for such type of experiment (to minimize

the computing time), but it’s still possible to get the

result of collision probability with the leading vehicle

by varying a speciﬁc parameter (speed) over a certain

boundary in the use case.

Initial parameters are assumed based on research,

ﬁeld experiment results like probability distribution

((Gyllenhammar et al., 2020), (Hassan et al., 2014),

A Systematic Approach of Reduced Scenario-based Safety Analysis for Highly Automated Driving Function

305

Figure 4: Monte Carlo Simulation for Parameter Optimiza-

tion.

(Cana et al., 2008), etc). So, a ﬁnite number of sce-

narios are weighed as reﬂects (ξ

, ....,ξ

) and discrete

probability distribution with a lower number of atoms

(Q) is optimized in the MC experiment. Based on the

ﬁrst run (1st simulation) result, parameter adjustment

has been done in the later revisions of the MC ex-

periment. The goal for this experiment is to get the

collision probability concerning parameters (distance

between vehicles, speed). A model-based approach

of the experiment process is represented in Figure 4.

6 SCENARIO SIMULATION

The goal is to ﬁnd the critical parameters to realize

the HADF by simulation. No longer a vehicle with

HADF can be validated and veriﬁed for a limited

set of use cases. Unusual situations can arise while

driving and test case numbers are increasing drasti-

cally. So, to conﬁrm vehicle’s performance and ﬁnd-

ing the key parameters and/or combination of param-

eters, scenario-based simulation with optimization is

performed. The key concept of our investigation is to

reduce the area for modeling scenarios in an efﬁcient

way.

This section divides the scenario simulation into

two parts to explain the fourth key contribution of this

paper. The ﬁrst part demonstrates the optimization of

a parameter by MC simulation. The second part pro-

vides the modeled scenario with parameter variation

to optimize the boundary range for a Logical scenario.

The complex stochastic approach will be applied to

the logical scenario to reduce the scenarios. Each log-

ical scenario can exponentially increase the number

of concrete scenarios with respect to parameter vari-

ation (x

with j = {1,2,...,N}) which can be shown in

the equation:

Logical Scenario =

∏

i=1

∏

j=1

∗ x

(3)

The process of the modeling scenarios and exper-

iment of scenarios is highlighted by a ﬂow diagram in

Figure 5.

Figure 5: Scenario Simulation Flow Diagram.

As described in section 3, probability triple (Ω,

F , P) is described where Ω is a set of all possible out-

comes. The functional scenario image is created in

2D which is enough for MC simulation as represented

in Figure 6 where a straight highway with three other

road users are considered for the experiment. The ego

vehicle is marked as yellow color (V1) and other road

vehicles are marked with different light colors like

carolina blue (V1), dusty blue (V2), and aqua (V3).

The scenario is that the ego vehicle is turning from

the right lane to the left lane of the road and over-

taking vehicle V3 and then back to the previous lane

again.

Figure 6: Functional Scenario (Lane Change of HADF

Level 3 automation).

Based on the described scenario the MC experi-

ment is done for HADF. It is well known that statisti-

cal data for HADF is not well established and limited

up to L2 for certain cases. The discrete probability of

parameter distribution is found for L2 vehicles which

are assumed to be the same for L3 vehicles at the be-

ginning of the experiment to optimize the parameter

range ((Gyllenhammar et al., 2020), (Hassan et al.,

2014), (Cana et al., 2008), etc). For simplicity of the

simulation, a continuity correlation (Normal approx-

imation) is used by a given mean and standard devi-

ation to approximate the discrete distribution by con-

tinuous distribution. The result of the simulation is a

discrete probability distribution of the occurrence of

an accident over parameters (like distance with other

VEHITS 2021 - 7th International Conference on Vehicle Technology and Intelligent Transport Systems

306

vehicles). The approximation of the input parame-

ters is shown in Figure 7. The probability distribu-

tion describes the possible values and likelihood that

a random variable can be taken within a given range.

The ranges can be bounded as a minimum and max-

imum possible values. To identify the precise possi-

ble value, the distribution factor needs to be plotted.

These factors include the mean, median, and standard

deviation. So, probability distribution is considered

as input for parameters like vehicle’s in-between dis-

tance (V1 and V2, V2 and V3 and V3 and V4).

Figure 7: Input parameters approximation for Monte-Carlo

Simulation.

The output of the experiment provides the proba-

bility of an accident in percent over the distance be-

tween the ego vehicle (V2) and leading vehicle (V3)

as exhibited in Figure 8. To build conﬁdence and get-

ting an acceptable optimization value, several thou-

sand Monte-Carlo runs are examined. To utilize MC,

several sets of MC run (Like, 800 MC runs, 1000 MC

runs and 30000 MC runs) has been computed and op-

timize the probability of the accident. Although, the

computational costs are high for the MC scenario sim-

ulation and improvement can be possible. However,

MC helps to assess the safety and to estimate reduced

boundary of the safety critical parameters. Further-

more, the paper tries to propose a concept that sup-

ports reducing the scenarios up to a level and provide

evidence by probability assumption not enforcing the

accuracy of the performance of the experiment. Al-

though, a future research aspect is to compare the re-

sult with completely different tools like CarMaker for

optimizing the acceptable result. Based on the acci-

dent probability result, the distance range and speed

of the vehicles are considered for parameter variation

with discretization steps in CarMaker simulation.

From the MC experiment, optimized boundary pa-

rameters are used in CarMaker scenario modeling and

simulation. To build the conﬁdence of the optimized

result and determining the accuracy from the MC ex-

periment, the same scenario is modeled in CarMaker,

and results are compared.

The discretized steps are considered as a variation

of parameter in CarMaker as variation as illustrated in

Figure 9. Ego vehicle’s speed is considered as a pa-

Figure 8: Monte-Carlo Simulation output (Probability of

accident).

Figure 9: Parameter Variation in a Logical scenario.

rameter for variation and the simulation result is ob-

served. CarMaker simulation is a repetitive approach

to ﬁnding possible collision scenarios with speciﬁc

parameters. Undoubtedly, the simulation results sup-

port the scenario catalog (by listing a possible group

of use cases) and the concrete scenario generation.

The concrete scenario set can be used for further test

case application.

7 CONCLUSIONS

The reason for applying the same optimization

method to two different tools is to compare the out-

comes with no redundancy which supports safety val-

idation and veriﬁcation. Our scenario-reduction ap-

proach will downsize the modeling effort by opti-

mized parameter’s boundary. Further reduction in

logical scneario is possible by implementing MC in

logical scenarios modeled in CarMaker (using tool in-

terference like Matlab). It is ssumed that by observing

the simulation with parameter variation, unknown-

unsafe scenarios can be realized which are carried in

the scenario catalog and provides support to complete

the scenario catalog for a HADF.

The proposed pre-selection approach for an ODD

of TGAS shows the functional scenario reduced about

A Systematic Approach of Reduced Scenario-based Safety Analysis for Highly Automated Driving Function

307

43% during scenario-based hazard analysis (at the

early stage by clustering and grouping) is counted as

an outcome of this paper for supporting a complete

HADF scenario set. Furthermore, using a stochas-

tic program to optimize the safety-relevant parame-

ter’s boundary reduces the number of logical scenar-

ios which reduce the effort of modeling scenarios.

A simple stochastic program is advantageous at the

function level to deal with a large number of scenar-

ios and uphold to sustain a systematic approach that

supports the safety aspect of HADF. This approach

supports in general to build conﬁdence in simulation-

based scenario investigation in HADF development

which can be cost-effective and time-efﬁcient. Al-

though, a further scenario reduction approach is re-

quired from a logical scenario to concrete scenario

determination.

In our future research, we would like to focus on

the complete scenario database for a complete HADF

and propose a reduced set of concrete scenarios based

on simulation results that can support to provide ev-

idence for safety approval (homologation). Approxi-

mation techniques that reduce more scenarios in each

step of clustering and/or grouping at function level

may be improved by other types of stochastic pro-

grams like a multistage program. Interesting is to ob-

serve the accuracy rate of the experiment and simu-

lation result by studying a huge number of scenarios

which has to be investigated.

REFERENCES

Amersbach, C. and Winner, H. (2019). A contribution to

overcome the parameter space explosion during vali-

dation of highly automated driving. Taylor & Francis,

20th edition.

Cana, R., Ferrares, P., Townsend, E., Jost, G., Janitzek, T.,

Pogorelov, E., Popolizio, M., Simcic, G., and Berg,

Y. (2008). Speedfact sheet. German Autobahn: The

Speed Limit Debate.

Damm, W., M

ohlmann, E., and Rakow, A. (2020). Valida-

tion and Veriﬁcation of Automated Systems. Springer

Nature Switzerland AG., European Union, 1st edition.

Dupa

cov

a, J. and Kozm

ık, V. (2015). SDDP for multistage

stochastic programs: preprocessing via scenario re-

duction. Springer.

Fadhloun, K., Rakha, H., Loulizi, A., and Wang, J.

(2020). A validation study of the fadhloun-rakha car-

following model. In Proceedings of the 6th Interna-

tional Conference on Vehicle Technology and Intel-

ligent Transport Systems - Volume 1: VEHITS,. IN-

STICC, SciTePress.

Galizia, A. D., Bracquemon, A., and Arbaretier, E. (2018).

A scenario-based risk analysis oriented to manage

safety critical situations in autonomous driving. Safety

and Reliability – Safe Societies in a Changing World,

pages 1357–1362.

Gyllenhammar, M., Johansson, R., Warg, F., Chen, D.,

Heyn, H., Sanfridson, M., and Ursing, S. (2020). To-

wards an operational design domain that supports-

the safety argumentation of an automated driving sys-

tem. 10th European Congress on Embedded Real

Time Software and Systems (ERTS2020).

Hassan, S., Puan, O., Mashros, N., and N.Sukor (2014).

Factors affecting overtaking behaviour on single car-

riageway road: Case study at jalan kluang-kulai. Spe-

cial Issue on Highway and Transportation Engineer-

ing Part 1.

Holger, H. and Werner, R. (2003). Scenario Reduction Al-

gorithm in Stochastic Programming. Springer.

Holger, H. and Werner, R. (2009). Scenario tree reduction

for multistage stochastic programs. Springer.

ISO26262 (2018). Road vehicles — Functional safety. ISO,

2nd edition.

ISO/PAS21448 (2019). Road vehicles — Safety of the in-

tended functionality. ISO, 1st edition.

Kalisvaart, S., Slavik, Z., and Camp, O. (2019). Valida-

tion and Veriﬁcation of Automated Systems. Springer,

Cham., Switzerland, 1st edition.

Khatun, M., Glaß, M., and Jung, R. (2020). Scenario-based

extended hara incorporating functional safety and so-

tif for autonomous driving. 30th European Safety and

Reliability Conference.

Kopestinsky, A. (2021). 25 astonishing self-driving car

statistics for 2021. Policy Advice.

Leither, A., Watzenig, D., and Ibanez, J. (2020). Valida-

tion and Veriﬁcation of Automated Systems. Springer

Nature Switzerland AG., European Union, 1st edition.

Macher, G., Druml, N., Veledar, O., and Reckenzaun,

J. (2019). Safety and Security Aspects of Fail-

Operational Urban Surround perceptION (FUSION).

IEEE2018, China.

Mazzega, J. (2019). Pegasus method: An overview. PE-

GASDU Symphony.

Menzel, T., Bagschik, G., and Maurer, M. (2018). Scenar-

ios for development, test and validationof automated

vehicles. 2018 IEEE Intelligent Vehicles Symposium

(IV), Changshu.

NHTSA (2017). Automaed Driving Systems-A Vision for

Safety. u.s Depertment of transportation, U.S, 2nd edi-

tion.

SAEJ3016 (2018). Taxonomy and deﬁnitions for terms re-

lated to driving automation systems for on-road motor

vehicles. 30th European Safety and Reliability Con-

ference.

VEHITS 2021 - 7th International Conference on Vehicle Technology and Intelligent Transport Systems

308