ISO/TR 4804:2020
Road vehicles — Safety and cybersecurity for automated driving systems — Design, verification and validation
This document describes steps for developing and validating automated driving systems based on basic safety principles derived from worldwide applicable publications. It considers safety- and cybersecurity-by-design, as well as verification and validation methods for automated driving systems focused on vehicles with level 3 and level 4 features according to SAE J3016:2018. In addition, it outlines cybersecurity considerations intersecting with objectives for safety of automated driving systems.
Véhicules routiers — Sécurité et cybersécurité pour les systèmes de conduite automatisée — Conception, vérification et validation
Standards Content (Sample)
TECHNICAL REPORT ISO/TR 4804
First edition 2020-12
Road vehicles — Safety and cybersecurity for automated driving systems — Design, verification and validation
Véhicules routiers — Sécurité et cybersécurité pour les systèmes de conduite automatisée — Conception, vérification et validation
© ISO 2020
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2020 – All rights reserved
Contents (page)
Foreword .... v
Introduction .... vi
1 Scope .... 1
2 Normative references .... 1
3 Terms and definitions .... 1
4 General approach and overview .... 11
4.1 Introduction and motivation .... 11
4.2 Overview of this document .... 11
4.3 Structure and development examples used in this document .... 12
4.4 Safety vision .... 13
4.4.1 Background .... 13
4.4.2 Positive risk balance and avoidance of unreasonable risk .... 14
4.4.3 Principles of safety and cybersecurity for automated driving .... 14
5 Systematically developing dependability to support safety by design .... 17
5.1 General .... 17
5.2 Deriving capabilities of automated driving from dependability domains .... 18
5.2.1 Applying the related safety standards .... 18
5.2.2 ISO/PAS 21448 - Safety of the intended functionality .... 19
5.2.3 ISO 26262 series - Functional safety .... 19
5.2.4 ISO/SAE 21434 - Automotive cybersecurity .... 20
5.2.5 Capabilities of automated driving .... 21
5.2.6 Minimal risk conditions and minimal risk manoeuvres .... 25
5.3 Elements for implementing the capabilities .... 27
5.3.1 Implementing the capabilities .... 27
5.3.2 Elements .... 33
5.3.3 Generic logical architecture .... 45
6 Verification and validation .... 48
6.1 General .... 48
6.2 The scope and main steps of verification and validation for automated driving systems .... 49
6.3 Key challenges for verification and validation of SAE L3 and SAE L4 automated driving systems .... 50
6.3.1 Challenge 1: Statistical demonstration of avoidance of unreasonable risk and a positive risk balance without driver interaction .... 51
6.3.2 Challenge 2: System safety with driver interaction (especially in takeover manoeuvres) .... 51
6.3.3 Challenge 3: Consideration of scenarios currently not known .... 51
6.3.4 Challenge 4: Validation of various system configurations and variants .... 51
6.3.5 Challenge 5: Validation of (sub)systems that are based on machine learning .... 51
6.4 Verification and validation approach for automated driving systems .... 51
6.4.1 Defining test goals and objectives (why and how well) .... 52
6.4.2 Test design techniques (how) .... 52
6.4.3 Test platforms (where) .... 53
6.4.4 Test strategies in response to the key challenges .... 53
6.5 Quantity and quality of testing .... 57
6.5.1 Equivalence classes and scenario-based testing .... 58
6.6 Simulation .... 58
6.6.1 Types of simulation .... 60
6.6.2 Simulation scenario generation .... 61
6.6.3 Validating simulation .... 61
6.6.4 Further applications of simulation .... 62
6.7 Verification and validation of elements .... 62
6.7.1 A-priori information and perception (map) .... 63
6.7.2 Localization (including GNSS) .... 63
6.7.3 Environment perception sensors, V2X and sensor fusion .... 64
6.7.4 Interpretation and prediction, drive planning and traffic rules .... 64
6.7.5 Motion control .... 65
6.7.6 Monitor, ADS mode manager (including the vehicle state) .... 65
6.7.7 Human machine interaction and user state monitor .... 65
6.8 Field operation (monitoring, configuration, updates) .... 65
6.8.1 Testing traceability .... 65
6.8.2 Robust configuration and change management process .... 66
6.8.3 Regression prevention .... 67
6.8.4 Cybersecurity monitoring and updates .... 67
6.8.5 Continuous monitoring and corrective enforcement .... 67
Annex A (informative) Development examples .... 69
Annex B (informative) Using deep neural networks to implement safety-related elements for automated driving systems .... 80
Annex C (informative) Principles of safety and cybersecurity for automated driving .... 92
Annex D (informative) List of proposed standards .... 95
Bibliography .... 107
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 22, Road Vehicles.
Any feedback or questions on this document should be directed to the user's national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.
Introduction
Automated driving is one of the key modern technologies. In addition to offering broader access to
mobility, it may also help to reduce the number of road traffic related accidents and crashes. When
doing so, the safe operation of automated driving vehicles is one of the most important factors. Designed
to supplement existing standards and publications on various aspect
...