Risk Management Core -- Towards an Explicit Representation of Risk in Automated Driving
Nayel Fabian Salem, Thomas Kirschbaum, Marcus Nolte, Christian Lalitsch-Schneider, Robert Graubohm, Jan Reich, Markus Maurer
TL;DR
This paper argues that current automotive safety standards provide only implicit risk guidance, which is insufficient for SAE Level 3+ automated driving. It introduces the Risk Management Core (RMC), a process framework integrating risk analysis, risk evaluation, and risk treatment, underpinned by risk assessment and risk treatment ontologies, to explicitly align ADS risk with predefined risk-acceptance criteria. The authors demonstrate an application to behavior specification, using the Phenomenon-Signal Model (PSM) and a hazard log in an urban crossing scenario to produce a risk-based refinement of target behavior and safety goals. They discuss how the RMC supports transparent safety argumentation and communication with stakeholders, while outlining limitations (e.g., societal acceptance of criteria, the need for risk modeling, and cybersecurity considerations) and directions for future work to integrate with standards and expand to broader life-cycle processes.
Abstract
While current automotive safety standards provide implicit guidance on how unreasonable risk can be avoided, manufacturers are required to specify risk acceptance criteria for Automated Driving Systems (SAE Level 3 and higher). However, the 'unreasonable' level of risk of Automated Driving Systems is not yet concisely defined. Applying current safety standards alone to such novel systems may not be sufficient for their acceptance. As risk is managed with implicit knowledge about safety measures in existing automotive standards, an explicit alignment with risk acceptance criteria is challenging. Hence, we propose an approach for an explicit representation and management of risk, which we call the Risk Management Core. The proposal of this process framework is based on requirements elicited from current safety standards and is applied to the task of specifying safe behavior for an Automated Driving System in an example scenario.
