安全案例框架的意義

Aurora使用基于安全案例的方法，評估自動駕駛車輛何時(shí)能夠安全地在公共道路上行駛，并評估它們是否不會對機(jī)動車安全造成不合理的風(fēng)險(xiǎn)。

安全案例框架是安全取消安全駕駛員的最有效途徑，對于任何希望在沒有安全駕駛員的情況下運(yùn)營并安全交付大規(guī)模商用自動駕駛車輛的公司來說，它都是必不可少的組成部分。Aurora安全案例框架評估了車輛的整個(gè)開發(fā)生命周期，夠加快部署的速度，并確定何時(shí)可以接受自動駕駛車輛在公共道路上的安全性。

Aurora將安全視為一個(gè)持續(xù)的過程，而不是一個(gè)靜態(tài)的待辦事項(xiàng)清單，基于證據(jù)的方法在內(nèi)部和外部都至關(guān)重要。在公司內(nèi)部，安全案例框架是我們?nèi)绾胃鶕?jù)內(nèi)部標(biāo)準(zhǔn)不斷審查證據(jù)和評估Aurora driver的表現(xiàn)和發(fā)展，以確保我們有信心在有或沒有車輛操作員的情況下將自動駕駛車輛上路。在外部，安全案例框架使我們能夠有效地與合作伙伴、客戶、監(jiān)管機(jī)構(gòu)和公眾分享我們的方法和進(jìn)展。這種透明度有助于建立信任，這在部署任何新技術(shù)時(shí)都很重要。

Aurora安全案例框架介紹

Aurora采用了基于安全案例的方法，因?yàn)檫@是展示和解釋Aurora如何確定自動駕駛車輛在公共道路上運(yùn)行的可接受安全性的最合理和最有效的方式。該框架的核心是一個(gè)結(jié)構(gòu)化的論點(diǎn)，并有證據(jù)證明為什么我們的車輛是可接受的安全。自動駕駛車輛中的許多要素之間存在復(fù)雜的相互作用和關(guān)系。沒有任何一項(xiàng)單一證據(jù)能夠證明安全的整體性?；诎踩咐姆椒ㄒ院虾踹壿嫷姆绞綄⑦@證據(jù)與主張兩個(gè)基本概念結(jié)合在一起，以有效地展示我們?yōu)榇_定車輛在公共道路上安全行駛所做的工作。

Aurora開發(fā)該框架的目的是為了幫助評估Aurora卡車運(yùn)輸和客運(yùn)產(chǎn)品的整個(gè)開發(fā)生命周期，以便向合作伙伴和客戶提供安全且可擴(kuò)展的產(chǎn)品。

Aurora安全案例框架結(jié)合了政府組織的指南、安全關(guān)鍵行業(yè)的最佳實(shí)踐、非強(qiáng)制性行業(yè)標(biāo)準(zhǔn)和聯(lián)盟、學(xué)術(shù)研究以及組織在自身工作中所學(xué)到的知識。在自動駕駛汽車行業(yè)中，它是開發(fā)在公共道路上安全行駛的自動駕駛車輛并將這些車輛交付給合作伙伴、客戶和公眾的重要工具。

Aurora的安全案例框架覆蓋了對評估公共道路上自動駕駛車輛的安全開發(fā)、測試和運(yùn)行至關(guān)重要的不同要素。該框架的設(shè)計(jì)涵蓋了與車輛操作員的測試，也包括沒有操作員的測試。同時(shí)，它是為適應(yīng)環(huán)境而構(gòu)建的，因此可以根據(jù)不同的場景和環(huán)境對其進(jìn)行定制。能夠?qū)踩咐暶鞲木帪檫m用于不同的車輛平臺、有操作員的車輛、試車跑道上的車輛以及公共道路上的車輛。

Aurora的安全案例框架有助于評估Aurora driver的設(shè)計(jì)和開發(fā)，并與產(chǎn)品開發(fā)路線圖保持一致。對于每個(gè)主要的產(chǎn)品里程碑，我們將檢查哪些聲明是相關(guān)的，并開發(fā)相應(yīng)的證據(jù)。聲明是我們正在做出的一種論斷，例如“G3．1安全性能指標(biāo)被測量、分析并用于監(jiān)控安全性?！?Aurora正在內(nèi)部積極開發(fā)的適當(dāng)證據(jù)將被定制以證實(shí)每個(gè)單獨(dú)的聲明，可能包括測試結(jié)果、同行評審、，審計(jì)或評估。

目前只是第一個(gè)版本，隨著不斷學(xué)習(xí)并將測試操作擴(kuò)展到新的環(huán)境和平臺，Aurora的框架將不斷發(fā)展。這Aurora正在分享框架的前4個(gè)級別，因?yàn)锳urora的合作伙伴、客戶和公眾了解為什么我們對交付Aurora driver的進(jìn)展充滿信心是很重要的。進(jìn)一步開發(fā)將遵循一個(gè)迭代過程，隨著框架的發(fā)展，Aurora將繼續(xù)分享它的更新。

最高級別目標(biāo)

Aurora安全案例框架圍繞著“我們的自動駕駛車輛在公共道路上運(yùn)行是可接受的安全性”這一最高級別的聲明展開。使用整個(gè)安全案例來證實(shí)這一最高級別的聲明，并將這一主張分解為五個(gè)安全原則或子原則。

G1：精通／Proficient

自動駕駛車輛在正常運(yùn)行期間具備可接受的安全。

除非具備適當(dāng)?shù)氖炀毘潭?，否則自動駕駛車輛在公共道路上行駛是不安全的。熟練程度包括開發(fā)產(chǎn)品所需的設(shè)計(jì)、工程和測試。本安全原則包含自動駕駛車輛標(biāo)稱、非標(biāo)稱及邊界案例（corner cases）情況下的自動駕駛車輛性能要求。

G2：故障安全／Fail－safe

自動駕駛車輛在出現(xiàn)故障和失效時(shí)具備可接受的安全。

故障安全原則解決了自動駕駛車輛在出現(xiàn)失效和故障時(shí)的行為。沒有一個(gè)系統(tǒng)是百分之百完美的，部件有時(shí)會磨損或出現(xiàn)過早故障。Aurora driver旨在檢測并安全地緩和這些故障。此安全原則包含車輛內(nèi)置的所有故障檢測、緩和和通知。

G3：不斷改進(jìn)／Continuously improving

對構(gòu)成不合理安全風(fēng)險(xiǎn)的所有已識別潛在安全問題進(jìn)行評估，并采取適當(dāng)?shù)募m正和預(yù)防措施予以解決。

持續(xù)改進(jìn)原則概述了如何將持續(xù)改進(jìn)的概念融入到系統(tǒng)的開發(fā)中。自動駕駛車輛配備有傳感器，一組自動駕駛車輛僅從一天的運(yùn)行中就捕獲大量數(shù)據(jù)。我們能夠利用這些數(shù)據(jù)的力量實(shí)現(xiàn)持續(xù)改進(jìn)。該現(xiàn)場數(shù)據(jù)為綜合數(shù)據(jù)分析工作提供數(shù)據(jù)，該工作計(jì)算安全性能指標(biāo)，并考慮設(shè)計(jì)和開發(fā)期間收集的數(shù)據(jù)。這種系統(tǒng)收集和分析數(shù)據(jù)的方法使我們能夠發(fā)現(xiàn)趨勢、均值回歸和緊急行為。Aurora還采取積極主動的方法進(jìn)行持續(xù)改進(jìn)，使用風(fēng)險(xiǎn)識別技術(shù)積極主動地識別風(fēng)險(xiǎn)。

G4：有彈性的／Resilient

在可合理預(yù)見的誤用和不可避免的事件情況下，自動駕駛車輛具備可接受的安全。

自動駕駛車輛設(shè)計(jì)用于在公共道路上安全行駛，但這并不能將其與惡意行為者或不可避免的事件隔離開來。彈性原則展示了Aurora driver如何能夠承受不良事件和故意誤用和濫用。

G5：值得信賴的／Trustworthy

自動駕駛企業(yè)應(yīng)是值得信賴的。

Aurora的自動駕駛汽車可能是熟練的、故障安全的、不斷改進(jìn)的和有彈性的，但如果沒有公眾和政府監(jiān)管機(jī)構(gòu)的信任，我們就無法完全實(shí)現(xiàn)我們的最高要求。值得信賴的安全原則涉及Aurora計(jì)劃如何通過公眾、政府和利益相關(guān)者的參與、安全透明度、安全文化以及外部審查和咨詢活動獲得信任。

安全原則的分解

頂級聲明是根據(jù)涵蓋安全操作范圍的安全原則定義的，使用廣度優(yōu)先、深度第二的方法分解每個(gè)安全原則。

每個(gè)安全原則都被分解為中間論點(diǎn)、上下文和策略的層次。最低級別的聲明最終由我們的員工提供的證據(jù)予以滿足。這種方法可以將每個(gè)安全論點(diǎn)作為邏輯分解進(jìn)行追蹤，從廣義概念到支持聲明的具體有形證據(jù)。

安全原則分解示例

用于支持聲明的證據(jù)有兩種形式——產(chǎn)品證據(jù)和過程證據(jù)。產(chǎn)品證據(jù)包括可交付成果，如技術(shù)規(guī)范、測試計(jì)劃和測試結(jié)果。過程相關(guān)證據(jù)表明，產(chǎn)品證據(jù)是以系統(tǒng)的方式生成的，具有足夠的嚴(yán)謹(jǐn)性、審查性和獨(dú)立性。這些證據(jù)可能包括非正式的內(nèi)部審計(jì)報(bào)告，確認(rèn)我們正在遵循既定流程。這兩種類型的證據(jù)都需要充分處理安全案例中的聲明。

框架的應(yīng)用

安全案例框架是一個(gè)工具，Aurora使用它來通知數(shù)百名Aurora員工在開發(fā)Aurora driver的過程中的日?；顒?。

安全案例框架旨在適應(yīng)不同的車輛、場景和環(huán)境。我們將使用安全案例框架創(chuàng)建一個(gè)特定的安全案例，注意在每個(gè)實(shí)例中定義其特定的上下文和應(yīng)用。將框架視為生成各種特定安全案例的通用藍(lán)圖。例如，為特定車輛和車輛配置（卡車和乘用車平臺）以及特定運(yùn)行設(shè)計(jì)域（例如公路）創(chuàng)建安全案例。因此，將有多個(gè)單獨(dú)的安全案例，涵蓋各種配置、平臺和操作領(lǐng)域，而不是涵蓋我們自動駕駛車輛所有用途的單一安全案例。

還將根據(jù)我們是否在道路上測試、車輛操作員是否監(jiān)控Aurora driver、是否在沒有操作員的私人封閉車道上或者是在沒有操作員的公共道路上，來定制安全案例。鑒于這種情況，某些原則不適用于無車輛操作員的情況。因此，雖然安全案例框架可能是通用的，但裁剪是必不可少的。

制造商用自動駕駛汽車是一項(xiàng)復(fù)雜的工程。Aurora的安全案例框架是一個(gè)強(qiáng)大的工具，可用于定義和管理這一復(fù)雜挑戰(zhàn)。該框架還可用于以理性和邏輯的方式傳達(dá)假設(shè)和意圖，以幫助讀者理解和消化固有的復(fù)雜性。與許多其他工具一樣，結(jié)果最終取決于用戶如何使用框架。

附件：《Aurora自動駕駛安全案例框架》

英文

參考中文

G1：Proficient：

The self－driving vehicle is acceptably safe during nominal operation

G1：精通：

自動駕駛車輛在正常操作期間具備可接受的安全：

G1．1：The self－driving enterprise uses appropriate development processes for a complex safety critical system

G1．1：自動駕駛企業(yè)對復(fù)雜的安全關(guān)鍵系統(tǒng)使用適當(dāng)?shù)拈_發(fā)流程

G1．1．1．1．1：Systems engineering follows a defined process

G1．1．1．1．1：系統(tǒng)工程遵循規(guī)定的過程

G1．1．1．1．2：Systems engineers are trained and continually educated on the systems engineering process

G1．1．1．1．2：系統(tǒng)工程師接受系統(tǒng)工程過程的培訓(xùn)和持續(xù)教育

G1．1．1．1．3：Systems engineering process compliance audits are completed for all appropriate functions ／ sub－systems

G1．1．1．1．3：完成所有適當(dāng)功能／子系統(tǒng)的系統(tǒng)工程過程合規(guī)性審核

G1．1．1．1．4：The Systems engineering process is appropriate for safety critical design

G1．1．1．1．4：系統(tǒng)工程過程適用于安全關(guān)鍵設(shè)計(jì)

G1．1．1．1：Systems engineering process is established， standardized across engineering， and there is evidence that the process is being used：S1．1．1：Risk is reduced through a defined process approach

G1．1．1．1：建立系統(tǒng)工程過程，并在整個(gè)工程中標(biāo)準(zhǔn)化，有證據(jù)表明該過程正在使用：S1．1．1：通過已定義的過程方法降低風(fēng)險(xiǎn)

G1．1．1．2．1：Hardware engineering follows a defined process

G1．1．1．2．1：硬件工程遵循規(guī)定的過程

G1．1．1．2．2：Hardware engineers are trained and continually educated on the hardware engineering process

G1．1．1．2．2：硬件工程師接受硬件工程過程的培訓(xùn)和持續(xù)教育

G1．1．1．2．3：Hardware development process compliance audits are completed for all appropriate functions ／ sub－systems．

G1．1．1．2．3：完成所有適當(dāng)功能／子系統(tǒng)的硬件開發(fā)過程合規(guī)性審核。

G1．1．1．2．4：The Hardware development process is appropriate for safety critical design

G1．1．1．2．4：硬件開發(fā)過程適用于安全關(guān)鍵設(shè)計(jì)

G1．1．1．2：Hardware development process is established， standardized across engineering， and there is evidence that the process is being used．

G1．1．1．2：硬件開發(fā)過程已建立，并在整個(gè)工程中標(biāo)準(zhǔn)化，并且有證據(jù)表明該過程正在使用。

G1．1．1．3．1：Manufacturing follows a defined process

G1．1．1．3．1：制造遵循規(guī)定的過程

G1．1．1．3．2：Manufacturing and production processes are established for externally sourced system hardware

G1．1．1．3．2：為外部采購的系統(tǒng)硬件建立制造和生產(chǎn)流程

G1．1．1．3．3：Manufacturing engineers are trained and continually educated on the manufacturing process

G1．1．1．3．3：制造工程師接受制造工藝方面的培訓(xùn)和持續(xù)教育

G1．1．1．3．4：Manufacturing process compliance audits are completed for all appropriate functions

G1．1．1．3．4：完成所有適當(dāng)功能的制造過程合規(guī)性審核

G1．1．1．3．5：The manufacturing process is appropriate for safety critical design

G1．1．1．3．5：制造工藝適用于安全關(guān)鍵設(shè)計(jì)

G1．1．1．3：Manufacturing process is established， standardized， and there is evidence the process is being used

G1．1．1．3：制造工藝已建立、標(biāo)準(zhǔn)化，且有證據(jù)表明該工藝正在使用

G1．1．1．4．1：Maintenance and service follows a defined process

G1．1．1．4．1：維護(hù)和保養(yǎng)遵循規(guī)定的流程

G1．1．1．4．2：Maintenance and service personnel are trained and continually educated on the process

G1．1．1．4．2：對維護(hù)和服務(wù)人員進(jìn)行工藝培訓(xùn)和持續(xù)教育

G1．1．1．4．3：Maintenance and service process compliance audits are completed for all appropriate functions

G1．1．1．4．3：完成所有適當(dāng)功能的維護(hù)和服務(wù)過程合規(guī)性審核

G1．1．1．4．4：The maintenance process is appropriate for safety critical design

G1．1．1．4．4：維護(hù)過程適用于安全關(guān)鍵設(shè)計(jì)

G1．1．1．4：Maintenance ／ Service processes is established， standardized， and there is evidence the process is being used．

G1．1．1．4：維護(hù)／服務(wù)流程已建立、標(biāo)準(zhǔn)化，且有證據(jù)表明該流程正在使用。

G1．1．1．5．1：Software engineering follows a defined process

G1．1．1．5．1：軟件工程遵循定義的過程

G1．1．1．5．2：Software engineers are trained and continually educated on the software development process

G1．1．1．5．2：軟件工程師接受有關(guān)軟件開發(fā)過程的培訓(xùn)和持續(xù)教育

G1．1．1．5．3：Software development process compliance audits are completed for all appropriate functions ／ sub－systems．

G1．1．1．5．3：完成所有適當(dāng)功能／子系統(tǒng)的軟件開發(fā)過程合規(guī)性審核。

G1．1．1．5．4：The software development process is appropriate for safety critical design

G1．1．1．5．4：軟件開發(fā)過程適用于安全關(guān)鍵設(shè)計(jì)

G1．1．1．5：Software development process is established， standardized across engineering， and there is evidence that the process is being used．

G1．1．1．5：軟件開發(fā)過程已建立，并在整個(gè)工程中標(biāo)準(zhǔn)化，并且有證據(jù)表明該過程正在使用。

G1．1．1．6．1：Quality management follows a defined process

G1．1．1．6．1：質(zhì)量管理遵循規(guī)定的過程

G1．1．1．6．2：Quality management measures are effective in controlling quality

G1．1．1．6．2：質(zhì)量管理措施有效控制質(zhì)量

G1．1．1．6．3：Quality management ensures all defined processes are followed

G1．1．1．6．3：質(zhì)量管理確保遵循所有規(guī)定的過程

G1．1．1．6．4：The quality management process is appropriate for safety critical design

G1．1．1．6．4：質(zhì)量管理過程適用于安全關(guān)鍵設(shè)計(jì)

G1．1．1．6：Quality management process is established， effective， standardized across engineering， and there is evidence that the process is being used

G1．1．1．6：質(zhì)量管理過程已在整個(gè)工程中建立、有效、標(biāo)準(zhǔn)化，并且有證據(jù)表明該過程正在使用

G1．1．1．7．1：Supply chain teams follow a defined process

G1．1．1．7．1：供應(yīng)鏈團(tuán)隊(duì)遵循定義的流程

G1．1．1．7．2：Supply chain staff are trained and continually educated on the process

G1．1．1．7．2：對供應(yīng)鏈員工進(jìn)行流程培訓(xùn)和持續(xù)教育

G1．1．1．7．3：Supply chain process compliance audits are completed for all appropriate functions ／ sub－systems

G1．1．1．7．3：完成所有適當(dāng)功能／子系統(tǒng)的供應(yīng)鏈流程合規(guī)性審核

G1．1．1．7．4：The supply chain process is appropriate for safety critical design

G1．1．1．7．4：供應(yīng)鏈流程適用于安全關(guān)鍵設(shè)計(jì)

G1．1．1．7：Supply chain processes is established， standardized， and there is evidence the process is being used．

G1．1．1．7：供應(yīng)鏈流程已建立、標(biāo)準(zhǔn)化，且有證據(jù)表明該流程正在使用。

G1．1．1．8．1：Vehicle operations teams follow a defined process

G1．1．1．8．1：車輛運(yùn)行團(tuán)隊(duì)遵循規(guī)定的流程

G1．1．1．8．2：Vehicle operations personnel are trained and continually educated on the process

G1．1．1．8．2：對車輛操作人員進(jìn)行培訓(xùn)，并持續(xù)對其進(jìn)行流程教育

G1．1．1．8．3：Vehicle operations process compliance audits are completed for all appropriate functions

G1．1．1．8．3：完成所有適當(dāng)功能的車輛運(yùn)行過程合規(guī)性審核

G1．1．1．8．4：The vehicle operations process is appropriate for safety critical design

G1．1．1．8．4：車輛運(yùn)行過程適用于安全關(guān)鍵設(shè)計(jì)

G1．1．1．8：Vehicle operations processes is established， standardized， and there is evidence the process is being used．

G1．1．1．8：車輛操作流程已建立、標(biāo)準(zhǔn)化，且有證據(jù)表明該流程正在使用。

G1．1．1．9．1：System safety engineering follows a defined process

G1．1．1．9．1：系統(tǒng)安全工程遵循規(guī)定的過程

G1．1．1．9．2：System safety engineers are trained and continually educated on the system safety development process

G1．1．1．9．2：系統(tǒng)安全工程師接受有關(guān)系統(tǒng)安全開發(fā)過程的培訓(xùn)和持續(xù)教育

G1．1．1．9．3：System safety process compliance audits are conducted

G1．1．1．9．3：進(jìn)行系統(tǒng)安全過程合規(guī)性審核

G1．1．1．9．4：The system safety engineering process is appropriate for safety critical design

G1．1．1．9．4：系統(tǒng)安全工程過程適用于安全關(guān)鍵設(shè)計(jì)

G1．1．1．9：System safety engineering process is established， standardized across engineering， and there is evidence that the process is being used．

G1．1．1．9：建立系統(tǒng)安全工程過程，并在整個(gè)工程中標(biāo)準(zhǔn)化，有證據(jù)表明該過程正在使用。

G1．2：The self－driving vehicle is acceptably performant to operate in the defined ODD

G1．2：自動駕駛車輛在規(guī)定的ODD內(nèi)運(yùn)行的性能合格

G1．2．1．1．1：The product requirements address all lifecycle stages of the product．

G1．2．1．1．1：產(chǎn)品要求涉及產(chǎn)品的所有生命周期階段。

G1．2．1．1．2：The product requirements define the concept of operations for the product

G1．2．1．1．2：產(chǎn)品要求定義了產(chǎn)品的操作概念

G1．2．1．1．3：The product requirements define the conceptual operational design domain in which the product will operate in

G1．2．1．1．3：產(chǎn)品要求定義了產(chǎn)品將在其中運(yùn)行的概念運(yùn)行設(shè)計(jì)域（conceptual operational design domain）

G1．2．1．1：The product requirements sufficiently define the full scope and entire lifecycle of the product

G1．2．1．1：產(chǎn)品要求充分定義了產(chǎn)品的整個(gè)范圍和整個(gè)生命周期

G1．2．1．10：The product requirements meet or exceed the operational design domain （ODD）

G1．2．1．10：產(chǎn)品要求滿足或超過運(yùn)行設(shè)計(jì)域（ODD）

G1．2．1．2．1：The system requirements considers the needs of all external actors （e．g． Riders， Pedestrians， Motorists， Law Enforcement）

G1．2．1．2．1：系統(tǒng)要求考慮了所有外部參與者（例如騎行人、行人、駕駛員、執(zhí)法人員）的需求

G1．2．1．2．2：The system requirements considers the needs of all internals actors （e．g． System Maintainers， Engineers， Testers）

G1．2．1．2．2：系統(tǒng)要求考慮了所有內(nèi)部參與者（如系統(tǒng)維護(hù)人員、工程師、測試人員）的需求

G1．2．1．2．3：System requirements appropriately address nominal operation

G1．2．1．2．3：系統(tǒng)要求適當(dāng)表現(xiàn)標(biāo)稱運(yùn)行

G1．2．1．2．4：System requirements appropriately address off－nominal operation

G1．2．1．2．4：系統(tǒng)要求適當(dāng)表現(xiàn)非標(biāo)稱運(yùn)行

G1．2．1．2．5：Traceability confirms the system requirements satisfy the product and safety requirements

G1．2．1．2．5：可追溯性確認(rèn)系統(tǒng)要求滿足產(chǎn)品和安全要求

G1．2．1．2：The system requirements sufficiently define a system that can operate in the defined ODD

G1．2．1．2：系統(tǒng)要求充分定義了一個(gè)系統(tǒng)，該系統(tǒng)可以在規(guī)定的ODD范圍內(nèi)運(yùn)行

G1．2．1．3．1：Functional hazard analysis sufficiently identifies system functions that are safety critical ／ relevant

G1．2．1．3．1：功能危害分析充分識別安全關(guān)鍵／相關(guān)的系統(tǒng)功能

G1．2．1．3．10：All safety requirements have analysis justifying the metrics， thresholds， or margins used in the requirements

G1．2．1．3．10：所有安全要求都有分析，證明要求中使用的度量、閾值或裕度是合理的

G1．2．1．3．11：Safety requirements are verified for gaps and omissions

G1．2．1．3．11：驗(yàn)證安全要求的差距和遺漏

G1．2．1．3．12：Safety requirements are verified to be internally and externally consistent

G1．2．1．3．12：驗(yàn)證安全要求內(nèi)部及外部一致

G1．2．1．3．2：Verification reviews of functional hazard analysis appropriately confirm correctness of the analysis

G1．2．1．3．2：功能危害分析的驗(yàn)證評審適當(dāng)?shù)卮_認(rèn)了分析的正確性

G1．2．1．3．3：Hazards associated with each ［Safety Function］ have been thoroughly identified

G1．2．1．3．3：已徹底識別與每個(gè)［安全功能］相關(guān)的危險(xiǎn)

G1．2．1．3．4：Hazards associated with ［AV operations］ have been thoroughly identified

G1．2．1．3．4：已徹底識別與［AV操作］相關(guān)的危險(xiǎn)

G1．2．1．3．5：All identified fault－based hazards are ranked

G1．2．1．3．5：對所有已識別的基于故障的危險(xiǎn)進(jìn)行排序

G1．2．1．3．6：All identified non－fault based hazards are ranked

G1．2．1．3．6：對所有已識別的非故障危害進(jìn)行排序

G1．2．1．3．7：All identified non－fault misuse based hazards are ranked

G1．2．1．3．7：所有已識別的基于非故障誤用的危險(xiǎn)都進(jìn)行了排序

G1．2．1．3．8：All hazard rankings are re－evaluated periodically

G1．2．1．3．8：定期重新評估所有危險(xiǎn)等級

G1．2．1．3．9：Safety requirements comprehensively mitigate identified hazards and scenario ／ situation ／ triggering event

G1．2．1．3．9：安全要求全面緩和已識別的危險(xiǎn)和場景／情況／觸發(fā)事件

G1．2．1．3：The safety requirements sufficiently define the allowable behavior of the system to ensure safe operation in the defined ODD

G1．2．1．3：安全要求充分規(guī)定了系統(tǒng)的允許行為，以確保在規(guī)定的條件下安全運(yùn)行

G1．2．1．4．1：System requirements are comprehensive

G1．2．1．4．1：系統(tǒng)要求全面

G1．2．1．4．2：System requirements are verified for gaps and omissions

G1．2．1．4．2：驗(yàn)證系統(tǒng)要求是否存在差距和遺漏

G1．2．1．4．3：System requirements are verified to be internally and externally consistent

G1．2．1．4．3：驗(yàn)證系統(tǒng)要求內(nèi)部和外部一致

G1．2．1．4．4：Requirements errors follow a systematic process for root cause and mitigation

G1．2．1．4．4：需求錯(cuò)誤遵循根本原因和緩和的系統(tǒng)過程

G1．2．1．4．5：An accurate， complete， configuration－managed system architecture model is developed and maintained

G1．2．1．4．5：開發(fā)并維護(hù)準(zhǔn)確、完整、配置管理的系統(tǒng)架構(gòu)模型

G1．2．1．4：System requirements are appropriately developed from product requirements

G1．2．1．4：根據(jù)產(chǎn)品要求適當(dāng)制定系統(tǒng)要求

G1．2．1．5．1：Hardware requirements are comprehensive

G1．2．1．5．1：硬件要求全面

G1．2．1．5．2：Hardware requirements are verified for gaps and omissions

G1．2．1．5．2：驗(yàn)證硬件要求是否存在差距和遺漏

G1．2．1．5．3：Hardware requirements are verified to be internally and externally consistent

G1．2．1．5．3：驗(yàn)證硬件要求內(nèi)部和外部一致

G1．2．1．5．4：Requirements errors follow a systematic process for root cause and mitigation

G1．2．1．5．4：需求錯(cuò)誤遵循根本原因和緩和的系統(tǒng)過程

G1．2．1．5．5：An accurate， complete， configuration－managed hardware architecture model is developed and maintained

G1．2．1．5．5：開發(fā)并維護(hù)準(zhǔn)確、完整、配置管理的硬件體系結(jié)構(gòu)模型

G1．2．1．5：Hardware requirements are appropriately developed from system and safety requirements

G1．2．1．5：硬件要求根據(jù)系統(tǒng)和安全要求適當(dāng)制定

G1．2．1．6．1：Software requirements are comprehensive

G1．2．1．6．1：軟件需求是全面的

G1．2．1．6．2：Software requirements are verified for gaps and omissions

G1．2．1．6．2：驗(yàn)證軟件需求是否存在差距和遺漏

G1．2．1．6．3：Software requirements are verified to be internally and externally consistent

G1．2．1．6．3：驗(yàn)證軟件需求內(nèi)部和外部一致

G1．2．1．6．4：Requirements errors follow a systematic process for root cause and mitigation

G1．2．1．6．4：需求錯(cuò)誤遵循根本原因和緩和的系統(tǒng)過程

G1．2．1．6．5：An accurate， complete， configuration－managed software architecture model is developed and maintained

G1．2．1．6．5：開發(fā)并維護(hù)準(zhǔn)確、完整、配置管理的軟件架構(gòu)模型

G1．2．1．6：Software requirements are appropriately developed from safety and system and safety requirements

G1．2．1．6：根據(jù)安全和系統(tǒng)及安全要求，適當(dāng)制定軟件要求

G1．2．1．7．1：System safety requirements are comprehensive

G1．2．1．7．1：系統(tǒng)安全要求全面

G1．2．1．7．2：System safety requirements are verified for gaps and omissions

G1．2．1．7．2：驗(yàn)證系統(tǒng)安全要求是否存在漏洞和遺漏

G1．2．1．7．3：System safety requirements are verified to be internally and externally consistent

G1．2．1．7．3：驗(yàn)證系統(tǒng)安全要求內(nèi)部和外部一致

G1．2．1．7．4：Requirements errors follow a systematic process for root cause and mitigation

G1．2．1．7．4：需求錯(cuò)誤遵循根本原因和緩和的系統(tǒng)過程

G1．2．1．7．5：System safety requirements are allocated to components within the self－driving enterprise

G1．2．1．7．5：系統(tǒng)安全要求分配給自動駕駛企業(yè)內(nèi)的部門

G1．2．1．7：System safety requirements are sufficient

G1．2．1．7：系統(tǒng)安全要求足夠

G1．2．1．8．1：Manufacturing requirements are comprehensive

G1．2．1．8．1：制造要求是全面的

G1．2．1．8．2：Manufacturing requirements are verified for gaps and omissions

G1．2．1．8．2：驗(yàn)證制造要求是否存在差距和遺漏

G1．2．1．8．3：Manufacturing requirements are verified to be internally and externally consistent

G1．2．1．8．3：驗(yàn)證制造要求內(nèi)部和外部一致

G1．2．1．8．4：Requirements errors follow a systematic process for root cause and mitigation

G1．2．1．8．4：需求錯(cuò)誤遵循根本原因和緩和的系統(tǒng)過程

G1．2．1．8．5：An accurate， complete， configuration－managed manufacturing process ／ architecture model is developed and maintained

G1．2．1．8．5：開發(fā)并維護(hù)準(zhǔn)確、完整、配置管理的制造過程／架構(gòu)模型

G1．2．1．8：Requirements for manufacturing are sufficient

G1．2．1．8：制造要求足夠

G1．2．1．9．1：Maintenance ／ service requirements are comprehensive

G1．2．1．9．1：維護(hù)／服務(wù)要求全面

G1．2．1．9．2：Maintenance ／ service requirements are verified for gaps and omissions

G1．2．1．9．2：驗(yàn)證維護(hù)／服務(wù)要求是否存在缺口和遺漏

G1．2．1．9．3：Maintenance ／ service requirements are verified to be internally and externally consistent

G1．2．1．9．3：驗(yàn)證維護(hù)／服務(wù)要求內(nèi)部和外部一致

G1．2．1．9．4：Requirements errors follow a systematic process for root cause and mitigation

G1．2．1．9．4：需求錯(cuò)誤遵循根本原因和緩和的系統(tǒng)過程

G1．2．1．9．5：An accurate， complete， configuration－managed maintenance ／ service process architecture model is developed and maintained

G1．2．1．9．5：開發(fā)并維護(hù)準(zhǔn)確、完整、配置管理的維護(hù)／服務(wù)過程架構(gòu)模型

G1．2．1．9：Requirements for maintenance ／ service are sufficient

G1．2．1．9：維護(hù)／服務(wù)要求足夠

G1．2．1：The self－driving vehicle is designed to safely operate in the intended operational design domain （ODD）

G1．2．1：自動駕駛車輛設(shè)計(jì)為在預(yù)期運(yùn)行設(shè)計(jì)域（ODD）內(nèi)安全運(yùn)行

G1．2．2．1：The self－driving vehicle maintains appropriate reserve vehicle dynamic capability

G1．2．2．1：自動駕駛車輛保持適當(dāng)?shù)膫溆密囕v動態(tài)能力

G1．2．2．2：The frequency and duration of reduced vehicle dynamic reserve capability is low

G1．2．2．2：車輛動態(tài)儲備能力降低的頻率和持續(xù)時(shí)間較低

G1．2．2：The self－driving vehicle is operated with appropriate vehicle dynamics safety margins

G1．2．2：自動駕駛車輛在適當(dāng)?shù)能囕v動力學(xué)安全裕度下運(yùn)行

G1．2．3．1．1：Self－driving vehicle sensors provide acceptably correct， complete， and current data

G1．2．3．1．1：自動駕駛車輛傳感器提供可接受的正確、完整和當(dāng)前數(shù)據(jù)

G1．2．3．1．2：The design of perception systems are suitably robust

G1．2．3．1．2：感知系統(tǒng)的設(shè)計(jì)具有適當(dāng)?shù)聂敯粜?/p>

G1．2．3．1．3：The performance of the perception system is suitable for the ODD

G1．2．3．1．3：感知系統(tǒng)的性能適用于ODD

G1．2．3．1．4：The AI ／ machine learning approaches used provide acceptable performance for the ODD

G1．2．3．1．4：使用的AI／機(jī)器學(xué)習(xí)方法為ODD提供了可接受的性能

G1．2．3．1：Perception provides acceptable functional performance in the defined ODD

G1．2．3．1：Perception在規(guī)定的ODD范圍內(nèi)提供可接受的功能性能

G1．2．3．2．1：The design of prediction systems are suitably robust

G1．2．3．2．1：預(yù)測系統(tǒng)的設(shè)計(jì)具有適當(dāng)?shù)聂敯粜?/p>

G1．2．3．2．2：The prediction system performance is suitable for the ODD

G1．2．3．2．2：預(yù)測系統(tǒng)性能適用于ODD

G1．2．3．2．3：The AI ／ machine learning approaches used provide acceptable performance for the ODD

G1．2．3．2．3：使用的AI／機(jī)器學(xué)習(xí)方法為ODD提供了可接受的性能

G1．2．3．2：Prediction provides acceptable functional performance in the defined ODD

G1．2．3．2：預(yù)測在規(guī)定的ODD范圍內(nèi)提供可接受的功能性能

G1．2．3．3．1：The design of the motion planning system is suitably robust

G1．2．3．3．1：運(yùn)動規(guī)劃系統(tǒng)的設(shè)計(jì)具有適當(dāng)?shù)聂敯粜?/p>

G1．2．3．3．2：Motion planning performance is suitable for the ODD

G1．2．3．3．2：運(yùn)動規(guī)劃性能適用于ODD

G1．2．3．3．3：The AI ／ machine learning approaches used provide acceptable performance for the ODD

G1．2．3．3．3：所使用的AI／機(jī)器學(xué)習(xí)方法為ODD提供了可接受的性能

G1．2．3．3：Motion planning provides acceptable functional performance in the defined ODD

G1．2．3．3：運(yùn)動規(guī)劃在規(guī)定的ODD范圍內(nèi)提供可接受的功能性能

G1．2．3．4．1：Localization design and performance is documented

G1．2．3．4．1：記錄定位設(shè)計(jì)和性能

G1．2．3．4．2：Localization performance is suitable for the ODD

G1．2．3．4．2：定位性能適用于ODD

G1．2．3．4．3：Map performance is suitable for the ODD

G1．2．3．4．3： Map性能適用于ODD

G1．2．3．4：Localization provides acceptable functional performance in the defined ODD

G1．2．3．4：定位可在規(guī)定的范圍內(nèi)提供可接受的功能性能

G1．2．3．5．1：Vehicle control design and performance is documented

G1．2．3．5．1：記錄車輛控制設(shè)計(jì)和性能

G1．2．3．5．2：Vehicle control performance is suitable for the ODD

G1．2．3．5．2：車輛控制性能適用于ODD車輛

G1．2．3．5：Vehicle control provides acceptable functional performance in the defined ODD

G1．2．3．5：車輛控制在規(guī)定的ODD范圍內(nèi)提供可接受的功能性能

G1．2．3．6．1：Notifications communicate a clear message or status

G1．2．3．6．1：通知傳達(dá)明確的信息或狀態(tài)

G1．2．3．6．2：Notifications are suitably robust

G1．2．3．6．2：通知具有適當(dāng)?shù)聂敯粜?/p>

G1．2．3．6．3：Notifications are suitable for the ODD

G1．2．3．6．3：通知適用于ODD

G1．2．3．6．4：Notifications are suitbly effective

G1．2．3．6．4：通知非常有效

G1．2．3．6：System notifications provide acceptable functional performance in the defined ODD

G1．2．3．6：系統(tǒng)通知在定義的ODD中提供可接受的功能性能

G1．2．3．7：System timings and system latency provide acceptable functional performance in the defined ODD

G1．2．3．7：系統(tǒng)計(jì)時(shí)和系統(tǒng)延遲在規(guī)定的ODD范圍內(nèi)提供可接受的功能性能

G1．2．3：Self－driving vehicle subsystems provide acceptable functional performance in the defined ODD

G1．2．3：自動駕駛車輛子系統(tǒng)在規(guī)定的ODD范圍內(nèi)提供可接受的功能性能

G1．2．4：Off－board systems provide acceptable functional performance in the defined ODD

G1．2．4：非車載系統(tǒng)在規(guī)定的ODD范圍內(nèi)提供可接受的功能性能

G1．3：The self－driving vehicle is appropriately tested and released for self－driving operations

G1．3：對自動駕駛車輛進(jìn)行適當(dāng)測試并發(fā)布，以進(jìn)行自動駕駛操作

G1．3．1．1：Traceability of testing demonstrates comprehensive requirements coverage：S1．3．1：Traceability will be used to demonstrate all requirements have been tested． Peer review， test phases of unit test， subsystem test， and vehicle testing combined industry best practice on test case development are used to demonstrate appropriate rigor in the tests have been performed． Industry best practices will address functional， regression testing， and stress testing． The combination of traceability and rigor arguments meet the parent goal． This efficacy in meeting this goal is measured by the frequency of hazardous events measured during testing． The following process follows for the initial development and the ongoing update and enhancement of the self－driving enterprise．

G1．3．1．1：測試的可追溯性證明了全面的需求覆蓋范圍：S1．3．1：可追溯性將用于證明所有需求均已測試。同行評審、單元測試的測試階段、子系統(tǒng)測試和車輛測試結(jié)合了測試用例開發(fā)的行業(yè)最佳實(shí)踐，用于證明測試的適當(dāng)嚴(yán)謹(jǐn)性。行業(yè)最佳實(shí)踐將涉及功能測試、回歸測試和壓力測試。可跟蹤性和嚴(yán)格性參數(shù)的組合滿足父級目標(biāo)。通過測試期間測量的危險(xiǎn)事件頻率來衡量達(dá)到該目標(biāo)的有效性。以下流程用于自動駕駛企業(yè)的初始開發(fā)以及持續(xù)更新和增強(qiáng)。

G1．3．1．2：Peer review minimizes human error in work product development

G1．3．1．2：同行評審將工作產(chǎn)品開發(fā)中的人為錯(cuò)誤降至最低

G1．3．1．3：All anomalies are analyzed to ensure requirements are comprehensive

G1．3．1．3：分析所有異常，以確保要求全面

G1．3．1．4：The self－driving vehicle is comprehensively evaluated on a set of validated and representative tests

G1．3．1．4：通過一組驗(yàn)證和代表性試驗(yàn)對自動駕駛車輛進(jìn)行綜合評估

G1．3．1．5：The frequency of potentially harmful events （PHE） are below a target metric（s）

G1．3．1．5：潛在有害事件（PHE：potentially harmful events）的頻率低于目標(biāo)指標(biāo)

G1．3．1．6：All identified hazards have been appropriately mitigated

G1．3．1．6：已適當(dāng)緩和所有已識別的危險(xiǎn)

G1．4：The self－driving vehicle is operated in accordance with its operational concept

G1．4：自動駕駛車輛按照其運(yùn)行概念運(yùn)行

G1．4．1．1．1：Manual control of the vehicle steering can be achieved

G1．4．1．1．1：可實(shí)現(xiàn)車輛轉(zhuǎn)向的手動控制

G1．4．1．1．2：Manual control of the vehicle braking can be achieved

G1．4．1．1．2：可實(shí)現(xiàn)車輛制動的手動控制

G1．4．1．1．3：Manual control of the vehicle accelerator pedal can be achieved

G1．4．1．1．3：可手動控制車輛油門踏板

G1．4．1．1．4：The vehicle operator can request a safe stop with high assurance

G1．4．1．1．4：車輛操作員可以要求高保證的安全停車

G1．4．1．1：The vehicle operator can take control of the self－driving vehicle （SDV） at any time

G1．4．1．1：車輛操作員可隨時(shí)控制自動駕駛車輛（SDV）

G1．4．1．10．1：Fault injection testing demonstrates vehicle operator＇s control capability during a fault

G1．4．1．10．1：故障注入測試證明車輛操作員在故障期間的控制能力

G1．4．1．10．2：The vehicle operator is appropriately continually evaluated for required level of performance

G1．4．1．10．2：針對所需的性能水平，對車輛操作員進(jìn)行適當(dāng)?shù)某掷m(xù)評估

G1．4．1．10：The vehicle operator demonstrates ability to plan and execute correct driving responses

G1．4．1．10：車輛操作員展示了計(jì)劃和執(zhí)行正確駕駛響應(yīng)的能力

G1．4．1．2：The vehicle operator hiring process accepts suitable candidates

G1．4．1．2：車輛操作員招聘流程接受合適的候選人

G1．4．1．3：Only vehicle operators with appropriate driving licenses are allowed to operate the vehicle

G1．4．1．3：只有持有適當(dāng)駕駛執(zhí)照的車輛操作員才允許操作車輛

G1．4．1．4．1：The vehicle operator is properly authenticated and identifiable to both the self－driving vehicle （SDV） and the business／security infrastructure．

G1．4．1．4．1：車輛操作員已通過自動駕駛車輛（SDV）和業(yè)務(wù)／安全基礎(chǔ)設(shè)施的適當(dāng)認(rèn)證和識別。

G1．4．1．4．2：Access to vehicles and vehicle keys are restricted to qualified vehicle operators

G1．4．1．4．2：只有合格的車輛操作員才能使用車輛和車鑰匙

G1．4．1．4：Only vehicle operators are able to operate self－driving vehicles

G1．4．1．4：只有車輛操作員才能操作自動駕駛車輛

G1．4．1．5：The vehicle operator has an appropriate set of responsibilities when operating a self－driving vehicle （SDV）

G1．4．1．5：當(dāng)操作自動駕駛車輛（SDV）時(shí)，車輛操作員承擔(dān)一套適當(dāng)?shù)呢?zé)任

G1．4．1．6：The vehicle operator is appropriately trained for manual driving

G1．4．1．6：車輛操作員經(jīng)過適當(dāng)?shù)氖謩玉{駛培訓(xùn)

G1．4．1．7：The vehicle operator is appropriately trained in support of safe self－driving vehicle （SDV） monitoring ／ operation

G1．4．1．7：車輛操作員經(jīng)過適當(dāng)培訓(xùn)，以支持安全自動駕駛車輛（SDV）監(jiān)控／操作

G1．4．1．8：The vehicle operator is effectively informed of expected system behavior， including self－driving vehicle （SDV） capabilities and limitations

G1．4．1．8：有效地通知車輛操作員預(yù)期的系統(tǒng)行為，包括自動駕駛車輛（SDV）能力和限制

G1．4．1．9．1：A driver monitoring system alerts the vehicle operator to inattention

G1．4．1．9．1：駕駛員監(jiān)控系統(tǒng)提醒車輛操作員注意

G1．4．1．9．2：The self－driving vehicle is designed to prevent undue vehicle operator distraction

G1．4．1．9．2：自動駕駛車輛旨在防止車輛操作員過度分心

G1．4．1．9．3：The vehicle operator is capable of identifying and mitigating operational design domain （ODD） and operational domain （OD） mismatch

G1．4．1．9．3：車輛操作員能夠識別和緩和運(yùn)行設(shè)計(jì)域（ODD）和運(yùn)行域（OD）不匹配

G1．4．1．9：The vehicle operator is alert and attentive to the road environment

G1．4．1．9：車輛操作員對道路環(huán)境保持警惕和關(guān)注

G1．4．1：During testing and development， vehicle operators enforces the operational concept and reduces safety risk to acceptable level

G1．4．1：在測試和開發(fā)過程中，車輛操作員執(zhí)行操作概念，并將安全風(fēng)險(xiǎn)降低到可接受的水平

G1．4．2．1：Departures from the operational design domain are detected

G1．4．2．1：檢測到偏離運(yùn)行設(shè)計(jì)域ODD

G1．4．2．2：Departures from the operational design domain are safely mitigated

G1．4．2．2：安全緩和對運(yùn)行設(shè)計(jì)域的偏離

G1．4．2：The self－driving vehicle is operated within a defined operational domain （OD） within the system＇s operational design domain

G1．4．2：自動駕駛車輛在系統(tǒng)運(yùn)行設(shè)計(jì)范圍內(nèi)的規(guī)定運(yùn)行域（OD）內(nèi)運(yùn)行

G1．4．3：A set of operational safety policies and procedures support safe operations

G1．4．3：一套操作安全政策和程序支持安全操作

G1．4．3．1：Set of operational safety policies and procedures support safe test track operations

G1．4．3．1：一套運(yùn)行安全政策和程序支持安全測試車道運(yùn)行

G1．4．3．2：Operational safety policies are reviewed and version controlled

G1．4．3．2：審查運(yùn)行安全政策并控制版本

G1．4．3．3：Set of operational safety policies and procedures support safe on－road operations

G1．4．3．3：一套操作安全政策和程序支持安全的道路操作

G1．5：The self－driving vehicle addresses all applicable legal requirements and guidance through compliance or justification of non－compliance

G1．5：自動駕駛車輛通過合規(guī)性或不合規(guī)理由滿足所有適用的法律要求和指導(dǎo)

G1．5．1．1：The self－driving vehicle is designed to comply with all appropriate local， state， federal regulation

G1．5．1．1：自動駕駛車輛的設(shè)計(jì)符合所有適當(dāng)?shù)牡胤?、州、?lián)邦法規(guī)

G1．5．1．2：The self－driving vehicle is evaluated for compliance with all appropriate local， state， federal regulation

G1．5．1．2：評估自動駕駛車輛是否符合所有適當(dāng)?shù)牡胤?、州、?lián)邦法規(guī)

G1．5．1．3：All federal， state， and local regulations without compliance have appropriate justification， documentation and approval

G1．5．1．3：所有未遵守的聯(lián)邦、州和地方法規(guī)都有適當(dāng)?shù)睦碛?、文件和批?zhǔn)

G1．5．1：The self－driving vehicle complies or justifies non－compliance with applicable local， state， federal regulation

G1．5．1：自動駕駛車輛符合或證明不符合適用的地方、州、聯(lián)邦法規(guī)

G1．5．3：Non－regulatory guidance is reviewed and implemented where appropriate

G1．5．3：在適當(dāng)?shù)那闆r下，審查并實(shí)施非監(jiān)管指南

G2：Fail－Safe

The self－driving vehicle is acceptably safe in presence of faults and failures

G2：故障安全

自動駕駛車輛在出現(xiàn)故障和故障時(shí)是可接受的安全

G2．1．1：The rate of failure of the system is reasonably low：S2．1：We mitigate hazards by identifying faults and failure modes and ensuring the system is able to detect them and take action to minimize safety risk when they occur and by engineering and design activities to ensure the overall failure rate of the system is acceptably low．

G2．1．1：系統(tǒng)的故障率相當(dāng)?shù)停篠2．1：我們通過識別故障和故障模式，確保系統(tǒng)能夠檢測到故障和故障模式，并在發(fā)生時(shí)采取措施將安全風(fēng)險(xiǎn)降至最低，以及通過工程和設(shè)計(jì)活動，以確保系統(tǒng)的整體故障率低到可接受的程度，從而減輕危害。

G2．1．1．1：The frequency of unplanned ／ unexpected minimum risk maneuvers （MRM） is sufficiently low

G2．1．1．1：計(jì)劃外／意外最小風(fēng)險(xiǎn)機(jī)動（MRM）的頻率足夠低

G2．1．1．2：The self－driving vehicle systems are designed to robustly operate in their intended ODD

G2．1．1．2：自動駕駛車輛系統(tǒng)設(shè)計(jì)為在其預(yù)期的ODD模式下穩(wěn)健運(yùn)行

G2．1．1．3：The self－driving vehicle is tested against industry standards and best practices for reliability

G2．1．1．3：根據(jù)行業(yè)標(biāo)準(zhǔn)和最佳實(shí)踐對自動駕駛車輛進(jìn)行可靠性測試

G2．1．1．4：Identified Faults and Failure Modes are systematically tracked

G2．1．1．4：系統(tǒng)跟蹤已識別的故障和故障模式

G2．1．2：The effectiveness of fault mitigation is acceptably high

G2．1．2：故障緩和的有效性相當(dāng)高

G2．1．2．1．1：Diagnostic coverage is acceptably high

G2．1．2．1．1：診斷覆蓋率較高

G2．1．2．1．2：The fault management system provides dependable fault detection

G2．1．2．1．2：故障管理系統(tǒng)提供可靠的故障檢測

G2．1．2．1：The rate of successful fault detection and response activation is acceptably high

G2．1．2．1：故障檢測和響應(yīng)激活的成功率相當(dāng)高

G2．1．2．2．1：The system transitions to the specified fault response state （e．g． degraded mode） within the applicable time interval

G2．1．2．2．1：系統(tǒng)在適用的時(shí)間間隔內(nèi)過渡到規(guī)定的故障響應(yīng)狀態(tài)（例如降級模式）

G2．1．2．2．2：Minimum risk maneuvers are reliably executed when triggered

G2．1．2．2．2：觸發(fā)時(shí)可靠執(zhí)行最小風(fēng)險(xiǎn)機(jī)動

G2．1．2．2．3：The minimal risk maneuver（s） used to respond to the fault are reasonably low in risk

G2．1．2．2．3：用于響應(yīng)故障的最低風(fēng)險(xiǎn)策略的風(fēng)險(xiǎn)相當(dāng)?shù)?/p>

G2．1．2．2．4：The system does not have an unreasonable level of safety risk when executing an MRM with a system fault present．

G2．1．2．2．4：在存在系統(tǒng)故障的情況下執(zhí)行MRM時(shí)，系統(tǒng)沒有不合理的安全風(fēng)險(xiǎn)水平。

G2．1．2．2：The selected fault response is effective in reducing safety risk to acceptable levels

G2．1．2．2：所選故障響應(yīng)有效地將安全風(fēng)險(xiǎn)降低到可接受的水平

G3：Continuously Improving

All identified potential safety issues posing an unreasonable risk to safety are evaluated， and resolved with appropriate corrective and preventative actions

G3：持續(xù)改進(jìn)

評估對安全構(gòu)成不合理風(fēng)險(xiǎn)的所有已識別潛在安全問題，并采取適當(dāng)?shù)募m正和預(yù)防措施予以解決

G3．1：Safety performance indicators are measured， analyzed， and used to monitor safety

G3．1：安全性能指標(biāo)被測量、分析并用于監(jiān)控安全

G3．1．1：Safety performance indicators are defined for all safety related functional areas of the self－driving enterprise

G3．1．1：為自動駕駛企業(yè)的所有安全相關(guān)功能領(lǐng)域定義了安全性能指標(biāo)

G3．1．2：Safety performance indicators are defined for safety－related performance of the autonomy system

G3．1．2：安全性能指標(biāo)是為自治系統(tǒng)的安全相關(guān)性能定義的

G3．1．3：Safety performance indicators are defined for the self－driving enterprise and off－board functions

G3．1．3：為自動駕駛企業(yè)和非車載功能定義了安全性能指標(biāo)

G3．1．4：Safety performance indicators are defined for self－driving enterprise safety culture

G3．1．4：為自動駕駛企業(yè)安全文化定義了安全性能指標(biāo)

G3．1．5：Safety performance indicators are measured appropriately

G3．1．5：適當(dāng)測量安全性能指標(biāo)

G3．1．6：Safety performance indicators are appropriately analyzed

G3．1．6：適當(dāng)分析安全性能指標(biāo)

G3．1．7：Safety performance indicators are effective

G3．1．7：安全性能指標(biāo)有效

G3．2．1：The company employs a safety risk management process and evidence the process is being used：S3．2：Strategy 1： Utilize proactive safety risk identification and resolution processes in place throughout testing， development and production in order to minimize anomalies．

G3．2．1：公司采用了安全風(fēng)險(xiǎn)管理流程，并證明該流程正在使用：S3．2：策略1：在整個(gè)測試、開發(fā)和生產(chǎn)過程中，利用積極主動的安全風(fēng)險(xiǎn)識別和解決流程，以盡量減少異常情況。

G3．2．1．1：An internal safety concern reporting system and resolution process exists supporting anomaly identification

G3．2．1．1：存在支持異常識別的內(nèi)部安全問題報(bào)告系統(tǒng)和解決流程

G3．2．1．2：All functional areas of the self－driving enterprise identify safety risk

G3．2．1．2：自動駕駛企業(yè)的所有功能區(qū)域都識別安全風(fēng)險(xiǎn)

G3．2．1．3：Thresholds for safety risk level decision making and criteria are defined

G3．2．1．3：定義了安全風(fēng)險(xiǎn)等級決策的閾值和標(biāo)準(zhǔn)

G3．2．1．4．1：The safety risk register is updated for all mitigation actions

G3．2．1．4．1：更新所有緩和措施的安全風(fēng)險(xiǎn)登記

G3．2．1．4．2：The company performs safety risk monitoring

G3．2．1．4．2：公司進(jìn)行安全風(fēng)險(xiǎn)監(jiān)控

G3．2．1．4．3：The company performs an internal evaluation program for compliance to safety risk management process

G3．2．1．4．3：公司執(zhí)行內(nèi)部評估計(jì)劃，以符合安全風(fēng)險(xiǎn)管理流程

G3．2．1．4：All identified safety risks are sufficiently mitigated

G3．2．1．4：所有已識別的安全風(fēng)險(xiǎn)均得到充分緩和

G3．2．1．5．1：The company has defined safety risk owners and an accountable executive

G3．2．1．5．1：公司已確定安全風(fēng)險(xiǎn)負(fù)責(zé)人和負(fù)責(zé)人

G3．2．1．5．2：The company safety risk owners are empowered to affect change

G3．2．1．5．2：公司安全風(fēng)險(xiǎn)負(fù)責(zé)人有權(quán)影響變更

G3．2．1．5．3：The company cross－functionally reviews safety risks

G3．2．1．5．3：公司跨職能部門審查安全風(fēng)險(xiǎn)

G3．2．1．5．4：The safety risk stakeholder review outputs are communicated to affected stakeholders

G3．2．1．5．4：將安全風(fēng)險(xiǎn)利益相關(guān)者審查結(jié)果傳達(dá)給受影響的利益相關(guān)者

G3．2．1．5：The company has a defined safety risk management process

G3．2．1．5：公司有明確的安全風(fēng)險(xiǎn)管理流程

G3．2．1．6：The company measures efficacy of the safety risk management processes

G3．2．1．6：公司測量安全風(fēng)險(xiǎn)管理過程的有效性

G3．2．2：Metrics proactively identify trends for continuous improvement

G3．2．2：指標(biāo)主動識別持續(xù)改進(jìn)的趨勢

G3．3．1：Appropriate resolution processes identify and appropriately resolve all observed ／ reported anomalies：S3．3：Strategy 2： Utilize reactive anomaly identification and resolution processes in place throughout testing， development， service， operations， and production in order to decrease recurrence of anomalies

G3．3．1：適當(dāng)?shù)慕鉀Q過程識別并適當(dāng)解決所有觀察到的／報(bào)告的異常：S3．3：策略2：在整個(gè)測試、開發(fā)、服務(wù)、運(yùn)營和生產(chǎn)過程中利用反應(yīng)性異常識別和解決過程，以減少異常的再次發(fā)生

G3．3．2：Anomaly health status is appropriately reviewed by relevant internal stakeholders

G3．3．2：異常健康狀態(tài)由相關(guān)內(nèi)部利益相關(guān)者進(jìn)行適當(dāng)審查

G4：Resilient

The self－driving vehicle is acceptably safe in case of reasonably foreseeable misuse and unavoidable events

G4：彈性

在可合理預(yù)見的誤用和不可避免的事件情況下，自動駕駛車輛具備可接受的安全

G4．1：Potential harm incurred during and after a vehicle collision is mitigated

G4．1：減輕車輛碰撞期間和之后產(chǎn)生的潛在傷害

G4．1．1：Vehicle platform safety features reduce potential harm

G4．1．1：車輛平臺安全功能可減少潛在危害

G4．1．2：The Aurora Driver functions appropriately during and after a vehicle collision．

G4．1．2：Aurora駕駛員在車輛碰撞期間和之后能夠正常工作。

G4．1．3．1：Incident Response procedures are documented

G4．1．3．1：記錄事件響應(yīng)程序

G4．1．3．2：Personnel operating the vehicles are trained on incident response．

G4．1．3．2：對操作車輛的人員進(jìn)行事故響應(yīng)培訓(xùn)。

G4．1．3：Personnel operating SDE vehicles can appropriately respond to self－driving vehicle （SDV） emergency situations

G4．1．3：操作SDE車輛的人員可適當(dāng)響應(yīng)自動駕駛車輛（SDV）緊急情況

G4．1．4：The self－driving vehicle detects when a vehicle collision occurred

G4．1．4：自動駕駛車輛在發(fā)生車輛碰撞時(shí)進(jìn)行檢測

G4．1．5：Public safety officials have information to be able to appropriately respond to self－driving vehicle emergency situations

G4．1．5：公共安全官員掌握信息，能夠適當(dāng)應(yīng)對自動駕駛車輛緊急情況

G4．1．6：Riders can appropriately respond to self－driving vehicle emergency situations

G4．1．6：乘客可以適當(dāng)?shù)貞?yīng)對自動駕駛車輛的緊急情況

G4．2：Potential harm from reasonably foreseeable misuse is mitigated

G4．2：減輕合理可預(yù)見的誤用的潛在危害

G4．2．1．1：Reasonably foreseeable misuse mitigations are verified

G4．2．1．1：驗(yàn)證合理可預(yù)見的誤用緩和措施

G4．2．1．2：Reasonably foreseeable misuse mitigations are validated

G4．2．1．2：驗(yàn)證合理可預(yù)見的誤用緩和措施

G4．2．1：Reasonably foreseeable misuse mitigations are designed and implemented

G4．2．1：設(shè)計(jì)并實(shí)施合理可預(yù)見的誤用緩和措施

G4．2．2．1：Mitigations for insider threat are verified

G4．2．2．1：驗(yàn)證內(nèi)部威脅的緩和措施

G4．2．2．2：Mitigations for insider threat are validated

G4．2．2．2：驗(yàn)證內(nèi)部威脅的緩和措施

G4．2．2：Insider threat mitigations are designed and implemented

G4．2．2：設(shè)計(jì)并實(shí)施內(nèi)部威脅緩和措施

G4．3：Potential harm from cyber intrusion is appropriately mitigated

G4．3：適當(dāng)減輕網(wǎng)絡(luò)入侵的潛在危害

G4．3．1．1：An inventory of all assets is created and maintained

G4．3．1．1：創(chuàng)建并維護(hù)所有資產(chǎn)的清單

G4．3．1．2：A threat analysis is conducted on all assets

G4．3．1．2：對所有資產(chǎn)進(jìn)行威脅分析

G4．3．1：Operational safety risk assessments identify threats and their feasibility

G4．3．1：運(yùn)行安全風(fēng)險(xiǎn)評估確定威脅及其可行性

G4．3．2．1：Passive event monitoring within components of the self－driving enterprise identify anomalous behavior

G4．3．2．1：自動駕駛企業(yè)部門內(nèi)的被動事件監(jiān)控以識別異常行為

G4．3．2．2：Active event monitoring of self－driving enterprise behavior identify anomalous behavior

G4．3．2．2：自動駕駛企業(yè)行為的活動事件監(jiān)控以識別異常行為

G4．3．2：The self－driving enterprise detects when a cyber intrusion has occurred

G4．3．2：自動駕駛企業(yè)在發(fā)生網(wǎng)絡(luò)入侵時(shí)進(jìn)行檢測

G4．3．3：Defensive measures are implemented to reduce the likelihood of a cyber intrusion

G4．3．3：采取防御措施以降低網(wǎng)絡(luò)入侵的可能性

G4．3．4：Reactive measures are implemented during a cyber intrusion to limit harm

G4．3．4：在網(wǎng)絡(luò)入侵期間實(shí)施應(yīng)對措施，以限制損害

G4．3．5：Permanent corrective actions and lessons learned are put in place after a cyber intrusion to avoid recurrence

G4．3．5：在網(wǎng)絡(luò)入侵后采取永久性糾正措施并吸取教訓(xùn)，以避免再次發(fā)生

G5：Trustworthy

The self－driving enterprise is trustworthy

G5：值得信賴

自動駕駛企業(yè)是值得信賴的

G5．1．1．1．1：Safety culture and personnel are appropriate for safety－critical systems：S5．1．1．1：Argument is based on addressing competence alongside safety culture， remaining current with the state of the industry

G5．1．1．1．1：安全文化和人員適用于安全關(guān)鍵系統(tǒng)：S5．1．1．1：論點(diǎn)基于體現(xiàn)安全文化的能力，并與行業(yè)最新現(xiàn)狀保持一致

G5．1．1．1．2：Persons developing the self－driving enterprise have the required competencies corresponding to their responsibilities

G5．1．1．1．2：開發(fā)自動駕駛企業(yè)的人員具有與其職責(zé)相對應(yīng)的所需能力

G5．1．1．1．3：Prevailing industry best practices and standards are reviewed and adherence documented， on a continual basis

G5．1．1．1．3：持續(xù)審查當(dāng)前行業(yè)最佳實(shí)踐和標(biāo)準(zhǔn)，并記錄遵守情況

G5．1．1．1．4：Persons developing the self－driving enterprise are engaged in broader applicable industry proceedings

G5．1．1．1．4：開發(fā)自動駕駛企業(yè)的人員參與更廣泛適用的行業(yè)程序

G5．1．1：The organizational environment is appropriate for safety－critical systems：S5．1：If the organizational environment is appropriate for system safety， stakeholders are engaged participatively， external communication about the self－driving enterprise is appropriate and verifiable then the claims made in G1－G4 are more likely to be accurate．

G5．1．1：組織環(huán)境適用于安全關(guān)鍵系統(tǒng)：S5．1：如果組織環(huán)境適用于系統(tǒng)安全，利益相關(guān)者參與，關(guān)于自動駕駛企業(yè)的外部溝通是適當(dāng)且可驗(yàn)證的，則G1－G4中的聲明更可能準(zhǔn)確。

G5．1．2．1：Stakeholders are identified with defined interaction relationships

G5．1．2．1：通過定義的交互關(guān)系確定利益相關(guān)者

G5．1．2．2：Stakeholders are consulted at appropriate stages of testing and development of the self－driving enterprise

G5．1．2．2：在自動駕駛企業(yè)的測試和開發(fā)的適當(dāng)階段咨詢利益相關(guān)者

G5．1．2．3：Stakeholders are partnered with at appropriate stages of testing and development of the self－driving enterprise

G5．1．2．3：在自動駕駛企業(yè)的測試和開發(fā)的適當(dāng)階段，與利益相關(guān)者合作

G5．1．2．4：Stakeholders are informed at appropriate stages of testing and development of the self－driving enterprise

G5．1．2．4：在自動駕駛企業(yè)的測試和開發(fā)的適當(dāng)階段通知利益相關(guān)者

G5．1．2：Stakeholders are engaged regularly throughout the lifecycle of the self－driving enterprise

G5．1．2：利益相關(guān)者在自動駕駛企業(yè)的整個(gè)生命周期內(nèi)定期參與

G5．1．3：Appropriate， verifiable evidence of safety and performance is provided outside the self－driving enterprise

G5．1．3：在自動駕駛企業(yè)外部提供適當(dāng)、可驗(yàn)證的安全和性能證據(jù)

G5．1．3．1：Multimodal communication methods are used

G5．1．3．1：使用多模式通信方法

G5．1．3．2：A Safety Case framework for the self－driving enterprise is publicly available

G5．1．3．2：自動駕駛企業(yè)的安全案例框架可公開獲取

G5．1．3．3：Credible periodic reports and updates are published or released at key points of transition， testing， and development of the self－driving enterprise

G5．1．3．3：在自動駕駛企業(yè)的過渡、測試和開發(fā)關(guān)鍵點(diǎn)發(fā)布或提供可信的定期報(bào)告和更新

G5．1．3．4：Verifiable evidence that the self－driving enterprise is capable of appropriately complying with applicable rules， regulations， and guidance is maintained

G5．1．3．4：保留自動駕駛企業(yè)能夠適當(dāng)遵守適用規(guī)則、法規(guī)和指南的可驗(yàn)證證據(jù)

G5．1．4：The Self－Driving Enterprise is independently reviewed and audited

G5．1．4：對自動駕駛企業(yè)進(jìn)行獨(dú)立審查和審計(jì)

G5．1．4．1：A safety advisory board of third－party experts is established

G5．1．4．1：成立第三方專家安全咨詢委員會

G5．1．4．2：The self－driving enterprise is appropriately reviewed and audited both internally and externally

G5．1．4．2：對自動駕駛企業(yè)進(jìn)行適當(dāng)?shù)膬?nèi)部和外部審查和審計(jì)

－ End －