The ISO 26262 standard defines functional safety for road vehicles through risk assessments based on Severity, Exposure, and Controllability, grounded in a human-driven vehicle paradigm. In the context of autonomous vehicles (AVs), the absence of a human driver necessitates revisiting these principles. This paper decomposes the Controllability placeholder into two auditable evidence dimensions of ISO 26262 by introducing two measurable sub-concepts: Transferability and Predictability. Transferability extends Controllability to capture AV systems' ability to hand off control to dedicated fallback safety mechanisms, while Predictability captures how easily external agents can anticipate AV behavior. Predictability is formally defined from human-robot interaction-inspired principles, and a mathematical framework is provided to quantify it. A designed-versus-achievable gap is introduced to distinguish architectural fallback claims from scene-conditioned achievable fallback capability. The proposed metrics align with ISO 26262 and ISO/PAS 21448 (SOTIF), rendering fallback and interaction claims falsifiable and traceable across ODD slices. These dimensions complement rather than replace existing standards, and the enhancements preserve the structure of ISO 26262 while extending its applicability to driverless automated systems operating at SAE Levels 4 and 5.
翻译:ISO 26262标准基于以人类驾驶车辆为范式的风险评估,通过严重性、暴露度和可控性来定义道路车辆的功能安全。在自动驾驶汽车情境下,由于缺乏人类驾驶员,需要重新审视这些原则。本文通过引入两个可测量的子概念——可转移性与可预测性——将ISO 26262中的可控性占位符分解为两个可审计的证据维度。可转移性扩展了可控性,以捕捉自动驾驶系统将控制权移交给专用后备安全机制的能力;而可预测性则刻画了外部主体预测自动驾驶行为的能力。本文依据人机交互启发原则正式定义了可预测性,并提供了量化其值的数学框架。引入了设计值与可实现值之间的差距,以区分架构性后备声明与场景条件决定的可实现后备能力。所提出的度量指标与ISO 26262及ISO/PAS 21448(预期功能安全)保持一致,使得后备与交互声明在运行设计域切片上可证伪且可追溯。这些维度补充而非替代现有标准,且在保持ISO 26262结构的同时,将其适用性扩展至运行于SAE L4级和L5级的无人驾驶自动化系统。