ISO 26262 requires a controllability assessment for the hazard and risk analysis of automotive E/E systems. Depending on the verifiable controllability, a function may be limited in terms of its intervention options and intensity. For Active Safety Systems, this limits their accident-avoidance and accident-mitigation potential. An analysis of the applicability of ISO 26262 to these systems reveals that it does not address unintended reactions due to incorrect situational analysis by a surrounding perception system, even if the situation for the driver is similar to some of the failure modes. Additionally, the result of the risk assessment depends on the situations chosen. As numerous factors define a driving situation, the possible detailing of these factors is unlimited. Detailing decreases the rate of occurrence of single situations and thereby lowers the required overall safety level. Hence, a method is needed that allows a systematic, verifiable derivation of test situations, including traceability of the detailing. Based on this, for an objective controllability assessment with limited test effort, the minimal sufficient set of relevant scenarios for testing has to be identified.
These scenarios need to have a high probability and impact on controllability. Both factors have to be quantified and evaluated. Based on the analysis of a controllability situation, a strategy is developed to assess the relevance of situations. To quantify the change of uncontrollability in real testing, an objective assessment criterion has to be designed. As a start, the method is applied to emergency braking functions in longitudinal traffic.
The approach begins with the base case and categorizes the factors of a controllability situation. These are weighted with a relevance factor derived from the probability and the controllability. The factor for controllability depends on an assumed or measured increase of uncontrollability caused by the specific situational parameter. By increasing the detailing level, the overall relevance factor for the parameter is derived, to be used on the next less-detailed level.
The assessment criterion for uncontrollability is based on the remaining distance to the point where a crash is unavoidable, the “Point-of-No-Return” (PoNR), and the braking deceleration by the driver. Depending on the driver’s braking force, the PoNR is postponed until the crash will no longer occur. To prove the feasibility of the assessment method, a decelerating leading-vehicle situation is defined. Different deceleration strategies with and without switch-off are used. After initial simulation, the situation is implemented in a real test setup and experiments with naïve drivers are conducted. The results of the objective and subjective evaluation are analyzed and discussed.
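As an added illustration (not code from the paper), the PoNR criterion can be computed for the decelerating leading-vehicle situation under the simplifying assumptions of a straight road, constant decelerations and no driver reaction time; all scenario values are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LeadVehicleScenario:
    """Decelerating leading-vehicle situation: straight road, constant decelerations, no reaction time."""
    v_follow: float  # following (ego) vehicle speed [m/s]
    v_lead: float    # leading vehicle speed [m/s]
    a_lead: float    # leading vehicle deceleration magnitude [m/s^2]; 0.0 = constant speed
    gap0: float      # initial bumper-to-bumper gap [m]


def braking_distance(v: float, a: float, t: float) -> float:
    """Distance covered after t seconds by a vehicle braking from speed v with deceleration a."""
    if a <= 0.0:
        return v * t  # no braking: constant speed
    if t >= v / a:
        return v * v / (2.0 * a)  # already standing still
    return v * t - 0.5 * a * t * t


def closest_approach(sc: LeadVehicleScenario, a_driver: float) -> float:
    """Change of the gap at its minimum (negative = gap consumed) if the driver brakes with a_driver from t = 0.
    The gap is piecewise quadratic in t, so its minimum lies at t = 0, at a stopping time, or at the
    vertex where both vehicles have equal speed while both are still moving."""
    if a_driver <= 0.0:
        raise ValueError("the driver must brake: a_driver > 0")
    t_follow_stop = sc.v_follow / a_driver
    t_lead_stop = sc.v_lead / sc.a_lead if sc.a_lead > 0.0 else t_follow_stop
    horizon = max(t_follow_stop, t_lead_stop)  # afterwards the gap can only stay constant or grow
    candidates = [0.0, t_follow_stop, t_lead_stop, horizon]
    if sc.a_lead != a_driver:
        candidates.append((sc.v_lead - sc.v_follow) / (sc.a_lead - a_driver))  # equal-speed vertex
    return min(braking_distance(sc.v_lead, sc.a_lead, t) - braking_distance(sc.v_follow, a_driver, t)
               for t in candidates if 0.0 <= t <= horizon)


def ponr_gap(sc: LeadVehicleScenario, a_driver: float) -> float:
    """Smallest initial gap at which a crash is still avoidable with a_driver: the Point-of-No-Return."""
    return max(0.0, -closest_approach(sc, a_driver))


def distance_to_ponr(sc: LeadVehicleScenario, a_driver: float) -> float:
    """Remaining distance to the PoNR for the given braking force; negative means the crash is unavoidable."""
    return sc.gap0 - ponr_gap(sc, a_driver)


if __name__ == "__main__":
    # Constructed example values, not measurements from the paper.
    sc = LeadVehicleScenario(v_follow=25.0, v_lead=15.0, a_lead=5.0, gap0=40.0)
    for a in (3.0, 4.0, 6.0, 8.0):  # stronger driver braking postpones the PoNR
        print(f"a_driver={a:3.1f} m/s^2  PoNR gap={ponr_gap(sc, a):6.2f} m  margin={distance_to_ponr(sc, a):7.2f} m")
```

A system deceleration phase ending in a switch-off can be represented by setting the scenario to the vehicle states at the moment of switch-off and evaluating the remaining distance to the PoNR from there.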
The methodology allows the systematic identification of the minimum set of test scenarios for the controllability assessment of Active Safety Systems. It quantifies the relevance of influencing factors and, in combination with the controllability criterion, can reduce the test effort and increase transferability.
The methodology enhances the controllability assessment according to ISO 26262 [1] to support a systematic choice of controllability test scenarios for Active Safety Systems. A more reliable controllability assessment allows the intervention limits of these systems to be extended, increasing overall traffic safety.