Conventionally, research has been conducted on systems having an autonomous function: such a system has means for measuring the state of its operating environment, and it determines and adjusts its autonomous operation according to a built-in program without requiring intervention by an operator. However, despite long-term technical development, such systems have been introduced only in limited operating environments, and this situation has not changed to date.
The reason such systems have not been introduced is as follows. Although all of the processing steps of external recognition, situation determination, and system control are implemented in control software, existing design, inspection, and certification procedures are not designed to detect failures, before the system is introduced, on the basis of the system's operation in an open operating environment.
The fundamental reason for this is that the implicit assumption that the situation at the time of a failure, which is necessary in order to quantitatively show the reliability of the system, can be reproduced either reliably or probabilistically does not hold in an open environment. Therefore, from the time an issue occurs in which it is suspected that the function actually implemented in the control software has performed an unintended operation, investigation of the cause and countermeasures are required, yet it is not possible to uniquely identify the cause, and it is difficult to show the effectiveness of the countermeasures. For this reason, countermeasures are required that are fundamentally different from those for current recall factors such as accidental faults and age-related deterioration of mechanical parts.
For example, PTL 1 discloses a method in which a vehicle system equipped with an automatic driving function determines the presence or absence of a hazard due to contact with other vehicles around the vehicle in question. This literature discloses a method for determining the safety of the course of the vehicle in question by using a predicted course of another vehicle. However, the course of the other vehicle is determined by the free will of its driver, subject to the constraints of traffic regulations, so it is difficult to guarantee the validity and safety of the predicted course, or of the design of the software that implements its calculation method, and there remains a possibility that a hazard occurs without the safety requirement being satisfied because of behavior that deviates from the predicted course.
From a technical point of view, if there is no factor that leads to a hazard, the means to prove this is lacking; and if there is a factor that leads to a hazard, there is no way to reproduce the concrete situation. Existing test methods, which lack comprehensiveness, serve as neither of these means. Therefore, existing test methods are inadequate as verification evidence for asserting the reliability of the system.