[Author]
Samuel WENG
Comments on the BMW iNEXT SAE Level-3 ADS safety assessment report follow:
1. Good choice to involve the cyber security safety impact in the safety assessment.
2. Good choice of ISO 9241, but more information and SOFA can also come from the US or so. Sometimes, if it is human-centered, it has to rely on the human state and not on distracted driving; we have to further see BMW's DMS system design in system safety. There are some papers dedicated to how people react comfortably towards HMI, and not too many warning signals. SOFA for the DMS is not very good; as a hint, the false positive and negative shall come to be lower than 3% as a preliminary acceptable SOTIF level, or the O value shall be lower.
3. Good design for hints of driver responsibilities, but one problem remains: only these circumstances will make colour, or is it as well the human misuse, mistaken for manual control when exactly it is the machine control?
4. OEDR actually does not include localization or navigation based on SOTIF; as well, the V2X feature will not be added here as OEDR?
5. For OEDR, the high definition map is more in reliability redundancy but not in safety. If the OEM is using LIDAR and HD map for 3D real scene establishment, then it may be a common cause; we have to deal with the combination of such status, including the real time
6. For sensor fusion, even for 4 kinds of sensors, the fusion result may not be the ranking highest, especially for adverse weather
7. Performance limitation of sensor fusion shall be highlighted and introduced
8. Fusion of sensor plus map data: real time and latency are a big problem; the processor shall be fast enough and the precision shall be high, as well as design for offline or tunnel mode, and then we rely on GPS IMU
9. Objects here do not contain pedestrian decision criteria; SORTA not good to judge this
10. One remark for ODD: the detection way of one ODD variable, only one type, then the reliability and availability shall be ensured in a deeper way.
11. Risk mitigation maneuver measure quite SOTA, and only one comment: if others will speed up and as well will cut in? We have to deal with such a problem, as the emergency operations are in some kinds of performance degradation
12. One problem in Uber 2018 is braking limitation time for 1s; BMW has this setting?
13. Fallback reliability and availability problem we have to check as well in the Level 3 safety assessment, not included here
14. eCALL data shall be in GDPR requirements, and highlighted in the cyber security assessment
15. Data collection here may use edge computing; backend may not be able.
16. Technical SOTIF and human user SOTIF, so the technical SOTIF is mainly in the system itself? Scope with UL 4600?
17. P41 design redundancy does not consider the control loop and non-fault factors
18. Figure 24 is similar to EGAS 3-layer; the control priority is not seen there yet
19. AI safeguarded by a deterministic safety layer, good example, but the assessment report shall dig more
20. Admired the cyber security process and overall described in the safety assessment; I take security as systematic problems
21. Good illustration for Auto-ISAC
22. SW repro and HW repro have a good example here due to potential hazardous scene not in closed loop
[REF]
BMW Group Safety Assessment Report: SAE Level 3 Automated Driving System