安全案例框架的意義

Aurora使用基于安全案例的方法，評估自動駕駛車輛何時能夠安全地在公共道路上行駛，并評估它們是否不會對機動車安全造成不合理的風險。

安全案例框架是安全取消安全駕駛員的最有效途徑，對于任何希望在沒有安全駕駛員的情況下運營并安全交付大規模商用自動駕駛車輛的公司來說，它都是必不可少的組成部分。Aurora安全案例框架評估了車輛的整個開發生命周期，夠加快部署的速度，并確定何時可以接受自動駕駛車輛在公共道路上的安全性。

Aurora將安全視為一個持續的過程，而不是一個靜態的待辦事項清單，基于證據的方法在內部和外部都至關重要。在公司內部，安全案例框架是我們如何根據內部標準不斷審查證據和評估Aurora driver的表現和發展，以確保我們有信心在有或沒有車輛操作員的情況下將自動駕駛車輛上路。在外部，安全案例框架使我們能夠有效地與合作伙伴、客戶、監管機構和公眾分享我們的方法和進展。這種透明度有助于建立信任，這在部署任何新技術時都很重要。

Aurora安全案例框架介紹

Aurora采用了基于安全案例的方法，因為這是展示和解釋Aurora如何確定自動駕駛車輛在公共道路上運行的可接受安全性的最合理和最有效的方式。該框架的核心是一個結構化的論點，并有證據證明為什么我們的車輛是可接受的安全。自動駕駛車輛中的許多要素之間存在復雜的相互作用和關系。沒有任何一項單一證據能夠證明安全的整體性?；诎踩咐姆椒ㄒ院虾踹壿嫷姆绞綄⑦@證據與主張兩個基本概念結合在一起，以有效地展示我們為確定車輛在公共道路上安全行駛所做的工作。

Aurora開發該框架的目的是為了幫助評估Aurora卡車運輸和客運產品的整個開發生命周期，以便向合作伙伴和客戶提供安全且可擴展的產品。

Aurora安全案例框架結合了政府組織的指南、安全關鍵行業的最佳實踐、非強制性行業標準和聯盟、學術研究以及組織在自身工作中所學到的知識。在自動駕駛汽車行業中，它是開發在公共道路上安全行駛的自動駕駛車輛并將這些車輛交付給合作伙伴、客戶和公眾的重要工具。

Aurora的安全案例框架覆蓋了對評估公共道路上自動駕駛車輛的安全開發、測試和運行至關重要的不同要素。該框架的設計涵蓋了與車輛操作員的測試，也包括沒有操作員的測試。同時，它是為適應環境而構建的，因此可以根據不同的場景和環境對其進行定制。能夠將安全案例聲明改編為適用于不同的車輛平臺、有操作員的車輛、試車跑道上的車輛以及公共道路上的車輛。

Aurora的安全案例框架有助于評估Aurora driver的設計和開發，并與產品開發路線圖保持一致。對于每個主要的產品里程碑，我們將檢查哪些聲明是相關的，并開發相應的證據。聲明是我們正在做出的一種論斷，例如“G3．1安全性能指標被測量、分析并用于監控安全性。” Aurora正在內部積極開發的適當證據將被定制以證實每個單獨的聲明，可能包括測試結果、同行評審、，審計或評估。

目前只是第一個版本，隨著不斷學習并將測試操作擴展到新的環境和平臺，Aurora的框架將不斷發展。這Aurora正在分享框架的前4個級別，因為Aurora的合作伙伴、客戶和公眾了解為什么我們對交付Aurora driver的進展充滿信心是很重要的。進一步開發將遵循一個迭代過程，隨著框架的發展，Aurora將繼續分享它的更新。

最高級別目標

Aurora安全案例框架圍繞著“我們的自動駕駛車輛在公共道路上運行是可接受的安全性”這一最高級別的聲明展開。使用整個安全案例來證實這一最高級別的聲明，并將這一主張分解為五個安全原則或子原則。

G1：精通／Proficient

自動駕駛車輛在正常運行期間具備可接受的安全。

除非具備適當的熟練程度，否則自動駕駛車輛在公共道路上行駛是不安全的。熟練程度包括開發產品所需的設計、工程和測試。本安全原則包含自動駕駛車輛標稱、非標稱及邊界案例（corner cases）情況下的自動駕駛車輛性能要求。

G2：故障安全／Fail－safe

自動駕駛車輛在出現故障和失效時具備可接受的安全。

故障安全原則解決了自動駕駛車輛在出現失效和故障時的行為。沒有一個系統是百分之百完美的，部件有時會磨損或出現過早故障。Aurora driver旨在檢測并安全地緩和這些故障。此安全原則包含車輛內置的所有故障檢測、緩和和通知。

G3：不斷改進／Continuously improving

對構成不合理安全風險的所有已識別潛在安全問題進行評估，并采取適當的糾正和預防措施予以解決。

持續改進原則概述了如何將持續改進的概念融入到系統的開發中。自動駕駛車輛配備有傳感器，一組自動駕駛車輛僅從一天的運行中就捕獲大量數據。我們能夠利用這些數據的力量實現持續改進。該現場數據為綜合數據分析工作提供數據，該工作計算安全性能指標，并考慮設計和開發期間收集的數據。這種系統收集和分析數據的方法使我們能夠發現趨勢、均值回歸和緊急行為。Aurora還采取積極主動的方法進行持續改進，使用風險識別技術積極主動地識別風險。

G4：有彈性的／Resilient

在可合理預見的誤用和不可避免的事件情況下，自動駕駛車輛具備可接受的安全。

自動駕駛車輛設計用于在公共道路上安全行駛，但這并不能將其與惡意行為者或不可避免的事件隔離開來。彈性原則展示了Aurora driver如何能夠承受不良事件和故意誤用和濫用。

G5：值得信賴的／Trustworthy

自動駕駛企業應是值得信賴的。

Aurora的自動駕駛汽車可能是熟練的、故障安全的、不斷改進的和有彈性的，但如果沒有公眾和政府監管機構的信任，我們就無法完全實現我們的最高要求。值得信賴的安全原則涉及Aurora計劃如何通過公眾、政府和利益相關者的參與、安全透明度、安全文化以及外部審查和咨詢活動獲得信任。

安全原則的分解

頂級聲明是根據涵蓋安全操作范圍的安全原則定義的，使用廣度優先、深度第二的方法分解每個安全原則。

每個安全原則都被分解為中間論點、上下文和策略的層次。最低級別的聲明最終由我們的員工提供的證據予以滿足。這種方法可以將每個安全論點作為邏輯分解進行追蹤，從廣義概念到支持聲明的具體有形證據。

安全原則分解示例

用于支持聲明的證據有兩種形式——產品證據和過程證據。產品證據包括可交付成果，如技術規范、測試計劃和測試結果。過程相關證據表明，產品證據是以系統的方式生成的，具有足夠的嚴謹性、審查性和獨立性。這些證據可能包括非正式的內部審計報告，確認我們正在遵循既定流程。這兩種類型的證據都需要充分處理安全案例中的聲明。

框架的應用

安全案例框架是一個工具，Aurora使用它來通知數百名Aurora員工在開發Aurora driver的過程中的日常活動。

安全案例框架旨在適應不同的車輛、場景和環境。我們將使用安全案例框架創建一個特定的安全案例，注意在每個實例中定義其特定的上下文和應用。將框架視為生成各種特定安全案例的通用藍圖。例如，為特定車輛和車輛配置（卡車和乘用車平臺）以及特定運行設計域（例如公路）創建安全案例。因此，將有多個單獨的安全案例，涵蓋各種配置、平臺和操作領域，而不是涵蓋我們自動駕駛車輛所有用途的單一安全案例。

還將根據我們是否在道路上測試、車輛操作員是否監控Aurora driver、是否在沒有操作員的私人封閉車道上或者是在沒有操作員的公共道路上，來定制安全案例。鑒于這種情況，某些原則不適用于無車輛操作員的情況。因此，雖然安全案例框架可能是通用的，但裁剪是必不可少的。

制造商用自動駕駛汽車是一項復雜的工程。Aurora的安全案例框架是一個強大的工具，可用于定義和管理這一復雜挑戰。該框架還可用于以理性和邏輯的方式傳達假設和意圖，以幫助讀者理解和消化固有的復雜性。與許多其他工具一樣，結果最終取決于用戶如何使用框架。

附件：《Aurora自動駕駛安全案例框架》

英文

參考中文

G1：Proficient：

The self－driving vehicle is acceptably safe during nominal operation

G1：精通：

自動駕駛車輛在正常操作期間具備可接受的安全：

G1．1：The self－driving enterprise uses appropriate development processes for a complex safety critical system

G1．1：自動駕駛企業對復雜的安全關鍵系統使用適當的開發流程

G1．1．1．1．1：Systems engineering follows a defined process

G1．1．1．1．1：系統工程遵循規定的過程

G1．1．1．1．2：Systems engineers are trained and continually educated on the systems engineering process

G1．1．1．1．2：系統工程師接受系統工程過程的培訓和持續教育

G1．1．1．1．3：Systems engineering process compliance audits are completed for all appropriate functions ／ sub－systems

G1．1．1．1．3：完成所有適當功能／子系統的系統工程過程合規性審核

G1．1．1．1．4：The Systems engineering process is appropriate for safety critical design

G1．1．1．1．4：系統工程過程適用于安全關鍵設計

G1．1．1．1：Systems engineering process is established， standardized across engineering， and there is evidence that the process is being used：S1．1．1：Risk is reduced through a defined process approach

G1．1．1．1：建立系統工程過程，并在整個工程中標準化，有證據表明該過程正在使用：S1．1．1：通過已定義的過程方法降低風險

G1．1．1．2．1：Hardware engineering follows a defined process

G1．1．1．2．1：硬件工程遵循規定的過程

G1．1．1．2．2：Hardware engineers are trained and continually educated on the hardware engineering process

G1．1．1．2．2：硬件工程師接受硬件工程過程的培訓和持續教育

G1．1．1．2．3：Hardware development process compliance audits are completed for all appropriate functions ／ sub－systems．

G1．1．1．2．3：完成所有適當功能／子系統的硬件開發過程合規性審核。

G1．1．1．2．4：The Hardware development process is appropriate for safety critical design

G1．1．1．2．4：硬件開發過程適用于安全關鍵設計

G1．1．1．2：Hardware development process is established， standardized across engineering， and there is evidence that the process is being used．

G1．1．1．2：硬件開發過程已建立，并在整個工程中標準化，并且有證據表明該過程正在使用。

G1．1．1．3．1：Manufacturing follows a defined process

G1．1．1．3．1：制造遵循規定的過程

G1．1．1．3．2：Manufacturing and production processes are established for externally sourced system hardware

G1．1．1．3．2：為外部采購的系統硬件建立制造和生產流程

G1．1．1．3．3：Manufacturing engineers are trained and continually educated on the manufacturing process

G1．1．1．3．3：制造工程師接受制造工藝方面的培訓和持續教育

G1．1．1．3．4：Manufacturing process compliance audits are completed for all appropriate functions

G1．1．1．3．4：完成所有適當功能的制造過程合規性審核

G1．1．1．3．5：The manufacturing process is appropriate for safety critical design

G1．1．1．3．5：制造工藝適用于安全關鍵設計

G1．1．1．3：Manufacturing process is established， standardized， and there is evidence the process is being used

G1．1．1．3：制造工藝已建立、標準化，且有證據表明該工藝正在使用

G1．1．1．4．1：Maintenance and service follows a defined process

G1．1．1．4．1：維護和保養遵循規定的流程

G1．1．1．4．2：Maintenance and service personnel are trained and continually educated on the process

G1．1．1．4．2：對維護和服務人員進行工藝培訓和持續教育

G1．1．1．4．3：Maintenance and service process compliance audits are completed for all appropriate functions

G1．1．1．4．3：完成所有適當功能的維護和服務過程合規性審核

G1．1．1．4．4：The maintenance process is appropriate for safety critical design

G1．1．1．4．4：維護過程適用于安全關鍵設計

G1．1．1．4：Maintenance ／ Service processes is established， standardized， and there is evidence the process is being used．

G1．1．1．4：維護／服務流程已建立、標準化，且有證據表明該流程正在使用。

G1．1．1．5．1：Software engineering follows a defined process

G1．1．1．5．1：軟件工程遵循定義的過程

G1．1．1．5．2：Software engineers are trained and continually educated on the software development process

G1．1．1．5．2：軟件工程師接受有關軟件開發過程的培訓和持續教育

G1．1．1．5．3：Software development process compliance audits are completed for all appropriate functions ／ sub－systems．

G1．1．1．5．3：完成所有適當功能／子系統的軟件開發過程合規性審核。

G1．1．1．5．4：The software development process is appropriate for safety critical design

G1．1．1．5．4：軟件開發過程適用于安全關鍵設計

G1．1．1．5：Software development process is established， standardized across engineering， and there is evidence that the process is being used．

G1．1．1．5：軟件開發過程已建立，并在整個工程中標準化，并且有證據表明該過程正在使用。

G1．1．1．6．1：Quality management follows a defined process

G1．1．1．6．1：質量管理遵循規定的過程

G1．1．1．6．2：Quality management measures are effective in controlling quality

G1．1．1．6．2：質量管理措施有效控制質量

G1．1．1．6．3：Quality management ensures all defined processes are followed

G1．1．1．6．3：質量管理確保遵循所有規定的過程

G1．1．1．6．4：The quality management process is appropriate for safety critical design

G1．1．1．6．4：質量管理過程適用于安全關鍵設計

G1．1．1．6：Quality management process is established， effective， standardized across engineering， and there is evidence that the process is being used

G1．1．1．6：質量管理過程已在整個工程中建立、有效、標準化，并且有證據表明該過程正在使用

G1．1．1．7．1：Supply chain teams follow a defined process

G1．1．1．7．1：供應鏈團隊遵循定義的流程

G1．1．1．7．2：Supply chain staff are trained and continually educated on the process

G1．1．1．7．2：對供應鏈員工進行流程培訓和持續教育

G1．1．1．7．3：Supply chain process compliance audits are completed for all appropriate functions ／ sub－systems

G1．1．1．7．3：完成所有適當功能／子系統的供應鏈流程合規性審核

G1．1．1．7．4：The supply chain process is appropriate for safety critical design

G1．1．1．7．4：供應鏈流程適用于安全關鍵設計

G1．1．1．7：Supply chain processes is established， standardized， and there is evidence the process is being used．

G1．1．1．7：供應鏈流程已建立、標準化，且有證據表明該流程正在使用。

G1．1．1．8．1：Vehicle operations teams follow a defined process

G1．1．1．8．1：車輛運行團隊遵循規定的流程

G1．1．1．8．2：Vehicle operations personnel are trained and continually educated on the process

G1．1．1．8．2：對車輛操作人員進行培訓，并持續對其進行流程教育

G1．1．1．8．3：Vehicle operations process compliance audits are completed for all appropriate functions

G1．1．1．8．3：完成所有適當功能的車輛運行過程合規性審核

G1．1．1．8．4：The vehicle operations process is appropriate for safety critical design

G1．1．1．8．4：車輛運行過程適用于安全關鍵設計

G1．1．1．8：Vehicle operations processes is established， standardized， and there is evidence the process is being used．

G1．1．1．8：車輛操作流程已建立、標準化，且有證據表明該流程正在使用。

G1．1．1．9．1：System safety engineering follows a defined process

G1．1．1．9．1：系統安全工程遵循規定的過程

G1．1．1．9．2：System safety engineers are trained and continually educated on the system safety development process

G1．1．1．9．2：系統安全工程師接受有關系統安全開發過程的培訓和持續教育

G1．1．1．9．3：System safety process compliance audits are conducted

G1．1．1．9．3：進行系統安全過程合規性審核

G1．1．1．9．4：The system safety engineering process is appropriate for safety critical design

G1．1．1．9．4：系統安全工程過程適用于安全關鍵設計

G1．1．1．9：System safety engineering process is established， standardized across engineering， and there is evidence that the process is being used．

G1．1．1．9：建立系統安全工程過程，并在整個工程中標準化，有證據表明該過程正在使用。

G1．2：The self－driving vehicle is acceptably performant to operate in the defined ODD

G1．2：自動駕駛車輛在規定的ODD內運行的性能合格

G1．2．1．1．1：The product requirements address all lifecycle stages of the product．

G1．2．1．1．1：產品要求涉及產品的所有生命周期階段。

G1．2．1．1．2：The product requirements define the concept of operations for the product

G1．2．1．1．2：產品要求定義了產品的操作概念

G1．2．1．1．3：The product requirements define the conceptual operational design domain in which the product will operate in

G1．2．1．1．3：產品要求定義了產品將在其中運行的概念運行設計域（conceptual operational design domain）

G1．2．1．1：The product requirements sufficiently define the full scope and entire lifecycle of the product

G1．2．1．1：產品要求充分定義了產品的整個范圍和整個生命周期

G1．2．1．10：The product requirements meet or exceed the operational design domain （ODD）

G1．2．1．10：產品要求滿足或超過運行設計域（ODD）

G1．2．1．2．1：The system requirements considers the needs of all external actors （e．g． Riders， Pedestrians， Motorists， Law Enforcement）

G1．2．1．2．1：系統要求考慮了所有外部參與者（例如騎行人、行人、駕駛員、執法人員）的需求

G1．2．1．2．2：The system requirements considers the needs of all internals actors （e．g． System Maintainers， Engineers， Testers）

G1．2．1．2．2：系統要求考慮了所有內部參與者（如系統維護人員、工程師、測試人員）的需求

G1．2．1．2．3：System requirements appropriately address nominal operation

G1．2．1．2．3：系統要求適當表現標稱運行

G1．2．1．2．4：System requirements appropriately address off－nominal operation

G1．2．1．2．4：系統要求適當表現非標稱運行

G1．2．1．2．5：Traceability confirms the system requirements satisfy the product and safety requirements

G1．2．1．2．5：可追溯性確認系統要求滿足產品和安全要求

G1．2．1．2：The system requirements sufficiently define a system that can operate in the defined ODD

G1．2．1．2：系統要求充分定義了一個系統，該系統可以在規定的ODD范圍內運行

G1．2．1．3．1：Functional hazard analysis sufficiently identifies system functions that are safety critical ／ relevant

G1．2．1．3．1：功能危害分析充分識別安全關鍵／相關的系統功能

G1．2．1．3．10：All safety requirements have analysis justifying the metrics， thresholds， or margins used in the requirements

G1．2．1．3．10：所有安全要求都有分析，證明要求中使用的度量、閾值或裕度是合理的

G1．2．1．3．11：Safety requirements are verified for gaps and omissions

G1．2．1．3．11：驗證安全要求的差距和遺漏

G1．2．1．3．12：Safety requirements are verified to be internally and externally consistent

G1．2．1．3．12：驗證安全要求內部及外部一致

G1．2．1．3．2：Verification reviews of functional hazard analysis appropriately confirm correctness of the analysis

G1．2．1．3．2：功能危害分析的驗證評審適當地確認了分析的正確性

G1．2．1．3．3：Hazards associated with each ［Safety Function］ have been thoroughly identified

G1．2．1．3．3：已徹底識別與每個［安全功能］相關的危險

G1．2．1．3．4：Hazards associated with ［AV operations］ have been thoroughly identified

G1．2．1．3．4：已徹底識別與［AV操作］相關的危險

G1．2．1．3．5：All identified fault－based hazards are ranked

G1．2．1．3．5：對所有已識別的基于故障的危險進行排序

G1．2．1．3．6：All identified non－fault based hazards are ranked

G1．2．1．3．6：對所有已識別的非故障危害進行排序

G1．2．1．3．7：All identified non－fault misuse based hazards are ranked

G1．2．1．3．7：所有已識別的基于非故障誤用的危險都進行了排序

G1．2．1．3．8：All hazard rankings are re－evaluated periodically

G1．2．1．3．8：定期重新評估所有危險等級

G1．2．1．3．9：Safety requirements comprehensively mitigate identified hazards and scenario ／ situation ／ triggering event

G1．2．1．3．9：安全要求全面緩和已識別的危險和場景／情況／觸發事件

G1．2．1．3：The safety requirements sufficiently define the allowable behavior of the system to ensure safe operation in the defined ODD

G1．2．1．3：安全要求充分規定了系統的允許行為，以確保在規定的條件下安全運行

G1．2．1．4．1：System requirements are comprehensive

G1．2．1．4．1：系統要求全面

G1．2．1．4．2：System requirements are verified for gaps and omissions

G1．2．1．4．2：驗證系統要求是否存在差距和遺漏

G1．2．1．4．3：System requirements are verified to be internally and externally consistent

G1．2．1．4．3：驗證系統要求內部和外部一致

G1．2．1．4．4：Requirements errors follow a systematic process for root cause and mitigation

G1．2．1．4．4：需求錯誤遵循根本原因和緩和的系統過程

G1．2．1．4．5：An accurate， complete， configuration－managed system architecture model is developed and maintained

G1．2．1．4．5：開發并維護準確、完整、配置管理的系統架構模型

G1．2．1．4：System requirements are appropriately developed from product requirements

G1．2．1．4：根據產品要求適當制定系統要求

G1．2．1．5．1：Hardware requirements are comprehensive

G1．2．1．5．1：硬件要求全面

G1．2．1．5．2：Hardware requirements are verified for gaps and omissions

G1．2．1．5．2：驗證硬件要求是否存在差距和遺漏

G1．2．1．5．3：Hardware requirements are verified to be internally and externally consistent

G1．2．1．5．3：驗證硬件要求內部和外部一致

G1．2．1．5．4：Requirements errors follow a systematic process for root cause and mitigation

G1．2．1．5．4：需求錯誤遵循根本原因和緩和的系統過程

G1．2．1．5．5：An accurate， complete， configuration－managed hardware architecture model is developed and maintained

G1．2．1．5．5：開發并維護準確、完整、配置管理的硬件體系結構模型

G1．2．1．5：Hardware requirements are appropriately developed from system and safety requirements

G1．2．1．5：硬件要求根據系統和安全要求適當制定

G1．2．1．6．1：Software requirements are comprehensive

G1．2．1．6．1：軟件需求是全面的

G1．2．1．6．2：Software requirements are verified for gaps and omissions

G1．2．1．6．2：驗證軟件需求是否存在差距和遺漏

G1．2．1．6．3：Software requirements are verified to be internally and externally consistent

G1．2．1．6．3：驗證軟件需求內部和外部一致

G1．2．1．6．4：Requirements errors follow a systematic process for root cause and mitigation

G1．2．1．6．4：需求錯誤遵循根本原因和緩和的系統過程

G1．2．1．6．5：An accurate， complete， configuration－managed software architecture model is developed and maintained

G1．2．1．6．5：開發并維護準確、完整、配置管理的軟件架構模型

G1．2．1．6：Software requirements are appropriately developed from safety and system and safety requirements

G1．2．1．6：根據安全和系統及安全要求，適當制定軟件要求

G1．2．1．7．1：System safety requirements are comprehensive

G1．2．1．7．1：系統安全要求全面

G1．2．1．7．2：System safety requirements are verified for gaps and omissions

G1．2．1．7．2：驗證系統安全要求是否存在漏洞和遺漏

G1．2．1．7．3：System safety requirements are verified to be internally and externally consistent

G1．2．1．7．3：驗證系統安全要求內部和外部一致

G1．2．1．7．4：Requirements errors follow a systematic process for root cause and mitigation

G1．2．1．7．4：需求錯誤遵循根本原因和緩和的系統過程

G1．2．1．7．5：System safety requirements are allocated to components within the self－driving enterprise

G1．2．1．7．5：系統安全要求分配給自動駕駛企業內的部門

G1．2．1．7：System safety requirements are sufficient

G1．2．1．7：系統安全要求足夠

G1．2．1．8．1：Manufacturing requirements are comprehensive

G1．2．1．8．1：制造要求是全面的

G1．2．1．8．2：Manufacturing requirements are verified for gaps and omissions

G1．2．1．8．2：驗證制造要求是否存在差距和遺漏

G1．2．1．8．3：Manufacturing requirements are verified to be internally and externally consistent

G1．2．1．8．3：驗證制造要求內部和外部一致

G1．2．1．8．4：Requirements errors follow a systematic process for root cause and mitigation

G1．2．1．8．4：需求錯誤遵循根本原因和緩和的系統過程

G1．2．1．8．5：An accurate， complete， configuration－managed manufacturing process ／ architecture model is developed and maintained

G1．2．1．8．5：開發并維護準確、完整、配置管理的制造過程／架構模型

G1．2．1．8：Requirements for manufacturing are sufficient

G1．2．1．8：制造要求足夠

G1．2．1．9．1：Maintenance ／ service requirements are comprehensive

G1．2．1．9．1：維護／服務要求全面

G1．2．1．9．2：Maintenance ／ service requirements are verified for gaps and omissions

G1．2．1．9．2：驗證維護／服務要求是否存在缺口和遺漏

G1．2．1．9．3：Maintenance ／ service requirements are verified to be internally and externally consistent

G1．2．1．9．3：驗證維護／服務要求內部和外部一致

G1．2．1．9．4：Requirements errors follow a systematic process for root cause and mitigation

G1．2．1．9．4：需求錯誤遵循根本原因和緩和的系統過程

G1．2．1．9．5：An accurate， complete， configuration－managed maintenance ／ service process architecture model is developed and maintained

G1．2．1．9．5：開發并維護準確、完整、配置管理的維護／服務過程架構模型

G1．2．1．9：Requirements for maintenance ／ service are sufficient

G1．2．1．9：維護／服務要求足夠

G1．2．1：The self－driving vehicle is designed to safely operate in the intended operational design domain （ODD）

G1．2．1：自動駕駛車輛設計為在預期運行設計域（ODD）內安全運行

G1．2．2．1：The self－driving vehicle maintains appropriate reserve vehicle dynamic capability

G1．2．2．1：自動駕駛車輛保持適當的備用車輛動態能力

G1．2．2．2：The frequency and duration of reduced vehicle dynamic reserve capability is low

G1．2．2．2：車輛動態儲備能力降低的頻率和持續時間較低

G1．2．2：The self－driving vehicle is operated with appropriate vehicle dynamics safety margins

G1．2．2：自動駕駛車輛在適當的車輛動力學安全裕度下運行

G1．2．3．1．1：Self－driving vehicle sensors provide acceptably correct， complete， and current data

G1．2．3．1．1：自動駕駛車輛傳感器提供可接受的正確、完整和當前數據

G1．2．3．1．2：The design of perception systems are suitably robust

G1．2．3．1．2：感知系統的設計具有適當的魯棒性

G1．2．3．1．3：The performance of the perception system is suitable for the ODD

G1．2．3．1．3：感知系統的性能適用于ODD

G1．2．3．1．4：The AI ／ machine learning approaches used provide acceptable performance for the ODD

G1．2．3．1．4：使用的AI／機器學習方法為ODD提供了可接受的性能

G1．2．3．1：Perception provides acceptable functional performance in the defined ODD

G1．2．3．1：Perception在規定的ODD范圍內提供可接受的功能性能

G1．2．3．2．1：The design of prediction systems are suitably robust

G1．2．3．2．1：預測系統的設計具有適當的魯棒性

G1．2．3．2．2：The prediction system performance is suitable for the ODD

G1．2．3．2．2：預測系統性能適用于ODD

G1．2．3．2．3：The AI ／ machine learning approaches used provide acceptable performance for the ODD

G1．2．3．2．3：使用的AI／機器學習方法為ODD提供了可接受的性能

G1．2．3．2：Prediction provides acceptable functional performance in the defined ODD

G1．2．3．2：預測在規定的ODD范圍內提供可接受的功能性能

G1．2．3．3．1：The design of the motion planning system is suitably robust

G1．2．3．3．1：運動規劃系統的設計具有適當的魯棒性

G1．2．3．3．2：Motion planning performance is suitable for the ODD

G1．2．3．3．2：運動規劃性能適用于ODD

G1．2．3．3．3：The AI ／ machine learning approaches used provide acceptable performance for the ODD

G1．2．3．3．3：所使用的AI／機器學習方法為ODD提供了可接受的性能

G1．2．3．3：Motion planning provides acceptable functional performance in the defined ODD

G1．2．3．3：運動規劃在規定的ODD范圍內提供可接受的功能性能

G1．2．3．4．1：Localization design and performance is documented

G1．2．3．4．1：記錄定位設計和性能

G1．2．3．4．2：Localization performance is suitable for the ODD

G1．2．3．4．2：定位性能適用于ODD

G1．2．3．4．3：Map performance is suitable for the ODD

G1．2．3．4．3： Map性能適用于ODD

G1．2．3．4：Localization provides acceptable functional performance in the defined ODD

G1．2．3．4：定位可在規定的范圍內提供可接受的功能性能

G1．2．3．5．1：Vehicle control design and performance is documented

G1．2．3．5．1：記錄車輛控制設計和性能

G1．2．3．5．2：Vehicle control performance is suitable for the ODD

G1．2．3．5．2：車輛控制性能適用于ODD車輛

G1．2．3．5：Vehicle control provides acceptable functional performance in the defined ODD

G1．2．3．5：車輛控制在規定的ODD范圍內提供可接受的功能性能

G1．2．3．6．1：Notifications communicate a clear message or status

G1．2．3．6．1：通知傳達明確的信息或狀態

G1．2．3．6．2：Notifications are suitably robust

G1．2．3．6．2：通知具有適當的魯棒性

G1．2．3．6．3：Notifications are suitable for the ODD

G1．2．3．6．3：通知適用于ODD

G1．2．3．6．4：Notifications are suitbly effective

G1．2．3．6．4：通知非常有效

G1．2．3．6：System notifications provide acceptable functional performance in the defined ODD

G1．2．3．6：系統通知在定義的ODD中提供可接受的功能性能

G1．2．3．7：System timings and system latency provide acceptable functional performance in the defined ODD

G1．2．3．7：系統計時和系統延遲在規定的ODD范圍內提供可接受的功能性能

G1．2．3：Self－driving vehicle subsystems provide acceptable functional performance in the defined ODD

G1．2．3：自動駕駛車輛子系統在規定的ODD范圍內提供可接受的功能性能

G1．2．4：Off－board systems provide acceptable functional performance in the defined ODD

G1．2．4：非車載系統在規定的ODD范圍內提供可接受的功能性能

G1．3：The self－driving vehicle is appropriately tested and released for self－driving operations

G1．3：對自動駕駛車輛進行適當測試并發布，以進行自動駕駛操作

G1．3．1．1：Traceability of testing demonstrates comprehensive requirements coverage：S1．3．1：Traceability will be used to demonstrate all requirements have been tested． Peer review， test phases of unit test， subsystem test， and vehicle testing combined industry best practice on test case development are used to demonstrate appropriate rigor in the tests have been performed． Industry best practices will address functional， regression testing， and stress testing． The combination of traceability and rigor arguments meet the parent goal． This efficacy in meeting this goal is measured by the frequency of hazardous events measured during testing． The following process follows for the initial development and the ongoing update and enhancement of the self－driving enterprise．

G1．3．1．1：測試的可追溯性證明了全面的需求覆蓋范圍：S1．3．1：可追溯性將用于證明所有需求均已測試。同行評審、單元測試的測試階段、子系統測試和車輛測試結合了測試用例開發的行業最佳實踐，用于證明測試的適當嚴謹性。行業最佳實踐將涉及功能測試、回歸測試和壓力測試。可跟蹤性和嚴格性參數的組合滿足父級目標。通過測試期間測量的危險事件頻率來衡量達到該目標的有效性。以下流程用于自動駕駛企業的初始開發以及持續更新和增強。

G1．3．1．2：Peer review minimizes human error in work product development

G1．3．1．2：同行評審將工作產品開發中的人為錯誤降至最低

G1．3．1．3：All anomalies are analyzed to ensure requirements are comprehensive

G1．3．1．3：分析所有異常，以確保要求全面

G1．3．1．4：The self－driving vehicle is comprehensively evaluated on a set of validated and representative tests

G1．3．1．4：通過一組驗證和代表性試驗對自動駕駛車輛進行綜合評估

G1．3．1．5：The frequency of potentially harmful events （PHE） are below a target metric（s）

G1．3．1．5：潛在有害事件（PHE：potentially harmful events）的頻率低于目標指標

G1．3．1．6：All identified hazards have been appropriately mitigated

G1．3．1．6：已適當緩和所有已識別的危險

G1．4：The self－driving vehicle is operated in accordance with its operational concept

G1．4：自動駕駛車輛按照其運行概念運行

G1．4．1．1．1：Manual control of the vehicle steering can be achieved

G1．4．1．1．1：可實現車輛轉向的手動控制

G1．4．1．1．2：Manual control of the vehicle braking can be achieved

G1．4．1．1．2：可實現車輛制動的手動控制

G1．4．1．1．3：Manual control of the vehicle accelerator pedal can be achieved

G1．4．1．1．3：可手動控制車輛油門踏板

G1．4．1．1．4：The vehicle operator can request a safe stop with high assurance

G1．4．1．1．4：車輛操作員可以要求高保證的安全停車

G1．4．1．1：The vehicle operator can take control of the self－driving vehicle （SDV） at any time

G1．4．1．1：車輛操作員可隨時控制自動駕駛車輛（SDV）

G1．4．1．10．1：Fault injection testing demonstrates vehicle operator＇s control capability during a fault

G1．4．1．10．1：故障注入測試證明車輛操作員在故障期間的控制能力

G1．4．1．10．2：The vehicle operator is appropriately continually evaluated for required level of performance

G1．4．1．10．2：針對所需的性能水平，對車輛操作員進行適當的持續評估

G1．4．1．10：The vehicle operator demonstrates ability to plan and execute correct driving responses

G1．4．1．10：車輛操作員展示了計劃和執行正確駕駛響應的能力

G1．4．1．2：The vehicle operator hiring process accepts suitable candidates

G1．4．1．2：車輛操作員招聘流程接受合適的候選人

G1．4．1．3：Only vehicle operators with appropriate driving licenses are allowed to operate the vehicle

G1．4．1．3：只有持有適當駕駛執照的車輛操作員才允許操作車輛

G1．4．1．4．1：The vehicle operator is properly authenticated and identifiable to both the self－driving vehicle （SDV） and the business／security infrastructure．

G1．4．1．4．1：車輛操作員已通過自動駕駛車輛（SDV）和業務／安全基礎設施的適當認證和識別。

G1．4．1．4．2：Access to vehicles and vehicle keys are restricted to qualified vehicle operators

G1．4．1．4．2：只有合格的車輛操作員才能使用車輛和車鑰匙

G1．4．1．4：Only vehicle operators are able to operate self－driving vehicles

G1．4．1．4：只有車輛操作員才能操作自動駕駛車輛

G1．4．1．5：The vehicle operator has an appropriate set of responsibilities when operating a self－driving vehicle （SDV）

G1．4．1．5：當操作自動駕駛車輛（SDV）時，車輛操作員承擔一套適當的責任

G1．4．1．6：The vehicle operator is appropriately trained for manual driving

G1．4．1．6：車輛操作員經過適當的手動駕駛培訓

G1．4．1．7：The vehicle operator is appropriately trained in support of safe self－driving vehicle （SDV） monitoring ／ operation

G1．4．1．7：車輛操作員經過適當培訓，以支持安全自動駕駛車輛（SDV）監控／操作

G1．4．1．8：The vehicle operator is effectively informed of expected system behavior， including self－driving vehicle （SDV） capabilities and limitations

G1．4．1．8：有效地通知車輛操作員預期的系統行為，包括自動駕駛車輛（SDV）能力和限制

G1．4．1．9．1：A driver monitoring system alerts the vehicle operator to inattention

G1．4．1．9．1：駕駛員監控系統提醒車輛操作員注意

G1．4．1．9．2：The self－driving vehicle is designed to prevent undue vehicle operator distraction

G1．4．1．9．2：自動駕駛車輛旨在防止車輛操作員過度分心

G1．4．1．9．3：The vehicle operator is capable of identifying and mitigating operational design domain （ODD） and operational domain （OD） mismatch

G1．4．1．9．3：車輛操作員能夠識別和緩和運行設計域（ODD）和運行域（OD）不匹配

G1．4．1．9：The vehicle operator is alert and attentive to the road environment

G1．4．1．9：車輛操作員對道路環境保持警惕和關注

G1．4．1：During testing and development， vehicle operators enforces the operational concept and reduces safety risk to acceptable level

G1．4．1：在測試和開發過程中，車輛操作員執行操作概念，并將安全風險降低到可接受的水平

G1．4．2．1：Departures from the operational design domain are detected

G1．4．2．1：檢測到偏離運行設計域ODD

G1．4．2．2：Departures from the operational design domain are safely mitigated

G1．4．2．2：安全緩和對運行設計域的偏離

G1．4．2：The self－driving vehicle is operated within a defined operational domain （OD） within the system＇s operational design domain

G1．4．2：自動駕駛車輛在系統運行設計范圍內的規定運行域（OD）內運行

G1．4．3：A set of operational safety policies and procedures support safe operations

G1．4．3：一套操作安全政策和程序支持安全操作

G1．4．3．1：Set of operational safety policies and procedures support safe test track operations

G1．4．3．1：一套運行安全政策和程序支持安全測試車道運行

G1．4．3．2：Operational safety policies are reviewed and version controlled

G1．4．3．2：審查運行安全政策并控制版本

G1．4．3．3：Set of operational safety policies and procedures support safe on－road operations

G1．4．3．3：一套操作安全政策和程序支持安全的道路操作

G1．5：The self－driving vehicle addresses all applicable legal requirements and guidance through compliance or justification of non－compliance

G1．5：自動駕駛車輛通過合規性或不合規理由滿足所有適用的法律要求和指導

G1．5．1．1：The self－driving vehicle is designed to comply with all appropriate local， state， federal regulation

G1．5．1．1：自動駕駛車輛的設計符合所有適當的地方、州、聯邦法規

G1．5．1．2：The self－driving vehicle is evaluated for compliance with all appropriate local， state， federal regulation

G1．5．1．2：評估自動駕駛車輛是否符合所有適當的地方、州、聯邦法規

G1．5．1．3：All federal， state， and local regulations without compliance have appropriate justification， documentation and approval

G1．5．1．3：所有未遵守的聯邦、州和地方法規都有適當的理由、文件和批準

G1．5．1：The self－driving vehicle complies or justifies non－compliance with applicable local， state， federal regulation

G1．5．1：自動駕駛車輛符合或證明不符合適用的地方、州、聯邦法規

G1．5．3：Non－regulatory guidance is reviewed and implemented where appropriate

G1．5．3：在適當的情況下，審查并實施非監管指南

G2：Fail－Safe

The self－driving vehicle is acceptably safe in presence of faults and failures

G2：故障安全

自動駕駛車輛在出現故障和故障時是可接受的安全

G2．1．1：The rate of failure of the system is reasonably low：S2．1：We mitigate hazards by identifying faults and failure modes and ensuring the system is able to detect them and take action to minimize safety risk when they occur and by engineering and design activities to ensure the overall failure rate of the system is acceptably low．

G2．1．1：系統的故障率相當低：S2．1：我們通過識別故障和故障模式，確保系統能夠檢測到故障和故障模式，并在發生時采取措施將安全風險降至最低，以及通過工程和設計活動，以確保系統的整體故障率低到可接受的程度，從而減輕危害。

G2．1．1．1：The frequency of unplanned ／ unexpected minimum risk maneuvers （MRM） is sufficiently low

G2．1．1．1：計劃外／意外最小風險機動（MRM）的頻率足夠低

G2．1．1．2：The self－driving vehicle systems are designed to robustly operate in their intended ODD

G2．1．1．2：自動駕駛車輛系統設計為在其預期的ODD模式下穩健運行

G2．1．1．3：The self－driving vehicle is tested against industry standards and best practices for reliability

G2．1．1．3：根據行業標準和最佳實踐對自動駕駛車輛進行可靠性測試

G2．1．1．4：Identified Faults and Failure Modes are systematically tracked

G2．1．1．4：系統跟蹤已識別的故障和故障模式

G2．1．2：The effectiveness of fault mitigation is acceptably high

G2．1．2：故障緩和的有效性相當高

G2．1．2．1．1：Diagnostic coverage is acceptably high

G2．1．2．1．1：診斷覆蓋率較高

G2．1．2．1．2：The fault management system provides dependable fault detection

G2．1．2．1．2：故障管理系統提供可靠的故障檢測

G2．1．2．1：The rate of successful fault detection and response activation is acceptably high

G2．1．2．1：故障檢測和響應激活的成功率相當高

G2．1．2．2．1：The system transitions to the specified fault response state （e．g． degraded mode） within the applicable time interval

G2．1．2．2．1：系統在適用的時間間隔內過渡到規定的故障響應狀態（例如降級模式）

G2．1．2．2．2：Minimum risk maneuvers are reliably executed when triggered

G2．1．2．2．2：觸發時可靠執行最小風險機動

G2．1．2．2．3：The minimal risk maneuver（s） used to respond to the fault are reasonably low in risk

G2．1．2．2．3：用于響應故障的最低風險策略的風險相當低

G2．1．2．2．4：The system does not have an unreasonable level of safety risk when executing an MRM with a system fault present．

G2．1．2．2．4：在存在系統故障的情況下執行MRM時，系統沒有不合理的安全風險水平。

G2．1．2．2：The selected fault response is effective in reducing safety risk to acceptable levels

G2．1．2．2：所選故障響應有效地將安全風險降低到可接受的水平

G3：Continuously Improving

All identified potential safety issues posing an unreasonable risk to safety are evaluated， and resolved with appropriate corrective and preventative actions

G3：持續改進

評估對安全構成不合理風險的所有已識別潛在安全問題，并采取適當的糾正和預防措施予以解決

G3．1：Safety performance indicators are measured， analyzed， and used to monitor safety

G3．1：安全性能指標被測量、分析并用于監控安全

G3．1．1：Safety performance indicators are defined for all safety related functional areas of the self－driving enterprise

G3．1．1：為自動駕駛企業的所有安全相關功能領域定義了安全性能指標

G3．1．2：Safety performance indicators are defined for safety－related performance of the autonomy system

G3．1．2：安全性能指標是為自治系統的安全相關性能定義的

G3．1．3：Safety performance indicators are defined for the self－driving enterprise and off－board functions

G3．1．3：為自動駕駛企業和非車載功能定義了安全性能指標

G3．1．4：Safety performance indicators are defined for self－driving enterprise safety culture

G3．1．4：為自動駕駛企業安全文化定義了安全性能指標

G3．1．5：Safety performance indicators are measured appropriately

G3．1．5：適當測量安全性能指標

G3．1．6：Safety performance indicators are appropriately analyzed

G3．1．6：適當分析安全性能指標

G3．1．7：Safety performance indicators are effective

G3．1．7：安全性能指標有效

G3．2．1：The company employs a safety risk management process and evidence the process is being used：S3．2：Strategy 1： Utilize proactive safety risk identification and resolution processes in place throughout testing， development and production in order to minimize anomalies．

G3．2．1：公司采用了安全風險管理流程，并證明該流程正在使用：S3．2：策略1：在整個測試、開發和生產過程中，利用積極主動的安全風險識別和解決流程，以盡量減少異常情況。

G3．2．1．1：An internal safety concern reporting system and resolution process exists supporting anomaly identification

G3．2．1．1：存在支持異常識別的內部安全問題報告系統和解決流程

G3．2．1．2：All functional areas of the self－driving enterprise identify safety risk

G3．2．1．2：自動駕駛企業的所有功能區域都識別安全風險

G3．2．1．3：Thresholds for safety risk level decision making and criteria are defined

G3．2．1．3：定義了安全風險等級決策的閾值和標準

G3．2．1．4．1：The safety risk register is updated for all mitigation actions

G3．2．1．4．1：更新所有緩和措施的安全風險登記

G3．2．1．4．2：The company performs safety risk monitoring

G3．2．1．4．2：公司進行安全風險監控

G3．2．1．4．3：The company performs an internal evaluation program for compliance to safety risk management process

G3．2．1．4．3：公司執行內部評估計劃，以符合安全風險管理流程

G3．2．1．4：All identified safety risks are sufficiently mitigated

G3．2．1．4：所有已識別的安全風險均得到充分緩和

G3．2．1．5．1：The company has defined safety risk owners and an accountable executive

G3．2．1．5．1：公司已確定安全風險負責人和負責人

G3．2．1．5．2：The company safety risk owners are empowered to affect change

G3．2．1．5．2：公司安全風險負責人有權影響變更

G3．2．1．5．3：The company cross－functionally reviews safety risks

G3．2．1．5．3：公司跨職能部門審查安全風險

G3．2．1．5．4：The safety risk stakeholder review outputs are communicated to affected stakeholders

G3．2．1．5．4：將安全風險利益相關者審查結果傳達給受影響的利益相關者

G3．2．1．5：The company has a defined safety risk management process

G3．2．1．5：公司有明確的安全風險管理流程

G3．2．1．6：The company measures efficacy of the safety risk management processes

G3．2．1．6：公司測量安全風險管理過程的有效性

G3．2．2：Metrics proactively identify trends for continuous improvement

G3．2．2：指標主動識別持續改進的趨勢

G3．3．1：Appropriate resolution processes identify and appropriately resolve all observed ／ reported anomalies：S3．3：Strategy 2： Utilize reactive anomaly identification and resolution processes in place throughout testing， development， service， operations， and production in order to decrease recurrence of anomalies

G3．3．1：適當的解決過程識別并適當解決所有觀察到的／報告的異常：S3．3：策略2：在整個測試、開發、服務、運營和生產過程中利用反應性異常識別和解決過程，以減少異常的再次發生

G3．3．2：Anomaly health status is appropriately reviewed by relevant internal stakeholders

G3．3．2：異常健康狀態由相關內部利益相關者進行適當審查

G4：Resilient

The self－driving vehicle is acceptably safe in case of reasonably foreseeable misuse and unavoidable events

G4：彈性

在可合理預見的誤用和不可避免的事件情況下，自動駕駛車輛具備可接受的安全

G4．1：Potential harm incurred during and after a vehicle collision is mitigated

G4．1：減輕車輛碰撞期間和之后產生的潛在傷害

G4．1．1：Vehicle platform safety features reduce potential harm

G4．1．1：車輛平臺安全功能可減少潛在危害

G4．1．2：The Aurora Driver functions appropriately during and after a vehicle collision．

G4．1．2：Aurora駕駛員在車輛碰撞期間和之后能夠正常工作。

G4．1．3．1：Incident Response procedures are documented

G4．1．3．1：記錄事件響應程序

G4．1．3．2：Personnel operating the vehicles are trained on incident response．

G4．1．3．2：對操作車輛的人員進行事故響應培訓。

G4．1．3：Personnel operating SDE vehicles can appropriately respond to self－driving vehicle （SDV） emergency situations

G4．1．3：操作SDE車輛的人員可適當響應自動駕駛車輛（SDV）緊急情況

G4．1．4：The self－driving vehicle detects when a vehicle collision occurred

G4．1．4：自動駕駛車輛在發生車輛碰撞時進行檢測

G4．1．5：Public safety officials have information to be able to appropriately respond to self－driving vehicle emergency situations

G4．1．5：公共安全官員掌握信息，能夠適當應對自動駕駛車輛緊急情況

G4．1．6：Riders can appropriately respond to self－driving vehicle emergency situations

G4．1．6：乘客可以適當地應對自動駕駛車輛的緊急情況

G4．2：Potential harm from reasonably foreseeable misuse is mitigated

G4．2：減輕合理可預見的誤用的潛在危害

G4．2．1．1：Reasonably foreseeable misuse mitigations are verified

G4．2．1．1：驗證合理可預見的誤用緩和措施

G4．2．1．2：Reasonably foreseeable misuse mitigations are validated

G4．2．1．2：驗證合理可預見的誤用緩和措施

G4．2．1：Reasonably foreseeable misuse mitigations are designed and implemented

G4．2．1：設計并實施合理可預見的誤用緩和措施

G4．2．2．1：Mitigations for insider threat are verified

G4．2．2．1：驗證內部威脅的緩和措施

G4．2．2．2：Mitigations for insider threat are validated

G4．2．2．2：驗證內部威脅的緩和措施

G4．2．2：Insider threat mitigations are designed and implemented

G4．2．2：設計并實施內部威脅緩和措施

G4．3：Potential harm from cyber intrusion is appropriately mitigated

G4．3：適當減輕網絡入侵的潛在危害

G4．3．1．1：An inventory of all assets is created and maintained

G4．3．1．1：創建并維護所有資產的清單

G4．3．1．2：A threat analysis is conducted on all assets

G4．3．1．2：對所有資產進行威脅分析

G4．3．1：Operational safety risk assessments identify threats and their feasibility

G4．3．1：運行安全風險評估確定威脅及其可行性

G4．3．2．1：Passive event monitoring within components of the self－driving enterprise identify anomalous behavior

G4．3．2．1：自動駕駛企業部門內的被動事件監控以識別異常行為

G4．3．2．2：Active event monitoring of self－driving enterprise behavior identify anomalous behavior

G4．3．2．2：自動駕駛企業行為的活動事件監控以識別異常行為

G4．3．2：The self－driving enterprise detects when a cyber intrusion has occurred

G4．3．2：自動駕駛企業在發生網絡入侵時進行檢測

G4．3．3：Defensive measures are implemented to reduce the likelihood of a cyber intrusion

G4．3．3：采取防御措施以降低網絡入侵的可能性

G4．3．4：Reactive measures are implemented during a cyber intrusion to limit harm

G4．3．4：在網絡入侵期間實施應對措施，以限制損害

G4．3．5：Permanent corrective actions and lessons learned are put in place after a cyber intrusion to avoid recurrence

G4．3．5：在網絡入侵后采取永久性糾正措施并吸取教訓，以避免再次發生

G5：Trustworthy

The self－driving enterprise is trustworthy

G5：值得信賴

自動駕駛企業是值得信賴的

G5．1．1．1．1：Safety culture and personnel are appropriate for safety－critical systems：S5．1．1．1：Argument is based on addressing competence alongside safety culture， remaining current with the state of the industry

G5．1．1．1．1：安全文化和人員適用于安全關鍵系統：S5．1．1．1：論點基于體現安全文化的能力，并與行業最新現狀保持一致

G5．1．1．1．2：Persons developing the self－driving enterprise have the required competencies corresponding to their responsibilities

G5．1．1．1．2：開發自動駕駛企業的人員具有與其職責相對應的所需能力

G5．1．1．1．3：Prevailing industry best practices and standards are reviewed and adherence documented， on a continual basis

G5．1．1．1．3：持續審查當前行業最佳實踐和標準，并記錄遵守情況

G5．1．1．1．4：Persons developing the self－driving enterprise are engaged in broader applicable industry proceedings

G5．1．1．1．4：開發自動駕駛企業的人員參與更廣泛適用的行業程序

G5．1．1：The organizational environment is appropriate for safety－critical systems：S5．1：If the organizational environment is appropriate for system safety， stakeholders are engaged participatively， external communication about the self－driving enterprise is appropriate and verifiable then the claims made in G1－G4 are more likely to be accurate．

G5．1．1：組織環境適用于安全關鍵系統：S5．1：如果組織環境適用于系統安全，利益相關者參與，關于自動駕駛企業的外部溝通是適當且可驗證的，則G1－G4中的聲明更可能準確。

G5．1．2．1：Stakeholders are identified with defined interaction relationships

G5．1．2．1：通過定義的交互關系確定利益相關者

G5．1．2．2：Stakeholders are consulted at appropriate stages of testing and development of the self－driving enterprise

G5．1．2．2：在自動駕駛企業的測試和開發的適當階段咨詢利益相關者

G5．1．2．3：Stakeholders are partnered with at appropriate stages of testing and development of the self－driving enterprise

G5．1．2．3：在自動駕駛企業的測試和開發的適當階段，與利益相關者合作

G5．1．2．4：Stakeholders are informed at appropriate stages of testing and development of the self－driving enterprise

G5．1．2．4：在自動駕駛企業的測試和開發的適當階段通知利益相關者

G5．1．2：Stakeholders are engaged regularly throughout the lifecycle of the self－driving enterprise

G5．1．2：利益相關者在自動駕駛企業的整個生命周期內定期參與

G5．1．3：Appropriate， verifiable evidence of safety and performance is provided outside the self－driving enterprise

G5．1．3：在自動駕駛企業外部提供適當、可驗證的安全和性能證據

G5．1．3．1：Multimodal communication methods are used

G5．1．3．1：使用多模式通信方法

G5．1．3．2：A Safety Case framework for the self－driving enterprise is publicly available

G5．1．3．2：自動駕駛企業的安全案例框架可公開獲取

G5．1．3．3：Credible periodic reports and updates are published or released at key points of transition， testing， and development of the self－driving enterprise

G5．1．3．3：在自動駕駛企業的過渡、測試和開發關鍵點發布或提供可信的定期報告和更新

G5．1．3．4：Verifiable evidence that the self－driving enterprise is capable of appropriately complying with applicable rules， regulations， and guidance is maintained

G5．1．3．4：保留自動駕駛企業能夠適當遵守適用規則、法規和指南的可驗證證據

G5．1．4：The Self－Driving Enterprise is independently reviewed and audited

G5．1．4：對自動駕駛企業進行獨立審查和審計

G5．1．4．1：A safety advisory board of third－party experts is established

G5．1．4．1：成立第三方專家安全咨詢委員會

G5．1．4．2：The self－driving enterprise is appropriately reviewed and audited both internally and externally

G5．1．4．2：對自動駕駛企業進行適當的內部和外部審查和審計

－ End －