dealing with functional safety requirements for automotive ... · department of mathematics and...

Dealing with Functional Safety Requirements for Automotive Systems:

A Cyber-Physical-Social Approach

Mohamad Gharib, Paolo Lollini, Andrea Ceccarelli, and Andrea Bondavalli

University of Florence Department of Mathematics and Informatics

Florence, Italy

CRITIS 2017, Lucca, Italy M. Gharib

Problem statement

► Road transport system is an essential infrastructure in the world, where the majority of the population uses its facilities on a daily basis.

► That is why ensuring their safety has been always a growing concern for most authorities.

I2V

V2I

Vehicle-to-Vehicle

(V2V) communication

Infrastructure-to-Vehicle (I2V)

communication

Vehicle-to-Infrastructure

(V2I) communication

I2V

Cross-road light

Gas station


Problem statement

► The complexity of automotive systems have increased significantly in terms of their functionalities.

► The automotive industry is already aware of that, and the ISO 26262 a standard has been developed.

ISO 26262 covers E/E systems of vehicles with almost no emphasis on the driver itself

I2V

V2I

Vehicle-to-Vehicle

(V2V) communication


communication


(V2I) communication

I2V

Cross-road light

Gas station

ADAS – ACC

System

ADAS – Collision

Avoidance System

ADAS – RADAR/LIDAR

based System

ADAS – Vision

based System

ADAS –

LDW System


Problem statement

► The complexity of automotive systems have increased significantly in terms of their functionalities.

► The automotive industry is already aware of that, and the ISO 26262 a standard has been developed.

ISO 26262 covers E/E systems of vehicles with almost no emphasis on the driver itself

► Integrating social and technical components is essential for developing safer automotive systems.

I2V

V2I

Vehicle-to-Vehicle

(V2V) communication


communication


(V2I) communication

I2V

Cross-road light

Gas station

ADAS – ACC

System

ADAS – Collision

Avoidance System

ADAS – RADAR/LIDAR

based System

ADAS – Vision

based System

ADAS –

LDW System


ISO 26262

► ISO 26262 [1] is a functional safety standard applicable to all road vehicles with a weight under 3500 kg.

► ISO 26262 has been developed with a main objective to provide guidelines and best practices to increase the safety of E/E systems in vehicles.

[1] ISO: 26262: Road vehicles-Functional safety. IS ISO/FDIS 26262 (2011).


Cyber-Physical-Social Systems (CPSSs)

Braking system

Steering system

Engine

Cyber System

► A Cyber system is a system consisting only of technical components.



Fuel injector

(actuator)

Pedestrian detector(sensor)

Emergency braking control

(actuator)

Braking system

Steering system

Engine

Rear Collision

radar (sensor)

Cyber-Physical System

Cyber System


► A Cyber-Physical System (CPS) is a system consisting of cyber systems and controlled objects.



Fuel injector

(actuator)



(actuator)

Braking system

Steering system

Engine

Rear Collision

radar (sensor)


Cyber System

Fuel injector

(actuator)



(actuator)

Braking system

Steering system

Engine

Rear Collision

radar (sensor)

Cyber-Physical-Social System


Cyber System


► A Cyber-Physical System (CPS) is a system consisting of cyber systems and controlled objects.

► A Cyber-Physical-Social System (CPSS) is a system consisting of cyber systems, controlled objects and interacting humans.


A Holistic Approach to Deal with FSR

for Automotive Systems

► The process underlying our approach consists of eight main activities: – Activities 1, 2, 3, 4, and 8 are based on ISO 26262 clauses C.3-5, C.3-6, C.3-7, C.4-6, and

C.4-9 respectively, and they have been extended to consider the driver behavior.

– Activities 5 & 6 are based on clauses C.5-6 and C.6-6 respectively.

– Activity 7 is a new activity that focuses mainly on the specification of social safety requirements.

[P.3] Concept phase [P.4] Product

development

at the system level

5- [C.5-6] Specification of

HW safety requirements

[P.5] Product development

at the HW level

6- [C.6-6] Specification of

SW safety requirements

[P.6] Product development

at the SW level

7- Specification of social

safety requirements

4- [C.4-6]

Technical safety

concept

1- [C.3-5] Item

definition

2- [C.3-6] Hazard

analysis and risk

assessment

3- [C.3-7]

Functional safety

concept

8-[C.4-9]

Safety

validation


Example: Maneuver Assistance System

► Maneuver Assistance System (MAS) is expected to increase the driver's safety by monitoring its behaviour, detecting unintended maneuvers, and respond in a way that guarantees the highest possible level of driver safety.


Braking control

(actuator)

Forward Collision

radar (sensor)

Pedal/foot (sensor)

Hands location (sensor)

Head pose (sensor) Rear

Collision radar

(sensor)

Speedometer (sensor)

Surround monitoring

system (sensor)



► 1. [C.3-5] Item definition: The main function of MAS is to allow/prevent intended/unintended drivers’ tactical and operational maneuvers when the vehicle is moving faster than 50 km/h.

– FR_01. Allow intended drivers’ tactical/operational maneuvers when the vehicle.

– FR_02. Prevent unintended drivers’ tactical/operational maneuvers when the vehicle.

ADAS

– MAS

FR_01

FR_02



► 2. [C.3-6] HARA: Hazard analysis and risk assessment.

2.1. Hazard identification

– H_01. Preventing an intended maneuver when the vehicle.

– H_02. Allowing an unintended maneuver to be performed.

ADAS

– MAS

FR_01

FR_02

H_01

H_02




2.1. Hazard identification & 2.2. Risk assessment



ADAS

– MAS

FR_01

FR_02

H_01

H_02

SeverityS0-S3

Exposure E0-E4

Controllability C0-C3

+

+

= QMASIL A B C D

ASIL C

ASIL C




2.1. Hazard identification & 2.2. Risk assessment


– SG_01. A driver unintended maneuver shall be prevented


ADAS

– MAS

FR_01

FR_02

H_01

H_02

SeverityS0-S3

Exposure E0-E4


+

+

= QMASIL A B C D

ASIL C

ASIL C

SG_01



► 3. [C.3-7] Functional safety concept is developed by deriving functional safety requirements from safety goals.

– FSR_01. MAS shall be able to verify whether the driver’s maneuver is intended within an appropriate time.

– FSR_02. MAS shall prevent unintended maneuvers.

ADAS

– MAS

FR_01

FR_02

H_01

H_02

SeverityS0-S3

Exposure E0-E4


+

+

= QMASIL A B C D

ASIL C

ASIL C

SG_01 FSR_01

FSR_02



► 4. [C.3-6] Technical safety concept aims to specify the technical implementation of the functional safety concept.

– TSR_01. MAS shall be able to verify whether the driver’s operation maneuvers are needed within an appropriate time.

– TSR_02. MAS shall prevent unneeded operational maneuvers.

ADAS

– MAS

FR_01

FR_02

H_01

H_02

SeverityS0-S3

Exposure E0-E4


+

+

= QMASIL A B C D

ASIL C

ASIL C

SG_01 FSR_01

FSR_02

TSR_01

TSR_02

TSR_03

TSR_04



► 5. [C. 5-6]/6.[C. 6-6] Specification of Hardware/Software/SoCial Safety Requirements (HWSRs)/(SWSRs).

– SHWSR_01. Lock actuator should be tested and verified efficient in an environment complying with the same real environmental it might function in.

– SSWSR_01. Lock actuator software concerning timely response should be tested and verified efficient in an environment complying with the same real environmental it might function in.

ADAS

– MAS

FR_01

FR_02

H_01

H_02

SeverityS0-S3

Exposure E0-E4


+

+

= QMASIL A B C D

ASIL C

ASIL C

SG_01 FSR_01

FSR_02

TSR_01

TSR_02

TSR_03

TSR_04

SHWSR_01

SSWSR_01



► 7. Specification of SoCial Safety Requirements (SCSRs).

– SSCSR_01. MAS shall be able to fuse all available cues information to determine whether an operational maneuver is needed with respect to the driver state, vehicle and its environment within appropriate time.

ADAS

– MAS

FR_01

FR_02

H_01

H_02

SeverityS0-S3

Exposure E0-E4


+

+

= QMASIL A B C D

ASIL C

ASIL C

SG_01 FSR_01

FSR_02

TSR_01

TSR_02

TSR_03

TSR_04

SHWSR_01

SSWSR_01

SSCSR_01



► 8. Safety validation.

– V&V for SSCSR_01. Each mechanism used for acquisition and fusion of cues information to determine the driver awareness, predicting and evaluating whether its operational maneuver is intended should be tested and verified efficient in an environment complying with the same real environmental it might function in.

ADAS

– MAS

FR_01

FR_02

H_01

H_02

SeverityS0-S3

Exposure E0-E4


+

+

= QMASIL A B C D

ASIL C

ASIL C

SG_01 FSR_01

FSR_02

TSR_01

TSR_02

TSR_03

TSR_04

SHWSR_01

SSWSR_01

SSCSR_01

+V&V

+V&V

+V&V


Conclusions and Future Work

► Conclusions – We discussed the limitation in the current standard (ISO 26262) for developing

functional safety systems for vehicles, which mainly cover E/E systems of vehicles.

– We proposed a holistic approach built based on the ISO 26262 standard and considers both the E/E systems and the driver's behaviour.

► Future Work – We intend to formalize all the previously introduced concepts and develop SysML

profiles based on them, which allows for modeling FSRs, derive the TSRs, and then derive the HWSRs, SWSRs, and SCSRs from TSRs.

– We are planning to propose a set of Object Constraint Language (OCL) constraints for specifying rigorous rules for the derivation of HWSRs, SWSRs, and SCSRs from TSRs, and the derivation of TSRs from FSRs.

THANK YOU

for your attention

21

dealing with functional safety requirements for automotive ... · department of mathematics and...

Documents