In vehicles equipped with Advanced Driver Assistance Systems (ADAS) or in Autonomous Driving (AD) vehicles, the driver (human) relies on Electrical/Electronic systems for control of the vehicle. The ADAS/AD systems perform critical actions of maneuvering / driving the vehicle in traffic, on various kinds of roads (highway/city), and in different environmental conditions like day/night/rain/fog, etc. Thus, it is very important to make these ADAS/AD systems very robust so that the user can depend on them.
Man-made systems can be designed to be reliable for the intended functionality but cannot be fault-free. There can be deterioration of the system components either mechatronic, electrical, electronic or due to corruption of the information flowing within or from outside the vehicle systems. For example, a sensor malfunction may provide incorrect data, or a cyber-attack could intervene and cause a failure. Thus, engineers must find possibilities by which a system can fail, implement mechanisms to detect the failures, and perform in-time appropriate actions to take the system to a safe state. A simple example of this could be the failure/malfunction of a camera sensor in an ADAS vehicle. As soon as the camera malfunction is detected, the system must inform the driver and ask him/her to take control of the vehicle and shut down the ADAS system.
Aspects to detect and mitigate all possible failures in the system once considered along with the functional design can make the system safe and avoid probable hazards or accidents.
A systematic method to analyze and identify different root causes by which an Electric/Electronic (E/E) system in a vehicle can fail is termed as Functional Safety analysis of the system. In the automotive domain, ISO26262 standards provide guidelines to make the system functionally safe against malfunctions.
Let’s look at how Functional Safety – ISO26262 implementation makes a system safe against malfunctions
A typical automotive product development life cycle starts with vehicle level concept development, system design, hardware, and software design, implementation and ends with verification and validation of each phase of development.
At each stage of this product development maturity, one must carry out safety analysis activities to identify loopholes or dependencies that may lead to a hazardous situation or violate a safety requirement derived in the previous phase of the development cycle.
Figure 1: Product Development Life Cycle
Let us consider that we are developing the ADAS feature ‘Highway Assist (HWA)’. At the concept stage of development, we analyze the HWA system based on vehicle level function failures e.g., loss of vehicle deceleration /braking function. These vehicle level function failures in combination with different driving conditions can lead to multiple hazardous situations with varying degrees of severity.
The ISO 26262 standard provides a guideline to assess severity (Severity Classes) of all situations and also provides a safety rating system (ASIL). Engineers must use a combination of Severity Classes and ASIL ratings mentioned in Fig 2 and Fig 3 below, to develop appropriate ‘Safety Goals’. For instance, in the above-mentioned example ‘loss of vehicle deceleration for Highway assist, the safety goal will be to avoid ‘unintended deceleration.’
Figure 2 : Guidelines to asses severity of a hazardous situation
The ASIL Levels – Automotive Safety Integrity Levels
Figure 3: ASIL Classification
At the next stage of the analysis, we check different possibilities of malfunctions that may cause unintended deceleration.
Based on preliminary architecture (Fig 4) a Fault Tree Analysis -FTA (Fig 5) is carried out to identify possible root causes contributing to violation of the safety goal i.e., unintended deceleration
Figure 4: HWA Preliminary Architecture
Figure 5: Partial sample of Fault Tree Analysis on preliminary architecture for SG- “Avoid unintended deceleration of the vehicle”
Thus, based on the derived safety goals engineers analyze the preliminary architecture to identify all dependencies which can trigger a safety goal violation and derive ‘functional safety requirements’ and ‘functional safety concept.’
Below are two examples of Functional Safety Requirements (FSR)
Safety requirements are requirements addressing what the system must perform to detect a
fault, and what actions the system should perform on fault detection; so that the subsequent
hazard can be timely avoided.
Safety requirements ensure that on detection of a fault the system transitions to a safe state
before the hazard occurs. All these safety requirements from fault detection to fault handling to
timely transitioning to a safe state and required updates in the current
concept/architecture/design form a safety concept.
Hence at each level of product development maturity, we identify dependencies violating the
safety goal or former development stage safety requirement to create a respective level of safety
requirements and safety concepts.
Like Fault Tree Analysis (FTA), we also use other safety analysis methodologies like Failure
Mode and Effects Analysis (FMEA), and Dependent Failure Analysis (DFA) for more detailed
analysis at subsequent product development stages.
The three kinds of safety requirements are showcased in Figure 6 below
Figure 6: Three kinds of safety requirements
The Functional Safety Standard ISO 26262 also provides additional guidelines for components being developed out of context and the Fail-Safe Operation Concept
One of the challenges for organizations that specialize in developing software components is that they need to develop safety compliant software components without any system context for e.g. while developing software components like AUTOSAR/ Middleware or Operating systems the software development team may not know in which ADAS/AD application or system their software component will be used. For such software development situations some system context assumptions must be made during development to comply with safety standards. The ISO26262 Functional Safety standard provides guidelines for such an approach under Safety Element out of Context (SEooC)
For ADAS vehicles up to Level 3, there is a human driver present and once a failure is detected the human driver can be asked to take control of the vehicle to bring the vehicle to a safe stop.
But in higher levels of autonomy i.e., Level 3+ or Level 4/5 there may be no human driver to take control of the vehicle in case of a failure. In such scenarios, the system must be capable to detect and operate the vehicle with a minimum risk motion and stop the vehicle at a safe position.
These aspects of safety are analyzed and designed using the Fail Safe Operational concept. In this process, one must perform Dependent failure analysis, freedom from interference analysis, and develop a redundant system to ensure operation of the vehicle even in a critical malfunction situation i.e. the system must have redundancy by means of a secondary camera or the use of other sensors (Radar/Lidar) to bring the vehicle to a safe state (park to the side)
In summary at every development stage from concept, system, hardware, and software respective stage verification and validation of the safety requirements and its implementation is performed. This ensures that development at each stage complies with safety requirements and processes helping develop a safe robust product.
At KPIT, our safety experts implement a stringent process for all aspects of Functional Safety from the beginning of the product development process. The team works with our global clients to help create Dependable Software for ADAS/ AD vehicles. functional safety activities.
Senior Solution Architect
Connect with us
KPIT Technologies is a global partner to the automotive and Mobility ecosystem for making software-defined vehicles a reality. It is a leading independent software development and integration partner helping mobility leapfrog towards a clean, smart, and safe future. With 10000+ automobelievers across the globe specializing in embedded software, AI, and digital solutions, KPIT accelerates its clients’ implementation of next-generation technologies for the future mobility roadmap. With engineering centers in Europe, the USA, Japan, China, Thailand, and India, KPIT works with leaders in automotive and Mobility and is present where the ecosystem is transforming.
Rajiv Gandhi Infotech Park,
Hinjawadi, Pune – 411057
Phone: +91 20 6770 6000
Frankfurter Ring 105b,80807
Phone: +49 89 3229 9660
Fax: +49 89 3229 9669 99
KPIT and KPIT logo are registered trademarks | © Copyright KPIT for 2018-2023
|cookielawinfo-checbox-analytics||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".|
|cookielawinfo-checbox-functional||11 months||The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".|
|cookielawinfo-checbox-others||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.|
|cookielawinfo-checkbox-necessary||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".|
|cookielawinfo-checkbox-performance||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".|