Development of a Collision Avoidance Truck System from a Functional Safety Perspective

Ortman, Victor, Gradin, Petter

January 2011

ISO 26262 is a functional safety standard under development at the time of this thesis. It is an adaptation of the functional safety standard IEC 61508, aimed at development of automotive electrical/electronic systems. The version of ISO-26262 that was used and discussed in this thesis is the final draft released in January 2011. In this thesis, a subset of ISO-26262 is applied in the development of a safety critical driver assistance system for a Scania vehicle. The parts of ISO-26262 that are treated are Part 3: Concept phase, Part 4: Product development at the system level and Part 5: Product development at the hardware level. Throughout the thesis we evaluate ISO-26262 and report our experience of working with it. The driver assistance system under development, which ISO-26262 is applied to, is Collision Avoidance by Steering, a system that aims to avoid or mitigate rear-end collisions with vehicles in front by automatic steering of the vehicle.

ISO-26262

functional safety

collision avoidance

Analysis and Specification of an AUTOSAR based ECU in compliance with ISO 26262 Functional Safety Standard

Layal, Vibhu

01 November 2016

Safety has been always been an important part, irrespective of the field of work that it accounts for. The functional safety standard that is currently being used in the automotive domain is the ISO 26262. This is an adaptation of the IEC 61508 safety standard. It is directed as a basic functional safety standard for a variety of industries. The version of ISO 26262 that is used in this thesis is the final draft released in January, 2011. In this thesis, various parts of the ISO 26262 functional safety standard are considered in order to understand the differences and interdependencies between them. The parts of ISO 26262 that are treated are as follows; Part 1: Vocabulary, Part 3: Concept phase, Part 4: Product development at the system level, Part 6: Product development at the software level and Part 9: Automotive Safety Integrity Level (ASIL)-oriented and safety-oriented analysis. During the entire course of this thesis the ISO 26262 standard is evaluated and the experience gained from it is jotted down. The understanding gained during this thesis about the ISO 26262 can be applied to ongoing or new development processes. As safety can never be overlooked, the wisdom that belongs to the ISO 26262 can be generously used into embedded systems that demand certain levels of safety.

ISO 26262

ASIL

Software

Autosar

ISO 26262

ASIL

software

Autosar

ddc:000

Informatik

Software

AUTOSAR

Sicherheit

Optimization approach for the critical automotive embedded systems / Méthodologie d'optimisation de l'architecture des systèmes embarqués critiques dans l'industrie automobile

Dhouibi, Mohamed Slim

21 March 2016

La conception des systèmes embarqués est une tâche complexe. Les ingénieurs sont confrontés à divers contraintes liées à la technologie, au coût,à la complexité et aux contraintes de sécurité. Toutes ces contraintes ont un grand impact sur l’architecture du système et par conséquence sur le coût final. Nous proposons dans cette thèse une approche pour la conception des système et l’optimisation de l’architecture guidée par les contraintes de sécurité et de coût. Elle s’agit d’une approche de synthèse de l’architecture qui prend en compte les contraintes de sécurité dans le contexte du standard ISO 26262. Elle permet, d’une part, d’atteindre une architecture préliminaire du système en choisissant les éléments de l’architecture permettant de réduire le coût global. D’autre part, elle conduit à une allocation des fonctions aux éléments de l’architecture qui respecte les contraintes liées aux niveaux de sécurité et les défaillances de ces éléments. Nous utilisons des algorithmes exhaustive et génétique pour l’exploration de l’espace de conception. En l’appliquant sur un cas d’étude industriel, nous démontrons sa contribution pour parvenir à la conception conforme et sa capacité à réduire les coûts entraîne par les contraintes de sécurité / The embedded system design is a challenging task. The engineers are faced with technological, cost, complexity and safety constraints. These constraints have a big impact on the system architecture and consequently on the final cost. we propose in this thesis an approach for system design and architecture optimization driven by safety and cost constraints. It consists of an architecture synthesis approach that takes into account the safety constraints in the ISO 26262 context. It allows, at one hand, to reach a system preliminary architecture by choosing the architecture elements that reduce the overall cost. On the other hand, it leads to a functions mapping that respects the safety constraints related to the integrity levels and to the dependent failures. We use exhaustive and genetic algorithm for the design space exploration. By applying it on an industrial study-case we demonstrate its contribution in reaching compliant design and its capability in reducing the safety constraints costs.

Synthèse d’architecture

Optimization

Systèmes embarqués

Iso 26262

Architecture Synthesis

Design optimization

Iso 26262

Embedded Systems

620

Ontology centric design process : Sharing a conceptualization / Démarche de conception formelle pour systèmes mécatroniques critiques automobiles

Taofifenua, Ofaina

10 July 2012

Dans le marché mondial fortement concurrentiel, un constructeur automobile doit offrir à ses clients des services innovants, respectueux de l'environnement et sûrs de fonctionnement. Tout cela doit être fait à des coûts très compétitifs tout en respectant des réglementations et des délais de plus en plus stricts. Ces travaux répondent à ces défis et visent à améliorer le processus de conception des systèmes mécatroniques critiques automobile. Ils montrent que l'utilisation de modèles formels et informels peuvent se rapporter à un modèle sémantique commun, i.e., une ontologie système et sécurité, qui permet d'assurer la cohérence du processus de conception tout en respectant la norme ISO 26262. Les concepts de ces travaux ont été appliquées sur un système de freinage régénératif hybride intégré dans un véhicule électrique. L'application a démontré que l'ontologie réalisée permet d'enregistrer l'information produite lors de la conception et que l'utilisation d'ontologies permet effectivement de détecter les incohérences sémantiques ce qui améliore la qualité des informations de conception, favorise la réutilisation et assure la conformité à l'ISO 26262. / In the strongly competitive worldwide market of today, a car manufacturer has to offer to its customersrelevant, innovative, reliable, environment friendly and safe services. All this must be done at verycompetitive costs while complying with more and more stringent regulations and tighter deadlines. Thiswork addresses these challenges and aims at improving the design process for automotive safety criticalmechatronics systems. It shows that the use of formal and informal models can commit to a commonsemantic model, i.e., a system and safety ontology, that enables to ensure the consistency of the wholedesign process and compliance with standard ISO 26262. The concepts in this work have been appliedon a regenerative hybrid braking system integrated into an electrical vehicle. It demonstrated that therealized ontology enables to record the information produced during design and that using ontologieseffectively enables to detect semantic inconsistencies which improves design information quality, promotesreuse and ensures ISO 26262 compliance.

Ontologie

Ingénierie des systèmes

Iso 26262

Ontology

Systems engineering

Iso 26262

004

Säkerhetskritiska standarder och FPGA / FPGA and safety critical standards

Stymne, Petter

January 2013

IEC 61508, ISO 26262, DO-254 och CENELEC EN 5012x är alla standarder för utveckling av säkerhetskritiska system. Dessa fyra är applicerbara på bilar upp till 3.5 ton (ISO 26262), flyg (DO-254), tåg (Cenelec EN 5012x) samt IEC 61508 vilket är en standard för flertalet industrigrenar. När ett säkerhetskritiskt system skall implementeras i en FPGA så kan problem uppstå. Detta för att en FPGA ibland räknas till hårdvara men utvecklingen följer samma mönster som mjukvaruutveckling. Detta examensarbetes huvuduppgift är att klargöra hur de olika standarderna ser på FPGA utveckling samt verifiering med hjälp av utökad funktionell verifiering. Uppsatsen är uppdelad i två delar. Den första delen behandlar de säkerhetskritiska standarderna. Vi kommer att gå igenom dessa för att få en översikt samt visa vilka skillnader likheter som finns. Hur ställer de sig till FPGA, hårdvara eller mjukvara. Del två går igenom ett projekt i enlighet med IEC 61508, inklusive metoder för funktionell verifiering ingå. Dessa metoder är ABV (Assertion Based Verification) samt täckningsgrad för verifieringen. Har vi verifierat tillräckligt och vilka krav ställs på ett projekt enligt IEC 61508. I den här delen går vi även igenom hur de olika standarderna ser på FPGA:er samt några rekommendationer gällande FPGA utveckling och säkerhetskritiska system.

FPGA

ISO 26262

DO-254

IEC 61508

CENELEC EN 5012x

SystemVerilog

Building a Safety Case in Compliance with ISO 26262 for Fuel LevelEstimation and Display System

Dardar, Raghad

January 2014

Nowadays, road vehicles, including trucks, are characterized by an increasedcomplexity due to a greater variety of software, and a greater number of sensorsand actuators. As a consequence, there is an increased risk in termsof software or hardware failures that could lead to unacceptable hazards.Thus safety, more precisely functional safety, is a crucial property that mustbe ensured to avoid or mitigate these potential unacceptable hazards. Inthe automotive domain, recently (November 2011), the ISO-26262 safetystandard has been introduced to provide appropriate requirements and processes.More specically, the standard denes the system development processthat must be carried out to achieve a system that can be consideredacceptably safe. To be released on the market, systems must be certied,proofs that the systems are acceptably safe must be provided in terms of astructured argument, known as safety case, which inter-relates evidence andclaims. Certication authorities are in charge of evaluating the validity ofsuch safety cases. In the automotive domain, certication and compliancewith the standard ISO-26262 is becoming mandatory. By now, trucks donot have to be compliant with the standard. However, it is likely that by2016 they will have to. Scania is one of the leading companies in trucksdevelopment. To be ready by 2016, Scania is interested in investigatingISO-26262 as well as safety case provision. Thus this thesis focuses on theprovision of a safety case in the context of ISO-26262 for Fuel Level Estimationand Display System (FLEDS), which is one of the safety-criticalsystems in Scania.1

ISO 26262

Safety case

Fuel Level Estimation and Display System

Functional Safety Assessment in Autonomous Vehicles

Shastry, Akshay Kumar

07 June 2018

Autonomous vehicles (AVs) are a class of safety-critical systems that are capable of decision-making and operate with little or no human intervention. For such complex systems designed to function in diverse operational domains such as rain, snow, freeway, urban roads, etc., system safety is paramount. Management of the system's safety throughout its life-cycle, from the conceptualization stage to the end of the lifecycle, is of primary importance. We describe a revision of functional safety standard ISO 26262 to support autonomous vehicles and the underlying electronic/electrical control architecture. There is a need to modify the Automotive Safety Integrity Levels (ASILs) defined in the ISO 26262 as "Controllability", a factor in determining an ASIL, is no longer applicable; the driver is no longer in a position to control the vehicle. The vehicle has taken over the responsibility of evaluating the environment and determines its next course of action to complete its current mission. These decisions have a tremendous impact on the overall safety of the system during a hazardous event and can be the difference between a successful journey and a traffic incident. To better enable the designers of such systems, we introduce a new method to assess the functional safety and derive safety goals, which are the top level safety requirement. We present a new metric-Risk Mitigation Factor to assess the decision making capability of the vehicle and to replace controllability in the ASIL definition. The case study presented highlights the advantages of using the introduced metric in defining safety goals for the autonomous vehicle. / Master of Science

Functional Safety

Autonomous Vehicles

ISO 26262

Risk Mitigation

From safety analysis to experimental validation by fault injection - Case of automotive embedded systems / Des analyses de sécurité à la validation expérimentale par injection de fautes - Le cas des systèmes embarqués automobile

Pintard, Ludovic

28 May 2015

En raison de la complexité croissante des systèmes automobiles embarqués, la sûreté de fonctionnement est devenue un enjeu majeur de l’industrie automobile. Cet intérêt croissant s’est traduit par la sortie en 2011 de la norme ISO 26262 sur la sécurité fonctionnelle. Les défis auxquelles sont confrontés les acteurs du domaine sont donc les suivants : d’une part, la conception de systèmes sûrs, et d’autre part, la conformité aux exigences de la norme ISO 26262. Notre approche se base sur l’application systématique de l’injection de fautes pour la vérification et la validation des exigences de sécurité, tout au long du cycle de développement, des phases de conception jusqu’à l’implémentation. L’injection de fautes nous permet en particulier de vérifier que les mécanismes de tolérance aux fautes sont efficaces et que les exigences non-fonctionnelles sont respectées. L’injection de faute est une technique de vérification très ancienne. Cependant, son rôle lors de la phase de conception et ses complémentarités avec la validation expérimentale, méritent d’être étudiés. Notre approche s’appuie sur l’application du modèle FARM (Fautes, Activations, Relevés et Mesures) tout au long du processus de développement. Les analyses de sûreté sont le point de départ de notre approche, avec l'identification des mécanismes de tolérance aux fautes et des exigences non-fonctionnelles, et se terminent par la validation de ces mécanismes par les expériences classiques d'injection de fautes. Enfin, nous montrons que notre approche peut être intégrée dans le processus de développement des systèmes embarqués automobiles décrits dans la norme ISO 26262. Les contributions de la thèse sont illustrées sur l’étude de cas d’un système d’éclairage avant d’une automobile. / Due to the rising complexity of automotive Electric/Electronic embedded systems, Functional Safety becomes a main issue in the automotive industry. This issue has been formalized by the introduction of the ISO 26262 standard for functional safety in 2011. The challenges are, on the one hand to design safe systems based on a systematic verification and validation approach, and on the other hand, the fulfilment of the requirements of the ISO 26262 standard. Following ISO 26262 recommendations, our approach, based on fault injection, aims at verifying fault tolerance mechanisms and non-functional requirements at all steps of the development cycle, from early design phases down to implementation. Fault injection is a verification technique that has been investigated for a long time. However, the role of fault injection during design phase and its complementarities with the experimental validation of the target have not been explored. In this work, we investigate a fault injection continuum, from system design validation to experiments on implemented targets. The proposed approach considers the safety analyses as a starting point, with the identification of safety mechanisms and safety requirements, and goes down to the validation of the implementation of safety mechanisms through fault injection experiments. The whole approach is based on a key fault injection framework, called FARM (Fault, Activation, Readouts and Measures). We show that this approach can be integrated in the development process of the automotive embedded systems described in the ISO 26262 standard. Our approach is illustrated on an automotive case study: a Front-Light system.

Injection de fautes

Automobile

Systèmes Embarqués

Sécurité

Vérification

ISO 26262

Fault Injection

Automotive

Embedded Systems

Safety

Verification

ISO 26262

Design and Safety Analysis ofEmergency Brake System forAutonomous Formula Car : In Reference to Functional Safety ISO 26262

Böhlander, Marcus

January 2018

The engineering competition Formula Student has introduced a Driverless Vehicle (DV)class, which requires the students to develop a car that can autonomously make its wayaround a cone track. To ensure the safety of such a vehicle, an Emergency Brake System(EBS) is required. The EBS shall ensure transition to safe state for detection of a singlefailure mode. This thesis work covers the design of the EBS for KTH Formula Student(KTH FS).Due to the safety critical character of this system, the software part of the EBS, calledEBS Supervisor, has been analyzed in accordance with the safety standard ISO 26262 tosee if an improved safety could be achieved. The analysis has been perform according toPart 3: Concept phase of ISO 26262 with an item definition, Hazard Analysis and RiskAssessment (HARA), Functional Safety Concept (FSC) and Technical Safety Concept(TSC).The result of the analysis showed that the EBS Supervisor requires extensive redundanciesin order to follow ISO 26262. This includes an additional CPU as well as signal checksof inputs and outputs. Due to limited resources in terms of money and time within theKTH FS team, these redundancies will not be implemented. The process of working withthe safety standard did however inspire an increased safety mindset. / Ingenjörstävlingen Formula Student har introducerat en förarlös tävlingsklass (eng:Driverless Vehicle) som innebär att studenterna ska utveckla en bil som autonomt kan tasig runt en konbana. För att försäkra sig om säkerheten för ett sådant fordon krävs ettnödbromssystem (eng: Emergency Brake System (EBS)). EBS:en skall försäkra att enövergång till ett säkert tillstånd sker då ett singulärt fel upptäcks. Det här examensarbetetbehandlar designen av EBS:en för KTH Formula Student.På grund av den säkerhetskritiska karaktären hos detta system har mjukvarudelen avEBS:en, kallad EBS Supervisor, blivit analyserad utifrån säkerhetsstandarden ISO 26262för att se om en förbättrad säkerhet kunde uppnås. Analysen har blivit genomfördenligt Del 3: Konceptfas av ISO 26262 med item definition, Hazard Analysis and RiskAssessment, Functional Safety Concept och Technical Safety Concept.Resultatet av analysen visade att EBS Supervisor kräver omfattande redundanser föratt uppfylla ISO 26262. Detta inkluderar en extra CPU såväl som kontroller av inochutsignaler. På grund av begränsade resurser i form av pengar och tid inom KTHFS, valdes dessa redundanser att inte implementeras. Processen av att arbeta medsäkerhetsstandarden har dock inspirerat ett ökat säkerhetstänk.

Emergency Brake System

Formula Student

Functional Safety

ISO 26262

Nödbromssystem

Formula Student

funktionell säkerhet

ISO 26262

Vehicle Engineering

Farkostteknik

Specifying Safety-Critical Heterogeneous Systems Using Contracts Theory

Westman, Jonas

January 2016

Requirements engineering (RE) is a well-established practice that is also emphasized in safety standards such as IEC 61508 and ISO 26262. Safety standards advocate a particularly stringent RE where requirements must be structured in an hierarchical manner in accordance with the system architecture; at each level, requirements must be allocated to heterogeneous (SW, HW, mechanical, electrical, etc.) architecture elements and trace links must be established between requirements. In contrast to the stringent RE in safety standards, according to previous studies, RE in industry is in general of poor quality. Considering a typical RE tool, other than basic impact analysis, the tool neither gives feedback nor guides a user  when specifying, allocating, and structuring requirements. In practice, for industry to comply with the stringent RE in safety standards, better support for RE is needed, not only from tools, but also from principles and methods. Therefore, a foundation is presented consisting of an underlying theory for specifying heterogeneous systems and complementary principles and methods to specifically support the stringent RE in safety standards. This foundation is indeed suitable as a base for implementing guidance- and feedback-driven tool support for such stringent RE; however, the fact is that the proposed theory, principles, and methods provide essential support  regardless if tools are used or not. The underlying theory is a formal compositional contracts theory for heterogeneous systems. This contracts theory embodies the essential RE property of separating requirements on a system from assumptions on its environment. Moreover, the contracts theory formalizes the stringent RE effort of structuring requirements hierarchically with respect to the system architecture. Thus, the proposed principles and methods for supporting the stringent RE in safety standards are well-rooted in formal concepts and conditions, and are thus, theoretically sound. Not only that, but the foundation is indeed also tailored to be enforced by both existing and new tools considering that the support is based on precise mathematical expressions that can be interpreted unambiguously by machines. Enforcing the foundation in a tool entails support that guides and gives feedback when specifying heterogeneous systems in general, and safety-critical ones in particular. / Kravhantering är en väletablerad praxis som ocksåbetonas i säkerhetsstandarder såsom IEC 61508 och ISO 26262. Säkerhetsstandarder förespråkar en särskilt noggrann kravhantering där krav skall struktureras på ett hierarkiskt sätt i enlighet med systemarkitekturen; på varje nivå så skall krav allokeras till heterogena (SW, HW, mekaniska, elektriska, etc.) arkitekturelement och spårlänkar skall upprättas mellan kraven. I motsats till den noggranna kravhanteringen i säkerhetsstandarder så är kravhantering i industrin av allmänt dålig kvalitet enligt tidigare studier. Ett typisk kravverktyg ger inte mycket mer stöd än grundläggande konsekvensanalyser, d.v.s.\ verktyget ger varken återkoppling eller vägledning för att formulera, allokera, och strukturera krav. Bättre stöd behövs för att industrin i praktiken skall kunna förverkliga den noggranna kravhanteringen i säkerhetsstandarder -- inte bara stöd från verktyg, men också från kravhanteringsprinciper och metoder. Därför presenteras ett fundament bestående av en underliggande teori för specifiering av heterogena system, samt kompletterande principer och metoder för att stödja den noggranna kravhanteringen i säkerhetsstandarder. Detta fundament är lämplig som en bas för att kunna implementera verktyg som ger återkoppling och vägledning för kravhantering; likväl så ger den föreslagna teorin, principerna och metoderna essentiellt stöd oavsett om verktyg används eller inte. Den underliggande teorin är en kompositionell och formell kontraktsteori för heterogena system. Denna kontraktsteori ger konkret form åt den centrala kravhanteringsegenskapen att separera kraven på ett system från antaganden på dess omgivning. Dessutom så formaliserar kontraksteorin den noggranna uppgiften att hierarkiskt strukturera krav i enlighet med systemarkitekturen. Således så är de föreslagna principerna och metoderna för att stödja den noggranna kravhanteringen i säkerhetsstandarder välförankrade i formella begrepp och villkor och är därmed också teoretiskt sunda. Det erbjudna stödet är dessutom välanpassat för att kunna verkställas av såväl befintliga som nyaverktyg med tanke på att stödet är grundat på exakta matematiska uttryck som kan tolkas entydigt av maskiner. Verkställandet av fundamentet av ett verktyg medför stöd i form av vägledning och återkoppling vid specifiering av heterogena system i allmänhet, och säkerhetskritiska sådana i synnerhet. / <p>QC 20160909</p> / ESPRESSO

Contracts

Heterogeneous Systems

Safety

Architecture

Requirements

Specification

Elements

Compositional

IEC 61508

ISO 26262

Kontrakt

Heterogena System

Säkerhet

Arkitektur

Kravhantering

Specifiering

Element

Kompositionell

IEC 61508

ISO 26262