Modelling of Safety Concepts for Autonomous Vehicles using Semi-Markov Models

Bondesson, Carl

January 2018

Autonomous vehicles is soon a reality in the every-day life. Though before it is used commercially the vehicles need to be proven safe. The current standard for functional safety on roads, ISO 26262, does not include autonomous vehicles at the moment, which is why in this project an approach using semi-Markov models is used to assess safety. A semi-Markov process is a stochastic process modelled by a state space model where the transitions between the states of the model can be arbitrarily distributed. The approach is realized as a MATLAB tool where the user can use a steady-state based analysis called a Loss and Risk based measure of safety to assess safety. The tool works and can assess safety of semi-Markov systems as long as they are irreducible and positive recurrent. For systems that fulfill these properties, it is possible to draw conclusions about the safety of the system through a risk analysis and also about which autonomous driving level the system is in through a sensitivity analysis. The developed tool, or the approach with the semi-Markov model, might be a good complement to ISO 26262.

Semi-Markov processes

continuous-time Markov chains

safety

steady-state distribution

dependability

ISO 26262

Embedded Systems

Inbäddad systemteknik

Building a safety case for a small sized product line of Fuel Level Display Systems

Gallucci, Antonio

January 2013

ISO 26262 is an international standard valid for the automotive domain. It regulates all the activities to perform for developing safety critical systems in such domain. To be compliant with ISO 26262, all the required activities have to be performed and all the required work products have to be provided. Furthermore, in addition to develop a system in a safe way, following the safety standard guidelines, the achieved safety has also to be demonstrated. This is done through a safety case, a structured argument showing that a system is acceptably safe. ISO 26262 focuses on single systems and does not contain guidelines for product lines. Product line engineering is a valid approach to systematize reuse, aimed at reducing the effort needed to develop similar systems. But, it loses its strength when dealing with safety critical systems, since it is not aligned with safety standards. Hence, when developing a safety critical product line in the automotive domain, the work products required by ISO 26262 have to be provided every time from scratch, including the safety case, for each single system of the product line. This thesis work focuses on providing an approach for building and modeling a safety case for safety critical product lines in the automotive domain. Furthermore, the considered product line engineering approach is aligned with ISO 26262, through the inclusion of safety activities in the product line development process. Giving in this way, the concrete possibility to overtake to the current limitations, reducing the effort needed to develop and certificate each single system of a safety critical product line. To illustrate the validity of the proposed approach a safety critical product line developed by Scania is used as case study.

ISO 26262

Safety-critical product lines

Reusability

Variability management

Families of safety cases

GSN for product lines

Software Engineering

Programvaruteknik

Model-Implemented Fault Injection for Robustness Assessment

Svenningsson, Rickard

January 2011

The complexity of safety-related embedded computer systems is steadilyincreasing. Besides verifying that such systems implement the correct functionality, it is essential to verify that they also present an acceptable level of robustness. Robustness is in this thesis defined as the resilience of hardware, software or systems against errors that occur during runtime. One way of performing robustness assessment is to carry out fault injection, also known as fault insertion testing from certain safety standards. The idea behind fault injection is to accelerate the occurrence of faults in the system to evaluate its behavior under the influence of anticipated faults, and to evaluate error handling mechanisms. Model-based development is becoming more and more common for the development of safety-related software. Thus, in this thesis we investigate how we can benefit from conducting fault injection experiments on behavior models of software. This is defined as model-implemented fault injection in this thesis, since additional model artifacts are added to support the injection of faults that are activated during simulation. In particular, this thesis addresses injection of hardware fault effects (e.g. bit-level errors in microcontrollers) into Simulink® models. To evaluate the method, a fault injection tool has been developed (called MODIFI), that is able to perform fault injection into Simulink behavior models. MODIFI imports tailored fault libraries that define the effects of faults according to an XML-schema. The fault libraries are converted into executable model blocks that are added to behavior models and activated during runtime to emulate the effect of faults. Further, we use a method called minimal cut sets generation to increase the usefulness of the tool. During the work within MOGENTES, an EU 7th framework programme project that focused on model-based generation of test cases for dependable embedded systems, fault injection experiments have been performed on safety related models with the MODIFI tool. Experiments were also performed using traditional fault injection methods, and in particular hardware-implemented fault injection, to evaluate the correlation between the methods. The results reveal that fault injection on software models is efficient and useful for robustness assessment and that results produced with MODIFI appear to be representative for the results obtained with other fault injection methods. However, a software model suppresses implementation details, thus leading to fewer locations where faults can be injected. Therefore it cannot entirely replace traditional fault injection methods, but by performing model-implemented fault injection in early design phases an overview of the robustness of a model can be obtained, given these limitations. It can also be useful for testing of error handling mechanisms that are implemented in the behavior model. / QC 20111205

Fault Injection

Model-Implemented Fault Injection

Robustness

Assessment

ISO 26262

ISO 61508

Software

Embedded Systems

Inbäddad systemteknik

Creating An Editor For The Implementation of WorkFlow+: A Framework for Developing Assurance Cases

Chiang, Thomas

January 2021

As vehicles become more complex, the work required to ensure that they are safe increases enormously. This in turn results in a much more complicated task of testing systems, subsystems, and components to ensure that they are safe individually as well as when they are integrated. As a result, managing the safety engineering process for vehicle development is of major interest to all automotive manufacturers. The goal of this research is to introduce a tool that provides support for a new framework for modeling safety processes, which can partially address some of these challenges. WorkFlow+ is a framework that was developed to combine both data flow and process flow to increase traceability, enable users to model with the desired granularity safety engineering workflow for their products, and produce assurance cases for regulators and evaluators to be able to validate that the product is safe for the users and the public. With the development of an editor, it will bring WorkFlow+ to life. / Thesis / Master of Applied Science (MASc)

Assurance Case

Safety Engineering

Model-Driven Engineering

Domain Specific Language

ISO 26262

Workflow+

Sirius

Eclipse Modeling Framework

Ecore

Safety Case

Evaluation of an Adaptive AUTOSAR System in Context of Functional Safety Environments

Massoud, Mostafa

08 November 2017

The rapidly evolving technologies in the automotive industry have been defining new challenges, setting new goals and consenting to more complex systems. This steered the AUTOSAR community toward the independent development of the AUTOSAR Adaptive Platform with the intention of addressing and serving the demands defined by the new technology drivers. The use of an already existing software based on an open-source development - specifically GNU/Linux - was recognized as a matching candidate fulfilling the requirements defined by AUTOSAR Adaptive Platform as its operating system. However, this raises new challenges in addressing the safety aspect and the suitability of its implementation in safety-critical environments. As safety standards do not explicitly handle the use of open-source software development, this thesis proposes a tailoring procedure that aims to match the requirements defined by ISO 26262 for a possible qualification of GNU/Linux. And while very little is known about the behavior specification of GNU/Linux to appropriate its use in safety-critical environments, the outlined methodology seeks to verify the specification requirements of GNU/Linux leveraging its claimed compliance to the POSIX standard. In order to further use GNU/Linux with high pedigree of certainty in safety-critical applications, a software partitioning mechanism is implemented to provide control over the resource consumption of the operating system –specifically computation time and memory usage- between different criticality applications in order to achieve Freedom from Interference. The implementation demonstrates the ability to avoid interference concerning required resources of safety-critical applications.

Adaptives AUTOSAR

Open Source Entwicklungsumgebungen

Eingebettetes Linux

AUTOSAR Adaptive Platform

Open Source Development Environments

Embedded Linux

Functional Safety (ISO 26262)

ddc:004

Informatik

AUTOSAR

Open Source

LINUX

Investigation of an OSLC-domain targeting ISO 26262 : Focus on the left side of the Software V-model

Castellanos Ardila, Julieth Patricia

January 2016

Industries have adopted a standardized set of practices for developing their products. In the automotive domain, the provision of safety-compliant systems is guided by ISO 26262, a standard that specifies a set of requirements and recommendations for developing automotive safety-critical systems. For being in compliance with ISO 26262, the safety lifecycle proposed by the standard must be included in the development process of a vehicle. Besides, a safety case that shows that the system is acceptably safe has to be provided. The provision of a safety case implies the execution of a precise documentation process. This process makes sure that the work products are available and traceable. Further, the documentation management is defined in the standard as a mandatory activity and guidelines are proposed/imposed for its elaboration. It would be appropriate to point out that a well-documented safety lifecycle will provide the necessary inputs for the generation of an ISO 26262-compliant safety case. The OSLC (Open Services for Lifecycle Collaboration) standard and the maturing stack of semantic web technologies represent a promising integration platform for enabling semantic interoperability between the tools involved in the safety lifecycle. Tools for requirements, architecture, development management, among others, are expected to interact and shared data with the help of domains specifications created in OSLC.This thesis proposes the creation of an OSLC tool-chain infrastructure for sharing safety-related information, where fragments of safety information can be generated. The steps carried out during the elaboration of this master thesis consist in the identification, representation, and shaping of the RDF resources needed for the creation of a safety case. The focus of the thesis is limited to a tiny portion of the ISO 26262 left-hand side of the V-model, more exactly part 6 clause 8 of the standard:  Software unit design and implementation. Regardless of the use of a restricted portion of the standard during the execution of this thesis, the findings can be extended to other parts, and the conclusions can be generalize.This master thesis is considered one of the first steps towards the provision of an OSLC-based and ISO 26262-compliant methodological approach for representing and shaping the work products resulting from the execution of the safety lifecycle, documentation required in the conformation of an ISO-compliant safety case. / Espresso 2 / Gen&ReuseSafetyCases

ISO 26262

Documentation Management

Safety case

RDF constraint languages

Resource Shape (ReSh)

Shape Expressions (ShEx)

Shape Constraint Language (SHACL)

Software Engineering

Programvaruteknik

Evaluation of an Adaptive AUTOSAR System in Context of Functional Safety Environments

Massoud, Mostafa

21 September 2017

The rapidly evolving technologies in the automotive industry have been defining new challenges, setting new goals and consenting to more complex systems. This steered the AUTOSAR community toward the independent development of the AUTOSAR Adaptive Platform with the intention of addressing and serving the demands defined by the new technology drivers. The use of an already existing software based on an open-source development - specifically GNU/Linux - was recognized as a matching candidate fulfilling the requirements defined by AUTOSAR Adaptive Platform as its operating system. However, this raises new challenges in addressing the safety aspect and the suitability of its implementation in safety-critical environments. As safety standards do not explicitly handle the use of open-source software development, this thesis proposes a tailoring procedure that aims to match the requirements defined by ISO 26262 for a possible qualification of GNU/Linux. And while very little is known about the behavior specification of GNU/Linux to appropriate its use in safety-critical environments, the outlined methodology seeks to verify the specification requirements of GNU/Linux leveraging its claimed compliance to the POSIX standard. In order to further use GNU/Linux with high pedigree of certainty in safety-critical applications, a software partitioning mechanism is implemented to provide control over the resource consumption of the operating system –specifically computation time and memory usage- between different criticality applications in order to achieve Freedom from Interference. The implementation demonstrates the ability to avoid interference concerning required resources of safety-critical applications.

info:eu-repo/classification/ddc/004

ddc:004

Informatik; AUTOSAR; Open Source; LINUX

Architecting Safe Automated Driving with Legacy Platforms

Mohan, Naveen

January 2018

Modern vehicles have electrical architectures whose complexity grows year after year due to feature growth corresponding to customer expectations. The latest of the expectations, automation of the dynamic driving task however, is poised to bring about some of the largest changes seen so far. In one fell swoop, not only does required functionality for automated driving drastically increase the system complexity, it also removes the fall-back of the human driver who is usually relied upon to handle unanticipated failures after the fact. The need to architect thus requires a greater rigour than ever before, to maintain the level of safety that has been associated with the automotive industry. The work that is part of this thesis has been conducted, in close collaboration with our industrial partner Scania CV AB, within the Vinnova FFI funded project ARCHER. This thesis aims to provide a methodology for architecting during the concept phase of development, using industrial practices and principles including those from safety standards such as ISO 26262. The main contributions of the thesis are in two areas. The first area i.e. Part A contributes, (i) an analysis of the challenges of architecting automated driving, and serves as a motivation for the approach taken in the rest of this thesis, i.e. Part B where the contributions include, (ii) a definition of a viewpoint for functional safety according to the definitions of ISO 42010, (iii) a method to systematically extract information from legacy components and (iv) a process to use legacy information and architect in the presence of uncertainty to provide a work product, the Preliminary Architectural Assumptions (PAA), as required by ISO 26262. The contributions of Part B together comprise a methodology to architect the PAA.   A significant challenge in working with the industry is finding the right fit between idealized principles and practical utility. The methodology in Part B has been judged fit for purpose by different parts of the organization at Scania and multiple case studies have been conducted to assess its usefulness in collaboration with senior architects. The methodology was found to be conducive in both, generating the PAA of a quality that was deemed suitable to the organization and, to find inadequacies in the architecture that had not been found earlier using the previous non-systematic methods. The benefits have led to a commissioning of a prototype tool to support the methodology that has begun to be used in projects related to automation at Scania. The methodology will be refined as the projects progress towards completion using the experiences gained. A further impact of the work is seen in two patent filings that have originated from work on the case studies in Part B. Emanating from needs discovered during the application of the methods, these filed patents (with no prior publications) outline the future directions of research into reference architectures augmented with safety policies, that are safe in the presence of detectable faults and failures. To aid verification of these ideas, work has begun on identifying critical scenarios and their elements in automated driving, and a flexible simulation platform is being designed and developed at KTH to test the chosen critical scenarios. / Efterfrågan på nya funktioner leder till en ständigt ökande komplexitet i moderna fordon, speciellt i de inbyggda datorsystemen. Införande av autonoma fordon utgör inte bara det mest aktuella exemplet på detta, utan medför också en av de största förändringar som fordonsbranschen sett. Föraren, som ”back-up” för att hantera oväntade situationer och fel, finns inte längre där vid höggradig automation, och motsvarande funktioner måste realiseras i de inbyggda system vilket ger en drastisk komplexitetsökning. Detta ställer systemarkitekter för stora utmaningar för att se till att nuvarande nivå av funktionssäkerhet bibehålls. Detta forskningsarbete har utförts i nära samarbete med Scania CV AB i det Vinnova (FFI)-finansierade projektet ARCHER. Denna licentiatavhandling har som mål att ta fram en metodik för konceptutveckling av arkitekturer, förankrat i industriell praxis och principer, omfattande bl.a. de som beskrivs i funktionssäkerhetsstandards som ISO 26262. Avhandlingen presenterar resultat inom två områden. Det första området, del A, redovisar, (i) en analys av utmaningar inom arkitekturutveckling för autonoma fordon, vilket också ger en motivering för resterande del av avhandlingen. Det andra området, del B, redovisar, (ii) en definition av en ”perspektivmodell” (en s.k. ”viewpoint” enligt ISO 42010) för funktionssäkerhet, (iii) en metod för att systematiskt utvinna information från existerande komponenter, och (iv) en process som tar fram en arbetsprodukt för ISO 26262 – Preliminära Arkitektur-Antaganden (PAA). Denna process använder sig av information från existerande komponenter – resultat (iii) och förenklar hantering av avsaknad/osäker information under arkitekturarbetet. Resultaten från del B utgör tillsammans en metodik för att ta fram en PAA. En utmaning i forskning är att finna en balans mellan idealisering och praktisk tillämpbarhet. Metodiken i del B har utvärderats i flertalet industriella fallstudier på Scania i samverkan med seniora arkitekter från industrin, och har av dessa bedömts som relevant och praktiskt tillämpningsbar. Erfarenheterna visar att metodiken stödjer framtagandet av PAA’s av   lämplig kvalitet och ger ett systematiskt sätt att hantera osäkerhet under arkitekturutvecklingen. Specifikt så gjorde metoden det möjligt att identifiera komponent-felmoder där arkitekturen inte var tillräcklig för åstadkomma önskad riskreducering, begränsningar som inte hade upptäckts med tidigare metoder. Ett prototypverktyg för att stödja metodiken har utvecklats och börjat användas på Scania i projekt relaterade till autonoma fordon. Metodiken kommer sannolikt att kunna förfinas ytterligare när dessa projekt går mot sitt slut och mer erfarenheter finns tillgängliga. Arbetet i del B har vidare lett till två patentansökningar avseende koncept som framkommit genom fallstudierna. Dessa koncept relaterar till referensarkitekturer som utökats med policies för personsäkerhet (Eng. ”safety”) för att hantera detekterbara felfall, och pekar ut en riktning för framtida forskning. För att stödja verifiering av dessa koncept har arbete inletts för att identifiera kritiska scenarios för autonom körning. En flexibel simuleringsplattform håller också på att designas för att kunna testa kritiska scenarios. / Vinnova-FFI funded Project ARCHER

architectures

automated driving

autonomous vehicles

methods

processes

tools

functional safety

ISO 26262

diagnostic specifications

platform based design

legacy integration

functional safety concept

preliminary architectural assumptions

uncertainty management

design decisions

Embedded Systems

Inbäddad systemteknik

Computer Systems

Datorsystem