Dr. Brian Murray March 4, 2011

Similar documents
A System-safety process for by-wire automotive systems

ASSESSMENT OF THE ISO STANDARD, ROAD VEHICLES FUNCTIONAL SAFETY

Identifying and Understanding Relevant System Safety Standards for use in the Automotive Industry

A System-Safety Process For By-Wire Automotive Systems

ISO Functional Safety Draft International Standard for Road Vehicles: Background, Status, and Overview

JEREMY SALINGER Innovation Program Manager Electrical & Control Systems Research Lab GM Global Research & Development

ISO Introduction

Testimony of Ann Wilson House Energy & Commerce Committee Subcommittee on Commerce, Manufacturing and Trade, October 21, 2015

Introduction CHAPTER 1

Does the Federal government require them? No, the Federal government does not require manufacturers to install EDRs.

Best Practices for Verification, Validation, and Test in Model- Based Design

Effective Application of Software Safety Techniques for Automotive Embedded Control Systems SAE TECHNICAL PAPER SERIES

Intelligent development tools Design methods and tools Functional safety

STATEMENT THE ALLIANCE OF AUTOMOBILE MANUFACTURERS APRIL 14, 2016 PRESENTED BY:

Advanced Safety. Driver Vehicle Interface Collision Avoidance & Mitigation Vehicle Communications. Helping industry engineer safe vehicles

TÜ V Rheinland Industrie Service

Introduction of ISO/DIS (ISO 26262) Parts of ISO ASIL Levels Part 6 : Product Development Software Level

SOFTWARE VERIFICATION RESEARCH CENTRE SCHOOL OF INFORMATION TECHNOLOGY THE UNIVERSITY OF QUEENSLAND. Queensland 4072 Australia TECHNICAL REPORT

Developing software for Autonomous Vehicle Applications; a Look Into the Software Development Process

Improving Driving Safety Through Automation

Integrating System Safety and Software Assurance

Functional Safety and Automotive SW - Engineering Introduction ISO Daimler

2014 Annual General Meeting

The Growing Role of Electronics in Automobiles A Timeline of Electronics in Cars June 2, 2011

On the road toward the autonomous truck

TRW Automotive TRW Automotive Profile 2012

How to Upgrade SPICE-Compliant Processes for Functional Safety

Functional Safety with ISO Principles and Practice Dr. Christof Ebert, Dr. Arnulf Braatz Vector Consulting Services

NHTSA s Oversight of Vehicle Safety Defects and Highway Safety Grants

Software Production. Industrialized integration and validation of TargetLink models for series production

Collision Avoidance. The car we couldn t crash! The future for drivers. Compare the technologies. research news

SmartTrac Stability Control Systems

System Safety Process Applied to Automotive High Voltage Propulsion Systems

Safety Issues in Automotive Software

University of Paderborn Software Engineering Group II-25. Dr. Holger Giese. University of Paderborn Software Engineering Group. External facilities

Building a Safety Case in Compliance with ISO for Fuel Level Estimation and Display System

Impact of Safety Standards to Processes and Methodologies. Dr. Herbert Eichfeld

Crucial Role of ICT for the Reinvention of the Car

Impact of Car Sharing, Automated Driver Assistance, Autonomous Cars on Insurance

Understanding Safety Integrity Levels (SIL) and its Effects for Field Instruments

Aria Etemad Arne Bartels Volkswagen Group Research. A Stepwise Market Introduction of Automated Driving. Detroit 10 September 2014

Safety Integrity Levels

Medical Device Software Standards for Safety and Regulatory Compliance

TOP 3 STRATEGIES TO REDUCE RISK IN AUTOMOTIVE/IN-VEHICLE SOFTWARE DEVELOPMENT

Volvo On Call. An OEM view on European ecall

Reduce Medical Device Compliance Costs with Best Practices.

Xavier University of Louisiana. General Requirements for the Use of Vehicles

Safety and security related features in AUTOSAR

A Methodology for Safety Critical Software Systems Planning

Balancing Active and Passive Safety

Car Connections. Johan Lukkien. System Architecture and Networking

INDUSTRY REPORT ON AIRBAG INDUSTRY

Risk Analysis of a CBTC Signaling System

SAFE SOFTWARE FOR SPACE APPLICATIONS: BUILDING ON THE DO-178 EXPERIENCE. Cheryl A. Dorsey Digital Flight / Solutions cadorsey@df-solutions.

Science Fiction to Reality: The Future of Automobile Insurance and Transportation Technology

Safety-Critical Systems: Processes, Standards and Certification

Level Crossing Crash Taxonomy for Connected Vehicle Safety Research

An integrated approach to implement system engineering and safety engineering processes: SASHA Project

AAA AUTOMOTIVE ENGINEERING

Hybrid System for Driver Assistance

Functional Safety Hazard & Risk Analysis

2008 Bateman Case Study Competition. Project Brief

AUTONOMOUS VEHICLE TECHNOLOGY: CONSIDERATIONS FOR THE AUTO INSURANCE INDUSTRY

Rigorous Methods for Software Engineering (F21RS1) High Integrity Software Development

Existing safety technology is the driverless vehicle already here? Matthew Avery Safety Research Director

Smart features like these are why Ford F-Series has been America s best-selling truck for 37 years and America s best-selling vehicle for 32 years

The relevance of cyber-security to functional safety of connected and automated vehicles

CONSUMER COLLISION REPAIR AWARENESS MESSAGE

Automotive Black Box Data Recovery Systems

Automated Trucks. The next big disruptor in the automotive industry? Roland Berger study

POLICY INVOLVING VEHICLE USE ON OFFICIAL COLLEGE BUSINESS AUTOMOBILES & OTHER MOTORIZED VEHICLES Last update: August 9, 2011

Insurance & Liability Breakout Session - TRB Symposium July 2015 Insuring Autonomous Vehicles Changes? Challenges? Opportunities?

Autoliv The Worldwide Leader in Automotive Safety

EB Automotive Driver Assistance EB Assist Solutions. Damian Barnett Director Automotive Software June 5, 2015

Vetting Smart Instruments for the Nuclear Industry

Controlling Risks Safety Lifecycle

INFORMATION SUBMISSION FOR NAS. December Office Vehicle Safety Research National Highway Traffic Safety Administration

Federal Motor Carrier Safety Administration SAFETY AWARENESS Kentucky Freight Conference

COLLISION AVOIDANCE FEATURES: INITIAL RESULTS

Advanced In-Wheel Electric Propulsion Technology

Performance Study based on Matlab Modeling for Hybrid Electric Vehicles

Presentation Overview. Istwaan Knijff EMC & Safety themadag - 03 oktober Sensata Technologies Almelo. What about EMC?

Every mile in real-time. Introducing ZONAR

ACHIEVING FUNCTIONAL SAFETY OF AUDI DYNAMIC STEERING USING A STRUCTURED DEVELOPMENT PROCESS

BUSINESS SERVICES POLICIES AND PROCEDURES

ID# BLACKBOX - PROJEKT V&V MD ČR

SUCCESSFUL INTERFACE RISK MANAGEMENT FROM BLAME CULTURE TO JOINT ACTION

ISO 26262:2011 Functional Safety Assessment Report. Texas Instruments Richardson, TX USA. Project: TDA2X ADAS SoC. Customer:

WORKSHOP RC EVI Integração de Sistemas Junho de 2011 Eng. Nelson José Wilmers Júnior

Acquisition of Novero. Investor presentation 18th December 2015

"Insurance Services Office, Inc. Copyright"

Testing the Internet of Things

IBM Rational Rhapsody

SEMINAR REPORT 2004 HANDFREE DRIVING FOR AUTOMOBILES

EVITA-Project.org: E-Safety Vehicle Intrusion Protected Applications

Design of automatic testing tool for railway signalling systems software safety assessment

Russian Automotive Industry: Governmental Policies and Priorities

CONNECTED CARS A RISING TREND IN THE GLOBAL AUTOMOBILE SECTOR. Thematic Report by Jay Thakker Senior Research Analyst.

Safety and functional safety A general guide

What Every Driver Must Know Review Assignment

Transcription:

Event that could lead to an accident GM Autonomy HAZARD 1 Q=6e-7 Event that could lead to a hazard Control to prevent HAZARDOUS EVENT 1 HAZARDOUS EVENT 1 HAZARD CONTROL 1 r=6e-008 Q=0.0006 Q=0.001 Q=0.001 National Geographic, 2002 Software Safety Assurance Processes and Challenges in the Automotive and Aviation Industries Dr. Brian Murray March 4, 2011

United Technologies Business units Pratt & Whitney aerospace systems Sikorsky Carrier power solutions UTC Power Hamilton Sundstrand UTC Fire & Security building systems Otis 2

Brief Bio Brian Murray Education 1982 Albion College, BA physics and mathematics 1984 Duke University, MSEE, IC manufacturing 1994 University of Michigan, Ph.D., computer engineering 25 years in automotive industry, 1.5 years United Technologies Research Center (aerospace and buildings) Auto industry General Motors and Delphi Corp. Researcher IC design tools, especially for testing Project manager future engine controller architecture Project manager for system safety process development Manager systems engineering for drive-by-wire, including embedded systems Manager advanced vehicle dynamics and active safety Manager system safety for electric power steering Currently Manager embedded systems and networks UTRC Principle investigator investigating design of complex systems Professional (Relevant) Safety-Critical Systems Session organizer/session chair, SAE Congress, 10 years 3

Outline Views of system safety Safety-critical systems in the automotive industry Some comparisons of system and software safety standards Some comparisons of automotive and aerospace systems Addressing safety issues of active safety systems Future of design for complex systems Issues to consider 4

What is System Safety? What are Safety-Critical Systems? Any system with the potential to cause harm A system defined both by what it is supposed to do and by what it is NOT supposed to do Functional Requirements (What system is supposed to do) Design Process Concept Safety Process Safety Requirements (What system is NOT supposed to do) Product in Service System Safety is the application of systems engineering principles to ENABLE the development of safety-critical systems by managing safety risk 5

What is System Safety? Identify problems Convincingly show that the problems are covered Find a way to fix the problems 6

Model for System Safety Theory & Practice Safety-Critical Systems Safety Cases Safety Concepts Identify problems Convincingly show that the problems are covered Find a way to fix the problems 7

Key Principles of System Safety Identify Hazards Avoid Hazards Evaluate Residual Risk Risk Acceptable? Yes Deploy Add Hazard Controls No Risk is a function of the severity and likelihood of a mishap Hazards are conditions that could lead to a mishap Caused by failures or other conditions Hazard Controls mitigate the risk of a hazard Standards dictate how residual risk should be evaluated Hazard avoidance goals must be captured as realizable engineering requirements 8

System Safety (Safety Case View) Argument Safety Case Generic Safety Process Steps Evidence Evidence Customer Requirements Safety Case Evidence that safety requirements are understood Evidence that safety requirements are met Argument for acceptance of residual risk based on the evidence For all stakeholders OEMs, Suppliers, Society System Safety Process Sequence of tasks leading to the development and acceptance of a safety case, usually involves: Safety Requirements Safety Concept Safety Case Resolution of stakeholder requirements related to safety 9

System Safety (Process View Work Products) Conceptual Design Requirements Analysis Arch. Design Detailed Design Verification & Validation Production & Deploy. System Safety Program Plan Preliminary Hazard Analysis Hazard Control Specifications (Safety Requirements) Safety Concept & Detailed Hazard Analysis Hazard Control Specifications (Diagnostics, Design Safety Margins, ) Safety Verification Safety Case 10

Other Dependability Attributes: Reliability and Availability vs Safety Reliability focuses on reducing overall failure probability Availability focuses on maximizing up-time Safety focuses on identifying and minimizing risks associated with hazards and avoiding mishaps May identify controls for potential undesired effects rather than focus on causes Still require credible scenarios Safety may decrease reliability and availability Diagnostics and shutdown mechanisms Reliable systems may not be safe Uncovered hazards in ultra-reliable systems may be severe Serious accidents have occurred when all system components were functioning exactly as specified (without failure) Safety programs prioritize concerns With finite design time and resources, focus on issues of biggest concern first Safety Reliability Safety Reliability 11

Motivations for System Safety in the Automotive Industry Technology Enablers Solid-state cameras Network communication systems Safety-critical computing platforms Actuators capable of autonomous control Society Drivers Cars Are Safety- Critical Systems Safety, Energy, Infotainment Society more risk averse over time Reduction in deaths and injuries due to seat belts, etc. has leveled off Business Drivers Inflation-adjusted price of vehicles has declined for several years Auto companies seek to identify value-adding features to gain price as well as market share 12

Safety-Critical Chassis Systems Enable Active Safety Front Steering: Electric Power Steering Active Front Steering Steer by Wire Rear Steering: Active Rear Steer Engine: Torque Management Controlled Suspension: Controlled Dampers Active Stabilizer Bar Braking: Electronic Stability Control Electric Brake by Wire 13

Active Safety Path Increasing system autonomy Sensor-fusion Integrated Systems Driver Support system Collision warning & mitigation Pre-crash & mitigation Lane-change assist Lane-keeping Advanced Stability Control Coordination of ESC and other chassis systems Stand-alone systems Adaptive Cruise Control Lane/Roadway departure Side detection Backup Aid ESC & RSE 360 surround sensing & autonomous vehicle control collision warning system collision avoidance system GPS/Maps Vehicle-to-Vehicle communication Intersection/Roadway Infrastructure Satellite-linked communication Time 14

Attributes of Automotive Systems High expectations for quality Less than 1 ppm 10yrs, 100,000 -> 20yrs, 250,000 -> Lifetime Low expectations for maintenance Efficiency Engineers fight over inches of space and pennies of cost Safety In the US alone, the total vehicle miles traveled is measured in billions Around the world there are about 806 million cars and light trucks on the road Goal: zero traffic deaths Electronics market driver High production volumes and user populations In 2007, 71.9 million new automobiles were sold worldwide Large diversity of users In countries with the highest growth, many people have never even driven cars Complexity Configuration complexity Brands, models, dozens of controllers per vehicle System complexity Until now moderate complexity New active safety systems are rapidly growing in complexity Automotive market has not driven the electronics market since the 1980s 15

Attributes of Aerospace Systems High expectations for safety Focused on very low failure rates for critical components, e.g., 10-9 Continuous maintenance Efficiency Engineers fight over inches of space but worry less about cost Electronics market driver Very low production volumes but high passenger populations Low diversity of users only highly trained pilots Complexity High and growing system complexity Specialty electronics Driven to, but reluctant to use COTS 16

System Safety Standards & Guidelines System/SW Safety Process Mechanical Electrical/ Electronics FMVSS 135 Regulations Software MISRA ISO 26262 VDA FMEA IEC 61508 Analysis MIL-Std-882C/D DO-178B DEF Std 00-56 00-55 Mil-Hdbk-217 SAE FMEA RDF 2000/UTEC 80810 Reliability NUREG 0492 FTA

One Page History of System Safety Standards in Automotive 1990 Motor Industry Software Reliability Association (MISRA) publishes guidelines for safety-critical automotive software Very influential, but not a safety process 1993 MIL-STD-882C published primary strategy for system safety in US 1998 MIL-STD-882C used within US automotive industry 1998 IEC 61508 safety standard published Very influential in Europe Framework standard Adopted by European vehicle manufacturers July 2009 Draft International Standard ISO 26262 June 2011 Final DIS (FDIS) ISO 26262 expected 18

IEC 61508 IEC 61508 developed by IEC Industrial-Process Measurement Committee Electrical/Electronic/Programmable Electronic System EUC Control System Safety-Related System EUC Control System & Safety-Related System Safety Functions Equipment Under Control (A) Separate SafetyRelated System Equipment Under Control (B) Integrated SafetyRelated System Focus of IEC 61508

ISO 26262 vs IEC 61508 IEC 61508: Framework standard Scope: functional aspects of electronic, electrical and software systems Implied context of Process/Automation industries (where validation is done after install) Safety Integrity Levels, SIL SIL 1 SIL 4 Focus on safety functions Architectural metrics Defines acceptable software process elements according to SIL ISO CD 26262: IEC 61508 Automotive Sector adaptation Brings in some concepts of MIL-STD882 Applies to passenger vehicles Automotive SIL, ASIL Expands SIL1-3 to four (ASIL A-D) SIL4 not applicable No top-level probability associated with an ASIL Focus on safety goals Adds required work products New architectural metrics Defines acceptable software process elements according to ASIL 20

DO 178B vs ISO 26262 International: jointly developed by US RTCA SC-167 and the European Organization for Civil Aviation Equipment (EUROCAE) WG-12 DO 178B Provides guidelines for the production of software for airborne systems and equipment Design Assurance Levels A-E Increasing number of software process objectives and independence with level Highest level includes suggestions for software coverage techniques such as MCDC Addresses software requirements only Focused toward suppliers of electronic systems Highly detailed but not prescriptive Implies high degree of documentation ISO CD 26262: Focused on automotive industry Automotive Safety Integrity Levels A-D Includes notion of controllability Increasing number of software process objectives with level Highest level includes suggestions for software coverage techniques such as MCDC Addresses functional safety associated with electronic controllers hardware and software Addresses both design faults in hardware and software as well random failures in hardware Addresses both OEM and supplier issues Highly detailed sometimes prescriptive Many work packages, may imply high 21 degree of documentation

Proposed Automotive Active Safety System Taxonomy and Examples* System Classification Driver Interaction Type Driver Information Expected Driver Responsibility Potential Safety Risk Example Feature Monitor / Supervise Non Safety Related NA No Monitoring / No Supervision Non Safety Related Monitor / Supervise Non Safety Related No Monitoring / No Supervision Non Safety Related Monitor / Supervise Non Safety Related No Monitoring / No Supervision Non Safety Related Driver Warning Vehicle Action / Control Safety Related Safety Related Safety Related Safety Related Safety Related Safety Related Rear back up camera NA Engine Temperature NA Rear back up alert NA Red Brake Tell Tale NA Lane Keeping System NA Automated Steering System *B. Czerny, B. Murray, J. D Ambrosio, Safety Implications of Automotive Active Safety Systems,, SAE Congress, 2008

Emerging Guideline: PReVENT/RESPONSE 3 Project European project to develop an Advanced Driver Assistance Systems Code of Practice CoP describes a methodology for evaluating and assessing interactions between the driver (and vehicle occupants) and the system being controlled Provides guidance to help ensure potential issues of concern are identified and resolved during development Coupling CoP and ISO 26262 CoP helps identify safety-related requirements 26262 helps ensure safety requirements are implemented with high integrity Helps ensure the safety-critical aspects of active safety systems are handled appropriately

Thoughts on Future of Complex Embedded Systems All products (not just automotive or aerospace) are increasingly adding autonomous features adding functional complexity Modularity and networking provide opportunity for creating new systems but also add complexity Testing all of the states of these systems is impractical Increasing trend toward Model-Based Design Inspiration is the integrated circuit industry Design proceeds through series of abstraction levels Models are the primary design artifact (as opposed to code or drawings) Verification and validation primarily aimed at models and aided by automated reasoning Code and hardware synthesized from models, in some cases correct-byconstruction Testing aimed at confirmation Safety cases (certification packages, ) should become modular and incremental Appropriate reasoning about need and type of verification and validation for all design modifications off Discrete control inputs on regen Dynamics Guard condition based on state Hybrid Dynamic System 24

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information