Guoqi Xie,Gang Zeng,Jiyao An,Renfa Li,Keqin Li

DOI: https://doi.org/10.1145/3162052

2018-01-01

ACM Transactions on Cyber-Physical Systems

Abstract:Automotive functional safety standard ISO 26262 aims to avoid unreasonable risks due to systematic failures and random hardware failures caused by malfunctioning behavior. Automotive functions involve distributed end-to-end computation in automotive cyber-physical systems (ACPSs). The automotive industry is highly cost-sensitive to the mass market. This study presents a resource-cost-aware fault-tolerant design methodology for end-to-end functional safety computation on ACPSs. The proposed design methodology involves early functional safety requirement verification and late resource cost design optimization. We first propose the functional safety requirement verification (FSRV) method to verify the functional safety requirement consisting of reliability and response time requirements of the distributed automotive function during the early design phase. We then propose the resource-cost-aware fault-tolerant optimization (RCFO) method to reduce the resource cost while satisfying the functional safety requirement of the function during the late design phase. Finally, we perform experiments with real-life automotive and synthetic automotive functions. Findings reveal that the proposed RCFO and VFSR methods demonstrate satisfactory resource cost reduction compared with other methods while satisfying the functional safety requirement.

Guoqi Xie,Yanwen Li,Yunbo Han,Yong Xie,Gang Zeng,Renfa Li

DOI: https://doi.org/10.1109/tii.2020.2978889

IF: 12.3

2020-01-01

IEEE Transactions on Industrial Informatics

Abstract:Guaranteeing safety is always a prerequisite in the process of realizing various automotive applications. However, the automotive functional safety design has been challenged by multiple factors, such as the complexity of the new generation automotive electrical and electronic (E/E) architecture, the continuous release and update of automotive functional safety standard International Standardization Organization (ISO) 26262, the release of new AUTOSAR adaptive platform standard, and the increase in different types of costs. In this article, we summarize the recent advances of automotive functional safety design methodologies through analysis, design, optimization, and runtime phases, respectively: 1) functional safety analysis; 2) functional safety guarantee; 3) safety-aware cost optimization; and 4) safety-critical multifunctional scheduling. Then, we provide the future trends in functional safety design methodologies that will be directly oriented to autonomous vehicles and adapt to the next generation functional safety standard ISO 21448.

Guoqi Xie,Wei Wu,Gang Zeng,Renfa Li,Shiyan Hu

DOI: https://doi.org/10.1109/tits.2020.3027469

IF: 8.5

2021-06-01

IEEE Transactions on Intelligent Transportation Systems

Abstract:Vehicle design has entered a new stage, namely, Software Defined Vehicles (SDV), where functional safety is required to be guaranteed for risk control, and development cost needs to be optimized for profit maximization. This paper targets to optimize the development cost under the functional safety requirement for a safety-aware SDV, based on the automotive safety integrity level (ASIL) decomposition defined in ISO 26262. For this, a two-stage solution is proposed, which includes functional safety risk assessment and development cost optimization. The first stage develops a new fast risk assessment (FRA) algorithm to assess the functional safety risk, including the joint reliability risk and the real-time risk, of the SDV functionality. The second stage proposes a dual requirement guarantee (DRG) algorithm to optimize the development cost considering reliability and real-time requirements jointly. Our experiments demonstrate that the proposed two-stage solution guarantees the functional safety requirement while reducing the development cost by 20%-24%.

engineering, electrical & electronic,transportation science & technology, civil

Naveen Mohan,Martin Törngren,Sagar Behere

DOI: https://doi.org/10.48550/arXiv.1912.03178

2019-12-06

Systems and Control

Abstract:With the advent of ISO 26262 there is an increased emphasis on top-down design in the automotive industry. ISO 26262 lacks detailed requirements for its various constituent phases. The lack of guidance becomes evident for the reuse of legacy components and subsystems, leaving vehicle architects and safety engineers to rely on experience without methodological support for their decisions. This poses challenges in the industry which is undergoing many significant changes due to new features like connectivity, electrification and automation. Here we focus on automated driving where multiple subsystems, both new and legacy, need to coordinate to realize a safety-critical function. This paper introduces a method to support consistent design of an ISO 26262 work product, the Functional Safety Concept (FSC). The method addresses a need within the industry for architectural analysis, rationale management and reuse of legacy subsystems. The method makes use of an existing work product, the diagnostic specifications of a subsystem, to assist in performing a systematic assessment of the influence a human driver, in the design of the subsystem. The output of the method is a report with an abstraction level suitable for a vehicle architect, used as a basis for decisions related to the FSC such as generating a Preliminary Architecture (PA) and building up argumentation for verification of the FSC. The proposed method is tested in a safety-critical braking subsystem at one of the largest heavy vehicle manufacturers in Sweden, Scania C.V. AB. The results demonstrate the benefits of the method including (i) reuse of pre-existing work products, (ii) gathering requirements for automated driving functions while designing the PA and FSC, (iii) the parallelization of work across the organization on the basis of expertise, and (iv) the applicability of the method across all types of subsystems.

Naveen Mohan,Martin Törngren

DOI: https://doi.org/10.4271/2019-01-0126

2019-12-02

Abstract:Automated Driving is revolutionizing many of the traditional ways of operation in the automotive industry. The impact on safety engineering of automotive functions is arguably one of the most important changes. There has been a need to re-think the impact of the partial or complete absence of the human driver (in terms of a supervisory entity) in not only newly developed functions but also in the qualification of the use of legacy functions in new contexts. The scope of the variety of scenarios that a vehicle may encounter even within a constrained Operational Design Domain, and the highly dynamic nature of Automated Driving, mean that new methods such as simulation can greatly aid the process of safety engineering. This paper discusses the need for early verification of the Functional Safety Concepts (FSCs), details the information typically available at this stage in the product lifecycle, and proposes a co-simulation platform named AD-EYE designed for exploiting the possibilities in an industrial context by evaluating design decisions and refining Functional Safety Requirements based on a reusable scenario database. Leveraging our prior experiences in developing FSCs for Automated Driving functions, and the preliminary implementation of co-simulation platform, we demonstrate the advantages and identify the limitations of using simulations for refinement and early FSC verification using examples of types of requirements that could benefit from our methodology.

Robotics,Systems and Control

Guoqi Xie,Gang Zeng,Renfa Li

DOI: https://doi.org/10.1109/tpds.2020.2984719

IF: 5.3

2020-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:In distributed automotive embedded systems, safety issues run through the entire life cycle, and safety mechanisms for error handling are desirable for risk control. This article focuses on safety enhancement (i.e., safety mechanisms for error handling) for a safety-critical automotive application within its deadline. A stable stopping approach used for safety enhancement for an automotive application is proposed based on the static recovery mechanism provided in ISO 26262. The Stable Stopping-based Safety Enhancement (SSSE) approach is proposed by combining known backward recovery, proposed forward recovery, and proposed forward-and-backward recovery through primary-backup repetition. The stable stopping (i.e., SSSE) approach is a convergence algorithm, which means that when the reliability value reaches a steady state and the algorithm can stop. Experimental results reveal that the exposure level defined in ISO 26262 drops from E3 to E1 after using SSSE, and such improvement enables a safety guarantee of higher level.

Sangeeth Kochanthara,Niels Rood,Arash Khabbaz Saberi,Loek Cleophas,Yanja Dajsuren,Mark van den Brand

DOI: https://doi.org/10.1016/j.jss.2021.110991

IF: 3.5

2021-09-01

Journal of Systems and Software

Abstract:<p>The scope of automotive functions has grown from a single vehicle as an entity to multiple vehicles working together as an entity, referred to as cooperative driving. The current automotive safety standard, ISO 26262, is designed for single vehicles. With the increasing number of cooperative driving capable vehicles on the road, it is now imperative to systematically assess the functional safety of architectures of these vehicles. Many methods are proposed to assess architectures with respect to different quality attributes in the software architecture domain, but to the best of our knowledge, functional safety assessment of automotive architectures is not explored in the literature. We present a method, that leverages existing research in software architecture and safety engineering domains, to check whether the functional safety requirements for a cooperative driving scenario are fulfilled in the technical architecture of a vehicle. We apply our method on a real-life academic prototype for a cooperative driving scenario, platooning, and discuss our insights.</p>

computer science, theory & methods, software engineering

Fei Gao,Cheng Luo,Fangyuan Shi,Xianqing Chen,Zhenhai Gao,Rui Zhao

DOI: https://doi.org/10.1109/access.2023.3300423

IF: 3.9

2023-09-06

IEEE Access

Abstract:Addressing decision safety in the unpredictable arena of complex traffic scenarios represents a significant hurdle for autonomous driving systems. Considering the inherent spatial-temporal uncertainties associated with the future actions of surrounding traffic participants, real-time safety verification of autonomous driving decisions is crucial to maintaining vehicular safety. Existing online verification methodologies, such as Responsibility Sensitive Safety (RSS) and Safety Force Field (SFF), ensure driving safety by formalizing human safe-driving rules and constraining the vehicle to maintain safe lateral and longitudinal distances in real-time. While these methods effectively prevent collisions instigated by the autonomous vehicle itself, they lack sufficient foresight and often result in less smooth driving trajectories. To address these limitations, we propose an innovative, interpretable, formal safety verification framework. This approach integrates both explicit and implicit traffic rules to anticipate all legally acceptable transitions of traffic scenarios. It builds the lawful, short-term reachable region for each vehicle, and verifies the safety of autonomous vehicle decisions by assessing whether the regions these vehicles inhabit, in accordance with the expected trajectory, overlap with the accessible zones of other vehicles. Furthermore, in scenarios presenting potential danger, a backup smooth safety trajectory is derived from the autonomous vehicle's legal reachability domain as a preventive measure to degrade safety threats. As a cornerstone of safety for autonomous vehicles, our proposed method ensures a continual safe trajectory in all traffic scenarios, provided that other participants adhere to traffic rules. Experimental outcomes, grounded in the ISO 34502 standard and real-world critical safety scenarios, demonstrate the method's efficacy in identifying potentially dangerous decisions and mitigating aut- nomous vehicle-induced traffic accidents.

computer science, information systems,telecommunications,engineering, electrical & electronic

Lei He,Junyi Chen,Xiucai Zhang,Jun Li,Jingquan Tian

DOI: https://doi.org/10.1109/access.2024.3349964

IF: 3.9

2024-01-01

IEEE Access

Abstract:In recent years, autonomous driving technology has been developing rapidly, but there is still a certain gap from commercial production, in which the safety issue is one of the important factors. In the working of most companies and colleges, the Traffic Jam Pilot (TJP), serving as a prototypical Level 3 autonomous driving function, has predominantly focused on functional implementation and enhancement, prioritizing functional completeness and user comfort. However, the aspect of functional safety in the system has received comparatively less attention. To guarantee the safety of the driver’s life and property, it is essential to consider the functional safety aspect regarding automobile operation after system function failure. In this paper, according to the functional safety development process and related regulations in ISO 26262, the functions and operation environment of the TJP system are defined in detail, and the longitudinal function is taken as an example to be developed following the functional safety process and verified by simulation. Simulation verification results show that the control algorithm is safe and reliable, and can ensure the safety and stability of the vehicle during operation. The research in this paper further explores the combination of functional safety and high-level automated driving function, providing some ideas for their practical application in industry.

computer science, information systems,telecommunications,engineering, electrical & electronic

Tobias Schmid,Stefanie Schraufstetter,Jonas Fritzsch,Dominik Hellhake,Greta Koelln,Stefan Wagner

DOI: https://doi.org/10.48550/arXiv.2101.07307

2021-01-19

Abstract:A fail-operational system for highly automated driving must complete the driving task even in the presence of a failure. This requires redundant architectures and a mechanism to reconfigure the system in case of a failure. Therefore, an arbitration logic is used. For functional safety, the switch-over to a fall-back level must be conducted in the presence of any electric and electronic failure. To provide evidence for a safety argumentation in compliance with ISO 26262, verification of the arbitration logic is necessary. The verification process provides confirmation of the correct failure reactions and that no unintended system states are attainable. Conventional safety analyses, such as the failure mode and effect analysis, have its limits in this regard. We present an analytical approach based on formal verification, in particular model checking, to verify the fail-operational behaviour of a driving system. For that reason, we model the system behaviour and the relevant architecture and formally specify the safety requirements. The scope of the analysis is defined according to the requirements of ISO 26262. We verify a fail-operational arbitration logic for highly automated driving in compliance with the industry standard. Our results show that formal methods for safety evaluation in automotive fail-operational driving systems can be successfully applied. We were able to detect failures, which would have been overlooked by other analyses and thus contribute to the development of safety critical functions.

Software Engineering,Systems and Control

Chuchu Fan,Bolun Qi,Sayan Mitra

DOI: https://doi.org/10.48550/arXiv.1704.06406

2017-04-21

Systems and Control

Abstract:We present an overview of recently developed data-driven tools for safety analysis of autonomous vehicles and advanced driver assist systems. The core algorithms combine model-based, hybrid system reachability analysis with sensitivity analysis of components with unknown or inaccessible models. We illustrate the applicability of this approach with a new case study of emergency braking systems in scenarios with two or three vehicles. This problem is representative of the most common type of rear-end crashes, which is relevant for safety analysis of automatic emergency braking (AEB) and forward collision avoidance systems. We show that our verification tool can effectively prove the safety of certain scenarios (specified by several parameters like braking profiles, initial velocities, uncertainties in position and reaction times), and also compute the severity of accidents for unsafe scenarios. Through hundreds of verification experiments, we quantified the safety envelope of the system across relevant parameters. These results show that the approach is promising for design, debugging and certification. We also show how the reachability analysis can be combined with statistical information about the parameters, to assess the risk level of the control system, which in turn is essential, for example, for determining Automotive Safety Integrity Levels (ASIL) for the ISO26262 standard.

Georg Schildbach

DOI: https://doi.org/10.48550/arXiv.1804.04349

2018-04-12

Systems and Control

Abstract:Research on automated vehicles has experienced an explosive growth over the past decade. A main obstacle to their practical realization, however, is a convincing safety concept. This question becomes ever more important as more sophisticated algorithms are used and the vehicle automation level increases. The field of functional safety offers a systematic approach to identify possible sources of risk and to improve the safety of a vehicle. It is based on practical experience across the aerospace, process and other industries over multiple decades. This experience is compiled in the functional safety standard for the automotive domain, ISO 26262, which is widely adopted throughout the automotive industry. However, its applicability and relevance for highly automated vehicles is subject to a controversial debate. This paper takes a critical look at the discussion and summarizes the main steps of ISO 26262 for a safe control design for automated vehicles.

Mohammad Abboush,Christoph Knieke,Andreas Rausch

DOI: https://doi.org/10.3390/s24123733

IF: 3.9

2024-06-09

Sensors

Abstract:To validate safety-related automotive software systems, experimental tests are conducted at different stages of the V-model, which are referred as "X-in-the-loop (XIL) methods". However, these methods have significant drawbacks in terms of cost, time, effort and effectiveness. In this study, based on hardware-in-the-loop (HIL) simulation and real-time fault injection (FI), a novel testing framework has been developed to validate system performance under critical abnormal situations during the development process. The developed framework provides an approach for the real-time analysis of system behavior under single and simultaneous sensor/actuator-related faults during virtual test drives without modeling effort for fault mode simulations. Unlike traditional methods, the faults are injected programmatically and the system architecture is ensured without modification to meet the real-time constraints. Moreover, a virtual environment is modeled with various environmental conditions, such as weather, traffic and roads. The validation results demonstrate the effectiveness of the proposed framework in a variety of driving scenarios. The evaluation results demonstrate that the system behavior via HIL simulation has a high accuracy compared to the non-real-time simulation method with an average relative error of 2.52. The comparative study with the state-of-the-art methods indicates that the proposed approach exhibits superior accuracy and capability. This, in turn, provides a safe, reliable and realistic environment for the real-time validation of complex automotive systems at a low cost, with minimal time and effort.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Biao Hu,Shengjie Xu,Zhengcai Cao,Mengchu Zhou

DOI: https://doi.org/10.1109/tits.2020.3030607

IF: 8.5

2022-04-01

IEEE Transactions on Intelligent Transportation Systems

Abstract:It is important to sufficiently guarantee an automotive system's safety, because otherwise terrible consequences may happen. Generally the safety in an automotive system includes two aspects: reliability and timeliness. Previous studies have proposed many approaches to how to improve them. However, few of them consider the development cost along with their improvement. In this study, we aim to propose a method that can build a safety-guaranteed and development cost-minimized schedule for functionality modeled as a directed acyclic graph running on an automotive system. Unlike previous studies that tightly couple the development cost minimization with other requirements together, we start by building a schedule with the minimum development cost by ignoring safety requirement. Then, reliability and real-time requirements are subsequently taken into consideration. Together with automotive safety integrity level decomposition options provided by International Standard called ISO 26262, the decomposition is evaluated for each task to improve its safety, and tasks are then successively chosen to adjust the schedule, such that its safety can be maximized with incurring the least extra development cost. This procedure continues until a schedule that meets safety requirement is built. Experiments on a real-life automotive benchmark and extensive synthetic functionality demonstrate that our proposed heuristics outperform the state-of-the-art heuristic algorithm, and a typical intelligent optimization algorithm.

engineering, electrical & electronic,transportation science & technology, civil

Felipe Franco,Max Mauro,Sergio Stevan,Alexandre Baratella Lugli,Weslley Torres

DOI: https://doi.org/10.1109/induscon.2014.7059430

2014-12-01

Abstract:Model-Based Development is a design methodology used for automotive embedded software, where the engineering process involving OEM and suppliers can bring benefits providing an efficient exchange of information, workflow and tool chain adequately and standardized. Despite, with the growing demand for new functions for next generation of vehicles, we encounter with a complex system that yet require the use a functional safety standard as defined by the ISO 26262. This way, we present the design of a model-based functional safety system accomplished for a software function at automobile of type power window system which will be hosted on electronic control unit. The function was developed and tested at the model-in-the-loop phase as part of model-based design methodology, of the supplier side, only with the purpose demonstrate that in this preliminary phase of design is very important adopt this approach to define the controller strategy and find possible bugs sooner being able generate a software to be embedded in a target system. The proposed approach considers that the software tool for verification and validation of the function is used with a set of test case which validates the preliminary requirements.

Zong-hua GU,Chao WANG,Zheng SUN,Hong LI

DOI: https://doi.org/10.3969/j.issn.1000-3428.2013.07.020

2013-01-01

Abstract:AUTomotive Open System ARchitecture(AUTOSAR) is an open and standardized automotive software architecture which is widely adopted by the automotive industry.This paper presents a simulation tool for AUTOSAR design models verification before deployment on the target hardware platform.The tool aims to ensure maximum faithfulness of the software by simulating software on the target electronic control unit at the source-code level.The results show that the simulator can give the developer more confidence on the correctness of the overall software stack than traditional simulation techniques,and improves the efficiency of system development.

Kang Meng,Rui Zhou,Zhiheng Li,Kai Zhang

DOI: https://doi.org/10.3390/app13063494

2023-01-01

Applied Sciences

Abstract:With the rapid development of intelligent vehicle safety verification, scenario-based testing methods have received increasing attention. As the space of driving scenarios is vast, the challenge in scenario-based testing is the generation and selection of high-value testing scenarios to reduce the development and validation time. This paper proposes a method for generating challenging test scenarios. Our method quantifies the challenges in these scenarios by estimating the risks based on ISO 26262. We formulate the problem as a Markov decision process and quantify the challenges in the current state using the three risk factors provided in ISO 26262: exposure, severity, and controllability. We then employ reinforcement learning algorithms to identify the challenges and use the state–action value matrix to select motions for a background vehicle to generate critical scenarios. The effectiveness of the approach is validated by testing the generated challenge scenarios using a simulation model. The results show that our method can ensure both accuracy and coverage, and the larger the state space is, the more accident-prone the generated scenarios are. Our proposed method is general and easily adaptable to other cases.

Bryan Olmos,Daniel Gerl,Aman Kumar,Djones Lettnin

2024-10-24

Abstract:The design of Systems on Chips (SoCs) is becoming more and more complex due to technological advancements. Missed bugs can cause drastic failures in safety-critical environments leading to the endangerment of lives. To overcome these drastic failures, formal property verification (FPV) has been applied in the industry. However, there exist multiple hardware designs where the results of FPV are not conclusive even for long runtimes of model-checking tools. For this reason, the use of High-level Equivalence Checking (HLEC) tools has been proposed in the last few years. However, the procedure for how to use it inside an industrial toolchain has not been defined. For this reason, we proposed an automated methodology based on metamodeling techniques which consist of two main steps. First, an untimed algorithmic description written in C++ is verified in an early stage using generated assertions; the advantage of this step is that the assertions at the software level run in seconds and we can start our analysis with conclusive results about our algorithm before starting to write the RTL (Register Transfer Level) design. Second, this algorithmic description is verified against its sequential design using HLEC and the respective metamodel parameters. The results show that the presented methodology can find bugs early related to the algorithmic description and prepare the setup for the HLEC verification. This helps to reduce the verification efforts to set up the tool and write the properties manually which is always error-prone. The proposed framework can help teams working on datapaths to verify and make decisions in an early stage of the verification flow.

Hardware Architecture,Artificial Intelligence

Guo Haitao,Yang Xianhui

DOI: https://doi.org/10.3969/j.issn.1001-4160.2007.04.019

2007-01-01

Abstract:For enhancing functional safety management on safety instrumented systems, a design of functional safety management software is presented based on the analysis of safety integrity level(SIL),safety requirement specification and safety integrity verification, which are included in safety life cycle. Hazard matrix and risk graph are two typical methods for SIL selection. Safety integrity verification uses Markov models and architecture constraints are also taken into account. The software is developed using C#. It can be used to assess not only safety but also availability for safety instrumented functions. Several types of report can be generated. The functional safety management software is a good tool and reference for correct functional safety management, helping users understanding the safety and availability of safety instrumented systems.

Carlos Conejo,Vicenç Puig,Bernardo Morcego,Francisco Navas,Vicente Milanés

2024-10-03

Abstract:The rapid advancements in autonomous vehicle software present both opportunities and challenges, especially in enhancing road safety. The primary objective of autonomous vehicles is to reduce accident rates through improved safety measures. However, the integration of new algorithms into the autonomous vehicle, such as Artificial Intelligence methods, raises concerns about the compliance with established safety regulations. This paper introduces a novel software architecture based on behavior trees, aligned with established standards and designed to supervise vehicle functional safety in real time. It specifically addresses the integration of algorithms into industrial road vehicles, adhering to the ISO 26262. The proposed supervision methodology involves the detection of hazards and compliance with functional and technical safety requirements when a hazard arises. This methodology, implemented in this study in a Renault Mégane (currently at SAE level 3 of automation), not only guarantees compliance with safety standards, but also paves the way for safer and more reliable autonomous driving technologies.

Robotics,Systems and Control