Guoqi Xie,Yanwen Li,Yunbo Han,Yong Xie,Gang Zeng,Renfa Li

DOI: https://doi.org/10.1109/tii.2020.2978889

IF: 12.3

2020-01-01

IEEE Transactions on Industrial Informatics

Abstract:Guaranteeing safety is always a prerequisite in the process of realizing various automotive applications. However, the automotive functional safety design has been challenged by multiple factors, such as the complexity of the new generation automotive electrical and electronic (E/E) architecture, the continuous release and update of automotive functional safety standard International Standardization Organization (ISO) 26262, the release of new AUTOSAR adaptive platform standard, and the increase in different types of costs. In this article, we summarize the recent advances of automotive functional safety design methodologies through analysis, design, optimization, and runtime phases, respectively: 1) functional safety analysis; 2) functional safety guarantee; 3) safety-aware cost optimization; and 4) safety-critical multifunctional scheduling. Then, we provide the future trends in functional safety design methodologies that will be directly oriented to autonomous vehicles and adapt to the next generation functional safety standard ISO 21448.

Guoqi Xie,Gang Zeng,Jiyao An,Renfa Li,Keqin Li

DOI: https://doi.org/10.1145/3162052

2018-01-01

ACM Transactions on Cyber-Physical Systems

Abstract:Automotive functional safety standard ISO 26262 aims to avoid unreasonable risks due to systematic failures and random hardware failures caused by malfunctioning behavior. Automotive functions involve distributed end-to-end computation in automotive cyber-physical systems (ACPSs). The automotive industry is highly cost-sensitive to the mass market. This study presents a resource-cost-aware fault-tolerant design methodology for end-to-end functional safety computation on ACPSs. The proposed design methodology involves early functional safety requirement verification and late resource cost design optimization. We first propose the functional safety requirement verification (FSRV) method to verify the functional safety requirement consisting of reliability and response time requirements of the distributed automotive function during the early design phase. We then propose the resource-cost-aware fault-tolerant optimization (RCFO) method to reduce the resource cost while satisfying the functional safety requirement of the function during the late design phase. Finally, we perform experiments with real-life automotive and synthetic automotive functions. Findings reveal that the proposed RCFO and VFSR methods demonstrate satisfactory resource cost reduction compared with other methods while satisfying the functional safety requirement.

Guoqi Xie,Gang Zeng,Yan Liu,Jia Zhou,Renfa Li,Keqin Li

DOI: https://doi.org/10.1109/tie.2017.2762621

IF: 7.7

2018-01-01

IEEE Transactions on Industrial Electronics

Abstract:Both response time and reliability are important functional safety properties that must be simultaneously satisfied learning from the automotive functional safety standard ISO 26262. Safety verification pertains to checking if an application meets a safe set of design specifications and complies with regulations. Introducing verification in the early design phase not only complies with the latest automotive functional safety standard but also avoids unnecessary design effort or reduces the design burden of the late design optimization phase. This study presents a fast functional safety verification (FFSV) method for a distributed automotive application during the early design phase. The first method FFSV1 finds the solution with the minimum response time under the reliability requirement, and the second method FFSV2 finds the solution with the maximum reliability under the response time requirement. We combine FFSV1 and FFSV2 to create union FFSV (UFFSV), which can obtain acceptance ratios higher than those of current methods. Experiments on real-life and synthetic distributed automotive applications show that UFFSV can obtain higher acceptance ratios than their existing counterparts.

Georg Schildbach

DOI: https://doi.org/10.48550/arXiv.1804.04349

2018-04-12

Systems and Control

Abstract:Research on automated vehicles has experienced an explosive growth over the past decade. A main obstacle to their practical realization, however, is a convincing safety concept. This question becomes ever more important as more sophisticated algorithms are used and the vehicle automation level increases. The field of functional safety offers a systematic approach to identify possible sources of risk and to improve the safety of a vehicle. It is based on practical experience across the aerospace, process and other industries over multiple decades. This experience is compiled in the functional safety standard for the automotive domain, ISO 26262, which is widely adopted throughout the automotive industry. However, its applicability and relevance for highly automated vehicles is subject to a controversial debate. This paper takes a critical look at the discussion and summarizes the main steps of ISO 26262 for a safe control design for automated vehicles.

Biao Hu,Shengjie Xu,Zhengcai Cao,Mengchu Zhou

DOI: https://doi.org/10.1109/tits.2020.3030607

IF: 8.5

2022-04-01

IEEE Transactions on Intelligent Transportation Systems

Abstract:It is important to sufficiently guarantee an automotive system's safety, because otherwise terrible consequences may happen. Generally the safety in an automotive system includes two aspects: reliability and timeliness. Previous studies have proposed many approaches to how to improve them. However, few of them consider the development cost along with their improvement. In this study, we aim to propose a method that can build a safety-guaranteed and development cost-minimized schedule for functionality modeled as a directed acyclic graph running on an automotive system. Unlike previous studies that tightly couple the development cost minimization with other requirements together, we start by building a schedule with the minimum development cost by ignoring safety requirement. Then, reliability and real-time requirements are subsequently taken into consideration. Together with automotive safety integrity level decomposition options provided by International Standard called ISO 26262, the decomposition is evaluated for each task to improve its safety, and tasks are then successively chosen to adjust the schedule, such that its safety can be maximized with incurring the least extra development cost. This procedure continues until a schedule that meets safety requirement is built. Experiments on a real-life automotive benchmark and extensive synthetic functionality demonstrate that our proposed heuristics outperform the state-of-the-art heuristic algorithm, and a typical intelligent optimization algorithm.

engineering, electrical & electronic,transportation science & technology, civil

F. Duerr,J. Ziehn,R. Kohlhaas,M. Roschani,M. Ruf,J. Beyerer

DOI: https://doi.org/10.1109/ITSC45102.2020.9294578

2024-05-14

Abstract:In the event of a critical system failures in auto-mated vehicles, fail-operational or fail-safe measures provide minimum guarantees for the vehicle's performance, depending on which of its subsystems remain operational. Various such methods have been proposed which, upon failure, use different remaining sets of operational subsystems to execute maneuvers that bring the vehicle into a safe state under different environmental conditions. One particular such method proposes a fail-safe emergency stop system that requires no particular electric or electronic subsystem to be available after failure, and still provides a basic situation-dependent emergency stop maneuver. This is achieved by preemptively setting parameters to a hydraulic / mechanical system prior to failure, which after failure executes the preset maneuver "blindly". The focus of this paper is the particular challenge of implementing a lightweight planning algorithm that can cope with the complex uncertainties of the given task while still providing a globally optimal solution at regular intervals, based on the perceived and predicted environment of the automated vehicle.

Robotics,Systems and Control,Numerical Analysis

Fardin Abdi,Chien-Ying Chen,Monowar Hasan,Songran Liu,Sibin Mohan,Marco Caccamo

DOI: https://doi.org/10.48550/arXiv.1705.01520

2017-05-04

Abstract:Many physical plants that are controlled by embedded systems have safety requirements that need to be respected at all times - any deviations from expected behavior can result in damage to the system (often to the physical plant), the environment or even endanger human life. In recent times, malicious attacks against such systems have increased - many with the intent to cause physical damage. In this paper, we aim to decouple the safety of the plant from security of the embedded system by taking advantage of the inherent inertia in such systems. In this paper we present a system-wide restart-based framework that combines hardware and software components to (a) maintain the system within the safety region and (b) thwart potential attackers from destabilizing the system. We demonstrate the feasibility of our approach using two realistic systems - an actual 3 degree of freedom (3-DoF) helicopter and a simulated warehouse temperature control unit. Our proof-of-concept implementation is tested against multiple emulated attacks on the control units of these systems.

Cryptography and Security

J. Fabian,Stephan Reinhofer,Markus Ernst,Adam Schnellbach

DOI: https://doi.org/10.17758/ur.u0915115

2015-09-07

Abstract:Ongoing advances in mechatronic components and power electronics help to improve control systems within automotive applications. New developed or designed components enable more efficient system architectures and control. The management of several parameters of future drive architectures, such as high torque and power output, high system efficiency, low mass, low energy consumption, very low exhaust gas emissions, and low costs is essential for future propulsion concepts. Based on these development trends, mechatronic systems within automotive engineering are gaining more and more importance. At the same time, quality and safety requirements become challenging for automotive manufacturers as well as their suppliers regarding the reduction of the initial risk and increase of component reliability in a high degree. Therefore, safety-relevant aspects in the development of modern mechatronic systems have to be considered thoroughly. The high number of technical properties and complex connections of mechatronics systems in the development of modern vehicles are very challenging for state-of-the-art analysis methods. For this reason, new and innovational safety concepts are required to optimize existing safety concepts using conventional components and methods in combination. This paper includes a detailed comparison of different analysing methods to identify systematic and random failures, as well as safety standards such as IEC 61508 (Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems) and ISO 26262 (Road vehicles - Functional safety). To fulfil safety standards nowadays for complex mechatronic systems, several different analysis methods have to be applied. Only the connection of a safe fault recognition with a safe fault reaction enables a system to avoid harmful consequences. Regarding product development, there is an ongoing change from routine tests (durability tests) to testing selected parts of a safety function (fault injection tests). How action is taken is changing, with a trend towards a further development of IT tools, supporting functional safe systems holistically, including hazard analysis and risk assessment, integrated system analysis of systematic and random failures, and hardware metrics. The publication closes with an overview of a functional safety concept and presents an outlook to future trends of safety systems analysis

Engineering

Naveen Mohan,Martin Törngren,Sagar Behere

DOI: https://doi.org/10.48550/arXiv.1912.03178

2019-12-06

Systems and Control

Abstract:With the advent of ISO 26262 there is an increased emphasis on top-down design in the automotive industry. ISO 26262 lacks detailed requirements for its various constituent phases. The lack of guidance becomes evident for the reuse of legacy components and subsystems, leaving vehicle architects and safety engineers to rely on experience without methodological support for their decisions. This poses challenges in the industry which is undergoing many significant changes due to new features like connectivity, electrification and automation. Here we focus on automated driving where multiple subsystems, both new and legacy, need to coordinate to realize a safety-critical function. This paper introduces a method to support consistent design of an ISO 26262 work product, the Functional Safety Concept (FSC). The method addresses a need within the industry for architectural analysis, rationale management and reuse of legacy subsystems. The method makes use of an existing work product, the diagnostic specifications of a subsystem, to assist in performing a systematic assessment of the influence a human driver, in the design of the subsystem. The output of the method is a report with an abstraction level suitable for a vehicle architect, used as a basis for decisions related to the FSC such as generating a Preliminary Architecture (PA) and building up argumentation for verification of the FSC. The proposed method is tested in a safety-critical braking subsystem at one of the largest heavy vehicle manufacturers in Sweden, Scania C.V. AB. The results demonstrate the benefits of the method including (i) reuse of pre-existing work products, (ii) gathering requirements for automated driving functions while designing the PA and FSC, (iii) the parallelization of work across the organization on the basis of expertise, and (iv) the applicability of the method across all types of subsystems.

Zheng Zhu,Liang Li

DOI: https://doi.org/10.1109/tiv.2024.3478792

IF: 8.2

2024-01-01

IEEE Transactions on Intelligent Vehicles

Abstract:With the development of automotive intelligence, drive-by-wire system has attracted extensive attention from academia and industry. However, the architectural design of electro-mechanical-brake (EMB) systems has not been emphasized enough, especially in the context of functional safety concept. In view of this, based on ISO 26262, this paper extends the system boundary of functional safety for the first time, and combines EMB system with other systems of the vehicle to build a 4-way redundant EMB system architecture. Furthermore, detailed qualitative and quantitative analysis results are given by using state transition location diagram and quantitative fault tree analysis (FTA) respectively, and the braking failure rate is Q 0 ≈ 2.0003×10 -10 < 10 -8 meets the failure rate requirements of ASIL-D, which prove the security and reliability of the proposed architecture. This paper provides guidance and reference for the design and analysis of EMB system for subsequent researchers, and guarantees the safe development of autonomous vehicles from the safety and reliability of the system.

Guoqi Xie,Wei Wu,Gang Zeng,Renfa Li,Shiyan Hu

DOI: https://doi.org/10.1109/tits.2020.3027469

IF: 8.5

2021-06-01

IEEE Transactions on Intelligent Transportation Systems

Abstract:Vehicle design has entered a new stage, namely, Software Defined Vehicles (SDV), where functional safety is required to be guaranteed for risk control, and development cost needs to be optimized for profit maximization. This paper targets to optimize the development cost under the functional safety requirement for a safety-aware SDV, based on the automotive safety integrity level (ASIL) decomposition defined in ISO 26262. For this, a two-stage solution is proposed, which includes functional safety risk assessment and development cost optimization. The first stage develops a new fast risk assessment (FRA) algorithm to assess the functional safety risk, including the joint reliability risk and the real-time risk, of the SDV functionality. The second stage proposes a dual requirement guarantee (DRG) algorithm to optimize the development cost considering reliability and real-time requirements jointly. Our experiments demonstrate that the proposed two-stage solution guarantees the functional safety requirement while reducing the development cost by 20%-24%.

engineering, electrical & electronic,transportation science & technology, civil

Yufeng Li,Wenqi Liu,Qi Liu,Xiangyu Zheng,Ke Sun,Chengjian Huang

DOI: https://doi.org/10.3390/s24061848

IF: 3.9

2024-03-14

Sensors

Abstract:A cyber-physical system (CPS) integrates communication and automation technologies into the operational processes of physical systems. Nowadays, as a complex CPS, an intelligent connected vehicle (ICV) may be exposed to accidental functional failures and malicious attacks. Therefore, ensuring the ICV's safety and security is crucial. Traditional safety/security analysis methods, such as failure mode and effect analysis and attack tree analysis, cannot provide a comprehensive analysis for the interactions between the system components of the ICV. In this work, we merge system-theoretic process analysis (STPA) with the concept phase of ISO 26262 and ISO/SAE 21434. We focus on the interactions between components while analyzing the safety and security of ICVs to reduce redundant efforts and inconsistencies in determining safety and security requirements. To conquer STPA's abstraction in describing causal scenarios, we improved the physical component diagram of STPA-SafeSec by adding interface elements. In addition, we proposed the loss scenario tree to describe specific scenarios that lead to unsafe/unsecure control actions. After hazard/threat analysis, a unified risk assessment process is proposed to ensure consistency in assessment criteria and to streamline the process. A case study is implemented on the autonomous emergency braking system to demonstrate the validation of the proposed method.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Fei Gao,Cheng Luo,Fangyuan Shi,Xianqing Chen,Zhenhai Gao,Rui Zhao

DOI: https://doi.org/10.1109/access.2023.3300423

IF: 3.9

2023-09-06

IEEE Access

Abstract:Addressing decision safety in the unpredictable arena of complex traffic scenarios represents a significant hurdle for autonomous driving systems. Considering the inherent spatial-temporal uncertainties associated with the future actions of surrounding traffic participants, real-time safety verification of autonomous driving decisions is crucial to maintaining vehicular safety. Existing online verification methodologies, such as Responsibility Sensitive Safety (RSS) and Safety Force Field (SFF), ensure driving safety by formalizing human safe-driving rules and constraining the vehicle to maintain safe lateral and longitudinal distances in real-time. While these methods effectively prevent collisions instigated by the autonomous vehicle itself, they lack sufficient foresight and often result in less smooth driving trajectories. To address these limitations, we propose an innovative, interpretable, formal safety verification framework. This approach integrates both explicit and implicit traffic rules to anticipate all legally acceptable transitions of traffic scenarios. It builds the lawful, short-term reachable region for each vehicle, and verifies the safety of autonomous vehicle decisions by assessing whether the regions these vehicles inhabit, in accordance with the expected trajectory, overlap with the accessible zones of other vehicles. Furthermore, in scenarios presenting potential danger, a backup smooth safety trajectory is derived from the autonomous vehicle's legal reachability domain as a preventive measure to degrade safety threats. As a cornerstone of safety for autonomous vehicles, our proposed method ensures a continual safe trajectory in all traffic scenarios, provided that other participants adhere to traffic rules. Experimental outcomes, grounded in the ISO 34502 standard and real-world critical safety scenarios, demonstrate the method's efficacy in identifying potentially dangerous decisions and mitigating aut- nomous vehicle-induced traffic accidents.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xuewu Ji,Jingguang Ge,Hongliang Tian

DOI: https://doi.org/10.1109/QR2MSE.2013.6625550

2013-01-01

Abstract:Electric power steering (EPS) systems have been more and more widely used in medium and large cars. As a safety-critical system, its safety and reliability are uttermost important. ISO 26262 adapted from IEC 61508 provides a V-model as a reference process model for different phases of product development. In this paper, DFMEA (design failure mode and effects analysis) and FTA (fault tree analysis) complied with ISO 26262 are taken to analyze the safety aspects of EPS so as to enhance the safety and reliability of EPS. Firstly, the EPS system is decomposed into subsystems and components, and the familiar failure modes and undesired top events are separately divided into several categories. Then a comprehensive DFMEA for every single potential failure mode is carried out without omission as far as possible. The qualitative FTA is put into practice to identify the weak link as well. Since the DFMEA and FTA for EPS are finished, countermeasures for each potential hazard should be taken to guarantee the safety and reliability of EPS which are always achieved by fault detection and fault isolation algorithms of EPS hardware and software. Besides, some preventive actions are also taken in the early design stage to find out the potential causes.

Lei He,Junyi Chen,Xiucai Zhang,Jun Li,Jingquan Tian

DOI: https://doi.org/10.1109/access.2024.3349964

IF: 3.9

2024-01-01

IEEE Access

Abstract:In recent years, autonomous driving technology has been developing rapidly, but there is still a certain gap from commercial production, in which the safety issue is one of the important factors. In the working of most companies and colleges, the Traffic Jam Pilot (TJP), serving as a prototypical Level 3 autonomous driving function, has predominantly focused on functional implementation and enhancement, prioritizing functional completeness and user comfort. However, the aspect of functional safety in the system has received comparatively less attention. To guarantee the safety of the driver’s life and property, it is essential to consider the functional safety aspect regarding automobile operation after system function failure. In this paper, according to the functional safety development process and related regulations in ISO 26262, the functions and operation environment of the TJP system are defined in detail, and the longitudinal function is taken as an example to be developed following the functional safety process and verified by simulation. Simulation verification results show that the control algorithm is safe and reliable, and can ensure the safety and stability of the vehicle during operation. The research in this paper further explores the combination of functional safety and high-level automated driving function, providing some ideas for their practical application in industry.

computer science, information systems,telecommunications,engineering, electrical & electronic

Sangeeth Kochanthara,Niels Rood,Arash Khabbaz Saberi,Loek Cleophas,Yanja Dajsuren,Mark van den Brand

DOI: https://doi.org/10.1016/j.jss.2021.110991

IF: 3.5

2021-09-01

Journal of Systems and Software

Abstract:<p>The scope of automotive functions has grown from a single vehicle as an entity to multiple vehicles working together as an entity, referred to as cooperative driving. The current automotive safety standard, ISO 26262, is designed for single vehicles. With the increasing number of cooperative driving capable vehicles on the road, it is now imperative to systematically assess the functional safety of architectures of these vehicles. Many methods are proposed to assess architectures with respect to different quality attributes in the software architecture domain, but to the best of our knowledge, functional safety assessment of automotive architectures is not explored in the literature. We present a method, that leverages existing research in software architecture and safety engineering domains, to check whether the functional safety requirements for a cooperative driving scenario are fulfilled in the technical architecture of a vehicle. We apply our method on a real-life academic prototype for a cooperative driving scenario, platooning, and discuss our insights.</p>

computer science, theory & methods, software engineering

Sohag Kabir,Ioannis Sorokos,Koorosh Aslansefat,Yiannis Papadopoulos,Youcef Gheraibia,Jan Reich,Merve Saimler,Ran Wei

DOI: https://doi.org/10.1007/978-3-030-32872-6_22

2019-01-01

Abstract:In the automotive industry, modern cyber-physical systems feature cooperation and autonomy. Such systems share information to enable collaborative functions, allowing dynamic component integration and architecture reconfiguration. Given the safety-critical nature of the applications involved, an approach for addressing safety in the context of reconfiguration impacting functional and non-functional properties at runtime is needed. In this paper, we introduce a concept for runtime safety analysis and decision input for open adaptive systems. We combine static safety analysis and evidence collected during operation to analyse, reason and provide online recommendations to minimize deviation from a system’s safe states. We illustrate our concept via an abstract vehicle platooning system use case.

Fardin Abdi,Renato Mancuso,Rohan Tabish,Marco Caccamo

DOI: https://doi.org/10.48550/arXiv.1705.02412

2017-05-06

Abstract:Embedded systems in safety-critical environments are continuously required to deliver more performance and functionality, while expected to provide verified safety guarantees. Nonetheless, platform-wide software verification (required for safety) is often expensive. Therefore, design methods that enable utilization of components such as real-time operating systems (RTOS), without requiring their correctness to guarantee safety, is necessary. In this paper, we propose a design approach to deploy safe-by-design embedded systems. To attain this goal, we rely on a small core of verified software to handle faults in applications and RTOS and recover from them while ensuring that timing constraints of safety-critical tasks are always satisfied. Faults are detected by monitoring the application timing and fault-recovery is achieved via full platform restart and software reload, enabled by the short restart time of embedded systems. Schedulability analysis is used to ensure that the timing constraints of critical plant control tasks are always satisfied in spite of faults and consequent restarts. We derive schedulability results for four restart-tolerant task models. We use a simulator to evaluate and compare the performance of the considered scheduling models.

Systems and Control

Chuchu Fan,Bolun Qi,Sayan Mitra

DOI: https://doi.org/10.48550/arXiv.1704.06406

2017-04-21

Systems and Control

Abstract:We present an overview of recently developed data-driven tools for safety analysis of autonomous vehicles and advanced driver assist systems. The core algorithms combine model-based, hybrid system reachability analysis with sensitivity analysis of components with unknown or inaccessible models. We illustrate the applicability of this approach with a new case study of emergency braking systems in scenarios with two or three vehicles. This problem is representative of the most common type of rear-end crashes, which is relevant for safety analysis of automatic emergency braking (AEB) and forward collision avoidance systems. We show that our verification tool can effectively prove the safety of certain scenarios (specified by several parameters like braking profiles, initial velocities, uncertainties in position and reaction times), and also compute the severity of accidents for unsafe scenarios. Through hundreds of verification experiments, we quantified the safety envelope of the system across relevant parameters. These results show that the approach is promising for design, debugging and certification. We also show how the reachability analysis can be combined with statistical information about the parameters, to assess the risk level of the control system, which in turn is essential, for example, for determining Automotive Safety Integrity Levels (ASIL) for the ISO26262 standard.

Junsung Kim,Praful Puranik,Ragunathan Rajkumar,Ragunathan (Raj) Rajkumar

DOI: https://doi.org/10.1145/2583687.2583695

2013-12-01

ACM SIGBED Review

Abstract:Advances in real-time, embedded and distributed systems along with control and communication theory have catalyzed the rapid emergence of cyber-physical systems such as a self-driving car. The importance of fault-tolerance support on a cyber-physical system (CPS) has been greatly emphasized by recent research due to the nature of CPS that senses its surroundings, processes sensor data, and reacts using its actuators. In order to tackle this challenge, we proposed SAFER (System-level Architecture for Failure Evasion in Real-time Applications) in our previous work. SAFER is able to tolerate fail-stop processor and/or task failures for distributed embedded real-time systems. One of its limitations, however, is that SAFER is not capable of tolerating a failure of a processor with a dedicated connection to an actuator. This paper provides a method that relaxes this limitation by (1) deploying a small piece of hardware to avoid a dedicated connection between a processor and an actuator, (2) adding a software module that monitors and controls the hardware, and (3) enhancing the failure detection and recovery mechanisms of SAFER to support these changes. The detailed implementation and evaluation of the SAFER extension is on-going work.