Using STPA in Compliance with ISO 26262 for Developing a Safe Architecture for Fully Automated Vehicles
Automotive-Safety and Security 2017, May 31st 2017
Asim Abdulkhaleq, Daniel Lammering
www.continental-automotive.com, Corporate Systems & Technology
Source: automotive2017.de/programm/Vortraege/S4V2 Lammering...
Slide "HARA & ISO 26262 Lifecycle", Concept Phase (ISO 26262 part 3): Item Definition, Initiation
Operational Safety in the Automotive Domain: Ensuring a high level of operational safety
Functional safety: absence of unreasonable risk due to hazards caused by malfunctioning behavior of E/E systems
Safety in use: absence of hazards due to human error
Safety of the intended functionality: absence of unreasonably hazardous functionality
Safety: absence of unreasonable risk
Roadworthiness (operational safety): property or ability of a car, bus, truck or any kind of automobile to be in a suitable operating condition or to meet acceptable standards for safe driving and transport of people, baggage or cargo on roads or streets
Source: N. G. Leveson. Engineering A Safer World: Systems Thinking Applied to Safety, MIT Press. Cambridge, MA. 2011.
Introduction to STAMP/STPA Methodology
STPA (System-Theoretic Process Analysis): a hazard analysis technique based on systems thinking, built on the STAMP (System-Theoretic Accident Model and Processes) causality model
› Based on system theory rather than reliability theory
› Integrates safety into system engineering and can also analyze hazards in an existing design
› Drives the earliest design decisions (Safety by Design)
› Identifies unexpected accident scenarios
› In systems theory, instead of breaking systems into interacting components, systems are viewed (modeled) as a hierarchy of organizational levels.
Figure: the STPA control loop. A controller, holding a process model of the controlled process, issues control actions to the controlled process and receives feedback from it.
Source: N. G. Leveson. Engineering A Safer World: Systems Thinking Applied to Safety, MIT Press.
Methodology & Results: STPA Step 1, Unsafe Control Actions
› We identify the unsafe control actions of the fully automated driving platform
› We translate each unsafe control action into a corresponding safety constraint
Safety-critical control action CA-1: Trajectory
Unsafe control action UCA-1: The fully automated driving function platform does not provide a valid trajectory to motion control while driving too fast on a highway [HA-1]
Corresponding safety constraint SC-1: The fully automated driving function platform must always provide a valid trajectory to motion control while driving too fast on a highway
Methodology & Results: STPA Step 2, Causal Factors and Scenarios
› We use the results of the situation analysis to determine the process model of AD
› We identify the causal factors and scenarios of each unsafe control action
Process model variables (PMV): road_type (highway, parking, intersection, mountain, city, urban), throttle position, brake friction, etc.
Unsafe control action UCA-1: The fully automated driving function platform does not provide a valid trajectory to motion control while driving too fast on a highway [HA-1]
Causal factor: lack of communication
Causal scenario CS-1: The fully automated driving function platform receives wrong signals from the backend due to the lack of communication while driving too fast on a highway
Safety Constraint SC-1: The fully automated driving function platform must always provide the trajectory to enable motion control to adjust the throttle position and apply brake friction when the vehicle is driving too fast on a highway and there is traffic ahead to avoid a potential collision.
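Worked example of Steps 1 and 2 above, added here and not code from the slides or from the authors' XSTAMPP tool: it derives candidate unsafe control actions for CA-1 with the four STPA guide phrases, turns each into a safety constraint in the Step 1 style, and then makes SC-1 checkable as a monitor over a constructed trace of controller outputs, where a stale trajectory stands in for causal scenario CS-1 (lack of communication with the backend). Everything not on the slides is an assumption: the guide-phrase and constraint templates, the 130 km/h threshold standing in for "too fast", the 0.2 s freshness budget, and the definition of a "valid" trajectory as a non-empty list of finite waypoints that is not stale.

```python
"""Worked STPA Steps 1 and 2 for the control action on the slides (CA-1: trajectory).
Added example, not the authors' XSTAMPP tooling: derives unsafe control actions (UCAs)
with the four STPA guide phrases, maps each to a safety constraint, and checks SC-1
against a constructed trace of controller outputs."""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

PLATFORM = "The fully automated driving function platform"

# The four STPA guide phrases, as sentence templates for a control action {ca} (assumed wording).
UCA_TEMPLATES = {
    "not provided": "does not provide a valid {ca} to motion control",
    "provided incorrectly": "provides an incorrect {ca} to motion control",
    "wrong timing or order": "provides the {ca} to motion control too early, too late or out of order",
    "stopped too soon or applied too long": "stops providing the {ca} to motion control too soon or keeps providing it too long",
}
# Safety constraint template per guide phrase (the Step 1 translation on the slide; assumed wording).
CONSTRAINT_TEMPLATES = {
    "not provided": "must always provide a valid {ca} to motion control",
    "provided incorrectly": "must provide only a correct {ca} to motion control",
    "wrong timing or order": "must provide the {ca} to motion control within its timing budget and in order",
    "stopped too soon or applied too long": "must keep providing the {ca} to motion control until the maneuver is complete and no longer",
}


@dataclass(frozen=True)
class UCA:
    ca: str                                # control action, e.g. "trajectory"
    uca_type: str                          # key of UCA_TEMPLATES
    context: Tuple[Tuple[str, str], ...]   # process model variable values (sorted name/value pairs)
    hazard: str                            # linked hazard, e.g. "HA-1"

    def _ctx(self) -> str:
        return " and ".join(f"{k} is {v}" for k, v in self.context)

    def text(self) -> str:
        return f"{PLATFORM} {UCA_TEMPLATES[self.uca_type].format(ca=self.ca)} while {self._ctx()} [{self.hazard}]"

    def constraint(self) -> str:
        return f"{PLATFORM} {CONSTRAINT_TEMPLATES[self.uca_type].format(ca=self.ca)} while {self._ctx()}"


def derive_ucas(ca: str, context: Dict[str, str], hazard: str) -> List[UCA]:
    """Step 1: one candidate UCA per guide phrase for a control action in a context.
    The analyst still decides which candidates are actually hazardous."""
    ctx = tuple(sorted(context.items()))
    return [UCA(ca, kind, ctx, hazard) for kind in UCA_TEMPLATES]


# Step 2: make SC-1 checkable. A "valid trajectory" is assumed (not defined on the slides)
# to be a non-empty list of finite (x, y) waypoints that is not stale; staleness is how
# causal scenario CS-1 (lack of communication with the backend) shows up at motion control.
@dataclass
class Sample:
    t: float                                              # controller cycle time, seconds
    speed_kph: float
    road_type: str                                        # process model variable road_type
    trajectory: Optional[Sequence[Tuple[float, float]]]   # None if nothing was received
    traj_t: float                                         # timestamp carried by the trajectory message


def trajectory_valid(traj, now: float, traj_t: float, max_age_s: float = 0.2) -> bool:
    """Assumed validity rule: present, fresh within max_age_s, and every waypoint finite."""
    if not traj or now - traj_t > max_age_s:
        return False
    return all(len(p) == 2 and all(math.isfinite(c) for c in p) for p in traj)


def check_sc1(trace: Sequence[Sample], highway_limit_kph: float = 130.0) -> List[float]:
    """Return the cycle times at which SC-1 is violated: the vehicle is in the hazardous
    context (highway, above the assumed 130 km/h threshold for "too fast") and no valid
    trajectory reaches motion control."""
    violations = []
    for s in trace:
        hazardous = s.road_type == "highway" and s.speed_kph > highway_limit_kph
        if hazardous and not trajectory_valid(s.trajectory, s.t, s.traj_t):
            violations.append(s.t)
    return violations


# Constructed trace (not measured data): one violation per failure family.
TRACE = [
    Sample(0.0, 140.0, "highway", [(0.0, 0.0), (5.0, 0.1)], 0.0),        # fresh, valid
    Sample(0.1, 40.0, "city", None, 0.0),                               # no trajectory, but not in the hazardous context
    Sample(0.2, 140.0, "highway", [(0.0, 0.0), (5.0, 0.1)], 0.2),        # fresh, valid
    Sample(0.5, 140.0, "highway", [(0.0, 0.0), (5.0, 0.1)], 0.2),        # stale: backend link lost (CS-1)
    Sample(0.6, 140.0, "highway", None, 0.6),                           # nothing provided
    Sample(0.7, 140.0, "highway", [(0.0, 0.0), (math.nan, 0.1)], 0.7),   # malformed waypoint
]

if __name__ == "__main__":
    for i, u in enumerate(derive_ucas("trajectory", {"road_type": "highway", "speed": "too fast"}, "HA-1"), 1):
        print(f"UCA-{i}: {u.text()}\nSC-{i}:  {u.constraint()}\n")
    print("SC-1 violated at t =", check_sc1(TRACE))
```

The first generated candidate reproduces UCA-1 and SC-1 from the slides; the other three are the guide phrases the analyst would screen for this context. The monitor shows why the refined SC-1 on this slide has to say what "valid" means: without a freshness rule the stale trajectory at t = 0.5 s, the one CS-1 describes, would pass as provided.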
› The integration of STPA into HARA activities still needs modification in the assumptions and terms of both STPA and HARA to directly map the results of STPA into HARA
› STPA has no guidance on how to define the process model and its variables.
› Our tool support XSTAMPP does not support the HARA activities
› We used STPA as an assessment approach for the functional architecture of an automated driving vehicle.
› We show how to use STPA in compliance with ISO 26262 to extend the safety scope of ISO 26262
› We provide guidance on how to use STPA in the ISO 26262 lifecycle.
› We found that STPA and HARA can be applied with little knowledge of the detailed design of the system at an early stage of development.
STPA will be recommended in the next version of ISO 26262 (2018)
STPA in compliance with ISO 26262: Future Work
› Use of STPA as a qualitative analysis in an advanced development project (e.g. fully automated driving vehicle)
› We plan to explore the use of the STPA approach in compliance with ISO 26262 at different levels of the fully automated driving architecture (e.g. software level) to develop detailed safety requirements.
› We plan to develop an extension to our tool XSTAMPP to support the HARA activities.
› We plan to conduct an empirical case study evaluating our proposed concept with functional safety engineers at Continental to understand the benefits and limitations.
Joint work with
› Prof. Dr. Stefan Wagner, University of Stuttgart, Stuttgart, Germany
› Pierre Blüher, Hagen Boehmert, Continental Teves AG & Co. oHG, Frankfurt am Main, Germany