ATRIUM -- Architecting Under Uncertainty for ISO 26262 compliance

The ISO 26262 is currently the dominant standard for assuring functional safety of electrical and electronic systems in the automotive industry. The Functional Safety Concept (FSC) subphase in the standard requires the Preliminary Architectural Assumptions (PAA) for allocation of functional safety requirements (FSRs). This paper justifies the need for, and defines a process ATRIUM, for consistent design of the PAA. ATRIUM is subsequently applied in an industrial case study for a function enabling highly automated driving at one of the largest heavy vehicle manufacturers in Europe, Scania CV AB. The findings from this study, which contributed to ATRIUM's institutionalization at Scania, are presented. The benefits of the proposed process include (i) a fast and flexible way to refine the PAA, and a framework to (ii) incorporate information from legacy systems into safety design and (iii) rigorously track and document the assumptions and rationale behind architectural decisions under uncertain information. The contributions of this paper are the (i) analysis of the problem (ii) the process ATRIUM and (iii) findings and the discussion from the case study at Scania. Keywords: ISO 26262, functional safety, automation, HCV, HGV, architectures, highly automated driving, ATRIUM, decision making, architecting, uncertainty managementComment: Added preprint copyright notic

AD-EYE: A Co-simulation Platform for Early Verification of Functional Safety Concepts

Automated Driving is revolutionizing many of the traditional ways of operation in the automotive industry. The impact on safety engineering of automotive functions is arguably one of the most important changes. There has been a need to re-think the impact of the partial or complete absence of the human driver (in terms of a supervisory entity) in not only newly developed functions but also in the qualification of the use of legacy functions in new contexts. The scope of the variety of scenarios that a vehicle may encounter even within a constrained Operational Design Domain, and the highly dynamic nature of Automated Driving, mean that new methods such as simulation can greatly aid the process of safety engineering. This paper discusses the need for early verification of the Functional Safety Concepts (FSCs), details the information typically available at this stage in the product lifecycle, and proposes a co-simulation platform named AD-EYE designed for exploiting the possibilities in an industrial context by evaluating design decisions and refining Functional Safety Requirements based on a reusable scenario database. Leveraging our prior experiences in developing FSCs for Automated Driving functions, and the preliminary implementation of co-simulation platform, we demonstrate the advantages and identify the limitations of using simulations for refinement and early FSC verification using examples of types of requirements that could benefit from our methodology.Comment: 12 pages, single column in this preprin

Architecting Safe Automated Driving with Legacy Platforms

Modern vehicles have electrical architectures whose complexity grows year after year due to feature growth corresponding to customer expectations. The latest of the expectations, automation of the dynamic driving task however, is poised to bring about some of the largest changes seen so far. In one fell swoop, not only does required functionality for automated driving drastically increase the system complexity, it also removes the fall-back of the human driver who is usually relied upon to handle unanticipated failures after the fact. The need to architect thus requires a greater rigour than ever before, to maintain the level of safety that has been associated with the automotive industry. The work that is part of this thesis has been conducted, in close collaboration with our industrial partner Scania CV AB, within the Vinnova FFI funded project ARCHER. This thesis aims to provide a methodology for architecting during the concept phase of development, using industrial practices and principles including those from safety standards such as ISO 26262. The main contributions of the thesis are in two areas. The first area i.e. Part A contributes, (i) an analysis of the challenges of architecting automated driving, and serves as a motivation for the approach taken in the rest of this thesis, i.e. Part B where the contributions include, (ii) a definition of a viewpoint for functional safety according to the definitions of ISO 42010, (iii) a method to systematically extract information from legacy components and (iv) a process to use legacy information and architect in the presence of uncertainty to provide a work product, the Preliminary Architectural Assumptions (PAA), as required by ISO 26262. The contributions of Part B together comprise a methodology to architect the PAA. <read full abstract in pdf