Workflow between ISO 26262 and ISO 21448 Standards for Autonomous Vehicles

Assuring safety is important in autonomous vehicles. The safety related to autonomous vehicles can be primarily viewed from two perspectives: the functional safety (FuSa) perspective and the safety of the intended functionality (SOTIF) perspective. While FuSa ensures the system has an acceptable risk with respect to malfunctions of electrical and electronic components, SOTIF ensures the system has an acceptable risk with respect to functional insufficiencies and performance limitations. ISO 26262 and ISO 21448 are the state-of-the-art international standards used to ensure compliance with FuSa and SOTIF for autonomous automotive systems, respectively. The ISO 21448 standard mentions the need for alignment of ISO 26262 activities with the ISO 21448 activities and describes the mapping at a very high level. However, given the iterative nature of SOTIF activities in ISO 21448, the workflow between the two standards is not a direct one-toone mapping. Hence, we need a clear understanding how we can align ISO 26262 and ISO 21448 activities, and on how analysis done in one standard can impact the other. To achieve this, in this paper we propose a detailed workflow between ISO 26262 and ISO 21448 standards. We discuss guidelines on how to find if a change to design due to SOTIF modification can affect FuSa analysis and vice versa. We also discuss the aspects we need to consider for agile development when we want to ensure the system bein

Towards Identifying and closing Gaps in Assurance of autonomous Road vehicleS - a collection of Technical Notes Part 1

This report provides an introduction and overview of the Technical Topic Notes (TTNs) produced in the Towards Identifying and closing Gaps in Assurance of autonomous Road vehicleS (Tigars) project. These notes aim to support the development and evaluation of autonomous vehicles. Part 1 addresses: Assurance-overview and issues, Resilience and Safety Requirements, Open Systems Perspective and Formal Verification and Static Analysis of ML Systems. Part 2: Simulation and Dynamic Testing, Defence in Depth and Diversity, Security-Informed Safety Analysis, Standards and Guidelines

Review of the Latest Developments in Automotive Safety Standardization for Driving Automation Systems

The ISO 26262: Functional Safety – Road Vehicles Standard has been the de-facto automotive functional safety standard since it was first released in 2011. With the introduction of complex driving automation systems, new standardization efforts to deal with safety of these systems have been initiated to address emerging gaps such as the human/automation roles and responsibilities in the presence/absence of the driver/user, the impact of the technological limitations and the verification and validation needs of automation systems to name a few. This paper highlights some of these gaps and introduces some of the latest developments in automotive safety standardization for driving automation systems

Risk Management Core -- Towards an Explicit Representation of Risk in Automated Driving

While current automotive safety standards provide implicit guidance on how unreasonable risk can be avoided, manufacturers are required to specify risk acceptance criteria for automated driving systems (SAE Level 3+). However, the 'unreasonable' level of risk of automated driving systems (SAE Level 3+) is not yet concisely defined. Solely applying current safety standards to such novel systems could potentially not be sufficient for their acceptance. As risk is managed with implicit knowledge about safety measures in existing automotive standards, an explicit alignment with risk acceptance criteria is challenging. Hence, we propose an approach for an explicit representation and management of risk, which we call the Risk Management Core. The proposal of this process framework is based on requirements elicited from current safety standards and apply the Risk Management Core to the task of specifying safe behavior for an automated driving system in an example scenario.Comment: 16 pages, 6 figure

Controlling Concurrent Change - A Multiview Approach Toward Updatable Vehicle Automation Systems

The development of SAE Level 3+ vehicles [{SAE}, 2014] poses new challenges not only for the functional development, but also for design and development processes. Such systems consist of a growing number of interconnected functional, as well as hardware and software components, making safety design increasingly difficult. In order to cope with emergent behavior at the vehicle level, thorough systems engineering becomes a key requirement, which enables traceability between different design viewpoints. Ensuring traceability is a key factor towards an efficient validation and verification of such systems. Formal models can in turn assist in keeping track of how the different viewpoints relate to each other and how the interplay of components affects the overall system behavior. Based on experience from the project Controlling Concurrent Change, this paper presents an approach towards model-based integration and verification of a cause effect chain for a component-based vehicle automation system. It reasons on a cross-layer model of the resulting system, which covers necessary aspects of a design in individual architectural views, e.g. safety and timing. In the synthesis stage of integration, our approach is capable of inserting enforcement mechanisms into the design to ensure adherence to the model. We present a use case description for an environment perception system, starting with a functional architecture, which is the basis for componentization of the cause effect chain. By tying the vehicle architecture to the cross-layer integration model, we are able to map the reasoning done during verification to vehicle behavior

A simulation-based methodology for aiding advanced driver assistance systems hazard analysis and risk assessment

The increasing complexity of the Advanced Driver Assistance Systems (ADAS) is making more difficult to perform the Hazard Analysis and Risk Assessment (HARA). These items require high-performance Electronic Control Units (ECU) with extensive software functionalities. To correctly operate they interact with the driver, environment and other vehicle functions through high-speed in-vehicle networks, as well as a wide range of sensors and actuators. As a result, they implement complex behaviors whose outcome in presence of faults is not trivial to identify and classify as requested by the concept phase included in the most recent functional safety standards. In this paper we present a simulation-based methodology to perform the HARA of a vehicle function by mixing the usual industrial approach, based on the designers' knowledge, with one that makes use of a vehicle-level simulator. The simulation-based approach provides an automatic and systematic method to assess the complex interaction of the item under analysis with other vehicle functions in possibly complex operational situations, thus making the prediction of hazards easier. We choose to demonstrate the approach by applying it to a well-known automotive industry case study: an Advanced Emergency Braking System (AEBS). In this way, it is possible to analyze the effects of the function provided by the item, keeping into account the simulations results and comparing them to similar situations analysis available in literature. Thanks to the obtained simulation-based results, safety engineers can formulate a more objective hypothesis, in particular during the hazard classification subphase