Functional safety methods for developing automated driving functions
TNO works on developing safety-critical automated driving functions. This study addresses the problem of integrating functional safety into TNO's development process and way of working. The ISO 26262 standard is used as the reference for functional safety in this study. The problem can be addressed from different aspects; the aspects considered in this research are the development process, methodology, tools, and system architecture. The project is divided into two major phases: a Methodology design phase and a Case study phase. The design problem is tackled during the Methodology design phase, where the CAFCR method is implicitly used to solve it. In the Case study phase, the proposed solutions are tested in a small-scale case study in order to validate the applicability of the results. As part of the Methodology design phase, the problem of integrating functional safety into TNO's way of working is analyzed in more detail. Specifically, the two sides of the problem, i.e. ISO 26262 and TNO's way of working, are analyzed in this chapter. The significant aspects of the two sides are combined and connected using the CAFCR method, and these aspects are converted into requirements that can be used for designing the methodology. This phase resulted in the Functional Safety Methodology (FSM), which combines the proposed integrated design process and the Architecture Framework for Functional Safety (A2FS). In the second phase of the project, i.e. the Case study phase, the proposed solutions were put to the test in practice: a small-scale project was chosen to act as the pilot project. The case study showed promising results for the methods
Evaluation of safety indicators for truck platooning
This paper addresses safety indicators for truck platooning at short inter-vehicle distances (with a time gap of 0.5 s). The aim of a safety indicator is to determine the correct moment for initiating a Collision Avoidance brake action to prevent a collision with the preceding truck in threatening situations. Three safety indicators are selected for evaluation: the intended acceleration of the preceding truck, which is shared via Vehicle-to-Vehicle (V2V) communication; the Brake Threat Number (BTN — based on simple vehicle models and an emergency brake assumption for the lead vehicle); and the Time-To-Collision (TTC — based on a constant velocity assumption). The latter two do not rely on V2V communication but are obtained from on-board signals. Requirements for the number of false negatives (missing a threatening situation) and false positives (identifying a safe situation as threatening) are derived from a functional safety perspective. To find thresholds for the safety indicators that minimize the false negative rate, emergency brake tests are used. To evaluate the number of false positives, a data set of two trucks driving in a platoon at a 0.5 s time gap on mixed-traffic highways in Belgium and the Netherlands, collected during 8 hours of automated driving in a platoon, is used. The results indicate that the communicated intended acceleration of the preceding truck might be able to distinguish safe from threatening situations in a vehicle platoon. Furthermore, for situations without V2V, neither the BTN nor the TTC is capable of distinguishing between threatening and safe situations. The number of false positives found in the safe driving data set does not fulfill the requirements derived from a functional safety perspective
A systematic approach and tool support for GSN-based safety case assessment
Context. In safety-critical domains, safety cases are widely used to demonstrate the safety of systems. A safety case is an argument for showing confidence in the claimed safety assurance of a system, and it should be comprehensible and well-structured. Typically, safety cases are represented either in plain text or graphically, for example in Goal Structuring Notation (GSN). After safety cases are developed, they need to be assessed to check their quality. Two different roles are involved in this process: safety case developers and safety case assessors. Objective. During the safety case assessment process, safety case assessors are required to evaluate the validity of a safety case and discuss their judgement with the safety case developers. Currently, neither the outcome of a safety case assessment nor the way of providing judgement is systematically supported, which may cause inconsistent outcomes and wrong judgements. Therefore a systematic process for safety case assessment is required. Moreover, to support safety case assessment in an efficient and effective way, tool support is needed. Recently, a number of safety case editors have been developed to support safety case development with GSN. These editors support the development and management of safety cases. However, only a few editors offer limited functionality for safety case assessment, which is one of the crucial phases of the safety assurance process. This motivates us to develop a tool to support safety case assessment. Method. In this paper, we first identify two research questions, resulting in two directions for further study: formalising the safety case assessment process and developing safety case tooling. First, we carried out a study of the state of the art in safety case assessment and safety case tooling. Based on our findings, we formalize the safety assessment process by identifying the typical steps in safety case assessment.
This assessment process can guide assessors to assess a safety case from a general level down to a detailed level and to provide reliable and understandable feedback to developers. Finally, two industrial case studies are carried out to validate the proposed assessment process. Results. To support the proposed process, a prototype tool for safety case assessment was developed. A number of required features are implemented in the prototype tooling; among others, it provides a complete and self-contained evaluation system to measure the quality of a safety case. Moreover, the case study validations show potential for facilitating safety assessment in practice. Conclusions. In this paper, two research questions are identified and their solutions are discussed. We then propose a systematic approach for safety case assessment. For demonstration, tool support is also developed. For validation, two industrial case studies have been carried out to show the effectiveness of the proposed process
An architecture pattern for safety critical automated driving applications: design and analysis
The introduction of automated driving increases the complexity of automotive systems. As a result, architecture design becomes a major concern for ensuring non-functional requirements such as safety and modifiability. In the ISO 26262 standard, architecture patterns are recommended for system development. However, the existing architecture patterns may not be able to fully meet the requirements of automated driving. When applying these patterns in the automated driving context, modification and analysis of the patterns are needed. In this paper, we present a novel architecture pattern for safety-critical automated driving functions. In addition, we propose a generic approach to compare our pattern with a number of existing ones. The comparison results can be used as a basis for project-specific architectural decisions. Our Safety Channel pattern is validated by its implementation for a real-life truck platooning application