Early safety evaluation of design decisions in E/E architecture according to ISO 26262

Rupanov, Vladimir; Buckl, Christian; Fiege, Ludger; Armbruster, Michael; Knoll, Alois; Spiegelberg, Gernot

doi:10.1145/2304656.2304658

Cited by 17 publications

(8 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The authors agree with the views expressed in [22] in the importance of early safety evaluation and see incomplete PAAs as a major obstacle in this regard.…”

Section: Related Worksupporting

confidence: 80%

ATRIUM — Architecting under uncertainty: For ISO 26262 compliance

Mohan¹,

Roos²,

Svahn³

et al. 2017

2017 Annual IEEE International Systems Conference (SysCon)

View full text Add to dashboard Cite

The ISO 26262 is currently the dominant standard for assuring functional safety of electrical and electronic systems in the automotive industry. The Functional Safety Concept (FSC) sub-phase in the standard requires the Preliminary Architectural Assumptions (PAA) for allocation of functional safety requirements (FSRs).This paper justifies the need for, and defines a process ATRIUM, for consistent design of the PAA. ATRIUM is subsequently applied in an industrial case study for a function enabling highly automated driving at one of the largest heavy vehicle manufacturers in Europe, Scania CV AB. The findings from this study, which contributed to ATRIUM's institutionalization at Scania, are presented.The benefits of the proposed process include (i) a fast and flexible way to refine the PAA, and a framework to (ii) incorporate information from legacy systems into safety design and (iii) rigorously track and document the assumptions and rationale behind architectural decisions under uncertain information.The contributions of this paper are the (i) analysis of the problem (ii) the process ATRIUM and (iii) findings and the discussion from the case study at Scania.

show abstract

“…The authors agree with the views expressed in [22] in the importance of early safety evaluation and see incomplete PAAs as a major obstacle in this regard.…”

Section: Related Worksupporting

confidence: 80%

ATRIUM — Architecting under uncertainty: For ISO 26262 compliance

Mohan¹,

Roos²,

Svahn³

et al. 2017

2017 Annual IEEE International Systems Conference (SysCon)

View full text Add to dashboard Cite

show abstract

“…The importance of early safety evolution in design is a well-known concept [17] and research has been done in the field of risk analysis and similar ideas as discussed in this paper, about functional failure propagation can be found in papers such as [18]. However in early phases of design, not many details are known about final implementation and requirements are constantly evolving requiring decisions to be made under uncertain information.…”

Section: Related Workmentioning

confidence: 88%

A Method towards the Systematic Architecting of Functionally Safe Automated Driving- Leveraging Diagnostic Specifications for FSC design

Mohan¹,

Törngren²,

Behere³

2017

SAE Technical Paper Series

View full text Add to dashboard Cite

With the advent of ISO 26262 there is an increased emphasis on top-down design in the automotive industry. While the standard delivers a best practice framework and a reference safety lifecycle, it lacks detailed requirements for its various constituent phases. The lack of guidance becomes especially evident for the reuse of legacy components and subsystems, the most common scenario in the cost-sensitive automotive domain, leaving vehicle architects and safety engineers to rely on experience without methodological support for their decisions. This poses particular challenges in the industry which is currently undergoing many significant changes due to new features like connectivity, servitization, electrification and automation. In this paper we focus on automated driving where multiple subsystems, both new and legacy, need to coordinate to realize a safety-critical function.This paper introduces a method to support consistent design of a work product required by ISO 26262, the Functional Safety Concept (FSC). The method arises from and addresses a need within the industry for architectural analysis, rationale management and reuse of legacy subsystems. The method makes use of an existing work product, the diagnostic specifications of a subsystem, to assist in performing a systematic assessment of the influence a human driver, in the design of the subsystem. The output of the method is a report with an abstraction level suitable for a vehicle architect, used as a basis for decisions related to the FSC such as generating a Preliminary Architecture (PA) and building up argumentation for verification of the FSC.The proposed method is tested in a safety-critical braking subsystem at one of the largest heavy vehicle manufacturers in Sweden, Scania C.V. AB. The results demonstrate the benefits of the method including (i) reuse of pre-existing work products, (ii) gathering requirements for automated driving functions while designing the PA and FSC, (iii) the parallelization of work across the organization on the basis of expertise, and (iv) the applicability of the method across all types of subsystems. RQ: How can detailed domain specific information about legacy subsystems be best extracted from the platform for the purposes of design of the FSC?The paper addresses this question in two steps, first by defining heuristics to analyse the influence of human vehicle drivers (from here on abbreviated as "driver") on the subsystem, in the form of a structured method. The second step is to collect the information generated by the domain expert's application of the method in a subsystem report. The subsystem report serves as a basis for architects to make their decisions. The paper further applies this method as part of an industrial case study using one of the most critical subsystems in the vehicle, the service brakes, and demonstrates the effectiveness of the method in providing relevant critical information to the system architects.The method thus aims to provide a well-defined baseline of information from the platform, ab...

show abstract

“…While most of the ideas discussed in this paper have their basis in existing state of the art or state of practice, we have not found another paper that discusses the challenges of designing the PAA and the FSC in an automotive context that provides a tangible solution. Publications such as [19] emphasize the need for early evaluation of safety but do not go into the details of what can be achieved in the early stages. Others discuss the importance of early reduction of risk [20], the use of scenario databases has been discussed in other projects such as the European project PEGASUS [21], [22] but not in the context of architecting.…”

Section: Current Status and Discussionmentioning

confidence: 99%

AD-EYE: A Co-Simulation Platform for Early Verification of Functional Safety Concepts

Mohan¹,

Törngren²

2019

SAE Technical Paper Series

View full text Add to dashboard Cite

Automated Driving is revolutionizing many of the traditional ways of operation in the automotive industry. The impact on safety engineering of automotive functions is arguably one of the most important changes. There has been a need to re-think the impact of the partial or complete absence of the human driver (in terms of a supervisory entity) in not only newly developed functions but also in the qualification of the use of legacy functions in new contexts. The scope of the variety of scenarios that a vehicle may encounter even within a constrained Operational Design Domain, and the highly dynamic nature of Automated Driving, mean that new methods such as simulation can greatly aid the process of safety engineering. This paper discusses the need for early verification of the Functional Safety Concepts (FSCs), details the information typically available at this stage in the product lifecycle, and proposes a co-simulation platform named AD-EYE designed for exploiting the possibilities in an industrial context by evaluating design decisions and refining Functional Safety Requirements based on a reusable scenario database.Leveraging our prior experiences in developing FSCs for Automated Driving functions, and the preliminary implementation of co-simulation platform, we demonstrate the advantages and identify the limitations of using simulations for refinement and early FSC verification using examples of types of requirements that could benefit from our methodology.

show abstract

Early safety evaluation of design decisions in E/E architecture according to ISO 26262

Cited by 17 publications

References 18 publications

ATRIUM — Architecting under uncertainty: For ISO 26262 compliance

ATRIUM — Architecting under uncertainty: For ISO 26262 compliance

A Method towards the Systematic Architecting of Functionally Safe Automated Driving- Leveraging Diagnostic Specifications for FSC design

AD-EYE: A Co-Simulation Platform for Early Verification of Functional Safety Concepts

Contact Info

Product

Resources

About