Conference Paper

Improved Pattern for ISO 26262 ASIL Decomposition with Dependent Requirements


... For instance, a function with ASIL D can be decomposed into ASIL A of D and ASIL C of D, denoted by ASIL A(D) and ASIL C(D), respectively. The ASIL decomposition [14] enlarges design space in the SWC design process. ...
... This SWC model enabled timing verification with periods and deadlines of runnables and ports used by runnables in SWC designs prior to the integration without mapping runnables to tasks. Zhang et al. [14] also formalized a SWC model to reduce the design space for optimization of deploying SWCs to ECUs with verification of schedulability. ...
Article
Temporal isolation without consideration of spatial isolation has been attained for mixed-criticality systems, while spatial isolation is required more strictly in the automotive industry. Moreover, tasks with different criticality levels sharing the same resources are a common requirement for safety-critical automotive applications. Such tasks are more challenging to spatially isolate due to context sharing to access the same resources. Nevertheless, safety certification cannot be received without addressing spatial isolation. This paper argues that traditional real-time locking solutions are unsuitable for mixed-criticality applications within the automotive open system architecture (AUTOSAR). We adopted the server task named resource server for spatial isolation within AUTOSAR limitations. We formalized a software component model for reducing design space and proposed the mapping algorithms. Properties of resource servers within AUTOSAR were formally analyzed for blocking delays, task priority assignment, and utilization analysis. Case studies in a powertrain domain of an electric vehicle were carried out to assess the proposed solutions.
... For instance, a function with ASIL D can be decomposed into ASIL A of D and ASIL C of D, denoted ASIL A(D) and ASIL C(D), respectively. The ASIL decomposition [13] enlarges design space in the SWC design process. Another common problem is mutual exclusion, assuming that two ADC functions have different criticality levels (figure 5). ...
... The ISO 26262 standard presents an ASIL decomposition technique to reduce the safety requirement of parts of the system into redundant components. The authors of [6] improve the technique by adding additional checking elements to prove that the original Functional Safety Requirements (FSRs) are met. These additional checks can also be found in [3] and [4], where we define splitter and merger functionality to manage the redundant parts of the application. ...
Article
Safety-critical systems such as Advanced Driving Assistance Systems and Autonomous Vehicles require redundancy to satisfy their safety requirements and to be classified as fail-operational. Introducing redundancy in a system with high data rates and processing requirements also has a great impact on architectural design decisions. The current self-driving vehicle prototypes do not use a standardized system architecture but base their design on existing vehicles and the available components. In this work, we provide a novel analysis framework that allows us to qualitatively and quantitatively evaluate an in-vehicle architecture topology and compare it with others. With this framework, we evaluate different variants of two common topologies: domain and zone-based architectures. Each topology is evaluated in terms of total cost, failure probability, total communication cable length, communication load distribution, and functional load distribution. We introduce redundancy in selected parts of the systems using our automated process provided in the framework, in a safety-oriented design process that enables the ISO26262 Automotive Safety Integrity Level decomposition technique. After every design step, the architecture is re-evaluated. The advantages and disadvantages of the different architecture variants are evaluated to guide the designer towards the choice of correct architecture, with a focus on the introduction of redundancy.
... Literature experience describes the main design criteria for such applications, including appropriate system topology, and the testing procedures needed to quantify their functional reliability, fault tolerance and applicability on road vehicles [5,6]. In this context, ISO 26262 provides a solid framework for system development which is applicable to x-by-wire analysis, possibly integrated with modeling activities [7,8,9,10,11,12]. ...
Article
New electric vehicle architectures require intensive virtual and physical testing for safety assessment, due to the increasing relevance of by-wire systems and the presence of innovative control algorithms for ordinary driving scenarios, potential emergency situations or Advanced Driver-Assistance Systems implementation purposes. To reduce the development time while increasing system reliability and the a priori knowledge about its safety requirements, the evaluation of such aspects should be performed. In accordance with the ISO 26262 standard, the authors propose a systematic approach based on Virtual FMEA, in order to assess the functional safety level of a hybrid brake plant. Plant modification and securing strategies have been presented and implemented in the target vehicle model, evaluating their performance in simulation environments, in order to meet the required Automotive Safety Integrity Level. This work is developed in the ambit of the OBELICS European Project.
Article
The development of integrated brake systems for hybrid and electric vehicles poses new challenges and opportunities for functional safety analysis, design and validation. An integrated brake system is an advanced brake-by-wire system that integrates the booster brake function, external brake function, anti-lock brake function, electronic stability function, and other related brake functions into one compact unit. An integrated brake system is complex and has more interaction relationships among different modules than conventional brake systems. Therefore, ensuring the safety of an integrated brake system is essential and requires a systematic approach. This paper presents a systematic approach for functional safety analysis, design and validation of an intelligent brake system. The proposed approach consists of an integrated system safety framework, which includes the following steps: system design, hazard analysis and risk assessment, safety requirements specification, safety design and system test. The approach is applied to an intelligent brake system, and safety design and tests are performed. The system test includes fault injection experiments under critical driving scenarios to validate the designed safety mechanism. This paper verifies that the proposed safety framework can effectively guarantee the functional safety of an integrated brake system and enhance braking performance.
Chapter
Developing safety-critical software components incurs significantly higher costs compared to non-safety ones, urging an emphasis on minimizing their number and complexity, as per safety standards. While GNU/Linux offers a rich set of features, its original design lacks a safety-centric focus. Ensuring safety in Linux-based systems poses challenges due to the kernel's diverse interaction capabilities, requiring meticulous attention to safety requirements. Addressing safety starts with defining the technology device's intended function, encompassing user experience and essential services like device maintenance. Functional safety extends beyond individual components, necessitating system-wide consideration, even for “safety elements out of context.” Integrating safety-related and non-safety software demands careful design to prevent adverse impacts on safety modules. Proposed solutions must address functional safety, cybersecurity, and long-term maintenance obligations, essential for compliance with regulations. This talk explores architectural considerations and necessary precautions for leveraging GNU/Linux in safety applications, facilitating robust software systems that meet stringent safety standards.
Conference Paper
The automotive industry is moving ahead to introduce drive-by-wire (DBW) electronic systems to replace mechanical controls and linkages that have changed little since cars were first introduced. Electronic drive-by-wire systems offer enormous potential to improve vehicle performance and safety, but matching the dependability of simple mechanical components with electronics will be a challenge. Highly dependable electronic controls require a fault-tolerant approach with both a primary and a backup system as a minimum. Aircraft fly-by-wire systems go beyond this, using triple and quadruple redundant electronics to tolerate more than one failure during the same flight. Automobile drive-by-wire must also provide some capability to allow the car to be driven safely to a repair facility after a failure occurs. This paper examines some possible drive-by-wire systems architectures, presents a mathematical analysis of the predicted dependability (expressed as the probability the system will fail in a given time period) of these alternatives and investigates the impact of how the vehicle is operated and maintained on its dependability. Architectural alternatives considered include both dual and triple redundant systems. The mathematical analysis builds on techniques developed to analyze aircraft systems using Markov reliability modeling. The uncertainty associated with such predictions will be discussed along with comparisons to acceptable risk levels for other established technologies.
Conference Paper
In functional safety standards such as ISO 26262 and IEC 61508, Safety Integrity Levels (SILs) are assigned to top-level safety requirements on a system. The SILs are then either inherited or decomposed down to safety requirements on sub-systems, such that if the sub-systems are sufficiently reliable in fulfilling their respective safety requirements, as specified by the SILs, then it follows that the system is sufficiently reliable in fulfilling the top-level safety requirement. Present contract theory has previously been shown to provide a suitable foundation to structure safety requirements, but does not include support for the use of SILs. An extension of contract theory with the notion of SILs is therefore presented. As a basis for structuring the breakdown of safety requirements, a graph, called a contract structure, is introduced that provides a necessary foundation to capture the notions of SIL inheritance and decomposition in the context of contract theory.
Conference Paper
This paper examines the ISO 26262 approach to ASIL decomposition, more appropriately called “requirements decomposition”, and how it may be applied correctly during the requirements analysis and architectural design of a safety-related automotive control system.