Project topics and materials
Get Complete Project Material File(s) Now! »
Automotive Systems Safety & ISO 26262
Since the beginning of the 21th century, the integration of E/E systems in automotive vehicles has started to rise up the problem of multi-critical systems. Indeed, developed systems integrate both critical and non-critical functions. A function is considered as critical if it could lead to an Undesired Event (which causes an accident). Moreover, many actors are involved in the development process of a car: car manufacturer and several suppliers (Tier 1, Tier 2…) which develop the products of the system defined by the OEM. Each company has its own development process; therefore it is necessary to define and follow robust design rules with documents and processes ensuring traceability. Before 2011, as there were no directives on functional safety in the automotive industry, only a few com-panies decided to adhere (voluntary) to the state of the art defined in the IEC 61508 (IEC 61508, 2010). IEC 61508 focuses on the overall development process of a system and the steps that have to be respected in order to achieve functional safety of electrical components. Particularly, it defines achievable goals for the specification, the design, the implementation and assessment of electrical/electronic programmable systems.
Since 2011, a derived version called ISO 26262 (ISO 26262, 2011) is used. This Standard is the result of the work between the major companies of the automotive domain in order to specify best practices for the documentation, the interactions between actors and the methods and techniques to justify the functional safety of automotive systems. This facilitates exchanges between OEMs and Suppliers by giving require-ments to achieve. Safety is divided into non-functional safety and functional safety:
– Functional safety addresses possible hazards caused by malfunctioning behavior of E/E systems including interaction of these systems. Typical examples of functional hazards are: steering column
lock, engine racing and loss of front lighting.
– Undesired events such as electric shock, fire, smoke, heat, radiation, toxicity, flammability, reactivity, corrosion, release of energy, are considered as non-functional unless directly caused by malfunctioning behavior of E/E safety-related systems.
Technical measures considered in a design to cope with non-functional safety UEs are generally only based on fault avoidance (suppression of potential root causes). Automotive Safety : State of Practices Technical solutions to cope with functional safety UEs are based on fault avoidance and fault tolerance (avoid faults propagation).
The scope of ISO 26262 is on functional safety of automotive E/E systems. The standard defines functional safety as “absence of unreasonable risks due to hazards caused by malfunctioning behavior of E/E systems” Our work deals with the Part 4 and Part 5 which give all the safety requirements for the development of hardware automotive system. However, other parts are also very helpful for the understanding of these requirements and their application especially Part 10.
Basic Concepts of Dependability & ISO 26262
Dependability is a key concept of any critical system. It could be seen as the aptitude to avoid the failures that occur during a service delivering. This service corresponds to the behavior perceived by the users (hu-man or not) in interaction with the service. Dependability is a well-documented concept, on which has been defined a complete taxonomy (Avizienis, et al., 2004). Indeed, dependability is defined by 6 main attributes, three treats and four categories of means.
From Dependability Attributes to Automotive Safety Integrity Levels
In order to characterize the quality of a delivered service, dependability takes in the following attributes:
Automotive Safety : State of Practices
• Availability: readiness for correct service;
• Reliability: continuity of correct service;
• Safety: absence of catastrophic consequences on the user(s) and the environment;
• Confidentiality: absence of unauthorized disclosure of information;
• Integrity: absence of improper system alterations;
• Maintainability: ability to undergo modifications and repairs.
Depending on the industrial field, the significance of each attribute varies. This choice is based on the ob-jectives that should be achieved by the developed service. For example, in transportation fields, reliability and safety are of prime priority; although, the rise of connected vehicles challenges increases the confiden-tiality importance. In other fields, like communications, prime priority is given availability, reliability. Particularly, automotive systems are mainly focused on safety, availability and reliability attributes.
Automotive Safety-Integrity Level
In ISO 26262 Standard, a functional Undesired Event (UE) is rated according to its criticality on a five level scale (QM, ASIL A, ASIL B, ASIL C and ASIL D). The least critical effects are rated QM (Quality Management) and no specific safety requirement are associated to it in the standard. The most critical effects are rated ASIL D. A system functional UE with an ASIL is also called a hazard. When assigning these levels, three parameters must be taken into account, see:
– Severity: Based on the severity of the potential injured or killed persons in the incident or accident
(S1: Light and moderate injuries, S2: Severe and life-threatening injuries (survival probable) S3 Life-threatening injuries (survival uncertain), fatal injuries);
– Probability of exposure: Occurrence of the use case: E1: very low probability, E2: Low probability
E3: Medium probability, E4: High probability;
– Controllability: It is a subjective concept that is based on the abilities of the driver to handle the
hazard (C1: Simply controllable, C2: Normally controllable, C3: Difficult to control or uncontrolla-ble). The objective of these levels is to characterize the “safety” the system should be designed to ensure its functions correctly. The more the system is safety critical, the more the ASIL is high and the efforts required by the norm are stringent.
FMEA generation from functional models
This approach focuses on the extension of functional models with safety related data. However, previous experiences have proven that simulating the functional and failure behavior of a system needs a huge com-puting time which exponentially increases when the size of the system grows. Various works propose methods to overcome this problematic. For example, Papadopoulos proposes methods and tools (HiP-HOPS) which consist in adding local failure data to Simulink diagrams at various levels, then, using the structure of these diagrams to propagate these failure data through the model. This information is then used to build fault trees. The fault trees are then converted into tables containing: The parts failures, their direct effects on the system and the effect that Automotive Safety : State of Practices they can cause by combining them. This table is finally used to generate Single point fault FMEA (critical), and multiple point fault FMEA (Papadopoulos & Parker, 2004) (Papadopoulos & Parker, 2005).
Table of contents :
Remerciements
Abstract
Keywords
Résumé
Mots-clés
List of Figures
List of Tables
Chapter 1 Introduction
1.1 Context Presentation
1.2 Thesis subject presentation
Chapter 2 Automotive Safety : State of Practices
2.1 Automotive Systems Safety & ISO 26262
2.2 Basic Concepts of Dependability & ISO 26262
2.2.1 From Dependability Attributes to Automotive Safety Integrity Levels
2.3 Valeo Safety Methodology
2.3.1 Safety Analyses
2.4 State of the Art
2.4.1 FMEA generation from functional models
2.4.2 FMEA generation from architectural models
2.4.3 FMEA generation based on safety models
2.4.4 Discussion
2.5 Thesis Approach
Chapter 3 Setting the Foundation: Safety related Elements Behavior
3.1 Two Typical Examples of Safety Mechanisms
3.1.1 Vehicle Management Unit for Inversion
3.1.2 Electric Driver Seat Controls
3.1.3 Discussion
3.2 Generic Markov Models
3.2.1 Case of a Hardware Block protected by a First Order Safety Mechanism Based on Error Detection
3.2.2 Case of a Hardware Block protected by First Order Mechanism based on Error Detection and a Second Order Safety Mechanism
3.2.3 Case of a Hardware Block protected by a First Order Safety Mechanism based on Inhibition and a Second Order Safety Mechanism.
3.3 Experimental Study for Detection Based Safety Mechanisms
3.3.1 Realistic Values of the Parameters
3.3.2 Most Influential Parameters
3.3.3 Influence of Other Parameters
3.3.4 Wrap-Up
3.4 Related Works
3.5 Conclusion
Chapter 4 Making it Practical : Fault Trees Approximations
4.1 Fault Tree Patterns Presentation
4.1.1 FT Model with Classic SM Representation for SM2
4.1.2 FT Model with Maintenance
4.1.3 FT Model with Periodic Tests
4.1.4 FT Model without SM2
4.2 Experimental Study
4.2.1 Realistic Values and Test Sample Description
4.2.2 Experimentation Results
4.2.3 Synthesis
4.3 Conclusion
Chapter 5 Specific Developments for ISO26262 Safety Analyses
5.1 Overall Process
5.2 Coverage Gate
5.3 Architectural metrics calculation
5.3.1 ISO 26262 Architectural Metrics presentation
5.3.2 Architectural Metrics Calculation from fault trees
5.3.3 Application Example
5.4 FMEDA Generation Methodology
5.4.1 Qualitative & Quantitative FMEDA Templates
5.4.2 Qualitative FMEDA Coherence regarding Fault Trees Report
5.4.3 Quantitative FMEDA Generation from Tagged Fault Trees
5.4.4 Complete FMEDA Generation
5.5 About the Implementation
5.6 Conclusion
Chapter 6 Toward a model based generation of the safety analyses
6.1 AltaRica 3.0 Models
6.2 AltaRica 3 Models for the Vehicle Management Unit for Inversion
6.3 AltaRica 3 Models for Electric Driver Seat Control
6.4 Reachability Graphs
6.5 Conclusion
Chapter 7 Conclusion
Annex A FMEDA Generation Example
References .
