Applying(STPA(to(Automo0ve(...

24
Applying STPA to Automo0ve Adap0ve Cruise Control System Dr. Qi Van Eikema Hommes [email protected] April 18, 2012

Transcript of Applying(STPA(to(Automo0ve(...

Page 1: Applying(STPA(to(Automo0ve( Adap0ve(Cruise(Control(System(psas.scripts.mit.edu/...Qi...Cruise-Control-System.pdf · Applying(STPA(to(Automo0ve(Adap0ve(Cruise(Control(System(Dr.(Qi(Van(EikemaHommes(qhommes@mit.edu(April(18,2012

Applying  STPA  to  Automo0ve  Adap0ve  Cruise  Control  System  

Dr.  Qi  Van  Eikema  Hommes  [email protected]  

April  18,  2012  

Page 2: Applying(STPA(to(Automo0ve( Adap0ve(Cruise(Control(System(psas.scripts.mit.edu/...Qi...Cruise-Control-System.pdf · Applying(STPA(to(Automo0ve(Adap0ve(Cruise(Control(System(Dr.(Qi(Van(EikemaHommes(qhommes@mit.edu(April(18,2012

Enhancing Automotive System Safety •  Roadway and driver (1889 – 1960s)

–  Better roads, speed limit

–  Driver license 1913

–  Blaming the “nut behind the wheel”

•  Vehicle design for crash survival and defective vehicle recalls (1960s – Today)

–  Blame the large automotive companies

–  NHTSA and Recall

–  Federal Motor Vehicle Safety Standards (FMVSS)

•  Vehicle design for crash avoidance & driver override (Today and Tomorrow?)

–  http://www.cbc.ca/video/#/Shows/The_National/1242568525/ID=2210171357 (5’57” Mercedes, and 8’30” Lincoln parallel parking)

©4/18/12   Qi  D.  Van  Eikema  Hommes   2  

Page 3: Applying(STPA(to(Automo0ve( Adap0ve(Cruise(Control(System(psas.scripts.mit.edu/...Qi...Cruise-Control-System.pdf · Applying(STPA(to(Automo0ve(Adap0ve(Cruise(Control(System(Dr.(Qi(Van(EikemaHommes(qhommes@mit.edu(April(18,2012

Automo0ve  Systems  Today  and  Tomorrow  

•  Cyber  Physical  Systems-­‐complex  embedded  devices  networked  to  control  physical  hardware  components.  

•  SoOware  intensive.  •  Automa0ng  many  human  tasks.  

•  The  development  teams  are  mul0disciplinary  and  globally  distributed.  

©4/18/12   Qi  D.  Van  Eikema  Hommes   3  

Page 4: Applying(STPA(to(Automo0ve( Adap0ve(Cruise(Control(System(psas.scripts.mit.edu/...Qi...Cruise-Control-System.pdf · Applying(STPA(to(Automo0ve(Adap0ve(Cruise(Control(System(Dr.(Qi(Van(EikemaHommes(qhommes@mit.edu(April(18,2012

4

The  Powertrain  Control  SoOware  System  

©4/18/12   Qi  D.  Van  Eikema  Hommes  

!"# $!"# %!"# &!"# '!"# (!!"# ($!"#

)*+,-#

./0*112#

3/456762*+#8/+76/1#9/:4265#

;<6/=15#>/?@#9@A75B#C+75D62E/+#

;<6/=15#>/?@#F5A*D+#

826#F//6#

G*6H62:#I+D*+5#

!"#$%&#'(')*'+),-).#./0'!1#2/#3'45'%'6#07&.'+8%.&#'

!" #" $" %" &" '!" '#" '$"

()*+,"

-./)001"

2.345651)*"7.*65.0"8.93154"

:;5.<04"=.>?"8?@64A"B*64C51D.*"

:;5.<04"=.>?"E4@)C*"

715"E..5"

F)5G519"H*C)*4"

!"#$%&#'()*+#$',-'.,//#01,/2'3#$'(,4#'

Hommes,  DETC2008-­‐DTM-­‐49140  

•     1  produc0on-­‐level  soOware    •     117  soOware  modules  (red  dots)  •     1423  interac0ons  (black  lines)  •     39  such  produc0on  soOware  releases  per  year  •     <2  weeks  per  release  

Page 5: Applying(STPA(to(Automo0ve( Adap0ve(Cruise(Control(System(psas.scripts.mit.edu/...Qi...Cruise-Control-System.pdf · Applying(STPA(to(Automo0ve(Adap0ve(Cruise(Control(System(Dr.(Qi(Van(EikemaHommes(qhommes@mit.edu(April(18,2012

Adap0ve  Cruise  Control  Design  

!!

5  

Hommes,  IDETC  2012  -­‐  70527  

©4/18/12   Qi  D.  Van  Eikema  Hommes   5  

Page 6: Applying(STPA(to(Automo0ve( Adap0ve(Cruise(Control(System(psas.scripts.mit.edu/...Qi...Cruise-Control-System.pdf · Applying(STPA(to(Automo0ve(Adap0ve(Cruise(Control(System(Dr.(Qi(Van(EikemaHommes(qhommes@mit.edu(April(18,2012

Accident,  Hazard  

•  Accident:  vehicle  occupants  are  injured  while  ACC  is  engaged.  

•  Hazards:    •  H1:  ACC  did  not  maintain  a  safe  distance  from  the  object  in  the  front,  resul0ng  in  collision.  

•  H2:  ACC  slows  down  the  vehicle  too  abruptly,  and  vehicle  is  rear-­‐ended.  

 6  ©4/18/12   Qi  D.  Van  Eikema  Hommes   6  

Page 7: Applying(STPA(to(Automo0ve( Adap0ve(Cruise(Control(System(psas.scripts.mit.edu/...Qi...Cruise-Control-System.pdf · Applying(STPA(to(Automo0ve(Adap0ve(Cruise(Control(System(Dr.(Qi(Van(EikemaHommes(qhommes@mit.edu(April(18,2012

System  Safety  Constraints  and  Requirements  

•  Design  constraints:    •  ACC  should  not  let  the  vehicle  gets  in  contact  with  the  object  ahead.  

•  ACC  should  not  brake  too  abruptly.  •  Design  requirements:    

•  ACC  shall  maintain  a  TBD  amount  of  distance  between  the  vehicle  and  the  object  in  front  when  engaged.  

•  ACC  shall  limit  vehicle  decelera0on  to  no  more  than  TBD  m/s^2.  

©4/18/12   Qi  D.  Van  Eikema  Hommes   7  

Page 8: Applying(STPA(to(Automo0ve( Adap0ve(Cruise(Control(System(psas.scripts.mit.edu/...Qi...Cruise-Control-System.pdf · Applying(STPA(to(Automo0ve(Adap0ve(Cruise(Control(System(Dr.(Qi(Van(EikemaHommes(qhommes@mit.edu(April(18,2012

Control  Structure  

8  ©4/18/12   Qi  D.  Van  Eikema  Hommes   8  

Operator  

Instrument  Cluster  

ACC  Module  

Engine  Control  Module  

Radar  Lead  

Vehicle  

Accelerator  Pedal  

Brake  Pedal  

Brake  Control  Module  

Electronic  Throdle  Body  

Brake  

Tac0le  input  Tac0le  input  

Tac0le  input  Visual  Feedback  

Accelera0on  Signal  

Braking    Signal  

CAN  Message   ACC  Status  

Distance  Braking  Signal  

Target  Vehicle  Speed  

Braking  Status  Vehicle  Speed  

Braking    Signal  

Vehicle  

Throdle  Posi0on  Throdle  opening  

Fric0on  

Air  

Wheel    Speed  

Page 9: Applying(STPA(to(Automo0ve( Adap0ve(Cruise(Control(System(psas.scripts.mit.edu/...Qi...Cruise-Control-System.pdf · Applying(STPA(to(Automo0ve(Adap0ve(Cruise(Control(System(Dr.(Qi(Van(EikemaHommes(qhommes@mit.edu(April(18,2012

Example:  ACC  –  BCM  Control  Loop    

9  ©4/18/12   Qi  D.  Van  Eikema  Hommes   9  

Operator  

Instrument  Cluster  

ACC  Module  

Engine  Control  Module  

Radar  Lead  

Vehicle  

Accelerator  Pedal  

Brake  Pedal  

Brake  Control  Module  

Electronic  Throdle  Body  

Brake  

Tac0le  input  Tac0le  input  

Tac0le  input  Visual  Feedback  

Accelera0on  Signal  

Braking    Signal  

CAN  Message   ACC  Status  

Distance  Braking  Signal  

Target  Vehicle  Speed  

Braking  Status  Vehicle  Speed  

Braking    Signal  

Vehicle  

Throdle  Posi0on  Throdle  opening  

Fric0on  

Air  

Wheel    Speed  

Page 10: Applying(STPA(to(Automo0ve( Adap0ve(Cruise(Control(System(psas.scripts.mit.edu/...Qi...Cruise-Control-System.pdf · Applying(STPA(to(Automo0ve(Adap0ve(Cruise(Control(System(Dr.(Qi(Van(EikemaHommes(qhommes@mit.edu(April(18,2012

Reformaded  Control  Loop  

©4/18/12   Qi  D.  Van  Eikema  Hommes   10  

ACC  

BCM  

Brake  

Vehicle  

BCM  

Wheel  Speed  Sensors  

Control  Ac0on:  Brake  Signal  from  ACC  to  BCM  

Page 11: Applying(STPA(to(Automo0ve( Adap0ve(Cruise(Control(System(psas.scripts.mit.edu/...Qi...Cruise-Control-System.pdf · Applying(STPA(to(Automo0ve(Adap0ve(Cruise(Control(System(Dr.(Qi(Van(EikemaHommes(qhommes@mit.edu(April(18,2012

STPA  Step  1:  Unsafe  Control  Ac0ons  

11  ©4/18/12   Qi  D.  Van  Eikema  Hommes   11  

!"#$%"&'()$*"#+"$',%"-*.*#/'!01232'4050%.

,%"-*.*#/'!01232'4050%.

6%"#/'7*8*#/'"%'9%.3%'!01232'

4050%.

:$";;3.'$""':""#'"%'(;;&*3.'7""'

<"#/

!"#$%&'()*#+&,"-.&/00&1-&!02

3%4(5+%&6-%7&*-1&8"#$%&94%*&14%&6(71#*5%&1-&14%&

+%#6&:%4(5+%&(7&+%77&14#*&14%&:#+;%&7%1&8<&14%&-=%"#1-">&

?@AB

0-..#*6%6&6%55%+%"#1(-*&#.-;*1&(7&1--&7.#++&94%*&14%&

:%4(5+%&(7&1--&5+-7%&1-&14%&-8C%51&(*&14%&

,"-*1>&?@AB

!"#$(*)&(7&5-..#*6%6&1--&+#1%&94%*&14%&6(71#*5%&1-&14%&

+%#6&:%4(5+%&(7&1--&5+-7%>&&?@AB

!"#$(*)&71-=7&8%,-"%&14%&7#,%1<&6(71#*5%&8%19%%*&14%&:%4(5+%7&#"%&"%#54%6>&&?@AB

!"#$(*)&(7&5-..%*1%6&94%*&14%&6(71#*5%&1-&14%&+%#6&:%4(5+%&(7&

+#")%"&14#*&14%&7%1&:#+;%>&?@DB!"#$(*)&(7&1--&

,#71E4#"74&94%*&14%&6(671#*5%&1-&14%&+%#6&:%4(5+%&(7&+%77&14#*&14%&7%1&

:#+;%>&?@DB

Page 12: Applying(STPA(to(Automo0ve( Adap0ve(Cruise(Control(System(psas.scripts.mit.edu/...Qi...Cruise-Control-System.pdf · Applying(STPA(to(Automo0ve(Adap0ve(Cruise(Control(System(Dr.(Qi(Van(EikemaHommes(qhommes@mit.edu(April(18,2012

STPA  Step  2:  Causal  Analysis  with  Guidewords  

©4/18/12   Qi  D.  Van  Eikema  Hommes   12  Leveson  2012  

Page 13: Applying(STPA(to(Automo0ve( Adap0ve(Cruise(Control(System(psas.scripts.mit.edu/...Qi...Cruise-Control-System.pdf · Applying(STPA(to(Automo0ve(Adap0ve(Cruise(Control(System(Dr.(Qi(Van(EikemaHommes(qhommes@mit.edu(April(18,2012

!

Causal  Analysis  Results  

©4/18/12   Qi  D.  Van  Eikema  Hommes   13  

Unsafe  Control  Ac:on:  Vehicle  does  not  brake  when  the  distance  to  the  object  in  front  is  less  than  preset  value.  

Page 14: Applying(STPA(to(Automo0ve( Adap0ve(Cruise(Control(System(psas.scripts.mit.edu/...Qi...Cruise-Control-System.pdf · Applying(STPA(to(Automo0ve(Adap0ve(Cruise(Control(System(Dr.(Qi(Van(EikemaHommes(qhommes@mit.edu(April(18,2012

!

Delayed  Opera0on  

Causal  Analysis  Results  (2)  

©4/18/12   Qi  D.  Van  Eikema  Hommes   14  

Unsafe  Control  Ac:on:  Vehicle  does  not  brake  when  the  distance  to  the  object  in  front  is  less  than  preset  value.  

Page 15: Applying(STPA(to(Automo0ve( Adap0ve(Cruise(Control(System(psas.scripts.mit.edu/...Qi...Cruise-Control-System.pdf · Applying(STPA(to(Automo0ve(Adap0ve(Cruise(Control(System(Dr.(Qi(Van(EikemaHommes(qhommes@mit.edu(April(18,2012

!

Causal  Analysis  Results  (3)  

©4/18/12   Qi  D.  Van  Eikema  Hommes   15  

•  Misalignment  of  brake  shoes/pads.  •  Missing  fluid  pressure  for  hydraulic  lines.  •  No  current/voltage  to  actuator.  

Unsafe  Control  Ac:on:  Vehicle  does  not  brake  when  the  distance  to  the  object  in  front  is  less  than  preset  value.  

Page 16: Applying(STPA(to(Automo0ve( Adap0ve(Cruise(Control(System(psas.scripts.mit.edu/...Qi...Cruise-Control-System.pdf · Applying(STPA(to(Automo0ve(Adap0ve(Cruise(Control(System(Dr.(Qi(Van(EikemaHommes(qhommes@mit.edu(April(18,2012

!

Causal  Analysis  Results  (4)  

©4/18/12   Qi  D.  Van  Eikema  Hommes   16  

Incorrect  or  no  informa0on  provided,  

measurement  inaccuracy,  

feedback  delays  

Unsafe  Control  Ac:on:  Vehicle  does  not  brake  when  the  distance  to  the  object  in  front  is  less  than  preset  value.  

Page 17: Applying(STPA(to(Automo0ve( Adap0ve(Cruise(Control(System(psas.scripts.mit.edu/...Qi...Cruise-Control-System.pdf · Applying(STPA(to(Automo0ve(Adap0ve(Cruise(Control(System(Dr.(Qi(Van(EikemaHommes(qhommes@mit.edu(April(18,2012

!

Causal  Analysis  Results  (5)  

©4/18/12   Qi  D.  Van  Eikema  Hommes   17  

•  Dirt  accumula0on  on  wheel  rota0on  sensor.  

•  Wire  disconnec0on.  •  Communica0on  bus  faults,  

overload,  message  priority.  

Unsafe  Control  Ac:on:  Vehicle  does  not  brake  when  the  distance  to  the  object  in  front  is  less  than  preset  value.  

Page 18: Applying(STPA(to(Automo0ve( Adap0ve(Cruise(Control(System(psas.scripts.mit.edu/...Qi...Cruise-Control-System.pdf · Applying(STPA(to(Automo0ve(Adap0ve(Cruise(Control(System(Dr.(Qi(Van(EikemaHommes(qhommes@mit.edu(April(18,2012

Assess  the  Effec0veness  of  STPA  

•  The  outcome  of  STPA  was  a  list  of  component  design  requirements  that  will  ensure  top  level  safety  goal.  

•  Compare  with  actual  industry  design  specifica0ons.  – Unable  to  do  so  because  of  proprietary  nature  of  the  design  specifica0ons.  

18  ©4/18/12   Qi  D.  Van  Eikema  Hommes   18  

Page 19: Applying(STPA(to(Automo0ve( Adap0ve(Cruise(Control(System(psas.scripts.mit.edu/...Qi...Cruise-Control-System.pdf · Applying(STPA(to(Automo0ve(Adap0ve(Cruise(Control(System(Dr.(Qi(Van(EikemaHommes(qhommes@mit.edu(April(18,2012

Assess  STPA  (2)  •  Compared  with  ISO  22179  and  SAE  J2399.  

– Many  more  detailed  requirements  than  what  is  in  the  standards.  

–  Industry  standards  are  the  lowest  common  denominators  among  the  manufacturers.  

– Can  only  compare  with  categories  of  requirements.  

•  Compared  with  actual  implementa:on  in  produc:on  vehicles.  – Warning  signals  among  manufacturers  – Warnings  in  driver’s  manual  

©4/18/12   Qi  D.  Van  Eikema  Hommes   19  

Page 20: Applying(STPA(to(Automo0ve( Adap0ve(Cruise(Control(System(psas.scripts.mit.edu/...Qi...Cruise-Control-System.pdf · Applying(STPA(to(Automo0ve(Adap0ve(Cruise(Control(System(Dr.(Qi(Van(EikemaHommes(qhommes@mit.edu(April(18,2012

Categories  of  Requirements  Missing  in  Industry  Standards  

•  Driver  control  authority  vs.  computer  automa0on  authority  – The  importance  of  vehicle  state  feedback  informa0on  (warning  lights/sounds/icons)  for  driver  

– Driver  mental  model  inconsistency  with  vehicle  state  (complacency  and  distracted  driving)  

•  Sensor  and  actuator    – Hardware  quality  – Degrada0on  

20  ©4/18/12   Qi  D.  Van  Eikema  Hommes   20  

Page 21: Applying(STPA(to(Automo0ve( Adap0ve(Cruise(Control(System(psas.scripts.mit.edu/...Qi...Cruise-Control-System.pdf · Applying(STPA(to(Automo0ve(Adap0ve(Cruise(Control(System(Dr.(Qi(Van(EikemaHommes(qhommes@mit.edu(April(18,2012

Categories  of  Requirements  Missing  in  Industry  Standards  (2)  

•  Communica0on  bus  – Delays  – Signal  priority  

•  Controls  soOware  errors  – Delay  in  processing  inputs  – Parameter  calibra0on  errors  – Control  soOware  algorithm  process  model  – SoOware  handling  of  signal  priority  

•  Service  and  maintenance  requirements  

©4/18/12   Qi  D.  Van  Eikema  Hommes   21  

Page 22: Applying(STPA(to(Automo0ve( Adap0ve(Cruise(Control(System(psas.scripts.mit.edu/...Qi...Cruise-Control-System.pdf · Applying(STPA(to(Automo0ve(Adap0ve(Cruise(Control(System(Dr.(Qi(Van(EikemaHommes(qhommes@mit.edu(April(18,2012

Comparison  with  Implementa0on  1.  Significant  difference  in  the  implementa0on  of  

warning  messages  and  signals  among  OEM’s  and  across  models.  

22  ©4/18/12   Qi  D.  Van  Eikema  Hommes  

Porsche   Toyota   Volvo   Nissan  

2.  Leaving  a  lot  of  the  limita0ons  of  ACC  in  the  drivers’  manual.  

–  NISSAN  INFINITI  EX  2010,  21  pages  (ACC  feature),  16  warnings  and  1  cau0on.  

–  Ford  Lincoln  MKX  2010,  7  pages  (ACC  feature),  10  warnings.  

Example:  ACC  Malfunc0on  Lights  (Credit:  Zoepf)  

22  

Page 23: Applying(STPA(to(Automo0ve( Adap0ve(Cruise(Control(System(psas.scripts.mit.edu/...Qi...Cruise-Control-System.pdf · Applying(STPA(to(Automo0ve(Adap0ve(Cruise(Control(System(Dr.(Qi(Van(EikemaHommes(qhommes@mit.edu(April(18,2012

Summary  •  This  was  our  first  adempt  to  apply  STPA  to  a  modern  automo0ve  electronics  feature.  

•  The  method  works.  •  The  analysis  iden0fied  many  more  safety  cri0cal  requirements  than  what  is  iden0fied  in  the  industry  standards.  

•  STPA  can  be  a  very  powerful  method  to  iden0fy  safety  cri0cal  design  requirements,  and  prevent  accidents  in  the  first  place.  

•  Industry  collabora0on  will  further  improve  our  understanding  of  the  effec0veness  of  the  method,  and  how  to  integrate  it  with  the  current  product  development  process.  

©4/18/12   Qi  D.  Van  Eikema  Hommes   23  

Page 24: Applying(STPA(to(Automo0ve( Adap0ve(Cruise(Control(System(psas.scripts.mit.edu/...Qi...Cruise-Control-System.pdf · Applying(STPA(to(Automo0ve(Adap0ve(Cruise(Control(System(Dr.(Qi(Van(EikemaHommes(qhommes@mit.edu(April(18,2012

Thank  you!  Ques0on?  

Qi  D.  Van  Eikema  Hommes  [email protected]