Applying(STPA(to(Automo0ve(...
Transcript of Applying(STPA(to(Automo0ve(...
Applying STPA to Automo0ve Adap0ve Cruise Control System
Dr. Qi Van Eikema Hommes [email protected]
April 18, 2012
Enhancing Automotive System Safety • Roadway and driver (1889 – 1960s)
– Better roads, speed limit
– Driver license 1913
– Blaming the “nut behind the wheel”
• Vehicle design for crash survival and defective vehicle recalls (1960s – Today)
– Blame the large automotive companies
– NHTSA and Recall
– Federal Motor Vehicle Safety Standards (FMVSS)
• Vehicle design for crash avoidance & driver override (Today and Tomorrow?)
– http://www.cbc.ca/video/#/Shows/The_National/1242568525/ID=2210171357 (5’57” Mercedes, and 8’30” Lincoln parallel parking)
©4/18/12 Qi D. Van Eikema Hommes 2
Automo0ve Systems Today and Tomorrow
• Cyber Physical Systems-‐complex embedded devices networked to control physical hardware components.
• SoOware intensive. • Automa0ng many human tasks.
• The development teams are mul0disciplinary and globally distributed.
©4/18/12 Qi D. Van Eikema Hommes 3
4
The Powertrain Control SoOware System
©4/18/12 Qi D. Van Eikema Hommes
!"# $!"# %!"# &!"# '!"# (!!"# ($!"#
)*+,-#
./0*112#
3/456762*+#8/+76/1#9/:4265#
;<6/=15#>/?@#9@A75B#C+75D62E/+#
;<6/=15#>/?@#F5A*D+#
826#F//6#
G*6H62:#I+D*+5#
!"#$%&#'(')*'+),-).#./0'!1#2/#3'45'%'6#07&.'+8%.&#'
!" #" $" %" &" '!" '#" '$"
()*+,"
-./)001"
2.345651)*"7.*65.0"8.93154"
:;5.<04"=.>?"8?@64A"B*64C51D.*"
:;5.<04"=.>?"E4@)C*"
715"E..5"
F)5G519"H*C)*4"
!"#$%&#'()*+#$',-'.,//#01,/2'3#$'(,4#'
Hommes, DETC2008-‐DTM-‐49140
• 1 produc0on-‐level soOware • 117 soOware modules (red dots) • 1423 interac0ons (black lines) • 39 such produc0on soOware releases per year • <2 weeks per release
Adap0ve Cruise Control Design
!!
5
Hommes, IDETC 2012 -‐ 70527
©4/18/12 Qi D. Van Eikema Hommes 5
Accident, Hazard
• Accident: vehicle occupants are injured while ACC is engaged.
• Hazards: • H1: ACC did not maintain a safe distance from the object in the front, resul0ng in collision.
• H2: ACC slows down the vehicle too abruptly, and vehicle is rear-‐ended.
6 ©4/18/12 Qi D. Van Eikema Hommes 6
System Safety Constraints and Requirements
• Design constraints: • ACC should not let the vehicle gets in contact with the object ahead.
• ACC should not brake too abruptly. • Design requirements:
• ACC shall maintain a TBD amount of distance between the vehicle and the object in front when engaged.
• ACC shall limit vehicle decelera0on to no more than TBD m/s^2.
©4/18/12 Qi D. Van Eikema Hommes 7
Control Structure
8 ©4/18/12 Qi D. Van Eikema Hommes 8
Operator
Instrument Cluster
ACC Module
Engine Control Module
Radar Lead
Vehicle
Accelerator Pedal
Brake Pedal
Brake Control Module
Electronic Throdle Body
Brake
Tac0le input Tac0le input
Tac0le input Visual Feedback
Accelera0on Signal
Braking Signal
CAN Message ACC Status
Distance Braking Signal
Target Vehicle Speed
Braking Status Vehicle Speed
Braking Signal
Vehicle
Throdle Posi0on Throdle opening
Fric0on
Air
Wheel Speed
Example: ACC – BCM Control Loop
9 ©4/18/12 Qi D. Van Eikema Hommes 9
Operator
Instrument Cluster
ACC Module
Engine Control Module
Radar Lead
Vehicle
Accelerator Pedal
Brake Pedal
Brake Control Module
Electronic Throdle Body
Brake
Tac0le input Tac0le input
Tac0le input Visual Feedback
Accelera0on Signal
Braking Signal
CAN Message ACC Status
Distance Braking Signal
Target Vehicle Speed
Braking Status Vehicle Speed
Braking Signal
Vehicle
Throdle Posi0on Throdle opening
Fric0on
Air
Wheel Speed
Reformaded Control Loop
©4/18/12 Qi D. Van Eikema Hommes 10
ACC
BCM
Brake
Vehicle
BCM
Wheel Speed Sensors
Control Ac0on: Brake Signal from ACC to BCM
STPA Step 1: Unsafe Control Ac0ons
11 ©4/18/12 Qi D. Van Eikema Hommes 11
!"#$%"&'()$*"#+"$',%"-*.*#/'!01232'4050%.
,%"-*.*#/'!01232'4050%.
6%"#/'7*8*#/'"%'9%.3%'!01232'
4050%.
:$";;3.'$""':""#'"%'(;;&*3.'7""'
<"#/
!"#$%&'()*#+&,"-.&/00&1-&!02
3%4(5+%&6-%7&*-1&8"#$%&94%*&14%&6(71#*5%&1-&14%&
+%#6&:%4(5+%&(7&+%77&14#*&14%&:#+;%&7%1&8<&14%&-=%"#1-">&
?@AB
0-..#*6%6&6%55%+%"#1(-*&#.-;*1&(7&1--&7.#++&94%*&14%&
:%4(5+%&(7&1--&5+-7%&1-&14%&-8C%51&(*&14%&
,"-*1>&?@AB
!"#$(*)&(7&5-..#*6%6&1--&+#1%&94%*&14%&6(71#*5%&1-&14%&
+%#6&:%4(5+%&(7&1--&5+-7%>&&?@AB
!"#$(*)&71-=7&8%,-"%&14%&7#,%1<&6(71#*5%&8%19%%*&14%&:%4(5+%7&#"%&"%#54%6>&&?@AB
!"#$(*)&(7&5-..%*1%6&94%*&14%&6(71#*5%&1-&14%&+%#6&:%4(5+%&(7&
+#")%"&14#*&14%&7%1&:#+;%>&?@DB!"#$(*)&(7&1--&
,#71E4#"74&94%*&14%&6(671#*5%&1-&14%&+%#6&:%4(5+%&(7&+%77&14#*&14%&7%1&
:#+;%>&?@DB
STPA Step 2: Causal Analysis with Guidewords
©4/18/12 Qi D. Van Eikema Hommes 12 Leveson 2012
!
Causal Analysis Results
©4/18/12 Qi D. Van Eikema Hommes 13
Unsafe Control Ac:on: Vehicle does not brake when the distance to the object in front is less than preset value.
!
Delayed Opera0on
Causal Analysis Results (2)
©4/18/12 Qi D. Van Eikema Hommes 14
Unsafe Control Ac:on: Vehicle does not brake when the distance to the object in front is less than preset value.
!
Causal Analysis Results (3)
©4/18/12 Qi D. Van Eikema Hommes 15
• Misalignment of brake shoes/pads. • Missing fluid pressure for hydraulic lines. • No current/voltage to actuator.
Unsafe Control Ac:on: Vehicle does not brake when the distance to the object in front is less than preset value.
!
Causal Analysis Results (4)
©4/18/12 Qi D. Van Eikema Hommes 16
Incorrect or no informa0on provided,
measurement inaccuracy,
feedback delays
Unsafe Control Ac:on: Vehicle does not brake when the distance to the object in front is less than preset value.
!
Causal Analysis Results (5)
©4/18/12 Qi D. Van Eikema Hommes 17
• Dirt accumula0on on wheel rota0on sensor.
• Wire disconnec0on. • Communica0on bus faults,
overload, message priority.
Unsafe Control Ac:on: Vehicle does not brake when the distance to the object in front is less than preset value.
Assess the Effec0veness of STPA
• The outcome of STPA was a list of component design requirements that will ensure top level safety goal.
• Compare with actual industry design specifica0ons. – Unable to do so because of proprietary nature of the design specifica0ons.
18 ©4/18/12 Qi D. Van Eikema Hommes 18
Assess STPA (2) • Compared with ISO 22179 and SAE J2399.
– Many more detailed requirements than what is in the standards.
– Industry standards are the lowest common denominators among the manufacturers.
– Can only compare with categories of requirements.
• Compared with actual implementa:on in produc:on vehicles. – Warning signals among manufacturers – Warnings in driver’s manual
©4/18/12 Qi D. Van Eikema Hommes 19
Categories of Requirements Missing in Industry Standards
• Driver control authority vs. computer automa0on authority – The importance of vehicle state feedback informa0on (warning lights/sounds/icons) for driver
– Driver mental model inconsistency with vehicle state (complacency and distracted driving)
• Sensor and actuator – Hardware quality – Degrada0on
20 ©4/18/12 Qi D. Van Eikema Hommes 20
Categories of Requirements Missing in Industry Standards (2)
• Communica0on bus – Delays – Signal priority
• Controls soOware errors – Delay in processing inputs – Parameter calibra0on errors – Control soOware algorithm process model – SoOware handling of signal priority
• Service and maintenance requirements
©4/18/12 Qi D. Van Eikema Hommes 21
Comparison with Implementa0on 1. Significant difference in the implementa0on of
warning messages and signals among OEM’s and across models.
22 ©4/18/12 Qi D. Van Eikema Hommes
Porsche Toyota Volvo Nissan
2. Leaving a lot of the limita0ons of ACC in the drivers’ manual.
– NISSAN INFINITI EX 2010, 21 pages (ACC feature), 16 warnings and 1 cau0on.
– Ford Lincoln MKX 2010, 7 pages (ACC feature), 10 warnings.
Example: ACC Malfunc0on Lights (Credit: Zoepf)
22
Summary • This was our first adempt to apply STPA to a modern automo0ve electronics feature.
• The method works. • The analysis iden0fied many more safety cri0cal requirements than what is iden0fied in the industry standards.
• STPA can be a very powerful method to iden0fy safety cri0cal design requirements, and prevent accidents in the first place.
• Industry collabora0on will further improve our understanding of the effec0veness of the method, and how to integrate it with the current product development process.
©4/18/12 Qi D. Van Eikema Hommes 23
Thank you! Ques0on?
Qi D. Van Eikema Hommes [email protected]