Challenges and trends for automotive safety assurance
Mike Barnett and Dave Higham Delphi Powertrain Engineering
Overview
• Introduction
• The “Big Picture”
– State of play
– Trends
– ISO 26262 Road vehicle functional safety
• MISRA guidelines for safety cases
• Comment and observations
Delphi, a leading automotive technology company
126 manufacturing sites
15 major global technical centers
19,000 engineers and scientists
$16.5B 2013 revenue
more than 160,000 people in 32 countries
$1.7B in Research & Development
Delphi, a leading automotive technology company
• Market relevant portfolio aligned to megatrends
• Superior engineering and system integration
• Collaborative innovation
• Leading-edge technology
• Quality products and services
• Award winning performance
• Global, precision manufacturing capabilities
• World-class customer support
Safe
Connected
Green
Delphi - Portfolio of Safety solutions
Safe / Green / Connected
Automated Driving Systems
• 360 degree sensing
• Front, rear and side detection
• Suite of radar and vision sensing systems
• RACam radar and camera fusion
Driver State Alerts & Workload Management
• Fatigue/drowsiness
• Distraction
Safety Electronics
• Airbag control units
• Multi-domain controllers
Occupant Classification Systems
• Full and Infant-only Suppression
• Seat Belt Reminder
Driver Assistance
• Collision avoidance
• Cross traffic alert
• Blind spot detection
• Lane departure warning
• Lane centering
• Automatic headlight control
• Traffic sign recognition
• Forward collision warning
• Automatic emergency braking
• Adaptive cruise control
The “Big Picture”
A Societal Challenge – A Worldwide View of Road Traffic Injuries
Source WHO Global status report on road safety 2013
• 1.3 million deaths in 2010
• 92% in low- and middle-income countries, but with only 53% of the vehicles
• 50% vulnerable road users
• Only 28 countries (7% population) have adequate laws relating to five key risk factors
• 2010 estimated cost $100 billion
• 2020: estimated 1.9 million deaths if no action taken
UN “Decade of Action for Road Safety” (2011-2020) aims to save 5 million lives.
Vehicle recalls make safety a top priority
US data. Source: http://www.businessweek.com/articles/2014-06-12/the-king-of-auto-recalls-isnt-gm-dot-its-toyota
Safety vision: a society that sees zero fatalities, zero injuries and zero accidents
[Chart: Fatalities per 100 million miles (scale 1 to 6) from 1965 to 2025, annotated with the introduction of safety measures: seat belts, seat belt mandates, energy-absorbing bumpers, airbags, child seats, occupant detection, side / curtain airbags, active safety, active suspensions]
Active safety is seen as a major contributor to road safety. ‘An extra ½ second of warning can mitigate 60% of crashes’
Delphi – changing the way transportation is delivered
In the next 10 years:
50% more vehicles on the road
Stricter fuel economy regulations @ 54.5 MPG by 2025 (USA)
Automated driving/V2V/V2I
35% market growth in active safety technologies
Even today, in high-end cars we can find more than 100 electronic control units (ECUs) executing around 100 million lines of code.
Rapidly evolving technology – value and opportunity, but a moving target for safety
[Diagram: the connected vehicle. Back-end server (infotainment: map, traffic, entertainment); Advanced Driver Assistance systems (vehicle topology, dynamic zones); vehicle data exchanged with the back end (speed, position, location, diagnostics, etc.), with infrastructure (parking info, signage, etc.) and with other vehicles (acceleration status, warnings, position); Vehicle-to-Vehicle (V2V); Vehicle-to-Infrastructure (V2I); personal device]
Albert Einstein: “We cannot solve our problems with the same thinking we used when we created them.”
A quick look at automotive functional safety standard ISO 26262
ISO 26262: Functional Safety standard for road vehicles.
Scope:
• “electrical and/or electronic (E/E) systems….in series production passenger cars with a maximum gross vehicle mass up to 3 500 kg”.
• “addresses possible hazards caused by malfunctioning behaviour of E/E safety-related systems”
• Excludes “the nominal performance of E/E systems”
• Published Nov. 2011. 2nd edition planned for 2018 for all road vehicles.
– ISO 26262 not mandated (yet!) by existing vehicle homologation framework.
– Largely process based standard with qualitative hazard analysis and risk assessment
ISO 26262: 10 parts (474 pages) with over 1500 requirements
• Vocabulary (1)
• Safety Management (2)
• Concept (3): Initiation; H&R assessment; Safety goals; Functional Safety concept
• System Development (4): Technical safety concept; System design; Integration and test; Safety validation; Safety assessment; Production release
• HW Development (5): HW safety reqs; HW design; HW architectural metrics; Evaluation of safety goal violation due to random HW failures; HW integration and test
• SW Development (6): SW safety reqs; SW architectural design; SW unit design and test; SW integration and test; Verification of SW safety reqs
• Production and Operation (7)
• Supporting Processes (8)
• ASIL Oriented Safety Analysis (9)
• Informative Guideline (10)
The Safety Case spans the whole lifecycle.
ISO 26262 assurance measures
ISO 26262: “provides requirements for validation and confirmation measures to ensure a sufficient and acceptable level of safety being achieved”
• Confirmation measures –
– Work product focused.
– Review; audit (process) and assessment (product)
• Safety Validation –
– Vehicle focused.
– Demonstrate safety goals are correct, complete and fully achieved
– Compliance with safety goals and that safety concepts are appropriate.
• Safety assessment based on the safety case
– Judgement on the level of functional safety achieved prior to production.
ISO 26262 safety case
• Development and assessment of a ‘Safety Case’ is required….
• ….but requirements regarding its development and safety assessment are scarce
“…the safety case should progressively compile the work products that are generated during the safety lifecycle.”
And that’s all!
• Independent Safety Assessment is dependent on the contents of the Safety Case.
• But what form should an Automotive Safety Case take??
• Our first step towards rigorous and consistent safety assessment is to define an approach to creating the Safety Case
MISRA Safety Case Guidelines
MISRA Activities
• Continued work to revise and update
– MISRA C and MISRA C++
– MISRA Autocode series
• The MISRA Safety Case Working Group began its work in 2011
• The Safety Case Working Group partners:
MISRA Safety Case Guideline Content
• Key concepts used within the guidelines document
– Safety Argument layers
– Safety evidence tables
– A generic safety argument framework
– “Typical Topics” and Examples
Safety Argument Layers
Core – Rationale
• Why do we have confidence that the requirements are right?
• Which evidence indicates that the requirements are complete and correct?
Layer 1 – Satisfaction
• Why do we have confidence that the requirements have been implemented correctly?
• Which evidence demonstrates that the correct implementation has been verified?
Layer 2 – Means
• Why do we have confidence that an adequate process has been used to develop the work product?
• Which evidence demonstrates that the right people have used the correct methods?
Layer 3 – Environment
• Why do we have confidence in the environment in which the safety activities were undertaken?
• Which evidence demonstrates that the organisation has a good safety culture?
A Layered Model for Structuring Automotive Safety Arguments, EDCC 2014, UK (May 2014)
Product and Confidence Arguments
[Figure: the Safety Case Argument is split into a Product Argument and a Confidence Argument. The Product Argument comprises the Core Argument (rationale) and the Layer 1 Argument (satisfaction); the Confidence Argument comprises the Layer 2 Argument (means) and the Layer 3 Argument (environment).]
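A small checker for the four-layer model described above, added here as an illustration (it is not code from the slides, from MISRA or from Delphi): each safety goal carries claims tagged with a layer, each claim cites entries in a safety evidence table, and the checker reports which product or confidence layers are unargued and which evidence references do not resolve. All class names, the layer vocabulary and the sample data are constructed assumptions.

```python
from dataclasses import dataclass, field

LAYERS = ("rationale", "satisfaction", "means", "environment")  # core, layer 1, 2, 3
PRODUCT = {"rationale", "satisfaction"}  # the other two layers form the confidence argument

@dataclass
class Claim:
    layer: str           # one of LAYERS
    text: str
    evidence: list       # ids into the safety evidence table

@dataclass
class SafetyGoal:
    goal_id: str
    asil: str
    claims: list = field(default_factory=list)

def check_safety_case(goals, evidence_table):
    """Return {goal_id: [finding, ...]}; an empty list means all four layers are argued with evidence."""
    findings = {}
    for g in goals:
        issues = []
        present = {c.layer for c in g.claims}
        for layer in LAYERS:
            if layer not in present:
                kind = "product" if layer in PRODUCT else "confidence"
                issues.append(f"missing {kind} argument layer: {layer}")
        for c in g.claims:
            if not c.evidence:
                issues.append(f"claim '{c.text}' cites no evidence")
            for ev in c.evidence:
                if ev not in evidence_table:
                    issues.append(f"claim '{c.text}' cites unknown evidence {ev}")
        findings[g.goal_id] = issues
    return findings

# Constructed sample: evidence table (id -> work product) and two safety goals
EVIDENCE = {"E1": "HARA report", "E2": "SW unit test results",
            "E3": "coding guideline compliance report", "E4": "process audit report"}
SAMPLE_GOALS = [
    SafetyGoal("SG1", "ASIL B", [
        Claim("rationale", "safety goal derived from HARA", ["E1"]),
        Claim("satisfaction", "SW safety requirements verified by unit test", ["E2"]),
        Claim("means", "coding guidelines applied by qualified engineers", ["E3"]),
        Claim("environment", "safety culture confirmed by audit", ["E4"])]),
    SafetyGoal("SG2", "ASIL D", [  # incomplete: product argument only, plus a dangling reference
        Claim("rationale", "safety goal derived from HARA", ["E1"]),
        Claim("satisfaction", "integration tests pass", ["E9"])]),
]
```

Running `check_safety_case(SAMPLE_GOALS, EVIDENCE)` reports SG1 as complete and lists three findings for SG2: the two missing confidence layers and the unresolved evidence id E9.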
More information???
• Communication of progress / concepts
• SAFECOMP, France (September 2013),
• IQPC ISO 26262 , Germany (March 2014) and
• EDCC 2014, UK (May 2014)
Planning 2015
– Release draft guidelines for public review
– Generic GSN framework
– “Typical Topics”
– Safety argument layers
– Safety argument tables
– Publish first version of the above
– On-line examples
Challenges for Automotive Assessment
• Modular safety Cases
– How do we combine safety cases/assessment based on automotive distributed development?
• Intellectual Property (IP) protection
– How to ensure we protect evidence (designs) in a competitive market
• Degree of Rigour
– How much is enough? E.g. scalability vs risk (ASIL)
• Competency of Assessors
– Today we have auditors for process, but assessment also requires technical (domain) competency.
• Methodology for assessments
– Tools and techniques
– Relationship/interface with audits, e.g. which aspects of ISO 26262 apply for assessment
Framework for ISA from the ‘Independent Safety Assurance’ working group
• Cross industry group of safety professionals providing guidance to Independent Safety Assessors (ISA)
– Code of practice
– Competency framework
– Guidance on the use of accident statistics
– Assessment Framework for ISAs Evaluating Safety-Related Compliance Claims
– Annual workshop
Final remarks
• ISO 26262 has been a catalyst to initiate safety practices (and discussion)
• Plenty of challenges as technology, complexity and systems boundaries grow.
– Safety practices have to keep pace with these changes.
• This will put much more emphasis on assurance and is likely to lead to enhanced regulation and standardisation.
• We therefore face exciting yet demanding times ahead for the automotive industry
Thanks for your time, any questions?
• ‘Insanity: doing the same thing over and over again and expecting different results’ – Albert Einstein
• ‘The prevention of hazards shall not be seen as following law, but merely as an act of human responsibility and economic reason’ – Werner von Siemens, 1880
Mike Barnett, Functional Safety, [email protected]
Dave Higham, Head of Functional Safety, [email protected]