Technical Paper

Integrating SOTIF and Agile Systems Engineering

2019-04-02
2019-01-0141
Autonomous vehicles and advanced driver assistance systems have functionality realized across numerous distributed systems that interact with a dynamic cyber-physical environment. This complexity raises the potential for emergent behaviours that are not intended for the system's operational use. The need to analyze the intended functionality of these emergent behaviours for potential hazards, which may occur in the absence of faults, is an aspect of ISO PAS 21448, Safety of the Intended Functionality (SOTIF) [1]. SOTIF is a framework for developing systems that are free from unreasonable risk due to the intended functionality or performance limitations of a system that is free from faults. It is meant to complement functional safety, which is covered by ISO 26262 [2]. The major focus of SOTIF is to aid in the functional development of a system.
Technical Paper

Integrating STPA into ISO 26262 Process for Requirement Development

2017-03-28
2017-01-0058
Developing requirements for automotive electric/electronic systems is challenging, as those systems become increasingly software-intensive. Designs must account for unintended interactions among software features, combined with unforeseen environmental factors. In addition, engineers have to iteratively make architectural tradeoffs and assign responsibilities to each component in the system to accommodate new safety requirements as they are revealed. ISO 26262 is an industry standard for the functional safety of automotive electric/electronic systems. It specifies various processes and procedures for ensuring functional safety, but does not limit the methods that can be used for hazard and safety analysis. System Theoretic Process Analysis (STPA) is a newer hazard-analysis technique in that it treats hazards as arising from unsafe interactions between components (including humans), as well as from component failures and faults.
Technical Paper

Requirement Based Safety Monitor Generation and Integration

2014-04-01
2014-01-0214
The safety monitor is a high-integrity control that monitors the health and performance of safety-related, computer-controlled functions in vehicles. The integrity of the safety monitor code is critical to the overall performance of the control software. Traditionally, once monitor requirements are understood, the safety monitor is hand-coded or created in a modeling environment. New practices such as ISO 26262 prescribe that formal or semiformal methods be used against certain classes of foreseeable faults. Recently, a new tool capable of auto-generating C code from formal functional requirements for safety monitors has become available from BTC Company. Ford Motor Company investigated the tool using an application example from a powertrain control feature safety monitor.