Search Results

Journal Article

Bridging the Gap between ISO 26262 and Machine Learning: A Survey of Techniques for Developing Confidence in Machine Learning Systems

2020-04-14
2020-01-0738
Machine Learning (ML) based technologies are increasingly being used to fulfill safety-critical functions in autonomous and advanced driver assistance systems (ADAS). This change has been spurred by recent developments in ML and Artificial Intelligence techniques as well as rapid growth of computing power. However, demonstrating that ML-based systems achieve the necessary level of safety integrity remains a challenge. Current research and development work focused on establishing safe operation of ML-based systems presents individual techniques that might be used to gain confidence in these systems. As a result, there is minimal guidance for supporting a safety standard such as ISO 26262 - Road Vehicles - Functional Safety, to enable the development of ML-based systems. This paper presents a survey of recent ML literature to identify techniques and methods that can contribute to meeting ISO 26262 requirements.
Technical Paper

ASIL Decomposition: The Good, the Bad, and the Ugly

2013-04-08
2013-01-0195
ASIL decomposition is a method described in the ISO 26262 standard for the assignment of ASILs to redundant requirements. Although ASIL decomposition appears to have an intent similar to the hardware fault tolerance concept of IEC 61508-2, it is not intended to reduce ASIL assignments to hardware elements for random hardware failures; instead it focuses on functions and requirements in the context of systematic failures. Based on our participation in the development of the standard, we observe that the method has been applied in different ways in practice, not all of which are fully consistent with the intent of the standard. Two potential reasons for the use of “modified” ASIL algebra are the need for OEMs to partition a system and specify subsystem requirements to suppliers, and the need for designers to construct systems bottom-up.
Journal Article

Reliability and Safety/Integrity Analysis for Vehicle-to-Vehicle Wireless Communication

2011-04-12
2011-01-1045
Vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communications are gaining increasing importance in automotive research and engineering domains. This novel communication scheme is intended to improve driver safety (e.g., forward collision warnings) and comfort (e.g., routing to avoid congestion, automatic toll collection, etc.). Features exploiting these communication schemes are still in the early stages of research and development. However, growing attention to system-wide infrastructure - in terms of OEM collaboration on interface standardization, protocol standardization, and government-supported road/wireless infrastructure - will lead to wide adoption of such features in the future. This paper focuses on evaluating the reliability and safety/integrity of data communicated over the wireless channels for early design verification. Analysis of a design can be based on formal models, simulation, emulation, and testing.
Journal Article

Safety Analysis of Software-intensive Motion Control Systems

2009-04-20
2009-01-0756
The auto industry has had decades of experience with designing safe vehicles. The introduction of highly integrated features brings new challenges that require innovative adaptations of existing safety methodologies and perhaps even some completely new concepts. In this paper, we describe some of the new challenges that will be faced by all OEMs and suppliers. We also describe a set of generic top-level potential hazards that can be used as a starting point for the Preliminary Hazard Analysis (PHA) of a vehicle software-intensive motion control system. Based on our experience with the safety analysis of a system of this kind, we describe some general categories of hazard causes that are considered for software-intensive systems and can be used systematically in developing the PHA.
Technical Paper

Comparison of Designs for Safety/Mission Critical Systems

2005-04-11
2005-01-0775
We investigate and analyze the concept of “missed detection” and its application to the design of architectures that integrate multiple safety/mission critical functions. The analysis is based on considering different design alternatives with varying levels of missed fault detection in the components constituting the functions or subsystems. The overall system reliability and availability of a fault tolerant architecture relies as heavily on the ability to detect a fault as it does on preventing faults in the first place, as one attempts by adding levels of redundancy and/or improving the reliability of the components in such an architecture. In short, the safety of a particular architecture depends not only on component reliability and on fault tolerance, expressed as redundancy, but also on fault detectability.
Technical Paper

Assessing Required Levels of Redundancy for Composite Safety/Mission Critical Systems

2004-03-08
2004-01-1664
We investigate and analyze the concept of “shared redundancy” and its application to the design of architectures that integrate multiple safety/mission critical functions or subsystems. The analysis is based on considering different design alternatives with varying levels of physical redundancy in the components constituting the functions or subsystems. Under a set of assumptions, we show that the overall system reliability and availability of a shared-redundancy-based architecture can be improved without increasing the levels of physical redundancy for the components employed at the subsystem level. However, such an improvement is limited by the component(s) with the least redundancy.
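As an added example (not code from either the “missed detection” or the “shared redundancy” paper above; this page carries only their abstracts), the following Python puts numbers on the two claims those abstracts make: that redundancy buys little without fault detection, and that pooling spares across subsystems raises system reliability without adding units, bounded by any element that cannot draw on the pool. The models are standard textbook assumptions rather than the papers' own analyses: independent, identical units each operational with probability r, k-of-n survival, and a duplex pair whose survival after a single failure requires that failure to be detected (coverage c). All function names and the r = 0.9 figures are constructed for illustration.

```python
"""Reliability arithmetic for two architectural ideas: fault detectability
(coverage) and shared redundancy.  Added example; the models below are
textbook assumptions, not the surveyed papers' own analyses."""
from math import comb


def k_of_n(n: int, k: int, r: float) -> float:
    """P(at least k of n units work).  Assumes independent, identical units,
    each operational with probability r, and no common-cause faults."""
    return sum(comb(n, j) * r ** j * (1 - r) ** (n - j) for j in range(k, n + 1))


def duplex_with_coverage(r: float, c: float) -> float:
    """Reliability of a 1-of-2 pair whose switchover depends on detecting the
    failed unit.  Assumed model: the pair survives if both units are good, or
    if exactly one fails AND that failure is detected (probability c) so the
    survivor takes over.  An undetected failure is assumed to take the pair
    down, which is why c = 0 is worse than a single unit."""
    return r ** 2 + 2 * c * r * (1 - r)


def coverage_required(r: float, target: float) -> float:
    """Smallest detection coverage c for which duplex_with_coverage(r, c)
    reaches `target`.  A result above 1.0 means no coverage suffices: the
    pair itself is too weak and more redundancy (or better units) is needed."""
    return (target - r ** 2) / (2 * r * (1 - r))


def dedicated_redundancy(r: float, subsystems: int, spares_per_subsystem: int) -> float:
    """Each subsystem owns its own (1 + spares) units and needs one working;
    every subsystem must be up, so the groups are in series."""
    return k_of_n(1 + spares_per_subsystem, 1, r) ** subsystems


def shared_redundancy(r: float, subsystems: int, spares_per_subsystem: int) -> float:
    """Same total unit count, but any unit can stand in for any subsystem, so
    the system survives while at least `subsystems` units still work."""
    total = subsystems * (1 + spares_per_subsystem)
    return k_of_n(total, subsystems, r)


def with_unshared_bottleneck(pool_reliability: float, single_unit_reliability: float) -> float:
    """A non-redundant element that cannot use the shared pool sits in series
    with it, so the system can never beat that element's own reliability."""
    return pool_reliability * single_unit_reliability


def compare(r: float = 0.9) -> dict:
    """Worked figures for a constructed r (default 0.9); not data from the papers."""
    pool = shared_redundancy(r, 2, 1)
    return {
        "simplex": r,
        "duplex_perfect_detection": duplex_with_coverage(r, 1.0),
        "duplex_half_detection": duplex_with_coverage(r, 0.5),
        "duplex_no_detection": duplex_with_coverage(r, 0.0),
        "dedicated_2_subsystems_x_1_spare": dedicated_redundancy(r, 2, 1),
        "shared_pool_2_of_4": pool,
        "shared_pool_plus_single_0.95_unit": with_unshared_bottleneck(pool, 0.95),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:36s} {value:.4f}")
    print(f"coverage needed to reach 0.95 with r = 0.9: {coverage_required(0.9, 0.95):.3f}")
```

The duplex numbers make the “missed detection” point concrete: with r = 0.9 the pair reaches 0.99 only with perfect detection, drops to the single-unit value 0.90 at 50 % coverage, and is worse than a single unit at 0 % coverage. The pool numbers make the “shared redundancy” point: the same four units give 0.9801 as two dedicated pairs but 0.9963 as a 2-of-4 pool, and adding one 0.95 element that cannot share caps the whole system below 0.95.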
Technical Paper

Architecture of By-Wire Systems Design Elements and Comparative Methodology

2003-03-03
2003-01-1291
By-wire systems have the potential to augment the normal capabilities of human drivers as well as to serve as enablers for emerging safety technologies. To achieve these features, these systems must be carefully designed, analyzed, and verified for safety because they are new, complex, and potentially exhibit new and different failure modes and effects. Duplication may be required to ensure that safety margins are met in the presence of faults. Full duplication of every system may not lead to a cost-effective implementation, especially if multiple independent by-wire systems are placed on a single vehicle. Other architectural approaches for the integration of by-wire systems need to be considered and analyzed. These architectures should meet, if not exceed, the safety requirements while providing a more cost-effective implementation than a fully duplicated architecture.