Functional Safety for Cooperative Systems 2013-01-0197

This paper investigates what challenges arise when extending the scope of functional safety for road vehicles to also include cooperative systems. Two generic alternatives are presented and compared with one another. The first alternative is to use a vehicle centric perspective as is the case in the traditional interpretation of ISO 26262 today. Here, an “item” (the top level system or systems for which functional safety is to be assured) is assumed to be confined to one vehicle. In the vehicle centric perspective inter-vehicle communication is not an architectural element and is therefore not a candidate for redundancy as part of the functional safety concept. The second alternative is to regard a cooperative system from a cooperative perspective. This implies that one item may span over several vehicles. The choice of perspective has implications in several ways. We investigate the implications for the cooperative item and in what ways the results may differ when going through the reference life cycle of ISO 26262. In particular we look at classification of hazardous events where severity is significantly higher since the cooperative system involves multiple rather than one single vehicle. We therefore suggest an additional severity class and as a consequence introduce a new automotive safety integrity level, ASIL E. The cooperative perspective includes the inter-vehicle communication as a candidate for redundancy. ASIL E can therefore be achieved using ASIL decomposition and the currently recommended product development phases for ASIL A to ASIL D. As an example for illustrating we use platooning.