JLR Feature Overview AEB

ISO26262 –
Challenges for OEMs during Driver Assistance System development
Edith Holland
Project Engineer
EESE Functional Safety
1
AGENDA
• Functional Safety traditionally in the automotive industry
• Introduction to ADAS features
• Functional Safety and ADAS
• Summary
2
FUNCTIONAL SAFETY ON TRADITIONAL VEHICLE SYSTEMS
• Domain based (steering/braking/propulsion)
• Hazards related to actuator behaviour in case of
failures
• Safety Concepts address hazards through detection of
relevant failures and transitions into safe states
• Safety Targets decided by OEM within domain/CoC &
implemented by supplier with domain specific
knowledge
ASIL = f(S, E, C)
3
WHAT IS DRIVING THE DEVELOPMENT OF ADAS SYSTEMS?
• Customer Expectations (Comfort/Efficiency)
• NCAP requirements
• Safety Improvements!
90 % or more of all traffic accidents are due to driver errors.
Driver Assistance Systems
4
CURRENT JLR ADAS FEATURES
Lane Keep Assist
Traffic Sign Recognition
Park Assist
e.g. Jaguar XE
Advanced Emergency Braking
Adaptive Cruise Control
Discovery Sport
5
WHY IS FUNCTIONAL SAFETY SO IMPORTANT FOR ADAS
• Complexity & Interactions
• Risk Classification
• Controllability
• Safety of the ADAS feature
6
COMPLEXITY (1)
• 1st generation ADAS features
 Assist driver in one aspect of vehicle control
 Limited interaction between vehicle systems
• Next generation of features to enhance functionality
 Control more than one aspect of vehicle motion
 More and more complex interaction between vehicle systems
7
COMPLEXITY (2)
8
COMPLEXITY (3)
9
FS CHALLENGES - COMPLEXITY
• Current JLR development process is centred around feature
• Increase in feature count means increased number of safety concepts
REQUIRES COORDINATION OF SAFETY CONCEPTS (slide 11/12)
 Conflicts between Safety concepts need to be resolved at vehicle level
REQUIRES COLLABORATION ACROSS CoCs (slide 11-12)
 Interaction between features and driver needs to be considered for
functionality and safety aspects
VEHICLE LEVEL ANALYSIS (slide 13)
CoC = Centre of Competence
10
FS CHALLENGES – COMPLEXITY
How to structure interacting Safety Concepts and Safety Requirements?
 ISO26262 only contains linear approach
FSC -> TSC -> Hw SR & Sw SR
 Leads to extensive cross-referencing between safety concepts
 Safety measures may support several safety goals
 Safety measures may be allocated across the item
 Safety Concepts for all features need to align
 Additional step required after independent analysis of features to
coordinate, combine and resolve conflict between safety concepts
before allocation to individual systems
11
FS CHALLENGES - COMPLEXITY
12
FS CHALLENGES - COMPLEXITY
• Breakdown of FS “items” needs to be managed
• For ADAS team, this includes interaction of ADAS features with Driver
13
RISK CLASSIFICATION (1)
• ADAS features stretch existing ISO26262 standard
• Risk Classification based on Controllability of Hazardous Event
Controllability: ability to avoid a specified harm or damage through the timely reactions of the persons involved, possibly with support from external measures
NOTE 1: Persons involved can include the driver, passengers or persons in the vicinity of the vehicle's exterior.
Class of Controllability and Definition:
• C0: Controllable in general
• C1: Simply controllable (99 % or more of all drivers or other traffic participants are usually able to avoid harm)
• C2: Normally controllable (90 % or more of all drivers or other traffic participants are usually able to avoid harm)
• C3: Difficult to control or uncontrollable (Less than 90 % of all drivers or other traffic participants are usually able, or barely able, to avoid harm)
14
SAFETY DUE TO MALFUNCTION VS SAFETY DUE TO FUNCTION
• Autonomous Driving definitions
• Increase of authority of ADAS features over vehicle
• From “Assist Feature” to “Pilot Feature” to “Chauffeur Feature”
• Current legislation not in line with proposed technology (Vienna
Convention)
• Current definition of Controllability needs some interpretation
15
RISK CLASSIFICATION (2)
• Interpretation of Controllability is changing
 previously: driver skill, strength & awareness
 now: above + driver attentiveness based on anticipated driver
behaviour with ADAS features
• Increasing Human Factors understanding required
• We are trying to predict how customers will use (and abuse) the
feature
16
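The effect of a changed controllability interpretation on ASIL = f(S, E, C), as an added example that is not part of the original slides. It uses the C1 to C3 percentage thresholds from the controllability table above and the commonly used sum shortcut that reproduces the ISO 26262-3 ASIL determination table; the function names and the sample hazardous event are constructed for illustration.

```python
# Added example (not from the slides): how a change in assumed driver
# attentiveness moves the controllability class and therefore the ASIL.

# Sum shortcut for the ISO 26262-3 ASIL table: S1..S3, E1..E4, C1..C3.
ASIL_BY_SUM = {7: "A", 8: "B", 9: "C", 10: "D"}


def controllability_class(share_able_to_avoid_harm):
    """Map the share of drivers able to avoid harm to C1..C3 (slide thresholds)."""
    if not 0.0 <= share_able_to_avoid_harm <= 1.0:
        raise ValueError("share must be between 0 and 1")
    if share_able_to_avoid_harm >= 0.99:
        return 1  # C1: simply controllable
    if share_able_to_avoid_harm >= 0.90:
        return 2  # C2: normally controllable
    return 3      # C3: difficult to control or uncontrollable


def asil(s, e, c):
    """Return 'QM', 'A', 'B', 'C' or 'D' for severity S, exposure E, controllability C."""
    if s not in range(0, 4) or e not in range(0, 5) or c not in range(0, 4):
        raise ValueError("expected S0-S3, E0-E4, C0-C3")
    if 0 in (s, e, c):
        return "QM"  # S0, E0 or C0: no ASIL is assigned
    return ASIL_BY_SUM.get(s + e + c, "QM")


def asil_shift(s, e, share_before, share_after):
    """ASIL before and after re-estimating how many drivers can avoid harm."""
    before = asil(s, e, controllability_class(share_before))
    after = asil(s, e, controllability_class(share_after))
    return before, after


if __name__ == "__main__":
    # Constructed hazardous event: S3, E4. With an attentive driver 99.5 % are
    # assumed able to avoid harm; with reduced attentiveness only 92 %, then 80 %.
    print(asil_shift(3, 4, 0.995, 0.92))  # C1 -> C2
    print(asil_shift(3, 4, 0.995, 0.80))  # C1 -> C3
```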
SAFETY DUE TO MALFUNCTION VS SAFETY DUE TO FUNCTION
• Current assumption:
Vehicle system is inherently safe.
e.g. ABS, EMS
• Vehicle system fulfils a purpose and is required to make the
vehicle function for the driver to carry out the driving task
• Functional Safety activities focus on analysis of malfunctions and
required mitigation
17
SAFETY DUE TO MALFUNCTION VS SAFETY DUE TO FUNCTION
• Considerations for ADAS:
Is the function safe?
- for the host vehicle driver
- for other traffic participants
Example: Emergency Braking Function
Safety of the Intended Function (SOTIF)
• ADAS system sits on top of primary vehicle systems
• ADAS system performs some of the driver’s task rather than a
function required for the vehicle to function.
18
FUNCTIONAL SAFETY OF ADAS FEATURES
Who is in control of the vehicle and
what can be expected from the driver?
• ADAS development as
glidepath towards Autonomous
Driving addresses individual
specific driving situations
• BUT: Current Features have
limitations of their capabilities
due to feature scope
19
FUNCTIONAL SAFETY OF ADAS FEATURES
• Limitations have safety implications that need to be addressed and
considered either by
o Feature definition
o HMI design
o Driver information
• Safety Implications if the driver’s expectations do not match feature
capability
• Example: Radar-based ACC
- limitations of objects that can be detected due to sensor technology:
Radar detection impaired by environmental conditions.
- limitations of objects that can be detected due to feature design:
Radar object identification limited to 4 wheel vehicles
- limitations of actuator authority (max allowed braking)
Feature cannot perform emergency stop
20
CONCLUSION
• ADAS features cannot be delivered without completion of functional
safety activities
• ADAS poses new challenges for FS
• Collaboration across the company is a must
 Domain knowledge required
 Human Factors knowledge required
 Legal aspects need addressing
• This is still ongoing work
21
SUMMARY
• Functional Safety before ADAS
• ADAS and Functional Safety
• Challenges
THANK YOU
22