Defining the Scope of an Item

Part of the document Automotive systems engineering ii (pages 132 - 135)

6.2 Process to Develop a Functional Safety Concept

6.2.2 Defining the Scope of an Item

Before starting the Item Definition it is necessary to identify the item to be developed in the process of the ISO 26262 standard. For automated vehicles it is conceivable to define the whole system as one item. Common practice in current ADAS development is to divide the overall system into multiple subsystems and to develop a functional safety concept connecting those subsystems. The selected view on the whole system, either as one item or as multiple items, is fundamental for the following development process. Before the functionality of the item can be defined, it has to be clarified whether the whole system or its subsystems are defined as items.

According to the ISO 26262 standard an Item Definition shall contain complete specifications of the interfaces to other items, the dependencies on and of other items, and the possible influences on the function of other items. If multiple items are defined, the overhead of describing these relations in each Item Definition becomes difficult to handle. On the other hand, a complete system defined as one item has a very large Item Definition and more complex process steps in each development phase. Additionally, the layer on which subsystems are defined has to be chosen: subsystems can be defined on a functional level, a skill level, a hardware level, or on another level based on expert knowledge.

The ISO 26262 standard defines a system (as distinct from the item) as a

“set of elements (1.32) that relates at least a sensor, a controller and an actuator with one another” (ISO 26262:2011, Part 1).

Sensors and actuators can therefore only be parts of a system, not systems themselves. This results in an item consisting of several systems, including perception, functional logic and actuators, which together can sense, plan and act.

It has to be noted that, for example, an environment perception system cannot be defined as an item according to the ISO 26262 standard, because it has no actuator and features only data acquisition and data processing. Without an actuator no “Automotive Safety Integrity Level” (ASIL) can be determined, because, following the ISO 26262 standard strictly, a system without an actuator cannot cause harm. An ASIL is a requirement level used to classify safety goals; it determines the measures necessary to ensure the correct implementation of the safety requirements for the system (ISO 26262:2011, Part 1).

The common practice in the automotive industry is to define the items based on the responsibilities of the companies involved; e.g., an ACC system is divided into the functional E/E items “ACC”, “Electronic Stability Control” and “engine control”, as each of them can be developed by a different company (Kriso et al. 2013). The ACC item includes the environment perception and the functional logic. This results in an item ACC which has no actuator in its scope but is connected to the other items, which are the actuators. This breaks with the definition in the ISO 26262 standard of an item composed of sensor, controller and actuator, but is possible because actuators can be defined as systems and items themselves. This possibility of being an item distinguishes actuators from sensors in the scope of the ISO 26262 standard.

Another approach for the Item Definition could define all ACC-relevant components, which can be parts of the systems Electronic Stability Control and engine control, in one single item (Kriso et al. 2013). This results in different effects on the hardware metrics and on the further process steps demanded by functions with a high ASIL classification. Kriso et al. (2013) discuss this issue in more detail.

As the systems up to today are permanently monitored by a driver, the perception is assisted by the human perception skills and the functional logic is limited to adapting the vehicle speed to other traffic participants in front of the equipped vehicle. This results in lower ASILs for the safety goals of the items ACC and engine control. The safety goals of the braking system, which ensure that the driver can overrule the system and that no unintended braking occurs, result in a high ASIL classification: the related hazards would be rated with high severity and low controllability for the driver and other traffic participants.

For an automated vehicle, where no driver is needed, the reduction of the ASIL for the functional logic including the perception, and for the engine control, is not applicable. Thus, defining the whole system as one item and dividing the system into multiple items both seem to result in an ASIL D classification. Additionally, actuators like the wiper, the windshield washer system, the lighting, the brake lights, the indicators, the horn and others have to be considered as well, because they have to be controlled by the vehicle guidance system.

In the case of the DISTRONIC PLUS with steering assist from Mercedes-Benz, the system is technically divided into an ACC and an LKS. The ACC could be developed as described above. The LKS features a safety-critical steering system to counteract departure from the current lane. As the driver monitors the system, and the system only assists and does not take over the whole steering task, again the perception, functional logic and motor control are not as safety-critical as in a system which does not have to be monitored permanently. Nevertheless, the steering torque must be controllable by the driver at any time, which results in a higher ASIL classification for the torque limitation function. If these subsystems are used in an automated vehicle, it is probable that they have higher safety requirements, because controllability by a driver is not applicable.
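The argument of the last three paragraphs, that the same hazard moves to a higher ASIL once the monitoring driver is removed, can be made concrete with the ISO 26262-3 risk graph. The following Python script is an added example; it is not code from the book, from Kriso et al. (2013) or from the standard. ASIL_TABLE transcribes the ASIL determination table of ISO 26262-3:2011 (severity S1..S3, exposure E1..E4, controllability C1..C3). The items, hazardous events and S/E/C classes are constructed for illustration only, and the assumption that controllability falls to C3 without a driver follows the reasoning in the text, not a rating from any manufacturer.

```python
"""ASIL determination by the ISO 26262-3 risk graph, applied to the ACC item split.

Added example: not code from the book, from Kriso et al. (2013) or from ISO 26262.
ASIL_TABLE transcribes the ASIL determination table of ISO 26262-3:2011.
All hazardous events and S/E/C classes below are constructed for illustration.
"""
from dataclasses import dataclass

# ASIL_TABLE[severity][exposure][controllability - 1], with S1..S3, E1..E4, C1..C3.
# "QM" (quality management) means no ASIL is assigned to the safety goal.
ASIL_TABLE = {
    1: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "QM"), 3: ("QM", "QM", "A"), 4: ("QM", "A", "B")},
    2: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "A"), 3: ("QM", "A", "B"), 4: ("A", "B", "C")},
    3: {1: ("QM", "QM", "A"), 2: ("QM", "A", "B"), 3: ("A", "B", "C"), 4: ("B", "C", "D")},
}
ASIL_ORDER = ("QM", "A", "B", "C", "D")  # ascending stringency


def determine_asil(severity: int, exposure: int, controllability: int) -> str:
    """ASIL of one hazardous event from its S, E and C classes."""
    if severity not in (1, 2, 3) or exposure not in (1, 2, 3, 4) or controllability not in (1, 2, 3):
        raise ValueError(f"invalid classes S{severity} E{exposure} C{controllability}")
    return ASIL_TABLE[severity][exposure][controllability - 1]


def table_is_consistent() -> bool:
    """Self-check of the transcription: each cell equals the arithmetic form of the
    risk graph, S + E + C <= 6 -> QM, 7 -> A, 8 -> B, 9 -> C, 10 -> D."""
    for s, row in ASIL_TABLE.items():
        for e, cells in row.items():
            for c, asil in enumerate(cells, start=1):
                if asil != ASIL_ORDER[max(0, s + e + c - 6)]:
                    return False
    return True


@dataclass(frozen=True)
class Hazard:
    item: str          # the ISO 26262 item whose safety goal covers the event
    event: str
    severity: int      # S class
    exposure: int      # E class
    c_monitored: int   # C class while a driver permanently monitors the function
    c_automated: int   # C class with no driver in the loop (assumption: C3, as argued above)


# Constructed hazardous events for the item split ACC / engine control /
# Electronic Stability Control (illustrative, not the book's or any OEM's ratings).
EXAMPLE_HAZARDS = [
    Hazard("ACC", "lead vehicle not perceived, no deceleration requested", 3, 4, 1, 3),
    Hazard("engine control", "delivered torque exceeds the ACC request", 3, 4, 1, 3),
    Hazard("Electronic Stability Control", "unintended braking", 3, 4, 3, 3),
    Hazard("Electronic Stability Control", "driver cannot overrule the braking request", 3, 4, 3, 3),
]


def rate_items(hazards, driver_monitors: bool) -> dict:
    """Highest ASIL per item over its hazardous events, using the C class that
    applies with (driver_monitors=True) or without a monitoring driver."""
    highest = {}
    for h in hazards:
        c = h.c_monitored if driver_monitors else h.c_automated
        asil = determine_asil(h.severity, h.exposure, c)
        highest[h.item] = max(highest.get(h.item, "QM"), asil, key=ASIL_ORDER.index)
    return highest


def items_escalated(hazards) -> dict:
    """Items whose ASIL rises when the monitoring driver is removed: item -> (before, after)."""
    with_driver = rate_items(hazards, driver_monitors=True)
    without = rate_items(hazards, driver_monitors=False)
    return {item: (with_driver[item], without[item])
            for item in with_driver if without[item] != with_driver[item]}


if __name__ == "__main__":
    assert table_is_consistent()
    print("driver monitors:  ", rate_items(EXAMPLE_HAZARDS, driver_monitors=True))
    print("automated vehicle:", rate_items(EXAMPLE_HAZARDS, driver_monitors=False))
    print("escalated items:  ", items_escalated(EXAMPLE_HAZARDS))
```

With the constructed ratings the braking item is ASIL D in both cases, while ACC and engine control move from ASIL B to ASIL D once the C class no longer credits a driver who can overrule the function. The table self-check is worth keeping in any tool that encodes the risk graph, since a single mistyped cell silently under-rates a safety goal.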

To sum up, one approach to assign ASILs to functional requirements could be to define the vehicle guidance system as one item and its components as elements. This holistic approach results in an Item Definition which has to cover all aspects of the vehicle guidance system. The follow-up processes treat the item in the same manner, so the Hazard Analysis and Risk Assessment and the functional safety concept are for the whole vehicle guidance system. A main benefit of this approach is that risks and harms are identified for the whole system. A main deficit is the complexity and the fact that, for a complex system functionality, an open set of situations has to be considered. It is quite easy to find situations which require reliable functionality and thus determine ASIL D (the highest level). Even assuming that every necessary functional component can somehow be realized at ASIL D, functional deficits result in a reduced usability compared to the capabilities of human drivers.

Figure 6.3 illustrates a left-turn situation on the city ring road in Braunschweig, Germany. The ego vehicle approaches from the top left corner (Cyriaksring) in the green lane. At the red area in front of the tram rails, vehicles turning left into Luisenstraße typically stop. An automated vehicle turning left could have to stop there as well, because vehicles from the bottom right, travelling in the opposite direction on Cyriaksring, could approach. As illustrated in Fig. 6.3, the distance from the stopping point to the stop line for the opposite direction is about 44 m. Although exceeding the speed limit is not allowed by traffic rules, approaching vehicles commonly drive up to 20 m/s in this situation. Thus, the ego vehicle would have only about 2.2 s to cross the opposite lanes and drive into Luisenstraße. As there is a pedestrian crosswalk and a bicycle path, both depicted as the orange area in Luisenstraße, the ego vehicle could have to stop at the second red area. As a result, the vehicle guidance system in the ego vehicle faces high functional requirements regarding viewing distance and reliable dynamic object tracking. Especially important within the context of this chapter, high reliability requirements for the whole system arise, because a failure or a misinterpretation in this situation could cause a severe accident. The illustrated situation is not artificial and will likely be encountered in almost every drive with the automated vehicle. In our understanding of safety requirements, this would result in an ASIL D for all components of the vehicle guidance system involved in solving this situation safely.

Fig. 6.3 Exemplary situation, Geographic data © 2015 GeoBasis-DE/BKG (© 2009), Google
