The technological race between major OEMs can be seen in the field of autonomous driving, which brings a lot of new challenges not only in the technical field, but also in terms of law, ethics, and sociological aspects. Our customer wanted to take part in this venture by developing systems for an autonomous bus classified as level 5. The idea was that the vehicle will operate on a predefined route.
One of the key areas which Spyrosoft contributes to during the concept phase of developing this product was the creation of hazard analysis with a risk assessment aspect. In terms of functional safety, such an analysis is called HARA. It was the first attempt by Spyrosoft to perform an analysis of this kind, with the customer, for a fully autonomous vehicle.
Read more about our automotive audit and assessment services.
It is all about the risk
For obvious reasons, it isn’t possible to anticipate every possible risk factor related to driving on a road. Risk analysis methods and techniques aim to systematically approach and identify possible hazards during a vehicle’s journey. The goal is to minimise the risk to an acceptable level by creating a robust design. We chose to follow the HARA methodology described in the automotive safety standard ISO 26262. Iis the methodology recommends to formulating top level safety requirements called Safety Goals (SG). To perform this activity, the behavior and functionality of the vehicle should be described. Automotive Safety Integrity Levels (ASILs) should be assigned to corresponding functionalities.
Spyrosoft suggested that we should start with the definition of possible states in which vehicles could operate. The anticipation of hazards at this stage of the analysis is crucial, as it affects further analysis results. That is why the engineers decided to support this stage with the HAZOP approach. After the first drafts, a fault tree analysis was conducted to check that the defined goals were consistent and reasonable. Moreover, FTA brought some additional hazards, which were not found initially. This methodology was then followed for every safety goal as it was agreed to be the optimal choice.
As we are dealing with a pre-defined vehicle mission, possible road scenarios were defined. During the mission, road conditions could change in unpredictable ways. As a result, a safe state must always be defined to react to possible hazards which can occur not only by failure in the system, but also by unpredictable road conditions. The vehicle is supposed to operate in heavy industrialised environments, which creates the challenge of detecting and classifying many dynamic and static objects. However, it is made easier is case of a vehicle will drive on defined route.
Because we are analysing potential risks, from the perspective of a passenger bus, the major impact is related to the safety of the people involved in potential malfunctions. That is why assessing one of the most important aspects: severity (S0-S3) level is based on human injuries. Only hazards associated with the malfunctioning behaviour of the designed vehicle are considered. Other road participants are presumed to be functioning correctly. The risk assessment of hazardous events focuses on the harm to each person potentially at risk, I.e., the driver or the passengers of the vehicle causing the hazardous event. Moreover, other people potentially influenced by the considered vehicle malfunction, like cyclists, pedestrians or even occupants of other vehicles, should be taken into consideration. Another important aspect of the hazardous event risk assessment is the probability of exposure (E0 to E4) which is used to determine the considered risks.
The last parameter is controllability (C0-C3). The evaluation of this parameter is an estimate of the probability that someone or something can gain sufficient control of the hazardous event (when it’s already happened). In the case of a self-driving vehicle, this parameter is rigorously assessed as high and does not go beneath three.
Brainstorming and teamwork
As the result of regular meetings and workshops between Spyrosoft and the customer, several safety goals were established with their possible violation scenarios. Additionally, a respective Safe State of the vehicle regarding each Safety Goal violation scenario was specified. In defining the safety behaviour in self driving environments, some aspects which go beyond ISO 26262 perspective also matter. Possible examples are Cybersecurity and Safety of the Intendent Functionality (SOTIF). Information from both guideline perspectives, help to detail already defined goals and even create some others.
When the documentation was assumed to be ready for review, it needed to be verified. HARA pre-assessment was conducted by the external company, to find any weak points in the approach and to establish confidence in the quality of the work produced.
To guarantee proper vehicle behaviour, some safety mechanisms must be defined in order to detect, prevent or mitigate risk. The optimal solution is to handle possible faults relatively fast, to prevent their propagation into the system. That is why safety measures were addressed on both systems (customer) and software (Spyrosoft) levels, which correspond to pre-defined safety goals.
Spyrosoft’s tasks in this project were not only the development of software components responsible for processing data from different sensors to establish a collision free drivable trajectory but also the support of domain knowledge in terms of software development, toolchain definition, Functional Safety processes and quality assurance.