STPA in Automotive Domain Advanced Tutorial


www.uni-stuttgart.de, The Second European STAMP Workshop 2014
STPA in Automotive Domain: Advanced Tutorial
Asim Abdulkhaleq, Ph.D. student, Institute of Software Technology, University of Stuttgart, Germany
Joint work with Prof. Dr. Stefan Wagner
ESW 2014, Stuttgart, Germany, 22 September 2014
Universität Stuttgart, Fakultät für Informatik, Elektrotechnik und Informationstechnik, Institut für Softwaretechnologie 1/38

Agenda
- Automotive Domain
- STAMP/STPA Background
- STPA Steps in Practice
- STPA Group Exercise
- Wrap-Up
- Participants' Questions
- Current Research Trends

Systems Approach to Safety Engineering
- Accidents are more than a chain of events; they involve complex dynamic processes.
- Treat accidents as a control problem, not a failure problem.
- STAMP model: prevent accidents by enforcing constraints on component behaviour and interactions.
- Captures more causes of accidents: component failure accidents; unsafe interactions among components; complex human and software behaviour; design errors; flawed requirements (especially in software-related accidents).
Leveson (2003); Leveson (2011)

STPA (Systems-Theoretic Process Analysis)
- STPA is a hazard analysis technique built on STAMP.
- It has the same goal as fault trees or any other hazard analysis technique, but it starts from the hazards, looks at more than component failures, and finds more types of accident scenarios.
- STAMP model: accidents are caused by inadequate control.
- STPA hazard analysis: how do we find inadequate control in a system?

Basic Control Loop (figure)

Example: Water Safety Control Structure (figure), Leveson et al. (2011)

STPA Steps in Practice
- Identify fundamentals (accidents, hazards, safety constraints, etc.)
- Construct the control structure: identify major components and controllers; label the control/feedback arrows
- Step 1: Identify Unsafe Control Actions (UCAs): create the control table (action required but not provided; unsafe action provided; wrong timing or order; stopped too soon/applied too long); create the corresponding safety constraints
- Step 2: Identify causal factors: identify controller process models; analyse controller, control path, feedback path, process

Step 1: Identify Unsafe Control Actions
Unsafe Control Action Table: each control action is documented against four hazardous action types:
- Action required but not provided
- Unsafe action provided
- Incorrect timing/order
- Stopped too soon/applied too long

Step 1: Identify Unsafe Control Actions
A more rigorous approach by John Thomas: a context table whose columns are Control Action | Process Model Variable 1 | Process Model Variable 2 | Process Model Variable 3 | Hazardous?. Each row is one combination of process-model values, and the last column records whether providing (or not providing) the control action in that context is hazardous.

Step 2: STPA Control Flaws
- Unsafe control algorithms
- Unsafe inputs from higher levels
- Incorrect process models
- Incorrect process implementation
- Feedback wrong or missing


Adaptive Cruise Control System
Definition: ACC is a radar-based system that can monitor the vehicle in front (up to 600 feet) and adjust the speed of the vehicle to keep it at a preset distance behind the lead vehicle, even in most fog and rain conditions. [http://corporate.ford.com/]


Identifying Accidents and Hazards
Accidents: The ACC vehicle collides with the vehicle in front while the ACC system is active.
Hazards:
- H.1: ACC did not keep a safe distance between the ACC vehicle and the vehicle in front.
- H.2: ACC did not illuminate the brake light to warn the vehicle behind.
- H.3: ACC estimated wrong values for the distance and speed of the vehicle ahead.
- H.4: ACC slows the vehicle down too suddenly, and the vehicle is rear-ended.
- H.5: The driver is able to override the ACC system at any time by activating the brake or accelerator pedal.
Qi (2012), Abdulkhaleq et al. (2013)


Control Structure: High-level (simple) Control Structure
Main components and controllers: Driver, ACC System, Radar, Vehicle.
What commands are sent?
- Driver → ACC System: On/Off, Desired Configuration
- ACC System → Driver: Feedback
- Radar → ACC System: Distance
- ACC System → Vehicle: Braking Signal
- Vehicle → ACC System: Feedback

Control Structure: More Complex Control Structure (figure)
Components: Driver, Driver Interface, Brake Pedal, Accelerator Pedal, ACC Module, Brake Control Module, Engine Control Module, Radar, Brake, Vehicle.
Labelled arrows (as on the slide): Tactile Input (Driver to Brake Pedal, Accelerator Pedal and Driver Interface); Desired Configuration; Visual Feedback (Driver Interface to Driver); Braking Signal (Brake Pedal and ACC Module to Brake Control Module, Brake Control Module to Brake); CAN Message; ACC Status; Braking Status; Vehicle Speed; Distance (Radar to ACC Module); Target Speed (ACC Module to Engine Control Module); Acceleration Signal; Air; Brake Switch; Friction; Wheel Speeds (Vehicle feedback).



Identify Unsafe Control Actions: Unsafe Control Table

Control action: Radar Data (Radar to ACC Module)
- Action required but not provided: Radar sensor does not provide the relative speed and distance of objects ahead of the vehicle [H3]
- Unsafe action provided: Radar sensor provides incorrect data on the target vehicle's speed [H1, H3]
- Incorrect timing/order: Radar data arrives too late, when the distance to the forward vehicle is already too close [H1, H3]
- Stopped too soon: Radar sensor stops too soon, so the ACC module does not get the relative data signal [H1]

Control action: Brake Signal from ACC to BCM
- Action required but not provided: Vehicle does not brake when the distance to the lead vehicle is less than the value set by the driver [H1, H2]
- Unsafe action provided: Braking is commanded when the distance to the lead vehicle is larger than the set value [H1, H2]
- Incorrect timing/order: Early: braking is commanded too early, while the distance to the target vehicle is still large [H1, H4]. Late: braking is commanded too late, when the distance to the target vehicle is already too close [H1]
- Stopped too soon: Braking stops too soon, before the safe distance to the target vehicle is reached [H1]
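The two tables above list UCAs by inspection; John Thomas's context-table method enumerates them from the controller's process model instead, so that no combination is forgotten. The script below is an added example for this tutorial (it is not code from the slides or from the A-STPA tool) applied to the control action "Brake Signal from ACC to BCM". The process-model variables (acc_state, lead_vehicle, gap, closing_rate), their values and the decision rules in classify() are assumptions made for illustration; a real analysis takes them from the control structure and the hazard list, and the hazard ids H1 and H4 are the ones from the ACC example.

```python
"""Context-table enumeration for one STPA control action (Step 1).

Added example for this tutorial; not code from the ESW 2014 slides or from
the A-STPA tool. It follows John Thomas's table-based method: list the
process-model variables of the controller, enumerate every combination of
their values (the contexts), and decide for each context whether providing
or not providing the control action is hazardous. The variables, values and
decision rules below are assumptions chosen for the ACC brake command.
"""
from itertools import product

# Hazards taken from the tutorial's ACC example.
HAZARDS = {
    "H1": "ACC did not keep safe distance between ACC vehicle and vehicle in front",
    "H4": "ACC slows the vehicle down too suddenly and the vehicle is rear-ended",
}

# Assumed process-model variables of the ACC module for the control action
# "Brake Signal from ACC to BCM". The order only affects table layout.
PROCESS_MODEL = {
    "acc_state": ("active", "inactive"),
    "lead_vehicle": ("present", "absent"),
    "gap": ("below_set", "at_set", "above_set"),      # measured gap vs. driver-set value
    "closing_rate": ("closing", "steady", "opening"),  # sign of the relative speed
}

def classify(context, provided):
    """Hazard ids for one (context, provided / not provided) pair; () means safe."""
    if context["acc_state"] == "inactive" or context["lead_vehicle"] == "absent":
        # Nothing to follow: a brake command here is an unexpected slow-down [H4],
        # and withholding it is the correct behaviour.
        return ("H4",) if provided else ()
    gap, rate = context["gap"], context["closing_rate"]
    braking_needed = gap == "below_set" or (gap == "at_set" and rate == "closing")
    if provided:
        return () if braking_needed else ("H4",)
    return ("H1",) if braking_needed else ()

def context_table():
    """Every context x {provided, not provided}, each row with its hazard links."""
    names = list(PROCESS_MODEL)
    rows = []
    for values in product(*PROCESS_MODEL.values()):
        ctx = dict(zip(names, values))
        for provided in (True, False):
            rows.append({**ctx, "provided": provided, "hazards": classify(ctx, provided)})
    return rows

def unsafe_control_actions(rows):
    """Render the hazardous rows as UCA sentences in the tutorial's table style."""
    ucas = []
    for r in rows:
        if not r["hazards"]:
            continue
        ctx = ", ".join(f"{name}={r[name]}" for name in PROCESS_MODEL)
        verb = "provides" if r["provided"] else "does not provide"
        ucas.append(f"ACC {verb} brake signal when {ctx} [{', '.join(r['hazards'])}]")
    return ucas

def summary(rows):
    """Counts a reviewer uses to check completeness: every context appears twice
    (provided / not provided) and every hazard id used exists in the hazard list."""
    unknown = {h for r in rows for h in r["hazards"]} - set(HAZARDS)
    return {
        "contexts": len(rows) // 2,
        "rows": len(rows),
        "unsafe": sum(1 for r in rows if r["hazards"]),
        "unknown_hazards": sorted(unknown),
    }

if __name__ == "__main__":
    table = context_table()
    print(summary(table))
    for line in unsafe_control_actions(table):
        print(line)
```

With the assumed variables there are 36 contexts and 72 rows; the generated UCA sentences are the raw material for the control table, and each one still has to be turned into a safety constraint as in the next slide. The same enumeration covers the radar-data row if the radar's own process-model variables are supplied instead.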

Defining Safety Constraints: Safety Constraints Table
- UCA: Vehicle does not illuminate the brake light to warn the vehicle behind. Safety constraint: Vehicle must illuminate the brake light to warn the vehicle behind.
- UCA: Brake light command is issued late, after the vehicle has stopped. Safety constraint: The brake light must be illuminated within X seconds before the vehicle stops.
- UCA: Vehicle does not brake when it has detected a slowed or stopped object in its path. Safety constraint: Vehicle must brake when it detects a slowed or stopped object in its path (within X metres of the preset safety distance).
- UCA: Vehicle does not brake because the driver has ignored all of the warnings. Safety constraint: The intervention between the ACC system and the driver should be limited according to the traffic environment and conditions.


Causal Factors
Hazard: ACC did not keep a safe distance between the ACC vehicle and the vehicle in front.
Unsafe Control Action: Vehicle does not brake when the distance to the object in front is less than the preset value.
(Figure: control loop with Controller = ACC Module (process model: Vehicle Speed, Distance); Actuator = Brake Control Module (Braking Signal); Controlled Process = Vehicle (Brake Command, Wheel Speed); Sensors; unidentified or out-of-range disturbance.)
How could this action be caused by the process model, the feedback, the sensors, etc.?

Hint: Causal Factors
- Unsafe control algorithms
- Unsafe inputs from higher levels
- Incorrect process models
- Incorrect process implementation

Causal Factors (worked on the slide)
Hazard: ACC did not keep a safe distance between the ACC vehicle and the vehicle in front.


A-STPA Tool Support (Automated STPA)
A-STPA is:
- implemented in Java as an open-source tool based on the Eclipse platform, to assist safety analysts in performing STPA;
- developed as a student project in the software engineering programme of the University of Stuttgart. The project started in April 2013 and finished on 28 February 2014. Our team consisted of 9 students and 3 teaching assistants;
- available for different operating systems: Windows (32-bit, 64-bit), Linux and Mac OS X.
To download the A-STPA tool, fill out the form on the A-STPA website: http://www.iste.uni-stuttgart.de/en/se/werkzeuge/a-stpa.html

STPA Group Exercise: Analysing the Anti-Lock Braking System
ABS is a safety system on motor vehicles which prevents the wheels from locking while braking.
The ABS architecture: Electronic Control Unit (ECU), Hydraulic Control Unit (HCU), modulator valves, wheel speed sensors (up to 4).
How does it work? The controller monitors the wheel speed sensors continuously. When the controller detects a rapid deceleration of a wheel, it reduces the pressure to that brake until it sees an acceleration; it then increases the pressure until it sees the deceleration again.
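To make the exercise concrete, here is an added example (not code from the tutorial or from any ABS supplier) that implements the control law described above in a toy closed loop and then exercises one Step 2 causal factor, "feedback wrong or missing": a wheel-speed signal that freezes at its last value. To a controller that only differentiates speed, a frozen sensor looks like a wheel at steady speed, so it holds whatever pressure it had, which is the UCA "pressure not reduced when the wheel is decelerating rapidly". The wheel model, the thresholds, the 50 Hz cycle, the freeze scenario and the freshness check in the hardened variant are all assumptions made for illustration.

```python
"""Toy ABS loop for the group exercise (added example, not from the tutorial).

The controller implements the slide's description: watch wheel speed, cut brake
pressure on rapid wheel deceleration, raise it again once the wheel re-accelerates.
The wheel model, thresholds and the frozen-sensor scenario are assumptions chosen
to show one Step 2 causal factor, "feedback wrong or missing".
"""
from dataclasses import dataclass
from typing import Optional

VEHICLE_SPEED = 20.0  # m/s, held constant for the short window simulated (assumed)
DT = 0.02             # controller cycle in seconds, 50 Hz (assumed)
GRIP_LIMIT = 0.6      # normalised pressure above which the toy tyre starts to slip (assumed)
DECEL_LIMIT = -8.0    # wheel-rim deceleration counted as "rapid", m/s^2 (assumed)
ACCEL_LIMIT = 2.0     # wheel-rim acceleration counted as recovery, m/s^2 (assumed)
STALE_TICKS = 5       # hardened variant: feedback older than this is treated as missing

def wheel_model(speed, pressure):
    """Toy tyre: above GRIP_LIMIT the wheel slows down in proportion to pressure,
    below it the wheel spins back up toward vehicle speed."""
    if pressure > GRIP_LIMIT:
        speed -= 20.0 * pressure * DT
    else:
        speed += 10.0 * DT
    return max(0.0, min(VEHICLE_SPEED, speed))

@dataclass
class AbsController:
    pressure: float = 1.0                 # driver is braking hard
    last_speed: Optional[float] = None    # process model: previous wheel speed
    check_freshness: bool = False         # False = controller exactly as described on the slide

    def step(self, tick, speed, sample_tick):
        if self.check_freshness and tick - sample_tick > STALE_TICKS:
            # Feedback missing: move toward the safe state instead of holding a
            # pressure chosen from a stale process model.
            self.pressure = max(0.0, self.pressure - 0.1)
            self.last_speed = None        # do not differentiate across the gap
            return self.pressure
        if self.last_speed is not None:
            accel = (speed - self.last_speed) / DT
            if accel < DECEL_LIMIT:       # rapid deceleration: reduce pressure
                self.pressure = max(0.0, self.pressure - 0.1)
            elif accel > ACCEL_LIMIT:     # wheel recovering: increase pressure again
                self.pressure = min(1.0, self.pressure + 0.05)
        self.last_speed = speed
        return self.pressure

def simulate(freeze_at=None, hardened=False, ticks=100):
    """Closed loop; from tick `freeze_at` on, the sensor keeps reporting its last
    value and its last timestamp (constructed fault). Returns what to assert on."""
    ctl = AbsController(check_freshness=hardened)
    speed = VEHICLE_SPEED
    sensed, sensed_tick = speed, 0
    min_speed = speed
    for tick in range(ticks):
        if freeze_at is None or tick < freeze_at:
            sensed, sensed_tick = speed, tick
        pressure = ctl.step(tick, sensed, sensed_tick)
        speed = wheel_model(speed, pressure)
        min_speed = min(min_speed, speed)
    return {"min_wheel_speed": round(min_speed, 2),
            "locked": min_speed == 0.0,
            "final_pressure": round(ctl.pressure, 2)}

if __name__ == "__main__":
    for name, kw in (("fresh feedback", {}),
                     ("sensor frozen at tick 3", {"freeze_at": 3}),
                     ("frozen, freshness check", {"freeze_at": 3, "hardened": True})):
        print(f"{name:26s} {simulate(**kw)}")
```

With fresh feedback the controller oscillates around the grip limit and the wheel never locks; with the sensor frozen at tick 3 the slide's controller holds the pressure it had and the wheel locks within the 100-tick window; the hardened variant releases pressure once the feedback is older than STALE_TICKS and the wheel keeps turning. The safety constraint this suggests for the exercise is that the ECU must treat wheel-speed feedback that is missing or stale as a causal factor in its own right and drive the modulator valves to a defined safe state, rather than acting on the last value it happened to see.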

Demo

STPA Group Exercise
- Identify fundamentals (accidents, hazards, safety constraints, etc.): 15 minutes
- Construct the control structure (identify major components and controllers; label the control/feedback arrows): 15 minutes
- Step 1: Identify Unsafe Control Actions (UCAs) (create the control table: not given, given incorrectly, wrong timing, stopped too soon; create the corresponding safety constraints): 30 minutes
- Step 2: Identify causal factors (identify controller process models; analyse controller, control path, feedback path, process): 30 minutes

Discussion & Questions

Notes of Discussion
Main notes about Step 1: correctness, completeness, rules for the control structure diagram, categories of hazards, amount of information and knowledge of the system.

Notes of Discussion
Issue: the level of detail of the control structure of a system in the automotive domain: detailed diagram vs. abstract diagram.