Identification of Risk Significant Automotive Scenarios Under Hardware Failures
M. Gleirscher, S. Kugele, S. Linker (Eds.): 2nd International Workshop on Safe Control of Autonomous Vehicles (SCAV 2018), EPTCS 269, 2018, pp. 59–73, doi:10.4204/EPTCS.269.6
Mohammad Hejase, Arda Kurt, Umit Ozguner
Department of Electrical and Computer Engineering, The Ohio State University, Columbus, Ohio, USA. [email protected], [email protected]
Tunc Aldemir
Department of Mechanical and Aerospace Engineering, The Ohio State University, Columbus, Ohio, USA. [email protected]
The level of autonomous functions in vehicular control systems has been on a steady rise. This rise makes it more challenging for control system engineers to ensure a high level of safety, especially against unexpected failures such as stochastic hardware failures. A generic Backtracking Process Algorithm (BPA) based on a deductive implementation of the Markov/Cell-to-Cell Mapping technique is proposed for the identification of critical scenarios leading to the violation of safety goals. A discretized state-space representation of the system allows tracing of fault propagation throughout the system, and the quantification of probabilistic system evolution in time. A case study of a Hybrid State Control System for an autonomous vehicle prone to a brake-by-wire failure is constructed. The hazard of interest is collision with a stationary vehicle. The BPA is implemented to identify the risk significant scenarios leading to the hazard of interest.
Emerging cars in today's markets have tens of interconnected Electronic Control Units (ECUs) that have to realize possibly thousands of features [10]. As the level of autonomous functions in cars keeps increasing, the need for alternatives to physical testing for ensuring safe operation of these functions increases. Ensuring safe operation of an engineered system is accomplished by inferring conditions and causes that could lead to the violation of safety goals (safety analysis). Johansson [21] discusses a method that ensures completeness of safety goal definition through the definition of hazardous events. The method reduces the problem of providing an assurance case that supports controller compliance to safety goals to providing proof that contributions of modeled uncertainties and behaviors only lead to hazardous events within an acceptable risk. Quantitative analysis methods are typically used for estimating likelihoods of reaching hazardous events, or violating safety goals under certain system failures. Among the most common methods for quantitative analysis in the automotive industry are quantitative Failure Mode and Effect Analysis (FMEA), quantitative Fault Tree Analysis (FTA), Markov Models, and Reliability Block Diagrams [27, 36].

Over the past few years, research towards the development of tools and methods that provide compliant quantitative assurance cases for autonomous vehicle features has intensified. Takeichi et al. [35] describe a priority FTA calculation approach for latent faults. Das and Taylor [12] demonstrate a structured and systematic quantitative FTA which shows various techniques for the calculation of fault tree metrics. Zhang et al. [40] present a case study for applying combinations of FTA and FMEA techniques for thorough model based hazard analysis of autonomous systems. Cherfi et al. [11] use Markov chains to model behaviors of a large class of automotive systems protected by safety mechanisms.
Hoffman and Scharfenberg [19] show, via an example, compliance of a standard cell balancing circuit with requirements set by industry standards with respect to random failures.

Traditionally, reachability analysis has been a widely used analytical tool for verification of automated vehicle safety using simulation techniques [1, 6, 23, 33]. Reachability analysis works by computing the set of all reachable states when sensor measurements, disturbances, and initial vehicle states are uncertain. Safety is ensured by computationally confirming that none of the reachable states violate a safety goal. The authors of [1, 6, 23, 33] utilize reachability analysis as a proof of compliance with safety goals for various scenarios and case studies. Limiting features of this type of analysis, however, as noticed in the aforementioned work, are typically the challenges associated with using high fidelity nonlinear models, which lead to long computation times. It is also challenging to develop a generic approach based on reachability analysis that can be used on a wide spectrum of scenarios.

Hybrid system analysis techniques have been proposed for the verification of control functions in cyber-physical systems. Such methods are powerful tools as they can provide formal verification of large-scale systems. Loos et al. [24] developed a formal model of a distributed car control system in which an arbitrary number of vehicles sharing a highway use adaptive cruise control. The authors performed a full verification of the system by utilizing a modular proof structure. Mitsch et al. [26] also use hybrid state analysis to formally prove safety of robot vehicles under sensor uncertainty and actuator perturbation. Such techniques are ideal for use in systems with known dynamics and behaviors.
However, these techniques have challenges when incorporating random hardware failures or using high-fidelity simulators that have dynamics without explicit analytic forms, such as look-up tables.

Currently, software development in the automotive industry follows the V process [37]. In the V process, testing is left to the latter stages of development. New standards are being developed that emphasize testing in the earlier stages of design. One common way of testing in the early design stages is done by assigning specifications to Model Based Designs (MBDs) of autonomous features, and testing using simulation techniques, including fault simulation [7, 25, 30, 38]. The use of MBDs allows for system testing via accurate simulation. This approach eliminates the high costs of testing over extensive distances in various environments and locations.

In this paper, a generic Backtracking Process Algorithm (BPA) is proposed for the determination of quantitative metrics that probabilistically rank scenarios leading to user specified Top Events (e.g. hazardous events) by risk significance [39]. Within the context of this paper, a risk significant scenario is defined as a sequence of events that lead to an undesirable consequence with probability higher than a user-specified threshold. An event is defined as a change in system dynamic behavior and configuration that occurs over time. The BPA is a deductive and memory efficient implementation of a Markov Cell-to-Cell Mapping Technique (CCMT) [5] that is used for risk informed identification and quantification of critical scenarios leading to undesirable consequences (Top Events). Markov/CCMT allows for the global analysis of dynamic systems under both epistemic and aleatory uncertainties. Probabilistic system evolution is quantified in time, and fault propagation is traced throughout the system.
Markov/CCMT has mostly been used in the literature for the failure analysis and diagnostics of process control systems under uncertainties [2, 3, 4, 5, 9, 8, 13, 39]. More specifically, BPA is proposed to solve the problem of tracing fault propagation in systems with complex dynamics and varying configuration, such as random hardware failures of system components. Generally speaking, existing approaches either have challenges with accurately capturing high-fidelity system dynamics, or when incorporating possible random component failures and configuration changes. The algorithm has already been used in a validation and / CCMT, and the BPA. Section 4 presents the case study under consideration in this paper, the definition of the different possible types of brake failures, and the hazard of interest. Section 5 illustrates the use of the BPA in identifying the risk significant scenarios. Section 6 provides a discussion on the identified challenges and future directions. Section 7 gives the conclusions of the study.

Based on the model based validation and verification framework described in [14, 15], a similar framework was constructed for the validation and verification of an autonomous ground vehicle controller. The framework, depicted in Fig. 1, is made up of six main elements:

Figure 1: Model Based Validation and Verification Framework (adapted from [14, 15])

1) Definition of Control System Functional Hierarchy: The control system functional hierarchy is designed based on the work of Ozguner [31]. This allows for the initial definition of system and mission requirements and specifications, and the subsequent decomposition into mission phase specific functionality.

2) Design of a Finite State Machine: A Finite State Machine (FSM) representation of the high level mission controller is designed based on the control system functional hierarchy. Each state of the FSM corresponds to a different phase of the mission, and transitions between those states are determined via the definition of event based rules.

3) Development of Risk Prioritized Scenarios: The system top level safety goals are first determined. A safety case goal and evidence tree model reflecting risk prioritized scenarios encompassing nominal, contingency, and emergency conditions and actions is developed using Goal Structure Notation (GSN) [22]. This model allows breaking up each of the top level safety goals into a set of hazards, where collectively avoiding these hazards represents the safety goals.

4) FSM Augmentation with Emergency and Contingency Actions: Based on the determined hazards, contingency and emergency actions are defined and incorporated into the FSM.

5) Expansion of Risk Prioritized Scenarios for Detailed Analysis: Each of the specified hazards, which can be thought of as the consequence of a risk significant scenario, is expanded upon with Markov/CCMT for detailed analysis under relevant hardware failures. The aim of this analysis is to provide an assurance case for system compliance with a target probability metric for hardware failures. Physical motion of the system is represented in this step via the use of a high-fidelity simulator.

6) Produce Evidence of Control Action Coverage of Risk Scenarios: The results produce evidence of control action coverage of prioritized operational and risk scenarios, supporting a controller assurance case.
Section 3.1 presents an overview of Markov/CCMT and the required assumptions. In Section 3.2, BPA is illustrated and described in detail.
Markov/CCMT is a logic tool used to provide quantified metrics for system reliability and safety [39, 5, 3, 9, 8, 2, 4, 13]. The theoretical basis of BPA is presented in the work of Yang and Aldemir [39]. System evolution in time is represented through a series of discrete-time transitions among computational cells that partition the system state-space in a manner similar to finite element or finite difference methods. Each cell can be regarded as accounting for the uncertainty in the system location at a given point in time. A transition probability from one system cell to another is determined via system dynamics, controller behavior, or system constituent malfunction. Such transitions reflect a probabilistic mapping of the system state-space onto itself, including system hardware normal or faulted states, over a user defined time-step $\Delta t$.

Two assumptions are placed on the system of interest in order to employ Markov/CCMT:

1. The system component configurations are fixed over $[t, t + \Delta t)$, but can change at $t + \Delta t$.
2. Transitions among cells or hardware states do not depend on system history.

The first assumption means that the system components can only fail or change their mode of operation once during the interval $\Delta t$. Through proper selection of the time-step $\Delta t$, the system configuration changes and the probabilities of those changes can be realistically modeled and captured. The second assumption leads to the system having the Markov property. However, the second assumption can be relaxed via the use of a sufficient number of auxiliary state variables.

BPA is depicted in Fig. 2. The system continuous state-space is first discretized, and system components/configurations are defined. The combination of the discretized state-space and the system configurations forms the complete space of the system. Using a simulator, a cell-to-cell mapping of the complete space is constructed under a user-specified time-step.
A Top Event of interest is specified, and sequential paths of risk significance leading to the Top Event for a user-specified search depth are identified. Probabilities are associated to each of the identified sequences.

Figure 2: BPA flowchart (adapted from [17])

In Section 3.2.1, system discretization into a cell space is described. Section 3.2.2 contains the method of cell-to-cell transition probability calculation. An equal weight quadrature scheme is included in Section 3.2.3. Section 3.2.4 describes the process for the identification of risk significant event sequences.

The continuous $L$-dimensional state space is represented by $X \triangleq \mathbb{R}^L$. The $M$-dimensional discrete state space of the system components is represented by $N \triangleq \mathbb{Z}^M$. The space $X \triangleq \mathbb{R}^L$ is discretized by partitioning each continuous variable $x_l$ ($l = 1, \ldots, L$) into $J_l$ intervals and considering combinations of those partitions to form the cells. Knowledge of the state-space upper bounds $\overline{x}$ and lower bounds $\underline{x}$ is required for the partitioning. The cells can be regarded as means to accommodate epistemic uncertainties (such as model uncertainties) or aleatory uncertainties (such as process noise and minor environmental disturbances).

The possible states of each of the $M$ hardware components of interest are then defined (e.g. operational, degraded, failed), with each component $m$ having $N_m$ possible states, each denoted by $n_m$ ($m = 1, \ldots, M$). The unique combinations of the partitioned $X \triangleq \mathbb{R}^L$ along with the discrete system component configurations form the complete state-space of the system, denoted by $V$. Each cell in the cell space is represented by an $(L + M)$-dimensional vector $[j\ n] \equiv [j_1, \ldots, j_l, \cdots, j_L, n_1, \ldots, n_m, \cdots, n_M]$, where $j_l = 1, 2, \ldots, J_l$ ($l = 1, \ldots, L$) enumerate the partitioning of the interval $\underline{x}_l \le x_l < \overline{x}_l$, and $n_m$ represents the state of component $m$ ($n_m = 1, \ldots, N_m$; $m = 1, \ldots, M$).
The cell space $V$ is composed of $J \times N$ unique cells with $J = J_1 \times \cdots \times J_L$ and $N = N_1 \times \cdots \times N_M$. Let $V_X \triangleq \mathbb{Z}^L$ be a subspace of $V$ containing the vectors $j$. Let $V_N \triangleq \mathbb{Z}^M$ be a subspace of $V$ containing the vectors $n$. Note that $V_X \cup V_N = V$. The discretized system, along with the relevant notation, is illustrated in Fig. 3.

Figure 3: Illustration of Discretized System

Using the Markov property, and as derived in [20], the cell-to-cell probabilities over a single time-step transition $\Delta t$ can be calculated from

$$q(j, n \mid j', n', \Delta t) = h(n \mid n', j' \to j, \Delta t) \times g(j \mid j', n', \Delta t) \qquad (1)$$

where $g(j \mid j', n', \Delta t)$ represents the transition probability from cell $j'$ to $j$ over $\Delta t$ under configuration $n'$, and $h(n \mid n', j' \to j, \Delta t)$ quantifies the system configuration transition probabilities over $\Delta t$.

For each component of interest $m$, a component state transition probability matrix $H_{n_m}$ is constructed. The contents of this matrix represent the probability of component state transitions over $\Delta t$. These probabilities can be based on hardware component data, such as failure rates, or expert opinion in the absence of reliable data. An example of such a matrix can be seen in Table 1, where $\lambda_{n'_m, n_m}$ denotes the transition rate from $n'_m$ to $n_m$.

Using the Chapman-Kolmogorov equation under the assumptions stated earlier, the system cell-to-cell state transition probabilities $g(j \mid j', n', \Delta t)$ over a single time-step can be found from [3]

$$g(j \mid j', n', \Delta t) = \frac{1}{v_{j'}} \int_{v_{j'}} u_j\big[x(x', n', \Delta t)\big]\, dx' \qquad (2)$$

$$u_j\big[x(x', n', \Delta t)\big] = \begin{cases} 1 & \text{if } x \in v_j \\ 0 & \text{otherwise} \end{cases} \qquad (3)$$
Table 1: Component state transition probability matrix $H_{n_m}$ (rows: initial system configuration state; columns: final system configuration state)

| $H_{n_m}$ | Normal State (N) | Failure State 1 ($F_1$) | ... | Failure State N ($F_N$) |
|---|---|---|---|---|
| Normal State (N) | $\lambda_{N,N}\Delta t$ | $\lambda_{N,F_1}\Delta t$ | ... | $\lambda_{N,F_N}\Delta t$ |
| Fail 1 State ($F_1$) | $\lambda_{F_1,N}\Delta t$ | $\lambda_{F_1,F_1}\Delta t$ | ... | $\lambda_{F_1,F_N}\Delta t$ |
| ... | ... | ... | - | ... |
| Fail N State ($F_N$) | $\lambda_{F_N,N}\Delta t$ | $\lambda_{F_N,F_1}\Delta t$ | ... | $\lambda_{F_N,F_N}\Delta t$ |

where $v_j$ is the volume of the cell $j$,

$$x(x', n', \Delta t) = \int_{t}^{t + \Delta t} f\big(x(t'), n'\big)\, dt' + x' \qquad (4)$$

and $f(x(t'), n')$ represents the equations describing system dynamics.

When it is not practical or possible to evaluate (4), an equal weight quadrature approximation scheme can be employed via the use of a high fidelity simulator. System location in the state space is assumed to be uniformly distributed within each cell. Multiple points are sampled to represent each cell, and are passed to the simulator to compute transitions over $\Delta t$. Then (2) can be approximated as

$$g(j \mid j', n', \Delta t) = \frac{\text{number of sampled points in cell } j' \text{ arriving in cell } j \text{ over } \Delta t}{\text{number of points sampled from cell } j'} \qquad (5)$$

While, in principle, backtracking can be accomplished through

$$P_k = \big[Q^T Q\big]^{-1} Q^T P_{k+1} \qquad (6)$$

the BPA avoids the challenges associated with (6) by using the search tree that is obtained from a probabilistic map of the system state-space onto itself. This search tree structure is achieved by recursive enumeration of sub-trees emanating from the Top Event in decreasing time and the traversal of possible paths through a branching process.
In order to avoid a numerical catastrophe, only risk significant scenarios with probabilities above a user-specified cut-off value are identified.

In this study, an undesirable event $E$ is assumed to be defined through the specification of event upper bounds $\overline{e}$ and event lower bounds $\underline{e}$ in terms of the continuous variables in the state-space, and the set of event system configurations $e_n$, as stated in (7)-(9):

$$\overline{e} = \Big\{\big[\overline{e}_1, \cdots, \overline{e}_l, \cdots, \overline{e}_L\big] \;\Big|\; \overline{e}_l \le \overline{x}_l,\ \overline{e}_l > \underline{x}_l\Big\} \qquad (7)$$

$$\underline{e} = \Big\{\big[\underline{e}_1, \cdots, \underline{e}_l, \cdots, \underline{e}_L\big] \;\Big|\; \underline{e}_l \ge \underline{x}_l,\ \underline{e}_l < \overline{x}_l\Big\} \qquad (8)$$

$$e_n = \Big\{\big[e_{n_1}, \ldots, e_{n_M}\big] \;\Big|\; \big[e_{n_1}, \ldots, e_{n_M}\big] \subset V_N\Big\} \qquad (9)$$

However, in general, the event definition can include a specific system configuration as well. Sequential paths with non-zero transition probabilities that span backwards by a search depth of $k$ time-steps from the event of interest to cells contained in the cell space are then identified. Fig. 4 graphically illustrates an algorithm for the BPA. Only the paths with probabilities greater than a user-specified probability truncation value $\epsilon$ are kept in the Prune Out process.

Figure 4: Algorithm for Path Probability Calculation (adapted from [39])
A high-fidelity simulator for an Autonomous Ground Vehicle (AGV) based on the full 4-wheel model from the work of Ozguner et al. [32] was constructed in the Matlab/Simulink environment. The states of the vehicle used in the analysis are the forward velocity, sideward velocity, yaw rate, yaw, x-position, and y-position. The control surfaces that affect the vehicle are the engine traction force, the braking force, and the steering angle. Vehicle parameters were taken to be those of the 2009 Lincoln MKS.

A Hybrid State Control System was used for the decision making and control of the AGV. Two environments are taken into consideration, an urban environment and a highway environment, with various phases modeled for each of the two environments. The design procedure found in [18] was used for the design and construction of the Hybrid State Control System. Low-level controllers were designed using LQR controllers to control the body rates, and a PI controller to control Euler positions and angles. A FSM that serves as a high-level controller which guides the AGV through the different phases of possible scenarios was constructed.

The hazard of interest (i.e. Top Event) is taken to be a collision with a stationary vehicle in an urban environment. This hazard was selected and modeled based on a list of selected pre-crash scenarios published by the U.S. Department of Transportation [28]. For the sake of simplicity in illustrating BPA, it is assumed that in such a scenario the brake-by-wire is the only system component that is prone to random hardware failures. Based on the hazard of interest, the FSM was augmented with emergency and

λ = (2 × − ) / h, which is fairly consistent with some of the component failure probabilities in the literature [34].
The failures are assumed to be permanent ones.

Table 2: Brake States Transition Probabilities (rows: initial brake state; columns: final brake state)

| Initial Brake State | Normal State | Minor Fault | Major Fault |
|---|---|---|---|
| Normal State (N) | ≈ − / h | 2 x 10 − / h | |
| Minor Fault | 0 | 1 | 0 |
| Major Fault | 0 | 0 | 1 |

The host AGV is initially assumed to be on the road at a position of (0, 0) in a single lane urban environment with a posted speed limit of 15 m/s (≈ = $c_{des} = t_{gap_{des}} \times v_{host}$, and is 20 m. Once the time-gap from the target vehicle is less than the desired time-gap (i.e. $c_{h-t} < c_{des}$), the vehicle switches to collision avoidance and comfortably brakes at -0.3g. If the time-gap from the target is less than half the desired time-gap (i.e. $c_{h-t} < c_{des}/2$), the vehicle applies a strong brake at -0.8g.

The event, or hazard of interest, is when the AGV reaches an x-position of 500m or greater. This would indicate that a collision took place with the target vehicle. An illustration of the constructed scenario with the hazard of interest can be seen in Fig. 6.

Figure 6: Illustration of Autonomous Vehicle Scenario in the Proposed Case Study

The aim of this analysis is to identify the risk significant scenarios that lead to a hazard, or a violation of the safety goal. Emergency and contingency actions can then be modified based on the identified scenarios. This process can then be iteratively used to modify contingency actions, until results ensure that scenarios only lead to the violation of a safety goal within acceptably low probabilities.

Results based on user inputs from Table 3 to BPA over a search depth of $2\Delta t$ with a truncation of scenarios occurring with probabilities < − can be seen in Fig. 7. Each time step was taken to be 2 / < × − . The truncation probability is used to remove risk insignificant values from the search tree. The probabilities displayed in the search tree are used as probabilistic metrics that rank risk significance of scenarios in comparison to one another.
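The cell map of (1) and (5) and the pruned backward search of Fig. 4, worked on a reduced version of this case study (only x-position, forward velocity and the brake state, with the paper's 20 m/10 m clearance rules, -0.3g/-0.8g brake levels and 500 m target). This is an added example, not the paper's code; the time-step, cell bounds, partition counts and brake fault probabilities are constructed assumptions.

```python
"""Toy BPA on a Markov/CCMT cell map for the brake-failure case study (added example,
not the paper's code). State reduced to (x-position, velocity) plus the brake component;
the 500 m target and 20 m/10 m, 0.3 g/0.8 g rules are the paper's, all other numbers assumed."""
import random
from collections import defaultdict

G = 9.81
DT = 0.5                                  # assumed time-step [s]
TARGET_X = 500.0                          # stationary target vehicle; hazard is x >= 500 m
LIGHT_GAP, STRONG_GAP = 20.0, 10.0        # clearance thresholds for light / strong brake
LIGHT_DECEL, STRONG_DECEL = 0.3 * G, 0.8 * G
X_LO, X_HI, JX = 400.0, 600.0, 50         # x partitioned into 50 cells of 4 m (constructed)
V_LO, V_HI, JV = 0.0, 20.0, 5             # v partitioned into 5 cells of 4 m/s (constructed)
BRAKE_STATES = ["Normal", "Minor Fault", "Major Fault"]
BRAKE_EFFECT = [1.0, 0.5, 0.0]            # assumed braking authority left in each state
# H_{n_m}: per-step component transition probabilities (constructed placeholders, rows sum to 1)
H = [[1.0 - 2e-4 - 2e-4, 2e-4, 2e-4],
     [0.0, 1.0, 0.0],                     # faults are permanent (absorbing states)
     [0.0, 0.0, 1.0]]

def controller_decel(x, brake_factor):
    """Case-study contingency actions, scaled by the remaining brake authority."""
    gap = TARGET_X - x
    decel = STRONG_DECEL if gap < STRONG_GAP else LIGHT_DECEL if gap < LIGHT_GAP else 0.0
    return decel * brake_factor

def step(x, v, n):
    """Advance one step with configuration n fixed over [t, t + DT) (assumption 1)."""
    a = -controller_decel(x, BRAKE_EFFECT[n])
    v_new = max(0.0, v + a * DT)
    x_new = x + 0.5 * (v + v_new) * DT
    return x_new, v_new

def cell_of(x, v):
    """Map a continuous point to its cell index (j_x, j_v); boundary cells absorb overshoot."""
    jx = int((x - X_LO) / (X_HI - X_LO) * JX)
    jv = int((v - V_LO) / (V_HI - V_LO) * JV)
    return (min(max(jx, 0), JX - 1), min(max(jv, 0), JV - 1))

def build_cell_map(samples=16, seed=1):
    """q(j, n | j', n') = h(n | n') * g(j | j', n'), with g from the equal-weight
    quadrature of (5): the fraction of points sampled in cell j' that land in cell j."""
    rng = random.Random(seed)
    q = {}
    for jx in range(JX):
        for jv in range(JV):
            for n_prev in range(len(BRAKE_STATES)):
                arrivals = defaultdict(int)
                for _ in range(samples):      # uniform sampling inside the cell
                    x = X_LO + (jx + rng.random()) * (X_HI - X_LO) / JX
                    v = V_LO + (jv + rng.random()) * (V_HI - V_LO) / JV
                    arrivals[cell_of(*step(x, v, n_prev))] += 1
                trans = {}
                for j, count in arrivals.items():
                    for n_next, h in enumerate(H[n_prev]):
                        if h > 0:
                            trans[(j, n_next)] = h * count / samples
                q[((jx, jv), n_prev)] = trans
    return q

def event_cells():
    """Top Event cells: lower x bound at or beyond the target, any velocity or brake state."""
    return {((jx, jv), n) for jx in range(JX) for jv in range(JV)
            for n in range(len(BRAKE_STATES))
            if X_LO + jx * (X_HI - X_LO) / JX >= TARGET_X}

def find_risk_paths(q, depth, eps):
    """Backtrack from the Top Event up to `depth` steps, pruning branches below eps. Returns
    (probability, [cell_k, ..., cell_0]) per surviving node; predecessors that are themselves
    event cells are skipped so every path shows how the hazard is entered, not persisted."""
    events = event_cells()
    pred = defaultdict(list)                  # inverted map: cell -> [(predecessor, q)]
    for src, trans in q.items():
        if src not in events:
            for dst, p in trans.items():
                pred[dst].append((src, p))
    paths = []

    def extend(path, prob, remaining):
        if remaining == 0:
            return
        for src, p in pred[path[0]]:
            if prob * p >= eps:               # Prune Out step of Fig. 4
                paths.append((prob * p, [src] + path))
                extend([src] + path, prob * p, remaining - 1)

    for e in events:
        extend([e], 1.0, depth)
    return sorted(paths, key=lambda item: -item[0])

if __name__ == "__main__":
    cell_map = build_cell_map()
    for prob, path in find_risk_paths(cell_map, depth=2, eps=1e-5)[:10]:
        print(f"P={prob:.2e}: " + " -> ".join(f"[{jx} {jv} {n}]" for (jx, jv), n in path) + " -> Collision")
```

Each printed node follows the paper's notation of cell integers followed by the configuration index, and the sorted list is the risk ranking of the search tree.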
Recall from Section 4 that the system at hand has six continuous states (i.e., forward velocity, sideward velocity, yaw rate, yaw, x-position, and y-position) and one system hardware configuration (i.e. brake-by-wire). This means that each cell in the discretized space is represented by 7 integers. The first 6 integers represent the segment number of the partitioned continuous variables based on the system discretization, and the 7th integer represents the brake condition. Each node in the tree of Figs. 7-8 contains 7 integers and an associated probability.

Taking the first sequence from the left in Fig. 7 as an example sequence to interpret results from a branch of the search tree,

[4 1 1 122 1 1] P = × − → [3 1 1 124 1 1] P = . → Collision (10)

we can make the following observations:

1. [4 1 1 122 1 1] – The AGV initially has a forward velocity of 12 to 16 m/s, a sideward velocity of -0.5 to 0.5 m/s, a yaw rate of -0.5 to 0.5 rad/s, an x-position of 488-492, a y-position of -6 to 6 m, and a yaw angle of –π/3 to π/3. The brake state was Normal.
2. [3 1 1 124 1 1] – One time step later, the AGV had a forward velocity of 20 to 25 m/s, a sideward velocity of -0.5 to 0.5 m/s, a yaw rate of -0.5 to 0.5 rad/s, an x-position of 496 – 500 m, a y-position of -6 to 6 m, and a yaw angle of –π/3 to π/3. The brake experienced a Minor Brake Fault.
3. Collision – One time step later the AGV collides with the stationary vehicle located at an x-position that is greater than 500 m, leading to a violation of the safety goal.

Table 3: BPA user inputs for the case study

| Input | Value |
|---|---|
| $N_i$ | [3] |
| systemComponentStateNames | [Normal, Minor Brake Fault, Major Brake Fault] |
| variableUpperBounds $\overline{x}$ | [20, 5, 0.5, 600, 6, π/3] |
| variableLowerBounds $\underline{x}$ | [0, -5, -0.5, 0, -6, -π/3] |
| $J_i$ | [5, 1, 1, 150, 1, 1, 3] |
| sysConfTransProb $H_{n_m}$ | ≈ e− e− / 0 1 0 / 0 0 1 |
| eventUpperBounds $\overline{e}$ | [20, 0.5, 0.5, 600, 6, π/3] |
| eventLowerBounds $\underline{e}$ | [0, -0.5, -0.5, 500, -6, -π/3] |

Upon investigation of the sequences in the search tree of Fig. 7, it is also observed that the safety goal is violated once a brake failure occurs. In an effort to address this observation, the contingency actions were modified. The time-gap was changed to 2 s, such that a Light Brake contingency action is employed once the host vehicle is within 30 m clearance from the target vehicle, rather than 20 m. The Strong Brake contingency action is employed once the host vehicle is within 15 m of the target vehicle, rather than 10 m. Based on these modifications in the contingency actions, with all other parameters from Table 3 kept the same, the BPA was run again over a search depth of $3\Delta t$ and truncation of branches with probabilities < − . A search depth of $3\Delta t$ was selected since this amounts to 2 seconds, the time-gap at which contingency actions begin. No paths of risk significance leading to the Top Event were identified, which means that the proposed contingency actions managed to bring the system to a safe state within an acceptable risk level, even under the occurrence of the assumed hardware failures. This example also illustrates how BPA can be used towards a safer design.

The ultimate goal of the described methodology is the design of a generic quantitative risk assessment scheme that is capable of providing information on risk-significant sequences of events that violate safety goals. Safety assurance of control systems being developed for automotive scenarios has multiple challenges.
Two main challenges are identified by the authors:

1) Large-scale scenarios that involve high levels of autonomy and many hardware components do not typically have a single domain expert that is able to accurately set up BPA parameters for the overall scenario.
2) For autonomous systems with a large state-space, such as platoons of vehicles, combinatorial and computational issues are prone to appear.

Future work on BPA is directed towards solving the identified challenges. A possible solution to Challenge 1 is running phase-specific implementations of BPA, and integrating the results of analysis obtained from the multiple phases. The authors are already in the process of developing a generalized scheme for such a solution, with a preliminary approach described in [16]. The nature of BPA equips it with tools that can naturally help alleviate problems faced due to Challenge 2. Through selection of larger cell sizes (a more coarse partitioning scheme), and sampling more points from each cell, the size of the system cell-to-cell map can be reduced; the reduction in size is compensated for by sampling more points from each cell. This in turn reduces the computations needed to identify risk significant path sequences. Additionally, careful and intelligent selection of the truncation value parameter can lead to reduced wastage of computational resources on risk insignificant event sequences.
The need for generic and well defined procedures and methods for the assurance of autonomous ground vehicle functions with respect to safety goals in the early design stage is of vital importance. In this paper, the BPA approach based on a deductive implementation of Markov/CCMT has been proposed for the identification of scenarios that lead to safety goal violations. The scenarios were ranked by risk significance via probabilistic quantification of the scenarios that violate the safety goals. A case study of a hybrid state autonomous vehicle prone to random hardware failures in the braking system was taken into consideration. Simulation results displayed the risk significant scenarios leading to collisions with a static vehicle under possible brake failure in a search tree format. The simulated scenarios indicated that even though the contingency actions work as required under nominal brake conditions, they did not adequately avoid the risk of collision under sub-nominal brake conditions. It was also shown that, based on the modification of the contingency actions, no paths of risk significance leading to the Top Event were identified. Future work will involve the definition of a broader and more realistic set of contingency actions and hardware failures for various phases of the scenario. Future work will also investigate the applicability of the BPA to current standards such as ISO 26262 [20]. As a final note, it should be indicated that while BPA, in principle, may lead to a combinatorial increase in the number of scenarios to be investigated, an upper limit can be imposed on this number through the specification of probability bounds in defining what is regarded as risk significant. This probability bound can be relaxed in new BPA runs once the initially identified scenarios of high risk significance are mitigated.
Acknowledgement
The work is partially funded by the National Science Foundation (NSF) Cyber-Physical Systems (CPS) project under contract 60046665. An application of BPA to Unmanned Aircraft Systems (UAS) was developed with ASCA Inc. as part of a project funded by the NASA Ames Research Center (ARC). Discussions in that project with Drs. Sergio Guarro and Michael Yau from ASCA Inc., and Dr. Matt Knudson from NASA ARC are gratefully acknowledged.
References

[1] Assad Alam, Ather Gattami, Karl H Johansson & Claire J Tomlin (2014): Guaranteeing safety for heavy duty vehicle platooning: Safe set computations and experimental evaluations. Control Engineering Practice 24, pp. 33–41, doi:10.1016/j.conengprac.2013.11.003.
[2] T Aldemir & P Wang (1999): The Use of the Cell-to-Cell Mapping Technique as a Model-Based Diagnostic Tool.
[3] Tunc Aldemir (1987): Computer-assisted Markov failure modeling of process control systems. IEEE Transactions on Reliability, doi:10.1109/TR.1987.5222318.
[4] Tunc Aldemir, Mohamed Belhadj & Laurian Dinca (1996): Process reliability and safety under uncertainties. Reliability Engineering & System Safety.
[5] Probabilistic risk assessment modeling of digital instrumentation and control systems using two dynamic methodologies. Reliability Engineering & System Safety, doi:10.1016/j.ress.2010.04.011.
[6] Matthias Althoff & John M Dolan (2014): Online verification of automated road vehicles using reachability analysis. IEEE Transactions on Robotics, doi:10.1109/TRO.2014.2312453.
[7] Sanket Amberkar, Joseph G D'Ambrosio, Brian T Murray, Joseph Wysocki & Barbara J Czerny (2000): A system-safety process for by-wire automotive systems. Technical Report, SAE Technical Paper, doi:10.4271/
[8] Probabilistic analysis of asymptotic reactor dynamics and the cell-to-cell mapping technique. Transactions of the American Nuclear Society (United States).
[9] The Cell to Cell Mapping technique and Chapman-Kolmogorov representation of system dynamics. Journal of Sound and Vibration, doi:10.1006/jsvi.1995.0166.
[10] Manfred Broy (2006): Challenges in automotive software engineering. In: Proceedings of the 28th International Conference on Software Engineering, ACM, pp. 33–42, doi:10.1145/
[11] Abraham Cherfi, Michel Leeman, Florent Meurville & Antoine Rauzy (2014): Modeling automotive safety mechanisms: A Markovian approach. Reliability Engineering & System Safety, doi:10.1016/j.ress.2014.04.013.
[12] Nabarun Das & William Taylor (2016): Quantified fault tree techniques for calculating hardware fault metrics according to ISO 26262. In: Product Compliance Engineering Proceedings (ISPCE), 2016 IEEE Symposium on, IEEE, pp. 1–8, doi:10.1109/ISPCE.2016.7492848.
[13] Laurian Dinca, Tunc Aldemir & Giorgio Rizzoni (1999): Fault detection and identification in dynamic systems with noisy data and parameter/modeling uncertainties. Reliability Engineering & System Safety, doi:10.1016/S0951-8320(98)00077-5.
[14] Sergio B Guarro, Michael K Yau, Umit Ozguner, Tunc Aldemir, Arda Kurt, Mohammad Hejase & Matt D Knudson (2017): Formal Framework and Models for Validation and Verification of Software-Intensive Aerospace Systems. In: AIAA Information Systems-AIAA Infotech@Aerospace, p. 0418, doi:10.2514/
[15] Risk Informed Safety Case Framework for Unmanned Aircraft System Flight Software Certification. SYSTEM /
[16] Dynamic Probabilistic Risk Assessment of Unmanned Aircraft Adaptive Flight Control Systems. In: , p. 1982, doi:10.2514/
[17] Quantitative and Risk-Based Framework for Unmanned Aircraft Control System Assurance. Journal of Aerospace Information Systems, pp. 1–15, doi:10.2514/
[18] A Hierarchical Hybrid State System Based Controller Design Approach for an Autonomous UAS Mission. In: , p. 3294, doi:10.2514/
[19] Random Hardware failure compliance of a cell balancing circuit with the requirements of automotive functional safety. In: Applied Electronics (AE), 2015 International Conference on, IEEE, pp. 61–66.
[20] ISO26262 ISO (2011): International Standard ISO/FDIS.
[21] The Importance of Active Choices in Hazard Analysis and Risk Assessment. In: CARS 2015-Critical Automotive applications: Robustness & Safety.
[22] Tim Kelly & Rob Weaver (2004):
The goal structuring notation–a safety argument notation . In:
Proceedingsof the dependable systems and networks 2004 workshop on assurance cases , Citeseer.[23] Andreas Lawitzky, Anselm Nicklas, Dirk Wollherr & Martin Buss (2014):
Determining states of inevitablecollision using reachability analysis . In:
Intelligent Robots and Systems (IROS 2014), 2014 IEEE / RSJInternational Conference on , IEEE, pp. 4142–4147, doi:10.1109 / IROS.2014.6943146.[24] Sarah M Loos, Andr´e Platzer & Ligia Nistor (2011):
Adaptive cruise control: Hybrid, distributed, and nowformally verified . In:
International Symposium on Formal Methods , Springer, pp. 42–56, doi:10.1007 / An approach for improving fault-tolerancein automotive modular embedded software . In: , pp. 132–147.[26] Stefan Mitsch, Khalil Ghorbal, David Vogelbacher & Andr´e Platzer (2017):
Formal verification of obstacleavoidance and navigation of ground robots . The International Journal of Robotics Research / System Reliability Analysis . In:
Reli-ability Engineering and Risk Analysis: A Practical Guide , CRC Press, pp. 173–242. . Hejase, A. Kurt, T. Aldemir, and U. Ozguner [28] Wassim G Najm, John D Smith & Mikio Yanagisawa (2007): Pre-crash scenario typology for crash avoid-ance research . In:
DOT HS , Citeseer.[29] Jonas Nilsson, Jonas Fredriksson & Anders CE ¨Odblom (2014):
Verification of collision avoidance systemsusing reachability analysis . IFAC Proceedings Volumes / Safety evaluation of automotiveelectronics using virtual prototypes: State of the art and research challenges . In:
Design Automation Con-ference (DAC), 2014 51st ACM / EDAC / IEEE , IEEE, pp. 1–6, doi:10.1145 / Coordination of hierarchical systems . In:
Intelligent Control, 1990. Proceedings., 5thIEEE International Symposium on , IEEE, pp. 2–7, doi:10.1109 / ISIC.1990.128431.[32] ¨Umit ¨Ozg¨uner, Tankut Acarman & Keith Alan Redmill (2011):
Autonomous ground vehicles . Artech House.[33] Jaeyong Park, Arda Kurt & ¨Umit ¨Ozg¨uner (2014):
Hybrid Systems Modeling and Reachability-Based Controller Design Methods for Vehicular Automation . Unmanned Systems / S2301385014500071.[34] Purnendu Sinha (2011):
Architectural design and reliability analysis of a fail-operational brake-by-wiresystem from ISO 26262 perspectives . Reliability Engineering & System Safety / j.ress.2011.03.013.[35] Masahiko Takeichi, Yoshinobu Sato, Koichi Suyama & Takuya Kawahara (2011): Failure rate calculationwith priority FTA method for functional safety of complex automotive subsystems . In:
Quality, Reliability,Risk, Maintenance, and Safety Engineering (ICQR2MSE), 2011 International Conference on , IEEE, pp. 55–58, doi:10.1109 / ICQR2MSE.2011.5976568.[36] Ajit Kumar Verma, Srividya Ajit & Durga Rao Karanki (2016):
Probabilistic Safety Assessment . In:
Relia-bility and Safety Engineering , Springer, pp. 333–372, doi:10.1007 / Automotive development processes . 303, Springer, doi:10.1007 / Quantitative Eval-uation of the Safety of X-by-Wire Architecture subject to EMI Perturbations . In:
Emerging Tech-nologies and Factory Automation, 2005. ETFA 2005. 10th IEEE Conference on , 1, IEEE, pp. 8–pp,doi:10.1109 / ETFA.2005.1612601.[39] Jun Yang & Tunc Aldemir (2016):
An algorithm for the computationally e ffi cient deductive implementa-tion of the Markov / Cell-to-Cell-Mapping Technique for risk significant scenario identification . ReliabilityEngineering & System Safety / j.ress.2015.08.013.[40] Hongkun Zhang, Wenjun Li & Wei Chen (2010): Model-based hazard analysis method on automotive pro-grammable electronic system . In:
Biomedical Engineering and Informatics (BMEI), 2010 3rd InternationalConference on , 7, IEEE, pp. 2658–2661, doi:10.1109 //