Rolf Johansson

Safety contract based design of software components

In this paper we discuss how to use a modified design methodology for contract based design (CBD) intended for development of software and component based systems by use of so called safety contracts. The primary purpose is to make a proposal on how to integrate safety contracts in a, for a tool, implementable way for automatic safety contract verification. This development technique is called safety contract based design (SCBD) in this paper. Focus is to discuss the similarities and differences between the actual contents in conventional CBD-contracts and safety contracts, and rules for how to verify agreements of safety contracts and how to ensure safety contract validity.

V2V Communication Quality: Measurements in a Cooperative Automotive Platooning Application

This paper presents measurements on Vehicle to Vehicle (V2V) communication between participants in a platooning application. Platooning, according to the SARTRE concept, implies several vehicles travelling together in tight formation, with a manually driven heavy lead vehicle. The platoon being studied consists of five vehicles; two trucks in the lead and three passenger cars. The V2V-communication node in each vehicle contains an 802.11p radio at 5,9 GHz. It is used to send messages between vehicles to coordinate movements and maintain safety in the platoon. Another cooperative application that relies on V2V-communication is multiple UAVs flying in formation; as investigated in KARYON. This project also investigates cooperative autonomous vehicles. In both applications, V2V-communication is an enabling technology. Two metrics are studied to quantify the V2V-communication quality: system packet error rate and consecutive packet loss. These two metrics characterize the communication quality in the different tests (speed, antenna position and two tracks). The paper draws general conclusions on the performance of V2V-communication. The presented test results supports comparison of the tested antenna placements on the trucks and the communication quality related to speed and track.

The need for an environment perception block to address all ASIL levels simultaneously

In order to perform safety assessment of vehicles for highly automated driving, it is critical that the vehicle can be proven to adapt its driving according to the sensed objects that might become a hinder. There is a complicated relation between the confidence of what hinders that might exist coming out of an environment perception block, and the tactical decisions about the driving style done by the autonomous vehicle. A good strategy that enables safety assessment according to ISO26262 implies that the environment perception block should address its safety requirements for all the ASIL attribute values simultaneously. In this paper we argue why every functional safety requirement allocated to an environment perception block should preferable be instantiated four times, each with a different ASIL value.

Defining Autonomous Functions Using Iterative Hazard Analysis and Requirements Refinement

Autonomous vehicles are predicted to have a large impact on the field of transportation and bring substantial benefits, but they present new challenges when it comes to ensuring safety. Today the standard ISO 26262:2011 treats each defined function, or item, as a complete scope for functional safety; the driver is responsible for anything that falls outside the items. With autonomous driving, it becomes necessary to ensure safety at all times when the vehicle is operating by itself. Therefore, we argue that the hazard analysis should have the wider scope of making sure the vehicle’s functions together fulfill its specifications for autonomous operation. The paper proposes a new iterative work process where the item definition is a product of hazard analysis and risk assessment rather than an input. Generic operational situation and hazard trees are used as a tool to widen the scope of the hazard analysis, and a method to classify hazardous events is used to find dimensioning cases among a potentially long list of candidates. The goal is to avoid dangerous failures for autonomous driving due to the specification of the nominal function being too narrow.

Measurements on V2V Communication Quality in a Vehicle Platooning Application

This paper presents results from measurements on Vehicle to Vehicle (V2V) communication between participants in a cooperative application: vehicle platooning. The platoon being studied consists of four vehicles; one truck in the lead and three passenger cars following. The V2V-communication node in each vehicle contains an 802.11p radio tuned to 5.9 GHz. It is used to send messages between vehicles to coordinate movements and maintain safety in the platoon. In cooperative applications, V2V-communication is an enabling technology. The V2V-communication quality is studied according to packet error rate. This is measured in tests with different speeds, antenna position and on two tracks. The paper draws general conclusions on the performance of V2V-communication and presents a comparison of the tested antenna placements on the truck.

Use of quality metrics for functional safety in systems of cooperative vehicles

Looking at functional safety of vehicles, we have seen an evolution from federated to integrated E/E architectures. When extending the way of specifying and analysing functional safety to also address cooperative functionality, it is not possible to keep a static view of the boundaries of the system for which to ensure safety. This is because the set of vehicles realizing a cooperative function may change a lot during the execution of the cooperative function. In this work in progress paper we suggest to move part of the task to show safety, from design time to run time. This implies that it will become necessary to monitor the system at run time, continuously calculate its quality and share that information between the individual vehicles to assert that the system is safe. In order to accomplish this, appropriate metrics are needed, both during design time and run time. Inspired by information theory, this paper sketches some common properties for metrics, and indicates how that can be beneficial.

A novel modelling pattern for establishing failure models and assisting architectural exploration in an automotive context

With the introduction of the automotive functional safety standard ISO 26262, several challenges related to the representation of dependability information has emerged. This paper addresses how safety requirements can be formalized; which is mandatory for high-integrity requirements. Particular focus is given to asymmetric failures. Such a failure can be caused by a communication fault, and implies that data in a distributed system will be inconsistent among system outputs or within the system (incorrect, corrupt or omitted, etc.). We investigate along two lines; 1) The EAST-ADL automotive architecture description language is extended with a capability to represent asymmetric faults and failures. 2) The Compute-Distribute Results (CDR) pattern is introduced to assist reasoning about distributed systems, in particular potential inconsistencies. We show how this can support architectural decisions regarding selection of communication topology and communication technology for a given distributed system. A brake-by-wire application and FlexRay bus are analysed to illustrate the concepts.

Functional Safety and Evolvable Architectures for Autonomy

The presented paper presents the ongoing Swedish national research project FUSE (FUnctional Safety and Evolvable architectures for autonomy). Some of the research questions addressed in this project are summarized. The research questions are related both to functional safety and the E/E architecture of vehicles aimed for higher degrees of automation, including fully autonomous ones.

Checking Verification Compliance of Technical Safety Requirements on the AUTOSAR Platform Using Annotated Semi-formal Executable Models

Implementing AUTOSAR-based embedded systems that adhere to ISO 26262 is not trivial. High-level safety goals have to be refined to functional safety requirements and technical HW and SW safety requirements. SW safety requirements allocated to the application as well as the underlying AUTOSAR platform. Finding relevant safety requirements on the AUTOSAR basic software are a challenge. AUTOSAR specifications provide incomplete lists of requirements which might be relevant. In this paper we address this challenge by providing tool support to automatically extract relevant functional requirements for given safety scenarios. A conservative estimation gives that the safety-relevant part of the overall requirements can be as small as 30%, which reduce the necessary rigid testing effort. An electronic parking brake example is presented as a demonstration of concept.