Safety and reliability design of autonomous driving based on ISO 21448 and STPA methods

Summary

At present, more and more electronic control systems are used in automobiles. This greatly increases the complexity of vehicle design and leads to more system failures, and the safety issues caused by those failures are becoming a new challenge. Based on the IEC 61508 standard for the functional safety of electrical/electronic/programmable electronic systems, the ISO 26262 standard for the automotive industry was first published in 2011, and a revised edition was released in 2018. ISO 26262 covers failures caused by system faults, while ISO 21448 was proposed to deal with unexpected hazards caused by changes in the surrounding environment and similar non-fault conditions. ISO 26262 specifies safety-related requirements for the entire life cycle. Functional safety analysis includes FTA (Fault Tree Analysis), FMEA (Failure Mode and Effects Analysis) and HAZOP (Hazard and Operability). These analyses are limited in handling failures or errors caused by complex interrelationships because they assume that the failures or errors affecting risk are caused by specific components. To overcome this limitation, it is necessary to apply the STPA (System Theoretic Process Analysis) technique.

1 Introduction

Recently, the use of electrical/electronic control systems has been increasing not only in the automotive industry but also in many other industries. The increased use of such control systems has greatly increased the complexity of system design, which has led to more system failures, and the safety issues arising from such failures are becoming a public concern.

1.1 Background and necessity

The Therac-25 radiation therapy accidents of 1985 are an example of a failure leading to an accident, and the automotive industry is no exception. In the Toyota accident in Japan in 2009, a problem with the software of the control system caused the accident. In the automotive industry, the international standard for automotive functional safety, "ISO 26262 - Functional Safety of Road Vehicles", was formulated in 2011 on the basis of the IEC 61508 international standard, and the second edition was revised and supplemented in 2018. The purpose of ISO 26262 is to prevent risks arising from system and component failures and to improve functional safety and reliability. However, hazardous situations can occur even when no system or component is defective. For example, an image sensor that is not malfunctioning may still lose its recognition function because of a sudden change in illuminance. Such situations are not failures in the ISO 26262 sense, yet they can create unexpected risks. To address this problem, a new functional safety standard, "ISO/PAS 21448 – SOTIF – Safety of the Intended Functionality", was proposed.

ISO 26262 proposes safety-related requirements throughout the entire life cycle. Representative risk analysis techniques include FTA (Fault Tree Analysis), FMEA (Failure Mode and Effects Analysis) and HAZOP (Hazard and Operability). These methods are based on the chain-of-events accident model, which explains accidents as a sequence of successive component faults, and they therefore treat the failure of specific components as the risk. However, as systems have become more complex in recent years, the ability of these techniques to handle failures or errors that arise not from component failures but from complex interrelationships or external environmental factors has become increasingly limited. In order to deal with errors caused by the interactions within modern complex systems, Leveson proposed the STPA (System Theoretic Process Analysis) method on the basis of the STAMP (System Theoretic Accident Model and Process) model. STPA identifies hazards by deriving UCAs (Unsafe Control Actions) from the interactions between system components.

1.2 Problem Definition

Prior work has derived a new method by combining STPA and FMEA. However, combining these two analysis methods complicates the procedure and consumes a lot of analysis time. Other work has proposed STPA as a risk analysis method within ISO 26262 and showed that STPA is an effective and efficient method for deriving safety constraints. The feasibility and practicality of this approach in the initial system design phase has also been evaluated. But the method still needs improvement in how it models and analyzes the system.

For the scope and goal of this paper, as shown in Figure 1, STPA is selected as the risk analysis method. We analyzed the feasibility of using STPA to ensure reliability, applied it to an example of the AEB (Automatic Emergency Braking) system, verified the efficiency of STPA, and confirmed its feasibility.

Figure 1. Scope and objectives of this paper

Following the sequence in Figure 2, we first describe ISO 26262 and ISO/PAS 21448 (SOTIF). Then the limitations of risk analysis methods such as FTA, FMEA and HAZOP, and the resulting need for STPA, are explained. Finally, applying STPA to the automatic emergency braking (AEB) system confirms its feasibility.

Figure 2. The process of this paper

1.3 The composition of this paper

The paper is organized as follows: Section 2 describes the theoretical background; by comparing risk analysis methods such as FTA, FMEA and HAZOP, their limitations are identified and the necessity of STPA is discussed. Section 3 discusses the application of STPA to the AEB system. Finally, Section 4 describes the conclusions and limitations of this study and future work.

2. Reliability design analysis based on ISO 26262 and STPA

2.1 Comparison between ISO 26262 and ISO/PAS 21448

ISO 26262 is an international standard for functional safety developed by ISO, which aims to prevent accidents caused by malfunctions of electrical and electronic systems in the automotive field. ISO 26262 presents safety-related requirements throughout the entire life cycle, from development to production and end-of-life. ISO 26262 is organized around safety goals, and each safety goal is assigned an ASIL (Automotive Safety Integrity Level) of QM, A, B, C or D. After the safety goals are set, FMEA, FTA, HAZOP and similar techniques are used for safety analysis.

SOTIF addresses hazardous situations that occur without a fault. SOTIF divides the scenario space into four areas: 1) known safe scenarios (area 1), 2) known unsafe scenarios (area 2), 3) unknown safe scenarios (area 4), and 4) unknown unsafe scenarios (area 3). Figure 3 visualizes the four areas of SOTIF. The purpose of SOTIF is to reduce the unknown and unsafe areas.

Figure 3. Visualization of known/unknown and safe/unsafe scenarios

2.2 Comparison of risk analysis methods FTA, FMEA, HAZOP

FTA uses combinations of logic gates to find the causes of a fault. The fault and its causes form a tree, with the fault as the top event and the basic causes of the fault at the bottom. All causes can be expressed by various logical combinations, and the probability of the fault can be calculated from the final combination. Figure 4 shows the implementation process of FTA.

Figure 4. FTA process

FMEA is a qualitative and inductive failure analysis technique, the most widely used and best-known technique in the field of reliability methodology. FMEA is used to identify potential failure modes and causes of system components during initial development. FMEA rates the severity, frequency of occurrence and probability of detection of each identified failure mode to compute a risk ranking. Figure 5 shows the process of performing an FMEA.

Figure 5. FMEA process

HAZOP is a qualitative risk analysis technique that derives all deviations of a system or process from its design intent and analyzes whether those deviations occur and what hazards they may cause. HAZOP uses guide words to analyze possible risks. Figure 6 shows the process of HAZOP.

Figure 6. HAZOP process

Table 1. Comparison of Risk Analysis Methods

2.3 Procedures for implementing STPA

FTA is an established risk analysis method that requires professional knowledge such as statistics and probability. Its limitation is that the larger the system under analysis, the greater the cost and time. The limitation of FMEA is that it is difficult to consider complex interactions, and the results reflect the subjective opinion of the analysts. In addition, since HAZOP uses only guide words for analysis, it relies on the experience of experts and also consumes a lot of time and money. All of these risk analyses focus on component failures.

With the increase of electrical and electronic control systems in recent years, the proportion of software has grown and systems have become more complex, making them difficult to analyze with existing risk analysis methods. To overcome this, Leveson proposed the Systems Theoretic Accident Model and Process (STAMP) model based on systems theory. STPA (System Theoretic Process Analysis) is a STAMP-based risk analysis method that analyzes a system from a control perspective and identifies improper control that may lead to hazards. In addition to software and hardware, STPA has the advantage of analyzing risk by modelling all factors related to system development and operation, including humans and the environment. Figure 7 shows the STPA procedure, a STAMP-based risk analysis method.

Figure 7. STPA process

Phase 1 defines accidents and hazards. It is subdivided into defining accidents, defining system-level hazards, and deriving system-level safety constraints. The accident definition step defines the scope of each accident and assigns it an ID so that it can be traced. In the system-level hazard definition step, the target system is selected, its scope is defined, and the hazards are defined. The system-level safety constraints describe a state or action that prevents a previously defined hazard from occurring.

In Phase 2, a control structure diagram is drawn, which consists of controllers, controlled processes, control actions, and feedback.

In Phase 3, UCA (Unsafe Control Action) derivation, hazards are analyzed by identifying the unsafe control actions that may lead to system-level hazards, classified into the four types shown in Table 2.

Table 2. Unsafe control structures that can lead to hazards

In the fourth stage, causal scenario derivation, the causes of the UCAs derived above are analyzed. The analysis can be roughly divided into two parts: the first derives why the controller issues an unsafe control action, and the second analyzes why a control action is improperly executed or not executed at all. Finally, causal scenarios are created from these causes.

3. Apply STPA to AEB system

The AEB system is an automatic emergency braking system that recognizes obstacles in front of a moving vehicle, predicts a collision, and automatically applies the brakes to prevent it. The AEB system operates in the following sequence. 1) It receives target information from the sensors and detects obstacles ahead by fusing that information in the ECU (Electronic Control Unit). 2) Based on the ego vehicle, the TTC (time to collision) is calculated from the relative speed and distance to the vehicle in front. 3) Braking is controlled according to the calculated TTC value so that the vehicle does not collide.

Stage 1, defining accidents and hazards, gives the following results. An accident occurs when an occupant is injured or killed while driving and the vehicle is damaged. The hazard is that an occupant is endangered while driving, or that the vehicle does not maintain a minimum safe distance from the vehicle in front.

Table 3. Definition of Incidents

Table 4. Risk Definitions

The control structure diagram of the second stage is shown in Figure 8. The controller calculates the speed and distance from the information obtained from the sensors and issues commands to the vehicle accordingly.

Figure 8. Control structure of AEB system

Table 4 shows the Stage 3 unsafe control actions. Examples are a braking command that is required while driving but is not executed, and a braking command that is requested too late.

Table 5. Risk Definitions

The Stage 4 causal scenarios are as follows. The reason the braking command in UCA1 is not executed while driving may be that the current position of the vehicle is not provided correctly or that the sensor measurements are incorrect. Alternatively, the braking command itself may not have been received. Possible causes of UCA2 are an incorrect current position of the vehicle or incorrect sensor data being supplied.

Table 6. Causal scenarios for deriving UCA
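As an added illustration of Stages 3 and 4 above (this is example code, not the paper's own), the following Python sketch computes the TTC used in the AEB operation sequence and maps a constructed trace of the braking command onto the four standard STPA unsafe-control-action types (not provided, provided when not required, too late, stopped too soon), of which the paper's UCA1 and UCA2 are the first and third. The TTC threshold, the lateness margin, and the sample traces are assumptions; the causal scenario (why the sensor or position value was wrong) remains the analyst's Stage 4 work.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Sample:
    t: float              # seconds since trace start
    distance: float       # gap to the vehicle in front, m (fused sensor output)
    closing_speed: float  # ego speed minus lead speed, m/s (> 0 means approaching)
    brake_cmd: bool       # whether the AEB controller issued a braking command at t

TTC_BRAKE = 1.5    # assumed: braking is required once TTC falls to this value (s)
LATE_MARGIN = 0.3  # assumed: a command issued more than this after it became required is "too late"

def time_to_collision(distance: float, closing_speed: float) -> float:
    """TTC = distance / closing speed; no collision is predicted when not closing."""
    if closing_speed <= 0:
        return float("inf")
    return distance / closing_speed

def classify_ucas(trace: List[Sample]) -> List[Tuple[str, float]]:
    """Map a trace of the 'brake' control action onto the four STPA UCA types."""
    ucas: List[Tuple[str, float]] = []
    required_since: Optional[float] = None  # time at which braking first became required
    braked = False                          # brake_cmd of the previous sample
    for s in trace:
        required = time_to_collision(s.distance, s.closing_speed) <= TTC_BRAKE
        if required and required_since is None:
            required_since = s.t
        if s.brake_cmd and not braked:                 # braking starts at this sample
            if not required:
                ucas.append(("provided_when_not_required", s.t))
            elif s.t - required_since > LATE_MARGIN:
                ucas.append(("too_late", s.t))         # the paper's UCA2
        if braked and not s.brake_cmd and required:    # braking released while still needed
            ucas.append(("stopped_too_soon", s.t))
        braked = s.brake_cmd
    if required_since is not None and not any(s.brake_cmd for s in trace):
        ucas.append(("not_provided", required_since))  # the paper's UCA1
    return ucas

def approach_trace(brake_from: Optional[float] = None, steps: int = 7, dt: float = 0.5):
    """Constructed sample data: ego closes on the vehicle in front at 10 m/s from 40 m."""
    return [Sample(i * dt, 40.0 - 10.0 * i * dt, 10.0,
                   brake_from is not None and i * dt >= brake_from)
            for i in range(steps)]
```

With the constructed approach, braking becomes required at t = 2.5 s (TTC = 1.5 s); a trace with no braking command yields UCA1, and a command first issued at t = 3.0 s yields UCA2.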

4 Conclusion

In the past, FTA, FMEA, HAZOP and similar methods were used to analyze the specific components that caused an accident. However, with the recent increase in the use of software, systems have become more complex. As a result, there is an increased risk from factors such as the external environment rather than from system or component errors. Furthermore, failures increasingly arise not only from components but also from interactions between components or systems. Therefore, the ISO/PAS 21448 standard was established to prevent the risk of such accidents, and the STPA technique was developed to deal with failures or errors caused by component interactions.

In this paper, the necessity of the ISO/PAS 21448 international standard and the STPA analysis method is described. STPA provides a structured scenario analysis. Among the many systems of the car, STPA was applied to the AEB (automatic emergency braking) system to analyze hazards and derive causal scenarios. We confirm that STPA is effective in identifying hazards and risks. In future work, objectivity will be ensured by deriving scenarios for various systems using STPA.


Origin blog.csdn.net/NewCarRen/article/details/128939597