Comparing Different Levels of Technical Systems for a Modular Safety Approval—Why the State of the Art Does Not Dispense with System Tests Yet

While systems in the automotive industry have become increasingly complex, the related processes require comprehensive testing to be carried out at lower levels of a system. Nevertheless, the final safety validation is still required to be carried out at the system level by automotive standards like ISO 26262. Using its guidelines for the development of automated vehicles and applying them for field operation tests has been proven to be economically unfeasible. The concept of a modular safety approval provides the opportunity to reduce the testing effort after updates and for a broader set of vehicle variants. In this paper, we present insufficiencies that occur on lower levels of hierarchy compared to the system level. Using a completely new approach, we show that errors arise due to faulty decomposition processes wherein, e.g., functions, test scenarios, risks, or requirements of a system are decomposed to the module level. Thus, we identify three main categories of errors: insufficiently functional architectures, performing the wrong tests, and performing the right tests wrongly. We provide more detailed errors and present examples from the research project UNICARagil. Finally, these findings are taken to define rules for the development and testing of modules to dispense with system tests.

Fault-Tolerance by Resilient State Transition for Collaborative Cyber-Physical Systems

Collaborative Cyber-Physical Systems (CCPS) are systems where several individual cyber-physical systems collaborate to perform a single task. The safety of a single Cyber-Physical System (CPS) can be achieved by applying a safety mechanism and following standard processes defined in ISO 26262 and IEC 61508. However, due to heterogeneity, complexity, variability, independence, self-adaptation, and dynamic nature, functional operations for CCPS can threaten system safety. In contrast to fail-safe systems, where, for instance, the system leads to a safe state when an actuator shuts down due to a fault, the system has to be fail-operational in autonomous driving cases, i.e., a shutdown of a platooning member vehicle during operation on the road is unacceptable. Instead, the vehicle should continue its operation with degraded performance until a safe state is reached or returned to its original state in case of temporal faults. Thus, this paper proposes an approach that considers the resilient behavior of collaborative systems to achieve the fail-operational goal in autonomous platooning systems. First, we extended the state transition diagram and introduced additional elements such as failures, mitigation strategies, and safe exit to achieve resilience in autonomous platooning systems. The extended state transition diagram is called the Resilient State Transition Diagram (R-STD). Second, an autonomous platooning system’s perception, communication, and ego-motion failures are modeled using the proposed R-STD to check its effectiveness. Third, VENTOS simulator is used to verify the resulting resilient transitions of R-STD in a simulation environment. Results show that a resilient state transition approach achieves the fail-operational goal in the autonomous platooning system.

Functional Safety BMS Design Methodology for Automotive Lithium-Based Batteries

The increasing use of lithium batteries and the necessary integration of battery management systems (BMS) has led international standards to demand functional safety in electromobility applications, with a special focus on electric vehicles. This work covers the complete design of an enhanced automotive BMS with functional safety from the concept phase to verification activities. Firstly, a detailed analysis of the intrinsic hazards of lithium-based batteries is performed. Secondly, a hazard and risk assessment of an automotive lithium-based battery is carried out to address the specific risks deriving from the automotive application and the safety goals to be fulfilled to keep it under control. Safety goals lead to the technical safety requirements for the next hardware design and prototyping of a BMS Slave. Finally, the failure rate of the BMS Slave is assessed to verify the compliance of the developed enhanced BMS Slave with the functional safety Automotive Safety Integrity Level (ASIL) C. This paper contributes the design methodology of a BMS complying with ISO 26262 functional safety standard requirements for automotive lithium-based batteries.