For the functional safety of series production road vehicles, the standard ISO26262 specifies a comprehensive development process from concept to production. For prototype and demonstrator vehicles, no dedicated functional safety standard is available, and ISO26262 is not applicable because the development effort would by far exceed the scope of a prototype build-up. Nevertheless, it is necessary to consider functional safety for prototype vehicles in order to protect operators, passengers and persons near the vehicle from any harm caused by a malfunction. Corresponding documentation is essential, because it proves that safety has been taken into account and that safety measures have been implemented.
Therefore, FEV has developed a tailored functional safety process for prototype vehicles, which is based on the main tasks as defined in the concept phase of ISO26262, but with reduced complexity. These tasks are the preliminary item definition, a high-level hazard analysis and risk assessment and the definition of safety mechanisms which shall be implemented in the prototype vehicle. Furthermore, an iteration loop is included in the process, in order to re-assess the remaining risk in combination with the defined safety mechanisms (Figure 1).
Preliminary item definition
In this article, the transformation of a conventional powertrain into a P2 hybrid powertrain is chosen as the example prototype application. Besides the integration of a high-voltage system, the powertrain modification itself is safety-related, too, as will be shown for one of its main functions, electric driving. The preliminary item definition describes all functionalities, operating modes, interfaces and operating conditions of the system in scope, i.e. the P2 hybrid system in our example. This information is an essential input for the identification of potential risks resulting from malfunctions of the item.
High-level hazard analysis and risk assessment
The main steps of the hazard analysis and risk assessment (HARA) are the selection of relevant use cases for the prototype vehicle, the functional hazard analysis (FHA) and the risk assessment of the resulting hazardous situations. The FHA assigns standard malfunctions (does not, too much, not enough, wrong direction/distribution, unintended, stuck) to each function. Combined with the respective use cases, these malfunctions result in hazardous situations. One example for the e-drive function of the prototype vehicle is:
- Function: Electric drive
- Use case: Vehicle is stopped at a red traffic light or at a crossroads
- Malfunction: Unintended torque
- Hazardous situation: unintended vehicle movement, resulting in crash with crossing vehicle
The risk assessment of such a hazardous situation is based on three criteria as defined in ISO26262. Exposure (E) represents the frequency of the use case – not of the hazardous situation. Severity (S) is the rating for the harm that can be caused to somebody. And controllability (C) is a measure for the ability of the vehicle driver to avoid the hazard by his intervention. Since the exact determination of these criteria is quite time-consuming, a simplified, conservative rating catalogue is applied for the prototype application and a risk level is calculated instead of an Automotive Safety Integrity Level (ASIL) as defined in ISO26262 (Figure 2).
The initial rating for the above-mentioned example is as follows:
- Exposure for standing at a traffic light / crossroads: E = 3
- Severity for crash with crossing traffic: S = 3
- Controllability for unintended movement: C = 2
The C-rating depends on certain boundary conditions. In the example, the maximum wheel torque that the electric machine can generate is lower than the brake torque which the vehicle driver can realize by pressing the brake pedal. If such a boundary condition is not fulfilled, or if it cannot be ensured, a more conservative rating has to be chosen.
With E + C = 5 and S = 3, the resulting risk level is “Medium”, which requires safety measures as described in the following paragraph.
Derivation of safety measures
In order to achieve the risk level “Acceptable”, safety measures have to be defined for the risk levels “Low”, “Medium” and “High” as shown in Figure 2.
For example, the “Medium” risk level can be reduced to “Acceptable” in several steps. The first step is the installation of an emergency stop button, which switches off the electric propulsion system. The driver has to be trained in its use, e.g. by inducing the fault on the test track. Only trained drivers will be allowed to operate the vehicle in urban traffic, which has to be documented, e.g. by a corresponding logbook in the vehicle. With this measure, the C-rating is reduced from 2 to 1. According to Figure 2, this results in a “Low” risk, so an additional measure is needed. For example, the use of the prototype vehicle could be restricted to drive cycles with less than 1 percent of operating time at traffic lights and crossroads. This would reduce the E-rating from 3 to 2, resulting in an “Acceptable” risk. Since the example described in this article represents only one situation out of numerous other scenarios, there might be other risks that are rated as “High” and therefore demand further safety measures such as monitoring algorithms. Such safety measures could then also be used for the mitigation of lower-rated risks and make it possible to avoid restrictions such as the limitation of use cases or the operation of the vehicle by trained drivers only.
To complete the simplified functional safety process, it is important to ensure that the defined safety measures are implemented and tested before the actual investigations with the prototype vehicle start. This can be supported by checklists and tests of the vehicle on the test track.
Besides the achievement of technical targets, strict compliance with a safety-related development and release process is also mandatory for prototype applications. FEV has developed the described prototype process for this purpose and has successfully applied it in several projects.
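The FHA enumeration described under the HARA heading, the E/S/C rating, and the iteration loop in which measures are added and the risk re-assessed can be carried through end to end in code. The following Python is an added example written for this article, not FEV's tool or process artefact. Because Figure 2 (the risk-level catalogue) is not reproduced here, the `risk_level` function uses an assumed stand-in rule that reproduces only the three data points the text gives (E=3, S=3, C=2 is “Medium”; C reduced to 1 is “Low”; E then reduced to 2 is “Acceptable”); the “High” threshold, the measure names and the reduction amounts are labelled assumptions and would be replaced by the project's actual catalogue.

```python
"""
Simplified HARA for a prototype vehicle: FHA enumeration, E/S/C rating and
the iteration loop that re-rates a hazard after safety measures are applied.
Example code for illustration only; the rating catalogue is an assumption.
"""
from dataclasses import dataclass, replace
from itertools import product

# Standard malfunction guide words that the FHA assigns to every function.
MALFUNCTIONS = ("does not", "too much", "not enough",
                "wrong direction/distribution", "unintended", "stuck")


@dataclass(frozen=True)
class Hazard:
    function: str
    use_case: str
    malfunction: str


def functional_hazard_analysis(functions, use_cases):
    """Combine every function with every use case and every standard malfunction.
    Each combination is a candidate hazardous situation to be rated."""
    return [Hazard(f, u, m) for f, u, m in product(functions, use_cases, MALFUNCTIONS)]


@dataclass(frozen=True)
class Rating:
    exposure: int         # E: frequency of the use case, not of the hazardous situation
    severity: int         # S: harm that can be caused
    controllability: int  # C: driver's ability to avoid the hazard by intervening


def risk_level(r: Rating) -> str:
    """ASSUMPTION: stand-in for the catalogue in Figure 2, which is not on the page.
    The rule is chosen only so that the three ratings quoted in the article come
    out as the article states; replace it with the real catalogue."""
    score = r.exposure + r.controllability + r.severity
    if score >= 9:
        return "High"        # assumed threshold, not given in the article
    if score == 8:
        return "Medium"      # E + C = 5, S = 3 in the article
    if score == 7:
        return "Low"         # E + C = 4, S = 3 after the emergency stop button
    return "Acceptable"      # E + C = 3, S = 3 after restricting the drive cycles


@dataclass(frozen=True)
class SafetyMeasure:
    name: str
    reduces: str  # which rating it lowers: "exposure" or "controllability"
    by: int       # assumed reduction per the article's example (one step each)


def apply_measure(rating: Rating, measure: SafetyMeasure) -> Rating:
    """Lower one rating by the measure's effect; ratings never drop below 1 here."""
    current = getattr(rating, measure.reduces)
    return replace(rating, **{measure.reduces: max(1, current - measure.by)})


def iterate_until_acceptable(rating: Rating, candidates):
    """Iteration loop: add one measure at a time and re-assess the remaining
    risk until the level is 'Acceptable' or the candidates run out.
    Returns the final rating and the history of (applied measures, level)."""
    applied = []
    history = [(tuple(applied), risk_level(rating))]
    for measure in candidates:
        if risk_level(rating) == "Acceptable":
            break
        rating = apply_measure(rating, measure)
        applied.append(measure.name)
        history.append((tuple(applied), risk_level(rating)))
    return rating, history


def electric_drive_example():
    """The article's worked example: unintended torque while stopped at a light."""
    hazards = functional_hazard_analysis(
        ["Electric drive"], ["Vehicle stopped at red traffic light or crossroads"])
    unintended = [h for h in hazards if h.malfunction == "unintended"][0]
    initial = Rating(exposure=3, severity=3, controllability=2)
    # Measure names and effects follow the article; reduction sizes are assumed.
    measures = [
        SafetyMeasure("emergency stop button + trained drivers", "controllability", 1),
        SafetyMeasure("restrict drive cycles (<1 % time at lights)", "exposure", 1),
    ]
    final, history = iterate_until_acceptable(initial, measures)
    return unintended, len(hazards), final, history


if __name__ == "__main__":
    hazard, count, final, history = electric_drive_example()
    print(f"{count} candidate hazards enumerated; assessing: {hazard}")
    for applied, level in history:
        print(f"  measures={list(applied)} -> {level}")
    print("final rating:", final)
```

The loop stops as soon as the re-assessment yields “Acceptable”, so in this example both measures are needed, which mirrors the two steps the text walks through. With a real catalogue in place of the stand-in rule, the same structure lets the remaining risk be re-checked every time a measure such as a monitoring algorithm is added or a use-case restriction is lifted.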