Dr David Ward, Head of Functional Safety, HORIBA MIRA Ltd
The unique safety demands of autonomous cars will undoubtedly be a challenge for the automotive sector, but the emergence of new international standards is setting the direction the sector will have to take.
One of the big topics in road transport at the moment is the move towards self-driving cars – otherwise known as “autonomous” vehicles. The industry is rapidly accelerating its development efforts, driven by both traditional automotive companies and new entrants. Traditional automotive companies are introducing more “driving support” features as steps towards full autonomy, whilst new entrants such as Google are directly targeting fully automated vehicles.
Driving support and autonomy are often touted as improving the efficiency and safety of road transport; however, they bring their own unique safety concerns. One particular area of interest is the “functional safety” of such systems. Functional safety in its broadest sense is the part of the overall safety of a system that depends on it operating correctly in response to its inputs. Specifically in automotive, it is concerned with helping to avoid the incorrect functioning of an electronic system that could impact on the overall safety of the vehicle. Functional safety is already well established in the electronic systems that control the basic movement of a vehicle, such as powertrain, braking and steering, through application of the international standard ISO 26262. ISO 26262 is therefore concerned with addressing safety concerns that may arise from the malfunctioning behaviour of electronic systems.
As functional safety will play a large part in ensuring robust autonomous systems, standards such as ISO 26262 will need to address autonomy. In the first edition of the standard there was very little specific content related to autonomy. The perspective of the writers was constrained by the Vienna Convention requirement for the driver to maintain control of the vehicle at all times, and by the resulting assumption that electronic systems could therefore "fail silent" in the case of a malfunction.
Now with Edition 2 of the standard under development, targeted for release in early 2018, has this changed? One area of improvement being considered in the new edition is related to "fail operational" systems, as some control systems may require a degree of availability in order to maintain safe operation. It is proposed that the standard will consider how to design systems that can continue operation in the presence of failures. Another development area, for inclusion in a later revision of the standard, is around "safety of the intended functionality" – how factors such as sensor performance can be addressed; for example, a false-positive detection of an obstacle by a forward-looking radar. For a function such as autonomous emergency braking (AEB) we want to avoid an undemanded brake application. One potential cause of this event is that the radar sensor reports the presence of an object that isn’t another vehicle, for instance, a metal plate on the road during construction works. The challenge is in how we ensure that the sensor correctly discriminates between targets that should cause brake application, and those that should not.
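The two ideas in the paragraph above, rejecting a radar false positive before it becomes an undemanded brake application and continuing in a degraded mode when a sensor is lost, are easiest to see in a small arbitration routine. The following is an added example written for this page; it is not code from HORIBA MIRA, from any vehicle programme, or from ISO 26262 itself. The sensor fields, the three-cycle corroboration rule, the 1.5 s time-to-collision threshold and the "warn only" degraded mode are all assumptions chosen for illustration; a real AEB function would be derived from the vehicle's own hazard analysis.

```c
/* Added example: AEB brake-request arbitration with cross-sensor
 * corroboration and a degraded mode when the camera is unavailable.
 * Hypothetical design; all thresholds are illustrative assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum aeb_decision { AEB_NO_ACTION = 0, AEB_WARN_ONLY = 1, AEB_BRAKE = 2 };

/* One processing cycle of sensor input (constructed layout, not a real bus). */
struct sensor_frame {
    bool  radar_valid;               /* radar self-test passed this cycle      */
    bool  radar_detects;             /* radar reports an object in the path    */
    float radar_range_m;             /* distance to the object                 */
    float radar_closing_mps;         /* closing speed; positive = approaching  */
    bool  camera_valid;              /* camera self-test passed this cycle     */
    bool  camera_classifies_vehicle; /* camera classifier labels it a vehicle  */
};

struct aeb_state {
    uint8_t corroborated_cycles;     /* consecutive cycles both sensors agree  */
};

#define CORROBORATION_CYCLES 3       /* assumption: agree on 3 cycles in a row */
#define TTC_BRAKE_S          1.5f    /* assumption: brake below 1.5 s to impact */

/* Time to collision from radar range and closing speed; "never" if not closing. */
static float time_to_collision(const struct sensor_frame *f)
{
    if (f->radar_closing_mps <= 0.0f)
        return 1e9f;
    return f->radar_range_m / f->radar_closing_mps;
}

/* One arbitration step. A radar-only return (e.g. a metal plate on the road)
 * never produces a brake request: the camera must also classify the object
 * as a vehicle, for several consecutive cycles. If the camera has failed the
 * function degrades to a driver warning rather than stopping entirely. */
enum aeb_decision aeb_step(struct aeb_state *s, const struct sensor_frame *f)
{
    if (!f->radar_valid || !f->radar_detects || time_to_collision(f) > TTC_BRAKE_S) {
        s->corroborated_cycles = 0;          /* nothing credible in the path */
        return AEB_NO_ACTION;
    }

    if (f->camera_valid) {
        if (!f->camera_classifies_vehicle) {
            s->corroborated_cycles = 0;      /* radar target not corroborated */
            return AEB_NO_ACTION;
        }
        if (s->corroborated_cycles < CORROBORATION_CYCLES)
            s->corroborated_cycles++;
        return s->corroborated_cycles >= CORROBORATION_CYCLES ? AEB_BRAKE
                                                              : AEB_NO_ACTION;
    }

    /* Degraded mode: camera lost, radar alone is not trusted to brake. */
    s->corroborated_cycles = 0;
    return AEB_WARN_ONLY;
}

/* Feed a constructed sequence of frames and return the final decision. */
enum aeb_decision run_sequence(const struct sensor_frame *frames, int n)
{
    struct aeb_state s = { 0 };
    enum aeb_decision d = AEB_NO_ACTION;
    for (int i = 0; i < n; i++)
        d = aeb_step(&s, &frames[i]);
    return d;
}

int main(void)
{
    /* Constructed inputs: a closing vehicle, a metal plate, and a camera fault. */
    struct sensor_frame vehicle = { true, true, 20.0f, 15.0f, true, true  };
    struct sensor_frame plate   = { true, true, 20.0f, 15.0f, true, false };
    struct sensor_frame no_cam  = { true, true, 20.0f, 15.0f, false, false };
    struct sensor_frame seq_v[3] = { vehicle, vehicle, vehicle };
    struct sensor_frame seq_p[3] = { plate, plate, plate };

    printf("vehicle x3  -> %d (2 = brake)\n", run_sequence(seq_v, 3));
    printf("plate x3    -> %d (0 = no action)\n", run_sequence(seq_p, 3));
    printf("camera lost -> %d (1 = warn only)\n", run_sequence(&no_cam, 1));
    return 0;
}
```

The point of the structure is that the radar's false positive is handled at the arbitration layer rather than by hoping the sensor never misreports: a single detection, or even a persistent one, cannot command braking without an independent source agreeing, and loss of that independent source is an explicit, bounded degraded state rather than an undefined one.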
Despite these improvements, ISO 26262 is still firmly grounded in the constraints of a traditional vehicle. As such, there is further work that needs to be done before it fully addresses the unique requirements brought about by autonomy. This includes hazard analysis and availability. Hazard analysis considers driver "controllability", which needs reinterpreting for a highly automated function. During hazard analysis, functional safety engineers consider whether an average driver will be able to maintain control or take some action to mitigate the effects of a failure if one occurs. For a highly automated function, the driver may not be able to take action within a reasonable period of time. As such, a different approach to hazard analysis may be required. Furthermore, additional consideration must focus on the architectures and concepts for assuring the availability of autonomous systems. As vehicles become fully autonomous, this requirement will grow from an extended period of time to the whole of an arbitrary vehicle journey.
Coupled with these changes is the potential shift in liabilities – autonomous systems are being publicised as removing driver error, cited as being the most common cause of traffic accidents. If such a system fails, however, to whom does this responsibility shift? Some manufacturers are already suggesting they might assume liability in the event of a highly automated system failing – the practicality of this will require further consideration – whilst others are taking a more cautious view. In either case, this only underlines the need to have a high degree of assurance and resilience in the systems that deliver highly automated driving functions.
In summary, we are on the road to making fully autonomous vehicles a reality, and while ISO 26262 sets out the basis on which such systems will be developed, there is more work to do to extend its concepts to deal with such vehicles’ unique safety requirements. In the meantime, expert guidance and adaptation to existing standards is required to cover the development and testing of these systems.
David Ward, Head of Functional Safety at HORIBA MIRA, has 25 years’ experience in the safety and reliability of embedded electronic systems, with specialities in functional safety, automotive cybersecurity, automotive electronics and electric and hybrid vehicles. He has extensive experience advising on automotive standards as a contributor, author and expert practitioner. He acts as the UK principal technical expert to the international ISO 26262 committee and is a contributor to SAE J2980 and SAE J3061.