This article is translated from the “2017 IEEE International Conference on Vehicular Electronics and Safety (ICVES)”
Included article: Safety Assessment of Automated Vehicle Functions by Simulation-based Fault Injection
Original authors: Garazi Juez, Estibaliz Amparan
Editor’s Note
When analyzing the concept phase of automotive functional safety based on the existing version of ISO 26262, theoretical methods such as FMEA (Failure Mode and Effects Analysis), FTA (Fault Tree Analysis), and DFA (Dependent Failure Analysis) are often used to analyze failure impacts, leading to safety objectives and safety requirements. However, in the face of the complex system of automated vehicles, the impact of a failure may not be known in advance. To address this issue, under the premise of known failure types, the authors introduce fault injection (Fault Injection, FI) simulation tests as a supplement to the aforementioned safety analysis methods, improving the understanding of failure impacts, safety objectives, and safety requirements based on test data.
Abstract: With the development of automated vehicles, ensuring vehicle safety in the event of faults has become increasingly important. This article proposes a simulation-based fault injection method (Sabotage) to complement traditional safety analysis methods at the concept phase of ISO 26262, obtaining failure impacts based on test data and refining safety objectives and safety requirements. This method is then applied to the safety analysis of the lateral control system of automated vehicles, deriving the impacts of faults that occur in its model, obtaining the fault tolerant time interval (Fault Tolerant Time Interval, FTTI) based on maximum lateral error and steering saturation*, and deducing safety objectives and safety requirements.
*Steering saturation: refers to the inability to continue turning once the steering control reaches saturation.
1. Control Architecture of Automated Vehicles
This article is a study on functional safety for Highly Automated Vehicles (HAV). The HAV architecture is mainly divided into lateral and longitudinal control. This research focuses on the lateral control system, which aims to guide the vehicle along the optimal path and consists of three basic functions:
- Behavior planning: selecting the best path based on vehicle behavior (such as lane keeping, lane changing, or obstacle avoidance).
- Trajectory control: calculating and maintaining the vehicle on the correct trajectory through control algorithms.
- Steering: controlling the steering wheel to ensure the vehicle follows the planned path, with inputs from the trajectory control module’s correction values.
2. SABOTAGE Framework Based on ISO 26262
1. Framework: SABOTAGE
The existing version of ISO 26262’s concept phase primarily conducts safety assessments through safety analysis methods such as FMEA. Due to the complexity of automated vehicle systems, the impact of a specific failure may not be known in advance, leading to incomplete analysis results. Fault injection provides an effective supplementary method for assessing the safety and controllability of advanced automated systems. Under the condition of known failure types, fault injection can obtain the impact of a failure occurring during system operation and related fault data. Figure 1 illustrates the automated vehicle functional safety analysis method based on fault injection simulation. This method can serve as a supplementary means to assess the safety of a certain architecture in the early design stage. By analyzing simulation data, trade-offs and selections can be made among several optimal safety concepts.
Figure 1: Sabotage: Simulation-based Fault Injection Framework
Based on this framework, the general process of the Sabotage method proposed in this study is as follows:
Step 1: Identify failure modes. First, the main functions and failure types of the relevant items must be known. Then, correctly identify functional failure modes to obtain data regarding their impacts (at the system/vehicle level). This means that if these failure modes are defined at the system level, their impacts will be reflected at the vehicle level. These faults/failure modes are associated with generic fault models (Omission, Frozen, Delay, Invert, Oscillation, Random) stored in a common fault model library. These generic fault models are predefined templates used to simulate any component- or system-level functional failure mode.
Step 2: Configure fault injection tests. After preliminary analysis of the system, fault injection tests must be configured as part of the workload generator, which includes setting up tests and driving scenarios, as well as generating a list of faults:
- Objective: Where to inject faults?
- Fault model: What is the best fault model representing the functional failure mode?
- Trigger: How to trigger the fault in the system?
- What are the observation points for fault impacts?
- How to define the conditions under which the vehicle loses its controllability?
For each fault the user wants to inject, the fault list must clearly specify the involved fault model, target signal (fault localization), fault trigger conditions based on time or path position coordinates (X,Y), and fault duration. This information forms the basis for generating the fault injector (Saboteur). The fault injector is a component added to the system behavior model for fault injection. Each time a target signal is generated, a fault is injected.
The test configuration includes the selection of the vehicle and the definition of operational situations:
- Location: highway, city;
- Road conditions: uphill, curve;
- Environmental conditions: good, heavy rain;
- Traffic conditions: smooth;
- Vehicle speed;
- Behavior: stopping, overtaking, lane keeping;
- Potential risk participants: driver, passengers, pedestrians.
The test scenarios are selected by the scenario configurator based on previously defined operational conditions to load the best driving scenarios into the Dynacar platform (a real-time vehicle dynamics simulation system).
Step 3: Create the Faulty System Under Test. For this, the fault injector module creates fault generator code based on the information from the fault list and general fault model templates. This process can be automated based on data from libraries and lists.
Step 4: Compare the simulation results of the faulty system with those of the fault-free system, analyze the fault impacts, and derive appropriate safety objectives and safety requirements.
2. Using Sabotage in the ISO 26262 Concept Phase
The Sabotage method mentioned in the previous section can be applied in the concept phase of ISO 26262. Under the premise of knowing the functions and failure types of relevant items, fault injection simulations can yield the impacts of a specific fault during hazard analysis and risk assessment processes, refining safety objectives based on this and deducing safety requirements in the functional safety concept process. Its specific applications are:
1. Hazard identification through fault injection rather than safety analysis methods like FMEA. The Dynacar virtual environment allows intuitive visibility of hazards (e.g., the vehicle does not turn when it should).
2. Refining safety objectives based on simulation results and hazard identification.
3. Determining FTTI and safety states. As shown in Figure 2, FTTI is the time from when a fault is injected to when a hazard occurs. For advanced automated systems, FTTI determines the level of fault tolerance required to prevent the vehicle from losing control (e.g., redundancy, functional degradation).
4. Comparing the simulation results of fault-free and faulty systems, safety requirements can be derived from the maximum differences between the two simulations.
5. Based on previous results, safety requirements will be integrated into the functional safety concept.
Figure 2: Fault-Error-Failure Chain and Definition of FTTI
3. Safety Assessment of the Lateral Control System
This section provides an instance of applying Sabotage to the safety assessment of an existing lateral control system (part of the lane-keeping function of advanced automated vehicles) based on the ISO 26262 concept phase. Since this model lacks appropriate safety mechanisms, analyzing FI simulation results can address the following issues:
- Obtaining impact data for specific faults at the vehicle and relevant item levels based on fault injection simulation results.
- Completing safety analysis: determining safety objectives (including FTTI values and safety states), functional safety requirements, and safety concepts.
The following is the analysis process and results of this study in the ISO 26262 concept phase:
1. Definition of Relevant Items
As stated in Chapter 2, the application premise of the method proposed in this article is to clarify the functions and failure types of relevant items in the definition process of ISO 26262: lateral control relevant items can be decomposed into multiple functions and sub-functions, with failures including: steering (Omission, Commission), trajectory control (Omission or Commission), behavior planner (unnecessary local planning, unnecessary perception, unnecessary decision-making).
2. Hazard Analysis and Risk Assessment
FI simulation results can serve as a supplementary method alongside the classical safety analysis methods in this process, using simulation primarily for hazard identification and for obtaining safety objectives (mainly FTTI values).
The FI simulation test conducted in this study involved a vehicle traveling at a constant speed of 45 km/h with the lane-keeping function activated in a smoothly flowing urban environment. When the vehicle was navigating a curve, faults were triggered, replicating functional failure modes related to differential GPS (DGPS) and the steering system. The fault list set in the experiment is shown in Table 1.
Table 1: Example Fault List*
*This table is only a partial example of the fault list in this study and does not correspond one-to-one with Table 2
Following the steps outlined in Chapter 2, the fault generator automatically injects faults based on the previously established fault list. To generate the most severe impact, these faults are triggered at several curve points to achieve the most significant effect. Since the primary objective of our simulation is to calculate the FTTI value for lateral control, the observed signals are lateral error and steering saturation. Figure 3 depicts the calculation principle of FTTI for steering control.
Figure 3: Calculation Principle of FTTI
The maximum lateral error, defined by the following formula, serves as the standard for system loss of control:
Table 2 describes the hazard identification information obtained from the FI-based simulation results. Using general fault models to model failures at different relevant item levels, we can measure their impacts at the vehicle level and the resulting hazardous behavior.
Table 2: Impact of Vehicle-Level Failures
Based on Table 2 and simulation test data, partial results of the hazard analysis and risk assessment can be derived, as shown in Table 3, which includes the most severe failure modes (represented as fault models) for specific functions calculated based on Figures 2 and 3. The fault duration is the time taken to handle the fault appropriately (transitioning to a safe state). For example, failures related to the trajectory controller can exist in the system for 400 ms before a hazard event occurs: 240 ms for detection and reaction, and 160 ms for controlling the fault, thus not violating safety objectives. The specific safety objective definitions in Table 3 are shown in Table 4.
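The following is an added, self-contained illustration of the Sabotage steps from Chapter 2 and of the FTTI measurement of Figure 3; it is example code written for this summary, not the paper's Dynacar model. A toy lane-keeping controller drives a kinematic bicycle model round a constant curve at 45 km/h, a saboteur applies the six generic fault models to the steering command (the target signal), and FTTI is measured as the time from the trigger until the lateral-error or steering-saturation threshold is crossed. The vehicle model, gains, thresholds, fault durations and the concrete behaviour of each fault model are assumptions of this example.

```python
import math
import random

V, L, R, DT = 12.5, 2.7, 50.0, 0.01        # 45 km/h, wheelbase, curve radius, step (s)
E_MAX, DELTA_MAX = 0.5, 0.5                 # assumed loss-of-control thresholds (m, rad)

def saboteur(model, t, cmd, st, t_on, dur):
    """Fault injector on the steering command (the target signal of the fault list)."""
    st.setdefault("hist", []).append(cmd)   # keep a history for the delay model
    if not (t_on <= t < t_on + dur):        # trigger by time, then hold for `dur`
        st["last_good"] = cmd
        return cmd
    return {
        "omission":    lambda: 0.0,                         # nothing reaches the actuator
        "frozen":      lambda: st.get("last_good", cmd),    # stuck at last pre-fault value
        "delay":       lambda: st["hist"][max(0, len(st["hist"]) - 30)],  # ~0.3 s stale
        "invert":      lambda: -cmd,
        "oscillation": lambda: cmd + 0.3 * math.sin(40.0 * t),
        "random":      lambda: st.setdefault("rng", random.Random(1)).uniform(-0.5, 0.5),
    }[model]()

def run(model=None, t_on=2.0, dur=1.0, t_end=5.0):
    """Lane keeping on a CCW circle of radius R; returns (FTTI in s or None, peak |e|)."""
    x, y, psi, st = R, 0.0, math.pi / 2, {}
    ftti, e_peak = None, 0.0
    for k in range(int(t_end / DT)):
        t = k * DT
        e = math.hypot(x, y) - R                           # lateral error, + = outside
        psi_ref = math.atan2(y, x) + math.pi / 2           # tangent heading of the path
        d_psi = (psi_ref - psi + math.pi) % (2 * math.pi) - math.pi
        cmd = math.atan(L / R) + 1.0 * d_psi + 0.2 * e     # feed-forward + P on heading/error
        if model:
            cmd = saboteur(model, t, cmd, st, t_on, dur)
        delta = max(-DELTA_MAX, min(DELTA_MAX, cmd))       # steering actuator limit
        e_peak = max(e_peak, abs(e))
        if ftti is None and t >= t_on and (abs(e) > E_MAX or abs(delta) >= DELTA_MAX):
            ftti = round(t - t_on, 2)                      # Fig. 3: injection -> hazard
        psi += V / L * math.tan(delta) * DT                # kinematic bicycle model
        x += V * math.cos(psi) * DT
        y += V * math.sin(psi) * DT
    return ftti, round(e_peak, 3)

if __name__ == "__main__":
    golden = run()                                         # fault-free reference run
    for m in ("omission", "frozen", "delay", "invert", "oscillation", "random"):
        print(m, run(m), "golden", golden)
```

Comparing each faulty run with the golden run shows why the FTTI depends on the fault model: an omitted or inverted steering command on a curve crosses the lateral-error threshold within roughly half a second, whereas a frozen command on a constant-radius curve stays benign for the whole injection window.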
Table 3: Hazard Analysis and Risk Assessment
Table 4: Safety Objectives
3. Functional Safety Concept
Based on the safety objectives derived from the previous process, functional safety requirements are deduced in conjunction with FI simulation results, as shown in Table 5. The calculation formula for maximum lateral error is as follows:
Table 5: Safety Requirements
Thus, the functional safety requirements are obtained through simulation data rather than traditional dependent failure analysis (DFA). The main conclusion is that the current lateral control design cannot ensure the system is unaffected by disturbances; therefore, its architecture needs to be redesigned to ensure this attribute, meaning that the steering system should be redundant to achieve the required availability level. Specifically, based on the data in Table 3, to prevent hazardous occurrences, faults related to steering functions must be controlled within 196 ms. If the vehicle rolls over or rotates, passengers may be injured; therefore, the steering function must be available within 70 ms. For failures related to behavior planning, such as failures caused by DGPS faults, the reaction time is 155 ms, which may require appropriate functional degradation. Finally, different functions must be correctly partitioned to avoid cascading failures.
4. Conclusion
This article introduced a simulation-based fault injection method for assessing the safety of automated vehicle functions and applied this method to a case of urban vehicles embedded with automated lateral control functions. The focus was on determining the FTTI values of permanent faults based on maximum lateral error and steering saturation. One of the main advantages of the proposed method is that it can serve as a supplementary safety analysis method, achieving an ISO 26262 compliant safety assessment process.