Products

Safety programming and distributed development required by ISO 26262 (Part 4)

By Editor

By Takao Futagami, TOYO Corporation

Part 4: Some Final Thoughts


I hope you have found the information in this series of posts useful. Please feel free to leave a comment. I will finish up the series with two sections from the Appendix of the paper on which the series is based.

Why Driver in the Loop Measurement?


TOYO CorporationThe control unit development for automobiles has accomplished the recent development with the technology of directly generating control programs from models after model-based simulation. Also, for the subtle issues that cannot be observed in simulation, even simulation tests at the same level as HILS are carried out with the hardware operated in experiment rooms. These methods are indispensable for the test subjects such as airplanes which are unstable by nature (the in-flight shutdown of an engine means a crash) and for the tests whose failure costs are huge.

In the case of the test subjects which are relatively stable such as automobiles, simply making and driving them made more sense than performing the tests of such level. However, in the recent trend, airplane development methods including HILS are adopted in the automobile development as much as possible.

But, this progress in the development methods lacks one thing, and that is the Driver in the Loop Measurement. To be more exact, if we want to guarantee the safety in actual driving, we are required to grasp the safety as mutual effects between the automobiles and the surrounding environment. Experts in the functional safety development have realized long ago that this measurement needs to be thoroughly performed. We therefore believe that an increasing number of passenger cars will have driving recorders in the future and that the automobile manufacturers will request that the data be provided to them. If you purchase a DVD recorder now, you almost automatically agreed to the license policy of various open source software modules. In the case of automobiles, the driving routes have to be treated carefully like the privacy of communications so as not to violate personal privacy, but this trend will be the mainstream from now on.

Auto drive and social risk


However, when the current momentum of electric control instrument development is put together with the convenience derived from it, it is inevitable that, with the conventional safety guarantee methods, various problems will be caused by the misunderstanding between product manufacturers and the users.

In an American TV drama, there was a scene in which an FBI investigator excitedly talks to the man in the passenger seat while driving a car on a wide jammed road in NY. The man in the passenger seat says “Watch where you drive”, but the investigator just answers “It’s ok, the car will automatically stop, if there is any danger.” And, the pre-crash system is activated at the exact moment and stops the car safely while both of them are crashed forward against the seat belts. This is an electronic control pitfall foreseen by ISO 26262. There is no guarantee that someone who watched this drama will never do the same thing while driving a car at 60 miles per hour. The balance between excessive expectations on auto-control functions and merits in automation is delicate.

With that said, there will be no doubt that the pre-crash system will decrease whiplash injuries caused by car accidents every year. Although we have seen some tragic accidents caused by the misunderstanding between the human and the airplane autopilot system, it is also true that today’s autopilot system has been contributing to prevent a much larger number of tragedies. The same thing can be said about the auto-control functions of automobiles. Therefore we must measure the degree of contribution by driver in the loop measurement now under safe condition of actual drivers.


Editor’s Note:
Takao Futagami specializes in risk analysis at TOYO Corporation, Polarion Software’s country partner for Japan

Previous articles: Part 1, Part 2, Part 3,


Functional Safety in ISO 26262 banner image

YOU MAY ALSO BE INTERESED IN:
On-demand Webinar: Hazard Analysis and Risk Assessment According to ISO 26262
Free Whitepaper: Polarion Automotive Solutions

Leave a Reply

This article first appeared on the Siemens Digital Industries Software blog at https://blogs.sw.siemens.com/polarion/safety-programming-and-distributed-development-required-by-iso-26262-part-4/