Development of Safety Process in Model-Based Design Platform for Safety-Critical Systems

Jing-Xiang Peng
Department of Electrical Engineering, National Taipei University, New Taipei City, Taiwan
[email protected]

Yung-Yuan Chen
Department of Electrical Engineering, National Taipei University, New Taipei City, Taiwan
[email protected]
Abstract. The reliability and robustness of a safety-related system can be ensured by using international standards, such as ISO 26262, to develop and verify the functional safety of the system. This research proposes a safety validation and risk reduction (SVRR) process based on the ISO 26262 safety standard for decreasing risk and validating safety in a model-based design platform. The proposed safety process can be employed to identify the crucial components in the system, and the effects of such crucial components' failures on the functional safety can be effectively mitigated through fault-tolerant mechanism protection. An emergency brake control algorithm and brake-by-wire system was developed through the SVRR process built in the NI and dSPACE system design platform. Simulation-based fault injection campaigns were performed, and the experimental results show the degree of severity of the components' failures to the system and the robustness of the system. We then employ a fault-tolerant mechanism to protect the most vulnerable component to improve the system safety.

Keywords: safety lifecycle; FMEA; ISO 26262; model-based design platform; fault injection; safety process

I. INTRODUCTION

Intelligent automotive systems are often realized as distributed control-by-wire systems that replace the traditional mechanical and hydraulic systems [1]. This alternative has the benefits of saving cost and energy and of improving performance as well as safety. However, electronic control systems have a higher probability of incurring fatal interferences, such as electromagnetic interference or radiation-induced errors, than mechanical and hydraulic systems. Therefore, the safety and robustness issues must be addressed during the development of safety-critical electronic automotive systems. This is the main issue and challenge for distributed control-by-wire systems. Taking safety/reliability and fault tolerance metrics into control system design further raises the design complexity of the entire design process. Therefore, an effective safety design and verification process should be proposed to help decrease the design and verification complexities. By incorporating an international functional safety standard, such as ISO 26262 [2], into the design process, a safety-critical system can be developed more efficiently to meet the functional safety standards. According to [3], using FMEA and enforcing fault analysis in the initial stage of system design can identify the vulnerability in the design, and a feasible risk reduction approach by fault-tolerant design can be developed to enhance the system robustness and safety.

ISO 26262 is based on the IEC 61508 standard. It sets the functional safety requirements for automotive electronic systems. This standard also designates the required supportive actions within each stage of the safety lifecycle according to the automotive system development process. A hazard analysis and risk assessment is also described in detail to set the Automotive Safety Integrity Level (ASIL). During safety design, all aspects of the ASIL must be met to achieve the desired safety level [4].

In this research, we propose an effective, systematic safety validation and risk reduction (SVRR) process following ISO 26262 in a model-based design platform for safety-critical systems. A model-based fault injection method is developed to analyze the system under faults by simulating injected faults that interfere with the simulation model of the built system, including the detailed simulation model itself and the sensor and control processes used. Throughout the fault injection experiments, the degree of robustness and safety can be verified. If the system safety level is not adequate, the risk reduction process, which consists of vulnerability analysis and fault-robust design, is activated to raise the safety to the required level. For complicated ECU-based automotive drive-by-wire systems, it is impractical and not cost-effective to protect the entire system. Analyzing the vulnerability of the system helps designers not only invest limited resources in the most crucial regions but also understand the gain derived from those investments.

An emergency brake control algorithm and brake-by-wire system was developed through the SVRR process built in the NI and dSPACE system design platform. Fault injection was performed at the model-based level, and the experimental results show the degree of severity of the components' failures to the system and the robustness of the system. We then employ a fault-tolerant mechanism to protect the most vulnerable component to improve the system robustness/safety, and the effect of the fault-tolerant mechanism on the robustness/safety of the overall system is analyzed. The remainder of the paper is organized as follows. In Section II, the SVRR process is proposed. The risk model for vulnerability analysis and risk assessment is proposed in Section III. In Section IV, based on the SVRR process, the dSPACE ASM [5] and NI PXI [6] are utilized to build a system safety verification platform, which employs the dynamic software fault injection method to analyze the robustness and safety of the brake-by-wire system. The experimental results, as well as how to enforce the robustness of the brake-by-wire automotive system using a fault-tolerant mechanism, are shown in Section V, and conclusions appear in Section VI.

978-1-4673-5000-6/13/$31.00 ©2013 IEEE
II. SAFETY VALIDATION AND RISK REDUCTION PROCESS

According to the safety concept stage of ISO 26262-3, a safety validation and risk reduction process is proposed. With this process a highly safe electronic system can be designed. The SVRR process is divided into three stages, as shown in Figure 1:

[Figure 1 is a flowchart of the SVRR process aligned with ISO 26262-3 clauses 3-5 (item definition), 3-6 (initiation of the safety lifecycle) and 3-7 (hazard analysis and risk assessment). Phase 1: identify possible interferences and defects in the operation situations and operating modes, and develop the fault injection strategy to emulate interference-induced errors; external measures feed into this phase. Phase 2: perform fault injection campaigns, identify failure modes, assign risk-priority numbers and locate the critical components to be protected. Phase 3: add fault-tolerant design to improve the robustness of the critical components identified in Phase 2.]

Figure 1. Safety Validation and Risk Reduction Process

Phase 1 (hazard definition): this phase identifies the potential interferences and develops the fault injection strategy to emulate the faults and interference-induced errors that could possibly occur during system operation. This stage defines and describes the error behaviors and hazards that may occur within the safety lifecycle, as well as the risks that the injected faults may cause during system operation.

Phase 2 (vulnerability analysis and risk assessment): this phase confirms and classifies the dangerous items and sets related prevention measures or safety goals to mitigate these risks, so as to prevent risks that may cause system failure. The fault injection campaigns are performed based on the fault analysis of Phase 1. Throughout the fault injection campaigns, we can identify the failure modes of the system caused by the faults/errors injected while the system is in operation. The probability distribution of failure modes can be derived from the fault injection campaigns. The risk-priority number (RPN) is then calculated for the components inside the electronic system. A component's RPN rates the risk of the consequences caused by the component's failure, and can be used to locate the critical components to be protected. The robustness of the system is computed based on the adopted robustness criterion, such as the automotive safety integrity level (ASIL) defined in ISO 26262 [2]. If the robustness of the system meets the safety requirement, the system passes the validation; otherwise the robustness/safety is not adequate and Phase 3 is activated to enhance the system robustness/safety.

Phase 3 (risk reduction): this phase develops a feasible risk-reduction approach by fault-tolerant design to improve the robustness of the critical components identified in Phase 2. The enhanced version then returns to Phase 2 to recheck whether the adopted risk-reduction approach satisfies the safety/robustness requirement.

III. VULNERABILITY ANALYSIS AND RISK ASSESSMENT

Fault-tolerant technology has matured and is mainly implemented with redundancy techniques to enhance system robustness/reliability. By analyzing the vulnerability of the system or its hardware components, the system robustness can be effectively increased under limited resources and unnecessary investments can be avoided. In this section, a risk model is proposed to quickly assess the vulnerability of the brake-by-wire system implemented at the Simulink® model-based design level. Conceptually speaking, using the FMEA-based risk model, the fault injection method is used to verify the brake-by-wire system robustness. From the results of the risk assessment, the vulnerability ranking of components or modules can be deduced from the probability distribution of failure modes caused by the faults/errors occurring in the components or modules. The concepts used in the risk model are described below.

A. Hazard Definition

In a model-based design method, the faults resulting in hazards are classified into covered and uncovered faults. Covered faults are the faults that are defined by the system and effectively handled by fault-tolerant technology. Uncovered faults are those that have yet to be found or solved with systematic mechanisms. Among system faults, the most common are software flaws, soft errors in flip-flops, register files and the memory system, and EMI on the communication bus. In this study, only single faults are used to derive the failure modes and hazards appearing in the system.

B. Failure Mode

Using fault injection, the potential failure behaviors of the system can be analyzed. Errors are injected into a specific module to analyze the effect of a fault in that component on the entire system. After errors have been injected into all modules of the system, the failure modes that occurred within the system can be classified. In this paper, the classification of software errors follows [7]: timing errors, control-flow errors and data errors. The failure behaviors of the software are classified into severe, significant, in-significant and non-effective. These four types of software failure modes are used to prove the risk assessment method in this study. A huge number of injected errors is required to ensure an adequate amount of statistical data for analysis and to attain reliable experimental results.
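As an added illustration of the failure-mode analysis described above (example code written for this page, not the paper's Simulink tool), the following Python script injects permanent stuck-at faults from a small fault set into a constructed toy model of the emergency brake system, compares each faulty run against a golden run, counts the affected control loops and applies the counting rule the paper states in Section III-D (more than two loops affected: severe; two: significant; one: insignificant; none: non-effective). The module names, plant dynamics, the three control loops and the fault set are constructed assumptions; the campaign distribution it returns is the kind of statistic Table I reports.

```python
"""Simulation-based fault injection and failure-mode classification.
Added example for this page, not the paper's tool: the plant, module
names, control loops and fault set below are constructed assumptions."""
from collections import Counter

SEVERE, SIGNIFICANT, INSIGNIFICANT, NON_EFFECTIVE = (
    "severe", "significant", "insignificant", "non-effective")


def classify(affected):
    """Counting rule of Section III-D: map the number of affected control
    loops to one of the four software failure modes."""
    if affected > 2:
        return SEVERE
    if affected == 2:
        return SIGNIFICANT
    if affected == 1:
        return INSIGNIFICANT
    return NON_EFFECTIVE


def simulate(steps=6, fault=None):
    """Run the toy emergency-brake model for `steps` cycles.

    fault = (start_time, location, stuck_value) is one element of the fault
    set F{Start Time/Timing/Prototype/Location}: a permanent stuck-at error
    on the output of module `location` from cycle `start_time` onwards.
    Returns one trace (list of observed values) per control loop."""
    distance, speed = 60.0, 20.0          # constructed initial state: m, m/s
    traces = {"anti_collision_loop": [],  # radar -> EBC command
              "speed_loop": [],           # vehicle speed fed back to speed sensor
              "pedal_loop": []}           # pedal -> brake-by-wire actuator force

    def faulty(module, t):
        return fault is not None and t >= fault[0] and fault[1] == module

    for t in range(steps):
        radar = fault[2] if faulty("radar_sensor", t) else distance
        speed_reading = fault[2] if faulty("speed_sensor", t) else speed
        pedal = fault[2] if faulty("brake_pedal", t) else (0.0 if t < 3 else 0.4)
        # Emergency brake controller: full braking once the (constructed)
        # stopping distance v^2/10 reaches the measured range.
        stopping = speed_reading ** 2 / 10.0
        ebc_cmd = fault[2] if faulty("ebc", t) else (1.0 if stopping >= radar else 0.0)
        brake = fault[2] if faulty("bbw", t) else max(ebc_cmd, pedal)
        traces["anti_collision_loop"].append(ebc_cmd)
        traces["speed_loop"].append(speed)
        traces["pedal_loop"].append(brake)
        speed = max(0.0, speed - 8.0 * brake)   # constructed deceleration model
        distance -= speed
    return traces


def affected_loops(golden, faulty_run, tol=1e-9):
    """A control loop counts as affected if its trace deviates from the
    golden (fault-free) run at any cycle."""
    return sum(1 for loop in golden
               if any(abs(a - b) > tol
                      for a, b in zip(golden[loop], faulty_run[loop])))


def run_campaign(fault_set, steps=6):
    """Inject every fault of the set, classify each outcome and return the
    probability distribution of failure modes (the statistic of Table I)."""
    golden = simulate(steps)
    modes = [classify(affected_loops(golden, simulate(steps, f))) for f in fault_set]
    counts = Counter(modes)
    return {mode: counts[mode] / len(fault_set)
            for mode in (SEVERE, SIGNIFICANT, INSIGNIFICANT, NON_EFFECTIVE)}


# Constructed fault set: (start_time, location, stuck_value).
FAULT_SET = [
    (0, "radar_sensor", 100.0),   # range stuck far away from the start
    (0, "speed_sensor", 0.0),     # speed stuck at zero
    (3, "bbw", 0.0),              # actuator stuck released during braking
    (5, "ebc", 1.0),              # controller command stuck high in the last cycle
    (4, "brake_pedal", 0.0),      # pedal stuck released near the end
    (5, "radar_sensor", 100.0),   # same radar fault, injected in the last cycle
]

if __name__ == "__main__":
    golden_run = simulate()
    for fault in FAULT_SET:
        n = affected_loops(golden_run, simulate(fault=fault))
        print(f"{fault!s:32} affected loops: {n}  -> {classify(n)}")
    print(run_campaign(FAULT_SET))
```

The start time of a fault matters as much as its location: the same radar stuck-at fault is severe when injected in the first cycle and non-effective when injected in the last one, which is why the paper's campaigns inject within the safe, warning and braking time frames rather than at a single instant.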
C. Fault Injection Process

Software fault injection is a non-traditional software testing method. It uses specific failure modes and deliberate, man-made methods to create faults and apply them within the system, so that system errors and failure occurrences are accelerated. Different targets, such as hardware components, software components and simulation components, each have their own respective fault injection method. A simulation-based fault injection process was developed in the Simulink model-based design platform and used for fault simulation and robustness/safety validation. In the Simulink environment, a fault set is built according to the FMEA process. The desired errors are then injected from the fault set into the simulated modules to investigate the resulting failure modes, hazards and risks.

D. Failure Mode Classification Procedure

The failure mode classification procedure is used to classify the brake-by-wire system failures caused by component failures. Figure 2 shows the fault injection process and failure mode classification. The FMEA process finds all possible failure modes of the brake-by-wire system and analyzes the effects of the failure modes on the system. Under normal circumstances, FMEA records every cause of failure and every potential failure mode. Different types of brake-by-wire system failure modes lead to different degrees of severity.

According to [7], the failure mode classification method is employed to classify the four types of software failure modes mentioned in Section III-B. The fault set is used for fault injection. A specific component failure is used to observe the number of control loops that are affected by the faulty component. When the emergency brake system receives a fault injection while in operation, if more than two control loops are affected, the failure is classified as severe. If two control loops are affected, the classification is significant. In the case of one affected control loop, the classification is insignificant. No affected control loop corresponds to the non-effective classification.

[Figure 2 shows the fault injection flow: timing errors, control-flow errors and data errors are injected into EBBW sub-modules 1 to n, followed by vulnerability analysis and risk assessment and the specification of safety goals (ISO 26262-3 clause 3-7).]

Figure 2. Fault Injection Process and Failure Mode Classification

Control loop: normally, for simulation control, a controller uses an input value together with a set of rules and a calculation method to decide the output; the input and output together form a control loop.

IV. SYSTEM SAFETY VERIFICATION PLATFORM

We develop the proposed SVRR process in a model-based design platform supported by NI and dSPACE. These organizations provide a series of hardware and software tools that have been widely used for system design, simulation and verification in the automobile and robot control areas. We have created an effective safety verification platform to provide the capability to quickly handle the operation of fault injection campaigns and dependability analysis for system designs built with Simulink. The core of the verification platform is the simulation-based fault injection tool in the Simulink model-based design environment, together with the vulnerability analysis and risk assessment tool. Combining the fault injection tool with the vulnerability analysis and risk assessment tool, the verification platform dramatically increases the efficiency of carrying out system robustness validation, vulnerability analysis and risk assessment.

V. CASE STUDY: EMERGENCY BRAKE-BY-WIRE SYSTEM

The automotive emergency brake-by-wire (EBBW) system uses an electric/electronic system to replace traditional mechanical and hydraulic systems. Traditional mechanical or hydraulic systems can be used as a backup to strengthen the safety measures. The research in [9] proposes a simple electric/electronic brake-by-wire (BBW) system that does not have a backup mechanical system, creating new failure modes from the challenges faced by electronic control systems. A safety-related BBW system with an active emergency brake control strategy was developed to demonstrate the feasibility of the proposed SVRR process. This case study mainly uses dynamic software fault injection to simulate hardware failure behaviors. The fault injection campaigns were conducted to assess the degree of risk caused by each module and to assess the robustness of the entire BBW control system. The risk model of Section III is used, and the safety verification platform of Section IV is used to inject errors and obtain the related risk parameters. Potential BBW system failure modes are classified into severe, significant, insignificant or non-effective as found in the fault injection process. The top-down method is used to analyze the BBW system: the failure modes of the entire system are analyzed by analyzing the failure effect of each component on the system.

Finally, according to the probability distribution of failure modes for each component, the risk assessment is performed and verified. The most vulnerable component is then identified and protected by a TMR scheme. We show that through risk reduction by fault-tolerant design, the system robustness can be raised. The proposed safety process can identify and protect the vulnerable components and raise the system robustness and safety effectively.
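As an added example (not the paper's platform or code) of Phase 2 and Phase 3 of the SVRR process as applied in this case study, the following Python script ranks the components by their share of the severe failure mode, using the severe-mode counts of Table II (45, 30 and 18 out of 93), and then protects the top-ranked module, the radar sensor, with a triple modular redundancy (TMR) majority voter that masks one faulty replica and refuses to vote when two replicas disagree. The replica readings, the agreement tolerance and the stuck-at faults are constructed assumptions.

```python
"""Vulnerability ranking (Phase 2) and TMR protection of the most vulnerable
module (Phase 3). Added example for this page, not the paper's platform:
the severe-mode counts are Table II's figures; everything else is a
constructed assumption."""


def rank_by_severe_share(severe_counts):
    """severe_counts maps a component to the number of fault injection
    campaigns in which its fault led to the severe failure mode.
    Returns (component, share of all severe outcomes) pairs, most
    vulnerable first, i.e. the 'Severe without fault tolerance' column."""
    total = sum(severe_counts.values())
    return sorted(((name, n / total) for name, n in severe_counts.items()),
                  key=lambda pair: pair[1], reverse=True)


def tmr_vote(readings, tol=0.5):
    """Majority voter over three replica readings.

    Two readings that agree within `tol` form the majority and the median
    is the voted value, so a single faulty replica is masked. When no two
    replicas agree (two or more faults) there is no majority and the voter
    raises instead of silently passing a bad value on.
    Returns (voted_value, index_of_masked_replica_or_None)."""
    pairs = [(i, j) for i, j in ((0, 1), (1, 2), (0, 2))
             if abs(readings[i] - readings[j]) <= tol]
    if not pairs:
        raise ValueError("TMR voter: no majority, more than one replica is faulty")
    voted = sorted(readings)[1]                       # median of three
    outlier = ({0, 1, 2} - set(pairs[0])).pop() if len(pairs) == 1 else None
    return voted, outlier


def protected_radar(true_distances, faults, tol=0.5):
    """Triplicated anti-collision radar: each cycle samples three replicas
    of the true range, applies the permanent stuck-at faults in `faults`
    ({replica_index: (start_time, stuck_value)}) and votes.
    Returns the voted ranges delivered to the emergency brake controller."""
    voted_ranges = []
    for t, distance in enumerate(true_distances):
        readings = [distance, distance, distance]
        for replica, (start, stuck_value) in faults.items():
            if t >= start:
                readings[replica] = stuck_value
        voted, _ = tmr_vote(readings, tol)
        voted_ranges.append(voted)
    return voted_ranges


# Severe-mode counts from Table II (93 severe outcomes in 630 campaigns).
TABLE_II_SEVERE_COUNTS = {
    "Radar sensor module": 45,
    "SV speed sensor module": 30,
    "ECU module": 18,
}

# Constructed range trace (m) for the demonstration.
TRUE_RANGE = [60.0, 40.0, 28.0, 16.0, 7.2]

if __name__ == "__main__":
    ranking = rank_by_severe_share(TABLE_II_SEVERE_COUNTS)
    for name, share in ranking:
        print(f"{name:24} {share:6.2%}")
    most_vulnerable = ranking[0][0]            # 'Radar sensor module'
    # One replica stuck at 100 m from cycle 1: masked by the voter.
    print(most_vulnerable, "single fault ->",
          protected_radar(TRUE_RANGE, {2: (1, 100.0)}))
    # Two replicas faulty from cycle 2: no majority, the voter refuses.
    try:
        protected_radar(TRUE_RANGE, {1: (2, 0.0), 2: (1, 100.0)})
    except ValueError as err:
        print("double fault ->", err)
```

The voter raising on a double fault is a deliberate design choice: the paper's TMR scheme tolerates exactly one erroneous replica, so a second fault must surface as a detected failure rather than be voted through as a plausible range.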
A. Experimental Results

The fault injection campaigns were performed on the sensors (anti-collision and speed sensors), brake pedal, emergency brake control module and brake-by-wire module, based on the fault set F = {Start Time / Timing / Prototype / Location}. Three time frames for fault injection are defined as the simulation time of the system within the safe, warning and braking distance, respectively. The errors in this research are presumed to be permanent errors. According to Section III-B, when performing fault injection, the errors are injected into the modules described above. Table I shows the probability distribution of failure modes of the system without fault-tolerant protection. From Table I, we observe that once a fault occurs in the system, the system has a 27.7% probability of suffering from the severe or significant failure modes. Clearly, the robustness of the system should be improved. Next, we need to identify the most vulnerable component to be protected. Due to space limitations, Table II only lists the top three components that have the highest probability of producing the severe failure mode once faults occur in them. As can be seen from Table II, the probability of the severe failure mode for the radar sensor module is the highest among the components in the system. Therefore, the radar sensor module is the crucial component, and it is protected by a fault-tolerant mechanism.

To achieve the functional safety requirement as stated in the SVRR process of Section II, a fault-tolerant scheme must be added to decrease the risk and to increase the robustness of the system. This study uses the commonly used TMR redundancy technique [7] to protect the radar sensor module. Since the system adds two more anti-collision radar modules, a majority-voting (polling) mechanism allows the sensor to tolerate the occurrence of one error. Finally, Table I shows that under the protection of the fault-tolerant technique, the severe failure mode probability has improved by 7.2%, which demonstrates the improvement of system robustness.

VI. CONCLUSIONS

This study presents a valuable safety validation and risk reduction process in a model-based development environment to verify and enhance the robustness/safety of safety-related systems. We developed an EBBW system based on the SVRR process in the NI and dSPACE model-based design platforms in order to verify the feasibility of the proposed SVRR process. The main contributions of this work are, first, to perform dynamic software fault injection at the model-based level to carry out the failure mode classification. Second, an EBBW system risk model was built to assess the risks that will occur due to faults. Third, the complete vulnerability analysis and risk assessment of the emergency brake-by-wire system can help measure the reliability and safety of the system. These results can be used to investigate whether the system meets the safety standards. If not, the vulnerability analysis can be used to increase the overall safety of the system by applying risk reduction methods. Vulnerability analysis offers an effective approach to improving a component's robustness. Therefore, investing in the right place and preventing failure-prone design allows fast implementation of a system that meets the safety goal at lower cost. The presented safety process can dramatically increase the efficiency of the development and verification process for safety-critical systems.
ACKNOWLEDGMENT

The authors acknowledge the support of the National Science Council, R.O.C., under Contract NSC 101-2221-E305-007.

TABLE I. EBBW SYSTEM FAILURE MODE PROBABILITY DISTRIBUTION

EBBW System               Failure Mode Classification
                          Severe    Significant    In-significant    NE
without fault tolerance   14.8%     12.9%          10.0%             62.3%
with fault tolerance       7.6%     12.9%          10.0%             69.5%

TABLE II. EBBW SYSTEM FAILURE MODE PROBABILITY DISTRIBUTION

Component                 Severe without fault tolerance    Number of times
Radar sensor module       48.39%                            45
SV speed sensor module    32.26%                            30
ECU module                19.35%                            18

Note: the number of fault injection campaigns is 630, and the number of severe failure mode outcomes is 93 within the 630 fault injection campaigns.

REFERENCES

[1] W. Xiang, P. C. Richardson, C. Zhao, and S. Mohammad, "Automobile Brake-by-Wire Control System Design and Analysis", IEEE Trans. on Vehicular Technology, Vol. 57, No. 1, Jan. 2008.
[2] ISO, "ISO 26262: Road vehicles -- Functional safety", International Standard ISO/FDIS 26262, 2011.
[3] S. H. Nggada, "Software Failure Analysis at Architecture Level using FMEA", International Journal of Software Engineering and Its Applications, Vol. 6, No. 1, January 2012.
[4] M. Roland, A. Eric, L. Andrea, and S. Christian, "Automatic and optimal allocation of safety integrity levels", Reliability and Maintainability Symposium (RAMS), pp. 1-6, 2012.
[5] dSPACE, "The web pages of dSPACE", http://www.dspace.com/en/inc/home.cfm, 2013.
[6] National Instruments, "The web pages of NI", http://taiwan.ni.com, 2013.
[7] R. Svenningsson, H. Eriksson, J. Vinter, and M. Törngren, "Model Implemented Fault Injection for Hardware Fault Simulation", 2010 Workshop on Model-Driven Engineering, Verification, and Validation, pp. 31-36, Oct. 2010.
[8] H. Chen and J. Tian, "Research on the Controller Area Network", Intl. Conf. on Networking and Digital Society, pp. 251-254, 2009.
[9] G. Michael and N. Andreas, "Component-based development and verification of safety critical software for a brake-by-wire system with synchronous software components", Software Engineering for Parallel and Distributed Systems, pp. 134-145, 1999.