Kenneth Bandhoe is the CEO of Baesis Automotive and an automotive functional safety expert. Jan Benders and Roel van den Boom serve as the program manager for control systems and a software and safety engineer, respectively, in the automotive research department at Hogeschool van Arnhem en Nijmegen. Geert Kwintenberg is the department manager for electronics and software engineering at E-Traction. Milan Luburic is the lead embedded software engineer at VSE Vehicle Systems Engineering. Bart Oosthoek and Marcel Romijn are an automotive functional safety expert and a project leader, respectively, at Brace Automotive.

13 May 2016

The Smartcode project is working towards a practical, publicly available recommended practice based on the ISO 26262 functional safety standard for road vehicles. The project partners explain why and how.

Modern systems are taking over more and more tasks from humans. Road vehicles include an increasing number of support systems, and it won’t take long for the fully autonomous vehicle to present itself. Robots have evolved from handy production tools into versatile value-adding solutions. As cobots, they even interact with humans, further expanding their usability.

Such applications pose a demanding set of requirements on control systems. As complexity increases, the safety aspect gains importance. At the same time the available development time is under pressure. Companies, especially SMEs, are challenged to master a growing set of competencies without losing focus on the actual product.

The Smartcode project aims to provide solutions for SMEs in two areas. First, it helps them to integrate a model-based workflow for control system development using dedicated software tools. Second, it addresses the functional safety of the products developed by project partners to minimize product liability.

Necessary guidance

Functional safety is a challenging subject, as indicated by the extensive body of standards that regulate it. In addition, developers quickly feel constrained because functional safety demands a formal, structured approach and also restricts the choice of development tooling and even programming language features. For this reason Smartcode is working towards a practical, publicly available recommended practice based on the ISO 26262 functional safety standard for road vehicles, with the ultimate aim of helping SMEs develop safe products more efficiently.


According to ISO 26262, functional safety is the absence of unreasonable risk due to hazards caused by malfunctioning behaviour of electrical and electronic systems. Typical examples in road vehicles are cruise control, electronic gas pedals and electric power steering. All of these systems have the potential to cause a hazard when they fail. Following a safety standard helps to minimize malfunction-related risk by urging the manufacturer to consider all the product’s safety-related aspects.

Several standards address the safety of objects that interact with humans. For a long time the automotive industry used the generic industrial safety standard for electronic and electrical systems, IEC 61508. Because this standard mainly addresses the interaction between operators and machinery, some adaptations had to be made for its use in the automotive industry. An automotive-specific safety standard based on IEC 61508 was finally released at the end of 2011: ISO 26262. Its scope is currently limited to the electrical and electronic systems in road vehicles up to 3500 kilograms. The second edition, expected to be released in 2018, will add trucks, trailers and motorcycles.

Other sectors have their own derivatives of IEC 61508: railways (EN 50126/28/29), industrial processes (IEC 62511) and machine safety (IEC 62061 and ISO 13849), to name a few. These standards are very similar in their treatment of development procedures and risk analysis. Smartcode has chosen ISO 26262 because of the consortium’s many automotive project partners.

To design a recommended practice, it’s essential to gather input on consortium partners’ knowledge and practical experiences. Two partners are currently in the process of introducing ISO 26262 at their companies: VSE Vehicle Systems Engineering and E-Traction. The other two partners are specialized in the area of functional safety: Baesis and Brace. For the recommended practice, Han Automotive Research is capturing our experiences and lessons learned in templates and use-case-based examples of the required work products.

Combined with a central dashboard, these templates and examples provide the necessary guidance to those still at the very beginning of the safety integration process. The templates and examples are currently document-based. A next step is to model a basic case in a SysML modelling tool, such as Enterprise Architect or Topcased, ready to be used for a new project.

Figure: Top-level dashboard for Smartcode’s recommended practice

Use cases

One real-life use case covers the safety architecture for next-generation steering and suspension system control for trucks and trailers at VSE. VSE has completed the concept phase and is now in the development phase. A newly developed ISO 26262-compliant safety controller for the new truck/trailer advanced steering system is an integral part of its safety architecture. VSE-derived work products are added to the recommended practice, after the necessary removal of intellectual-property-related content.

Another real-life use case addresses the development of an in-wheel direct-drive electric powertrain at E-Traction. The company’s Themotion product range is currently subject to ISO 26262. E-Traction is at roughly the same stage as VSE, working in the development phase. It applies a model-based approach using Enterprise Architect as a modelling and documenting tool. Smartcode’s recommended practice enables E-Traction to develop close professional collaborations with other companies facing the same challenges. The shared methodology and the accompanying templates help them to efficiently incorporate ISO 26262 compliance into their development processes.

In addition to these real-life use cases, the recommended practice also includes a use case that was originally intended as a proof of concept for a new methodology developed by Brace. This use case addresses a pre-ISO 26262 cruise control system, which is validated and verified by applying the ISO 26262 analyses to it while keeping its functional and technical levels separate. The advantage of this type of analysis is its potential reuse across different technologies and products. Brace created this methodology for a subset of its customers who are struggling to apply functional safety to low-volume production, for example off-highway mobile machines or niche cars such as 4×4 and electric vehicles.

To ensure quality and correctness, Baesis conducts a final review of the templates, use cases and recommendations. The company provides consultancy, training, coaching and system and software engineering tasks that are a valuable asset for our recommended practice. In addition to monitoring and troubleshooting quality in the recommended practice working group, it hosts weekly Q&A sessions to answer detailed questions arising from daily practice at Smartcode’s partners and external companies.

Well-informed choices

The project is now moving from the concept phase to the development phase. All material is currently maintained in a restricted-access wiki environment, to protect the intellectual-property-related content in the real-life use cases. After both phases have finished, the wiki environment will undergo a thorough update, including a clean-up of its IP-related parts. The goal is to publish the content in a public wiki that will serve as a user-friendly portal to the contents, providing a clear view on the topics. We hope to expand the knowledge base in the future to cover the complete V-model through templates, new use cases and best practices. However, this will require that new project partners join our team and either contribute a use case or run a joint functional safety project.

During the development of the recommended practice, we discovered that the introduction of functional safety at a company raises many questions due to the complexity and extent of ISO 26262, especially at SMEs that do not have a dedicated QA department to manage the process. Our consortium aims to add the considerations and lessons learned to the recommended practice knowledge base, to enable future users to make well-informed choices. Combined with existing resources such as the central dashboard, the templates and the recommendations, this information will speed up the process for companies just starting to explore functional safety. It does not, however, provide a one-stop shop covering the full complexity of functional safety, nor will it replace the experience and context awareness of a functional safety expert.

Edited by Nieke Roos