[Figure] Forward collision avoidance system with autonomous braking (Bond et al.)

The collision controller, part A of the system, is connected with the following system components. It is connected with the radar and the camera through the object detection system.
An object detection system could have more sensors or devices to detect an object in front of the vehicle. In this study, we suppose that it uses more than one motion sensor to complement the radar and the camera.
The object detection system could be very simple or very complex, but in this study we consider the simple version. In the following sections, we refer only to the object detection system instead of referring individually to the radar, camera, and sensors. The vehicle sensor complex is also connected with the collision controller: it generates a vehicle status signal and sends it to the collision controller.
The vehicle sensor complex consists of several vehicle system sensors, such as a brake position sensor, throttle position sensor, steering sensor, suspension sensor, speed sensor, and seat belt sensor. The information from these sensors can either be used individually or together to complement the collision avoidance system. The warning indicator connected with the collision controller generates a collision warning signal in response to the collision assessment of the collision controller.
The collision controller gets input from the object detection system and the vehicle sensor complex when it performs the collision assessment.
The collision controller shown in part A works as follows. The vehicle and object status provider in the collision controller calculates the current status of the object in front of the vehicle and the current status of the vehicle and provides both to the collision probability estimator. The collision probability estimator then calculates the probability of a collision based on the received information.
This first stage is known as collision detection, a passive safety function that only warns the vehicle operator. If the operator does not respond to the collision warning, the system activates the collision avoidance function, also known as active safety or autonomous braking. The collision controller uses an algorithm to estimate the risk of collision and generates a collision-assessment signal.
It is a critical component of the collision avoidance system, because both active safety and passive safety depend on its output. It also calculates further parameters, such as the time to collision, the point of collision, and the identity of the detected object. If the operator does not respond to the warning, the collision controller sends the collision-assessment signal, together with the object and vehicle status signals, to the brake controller and the engine torque controller to apply autonomous braking.
The brake controller, part B of the system, works as follows. It receives the vehicle status signal, the detected-object status signal, and the collision-assessment signal from the collision controller. The brake controller has a brake pressure measurement or determination component that determines the brake pressure required in the current situation, based on the information received from the collision controller and the accelerator position sensor.
After determining the required brake pressure, the brake controller sends an autonomous brake signal to the brake system and to the engine torque controller. The brake system has a brake pedal and a brake actuator that apply the autonomous brakes. The operator can increase the brake pressure by intervening in the autonomous braking; doing so also deactivates the collision avoidance system for that particular collision situation. The engine torque controller, part C of the system, works as follows. After receiving signals from the collision controller and the brake controller during autonomous braking, it reduces the engine torque to almost zero, using methods such as limiting the air or fuel supply to the engine, downshifting the transmission, or switching the engine off.
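To make the control loop of parts A to C concrete, the following toy simulation is an added example for this page; it is not code from Bond et al. or from the study. The collision probability ramp, the warning and braking thresholds, the operator reaction window, the brake-pressure rule, the standoff distance and the one-dimensional kinematics are all assumptions chosen so that the three behaviours described above (warn first, brake autonomously if the operator does not respond, hand over and deactivate when the operator brakes harder) can be observed in a trace.

```python
# Toy model of the collision avoidance control loop described above (parts A-C).
# Added example for this page, not code from Bond et al. or the study: the
# probability ramp, thresholds, reaction window, brake rule and kinematics are assumed.
from dataclasses import dataclass
import math

DT = 0.5            # s per control tick (assumed)
TTC_HORIZON = 8.0   # s; collision probability ramps from 0 here to 1 at TTC 0 (assumed)
WARN_PROB = 0.5     # probability that raises the warning (assumed)
BRAKE_PROB = 0.75   # probability required before autonomous braking (assumed)
REACTION_TICKS = 2  # ticks the operator gets to respond to the warning (assumed)
MAX_DECEL = 8.0     # m/s^2 at full brake pressure (assumed)
STANDOFF = 2.0      # m the brake controller tries to keep to the object (assumed)

@dataclass
class Status:             # output of the vehicle and object status provider
    gap: float            # m to the detected object
    closing_speed: float  # m/s, ego speed minus object speed
    ttc: float            # s to collision, inf when the gap is not closing

def status_provider(gap, ego_speed, object_speed):
    closing = ego_speed - object_speed
    return Status(gap, closing, max(gap, 0.0) / closing if closing > 0 else math.inf)

def collision_probability(st):
    """Collision probability estimator: assumed linear ramp in time-to-collision."""
    return 0.0 if math.isinf(st.ttc) else max(0.0, min(1.0, 1.0 - st.ttc / TTC_HORIZON))

def required_brake_pressure(st):
    """Brake controller: pressure (0..1) that removes the closing speed within the gap."""
    if st.closing_speed <= 0:
        return 0.0
    needed = st.closing_speed ** 2 / (2.0 * max(st.gap - STANDOFF, 0.1))
    return min(1.0, needed / MAX_DECEL)

@dataclass
class CollisionController:
    warning_ticks: int = 0
    autonomous_brake: bool = False
    deactivated: bool = False  # operator intervened during autonomous braking

    def step(self, st, accelerator, operator_brake):
        prob = collision_probability(st)
        if prob < WARN_PROB and not self.autonomous_brake:
            self.warning_ticks, self.deactivated = 0, False  # situation over: re-arm
            return dict(prob=prob, warning=False, auto_brake=False,
                        brake_pressure=operator_brake, torque=accelerator)
        self.warning_ticks += 1  # passive safety: warning is on, wait for the operator
        if (not self.autonomous_brake and not self.deactivated and prob >= BRAKE_PROB
                and self.warning_ticks > REACTION_TICKS and operator_brake == 0.0):
            self.autonomous_brake = True  # active safety: operator did not respond
        if self.autonomous_brake and st.closing_speed <= 0:
            self.autonomous_brake = False  # object no longer closing: release
        auto_pressure = required_brake_pressure(st) if self.autonomous_brake else 0.0
        if self.autonomous_brake and operator_brake > auto_pressure:
            # Operator out-brakes the system: operator takes over and the avoidance
            # system is deactivated for this collision situation.
            self.autonomous_brake, self.deactivated, auto_pressure = False, True, 0.0
        torque = 0.0 if self.autonomous_brake else accelerator  # engine torque controller
        return dict(prob=prob, warning=prob >= WARN_PROB, auto_brake=self.autonomous_brake,
                    brake_pressure=max(auto_pressure, operator_brake), torque=torque)

def simulate(gap, ego_speed, object_speed, operator, ticks=20):
    """Run the loop; operator(tick, previous_output) returns (accelerator, brake pedal)."""
    ctl, trace, prev = CollisionController(), [], None
    for t in range(ticks):
        accelerator, pedal = operator(t, prev)
        st = status_provider(gap, ego_speed, object_speed)
        prev = ctl.step(st, accelerator, pedal)
        trace.append(dict(tick=t, gap=round(gap, 2), ttc=round(st.ttc, 2), **prev))
        # Plant: brake pressure decelerates the vehicle; the gap closes at closing speed.
        ego_speed = max(0.0, ego_speed - prev["brake_pressure"] * MAX_DECEL * DT)
        gap -= (ego_speed - object_speed) * DT
        if gap <= 0:
            trace.append(dict(tick=t + 1, gap=0.0, collision=True))
            break
    return trace

def unresponsive(t, prev):  # holds the accelerator, never brakes
    return 0.2, 0.0

def attentive(t, prev):  # lifts off and brakes as soon as the warning shows
    return (0.0, 0.6) if prev and prev["warning"] else (0.2, 0.0)

def make_overrider():  # ignores the warning, then out-brakes the autonomous brake
    took_over = [False]

    def overrider(t, prev):
        took_over[0] = took_over[0] or bool(prev and prev["auto_brake"])
        return (0.0, 1.0) if took_over[0] else (0.2, 0.0)
    return overrider

if __name__ == "__main__":
    for row in simulate(100.0, 25.0, 5.0, unresponsive):
        print(row)
```

Running the module prints the tick-by-tick trace for an unresponsive operator closing on a slower object at 20 m/s from 100 m: the warning appears once the estimated probability reaches the warning threshold, autonomous braking engages only after the reaction window has elapsed with the brake pedal untouched, and the engine torque output is zero for exactly the ticks in which autonomous braking is active. Swapping in `attentive` shows the passive path alone preventing the collision, and `make_overrider()` shows a single tick of autonomous braking followed by deactivation once the operator presses harder than the controller's computed pressure. The hazard-relevant subtlety the trace makes visible is the hand-over: after the operator intervenes, the controller stays deactivated for that situation even if the probability rises again, exactly the kind of control-action timing that an STPA analysis would examine.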
The accelerator position sensor is electrically coupled to the brake controller and the engine torque controller and provides the position of the accelerator to both.

Some studies have compared different risk and hazard analysis methods. The misuse case (MUC) method was originally proposed for eliciting security requirements (Sindre and Opdahl), but it has also been used for safety analysis.
Both methods were compared in an experiment to investigate which method is better for identifying failure modes and whether one of the methods is easier to learn and to use.
Yu et al. Ishimatsu et al. The additional factors include those that cannot be identified using fault tree analysis, including software and system design as well as system integration.
Fleming et al. NextGen is the next generation of air traffic management systems and contains the In-Trail Procedures (ITP) application. ITP is an application of Automatic Dependent Surveillance-Broadcast (ADS-B) that allows aircraft to change flight levels in areas where current radar separation standards would prevent desirable altitude changes (Haissig and Brandao). To summarize, ITP helps to increase operational efficiency and throughput in oceanic airspace (Fleming et al.).
In the comparison, the authors identified 19 safety requirements that were not in either of the two official NextGen analysis documents. According to the authors, bottom-up analysis techniques such as FMEA start by identifying all possible failures. This list can be very long if there are many components and all permutations and combinations of component failures are considered.
STPA, by contrast, identifies only the failures and other causes that can lead to a system hazard and does not start by identifying all possible failures. Moreover, in the top-down STPA approach, the analyst can stop refining causes at the point where an effective mitigation can be identified and need not go into further detail. The analyst only has to continue refining causes if an acceptable mitigation cannot be designed. Furthermore, Nakao et al. The authors conclude that with STPA it is possible to recognize the safety requirements and constraints of the system before the detailed design.
Raspotnig and Opdahl compare risk identification techniques for safety and security requirements. Each technique is assessed against several quality criteria addressing the context, the application area, and the application method, as well as the advantages and disadvantages of using the technique. The assessment is based on evidence reported in the literature. The authors conclude that risk identification techniques for safety are more mature than those for security and that the safety techniques have found the balance between creativity and formalism that the identification process needs.
According to Leveson et al. Therefore, according to the authors, STPA is more effective because it is built on systems thinking, which treats the whole system as a single unit, and it finds more hazards. Moreover, STPA has previously been compared and evaluated against bottom-up methods, e.g. Several authors Leveson; Pereira et al.
However, the traditional methods, although more than 50 years old, are still used in practice for the analysis of safety-critical systems in the early design, development, and operational phases. There is therefore a need to further investigate the effectiveness of STPA compared with the traditional safety analysis methods used in industry. If further investigations find STPA to be an effective method, the results can help industry shift to this newer analysis method.
To summarize, it is worth investigating the main differences between STPA and traditional methods, in this case FMEA, and the types of hazards each identifies. The main objective of this study is to compare and investigate the effectiveness of the FMEA and STPA hazard analysis methods in the domain of software-intensive safety-critical systems.
Based on the comparison results, this study also investigates which method is more effective. Moreover, it evaluates the analysis process of both methods using qualitative criteria derived from the technology acceptance model (TAM). The research objective has been broken down into the following main research questions. RQ1: What are the main differences between the selected hazard analysis methods regarding the types of hazards identified?
In our context, effectiveness is high if a large number of relevant hazards but only a small number of non-relevant hazards are identified. Five error types were defined based on the related studies Leveson et al. Furthermore, the classification of the identified hazards into error types is investigated to answer which method finds which types of hazards. RQ2 is answered by developing qualitative criteria to evaluate the analysis process of both methods. The qualitative criteria were derived from the TAM to evaluate the analysis process with respect to ease of use and usefulness.
The developed qualitative criteria were then applied to both methods to analyze and evaluate them. It should be noted that, in this research, the hazard analysis of the collision avoidance system is carried out using only the FMEA method, because the STPA analysis was already done in the previous study. Step 1 denotes the steps carried out in the previous study Sulaman et al. There, the identified inadequate control commands or events were analyzed for their causal factors. In step 2, the second author of this study applied the FMEA method to the same collision avoidance system to analyze operational hazards, i.e. hazards that endanger the safety of the system when it is operated.
The first author already knew the existing hazards in the selected system because he had applied STPA to it in the previous study Sulaman et al. Therefore, to improve the validity of the research, it was decided that the first author would not apply the FMEA method; instead, the second author carried out the FMEA analysis, as he has experience in analyzing safety-critical systems.