Functional Safety for Autonomous Vehicles Is Not an Afterthought

Autonomous vehicles need safety-related functionality that can sense and react to hazardous situations. It’s an engineering process as critical as engineering the product itself.

The proliferation of autonomous vehicles has increased the need for Functional Safety as part of a vehicle's design process. Yet Functional Safety, as defined by a number of IEC and ISO standards, is viewed by many engineers as a document-centric clerical endeavor rather than engineering work. For many engineers, one of the least pleasant parts of the job is the time-consuming work of interpreting documents such as IEC 61508 and ISO 26262 and determining exactly what compliance steps must be performed.

Functional Safety for autonomous vehicles is comparable in complexity to designing the product itself. (Image source: DISTek Integration)

Safety for autonomous vehicles is a huge challenge for engineers. Many things can go wrong, and every one of them has to be accounted for in the vehicle’s safety design. “Think of all the hazardous contingencies that an autonomous vehicle has to contend with—particularly in an urban environment. If you say, ‘I can’t do it; there are too many contingencies,’ then you see the point,” Daniel Aceituna, requirements/functional safety/test engineer at DISTek Integration, told Design News. “There are scenarios like the trolley problem, where autonomous vehicles are asked to make a human-like judgment. Scenarios such as these will need to be factored into the appropriate safety response.”

Aceituna will present the session, The Functional Safety in Autonomous Vehicles Is Not an Afterthought, at the Embedded System Conference in Minneapolis on Nov. 1.

Human/Vehicle Interactions

The interactions between autonomous vehicles and humans are a significant challenge for safety. “Accidents like the Tesla incident have shown that humans are not the best back-up contingencies to a vehicle at Level 2 or 3,” said Aceituna. “Even with advanced driver-assistance systems (ADAS), some studies have suggested that drivers may act more recklessly when they assume the vehicle’s safety features will cover for them.”

One of the safety challenges is the fact that autonomous vehicles behave differently from vehicles driven by humans. For one, autonomous vehicles tend to be more cautious. “There are incidents where a crash caused by a human driver interacting with an autonomous vehicle occurs because the driver didn’t expect such a law-abiding vehicle in front of them,” said Aceituna. “More research in this area needs to be done in the lab before it’s conducted out in the world.”

The Swiss Cheese Scenario

One aspect of safety is particularly hard to capture in standards. That’s when more than one thing goes wrong at the same time. “James Reason introduced the Swiss cheese model as it applies to accidents. This is where several slices of Swiss cheese, each representing something that can go wrong, are stacked in such a way that it creates a hazardous path through lined-up holes,” said Aceituna.

Aceituna noted that there are real-world examples of accidents that occurred when multiple aspects of the product failed simultaneously. “The poster child for a Swiss cheese scenario is the Titanic, where more than six relatively innocent incident failures lined up to cause the ship’s sinking,” said Aceituna. “The FS standard has relatively little to say about dealing with Swiss cheese scenarios, yet most accidents are the result of several things going wrong at once.”
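The Swiss cheese model can be put into numbers, which is where the FS standards' relative silence on it becomes visible. The following is an added example written for this page, not code from DISTek Integration or from any standard: each defence layer is a slice with a constructed hole probability p_i (the chance that, on a given demand, that layer fails to stop the hazard), and the hazardous path exists only when the holes line up. The independence calculation is the textbook one; the common-cause variant is a simplified beta-factor style estimate (the shared-cause probability taken as beta times the smallest p_i is an assumption made for the example, not the IEC 61508 Part 6 procedure). All layer probabilities below are constructed, not measured.

```python
"""Swiss cheese model as a small probability calculation (added example).

Each defence layer is a "slice" with hole probability p_i. The hazard reaches
the outcome only when enough holes line up, i.e. several layers fail at once.
All numbers are constructed for illustration.
"""
from itertools import product


def all_layers_fail(hole_probs):
    """P(every slice fails) under the independence assumption: the product
    of the p_i. This is the number that makes stacked layers look so strong."""
    p = 1.0
    for h in hole_probs:
        p *= h
    return p


def at_least_m_fail(hole_probs, m):
    """P(at least m of n independent slices fail), by enumerating all 2^n
    failure patterns. Fine for a handful of layers; a real fault tree tool
    works on minimal cut sets instead. Useful when the hazardous path only
    needs some of the layers breached (the Titanic case) rather than all."""
    total = 0.0
    for pattern in product((False, True), repeat=len(hole_probs)):
        if sum(pattern) < m:
            continue
        pr = 1.0
        for failed, p in zip(pattern, hole_probs):
            pr *= p if failed else 1.0 - p
        total += pr
    return total


def all_layers_fail_common_cause(hole_probs, beta):
    """Simplified beta-factor common-cause estimate (assumption for this
    example, not the standard's procedure). A fraction beta of each layer's
    failure probability is attributed to a shared cause (same power rail,
    same sensor feed, same wrong assumption in the spec) that defeats every
    layer at once; the rest fails independently. The shared-cause probability
    is taken as beta times the smallest p_i."""
    p_shared = beta * min(hole_probs)
    p_indep = 1.0
    for h in hole_probs:
        p_indep *= (1.0 - beta) * h
    return p_shared + (1.0 - p_shared) * p_indep


if __name__ == "__main__":
    # Six constructed layers, each failing one time in ten on demand.
    layers = [0.1] * 6
    print("independent, all six fail: ", all_layers_fail(layers))
    print("independent, any four fail:", at_least_m_fail(layers, 4))
    print("10% common cause, all six: ", all_layers_fail_common_cause(layers, 0.1))
```

With six layers at one-in-ten each, independence gives a one-in-a-million hazardous path; a 10 % common-cause share turns that into roughly one in a hundred, four orders of magnitude worse. That gap is the engineering content of the Swiss cheese scenario: the stack is only as good as the independence of its slices, which is exactly what a document-only compliance exercise tends not to check.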

Safety Engineering Is as Challenging as Product Engineering

One of the biggest challenges in developing safety for autonomous vehicles is the need to anticipate a wide range of possible interactions between the vehicle and its environment. “To comply with FS standards, an engineer must anticipate what can go wrong when a product interacts with its environment (including us unpredictable humans) and conceive of a safety-related system,” said Aceituna. “The typical FS safety-related system loop has a sensor, logic, and actuation structure, consisting of subsystems that work together to detect a hazardous situation, react to that situation in a predetermined way, and place the system into an appropriate safe state. Add to this, further consideration of whether that safe state will itself result in a hazard.”

The complexity of developing safety can be as demanding as the engineering to create the product itself. “You need to make that safety loop’s integrity level such that it can be counted on to reliably react to that situation if and whenever called upon. With that, you have the makings of an engineering challenge comparable to the engineering of the product itself,” said Aceituna. “Some may argue that it is more challenging, since there is a human tendency to optimism and therefore a product is designed along happy paths of functionality. Thus, designing a system that assumes that many things can go wrong is cognitively counterintuitive, and therefore poses a bigger challenge for the engineer.”
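The sensor, logic and actuation loop described above, including the check that the safe state does not itself create a hazard, is concrete enough to sketch in code. The following is an added example written for this page, not code from DISTek Integration or from any vehicle: the thresholds, the `Frame` fields and the sample readings are all constructed, and the two range channels, the closing speed and the shoulder-availability flag are assumed to come from independent subsystems. Two points it shows that the paragraph only states: loss of sensor integrity (channels disagree, or a reading is physically impossible) is treated the same way as a detected hazard, because a loop that cannot prove the road is clear has no business assuming the happy path; and the safe state is chosen by context, since a dead stop in a live lane at speed is a hazard of its own while the same stop at crawling speed is benign.

```python
"""Sensor -> logic -> actuation safety loop (added example, constructed data).

Not a real vehicle's code. Thresholds and field names are assumptions made
for the example; the two range channels, the closing speed and the shoulder
flag are assumed to come from independent subsystems.
"""
import math
from dataclasses import dataclass
from enum import Enum

# Constructed thresholds for the example, not values from any standard.
RANGE_DISAGREEMENT_M = 2.0   # redundant range channels must agree within this
SENSOR_MAX_RANGE_M = 200.0   # anything beyond is physically implausible here
MIN_TTC_S = 2.0              # time-to-collision below this is a hazard
LOW_SPEED_MPS = 3.0          # below this an in-lane stop is not itself a hazard


class Command(Enum):
    CONTINUE = "continue"
    PULL_OVER_AND_STOP = "pull over to shoulder and stop"
    CONTROLLED_STOP_IN_LANE = "controlled stop in lane, hazard lights on"


@dataclass(frozen=True)
class Frame:
    range_a_m: float          # forward range from channel A (e.g. radar)
    range_b_m: float          # same quantity from an independent channel B
    closing_speed_mps: float  # positive when the gap is shrinking
    ego_speed_mps: float
    shoulder_clear: bool      # usable shoulder available (from a separate subsystem)


def sensor_plausible(frame):
    """Diagnostic step: refuse to trust a reading that is physically impossible
    or that the redundant channel contradicts. Logic built on a bad sensor has
    no integrity, however correct the logic is."""
    for r in (frame.range_a_m, frame.range_b_m):
        if not math.isfinite(r) or r < 0.0 or r > SENSOR_MAX_RANGE_M:
            return False
    return abs(frame.range_a_m - frame.range_b_m) <= RANGE_DISAGREEMENT_M


def hazard_detected(frame):
    """Logic step: time-to-collision using the more conservative (shorter) range."""
    if frame.closing_speed_mps <= 0.0:
        return False
    ttc = min(frame.range_a_m, frame.range_b_m) / frame.closing_speed_mps
    return ttc < MIN_TTC_S


def choose_safe_state(frame):
    """Pick a safe state and check it does not create a hazard of its own.
    Stopping dead in a live lane at speed is a hazard, so prefer the shoulder
    when one is available; at crawling speed an in-lane stop is benign and a
    pull-over manoeuvre would add risk rather than remove it."""
    if frame.ego_speed_mps <= LOW_SPEED_MPS:
        return Command.CONTROLLED_STOP_IN_LANE
    if frame.shoulder_clear:
        return Command.PULL_OVER_AND_STOP
    return Command.CONTROLLED_STOP_IN_LANE


def safety_cycle(frame):
    """One pass of the loop. Returns (actuator command, reason).
    Loss of sensor integrity is handled like a hazard: the loop cannot prove
    the road is clear, so it goes to a safe state instead of assuming it."""
    if not sensor_plausible(frame):
        return choose_safe_state(frame), "sensor fault"
    if hazard_detected(frame):
        return choose_safe_state(frame), "hazard"
    return Command.CONTINUE, "ok"


if __name__ == "__main__":
    # Constructed frames: clear road, hazard with and without a shoulder,
    # disagreeing channels, a NaN reading, and a hazard at crawling speed.
    for f in (Frame(60.0, 60.5, 5.0, 25.0, True),
              Frame(8.0, 8.5, 10.0, 25.0, True),
              Frame(8.0, 8.5, 10.0, 25.0, False),
              Frame(60.0, 30.0, 5.0, 25.0, True),
              Frame(float("nan"), 60.0, 5.0, 25.0, True),
              Frame(1.0, 1.2, 1.0, 2.0, True)):
        cmd, why = safety_cycle(f)
        print(f"{why:13s} -> {cmd.value}")
```

The integrity-level argument in the quote above maps onto the plausibility check: the loop's reliability is bounded by its ability to notice that its own inputs are wrong, which is why the diagnostic branch fires the same actuation as a confirmed hazard rather than logging and carrying on.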

True Engineering or Clerical Work?

While safety may require considerable documentation, it is still essentially engineering work. “I find a common sentiment that views Functional Safety or FS as additional overhead, document-centric work, or more clerical than engineering in nature. This results in some lack of appeal to the Functional Safety process, and subsequent reluctance to implement it,” said Aceituna. “I found that one way to counter this is to view FS as an engineering endeavor, with some additional documentation associated with it, rather than view FS as strictly documentation work. After all, engineers would rather design than do documents. So viewing FS as additional engineering makes it seem more appealing.”

Treating FS as engineering also fits the structure of the systems involved. “Viewing FS as engineering is not hard to do when you consider that products that have a control system typically consist of sensors, logic, and actuators, whereas the typical FS safety-related system loop also consists of sensors, logic, and actuators,” said Aceituna. “Thus, FS is more of what is already being engineered—only with the emphasis on sensing and reacting to hazardous situations. This makes Functional Safety more than just filling out extra documents.”

Rob Spiegel has covered automation and control for 17 years, 15 of them for Design News. Other topics he has covered include supply chain technology, alternative energy, and cyber security. For 10 years, he was owner and publisher of the food magazine Chile Pepper.
