road marking while driving with a velocity of 120 km/h during daytime in dry weather. They are annotated with the value for the probability of exposure (E) in this situation. Combining the component's operations with the environmental conditions automatically yields the respective failure scenario, e.g. a faulty detection of the driving lane on normally frequented highways while driving at 120 km/h during daytime in dry weather. Because system-independent failure scenarios are referenced, the driver's controllability (C) in these scenarios can be specified independently of the system to be developed and prior to a risk analysis. The various types of possible accidents in the automotive domain are quantified via the potential severity (S) of the possible accident. As the LDWS observes the vehicle's position in the respective traffic lane, accidents resulting from unintentionally leaving the lane and colliding with surrounding traffic are possible in case of a component failure. Considering the failure scenarios and the possible accident types, the relevant hazards can be derived with the help of a generic hazard list that has been compiled in [1] and integrated into the DeSCAS ontology models. One of these hazards would be an undesired deviation from the traffic lane due to an error between the set and the actual value in the detection of the traffic lane.
3a. ASIL classification: Once all relevant system hazards have been identified, the risk class and thus the automotive safety integrity level (ASIL) of each hazard can be determined by means of the hazard analysis and risk assessment of ISO 26262. For this purpose, the three parameters S (severity), C (controllability), and E (probability of exposure), which can be derived from the accident types, failure scenarios and environmental conditions linked to the respective hazards, are evaluated. The ASIL of all hazards is calculated using SWRL (Semantic Web Rule Language⁴). Overall, the safety integrity level of the component is determined within the DeSCAS ontologies by the highest ASIL of all identified hazards (e.g. ASIL B). This is accomplished by the OWL reasoner Pellet. There are four ASIL classes A, B, C, and D, where D represents the highest safety integrity level. A fifth class, QM (quality management), does not impose any additional safety requirements on the system under development, but rather demands regular quality management during the development process.
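The following is an added illustration, not code from the DeSCAS project or from the paper: it replaces the SWRL rules described in step 3a with a plain Python lookup so the mechanics are visible. The S/E/C to ASIL mapping is the risk graph of ISO 26262-3:2011, Table 4; the component ASIL is the maximum over all hazards, exactly as the text describes for the ontology. The `Hazard` class, the function names and the S/E/C ratings of the sample hazards are assumptions made for this example (the sample ratings are chosen so that the component comes out at ASIL B, matching the text's example, and are not the ratings from the case study). The monotonicity check is the kind of sanity test a practitioner runs on a hand-encoded table before trusting it.

```python
"""ISO 26262-3 hazard analysis and risk assessment (HARA) as a table lookup.

Example code written for this page, not the DeSCAS implementation. The
S/E/C -> ASIL mapping follows ISO 26262-3:2011, Table 4.
"""
from dataclasses import dataclass

SEVERITY = ("S1", "S2", "S3")
EXPOSURE = ("E1", "E2", "E3", "E4")
CONTROLLABILITY = ("C1", "C2", "C3")
# QM is not an ASIL, but it sits below ASIL A when we take the maximum.
ASIL_ORDER = ("QM", "A", "B", "C", "D")

# ISO 26262-3:2011, Table 4. Indexed as ASIL_TABLE[S][E][index of C].
ASIL_TABLE = {
    "S1": {"E1": ("QM", "QM", "QM"), "E2": ("QM", "QM", "QM"),
           "E3": ("QM", "QM", "A"),  "E4": ("QM", "A", "B")},
    "S2": {"E1": ("QM", "QM", "QM"), "E2": ("QM", "QM", "A"),
           "E3": ("QM", "A", "B"),   "E4": ("A", "B", "C")},
    "S3": {"E1": ("QM", "QM", "A"),  "E2": ("QM", "A", "B"),
           "E3": ("A", "B", "C"),    "E4": ("B", "C", "D")},
}


def asil(s: str, e: str, c: str) -> str:
    """ASIL (or QM) for one hazard, given its S, E and C classification."""
    if s not in SEVERITY or e not in EXPOSURE or c not in CONTROLLABILITY:
        raise ValueError(f"invalid S/E/C triple: {s} {e} {c}")
    return ASIL_TABLE[s][e][CONTROLLABILITY.index(c)]


@dataclass(frozen=True)
class Hazard:          # assumed structure for this example
    name: str
    s: str
    e: str
    c: str


def hazard_asils(hazards) -> dict:
    """ASIL per hazard, keyed by hazard name."""
    return {h.name: asil(h.s, h.e, h.c) for h in hazards}


def component_asil(hazards) -> str:
    """Highest ASIL over all hazards of the component; QM if none were found."""
    levels = [asil(h.s, h.e, h.c) for h in hazards]
    if not levels:
        return "QM"
    return max(levels, key=ASIL_ORDER.index)


def table_is_monotone() -> bool:
    """Sanity check on the encoded table: raising S, E or C never lowers the ASIL."""
    rank = ASIL_ORDER.index
    for si, s in enumerate(SEVERITY):
        for ei, e in enumerate(EXPOSURE):
            for ci, c in enumerate(CONTROLLABILITY):
                here = rank(asil(s, e, c))
                if si + 1 < len(SEVERITY) and rank(asil(SEVERITY[si + 1], e, c)) < here:
                    return False
                if ei + 1 < len(EXPOSURE) and rank(asil(s, EXPOSURE[ei + 1], c)) < here:
                    return False
                if ci + 1 < len(CONTROLLABILITY) and rank(asil(s, e, CONTROLLABILITY[ci + 1])) < here:
                    return False
    return True


# Constructed sample hazards for an LDWS-like component. The S/E/C values are
# illustrative assumptions, not the ratings from the DeSCAS case study.
SAMPLE_HAZARDS = (
    Hazard("undesired lane deviation due to faulty lane detection", "S3", "E4", "C1"),
    Hazard("spurious lane departure warning", "S1", "E4", "C2"),
    Hazard("missing warning on unintended lane departure", "S2", "E3", "C2"),
)

if __name__ == "__main__":
    for name, level in hazard_asils(SAMPLE_HAZARDS).items():
        print(f"{level:>2}  {name}")
    print("component ASIL:", component_asil(SAMPLE_HAZARDS))
```

The ontology does the same two things with rules and a reasoner: one SWRL rule per table cell classifies a hazard individual, and the component's ASIL is inferred as the highest class among its hazards. Encoding the table as data rather than as rules makes the monotonicity check trivial, which is worth doing whenever the table is transcribed by hand.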
3b. Safety requirements: Applying the formalized ontology model of ISO 26262 (see [7]), the calculated ASIL is further processed to infer traceability links to the ASIL-related safety requirements, which themselves are associated with related safety methods and process phases and steps (i.e. safety clauses). In this case, a sample requirement of the system design phase would be the verification of the system design for compliance and completeness, which involves deductive analysis, a method that is highly recommended for ASIL B.
4 SWRL - http://www.w3.org/Submission/SWRL/