Abstract

ISO 26262 is a tailored functional safety specification for electrical and electronic systems in passenger vehicles. Typical passenger vehicles have one controlling agent (the driver) and typically utilize simple fail-safe behaviors to notify the driver of significant system faults, such as activating a warning light. Developing advanced safety systems, with the ultimate goal of achieving Level 5 autonomy, has created a need to develop operationally complex passenger vehicles to test self-driving technology. One example of such a system is a Dual-Cockpit vehicle that has been specifically designed to enable human factors research for TRI's Guardian system. Toyota Guardian anticipates or identifies a pending incident and seamlessly intervenes to assist the human driver to form a mobility teammate. This paper presents a methodology that leverages ISO 26262 methodologies, which are well established in the automotive industry, to handle significant operational complexity. The methodology develops a Concept of Operations (ConOps) defining operational modes. Vehicle-level behaviors are then defined to achieve a safe state across all operational modes defined in the ConOps. The safe state behaviors are integrated into ISO 26262 work products such as the HazOp, HARA, and Functional Safety Concept, including Functional Safety Requirements. This generalized methodology: 1. facilitates systematic analysis of control authority arbitrations between multiple independent controlling agents, 2. helps ensure sufficient system redundancy across all operational modes, and 3. develops appropriate responses to bring the vehicle to a safe state in each operational mode. The methodology can be adapted to other complex systems with ease.
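The abstract describes a ConOps whose operational modes each need a defined safe-state behavior and, where more than one agent may hold control authority, an explicit arbitration rule. The following is an added illustration, not code from the paper or from TRI: a small consistency check over a constructed mode table that reports modes with missing safe states, multi-agent modes without an arbitration rule, and safe states whose fallback agent cannot actually take control in that mode. The mode, agent and behavior names are placeholders chosen for the example, not the paper's actual ConOps.

```python
from typing import Dict, List, Optional, Set

# Constructed ConOps (placeholder names, not the paper's): for each operational
# mode, the agents that may hold control authority and the rule that resolves
# conflicts when more than one agent may control at once.
CONOPS: Dict[str, Dict] = {
    "manual_primary":   {"agents": {"primary_driver"},
                         "arbitration": None},
    "manual_secondary": {"agents": {"secondary_driver"},
                         "arbitration": None},
    "guardian_assist":  {"agents": {"primary_driver", "guardian"},
                         "arbitration": "guardian_overrides_within_envelope"},
    "dual_supervised":  {"agents": {"primary_driver", "secondary_driver"},
                         "arbitration": "secondary_override_switch"},
}

# Constructed safe-state table: the vehicle-level behavior for each mode and
# the independent agent that must remain able to carry it out.
SAFE_STATES: Dict[str, Dict[str, str]] = {
    "manual_primary":   {"behaviour": "warn_driver",         "fallback": "primary_driver"},
    "manual_secondary": {"behaviour": "warn_driver",         "fallback": "secondary_driver"},
    "guardian_assist":  {"behaviour": "hand_back_to_driver", "fallback": "primary_driver"},
    "dual_supervised":  {"behaviour": "minimal_risk_stop",   "fallback": "secondary_driver"},
}


def check_safe_state_coverage(conops: Dict[str, Dict],
                              safe_states: Dict[str, Dict[str, str]]) -> List[str]:
    """Return a list of findings; an empty list means every mode is covered."""
    findings: List[str] = []
    for mode, spec in conops.items():
        agents: Set[str] = spec["agents"]
        arbitration: Optional[str] = spec.get("arbitration")
        if not agents:
            findings.append(f"{mode}: no controlling agent defined")
        # Two or more agents with authority need a rule deciding who wins.
        if len(agents) > 1 and not arbitration:
            findings.append(f"{mode}: {len(agents)} agents may control but no arbitration rule")
        safe = safe_states.get(mode)
        if safe is None:
            findings.append(f"{mode}: no safe-state behaviour defined")
            continue
        # The fallback must be an agent that can hold authority in this mode.
        if safe["fallback"] not in agents:
            findings.append(f"{mode}: fallback '{safe['fallback']}' cannot take control here")
    # Safe states for modes the ConOps never defines indicate a stale table.
    for mode in safe_states:
        if mode not in conops:
            findings.append(f"{mode}: safe state defined for a mode missing from the ConOps")
    return findings


if __name__ == "__main__":
    for line in check_safe_state_coverage(CONOPS, SAFE_STATES) or ["all modes covered"]:
        print(line)
```

The check is deliberately table-driven so that adding a mode to the ConOps without adding its safe state, or adding a second agent without an arbitration rule, fails the check rather than silently passing into the HARA.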
