Add to collection(s) Add to saved
  1. No category
Uploaded by kirillov_kirill

Examination of Hazard Analysis and

advertisement 
Downloaded from SAE International by University of Wisconsin - Madison , Sunday, September 09, 2018
2016-32-0058
20168058
Published 11/08/2016
Copyright © 2016 SAE International
doi:10.4271/2016-32-0058
saepcelec.saejournals.org
Examination of Hazard Analysis and Risk Assessment and Exposure
Research in the Real Traffic Situation of ISO 26262 for Motorcycles
Makoto Hasegawa and Takanobu Kaneko
Japan Automobile Research Institute
ABSTRACT
ISO 26262, an international functional safety standard of electrical and/or electronic systems (E/E systems) for motor vehicles, was
published in November 2011 and it is expected that the scope will be extended to motorcycles in a second edition of ISO 26262 going
to be published in 2018. In order to apply ISO 26262 to motorcycle, proper estimation of Exposure, Controllability, and Severity are
key factors to determine Motorcycle Safety Integrity Level (MSIL). Exposure is a factor to indicate the probability of the state of an
operational situation that can be hazardous with the E/E system malfunction. And it is not easy to estimate the motorcycle Exposure
due to less availability of back ground data in actual operational situation compared to motor vehicle. Therefore real traffic situation
should be investigated in order to provide rationales for MSIL determination. In this study, we examined Hazard Analysis and Risk
Assessment (HARA) for motorcycle in accordance with ISO/PAS 19695 and identified motorcycle-specific operational situation. Then
we executed field survey for the acquisition of actual operational situation data and estimated Exposure. This paper shows motorcyclespecific issues for HARA and example of motorcycle travelling data useful for Exposure estimation.
CITATION: Hasegawa, M. and Kaneko, T., "Examination of Hazard Analysis and Risk Assessment and Exposure Research in the Real
Traffic Situation of ISO 26262 for Motorcycles," SAE Int. J. Passeng. Cars – Electron. Electr. Syst. 10(1):2017, doi:10.4271/2016-32-0058.
INTRODUCTION
be effective to support expert judgement to estimate Exposure, whose
back ground data in actual operational situation is less available
compared to motor vehicle.
ISO 26262 [1], an international functional safety standard of
electrical and/or electronic systems (E/E systems) for motor vehicles,
was published in November 2011 and it is applied to passenger car.
And it is expected that motorcycle will be included in its scope at the
next revision scheduled in 2018. Prior to its revision, Publicly
Available Specification, ISO/PAS 19695 [2] was published in 2015
and this PAS specifies the unique requirements to adapt ISO 26262 to
motorcycle. It is foreseen that the elements of ISO/PAS 19695 will
become the main contents of the revision of ISO 26262 regarding
motorcycle inclusion.
In this study we examined Hazard Analysis and Risk Assessment
(HARA) for motorcycle in accordance with ISO/PAS 19695 and
identified motorcycle-specific operational situation. Then we
executed field survey for the acquisition of actual operational
situation and estimated Exposure. Namely, we executed HARA for
items of Fuel Injection (FI) system, Anti-lock Brake System (ABS),
Combined Brake System (CBS) and Throttle-By-Wire (TBW)
system, which connect to the basic factors of motorcycle motion;
"braking, accelerating and turning" and getting popular E/E systems
of motorcycle, and examined potential concerns.
Motivation of this study is to examine Motorcycle Safety Integrity
Level (MSIL) determination in accordance with ISO/PAS 19695 for
the application of functional safety standard to motorcycle. Also
example of back ground data and method of its measurement to
estimate Exposure which is necessary for MSIL determination are
presented. There are few case studies of MSIL determination
available even though many case studies of Automotive Safety
Integrity Level (ASIL) for passenger car are available.
As a result, we assumed that Exposure of follow-up running situation
should be different between motorcycle and motor vehicle, which is
necessary to estimate it when we examine TBW system
malfunctioned situation. Therefore we chose the inter-vehicle time
between motorcycle and motor vehicle while motorcycle follow up a
preceding passenger car at constant speed on the urban road as a
research target and analysed follow-up running Exposure using video
data acquired by five video cameras on one of the heaviest traffic
road in Japan.
The factors to determine MSIL in accordance with ISO/PAS 19695
are Exposure (E), Controllability (C) and Severity (S). We previously
studied estimation procedure for Controllability and Severity [3][4].
And research of Exposure example in the real traffic situation should
95
Downloaded from SAE International by University of Wisconsin - Madison , Sunday, September 09, 2018
96
Hasegawa et al / SAE Int. J. Passeng. Cars – Electron. Electr. Syst. / Volume 10, Issue 1 (May 2017)
FUNCTIONAL SAFETY STANDARD FOR
MOTORCYCLE
ISO 26262:2011, an international functional safety standard of
electrical and/or electronic systems for motor vehicles is intended to
be applied to passenger car. Though it is expected that motorcycle
will be included in its scope at the next revision, it is considered that
there is a difficulty to apply existing ISO 26262 to motorcycle as it is,
because motorcycle have different characteristics from passenger car.
One of that kind of characteristics which should be taken into
consideration is the required level of safety measures to avoid
unreasonable risk defined by MSIL, and another is estimation method
of Exposure, Controllability and Severity in order to execute HARA
for motorcycle. Therefore ISO/PAS 19695 was created as functional
safety standard for motorcycle ahead of the revision of ISO 26262.
accelerating and turning" and getting popular E/E systems of
motorcycle. The results are described in following sections.
HARA for FI System
Item Definition for FI System
At the initiation of HARA for FI system, item definition was
executed. This activity is to understand the target item properly and
to enable to conduct subsequent phase activities smoothly. The
following is the result of item definition for FI system.
Target Systems
* FI system and related systems such as engine start system. See Figure 1.
Hazard Analysis and Risk Assessment (HARA)
HARA is a method defined by ISO 26262 and ISO/PAS 19695 to
identify and specify the hazardous event caused by malfunctioning
behaviour of E/E system and determine ASIL and MSIL and safety
goals. MSIL is determined by combination of Exposure,
Controllability, and Severity of the corresponding hazardous event of
each items composed of several E/E systems. Exposure indicates a
probability of the state of an operational situation that can be
hazardous with the E/E system malfunction. Controllability is an
ability to avoid a specified harm through the reactions of the persons
involved. Severity is an estimate of the extent of harm to individuals
that can occur in a potentially hazardous situation. These three factors
of MSIL are considered to have a huge difference between
motorcycle and passenger car in terms of estimated class because of
its vehicle characteristics and operational situations, and therefore
ISO/PAS 19695 shows motorcycle-specific example of these factors'
classification in Annex A.
To estimate Exposure, it is assumed that it is not appropriate to apply
same Exposure class as that of passenger car to motorcycle because
back ground data effectively support expert judgement is less
available compared to motor vehicle. Concerning Controllability and
Severity, those are also assumed not appropriate to apply because of
difference of vehicle characteristic in motion and feasibility of
evaluation test for Controllability, and availability of injury data
based on Abbreviated Injury Scale (AIS) used for passenger car for
Severity. Therefore motorcycle-specific methods were proposed as
mentioned previously.
Figure 1. Functional block diagram of target FI system
Functionality of the Item
* To detect rider operation and vehicle condition, and to control
necessary devices to generate adequate engine torque
Equipped Vehicle Specification
* Specification of vehicle equipped with defined item as in Table 1,
Table 1. Fundamental specification of the vehicle equipped with FI system.
In this study, we attempted to estimate motorcycle Exposure class
with acquiring motorcycle travelling data in the real traffic situation.
EXAMINATION OF HARA FOR
MOTORCYCLE
Following HARAs were conducted in accordance with ISO/PAS
19695 Clause 5 and Annex A. FI system, ABS, CBS and TBW
system were selected to the target items from a viewpoint that the
items connect to the basic factors of motorcycles motion; "braking,
Identification of Representative Failure Cause, Hazard
and Hazardous Event
As a next step representative failure cause occurred in FI system and
hazard were examined. Failures could occur in any functional blocks
and elements described in Figure 1, thus failure causes are numerous. It
is considered to be more important to examine what vehicle behaviour
would happen as an output from actuator because hazard is an
unintended behaviour of item resulting from failure which is the cause
of harm. As a result, representative hazards were classified as follows.
Downloaded from SAE International by University of Wisconsin - Madison , Sunday, September 09, 2018
Hasegawa et al / SAE Int. J. Passeng. Cars – Electron. Electr. Syst. / Volume 10, Issue 1 (May 2017)
1.
unintended loss of propulsion force
2.
unintended loss of additional propulsion force
3.
unintended generation of propulsion force
Case 1. a possible hazardous event is losing the propulsion force
and motorcycle speed decreases during travelling urban
road, and collided by following vehicle.
Case 2.
a possible hazardous event is losing the additional propulsion
force and motorcycle speed does not increase during
attempting to overtake preceding vehicle on urban road, and
colliding to the oncoming vehicle on the opposite lane.
97
HARA for ABS/CBS
Item Definition for ABS/CBS
The following is the result of item definition for ABS/CBS.
Target Systems
* ABS, CBS shown in Figure 2.
Case 3. a possible hazardous event is generating the propulsion
force and motorcycle speed increases during travelling
urban road, and colliding to preceding vehicle.
MSIL determinations for above representative hazardous events are
shown in below.
MSIL Determination
For the estimation of Exposure, Controllability and Severity to
determine MSIL, it is important to know how much acceleration and
deceleration could occur caused by concerned hazard. Our study
together with motorcycle manufactures is shown as below;
Case 1. a possible maximum deceleration is caused by engine stall
and it is still equivalent to the deceleration occurred by
engine braking during normal riding and rider could easily
and safely stop or evacuate from the lane, and following
vehicle driver could stop or avoid as well. (C class: C0 [3])
Case 2.
Case 3.
rider could easily recognise that motorcycle would not
accelerate as intended and cancel the overtaking manoeuvre
(C class: C0).
a possible maximum acceleration caused by FI system
without TBW system is what rider could easily control by
brake (C class: C0 [3]).
As a result representative HARA results are as shown in Table 2. In
each cases Controllability class was estimated as C0 and estimation
of Exposure or Severity was not required.
Table 2. Examples of FI system HARA
Figure 2. Functional block diagram of target ABS/CBS
Functionality of the Item
* To detect rider operation and vehicle condition, and to control
necessary devices to generate adequate brake force
Identification of Representative Failure Cause, Hazard
and Hazardous Event
Representative failure causes occurred in ABS/CBS and hazard were
examined. Basic idea is same as FI system examination and
representative hazards were classified as follows. In this paper situations
under which ABS/CBS would be activated, or effect of ABS/CBS
malfunction would be large, were chosen as representative situations.
1.
unintended reduction/loss of front wheel braking force
2.
unintended reduction/loss of rear wheel braking force
3.
unintended reduction/loss of braking force of both wheels
4.
unintended loss of front wheel ABS function
5.
unintended loss of rear wheel ABS function
6.
unintended loss of ABS function of both wheels
7.
unintended generation of braking force
8.
unintended loss of CBS function
Case 1.
a possible hazardous event is losing the front braking force
and motorcycle speed does not decrease during braking on
urban road, and colliding to preceding vehicle stopping at
traffic light.
Case 2. a possible hazardous event is losing the rear braking force
and motorcycle speed does not decrease during braking on
highway, and colliding to preceding vehicle stopping with
traffic congestion.
Downloaded from SAE International by University of Wisconsin - Madison , Sunday, September 09, 2018
98
Hasegawa et al / SAE Int. J. Passeng. Cars – Electron. Electr. Syst. / Volume 10, Issue 1 (May 2017)
Case 3. a possible hazardous event is losing the braking force of
both wheels and motorcycle speed does not decrease during
braking on urban road, and colliding to preceding vehicle
stopping at traffic light.
Case 4. a possible hazardous event is losing the front ABS function
and unintended front wheel lock occurs with the hard
braking on highway and falling down.
Case 5. a possible hazardous event is losing the rear ABS function
and unintended rear wheel lock occurs with the hard
braking on urban road and falling down.
Case 6. a possible hazardous event is losing ABS function of both
wheels and unintended wheel locks occur with the hard
braking on highway and falling down.
Controllability would be high. And probability of travelling highway
situation is high. Therefore Exposure would be high.
Case 8. a possible maximum effect is complete loss of CBS
function and it cause no brake application to front or rear wheel
depending on rider’s operation, but brake function of both wheels are
still available same as conventional brake. Therefore Controllability
would not be high.
As a result representative HARA results are as shown in Table 3.
Various MSILs were determined depending on the hazard and
scenario.
Table 3. Examples of ABS/CBS HARA
Case 7. a possible hazardous event is generating braking force and
unintended wheel locks occur during highway travelling
and falling down.
Case 8. a possible hazardous event is losing CBS function of both
wheels and motorcycle speed does not decrease during
braking on urban road, and colliding to preceding vehicle
stopping at traffic light.
MSIL determination for above representative hazardous events are
shown in below.
MSIL Determination
For determining MSIL, it is important to know how much braking
force could still remain in case for case 1, 2 and 3, and how much
braking force could occur in case for case 7 caused by concerned
hazard. And how often these rider assistance system would be
required to work. Our study together with motorcycle manufactures is
shown as below;
Case 1 and 2. a possible maximum effect is complete loss of front
or rear braking force and the other wheel's braking force is still
available. Therefore Controllability would not be high. Or probability
of the situation to require such a high deceleration which one of each
brake could generate is not sufficient to avoid collision, is not high.
Therefore Exposure would not be high.
Case 3. a possible maximum effect is complete loss of braking
force of both wheels and it is not possible to avoid the severe harm.
Case 4 and 6. a possible maximum effect is complete loss of front
or front/rear ABS function and it cause front wheel lock depending
on rider's operation, it is not easy to avoid falling down. Therefore
Controllability could be high. On the other hand probability of the
situation to require such a high deceleration which ABS need to work
to avoid wheel lock, is not high. Therefore Exposure would not be
high.
Case 5. a possible maximum effect is complete loss of rear
brake ABS function and it cause rear wheel lock depending on
rider's operation, and it is same as conventional brake and not
difficult to avoid falling down not like front wheel lock. Therefore
Controllability would not be high. And probability of the situation to
require such a high deceleration which ABS need to work to avoid
wheel lock is not high. Therefore Exposure would not be high.
Case 7. a possible maximum effect is generating high front and
rear braking force and it cause wheel lock of both wheels. Therefore
HARA for TBW System
Different from FI system and ABS/CBS mentioned above, we have
not concluded the result of HARA for TBW system yet in this study.
Because we found motorcycle-specific issue while we examined
identification of representative hazard and hazardous event, and
concentrated on that issue. The following is the issue we worked on.
Downloaded from SAE International by University of Wisconsin - Madison , Sunday, September 09, 2018
Hasegawa et al / SAE Int. J. Passeng. Cars – Electron. Electr. Syst. / Volume 10, Issue 1 (May 2017)
99
Identification of Representative Failure Cause, Hazard
and Hazardous Event
Representative hazards for TBW system are assumed as follows,
which are similar to hazards for FI system.
1.
unintended loss of propulsion force
2.
unintended generation of propulsion force
But generated acceleration would be much higher than that of FI
system malfunction because the failure cause would be different. In this
case it is important to know what kind of operational situation with
item malfunction could lead harm (Exposure), and how much
acceleration could occur (Controllability and Severity). As for
Exposure, probable scenario which could lead harm was identified as
such; motorcycle is following up a preceding vehicle and collide to it
due to unintended high acceleration. In this case Exposure could be
estimated in terms of probability of existence of motorcycle in each
inter-vehicle time (or distance) between preceding vehicle and
following motorcycle, and the inter-vehicle time affects estimation of
Controllability. It was assumed motorcycle should have its own
Exposure as its operational situation should be different from that of
passenger car and therefore existing inter-vehicle time data for
passenger car would not be applicable to motorcycle. Based on this
assumption we executed the field survey to research inter-vehicle time
between passenger car and motorcycle in the real traffic condition.
Figure 3. Image of follow-up running by motorcycle
Procedure and Method of Measurement
Then, we explain the measurement procedure and method. The data
acquisition was done using five set of video cameras, at weekday
8:00 to 18:00, on one of the heaviest traffic national road in Japan
(Route 20, Hatsudai, Tokyo, speed limit: 60 km/h). Four cameras
were set on the roadside to acquire inter-vehicle time data, and one
camera was set behind the vehicles to check if travelling scenes meet
definition 1. Frame rate of video camera is 60 fps. See Figure 4 and 5.
EXPOSURE RESEARCH IN THE REAL
TRAFFIC SITUATION
As mentioned previously, the object of this field survey was to
acquire inter-vehicle time between travelling passenger car in front of
motorcycle and follow-up running motorcycle. We defined follow-up
running as below to judge the validity of acquired data.
Figure 4. Image of speed measurement cameras allocation
Definition of Follow-Up Running
The followings are the definition of follow-up running in this study.
1.
Motorcycle is located within the middle position of 2 out of 4 of
preceding vehicle width against the vehicle centre longitudinal
axis. See Figure 3.
2.
Average vehicle speeds at measurement zones and vehicle speed
difference between preceding and following vehicles are within
+/-5 km/h. See Figure 4.
The definitions are to exclude the data of motorcycles which located
on the edge of preceding vehicle on the longitudinal line with
intentionally shortened inter-vehicle time and ready to avoid
preceding vehicle (for case 1), and which were accelerating to
overtake preceding vehicle and change the travelling lane (for case
2). In other words we assume common follow-up running is
motorcycle travelling behind the preceding vehicle and in the middle
position of the vehicle width in longitudinal, with constant speed. We
extracted corresponding motorcycle travelling scenes based on above.
Figure 5. Example of acquired scene
Measurement Result
Measurement results of inter-vehicle time for motorcycle in the real
traffic situation were as follows;
•
The number of identified motorcycle (total): 1,620 units
•
The number of follow-up running motorcycle: 104 units
•
90% coverage inter-vehicle time (cumulative):
0.52 s ≤ t90 < 1.63 s
•
99% coverage inter-vehicle time (cumulative):
0.37 s ≤ t99 < 1.87 s
Downloaded from SAE International by University of Wisconsin - Madison , Sunday, September 09, 2018
100
•
Hasegawa et al / SAE Int. J. Passeng. Cars – Electron. Electr. Syst. / Volume 10, Issue 1 (May 2017)
99.9% coverage inter-vehicle time (cumulative):
0.37 s ≤ t99.9 < 1.94 s
•
Motorcycle speed (range): 29.5 - 71.1 km/h
•
Motorcycle speed (average): 49 km/h
The distribution of motorcycle inter-vehicle time and vehicle speed
are in Figure 6 and 7.
the result shown in the tables and further discussion and consideration
would be needed to get how both factors be combined and used to
estimate final Exposure. Therefore those tables are still tentative.
And also, Controllability classification based on generated
acceleration was presented in our SETC2015 paper [3], examination
to estimate Controllability based on acceleration and inter-vehicle
time in case for follow-up running scenario should be addressed to
future issue.
Table 4. e1 and e2 Exposure table for follow-up running (tentative)
Figure 6. Distribution and frequency of inter-vehicle time
Table 5. e3 and e4 Exposure table for follow-up running (tentative)
Figure 7. Distribution and frequency of average motorcycle speed
As a result, Exposure of follow-up running motorcycle was estimated
as shown in Table 4 and 5, which was classified based on intervehicle time. Exposure of follow-up running passenger car is also
presented in the tables. As assumed initially, inter-vehicle time at
follow-up running was different between motorcycle and passenger
car, and necessity of motorcycle-specific Exposure estimation would
be suggested.
And we should underline that this Exposure was estimated from only
inter-vehicle time at follow-up running. As shown above, only 6%
(104 units) was recognised as doing "follow-up running" out of 1,620
units which were the total units of motorcycle recorded in the video.
It shows a probability of follow-up running situation is very low
against total operating time. It means eventual Exposure class of
follow-up running situation could be estimated one class lower than
SUMMARY
The following summarizes the main points in this study.
•
ISO 26262 is a standard intended to be applied to passenger car
and need an adjustment to apply to motorcycle. ISO/PAS 19695
was published for the adaptation to motorcycle.
•
HARAs in accordance with ISO/PAS 19695 were conducted
and MSILs were determined which very few case studies
currently exist. Though conducting HARAs for FI system and
Downloaded from SAE International by University of Wisconsin - Madison , Sunday, September 09, 2018
Hasegawa et al / SAE Int. J. Passeng. Cars – Electron. Electr. Syst. / Volume 10, Issue 1 (May 2017)
•
•
ABS/CBS were possible by using the methods of Controllability
and Severity estimation, precise HARA for TBW system could
be difficult with limited available knowledge and back ground
data depending on the hazardous event. It was suggested that
it would be necessary to execute the research on operational
situation in the real traffic situation to estimate Exposure.
ABBREVIATIONS
Measurement result showing inter-vehicle time at follow-up
running was different between motorcycle and passenger car
and thus our assumption was confirmed. Exposure example of
follow-up running motorcycle and its estimation method were
presented. Also it was shown that probability of follow-up
running situation would be low against total operation time.
CBS - Combined Brake System
Execution of precise HARA and determination of MSIL for
TBW system adopting the outcome of this study would be the
next step. And examination to identify other motorcycle-specific
operational situation, its Exposure, and corresponding field
survey would be also the next steps.
101
ABS - Anti-lock Brake System
AIS - Abbreviate Injury Scale
ASIL - Automotive Safety Integrity Level
C - Controllability
E - Exposure
FI - Fuel Injection
HARA - Hazard Analysis and Risk Assessment
MSIL - Motorcycle Safety Integrity Level
S - Severity
TBW - Throttle-By-Wire
QM - Quality Management
REFERENCES
1.
2.
3.
4.
ISO 26262:2011 "Road vehicles - Functional safety," Nov. 2011.
ISO/PAS 19695:2105 "Motorcycles - Functional safety" Dec. 2015.
Kawakoshi, M., Kobayashi, T., and Hasegawa, M., "ISO 26262
Controllability Evaluation Technique by Expert Riders," SAE Technical
Paper 2015-32-0746, 2015.
Arai, Y., Hasegawa, M., and Harigae, T., "Research on Method for
Classifying Injury Severity Using Motorcycle Accident Data for ISO
26262," SAE Int. J. Engines 9(1):397-404, 2016.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or
otherwise, without the prior written permission of SAE International.
Positions and opinions advanced in this paper are those of the author(s) and not necessarily those of SAE International. The author is solely responsible for the content of the paper.
Related documents
Avoid the possibility of GET ENDORSED!!
Avoid the possibility of GET ENDORSED!!
Handout 5 Error correction:
Handout 5 Error correction:
Day2 output SampangRheinjohn
Day2 output SampangRheinjohn
Ilikebannaas
Ilikebannaas
MATH
MATH
The motorcycle is an invention that saves me a lot... to the MRT station and it took me about 20...
The motorcycle is an invention that saves me a lot... to the MRT station and it took me about 20...
Philosophical Reflection
Philosophical Reflection
Safety starts with me Driving Safety:
Safety starts with me Driving Safety:
Download
advertisement