On Hazard Identification and Safety Cases in the Automotive Domain
Doctoral thesis, 2008
Since electronics is the enabling factor for functional growth in many automotive engineering areas, the electrical system of a vehicle is becoming increasingly important for every new vehicle generation. Many new functions implemented in electronics are safety related, which raises new requirements on how to ensure the safety of automotive electronic systems. The safety case approach, a well-known method for demonstrating the safety of a system, can potentially become an effective method for meeting these requirements but needs to be adapted to the automotive setting. This thesis addresses the problem of how to develop an efficient safety case for electronic systems in the automotive domain. Three specific research questions are addressed: i) how can evidence of safety be determined in early design phases, ii) what is the current view of the safety case approach in the automotive industry, and iii) how should an automotive safety case be designed to be efficient and cost-effective? The first question is addressed by proposing an actuator-centric hazard analysis method and by an experimental evaluation of two hazard identification methods. The quality of the use cases, which are the main inputs to the hazard identification, is investigated in a retrospective analysis. The second question is partially answered by an explorative case study based on interviews with ten stakeholders in three automotive companies. The study shows that there is a need for the safety case approach and that it can be utilized for a wide range of tasks in addition to certification. The interviews identified 18 drivers, 21 usage areas, ten issues and as many as 85 different requirements, primarily related to efficiency, for a safety case. The third question is addressed by proposing a framework for automotive safety cases, which demonstrates how the safety case approach can be adapted to the automotive industry. 
It includes a definition of scope, a decomposition based on the domain structure in AUTOSAR, and a set of safety argumentation modules. The integration of the framework with a generic automotive development process and its relation to the ISO-26262 safety standard are also described.