Bringing Functional Safety to Prototype Vehicles

When looking at functional safety for series production road vehicles, the ISO 26262 standard provides a detailed outline of the development process. However, when developing a prototype or demonstrator vehicle, there really isn’t an applicable standard to follow. The development efforts included in ISO 26262 exceed the scope for a prototype build. 

So, what is an engineer to do? Functional safety still must be considered for a prototype or demonstrator vehicle to protect drivers, passengers and people in the vicinity of the vehicle safe from harm caused by a vehicle malfunction. 

That’s why FEV has developed a custom functional safety process for prototype vehicles. It’s based on the main tasks included in the concept phase of ISO 26262, but with reduced complexity so it’s applicable to a prototype vehicle. These tasks include:

• Preliminary item definition
• High-level hazard analysis and risk assessment (HARA)
• Definition of safety mechanisms

In addition to these, we’ve included an iteration loop (see Figure 1) to reassess the remaining risk in combination with the defined safety mechanisms.

Preliminary Item Definition
Let’s say we have a prototype in which we are transforming a conventional powertrain into a P2 hybrid powertrain. In addition to integrating a high-voltage system, modifying the powertrain to be electric has safety implications. In this situation, the preliminary item definition would describe all the functionalities, operating modes, interfaces and operating conditions of the P2 hybrid system. 

High-Level Hazard Analysis and Risk Assessment
The main steps in this task are the selection of relevant use cases for the prototype vehicle, the Functional Hazard Analysis (FHA) and the risk assessment of the resulting hazardous situations. Each function is assigned a standard malfunction from the FHA, and once combined with use cases, the malfunction results in a hazardous situation.

Here’s an example for the e-drive function using our sample prototype scenario:

• Function: Electric drive
• Use Case: Vehicle is stopped at a traffic light
• Malfunction: Unintended torque
• Hazardous Situation: Unintended vehicle movement, resulting in a collision

According to ISO 26262, the risk assessment would be based on three criteria: 

• Exposure: Frequency of the use case, not the hazardous situation
• Severity: The rating for the harm that could be caused to someone
• Controllability: The ability of the driver to intervene and avoid the hazard

But to provide an exact determination for these criteria would be extremely time consuming, so the FEV process includes a simplified, conservative rating catalog (see Figure 2). This is how the risk level is calculated, rather than using an Automotive Safety Integrity Level (ASIL) defined in ISO 26262.

In addition to these, we’ve included an iteration loop (see Figure 1) to reassess the remaining risk in combination with the defined safety mechanisms.

For our e-drive example, here’s what the rating would look like:

• Exposure for standing at traffic light = 3
• Severity for a crash with crossing traffic = 3
• Controllability for unintended movement = 2*

*Dependent on certain boundary conditions (e.g., maximum wheel torque < brake torque from the driver hitting the brake pedal)

Definition of Safety Measures
To get to an Acceptable risk level, safety measures for risk levels Low, Medium and High, must be defined. In our prototype example, we have a Medium risk level where Exposure + Controllability = 5 and Severity = 3 (see Figure 3). To get to an Acceptable level, we can take the following steps: 

1. Install an emergency stop button to switch off the electric propulsion system. This would take Controllability from a 2 to 1. 
2. Restrict the vehicle to drive cycles with less than 1% of operating time at a traffic light, bringing the Exposure rating from 3 to 2. 

By taking these steps, we would achieve an Acceptable risk level where Exposure (2) + Controllability (1) = 3 and Severity remains at 3.

In addition to these, we’ve included an iteration loop (see Figure 1) to reassess the remaining risk in combination with the defined safety mechanisms.

Of course, this is just one scenario for the prototype vehicle that needs to be considered. Other risks may rate as High, requiring further safety measures (e.g., monitoring algorithms). These additional measures could also be used for the mitigation of lower-rated risks, allowing for an avoidance of restrictions such as limitation of use cases or operation of the vehicle by trained drivers only. 

In addition to these, we’ve included an iteration loop (see Figure 1) to reassess the remaining risk in combination with the defined safety mechanisms.

Once defined, the safety measures must be implemented and tested before actual use of the prototype vehicle can start. 

While ISO 26262 creates a thorough road map for functional safety related to full vehicle production, there is nothing for prototype vehicle development. Alternative solutions, like the one created by FEV, can address this critical missing factor by providing a cost-effective approach to functional safety when developing a prototype vehicle.