COM00173M High-Integrity Systems Engineering
MSc, MEng Degree Examinations 2022-3
DEPARTMENT OF COMPUTER SCIENCE
High-Integrity Systems Engineering (HINT)
Open Assessment 1
Open Individual Assessment
The company you work for produces a car with a range of electronic control units that help with driver satisfaction, driver safety and marketing. For a number of years the car has had a collision detection system. Recently the collision detection system was extended to include collision avoidance. The whole collision detection system has been developed to integrity level ASIL C according to ISO 26262. ASIL C was justified despite a relatively high exposure (E3) and the severity being classed as life threatening (S3) because the failures were controllable (C3). In this context, controllable at C3 means it is expected, and has been demonstrated, that neither the car nor the driver was likely to take unnecessary avoidance actions.
Figure 1 illustrates the key components initially envisaged for the system and the principal interactions.
Figure 1: Component Diagram for the Collision Detection System
Below is a brief description of the components of the car and their interactions.
1. Collision Detection - Outputs to the communications link the number of objects detected, any details known about the objects (e.g. type of object) and the distance to each object.
2. Collision Avoidance - Uses information from a range of sources, including collision detection, and makes decisions about whether an intervention is needed in terms of the car's speed, direction etc.
3. Communications link - Shares all information received from a component to all other components.
4. Determine appropriate action - Calculates whether collision avoidance is needed at a particular time and the appropriate action taken, i.e. the magnitude of any braking, steering or acceleration needed. For steering there is also direction, i.e. left or right.
5. Carry out appropriate action - Determines the appropriate signals to be sent to the communications link.
6. Health monitoring and maintenance - Determines whether the system has received erroneous information or has created erroneous information, and then logs the error codes accordingly.
7. Steering - Interprets signals from the communications link into an appropriate actuator signal to the steering system.
8. Brakes - Interprets signals from the communications link into an appropriate actuator signal to the braking system.
9. Throttle control - Interprets signals from the communications link into an appropriate actuator signal to the engine control system.
10. Cockpit display - Interprets signals from the communications link into an appropriate actuator signal to the in-car instrumentation system.
Whilst the system works adequately, it is recognised that the existing communications link, based on the Controller Area Network (CAN) 2.0B protocol, is nearing the end of its useful life in terms of the available bandwidth. In addition, there are future extensions to the collision detection system that might benefit from a lower-latency communications link. You have been tasked with exploring how an Ethernet-based communications link can be used to support the collision detection system of the car, with a view to all of the car's electronics being supported by it in the longer term. It is important that any solution supports (or exceeds) the needs of certification given the ASIL C integrity level of the collision detection system. You are aware that there is existing work, both in industrial products and in academic research, that suggests a suitably safe mixed-criticality system can be developed using Ethernet.
Throughout your answers to the following questions, please state any further assumptions needed.
Question 1 (50 marks)
Perform a hazard analysis for the system and then discuss how the outcome of this could guide the rest of the design.
• Q1(A) - Perform a hazard analysis on three components (9 marks). The three components are: the communications link; collision detection; and collision avoidance. The answer must follow a clearly defined method and must clearly describe and justify the resulting effects.
• Q1(B) - Discuss what integrity levels may be appropriate for each of the components from Q1(A) (i.e. the communications link; collision detection; and collision avoidance) based on some defined criteria.
– The criteria and process used must be clearly defined and justified (9 marks).
– The integrity level must be defined in a way that is traceable to the effects produced in Q1(A) (9 marks). The integrity levels can simply be high, medium and low criticality. Alternatively, the components could be ranked in order from most critical to least critical.
• Q1(C) - Identify three Derived Safety Requirements related to (but not necessarily for) the communications link with justification (9 marks). The Derived Safety Requirements can either be direct requirements on the communications link or indirectly related as they have a clear traceable link to the communication link.
• Q1(D) - Review two potential communications links, one from industry and one from academia. They should be clearly described, their selection justified, and then critiqued against the needs of this collision detection system based on the answers from Q1(A), Q1(B) and Q1(C) (14 marks).
Question 2 (20 marks)
Perform a failure analysis of the system using failure mode effect analysis.
• Q2(A) - Present a suitable failure mode effect analysis with clear traceability to the model and components in Figure 1 (10 marks)
• Q2(B) - Explain the failure mode effect analysis (10 marks). The explanation should discuss how it has been derived including why it is correct and the insight gained from it.
Question 3 (30 marks)
Produce a safety argument using Goal Structuring Notation with the top-level claim being that a hazard is sufficiently mitigated. The hazard chosen can be any of the ones from the answer for Question 1(A).
• Q3(A) - Present a suitable safety argument with clear traceability to the model and components in Figure 1 (10 marks)
• Q3(B) - Explain the safety argument (10 marks). The explanation should discuss how it has been derived including why it is correct and the insight gained from it.
• Q3(C) - Define specific techniques by which the evidence supporting the claims at the bottom level of the argument can be gathered (10 marks). The explanation should discuss any challenges that are expected when gathering the evidence.
2022-10-28