Adaptive Cruise Control
Ilana Davidi, Margaret Stringfellow Herring, Paul Wheeler

Agenda
• Hazard Analysis
• Safety Constraints
• Partial STPA
• Completeness Criteria
• Requirements Changes
• High-Level Design
• Intent Specifications
• Design Limitations
Hazard Analysis
• A constructive way to learn the ACC system
• Dozens of hazards traced back to three root hazards:
  • Rear-ending the car in front
  • Being hit by the car behind
  • Losing control of the vehicle

Safety Constraints
• Each hazard was matched with a safety constraint
• The constraints follow naturally from the hazards
• Constraints kept simple but precise
• They lead directly to the high-level design requirements
Completeness Criteria Example
• The system and software must start in a safe state.
  • The software initial state is "ACC off."
  • No direct transitions to hazardous states from "ACC off."
• Cannot transition out of "ACC off" unless:
  • The ignition is turned to the "on" position.
  • The driver has subsequently pushed the "ACC on" button.
  • The ACC system passes a self-diagnostic test for system faults.
  • The brakes are not engaged.
  • Speed is greater than 45 mph.
• ACC then transitions to the "ACC standby" state.
• Further conditions govern the transition from "ACC standby" to "ACC active."

Requirement Changes Examples
• Minimum speed will be 45 mph instead of 25 mph.
• The alarm will sound during every shutdown, not only in response to the driver disengaging from the steering wheel.
• The set speed is not retained in memory after the coast button is pushed; the current speed becomes the set speed.

Partial STPA
• Used control loops to discover states
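The completeness criterion and the requirement changes above describe a small state machine, and the "cannot transition out of ACC off unless" clause is exactly the kind of rule worth checking exhaustively rather than by reading. The following is an added example (not code from the presentation or from SpecTRM): it models the "ACC off" to "ACC standby" guard, the 45 mph minimum, the coast-button set-speed behaviour and the shutdown alarm, then enumerates every input combination at speeds around the threshold to confirm that standby is the only state reachable from off and that it is reached exactly when all five preconditions hold. The class and function names, the `conditions_met` flag standing in for the unlisted standby-to-active conditions, and the boundary speeds are assumptions.

```python
"""Executable model of the ACC start-up completeness criterion.

Added example; the names, the `conditions_met` placeholder and the sample
speeds are assumptions, not taken from the slides.
"""
from dataclasses import dataclass
from enum import Enum
from itertools import product
from typing import Optional

MIN_SPEED_MPH = 45.0  # requirements change: 45 mph instead of 25 mph


class AccState(Enum):
    OFF = "ACC off"          # initial, safe state
    STANDBY = "ACC standby"
    ACTIVE = "ACC active"


@dataclass(frozen=True)
class Inputs:
    ignition_on: bool
    acc_button_pressed: bool   # driver pushed "ACC on" after ignition on
    self_test_passed: bool
    brakes_engaged: bool
    speed_mph: float


def next_state_from_off(inputs: Inputs) -> AccState:
    """The only exit from "ACC off" is "ACC standby", and only when every
    precondition on the slide holds; otherwise the system stays off."""
    if (inputs.ignition_on
            and inputs.acc_button_pressed
            and inputs.self_test_passed
            and not inputs.brakes_engaged
            and inputs.speed_mph > MIN_SPEED_MPH):
        return AccState.STANDBY
    return AccState.OFF


class AccController:
    def __init__(self) -> None:
        self.state = AccState.OFF             # software starts in the safe state
        self.set_speed_mph: Optional[float] = None
        self.alarm_sounding = False

    def step(self, inputs: Inputs) -> AccState:
        if self.state is AccState.OFF:
            self.state = next_state_from_off(inputs)
        return self.state

    def activate(self, current_speed_mph: float, conditions_met: bool) -> AccState:
        # The slides say further conditions gate standby -> active but do not
        # list them; `conditions_met` is an assumed placeholder for that guard.
        if self.state is AccState.STANDBY and conditions_met:
            self.state = AccState.ACTIVE
            self.set_speed_mph = current_speed_mph
        return self.state

    def coast(self, current_speed_mph: float) -> Optional[float]:
        # Requirements change: the old set speed is not retained after coast;
        # the current speed becomes the new set speed.
        if self.state is AccState.ACTIVE:
            self.set_speed_mph = current_speed_mph
        return self.set_speed_mph

    def shutdown(self) -> AccState:
        # Requirements change: the alarm sounds on every shutdown, not only
        # when the driver disengages from the steering wheel.
        self.alarm_sounding = True
        self.state = AccState.OFF
        self.set_speed_mph = None
        return self.state


def check_off_state_completeness() -> bool:
    """Exhaustive check of the "ACC off" criterion: for every boolean input
    combination at speeds around the 45 mph threshold, confirm that the only
    state reachable directly from off is standby (never active) and that
    standby is reached exactly when all five preconditions hold."""
    speeds = [0.0, 44.9, 45.0, 45.1, 70.0]   # constructed boundary values
    for ign, btn, test, brk in product([False, True], repeat=4):
        for spd in speeds:
            nxt = next_state_from_off(Inputs(ign, btn, test, brk, spd))
            if nxt is AccState.ACTIVE:
                return False
            expected = ign and btn and test and not brk and spd > MIN_SPEED_MPH
            if (nxt is AccState.STANDBY) != expected:
                return False
    return True


if __name__ == "__main__":
    print("off-state criterion holds:", check_off_state_completeness())
    acc = AccController()
    acc.step(Inputs(True, True, True, False, 50.0))
    acc.activate(50.0, conditions_met=True)
    print(acc.state, "set speed after coast:", acc.coast(55.0))
```

Note that the guard uses a strict "greater than 45 mph", so exactly 45.0 mph keeps the system off; the enumeration in `check_off_state_completeness` includes that boundary deliberately, because an off-by-one at the threshold is the sort of defect a prose requirement hides and a table-driven check exposes.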
High-Level Design
[Control-structure diagram; only its labels survive extraction, grouped here for readability.]
• Components: Driver, ACC, Engine Control Module, Brake Control Module, Brake Actuator, Radar, Instrument Cluster, connected over CAN
• Setpoints and driver inputs: Distance SP, Speed SP, Mode, Cruise switch, Brake switch 1 & 2 (ACC Brake Switch 2), Accelerator, Brake Pedal
• Control actions: Actuate Acceleration, Actuate Brakes, Req Target Speed / Target Speed, Brake Request, Brake Actuator Command, Engine Power
• Feedback: Vehicle Speed, ACC State, Acceleration, Increasing / Decreasing Speed Of Car, Distance to Car In Front and Closing Speed (from Radar), Distance to Car In Back
• Driver-facing outputs: Input to Display (Instrument Cluster), Warning, Brake Lights
Intent Specification 1: Assumptions
• A licensed driver is operating a car with no malfunctions or problems.
• The road is smooth and unobstructed.
• The road is continuous and does not suddenly terminate.
• The ACC system will interface and communicate with five parts of the car:
  • Braking system
  • Engine
  • Accelerator
  • Ignition
  • Steering wheel

Design Limitations
• Human behavior
  • Sudden lane changes
  • Human as cruise control monitor
• Auto-off on steering wheel
• Clamp
• No system redundancy for radar

Lessons Learned
• Documenting assumptions and decision reasoning
  • Generates a single mental model across different people
  • Prevents loss of information over time
• Safe systems can be achieved.
  • Rigorous approach to requirements generation
  • SpecTRM links hazards, constraints, and assumptions in one document
  • Provides visibility and traceability
• Paul can consult on SpecTRM software
  • For a price.