Safety Analysis of Software-intensive Motion Control Systems

The auto industry has had decades of experience with designing safe vehicles. The introduction of highly integrated features brings new challenges that require innovative adaptations of existing safety methodologies and perhaps even some completely new concepts. In this paper, we describe some of the new challenges that will be faced by all OEMs and suppliers. We also describe a set of generic top-level potential hazards that can be used as a starting point for the Preliminary Hazard Analysis (PHA) of a vehicle software-intensive motion control system. Based on our experience with the safety analysis of a system of this kind, we describe some general categories of hazard causes that are considered for software-intensive systems and can be used systematically in developing the PHA. A comprehensive PHA for a software-intensive motion control system may reveal potential interactions of features that are not due to malfunctions of the features' individual components but that may lead to hazardous conditions. This insight and other lessons learned from our experience with such systems have influenced the drafting of ISO CD 26262. Finally, this paper reports on our preliminary experience with the method of risk assessment proposed for ISO CD 26262 Part 3, Concept Phase.