Controllability in ISO 26262 and driver model


Abstract

The standard ISO 26262 [1] aims for functional safety of automobile E/E systems, and it provides “a framework within which safety-related systems based on other technologies can be considered.” We focus on the hazard analysis and risk assessment (clause seven) in the concept phase of ISO 26262 Part 3. Usually, risk is calculated from the probability of exposure and the severity of harm, but in this standard we also have to consider the controllability of the driver for avoiding the harm. First, we present the DESH-G (driver, environment, software, hardware and goal) model as a framework. Then we show the driver model in detail, which gives us the capability of the driver. We calculate the task demand from the situation-scenario matrix (SSM). If the task demand exceeds the driver capability or is in its neighbourhood, we regard the situation as hazardous. Controllability is the ease of avoiding a dangerous condition. We propose a way to judge the degree of controllability using the driver capability and the task demand. In a system such as an advanced driver assistance system (ADAS) [2], part of the driver's task is done by the system. It is harder in system design to decide the behaviour at the border between computer and driver. Our idea is also effective for development in such situations.

Cite

Ito, M. (2015). Controllability in ISO 26262 and driver model. In Communications in Computer and Information Science (Vol. 543, pp. 313–321). Springer Verlag. https://doi.org/10.1007/978-3-319-24647-5_26
