Functional Safety
- Functional safety creates safe vehicle level functions where the decisions are always appropriate based upon the current driving environment.
- QualSAT has the most powerful analysis and technical solution methods in the world. 7FM methods produce the best safety of the intended functions.
- QualSAT has real world expertise in Functional Safety and knows how to model an entire system through L5 solutions. We can determine each system level fault, its state, and how to detect the fault. From this, risks are determined, time to detect is estimated, time to correct is estimated, and a safe fall back position is designed.
- 7FM generates a temporal fault state map. This map identifies the first fault in time and then activates the best redundant software or hardware solution. 7FM provides clear guidance and mitigation.
- Functional safety has five levels of consideration: FuSa 1: record the anomaly for degradation analysis. FuSa 2: change flow to a redundant function. FuSa 3: de-rate speed and increase following distance. FuSa 4: execute a safe exit and park outside the driving arena (e.g. not on an emergency strip). FuSa 5: execute a safe emergency stop off the driving surface (e.g. emergency strip, shoulder of road); when an off-path option is not available, safely stop in lane.
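The following is an added example, written for this page and not QualSAT's 7FM tooling, that puts the three preceding points together in code: a temporal fault state map that orders detected faults by detection time and handles the earliest one, a redundancy table that tells whether a fall-back function exists, and an escalation rule that maps the outcome onto the five FuSa levels using the estimated time to correct against a time budget. The fault names, redundancy table, timing budget, and the rule used to choose between FuSa 4 and FuSa 5 (whether enough control authority remains to plan an exit) are hypothetical assumptions of this example.

```python
"""Added example: a temporal fault-state map with FuSa fall-back selection.

Constructed illustration code written for this page; it is not QualSAT's
7FM tooling. The fault names, redundancy table, timing budget and the rule
for choosing between FuSa 4 and FuSa 5 are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Fault:
    name: str               # hypothetical system-level fault identifier
    t_detect_ms: int        # when the fault was detected (ms into the drive cycle)
    t_correct_ms: int       # estimated time to switch over or correct (ms)
    degrades_driving: bool  # True if a function needed to keep driving is lost
    exit_still_plannable: bool = True  # enough control left to plan a safe exit?


# Hypothetical redundancy table: fault -> redundant function, None if none exists.
REDUNDANCY: Dict[str, Optional[str]] = {
    "front_radar_dropout": "front_camera_range_estimate",
    "lane_camera_blur": "hd_map_lane_model",
    "brake_pressure_sensor_drift": "wheel_speed_decel_estimate",
    "steering_actuator_fault": None,
}

# The five FuSa levels as described on this page.
FUSA_ACTION = {
    1: "record anomaly for degradation analysis",
    2: "change flow to redundant function",
    3: "de-rate speed and increase following distance",
    4: "safe exit and park outside the driving arena",
    5: "safe emergency stop (shoulder if available, else in lane)",
}


def first_fault_in_time(faults: List[Fault]) -> Optional[Fault]:
    """Temporal fault-state map: handle the earliest detected fault first,
    since faults detected later may be downstream effects of it."""
    return min(faults, key=lambda f: f.t_detect_ms) if faults else None


def fusa_level(fault: Fault, correction_budget_ms: int) -> int:
    """Pick the FuSa level (1..5) for a single fault.

    Escalation rule (an assumption of this example):
      - no driving function lost            -> FuSa 1
      - redundancy exists, fits time budget -> FuSa 2
      - redundancy exists, too slow         -> FuSa 3 while the switch-over runs
      - no redundancy, exit still plannable -> FuSa 4
      - no redundancy, no controlled exit   -> FuSa 5
    """
    if not fault.degrades_driving:
        return 1
    redundant = REDUNDANCY.get(fault.name)
    if redundant is not None:
        return 2 if fault.t_correct_ms <= correction_budget_ms else 3
    return 4 if fault.exit_still_plannable else 5


def respond(faults: List[Fault], correction_budget_ms: int = 40) -> Optional[Tuple[str, int, str]]:
    """Return (fault handled, FuSa level, action) for the first fault in time."""
    fault = first_fault_in_time(faults)
    if fault is None:
        return None
    level = fusa_level(fault, correction_budget_ms)
    return fault.name, level, FUSA_ACTION[level]


# Constructed sample: three faults detected at different times in one cycle.
SAMPLE_FAULTS = [
    Fault("lane_camera_blur", t_detect_ms=120, t_correct_ms=20, degrades_driving=True),
    Fault("front_radar_dropout", t_detect_ms=80, t_correct_ms=50, degrades_driving=True),
    Fault("steering_actuator_fault", t_detect_ms=300, t_correct_ms=0,
          degrades_driving=True, exit_still_plannable=False),
]

if __name__ == "__main__":
    # Radar dropout is first in time; its 50 ms switch-over exceeds the 40 ms budget -> FuSa 3
    print(respond(SAMPLE_FAULTS))
```

With the default 40 ms budget the radar dropout is handled at FuSa 3 because its redundant function exists but the switch-over is too slow; raising the budget to 100 ms makes the same fault a FuSa 2 switch-over, which is the kind of time-to-detect and time-to-correct trade-off the page describes.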
- L1: Driver Assist: The human is responsible for awareness and driving. The system uses sensors to display warnings about the environment around the driver that would affect the driver's choice to speed up, slow down, turn left/right, or apply the brakes.
- L2: The driver is responsible for monitoring the driving environment. The system controls steering, acceleration/deceleration, and braking to maintain the lane, center the vehicle in the lane, adapt velocity to keep a safe distance to a forward vehicle, and avoid collisions.
- L3: The system monitors the environment and warns the driver to take control when threats are detected or a safe solution cannot be rendered. The warning must provide sufficient lead time for the driver to become aware, assess the situation, and avoid hazards. Perception must be able to see all objects, recognize hazards, solve for a safe path, and determine a solution to continue on the path or to the destination. The system must be able to determine, with a safe lead time, when the complexity of the environment exceeds its capability to determine a safe solution.
- L4: This is a driver-out solution within a defined operational domain. The vehicle can go from point to point without a driver. This requires perception, object recognition, object tracking, object attributes, vector predictions of all objects, object intent, path constraints, time to collision, safe trajectories, dynamic control, a map, and vehicle control of all human vehicle level functions that are replaced by the system (acceleration, deceleration, turning, lights, HMI with the outer world).
- L5: This is L4 with a broad domain. Complexity limits L5 solutions. Complexity can be affected by time of day, events, road changes, new traffic lights, different signage and lights, lane markings, road work, drivers not following established rules of the road, and so on. Small towns and cities can have L5 solutions. At this time, larger cities have a large number of internal differences and complexities, and an L5 solution might have "no drive zones." The solution can drive from "here to there," but the route will avoid parts of the map where there is no current safe technical solution.
- Mastery of functions requires that each vehicle level function's capability is known. Lateral variation must be known so objects can be missed with safe statistical certainty. Longitudinal statistical capability must be known so forward/backward objects can be missed with safe certainty. When functions are applied simultaneously, their interactions must be known so safe maneuvers avoid instability. Variations change with velocity, and the change in variation must be known. Safe stability levels change with velocity, environmental, and road conditions. The system must be able to predict safe performance curves as conditions change. Scenarios are constraints of time and distance. Safe solutions that consider stability must be determined, and when no solution exists, a predetermined safe escape path that avoids hazards must be activated. When no safe escape path is available, de-rating speed and distance is required. A safe stop in path or off the driving surface is required. Degradation is of the environment and the system
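The point about lateral variation and velocity-dependent capability can be made concrete. The following is an added example written for this page, not QualSAT code: it assumes a hypothetical capability model in which the 1-sigma lateral path deviation grows linearly with speed, treats that deviation as zero-mean Gaussian, and derives the clearance an object must have from the vehicle edge so that the probability of not missing it stays below a chosen value. It then shows the de-rating step the page calls for: stepping speed down until the required clearance fits, and reporting that a stop is required when no speed works. The vehicle half width, the model coefficients and the acceptable failure probability are constructed numbers; on a real vehicle the variation curve has to be measured, which is the page's point.

```python
"""Added example: lateral clearance from a known path-variation model.

Constructed illustration for this page, not QualSAT code. The variation
model (1-sigma lateral error growing linearly with speed), the vehicle half
width and the acceptable miss-failure probability are hypothetical numbers.
"""
from statistics import NormalDist

HALF_WIDTH_M = 1.0   # hypothetical vehicle half width (m)
P_FAIL = 1e-6        # acceptable probability that the object is not missed


def lateral_sigma(v_mps: float, sigma0_m: float = 0.05, growth_m_per_mps: float = 0.004) -> float:
    """Hypothetical capability model: lateral 1-sigma path deviation vs. speed.
    On a real vehicle this curve must be measured, not assumed."""
    return sigma0_m + growth_m_per_mps * v_mps


def required_clearance(v_mps: float, p_fail: float = P_FAIL) -> float:
    """Margin beyond the vehicle edge so that P(deviation > margin) <= p_fail,
    treating lateral deviation as zero-mean Gaussian (one-sided tail)."""
    z = NormalDist().inv_cdf(1.0 - p_fail)   # about 4.75 sigma for p_fail = 1e-6
    return lateral_sigma(v_mps) * z


def can_miss(object_offset_m: float, v_mps: float) -> bool:
    """True if an object at |lateral offset| from the planned path centerline
    is missed with the required certainty at this speed."""
    return abs(object_offset_m) >= HALF_WIDTH_M + required_clearance(v_mps)


def max_safe_speed(object_offset_m: float, v_max_mps: float = 40.0, step: float = 0.5) -> float:
    """De-rate: highest speed (stepping down from v_max) at which the object
    can still be missed; 0.0 means no speed works and a safe stop is required."""
    v = v_max_mps
    while v > 0:
        if can_miss(object_offset_m, v):
            return v
        v -= step
    return 0.0


if __name__ == "__main__":
    for v in (0.0, 15.0, 30.0):
        print(f"v={v:5.1f} m/s  required clearance={required_clearance(v):.3f} m")
    print("object 1.3 m off centerline: max safe speed", max_safe_speed(1.3), "m/s")
    print("object 1.0 m off centerline: max safe speed", max_safe_speed(1.0), "m/s (stop)")
```

The longitudinal case follows the same pattern with a forward/backward deviation model and a time-to-collision constraint in place of the lateral offset; the Gaussian tail assumption is a simplification that a real capability study would replace with measured distributions.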