Using Fault Tree Analysis to analyse software architecture in automotive design
Fault Tree Analysis can help keep your vehicle working, whether it is on Mars or in your neighbourhood.
“NASA administrator Dan Goldin said: ‘To design systems that work correctly we often need to understand and correct how they can go wrong’,” points out Jakub Wróbel, software specialist at Etteplan. “FTA does this. It is a standardised methodology established by the military, aviation and space industries to analyse systems for defects. You can use it to see what went wrong – like the Challenger disaster – or to use it in the development phase to see what could go wrong and when you still have the ability to change decisions.”
How to keep a car safe during acceleration
Wróbel is an Etteplan expert on using FTA to assess and mitigate risks. By using FTA he can foresee what may go wrong and help customers in the auto industry make design improvements in software and systems that lower risk. It also helps optimise resources: the analysis shows which basic events contribute most to the undesired top event, so mitigation effort can be prioritised where it has the greatest effect.
“One example I’ve worked on is acceleration in automobiles,” says Wróbel. “Together with a customer we looked at sensors and software to process their readings. Where could a fault occur? Maybe a message won’t go through properly, a sensor won’t work or the software malfunctions. Car acceleration is important from a safety perspective so we are careful and follow the highest industry standards, such as ISO 26262.”
The analysis is tailor-made for a specific system and a specific adverse event, the top event of the tree. Small, logical steps are taken so as not to miss a potential contributing event. The analyst decides what to include and what to leave out, based on experience, accepted principles and knowledge of the system.
“It is great seeing a product in a shop and knowing you analysed its design and contributed to making it safe for the users,” says Wróbel. “It can be making sure a washing machine doesn’t unlock a door with hot water inside, a boiler doesn’t have too much pressure or a battery pack doesn’t dangerously malfunction.”
Wróbel gives a simplified example of how FTA could be used to analyse why a car did not accelerate as expected. Was there an engine error? Was the pedal position misread? Did a sensor fail? Each question becomes a branch under the top event, joined by AND or OR gates, and the whole tree can be visualised as a graphic.
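To show what the evaluation step looks like in practice, here is a small fault-tree evaluator written for this article, not code from Etteplan or from the analysis Wróbel describes. It models the simplified acceleration example as AND/OR gates over basic events, derives the minimal cut sets, computes the top-event probability (both the usual rare-event upper bound and the exact inclusion–exclusion value, assuming independent events), and ranks the basic events by Fussell-Vesely importance, which is the prioritisation mentioned above. The tree structure, event names and failure probabilities are constructed assumptions for illustration only.

```python
from dataclasses import dataclass
from itertools import combinations
from math import prod
from typing import Dict, FrozenSet, Iterable, Set, Union


@dataclass(frozen=True)
class Event:
    name: str
    prob: float          # assumed probability that the basic event occurs per demand


@dataclass(frozen=True)
class Gate:
    kind: str            # "OR" or "AND"
    inputs: tuple        # child Events and/or Gates


Node = Union[Event, Gate]
CutSet = FrozenSet[str]


def minimise(sets: Set[CutSet]) -> Set[CutSet]:
    """Keep only minimal cut sets: drop any set that strictly contains another."""
    return {s for s in sets if not any(other < s for other in sets)}


def cut_sets(node: Node) -> Set[CutSet]:
    """Minimal cut sets: the smallest combinations of basic events that cause this node's event."""
    if isinstance(node, Event):
        return {frozenset([node.name])}
    children = [cut_sets(child) for child in node.inputs]
    if node.kind == "OR":                     # any one child causes the event
        sets: Set[CutSet] = set().union(*children)
    elif node.kind == "AND":                  # every child is needed: cross-product of cut sets
        sets = {frozenset()}
        for child in children:
            sets = {a | b for a in sets for b in child}
    else:
        raise ValueError(f"unknown gate kind {node.kind!r}")
    return minimise(sets)


def basic_events(node: Node) -> Dict[str, float]:
    """Collect every basic event in the tree with its probability."""
    if isinstance(node, Event):
        return {node.name: node.prob}
    found: Dict[str, float] = {}
    for child in node.inputs:
        found.update(basic_events(child))
    return found


def rare_event_bound(cuts: Iterable[CutSet], probs: Dict[str, float]) -> float:
    """Sum of cut-set probabilities: the standard upper bound on P(top event)."""
    return sum(prod(probs[e] for e in cs) for cs in cuts)


def top_probability(cuts: Iterable[CutSet], probs: Dict[str, float]) -> float:
    """Exact P(top event) by inclusion-exclusion over minimal cut sets (independent events)."""
    cuts = list(cuts)
    total = 0.0
    for k in range(1, len(cuts) + 1):
        for combo in combinations(cuts, k):
            joint = frozenset().union(*combo)          # all events in these k cut sets occur
            total += (-1) ** (k + 1) * prod(probs[e] for e in joint)
    return total


def fussell_vesely(cuts: Iterable[CutSet], probs: Dict[str, float]) -> Dict[str, float]:
    """Fussell-Vesely importance: share of top-event probability involving each basic event."""
    cuts = list(cuts)
    total = rare_event_bound(cuts, probs)
    return {e: rare_event_bound([cs for cs in cuts if e in cs], probs) / total for e in probs}


# Constructed tree for the article's simplified example; top event: "car does not
# accelerate as expected". Names and probabilities are illustrative assumptions.
ENGINE_ERR = Event("engine_error", 1e-4)
SENSOR_A = Event("pedal_sensor_a_fails", 1e-3)
SENSOR_B = Event("pedal_sensor_b_fails", 1e-3)          # assumed redundant second track
SW_FAULT = Event("pedal_software_fault", 1e-5)
MSG_LOST = Event("pedal_message_lost", 1e-2)            # bus message does not arrive
STALE_CHECK = Event("stale_value_check_fails", 1e-4)    # software keeps using an old reading

PEDAL_MISREAD = Gate("OR", (
    Gate("AND", (SENSOR_A, SENSOR_B)),      # both sensor tracks must fail
    SW_FAULT,
    Gate("AND", (MSG_LOST, STALE_CHECK)),   # a lost message only matters if it goes unnoticed
))
TOP = Gate("OR", (ENGINE_ERR, PEDAL_MISREAD))


def analyse(top: Node):
    """Return (minimal cut sets, rare-event bound, exact probability, FV importance)."""
    cuts = cut_sets(top)
    probs = basic_events(top)
    return cuts, rare_event_bound(cuts, probs), top_probability(cuts, probs), fussell_vesely(cuts, probs)


if __name__ == "__main__":
    cuts, bound, exact, fv = analyse(TOP)
    for cs in sorted(cuts, key=lambda s: (len(s), sorted(s))):
        print("cut set:", " AND ".join(sorted(cs)))
    print(f"P(top) <= {bound:.3e} (rare-event bound), exact {exact:.6e}")
    for name, importance in sorted(fv.items(), key=lambda kv: -kv[1]):
        print(f"{name:26s} FV importance {importance:.3f}")
```

Two caveats match the limitations discussed later on this page: each basic event is binary (it either occurs or it does not), and the probability arithmetic assumes the basic events are independent, which a shared cause such as a common power supply would violate.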
Versatile and comprehensive analysis
“To complete the analysis we use computer tools to model the system, create diagrams of the fault tree and evaluate the analysis to get results,” Wróbel says.
FTA can be applied at the system, software and hardware levels. It gives an overview of the ways a system can fail and allows the quality of the entire solution to be improved. For example, by using FTA you could learn that you need to change the architecture, change hardware components, conduct additional testing or add more safety mechanisms at the design or production level.
“One cool project I worked on was an adaptive car suspension,” says Wróbel. “Sensors take various measurements about the car body. The system automatically stiffens or loosens the suspension based on the sport / comfort setting. During analysis we found safety-related software components needed to be better protected from non-related components. We also suggested some defensive programming techniques to increase robustness.”
FTA and Ingenuity
Wróbel lists a number of advantages of FTA. The analysis can be viewed as a graphic, making it easier to understand. It has a deductive, logical nature and, when the basic events are assigned probabilities, provides quantitative results. It is suitable even for complex systems. It also takes into account different types of errors, such as human or environmental ones. Yet to use it properly one must also understand the disadvantages: Wróbel mentions that it is time consuming, hard to verify, difficult to model in some cases and only considers binary states of system elements (an element has either failed or it has not).
If someone wants to see proof of the value of FTA, just look at Mars. It was used in the development process for the Ingenuity helicopter and Perseverance rover which are now exploring the red planet.
“I am fascinated by space technology and watched how NASA and other technology pioneers use FTA to see what I needed to learn,” Wróbel says. “It has helped me develop my design skills and analytical thinking as well as broaden my view on overall product safety. It is a great way to increase safety, not only on Mars but also here on Earth.”