ence Itamarch EeCi?b&irhment FOA repai-t E 30010-3.3 May 1988 pis& €1 LENK*E* ISSN 0281-9937 .- .-
-
.. ASSESSMENT OF CRUISE CONTROL Mats Gunnerhed
.
: TSV. ESltIN. HT15 300, 301, 314. 380 e Research Establiskenc Infermaion Tachnology
RISK ASSESSMENT OF CRUISE CONTROL
e wider use of electroiiic devices and systems in cars, the safety tioiis of electronic systems have become evident. According to reports Usr\. numerous lethal accidents have occurred due to sudden acceleration. dents in Sweden have also been reported.
At the request of the Svedish Road Safety Office, the Swedish Defence Research Establishment has carried out a risk assessment of a cruise control system Ln order to establish its safety performance. This system, made hv IIEku, is an optional device in many coimnon cars. It comprises electronic as vel1 es mechanical and pneumatic subsystems.
arts of reltability analysis methods such as Fault Tree Analvsis and s and Effects Analysis, some single-point-fault modes are
The risk assessment. verified In tests, shows rhat a single fault such as a h6d solder joint causes sudden acceleration. This means that the alleged cvctits are possible. This disclosed single-poiiit-fault litode estnhlishes an tipper limit for the safety of this cruise control.
risk analysis. cruise control. electronic, safety. irinle potnt fault mode. acceleration
bibliographic information Language English
an English version of FOA report E 30009-3.3 nets Cunnerhed Projektansvarig I IMats Cunnerlied
atts frin siikerbetssynpuiikt. Enligt rapporter, frdmst frh USA, stort anta1 olyckor Lntraffat p g a plotsligt accelererande bilnr.
Annlvsen liar ucf(irts med lijalp av metoder frAn oinrddet tillforlitlighets- tckiilk s6som "Feltrddsanalys" och "Feleffektanalps". hnnlyseii.~som komylctterats med praktinka prov. vlsar att det uiicker ntt mat3 fAr ett etida Eel fbr att blleii ska "skelin". Felinojligheten, som inte €r;irngfic BV elektronikscheiuat, ksn t e:; utgnras av en Jjlig lodniiig eller nv
Ite&€ecf. acceleration T
Page 4
EacE
1 2 Bccuaant sheet (Swedish) 3
1. BACKGROUND 5 2. RISK ASSESSMENT OF CRUlSE CONTROL 6 Introduction 6 Causes of malfunction 7 FAULT TREE ANALYSIS . 8 3.1 System description 8 3.2 Methods 10 3.3 Prerequisites 10 3.1, Start 11 3.5 Comments on top events 11 Fault tree for top event 1 12 Coimnents on top event 1 13 Fault tree for top event 2 14 3.7.1 Comments on top event 2 15 3.8 Comments on design 18 4. RESULTS OF THEORETICAL ANALYSIS 20 5. VERIFICATION 21 5.1 Nechonical and pneumatic subsystems 21 5.2 Electronic unit 22 6. TESTS 24 6.1 Slmulations 24 Driving expe r iment s 25 .1 Fnult existlng when engine is started 25 ,2 Fault occurring after engine is started 26 CWLVSIONS 27
hl+tllpui B. FAULT TREE SWWlS 28 A-IX 2. WRPOUS FWUT MODE 29 33 - Csr Wfacturers try to facilitate driving and to make driving safer. Today even advanced ideas can be realized at reasonable costs by means of modern electronic circuits.
use of sensible electronics in cars has become questioned. several mishaps due to cars suddenly accelerating have been so in Sweden, some events of this kind have occurred. Given und. the Swedish Road Safety Office, TSV, has assigned the ace Research Establishment to carry out a risk assessment of a cruise control in order to establish its safety level.
tells us that failures will occur in equipment as complex as ntrol. Most failures will certainly be harmless but some may ceptable consequences.
n be permanent or intermittent. Among the latter are ns caused by electromagnetic fields emanating from other the car or from the outside environment. Disturbances, however, will not be dealt with in this report.
A rough way to grade the safety of a system is to count the number of failures necessary to make the system break down in a way. If it can be shown that a single, credible, failure is r system failure, then the safety level of the system must be qwstiuned. A corresponding level of safety is not accepted for airpSanes . Thio assessment was aimed at defining system features which could affect road safety. The system investigated was made by HELIA and is an optional device in many cars of different manufacture.
: HELIA GR-Steurgeritt 12V 5GA 003 828-00
:-Schaltplan GR-SteurgerBt 12V 5GA 003 828-00, &31 907 3USC (A micro processor version exists, designated 5GA 004 397-00, 443 907 305. The two versions are fully interchangeable.)
-Pneumatic Cruise Control, Design and Function
cruise control holds the car at a preset speed. It is said in the ription of design and function that: "The automatic cruise control its long distance concentrated driving without getting tired. erefove it is no luxury but an essential safety factor."
This statement may be true when the system works as intended, but what will happen when it breaks down? Experience shows that it is unrealistic to expect technical equipment to work as intended for ever. Failures ill occur. Therefore the effects of failures on the cdnduct of the car ave been investigated. Faults may contribute to accidents.
This assessment was started from scratch i.e. it was not taken for granted that the system could create hazards at all. Is prillcipEe, there are two causes of malfunction:
1. COHPONENT FAULTS: Permanent or intermittent
2. DIS'PURBANCIES; From the car itself or from the environment
A system rluruld only be accepted if the following requirements are fulfilled:
1. The system design is such that any credible component fault will not eoult in traffic hazard.
gsrd to road safety, the system is insensitive to agnatic interference during its lifetime. -. nt: The EHI emission in society tends to grow. L'.
.- Tliis assessment only considers component faults.
tion that component failures will occur does not imply that is unsafe. Tln interesting matter is the consequences of i.e. the fault effects. Obviously. a fail-safe# behaviour is
# Dafi&tioii of fail-ssfe:
A drsi&ned Brapert)! of as& item which preveiits its failures from c isg in critical faults. Page 8
'lln investigated cruise control is based on pneumatics and electronic circuitry. The actuator, which consists of rubber bellows, is paeutristically controlled by an electric pump. The pump motor is cenwolled by means of an electronic regulator. See figure 1.
ise control is equipped with a 3-position switch; OFF, ON and (spring-loadeQ). There is also a SET switch. By pressing RESUME, red speed is resumed after brake pedal actuation.
mder to disclose possible wenklwsses in the cruise courrol. fntllt
', trees have been constructed. Fault Tree Aiia1.vsis Is ari iaportant. risk nrinZysis metliod. Starritlg out from a lrsznrdous event. possible ciluses vo rbis Top Event are searched for. The relationships are described Ilv arctiis of logic gate symbols. (For fault tree svwllols see AYF'ENDIS 1.) Tile,snalysis is continued down to n level where further dissolution is 11111: mot ivn ted .
AI1 s nssocinted wit.11 tlie objert iuiist be rovered bv top evruts. I p evaiit 110s to be analyzed separately.
~~ he assessment has been complemented hv Fault nodes and Effe.rts
I\ttnlysis. MEA is an iiiductive analysis that systeinatica1.1~det:nils. UII
a t'ninpiiiieiit-bv-roinpoiieiit basis. ill 1 possll~lef;wI t nodes ;III~~i&.ttr if ies
tlirir.resultiiig effects oii tlie system. Page 11
'J3w fu%Wing top evetits have been chosen:
€. Tho onrise control is not deactivated by braking
2. Unintended throttle increase
Top event 1, the cruise control is not deactivated by braking, can lead to il collision with other retarding vehicles or suddenly appearing obstocles due to cruise control counteraction vith the brakrs.(See 5. VERIFICATION. )
at 2. unintended throttle increase, requires that the cruise witch is ON. Unintended acceleration can lead to collision with e ahead or other obstacles if the driver does not ranage. to stop the car in time.
A particularly interesting case is when the cruise control uniiitendedly rates the car from standstill.
From general point of view, surprise must be considered hazardous in itself. Even if the driver always has the possibility to stop the car by dtpueesi~rgthe brake pedal. he might "freeze" and be unable to react in tLI. Page 12
., in the fault tree, either a stuck regulator rod or no air being thc bellows when depressing the brake pedal would be sufficient the top event.
cause8 to prevent air let into the bellows are stoppage in tube 1 or no air passing into the pneumatic system via any valve.
WheA.the brake pedal is depressed, the regulator valve is opened whereby the kellews are inflated even if the quick valve should be stuck. The crpacity of the regulator valve is not known. Therefore possible delay cannot be known either. Actual system behaviour should be tested. -~
Thq wick valve is not forced to open by the brake pedal. Thus. it can get stuek in closed position. Faults in the electronic regulator alone arrtlpot lead to the top event. If the system works as intended, the brake will override the cruise control.
in tube can be found at several positions in the fault tree. The most important tube is tube 1 close to the bellows, see figure 1. le causes are: tube bent, tube pinched or stoppage due to foreign leo, possibly ice.
e recommended to show whether top event 1 is hazardous or not. LT--lUnintenM throttle increase Page 15
Utkmra&d tkrottfe increase requires unintended pressure decrease in ttm bell&s. "his requires three conditions:
I. Statt'of pump motor
2. O+gulator valve closed
WriIig iiornol driving condition 3 is fulfilled. The driver doesn't ly rest his foot on the brake pedal. Therefore this condition is .~. ted with a "house" symbol vhich precisely designates a normally led condition.
nineetwled pressure decrease in the bellows consequently requires start otor and regulator valve closure. This valve closes when ly energized.
Tlius, the top event requires double faults; One fault in each of the and r.iglit branches of tlie tree. External grounding of two different ts is riot considered very likely.
nteresting are tlie two branches wliich contain the electronic iwrly, grounding of two separate outputs is required. but this state wlien the' cruise coiitrol is workiiig as intended in ncrease speed to the desired value. I will come back to this ti-1 fault aods in both branches is an erroneous sensor signal .Eke specdosetar. "his signal tells the electronic unit the actual . An erroneous skgnal causes the electronic unit to react
A completely missing speedometer signal is an example of a command .fault. However, the electronic unit has a "watch-dog" that requires a
colldrldered likely that only a fraction of the pulses should reach the cLLecCronic unit, thereby deceiving it to believe that the actual speed is lover than the desired speed, which would lead to increased throttle. Page 17
I- I I I
1 r f Page 18
It crwu)ot he excluded that the grounding of the pump motor may lead to incz&saed throEtle. The capacity of the regulator valve may he too low to counterect the pump. Tests are recomnended.(See 5. VERIFICATION.)
Faults in the electronic unit can cause increased throttle Examples :
st The speed-liiait controller V,in 224 is a critical circuit It LnrUcntes if the actual speed exceeds 35 km/h. If this circuit is stuck in the state corresponding to >35 hn/h. Lhe cruise control can he activated by touching RESWE even at standstill. A component fnult a human error are required. and ._
At speeds >35 h/h. one fault in the RESUME-circuits is enough to
COUSQ acceleration to the preset speed. This iiieaus that the crrlise control automatically takes over when the actual speed esceecls 35 kmfh and increases it to the preset value.
le electroiiic unit contiriuously compares actual speed with desired ed. The deslred value is-stored by the blnary counter LOLIIR The ctual value is derived via one of the four operational amplifiers 111 iC 224. The comparison is performed Iiy anotller operat.iono1 amplifier e IC 224.
lent fault that leads to a difference hetween arLun1 speed and eed will immediately cause increased ut- decreased tlirottle. hg to an
., ncpeii8e of the &sired value. The binary counter stores the desired by sortins 8 certain combination of its outputs high thereby
*tap 8 potelitid to the comparator corresponding to the desired value. A poor connection at some of these outputs may lead to hereased speed. One such fault has been tested. See APPENDIX 3.
.comparator (Ceschw - Ragler) is ano.ther critical circuit. A -point-fault# such as a bad solder join: in this circuitry may o the erroneous result of starting the pump motor. The faults can he. permanent or intermittent.
'Ihe fault modes mentioned above are sufficient for the fault effect: ~- UntAtqmded throttle increase. The system believes that the actual speed too low. Therefore the regulator valve does not open ei.ther.
c0-n safety desi&n requirement states that "no single-point fault 11 result in iiijury to personnel". It is equivalent to specifying t the system will still he safe after one failure although it may not be fuiictioiial. Thus a single-point-fault is a fault mode caused
: .by 1) single event, defect, or ei-ror whose consequence is defined as critlcol in the partlcular system. Page
..
hovretical amlysis shows that single-point-faults are sufficient Em' tlw following fault effects:
~. .-.cruise control is not deactivated by braking
ntended throttle increase
liiiical equipment will not work as intended for ever. Faults will ne to the type of equipment, faults may have unacceptable iices. If a single credible fault results in hazardous awes. tlioii the design must be cbnnged.
dr, Bbuuld be 11 design goal that the consequencies of aiiy credible fiiiilt ate' acceptable.
.lrrilques for achieving this goal are well known 111 Relhbilitv agy. lhls teclitiology is of vital importance for the design aid complex techlricd equipmen~t such as airplanes, spacecraft mil power stations.
Tiday.. relfnbility data are rentlily availnlile for most electronic
nts. VILh reference to. sttcli data lt cnii lie concludletl that among at iiumher of cars throughout the world equlpped with t.his cruise . s(tme. faults 11 nccordnnce to 1. nnd 2. ahove nre I.ikely tir
w&r, t.tw tlieorrticnl results sliould be ver'ificd in tests. ser wxr psbwgrl5repk. sa** of the results from the theoretical analysis have been verified on ar) automa%ic car.
shown that the brakes easily overcame the engine.
The twta also showed that the quick valve bas sufficient overcapacity. This 1M-s proved by depressing the brake pedal in order to open the quick valve while the pimp was running. The bellows inflated rapidly.
anochar test the quick valve was kept closed during braking. This that the electric switch mounted on the valve does not open . Yet, the bellows inflated fairly rapidly. This was because ."BREMSE" (brake) of the electronic unit, that should go high in order to deactivate the cruise control was forced high by the stop-lmps tch. Thfs stopped the pump and opened up the regulator valve.
e quick valve works as intended, input 3. goes high by means of istor R6 in the electronic unit. Therefore, an open circuit in it is fail-safe.
r.above have not disclosed any serious safety problems in the a% and pneumaticel subsystems.
Hevsuer, the tests show& that the car nay accelerate slowly if the .. -,rot- gets startect due te a groundin& fault. Ttie regulator valve ~wpaettyseems t~ be of the same maptitud. as the pup capacity. The lt-B+aand. 011 parklw'brske tiahtent- as well as idling speed. Page 22
Tests ahow tkrt necessary conditions for a pressure decrease in the leu+. are:
1. pII.a nmning
valve closed
ator valve closed
k valve is normally closed as the brake pedal is not depressed. The regulator valve closes when energized. This is a safety feature. -wen circuit in the volve magnet coil results in inflated bellows. The dsaign.is fail-safe with respect to this fault mode.
c,aimof this analysis has been to search for possible single-point- lult modes leading to traffic hazards. So, the question is: "Are there 9 single-point-fault modes in the electronic unit which lead to pump .<.eocorstart and closing of. the regulator valve?"
As shown in the circuit diagram, figure 2, the pump motor and the
at double faults are required at the outputs.
the analysis has disclosed a single critical point before the .. This consists of inputs 9 and 12 for the regulator valve and respactfveXy. af the operational amplifier which are inter-
nigungsraGer), there vilZ be no limiting of the acceleratiw. Page 23
‘igier connected to the resistor R61 is trying to lower this point W~wkcn-theactual speed is <35 krP/h.this attempt is counteracted by the tm dlodes D15 and D23. This means that two faults, e.g. open ctrwts in both diodes, are required for a pressure decrease. So, the cwise control is not safe if two failures occur, but this was expected. Indepandont double faults, however, are considered very unlikely.
cally the printed-circuit layout corresponds to the diagram. *less, from a reliability point of view, this is not the case. *,.ofthe circuit layout reveals a fault mode that has very severe
lis.ted under 6. TESTS.
t Pape 21
‘&e sir.0 system was set up in a 1abJratorT. The speedometar sensor was replaced hy a signal senerator. See ?icture 1 T:e s:fstem fault c?action vaa gimulaced.
In additin-., tests were carrrad out cn 3n automaci: car at ;:ands:l?l. in +LE case the speedometer was iri-’en by means of an *lec-.-ic drilling ,+achlne at variabla speed. Page 25
re- any doubts, an electronic unit with deliberately ft#ro&@ single-point-fault was tested during reel driving. According to these tests a single-point-fault as described in APPENDIX 2. will cansequences listed below. A necessary condition, however, is control main switch being set in the ON-position, but this is red a common habit with many drivers.
ct of the car at fault occurrence depends on the situation. the fault effects have been divided into two groups. .. I
Fau&s..can,be permanent or intermittent. In the latter case, the fault .nay depend on some environmental factor such as vibrations or changes in tempwature.
gear ieto drive or 2 results in full throttle. The cruise control can l~deactivatedby depr,essing the brake pedal, but as soon as the adal is released the car is accelerated again.
the cruise control is faulty when the engine is started, changing r into drive or 2 results in full throttle. If then. when speed cea& 35 kmkh, RESUME is pressed (but not SET), the cruise control deaactivated. However, as soon as speed falls below 35 h/h, the
geup fWo.drive or 2 results in full throttle. If then. when speed rd. 35 b/h. SET io pressed, the actual mdis stored in the . The cruise ccntrol works as intemded. hut depressing the .pedal and relemafng it again reaults in full throttle. By RESWE. stwed ,sped will be rcswd. !'R$F ;'6
C.&tie car is parked wltli idling eiifitne and gear Is drive 01' 2 wlirn
l..fw.fault WCUL'S. che result is full tlirotrle. The car wLll rlerate suddenly wen if tire parking hrake is tightened fi.rmly.
B If-drlviiig'nr any oped oti peac drive 01: 2 uitliuut. activated cruisr atrol when the fnult occurs. tlie cruise control is irctivared ant1 11 throttle results.
rivi.ng on gear drive or 2 and SET has been pressed in order to speed >3S b/h. nothtng happens. Tiin cruise cont.i-ol works. Bur
ns-tooti as tlie brnke prdail is deprrssrcl and released np,ai.ii 01- if teapornrily fnlla below 35 kn/li, tile rruisr i.oiitrol wil I IKI full throttle. By pressiiip KESUNE. tlie ilesirril speed is (1. Compare 6.2.1.
..
. Page 27
TwaWnt 2. the cmiaa control is not deactivated by braking. is not caukdared hazardous. Teats show that the brakes easily overcome the engkne .
However. top event 2, uuintended throttle increase. cannot be waved aside. Tssts show that:
single-point-fault mode that leads to sudden acceleration at
rovery means that an upper limit for the.. system safety level has
that there are a number of fault modes leading to an the desired speed during the drive. flowever, this fault t considered hazardous but it can certainly disturb the
We can couclude that the fault effects of the single-point-fault mode,
disclosed in this investigation, are ill accordance with the reported evetiti. llwrefore, the alleged events should be taken seriously.
The weaknesses disclosed in thls report may be the causes of malfunction in meof chis alleged cases. However, no conclusions should be made fros thts iwestigation concerning the causes of malfunction in any spwific cam.
.. Ik* rsdta of this investiytion indicate that HELLA has tried hard to IMM: wry high safety goals in this device. The designer has certainly b*cR wurc of the fnct tW some single-point-faults can lead to an irmcme ob the daskred speed. brrt ha has probably llot been aware of the fwt tht a btn&e-point-fault car1 cause sudden acceluretion. Event liane of the event Dercription Block
Basic Event. Event which will not be subdivided
...
House. Event which will happen with certainty
AND-gate. Output event occurs if all input events occur simultaneously
M-gat.. Output event occurs if any me of the input events occur Wis imettigation has been aimed at grading the HELM cruise control respect to safety. Therefore the work has been focused on finding RQM wuk point in the systsl.
electronic unit consists of both analog and digital circuits. No detailed functional deacriptions have been available for the analysis. rtheless. the main features of the design have been figured out.
analysis shows that there is at least one single-point-fault mode evere effects. Due to the printed circuit layout, a break in a ic connection leads to pump motor start and simultaneous closure of regulator valve.
ed single-point-fault mode consists of a bad solder joint at 1 9 of the op amp 224 on the component side of the board or a k in the thin foil connecting terminal 9 to the two diodes D15 and 023.
The investigation is herewith finislied but other hazardous fault modes cambe excluded.
e interesting part of the diagrau is shown in figure 3. The real h is electrically equivalent to the diagram. is e hazardous single-point-fault mode is depicted in 5. The prfnted circuit board is shown in picture 4. Figure 3. Part of diagraa.
i
4. Real design. Page 31
2. Electronic unit. . under 3.8 some vulnerable points in the -&ram were mentioned. An example was the binary counter 4040B, that the desired speed by setting an apropriate combination of its high. By doing this a voltage corresponding to the desired spend tad and fed to,the comparator. The resistors R13 - R23 are Puhtial for this function. The effect of an open circuit in R15 has baen,tested with the following results:
When t& cruise control was activated at
70 kra/h':spesd decreased to 55 km/h
$0 km/t~apeedincreased to 100 km/h
90 ka/h speed increased to 110 km/h
speed i.ncreased to 120 km/h
uits in other br,anches will lead to varying changes of speed. .&.%her the effect will be an increase or a decrease depends on the des speed value.