ASIL determination for motorbike's Electronics Throttle Control System (ETCS) malfunction

Electronics Throttle Control System (ETCS) is the principal electronic unit in all fuel injection engine motorbikes, improving engine performance efficiency in comparison to the conventional carburetor-based engine. ETCS is regarded as a safety-critical component: an ETCS malfunction can cause an unintended acceleration or deceleration event, which can be hazardous to riders. In this study, Hazard Analysis and Risk Assessment, an analysis from the ISO26262 functional safety standard, has been applied to a motorbike's ETCS to determine the required automotive safety integrity level. The established automotive safety integrity level can help to derive technical and functional safety measures for ETCS development.


Introduction
The motorbike is one of the vehicles that contribute towards air pollution. Many emissions standards that regulate air pollutants released by vehicles have been adopted around the world, and they vary between countries. For example, European Union countries currently implement the EURO3 emissions standard for two-wheel vehicles to reduce air pollutant emission [1]. For instance, the EURO3 standard outlines an average CO2 emission of 2.3g/km from the motorbike and is expected to become more stringent over the years.
In line with this standard, the fuel injection engine has been widely adopted for motorbikes; it can reduce exhaust emissions and gives greater control of the air/fuel ratio compared to a standard carburetor. There are two types of fuel injection system, namely the Multipoint fuel injection (MPFI) and Direct fuel injection (DFI) systems [2]. The advantage of the DFI system is better fuel control, which leads to improved fuel consumption efficiency and a lower emission level. However, the DFI system requires a rugged engine to sustain higher heat and pressure in comparison to the MPFI engine, resulting in higher overall cost.
The operation of a fuel injection engine is controlled by the Engine Management System (EMS), which is made of several main sub-systems such as the fuel injection control system, ignition timing control system, air induction control system and others [28] [29]. The air induction control system, also known as the Electronics Throttle Control System (ETCS), comprises dedicated sensors, actuators and an engine control unit (ECU) [3], whose purpose is to filter, meter and measure the intake air flow into the engine. The operation of ETCS involves real-time data, fast transient responses and precise control [5][6] in order to achieve optimal air-fuel mixtures in the combustion chambers, thereby maximizing performance and fuel economy, and minimizing emissions [4]. Thus, an ETCS malfunction can cause a large throttle plate opening that leads to an unintended acceleration hazard, which may result in life-threatening injuries [7][8][9][10][11][12].
ISO 26262:2011 provides a standard approach to functional safety management of electrical and electronics (E/E) systems for road vehicles [26]. By definition, functional safety means the absence of unreasonable risk due to hazards caused by the malfunctioning of E/E systems. These functional safety features form an integral part of each automotive product development phase, ranging from specification to design, implementation, integration, verification, validation, and production release. The current standard addresses passenger cars with a maximum gross vehicle mass up to 3500kg, and the scope will be extended to cover other vehicle types such as motorbikes, trucks and buses in the second edition.
Hazard Analysis and Risk Assessment (HARA) forms the basis of the entire functional safety activity in ISO26262, where it first determines the safety goals and their automotive safety integrity level (ASIL) for the system under design. There are four ASIL levels, A, B, C and D, in order of increasing risk and hazard level to riders. Once the ASIL has been established, functional safety and technical safety concepts for the system are derived, followed by ASIL-oriented and safety-oriented analysis to benchmark the derived concepts against the target ASIL.
Previous work on ASIL determination has covered various car sub-systems including the airbag [13], power steering [14], battery management system [15] and electric vehicle inverter [17]. The motorbike safety integrity level (MSIL) of ISO19695:2015 has been studied for sub-systems such as the anti-lock braking system (ABS), combined braking system and throttle-by-cable system [16]. While the throttle-by-wire system is in many aspects similar to ETCS, [16] has not concluded a finding on its MSIL, and no ASIL has been established either.
In this study, HARA has been applied to the motorbike's ETCS to determine the required ASIL for two types of hazard, namely unintended acceleration and deceleration. Hazardous events that comprise hazards and operational scenarios (i.e. riding situations) have been derived. Finally, the combination of three parameters, controllability, severity and exposure, is analyzed for each hazardous event to determine the required ASIL.
The rest of the paper is organized as follows. In Section II, we discuss the methodology to determine the ASIL of ETCS functional safety by using hazard analysis and risk assessment. In Section III, the ETCS's Automotive Safety Integrity Level is verified by comparing it with other automotive subsystems.

Hazard analysis and risk assessment (HARA) for motorbike's ETCS
Hazard Analysis and Risk Assessment as stated in ISO26262:2011 starts with hazard and operation scenario identification, followed by safety goal identification and finally the ASIL determination. For the motorbike's ETCS, hazards can be in the form of unintended acceleration and unintended deceleration.
Two safety goals associated with the selected hazards are then identified as the following:

The definition and classification of each parameter is described as follows:

Severity (Sx) is the estimation of the extent of harm (i.e. physical injury or damage to the health of a person) to one or more individuals that can occur in a potentially hazardous event. The severity can be classified into one of the severity classes S0, S1, S2 or S3, where the class descriptions are: no injuries; light and moderate injuries; severe and life-threatening injuries with survival probable; and life-threatening injuries with survival uncertain and fatal injuries, respectively.

Exposure (Ex) is the state of being in an operational situation (i.e. a scenario that can occur during a vehicle's life) that can be hazardous if coincident with the failure mode (i.e. manner in which an element or item) under analysis. The classes of probability of exposure regarding operational situations are extremely unusual (E0), very low probability (E1), low probability (E2), medium probability (E3) and high probability (E4).

Controllability (Cx) is the ability to avoid a specific harm or damage through the timely reactions of the persons involved, possibly with support from external measures. The C classes were evaluated from C0 (controllable in general) to C3 (difficult to control or uncontrollable) depending on the speed level and road condition.

Table 2 shows the ASIL determination of malfunction of the motorbike's ETCS. Note that the ASIL determination of each hazardous event and type of accident is based on the worst-case scenario of the results reported in [21], [17] and [18]. Also, we assumed that the rider follows closely behind a car in all hazardous events. The results are divided into unintended acceleration and deceleration.

For unintended acceleration the results are as follows:
i. Riding on the expressway gives two different ASILs (i.e. C and D) because the probability of exposure for the driving situations of cruising and overtaking is different.
ii. ASIL C is assigned for two different types of accident (i.e. rear-end and overtaking) when riding on a country road due to similar probability of exposure.
iii. The ASIL for a rear-end accident is higher than for a head-on collision in a similar operational scenario (i.e. riding on a country road) because of the higher severity class.
iv. ASIL A is given for all types of accident when riding on a town road because of the low speed.

Meanwhile, the results for the deceleration hazards are as follows:
i. Riding on the expressway gives two different ASILs (i.e. QM and B) because the probability of exposure to the driving situation for overtaking is higher compared to cruising.
ii. Riding on the country road has a similar ASIL A for both rear-end and head-on accidents due to similar probability of exposure.
iii. The operational scenario of riding on a country road for rear-end and head-on accidents is different, which is ASIL A and ASIL B, respectively, due to different controllability.
iv. Riding on a town road is not considered to comply with any ASIL due to the lowest risk occurring.

Table notes (surviving table cells: Turn left, note 10; Turn right, note 14): 1 >70m circular radius road, 2 (e.g. expressway), 3 70m circular radius road, 4 (e.g. country road), 5 20m circular radius road, 6 (e.g. town road), 7 Front-rear collision, 8 Side-side collision, 9 Front-front, Front-side, Side-front collision, 10 Front-side and side-side collision, 11 Front-front and front-side collision, Rear-front collision, 13 Rear-front collision, 14 Side-front collision. In all cases the distance between the motorbike and the vehicle is short.
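The S/E/C classification described in this section can be turned into an ASIL mechanically. The following is an added example, not code or data from the paper: it applies the ISO 26262-3 determination table (written as its equivalent sum rule) to each hazardous event and gives the safety goal the highest ASIL among its events. The function and class names are hypothetical, and the class values in `EVENTS` are constructed for illustration; they are not the values of Table 2.

```python
from dataclasses import dataclass

ASIL_ORDER = ["QM", "A", "B", "C", "D"]  # lowest to highest


def determine_asil(s: int, e: int, c: int) -> str:
    """Map severity S0-S3, exposure E0-E4, controllability C0-C3 to an ASIL."""
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError(f"class out of range: S{s} E{e} C{c}")
    if 0 in (s, e, c):
        return "QM"  # S0, E0 or C0: no ASIL is assigned (treated as QM here)
    # The ISO 26262-3 determination table is equivalent to a sum rule:
    # S+E+C = 10 -> D, 9 -> C, 8 -> B, 7 -> A, anything lower -> QM.
    return ASIL_ORDER[max(0, s + e + c - 6)]


@dataclass(frozen=True)
class HazardousEvent:
    hazard: str
    scenario: str
    s: int  # severity class
    e: int  # exposure class
    c: int  # controllability class

    @property
    def asil(self) -> str:
        return determine_asil(self.s, self.e, self.c)


def safety_goal_asil(events) -> str:
    """A safety goal takes the highest ASIL among its hazardous events."""
    return max((ev.asil for ev in events), key=ASIL_ORDER.index, default="QM")


# Constructed sample events (assumed S/E/C classes, not the paper's Table 2).
EVENTS = [
    HazardousEvent("unintended acceleration", "expressway, overtaking", 3, 4, 3),
    HazardousEvent("unintended acceleration", "expressway, cruising", 3, 3, 3),
    HazardousEvent("unintended acceleration", "country road, rear-end", 3, 3, 3),
    HazardousEvent("unintended acceleration", "town road, rear-end", 1, 4, 2),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(f"{ev.scenario:28s} S{ev.s} E{ev.e} C{ev.c} -> ASIL {ev.asil}")
    print("Safety goal ASIL:", safety_goal_asil(EVENTS))
```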

Verification of motorbike's ETCS automotive safety integrity level
The ETCS's ASIL D requirement for the motorbike is compared to the ASIL requirements for other automotive electronics systems equipped in cars and motorbikes, as shown in Table 3. The lowest and highest reported ASILs among the systems are QM and D, respectively. ASIL QM was established for ETCS-Drive by cable because the maximum possible acceleration caused by the fuel injector system can easily be controlled by the brake [16]. In addition, the ISO26262 standard is only applicable to electrical and electronics systems in automotive applications. The ASIL for the car's ETCS is different from that of the motorbike's ETCS because of the differences in severity and controllability to/of the driver and rider. A car driver is generally exposed to less harm during an accident than a motorbike rider due to protection from the car frame, while rider controllability is generally less than driver controllability due to two-wheel and four-wheel vehicles, respectively.

Conclusion
This paper focused mainly on the malfunction analysis of the motorbike's ETCS-Drive by wire based on unintended acceleration and unintended deceleration during the overtaking hazard. Unintended deceleration in the motorbike causes less risk, with a maximum level of ASIL A, compared to unintended acceleration. The motorbike's ETCS (i.e. Drive by wire) ASIL D was compared to the car's ETCS (Drive by wire) ASIL B, whereby there were differences in severity and controllability to/of the driver and rider. The ASIL for the motorbike must be appropriately evaluated because the vehicle dynamics and riding maneuvers of motorcycles differ from those of passenger cars even for similar hazardous events and types of accident. The established automotive safety level can guide the designer to equip the right safety measures for ETCS hardware development.

Systems listed in the comparison table (table residue): Electric power steering [14], Power window [24], BMS [23], EV inverter [17], ETCS-Drive by wire [25].

Table 2. ASIL determination of malfunction of Motorbike's ETCS

Table 3. The Differences of ASIL determination between CAR and Motorbike