GB2591053A - Unintended control action (UCA) and causes within a machine - Google Patents


Info

Publication number
GB2591053A
Authority
GB
United Kingdom
Prior art keywords
machine
uca
lifecycle
controller
level
Prior art date
Legal status
Pending
Application number
GB2104303.9A
Other versions
GB202104303D0 (en)
Inventor
Ashok Bongirwar Rajiv
Current Assignee
Individual
Original Assignee
Individual

Classifications

    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07C TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C5/00 Registering or indicating the working of vehicles
    • G07C5/08 Registering or indicating performance data other than driving, working, idle, or waiting time, with or without registering driving, working, idle or waiting time
    • G07C5/0808 Diagnosing performance data

Landscapes

  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Testing And Monitoring For Control Systems (AREA)

Abstract

A method and a system for determining an Unintended Control Action (UCA) and causes thereof within a machine are disclosed. The system receives one or more features of a machine in order to analyse the machine. A System of Interest (SOI) and an Element of Interest (EOI) in the machine are defined based on the one or more features of the machine. The system identifies one or more lower-level elements within the EOI. Further, the system identifies a machine level risk in the SOI from a predefined list of risks. The system then configures a control structure for the one or more lower-level elements associated with a lifecycle of the machine. The control structure comprises a controller and a controlled element. Finally, the system determines at least an Unintended Control Action (UCA) in the control structure based upon a communication problem between the controller and the controlled element.

Description

Unintended Control Action (UCA) and Causes within a Machine
DESCRIPTION
PRIORITY INFORMATION
[0001] The present application does not claim priority from any other application.
TECHNICAL FIELD
[0002] The present subject matter described herein, in general, relates to determining an Unintended Control Action (UCA) and causes thereof within a machine.
BACKGROUND
[0003] ISO 26262 is the de facto standard for automotive functional safety, and every automotive Original Equipment Manufacturer (OEM) and electronic and software Tier 1 or component supplier is striving to ensure that the development process of an automobile (or its elements, components or systems) used on public roads is ISO 26262 compliant. ISO 26262 is a risk-based safety standard that mandates both hazard analysis and risk assessment. Hazard analysis and risk analysis for the automobile may be achieved using various methods such as Hazard Analysis and Risk Assessment (HARA), HAZOP (Hazard and Operability Study), Systems Theoretic Process Analysis (STPA), Failure Modes and Effects Analysis (FMEA), Fault Tree Analysis (FTA) and the like. STPA is a relatively new hazard analysis technique that promises to overcome limitations of the traditional techniques. It may be noted that STPA, in use since 2005, has significant potential to identify hazards and safety requirements. However, the use of STPA in automotive has not been ubiquitous, and data shows that it (along with the other existing analysis techniques) has been ineffective in reducing vehicle recalls attributable to electronics and software, which have been rising since 2009, fell from 2016 to 2017, and have been increasing steadily again until 2019.
SUMMARY
[0004] Before the present system(s) and method(s) are described, it is to be understood that this application is not limited to the particular system(s) and methodologies described, as there can be multiple possible embodiments which are not expressly illustrated in the present disclosure. It is also to be understood that the terminology used in the description is for the purpose of describing the particular implementations or versions or embodiments only and is not intended to limit the scope of the present application. This summary is provided to introduce aspects related to a system and a method for determining an Unintended Control Action (UCA) and causes thereof within a machine. This summary is not intended to identify essential features of the claimed subject matter, nor is it intended for use in determining or limiting the scope of the claimed subject matter.
[0005] In one embodiment, a method for determining an Unintended Control Action (UCA) and causes thereof within a machine is disclosed. The method may comprise receiving one or more features of a machine in order to analyse the machine. Further, the method may comprise defining a System of Interest (SOI) and an Element of Interest (EOI) in the machine based on the one or more features of the machine. It may be noted that the EOI may be a subset of the SOI. Subsequently, the method may comprise identifying one or more lower-level elements within the EOI. Further, the method may comprise identifying a machine level risk in the SOI from a predefined list of risks. The machine level risk may be caused by an external or internal factor. The method may further comprise configuring a control structure for the one or more lower-level elements associated with a lifecycle of the machine. It may be noted that the control structure may comprise a controller and a controlled element. The controller may communicate with the controlled element. The controller may comprise an element model, and the element model may represent a behaviour of the controlled element. It may be noted that the element model may be aligned with the lifecycle of the machine. Finally, the method may comprise determining at least an Unintended Control Action (UCA) in the control structure based upon a communication problem between the controller and the controlled element, and hence identifying at least an element, from the one or more lower-level elements, or a cause responsible for the UCA leading to the machine level risk associated with the SOI. In one aspect, the aforementioned method for determining an Unintended Control Action (UCA) and causes thereof within a machine may be performed by a processor using programmed instructions stored in a memory.
[0006] In another embodiment, a non-transitory computer-readable medium embodying a program executable in a computing device for determining an Unintended Control Action (UCA) and causes thereof within a machine is disclosed. The program may comprise a program code for receiving one or more features of a machine in order to analyse the machine. The program may comprise a program code for defining a System of Interest (SOI) and an Element of Interest (EOI) in the machine based on the one or more features of the machine. It may be noted that the EOI may be a subset of the SOI. Subsequently, the program may comprise a program code for identifying one or more lower-level elements within the EOI. The program may comprise a program code for identifying a machine level risk in the SOI from a predefined list of risks. The machine level risk may be caused by an external or internal factor. Further, the program may comprise a program code for configuring a control structure for the one or more lower-level elements associated with a lifecycle of the machine. The control structure may comprise a controller and a controlled element. The controller may communicate with the controlled element. Further, the controller may comprise an element model, and the element model may represent a behaviour of the controlled element. It may be noted that the element model may be aligned with the lifecycle of the machine. Finally, the program may comprise a program code for determining at least an Unintended Control Action (UCA) in the control structure based upon a communication problem between the controller and the controlled element, and hence identifying at least an element, from the one or more lower-level elements, or a cause responsible for the UCA leading to the machine level risk associated with the SOI.
BRIEF DESCRIPTION OF THE DRAWINGS
[0007] The foregoing detailed description of embodiments is better understood when read in conjunction with the appended drawings. For the purpose of illustrating the present subject matter, an example of a construction of the present subject matter is provided as figures; however, the invention is not limited to the specific method and system for determining an Unintended Control Action (UCA) and causes thereof within a machine disclosed in the document and the figures.
[0008] The present subject matter is described in detail with reference to the accompanying figures. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. The same numbers are used throughout the drawings to refer to various features of the present subject matter.
[0009] Figure 1 illustrates a network implementation for determining an Unintended Control Action (UCA) and causes thereof within a machine, in accordance with an embodiment of the present subject matter.
[0010] Figure 2 illustrates a method for determining an Unintended Control Action (UCA) and causes thereof within a machine, in accordance with an embodiment of the present subject matter.
[0011] Figure 3 illustrates a control structure, in accordance with an embodiment of the present subject matter.
[0012] The figures depict an embodiment of the present disclosure for purposes of illustration only. One skilled in the art will readily recognize from the following discussion that alternative embodiments of the structures and methods illustrated herein may be employed without departing from the principles of the disclosure described herein.
DETAILED DESCRIPTION
[0013] Some embodiments of this disclosure, illustrating all its features, will now be discussed in detail. The words "receiving," "defining," "identifying," "configuring," "determining," and other forms thereof, are intended to be open ended in that an item or items following any one of these words is not meant to be an exhaustive listing of such item or items or meant to be limited to only the listed item or items. It must also be noted that, as used herein and in the appended claims, the singular forms "a," "an," and "the" include plural references unless the context clearly dictates otherwise. Although any system and methods similar or equivalent to those described herein can be used in the practice or testing of embodiments of the present disclosure, the exemplary system and methods are now described.
[0014] The disclosed embodiments are merely examples of the disclosure, which may be embodied in various forms. Various modifications to the embodiment will be readily apparent to those skilled in the art, and the generic principles herein may be applied to other embodiments. However, one of ordinary skill in the art will readily recognize that the present disclosure is not intended to be limited to the embodiments described but is to be accorded the widest scope consistent with the principles and features described herein.
[0015] The present subject matter discloses a method and a system for determining an Unintended Control Action (UCA) and causes thereof within a machine. Initially, the system receives one or more features related to the machine. In an example, the machine may be an automobile. In another example, the machine may be a subsystem or a subcomponent present in the automobile. The feature may be related to a braking mechanism, headlamp system, steering system, and the like. Further, a System of Interest (SOI) and an Element of Interest (EOI) of the machine may be defined. In one example, the SOI and the EOI may be defined by a user. In another example, the system automatically defines the SOI and the EOI based on the one or more features of the machine. It may be noted that the uniqueness of the present subject matter lies in determining an Unintended Control Action (UCA). The UCA may be a control action in the control structure that leads to a loss or a detriment.
[0016] Traditional STPA does not specify how to break down the controlled process into an EOI and the one or more lower-level elements that relate to the losses within the scope of analysis. This means that STPA may not find the lowest hierarchy of element(s) responsible for the UCA that resulted in a loss. On the other hand, the present invention is an improved method for determining the UCA and causes thereof within the machine. While aspects of the described system and method for determining an Unintended Control Action (UCA) and causes thereof within the machine may be implemented in any number of different computing systems, environments, and/or configurations, the embodiments are described in the context of the following exemplary system.
[0017] Referring now to Figure 1, a network implementation 100 of a system 102 for determining an Unintended Control Action (UCA) and causes thereof within a machine is disclosed. Initially, the system 102 receives one or more features of a machine in order to analyse the machine. In an example, the software may be installed on a user device 104-1. It may be noted that the one or more users may access the system 102 through one or more user devices 104-2, 104-3...104-N, collectively referred to as user devices 104 hereinafter, or through applications residing on the user devices 104. The system 102 receives the one or more features of the machine from the one or more users in order to analyse the machine. Further, the system 102 may also receive feedback from a user using the user devices 104.
[0018] Although the present disclosure is explained considering that the system 102 is implemented on a server, it may be understood that the system 102 may be implemented in a variety of computing systems, such as a laptop computer, a desktop computer, a notebook, a workstation, a virtual environment, a mainframe computer, a server, a network server, or a cloud-based computing environment. It will be understood that the system 102 may be accessed by multiple users through one or more user devices 104-1, 104-2...104-N. In one implementation, the system 102 may comprise the cloud-based computing environment in which the user may operate individual computing systems configured to execute remotely located applications. Examples of the user devices 104 may include, but are not limited to, a portable computer, a personal digital assistant, a handheld device, and a workstation. The user devices 104 are communicatively coupled to the system 102 through a network 106.
[0019] In one implementation, the network 106 may be a wireless network, a wired network, or a combination thereof. The network 106 can be implemented as one of the different types of networks, such as an intranet, local area network (LAN), wide area network (WAN), the internet, and the like. The network 106 may either be a dedicated network or a shared network. The shared network represents an association of the different types of networks that use a variety of standards, for example, Hypertext Transfer Protocol (HTTP), Transmission Control Protocol/Internet Protocol (TCP/IP), Wireless Application Protocol (WAP), and the like, to communicate with one another. Further, the network 106 may include a variety of network devices, including routers, bridges, servers, computing devices, storage devices, and the like.
[0020] In one embodiment, the system 102 may include at least one processor 108, an input/output (I/O) interface 110, and a memory 112. The at least one processor 108 may be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, Central Processing Units (CPUs), state machines, logic circuitries, and/or any devices that manipulate signals based on operational instructions. Among other capabilities, the at least one processor 108 is configured to fetch and execute computer-readable instructions stored in the memory 112.
[0021] The I/O interface 110 may include a variety of software and hardware interfaces, for example, a web interface, a graphical user interface, and the like. The I/O interface 110 may allow the system 102 to interact with the user directly or through the client devices 104. Further, the I/O interface 110 may enable the system 102 to communicate with other computing devices, such as web servers and external data servers (not shown). The I/O interface 110 can facilitate multiple communications within a wide variety of networks and protocol types, including wired networks, for example, LAN, cable, etc., and wireless networks, such as WLAN, cellular, or satellite. The I/O interface 110 may include one or more ports for connecting a number of devices to one another or to another server.
[0022] The memory 112 may include any computer-readable medium or computer program product known in the art including, for example, volatile memory, such as static random-access memory (SRAM) and dynamic random-access memory (DRAM), and/or non-volatile memory, such as read only memory (ROM), erasable programmable ROM, flash memories, hard disks, Solid State Disks (SSD), optical disks, and magnetic tapes. The memory 112 may include routines, programs, objects, components, data structures, etc., which perform particular tasks or implement particular abstract data types. The memory 112 may include programs or coded instructions that supplement applications and functions of the system 102. In one embodiment, the memory 112, amongst other things, serves as a repository for storing data processed, received, and generated by one or more of the programs or the coded instructions.
[0023] As there are various challenges observed in the existing art, these challenges necessitate building the system 102 for determining an Unintended Control Action (UCA) and causes thereof within a machine. At first, a user may use the user device 104 to access the system 102 via the I/O interface 110. The user may register the user devices 104 using the I/O interface 110 in order to use the system 102. In one aspect, the user may access the I/O interface 110 of the system 102. The detailed functioning of the system 102 is described below with the help of the figures.
[0024] The present subject matter describes that the system 102 may receive one or more features of a machine in order to analyse the machine. In an embodiment, the one or more features may comprise at least a feature related to components of the machine. In an example, the feature may be related to the braking system of the machine. It may be noted that the machine may be a set of components or subsystems that relate to at least a sensor, a controller, and an actuator. In an example, a machine may be considered as a vehicle or a braking system which is part of the vehicle.
[0025] Upon receiving the one or more features, a System of Interest (SOI) and an Element of Interest (EOI) in the machine may be defined based on the one or more features of the machine. In an embodiment, a user may define the SOI and the EOI in the machine. It may be noted that the EOI may be a subset of the SOI. Further, the user may define a system boundary and an element boundary. The system boundary may be associated with the SOI, and the element boundary may be associated with the EOI. In an example, the SOI may be an ego vehicle. Further, the EOI may be a headlamp of the ego vehicle. Hence, the system boundary may be the ego vehicle and the element boundary may be the headlamp of the ego vehicle.
[0026] In an example, the SOI and the EOI may be defined by a user. In another example, the system may automatically define the SOI and the EOI based on the one or more features of the machine. The SOI and the EOI may be defined based on Machine Learning (ML) algorithms and Artificial Intelligence (AI). In an embodiment, the system may comprise prestored data related to the machine and data related to the features of the machine. Further, the SOI and the EOI are defined based on the prestored data in the system.
[0027] Further to defining the SOI and the EOI, the system 102 may identify one or more lower-level elements within the EOI. In other words, the EOI may be further divided into lower-level elements. The element may comprise components (hardware or software), hardware parts, and software units. In the above example, the EOI (the headlamp of the ego vehicle) may further comprise at least an Electronic Control Unit (ECU), a Headlamp Control Unit (HCU), and an LED headlamp. The ECU may further comprise an Instrument Cluster (IC) and a Body Control Module (BCM).
[0028] Further to identifying the lower-level elements, the system 102 may identify a machine level risk in the SOI from a predefined list of risks. The machine level risk may be caused by an external or internal factor. The external factor may be a user or another machine interacting with the machine. The internal factor may be a defect in an element, or incorrect interactions between the lower-level elements.
[0029] It may be noted that the machine level risk may be caused by the one or more lower-level elements. In one embodiment, the system may refine the machine level risks by identifying and grouping machine level risks of a similar nature. In an embodiment, the machine level risks may be referred to as R1, R2, R3, ..., Rn.
[0030] Considering the above example, the identified list of risks may be as below.
[0031] R-1: Forward visibility of the road ahead is not available to the driver of the ego vehicle (the ego vehicle loses forward illumination capability) when the ambient light intensity is below 1000 Lux (for example, at night-time, in a tunnel or in a dark condition).
[0032] R-2: The ego vehicle does not maintain a safe distance from pedestrians or a VRU (Vulnerable Road User).
[0033] R-3: The ego vehicle does not maintain a safe distance from other vehicles.
[0034] R-4: The ego vehicle does not maintain a safe distance from other objects.
[0035] R-5: The ego vehicle goes off road or outside the designated lane.
[0036] R-6: The ego vehicle is no longer road legal.
[0037] R-7: The ego vehicle glares a driver of an oncoming vehicle.
[0038] Further, the system 102 may group machine level risks of a similar nature. In the above example, the machine level risks R2, R3, and R4 may be grouped together. It may be noted that the refined system level hazards are represented as (R1', R2', R3', ..., Rn'). Hence, the refined system level hazards may be as below:
[0039] R-1': The ego vehicle loses forward illumination capability.
[0040] R-2': The ego vehicle does not maintain a safe distance from other road users.
[0041] R-2'-1': The ego vehicle does not maintain a safe distance from pedestrians or a VRU (Vulnerable Road User).
[0042] R-2'-2': The ego vehicle does not maintain a safe distance from other vehicles.
[0043] R-2'-3': The ego vehicle does not maintain a safe distance from other objects.
[0044] R-3': The ego vehicle goes off road or outside the designated lane.
[0045] R-4': The ego vehicle is no longer road legal.
[0046] R-5': The ego vehicle glares a driver of an oncoming vehicle.
[0047] In an embodiment, the user may also define a machine level constraint based on the machine level risk. It may be noted that the machine level constraint is the opposite of the machine level risk. Consider an example where the machine level risk is "The ego vehicle does not maintain a safe distance from other vehicles"; then the machine level constraint may be "The ego vehicle must maintain a safe distance from other vehicles."
[0048] Further to identifying the machine level risk, the system 102 may configure a control structure for the one or more lower-level elements associated with a lifecycle of the machine. The control structures may be configured for performing a comprehensive safety analysis of the machine. It may be noted that the control structure may comprise a controller and a controlled element. The controller may communicate with the controlled element. The controller may comprise an element model, and the element model may indicate a behaviour of the controlled element. It may be noted that the element model may be aligned with the lifecycle of the machine. In an embodiment, the controller comprises software which is running on hardware. Examples of the controller may include an engine management system, an inverter, a Battery Management System (BMS), and the like.
[0049] The lifecycle of the machine may comprise system engineering processes including a design and development process, assembly process, manufacturing process, storage and transportation, operation, maintenance and decommissioning processes, and artefacts related to the lifecycle of the machine.
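The risk refinement and constraint derivation just described can be made concrete in code. The following Python is an added example, not code from the patent: it takes the raw headlamp risk list R-1 to R-7, groups R-2, R-3 and R-4 under one umbrella risk with sub-risks (giving R-1' to R-5' as above), and derives a machine level constraint for each risk as its opposite. The Risk class, the GROUPS table (the analyst supplies the umbrella wording) and the NEGATIONS phrase table are this example's own assumptions; the patent only states that the constraint is the opposite of the risk.

```python
"""Refine machine level risks R1..Rn into R1'..Rn' and derive machine level
constraints, as an added example (not the patent's own code).

The raw risk list and the grouping of R-2, R-3, R-4 follow the patent's
headlamp example; the Risk class, the GROUPS table and the NEGATIONS phrase
table are this example's assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Risk:
    rid: str                                   # "R-1", "R-2'", "R-2'-1'", ...
    text: str
    children: List["Risk"] = field(default_factory=list)   # sub-risks of a grouped risk


# Raw machine level risks for the headlamp EOI, as listed in the description.
RAW_RISKS = [
    Risk("R-1", "The ego vehicle loses forward illumination capability"),
    Risk("R-2", "The ego vehicle does not maintain a safe distance from pedestrians or a VRU"),
    Risk("R-3", "The ego vehicle does not maintain a safe distance from other vehicles"),
    Risk("R-4", "The ego vehicle does not maintain a safe distance from other objects"),
    Risk("R-5", "The ego vehicle goes off road or outside the designated lane"),
    Risk("R-6", "The ego vehicle is no longer road legal"),
    Risk("R-7", "The ego vehicle glares a driver of an oncoming vehicle"),
]

# Analyst-supplied grouping of risks of a similar nature (assumption: the
# umbrella wording is given by the analyst, not inferred from the text).
GROUPS: Dict[str, List[str]] = {
    "The ego vehicle does not maintain a safe distance from other road users": ["R-2", "R-3", "R-4"],
}


def refine_risks(raw: List[Risk], groups: Dict[str, List[str]]) -> List[Risk]:
    """Renumber risks as R-k' in original order; a group becomes one R-k' whose
    members are kept as sub-risks R-k'-j'. Ungrouped risks are copied through."""
    by_id = {r.rid: r for r in raw}
    member_of = {m: umbrella for umbrella, members in groups.items() for m in members}
    refined: List[Risk] = []
    emitted = set()
    for r in raw:
        umbrella = member_of.get(r.rid)
        if umbrella is None:
            refined.append(Risk(f"R-{len(refined) + 1}'", r.text))
        elif umbrella not in emitted:
            emitted.add(umbrella)
            parent = Risk(f"R-{len(refined) + 1}'", umbrella)
            for j, mid in enumerate(groups[umbrella], start=1):
                parent.children.append(Risk(f"{parent.rid}-{j}'", by_id[mid].text))
            refined.append(parent)
    return refined


# Phrase table that turns a risk statement into its opposite. Constructed for
# the wordings above; a real analysis would extend it or write constraints by hand.
NEGATIONS = [
    ("does not maintain", "must maintain"),
    ("is no longer", "must remain"),
    ("loses", "must not lose"),
    ("goes off", "must not go off"),
    ("glares", "must not glare"),
]


def derive_constraint(risk_text: str) -> str:
    """Machine level constraint = the opposite of the machine level risk."""
    for bad, good in NEGATIONS:
        if bad in risk_text:
            return risk_text.replace(bad, good, 1) + "."
    raise ValueError(f"no negation rule for: {risk_text!r}")


def machine_level_constraints(refined: List[Risk]) -> Dict[str, str]:
    """One constraint per refined risk, including every sub-risk of a group."""
    out: Dict[str, str] = {}
    for r in refined:
        out[r.rid] = derive_constraint(r.text)
        for child in r.children:
            out[child.rid] = derive_constraint(child.text)
    return out


if __name__ == "__main__":
    refined_list = refine_risks(RAW_RISKS, GROUPS)
    for r in refined_list:
        print(r.rid, r.text)
        for c in r.children:
            print("   ", c.rid, c.text)
    for rid, constraint in machine_level_constraints(refined_list).items():
        print(rid, "->", constraint)
```

Running the module prints the five refined risks with R-2' carrying its three sub-risks, followed by one constraint per identifier; for R-2'-2' the constraint is exactly the sentence the description gives, "The ego vehicle must maintain a safe distance from other vehicles."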
[0050] Further to configuring the control structure, the system 102 may determine at least an Unintended Control Action (UCA) in the control structure based upon a communication problem between the controller and the controlled element. Further, the system may identify at least an element, from the one or more lower-level elements, or a cause responsible for the UCA leading to the machine level risk associated with the SOI. It may be noted that the UCA is an outcome of the external factor or the internal factor or both. Further, the UCA may comprise an identifier, a source, a type, a control action, a context, and a link to the risk.
[0051] The UCA may be a control action in the control structure that leads to a loss or a detriment. The UCA may be caused by incorrect feedback, inadequate requirements, design errors, component failures, or safe control actions that are provided but not followed or executed properly. It is important to note that the present invention aims to prevent the loss or detriment. In an example, the loss may be at least one of: loss of human life or injury to people, loss of or damage to the ego vehicle, loss of or damage to another vehicle, loss of or damage to transportation infrastructure, and loss of mission (the ego vehicle no longer road legal or incapacitated, and the mission aborted).
[0052] In an embodiment, the system may train the lifecycle of the machine based on the determined UCA and feedback associated with the UCA. The feedback may be received from a user. It may be noted that training is a continuous process. Further, the training may be performed using at least one of Machine Learning algorithms and Deep Learning algorithms, or a manual update to the artefacts associated with the lifecycle based on human intelligence. In an embodiment, the training may be performed using a combination of one or more algorithms.
[0053] Consider an example of a vehicle. The system receives one or more features of the vehicle. The one or more features may comprise a headlamp, a braking system, indicator functionality, and the like. Further, the SOI and the EOI may be defined based on the features of the vehicle. The SOI may be the vehicle and the EOI may be the braking system. Further, one or more lower-level elements may be identified in the EOI. The one or more lower-level elements present in the braking system may comprise a wheel speed sensor, valves, and a pump. Further, the system may identify a machine (vehicle) level risk in the SOI from a predefined list of risks. Further, a control structure for the one or more lower-level elements associated with a lifecycle of the machine may be configured. In the example, a control structure may be configured between the braking system (controller) and the speed sensor (controlled element). It may be noted that the braking system (controller) comprises an element model. Further, the element model represents a behaviour of the controlled element. The element model is aligned with the lifecycle of the machine. Furthermore, the one or more lower-level elements are assigned responsibilities. In an example, the responsibility of the speed sensor may be to provide data related to speed (feedback) to the braking system. Further, the system determines at least an Unintended Control Action (UCA) in the control structure based upon a communication problem between the controller and the controlled element. In the example, when the speed sensor fails to provide feedback to the braking system, the UCA is determined. Hence, the system identifies that the speed sensor (a lower-level element) may be responsible for the UCA.
[0054] In an embodiment, the method for determining an Unintended Control Action (UCA) and causes thereof within the machine may also be used from a systems engineering perspective in Safety of the Intended Functionality (SOTIF, ISO PAS 21448).
[0055] In another embodiment, the method for determining an Unintended Control Action (UCA) and causes thereof within a machine may also be used for security purposes under the cybersecurity standard ISO DIS 21434, which relates to the lifecycle of vehicles or of elements or components in the automotive industry.
[0056] Further, the system 102 may also be extended to other industries, such as, for example, aerospace, to comply with ARP 4754A (systems engineering perspective) and 4671 (safety assessment perspective) in the civil aviation sector, and MIL Std 882E (system safety) or DO 178C / DO 254A in the defence sector, for software and electronic hardware respectively.
10571 Referring now to figure 2, a method 200 for determining an Unintended Control Action (UCA) and causes thereof within a machine is shown, in accordance with an embodiment of the present subject matter. The method 200 may be described in the general context of computer executable instructions. Generally, computer executable instructions can include routines, programs, objects, components, data structures, procedures, modules, functions, etc., that perform particular functions or implement particular abstract data types.
[058] The order in which the method 200 is described is not intended to be construed as a limitation, and any number of the described method blocks can be combined in any order to implement the method 200 or alternate methods for determining an Unintended Control Action (UCA) and causes thereof within a machine. Additionally, individual blocks may be deleted from the method 200 without departing from the scope of the subject matter described herein. Furthermore, the method 200 for determining an Unintended Control Action (UCA) and causes thereof within a machine can be implemented in any suitable hardware, software, firmware, or combination thereof. However, for ease of explanation, in the embodiments described below, the method 200 may be considered to be implemented in the above-described system 102.
[059] At block 202, one or more features of a machine may be received in order to analyse the machine. The one or more features are stored in the memory 112.
[060] At block 204, a System of Interest (SOI) and an Element of Interest (EOI) in the machine may be defined based on the one or more features of the machine. It may be noted that the EOI is a subset of the SOI. The SOI and EOI are stored in the memory 112.
[061] At block 206, one or more lower-level elements may be identified within the EOI. The one or more lower-level elements are stored in the memory 112.
[062] At block 208, a machine level risk may be identified in the SOI from a predefined list of risks. The machine level risk is caused by an external or internal factor. The machine level risk is stored in the memory 112.
[063] At block 210, a control structure may be configured for the one or more lower-level elements associated with a lifecycle of the machine. The control structure may comprise a controller and a controlled element.
[064] At block 212, at least an Unintended Control Action (UCA) may be determined in the control structure based upon a communication problem between the controller and the controlled element. Thereby, at least an element from the one or more lower-level elements, or a cause responsible for the UCA leading to the machine level risk associated with the SOI, is identified. The UCA may be stored in the memory 112.
[065] Referring now to figure 3, a control structure is shown in accordance with an embodiment of the present subject matter. The control structure may comprise a controller and a controlled element, where the controlled element is one of the one or more lower-level elements. The controller communicates with the controlled element by sending and receiving signals. The controller may further comprise a control algorithm and an element model. The element model may be a behaviour of the controlled element and may be aligned with the lifecycle of the machine. Further, the controller may provide at least a control action to the controlled element, and the controlled element may provide feedback to the controller based on the control action.
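The control structure of figure 3 and blocks 208 to 212 of method 200, as an added Python example that is not part of the patent: the controller's element model states the feedback expected from the controlled element in a given lifecycle phase, and every exchange whose feedback is missing, late, or inconsistent with that model is recorded as a UCA carrying the fields of claim 4 (identifier, source, type, control action, context, link to the risk). The element names, the 100 ms delay bound, the signal log and the risk identifier R1 are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class UCA:
    """One UCA record with the fields named in claim 4."""
    identifier: str
    source: str          # lower-level element (or cause) responsible
    type: str            # kind of communication problem observed
    control_action: str
    context: str         # lifecycle phase plus the observed signal
    risk: str            # link to a machine-level risk (block 208)

@dataclass
class ControlStructure:
    """Figure 3: controller, controlled element and element model (block 210)."""
    controller: str
    controlled: str          # one of the lower-level elements of the EOI
    element_model: dict      # phase -> {control action: expected feedback}
    max_delay_ms: int = 100  # assumed bound for timely feedback

    def determine_ucas(self, phase, exchanges, risk_id):
        """Block 212: flag each exchange whose feedback breaks the element model."""
        expected = self.element_model[phase]
        ucas = []
        for n, (action, feedback, delay_ms) in enumerate(exchanges, 1):
            if feedback is None:
                problem = "feedback missing"
            elif delay_ms > self.max_delay_ms:
                problem = "feedback late"
            elif feedback != expected.get(action):
                problem = "feedback inconsistent with element model"
            else:
                continue  # controller and element agree: no UCA
            ucas.append(UCA(f"UCA-{n}", self.controlled, problem, action,
                            f"{phase}: got {feedback!r} after {delay_ms} ms", risk_id))
        return ucas

def analyse_brake_eoi():
    """Worked run: SOI = vehicle, EOI = brake system, constructed signal log."""
    cs = ControlStructure("brake ECU", "hydraulic actuator",
                          {"operation": {"apply": "pressure_up",
                                         "release": "pressure_down"}})
    log = [("apply", "pressure_up", 20),      # nominal exchange
           ("release", "pressure_up", 30),    # element did not release
           ("apply", None, 0),                # no feedback at all
           ("apply", "pressure_up", 250)]     # feedback, but too late
    return cs.determine_ucas("operation", log, "R1")  # R1: constructed risk id

if __name__ == "__main__":
    print(*analyse_brake_eoi(), sep="\n")
```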
[066] Exemplary embodiments discussed above may provide certain advantages. Though not required to practice aspects of the disclosure, these advantages may include those provided by the following features.
[067] Some embodiments of the system and the method enable determination of an Unintended Control Action (UCA) and causes thereof within a machine.
[068] Some embodiments of the system and the method help to detect UCAs in the lower-level elements of the EOI.
[069] Some embodiments of the system and the method enable identification and analysis of the machine level risk in an efficient manner.
[070] Some embodiments of the system and the method facilitate simultaneous compliance with the ISO 26262, SOTIF (ISO PAS 21448) and Cybersecurity (ISO DIS 21434) standards related to the lifecycle of vehicles or of their elements or components in the automotive industry.
[071] Some embodiments of the system and the method improve the implementation of STPA and the ISO 26262 standard for automotive and mission critical devices, and of the equivalent standards (ARP 4754A, ARP 4761, MIL STD 882E, DO 178C, DO 254A) for aerospace machines.
[072] Although implementations for methods and a system for determining an Unintended Control Action (UCA) and causes thereof within a machine have been described in language specific to structural features and/or methods, it is to be understood that the appended claims are not necessarily limited to the specific features or methods described. Rather, the specific features and methods are disclosed as examples of implementations for determining an Unintended Control Action (UCA) and causes thereof within a machine.

Claims (15)

I/We Claim:
  1. A method for determining an Unintended Control Action (UCA) and causes thereof within a machine, the method comprises: receiving, by a processor, one or more features of a machine in order to analyse the machine; defining, by the processor, a System of Interest (SOI), and an Element of Interest (EOI), in the machine based on one or more features of the machine, wherein the EOI is a subset of the SOI; identifying, by the processor, one or more lower-level elements within the EOI; identifying, by the processor, a machine level risk in the SOI from a set of predefined list of risks, wherein the machine level risk is caused due to an external or internal factor; configuring, by the processor, a control structure for the one or more lower-level elements associated with a lifecycle of the machine, wherein the control structure comprises a controller and a controlled element, and wherein the controller communicates with the controlled element, wherein the controller comprises an element model, and wherein the element model is a behaviour of the controlled element, and wherein the element model is aligned with the lifecycle of the machine, and determining, by the processor, at least an Unintended Control Action (UCA) in the control structure based upon a communication problem between the controller and the controlled element thereby identifying at least an element, from the one or more lower-level elements, or a cause responsible for the UCA leading to the machine level risk associated with the SOI.
  2. The method as claimed in claim 1, further comprises training the lifecycle based on the UCA determined and feedback associated to the UCA, wherein the feedback is received from a user.
  3. The method as claimed in claim 1, wherein the UCA is an outcome of the external or internal factor or both.
  4. The method as claimed in claim 1, wherein the UCA comprises an identifier, a source, a type, a control action, a context, and a link to the risk.
  5. The method as claimed in claim 1, wherein the controlled element is one of the one or more lower-level elements.
  6. The method as claimed in claim 1, wherein the lifecycle of the machine comprises system engineering processes including a design and development process, assembly process, manufacturing process, storage and transportation, operation, maintenance and decommissioning processes and artefacts related to the lifecycle of the machine.
  7. The method as claimed in claim 1, the machine comprises at least one of a SOI and one or more EOI interacting together to deliver a capability to the user.
  8. A system for determining an Unintended Control Action (UCA) and causes thereof within a machine, the system comprising: a memory; and a processor coupled to the memory, wherein the processor is configured for: receiving one or more features of a machine in order to analyse the machine; defining a System of Interest (SOI), and an Element of Interest (EOI), in the machine based on the one or more features of the machine, wherein the EOI is a subset of the SOI; identifying one or more lower-level elements within the EOI; identifying a machine level risk in the SOI from a set of predefined list of risks, wherein the machine level risk is caused due to an external or internal factor; configuring a control structure for the one or more lower-level elements associated with a lifecycle of the machine, wherein the control structure comprises a controller and a controlled element, and wherein the controller communicates with the controlled element, wherein the controller comprises an element model, and wherein the element model is a behaviour of the controlled element, and wherein the element model is aligned with the lifecycle of the machine; and determining at least an Unintended Control Action (UCA) in the control structure based upon a communication problem between the controller and the controlled element thereby identifying at least an element, from the one or more lower-level elements, or a cause responsible for the UCA leading to the machine level risk associated with the SOI.
  9. The system as claimed in claim 8, further comprises training the lifecycle based on the UCA determined and feedback associated to the UCA, wherein the feedback is received from a user.
  10. The system as claimed in claim 8, wherein the UCA is an outcome of the external or internal factor or both.
  11. The system as claimed in claim 8, wherein the UCA comprises an identifier, a source, a type, a control action, a context, and a link to the risk.
  12. The system as claimed in claim 8, wherein the controlled element is one of the one or more lower-level elements.
  13. The system as claimed in claim 8, wherein the lifecycle of the machine comprises system engineering processes including a design and development process, assembly process, manufacturing process, storage and transportation, operation, maintenance and decommissioning processes and artefacts related to the lifecycle of the machine.
  14. The system as claimed in claim 8, the machine comprises at least one of a SOI and one or more EOI interacting together to deliver a capability to the user.
  15. A non-transitory computer program product having embodied thereon a computer program for determining an Unintended Control Action (UCA) and causes thereof within a machine, the computer program product storing instructions, the instructions comprising instructions for: receiving one or more features of a machine in order to analyse the machine; defining a System of Interest (SOI), and an Element of Interest (EOI), in the machine based on the one or more features of the machine, wherein the EOI is a subset of the SOI; identifying one or more lower-level elements within the EOI; identifying a machine level risk in the SOI from a set of predefined list of risks, wherein the machine level risk is caused due to an external or internal factor; configuring a control structure for the one or more lower-level elements associated with a lifecycle of the machine, wherein the control structure comprises a controller and a controlled element, and wherein the controller communicates with the controlled element, wherein the controller comprises an element model, and wherein the element model is a behaviour of the controlled element, and wherein the element model is aligned with the lifecycle of the machine; and determining at least an Unintended Control Action (UCA) in the control structure based upon a communication problem between the controller and the controlled element thereby identifying at least an element, from the one or more lower-level elements, or a cause responsible for the UCA leading to the machine level risk associated with the SOI.

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB2104303.9A GB2591053A (en) 2021-03-26 2021-03-26 Unintended control action (UCA) and causes within a machine

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB2104303.9A GB2591053A (en) 2021-03-26 2021-03-26 Unintended control action (UCA) and causes within a machine

Publications (2)

Publication Number Publication Date
GB202104303D0 GB202104303D0 (en) 2021-05-12
GB2591053A true GB2591053A (en) 2021-07-14

Family

ID=75783581

Family Applications (1)

Application Number Title Priority Date Filing Date
GB2104303.9A Pending GB2591053A (en) 2021-03-26 2021-03-26 Unintended control action (UCA) and causes within a machine

Country Status (1)

Country Link
GB (1) GB2591053A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6766230B1 (en) * 2000-11-09 2004-07-20 The Ohio State University Model-based fault detection and isolation system and method
US20090295559A1 (en) * 2008-06-02 2009-12-03 Gm Global Technology Operations, Inc. Integrated hierarchical process for fault detection and isolation
US20100057511A1 (en) * 2008-08-27 2010-03-04 Mansouri Ali R Integrated autonomous fleet management using self-aware vehicles
GB2586633A (en) * 2019-08-30 2021-03-03 Jaguar Land Rover Ltd Layered electrical architecture for vehicle diagnostics

Also Published As

Publication number Publication date
GB202104303D0 (en) 2021-05-12
