The modern braking system in the field today may be controlled by over a million lines of computer code and may feature several hundred moving parts. Although modern brake systems generally deliver performance, even with partial failures present in the system, that is well above regulatory minimums, they also have a level of complexity that extends well beyond what the authors of existing regulations had envisioned. Complexity in the braking system is poised for significant increases as advanced technologies such as self-driving vehicles are introduced, and as multiple systems are linked together to provide vehicle-level “features” to the driver such as deceleration (which can invoke service braking, regenerative braking, use of the parking brake, and engine braking). Rigorous safety-case analysis is critical to bring a new brake system concept to market but may be too tedious and rely on too many assumptions to be useful in the early architecting stages of new vehicle development. A set of requirements, and a method for applying these requirements, that are reasonably accurate but that lend themselves to relatively fast analysis, is very useful early in vehicle development. Architectural decisions such as “what tire traction is needed on an Autonomous Vehicle”, or “is a redundant control module needed here”, or conversely “what reliability needs to be engineered into this component to justify a lack of redundancy” can be answered by such a methodology. Similar logic can be applied in the case of Autonomous Vehicles to help determine what actions for the Autonomous Controller to take when faced with certain failed states in the brake system. This paper introduces a general set of requirements, relating braking performance (deceleration capability) to a corresponding reliability (measured by “Failures In Time”, or “FIT” rate), and a methodology for assessing a brake system to these requirements. Hypothetical case studies are used to illustrate how the proposed requirements and methodology may be applied to architecting a brake system early in the design process, and to determining what actions an Autonomous Vehicle controller should take in response to failures in the brake system.
