Fault tree analysis of a first example automated freeway.

Author(s)
Hitchcock, A.
Year
Abstract

This paper is not complete in itself. The background to it is discussed in “Methods for Analysis of IVHS Safety: Final Report of MOU 19” (Hitchcock 1992a). Readers not familiar with the area are strongly advised to read the other report first. Yet shorter accounts of the background are found in Hitchcock 1991a and Hitchcock 1992b. Further, in this paper an automated freeway is the subject of a fault tree analysis. That automated freeway is specified in full in Hitchcock 1991b. It is a system with one automated lane, on which vehicles move in platoons. It conforms to the constraints derived in Hitchcock 1991a. The specification of Hitchcock 1991b was created in order to provide an example of the way specifications should be constructed if a safety analysis should carry conviction. The way in which such a specification should be recorded was also demonstrated. Finally the specification provides a basis for a demonstration of how conformity to safety criteria can be demonstrated by fault tree analysis. This paper describes the fault tree analysis as demonstrated in one example. The conclusion is that the technique described for specification and safety analysis in the earlier papers is practical and valid through its qualitative stages. The analysis starts with definition of the hazards to be avoided. Here a hazard is defined as a precursor to a condition in which one further failure could lead to a catastrophe. A catastrophe is a high-delta-V collision between platoons. In such a collision, when platoons are involved, multiple deaths and injuries are likely. The qualitative safety criterion chosen is that two independent failures should have to occur before a catastrophic hazard arises. This means that three near-simultaneous independent failures are necessary to cause a high-delta-V collision. In the end, such criteria should be quantitative. Estimates would be made of the frequency of catastrophes. Alternatively estimates would be made of the reliability required to make this frequency small enough. This would require data on reliability of existing system components. These include tires, automatic transmissions and vehicle presence sensors. This data is not immediately available. A report on this topic is planned for later. In the meantime the present qualitative analysis can reveal whether or not a design concept is basically sound. The analysis points the way to the critical cases for quantitative analysis. (A)

Publication

Library number
20011197 ST [electronic version only]
Source

Berkeley, CA, University of California, Institute of Transportation Studies ITS, 1991, 14 + 34 p., 7 ref.; California PATH Research Report ; UCB-ITS-PRR-91-14 - ISSN 1055-1425

Our collection

This publication is one of our other publications, and part of our extensive collection of road safety literature, that also includes the SWOV publications.