Breinstorm@HUMIQ - Automotive functionalsafety

7 april 2023 www.humiq.nl 1

Automotive Functional

SafetyM. Van der Cruijsen

Content

Introduction

Techniques

Practical examples



Domain

Infotainment• Audio/video• Entertainment• Information, navigation• Communication

Chassis• Stability systems• Suspension, damping• Steering• Braking• ACC

Powertrain• Engine Management• Hybrid Propulsion• Gearbox controller• Powertrain Management

Body• Gateway• Comfort systems

(climate control, sunroof, access control, adjustment systems)


Domain

Safety critical

Production Volume

Automotive Chassis-, Driveline systems

Automotive Body systems

Automotive Infotainment systems

Aerospace

Industrial automation

Consumer Electronics


What is functional safety?

Functional safetySafe implementation of functionality that could cause injury or death to people or damage to environment in case of malfunction.

Not (only) systems which product goal is safety(such as airbag).

Ensuring safety in case of malfunction in the entire system(e.g. a leak, defect sensor, memory error, “bit-flips” due to EMC, etc.)


Example

• Rear axle steering system– No mechanical link to driver (“steer-by-wire”)

• Why rear-axle steering?– Save fuel and less tire wear

• Why electro-hydraulic– Packaging problems on vehicle level

– ECU sets angle of rear axle basedon vehicle speed and front axle angle

ECU


Example

• Functional requirement #1– steer the rear axle based on front axle angle

(manually set by driver)

• Safety requirement #1:– Truck may not roll over, under any (abnormal)

circumstance or condition, due to spontaneous or incorrect steering

ECU


Example

Spontaneous steering could occur due to failures, causing a disaster

+ =


Why functional safety?

Accident prevention

Risk reduction

Growing complexity

But as well:Satisfaction of customers

Law

Reputation loss


Defines what has to be done & how to prove it.IEC 61508: Functional Safety of E/E/P electronic safety-related systems.

Safety Standards

Safety Standards (2)

IEC 61508 highlightsConsists of 7 parts.378 required & 141 highly recommended requirements.

126 general requirements.194 requirements on system and hardware199 requirements on software

Requirements coverage:Functional.Non-functional.Quality control at manufacturer.Consumer.Verification and Validation at manufacturerVerification and Validation by 3rd party

Informative:Abbreviations & DefinitionsMeasures & TechniquesImplementation Guidelines

Safety Integrity Level


Safety Lifecycle

Technical frameworkConcept / analysis phaseDevelopment phase

Hardware & SoftwareV-Cycle

After SOP

Scope:Concept / analysisSW development


Hazard & Risk Analysis

DefinitionsHazard

Potential source of harm (for human and environment).

RiskCombination of probability, and the severity (impact) of that harm.

Risk = Probability x Impact

Starting Point:Concept, e.g. premature requirement specification(s), etc.

Goal: Definition of safety requirements which can be allocated to hard and/or software components.


Hazard & Risk Analysis

Identification of hazards.As well as the event sequences leading to them.Well known methods:

FMEA (Failure Mode Effects Analysis)Fault Tree AnalysisEvent Tree Analysis

Identification of risk for each identified hazard.What is the risk and is it tolerable?

If not, risk reduction.Most commonly used:

ALARP (As Low As Reasonably Practical)


15

FMEA

Component oriented

Systematic

Focus on single failures.

Component Failure Mode Failure Effect MeasurementShort-Circuit to groundShort-Circuit to battery

Faulty front axle angle measurement will lead to unplausible nominal rear axle movement and spontaneous steering.

Short-circuit detection needs to be added, system must enter fail-safe state.

Noise Due to noise the front axle measurement is not accurate, illegal angle is determined which might lead to sponteanous steering of rear axle.

Signal filtering and conditioning must be added.

Wear of sensor AD measurement will deviate from the calibrated middle position and a front axle movement is detected which will lead to an unwanted movement of the rear axle.

Calibration of middle position during driving needed.

Front Axle Sensor

Battery

Rear Axle Sensor


Fault & Event Tree Analysis

Does take into account multiple errors.


Intolerableregion

Largelyacceptable

region

ALARP or tolerableregion

Risk

Negligible risk

Risk Analysis (ALARP)

3 RegionsALARP Region

Achieve justifiable residual risk.Risk ReductionCost vs. BenefitBenefit > Cost

Safety function (requirements)

Tolerable when no further reduction

possible, or costs are disproportionate to

improvement


ALARP region


Example

Scenario:Estimated cost in case of incident: € 10.000.000,-System life span = 20 YearsEstimated frequency = 6x10-4 per year.Measure: € 160.000,-

Solution:Cost = (6x10-4) x 20 x 10.000.000 = € 120.000

No measure (risk reduction), cost > benefit.


But… This is not only calculation also “common sense”

Safety Functions

A function of a safety related system to reduce the risk in an application with the goal to achieve a safe state.

For each identified hazard (Which will be implemented!)Create safety functions

Which achieves and maintains a safe state for the system.

Create the safety (system) requirements to accomplish the safety function.


Safety Integrity Level

Safety IntegrityProbability of performing the required safety functions!

Safety Integrity Level:Discrete level for specifying the software integrity!

Determined for each safety function!

Safety Integrity Levels (SIL) 1, 2, 3, 4.ASIL A, B, C, D for ISO 26262

Determination methods:Quantitative

Qualitative

Highest SIL level = System SIL level


Quantitative Example

Define tolerable risk frequencyFor example from ALARP.

Measure against risk frequencyAfter risk reduction!


Safety Integrity Requirements

Depending on the system SIL Level

Requirements for maintaining the SIL levelEnsure the system performs the safety function with the defined probability!

Partly available from standards!Measures & Techniques


24

s ys te m re quire m e ntsde ve lopm e nt

s ys te m archite cturalde s ign

SW re quire m e ntsde ve lopm e nt

SW archite cturede ve lopm e nt

SW de taile dde s ign

SW unit te s t

SW coding

s oftw areinte gration

SW te s ting

s ys te m inte grationte s ting

s ys te m te s t

Outcome: Safety Requirements

System RequirementsRequirement allocation.

Hardware & Software.

Planning & Realization according Safety Life Cycle

Safety Function & Integrity

Requirements

Safety Function & Integrity

Requirements

Safetyfunctions

Safetyfunctions


Realization

According Part 2 & 3 of IEC 61508

IEC 61508 requirement examples:


Measures & Techniques

Referenced from requirements.



Measures & Techniques

IEC 61508 architecture coverage


Practical Examples

Sensor error detectionEmergency shutdownSoftware channelsSoftware checks3-Ebene Concept

Common factor: Redundancy!Redundancy does not prevent systematic hardware & software design faults!


Sensor error detection(1)

Redundancy with 2 sensorsSensor input comparison by software on microcontroller(s).

Who is right?

Sensor 1 Sensor 2

COMPARISON(Software)


31

Redundancy with 3 sensors

Drawbacks:High Cost

Systematic Failures

Sensor 1 Sensor 3

VOTER(Software)

Sensor 2



32

Solution: Comparison to other (sensor) data!Front axle vs. rear axle angle.Crankshaft vs. camshaft speed.ABS speed vs. tacho speed.

COMPARISON(Software)

Sensor

Other Data



33

Emergency Shutdown

Pre-Condition: Static Fail-Safe State needed!If functional fail-safe controlled by SW fails!Example: Passive centering of rear axle in case of shutdown.

One or multiple µC solution possible.

ECU

Sensor

(Shutdown)Sensor

PrimarySystem

ShutdownSystem

Diagnosis ofShutdown

System

Actuator(s)


34

Open Loop Protected Single Channel (1)

Example:Read front & Rear axle sensorsCheck sensor dataDetermine rear axle valve positionsActuate valves

Data integrity checks by means of redundant sensor of other data!Drawback

Actuation errors not detected!

Primary System

DataAcquisition

DataProcessing

ActuatorControl

Sensor(s) Actuator(s)

DataIntegrity Checks

Other Data


Closed loop protected single channel(2)

Extra safety by directly measuring output.E.g. Valve:

PWM directly measured by ICU, and valve current by sensor and ADC.

Primary System

DataAcquisition

DataProcessing

ActuatorControl



Sensor(s)ActuatorMonitoring


Dual Closed-Loop Channels

On one or more µC’s.Most critical software parts.

Easier to meet requirements from standards.Different designs & Implementations prevents systematic errors!

DataAcquisition

DataProcessing

ActuatorControl



Sensor(s)ActuatorMonitoring

DataAcquisition

DataProcessing

ActuatorControl


ActuatorMonitoring

Comparison


37

3-Ebene Concept

Most common applied for “simple” SIL3 compliance.

ECU

Sensor(s)Actuator(s)

Sensor(s)

µC 1(Main controller)

ExternalWatchDog

µC 2(Safety controller)


Software & Microcontroller Checks

Dedicated software safety framework for:

Memory testCRC, Checkerboard

I/O testCAN, DIO, ADC

Instruction Set TestCheck basic µC ALU functionality.

Program Sequence MonitoringTest execution paths throughout the software.

And many more…


Summary

Base: IEC 615098 Sector-application standard(s)

Risk/Hazard analyses FMEA, Fault tree, Event tree

Safety Integrity Level (SIL) Highest SIL level = System SIL level


Mastertitelformat bearbeiten

Zweite Zeile

Mastertextformat bearbeiten

Zweite Ebene

Dritte Ebene

Vierte Ebene

Fünfte Ebene


Breinstorm@HUMIQ - Automotive functionalsafety

Automotive

nlsensor error

equipment

front axle

risk ofusing

rear axle

safety related

rear axle

rea axle