7 april 2023 www.humiq.nl 1
Automotive Functional Safety
M. Van der Cruijsen
Content
Introduction
Techniques
Practical examples
Domain
Infotainment
• Audio/video
• Entertainment
• Information, navigation
• Communication

Chassis
• Stability systems
• Suspension, damping
• Steering
• Braking
• ACC (adaptive cruise control)

Powertrain
• Engine management
• Hybrid propulsion
• Gearbox controller
• Powertrain management

Body
• Gateway
• Comfort systems (climate control, sunroof, access control, adjustment systems)
Domain
Figure: domains plotted by safety criticality against production volume: automotive chassis and driveline systems, automotive body systems, automotive infotainment systems, aerospace, industrial automation, consumer electronics.
What is functional safety?
Functional safety: the safe implementation of functionality that could cause injury or death to people, or damage to the environment, in case of a malfunction.
Not (only) systems whose product goal is safety (such as an airbag).
Ensuring safety in case of a malfunction anywhere in the entire system (e.g. a leak, a defective sensor, a memory error, "bit-flips" due to EMC, etc.).
Example
• Rear-axle steering system
  – No mechanical link to the driver ("steer-by-wire")
• Why rear-axle steering?
  – Saves fuel and reduces tire wear
• Why electro-hydraulic?
  – Packaging problems on vehicle level
  – The ECU sets the angle of the rear axle based on vehicle speed and front-axle angle
Figure: system diagram (ECU).
Example
• Functional requirement #1
  – Steer the rear axle based on the front-axle angle (manually set by the driver)
• Safety requirement #1
  – The truck may not roll over, under any (abnormal) circumstance or condition, due to spontaneous or incorrect steering
Figure: system diagram (ECU).
Example
Spontaneous steering could occur due to failures, causing a disaster.
Figure: illustration ("failure + spontaneous steering = disaster").
Why functional safety?
Accident prevention
Risk reduction
Growing complexity
But also:
Customer satisfaction
Law
Reputation loss
Safety Standards
Defines what has to be done and how to prove it.
IEC 61508: Functional Safety of Electrical/Electronic/Programmable Electronic (E/E/PE) safety-related systems.
Safety Standards (2)
IEC 61508 highlights
• Consists of 7 parts.
• 378 required and 141 highly recommended requirements:
  – 126 general requirements
  – 194 requirements on system and hardware
  – 199 requirements on software
• Requirements coverage: functional; non-functional; quality control at the manufacturer; consumer; verification and validation at the manufacturer; verification and validation by a 3rd party.
• Informative: abbreviations and definitions; measures and techniques; implementation guidelines.
• Safety Integrity Level
Safety Lifecycle
Technical framework:
• Concept / analysis phase
• Development phase: hardware and software V-cycle
• After SOP (start of production)
Scope of this presentation: concept / analysis and SW development.
Hazard & Risk Analysis
Definitions
Hazard: a potential source of harm (to humans or the environment).
Risk: the combination of the probability of harm and the severity (impact) of that harm.
Risk = Probability x Impact
Starting point: the concept, e.g. preliminary requirement specification(s), etc.
Goal: definition of safety requirements which can be allocated to hardware and/or software components.
Hazard & Risk Analysis
Identification of hazards, as well as the event sequences leading to them. Well-known methods:
• FMEA (Failure Mode and Effects Analysis)
• Fault Tree Analysis
• Event Tree Analysis
Identification of the risk for each identified hazard: what is the risk, and is it tolerable?
If not, risk reduction. Most commonly used:
• ALARP (As Low As Reasonably Practicable)
FMEA
• Component oriented
• Systematic
• Focus on single failures

Example rows for the front-axle angle sensor (columns: Component, Failure Mode, Failure Effect, Measure):

Component: Front axle sensor
Failure mode: Short circuit to ground / short circuit to battery
Failure effect: A faulty front-axle angle measurement leads to an implausible nominal rear-axle movement and spontaneous steering.
Measure: Short-circuit detection must be added; the system must enter the fail-safe state.

Component: Front axle sensor
Failure mode: Noise
Failure effect: Due to noise the front-axle measurement is not accurate; an illegal angle is determined, which might lead to spontaneous steering of the rear axle.
Measure: Signal filtering and conditioning must be added.

Component: Front axle sensor
Failure mode: Wear of sensor
Failure effect: The AD measurement deviates from the calibrated middle position, a front-axle movement is detected, and this leads to an unwanted movement of the rear axle.
Measure: Calibration of the middle position during driving is needed.

Figure: components considered: front axle sensor, battery, rear axle sensor.
Fault & Event Tree Analysis
Unlike FMEA, these do take multiple (combined) failures into account.
Risk Analysis (ALARP)
Figure: risk scale with three regions, from high to low risk: intolerable region; ALARP or tolerable region; broadly acceptable region (negligible risk).
3 regions
ALARP region:
• Achieve a justifiable residual risk.
• Risk reduction: cost vs. benefit; reduce while benefit > cost.
• Safety function (requirements)
• Tolerable when no further reduction is possible, or the costs are disproportionate to the improvement.
Example
Scenario:
• Estimated cost in case of an incident: € 10,000,000
• System life span: 20 years
• Estimated frequency: 6 x 10^-4 per year
• Cost of the measure: € 160,000
Solution:
Expected loss over the life span = (6 x 10^-4) x 20 x 10,000,000 = € 120,000
The measure costs more than the loss it prevents (€ 160,000 > € 120,000), so on a pure cost/benefit argument no (further) risk reduction is required.
But... this is not only a calculation; "common sense" also applies.
Safety Functions
A function of a safety-related system that reduces the risk in an application, with the goal of achieving a safe state.
For each identified hazard (that will be implemented!):
• Create safety functions which achieve and maintain a safe state for the system.
• Create the safety (system) requirements to accomplish the safety function.
Safety Integrity Level
Safety integrity: the probability of a safety-related system performing the required safety functions as specified.
Safety Integrity Level (SIL): a discrete level for specifying the safety integrity requirements of a safety function.
Determined for each safety function!
Safety Integrity Levels (SIL) 1, 2, 3, 4 in IEC 61508; ASIL A, B, C, D in ISO 26262.
Determination methods: quantitative, qualitative.
Highest SIL level = system SIL level.
Quantitative Example
• Define the tolerable risk frequency, for example from ALARP.
• Measure it against the risk frequency after risk reduction!
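Worked calculation, added here and not part of the original slides, of how a tolerable frequency from ALARP turns into a SIL for a low-demand safety function. The two input frequencies are assumed values; the SIL bands are those of IEC 61508-1:

```latex
\begin{aligned}
&\text{Hazard frequency without the safety function (assumed):} && F_u = 10^{-1}\ \text{yr}^{-1} \\
&\text{Tolerable frequency, e.g. from ALARP (assumed):} && F_t = 5 \times 10^{-4}\ \text{yr}^{-1} \\
&\text{Required risk reduction factor:} && RRF = \frac{F_u}{F_t} = \frac{10^{-1}}{5 \times 10^{-4}} = 200 \\
&\text{Allowed average probability of failure on demand:} && PFD_{avg} = \frac{1}{RRF} = 5 \times 10^{-3} \\
&\text{IEC 61508-1 low-demand bands:} && 10^{-3} \le PFD_{avg} < 10^{-2} \;\Rightarrow\; \text{SIL 2}
\end{aligned}
```

For a high-demand or continuous-mode function such as steering, the same comparison is made per hour of operation against the probability of a dangerous failure per hour (PFH), where SIL 2 corresponds to 10^-7 ≤ PFH < 10^-6 per hour.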
Safety Integrity Requirements
Depending on the system SIL level.
Requirements for maintaining the SIL level: ensure the system performs the safety function with the defined probability!
Partly available from the standards: measures and techniques.
Outcome: Safety Requirements
Figure: V-cycle. Left leg, top-down: system requirements development; system architectural design; SW requirements development; SW architecture development; SW detailed design; SW coding. Right leg, bottom-up: SW unit test; software integration; SW testing; system integration testing; system test.
Inputs: safety functions; safety function and integrity requirements.
System requirements: requirement allocation to hardware and software.
Planning and realization according to the Safety Life Cycle.
Realization
According to Parts 2 and 3 of IEC 61508.
IEC 61508 requirement examples:
Measures & Techniques
Referenced from requirements.
Measures & Techniques
IEC 61508 architecture coverage
Practical Examples
• Sensor error detection
• Emergency shutdown
• Software channels
• Software checks
• 3-level concept (German: "3-Ebene-Konzept")
Common factor: redundancy!
Redundancy does not prevent systematic hardware and software design faults!
Sensor error detection (1)
Redundancy with 2 sensors: sensor input comparison by software on the microcontroller(s).
Who is right? (A mismatch can be detected, but not which of the two sensors is faulty.)
Figure: Sensor 1 and Sensor 2 feeding a software comparison.
Redundancy with 3 sensors
Drawbacks:
• High cost
• Systematic failures (three identical sensors share the same design faults)
Figure: Sensor 1, Sensor 2 and Sensor 3 feeding a software voter.
Sensor error detection (2)
Solution: comparison to other (sensor) data!
• Front-axle vs. rear-axle angle
• Crankshaft vs. camshaft speed
• ABS wheel speed vs. tacho speed
Figure: one sensor and other data feeding a software comparison.
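The following C code is an added example, not code from the slides or from humiq: it puts the FMEA measures for the front-axle sensor (short-circuit detection, fail-safe on mismatch) and the three sensor error detection patterns (2-sensor comparison, 3-sensor voter, plausibility against other data) into one module for the rear-axle steering example. The 12-bit ADC, the angle scale, the guard bands, the tolerances and the speed-dependent steering ratio are all assumptions for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added example, not from the slides. ADC scale, guard bands, tolerances and
 * the steering-ratio model are assumptions for illustration only. */

#define ADC_MAX          4095u
#define ADC_SC_GND_LIMIT 100u    /* counts below this: short circuit to ground (assumed guard band) */
#define ADC_SC_BAT_LIMIT 3995u   /* counts above this: short circuit to battery (assumed guard band) */
#define SENSOR_TOL_DEG   2.0f    /* max allowed disagreement between redundant sensors (assumed) */
#define PLAUS_TOL_DEG    3.0f    /* max allowed deviation from the model-based expectation (assumed) */

typedef enum {
    SENSOR_OK = 0,
    SENSOR_SC_GND,      /* FMEA failure mode: short circuit to ground */
    SENSOR_SC_BAT,      /* FMEA failure mode: short circuit to battery */
    SENSOR_MISMATCH,    /* redundant sensors disagree and the fault cannot be masked */
    SENSOR_IMPLAUSIBLE  /* value contradicts other vehicle data */
} sensor_status_t;

static float absf(float x) { return x < 0.0f ? -x : x; }   /* avoids a libm dependency */

/* FMEA measure: a healthy sensor never drives the ADC to either rail, so a
 * reading inside a guard band is a wiring fault, not an angle. */
sensor_status_t check_adc_range(uint16_t raw)
{
    if (raw < ADC_SC_GND_LIMIT) return SENSOR_SC_GND;
    if (raw > ADC_SC_BAT_LIMIT) return SENSOR_SC_BAT;
    return SENSOR_OK;
}

/* Mid-scale is the calibrated straight-ahead position; full scale is +/-45 deg (assumed). */
float adc_to_deg(uint16_t raw, uint16_t mid)
{
    return ((float)raw - (float)mid) * (90.0f / (float)ADC_MAX);
}

/* Two redundant sensors: a mismatch is detectable but not arbitrable ("who is
 * right?"), so the caller must enter the fail-safe state on SENSOR_MISMATCH. */
sensor_status_t compare_two(float a, float b, float *out)
{
    if (absf(a - b) > SENSOR_TOL_DEG) return SENSOR_MISMATCH;
    *out = 0.5f * (a + b);
    return SENSOR_OK;
}

/* Three redundant sensors: the median masks a single faulty sensor and the
 * outlier index is reported (-1 if none). Two outliers cannot be masked. */
sensor_status_t vote_three(const float v[3], float *out, int *faulty)
{
    int lo = 0, hi = 0;
    for (int i = 1; i < 3; i++) {
        if (v[i] < v[lo]) lo = i;
        if (v[i] > v[hi]) hi = i;
    }
    int med = (lo == hi) ? 0 : 3 - lo - hi;     /* index that is neither min nor max */
    bool lo_bad = (v[med] - v[lo]) > SENSOR_TOL_DEG;
    bool hi_bad = (v[hi] - v[med]) > SENSOR_TOL_DEG;
    *faulty = -1;
    if (lo_bad && hi_bad) return SENSOR_MISMATCH;
    if (lo_bad) *faulty = lo;
    if (hi_bad) *faulty = hi;
    *out = v[med];
    return SENSOR_OK;
}

/* Assumed steering model of the ECU: counter-phase at low speed for
 * manoeuvring, in-phase above 40 km/h for stability. */
float expected_rear_deg(float front_deg, float speed_kmh)
{
    return (speed_kmh < 40.0f) ? -0.3f * front_deg : 0.1f * front_deg;
}

/* Comparison to other data: the measured rear-axle angle must agree with what
 * the ECU should have commanded from the front-axle angle and vehicle speed. */
sensor_status_t check_plausibility(float front_deg, float rear_deg, float speed_kmh)
{
    float expected = expected_rear_deg(front_deg, speed_kmh);
    return (absf(rear_deg - expected) > PLAUS_TOL_DEG) ? SENSOR_IMPLAUSIBLE : SENSOR_OK;
}
```

The guard bands implement the short-circuit detection row of the FMEA table; `compare_two` shows why two sensors only give detection, `vote_three` why three give masking at higher cost, and `check_plausibility` the cheaper cross-check against other data. All four return a status rather than a value so that the caller decides on the fail-safe transition in one place.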
Emergency Shutdown
Pre-condition: a static fail-safe state is needed, for the case that the functional fail-safe controlled by software fails!
Example: passive centering of the rear axle in case of shutdown.
One or multiple µC solutions are possible.
Figure: ECU containing the primary system, a shutdown system and diagnosis of the shutdown system; sensor and (shutdown) sensor as inputs, actuator(s) as output.
Open Loop Protected Single Channel (1)
Example:
• Read front and rear axle sensors
• Check sensor data
• Determine rear-axle valve positions
• Actuate valves
Data integrity checks by means of a redundant sensor or other data!
Drawback: actuation errors are not detected!
Figure: primary system with data acquisition, data processing and actuator control between sensor(s) and actuator(s); the data integrity checks use other data.
Closed Loop Protected Single Channel (2)
Extra safety by directly measuring the output. E.g. for a valve: the PWM is measured directly by the ICU (input capture unit), and the valve current by a sensor and the ADC.
Figure: as the open-loop channel, plus actuator monitoring from sensor(s) on the actuator output feeding back into the data integrity checks.
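An added example (not code from the slides or from humiq) of the actuator monitoring that turns the open-loop channel into a closed-loop one: the commanded PWM duty is compared with the duty the ICU actually measured at the driver output, and the coil current from the ADC is compared with what that duty should produce. The supply voltage, coil resistance, tolerances and the debounce depth are assumptions; a hypothetical resistive coil model is used for the expected current.

```c
#include <stdbool.h>

/* Added example, not from the slides. Electrical values, tolerances and the
 * debounce depth are assumptions for illustration only. */

#define SUPPLY_V        13.5f   /* nominal battery voltage (assumed) */
#define VALVE_OHM       12.0f   /* warm coil resistance (assumed) */
#define DUTY_TOL        0.05f   /* ICU-measured duty may differ from command by 5 % (assumed) */
#define CURRENT_TOL_A   0.15f   /* measured vs. modelled current tolerance (assumed) */
#define DEBOUNCE_CYCLES 3       /* consecutive faulty cycles before shutdown (assumed) */

typedef enum {
    ACT_OK = 0,
    ACT_DUTY_FAULT,     /* driver stage did not produce the commanded PWM (e.g. stuck output) */
    ACT_CURRENT_FAULT,  /* PWM is right but the coil current is not (e.g. open or shorted coil) */
    ACT_SHUTDOWN        /* latched: valve de-energised, rear axle centres passively */
} act_status_t;

typedef struct {
    int  fault_count;   /* consecutive faulty monitoring cycles */
    bool shut_down;     /* latched shutdown, cleared only by a restart */
} act_monitor_t;

static float absf(float x) { return x < 0.0f ? -x : x; }

/* Expected mean coil current for a duty cycle: I = D * U / R (assumed resistive model). */
float expected_current_a(float duty) { return duty * SUPPLY_V / VALVE_OHM; }

/* Called once per control cycle after the valve has been commanded. An open-loop
 * channel would stop at cmd_duty; the closed-loop check compares what the
 * hardware actually did. Single-cycle glitches are debounced so that EMC noise
 * on the ICU or ADC does not cause a needless shutdown. */
act_status_t monitor_actuator(act_monitor_t *m, float cmd_duty, float icu_duty, float adc_current)
{
    if (m->shut_down) return ACT_SHUTDOWN;

    act_status_t s = ACT_OK;
    if (absf(icu_duty - cmd_duty) > DUTY_TOL)
        s = ACT_DUTY_FAULT;
    else if (absf(adc_current - expected_current_a(icu_duty)) > CURRENT_TOL_A)
        s = ACT_CURRENT_FAULT;

    if (s == ACT_OK) {
        m->fault_count = 0;
        return ACT_OK;
    }
    if (++m->fault_count >= DEBOUNCE_CYCLES) {
        m->shut_down = true;           /* hand over to the static fail-safe state */
        return ACT_SHUTDOWN;
    }
    return s;
}
```

The order of the two comparisons matters: a wrong duty already explains a wrong current, so the duty check comes first and a current fault is only reported when the PWM itself was correct.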
Dual Closed-Loop Channels
On one or more µCs, for the most critical software parts.
Easier to meet the requirements from the standards.
Different designs and implementations prevent systematic errors!
Figure: two channels, each with data acquisition, data processing, actuator control, data integrity checks and actuator monitoring, sharing the sensor(s) and actuator(s); a comparison block checks the two channels against each other.
3-level concept (3-Ebene-Konzept)
Most commonly applied for "simple" SIL 3 compliance.
Figure: ECU with µC 1 (main controller) and µC 2 (safety controller), an external watchdog, and the sensor(s) and actuator(s).
Software & Microcontroller Checks
Dedicated software safety framework for:
• Memory test: CRC, checkerboard
• I/O test: CAN, DIO, ADC
• Instruction set test: check basic µC ALU functionality
• Program sequence monitoring: test execution paths throughout the software
• And many more...
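Added example, not code from the slides or from humiq, of three checks such a software safety framework contains: a checkerboard RAM test, a CRC check of the flash image, and program sequence monitoring that detects a skipped, repeated or reordered step in the cyclic task. The buffer sizes, the CRC variant (standard reflected CRC-32, polynomial 0xEDB88320) and the checkpoint identifiers are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Added example, not from the slides. CRC variant, buffer sizes and the
 * checkpoint identifiers are assumptions for illustration only. */

/* --- RAM test: a checkerboard pattern (0x55/0xAA alternating between
 * neighbouring cells, then inverted) finds stuck-at bits and coupling between
 * adjacent cells. It is destructive, so run it at startup or on a region that
 * is not in use; saving and restoring contents is the caller's job. --- */
bool ram_checkerboard_test(volatile uint8_t *mem, size_t len)
{
    static const uint8_t patterns[2] = { 0x55u, 0xAAu };
    for (int p = 0; p < 2; p++) {
        for (size_t i = 0; i < len; i++)
            mem[i] = (i & 1u) ? patterns[p] : (uint8_t)~patterns[p];
        for (size_t i = 0; i < len; i++)
            if (mem[i] != ((i & 1u) ? patterns[p] : (uint8_t)~patterns[p]))
                return false;      /* cell did not hold the pattern: memory fault */
    }
    return true;
}

/* --- ROM/flash test: bitwise CRC-32 (reflected, init 0xFFFFFFFF, final XOR),
 * callable in slices so a background task can cover the whole image. --- */
uint32_t crc32_update(uint32_t crc, const uint8_t *data, size_t len)
{
    crc = ~crc;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* The reference CRC is computed at build time and stored with the image; a
 * mismatch means corrupted code or calibration constants. */
bool flash_crc_ok(const uint8_t *image, size_t len, uint32_t stored_crc)
{
    return crc32_update(0, image, len) == stored_crc;
}

/* --- Program sequence monitoring: every safety-relevant step stamps a
 * checkpoint into an order-sensitive signature. At the end of the cycle the
 * signature must equal the one a correct execution order produces. --- */
#define PSM_STEPS 4
static const uint32_t psm_expected_order[PSM_STEPS] = { 0xA1u, 0xB2u, 0xC3u, 0xD4u }; /* assumed IDs */

typedef struct { uint32_t sig; int count; } psm_t;

static uint32_t psm_fold(uint32_t sig, uint32_t cp) { return (sig * 31u) ^ cp; }

void psm_reset(psm_t *p) { p->sig = 0; p->count = 0; }
void psm_checkpoint(psm_t *p, uint32_t id) { p->sig = psm_fold(p->sig, id); p->count++; }

uint32_t psm_expected_signature(void)
{
    uint32_t s = 0;
    for (int i = 0; i < PSM_STEPS; i++) s = psm_fold(s, psm_expected_order[i]);
    return s;
}

/* Called at the end of each cycle, typically before the watchdog is served:
 * a skipped, repeated or reordered step changes count or signature. */
bool psm_cycle_ok(const psm_t *p)
{
    return p->count == PSM_STEPS && p->sig == psm_expected_signature();
}
```

Serving the watchdog only when `psm_cycle_ok` holds ties the program sequence check to the hardware reset path, which is what makes it effective against a control-flow fault that the software itself can no longer report.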
Summary
• Base: IEC 61508 and sector/application standard(s)
• Risk/hazard analyses: FMEA, fault tree, event tree
• Safety Integrity Level (SIL): highest SIL level = system SIL level