Review of automotive control and ISO26262
Paul King and Jonathan Woodley, JLR Research
History of Functional Safety Standards & Guidelines
(1998) IEC 61508: Functional Safety of E/E/PE Safety-Related Systems
Electrical, electronic and programmable electronic systems. Generic. International standard.
(2007) MISRA: Guidelines for Safety Analysis of Vehicle Based Programmable Systems
Based on IEC 61508 but seeks to address the issues of applying the standard to automotive applications. UK guidelines.
(2011) ISO 26262: Road Vehicles – Functional Safety
Adaptation of IEC 61508 that addresses the specific needs of developing electrical and electronic systems for road vehicles. International standard.
What is Functional Safety? A Definition
A definition of safety:
Safety is the freedom from unacceptable risk of physical injury or of damage to the health of people, either directly, or indirectly as a result of property/system damage.
A definition of functional safety:
Functional safety is the part of the overall system safety that allows systems or equipment to operate correctly in response to their inputs.
Functional safety is not the same as health and safety. It is concerned with developing a product that functions in a safe way.
Functional safety should be designed into a product, not bolted onto an existing system design.
Functional Safety "Designed in": The Bow Tie Model
[Bow tie diagram. Causes on the left (locking of the steering wheel; loss of steering function) lead to the Hazard in the centre; consequences on the right (collision with another vehicle). Mitigation (£) is applied on both sides to reduce the Risk. Business outcomes listed: litigation, investigation, fines, bad publicity, brand damage, product recall.]
Performing a Hazard Analysis: What is a hazard?
• At the vehicle level we are interested in Hazards which reduce the ability of the driver to control the vehicle
• Some example vehicle hazards:
  • Unintended vehicle acceleration
  • Unintended vehicle braking
  • Vehicle under/over steer
  • Driver impeded
  • Driver distracted
  • Vehicle unintended steer
  • Unintended vehicle deceleration
  • Inadequate vehicle braking
  • Vehicle loses grip
  • Vehicle roll away
  • Vehicle wheels lock
MSR (Motor Speed Regulator)
MSR Operation
[Diagram: ABS, Engine, Auto Transmission and ECU, connected to the driven wheels and the un-driven wheels.]
• ABS detects a speed difference
• ECU will accept Torque requests from ABS
• ECU will limit maximum Torque and set a maximum application time
• Limits are based upon worst-case vehicle tests in dry conditions
Performing a Hazard Analysis: ASIL levels
• The Hazard analysis will then have given you an ASIL for a hazardous event:
  • QM – No safety issue but may need to be mitigated (Quality)
  • ASIL A – Some safety mitigation is expected to prevent this
  • ASIL B – Higher safety integration, normally monitoring and no single point failure as a cause (CRC checking on CAN etc.)
  • ASIL C – A significant safety risk, independent monitoring considered and protection for two points of failure
  • ASIL D – Very significant risk, lots of confidence needed of acceptable safety
• You then need to show a "Safety Goal" to mitigate each safety-related functional failure
• These ASIL levels do not give hard and fast safety requirements and you will need more discussion and agreement on the expectation
• They do show you where your efforts should be focused (functional failures)
ASIL
Wet and Ice Conditions = C3, S3, E3
Dry Conditions = C2, S3, E4
ASIL C: what does this mean?
ISO 26262 Part 5 suggests that your design needs to consider detecting the following faults. Examples are:
Harness: Open circuit, short circuit to ground, short circuit to battery and short circuit between neighbouring pins
Sensors: Out-of-range, offsets and stuck in range
Network: Failure of communication peer, message corruption, message delay, message loss, unintended message repetition
So you either need to make use of parts which have low failure rates, or combine parts/redundancy and "AND" the probabilities.
ASIL Rating   Random Hardware Failure Target Values
D             < 10^-8 h^-1
C             < 10^-7 h^-1
B             < 10^-7 h^-1
For a given safety goal we have a budget failure rate defined in ISO 26262 Part 5 Table 6.
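As an added example (not from the JLR slides), the following Python puts the numbers from the ASIL slide and this one together: it looks up the ASIL from the S/E/C classification (ISO 26262-3 Table 4), checks a failure rate against the Table 6 targets quoted above, shows the effect of "AND-ing" two independent channels, and checks the module decomposition pairs (the later slide's "A + B = C"). The failure-rate figures are constructed, and the two-channel model is a deliberate simplification that ignores common-cause failures and diagnostic coverage.

```python
import math

# Added example, not from the JLR slides. Tables are transcribed from ISO 26262;
# the numeric failure rates used at the bottom are constructed illustrations.

# ISO 26262-3:2011 Table 4, indexed [severity][exposure] -> ASILs for C1, C2, C3.
ASIL_TABLE = {
    1: {1: "QM QM QM", 2: "QM QM QM", 3: "QM QM A", 4: "QM A B"},
    2: {1: "QM QM QM", 2: "QM QM A", 3: "QM A B", 4: "A B C"},
    3: {1: "QM QM A", 2: "QM A B", 3: "A B C", 4: "B C D"},
}

# Random hardware failure target values per hour (ISO 26262-5 Table 6, as on the slide).
# Table 6 gives no target for ASIL A or QM.
FAILURE_TARGET_PER_HOUR = {"D": 1e-8, "C": 1e-7, "B": 1e-7}

# ISO 26262-9 decomposition pairs: sub-ASILs that together satisfy the goal ASIL.
DECOMPOSITION = {
    "D": {("C", "A"), ("B", "B"), ("D", "QM")},
    "C": {("B", "A"), ("C", "QM")},
    "B": {("A", "A"), ("B", "QM")},
    "A": {("A", "QM")},
}


def determine_asil(s, e, c):
    """Return QM, A, B, C or D for severity s (1-3), exposure e (1-4), controllability c (1-3)."""
    return ASIL_TABLE[s][e].split()[c - 1]


def and_failure_rate(rate_a, rate_b, window_h=1.0):
    """Equivalent hourly rate for two independent channels that must BOTH fail within
    the same window. Simplified: no common-cause failures, no diagnostic coverage."""
    p_a = 1.0 - math.exp(-rate_a * window_h)
    p_b = 1.0 - math.exp(-rate_b * window_h)
    return p_a * p_b / window_h


def meets_target(asil, rate_per_hour):
    """True if the rate is below the Table 6 budget; ASIL A and QM have no budget."""
    target = FAILURE_TARGET_PER_HOUR.get(asil)
    return target is None or rate_per_hour < target


def valid_decomposition(goal, asil_1, asil_2):
    """True if two independent elements at asil_1 and asil_2 can together meet the goal."""
    pairs = DECOMPOSITION.get(goal, set())
    return (asil_1, asil_2) in pairs or (asil_2, asil_1) in pairs
```

With the slide's classifications, determine_asil(3, 3, 3) (wet and ice) and determine_asil(3, 4, 2) (dry) both return "C"; a single constructed channel at 5e-5/h misses the ASIL C budget, while two such channels AND-ed together (about 2.5e-9/h) meet it.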
MSR Operation
[Diagram: ABS, Engine, ECU and TCM, connected to the driven wheels and the un-driven wheels.]
• MSR developed before ISO 26262
• For Fault Tolerance good practice is to utilise redundancy/independence
• We can make use of the Output Shaft Speed information from the TCM to determine the speed of the Driven Wheels
Hazard and Safety Goals
We have chosen 3 example Functional Failures associated with the EMS:
1. ABS requests torque when not required
  • Vehicle Speed from Output Shaft Speed ≈ 0
2. ABS requests too much torque
  • Vehicle Speed from Output Shaft Speed >> ABS Vehicle Speed of Undriven Wheels
3. ABS doesn't request enough torque
  • Vehicle Speed estimate from Output Shaft Speed >> ABS Vehicle Speed of Undriven Wheels
So the only fault on the ABS we are susceptible to is a failure of both Undriven wheel sensors.
For MSR the Hazard is:
"locked wheels leading to loss of directional stability (over or understeer)"
So our Safety Goal is:
"maintain an acceptable level of dynamic handling facilitated by maintaining wheel and road speed"
Safe State
If we detect this, what does the EMS do? How do we put the system into a Safe State?
In this case, since there is no Hazard, the Safe State is to:
• Ignore the Torque Request
• Record a Fault Code
• Ignore other Torque requests for the rest of the ignition cycle?
Next steps
• If we did this properly we would need to identify all of the failure modes
• Have we made an ASIL C system?
For the Functional Failure example "ABS requests Torque when not required" we have a means of detecting this failure mode.
Check ASIL Rating
[Diagram: ABS, Engine, ECU and TCM with the driven and un-driven wheels, annotated with module ASIL ratings C, B and QM.]
• Need to assess the ASIL rating for each Module for that Failure Mode
• In ISO 26262 you can combine module ASILs to achieve an overall rating: A + B = C
• So need additional checks on TCM to get to ASIL A. We can check Engine Speed and Gear Selected to check Output Shaft Speed is plausible
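As an added example (not JLR's code), the following Python sketches the EMS-side checks the MSR slides describe: the TCM output shaft speed is cross-checked against engine speed and selected gear, the three functional failures are detected from the driven/undriven speed comparison, and a detected failure enters the slide's safe state (ignore the request, record a fault code, ignore further requests for the ignition cycle). The gear ratios, final drive, wheel circumference, thresholds and fault-code names are all constructed; the speed mismatch is treated as a fault in either direction, which goes slightly beyond the slide's ">>" conditions.

```python
from dataclasses import dataclass, field

# Added example, not JLR's code. All calibration values below are constructed.
GEAR_RATIOS = {1: 4.7, 2: 3.1, 3: 2.1, 4: 1.5, 5: 1.0, 6: 0.8}  # engine rpm / output shaft rpm
FINAL_DRIVE = 3.7            # output shaft rpm / wheel rpm
WHEEL_CIRCUMFERENCE_M = 2.0
SLIP_RPM = 200.0             # torque-converter slip allowance in the plausibility band
STANDSTILL_MPS = 0.5


def oss_plausible(engine_rpm, gear, oss_rpm, tol=0.25):
    """Cross-check the TCM output shaft speed against engine speed and selected gear,
    the additional TCM check the slides use to raise that path to ASIL A."""
    ratio = GEAR_RATIOS.get(gear)
    if ratio is None:            # unknown gear signal: treat the OSS value as unusable
        return False
    expected = engine_rpm / ratio
    return abs(oss_rpm - expected) <= tol * expected + SLIP_RPM


def vehicle_speed_from_oss(oss_rpm):
    """Driven-wheel vehicle speed estimate in m/s from the output shaft speed."""
    return oss_rpm / FINAL_DRIVE * WHEEL_CIRCUMFERENCE_M / 60.0


@dataclass
class EmsMsrMonitor:
    latched: bool = False        # ignore requests for the rest of the ignition cycle
    fault_codes: list = field(default_factory=list)

    def handle_torque_request(self, abs_speed_mps, oss_rpm, engine_rpm, gear):
        """Return True if the ABS MSR torque request may be acted on; else enter safe state."""
        if self.latched:
            return False
        if not oss_plausible(engine_rpm, gear, oss_rpm):
            return self._safe_state("OSS_IMPLAUSIBLE")
        v_oss = vehicle_speed_from_oss(oss_rpm)
        # Functional failure 1: ABS requests torque when not required (vehicle at standstill).
        if v_oss < STANDSTILL_MPS:
            return self._safe_state("MSR_REQ_AT_STANDSTILL")
        # Functional failures 2 and 3: driven-wheel speed from OSS disagrees with the ABS
        # undriven-wheel speed; a large mismatch in either direction is treated as a fault.
        if abs(v_oss - abs_speed_mps) > 0.25 * abs_speed_mps + 1.0:
            return self._safe_state("MSR_SPEED_MISMATCH")
        return True

    def _safe_state(self, code):
        """Safe state from the slide: ignore the request, record a fault code, latch."""
        self.fault_codes.append(code)
        self.latched = True
        return False
```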
Any Questions?