Safety Lifecycle illustrated with exemplified EPS

Academic year: 2021

(1)

Freescale, the Freescale logo, AltiVec, C-5, CodeTEST, CodeWarrior, ColdFire, ColdFire+, C-Ware,

September 2012

(2)

Safety Lifecycle illustrated with exemplified EPS

Item Definition

Hazard Analysis & Risk Assessment

Functional Safety Concept

HW Level

SW level

Safety Validation

Further Steps

(3)

[Figure: ISO 26262 safety lifecycle overview, labelled with the clause numbers of each phase]

Concept phase: 2-5 to 2-7 Management of functional safety (planning); 3-5 Item definition; 3-7 Hazard analysis and risk assessment; 3-8 Functional safety concept

Product development: 4 Product development at system level; 5 HW level; 6 SW level; 4-9 Safety validation; 4-10 Functional safety assessment; 4-11 Release for production

After release for production: 7-5 Production; 7-6 Operation, service & decommissioning

Also shown: Other technologies; Controllability; External measures; "In case of modification, back to appropriate lifecycle phase"

(4)

Functional concept and scope defined

Functional concept: “Specification of the intended functions and their interactions necessary to achieve the desired behavior”

Example (exemplified EPS): torque assist functions (steering torque, dynamics, …), variable steering ratio functions, damping functions, return-to-zero functions, …

Initial architecture defined

Architecture: “representation of the structure of the item or functions or systems or elements that allows identification of building blocks, their boundaries and interfaces and includes the allocation of functions to HW and SW elements”

Example (exemplified EPS): type of motor (asynchronous motor, synchronous motor), sensors, …

(5)

Next major step: using a clear functional model and the list of functions and their relations, create a list of potential malfunctions and their relations.

Argumentation for integrity:

- Are all functions of the item identified and documented?
- Are all potential malfunctions of the item identified and documented?

Provide an argumentation of the integrity of functions and malfunctions!

(6)

- provide an initial architecture
- use of semi-formal modeling notations
- models will be extended towards a preliminary safety architecture

(7)

[Figure: ISO 26262 safety lifecycle overview (as on slide 3), repeated as section divider]

(8)

Safety Case Management: use of a tool to manage development of the safety case with large numbers of hazardous events

Item Definition: identifies main system functions, e.g. ‘Provide steering support as required by driver’

2.1 Hazard Analysis: malfunction (MF) identified using HAZOP keywords applied to the main function, e.g. provide steering support BEFORE required by driver (or self steering)

2.2 Hazard Analysis: describe the hazardous event (HE) occurring as a result of a malfunction of the main system function at > 80 km/h

2.3 Risk Assessment: assess severity, exposure and controllability (S, E and C) of the HE for the driving condition to determine the ASIL level of the safety goal

3. Safety Goal: define the safety goal for the HE

(9)

- use of catalogs
- malfunctions at vehicle level should be used in HARA
- establish traceability between functions, malfunctions, hazardous
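The HARA chain of slides 8 and 9 (function, HAZOP-derived malfunction, hazardous event, S/E/C rating, safety goal) as an added worked example in Python; this is not code from the deck or from Freescale. The ASIL determination follows the ISO 26262-3 table, which is equivalent to ranking by S+E+C. The function, malfunction and hazardous event text come from slide 8 and the safety goal name from slide 28; the S/E/C ratings, the identifiers (F-1, MF-1, HE-1, SG-1) and the second malfunction MF-2 are constructed for illustration, the latter deliberately left without a hazardous event so that the completeness check has a gap to report.

```python
"""HARA bookkeeping for the exemplified EPS: function -> malfunction ->
hazardous event -> safety goal, with ASIL determination and a
completeness check (added example, not from the original deck)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# HAZOP guide words applied to a main function to enumerate malfunctions (slide 8).
HAZOP_GUIDEWORDS = ("NO", "MORE", "LESS", "REVERSE", "BEFORE", "AFTER", "OTHER THAN")
ASIL_ORDER = ("QM", "A", "B", "C", "D")


def determine_asil(s: int, e: int, c: int) -> str:
    """ISO 26262-3 ASIL determination from severity, exposure and controllability.
    The standard's table is equivalent to ranking by S+E+C:
    rank <= 6 -> QM, 7 -> A, 8 -> B, 9 -> C, 10 -> D."""
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError("expected S in 0..3, E in 0..4, C in 0..3")
    return {7: "A", 8: "B", 9: "C", 10: "D"}.get(s + e + c, "QM")


@dataclass
class HazardousEvent:
    he_id: str
    mf_id: str                # malfunction that causes the event
    description: str
    driving_condition: str
    s: int
    e: int
    c: int

    @property
    def asil(self) -> str:
        return determine_asil(self.s, self.e, self.c)


@dataclass
class Hara:
    """Function -> malfunction -> hazardous event -> safety goal, kept traceable."""
    functions: Dict[str, str] = field(default_factory=dict)
    malfunctions: Dict[str, Tuple[str, str, str]] = field(default_factory=dict)  # mf_id -> (f_id, guideword, text)
    events: Dict[str, HazardousEvent] = field(default_factory=dict)
    goals: Dict[str, Tuple[str, str, str]] = field(default_factory=dict)         # sg_id -> (he_id, text, asil)

    def add_function(self, f_id: str, text: str) -> None:
        self.functions[f_id] = text

    def add_malfunction(self, mf_id: str, f_id: str, guideword: str, text: str) -> None:
        if f_id not in self.functions:
            raise KeyError(f"unknown function {f_id}")
        if guideword not in HAZOP_GUIDEWORDS:
            raise ValueError(f"not a HAZOP guide word: {guideword}")
        self.malfunctions[mf_id] = (f_id, guideword, text)

    def add_event(self, ev: HazardousEvent) -> None:
        if ev.mf_id not in self.malfunctions:
            raise KeyError(f"unknown malfunction {ev.mf_id}")
        self.events[ev.he_id] = ev

    def add_goal(self, sg_id: str, he_id: str, text: str) -> str:
        """The safety goal inherits the ASIL of the hazardous event it addresses."""
        asil = self.events[he_id].asil
        self.goals[sg_id] = (he_id, text, asil)
        return asil

    def trace(self, sg_id: str) -> List[str]:
        """Walk a safety goal back to the function it protects (the traceability of slide 18)."""
        he_id, _, _ = self.goals[sg_id]
        mf_id = self.events[he_id].mf_id
        f_id = self.malfunctions[mf_id][0]
        return [f_id, mf_id, he_id, sg_id]

    def completeness_gaps(self) -> List[str]:
        """Argument for completeness: every malfunction needs a hazardous event
        and every hazardous event needs a safety goal."""
        covered_mf = {ev.mf_id for ev in self.events.values()}
        covered_he = {he for he, _, _ in self.goals.values()}
        gaps = [f"{mf} has no hazardous event" for mf in self.malfunctions if mf not in covered_mf]
        gaps += [f"{he} has no safety goal" for he in self.events if he not in covered_he]
        return gaps

    def highest_asil(self) -> str:
        """Several safety goals with different ASILs usually exist for one item (slide 30)."""
        return max((g[2] for g in self.goals.values()), key=ASIL_ORDER.index, default="QM")


def build_example_hara() -> Hara:
    """Page data from slides 8 and 28; identifiers and S/E/C ratings are constructed."""
    h = Hara()
    h.add_function("F-1", "Provide steering support as required by driver")
    h.add_malfunction("MF-1", "F-1", "BEFORE",
                      "provide steering support BEFORE required by driver (self steering)")
    h.add_malfunction("MF-2", "F-1", "NO", "no steering support provided")  # constructed; no HE yet
    h.add_event(HazardousEvent("HE-1", "MF-1", "unintended self steering", "> 80 km/h",
                               s=3, e=4, c=3))                                 # constructed ratings
    h.add_goal("SG-1", "HE-1", "Prevent Self Steer")
    return h


if __name__ == "__main__":
    hara = build_example_hara()
    print("SG-1:", hara.goals["SG-1"], "trace:", " -> ".join(hara.trace("SG-1")))
    print("gaps:", hara.completeness_gaps())
```

The gap list is the machine-checkable part of the "are all malfunctions identified and documented?" argument from slide 5: a malfunction that was enumerated from a guide word but never assessed shows up immediately, instead of being discovered at the functional safety assessment.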

(10)

[Figure: ISO 26262 safety lifecycle overview (as on slide 3), repeated as section divider]

(11)

Functional Safety Concept should include

- Functional Safety Requirements
- Functional Safety Architecture
- Allocation of Functional Safety Requirements to Functional Safety Architecture

How to identify Functional Safety Requirements?

How to develop a Functional Safety Architecture?

(12)

- derive functional safety requirements from functional safety goals
- analyze the initial architecture and functional model w.r.t. safety goals
- find out which failures of elements will lead to a violation of the safety goal
- derive functional safety requirements to prevent such failures
- keep traceability between such elements
- provide an argumentation of the integrity of identified functional safety requirements!
- a qualitative fault tree analysis is suitable

[Figure: the safety goal and the initial architecture feed a qualitative fault tree analysis, from which the functional safety requirements are derived]

(13)

[Figure: fault tree with the safety goal as top event and base events at the leaves]

(14)

[Figure: the same fault tree, with each base event traced to a functional safety requirement]

(15)

traces between events in the fault tree and requirements are helpful in argumentation:

- why has a functional safety requirement been defined?
- are all (base) events in the fault tree covered?

(16)

[Figure: preliminary (functional) safety architecture of the exemplified EPS. Blocks: Torque Sensor 1/2, Steering Angle Sensor 1/2, Steering Speed Sensor 1/2 (Torque/Angle Sensors); Torque Assist Requirements Calculation 1 and 2; Actuator Control; Actuator Monitoring; Rotor Position 1/2; Phase Current Monitor 1/2; Gate Drive; Power Stage (Power Bridge, Pre-driver); Power Relay; Actuator Isolator Relay; VBATT; System Monitoring (power supply, clock, watchdog/supervisor); Safe State OP1s (SSOP1n) and Safe State OP2 (SSOP2)]

Channels of the architecture:

- Motor control channel: dedicated sensor inputs
- Power channel: deactivated in safe state
- Actuator monitoring channel: dedicated sensor inputs; control of safe state
- System monitoring channel: control of safe state

(17)

(18)

traceability: from malfunction to hazardous event to safety goal to safety requirement to allocation on an element in the safety architecture

(19)

[Figure: ISO 26262 safety lifecycle overview (as on slide 3), repeated as section divider]

(20)

Definition of the Technical Safety Architecture (1)

- definition of the technical safety architecture based on the preliminary safety architecture
- derive technical safety requirements from functional safety requirements
- allocation of technical safety requirements to elements of the technical safety architecture
- iterative process with analysis and evaluation

(21)

Definition of the Technical Safety Architecture (2)

- safety architecture integrated with functional architecture
- apply ASIL decomposition
- independence as explicit requirement
- specify Hardware/Software interface in detail
- use models! extend the functional safety architecture towards a technical safety architecture
- application of FTA, FMEDA/FMEA and ISO Hardware Fault Metrics during construction of the technical safety architecture

(22)

Definition and Verification of the Technical Safety Architecture (3)

- definition of the technical safety architecture
- failure modes and failure rates specified for the elements of the technical safety architecture
- failure rates can be calculated or taken from common catalogs such as SN 29500
- failure modes and failure rates will be used for quantitative verification

(23)

[Figure: technical safety architecture of the exemplified EPS. Labels as drawn: VBATT; SBC MC33907; MCU MC5643L; VDCLINK; Predriver MC33937A; Power Bridge; FS0b (SSOP2); IO1 (SSOP1a); Power Switch; Motor; Actuator Isolator; IO2 (SSOP1b), default: open; VDD; DSPI; Watchdog; Error Monitor; IO3 (SSOP1c); EN1, EN2; Supply Monitor; FCCU; RST; GND]

Power channel de-activation under control of application (MCU) and system monitor (SBC).

Motor control and actuator monitoring channels implemented on MCU and pre-driver.

(24)

[Figure: software architecture of the exemplified EPS: independent sensor inputs, actuator drive peripherals and safe state control around the tasks below]

Safe Operating System:

- calls independent control and monitoring tasks
- support end-to-end protection of communications

Control Task, part 1: calculate required torque assist

Monitoring Task, part 1: re-calculate required torque assist; activate safe state if different from CT

Control Task, part 2: control actuator to provide required torque assist

Monitoring Task, part 2: monitor actuator; activate safe state if control incorrect

Technical Session F0306
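The control task / monitoring task split of slide 24 as an added Python model; it is not code from the deck or from Freescale. Sensor input 1 feeds the control task, the independent sensor input 2 feeds the monitoring task, which re-calculates the assist and requests the safe state on disagreement; a second monitoring step compares commanded and measured actuator torque. The end-to-end protection the slide's OS "supports" is modelled with an alive counter and a CRC-32 from zlib, which is an assumption standing in for whatever E2E profile a real system uses; the assist law, gains and tolerances are constructed numbers.

```python
"""Control task / monitoring task pattern with safe-state latch and E2E-protected
sensor frames (added example, not from the original deck)."""
from dataclasses import dataclass
from typing import Optional
import zlib

ALIVE_MOD = 16            # assumption: 4-bit alive counter
ASSIST_GAIN = 2.0         # constructed: assist torque per Nm of driver torque
ASSIST_LIMIT = 6.0        # constructed: saturation of the assist torque
CT_MT_TOLERANCE = 0.05    # constructed: allowed CT/MT disagreement in Nm
ACTUATOR_TOLERANCE = 0.5  # constructed: allowed commanded-vs-measured deviation in Nm


@dataclass(frozen=True)
class SensorFrame:
    """Sensor value with E2E protection: alive counter plus CRC over value and counter."""
    torque_nm: float
    alive: int
    crc: int


def _payload(torque_nm: float, alive: int) -> bytes:
    return f"{torque_nm:.3f}|{alive}".encode()


def protect(torque_nm: float, alive: int) -> SensorFrame:
    """Sender side: attach alive counter and CRC-32 (zlib CRC stands in for the E2E profile CRC)."""
    alive %= ALIVE_MOD
    return SensorFrame(torque_nm, alive, zlib.crc32(_payload(torque_nm, alive)))


def e2e_ok(frame: SensorFrame, last_alive: int) -> bool:
    """Receiver side: CRC must match and the alive counter must have advanced by one."""
    return (zlib.crc32(_payload(frame.torque_nm, frame.alive)) == frame.crc
            and frame.alive == (last_alive + 1) % ALIVE_MOD)


class SafeStateControl:
    """Latch shared by the monitoring channels: the first request wins and the
    power channel stays deactivated; this model never resets it."""

    def __init__(self) -> None:
        self.active = False
        self.reason: Optional[str] = None

    def activate(self, reason: str) -> None:
        if not self.active:
            self.active, self.reason = True, reason


def torque_assist(driver_torque_nm: float) -> float:
    """Constructed assist law: proportional gain with saturation."""
    return max(-ASSIST_LIMIT, min(ASSIST_LIMIT, ASSIST_GAIN * driver_torque_nm))


def control_task_part1(frame: SensorFrame, last_alive: int, safe: SafeStateControl) -> Optional[float]:
    """CT part 1: calculate the required torque assist from sensor input 1."""
    if not e2e_ok(frame, last_alive):
        safe.activate("sensor 1 frame failed E2E check")
        return None
    return torque_assist(frame.torque_nm)


def monitoring_task_part1(frame: SensorFrame, last_alive: int, ct_assist: float,
                          safe: SafeStateControl) -> Optional[float]:
    """MT part 1: re-calculate from the independent sensor input 2; safe state if it differs from CT."""
    if not e2e_ok(frame, last_alive):
        safe.activate("sensor 2 frame failed E2E check")
        return None
    mt_assist = torque_assist(frame.torque_nm)
    if abs(mt_assist - ct_assist) > CT_MT_TOLERANCE:
        safe.activate(f"CT/MT mismatch: CT {ct_assist:.2f} Nm, MT {mt_assist:.2f} Nm")
        return None
    return mt_assist


def monitoring_task_part2(commanded_nm: float, measured_nm: float, safe: SafeStateControl) -> None:
    """MT part 2: monitor the actuator; safe state if the control is incorrect."""
    if abs(commanded_nm - measured_nm) > ACTUATOR_TOLERANCE:
        safe.activate(f"actuator deviation: commanded {commanded_nm:.2f} Nm, measured {measured_nm:.2f} Nm")


def run_cycle(frame1: SensorFrame, frame2: SensorFrame, last_alive: int,
              measured_nm: float, safe: SafeStateControl) -> float:
    """One OS cycle. Returns the assist torque that reaches the actuator; 0.0 means
    the power channel is deactivated because the safe state is active."""
    if safe.active:
        return 0.0
    ct_assist = control_task_part1(frame1, last_alive, safe)
    if ct_assist is None or monitoring_task_part1(frame2, last_alive, ct_assist, safe) is None:
        return 0.0
    # CT part 2 drives the actuator with ct_assist; measured_nm is what MT part 2 reads back.
    monitoring_task_part2(ct_assist, measured_nm, safe)
    return 0.0 if safe.active else ct_assist


if __name__ == "__main__":
    safe = SafeStateControl()
    print(run_cycle(protect(2.0, 5), protect(2.0, 5), 4, 4.0, safe), safe.active)
    print(run_cycle(protect(2.0, 6), protect(2.6, 6), 5, 4.0, safe), safe.reason)
```

The point of the two sensor inputs is that the monitoring task never reuses the control task's data: a corrupted or stale frame on one path, a wrong calculation on one path, or a wrong actuator response all end in the same latched safe state, which is what the power channel's "deactivated in safe state" property on slide 16 relies on.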

(25)

[Figure: MCU with dual-core lockstep; input interface (IP) from Sensor 1 and Sensor 2, output interface (OP) to the actuator via a passivator, with the passivator also controlled from the PowerSBC; OS running SW Thread A and SW Thread B, which are sufficiently independent and exchange data over inter-process communication (IPC); time axis t]

(26)

[Figure: ISO 26262 safety lifecycle overview (as on slide 3), repeated as section divider]

(27)

Consistency between architecture and verification

[Figure: the system architecture and design models are the single information source; Fault Tree Analysis, ISO 26262 SPF & LF metrics, diagnostic coverage, FMEA & FMEDA and review/assessment checklists are derived from them, reviewed, and fed back as updates]

(28)

Safety Analysis is carried out during Concept and Product Development Phases

Objective of the analysis

- examine consequences of faults and failures on the system
- provide information on conditions and causes that could lead to violation of a safety goal
- identification of new hazards not previously considered

Qualitative and quantitative analyses are carried out

- Example: qualitative FTA demonstrating faults in redundant sensors (SensorA and SensorB) needed to lead to violation of safety goal ‘Prevent Self Steer’
- Quantitative analysis such as FMEDA also required
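The qualitative fault tree analysis of slides 12 and 15 and the 'Prevent Self Steer' example just above, as one added Python example; it is not code from the deck or from Freescale. It computes minimal cut sets (so an AND of SensorA and SensorB faults shows up as a two-event cut set and nothing less), flags single-point faults, and answers slide 15's question of whether every base event is covered by a functional safety requirement. The two-sensor AND branch is the page's example; the "Actuator control fault" branch, the FSR identifier and the FSR-to-event traces are constructed, with the actuator fault deliberately left untraced so the coverage check has a gap to find.

```python
"""Qualitative fault tree analysis with requirement traceability (added example,
not from the original deck). Minimal cut sets give the combinations of base
events that violate a safety goal; single-event cut sets are single-point
faults; every base event must be traced to a functional safety requirement."""
from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, List, Set, Union


@dataclass(frozen=True)
class BaseEvent:
    name: str


@dataclass
class Gate:
    name: str
    kind: str             # "AND" or "OR"
    inputs: List["Node"]


Node = Union[BaseEvent, Gate]


def _minimise(cut_sets: Set[FrozenSet[str]]) -> Set[FrozenSet[str]]:
    # Drop any cut set that is a proper superset of another one.
    return {cs for cs in cut_sets if not any(other < cs for other in cut_sets)}


def minimal_cut_sets(node: Node) -> Set[FrozenSet[str]]:
    """Minimal cut sets of the (sub)tree rooted at node."""
    if isinstance(node, BaseEvent):
        return {frozenset([node.name])}
    child_sets = [minimal_cut_sets(child) for child in node.inputs]
    if node.kind == "OR":          # any child's cut set alone suffices
        combined = set().union(*child_sets)
    elif node.kind == "AND":       # one cut set from every child is needed together
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate kind {node.kind!r}")
    return _minimise(combined)


def base_events(node: Node) -> Set[str]:
    if isinstance(node, BaseEvent):
        return {node.name}
    return set().union(*(base_events(child) for child in node.inputs))


def single_point_faults(node: Node) -> Set[str]:
    """Base events that violate the top event on their own."""
    return {next(iter(cs)) for cs in minimal_cut_sets(node) if len(cs) == 1}


def uncovered_base_events(node: Node, fsr_traces: Dict[str, Set[str]]) -> Set[str]:
    """Slide 15's question: which base events are not traced by any functional
    safety requirement? fsr_traces maps FSR id -> base events it addresses."""
    covered: Set[str] = set().union(*fsr_traces.values()) if fsr_traces else set()
    return base_events(node) - covered


def build_prevent_self_steer_tree() -> Gate:
    """Top event: violation of safety goal 'Prevent Self Steer' (slide 28).
    The two-sensor AND branch is the page's example; the actuator-control
    branch is constructed to show a single-point fault."""
    sensor_a = BaseEvent("SensorA fault")
    sensor_b = BaseEvent("SensorB fault")
    both_sensors = Gate("redundant sensors both wrong", "AND", [sensor_a, sensor_b])
    actuator_fault = BaseEvent("Actuator control fault")      # constructed
    return Gate("Prevent Self Steer violated", "OR", [both_sensors, actuator_fault])


def example_fsr_traces() -> Dict[str, Set[str]]:
    """Constructed traces: one FSR addresses the sensor faults; the actuator
    fault is deliberately left untraced so the gap check has something to find."""
    return {"FSR-1 plausibility check between sensor channels": {"SensorA fault", "SensorB fault"}}


if __name__ == "__main__":
    tree = build_prevent_self_steer_tree()
    print("minimal cut sets:", [sorted(cs) for cs in minimal_cut_sets(tree)])
    print("single-point faults:", single_point_faults(tree))
    print("base events without FSR:", uncovered_base_events(tree, example_fsr_traces()))
```

Minimisation matters for the argument: if the same sensor fault also appears under an OR higher in the tree, the two-sensor combination is not a minimal cut set any more and the redundancy claim for that branch is void, which the cut-set output makes visible.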

(29)

[Figure: ISO 26262 safety lifecycle overview (as on slide 3), repeated as section divider]

(30)

- Functional safety concept requires clarity about the functional concept!
- Identification of potential malfunctions requires knowledge of functions
- Hazard analysis and risk assessment to identify safety goals
- Typically multiple safety goals exist for one item with different associated ASILs!
- traceability between functions, malfunctions, hazardous events and safety goals to achieve and argue completeness
- Functional safety concept leads to allocation of functional safety requirements to functional safety architecture
- Technical safety architecture considers failure modes and failure rates for the elements
- Safety validation is a key step that can involve significant effort and even impact safety concept and architecture decisions
- Usage of dedicated tools and components can significantly support the

(31)

References
