September 2012 Freescale, the Freescale logo, AltiVec, C-5, CodeTEST, CodeWarrior, ColdFire, ColdFire+, C-Ware, the Energy Efficient Solutions logo, Kinetis, mobilegt, PowerQUICC, Processor Expert, QorIQ, Qorivva, StarCore, Symphony and VortiQa are trademarks of Freescale Semiconductor, Inc., Reg. U.S. Pat. & Tm. Off. Airfast, BeeKit, BeeStack, CoreNet, Flexis, Layerscape, MagniV, MXC, Platform in a Package, QorIQ Qonverge, QUICC Engine, Ready Play, SafeAssure, the SafeAssure logo, SMAROS, TurboLink, Vybrid and Xtrinsic are trademarks of Freescale Semiconductor, Inc. All other product or service names are the property of their respective owners. 2012 Freescale Semiconductor, Inc.
Safety lifecycle illustrated with an exemplified EPS (electric power steering)
Agenda: Item Definition; Hazard Analysis & Risk Assessment; Functional Safety Concept; HW Level; SW Level; Safety Validation; Further Steps; Summary
(Figure: ISO 26262 safety lifecycle overview, with part-clause references)
- 2-5 to 2-7 Management of functional safety (spans the whole lifecycle); planning
- Concept phase: 3-5 Item definition; 3-7 Hazard analysis and risk assessment; 3-8 Functional safety concept (considering controllability, other technologies and external measures)
- Product development: 4 Product development at system level (including 4-9 Safety validation, 4-10 Functional safety assessment, 4-11 Release for production); 5 HW level; 6 SW level
- After release for production: 7-5 Production; 7-6 Operation, service & decommissioning
- In case of modification, back to the appropriate lifecycle phase
Item definition
- Functional concept and scope defined. Functional concept: specification of the intended functions and their interactions necessary to achieve the desired behaviour. Example (exemplified EPS): torque assist functions (steering torque, dynamics, ...), variable steering ratio functions, damping functions, return-to-zero functions, ...
- Initial architecture defined. Architecture: representation of the structure of the item, or of its functions, systems or elements, that allows identification of building blocks, their boundaries and interfaces, and includes the allocation of functions to HW and SW elements. Example (exemplified EPS): type of motor (asynchronous motor, synchronous motor), sensors, ...
The functional safety concept requires clarity about the functional concept!
Next major step: using the clear functional model and the list of functions and their relations, create the list of potential malfunctions and their relations.
Argumentation for integrity: Are all functions of the item identified and documented? Are all potential malfunctions of the item identified and documented?
HAZOP provides a structured approach and an argumentation for the integrity of the lists of functions and malfunctions!
- provide an initial architecture
- use semi-formal modelling notations; the models will be extended towards the preliminary safety architecture
- allocate functions to architectural elements
(Lifecycle overview figure repeated as section divider; next section: Hazard Analysis & Risk Assessment)
Safety case management: use a tool to manage the development of the safety case, which involves large numbers of hazardous events.
1. Item definition: identifies the main system functions, e.g. "provide steering support as required by driver".
2.1 Hazard analysis: malfunctions (MF) identified by applying HAZOP keywords to the main function, e.g. "provide steering support BEFORE required by driver" (self steering).
2.2 Hazard analysis: describe the hazardous event (HE) occurring as a result of the malfunction of the main system function in a driving situation, e.g. at > 80 km/h.
2.3 Risk assessment: assess severity, exposure and controllability (S, E and C) of the HE for the driving condition to determine the ASIL of the safety goal.
3. Safety goal: define the safety goal for the HE.
Typically multiple safety goals exist for one item, with different associated ASILs!
- use catalogs: malfunctions at vehicle level should be used in the HARA
- establish traceability between functions, malfunctions, hazardous events and safety goals
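The HAZOP-to-safety-goal chain of the previous slides, as an added example that is not part of the Freescale deck: functions are combined with guidewords to get malfunctions, each hazardous event carries S/E/C and gets its ASIL from the ISO 26262-3 table, a safety goal inherits the highest ASIL of the events it covers, and the completeness checks behind the "argumentation for integrity" are run over the record. The function, malfunctions, driving situations and S/E/C ratings are constructed for illustration, not taken from a real EPS assessment.

```python
"""Added example (not from the Freescale deck): a minimal HAZOP/HARA record for
the exemplified EPS, with ASIL determination per ISO 26262-3 and completeness
checks for the traceability argument. All entries are constructed."""
from dataclasses import dataclass
from typing import Optional

GUIDEWORDS = ("NO", "MORE", "LESS", "BEFORE", "AFTER", "REVERSE")
ASIL_ORDER = ("QM", "A", "B", "C", "D")

# ISO 26262-3:2011 Table 4: ASIL_TABLE[S][E] lists the ASIL for C1, C2, C3.
ASIL_TABLE = {
    1: {1: "QM QM QM", 2: "QM QM QM", 3: "QM QM A", 4: "QM A B"},
    2: {1: "QM QM QM", 2: "QM QM A", 3: "QM A B", 4: "A B C"},
    3: {1: "QM QM A", 2: "QM A B", 3: "A B C", 4: "B C D"},
}


def asil(s: int, e: int, c: int) -> str:
    """ASIL of one hazardous event from severity, exposure and controllability."""
    if s == 0 or e == 0 or c == 0:          # S0/E0/C0: no ASIL assigned
        return "QM"
    if not (1 <= s <= 3 and 1 <= e <= 4 and 1 <= c <= 3):
        raise ValueError("S in 0..3, E in 0..4, C in 0..3")
    return ASIL_TABLE[s][e].split()[c - 1]


@dataclass(frozen=True)
class Malfunction:
    function: str
    guideword: str
    description: str


@dataclass
class HazardousEvent:
    ident: str
    malfunction: Malfunction
    situation: str
    s: int
    e: int
    c: int
    safety_goal: Optional[str] = None       # None until a goal is assigned

    @property
    def asil(self) -> str:
        return asil(self.s, self.e, self.c)


def safety_goal_asils(events):
    """A safety goal inherits the highest ASIL of the hazardous events it covers."""
    goals = {}
    for he in events:
        if he.safety_goal is None:
            continue
        current = goals.get(he.safety_goal, "QM")
        goals[he.safety_goal] = max(current, he.asil, key=ASIL_ORDER.index)
    return goals


def completeness_findings(functions, hazop, events):
    """Gaps in the function -> malfunction -> hazardous event -> safety goal chain.
    hazop maps (function, guideword) to a Malfunction, or to a text justifying
    why that guideword yields no separate malfunction."""
    findings = []
    for fn in functions:
        for gw in GUIDEWORDS:
            if (fn, gw) not in hazop:
                findings.append(f"{fn}: guideword {gw} not considered")
    for entry in hazop.values():
        if isinstance(entry, Malfunction) and not any(he.malfunction == entry for he in events):
            findings.append(f"malfunction '{entry.description}' has no hazardous event")
    for he in events:
        if he.safety_goal is None:
            findings.append(f"{he.ident}: no safety goal assigned")
    return findings


def build_example():
    """Constructed record for one EPS main function; deliberately incomplete."""
    fn = "Provide steering support as required by driver"
    hazop = {
        (fn, "NO"): Malfunction(fn, "NO", "no steering support"),
        (fn, "MORE"): Malfunction(fn, "MORE", "more steering support than required"),
        (fn, "LESS"): Malfunction(fn, "LESS", "less steering support than required"),
        (fn, "BEFORE"): Malfunction(fn, "BEFORE", "steering support before required by driver (self steering)"),
        (fn, "AFTER"): "delayed support is covered by LESS (reduced assist when needed)",
        # REVERSE is intentionally not considered, to be flagged by the check
    }
    self_steer = hazop[(fn, "BEFORE")]
    events = [
        HazardousEvent("HE-1", self_steer, "highway, > 80 km/h", 3, 4, 3, "Prevent self steer"),
        HazardousEvent("HE-2", self_steer, "parking, < 10 km/h", 1, 4, 2, "Prevent self steer"),
        HazardousEvent("HE-3", hazop[(fn, "NO")], "city, 50 km/h", 2, 4, 2, "Avoid loss of steering support"),
        HazardousEvent("HE-4", hazop[(fn, "MORE")], "highway, > 80 km/h", 3, 4, 2),  # goal still missing
    ]
    return [fn], hazop, events
```

Run with `fns, hazop, events = build_example()`; `safety_goal_asils(events)` gives "Prevent self steer" ASIL D (from HE-1) and `completeness_findings(fns, hazop, events)` lists the unconsidered guideword, the malfunction without a hazardous event and the event without a safety goal, which is exactly the list a reviewer would ask for when assessing the integrity of the HARA.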
(Lifecycle overview figure repeated as section divider; next section: Functional Safety Concept)
The functional safety concept should include: functional safety requirements; a functional safety architecture; the allocation of the functional safety requirements to the functional safety architecture.
How to identify functional safety requirements? How to develop a functional safety architecture?
- derive functional safety requirements from the safety goals
- analyse the initial architecture and the functional model with respect to the safety goals
- find out which failures of elements will lead to a violation of a safety goal
- derive functional safety requirements to prevent such failures
- keep traceability between such elements and the requirements
- provide an argumentation for the integrity of the identified functional safety requirements!
A qualitative fault tree analysis is suitable for this. (Figure: initial architecture and safety goal as inputs to the qualitative fault tree analysis, which yields the functional safety requirements.)
(Figures: from the architecture to the fault tree, with the safety goal as top event and element failures as base events; and from the fault tree to the requirements, each base event being traced to a functional safety requirement.)
Traces between events in the fault tree and requirements are helpful in the argumentation: Why has a functional safety requirement been defined? Are all (base) events in the fault tree covered?
(Figure: preliminary safety architecture of the exemplified EPS, four channels)
- Power channel (deactivated in the safe state): V BATT, power relay, power stage / power bridge, pre-driver, phase current monitor 2, actuator isolator relay, actuator
- Motor control channel, with dedicated sensor inputs: torque sensor 1, steering angle sensor 1, steering speed sensor 1; torque assist requirements calculation 1; actuator control; gate drive; phase current monitor 1; rotor position 1
- Actuator monitoring channel, with dedicated sensor inputs: torque sensor 2, steering angle sensor 2, steering speed sensor 2; torque assist requirements calculation 2; actuator monitoring; rotor position 2; control of safe state via safe state OP1s (SSOP1n)
- System monitoring channel: system monitoring of power supply, clock and watchdog/supervisor; control of safe state via safe state OP2 (SSOP2)
- traceability from malfunction to hazardous event to safety goal to safety requirement to its allocation on an element of the safety architecture
- derive the ASIL of the elements in the safety architecture
(Lifecycle overview figure repeated as section divider; next section: HW Level and SW Level)
Definition of the technical safety architecture (1)
- definition of the technical safety architecture based on the preliminary safety architecture
- derive technical safety requirements from the functional safety requirements
- allocate technical safety requirements to elements of the technical safety architecture
- iterative process, with analysis and evaluation of variants
Definition of the technical safety architecture (2)
- safety architecture integrated with the functional architecture
- apply ASIL decomposition; state independence as an explicit requirement
- specify the hardware/software interface in detail; use models!
- extend the functional safety architecture towards a technical safety architecture
- apply FTA, FMEDA/FMEA and the ISO 26262 hardware fault metrics during construction of the technical safety architecture, not only for verification!
Definition and verification of the technical safety architecture (3)
- failure modes and failure rates specified for the elements of the technical safety architecture
- failure rates can be calculated or taken from common catalogs such as SN 29500
- failure modes and failure rates are used for quantitative verification
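How failure modes, failure rates and diagnostic coverage turn into the quantitative verification mentioned above, as an added example that is not part of the Freescale deck: a minimal FMEDA in the sense of ISO 26262-5 Annex C that splits each failure mode into single-point, residual, latent multi-point, detected multi-point and safe shares, computes the single-point fault metric (SPFM) and latent fault metric (LFM), and compares a baseline architecture with a variant, as the "iterative process with evaluation of variants" calls for. Element names, FIT values and coverages are constructed; in a real FMEDA the base rates would come from SN 29500 or field data, split over modes by a failure mode distribution.

```python
"""Added example (not from the Freescale deck): minimal FMEDA computing the
ISO 26262-5 hardware architectural metrics SPFM and LFM. All numbers are
constructed for illustration."""
from dataclasses import dataclass, replace

# ISO 26262-5 Tables 4 and 5: minimum SPFM and LFM per ASIL
TARGETS = {"B": (0.90, 0.60), "C": (0.97, 0.80), "D": (0.99, 0.90)}


@dataclass(frozen=True)
class FailureMode:
    element: str
    mode: str
    fit: float              # failure rate of this mode in FIT (1e-9 per hour)
    safety_related: bool    # can this mode contribute to a safety goal violation?
    dc_rf: float = 0.0      # coverage of the mechanism preventing the violation (0 = none)
    dc_latent: float = 0.0  # coverage of the mechanism revealing the fault while latent


def classify(fm: FailureMode) -> dict:
    """Split one failure mode's rate into the ISO 26262 fault classes."""
    zero = dict(spf=0.0, rf=0.0, mpf_latent=0.0, mpf_detected=0.0, safe=0.0)
    if not fm.safety_related:
        return {**zero, "safe": fm.fit}
    if fm.dc_rf == 0.0:                     # no safety mechanism: single-point fault
        return {**zero, "spf": fm.fit}
    residual = fm.fit * (1.0 - fm.dc_rf)    # escapes the mechanism: residual fault
    multi = fm.fit * fm.dc_rf               # controlled, dangerous only with a second fault
    return {**zero, "rf": residual,
            "mpf_latent": multi * (1.0 - fm.dc_latent),
            "mpf_detected": multi * fm.dc_latent}


def metrics(modes):
    """Return (SPFM, LFM) over the listed failure modes of the safety-related elements."""
    total = sum(fm.fit for fm in modes)
    sums = {k: 0.0 for k in ("spf", "rf", "mpf_latent", "mpf_detected", "safe")}
    for fm in modes:
        for k, v in classify(fm).items():
            sums[k] += v
    spfm = 1.0 - (sums["spf"] + sums["rf"]) / total
    lfm = 1.0 - sums["mpf_latent"] / (total - sums["spf"] - sums["rf"])
    return spfm, lfm


def meets_target(asil: str, spfm: float, lfm: float) -> bool:
    min_spfm, min_lfm = TARGETS[asil]
    return spfm >= min_spfm and lfm >= min_lfm


def baseline():
    """Constructed failure modes for a few EPS elements (FIT, mechanism coverages)."""
    return [
        FailureMode("torque sensor A", "offset / stuck", 40, True, 0.99, 0.90),   # cross-check vs B
        FailureMode("torque sensor B", "offset / stuck", 40, True, 0.99, 0.90),
        FailureMode("MCU core", "wrong computation", 100, True, 0.99, 0.90),      # lockstep compare
        FailureMode("power bridge", "phase short", 30, True, 0.90, 0.60),        # phase current monitor
        FailureMode("actuator isolator relay", "fails to open", 20, True, 1.0, 0.90),  # periodic test
        FailureMode("sensor supply regulator", "output drift", 5, True),          # no mechanism yet
        FailureMode("connector housing", "mechanical", 15, False),
    ]


def improved():
    """Variant: add a supply monitor and raise the phase current monitor's coverage."""
    out = []
    for fm in baseline():
        if fm.element in ("sensor supply regulator", "power bridge"):
            fm = replace(fm, dc_rf=0.99, dc_latent=0.90)
        out.append(fm)
    return out
```

With these constructed numbers the baseline reaches roughly 96% SPFM and 87% LFM, which misses the ASIL D targets (99% / 90%) because of the 5 FIT single-point fault in the sensor supply and the weak coverage on the bridge; the variant lifts both above target. That is the kind of delta that drives the choice between architecture variants before the design is frozen.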
(Figure: technical safety architecture on Freescale parts; SBC MC33907, MCU MC5643L, pre-driver MC33937A)
- Power switch between V BATT and V DCLINK, default open; V DD from the SBC
- SBC MC33907 (system monitoring channel on the intelligent SBC): supply monitor, error monitor, watchdog, DSPI to the MCU, RST, FS0b (SSOP2) to the power switch
- MCU MC5643L (motor control and actuator monitoring channels, together with the pre-driver): FCCU, RST, IO1 (SSOP1a) and IO2 (SSOP1b) to the power switch, IO3 (SSOP1c) to the actuator isolator
- Pre-driver MC33937A with EN1/EN2 driving the power bridge and motor; actuator isolator to GND
- Power channel de-activation is under control of both the application (MCU) and the system monitor (SBC)
Safe operating system: calls independent control and monitoring tasks and supports end-to-end protection of communications. Each task has independent sensor inputs.
- Control task, part 1: calculate the required torque assist.
- Monitoring task, part 1: re-calculate the required torque assist; activate the safe state if it differs from the control task's result.
- Control task, part 2: control the actuator via the actuator drive peripherals to provide the required torque assist.
- Monitoring task, part 2: monitor the actuator; activate the safe state if the control is incorrect.
Safe state control is reachable from both monitoring tasks.
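One cycle of the control and monitoring tasks described above, running on end-to-end protected sensor frames, as an added example that is not part of the Freescale deck and not code for the MCU or OS named on the slides. The frame layout (torque, angle, speed, alive counter, CRC-8 with the SAE J1850 polynomial 0x1D), the assist curve, the tolerances and the debounce count are all constructed for illustration; what the example shows is the decision structure: E2E check first, then channel-to-channel plausibility, then actuator feedback, with the safe state latched once entered.

```python
"""Added example (not from the Freescale deck): control/monitoring task cycle of
an EPS on E2E-protected sensor frames. Frame format, CRC parameters, assist
curve and tolerances are constructed."""
import struct

FMT = ">hhHB"          # driver torque [0.1 Nm], steering angle [0.1 deg], speed [km/h], alive counter
PAYLOAD_LEN = struct.calcsize(FMT)
MAX_ASSIST_DNM = 600   # actuator limit, 60 Nm (constructed)


def crc8(data: bytes, poly=0x1D, init=0xFF, xorout=0xFF) -> int:
    crc = init
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ xorout


def make_frame(torque_dnm, angle_ddeg, speed_kmh, counter) -> bytes:
    payload = struct.pack(FMT, torque_dnm, angle_ddeg, speed_kmh, counter & 0x0F)
    return payload + bytes([crc8(payload)])


def check_frame(frame: bytes, last_counter):
    """E2E receive check: length, CRC, alive counter. Returns (status, fields)."""
    if len(frame) != PAYLOAD_LEN + 1:
        return "LENGTH", None
    payload, crc = frame[:-1], frame[-1]
    if crc8(payload) != crc:
        return "CRC", None
    fields = struct.unpack(FMT, payload)
    if last_counter is not None and fields[3] != (last_counter + 1) & 0x0F:
        return "COUNTER", None            # repeated, lost or reordered frame
    return "OK", fields


def assist_torque_dnm(driver_torque_dnm: int, speed_kmh: int) -> int:
    """Constructed assist curve: high gain at parking speed, tapering with speed."""
    gain = 2.0 if speed_kmh < 20 else 2.0 - 1.5 * min(speed_kmh - 20, 100) / 100
    return max(-MAX_ASSIST_DNM, min(MAX_ASSIST_DNM, int(round(driver_torque_dnm * gain))))


class EpsCycle:
    TOL_DNM = 10         # allowed deviation between channels and at the actuator
    MAX_MISMATCH = 3     # consecutive actuator deviations before the safe state

    def __init__(self):
        self.last1 = self.last2 = None
        self.mismatch = 0
        self.safe_state = None

    def _enter_safe_state(self, reason):
        self.safe_state = reason         # latched: assist stays off until restart
        return 0, reason

    def step(self, frame1: bytes, frame2: bytes, actuator_feedback_dnm: int):
        """One control cycle. Returns (assist command, reason); reason is None while assisting."""
        if self.safe_state:
            return 0, "LATCHED:" + self.safe_state
        st1, f1 = check_frame(frame1, self.last1)
        st2, f2 = check_frame(frame2, self.last2)
        if st1 != "OK" or st2 != "OK":
            return self._enter_safe_state(f"E2E:{st1}/{st2}")
        self.last1, self.last2 = f1[3], f2[3]
        cmd = assist_torque_dnm(f1[0], f1[2])   # control task, part 1 (sensor set 1)
        ref = assist_torque_dnm(f2[0], f2[2])   # monitoring task, part 1 (sensor set 2)
        if abs(cmd - ref) > self.TOL_DNM:
            return self._enter_safe_state("CALC_MISMATCH")
        # monitoring task, part 2: actuator feedback against the command, debounced
        self.mismatch = self.mismatch + 1 if abs(actuator_feedback_dnm - cmd) > self.TOL_DNM else 0
        if self.mismatch >= self.MAX_MISMATCH:
            return self._enter_safe_state("ACTUATOR_MISMATCH")
        return cmd, None   # control task, part 2 now drives the actuator with cmd


def run_scenarios():
    """Constructed scenarios; returns the final (command, reason) of each."""
    def frames(n1, n2=None, torque2_offset=0):
        n2 = n1 if n2 is None else n2
        return make_frame(20, 50, 50, n1), make_frame(20 + torque2_offset, 50, 50, n2)
    results = {}
    c = EpsCycle()                        # nominal: 2.0 Nm at 50 km/h -> 31 dNm assist
    for n in range(5):
        results["nominal"] = c.step(*frames(n), 31)
    c = EpsCycle(); f1, f2 = frames(0)    # single bit error in frame 1
    results["crc"] = c.step(bytes([f1[0] ^ 0x01]) + f1[1:], f2, 31)
    c = EpsCycle(); c.step(*frames(0), 31)
    results["stale"] = c.step(*frames(0, 1), 31)          # frame 1 repeated (counter 0 again)
    c = EpsCycle()
    results["calc_mismatch"] = c.step(*frames(0, torque2_offset=20), 31)  # sensor set 2 reads high
    c = EpsCycle()                        # actuator stuck at zero: third cycle latches
    for n in range(3):
        results["actuator"] = c.step(*frames(n), 0)
    results["latched"] = c.step(*frames(3), 31)
    return results
```

`run_scenarios()` returns an assisting nominal case and a distinct safe-state reason for each injected fault, which is also the evidence one would attach to the software safety requirements for these tasks.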
(Figure: sufficiently independent signal paths. Sensor 1 and Sensor 2 enter through the input interface into the MCU, whose core runs in dual-core lockstep alongside its IP blocks; SW thread A and SW thread B exchange data only through OS-provided inter-process communication (IPC); the output interface drives the actuator (OP), and an output passivator, controlled from the PowerSBC, can disable it.)
(Lifecycle overview figure repeated as section divider; next section: Safety Validation)
Consistency between architecture and verification: the system architecture and design models are the single information source. From them, derive the fault tree analysis, derive the FMEA & FMEDA (ISO 26262 SPF & LF metrics, diagnostic coverage) and derive the review/assessment checklists; the results of review and analysis are fed back as updates to the models.
Safety analysis is carried out during the concept and product development phases.
Objectives of the analysis:
- examine the consequences of faults and failures on the system
- provide information on conditions and causes that could lead to the violation of a safety goal
- identify new hazards not previously considered
Qualitative and quantitative analyses are carried out:
- Example: a qualitative FTA demonstrating that faults in both redundant sensors (SensorA and SensorB) are needed to violate the safety goal "Prevent self steer"
- Quantitative analysis such as FMEDA is also required
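The qualitative FTA step from the functional safety concept slides ("from architecture to fault tree", "from fault tree to requirements", and the two trace questions) and the redundant-sensor example just above, as one added example that is not part of the Freescale deck: a small fault tree for the safety goal "Prevent self steer", its minimal cut sets (so that a single-point cause stands out from the AND-gated redundant ones), and the two checks behind the argumentation, whether every base event is covered by a functional safety requirement and whether every requirement traces to an event. The tree, base events and requirement texts are constructed and only loosely follow the channel structure of the deck's EPS architecture.

```python
"""Added example (not from the Freescale deck): qualitative fault tree for the
safety goal 'Prevent self steer', minimal cut sets, and base-event-to-FSR
coverage checks. Tree and requirements are constructed."""

# A node is a base-event name (str) or a tuple ("AND" | "OR", child, ...).
SELF_STEER_TREE = (
    "OR",
    # both redundant torque sensors wrong in the same direction
    ("AND", "TorqueSensorA_fault", "TorqueSensorB_fault"),
    # same two faults plus a third: not minimal, removed during minimisation
    ("AND", "TorqueSensorA_fault", "TorqueSensorB_fault", "SteeringAngleSensor1_fault"),
    # control channel computes a wrong assist and the monitoring channel misses it
    ("AND", "AssistCalc1_fault", "AssistCalc2_fault"),
    # actuator driven wrongly and actuator monitoring fails to isolate it
    ("AND", "ActuatorControl_fault", "ActuatorMonitor_fault"),
    # a shared sensor supply drifting takes both torque sensors with it: single point
    "SharedSensorSupply_drift",
)

# Constructed FSRs, each listing the base events it is meant to control.
FSRS = {
    "FSR-1 Torque sensor signals shall be cross-checked; on disagreement the safe state shall be entered":
        {"TorqueSensorA_fault", "TorqueSensorB_fault"},
    "FSR-2 The monitoring channel shall recompute the assist demand from independent inputs":
        {"AssistCalc1_fault", "AssistCalc2_fault"},
    "FSR-3 The actuator shall be monitored against the commanded assist and isolated on deviation":
        {"ActuatorControl_fault"},
    "FSR-4 The steering angle signal shall be plausibility-checked":
        {"SteeringAngleSensor1_fault"},
    "FSR-5 Diagnostic events shall be stored in non-volatile memory": set(),
}


def minimal_cut_sets(node):
    """Minimal cut sets of a fault tree by recursive expansion over its gates."""
    if isinstance(node, str):
        return [frozenset([node])]
    kind, *children = node
    child_sets = [minimal_cut_sets(c) for c in children]
    if kind == "OR":
        combined = [cs for sets in child_sets for cs in sets]
    elif kind == "AND":
        combined = [frozenset()]
        for sets in child_sets:
            combined = [a | b for a in combined for b in sets]
    else:
        raise ValueError(f"unknown gate {kind!r}")
    return _minimise(combined)


def _minimise(cut_sets):
    uniq = set(cut_sets)
    minimal = [cs for cs in uniq if not any(other < cs for other in uniq)]
    return sorted(minimal, key=lambda cs: (len(cs), sorted(cs)))


def base_events(node):
    if isinstance(node, str):
        return {node}
    return set().union(*(base_events(c) for c in node[1:]))


def single_point_faults(tree):
    """Base events that violate the safety goal on their own."""
    return [next(iter(cs)) for cs in minimal_cut_sets(tree) if len(cs) == 1]


def uncovered_base_events(tree, fsrs):
    """Are all base events covered? Those no FSR addresses."""
    covered = set().union(*fsrs.values())
    return sorted(base_events(tree) - covered)


def unjustified_fsrs(tree, fsrs):
    """Why was each FSR defined? Those tracing to no event of the tree."""
    events = base_events(tree)
    return sorted(name for name, targets in fsrs.items() if not targets & events)
```

On the constructed tree, `minimal_cut_sets(SELF_STEER_TREE)` yields three two-event cut sets and the single-point supply drift; `uncovered_base_events` reports the actuator monitor and the shared supply as events without a requirement (the latter is what turns "independence as explicit requirement" into an FSR about separate sensor supplies), and `unjustified_fsrs` flags FSR-5 as a requirement with no event behind it.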
(Lifecycle overview figure repeated as section divider; next section: Summary)
Summary
- The functional safety concept requires clarity about the functional concept!
- Identification of potential malfunctions requires knowledge of the functions.
- Hazard analysis and risk assessment identify the safety goals. Typically multiple safety goals exist for one item, with different associated ASILs!
- Traceability between functions, malfunctions, hazardous events and safety goals is needed to achieve and argue completeness.
- The functional safety concept leads to the allocation of functional safety requirements to the functional safety architecture.
- The technical safety architecture considers failure modes and failure rates of its elements.
- Safety validation is a key step that can involve significant effort and can even affect safety concept and architecture decisions.
- Dedicated tools and components can significantly support the application of ISO 26262 and reduce the effort involved.