European Conference on Nanoelectronics and Embedded Systems for Electric Mobility

Transcription

1 European Conference on Nanoelectronics and Embedded Systems for Electric Mobility ecocity emotion th September 2014, Erlangen, Germany Scalable Functional Safety Architecture for Electric Mobility Applications Michael Steindl Martin Winkler Christian Miedl AVL Software and Functions, Germany

2 Presentation Outline Introduction State of the art Hardware Architecture New approach: Hardware Qualifier Emergency Operation Scenario Standby Scenario Conclusion

3 Introduction Functional safety: Freedom of unacceptable risk due to hazards caused by an faulty E/E systems Examples for functional risks in electric cars: unintended acceleration unintended loss of braking capability Failures in E/E systems can be classified in two categories: Systematic failures (e.g. software bug, specification fault) Random failures (e.g. unpredictable HW fault) Source: AVL

4 Introduction Measures are necessary to deal with such failures: Systematic failures Use suitable development processes and methods Random failures Use high quality components (perfectness) Use redundancy Detection of errors Transition to safe state Error correction/ reconfiguration Source: AVL

5 Introduction Fail-safe system: Provides a safe state which can be achieved and maintained without the support of the Control Unit Individual and dependent failures that lead to a loss of service are safe Deactivation of service is generally safe Intended fault reaction Fail-operational system: Safe state can not be achieved and/or maintained without the support of the ECU Deactivation / loss of service is generally unsafe Source: Wikipedia

6 State of the art Hardware Architecture Hardware Architecture for Electronic throttle control (Fail-safe system) Analogue inputs ADC Check Input variables "Regular" XCU Functions Request for Failsafe Limitations MC XCU DRI DRI Disable to safety-relevant power stages (e.g., injection and throttle) Process Monitoring or Copy of Process Monitoring Processor Monitoring Question Answer Evaluation Processor Monitoring Reset MU Function (L1) Process Monitoring (L2) Copy of Process Monitoring (L2 ) Processor Monitoring (L3) Source: EGAS-AK

7 disable State of the art Hardware Architecture VCU Microcontroller Inverter Input (Acceleration Pedal) Application SW Com. Interface Torque Request Process Mon. Q/A AVL Monitoring Unit VCU Safe State request is indicated to the system by disabling CAN drivers Limitations: No communication possible in case of an error (debugging, re-flashing ) No distinction between error and normal system states with disabled safety mechanisms (e.g. start-up) Difficult to test during runtime (switch-off path check)

8 State of the art Hardware Architecture VCU Microcontroller Inverter Input (Acceleration Pedal) Application SW Com. Interface Torque Request Process Mon. disable Q/A AVL Monitoring Unit Limitations: Additional Hardware elements necessary costs VCU Safe State request is indicated to the system by additional switch off path

9 New approach: Hardware Qualifier VCU Microcontroller Inverter Input Application SW Com. Interface Regular Output + HW-Qualifier Process Mon. Q/A HW-Qualifier AVL Monitoring Unit Monitoring Unit determines µc HW-Status (HW-Qualifier) HW-Qualifier is communicated over existing interfaces to inverter via protected transfer Inverter evaluates received HW-Qualifier and selects suitable system reaction Advantages: No communication cut-off in case of an error No redundant switch off path Distinction between error and normal system states with disabled safety mechanisms Increased diagnostic capability of switch-off path Degraded fault reaction possible HW status can be easily provided to multiple control units

10 Standby Scenario VCU Input Microcontroller Application SW Process Mon. Output Com. Interface Regular Output Standby Output + HW-Qualifier BCU MC Q/A. Input AVL Monitoring Unit Standby - SW µc HW Status Standby Output Com. Interface Microcontroller is completely switched-off in certain operation modes (standby) Standby functionality is provided by MU Standby state is signaled to Inverter via HW Qualifier Advantages: Reduced system energy consumption Enhanced system wake-up concepts possible: Several sources possible, e.g.: Analog in Digital in CAN/Flexray/SPI/I²C Complex evaluation possible

11 Emergency Operation Scenario VCU Inverter Input Microcontroller Application SW Output Com. Interface Regular Output Process Mon. Backup Output + HW-Qualifier Q/A. Input AVL Monitoring Unit Redundant ASW HW- Qualifier Backup Output Com. Interface Monitoring Unit provides redundant ASW functionality Error state is signaled to inverter via HW Qualifier (Inverter limitation) Advantages: Increased system availability due to emergency operation functionality of Monitoring Unit in case of faulty main microcontroller Additional resources for nonsafety functionalities on Monitoring Unit available

12 Conclusion ECU error indication to System (Hardware Qualifier) Safe State request via CAN without disabling CAN drivers No additional hardware connections necessary Distinction between error and normal system states with disabled safety mechanisms possible Graded fault reaction possible Stand-by concept Operation without main µc Less quiescent current Wake-up concept Complex evaluation of arbitrary input sources possible Emergency Operation (Fault-tolerant system design) Limited functionality possible in case of an error

13 Conclusion Fully compliant to normative requirements (ISO26262, EGAS Concept) Cost efficient Scalable to customer requirements to provide enhanced functionality without additional hardware

14 Thank you for your attention! Contact Dr. Michael Steindl Martin Winkler Christian Miedl AVL Software and Functions GmbH Im Gewerbepark B27 D Regensburg