European Conference on Nanoelectronics and Embedded Systems for Electric Mobility


European Conference on Nanoelectronics and Embedded Systems for Electric Mobility, ecocity emotion, 24-25th September 2014, Erlangen, Germany

Scalable Functional Safety Architecture for Electric Mobility Applications
Michael Steindl, Martin Winkler, Christian Miedl
AVL Software and Functions, Germany

Presentation Outline
- Introduction
- State of the art: Hardware Architecture
- New approach: Hardware Qualifier
- Emergency Operation Scenario
- Standby Scenario
- Conclusion

Introduction
Functional safety: freedom from unacceptable risk due to hazards caused by faulty E/E systems.
Examples of functional risks in electric cars:
- unintended acceleration
- unintended loss of braking capability
Failures in E/E systems can be classified in two categories:
- Systematic failures (e.g. software bug, specification fault)
- Random failures (e.g. unpredictable HW fault)
Source: AVL

Introduction
Measures are necessary to deal with such failures:
- Systematic failures: use suitable development processes and methods
- Random failures:
  - use high-quality components (perfectness)
  - use redundancy: detection of errors, transition to safe state, error correction / reconfiguration
Source: AVL

Introduction
Fail-safe system:
- Provides a safe state which can be achieved and maintained without the support of the control unit
- Individual and dependent failures that lead to a loss of service are safe
- Deactivation of service is generally safe (intended fault reaction)
Fail-operational system:
- Safe state cannot be achieved and/or maintained without the support of the ECU
- Deactivation / loss of service is generally unsafe
Source: Wikipedia

State of the art: Hardware Architecture
Block diagram: hardware architecture for electronic throttle control (fail-safe system), three-level monitoring concept:
- Function (L1): "regular" XCU functions computed from the checked ADC input variables
- Process Monitoring (L2) and Copy of Process Monitoring (L2'): request fail-safe limitations
- Processor Monitoring (L3): question/answer evaluation between the main controller (MC) and the monitoring unit (MU); on failure, reset of the MC and disable of the safety-relevant power stages (e.g. injection and throttle) via the driver stages (DRI)
Source: EGAS-AK

State of the art: Hardware Architecture
Block diagram labels: VCU microcontroller (input: acceleration pedal, application SW, process monitoring, com. interface), AVL Monitoring Unit (Q/A), torque request to the inverter, "disable" acting on the com. interface.
VCU safe state request is indicated to the system by disabling the CAN drivers.
Limitations:
- No communication possible in case of an error (debugging, re-flashing)
- No distinction between error and normal system states with disabled safety mechanisms (e.g. start-up)
- Difficult to test during runtime (switch-off path check)

State of the art: Hardware Architecture
Block diagram labels: same VCU structure as before, with a separate "disable" line from the AVL Monitoring Unit to the inverter.
VCU safe state request is indicated to the system by an additional switch-off path.
Limitations:
- Additional hardware elements necessary (costs)

New approach: Hardware Qualifier
Block diagram labels: VCU microcontroller (input, application SW, process monitoring, com. interface) sends the regular output plus the HW-Qualifier to the inverter; the AVL Monitoring Unit (Q/A) supplies the HW-Qualifier.
- Monitoring Unit determines the µC HW status (HW-Qualifier)
- HW-Qualifier is communicated to the inverter over existing interfaces via protected transfer
- Inverter evaluates the received HW-Qualifier and selects a suitable system reaction
Advantages:
- No communication cut-off in case of an error
- No redundant switch-off path
- Distinction between error and normal system states with disabled safety mechanisms
- Increased diagnostic capability of the switch-off path
- Degraded fault reaction possible
- HW status can easily be provided to multiple control units

Standby Scenario
Block diagram labels: VCU microcontroller (input, application SW, process monitoring, output, com. interface) with regular output; AVL Monitoring Unit (Q/A, input, standby SW, µC HW status) with standby output plus HW-Qualifier; BCU, MC.
- Microcontroller is completely switched off in certain operation modes (standby)
- Standby functionality is provided by the MU
- Standby state is signaled to the inverter via the HW-Qualifier
Advantages:
- Reduced system energy consumption
- Enhanced system wake-up concepts possible:
  - several wake-up sources possible, e.g. analog in, digital in, CAN / FlexRay / SPI / I²C
  - complex evaluation possible

Emergency Operation Scenario
Block diagram labels: VCU microcontroller (input, application SW, process monitoring, output, com. interface) with regular output to the inverter; AVL Monitoring Unit (Q/A, input, redundant ASW, HW-Qualifier) with backup output plus HW-Qualifier to the inverter.
- Monitoring Unit provides redundant ASW functionality
- Error state is signaled to the inverter via the HW-Qualifier (inverter limitation)
Advantages:
- Increased system availability due to the emergency operation functionality of the Monitoring Unit in case of a faulty main microcontroller
- Additional resources for non-safety functionalities on the Monitoring Unit available
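As an added example (not code from the AVL presentation), the protected transfer of the HW-Qualifier described in the Hardware Qualifier slide and its evaluation on the inverter side, covering the standby and emergency operation cases above. The 3-byte frame layout, the CRC-8 polynomial, the qualifier codes and the qualifier-to-reaction mapping are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>

/* HW-Qualifier codes the Monitoring Unit may report (assumed encoding). */
typedef enum { HWQ_NORMAL = 0x1, HWQ_STARTUP = 0x2, HWQ_STANDBY = 0x3,
               HWQ_ERROR = 0x4 } hwq_t;

/* System reaction the inverter selects (assumed set of reactions). */
typedef enum { REACT_FULL_OPERATION, REACT_LIMITED_OPERATION,
               REACT_SAFE_STATE, REACT_SLEEP } reaction_t;

/* Assumed 3-byte frame: qualifier, alive counter, CRC-8 over the first two. */
typedef struct { uint8_t qual; uint8_t alive; uint8_t crc; } hwq_frame_t;

/* CRC-8 with polynomial 0x1D (SAE J1850), an assumed choice for the example. */
static uint8_t crc8(const uint8_t *d, size_t n) {
    uint8_t crc = 0xFF;
    for (size_t i = 0; i < n; i++) {
        crc ^= d[i];
        for (int b = 0; b < 8; b++)
            crc = (uint8_t)((crc & 0x80) ? (crc << 1) ^ 0x1D : crc << 1);
    }
    return crc;
}

/* Monitoring Unit side: pack the qualifier with a rolling alive counter and a
 * CRC so the receiver can detect corruption, replayed and stale frames. */
hwq_frame_t hwq_encode(hwq_t q, uint8_t alive) {
    hwq_frame_t f = { (uint8_t)q, alive, 0 };
    f.crc = crc8((const uint8_t *)&f, 2);
    return f;
}

/* Inverter side: verify the protected transfer, then map the qualifier to a
 * reaction. *last_alive is the previously accepted counter; any integrity or
 * freshness failure is treated as a fault and yields the safe state. */
reaction_t hwq_evaluate(const hwq_frame_t *f, uint8_t *last_alive) {
    if (crc8((const uint8_t *)f, 2) != f->crc) return REACT_SAFE_STATE;
    if (f->alive != (uint8_t)(*last_alive + 1)) return REACT_SAFE_STATE;
    *last_alive = f->alive;
    switch ((hwq_t)f->qual) {
    case HWQ_NORMAL:  return REACT_FULL_OPERATION;
    case HWQ_STARTUP: return REACT_LIMITED_OPERATION; /* mechanisms not yet active, not an error */
    case HWQ_STANDBY: return REACT_SLEEP;             /* main µC switched off, MU in charge */
    case HWQ_ERROR:   return REACT_LIMITED_OPERATION; /* degraded emergency operation via MU */
    default:          return REACT_SAFE_STATE;        /* unknown code: fail-safe */
    }
}
```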

Conclusion
- ECU error indication to the system (Hardware Qualifier)
  - Safe state request via CAN without disabling CAN drivers
  - No additional hardware connections necessary
  - Distinction between error and normal system states with disabled safety mechanisms possible
  - Graded fault reaction possible
- Stand-by concept
  - Operation without main µC
  - Less quiescent current
  - Wake-up concept: complex evaluation of arbitrary input sources possible
- Emergency Operation (fault-tolerant system design)
  - Limited functionality possible in case of an error

Conclusion
- Fully compliant to normative requirements (ISO 26262, EGAS concept)
- Cost efficient
- Scalable to customer requirements to provide enhanced functionality without additional hardware

Thank you for your attention!
Contact:
Dr. Michael Steindl, +49 941 63089 256, michael.steindl@avl.com
Martin Winkler, +49 941 63089 122, martin.winkler@avl.com
Christian Miedl, +49 941 63089 148, christian.miedl@avl.com
AVL Software and Functions GmbH, Im Gewerbepark B27, D-93059 Regensburg