Failure Diagnosis and Prognosis for Automotive Systems. Tom Fuhrman General Motors R&D IFIP Workshop June 25-27, 2010

Similar documents
Functional Safety Architectural Challenges for Autonomous Drive

Functional Safety and Safety Standards: Challenges and Comparison of Solutions AA309

Deriving safety requirements according to ISO for complex systems: How to avoid getting lost?

Advanced Driver Assistance: Modular Image Sensor Concept

Safety and Reliability of Software-Controlled Systems Part 14: Fault mitigation

How Microcontrollers help GPUs in Autonomous Drive

Software architecture in ASPICE and Even-André Karlsson

FUNCTIONAL SAFETY AND THE GPU. Richard Bramley, 5/11/2017

The Safe State: Design Patterns and Degradation Mechanisms for Fail- Operational Systems

Taking the Right Turn with Safe and Modular Solutions for the Automotive Industry

Is This What the Future Will Look Like?

Experiences with CANoe-based Fault Injection for AUTOSAR

Automotive and Aerospace Synergies

Automotive Functional Safety

Functional safety in BATTERY MANAGEMENT SYSTEMS

Automotive ECU Design with Functional Safety for Electro-Mechanical Actuator Systems

Solving functional safety challenges in Automotive with NOR Flash Memory

Autonomous Driving From Fail-Safe to Fail-Operational Systems

ADAS: A Safe Eye on The Road

MATLAB Expo Simulation Based Automotive Communication Design using MATLAB- SimEvent. Sudhakaran M Anand H General Motors

Ethernet TSN as Enabling Technology for ADAS and Automated Driving Systems

Click ISO to edit Master title style Update on development of the standard

Standardized Tool Components for NRMM-Diagnostics

Quick Start Guide Pre-and Post-Scanning.

Communication Patterns in Safety Critical Systems for ADAS & Autonomous Vehicles Thorsten Wilmer Tech AD Berlin, 5. March 2018

Automotive Security: Challenges, Standards and Solutions. Alexander Much 12 October 2017

ISO meets AUTOSAR - First Lessons Learned Dr. Günther Heling

RTMS Solutions. Detection solutions to fit your city s needs.

Supplier Business Opportunities on ADAS and Autonomous Driving Technologies

Rear Drive Axle and Differential

ISO Functional Safety Management in the Autonomous Car industry and the overview of the required safety lifecycle.

12/2013. Installation Guide & User Manual

FSO Webnair FSO Safety Functions Module. ABB Group February 11, 2015 Slide 1

Functional Safety for Automotive Ethernet Networks

ISO/TS TECHNICAL SPECIFICATION. Transport information and control systems Traffic Impediment Warning Systems (TIWS) System requirements

New ARMv8-R technology for real-time control in safetyrelated

New developments about PL and SIL. Present harmonised versions, background and changes.

Safety Argument based on GSN for Automotive Control Systems. Yutaka Matsubara Nagoya University

USING SCAN TOOL MEMORY

Emergency Response: How dedicated short range communication will help in the future. Matthew Henchey and Tejswaroop Geetla, University at Buffalo

Can We Improve Autonomous Driving With IoT and Cloud?

Riccardo Mariani, Intel Fellow, IOTG SEG, Chief Functional Safety Technologist

Certified Automotive Software Tester Sample Exam Paper Syllabus Version 2.0

DEPENDABLE PROCESSOR DESIGN

Quick Start Guide Pre-and Post Scanning

Fault-Injection testing and code coverage measurement using Virtual Prototypes on the context of the ISO standard

SIP Automated Driving System SEIGO KUZUMAKI Program Director. Nov

Workpackage WP2.5 Platform System Architecture. Frank Badstübner Ralf Ködel Wilhelm Maurer Martin Kunert F. Giesemann, G. Paya Vaya, H.

Connected Car. Dr. Sania Irwin. Head of Systems & Applications May 27, Nokia Solutions and Networks 2014 For internal use

Examining future priorities for cyber security management

Designing a software framework for automated driving. Dr.-Ing. Sebastian Ohl, 2017 October 12 th

iobd2 MFi BT VAG Adapter User Manual

DEFINITIONS TO BE USED WITH THE ANSI B11 SERIES OF SAFETY STANDARDS FOR MACHINES

ISO/TS TECHNICAL SPECIFICATION. Transport information and control systems Traffic Impediment Warning Systems (TIWS) System requirements

What functional safety module designers need from IC developers

RazorMotion - The next level of development and evaluation is here. Highly automated driving platform for development and evaluation

Understanding SW Test Libraries (STL) for safetyrelated integrated circuits and the value of white-box SIL2(3) ASILB(D) YOGITECH faultrobust STL

Autonomous People Mover Phase II - Sensors P MSD 1 - FINAL DESIGN REVIEW

Functional Safety and Cyber Security Experiences and Trends

Cyber Security and Vehicle Diagnostics. Mark Zachos DG Technologies

Driving virtual Prototyping of Automotive Electronics

13W-AutoSPIN Automotive Cybersecurity

Introduction to Internet of Things Prof. Sudip Misra Department of Computer Science & Engineering Indian Institute of Technology, Kharagpur

Handling Challenges of Multi-Core Technology in Automotive Software Engineering

IMPROVING ADAS VALIDATION WITH MBT

Object Fusion for an Advanced Emergency Braking System (AEBS) Jonny Andersson

IEEE Frame Replication and Elimination for Reliability. Franz-Josef Goetz, Member of IEEE TSN TG, Siemens AG

MASP Chapter on Safety and Security

Company: Valeo Powertrain Systems Business Company: Valeo Powertrain Systems Business

Safety Driven Optimization Approach for Automotive Systems. Slim DHOUIBI, PhD Student, VALEO - LARIS

Hardware-In-Loop Test Setup Automation

OASIS TECHNICAL COMMITTEE FORMAT OF AUTOMOTIVE REPAIR INFORMATION

Release Date: September 4, 2014

CONTROLLER AREA NETWORK (CAN)

If you have any questions regarding this survey, please contact Marcell Reid at or Thank you for your support!

Automating Best Practices to Improve Design Quality

Multiple Views and Relationships for Quality Driven Architecture with AADL: A Multimodel for Software Product Lines

Executive summary. by Michel Bonnet, Maximilien Laforge, and Jean-Baptiste Samuel

Declaration X-100 PAD

SECONS SDI Diagnostics Interface Installation and Operation Manual

Service Technical Resources MUT-III. (Multi-Use Tester-III*) Quick Reference Guide

Industry 4.0 & Transport for Digital Infrastructure

Cybersecurity Challenges for Connected and Automated Vehicles. Robert W. Heller, Ph.D. Program Director R&D, Southwest Research Institute

NC1701 ENHANCED VEHICLE COMMUNICATIONS CONTROLLER

10 th AUTOSAR Open Conference

A Longitudinal Control Algorithm for Smart Cruise Control with Virtual Parameters

2009 E09PS E09PS E09PS E09PS E09PS E09PS38 IEEE 2009 E09PS39 E09PS40 E09PS41 E09PS42 E09PS43 IEEE 2008 E09PS44

10 th AUTOSAR Open Conference

Application. Diagnosing the dashboard by the CANcheck software. Introduction

Troubleshooter Quick Reference Guide

TraffiStar Series Superior technology for stationary red light monitoring and speed measurement

Disclaimer. Safety Precautions and Warnings. icarsoft English User s Manual

LAUNCH. X-431 PADII Product Introduction

Enabling Functional Safety ASIL Compliance for Autonomous Driving Software Systems

Cooperative Vehicles Opportunity and Challenges

Functional Safety Processes and SIL Requirements

Secure Ethernet Communication for Autonomous Driving. Jared Combs June 2016

Delphi Diagnostics DS100E user manual version 7.0 Software Version

SIMPLIFYING THE CAR. Helix chassis. Helix chassis. Helix chassis WIND RIVER HELIX CHASSIS WIND RIVER HELIX DRIVE WIND RIVER HELIX CARSYNC

Functional Safety for Electronic Control

Transcription:

Failure Diagnosis and Prognosis for Automotive Systems Tom Fuhrman General Motors R&D IFIP Workshop June 25-27, 2010

Automotive Challenges and Goals Driver Challenges Goals Energy Rising cost of petroleum fuels Non-renewability of fossil fuels Increasing gov t regulations for fuel economy Environment Impact of greenhouse gas emissions on the environment Increasing gov t regulations for emissions Safety 40K traffic fatalities annually in the US Connectivity Demand for connectivity to personal electronics devices Worsening traffic congestion Reduce fuel consumption Zero dependency on fossil fuels Zero greenhouse gas emissions Zero traffic fatalities Zero traffic congestion Safer roadways

Example Active Safety Systems Adaptive cruise control Forward collision warning Curve speed control Side blind zone alert Lane keeping / lane centering control Cross traffic collision avoidance SAV 2.0 Obstacle Detection Sensor Placement US-R F-SRR-R SBZA-R RCTCW-R R-SRR-R F-LRR F-CAM F-SRR-L US-L SBZA-L R-SRR-L RCTCW-L

Where does failure diagnosis fit in? Two main use cases: Off-line servicing / maintenance of the vehicle On-line safety architecture

Failure Diagnosis in Maintenance Well-established, mature area (since 1970 s) Current practice Diagnostic Trouble Codes (DTC) and Parameter IDs (PID) are generated by and stored within Electronic Control Units (ECUs) Some are required and standardized by government regulations, for emissions equipment, these are called OBD (On Board Diagnostics) Service tools plug into the Diagnostic Link Connector (DLC) and read out these codes (can also upload new calibrations and software code) Diagnostic procedures (flow charts) indicate additional tests and probes to troubleshoot a particular customer concern Far from perfect, needs to be continuously improved

Failure Diagnosis in Maintenance Customer satisfaction goals Never stranded ( walk-home ) Fix it right the first time (no repeat visits!) Warranty cost reduction Reduce No Trouble Founds (NTF) Focus on highest cost IPTV (Incidents Per Thousand Vehicles) and CPV (Cost Per Vehicle) Batteries Wiring harnesses and connectors Certain Electronic Control Units

Failure Prognosis in Maintenance Predict the remaining useful life of components that wear out (in progress) Batteries Brake pads Predict the failure of electronic components (future)

Failure diagnosis in the run-time safety architecture Process considerations Based on ISO 26262 Architecture considerations Fault detection and fault mitigation

Failure diagnosis in the run-time safety architecture Process considerations Based on ISO 26262 Architecture considerations Fault detection and fault mitigation

ISO 26262 and the Functional Safety Process ISO 26262 is the automotive specialization of IEC 61508 MISRA BNA FAKRA OEMs Suppliers Technical Services IEC 61508 other Safety Standards Quality Standards Engineering Standards Initial work of individual companies 2002 2003 Initiatives within national standardization bodies 1.2004 RESPONSE Automotive SPICE HIS First drafts of requirement specifications 9.2005 ISO TC22 SC3 WG16 11.2005 First WG16 Meeting

ISO 26262 Process Overview After SOP Concept phase Product development 3-4 Item definition 3-5 Initiation of the safety lifecycle 3-6 Hazard analysis and risk assessment 3-7 Functional safety concept 4 Product development: system level Most diagnostic requirements 7-5 Operation planning 7-4 Production planning 5 HW 6 SW level level Other technologies Controllability External measures 4-10 Product release 7-4 Production 7-5 Operation, service and decommissioning Back to appropriate lifecycle phase

ISO 26262 Process Overview After SOP Concept phase Product development 3-4 Item definition 3-5 Initiation of the safety lifecycle 3-6 Hazard analysis and risk assessment 3-7 Functional safety concept 4 Product development: system level 7-5 Operation planning 7-4 Production planning 5 HW 6 SW level level Other technologies Controllability External measures 4-10 Product release 7-4 Production 7-5 Operation, service and decommissioning Back to appropriate lifecycle phase

ISO 26262 Concept Phase For a given Product Item : 2) Perform a Hazard Analysis Determine ASIL 3) Identify Safety Goals ASIL A, B, C, D SAFETY GOALS 1) Identify relevant safety lifecycle steps 4) Identify Functional Safety Concept System Requirements System Requirement Functional Safety Concept Functional Safety Requirement

ISO 26262 Hazard Analysis and Determination of ASIL (Automotive Safety Integrity Level) S0 S1 S2 S3 No injuries Light and moderate injuries Severe and lifethreatening injuries (survival probable) Life-threatening injuries (survival uncertain), fatal injuries E0 E1 E2 E3 E4 Incredible Very low probability Low probability Medium Probability High Probability C0 C1 C2 C3 Controllable in general Simply controllable Normally controllable Difficult to control or uncontrollable

ISO 26262 Hazard Analysis and Determination of ASIL (Automotive Safety Integrity Level) C1 C2 C3 E1 QM QM QM S1 S2 S3 E2 QM QM QM E3 QM QM ASIL A E4 QM ASIL A ASIL B E1 QM QM QM E2 QM QM ASIL A E3 QM ASIL A ASIL B E4 ASIL A ASIL B ASIL C E1 QM QM ASIL A E2 QM ASIL A ASIL B E3 ASIL A ASIL B ASIL C E4 ASIL B ASIL C ASIL D

ISO 26262 Identification of Safety Goals Hazard A ASIL B Safety Goal M Through hazard analysis, ASIL and potential source faults are determined and Safety Goals are identified. Hazard B Fault X Fault Y Fault Y Fault Z ASIL C Safety Goal N Per analysis results, Fault Y is implicated for both Goals M and N but since Goal N is associated with a higher ASIL (C), safety mechanisms to cover for Fault Y must satisfy ASIL C failure rate targets.

ISO 26262 Process Overview After SOP Concept phase Product development 3-4 Item definition 3-5 Initiation of the safety lifecycle 3-6 Hazard analysis and risk assessment 3-7 Functional safety concept 4 Product development: system level 7-5 Operation planning 7-4 Production planning 5 HW 6 SW level level Other technologies Controllability External measures 4-10 Product release 7-4 Production 7-5 Operation, service and decommissioning Back to appropriate lifecycle phase

ISO 26262 System Level For a given Product Item : 1) Identify relevant safety lifecycle steps for item system engineering 2) Identify Technical Safety Concept System Requirements System Requireme nt Functional Safety Concept SAFETY GOALS Functional Safety Requirement Technical Safety Concept Technical Safety Requirement

ISO 26262 Process Overview After SOP Concept phase Product development 3-4 Item definition 3-5 Initiation of the safety lifecycle 3-6 Hazard analysis and risk assessment 3-7 Functional safety concept 4 Product development: system level 7-5 Operation planning 7-4 Production planning 5 HW 6 SW level level Other technologies Controllability External measures 4-10 Product release 7-4 Production 7-5 Operation, service and decommissioning Back to appropriate lifecycle phase

ISO 26262 Hardware Design For a given Hardware Item : 1) Identify relevant safety lifecycle steps for item hardware engineering 2) Identify Hardware safety requirements 3) Design hardware, protecting for safety concerns 4) Evaluate hardware mechanisms for fault handling 5) Assess residual, single and dual point faults for residual risk and violation of safety goals 6) Plan for Hardware safety integration and test 7) Define requirements for Hw/Sw interface to support Technical Safety Concept

ISO 26262 Hardware Design: Fault Model

ISO 26262 Hardware Design: Fault Definitions Safe fault: fault whose occurrence will not significantly increase the probability of violation of a safety goal Single point fault: fault in an element which is not covered by a safety mechanism and where the fault leads directly to the violation of a safety goal Residual fault: portion of a fault which by itself leads to the violation of a safety goal, occurring in a hardware element, where that portion of the fault is not covered by existing safety mechanisms Multiple point fault: one fault of several independent faults that in combination, leads to a multiple point failure (either detected, perceived, or latent) Latent fault: multiple point fault whose presence is not detected by a safety mechanism nor perceived by the driver

ISO 26262 Hardware Design: Fault Model

ISO 26262 Hardware Design: Fault Tree Representation Primary Element 1 (PE1) PE1 Top Event Cut Sets (PE1) (PE2-R) (PE2-DP&SM) Primary Element 2 (PE2) Safety Mechanism (SM) Single Point Fault Covered Not Covered PE2 -R Residual Fault Multi-Point Failure PE 2- DP Dual Point Fault SM Dual Point Fault

ISO 26262 Hardware Design: Fault Model

ISO 26262 Hardware Design: Fault Model

ISO 26262 Hardware Design: Diagnostic Coverage Metrics 1 st Order Safety Mechanism 2 nd Order Safety Mechanism Evaluates level of diagnostic coverage and safe faults vs. undetected faults Based on safety goal ASIL Single Point Failure Metric = Single Point & Residual Faults All Faults Primary Element (PE) Single Point Failure Metric Latent Failure Metric = Safety Mechanism 1 (SM1) Latent Failure Metric Safety Mechanism 2 (SM2) Dual Point Faults Based on Failure Rates of Faults that may lead to a violation of a safety goal

ISO 26262 Hardware Design: Diagnostic Coverage Metrics (Part 5 Annex D) Provides diagnostic coverage levels for typical diagnostics Can be used as basis for assessment of diagnostic coverage General Model Of A System Example Diagnostics & Their Coverage Levels

ISO 26262 Hardware Design: Fault Response Time Fault Tolerant Time Interval Sensor Fault Tolerant Time Interval Sensor Fault Diagnostic Test Interval ECU Error Time Time Actuator Error Safety Mechanism Fault Response Time Confirmation Time Fault Reaction Time Vehicle Error Fault Response Time Also Multiple point fault detection interval - time span to detect multiple point fault (1.77) before it may contribute to a multiple point failure Typically one to several driving cycles (power up / power down)? Fault Tolerant Time Interval

ISO 26262 Process Overview After SOP Concept phase Product development 3-4 Item definition 3-5 Initiation of the safety lifecycle 3-6 Hazard analysis and risk assessment 3-7 Functional safety concept 4 Product development: system level 7-5 Operation planning 7-4 Production planning 5 HW 6 SW level level Other technologies Controllability External measures 4-10 Product release 7-4 Production 7-5 Operation, service and decommissioning Back to appropriate lifecycle phase

ISO 26262 Software Design For a given Software Item : 1) Identify relevant safety lifecycle steps for item software engineering 2) Identify software safety requirements 3) Design software architecture, protecting for safety concerns 4) Design software units, protecting for safety concerns 5) Plan and conduct software unit testing 6) Plan and conduct software integration testing 7) Plan and conduct software safety verification testing

ISO 26262 Software Design

ISO 26262 Software Design

Failure diagnosis in the run-time safety architecture Process considerations Based on ISO 26262 Architecture considerations Fault detection and fault mitigation

Architecture Considerations For an imaginary autonomous steering & braking system Radar Camera Lidar ECU 1 ECU 2 EPS EBCM ECU = Electronic Control Unit EPS = Electric Power Steering EBCM = Electronic Brake Control Module

Architecture Considerations Radar Identify single-point sensor failures to be covered. How to detect? How to mitigate? (Redundant sensors? Virtual sensors? Sensor fusion?) Camera Lidar ECU 1 ECU 2 EPS EBCM ECU = Electronic Control Unit EPS = Electric Power Steering EBCM = Electronic Brake Control Module

Architecture Considerations Radar Identify single-point communication link failures to be covered. How to detect? How to mitigate? (Redundant communication path: alternate bus? dual-channel FlexRay?) Camera Lidar ECU 1 ECU 2 EPS EBCM ECU = Electronic Control Unit EPS = Electric Power Steering EBCM = Electronic Brake Control Module

Architecture Considerations Radar ECU 1 Camera ECU 2 Lidar Identify single-point control module failures to be covered. How to detect? How to mitigate? (Symmetric vs. asymmetric hardware? Watchdogs? Challenge-response architectures? Dual-core micros? Dual microcontrollers? Symmetric vs. asymmetric EPS software allocation?) EBCM ECU = Electronic Control Unit EPS = Electric Power Steering EBCM = Electronic Brake Control Module

Architecture Considerations Radar Camera Lidar Identify single-point actuator failures to be covered. How to detect? How to mitigate? (Single robust actuator with two independent electromagnetic paths, e.g., dual ECU 1 windings? identical replication, e.g., dual EPS actuators? reducedfunctionality / reduced-performance ECU 2 alternatives, e.g., use EBCM with differentual braking commands for steer-by-braking?) EPS EBCM ECU = Electronic Control Unit EPS = Electric Power Steering EBCM = Electronic Brake Control Module

Architecture Considerations Identify fail-safe vs. fail-operational requirements (per ISO) Identify faults to be considered (random hardware? software design?) Identify fault detection and fault mitigation approaches Conduct single-element fault analysis Evaluate alternative fault-tolerance strategies Redundancies for fault detection (watchdogs, etc.) Application-specific vs. generic/systematic approaches Physical vs. logical redundancies (model-based diagnosis) Symmetric vs. asymmetric redundancy Distributed vs. localized redundancy Fail operational patterns (dual-duplex? triple modular redundancy?)

Summary and Conclusions High level automotive challenges Energy Environment Safety Connectivity Role of failure diagnosis in Service / Maintenance Run-time safety Importance of fault metrics for detection coverage per ISO 26262 Single-point fault metric Latent fault metric Challenges Warranty cost and NTF Safety goal analysis for active safety and autonomous vehicle systems, in the presence of uncertainties in road conditions, traffic conditions, weather conditions, driver skill level, vehicle state of health

Thank-you for your attention! Questions?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback