E-Gas 3 Level Monitoring Concept
March 20th, 2022, Issue no.32, ISO 26262
This series is dedicated to absolute automotive functional safety beginners: system engineers, software engineers, or anyone who wants to learn about the automotive functional safety standard ISO 26262 from zero. Disclaimer: this series expresses only the author's view of ISO 26262 and not the view of any company, institution or organization.
E-Gas Concept
Back in the 90s, before ISO 26262, the E-Gas standard was created to demonstrate the state of the art of functional safety for gasoline engines. The concept can be extended to other item definitions, not just E-Gas engines.
What is E-Gas concept 3 level monitoring?
It is the monitoring structure of the E-Gas system: it is divided into three sufficiently independent levels for a better organization and development of FuSa processes.
Level 2
You build your control function with QM integrity and add another independent layer on a different core (lockstep) with a different algorithm/implementation.
This L2 checks for L1 errors and goes to the safe state within L2_FTTI.
Level 3
It tests controller reliability and checks for accumulated latent faults in the MCU's integrated safety mechanisms: the core BIST, ECC, clock monitor unit, power management controller, MPU and lockstep, all of which are allocated on the same MCU.
L3 is divided into two parts:
First part: inside the main MCU
Second part: can be another MCU, ASIC or SBC (PMIC)
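The three levels above, as an added illustration that is not part of the original article: a QM control law as L1, an independent L2 plausibility monitor using a different algorithm that cuts the throttle within L2_FTTI, and an L3 self-test that feeds a known-bad L1 output through the monitor to reveal a latent fault in L2. The article's L3 is hardware BIST on the MCU; reducing it to a software self-test of the monitor, and all timing and tolerance values, are simplifying assumptions of this example.

```c
#include <stdbool.h>

/* Constructed timing and tolerance values; they are not taken from any real E-Gas design. */
#define L2_FTTI_MS      100   /* fault tolerant time interval: L2 must reach safe state by then */
#define L2_DEBOUNCE_MS   20   /* short transients are tolerated before reacting */
#define L2_TOLERANCE_PCT 10   /* plausibility band used by the monitor */

/* Level 1 (QM): the intended function, pedal position -> throttle demand, both in percent.
 * inject_fault simulates an L1 error such as a corrupted gain, used by the L3 self-test. */
int l1_throttle_demand(int pedal_pct, bool inject_fault)
{
    int demand = (pedal_pct * 9) / 10;        /* plain control law, 90 % gain */
    if (inject_fault) demand += 40;
    return demand > 100 ? 100 : demand;
}

typedef struct { int fault_ms; bool safe_state; } l2_state_t;

/* Level 2: independent monitor with a different algorithm. It does not re-run the L1 law;
 * it only checks that demand stays inside a plausibility band around the pedal position.
 * Returns true once the safe state (throttle cut) has been commanded. */
bool l2_monitor(l2_state_t *st, int pedal_pct, int demand_pct, int dt_ms)
{
    if (demand_pct > pedal_pct + L2_TOLERANCE_PCT) {
        st->fault_ms += dt_ms;
        if (st->fault_ms >= L2_DEBOUNCE_MS) st->safe_state = true;
    } else {
        st->fault_ms = 0;                      /* transient gone: reset debounce */
    }
    return st->safe_state;
}

/* Runs the L2 monitor on a constant input at a 10 ms task rate and returns the time (ms)
 * until the safe state is reached, or -1 if L2 does not react within L2_FTTI_MS. */
int l2_reaction_time_ms(int pedal_pct, int demand_pct)
{
    l2_state_t st = {0, false};
    for (int t = 10; t <= L2_FTTI_MS; t += 10)
        if (l2_monitor(&st, pedal_pct, demand_pct, 10)) return t;
    return -1;
}

/* Level 3 (simplified to software here): exercise the monitor with a known-bad L1 output and
 * confirm it reacts inside the FTTI. Failure means the L2 mechanism itself has a latent fault. */
bool l3_self_test_monitor(void)
{
    const int pedal = 30;
    return l2_reaction_time_ms(pedal, l1_throttle_demand(pedal, true)) != -1;
}
```

Note that L2 never calls the L1 law, so a systematic error in the L1 gain cannot be replicated by the monitor; that is the "different algorithm" requirement in practice.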
Reducing Hazardous Events
Why do you consider this E-Gas concept useful?
Because we have an increasing number of complex automotive systems, and we need a concept to allocate functional safety across different independent layers of protection.
If we look at Safety provision 1, there may be a single point of fault that lets the fault propagate to the next layer, Safety provision 2. It is of low probability that the second layer propagates the same fault in the same way up to the interface at vehicle level where an accident can occur.
Therefore, different independent layers are crucial to reduce the risk likelihood.
Hence, the E-Gas concept provides a simple scheme for safety layers that can be utilized in different automotive systems.
Conclusion
Adoption of E-Gas 3 level monitoring would help us to focus on the distribution of the safety mechanisms over the item definition. Next time, you would say: we have an issue in an L3 safety mechanism.
Sr. Hardware / System Safety Engineer
15 hours ago: Thanks for the explanation. I also have a question: at which level would you introduce the voltage regulators that would feed, for example, the gate drivers of a DC-DC converter? Mainly the OV/UV, EN, and PGs. Thank you!
Functional Safety | Cybersecurity | Software Architecture | Process Design & Strategy | DevOps
2 years ago: AbdelRahman Hassan thanks for the digit! I have a short question. What is the rationale behind allocating QM(x) under L2 rather than L1? Since QM(x) can be treated as intended functionality as per ASIL decomposition, shouldn't it be allocated to L1 along with QM?
Sr Functional Safety Software Engineer @ Rivian | Automotive Functional Safety Expert
2 years ago: Hi Abdel, thanks for posting this article. I have seen a lot of examples discussing level 3 to protect against microcontroller-related level 2 failures. Can this level 3 also be used for systematic SW protection of SW features and their monitors?
Level 1 implements the feature
Level 2 implements the monitor
Level 3 implements the self-test for the monitor
Can this be a way of implementation?