The Functional Safety Mirror

Oct 12nd, 2019, Issue no.8, ISO 26262-3, Functional Safety Concept 3/5

This series is dedicated for the absolute functional safety beginners, system engineers or software engineers or anyone wants to know about automotive functional safety ISO 26262 standard from ZERO

Introduction

This article illustrates the functional safety requirements at clause 7 and demonstrates some examples of functional safety mechanisms. Before going to the ISO 26262-3 specs of the functional safety requirements, we need to know what is the safety mechanism ?

1) It is technical solution to detect/ avoid/ control failures or mitigate their harmful effects

2) Implemented by an E/E function or element or in other technology

3) The safety mechanism is able maintain item in a safe state or alert the driver to control the effect of the failure

The following example demonstrates an implementation of a safety mechanism using

E/E function: sense, logic and actuate

Figure 1. Safety Mechanism for Vehicle Headlamp

If the vehicle headlamp failed at night, the driver will notice. Yet, if the headlamp is ON by Error at the daytime, the driver will not notice so the red warning light will be ON to warn the driver to limit the exposure time of the Hazard exposure (E) as conducted at HARA. By implementing this safety mechanism on the function level, we will save battery consumption.

On the other hand, when we want to warn the driver at night if the failure mode of the headlamp is OFF by Error, we will change the logic to be NAND and hence the red warning will be active upon the failure of any of ( headlamp, switch, harness or battery). That being said, the logic AND is controller to be adapted according the driving time. Now, it's time to revisit the functional safety requirements.

Functional Safety Requirements Revisit

Before commenting on possible functional safety strategies, we need to make two terms clear:

1. Fail-Safe
2. Fail-Operational

The first means if the failure occurred you have to disable the functionality or degrade it(continuous operation with partial functionality) to mitigate the hazard

While the fail-operational is to maintain the availability of the function by supporting the functionality with redundancy; that being said, both of fail-safe and fail-operational are sort of safe-state.

Fail-Safe ---> Degraded Mode ---> Fail-Operational

The functional safety requirements shall specify strategies for the?nine points,?if applicable:

1.fault avoidance

• It is a process oriented concept seeks to prevent faults from being introduced into the system
• By carefully designing and manufacturing systems, faults can be avoided

2. faults detection

• Mechanisms to detect the faults when they are occurred

3. transition to a safe state, and if applicable, from a safe state

• You have to specify the entry point for the safe sate and how to exit from this safe state
• You can have multiple safe states for the same item definition

4. fault tolerance

• It is a product oriented concept which accepts faults in a limited capacity and masks their manifestation
• To make a system fault-tolerant, enable the system to operate regardless the occurrence of failure in part of the system

5. driver warnings to reduce risk exposure (E) time to an acceptable duration

• example: the airbag controller shall send a warning message to the instrumental panel if the airbag sensor is faulty.
• Notice, we didn't specify what are the types of faults to send warnings on as it is on the function level; you can list the potential faults in your functional safety concept document to be traced later in the technical safety concept( this is relative, you can list fault types)
• Driver can take the vehicle to the service, so that the risk exposure will be reduced and then ASIL Hazard will be QM

6. driver warnings to increase controllability ( go to lower C)by the driver

• When the failure of the item can be controllable if the driver get feedback immediately, so C parameter rating will be decreased due to the reaction of the driver to the certain fault.
• example: Automatic Emergency Braking fault shall be sent to the Cluster Display
• When the driver see the warning, he will never depend on AEB and will press brake pedal if there is an object in front of the vehicle , hence the warning message has increased his controllability, say it became C0, therefore, the Hazard will be QM

7. the degradation of the functionality in the presence of a fault and its interaction with 5) or 6)

• You need to describe the degraded function in case of fault occurrence
• example: Maintaining the vehicle in a limp-home mode until the ignition has been switched from "on"to "off"

8. define fault handling time to meet Fault Tolerant Time Interval (FTTI)

• Each safety goal has a FTTI so this interval shall be respected on the vehicle level
• Define the max handling time constrain to be less than the FTTI
• The depicted timeline illustrates that you must go to safe state before the FTTI time finishing; why? because after this time the hazard will occur and the safety goal will be violated
• If FTTI = 2 seconds and you entered the safe state at 2.5 sec then the safety goal is violated

9. avoidance/ mitigation of a hazardous event due to improper arbitration of multiple control request generated simultaneously by different functions.

• In the SbW system architecture, you notice that the Steer-by-Wire controller receives steering requests from multiple senders and shall arbitrate from which to execute the command, zoom in figure 3:

a) Braking Systems block(ESC,ABS),

b) Lane Keep Assist (LKA) function block

c) Human Driver

• If there are multiple requests from multiple senders, which sender will dominate the steering functionality? Umm, I bet LKA, Am I correct?
• Therefore, there shall be safety mechanism to be implemented to avoid any improper arbitration. For instance, safety mechanisms to monitor the ADAS state to make sure when the LKA requested the steering, it shall respond to it or not. Furthermore, it can assure driving current mode from different sources to check the LKA steering request plausibility. What is a plausibility? I will tell you in the next article because you are my friend :D

Figure 3: SbW System Architecture

According to the nine functional safety strategies you shall generate FSR for each strategy on the functional level. Furthermore, each functional safety requirement shall be specified by considering the following?five constraints, as applicable:

1.operating modes;

• ADAS, Drive-train, Standby, etc.

2. fault tolerant time interval;

• Append the FTTI to the FSR

3. safe states;

• Append the appropriate safe state to certain functional safety requirement if a fault occurred
• example: Steering-assist shall be available at low speeds, but is disabled at high speeds
• example: All steering-assist shall be disabled

4. emergency operation time interval; and

• Specify the emergency operation time; that being said, if the safe state can't be reached, the emergency operation shall be executed
• If safe state is to disable the functionality, then the emergency can to stop the vehicle or disable another dominant functionalities to mitigate the failure

5. functional redundancies (e.g. fault tolerance).

• Specify a redundant functionality if the primary function fails

We can add to the nine strategies, a strategy to ensure that the system elements are functioning correctly all the time. Finally, how should the functional safety concept looks like?

Functional Safety Concept

The function safety concept document shall include:

1. Preliminary system architecture; item definition
2. Safety Goals
3. Safety strategies

Use Case:

SG01: The EPS system shall prevent unintended self-steering in any direction under all

vehicle operating conditions (ASIL-D)

Unintended self-steering is defined as any steering that was not initiated by the driver

or other vehicle systems (which are assumed to be operating correctly) due to failures

that lead to:

a) Unintended initiation of steering

b) Electrical steering stuck at a non-zero torque output

c) Steering in the wrong direction

Note that, we set the safety goal and described it in an appropriate manner after that we will add functional safety strategies which expressed in requirements. But, how should the functional safety requirement that formulate certain strategy looks like?

model: < one of the 9 strategies> + < one of the 5 constrains, if applicable>

example: <detection strategy> + <FTTI + safe state>

<The EPS system shall perform Power On self-test and periodic tests to ensure the safety related signals are correct>+< and if there is a fault, the system shall go to safe state #2(All steering-assist shall be disabled within 2 secs)

FSR1: The EPS system shall perform Power On self-test and periodic tests to ensure the safety related signals are correct and if there is a fault, the system shall go to safe state #1 within 2 secs.

Safe State 1: All steering-assist shall be disabled

FTTI : 2 secs

The functional safety concept can be supported with safety analysis on the preliminary system architecture using Concept FMEA or FTA. That being said, you will determine the potential hazards at the function level and then you shall provide safety strategies to prevent/mitigate these hazards. Having said, there will be bunch of functional safety requirements are not directly derived from the safety goal but derived from the strategies that mitigate CFMEA/ FTA hazards output, see figure 2:

Figure 2. Functional Safety Concept Process

Thus, the safety concept is the strategies for ( safety goal, Concept FTA/ FMEA) then you write down atomic requirements to construct these strategies on the functional level. Note that, the functional safety strategies that shall cover the CFMEA or concept FTA hazards, will be general functional safety requirement and not hooked to a certain safety goal.

In addition, Functional safety requirement shall be at logical level. That being said, can be allocated to different HW architecture without detailed technicality. That being said, your concept will be valid for: supplier X, supplier Y and supplier Z.

Conclusion

What have we done so far?

We have revisited the functional safety specification that provide safety strategies to convert the ASIL hazards of the the corresponding safety goal into QM. What about the safety mechanisms that can be used?

We will answer this question in the next article through the error handling mechanisms in the AUTOSAR standard which can be used at both Functional Safety Concept & Technical Safety Concept.

Stay tuned!

References:

• Wikipedia
• ISO 26262:2018
• Google images
• The Functional Safety Mirror, previous issues.
• Ford FMEA Handbook