Sunday, 5 August 2018

ISO 26262 Part 3.7: Functional safety concept (FSC) - Detailed Explanation (Part 2/3)

ISO 26262 Part 3.7: Functional safety concept (FSC) - Detailed Explanation (Part 2/3)





Functional Safety Concepts:


  • The Functional Safety Concepts refers to the mapping/derivation of FSRs for following types of Architectural Elements or sources
    • E/E Systems
    • Systems of Other Technologies
    • External Measures

Elements of E/E Systems:


ISO 26262-3:2017(E) – Clause 7.4.2.8 :
*** Please refer this clause from originally procured licensed copy of ISO26262 Part 3*** 
  • The mapping of each FSR derived to a module (Architectural Elements like System/ Sub-System) can be termed as Functional Safety Concept. Apart from mapping ASIL allocation and other steps are also done in the FSC.
  • Each Safety Goal has an ASIL level. Based upon these ASIL level shall be assigned to each FSR considering other factors as below.
  • The ASIL allocated to Safety Goal is assigned to FSR. In case ASIL decomposition needs to be done further analysis has to be carried out.
  • Incase multiple FSR with different ASIL levels are assigned to a single Architectural Element, then the highest ASIL is assigned. Incase different ASIL levels needs to be assigned, freedom from interference analysis can be done to assign the ASIL levels.
  • If the Item has one or more E/E systems, then the FSR should be written for each of the E/E Systems and Interfaces within them.

Elements of Other Technologies:


ISO 26262-3:2017(E) – Clause 7.4.2.9 :
*** Please refer this clause from originally procured licensed copy of ISO26262 Part 3*** 

  • FSRs implemented by elements of other technologies shall be determined and allocated to these elements.
  • FSRs implemented by interfaces between elements of other technologies and elements of the E/E systems shall be specified.
  • Ensuring the implementation of FSRs by elements of other technologies is not under scope of ISO 26262.
  • No ASIL level should be allocated FSRs related to these elements.
  • An example of other technologies in ABS system can be the Master Cylinder, Accumulators etc. which are based upon Hydraulic technologies.

External Measures:

ISO 26262-3:2017(E) – Clause 7.4.10 :
*** Please refer this clause from originally procured licensed copy of ISO26262 Part 3*** 
  • External Measures is defined as measure that is separate and distinct from the item which reduces or mitigates the risks resulting from the item.
  • For example, if the ABS system is the item under analysis, in case Electronic Stability Control (ESC) is also present in the vehicle, then it would act as an external measure. It also assists in better controllability of the vehicle.
  • So, incase the external measures are also applicable then the FSRs related to it should also be derived.
  • The FSRs related to the interfaces should also be derived.
  • If the external measures are derived from one/more E/E systems, then FSRs shall be addressed using ISO 26262.

Sample Functional Safety Concepts for Antilock Braking System (ABS) Item

  • As already explained in the FSC, 
    • Assignment of properties of each FSR.
    • Identification of Systems or Sub Systems from Preliminary Architecture Diagram or Item Diagram.
    • Allocation of FSRs to Systems/Sub Systems.
  • The example for ABS Item is given below.

a) Assignment of FSR properties:

Notes:
#1 – Assuming the ABS is activated 15 times per second to avoid any lock situation. Hence the full cycle of Fault detection (Locking) and Fault Reaction (ABS activation) occurs approximately (1000msec/15 = 66.6 msec). That can be divided as Fault detection (Locking) – 30 msec and Fault Reaction (ABS activation) – 30 msec. So that (30 msec + 30 msec) < 66.6 msec.
#2 – These values may vary based upon OEM requirements and on road analysis.
#3 – The BCM is assumed to be main ECU which shall relay the failure status to Driver after receiving from ABS. (ABS -> BCM -> Driver Dash board). The appropriate choice of ECU shall be done by OEM.
#4 – It is assumed that the ABS failure LED on the dashboard shall be active within 100msec of ABS module failure detection. 

FSR ID
FSR Description
Safety Goal Allocation
ASIL Allocation
Operating Mode
Fault Tolerant Time Interval (FTTI)
Safe State
Type of Requirement
FSR_1
The ABS module shall use the
-       brake on/off activation signal
-       wheel speed signal
for engaging and disengaging the ABS functionality.
The ABS should be activated only brake is pressed and if the speed is more than 15mph#2.
SG1,
SG2
D
ABS Active,
ABS Inactive (Normal Condition)
< 30 msec#1
ABS Disabled
Fault Detection
FSR_2
The ABS module shall receive the brake on/off activation signal.
SG1,
SG2
D
ABS Active,
ABS Inactive (Normal Condition)
< 30 msec#1
ABS Disabled
Fault Detection
FSR_3
The ABS module shall be able to detect the 4-wheel speed signal from the 4-wheel speed sensors.
SG1,
SG2
D
ABS Active,
ABS Inactive (Normal Condition)
< 30 msec#1
ABS Disabled
Fault Detection
FSR_4
The ABS module shall be able to detect the deceleration in any of the 4-wheels. It shall also be able to detect any imminent wheel lock up scenario.
SG1,
SG2
D
ABS Active
< 30 msec#1
ABS Disabled
Fault Detection
FSR_5
In case of imminent wheel lock up scenario, then action shall be taken to prevent lock up.
SG1,
SG2
D
ABS Active
< 30 msec#1
ABS Disabled
Fault Reaction
FSR_6
The ABS module shall have mechanism to detect if any error is present in brake activation signal every time it is received.
SG3
D
ABS Active,
ABS Inactive (Normal Condition)
< 30 msec#1
ABS Disabled
Fault Detection
FSR_7
The ABS module shall have mechanism to detect if any error is present in 4-wheel speed signal every time it is received.
SG3
D
ABS Active,
ABS Inactive (Normal Condition)
< 30 msec#1
ABS Disabled
Fault Detection
FSR_8
The ABS module shall execute the diagnostics test sequence after ignition and determine any error present.
SG3
D
ABS Inactive (Normal Condition)
< 30 msec#1
ABS Disabled
Fault Detection
FSR_9
In case of any failure detected, the ABS module shall disengage the ABS and notify the BCM#3.
SG3
D
ABS Inactive (Normal Condition)
100 msec#4
ABS Disabled
Fault Reaction
FSR_10
In case of any error detection arising of any of the failure, the ABS module shall shut down and shall not affect normal braking of the vehicle.
SG3
D
ABS Inactive (Normal Condition)
100 msec#4
ABS Disabled
Fault Reaction

b) Identification of Systems or Sub Systems from Preliminary Architecture Diagram or Item Diagram

  • Considering the Item defined in the blog EmbeddedInEmbedded: ISO 26262 Part 3.5: Item Definition, the Item Diagram is further analysed to derive the System/ Sub Systems from this.
  • The System/ Sub Systems may or may not be Safety related (ASIL - A/B/C/D) or Non Safety Related (ASIL - QM).
  • It is generally better to have the Non Safety blocks in the ISO 26262 work products. This can be justified from following points:
    • Separate documentations need not have to be maintained for them. Based upon the QM requirements you may choose to skip the compliance at different stages of analysis of Non Safety units.
    • During the course of analysis, need may arise some non safety units getting converted into safety units and vice versa. By maintaining a common document, you can maintain the change history of such units.
  • The list of Sub Systems derived for the Antilock Brake System (ABS) Item are described below.
Sub System ID
Sub System Name
ASIL Level *
SS1
ABS Control Unit
D
SS2
Wheel Speed Sensing Unit
D
SS3
Brake Pedal Activation Sensing Unit
D
SS4
Inlet Pressure Sensing Unit
D
SS5
Outlet Pressure Sensing Unit
D
SS6
Accumulator Pressure Sensing Unit
D
SS7
ABS Warning Light Unit
D
SS8
Pump Motor Control Unit
D
SS9
Valve Control Unit
D
SS10
VEH CAN Module
D
SS11
Monitoring/Watchdog IC
D
NSS1
Diagnostics Module
QM
  • The interaction between the different Sub Systems in the ABS Item is shown as a SysML diagram.
  • The software used for preparation "StarUML", which is a free tool available for no for evaluation purpose. Please refer following link for details. StarUML
  • The signals/interfaces between each Sub Systems are shown at a high level. The type or number of interfaces will change during various stages of ISO 26262 life cycle.

c) Allocation of FSRs to System/Sub Systems:


  • Each of the FSR is then assigned to Sub Systems. By this it is checked whether every FSR has a corresponding unit for implementation and every unit of implementation is has a necessary FSR.
  • Continuing with the ABS Item, all the FSRs are tagged to respective Sub Systems.
  • The ASIL levels of the Sub Systems are derived from the assigned FSRs.
SR ID
FSR Description
Safety Goal Allocation
ASIL Allocation
Allocated to Sub System
FSR_1
The ABS module shall use the
-       brake on/off activation signal
-       wheel speed signal
for engaging and disengaging the ABS functionality.
The ABS should be activated only brake is pressed and if the speed is more than 15mph#2.
SG1,
SG2
D
SS1, SS2, SS3, SS11
FSR_2
The ABS module shall receive the brake on/off activation signal.
SG1,
SG2
D
SS1, SS3, SS11
FSR_3
The ABS module shall be able to detect the 4-wheel speed signal from the 4-wheel speed sensors.
SG1,
SG2
D
SS1, SS2, SS11
FSR_4
The ABS module shall be able to detect the deceleration in any of the 4-wheels. It shall also be able to detect any imminent wheel lock up scenario.
SG1,
SG2
D
SS1, SS11, SS2, SS3, SS4, SS5, SS6,
FSR_5
In case of imminent wheel lock up scenario, then action shall be taken to prevent lock up.
SG1,
SG2
D
SS1, SS11, SS4, SS5, SS6, SS8, SS9
FSR_6
The ABS module shall have mechanism to detect if any error is present in brake activation signal every time it is received.
SG3
D
SS1, SS11, SS3
FSR_7
The ABS module shall have mechanism to detect if any error is present in 4-wheel speed signal every time it is received.
SG3
D
SS1, SS11, SS2, SS4, SS5, SS6, SS8, SS9, SS10
FSR_8
The ABS module shall execute the diagnostics test sequence after ignition and determine any error present.
SG3
D
SS1, SS2, SS3,
FSR_9
In case of any failure detected, the ABS module shall disengage the ABS and notify the BCM#3.
SG3
D
SS1, SS11, SS10, SS7
FSR_10
In case of any error detection arising of any of the failure, the ABS module shall shut down and shall not affect normal braking of the vehicle.
SG3
D
SS1, SS11


(...Continued in Next Part)


Posted by at No comments:
Subscribe to: Posts (Atom)