ecoCity eMotion -...
Michael Steindl
Martin Winkler
Christian Miedl
AVL Software and Functions, Germany
Scalable Functional Safety Architecture for Electric Mobility Applications
“ecoCity eMotion” 24-25th September 2014, Erlangen, Germany
European Conference on Nanoelectronics and Embedded Systems for Electric Mobility
Presentation Outline
Introduction
State of the art Hardware Architecture
New approach: Hardware Qualifier
Emergency Operation Scenario
Standby Scenario
Conclusion
Introduction
Functional safety: "Freedom from unacceptable risk due to hazards caused by faulty E/E systems"
Examples of functional safety risks in electric cars:
• unintended acceleration
• unintended loss of braking capability
Failures in E/E systems can be classified in two categories:
• Systematic failures (e.g. software bug, specification fault)
• Random failures (e.g. unpredictable HW fault)
Source: AVL
Introduction
Measures are necessary to deal with such failures:
• Systematic failures
  – Use suitable development processes and methods
• Random failures
  – Use high quality components (perfectness)
  – Use redundancy
    · Detection of errors
    · Transition to safe state
    · Error correction / reconfiguration
Source: AVL
Introduction
Fail-safe system:
• Provides a safe state which can be achieved and maintained without the support of the Control Unit
• Individual and dependent failures that lead to a loss of service are safe
• Deactivation of service is generally safe (intended fault reaction)
Fail-operational system:
• Safe state cannot be achieved and/or maintained without the support of the ECU
• Deactivation / loss of service is generally unsafe
Source: Wikipedia
State of the art Hardware Architecture
Hardware Architecture for Electronic Throttle Control (fail-safe system)
[Diagram: EGAS three-level monitoring concept on a control unit (XCU) with main controller (MC) and monitoring unit (MU).
Level 1: Function ("regular" XCU functions operating on the input variables).
Level 2: Process Monitoring on the MC; a copy of Process Monitoring (L2') runs on the MU.
Level 3: Processor Monitoring; MC and MU exchange question/answer, the MU evaluates the processor monitoring, checks the ADC via the analogue inputs, and can request failsafe limitations, reset the MC (DRI) or disable (DRI) the safety-relevant power stages (e.g. injection and throttle).]
Source: EGAS-AK
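The level-3 question/answer exchange between the monitoring unit and the main controller, as an added example that is not part of the slides or of AVL's implementation: the MU issues a question, the MC must return the expected answer within a deadline, and wrong or late answers raise a fault counter that eventually opens the disable path. The question table, the deadline, the fault limit and the table lookup that stands in for the MC's self-test are all constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define QA_QUESTIONS   8
#define QA_DEADLINE_MS 20u   /* constructed: the MC must answer within 20 ms */
#define QA_FAULT_LIMIT 3     /* constructed: counter reaching 3 opens the disable path */

/* Expected answers, known to both MU and MC (constructed table). */
static const uint16_t qa_expected[QA_QUESTIONS] = {
    0x1A2B, 0x3C4D, 0x5E6F, 0x7081, 0x92A3, 0xB4C5, 0xD6E7, 0xF809
};

typedef struct {
    uint8_t  question;     /* index of the question currently outstanding */
    uint32_t sent_ms;      /* time the question was issued */
    uint8_t  fault_count;  /* +1 per wrong or late answer, -1 per good answer */
    int      disabled;     /* latched: MU has disabled the power stages / reset the MC */
} qa_monitor_t;

/* MC side: answer a question. On a real ECU the answer is the result of an
 * instruction/program-flow self-test; here a table lookup stands in for it
 * (assumption for illustration). */
uint16_t mc_answer(uint8_t question)
{
    return qa_expected[question % QA_QUESTIONS];
}

/* MU side: issue the next question and start the deadline timer. */
void mu_ask(qa_monitor_t *m, uint32_t now_ms)
{
    m->question = (uint8_t)((m->question + 1u) % QA_QUESTIONS);
    m->sent_ms  = now_ms;
}

/* MU side: check the MC's answer. Returns 1 if accepted, 0 if a fault was counted.
 * Unsigned subtraction keeps the deadline check correct across timer wrap-around. */
int mu_check(qa_monitor_t *m, uint16_t answer, uint32_t now_ms)
{
    int on_time = (uint32_t)(now_ms - m->sent_ms) <= QA_DEADLINE_MS;
    int ok = on_time && answer == qa_expected[m->question];
    if (ok) {
        if (m->fault_count > 0) m->fault_count--;
    } else if (++m->fault_count >= QA_FAULT_LIMIT) {
        m->disabled = 1;   /* fault reaction: open the switch-off path, stays latched */
    }
    return ok;
}

int main(void)
{
    qa_monitor_t m;
    uint32_t t = 0;
    memset(&m, 0, sizeof m);
    /* Healthy MC: every answer correct and on time. */
    for (int i = 0; i < 3; i++) {
        mu_ask(&m, t);
        mu_check(&m, mc_answer(m.question), t + 5);
        t += 100;
    }
    printf("healthy: faults=%d disabled=%d\n", (int)m.fault_count, m.disabled);
    /* Faulty MC: one late answer, then two wrong answers. */
    mu_ask(&m, t); mu_check(&m, mc_answer(m.question), t + 50); t += 100;   /* late */
    mu_ask(&m, t); mu_check(&m, 0x0000, t + 5); t += 100;                  /* wrong */
    mu_ask(&m, t); mu_check(&m, 0xFFFF, t + 5);                            /* wrong */
    printf("faulty:  faults=%d disabled=%d\n", (int)m.fault_count, m.disabled);
    return 0;
}
```

The counter decrements on good answers so a single glitch does not trip the disable path, while three accumulated faults do; once tripped the flag stays latched until an explicit reset, so a later correct answer cannot re-enable the power stages on its own.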
State of the art Hardware Architecture
[Diagram: VCU with microcontroller (acceleration pedal input, application SW, process monitoring, processor monitoring) and AVL Monitoring Unit (processor monitoring, Q/A exchange with the microcontroller). The communication interface sends the torque request to the inverter; the Monitoring Unit can disable it.]
VCU Safe State request is indicated to the system by disabling the CAN drivers.
Limitations:
• No communication possible in case of an error (debugging, re-flashing…)
• No distinction between error and normal system states with disabled safety mechanisms (e.g. start-up)
• Difficult to test during runtime (switch-off path check)
State of the art Hardware Architecture
[Diagram: same VCU / Monitoring Unit / inverter structure as before; the Monitoring Unit disables the torque request through a separate switch-off path instead of the CAN drivers.]
VCU Safe State request is indicated to the system by an additional switch-off path.
Limitations:
• Additional hardware elements necessary (costs)
New approach: Hardware Qualifier
[Diagram: VCU with microcontroller (input, application SW, process monitoring, processor monitoring) and AVL Monitoring Unit (processor monitoring, Q/A exchange with the microcontroller). The Monitoring Unit delivers the HW-Qualifier to the communication interface, which sends the regular output plus the HW-Qualifier to the inverter.]
• Monitoring Unit determines µC HW-Status (HW-Qualifier)
• HW-Qualifier is communicated over existing interfaces to the inverter via protected transfer
• Inverter evaluates the received HW-Qualifier and selects a suitable system reaction
Advantages:
• No communication cut-off in case of an error
• No redundant switch-off path
• Distinction between error and normal system states with disabled safety mechanisms
• Increased diagnostic capability of the switch-off path
• Degraded fault reaction possible
• HW status can easily be provided to multiple control units
Standby Scenario
[Diagram: VCU with microcontroller (input, application SW, process monitoring, processor monitoring) and AVL Monitoring Unit (processor monitoring, Standby SW, own input, Q/A exchange with the microcontroller). The Monitoring Unit reports the µC HW status; the communication interface sends the regular output or the standby output plus the HW-Qualifier.]
• Microcontroller is completely switched off in certain operation modes (standby)
• Standby functionality is provided by the MU
• Standby state is signaled to the inverter via HW-Qualifier
Advantages:
• Reduced system energy consumption
• Enhanced system wake-up concepts possible:
  – Several wake-up sources possible, e.g. analog in, digital in, CAN/FlexRay/SPI/I²C
  – Complex evaluation possible
Emergency Operation Scenario
[Diagram: VCU with microcontroller (input, application SW, process monitoring, processor monitoring) and AVL Monitoring Unit (processor monitoring, redundant ASW, own input, Q/A exchange with the microcontroller). The Monitoring Unit delivers the HW-Qualifier; the communication interface sends the regular output or the backup output plus the HW-Qualifier to the inverter.]
• Monitoring Unit provides redundant ASW functionality
• Error state is signaled to the inverter via HW-Qualifier (inverter limitation)
Advantages:
• Increased system availability due to the emergency operation functionality of the Monitoring Unit in case of a faulty main microcontroller
• Additional resources for non-safety functionalities available on the Monitoring Unit
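The HW-Qualifier mechanism described on the preceding slides (status determined by the Monitoring Unit, protected transfer over the existing interface, reaction selected by the inverter, including the standby and error states signaled in the two scenarios above), as an added example that is neither the slides' nor AVL's code. The slides say only "protected transfer"; the alive counter and CRC-8 used here, the status code values, the refresh timeout, the tolerated number of lost frames and the mapping from status to reaction are all assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HWQ_TIMEOUT_MS  100u  /* constructed: a valid qualifier must arrive within 100 ms */
#define HWQ_MAX_LOST    2u    /* constructed: tolerate up to 2 consecutive missing frames */

/* µC HW status codes. Constructed values with pairwise Hamming distance >= 4,
 * so a single corrupted bit can never turn one valid status into another. */
typedef enum {
    HWQ_NORMAL  = 0x5A,  /* µC healthy, safety mechanisms active */
    HWQ_STARTUP = 0x3C,  /* safety mechanisms not yet enabled (e.g. start-up) */
    HWQ_STANDBY = 0xC3,  /* µC switched off, MU provides the standby output */
    HWQ_ERROR   = 0xA5   /* µC fault detected, MU provides the backup output */
} hwq_status_t;

/* Qualifier as carried over the existing communication interface. */
typedef struct {
    uint8_t status;   /* one of hwq_status_t */
    uint8_t counter;  /* alive counter: detects repeated or stale frames */
    uint8_t crc;      /* CRC-8 over status and counter: detects corruption */
} hwq_frame_t;

/* Graded reaction the inverter selects from the qualifier (constructed mapping). */
typedef enum { REACT_FULL_TORQUE, REACT_TORQUE_LIMIT, REACT_SAFE_STATE } reaction_t;

typedef struct {
    int        have_last;     /* at least one valid frame has been accepted */
    uint8_t    last_counter;  /* counter of the last accepted frame */
    uint32_t   last_rx_ms;    /* time of the last accepted frame */
    reaction_t current;       /* reaction currently applied */
} inv_state_t;

/* CRC-8, polynomial 0x1D (SAE J1850 style), init and xor-out 0xFF. */
static uint8_t crc8(const uint8_t *data, size_t len)
{
    uint8_t crc = 0xFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (uint8_t)((crc & 0x80) ? (crc << 1) ^ 0x1D : crc << 1);
    }
    return (uint8_t)(crc ^ 0xFF);
}

/* MU side: wrap the determined HW status into a protected frame. */
hwq_frame_t mu_build_frame(hwq_status_t status, uint8_t *counter)
{
    hwq_frame_t f;
    f.status  = (uint8_t)status;
    f.counter = (*counter)++;
    uint8_t payload[2] = { f.status, f.counter };
    f.crc = crc8(payload, sizeof payload);
    return f;
}

/* Inverter side: accept a frame only if CRC, status code and counter are plausible. */
static int frame_valid(const inv_state_t *s, const hwq_frame_t *f)
{
    uint8_t payload[2] = { f->status, f->counter };
    if (crc8(payload, sizeof payload) != f->crc) return 0;
    if (f->status != HWQ_NORMAL && f->status != HWQ_STARTUP &&
        f->status != HWQ_STANDBY && f->status != HWQ_ERROR) return 0;
    if (s->have_last) {
        uint8_t delta = (uint8_t)(f->counter - s->last_counter);
        if (delta < 1u || delta > HWQ_MAX_LOST + 1u) return 0;  /* repeated frame or too many lost */
    }
    return 1;
}

/* Inverter side: evaluate the received qualifier (f is NULL when nothing arrived
 * this cycle) and select the reaction. Invalid frames are discarded; the last
 * accepted reaction is held until the refresh timeout, then the inverter fails safe. */
reaction_t inverter_evaluate(inv_state_t *s, const hwq_frame_t *f, uint32_t now_ms)
{
    if (f != NULL && frame_valid(s, f)) {
        s->have_last = 1; s->last_counter = f->counter; s->last_rx_ms = now_ms;
        switch (f->status) {
        case HWQ_NORMAL:  s->current = REACT_FULL_TORQUE;  break;
        case HWQ_ERROR:   s->current = REACT_TORQUE_LIMIT; break;  /* emergency operation */
        case HWQ_STARTUP: s->current = REACT_TORQUE_LIMIT; break;  /* not an error, but unprotected */
        default:          s->current = REACT_SAFE_STATE;   break;  /* standby: no drive */
        }
    } else if (!s->have_last || (uint32_t)(now_ms - s->last_rx_ms) > HWQ_TIMEOUT_MS) {
        s->current = REACT_SAFE_STATE;   /* no trustworthy qualifier: fail safe */
    }
    return s->current;
}

int main(void)
{
    uint8_t ctr = 0;
    inv_state_t inv = {0};
    hwq_frame_t f = mu_build_frame(HWQ_NORMAL, &ctr);
    printf("normal  -> %d\n", inverter_evaluate(&inv, &f, 0));
    f = mu_build_frame(HWQ_ERROR, &ctr);
    printf("error   -> %d\n", inverter_evaluate(&inv, &f, 10));
    f = mu_build_frame(HWQ_NORMAL, &ctr); f.status ^= 0x01;   /* corrupt one bit */
    printf("corrupt -> %d (held)\n", inverter_evaluate(&inv, &f, 20));
    printf("timeout -> %d\n", inverter_evaluate(&inv, NULL, 200));
    return 0;
}
```

The point of the design is that an invalid or missing qualifier never silently maps to "normal": a corrupted, repeated or stale frame is dropped, the inverter holds the last accepted reaction for a bounded time, and after the timeout it falls back to the safe state. That is what allows the graded reaction (full torque, limitation, safe state) without giving up the fail-safe default, and the explicit start-up and standby codes are what distinguish those states from an error.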
Conclusion
• ECU error indication to the system (Hardware Qualifier)
  – Safe State request via CAN without disabling the CAN drivers
  – No additional hardware connections necessary
  – Distinction between error and normal system states with disabled safety mechanisms possible
  – Graded fault reaction possible
• Stand-by concept
  – Operation without main µC
  – Less quiescent current
• Wake-up concept
  – Complex evaluation of arbitrary input sources possible
• Emergency Operation (fault-tolerant system design)
  – Limited functionality possible in case of an error
Conclusion
• Fully compliant with normative requirements (ISO 26262, EGAS concept)
• Cost efficient
• Scalable to customer requirements to provide enhanced functionality without additional hardware
Thank you for your attention!
Contact
Dr. Michael Steindl
+49 941 63089 256
AVL Software and Functions GmbH
Im Gewerbepark B27
D-93059 Regensburg
Martin Winkler
+49 941 63089 122
Christian Miedl
+49 941 63089 148