© Copyright, Confidential, TMETC
Function Mapping and Quantified Concept Evaluation
Andy Williams BSc (Hons), MSc, CEng, MIET
Lead Engineer – System Integration & Functional Safety
Email [email protected]
UK Mob: +44 7775 030 777
26th January 2017
Agenda (slide 2)
• ISO26262 Mapping to Internal Process
• Process & Tools
• Features, Systems, Items, Functions & Interfaces
• Re-use
• Analysing conceptual architectures
• System descriptions
• Quantifying Plausibility Cross-checks (PCc)
• Comparing multiple architectures
• Applications & benefits
ISO 26262 (OEM level) cross-reference to NPI / TCDS (slide 3)

The slide is a process-flow diagram that maps the ISO 26262 work products (part-clause references) onto the internal NPI / TCDS design-review gates DR0 to DR4 and the internal functional-safety work products. Content recovered from the diagram:

ISO 26262 work products referenced (part-clause):
• 2-5.5.1 Organisation-specific rules and processes for functional safety
• 2-5.5.2 Competence analysis of staff
• 2-5.5.3 Quality management system review
• 2-6.5.1 Safety plan
• 2-6.5.3 Safety case
• 2-6.5.4 Functional safety assessment plan
• 2-6.5.5 Functional safety audit, i.e. confirmation measure reports
• 3-5.5 Item definition
• 3-6.5.1 Impact analysis
• 3-6.5.2 Functional safety concept verification report
• 3-7.5.1 Hazard analysis & risk assessment
• 3-7.5.2 Determination of safety goals
• 3-7.5.3 Hazard analysis and safety goals verification report
• 3-8.5.1 Functional safety concept (FSRs)
• 3-8.5.1 Functional safety concept validation specification
• 4-5.5.3 Item integration and test plan(s)
• 4-5.5.4 Validation plan (validate safety goals)
• 4-6.4.6.2 Validation specification – safety goals & functional safety requirements
• 4-6.5.1 Technical safety requirements specification
• 4-6.5.2 Technical safety requirements verification report
• 4-7.5.1 Technical safety concept
• 4-7.5.2 System design specification
• 4-7.5.4 Requirements for prod / operation / service / test
• 4-7.5.5 Verification of system design
• 4-7.5.6 Safety analysis report
• 4-8.5.2 Verification specification – system integration and test
• 4-8.5.2 Verification specification – vehicle integration and test
• 4-8.5.3 Hardware-software integration report
• 4-8.5.3 System integration and testing report
• 4-8.5.3 Vehicle integration and testing report
• 4-9.4.3,4 Safety validation report
• 4-10.5.1 Functional safety assessment report (2-Annex E is the agenda)
• 4-11.5.1 Release for production report
• 4-11.5.1 Software and hardware baseline
• 5-x Hardware design guidelines specification
• 6-5.5.3 Design & coding guidelines specification
• 6-5.5.4 Software tool application guidelines
• 8-5.5.2 Development interface agreement – component #1
• 8-5.5.3 Project plan

Confirmation measures (refer to 2-6.4.7.1), paired with the internal confirmation-review records they sit next to on the diagram:
• Confirmation of 2-6.5.1 Safety plan – FScr_Safety_Plan
• Confirmation of 2-6.5.3 Safety case – FScr_Safety_Case
• Confirmation of 3-7.5.1 HARA – FScr_HARA
• Confirmation of 4-7.5.5 System design – FScr_System_Design
• Confirmation of 4-5.5.3 Item integration and test plan(s) – FScr_Item_Integration_Test_Plan
• Confirmation of 4-5.5.4 Validation plan – FScr_Validation_Plan
• 2-6.5.5 Functional safety audit – FScr_FS_Assessment_C#1, FScr_FS_Assessment, FScr_Production_Release

Internal work products and verification records on the diagram: FSwp_DIA_C#1, FSwp_Impact_A, FSwp_Item_Def, FSwp_Safety_Plan, FSwp_HARA, FSvr_HARA_SG, FSwp_Safety_Goals, FSwp_Safety_Case, FSwp_Safety_Concept, FSwp_Technical_SR, FSvr_Safety_Concept, FSvr_Technical_SR, FSwp_Vehicle_Verification_Spec, FSwp_System_Verification_Spec, FSwp_Validation_Plan, FSwp_Validation_Spec, FSwp_HWSW_Integration_Report, FSwp_System_Integration_Report, FSwp_vehicle_Integration_Report.

Process context on the diagram: design-review gates DR0, DR1, DR2, DR3, DR4; supplier DIA discussions; supplier development – TML audits; hardware / software integration, system integration and vehicle integration phases; Q_L3_EE_012 System Safety SOW and QMS 012_F1 System Safety SOW Compliance V0.90.

Legend: columns ARTS | CS | NPI | TCDS; symbols for Task, Confirmation review, Reference, Report, Plan, Specification, Input to safety case, Task from safety plan, Safety case.
Process and Tools (slide 4)

Requirements on the left of the slide, verification and validation on the right, with the tool that holds each level:
• RMDV2: Feature Requirements – Feature Validation
• PREEVISION: Function Requirements – Function Verification
Vehicle Features to Vehicle Systems (slide 5)

Vehicle features (tree on the left):
• Powertrain
  • Engine: Gasoline, Diesel, etc.
  • Transmission: Manual, etc.
  • Electric
    • Energy Storage: HV Energy Store, etc.
• Platform: Platform X (X, X+, X++), Platform Y (Y, Y+, Y++), etc.

Vehicle systems (right), mapped from the features:
• Gasoline ICE Engine System
• Diesel ICE Engine System
• HVES System
• Etc.
Vehicle Systems to Items, treated as ISO 26262 SEooC (slide 6)

SEooC – Safety Element out of Context.

Vehicle system: HV Energy Storage System
• Item / sub-systems: Cell monitoring; Isolation monitoring; HVESS connect / disconnect
• Functions:
  • Cell voltage monitoring and control
  • Cell temperature monitoring and control
  • Resistance monitoring and control
  • Pre-charge monitoring and control
  • Negative contactor monitoring and control
  • Positive contactor monitoring and control
• Interfaces: Cell voltage interface; Cell temperature interface; Resistance interface; Pre-charge interface; Negative contactor interface; Positive contactor interface
Re-Use (slide 7)

Flow on the slide: Vehicle: Modified Feature → Impact Analysis → either No Safety Impact → 100% Re-Use, or Safety Impact → Partial Re-Use.

Sounds simple?
Re-Use (slide 8)

The slide is a feature / function matrix rendered as a chart; only its labels survive the extraction. Structure recovered from the labels:

Columns: vehicle features, each with an ASIL target, grouped under Powertrain / Engine, Electric / Hybrid, Transmission, Chassis and Etc.:
• Automated Manual Gear Selection Module (GSM)
• Antilock Braking (ABS)
• Electronic Stability Program (ESP)
• Park Brake
• Vehicle Supervisory Control Unit (VSCU)
• Start Stop
• Motor Control
• Emergency Stop Signal (panic brake)
• Primary Brakes
Most cells read "Not analysed".

Rows: functions (numbered x and x.y) from the item definitions, each with the ASIL it is qualified to:
• FSwp_Item_Def for Primary Brakes (PrB): FSidf_PrB_fn_1 Brake Lights (ASIL B); FSidf_PrB_fn_2 Interface Applied Status (ASIL C)
• FSwp_Item_Def for Electric Park Brake (EPB): FSidf_EPB_fn_1 Static Apply (1.1, 1.1.1); FSidf_EPB_fn_1.1 Manual Application; FSidf_EPB_fn_1.1.1 Drive request – control device; FSidf_EPB_fn_1.2 Automatic Apply (1.2.1, 1.2.2); FSidf_EPB_fn_1.2.1 Auto Park; FSidf_EPB_fn_1.2.2 Auto Hold; FSidf_EPB_fn_5 Visual Status; FSidf_EPB_fn_5.1 Applied / Release Status; FSidf_EPB_fn_5.2 Fault Status
• Cell values that survive: ASIL D (several cells), ASIL A, QM, Not analysed

Vehicle / platform columns: X451 XE, X451 XM, X451 XT, X451 XT+, X451 XZ, X452 XE, X452 XM, X452 XT, X452 XT+, X452 XZ, plus a column annotated "Peregrin?". Process columns (TCDS / NPIP): Vehicle Idea / Wishlist, TS, CS, AR, DR0, DR1, DR2, DR3, DR4. The example item is ASIL B.

Legend:
• Function qualification: QM qualified, ASIL A qualified, ASIL B qualified, ASIL C qualified, ASIL D qualified, Not analysed
• Feature target: QM target, ASIL A target, ASIL B target, ASIL C target, ASIL D target
• Function satisfies feature ASIL target / Function does not satisfy feature ASIL target

Notes on the slide:
• None of the ASIL ratings are correct – examples only to show the principle.
• These need assessed attributes: speed, acceleration, mass, etc.

Scope inset: a second tree (Vehicle Features → Energy Storage → HV Energy Store → HVES System → Cell monitoring → Cell V mon & cntrl → Cell V i/f, with "Etc…" at each level) carries "Scope" and "C" markers showing where the re-use scope is drawn.
Areas of Interest (slide 9)

Functions: all major functions for Monitoring, Control and Actuation.
Interfaces / boundaries: Item – Element – Functions.
Example on the slide: Battery Management System, Inverter / Motor and Instrument Cluster, with the interface signals Max Discharge Current (A) and State of Charge (%).
Critical Points for Analysis (slide 10)

The single-letter codes are the element labels used on the following diagrams.
• Connectors (C)
• Transducers (T) – physical values to a voltage
• Measurements (M) – voltage measurement
• Parameters (P) – software variable to / from control algorithms
• Data (D) – signals between distributed systems
• Outputs (O) – the analogue or digital output from a controller
• Actuators (A) – physical control actuation
System Description (slide 11)

A system is described as a chain of critical points between its interface boundaries. Example chain on the slide: Transducer → Output = f(Input) → Driver Warning, with each stage labelled by its critical-point class (C, M, A, O, P, D, T, as defined on slide 10).
Isolation Tester Example (slide 12)

Signal chain: Resistance Measurement → Isolation Monitor → Driver Warning, labelled with the critical-point classes T, M, P, D, A, O, C, C.

In terms of signals / interface boundaries:
• isol_res_AI_MR – the measured isolation resistance entering the isolation monitor (T → M)
• isol_res_MR – the parameter (P) sent as data (D) over the CAN bus, appearing as D on both sides of the bus
• fault_led_DO_VO – the driver-warning output (O → A)

Legend: failure cannot violate safety goal / failure could violate safety goal (colour-coded on the original).
Expanding the System (slide 13)

The isolation-monitor chain is expanded to the whole pack. Blocks on the slide and the signals at their boundaries (element classes C, T, M, P, D, O, A as on slide 10):
• Pack Controller – Power Distribution: pack_max_chg_V, pack_max_chg_A, pack_chg_en_DO_V
• Strings 1, 2, 3 … s: string1_V, string1_C, string1_SOC_pc, string's'_V, string's'_C, string's'_SOC_pc; string1_pos_DO_V, string1_neg_DO_V, string's'_pos_DO_V, string's'_neg_DO_V; string1_dischg_en, string's'_dischg_en, string1_chg_en, string's'_chg_en
• Pack Controller parameters and outputs: calc_pack_V, calc_pack_C, calc_pack_SOH_pc, calc_pack_SOC_pc, pack_V, pack_chg_en_DO_V, pack_dischg_en_DO_V, pack_max_dischg_A, pack_max_chg_V, pack_max_chg_A, pack_min_dischg_V
• Inverter: pack_dischg_en_DO_V, pack_max_dischg_A
• Charger: meas_pack_AI_VM
• Isolation Monitor: meas_HV_AI_VC, isol_res_AI_MR
• Driver Warning: fault_led_DO_V
• Etc.
Plausibility Cross-checks (PCc's) (slide 14)

Isolation Monitor with a test resistance: the measured resistance STR_ISOL_RES_R (M → P) feeds a PCC block together with the TEST_RES_EN output (O, acting on the test resistance, A); the result is reported as STR_ISOL_RES_R and STR_ISOL_STATUS (D).

PCc – prove the isolation resistance measurement is correct by switching a known test resistance in parallel with the nominal HV-chassis resistance.
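The cross-check described above, written out as an added example (not TMETC code and not taken from the slides). It models the physics the PCc relies on: with a known test resistance switched across the HV-to-chassis path, the reported resistance must fall from R_iso to R_iso in parallel with R_test. STR_ISOL_RES_R, TEST_RES_EN and the Test Measure Failed result are the slide's names; the tolerance window, the minimum-isolation threshold, the function names and the sample readings are assumptions.

```python
"""Plausibility cross-check (PCc) for an isolation-resistance measurement.

Added example, not TMETC code. Assumed model: a known test resistance
R_test is switched in parallel with the HV-to-chassis isolation resistance,
so the monitor's reading must drop to R_iso || R_test. A reading that does
not move as predicted means the measurement channel cannot be trusted.
"""
from dataclasses import dataclass


def parallel(r1: float, r2: float) -> float:
    """Equivalent resistance of two resistors in parallel (ohms)."""
    return r1 * r2 / (r1 + r2)


@dataclass(frozen=True)
class PccResult:
    str_isol_res_r: float     # resistance reported after the check (ohms)
    test_meas_failed: bool    # the slide's "Test Measure Failed" flag
    str_isol_status: str      # "OK", "TEST_MEAS_FAILED" or "LOW_ISOLATION"


def isolation_pcc(r_before: float, r_during: float, r_test: float,
                  tolerance: float = 0.10, r_min: float = 100_000.0) -> PccResult:
    """Cross-check one test cycle.

    r_before:  STR_ISOL_RES_R read with TEST_RES_EN = 0
    r_during:  STR_ISOL_RES_R read with TEST_RES_EN = 1
    r_test:    known test resistance (assumed calibration value)
    tolerance: relative window around the predicted reading (assumed 10 %)
    r_min:     assumed minimum acceptable isolation resistance (100 kohm)
    """
    expected = parallel(r_before, r_test)
    deviation = abs(r_during - expected) / expected
    if deviation > tolerance:
        # The channel did not respond to the known stimulus, so the reading
        # cannot be used to claim that the safety goal is met.
        return PccResult(r_before, True, "TEST_MEAS_FAILED")
    status = "OK" if r_before >= r_min else "LOW_ISOLATION"
    return PccResult(r_before, False, status)


# Constructed sample readings in ohms (not measured data).
R_TEST = 500_000.0
HEALTHY = isolation_pcc(r_before=2_000_000.0, r_during=400_000.0, r_test=R_TEST)
STUCK = isolation_pcc(r_before=2_000_000.0, r_during=2_000_000.0, r_test=R_TEST)
LOW_ISO = isolation_pcc(r_before=50_000.0, r_during=45_454.0, r_test=R_TEST)

if __name__ == "__main__":
    for name, res in (("healthy", HEALTHY), ("stuck", STUCK), ("low_iso", LOW_ISO)):
        print(f"{name:8s} STR_ISOL_RES_R={res.str_isol_res_r:.0f} "
              f"TEST_MEAS_FAILED={res.test_meas_failed} status={res.str_isol_status}")
```

The "stuck" case is the one the PCc exists for: a measurement channel frozen at a healthy-looking 2 Mohm passes a plain range check but fails the cross-check because it does not respond to the test resistance.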
Best Architecture? (slide 15)

Test resistor output in isolation monitor. The diagram shows three blocks, Connections, Isolation Monitor and String, with every critical point numbered (C = connection, M = measurement, T = transducer, P = parameter, D = data, O = output, A = actuator, PCC = plausibility cross-check, PSU = power supply). Labels recovered from the diagram:
• Connections: C1 HVPOS_AI_V, C2 HVNEG_AI_V, C3 CHASSIS_AI_V
• Isolation Monitor inputs: M1 (HVPOS_AI_V), M2 (HVNEG_AI_V), CHASSIS_AI_V; supply PSU1
• Isolation Monitor internal: T1; P1, P3 and P2 feeding PCC1 with CAL_REF_WIN_V; P4, P5 and P2 feeding PCC2 with CAL_REF_WIN_R; P4, P9 and P2 feeding PCC3 with TEST_RES_EN, STR_ISOL_RES_MR and STR_ISOL_STATUS; parameters STR_ISOL_HV_V, STR_ISOL_RES_R, STR_ISOL_STATUS
• Test resistor: O1 TEST_RES_EN driving actuator A1 across HVNEG_AI_V and CHASSIS_AI_V
• Isolation Monitor outputs: D1 STR_ISOL_HV_V, D2 STR_ISOL_RES_R, D3 STR_ISOL_STATUS
• String inputs: D4 STR_ISOL_HV_V, D5 STR_ISOL_RES_R, D6 STR_ISOL_STATUS; parameters P6 STR_ISOL_HV_V, P7, P8; supply PSU2
The ASIL Attribute (slide 16)

Item → Subsystem 1 (Function 1.1, Function 1.2) and Subsystem 2 (Function 2.1, Function 2.2). The HARA provides an ASIL for each safety goal; the subsystems and their functions carry an inherited ASIL.

Decomposition:
• Can be performed at a number of stages in the process: Concept, System Design, Hardware Design, Software architectural design
• Relies on independence / imposes additional requirements
ASIL Requirements Decomposition (slide 18)

Test resistor initiation moved to another controller. The diagram repeats slide 15 (Connections C1 to C3, Isolation Monitor M1, M2, T1, P1 to P5, PCC1, PCC2, O1, A1, D1 to D3, PSU1; String D4 to D6, P6 to P8, PSU2, CAL_REF_WIN_V, CAL_REF_WIN_R, STR_ISOL_HV_V, STR_ISOL_RES_R, STR_ISOL_STATUS) with these differences in the surviving labels: PCC3 is now fed by P7, P9 and P10 together with TEST_RES_EN and STR_ISOL_RES_MR and produces TEST_MEAS_FAILED; TEST_RES_EN crosses between the two controllers; a fourth connection C4 carries CHASSIS_AI_V.

Can independence be demonstrated?
Concept Architecture Analysis (slide 20)

Information required:
• Failure Rate – lumped value / representative scaling
• Failure Mode – generic – signals / main components
• Failure Mode Distribution – signals / main components
• Safety Criticality – impact / no impact on safety goal
• Diagnostic Coverage – achievable estimate based on the standard
• Diagnostic Coverage Confidence Levels – relate to the number and type of diagnostic techniques used
Diagnostic Coverage (slide 21)

Reference: ISO 26262-5:2011 Table D.11, electrical elements – sensors including signal switches. DC levels: Low 60%, Medium 90%, High 99%.

Available techniques (ISO 26262-5 Table D.2 clause, DC level):
• Failure detection by on-line monitoring (D.2.1.1) – Low 60%
• Test pattern (D.2.6.1) – High 99%
• Input comparison / voting (1oo2, 2oo3 or better redundancy; only if data flow changes within the diagnostic test interval) (D.2.6.5) – High 99%
• Sensor valid range (D.2.10.1) – Low 60%
• Sensor correlation (D.2.10.2) – High 99%
• Sensor rationality check (D.2.10.3) – Medium 90%

Technique used in this case: sensor valid range only, so the maximum claim for the technique is 60%. Full claim 60%, PCc claim 59%.

Failure mode (Table D.11; DC levels at which it is an analysed failure mode) | Failure mode distribution | Full claim | PCc claim | Techniques marked as used
• No generic fault model available, detailed analysis necessary | 40% | 24.00% | 23.52% | 1
• Out of range (low / medium / high) | 25% | 15.00% | 14.70% | 1
• Offsets (medium / high) | 10% | 6.00% | 5.88% | 1
• Stuck in range (low / medium / high) | 20% | 12.00% | 11.76% | 1
• Oscillation (high) | 5% | 3.00% | 2.94% | 1
• Total | 100% | 60% | 59%

Claim per technique, in the order listed above: 0% | 0% | 0% | 60% | 0% | 0%.
Diagnostic Coverage (slide 22)

Same reference (ISO 26262-5:2011 Table D.11, sensors including signal switches) and the same technique table as slide 21. Techniques used: input comparison / voting (High 99%) and sensor valid range (Low 60%), so the maximum claim for the technique is 99%. Full claim 99.00%, PCc claim 98.01% – reduced confidence in the PCc as only two techniques are used.

Failure mode (Table D.11) | Failure mode distribution | Full claim | PCc claim | Techniques marked as used
• No generic fault model available, detailed analysis necessary | 40% | 39.60% | 39.20% | 2
• Out of range (low / medium / high) | 25% | 24.75% | 24.50% | 2
• Offsets (medium / high) | 10% | 9.90% | 9.80% | 2
• Stuck in range (low / medium / high) | 20% | 19.80% | 19.60% | 2
• Oscillation (high) | 5% | 4.95% | 4.90% | 2
• Total | 100% | 99.00% | 98.01%

Claim per technique, in the order of the technique list: 0% | 0% | 99% | 60% | 0% | 0%.
Diagnostic Coverage (slide 23)

Same reference (ISO 26262-5:2011 Table D.11, sensors including signal switches) and the same technique table as slide 21. Techniques used: test pattern (High 99%), input comparison / voting (High 99%) and sensor valid range (Low 60%), so the maximum claim for the technique is 99%. Full claim 99.00%, PCc claim 98.51% – increased confidence in the PCc as additional techniques are used.

Failure mode (Table D.11) | Failure mode distribution | Full claim | PCc claim | Techniques marked as used
• No generic fault model available, detailed analysis necessary | 40% | 39.60% | 39.40% | 3
• Out of range (low / medium / high) | 25% | 24.75% | 24.63% | 3
• Offsets (medium / high) | 10% | 9.90% | 9.85% | 3
• Stuck in range (low / medium / high) | 20% | 19.80% | 19.70% | 3
• Oscillation (high) | 5% | 4.95% | 4.93% | 3
• Total | 100% | 99.00% | 98.51%

Claim per technique, in the order of the technique list: 0% | 99% | 99% | 60% | 0% | 0%.
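The three tables above (slides 21 to 23) follow a small calculation: a failure mode's full claim is its share of the failure-mode distribution times the highest DC level among the techniques applied, and the PCc claim scales that by a confidence factor that rises with the number of techniques. The following is an added example that reproduces the slides' figures; it is not TMETC's tool. The DC levels are ISO 26262-5:2011 Table D.1 values, but the confidence factors (0.98 for one technique, 0.99 for two, 0.995 for three) are assumptions chosen to match the slides and are not values from the standard; the dictionary keys and function names are likewise mine.

```python
"""Quantified diagnostic-coverage (DC) claim for a PCc.

Added example, not TMETC's calculation tool. DC levels follow
ISO 26262-5:2011 Table D.1 (Low 60 %, Medium 90 %, High 99 %); the
confidence factors are ASSUMED values that reproduce slides 21 to 23.
"""
from dataclasses import dataclass

DC_LEVEL = {"Low": 0.60, "Medium": 0.90, "High": 0.99}

# Assumed confidence in the PCc, by number of techniques applied.
CONFIDENCE = {1: 0.98, 2: 0.99, 3: 0.995}


@dataclass(frozen=True)
class Technique:
    name: str       # as printed on the slide
    clause: str     # ISO 26262-5 Table D.2 clause
    level: str      # "Low", "Medium" or "High"


TECHNIQUES = {
    "online_monitoring": Technique("Failure detection by on-line monitoring", "D.2.1.1", "Low"),
    "test_pattern": Technique("Test pattern", "D.2.6.1", "High"),
    "input_comparison": Technique("Input comparison / voting", "D.2.6.5", "High"),
    "valid_range": Technique("Sensor valid range", "D.2.10.1", "Low"),
    "correlation": Technique("Sensor correlation", "D.2.10.2", "High"),
    "rationality": Technique("Sensor rationality check", "D.2.10.3", "Medium"),
}

# Failure-mode distribution used on the slides (Table D.11, sensors).
SENSOR_FMD = {
    "No generic fault model": 0.40,
    "Out of range": 0.25,
    "Offsets": 0.10,
    "Stuck in range": 0.20,
    "Oscillation": 0.05,
}


def full_claim(used):
    """Maximum DC of the techniques applied (0 if none): the 'full claim'."""
    return max((DC_LEVEL[TECHNIQUES[k].level] for k in used), default=0.0)


def pcc_claim(used):
    """Full claim de-rated by the confidence factor for the technique count."""
    n = len(used)
    if n == 0:
        return 0.0
    return full_claim(used) * CONFIDENCE[min(n, max(CONFIDENCE))]


def claim_table(used, fmd=SENSOR_FMD):
    """Per failure mode: (distribution, full claim, PCc claim), as fractions."""
    full, pcc = full_claim(used), pcc_claim(used)
    return {fm: (share, share * full, share * pcc) for fm, share in fmd.items()}


def total_claim(used, fmd=SENSOR_FMD):
    """Sum of the per-failure-mode claims: (full, PCc)."""
    rows = claim_table(used, fmd).values()
    return sum(r[1] for r in rows), sum(r[2] for r in rows)


if __name__ == "__main__":
    for label, used in (("slide 21", ["valid_range"]),
                        ("slide 22", ["input_comparison", "valid_range"]),
                        ("slide 23", ["test_pattern", "input_comparison", "valid_range"])):
        full, pcc = total_claim(used)
        print(f"{label}: full claim {full:.2%}, PCc claim {pcc:.2%}")
        for fm, (share, f, p) in claim_table(used).items():
            print(f"  {fm:24s} {share:4.0%} {f:7.2%} {p:7.2%}")
```

Running it prints 60.00% / 58.80%, 99.00% / 98.01% and 99.00% / 98.51% for the three slides, with the per-row values of the tables (the slide rounds 58.80% to 59%). The point of the de-rating is visible in the slide 21 row for "Oscillation": a single low-coverage technique leaves most of that failure mode's share uncovered.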
PCc – Combines DC Analysis (slide 24)

For example: a transducer analysis may cover signals and power supply. Reference: ISO 26262-5:2011, Table D.11 (sensors including signal switches) and Table D.9 (power supply); element type Transducers. DC levels: Low 60%, Medium 90%, High 99%. Header totals: failure mode distribution 100%, full claim 99.00% (High), PCc claim 98.38% (Medium), SG failure distribution 100.00%.

Available techniques (Table D.2 clause, DC level):
• Failure detection by on-line monitoring (D.2.1.1) – High 99%
• Test pattern (D.2.6.1) – High 99%
• Input comparison / voting (1oo2, 2oo3 or better redundancy; only if data flow changes within the diagnostic test interval) (D.2.6.5) – High 99%
• Sensor valid range (D.2.10.1) – Low 60%
• Sensor correlation (D.2.10.2) – High 99%
• Sensor rationality check (D.2.10.3) – Medium 90%
• Voltage or current control (input) (D.2.8.1) – Low 60%
• Voltage or current control (output) (D.2.8.2) – High 99%

Analysed failure modes (the three figures per row are as printed, under the headers failure mode distribution, full claim / PCc claim, and failure mode leads to violation of safety goal; the last column counts the techniques marked as used):
Sensors including signal switches, Table D.11
• Out of range (low / medium / high DC) | 20% | 20% | 20% | 3
• Offsets (medium / high DC) | 10% | 10% | 10% | 4
• Stuck in range (low / medium / high DC) | 30% | 30% | 30% | 4
• Oscillation (high DC) | 5% | 5% | 5% | 3
Power supply, Table D.9
• Under and over voltage (low / medium / high DC) | 10% | 10% | 10% | 2
• Drift (medium DC), drift & oscillation (high DC) | 20% | 20% | 20% | 2
• Power spikes (high DC) | 5% | 5% | 5% | 2

Claim per technique, in the order of the technique list: 64.35% | 0.00% | 0.00% | 39.00% | 39.60% | 0.00% | 0.00% | 34.65%.
More Candidate PCc Architectures (slide 25)

Blocks across the slide: Connections, Isolation Monitor, Pack Controller, Driver Warning and, in architecture 5, a separate Monitor. Every architecture shares the connections hv_pos_AI_VC, hv_neg_AI_VC and chassis_AI_VC into measurements (M) in the isolation monitor, isol_res_MR as the data (D) passed between controllers, and fault_led_DO_VO / fault_led_DO_V as the driver-warning output (O → A). Labels recovered per architecture:

Architecture 1) Isolation Monitoring, stand alone with reference window: parameters (P) feed a PCC in the isolation monitor against CAL_ref_win_MR; isol_res_MR goes as data to the pack controller, which drives fault_led_DO_V.
Architecture 2) Isolation Monitoring with test resistance enable in isolation monitor: as 1) plus test_res_en_DO_V driven from the isolation monitor (O → A), T isol_res_MR, and the PCC result Test Measure Failed.
Architecture 3) Isolation Monitoring with test resistance enable in pack controller: test_res_en_DO_V is an output of the pack controller (O → A) back into the isolation monitor; the PCC on isol_res_MR with CAL_ref_win_MR sits in the pack controller and reports Test Measure Failed.
Architecture 4) Not shown.
Architecture 5) Isolation Tester with test resistance and independent timing monitor: as 3) plus a separate Monitor block with its own PCC on isol_res_MR and the calibration CAL_st_time_s, reporting Test Measure Failed and also driving fault_led_DO_V.
PCC – SPFM Calculation Example (slide 26)

16 points to analyse using PCc as opposed to 172 components.

Columns: Signal description | Element classification | Element reference | Failure rate /FIT | Safety-critical component? | Safety-critical failure rate | ISO 26262-5 table | Failure-rate distribution, % | Failure mode that can violate the safety goal w/o safety mechanisms? | Safety mechanism allowing to prevent violation of the safety goal | Failure-mode coverage wrt violation of the safety goal, % | Residual or single-point failure rate /FIT

Connections
• HVPOS_AI_V | Connection | C1 | 0.035325508 | y | 0.03532551 | D.3 | 40% | y | – | 0.00% | 0.01413
• HVNEG_AI_V | Connection | C2 | 0.035325508 | y | 0.03532551 | D.3 | 40% | y | – | 0.00% | 0.01413
Isolation Monitor Inputs
• HVPOS_AI_V | Measurement | M1 | 4.9 | y | 4.9 | D.3 | 40% | y | – | 0.00% | 1.96
• HVNEG_AI_V | Measurement | M2 | 4.9 | y | 4.9 | D.3 | 40% | y | – | 0.00% | 1.96
• CHASSIS_AI_V | Connection | C3 | 0.035325508 | y | 0.03532551 | D.3 | 40% | y | – | 0.00% | 0.01413
Isolation Monitor Internal
• STR_ISOL_HV_V, STR_ISOL_RES_R | Transducer | T1 | 14.36735399 | y | 14.367354 | D.11 | 40% | y | – | 0.00% | 5.746942
• STR_ISOL_HV_V | Parameter | P1 | 4.460886003 | y | 4.460886 | D.9 | 40% | y | PSU monitor | 97.02% | 0.053218
• STR_ISOL_RES_R | Parameter | P2 | 4.460886003 | y | 4.460886 | D.9 | 40% | y | PSU monitor | 97.02% | 0.053218
• Power Supply | General – PSU | PSU1 | 12 | y | 12 | D.9 | 40% | y | Micro monitor of supply | 98.51% | 0.07176
Isolation Monitor Outputs
• STR_ISOL_HV_V | Data | D1 | 1.999540997 | y | 1.999541 | D.11 | 40% | y | – | 0.00% | 0.799816
• STR_ISOL_RES_R | Data | D2 | 1.999540997 | y | 1.999541 | D.11 | 40% | y | – | 0.00% | 0.799816
String Inputs
• STR_ISOL_HV_V | Data | D3 | 1.999540997 | y | 1.999541 | D.11 | 40% | y | – | 0.00% | 0.799816
• STR_ISOL_RES_R | Data | D4 | 1.999540997 | y | 1.999541 | D.11 | 40% | y | – | 0.00% | 0.799816
String Internal
• STR_ISOL_HV_V | Parameter | P3 | 4.460886003 | y | 4.460886 | D.9 | 40% | y | PSU monitor | 97.02% | 0.053218
• STR_ISOL_RES_R | Parameter | P4 | 4.460886003 | y | 4.460886 | D.9 | 40% | y | PSU monitor | 97.02% | 0.053218
• Power Supply | General – PSU | PSU2 | 12 | y | 12 | D.9 | 40% | y | Micro monitor of supply | 98.51% | 0.07176

Total FR (FIT): 74.115 safety-critical, 13.265 residual / single-point
Single Point Fault Metric: 82.1%
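The metric on this slide, recomputed from the 16 analysis points as an added example (not TMETC's spreadsheet). The data rows are the slide's values; the per-point residual rule, FIT times the share of failure modes that can violate the safety goal times one minus the diagnostic coverage, is my reading of the table's columns, and the SPFM formula is the ISO 26262-5 one (1 minus residual and single-point FIT over total safety-related FIT). The class and function names are mine.

```python
"""Single-point fault metric (SPFM) over PCc analysis points.

Added example, not TMETC's spreadsheet. Uses the failure-rate data printed
on slide 26. ISO 26262-5 defines SPFM = 1 - sum(residual + single-point
FIT) / sum(safety-related FIT); the residual FIT of one point is taken here
as FIT x share of violating failure modes x (1 - diagnostic coverage).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AnalysisPoint:
    signal: str              # signal description
    element: str             # element classification (Connection, Measurement, ...)
    ref: str                 # element reference on the diagram (C1, M1, ...)
    fit: float               # failure rate / FIT
    safety_critical: bool
    table: str               # ISO 26262-5 table used for the failure-mode distribution
    violating_share: float   # share of failure modes that can violate the safety goal
    mechanism: str           # safety mechanism, "" if none
    dc: float                # failure-mode coverage w.r.t. safety-goal violation


def residual_fit(p: AnalysisPoint) -> float:
    """Residual / single-point failure rate of one point (FIT)."""
    if not p.safety_critical:
        return 0.0
    return p.fit * p.violating_share * (1.0 - p.dc)


def spfm(points):
    """Return (total safety-critical FIT, residual FIT, SPFM as a fraction)."""
    total = sum(p.fit for p in points if p.safety_critical)
    residual = sum(residual_fit(p) for p in points)
    return total, residual, 1.0 - residual / total


# Slide 26 data (16 points); DC values are the slide's percentages.
PSU_MON, MICRO_MON = "PSU monitor", "Micro monitor of supply"
SLIDE_26 = [
    AnalysisPoint("HVPOS_AI_V", "Connection", "C1", 0.035325508, True, "D.3", 0.40, "", 0.0),
    AnalysisPoint("HVNEG_AI_V", "Connection", "C2", 0.035325508, True, "D.3", 0.40, "", 0.0),
    AnalysisPoint("HVPOS_AI_V", "Measurement", "M1", 4.9, True, "D.3", 0.40, "", 0.0),
    AnalysisPoint("HVNEG_AI_V", "Measurement", "M2", 4.9, True, "D.3", 0.40, "", 0.0),
    AnalysisPoint("CHASSIS_AI_V", "Connection", "C3", 0.035325508, True, "D.3", 0.40, "", 0.0),
    AnalysisPoint("STR_ISOL_HV_V / STR_ISOL_RES_R", "Transducer", "T1", 14.36735399, True, "D.11", 0.40, "", 0.0),
    AnalysisPoint("STR_ISOL_HV_V", "Parameter", "P1", 4.460886003, True, "D.9", 0.40, PSU_MON, 0.9702),
    AnalysisPoint("STR_ISOL_RES_R", "Parameter", "P2", 4.460886003, True, "D.9", 0.40, PSU_MON, 0.9702),
    AnalysisPoint("Power Supply", "PSU", "PSU1", 12.0, True, "D.9", 0.40, MICRO_MON, 0.9851),
    AnalysisPoint("STR_ISOL_HV_V", "Data", "D1", 1.999540997, True, "D.11", 0.40, "", 0.0),
    AnalysisPoint("STR_ISOL_RES_R", "Data", "D2", 1.999540997, True, "D.11", 0.40, "", 0.0),
    AnalysisPoint("STR_ISOL_HV_V", "Data", "D3", 1.999540997, True, "D.11", 0.40, "", 0.0),
    AnalysisPoint("STR_ISOL_RES_R", "Data", "D4", 1.999540997, True, "D.11", 0.40, "", 0.0),
    AnalysisPoint("STR_ISOL_HV_V", "Parameter", "P3", 4.460886003, True, "D.9", 0.40, PSU_MON, 0.9702),
    AnalysisPoint("STR_ISOL_RES_R", "Parameter", "P4", 4.460886003, True, "D.9", 0.40, PSU_MON, 0.9702),
    AnalysisPoint("Power Supply", "PSU", "PSU2", 12.0, True, "D.9", 0.40, MICRO_MON, 0.9851),
]

# ASIL SPFM targets as printed on slide 27.
SPFM_TARGET = {"B": 0.90, "C": 0.97, "D": 0.99}


def asils_met(metric: float):
    """ASILs whose SPFM target the computed metric satisfies."""
    return [a for a, t in SPFM_TARGET.items() if metric >= t]


if __name__ == "__main__":
    total, residual, metric = spfm(SLIDE_26)
    print(f"Total FR {total:.3f} FIT, residual {residual:.3f} FIT, SPFM {metric:.1%}")
    print("SPFM targets met:", asils_met(metric) or "none")
```

The output reproduces the slide's totals (74.115 FIT, 13.265 FIT, 82.1%) and shows why this stand-alone architecture misses even the ASIL B target: the unmonitored transducer T1 and measurements M1 / M2 alone contribute 9.7 FIT of residual, which no coverage elsewhere can offset.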
Metrics Calculation Comparison (slide 27)

ASIL targets:
• ASIL | SPFM | LFM
• B | 90% | 60%
• C | 97% | 80%
• D | 99% | 90%

Architectures compared:
1 Stand Alone
2 Reference Window
3 Self Test
4 Independent Self Test
5 Independent Timed Self Test

[Two charts, x-axis 0 to 6 for the five architectures, y-axes 80.0% to 100.0% and 84.0% to 96.0%, each plotting the PCc estimate against the Full Design value; side tables give the ASIL SPFM targets (B 90%, C 97%, D 99%) and ASIL LFM targets (B 60%, C 80%, D 90%). The plotted values are not recoverable from the extraction.]
Applications (slide 28)

• Battery Management System: complex system; number of safety goals; design 'out of context' – generic product
• Isolation tester: simple system; known interface
• Hybrid Bus: complex system; limited component / ECU data; applied PCc across decomposed systems to analyse integrity
PCc Analysis Benefits (slide 29)

• System diagrams easily generated / understood
• Facilitates discussions with customers / suppliers to identify possible PCcs
• Allows multiple architectures to be compared quickly
• Fast method to analyse at the system level prior to detailed design
• Highlights architecture requirements early in the design process
• Identifies use of independent controllers – useful for decomposition
• Quantified approach so architecture comparison is straightforward
• Accurate prediction of potential SPFM and LFM
Further Work (slide 30)

• Improving rules for diagnostic coverage allocation
• Automatic linking of metrics based on attributes within the function model
• Define attributes in model-based design and look to calculate architectural metrics automatically from models