Breinstorm@HUMIQ - Automotive functional safety

Our Breinstorm@HUMIQ on 14 September last covered the car of the future and the future of the car.

Published in: Automotive, Technology, Business
Speaker notes:
  • Functional safety is the part of the overall safety that depends on a system or equipment operating correctly in response to its inputs (per IEC 61508-0). Functional safety is the way to evaluate and determine the risk of using complex and simple circuits to perform a safety function. The safety function must always be performed under normal/undisturbed conditions and under fault conditions (fail safe).
  • You can roughly split the automotive software domain into 4 different sub-domains. Infotainment: audio/video, navigation, communication. Powertrain: engine management, gearbox. Chassis: braking, steering, suspension applications. Body: IVN gateway, comfort systems. Infotainment is the largest in size, but functional safety mainly applies to the other 3 areas. There are more and more connections between the domains, e.g. E-call: airbag unit, communication, navigation.
  • Another way to look at this domain is characterizing production volume and the influence on safety. A car is a high-volume consumer product; this means there is similar pressure on cost price and time-to-market as for a CD player. But some applications in a vehicle have a direct impact on the safety of the passengers and the environment. A car is the most complex consumer product.
  • The system can be described in only a few basic requirements. 1 functional requirement: the rear axle shall steer based on the front axle angle and speed. 1 safety requirement: the truck may not roll over, under any circumstance or condition, due to spontaneous or incorrect steering.
  • Wrong steering actions are an immediate risk, especially for trucks transporting liquids (like petrol). An accident with such a vehicle on a highway can have an enormous personal, environmental and economic impact: injuries to the truck driver, leaking fluids, economic losses due to traffic jams, etc. All this can happen when a single bit is programmed wrong (e.g. the positive/negative sign in a calculation).
  • Part 1: General. Part 2: System & Hardware. Part 3: Software. Part 4: Definitions. Part 5: Determination of SIL level. Part 6: Application of Parts 2 & 3. Part 7: Measures & Techniques.
  • IEC 61508 life cycle, just as a reference example (highlight).
  • Hazard & risk analysis is repeated when a requirement is changed. If the risk cannot be accepted, risk reduction needs to be done by means of safety systems, external facilities, etc.
  • Drawback: focus on single failures, not combined failures.
  • If the risk cannot be accepted, risk reduction needs to be done by means of safety systems, external facilities, etc. In the ALARP region, risk is undertaken only when a benefit is desired. The upper and lower limits of the ALARP region are often chosen as a probability of failure per year.
  • In orange: ALARP region to be analyzed!
  • All depends on the needs of the customer and other related issues... This is just a guideline.
  • 3.5.1 safety function: function to be implemented by an E/E/PE safety-related system, other technology safety-related system or external risk reduction facilities, which is intended to achieve or maintain a safe state for the EUC, in respect of a specific hazardous event (see 3.4.1). 3.5.2 safety integrity: probability of a safety-related system satisfactorily performing the required safety functions under all the stated conditions within a stated period of time.
  • RS: SIL level 3. SIL level 4 is normally not obtained within automotive; it applies to nuclear plants etc.
  • The way in which a safety-related system is intended to be used, with respect to the frequency of demands made upon it, which may be either low demand mode, where the frequency of demands for operation made on a safety-related system is no greater than one per year and no greater than twice the proof-test frequency, or high demand or continuous mode, where the frequency of demands for operation made on a safety-related system is greater than one per year or greater than twice the proof-test frequency.
  • As well as for software architecture, design, etc. Also planning issues and processes. Mention the references to the tables.
  • If Sensor_1 = Sensor_2, no problem; there is little risk that both are damaged. But what if Sensor_1 != Sensor_2: who is right? -> 3 sensors (next slide).
  • Both micros with a safety framework, status exchange. Dual channel on the first µC, single channel on the second -> values are compared. Cyclic watchdog triggering.
  • Self-diagnosis for each microcontroller.

Slide 1. Automotive Functional Safety, M. Van der Cruijsen, 21 October 2010, www.humiq.nl

Slide 2. Content
  • Introduction
  • Techniques
  • Practical examples

Slide 3. Domain
  • Infotainment: audio/video, entertainment, information and navigation, communication
  • Chassis: stability systems, suspension and damping, steering, braking, ACC
  • Powertrain: engine management, hybrid propulsion, gearbox controller, powertrain management
  • Body: gateway, comfort systems (climate control, sunroof, access control, adjustment systems)

Slide 4. Domain (figure: safety criticality plotted against production volume for automotive chassis and driveline systems, automotive body systems, automotive infotainment systems, aerospace, industrial automation and consumer electronics)

Slide 5. What is functional safety?
  • Functional safety
    - Safe implementation of functionality that could cause injury or death to people, or damage to the environment, in case of a malfunction.
  • Not (only) systems whose product goal is safety (such as an airbag).
    - Ensuring safety in case of a malfunction anywhere in the system (e.g. a leak, a defective sensor, a memory error, bit flips due to EMC, etc.)

Slide 6. Example
  • Rear axle steering system
    - No mechanical link to the driver ("steer-by-wire")
  • Why rear-axle steering?
    - Saves fuel and reduces tire wear
  • Why electro-hydraulic?
    - Packaging problems on vehicle level
    - The ECU sets the angle of the rear axle based on vehicle speed and front axle angle
  (diagram: ECU)

Slide 7. Example
  • Functional requirement #1
    - Steer the rear axle based on the front axle angle (set manually by the driver)
  • Safety requirement #1
    - The truck may not roll over, under any (abnormal) circumstance or condition, due to spontaneous or incorrect steering
  (diagram: ECU)

Slide 8. Example
  • Spontaneous steering could occur due to failures, causing a disaster.

Slide 9. Why functional safety?
  • Accident prevention
  • Risk reduction
  • Growing complexity
  • But also:
    - Customer satisfaction
    - Law
    - Reputation loss

Slide 10. Safety Standards
  • Define what has to be done and how to prove it.
    - IEC 61508: Functional Safety of E/E/PE (electrical/electronic/programmable electronic) safety-related systems.

Slide 11. Safety Standards (2)
  • IEC 61508 highlights
    - Consists of 7 parts.
    - 378 required and 141 highly recommended requirements.
      - 126 general requirements.
      - 194 requirements on system and hardware.
      - 199 requirements on software.
    - Requirements coverage:
      - Functional.
      - Non-functional.
      - Quality control at the manufacturer.
      - Consumer.
      - Verification and validation at the manufacturer.
      - Verification and validation by a 3rd party.
    - Informative:
      - Abbreviations and definitions
      - Measures and techniques
      - Implementation guidelines
    - Safety Integrity Level

Slide 12. Safety Lifecycle
  • Technical framework
    - Concept / analysis phase
    - Development phase
      - Hardware and software
        - V-cycle
    - After SOP (start of production)
  • Scope (of this presentation):
    - Concept / analysis
    - SW development

Slide 13. Hazard & Risk Analysis
  • Definitions
    - Hazard
      - Potential source of harm (to humans and the environment).
    - Risk
      - Combination of the probability and the severity (impact) of that harm.
        - Risk = Probability x Impact
  • Starting point:
    - Concept, e.g. preliminary requirement specification(s), etc.
  • Goal:
    - Definition of safety requirements which can be allocated to hardware and/or software components.

Slide 14. Hazard & Risk Analysis
  • Identification of hazards.
    - As well as the event sequences leading to them.
    - Well-known methods:
      - FMEA (Failure Mode and Effects Analysis)
      - Fault Tree Analysis
      - Event Tree Analysis
  • Identification of the risk for each identified hazard.
    - What is the risk, and is it tolerable?
      - If not, risk reduction.
    - Most commonly used:
      - ALARP (As Low As Reasonably Practicable)

Slide 15. FMEA
  • Component oriented
  • Systematic
  • Focus on single failures.

Slide 16. Fault & Event Tree Analysis
  • Does take multiple errors into account.

Slide 17. Risk Analysis (ALARP)
  • 3 regions (figure: risk increasing from a largely acceptable region with negligible risk, through the ALARP or tolerable region, to the intolerable region)
  • ALARP region
    - Achieve justifiable residual risk.
    - Risk reduction
    - Cost vs. benefit
    - Benefit > cost
      - Safety function (requirements)
  • Tolerable when no further reduction is possible, or the costs are disproportionate to the improvement.

Slide 18. ALARP region (figure only)

Slide 19. Example
  • Scenario:
    - Estimated cost in case of an incident: € 10.000.000,-
    - System life span = 20 years
    - Estimated frequency = 6x10^-4 per year.
    - Measure: € 160.000,-
  • Solution:
    - Cost = (6x10^-4) x 20 x 10.000.000 = € 120.000
  • No measure (risk reduction): cost > benefit.
  • But... this is not only a calculation, also "common sense".

Slide 20. Safety Functions
  • A function of a safety-related system that reduces the risk in an application, with the goal of achieving a safe state.
  • For each identified hazard (which will be implemented!):
    - Create safety functions
      - which achieve and maintain a safe state for the system.
    - Create the safety (system) requirements to accomplish the safety function.

Slide 21. Safety Integrity Level
  • Safety integrity
    - Probability of performing the required safety functions!
  • Safety Integrity Level:
    - Discrete level for specifying the software integrity!
    - Determined for each safety function!
    - Safety Integrity Levels (SIL) 1, 2, 3, 4.
      - ASIL A, B, C, D for ISO 26262
    - Determination methods:
      - Quantitative
      - Qualitative
  • Highest SIL level = system SIL level

Slide 22. Quantitative Example
  • Define the tolerable risk frequency
    - For example from ALARP.
  • Measure against the risk frequency
    - After risk reduction!

Slide 23. Safety Integrity Requirements
  • Depend on the system SIL level
  • Requirements for maintaining the SIL level
    - Ensure the system performs the safety function with the defined probability!
  • Partly available from standards!
    - Measures and techniques

Slide 24. Outcome: Safety Requirements
  • System requirements
  • Requirement allocation.
    - Hardware and software.
  • Planning and realization
    - according to the safety life cycle
  (figure: safety functions -> safety function and integrity requirements)

Slide 25. Realization
  • According to Parts 2 and 3 of IEC 61508
  • IEC 61508 requirement examples: (table on slide)

Slide 26. Measures & Techniques
  • Referenced from requirements.

Slide 27. Measures & Techniques (table only)

Slide 28. IEC 61508 architecture coverage (figure only)

Slide 29. Practical Examples
  • Sensor error detection
  • Emergency shutdown
  • Software channels
  • Software checks
  • 3-Ebene concept
  • Common factor: redundancy!
    - Redundancy does not prevent systematic hardware and software design faults!

Slide 30. Sensor error detection (1)
  • Redundancy with 2 sensors
    - Sensor input comparison by software on the microcontroller(s).
  • Who is right?

Slide 31. Sensor error detection (2)
  • Redundancy with 3 sensors
  • Drawbacks:
    - High cost
    - Systematic failures

Slide 32. Sensor error detection (3)
  • Solution: comparison to other (sensor) data!
    - Front axle vs. rear axle angle.
    - Crankshaft vs. camshaft speed.
    - ABS speed vs. tacho speed.
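The three sensor-error-detection steps of slides 30 to 32, as an added C example that is not code from the presentation or from HUMIQ: two redundant rear-axle angle sensors are compared, a disagreement is resolved against a reference derived from the front-axle angle and vehicle speed, and a separate 2-out-of-3 voter shows the three-sensor alternative. The steering law, the thresholds and the sensor values are constructed assumptions.

```c
#include <stdbool.h>

/* Thresholds are constructed for this example, not taken from the presentation. */
#define SENSOR_MISMATCH_DEG 1.0   /* max difference between the two redundant sensors */
#define PLAUSIBILITY_DEG    3.0   /* max deviation from the independently derived reference */

typedef enum {
    SENSOR_OK,         /* redundant sensors agree and are plausible: mean is used */
    SENSOR_1_USED,     /* sensors disagree, sensor 2 implausible: sensor 1 kept   */
    SENSOR_2_USED,     /* sensors disagree, sensor 1 implausible: sensor 2 kept   */
    SENSOR_FAIL_SAFE   /* no trustworthy value: go to the static fail-safe state  */
} sensor_status_t;

static double absd(double x) { return x < 0.0 ? -x : x; }

/* Reference rear-axle angle derived from other data (front-axle angle and
 * vehicle speed), the comparison of slide 32. The steering law is an assumed
 * placeholder; a real ECU uses a calibrated map. */
static double expected_rear_angle(double front_angle_deg, double speed_kmh)
{
    double k = (speed_kmh < 30.0) ? -0.5 : 0.2;  /* counter-steer at low speed */
    return k * front_angle_deg;
}

/* Slides 30 and 32: compare the two rear-axle sensors, and when they disagree
 * let the independent reference decide "who is right". The reference also
 * catches the case where both sensors agree but are both wrong. */
sensor_status_t validate_rear_angle(double s1, double s2, double front_angle_deg,
                                    double speed_kmh, double *out)
{
    double ref = expected_rear_angle(front_angle_deg, speed_kmh);
    bool s1_plausible = absd(s1 - ref) <= PLAUSIBILITY_DEG;
    bool s2_plausible = absd(s2 - ref) <= PLAUSIBILITY_DEG;

    if (absd(s1 - s2) <= SENSOR_MISMATCH_DEG) {
        if (s1_plausible || s2_plausible) {
            *out = (s1 + s2) / 2.0;
            return SENSOR_OK;
        }
    } else if (s1_plausible && !s2_plausible) {
        *out = s1;
        return SENSOR_1_USED;
    } else if (s2_plausible && !s1_plausible) {
        *out = s2;
        return SENSOR_2_USED;
    }
    /* Agreeing but implausible (common-cause fault), or disagreeing with no
     * way to decide: hand over to the fail-safe state, rear axle centered. */
    *out = 0.0;
    return SENSOR_FAIL_SAFE;
}

/* Slide 31: with three sensors a 2-out-of-3 vote isolates one faulty sensor
 * without any reference signal, at the cost of the third sensor. */
bool vote_2oo3(double a, double b, double c, double *out)
{
    bool ab = absd(a - b) <= SENSOR_MISMATCH_DEG;
    bool bc = absd(b - c) <= SENSOR_MISMATCH_DEG;
    bool ac = absd(a - c) <= SENSOR_MISMATCH_DEG;
    if (ab && bc && ac) { *out = (a + b + c) / 3.0; return true; }
    if (ab) { *out = (a + b) / 2.0; return true; }  /* c is the odd one out */
    if (bc) { *out = (b + c) / 2.0; return true; }
    if (ac) { *out = (a + c) / 2.0; return true; }
    return false;  /* no majority: fail-safe */
}
```

Note that the two-sensor scheme still cannot decide when both readings are individually plausible but differ from each other; that ambiguity is exactly what the third sensor or the fail-safe state has to cover.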
Slide 33. Emergency Shutdown
  • Pre-condition: a static fail-safe state is needed!
    - If the functional fail-safe controlled by SW fails!
    - Example: passive centering of the rear axle in case of shutdown.
  • One or multiple µC solution possible.

Slide 34. Open Loop Protected Single Channel (1)
  • Example:
    - Read front and rear axle sensors
    - Check sensor data
    - Determine rear axle valve positions
    - Actuate valves
  • Data integrity checks by means of redundant sensors or other data!
  • Drawback
    - Actuation errors not detected!

Slide 35. Closed Loop Protected Single Channel (2)
  • Extra safety by directly measuring the output.
    - E.g. valve:
      - PWM directly measured by the ICU (input capture unit), and valve current by sensor and ADC.

Slide 36. Dual Closed-Loop Channels
  • On one or more µCs.
    - Most critical software parts.
  • Easier to meet requirements from standards.
  • Different designs and implementations prevent systematic errors!

Slide 37. 3-Ebene (three-level) Concept
  • Most commonly applied for "simple" SIL3 compliance.

Slide 38. Software & Microcontroller Checks
  • Dedicated software safety framework for:
    - Memory test
      - CRC, checkerboard
    - I/O test
      - CAN, DIO, ADC
    - Instruction set test
      - Check basic µC ALU functionality.
    - Program sequence monitoring
      - Test execution paths throughout the software.
    - And many more...
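Two of the framework checks on slide 38, as an added C example (not code from the presentation or from HUMIQ): program sequence monitoring over the control-cycle steps of slide 34, whose result gates the cyclic watchdog triggering mentioned in the notes, and a checkerboard RAM test. The checkpoint ids, the signature fold and the RAM size are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* ---- Program sequence monitoring --------------------------------------------
 * Every safety-relevant step of the control cycle reports a checkpoint. The
 * checkpoints are folded, in order, into a running signature; at the end of
 * the cycle it must equal the signature of the one legal path, otherwise the
 * cycle is rejected and the watchdog must not be triggered.
 * Checkpoint ids and the path are constructed for this example. */
enum { CP_READ_SENSORS = 0x11, CP_CHECK_SENSORS = 0x22,
       CP_COMPUTE_VALVES = 0x33, CP_ACTUATE = 0x44 };

static const uint8_t k_cycle_path[] = {
    CP_READ_SENSORS, CP_CHECK_SENSORS, CP_COMPUTE_VALVES, CP_ACTUATE
};

static uint32_t pfm_sig;       /* signature of the cycle in progress */
static uint32_t pfm_expected;  /* signature of the legal path        */

/* Order-sensitive fold: rotating before the XOR makes A,B differ from B,A. */
static uint32_t pfm_fold(uint32_t sig, uint8_t cp)
{
    sig = (sig << 5) | (sig >> 27);
    return sig ^ cp;
}

void pfm_init(const uint8_t *path, size_t n)
{
    pfm_expected = 0;
    for (size_t i = 0; i < n; i++)
        pfm_expected = pfm_fold(pfm_expected, path[i]);
    pfm_sig = 0;
}

void pfm_checkpoint(uint8_t cp) { pfm_sig = pfm_fold(pfm_sig, cp); }

/* End of cycle: true only if every checkpoint was passed once, in order. */
bool pfm_cycle_ok(void)
{
    bool ok = (pfm_sig == pfm_expected);
    pfm_sig = 0;   /* the next cycle starts from a clean signature */
    return ok;
}

/* One control cycle as seen by the framework; skip_check simulates a
 * program-flow fault in which the sensor check step is jumped over. */
bool run_cycle(bool skip_check)
{
    pfm_checkpoint(CP_READ_SENSORS);
    if (!skip_check) pfm_checkpoint(CP_CHECK_SENSORS);
    pfm_checkpoint(CP_COMPUTE_VALVES);
    pfm_checkpoint(CP_ACTUATE);
    return pfm_cycle_ok();   /* only a true result may trigger the watchdog */
}

/* ---- Checkerboard RAM test ---------------------------------------------------
 * Fills the region with alternating 0x55/0xAA, reads it back, then repeats
 * with the phase shifted so every cell sees both patterns next to its
 * neighbours; stuck bits and shorts between adjacent cells show up as a
 * mismatch. The test is destructive, so it targets RAM not yet in use.
 * Returns the index of the first failing cell, or -1 if the region passes. */
long ram_checkerboard_test(volatile uint8_t *mem, size_t len)
{
    for (int phase = 0; phase < 2; phase++) {
        for (size_t i = 0; i < len; i++)
            mem[i] = ((i + (size_t)phase) & 1u) ? 0xAA : 0x55;
        for (size_t i = 0; i < len; i++)
            if (mem[i] != (((i + (size_t)phase) & 1u) ? 0xAA : 0x55))
                return (long)i;
    }
    return -1;
}
```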
Slide 39. Summary
  • Base: IEC 61508 -> sector/application standard(s)
  • Risk/hazard analyses -> FMEA, fault tree, event tree
  • Safety Integrity Level (SIL) -> highest SIL level = system SIL level