![Content ,[object Object],[object Object],[object Object],21 oktober 2010 www.humiq.nl](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)
Recommended
More Related Content
Similar to Breinstorm@HUMIQ - Automotive functionalsafety
Similar to Breinstorm@HUMIQ - Automotive functionalsafety (20)
Recently uploaded
Recently uploaded (20)
Breinstorm@HUMIQ - Automotive functionalsafety
- 1. 21 oktober 2010 www.humiq.nl Automotive Functional Safety M. Van der Cruijsen
- 4. Domain 21 oktober 2010 www.humiq.nl Safety critical Production Volume Automotive Chassis-, Driveline systems Automotive Body systems Automotive Infotainment systems Aerospace Industrial automation Consumer Electronics
- 8. Example 21 oktober 2010 www.humiq.nl Spontaneous steering could occur due to failures, causing a disaster + =
- 18. ALARP region 21 oktober 2010 www.humiq.nl
- 27. 21 oktober 2010 www.humiq.nl Measures & Techniques
- 28. IEC 61508 architecture coverage 21 oktober 2010 www.humiq.nl
- 40. 21 oktober 2010 www.humiq.nl
Editor's Notes
- Functional Safety is part of the overall safety that depends on a system or equipment operating correctly in response to it’s inputs. (per IEC 61508-0) Functional Safety is the way to evaluate and determine the risk of using complex and simple circuit to perform a safety function. The safety function must always be performed under normal/undisturbed conditions and under fault conditions (Fail Safe).
- You can roughly split the automotive software domain into 4 different sub-domain. Infotainment: audio/video, naviation, communication Powertrain: engine managment, gearbox Chassis: breaking, steering, suspension applications Body: IVN gateway comort systems Infotainment is naar omvang de grootste, maar functional safety is vooral van toepassing op de andere 3 gebieden. Steeds meer verbindingen tussen de domeinen.: E-call: airbaig unit – comminicatie – navigatie.
- Another way to look at this domain is characterizing prodution volume and the infuency on safety. A Car is a high volume consumer products, this means that there is similar pressure on cost-price and time-to-market as a CD-player. But some applications in a vehical have a direct impact on the safety of the passengers and the enviorment. Auto is het meest complexe consumenten product.
- Functional Safety is part of the overall safety that depends on a system or equipment operating correctly in response to it’s inputs. (per IEC 61508-0) Functional Safety is the way to evaluate and determine the risk of using complex and simple circuit to perform a safety function. The safety function must always be performed under normal/undisturbed conditions and under fault conditions (Fail Safe).
- The system can be described in only a few basic requirements. 1 functional requirment: The rea axle shall steer based on the front axle angle and speed. 1 safety requirement . Truck may not roll over, un any circumstance or condtion due to spontaneous or incorrect steering.
- The system can be described in only a few basic requirements. 1 functional requirment: The rea axle shall steer based on the front axle angle and speed. 1 safety requirement . Truck may not roll over, un any circumstance or condtion due to spontaneous or incorrect steering.
- Wrong steering actions are an immediat risk, especially for trucks transporting liquedes (like patrol). An accident with such a vehical on highway can have enourmous personal, enviormental and economical impact. Injuries of the truckdriver, leaking fluids, economical losses due to trafic jams etc.. All this can happen when a single bit is programmed wrong (e.g. positive/negative sign in a calculation).
- Functional Safety is part of the overall safety that depends on a system or equipment operating correctly in response to it’s inputs. (per IEC 61508-0) Functional Safety is the way to evaluate and determine the risk of using complex and simple circuit to perform a safety function. The safety function must always be performed under normal/undisturbed conditions and under fault conditions (Fail Safe).
- Part 1: General. Part 2: System & Hardware, Part 3: Software, Part 4: Definitions, Part 5: Determination of SIL Level, Part 6: Application of Part 2 & 3, Part 7: Measures & Techniques.
- IEC-61508 life cycle just as reference example. - Highlight
- Hazard & Risk Analysis are repeated when a requirement is changed. If needed risk can not be accepted, risk reduction needs to be done by means of safety systems, external facilities, etc.
- Drawback: Focus on single failures, not combined failures.
- * If risk can not be accepted, risk reduction needs to be done by means of safety systems, external facilities, etc. In the ALARP region: Risk is undertaken, only when a benefit is desired. Upper and lower ALARP regions are often chosen in probability of failure per year.
- In orange: ALARP region to be analyzed!
- * All depends on the needs of the customer and other related issues… This is just a guideine.
- 3.5.1 safety function function to be implemented by an E/E/PE safety-related system, other technology safetyrelated system or external risk reduction facilities, which is intended to achieve or maintain a safe state for the EUC, in respect of a specific hazardous event (see 3.4.1) 3.5.2 safety integrity probability of a safety-related system satisfactorily performing the required safety functions under all the stated conditions within a stated period of time
- RS: SIL Level 3. SIL level 4 normally not obtained within automotive Nuclear factories etc.
- Way in which a safety-related system is intended to be used, with respect to the frequency of demands made upon it, which may be either low demand mode: where the frequency of demands for operation made on a safety related system is no greater than one per year and no greater than twice the proof-test frequency. high demand or continuous mode: where the frequency of demands for operation made on a safety-related system is greater than one per year or greater than twice the proof-check frequency.
- As well as for software architecture, design, etc. Also planning issues and processes. Mention referenced to tables.
- If Sensor_1 = Sensor_2, no problems, little risk both are damaged. But what if Sensor_1 != Sensor_2, who is right…. 3 sensors… (Next slide)
- Both micro’s with safety framework, status exchange. Dual channel on first uC, single channel on second channel Values are compared. Cyclic watchdog triggering
- Self Diagnosis for each microcontroller.