SLYY183A – January 2020 – DRV3245Q-Q1, TPS653853-Q1


  1.   Overview
  2.   Welcoming the by-wire era – this time with trust
  3.   “Fail-safe” systems transition to “fail-operational” systems
  4.   Electrification of the powertrain and the added considerations for functional safety
  5.   Functional safety in high-temperature applications
  6.   Human factors
  7.   Meeting the challenges of evolving functional safety systems
  8.   Related content

“Fail-safe” systems transition to “fail-operational” systems

As actuators move from using mechanical to electrical energy, safety architectures will need to evolve. Most electric actuators in safety systems today retain their original mechanical components for redundancy.

Take an electric braking system, for example, where the mechanical linkage of the pedal to the brake cylinder provides redundancy against failure of the electric system – albeit with a gargantuan stomp on the brake pedal. Electrical braking systems are architected as “fail-safe,” which means that if they were to fail, they would fail in a manner that would not impede the motion of any redundant measures (in this case, the stomp).

As autonomous architectures evolve, the reliance on mechanical redundancy diminishes because humans are removed from the control loop, leading to a whole new class of “fail-operational” systems. An example of a fail-operational system is this same braking system in an autonomous vehicle where the driver is unavailable for a period of time after the electrical brake actuation system has failed. The system (note, not the integrated circuits) is expected to continue operation in this event and brake the vehicle.

The main safety considerations for designing such a system are:

  • The fault tolerance and Automotive Safety Integrity Level (ASIL) of the system.
  • The allowable functional degradation of the system after the first fault has occurred.
  • The emergency function, driver warning and its emergency operational duration.
  • The required ASIL level for the system as it transitions to and from safe states.

In order to analyze the safety goals and safe states for fail-operational systems (using Figure 2 for guidance), we can refer to the second edition of ISO 26262-3:2018, Clause 7, from the International Organization for Standardization (ISO), which states that a safety goal violation can be prevented by transitioning to or maintaining one or more “safe states.” A safe state can be interpreted as “maintained functionality in the case of failure over a defined time,” which fits well with the considerations I’ve discussed for fail-operational systems. This state, described in Figure 2 as “Safe state with reduced functionality,” requires consideration and analysis of the driver warning and the risk exposure time for the state. Additionally, ISO 26262-5:2018, 9.2 can be applied when analyzing the emergency operation and the emergency operation duration after the transition from one safe state to the next.

System designers have adopted several techniques in order to improve the intermediate safe states, risk exposure times and emergency operation time interval. Several of these techniques rely on electromechanical redundancy concepts like dual-winding motors. These new motors, also known as dual-stator or dual-inverter motors, are built with two individually driven stator coils and a single rotor. This design helps ensure that if one of the stators fails, a redundant stator – and hence the rotor – will remain active. In this case, the expected safety requirement of the failing path is in fact “designed to fail-safe,” so as to not impede the motion of the healthy stator path. In the context of Figure 2, this single stator operation would be classified as “Safe state with reduced functionality.”

Figure 2. The states of operation of a fail-operational system; the light red boxes show the active function, and the light grey boxes show the inactive function.
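To make the chain of safe states concrete, the following is an added example (not from the paper and not TI code) of a state model for the dual-stator actuator discussed above: the first stator fault moves the actuator into the reduced-functionality safe state with a driver warning and a risk exposure timer, that timer's expiry hands over to a time-limited emergency operation, and a second fault or an exhausted emergency operation duration ends in a safe stop. All state labels other than “Safe state with reduced functionality”, the two time constants and the 50% single-stator capacity are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
/* States of a fail-operational dual-stator actuator. "Safe state with reduced
 * functionality" is the paper's term for single-stator operation; the other
 * labels and all time values are assumptions made for this example. */
typedef enum {
    STATE_FULL_FUNCTION,       /* both stator paths healthy */
    STATE_REDUCED_FUNCTION,    /* first fault: safe state with reduced functionality */
    STATE_EMERGENCY_OPERATION, /* exposure time spent: emergency operation to a stop */
    STATE_SAFE_STOP            /* emergency duration exhausted, or second fault */
} actuator_state_t;

#define RISK_EXPOSURE_MS      60000u /* assumed allowable time in reduced functionality */
#define EMERGENCY_DURATION_MS 10000u /* assumed emergency operation duration */
typedef struct {
    actuator_state_t state;
    bool stator_ok[2];
    bool driver_warned;
    uint32_t timer_ms; /* time left in the current timed safe state */
} actuator_t;
void actuator_init(actuator_t *a) {
    *a = (actuator_t){ STATE_FULL_FUNCTION, { true, true }, false, 0 };
}
/* Fault on one stator path: that path is designed to fail safe, so the healthy
 * path keeps driving the rotor, the driver is warned and the exposure timer starts. */
void actuator_report_fault(actuator_t *a, int path) {
    a->stator_ok[path & 1] = false;
    if (!a->stator_ok[0] && !a->stator_ok[1]) { a->state = STATE_SAFE_STOP; return; }
    if (a->state == STATE_FULL_FUNCTION) {
        a->state = STATE_REDUCED_FUNCTION;
        a->driver_warned = true;
        a->timer_ms = RISK_EXPOSURE_MS;
    }
}

/* Advance the timed safe states by dt_ms: reduced functionality -> emergency
 * operation -> safe stop, stepping on as each interval is used up. */
void actuator_tick(actuator_t *a, uint32_t dt_ms) {
    bool reduced = a->state == STATE_REDUCED_FUNCTION;
    if (!reduced && a->state != STATE_EMERGENCY_OPERATION) return;
    if (dt_ms < a->timer_ms) { a->timer_ms -= dt_ms; return; }
    a->timer_ms = reduced ? EMERGENCY_DURATION_MS : 0;
    a->state = reduced ? STATE_EMERGENCY_OPERATION : STATE_SAFE_STOP;
}

/* Capacity offered to the vehicle in each state (assumed: each stator supplies half). */
int actuator_capacity_percent(const actuator_t *a) {
    if (a->state == STATE_FULL_FUNCTION) return 100;
    return a->state == STATE_SAFE_STOP ? 0 : 50;
}
```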

Other approaches to reduce the residual risk of a safety goal violation to the 1 FIT (Failure in Time) level include increasing this redundancy to encompass separate supply sources (batteries), separate communication channels, and even integrating systems with independent 12-V/48-V or 12-V/600-V power nets.