Note: this article is reposted from 汽车电子设计漫谈 for study and reference only.
Functional Safety Design Philosophy for Hybrid Powertrain
In recent years I got the opportunity to work on a Hybrid Power Electronics project. During my work I came across the EGAS standard architecture for torque control applications. Any control system dealing with torque demand / torque conversion can take EGAS as a standard architecture to claim ISO 26262 Functional Safety compliance. Though EGAS is based around a drive-by-wire system, it can be referenced for any torque control system as well.
Based on the system definition, the system behavior in typical driving conditions was analyzed within the scope of a hazard analysis and risk assessment, and the hazards caused by errors in the EGAS system were determined. In systems with only one torque source (respectively one propulsion engine), an invalid vehicle acceleration can occur only due to a faulty torque demand or a faulty torque conversion.
The safety goal “Prevention of unintended acceleration” shall be achieved by a functional safety concept. This concept shall monitor the permitted vehicle acceleration, or equivalently the permitted driving torque, in order to bring the vehicle into a safe, controllable state within an adequate fault-tolerance time.
The safety requirements are distributed to the following components:
Sensors (S1/S2)
A plausibility check can be applied to the sensor signals (e.g. phase current, rotor position, driver accelerator pedal demand, etc.) after capturing the signals.
Actuators (A)
A plausibility check can be applied to the actuator signals (e.g. motor gate drive PWMs, throttle position) after capturing the signals.
Engine control unit (L)
- The engine control unit detects sensor faults.
- The engine control unit detects actuator faults.
- A safety concept is implemented in the engine control unit, which validates the driving torque and detects an impermissible excess of it. The system fault reaction shall result in a safe state.
- The safety concept is based on the idea of a centralized functional monitoring architecture (level 2).
Central functional monitoring:
The functional monitoring level (level 2) shall calculate and monitor functions independently of the functional level (level 1). In case of error detection, a controllable (safe) state has to be established.
An independent development ensures that systematic errors do not have the same effect on the functional level (level 1) and on the monitoring level (level 2).
Additional measures shall be implemented in the control unit to verify the integrity of the applied ECU hardware. It shall be ensured that errors located in level 1 and in the ECU hardware cannot have an undetected influence on level 2.
The monitoring concept shall be designed in 3 levels:
Level 1
It is referred to as the functional level.
Level 1 contains the engine control functions, i.e. implementation of the requested engine torque, component monitoring, input / output variable diagnostics, and control of the system reactions if a fault is detected.
Level 2
It is referred to as the function monitoring level.
Level 2 detects defective execution of the level 1 functional software, e.g. by monitoring the calculated torque values or the vehicle acceleration. In case of a fault, system reactions are triggered.
Level 3
It is referred to as the controller monitoring level.
The monitoring module shall be an independent part of the function controller (e.g. an ASIC or a separate controller), which verifies correct program execution through a challenge-response process. In case of a fault, system reactions are triggered independently of the function controller.
Level-3 Challenge & Response (CHA/RSP)
The physically independent monitoring module (L3_MM, realized in separate hardware) communicates with the L3 monitoring software in the function controller (L3_SW in FC) via an interface. The L3_MM cyclically sends one challenge (CHA), selected from a set of at least 10 different challenges, to the L3_SW in the function controller FC; it monitors the reception of the cyclical test result, assesses it, and in case of a fault initiates the fault reaction.
The monitoring module can be implemented as an ASIC or as a controller. When RAM/ROM components are used in the L3_MM, these components shall be tested cyclically, at least once per driving cycle.
The clock of the monitoring module shall be separately implemented from the main computer.
L3 monitoring software of the function controller (L3_SW in FC) shall communicate with the L3_MM via interface. The interaction between L3_MM and L3_SW in FC is also described as Challenge/Response (CHA/RSP) communication.
Monitoring with L3_MM
· The L3_MM expects an accurately defined response from the L3_SW in the function controller within a defined time period.
· In case of a fault, the L3_MM increments an internal error counter and repeats the wrongly answered challenge.
· If the error counter's limit is reached, the monitoring module shall switch off the actuator power output stages and trigger a limited number of SW resets of the function controller to increase availability.
· If the L3_MM receives a response at the wrong moment, the same fault reaction shall be performed.
· The error counter processing in the L3_MM shall be designed so that detected faults drive the counter toward the fault-reaction threshold faster than detected fault-free states drive it back toward an error counter reset, i.e. the increment on a fault is larger than the decrement on a correct response.
· The monitoring module shall not be subject to the development and modification cycles of a flash-based control unit and shall be independent of the project or vehicle equipment.
· The challenges generated by the monitoring module are generic and are determined already during the definition of the engine control system.
· The adjustment to project-specific characteristics shall be performed by means of unique parameters on the function controller's side.
Monitoring with L3_SW of the Function Controller
· The L3_SW in the FC expects a new challenge from the L3_MM within a defined time period and checks the fault-free operation of the L3_MM.
· The L3_SW in the FC tests the L3_MM by deliberately giving wrong responses at specific time intervals.
· The next error counter status, transmitted together with the following challenge from the L3_MM, is checked by the L3_SW in the FC to see whether the fault detection is reflected in the error counter modification.
· In case of a fault, the L3_SW in the FC increments an internal error counter and transmits a wrong response to the L3_MM again.
· If the error counter's limit is reached, the function controller switches off the actuator output stages and triggers a limited number of resets to increase availability.
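The two-sided CHA/RSP loop described above (L3_MM issuing and assessing challenges with an asymmetric error counter, L3_SW deliberately answering wrong to test the monitor), as an added simulation that is not the post's or the EGAS standard's code; the challenge set, the counter limits, the test period and the response function are constructed assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
/* Constructed example of the EGAS level-3 CHA/RSP loop (not the post's or the
 * standard's code); constants and the response function are assumptions. */
#define N_CHA       10  /* monitor holds at least 10 generic challenges */
#define ERR_LIMIT    6  /* error counter value that triggers the fault reaction */
#define ERR_INC      2  /* a detected fault steps toward the limit by 2 ... */
#define ERR_DEC      1  /* ... a fault-free cycle steps back by only 1 */
#define MAX_RESETS   3  /* limited number of FC resets before outputs stay off */
#define TEST_PERIOD 10  /* FC answers wrong on purpose every 10th cycle */
static const uint16_t cha_set[N_CHA] = {0x1A2B, 0x3C4D, 0x5E6F, 0x7081, 0x92A3,
                                        0xB4C5, 0xD6E7, 0xF809, 0x1A2C, 0x3C4E};
typedef struct { unsigned err_cnt, idx, resets; bool outputs_off; } l3_mm_t;
typedef struct { unsigned err_cnt, cycle, last_cnt; bool expect_inc; } l3_sw_t;
/* Hypothetical FC-side response computation (project-specific in reality). */
uint16_t l3_sw_response(uint16_t cha) { return (uint16_t)((cha ^ 0x5A5A) + 0x1234); }
/* Challenge the monitor currently expects answered (repeated after a fault). */
uint16_t l3_mm_challenge(const l3_mm_t *mm) { return cha_set[mm->idx % N_CHA]; }
/* Monitor side: assess one response. late=true models a response outside the
 * defined time window, which is treated exactly like a wrong value. */
void l3_mm_assess(l3_mm_t *mm, uint16_t rsp, bool late) {
    if (late || rsp != l3_sw_response(l3_mm_challenge(mm))) {
        mm->err_cnt += ERR_INC;            /* idx unchanged: challenge repeats */
        if (mm->err_cnt >= ERR_LIMIT) {
            mm->outputs_off = true;        /* actuator power stages off */
            if (mm->resets < MAX_RESETS) { /* SW reset of the FC; outputs return */
                mm->resets++; mm->err_cnt = 0; mm->outputs_off = false;
            }
        }
        return;
    }
    if (mm->err_cnt >= ERR_DEC) mm->err_cnt -= ERR_DEC;
    mm->idx++;
}
/* FC side: answer a challenge. Every TEST_PERIOD-th cycle the answer is wrong on
 * purpose; the counter sent back with the next challenge must then have moved. */
uint16_t l3_sw_answer(l3_sw_t *sw, uint16_t cha, unsigned mm_err_cnt) {
    if (sw->expect_inc && mm_err_cnt <= sw->last_cnt) sw->err_cnt++; /* L3_MM dead */
    sw->expect_inc = (++sw->cycle % TEST_PERIOD) == 0;
    sw->last_cnt = mm_err_cnt;
    uint16_t rsp = l3_sw_response(cha);
    return sw->expect_inc ? (uint16_t)~rsp : rsp;
}
/* Run n cycles; from cycle fault_from on the FC's response arrives too late. */
void simulate(unsigned n, unsigned fault_from, l3_mm_t *mm, l3_sw_t *sw) {
    for (unsigned i = 0; i < n; i++) {
        uint16_t rsp = l3_sw_answer(sw, l3_mm_challenge(mm), mm->err_cnt);
        l3_mm_assess(mm, rsp, i >= fault_from);
    }
}
```

With a healthy FC the periodic deliberate wrong answer raises the counter by 2 and the following correct answers bring it back, so the threshold is never reached; once responses stop arriving in time, three faults in a row exhaust a reset, and after the last permitted reset the outputs stay off.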
Transferred from http://abhashr.blogspot.com/2014/03/functional-safety-design-for-hybrid.html?view=sidebar