Emergency Operation in the Context of ISO 26262
Emergency Operation in Case of Cold Redundant Power Supply Systems
Graphical abstract: Within the graphical abstract, the timing properties according to ISO 26262 in the context of emergency operation are shown for an item implementing cold redundancy. The ...
Abstract: The automotive industry is currently driven by the megatrends electrification, automated driving, and connectivity. To cope with these trends, new functionalities and electric and/or electronic systems must be developed, which require a safe power supply by the power supply system. This leads to increased functional safety requirements for the power supply system, particularly regarding availability. Fault tolerance measures can be implemented to address a safety goal specifying a safety-related availability requirement. In this case, emergency operation (EO) may be necessary to reach a defined safe state. The definitions and examples provided in ISO 26262 focus on cold redundancy, whereby the backup system is not engaged during nominal operation. The objective of this paper is to evaluate EO in the context of ISO 26262 in detail and map the results to an exemplary power supply system architecture implementing cold redundancy. In general, the EO is considered to be free from unreasonable risk even though the actual automotive safety integrity level (ASIL) capability of the item is lower than the initially specified ASIL rating for the hazard due to its timing restrictions. To determine the maximum permissible duration of EO, not just random hardware faults shall be considered; additionally, systematic effects shall be considered. Furthermore, an EO may be entered due to transient faults potentially causing temporary EOs, introducing the necessity of an EO recording, e.g. by accumulating the time of all temporary EOs.
Published in: IEEE Access ( Volume: 10 )
TABLE 1: Exemplary Evaluation of Hazard “Sudden Loss of Steering Assist” [1]
TABLE 2: Relevant Variables for PMHF and EOTTI Calculations [6]
TABLE 3: Explanation of the Time Steps t_1 to t_7 from Fig. 5 [1], [6]
TABLE 4: Exemplary Failure Rates for the Architecture Shown in Fig. 4
References
[1] P. Kilian, A. Kohler, P. Van Bergen, C. Gebauer, B. Pfeufer, O. Koller, et al., "Principle guidelines for safe power supply systems development," IEEE Access, vol. 9, pp. 107751-107766, 2021.
[2] Steering System of Motor Vehicles. Basic Requirements, 2021.
[3] P. Kilian, O. Koller, P. Van Bergen, C. Gebauer, and M. Dazer, "Safety-related availability in the power supply domain," IEEE Access, 2022.
[4] ISO 26262-9:2018(E), "Road Vehicles—Functional Safety—Part 9: Automotive Safety Integrity Level (ASIL)-Oriented and Safety-Oriented Analyses," 2018.
[5] ISO 26262-1:2018(E), "Road Vehicles—Functional Safety—Part 1: Vocabulary," 2018.
[6] ISO 26262-10:2018(E), "Road Vehicles—Functional Safety—Part 10: Guidelines on ISO 26262," 2018.
[7] ECE R 13-H, Regulation No 13-H of the Economic Commission for Europe of the United Nations (UN/ECE): Uniform Provisions Concerning the Approval of Passenger Cars With Regard to Braking, Geneva, Switzerland, 2015.
[8] A. Birolini, Reliability Engineering: Theory and Practice, New York, NY, USA: Springer, 2017.
[9] C. Gebauer, "Fail operational and ISO 26262 2nd edition," Safetronic, Nov. 2018.
[10] F. Edler, M. Soden, and R. Hankammer, Fehlerbaumanalyse in Theorie und Praxis—Grundlagen und Anwendung der Methode [Fault Tree Analysis in Theory and Practice: Fundamentals and Application of the Method], Berlin, Germany: Springer, 2015.
[11] B. Bertsche, Reliability in Automotive and Mechanical Engineering, Berlin, Germany: Springer, 2008.
[12] ISO 26262-5:2018(E), "Road Vehicles—Functional Safety—Part 5: Product Development at the Hardware Level," 2018.
[13] ISO 26262-3:2018(E), "Road Vehicles—Functional Safety—Part 3: Concept Phase," 2018.
[14] VDA 450, "VDA Empfehlung für einen Mindestsicherheitsstandard der Energieversorgung und deren Elemente im Rahmen der ISO 26262" [VDA recommendation for a minimum safety standard of the power supply and its elements within the scope of ISO 26262], 2021.
[15] A. Köhler and B. Bertsche, "An approach of fail operational power supply for next generation vehicle powernet architectures," in Proc. 30th Eur. Saf. Rel. Conf. 15th Probabilistic Saf. Assessment Manage. Conf. (ESREL-PSAM), pp. 60-67, Nov. 2020.


The relevance of safety applications within the automotive industry is continuously increasing, particularly driven by the megatrends electrification, automated driving, and connectivity. Generally, the ISO 26262 series of standards, published by the International Organization for Standardization (ISO), is applied to ensure the functional safety of safety-related electrical and/or electronic (E/E) systems in the automotive industry. The power supply system is essential because it represents a shared resource for several safety-related E/E systems. Thereby, safety-related availability (SaRA) requirements are allocated to the power supply system, which cannot be realized using state-of-the-art fail-passive approaches. To standardize the safety process and improve its applicability in the power supply domain, ISO 26262 concepts for emergency operation (EO) are discussed in this paper.
In Section I, the general aspects of functional safety in the context of the power supply domain are discussed, and different implementations of redundancy are distinguished. In Section II, EO is discussed in the context of ISO 26262, focusing on cold redundancy. In Section III, EO is applied to an exemplary power supply architecture that implements cold redundancy. Furthermore, an outlook is presented on how these definitions can be adapted to warm redundancy. In Section IV, EO is summarized for items implementing cold redundancy.
Currently, there is no standard approach in the automotive industry to apply EO to fault-tolerant power supply systems. To fill this gap, EO, as defined in the second edition of ISO 26262, is discussed in detail and mapped to the power supply domain. Among others, the focus is on the general characteristics of EO, the definition of possible safe states, and the maximum permissible duration of an EO. In addition, an approach for coping with transient faults in the context of EO is presented.
Power supply systems are within the scope of ISO 26262 and must be functional-safety compliant for homologations since 2022 [1], [2]. The relevance of failures in power supply systems and the continuously rising functional safety requirements have been discussed in previous publications [1], [3]. Power supply systems are considered shared resources because they affect several other elements in the case of a malfunction [3].
The main tasks of the power supply system are to provide a safe power feed and power distribution [1]. Additionally, freedom from interference shall be ensured to enable ISO 26262-compliant coexistence between the different elements of an E/E system [4]. Thus, cascading faults between elements that are implemented with different integrity levels regarding their capability to prevent interference with the power supply are avoided [1], [3]. Otherwise, faults caused by elements with lower safety integrity could “directly or indirectly, violate any safety requirement” [4] of elements with higher integrity levels. This requirement applies to all elements that potentially affect the availability of the power supply, such as loads, the wiring harness, energy sources, and energy storages.
A widely discussed safety-related E/E system that allocates functional safety requirements to a power supply system is the steering entity [1], [3]. Within this paper, the steering entity comprises the item “electrical power steering” (EPS) and the item “power supply system” [3]. In Table 1, an exemplary use case for manual driving is introduced based on [1]; the safety goal (SG) is rated with automotive safety integrity level (ASIL) C. If the steering assist functionality is unavailable for longer than the fault tolerant time interval of the entity (FTTI_Entity) of 100 ms, a potentially hazardous event occurs. The FTTI is defined as the “minimum time-span from the occurrence of a fault in an item [respectively entity] to a possible occurrence of a hazardous event” [5]. Because a sudden loss of steering functionality can lead to a hazardous situation while driving, a SaRA requirement is specified for the steering entity regarding its steering-assist functionality. Thus, the SaRA requirement is allocated to the power supply system. Whether the availability of a function is safety-related depends mainly on the vehicle operating state (VOS) [3], [6]. VOS is defined as the “operating mode in combination with the operational situation” [5]. Therefore, the following safety requirements are applicable only for specific VOSs.
The FTTI_Entity of 100 ms shall be adapted to the power supply system. For example, this leads to an FTTI_PSS of 100 µs for the power supply system according to [3], which is considered in the following. Because the FTTI is a “relevant attribute for safety goals” [5] and is thus defined on item (respectively entity) level, it shall be refined for the element level as the maximum fault handling time interval (FHTI_max) to “support the functional safety concept” [1], [5]. In this study, it is explicitly differentiated between FHTI_max, as a requirement, and the fault handling time interval (FHTI), as an actual characteristic of a safety mechanism (SM), according to [1].
In general, fault tolerance measures to ensure SaRA requirements are implemented by redundancy. Redundancy may also be mandatory for homologations due to technical regulations [7]. Thereby, the backup system can be integrated into nominal operation in different ways during fault-free operation, e.g., as cold, warm, or hot redundancy [8].
The differences between cold, warm, and hot redundancy were discussed in detail in [3]. For the purpose of this study, the definitions of cold and warm redundancy according to Birolini are considered [8]:

Cold redundancy: “Redundant elements are subjected to no load until they become operating; load sharing is possible for operating elements, but not considered in the case of independent elements, and the failure rate in reserve (standby) state is assumed to be zero.”
Warm redundancy: “Redundant elements are subjected to a lower load until they become operating; load sharing is possible, but not considered in the case of independent elements”; failure rate “is between active and standby.”
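The cold/warm/hot distinction above can be made concrete with the standard constant-failure-rate model of a 1-out-of-2 standby pair. The following Python is an added illustration, not code or data from the paper: the reserve's standby failure rate lam_r selects the scheme (0 for cold, between 0 and lam for warm, lam for hot), switching is assumed ideal, and the numeric rates and mission time are constructed example values.

```python
import math


def standby_reliability(lam: float, lam_r: float, t: float) -> float:
    """Survival probability R(t) of a 1-out-of-2 standby system with constant failure rates.

    lam   : failure rate of the operating element (the main, and the reserve once it takes over)
    lam_r : failure rate of the reserve while it is in standby
            0          -> cold redundancy (no load, failure rate in reserve assumed zero)
            0 < x < lam-> warm redundancy (lower load, reduced rate)
            lam        -> hot redundancy (both fully loaded, i.e. an active parallel pair)
    Assumptions: independent elements, ideal (instantaneous, fault-free) switching.

    R(t) = e^{-lam t} + int_0^t lam e^{-lam x} e^{-lam_r x} e^{-lam (t-x)} dx
         = e^{-lam t} [1 + (lam/lam_r) (1 - e^{-lam_r t})]     for lam_r > 0
         = e^{-lam t} (1 + lam t)                               for lam_r = 0 (limit)
    """
    if lam <= 0 or lam_r < 0 or t < 0:
        raise ValueError("need lam > 0, lam_r >= 0, t >= 0")
    if lam_r == 0.0:
        return math.exp(-lam * t) * (1.0 + lam * t)
    # -expm1(-x) == 1 - e^{-x}, evaluated without cancellation for small x
    return math.exp(-lam * t) * (1.0 + (lam / lam_r) * (-math.expm1(-lam_r * t)))


def reserve_already_failed_at_demand(lam_r: float, t_demand: float) -> float:
    """Probability that the reserve has silently failed in standby by the time the main
    element fails at t_demand, i.e. that no backup is available when it is needed.
    Zero for cold redundancy (lam_r = 0) by definition."""
    return -math.expm1(-lam_r * t_demand)


def compare_redundancy_schemes(lam_fit: float, t_hours: float) -> dict:
    """Failure probabilities F = 1 - R after t_hours for a single element and for
    cold/warm/hot 1-out-of-2 pairs. Rates are given in FIT (1e-9 per hour).
    The 25 % standby rate used for 'warm' is an assumed example value."""
    lam = lam_fit * 1e-9
    return {
        "single": -math.expm1(-lam * t_hours),
        "cold": 1.0 - standby_reliability(lam, 0.0, t_hours),
        "warm": 1.0 - standby_reliability(lam, 0.25 * lam, t_hours),
        "hot": 1.0 - standby_reliability(lam, lam, t_hours),
    }


if __name__ == "__main__":
    # Constructed example values, not figures from the paper: 1000 FIT per element
    # and 15 000 h of operating time.
    for scheme, f in compare_redundancy_schemes(1000.0, 15000.0).items():
        print(f"{scheme:6s} F(15000 h) = {f:.3e}")
```

With the same element failure rate, the cold pair is the most reliable because the reserve accumulates no failures before it is needed; the hot pair is the least reliable of the three because both elements age from the start. This is also why the cold-redundant case, which the paper focuses on, lets the backup's stand-alone failure rate during EO be the dominant term when bounding the EO duration.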
In this section, EO is introduced as defined in ISO 26262. Among others, the focus is on the general characteristics of EO, definition of possible safe states, and maximum permissible duration of EO. Additionally, transient faults are discussed in the context of EO.
SaRA requirements can be addressed by several safety measures, see [3], [6], or [9] for more details:

Fault avoidance: Faults shall be avoided through proper processes and/or dedicated measures. Thus, no failure shall occur at all.
Fault forecasting: Fault occurrence is predicted, and a hazard is prevented by not entering a safety-relevant VOS or leaving it before a failure occurs.
Fault tolerance: Faults occur, but specified functionality is provided “even in the presence of one or more faults” [6] . The function can be fully or partially maintained due to redundancy, typically with a reduced ASIL capability.
To achieve a certain ASIL capability, the safety requirements shall be fulfilled for systematic and random hardware faults. However, in the case of fault tolerance, the functionality is typically provided with a lower ASIL capability after the loss of the main system compared with the ASIL rating of the initial possible hazard:

Systematic faults: If ASIL decomposition is applied, at least one of the redundant systems only prevents and/or controls systematic faults with an ASIL lower than the hazard’s ASIL rating [3].
Random hardware faults: Redundancy enables lower requirements for random hardware faults for each redundant system. After the loss of the main system, the stand-alone backup system typically does not comply with the initial target values for random hardware faults.
Within ISO 26262, EO is defined as the “operating mode of an item, for providing safety after the reaction to a fault until the transition to a safe state is achieved” [5]. This applies if a “safe state cannot be maintained after the detection of a fault” [5].
In general, the item is considered free from unreasonable risk during EO “even though the ASIL capability of the item is lower than the ASIL rating of the possible hazard” [6]. More precisely, the ASIL capability of an item after a fault is lower than the initially specified ASIL rating for the SG. As described in Section II-A, this may be the case after loss of the main system. If only fault avoidance measures are applied, no EO can be entered. EO can only be considered free from unreasonable risk because “the operating time in this state is limited, such that it is unlikely that an additional fault occurs which leads to a violation of the [SG]” [6]. Therefore, EO is a time-limited state that can be considered safe. However, EO itself is not a safe state: EO is a temporary operating mode that enables a safe transition to a safe state, whereas a safe state is generally not limited in time. An SM is implemented to prevent entering possible VOSs in which the ASIL rating of the possible hazards exceeds the remaining ASIL capability after reaching a safe state [6]. According to ISO 26262-10:2018, 12.2.4.2 Note 6, this SM is implemented with the initial ASIL rating [6].
The EO is designed such that a further, sufficiently independent fault, which would result in an SG violation in combination with the fault that has already occurred, is sufficiently unlikely during this limited time. Thus, the probability of fault occurrence during EO is considered as part of the derivation of the emergency operation tolerance time interval (EOTTI). The EO, and therefore the EOTTI, begins as soon as the transition to the backup system is completed. The actual “time-span during which [EO] is maintained” [5] is defined as the emergency operation time interval (EOTI). EOTI shall not be longer than EOTTI [5].
Therefore, the most relevant properties of EO are:

EO shall be restricted in time to avoid unreasonable risk.
EO is entered if the occurrence of a hazardous event is prevented within FTTI, but a safe state cannot be reached within FTTI.
EO starts after the completion of the immediate fault reaction, which is required to prevent the occurrence of a hazardous event, i.e. as soon as switching to the backup is completed.
EO starts as soon as the specified functionality is available again. However, from the occurrence of a fault until the start of EO, i.e. during FHTI, the specified functionality may not be available.
EO is maintained during EOTI, whereby the ASIL capability of the item is lower than the ASIL rating for the possible hazard.
EO relies solely on the backup system. Thus, during EOTI, a fault in the backup potentially leads directly to a violation of an SG.
EO is only a temporary operating mode without an unreasonable risk of a further fault until a safe state is reached within EOTTI. Thus, it can be considered safe.
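The timing relations listed above (the actual FHTI against FHTI_max, and EOTI against EOTTI) and the idea of bounding EOTTI by the probability of a further fault during EO can be exercised in code. The following Python is an added example, not code from the paper: the constant-failure-rate bound on EOTTI, the probability budget, the FHTI_max and EOTTI values, and the accumulation of EOTI over several temporary EOs (the "EO recording" idea from the abstract) are illustrative assumptions; only FTTI_PSS = 100 µs is taken from the page.

```python
import math
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class TimingRequirements:
    """Timing requirements of one item/element, all in seconds."""
    ftti_s: float       # fault tolerant time interval, an attribute of the safety goal
    fhti_max_s: float   # maximum fault handling time interval allowed for the safety mechanism
    eotti_s: float      # emergency operation tolerance time interval

    def __post_init__(self) -> None:
        # FHTI_max refines the FTTI down to element level, so it can never be longer
        if self.fhti_max_s > self.ftti_s:
            raise ValueError("FHTI_max must not exceed FTTI")


def eotti_for_probability_budget(lambda_backup_per_h: float, p_budget: float) -> float:
    """Assumed model (an illustration, not the paper's derivation): the stand-alone backup
    fails with a constant rate lambda, so P(further fault within EOTI) = 1 - exp(-lambda*EOTI).
    Returns the longest EOTTI in hours for which that probability stays at or below p_budget."""
    if lambda_backup_per_h <= 0 or not 0.0 < p_budget < 1.0:
        raise ValueError("need lambda > 0 and 0 < p_budget < 1")
    return -math.log1p(-p_budget) / lambda_backup_per_h


@dataclass
class EmergencyOperationMonitor:
    """Checks the achieved FHTI against FHTI_max and accumulates the EOTI of all
    (temporary) EOs against EOTTI."""
    req: TimingRequirements
    fault_at: Optional[float] = None
    eo_start: Optional[float] = None
    accumulated_eoti_s: float = 0.0
    violations: List[str] = field(default_factory=list)

    def fault_occurred(self, t: float) -> None:
        """Fault occurs; the FHTI clock starts. Functionality may be unavailable from here on."""
        if self.eo_start is not None:
            # a second fault while already relying on the backup: no redundancy left
            self.violations.append(f"t={t}: fault during EO, safety goal potentially violated")
        self.fault_at = t

    def backup_active(self, t: float) -> float:
        """Immediate fault reaction completed (switch-over done): EO and EOTI start here.
        Returns the actual FHTI achieved by the safety mechanism."""
        if self.fault_at is None:
            raise RuntimeError("backup_active without a preceding fault")
        fhti = t - self.fault_at
        if fhti > self.req.fhti_max_s:
            self.violations.append(
                f"t={t}: FHTI {fhti:.3e} s exceeds FHTI_max {self.req.fhti_max_s:.3e} s")
        self.eo_start = t
        self.fault_at = None
        return fhti

    def eo_ended(self, t: float, reason: str) -> float:
        """EO ends because a safe state was reached or a transient fault cleared.
        Returns the accumulated EOTI over all EOs so far."""
        if self.eo_start is None:
            raise RuntimeError("eo_ended while not in EO")
        self.accumulated_eoti_s += t - self.eo_start
        self.eo_start = None
        if self.accumulated_eoti_s > self.req.eotti_s:
            self.violations.append(
                f"t={t}: accumulated EOTI {self.accumulated_eoti_s:.3f} s exceeds "
                f"EOTTI {self.req.eotti_s:.3f} s ({reason})")
        return self.accumulated_eoti_s

    def remaining_eotti_s(self, now: float) -> float:
        """Time budget left before a safe state must have been reached."""
        in_eo = (now - self.eo_start) if self.eo_start is not None else 0.0
        return self.req.eotti_s - self.accumulated_eoti_s - in_eo


def run_scenario() -> EmergencyOperationMonitor:
    """Constructed scenario: two EOs, the first ended by a transient fault clearing, the
    second by reaching a safe state. FTTI_PSS = 100 us follows the page's example;
    FHTI_max = 50 us and EOTTI = 60 s are assumed values."""
    req = TimingRequirements(ftti_s=100e-6, fhti_max_s=50e-6, eotti_s=60.0)
    m = EmergencyOperationMonitor(req)
    m.fault_occurred(0.0)
    m.backup_active(40e-6)                        # FHTI 40 us, within FHTI_max
    m.eo_ended(30.0, "transient fault cleared")   # about 30 s of EOTI recorded
    m.fault_occurred(100.0)
    m.backup_active(100.0 + 70e-6)                # FHTI 70 us: FHTI_max violated
    m.eo_ended(140.0, "safe state reached")       # 30 s + 40 s > EOTTI of 60 s
    return m


if __name__ == "__main__":
    for v in run_scenario().violations:
        print(v)
    print(f"EOTTI for a 1e-7/h backup and a 1e-3 budget: "
          f"{eotti_for_probability_budget(1e-7, 1e-3):.1f} h")
```

The monitor deliberately keeps counting EOTI across EOs that were ended by a transient fault clearing rather than by a safe state: each such interval was time spent relying on the backup alone, so the second EO in the scenario exhausts the budget even though neither EO on its own exceeded 60 s.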
In ISO 26262-10:2018, 12.2.4.2, two potential safe states are described [6]:

Safe state 1: “[VOS] in which the specified functionality is no longer needed for safety reasons,” i.e., permanently switching off the specified functionality until the item is repaired.
Safe state 2: “possible [VOSs] are limited in such a way that the ASIL rating of the hazardous events which can occur in the limited [VOSs] is equal to or lower than the ASIL capability of the remaining system,” i.e., providing the specified functionality without time restrictions for the limited VOSs until the item is repaired.
To achieve safe state 1, the item “maintains the specified functionality after occurrence of a fault” [6] until the specified functionality is permanently switched off within EOTTI. During this time span, the “functionality is kept operating” [6] without a VOS limitation. Time spent in a VOS without a SaRA requirement during EO, e.g., vehicle standstill, is also counted as part of EOTI because a fault may occur and manifest during this time. If the occurrence of a second fault is not handled properly by preventing (re-)entry into a safety-relevant VOS, i.e., one with a SaRA requirement, the SG may be violated as soon as such a VOS is entered. After finally reaching a safe state within the EOTTI, the functionality is kept unavailable until the item is repaired.
To achieve safe state 2, the item “maintains the specified functionality after occurrence of a fault” [6] until the limited VOSs are reached “within an allowable time interval” [6], i.e., the EOTTI. Within safe state 2, the vehicle function “is kept to the limited [VOS] without time limitation” [6] by the backup system. Thus, the vehicle function is provided after EO as well. Depending on the SG, one of the most obvious measures to limit the VOSs is, e.g., to limit the vehicle speed. The SM implemented to restrict the possible VOSs inherits the initial ASIL of the SG according to ISO 26262-10:2018, 12.2.4.2 Note 6 [6]. Once the item is repaired, “possible [VOSs] will return to unlimited” [6].
In their most generic form, the basic characteristics of how the safe states shall be achieved are equal [6]:

“item maintains the specified functionality after occurrence of a fault” and thus the “functionality is kept operating” until the end of EOTTI, i.e., until a safe state is reached, without VOS limitation;
“item reaches the safe state,” i.e., the ASIL rating of the possible hazard is not greater than the remaining ASIL capability of the item.
For safe state 1, the vehicle function is permanently switched off; for safe state 2, the vehicle function is kept operating afterwards. In both cases, the remaining possible VOSs are restricted such that the remaining ASIL rating of the possible hazard is not greater than the ASIL capability of the item. For safe state 1, the possible VOSs are limited in such a way that no SaRA requirement is specified at all for those VOSs; for safe state 2, the possible VOSs are limited in such a way that the resulting SaRA requirements are reduced regarding their integrity and thus adapted to the remaining ASIL capability of the backup system. Therefore, safe state 1 can be interpreted as a special application of safe state 2. In practical applications, it may be easier to maintain safe state 1 than safe state 2. Nevertheless, the SM implemented to maintain the vehicle standstill, i.e., to restrict the possible VOSs, is implemented with the initial ASIL rating according to ISO 26262-10:2018, 12.2.4.2 Note 6 [6]. In general, a system comprising multiple redundancies can include subsequent EOs.
If the item is repaired within the EOTTI, none of the described safe states are applicable. In this case, the possible VOSs are neither restricted until nor after repair. The initial ASI