The number of electronic/electrical systems in a car keeps increasing; some high-end luxury cars have more than 70 ECUs (Electronic Control Units). Airbag systems, brake systems, chassis control systems, engine control systems and other control systems are all safety-related systems. When such a system fails, it must enter a safe state or switch to a degraded mode so that the failure does not lead to injury or death. Failures may be caused by specification errors, human error, environmental effects and so on. To make functional safety design of vehicle electronic/electrical systems achievable, the road vehicle functional safety standard ISO 26262 was officially released in 2011. It adapts to automotive development the generic functional safety standard for electrical/electronic/programmable electronic systems, IEC 61508, which applies across industries.
In the ISO 26262 functional safety design process, an important early step is the hazard analysis and risk assessment of the system: the hazards of the system are identified and the risk level of each hazard, its ASIL (Automotive Safety Integrity Level), is evaluated. ASIL has four levels, A, B, C and D, where A is the lowest and D the highest. At least one safety goal is then determined for each hazard. Safety goals are the top-level safety requirements of the system; from them the safety requirements at the system level are derived and then allocated to hardware and software. The ASIL determines how demanding the safety requirements are: the higher the ASIL, the higher the safety requirements on the system, the higher the cost of achieving safety, the higher the required diagnostic coverage of the hardware, and the stricter the development process. Development cost rises, the development cycle lengthens and the technical requirements become strict. ISO 26262 therefore provides a method for reducing the ASIL under the premise of still meeting the safety goal, ASIL decomposition, which can resolve the development difficulties described above.
This paper first introduces the ASIL classification method used in the hazard analysis and risk assessment phase of ISO 26262, and then introduces the principles of ASIL decomposition with examples.
2. Hazard analysis and risk assessment
When performing functional safety design according to ISO 26262, the first step is to identify the functions of the system and analyse all of their possible malfunctions. Suitable analysis methods include HAZOP, FMEA and brainstorming. If a malfunction that was not identified at this stage is found at a later stage of development, the analysis is returned to and updated. A malfunction can cause casualties only in specific driving situations. Take a low-beam headlamp system: one of its malfunctions is that the lights are unexpectedly extinguished. If this happens on a mountain road at night, the driver cannot see the road and the car may go over a cliff and be destroyed; if the same malfunction occurs during the day, it has no effect at all. Therefore, after the malfunction analysis, a scenario analysis is performed to identify the driving scenarios relevant to each malfunction, such as overtaking on a highway or parking in a garage. Driving scenarios can be built from: road type (national roads, urban roads, country roads, etc.); road condition (slippery roads, snow and ice, dry roads); vehicle state (steering, overtaking, braking, accelerating, etc.); environmental conditions (wind and snow, night, tunnel lighting); traffic conditions (congestion, free-flowing traffic, traffic lights, etc.); and persons involved (passengers, passers-by and so on).

The combination of a malfunction and a driving scenario is called a hazardous event. Once the hazardous events are determined, the risk of each is assessed on three factors, Severity, Exposure and Controllability, to obtain its ASIL. Severity is the degree of harm to the driver, occupants, pedestrians or others; exposure is the probability of being in an operational situation in which the malfunction can cause harm; controllability is the likelihood that the driver or other persons involved can avoid the accident or injury.
The classification of these three factors is given in Table 1.
The ASIL is determined from these three factors. Table 2 shows the ASIL determination method, where D is the highest level, A the lowest, and QM (Quality Management) means that developing the function under the normal quality management process is sufficient and no safety-related design under ISO 26262 is required. Once the ASIL of a hazard has been determined, at least one safety goal is identified for each hazard as the basis for the functional and technical safety requirements.
Table 2 ASIL rating
The following shows how to conduct a hazard analysis and risk assessment, using the EPB (Electrical Park Brake) system as an example.
Compared with a conventional parking brake, the EPB provides, in addition to the parking function, a dynamic start assist function, an emergency braking function and an automatic parking function. Here we take the parking function as the example. When parking, the driver issues a braking request by a button or other means, and the EPB system applies braking force to the rear wheels to keep the car from rolling away unintentionally. The hazards of this system are unintended brake failure and unintended brake activation. The same hazard is rated differently in different scenarios, so different driving scenarios have to be analysed. To simplify the problem, only the malfunction "unintended brake failure" is assessed here. Table 3 gives the EPB risk assessment form, in which we consider the driving scenario where the car is parked on a slope and the driver is not in the car. If the driver is in the car, the driver can stop the car from rolling by stepping on the brake pedal, so controllability improves and the evaluated ASIL is lower than the ASIL D in the table. When different scenarios give different ASIL ratings for the same safety goal, the highest rating is chosen.
From the above analysis, the safety goal of the EPB system is to prevent unintended brake failure, with ASIL D.
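As an added example (not part of the original paper), the following Python encodes the ISO 26262-3 ASIL determination table from Table 2, applies the "highest ASIL per safety goal" rule to the EPB scenarios, and checks the transcribed table against the S+E+C shortcut. The S/E/C values for the EPB scenarios are constructed, since Table 3 is not reproduced on the page; only S3/E4/C3 yields ASIL D, and the driver-present case assumes controllability improves to C1.

```python
from dataclasses import dataclass

# ISO 26262-3 ASIL determination (the page's Table 2): ASIL_TABLE[S][E] holds
# the ASIL for controllability classes (C1, C2, C3); QM means no ASIL applies.
ASIL_TABLE = {
    1: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "QM"), 3: ("QM", "QM", "A"), 4: ("QM", "A", "B")},
    2: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "A"), 3: ("QM", "A", "B"), 4: ("A", "B", "C")},
    3: {1: ("QM", "QM", "A"), 2: ("QM", "A", "B"), 3: ("A", "B", "C"), 4: ("B", "C", "D")},
}
ASIL_ORDER = ["QM", "A", "B", "C", "D"]  # lowest to highest

@dataclass(frozen=True)
class HazardousEvent:
    malfunction: str
    scenario: str
    severity: int         # S1..S3 per Table 1
    exposure: int         # E1..E4
    controllability: int  # C1..C3

def determine_asil(s: int, e: int, c: int) -> str:
    """Look up the ASIL of one hazardous event; rejects classes outside Table 1."""
    if s not in (1, 2, 3) or e not in (1, 2, 3, 4) or c not in (1, 2, 3):
        raise ValueError(f"invalid S/E/C classes: S{s} E{e} C{c}")
    return ASIL_TABLE[s][e][c - 1]

def safety_goal_asil(events: list) -> str:
    """One safety goal may cover several scenarios: the highest ASIL among them wins."""
    ratings = [determine_asil(ev.severity, ev.exposure, ev.controllability) for ev in events]
    return max(ratings, key=ASIL_ORDER.index)

def table_matches_sum_rule() -> bool:
    """Transcription check: every cell equals QM/A/B/C/D at index S+E+C-6 (<=0 is QM)."""
    for s, row in ASIL_TABLE.items():
        for e, cells in row.items():
            for c, asil in enumerate(cells, start=1):
                if asil != ASIL_ORDER[max(0, s + e + c - 6)]:
                    return False
    return True

# Constructed ratings for the EPB example (Table 3 is not reproduced on the page).
# D is reachable only from S3/E4/C3, so the driver-absent scenario must be rated so;
# with the driver present, controllability is assumed to improve to C1.
EPB_EVENTS = [
    HazardousEvent("unintended brake failure", "parked on slope, driver absent", 3, 4, 3),
    HazardousEvent("unintended brake failure", "parked on slope, driver in car", 3, 4, 1),
]
```

Calling `safety_goal_asil(EPB_EVENTS)` returns "D" even though the driver-present scenario alone rates only "B", which is the rule the text states for a safety goal shared across scenarios.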