Functional Safety simulation using SaberRD
Michael McDermott/Thomas Hedges Electrical Simulation and Analysis
April 7, 2016
- Gasoline Direct Injection
- Diesel Fuel Injection Systems
- Fuel Economy & Performance Technologies
- Hybrid & Electric Vehicle Technologies
- Active Safety Systems
- Driver State Alerts
- Safety Electronics
- Battery Disconnects
- Human Machine Interface
- Occupant Classification Systems
- Vehicle Infrastructure Interface (VII) & Vehicle-to-Vehicle Interface
- Telematics
- Digital Receivers
- Connected Vehicle
- Satellite, Audio, Video & Data Systems
Safe, Green, Connected: megatrends drive our technology portfolio, focused on solutions to customers' problems.
Delphi – the Innovation Inside your vehicle
1 Automated Driving Features
2 Advanced Powertrain Technologies
3 GDi Fuel System
4 Aluminum Cable
5 Safety Restraint System Connectors
6 HEV/EV Power Systems
7 Electrical Architecture
The most sophisticated electronic device you own, your vehicle, has more computing power than the Space Shuttle, with up to 50 computers beneath its skin.
Ensuring Product Safety
The automotive industry is requiring:
• Compliance to ISO 26262
• Component-level DFMEA (Design Failure Mode Effects Analysis)
What is ISO 26262?
• Component failures evaluated for impact on the safety goal
• Multiple faults per component
  • Open/short/value change
• Analysis of safety measures
  • Is the fault detected by diagnostics?
Component Level DFMEA/DFMEDA
Design Failure Mode Effects Analysis / Design Failure Mode Effects and Diagnostic Analysis
• Component-by-component evaluation of the system impact of a fault
• Evaluation of the diagnostic strategy to detect the faulted component
• Requires evaluation of multiple faults per component
  • (i.e. open, short, change in value...)
• Required for all components, not just functions with safety goals
• Longer analysis and report
Example: DFMEDA Switched Mode Power Supply
• Is it a safe state?
• Will component damage occur?
• Can we detect it & compensate?
• What other features/functions are affected by this fault?
Primary function is to maintain 13V <= SMPS_OUT <= 15V.
SMPS_OUT > 15V is a high-risk, unsafe state.
SMPS_OUT < 13V is a low-risk, undesirable but safe state.
[Figure: SMPS fault cases on the 12V rail, annotated with their outcomes: power rating exceeded; voltage regulation maintained; voltage ratings not exceeded; the fault is detectable and can be mitigated.]
Resource requirements for fault analysis
• A typical automotive electronics module can contain 3k+ components
• Components may have 3-7 failure modes
• Teams consist of Hardware, Software, Mechanical, Systems, etc.
• Assuming 5 minutes/item, this task would take about 1000 work-hours (125 total work days)
This is a large task!
The Solution...
[Schematic: SaberRD model of the HVDC output overcurrent detection circuit. Current sense inputs HV_OUT_CURR_SENSE / HV_OUT_CURR_SENSE_RET / HV_OUT_I_SENSE feed an LM2903 comparator (U35) and LM2902 op-amp (U36); NAND gates (U34, U37) form the latch with FLT_RESET and the OC_TEST self-test input; outputs OVERCURRENT and OVERVOLTAGE gate DCDC_ENABLE, DCDC_IC_ENABLE and PFC_IC_ENABLE; IDC_FDBK goes to the microprocessor. Component reference designators and values omitted. Input current stimulus: i_pwl with pwl:[0,0,20m,0,20.001m,0.5,100m,0.5,100.001m,0,120m,0,120.1m,0.15,170m,0.15,170.1m,0.5,1,0.5]]
OVERCURRENT goes to the uP and indicates that an OC condition has been detected. TSR78: HVDC output overcurrent shall be detected by software implementation within 2 ms.
These signals go to the driver ICs to disable the hardware. TSR464: HVDC output overcurrent shall be detected by hardware implementation.
OC_TEST is used to force the OVERCURRENT fault when the input current is zero, i.e. it verifies that the H/W OC detect is operational.
Transformer primary current: normal operation 1 A to 15 A +/-2%; overcurrent fault 20.1 A (nom). The transformer has a ratio of 1:100. Overcurrent detect circuit: normal operation 10 mA to 150 mA +/-2%; overcurrent fault 201 mA (nom).
Fault reset is armed when high ('1') and requires a low pulse to clear the latched state.
Gain is 0.1725 V/A.
[Latch: D flip-flop with setN / resetN (asserted low), q / qn outputs.]
Mimics the software overcurrent test. If the test fails, the driver is disabled. tau = 10 ms.
Fault Simulation Overview
1. Simulation design
2. Component failures
3. Measures of results
4. Pass/fail criteria
Simulate with the Functional Safety tool to get pass/fail results for each failure mode.
Example: Current Measurement Circuit
Safety requirement is to shut down if load current is too high for a certain period of time.
4 Steps for performing fault simulation
1. Capture design
2. Create list of component faults
3. Create simulation "experiment"
4. Run experiment and view results
Step 1: Capture Design
• Model features:
  • Current measurement circuit
  • Hardware overcurrent shutdown
  • Software overcurrent shutdown
  • Circuit self-test during power-up
• This is the most time-intensive part of this process.
Step 2: Create List of Component Faults
• The fault list can be auto-generated from the simulation schematic.
• For this example, faults were open, short, or "stuck at".
• This example had 160 different faults.
Step 3: Create Experiment
• Loop through the fault list, run a transient analysis for each fault, and take measurements.
• Pass/fail criteria: 3 scenarios identified.
Step 4: Run Experiment and View Results
• Pass/fail criteria were defined 3 different ways: no safety measure, hardware detection, software detection.
• The 160-fault simulation was created in a few seconds.
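The four-step flow above as an added Python example, not code from the slides or from SaberRD: a constructed fault list (open, short, stuck-at) is looped over a reduced model of the overcurrent detect path, each fault is run through a transient, measured, and scored against the deck's three pass/fail scenarios. The 0.1725 V/A gain and 20.1 A trip level come from the slides; the 100 us step, the 0.5 ms software poll and the 10 A to 25 A stimulus are assumptions.

```python
# Constructed fault-injection harness, not SaberRD or Delphi code: the sense
# path is reduced to a gain, a comparator, a latch and a software poll.
from itertools import product

GAIN_V_PER_A = 0.1725    # sense gain quoted on the slide
OC_LEVEL_A = 20.1        # nominal hardware overcurrent trip level (slide)
SW_DEADLINE_S = 0.002    # TSR78: software detection within 2 ms
STEPS_PER_S = 10000      # assumption: 100 us transient step
SW_POLL_STEPS = 5        # assumption: software samples every 0.5 ms
T_OC = 0.050             # constructed stimulus: overcurrent starts at 50 ms
V_TRIP = OC_LEVEL_A * GAIN_V_PER_A
# fault list in the deck's style: open/short on the sense path, stuck-at on logic
FAULTS = [("none", "nominal"), ("sense_resistor", "open"), ("sense_resistor", "short")]
FAULTS += product(["comparator", "latch"], ["stuck0", "stuck1"])

def primary_current(t):
    return 10.0 if t < T_OC else 25.0      # constructed: 10 A nominal, 25 A fault

def run_transient(component, mode, t_end=0.1):
    """Return (hardware latch time, software flag time); None if never."""
    hw_t, sw_t, latched = None, None, False
    for k in range(int(t_end * STEPS_PER_S)):
        t = k / STEPS_PER_S
        v_sense = primary_current(t) * GAIN_V_PER_A
        if component == "sense_resistor":      # open or shorted sense: no signal
            v_sense = 0.0
        trip = v_sense > V_TRIP
        if component == "comparator":          # stuck1 trips always, stuck0 never
            trip = mode == "stuck1"
        latched = latched or trip
        if component == "latch":
            latched = mode == "stuck1"
        if latched and hw_t is None:
            hw_t = t
        if k % SW_POLL_STEPS == 0 and sw_t is None and v_sense > V_TRIP:
            sw_t = t
    return hw_t, sw_t

def evaluate(component, mode):
    """Pass/fail per scenario: driver off by T_OC + 2 ms (an early, spurious trip is safe)."""
    hw_t, sw_t = run_transient(component, mode)
    deadline = T_OC + SW_DEADLINE_S
    return {"no_safety_measure": False,        # unprotected: current reaches the driver
            "hardware_detection": hw_t is not None and hw_t <= deadline,
            "software_detection": sw_t is not None and sw_t <= deadline}

def fault_report():
    table = {f"{c}:{m}": evaluate(c, m) for c, m in FAULTS}
    return table, sorted(k for k, v in table.items() if not any(v.values()))
```

The second value returned by fault_report() is the list of faults that neither safety measure catches, which is the DFMEDA question the slides ask of each component.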
DFMEA Study
• The Functional Safety add-on tool was also evaluated for usefulness in determining the effects of failures in creation of the DFMEA document.
• Advantages:
  • Saves significant engineering time
  • Reduces subjectivity
  • Reduces errors
  • Can provide supporting data (measurement log feature)
  • Auto-generated report
Summary
• Fault simulation is quite useful for compliance to ISO 26262 and DFMEA.
• Can greatly reduce engineering resources while improving accuracy of results.
• Can be used to create data for functional safety calculations.
• Can automate part of the generation of the DFMEA.