Function Mapping and Quantified Concept Evaluation

Andy Williams BSc (Hons), MSc, CEng, MIET
Lead Engineer – System Integration & Functional Safety
Email: [email protected]
UK Mob: +44 7775 030 777
26th January 2017
© Copyright, Confidential, TMETC

Slide 2 – Agenda
• ISO 26262 mapping to internal process
• Process & tools
• Features, systems, items, functions & interfaces
• Re-use
• Analysing conceptual architectures
• System descriptions
• Quantifying Plausibility Cross-checks (PCc)
• Comparing multiple architectures
• Applications & benefits

Slide 3 – ISO 26262 (OEM level) cross-reference to NPI / TCDS
The slide is a diagram that maps the internal work products (FSwp_*), confirmation reviews (FScr_*) and verification reports (FSvr_*) onto ISO 26262:2011 clauses (written Part-Clause.Sub-clause) and onto the NPI / TCDS gateways (Idea / Wishlist, TS, CS, AR, DR0, DR1, DR2, DR3, DR4). The mapping recovered from the diagram:

Management and planning
• FSwp_Safety_Plan – 2-6.5.1 Safety plan; 8-5.5.3 Project plan
• FScr_Safety_Plan – refer to 2-6.4.7.1, confirmation of 2-6.5.1 Safety plan
• 2-5.5.1 Organisation-specific rules and processes for functional safety; 2-5.5.2 Competence analysis of staff; 2-5.5.3 Quality management system review
• 2-6.5.4 Functional safety assessment plan (2-Annex E is the agenda); FScr_FS_Assessment – 4-10.5.1 Functional safety assessment report
• 2-6.5.5 Functional safety audit, i.e. confirmation measure reports, as input to the safety case; FScr_FS_Assessment_C#1 is the same for component #1
• FSwp_DIA_C#1 – 8-5.5.2 Development interface agreement for component #1 (reference: supplier DIA discussions)
• Q_L3_EE_012 System Safety SOW and QMS 012_F1 System Safety SOW Compliance V0.90

Concept phase
• FSwp_Item_Def – 3-5.5 Item definition
• FSwp_Impact_A – 3-6.5.1 Impact analysis
• FSwp_HARA – 3-7.5.1 Hazard analysis and risk assessment; FScr_HARA – refer to 2-6.4.7.1, confirmation of 3-7.5.1 HARA
• FSwp_Safety_Goals – 3-7.5.2 Determination of safety goals; FSvr_HARA_SG – 3-7.5.3 Hazard analysis and safety goals verification report
• FSwp_Safety_Concept – 3-8.5.1 Functional safety concept (FSRs); FSvr_Safety_Concept – 3-6.5.2 Functional safety concept verification report
• FSwp_Validation_Spec – 4-6.4.6.2 Validation specification for safety goals and functional safety requirements (3-8.5.1 functional safety concept validation specification)

System level
• FSwp_Technical_SR – 4-6.5.1 Technical safety requirements specification; FSvr_Technical_SR – 4-6.5.2 Technical safety requirements verification report
• 4-7.5.1 Technical safety concept; 4-7.5.2 System design specification; 4-7.5.4 Requirements for production, operation and service; 4-7.5.5 Verification of system design; 4-7.5.6 Safety analysis report
• FScr_System_Design – refer to 2-6.4.7.1, confirmation of 4-7.5.5 System design
• FSwp_Validation_Plan – 4-5.5.4 Validation plan (validate safety goals); FScr_Validation_Plan – refer to 2-6.4.7.1, confirmation of 4-5.5.4 Validation plan (task from the safety plan)
• 4-5.5.3 Item integration and test plan(s); FScr_Item_Integration_Test_Plan – refer to 2-6.4.7.1, confirmation of 4-5.5.3
• FSwp_System_Verification_Spec – 4-8.5.2 Verification specification, system integration and test; FSwp_System_Integration_Report – 4-8.5.3 System integration and testing report
• FSwp_Vehicle_Verification_Spec – 4-8.5.2 Verification specification, vehicle integration and test (test plan, vehicle integration); FSwp_Vehicle_Integration_Report – 4-8.5.3 Vehicle integration and testing report
• FSwp_HWSW_Integration_Report – 4-8.5.3 Hardware-software integration report, with a hardware-software integration confirmation review
• 4-9.4.3 / 4-9.4.4 Safety validation report
• FScr_Production_Release – 4-11.5.1 Release for production report; 4-11.5.1 Software and hardware baseline report

Safety case
• FSwp_Safety_Case – 2-6.5.3 Safety case; FScr_Safety_Case – refer to 2-6.4.7.1, confirmation of 2-6.5.3 Safety case

Supplier, hardware and software
• 5-x Hardware design guidelines specification (supplier development, TML audits)
• 6-5.5.3 Design and coding guidelines specification
• 6-5.5.4 Software tool application guidelines

Slide 4 – Process and Tools
• RMDV2 holds the feature requirements and the feature validation
• PREEvision holds the function requirements and the function verification
(Requirements on the left of the V, verification and validation on the right.)

Slide 5 – Vehicle Features to Vehicle Systems
• Vehicle features: Powertrain – Engine (Gasoline, Diesel, Electric, etc.), Energy Storage (HV Energy Store, etc.), Transmission (Manual, etc.)
• Platforms: Platform X (X, X+, X++), Platform Y (Y, Y+, Y++)
• Vehicle systems: Gasoline ICE Engine System, Diesel ICE Engine System, HVES System, etc.

Slide 6 – Vehicle Systems to Items (treated as ISO 26262 SEooC – Safety Elements out of Context)
Vehicle system: HV Energy Storage System. Item / sub-systems and their functions:
• Cell monitoring – cell voltage monitoring and control function; cell voltage interface; cell temperature monitoring and control; cell temperature interface
• Isolation monitoring – resistance monitoring and control; resistance interface
• HVESS connect / disconnect – pre-charge monitoring and control; pre-charge interface; negative contactor monitoring and control; negative contactor interface; positive contactor monitoring and control; positive contactor interface

Slide 7 – Re-Use
Vehicle: modified feature. Sounds simple? The impact analysis decides:
• No safety impact – 100% re-use
• Safety impact – partial re-use

Slide 8 – Re-Use (feature / function matrix)
The slide is a matrix of features and functions against vehicle variants (X451 XE, XM, XT, XT+, XZ; X452 XE, XM, XT, XT+, XZ; a further column labelled Peregrin) and gateways (NPIP / TCDS: Idea / Wishlist, TS, CS, AR, DR0–DR4), with cells marked Scope, C, an ASIL, or "Not analysed". The same HVES scope (Energy Storage → HVES System → Cell monitoring → Cell V mon & cntrl → Cell V i/f) is traced from one vehicle's features into the next.
• Features listed: Chassis – Antilock Braking (ABS), Electronic Stability Program (ESP), Park Brake, Primary Brakes, Gear Selection Module (GSM), Start Stop, Motor Control; Powertrain – Engine, Transmission, Electric / Hybrid Vehicle Supervisory Control Unit (VSCU)
• FSwp_Item_Def for the Electric Park Brake (EPB): FSidf_EPB_fn_1 Static Apply; FSidf_EPB_fn_1.1 Manual Application; FSidf_EPB_fn_1.1.1 Drive request – control device; FSidf_EPB_fn_1.2 Automatic Apply; FSidf_EPB_fn_1.2.1 Auto Park; FSidf_EPB_fn_1.2.2 Auto Hold; FSidf_EPB_fn_5 Visual Status; FSidf_EPB_fn_5.1 Applied / release status; FSidf_EPB_fn_5.2 Fault status
• FSwp_Item_Def for the Primary Brakes (PrB): FSidf_PrB_fn_1 Brake Lights (ASIL B); FSidf_PrB_fn_2 Interface Applied status (ASIL C)
• Feature-to-function links: Emergency Stop Signal (panic brake) → Automatic Apply (1.2.1, 1.2.2); Park Brake → Static Apply (1.1, 1.1.1)
• Attributes that need to be assessed per variant: speed, acceleration, mass, etc.
• Legend: functions x and x.y carry a QM, ASIL A, B, C or D target; cells show QM qualified … ASIL D qualified, or Not analysed; a function either satisfies the feature ASIL target or does not. Example cells on the slide: ASIL B, ASIL D, ASIL A, QM, Not analysed.
• None of the ASIL ratings are correct – examples only, to show the principle.

Slide 9 – Areas of Interest
• Functions: all major functions for monitoring, control, actuation, and the interfaces / boundaries
• Example item: Battery Element Management System. Functions: Max Discharge Current (A), State of Charge (%). Interfaces: Inverter / Motor, Instrument Cluster

Slide 10 – Critical Points for Analysis
• C – Connectors
• T – Transducers: physical values to a voltage
• M – Measurements: voltage measurement
• P – Parameters: software variable to / from control algorithms
• D – Data: signals between distributed systems
• O – Outputs: the analogue or digital output from a controller
• A – Actuators: physical control actuation

Slide 11 – System Description
A system is drawn as a signal chain through the critical points: C → T → M → P (Output = f(Input)) → D → P → O → A, for example transducer → controller → driver warning. The same C / T / M / P / D / O / A legend as slide 10 applies.

Slide 12 – Isolation Tester Example
• Resistance measurement chain: C → Isolation Monitor (T, M, P) → D → Pack Controller (P) → D → Driver Warning (O → A)
• In terms of signals / interface boundaries: the transducer produces isol_res_AI_MR, the isolation monitor's parameter and the CAN bus data carry isol_res_MR, and the driver warning is driven by fault_led_DO_V
• Each point is classified as "failure cannot violate safety goal" or "failure could violate safety goal"

Slide 13 – Expanding the System
• String 1 (and strings 2, 3 … s, shown as string's'_*): string1_V, string1_C, string1_SOC_pc, string1_chg_en, string1_dischg_en are parameters (P) sent as data (D) to the pack controller; string1_pos_DO_V and string1_neg_DO_V are outputs (O) through connectors (C) to the contactor actuators (A)
• Pack controller parameters: calc_pack_V, pack_V, calc_pack_C, calc_pack_SOC_pc, calc_pack_SOH_pc, pack_max_chg_V, pack_max_chg_A, pack_max_dischg_A, pack_min_dischg_V; outputs pack_chg_en_DO_V and pack_dischg_en_DO_V
• Interfaces: Power Distribution; Inverter (pack_chg_en_DO_V, pack_dischg_en_DO_V, pack_max_dischg_A, pack_min_dischg_V); Charger (pack_max_chg_V, pack_max_chg_A); Isolation Monitor (meas_pack_AI_V and meas_HV_AI_V via C / M, isol_res_AI_MR from the transducer to isol_res_MR); Driver Warning (fault_led_DO_V, O → A); etc.

Slide 14 – Plausibility Cross-checks (PCc's)
PCc – prove the isolation resistance measurement is correct by switching a known test resistance in parallel with the nominal HV–chassis resistance.
• Isolation Monitor: M → P STR_ISOL_RES_R → D STR_ISOL_RES_R
• PCC block: P STR_ISOL_RES_R and P STR_ISOL_STATUS → D; P TEST_RES_EN → O → A (the test resistor)

Slide 15 – Best Architecture?
Isolation monitor with the test resistor output inside the isolation monitor:
• Connections C1 HVPOS_AI_V, C2 HVNEG_AI_V, C3 CHASSIS_AI_V → measurements M1, M2 → transducer T1 → parameters P1 STR_ISOL_HV_V and P2 STR_ISOL_RES_MR / STR_ISOL_RES_R; supply PSU1
• PCC1 (in the monitor): CAL_REF_WIN_V, CAL_REF_WIN_R, STR_ISOL_STATUS (P3, P4, P5)
• Data to the string controller: D1 STR_ISOL_HV_V, D2 STR_ISOL_RES_R, D3 STR_ISOL_STATUS → D4, D5, D6 → P6, P7, P8; supply PSU2
• PCC2 and PCC3 on the string side consume STR_ISOL_RES_R / STR_ISOL_STATUS; TEST_RES_EN → O1 → A1 (test resistor) via P2 / P9

Slide 16 – The ASIL Attribute
• The HARA provides an ASIL for each safety goal
• Item → Subsystem 1 (Function 1.1, Function 1.2), Subsystem 2 (Function 2.1, Function 2.2): subsystems and functions carry an inherited ASIL
• Decomposition can be performed at a number of stages in the process: concept, system design, hardware design, software architectural design
• Decomposition relies on independence and imposes additional requirements

Slide 18 – ASIL Requirements Decomposition
Can independence be demonstrated? Same signal diagram as slide 15, but the test resistor initiation is moved to another controller: C4, P9 / P10 TEST_RES_EN and TEST_MEAS_FAILED, and PCC3 now sit in the second controller, so the check of the measurement path is independent of the monitor being checked.

Slide 20 – Concept Architecture Analysis
Information required:
• Failure rate – lumped value / representative scaling
• Failure mode – generic, for signals / main components
• Failure mode distribution – signals / main components
• Safety criticality – impact / no impact on safety goal
• Diagnostic coverage – achievable estimate based on the standard
• Diagnostic coverage confidence levels – relate to the number and type of diagnostic techniques used
Slide 21 – Diagnostic Coverage (one technique, low coverage)
Element analysed: electrical elements – sensors including signal switches, ISO 26262-5:2011 Table D.11, failure detection by on-line monitoring. The sheet lists the available techniques with their generic coverage level (High 99%, Medium 90%, Low 60%): test pattern; input comparison / voting (1oo2, 2oo3 or better redundancy); sensor rationality check; sensor valid range; sensor correlation (only if the data flow changes within the diagnostic test interval). Annex D references on the sheet: D.2.1.1, D.2.6.1, D.2.6.5, D.2.10.1, D.2.10.2, D.2.10.3. Where no generic fault model is available the sheet notes "detailed analysis necessary". A failure mode is only claimed where a technique is marked "Used" (y).

Full claim = failure mode distribution × coverage level; PCc claim = full claim de-rated for confidence in the cross-check.

Failure mode          | Distribution | Full claim | PCc claim
Out of range          | 40%          | 24.00%     | 23.52%
Offsets               | 25%          | 15.00%     | 14.70%
(label not recovered) | 10%          |  6.00%     |  5.88%
Stuck in range        | 20%          | 12.00%     | 11.76%
Oscillation           |  5%          |  3.00%     |  2.94%
Total                 | 100%         | 60%        | 59%

Maximum claim for the technique is 60%.

Slide 22 – Diagnostic Coverage (two techniques, high coverage)
Same element and failure mode distribution; two High techniques marked "Used".

Failure mode          | Distribution | Full claim | PCc claim
Out of range          | 40%          | 39.60%     | 39.20%
Offsets               | 25%          | 24.75%     | 24.50%
(label not recovered) | 10%          |  9.90%     |  9.80%
Stuck in range        | 20%          | 19.80%     | 19.60%
Oscillation           |  5%          |  4.95%     |  4.90%
Total                 | 100%         | 99.00%     | 98.01%

Maximum claim for the technique is 99%. Reduced confidence in the PCc as only two techniques are used.

Slide 23 – Diagnostic Coverage (three techniques, high coverage)
Same element and failure mode distribution; three techniques marked "Used".

Failure mode          | Distribution | Full claim | PCc claim
Out of range          | 40%          | 39.60%     | 39.40%
Offsets               | 25%          | 24.75%     | 24.63%
(label not recovered) | 10%          |  9.90%     |  9.85%
Stuck in range        | 20%          | 19.80%     | 19.70%
Oscillation           |  5%          |  4.95%     |  4.93%
Total                 | 100%         | 99.00%     | 98.51%

Maximum claim for the technique is 99%. Increased confidence in the PCc as additional techniques are used.

Slide 24 – PCc Combines DC Analysis
For example, a transducer analysis may cover both its signals and its power supply:
• Signals – sensors including signal switches (Table D.11): out of range, offsets, stuck in range, oscillation; techniques test pattern, input comparison / voting, sensor rationality, sensor valid range, sensor correlation (D.2.1.1, D.2.6.1, D.2.6.5, D.2.10.1, D.2.10.2, D.2.10.3)
• Power supply (Table D.9): under- and over-voltage (Low / Medium / High claims), power spikes, drift & oscillation; techniques voltage or current control on the input and on the output (D.2.8.1, D.2.8.2)
• Columns per failure mode: failure mode distribution, whether the failure mode leads to violation of the safety goal (SG failure distribution), full claim, PCc claim
• Combined result as printed on the slide: full claim 99.00%, PCc claim 98.38%

Slide 25 – More Candidate PCc Architectures
All variants measure hv_pos_AI_V, hv_neg_AI_V and chassis_AI_V (C → M), derive isol_res_MR in the isolation monitor (T → P), pass it as data (D) to the pack controller, and drive the driver warning fault_led_DO_V (O → A).
• Architecture 1 – Isolation monitoring stand-alone with reference window: the pack controller's PCC compares isol_res_MR against CAL_ref_win_MR
• Architecture 2 – Isolation monitoring with test resistance enable in the isolation monitor: the monitor's own PCC drives test_res_en_DO_V and reports "Test Measure Failed"
• Architecture 3 – Isolation monitoring with test resistance enable in the pack controller: the pack controller's PCC drives test_res_en_DO_V, checks isol_res_MR against CAL_ref_win_MR and reports "Test Measure Failed"
• Architecture 4 – not shown
• Architecture 5 – Isolation tester with test resistance and an independent timing monitor (CAL_st_time_s) that raises "Test Measure Failed" if the test does not complete in time

Slide 26 – PCC – SPFM Calculation Example
The table rates each analysis point of the isolation monitor / string interface. Columns: element classification; element reference; signal description; failure rate (FIT); safety-critical component (y); safety-critical failure rate; Annex D table used; failure rate distribution (% of the failure rate in modes that can violate the safety goal); failure mode that can violate the safety goal without safety mechanisms (y); failure mode coverage with respect to violation of the safety goal; residual or single-point failure rate (FIT); safety mechanism preventing the violation. Residual FIT = failure rate × distribution × (1 − coverage).

Group                      | Ref  | Class         | Signal           | FIT         | Table | Dist. | Coverage | Residual FIT | Safety mechanism
Connections                | C1   | Connection    | HVPOS_AI_V       | 0.035325508 | D.3   | 40%   | 0.00%    | 0.01413      | –
Connections                | C2   | Connection    | HVNEG_AI_V       | 0.035325508 | D.3   | 40%   | 0.00%    | 0.01413      | –
Isolation monitor inputs   | M1   | Measurement   | HVPOS_AI_V       | 4.9         | D.3   | 40%   | 0.00%    | 1.96         | –
Isolation monitor inputs   | M2   | Measurement   | HVNEG_AI_V       | 4.9         | D.3   | 40%   | 0.00%    | 1.96         | –
Isolation monitor inputs   | C3   | Connection    | CHASSIS_AI_V     | 0.035325508 | D.3   | 40%   | 0.00%    | 0.01413      | –
Isolation monitor internal | T1   | Transducer    | STR_ISOL_RES_MR  | 14.36735399 | D.11  | 40%   | 0.00%    | 5.746942     | –
Isolation monitor internal | P1   | Parameter     | STR_ISOL_HV_V    | 4.460886003 | D.9   | 40%   | 97.02%   | 0.053218     | PSU monitor
Isolation monitor internal | P2   | Parameter     | STR_ISOL_RES_R   | 4.460886003 | D.9   | 40%   | 97.02%   | 0.053218     | PSU monitor
Isolation monitor internal | PSU1 | General – PSU | supply           | 12          | D.9   | 40%   | 98.51%   | 0.07176      | Micro monitor of supply
Isolation monitor outputs  | D1   | Data          | STR_ISOL_HV_V    | 1.999540997 | D.11  | 40%   | 0.00%    | 0.799816     | –
Isolation monitor outputs  | D2   | Data          | STR_ISOL_RES_R   | 1.999540997 | D.11  | 40%   | 0.00%    | 0.799816     | –
String inputs              | D3   | Data          | STR_ISOL_HV_V    | 1.999540997 | D.11  | 40%   | 0.00%    | 0.799816     | –
String inputs              | D4   | Data          | STR_ISOL_RES_R   | 1.999540997 | D.11  | 40%   | 0.00%    | 0.799816     | –
String internal            | P3   | Parameter     | STR_ISOL_HV_V    | 4.460886003 | D.9   | 40%   | 97.02%   | 0.053218     | PSU monitor
String internal            | P4   | Parameter     | STR_ISOL_RES_R   | 4.460886003 | D.9   | 40%   | 97.02%   | 0.053218     | PSU monitor
String internal            | PSU2 | General – PSU | supply           | 12          | D.9   | 40%   | 98.51%   | 0.07176      | Micro monitor of supply

Total failure rate: 74.115 FIT. Residual or single-point failure rate: 13.265 FIT. Single Point Fault Metric: 82.1%. 16 points to analyse using PCc, as opposed to 172 components.
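The two calculations above (the diagnostic-coverage claims of slides 21 to 23 and the SPFM table of slide 26), carried through in Python as an added example. This is not the spreadsheet behind the slides. Failure rates, distributions, coverage levels and the 40 % safety-critical share are the values printed on the slides; the confidence factors applied to the PCc claim (0.98, 0.99 and 0.995 for one, two and three techniques) are inferred from the printed numbers and are an assumption of this example, as is the residual formula FIT × share × (1 − DC), which is what reproduces the slide's residual column.

```python
"""Quantified PCc evaluation: diagnostic-coverage claims with confidence
de-rating, and the single-point fault metric (SPFM) for the isolation
monitor / string example.

Added example, not the spreadsheet behind the TMETC slides. Failure rates,
distributions and DC levels are the values printed on the slides; the
confidence factors (0.98, 0.99, 0.995 for one, two and three techniques) are
inferred from those printed numbers and are an assumption of this example.
"""
from dataclasses import dataclass

# ISO 26262-5:2011 Annex D diagnostic-coverage levels used on the slides
DC_LEVEL = {"low": 0.60, "medium": 0.90, "high": 0.99}

# Failure-mode distribution of the 'sensors including signal switches' element
# (Table D.11) as printed on the Diagnostic Coverage slides. The label of the
# 10 % row did not survive extraction.
SENSOR_FMD = [("out of range", 0.40), ("offsets", 0.25), ("unlabelled", 0.10),
              ("stuck in range", 0.20), ("oscillation", 0.05)]

SPFM_TARGET = {"B": 0.90, "C": 0.97, "D": 0.99}   # Metrics Calculation Comparison slide
LFM_TARGET = {"B": 0.60, "C": 0.80, "D": 0.90}


def pcc_confidence(n_techniques: int) -> float:
    """Confidence factor applied to the full DC claim (assumption inferred from
    the slides: a 2 % penalty for one technique, halving per extra technique)."""
    if n_techniques < 1:
        return 0.0
    return 1.0 - 0.02 / 2 ** (n_techniques - 1)


def dc_claims(fmd, level: str, n_techniques: int) -> dict:
    """Per failure mode: full claim = share x DC level; PCc claim = full x confidence."""
    dc = DC_LEVEL[level]
    conf = pcc_confidence(n_techniques)
    rows = [(name, share, share * dc, share * dc * conf) for name, share in fmd]
    return {"rows": rows,
            "full_claim": sum(r[2] for r in rows),
            "pcc_claim": sum(r[3] for r in rows)}


@dataclass(frozen=True)
class Element:
    """One analysis point of the SPFM table (C / M / T / P / D / PSU classification)."""
    ref: str
    kind: str
    signal: str
    fit: float              # total failure rate, FIT
    table: str              # ISO 26262-5 Annex D table used for the failure modes
    sg_share: float         # fraction of fit in modes that can violate the safety goal
    coverage: float = 0.0   # DC claimed for those modes (0 = no safety mechanism)

    @property
    def residual_fit(self) -> float:
        """Residual / single-point failure rate: fit x share x (1 - DC)."""
        return self.fit * self.sg_share * (1.0 - self.coverage)


def isolation_monitor_elements() -> list:
    """The 16 points of the slide's SPFM example, failure rates as printed."""
    c, m, t, p, psu, d = 0.035325508, 4.9, 14.36735399, 4.460886003, 12.0, 1.999540997
    cov_p = DC_LEVEL["high"] * pcc_confidence(1)     # 97.02 % on the slide
    cov_psu = DC_LEVEL["high"] * pcc_confidence(3)   # 98.51 % on the slide
    return [
        Element("C1", "Connection", "HVPOS_AI_V", c, "D.3", 0.4),
        Element("C2", "Connection", "HVNEG_AI_V", c, "D.3", 0.4),
        Element("M1", "Measurement", "HVPOS_AI_V", m, "D.3", 0.4),
        Element("M2", "Measurement", "HVNEG_AI_V", m, "D.3", 0.4),
        Element("C3", "Connection", "CHASSIS_AI_V", c, "D.3", 0.4),
        Element("T1", "Transducer", "STR_ISOL_RES_MR", t, "D.11", 0.4),
        Element("P1", "Parameter", "STR_ISOL_HV_V", p, "D.9", 0.4, cov_p),
        Element("P2", "Parameter", "STR_ISOL_RES_R", p, "D.9", 0.4, cov_p),
        Element("PSU1", "General - PSU", "isolation monitor supply", psu, "D.9", 0.4, cov_psu),
        Element("D1", "Data", "STR_ISOL_HV_V", d, "D.11", 0.4),
        Element("D2", "Data", "STR_ISOL_RES_R", d, "D.11", 0.4),
        Element("D3", "Data", "STR_ISOL_HV_V", d, "D.11", 0.4),
        Element("D4", "Data", "STR_ISOL_RES_R", d, "D.11", 0.4),
        Element("P3", "Parameter", "STR_ISOL_HV_V", p, "D.9", 0.4, cov_p),
        Element("P4", "Parameter", "STR_ISOL_RES_R", p, "D.9", 0.4, cov_p),
        Element("PSU2", "General - PSU", "string supply", psu, "D.9", 0.4, cov_psu),
    ]


def spfm(elements) -> dict:
    """SPFM = 1 - (sum of residual / single-point FIT) / (sum of total FIT)."""
    total = sum(e.fit for e in elements)
    residual = sum(e.residual_fit for e in elements)
    return {"total_fit": total, "residual_fit": residual, "spfm": 1.0 - residual / total}


def asils_meeting(metric: float, targets: dict) -> list:
    """ASILs whose SPFM (or LFM) target the computed metric satisfies."""
    return [asil for asil, target in targets.items() if metric >= target]


if __name__ == "__main__":
    for level, n in (("low", 1), ("high", 2), ("high", 3)):
        r = dc_claims(SENSOR_FMD, level, n)
        print(f"{level:5s} {n} technique(s): full {r['full_claim']:.2%}  PCc {r['pcc_claim']:.2%}")
    m = spfm(isolation_monitor_elements())
    print(f"total {m['total_fit']:.3f} FIT, residual {m['residual_fit']:.3f} FIT, "
          f"SPFM {m['spfm']:.1%}, meets SPFM target for ASIL {asils_meeting(m['spfm'], SPFM_TARGET)}")
```

Run stand-alone it reproduces the slide's 60 % / 59 %, 99 % / 98.01 % and 99 % / 98.51 % claims and the 74.115 FIT, 13.265 FIT and 82.1 % SPFM figures. The metric is dominated by the uncovered transducer, measurements and CAN data (T1, M1, M2, D1 to D4 contribute over 12 of the 13.3 residual FIT), which is exactly the information the method is meant to surface before detailed design: adding a cross-check on those points, not a better PSU monitor, is what moves the architecture toward the ASIL C target.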
Slide 27 – Metrics Calculation Comparison
Targets from ISO 26262-5, as listed on the slide:

ASIL | SPFM  | LFM
B    | ≥ 90% | ≥ 60%
C    | ≥ 97% | ≥ 80%
D    | ≥ 99% | ≥ 90%

Two plots compare the PCc estimate against the full design calculation for the five candidate architectures (SPFM axis 80–100%, LFM axis 84–96%; the plotted values are not recoverable from the extraction):
1 Stand alone
2 Reference window
3 Self test
4 Independent self test
5 Independent timed self test

Slide 28 – Applications
• Battery Management System – complex system, a number of safety goals, designed 'out of context' as a generic product
• Isolation tester – simple system, known interface
• Hybrid bus – complex system, limited component / ECU data; PCc applied across the decomposed systems to analyse integrity

Slide 29 – PCc Analysis Benefits
• System diagrams easily generated and understood
• Facilitates discussions with customers / suppliers to identify possible PCcs
• Allows multiple architectures to be compared quickly
• Fast method to analyse at the system level prior to detailed design
• Highlights architecture requirements early in the design process
• Identifies use of independent controllers – useful for decomposition
• Quantified approach, so architecture comparison is straightforward
• Accurate prediction of potential SPFM and LFM

Slide 30 – Further Work
• Improving the rules for diagnostic coverage allocation
• Automatic linking of metrics based on attributes within the function model
• Defining the attributes in model-based design and calculating the architectural metrics automatically from the models

Slide 31 – Thank You
Andy Williams, [email protected]