Philipp Kilian’s research while affiliated with University of Stuttgart and other places


Publications (5)


FIGURE 2. Derivation of FHTImax in accordance with FTTI and voltage-time limits [12].
FIGURE 3. Timing properties according to ISO 26262 combined with FHTImax definition [12].
FIGURE 6. Adapted timing properties for redundant safety-related power supply terminals including MPFHTImax definition [12].
FIGURE 9. Graphical illustration of (5), (8) and (11) for Y; upper figure from 0 to 30 000 h, lower figure from 0 to 3E+06 h.
FIGURE 13. Introduction of dormant scaling to scale the frequency of the cyclic slip of the first fault.


Best Practices for Advanced Modeling of Safety Mechanisms in an FTA
  • Article
  • Full-text available

January 2023 · 1,337 Reads · 1 Citation

IEEE Access

Philipp Kilian · Armin Köhler · Patrick Van Bergen · [...]

To cope with the megatrends electrification, automated driving, and connectivity, new functionalities and electric and/or electronic systems must be developed, which require a safe power supply. This leads to increased functional safety requirements for the power supply system, particularly regarding availability. Fault tolerance measures can be implemented to comply with a safety goal (SG) specifying a safety-related availability requirement. To verify an architecture concerning the residual risk of an SG violation, several quantitative target values are provided in ISO 26262. This technical elaboration presents a systematic and holistic approach to gaining benefit in the quantitative evaluation from cyclic safety mechanisms (SMs) – in a fault-tolerant item – which have a fault handling time interval (FHTI) longer than the fault tolerant time interval. Modelling cyclic SMs based only on conventional AND gates is not sufficient. Instead, the fault sequence is differentiated to enable ISO 26262 compliance. Within this paper, an innovative approach, including its mathematical background, is presented for modelling cyclic SMs in a fault tree analysis – with a focus on multiple-point faults. The results are verified by a Monte Carlo simulation. Besides the scalability of the approach regarding the number of considered cyclic SMs, the relevant FHTI of each cyclic SM can be considered in a traceable and comprehensible manner.


FIGURE 1. Preliminary architectural assumptions of a power supply system implementing warm redundancy [4].
Further extracted figure/table titles: "To adapt definitions in ISO 26262 in context of MPFDTI"; "Safety integrity for SMs to ensure EO"; "Failure rates for the architecture shown in Fig. 1".
Emergency Operation in the Power Supply Domain Focusing on Warm Redundancy

January 2022 · 887 Reads · 3 Citations

IEEE Access

To cope with the megatrends electrification, automated driving, and connectivity, new functionalities and E/E systems must be developed, which require a safe power supply. This leads to increased functional safety requirements for the power supply system, particularly regarding availability. Fault tolerance measures can be implemented to comply with an SG specifying a SaRA requirement. In this case, EO may be necessary to reach a defined safe state. However, there is some ambiguity in ISO 26262 regarding the necessary integrity with which the EO shall be implemented – this becomes particularly obvious in the case of warm redundancy. According to ISO 26262, the EO is entered once the failure of an element is controlled by an explicit fault handling, i.e., prevented from violating an SG, and the remaining ASIL capability of the item after the failure is lower than the required ASIL capability for the allowed VOS. However, in the context of warm redundancy, the EO can be entered automatically in the case of an element failure without an explicit fault handling. The objective of this paper is to transfer the concept of EO, as defined in ISO 26262, to warm redundancy use cases, because warm-redundant power supply systems have a high level of market penetration. Besides a detailed evaluation of time dependencies, new guidelines concerning the required systematic integrity for SMs implementing EO are provided.


FIGURE 1. Basic terms in the context of SaRA.
FIGURE 2. Deep dive "Loss of vehicle function can lead to hazardous event" from Fig. 1.
FIGURE 3. Preliminary architectural assumptions of an exemplary power supply system.
Safety-Related Availability in the Power Supply Domain

January 2022 · 585 Reads · 9 Citations

IEEE Access

The automotive industry is currently driven by the megatrends electrification, automated driving and connectivity. To cope with these trends, new functionalities and electrical and/or electronic (E/E) systems need to be developed and deployed. Independent of the implementation of E/E systems, their power input shall be ensured by the power supply system as a shared resource – leading to increased functional safety requirements for power supply systems. If the loss of an item’s functionality can lead to a hazardous event, a safety goal (SG) specifying a safety-related availability (SaRA) requirement is derived. Thereby, switching to passive mode typically cannot be considered a safe state. To address an SG specifying a SaRA requirement, fault avoidance, fault forecasting and/or fault tolerance measures can be applied. In the case of fault tolerance measures implemented by redundancy, which leads to fail-active behavior, the performance of the backup system during nominal operation and after the first fault can be further refined. In this study, SaRA in the context of ISO 26262 is evaluated in detail and mapped to an example of the power supply domain.


FIGURE 2. Comparison of the probability that a failure occurs during EO and the maximum permissible probability that a failure occurs over lifetime.
FIGURE 3. Resulting probability that a failure occurs during EO.
Emergency Operation in the Power Supply Domain According to ISO 26262

January 2022 · 545 Reads · 12 Citations

IEEE Access

The automotive industry is currently driven by the megatrends electrification, automated driving, and connectivity. To cope with these trends, new functionalities and electric and/or electronic systems must be developed, which require a safe power supply by the power supply system. This leads to increased functional safety requirements for the power supply system, particularly regarding availability. Fault tolerance measures can be implemented to address a safety goal specifying a safety-related availability requirement. In this case, emergency operation (EO) may be necessary to reach a defined safe state. The definitions and examples provided in ISO 26262 focus on cold redundancy, whereby the backup system is not engaged during nominal operation. The objective of this paper is to evaluate EO in the context of ISO 26262 in detail and map the results to an exemplary power supply system architecture implementing cold redundancy. In general, the EO is considered to be free from unreasonable risk even though the actual automotive safety integrity level (ASIL) capability of the item is lower than the initially specified ASIL rating for the hazard due to its timing restrictions. To determine the maximum permissible duration of EO, not just random hardware faults shall be considered; additionally, systematic effects shall be considered. Furthermore, an EO may be entered due to transient faults potentially causing temporary EOs – introducing the necessity of an EO recording, e.g. by accumulating the time of all temporary EOs.


FIGURE 8. Exemplary hierarchical requirement derivation for the safety goal "Prevent sudden loss of steering assist".
Principle Guidelines for Safe Power Supply Systems Development

July 2021 · 4,232 Reads · 29 Citations

IEEE Access

The relevance of safety applications within the automotive industry is increasing continuously, for example due to vehicle automation and the decreasing performance of mechanical backups. To cope with these trends, the power supply of safety-related electrical and/or electronic systems needs to be ensured. This leads to increasing functional safety requirements. Compliance with ISO 26262 will be more in focus in the future. Currently, compliance with ISO 26262 may be used to argue the state of the art with a focus on product liability – however, it will become mandatory for homologation in the future. Thereby, the power supply system is a crucial point, since faults of the power supply system are currently the major contributor to vehicle breakdowns, with an increasing tendency. So far, there is no standard approach within the automotive industry on how to ensure functional safety for power supply systems. To fill this gap, this technical elaboration evaluates functional safety with a focus on power supply system development. Hence, guidelines on how to apply ISO 26262 are provided based on discussions within the automotive industry and research institutes. The focus is on the concept phase, i.e. item definition, hazard analysis and risk assessment, and the functional safety concept. The functional safety concept is based on a structured hierarchical breakdown to systematically derive safety requirements from the item level down to the power supply system level. The essential requirement – besides the safe power feed and safe power distribution – is to assure freedom from interference between the safety-relevant and non-safety-relevant components.

Citations (4)


... It should be noted that the power supply system's functional safety for the vehicle was not addressed in this paper. However, we note that P. Kilian et al. previously investigated the key factors related to safety [22][23][24][25]. ...

Reference: Comparison of Simulation- and Regression-Based Approaches to Estimating Electric Car Power Consumption
Cited work: Emergency Operation in the Power Supply Domain Focusing on Warm Redundancy (IEEE Access)

... It should be noted that the power supply system's functional safety for the vehicle was not addressed in this paper. However, we note that P. Kilian et al. previously investigated the key factors related to safety [22][23][24][25]. ...

Cited work: Emergency Operation in the Power Supply Domain According to ISO 26262 (IEEE Access)

... As a result, the development of robust cybersecurity measures is becoming an integral part of the E/E architecture design process [38]. Manufacturers must ensure that their systems are not only functional, but also secure against potential cyber threats that could compromise vehicle safety and user privacy. ...

Cited work: Safety-Related Availability in the Power Supply Domain (IEEE Access)

... Power line is crucial infrastructure integral to the national economy and livelihood (Kilian et al 2021, Peng et al 2023). ...

Cited work: Principle Guidelines for Safe Power Supply Systems Development (IEEE Access)