Ensuring Vehicle Functional Safety: ISO 26262 and Advanced Power Electronics
Cars are becoming increasingly complex, with more electronics onboard. As the industry shifts to electric vehicles (EVs), manufacturers are working with higher voltages and larger batteries, which come with new challenges for electrical power systems.
The automotive industry is also under pressure to meet new safety targets, such as the Vision Zero[1] initiative, which aims to eliminate all road traffic fatalities. All aspects of in-car electronics must contribute to reducing and mitigating risk.
A standard for functional safety
With increasing reliance on advanced high-power electronics in vehicles, design engineers need to build key safety properties into their designs. To do this, they must understand the relevant automotive standards, in particular ISO 26262, which addresses the functional safety of electrical and/or electronic (E/E) systems in road vehicles.
Functional safety means implementing measures that prevent or mitigate hazards caused by the malfunctioning behaviour of those systems, so that they operate safely. This covers random hardware failures (such as material defects or ageing) as well as systematic failures introduced by errors in the design or development process. The standard is concerned with active measures, such as a failsafe mechanism that shuts down the engine if the cooling system malfunctions, rather than passive protection. Harm, in the standard's sense, means physical injury or damage to people's health, so the risk being reduced is always measured in those terms.
In this article, we will examine ISO 26262, the risks it addresses, and the steps design engineers can take to help ensure compliance with the standard and safe operation of their systems.
What is ISO 26262?
ISO 26262 defines a safety lifecycle for automotive E/E systems, with requirements for hazard analysis and risk assessment, safety requirements, safety mechanisms, and the verification and documentation that support them. It is an automotive adaptation of IEC 61508, the generic functional safety standard used in industrial systems.
In power electronics, functional safety applies most directly to devices that are controllable, normally through software, such as integrated motor drivers, because their behaviour can fail in systematic as well as random ways. Discrete power components without software control, such as MOSFETs, have no development process to assess in this sense, but they still count in the hardware analysis: their failure rates and failure modes feed the quantitative hardware metrics of the safety function they sit in.
Following ISO 26262 throughout the product development process gives manufacturers a structured argument that their products are free of unreasonable risk, which is how the standard defines safety. It also tells engineers which evidence and documentation they need to gather to show compliance.
Component vendors provide support, training, and software to help designers meet ISO 26262's requirements. By using components developed in accordance with ISO 26262 principles, designers can reduce the time and cost required to develop compliant systems.
Classifying risks
Many risks can impact the safety of a vehicle and its occupants. At a basic level, this could include failures or faults in the power supply systems, which could bring the car to a halt or disable key subsystems.
As cars become more technologically advanced, there are more potential vectors for failure. For instance, the integration of self-driving capabilities using advanced driver assistance systems (ADAS) is a significant advancement in terms of vehicle and road safety. However, these systems comprise multiple cameras and sensors, as well as complex software platforms, each of which introduces new ways to fail.
ISO 26262 provides a framework and mechanisms for handling these risks throughout the entire product lifecycle and for assessing and quantifying their impact. The standard defines a risk classification scheme for potential hazards, ranging from ASIL A (lowest) to ASIL D (highest), with QM (quality management) below ASIL A for hazards that need no safety measures beyond normal quality processes.
Engineers determine the ASIL of a hazard from three factors: severity of the possible harm (S1 to S3), exposure, meaning how often the driving situation in which the hazard can occur arises (E1 to E4), and controllability, meaning whether the driver or others involved can act to avoid the harm (C1 to C3). The ASIL follows from the combination of the three classes, so a severe hazard that arises only in a rare situation and is easy to control can rate lower than a less severe one that is present on every trip and cannot be controlled.
The ASIL of a hazard dictates the safety measures required in response. ASIL A has the fewest requirements for safety measures, while ASIL D requires the most stringent, for instance in the hardware fault metrics that must be met and the independence demanded between a function and the mechanism that monitors it. Commonly cited ASIL D examples are critical systems such as anti-lock brakes, power steering and airbags.
Vendors offer many components that they describe as 'ASIL compliant' or 'ASIL ready'. In practice this means the component was developed under ISO 26262 processes as a safety element out of context, targeting a given ASIL, and ships with the safety manual, failure-rate data and diagnostic coverage figures a system integrator needs. It does not make the system compliant by itself: the ASIL is assigned to the hazard at vehicle level, and the integrator still has to show that the component's assumptions of use hold in their design. Used with that in mind, such parts save design engineers considerable time.
For example, ST's battery management system solution for automotive applications is designed to support ASIL D[2]. Based on a highly integrated battery management IC (L9963E) and its companion isolated transceiver (L9963T), the solution can monitor up to 14 stacked battery cells for 48 V and higher-voltage systems. The L9963E provides an extended set of safety mechanisms, including diagnostics, integrity checks, and redundant fault notification.
Another example is onsemi’s LV8968BB three-phase BLDC pre-driver, which provides gate drive capability and has been designed to help systems meet ASIL B under ISO 26262[3]. The motor control algorithm used for testing employs field-oriented control (FOC) in conjunction with a current loop, allowing for a fast response and high efficiency.
Mitigating risks
A modern vehicle has several mechanisms designed to mitigate risks and maintain safety.
Firstly, the vehicle must be able to detect faults or failures so that it can respond appropriately, by moving to a safe state or by resetting a subsystem or component. One such mechanism is a watchdog timer, which steps in if a component becomes unresponsive or acts outside expected parameters; a windowed watchdog also catches a task that runs too often, which a simple timeout would miss. For data, parity bits, CRCs and other error detection codes report corruption and so help ensure integrity, and when paired with a rolling counter they also reveal repeated or lost messages.
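The two detection mechanisms just described, a windowed watchdog and an error-detecting code on a sensor frame, modelled in plain C so they can be compiled and run on a host. This is an added example written for this article, not code from any of the vendors or parts mentioned on this page; the window bounds, the choice of the CRC-8/SAE J1850 polynomial, the three-byte frame layout and all type and function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* ---- 1. Windowed watchdog ----
 * The monitored task must pet the watchdog no earlier than WD_MIN_TICKS and no
 * later than WD_MAX_TICKS after its previous pet. A task spinning in a tight
 * loop pets too early; a hung task pets too late or never. Both are faults, and
 * a fault is latched so that one good pet afterwards cannot clear it. */
#define WD_MIN_TICKS 8u     /* assumed window bounds, in timer ticks */
#define WD_MAX_TICKS 12u

typedef enum { WD_OK = 0, WD_FAULT_EARLY, WD_FAULT_LATE } wd_status_t;

typedef struct {
    uint32_t    last_pet_tick;
    wd_status_t status;
} watchdog_t;

void wd_init(watchdog_t *wd, uint32_t now)
{
    wd->last_pet_tick = now;
    wd->status = WD_OK;
}

/* Called by the monitored task itself. */
wd_status_t wd_pet(watchdog_t *wd, uint32_t now)
{
    if (wd->status != WD_OK)
        return wd->status;                          /* latched */
    uint32_t elapsed = now - wd->last_pet_tick;     /* unsigned: tolerates tick wrap */
    if (elapsed < WD_MIN_TICKS)
        wd->status = WD_FAULT_EARLY;
    else if (elapsed > WD_MAX_TICKS)
        wd->status = WD_FAULT_LATE;
    else
        wd->last_pet_tick = now;
    return wd->status;
}

/* Called from an independent timer, so a task that never pets at all is caught too. */
wd_status_t wd_check(watchdog_t *wd, uint32_t now)
{
    if (wd->status == WD_OK && now - wd->last_pet_tick > WD_MAX_TICKS)
        wd->status = WD_FAULT_LATE;
    return wd->status;
}

/* ---- 2. CRC-protected sensor frame with a rolling counter ----
 * The CRC detects corruption of the payload; the counter detects a repeated
 * (stale) or lost frame, which a CRC alone cannot see. */
#define CRC8_POLY 0x1Du     /* CRC-8/SAE J1850: poly 0x1D, init 0xFF, xorout 0xFF */

uint8_t crc8_j1850(const uint8_t *data, size_t len)
{
    uint8_t crc = 0xFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x80u) ? (uint8_t)((crc << 1) ^ CRC8_POLY)
                                : (uint8_t)(crc << 1);
    }
    return (uint8_t)(crc ^ 0xFFu);
}

typedef struct {
    uint8_t counter;    /* rolling counter, +1 per frame, wraps at 255 */
    int16_t value;      /* payload, e.g. a temperature in 0.1 degC (assumed) */
    uint8_t crc;        /* CRC over counter and value */
} sensor_frame_t;

typedef enum { FRAME_OK = 0, FRAME_BAD_CRC, FRAME_REPEATED, FRAME_LOST } frame_status_t;

static void frame_payload(const sensor_frame_t *f, uint8_t out[3])
{
    uint16_t v = (uint16_t)f->value;    /* avoid shifting a negative int16_t */
    out[0] = f->counter;
    out[1] = (uint8_t)(v & 0xFFu);
    out[2] = (uint8_t)(v >> 8);
}

/* Sender: fill counter and value, then seal the frame. */
void frame_seal(sensor_frame_t *f)
{
    uint8_t buf[3];
    frame_payload(f, buf);
    f->crc = crc8_j1850(buf, sizeof buf);
}

/* Receiver: *last_counter holds the counter of the last accepted frame
 * (initialise it to 0xFF so that the first frame, counter 0, is accepted). */
frame_status_t frame_check(const sensor_frame_t *f, uint8_t *last_counter)
{
    uint8_t buf[3];
    frame_payload(f, buf);
    if (crc8_j1850(buf, sizeof buf) != f->crc)
        return FRAME_BAD_CRC;           /* the counter cannot be trusted either */
    uint8_t step = (uint8_t)(f->counter - *last_counter);
    if (step == 0)
        return FRAME_REPEATED;          /* sender or bus is stuck on an old frame */
    if (step != 1)
        return FRAME_LOST;              /* at least one frame is missing */
    *last_counter = f->counter;
    return FRAME_OK;
}
```

Two design points carry over to real designs: a watchdog fault is latched rather than cleared by the next good pet, because a task that alternates between hanging and recovering is still faulty, and a bad CRC is reported before the counter is examined, because a corrupted frame says nothing reliable about freshness.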
The car must also monitor the behaviour and performance of components and subsystems to minimise the chance of unexpected problems. In power electronics, this can include monitoring the temperature of power semiconductors, as thermal stress can reduce their lifetime and increase the likelihood of failures.
Safety features may be consolidated in a dedicated hardware component. For example, the AEC-Q100-qualified FS65 system basis chip (SBC) from NXP provides power to MCUs and optimises energy consumption through DC/DC switching regulators and linear regulators. It includes a range of integrated safety features, such as monitoring of critical analogue parameters, a fail-safe state machine, and an advanced watchdog[4].
A car includes redundant systems so that if one fails, another can take over. This applies to software, with multiple independent components and processes, and to hardware, with redundant devices such as dual braking circuits.
If a fault occurs and is detected, the car's systems must move to a safe state, one in which no harm is caused. For instance, if there is a problem with the throttle control in a self-driving car, the vehicle brings itself to a halt safely at the side of the road, and the residual electrical energy stored in the traction system is discharged quickly to remove the risk of electrocution. Devices can also be 'fail-safe': if they fail for any reason, they automatically go to a safe state, for example shutting down when data corruption is detected.
Example application: EV traction inverter

Figure 1: Hardware architecture and chipset safety features of EV traction inverter (source: NXP presentation, “NEXT GENERATION OF NXP EV TRACTION INVERTER: SYSTEM FUNCTIONAL SAFETY CONCEPT & COLLATERALS”, Jérôme DIETSCH.)
One of the most important systems in an EV is the traction inverter. This converts the DC voltage from a high-voltage (typically 400 V or 800 V) battery into the AC voltage that drives the vehicle's main motor, which in turn drives the wheels, usually through a fixed-ratio reduction gear.
From a functional safety perspective, the traction inverter is likely to be classified as ASIL C or ASIL D, as it is a key system with serious consequences if it fails. The inverter must provide the correct torque in response to requests from the vehicle to ensure safe driving. It must also be able to mitigate other problems, for example, slowly braking the vehicle to bring it to a stop from high speeds.
To achieve these goals, the traction inverter will include various functional safety mechanisms, including fault detection, out-of-range checks, and thermal monitoring. Data derived from sensors, such as the position and angular speed of the motor, is continuously analysed to check for problems that require action.
Today’s power electronics components, such as integrated gate drivers, include multiple safety features, including short-circuit protection, over-current detection, and gate-voltage monitoring. The traction inverter will also include safety-specific components, such as an independent watchdog.
Figure 1 shows an example hardware architecture for an EV traction inverter, with the safety features provided. This includes a system basis chip (SBC), which provides system safety monitoring and control for simplifying ASIL D compliant designs.
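The out-of-range, plausibility and thermal checks described for the inverter, written out as one monitoring cycle in C. This is an added example for this article, not code from NXP's design in Figure 1 or any vendor's safety library; the encoder resolution, cycle time, torque and temperature limits, debounce count and the choice of reaction are all assumptions, and in a real safety concept every one of them is derived from the hazard analysis and the parts used.

```c
#include <stdint.h>
#include <stdlib.h>

#define ENC_COUNTS_PER_REV   4096   /* assumed 12-bit rotor position sensor */
#define CYCLE_TIME_US        1000   /* assumed 1 ms monitoring cycle */
#define TORQUE_MAX_NM         300   /* assumed: largest valid torque request */
#define SPEED_PLAUS_TOL_RPM    50   /* assumed: allowed gap, measured vs. derived speed */
#define TEMP_DERATE_C         150   /* assumed: reduce torque above this module temperature */
#define TEMP_TRIP_C           175   /* assumed: shut the bridge down at or above this */
#define PLAUS_DEBOUNCE          3   /* assumed: consecutive mismatches before reacting */

typedef enum { INV_RUN = 0, INV_DERATE, INV_SAFE_STATE } inv_state_t;
typedef enum { FAULT_NONE = 0, FAULT_TORQUE_RANGE, FAULT_OVERTEMP, FAULT_SPEED_PLAUS } inv_fault_t;

typedef struct {
    int16_t  torque_req_nm;   /* request from the vehicle controller */
    uint16_t rotor_pos;       /* 0 .. ENC_COUNTS_PER_REV-1 */
    int16_t  speed_rpm;       /* speed reported by the sensor interface */
    int16_t  module_temp_c;   /* power module temperature */
} inv_inputs_t;

typedef struct {
    inv_state_t state;        /* INV_SAFE_STATE is latched until inv_monitor_init() */
    inv_fault_t fault;
    uint16_t    last_pos;
    uint8_t     plaus_count;  /* consecutive speed/position mismatches */
} inv_monitor_t;

void inv_monitor_init(inv_monitor_t *m, uint16_t initial_pos)
{
    m->state = INV_RUN;
    m->fault = FAULT_NONE;
    m->last_pos = initial_pos;
    m->plaus_count = 0;
}

/* Speed implied by the rotor position change over one cycle, handling wrap-around. */
int32_t derived_speed_rpm(uint16_t pos, uint16_t last_pos)
{
    int32_t delta = (int32_t)pos - (int32_t)last_pos;
    if (delta > ENC_COUNTS_PER_REV / 2)
        delta -= ENC_COUNTS_PER_REV;
    else if (delta < -ENC_COUNTS_PER_REV / 2)
        delta += ENC_COUNTS_PER_REV;
    /* revolutions per cycle -> revolutions per minute */
    return (int32_t)(((int64_t)delta * 60 * 1000000) /
                     ((int64_t)ENC_COUNTS_PER_REV * CYCLE_TIME_US));
}

static inv_state_t enter_safe_state(inv_monitor_t *m, inv_fault_t f, int16_t *torque_limit_nm)
{
    /* Which safe state is right (all gates open / freewheeling vs. active short
     * circuit) depends on speed and on the safety concept; here it is only a flag. */
    m->state = INV_SAFE_STATE;
    m->fault = f;
    *torque_limit_nm = 0;
    return m->state;
}

/* One monitoring cycle. Returns the state and writes the torque the control loop
 * may apply this cycle into *torque_limit_nm (0 in the safe state). */
inv_state_t inv_monitor_step(inv_monitor_t *m, const inv_inputs_t *in, int16_t *torque_limit_nm)
{
    if (m->state == INV_SAFE_STATE) {
        *torque_limit_nm = 0;
        return m->state;
    }
    /* 1. Out-of-range check on the torque request received from the bus. */
    if (abs(in->torque_req_nm) > TORQUE_MAX_NM)
        return enter_safe_state(m, FAULT_TORQUE_RANGE, torque_limit_nm);

    /* 2. Thermal trip. */
    if (in->module_temp_c >= TEMP_TRIP_C)
        return enter_safe_state(m, FAULT_OVERTEMP, torque_limit_nm);

    /* 3. Plausibility: reported speed must match the position change. Debounced,
     *    so one noisy sample does not stop the car. */
    int32_t derived = derived_speed_rpm(in->rotor_pos, m->last_pos);
    m->last_pos = in->rotor_pos;
    if (abs(derived - in->speed_rpm) > SPEED_PLAUS_TOL_RPM) {
        if (++m->plaus_count >= PLAUS_DEBOUNCE)
            return enter_safe_state(m, FAULT_SPEED_PLAUS, torque_limit_nm);
    } else {
        m->plaus_count = 0;
    }

    /* 4. Thermal derating: linear reduction between the two thresholds. */
    if (in->module_temp_c > TEMP_DERATE_C) {
        m->state = INV_DERATE;
        *torque_limit_nm = (int16_t)((int32_t)TORQUE_MAX_NM * (TEMP_TRIP_C - in->module_temp_c)
                                     / (TEMP_TRIP_C - TEMP_DERATE_C));
    } else {
        m->state = INV_RUN;
        *torque_limit_nm = TORQUE_MAX_NM;
    }
    return m->state;
}
```

The checks are ordered by how much the monitor can trust its inputs: a torque request outside the physically possible range or a module at its trip temperature is acted on immediately, while a mismatch between two sensors is debounced because a single sample cannot say which sensor is wrong. In a design like the one in Figure 1 this logic would run on the safety core and be supervised in turn by the SBC's watchdog, so that a stalled monitor is itself detected.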
Conclusion
Modern vehicles rely on immensely complex electronic systems, controlled by software at almost every level. Safety is ever more important, and design engineers need to be sure they are following best practice throughout. At the same time, there is constant pressure to accelerate development timescales and to control costs.
For automotive applications, ISO 26262 provides a framework for handling functional safety in the design process. Avnet Silica can provide the expert advice and support you need to understand and apply ISO 26262 successfully.
References
- [1] Vision Zero Network, https://visionzeronetwork.org/
- [2] STMicroelectronics, Automotive battery management system (BMS), https://www.st.com/en/applications/electro-mobility/automotive-battery-management-system-bms.html
- [3] onsemi, LV8968BB three-phase BLDC pre-driver, https://www.onsemi.com/products/motor-control/motor-drivers/motor-drivers-brushless/lv8968bbuwr2g
- [4] NXP, FS65 / FS6500 system basis chip, https://www.nxp.com/products/FS6500