1- E-gas Introduction
If you are an engineer working on safety-related E/E systems in the automotive field, you will know the E-gas torque monitoring concept, also called the three-level safety monitoring concept. The concept comes from the standard "Standardized E-Gas Monitoring Concept for Gasoline and Diesel Engine Control Units" (V6.0 is the latest version, released on 22nd September 2019), which was drafted and published jointly by Audi, BMW, Daimler, Porsche and Volkswagen as a guideline for implementing functional safety in engine control units. As state-of-the-art technology, the E-gas monitoring concept is widely used in ISO 26262-compliant automotive E/E system development, for example in the BMS (battery management system), HCU (hybrid control unit), VCU (vehicle control unit), EMS (engine management system) and MCU (motor control unit).
The E-gas concept separates the software of a safety-related automotive E/E system into three layers (levels); the role of each layer is described below:
Level 1, the functional layer (mission channel), contains the intended functionality of the controller: power-on and power-off sequence control, input/output diagnostics, control of the system in case of errors, and so on.

Level 2, the function monitoring layer (safety diagnostic channel), monitors the behaviour of level 1, i.e. it detects defective sequences in level 1 or aggressive (hazardous) outputs of the level 1 functions. In case of a failure it triggers the system safety reactions.

Level 3, the controller monitoring layer (functional test supported by hardware), checks by self-testing whether the microcontroller works correctly, and thereby ensures correct and reliable execution of the level 2 monitoring. Typically it is realised with an additional hardware component (an ASIC or a second controller) that is independent of the main microcontroller.

2- 1oo1D
As mentioned in my earlier blog post, the 1oo1D system safety architecture is the hardware foundation for implementing the E-gas monitoring concept. By adding a safety diagnostic controller or ASIC, the concept can perform hardware monitoring and self-testing of the primary (function) controller. This controller monitoring is carried out by level 3 of the E-gas concept: the software located in the diagnostic controller/ASIC is named L3_MM (monitoring module), and the hardware-monitoring software located in the primary controller is named L3_FC (function computer).
Some typical functions of the level 3 hardware monitoring are shown in the picture below.
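As an added illustration (example code written for this post, not taken from the standard or from any real ECU): one common way to realise the level 3 split is a question/answer exchange in which the independent monitoring module (L3_MM) poses a question, the function computer (L3_FC) answers it by running a short instruction sequence, and the module compares the answer against a value it stores itself. The question set, the answer routine, the fault limit of two and the "stuck shift" fault model are all constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Question/answer self-test between the function computer (L3_FC) and the
 * independent monitoring module (L3_MM). The question set, the instruction
 * mix, the fault limit and the fault model are constructed for this example. */

#define L3_NUM_QUESTIONS 4
#define L3_FAULT_LIMIT   2   /* assumed: two bad answers in a row -> shut off */

typedef enum { L3_STATE_OK = 0, L3_STATE_SHUTOFF = 1 } l3_state_t;

typedef struct {
    uint8_t    next_question;
    uint8_t    fault_count;
    l3_state_t state;        /* latched once SHUTOFF, as in a fail-safe 1oo1D system */
} l3_mm_t;

/* L3_FC side: answer a question by running a short instruction mix (add, mul,
 * xor, shift, sub) so that a stuck ALU, a corrupted register or a wrong
 * program flow yields a wrong answer. */
uint32_t l3_fc_answer(uint8_t q)
{
    uint32_t a = (uint32_t)q + 7u;
    uint32_t r = a * 13u;
    r ^= 0x5Au;
    r = (r << 1) - q;
    return r;
}

/* L3_MM side: expected answers are computed offline and stored on the
 * monitor, so the check does not depend on the computer under test. */
static const uint32_t l3_expected[L3_NUM_QUESTIONS] = { 2u, 99u, 92u, 429u };

void l3_mm_init(l3_mm_t *mm)
{
    mm->next_question = 0;
    mm->fault_count = 0;
    mm->state = L3_STATE_OK;
}

/* One monitoring cycle: MM poses the next question, FC (passed as fc) answers
 * or fails to answer in time (answered == false), MM evaluates and reacts.
 * Returns the MM state after this cycle. */
l3_state_t l3_mm_cycle(l3_mm_t *mm, uint32_t (*fc)(uint8_t), bool answered)
{
    uint8_t q = mm->next_question;
    mm->next_question = (uint8_t)((q + 1u) % L3_NUM_QUESTIONS);

    if (mm->state == L3_STATE_SHUTOFF)
        return mm->state;

    if (answered && fc(q) == l3_expected[q]) {
        if (mm->fault_count > 0)
            mm->fault_count--;          /* one good answer heals one bad one */
    } else if (++mm->fault_count >= L3_FAULT_LIMIT) {
        mm->state = L3_STATE_SHUTOFF;   /* reset FC / deactivate output drivers */
    }
    return mm->state;
}

/* Fault injection for the demo: an FC whose shift instruction is "stuck". */
uint32_t l3_fc_answer_broken(uint8_t q)
{
    uint32_t a = (uint32_t)q + 7u;
    uint32_t r = a * 13u;
    r ^= 0x5Au;
    r = r - q;                           /* the shift is lost */
    return r;
}

int main(void)
{
    l3_mm_t mm;
    l3_mm_init(&mm);
    for (int i = 0; i < 4; i++)
        printf("healthy cycle %d: state %d\n", i, l3_mm_cycle(&mm, l3_fc_answer, true));
    l3_mm_init(&mm);
    for (int i = 0; i < 3; i++)
        printf("broken cycle %d: state %d\n", i, l3_mm_cycle(&mm, l3_fc_answer_broken, true));
    return 0;
}
```

Two points carry over to a real design: the expected answers live on the monitor side, never on the computer being tested, and a missing answer is treated exactly like a wrong one, because a function computer that has stopped running must not look healthy to the monitor.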
Because the 1oo1D architecture can only support a fail-safe safety concept, the system reactions of the hardware monitoring are to reset or shut off the system, or to deactivate the affected functions, whenever a violation of a safety goal or safety requirement is detected.

3- ISO 26262 approaches
To implement the E-gas monitoring concept, the following two safety approaches from ISO 26262 are applied:

3.1- ASIL decomposition
By using ASIL decomposition, E-gas splits the safety-related software into two parts: the level 1 functional software, which can be developed as QM, and the level 2 monitoring software, which carries the safety-related ASIL ratings.
Note that the level 2 software elements can be further separated into groups or sub-layers according to the ASIL ratings of the individual elements, if applying the maximum ASIL to all of them is not a good choice. This approach is shown in the picture below inside the purple dotted circle. The alternative, applying the maximum ASIL rating to all level 2 elements, is shown inside the green dotted circle: all safety software elements with different ASIL ratings (ASIL X, ASIL Y) inherit the maximum rating (ASIL Y).
3.2- Coexistence of software elements
Because the level 1 software elements (QM) and the level 2 software elements (safety-related, with their ASIL ratings) are located in the same controller, the criteria for coexistence of elements in ISO 26262-9:2018, clause 6, shall be applied.
When applying the E-gas monitoring concept, it shall be ensured that the level 1 software elements cannot interfere with the level 2 software elements (which, in the simple case, all carry the maximum ASIL rating). Furthermore, if the level 2 software has mixed ASIL ratings, i.e. the level 2 elements are further separated into parts according to their ASIL, interference from lower-ASIL elements to higher-ASIL elements shall be avoided or controlled. In that case a freedom-from-interference (FFI) analysis of the software elements shall be carried out, and further safety measures shall be applied according to its results where necessary. The interference channels to consider are the ones listed in ISO 26262-6 Annex D: memory (e.g. a level 1 write corrupting level 2 data), timing and execution (e.g. level 1 blocking or delaying the level 2 task) and exchange of information (e.g. a stale or corrupted signal passed from level 1 to level 2).
4- Level 2 software design method
The principle of level 2 monitoring is to check the actual system behaviour against the expected behaviour; when abnormal or aggressive behaviour is found, the defined safety measures are taken. Following this principle, the level 2 software in the E-gas concept is designed in the four steps below.

Step-1: Expected system behaviour (theoretical monitored setpoint)
This step calculates the expected system behaviour from the theoretical monitored control or setpoint value. The monitored value is computed with a simplified algorithm that does not reuse the level 1 calculation. For example, in the E-gas standard the maximum permissible driver torque request in level 2 is calculated from the raw sensor signals (throttle position, vehicle speed, cruise control torque request, etc.). This value is effectively the threshold whose violation could lead to a violation of the system's safety goal.

Step-2: Monitored actual behaviour
This step monitors the actual system behaviour by validating and processing the feedback values of the system: for instance the actual torque measured or received by the engine control unit, or the actual vehicle acceleration calculated from the vehicle speed signal for the acceleration monitoring of the engine control unit.

Step-3: Comparison of the expected behaviour against the monitored actual behaviour
This step decides whether the system behaviour is abnormal or aggressive by comparing the expected behaviour with the monitored actual behaviour. Any aggressive behaviour that could lead to a safety goal violation is debounced within the fault detection time interval and then reported as a fault to the system safety reaction module.

Step-4: Safety actions (system safety reactions)
When the comparison function detects abnormal behaviour of the controller, the level 2 software evaluates the degree of failure and triggers a corrective reaction according to the result. The system safety reactions bring the system into its safe state: resetting or shutting off the controller, deactivating the controller's output drivers, warning the driver, or simply disabling the software output, depending on the safe state definition and the hardware.
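The four steps above, worked through as an added C example (code written for this post, not taken from the E-Gas standard or from any production ECU). The permissible-torque formula, the 20 Nm tolerance, the 50 ms fault detection time interval, the 80 Nm "severe" threshold and the creep torque are constructed assumptions; the structure is what matters: a setpoint computed by its own simple algorithm (step 1), a validated feedback (step 2), a comparison debounced within the FDTI (step 3) and a latched, graded reaction (step 4).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Level 2 torque monitor following the four steps above. Every threshold,
 * signal name and the "simplified algorithm" is an assumption constructed for
 * this example; none of it is taken from the E-Gas standard. Torque in Nm,
 * speed in km/h, one call per 10 ms task. */

#define L2_TQ_MAX_NM          300   /* assumed maximum engine torque */
#define L2_TQ_TOLERANCE_NM     20   /* assumed monitoring tolerance */
#define L2_CYCLE_MS            10
#define L2_FDTI_MS             50   /* assumed fault detection time interval */
#define L2_DEBOUNCE_CYCLES    (L2_FDTI_MS / L2_CYCLE_MS)
#define L2_SEVERE_EXCESS_NM    80   /* assumed: excess at or above this -> shut off */
#define L2_CREEP_TQ_NM         10   /* assumed creep torque at standstill */

typedef enum { L2_REACT_NONE = 0, L2_REACT_LIMIT_TORQUE = 1, L2_REACT_SHUT_OFF = 2 } l2_reaction_t;

typedef struct {
    uint8_t  pedal_pct;       /* raw pedal/throttle position, 0..100 % */
    uint16_t vehicle_speed;   /* km/h */
    int16_t  cruise_req_nm;   /* cruise control torque request, 0 if inactive */
    int16_t  actual_tq_nm;    /* feedback: actual torque measured or received */
    bool     actual_valid;    /* feedback signal passed its own diagnosis */
} l2_inputs_t;

typedef struct {
    uint8_t       debounce;   /* consecutive faulty cycles, saturating */
    l2_reaction_t reaction;   /* latched until reset, as in a fail-safe system */
} l2_state_t;

/* Step 1: expected behaviour. The maximum permissible driver torque is derived
 * directly from the raw signals with a deliberately simple formula that does
 * not reuse the level 1 torque path. */
int16_t l2_permissible_torque(const l2_inputs_t *in)
{
    int32_t driver = ((int32_t)in->pedal_pct * L2_TQ_MAX_NM) / 100;
    int32_t req = driver > in->cruise_req_nm ? driver : in->cruise_req_nm;
    if (in->pedal_pct == 0 && in->cruise_req_nm == 0 && in->vehicle_speed == 0)
        req = L2_CREEP_TQ_NM;               /* standstill, no request */
    return (int16_t)(req + L2_TQ_TOLERANCE_NM);
}

/* Step 2: monitored actual behaviour. The feedback is range-checked before
 * use; an unusable feedback returns false so the caller treats it as a fault
 * rather than as "no excess". */
bool l2_actual_torque(const l2_inputs_t *in, int16_t *out)
{
    if (!in->actual_valid || in->actual_tq_nm < -50 ||
        in->actual_tq_nm > L2_TQ_MAX_NM + 100)
        return false;
    *out = in->actual_tq_nm;
    return true;
}

/* Steps 3 and 4: compare expected with actual, debounce within the FDTI, then
 * choose the reaction from the degree of failure. */
l2_reaction_t l2_monitor_cycle(l2_state_t *st, const l2_inputs_t *in)
{
    int16_t actual = 0;
    int32_t excess;

    if (st->reaction == L2_REACT_SHUT_OFF)
        return st->reaction;                /* already in the safe state */

    if (l2_actual_torque(in, &actual))
        excess = (int32_t)actual - l2_permissible_torque(in);
    else
        excess = L2_SEVERE_EXCESS_NM;       /* unknown behaviour counts as severe */

    if (excess <= 0) {
        st->debounce = 0;                   /* transient deviation, not confirmed */
        return st->reaction;
    }
    if (st->debounce < L2_DEBOUNCE_CYCLES)
        st->debounce++;
    if (st->debounce < L2_DEBOUNCE_CYCLES)
        return st->reaction;                /* fault not yet confirmed */

    /* Confirmed within the FDTI: degrade for a small excess, shut off for a large one */
    st->reaction = (excess >= L2_SEVERE_EXCESS_NM) ? L2_REACT_SHUT_OFF
                                                   : L2_REACT_LIMIT_TORQUE;
    return st->reaction;
}

int main(void)
{
    l2_state_t st = { 0, L2_REACT_NONE };
    l2_inputs_t in = { 50, 80, 0, 200, true };  /* constructed: 30 Nm above permissible */
    for (int i = 0; i < 6; i++)
        printf("cycle %d: reaction %d\n", i, l2_monitor_cycle(&st, &in));
    return 0;
}
```

Two design choices are worth noting. A feedback that fails its own validation is not skipped but counted as a severe fault, because on a 1oo1D platform the only safe answer to "I cannot tell what the engine is doing" is to stop it. And the reaction is latched: a fault that disappears after being confirmed does not silently re-enable the output, which would let an intermittent failure oscillate the system between normal and degraded states.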
[1] Standardized E-Gas Monitoring Concept for Gasoline and Diesel Engine Control Units, V6.0
[2] ISO 26262:2018 series of standards
[3] Bing images (figure sources)