Compliance of ISO 26262 Safety standard for Electric Power Assisted Steering System

2021-26-0025

09/22/2021

Event
Symposium on International Automotive Technology
ABSTRACT

This paper applies the ISO 26262 functional safety standard to the fail-safe design, development and validation of an Electric Power Assisted Steering (EPAS) system. To save lives, prevent injuries and reduce the economic loss caused by accidents, much research is directed at ensuring the safety and reliability of emerging safety-critical electronic control systems in motor vehicles. As advanced driver assistance systems and other emerging technologies are introduced into new vehicles, the overall safety of these advanced electronic systems relies in part on the safety of the underlying foundation systems, such as the steering system. This paper outlines one approach to performing a Hazard Analysis and Risk Assessment (HARA) and developing a Functional Safety Concept. The approach incorporates several analysis methods, including Hazard and Operability (HAZOP) study and Functional Failure Modes and Effects Analysis (FMEA). It is then applied to the EPAS system to identify vehicle-level hazards and to derive safety goals and functional safety requirements. The paper presents the vehicle-level hazards and safety goals derived from the analysis and discusses "fail-safe" and "fail-operational" needs, which may inform the derivation of functional safety requirements. The results may serve as an example of how different analytical methods can be combined to develop a functional safety concept.

The remainder of the paper is arranged as follows. Section II gives an overview of the ISO 26262 standard and the need for it, and describes the EPAS system, its subsystems and child parts. Section III presents the vehicle-level Hazard Analysis and Risk Assessment (HARA) and the safety goals for the EPAS system. Section IV covers the application of the Functional Safety Concept and the Technical Safety Requirements. Section V elaborates the performance parameters and test scenarios, and Section VI concludes and presents directions for future work.

Risk Assessment and Safety Goals: The risk of each hazard is evaluated using the Severity, Exposure and Controllability parameters, and an ASIL rating is assigned for the EPAS system.

Identified potential vehicle-level hazards: The potential vehicle-level hazards identified in this study for the EPAS system are:
1. Unintended Vehicle Lateral Motion / Unintended Yaw
2. Insufficient Vehicle Lateral Motion / Insufficient Yaw
3. Unintended Loss of Steering Assist
4. Reduced Responsiveness to the Driver's Commands Due to Increased Rear Wheel Drag

Based on the hazard analysis and risk assessment, the safety goals (i.e., vehicle-level safety requirements) are established as:
Safety Goal 1 -- The EPAS system is to prevent unintended self-steering in any direction under all vehicle operating conditions.
Safety Goal 2 -- The EPAS system is to provide the correct level of steering assist under all vehicle operating conditions.
Safety Goal 3 -- The EPAS system is to prevent the unintended loss of steering assist under all vehicle operating conditions.
Safety Goal 4 -- The EPAS system is to prevent rear-wheel drag under all vehicle operating conditions.

Application of Functional Safety Concept and Technical Safety Requirements: The functional safety concept addresses fault detection and failure mitigation, transition into a safe state, fault tolerance mechanisms and driver warning. Each safety goal requires at least one functional safety requirement (FSR) to prevent its violation. To achieve functional safety for the EPAS system and its subsystems, FSRs and technical safety requirements (TSRs) are defined for each safety goal.

EPAS Functional Safety Requirements: Following the Concept Phase (ISO 26262 Part 3), this study identifies functional safety requirements for the EPAS system and its components:
1. General EPAS System
2. Steering Input Sensor
3. EPAS Control Module
4. Power-Assist Motor
5. Communication System

Some of the functional safety requirements derived for the sub-components of the EPAS system are as follows:

A) Functional Safety Requirements for the Power-Assist Motor:
• The EPAS motor is to provide the steering-assist torque commanded by the EPAS control module under all EPAS system operating conditions.
• The EPAS motor rotor position is to be communicated to the EPAS control module in order to control the motor current.
• In case of a fault in the EPAS motor that leads to violation of a safety goal, the EPAS motor is to communicate the fault to the EPAS control module.
• The EPAS motor is to prevent locked-rotor failures under all EPAS operating scenarios.
-- In case a locked-rotor failure occurs, the EPAS system is to transition to Safe State 3 within "ABC" ms, and a driver warning is to be issued (200 ms is considered by some manufacturers for similar safety goals).
-- A DTC (diagnostic trouble code) is to be triggered.

B) Functional Safety Requirements for the Electronic Control Unit:
• The EPAS control module is to calculate the steering assist based on the driver's steering input (e.g., torque input) and the vehicle speed.
• The EPAS control module is to have an arbitration strategy for steering-assist requests from the driver and from other vehicle systems.
• The EPAS control module is to qualify the steering wheel sensor inputs (e.g., torque input) for validity and correctness.
• The time required to update the steering-assist command is not to result in violation of a safety goal.
-- This time is to be reflected in the relevant software function's execution time and in the transient response of the motor.
-- This time depends on the software architecture.
• In case of a fault in the steering-assist control algorithm that leaves the controller unable to control the steering assist, the EPAS system is to transition into a Safe State within "TBD" ms, and a red-light driver warning is to be issued. DTCs are to be set.

C) Functional Safety Requirements for the Steering Sensor:
• The torque measured by the torque sensor is to be communicated to the EPAS control module.
• The torque sensor input voltage is to be monitored for over- and under-voltage whenever the EPAS system is ON.
• The steering wheel angle sensor is to measure / detect the steering wheel angle resulting from the steering wheel input, and the measured value is to be qualified.

Fail-safe: An electronic system is "fail-safe" if it transitions to a safe state, preserving the safety of the system, following one (or several) failure(s). A fail-safe EPAS architecture would transition to a safe state, such as reverting to purely mechanical steering, on detection of an electronic fault in the EPAS system.

Validation of fail-safe strategies for the EPAS system: After the EPAS system has been developed according to the ISO 26262 hardware, software and system-level requirements, it needs to be validated. System-level integration of the EPAS system with all of its sub-parts (sensors, ECU, motor and software) has to be validated under worst-case scenarios. Test results are presented for the following scenarios:
a. Different road conditions (cement road, tar road, epoxy road)
b. Different tyre pressures (full tyre pressure, half tyre pressure)
c. Different drive conditions (LH / RH turn, 'U' turn, figure of '8', straight drive)
d. Fail-safe strategy "EPAS Thermal Protection":
Detect condition: detected when the following condition is met: a peak current of 90 A sustained for 210 s (ECU temperature below 40°C), 180 s (40°C to 70°C) or 95 s (above 70°C).
Action: the thermal protection condition is restored immediately. Fault level: C. After IGN OFF, the ECU stays alive until the over-heat protection condition is terminated.
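The thermal-protection strategy above can be implemented as a small periodic monitor task in the ECU. The C below is an added example, not code from the paper or from any EPAS supplier; it takes only the trip rule (90 A peak current for 210 s / 180 s / 95 s depending on temperature band), the fault level C with a stored DTC, and the keep-alive-after-IGN-OFF behaviour from the text. The 100 ms tick, the ">= 90 A" comparison, placing the 40°C and 70°C edges in the middle band, the 60 s below-threshold cool-down that terminates the protection condition, the DTC staying latched after recovery, and all function and constant names are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* EPAS thermal-protection monitor: an added example, not the paper's code.
 * From the paper: a peak motor current of 90 A sustained for 210 s (below
 * 40 C), 180 s (40 C to 70 C) or 95 s (above 70 C) engages protection at
 * fault level C, and the ECU stays alive after IGN OFF until the condition
 * is terminated. Assumed here: 100 ms tick, ">= 90 A" comparison, the 40 C
 * and 70 C edges belong to the middle band, a 60 s below-threshold
 * cool-down ends the condition, and the DTC stays latched until cleared. */

#define TICK_MS              100U
#define PEAK_CURRENT_TRIP_A  90.0f
#define COOLDOWN_MS          60000U   /* assumed exit condition */

typedef enum { THERMAL_OK = 0, THERMAL_PROTECT = 1 } thermal_state_t;

typedef struct {
    thermal_state_t state;
    uint32_t over_ms;   /* continuous time at/above the trip current */
    uint32_t below_ms;  /* continuous time below the trip current */
    bool     dtc_set;   /* fault level C: diagnostic trouble code stored */
} thermal_monitor_t;

/* Time-to-trip versus ECU temperature: the paper's three bands. */
uint32_t thermal_trip_time_ms(float temp_c)
{
    if (temp_c < 40.0f)  return 210U * 1000U;
    if (temp_c <= 70.0f) return 180U * 1000U;
    return 95U * 1000U;
}

void thermal_monitor_init(thermal_monitor_t *m)
{
    m->state = THERMAL_OK;
    m->over_ms = 0;
    m->below_ms = 0;
    m->dtc_set = false;
}

/* Called once per TICK_MS from the ECU's periodic task. A single sample
 * below the trip current restarts the timer: "for N sec" is read as a
 * continuous condition, so brief dips never accumulate toward a trip. */
void thermal_monitor_step(thermal_monitor_t *m, float peak_current_a, float temp_c)
{
    if (peak_current_a >= PEAK_CURRENT_TRIP_A) {
        m->below_ms = 0;
        if (m->over_ms <= UINT32_MAX - TICK_MS) m->over_ms += TICK_MS;
    } else {
        m->over_ms = 0;
        if (m->below_ms <= UINT32_MAX - TICK_MS) m->below_ms += TICK_MS;
    }
    if (m->state == THERMAL_OK && m->over_ms >= thermal_trip_time_ms(temp_c)) {
        m->state = THERMAL_PROTECT;  /* protection applied immediately */
        m->dtc_set = true;           /* fault level C: DTC stored */
    } else if (m->state == THERMAL_PROTECT && m->below_ms >= COOLDOWN_MS) {
        m->state = THERMAL_OK;       /* over-heat condition terminated */
    }
}

/* The ECU may power down only when the ignition is off and no thermal
 * protection is pending ("ECU will alive until ... terminated"). */
bool thermal_monitor_can_sleep(const thermal_monitor_t *m, bool ign_on)
{
    return !ign_on && m->state == THERMAL_OK;
}

/* Drive a fresh monitor with a constant load; return the tick at which
 * protection engaged, or 0 if it never did within max_ticks. */
uint32_t ticks_until_protect(float peak_current_a, float temp_c, uint32_t max_ticks)
{
    thermal_monitor_t m;
    thermal_monitor_init(&m);
    for (uint32_t i = 1; i <= max_ticks; i++) {
        thermal_monitor_step(&m, peak_current_a, temp_c);
        if (m.state == THERMAL_PROTECT) return i;
    }
    return 0;
}

/* Scenario: trip at 85 C, ignition switched off while protected, motor
 * current falls to zero. Returns how many ticks the ECU had to stay awake
 * after IGN OFF before it was allowed to sleep. */
uint32_t keep_alive_ticks_after_ign_off(void)
{
    thermal_monitor_t m;
    thermal_monitor_init(&m);
    while (m.state != THERMAL_PROTECT) thermal_monitor_step(&m, 100.0f, 85.0f);
    uint32_t awake = 0;
    while (!thermal_monitor_can_sleep(&m, false)) {
        thermal_monitor_step(&m, 0.0f, 85.0f);
        awake++;
    }
    return awake;
}

int main(void)
{
    const float temps[] = { 25.0f, 55.0f, 85.0f };   /* constructed inputs */
    for (size_t i = 0; i < sizeof(temps) / sizeof(temps[0]); i++) {
        unsigned t = (unsigned)ticks_until_protect(100.0f, temps[i], 4000U);
        printf("ECU %.0f C, 100 A: protection after %u ticks (%u s)\n",
               temps[i], t, t * TICK_MS / 1000U);
    }
    printf("ECU stayed awake %u ticks after IGN OFF\n",
           (unsigned)keep_alive_ticks_after_ign_off());
    return 0;
}
```

One design choice worth noting: the temperature is re-read on every tick, so if the ECU heats up from 35°C to 75°C while the over-current timer is running, the remaining time shrinks to the 95 s band immediately rather than restarting. The paper's strategy does not say which behaviour is intended; if the slower reaction is acceptable, latch the band at the first over-current sample instead.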
Citation
Tikar, S., and Ansari, A., "Compliance of ISO 26262 Safety standard for Electric Power Assisted Steering System," SAE Technical Paper 2021-26-0025, 2021.
Additional Details
Publisher
Published
Sep 22, 2021
Product Code
2021-26-0025
Content Type
Technical Paper
Language
English