Safety Mechanisms for Electrical and Electronic
In this post, we will learn about Safety Mechanisms used in electrical and electronic elements. The Safety Mechanisms described in this post are based on ISO 26262-5:2018 Annex D.
D.2.1.1 Failure detection by on-line monitoring
On-line monitoring is a method of detecting faults by monitoring the normal operation of a system.
Aim
The main purpose of real-time monitoring is to detect faults by monitoring the operation of a system while the system is operating normally, that is, in an online state.
Description
- Conditional detection: Faults can be detected using the temporal behavior of the system under certain conditions. For example, if a particular switch does not change state at a time when it should be operating normally, it is considered a fault.
- Limitations of fault localization: It is usually difficult to accurately identify the location of a fault using this method. This is because monitoring detects the macroscopic behavior of the system.
- General application: Real-time monitoring is often implemented without specific hardware components. This is because it is designed to detect when the system exhibits abnormal behavior relative to normal activation conditions.
- Examples of abnormal behavior: If a parameter is inverted when the vehicle speed is not zero, a fault can be detected by detecting the discrepancy between this parameter and the vehicle speed.
Note
- Role of Hardware: Typically, no specific hardware component has a specific role to implement real-time monitoring. Instead, it is implemented as a software-based mechanism that detects when the system exhibits abnormal behavior based on set conditions.
- Condition-based Detection: Real-time monitoring detects faults by detecting abnormal behavior related to activation conditions. This is a way to infer faults through correlations with other elements of the vehicle, thereby identifying logical inconsistencies between different parameters of the system.
Example: Real-time monitoring related to vehicle speed
Let’s look at a case related to vehicle speed as an example of how to detect faults through real-time monitoring.
Case: Vehicle speed and engine parameter monitoring
- Situation: When the vehicle is driving, certain parameters of the engine should be within a normal range.
- Monitoring target: Engine temperature, fuel pressure, rotation speed, etc.
- Abnormality detection: If the engine temperature suddenly increases abnormally when the vehicle is traveling at 60 km/h, this is recognized as a fault. – Countermeasure: The system immediately issues a warning or takes safety measures such as limiting engine output.
D.2.1.2 Comparator
Comparator is a method for detecting faults early by detecting differences between independent elements of hardware and software.
Aim
- Early fault detection: The goal is to detect asynchronous faults in independent hardware or software as early as possible.
Description
- Compare independent systems: Periodically or continuously compare the output signals of independent hardware or output information of independent software.
- Fault messages: When differences are detected, fault messages are generated. For example, when two processing units exchange data (including results, intermediate results, and test data), the software in each unit compares the data and generates fault messages when differences are detected.
- Asynchronous faults: This mechanism focuses on detecting asynchronous faults that can occur when there is no synchronization.
Example
- Redundant processing system: Two CPUs operate independently of each other and perform the same task. Each CPU exchanges its computational results with the other CPU and compares its results with the other CPU. If the two results do not match, the system considers an anomaly and takes appropriate action.
- Independent sensor comparison: Two speed sensors mounted on the vehicle must measure the same speed. If the output values of these two sensors are compared periodically and a discrepancy occurs, a sensor fault can be detected.
Additional explanation: Components of a comparator
Independence of hardware and software
- Hardware: A hardware comparator is used when two independent hardware modules must produce the same output. For example, two independent circuits produce the same electrical signal and compare them to detect the difference.
- Software: A software comparator is used when two software processes process the same data and compare them. This often occurs in redundant processing or parallel processing environments.
Comparison method
- Periodic comparison: A method that compares the state or data of the system at set intervals. This can be advantageous in reducing the load on the system.
- Continuous comparison: A method that continuously compares the data of the system in real time, allowing for faster fault detection.
Fault Handling
- Generate Alert: If a difference is detected, an alert message is generated immediately to notify the operator or system administrator.
- Take Safety Action: If a fault is detected, the system immediately switches to safe mode or performs emergency procedures to ensure safety.
D.2.1.3 Majority voter
Majority Voter is a method to detect and mask faults while maintaining the availability of the system. This technique plays an important role in enhancing the safety and reliability of the system by using multiple channels.
Aim
- Fault Detection and Masking: The goal is to maintain the reliability of the system by detecting and masking faults that occur in one of three or more channels.
Description
- Majority Rule: Majority voter detects faults using the majority rule. It compares the results of multiple channels, typically using a configuration such as “2 out of 3”, “3 out of 4”, or “m out of n”.
- Fault Masking: According to the majority rule, even if a fault occurs in one channel, the majority decision of the remaining channels determines the final output of the system, so the fault does not affect the entire system.
Note
- Increased Availability: Majority voter technology increases the availability of the system by maintaining functionality even after one channel is lost. Unlike comparators, it ignores the faulty channel and follows the decisions of the remaining channels, allowing the system to continue to operate normally.
Additional Explanation: Majority Voter Components and How It Works
1. Components
- Multiple Channels: Consists of at least three independent channels. Each channel processes the same input data and produces an independent output.
- Voting Unit: Collects the outputs of each channel and determines the final output based on the majority rule.
2. How It Works
- Input Processing: Each channel receives the same input and processes it independently.
- Output Comparison: The processed results are compared in the voting unit. For example, if a “2 out of 3” configuration is used, if two of the three channels produce the same output, it is selected as the final output. – Fault Masking: If a fault occurs in one channel and a different output is generated, the output of the remaining two channels is ignored and adopted as the final output according to the majority rule.
3. Fault Handling
- Warning Message Generation: If a channel that deviates from the majority rule is found, the system generates a warning message to indicate that the channel has a fault.
- Safety Action Execution: If necessary, the system disables the faulty channel or takes maintenance measures.
Example: Majority Voter in Automotive Control Systems
The Majority Voter mechanism can be utilized in automotive control systems in the following ways:
Case: Electronic Steering Control System
- Situation: In an electronic steering control system, it is very important to accurately determine the steering angle. This system measures the steering angle using three independent sensors in different ways.
- Applying the Majority Rule: The results of each sensor are compared in the voting unit, and if two or more sensors show the same result, this is determined as the final steering angle. – Fault Detection and Masking: If one sensor measures an incorrect steering angle due to a fault, its result is ignored by the majority rule and the steering angle is determined based on the results of the remaining two sensors.
- Ensuring System Reliability: Even if a fault occurs, the vehicle’s steering system operates correctly to maintain safety.
D.2.2.1 Dynamic principles
Dynamic Principles is a method for detecting static faults by transforming static signals into dynamic signal processing methods.
Aim
- Static Fault Detection: The goal is to detect faults occurring in static signals through dynamic signal processing.
Description
- Forcing Signal Change: Detecting static faults by forcing a change in static signals internally or externally. This is typically related to electromechanical elements.
- Static Fault: Static signals within a system tend to remain in a fixed state, which can make it difficult to detect faults in such a state. Dynamic signal processing transforms this fixed state to make faults easier to detect.
Examples
- Dynamic Inspection of Electromechanical Elements: Electromechanical elements such as switches or sensors that maintain static signals can generate signals that do not change over time. By forcing a change in such signals, the state of the element can be dynamically evaluated and faults can be detected.
Additional Description: Implementation and Operation Principles of Dynamic Principles
1. Implementation Method
- Periodic Signal Change: Forcibly change the static signal within the system at regular intervals to verify the normal signal processing path.
- Test Signal Injection: Inject a specific test signal from outside the system to monitor the system’s response and detect faults.
2. Operation Principle
- Signal Change: Change the static signal at regular intervals or events, and monitor how the system responds to this change.
- Fault Detection: Analyze the system’s response to the signal change to determine whether there is a static fault. If the normal response is not provided, it is considered a fault.
3. Example: Utilization in the electronic system of a vehicle
- Brake System Inspection: Periodically change the static signal (e.g., the position of the brake pad) in the vehicle’s brake system to check whether the system responds normally. – Switch Status Monitoring: Periodically changes the status of various switches in the vehicle (e.g. door lock switch) and monitors the system’s response to each change to determine whether the switches are functioning normally.
D.2.2.2 Analogue monitoring of digital signals
Analogue Monitoring of Digital Signals is a method of detecting illegal signal levels by monitoring signals in an analog manner to improve the reliability of digital signals.
Aim
- Improving the reliability of measured signals: The goal is to improve the accuracy and reliability of digital signals.
Description
- Analogue evaluation of binary signals: This mechanism detects illegal signal levels by evaluating binary (digital) signals at an analog level. This method allows you to check whether the digital signal is within a defined range.
- Detecting illegal signals: Analog monitoring detects signals that are outside a predefined normal range, i.e., signals that are in an illegal state. This helps to ensure the integrity of the signal and enhance the safety of the system.
Example
- Switch status monitoring: When the switch is in the “closed” state, the signal appears as a high voltage (High), and when it is in the “open” state, it appears as a low voltage (Low). Analog monitoring monitors whether the output signal is within a predefined range. – Detection of abnormal signal levels: If the signal is connected to ground or supply voltage due to a short, or the connector is open, the signal level will change to an illegal state. This state will be detected by the monitoring system and a warning or action will be taken.
Additional explanation: Implementation and operation principle of Analogue Monitoring
1. Implementation method
- Use of signal converter: Use a signal converter that can convert a digital signal into analog form and evaluate it.
- Setting a defined signal range: Define the normal signal range for each digital signal at the analog level.
2. Operation principle
- Signal analysis: The digital signal is converted into an analog signal through an analog converter, and this signal is evaluated by the monitoring system.
- Range evaluation: Evaluate whether the converted analog signal is within the defined normal range. If it is out of range, it is considered an illegal signal and processed as a fault condition.
3. Fault Handling
- Generate Warning Message: If an illegal signal is detected, an alert message is generated immediately to notify the system operator or administrator.
- Activate Safe Mode: If necessary, the system switches to safe mode to prevent potential hazards.
Example: Analogue Monitoring in Automotive Electronic Systems
Case: Automotive Switch Monitoring
- Check Switch Status: Various switches in a car (e.g. door locks, window switches, etc.) operate within a certain voltage range.
- Normal Range: When the switch is closed, the voltage should be 4.5 V or higher, and when it is open, it should be 0.5 V or lower.
- Abnormal Condition Detection: If the voltage of the switch is measured as 2.5 V, it is detected as an abnormal condition caused by a short circuit or connector problem. In this case, the system generates an alert and instructs the switch to be inspected.
Case: Battery Voltage Monitoring
- Evaluate Battery Status: Monitor the vehicle battery voltage in analog mode to detect any condition that is out of the normal range. – Normal Range Setting: The battery voltage should be within 12V ± 0.5V, and any voltage outside this range is considered a fault.
- Fault Detection: For example, if the battery voltage is measured at 10V, this indicates that the battery charging status is abnormal, and the system will immediately issue a warning to prompt troubleshooting.
If you are interested in other articles about ISO 2626 Series, please refer to the links below!
[ISO 26262] #1. Part4-6 Technical Safety Concept (TSC)
[ISO 26262] #3. Safety Mechanism for Processing Unit
[ISO 26262] #4. Safety Mechanisms for IO units and Interfaces