[ISO 26262] #4. Safety Mechanisms for IO units and Interfaces

Safety Mechanisms for IO units and Interfaces

In this post, we will learn about Safety Mechanisms used in I/O units and Interfaces. The Safety Mechanisms described in this post are based on ISO 26262-5:2018 Annex D.

This image is generated by GPT using  key word Safety Mechanisms for IO units and Interfaces

D.2.4.1 Test pattern

The Test Pattern technique outlined in ISO 26262 is a diagnostic approach used to detect static failures and cross-talk in electronic systems. This method involves a cyclical test of input and output units, allowing for the identification of issues such as stuck-at faults and unintended interactions between signals (cross-talk). Here’s a detailed look at how this technique works, its purpose, and its practical application.

Aim

  • Early detection of static faults and cross-talk: Maintain the integrity and stability of the system by detecting stuck-at faults and unintended interference between signals (cross-talk) as early as possible.

Description

1. Test pattern definition:

  • Data independence: Perform cyclical tests independent of the data flow of the input and output devices.
  • Establish a test pattern that defines specific input and output conditions. For example, check the correctness of a signal using a specific bit sequence.

2. Periodic Test Execution:

  • Periodically apply test patterns to the input and output devices of the system and observe the results.
  • Compare the observed results with the predefined expected values.

3. Fault Detection:

  • Static Fault Detection: Detects static faults when the input or output is in a fixed state (e.g., stuck-at 0 or stuck-at 1).
  • Crosstalk Detection: Detects crosstalk that may occur due to interference between signals.

4. Error Reporting and Handling:

  • When a fault is detected, the system generates a warning message and initiates the appropriate error handling procedure.
  • In case of a serious fault, the system is put into safe mode or an action is taken to resolve the problem.

5. Independence of Test Patterns:

  • Importance of Independence: The greater the independence of test pattern information, reception, and evaluation, the greater the test coverage.
  • Test Coverage: The effectiveness of a test largely depends on the independence between the test pattern and the system.

6. Minimize impact on system function:

  • Design optimization: Design the test pattern to minimize its impact on the functional operation of the system so that it does not interfere with normal operation.

Examples

Example 1: Test pattern of an automotive electronic control unit (ECU)

  • Configuration: An automotive ECU monitors the inputs and outputs of sensors and actuators, and periodically applies test patterns to detect faults.
  • Operation principle:
    • The ECU periodically applies a specific bit pattern to the sensor signal, and observes the response of the actuator.
    • If a discrepancy with the expected value is detected, the ECU logs the fault and switches to safe mode.
  • Advantages:
    • Maintains the stability of the automotive system, and reduces the risk of incorrect sensor or actuator signals.

Example 2: Crosstalk detection in communications equipment

  • Configuration: Network routers use test patterns to detect interference between signals during data packet transmission. – Operating Principle:
    • The router periodically transmits a test pattern in a data packet and checks whether it matches the received pattern.
    • If the pattern is different from the expected one, it is considered that signal interference due to crosstalk has occurred.
  • Advantages:
    • It increases the reliability of the network and ensures the integrity of data transmission.

Limitations and Challenges

1. Limitations of Test Patterns

  1. Limited Coverage: Depending on the design and implementation of the test pattern, some faults may not be completely detected.

2. Performance Overhead

  • Performance Degradation Due to Periodic Checking: Periodic testing can affect the system performance and should be minimized through optimization.

3. Increased Design Complexity

  • Implementation in Complex Systems: In complex systems, the design and implementation of test patterns can be more complex and require thorough planning in the early design stages.


D.2.4.2 Code protection

The Code Protection technique is an essential measure outlined in ISO 26262 for safeguarding input and output dataflows against random hardware and systematic failures. This approach enhances the integrity and reliability of data by introducing redundancy and monitoring mechanisms, ensuring that any anomalies in data transmission are detected and addressed promptly.

Aim

  • Detecting Random Hardware and Systematic Faults: Enhances the safety and reliability of systems by detecting random hardware errors and systematic failures that may occur in input/output dataflows early.

Description

  • Data Protection:
    • Information Redundancy: Protects input and output information by overlaying redundant information to maintain data integrity.
    • Temporal Redundancy: Detects errors by checking data at multiple points in time.
  • Various techniques:
    • Carrier frequency signal: The carrier frequency signal is superimposed on the sensor output signal, and the logic unit checks the presence of the carrier frequency to verify the integrity of the data.
    • Redundant code bit: The redundant code bit is added to the output channel to monitor the validity of the signal between the logic unit and the final actuator.
  • Periodic inspection:
    • The system periodically checks the input and output data to check the presence and status of redundant information.
    • If a loss or inconsistency of redundant information is found, an error is considered detected.
  • Fault detection and reporting:
    • If an error is detected, the system immediately generates a warning message, logs the error, and notifies the administrator.
    • In case of a serious error, the system switches to safe mode or takes action to correct the error.
  • Automatic correction and response:
    • When an error occurs, the system automatically restores the data flow or corrects corrupted data to maintain system stability.

Example

Example 1: Code Protection of Automotive Sensor Data

  • Configuration: Uses code protection technology to detect random hardware and systematic faults in the sensor data flow of an automobile.
  • Operation Principle:
    • Superimpose a carrier frequency signal on the output signal of each sensor.
    • When the ECU receives sensor data, it checks the presence of the carrier frequency to verify the data integrity.
    • If the carrier frequency is not detected or there is a mismatch, it is considered a sensor error and issues a warning.
  • Advantages:
    • Ensures the integrity of sensor data and prevents incorrect decisions due to data errors.

Example 2: Redundant Code Bits in Communication Systems

  • Configuration: Use redundant code bits in network routers to improve the reliability of data transmission.
  • Operation Principle:
    • Add redundant code bits to each data packet and transmit it.
    • The receiving end checks the data packet to check whether the code bits match.
    • If the code bits do not match, it is considered a data error and requests the packet to be retransmitted.
  • Advantages:
    • Ensures integrity of data transmission and minimizes network errors to increase reliability.

Limitations and Challenges

1. Increased complexity

  • Complex implementation and maintenance: The process of creating and managing redundant information can be complex, and may place additional burden on the design and maintenance of the system.

2. Performance overhead

  • Performance degradation due to additional computation: The additional computation of processing redundant information may affect system performance, and optimization is required to minimize this.

3. Limited coverage

  • Limited coverage for all error types: Code protection provides effective coverage for certain types of errors, but cannot perfectly detect all errors.

4. Hardware dependency

  • Hardware requirements: Some protection mechanisms require specific hardware support, which may require system upgrades.


D.2.4.3 Multi-channel parallel output

The Multi-Channel Parallel Output technique, as outlined in ISO 26262, is a robust safety mechanism designed to detect various types of hardware failures by utilizing parallel data channels. This approach aims to enhance the reliability and safety of systems by identifying errors that may arise from both internal and external factors, including timing issues, addressing errors, and transient faults.

Aim

  • Detect various hardware faults: Increase the stability and reliability of the system by detecting random hardware errors (stack-at faults), errors due to external factors, timing errors, addressing errors, drift errors, and transient faults as early as possible.

Description

1. Multi-Channel Output Configuration:

  • The system transmits the same input data in parallel over multiple independent channels.
  • Each channel processes the signal in a different path to ensure the accuracy of the data.

2. Output Comparison:

  • An external comparator periodically checks the output of the parallel channels to check for consistency between all channels.
  • If a mismatch is detected, a fault is considered to have occurred.
  • Effective Error Detection: This measure is only effective when the data flow changes during the diagnostic test interval. Static data may be inefficient for detection.

3. Error Detection and Response:

  • Error Detection: If a fault is detected, the system immediately generates an error message and switches to safe mode if necessary.
  • System Shutdown: In case of a serious fault, the system is safely shut down to prevent further damage.

4. Automatic Correction and Recovery:

  • If the fault is correctable, the system automatically recovers the data or resets the damaged path.

Examples

Example 1: Multi-Channel Parallel Output in an Automotive Safety System

  • Configuration: Automotive safety systems (e.g. airbag control) use multi-channel parallel outputs to detect the integrity of the signal. – Operating Principle:
    • The output of the airbag sensor is transmitted in parallel through multiple channels.
    • An external comparator compares the outputs of all channels to check if the signals match.
    • If a mismatch is detected, the airbag system issues a warning and stops operating.
  • Advantages:
    • Enhances passenger safety by detecting vehicle safety system errors early.

Example 2: Multi-channel monitoring in industrial automation systems

  • Configuration: In industrial automation systems, multi-channel parallel outputs are used to ensure the reliability of various sensors and actuators.
  • Operating Principle:
    • Sensor data is transmitted in parallel through multiple channels and checked for consistency through an external comparator.
    • If a data mismatch occurs, the system automatically blocks the corresponding channel and switches to safe mode.
  • Advantages:
    • Increases the stability of the system and minimizes production interruptions.

Limitations and Challenges

1. Increased design complexity

  • Complex system implementation: Implementation of multi-channel parallel output can increase the complexity of the system and requires thorough planning in the early design stage.

2. Performance overhead

  • Additional computational requirements: Additional computation due to external comparators and multi-channel management can affect system performance.

3. Hardware dependency

  • Hardware requirements: Hardware such as external comparators are required and hardware upgrades may be required.

4. Limited coverage

  • Difficulty in detecting some types of errors: This method is effective for certain types of errors, but it cannot perfectly detect all errors.


D.2.4.4 Monitored outputs

The Monitored Outputs technique, as described in ISO 26262, is a critical safety measure aimed at detecting a wide range of failures in electronic systems. This technique leverages dataflow-dependent comparisons to ensure that outputs remain within a predefined tolerance range. By continuously monitoring outputs against independent inputs, this method helps to maintain system reliability and prevent erroneous operations.

Aim

  • Detection of individual errors, external errors, timing errors, addressing errors, drift errors in analog signals, and transient errors: Increases the safety and reliability of the system by detecting various types of errors at an early stage.

Description

1. Comparison of independent inputs:

  • The outputs of the system are compared with independent inputs to ensure compliance within a defined tolerance range (time, value).

2. Periodic inspection and evaluation:

  • The output signals are periodically checked and evaluated to determine whether they are within the expected time and value ranges. – For analog signals, evaluate whether the drift is within the acceptable range.

3. Error detection and response:

  • Error detection: An error is detected when the output is outside the acceptable range or does not match the expected range.
  • Error reporting and handling: When an error is detected, the system immediately generates a warning message and handles the error.

4. Automatic correction and recovery:

  • Automatically recovers data or resets damaged paths to maintain the integrity of the system when an error occurs.

5. Data flow changes required during diagnostic test intervals:

  • Effective error detection: Effective only when the data flow changes during the diagnostic test interval. Static data may be inefficient for detection.

Example

Example 1: Monitoring output of an automotive brake system

  • Configuration: An automotive brake system uses both analog and digital signals to control the braking force.
  • Operating principle:
    • The output of the brake sensor is compared to an independent input (e.g. vehicle speed).
    • It is verified that the output is within the expected braking range.
    • If the tolerance is exceeded, the system issues a warning and adjusts the braking force.
  • Advantages:
    • Maintains the reliability of the brake system and prevents accidents caused by abnormal braking behavior.

Example 2: Monitoring output of aircraft control system

  • Configuration: The aircraft’s flight control system uses various input signals to adjust the aircraft’s state.
  • Operating principle:
    • Flight control signals are compared with independent sensor inputs (e.g., altitude, speed).
    • Evaluates whether the signals are within the expected range and automatically adjusts them if they are out of range.
  • Advantages:
    • Improves flight safety and prevents abnormal flight behavior.

Limitations and Challenges

1. Difficulty in setting the tolerance range

  • Complexity in defining the range: It can be difficult to accurately define the tolerance range, and incorrect range setting can lead to false or no detection.

2. Increased design complexity

  • Complicated system implementation: Implementation of the comparison mechanism for various input and output signals can be complex.

3. Performance overhead

  • Additional computational requirements: The additional computation due to external comparators and periodic checks may impact system performance.

4. Limited coverage

  • Difficulty in detecting some types of errors: This method is effective for certain types of errors, but it cannot perfectly detect all errors.


D.2.4.5 Input comparison/voting

The Input Comparison/Voting technique described in ISO 26262 is a robust safety measure designed to detect a wide range of failures in electronic systems. This approach leverages dataflow-dependent comparisons and voting mechanisms to ensure that inputs remain within a predefined tolerance range. By using redundancy and comparison of independent inputs, this method helps maintain system reliability and prevent erroneous operations due to failures.

Aim

  • Early detection of multiple faults: Increases the safety and reliability of the system by detecting individual errors, external errors, timing errors, addressing errors, drift errors in analog signals, transient errors, etc. as early as possible.

Description

1. Dataflow-dependent comparison:

  • Independent input comparison: The system compares multiple independent inputs to ensure consistency within a defined tolerance range (time, value). – Verify Integrity of Input Signals: Maintains data integrity by verifying that the input signals are within the expected range.

2. Voting Mechanism:

  • Provide Redundancy: Evaluates input signals with 1 out of 2, 2 out of 3, or more redundancy.
  • Vote-based Decision: Determines the correct input by voting based on multiple inputs.

3. Error Detection and Response:

  • Error Detection: Errors are detected when inconsistencies between inputs are found.
  • Error Reporting and Handling: The system reports errors immediately and switches to a safe mode if necessary to prevent further damage.

4. Automatic Correction and Recovery:

  • Maintains system stability by automatically recovering data or reconfiguring damaged paths when errors occur.

5. Requires Data Flow Changes During Diagnostic Test Intervals:

  • Effective Error Detection: Effective only when data flows change during diagnostic test intervals. Static data may be inefficient for detection.

Example

Example 1: Input Comparison/Voting of an Automotive Engine Control Unit (ECU)

  • Configuration: An automotive ECU receives various sensor inputs to optimize engine performance.
  • Operation Principle:
    • The ECU collects inputs from various sensors, such as temperature, pressure, and airflow.
    • It compares each sensor input and uses the corresponding value only if multiple sensor inputs match.
    • If there is a mismatch between inputs, the ECU issues a warning and ignores the abnormal value.
  • Advantages:
    • It optimizes engine performance and prevents performance degradation due to incorrect sensor inputs.

Example 2: Input Voting Mechanism of an Aircraft Flight Control System

  • Configuration: An aircraft flight control system adjusts the aircraft status through various sensor inputs.
  • Operation Principle:
    • The flight control system collects and compares sensor inputs, such as altitude, speed, and position.
    • Using a 2 out of 3 voting mechanism, if two inputs match, the input is considered a reliable value.
    • If an inconsistency between inputs is detected, the system issues a warning and switches to safe mode.
  • Advantages:
    • Improves flight safety and prevents abnormal flight behavior.

Limitations and Challenges

1. Increased design complexity

  • Complex system implementation: Comparison and voting mechanism implementation for various input signals can be complicated.

2. Performance overhead

  • Additional computational requirements: Additional computation due to voting mechanism and periodic checks can affect system performance.

3. Limited coverage

  • Difficulty in detecting some error types: This method is effective for certain error types, but it cannot perfectly detect all errors.

4. Limitations of voting decisions

  • Vulnerability when the same error input occurs: If the same error occurs simultaneously on multiple inputs, the voting mechanism may fail.


[ISO 26262] #1. Part4-6 Technical Safety Concept (TSC)

[ISO 26262] #2. Safety Mechanisms for Electrical and Electronic

[ISO 26262] #3. Safety Mechanism for Processing Unit

Leave a Comment