Intelligent Chassis Technology (13) | Two-box Solution "ESC eBooster" Hazard Analysis and Risk Identification for Functional Safety (Part 1)

Author | Panjiang

Produced by | Yanzhi

According to the different braking actuators, Brake-By-Wire (BBW) can be divided into Electro-Hydraulic Brake (EHB) and Electro-Mechanical Brake (EMB). Among them, EHB is based on the traditional hydraulic brake system, and uses electronic devices to replace some mechanical components, using brake fluid as the power transmission medium, and also equipped with a hydraulic backup braking system. It is currently the mainstream technical solution. Depending on the degree of integration, EHB can be divided into Two-box and One-box.

With the expansion of the new energy vehicle market, the “eBooster+ESC” combination has become the most mainstream Two-box solution on the market. In addition to achieving the basic brake assist function and stability control function, the system can also coordinate and ensure consistent pedal feel during the switching between electric braking and hydraulic braking while achieving brake energy recovery. Moreover, with the popularity of advanced driver assistance systems and automatic parking systems, “eBooster+ ESC” also plays a role in achieving brake redundancy.

On the other hand, the use of electronic devices to replace some mechanical components of the BBW system makes the safety of the system highly dependent on the safety and reliability of the electronic devices. Therefore, the functional safety development of the BBW system is particularly important.

The functional safety standard ISO 26262 was officially released in 2011 and takes effect from 2021. It focuses on the functional safety of electronic and electrical systems, covers the entire product lifecycle (functional safety requirement planning, design, implementation, integration, verification, validation and configuration), and aims to reduce the risk of failures in automotive electronic and electrical systems to the lowest level through a mature development process. It is one of the entry thresholds for global electronic component suppliers wishing to enter the automotive industry, and major mainstream automotive companies at home and abroad have successively integrated the requirements defined in ISO 26262 into their own R&D systems and processes.

In the previous articles (11, 12) of this series, the system architecture and brake function implementation of the “eBooster+ ESC” combination were introduced. Starting from this issue, the key links and points in the functional safety development of the “eBooster+ ESC” combination will be introduced. This article will focus on the methodology of hazard analysis and risk assessment.

Diagram of Hazard Analysis and Risk Assessment

## Introduction to Functional Safety and ISO 26262

In fact, “Functional Safety” is a concept that existed before the release of ISO 26262. With the development of technologies such as computers and integrated circuits, electronic/electrical safety and reliability requirements have become increasingly high in all industrial fields. The International Electrotechnical Commission’s standard, IEC 61508, “Functional Safety of Electrical/Electronics/Programmable Electronic Safety Systems,” officially released in May 2000, established a basic evaluation method for the overall safety lifecycle of electrical/electronic/programmable electronic components in industrial fields (automation, rail transportation, robotics, etc.).

However, its broad, industry-general scope and the absence of automotive input during its formulation meant that applying IEC 61508 directly to the automotive sector had many limitations, which made it difficult for mainstream OEMs at home and abroad to explore and practice functional safety in automotive development and to form an industry system around it.

On the other hand, with the development of computer and integrated circuit technologies, the constant emergence of passive and active safety systems in automobiles has not only saved countless lives but also has the potential risk of causing life-threatening injuries due to functional abnormalities (such as unintended activation of airbags). At the same time, as the wave of intelligentization sweeps through the automobile industry, the electrical and electronic systems (E/E system) on automobiles are becoming increasingly complex. The automotive industry urgently needs a universal safety evaluation system and safety development guidance system applicable to E/E systems in automobiles.

In this context, ISO 26262 was derived based on the theoretical framework of IEC 61508 and was formally released in 2011, with the aim of providing functional safety methods guidance for various stages of the automotive safety lifecycle (management, development, production, operation, service, and scrappage). Since then, based on the system guidance of ISO 26262, automotive functional safety has truly been gradually integrated into the development system of major mainstream OEMs at home and abroad.

ISO 26262 vs IEC 61508

China is also continuously promoting the implementation of functional safety in the automotive industry. The National Standardization Management Committee released GB/T 34590 Road Vehicles – Functional Safety based on the framework of ISO 26262 in 2017. The release of this standard has played a positive role in promoting the implementation of functional safety in the Chinese automotive industry.

## Methodology of Hazard Analysis and Risk Assessment

The definition of functional safety is: no unreasonable risk shall result from potential malfunctioning behaviour of electronic and electrical systems.

To avoid “unreasonable risk,” the first step is to correctly identify hazards and risks. For hazard identification, ISO 26262 particularly emphasizes two points:

ISO 26262 Part 3, 6.4.2.2:

The hazards shall be determined systematically based on possible malfunctioning behaviour of the item.

ISO 26262 Part 3, 6.4.2.3:

Hazards caused by malfunctioning behaviour of the item shall be defined at the vehicle level.

According to GB/T 34590 Part 3, 7.4.2.2.2:

Hazards caused by malfunctioning behaviour of the item shall be attributed to vehicle-level observable conditions or behaviours.

Since hazards are defined based on vehicle-level observable behaviors, it is necessary to understand all possible motion behaviors of the vehicle. From a whole vehicle dynamics perspective, the motion behaviors of an automobile can be accurately described by the motion coordinate system shown in the figure below.

Vehicle Motion Coordinate System

Taking the eBooster system as an example, if the braking assist provided by the eBooster is abnormal, the vehicle may behave abnormally along the longitudinal axis of this coordinate system.

It is worth mentioning that, besides the hazards identified from observable behaviour in the motion coordinate system, other types of hazards related to complex E/E systems and Human-Machine Interfaces (HMI) should also be considered, such as failing to notify the driver in time through the HMI when a system fails, or a delay in the brake lights coming on that endangers the driver behind.

Returning to the definition of functional safety: it focuses on unreasonable risk. Here, risk refers to injury to the driver, pedestrians, or occupants of surrounding vehicles. So the question is:

  • Will all the hazards of the entire vehicle cause unreasonable risks?

The answer is no. Take the hazards caused by the eBooster as an example: if the entire vehicle loses braking power in an empty parking lot at low speed, the driver has enough time to take measures to stop the vehicle (such as a low-speed collision with a wall) and avoid personal injury to the driver or pedestrians. However, if the entire vehicle loses braking power at high speed, it is very likely to cause serious personal injury through a rear-end collision with the vehicle ahead.

From the example above, it can be seen that the hazards of the entire vehicle may not necessarily bring unreasonable risks. It depends on various factors such as the vehicle operating scenario, the performance of participants under the operating scenario, and the severity of personal injury caused by risks.

Example of vehicle operating scenario, image from the Internet

Therefore, when the hazards of the entire vehicle are identified, it is necessary to analyze whether the potential risks caused can be accepted by combining the hazard and the vehicle operating scenario at the time of the occurrence of the hazard. This activity is called “Classification of hazardous events”.

After all the relevant combinations of scenario and hazard have been listed, the next step is to classify and filter them, to determine which risks are acceptable and which are not. ISO 26262 provides a qualitative method for classifying hazardous events, with the screening indicators divided into three dimensions:

  1. S (Severity): the level of injury that the occurrence of the hazard will cause to drivers, passengers, pedestrians, or occupants of surrounding vehicles. The rating table is as follows:

Table of S-value ratings and explanations, image from the Internet

  2. E (Exposure): the probability of the operating scenario occurring during daily driving. The rating table is as follows:

ASIL rating and explanation, image from the Internet

  3. C (Controllability): the probability that the driver or other people involved can control the situation so as to avoid injury. The rating table is as follows:

C rating and explanation, image from the Internet

Based on these three dimensions, the ASIL (Automotive Safety Integrity Level) of a hazardous event can be determined. ASIL has four levels in total: D is the most stringent level, corresponding to the highest risk, and A is the least stringent, corresponding to the lowest risk.

If a hazardous event of the item is rated ASIL A or above, functional safety development must be carried out; if it is rated QM (Quality Management), developing it according to the enterprise's normal process is considered sufficient to meet the ISO 26262 requirements, without additional functional safety development.
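The S/E/C classification described above, carried through to an ASIL for the article's two eBooster scenarios, as an added example that is not part of the original article. The S/E/C-to-ASIL lookup follows the ASIL determination table of ISO 26262 Part 3 (not reproduced on this page); the S, E and C ratings assigned to the two scenarios are constructed assumptions for illustration, and the rule that a hazard's safety goal takes the highest ASIL among its hazardous events is also from ISO 26262 Part 3.

```python
from dataclasses import dataclass
from enum import IntEnum


class ASIL(IntEnum):
    """QM means no ASIL is assigned; A..D are increasingly stringent."""
    QM = 0
    A = 1
    B = 2
    C = 3
    D = 4


# ISO 26262-3 ASIL determination table, indexed [S][E], then by C (C1 C2 C3).
# Rows: S1..S3; columns within each row: E1..E4.
_ASIL_TABLE = {
    1: {1: "QM QM QM", 2: "QM QM QM", 3: "QM QM A", 4: "QM A B"},
    2: {1: "QM QM QM", 2: "QM QM A", 3: "QM A B", 4: "A B C"},
    3: {1: "QM QM A", 2: "QM A B", 3: "A B C", 4: "B C D"},
}


def determine_asil(s: int, e: int, c: int) -> ASIL:
    """Map an S/E/C rating to an ASIL. S0, E0 or C0 means no ASIL (QM)."""
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError(f"rating out of range: S{s} E{e} C{c}")
    if 0 in (s, e, c):
        return ASIL.QM
    return ASIL[_ASIL_TABLE[s][e].split()[c - 1]]


@dataclass(frozen=True)
class HazardousEvent:
    """One combination of a vehicle-level hazard and an operating scenario."""
    hazard: str
    scenario: str
    s: int
    e: int
    c: int

    @property
    def asil(self) -> ASIL:
        return determine_asil(self.s, self.e, self.c)

    @property
    def needs_fusa_development(self) -> bool:
        # ASIL A or above requires functional safety development; QM does not.
        return self.asil >= ASIL.A


def highest_asil(events) -> ASIL:
    """A hazard's safety goal inherits the highest ASIL of its hazardous events."""
    return max(ev.asil for ev in events)


# Constructed ratings (assumptions) for the two eBooster scenarios in the article.
EBOOSTER_EVENTS = [
    HazardousEvent("Loss of brake assist", "Empty parking lot, low speed", s=1, e=2, c=1),
    HazardousEvent("Loss of brake assist", "High speed, vehicle ahead", s=3, e=4, c=3),
]
```

Running the classification over `EBOOSTER_EVENTS` gives QM for the parking-lot case and ASIL D for the high-speed case, so the "loss of brake assist" hazard as a whole is developed to ASIL D.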

Due to space limitations, the next post will apply the hazard analysis and risk assessment methodology introduced in this article systematically to the ESC+eBooster system.

This article is a translation by ChatGPT of a Chinese report from 42HOW. If you have any questions about it, please email bd@42how.com.