Intelligent Chassis Technology (13) | Hazard Analysis and Risk Assessment of “eBooster+ESC” Functional Safety (Part One)

Author | Ban Jiang

Brake-by-wire (BBW) systems are classified by their braking actuator into electro-hydraulic brake (EHB) systems and electro-mechanical brake (EMB) systems. EHB is the mainstream scheme today: it builds on the conventional hydraulic braking system and replaces some of its mechanical components with electronic devices. EHB still uses brake fluid as the power transmission medium and retains a hydraulic backup braking path. Depending on the level of integration, EHB schemes are further divided into Two-box and One-box designs.

With the growth of the new energy vehicle market, the “eBooster+ESC” combination has become the most common Two-box scheme. Beyond basic brake assistance and stability control, it enables brake energy recovery while blending electric (regenerative) and hydraulic braking so that the pedal feel stays consistent for the driver during the transition between the two. As advanced driver assistance and automatic parking systems spread, “eBooster+ESC” also provides brake redundancy: either unit can build hydraulic pressure if the other fails.

On the other hand, because BBW systems replace mechanical components with electronic devices, the safety of the braking system now depends heavily on the safety and reliability of those electronic devices. Functional safety development of BBW systems is therefore particularly important.

The functional safety standard ISO 26262 was first published in 2011. It addresses the functional safety of automotive electrical and electronic (E/E) systems over the whole product life cycle, covering requirements planning, design, implementation, integration, verification, validation and configuration, and aims to reduce the risk arising from faults in automotive E/E systems through a disciplined development process. Compliance is one of the entry thresholds for electronic component suppliers worldwide who want to enter the automotive industry, and the major domestic and foreign automakers have successively integrated the requirements defined in ISO 26262 into their own R&D systems and processes.

In the previous article, the methodology of hazard analysis and risk assessment was introduced. This article takes the “eBooster+ESC” combination as the analysis object and applies that methodology in practice.

[Figure: Hazard Analysis and Risk Assessment diagram]

Vehicle Hazard Analysis

The goal of vehicle hazard analysis is to identify, as completely as possible, the abnormal vehicle-level behaviours that can result when the E/E system under study malfunctions. ISO 26262 recommends identifying hazards systematically, and HAZOP (Hazard and Operability Analysis) is the method most commonly used for this. HAZOP gives developers a systematic way of thinking that is easy to apply, and it is widely used in functional safety development across the automotive industry.

In simple terms, HAZOP applies a fixed set of guidewords to each function and asks what happens at the vehicle level under each kind of functional failure, so that all hazards the function can cause are enumerated (the English wording of the HAZOP guidewords is kept here to avoid translation deviations):

  1. Loss of Function – function not provided when intended
  2. Function provided incorrectly when intended
    • Incorrect Function-More than intended
    • Incorrect Function-Less than intended
    • Incorrect Function-Wrong direction
  3. Unintended Activation of Function – Function provided when not intended
  4. Output Stuck at a Value – Failure of the function to update as intended

Note: Not every failure mode above applies to every function. For example, there is no “wrong direction” failure for the braking function. In other words, each function needs its own analysis.

The previous articles introduced the “eBooster+ESC” system in detail. Its functions are summarised here:

  • Function 1: Driver braking assistance function
  • Function 2: External ECU brake request response function
  • Function 3: Electronic stability control function (ABS/TCS/VDC)
  • Function 4: Brake light control function

[Figure: Two-box architecture of the eBooster and ESC system]

Next, a HAZOP analysis is carried out for each of these functions to identify how it can malfunction and what hazards that presents to the vehicle.

Driver Brake Assist Function

External ECU Brake Request Response Function

Electronic Stability Control Function

Brake Light Control Function

The HAZOP results show that failures of different functions can lead to the same vehicle-level hazard. To avoid duplication, the potential hazards caused by malfunction of the “eBooster+ESC” system are consolidated in the table below.

Hazard Event Classification and Risk Analysis

After the vehicle-level hazards have been identified, each hazard is combined with the operational situations in which it can occur to form hazardous events, and these events are classified so that the unreasonable risks that functional safety development must address can be identified.

Hazardous events are classified along three dimensions:

  • S (Severity): the severity of the harm that the hazardous event can cause to the driver, passengers, pedestrians or occupants of surrounding vehicles.

  • E (Exposure): the probability of being in the operational situation in which the hazard can occur during normal driving.

  • C (Controllability): the likelihood that the driver or other persons involved can gain sufficient control of the hazardous event to avoid the harm.

The combination of the S, E and C classes determines the ASIL (Automotive Safety Integrity Level, QM or A to D) of the hazardous event.

Classification of Hazardous Events and Risk Analysis Based on the HAZOP Results

Note: The following analysis is for reference only and may differ from the results obtained in a specific project.

Unexpected braking with no braking request from the driver or external ECU, resulting in wheel lock

Excessive deceleration with no braking request from the driver or external ECU, resulting in loss of lateral stability

Insufficient deceleration when the driver requests braking

Insufficient deceleration when the external ECU requests braking (assisted driving *)

* Under assisted driving, the driver must continuously monitor the system and take over when necessary.

Insufficient deceleration when the external ECU requests braking (autonomous driving *)

* Under autonomous driving, the system is required to handle an exception itself; the driver is not required to take over the vehicle.

Loss of vehicle stability due to unexpected intervention by the stability control function

Loss of vehicle stability due to missing or incorrect intervention by the stability control function

Brake light not illuminated when the vehicle is braking

Vehicle parking force too high (driver inside the vehicle)

Vehicle parking force too low (driver inside the vehicle)

Deriving Functional Safety Goals

From the results of the hazard analysis and risk assessment, the safety goals of “eBooster+ESC” can be derived: one safety goal is formulated for each hazard, and where several hazardous events share a safety goal, the goal inherits the highest ASIL among them.
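The S/E/C classification described above and the derivation of safety goal ASILs from it can be expressed directly in code. The following is an added example written for this page, not code from the original article or from any supplier's HARA tool. The lookup table reproduces the ASIL determination table of ISO 26262-3 (Table 4); the hazardous events, operational situations and S/E/C ratings in `SAMPLE_EVENTS` are illustrative assumptions constructed for this example and are not the ratings of the article or of any real project.

```python
"""ASIL determination for HARA results per ISO 26262-3 (added example)."""
from dataclasses import dataclass

# ISO 26262-3 Table 4, indexed as ASIL_TABLE[S][E][C - 1].
ASIL_TABLE = {
    1: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "QM"), 3: ("QM", "QM", "A"), 4: ("QM", "A", "B")},
    2: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "A"), 3: ("QM", "A", "B"), 4: ("A", "B", "C")},
    3: {1: ("QM", "QM", "A"), 2: ("QM", "A", "B"), 3: ("A", "B", "C"), 4: ("B", "C", "D")},
}
ASIL_ORDER = ("QM", "A", "B", "C", "D")
_RANK = {asil: i for i, asil in enumerate(ASIL_ORDER)}


def determine_asil(s: int, e: int, c: int) -> str:
    """Return the ASIL ("QM" or "A".."D") for one hazardous event.

    S0, E0 and C0 are legitimate classes in the standard and mean that no
    ASIL is assigned (QM). Values outside the defined ranges are rejected
    rather than silently mapped to a lenient rating.
    """
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError(f"S/E/C out of range: S{s} E{e} C{c}")
    if 0 in (s, e, c):
        return "QM"
    return ASIL_TABLE[s][e][c - 1]


def check_table_monotonic() -> bool:
    """Sanity check on the table: raising any one of S, E or C never lowers the ASIL."""
    for s in (1, 2, 3):
        for e in (1, 2, 3, 4):
            for c in (1, 2, 3):
                here = _RANK[determine_asil(s, e, c)]
                if s < 3 and _RANK[determine_asil(s + 1, e, c)] < here:
                    return False
                if e < 4 and _RANK[determine_asil(s, e + 1, c)] < here:
                    return False
                if c < 3 and _RANK[determine_asil(s, e, c + 1)] < here:
                    return False
    return True


@dataclass(frozen=True)
class HazardousEvent:
    hazard: str        # vehicle-level hazard from the HAZOP
    situation: str     # operational situation the hazard is combined with
    s: int
    e: int
    c: int
    safety_goal: str   # safety goal that addresses this hazard

    @property
    def asil(self) -> str:
        return determine_asil(self.s, self.e, self.c)


def safety_goal_asils(events) -> dict:
    """Map each safety goal to the highest ASIL of the hazardous events it covers."""
    result = {}
    for ev in events:
        current = result.get(ev.safety_goal, "QM")
        result[ev.safety_goal] = max(current, ev.asil, key=_RANK.__getitem__)
    return result


# Constructed sample: hazards from the article's list paired with assumed
# situations and assumed S/E/C ratings (illustrative only, not project data).
SAMPLE_EVENTS = (
    HazardousEvent("Unexpected braking with no braking request",
                   "Highway, high speed, vehicle following closely", 3, 4, 3,
                   "Avoid unintended braking"),
    HazardousEvent("Unexpected braking with no braking request",
                   "Creeping in a parking lot", 1, 2, 1,
                   "Avoid unintended braking"),
    HazardousEvent("Insufficient deceleration when the driver requests braking",
                   "Urban driving, pedestrian crossing ahead", 3, 4, 3,
                   "Provide the driver-requested deceleration"),
    HazardousEvent("Brake light not illuminated when the vehicle is braking",
                   "Highway, vehicle following closely", 3, 4, 2,
                   "Brake lights shall indicate braking"),
)

if __name__ == "__main__":
    assert check_table_monotonic()
    for ev in SAMPLE_EVENTS:
        print(f"{ev.asil:>2}  S{ev.s} E{ev.e} C{ev.c}  {ev.hazard} / {ev.situation}")
    for goal, asil in safety_goal_asils(SAMPLE_EVENTS).items():
        print(f"Safety goal '{goal}': ASIL {asil}")
```

The two entries for "unexpected braking" show why classification is done per hazardous event rather than per hazard: the same hazard rates QM when creeping in a parking lot but D on a highway, and the safety goal that covers both inherits D. The monotonicity check is a cheap guard against transcription errors when the table is copied into a project tool.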

This article is a translation by ChatGPT of a Chinese report from 42HOW. If you have any questions about it, please email bd@42how.com.