Part 2: Functional Safety Demonstration project - Cruise Control in panic mode

  • Nov. 18, 2015
  • Marcel Romijn

In this demonstration project BRACE has selected the Functional Safety competence as its central topic. In cooperation with the HAN University of Applied Science a demonstration project has been set up. The project is executed by a thesis student of the HAN and an intern student of the TU/e.

The Challenge: Ensuring innovative and efficient development without compromising the operational safety of existing systems

The Process:

The development and validation of the cruise control system follows the guidelines of the concept phase of the ISO 26262 standard. The functionality the cruise control provides to the vehicle is described at a functional level in the Item Definition. Based on the item definition, selected failure modes (for example, a malfunctioning speed sensor) are injected into a Simulink model of the cruise control, and the hazards that may arise from these failure modes (unintended acceleration or deceleration) are identified. Using the classification of each hazard, an Automotive Safety Integrity Level (ASIL) is assigned to it and safety goals are formulated to prevent or mitigate the hazard. From the safety goals, functional safety requirements have been derived, which will be translated into the system design.
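The hazard classification and ASIL assignment described above can be carried through in a few lines of code. The following is an added example, not the project's own HARA or model: it encodes the ISO 26262-3 ASIL determination table (severity S, exposure E, controllability C), gives each safety goal the highest ASIL of the hazards it addresses, and checks that no hazard rated above QM is left without a safety goal. The hazard entries, their S/E/C ratings and the safety-goal texts are constructed for illustration and are not the project's results.

```python
"""Concept-phase bookkeeping for a HARA. Constructed example: the hazards,
ratings and safety goals below are illustrative; the ASIL determination table
is the one from ISO 26262-3."""
from dataclasses import dataclass, field
from typing import Dict, List

# ISO 26262-3 ASIL determination: rows are severity S1..S3, columns exposure
# E1..E4, and each cell lists the ASIL for controllability C1, C2, C3.
ASIL_TABLE = {
    1: {1: "QM QM QM", 2: "QM QM QM", 3: "QM QM A", 4: "QM A B"},
    2: {1: "QM QM QM", 2: "QM QM A",  3: "QM A B",  4: "A B C"},
    3: {1: "QM QM A",  2: "QM A B",   3: "A B C",   4: "B C D"},
}
ASIL_ORDER = ["QM", "A", "B", "C", "D"]  # increasing stringency


def asil(severity: int, exposure: int, controllability: int) -> str:
    """Return the ASIL for an (S, E, C) classification. A rating of 0 in any
    class (S0, E0 or C0) means no ASIL is assigned, i.e. QM."""
    if min(severity, exposure, controllability) == 0:
        return "QM"
    if not (1 <= severity <= 3 and 1 <= exposure <= 4 and 1 <= controllability <= 3):
        raise ValueError("S must be 0..3, E 0..4, C 0..3")
    return ASIL_TABLE[severity][exposure].split()[controllability - 1]


@dataclass
class Hazard:
    hid: str
    failure_mode: str   # injected failure mode that leads to the hazard
    effect: str         # hazardous event at vehicle level
    s: int
    e: int
    c: int

    @property
    def rating(self) -> str:
        return asil(self.s, self.e, self.c)


@dataclass
class SafetyGoal:
    gid: str
    text: str
    hazards: List[str] = field(default_factory=list)  # ids of hazards it addresses


def safety_goal_asil(goal: SafetyGoal, hazards: Dict[str, Hazard]) -> str:
    """A safety goal inherits the highest ASIL of the hazards it addresses."""
    ratings = [hazards[h].rating for h in goal.hazards]
    return max(ratings, key=ASIL_ORDER.index) if ratings else "QM"


def uncovered_hazards(hazards: Dict[str, Hazard], goals: List[SafetyGoal]) -> List[str]:
    """Traceability check: every hazard rated above QM needs a safety goal."""
    covered = {h for g in goals for h in g.hazards}
    return sorted(h.hid for h in hazards.values()
                  if h.rating != "QM" and h.hid not in covered)


# Constructed HARA entries for the cruise control (ratings are illustrative).
HAZARDS = {h.hid: h for h in [
    Hazard("H1", "speed sensor reads too low", "unintended acceleration", s=3, e=4, c=2),
    Hazard("H2", "speed sensor reads too high", "unintended deceleration", s=2, e=4, c=2),
]}
GOALS = [
    SafetyGoal("SG1", "The CCS shall not cause unintended acceleration", ["H1"]),
    SafetyGoal("SG2", "The CCS shall not cause unintended deceleration", ["H2"]),
]


def hara_report(hazards=HAZARDS, goals=GOALS) -> Dict[str, str]:
    """Map each safety goal to the ASIL it has to be developed to."""
    return {g.gid: safety_goal_asil(g, hazards) for g in goals}


if __name__ == "__main__":
    for gid, rating in hara_report().items():
        print(gid, rating)
    print("hazards without a safety goal:", uncovered_hazards(HAZARDS, GOALS))
```

With the constructed ratings, SG1 comes out at ASIL C and SG2 at ASIL B; dropping a safety goal makes `uncovered_hazards` report the orphaned hazard, which is the traceability gap a review of the HARA is meant to catch.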

Integrated Simulink model:

For this project a Simulink model is used to test the effects of fault injection. The system is split into two main subsystems. The left subsystem, called "the controller", contains the PID controller and the throttle. The input of the controller is the reference speed (the speed desired by the driver) minus the actual vehicle speed; its output is the throttle position.

The throttle position is the input to the second subsystem, the plant (the car/vehicle). The plant contains several sub-subsystems: the engine, the disturbance and the body/vehicle. The input to the engine is the throttle position and its output is a force. The engine block contains several components: the gearbox and the conversion from throttle position to torque and then to output force. The disturbance block models several dynamics: rolling friction, road gradient and aerodynamic drag. The outputs of the engine and disturbance blocks are the inputs to the vehicle block. The disturbance value is negative because these forces work against the vehicle, so the input to the vehicle is the engine output minus the disturbance output. It is important to keep the model as basic as possible.

Systematic Testing

To be sure that the plant model works properly and responds like the real car (a Volvo C30), we did a verification test in which the response of the car was logged. By logging the throttle position and the vehicle speed we could see how fast the car accelerates and at which throttle position. This gave us an impression of the actual response of the CCS, which we compared with the response of our model. The following faults were introduced and simulated:

  • Noise on the speed feedback signal (simulating the wheel sensors)

  • Delay in the speed feedback signal

  • Delay in the throttle's feedback signal

  • Different value in the speed feedback signal

  • Different value in the throttle's feedback signal

The test will be done on a proving ground. The aim is to see whether the fault disrupts the system or whether the CCS recognizes the fault and shuts itself off. To introduce the failure we will use a microcontroller running HANcoder software (see the blogs on SMARTcode) and a CAN transceiver module; this way we can interfere with the CAN messages sent to the CCS. There will be an emergency stop that cuts the power to the injector, so that there is less interference with other (safety) systems.

Functional Safety models are effective!

A glance at the simulation results and the functional HARA results shows striking similarities, and this innovative method helps to foresee higher ASIL ratings even before the actual development. The development and use of a functional model based on the ISO 26262 standard offers robust traceability during the development stages of a passenger car and demonstrates the resourcefulness of model-based systems engineering in achieving that traceability. As a bonus, the functional models developed are reusable in other environments. An important finding is that the increased traceability and reusability substantially reduce development time and cost.
