mopdf.com

Downloaded from SAE International by Wolfgang Granig, Wednesday, May 03, 2017146Granig et al / SAE Int. J. Passeng. Cars – Electron. Electr. Syst. / Volume 10, Issue 1 (May 2017)The goal of this paper is to give a methodology to calculate the worstcase diagnostic coverage of safety-mechanisms mentioned in the ISO26262 for redundant sensor channels correlated via the measuredproperty including real world example quantities. The calculation ofthe physical sensed value X out of the sensor output value Y of eachchannel can be modeled as linear dependent function according toEquation 6 via a transfer-coefficient k and d (index n shows theaccording channel).Table 4. Example safety requirement broken down from a system safety goalSafety Mechanism(6)This paper focuses on the diagnostic coverage calculations related tore-calculated physical quantities Xn out of each sensor output value Yn.Table 3. Fault classification and used symbol for following equationsThis requirement is important to define a safety mechanism to detectthis failure and an according failure reaction in the safety-concept. Inour case we choose the proposal of ISO 26262 part 5:2011 ANNEXD2.10.2 [1] and define two independent measurement signal pathsusing different output signal slopes and different clamping limits forboth sensor signal channels. The independence of the channels has tobe proven using a DFA (Dependent Failure Analysis) which is not themain focus of this paper which concentrates on the quantification ofthe probabilistic figures. Further we define a safety-mechanism whichcompares the two sensor output signals and initiate a failure reactionin case that their difference exceeds a certain limit. In case ofindependent ideal sensors having no accuracy tolerance, residualtemperature dependence or lifetime-drifts, this safety mechanismwould provide a 100% diagnostic coverage since the independenceassures that a fault only appears in one of the channels. Consequentlywe could define a very small tolerable difference and any failure willbe either detected immediately by the difference check or nodeviation from the correct measurement is present. To reducedependencies between the channels opposite slopes are defined.Faults leading to a manipulation of both output signals synchronouslywill be detected by the output comparison. Even if there is a largedisturbance of both channels in one direction, the two independentdifferent clamping limits of channel 1 and 2 will cause a difference inthe output signals, which is detected by this comparison check.Definition of Sensor DeviationsDIAGNOSTIC FUNCTIONFirst we need to define a safety requirement as input for ourdiagnostic coverage calculation including clear pass and fail criteriaof this safety-requirement. Statistical accuracy figures of the tworedundant data paths have to be derived in order to allow calculatethe final detection-probability of random faults.Safety RequirementThe safety requirement must be broken down to the sensor elementfrom the system safety-goal which is an assumption for a SEooC. Atthe end safety requirements for redundant sensor system come downto a form like the ones shown in Table 4.In real life we have to consider the limited accuracy of both sensorsignal channels. We have to consider calibration inaccuracy, residualtemperature dependence after compensation, lifetime and any otherdrifts (example: chip package related drifts caused by humidity ormechanically induced chip-stress). These influences are collectivelydescribed by uncertainty-offsets which can be expressed in the modelEquation 7. X represents the sensor output in physical units, Xcalrepresents the ideal sensor output in physical units (could be alsoafter end-of-line calibration value), ΔXunc is the measurementuncertainty modeled as offset and ΔXfault the additive fault deviationin physical dimensions. The corresponding uncertainty-values ofthese deviations are usually specified as standard deviations in thedata sheet of the device. It shall be recognized that these effects areunavoidable parts of the behavior of a sensor in absence of any fault.(7)

Downloaded from SAE International by Wolfgang Granig, Wednesday, May 03, 2017Granig et al / SAE Int. J. Passeng. Cars – Electron. Electr. Syst. / Volume 10, Issue 1 (May 2017)147To fulfill the safety requirement the output-deviation to the idealtransfer-function is not allowed to be larger than the limit Δsafdefined in the safety-requirement coming from customers or from asafety architecture according to Equation 8 with Δsaf representing thesafety requirement limit. Obviously the effect of the deviationsdefined in Equation 7 has to be below the limit that infringes thesafety criterion. A visualization of this requirement is also shown inthe Venn-diagram in Figure 3 [5].(8)Figure 4. This overview shows all possible output situations of the mainsensor X1 and all possible situations in combination with the secondredundant sensor channel X2. We distinguish between ΔX1 smaller or largerthan the specification limit “Δspec”, ΔX1 smaller or larger than the safetylimit “Δsaf” and the difference between X1 and X2 (dX) smaller or larger thanthe diagnostic limit “dsml”. Case 4 is the dangerous fault which is notdetected and this is reducing the diagnostic coverage.Figure 3. This is a Venn-diagram of all sensor output possibilities. If the outputvalue-deviation is within the specification limit the output values are ok (Xok). If the output-value deviation is larger than the specification limit but lowerthan the safety limit these faults are safe (X fail safe). The lastpossibility is anoutput value-deviation exceeding the safety limit (X fail viol).Definition of Sensor Safety Mechanism DeviationsTo detect this deviation from the main sensor channel output X1 asecond redundant sensor X2 (Sensor 2 shown in Figure 1) is used tomeasure the difference dX of the two sensor outputs as shown inFigure 1, 2 and Equation 9. In case the difference of themeasurements delivered by both channels exceeds a safetymechanism-limit threshold (dsml) this should be indicated by a safetyreaction. For an initial approach the threshold of this safetymechanism limit is set equally to the safety limit (dssml: Δsaf).Equation 10 shows that inserting Equation 7 into Equation 9 resultsin dX only depending on the sensor uncertainties and faults.(9)(10)Figure 4 shows a tabular representation of the possible sensor outputvalues including the described safety-mechanism [5]. In thiscombination we also get deviations of the main channel 1 (ΔX1)larger than the safety-limit Δsaf which are not detected (CASE 4).There are also situations where faults are indicated and the deviationof X1 is smaller than the safety-limit, which represents a false-alarm(CASE 5 and 6).Figure 1 shows a real world implementation scenario for these twocorrelated sensor output signals for fault diagnostic reasons. Each ofthe individual signals consists of the ideal transfer-function withsuperimposed deviation-components modeled as offset contributioncaused by residual temperature-drifts, lifetime-drifts, end-of-linecalibration deviations and noise. Finally we can define a transferfunction band around the ideal transfer-function representing thereal-life deviations. This kind of setup uses two different sensorchannels with inverted output slope for easier detection of commoninfluences on both sensor-channels and different clamping limits toeasily detect short to VDD or GND of one or both sensor channels.In general we have to distinguish between the safety requirementslimit “Δsaf” which defines the maximum deviation of the sensormodule output channel, defined as allowed positive and negativedeviation from end of line calibration to fulfill the safety requirement.The used safety mechanism to compare both channel outputs also hasa limit called “dsml” (Safety Mechanism Limit). I is also defined aspositive and negative allowed tolerance between both channels (seeEquation 9). Now the measurement channels have specifieddeviations of temperature and lifetime-drifts. An overview of possiblecombinations out of actual measurement values of X1 and X2 shownin Figure 5 can be seen in Figure 6 and 7. There you can see theresulting tolerated failure deviation limits “d lim p” for the positiveallowed tolerance and “d lim n” for the negative allowed toleranceby the implemented safety mechanism (see Equation 11 and 12).These remaining tolerances are applied now to the deviation of X1(ΔX1) and we get the detection gap (see Equation 13) where thediagnostic mechanism does not react but the safey-limit is violated.We also get the diagnostic gap on the other side of the distributionmainly when ΔX2 gets negative (see Equation 14).

Downloaded from SAE International by Wolfgang Granig, Wednesday, May 03, 2017148Granig et al / SAE Int. J. Passeng. Cars – Electron. Electr. Syst. / Volume 10, Issue 1 (May 2017)Figure 5. This vector diagram shows the two possible situations of real X1 andreal X2 with deviations to the target-value ΔX1 and ΔX2. The differenceX1-X2 dX, which is the same as ΔX1 - ΔX2 dX shown in the next figures.Figure 7. This figure shows the specified sensor deviations similar to Figure 6but with negative specified deviation of channel 2.Since the diagnostic gap cannot get negative because this wouldmean that there is no detection gap, we need to select the casesaccording to the presence of a gap or not (see Equation 15 and 16).(15)Figure 6. This figure shows the specified sensor deviations with positivespecified deviation of channel 2 in combination with the safety-mechanism todetect the deviations larger than diagnostic mechanism limit “dsml” betweenboth channels resulting to d lim p and d lim n diagnostic limits. These limitsapplied to the target output signal generate a diagnostic mechanism detectiongap where the safety requirement limit is violated but the diagnosticmechanism is not activated and also an availability-gap, where the safetymechanism is activated but the deviation is smaller than the safetyrequirement limit.(11)(12)(13)(14)(16)This safety-mechanism is not able to detect a failure with 100%probability as long as the accumulation of the statistical deviationsbetween both channels is not limited to be smaller than the allowedsafety tolerance against the ideal field, which is not achievable underthe assumption of a normal distribution of the deviations.Consequently a quantization of the diagnostic coverage dependent onthe specification of the deviation figures is required. In order to stayas general as possible, the deviations ΔXunc are split in a combinationof systematical and statistical influences according to Equation 17.The systematic deviation ΔXsys can be caused by limitations of thecalibration function, neglecting higher order effects and systematicsignal drifts. While the statistical component may include fabricationspread, quantization of calibration coefficients, individual variationsof calibration conditions and of course noise. Equation 18 shows thestatistical accumulation of individual contributions to the finalstandard-deviations. σxoffs represents the offset related contribution,

Downloaded from SAE International by Wolfgang Granig, Wednesday, May 03, 2017Granig et al / SAE Int. J. Passeng. Cars – Electron. Electr. Syst. / Volume 10, Issue 1 (May 2017)σxgain the gain related contribution (handled as additive white noise)and σxnoise the random noise component. The statistical deviation isnot necessarily equal for both channels. In practical implementationone can define a redundant second sensor channel with lowerperformance resulting in higher systematic and/or statisticaldeviations. The resulting model for the deviation of both channels isgraphically visualized in Figure 8 assuming same systematicdeviations, but different statistical deviations caused by increasednoise due to a lower performant redundant channel 2. Deviations arealways expressed in % of full-scale-range (%FS).(17)(18)149and a better model for diagnostic coverage calculation considering allsystem-aspects this new value is more accurate and can be used asdiagnostic coverage figures for SPFM and LFM calculations.Basic Principle to Calculate Detection ProbabilityIn general we can distinguish between faults affecting in “analog” orin “digital” way. Internal “digital” faults lead to internal stuck-atfaults, bridging faults timing faults or open faults that can appear atany point of a digital signal processing path. Due to the poor amountof different occurrences the only way to address them in a safetyanalysis is a statistical approach. Even if the faults in a DSP or statemachine may lead to faults that will end up with failures that aredetectable on system level like e.g. no or corrupt communicationprotocol, illegal timing or signal out of range we can hardly specify afault model for the distribution of those failure classes over acomplex processing path in an early phase of a project thus a worstcase is taken into account. For this worst case it is assumed that allfaults lead to a valid sample communicated to the controller and thesamples to be equally distributed over the full scale measurementrange. “Analog” failures are even more difficult to specify since theireffect can differ from negligible to total malfunction depending onthe type of defect and circuit type that is affected. Again we need astatistical worst case model that allows delivering diagnosticcoverage estimates during the concept phase of a new development.Analog to the digital fault model we exclude faults that may easily bedetected on system level, like shorts to any kind of signals that areout of range (e.g. supplies) or the ones that raise current consumptionand let the supply break down below the reset level. In this case werefer to the fact that test statistics over large amounts of samples ofanalog circuitry can usually be approximated by normal distributions.For the fault model we define the standard deviation to be a variablethat will later be used to find the worst case of the diagnosticcoverage. The combination of “analog fault” and “digital fault”contributions is shown in Figure 9.Figure 8. This is an example probability density of two independentmeasurement channel output uncertainties ΔXunc 1.of channel 1 and ΔXunc 2 ofchannel 2. These figures show a ΔXsys1 0.5%FS and ΔXsys2 1.0%FSsystematic drift and statistically σx1 0.5%FS for channel 1 and σx2 1%FS forchannel 2 (1σ).Diagnostic Coverage FiguresThe ISO 26262 part 5:2011 ANNEX D in Table D.11 defines a highdiagnostic coverage when using Sensor Correlation D2.10.2, whichleads to 99% diagnostic coverage according to Table D.1. Howeverthis is only an indication and the standard also defines further, that“These guidelines do not address specific constraints that can bespecified in the safety concept in order to avoid the violation of thesafety goals” and even further: “Therefore Tables D.1 to D.14 can beused as starting-point to evaluate the diagnostic coverage of thesesafety mechanisms ”. This means when we have more informationFigure 9. This figure shows the potential output signal deviation probability ofanalog and digital faults including some easy to detect clamping-cases for thecase of an occurred fault. For worst-case diagnostic coverage calculationsthese easy to detect cases are not taken into account.Next step is to analyze the effectiveness of this safety mechanism andfind regions where we cannot guarantee a detection of a deviationlarger than the safety requirement limit Δsaf considering thesafety-mechanism limit dsml and the shift due to measurementtolerance dX. In Figure 10 and 11 we can see sensor-deviations after

Downloaded from SAE International by Wolfgang Granig, Wednesday, May 03, 2017150Granig et al / SAE Int. J. Passeng. Cars – Electron. Electr. Syst. / Volume 10, Issue 1 (May 2017)calibration of channel 1 and channel 2 after lifetime to calculate theworst-case. Besides visualizing the detection gap the figures alsoexplain the need to limit the amount of inadvertent activations of thesafety mechanism by introduction of an availability gap. Despite thesimplification in the drawing that uses discrete values for dX we needto keep in mind that these deviations of the specified function arestatistically distributed values themselves according to Figure 7.(19)(20)Figure 12. The unknown probability density function of deviations caused byanalog faults is modeled by a sweep of the standard-deviation (σf) to cover theworst-case in case.Figure 10. Probability density of possible output signal deviation with mostpositive specified deviation of channel 2 in case of a fault in the mainmeasurement channel 1. One can see the safe faults when the output signaldeviation is smaller than the safety-limit, the detected faults where thedeviation is detected for sure and the detection gap (“gap”) between bothareas. Also the region where a fault is indicated but the deviation is still withinthe tolerance-limit is shown (“availability gap”).Now we find the probabilities “Pnogap p” and “Pnogap n”, which arethe faults do not fall into the category of the undetected gap. To do sowe need to find the integrative probability of faults left of the gap andthe integrative probability right of the gap. The resulting probability“Pnogap p” for positive ΔX2 and “Pnogap n” for negative ΔX2having no gap is defined in Equation 21 and 22. This we need to scalealso with the analog and digital relationship, which is most usefuldone by weighting according to the chip-area. Since this gap canoccur on the left side or on the right side of the target value we wouldhave to sum up two times the same equation with half of theoverall-probability, which at the end cancel out and we only need tocalculate this probability on one side.(21)Figure 11. Same as Figure 10 but with maximum negative specified deviationof channel 2.In case of dsml Δsaf these two different cases get symmetrical andwe only need to analyze 1 of the 2 possible combinations ofdirections for dX, explicitly similar sign and opposite sign.When focusing on the diagnostic coverage we need to quantify thisdetection gap. However we do not know the exact fault distributionfunction of the analog faults in detail, so we need to find the worstpossible case by sweeping the standard-deviation σf of the analogfault-probability-density like shown in Figure 12. We use themathematical expression of the error function “erf” shown inequation 19 to get figures for the probability “Perf” of a failure withstandard-deviation “σ” being smaller than a certain limit “x” shownin equation 20.(22)Figure 13 and 14 show the resulting probability “Pnogap” of detectedfaults not falling into the gap. The characteristic shows the effect, thatwhen the standard-deviation is small faults do not violate the safetylimit and when the standard-deviation is very large most of the faultswill be detected. There is only a small region of σfault around 5%where the overall probability of detected and safe faults gets low withrespect to the demand of higher ASIL levels because a relatively largeamount of faults falls into the detection gap. The plot shows differentcurves for discrete sensor deviation values and integration

Downloaded from SAE International by Wolfgang Granig, Wednesday, May 03, 2017Granig et al / SAE Int. J. Passeng. Cars – Electron. Electr. Syst. / Volume 10, Issue 1 (May 2017)151multiplication of probabilities and the final probability of safe anddetected fault is calculated by the integral of those probabilitiesaccording to Equation 23.(23)The results of these calculations can be seen in Figure 15, oncalculation when channel 1 is used for the final target sensor signal independence on the overall systematic deviations with σx1 0.5%FSdeviation and channel 2 with ΔX2 1.0%FS deviation.Figure 13. Probability of detected or safe faults in channel 1 for differentsensor deviations depending on the analog fault standard-deviation variationwith positive ΔX2 according to Figure 10. These figures were calculated using20% digital and 80% analog faults distribution and Δsaf 5%FS safety limitand dsml 5%FS diagnostic safety-mechanism limit and ΔX2 1.0%FS.Figure 15. Probability of detected or safe faults including statistical variation ofthe sensor output signals which is used for further calculations These figureswere calculated using 20% digital and 80% analog faults distribution, safetyrequirement limit Δsaf 5.0%FS and safety mechanism limit dsml 5.0%FS.The probability that a fault will be detected by this signal comparisonas an example with a systematic sensor deviation ΔX1 1.0%FS,statistic sensor deviations of σx1 0.5%FS and ΔX2 1.0%FS, accuracyand safety tolerance limit Δsaf 5%FS and difference comparison limitdsml 5.0%FS and 20% digital and 80% analog fault distribution willbe 95.49%. Now we could change the sensor accuracy and standarddeviation of the measurement signal. The result is a two-dimensionalarray where one can find the minimum diagnostic coverage for hisindividual conditions which can be found in Figure 16.Figure 14. This is the probability of detected or safe faults similar to Figure 13but with negative ΔX2 when the detection gap occurs on the lower side of theGaussian fault distribution according to Figure 11.Detection Probability Calculation with Sensor DeviationsIn addition also the inaccuracy of the target sensor X1 signal has astatistic variation and needs to be considered. The mathematicallyrepresentation of this influence must be done by individualAnother view of these results can be generated with a look on theinfluence of the safety requirements limit and the safety mechanismlimit shown in Figure 17. In absence of any systematic failure thediagnostic coverage is monotonously increasing in case of largersafety-limits. This is caused by shifting more of the higher probabilitydensities of the Gaussian distribution of the analog faults into the safefault band. In case of increased systematic deviations the diagnosticcoverage is limited even if the sensor signal variation is zero.

Downloaded from SAE International by Wolfgang Granig, Wednesday, May 03, 2017152Granig et al / SAE Int. J. Passeng. Cars – Electron. Electr. Syst. / Volume 10, Issue 1 (May 2017)Equation 26 and 27 again resolve the cases where this availabilitygap becomes negative which means that there is no availability-gapand sets the according value to zero. In case of dsml Δsaf again thisavailability gap occurs on both sides of the distribution functionsymmetrically like the diagnostic gap.(24)(25)Figure 16. Diag

RF. are subtracted from the overall failure rate λ (3) The diagnostic coverage K. DC,RF. of a safety mechanism detecting a fault of a hardware-part is expressed in percentage using the residual failure-rate according to Equation 4. (4) The same diagnostic coverage can be calculated for the