Following the road vehicle functional safety standard ISO 26262, this paper carries out the concept-phase design of the vehicle control unit (VCU) of a pure electric vehicle. First, the activities of the concept phase in Part 3 of ISO 26262 are analysed; on that basis, the item definition of the VCU is completed.
Hazard analysis and risk assessment are performed for different driving scenarios, the safety goals and their corresponding ASIL levels are derived, fault tree analysis (FTA) is carried out, and a functional safety concept for unintended increase or decrease of vehicle torque is proposed. As the core component of a pure electric vehicle, the VCU is responsible for delivering drive torque and controlling energy recovery for the whole vehicle; the safety and integrity of its functions therefore bear directly on the safety of the vehicle. ISO 26262 provides a corresponding approach for the design of vehicle electrical and electronic systems. Referring to the main activities of the Part 3 concept phase, the functional safety concept phase for the pure electric vehicle VCU is analysed and designed. The ISO 26262 functional safety standard was issued in 2011. It is derived from the general industrial standard IEC 61508 and aims to eliminate or reduce unreasonable safety risks caused by malfunctioning electrical and electronic systems of passenger cars up to 3.5 t. The overall process of the standard, shown in Figure 1, comprises 10 parts. In the concept phase, based on the item definition and the item’s safety lifecycle, and combined with how the vehicle is operated, the potential functional safety hazards are analysed and the level of risk is assessed. Then, according to the functional safety risk, safety goals are defined together with a functional safety concept for each safety goal. The main flow of the concept phase is shown in Figure 2. The “Item Definition” step must define and describe the object of analysis, as well as its interactions with and dependencies on its environment and other systems, so that the system is fully understood.
The “Initiation of the Safety Lifecycle” step must establish whether the item is a new development or a modification of an existing system. In the “Hazard Analysis and Risk Assessment” step, the hazards caused by malfunctions of the system are identified and classified, the ASIL (Automotive Safety Integrity Level) is assigned according to the hazard level, and safety goals are formulated to reduce the hazards or avoid the risks, so that unreasonable risk is avoided. The functional safety concept then derives functional safety requirements from the safety goals and allocates them to the preliminary architectural elements of the system or to external risk reduction measures, so that the required functional safety is ensured. ISO 26262 stipulates that all risks that may affect the functional safety of the system shall be identified, and that risk identification, assessment and continuous safety improvement shall be carried out. The main means of risk assessment is determining the ASIL, which serves as the reference for the subsequent process. This step does not require detailed product design; it considers only the use of the product’s functions. The three rating factors and the ASIL lookup table are shown in Figure 3. ASIL is divided into four levels, A, B, C and D; in addition, QM indicates that there is no special functional safety requirement and only the normal quality management process needs to be applied. ASIL D is the highest automotive safety integrity level, with the most stringent functional safety requirements; in the subsequent design it imposes higher demands on hardware architecture and diagnostic coverage, and cost rises accordingly. Assessing the ASIL requires three elements: “severity”, “exposure” and “controllability”.
Severity expresses how severely occupants or pedestrians are injured when the hazard occurs: S0 means no injury and S3 means fatal injury. The severity of harm is analysed according to the actual situation; see Figure 4 for details. Controllability expresses the ability of the driver and other traffic participants to avoid the danger or injury when the failure occurs. It is divided into four grades, C0 to C3: C0 is controllable in general, C1 means more than 99% of drivers can control the situation, C2 means more than 90% of drivers can, and C3 means fewer than 90% of drivers can; see Figure 5. Exposure is the probability of being in the operational situation in which the hazard can arise. It does not consider the probability of the failure itself but the frequency of the driving scenarios in which a failure would lead to the hazard. It is divided into five grades, E0 to E4; see Figure 6. The VCU is the control core of the pure electric vehicle, responsible for transmitting the vehicle’s torque signals and managing the vehicle battery. The VCU samples the analog signals of the accelerator pedal and brake pedal and interprets the driver’s intention using vehicle speed, gear, battery state of charge (SOC), battery and motor temperature, key signal and so on; it then decides the magnitude of the output torque and the driving mode, and performs energy optimisation management. Because the operating conditions and influencing factors of the VCU differ in China, the typical domestic operating conditions of the VCU are listed in Table 1 for the convenience of subsequent design.
the vehicle having no braking torque, and so on. The hazardous events are listed in Table 2 and their ASIL levels are analysed; similar cases and cases with lower ASIL levels are omitted for reasons of space. From the analysis of the hazardous events in Table 2, the safety goal requirements and ASIL levels are obtained. Similar safety goals can be merged into a single safety goal, which takes the highest ASIL among them. Table 3 lists the safety goals of the VCU.
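The ASIL determination from the three rating factors described above, and the merging of similar safety goals at the highest ASIL, as an added example that is not from the paper. The lookup table is the ISO 26262-3 ASIL table; the hazardous events and their S/E/C ratings are constructed for illustration and are not the paper’s Table 2 or Table 3.

```python
# Added example (not from the paper): ASIL determination and safety-goal merging.
ASIL_ORDER = ["QM", "A", "B", "C", "D"]

# ISO 26262-3 ASIL determination table: _ASIL_TABLE[S][E] lists the ASIL for
# C1, C2, C3 in order. Any rating of S0, E0 or C0 yields QM.
_ASIL_TABLE = {
    1: {1: "QM QM QM", 2: "QM QM QM", 3: "QM QM A", 4: "QM A B"},
    2: {1: "QM QM QM", 2: "QM QM A", 3: "QM A B", 4: "A B C"},
    3: {1: "QM QM A", 2: "QM A B", 3: "A B C", 4: "B C D"},
}


def determine_asil(s: int, e: int, c: int) -> str:
    """Return the ASIL (or QM) for a hazardous event rated S0-S3, E0-E4, C0-C3."""
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError(f"rating out of range: S{s} E{e} C{c}")
    if 0 in (s, e, c):
        return "QM"
    return _ASIL_TABLE[s][e].split()[c - 1]


def merge_safety_goals(hazards):
    """Map each hazardous event to its safety goal; a goal shared by several
    events is rated at the highest ASIL among them."""
    goals = {}
    for h in hazards:
        asil = determine_asil(h["S"], h["E"], h["C"])
        previous = goals.get(h["goal"], "QM")
        goals[h["goal"]] = max(previous, asil, key=ASIL_ORDER.index)
    return goals


# Constructed hazardous events for a VCU (illustrative ratings only).
HAZARDS = [
    {"event": "unintended torque increase, urban traffic", "S": 3, "E": 4, "C": 3,
     "goal": "avoid unintended torque increase"},
    {"event": "unintended torque increase, parking manoeuvre", "S": 1, "E": 3, "C": 2,
     "goal": "avoid unintended torque increase"},
    {"event": "unintended torque decrease, highway", "S": 2, "E": 4, "C": 2,
     "goal": "avoid unintended torque decrease"},
    {"event": "unintended braking torque, highway", "S": 3, "E": 3, "C": 3,
     "goal": "avoid unintended braking torque"},
    {"event": "unintended braking torque, low speed", "S": 1, "E": 4, "C": 2,
     "goal": "avoid unintended braking torque"},
]

if __name__ == "__main__":
    for goal, asil in merge_safety_goals(HAZARDS).items():
        print(f"{asil:>2}  {goal}")
```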
Fault tree analysis (FTA) is a top-down deductive method. Starting from a top-level failure, it analyses the causes layer by layer, enumerating all direct and indirect contributing factors down to the lowest level of non-decomposable basic faults. This paper takes “unintended braking torque” as the top event for analysis, as detailed in Figure 7, which lists the causes of the “unintended braking torque” event and decomposes them into deeper causes. It can be seen from the figure that about 13 kinds of basic faults can lead to an “unintended braking torque” event.
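The FTA step above, carried through as an added example that is not from the paper: the code computes the minimal cut sets of a fault tree, i.e. the smallest combinations of basic faults that trigger the top event, and reports the singleton cut sets as single-point faults. The tree for “unintended braking torque” is constructed from the fault categories the paper’s safety requirements address (analog output, pedal inputs, power supply, clock, CAN); it is an assumption for illustration and not the paper’s Figure 7.

```python
# Added example (not from the paper): minimal cut sets of a fault tree.
# A gate is (OR|AND, [children]); a basic (non-decomposable) fault is a string.
OR, AND = "OR", "AND"


def cut_sets(node):
    """Return the minimal cut sets (frozensets of basic faults) of a gate or basic fault."""
    if isinstance(node, str):                     # basic fault: it is its own cut set
        return [frozenset([node])]
    gate, children = node
    child_sets = [cut_sets(child) for child in children]
    if gate == OR:                                # any child's cut set suffices
        combined = [cs for group in child_sets for cs in group]
    elif gate == AND:                             # one cut set from every child is needed
        combined = [frozenset()]
        for group in child_sets:
            combined = [a | b for a in combined for b in group]
    else:
        raise ValueError(f"unknown gate: {gate}")
    return minimise(combined)


def minimise(sets):
    """Keep only cut sets that contain no other cut set."""
    minimal = []
    for s in sorted(set(sets), key=len):
        if not any(m <= s for m in minimal):
            minimal.append(s)
    return minimal


def single_point_faults(tree):
    """Basic faults that alone cause the top event (singleton cut sets)."""
    return {next(iter(cs)) for cs in cut_sets(tree) if len(cs) == 1}


# Constructed tree (assumption, not Figure 7): top event "unintended braking torque".
UNINTENDED_BRAKING_TORQUE = (OR, [
    (OR, [                                        # wrong regenerative torque request
        "analog torque output fault",
        (AND, ["brake pedal channel 1 fault", "brake pedal channel 2 fault"]),
    ]),
    (OR, ["VCU power supply fault", "VCU clock fault"]),   # compute platform faults
    (AND, ["CAN torque message corrupted", "CAN message check absent"]),
])

if __name__ == "__main__":
    for cs in cut_sets(UNINTENDED_BRAKING_TORQUE):
        print(sorted(cs))
```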
Thus the possible causes and events leading to system faults are understood at the design stage, so that single-point faults and multiple-point faults of the system can be avoided during development. For SG_1, SG_2 and SG_3, referring to the results of the fault tree analysis, this paper designs the following functional safety concept: safety requirement FSR-1 is proposed for the analog output signals; FSR-4 and FSR-5 are proposed for the analog inputs of the accelerator pedal and brake pedal; for VCU power supply and clock faults, the monitoring requirements FSR-2 and FSR-3 are proposed; and for the CAN message information, the functional safety requirement FSR-6 is proposed. The detailed functional safety requirements are listed in Table 4. ISO 26262 provides process guidance and a new way of thinking for the functional safety development of automotive electrical and electronic systems. Following the process recommended for the Part 3 concept phase, this paper designs the VCU in the concept phase, completes the design of the concept requirements for the torque functional safety of the VCU in accordance with ISO 26262, and provides the basis for subsequent hardware design and software development.