21/10/2020

Ordiate

Power inverter safety system concept for ISO 26262

One of the undeniable facts about the automotive sector is that the total electronic system content in vehicles is increasing.

As vehicles become more complex and incorporate features that sense, think and act for the driver, the type of electronic content changes. In particular, there will be large growth in hybrid electric vehicle and electric vehicle content, as well as in automated drive functions.

However, a key challenge that needs to be addressed is that the current business model for electric vehicles is not profitable long term for OEMs. The average perceived cost of base electric vehicles is still a major concern.

OEMs will be looking to close this gap by bringing more design back in-house, or by bypassing Tier 1 suppliers to talk directly to IC suppliers. The disrupter here will be to integrate embedded electronic architectures by combining ECUs and clustering functions in a new way.

This is why NXP is working closely with partners across the industry to accelerate how these constraints are met. One way is by building reference designs that combine our system know-how with our functional safety expertise. This means that reference designs include the essential safety system components from the outset.

To build safety concepts for system reference designs, NXP has to be able to define the safety goals, the safety concept and the functions of the intended item, in order to identify the correct system implementation for our system design.

We do this by following the ISO 26262 development process. It provides guidelines for each step along the development process of safety-related system products, using the V cycle as the project management framework.

The V cycle groups each step as a Part, and specific work products are expected at each level. IC suppliers like NXP can anticipate and build system ECUs just as a Tier 1 supplier does. By doing this, we can shorten development time and provide standard deliverables that benefit the whole development chain.

The intention is not necessarily to provide a solution with the same level of maturity that a Tier 1 could deliver, but rather to accelerate the development of the work products for the Tier 1.

Let us consider as an example how to build a safety concept for a power inverter module as a SEooC (Safety Element out of Context) for an EV application. As an IC supplier, we would work through Parts 3, 4, 5, 6 and 7 of the V cycle and provide the work products associated with each part. We start by defining the item in the target system, i.e. what are the potential hazards and safety goals that we want to apply to our reference design?

Figure 1: HV Inverter for EVs

As figure 1 shows, the power inverter is the main traction system of an electric vehicle. It controls the energy conversion between the electrical energy source and the mechanical shaft of the electric motor, based on the torque request from the Vehicle Control Unit (VCU).

The VCU translates the driver's demands into acceleration or deceleration of the electric motor. The inverter translates the torque request into the phase currents flowing into the traction motor.

In a battery electric vehicle, this connection is typically made with a simple gearbox without a clutch. This is our first assumption. It is important to be clear here, because the safety case would be different if the vehicle had a clutch. In our case, if a hazard should occur, it is impossible for the driver or the electrical system to stop the traction of the vehicle simply by opening the connection between the electric motor and the wheels of the car.

We also need to identify possible sources of E/E malfunction, whether due to driving or non-driving scenarios. These hazards are then ranked by risk level according to the ASIL levels laid out in ISO 26262. As shown in figure 2, in this case a safety goal could be to avoid unintended acceleration when the vehicle is stopped.

Figure 2: Examples of hazards and safety goals for an EV HV inverter

These safety goals lead to a functional safety architecture with functional requirements (FR) and functional safety requirements (FSR), each with an associated ASIL level and FTTI, such as:

FR1: The inverter shall evaluate the request from the VCU, then command the following functions accordingly: traction, brake and battery regeneration. (ASIL D, FTTI 200 ms)
FSR1: The inverter shall check the torque request from the VCU and alert in case of an unexpected value. (ASIL D, FTTI 200 ms)

Figure 3: Functional safety architecture

Now that we have the functional safety architecture (figure 3), we need to show that the system architecture will be able to fulfil the safety requirements and design constraints.

To do this, we derive a technical safety concept from the functional safety concept. It brings together the hardware and software sub-component functions that will be used to achieve the intended item and system functionality.

A safety analysis is then run to check that all possible system failures have been identified and that the appropriate safety mechanisms are in place. This may result in new safety requirements being allocated to the safety architecture.

By doing this, the technical definition can provide the necessary evidence that the appropriate reactions have been identified and that a safe state can be reached in less time than the FTTI, so that the safety goals of the item are not violated.

In our example, the safe state is complex because of the large amount of energy flowing into the electric motor. A safe state here means stopping the propulsion of the vehicle by opening or shorting the three phases of the motor, depending on the speed of the motor.
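To make the FSR1 plausibility check and the speed-dependent safe state concrete, here is an added C sketch of a torque-request monitor; it is example code written for this page, not code from the NXP reference design. The 200 ms FTTI comes from FR1/FSR1 above; the torque range, step limit, sample period and the 2000 rpm threshold for choosing an active short circuit over open phases are assumed values, and detection is budgeted at a quarter of the FTTI to leave time for the actuation path.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdlib.h>

/* Assumed limits for this constructed example (not from the NXP design). */
#define TORQUE_MAX_NM        300   /* plausible absolute torque request */
#define TORQUE_STEP_MAX_NM    50   /* plausible change between two samples */
#define FTTI_MS              200   /* from FR1/FSR1 on the page */
#define SAMPLE_PERIOD_MS      10   /* monitor runs every 10 ms */
#define ASC_SPEED_RPM       2000   /* assumed: short phases at/above, open below */

typedef enum { SAFE_NONE = 0, SAFE_OPEN_PHASES, SAFE_SHORT_PHASES } safe_state_t;

typedef struct {
    int32_t  last_torque_nm;  /* last plausible request, used while debouncing */
    uint32_t fault_age_ms;    /* how long the request has been implausible */
    bool     faulted;         /* latched: only a controlled reset clears it */
} torque_monitor_t;

/* FSR1: range and rate plausibility of the VCU torque request. */
bool torque_request_plausible(const torque_monitor_t *m, int32_t torque_nm) {
    if (torque_nm > TORQUE_MAX_NM || torque_nm < -TORQUE_MAX_NM) return false;
    if (abs(torque_nm - m->last_torque_nm) > TORQUE_STEP_MAX_NM) return false;
    return true;
}

/* Safe state by motor speed: freewheel (open) at low speed, where a short
 * would brake hard; active short at high speed, where open phases would let
 * the motor push energy back into the DC link. Threshold is an assumption. */
safe_state_t select_safe_state(uint32_t motor_speed_rpm) {
    return motor_speed_rpm >= ASC_SPEED_RPM ? SAFE_SHORT_PHASES : SAFE_OPEN_PHASES;
}

/* One monitor step per SAMPLE_PERIOD_MS. Returns the safe state to command,
 * or SAFE_NONE while the request is nominal (caller uses last_torque_nm). */
safe_state_t torque_monitor_step(torque_monitor_t *m, int32_t torque_nm,
                                 uint32_t motor_speed_rpm) {
    if (m->faulted) return select_safe_state(motor_speed_rpm);
    if (torque_request_plausible(m, torque_nm)) {
        m->fault_age_ms = 0;
        m->last_torque_nm = torque_nm;
        return SAFE_NONE;
    }
    /* Debounce glitches, but latch well inside the FTTI (detection <= FTTI/4). */
    m->fault_age_ms += SAMPLE_PERIOD_MS;
    if (m->fault_age_ms >= FTTI_MS / 4) {
        m->faulted = true;
        return select_safe_state(motor_speed_rpm);
    }
    return SAFE_NONE;
}
```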

As we progress through the V cycle, the work products are created to ensure that the safety concerns a customer may have are addressed. A hardware design is covered by the process in the same way, and the safety concept shortens the development and prototyping phase for customers by three to six months.

In the NXP reference design, the complete safety architecture is built using NXP ICs, and the diagnostics and the reaction to the safe state are tested. The reference design helps to speed up development and provides a level of technical safety architecture, along with evidence of the safety integrity level, as part of the total package.

Find out more about the power inverter reference design here.