
How to design a diagnostic system for ASIL-D compliance?

Jan 20, 2026


As a provider of ASIL-D Functional Safety solutions, I understand the critical importance of designing a diagnostic system that meets the stringent requirements of ASIL-D (Automotive Safety Integrity Level D). ASIL-D represents the highest level of safety integrity in the automotive industry, and compliance is essential for systems where a failure could lead to life-threatening situations, such as Autonomous Braking and Chinese Intelligent Chassis Sci-tech.

Understanding ASIL-D Requirements

To design a diagnostic system for ASIL-D compliance, one must first have a deep understanding of the ASIL-D requirements. These requirements are defined in ISO 26262, the international standard for functional safety in road vehicles. ASIL-D mandates extremely low probabilities of hazardous failures. For instance, the probability of a single-point fault leading to a hazardous event must be less than 10⁻⁹ per hour, and the probability of a latent fault leading to a hazardous event must be less than 10⁻⁸ per hour.

One of the key aspects of ASIL-D is the need for comprehensive diagnostic coverage. This means that the diagnostic system must be able to detect and isolate faults in all critical components of the system. In addition, the diagnostic system must be able to respond to faults in a timely manner, either by activating a safe state or by providing a warning to the driver or other relevant systems.

System Architecture Design

The architecture of the diagnostic system plays a crucial role in achieving ASIL-D compliance. A common approach is to use a redundant architecture, where multiple independent channels are used to perform the same function. For example, in an autonomous braking system, two independent sensors could be used to measure the distance to the vehicle in front. If one sensor fails, the other can continue to provide the necessary information to the control unit.

In addition to hardware redundancy, software redundancy can also be implemented. This can involve using different algorithms or programming languages to perform the same function in different software modules. If one module fails, the other can take over, ensuring the continued operation of the system.

Another important aspect of the system architecture is the communication between different components. In an ASIL-D system, the communication network must be highly reliable and fault-tolerant. This can be achieved by using redundant communication links and error-correction techniques.
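As an added example (not code from the original article), the C sketch below shows an end-to-end protection check of the kind used on redundant automotive links: every frame carries an alive counter and a CRC-8 (SAE J1850 polynomial 0x1D), so the receiver can tell corrupted, repeated and lost frames apart from good ones. The frame layout, the 4-bit counter and the number of tolerated lost frames are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed frame layout for a distance sensor message: payload, alive counter, CRC. */
typedef struct {
    uint16_t distance_cm;   /* payload: distance to the vehicle ahead */
    uint8_t  alive;         /* alive counter, +1 per frame, wraps at 16 */
    uint8_t  crc;           /* CRC-8 over payload and alive counter */
} SensorFrame;

typedef enum { E2E_OK, E2E_CRC_ERROR, E2E_REPEATED, E2E_LOST } E2EStatus;

/* CRC-8 with the SAE J1850 polynomial 0x1D (init 0xFF, final XOR 0xFF), bitwise. */
static uint8_t crc8(const uint8_t *data, size_t len) {
    uint8_t crc = 0xFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x80) ? (uint8_t)((crc << 1) ^ 0x1D) : (uint8_t)(crc << 1);
    }
    return (uint8_t)(crc ^ 0xFF);
}

/* Serialise the protected part of the frame (payload + counter). */
static void frame_bytes(const SensorFrame *f, uint8_t out[3]) {
    out[0] = (uint8_t)(f->distance_cm >> 8);
    out[1] = (uint8_t)(f->distance_cm & 0xFF);
    out[2] = f->alive & 0x0F;
}

/* Sender side: stamp the next counter value and compute the CRC. */
SensorFrame e2e_protect(uint16_t distance_cm, uint8_t *alive_state) {
    SensorFrame f = { distance_cm, (uint8_t)(*alive_state & 0x0F), 0 };
    uint8_t buf[3]; frame_bytes(&f, buf);
    f.crc = crc8(buf, 3);
    *alive_state = (uint8_t)((*alive_state + 1) & 0x0F);
    return f;
}

/* Receiver side: verify the CRC first, then check that the counter advanced.
   max_lost is how many consecutive frames may be missed before it is a fault. */
E2EStatus e2e_check(const SensorFrame *f, uint8_t *last_alive, uint8_t max_lost) {
    uint8_t buf[3]; frame_bytes(f, buf);
    if (crc8(buf, 3) != f->crc) return E2E_CRC_ERROR;   /* corrupted in transit */
    uint8_t delta = (uint8_t)((f->alive - *last_alive) & 0x0F);
    *last_alive = f->alive;
    if (delta == 0) return E2E_REPEATED;                /* stale frame, sender stuck */
    if (delta > (uint8_t)(max_lost + 1)) return E2E_LOST; /* too many frames missed */
    return E2E_OK;
}
```

A CRC detects corruption but does not correct it; on any status other than E2E_OK the receiver falls back to the redundant link or enters the safe state.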

Fault Detection and Isolation

Fault detection is the first step in the diagnostic process. There are several techniques that can be used for fault detection in an ASIL-D system. One of the most common techniques is the use of sensors to monitor the physical parameters of the system, such as temperature, pressure, and voltage. If a sensor detects a value that is outside of the normal range, it can indicate a fault.

Another technique is the use of self-testing mechanisms within the components. For example, a microcontroller can perform a self-test of its internal memory and logic circuits at startup and during operation. If a fault is detected, the microcontroller can report it to the diagnostic system.

Once a fault is detected, the next step is to isolate the fault. This involves determining which component or subsystem is causing the fault. Fault isolation can be achieved by using a combination of diagnostic algorithms and fault-tree analysis. Diagnostic algorithms can analyze the sensor data and other system information to identify the source of the fault, while fault-tree analysis can help to identify all possible causes of a particular fault.

Diagnostic Coverage Analysis

Diagnostic coverage analysis is an essential part of the design process for an ASIL-D diagnostic system. This analysis involves determining the percentage of faults that the diagnostic system is able to detect and isolate. A high diagnostic coverage is required for ASIL-D compliance, typically greater than 99%.

To perform a diagnostic coverage analysis, a fault injection test can be conducted. In this test, faults are deliberately introduced into the system, and the diagnostic system is evaluated to see if it can detect and isolate these faults. Based on the results of the fault injection test, the diagnostic system can be improved to increase its diagnostic coverage.
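The following C example is added here (it is not the article's code) to tie the two preceding sections together: a range and cross-plausibility check over two redundant distance channels that isolates the faulty channel where it can, followed by a small fault-injection loop that measures the diagnostic coverage of that check. The sensor limits, the tolerance and the four fault models are constructed assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdbool.h>

/* Constructed physical limits for a forward distance sensor, in cm. */
#define DIST_MIN   20
#define DIST_MAX   25000
#define CROSS_TOL  100   /* allowed disagreement between the two channels */

typedef enum { DIAG_OK, DIAG_CH1_FAULT, DIAG_CH2_FAULT, DIAG_UNRESOLVED } DiagResult;

static bool in_range(int32_t v) { return v >= DIST_MIN && v <= DIST_MAX; }

/* Range check isolates a channel; two in-range values that disagree cannot be
   isolated with only two channels, so the caller must go to the safe state. */
DiagResult diagnose(int32_t ch1, int32_t ch2, int32_t *selected) {
    bool ok1 = in_range(ch1), ok2 = in_range(ch2);
    if (ok1 && ok2) {
        if (labs((long)ch1 - ch2) <= CROSS_TOL) { *selected = (ch1 + ch2) / 2; return DIAG_OK; }
        return DIAG_UNRESOLVED;              /* *selected left unset on purpose */
    }
    if (ok1) { *selected = ch1; return DIAG_CH2_FAULT; }
    if (ok2) { *selected = ch2; return DIAG_CH1_FAULT; }
    return DIAG_UNRESOLVED;
}

/* Fault models injected into channel 1 while channel 2 stays healthy. */
typedef enum { F_STUCK_ZERO, F_STUCK_MAX, F_BIT_FLIP, F_DRIFT, F_COUNT } FaultModel;

static int32_t inject(FaultModel m, int32_t good) {
    switch (m) {
    case F_STUCK_ZERO: return 0;
    case F_STUCK_MAX:  return INT32_MAX;
    case F_BIT_FLIP:   return good ^ (1 << 9);   /* single bit flip, 512 cm */
    case F_DRIFT:      return good + 30;         /* slow offset inside the tolerance */
    default:           return good;
    }
}

/* Diagnostic coverage in percent: injected faults that diagnose() reports
   as anything other than DIAG_OK count as detected. */
int diagnostic_coverage_percent(const int32_t *good_values, size_t n) {
    int injected = 0, detected = 0;
    for (size_t i = 0; i < n; i++)
        for (int m = 0; m < F_COUNT; m++) {
            int32_t sel;
            injected++;
            if (diagnose(inject((FaultModel)m, good_values[i]), good_values[i], &sel) != DIAG_OK)
                detected++;
        }
    return injected ? (detected * 100) / injected : 0;
}
```

With these models the drift fault stays inside the tolerance and is missed, so coverage comes out at 75%, well short of the 99% the text cites; that gap is exactly what the injection campaign is meant to expose before a further mechanism (for example a rate-of-change check) is added.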

Safety Mechanisms and Fault Response

In addition to detecting and isolating faults, the diagnostic system must also be able to respond to faults in a safe manner. This involves activating safety mechanisms to prevent the hazardous event from occurring. For example, in an autonomous braking system, if a fault is detected in the sensor that measures the distance to the vehicle in front, the system can activate an emergency braking function to stop the vehicle before a collision occurs.

The safety mechanisms can be either hardware-based or software-based. Hardware-based safety mechanisms include things like redundant power supplies, emergency switches, and fail-safe relays. Software-based safety mechanisms include things like emergency shutdown procedures and reconfiguration algorithms.

The fault response time is also a critical factor in an ASIL-D system. The diagnostic system must be able to detect and respond to faults within a very short time frame. The ISO 26262 standard defines specific requirements for the fault response time, depending on the nature of the hazardous event.
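As an added example (not from the original article), a C fault monitor that debounces a diagnostic result so transient glitches do not trip the safe state, latches the safe state once a fault is confirmed, and checks at design time that worst-case detection plus reaction fits inside the fault tolerant time interval (FTTI). All time budgets are constructed assumptions.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed timing budget in ms. FTTI is the longest a fault may be present
   before the hazard can occur; detection plus reaction must fit inside it. */
#define FTTI_MS       100
#define DEBOUNCE_MS    10   /* fault must persist this long before it is confirmed */
#define REACTION_MS    20   /* worst-case time to reach the safe state once confirmed */

typedef enum { ST_NORMAL, ST_SUSPECT, ST_CONFIRMED, ST_SAFE_STATE } SafetyState;

typedef struct {
    SafetyState state;
    uint32_t fault_since_ms;   /* first cycle in which the fault was seen */
    uint32_t confirmed_at_ms;  /* time the fault was confirmed */
    uint32_t safe_at_ms;       /* time the safe state became active */
} FaultMonitor;

void monitor_init(FaultMonitor *m) {
    m->state = ST_NORMAL;
    m->fault_since_ms = m->confirmed_at_ms = m->safe_at_ms = 0;
}

/* One cyclic execution. fault_present is the current diagnostic verdict. */
SafetyState monitor_step(FaultMonitor *m, uint32_t now_ms, bool fault_present) {
    switch (m->state) {
    case ST_NORMAL:
        if (fault_present) { m->state = ST_SUSPECT; m->fault_since_ms = now_ms; }
        break;
    case ST_SUSPECT:
        if (!fault_present) m->state = ST_NORMAL;   /* glitch shorter than debounce */
        else if (now_ms - m->fault_since_ms >= DEBOUNCE_MS) {
            m->state = ST_CONFIRMED; m->confirmed_at_ms = now_ms;
        }
        break;
    case ST_CONFIRMED:   /* reaction in progress; a vanishing fault no longer resets it */
        if (now_ms - m->confirmed_at_ms >= REACTION_MS) {
            m->state = ST_SAFE_STATE; m->safe_at_ms = now_ms;
        }
        break;
    case ST_SAFE_STATE:  /* latched: only a controlled restart may leave it */
        break;
    }
    return m->state;
}

/* Design-time check: one cycle of detection latency + debounce + reaction <= FTTI. */
bool timing_budget_ok(uint32_t cycle_ms) { return cycle_ms + DEBOUNCE_MS + REACTION_MS <= FTTI_MS; }

/* Bench measurement: elapsed time from first sighting of the fault to safe state. */
uint32_t fault_handling_time_ms(const FaultMonitor *m) {
    return m->state == ST_SAFE_STATE ? m->safe_at_ms - m->fault_since_ms : UINT32_MAX;
}
```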

Validation and Verification

Once the diagnostic system is designed, it must be validated and verified to ensure that it meets the ASIL-D requirements. Validation involves testing the system in a real-world environment to ensure that it performs as expected. Verification involves checking that the system design meets the specified requirements.

Validation testing can include things like road tests, bench tests, and simulation tests. Road tests involve testing the system in a real vehicle on a test track or public roads. Bench tests involve testing individual components or subsystems in a laboratory environment. Simulation tests involve using computer models to simulate the behavior of the system under different conditions.

Verification can be performed using a variety of techniques, such as code reviews, static analysis, and dynamic analysis. Code reviews involve manually checking the source code of the software to ensure that it is free of errors and meets the specified requirements. Static analysis involves using tools to analyze the source code without actually executing it. Dynamic analysis involves executing the software and analyzing its behavior.

Conclusion

Designing a diagnostic system for ASIL-D compliance is a complex and challenging task. It requires a deep understanding of the ASIL-D requirements, a well-designed system architecture, effective fault detection and isolation techniques, high diagnostic coverage, reliable safety mechanisms, and thorough validation and verification.

As an ASIL-D Functional Safety provider, we have the expertise and experience to help you design and implement a diagnostic system that meets the highest standards of safety. If you are interested in learning more about our solutions or would like to discuss a specific project, we encourage you to contact us for procurement discussions.

References

  • ISO 26262, Road vehicles -- Functional safety.
  • Automotive Safety-Critical Systems Design: Methods and Techniques for Road and Off-Road Vehicles.
  • Proceedings of the International Conference on Functional Safety in Automotive Systems.
