Power inverter safety concept for ISO 26262

One of the undeniable facts about the automotive sector is that the overall electronic system content in vehicles is rising.

As vehicles become more complex and incorporate features that sense, think and act for the driver, the type of electronic content changes. In particular, there will be significant growth in hybrid electric vehicle and electric vehicle content, as well as in automated driving features.

However, a key issue that needs to be addressed is that the current business model for electric vehicles is not profitable long term for OEMs. The typical estimated cost of base electric vehicles is still a major concern.

OEMs will be looking to close this gap by bringing more design back in-house, or by bypassing Tier 1 suppliers to talk directly to IC suppliers. The disrupter here will be to integrate embedded electronic architectures by combining ECUs and clustering functions in a new way.

This is why NXP is working closely with partners across the sector to accelerate how these constraints are met. One way is by developing reference designs that combine our system knowledge with our safety expertise. This means that reference designs incorporate key safety system elements from the outset.

To develop safety concepts for system reference designs, NXP has to be able to define the safety goals, concept and functions for the intended item, so that the right system implementation can be built into our system design.

We do this by following the ISO 26262 development process. This provides guidance for each step of the development process for safety-related products, with a V cycle as the project management tool.

The V cycle groups each step as a Part, and specific work products are expected at each level. IC suppliers like NXP can anticipate and develop system ECUs just as a Tier 1 supplier does. By doing this, we can speed up development time and provide standard deliverables that are of value across the development chain.

The aim is not necessarily to provide a solution with the same level of maturity that a Tier 1 could provide, but rather to accelerate the development of the work products for the Tier 1.

Let's consider as an example how to develop a safety concept for a power inverter module as a SEooC (Safety Element out of Context) for an EV application. As an IC supplier, we would work through Parts 3, 4, 5, 6 and 7 of the V cycle and provide the work products associated with each part. We start by defining the item within the target system, i.e. what are the potential hazards and safety goals that we want to apply to our reference design?

Figure 1: HV Inverter for EVs

As figure 1 shows, the power inverter is the main traction system of an electric vehicle. It controls the power conversion between the electric power source and the mechanical shaft of the electric motor, based on the torque request from the Vehicle Control Unit (VCU).

The VCU interprets the driver's demand into acceleration or deceleration of the electric motor. The inverter translates the torque request into phase currents flowing into the traction motor.

In a battery electric vehicle, this connection is usually made with a simple gearbox without a clutch. This is our first assumption. It is important to be precise here, since the safety case would be different if the vehicle had a clutch.
In our case, if a hazard should occur, it is impossible for the driver or the electrical system to stop the traction of the vehicle by simply opening the connection between the electric motor and the wheels of the vehicle.

We also need to identify possible sources of E/E malfunction, whether due to driving or non-driving scenarios. These hazards are then rated by risk level according to the ASIL levels laid out in ISO 26262. As shown in figure 2, in this case a safety goal could be to avoid unintended acceleration when the vehicle is stopped.

Figure 2: Examples of hazards and safety goals for an EV HV inverter

These safety goals lead to a functional safety architecture with functional requirements (FR) and functional safety requirements (FSR), each with an associated ASIL level and FTTI (fault tolerant time interval), such as:

FR1: The inverter shall assess the request from the VCU, then control the following functions accordingly: traction, brake and battery regeneration. ASIL D, FTTI 200 ms
FSR1: The inverter shall monitor the torque request from the VCU and warn in case of an unexpected value. ASIL D, FTTI 200 ms


Figure 3: Functional safety architecture

Now that we have the functional safety architecture (figure 3), we need to show that the system architecture will be able to fulfil the safety requirements and design constraints.

To do this, we derive a technical safety concept from the functional safety concept. This brings together the hardware and software sub-element functions that will be used to achieve the intended item and system features.

A safety analysis is then run to check that all possible system failures have been identified and that the appropriate safety mechanisms are in place. This may result in new safety requirements being allocated to the safety architecture.

By doing this, the technical definition can provide the necessary evidence that the appropriate reactions have been identified and that a safe state can be reached in less time than the FTTI, and hence that there is no violation of the safety goals of the item.

In our example, the safe state is complex because of the large amount of power flowing into the electric motor. A safe state here means stopping the propulsion of the vehicle, by opening or shorting the three phases of the motor depending on the speed of the motor.
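The following is an added example, not NXP's code or the reference design's implementation, showing how FSR1 (monitor the torque request from the VCU, ASIL D, FTTI 200 ms), the safety goal from figure 2 (no unintended acceleration while the vehicle is stopped) and the speed-dependent safe state described above fit together in a software safety mechanism. The accelerator pedal signal, the alive counter on the VCU message, the torque range, the debounce time, the reaction budget and the speed threshold for switching from open phases to an active short circuit are all assumptions chosen for illustration; a real inverter derives them from its own safety analysis. The compile-time check makes the FTTI budget explicit: detection debounce plus the time to reach the safe state must fit inside the 200 ms.

```c
/* Added illustrative example; not part of the NXP reference design. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define FTTI_MS             200u  /* from FSR1 in the text */
#define DEBOUNCE_MS         20u   /* assumed: fault must persist this long before reacting */
#define REACTION_BUDGET_MS  50u   /* assumed: worst case to actually open/short the phases */
#define MAX_TORQUE_NM       300   /* assumed plausible torque request range */
#define ASC_SPEED_RPM       2000  /* assumed: above this, shorting beats freewheeling */

/* Detection plus reaction must leave margin inside the fault tolerant time interval. */
_Static_assert(DEBOUNCE_MS + REACTION_BUDGET_MS < FTTI_MS,
               "fault reaction does not fit inside FTTI");

typedef enum { SAFE_NONE = 0, SAFE_OPEN_PHASES, SAFE_ACTIVE_SHORT } safe_state_t;

/* Torque request message as received from the VCU (fields are assumptions). */
typedef struct {
    int16_t torque_req_nm;
    uint8_t accel_pedal_pct;   /* 0..100, independent driver demand signal */
    bool    vehicle_stopped;
    uint8_t msg_counter;       /* alive counter, must change every message */
} vcu_request_t;

typedef struct {
    bool         have_last;
    uint8_t      last_counter;
    bool         fault_pending;
    uint32_t     fault_since_ms;
    safe_state_t state;        /* latched once entered; cleared only by explicit reset */
} monitor_t;

/* Safe state selection from the text: open the three phases at low speed,
 * actively short them at high speed where freewheeling would be unsafe. */
safe_state_t select_safe_state(int32_t motor_rpm)
{
    return (abs(motor_rpm) >= ASC_SPEED_RPM) ? SAFE_ACTIVE_SHORT : SAFE_OPEN_PHASES;
}

/* FSR1: is the torque request an "expected value"? */
bool torque_request_plausible(const vcu_request_t *req, const monitor_t *m)
{
    if (req->torque_req_nm > MAX_TORQUE_NM || req->torque_req_nm < -MAX_TORQUE_NM)
        return false;                                   /* out of physical range */
    if (m->have_last && req->msg_counter == m->last_counter)
        return false;                                   /* frozen or repeated message */
    if (req->vehicle_stopped && req->accel_pedal_pct == 0 && req->torque_req_nm > 0)
        return false;                                   /* unintended acceleration hazard */
    return true;
}

/* Called once per control cycle with the current time and measured motor speed.
 * Returns the safe state the inverter must be in after this cycle. */
safe_state_t monitor_step(monitor_t *m, const vcu_request_t *req,
                          uint32_t now_ms, int32_t motor_rpm)
{
    if (m->state != SAFE_NONE)
        return m->state;                                /* already latched */

    bool ok = torque_request_plausible(req, m);
    m->have_last = true;
    m->last_counter = req->msg_counter;

    if (ok) {
        m->fault_pending = false;
        return SAFE_NONE;
    }
    if (!m->fault_pending) {
        m->fault_pending = true;                        /* start the debounce clock */
        m->fault_since_ms = now_ms;
        return SAFE_NONE;
    }
    if (now_ms - m->fault_since_ms >= DEBOUNCE_MS)
        m->state = select_safe_state(motor_rpm);        /* within FTTI by construction */
    return m->state;
}

int main(void)
{
    /* Constructed scenario: vehicle stopped, pedal released, VCU asks for torque. */
    monitor_t m = {0};
    vcu_request_t req = { .torque_req_nm = 80, .accel_pedal_pct = 0,
                          .vehicle_stopped = true, .msg_counter = 1 };
    for (uint32_t t = 0; t <= 40; t += 10, req.msg_counter++) {
        safe_state_t s = monitor_step(&m, &req, t, 0);
        printf("t=%3u ms  safe_state=%d\n", t, (int)s);
    }
    return 0;
}
```

Each plausibility rule uses a second, independent signal (pedal position, alive counter, measured vehicle state) rather than the torque value alone, which is what lets the monitor detect a VCU or bus fault rather than merely echo it; the latched state models the page's point that the safe state must be reached and then held, not re-evaluated every cycle.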

As we progress through the V cycle, the work products are created to ensure that the safety concerns a customer may have are met. A hardware design is covered by the process in the same way; the safety concept reduces the development and prototyping period for customers by three to six months.

In the NXP reference design, the complete safety architecture is built out using NXP ICs, and the diagnostics and the response to the safe state are tested. The reference design helps to speed up development and provides a level of technical safety architecture, along with evidence of the safety integrity level, as part of the overall package.

