Power inverter safety system concept for ISO 26262

One of the undeniable facts about the automotive industry is that the overall electronic system content in cars is increasing.

As cars become more advanced and include functions that sense, think and act for the driver, the type of electronic content changes. In particular, there will be significant growth in hybrid electric vehicle and electric vehicle content, as well as in automated drive functions.

However, a key issue that needs to be addressed is that the current business model for electric vehicles is not profitable long term for OEMs. The average estimated cost for base electric vehicles is still a major issue.

OEMs will be looking to close this gap by bringing more design back in-house, or by bypassing Tier 1 suppliers to talk directly to IC suppliers. The disrupter here will be to integrate embedded electronic architectures by combining ECUs and clustering functions in a new way.

This is why NXP is working closely with partners across the industry to accelerate how these constraints are met. One way is by developing reference designs that combine our system know-how with our safety expertise. This means that reference designs include key safety system elements from the outset.

To develop safety concepts for system reference designs, NXP has to be able to define the safety goals, concept and functions for the intended item in order to determine the right system implementation for our system design.

We do this by following the ISO 26262 development process. This provides guidelines for every step along the development process for safety system products with a V cycle project management tool.

The V cycle groups every step as a Part, and specific work products are expected at every level. IC suppliers like NXP can anticipate and develop system ECUs just like a Tier 1 supplier does. By doing this, we can speed development time and provide consistent deliverables that are of benefit throughout the development chain.

The goal is not necessarily to provide a solution with the same level of maturity that a Tier 1 could provide, but rather to accelerate the development of the work products for the Tier 1.

Let us look at, as an example, how to develop a safety concept for a power inverter module as a SEooC (Safety Element out of Context) for an EV application. As an IC supplier, we would work through parts 3, 4, 5, 6 and 7 of the V cycle and provide the work products related to each part. We start by defining the item within the target system, i.e. what are the potential hazards and safety goals that we want to apply to our reference design?

Figure 1: HV Inverter for EVs

As figure 1 shows, the power inverter is the main traction system of an electric vehicle. It controls the energy conversion between the power source and the mechanical shaft of the electric motor, based on the torque request from the Vehicle Control Unit (VCU).

The VCU translates the driver's requests into acceleration or deceleration of the electric motor. The inverter translates the torque request into phase currents going into the traction motor.

In a battery electric vehicle, this connection is typically made with a simple gearbox without a clutch. This is our first assumption. It is important to be clear here, since the safety case would be different if the vehicle has a clutch. In our case, if a hazard should occur, it is not possible for the driver or the electrical system to stop the traction of the vehicle by simply opening the connection between the electric motor and the wheels of the vehicle.

We also need to identify possible sources of EE malfunction, whether due to driving or non-driving conditions. These hazards are then rated by risk level according to the ASIL levels laid out in ISO 26262. As shown in figure 2, in this case a safety goal could be to prevent unintended acceleration if the vehicle is stopped.

Figure 2: Examples of hazards and safety goals for an EV HV inverter

These safety goals lead to a functional safety architecture with functional requirements (FR) and functional safety requirements (FSR) with associated ASIL levels and FTTI such as:

FR1: The inverter shall read the request from the VCU, then command the following functions accordingly: traction, brake and battery regeneration. ASIL D, FTTI 200 ms
FSR1: The inverter shall check the torque request from the VCU and alert in case of unexpected value. ASIL D, FTTI 200 ms


Figure 3: Functional safety architecture

Now that we have the functional safety architecture (figure 3), we need to demonstrate that the system architecture will be able to fulfil the safety requirements and design constraints.

To do this, we derived a technical safety concept from the functional safety concept. This combines the hardware and software sub-element functions that will be used to realize the intended item and system functionality.

A safety analysis is then run to check that all possible system failures have been identified and that the right safety mechanisms are in place. This may result in new safety requirements being allocated to the safety architecture.

By doing this, the technical definition can provide the necessary evidence that the right reactions have been identified and that a safe state can be reached in less time than the FTTI, and therefore that there is no violation of the safety goals of the item.

In our example, the safe state is complex because of the high amount of energy flowing into the electric motor. A safe state here means stopping the propulsion of the vehicle, by opening or shorting the three phases of the motor depending on the speed of the motor.
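
A sketch of how an FSR1-style torque check and the speed-dependent safe state could be combined in inverter software, added here as an illustration and not taken from the NXP reference design. The torque limits, reaction time, speed threshold, and the rule that the phases are shorted at high speed and opened at low speed are assumptions; only the 200 ms FTTI comes from the requirements above.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumed example values; only FTTI_MS is taken from FR1/FSR1 on this page. */
#define FTTI_MS            200
#define REACTION_MS         20  /* assumed time for the gate stage to reach the safe state */
#define TORQUE_MAX_NM      300  /* assumed valid request range: +/- 300 Nm */
#define TORQUE_STEP_MAX_NM  50  /* assumed max change between two requests */
#define ASC_SPEED_RPM     3000  /* assumed speed at or above which phases are shorted */

typedef enum { INV_RUN, INV_ALERT, INV_SAFE_OPEN, INV_SAFE_SHORT } inv_state_t;

typedef struct {
    int32_t     last_torque_nm; /* last request accepted as plausible */
    uint32_t    fault_ms;       /* how long the request has been implausible */
    inv_state_t state;
} monitor_t;

/* A request is "unexpected" if it is out of range or jumps too far in one step. */
static bool torque_plausible(const monitor_t *m, int32_t req_nm)
{
    if (req_nm > TORQUE_MAX_NM || req_nm < -TORQUE_MAX_NM) return false;
    int32_t step = req_nm - m->last_torque_nm;
    return step <= TORQUE_STEP_MAX_NM && step >= -TORQUE_STEP_MAX_NM;
}

/* Call once per control period (dt_ms). A safe state is latched until reset. */
inv_state_t monitor_step(monitor_t *m, int32_t req_nm, int32_t motor_rpm, uint32_t dt_ms)
{
    if (m->state == INV_SAFE_OPEN || m->state == INV_SAFE_SHORT) return m->state;
    if (torque_plausible(m, req_nm)) {
        m->last_torque_nm = req_nm;
        m->fault_ms = 0;
        return m->state = INV_RUN;
    }
    m->fault_ms += dt_ms;
    /* React now if waiting one more period would push detection + reaction to the FTTI. */
    if (m->fault_ms + dt_ms + REACTION_MS >= FTTI_MS) {
        bool fast = motor_rpm >= ASC_SPEED_RPM || motor_rpm <= -ASC_SPEED_RPM;
        return m->state = fast ? INV_SAFE_SHORT : INV_SAFE_OPEN;
    }
    return m->state = INV_ALERT; /* alert raised; last_torque_nm keeps the last plausible value */
}
```

With a 10 ms control period the monitor alerts on the first implausible request and commands the safe state on the 17th consecutive one, 170 ms after the fault began, which leaves the assumed 20 ms reaction time inside the 200 ms FTTI.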

As we progress through the V cycle, the work products are created to ensure the safety concerns a customer may have are met. A hardware design is covered by the process in the same way; the safety concept reduces the development and prototyping phase for customers by three to six months.

In the NXP reference design, the complete safety architecture is built out using NXP ICs, and diagnostics and reaction to safe state are tested. The reference design helps to speed development and provides a level of technical safety architecture, together with evidence of the safety integrity level as part of the overall package.

