Functional safety requirements of a traction inverter in accordance with ISO 26262

With the improvement and development of the automotive field, safety-related aspects are also becoming more important; hence there is a stringent demand for functional safety and reliability. In recent years most vehicles have been built with electrical and electronic components and systems that include many Electronic Control Units (ECUs), electronic sensors and coded bus systems. Because of the complexity of these electrical, electronic and programmable electronic applications, it is necessary to analyze the potential risk of malfunction in automotive systems. ISO 26262 has therefore been introduced for automotive electrical/electronic (E/E) systems; it covers the complete safety installation of all ECUs and E/E systems, including both technical and management issues. In this paper, functional safety in accordance with ISO 26262 Part 3 is carried out for an electric traction inverter, the functional safety report is generated in the MEDINI tool, and a short-circuit fault of the traction inverter is examined for functional safety using MATLAB/Simulink.


I. Introduction
ISO 26262, derived from IEC 61508, ensures the functional safety of electrical and electronic systems. The Draft International Standard (DIS) of ISO 26262 was published in June 2009, as the automotive industry advanced and changed over from mechanical to electrical control systems. Electric powertrains, braking systems, electronic stability control, adaptive cruise control, emergency brake assist, brake-by-wire, steer-by-wire, airbags, light control and tire pressure monitoring are some of the critical systems in which electrical and electronic components and ECUs are heavily involved. Functional safety therefore ensures the correct execution of the specific functions of the electrical and electronic systems in vehicles. ISO 26262 applies to passenger cars up to a gross weight of 3.5 T [1]. In this paper the actual procedure involved in the Functional Safety Concept (Part 3) for a traction inverter is explained. ISO 26262 is described by the V model shown in Figure 1. Power electronic converters are ranked as the most fragile components, followed by gate drive circuits. Failure of the gate drive circuit or of the isolation leads to failure and misoperation of the traction inverter. The over-current fault is the most common type of fault that may occur in the inverter [2].

PART 3: CONCEPT PHASE
Part 3 of ISO 26262 is the concept phase, which covers the item definition, the safety lifecycle, hazard analysis and risk assessment (HARA), and the functional safety concept of the item [3].

A. ITEM DEFINITION
The item definition gives the introduction of the item, its description, interfaces, boundary, functional and non-functional requirements, vehicle-level functions and malfunctions. The boundary, interfaces and item description are shown in the diagram below.

Fig. 2. Traction inverter boundary and interfaces
The diagram above shows the traction inverter's operating boundary, its interfaces and the different components in the module.
The boundary comprises the main MCU (Motor Control Unit), which receives feedback from the EM and takes the torque command signal from the VSC, and generates the PWM signal according to the required output. The gate driver circuit amplifies the current signal in order to trigger the IGBTs. Isolation is provided between the high-voltage DC and AC parts and between the HVDC and LVDC parts. Continuous temperature monitoring of the gate drive circuit is done by the MCU.
While defining the boundary it is assumed that all other interfaces outside the traction inverter boundary are working properly and giving correct inputs. Malfunctions and hazards can therefore only occur due to misoperation of components inside the traction inverter boundary.
The Item definition is summarized as follows:

B. HAZARD ANALYSIS AND RISK ASSESSMENT
HARA is the next step in the concept phase and requires the item definition as a prerequisite [1]. Taking the functions and malfunctions from the item definition, hazard analysis and risk assessment are carried out, and for each malfunction an ASIL is assigned according to the severity, exposure and controllability of the hazard. An FTA is drawn for each malfunction in order to find the root cause of failure at system level.
Later the safety goals and functional safety requirements are derived.
The detailed steps for HARA are given below.

Fig. 3. Detailed steps for HARA
The ASIL determination for each malfunction and hazard depends on the severity, exposure and controllability. In the concept phase, the ASIL is determined by risk assessment of the potential hazard, i.e. by evaluating three components: Severity (S), Probability of Exposure (E) and Controllability (C). Table 1, shown below, gives the classes of these parameters. ASIL D is the highest safety integrity level and ASIL A the lowest. There is a further class, QM, which does not dictate any functional safety requirement; such hazards can be handled by the normal quality management process.
Table 2 gives the ASIL according to the S, E and C classes.

C. ASIL Determination and HARA
Taking the operating scenarios into consideration, the malfunctions and hazards are listed for different scenarios of EV operation such as acceleration, deceleration and cruising.
Table 3 gives the summary of HARA and ASIL determination for various malfunctions at different operating scenarios.
Unintended and undemanded acceleration is the hazard caused by the malfunction of more torque production; similarly, unintended and undemanded deceleration is caused by less torque production.

Table 3. HARA and ASIL determination
The highest ASIL rating is given to unintended movement of the vehicle from the stationary condition. It takes the highest severity, S3, as traffic participants may suffer fatal or life-threatening (survival uncertain) injuries; exposure to the hazard will also be higher, as the vehicle is stationary and sudden movement with acceleration increases the severity; and controllability will be difficult, as extra maneuvering is required from the driver. The same analysis is also done taking the road conditions into consideration: low-friction wet or icy road, normal paved road, and sand or mud road. The ASIL rating is given for the hazards and malfunctions with these considerations.

D. Safety Goals
Safety goals are derived for all malfunctions and hazards. For malfunctions rated ASIL QM, functional safety is not required and no safety goal is derived [1]. Table 4 shows the safety goals written for the malfunctions of more torque production, less torque production and incorrect AC-DC conversion.

Table 4. Safety goals for malfunctions and hazards
The functional safety requirements are then drawn from the safety goals. An FTA, a top-down approach, is further carried out to find the root cause of each hazard at function level and to derive the functional safety requirements.
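The HARA step described above (ASIL from the S, E and C classes, and the rule that QM malfunctions get no safety goal) as an added worked example in Python, not code from the paper or the MEDINI tool. The S x E x C table is the one in ISO 26262-3; the hazard rows and their ratings are constructed assumptions, not the paper's Table 3.

```python
# Added example (not from the paper): ASIL determination for HARA rows and the
# roll-up to a safety-goal ASIL, using the S x E x C table of ISO 26262-3.
# The hazard rows are constructed illustrations of the paper's malfunctions;
# their S/E/C ratings are assumptions, not the paper's Table 3.
from dataclasses import dataclass

# ISO 26262-3 ASIL table: ASIL_TABLE[S][E] is a tuple indexed by C-1.
ASIL_TABLE = {
    1: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "QM"), 3: ("QM", "QM", "A"), 4: ("QM", "A", "B")},
    2: {1: ("QM", "QM", "QM"), 2: ("QM", "QM", "A"), 3: ("QM", "A", "B"), 4: ("A", "B", "C")},
    3: {1: ("QM", "QM", "A"), 2: ("QM", "A", "B"), 3: ("A", "B", "C"), 4: ("B", "C", "D")},
}
ASIL_ORDER = ["QM", "A", "B", "C", "D"]   # lowest to highest integrity level

def determine_asil(s: int, e: int, c: int) -> str:
    """ASIL of one hazardous event; rejects classes outside S1-S3, E1-E4, C1-C3."""
    if s not in ASIL_TABLE or e not in ASIL_TABLE[s] or c not in (1, 2, 3):
        raise ValueError(f"invalid S/E/C classes: S{s} E{e} C{c}")
    return ASIL_TABLE[s][e][c - 1]

@dataclass
class HazardousEvent:
    malfunction: str   # e.g. "more torque production"
    scenario: str      # operating situation and road condition
    s: int
    e: int
    c: int

def safety_goal_asils(events):
    """Highest ASIL per malfunction; malfunctions that are QM everywhere get no safety goal."""
    worst = {}
    for ev in events:
        asil = determine_asil(ev.s, ev.e, ev.c)
        if ASIL_ORDER.index(asil) >= ASIL_ORDER.index(worst.get(ev.malfunction, "QM")):
            worst[ev.malfunction] = asil
    return {m: a for m, a in worst.items() if a != "QM"}

# Constructed HARA rows (ratings are illustrative assumptions, not the paper's).
EVENTS = [
    HazardousEvent("more torque production", "stationary, paved road", 3, 4, 3),
    HazardousEvent("more torque production", "cruising, icy road", 3, 3, 2),
    HazardousEvent("less torque production", "acceleration, paved road", 2, 4, 1),
    HazardousEvent("incorrect AC-DC conversion", "cruising, paved road", 3, 2, 3),
    HazardousEvent("telltale lamp not lit (constructed)", "cruising, paved road", 1, 4, 1),
]

if __name__ == "__main__":
    for malfunction, asil in safety_goal_asils(EVENTS).items():
        print(f"safety goal required for '{malfunction}': ASIL {asil}")
```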

E. Fault Tree Analysis
Fault tree analysis is a top-down approach that reasons about the causes of the hazard or malfunction that occurred; it is built from logic gates. Figure 4 shows the FTA of unintended acceleration, where the malfunction, unintended acceleration, is placed at the top level and its causes are listed at the next level. OR gates are used to connect the reasons and causes [4]. The figure shows that the traction inverter may cause unintended acceleration through a fault in the power electronic circuit OR an isolation failure OR a fault in the gate drive circuit OR MCU faults. At the next level the causes of these higher-level failures are listed: the fault in the power electronic circuit may be due to hardware faults OR interface failures; at the level below, the interface failure may be due to communication faults OR HVDC failure OR incorrect PWM; finally, incorrect PWM is due to a fault in the gate drive circuit.
Similarly, for the isolation failure, MCU faults and gate drive failure the causes are traced down to function level, and a safety requirement is written for each step.
The same top-down FTA is written for unintended deceleration and incorrect AC-DC conversion, and the functional safety requirements are then derived.
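The unintended-acceleration fault tree described above, encoded and evaluated as an added example in Python (not code from the paper). The event names follow the paper's text and the tree uses only OR gates, as in the paper; AND-gate support is added here so the same evaluator also handles redundant causes, which the paper's tree does not contain.

```python
# Added example (not from the paper): a small fault-tree evaluator applied to the
# "Unintended Acceleration" tree the paper describes (OR gates only). AND-gate
# support is added so redundant causes can be modelled; the tree object is constructed here.
from itertools import product

# A gate is ("OR" | "AND", [children]); a plain string is a basic event.
UNINTENDED_ACCELERATION = ("OR", [
    ("OR", [                                   # fault in power electronic circuit
        "Hardware fault in power electronic circuit",
        ("OR", [                               # interface failure
            "Communication fault",
            "HVDC failure",
            ("OR", ["Fault in gate drive circuit"]),   # incorrect PWM
        ]),
    ]),
    "Isolation failure",
    "Fault in gate drive circuit",
    "MCU fault",
])

def cut_sets(node):
    """All cut sets (frozensets of basic events) that raise this node."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [cut_sets(child) for child in children]
    if gate == "OR":                 # any child's cut set raises the gate
        return set().union(*child_sets)
    if gate == "AND":                # one cut set from every child must hold
        return {frozenset().union(*combo) for combo in product(*child_sets)}
    raise ValueError(f"unknown gate type: {gate}")

def minimal_cut_sets(node):
    """Keep only cut sets that contain no other cut set."""
    sets = cut_sets(node)
    return {cs for cs in sets if not any(other < cs for other in sets)}

def top_event(node, failed):
    """Boolean evaluation of the tree for a given set of failed basic events."""
    if isinstance(node, str):
        return node in failed
    gate, children = node
    results = [top_event(child, failed) for child in children]
    return any(results) if gate == "OR" else all(results)

def single_point_failures(node):
    """Basic events that alone cause the top event (size-1 minimal cut sets)."""
    return sorted(next(iter(cs)) for cs in minimal_cut_sets(node) if len(cs) == 1)

if __name__ == "__main__":
    for event in single_point_failures(UNINTENDED_ACCELERATION):
        print("single-point failure:", event)
```

Because the paper's tree is all OR gates, every basic event is a single-point failure, which is exactly why each one needs its own functional safety requirement.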

II. Simulation and Results
The inverter model is simulated in the MATLAB/Simulink environment. Different malfunctions are listed in Table 3; of these, the malfunction of electric shock, which can occur in any operating condition, is taken. A three-phase inverter fed by the SPWM technique is used. The DC source is 400 V and is connected to a three-phase RLC load. The SPWM technique produces the PWM signals for the IGBT gates [5]: three power-frequency sine waves with a phase difference of 120 degrees are compared with a high-frequency carrier wave of 1 kHz.

Fig. 5(b). Phase-to-phase three-phase voltage at RLC load

Fig.5(c). Line Voltage and Line Current at RLC load
During normal operating conditions, when there are no faults and the output is within range as shown in Figures 5(b) and 5(c), the MCU continues to work in its normal operating mode; this places the vehicle at the safe operating level, the QM condition. The same model is then simulated for the IGBT short-circuit condition, and a rise in line current is observed: the current increases from 40 A to 90 A, twice the original current that the load can handle. Figure 6 shows the increase in line current. As a result the torque rises and leads to unintended acceleration; it may also cause a severe electric shock to the driver or passengers. Once the MCU detects the change in the output and the hazardous event caused by the traction inverter, the functional safety concept is invoked in the vehicle system according to the raised hazard and malfunction, depending on the risk, severity and controllability of the hazard [6].
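The detection step described above, an MCU noticing the line current stepping from 40 A to 90 A and moving the inverter to a safe state, as an added example in Python; this is not the paper's Simulink model. The sampling rate, trip threshold, debounce count and the sinusoidal current trace are constructed assumptions; only the 40 A and 90 A levels come from the paper.

```python
# Added example (not from the paper): a debounced software over-current monitor of
# the kind an MCU runs on sampled phase current, exercised on a constructed trace
# that mimics the paper's fault case (current stepping from 40 A to 90 A when an
# IGBT shorts). Sampling rate, trip threshold and debounce count are assumptions.
import math

F_LINE = 50.0                    # power-frequency sine, Hz (assumed 50 Hz)
F_SAMPLE = 10_000.0              # ADC sampling rate, Hz (assumed)
I_NORMAL, I_FAULT = 40.0, 90.0   # peak current before/after the fault, A (paper's values)
I_TRIP = 60.0                    # trip threshold, A: 1.5 x normal (assumed design value)
DEBOUNCE = 5                     # consecutive over-threshold samples before a trip (assumed)

def phase_current_trace(fault_time_s=0.05, duration_s=0.1, fault=True):
    """Constructed sampled phase current: 40 A peak, stepping to 90 A peak at the fault."""
    trace = []
    for k in range(int(duration_s * F_SAMPLE)):
        t = k / F_SAMPLE
        amplitude = I_FAULT if fault and t >= fault_time_s else I_NORMAL
        trace.append(amplitude * math.sin(2 * math.pi * F_LINE * t))
    return trace

class OverCurrentMonitor:
    """Trips when |i| exceeds the threshold for DEBOUNCE consecutive samples; latches."""
    def __init__(self, threshold=I_TRIP, debounce=DEBOUNCE):
        self.threshold, self.debounce = threshold, debounce
        self.count = 0
        self.tripped_at = None       # sample index of the trip; None while healthy

    def update(self, sample_index, current_a):
        """Return True while the safe state (all IGBT gates off) must be held."""
        if self.tripped_at is not None:
            return True              # latched: stays in the safe state until reset
        self.count = self.count + 1 if abs(current_a) > self.threshold else 0
        if self.count >= self.debounce:
            self.tripped_at = sample_index
            return True
        return False

def run_monitor(trace, **kwargs):
    """Feed a trace through a fresh monitor; return (trip sample index, trip time in ms)."""
    monitor = OverCurrentMonitor(**kwargs)
    for k, current in enumerate(trace):
        if monitor.update(k, current):
            return k, 1000.0 * k / F_SAMPLE
    return None, None

if __name__ == "__main__":
    k, t_ms = run_monitor(phase_current_trace())
    print(f"fault injected at 50.00 ms, trip at sample {k} ({t_ms:.2f} ms): PWM disabled")
```

The debounce keeps a single noisy ADC sample from tripping the inverter, at the cost of a few samples of extra latency before the safe state is commanded.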

III. CONCLUSION
The functional safety requirements for the traction inverter are drawn in accordance with Part 3 (concept phase) of ISO 26262. The item definition and the hazard analysis and risk assessment are derived for a few faults and hazards in the inverter, the respective safety goals are derived with the help of fault tree analysis, and the safety requirements are obtained from them. The three-phase inverter model is simulated in the MATLAB/Simulink environment for one of the malfunctions, and the respective safety outcome is seen in the concept phase.