Power inverter safety system concept for ISO 26262

Just one of the indeniable facts about the automotive sector is that the overall digital…

Just one of the indeniable facts about the automotive sector is that the overall digital technique content in automobiles is increasing.

As automobiles develop into much more innovative and incorporate features that perception, think and act for the driver, the sort of digital content variations. In specific, there will be large progress in hybrid electric powered car and electric powered car content, as perfectly as for automated push capabilities.

Nonetheless, a important issue that demands to be addressed is that the latest enterprise design for electric powered automobiles is not successful extended term for OEMs. The common approximated price for foundation electric powered automobiles is however a important issue.

OEMs will be hunting to shut this gap by bringing much more design and style back in-property, or by bypassing Tier one suppliers to talk immediately to IC suppliers. The disrupter in this article will be to combine embedded digital architectures by combining ECUs and clustering capabilities in a new way.

This is why NXP is functioning carefully with partners throughout the sector to speed up how these constraints are fulfilled. Just one way is by acquiring reference patterns that incorporate our technique know-how with our security experience. This indicates that reference patterns incorporate important security technique components from the outset.

To establish security concepts for technique reference patterns, NXP has to be able to outline the security goals, strategy and capabilities for the meant item to be able to recognize the correct technique implementation into our technique design and style.

We do this by next the ISO 26262 improvement method. This supplies suggestions for every action along the improvement method for security technique merchandise with a V cycle project management tool.

The V cycle groups every action as a Portion and precise get the job done merchandise are expected at every stage. IC suppliers like NXP can anticipate and establish technique ECUs just like a Tier one provider does. By doing this, we can pace improvement time and deliver conventional deliverables that are of advantage throughout the improvement chain.

The objective is not automatically to deliver a answer with the very same stage of maturity that a Tier one could deliver, instead to speed up the improvement of the get the job done merchandise for the Tier one.

Let’s contemplate as an example, how to establish a security strategy for a energy inverter module as a SEooC for an EV application. As an IC provider, we would get the job done by sections three, four, 5, 6 and seven of the V cycle and deliver the get the job done merchandise connected to every portion. We start out by defining the item inside the focus on technique – i.e. what are the possible dangers and security goals that we want to utilize to our reference design and style?

Figure one: HV Inverter for EVs

As determine one displays, the energy inverter is the major traction technique of an electric powered car. It controls the power conversion involving the electric powered power supply and the mechanical shaft of the electric powered motor, dependent on the torque ask for from the Auto Control Unit (VCU).

The VCU interprets the driver demands into acceleration or deceleration of the electric powered motor. The inverter interprets the torque ask for into stage currents going into the traction motor.

In a battery electric powered car, this link is generally built with a basic gearbox with out a clutch. This is our very first assumption. It is critical to be precise in this article, given that the security scenario would be different if the car has a clutch.
In our scenario, if a hazard must come about, it is impossible for the driver or the electrical technique to halt the traction of the car by simply just opening the link involving the electric powered motor and the wheels of the motor vehicle.

We also need to recognize possible resources of EE malfunction – irrespective of whether because of to driving or non-driving eventualities. These dangers are then rated by possibility stage according to the ASIL stages laid out in ISO 26262. As shown in determine two, in this scenario a security objective could be to prevent unintended acceleration if the car is stopped.

Figure two: Examples of dangers and security goals for an EV HV inverter

These security goals lead to a useful security architecture with useful prerequisites (FR) and useful security prerequisites (FSR) with connected ASIL stages and FTTI such as:

FR1 The Inverter shall examine the ask for from VCU, then command the next capabilities appropriately: traction, brake and battery regeneration. ASIL D FTTI
200 ms
FSR1 The inverter shall verify the torque ask for from the VCU and notify in scenario of unanticipated value. ASIL D FTTI
200 ms


Figure three: Purposeful security architecture

Now that we have the useful security architecture, determine three, we need to show that the technique architecture will be able to fulfil the security prerequisites and design and style constraints.

To do this, we derived a specialized security strategy from the useful security strategy. This brings together the components and computer software sub-ingredient capabilities that will be applied to realize the meant item and technique operation.

A security examination is then operate to verify that all possible technique failures have been identified and that the acceptable security mechanisms are in place. This may possibly final result in new security prerequisites becoming allotted to the security architecture.

By doing this, the specialized definition can deliver the required proof that the acceptable reactions have been identified and that a secure condition can be accomplished in fewer time than FTTI: hence that there is no violation of the security goals of the item.

In our example, secure condition is intricate since of the significant total of power flowing into the electric powered motor. A secure condition in this article indicates stopping the propulsion of the car, by opening or shorting the three phases of the motor based on the pace of the motor.

As we development by the V cycle, the get the job done merchandise are formulated to make certain the security problems a client may possibly have are fulfilled. A components design and style is coated by the method in the very same way the security strategy lessens the improvement and prototyping stage for prospects by three to six months.

In the NXP reference design and style, the comprehensive security architecture is built out making use of NXP ICs and diagnostics and response to secure condition are analyzed. The reference design and style can help to pace improvement and supplies a stage of specialized security architecture, along with proof of the security integrity stage as portion of the overall offer.

Locate out much more about the energy inverter reference design and style in this article.