为什么需要功能安全？
及浅谈电子电气架构
功能安全
博世工程技术中国区
功能安全专家
陈义礼
为什么要功能安全？
设计好的系统，一定会按照我们预想运行吗？
 锡须
 电子迁移
 普通CAN传输的比特误码率(Bit Error Rate):
 高能粒子翻转
 BER: 10^-5 ~ 10^-3
 当CAN传输速率为125Kbit/s时，几乎每秒都有传
输错误的发生
2
BEG/ESY1-CN | 2021-2-24
© Robert Bosch GmbH 2019. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
为什么要功能安全？
墨菲定律
« If anything can go
wrong, it will. »
Edward Murphy
3
BEG/ESY1-CN | 2021-2-24
© Robert Bosch GmbH 2019. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
BEG/ESY1-CN | 2021-2-24
© Robert Bosch GmbH 2019. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
BEG/ESY1-CN | 2021-2-24
© Robert Bosch GmbH 2019. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
BEG/ESY1-CN | 2021-2-24
© Robert Bosch GmbH 2019. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
为什么要功能安全？
避免安全风险！
如果安全相关的系统上，有一个电子件失效，会发生什么？
如果汽车工业能有信息工业一样的技术发展速度，我们开的车
就只要200法郎且百公里耗油只有0.5升
这句话说的很对。但是谁会想要一个一天崩溃两次的车呢
7
BEG/ESY1-CN | 2021-2-24
© Robert Bosch GmbH 2019. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
为什么要功能安全？
避免安全风险！
8
BEG/ESY1-CN | 2021-2-24
© Robert Bosch GmbH 2019. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
什么是功能安全？
功能安全的定义
ISO 26262 Part1 (GB/T 34590.1 术语)
功能安全 Function Safety
不存在由 电子电气系统 的功能异常表现
引起的危害而导致不合理的风险。
9
BEG/ESY1-CN | 2021-2-24
© Robert Bosch GmbH 2019. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
always
功能安全概念阶段
汽车安全完整性等级 (ASIL)
Frequency
Risk reduction due to
external measures e.g
Controllability by the driver
ASIL
Automotive Safety
Integrity Level
remote
Tolerable
Residual Risk
Probability of Exposure to
driving situation
Severity of possible accident
negligible
10
Severity
catastrophic
BEG/ESY1-CN | 2021-2-24
© Robert Bosch GmbH 2019. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
功能安全概念阶段
汽车安全完整性等级 (ASIL)
• ASIL 由三个因素进行确定：
•
严重度 – Severity (从S0到S3)
•
暴露度 – Exposure (从E0到E4)
•
可控度 - Controllability(从C0到C3)
S1
S2
• ASIL 等级从低到高为：
S3
11
C1
C2
C3
E3
QM
QM
A
E4
QM
A
B
E2
QM
QM
A
E3
QM
A
B
E4
A
B
C
E1
QM
QM
A
E2
QM
A
B
E3
A
B
C
E4
B
C
D
BEG/ESY1-CN | 2021-2-24
© Robert Bosch GmbH 2019. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
功能安全概念阶段
汽车安全完整性等级 (ASIL)
失效
系统性失效
流程措施
随机硬件失效
随ASIL等
级变化，工
作量也随之
变化
Effort
技术措施
文档化
(安全档案)
ASIL A
BEG/ESY1-CN | 2021-2-24
© Robert Bosch GmbH 2019. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
B
C
D
功能安全概念阶段
危害分析及风险评估(HARA)
• 车辆刹车丢失
Class
Description
S0
No injuries
Class
E1
Light and moderate
injuries
E2
S2
Severe and lifethreatening injuries
(survival probable)
E3
S3
Life-threatening injuries
(survival uncertain),
fatal injuries
E4
Description
Very low probability
Low probability
Medium probability
High probability
Definition of duration/
probability of exposure
Not specified
< 1% of average operating
time
1% - 10% of average
operating time
> 10% of average operating
time
Class
13
S1
C0
C1
C2
C3
Description
Controllable in general
Simply controllable
Normally controllable
Difficult to control or
uncontrollable
Definition
Distracting
More than 99% of average
drivers or other traffic
participants are usually
able to control the damage.
More than 90% of average
drivers or other traffic
participants are usually
able to control the damage.
The average driver or
other traffic participant is
usually unable, or barely
able, to control the
damage.
BEG/ESY1-CN | 2021-2-24
© Robert Bosch GmbH 2019. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
功能安全概念阶段
危害分析及风险评估(HARA)- 风险评估
Hazard
Situation
S
E
C
ASIL
Loss of brake
A braking vehicle in front
S3
E4
C3
D
…
..
..
..
..
• 安全目标: Avoid too low brake torque
• 安全状态: ？
14
BEG/ESY1-CN | 2021-2-24
© Robert Bosch GmbH 2019. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
- ASIL D
功能安全概念阶段
安全状态策略
Strategy C
刹车/转向/感知冗余…
Strategy B
降级所需时间
刹车/转向冗余
Strategy A
刹车冗余
Safe stop strategy:
紧急制动
Safe stop strategy:
当前车道停车
高等级自动驾驶功能启用时的车辆行驶速度
•
•
15
高等级的自动驾驶系统要求“Fail Operational”
为了满足“Fail Operational”的要求，相应的冗余系统是必须的
BEG/ESY1-CN | 2021-2-24
© Robert Bosch GmbH 2019. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
Safe stop strategy:
应急车道靠边停车
功能安全概念阶段
功能安全概念冗余电源
 示例：ASIL D低压电源拓扑
 两路ASIL B(D)的安全相关负载电
源分支
B(D)
隔离器
1
DC/DC
SR load
NSR
‒ 通过冗余降低相关部件的ASIL等级
要求
QM(D)
 通过两个安全隔离部件将整车基
础负载和安全性相关负载之间进
行有效隔离
隔离器
2
BEG/ESY1-CN | 2021-2-24
© Robert Bosch GmbH 2019. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
SR load
NSR: non-safety relevant/常规负载
‒ 如果一个安全相关电源支路或整车
基础负载支路发生故障，可以确保
另一个安全相关电源系统分支仍可
安全工作
16
EBS
B(D)
‒ 消除QM 级别的整车基础负载的影
响
‒ DCDC上没有额外的功能安全要求
Batt_1
Batt_2
EBS
功能安全
服务范围
危害分析及风险评估的咨询服务
功能安全概念设计的咨询服务
冗余电网的咨询服务
17
BEG/ESY1-CN | 2021-2-24
© Robert Bosch GmbH 2019. All rights reserved, also regarding any disposal, exploitation, reproduction, editing, distribution, as well as in the event of applications for industrial property rights.
18
THANK YOU!