Functional Safety: Predictable reactions in real-time (Part 2)

May 26, 2011 // By Jürgen Belz, Tapio Kramer, Ralf Münzenberger
Timing is a safety issue - this insight has consequences for the safety-relevant evaluation and even the design process. The authors describe a model-based methodology to achieve maximum functional safety. The second part of this article explains the challenges of integration.

The memory seat (as described in part one) consists of hardware and software components that all have to be considered when designing and calculating the fault reaction:

  • switches: belong to the user interface. Pressing a switch leads to movement until the seat reaches one of its end positions. Releasing a switch stops any movement. For this example the switch shall be connected to the digital input/output stage, even though this is not common practice. The I/O ports are read every 500 µs. Any port with a switch requires filtering, implemented as an up-down counter running in the same timeframe.
  • current sensor: is connected to the analog-digital converter and provides information about the motor current. It is part of the anti-pinch function and must be read every 400 µs.
  • speed sensor: is the second part of the anti-pinch function. In principle it counts two pulses per revolution of the motor and is connected to the compare-capture unit of the microcontroller. The associated timer is read every 400 µs.
  • anti-pinch function: is software that detects entrapment. In this case the seat moves a little in the opposite direction. The function also runs with a 400 µs period and is part of the application. The application does not have direct access to the hardware; an abstraction layer is implemented.
  • CAN: during driving only small corrections of the positions are allowed. Therefore the system requires speed information that is provided every 20 ms. The jitter in the message timing needs to be considered. A message is lost when it is not received within 50 ms.
  • Power stage: in principle it is a digital output in the I/O layer of the software.
  • Power drive protection interrupt: in case of a short circuit or open load condition of the power stage an interrupt shall lock the memory seat function.
  • Memory seat controller: is a state machine that takes care of all actions required. It uses all sensors and messages and drives the power stage.
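The 500 µs switch filter and the 50 ms CAN message timeout from the list above, as an added C example (not code from the article or the authors' system); the filter threshold FILTER_MAX and all function names are assumptions:

```c
#include <stdbool.h>
#include <stdint.h>

/* Added example (not from the article): the switch up-down counter filter
 * sampled every 500 us and a deadline monitor for the 20 ms CAN speed message
 * (declared lost after 50 ms). FILTER_MAX is an assumed threshold. */

#define FILTER_MAX           8U      /* assumed: 8 x 500 us = 4 ms stable level */
#define CAN_SPEED_TIMEOUT_US 50000U  /* from the article: lost if not received in 50 ms */

typedef struct { uint8_t counter; bool pressed; } switch_filter_t;

/* Call once per 500 us I/O read. The counter climbs while the raw level is
 * high and falls while it is low; the filtered state flips only when the
 * counter saturates, so a glitch shorter than FILTER_MAX samples is ignored. */
bool switch_filter_update(switch_filter_t *f, bool raw_level)
{
    if (raw_level && f->counter < FILTER_MAX) f->counter++;
    else if (!raw_level && f->counter > 0)    f->counter--;
    if (f->counter == FILTER_MAX) f->pressed = true;
    else if (f->counter == 0)     f->pressed = false;
    return f->pressed;
}

/* Feed n raw samples and return the filtered state afterwards. */
bool switch_filter_feed(switch_filter_t *f, const bool *raw, unsigned n)
{
    for (unsigned i = 0; i < n; i++) switch_filter_update(f, raw[i]);
    return f->pressed;
}

typedef struct { uint32_t last_rx_us; bool valid; } can_speed_monitor_t;

/* Call from the CAN receive path with the current timestamp. */
void can_speed_received(can_speed_monitor_t *m, uint32_t now_us)
{
    m->last_rx_us = now_us;
    m->valid = true;
}

/* Call from the periodic task; unsigned subtraction handles timer wrap-around.
 * Returns false once the speed information is stale, so the memory seat
 * controller can refuse large position changes instead of trusting old data. */
bool can_speed_check(can_speed_monitor_t *m, uint32_t now_us)
{
    if (m->valid && (now_us - m->last_rx_us) > CAN_SPEED_TIMEOUT_US)
        m->valid = false;
    return m->valid;
}
```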

Fault: Switch

Design category: