Reliability Improvement of Electric Power Steering System Based on ISO 26262

Xuewu Ji, Jingguang Ge, Hongliang Tian
State Key Laboratory of Automotive Safety and Energy, Tsinghua University, Beijing, China
[email protected]

2013 International Conference on Quality, Reliability, Risk, Maintenance, and Safety Engineering (QR2MSE); 2013 International Conference on Materials and Reliability (ICMR); 2013 International Conference on Maintenance Engineering (ICME)

Abstract—Electric power steering (EPS) systems have been more and more widely used in medium and large cars. As a safety-critical system, its safety and reliability are of the utmost importance. ISO 26262, adapted from IEC 61508, provides a V-model as a reference process model for the different phases of product development. In this paper, DFMEA (design failure mode and effects analysis) and FTA (fault tree analysis) complying with ISO 26262 are used to analyze the safety aspects of EPS so as to enhance its safety and reliability. Firstly, the EPS system is decomposed into subsystems and components, and the familiar failure modes and undesired top events are separately divided into several categories. Then a comprehensive DFMEA for every single potential failure mode is carried out, with as few omissions as possible. A qualitative FTA is put into practice to identify the weak links as well. Once the DFMEA and FTA for EPS are finished, countermeasures for each potential hazard should be taken to guarantee the safety and reliability of EPS; these are always achieved by the fault detection and fault isolation algorithms of the EPS hardware and software. Besides, some preventive actions are also taken in the early design stage to find out the potential causes.

Keywords: EPS; ISO 26262; DFMEA; system structure tree; FTA; preventive actions

I. INTRODUCTION

The past few years have witnessed a great increase in the number and sophistication of EPS systems, as they are more fuel efficient and environmentally friendly compared with the traditional hydraulic power steering (HPS) system [1]. Nowadays, the EPS has become a standard feature for most small and medium size cars.

The EPS is a typical feedback control system composed of a PMSM (permanent magnet synchronous motor), an electronic control unit (ECU), sensors and other mechanical components. The electric motor applies the assistance torque calculated by the ECU to the steering column via the reduction gear, thus relieving the driver's effort to turn the steering wheel, as depicted in Fig. 1.

Figure 1. Schematic diagram of EPS control method [6].

Though EPS control logic has been studied in several publications, the safety design process has not been extensively explored [2-5]. Any failure of these components or of the software implementation will lead to negative effects which directly influence the driver's safety. Therefore, the EPS system should be designed and analyzed as a whole, to guarantee not only that it works as desired, but also that it is prevented from operating in any way that was not intended. As a safety-critical part, the safety and reliability of the EPS system are of great significance.

Meanwhile, ISO 26262 [7] ("Road Vehicles-Functional Safety") provides a specific analysis method to determine the Automotive Safety Integrity Level (ASIL) for each undesirable failure effect. ISO 26262 is a functional safety standard and it covers the whole lifecycle of a product. The implementation of the EPS safety design with respect to ISO 26262 is a very complex and large project. Though failures cannot be forbidden from happening, proper fail-safe control strategies can be made in advance, which can be achieved through qualitative and quantitative analysis methods such as DFMEA and FTA, both of which are strongly recommended by ISO 26262. To improve the reliability and safety of EPS, measures should be taken to decrease the failure rates (such as using highly durable and reliable electronic parts) and to improve the diagnostic coverage so as to mitigate the risks, based on careful analysis of failures which happened in the past or may potentially occur in the future.

In this paper, we focus on the EPS safety and reliability design using DFMEA and FTA to satisfy the ISO 26262 requirements.

II. ISO 26262, DFMEA AND FTA

A. ISO 26262

The standard ISO 26262 consists of 9 parts, as shown in Fig. 2, providing an automotive-specific risk-based approach to determine the ASIL, which is then used to specify the applicable requirements of ISO 26262 so as to avoid risks. The shaded "V"s represent the interconnection among the different parts. It offers a V-model as a reference process model to conduct the different phases of product development step by step.

Figure 2. Overview of ISO 26262.

Firstly, based upon severity, probability of exposure and controllability according to ISO 26262, EPS is ASIL D [8], which is the highest risk level as well as the most demanding for functional safety. Then, the corresponding specific safety goal should be determined according to the specific failure mode. Thirdly, to achieve the safety goal, we have to rely on the fault detection and failure isolation algorithms, which are implemented through the ECU hardware and software, to transition to a safe state. Finally, the functional safety requirements become the requirements of hardware and software, which can be elaborated by inductive and deductive methods such as DFMEA and FTA.

B. DFMEA Method

FMEA, born in the 1950s, is a systematic method used to recognize and evaluate the potential failures of a product and the effects of those failures, and to specify actions that could mitigate the risks or reduce the chance of the potential failure occurring [9]. Timeliness is one of the key factors in implementing an FMEA process, so that the potential failure modes can be designed out in advance. There are two types of FMEA, i.e. DFMEA and PFMEA (process failure mode and effect analysis). The former, used in this paper, is applied in the design phase of the product development process, while the latter is used for manufacturing.

Fig. 3 briefly depicts the process of DFMEA. Aiming at a certain item of EPS, as many failure modes as possible should be identified, based on group brainstorming or a collection of past known failures. What's more, each failure mode may be aroused by several causes, and each of these causes should be analyzed and evaluated. The numbers for severity of the effects (S), likelihood of detection (D) and probability of occurrence (O) are determined according to the DFMEA evaluation criteria suggested by the Automotive Industry Action Group (AIAG) [9]. The risk priority number (RPN), used to rank and assess the criticality of different failure modes, is calculated according to Eq. (1).

$\mathrm{RPN} = S \times D \times O$    (1)

If the RPN (which ranges between 0 and 1000) exceeds a preset threshold, actions should be taken to reduce the risk level to a permissible range. However, there is no definite value for the preset threshold; it is always determined through DFMEA team discussions. When the severity is 9 or 10, preventive measures should be adopted as well, regardless of the RPN value. Once the corresponding actions have been taken, the S and RPN values are reassessed, until they are acceptable. This is a constantly optimized and iterative process.
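As an added illustration (not code from the paper), the RPN ranking of Eq. (1) applied to a constructed DFMEA worksheet with one row per EPS fault category the paper lists in Section III.A; the S, O and D ratings and the threshold of 100 are assumptions, since the paper leaves the threshold to the DFMEA team, and the reassess step shows why a severity-9 row stays flagged until severity itself is reduced.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class FailureMode:
    """One DFMEA worksheet row: a potential failure cause with its AIAG-style ratings."""
    item: str
    cause: str
    S: int  # severity of the effect, 1..10
    O: int  # probability of occurrence, 1..10
    D: int  # likelihood of detection, 1..10 (10 = almost impossible to detect)

    def rpn(self) -> int:
        """Eq. (1) of the paper: RPN = S x D x O."""
        for v in (self.S, self.O, self.D):
            if not 1 <= v <= 10:
                raise ValueError("S, O and D must be ratings in 1..10")
        return self.S * self.D * self.O

def needs_action(fm: FailureMode, threshold: int) -> bool:
    """Action is needed when RPN exceeds the team's threshold, or whenever
    severity is 9 or 10 regardless of RPN (the paper's preventive-measure rule)."""
    return fm.rpn() > threshold or fm.S >= 9

def rank(worksheet, threshold):
    """(row, rpn, needs_action) triples, highest RPN first: the ranking list."""
    return sorted(((fm, fm.rpn(), needs_action(fm, threshold)) for fm in worksheet),
                  key=lambda t: t[1], reverse=True)

def reassess(fm: FailureMode, threshold: int, S: Optional[int] = None,
             O: Optional[int] = None, D: Optional[int] = None):
    """Re-score a row after a corrective or preventive action; returns the new
    row and whether it is now acceptable (the iterative step of the process)."""
    new = FailureMode(fm.item, fm.cause,
                      fm.S if S is None else S, fm.O if O is None else O,
                      fm.D if D is None else D)
    return new, not needs_action(new, threshold)

# Constructed worksheet (ratings are illustrative, not from the paper), one row
# per fault category: ECU DSP, torque sensor, PMSM, power source, CAN.
WORKSHEET = [
    FailureMode("ECU DSP", "DSP fault", S=9, O=2, D=4),
    FailureMode("Torque sensor", "main signal open or short", S=8, O=4, D=5),
    FailureMode("PMSM", "internal winding partly open", S=7, O=3, D=6),
    FailureMode("Power source", "under voltage", S=6, O=5, D=3),
    FailureMode("CAN bus", "communication fault", S=5, O=4, D=4),
]
THRESHOLD = 100  # assumed; the paper leaves the value to the DFMEA team
```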

A thorough DFMEA should consist of corrective and preventive actions; otherwise it will be difficult to put into practice.

[Figure 3. DFMEA process. Steps shown: Identify Design Item's Function; Identify Potential Failure; Identify Causes; Effects of Failure; Fault Detection Algorithm; Failure Isolation Algorithm; Severity of the Effects; Likelihood of Detection; Probability of Occurrence; Risk Priority Number (RPN); Actions to Mitigate Risks.]

C. FTA Method

While the FMEA is a "bottom-up" approach, the FTA is a top-down process. FTA produces a fault tree; the fault tree is a graphical logic model that displays the various parallel and sequential combinations of faults and failures that will result in the predefined undesired top event [10]. It is made up of the undesired top event, intermediate events and basic events, which are connected by logic gates (for example, the AND gate) and logic symbols. In this paper, we carry out a qualitative FTA, since valid and reliable data related to the system are always difficult to obtain.

III. APPLICATION OF DFMEA AND FTA IN EPS

The application of DFMEA and FTA in EPS is part of the EPS safety design complying with ISO 26262. Moreover, they can help us gain a full understanding of the EPS system as well as identify the causes of a failure and the system weaknesses, so as to take proper action to enhance the reliability and safety design of the system.

A. DFMEA of EPS

Theoretically, all potential failure modes of EPS can be analyzed during the early development phase and given an RPN ranking list. If we control the failure causes or take measures to prevent the problem before it occurs, it is possible to decrease a high RPN to a level that the system can tolerate.

Thus, we must take every failure mode related to the EPS system, its subsystems and components into consideration. First of all, to avoid leaving out any failure mode, we break down the EPS system and build an EPS structure tree, as shown in Fig. 4; each module in the tree consists of the function of the subsystem or component name and its potential malfunctions. As for the EPS system, the familiar failure modes are listed as follows and should be emphasized throughout the DFMEA process. In general, there are five main categories of potential causes of EPS failure modes:

(1) Faults in the DSP on the ECU.
(2) Faults from the steering torque sensor and steering angle sensor.
(3) Faults aroused by the EPS actuator, the PMSM.
(4) Faults caused by the power source.
(5) CAN communication faults.

In addition, each category is caused by a variety of specific problems. Take the fourth category for example: it includes over voltage, under voltage, short circuit, leakage current too high, and so on.

Then, aiming at each module of the EPS structure tree, the potential failure modes based on the five kinds of faults are analyzed according to Figure 2 so as to avoid omission. The final analysis result forms a living document which should always be updated when improvement measures are taken or designs are changed. Part of the analysis results is shown in Fig. 5.

Figure 4. EPS structure tree.

Figure 5. DFMEA of EPS.

B. FTA of EPS

The FTA and DFMEA are complementary hazard analysis methods. In the EPS system, there are two kinds of undesired events:

(1) The PMSM produces an undesired torque.
(2) The PMSM does not produce the required torque.

On the one hand, if the PMSM produced an unintended torque, the vehicle may steer by itself when it is unnecessary or dangerous, which could lead to terrible accidents. On the other hand, if the motor could not provide the assistance torque as required, it may decrease the driving pleasure of the driver; what is worse, it may cause panic in an urgent situation such as emergency obstacle avoidance. Both types of hazardous events can be emphasized for further testing, analysis and validation according to the FTA. We take "steering is heavy" as an example to implement FTA, as depicted in Figure 6. In this way, we can identify the weaknesses and the reasons leading to the top event, so that we can prevent the top event by controlling the basic events, especially the weak nodes.

[Figure 6. Fault tree example. Top event: Steering is heavy. Intermediate events: Mechanical steering system failure; The assistance motor failure; Torque sensor failure; ECU failure; Power supply failure. Basic events (as extracted): Front tire pressure improper or tire wear; Front wheel alignment incorrect; Steering column wear; Pinion and gear wear; Internal winding partly open; Main signal open or short; Sub signal open or short; Rotor position sensor (resolver) malfunction; Software failure; Hardware error; Power voltage low; Poor contact between EPS and the power source; Torque sensor supply voltage low; Wiring harness (EPS control module and resolver terminal) open or short; Poor connection at connectors; Failure in acquiring torque sensor signal; Execution error; Failure in delivery of current command to motor.]

IV. CONCLUSION

Safety and reliability are two key factors in the EPS design phase, and they are the foundation for the normal working of EPS. At the same time, ISO 26262 has been officially published to guide the design of electrical and/or electronic systems within road vehicles. It presents guidance to avoid risks by providing appropriate requirements and processes. FMEA and FTA are two frequently-used methods to satisfy the requirements of ISO 26262. Additionally, they can also help the design team to identify the system's vulnerable spots, define the hazards which need to be addressed and draw up corresponding countermeasures, and evaluate the potential hazard effects.

REFERENCES

[1] A. A. Badawy and F. Bolourchi, "The design and benefits of electric power steering," SAE Technical Paper, 1997.
[2] F. Bolourchi and C. Etienne, "Active damping controls algorithm for an electric power steering application," in Proceedings of the 30th International Symposium on Automotive Technology & Automation, pp. 807-816, 1997.
[3] J. H. Kim and J. B. Song, "Control logic for an electric power steering system using assist motor," Mechatronics, vol. 12, no. 3, pp. 447-459, 2002.
[4] C. H. Hu, "Modeling and simulation of automotive electric power steering system," in Intelligent Information Technology Application, Second International Symposium, vol. 3, no. 2, pp. 436-439, 2008.
[5] D. Mahendra, "Modelling and analysis of power steering system," International Journal of Electric and Hybrid Vehicles, vol. 4, no. 8, pp. 2911-2915, 2010.
[6] T. Nozawa, Y. Shintani, T. Tamizumi, T. Hib, and H. Itamoto, "Development of brushless EPS assist control for disconnection control," JTEKT Corporation Technical Report, available at: http://eb-cat.dsnavi.co.jp/enu/jtekt/tech/ej/img/no1008e/1008e_09.pdf.
[7] ISO 26262, Road Vehicles-Functional Safety, 2011.
[8] P. O. Jacob, "Design & safety considerations for electric power steering (EPS) systems based on automotive safety integrity levels," SAE Technical Paper, 2010.
[9] Automotive Industry Action Group (AIAG), Potential Failure Mode and Effects Analysis (FMEA), 3rd ed., 2001.
[10] W. E. Vesely and N. H. Roberts, Fault Tree Handbook. Nuclear Regulatory Commission, 1987.
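As an added example (not code from the paper), a qualitative evaluation of the "steering is heavy" fault tree of Figure 6 in Section III.B: minimal cut sets are derived by expanding OR and AND gates, and the single-event cut sets are reported as the weak nodes the paper says to control first. The OR-only gate structure and the assignment of basic events to intermediate events are assumed from the figure labels; the paper does not state them.

```python
from itertools import product

# Fault tree for the "Steering is heavy" top event of Figure 6. A gate is
# ("OR"|"AND", [inputs]); any name that is not a key is a basic event. The
# OR-only gates and the grouping of basic events under each intermediate
# event are assumed from the figure labels (the paper does not state them).
TREE = {
    "Steering is heavy": ("OR", ["Mechanical steering system failure",
        "The assistance motor failure", "Torque sensor failure",
        "ECU failure", "Power supply failure"]),
    "Mechanical steering system failure": ("OR", [
        "Front tire pressure improper or tire wear",
        "Front wheel alignment incorrect", "Steering column wear",
        "Pinion and gear wear"]),
    "The assistance motor failure": ("OR", ["Internal winding partly open",
        "Rotor position sensor (resolver) malfunction",
        "Wiring harness (EPS control module and resolver terminal) open or short"]),
    "Torque sensor failure": ("OR", ["Main signal open or short",
        "Sub signal open or short", "Torque sensor supply voltage low",
        "Failure in acquiring torque sensor signal"]),
    "ECU failure": ("OR", ["Software failure", "Hardware error",
        "Execution error", "Failure in delivery of current command to motor"]),
    "Power supply failure": ("OR", ["Power voltage low",
        "Poor contact between EPS and the power source",
        "Poor connection at connectors"]),
}

def cut_sets(event, tree):
    """Minimal cut sets (frozensets of basic events) that cause `event`.
    OR: union of the inputs' cut sets. AND: one cut set from every input,
    merged. Supersets of another cut set are dropped (minimality)."""
    if event not in tree:
        return {frozenset([event])}
    gate, inputs = tree[event]
    child = [cut_sets(i, tree) for i in inputs]
    if gate == "OR":
        sets = set().union(*child)
    elif gate == "AND":
        sets = {frozenset().union(*combo) for combo in product(*child)}
    else:
        raise ValueError(f"unknown gate {gate!r} at {event!r}")
    return {s for s in sets if not any(o < s for o in sets)}

def single_points_of_failure(event, tree):
    """Basic events that alone reach the top event: the weak nodes the paper
    says to control first. For the all-OR tree of Figure 6 that is every leaf."""
    return sorted(e for s in cut_sets(event, tree) if len(s) == 1 for e in s)
```

Replacing a single basic event under an OR gate with an AND gate over redundant parts (for example, treating loss of both main and sub torque signals as one event) turns that single point of failure into a two-event cut set, which is how the tree records the benefit of a redundancy measure.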