Reliability Improvement of Electric Power Steering System Based on ISO 26262

Transcription

1 2013 International Conference on Quality, Reliability, Risk, Maintenance, and Safety Engineering (QR2MSE) 2013 International Conference on Materials and Reliability (ICMR) 2013 International Conference on Maintenance Engineering (ICME) Reliability Improvement of Electric Power Steering System Based on ISO Xuewu Ji, Jingguang Ge, Hongliang Tian State Key Laboratory of Automotive Safety and Energy Tsinghua University Beijing, China Abstract Electric power steering (EPS) systems have been more and more widely used in medium and large cars. As a safetycritical system, its safety and reliability are uttermost important. ISO adapted from IEC provides a V-model as a reference process model for different phases of product development. In this paper, DFMEA (design mode and effects analysis) and FTA (fault tree analysis) complied with ISO are taken to analyze the safety aspects of EPS so as to enhance the safety and reliability of EPS. Firstly, the EPS system is decomposed into subsystems and components, and the familiar modes and undesired top events are separately divided into several categories. Then a comprehensive DFMEA for every single potential mode is carried out without omission as far as possible. The qualitative FTA is put into practice to identify the weak link as well. Since the DFMEA and FTA for EPS are finished, countermeasures for each potential hazard should be taken to guarantee the safety and reliability of EPS which are always achieved by fault detection and fault isolation algorithms of EPS hardware and software. Besides, some preventive actions are also taken in the early design stage to find out the potential causes. Keywords-EPS; ISO 26262; DFMEA; system structure tree; FTA; preventive actions I. INTRODUCTION The past few years have witnessed a great increase in the number and sophistication of EPS system, as it is more fuel efficient and enviromental friendly compared with the traditional hydraulic power steering (HPS) system [1]. Nowadays, the EPS has been a standard feature for most small and medium size cars. The EPS is a typical feedback control system composed of PMSM (Permanent Magnet Synchronous Motor), an electronic control unit (ECU), sensors and other mechanical components. The electric motor applies assistant torque which is calculated by the ECU to the steering column via the reduction gear, thus it releases the driver s effort to steer the steering wheel as depicted in Fig. 1. Though EPS control logic has been studied by several literatures, the safety design process has not been extensively explored [2-5]. Any of these components or the software program implementation will lead to negative effects which will directly influence the driver s safety. Therefore, the EPS system should be designed and analyzed integrally to guarantee not only that it works as it was desired, but to prevent it from operating in any way that was not intended. As a safety-critical part, the safety and reliability or EPS system is of great significance. Figure 1. Schematic diagram of EPS control method [6]. Meanwhile, the ISO [7] ( Road Vehicles-Functional Safety ) provides a specific analysis method to determine the Automotive Safety Integral Level (ASIL) for each undesirable effect. ISO is a functional safety standard and it comprises the whole lifecycle of a product. The implementation of the EPS safety design with respect to ISO is a very complex and huge project. Though happening can t be forbidden, proper fail-safe control strategies can be made in advance, which could be achieved through some qualitative and quantitive analysis methods such as DFMEA and FTA, which are also strongly recommended by ISO To improve the reliability and safety of EPS, measures should be taken to decrease the rates (such as taking highly durable and reliable electronic pieces) and improve the diagnostic coverage to mitigrate the risks based on careful analysis of which happened in the past or will potentially occur in the future. In this paper, we will focus on the EPS safety and reliability design using DFMEA and FTA to satisfy the ISO requirements. 129

2 II. ISO 26262, DFMEA AND FTA A. ISO The standard ISO consisits of 9 parts as shown in Fig. 2, providing an automotive-specific risk-based approach to determine ASIL used to specify applicable requirements of ISO so as to avoid risks. The shaded V s represent the interconnection among different parts. It offers a V-model as a reference process model to conduct the different phases of product development step by step. Firstly, based upon severity, probability of exposure and controlability according to ISO 26262, EPS is ASIL D [8], which is the highest risk level as well as the most demanding to functional safety. Then, the corresponding specific safety goal should be determined according to the specific mode. Thirdly, to achieve the safety goal, we have to rely on the fault detection and isolation algorithms, which are implemented through ECU hardware and software, transitioning to a safe state. Finally, the functional safety requirements become the requirements of hardware and software that can be continued by inductive and deductive methods such as DFMEA and FTA. Figure 2. Overview of ISO B. DFMEA Method FMEA born in the 1950s is a systematic method used to recognize and evaluate the potential of a product and the effects of the, specify actions that could mitigate risks or reduce the chance of the potential occurrence [9]. Timeliness is one of the key factors to implement an FMEA process so that the potential modes can be designed out in advance. There are two types of FMEA, i.e. DFMEA and PFMEA (process mode and effect analysis). The former one taken in this paper is applied in the design phase during product development process while the latter one is used for manufacturing. Fig. 3 briefly depicts the process of DFMEA. Aiming at a certain item of EPS, modes should be identified as many as possible based on group brainstorm or collection of past known s. What s more, each mode may be aroused by several causes and each of these causes should be analyzed and evaluated. The numbers of severity of the effects (S), likelyhood of detection (D) and probability of occurrence (O) are determined according to the DFMEA evaluation criteria suggested by Automotive Industry Action Group (AIAG) [9]. The risk priority number (RPN) used to rank and assess criticalality of differernt modes is calculated according to Eq. (1). RPN S D O (1) If the RPN (ranges between 0 and 1000) exceeds a preset threshhold, actions should be taken to reduce risk level to a permissive range. However, there is no definite threshold for the preset value, it is always determined through DFMEA team discussions. When the severity is 9 or 10, preventive 130

3 measures should be adopted as well regardless the RPN value. Once the corresponding actions have been taken the S and RPN values will be reassessed, until they are acceptable. This is a constantly optimized and iterative process. Effects of Failure Severity of the Effects Identify Design Item s Function Identify Potential Failure Identify Causes Fault Detection Algorithm Likelihood of Detection Risk Priority Number (RPN) Actions to Mitigating Risks Figure 3. DFMEA process. Failure Isolation Algorithm Probability of Occurrence A thoroughly DFMEA should consist of corrective and preventive actions; otherwise it will be difficult to be put in practice. C. FTA Method While the FMEA is a bottom-up approach, the FTA is a top-down process. FTA produces a fault tree; the fault tree is a graphical logic model that displays various parallel and sequential combinations of faults and s that will result in the predefined top undesired event [10]. It s made up of top undesired event, intermediate events and basic events which are connected by logic gates, for example, AND gate, and logic symbols. In this paper, we carry out the qualitative FTA for valid and reliable data related to the system are always difficult to be obtained. III. APPLICATION OF DFMEA AND FTA IN EPS The application of DFMEA and FTA in EPS is part of the EPS safety design complying with the ISO Moreover, they can help us gain a full understanding of the EPS system as well as identify the causes of a and system weakness so as to take proper action to enhance the reliability and safety design of system. A. DFMEA of EPS Theoretically, all potential modes of EPS can be analyzed during the early development phase and have a RPN ranking list. If we control the causes or take measures to prevent the problem before it occurs, it is possible to decrease the high RPN number to a level that system can tolerate. Thus, we must take every mode related to the EPS system, subsystems and components into consideration. First of all, to avoid leaving out any mode, we break down the EPS system and build an EPS structure tree, as shown in Fig. 4; each module in the tree consists of the function of the subsystem or component name and its potential malfunctions. As to the EPS system, the familiar modes are listed as follows which should be emphasized overall in the DFMEA process.in general, there are five main categories of potential causes of EPS modes: (1) Faults in the DSP on the ECU. (2) Faults from steering torque sensor and steering angle sensor. (3) Faults aroused by the EPS actuator, PMSM. (4) Faults caused by power source. (5) CAN communication faults. In addition, each category is caused by varieties of specific problems. Take the fourth category for example, it includes over voltage, under voltage, short circuit, leakage current too high, and so on. Then, aiming at each module of the EPS structure tree, the potential modes based on the five kinds of faults are analyzed according to Figure 2 so as to avoid omission. The final analysis result forms a living document which should always be updated when improvement measures are taken or designs are changed. Part of the analysis results is shown in Fig. 5. B. FTA of EPS The FTA and DFMEA are complementary hazard analysis methods. In the EPS system, there are two kinds of undesired events. (1) PMSM produces an undesired torque. (2) PMSM doesn t produce an required torque. On the one hand, if the PMSM produced an unintended torque, the vehicle may steer by itself when it were unnecessary or dangerous which could lead to terrible accidents. On the other hand, if the motor couldn t provide assistance torque as required, it may decrease the drive pleasure of the driver, what s worse, it may lead to his or her panic in some urgency situation, such as emergency obstacle avoidance. Both of these two types hazardous events can be placed emphasis for further testing, analysis and validation according to the FTA. We take the steering is heavy for example to implement FTA as depicted in Figure 6. In this way, we can identify the weakness and reasons leading to the top event so that we can prevent the top event by controlling the basic events especially the weak nodes. IV. CONCLUSION Safety and reliablity are two key factors in the EPS design phase, and they are the foundation for the normal working of EPS. And at the same time, the ISO has been officially published to instruct the design of electrical and/or electronic systems within road vehicles. It presents guidence to avoid 131

4 Figure 4. EPS structure tree. Figure 5. DFMEA of EPS. 132

5 Steering is heavy Mechanical steering system Torque sensor The assistance motor ECU Power supply Front tire pressure improper or tire wear Front wheel alignment incorrect Steering column wear Pinion and gear wear Internal winding partly open Rotor position sensor(resolver) malfunction Software Hardware error Power voltage low Poor contact between EPS and the power source Main signal open or short Sub signal open or short Torque sensor supply voltage low Wiring harness(eps control module and resolver terminal)open or short Poor connection at connectors Failure in acquiring torque sensor signal Execution error Failure in delivery of current command to motor Figure 6. Fault tree example. risks by providing appropriate requirement and process. The FMEA and FTA are two frequently-used methods to satisfy the requirement of ISO Additionally, they can also help the design team to identify the system vulnerable REFERENCES [1] A. A. Badawy and F. Bolourchi, The design and benefits of electric power steering. SAE Technical Paper, [2] F. Bolourchi and C. Etienne, Active damping controls algorithm for an electric power steering application, In Proceedings of 30th International Symposium on Automotive Technology & Automation, pp , [3] J. H. Kim and J. B. Song, Control logic for an electric power steering system using assist motor, Mechatronics, vol. 12, no. 3, pp , [4] C. H. Hu, Modeling and simulation of automotive electric power steering system, In Intelligent Information Technology Application, Second International Symposium, vol. 3, no. 2, pp , spots,define the hazards which need to be improved and draw up corresponding countermeasures, and evaluate the potential hazard effects. [5] D. Mahendra, Modelling and analysis of power steering system, International Journal of Electric and Hybrid Vehicles, vol. 4, no. 8, pp , [6] T. Nozawa, Y. Shintani, T. Tamizumi, T. Hib, and H. Itamoto, Development of brushless EPS assist control for disconnection control, JTEKT Corporation Technical report, available at: [7] ISO 26262, Road Vehicles-Functional Safety, [8] P. O. Jacob, Design & safety considerations for electric power steering (EPS) systems based on automotive safety integrity levels, SAE Technical Paper, [9] Automotive Industry Action Group (AIAG), Potential Failure Mode and Effects Analysis (FMEA Third Edition), [10] W. E. Vesely and N. H. Roberts, Fault Tree Handbook. Nuclear Regulatory Commission,