
ITEC Asia-Pacific 2014 1569951601

Functional Safety Concept Design of Hybrid Electric Vehicle following ISO 26262

Chen Tao
China Automotive Engineering Research Institute, Electric Vehicle Research & Development Center
E-mail: chentao@evchina.org
Abstract - Considering the potential risks due to failure of the electronic system of the dual-motor hybrid electric powertrain, this paper proposes a functional safety concept following the ISO 26262 standard. First, the configuration and operation modes of the dual-motor hybrid powertrain are introduced. Next, based on the functional safety standard, potential hazards are analysed and the risk integrity level is assessed; a functional safety concept is then designed taking account of the current development capability of domestic powertrain suppliers, and finally the functional safety requirements of the vehicle control unit, which is mainly responsible for whole-vehicle safety, are developed.

I. INTRODUCTION

The improvement of automotive electronics technologies has greatly promoted the development of the automobile industry. The cost of automotive electronics in one electric vehicle is expected to reach more than 40% of the total cost. However, according to statistics, more than 50% of the defects and faults of the whole vehicle come from the electronic control system [1], which becomes a serious safety issue as the share of automotive electronics rises. Safety of the electronic system has become one of the key factors that determine the safety of the car. Finding a quantitative method to ensure the safety of the electronic system is a common concern of domestic and foreign automobile OEMs.

The international standard ISO 26262 "Road vehicles - Functional safety", published on 11 November 2011, applies to electrical and/or electronic systems. It addresses the possible hazards caused by the malfunctioning behaviour of electronic and electrical systems with a quasi-quantitative evaluation index, and also proposes a set of strict development procedures and technologies. It is said that ISO 26262 is expected to become the industry standard for European automotive electronic systems in 2018.

Almost all foreign OEMs and suppliers such as Mercedes, GM, Nissan, Toyota, Bosch, Continental and Denso are integrating ISO 26262 into their own development processes, especially in the areas of electric drive motors, batteries and control [2-5]. In China, functional safety has attracted widespread attention, especially in the field of electric vehicles. In August 2012, the working group for the Chinese recommended national standard "Road vehicles - Functional safety" was established. However, the application in China is still in the initial phase [6-7]. Since electrical and/or electronic systems have brought critical risks, it is a great challenge for the domestic automotive electronics industry to implement ISO 26262.

ISO 26262 is composed of 9 parts covering the whole development and manufacturing process; it is complicated enough that a company may need three or more years to implement this standard. This paper focuses on the implementation of the 3rd part, the concept phase. The functional safety concept of a two-motor hybrid powertrain is proposed.

This paper is organized as follows. In section II, the functionality of the two-motor hybrid powertrain is first defined, and hazard analysis and risk assessment (HARA) following the basic requirements of ISO 26262 is carried out. In section III, the functional safety concept considering domestic suppliers' capabilities is designed. In section IV, conclusions are given.

II. HAZARD ANALYSIS AND RISK ASSESSMENT

A. System definition

The basic architecture of the two-motor hybrid powertrain is shown in figure 1. At present, this hybrid system is mainly used for commercial buses, normally with rear-wheel drive. It includes a combustion engine, an integrated starter generator (ISG), a traction motor (TM) and a power battery. The engine and ISG share a common output shaft, which connects to the traction motor via a clutch. This hybrid system can achieve multiple drive modes such as pure electric drive, series drive and parallel drive.

The control system is composed of the vehicle control unit (VCU), the engine controller (ECU), the motor controller (MCU, combined for ISG and TM), the battery management system (BMS), and so on. The vehicle controller is mainly responsible for coordinating the engine, ISG, TM and battery, as well as the clutch.

Fig. 1 Architecture of hybrid powertrain (figure not reproduced; blocks: Power Battery, BMS, VCU, Engine, ISG, Clutch, TM, ECU, MCU)

B. Automotive safety lifecycle

The ISO 26262 standard defines an automotive safety lifecycle which encompasses the principal safety activities during the concept phase, product development, production, operation, service and decommissioning. Each phase defined in ISO 26262 has a rigorous development process and design requirements, as shown in figure 2.

The concept phase mainly includes item definition, initiation of the safety lifecycle, hazard analysis and risk assessment, and the functional safety concept. The product development phase mainly includes system design, hardware design, software design, safety validation and safety assessment. The processes after product release mainly include production, operation, maintenance and decommissioning. In addition, to eliminate system faults, ISO 26262 also proposes functional safety management requirements related to safety culture, document management, change management, supplier management, etc.

Fig. 2 Safety lifecycle (figure not reproduced; boxes: 2-5 to 2-7 management of functional safety; concept phase: 3-5 item definition, 3-6 initiation of the safety lifecycle, 3-7 hazard analysis and risk assessment, 3-8 functional safety concept; product development: 4 system level, 5 HW level, 6 SW level, 4-9 safety validation, 4-10 functional safety assessment, 4-11 release for production; 7-5 production, 7-6 operation, service and decommissioning)

In accordance with ISO 26262, the basic method of hazard analysis and risk assessment is as follows: (1) The operational situations and operating modes in which an item's malfunctioning behaviour will result in a hazardous event shall be analysed; adequate techniques such as brainstorming and FMEA should be used. (2) All hazardous events under the relevant operational situations should be estimated based on severity (S), probability of exposure (E) and controllability (C) [9]. (3) The Automotive Safety Integrity Level (ASIL) and the relevant safety goal of each hazardous event should be determined.

As shown in table 1, ISO 26262 defines quantization indexes for severity (S), probability of exposure (E) and controllability (C). Based on the defined indexes, four ASILs are defined as shown in figure 3: ASIL A, ASIL B, ASIL C and ASIL D, where ASIL A is the lowest safety integrity level and ASIL D the highest [9].

TABLE 1
QUANTIZATION OF RISK ASSESSMENT

Probability of exposure:
E0 - Incredible
E1 - Less often than once a year
E2 - A few times a year
E3 - Once a month or more often
E4 - Almost every drive on average

Controllability:
C0 - Controllable
C1 - Simply controllable
C2 - Normally controllable
C3 - Difficult to control

Severity:
S0 - No injuries
S1 - Light and moderate injuries
S2 - Severe and life-threatening injuries (survival probable)
S3 - Life-threatening injuries (survival uncertain), fatal injuries

Fig. 3 ASIL determination (figure not reproduced; table of ASIL as a function of S, E and C)

C. HARA of hybrid powertrain

The main function of the hybrid powertrain is to drive the vehicle, thus this paper mainly addresses the hazardous events related to propulsion and braking. On the other hand, since the vehicle is rear-wheel drive, a powertrain failure can also cause stability problems. Taking the above two points into account, the potential hazards of the hybrid powertrain mainly consist of: (1) unintended acceleration; (2) unintended deceleration; (3) unintended vehicle start; (4) vehicle sideslip.

To explain the HARA process in more detail, the following takes unintended vehicle start as an example. The hazardous event of unintended vehicle start could happen in any driving situation, and when evaluating this hazard, the worst driving scenarios are adopted.

First, the situation in which the bus enters a bus stop is selected. This scenario is very common, so the probability of exposure is E4 according to ISO 26262. At bus stops, especially in China, there are always many pedestrians crossing the road, so the bus can very easily crash into pedestrians when an unintended vehicle start happens. To properly evaluate the controllability (C) and severity (S), the unintended maximum acceleration and the resulting distance and velocity are calculated based on the hybrid powertrain architecture and the relevant parameters.

For this specific hybrid powertrain, due to the lowest permissible engine working speed, the vehicle can only be started in TM pure electric drive mode. The worst case with the unintended maximum propulsion torque of the TM is considered to evaluate the hazardous event, where Tmax = 2100 Nm, vehicle mass M = 12000 kg, final drive ratio i = 6.17 and wheel radius r = 0.506 m. Factors such as rolling resistance, air resistance and transmission losses are ignored. Based on the above parameters, the maximum acceleration at start is given by

$$a_{max} = \frac{i\,T_{max}}{M\,r} = 2.13\ \mathrm{m/s^2} \qquad (1)$$

When the vehicle is stopped, the driver may not be concentrating on unintended movement of the vehicle. Consequently, the response to an unintended vehicle start could be quite slow. Taking the driver's reaction time as t = 1.5 s, the additional distance during this time caused by the unintended vehicle start is given by

$$s = \frac{1}{2}\,a_{max}\,t^2 = 2.4\ \mathrm{m}, \qquad v = a_{max}\,t = 3.2\ \mathrm{m/s} = 11.5\ \mathrm{km/h} \qquad (2)$$

where s denotes the additional distance travelled due to the unintended vehicle start before the driver presses the brake pedal to overcome the acceleration, and v denotes the velocity at the time the driver begins to brake.

From the calculated potential maximum acceleration, distance and velocity when the malfunction happens, we can see that by the time the driver begins to react, the bus has already moved 2.4 metres forward and its velocity has reached 11.5 km/h. From investigation results of Chinese bus stops, the distance between the bus and pedestrians could be less than 2 metres, sometimes even 1 metre. Consequently, when an unintended vehicle start happens, the collision between bus and pedestrians could be very dangerous and quite hard to control and mitigate. Therefore, the severity is rated S3 and the controllability is rated C2. By looking up the table in figure 3, the unintended vehicle start at a bus stop is rated ASIL C.

Other driving situations are also considered by brainstorming. Similarly, the unintended vehicle start at traffic lights is also evaluated. This kind of scenario is also very common, so the probability of exposure is E4, and an unintended vehicle start may lead to collisions with preceding cars; due to the low speed at collision, the severity is rated S1 according to ISO 26262. The distance between the bus and the preceding car may be very small, so this malfunction could be quite difficult to control, thus the controllability is rated C2. Finally, the unintended vehicle start at traffic lights is rated ASIL A. The basic HARA results for unintended vehicle start are summarized in table 2.

TABLE 2
HARA OF UNINTENDED VEHICLE START

Hazardous event           Driving situation   Severity   Probability of exposure   Controllability   ASIL
Unintended vehicle start  Entering bus stop   S3         E4                        C2                C
                          At traffic lights   S1         E4                        C2                A

According to ISO 26262, the ASIL rating of the hazardous event "unintended vehicle start" is C, choosing the higher risk level between the situations in table 2. Similar analyses of unintended acceleration, deceleration and sideslip are carried out, and finally the HARA results of the two-motor hybrid powertrain with ASIL ratings and corresponding safety goals are determined as shown in table 3.

TABLE 3
HARA OF TWO-MOTOR HYBRID POWERTRAIN

Hazardous event           ASIL   Safety goal
Unintended acceleration   …      Unintended acceleration should be avoided
Unintended deceleration   …      Unintended deceleration should be avoided
Unintended vehicle start  C      Unintended vehicle start should be avoided
Unintended sideslip       …      Unintended vehicle sideslip should be avoided
III. FUNCTIONAL SAFETY CONCEPT DESIGN

Based on the HARA results of the two-motor hybrid powertrain in section II, the functional safety concept can be designed. According to ISO 26262, the basic processes are as follows [9]:
(1) For each safety goal, a safety analysis of each functional-level component should be conducted and all possible causes that could lead to violation of the safety goal should be obtained;
(2) Based on the results of the safety analyses, the corresponding functional requirements related to each safety goal are designed;
(3) If several safety goals are allocated to the same functional requirement, then the functional requirement shall be developed in accordance with the highest ASIL of those safety goals;
(4) For a functional requirement with a high ASIL, the decomposition method, which reduces the ASIL level by using two independent subsystem requirements, should be considered. In the case of independent subsystems, ASIL decomposition follows these basic principles:

ASIL D = ASIL B(D) + ASIL B(D) = ASIL A(D) + ASIL C(D) = ASIL QM(D) + ASIL D(D)   (3)
ASIL C = ASIL B(C) + ASIL A(C) = ASIL QM(C) + ASIL C(C)   (4)
ASIL B = ASIL A(B) + ASIL A(B)   (5)

Actually, if we analyse the hazardous events listed in table 3, we find that the main cause of all the hazardous events is loss of control of the propulsion torque. Therefore, at the component level, it is very difficult to independently design hardware or software for different safety goals. Based on the independence requirements of ISO 26262, the hybrid powertrain control system is developed in accordance with the highest ASIL among all hazards, ASIL C, which meets the requirements of all safety goals.

For the hazard of loss of control of propulsion torque, all relevant components of power transmission are analysed as shown in figure 4. As we can see, all parts are connected in series. If any part of the system is out of control, it could result in loss of control of the propulsion torque. That is to say, in order to realize ASIL C for the whole hybrid powertrain control system, every controller in figure 4 should be designed in accordance with ASIL C, as shown in figure 5: every controller on the torque transmission paths, such as engine and ECU, ISG and MCU, TM and MCU, the VCU and its safety-related input signals, the CAN buses, etc., should achieve ASIL C.

Fig. 4 Torque transmission paths (figure not reproduced)

Fig. 5 Functional safety architecture (figure not reproduced)

However, the current application of ISO 26262 in China is only at the initial stage; all components, including engine and ECU, motor and MCU, battery and BMS, and clutches, are not developed in accordance with ISO 26262 and could only reach the ASIL QM level. Consequently, the functional safety concept shown in figure 5 cannot be achieved under the present technology in China and needs to be improved. Based on the ASIL decomposition principle of ISO 26262, the VCU is designed to monitor the torque risks of the engine, ISG and TM, and to control unexpected vehicle acceleration, deceleration, unexpected start and sideslip. The ASIL decomposition details are as follows:

Engine and ECU ASIL C = Engine and ECU ASIL QM(C) + ECU monitored by VCU ASIL C(C)   (6)
ISG & TM and MCU ASIL C = ISG & TM and MCU ASIL QM(C) + MCU monitored by VCU ASIL C(C)   (7)
Clutch ASIL C = Clutch ASIL QM(C) + Clutch monitored by VCU ASIL C(C)   (8)

After the above ASIL decomposition, engine and ECU, motor and MCU can maintain the original ASIL QM, and only the VCU needs to be redesigned in accordance with ISO 26262. On the other hand, for a single VCU to reach ASIL C means expensive hardware design, software design and system testing. Therefore, the ASIL C of the single VCU is decomposed into a main control chip and a sub-control chip, and the sub-control chip redundantly monitors the working status of the main chip and the safety-critical information:

VCU ASIL C = main control chip ASIL B(C) + sub-control chip ASIL A(C)

The optimized functional safety concept of the two-motor hybrid powertrain is shown in figure 6. The engine and ECU, ISG and MCU, TM and MCU remain designed in accordance with ASIL QM, while the safety-related signals are collected with ASIL C. In order to ensure safety-related monitoring and control, the VCU is designed to reach ASIL C; the main control chip and sub-control chip of the VCU are connected by means of hardware signals, and both can directly cut off the engine, ISG, TM and clutch to maintain a safe state in case of malfunction.

Fig. 6 Functional safety architecture - refined (figure not reproduced; Vehicle Control Unit (VCU) with main control chip and sub-control chip, enable line to the actuators)

Fig. 7 Software-level monitoring architecture (figure not reproduced; Level 1: VCU functions and inputs diagnosis; Level 2: function monitoring and program flow check; Level 3: question/answer test with the sub-control chip; inputs, actuators, monitoring module, control unit, link)

To achieve the safety goals, the safety requirements are as shown in table 4.

TABLE 4
SAFETY REQUIREMENTS OF VCU

Safety functions of the Vehicle Control Unit (VCU):
The VCU should monitor the total wheel torque against maximum and minimum limits
The VCU should monitor the actual clutch position
The VCU should monitor the actual torque of TM against the requested torque
The VCU should monitor the actual torque of ISG against the requested torque
The VCU should monitor the actual torque of engine against the requested torque
The VCU should monitor the actual gear position
The VCU should monitor the actual accelerator pedal position
The VCU should monitor the actual brake pedal position
The VCU should monitor the ISG rotation direction
The VCU should monitor the TM rotation direction against the gear position
The VCU should monitor the 24V power supply
The VCU should monitor the AD module
The VCU should test and monitor the memory module

In order to achieve a certain ASIL level, ISO 26262 defines quantitative indicators, as shown in tables 5 and 6 [11,12]. ASIL A does not require compliance with the hardware architecture metrics; normal quality management is acceptable.

TABLE 5
HARDWARE ARCHITECTURE METRICS IN ACCORDANCE WITH ISO 26262

Metric                       ASIL B   ASIL C   ASIL D
Single-point fault metric    >90%     >97%     >99%
Latent-fault metric          >60%     >80%     >90%

TABLE 6
ERROR DETECTION AT THE SOFTWARE LEVEL IN ACCORDANCE WITH ISO 26262
(++ highly recommended, + recommended, o no recommendation)

Methods                                     ASIL A   ASIL B   ASIL C   ASIL D
1a Range checks of input and output data    ++       ++       ++       ++
1b Plausibility check (a)                   +        +        +        ++
1c Detection of data errors (b)             +        +        +        ++
1d External monitoring facility (c)         o        +        +        ++
1e Control flow monitoring                  o        +        ++       ++
1f Diverse software design                  o        o        +        ++

a Plausibility checks can include using a reference model of the desired behaviour, assertion checks, or comparing signals from different sources.
b Types of methods that may be used to detect data errors include error detecting codes and multiple data storage.
c An external monitoring facility can be, for example, an ASIC or another software element performing a watchdog function.

To achieve the above safety requirements, the software architecture is designed as shown in figure 7, which follows the E-Gas monitoring concept widely used in ECU software development by Bosch, BMW, Audi, VW, etc. [10]. In this software architecture, the monitoring functions are divided into three levels. The first level is the functional level, which contains the normal functions and the diagnostic functions. The second level is the function monitoring level; it recognizes defective sequences of the level 1 functional software. The third level is the controller monitoring level, which contains monitoring of the function controller that is independent of it and is performed by the sub-control chip; it makes sure that the main control chip works correctly, and in case of error the system reactions are triggered independently by the sub-control chip.
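As an added example (not the paper's own code), the following Python sketch of the three-level monitoring structure shows how a level-2 torque plausibility check (the "actual torque of TM against the requested torque" requirement of table 4), a program-flow check and a level-3 question/answer exchange with the sub-control chip drive the enable line; the torque tolerance, the flow marker and the question/answer table are constructed assumptions.

```python
"""Added example: simplified E-Gas style three-level VCU monitor (not from the paper)."""
from dataclasses import dataclass, field

TORQUE_MAX_NM = 2100.0        # maximum TM torque used in the paper's worst case
TORQUE_TOLERANCE_NM = 150.0   # constructed tolerance for actual vs requested torque
EXPECTED_FLOW_MARKER = 3      # constructed: last checkpoint of the level-1 sequence
QA_TABLE = {1: 0x5A, 2: 0xA5, 3: 0x3C, 4: 0xC3}  # constructed question/answer pairs


@dataclass
class Sample:
    """Inputs and feedback signals seen by the VCU in one cycle (constructed)."""
    pedal_pct: float      # accelerator pedal position, 0..100 %
    brake: bool           # brake pedal pressed
    actual_tm_nm: float   # measured TM torque reported by the MCU
    flow_marker: int      # last checkpoint reached by the level-1 software


@dataclass
class VcuState:
    enable: bool = True                          # enable line to TM/ISG/engine/clutch
    faults: list = field(default_factory=list)   # faults detected this cycle


def level1_request(sample):
    """Level 1 (functional level): torque request derived from the driver inputs."""
    if sample.brake or not 0.0 <= sample.pedal_pct <= 100.0:
        return 0.0
    return TORQUE_MAX_NM * sample.pedal_pct / 100.0


def level2_monitor(sample, request, state):
    """Level 2 (function monitoring): range check of the pedal input, plausibility
    check of actual vs requested TM torque, and program-flow check of level 1."""
    if not 0.0 <= sample.pedal_pct <= 100.0:
        state.faults.append("pedal range")
    if sample.actual_tm_nm > request + TORQUE_TOLERANCE_NM:
        state.faults.append("torque plausibility")   # unintended torque
    if sample.flow_marker != EXPECTED_FLOW_MARKER:
        state.faults.append("program flow")


def level3_sub_chip(question, answer, state):
    """Level 3 (controller monitoring): the sub-control chip checks the main chip's
    answer to its question; a wrong answer means the main chip cannot be trusted."""
    if QA_TABLE.get(question) != answer:
        state.faults.append("question/answer")


def run_cycle(sample, question, answer, state):
    """One VCU cycle. Returns the torque sent to the MCU; any detected fault pulls
    the enable line low, cutting engine, ISG, TM and clutch independently."""
    request = level1_request(sample)
    level2_monitor(sample, request, state)
    level3_sub_chip(question, answer, state)
    if state.faults:
        state.enable = False
        return 0.0
    return request


if __name__ == "__main__":
    # constructed scenario: vehicle stopped, pedal released, MCU reports full torque
    st = VcuState()
    torque = run_cycle(Sample(0.0, False, 2100.0, 3), 1, 0x5A, st)
    print(torque, st.enable, st.faults)   # 0.0 False ['torque plausibility']
```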

IV. CONCLUSIONS

In order to investigate a suitable method for ISO 26262 compliance in the automotive industry, this paper focuses on the functional safety concept design for a two-motor hybrid powertrain. The conclusions are as follows.
(1) Based on the basic requirements of ISO 26262, the potential hazards of the two-motor hybrid powertrain combined with different driving scenarios are analysed and estimated, and the relevant functional safety goals and their assigned Automotive Safety Integrity Levels (ASIL) are determined.
(2) Considering the current functional safety development capability of domestic suppliers and the product development costs, a functional safety concept with ASIL decomposition compliant with ISO 26262 is developed, which mainly relies on VCU safety monitoring and safety control. This concept provides a strong technical basis for the subsequent VCU hardware and software design of hybrid electric vehicles.

ACKNOWLEDGMENT
The research work was supported by the state 863 Program of China, No. SQ2010AA1122649001.
REFERENCES
[1] Christof Ebert, Simon Burton, Amsler, Dieter Lederer, Introducing automotive E/E safety engineering: Challenges and solutions, White Paper of Vector Consulting Services, 2011.
[2] Sebastien Christiaens, Juergen Ogrzewalla and Stefan Pischinger, Functional Safety for Hybrid and Electric Vehicles, SAE, 2012-01-0032.
[3] William Taylor and Jody J. Nelson, High-Voltage Battery System Concepts for ISO26262 Compliance, SAE, 2013-01-0181.
[4] Fredrik Walderyd, Hazard identification and safety goals on power electronics in hybrid vehicles. Sweden: Chalmers University of Technology, 2010.
[5] Christophe Moure and Klaus Kersting, Development of Functional safety in a Multi-motor control system for Electric Vehicles, SAE, 2009-01-0028.
[6] Jae Seung Cheon, Jongsung Kim, Jaehan Jeon, et al., Brake By Wire Functional Safety Concept Design for ISO/DIS 26262, SAE, 2011-01-2357.
[7] Liu Jiaxi, Guo Hui, The functional safety standard ISO26262 for automotive electronic/electrical system, Shanghai Auto, 2011, 11:57-61.
[8] Xiao Yan, Method of monitoring pure electric vehicle, ZL: 201310220690.7.
[9] ISO 26262-3:2011 Road vehicles - Functional safety - Part 3: Concept phase.
[10] Standard E-Gas monitoring concept for engine management systems of gasoline and diesel engines, 2007.
[11] ISO 26262-5:2011 Road vehicles - Functional safety - Part 5: Product development: hardware level.
[12] ISO 26262-6:2011 Road vehicles - Functional safety - Part 6: Product development: software level.
