
ISO 26262

The eCall System

Massimo Violante
Politecnico di Torino
Dip. Automatica e Informatica
Torino, Italy
The eCall idea
(Illustration slide: no text content.)
The eCall ECU
- The eCall ECU is responsible for:
  - Detecting an incident: a crash or a roll over of the car
  - Sending the position of the vehicle to a service center
- The incident is detected by:
  - Monitoring the vehicle CAN network, looking for:
    - Sudden deceleration
    - Activation of the airbag
  - A change of sign in the reading of a 1-axis accelerometer
- The position is fixed using a GPS receiver
- The call is sent using a dedicated 3G modem
The item
(Block diagram: the GPS receiver, the accelerometer and the 3G modem are attached to the microcontroller; the microcontroller reads Vehicle Speed and Airbag Activation Flag from the body computer over the CAN network.)
Item definition
- Item: electronic control unit for eCall
- Elements of the item:
  - Microcontroller (CPU + embedded memory + CAN interface)
  - GPS receiver
  - Accelerometer
  - 3G modem
- Interactions of the item with other items:
  - Vehicle CAN network, for reading Vehicle Speed and Airbag Activation Flag
- Functionality provided to the environment or to other items:
  - None
- Functionality required from the environment or from other items:
  - The body computer shall provide vehicle speed and airbag activation flag
Hazard analysis
- Situational analysis:
  - Operational situation OS1: the car is experiencing an incident with life-threatening injuries
- Hazard identification:
  - See the qualitative Failure Mode and Effect Analysis reported in the next slides
The item: hazard identification
(Same block diagram as above, with one failure mode annotated next to the element it affects.)
- GPS is not able to fix the location -> H1: the item is not able to provide position information
- GPS is not able to detect roll over (annotation placed on the accelerometer block) -> H2: the item is not able to recognize the roll over condition
- MCU is not able to operate -> H3: the item is not able to issue the emergency call
- Modem is not able to operate -> H3: the item is not able to issue the emergency call
- CAN is not able to operate -> H4: the item is not able to detect crash condition
Recommendations for the Hazard Analysis and Risk Assessment (2/3)

Severity S
- Measure of the extent of harm to an individual
- The severity scale is the following:

Exposure E
- Being in an operational situation that can be hazardous if coincident with the failure
- The probability of exposure scale is the following:

Controllability C
- Avoidance of the specified harm or damage through the timely reaction of the persons involved
- The controllability scale is the following:

ASIL shall be determined for each hazardous event using the proper combination of the previous parameters.
Risk assessment

Hazardous event in OS1                                             S    E    C
H1: the item is not able to provide position information           3    1    3
H2: the item is not able to recognize the roll over condition      3    1    3
H3: the item is not able to issue the emergency call               3    1    3
H4: the item is not able to detect crash condition                 3    1    3

Notes:
- S=3: assumption of an incident with life-threatening injuries
- E=1: the probability of exposure is very low, as during the normal lifetime of a vehicle it is very rare to undergo an incident with life-threatening injuries
- C=3: the controllability is difficult or uncontrollable, as the driver/passenger cannot control the item
ASIL determination
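As an added worked example (not part of the original slides), the following script carries the S/E/C ratings from the risk assessment table through the ISO 26262-3 ASIL lookup and then assigns each safety goal the highest ASIL of the hazards it covers; the hazard-to-goal mapping is the one listed on the safety goal slides.

```python
# Added example (not part of the slides): ASIL determination for the eCall
# hazards from the S/E/C values assigned on the risk assessment slide.
# The lookup reproduces ISO 26262-3 Table 4; S0, E0 or C0 always give QM.

# Row = S1..S3; entry within a row = E1..E4; token within an entry = C1..C3
ASIL_TABLE = {
    1: ("QM QM QM", "QM QM QM", "QM QM A", "QM A B"),
    2: ("QM QM QM", "QM QM A", "QM A B", "A B C"),
    3: ("QM QM A", "QM A B", "A B C", "B C D"),
}
ASIL_ORDER = ["QM", "A", "B", "C", "D"]


def asil(s: int, e: int, c: int) -> str:
    """Map a (severity, exposure, controllability) triple to its ASIL."""
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError("expected S in 0..3, E in 0..4, C in 0..3")
    if 0 in (s, e, c):
        return "QM"  # no injuries, incredible exposure or controllable in general
    return ASIL_TABLE[s][e - 1].split()[c - 1]


# Hazardous events in OS1 (life-threatening incident), as rated on the slide
HAZARDS = {
    "H1": ("item is not able to provide position information", 3, 1, 3),
    "H2": ("item is not able to recognize the roll over condition", 3, 1, 3),
    "H3": ("item is not able to issue the emergency call", 3, 1, 3),
    "H4": ("item is not able to detect crash condition", 3, 1, 3),
}
# Safety goals and the hazards each one covers, as listed on the slides
GOALS = {"SG1": ["H1"], "SG2": ["H1", "H4"], "SG3": ["H3"]}


def rate_hazards(hazards=HAZARDS) -> dict:
    """ASIL per hazardous event."""
    return {h: asil(s, e, c) for h, (_, s, e, c) in hazards.items()}


def rate_goals(goals=GOALS, hazards=HAZARDS) -> dict:
    """A safety goal inherits the highest ASIL among the hazards it covers."""
    rating = rate_hazards(hazards)
    return {g: max((rating[h] for h in hs), key=ASIL_ORDER.index)
            for g, hs in goals.items()}


if __name__ == "__main__":
    for h, (desc, s, e, c) in HAZARDS.items():
        print(f"{h}: S{s} E{e} C{c} -> ASIL {asil(s, e, c)} ({desc})")
    print(rate_goals())
```

With the ratings from the slide, all four hazardous events and therefore all three safety goals come out at ASIL A.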
Safety goals
- H1 -> Safety goal SG1: the item shall be able to provide updated information about the vehicle position; the driver shall be informed whether the item is not operating correctly
- H1/H4 -> Safety goal SG2: the item shall be able to recognize incident occurrence
- H3 -> Safety goal SG3: the item shall be able to issue the emergency call; the driver shall be informed whether the item is not operating correctly
Functional safety concept
- H1 -> Safety goal SG1: the item shall be able to provide updated information about the vehicle position; the driver shall be informed whether the item is not operating correctly
  - FSC1: the item shall combine the GPS signal with localization based on the cellular network for redundancy purposes
  - FSC2: the item shall provide self-testing capabilities to identify failing components and to inform the vehicle user promptly
Functional safety concept
- H1/H4 -> Safety goal SG2: the item shall be able to recognize incident occurrence
  - FSC3: the item shall use two multi-axis accelerometers to detect the roll over condition and sudden decelerations, validating the data coming from the CAN network
  - FSC4: the item shall use a microphone to detect the detonation of the airbag, validating the information coming from the CAN network
Functional safety concept
- H3 -> Safety goal SG3: the item shall be able to issue the emergency call; the driver shall be informed whether the item is not operating correctly
  - FSC2 applies
- Safe state: in case the self-test identifies failing components, the item must be disabled and the driver informed
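As an added example (not code from the slides or from any eCall product), the following detector shows how the incident criteria of the eCall ECU slide and the redundancy requirements FSC3/FSC4 fit together: a crash or roll over reported over CAN is only accepted when the item's own sensors confirm it, and a disagreement between the two accelerometers drives the FSC2 safe state. Thresholds, the sensor layout and the sample values are assumptions made for illustration.

```python
# Added example (not part of the slides): SG2 incident detection with the
# FSC3/FSC4 cross-checks. Thresholds, sensor layout and samples are assumed.
from dataclasses import dataclass

G = 9.81
DECEL_LIMIT_G = 4.0       # assumed: deceleration that counts as a crash
SENSOR_TOLERANCE_G = 0.5  # assumed: max disagreement between the two accelerometers


@dataclass
class Sample:
    speed_kmh: float              # Vehicle Speed from the body computer (CAN)
    airbag_flag: bool             # Airbag Activation Flag (CAN)
    decel_g: tuple[float, float]  # longitudinal deceleration, accelerometer 1 and 2
    vert_g: tuple[float, float]   # vertical axis, accelerometer 1 and 2
    mic_bang: bool = False        # microphone heard the airbag detonation (FSC4)
    dt_s: float = 0.1             # time since the previous sample


def sensors_agree(pair, tol=SENSOR_TOLERANCE_G) -> bool:
    return abs(pair[0] - pair[1]) <= tol


def can_decel_g(prev: Sample, cur: Sample) -> float:
    """Deceleration implied by the CAN speed signal alone."""
    return (prev.speed_kmh - cur.speed_kmh) / 3.6 / cur.dt_s / G


def classify(prev: Sample, cur: Sample) -> str:
    """'rollover', 'crash', 'unconfirmed', 'sensor-fault' or 'none'."""
    if not (sensors_agree(cur.decel_g) and sensors_agree(cur.vert_g)):
        return "sensor-fault"  # FSC2 safe state: disable the item, inform driver
    # Roll over: the vertical axis changes sign, seen by both accelerometers
    if all(p * c < 0 for p, c in zip(prev.vert_g, cur.vert_g)):
        return "rollover"
    # Airbag: the CAN flag must be confirmed by the microphone (FSC4)
    if cur.airbag_flag and cur.mic_bang:
        return "crash"
    # Sudden deceleration: the CAN value must be confirmed on board (FSC3)
    can_hit = can_decel_g(prev, cur) > DECEL_LIMIT_G
    own_hit = sum(cur.decel_g) / 2 > DECEL_LIMIT_G
    if can_hit and own_hit:
        return "crash"
    if can_hit or cur.airbag_flag:
        return "unconfirmed"  # CAN claims an incident the sensors do not see
    return "none"


# Constructed samples: steady cruising, a confirmed hard stop, and a CAN
# message that reports a stop and airbag firing with no on-board evidence
CRUISING = Sample(50.0, False, (0.1, 0.1), (1.0, 1.0))
HARD_STOP = Sample(0.0, True, (12.0, 11.8), (1.0, 0.9), mic_bang=True)
CAN_ONLY = Sample(0.0, True, (0.1, 0.2), (1.0, 1.0))
```

An "unconfirmed" result is the case FSC3/FSC4 exist for: the CAN data alone never triggers the call, and a detection log of such events is worth keeping for diagnosis.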