E-gas Monitoring Concept - General part 1

EGAS working groups
EGAS working groups


Introduction


Have you ever heard the E-gas monitoring concept? You can find it out easily on the web. This concept had made by German automotive companies; Audi, BMW, Porche, VW, and Daimler. These companies are very familiar to us. They are a.k.a the symbol of advanced technology in automotive. many concept and design are originated from them. I sometimes feel like They seem to show us off only German can make cars. Anyway, they made a working group of monitoring concept, they undertook investigation about their engine systems (only diesel and gasoline engine), and they realized that their monitoring systems are almost similar to each. With this reason, they have agreed to standardize this as E-gas monitoring concepts that all companies, not only vehicle makers but also, suppliers, can use without any concerns of legal and patent.

Caution: This topic contains my opinion and omits a part of the original document. If you want to learn more, you'd better search for E-gas monitoring concept PDF file.
you can see the document here.

Developing guidelines and Basic principles


This paragraph is most from the EGAS document. according to the document, it gives us 17 guidelines and basic principles of monitoring concept. let's think about their guidelines and basic principles. I will make comments against them respectively.
  1. Protection of life has the highest priority.
    passenger and pedestrian are the most important.

  2. Reliability has higher priority than backup functions.
    They (the EGAS working group) don't recommend Plan B but, a more durable function.

  3. The monitoring shall be independent of the engine concept and as far as possible independent of the driver reaction.
    The monitoring unit must not influent anything to engine system and driver.

  4. Functions, in particular for system monitoring (also error reactions), shall be easy and manageable.
    Easy means less malfunction. 

  5. The system shall be designed so that single errors and single errors in combination with latent errors lead to controllable system reactions. The corresponding signal paths (sensors, actuators, functions) shall be monitored.
    Don't forget about the second sentence: The corresponding signal paths shall be monitored. All sensors, actuators, and functions are monitored by the Control Unit. Then, what about the Control Unit(the monitoring function I meant)?

  6. The system shall be designed so that double and dual faults lead to controllable system reaction as required as state-of-the-art.
    I agree with this guideline but, I am also curious about how to maintain "the state of the art system".

  7. In terms of high system availability, staged error reactions shall strive.
    The system can't stop or reset only at once, in case it is not a severe error.   

  8. A signal path shall be classified as "confirmed defected" after an explicit detection (e.g. after debouncing event or time) and before the reaction shall be activated. Previously the defect shall be classified as "assumed defect"
    For following the 7th guideline, it is needed.

  9. Appropriate reaction mechanisms shall be defined according to the function in the case of an "assumed defect" and "confirmed defect".
    For following the 7th guideline, it is needed.

  10. The reset of fault reactions shall be determined in individual cases and shall be performed controllable. Non-continuous transitions shall be avoided.
    "reset" event must be considerable determination. Cannot be abused. Also, the system must be stable even though reset occurs.

  11. Engine stop is permitted when no other controllable system reaction can be ensured.
    Turn Power off shall be a Final decision in the powertrain. It means the function is a full failure.

  12. The transmitter is responsible for the content of its initiated messages at the control unit interface. This means that e.g. external torque requests by the transmitting control unit shall be secured. The transmission path and the actuality of the messages shall be checked by the engine control system.
    Important signals must be secured and not be corrupted, and the condition of the transmission path shall be checked by ECU.  

  13. If errors happen in combination with the subsequent single errors cause unintended system reactions, the driver should be informed. (optically or by modifying the driving behavior).
    you can see many signs on your cluster. It seems that the driver must be able to control the vehicle.

  14. The monitoring of the function controller must be kept robust and simple. This includes a possible implementation with an ASIC.
    This is why suppliers supply controllers contained ASICs. It is a good solution to hide circuits and to follow the guideline.

  15. The effectiveness of the redundant shutoff paths shall be tested in each driving cycle.
    To prove and to check if redundant shutoff paths are available.

  16. Shutoff paths of the monitoring concept shall be robust if a defect power supply drifts. The power supply concept shall be monitored to avoid possible damage to components. Controllable failure reactions shall be initiated.
    The Power supply must monitor Short circuit to battery and short circuit to ground to protect components.

  17. The technical safety concept shall be implemented in accordance with the requirements of ISO26262.
    You will understand this easy concept if you know ISO26262 well.

What do you think about? If you have other ideas or if I have errors, feel free to talk.

I will keep posting the next general part. We will think about 3 topics as below.

System definition

Hazard and Risk Assessment

Functional safety concept

This contents, as you know, are about Functional safety. I will aim at technical stuff.
Thank you for attention.

Whiteberry

댓글

댓글 쓰기