Achieving Functional Safety
Hardware Safety Features
The system is designed to take full advantage of all the safety features of the OEM EPS. In case of any error, temporary or permanent, that leads to the transmission of unsafe sensor readings, the EPS detects the mismatch and disregards the faulty sensor. The EPS will then enter a fault state until the next power cycle. The EPS will take different actions depending on the error's severity, such as disabling power steering, reducing power steering assistance, or activating the power steering fault light on the dashboard.
All components AEC rated
PCBs are 4-wire Kelvin tested and flying-probe tested
Double redundant MCU ancillary hardware
MCU is rated for ASIL-B+ safety-critical applications
Automotive grade wiring harness
PCB conformal coating
Communications are highly resistant to disturbance
ECC memory
Flash validation by the bootloader
RAM built-in self-test
Fail-safe clocks
Software Safety Features
The software is written to utilize the safety features provided by the chipset. This includes:
Hardware-enabled watchdog timer (32 ms).
RAM Memory Built-In Self-Test (MBIST) on reset.
Clock Monitor System with Backup Oscillator. Detects clock failure and uses backup.
Rate limits applied to LKAS command.
Absolute torque limits are based on driver torque input and hardcoded max values.
MISRA-C compliant code.
Bootloader checks for invalid code signature (CRC32) to protect against incomplete/corrupted code reflashing.
CRCs and checksums on the CAN bus.
Each torque sensor frame contains a CRC which is checked before processing. The frame is also checked for correct timing. See Section 5.5 Error Handling of the SENT Module Peripheral datasheet. The OEM EPS does the same checks. If an error occurs and is detected by the MCU, it will set a violation to report the error and it may also change to the ERROR or CRITICAL_ERROR state depending on the severity. This information is transmitted over the CAN Bus.
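The rate limit, the driver-torque-dependent absolute limit and the frame-timing check described above, as an added example in C (not the project's firmware). The limit values, the frame period and the escalation thresholds are assumed constants chosen for illustration; the OK/ERROR/CRITICAL_ERROR states follow the page.

```c
#include <stdint.h>
#include <stdbool.h>

/* Assumed limits for illustration; the real firmware uses its own hard-coded values. */
#define MAX_TORQUE              1500  /* absolute ceiling on any LKAS command */
#define MAX_RATE_PER_CYCLE        50  /* largest change allowed between two commands */
#define DRIVER_ALLOWANCE         100  /* driver torque treated as normal grip, not override */
#define DRIVER_FACTOR              4  /* how fast the ceiling shrinks once the driver resists */
#define FRAME_PERIOD_US         1000  /* expected spacing of torque-sensor frames (assumed) */
#define FRAME_TOLERANCE_US       250

typedef enum { STATE_OK = 0, STATE_ERROR = 1, STATE_CRITICAL_ERROR = 2 } safety_state_t;

static int32_t clamp_i32(int32_t v, int32_t lo, int32_t hi) {
    return v < lo ? lo : (v > hi ? hi : v);
}

/* Rate-limit against the previous command, then apply the hard-coded absolute
 * limit and a driver-torque-dependent ceiling: when the driver pushes against
 * the command beyond DRIVER_ALLOWANCE, the permitted magnitude in that
 * direction shrinks linearly down to zero. */
int32_t limit_lkas_torque(int32_t requested, int32_t last_cmd, int32_t driver_torque) {
    int32_t out = clamp_i32(requested, last_cmd - MAX_RATE_PER_CYCLE,
                            last_cmd + MAX_RATE_PER_CYCLE);
    int32_t ceiling = MAX_TORQUE;
    bool opposing = (out > 0 && driver_torque < 0) || (out < 0 && driver_torque > 0);
    int32_t excess = (driver_torque < 0 ? -driver_torque : driver_torque) - DRIVER_ALLOWANCE;
    if (opposing && excess > 0) {
        ceiling = clamp_i32(MAX_TORQUE - DRIVER_FACTOR * excess, 0, MAX_TORQUE);
    }
    return clamp_i32(out, -ceiling, ceiling);
}

/* Timing check on a sensor frame. A frame outside the expected window is a
 * violation and moves the state to ERROR; a gap of several periods (sensor
 * gone quiet) escalates to CRITICAL_ERROR. Both states latch: a later good
 * frame does not clear them, matching the fault-until-power-cycle behaviour. */
safety_state_t check_frame_timing(safety_state_t state, uint32_t now_us, uint32_t last_frame_us) {
    uint32_t gap = now_us - last_frame_us;  /* unsigned subtraction is wrap-safe */
    if (state == STATE_CRITICAL_ERROR) return state;
    if (gap > FRAME_PERIOD_US * 4u) return STATE_CRITICAL_ERROR;
    bool too_late  = gap > FRAME_PERIOD_US + FRAME_TOLERANCE_US;
    bool too_early = gap + FRAME_TOLERANCE_US < FRAME_PERIOD_US;
    if (too_late || too_early) return STATE_ERROR;
    return state;
}
```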