Emergency Operation in the Power Supply Domain Focusing on Warm Redundancy

To cope with the megatrends electrification, automated driving, and connectivity, new functionalities and E/E systems must be developed, which require a safe power supply. This leads to increased functional safety requirements for the power supply system, particularly regarding availability. Fault tolerance measures can be implemented to comply with an SG specifying a SaRA requirement. In this case, EO may be necessary to reach a defined safe state. However, there is some ambiguity in ISO 26262 regarding the necessary integrity with which the EO shall be implemented – this becomes in particular obvious in the case of warm redundancy. According to ISO 26262, the EO is entered once the failure of an element is controlled by an explicit fault handling, i.e., prevented from violating an SG, and the remaining ASIL capability of the item after the failure is lower than the required ASIL capability for the allowed VOS. However, in the context of warm redundancy, the EO can be automatically entered in the case of an element failure without an explicit fault handling. The objective of this paper is to transfer the concept of EO, as defined in ISO 26262, to warm redundancy use cases because warm-redundant power supply systems have a high level of market penetration. Besides a detailed evaluation of time dependencies, new guidelines concerning the required systematic integrity for SMs implementing EO are provided.