Automotive meets Electronics  12. – 13.03.

2019 Â Dortmund

Reliability Assessment of a Redundant 12V On-board Power Supply

Using Solid-state Safety Relays
Fabian Schipperges, M.Sc., Dr. Ing. h.c. F. Porsche AG, Weissach, Deutschland, fabian.schipperges{at}porsche.de
Felix Jialei Luo, M.Sc., Universität Stuttgart, Stuttgart, Deutschland
József Gábor Pázmány, M.Sc., Dr. Ing. h.c. F. Porsche AG, Weissach, Deutschland
Prof. Dr.-Ing. Bernard Bäker, Institut für Automobiltechnik Dresden - IAD, Dresden, Deutschland

Abstract
The first part of this paper presents a new fault-tolerant and redundant on-board power supply concept for the supply of
safety-relevant electronic control units (ECU). Solid-state mosfet-based safety switches guarantee the protection of the
battery cells. Likewise, these switches are deployed to isolate and tolerate electrical system faults. Fault-tolerant and
redundant power supply systems are necessary to meet the requirements of the functional safety for automated driving.
ISO 26262 provides methods and metrics to ensure the functional safety of electronic systems in vehicles. These in-
clude different fault metrics for a quantitative evaluation. To determine these metrics, FMEDAs and FTAs are usually
applied. Additionally, ISO 26262 mentions Markov models as a further, but less widespread, quantitative evaluation
method. The Markovian approach allows the calculation of probabilistic ratios and the evaluation of any system state.
Therefore, in the second part of this paper, a Markov model is developed considering a safety function of the presented
power supply concept. Using this Markov model, we assess the impact of the failure rates and the diagnostic coverages
of the safety function on the system reliability.

same technological characteristics and mosfet-based safe-

ty switches. According to ISO 26262, this system is capa-
1 Introduction ble of achieving relevant ASIL D safety goals and sup-
The development of driver assistance systems and extents ports the implementation of at least Level 3 functions [2].
of automated driving (AD) requires the development of
fault-tolerant on-board power supplies in order to fulfill
functional safety requirements. The on-board power sup-
2 System Description
ply must be reliable to ensure supply to the safety relevant
functions and systems, e.g. electrical power steering or 2.1 Redundant Architectures
monitoring of the driving environment. Malfunctions of Redundant supply structures are common in aviation, en-
these safety relevant functions due to a supply blackout ergy supply systems and elsewhere. Generally, a differen-
must be avoided. The related safety goals are of utmost tiation must be made between active and passive redun-
importance and according to ISO 26262 they are rated up dancy. For example, a diesel generator is a passive redun-
to the highest level. To meet these safety goals, redundan- dancy, which guarantees an emergency supply that was
cy concepts are required. not active up to the point in time when the main power
The ISO 26262 provides different fault metrics for the supply fails. The design of a redundancy concept depends
evaluation of these safety goals [1]. The first part of sec- on the reliability, availability and safety goals. Further-
tion 3 of this paper recapulates these metrics. However, more, the choice of technologies is determined by the op-
this work focuses on the evaluation method using Markov erating location, the operating conditions and the scopes
models, so the second part of section 3 clarifies the prin- of maintenance.
cipals of this approach. This inductive evaluation method
is less common in application than the method of Fault
Tree Analysis (FTA) and Failure Mode, Effect and Diag-
nosis Coverage Analysis (FMEDA). Nevertheless, the
ISO 26262 mentions it as a quantitative analysis as well.
In section 4, we apply this approach using the example of
a safety mechanism. The safety function must detect
overcurrents and consequently interrupt them by trigger-
ing a safety switch. If this safety mechanism fails during a
short circuit, a dangerous undervoltage can occur. Hence, Figure 1: Reliability functions of one-item (singular) and
the proper supply voltage of the safety-relevant systems is active redundancies (1-out-of-2, 1-out-of-3).
no longer guaranteed.
To achieve a trade-off within the requirements, in a vehi-
The safety function is part of a power supply concept in-
cle, active parallel redundancies are to be expected. Re-
troduced in section 2. It provides a redundant power sup-
dundancy of parallel active systems can be generalized as
ply for safety-relevant electronic control units (ECUs) and
k-out-of-n redundancy. Birolini calculates the reliability
is built of two 12V lithium-ion battery storages with the

ISBN 978-3-8007-4877-8 59 © VDE VERLAG GMBH  Berlin  Offenbach

Authorized licensed use limited to: KIT Library. Downloaded on December 05,2023 at 22:11:54 UTC from IEEE Xplore. Restrictions apply.
 Automotive meets Electronics  12. – 13.03.2019  Dortmund
HV/48 DC/
DC
12V A protection
distr., Diag
sfty.,
prot. S1
S2
Safety μC+
fct 1 BMS
fct 2
B1
...
ASIL compliant power net 1
Figure 2: Redundant and fault-tolerant 12V on-board power supply. The safety switches ensure fault isolation and bat-
tery protection. fct1/fct2 and fct1red/fct2red represent equivalent and redundant safety-relevant ECUs
functions of ideal items (nonrepairable, constant failure
rates, identical and independent elements, ideal failure
detection and switch) [3]. Even if the assumptions made
in a theoretical calculation are not attainable in a realistic
system, the principal influence of active parallel redun-
dant elements on reliability is easily visible in Figure 1.
2.2 Fault-tolerant and Redundant 12V
Power Supply Concept Using Safety
Switches
The on-board power supply concept, in this work, pro-
vides an active parallel 1-out-of-2 redundancy of the en-
ergy and power supply and takes ISO 26262 as well as
legal regulations [4; 5] into account. Safety-relevant func-
tions can be implemented accordingly with 1-out-of-2 re-
dundant ECUs. Such automotive power supply topologies
have already been discussed in a wide variety of designs
[6–9].
In comparison to other concepts, the one presented in
Figure 2 is characterized by a lean design using two equal
battery storages protected and connected by four mosfet-
based switches. The design of the system is based on the
following premises:
x Minimization of construction space, weight and
costs by redundant lithium-ion-iron-phosphate-
based battery storages at same operating voltage.
Thus no converter system (12V DC/DC) is re-
quired.
x Mosfet-based safety switches provide a com-
bined protection of the batteries and the electri-
cal system including the wiring harness.
x The system is suitable for BEV, HEV, PHEV
and ICE.
The dotted lines in Figure 2 denote system boundaries and
imply two independent battery storage systems. However,
under the consideration of the above mentioned premises,
maximum synergy effects and savings are achieved by
merging into an integrated system.
For the development of system functionalities the top ve-
hicle operation modes driving, idle mode and charge
mode (vehicle with electrified powertrain) must be con-
sidered. However, as the system is particularly character-
ISBN 978-3-8007-4877-8
Authorized licensed use limited to: KIT Library. Downloaded on December 05,2023 at 22:11:54 UTC from IEEE Xplore. Restrictions apply.
distribution,
Diag distr., ...
sfty.,
S4
prot.
S3
Safety μC+
BMS fct 1 red.
fct 2 red.
B2
...
ASIL compliant power net 2
ized by its fault tolerance for AD applications, we focus
the explanations on only the functions for driving mode:
x Normal operation mode, switches S1-S4 are
closed/conducting, batteries connected and
working at the same voltage level. fct1/fct2 and
fct1_red/fct2_red represent equivalent and re-
dundant safety-relevant ECUs. A DC/DC or al-
ternator supplies all loads and charge the batter-
ies.
x Fail-operational mode with two battery storages,
a failure occurred outside of the ASIL compliant
power net 1/2, switches S2 and S3 are non-
conducting, the two batteries supply the related
ASIL compliant power net 1/2.
x Fail-operational mode with two battery storages,
a failure occurred inside of one of the ASIL com-
pliant power net 1/2, opening S1 or S4, respec-
tively, isolating the faulty branch, the supply of
one set of the safety relevant ECUs is guaranteed
by one battery storage (at least) or both battery
storages.
x Fail-operational mode with one battery storage, a
failure occurred inside of one of the ASIL com-
pliant power net 1/2, opening S1/S2 or S3/S4, re-
spectively, protect the battery of the faulty ASIL
compliant power net, the supply of one set of the
safety relevant ECUs is guaranteed at least by
the related battery storage.
As a simplification, in the case of fail-operational, only
the first moment of the fault occurrence is considered.
Depending on the system states and diagnosis infor-
mation, the above descripted fail-operational modes can
be extended.
For a more transparent representation, Figure 3 shows the
structural analysis of the presented concept. The blocks
already represent top gates of subsystems. As will be
shown in section 4, this is a helpful approach to reduce
the state space of the Markov model. Additionally, it in-
creases the transparency during the analysis process. The
creator freely determines the definition of the blocks and
the structure. It depends on the focus of the analysis. This
structural analysis is the first step of the analysis process
carried out in section 4.
60 © VDE VERLAG GMBH  Berlin  Offenbach
 Automotive meets Electronics  12. – 13.03.2019  Dortmund

Redundant and
fault-tolerant
Powernet 1 power supply Powernet 2

BMS+ Monitor. + Clamp BMS + Monitor. + Clamp

Batt. 1 Batt. 2
safety μC 1 HW Prtct. 1 30_1 safety μC 2 HW Prtct. 2 30_2

Switch 1 Switch 2 Switch 3 Switch 4

Sens. 1 Sens. 2 Sens. 3 Sens. 4
(Mosfets (Mosfets (Mosfets (Mosfets
volt./curr. volt./curr. volt./curr. volt./curr.
+ Driver) + Driver) + Driver) + Driver)

Figure 3: Structural analysis of the proposed power supply concept. The blocks represent top gates of subsystems.

cally FTA and FMEDA. Additionally, all failure rates

have to be determined. Table 1 summarizes possible tar-
3 Quantitative Evaluation Metrics get values for these fault metrics.
According to ISO26262
A hazard and risk analysis of functions for high- or fully 3.2 Theory of Markov
automated driving results in safety requirements up to Besides FTA and FMEDA, it is recommended to use an
ASIL D, the maximum rated safety level according to ISO additional quantitative Markov-Analysis. With Markov-
26262. Theses safety goals must also be achieved by the models, it is possible to model and probabilistically eval-
electrical power supply and the power net, since they en- uate states of subsystems and degraded system states.
sure the supply of safety-relevant ECUs. For the electrical Moreover, dynamic structural changes, repairs and se-
power supply, this means a high degree of reliability and quential multiple faults can be modeled. Below, the most
availability. ISO 26262 provides three fault metrics to important characteristics of homogenous and continuous-
quantify safety objectives with respect to the ASIL safety time Markov-models are stated. Norris provides a com-
goals [1]. prehensive and detailed description [10].
The basic requirement, using the Markov-model, is a ex-
3.1 SPFM, PMHF und LFM ponentially distributed stochastic process X(t). We as-
sume homogenous failure rates λ(t):
The Single Point Fault Metric (SPFM) incorporates sin-
gle-point faults (SF) and residual faults (RF) that lead di-
( ) = const. ∀ > 0
rectly to a violation of safety objectives. These faults are
not covered by a safety mechanism due to a missing, in-
A Markov-process is a stochastic process that is charac-
sufficient or finite diagnostic coverage. A high percentage
terized by its memoryless property. Future states depend
implies a robust system regarding these faults. The Latent
only upon the present state.
Fault Metric (LFM) describes the influence of latent mul-
In this paper, we use a continuous-time Markov-model
tiple-point faults that are not covered by a safety mecha-
with a finite state space S. The fundamental state infor-
nism or recognized by the driver. A low percentage im-
mation is contained in matrix Q:
plies that the proportion of latent faults is high and vice
versa.
=( ) , ∈
The Probabilistic Metric of random Hardware Faults
(PMHF) is an absolute measure for the evaluation of safe-
The Matrix Q has properties as follows:
ty goal violations due to random hardware faults. It con-
sists of two parts. One part is related to the SPFM and
o ≤0∀ ∈
contains the sum of single-point failure rates and residual
o ≥ 0 ∀ , ∈ mit ≠
failure rates. The second part is related to the LFM and
o ∑∈ =0∀ ∈
contains the sum of latent multiple-point fault failure
rates.
A first order differential equation represents the Markov-
model:
Table 1: Target values according to ISO 26262 [1]
̇( ) = ⋅ ( )
ASIL PMHF SPFM LFM Details
A - - - -
The solution to the differential equation can be obtained
B < 10-7h-1 ≥ 90% ≥ 60% recommended
with Laplace transformations. The state space transfer is
C < 10-7h-1 ≥ 97% ≥ 80% required
conducted with following transformation:
D < 10-8h-1 ≥ 99% ≥ 90% required
ℒ: ( ⋅ − )
In order to determine the necessary numerical values, in-
ductive and deductive analysis methods are applied, typi-

ISBN 978-3-8007-4877-8 61 © VDE VERLAG GMBH  Berlin  Offenbach

Authorized licensed use limited to: KIT Library. Downloaded on December 05,2023 at 22:11:54 UTC from IEEE Xplore. Restrictions apply.
 Automotive meets Electronics  12. – 13.03.2019  Dortmund
By multiplying with the initial condition and following
the re-transformation, we obtain state probability P(t) at
given time t.
( ) = {[( ⋅ − ) ⋅ ]→ℒ } fault propagation. The related safety mechanism SM1
To obtain the reliability R(t) of a defined state class, we
accumulate all state probabilities representing this state
class:
( )=∑ ( )
The failure distribution is calculated from subtracting the
reliability from 1:
( )=1− ( )
Hence, both parameters are complementary. The mean
time to failure is calculated via the integral of the reliabil-
ity:
∞
MTTF = ( )d
4 Probabilistic Analysis Using
Markov-Models
In this section, we demonstrate the application of a Mar-
kov analysis. The results of the calculations are presented
graphically.
Markov models were used in literature to assess automo-
tive on-board power supplies, as follows. Abele presents a
comparison of different reliability analysis methods and a
comprehensive description of how to model systems us-
ing Markov chains. He develops and introduces a com-
bined method for systematic fault identification and de-
duced modelling [11]. Dominguez-Garcia et al. also ex-
amine a dual battery power net architecture. They apply a
so-called dependability rate adopted from the Federal
Aviation Administration (FAA) regulations [9]. Münzing
et al. combine the probabilistic evaluation of the different
system states with related results of a physical behavior
model [12]. Cherfi et al. consider a safety-relevant system
and analyze the variation of failure rates and diagnostic
coverage related to the probability of failure of the system
[13].
The presented work is founded in the mentioned litera-
ture. The developed and employed model allows for a full
symbolic calculation of the state probabilities. Thus, pa-
rameter variations and dependences can be studied effi-
ciently. This work uses homogenous Markov models. The
failure rates are assumed to be time constant. They are
estimated by using a similar well-trusted database and ex-
pert knowledge.
4.1 Case Study: Safety Mechanism for
Overcurrent Protection (OCP)
The safety function Overcurrent protection (OCP) of
ASIL compliant power net I, as shown in Figure 2, is con-
ISBN 978-3-8007-4877-8
Authorized licensed use limited to: KIT Library. Downloaded on December 05,2023 at 22:11:54 UTC from IEEE Xplore. Restrictions apply.
sidered as an example. A failure outside this partial power
net can cause a dangerous overcurrent and, as a result, an
unacceptable undervoltage inside this partial power net.
The mosfet-based safety switch, Switch 2, prevents this
consists of two components; one component provides the
overcurrent detection and the second one ensures the
switch-off mechanism. The subcomponents in this exam-
ple originate from the structural analysis, as shown in
Figure 3, and form a subsystem. The mentioned safety
function OCP consists of a first (SM1), second (SM2) and
third (SM3) order safety mechanism. Each of them has its
own diagnostic mechanism and the related diagnostic
coverage DC1, DC2 and DC3, respectively. SM3 and
DC3 are mentioned for completeness, they are not absent
in the Markov model. Figure 4 shows the subcomponents
of the safety function OCP. Table 2 explains the safety
mechanisms and the diagnostic coverages.
Figure 4: The safety function Overcurrent Protection
consists of different safety mechanisms (SM1-SM3).
Table 2: Description of the safety mechanisms (SM1-
SM3) and the diagnostic coverages (DC1-DC3).
SM1 detection of overcurrent and switch-off
DC1 diagnostic coverage detect overcurrent, the
quality is determined by SW(μC) and
HW(sens., HWP) implementations
SM2 monitoring (SW) the State of Health of mosfets
and drivers, Escalation in case of impermissi-
ble conditions
DC2 diagnostic coverage functional capability
mosfet devices, the quality is determined by
SW(μC) and HW(sens., HWP) implementa-
tions
SM3 μC watchdog, μC reset
DC3 determined by implementation
First, for the Markov analysis, a simplified FMEDA at
system level was performed. We assumed six states for
initial failure occurrence and considered the DCs and an
accumulated failure rate for the occurrence of a short cir-
cuit. For step two and step three we correlated the initial
failures with themselves twice. The model consists of 39
62 © VDE VERLAG GMBH  Berlin  Offenbach
 Automotive meets Electronics  12. – 13.03.2019  Dortmund

DC1 !
1.L_e.1

0.1.1 1-DC1

λ1 1.A.1
DC2
!
Z0 λ2 0.1.2 1.L_e.2

1-DC2
!
1.L_u.1
λ3
0.1.3 DC3 !
1.L_e.3

1-DC3 !
1.L_u.2

Figure 5: Markov graph of the safety function Overcurrent Protection (left)

and a more detailed representation of states 1-10 (right).

states after excluding inadmissible states, these states en-

compass correlations of the same failures or senseless 4.2 Influence of Failure Rates and Diagnos-
combinations regarding the technical background. Figure tic Coverage
5 shows a visual representation of the Markov graph. The
The safety function OCP is both a safety mechanism and
dashed portion of the left image is illustrated in more de-
an intended function of the described system. The behav-
tails one the right. This part represents the assumed initial
ior of SM1 and DC1 have a significant impact on the
failures. λ1 represents the accumulated failure rate for the
probability that the ASIL compliant power net I fails due
occurrence of a short circuit, λ2 represents the failure rate
to a relevant failure. The symbolic Markov model helps to
of SM1 and λ3 represents the failure rate of SM2. The
examine, evaluate und visualize the impact of failure rates
states 0.1.1, 0.1.2 and 0.1.3 serve as transition states and
and diagnostic coverages. Figure 7 indicates the impact
have no relevance in the following evaluation. The corre-
of λSM considering 50 FIT, 100 FIT and 500 FIT. The
sponding diagnostic coverage levels convert them into
shown reliability functions account the state probabilities
valid system states. DCx indicates a detected failure,
that lead to a system breakdown if OCP failed. For t=106
hence DCx-1 indicates the complementary case. Figure 6
hours the probability functions differ significantly. With
indicates the visual representation of the calculated relia-
λSM= 500 FIT the probability of ASIL compliant power
bility functions. The impact of the mentioned safety
net I failed already amounts to approximately 6.8%. For
mechanism on the accumulated state classes fault-free op-
λSM= 50 FIT it is only approximately 0.9%.
eration, detected/undetected latent fault, fail-operational
and system failed is shown. While the probability of fault-
free operation drops rapidly, the probabilities of fail-
operational and detected/undetected latent fault avoid a
system breakdown. Even after 106 hours, there is little
probability of system failed. Note that the calculations re-
fer to ASIL compliant power net I. Since ASIL compliant
power net II behaves very similar, the overall system is
robust against system breakdowns related to overcurrent
failures.
Figure 7: Failure probabilities as a function of different
failure rates λSM1.

Finally, the Markov model helps to observe the impact of

the diagnostic coverage levels. Figure 8 explains the im-
pact of DC1 and DC2 on the reliability, for t=106 hours,
of the state classes system failed (left) and fail-operational
(right). If the safety function OCP fails, due to an insuffi-
cient DC1 in the case of an overcurrent event, there is a
high probability that the system will also fail. DC1 has a
Figure 6: Reliability functions of important state classes.
greater impact than DC2. For DC1=0.6 and DC2=0.6 the
Latent fault represents detected and undetected faults.
probability that the system fails already amounts to ap-
proximately 4%. Figure 8 (left) clarifies this context by
the influence of DC1.

ISBN 978-3-8007-4877-8 63 © VDE VERLAG GMBH  Berlin  Offenbach

Authorized licensed use limited to: KIT Library. Downloaded on December 05,2023 at 22:11:54 UTC from IEEE Xplore. Restrictions apply.
 Automotive meets Electronics  12. – 13.03.2019  Dortmund
Figure 8: Influence of the diagnostic coverages DC1 and DC2 on the reliability functions of state classes breakdown
(left) and fail-operational (right), for t=106 h.
For a controlled fail-operational mode, failures have to be
known and detected. Therefore, a higher DCx leads to an
increased probability to be in state fail-operational in the
case of relevant failures. Figure 8 (right) illustrates this
context.
5 Conclusion
In the first part of this work, we presented a new fault-
tolerant and redundant on-board power supply concept for
the supply of safety-relevant ECUs. The system provides
a simple design and with the chosen technologies, it coun-
teracts the trend towards increasing construction space,
weight and system costs in future redundant power supply
systems. A quantitative and probabilistic evaluation of a
subsystem was performed in the second part. The proba-
bilistic reliability evaluation of electronic systems using
Markov models offers an extension to the quantitative
fault metrics of ISO 26262. Markov models help to evalu-
ate the reliability of degraded system states as well as ac-
cumulated state classes. We analyzed the safety function,
Overcurrent Protection, to present the advantages of the
Markovian approach. For this purpose, we developed and
calculated a symbolic Markov model. Using this model,
we examined the impact of failures rates and diagnostic
coverage levels on the probability of different state clas-
ses. The quality of the evaluation depends on the chosen
failure rates, assumptions and abstractions. However, this
also applies to other quantitative methods. The Markov
approach is an elaborate method. Nevertheless, much of
the necessary information is already available from the
methods for evaluating the quantitative fault metrics ac-
cording to ISO 26262. The presented method assists com-
prehensive studies on the failure behavior of electronic
systems.
6 Literature
[1] International Organization for Standardization, 2018. ISO
26262-5:2018 Road vehicles — Functional safety — Part 5:
Product development at the hardware level.
ISBN 978-3-8007-4877-8
Authorized licensed use limited to: KIT Library. Downloaded on December 05,2023 at 22:11:54 UTC from IEEE Xplore. Restrictions apply.
[2] SAE International, 2014. J3016: Taxonomy and Definitions
for Terms Related to On-Road Motor Vehicle Automated Driv-
ing Systems.
[3] BIROLONI, Alessandro, 2017. Reliability engineering: Theo-
ry and practice.8th Edition. Berlin: Springer. ISBN 978-3-662-
54209-5 (eBook)
[4] Economic Commission for Europe of the United Nations
(UN/ECE), 2006. Regulation No 79: Uniform provisions con-
cerning the approval of vehicles with regard to steering
equipment.
[5] Economic Commission for Europe of the United Nations
(UN/ECE), 2015. Regulation No 13-H: Uniform provisions
concerning the approval of passenger cars with regard to
braking.
[6] SCHUMI, S., Graf, A., 2018. Energy and Supply Concepts for
Automated Driving. In: 9th GMM-Symposium AmE. Dort-
mund, 07.-08.03.2018. Berlin: VDE Verlag. ISBN 978-3-
8007-4524-1
[7] AUGIER, J-L. et al., 2016. Efficient, Safe and Reliable
Powernet for AD. In: EEHE 2016. Wiesloch, 08.-09.06.2016.
Renningen: Expert Verlag. ISBN 978-3-8169-3346-5
[8] HORN, M. et al., 2015. Development of safe and reiiable
Powernets for new vehicle functions - using the example Start-
Stop-Coasting. In: EEHE 2015. Bad boll, 22.-23.04.2015.
Renningen: Expert Verlag.
[9] DOMINGUEZ-GARCIA, AD. et al., 2006. Reliability evalua-
tion of the power supply of an electrical power net for safety-
relevant applications. In: Reliability Engineering & System
Safety., 91(5):505–514. ISSN 0951-8320
[10] NORRIS, JR, 1997. Markov Chains. Cambridge: Cambridge
University Press. doi:10.1017/CBO97805118 10633
[11] ABELE, M., 2008. Modellierung und Bewertung hochzuver-
lässiger Energiebordnetz-Architekturen für sicherheitsrele-
vante Verbraucher in Kraftfahrzeugen. Kassel: kassel univer-
sity press. ISBN 978-3-89958-388-5
[12] MÜNZING, P. et al., 2017. Sichere Energieversorgung für
autonome Fahrzeuge. Bewertung funktionaler Sicherheit für
automatisierte Fahrfunktionen. In: QZ Qualität und Zuverläs-
sigkeit. 2017/12:28–32.
[13] CHERFI, A. et al., 2014. Modeling automotive safety mecha-
nisms. A Markovian approach. In: Reliability Engineering &
System Safety, 130:42–49. ISSN 0951-8320
64 © VDE VERLAG GMBH  Berlin  Offenbach