Fusa_025_Fail-Operational Design of Automated Driving Systems

Source: WeChat official account "功能安全沙龙" (Functional Safety Salon)
2020-10-21
In my previous WeChat article 《Fusa_017_System Safety Concept_Fail-safe vs Fail-operational》, I addressed what fail-safe and fail-operational mean and what the difference between them is. Today we are talking about the fail-operational design of automated driving or ADAS systems.

As we all know, functional safety is about making sure the system is free of unreasonable risk caused by failures of its E/E systems. Thus the key point of functional safety is to ensure that E/E systems operate safely even if they fail, which means they are still capable of entering a controlled safe operating mode. Fail-safe systems enter the safe operating mode by shutting down some functions or the whole system and handing vehicle control back to the driver. However, for ADAS systems above L1 as defined in SAE J3016, the driver (or the passenger of an L4 or L5 automated driving vehicle) may not have enough time to take over control of the vehicle when a system fails and enters its fail-safe mode. Thus, starting from L2, it is very important to make sure that the ADAS or ADS/HAD system can still operate for some limited time even if a single failure occurs at the system level; in other words, the system needs to be fail-operational.



  • Fail-Operational Design On E/E Architecture Level

The fail-operational design shall start when the E/E architecture of the automated vehicle is being defined. In order to achieve fail-operational behaviour, redundancy of braking, steering, the ADS platform and the LV (low-voltage) power supply shall be considered in the architecture.



  • Fail-Operational Design On System level - Braking

On a conventional vehicle without any advanced assistance function, braking redundancy is implemented by a fail-safe electric braking system together with the hydraulic braking system. However, for L2 and higher ADAS/ADS systems, the hydraulic fallback may not be available, as the driver may not have enough time to press the brake pedal, or there may be no driver to press it at all. In order to achieve fail-operational braking, an iBooster is used instead of the vacuum brake booster as the redundancy for the ESC system.



  • Fail-Operational Design On System Level - Steering

For an automated driving system, a fail-operational Electric Power Steering (EPS) system is needed. In this article I list three examples with different architectures.

One well-known fail-operational EPS system is designed by Nissan with a TMR architecture (2oo3 voting architecture); its architecture is shown in the picture below.



Another possible solution is provided by Infineon using a 2oo2DFS architecture with two independent masters, as shown in the picture below.


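To make the difference between the two voting schemes above concrete, here is an added simulation of a 2oo3 (TMR) voter and a 2oo2D dual-master arbiter for a redundant EPS torque command. It is example code written for this page, not code from the article or from Nissan, Infineon or Bosch. The page does not describe how the real 2oo2DFS design arbitrates, so the rules below (a master whose self-check fails drops out; two healthy masters that disagree lead to a safe stop) are assumptions, as are the tolerance, the command unit and the injected faults.

```c
/* Added example, not code from the article or from Nissan, Infineon or Bosch:
 * a simulation of the two voting schemes named above for a redundant EPS.
 *   2oo3 (TMR): three channels compute the same torque command; the voter
 *   takes the median, so one deviating channel is outvoted and masked.
 *   2oo2D: two self-checking masters; a master whose diagnostics fail drops
 *   out and the other continues alone. How the real Infineon 2oo2DFS design
 *   arbitrates is not described on the page; the rules here are assumptions.
 * Command values, the tolerance and the injected faults are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>

typedef enum {
    STATE_FULL_REDUNDANCY,  /* all channels agree, no fault present     */
    STATE_DEGRADED,         /* one channel rejected, function continues */
    STATE_SAFE_STOP         /* no trustworthy command: controlled stop  */
} redundancy_state_t;

typedef struct {
    int command;            /* torque command to the motor (constructed unit: 0.01 Nm) */
    redundancy_state_t state;
    int faulty_channel;     /* index of the rejected channel, or -1 */
} vote_result_t;

#define TOLERANCE 5         /* assumed max. disagreement between healthy channels */

static bool within(int a, int b) { return abs(a - b) <= TOLERANCE; }

static int median3(int a, int b, int c)
{
    if ((a <= b && b <= c) || (c <= b && b <= a)) return b;
    if ((b <= a && a <= c) || (c <= a && a <= b)) return a;
    return c;
}

/* 2oo3 voting: the median is always a healthy value as long as at most one
 * channel is faulty, so a single fault is masked and the EPS keeps working. */
vote_result_t vote_2oo3(const int ch[3])
{
    vote_result_t r = { median3(ch[0], ch[1], ch[2]), STATE_SAFE_STOP, -1 };
    int agreeing = 0;
    for (int i = 0; i < 3; i++) {
        if (within(ch[i], r.command)) agreeing++;
        else r.faulty_channel = i;
    }
    if (agreeing == 3) {
        r.state = STATE_FULL_REDUNDANCY;
    } else if (agreeing == 2) {
        r.state = STATE_DEGRADED;       /* one channel outvoted, still operational */
    } else {
        r.command = 0;                  /* two or more faults: the majority is lost */
        r.faulty_channel = -1;
    }
    return r;
}

typedef struct {
    int command;
    bool self_check_ok;     /* result of the master's own diagnostics (the "D") */
} master_t;

/* 2oo2D with two masters: fault localisation relies on each master's
 * diagnostics, not on a majority. If both masters pass their self-check
 * but disagree, the fault is undetected and there is no third opinion;
 * this example then chooses the conservative safe stop (an assumption). */
vote_result_t vote_2oo2d(const master_t m[2])
{
    vote_result_t r = { 0, STATE_SAFE_STOP, -1 };
    if (m[0].self_check_ok && m[1].self_check_ok) {
        if (within(m[0].command, m[1].command)) {
            r.command = (m[0].command + m[1].command) / 2;
            r.state = STATE_FULL_REDUNDANCY;
        }
    } else if (m[0].self_check_ok) {    /* master 1 disabled itself */
        r.command = m[0].command;
        r.state = STATE_DEGRADED;
        r.faulty_channel = 1;
    } else if (m[1].self_check_ok) {    /* master 0 disabled itself */
        r.command = m[1].command;
        r.state = STATE_DEGRADED;
        r.faulty_channel = 0;
    }
    return r;
}

int main(void)
{
    /* constructed cycle: channel 2 of the TMR drifts far from the other two */
    int tmr[3] = { 1000, 1002, 1500 };
    vote_result_t a = vote_2oo3(tmr);
    printf("2oo3 : command %d, state %d, faulty channel %d\n", a.command, a.state, a.faulty_channel);

    /* constructed cycle: master 0 fails its self-check, master 1 takes over */
    master_t dual[2] = { { 1000, false }, { 1003, true } };
    vote_result_t b = vote_2oo2d(dual);
    printf("2oo2D: command %d, state %d, faulty master %d\n", b.command, b.state, b.faulty_channel);
    return 0;
}
```

The contrast worth noticing is where each scheme gets its fault localisation from: the TMR voter needs no diagnostics because a single deviating channel is simply outvoted, while the 2oo2D arbiter is only as good as each master's self-check, which is why a disagreement between two masters that both claim to be healthy cannot be resolved without a third opinion.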

In some cases two motors cannot be fitted because of installation space limitations in the vehicle. Bosch therefore provides a solution with a dual-winding motor; the system structure is shown in the picture below. Because the two windings share one stator, the motor stays small and the cost is reduced.



  • Fail-Operational Design On System Level - ADS Computing Platform

One fail-operational solution for the ADS computing platform is used by BMW; the architecture is shown in the picture below.



References

[1] Images from the Infineon and Bosch official websites

[2] Scalable, safe and multi-OEM capable architecture for autonomous driving - BMW

