A paradigm shift for highly automated driving
Is this driver likely to ever read a magazine behind the wheel again when she gets her vehicle back from the repair shop? Hardly. Not only must the scenario we’ve described never happen, it also illustrates the paradigm shift that highly automated driving implies for many of the components in the vehicle. If a safety-relevant error occurs in the world of the non-autonomous car driver – in electronic stability control (ESC) or power steering, for example – then system availability is reduced but the underlying mechanical functionality is unaffected. Taking ESC as an example, this would mean that despite the loss of vehicle stabilization due to the electronically controlled braking of individual wheels, it would still be possible for the driver to reduce the vehicle’s speed by manual intervention via the hydraulic dual-circuit brake. Although the driver would no longer benefit from the electromechanical steering assistance, they could still use the steering bar to point the vehicle in the right direction. This is termed a “fail-safe”, and in the world to date this has offered a strategy where the system is simply switched off to resolve the problem.
If we look at highly automated driving, however, we see a key difference from SAE Level 3 (fig. 3) onwards: this fail-safe is no longer an option. This is a real paradigm shift – at this level of automation, the vehicle not only provides assistance by handling longitudinal and lateral steering but the driver may even opt to stop actually ‘driving’ altogether. Even if a system error occurs, there is a clearly defined timespan in which the driver must take control, with proposed values ranging from 10 to 30 seconds. During this time, the system must remain fully functional and must not simply and suddenly fail. This is termed ‘fail-operational’ and is a new safety strategy within autonomous driving.
Alongside elements such as steering, braking and the powertrain, this principle also applies to the high-performance computers and in-vehicle communications infrastructure required by highly automated driving. As with a modern cloud-based data center, this system – made up of processors, sensors, actuators, and the interconnecting communications infrastructure – simply must not fail.
Safety from the inside
The precise details of implementation for this principle are defined by the concept of ‘functional safety’. Unlike IT security, for example, which aims to keep systems safe from outside attacks (by hackers, for example), functional safety describes how each individual system in the vehicle is designed to ensure that it cannot produce an unacceptable level of risk if it malfunctions. Functional safety is regulated by the ISO 26262 standard. Measures use the ‘ASIL’ (Automotive Safety Integrity Level) classification, which takes into account the danger to the user (‘severity’), the frequency of occurrence (‘exposure’), and the ability to control the error (‘controllability’).
Strategies for 100% availability
In highly automated driving, there are three key measures that are able to secure the required level of functional safety. The first measure is redundant system design. In terms of sensors, this may mean that the front-facing camera is supplemented by two surround cameras mounted on the side mirrors. For the power wiring system, the simplest kind of redundancy is to ensure that key components are equipped with not one but two power supply cables, which are also then connected via two separate plugs. Or the vehicle can be fitted with intelligent cables featuring integrated sensors: these monitor themselves actively to offer a higher level of failover protection. Measure number two is diversity. To scan the vehicle’s immediate environment, for example, more than one kind of sensor is used: instead of just a camera, the vehicle may therefore use camera, lidar, and radar systems. This approach can also be applied to cables and plugs, by ensuring that different designs and production batches are installed. Diversity can also mean using separate component layouts or physically separating components so they are exposed to different environmental factors. The third and last measure concerns the components themselves: they must be selected for their capabilities in terms of durability and performance. Thermal fuses in the wiring system offer an example here: their reaction times are too slow to meet these requirements and they also offer no options for diagnosing their rate of ageing – a key criterion to be met by the wiring system for highly automated driving. These fuses must be replaced by fast power semiconductors with an intelligent monitoring and control system, which is also able to form the basis of an intelligent power distribution system.
Last but by no means least: whatever the electrical and electronic architecture chosen by the vehicle engineer, the safe power distribution system must be integrated into the architecture – and the earlier, the better. Using proven models for redundancy, diversity, and the right components, LEONI Wiring Systems helps automotive manufacturers to guarantee functional safety in the wiring systems for their highly automated vehicles.