Page 54 - SAEINDIA Magazine December 2020
TECHNOLOGY Trends

Fig 15. a) Distributed Star Topology (Ref. [6])
Fig 15. b) Unidirectional Redundant Ring Structure (Ref. [6])
redundant bus-guardians and encapsulated sub-systems. The distributed ring architecture shown in Fig 15 b) offers very high robustness against local, mechanical or electrical failures. Unidirectional wires can be routed separately, such that a loss of any single connection, and many combinations of multiple cuts, do not cause any loss of information.

The distributed BBW architecture as implemented in a vehicle is shown in Figure 16, wherein multiple displacement sensors and a force sensor are connected to the wheel nodes to capture driver intent. Each wheel node calculates the actuation commands for all four wheels. These commands are communicated via the network so that each of the four wheel nodes can compare its own actuation commands with those calculated by the other wheel nodes. The voting mechanism in the network layer of each wheel node can then disable the power to individual actuators in case of a fault. If a node needs to be shut down, the brake force is redistributed to prevent the vehicle from yawing. The advanced brake functions are executed in the two front-wheel nodes. If the front-wheel nodes do not calculate the same output commands for these advanced brake functions, the function will be deactivated. This provides fail-safe operation. The dependable power supply is provided by two 42V batteries. Each battery is connected to a distribution box that protects the 42V net from short circuits. Each wheel node is connected to each distribution box, providing a redundant power supply. The communication system is itself failure tolerant. The computation and control are distributed to the available resources, which verify against each other over the network with appropriate network support. Value domain encapsulation using a mutual distributed exclusion protocol feature is one further measure to allow detection of failures in the value domain across the network without further software interaction. The communication protocol allows the incoming datasets to be compared against a reference dataset provided by the attached host and the majority agreement within the network to be determined. In case of failure of one ECU that cannot detect its own faultiness, this network feature prevents actuation from being commanded with data from such a faulty node.

Summary

Functional Safety in Automotive Systems as per the ISO 26262 standard is an increasingly necessary requirement due to the higher levels of features and the associated HW and SW architecture complexity in vehicles. Though the ISO 26262 standard is a generalized document to ensure Functional Safety, it needs to be interpreted appropriately for specific systems such as BMS, steering systems, drivetrain, brakes etc. As Functional Safety standards evolved from IEC 61508 towards ISO 26262, avoiding SPFs through structured analysis and safety mechanisms is still the underlying design philosophy. To achieve ASIL D level compliance, decomposition into independent and redundant ASIL B(D) systems is a crucial tool to avoid all types of errors. The SPFM is almost 100% because no random failures lead directly to violation of a safety goal. For Functional Safety applications on BMS, high levels of LFM are achieved through fault detection and communication over CAN between systems such as BMS and PTC. The HAM should be performed at the Safety Goal level before decomposition to comply with ASIL D.

The use of more ADAS applications in the EPS and the continuous need for increased torque and better manoeuvrability of vehicles have been posing new challenges for Electric Power Steering (EPS) systems in the form of higher forces at the steering rack and increased ADAS functionalities. Recent trends indicate the design of highly available EPS system architectures in which the FIT rate is significantly reduced, in line with ASIL C requirements (PMHF < 100 FIT), using control logic paths that utilize redundancy concepts. ASIL C mitigation
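The four-node majority vote, fail-silent isolation and front-node cross-check described for the BBW architecture above, as an added Python model that is not code from the article or its authors; the brake-force redistribution rule, the actuator limit MAX_FORCE and the sample command values are assumptions made for the example.

```python
from collections import Counter

WHEELS = ("FL", "FR", "RL", "RR")
AXLE_PARTNER = {"FL": "FR", "FR": "FL", "RL": "RR", "RR": "RL"}
MAX_FORCE = 100  # assumed per-actuator limit, arbitrary units

# Constructed sample: every wheel node computes commands for all four wheels
# and sends them over the network; node RL is faulty and cannot detect it.
PROPOSALS = {
    "FL": {"FL": 60, "FR": 60, "RL": 40, "RR": 40},
    "FR": {"FL": 60, "FR": 60, "RL": 40, "RR": 40},
    "RL": {"FL": 60, "FR": 60, "RL": 90, "RR": 40},  # wrong value for own wheel
    "RR": {"FL": 60, "FR": 60, "RL": 40, "RR": 40},
}

def vote(proposals):
    """Per-wheel majority agreement, as done in each node's network layer.
    Returns (agreed commands, nodes that disagreed with the majority);
    a wheel without a strict majority gets None and is not commanded."""
    agreed, faulty = {}, set()
    for wheel in WHEELS:
        tally = Counter(cmds[wheel] for cmds in proposals.values())
        value, count = tally.most_common(1)[0]
        if 2 * count <= len(proposals):
            agreed[wheel] = None  # no majority: fail-safe
            continue
        agreed[wheel] = value
        faulty.update(n for n, c in proposals.items() if c[wheel] != value)
    return agreed, faulty

def isolate(agreed, faulty):
    """Cut power to each faulty node's actuator and redistribute brake force.
    Assumed rule (not from the article): release the same-axle partner too so
    braking stays left/right symmetric (no yaw) and move both demands to the
    other axle, capped at MAX_FORCE."""
    forces = {w: (f or 0) for w, f in agreed.items()}
    for node in faulty:
        partner = AXLE_PARTNER[node]
        moved = forces[node] + forces[partner]
        forces[node] = forces[partner] = 0
        for w in WHEELS:
            if w not in (node, partner):
                forces[w] = min(MAX_FORCE, forces[w] + moved / 2)
    return forces

def advanced_function(front_outputs):
    """Advanced brake functions run only in the two front nodes; if their
    outputs differ the function is deactivated (None) rather than trusted."""
    fl, fr = front_outputs["FL"], front_outputs["FR"]
    return fl if fl == fr else None
```

With the sample above, the faulty RL node is outvoted 3 to 1 on its own wheel, its actuator and its axle partner are released, and the rear demand is moved to the front axle.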

        52    DECEMBER 2020                                                                MOBILITY ENGINEERING