Building a future with safer, smarter, cleaner roads
11 December 2015
The automotive industry is driving towards a world of zero accidents and zero emissions, a paradigm shift that could be a reality in just 20-30 years.
Currently, more than 90% of all car accidents are caused by human error, and congestion is set to cost the US and European economies $4.4 trillion between 2013 and 2030 (according to the Centre for Economics and Business Research). Connected, self-driving vehicles can help to curb both, reducing human error and easing congestion through smarter mobility.
A number of technologies already exist to enable the shift to (semi) autonomous driving. These technologies can be summarised under the umbrella terms:
• Car-to-X: car-to-car, car-to-infrastructure and car-to-‘other’ communications (Figure 1);
• X-by-Wire: Throttle-by-Wire, Brake-by-Wire, Steer-by-Wire and related technologies;
• Advanced Driver Assistance Systems (ADAS): systems such as Adaptive Cruise Control (ACC), Lane Departure Warning and Blind Spot Detection, and more.
All three technologies already exist, will grow rapidly in the mid-to-long term and will ultimately become commoditised. It is their combination that stands to make autonomous driving a reality in the years to come.
The zero-emission ambitions of the automotive industry, shared by governments and driven by the dwindling amount of recoverable oil worldwide, will be realised in the longer term: first with hybrid vehicles and then with electric vehicles that use renewable energy to recharge their batteries.
Minimising safety risks
In a world where cars are autonomous, the electronic systems controlling them must be failsafe, reliable and secure. Any failure could be life threatening, and standards such as ISO26262 have an important role to play.
Minimising the security risk posed by hacking of X-by-Wire, ADAS and especially Car-to-X systems is also critical; a Car-to-X interface is, by design, reachable from outside the vehicle, so a vulnerability there can be exploited remotely rather than requiring physical access. ISO26262 is a functional safety standard and does not currently cover vulnerability to hacking; efforts to address security vulnerabilities, and the current role of ISO26262, are discussed later in this article.
Electric and hybrid vehicles face a different safety challenge, which is also being addressed. The high-voltage electrical system (board net) introduced in these vehicles, together with the 12V board net and the high-voltage batteries, needs special safety measures to remove the risk of fire or explosion.
Initially the automotive industry was implementing safety-related applications according to the IEC61508 standard. However, this umbrella standard was designed to be used as a platform for individual industries to build their own standards, as has been demonstrated by mechanical engineering and the nuclear power industry.
For the automotive industry, it was quickly realised that the ‘catastrophic events’ covered by IEC61508 do not apply. Nor can the automotive industry distinguish between one and several fatal injuries, as IEC61508 requires. Finally, the Safety Integrity Levels (SILs) defined in IEC61508 needed adjustment: automotive systems often required a classification between SIL2 and SIL3.
ISO26262, released in November 2011, was designed specifically for the automotive industry and applies to passenger cars and light utility vehicles. The standard defines Automotive Safety Integrity Levels (ASILs) from ASIL A to ASIL D, with ASIL D being the highest safety level.
Each level represents an acceptable residual risk; the ASIL assigned to a hazard follows from the severity of the potential harm, the probability of exposure to the situation, and how controllable the situation is for the driver. The targeted ASIL is achieved by reducing systematic and random failures. Systematic failures are caused by human error in specification, design or implementation and are prevented by a proper development process. Random failures, for example those caused by aging or thermal wear-out, cannot be designed out but can be detected in the running system by introducing redundancy, monitoring and self-tests.
Building a compliant safety system
Figure 3 shows a generic solution that can be applied in systems to comply with ISO26262. The overall ASIL level that needs to be fulfilled determines the system architecture as well as the definition of the individual components.
The safety switch in Figure 3 is required to achieve a failsafe state in systems with an ASIL B level or higher.
Safety microcontrollers (MCUs) are available in many different types. In most cases the MCU contains two cores that execute the same code in lockstep. A compare unit compares the results of the two cores; on any difference the MCU_error_n signal is asserted (it is active low, as the _n suffix indicates), the system is put into the failsafe state and the safety switch is opened so that actuators cannot be erroneously triggered.
This approach still has a weak spot: common-cause failures that affect both cores identically (a supply glitch, a clock fault, a corrupted shared input) produce identical results on both cores and are not detected by the compare unit. Additional measures such as an external watchdog, temperature sensors and special layout rules are therefore necessary to achieve the highest safety integrity levels.
System-Basis-Chips (SBCs) form the basis of many electronic control units. The safety elements implemented in the SBC are: the Watchdog (WD), which monitors correct operation of the MCU; the Voltage Monitor (VM), which detects over- or undervoltage of the MCU supply; and a temperature monitor. When any of these elements detects an error, the SBC_error_n signal is asserted and the system is put into the failsafe state; the SBC then activates (opens) the safety switch. In most cases, a warning light to inform the driver is also turned on when the switch is activated (not shown in Figure 3).
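The safety chain described in the last three paragraphs, as an added example that is not code from the original article or from any chip vendor: a C simulation of a lockstep compare unit driving MCU_error_n, and an SBC whose window watchdog, voltage monitor and temperature monitor drive SBC_error_n. Either active-low line latches the failsafe state and opens the safety switch. The voltage and temperature thresholds, the watchdog window, the latching behaviour and the scenario functions are assumptions made for illustration. The common-cause scenario shows the weak spot noted above: if the shared input to both cores is corrupted, both results are identical and wrong, the compare unit passes them, and only an independent monitor such as the external watchdog can catch the fault.

```c
/* Added example, not from the article: a simulation of the Figure 3 safety chain.
 * Thresholds, the watchdog window and the latching behaviour are illustrative assumptions. */
#include <stdbool.h>
#include <stdint.h>

#define VM_UNDER_MV  4500u  /* assumed MCU supply undervoltage threshold (mV) */
#define VM_OVER_MV   5500u  /* assumed overvoltage threshold (mV) */
#define TEMP_MAX_C   125    /* assumed temperature limit */
#define WD_WIN_OPEN  8u     /* window watchdog: earliest tick at which service is accepted */
#define WD_WIN_CLOSE 12u    /* latest tick at which service is accepted; later is a timeout */

typedef struct {
    bool mcu_error_n;           /* active low: false means MCU_error_n is asserted */
    bool sbc_error_n;           /* active low: false means SBC_error_n is asserted */
    bool safety_switch_closed;  /* false = switch open, actuators cannot be driven */
    bool failsafe_latched;      /* stays set until a controlled reset */
    uint32_t wd_ticks_since_service;
} safety_state_t;

void safety_init(safety_state_t *s)
{
    *s = (safety_state_t){ .mcu_error_n = true, .sbc_error_n = true, .safety_switch_closed = true };
}

/* Either error line opens the switch; latching stops a transient recovery re-enabling actuators. */
static void enter_failsafe(safety_state_t *s)
{
    s->failsafe_latched = true;
    s->safety_switch_closed = false;
}

static uint32_t core_compute(uint32_t input) { return input * 3u + 7u; }  /* stand-in for the application code both cores run */
/* Compare unit: any mismatch between the two cores asserts MCU_error_n. */
void lockstep_compare(safety_state_t *s, uint32_t core0, uint32_t core1)
{
    if (core0 != core1) { s->mcu_error_n = false; enter_failsafe(s); }
}

/* SBC voltage monitor (over- and undervoltage) and temperature monitor. */
void sbc_monitor(safety_state_t *s, uint32_t supply_mv, int temp_c)
{
    if (supply_mv < VM_UNDER_MV || supply_mv > VM_OVER_MV || temp_c > TEMP_MAX_C) {
        s->sbc_error_n = false; enter_failsafe(s);
    }
}

/* SBC window watchdog, called once per tick. Servicing too early (runaway loop)
 * or too late (hung MCU) both assert SBC_error_n. */
void sbc_watchdog_tick(safety_state_t *s, bool serviced)
{
    s->wd_ticks_since_service++;
    if (serviced) {
        if (s->wd_ticks_since_service < WD_WIN_OPEN) { s->sbc_error_n = false; enter_failsafe(s); }
        s->wd_ticks_since_service = 0;
    } else if (s->wd_ticks_since_service > WD_WIN_CLOSE) {
        s->sbc_error_n = false; enter_failsafe(s);
    }
}

/* One core suffers an independent bit flip: the compare unit catches it. */
bool scenario_core_fault(void)
{
    safety_state_t s; safety_init(&s);
    lockstep_compare(&s, core_compute(100u), core_compute(100u) ^ 0x4u);
    return s.failsafe_latched && !s.safety_switch_closed && !s.mcu_error_n;
}

/* Common cause: the shared input is corrupted before both cores read it, so both results agree. */
bool scenario_common_cause(void)
{
    safety_state_t s; safety_init(&s);
    uint32_t corrupted = 100u ^ 0x4u;
    lockstep_compare(&s, core_compute(corrupted), core_compute(corrupted));
    return s.failsafe_latched;  /* false: not detectable by the compare unit alone */
}

/* The MCU services the watchdog once at tick 10 and then hangs. */
bool scenario_watchdog_timeout(void)
{
    safety_state_t s; safety_init(&s);
    for (uint32_t t = 1; t <= 40; t++) sbc_watchdog_tick(&s, t == 10u);
    return s.failsafe_latched && !s.sbc_error_n;
}

/* Supply sags below the undervoltage threshold. */
bool scenario_undervoltage(void)
{
    safety_state_t s; safety_init(&s); sbc_monitor(&s, 4200u, 85);
    return s.failsafe_latched && !s.sbc_error_n;
}

/* Healthy system: watchdog serviced every 10 ticks, supply and temperature nominal, cores agree. */
bool scenario_nominal(void)
{
    safety_state_t s; safety_init(&s);
    for (uint32_t t = 1; t <= 40; t++) {
        sbc_watchdog_tick(&s, t % 10u == 0u);
        sbc_monitor(&s, 5000u, 85);
        lockstep_compare(&s, core_compute(t), core_compute(t));
    }
    return s.failsafe_latched;  /* false: the switch stays closed */
}
```

The state is deliberately latched: once either error line has fired, the switch stays open even if the supply recovers or the cores agree again on the next cycle, because an intermittent fault that silently re-enables the actuators is exactly what the failsafe state is meant to prevent. The watchdog is windowed rather than a plain timeout so that a runaway loop kicking it continuously is caught as well as a hung MCU.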
The power devices as well as the drivers in the safety switch also contain diagnostics for safety purposes.
While integrating the SBC, power devices and drivers into one piece of silicon can save cost, care must be taken to ensure that the safety system, especially the part that activates the safety switch, remains functional and available under all conditions: a single fault in the shared die must not be able to disable both the monitored function and the monitor that is meant to catch it.
The automotive industry is on the brink of a zero accident and zero emission revolution. Developments in the technologies behind (semi) autonomous vehicles will help reduce the 90% of car accidents caused by human error, while hybrid vehicles and the evolution towards electric vehicles that use renewable energy will help address dwindling oil supplies.
Safety is critical to realising the zero accident and zero emission vision. The introduction of ISO26262 is an important step towards addressing safety, while further efforts are needed to answer the increased need for security in Car-to-X implementations. The journey towards safety is ongoing and will need to continue in the mid-to-long term.