Adaptation Mechanisms for Electronic Architectures of Fully Electric Vehicles

Nowadays, automotive systems are facing a revolutionary era full of changes for the traditional automotive domain. New trends such as autonomous driving or fully electric vehicles call for a completely new approach to design. The ISO 26262 automotive functional safety standard has been introduced in the market to provide guidelines and accepted best practices for the safety design of the electric/electronic systems on board. It pushes the whole industry to improve their systems regarding safety and dependability. So far, different vehicle systems have been able to reach their safe state by shutting down when a malfunction arises, following the so-called fail-silent approach. This state switches off the affected system and stops the vehicle in a safe way using alternative systems. This is no longer valid with fully electric systems such as the drive-by-wire systems (steer-by-wire or brake-by-wire): in these cases there is no mechanical fall-back. Similarly, in autonomous driving the driver is no longer in the loop; the system itself is in charge of the driving decisions.

The automotive domain is evolving towards more sophisticated functional safety concepts that provide fail-operational behaviour at system level for certain vehicle functions. This fail-operational functionality makes the system go through different states when a failure is detected, providing availability without compromising system safety. Solutions such as 2oo3 (two-out-of-three) redundant patterns have been designed with this in mind. In this case the system is replicated three times. When one of the three replicas produces an output different from the other two, it is considered to be working incorrectly and is switched off, but the functionality is still offered by the other two. However, this solution is not suitable in the automotive domain. The main reason is that such solutions are too costly, in contrast to the avionics domain, where these patterns are accepted.
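The 2oo3 pattern described above, as an added example that is not code from the SafeAdapt project: a majority voter over three replicated channels. A channel whose output disagrees with the other two is isolated and the voter continues on the remaining pair; the degradation step after that, where the remaining two channels disagree and no majority can be formed so the output is inhibited (fail-silent), is an assumption of this example, as are the tolerance parameter and all sample values.

```c
/* Added example: a 2oo3 voter that degrades to a two-channel comparison after
 * the first channel failure and falls back to a fail-silent safe state when it
 * can no longer arbitrate. Illustrative only; not SafeAdapt project code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CHANNELS 3

typedef enum {
    MODE_2OO3,        /* all three channels healthy: majority vote */
    MODE_1OO2D,       /* one channel isolated: remaining pair is cross-checked */
    MODE_SAFE_STATE   /* cannot arbitrate: output inhibited (fail-silent) */
} voter_mode_t;

typedef struct {
    bool healthy[CHANNELS];
    voter_mode_t mode;
} voter_t;

void voter_init(voter_t *v)
{
    for (int i = 0; i < CHANNELS; i++) v->healthy[i] = true;
    v->mode = MODE_2OO3;
}

/* Two channel outputs "agree" when they differ by at most tol (assumed tolerance). */
static bool agree(int32_t a, int32_t b, int32_t tol)
{
    int64_t d = (int64_t)a - (int64_t)b;   /* 64-bit difference avoids overflow */
    if (d < 0) d = -d;
    return d <= tol;
}

/* One voting cycle. Returns true and stores a trusted value in *out when at
 * least two healthy channels agree; returns false once in the safe state. */
bool voter_step(voter_t *v, const int32_t in[CHANNELS], int32_t tol, int32_t *out)
{
    if (v->mode == MODE_SAFE_STATE) return false;

    /* votes[i] = number of other healthy channels that agree with channel i. */
    int votes[CHANNELS] = {0};
    int max_votes = 0;
    for (int i = 0; i < CHANNELS; i++) {
        if (!v->healthy[i]) continue;
        for (int j = i + 1; j < CHANNELS; j++) {
            if (v->healthy[j] && agree(in[i], in[j], tol)) { votes[i]++; votes[j]++; }
        }
    }
    for (int i = 0; i < CHANNELS; i++)
        if (v->healthy[i] && votes[i] > max_votes) max_votes = votes[i];

    if (max_votes == 0) {
        /* No two healthy channels agree: in 2oo3 all three differ, in 1oo2D the
         * remaining pair disagrees. The faulty channel cannot be identified, so
         * the only safe option is to inhibit the output. */
        v->mode = MODE_SAFE_STATE;
        return false;
    }

    /* A healthy channel that agrees with nobody has been outvoted: isolate it.
     * The output is taken from the lowest-index channel that agrees with another. */
    int remaining = 0, source = -1;
    for (int i = 0; i < CHANNELS; i++) {
        if (!v->healthy[i]) continue;
        if (votes[i] == 0) { v->healthy[i] = false; continue; }
        remaining++;
        if (source < 0) source = i;
    }
    v->mode = (remaining == CHANNELS) ? MODE_2OO3 : MODE_1OO2D;
    *out = in[source];
    return true;
}

int main(void)
{
    voter_t v;
    voter_init(&v);
    int32_t out;
    /* Constructed sample cycles: nominal, channel 1 drifting, degraded
     * operation on channels 0 and 2, then a second fault the pair cannot resolve. */
    const int32_t cycles[][CHANNELS] = {
        {100, 101, 99}, {100, 250, 101}, {100, 999, 102}, {100, 0, 300}
    };
    for (size_t k = 0; k < sizeof cycles / sizeof cycles[0]; k++) {
        bool ok = voter_step(&v, cycles[k], 5, &out);
        if (ok) printf("cycle %zu: output %d, mode %d\n", k, (int)out, (int)v.mode);
        else    printf("cycle %zu: output inhibited, mode %d\n", k, (int)v.mode);
    }
    return 0;
}
```

The voter shows why the pattern is expensive in hardware terms: fail-operational behaviour is bought with a third full channel, and after a single isolation only fail-silent behaviour remains, which is exactly the limitation the adaptive approach in the following paragraphs addresses without triple replication.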

In the EU-funded SafeAdapt (Safe Adaptive Software for Fully Electric Vehicles) project, in which our team has been working, we have pursued the design of a new E/E architecture that improves safety and dependability, provides affordable fail-operational services and at the same time is aligned with ISO 26262 practices. These concepts reduce the complexity of the system through generic, system-wide fault and adaptation handling. In this work, the safety concept has been defined in the form of a Generic Adaptation Mechanism (GAM). Self-adaptation is a feasible option to handle system failures while allowing further operation of a smart car. For instance, in case of the breakdown of one Electronic Control Unit (ECU), another ECU can be adapted to take over the execution of the critical functionality.

One of the main aims of our research has been to provide an ISO 26262 compliant GAM developed as a Safety Element out of Context (SEooC). The reason why we wanted to design the GAM as a SEooC was to improve its reusability. A SEooC is an element which is designed without knowing where it will end up being deployed. We define the constraints for a future deployment at design time, and the element could end up being integrated with different hardware or in different types of vehicles. We have already demonstrated this on two different hardware ECUs. Another important topic was the safety analysis performed on the software system. To improve the design lifecycle, our team has worked on a highly integrated model-based tool chain. This will help future developers in their tasks for early verification and validation of the design. Furthermore, the main issues related to the safety certification of these kinds of systems have been addressed as well.