Autonomous vehicles can rely on these chassis functions
Autonomous driving is bringing a whole new set of challenges for engineering teams in the area of functional safety of chassis functions. As soon as there is no longer a human driver, all of the safety related processes have to work completely independently at all times. Technical measures such as the heterogeneous redundancy already known from aircraft and continuous safety monitoring enable possibilities for disruption-free operation.
HEAT: Practical experience in a big city
The HEAT (Hamburg Electric Autonomous Transportation) project may offer these kinds of new approaches. In the project, IAV and partners teamed up to develop an autonomous shuttle for use in a major urban city. HEAT is currently operating with a vehicle attendant who monitors the shuttle’s behavior, but it incorporates many level 4 functions, which already allows the shuttle to move around independently in traffic today. “This allowed us to gain valuable practical experience, but that wasn’t all. We also developed an in-depth understanding of functional safety in systems like these,” says Martin Gebhardt, head of the Steering department at IAV.
«Working with our customers, we are already making the leap from level 2 to level 4 in the chassis segment, while also supplying detailed cost-benefit analyses on specific safety solutions.»
— Abteilungsleiter Steering bei IAV
One reasonable possible solution to move toward automation level 4 is redundancy: If one controller fails due to a hardware fault, for example, then a different one steps in and takes over. “Safety-critical systems in aircraft have multiple redundancies, and if there is any discrepancy, the majority of the systems decides,” explains Dr. Marcus Perner, technical consultant for Functional Safety at IAV. However, that would be a very costly solution for mass-produced vehicles. Defining an optimized safety concept is essential. Diagnoses measures and safety mechanisms form the core here. A successive approach and identification of safety measures can help to pinpoint where redundancies are needed.
“Heterogeneous redundancy” is a useful approach here – for example in the event that a sensor in the steering system no longer works correctly. The implausible sensor data could cause the steering actuator to behave uncontrollably, which could then lead to a dangerous driving situation. Diagnostics would identify the faulty data from the sensor. As a result, logic for further operation switches to the secondary sensor. The crucial point here is that the second sensor must be different from the primary one in technological terms to significantly lower the likelihood of the same malfunction occurring again. In this kind of scenario, the error cannot have the same effects.
A three-level concept for improving safety
Another effective safety element is an adjusted three-level monitoring concept. It is based on the standardized E-Gas monitoring concept, from which the testing concept has been adopted. The actual function is found on the lowest level. The monitoring level is positioned above that, identifying errors at the functional level and initiating remedial action. The first and second levels run on the same functional control unit, but work independently of each other. The third level works on both the functional and monitoring control unit.
One of its key functions is monitoring the correct functioning of the monitoring level. Passengers in future level 4 vehicles will have nothing to worry about: “Studies show that statistically speaking, technology already makes far fewer errors than humans,” Perner explains. “Nevertheless, the public has higher demands on technology – that is the reason why it is so important to ensure functional safety of chassis functions in all situations.”
The article appeared in automotion 03/2021, IAV’s automotive engineering magazine. You can order automotion free of charge here.
