From Manual to Assisted Driving (ADAS):
The activity of driving has witnessed a remarkable transformation over the past several decades. From traditional manual control, where drivers performed all driving tasks, to the introduction of assisted driving systems, vehicles have undergone significant advancements. In turn, this has also changed the human experience while in the vehicle.
In earlier days, mechanical and hydraulic systems were the backbone of vehicle operations, controlling braking, steering, and acceleration.
However, with the advent of E/E systems, driving experiences were enhanced through assisted driving E/E systems, expected to support the driver in accelerating, braking, and steering (e.g., lane keeping, electronic power steering, emergency braking). In case of a failure detected in the assisted driving system, the system’s impact into the driving operations is limited, or the system is completely switched off. The mechanical system is still in place and will be used as the reliable solution.
These assisted driving systems are called fail-safe systems. In this case, it’s enough for the system to detect such safety-relevant failures, as a fail-safe system relies on the human as part of the safety concept. Drivers still needed to provide the actuation force to maintain a possibly degraded level of control until the vehicle was in a safe state in the event of an electrical/electronic system failure.
This transition marked a new era in automotive technology and the software used to make it a reality.
Shifting to autonomous driving:
As the automotive industry moves toward the era of autonomous driving, when all driver’s tasks are completely performed by automated driving E/E systems, new challenges and opportunities emerge. Improving and maintaining the safety of the cars, along with reducing vehicle weight are among the major challenges the Automotive OEMs must deal with.
Traditional mechanical and hydraulic connections once relied upon for sending vehicle acceleration, braking, and steering commands, prove inadequate for the demands of autonomous driving.
Instead, more sophisticated x-by-wire systems are gradually replacing them for such operations, contributing also to improved safety and reduced vehicle weight. These systems, built on electronic sensors and actuators, play a disruptive role in achieving autonomous functionality, paving the way for a future where vehicles are capable of driving themselves.
As losing operation of the x-by-wire systems is not acceptable inside the car, they shall provide highly reliable and correct execution.
While the mechanical fallback will no longer be an option in case of a safety-relevant failure of the electronic system, some performance degradation might also be acceptable until a safe state is reached (e.g., safe vehicle stop), but switching off or immediate handing over to the driver are no longer valid options, therefore fail-safe systems are not enough for x-by-wire and autonomous driving functionality compliant with SAE Levels 3 -> 5.
In the pursuit of truly autonomous vehicles, fail-operational systems become indispensable. Unlike fail-safe systems, which rely on human intervention during system failures, fail-operational systems must maintain continuous and reliable operation. They ensure autonomous vehicles can operate safely and reliably across all domains. Fail-operational systems provide a robust safety net, enabling the vehicle to detect and respond to failures while maintaining operational integrity.
Why software is a game-changer for the fail-operational systems?
Software assumes a critical role in enabling fail-operational systems and their successful integration into autonomous vehicles.
- What should a fail-operational system ensure?
- Software implications for fail-operational systems
The fail-operational systems must maintain highly reliable execution of application software to give guarantees for continuous service delivery.
Additionally, the execution of communication software is essential to ensure highly reliable communication in processing the x-by-wire control command.
A fail-operational system is usually built with 2 fully redundant sub-systems operating in active redundancy. Both are designed to be fail-silent, delivering either correct operation or no service at all to avoid impacting the other sub-system in case of a failure.
Each sub-system is able to control the system as long as it operates properly. In the event of a failure in one sub-system, the other takes over seamlessly, ensuring continuous and reliable operation.
Usually redundancy and fault-tolerance on hardware level are needed as well, for the ability to give guarantees for continuous service delivery. The system shall be ‘hardened’ against failures in the processing environment (e.g., by software executing on another core of the same MCU).
To achieve fail-operational requirements, the software implementing the intended safety-related functionality must be highly reliable, therefore its complexity and size should be reduced to the absolute minimum.
To prevent unintended service interruption, the critical software must be hardened against failures in non-critical software, which is executed on the same MCU by using proper mechanisms to ensure freedom from interference and by using specific reliable communication mechanisms between the software partitions.
Diverse redundancy helps to avoid dependent failures in the primary and secondary communication channel. Homogenous redundancy is legitimate in case the software is developed according to increased quality standards (ASIL D instead of ASIL B).
Braking-, steering-, and acceleration-by-wire are currently the typical use cases for x-by-wire control systems that play a key role in the autonomous vehicles.
Nowadays, almost all electronic controlling units inside such systems are developed using the Classic AUTOSAR software stack. To speed up their upgrade towards x-by-wire technology (without mechanical fallback), many Automotive Tier1s and OEMs are requesting quick, easy, and flexible adoption of improved Classic AUTOSAR based software that should be able to fulfill the fail-operational systems requirements.
Software solutions are at the center of enabling fail-operational systems, ensuring continuous and reliable service delivery. As autonomous vehicles become a reality, the development of fail-operational software becomes paramount to ensure the safety, reliability, and efficiency of these advanced vehicles.
The Automotive software suppliers should quickly find innovative ways to extend their existing Classic AUTOSAR software offering to meet such crucial requirements and to have a competitive offering for tomorrow’s trends in the Automotive market.
By harnessing the power of software solutions, fail-operational systems will become the bedrock of transportation, revolutionizing mobility, enhancing safety, and transforming the way we experience driving the open road.
Related content:
Webinar – Software for fail-operational systems – a game-changer for tomorrow’s autonomous vehicles
Author
Lucian Badescu
Product Manager Automotive Networks, Elektrobit
