This requires a paradigm shift in automotive safety concepts. A "fail silent" approach, in which the system simply shuts down when an error occurs, is no longer sufficient. Instead, the keyword is "fail operational": when a fault occurs, the function or the ECU must continue to work until the vehicle can be brought to a safe state. Although avionic systems achieve this through multiple redundancy, that approach cannot simply be ported to automotive platforms because of its high cost. A new approach is therefore needed.
Increased safety, lower development costs
This type of concept is the focus of the EU-funded SafeAdapt project. More precisely, SafeAdapt is developing a new, flexible architecture that provides fail-operational behaviour system-wide, that is, generically. In other words, the feature is not implemented separately for each function but once for the system as a whole, which reduces both effort and cost. The foundation of this concept is safe and controlled adaptation: faults are handled by dynamically reallocating functions and adapting the vehicle system to the current situation at runtime. This includes reconfiguration across heterogeneous ECUs, so that flexible fault handling can be implemented even in systems that are subject to strict safety demands.
More specifically, the objective of the SafeAdapt project is to reduce development costs for future electric vehicles by establishing a generic fault-handling and extension mechanism while preserving functional safety. The SafeAdapt approach also reduces material costs, because it does away with dedicated redundancy for each individual function. Finally, shifting functions onto existing ECUs reduces the total number of ECUs required, which improves energy efficiency.
Generic fault management
The foundation of the SafeAdapt approach is the interaction between hardware and software. The assumption is that in future vehicles, sensors and actuators are reachable over the network without going through a particular control unit: such intelligent sensors and actuators can be addressed directly or via network gateways. To ensure that a fault in a peripheral component does not impair the functionality of the entire system, redundancy must be available, both for the individual sensors and actuators and for the communication paths between them. Reliably tolerating any single fault therefore requires at least two independent communication paths between every pair of communication partners. The figure illustrates a vehicle architecture with two Ethernet paths between each of the participants, so that they can continue to communicate if any single component or communication link fails.
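As an added illustration of the redundancy requirement just described (example code written for this page, not code from the SafeAdapt project), the following Python checks a network topology for the property that no single non-participant node (switch or gateway) or single link failure can partition the communication partners. It does so by exhaustively injecting each single fault and re-running a reachability search, which is equivalent to requiring two node-disjoint paths between every pair of participants. The "dual star" topology, the node names and the single-attached counterexample are constructed assumptions and do not reproduce the architecture in the figure.

```python
from collections import deque

# Constructed sample topology (not from the SafeAdapt project): a dual-star
# vehicle network with two Ethernet switches. Every participant (ECU,
# intelligent sensor, intelligent actuator) is attached to both switches, so
# any two participants have two node-disjoint paths between them.
PARTICIPANTS = {"ecu_a", "ecu_b", "steer_sensor", "steer_actuator"}
DUAL_STAR_LINKS = {
    ("ecu_a", "sw1"), ("ecu_a", "sw2"),
    ("ecu_b", "sw1"), ("ecu_b", "sw2"),
    ("steer_sensor", "sw1"), ("steer_sensor", "sw2"),
    ("steer_actuator", "sw1"), ("steer_actuator", "sw2"),
    ("sw1", "sw2"),
}
# Same network, but the steering sensor has lost its second uplink (constructed).
SINGLE_ATTACHED_LINKS = DUAL_STAR_LINKS - {("steer_sensor", "sw2")}


def adjacency(links):
    """Undirected adjacency map built from (a, b) link tuples."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def reachable(adj, start, failed_node=None, failed_link=None):
    """Nodes reachable from `start` by BFS, treating one node or one link
    as failed. A failed link is unusable in both directions."""
    if start == failed_node:
        return set()
    dead_link = set(failed_link) if failed_link else set()
    seen = {start}
    queue = deque([start])
    while queue:
        n = queue.popleft()
        for m in adj.get(n, ()):
            if m == failed_node or m in seen:
                continue
            if dead_link and {n, m} == dead_link:
                continue
            seen.add(m)
            queue.append(m)
    return seen


def all_connected(adj, participants, **fault):
    """True if every participant can still reach every other participant
    under the given single fault (none, failed_node=..., or failed_link=...)."""
    anchor = next(iter(participants))
    return participants <= reachable(adj, anchor, **fault)


def single_points_of_failure(links, participants):
    """Inject each single infrastructure fault (one non-participant node such
    as a switch or gateway, or one link) and collect those that leave some
    participants unable to communicate. Participant failures are not injected:
    a failed sensor is covered by sensor redundancy, not by path redundancy.
    Returns a sorted list of ("node", name) / ("link", (a, b)) entries."""
    adj = adjacency(links)
    if not all_connected(adj, participants):
        return [("baseline", "participants not fully connected")]
    spof = []
    for node in sorted(set(adj) - set(participants)):
        if not all_connected(adj, participants, failed_node=node):
            spof.append(("node", node))
    for link in sorted(links):
        if not all_connected(adj, participants, failed_link=link):
            spof.append(("link", link))
    return spof


def is_single_fault_tolerant(links, participants):
    """The fail-operational precondition from the text: no single component
    or link failure may partition the communication partners."""
    return not single_points_of_failure(links, participants)


if __name__ == "__main__":
    for name, links in (("dual star", DUAL_STAR_LINKS),
                        ("single-attached sensor", SINGLE_ATTACHED_LINKS)):
        result = single_points_of_failure(links, PARTICIPANTS)
        print(name, "->", result or "tolerates any single fault")
```

The check is independent of the layout: a ring of switches or a dual-homed gateway tree passes or fails on the same criterion, so it can be run over a generated network description during architecture review, or as a gate in the build pipeline, to catch the single-attached case that the counterexample shows.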
Because the control units must operate on a common time base, suitable synchronization and real-time mechanisms are also required; these can be provided, for example, by time-triggered Ethernet or time-sensitive networking (TSN).