Search Results

The performance of environment perceiving sensors such as e.g. lidar, radar, camera and ultrasonic sensors is safety critical for automated driving vehicles. Therefore, one has to assess the sensors’ performance to assure the automated driving system’s safety. The performance of these sensors is however to some degree sensitive towards adverse weather conditions. A challenge is to quantify the effect of adverse weather conditions on the sensor’s performance early in the development of an automated driving system. This challenge is addressed in this work for lidar sensors. The lidar equation was previously employed in this context to derive estimates of a lidar’s maximum range in different weather conditions. In this work, we present a stochastic simulation framework based on a probabilistic extension of the lidar equation, to quantify the effect of adverse rainfall conditions on a lidar’s raw detection performance.

This study deals with the experimental investigation of the mechanical properties of a lithium-ion pouch cell and its modelling in an explicit finite element simulation code. One can distinguish between ‘macroscopic’ and ‘microscopic’ modelling approaches. In the ‘macroscopic’ approach, one material model approximates the behaviour of multiple inner cell layers. In the ‘microscopic’ approach, which is used in the present study, all layers and their interactions are modelled separately. The cell under study is a pouch-type lithium-ion cell with a liquid electrolyte. With its cell chemistry, design, size and capacity it is usable for automotive applications and can be assembled into traction batteries. One cell sample was fully discharged and disassembled, and its components (anode, cathode, separator and pouch) were examined and measured by electron microscopy. Components were also tensile tested.

The trend towards even more sophisticated driver assistance systems and growing automation of driving sets new requirements for the robustness and availability of the involved automotive systems. In case of an error, today it is still sufficient that safety related systems just fail safe or silent to prevent safety related influence of the driving stability resulting in a functional deactivation. But the reliance on passive mechanical fallbacks in which the human driver taking over control, being inevitable in such a scenario, is expected to get more and more insufficient along with a rising degree of driving automation as the driver will be given longer reaction time. The advantage of highly or even fully automated driving is that the driver can focus on other tasks than controlling the car and monitoring it’s behavior and environment.

Electronic Control Units of safety critical systems require constant monitoring of the hardware to be able to bring the system to a safe state if any hardware defects or malfunctions are detected. This monitoring includes memory checking, peripheral checking as well as checking the main processor core. However, checking the processor core is difficult because it cannot be guaranteed that the error will be properly detected if the monitor function is running on a processing system which is malfunctioning. To circumvent this issue, several previously presented monitoring concepts (e.g. SAE#2006-01-0840) employ a second external microprocessor to communicate with the main processor to check its integrity. The addition of a second microcontroller and the associated support circuitry that is required adds to the overall costs of the ECU, increases the size and creates significant system complexity.

With increasing levels of driving automation, the perception provided by automotive environment sensors becomes highly safety relevant. A correct assessment of the sensors’ perception reliability is therefore crucial for ensuring the safety of the automated driving functionalities. There are currently no standardized procedures or guidelines for demonstrating the perception reliability of the sensors. Engineers therefore face the challenge of setting up test procedures and plan test drive efforts. Null Hypothesis Significance Testing has been employed previously to answer this question. In this contribution, we present an alternative method based on Bayesian parameter inference, which is easy to implement and whose interpretation is more intuitive for engineers without a profound statistical education. We show how to account for different environmental conditions with an influence on sensor performance and for statistical dependence among perception errors.

This paper describes how a safety-oriented software development could look like as soon as an appropriate standard exists which is applicable for the automotive industry. Such a standard is currently being developed which is a tailoring of the safety standard IEC61508. The IEC61508 is generic and not specific for any industry. It allows tailoring of the complete safety lifecycle for specific domains. This paper focuses mainly on the software lifecycle of the evolving standard for the automotive industry. With regard to the development process the objectives of each phase are explained and it is described how these can be achieved by using certain techniques and measures.

The anti-lock braking system (ABS) is a widespread driver assistance system which allows a short braking distance while simultaneously maintaining the stability and steerability of the car. Vehicles with electric single-wheel drive offer many possibilities of improving the energy efficiency and the braking performance during ABS braking. In this paper, two different ways of including the electric machines in the ABS are analyzed in detail: the damping of torsional drive train vibrations in combination with recuperation and the dynamic split of the braking torque, where the hydraulic braking torque is kept constant and the dynamic modulation of the braking torque is performed by the electric machines. The damping algorithm is developed on the basis of a linearized model of the drive train and the tire-road contact by using state feedback and pole placement methods. Simulation results with a detailed multi-body system show the effectiveness of the control algorithms.

Starting from the USA and followed by the European Union, legal requirements concerning “Tire Pressure Monitoring Systems” (TPMS) for passenger cars and light trucks will be introduced in China as well and therefore in the third of the three largest automobile markets worldwide. Changes of pressure dependent physical tire properties such as dynamic roll radius and a certain tire eigenfrequency, which are included in the ESC-wheel speed signals, indicates pressure loss in an indirect manner. Systems with corresponding working principles are called “indirect Tire Pressure Monitoring System” (iTPMS). Since the tire is a structural element with varying characteristics according to the design parameters, the roll radius and frequency behavior due to pressure loss is variable as well. As a consequence, tires have to be evaluated regarding there compatibility to iTPMS during the vehicle development process.

In open jet wind tunnels with high blockage ratios a sharp rise in drag is observed for models approaching the nozzle exit plane. The physical background for this rise in drag will be analyzed in the paper. Starting with a basic analysis of the dependencies of the effect on model and wind tunnel properties, the key parameters of the problem will be identified. It will be shown using a momentum balance and potential flow theory that interaction between model and nozzle exit can result in significant tunnel-induced gradients at the model position. In a second step, a CFD-based investigation is used to show the interaction between nozzle exit and a bluff body. The results cover the whole range between open jet and closed wall test section interaction. The model starts at a large distance from the nozzle, then moves towards the nozzle, enters the nozzle and is finally completely inside the nozzle.

Driven by the growing internet and remote connectivity of automobiles, combined with the emerging trend to automated driving, the importance of security for automotive systems is massively increasing. Although cyber security is a common part of daily routines in the traditional IT domain, necessary security mechanisms are not yet widely applied in the vehicles. At first glance, this may not appear to be a problem as there are lots of solutions from other domains, which potentially could be re-used. But substantial differences compared to an automotive environment have to be taken into account, drastically reducing the possibilities for simple reuse. Our contribution is to address automotive electronics engineers who are confronted with security requirements. Therefore, it will firstly provide some basic knowledge about IT security and subsequently present a selection of automotive specific security use cases.

The development of highly automated driving functions (AD) recently rises the demand for so called Fail-Operational systems for native driving functions like steering and braking of vehicles. Fail-Operational systems shall guarantee the availability of driving functions even in presence of failures. This can also mean a degradation of system performance or limiting a system’s remaining operating period. In either case, the goal is independency from a human driver as a permanently situation-aware safety fallback solution to provide a certain level of autonomy. In parallel, the connectivity of modern vehicles is increasing rapidly and especially in vehicles with highly automated functions, there is a high demand for connected functions, Infotainment (web conference, Internet, Shopping) and Entertainment (Streaming, Gaming) to entertain the passengers, who should no longer occupied with driving tasks.

More and more high-level algorithms are emerging to improve the existing systems in a car. Often these algorithms only need a platform with a bus connection and some resources such as CPU time and memory space. These functions can easily be integrated into existing systems that have free resources. This paper describes some encapsulation techniques and mechanisms that can be used in the automotive domain. The discussion also takes into account the additional resources consumed on the microcontroller to meet these requirements and by the software to implement the encapsulation mechanisms. Overviews of some general concepts of software-architectures that provide encapsulation are also shown.

This paper proposes end-to-end protection mechanisms to be added to a generic FlexRay network in order to achieve fault detection and integrity levels sufficient for a SIL3 fail safe communication system. The mechanisms are derived from the random hardware failure modes to be considered for communication controllers according to IEC 61508. Mechanisms provided by the FlexRay protocol are pointed out. Additional features necessary to fulfil the requirements are discussed. It is shown how to calculate the failure rate probabilities of the CRC used as a safety code with respect to EN 50159.

The increased pressure for power, space, and cost reduction in automotive applications together with the availability of high performance, automotive qualified multicore microcontrollers has lead to the ability to engineer Domain Controller ECUs that can host several separate applications in parallel. The standard automotive constraints however still apply, such as use of AUTOSAR operating system, support for legacy code, hosting OEM supplied code and the ability to determine warranty issues and responsibilities between a group of Tier 1 and Tier 2 vendors who all provide Intellectual Property to the final production ECU. Requirements for safety relevant applications add even more complexity, which in most current approaches demand a reconfiguration of all basic software layers and a major effort to redesign parts of the application code to enable co-existence on the same hardware platform. This paper outlines the conflicting requirements of hosting multiple applications.

Electronic Control Units of safety critical systems require constant monitoring of the hardware to be able to bring the system to a safe state if any hardware defects or malfunctions are detected. This monitoring includes memory checking, peripheral checking as well as checking the main processor core. However, checking the processor core is difficult because it cannot be guaranteed that the error will be properly detected if the monitor function is running on a processing system which is malfunctioning. To circumvent this issue, several previously presented monitoring concepts (e.g. SAE#2006-01-0840) employ a second external microprocessor to communicate with the main processor to check its integrity. This paper will present a concept which maps the functions of the external monitoring unit into an internal second processing core which are frequently available on modern, 32bit, monolithic, dual-core microcontrollers.

The German funded project ARAMiS included work on several demonstrators one of which was a multicore approach on large scale software integration (LSSI) for the automotive domain. Here BMW and Audi intentionally implemented two different integration platforms to gain both experience and real life data on a Hypervisor based concept on one side as well as using only native AUTOSAR-based methods on the other side for later comparison. The idea was to obtain figures on the added overhead both for multicore as well as safety, based on practical work and close-to-production implementations. During implementation and evaluation on one hand there were a lot of valuable lessons learned about multicore in conjunction with safety. On the other hand valuable information was gathered to make it finally possible to set up a cost model for estimation of potential overhead generated by different integration approaches for safety related software functions.

Advanced safety features and new services in connected cars depend on the security of the underlying vehicle functions. Due to the interconnection with the outside world and as a result of being an embedded system a modern vehicle is exposed to both, malicious activities as faced by traditional IT world systems as well as physical attacks. This introduces the need for utilizing hardware-assisted security measures to prevent both kinds of attacks. In this paper we present a survey of the different classes of hardware security devices and depict their different functional range and application. We demonstrate the feasibility of our approach by conducting a case study on an exemplary implementation of a function-on-demand use case. In particular, our example outlines how to apply the different hardware security approaches in practice to address real-world security topics. We conclude with an assessment of today’s hardware security devices.

A main challenge when developing next generation architectures for automated driving ECUs is to guarantee reliable functionality. Today’s fail safe systems will not be able to handle electronic failures due to the missing “mechanical” fallback or the intervening driver. This means, fail operational based on redundancy is an essential part for improving the functional safety, especially in safety-related braking and steering systems. The 2-out-of-2 Diagnostic Fail Safe (2oo2DFS) system is a promising approach to realize redundancy with manageable costs. In this contribution, we evaluate the reliability of this concept for a symmetric and an asymmetric Electronic Power Steering (EPS) ECU. For this, we use a Markov chain model as a typical method for analyzing the reliability and Mean Time To Failure (MTTF) in majority redundancy approaches. As a basis, the failure rates of the used components and the microcontroller are considered.

Developing automotive chassis applications is becoming increasingly complex due to cross-functional system interactions and the inherent safety critical nature of the systems involved. One consequence is the need for a rapid prototyping platform, targeted and tailored to meet the specific needs of the chassis domain. This paper describes an example of such an architecture for a chassis rapid prototyping system incorporating several Infineon TriCore embedded microcontrollers and Emulation Devices (ED), networked together by the Micro Link Interfaces (MLI). It also discusses how using such a development platform can lead to a significant reduction in the overall development time of a production intent chassis system.

ISO 26262 is the actual standard for Functional Safety of automotive E/E (Electric/Electronic) systems. One of the challenges in the application of the standard is the distribution of safety related activities among the participants in the supply chain. In this paper, the concept of a Safety Element out of Context (SEooC) development will be analyzed showing its current problematic aspects and difficulties in implementing such an approach in a concrete typical automotive development flow with different participants (e.g. from OEM, tier 1 to semiconductor supplier) in the supply chain. The discussed aspects focus on the functional safety requirements of generic hardware and software development across the supply chain where the final integration of the developed element is not known at design time and therefore an assumption based mechanism shall be used.