Search Results

The trend towards even more sophisticated driver assistance systems and growing automation of driving sets new requirements for the robustness and availability of the involved automotive systems. In case of an error, today it is still sufficient that safety related systems just fail safe or silent to prevent safety related influence of the driving stability resulting in a functional deactivation. But the reliance on passive mechanical fallbacks in which the human driver taking over control, being inevitable in such a scenario, is expected to get more and more insufficient along with a rising degree of driving automation as the driver will be given longer reaction time. The advantage of highly or even fully automated driving is that the driver can focus on other tasks than controlling the car and monitoring it’s behavior and environment.

Electronic Control Units of safety critical systems require constant monitoring of the hardware to be able to bring the system to a safe state if any hardware defects or malfunctions are detected. This monitoring includes memory checking, peripheral checking as well as checking the main processor core. However, checking the processor core is difficult because it cannot be guaranteed that the error will be properly detected if the monitor function is running on a processing system which is malfunctioning. To circumvent this issue, several previously presented monitoring concepts (e.g. SAE#2006-01-0840) employ a second external microprocessor to communicate with the main processor to check its integrity. The addition of a second microcontroller and the associated support circuitry that is required adds to the overall costs of the ECU, increases the size and creates significant system complexity.

The anti-lock braking system (ABS) is a widespread driver assistance system which allows a short braking distance while simultaneously maintaining the stability and steerability of the car. Vehicles with electric single-wheel drive offer many possibilities of improving the energy efficiency and the braking performance during ABS braking. In this paper, two different ways of including the electric machines in the ABS are analyzed in detail: the damping of torsional drive train vibrations in combination with recuperation and the dynamic split of the braking torque, where the hydraulic braking torque is kept constant and the dynamic modulation of the braking torque is performed by the electric machines. The damping algorithm is developed on the basis of a linearized model of the drive train and the tire-road contact by using state feedback and pole placement methods. Simulation results with a detailed multi-body system show the effectiveness of the control algorithms.

Cooling drag is the increase in the total drag due to the internal flow in the cooling system. Because of the high flow resistance in the heat exchanger the momentum of the fluid needed for engine cooling usually is dissipated nearly completely. The resulting drag penalty can be approximated by the so called ram drag. For ground vehicles the cooling drag is typically lower than this approximation due to positive interference of the cooling flow with the general flow around the vehicle. Different mechanisms for the positive interference have been described in the literature. Inlet interference as well as outlet interference can result in significant reduction of the share of the cooling drag. Positive outlet interference is obtained, when the remaining kinetic energy of the cooling flow contributes significant thrust to the overall momentum balance.

Today, body vibration energy of passenger cars gets dissipated by linear working shock absorbers. A new approach substitutes the damper of a passenger car by a cardanic gimbaled flywheel mass. The constructive design leads to a rotary damper in which the vertical movement of the wheel carrier leads to revolution of the rotational axis of the flywheel. In this arrangement, the occurring precession moments are used to control damping moments and to store vibrational energy. Different damper characteristics are achieved by different induced precession. From almost zero torque output to high torque output, this damper has a huge spread. Next to the basic principal, in this paper an integration in the chassis, including a constructive proposal is shown. A conflict with high torque and high angular velocity leads to a special design. Moreover concepts to deal with all vehicle situations like yawing, rolling and pitching are shown.

The increased pressure for power, space, and cost reduction in automotive applications together with the availability of high performance, automotive qualified multicore microcontrollers has lead to the ability to engineer Domain Controller ECUs that can host several separate applications in parallel. The standard automotive constraints however still apply, such as use of AUTOSAR operating system, support for legacy code, hosting OEM supplied code and the ability to determine warranty issues and responsibilities between a group of Tier 1 and Tier 2 vendors who all provide Intellectual Property to the final production ECU. Requirements for safety relevant applications add even more complexity, which in most current approaches demand a reconfiguration of all basic software layers and a major effort to redesign parts of the application code to enable co-existence on the same hardware platform. This paper outlines the conflicting requirements of hosting multiple applications.

Electronic Control Units of safety critical systems require constant monitoring of the hardware to be able to bring the system to a safe state if any hardware defects or malfunctions are detected. This monitoring includes memory checking, peripheral checking as well as checking the main processor core. However, checking the processor core is difficult because it cannot be guaranteed that the error will be properly detected if the monitor function is running on a processing system which is malfunctioning. To circumvent this issue, several previously presented monitoring concepts (e.g. SAE#2006-01-0840) employ a second external microprocessor to communicate with the main processor to check its integrity. This paper will present a concept which maps the functions of the external monitoring unit into an internal second processing core which are frequently available on modern, 32bit, monolithic, dual-core microcontrollers.

In ride comfort as well as driving dynamics, the behavior of the vehicle is affected by several subsystems and their properties. When analyzing the suspension, especially the characteristics of the main spring and damper but also rubber bushings are of main importance. Still, the properties of the different components are dependent on the present operating conditions. Concerning rubber bushings, several effects have already been investigated, e.g. dependencies of the transfer function of frequency, amplitude or load history. In this context influences of changes in temperature are often neglected. However, in the following research, the focus specifically lies on determination and analysis of the temperature dependency of rubber bushings. For this purpose, initially the relationship between properties of pure rubber and rubber bushings is described, which serves as a basis for correlating respective temperature dependencies.

Advanced safety features and new services in connected cars depend on the security of the underlying vehicle functions. Due to the interconnection with the outside world and as a result of being an embedded system a modern vehicle is exposed to both, malicious activities as faced by traditional IT world systems as well as physical attacks. This introduces the need for utilizing hardware-assisted security measures to prevent both kinds of attacks. In this paper we present a survey of the different classes of hardware security devices and depict their different functional range and application. We demonstrate the feasibility of our approach by conducting a case study on an exemplary implementation of a function-on-demand use case. In particular, our example outlines how to apply the different hardware security approaches in practice to address real-world security topics. We conclude with an assessment of today’s hardware security devices.

A main challenge when developing next generation architectures for automated driving ECUs is to guarantee reliable functionality. Today’s fail safe systems will not be able to handle electronic failures due to the missing “mechanical” fallback or the intervening driver. This means, fail operational based on redundancy is an essential part for improving the functional safety, especially in safety-related braking and steering systems. The 2-out-of-2 Diagnostic Fail Safe (2oo2DFS) system is a promising approach to realize redundancy with manageable costs. In this contribution, we evaluate the reliability of this concept for a symmetric and an asymmetric Electronic Power Steering (EPS) ECU. For this, we use a Markov chain model as a typical method for analyzing the reliability and Mean Time To Failure (MTTF) in majority redundancy approaches. As a basis, the failure rates of the used components and the microcontroller are considered.

ISO 26262 is the actual standard for Functional Safety of automotive E/E (Electric/Electronic) systems. One of the challenges in the application of the standard is the distribution of safety related activities among the participants in the supply chain. In this paper, the concept of a Safety Element out of Context (SEooC) development will be analyzed showing its current problematic aspects and difficulties in implementing such an approach in a concrete typical automotive development flow with different participants (e.g. from OEM, tier 1 to semiconductor supplier) in the supply chain. The discussed aspects focus on the functional safety requirements of generic hardware and software development across the supply chain where the final integration of the developed element is not known at design time and therefore an assumption based mechanism shall be used.

In the context of the ARAMiS project, AUDI AG contributed the development of a multi-core demonstrator based on car functions already in production. For this demonstrator, these legacy car functions were ported from single-core platforms to a multi-core platform to gain real world close-to-production experience while utilizing the new technology. For complex functions with high demands for computational resources, it may be necessary to distribute computation over several cores. In this context, we investigated the parallelization of a legacy sequential AUTOSAR function. A main contribution of this work is an analysis of mechanisms provided by AUTOSAR, their limitations and, possible remedy. This paper will point out observations and experiences during the development of this demonstrator and show practical solutions for parallelization in an AUTOSAR environment.

The increasing complexity of automotive functions which are necessary for improved driving assistance systems and automated driving require a change of common vehicle architectures. This includes new concepts for E/E architectures such as a domain-oriented vehicle network based on powerful Domain Control Units (DCUs). These highly integrated controllers consolidate several applications on different safety levels on the same ECU. Hence, the functions depend on a strictly separated and isolated implementation to guarantee a correct behavior. This requires middleware layers which guarantee task isolation and Quality of Service (QoS) communication have to provide several new features, depending on the domain the corresponding control unit is used for. In a first step we identify requirements for a middleware in automotive DCUs. Our goal is to reuse legacy AUTOSAR based code in a multicore domain controller.