Continental is adding a further safety level to highly automated driving in the form of a specific electronics architecture. In addition to a central control unit for automated driving – the Assisted & Automated Driving Control Unit – the technology company uses a Safety Domain Control Unit (SDCU) as a fallback path in order to stop the vehicle safely, even in the event of a functional failure in the primary automation path. As such, Continental is systematically using the principle of redundancy and diverse design that has already proven itself in the aviation sector. There are one or more fallback paths for every central system and they are independent of each other. Since the SDCU also acts as the airbag control unit, its priority availability – including energy reserve and a crashproof installation location in the vehicle – is guaranteed.
With the additional fallback path of the SDCU, Continental ensures that the vehicle can still be brought to a safe stop if the main automation functionality fails. Conventional safety-relevant systems currently in use have been designed with fail-safe in mind. This means that if the system malfunctions, safety is maintained by identifying the fault and putting the faulty system out of operation. This approach is possible because the driver is still at hand as a fail-safe to brake and steer manually, for example, if required. “It is precisely this fallback path that may not be available in highly automated vehicles, since the driver is allowed to focus on other things and cannot be requested, in a fraction of a second, to take control of the vehicle immediately after a possible failure,” said Maged Khalil, Head of Advanced Systems Architecture Design at Systems & Technology in the Chassis & Safety division. Every highly automated vehicle must therefore be able to stop automatically. Level 4 vehicles such as the Cruising Chauffeur from Continental are prepared for this.
If, despite being requested, the driver does not take action, the car performs a minimum risk maneuver. This means that the vehicle automatically drives to the breakdown lane and stops there. If there is no breakdown lane or if it is blocked, it stops in the lane with the hazard lights on or it drives on, slowing down gently until it finds a suitable place, where it can stop safely.
If the driver is not available to take control of the vehicle, the system must switch over from a “fail-safe” to a “fail-operational” mode by maintaining functionality with a high degree of reliability in every case. “With the fallback path of a second independent control unit, which is also able to stop the car, a highly automated vehicle has a safety net,” continues Khalil. “If a fault occurs, this means the vehicle can still come to a safe stop even without any driver intervention. This element of trust is key to the acceptance of automated driving.”
Two automation paths – one goal: safe stop
The vehicle must come to a safe stop if it detects an unsafe state in the system and the driving function cannot be maintained either by the primary automation path or by the driver. “The primary automation path must also be able to switch off without impairing safety,” explained Bardo Peters, Head of Innovation Management Occupant Safety & Inertial Sensors in the Passive Safety & Sensorics business unit. “Only by means of genuine redundancy can all possible failure scenarios be covered.” The SDCU is completely independent of the central control unit such as the Assisted & Automated Driving Control Unit, and features an automation solution that has been designed for the job of the minimum risk maneuver.
Both the central control unit and the SDCU monitor each other continuously with regard to availability and functionality. If just one path is no longer capable of controlling the vehicle or perform the minimum risk maneuver safely, the other path initiates the safe stop in an emergency. “This permanent monitoring detects if a path is no longer available. For this reason, the other path would then perform the minimum risk maneuver in such situations,” added Dr. Lutz Kühnke, Head of Segment Occupant Safety & Inertial Sensors in the Passive Safety & Sensorics business unit. The fallback path intervenes in accordance with a finely graduated degradation concept, depending on the severity of the problem detected. For self-monitoring as well as mutual monitoring of the paths, Continental uses innovative software functions such as effective fault management and intelligent monitoring of the signal consistencies.