Power Distribution and Functional Safety
in the Context of Highly Automated Driving
Dr. Peter Grabs, Intedis GmbH & Co. KG
Udo Hornfeck, LEONI Bordnetz-Systeme GmbH
Outline
- Automated Driving Functions
- Hazard Analysis and Risk Assessment (HRA) for Highway Assist
- Functional Safety Concept
- Concepts for Energy Distribution
- Impact on Energy Distribution System
- Summary
© Intedis GmbH & Co. KG / LEONI Bordnetz-Systeme GmbH / All rights reserved
Automated Driving Functions
- Automated driving is one of the main trends
- Every company in the automotive industry is working on this
Automated Driving Functions
Priority use cases:
- Parking
- Traffic Jam
- Highway
- …
Highly Automated Highway Driving
- Highway driving
  - V = 130 kph
  - Curve radius min > 900 m 1); typical ~2000 m
- Highly automated driving -> ~5 s takeover time to regain vehicle control
  - Distance travelled -> 181 m
  - Lateral deviation for curves -> 18 m (R = 900 m); 8 m (R = 2000 m)
1) http://tu-dresden.de/die_tu_dresden/fakultaeten/vkw/ivs/gsa/dateien/raa_studenten.pdf
2) Hackenberg, Bennewald, Othersen (VW); Bongartz (Carmeq): "Licht oder Sound? Evaluation von diffusen Modalitäten zur Fahrerunterstützung während des teilautomatischen Fahrens", VDI Kongress 'Elektronik im Fahrzeug', Baden-Baden, Germany, 16th-17th November 2013
Concept phase activities (HRA)
HRA = Hazard analysis and risk assessment
- Method to identify and categorize hazardous events of items and to specify safety goals and ASILs related to the prevention or mitigation of the associated hazards in order to avoid unreasonable risk. (ISO 26262-1)
Severity
- Percentage classifications of the potential direct and cascaded / propagated injuries

Class | Description | Reference for single injuries (from AIS scale)
S0 | No injuries | AIS 0 and less than 10% probability of AIS 1-6
S1 | Light and moderate injuries | More than 10% probability of AIS 1-6 (and not S2 or S3)
S2 | Severe injuries, possibly life-threatening, survival probable | More than 10% probability of AIS 3-6 (and not S3)
S3 | Life-threatening injuries (survival uncertain) or fatal injuries | More than 10% probability of AIS 5-6

ISO 26262-3, Table B.1: Rear/front collision with another passenger car at medium speed -> S = 3
Exposure
- Probability of a human's exposure to a hazard in terms of time and location in particular scenarios during expectable (mis-)use cases.

Class | Description | Frequency of situation | Duration (% of average operating time)
E0 | Incredible | Not specified | Not specified
E1 | Very low probability | Less often than once a year | Not specified
E2 | Low probability | A few times a year | < 1% of average operating time
E3 | Medium probability | Once a month or more often | 1% - 10% of average operating time
E4 | High probability | Almost every drive | > 10% of average operating time

- NOT: probability of product fault/failure occurrences that lead to the hazard
ISO 26262-3, Table B.2: Highway drive -> E = 4
Controllability
- Probability of being able to withdraw oneself from the severity impact, thereby avoiding or alleviating the injury, once exposed to a hazard.
- May not reflect: warning concepts, implementations of safety goals

Class | Description | Drivers able to control the situation
C0 | Controllable in general | -
C1 | Simply controllable | 99% or more of all drivers
C2 | Normally controllable | 90% or more of all drivers
C3 | Difficult to control or uncontrollable | Less than 90% of all drivers

Average driver needs > 5 s! -> C = 3
HRA for Highly Automated Highway Driving
- Hazard: Loss of lateral control
- Severity -> S3
- Exposure -> E4
- Controllability -> C3
- Result: ASIL D

ASIL determination matrix (ISO 26262-3; S0 is always QM):
Severity | Exposure | C0 | C1 | C2 | C3
S1 | E1 | QM | QM | QM | QM
S1 | E2 | QM | QM | QM | QM
S1 | E3 | QM | QM | QM | A
S1 | E4 | QM | QM | A | B
S2 | E1 | QM | QM | QM | QM
S2 | E2 | QM | QM | QM | A
S2 | E3 | QM | QM | A | B
S2 | E4 | QM | A | B | C
S3 | E1 | QM | QM | QM | A
S3 | E2 | QM | QM | A | B
S3 | E3 | QM | A | B | C
S3 | E4 | QM | B | C | D

- Safety Goal: Prevent loss of lateral control for highly automated driving!
- Fail safe -> fail operational
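As an added example (not from the slides), the ASIL determination the HRA above performs, written as a function that encodes the rule behind the matrix, together with the takeover geometry from the highway slide. The closed-form rule (sum of S, E and C classes) was checked against every cell of the matrix; the lateral-deviation formula d^2 / (2R) is an assumption, since the slide does not state how its 18 m and 8 m were obtained.

```python
# Added example: ASIL determination and takeover geometry for the highway HRA.

# ISO 26262-3 ASIL matrix as a closed form (assumption, verified cell by cell):
# for S in 1..3, E in 1..4, C in 1..3 the ASIL depends only on S + E + C.
_LEVELS = {7: "A", 8: "B", 9: "C", 10: "D"}   # sums of 6 or less are QM


def determine_asil(s: int, e: int, c: int) -> str:
    """Return 'QM', 'A', 'B', 'C' or 'D' for a severity/exposure/controllability triple."""
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError(f"invalid HRA classification S{s} E{e} C{c}")
    if 0 in (s, e, c):
        # S0, E0 and C0 need no ASIL assignment -> QM
        return "QM"
    return _LEVELS.get(s + e + c, "QM")


def takeover_geometry(speed_kph: float, takeover_s: float, radius_m: float):
    """Distance driven while the driver regains control, and the lateral deviation
    a straight-running vehicle accumulates on a curve of the given radius.
    Deviation uses the sagitta approximation d^2 / (2R) (assumption, see lead-in)."""
    distance = speed_kph / 3.6 * takeover_s
    deviation = distance ** 2 / (2 * radius_m)
    return distance, deviation


if __name__ == "__main__":
    # The slide's case: S3 (medium-speed collision), E4 (highway drive),
    # C3 (the average driver needs more than the ~5 s takeover time).
    print("Highway assist, loss of lateral control:", determine_asil(3, 4, 3))
    for radius in (900, 2000):
        d, y = takeover_geometry(130, 5, radius)
        print(f"R = {radius} m: {d:.0f} m travelled, {y:.0f} m lateral deviation")
```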
ASIL D Requirements
An awful lot of process requirements!
Some requirements related to technical realization (not all are listed here!):
- ISO 26262-5 Tables 4 & 5: possible source for the derivation of the target "single-point fault metric" value and "latent-fault metric" value

ASIL | Single-point fault metric | Latent-fault metric
ASIL B | ≥ 90 % | ≥ 60 %
ASIL C | ≥ 97 % | ≥ 80 %
ASIL D | ≥ 99 % | ≥ 90 %

-> Redundancy!

- ISO 26262-5 Table 6: possible source for the derivation of the random hardware failure target values

ASIL | Random hardware failure target value
ASIL D | < 10^-8 h^-1

- …
-> Challenge!
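The following is an added example, not part of the presentation: a small calculation of the single-point fault metric and latent-fault metric for two constructed power-supply architectures, checked against the targets listed above. The element data and the failure-mode model (a dangerous fraction per element, a diagnostic coverage for its safety mechanism, a coverage for latent faults) are assumptions; the summed single-point and residual rate is used as a first-order PMHF estimate, which neglects dual-point contributions.

```python
# Added example: hardware architectural metrics versus the ASIL targets on the slide.
from dataclasses import dataclass

FIT = 1e-9  # one FIT = one failure per 1e9 hours


@dataclass
class Element:
    """One safety-related hardware element of the supply path (constructed data)."""
    name: str
    fit: float          # total failure rate in FIT
    sg_fraction: float  # share of failure modes that can violate the safety goal
    dc: float           # diagnostic coverage of its safety mechanism (0.0 = none)
    latent_dc: float    # coverage of faults that would otherwise stay latent

    @property
    def lam(self) -> float:
        return self.fit * FIT

    def single_point(self) -> float:  # dangerous faults with no safety mechanism
        return self.lam * self.sg_fraction if self.dc == 0 else 0.0

    def residual(self) -> float:      # dangerous faults the mechanism does not cover
        return self.lam * self.sg_fraction * (1 - self.dc) if self.dc > 0 else 0.0

    def latent(self) -> float:        # multiple-point faults neither detected nor perceived
        return (self.lam - self.single_point() - self.residual()) * (1 - self.latent_dc)


def metrics(elements):
    """SPFM and LFM as defined in ISO 26262-5; third value is the summed single-point
    plus residual rate, used as a first-order PMHF estimate (assumption)."""
    total = sum(e.lam for e in elements)
    spf_rf = sum(e.single_point() + e.residual() for e in elements)
    mpf_latent = sum(e.latent() for e in elements)
    return 1 - spf_rf / total, 1 - mpf_latent / (total - spf_rf), spf_rf


# SPFM/LFM targets from the slide; PMHF targets (1/h) from ISO 26262-5 Table 6,
# of which the slide shows only the ASIL D value.
TARGETS = {"B": (0.90, 0.60, 1e-7), "C": (0.97, 0.80, 1e-7), "D": (0.99, 0.90, 1e-8)}


def meets(asil: str, elements) -> bool:
    spfm, lfm, pmhf = metrics(elements)
    t_spfm, t_lfm, t_pmhf = TARGETS[asil]
    return spfm >= t_spfm and lfm >= t_lfm and pmhf < t_pmhf


# Constructed architectures: an unmonitored single path versus a monitored, isolating one.
SINGLE_PATH = [Element("battery path", 200, 0.5, 0.0, 0.0),
               Element("DC/DC converter", 100, 0.5, 0.0, 0.0)]
ISOLATING = [Element("battery path", 200, 0.5, 0.99, 0.95),
             Element("DC/DC converter", 100, 0.5, 0.99, 0.95),
             Element("isolation switch + monitor", 50, 0.2, 0.99, 0.95)]
```

Without a safety mechanism the single path reaches an SPFM of only 50 %, so no ASIL B, C or D target is met; the monitored architecture passes all three ASIL D checks with the constructed numbers.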
Functional Safety Concept
- Derive safety concept
- Transfer safety concept into system architecture
- Allocation of safety requirements to system elements

Safety requirement decomposition (each requirement ASIL D):
- No loss of lateral control
  - No loss of actuators -> Actuator 1, Actuator 2
  - No loss of power supply -> ?
  - …
Concepts for Energy Distribution - Strategies
Mechanical fall-back
- Driver is out of the loop!
- No longer feasible!
Duplication
- Two power sources, storages and wiring harnesses
- Additional weight and components
- Freedom from interference to be shown!
Failure isolation
- One power distribution system
- Switching elements needed
- Can be combined with decentralized power distribution
Concepts for Energy Distribution - Isolation Topologies
Linear
- Direct connection between battery (trunk) and current source (engine compartment)
[Diagram: PDN Front Right, PDN Rear Right, PDN Front Left, PDN Rear Left, PDN Engine, DC/DC converter]
[Diagram: PDN Engine, PDN Front, PDN Middle, PDN Rear, DC/DC converter]
Ring
- Connection between battery (trunk) and current source (engine compartment)
- Ring shape to reduce individual wire diameter
- Inherent redundancy for loss of one connection
Triangle, Pentagram, Chaos, etc. -> ?
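As an added example (not part of the presentation), a connectivity check that makes the "inherent redundancy for loss of one connection" claim concrete: both topologies are modelled as graphs of PDNs joined by main wires, a short to ground on one wire is either isolated by switching elements or not, and the linear and ring layouts are compared under an N-1 criterion. Node names follow the slide's PDN labels; the assumption that the DC/DC converter feeds PDN Engine directly and that the battery sits in the trunk is the author's here, not the slide's.

```python
# Added example: single-wire fault tolerance of the linear and ring topologies.
from collections import deque

# Constructed topologies (assumption: DC/DC feeds PDN Engine, battery is in the trunk).
SOURCES = {"PDN Engine", "Battery"}
LINEAR = [("PDN Engine", "PDN Front"), ("PDN Front", "PDN Middle"),
          ("PDN Middle", "PDN Rear"), ("PDN Rear", "Battery")]
RING = [("PDN Engine", "PDN Front Left"), ("PDN Front Left", "PDN Rear Left"),
        ("PDN Rear Left", "Battery"), ("Battery", "PDN Rear Right"),
        ("PDN Rear Right", "PDN Front Right"), ("PDN Front Right", "PDN Engine")]


def nodes(wires):
    return {n for wire in wires for n in wire}


def reachable(wires, start):
    """Breadth-first search over the intact wires; returns every node connected to start."""
    adj = {}
    for a, b in wires:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in adj.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def supplied_after_short(wires, faulty, isolated=True):
    """Nodes still supplied after a short to ground on `faulty`. With switching
    elements the wire is cut out at both ends; without isolation the short drags
    down every node that stays connected to it (all of them, in both layouts)."""
    if not isolated:
        return nodes(wires) - reachable(wires, faulty[0])
    remaining = [w for w in wires if w != faulty]
    return set().union(*(reachable(remaining, s) for s in SOURCES))


def stays_supplied(wires):
    """Every PDN keeps at least one source after any single isolated wire fault."""
    return all(supplied_after_short(wires, w) == nodes(wires) for w in wires)


def keeps_both_sources(wires):
    """N-1 criterion: every PDN still reaches every source after any single wire loss."""
    return all(reachable([x for x in wires if x != w], s) == nodes(wires)
               for w in wires for s in SOURCES)
```

Both layouts keep every PDN supplied after an isolated fault, but only the ring keeps both sources available to every PDN; in the linear layout each half falls back to a single source, which is the battery-only situation the simulation slide flags.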
Impact on Energy Distribution System - Idea to Vehicle
Development steps from idea to vehicle: Requirements, Simulation, Model Test, HW-Prototype, HIL Test, Vehicle Integration
Impact on Energy Distribution System - Simulation Results
Simulation
- Matlab/Simulink model using Intedis Energy Simulation
- Utilizing generic models for loads, wires, battery, and DC/DC converter
- Worst case scenario + AES maneuver
Results
- Low voltage due to internal resistance in battery
- High voltage drop between PDNs due to reversed current path
Countermeasures
-> Use Li-Ion battery
-> Reduce base load
-> Increase wire diameter
Impact on Energy Distribution System - Model Testing
Model Test
- 1:5 model
- Fault injection of shorts to ground in main wires
Results
- Results fit very well to expected behaviour
Summary
- Highly automated driving imposes fault tolerance requirements
- Relevant for energy distribution system as well
- Presented a power distribution concept answering these challenges
  - Utilizing power redundancy
  - Fault tolerance by isolation of failures
  - Flexible ring-topology with inherent redundancy
  - Lower extra cost and weight
- Holistic concept needed and mandatory for platform-wide rollout of automated driving functions
Thank you for your attention!