CN112849262A

CN112849262A - Functional safety concept stage analysis method for intelligent vehicle transverse control system

Info

Publication number: CN112849262A
Application number: CN202110187503.4A
Authority: CN
Inventors: 赵健; 卜纯研; 朱冰; 杜金朋; 孟鹏翔; 姜景文; 靳万里
Original assignee: Jilin University
Current assignee: Jilin University
Priority date: 2021-02-08
Filing date: 2021-02-08
Publication date: 2021-05-28

Abstract

The invention discloses a functional safety concept stage analysis method for an intelligent vehicle transverse control system, which comprises the following steps: firstly, defining system functions and related items; secondly, analyzing an operation scene; thirdly, analyzing the damage; fourthly, risk assessment is carried out; fifthly, exporting a safety target; and sixthly, requiring functional safety. The invention has the beneficial effects that: the invention considers the whole vehicle level function safety technology of the intelligent vehicle transverse control system, sets out a function safety target according to a function fault and a function failure mode from the function safety definition, considers the architecture design of the system, decomposes the function safety target of the system to each electronic and electrical component through fault tree analysis to form the function safety requirement of each component, fills the blank of the related safety technical field, and ensures the reasonable design of the subsequent safety control strategy and the fault-tolerant control algorithm, thereby achieving the purpose of effectively ensuring the life and property safety of passengers and other traffic participants.

Description

Functional safety concept stage analysis method for intelligent vehicle transverse control system

Technical Field

The invention relates to a control system functional safety concept stage analysis method, in particular to an intelligent vehicle transverse control system functional safety concept stage analysis method.

Background

In recent years, a major trend in the automotive industry is to continuously increase the level of automation of vehicles, and in the long term, to achieve fully automated driving of vehicles. In order to ensure the safety of the automatic driving vehicle and promote the benign development of the automatic driving automobile industry, the society of automotive engineers (SAE for short) in the united states classifies the automatic driving technology into six grades of 0, 1, 2, 3, 4 and 5. Wherein 0 belongs to traditional driving, namely manual driving; 1 and 2 belong to assisted driving, i.e. the system provides driving assistance to the driver; 3, the vehicle can realize the automatic driving of most road conditions under the condition of automatic driving; 4. and 5, belonging to an automatic driving system, namely the vehicle can realize unmanned driving.

It can be seen from the automatic driving traffic accidents occurring in recent years from companies such as Uber, Google, tesla, etc., that as the automatic driving level increases, the compensation effect of the driver in the safety concept gradually disappears, and higher requirements are also put on the functional safety of the whole product life cycle of the vehicle, before the vehicle reaches the level L2, the driver usually uses the input of the driver and the mechanical or hydraulic connection between the wheels to compensate or alleviate the fault behavior during the vehicle running process as the compensation strategy in the safety concept, when the vehicle reaches the level L4, the compensation strategy of the level L5 disappears, and similarly, when the vehicle reaches the level L3, the driver takes over the control of the vehicle only after a defined period of time. Thus, more new hazards and risks are presented in the context of autonomous driving.

At present, the ISO26262 standard is applied to develop and design practical function systems, and no relevant research aiming at the functional safety technology of the whole vehicle level is developed by an intelligent vehicle automatic driving auxiliary system, while functional safety concept stage analysis is the premise of functional safety design of the whole system, and reasonable concept stage analysis is beneficial to formulation of a subsequent safety control strategy and development of a fault-tolerant control algorithm, so that the functional safety concept stage analysis of the intelligent vehicle transverse control system is effectively developed, and the method has great significance for ensuring personal and property safety of passengers and other traffic participants.

Disclosure of Invention

The invention aims to provide a functional safety concept stage analysis method of an intelligent vehicle transverse control system, which aims to effectively perform functional safety concept stage analysis of the intelligent vehicle transverse control system so as to ensure personal and property safety of passengers and other traffic participants.

The invention provides a functional safety concept stage analysis method of an intelligent vehicle transverse control system, which comprises the following steps:

first step, system function and related item definition: defining and describing related items, including functions, components, working modes and interaction with other related items at the vehicle level, and specifically comprises the following steps:

step one, describing functions of related items: the intelligent vehicle transverse control mainly comprises a decision-making part and an execution part, wherein the decision-making part mainly refers to a top layer controller, namely a path tracking controller, the execution part refers to an EPS system, an upper layer automatic driving controller plans a vehicle running path according to road information and vehicle state information on a highly structured road, the information is input to the vehicle path tracking controller, the path tracking controller obtains a deviation between a vehicle and an expected path according to input vehicle condition information and the planned path, and then calculates a steering wheel turning angle quantity required by path tracking, and the EPS system controls an EPS system power-assisted motor to drive a mechanical execution mechanism according to an error between an expected steering wheel turning angle signal and a turning angle measured value input by the top layer controller, so that the transverse motion control of the vehicle is realized;

step two, defining the range of related items: the related items of the transverse control system mainly comprise a path tracking control unit, an EPS subsystem and an input/output interface which interacts with a human-computer interaction system, an automatic driving system, a power supply system and vehicle state information;

step three, defining system functions and interfaces: the component layer functions of the related item internal interface comprise providing steering wheel angle information; providing steering torque information; providing motor position information; collecting information of each module for calculation, and outputting a current control signal; controlling the motor according to a current control signal output by the EPS control unit; providing expected rotation angle information; the external interface component layer has the functions of providing vehicle speed and vehicle position and posture state information; providing vehicle gear information; providing expected planned path information of the vehicle; providing system function switch information; supplying power to components in the system; sending system fault information;

step four, the working mode is as follows: the main working modes of the transverse control system comprise failure, inhibition, standby, activation and exit;

secondly, analyzing the operation scene: setting the intelligent vehicle to automatically run along a lane line of the expressway under the conditions of good road and traffic conditions;

thirdly, hazard analysis: adopting an analysis method of hazard and maneuverability analysis, carrying out hazard analysis on functions of a transverse control system, and considering the running scene of an automatic driving vehicle running along a lane on an expressway to obtain a possibly generated hazard event on the whole vehicle level, wherein the unexpected lateral movement causes the vehicle to deviate from a planned running path;

fourthly, risk assessment: carrying out automobile integrity safety grade analysis on the hazard events through the severity, the exposure probability and the controllability to obtain the highest grade of the hazard events of the whole automobile layer, wherein the hazard events are ASIL D grades;

fifthly, deriving a safety target, namely determining the ASIL D grade safety target of the system through the analysis to avoid the deviation of the vehicle from the lane caused by unexpected lateral movement;

considering the architecture design of the system, decomposing the functional safety target of the system to each electronic and electrical component through fault tree analysis to form the functional safety requirements of each component, and combining to obtain the functional safety requirements of the transverse control system, wherein the functional safety requirements comprise the following aspects:

FSR 1: to ensure that the path tracking control unit which would cause a violation of the safety target SG1 works properly;

FSR 2: to ensure that the motor position signal that would result in a breach of the safety goal SG1 is correct;

FSR 3: to ensure that the torque signal that would result in a breach of the safety goal SG1 is correct;

FSR 4: to ensure that the steering wheel angle signal that would result in a violation of the safety target SG1 is correct;

FSR 5: to ensure that the EPS control unit that would result in a violation of the safety target SG1 is functioning properly;

FSR 6: to ensure that the motor drive unit that would cause a violation of the safety goal SG1 is functioning properly;

FSR 7: ensuring that the booster motor which can cause violation of the safety target SG1 works normally;

the FSR8 ensures that the CAN bus which CAN cause the violation of the safety target SG1 works normally;

FSR 9: to ensure that the system function switch signal that would result in a breach of the safety goal SG1 is correct;

FSR 10: to ensure that the system power supply that would result in a breach of the safety goal SG1 is normal;

FSR 11: to ensure that the shift signal that would result in a violation of the safety target SG1 is correct;

FSR 12: to ensure that the expected path information that would result in a breach of the security objective SG1 is correct;

FSR 13: to ensure that the vehicle status signal that would result in a breach of the safety target SG1 is correct; :

FSR 14: the system can be detected in a short time after a fault occurs, and a corresponding fault code is output;

FSR 15: the system can send out warning and remind the driver to pay attention when the fault is detected;

FSR 16: the redundant fault-tolerant measures are required to ensure that the vehicle is transited to a safe state when the system fails;

FSR 17: the system is ensured to enable the vehicle to transition to a safe state within a fault tolerance time interval;

FSR 18: ensuring that the maximum transverse error of the vehicle deviating from the planned path is less than an X value;

FSR 19: hazards resulting from multiple control requests being arbitrated improperly resulting from different functions concurrently are avoided or mitigated.

The invention has the beneficial effects that:

the invention considers the whole vehicle level function safety technology of the intelligent vehicle transverse control system, sets out a function safety target according to a function fault and a function failure mode from the function safety definition, considers the architecture design of the system, and decomposes the function safety target of the system to each electronic and electrical component through fault tree analysis to form the function safety requirement of each component, fills the blank of the related safety technical field, and ensures the reasonable design of the subsequent safety control strategy and the fault-tolerant control algorithm, thereby achieving the purpose of effectively ensuring the life property safety of passengers and other traffic participants.

Drawings

Fig. 1 is a schematic diagram of an initial architecture of a related item of the intelligent vehicle lateral control system according to the invention.

FIG. 2 is a logic diagram of a first case of fault tree analysis according to the present invention.

FIG. 3 is a logic diagram of a second scenario of fault tree analysis according to the present invention.

FIG. 4 is a logic diagram of a third scenario of fault tree analysis according to the present invention.

FIG. 5 is a logic diagram illustrating a fourth scenario of fault tree analysis according to the present invention.

FIG. 6 is a logic diagram of a fifth scenario of fault tree analysis according to the present invention.

Detailed Description

Please refer to fig. 1 to 6:

step one, describing functions of related items: the intelligent vehicle transverse control mainly comprises a decision-making part and an execution part, wherein the decision-making part mainly refers to a top layer controller, namely a path tracking controller, and the execution part refers to an EPS system. On a highly structured road, an upper-layer automatic driving controller plans a vehicle running path according to road information and vehicle state information, the information is input to a vehicle path tracking controller, the path tracking controller obtains deviation between a vehicle and an expected path according to the input vehicle condition information and the planned path, and accordingly calculates steering wheel turning angle quantity required by path tracking, and an EPS system controls an EPS system power motor to drive a mechanical execution mechanism according to an error between an expected steering wheel turning angle signal and a turning angle measured value input by a top-layer controller, so that transverse motion control of the vehicle is realized.

Step two, defining the range of related items: as shown in fig. 1, the related items of the lateral control system mainly include a path tracking control unit, an EPS subsystem, and an input/output interface for interacting with a human-computer interaction system, an automatic driving system, a power supply system, and vehicle state information.

Step three, defining system functions and interfaces: the specific functions of the system and the definition of the internal and external interfaces are shown in the following table I, wherein the interfaces comprise two parts, namely a system external interface and a system internal interface, 1-6 in the table are internal interfaces, and 7-12 in the table are external interfaces.

Table one, system function and interface definition

Step four, the working mode is as follows: the main operating modes of the lateral control system include fail, inhibit, standby, activate and exit operating conditions for the specific respective operating modes as shown in table two below.

TABLE II System mode of operation

Secondly, analyzing the operation scene: the intelligent vehicle is set to automatically run along the lane line of the expressway under the condition of good road and traffic conditions.

Thirdly, hazard analysis: the method for analyzing the damage and maneuverability analysis (HAZOP) is adopted, and referring to HAZOP research-application guide, IEC61882:2001, the following 5 guide words are listed to carry out damage analysis on the functions of the transverse control system and consider the operation scene that the automatic driving vehicle runs along the lane on the expressway, and each abnormal function is further analyzed to show the possible damage events on the whole vehicle level, as shown in the table three

TABLE III transverse control system hazard analysis

Fourthly, risk assessment: the severity (E), exposure probability (S), controllability (C) were used to perform an analysis of the safety integrity class (ASIL) of the hazard event as shown in Table four below.

TABLE IV ASIL evaluation

Fifthly, exporting the safety target: through the analysis, the safety target of the system and the related attribute value thereof can be obtained as shown in the following table five.

TABLE V safety goals

Considering the architecture design of the system, decomposing the functional safety target of the system to each electronic and electrical component through fault tree analysis shown in fig. 2 to 6 to form functional safety requirements of each component, and combining to obtain the Functional Safety Requirement (FSR) of the transverse control system, wherein the Functional Safety Requirement (FSR) comprises the following aspects:

Claims

1. A functional safety concept stage analysis method for an intelligent vehicle transverse control system is characterized by comprising the following steps: the method comprises the following steps:

step one, describing functions of related items: the intelligent vehicle transverse control mainly comprises a decision-making part and an execution part, wherein the decision-making part mainly refers to a top layer controller, namely a path tracking controller, the execution part refers to an EPS system, an upper layer automatic driving controller plans a vehicle running path according to road information and vehicle state information on a highly structured road, the information is input to the vehicle path tracking controller, the path tracking controller obtains the deviation between a vehicle and an expected path according to the input vehicle condition information and the planned path, so as to calculate the steering wheel turning angle quantity required by path tracking, and the EPS system controls an EPS system power-assisted motor to drive a mechanical execution mechanism according to the error between an expected steering wheel turning angle signal and a turning angle measurement value input by the top layer controller, so that the transverse motion control of the vehicle is realized;

step two, defining the range of related items: the related items of the transverse control system mainly comprise a path tracking control unit, an EPS subsystem and an input/output interface for interacting with a man-machine interaction system, an automatic driving system, a power supply system and vehicle state information;

step three, defining system functions and interfaces: the component layer functions of the related item internal interface comprise providing steering wheel angle information; providing steering torque information; providing motor position information; collecting information of each module to calculate, and outputting a current control signal; controlling the motor according to a current control signal output by the EPS control unit; providing expected rotation angle information; the external interface component layer has the functions of providing vehicle speed and vehicle pose state information; providing vehicle gear information; providing expected planned path information of the vehicle; providing system function switch information; supplying power to components in the system; sending system fault information;

thirdly, hazard analysis: adopting an analysis method of hazard and maneuverability analysis, carrying out hazard analysis on functions of a transverse control system, and considering an operation scene that an automatic driving vehicle runs along a lane on an expressway to obtain a possible hazard event on the whole vehicle layer, wherein the vehicle deviates from a planned running path due to unexpected lateral motion;