The statements in this section merely provide background information related to the present disclosure and may not constitute prior art.
Modern vehicles are equipped with over 100 control devices, 1000 plug connections and up to 4 km of cable in the on-board electrical system. The on-board electrical system and its components are therefore a significant source of failure risk. In addition, new functions are being introduced into vehicles that pose an increased hazard to the occupants and to the environment in the event of a failure. Safety-relevant vehicle functions in particular must therefore be viewed from the perspective of functional safety, i.e. the impact of a failure on the vehicle function is taken into account already during the concept and development phases. Autonomous driving systems are functions relevant to functional safety and must be given special attention in future safety concepts.
Partially autonomous functions such as automated steering in the parking function are already in use in today's road traffic. These functions are designed as fail-safe functions: after a fault has occurred (fail), the “off” state is assumed (safe) and the driver is informed via visual/acoustic instruments. Consideration of the functional safety of such functions therefore often ends today at the connector of the control device, since an interruption or failure of the power supply leads directly to the safe “switched off” state. Thus there is no need for a safety concept at the power supply level that connects various components together.
Automated driving systems on the other hand must be designed as “fail-operational” with a fault status transition to the safe “on” state. The failure of the power supply (supply line) or communications (bus line) for this function may result in a direct endangerment of passengers and people from the surroundings. This safe “on” or “switched-on” state must be maintained and executed in an appropriate safety mode for as long as it takes for the vehicle to be brought to a stop in a safe location or until the driver can take over control of the vehicle.
The vital functions of highly automated driving such as steering and braking are classified by vehicle manufacturers (OEMs) at the highest safety level (ASIL D) because of their possible damaging effects and the occupants' low fault controllability. The classification takes into account the gravity of the fault and the endangerment of the user or of the surroundings (severity), the likelihood of occurrence (exposure), i.e. the combination of malfunction and operational situation, and the ability to control the fault (controllability). This is referred to as the ASIL classification, which distinguishes four levels of ASIL (automotive safety integrity level), A to D, with ASIL D being the highest safety level, at a required failure probability of less than 10^-8/hour.
Against the background of the hazard and risk analysis and the ASIL D classification, OEMs are currently developing safety architectures for a safe power supply in the on-board electrical system. The approaches taken can be summarized as follows:
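The severity/exposure/controllability classification described above can be evaluated mechanically. The following Python script is an added example, not part of the patent text: it encodes the ASIL determination table of ISO 26262-3 (Table 4), derives the level for a few constructed hazard scenarios whose S/E/C ratings are illustrative assumptions, and compares a given failure rate with the ASIL D target quoted above (below 10^-8 per hour). Targets for ASIL A to C are not given on the page and are therefore not checked.

```python
"""ASIL determination from severity, exposure and controllability.

Added example (not from the patent): evaluates the three-parameter ASIL
classification with the ISO 26262-3 Table 4 lookup and checks a failure
rate against the ASIL D target of less than 1e-8 per hour.
"""

# ISO 26262-3, Table 4: (S, E, C) -> ASIL, indexed as [S-1][E-1][C-1].
# Exposure class E0 ("incredible") carries no ASIL requirement and is omitted.
_ASIL_TABLE = [
    # S1: light and moderate injuries
    [["QM", "QM", "QM"], ["QM", "QM", "QM"], ["QM", "QM", "A"], ["QM", "A", "B"]],
    # S2: severe injuries, survival probable
    [["QM", "QM", "QM"], ["QM", "QM", "A"], ["QM", "A", "B"], ["A", "B", "C"]],
    # S3: life-threatening or fatal injuries
    [["QM", "QM", "A"], ["QM", "A", "B"], ["A", "B", "C"], ["B", "C", "D"]],
]


def asil_level(severity, exposure, controllability):
    """Return 'QM' or 'A'..'D' for severity S1..S3, exposure E1..E4, controllability C1..C3."""
    if not (1 <= severity <= 3 and 1 <= exposure <= 4 and 1 <= controllability <= 3):
        raise ValueError("expected S1-S3, E1-E4, C1-C3")
    return _ASIL_TABLE[severity - 1][exposure - 1][controllability - 1]


# Failure-rate target quoted on the page for ASIL D: less than 1e-8 per hour.
ASIL_D_MAX_FAILURE_RATE_PER_HOUR = 1e-8


def meets_asil_d_target(failure_rate_per_hour):
    """True when a function's random-hardware failure rate stays below the ASIL D target."""
    return failure_rate_per_hour < ASIL_D_MAX_FAILURE_RATE_PER_HOUR


# Constructed sample hazard scenarios; the S/E/C ratings are illustrative assumptions.
SAMPLE_SCENARIOS = [
    # loss of automated steering at highway speed: life-threatening, frequent, hard to control
    ("loss of automated steering, highway", 3, 4, 3),
    # loss of park-assist steering at walking pace: light injury possible, driver can intervene
    ("loss of park-assist steering", 1, 3, 1),
    # unintended braking in slow traffic: severe injury possible, normally controllable
    ("unintended braking, low speed", 2, 3, 2),
]


def classify_scenarios(scenarios=SAMPLE_SCENARIOS):
    """Map each scenario name to its ASIL level."""
    return {name: asil_level(s, e, c) for name, s, e, c in scenarios}


if __name__ == "__main__":
    for name, level in classify_scenarios().items():
        print(f"{name}: ASIL {level}")
    # Illustrative rates for a single supply and a redundant supply (assumed values).
    for label, rate in (("single supply", 1e-7), ("redundant supply", 5e-9)):
        print(f"{label}: {rate:g}/h meets ASIL D target: {meets_asil_d_target(rate)}")
```

The highway steering scenario (S3, E4, C3) lands at ASIL D, which matches the classification of steering and braking stated above; the park-assist scenario stays at QM, which is why such fail-safe functions need no power-supply-level safety concept.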
1. redundant electric power supply for aggregates; and/or
2. providing a large number of sensors with functional overlap, so that individual sensors can fail but their function is taken over by the other sensors.