Continental adds fallback path for safe stop of autonomous vehicles
Continental is adding a further safety level to highly automated driving in the form of a specific electronics architecture. In addition to a central control unit for automated driving – the Assisted & Automated Driving Control Unit – the technology company uses a Safety Domain Control Unit (SDCU) as a fallback path to stop the vehicle safely, even in the event of a functional failure in the primary automation path.
Continental is using the principle of redundancy and diverse design that has proven itself in the aviation sector. There are one or more fallback paths for every central system and they are independent of each other. Since the SDCU also acts as the airbag control unit, its priority availability – including energy reserve and a crashproof installation location in the vehicle – is guaranteed. With the additional fallback path of the SDCU, Continental ensures that the vehicle can still be brought to a safe stop if the main automation functionality fails. Conventional safety-relevant systems currently in use have been designed with fail-safe in mind. This means that if the system malfunctions, safety is maintained by identifying the fault and putting the faulty system out of operation. This approach is possible because the driver is still at hand as a failsafe to brake and steer manually, for example, if required.
“It is precisely this fallback path that may not be available in highly automated vehicles, since the driver is allowed to focus on other things and cannot be requested, in a fraction of a second, to take control of the vehicle immediately after a possible failure,” Maged Khalil, Head of Advanced Systems Architecture Design at Systems and Technology in the Chassis and Safety Division, said. Every highly automated vehicle must therefore be able to stop automatically. Level 4 vehicles such as the Cruising Chauffeur from Continental are prepared for this. If, despite being requested, the driver does not take action, the car performs a minimum risk maneuver. This means that the vehicle automatically drives to the breakdown lane and stops there. If there is no breakdown lane or if it is blocked, it stops in the lane with the hazard lights on or it drives on, slowing down gently until it finds a suitable place, where it can stop safely.
If the driver is not available to take control of the vehicle, the system must switch over from a “fail-safe” to a “fail-operational” mode by maintaining functionality with a high degree of reliability in every case. “With the fallback path of a second independent control unit, which is also able to stop the car, a highly automated vehicle has a safety net, if a fault occurs, this means the vehicle can still come to a safe stop even without any driver intervention. This element of trust is key to the acceptance of automated driving,” Khalil said.
Safe stop
The vehicle must come to a safe stop if it detects an unsafe state in the system and the driving function cannot be maintained either by the primary automation path or by the driver. “The primary automation path must also be able to switch off without impairing safety. Only by means of genuine redundancy can all possible failure scenarios be covered,” Bardo Peters, Head of Innovation Management
Occupant Safety and Inertial Sensors in the Passive Safety and Sensorics Business Unit, said. SDCU is completely independent of the central control unit such as the Assisted and Automated Driving Control Unit, and features an automation solution that has been designed for the job of the minimum risk maneuver.
Both the central control unit and the SDCU monitor each other continuously with regard to availability and functionality. If just one path is no longer capable of controlling the vehicle or perform the minimum risk maneuver safely,
the other path initiates the safe stop in an emergency.
“This permanent monitoring detects if a path is no longer available. For this reason, the other path would then perform the minimum risk maneuver in such situations,” Lutz Kühnke, Head of Segment Occupant Safety and Inertial Sensors in the Passive Safety and Sensorics Business Unit, said. The fallback path intervenes in accordance with a finely graduated degradation concept, depending on the severity of the problem
detected. For self-monitoring as well as mutual monitoring of the paths, Continental uses innovative software functions such as effective fault management and intelligent monitoring of the signal consistencies.