Based on the requirements of the road vehicle functional safety standard, a concept design of an electric vehicle controller is carried out. On this basis, the hazard analysis and risk assessment of the vehicle controller are completed, and the safety level and safety goals are determined. A simulation model of the vehicle controller is built and the driving performance of the vehicle is tested. The test results show that the design meets the functional safety standard and its specifications and achieves a functional safety design of the vehicle controller, which provides guidance for the safe development of vehicle controllers. The rapid development of integrated electronic technology and its extensive application in automobiles have greatly promoted the development of the automotive industry. As automobiles rely more and more on electronic technology, the safety problems caused by automotive electronic and electrical products become more and more important: for example, vehicle recalls are constantly occurring because of software and hardware failures in the various automotive electronic control systems.
As the control unit of the electric vehicle, the vehicle controller (VCU) is the core of the whole vehicle control system. It is responsible for distributing the power of the electric vehicle, ensuring the drive power of the vehicle while driving, and controlling and managing the energy of the whole vehicle. To ensure the safety of such complex systems, the ISO 26262 road vehicle functional safety standard was created. Drafting of ISO 26262 formally began in November 2005; after about six years it was formally promulgated in November 2011 and became an international standard. The road vehicle functional safety standard is divided into 10 parts: vocabulary, management of functional safety, concept phase, product development at the system level, product development at the hardware level, product development at the software level, production and operation, supporting processes, ASIL-oriented and safety-oriented analyses, and a guideline on ISO 26262 [1]. The specific architecture is shown in Figure 1.
The vehicle controller is the core of the vehicle control system: it distributes the power of the electric vehicle, ensures the drive power of the vehicle while driving, and controls and manages the energy of the whole vehicle. The vehicle control system takes the VCU as the core and gateway of powertrain control and includes the battery management system (BMS), the motor control unit (MCU) and so on. The main functions of the vehicle controller are to monitor the current, voltage, temperature and state of charge (SOC) of the battery, to collect the states of the accelerator pedal and brake pedal sensors, and to compute the torque demand and the regenerative braking from those pedal states. The system architecture diagram is shown in Figure 2.
According to the item definition in ISO 26262, the operating environment of the vehicle controller mainly covers driving, turning, avoidance and overtaking, under weather conditions such as sunny days, rain and snow, and wet and slippery road surfaces. The function to be realised is that the vehicle controller detects and controls the operation of the various electronic devices, and raises and handles fault alarms to protect the driver's safety [3]. The purpose of the hazard analysis and risk assessment of the vehicle controller is to identify the possible hazards, determine the resulting risks, and determine the safety level (ASIL) and the safety goals. ISO 26262 defines a method for determining the Automotive Safety Integrity Level (ASIL). The levels range from ASIL A to ASIL D, where ASIL A is the lowest and ASIL D the highest. When designing vehicle and system electronics it is necessary to determine the scope of the item [4]; based on the item definition, the safety goals of the item are determined so that unreasonable risk is avoided. The ASIL is assessed from three parameters: the severity S of the injury the hazard could cause to the driver or other traffic participants, the probability of exposure E to the operational situation in which the hazard occurs, and the controllability C, i.e. the ability of the driver and other traffic participants involved to take timely action to avoid the specific harm [5]. The classifications are shown in Tables 1-4. In the vehicle control system, the main hazards are unintended acceleration, unintended braking force (for example caused by a motor cooling system failure) and unintended directional driving force.
Unintended acceleration. Severity: unintended acceleration leads to excessive motor torque, and the resulting motor temperature rise leads to motor failure; under normal driving conditions a collision causing personal injury to the driver is likely, so the severity is rated S3. Exposure: over-acceleration does not occur very frequently in normal driving, so the exposure is rated E2. Controllability: once the acceleration fault has occurred it is difficult for the driver, even when informed, to control the vehicle effectively without panicking, so the controllability is rated C3.

Unintended braking force. Severity: unintended braking under normal driving conditions is likely to leave following vehicles unable to dodge in time, resulting in a collision that endangers the driver's life, so the severity is rated S3. Exposure: when the cooling system fails the driver is promptly warned, and the exposure is rated E2. Controllability: when the fault occurs the driver can deal with it in time to avoid danger, so the controllability is rated C2.

Unintended directional driving force. Severity: an unintended directional driving force may cause the vehicle to deviate from its normal trajectory and collide with surrounding vehicles or run into the green belt, which poses a certain risk to the driver's life, so the severity is rated S3. Exposure: the probability of occurrence under normal driving conditions is small, rated E1. Controllability: when an unintended directional driving force occurs it is usually difficult for the driver to react in time, rated C3.

After the hazard analysis and risk assessment, the safety goals are obtained as shown in Table 5. Functional safety requirements are derived from the safety goals and then allocated to the preliminary architecture and the external elements of the item. They mainly include fault detection and indication, mitigation of failures and motor temperature protection. The highest ASIL of the vehicle controller is ASIL B, and the vehicle controller is designed to that safety level so that the loss caused by a failure is minimised [6]. The specific safety measures are as follows. The VCU carries out a self-check; if the self-check fails, the fault code is stored. If the self-check completes without fault, the VCU monitors the battery management system, the motor control system and the high-voltage system. Redundancy is added to the system design to reduce the failure rate and achieve the safety goals.
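The three S/E/C ratings above are combined with the ASIL determination table of ISO 26262-3. The following Python block is an added example, not code from the paper: it encodes that table, applies it to the three hazards rated above, and returns the highest ASIL, which should be B as the paper concludes. The enum and function names are this example's own.

```python
"""ASIL determination per ISO 26262-3 from the S, E and C ratings.

Added example, not code from the paper: encodes the ISO 26262-3 ASIL
determination table and applies it to the three VCU hazards rated above.
Enum and function names are this example's own.
"""
from enum import IntEnum


class S(IntEnum):
    """Severity of the potential harm."""
    S0 = 0
    S1 = 1
    S2 = 2
    S3 = 3


class E(IntEnum):
    """Probability of exposure to the operational situation."""
    E0 = 0
    E1 = 1
    E2 = 2
    E3 = 3
    E4 = 4


class C(IntEnum):
    """Controllability by the driver and other traffic participants."""
    C0 = 0
    C1 = 1
    C2 = 2
    C3 = 3


# ISO 26262-3 ASIL determination table: _TABLE[s][e] lists the ASIL for C1, C2, C3.
# "QM" means no ASIL is assigned (quality management measures suffice).
_TABLE = {
    S.S1: {E.E1: ("QM", "QM", "QM"), E.E2: ("QM", "QM", "QM"),
           E.E3: ("QM", "QM", "A"), E.E4: ("QM", "A", "B")},
    S.S2: {E.E1: ("QM", "QM", "QM"), E.E2: ("QM", "QM", "A"),
           E.E3: ("QM", "A", "B"), E.E4: ("A", "B", "C")},
    S.S3: {E.E1: ("QM", "QM", "A"), E.E2: ("QM", "A", "B"),
           E.E3: ("A", "B", "C"), E.E4: ("B", "C", "D")},
}
ASIL_ORDER = ("QM", "A", "B", "C", "D")


def asil(s, e, c):
    """Return 'QM', 'A', 'B', 'C' or 'D' for one hazardous event."""
    if s == S.S0 or e == E.E0 or c == C.C0:
        return "QM"   # a zero rating on any parameter means no safety requirement
    return _TABLE[s][e][c - 1]


def highest_asil(hazards):
    """Map {name: (S, E, C)} to ({name: ASIL}, highest ASIL across all hazards)."""
    levels = {name: asil(*rating) for name, rating in hazards.items()}
    return levels, max(levels.values(), key=ASIL_ORDER.index)


# Ratings from the hazard analysis and risk assessment above.
VCU_HAZARDS = {
    "unintended acceleration": (S.S3, E.E2, C.C3),
    "unintended braking force": (S.S3, E.E2, C.C2),
    "unintended directional driving force": (S.S3, E.E1, C.C3),
}

if __name__ == "__main__":
    levels, top = highest_asil(VCU_HAZARDS)
    for name, level in levels.items():
        print(f"{name:38s} ASIL {level}")
    print("highest ASIL for the vehicle controller:", top)
```

A quick sanity check on the table: for S1-S3, E1-E4 and C1-C3 the entry equals the sum of the three indices mapped as 7 = A, 8 = B, 9 = C, 10 = D, and QM below 7. The table is the normative form, but the sum rule is a convenient way to catch a transcription error when the ratings are entered by hand.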
According to the V-model development process for vehicle electronics, the conceptual design of the vehicle controller must be modelled and simulated. In this paper MATLAB/Simulink, which provides a powerful graphical modelling environment, is used to build the model of the electric vehicle controller. The controller collects digital signals such as the ignition switch and the gear switch and analog signals such as the accelerator pedal and the brake pedal [7], judges the corresponding mode from them, and, according to the current fault handling status, sends torque commands to drive or brake the vehicle. First, the simulation models required for the whole vehicle controller are established, namely the IO port data acquisition system, mode switching (start mode, brake mode, drive mode), the vehicle control system and the fault handling system, as shown in Figure 3. The IO port is mainly responsible for collecting the digital signals such as switches and gears and the analog signals such as the accelerator and brake pedals; the mode of the electric vehicle is judged from the collected signals. The vehicle controller is mainly responsible for monitoring changes in motor torque, motor temperature, battery state of charge and battery temperature. If a fault is present it is displayed, and the fault handling system processes it and returns the outputs to normal values. Start mode: the driver presses neither the accelerator pedal nor the brake pedal; the motor outputs torque according to the demand torque command of the vehicle controller so that the electric vehicle remains stationary or creeps at low speed. Drive mode: during normal driving of the electric vehicle, when the driver presses the accelerator pedal the vehicle enters the normal drive mode, and the driver's demand for driving torque is reflected in the accelerator pedal operation.
Brake mode: as long as the brake pedal opening is not 0, the vehicle enters the braking energy recovery mode; braking energy recovery is only a supplement that recovers part of the braking energy. The performance of the vehicle controller is validated by fault injection. Faults are injected through the IO port, and over-acceleration, unintended braking force, unintended directional driving force and other faults are tested. The test data are shown in Table 6, where the controllability ratio is the number of times the fault was handled divided by the number of times the fault was injected.
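To make the mode switching, torque command and fault handling described above concrete, the following Python block is an added example, not the paper's Simulink model. It selects the mode from the IO-port inputs, computes the torque command for each mode, detects the three hazards analysed earlier from the MCU torque feedback and the motor temperature, stores the fault code and falls back to zero torque, and injects faults through the IO port to compute the controllability ratio of Table 6. The creep profile is shaped to match the start-test figures reported later in the paper (35 Nm peak at 4 km/h, about 6 Nm steady); the peak torque, constant-power corner speed, regeneration limit, temperature threshold, plausibility margin, fault codes and the sample inputs are all assumptions constructed for this example.

```python
"""Mode selection, torque command and fault handling of the VCU, with fault injection.
Added example, not the paper's Simulink model. The creep profile follows the paper's
start-test figures (35 Nm peak at 4 km/h, about 6 Nm steady); every other threshold,
curve, fault code and sample input is an assumption of this example.
"""
from dataclasses import dataclass, field, replace

MAX_TORQUE_NM = 120.0       # assumed peak motor torque
BASE_SPEED_KMH = 30.0       # assumed speed at which the constant-power zone begins
MAX_REGEN_NM = 80.0         # assumed regenerative braking torque limit
COAST_NM = -5.0             # assumed drag torque with both pedals released
MOTOR_TEMP_LIMIT_C = 90.0   # assumed over-temperature threshold (cooling failure)
TORQUE_TOLERANCE_NM = 10.0  # assumed plausibility margin between feedback and command
CREEP_START_NM, CREEP_PEAK_NM, CREEP_STEADY_NM, CREEP_PEAK_KMH, CREEP_STEADY_KMH = 10.0, 35.0, 6.0, 4.0, 10.0


@dataclass
class Inputs:
    """One acquisition cycle of the IO port (switches, pedals, MCU feedback)."""
    ignition: bool
    gear: str               # "P", "N" or "D"
    accel_pct: float        # accelerator pedal opening 0..100
    brake_pct: float        # brake pedal opening 0..100
    speed_kmh: float
    motor_temp_c: float
    motor_torque_nm: float  # torque feedback reported by the MCU


@dataclass
class Output:
    mode: str
    torque_nm: float                            # torque command sent to the MCU
    faults: list = field(default_factory=list)  # faults detected in this cycle


def creep_torque(speed_kmh):
    """Creep profile: rises to the peak at CREEP_PEAK_KMH, then decays to the steady value."""
    if speed_kmh <= CREEP_PEAK_KMH:
        return CREEP_START_NM + (CREEP_PEAK_NM - CREEP_START_NM) * speed_kmh / CREEP_PEAK_KMH
    if speed_kmh >= CREEP_STEADY_KMH:
        return CREEP_STEADY_NM
    frac = (speed_kmh - CREEP_PEAK_KMH) / (CREEP_STEADY_KMH - CREEP_PEAK_KMH)
    return CREEP_PEAK_NM - (CREEP_PEAK_NM - CREEP_STEADY_NM) * frac


def drive_torque(accel_pct, speed_kmh):
    """Driver demand, capped at constant torque below and constant power above BASE_SPEED_KMH."""
    demand = MAX_TORQUE_NM * accel_pct / 100.0
    return min(demand, MAX_TORQUE_NM * BASE_SPEED_KMH / max(speed_kmh, BASE_SPEED_KMH))


def regen_torque(brake_pct, speed_kmh):
    """Regenerative braking torque, scaled by pedal opening and faded out towards standstill."""
    return -MAX_REGEN_NM * brake_pct / 100.0 * min(1.0, speed_kmh / CREEP_STEADY_KMH)


def select_mode(inp):
    if not inp.ignition or inp.gear != "D":
        return "OFF"
    if inp.brake_pct > 0:
        return "BRAKE"   # any non-zero brake opening enters energy recovery
    if inp.accel_pct > 0:
        return "DRIVE"
    return "START" if inp.speed_kmh <= CREEP_STEADY_KMH else "COAST"


class VCU:
    def __init__(self):
        self.fault_codes = set()   # stored fault codes, kept across cycles

    def step(self, inp):
        mode = select_mode(inp)
        torque = {"OFF": 0.0,
                  "START": creep_torque(inp.speed_kmh),
                  "DRIVE": drive_torque(inp.accel_pct, inp.speed_kmh),
                  "COAST": COAST_NM,
                  "BRAKE": regen_torque(inp.brake_pct, inp.speed_kmh)}[mode]
        faults = []
        if inp.motor_temp_c > MOTOR_TEMP_LIMIT_C:                # cooling failure -> unintended braking force
            faults.append("MOTOR_OVERTEMP")
        if inp.motor_torque_nm > torque + TORQUE_TOLERANCE_NM:   # more torque delivered than commanded
            faults.append("OVER_ACCELERATION")
        if abs(torque) > TORQUE_TOLERANCE_NM and inp.motor_torque_nm * torque < 0:
            faults.append("UNINTENDED_DIRECTION")                # feedback opposes the command
        if faults:
            self.fault_codes.update(faults)   # store the fault code, then mitigate
            torque = 0.0                      # safe state: request no propulsion torque
        return Output(mode, torque, faults)


def controllability_ratio(vcu, base, injections):
    """Inject faults through the IO port and return handled cycles / injected cycles."""
    handled = 0
    for fault_code, overrides in injections:
        out = vcu.step(replace(base, **overrides))
        if fault_code in out.faults and out.torque_nm == 0.0:
            handled += 1
    return handled / len(injections)


# Constructed sample data: a healthy cruising cycle and the three injected faults.
CRUISING = Inputs(ignition=True, gear="D", accel_pct=40.0, brake_pct=0.0,
                  speed_kmh=40.0, motor_temp_c=60.0, motor_torque_nm=48.0)
INJECTIONS = [("OVER_ACCELERATION", {"motor_torque_nm": 110.0}),
              ("MOTOR_OVERTEMP", {"motor_temp_c": 105.0}),
              ("UNINTENDED_DIRECTION", {"motor_torque_nm": -48.0})]

if __name__ == "__main__":
    vcu = VCU()
    print("cruising:", vcu.step(CRUISING))
    print("controllability ratio:", controllability_ratio(vcu, CRUISING, INJECTIONS))
    print("stored fault codes:", sorted(vcu.fault_codes))
```

The harness scores an injected fault as handled only when the fault code is raised and the torque command is forced to the safe state in the same cycle, so a detection that leaves the torque command unchanged counts as unhandled. The brake pedal takes priority over the accelerator in mode selection, which is what makes a stuck or injected accelerator signal controllable by the driver.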
According to the test data in Table 6, the vehicle controller can detect the injected faults and handle them through the related operations, so as to minimise the loss caused by the failure, meet the ISO 26262 road vehicle functional safety standard, and realise the functional safety design of the vehicle controller at the concept stage. To verify whether the VCU can accurately and effectively receive the real accelerator pedal and brake pedal signals and control the motor to output the correct demanded torque, the performance of the VCU is judged by simulating the state of the vehicle during starting, acceleration and braking, so as to determine whether the VCU reaches the design goal. Start test: the ignition switch is in the Start state at the beginning of the test; at 9 s the brake pedal is pressed so that the brake pedal opening reaches 100%, and the vehicle's gear is set to forward gear D. When the brake pedal is released without the accelerator pedal being pressed, the vehicle enters the creep state (that is, the vehicle travels at a certain low speed without the accelerator being pressed). As can be seen in Figure 4, when the brake pedal is released at 14 s the output torque of the motor increases gradually and the vehicle speed increases accordingly.
When the speed reaches 4 km/h the motor output torque peaks at 35 Nm; above 4 km/h the output torque decreases gradually. Finally the vehicle runs at a constant speed with a stable motor output torque of about 6 Nm, which meets the design requirements. Acceleration test: the acceleration test mainly verifies the power performance of the vehicle, i.e. that the output torque of the motor is controlled well. At 32 s the accelerator pedal opening reaches 100%; the output torque of the motor increases rapidly and, after reaching the maximum output torque, enters the constant-power zone. At 50 s the accelerator pedal is released; the vehicle enters the coasting state, the motor outputs a very small negative torque and the vehicle speed decreases gradually. From the results of the acceleration test it is concluded that the VCU meets the acceleration design requirements. Brake test: at 88 s the brake pedal is pressed to 100% opening, the motor outputs a larger negative torque and the vehicle enters braking energy recovery.

As the vehicle speed decreases, the motor output torque also decreases, and when the vehicle speed drops to zero the motor output torque also becomes 0. When the vehicle has stopped, the brake pedal is released and the vehicle enters creep mode. From the results of the braking test it is concluded that the VCU meets the braking design requirements. The simulated test curves are shown in Figure 4.

ISO 26262 provides new ideas and methods for automotive research and development institutions and manufacturers; with the rapid development of automotive electronic products, functional safety is particularly important. In this context, based on ISO 26262, the item definition, hazard analysis and risk assessment of the vehicle controller are carried out, the system is determined to be ASIL B, and the functional safety requirements and safety goals are put forward.
Simulink is used to simulate the vehicle controller, and the fault injection method is used to test it. The test data show that it meets the ISO 26262 road vehicle functional safety standard.