CN116089151A - Failure processing method and device for intelligent driving system of vehicle, vehicle and medium - Google Patents

Info

Publication number
CN116089151A
Authority
CN
China
Prior art keywords
failure
analysis
vehicle
fault
intelligent driving
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310158613.7A
Other languages
Chinese (zh)
Inventor
杨斯琦
孔德宝
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
FAW Group Corp
Original Assignee
FAW Group Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by FAW Group Corp
Priority to CN202310158613.7A
Publication of CN116089151A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/0703 Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
    • G06F11/0706 Processing taking place on a specific hardware platform or in a specific software environment
    • G06F11/0736 Processing in functional embedded systems, i.e. in a data processing system designed as a combination of hardware and software dedicated to performing a certain function
    • G06F11/0739 Processing in a data processing system embedded in automotive or aircraft systems
    • G06F11/0751 Error or fault detection not based on redundancy
    • G06F11/0766 Error or fault reporting or storing
    • G06F11/079 Root cause analysis, i.e. error or fault diagnosis
    • G06F11/0793 Remedial or corrective actions

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • Testing And Monitoring For Control Systems (AREA)

Abstract

The invention discloses a failure processing method and device for the intelligent driving system of a vehicle, a vehicle, and a medium. The method comprises: obtaining minimal cut sets by fault tree analysis from the fault events related to failure of the vehicle's intelligent driving system, a minimal cut set being a minimal set of fault events that together cause the system to fail; for each minimal cut set, selecting a target category from a dependent (related) failure analysis (DFA) category library and analysing the current minimal cut set against it; and matching system failure handling measures according to the target category and the analysis result, then applying those measures to handle dependent failures of the intelligent driving system. The invention screens out reasonable, generalised analysis indexes for dependent failure analysis, avoids the redundant analysis produced when the safety mechanism for latent faults is analysed independently of the safety mechanism for single-point faults, reduces repeated analysis work, lowers the workload of dependent failure analysis, and improves analysis efficiency.

Description

Failure processing method and device for intelligent driving system of vehicle, vehicle and medium
Technical Field
The invention relates to the technical field of vehicle testing, in particular to a failure processing method and device for the intelligent driving system of a vehicle, a vehicle, and a medium.
Background
As intelligent driving technology is applied to more and more vehicles, the likelihood of faults or failures in the intelligent driving system grows, and analysing dependent failures of the intelligent driving system has become a necessary vehicle testing activity.
For products rated ASIL C or D, fault tree analysis (FTA) is performed. The lowest layer of the FTA consists of the finest-granularity elements of the hierarchy, and elements that are related to one another form individual cut sets. Dependent Failure Analysis (DFA, also rendered "related failure analysis") then works directly from these cut sets. If a cut set has size 1, there is a single-point fault and a new safety requirement is raised in the FTA; if the size is 2, DFA analyses whether the two elements can fail dependently, in order to show that the single-point fault is covered, and diagnosis of latent faults may be required at this point; for a size of 3 or more the fault is in theory a safe fault, but DFA should still show that there is no dependent failure among the multiple points, otherwise a systematic failure may cause all of them to fail at the same time.
In this approach, however, the elements whose dependent failures must be avoided are screened out by the FTA and then the relationship between every pair of elements is analysed, so a large number of element combinations have to be examined, the analysis workload is huge, and the efficiency of dependent failure analysis suffers.
Disclosure of Invention
The invention provides a failure processing method and device for the intelligent driving system of a vehicle, a vehicle, and a medium, which reduce the workload of dependent failure analysis and improve analysis efficiency.
According to an aspect of the present invention, there is provided a failure processing method of an intelligent driving system of a vehicle, including:
obtaining minimal cut sets by fault tree analysis from the fault events related to failure of the vehicle's intelligent driving system, a minimal cut set being a minimal set of fault events that together cause the intelligent driving system of the vehicle to fail;
for each minimal cut set, obtaining a target category from a dependent failure analysis (DFA) category library and analysing the current minimal cut set against it;
and matching system failure handling measures according to the target category and the analysis result, and handling dependent failures of the intelligent driving system of the vehicle through those measures.
According to another aspect of the present invention, there is provided a failure processing apparatus of an intelligent driving system of a vehicle, the apparatus comprising:
a cut-set determination module, used to obtain minimal cut sets by fault tree analysis from the fault events related to failure of the vehicle's intelligent driving system, a minimal cut set being a minimal set of fault events that together cause the intelligent driving system of the vehicle to fail;
a cut-set analysis module, used to obtain, for each minimal cut set, a target category from the dependent failure analysis (DFA) category library and to analyse the current minimal cut set against it;
and a failure processing module, used to match system failure handling measures according to the target category and the analysis result, and to handle dependent failures of the intelligent driving system of the vehicle through those measures.
According to another aspect of the present invention, there is provided a vehicle including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores a computer program executable by the at least one processor, enabling the at least one processor to perform the failure processing method for the intelligent driving system of a vehicle according to any embodiment of the invention.
According to another aspect of the present invention, there is provided a computer-readable storage medium storing computer instructions which, when executed, cause a processor to implement the failure processing method for the intelligent driving system of a vehicle according to any embodiment of the invention.
According to the technical solution of the invention, minimal cut sets are obtained by fault tree analysis from the fault events related to failure of the vehicle's intelligent driving system, target categories from the DFA category library are selected to analyse the minimal cut sets, and system failure handling measures are matched according to the target categories and the analysis results so as to handle dependent failures of the intelligent driving system through those measures. By carrying out dependent failure consequence analysis on the different components of the intelligent driving system according to the different classes of dependent failure of the safety system, the invention screens out reasonable, generalised analysis indexes for dependent failure analysis, avoids the redundant analysis produced when the latent-fault safety mechanism is analysed independently of the single-point safety mechanism, reduces repeated analysis work, lowers the workload of dependent failure analysis, and improves analysis efficiency.
It should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the invention or to delineate the scope of the invention. Other features of the present invention will become apparent from the description that follows.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flowchart of a failure processing method of an intelligent driving system of a vehicle according to an embodiment of the present invention;
FIG. 2 is a flowchart of another method for processing failure of an intelligent driving system of a vehicle according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a failure handling device of an intelligent driving system for a vehicle according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "comprises" and "comprising," along with any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed or inherent to such process, method, article, or apparatus.
Fig. 1 is a flowchart of a failure processing method for the intelligent driving system of a vehicle according to an embodiment of the invention. The method may be performed by a failure processing device for the vehicle's intelligent driving system; this device may be implemented in hardware and/or software and may be configured in a vehicle. As shown in fig. 1, the method includes:
S110, obtaining minimal cut sets by fault tree analysis from the fault events related to failure of the vehicle's intelligent driving system.
A minimal cut set is a minimal set of fault events that together cause the vehicle's intelligent driving system to fail.
Fault tree analysis (FTA) is a design analysis and evaluation method for improving system reliability: during system design or improvement, the various causes that may lead to a system fault (hardware, software, environment, human factors and so on) are analysed and drawn as a logic diagram, the fault tree, which determines the possible combinations of causes of the system fault and their probabilities of occurrence, from which the failure probability of the system is calculated.
The purpose of fault tree analysis is to find the cause events of the top event and their combinations (the minimal cut sets), to discover latent faults, to guide fault diagnosis, and to improve operating and maintenance schemes. A cut set is a collection of bottom events of the fault tree such that the top event necessarily occurs when all of these bottom events occur together. If removing any one bottom event from a cut set leaves a set that is no longer a cut set, that cut set is a minimal cut set.
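As an added example (not code from the patent), the bottom-up computation of minimal cut sets that S110 relies on, together with the disposition by cut-set size described in the background section. The fault tree, its gates and its event names are constructed for illustration and are not taken from the patent.

```python
"""Minimal cut sets of a fault tree by bottom-up gate expansion.

Added example, not code from the patent. OR gates take the union of their
children's cut sets, AND gates take the product (pairwise union), and
non-minimal sets are dropped at each step. The tree at the bottom is a
constructed example; its event names are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Event:
    """A basic (bottom) event of the fault tree."""
    name: str


@dataclass(frozen=True)
class Gate:
    """An AND or OR gate over basic events and other gates."""
    kind: str        # "AND" or "OR"
    children: tuple  # of Event | Gate


def _minimize(cut_sets: set[frozenset[str]]) -> list[frozenset[str]]:
    """Keep only sets that contain no other cut set (the minimal cut sets)."""
    kept: list[frozenset[str]] = []
    for cs in sorted(cut_sets, key=lambda s: (len(s), sorted(s))):
        if not any(other <= cs for other in kept):
            kept.append(cs)
    return kept


def minimal_cut_sets(node: Event | Gate) -> list[frozenset[str]]:
    """Return the minimal cut sets of the tree rooted at `node`."""
    if isinstance(node, Event):
        return [frozenset({node.name})]
    child_sets = [minimal_cut_sets(child) for child in node.children]
    if node.kind == "OR":
        combined = {cs for sets in child_sets for cs in sets}
    elif node.kind == "AND":
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate kind {node.kind!r}")
    return _minimize(combined)


def classify(cut_set: frozenset[str]) -> str:
    """Disposition of a cut set by its size, following the patent's background."""
    if len(cut_set) == 1:
        return "single-point fault: raise a new safety requirement in the FTA"
    if len(cut_set) == 2:
        return "dual-point: DFA must show the two cannot fail dependently; latent-fault diagnosis may be needed"
    return "multi-point: safe fault in theory, but DFA must still exclude a common cause"


# Constructed tree for the top event "LKA/ACC/SACC lost" (event names are assumptions).
TOP = Gate("OR", (
    Gate("AND", (Gate("OR", (Event("camera_node_fault"), Event("dnn_node_fault"))),
                 Event("soc_watchdog_fault"))),                  # perception fault not caught by the watchdog
    Gate("AND", (Event("radar_fault"), Event("diag_module_fault"))),
    Event("vcan_fault"),                                          # single point
    Gate("AND", (Event("vcan_fault"), Event("e2e_check_fault"))), # subsumed by vcan_fault alone
    Gate("AND", (Event("mcu_ram_fault"), Event("ram_ecc_fault"))),
))


if __name__ == "__main__":
    for cs in minimal_cut_sets(TOP):
        print(sorted(cs), "->", classify(cs))
```

The `{vcan_fault, e2e_check_fault}` branch is deliberately present so that the minimisation step is visible: because `{vcan_fault}` alone is already a cut set, the larger set is dropped, which is exactly the case the text describes as a single-point fault needing a new safety requirement rather than DFA.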
It should be noted that failures of the vehicle's intelligent driving system include dependent failures, and dependent failures comprise common cause failures and cascading failures. Dependent failure analysis (DFA) serves 1. to confirm, by analysing potential causes or trigger conditions, that the functional safety mechanism design of system components at different ASIL levels adequately satisfies the required independence or freedom from interference; and 2. where necessary, to derive new safety measures that reduce the impact of dependent failures.
S120, for each minimal cut set, obtaining a target category from the dependent failure analysis (DFA) category library and analysing the current minimal cut set against it.
It should be noted that there is at present no explicit DFA analysis flow or universal template; common practice is to analyse one by one the coupling factors that the standard requires to be analysed, either by establishing a stand-alone DFA analysis template or by folding the work into the safety analysis process, for example by adding an analysis of the impact of each component's failure on the other components and adding to the review sheet whether dependencies between failures were considered. Like safety analysis, DFA must consider the scenarios of the different life-cycle phases. The potential failure causes may be random hardware faults or systematic faults.
Illustratively, obtaining a target category from the dependent failure analysis (DFA) category library and analysing the current minimal cut set includes:
obtaining the target category from the DFA category library;
analysing the failure causes of the current minimal cut set according to the target category, the failure causes including common cause failure and cascading failure;
and, for the current minimal cut set, analysing the consequences of the common cause failure and the cascading failure.
For example, the categories of failure causes that DFA needs to consider include:
Random hardware faults: hardware components such as the chip and the clock
Development faults: development process/personnel (requirements, design, implementation), development tools
Production faults: production process, software flashing, end-of-line (EOL) test
Installation faults: wiring-harness planning, faults of adjacent devices, faults of interchangeable devices
Maintenance faults: maintenance process, faults of interchangeable devices
Environmental factors: temperature, humidity, electromagnetic interference, vibration, pollution, corrosion, air pressure
Common external resource and information failures: power supply, data exchange
Stress in specific scenarios: high load, external system requests, instrument impact, thermal influence
Aging and wear-out: relays, EEPROM and other devices that can degrade quickly
It should be noted that the coupling relations that may exist between two or more elements are analysed systematically under the following seven categories:
First, shared resources, such as libraries, drivers and hardware resources. The associated failure-cause categories are random hardware faults and common external resource and information failures.
Second, shared inputs, such as shared constants or variables, or the same data sources. The associated failure-cause category is random hardware faults.
Third, communication between the elements, such as global-variable data flows, messages and function calls. The associated failure-cause categories are random hardware faults, development faults, installation faults, maintenance faults, and aging and wear-out.
Fourth, use of the same device (type, principle), such as the same system source code. The associated failure-cause categories are random hardware faults and development faults.
Fifth, systematic coupling, such as the same error source in the same software tool, program or compiler. The associated failure-cause categories are development faults, production faults, installation faults, maintenance faults, and stress in specific scenarios.
Sixth, insufficient resistance to environmental interference, for example being affected by the same external environmental disturbance. The associated failure-cause categories are environmental factors and stress in specific scenarios.
Seventh, unintended effects, such as use of the same memory space. The associated failure-cause categories are random hardware faults, development faults, installation faults, and stress in specific scenarios.
In an embodiment of the invention, the classes used to analyse systematically the possible coupling relations between two or more elements are as follows:
Shared resources mainly include the CPU, clock, storage, transmission paths, software libraries, software modules, software calibration parameters, connectors and the like.
Shared inputs mainly refer to the input signals of the functional requirements, electrical signals, global variables or constants, and the like.
Communication between two components refers to whether the two components exchange data, that is, whether the function realised by one needs the output of the other as its input, for example through electrical signal interaction, CAN signal interaction or global-variable interaction.
Use of the same device (type, principle) refers to whether the same chip is used, macro definitions (repeated expansion of the same code fragment), and so on.
Systematic coupling refers to coupling through the production process, the maintenance process or the development tools.
Insufficient resistance to environmental interference: EMC, vibration, humidity (water), temperature (fire), ESD, dust, particles.
Unintended effects: the two elements losing synchronisation and failing, cross-talk between electrical signals, memory leaks, and unintended memory overwriting.
By systematically classifying and summarising the possible coupling relations between two or more elements, the invention analyses and checks them, can in turn be used to check the FTA for analysis omissions, and improves the completeness and accuracy of the analysis.
S130, matching system failure handling measures according to the target category and the analysis result, and handling dependent failures of the vehicle's intelligent driving system through those measures.
In some embodiments of the invention, when the target category is the unintended-effect class of dependent failure, matching the system failure handling measure according to the target category and the analysis result includes:
if the analysis result is that a CPU fault causes the function to fail, the measure is to configure the CPU in lockstep;
if the analysis result is that the functional-safety software module and the non-safety software module share RAM, and the non-safety module may wrongly modify data used by the functional-safety module and so cause system failure, the measure is to partition the RAM between the functional-safety and non-safety modules and/or to configure the memory protection unit (MPU) for the RAM partition of the functional-safety module.
In other embodiments of the invention, when the target category is the shared-resource class of dependent failure, matching the system failure handling measure according to the target category and the analysis result includes:
if the analysis result is a system failure caused by a memory chip fault, the measure is a power-on self-test of the memory chip;
if the analysis result is a system failure caused by a runtime fault of the operating system (OS), the measure is to monitor the operating system with a watchdog;
and if the analysis result is that a chip fault causes several specific functions to fail, the measure is to monitor the corresponding chip.
In still other embodiments of the invention, when the target category is the shared-input class of dependent failure, matching the system failure handling measure according to the target category and the analysis result includes:
if the analysis result is that a fault of a shared input node causes perception failure and the failure of several specific functions, the measure is to monitor the shared input node with a watchdog;
if the analysis result is that a fault of the safety-related vehicle signals causes perception failure and the failure of several specific functions, the measure is to monitor the safety-related vehicle signals with the bus monitoring (CanMonitor) module;
if the analysis result is that a radar fault causes fusion failure and the failure of several specific functions, the measure is that the diagnosis module detects the fault reported by the radar;
and if the analysis result is that a functional fault or a control parameter out of range causes control failure and the failure of several specific functions, the measure is to monitor for the functional fault or out-of-range control parameter with the safety validator (SafetyValidator) module.
In still other embodiments of the invention, when the target category is the communication class of dependent failure, matching the system failure handling measure according to the target category and the analysis result includes:
if the analysis result is that a serial peripheral interface (SPI) communication fault causes perception data transmission failure and the failure of several specific functions, the measure is that the SPI module periodically monitors the SPI communication data;
if the analysis result is that a V-CAN communication fault causes the failure of several specific functions, the measure is that the diagnosis module detects the V-CAN communication fault and the end-to-end (E2E) protection fault of the vehicle body signals on the V-CAN;
and if the analysis result is that an R-CAN communication fault causes fusion failure and the failure of several specific functions, the measure is that the diagnosis module detects the fault reported by the radar and the E2E fault.
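As an added example that is not the patent's own code, the pairwise check of the seven coupling categories described under S120 and the matching of a safety measure described under S130, applied to one minimal cut set at a time. The element metadata, the element and bus names, and the strings used as table keys are constructed assumptions; the measure table holds only the examples the description gives, and a coupling with no table entry is reported as needing a new safety requirement, which is what the description says DFA derives when necessary.

```python
"""DFA coupling check over minimal cut sets.

Added example, not code from the patent. For every pair of elements in a
cut set the seven coupling categories of the patent are checked against
per-element metadata, each coupling found is mapped to the failure-cause
categories the patent associates with it, and a safety measure is looked
up in a table built from the patent's examples. Element metadata, names,
bus names and table keys are constructed assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from itertools import combinations


@dataclass
class Element:
    name: str
    resources: frozenset[str] = frozenset()  # CPU, OS, RAM, libraries, ...
    inputs: frozenset[str] = frozenset()     # signals, global variables
    links: dict[str, str] = field(default_factory=dict)  # peer element -> bus/path
    device: str = ""          # same chip / principle
    toolchain: str = ""       # compiler, flashing tool, process
    env_zone: str = ""        # shared EMC / thermal / vibration exposure
    memory_region: str = ""   # RAM region that could be overwritten

# Failure-cause categories the patent attaches to each coupling category.
COUPLING_CAUSES = {
    "shared_resource": {"random hardware", "common external resource/information"},
    "shared_input": {"random hardware"},
    "communication": {"random hardware", "development", "installation", "maintenance", "aging/wear-out"},
    "same_device": {"random hardware", "development"},
    "systematic": {"development", "production", "installation", "maintenance", "specific-scenario stress"},
    "environment": {"environmental", "specific-scenario stress"},
    "unintended_effect": {"random hardware", "development", "installation", "specific-scenario stress"},
}

# Safety measures from the patent's examples, keyed by (category, shared item); keys are assumptions.
MEASURES = {
    ("shared_resource", "DDR"): "DDR power-on self-test",
    ("shared_resource", "SoC_OS"): "SoC watchdog monitoring",
    ("shared_resource", "MCU_OS"): "MCU watchdog monitoring",
    ("shared_input", "camera_image"): "image diagnosis module monitoring",
    ("shared_input", "vehicle_signals"): "CanMonitor checks safety-related vehicle signals",
    ("communication", "SPI"): "SPI module periodically monitors SPI data",
    ("communication", "V-CAN"): "diagnosis module detects V-CAN faults and E2E faults",
    ("unintended_effect", "CPU"): "CPU lockstep",
    ("unintended_effect", "mcu_ram_shared"): "partition RAM by safety/non-safety module; MPU on the safety partition",
}
NO_MEASURE = "no measure in table: derive a new safety requirement"


@dataclass(frozen=True)
class Finding:
    pair: tuple[str, str]
    category: str
    item: str
    causes: frozenset[str]
    measure: str


def couplings(a: Element, b: Element) -> dict[str, set[str]]:
    """Return {coupling category: shared items} for one element pair."""
    found: dict[str, set[str]] = {}
    if a.resources & b.resources:
        found["shared_resource"] = set(a.resources & b.resources)
    if a.inputs & b.inputs:
        found["shared_input"] = set(a.inputs & b.inputs)
    buses = {a.links.get(b.name), b.links.get(a.name)} - {None}
    if buses:
        found["communication"] = buses
    if a.device and a.device == b.device:
        found["same_device"] = {a.device}
    if a.toolchain and a.toolchain == b.toolchain:
        found["systematic"] = {a.toolchain}
    if a.env_zone and a.env_zone == b.env_zone:
        found["environment"] = {a.env_zone}
    if a.memory_region and a.memory_region == b.memory_region:
        found["unintended_effect"] = {a.memory_region}
    return found


def analyze_cut_set(cut_set, elements: dict[str, Element]) -> list[Finding]:
    """DFA for one minimal cut set: every pair, every coupling, the matched measure."""
    findings: list[Finding] = []
    for x, y in combinations(sorted(cut_set), 2):
        for cat, items in couplings(elements[x], elements[y]).items():
            for item in sorted(items):
                findings.append(Finding((x, y), cat, item, frozenset(COUPLING_CAUSES[cat]),
                                        MEASURES.get((cat, item), NO_MEASURE)))
    return findings


# Constructed element metadata (an assumption, not the patent's data).
ELEMENTS = {e.name: e for e in (
    Element("LaneNode", frozenset({"SoC_OS", "DDR"}), frozenset({"camera_image"}),
            {"MCU_Control": "SPI"}, "SoC", "soc_gcc", "ADAS_ECU", "soc_ddr"),
    Element("PedestrianNode", frozenset({"SoC_OS", "DDR"}), frozenset({"camera_image"}),
            {}, "SoC", "soc_gcc", "ADAS_ECU", "soc_ddr"),
    Element("MCU_Control", frozenset({"MCU_OS", "CPU"}), frozenset({"vehicle_signals"}),
            {"LaneNode": "SPI", "ESC": "V-CAN"}, "MCU", "tasking", "ADAS_ECU", "mcu_ram_shared"),
    Element("NonSafetyLogger", frozenset({"MCU_OS"}), frozenset(),
            {}, "MCU", "tasking", "ADAS_ECU", "mcu_ram_shared"),
)}

if __name__ == "__main__":
    for cs in ({"LaneNode", "PedestrianNode"}, {"MCU_Control", "NonSafetyLogger"}):
        for f in analyze_cut_set(cs, ELEMENTS):
            print(f.pair, f.category, f.item, "->", f.measure)
```

Because the check is keyed by coupling category rather than by element pair, each category is examined once per pair and the result is the per-category list the description calls for; the cut set `{MCU_Control, NonSafetyLogger}` reproduces the shared-RAM case, where the unintended-effect coupling on `mcu_ram_shared` is matched to the partition-plus-MPU measure.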
Specifically, for the different components of the intelligent driving control system, dependent failure consequence analysis is carried out according to the different classes of dependent failure of the safety system, and a dependent failure handling scheme comprising safety mechanisms or preventive measures is designed as follows:
1. Unintended-effect class dependent failures
CPU: a CPU fault causes the function to fail and the safety mechanism fails with it; corresponding safety measure: configure the CPU in lockstep.
RAM (MCU): the functional-safety software module and the non-safety software module share the RAM, and the non-safety module may wrongly modify data used by the functional-safety module; corresponding safety measures: 1) separate RAM partitions for functional-safety and non-safety software; 2) configure the MPU on the safety partition.
2. Shared-resource class dependent failures
RAM (MCU): a RAM fault causes the function to fail and the safety mechanism fails with it; corresponding safety measures: 1) configure ECC/EDC for the RAM; 2) run a RAM test at initialisation.
DDR (SoC): a DDR error corrupts the raw image data or causes a SoC runtime fault; corresponding safety measure: DDR power-on self-test.
EMMC: an EMMC fault causes system failure and the safety mechanism fails; corresponding safety measure: EMMC power-on self-test.
SoC OS: a runtime fault of the SoC OS causes the function to fail and the safety mechanism fails with it; corresponding safety measure: SoC watchdog monitoring.
MCU OS: a runtime fault of the MCU OS causes the safety mechanism to fail at the same time; corresponding safety measure: MCU watchdog monitoring.
DMU: a DMU fault causes multiple functions to fail; corresponding safety measure: SRI process integrity monitoring.
DMA: a DMA fault causes multiple functions to fail; corresponding safety measure: DMA error detection and management.
NVM: an NVM fault causes multiple functions to fail; corresponding safety measures: device configuration data backup requirements, NVM safety configuration data protection, NVM super access monitoring.
IR: an IR fault causes multiple functions to fail; corresponding safety measure: IR error monitoring.
SBCU (System Peripheral Bus Control Unit): an SBCU fault causes multiple functions to fail; corresponding safety measures: SBCU error monitoring, write monitoring, override request monitoring, configuration data protection and safety configuration data protection.
Clock/PLL: a clock fault causes multiple functions to fail; corresponding safety measures: crystal oscillator, PLL and clock monitoring.
STM: an STM fault causes multiple functions to fail; corresponding safety measure: STM system timer monitoring.
3. Shared input class related failures
CameraNode: low image definition, camera occlusion, frozen camera image, camera displacement, low visibility and sunlight diffraction cause perception failure and, at the same time, the failure of several LKA/ACC/SACC functions; correspondingly designed safety measure: monitoring by the image diagnosis module.
CameraNode: camera image loss, delayed camera image acquisition and a CameraNode operation fault cause perception failure and, at the same time, the failure of several LKA/ACC/SACC functions; correspondingly designed safety measure: the SoC watchdog monitors the periodic execution of the subsequent processing module.
DnnNode: a DnnNode operation fault or calculation error causes perception failure and, at the same time, the failure of several LKA/ACC/SACC functions; correspondingly designed safety measure: SoC watchdog monitoring.
RtAlignmentNode: an RtAlignmentNode operation fault causes the real-time sensor calibration to fail, which causes perception failure and the failure of several LKA/ACC/SACC functions; correspondingly designed safety measure: SoC watchdog monitoring.
VPNode: a VPNode operation fault or calculation error causes perception failure and, at the same time, the failure of several LKA/ACC/SACC functions; correspondingly designed safety measure: SoC watchdog monitoring.
LaneNode: a LaneNode operation fault or calculation error causes perception failure and, at the same time, the failure of several LKA/ACC/SACC functions; correspondingly designed safety measure: the spinitor module periodically monitors its output.
PedestrianNode: a PedestrianNode operation fault or calculation error causes perception failure and, at the same time, the failure of several LKA/ACC/SACC functions; correspondingly designed safety measure: the spinitor module periodically monitors its output.
VehicleNode: a VehicleNode operation fault or calculation error causes perception failure and, at the same time, the failure of several LKA/ACC/SACC functions; correspondingly designed safety measure: the spinitor module periodically monitors its output.
Safety-related vehicle signals (vehicle speed, wheel speed, yaw rate, ESC, ABS, TCS, etc.): failure of the safety-related vehicle signals means the vehicle state cannot be calculated normally, so that effective perception and control are impossible, and finally several LKA/ACC/SACC functions fail; correspondingly designed safety measure: the CanMonitor module monitors the received safety-related vehicle signals for error and invalid states.
Radar information: a radar fault causes fusion failure and, at the same time, the failure of several LKA/ACC/SACC functions; correspondingly designed safety measure: the diagnostic module detects the radar-reported fault.
Vehicle lateral control: functional faults such as an unexpected output request or a wrong torque direction lead to control failure and finally to the failure of several LKA/ACC/SACC functions; correspondingly designed safety measure: the SafetyValidator module monitors for the functional fault.
Vehicle lateral control: faults such as excessive lateral acceleration or excessive jerk lead to control failure and finally to the failure of several LKA/ACC/SACC functions; correspondingly designed safety measure: the SafetyValidator module monitors for control parameter overrun and similar conditions.
Vehicle longitudinal control: functional faults such as an unexpected output request lead to control failure and finally to the failure of several LKA/ACC/SACC functions; correspondingly designed safety measure: the SafetyValidator module monitors for the functional fault.
Vehicle longitudinal control: faults such as excessive longitudinal acceleration, excessive jerk, excessive deceleration or excessive deceleration reduction lead to control failure and finally to the failure of several LKA/ACC/SACC functions; correspondingly designed safety measure: the SafetyValidator module monitors for control parameter overrun and similar conditions.
4. Communication class related failures
SPI: an SPI communication failure causes the transmission of perception data to fail and causes the failure of several LKA/ACC/SACC functions; correspondingly designed safety measure: the SPI module periodically monitors the SPI communication data.
V-CAN communication: a V-CAN communication fault means that vehicle signals cannot be received normally and that no effective control output to the actuators is possible, so several LKA/ACC/SACC functions are also disabled; correspondingly designed safety measure: the diagnostic module detects V-CAN communication failures (bus-off, node loss, etc.) and E2E failures of the body signals on the V-CAN.
R-CAN communication: an R-CAN communication fault means that radar signals cannot be received normally, which causes fusion failure and, at the same time, the failure of several LKA/ACC/SACC functions; correspondingly designed safety measure: the diagnostic module detects radar-reported faults and E2E faults.
In the embodiment of the invention, after the system failure processing measures are determined, the related failure processing is carried out on the components related to the related failure of the intelligent driving system of the vehicle according to the system failure processing measures.
It should be noted that if the system failure handling measure is not defined in the TSC (Technical Safety Concept), the TSC needs to be modified according to the system failure handling measure.
Fig. 2 is a flowchart of another failure processing method of an intelligent driving system of a vehicle; the method specifically includes the following steps:
S210, acquiring the minimum cut sets based on the FTA.
S220, selecting specific categories from the DFA analysis category library for related failure analysis according to the specific engineering stage.
The engineering stage comprises a development stage, a production stage, an installation stage, a maintenance stage and the like.
S230, expanding, classifying and analyzing the failure causes according to the specific safety system related failure categories.
S240, analyzing all common cause failure and cascade failure results for each minimum cut set.
S250, determining specific resolution measures and safety mechanisms for the common cause failures and cascade failures.
S260, if the newly determined resolution measures and safety mechanisms are not defined in the TSC, updating the TSC.
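The S210 to S260 procedure, worked through as an added example (this is not code from the patent or from FAW): minimal cut sets are derived from a small AND/OR fault tree, each cut set is classified against a DFA category library that holds the measures listed on this page, and the measures missing from the TSC are reported. The event tags, the library keys, the "single point / common cause / cascade" rule and the sample tree are all constructed assumptions.

```python
"""Added example (not the patent's code): minimal cut sets via FTA, then
DFA-category lookup of the failure handling measures listed on this page.
Modelling choices (event tags, library keys, the sample tree) are assumptions."""
from itertools import product
from typing import Dict, FrozenSet, List, Set, Tuple, Union

Node = Union[str, Tuple[str, list]]   # basic event name, or ("AND"|"OR", [children])


def cut_sets(node: Node) -> Set[FrozenSet[str]]:
    """All cut sets of a fault tree: an OR gate unions its children's sets,
    an AND gate takes every cross-product combination of them."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [cut_sets(c) for c in children]
    if gate == "OR":
        return set().union(*child_sets)
    if gate == "AND":
        return {frozenset().union(*combo) for combo in product(*child_sets)}
    raise ValueError(f"unknown gate {gate!r}")


def minimal_cut_sets(node: Node) -> Set[FrozenSet[str]]:
    """S210: drop every cut set that strictly contains another cut set."""
    all_sets = cut_sets(node)
    return {s for s in all_sets if not any(other < s for other in all_sets)}


# S220: DFA analysis category library, reduced to the four classes and the
# (class, failure mode) -> measure pairs the page lists.  Constructed sample.
DFA_LIBRARY: Dict[Tuple[str, str], str] = {
    ("unexpected_impact", "cpu_fault"):         "configure CPU lockstep",
    ("unexpected_impact", "shared_ram"):        "partition RAM and configure MPU",
    ("shared_resource",   "memory_chip"):       "power-on self-test of memory chip",
    ("shared_resource",   "os_fault"):          "watchdog monitoring of OS",
    ("shared_input",      "shared_input_node"): "SoC watchdog monitoring of node",
    ("shared_input",      "vehicle_signal"):    "CanMonitor checks error/invalid signals",
    ("shared_input",      "radar"):             "diagnostic module detects radar fault",
    ("shared_input",      "control_overrun"):   "SafetyValidator monitors parameter overrun",
    ("communication",     "spi"):               "SPI module periodic data monitoring",
    ("communication",     "v_can"):             "diagnostic module: bus-off/node loss + E2E",
    ("communication",     "r_can"):             "diagnostic module: radar report + E2E",
}

# Each basic event of the tree is tagged with its DFA class and failure mode
# (constructed tags, hypothetical event names).
EVENT_TAGS: Dict[str, Tuple[str, str]] = {
    "CPU_fault":       ("unexpected_impact", "cpu_fault"),
    "CameraNode_hang": ("shared_input", "shared_input_node"),
    "Radar_fault":     ("shared_input", "radar"),
    "VCAN_busoff":     ("communication", "v_can"),
    "SPI_fault":       ("communication", "spi"),
}


def analyse_cut_set(cut: FrozenSet[str]) -> Dict[str, object]:
    """S230-S250 for one cut set: classify the events, name the failure
    reason and collect the measures.  Assumed rule: a multi-event cut set
    whose events all share one DFA class is a common cause candidate,
    mixed classes are treated as a cascade, one event is a single point."""
    classes = {EVENT_TAGS[e][0] for e in cut}
    measures = sorted({DFA_LIBRARY[EVENT_TAGS[e]] for e in cut})
    if len(cut) == 1:
        reason = "single point"
    elif len(classes) == 1:
        reason = "common cause"
    else:
        reason = "cascade"
    return {"events": sorted(cut), "classes": sorted(classes),
            "reason": reason, "measures": measures}


def missing_from_tsc(analyses: List[Dict[str, object]], tsc: Set[str]) -> Set[str]:
    """S260: measures the analysis requires that the TSC does not yet define."""
    needed = {m for a in analyses for m in a["measures"]}
    return needed - tsc


# Constructed sample tree: top event "LKA/ACC lost".
SAMPLE_TREE: Node = ("OR", [
    "CPU_fault",
    ("AND", ["CameraNode_hang", "Radar_fault"]),  # perception and fusion both lost
    "VCAN_busoff",
    ("AND", ["SPI_fault", "VCAN_busoff"]),         # non-minimal: contains VCAN_busoff
])


def run_sample():
    """Run the whole S210-S260 chain on the sample tree and a sample TSC."""
    mcs = minimal_cut_sets(SAMPLE_TREE)
    analyses = [analyse_cut_set(c) for c in sorted(mcs, key=sorted)]
    tsc = {"configure CPU lockstep", "SoC watchdog monitoring of node"}  # constructed
    return analyses, missing_from_tsc(analyses, tsc)


if __name__ == "__main__":
    analyses, missing = run_sample()
    for a in analyses:
        print(a)
    print("TSC updates needed:", missing)
```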
The embodiment of the invention provides a failure processing method for an intelligent driving system of a vehicle: from the fault events related to the failure of the intelligent driving system, the minimum cut sets are obtained with a fault tree analysis method; for each minimum cut set a target category is selected from the DFA analysis category library for analysis; and a system failure processing measure is matched according to the target category and the analysis result, so that the related failure of the intelligent driving system is handled through that measure. By analyzing the related failure results of the different components of the intelligent driving system according to the different types of safety system related failures, the invention screens out reasonable generalized analysis indexes for the related failure analysis, avoids the redundant analysis that arises from the lack of correlation between latent-fault safety mechanisms and single-point safety mechanisms, reduces repeated analysis work and the workload of related failure analysis, and improves analysis efficiency.
Fig. 3 is a schematic structural diagram of a failure handling device of an intelligent driving system for a vehicle according to an embodiment of the present invention. The device can execute the failure processing method of the intelligent driving system of the vehicle according to any embodiment of the invention.
As shown in fig. 3, the apparatus includes: a cut-set determining module 310, a cut-set analysis module 320, and a failure processing module 330.
A cut-set determining module 310, configured to obtain a minimum cut-set according to a fault event associated with a failure of the intelligent driving system of the vehicle by using a fault tree analysis method, where the minimum cut-set includes a minimum set of fault events that cause the failure of the intelligent driving system of the vehicle;
the cut set analysis module 320 is configured to obtain, for each of the minimum cut sets, a target class from a relevant failure analysis DFA analysis class library, and analyze the current minimum cut set;
and the failure processing module 330 is configured to match the system failure processing measure according to the target class and the analysis result, and perform related failure processing on the intelligent driving system of the vehicle through the system failure processing measure.
Optionally, the cut-set analysis module 320 is specifically configured to:
acquiring target categories in a related failure analysis (DFA) analysis category library;
analyzing failure reasons of the current minimum cut set according to the target category, wherein the failure reasons comprise common cause failure and cascade failure;
and according to the current minimum cut set, carrying out failure result analysis on the common cause failure and the cascade failure.
Optionally, in the case that the target class is an unexpected impact class-related failure, the failure processing module 330 is specifically configured to:
if the analysis result is that the CPU fails to cause the function failure, the system failure processing measure is that the CPU is configured with a lockstep;
if the analysis result is that the functional safety software module and the non-functional safety software module share the RAM, and the non-functional safety software module mistakenly modifies the system failure caused by the data used by the functional safety software module, the system failure processing measure is to partition the RAM according to the functional safety software module and the non-functional safety software module, and/or configure a microprocessor MPU in the RAM partition corresponding to the functional safety software module.
Optionally, in the case that the target class is a shared resource class related failure, the failure processing module 330 is specifically configured to:
if the analysis result is a system failure caused by the failure of the memory chip, the system failure processing measure is to perform power-on self-test on the memory chip;
if the analysis result is that the system fails due to the OS running fault of the operating system, the system failure processing measure is to monitor the operating system through a watchdog;
and if the analysis result is that a plurality of specific functions fail due to the chip faults, the system failure processing measure is to monitor the corresponding chip.
Optionally, in the case that the target class is a shared input class related failure, the failure processing module 330 is specifically configured to:
if the analysis result is that a fault of a shared input node causes perception failure and the failure of a plurality of specific functions, the system failure processing measure is that the shared input node is monitored through a watchdog;
if the analysis result is that the failure of the safety-related vehicle signals causes perception failure and the failure of a plurality of specific functions, the system failure processing measure is that the safety-related vehicle signals are monitored through a bus monitoring (CanMonitor) module;
if the analysis result is that a radar fault causes fusion failure and the failure of a plurality of specific functions, the system failure processing measure is that the radar-reported fault is detected through the diagnosis module;
and if the analysis result is that a functional fault or control parameter overrun causes control failure and the failure of a plurality of specific functions, the system failure processing measure is to monitor the functional fault or the control parameter overrun through a safety verifier (SafetyValidator) module.
Optionally, in the case that the target class is a communication class related failure, the failure processing module 330 is specifically configured to:
if the analysis result is that a serial peripheral interface (SPI) communication failure causes the transmission of perception data to fail and the failure of a plurality of specific functions, the system failure processing measure is that the SPI communication data is monitored periodically by the SPI module;
if the analysis result is that a V-CAN communication fault causes the failure of a plurality of specific functions, the system failure processing measure is that the diagnosis module detects the V-CAN communication fault and end-to-end communication protection (E2E) faults of the vehicle body signals on the V-CAN;
and if the analysis result is that an R-CAN communication fault causes fusion failure and the failure of a plurality of specific functions, the system failure processing measure is that the radar-reported fault and the E2E fault are detected through the diagnosis module.
Optionally, the failure processing module 330 is specifically configured to:
and performing related failure processing on components related to the related failure of the intelligent driving system of the vehicle according to the system failure processing measures.
The failure processing device of the intelligent vehicle driving system provided by the embodiment of the invention can execute the failure processing method of the intelligent vehicle driving system provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
The vehicle includes: at least one processor; and a memory communicatively coupled to the at least one processor; the memory stores a computer program executable by the at least one processor, so that the at least one processor can execute the failure processing method of the intelligent driving system of the vehicle.
In some embodiments, the failure handling method of the vehicle intelligent driving system may be implemented as a computer program tangibly embodied on a computer-readable storage medium, such as a storage unit. In some embodiments, part or all of the computer program may be loaded and/or installed onto the vehicle via the ROM and/or the communication unit. When the computer program is loaded into RAM and executed by the processor, one or more steps of the failure handling method of the intelligent driving system of a vehicle described above may be performed. Alternatively, in other embodiments, the processor may be configured to perform the failure handling method of the vehicle intelligent driving system in any other suitable manner (e.g., by means of firmware).
Various implementations of the systems and techniques described above can be implemented in digital electronic circuitry, integrated circuit systems, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems On Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implementation in one or more computer programs, which may be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special purpose or general-purpose programmable processor, that may receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
A computer program for carrying out methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be implemented. The computer program may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. The computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a button) by which the user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps described in the present invention may be performed in parallel, sequentially, or in a different order, so long as the desired results of the technical solution of the present invention are achieved, and the present invention is not limited herein.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.

Claims (10)

1. A failure processing method of an intelligent driving system of a vehicle is characterized by comprising the following steps:
obtaining a minimum cut set by adopting a fault tree analysis method according to a fault event related to the failure of the intelligent driving system of the vehicle, wherein the minimum cut set comprises a minimum set of fault events causing the failure of the intelligent driving system of the vehicle;
for each minimum cut set, acquiring a target category from a related failure analysis (DFA) analysis category library to analyze the current minimum cut set;
and matching system failure processing measures according to the target category and the analysis result, and performing relevant failure processing on the intelligent driving system of the vehicle through the system failure processing measures.
2. The method of claim 1, wherein the obtaining the target class from the relevant failure analysis DFA analysis class library analyzes the current minimal cut set, comprising:
acquiring target categories in a related failure analysis (DFA) analysis category library;
analyzing failure reasons of the current minimum cut set according to the target category, wherein the failure reasons comprise common cause failure and cascade failure;
and according to the current minimum cut set, carrying out failure result analysis on the common cause failure and the cascade failure.
3. The method of claim 1, wherein, in the case where the target class is an unexpected impact class-related failure, the matching the system failure handling measure according to the target class and the analysis result comprises:
if the analysis result is that the CPU fails to cause the function failure, the system failure processing measure is that the CPU is configured with a lockstep;
if the analysis result is that the functional safety software module and the non-functional safety software module share the RAM, and the non-functional safety software module mistakenly modifies the system failure caused by the data used by the functional safety software module, the system failure processing measure is to partition the RAM according to the functional safety software module and the non-functional safety software module, and/or configure a microprocessor MPU in the RAM partition corresponding to the functional safety software module.
4. The method according to claim 1, wherein in the case that the target class is a shared resource class related failure, the matching the system failure handling measure according to the target class and the analysis result includes:
if the analysis result is a system failure caused by the failure of the memory chip, the system failure processing measure is to perform power-on self-test on the memory chip;
if the analysis result is that the system fails due to the OS running fault of the operating system, the system failure processing measure is to monitor the operating system through a watchdog;
and if the analysis result is that a plurality of specific functions fail due to the chip faults, the system failure processing measure is to monitor the corresponding chip.
5. The method according to claim 1, wherein in case the target class is a shared input class related failure, the matching the system failure handling measure according to the target class and the analysis result comprises:
if the analysis result is that the sensing failure and a plurality of specific functions fail due to the fault of the shared input node, the system failure processing measure is that the shared input node is monitored through a watchdog;
if the analysis result is a perception failure and a plurality of specific function failures caused by the failure of the safety-related vehicle signals, the system processing measures are that the safety-related vehicle signals are monitored through a bus monitoring CANMONITOR module;
if the analysis result is fusion failure and a plurality of specific functional failures caused by radar faults, the system processing measures are that the radar reporting faults are detected through a diagnosis module;
and if the analysis result is control failure caused by functional failure or control parameter overrun and a plurality of specific functional failures, the system processing measure is to monitor the functional failure or the control parameter overrun through a safety verifier (SafetyValidator) module.
6. The method according to claim 1, wherein in the case that the target class is a communication class related failure, the matching the system failure handling measure according to the target class and the analysis result includes:
if the analysis result is that the perceived data transmission failure and a plurality of specific functions are invalid due to SPI communication failure of the serial peripheral interface, the system processing measure is that the SPI communication data is monitored periodically by the SPI module;
if the analysis result is that the V-CAN communication fault causes a plurality of specific functional failures, the system processing measures are that the diagnosis module detects the V-CAN communication fault and the end-to-end communication protection E2E fault of the vehicle body signal on the V-CAN;
if the analysis result is that the R-CAN communication fault leads to fusion failure and a plurality of specific function failures, the system processing measures are that the radar reporting fault and the E2E fault are detected through the diagnosis module.
7. The method according to any one of claims 3-6, characterized in that the related failure handling of the intelligent driving system of the vehicle by the system failure handling measure comprises:
and performing related failure processing on components related to the related failure of the intelligent driving system of the vehicle according to the system failure processing measures.
8. A failure processing apparatus of an intelligent driving system for a vehicle, comprising:
the system comprises a cut-set determining module, a fault tree analysis module and a fault tree analysis module, wherein the cut-set determining module is used for obtaining a minimum cut-set according to a fault event related to the failure of the intelligent driving system of the vehicle, and the minimum cut-set comprises a minimum set of fault events causing the failure of the intelligent driving system of the vehicle;
the cut set analysis module is used for obtaining a target class from the related failure analysis (DFA) analysis class library for each minimum cut set to analyze the current minimum cut set;
and the failure processing module is used for matching system failure processing measures according to the target category and the analysis result, and performing relevant failure processing on the intelligent driving system of the vehicle through the system failure processing measures.
9. A vehicle, characterized in that the vehicle comprises:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the failure processing method of the vehicle intelligent driving system according to any one of claims 1 to 7.
10. A computer-readable storage medium storing computer instructions for causing a processor to execute the failure processing method of the intelligent driving system of a vehicle according to any one of claims 1 to 7.
CN202310158613.7A 2023-02-23 2023-02-23 Failure processing method and device for intelligent driving system of vehicle, vehicle and medium Pending CN116089151A (en)
Publications (1)

Publication Number Publication Date
CN116089151A true CN116089151A (en) 2023-05-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination