EP-4742039-A1 - SYSTEM AND METHOD FOR PROVIDING FUNCTIONAL SAFETY OF CONTROLLERS IN A SOFTWARE DEFINED VEHICLE

Abstract

A system and method for providing functional safety in a software defined vehicle (SDV) is disclosed. The system includes a Central Controller (CC), a plurality of Zonal Controllers (ZCs) coupled with the CC, and an Emergency Controller (EC) coupled to the CC and each of the plurality of ZCs. The CC or one of the plurality of ZCs is dynamically configurable as a Vehicle Safety Monitor (VSM), and one of the plurality of ZCs is dynamically configurable as a shadow-VSM (SVSM), based on a determination of one of a plurality of modes of the SDV. The VSM is configured to monitor the EC and the plurality of ZCs, and the SVSM is configured to monitor the VSM, to determine the one of the plurality of modes of the SDV.

Inventors

  • SARKAR, ARNIK
  • GHOSH, SAYANSHREE

Assignees

  • Wipro Limited

Dates

Publication Date: 2026-05-13
Application Date: 2025-02-27

Claims (13)

  1. A system for providing functional safety of controllers in a software defined vehicle, SDV, comprising: a Central Controller, CC; a plurality of Zonal Controllers, ZCs, coupled with the CC; and an Emergency Controller, EC, coupled to the CC and each of the plurality of ZCs, wherein the CC or one of the plurality of ZCs is dynamically configurable as a Vehicle Safety Monitor, VSM, and one of the plurality of ZCs is dynamically configurable as a shadow-VSM, SVSM, based on a determined mode of the SDV, the determined mode being one of a plurality of modes of the SDV, and wherein the VSM is configured to monitor the EC and the plurality of ZCs, and the SVSM is configured to monitor the VSM, to determine the mode.
  2. The system of claim 1, wherein the mode is determined to be a normal mode upon detection of the EC, the CC and the plurality of ZCs as operational, and wherein in the normal mode, the CC is dynamically configured as the VSM, and one of the plurality of ZCs is dynamically configured as the SVSM.
  3. The system of any preceding claim, wherein each of the plurality of ZCs is categorized into one of a set of zones of the SDV, wherein the mode is determined to be an emergency mode based on one of: detection of the EC as faulty, wherein in the emergency mode, the CC is dynamically configured as the EC and the VSM, and one of the plurality of ZCs is dynamically configured as the SVSM; or detection of all ZCs corresponding to one zone from the set of zones as faulty, wherein in the emergency mode, the CC is dynamically configured as the VSM, and one of the plurality of ZCs corresponding to remaining zones from the set of zones is dynamically configured as the SVSM.
  4. The system of claim 3, wherein the mode is determined to be a degraded mode upon detection of one ZC corresponding to each of the set of zones as faulty, and wherein in the degraded mode, the CC is dynamically configured as the VSM, and one of operational ZCs corresponding to each of the set of zones is dynamically configured as the SVSM.
  5. The system of any of claims 1-4, wherein the mode is determined to be a fault-operational mode based on one of: detection of the CC as faulty, wherein in the fault-operational mode, one of the plurality of ZCs is dynamically configured as the VSM, and one of remaining ZCs from the plurality of ZCs is dynamically configured as the SVSM; or detection of the CC and the EC as operational and one of the plurality of ZCs as faulty, wherein in the fault-operational mode, where the one of the plurality of ZCs configured as SVSM is faulty, the CC is dynamically configured as the VSM and one of remaining ZCs from the plurality of ZCs is dynamically configured as the SVSM.
  6. The system of any of claims 1-5, wherein the VSM is configured to periodically receive heartbeat signals from each of the plurality of ZCs and the EC in order to monitor the plurality of ZCs and the EC, wherein the SVSM is configured to periodically receive heartbeat signals from the VSM in order to monitor the VSM, and wherein the mode of the SDV is determined based on: not receiving the heartbeat signals by the VSM from at least one of: each of the plurality of ZCs or the EC, or not receiving the heartbeat signals by the SVSM from the VSM.
  7. A method for providing functional safety of controllers in a software defined vehicle, SDV, the method comprising: determining a mode of the SDV from one of a plurality of modes based on: monitoring, by a Vehicle Safety Monitor, VSM, an Emergency Controller, EC, and a plurality of Zonal Controllers, ZCs, of the SDV; and monitoring, by a Shadow-VSM, SVSM, the VSM, wherein the SDV comprises a Central Controller, CC, wherein the plurality of ZCs are coupled with the CC, wherein the EC is coupled to the CC and each of the plurality of ZCs, and wherein the CC or one of the plurality of ZCs is dynamically configured as the VSM and one of the plurality of ZCs is dynamically configured as the SVSM, based on the determined mode.
  8. The method of claim 7, wherein the mode is determined to be a normal mode upon detection of the EC, the CC, and the plurality of ZCs as operational, and wherein in the normal mode, the CC is dynamically configured as the VSM, and one of the plurality of ZCs is dynamically configured as the SVSM.
  9. The method of any of claims 7-8, wherein each of the plurality of ZCs is categorized into one of a set of zones of the SDV, wherein the mode is determined to be an emergency mode based on one of: detection of the EC as faulty, wherein in the emergency mode, the CC is dynamically configured as the EC and the VSM, and one of the plurality of ZCs is dynamically configured as the SVSM; or detection of all ZCs corresponding to one zone from the set of zones as faulty, wherein in the emergency mode, the CC is dynamically configured as the VSM, and one of the plurality of ZCs corresponding to remaining zones from the set of zones is dynamically configured as the SVSM.
  10. The method of claim 9, wherein the mode is determined to be a degraded mode upon detection of one ZC corresponding to each of the set of zones as faulty, and wherein in the degraded mode, the CC is dynamically configured as the VSM, and one of the operational ZCs corresponding to each of the set of zones is dynamically configured as the SVSM.
  11. The method of any of claims 7-10, wherein the mode is determined to be a fault-operational mode based on one of: detection of the CC as faulty, wherein in the fault-operational mode, one of the plurality of ZCs is dynamically configured as the VSM, and one of remaining ZCs from the plurality of ZCs is dynamically configured as the SVSM; or detection of the CC and the EC as operational and one of the plurality of ZCs as faulty, wherein in the fault-operational mode, where the one of the ZCs configured as SVSM is faulty, the CC is dynamically configured as the VSM and one of remaining ZCs from the plurality of ZCs is dynamically configured as the SVSM.
  12. The method of any of claims 7-11, wherein the VSM is configured to periodically receive heartbeat signals from each of the plurality of ZCs and the EC in order to monitor the plurality of ZCs and the EC, wherein the SVSM is configured to periodically receive heartbeat signals from the VSM in order to monitor the VSM, and wherein the mode is determined based on: not receiving the heartbeat signals by the VSM from at least one of: each of the plurality of ZCs or the EC, or not receiving the heartbeat signals by the SVSM from the VSM.
  13. A non-transitory computer-readable medium storing computer-executable instructions for providing functional safety of controllers in a software defined vehicle, SDV, wherein the computer-executable instructions when executed by at least one processor, cause the method of any of claims 7 to 12 to be performed at the SDV.
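The role-assignment rules of claims 2 to 6, written out as a mode-determination routine. This is an added example, not the applicant's code: controller health is derived from heartbeat ages as claim 6 describes, while the heartbeat period, the miss budget, the controller names, the preference for keeping the current SVSM, and the "unsafe" fallback for fewer than two live ZCs are constructed assumptions the claims do not specify.

```python
"""Mode determination for the VSM/SVSM scheme of EP-4742039-A1, claims 2-6.

Added example, not the applicant's code. Heartbeat period, miss budget,
controller names and the "unsafe" fallback are constructed assumptions.
"""
from dataclasses import dataclass

HEARTBEAT_PERIOD_S = 0.1   # constructed; the claims give no period
MISS_BUDGET = 3            # constructed; heartbeats missed before "faulty"


@dataclass
class Topology:
    zone_of: dict                 # ZC id -> zone id (claims 3 and 4)
    last_seen: dict               # controller id -> time of last heartbeat (s)
    current_svsm: str = None      # ZC presently acting as SVSM, if any

    def ok(self, ctrl: str, now: float) -> bool:
        """Operational while the heartbeat age is inside the miss budget (claim 6)."""
        return ctrl in self.last_seen and now - self.last_seen[ctrl] <= MISS_BUDGET * HEARTBEAT_PERIOD_S


def determine_mode(t: Topology, now: float) -> dict:
    """Return the mode and the VSM/SVSM/EC role holders, applying claims 2-5 in order."""
    zones = {}
    for zc, zone in t.zone_of.items():
        zones.setdefault(zone, []).append(zc)
    live = [zc for zc in t.zone_of if t.ok(zc, now)]
    # Assumption: keep the current SVSM while it is still operational (stable sort puts it first).
    live.sort(key=lambda zc: zc != t.current_svsm)
    cc_ok, ec_ok = t.ok("CC", now), t.ok("EC", now)
    ec_role = "EC" if ec_ok else None
    if not cc_ok:                                   # claim 5(a): two ZCs take VSM and SVSM
        if len(live) < 2:                           # not a claimed mode: constructed fallback
            return {"mode": "unsafe", "vsm": None, "svsm": None, "ec": ec_role}
        return {"mode": "fault-operational", "vsm": live[0], "svsm": live[1], "ec": ec_role}
    if not ec_ok:                                   # claim 3(a): CC becomes EC and VSM
        return {"mode": "emergency", "vsm": "CC", "svsm": live[0] if live else None, "ec": "CC"}
    dead_zones = {z for z, members in zones.items() if not any(zc in live for zc in members)}
    if dead_zones:                                  # claim 3(b): SVSM from a surviving zone
        cand = [zc for zc in live if t.zone_of[zc] not in dead_zones]
        return {"mode": "emergency", "vsm": "CC", "svsm": cand[0] if cand else None, "ec": "EC"}
    if zones and all(any(zc not in live for zc in m) for m in zones.values()):  # claim 4
        return {"mode": "degraded", "vsm": "CC", "svsm": live[0], "ec": "EC"}
    if len(live) < len(t.zone_of):                  # claim 5(b): a ZC (possibly the SVSM) failed
        return {"mode": "fault-operational", "vsm": "CC", "svsm": live[0], "ec": "EC"}
    return {"mode": "normal", "vsm": "CC", "svsm": live[0], "ec": "EC"}   # claim 2
```

Each branch returns the role holders the corresponding claim prescribes, so a reviewer can check the precedence between claim 3(b) and claim 4 directly against the zone map.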

Description

This application is a Non-Provisional Application, which claims priority to the Indian provisional patent application No. 202441087228, filed November 12, 2024, entitled "SYSTEM AND METHOD FOR ENSURING FUNCTIONAL SAFETY IN A SOFTWARE DEFINED VEHICLE."

TECHNICAL FIELD

This disclosure relates generally to the operation of software defined vehicles, and more particularly to a system and method for providing functional safety of controllers in a software defined vehicle.

BACKGROUND

In recent years, modern automobiles have become increasingly dependent on embedded electronic systems which incorporate numerous Electronic Control Units (ECUs), sensors, bus systems, and advanced technologies such as cameras, radar, and lidar. These components collectively manage various vehicle functions, from essential control systems to sophisticated features such as adaptive cruise control, collision avoidance, and automated parking. In modern vehicles, there can be numerous ECUs, each dedicated to specific tasks. However, with the rise of high-performance computers (HPCs) in the automotive industry, this traditional architecture is evolving. Instead of being managed by a multitude of ECUs, new vehicle architectures consolidate these functionalities into a number of HPCs, which leads to a significant shift towards software-defined vehicles (SDVs).

Despite these advancements, providing the functional safety of SDVs presents new challenges. SDVs employ increased automation, connectivity, and electrification, and integrate data-center-level capabilities to support advanced features such as autonomous driving, infotainment systems, and real-time mapping. The transition to software-defined architectures, where vehicle features are broken down into micro-services deployed on location-agnostic controllers, creates new points of potential failure.

As vehicle functions become more dependent on complex software, the need for robust fault detection and recovery mechanisms grows significantly. Existing fail-safe systems focus primarily on fail-safe methods that ensure stopping of the vehicle in the event of a fault. However, such fail-safe methods lack a fault-operational approach that would allow continued safe operation after a fault is detected. Existing fail-safe systems for fault management in autonomous and software-defined vehicles may fall short in several critical areas. They often fail to provide sufficient redundancy across controllers and other essential components. Therefore, there is a need for an efficient methodology to provide functional safety of controllers in a software defined vehicle.

SUMMARY OF THE INVENTION

In an embodiment, a system for providing functional safety of controllers in a software defined vehicle (SDV) is disclosed. The system may include a Central Controller (CC). The system may further include a plurality of Zonal Controllers (ZCs) coupled with the CC. The system may further include an Emergency Controller (EC) coupled to the CC and each of the plurality of ZCs. In an embodiment, the CC or one of the plurality of ZCs may be dynamically configurable as a Vehicle Safety Monitor (VSM) and one of the plurality of ZCs may be dynamically configurable as a shadow-VSM (SVSM), based on a determination of one of a plurality of modes of the SDV. In an embodiment, the VSM may be configured to monitor the EC and the plurality of ZCs, and the SVSM may be configured to monitor the VSM, to determine the one of the plurality of modes of the SDV.

In another embodiment, a method for providing functional safety of controllers in a software defined vehicle (SDV) is disclosed. The method may include determining one of a plurality of modes of the SDV based on monitoring, by a Vehicle Safety Monitor (VSM), an Emergency Controller (EC) and a plurality of Zonal Controllers (ZCs) of the SDV. The method may further include determining one of a plurality of modes of the SDV based on monitoring, by a Shadow-VSM (SVSM), the VSM. In an embodiment, the SDV may include a Central Controller (CC). In an embodiment, the plurality of ZCs may be coupled with the CC. In an embodiment, the EC may be coupled to the CC and each of the plurality of ZCs. In an embodiment, the CC or one of the plurality of ZCs may be dynamically configurable as the VSM and one of the plurality of ZCs may be dynamically configurable as the SVSM, based on the determination of the one of the plurality of modes of the SDV.

In yet another embodiment, a non-transitory computer-readable medium storing computer-executable instructions for providing functional safety of controllers in a software defined vehicle (SDV) is disclosed. The computer-executable instructions are configured for dynamically configuring a Central Controller (CC) or one of a plurality of Zonal Controllers (ZCs) as a Vehicle Safety Monitor (VSM) and dynamically configuring one of the plurality of ZCs as a shadow-VSM (SVSM), based on a determination of one of a plurality of modes of the SDV. The computer