EP-4742040-A1 - SYSTEM AND METHOD FOR PROVIDING FUNCTIONAL SAFETY IN A SOFTWARE DEFINED VEHICLE
Abstract
A software defined vehicle (SDV) is disclosed. The SDV includes a controller system that includes a set of controllers, a sensor system that includes a plurality of sets of sensors, and a network system that includes a first network bus and a second network bus. One of the set of controllers is dynamically configurable to determine one of a plurality of modes of the SDV based on a monitoring of each of the controller system, the sensor system, and the network system. Each of the set of controllers is communicatively coupled with one or more of the remaining controllers of the set via one of the first network bus and the second network bus. Each of the set of controllers is dynamically configured to receive sensor data from at least one set of sensors from the plurality of sets of sensors.
Inventors
- SARKAR, ARNIK
- GHOSH, SAYANSHREE
Assignees
- Wipro Limited
Dates
- Publication Date: 2026-05-13
- Application Date: 2025-02-27
Claims (15)
- A software defined vehicle, SDV, comprising: a controller system comprising a set of controllers; a sensor system comprising a plurality of sets of sensors; and a network system comprising a first network bus and a second network bus; wherein one of the set of controllers is dynamically configurable to determine one of a plurality of modes of the SDV based on monitoring each of: the controller system, the sensor system, and the network system, wherein each of the set of controllers is communicatively coupled with one or more of remaining of the set of controllers via one of: the first network bus or the second network bus, based on the determined mode of the SDV, the determined mode being one of the plurality of modes of the SDV, and wherein each of the set of controllers is dynamically configured to receive sensor data from at least one set of sensors of the plurality of sets of sensors based on the determined mode.
- The SDV of claim 1, wherein the set of controllers comprises: a Central Controller, CC; a plurality of Zonal Controllers, ZCs, communicably coupled with the CC via the first network bus, wherein each of the plurality of ZCs corresponds to one of a plurality of zones of the SDV; and an Emergency Controller, EC, communicably coupled to the CC and each of the plurality of ZCs via the second network bus, wherein the CC or one of the plurality of ZCs is dynamically configurable as a Vehicle Safety Monitor, VSM, and one of remaining of the plurality of ZCs is dynamically configurable as a shadow-VSM, SVSM, based on the determined mode, and wherein the VSM is configured to monitor the EC and the plurality of ZCs and the SVSM is configured to monitor the VSM to determine the mode.
- The SDV of claim 2, wherein the plurality of sets of sensors comprises: a set of Primary Sensors, PSs, each of the set of PSs corresponds to one of the plurality of zones and is coupled to a corresponding ZC of that zone; a set of Secondary Sensors, SSs, each of the set of SSs corresponds to one of the plurality of zones and is coupled to a corresponding ZC of another zone; and a set of Tertiary Sensors, TSs, each of the set of TSs corresponds to one of the plurality of zones and is coupled to the EC, wherein the EC or the plurality of ZCs are dynamically configured to receive sensor data from one of: the set of PSs, the set of SSs, or the set of TSs, based on the determined mode, wherein the mode is determined based on monitoring the set of PSs or the set of SSs corresponding to the plurality of zones, and wherein each of the plurality of ZCs is configured to monitor the corresponding PS from the corresponding zone and the corresponding SS from the other zone based on a plausibility score determined for the received sensor data.
- The SDV of claim 3, wherein the VSM is configured to periodically receive heartbeat signals from: each of the plurality of ZCs via the first network bus and the EC via the second network bus to monitor the plurality of ZCs, the EC, the first network bus and the second network bus, wherein the SVSM is configured to periodically receive heartbeat signals from the VSM to monitor the VSM via the first network bus, and wherein the mode is determined based on: not receiving the heartbeat signals by the VSM from at least one of: at least one of the plurality of ZCs or the EC, or not receiving the heartbeat signals by the SVSM from the VSM.
- The SDV of claim 4, wherein the mode is determined to be a normal mode upon detection of: the EC, the CC, and the plurality of ZCs as operational, and each of the set of PSs as operational; and wherein, in the normal mode: the CC is dynamically configured as the VSM, and one of the plurality of ZCs is dynamically configured as the SVSM, and each of the plurality of ZCs is dynamically configured to receive the sensor data from the corresponding PS from the corresponding zone.
- The SDV of claim 5, wherein the mode is determined to be a fault-operational mode based on one of: detection of the CC as faulty, detection of the CC and the EC as operational and one of the plurality of ZCs as faulty, or detection of one of the set of PSs as faulty; and wherein, in the fault-operational mode: if the CC is detected as faulty: one of the plurality of ZCs is dynamically configured as the VSM, and one of remaining ZCs from the plurality of ZCs is dynamically configured as the SVSM, and each of the plurality of ZCs is dynamically configured to receive the sensor data from the corresponding SS from the other zone; and if the one of the ZCs configured as SVSM is detected as faulty and the CC and the EC are detected as operational: the CC is dynamically configured as VSM and one of remaining ZCs from the plurality of ZCs is dynamically configured as the SVSM, and each of the plurality of ZCs is dynamically configured to receive the sensor data from the corresponding SS from the other zone.
- The SDV of claim 6, wherein the mode is determined to be an emergency mode based on one of: detection of the EC as faulty, detection of all ZCs corresponding to one zone from the plurality of zones as faulty, or detection of one of the set of PSs and one of the set of SSs as faulty, wherein, in the emergency mode: if the EC is detected as faulty: the CC is dynamically configured as the EC and the VSM, and one of the plurality of ZCs is dynamically configured as the SVSM, and the EC is dynamically configured to receive the sensor data from the set of TSs; and if all ZCs corresponding to the one zone are detected as faulty: the CC is dynamically configured as the VSM, and the EC is dynamically configured to receive the sensor data from the set of TSs.
- A method of providing functional safety in a software defined vehicle (SDV), the method comprising: monitoring each of: a controller system, a sensor system, and a network system of the SDV; determining one of a plurality of modes of the SDV based on the monitoring, wherein the controller system comprises a set of controllers, wherein the sensor system comprises a plurality of sets of sensors, wherein the network system comprises a first network bus and a second network bus, and wherein each of the set of controllers is communicatively coupled with one or more of remaining of the set of controllers via one of: the first network bus or the second network bus, based on the determined mode of the SDV, the determined mode being one of the plurality of modes of the SDV; and dynamically receiving, by each of the set of controllers, sensor data from at least one set of sensors of the plurality of sets of sensors based on the determined mode.
- The method of claim 8, wherein the set of controllers comprises: a Central Controller, CC; a plurality of Zonal Controllers, ZCs, communicably coupled with the CC via the first network bus, wherein each of the plurality of ZCs corresponds to one of a plurality of zones of the SDV; and an Emergency Controller, EC, communicably coupled to the CC and each of the plurality of ZCs via the second network bus, wherein, based on the determined mode, the CC or one of the plurality of ZCs is dynamically configured as a Vehicle Safety Monitor, VSM, and one of the plurality of ZCs is dynamically configured as a shadow-VSM, SVSM, and wherein the monitoring comprises: monitoring, by the VSM, the EC and the plurality of ZCs; and monitoring, by the SVSM, the VSM.
- The method of claim 9, wherein the plurality of sets of sensors comprises: a set of Primary Sensors, PSs, each of the set of PSs corresponds to one of the plurality of zones and is coupled to a corresponding ZC of that zone; a set of Secondary Sensors, SSs, each of the set of SSs corresponds to one of the plurality of zones and is coupled to a corresponding ZC of another zone; and a set of Tertiary Sensors, TSs, each of the set of TSs corresponds to one of the plurality of zones and is coupled to the EC, wherein, based on the determined mode, the EC or the plurality of ZCs are dynamically configured to receive the sensor data from one of: the set of PSs, the set of SSs, or the set of TSs, wherein the mode is determined based on monitoring of the set of PSs or the set of SSs corresponding to the plurality of zones, and wherein each of the plurality of ZCs is configured to monitor the corresponding PS from the corresponding zone and the corresponding SS from the other zone based on a plausibility score determined for the received sensor data.
- The method of claim 10, wherein the VSM is configured to periodically receive heartbeat signals from: each of the plurality of ZCs via the first network bus and the EC via the second network bus to monitor the plurality of ZCs, the EC, the first network bus and the second network bus, wherein the SVSM is configured to periodically receive heartbeat signals from the VSM to monitor the VSM via the first network bus, and wherein the mode is determined based on: not receiving the heartbeat signals by the VSM from at least one of: at least one of the plurality of ZCs or the EC, or not receiving the heartbeat signals by the SVSM from the VSM.
- The method of claim 11, comprising: determining the mode as a normal mode upon detection of: the EC, the CC, and the plurality of ZCs as operational, and each of the set of PSs as operational, wherein, in the normal mode: the CC is dynamically configured as the VSM, and one of the plurality of ZCs is dynamically configured as the SVSM, and each of the plurality of ZCs is dynamically configured to receive the sensor data from the corresponding PS from the corresponding zone.
- The method of claim 12, comprising: determining the mode as a fault-operational mode upon detection of one of: the CC as faulty, or the CC and the EC as operational and one of the plurality of ZCs as faulty, or one of the set of PSs as faulty, wherein, in the fault-operational mode: if the CC is detected as faulty: one of the plurality of ZCs is dynamically configured as the VSM, and one of remaining ZCs from the plurality of ZCs is dynamically configured as the SVSM, and each of the plurality of ZCs is dynamically configured to receive the sensor data from the corresponding SS from the other zone; and if the one of the ZCs configured as SVSM is detected as faulty and the CC and the EC are detected as operational: the CC is dynamically configured as the VSM and one of remaining ZCs from the plurality of ZCs is dynamically configured as the SVSM, and each of the plurality of ZCs is dynamically configured to receive the sensor data from the corresponding SS from the other zone.
- The method of claim 13, comprising: determining the mode as an emergency mode upon detection of one of: the EC as faulty, all ZCs corresponding to one zone from the plurality of zones as faulty, or one of the set of PSs and one of the set of SSs as faulty, wherein, in the emergency mode: if the EC is detected as faulty: the CC is dynamically configured as the EC and the VSM, and one of the plurality of ZCs is dynamically configured as the SVSM, and the EC is dynamically configured to receive the sensor data from the set of TSs; and if all ZCs corresponding to the one zone are detected as faulty: the CC is dynamically configured as the VSM, and the EC is dynamically configured to receive the sensor data from the set of TSs.
- A computer-readable medium storing computer-executable instructions for providing functional safety in a software defined vehicle, SDV, the computer-executable instructions, when executed by at least one processor, cause the method of any of claims 8 to 14 to be performed at the SDV.
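The mode-selection rules of claims 4 to 7 (heartbeat-based fault detection, then normal, fault-operational or emergency mode with the matching VSM, SVSM and sensor-source assignment), written out as a runnable Python routine; this is an added example, not code from the patent or its assignee. The heartbeat timeout, the controller and zone names, the choice of which healthy ZC takes a role, and the handling of cases the claims leave open (a faulty PS alone, no SVSM named in the zone-down case, CC and EC failing together) are assumptions.

```python
# Added example, not code from the patent: a mode-determination routine that
# follows the decision rules of claims 4 to 7. The timeout value, the controller
# and zone names, and the handling of cases the claims leave open are assumptions.
HEARTBEAT_TIMEOUT = 0.1  # seconds; assumed period after which a heartbeat is overdue

def faulty_controllers(last_heartbeat, now, timeout=HEARTBEAT_TIMEOUT):
    """Claim 4: a controller whose heartbeat has not arrived in time is faulty."""
    return {c for c, t in last_heartbeat.items() if now - t > timeout}

def determine_mode(zones, last_heartbeat, ps_ok, ss_ok, now):
    """Return (mode, config) for the SDV per claims 5 to 7.

    zones:          {zone: [names of the ZCs in that zone]}
    last_heartbeat: {controller: time of its last heartbeat}, including "CC", "EC"
    ps_ok / ss_ok:  {zone: True if the zone's primary / secondary sensor data passed
                    the plausibility check (claim 3)}
    config names the VSM, the SVSM and the sensor set the controllers read from.
    """
    faulty = faulty_controllers(last_heartbeat, now)
    all_zcs = [zc for zcs in zones.values() for zc in zcs]
    healthy_zcs = [zc for zc in all_zcs if zc not in faulty]
    zone_down = [z for z, zcs in zones.items() if all(zc in faulty for zc in zcs)]
    ps_and_ss_bad = [z for z in zones if not ps_ok[z] and not ss_ok[z]]
    cc_ok, ec_ok = "CC" not in faulty, "EC" not in faulty

    # Claim 7, emergency mode: EC lost, an entire zone lost, or a zone's PS and SS lost.
    if not ec_ok:
        # CC takes over both the EC and the VSM role; a ZC becomes SVSM. Simultaneous
        # loss of CC and EC is not addressed by the claims and is not handled here.
        return "emergency", {"VSM": "CC", "EC": "CC", "SVSM": healthy_zcs[0], "sensors": "TS"}
    if zone_down or ps_and_ss_bad:
        # CC is VSM and the EC reads the tertiary sensors; the claims name no SVSM here.
        return "emergency", {"VSM": "CC", "EC": "EC", "sensors": "TS"}

    # Claim 6, fault-operational mode: CC lost, or CC and EC fine but a ZC or PS faulty.
    if not cc_ok:
        # A healthy ZC becomes VSM, another healthy ZC becomes SVSM, ZCs read SS.
        return "fault-operational", {"VSM": healthy_zcs[0], "SVSM": healthy_zcs[1], "sensors": "SS"}
    if len(healthy_zcs) < len(all_zcs) or not all(ps_ok.values()):
        # For a faulty PS alone the claims state only the trigger; SS fallback is assumed.
        return "fault-operational", {"VSM": "CC", "SVSM": healthy_zcs[0], "sensors": "SS"}

    # Claim 5, normal mode: every controller and every PS operational.
    return "normal", {"VSM": "CC", "SVSM": healthy_zcs[0], "sensors": "PS"}

if __name__ == "__main__":
    # Constructed sample: two zones, one ZC each, heartbeats at t=1.0, evaluated at t=1.05.
    zones = {"front": ["ZC_front"], "rear": ["ZC_rear"]}
    hb = {"CC": 1.0, "EC": 1.0, "ZC_front": 1.0, "ZC_rear": 1.0}
    ok = {"front": True, "rear": True}
    print(determine_mode(zones, hb, ok, ok, 1.05))                # normal mode
    print(determine_mode(zones, dict(hb, CC=0.8), ok, ok, 1.05))  # CC heartbeat overdue
```

The routine needs at least two healthy ZCs for the CC-lost branch, since one becomes VSM and another SVSM.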
Description
This application is a Non-Provisional Application, which claims priority to the Indian provisional patent application No. 202441087228, filed November 12, 2024, entitled "SYSTEM AND METHOD FOR ENSURING FUNCTIONAL SAFETY IN A SOFTWARE DEFINED VEHICLE".
TECHNICAL FIELD
This disclosure relates generally to the operation of software defined vehicles, and more particularly to a system and method for providing functional safety in a software defined vehicle.
BACKGROUND
In recent years, modern automobiles have become increasingly dependent on embedded electronic systems that incorporate numerous Electronic Control Units (ECUs), sensors, bus systems, and advanced technologies such as cameras, radar, and lidar. These components collectively manage various vehicle functions, from essential control systems to sophisticated features such as adaptive cruise control, collision avoidance, and automated parking. In modern vehicles, there can be numerous ECUs, each dedicated to specific tasks. However, with the rise of high-performance computers (HPCs) in the automotive industry, this traditional architecture is evolving. Instead of being managed by a multitude of ECUs, new vehicle architectures consolidate these functionalities into a number of HPCs, which leads to a significant shift towards software-defined vehicles (SDVs). Despite these advancements, ensuring the functional safety of SDVs presents new challenges. SDVs make increased use of automation, connectivity, and electrification, and integrate data-center-level capabilities to support advanced features such as autonomous driving, infotainment systems, and real-time mapping. The transition to software-defined architectures, where vehicle features are broken down into microservices deployed on location-agnostic controllers, creates new points of potential failure. As vehicle functions become more dependent on complex software, the need for robust fault detection and recovery mechanisms grows significantly.
Current solutions focus primarily on fail-safe methods that bring the vehicle to a stop in the event of a fault. However, such fail-safe methods lack a fail-operational approach that would allow continued safe operation after a fault is detected. Existing systems for fault management in software-defined vehicles may fall short in several critical areas. They often fail to provide sufficient redundancy across sensors, controllers, communication buses, and other essential components. Existing systems may also lack specialized emergency arrangements that are activated only in emergency modes to execute safe-stop plans. As a result, existing systems may be prone to entering fail-safe modes prematurely without attempting operational recovery, which limits the vehicle's ability to continue functioning in degraded modes. Therefore, there is a need for an efficient methodology to provide functional safety in a software defined vehicle.
SUMMARY OF THE INVENTION
In an embodiment, a software defined vehicle (SDV) is disclosed. The SDV may include a controller system that may include a set of controllers. The SDV may include a sensor system that may include a plurality of sets of sensors. The SDV may include a network system that may include a first network bus and a second network bus. In an embodiment, one of the set of controllers may be dynamically configurable to determine one of a plurality of modes of the SDV based on a monitoring of each of the controller system, the sensor system, and the network system. In an embodiment, each of the set of controllers may be communicatively coupled with one or more of the remaining controllers of the set via one of the first network bus and the second network bus based on the determination of the one of the plurality of modes.
In an embodiment, each of the set of controllers may be dynamically configured to receive sensor data from at least one set of sensors from the plurality of sets of sensors based on the determination of the one of the plurality of modes. In another embodiment, a method of providing functional safety in a software defined vehicle (SDV) is disclosed. The method may include monitoring each of a controller system, a sensor system, and a network system of the SDV. The method may further include determining one of a plurality of modes of the SDV based on the monitoring. In an embodiment, the controller system may include a set of controllers. In an embodiment, the sensor system may include a plurality of sets of sensors. In an embodiment, the network system may include a first network bus and a second network bus. In an embodiment, each of the set of controllers may be communicatively coupled with one or more of remaining of the set of controllers via one of the first network bus and the second network bus based on the determination of the one of the plurality of modes. The method may include dynamically receiving, by each of the set of controllers, sensor data from at least one set of sensors from the plura