EP-4742041-A1 - SOFTWARE DEFINED VEHICLE WITH FUNCTIONALLY SAFE CONTROLLER AND METHOD OF PROVIDING FUNCTIONAL SAFETY THEREOF
Abstract
A software defined vehicle (SDV) with a functionally safe controller and a method of providing functional safety are disclosed. The SDV includes a plurality of controllers. Each of the plurality of controllers includes a safety island configurable to perform a plurality of services corresponding to one or more automotive safety integrity levels (ASILs) from a plurality of ASILs, and a performance island configurable to perform a plurality of micro-services corresponding to one or more remaining ASILs from the plurality of ASILs. The performance island includes at least one node that includes at least one container configurable to perform one or more of the plurality of micro-services.
Inventors
- SARKAR, ARNIK
- Sayanshree, GHOSH
Assignees
- Wipro Limited
Dates
- Publication Date
- 20260513
- Application Date
- 20250227
Claims (15)
- A software defined vehicle, SDV, comprising: a plurality of controllers, each comprising: a safety island configurable to perform a plurality of services corresponding to one or more automotive safety integrity levels, ASILs, of a plurality of ASILs; and a performance island configurable to perform a plurality of micro-services corresponding to one or more remaining ASILs of the plurality of ASILs, wherein the performance island comprises: at least one node comprising: at least one container configurable to perform one or more of the plurality of micro-services, wherein one of the plurality of controllers is dynamically configurable as a Vehicle Safety Monitor, VSM, and a voter based on a predefined priority order, wherein the VSM is configured to dynamically select a set of controllers from remaining controllers of the plurality of controllers based on a determined mode of the SDV, and wherein the set of controllers are configured to simultaneously perform at least one micro-service of the plurality of micro-services.
- The SDV of claim 1, wherein the safety island comprises a master fault manager, wherein the performance island comprises a slave fault manager communicatively coupled to the master fault manager, wherein the at least one container comprises a container fault manager communicatively coupled to the slave fault manager, wherein the container fault manager is configured to: monitor a first operability status of each of the one or more micro-services based on a set of key performance indicators, KPIs, and transmit the first operability status to the slave fault manager based on the monitoring of the first operability status, wherein the slave fault manager is configured to: monitor a second operability status of the performance island based on: a first set of tests performed by the slave fault manager at predefined instances and the reception of the first operability status; and transmit the second operability status to the master fault manager based on the monitoring of the second operability status; wherein the master fault manager is configured to: monitor a third operability status of the safety island based on: a second set of tests performed by the master fault manager at the predefined instances and the reception of the second operability status, and transmit the third operability status to the VSM based on the monitoring of the third operability status.
- The SDV of claim 2, wherein the slave fault manager is configured to relaunch the at least one container a predefined number of times where the first operability status is determined as faulty, and wherein the master fault manager is configured to relaunch the corresponding controller from the plurality of controllers where the second operability status is determined as faulty.
- The SDV of claim 3, wherein where the one of the plurality of controllers is determined as faulty based on the third operability status, one of the remaining of the plurality of controllers is configured as the VSM and the voter based on the predefined priority order, and where one of the set of controllers is determined as faulty based on the third operability status, the VSM is configured to dynamically update the set of controllers from rest of the remaining controllers based on the determined mode.
- The SDV of claim 4, wherein the plurality of services comprises a plurality of critical services, a set of sensor services and a shadow-VSM service, and wherein the plurality of micro-services comprises a data acquisition service, a perception service, and a decision-making service, wherein the performance island of the one of the plurality of controllers is configurable to implement the voter, wherein the voter is configured to compare outputs of the at least one of the plurality of micro-services simultaneously performed by each of the set of controllers, wherein the determined mode is a normal mode where the outputs from each of the set of controllers are the same, wherein the mode is a degraded mode where output of one of the set of controllers is not the same as the outputs of rest of the set of controllers, and wherein the mode is an emergency mode where each of the outputs of the set of controllers are not the same; optionally wherein in the degraded mode, where one of the set of remaining controllers is determined as faulty, the VSM is configured to dynamically select one of the rest of the remaining controllers to replace the faulty controller in the set of controllers.
- The SDV of any of claims 1-5, wherein the one or more ASILs at which the plurality of services are performed by the safety island are of higher priority than the one or more remaining ASILs at which the plurality of micro-services are performed by the performance island.
- A functionally safe automotive controller of a software defined vehicle, SDV, the controller comprising: a safety island configurable to perform a plurality of services corresponding to one or more automotive safety integrity levels, ASILs, of a plurality of ASILs; and a performance island configurable to perform a plurality of micro-services corresponding to one or more remaining safety levels of the plurality of ASILs, wherein the performance island comprises: at least one node comprising: at least one container configurable to perform one or more of the plurality of micro-services.
- The controller of claim 7, wherein the safety island comprises a master fault manager, wherein the performance island comprises a slave fault manager communicatively coupled to the master fault manager, wherein the at least one container comprises a container fault manager communicatively coupled to the slave fault manager, wherein the container fault manager is configured to: monitor a first operability status of each of the one or more of the plurality of micro-services based on a set of key performance indicators, KPIs, and transmit the first operability status to the slave fault manager based on the monitoring of the first operability status, wherein the slave fault manager is configured to: monitor a second operability status of the performance island based on: a first set of tests performed by the slave fault manager at predefined instances and the reception of the first operability status; and transmit the second operability status to the master fault manager based on the monitoring of the second operability status; and wherein the master fault manager is configured to: monitor a third operability status of the safety island based on: a second set of tests performed by the master fault manager at the predefined instances and the reception of the second operability status.
- The controller of claim 8, wherein the slave fault manager is configured to relaunch the at least one container a predefined number of times where the first operability status is determined as faulty, and wherein the master fault manager is configured to relaunch the controller where the second operability status is determined as faulty, optionally wherein: the plurality of services comprises a plurality of critical services, a set of sensor services, a Vehicle Safety Monitor, VSM, service and a shadow-VSM service; and the plurality of micro-services comprises a data acquisition service, a perception service, and a decision making service, wherein the performance island of the controller is configurable as a voter, wherein the voter is configured to compare output of the controller with outputs of a plurality of external controllers, and wherein the SDV is determined to be in one mode of a plurality of modes based on the comparison.
- The controller of any of claims 7-9, wherein the one or more ASILs at which the plurality of services are performed by the safety island are of higher priority than the one or more remaining ASILs at which the plurality of micro-services are performed by the performance island.
- A method of providing functional safety of a controller of a software defined vehicle, SDV, the method comprising: dynamically configuring one of a plurality of controllers as a Vehicle Safety Monitor, VSM, and a voter based on a predefined priority order; dynamically selecting, by the VSM, a set of controllers from remaining of the plurality of controllers based on a determined mode of the SDV, wherein each of the plurality of controllers comprises: a safety island configurable to perform a plurality of services corresponding to one or more automotive safety integrity levels, ASILs, from a plurality of ASILs; and a performance island configurable to perform a plurality of micro-services corresponding to one or more remaining ASILs from the plurality of ASILs, wherein the performance island comprises: at least one node comprising: at least one container configurable to perform one or more of the plurality of micro-services, and wherein the set of controllers are configured to simultaneously perform at least one of the plurality of micro-services.
- The method of claim 11, wherein the safety island comprises a master fault manager, wherein the performance island comprises a slave fault manager communicatively coupled to the master fault manager, wherein the at least one container comprises a container fault manager communicatively coupled to the slave fault manager, wherein the method comprises: monitoring, by the container fault manager, a first operability status of each of the one or more of the plurality of micro-services based on a set of key performance indicators, KPIs; transmitting, by the container fault manager, the first operability status to the slave fault manager based on the monitoring of the first operability status; and monitoring, by the slave fault manager, a second operability status of the performance island based on: a first set of tests performed by the slave fault manager at predefined instances and the reception of the first operability status; transmitting, by the slave fault manager, the second operability status to the master fault manager based on the monitoring of the second operability status; monitoring, by the master fault manager, a third operability status of the safety island based on: a second set of tests performed by the master fault manager at the predefined instances and the reception of the second operability status; and transmitting, by the master fault manager, the third operability status to the VSM based on the monitoring of the third operability status.
- The method of claim 12, comprising: relaunching, by the slave fault manager, the at least one container a predefined number of times where the first operability status is determined as faulty; and relaunching, by the master fault manager, the corresponding controller from the plurality of controllers where the second operability status is determined as faulty, optionally wherein: where the one of the plurality of controllers is determined as faulty based on the third operability status, one of the remaining plurality of controllers is configured as the VSM and the voter based on the predefined priority order, and where one of the set of controllers is determined as faulty based on the third operability status, the VSM is configured to dynamically update the set of controllers from the rest of the remaining controllers based on the determination of one of the plurality of modes.
- The method of any of claims 11-13, wherein the one or more ASILs at which the plurality of services are performed by the safety island are of higher priority than the one or more remaining ASILs at which the plurality of micro-services are performed by the performance island.
- A non-transitory computer-readable medium storing computer-executable instructions for providing functional safety of a controller of a software defined vehicle (SDV), the computer-executable instructions, when executed by at least one processor, cause the method of any of claims 11-14 to be performed at the SDV.
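The following simulation is an added example, not code from the application or from Wipro, that exercises the claimed scheme end to end: election of the VSM and voter by the predefined priority order (claims 1 and 4), selection of the controller set, the claim 5 voter rule that maps output agreement to the normal, degraded and emergency modes, replacement of the dissenting controller in degraded mode, and the container, slave and master fault-manager chain of claims 2 and 3 with a bounded number of container relaunches. Controller names, the KPI set and thresholds, the relaunch budget, the priority-order selection rule and the handling of an even output split are all assumptions, since the claims leave them open. One property worth noting for a security reviewer follows directly from the voting rule: a single controller whose performance-island container diverges, whether through a fault or a compromise, is outvoted and swapped out, but the rule offers no recovery once two or more controllers in the set disagree with each other, so the scheme rests on the integrity of the majority.

```python
"""Added simulation of the claimed redundancy scheme (constructed example, not
Wipro's code): VSM/voter election by priority order, lockstep execution of one
micro-service on a selected set of controllers, the claim 5 voter rule, and the
container -> slave -> master fault-manager escalation with bounded relaunches.
Controller names, KPI limits, retry counts and the selection rule are assumptions."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

NORMAL, DEGRADED, EMERGENCY = "normal", "degraded", "emergency"
MAX_CONTAINER_RELAUNCHES = 2                               # claim 3's "predefined number" (assumed)
KPI_LIMITS = {"latency_ms": 50.0, "missed_deadlines": 0}   # assumed KPI thresholds


@dataclass
class Controller:
    name: str
    priority: int        # position in the predefined priority order; lower is preferred (assumed)
    healthy: bool = True
    relaunches: int = 0  # container relaunches attempted by the slave fault manager


def elect_vsm(controllers: List[Controller]) -> Controller:
    """Claims 1 and 4: the highest-priority healthy controller acts as VSM and voter."""
    healthy = [c for c in controllers if c.healthy]
    if not healthy:
        raise RuntimeError("no healthy controller available to act as VSM")
    return min(healthy, key=lambda c: c.priority)


def select_set(controllers: List[Controller], vsm: Controller, size: int) -> List[Controller]:
    """Claim 1: the VSM picks healthy controllers other than itself to run the
    micro-service simultaneously (taken in priority order; that rule is assumed)."""
    pool = sorted((c for c in controllers if c.healthy and c is not vsm), key=lambda c: c.priority)
    return pool[:size]


def determine_mode(outputs: Dict[str, object]) -> str:
    """Claim 5 voter rule: all outputs equal -> normal; all pairwise different ->
    emergency; exactly one controller disagrees with an otherwise unanimous rest ->
    degraded. An even split is undefined on the page and is treated as emergency
    here because no majority exists (assumption)."""
    n, distinct = len(outputs), len(set(outputs.values()))
    if distinct == 1:
        return NORMAL
    if distinct == n:
        return EMERGENCY
    _, count = Counter(outputs.values()).most_common(1)[0]
    return DEGRADED if count == n - 1 else EMERGENCY


def dissenter(outputs: Dict[str, object]) -> Optional[str]:
    """In degraded mode, the single controller whose output differs from the rest."""
    if determine_mode(outputs) != DEGRADED:
        return None
    majority, _ = Counter(outputs.values()).most_common(1)[0]
    return next(name for name, out in outputs.items() if out != majority)


def container_fault_manager(kpis: Dict[str, float]) -> bool:
    """Claim 2, first operability status: healthy if every KPI is within its limit."""
    return all(kpis.get(k, 0) <= limit for k, limit in KPI_LIMITS.items())


def slave_fault_manager(ctrl: Controller, container_ok: bool, perf_tests_ok: bool) -> bool:
    """Claims 2-3, second operability status of the performance island: a faulty
    container is relaunched up to MAX_CONTAINER_RELAUNCHES times; after that, or if
    the island's own periodic tests fail, the island is reported faulty."""
    if not perf_tests_ok:
        return False
    if container_ok:
        return True
    if ctrl.relaunches < MAX_CONTAINER_RELAUNCHES:
        ctrl.relaunches += 1   # relaunch attempt; KPIs are re-checked next cycle
        return True
    return False


def master_fault_manager(ctrl: Controller, perf_ok: bool, safety_tests_ok: bool) -> bool:
    """Claims 2-3, third operability status reported to the VSM: a faulty performance
    island triggers a controller relaunch (modelled as resetting the relaunch budget);
    the controller is healthy only if its safety-island tests pass and the island is ok."""
    if not perf_ok:
        ctrl.relaunches = 0    # controller relaunch (modelled)
    ctrl.healthy = safety_tests_ok and perf_ok
    return ctrl.healthy


def run_cycle(controllers: List[Controller], outputs_by_name: Dict[str, object], set_size: int = 3):
    """One voting cycle: elect the VSM, select the set, vote on the micro-service
    outputs and, in degraded mode, swap out the dissenting controller (claim 5)."""
    vsm = elect_vsm(controllers)
    chosen = select_set(controllers, vsm, set_size)
    outputs = {c.name: outputs_by_name[c.name] for c in chosen}
    mode = determine_mode(outputs)
    if mode == DEGRADED:
        bad = dissenter(outputs)
        next(c for c in chosen if c.name == bad).healthy = False
        chosen = select_set(controllers, vsm, set_size)
    return vsm.name, mode, [c.name for c in chosen]


if __name__ == "__main__":
    fleet = [Controller(f"C{i}", i) for i in range(1, 6)]
    print(run_cycle(fleet, {"C2": "brake", "C3": "brake", "C4": "coast", "C5": "brake"}))
```

Run as a script, the demo elects C1 as VSM, selects C2, C3 and C4, finds C4 dissenting, marks it faulty and refills the set with C5, printing ('C1', 'degraded', ['C2', 'C3', 'C5']). Marking C1 itself faulty on a later cycle makes C2 the VSM by priority order, which is the failover of claim 4. The relaunch budget is deliberately tracked per controller and reset only by the master fault manager, so a container that keeps failing its KPIs cannot be restarted indefinitely and eventually escalates to the controller level, where the VSM can take it out of the voting set.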
Description
CROSS-REFERENCE TO RELATED APPLICATIONS
This application is a Non-Provisional Application, which claims priority to the Indian provisional patent application No. 202441087228, filed November 12, 2024, entitled "SYSTEM AND METHOD FOR ENSURING FUNCTIONAL SAFETY IN A SOFTWARE DEFINED VEHICLE."
Technical Field
This disclosure relates generally to the operation of software defined vehicles, and more particularly to a software defined vehicle with a functionally safe controller and a method of providing functional safety thereof.
BACKGROUND
In recent years, modern automobiles have become increasingly dependent on embedded electronic systems that incorporate numerous Electronic Control Units (ECUs), sensors, bus systems, and advanced technologies such as cameras, radar, and lidar. These components collectively manage vehicle functions ranging from essential control systems to sophisticated features such as adaptive cruise control, collision avoidance, and automated parking. A modern vehicle can contain numerous ECUs, each dedicated to a specific task. However, with the rise of high-performance computers (HPCs) in the automotive industry, this traditional architecture is evolving. Instead of being managed by a multitude of ECUs, new vehicle architectures consolidate these functions into a smaller number of HPCs, which leads to a significant shift towards software-defined vehicles (SDVs). Despite these advancements, ensuring the functional safety of SDVs presents new challenges. SDVs make increased use of automation, connectivity, and electrification, and integrate data-center-level capabilities to support advanced features such as autonomous driving, infotainment systems, and real-time mapping. The transition to software-defined architectures, where vehicle features are broken down into micro-services deployed on location-agnostic controllers, creates new points of potential failure.
As vehicle functions become more dependent on complex software, the need for robust fault detection and recovery mechanisms grows significantly. Existing fail-safe systems focus primarily on methods that bring the vehicle to a stop in the event of a fault. Such fail-safe methods lack a fail-operational approach that would allow continued safe operation after a fault is detected. Existing fail-safe systems for fault management in autonomous and software-defined vehicles may fall short in several critical areas; in particular, they often fail to provide sufficient redundancy at the controller-platform level and for other essential components. Therefore, there is a need for a functionally safe controller and a method of providing functional safety for the controller.
SUMMARY OF THE INVENTION
In an embodiment, a software defined vehicle (SDV) is disclosed. The SDV may include a plurality of controllers. Each of the plurality of controllers may include a safety island configurable to perform a plurality of services corresponding to one or more automotive safety integrity levels (ASILs) from a plurality of ASILs. Each of the plurality of controllers may further include a performance island configurable to perform a plurality of micro-services corresponding to one or more remaining ASILs from the plurality of ASILs. In an embodiment, the performance island may include at least one node that may include at least one container configurable to perform one or more of the plurality of micro-services. In an embodiment, one of the plurality of controllers may be dynamically configurable as a Vehicle Safety Monitor (VSM) and a voter based on a predefined priority order. In an embodiment, the VSM may be configured to dynamically select a set of controllers from the remaining controllers of the plurality of controllers based on a determination of one of a plurality of modes of the SDV.
In an embodiment, the set of controllers may be configured to simultaneously perform at least one of the plurality of micro-services. In another embodiment, a functionally safe automotive controller of a software defined vehicle (SDV) is disclosed. The controller may include a safety island configurable to perform a plurality of services corresponding to one or more automotive safety integrity levels (ASILs) from a plurality of ASILs. The controller may further include a performance island configurable to perform a plurality of micro-services corresponding to one or more remaining safety levels from the plurality of ASILs. In an embodiment, the performance island may include at least one node that may include at least one container configurable to perform one or more of the plurality of micro-services. In another embodiment, a method of providing functional safety of a controller of a software defined vehicle (SDV) is disclosed. The method may include dynamically configuring one of a plurality of controllers as a Vehicle Safety Monitor (VSM) and a voter based on a predefined priority order. The method may further include dynamically selecting, by the VSM, a set of controllers