HW-SW Concept
The design is driven by the requirement that the system shall still behave safely even after one major failure has occurred. The central control platform is built on a redundant duo-duplex platform, which combines a high degree of integrity with high availability. To increase performance, each computational unit consists of two coprocessors. Two basic control functionalities are performed:
Decision Control and Powertrain Control
Both functionalities can execute on any one of the duplex controllers. This allows a reconfiguration mechanism under which the failure of up to two of the four computational resources does not degrade the functionality of the vehicle (fail-operational mode). If three of the four resources fail, the driver has direct access to the powertrain controller and can manoeuvre the vehicle, without assistance, to a safe state (fail-safe mode).

Each computational unit has two lanes, each of which is again subdivided into two parts, and each part contains one microcontroller. The first microcontroller runs the operating system that manages the redundancy functions, i.e. comparing the states of both lanes and updating the system matrix. The system matrix is the central store in which all data is collected and kept up to date; from the viewpoint of the application processor it constitutes a single, well-defined source of data.
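The following is an added example, written for this page and not code from the project, of the reconfiguration and system-matrix logic described in the two paragraphs above. It models four lanes grouped into two duplex controllers: a duplex whose two lanes disagree is treated as fail-silent (a two-lane comparison cannot tell which lane is wrong, so both are withdrawn), a lane without a heartbeat is withdrawn on its own, the surviving lanes are re-paired, and the two control functions are assigned to whatever pairs remain. The lane names, the tolerance, the torque-request state and the assumption that spare lanes from different controllers may be re-paired are all assumptions of the example, not facts stated on the page.

```python
"""Reconfiguration logic for a duo-duplex control platform (illustrative).

Four lanes (computational resources) form two duplex controllers A and B.
Each duplex compares its two lanes; on disagreement the whole pair is
taken out of service.  Lanes without a heartbeat are taken out
individually.  Surviving lanes are re-paired and the two control
functions are assigned to the surviving pairs.  The system matrix is
the single record the application processors read.

Lane names, tolerance and cross-controller re-pairing are assumptions.
"""
from dataclasses import dataclass, field

DECISION_CONTROL = "DC"
POWERTRAIN_CONTROL = "PC"
DUPLEX_CONTROLLERS = {"A": ("A1", "A2"), "B": ("B1", "B2")}  # assumed lane names
TOLERANCE = 0.05  # assumed maximum deviation between lane outputs

FAIL_OPERATIONAL = "fail-operational"
FAIL_SAFE = "fail-safe"


@dataclass
class LaneReport:
    """What a lane's redundancy-management microcontroller reports each cycle."""
    alive: bool             # heartbeat from the lane's OS microcontroller
    torque_request: float   # constructed example state; any comparable value works


@dataclass
class SystemMatrix:
    """Single, well-defined source of data for the application processors."""
    lanes: dict = field(default_factory=dict)       # lane name -> LaneReport
    usable: set = field(default_factory=set)        # lanes that may carry a function
    pairs: list = field(default_factory=list)       # self-checking pairs (lane, lane)
    mode: str = FAIL_SAFE
    assignment: dict = field(default_factory=dict)  # function -> tuple of lanes


def lanes_agree(a: LaneReport, b: LaneReport, tol: float = TOLERANCE) -> bool:
    """Lane comparison performed by the redundancy-management OS."""
    return abs(a.torque_request - b.torque_request) <= tol


def update_matrix(reports: dict) -> SystemMatrix:
    """Compare lanes pairwise, withdraw faulty ones, re-pair, assign functions."""
    m = SystemMatrix(lanes=dict(reports))
    intact = []   # original duplex pairs that still self-check correctly
    loose = []    # alive lanes whose partner is dead
    for _ctrl, (x, y) in sorted(DUPLEX_CONTROLLERS.items()):
        rx, ry = reports[x], reports[y]
        if rx.alive and ry.alive:
            if lanes_agree(rx, ry):
                intact.append((x, y))
            # disagreement: the duplex goes fail-silent, both lanes are withdrawn
        else:
            loose.extend(lane for lane, r in ((x, rx), (y, ry)) if r.alive)

    # Assumed: spare lanes from different controllers may form a new duplex.
    loose.sort()
    repaired = [tuple(loose[i:i + 2]) for i in range(0, len(loose) - 1, 2)]
    spare = loose[len(repaired) * 2:]

    m.pairs = intact + repaired
    m.usable = {lane for pair in m.pairs for lane in pair} | set(spare)

    if m.pairs:
        # At least one self-checking pair: both functions keep running.
        m.mode = FAIL_OPERATIONAL
        for i, fn in enumerate((DECISION_CONTROL, POWERTRAIN_CONTROL)):
            m.assignment[fn] = m.pairs[i % len(m.pairs)]
    else:
        # No pair left: powertrain control only, without self-check, on the
        # single remaining lane (if any); the driver steers to a safe state.
        m.mode = FAIL_SAFE
        if spare:
            m.assignment[POWERTRAIN_CONTROL] = (spare[0],)
    return m


if __name__ == "__main__":
    ok, dead = LaneReport(True, 120.0), LaneReport(False, 0.0)
    for label, reports in (
        ("all lanes healthy", {"A1": ok, "A2": ok, "B1": ok, "B2": ok}),
        ("A1 and B2 dead", {"A1": dead, "A2": ok, "B1": ok, "B2": dead}),
        ("three lanes dead", {"A1": dead, "A2": dead, "B1": dead, "B2": ok}),
    ):
        m = update_matrix(reports)
        print(f"{label}: {m.mode}, pairs={m.pairs}, assignment={m.assignment}")
```

Two failures leave one pair (an intact duplex, or two loose lanes re-paired), so both functions keep a self-checking host and the vehicle stays fail-operational; a third failure leaves a single lane that cannot self-check, which is exactly the point at which the page hands powertrain control to the driver.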


