German-technology major Continental is adding a further safety level to its highly automated driving technology in the form of a specific electronics architecture. The company is using a Safety Domain Control Unit (SDCU) as a fallback path in automated driving.
In addition to a central control unit for automated driving – the Assisted and Automated Driving Control Unit – the company uses the SDCU as a fallback path in order to stop the vehicle safely, even in the event of a functional failure in the primary automation path. As such, it is systematically applying the principle of redundancy and diverse design that has already proven itself in the aviation sector. This translates to having one or more fallback paths for every central system, each independent of the others.
The company says since the SDCU also acts as the airbag control unit, its priority availability – including energy reserve and a crashproof installation location in the vehicle – is guaranteed.
The Safety Domain Control Unit adds a further safety level to highly automated driving.
With the additional fallback path of the SDCU, Continental will ensure that the vehicle can still be brought to a safe stop if the main automation functionality fails. It says the conventional safety-relevant systems currently in use have been designed with fail-safe in mind, which means that if the system malfunctions, safety is maintained by identifying the fault and taking the faulty system out of operation.
This approach is possible because the driver is still at hand as a fail-safe to brake and steer manually, if required. “It is precisely this fallback path that may not be available in highly automated vehicles, since the driver is allowed to focus on other things and cannot be requested, in a fraction of a second, to take control of the vehicle immediately after a possible failure,” said Maged Khalil, head of Advanced Systems Architecture Design at Systems and Technology in the Chassis and Safety division.
The company says that every highly automated vehicle must therefore be able to stop automatically in case of system issues; its level 4 vehicles, such as the Cruising Chauffeur, are capable of doing this. If, despite being requested, the driver does not take action, the car performs a minimum risk manoeuvre. The vehicle automatically drives to the breakdown lane and stops there. If there is no breakdown lane or if it is blocked, it stops in the lane with the hazard lights on, or it drives on, slowing down gently until it finds a suitable place where it can stop safely.
Continental states that if the driver is not available to take control of the vehicle, the system must switch over from a ‘fail-safe’ to a ‘fail-operational’ mode by maintaining functionality with a high degree of reliability in every case. “With the fallback path of a second independent control unit, which is also able to stop the car, a highly automated vehicle has a safety net,” continues Khalil. “If a fault occurs, this means the vehicle can still come to a safe stop even without any driver intervention. This element of trust is key to the acceptance of automated driving.”
Two paths – one goal: safe stop
Continental states that the vehicle must come to a safe stop if it detects an unsafe state in the system and the driving function cannot be maintained either by the primary automation path or by the driver. “The primary automation path must also be able to switch off without impairing safety,” said Bardo Peters, head of Innovation Management Occupant Safety and Inertial Sensors in the Passive Safety and Sensorics business unit. “Only by means of genuine redundancy can all possible failure scenarios be covered.” It says the SDCU is completely independent of the central control unit (such as the Assisted and Automated Driving Control Unit) and features an automation solution that has been designed specifically for the job of the minimum risk manoeuvre.
Both the central control unit and the SDCU monitor each other continuously with regard to availability and functionality. If just one path is no longer capable of controlling the vehicle or of performing the minimum risk manoeuvre safely, the other path initiates the safe stop in an emergency. “This permanent monitoring detects if a path is no longer available. For this reason, the other path would then perform the minimum risk manoeuvre in such situations,” added Dr. Lutz Kühnke, Head of Segment Occupant Safety and Inertial Sensors in the Passive Safety and Sensorics business unit.
The fallback path intervenes in accordance with a finely graduated degradation concept, depending on the severity of the problem detected. For self-monitoring as well as mutual monitoring of the paths, Continental says it uses innovative software functions such as effective fault management and intelligent monitoring of signal consistency.
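As an added illustration that is not Continental's code, the following Python model sketches the two-path supervision the article describes: mutual heartbeat and self-check monitoring with a small tolerance before a path is declared lost (the graduated degradation), driver takeover offered first, and the order of the minimum risk manoeuvre. All class and parameter names, the MAX_MISSED threshold and the safe_spot_ahead criterion are assumptions.

```python
from dataclasses import dataclass
from enum import Enum

class Action(Enum):
    CONTINUE = "both paths available, keep driving"
    DRIVER_TAKEOVER = "driver has taken control"
    STOP_BREAKDOWN_LANE = "stop in the breakdown lane"
    STOP_IN_LANE_HAZARDS = "stop in lane with hazard lights on"
    SLOW_TO_SAFE_SPOT = "drive on, slowing gently, until a safe spot is found"

@dataclass
class Path:
    """One control path (AD control unit or SDCU) as observed by its peer."""
    name: str
    heartbeat: int = 0          # incremented by the path each cycle it is alive
    self_check_ok: bool = True  # result of the path's own fault management

class Monitor:
    """Mutual monitoring; MAX_MISSED (assumed) tolerates one lost cycle before degrading."""
    MAX_MISSED = 2
    def __init__(self) -> None:
        self.last_seen: dict[str, int] = {}
        self.missed: dict[str, int] = {}

    def available(self, path: Path) -> bool:
        # A path is available only if its heartbeat advanced and its self-check passed.
        if path.heartbeat > self.last_seen.get(path.name, -1) and path.self_check_ok:
            self.last_seen[path.name] = path.heartbeat
            self.missed[path.name] = 0
            return True
        self.missed[path.name] = self.missed.get(path.name, 0) + 1
        return self.missed[path.name] < self.MAX_MISSED

def minimum_risk_manoeuvre(breakdown_lane_free: bool, safe_spot_ahead: bool) -> Action:
    # Order from the article: breakdown lane first, else stop in lane or crawl on to a
    # suitable place; the criterion choosing between the last two is assumed.
    if breakdown_lane_free:
        return Action.STOP_BREAKDOWN_LANE
    return Action.SLOW_TO_SAFE_SPOT if safe_spot_ahead else Action.STOP_IN_LANE_HAZARDS

def supervise(mon: Monitor, primary: Path, fallback: Path, driver_takes_over: bool = False,
              breakdown_lane_free: bool = True, safe_spot_ahead: bool = False) -> tuple[str, Action]:
    # Fail-operational: if either path is lost, the other stops the car (driver takeover offered first).
    primary_ok, fallback_ok = mon.available(primary), mon.available(fallback)
    if primary_ok and fallback_ok:
        return primary.name, Action.CONTINUE
    if driver_takes_over:
        return "driver", Action.DRIVER_TAKEOVER
    actor = fallback if not primary_ok else primary  # the surviving path performs it
    return actor.name, minimum_risk_manoeuvre(breakdown_lane_free, safe_spot_ahead)
```

Calling supervise once per cycle and advancing each path's heartbeat between calls shows the first missed cycle being tolerated and the second handing the manoeuvre to the surviving path.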