Energy and Supply Concepts for Automated Driving

Automated driving faces many challenges before its legal and actual deployment. The power distribution for the electrically powered functions is a key enabler for automated driving: it has to be fail-operational. Several diagnosis tasks, supply sources and switches at key positions have to be implemented to achieve fail-operational behaviour for the different levels of automation. This increases the complexity of the electronic circuitry of the switches. Concepts for the power distribution and the electronic circuitry of a semiconductor switch are shown.


I. INTRODUCTION
Many trends are disrupting the automotive industry. The standard combustion car will vanish in due time and only hybrids and electric cars will remain. While in the 1980s only a few electronically controlled units were in the car, there are up to 100 in today's vehicles. For all electrical, electronic and programmable electronic units, functional safety has to be ensured, which has been covered by the standard ISO 26262 since 2011. Automated driving will rely even more on this standard because all the sensors and computational units are electronic units. Their function is to drive humans safely to the place desired by the passenger. To achieve this goal, a lot of effort has to be invested in the electrical wiring, harness, switching and supply to achieve a highly reliable and fail-operational power supply for automated driving.

II. CHALLENGES
Cars have a safe state, which is the stopped car. This state can be reached easily by a sane human driver by braking. In most passenger cars up to now the brakes are hydraulic, with two independent hydraulic circuits. In addition, a third separate braking system is available, the electric parking brake or emergency brake. More than two failures have to occur to lose control of the braking.
In automated driving, the human driver may not interact with the system at all. Whether the human is asleep, not trained or not present at all, the electric/electronic system must be available. A failing part should be fail-silent while the overall system has to be redundant and keep working. ISO 26262 gives guidance on how seldom failures leading to the loss of functions should be [1], [2]. The most stringent level of this standard has to be applied to the automated driving function.
The driving task includes steering, braking, accelerating, sensing, fusion and control. The first three actions have already been partly shifted to electronic systems. Steering still has a mechanical connection as a backup if the electronic part fails. Braking has its three independent systems, and accelerating is not safety relevant in this case. The latter three parts have been and will be integrated in newer cars to assist the human and even replace them at the highest level of autonomy. Changes will be made to the steering because a turning steering wheel in automated mode is not acceptable. Unintended braking should be prevented too. Therefore, both systems will change to a by-wire system, such that unwanted input by the human is ignored.
Both by-wire systems are highly redundant as described in [3] and [4], such that these systems can operate within their defined specifications. Fail-operational safety systems are required for automated driving. For the electric energy supply the following points have to be considered.
Stopping a car from 100 km/h down to 0 km/h takes about 4 seconds under perfect conditions. Depending on the tire condition, road surface and condition and other factors this time can easily be extended. However, this time must be covered by an additional supply at least if the primary supply fails during automated driving. Because the human does not have to watch the system in automated mode at all times, they may do other tasks. For this reason a considerable time should be reserved for the human to take over. Depending on the side task this take-over time is between 15 seconds and 15 minutes. Studies have shown that people who have just woken up require some time to operate at their best [5], [6].
In any electrical fault of the automated system certain loads still have to be supplied to stop the car safely. To achieve this, the vehicle control unit, the brakes and the steering system as well as the sensors have to be supplied. Additional features such as lights to warn other traffic participants and the infotainment to display the error could be supplied. Lastly, the engine and gearbox management should be supplied in non-emergency cases, especially at SAE Level 4 and 5, because a stopped car in the wrong place can be hazardous. The mentioned loads have been put together in Table I with their average and peak power. Their consumptions have been taken from [3], [7] and [8], and from estimations of current technologies, trends and discussions. From equations 1 and 2 it can be seen that a respectable amount of stored energy (eq. 3) should be available. This energy consumption is even higher during normal operation.
As stated above, in due time there will be mostly hybrid and electric cars on the road. High voltage systems must be electrically isolated from the standard board net. Applying functional safety to the high voltage supply imposes many more problems. Therefore, this supply will not be used for the fail-operational power supply. This includes the current trend of 48 V and does affect the generation of electricity. In 48 V and high-voltage hybrids the alternator will be shifted to the higher voltage level due to efficiency and required power.

III. POSSIBLE CONCEPTS
For L3 a secondary battery should be sufficient. The reliability can be calculated by equation 4, with n parallel elements and R_i = exp(-λ_i t).
The current assumption is to stop the car safely within 30 seconds (15 s ToR + 15 s braking). While the failure-in-time (FIT) rate is considered to be 10 (= 1 failure in 10^8 hours / ASIL D) for the function, it can be assumed that if one battery fails the secondary battery will keep working for these 30 seconds. The human can take over and may be able to drive to a safe place. However, considerations towards X-by-wire should be made. If one supply fails, the system relies on only one supply at L3. The probability that the second supply will fail is still given. Even if a human is driving, they may not be able to steer and brake anymore. A hydraulic or mechanical system as a backup level would still make sense at this level, or more redundant supplies should be used. Driving for a long time is not suggested if only one power supply is present. The chance of a fault in the secondary power supply within the 30 s is very low; as seen in equation 4, n is reduced by 1. For an ASIL D function (e.g. emergency brake) the probability must not fall below the single-point fault metric of 99% and the latent fault metric of 90% [2].
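The reliability arithmetic of this section, worked through as an added example in Python that is not part of the paper: the standard 1-out-of-n parallel formula R = 1 - ∏(1 - R_i) with R_i = exp(-λ_i t) is assumed to be the form of the paper's equation 4, whose body is not reproduced above; applying the 10 FIT figure to each battery, the 30 s stop window and the one-hour "driving on" case are assumptions made for illustration. The 60 FIT per power MOSFET used for the series case is the figure the paper quotes in Section IV.

```python
import math
from typing import Sequence

HOURS_PER_SECOND = 1.0 / 3600.0


def fit_to_lambda(fit: float) -> float:
    """FIT = failures per 1e9 device-hours, so 10 FIT = 1 failure in 1e8 hours."""
    return fit * 1e-9


def element_reliability(fit: float, mission_hours: float) -> float:
    """R_i = exp(-lambda_i * t) for a constant failure rate lambda_i."""
    return math.exp(-fit_to_lambda(fit) * mission_hours)


def element_unreliability(fit: float, mission_hours: float) -> float:
    """1 - R_i, computed with expm1 so that tiny values keep their precision."""
    return -math.expm1(-fit_to_lambda(fit) * mission_hours)


def parallel_unreliability(fits: Sequence[float], mission_hours: float) -> float:
    """1-out-of-n redundancy (assumed form of the paper's equation 4): the supply is lost
    only if every one of the n parallel elements fails, i.e. Q = prod(1 - R_i)."""
    q = 1.0
    for fit in fits:
        q *= element_unreliability(fit, mission_hours)
    return q


def parallel_reliability(fits: Sequence[float], mission_hours: float) -> float:
    """R = 1 - prod(1 - R_i); rounds to exactly 1.0 once Q is below double precision."""
    return 1.0 - parallel_unreliability(fits, mission_hours)


def series_reliability(fits: Sequence[float], mission_hours: float) -> float:
    """All elements must work, e.g. the two back-to-back MOSFETs of one switch for the
    'keep closed' function: R = prod(R_i)."""
    r = 1.0
    for fit in fits:
        r *= element_reliability(fit, mission_hours)
    return r


def supply_loss_scenarios(battery_fit: float = 10.0, stop_seconds: float = 30.0) -> dict:
    """Probability of losing the whole supply within the stop window for n intact batteries,
    and for the degraded L3 case (n reduced by 1) when the car keeps driving for an hour."""
    t = stop_seconds * HOURS_PER_SECOND
    return {
        "one_battery_30s": parallel_unreliability([battery_fit], t),
        "two_batteries_30s": parallel_unreliability([battery_fit] * 2, t),
        "three_batteries_30s": parallel_unreliability([battery_fit] * 3, t),
        # one battery already lost, driving on for an hour on the remaining one
        "one_battery_1h": parallel_unreliability([battery_fit], 1.0),
    }


if __name__ == "__main__":
    for name, q in supply_loss_scenarios().items():
        print(f"{name:>20}: Q = {q:.3e}")
    # anti-serial pair (two devices in series) over one hour, 60 FIT each
    print("anti-serial pair, keep-closed, 1 h: Q =",
          f"{1 - series_reliability([60.0, 60.0], 1.0):.3e}")
```

The degraded case is the point of the text: one battery over 30 s is already in the 1e-10 range, a second parallel battery drives that to about 1e-20, but continuing to drive for an hour on the single remaining supply brings the figure back up to 1e-8, which is why a long drive on one supply is discouraged.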
In contrast, at L4 and L5 the human may not take over. Driving to a safe spot requires a redundant/fail-operational supply for the actuators and the VCU. Therefore, if the driver does not respond and one battery fails, at least two remaining supply sources must be working. As mentioned before, the alternator may not deliver power due to its connection to the shut-down combustion engine. Furthermore, the 48 V supply source of mild hybrids and the high voltage battery pack may not be used for safety applications because they are disconnected at failure. If the 48 V supply system were used in fail-operational applications, this would infringe the safety standard for L4 and L5 because the 48 V system may be shut down at any time. It may be used for L3, because the human driver can take over fast, but it would be an intermediate solution on the way to L4 and L5. Using the existing topology for the power distribution of cars with SAE level 2, the board net can be expanded by a secondary wiring to the safety critical automated driving (AD) applications for L3 (Figure 1). A switch between the two paths to the fail-operational applications (FOA) is mandatory; the DCDC is optional. Otherwise any short circuit would pull down all loads within the system such that they no longer work. The supply concept would be "single" supplied because of their static connection. While closing the switch is not that stringent, opening it is safety critical. Li-Ion batteries are monitored by a BMS, and if one is losing power, the partial automation of L3 will not be enabled. The BMS itself should have detection for cell breakdown and a disconnection possibility. A simple diode is not sufficient for this purpose, because otherwise the battery cannot be charged. A bidirectional switch is required for this (marked yellow in figures 1-6), but these are not mandatory. All loads can still be working and the redundant supply path is still kept at any failure of the battery. Another benefit is the protection of the battery against rapid discharge in case of a short circuit in the wiring and other misuse. The green switches (figures 1-6) are mandatory to have a fail-operational power supply.
Including the trend of the 48 V mild hybrid, the supply concept becomes more complex (Figure 2). A DCDC to recharge the 12 V batteries is required. This DCDC will have a safety switch such that any short circuit from 48 V to 12 V can be avoided. The switch to disconnect the redundant paths is still required. For any failure in the 48 V net, the battery has to be disconnected, even if the 48 V battery is fully operational.
Both architectures (Figure 1 and Figure 2) will meet the safety requirements for L3. At a short circuit or failure of any battery or wire harness path, the vehicle control unit has the possibility to decelerate and safely stop the car. These architectures cannot be used for L4 and L5 because the duration of the TOR is much longer or not given at all (L5). Driving automated and relying only on a single 12 V backup supply is hazardous. For a failure in the non-relevant path, a switch can be used to throw these loads off (Figure 3). Usually more failures occur in this region. For L4 and L5 a triple supply source improves the reliability (equation 4) such that the vehicle can drive safely to a nearby parking place at any incident in the supply system. Precise detection, identification and localization of the failure is required in any case.
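A single-fault check of the supply concepts described for Figures 1 and 3, as an added Python example that is not part of the paper: the topologies are constructed from the text's description (two 12 V supply paths with green switches to the fail-operational applications, a charging connection between the paths, and a third supply for L4/L5), not from the figures themselves, and the acceptance rule (at least one remaining source for L3, at least two for L4/L5) is taken from the paragraphs above. A short is modelled as pulling down its own net plus every net hard-wired to it, with the green switches bordering the shorted net opened.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Link:
    """Connection between two nets. switch=True models a green protective switch that is
    opened when a short is detected on either side; switch=False is plain wiring."""
    a: str
    b: str
    switch: bool = True


@dataclass
class Topology:
    sources: Dict[str, str]                 # battery name -> net it is attached to
    loads: Dict[str, str]                   # load name -> net it is attached to
    links: List[Link] = field(default_factory=list)

    def nets(self) -> Set[str]:
        return (set(self.sources.values()) | set(self.loads.values())
                | {n for l in self.links for n in (l.a, l.b)})


def _dead_nets(topo: Topology, shorted: Tuple[str, ...]) -> Set[str]:
    """A short pulls down its own net and every net hard-wired to it (no switch in between)."""
    dead, queue = set(shorted), deque(shorted)
    while queue:
        net = queue.popleft()
        for l in topo.links:
            if l.switch or net not in (l.a, l.b):
                continue
            other = l.b if l.a == net else l.a
            if other not in dead:
                dead.add(other)
                queue.append(other)
    return dead


def supplying_sources(topo: Topology, load: str, failed_batteries: Tuple[str, ...] = (),
                      shorted_nets: Tuple[str, ...] = ()) -> Set[str]:
    """Healthy batteries that still reach `load` once the switches towards dead nets are open."""
    dead = _dead_nets(topo, shorted_nets)
    start = topo.loads[load]
    if start in dead:
        return set()
    seen, queue = {start}, deque([start])
    while queue:
        net = queue.popleft()
        for l in topo.links:
            if net not in (l.a, l.b):
                continue
            other = l.b if l.a == net else l.a
            if other in dead or other in seen:      # switch opened towards the shorted net
                continue
            seen.add(other)
            queue.append(other)
    return {b for b, net in topo.sources.items() if net in seen and b not in failed_batteries}


def worst_single_fault(topo: Topology, load: str) -> int:
    """Minimum number of sources still feeding `load` under any single battery failure or any
    short on a supply-side net (a short inside the application's own net is outside the
    supply concept's scope)."""
    worst = len(supplying_sources(topo, load))
    for battery in topo.sources:
        worst = min(worst, len(supplying_sources(topo, load, failed_batteries=(battery,))))
    for net in topo.nets() - {topo.loads[load]}:
        worst = min(worst, len(supplying_sources(topo, load, shorted_nets=(net,))))
    return worst


def meets_level(topo: Topology, load: str, level: str) -> bool:
    """L3: one remaining source is enough (the human takes over); L4/L5: at least two."""
    needed = {"L3": 1, "L4": 2, "L5": 2}[level]
    return worst_single_fault(topo, load) >= needed


def l3_dual_supply(green_switches: bool = True) -> Topology:
    """Constructed L3 concept: standard loads and B1 on the main net, B2 on the redundant
    path, FOA fed from both paths. green_switches=False replaces the feeds by plain wires."""
    return Topology(
        sources={"B1": "main", "B2": "redundant"},
        loads={"standard": "main", "FOA": "foa"},
        links=[Link("main", "redundant"),                    # charging path between supplies
               Link("main", "foa", green_switches),
               Link("redundant", "foa", green_switches)])


def l4_triple_supply() -> Topology:
    """Constructed L4/L5 concept: a third battery on its own switched path to the FOA."""
    topo = l3_dual_supply()
    topo.sources["B3"] = "redundant2"
    topo.links.append(Link("redundant2", "foa"))
    return topo


if __name__ == "__main__":
    for name, topo in [("L3 dual, green switches", l3_dual_supply()),
                       ("L3 dual, hard-wired feeds", l3_dual_supply(green_switches=False)),
                       ("L4/L5 triple", l4_triple_supply())]:
        print(f"{name:>28}: worst single fault leaves {worst_single_fault(topo, 'FOA')} source(s)")
```

Removing the green switches reproduces the text's warning: a short on either path then pulls the FOA net down with it and no source is left, whereas with the switches the dual concept keeps one source (enough for L3) and the triple concept keeps two (the L4/L5 requirement).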
This L4/L5 concept can still be optimized regarding relia-

[Figure: switch symbols and a "No AD Loads" label; caption not recovered]

This DCDC has to have a high power rating because of the high power demand of all 12 V loads. Including the AD loads this adds up to at least 3.5 kW. Since during automated driving the passengers are going to use other electronic equipment, the power demand is higher. This architecture can be improved by using a second DCDC. Two 12 V zones are possible (e.g. one in the back and one in the front). The load on the single DCDC decreases and the overall system becomes more efficient and robust. The power can be transmitted via the 48 V line to the 12 V zone. The connection between the two 12 V zones is made with two disconnection switches in series. If one switch breaks down, another is required to disconnect. If the secondary switch is not present, redundancy of the paths to the fail-operational applications is not given. The connection inside the "High Availability" area allows the system to charge the redundant path at a failure in the non-relevant load path (Figure 5). Furthermore, the shut-off function of a DCDC can easily be modified by the green switch to reach ASIL D. Optimizing the power transfer function for the same level is more complex. The dual DCDC supply concept is feasible, but the DCDCs will in that case be quite large. Miniaturization is difficult for a system with a power conversion of at least 3.5 kW. Even at an efficiency of 97% such a system dissipates 100 W. Highly efficient semiconductors, microcontrollers and an optimized control strategy are required to operate this system. A compromise between miniaturization, efficiency, safety and reliability would be a backbone structure as proposed in [9]. This is a far more radical approach to the energy supply in vehicles. In [10] the backbone was evaluated with just two batteries; for automated driving this is not sufficient. Multiple batteries may reduce the voltage drops and stabilize the overall system. A zonal architecture is easily possible with a high redundancy of the overall system. Many failures have to occur before automated driving is no longer possible in degraded mode. The DCDCs could be optimized for the region they are supplying, thereby increasing efficiency. In Figure 6 such a backbone structure with three safety zones is shown. The batteries used may be small, with enough energy for the AD relevant loads for the safety goal. The DCDCs include the safety switch from the other supply concepts, thereby reducing the functional safety effort for a complex multiphase DCDC.

IV. REQUIRED SWITCHES
In the previous concepts different switches have been marked. These switches have different functions, such as disconnecting at various faults or staying closed, withstanding voltages from both directions or preventing overcurrents. For the latter, standard fuses have been used until now. In an automated vehicle, opening at overload, as a melting fuse would do, is not safe under all circumstances. A relay can stay closed but has some disadvantages compared to semiconductors like the MOSFET. Relays are bigger and require more power than MOSFETs. Even worse, they are affected by acceleration in any direction and their reaction time is slower, resulting in a missing or difficult failure mode diagnosis. On the other hand, MOSFETs have an integrated diode, which is reverse conducting because of their physical structure. Two MOSFETs are required back to back (Figure 7) so that the diode is not conducting when the switch should be open. If the switch is powered through a failing battery it will disconnect automatically once the threshold voltage is no longer reached. In any other case the "switch open" function can be classified at a higher ASIL level to ensure the redundancy of the fail-operational power supply. Conversely, the switch has to open at a fault so that the voltage at the fail-operational application does not drop below the limit. Because there is a redundant supply path, the safety function for "switch close" can be classified as ASIL A or lower. The BMS will always be able to inform about low charge of the battery. Automated driving will be limited by the stored capacity, and safety is given. Switches drawn next to the DCDC ensure that there will never be a short circuit from a higher voltage to 12 V, which is safety critical. Making a whole multiphase DCDC available for a high ASIL level is nearly impossible; using the switching function of an additional component is feasible. Lastly, the switches between the redundant paths have to open under fault such that a failing redundant path is not interfering with the functional one. The connection could be left out, but then charging of the battery might not be possible anymore, which would limit the range of AD at failure. Therefore, the switches connecting the redundant supply paths have to perform with high reliability. A single power MOSFET has a FIT rate of 60 if the SN29500 [11] A stuck-closed MOSFET is problematic, but it is only related to overstress of the device. To detect this fault the electric circuitry has to perform additional diagnosis tasks. Those tasks are measuring key parameters of the MOSFET such as the drain-source voltage (V_DS), the gate voltage (V_GS), the gate current (I_G), the drain current (I_D) and the case temperature (T_C). The latter two parameters are necessary for the control loop to avoid overstress of the device and stay below the maximum ratings. One potential and very critical failure mode of MOSFETs is the drain-source short. In most cases this defect is triggered by electrical overstress and leads to total destruction of the MOSFET cell structure. This means that besides the drain-source path the gate-source path is also destroyed, and high gate currents are the consequence. Therefore either the gate currents or the capacitances have to be measured in the application, or the parameters defining these (V_GS and I_G) have to be tracked. Furthermore, the circuitry for the switch itself has to take care of transient overloads so that the switch and the driver cannot be overstressed, which would lead to a drain-source short. Maximum ratings should be kept, which is where I_D and T_C come into play. Usually, R_DS(on) increases with higher temperature and I_D decreases. Still, high temperatures damage the transistor. Exceeding the limits must be avoided and the switch has to be turned off in case the cooling is no longer sufficient. An error signal should be sent to the vehicle control unit.
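The diagnosis tasks just listed, turned into a worked example in Python that is added here and is not part of the paper: the limit values, the linear current derating and the classification thresholds are constructed for illustration and come neither from the paper nor from any datasheet; the measured quantities are the five the text names (V_DS, V_GS, I_G, I_D, T_C), the failure classes are the ones the text and Figure 7 describe (stuck open, stuck closed with a destroyed gate-source path, overstress), and the anti-serial pair rule follows from the body diode argument above.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Limits:
    """Constructed limits for an illustrative 12 V power MOSFET (not the paper's values)."""
    v_gs_on: float = 8.0            # gate is fully enhanced above this [V]
    v_ds_on_max: float = 0.2        # V_DS expected while conducting [V]
    v_ds_blocking_min: float = 1.0  # V_DS seen across a device that really blocks [V]
    i_d_idle: float = 0.5           # below this the drain current counts as zero [A]
    i_d_max: float = 80.0           # continuous drain current rating at 25 C [A]
    t_c_max: float = 125.0          # case temperature limit [C]
    i_g_static_max: float = 1e-4    # static gate current above this: gate oxide destroyed [A]


@dataclass(frozen=True)
class Sample:
    """One set of readings from the diagnosis pins of the anti-serial switch (Figure 7)."""
    commanded_closed: bool
    v_ds: float
    v_gs: float
    i_g: float
    i_d: float
    t_c: float


def derated_i_d_max(t_c: float, lim: Limits = Limits()) -> float:
    """Simplified linear derating (an assumption, not a datasheet curve): the allowed I_D falls
    from the 25 C rating to zero at T_C max, reflecting that R_DS(on) rises with temperature."""
    if t_c <= 25.0:
        return lim.i_d_max
    if t_c >= lim.t_c_max:
        return 0.0
    return lim.i_d_max * (lim.t_c_max - t_c) / (lim.t_c_max - 25.0)


def diagnose(s: Sample, lim: Limits = Limits()) -> str:
    """Classify one sample as 'ok', 'gate_damaged', 'overstress', 'stuck_closed' or 'stuck_open'."""
    # A destroyed gate-source path shows as static gate current far above leakage; it
    # accompanies the drain-source short the text describes, so it is checked first.
    if abs(s.i_g) > lim.i_g_static_max:
        return "gate_damaged"
    # Outside the maximum ratings: the control loop must turn the device off before it shorts.
    if s.t_c > lim.t_c_max or abs(s.i_d) > derated_i_d_max(s.t_c, lim):
        return "overstress"
    conducting = abs(s.v_ds) < lim.v_ds_on_max and abs(s.i_d) > lim.i_d_idle
    blocking = abs(s.v_ds) > lim.v_ds_blocking_min and abs(s.i_d) <= lim.i_d_idle
    if not s.commanded_closed and conducting:
        return "stuck_closed"   # drain-source short: the safety-critical failure mode
    if s.commanded_closed and s.v_gs >= lim.v_gs_on and blocking:
        return "stuck_open"     # e.g. bond wire lift-off: not safety critical, reduces redundancy
    return "ok"


def switch_action(diag: str, commanded_closed: bool) -> Tuple[bool, bool]:
    """Map a diagnosis to (gate drive on, error signal to the vehicle control unit).
    Anything but 'ok' removes the gate drive and reports, so the VCU can re-plan redundancy."""
    if diag == "ok":
        return commanded_closed, False
    return False, True


def pair_can_block(diag_a: str, diag_b: str) -> bool:
    """An anti-serial pair blocks in both directions only while neither device is shorted:
    a shorted MOSFET leaves just its partner's body diode, which conducts one way."""
    shorted = {"stuck_closed", "gate_damaged"}
    return diag_a not in shorted and diag_b not in shorted


# Constructed readings, one per failure class (not measurements from the paper).
CONSTRUCTED_SAMPLES: Dict[str, Sample] = {
    "closed_ok":    Sample(True,  0.05, 10.0, 1e-6, 20.0, 60.0),
    "open_ok":      Sample(False, 12.5, 0.0,  1e-7, 0.0,  40.0),
    "stuck_closed": Sample(False, 0.02, 0.0,  1e-7, 15.0, 70.0),
    "stuck_open":   Sample(True,  12.0, 10.0, 1e-6, 0.0,  40.0),
    "overcurrent":  Sample(True,  0.30, 10.0, 1e-6, 95.0, 50.0),
    "too_hot":      Sample(True,  0.08, 10.0, 1e-6, 30.0, 110.0),
    "gate_damaged": Sample(False, 0.01, 0.5,  0.05, 20.0, 110.0),
}


def run_all() -> Dict[str, str]:
    """Diagnose every constructed sample; returns {sample name: class}."""
    return {name: diagnose(s) for name, s in CONSTRUCTED_SAMPLES.items()}


if __name__ == "__main__":
    for name, diag in run_all().items():
        gate, err = switch_action(diag, CONSTRUCTED_SAMPLES[name].commanded_closed)
        print(f"{name:>13}: {diag:<13} gate_drive={gate!s:<5} error_to_vcu={err}")
```

The "too_hot" reading is the case the text singles out: 30 A would be fine at 25 C, but with the derated limit at 110 C it already counts as overstress, so the switch is turned off and the VCU is informed while the device is still intact, rather than after it has shorted.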

V. CONCLUSION AND OUTLOOK
Automated driving is pushing manufacturers and Tier 1 suppliers to their limits in terms of perception, sensor fusion and decision making. Even more, automated driving is disruptive for the core functions of the car. AD relevant loads and functions have to be supplied at all times while others might be thrown off to reach the safety goals. A fail-operational power supply is mandatory and difficult to reach. The concepts shown can overcome these obstacles. The necessity of more than two independent supply sources has been explained for L4 and L5. With future trends in mind, there will easily be up to four supply sources in the vehicle. Connecting them could be done by standard relays, but they have some drawbacks in comparison to semiconductors. A possible solution for a fault-tolerant semiconductor switch has been discussed. Whether it comes into play is a decision for standards bodies and manufacturers. The number of electronic systems in the future vehicle will rise. Safety assessment and reliability will become harder to reach. How to organize the sub-distribution for the specific applications is currently under research.

Fig. 7. Anti-serial MOSFET switch with additional diagnosis pins (yellow); the safety function is: open if needed. To lower the FIT rate for AD, failure mode diagnosis is needed. MOSFETs can have two failure modes: either stuck open or stuck closed. Unintended conduction due to acceleration (as with relays) is not possible for semiconductors. There are various failure mechanisms which can lead to either stuck open or stuck closed. Examples of MOSFET failures are: bond wire lift-off, faulty solder joint, foreign particles inside the package, the MOSFET blowing or shorting due to overstress, and others. While foreign particles are the only mechanism which does not change over time, the other failure mechanisms do change due to aging and usage. A stuck-open MOSFET is not safety critical while a stuck-closed MOSFET is. If the switch is open the car has to act according to the resulting redundancy and energy supply.