【China Commercial Vehicle Forum】Su Xiannian: Brake-by-wire redundancy design based on integrated chassis

Author: Zhuozhong Commercial Vehicles

From March 26 to 28, 2024, the 2024 China Commercial Vehicle Forum was held in Shiyan City, Hubei Province. Hosted by the China Association of Automobile Manufacturers under the theme "New Pace, New Results, New Improvement, Helping the High-quality Development of the Commercial Vehicle Industry", the forum addressed the industry's high-quality development requirements, the national "double carbon" goal, and the automobile industry's need for transformation and innovation. On the morning of March 28, at "Theme Forum II: Intelligent Network Technology Empowerment and Accelerating the Development of the Commercial Vehicle Industry", Su Xiannian, a first-class expert of Dongfeng Motor Group Co., Ltd., delivered a speech. The following is a transcript of the speech:

Hello everyone, the topic of my speech today is: Brake-by-wire redundancy design based on integrated chassis.

There are three aspects, the first is the background introduction.

This is the skateboard chassis that we developed in the first two years of Dongfeng Co., Ltd., and this skateboard chassis can be equipped with buses or trucks. The physical picture on the left is a display of our display on many occasions in China. High-level automatic driving, the redundant design of the brake-by-wire chassis is the premise, we normally have no problem in perception, planning, and decision-making, but if we are in a certain failure situation, at this time we have redundant sensors and brake-by-wire redundancy, and the steering redundancy of the brake-by-wire to minimize the safety risk of our vehicle.

This is our communication, usually our human-computer interaction, guidance, decision-making, this is determined by the upper layer, we solve the control part, the information delivery between the actuators, I want to accept the autonomous driving domain controller, or there is a driver in the case of the command can respond, agree can send a torque request to the power system.

This is our lateral execution, four indicators, that is, steering angle jump, low-speed return to normal, steering angle pulse, and most importantly, steady-state rotation characteristics, to judge whether the vehicle is understeered, neutral steering or transition steering.

This is the longitudinal execution, and the longitudinal execution is mainly in acceleration control and deceleration control, that is, we usually say that we have to control the amount of throttle and brake. We often build longitudinal models and do a lot of test calibration, which can actually equate deceleration control with acceleration control. So the acceleration and deceleration control accuracy is actually reflected in the stability and accuracy of the vehicle speed control, generally our acceleration and deceleration accuracy is controlled at 0.01g.

This is the redundant structure of our wire-controlled chassis, is in the case of skateboarding, our car chassis and the body are separated, our pedals and chassis have been physically separated, at this time how to solve our redundancy? According to the regulations, this car must have both electronic redundancy and mechanical redundancy, at this time, two sensors are added to the brake pedal simulator, one is an angular displacement sensor, and one is a force sensor to solve its mechanical redundancy.

This is an overall redundancy scheme for our brake-by-wire, for the controller and actuator, the redundancy design must be carried out, and we are also based on the hierarchical structure as the architecture to ensure the ability to resist potential risks in the process of signal acquisition, signal processing and execution. Our system, our algorithm, if in the face of abnormal situations, in the face of noise, this anti-interference ability is the key to the survival of our BBW system, so we must do redundancy to do it more securely.

For the selection of the driver and the control mode, we judge what kind of braking control strategy should be used by receiving analog signals, switching signals and pulse signals to determine what kind of braking control strategy should be used in my car, whether it is wire control, active safety or energy recovery, usually by monitoring our power module, communication module, and finally monitoring which level of fault the car braking should be, we make a judgment. This is the correspondence of our ASIL, the automotive integrity level, we have A, B, C, D, a total of four levels, D level is the most serious. Usually the brakes are locked, the system cannot build pressure, these are the most serious, it is impossible to accept, we define it as D. Usually we have a lengthy time of 1 second.

This is a redundancy of our wire-controlled dynamic components, our component redundancy should emphasize the separation of strong and weak electricity, this is relative, it is 12 volts and 5 volts, and the power chip controls the logic circuit on the left and the motor drive circuit on the right. The motor drive circuit burnout does not affect the logic circuit on the left, so in the event of a failure, I can send the logic information to proceed to the next step of fault resolution. This is a strong electric voltage, current monitoring, voltage has a power chip monitoring, what to do with the current? Through the PID closed-loop control method one of the integral ∫ methods to adjust and stabilize the output of the system, judge whether the temperature of my controller has risen to the limit I want, if not, OK, my motor runs automatically, if there is a problem, this is sorry, to limit the current. The current limit should be accompanied by a fault alarm.

This is the redundancy of the pressure sensor, if the sensor fails or the signal is limited, at this time it really cannot reflect our real physical quantity value, this time to ensure redundancy and safety, we have the main control and auxiliary chip, through the comparison to determine the fault state, if I collect my analog signal it did not collect, at this time I will time it 5 milliseconds, and then at this time the fault has not disappeared, I will use the auxiliary chip instead, at the same time I generate a fault code for it, and send alarm information, if it is normal, follow the normal procedure on it.

This is the redundancy of the displacement sensor, the same failure cannot feedback the real physical quantity value, the displacement sensor is a double signal feedback, the same sensor has two loops, each other is redundant signal, so at this time itself can also ensure redundancy safety. Similarly, if we can't collect the pulse width modulation signal in the main control chip, the timing is 10 milliseconds, and the fault does not disappear, and we want to analyze it as the two loops have equal acquisition values, we will generate a fault code and send an alarm message.

This is our decision-making module, and the decision-making module is our master controller and auxiliary controller, usually the master controller is working, and the auxiliary controller is not involved in the work. When the main controller fails, my auxiliary controller takes over, and the software of the auxiliary controller is the same as that of the main controller.

This is a redundancy of the execution layer, mainly the hydraulic double circuit, for example, our circuit 1, the front circuit, the rear circuit, any circuit fails, the other circuit can take over, and we have a pressure sensor in each circuit to detect the status of the hydraulic circuit.

This is the design of the double winding of the motor, which is mainly a regulation of the pump volume of the hydraulic pump and the control of the motor speed. The motor we use is a series closed-loop control of speed loop + current loop, which is output through the signal, so that we have a position detection calculation on the top road, a position detection calculation on the bottom, and a fault on the other side can be taken over as a backup.

This is our mechanical backup, to prevent the circuit failure after pedaling, the schematic diagram is slightly similar to the front, mainly after the hydraulic pump of the brake pedal is pressed into the normally closed valve, to provide a more comfortable pedal feeling. If the system fails, the normally closed valve isolates the low-pressure accumulator from the master cylinder, and at this time sends a signal, and the amount of liquid pumped out is stepped on and directly flows into the wheel cylinder, which can be used as a mechanical backup. Through the above, in fact, we have done several levels of safety redundancy design, we are to ensure the safety of autonomous vehicles, wire-controlled chassis braking, divided into four levels, each level can solve the difficulties.

The first level, which must be met by the regulations, is completely powered off, and the deceleration of 0.25g can be met through mechanical devices. In the second stage, the electronic power assist system loses the ability to assist braking, and the ESC actively brakes, which can achieve a deceleration of 0.4g.

In the third stage, the braking ability of the electronic power assist system has some decline, but it can achieve deceleration, and there can be a certain residual braking efficiency at this time.

Fourth, the failure that does not affect the braking function will be alarmed and repaired.

Thank you.

(Note: This article is based on on-site shorthand and has not been reviewed by the speaker)

Source: China Commercial Vehicle Forum
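
The pressure-sensor failover described in the speech (the main chip fails to acquire the signal, the fault is timed for 5 milliseconds, then the auxiliary chip is used and a fault code and alarm are raised), as an added C example that is not from the speaker or from Dongfeng. The 1 ms tick, the fault-code value, holding the last good reading during the confirmation window and latching the failover are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

#define DEBOUNCE_MS 5u              /* confirmation time quoted in the speech */
#define DTC_PRESSURE_MAIN 0x0001u   /* hypothetical fault code */

typedef enum { SRC_MAIN, SRC_AUX } source_t;

typedef struct {
    source_t source;      /* chip whose reading is currently used */
    uint32_t fault_ms;    /* consecutive ms the main acquisition has failed */
    int32_t  last_good;   /* last valid main reading, held during confirmation */
    uint16_t dtc;         /* latched fault code, 0 = none */
    bool     alarm;       /* alarm message pending for the bus */
} pressure_monitor_t;

/* Call once per 1 ms tick (assumed task period). main_ok is false when the
 * main chip did not acquire the analog signal. Returns the pressure to act on. */
int32_t pressure_step(pressure_monitor_t *m, bool main_ok,
                      int32_t main_kpa, int32_t aux_kpa)
{
    if (m->source == SRC_AUX)       /* assumption: failover latches until service */
        return aux_kpa;
    if (main_ok) {                  /* transient cleared: restart the timer */
        m->fault_ms = 0;
        m->last_good = main_kpa;
        return main_kpa;
    }
    if (++m->fault_ms < DEBOUNCE_MS)
        return m->last_good;        /* assumption: hold last good value */
    m->source = SRC_AUX;            /* fault confirmed: auxiliary chip takes over */
    m->dtc = DTC_PRESSURE_MAIN;     /* generate the fault code */
    m->alarm = true;                /* and request the alarm message */
    return aux_kpa;
}
```

A dropout shorter than the confirmation time leaves the main chip in control and raises no fault code; only a fault that persists for the full 5 ms triggers the switch.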
