VDA450：满足自动驾驶系统与线控系统的整车电网功能安全设计指南

VDA 450特别针对满足SAE J3016:2021中定义的level 3–Level 5级别的自动驾驶系统对冗余供电网络的功能安全要求展开设计建议与指导；同时，该建议也适用于的完全线控系统（如线控制动，线控转向），完全线控系统在取消了机械（或液压或气压）备份的同时对供电网络提出了冗余要求。另外，该指南中提到的一些要点对Level 3以下的智能驾驶系统的供电网络的设计也是有参考性的。

图片来自VDA 450

3、关键术语说明

除了ISO 26262中定义的术语外，VDA 450中补充了对组成供电网络的部件的定义。此处做一个筛选性的摘抄与解释，方便理解文章后面的内容。

• AQ: Active Source (e.g. DCDC converter). 主动源如DCDC。

• PQ: Passive Source (e.g. battery). 被动源如12v蓄电池。

• PTV: Passive separating and connecting Elements (e.g. fuses). 被动分离和连接元件

• EBN: Energiebordnetz - Electrical Power Supply System - The Electrical Power Supply System comprises the storage, conversion and distribution of the electricity in the vehicle to the loads (e.g. ECUs, sensors, actuators) and the isolation / separation of faulty Elements from the rest of the EBN. The power interface of the consumers constitutes the limits of the EBN. The loads are therefore not part of the EBN but place certain requirements on the EBN within the scope of the Conditions of Use (e.g. energy, power). 供电系统，包含电力的存储，转换与分配到负载（如ECU, 传感器，执行器等），同时具备切断以避免故障元件对供电系统上其他元件的能力。

• EBN Channel: Electrical power supply channel which feeds Loads. 为负载供电的供电通道。

• QM-Load: A QM-Load is an electrical consumer that is supplied with power and energy for its functionality but does not place safety-relevant availability requirements on the power supply. An example of a QM-Load is a load that implements a Fail-Passive function or a non SR-Function. 不对电源提出安全相关可用性要求的负载。例如，提供fail-passive功能的负载，供电故障后功能关闭即为安全状态。

• SR-Load: A safety-relevant load is an electrical consumer that implements a subfunction of a Fail-Active SR-Vehicle-Function, such as braking, steering or environment detection. Therefore, the SR-Load allocates a safety-relevant availability requirement to the power supply. 对电源提出安全相关可用性要求的负载。例如提供fail-active功能的负载（制动功能，转向功能等），供电故障后系统需要有备份供电确保fail-active功能的可用性，保障车辆能达到安全状态。

• SR-EBN Channel: Safety-Relevant electrical power supply channel to which at least one SR-Load is allocated which places a safety-relevant availability requirement on the power supply. 功能安全相关的电源通道，该通道上至少有一个SR-load。

• QM-EBN Channel: Safety-Relevant electrical power supply channel to which at least one SR-Load is allocated which places a safety-relevant availability requirement on the power supply. 非功能安全相关的电源通道，该通道上全部是QM-load。

• ATV: Active Separating and Connecting Element (switches that separate or connect electrical systems). 主动分离和连接元件 （分离或连接电气系统的开关）。

除此之外，自动驾驶领域被广泛应用的MRM概念也被VDA 450引用。

• MRM: The MRM (Minimal Risk Maneuver) is a procedure automatically performed by the Automated Driving System to place the vehicle in a minimal risk condition in a manner that avoids unreasonable risks in traffic. (From FRAV-09-05). 最小风险操作。在驾驶员没有响应接管请求时，自动驾驶系统主动执行安全操作以避免不合理的风险。

值得注意的是，VDA 450在ISO 26262定义的术语基础上还拓展了一些新的概念，这些概念细化了对多点故障的故障处理时间、故障探测时间及故障响应时间的描述，可以参考ISO 26262定义的FHTI/FDTI/FRTI来理解。这里也做一个摘抄，强烈推荐功能安全工程师关注。这些术语目前只在VDA 450中被正式使用，但是可以预见这些概念将会被更广泛地使用。

• MPFHTI: Multiple-Point Fault Handling Time Interval – Sum of Multiple-Point Fault Detection Time Interval and Multiple-Point Fault Reaction Time Interval. The time interval specifies the maximum time-span of a concrete Safety Mechanism for a reaction to a Multiple-Point Fault (first fault of a multiple-point failure).

• MPFHTTI: Multiple-Point Fault Handling Tolerance Time Interval – The time interval specifies the maximum permissible time-span of a Safety Mechanism for a reaction to a Multiple-Point Fault (first fault of a Multiple-Point Failure). The MPFHTTI specifies the maximum time value of the MPFHTI.

• MPFRTI: Multiple-Point Fault Reaction Time Interval – Maximum time-span during which a Safety Mechanism shall react to a Multiple-Point Fault (first fault of a Multiple-Point Failure).

图片来自VDA 450