Functional safety mechanism development of creep monitoring in automatic transmission

Abstract

Functional safety one of the most of important feature of new development lifecycle of the vehicle systems. ISO 26262 is known as "Road vehicles – Functional safety" which is an international standard for functional safety of electrical and/or electronic systems of road vehicles. This definition comes from International Organization for Standardization (ISO) in 2011 and revised in 2018. In today's powertrains, mostly modern automatic transmissions are used for road vehicles. Those transmissions have electronic systems that supports driver activities in better way. I.e., in manual transmission, driver has to control 3 pedal (clutch, acceleration and brake) and gear lever while driving but with help of automatic transmission, driver only controls 2 pedal (acceleration and brake) and usually gear lever always stay in D (Drive) or R (Reverse) based on which direction driver wants to move. In automatic transmissions, clutch pedal is controlled by electronic control units such as transmission control unit. One of the functional safety responsibilities is controlling these electronic control unit activities via different safety mechanism whether they work in proper and safety way. Because in case of wrong detections, wrong calculations in electronic control units or wrong requests of drivers might cause very dangerous severities. In this thesis, it is aimed to develop a functional safety mechanism that monitors the creep/Creep function of the automatic transmission and takes the necessary measures before the accidents caused by this function. Before starting of modelling this safety mechanism monitoring these functions in MATLAB/Simulink, firstly some functional safety concept development has to be done to define procedures. In this study, functional safety development is done based on V-model. Firstly, Item definition is done to define specification of item which is investigated. Since transmission control unit was our main item, all specifications that includes gear ratios, transmission maximum torque, clutch engagement information to transmit torque, communications with other electronic control units and also since transmission control unit is related to vehicle also operational driving and vehicle movement states are given. Then hazard analysis and risk assessment (HARA) is done to define potential hazards and operational situation which can be seen during creep function is investigated and safety goals are determined derived from ASIL. After safety goal determination, functional safety concept that includes safety mechanisms is done by defining functional safety requirements to fulfill safety goals. Before start on development of safety mechanism monitoring, all technical safety requirements are set with hardware and software with including architecture of system. To monitor creep function, in a first-place automatic transmission plant model which includes engine, transmission, vehicle, gear shift mechanism, and CAN/HW state model is implemented in MATLAB/Simulink platform. This plant model also includes a creep function to be monitored. In the plant model development phase, the transmission gear ratio is selected from the item and all other vehicle parameters as engine inertia, and engine and torque converter characteristic values are taken from the vehicle that is thought of as a concept. After functional safety concept development and plant model development, the safety mechanism of creep function monitoring is implemented based on defined safety requirements. The safety mechanism of creep monitoring is responsible for detecting high creep torque errors mainly for driver torque demand, engine torque from plant model, engine speed, and vehicle velocity. During creep, the transmission control unit can request increased engine idle speed/torque if needed or unintentionally close the lockup clutch. Both cases might cause unintended acceleration. The safety mechanism receives the engine torque from the plant model and calculates the consumed by the engine based on engine inertia and engine speed. The safety mechanism of creep monitoring checks the difference between engine torque from the plant model and consumed engine torque. This difference is accepted as creep torque which is the torque transmitted to wheels during creeping. If torque transfer is higher than the defined safety torque threshold for the allowed fault reaction time interval, then safe state which leads to force to bring the vehicle to a standstill via setting gearbox torque to zero is triggered. Therefore, the safety mechanism of the creep function is implemented by considering these conditions. After all these development processes, testing of specific driving test scenarios is simulated to check that if the plant model works as intended then specific functional safety fault injection test cases are simulated to see if the safe state which is defined based on safety goals works as intended to prevent severe accidents.