General Fail-Safe Emergency Stopping for Highly Automated Vehicles

From SAE level 3 onwards, automated vehicles must be able to resolve sudden system failures without driver intervention, including failure modes that are difficult or impossible to address by redundancy alone. Causes of hazardous multiple-point faults-beyond internal failures-include lightning strikes or deliberate attacks by electromagnetic pulses. Stopping the vehicle under such conditions is challenging: A full braking maneuver may risk rear-end collisions or loss of traction; likewise, any other constant braking profile will pose considerable risk of not achieving a true ""safe state"". This paper presents an emergency stopping system to execute a situation-dependent braking maneuver that can resolve system failures up to(but not limited to) a full electrics/electronics failure, with the aim of providing a baseline safety solution for all failure modes (short of mechanical failures) for which no dedicated solution is available. The system is composed of an electronic planning unit and a hydraulic/mechanical subsystem, both of which are implemented and tested in simulated and in real environments.