Mitigating Unintended Acceleration and Deceleration Hazards by Defining Drive Torque Command Tolerance Criteria for Commercial Truck Electric Motor Propulsion Control Systems 2023-01-0548

A commercial truck electric motor propulsion control system may require hundreds of inputs to optimize the drive torque command. As a safety-related signal, the drive torque command requires protections ensuring its integrity. Similarly, the inputs used by the control system to determine the drive torque command also require protections. To define these protections, the ISO 26262:2018 series of standards prescribe the development of safety requirements and associated Automotive Safety Integrity Levels (ASILs). Safety requirements ensure safe system output, in part, by protecting system inputs. Satisfying these safety requirements to their ASILs adds complexity and cost to commercial truck electric motor propulsion control systems. The greater the safety-related signal count, the greater the complexity and cost added.

This paper introduces a standardized 5-step approach to defining tolerances for the drive torque command within which drive torque causes neither unintended acceleration nor unintended deceleration hazards. First, derive a simplified drive torque calculation (SDTC) as the basis for the tolerance. The SDTC utilizes only a small subset of the inputs used to determine the optimized drive torque command (ODTC). Second, determine the maximum difference between optimized and simplified drive torque during un-faulted truck operation using model-in-the-loop (MIL) simulations. Third, determine the ODTC error required for the onset of unintended acceleration and unintended deceleration hazards using vehicle-level simulations. Fourth, express the drive torque command tolerance formulaically using results from steps 1 through 3. Fifth and finally, validate the drive torque command tolerance by determining truck acceleration and deceleration during vehicle-level fault insertion testing. Using the simplified drive torque calculation as the basis for drive torque command tolerance supports ISO 26262 compliance while reducing the number of safety-related input signals. Thereby, this standardized method reduces the complexity and cost for implementing safe commercial truck electric motor propulsion control systems.