Next Article in Journal
Suspension-Type of Flywheel Energy Storage System Using High Tc Superconducting Magnetic Bearing (SMB)
Previous Article in Journal
Flying State Sensing and Estimation Method of Large-Scale Bionic Flapping Wing Flying Robot
 
 
Search for Articles:
Title / Keyword
Author / Affiliation / Email
Journal
Article Type
 
 
Advanced Search
 
Section
Special Issue
Volume
Issue
Number
Page
 
Journals
Actuators
Volume 11
Issue 8
10.3390/act11080214
actuators-logo
Submit to this Journal Review for this Journal Propose a Special Issue
Article Menu

Article Menu

share Share announcement Help format_quote Cite question_answer Discuss in SciProfiles thumb_up
...
Endorse textsms
...
Comment
first_page
settings
Order Article Reprints
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Review

Short Review of EMB Systems Related to Safety Concepts

by
Simon Schrade
1,*,
Xi Nowak
1,
Armin Verhagen
1 and
Dieter Schramm
2
1
Robert Bosch GmbH—Corporate Research, Robert-Bosch-Campus 1, 71272 Renningen, Germany
2
Faculty of Engineering, University of Duisburg-Essen, 47057 Duisburg, Germany
*
Author to whom correspondence should be addressed.
Actuators 2022, 11(8), 214; https://doi.org/10.3390/act11080214
Submission received: 4 July 2022 / Revised: 28 July 2022 / Accepted: 29 July 2022 / Published: 31 July 2022
(This article belongs to the Section Actuators for Land Transport)
Browse Figures
Versions Notes

Abstract

:
A growing interest in Electromechanical Brakes (EMBs) is discernible in the automotive industry. Nevertheless, no EMBs have ever been deployed for series production, although countless publications have been made, and patents have been filed. One reason for this is the need for the optimization of functional safety. Due to the missing mechanical/hydraulic link between the driver and the actuator, sophisticated concepts need to be elaborated upon. This paper presents the current state of the art of safety concepts for EMB systems (only publicly available publications are reviewed). An analysis of current regulatory and safety requirements is conducted to provide a base for design options. These design options are explored on the basis of an extensive patent and literature research. The various discovered designs are summarized and analyzed according to their (a) EMB actuators; (b) control topology; (c) energy supply; and (d) communication architecture. This paper concludes by revealing the weak points of the current systems.

1. Introduction

The automobile industry is currently facing two simultaneous challenges. The first challenge is the progression of automated driving. The newly promoted Mercedes-Benz S-Class can be cited in this context, supporting automated driving (SAE Level 3) up to a speed of 60 km/h in specific contexts [1]. The second major challenge is decarbonization: the shift from internal combustion engines (ICE) towards electric driving. Both challenges are driving factors for the introduction of Electromechanical Service Brakes (EMBs) into series production [2].
In 2015, the presentation of the Audi R8 e-tron equipped with two EMBs at the rear axle for the 24 h in Le Mans race can be highlighted as a milestone towards series production [3]. However, to date, no programs towards series production have been announced to the public by any OEM, leaving the state of EMBs as being ‘under research’.
The introduction of EMBs is linked to Brake-by-Wire (BBW) systems, which are characterized by the capability of controlling the brake actuators electronically, and which promise diverse possible advantages:
  • Reduced weight [4,5];
  • Easy assembly [4,6];
  • Modularization [6];
  • Lower power consumption [5];
  • Enhanced vehicle stability (dynamic brake force distribution, faster brake response, etc.) [4,7,8];
  • Easier cooperative regenerative braking [8].
BBW systems currently on the market typically consist of a pedal simulator, a control unit, electrically actuated brake actuators, and a mechanical/hydraulic backup actuated directly by pedal [8,9].
EMB systems are systems that usually have neither mechanical nor hydraulic links between driver and brake actuator. However, this raises significant reliability and security concerns for the E/E architecture that need to be addressed [9].
However, today’s E/E architectures are the result of continuous evolution and the permanent appending of functions and electronic control units (ECUs). This evolution has led to complex topologies with over 100 distributed ECUs (at the vehicle level). Another topic of concern is the processing and exchange of potentially safety-critical and redundant signals between those ECUs [10,11,12,13,14]. The issues concerning safety and the E/E architectures of EMBs are well known to the scientific community. Many different and concurrent approaches have been presented trying to resolve the aforementioned problems, and these are reviewed in this paper.
The scope of this paper is to give a brief overview of relevant topics concerning future EMB systems, concentrating on the functional E/E architecture and disregarding the precise mechanical attributes. First, general requirements for braking systems are presented in Section 2. Section 3 highlights the current state of the art (SoA) of EMB actuators and explains their sub-components, as well. The foreseen future concepts for E/E architectures concerning EMB systems are addressed in Section 4. This paper concludes by pointing out current inadequacies that are not appropriately addressed and that might be researched in future.

2. Safety

2.1. Regulations for Braking Systems

2.1.1. Introduction to Regulations

The European Union, the United States of America, China, and India accounted for 71% of worldwide car sales in 2020 [15]. Regulations in these four regions are considered in this paper [16,17,18,19,20]. Additionally, the regulations of Canada [21] were analyzed, because they explicitly address electrically actuated brakes (in addition to hydraulic ones). The aim is rather to give a holistic set of requirements that must be met than to analyze the regulations in their detail.
An organization to be noted in the context of vehicle regulation is the United Nations Economic Commission for Europe (UNECE), which includes 56 member states in Europe, North America, and Asia. One of its purposes is the development of regulation and norms, resulting in UNECE-R13H, which is implemented in the European Union and similarly in the United States as the certification specification for braking systems [22]. China and India do not take part in the UNECE. Nevertheless, they have implemented specifications that are comparable albeit on a lower performance level.

2.1.2. Common Subsets of Legislation

The most relevant requirements for certifying an EMB service braking system are summarized in the following tables, specifying only the most performant requirements with respect to various performances requested in different regions. A distinction is drawn between design (see Table 1), performance (see Table 2), performance of the degraded system (see Table 3), and degradation of the design (see Table 4), while noting the specific paragraph that requests a given feature. The numbers listed in the right columns beneath the requirements refer to the paragraphs of the legislative documents. If the letter ‘A’ precedes a number, the relevant requirement can be found in the Annex.
The following summary shows that certain design principles are to be followed, as the braking system must actuate all four wheels of a vehicle (D.05), and certain redundancies are to be implemented (D.14). However, a degree of degradation is allowed, reducing the required mean deceleration from 6.63 m/2 (P.01) to a minimum of 2.6 m/s2 (P.11) resulting from single failure [22]. It needs to be highlighted that Canada explicitly addresses that electrically actuated brakes are to decelerate according to nominal required performance in the case of any 1st E/E failure.

2.2. Functional Safety for Braking

In general, every braking system can be regarded as being safety-critical. The state-of-the-art means of compliance for safety-critical E/E architectures of road vehicles is ISO 26262. Detailed information on how items and safety concepts are defined, as well as how safety assessments are conducted, is explained in [23]. The following paragraphs focus on the consequences for service braking systems and their actuators analyzed in the literature after showing how ASILs (Automotive Safety Integrity Level) are determined in general.

2.2.1. ASIL Determination in General

ASIL is an indicator of the safety impact of the malfunction of a certain system. The highest ASIL (D) reflects a major impact, where the lowest ASIL (A) reflects a minor impact on the safety of the vehicle. It is to be determined by the superposition of the following three factors [23]:
  • Exposure: refers to the probability of occurring in a driving scenario [24].
  • Severity: refers to the potential harm to passengers and other road users based on the Abbreviated Injury Scale (AIS).
  • Controllability: refers to the share of drivers who could handle the situation while avoiding hazards.
It is important to note that a malfunction of the vehicle resulting in an event that is uncontrollable by any driver (C3) and fatal to all occupants (S3) might be classified as either ASIL A or D only on the basis of whether the related driving situation might happen more or less frequently. The determined ASIL of an item informs the development process that is to be followed and certain random hardware fault metrics that must be tolerated by the allocated systems [25,26].
After the ASIL determination, an ASIL decomposition might be conducted, following the rules of [27]. ASIL decomposition is the allocation of one item to several elements, resulting in a lower ASIL for each element. However, the hurdle that the elements must be ‘sufficiently independent’ is to be ensured. Ref. [28] describes common faults in ASIL decomposition.

2.2.2. Applied ASIL Determination

The ASIL of an item is independent of the architecture of the linked systems. Furthermore, it can be seen as the starting point for deriving architectural concepts that comply with the required safety (Section 3 and Section 4).
In the literature, ASIL assessments are rarely given, because they are the know-how of the OEMs. However, a few reviews have been published. Table 5 provides an overview of the ASILs for various malfunctions of braking functionality, as generalized by [29], that have been published in literature. Table 5 illustrates that with increasing degradation of the braking system, the increase in uncommanded deceleration or yaw motion of the vehicle could result in rising ASIL ratings for the braking system. However, it has also been shown that the same degree of degradation might result in different ASIL ratings as a result of the source or the context [2,9,30].
Two classes of reliability requirements can be derived from Table 5. The first class is the availability of the function ‘deceleration’ in several degradation levels. The second class is the integrity, which is, at least in a fail-silent manner, required by the regulation (D.11), as well [31]. Whereas fail-silent behavior must be ensured for every single wheel, it is still possible to decompose the availability requirement between the different wheels or axles, possibly resulting in an adjusted brake force distribution [9,32].

2.3. Principles of Reliability Engineering

The requirements listed in the preceding sections can often only be met by applying reliability engineering. Therefore, that topic shall be highlighted briefly.
Reliability, itself, can be defined as “the ability of a product or system to perform as intended (i.e., without failure and within specified performance limits) for a specified time in its life cycle conditions” [33]. For certain applications, such as braking systems, for instance, adequate reliability can be achieved by introducing redundancy.
In general, redundancy can be distinguished between active redundancy and standby redundancy. The pivotal difference between these two concepts is that a standby-redundant system incorporates a switch that changes the command from one unit (failed) to another unit that then takes over control, either from idling (hot standby) or from a non-operative (cold standby) state. In contrast, active-redundant systems incporporate several entities that work simultaneously in parallel. If a failure in one of the units occurs, the same functionality is still available without any switching elements. One important concept in this context is the so-called (majority) voting, where a failed unit is simply overruled by the intact entities [34].

3. Electro-Mechanical Brake Actuators

This section provides a brief overview of the components that comprise an EMB actuator. Additionally, redundancy concepts for the actuators are presented. One basis for this section is an extensive patent research (all relevant patents are listed below the References) related to electromechanical brake actuation.

3.1. Components of EMB Actuators

In general, an EMB actuator or at least the EMB actuation function, comprises at a minimum one sensor, one control unit, and one electric motor with rotation-to-translation gear, in accordance with the input–process–output (IPO) model. Figure 1 shows schematically an EMB actuator for a parking brake. The (sub-)components that are discussed in this section are marked in bold and red.

3.1.1. Sensors

Sensors can be implemented in the actuator to (a) measure the drive dynamic behavior of the vehicle and to (b) monitor the actuator itself (i.e., uncommanded actuation). While this paper focuses on the measurands themselves, descriptions of the physical measuring principles and possible sensor types are reviewed in [36,37,38].
The patent research showed that the most common measurands required by the actuators are:
  • Brake force or pressure;
  • Wheel speed;
  • Rotational angle of motor (of EMB).
It should benoted that a brake force sensor can correspond to costs of up to USD 15 in mass production, considering the sensor, the amplifier, and connections [39]. As a result, it could be profitable to avoid the force sensor by using the model-based estimated force, also referred to as analytical redundancy. Model-based estimation takes advantage of the fact that the measurements of different physical attributes of a single process are correlated with one another. Therefore, it is possible to derive one measurement from another [35].
Schwarz et al. [40] first proposed measuring the brake pad position by measuring motor rotor position and motor current. Many others followed, showing that a force sensor can be saved by measuring the electric attributes of the motor and its position [39,41,42,43,44].

3.1.2. Control Unit

The purpose of an ECU, in the context of an EMB system, consists in the conversion of a brake request to an explicit actuation of the brake motor.
Following a specific braking request by the driver or an automated driving function, various applications such as ASS (Anti-Skid System) or ESC (Electronic Stability Control) are executed to ensure vehicle stability, determining the braking force required at each wheel.
The controller allocated to the ECU finally compares the estimated and the required braking force at each wheel and drives the motor using a closed control loop [8]. The described function of the control unit may be accomplished by different control entities connected by communication links. In general, a control unit consists of a central power unit (CPU), a memory unit, a power supply unit, and a communication interface [45].

3.2. Redundancy Concepts for EMB Actuators

As mentioned in the introduction, EMB systems usually have neither mechanical nor hydraulic links between the driver and the brake actuator. This means that the driver is no longer—as in conventional BBW systems—the backup solution if the EMB system does not work as desired. A suitable and optimal redundancy concept is one of the biggest challenges presented in EMB development.
Redundancy concepts concern the E/E architecture considering E-Supply, ECU topology, or sensor concepts. This contribution focuses on redundancy concepts for the electromechanical components of a single EMB actuator.
Section 2 shows that certain reliability requirements for EMB actuators exist, starting from ASIL B items that need to achieve failure rates of λ ≤ 10−7 1/h [25]. With reference to [46] citing [47], an electric motor by itself possesses a failure rate of approximately λ = 9 ×10−6 1/h, disregarding its periphery as there are gears (λ = 4.7 × 10−6 1/h) and related wiring (λ = 10−6 1/h). Eventually, it is obvious that a certain redundancy could be necessary to comply with the required failure rate. Table 6 shows four different redundancy concepts found in the studied patents, exemplarily shown as disk brake configurations.

3.2.1. Redundant Single Entity

This option increases reliability by adding two stator assemblies to a single rotor, as realized in the patent [48]. However, it is key that no interdependence between the different stators exists, as this would lead to common cause failures.

3.2.2. Independent Pads

According to Table 5, a degradation of the service braking system can be tolerated by ASIL A if its magnitude is small enough. Following this approach, patents describe an EMB actuator that has two independent brake systems (motor, translation, pad) [49,50]. A failure (in a silent manner) of a single motor leads to a reduction in braking power by half. An uncommanded activation failure of a single motor eventually results in a low uncommanded deceleration of the vehicle, causing only a small safety impact.

3.2.3. Addition Gear

A failure of one motor leads to a performance degradation of the actuator if the motors are not oversized. A significant difference compared to independent pads is that an uncommanded movement of one motor can be absorbed by being counteracted by another motor using an addition gear. However, the disadvantage is that the addition gear and the shaft exist as common components. This could possibly result in common cause failures of the actuator. Another embodiment of this approach is the series [51] or parallel connection [50] of the motors. Our research showed that this approach is often mentioned in inventions and patent applications [52,53,54,55,56,57,58].

3.2.4. Parking Brake for Integrity

The functionality of the parking brake is to lock the wheel while the vehicle is in standstill and to provide a certain deceleration in case of an emergency at low vehicle velocity [15]. However, the locking functionality can be used to lock the service brake against uncommanded movement. This locking functionality can provide integrity to the service brake. Some inventions are designed to be able to take advantage of this effect [57,59,60,61,62,63,64,65].

3.3. Thermal Safety

The actuation of an EMB is produced by an electric motor. This motor requires certain temperature conditions in order to be able operate well. Depending on the motor insulation class, the maximum allowable temperature of commonly available electric motors can range from 105 °C (Tolerance Class A) to 180 °C (Tolerance Class H) [66]. If the motor is operated outside these conditions, it will be derated, leading to a degradation of available brake performance and a decrease in component lifetime.
On the other hand, the EMB is situated in a very harsh environment, where disc brakes may easily reach temperatures of approximately 400 °C during strong braking [67,68]. This heat might be radiated, dissipated, or conducted to the EMB motor during braking maneuvers. A potential threat would exist if the temperature of the motor rose above its limitations due to heat transfer.
No publications could be found that address this topic explicitly. However, several publications investigate the decrease of brake disk temperature due the introduction of venting holes [67,68,69]. Another approach is to tolerate the failure of one stator assembly due to overheating by applying a 2 × 3 phase electric motor, as presented in Section 3.2.1 [70].

4. EMB Systems

This section discusses current developments in EMB systems on a topological level. Both architectures the explored in Section 3 as well as the requirements investigated in Section 2 will be considered for the system. Figure 2 shows a schematic diagram of the X circuit topology of an EMB system. The topics addressed in this sections are highlighted in color, and are: control topology, E-supply (-) and communication ( Actuators 11 00214 i020).

4.1. Power Supply

The power supply generally has the task of storing the energy (from the recuperation or public charging network) and safely delivering the energy (the focus of this paper) to consumers if necessary [71].

4.1.1. Reliable Power Supply

Due to the availability requirements, a redundant power supply is necessary [31,72,73,74,75]. This is already in place for electric and hybrid cars, which possess a higher voltage network (up to 400 V) for propulsion and a low-voltage (12 V or 48 V) supply for standard consumers [31,76]. Providing a highly available power supply realized within a single network can be ensured by implementing decentralized backup power storage where necessary [77].

4.1.2. Power Supply in the EMB Context

Conventional hydraulic brake systems use two brake circuits in an X or H arrangement. Many EMB system inventions have been presented that revert to this design by replacing the hydraulic lines with power lines of an equivalent voltage [46,72,78,79,80,81,82,83,84]. Alternatives have also been proposed. Bosch [82], Audi [85], and Kipping et al. [73] provided full redundancy by connecting every EMB to two equivalent supplies. Full redundancy as described in these references is advantageous if a redundant actuator is in place where a single power supply represents the threat of a single point failure. Continental [86] and BYD [87] developed this full redundancy further by using the conventional X or H arrangement for the low-voltage network and taking advantage of a high-voltage network that was additionally connected to every EMB. In contrast, [56] described an EMB system with a simplex power supply, adding local power storage to every EMB actuator, as proposed in [77]. A similar approach is to use the kinetic energy of the wheel to power a generator that can act as a backup power supply for the EMB [88]. Table 7 gives an overview of the described topologies.

4.2. Communication

The communication system has the purpose of providing a means to exchange data between differently located control entities [89,90]. It must satisfy very high standards of availability and reliability, as well as possess real-time properties for safety-critical functions [14].

4.2.1. Ethernet as the Future

Intelligent driving requires the processing and exchange of high amounts of data, resulting in a rising demand for bandwidth. The demand for bandwidth is added on top of the aforementioned general requirements [91,92]. Automotive Ethernet complies with all of these requirements [91,93], while also being low cost [13,94]. As a result, it is forecast to be the next automotive standard technology [13,14,91,93].

4.2.2. Topologies

Ethernet, as it is expected to be the future communication standard, only allows for point-to-point connections. Eventually, star-and-ring topologies could be implemented in future EMB communication systems. The advantage of a bidirectional ring topology is the per se failure tolerance of a failed wire or communication entity by using the ‘other direction’ of the ring to exchange data [73,95]. A star configuration, in contrast, is axiomatically not failure tolerant, considering the central switch as a potential single point failure [10]. However, the physical redundancy of the switch, resulting in alternate network routing, exists in the case of a failure [89]. The aviation industry has deployed AFDX (Avionics Full-Duplex Switched Ethernet), applying this principle [72].

4.3. Control

As mentioned in the Introduction, the control architecture of cars has undergone a steady growth in terms of functions and the number of ECUs, leading to an amount of over 100 ECUs, nowadays. Therefore, it is necessary to discuss strategies to counteract that development while nonetheless achieving safety.

4.3.1. Integration Concepts

The key to the reduction of ECUs and, eventually, complexity is the integration of different functions on a single controller [95]. The real-time operating system (RTOS) is the enabler for this development. In this sense, the main requirements for RTOS are [96]:
  • Resource management (e.g., CPU, memory, disc drives);
  • Service execution and provision for application software;
  • Timing.
Partitioning refers to the prevention of interference between different applications related to timing (temporal partitioning) or resources (spatial partitioning) [96]. This enables the integration of applications with mixed criticality on a single controller [95]. The aviation industry has already implemented this function integration with the rollout of the A380 in 2005, incorporating ‘IMA’ (Integrated Modular Avionics) [97]. IMA is based on the ARINC 653 standard, which defines its interfaces [96]. AUTOSAR reflects a similar approach in the automobile industry [98].

4.3.2. Fault-Tolerant Control Strategies

The commonly known fault-tolerance strategies include duplex, triplex and quadruplex redundancy [99].
The duplex topology consists of two (=duo) entities. The first entity is responsible for the command of the actuators, whereas the second entity is only responsible for the monitoring of the command entity. If the monitor detects a discrepancy, it shuts the whole duplex module down, and thus cares for the integrity and the fail-silent behavior of the module (see EGAS) [31,72]. Another implementation of a duplex behavior is the so-called ‘lockstep controller’, which incorporates both command and monitoring, which are run on two separated cores [75,100]. Duplex redundancy might be used for systems with a safety level up to ASIL C [75]. The disadvantage of this topology is that a fail-operational behavior (see Requirement D.14) cannot be provided [99,100]. Nevertheless, it is of course possible to implement several duplex modules in parallel, providing fail-operational behavior [100].
The other topologies consist of three (triplex) or four (quadruplex) entities. If one entity fails, the other modules can detect this and eventually shut the affected entity down in order to realize fail-operational behavior, representing a permutated system.

4.4. Embedding EMB Actuators into the System

A strong minority of systems can be found that surrender the use of controllers in the EMB actuator itself, reducing the complete control to a centralized duplex module. If the entities of the duplex modules have no capacity for self-monitoring, these systems reflect fail-silent systems [87,101]. Mando [102] considered this challenge when stating that if the monitoring entity detected a failure in the command entity, it would take over control by itself. More common are systems that use so-called ‘smart’ actuators, which incorporate their own control unit, as presented in Section 3. This section focuses on this implementation.
A design pattern that can be found repeatedly is the use of the conventional two brake circuits (cf. Section 4.1), with each brake circuit having its own central control unit that commands the responding EMB actuators [48,82,83,103,104]. The fault tolerance consists of the fact that if one control unit fails, the second brake circuit can still operate properly. However, a degradation in total braking performance needs to be tolerated.
In contrast, [80,86,105] describe a triplex topology for the centralized control modules that can withstand at least a first failure. Eventually, full braking capability will be available even after this first failure.
Refs. [106,107] add another control unit to improve the failure tolerance further, implementing a quadruplex system. The fact that the vehicle operates four wheels is capitalized on by simply using the smart actuators mutually as a quadruplex system. Centralized functions such as ESC are simply deployed on every single actuator, so that each calculates the command for every wheel [31,73]. In addition to its strong failure tolerance, this topology might be very cost-efficient [73].
Finally, Refs. [79,99,108] went one step further in merging the presented wheel-node quadruplex system with a central module (duplex or simplex). The central module incorporates the higher control functions, such as ESC and ASS. If this module fails, however, the smart actuators receive their braking commands directly from the driver pedal. Although a degradation can be noticed due to the missing higher functions, the braking system is still capable of deploying the full braking force in the case of degradation. Table 8 gives an overview of the discussed control topologies.

5. Summary and Outlook

A review of EMB systems related to safety concepts (requirements, E/E architecture, redundancy, degradation strategies) was provided in this contribution. Although there is existing literature related to this topic, not much research has been published investigating the safety criticality of different malfunctions of the braking system. Furthermore, no distinct evaluation exists on that specific topic. Therefore, attention needs to be devoted to this specific topic, with represents the starting point for EMB systems.
Additionally, only a small number of publications have been found that harmonize the design of the EMB actuator with the complete EMB system. This volume is minimized again when considering the challenges posed by electric, automated driving vehicles for such a system. Synergies thereof need to be taken in account, as well.
Finally, a universal set of Key Performance Indicators must be found to be able to evaluate different options and to find superior design solutions.

6. Patents

DE102006010713 B4; CN111873958 A; CN106347339 A; KR20100030010 A; WO21122214 A1; US2016339897 AA; DE102019217601; WO09007505 A1; KR20110060260 A; US2006061210 AA; US6272421 BA; US2005167212 AA; DE102019128742 A1; KR20040022900 A; KR20210002011 A; KR20210002010 A; KR20090119486 A; KR20090064732 A; DE102006053617 A1; US6189981 BA; FR2855611 A1; US6317675 BA; US6397981 BA; WO21139954 A1; CN113110238 A; CN112550189 A; US2016009260 AA; KR20120027613 A; DE102015203717 A1; CN209146188 U; DE102019128741 A1; US2001020562 AA; US2010007199 AA; US6536562 BA; US6213256 BA; US2010147633 AA; CN107150674 A; WO20193420 A1; DE10319082 B3; EP1174322 A1; US6279690 BA; US2009278401 AA; WO9736116A1; CN209852287 U; CN111319596 A; KR20120000838 A; CN113389828 A; KR101721654 B1; DE102009046231 A1; US2021108692 AA; WO0037818 A1; US2009107740 AA; US2020180582 AA; DE102009046238 A1; US6774595 BA; FR2952011 A1; US2005006948 AA; US2014214269 AA; KR20100030012 A; KR20040022885 A; WO21047910 A1; KR20160103465 A; US2009223752 AA; US2010243388 AA; US2005127749 AA; CN109899422 A; KR20200098219 A; DE10312822 A1; FR2952886 A1; US2004040799 AA; CN211550350 U; WO09124810 A1; DE102011076424 A1,; KR20140057893 A; WO03054412 A1; KR20100008413 A; DE102020213916A1; CN102180163 A; US2019176789 AA; CN112721884 A; CN211202695 U; KR20130037018 A; DE102007001371 A1; DE102006027206 A1; KR20210002280 A; WO21158022 A1; US6340077 BA; DE102018218472 A1.

Author Contributions

Conceptualization, S.S., X.N., A.V. and D.S.; investigation, S.S.; writing—original draft preparation, S.S.; writing—review and editing, D.S. and X.N.; visualization, S.S.; supervision, X.N. and D.S. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding. The APC was funded by Robert-Bosch GmbH.

Informed Consent Statement

Not applicable.

Conflicts of Interest

The authors declare no conflict of interest.

Abbreviation

AFDX Avionics Full-Duplex Switched Ethernet
ESCElectronic Stability Program
AIS Abbreviated Injury Scale
ICEInternal Combustion Engine
ASIL Automotive Safety and Integrity Level
IMAIntegrated Modular Avionics
ASS Anti-Skid System
IPOInput–Process–Output
BBW Brake-by-Wire
OEMOriginal Equipment Manufacture
CPU Central Processing Unit
RTOSReal-Time Operating System
E/E Electric and Electronic
UNECEUnited Nations Economic Commission for Europe
EMB Electromechanical Brake

References

  1. Unknown. Autopilot Review. 2021. Available online: https://www.autopilotreview.com/2020-mercedes-benz-s-class-to-offer-eyes-off-level-3-autonomous-driving/ (accessed on 31 December 2021).
  2. Auguste, A. Hitachi ASTEMO. In Autonomous Driving and Safety Requirements for Braking Systems for Different Automation Levels; China Automotive Steering & Braking Summit 2021: Shanghai, China, 2021. [Google Scholar]
  3. Diehl, P. Elektromechanische Bremse: Schraubzwinge. Auto Service Praxis, Internet. 2015. Available online: https://www.autoservicepraxis.de/naachrichten/autotechnik/elektromechanische-betriebsbremse-schraubzwinge-2520511 (accessed on 31 December 2021).
  4. Xiang, W.; Richardson, P.C.; Zhao, C.; Mohammad, S. Utomobile Brake-by-Wire Control System Design and Analysis. IEEE Trans. Veh. Technol. 2008, 57, 138–145. [Google Scholar] [CrossRef]
  5. Sababha, B.H.; Alqudah, Y.A. A Reconfiguration-Based Fault-Tolerant Anti-Lock Brake-by-Wire System. ACM Trans. Embed. Comput. Syst. 2018, 17, 1–13. [Google Scholar] [CrossRef]
  6. Schriek, J. Challenge of Change—Reliability and Safety of Innovative E/E-Systems for X-by-wire Features. In SAE Technical Paper Series; SAE World Congress & Exhibition: Detroit, MI, USA, 2004. [Google Scholar]
  7. Lee, K.J.; Ki, Y.H.; Cheon, J.S.; Hwang, G.; Ahn, H.S. Approach to functional safety-compliant ECU design for electro-mechanical brake systems. Int. J. Automot. Technol. 2014, 15, 325–332. [Google Scholar] [CrossRef]
  8. Cheon, J.S. Brake By Wire System Configuration and Functions using Front EWB (Electric Wedge Brake) and Rear EMB (Electro-Mechanical Brake) Actuators. In SAE Technical Paper Series; SAE World Congress & Exhibition: Detroit, MI, USA, 2010. [Google Scholar]
  9. Cheon, J.S.; Kim, J.; Jeon, J.; Lee, S.M. Brake By Wire Functional Safety Concept Design for ISO/DIS 26262. In SAE Technical Paper Series; SAE World Congress & Exhibition: Detroit, MI, USA, 2011. [Google Scholar]
  10. Möller, D.P.F.; Haas, R.E. Automotive E/E and Automotive Software Technology. In Guide to Automotive Connectivity and Cybersecurity; Springer International Publishing: Cham, Switzerland, 2019; pp. 83–169. [Google Scholar]
  11. Johansson, L.-Å.; Lindahl, M.; Sivencrona, H.; Törngren, M. ODEEP—Open Dependable Electrical and Electronics Platform—Concept and Projects. In SAE Technical Paper Series; SAE World Congress & Exhibition: Detroit, MI, USA, 2005. [Google Scholar]
  12. Rieth, P.E.; Raste, T. Future Integration Concepts for ADAS. In Handbook of Driver Assistance Systems; Springer International Publishing: Cham, Switzerland, 2015; pp. 1399–1411. [Google Scholar]
  13. Bello, L.L. The case for ethernet in automotive communications. ACM SIGBED Rev. 2011, 8, 7–15. [Google Scholar] [CrossRef]
  14. Chakraborty, S.; Lukasiewycz, M.; Buckl, C.; Fahmy, S.; Chang, N.; Park, S.; Kim, Y.; Leteinturier, P.; Adlkofer, H. Embedded systems and software challenges in electric vehicles. In Proceedings of the 2012 Design, Automation & Test in Europe Conference & Exhibition (DATE), Dresden, Germany, 12–16 March 2012. [Google Scholar]
  15. Kords, M. statista.com. Statista GmbH. 2021. Available online: https://de.statista.com/statistik/daten/studie/734067/umfrage/anzahl-verkaufter-automobile-nach-laendern-weltweit/ (accessed on 1 January 2022).
  16. European Union. Regulation No 13-H of the Economic Commission for Europe of the United Nations (UN/ECE)—Uniform Provisions Concerning the Approval of Passenger Cars with Regard to Braking [2015/2364]; European Union: Brussels, Belgium, 2015. [Google Scholar]
  17. U.S. Department of Transportation. Laboratory Test Procedure For FMVSS 135 Light Vehicle Brake Systems; U.S. Department of Transportation: Washington, DC, USA, 2005.
  18. General Administration of Quality Supervision, Inspection and Quarantine of People’s Republic of China. Technical Requirements and Testing Methods for Commercial Vehicle and Trailer Braking Systems GB 12676-2014; General Administration of Quality Supervision, Inspection and Quarantine of People’s Republic of China: Beijing, China, 2014. [Google Scholar]
  19. Bureau of Indian Standards. Automotive Vehicles—Brakes and Braking Systems: Part 2 General Functions and Features; Bureau of Indian Standards: New Delhi, India, 2004. [Google Scholar]
  20. Bureau of Indian Standards. Automotive Vehicles—Brakes and Braking Systems: Part 9 Requirements for Vehicles equipped with Anti-Lock Braking Systems; Bureau of Indian Standards: New Delhi, India, 2003. [Google Scholar]
  21. Transport Canada. Technical Standards Document No. 105, Revision 5—Hydraulic and Electric Brake Systems; Transport Canada: Ottowa, ON, Canada, 2015. [Google Scholar]
  22. UN ECE. United Nations Economic Commission for Europe. Available online: https://unece.org/mission (accessed on 1 January 2022).
  23. International Standard Organisation. ISO 26262-3: Road Vehicles—Functional Safety—Part 3: Concept Phase; International Standard Organisation: Geneva, Switzerland, 2018. [Google Scholar]
  24. Verband der Automobilindustrie. VDA 702: Situationskatalog E-Parameter nach ISO 26262-3; Dokumentation Kraftfahrwesen: Berlin, Germany, 2015. [Google Scholar]
  25. International Standard Organisation. ISO 26262-5: Road Vehicles—Functional Safety—Part 5: Product Development at the Hardware Level; International Standard Organisation: Geneva, Switzerland, 2018. [Google Scholar]
  26. International Standard Organisation. ISO 26262-8: Road Vehicles—Functional Safety—Part 8: Supporting Processes; International Standard Organisation: Geneva, Switzerland, 2018. [Google Scholar]
  27. International Standard Organisation. ISO 26262-9: Road Vehicles—Functional Safety—Part 9: Automotive Safety Integritey Level (ASIL)-Oriented and Safety-Oriented Analyses; International Standard Organisation: Geneva, Switzerland, 2018. [Google Scholar]
  28. Ward, D.D.; Crozier, S.E. The uses and abuses of ASIL decomposition in ISO 26262. In Proceedings of the 7th IET International Conference on System Safety, incorporating the Cyber Security Conference 2012, Edinburgh, UK, 15–18 October 2012. [Google Scholar]
  29. Sinha, P. Architectural design and reliability analysis of a fail-operational brake-by-wire system from ISO 26262 perspectives. Reliab. Eng. Syst. Saf. 2011, 96, 1349–1359. [Google Scholar] [CrossRef]
  30. Parker, D.; Godof, A.; Papadopoulos, Y.; Saintis, L. A Study of Automatic Allocation of Automotive Safety Requirements in Two Modes: Components and Failure Modes. In SAE Technical Paper Series; SAE World Congress & Exhibition: Detroit, MI, USA, 2018. [Google Scholar]
  31. MPutz, H.; Seifert, H.; Zach, M.; Peternel, J. Functional Safety (ASIL-D) for an Electro Mechanical Brake. In SAE Technical Paper Series; SAE World Congress & Exhibition: Detroit, MI, USA, 2016. [Google Scholar]
  32. Liu, H.; Deng, W.; He, R.; Wu, J.; Zhu, B. Fault-Tolerant Control of Brake-by-Wire Systems Based on Control Allocation. In SAE Technical Paper Series; SAE World Congress & Exhibition: Detroit, MI, USA, 2016. [Google Scholar]
  33. Kapur, K.C.; Pecht, M. Reliability Engineering; John Wiley & Sons: Hoboken, NJ, USA, 2014. [Google Scholar]
  34. Department of Defence, USA. MIL-HDBK-338B, Military Handbook—Electronic Reliability Design Handbook; Department of Defence, USA: Fort Belvoir, VA, USA, 1998. [Google Scholar]
  35. Muenchhof, M.; Beck, M.; Isermann, R. Fault Diagnosis and Fault Tolerance of Drive Systems: Status and Research. Eur. J. Control. 2009, 15, 370–388. [Google Scholar] [CrossRef]
  36. Zabler, E.; Finkbeiner, S.; Welsch, W.; Kittel, H.; Bauer, C.; Noetzel, G.; Emmerich, H.; Hopf, G.; Konzelmann, U.; Wahl, T.; et al. Automotive Sensors. In Bosch Automotive Electrics and Automotive Electronics; Springer Fachmedien Wiesbaden: Wiesbaden, Germany, 2014; pp. 208–231. [Google Scholar]
  37. Zabler, E.; Finkbeiner, S.; Welsch, W.; Kittel, H.; Bauer, C.; Noetzel, G.; Emmerich, H.; Hopf, G.; Konzelmann, U.; Wahl, T.; et al. Sensor Measuring Principles. In Bosch Automotive Electrics and Automotive Electronics; Springer Fachmedien Wiesbaden: Wiesbaden, Germany, 2014; pp. 232–309. [Google Scholar]
  38. Zabler, E.; Finkbeiner, S.; Welsch, W.; Kittel, H.; Bauer, C.; Noetzel, G.; Emmerich, H.; Hopf, G.; Konzelmann, U.; Wahl, T.; et al. Sensor Types. In Bosch Automotive Electrics and Automotive Electronic; Springer Fachmedien Wiesbaden: Wiesbaden, Germany, 2014; pp. 310–353. [Google Scholar]
  39. Putz, M.H.; Seifert, H.; Zach, M.; Schiffer, M.; Peternel, J. Accuracy of Sensor-Less Control of an Electro-Mechanical Brake. In SAE Technical Paper Series; SAE World Congress & Exhibition: Detroit, MI, USA, 2015. [Google Scholar]
  40. Schwarz, R.; Isermann, R.; Böhm, J.; Nell, J.; Rieth, P. Clamping Force Estimation for a Brake-by-Wire Actuator. In SAE Technical Paper Series; SAE World Congress & Exhibition: Detroit, MI, USA, 1999. [Google Scholar]
  41. Ki, Y.-H.; Ahn, H.-S.; Cheon, J.S. Fault-Tolerant Control of EMB Systems. SAE Int. J. Passeng. Cars Electron. Electr. Syst. 2012, 5, 579–589. [Google Scholar] [CrossRef]
  42. Hoseinnezhad, R.; Saric, S.; Bab-Hadiashar, A. Estimation of Clamp Force in Brake-by-Wire Systems: A Step-by-Step Identification Approach. In SAE Technical Paper Series; SAE World Congress & Exhibition: Detroit, MI, USA, 2006. [Google Scholar]
  43. Schmidt, P.B.; Gasperi, M.L.; Ray, G.; Wijenayake, A.H. Initial rotor angle detection of a nonsalient pole permanent magnet synchronous machine. In Proceedings of the IAS’97. Conference Record of the 1997 IEEE Industry Applications Conference Thirty-Second IAS Annual Meeting, New Orleans, LA, USA, 5–9 October 1997. [Google Scholar]
  44. Hwang, W.; Han, K.; Huh, K. Fault detection and diagnosis of the electromechanical brake based on observer and parity space. Int. J. Automot. Technol. 2012, 13, 845–851. [Google Scholar] [CrossRef]
  45. Kaiser, M.; Aue, A. Steuergerät. In Kraftfahrtechnisches Taschenbuch; Springer Fachmedien: Wiesbaden, Germany, 2019; pp. 1420–1429. [Google Scholar]
  46. Isermann, R. Fehlertolerante mechatronische Systeme, Teil 1 (Fault-tolerant Mechatronic Systems, Part 1). at-Autom. 2007, 55, 170–179. [Google Scholar]
  47. U.S. Department of Defence. MIL-HDBK-217F: Reliablity Prediction of Electronic Equipment; U.S. Department of Defence: Washington, DC, USA, 1991.
  48. Weiberle, R. Elektrisches Bremssystem, Insbesondere Elektromechanisches Bremssystem. Germany Patent DE102009046238B4, 4 November 2021. [Google Scholar]
  49. Bei, S.; Zhang, L.; Lai, X.; Wang, Z.; Tong, X.; Bian, J.; Ma, Z.; Wang, K. Self Power Supply Type Double-Motor Brake Execution Mechanism of Automobile Electro-Mechanical Brake System. China Patent CN106347339A, 25 January 2017. [Google Scholar]
  50. Takahashi, H.; Takahashi, K. Electric Brake. U.S. Patent US7806241B2, 5 October 2010. [Google Scholar]
  51. Fu, Y.; Qin, C.; Liu, Q.; Gao, Q.; Shu, X. Electromechanical Brake Device and Vehicle with Same. China Patent CN211202695U, 7 August 2020. [Google Scholar]
  52. Nuesse, D. Elektromechanische Bremsvorrichtung für ein Fahrzeug. Germany Patent DE102018218472A1, 3 April 2020. [Google Scholar]
  53. Gohbrandt, J.; Stroschein, J. Verfahren zum Erkennen von Schäden an Mechanischen Bauteilen einer Elektromechanischen Bremse, Elektronisch Gesteuertes Bremssystem, Computerprogrammprodukt, Steuergerät und Kraftfahrzeug. Germany Patent DE102019128742A1, 29 April 2021. [Google Scholar]
  54. Martin, S. Elektromechanische Bremse zum Abbremsen einer Sich Drehenden Komponente und Bremsanlage mit Einer Elektromechanischen Bremse. Germany Patent DE10319082 B3, 16 December 2004. [Google Scholar]
  55. Schumann, F. Elektromechanische Bremsvorrichtung. Germany Patent WO9736116A1, 2 October 1997. [Google Scholar]
  56. Kim, S. Disk Break Apparatus For Electromechanical Brake System. U.S. Patent US2009223752A1, 10 September 2009. [Google Scholar]
  57. Hartmann, H.; Schautt, M. Fail-Safe Concept for an Electromechanical Brake. U.S. Patent US7748793B2, 26 November 2004. [Google Scholar]
  58. Sim, G.; Jian, J. Electro-Mechanical Brake System and Method for Operating Same. Korea Patent WO2021158022A1, 12 August 2021. [Google Scholar]
  59. Saitner, M.; Keller, R. Elektrisch betreibbare Parksperrenvorrichtung für ein Fahrzeuggetriebe. Germany Patent DE102009028858A1, 3 March 2011. [Google Scholar]
  60. Schade, K.; Linhoff, P. Elektromechanische Bremse und zugehöriges Betriebsverfahren. Germany Patent DE102011076424A1, 29 November 2012. [Google Scholar]
  61. Keski-Luopa, M. Sähkömekaaninen Seisontajarrujärjestely. Finland Patent FI119855B, 6 July 2007. [Google Scholar]
  62. Yang, L.; Liu, S.; Ma, F.; Miao, F. Electromechanical Brake Cylinder with Parking Function and Brake System. China Patent CN111319596 A, 23 June 2020. [Google Scholar]
  63. Laxhuber, T.; Baumgartner, H.; Pahle, W. Device and Method for Monitoring a Brake-Applying Electromechanical Device for Vehicle Brakes. U.S. Patent US6774595B1, 10 August 2004. [Google Scholar]
  64. Friesen, U. Electromechanical Brake Applying Device. U.S. Patent US2005006948A1, 13 January 2005. [Google Scholar]
  65. Schaffer, W. Electromechanical Wheel Brake System. U.S. Patent US6340077 BA, 27 May 1999. [Google Scholar]
  66. The Engineering Toolbox. NEMA Insulation Classes. 2004. Available online: https://www.engineeringtoolbox.com/nema-insulation-classes-d_734.html. (accessed on 21 July 2022).
  67. Belhocine, A.; Bouchetara, M. Thermal–Mechanical Coupled Analysis of a Brake Disk Rotor. ASM Int. 2013, 49, 167–176. [Google Scholar]
  68. Najmi, H.; Kumar, N.; Singh, A.; Singh, R.; Kumar, S. Thermal analysis of brake disc of an automobile. In Proceedings of the International Conference on Futuristic and Sustainable Aspects in Engineering and Technology (FSAET 2020), Mathura, India, 18–19 December 2020; IOP Conference Series: Materials Science and Engineering. Volume 1116, pp. 1–14. [Google Scholar]
  69. Jian, Q.; Wang, L.; Shui, Y. Thermal analysis of ventilated brake disc based on heat transfer. Int. J. Therm. Sci. 2020, 155, 106356. [Google Scholar] [CrossRef]
  70. Hwang, K.Y.; Song, B.K.; Kwon, B.I.K. Asymmetric dual winding three-phase PMSMfor fault tolerance of overheat in electricbraking system of autonomous vehicle. IET Electr. Power Appl. 2019, 13, 1891–1898. [Google Scholar] [CrossRef]
  71. Fassnacht, J. Bordnetze für Hybrid- und Elektrofahrzeuge. In Kraftfahrtechnisches Taschenbuch; Springer Fachmedien: Wiesbaden, Germany, 2019; pp. 1304–1309. [Google Scholar]
  72. Bergmiller, P. Design and Safety Analysis of a Drive-by-Wire Vehicle. In Automotive Systems Engineering; Springer: Berlin/Heidelberg, Germany, 2013; pp. 147–202. [Google Scholar]
  73. Kelling, N.A.; Heck, W. The BRAKE Project—Centralized Versus Distributed Redundancy for Brake-by-Wire Systems. In SAE Technical Paper Series; SAE World Congress & Exhibition: Detroit, MI, USA, 2002. [Google Scholar]
  74. Koehler, A.; Bertsche, B. An Approach of Fail Operational Power Supply for Next Generation Vehicle Powernet Architectures. In Proceedings of the 30th European Safety and Reliability Conference and 15th Probabilistic Safety Assessment and Management Conference (ESREL2020-PSAM15), Venice, Italy, 1–5 November 2020. [Google Scholar]
  75. Ross, H.-L. System Engineering for Development of Requirements and Architecture. In Functional Safety for Road Vehicles; Springer International Publishing: Cham, Switzerland, 2016; pp. 75–199. [Google Scholar]
  76. Gebert, J.; Bauer, F.; Chamas, M.; Meseth, M.; Michel, H.-U.; Singh, G.; Traub, M. HiBord: Hochverfügbare und Intelligente Bordnetztopologien für Automatisierte Fahrzeuge; BMW AG: Munich, Germany, 2020. [Google Scholar]
  77. Kilian, P.; Kohler, A.; Bergen, P.V.; Gebauer, C.; Pfeufer, B.; Koller, O.; Bertsche, B. Principle Guidelines for Safe Power Supply Systems Development. IEEE Access 2021, 9, 107751–107766. [Google Scholar] [CrossRef]
  78. Nilsson, A.; Linidqvist, A. An Electromechanical Brake System. China Patent WO2021122214A1, 24 June 2021. [Google Scholar]
  79. Niedermeier, E. Brake system for a motor vehicle. U.S. Patent US6189981B1, 20 February 2001. [Google Scholar]
  80. Stoelzl, S.; Giers, B.; Oehler, R.; Willimowski, P.; Boehm, J.; Nell, J.; Hoffmann, O. Electromechanical Brake System. U.S. Patent US6317675B1, 1 September 2000. [Google Scholar]
  81. Yan, L.; Hao, Z.; Sui, Q. EMB Redundancy Control System and Method. China Patent CN113110238A, 13 July 2021. [Google Scholar]
  82. Weiberle, R. Elektrisches Bremssystem, Insbesondere Elektromechanisches Bremssystem. Germany Patent DE102009046231A1, 5 May 2011. [Google Scholar]
  83. Doericht, M.; Schmid, R. Elektromechanische Kraftfahrzeug-Bremsvorrichtung. Germany Patent WO0037818A1, 29 June 2000. [Google Scholar]
  84. Weiberle, R.; Mueller, B.; Hassdenteufel, F. Electric Brake System i.e., Electromechanical Brake System, for Motor Vehicle, Has Brake Circuits Provided with Control Apparatuses, and Rolling Dynamics Control Unit Integrated in Each Control Apparatus. France Patent FR2952011A1, 6 May 2011. [Google Scholar]
  85. Winkler, J. Bordnetz für ein Fahrzeug und Verfahren zur Energieversorgung eines Sicherheitsrelevanten Verbrauchers eines Bordnetzes. Germany Patent DE102006010713B4, 1 April 2010. [Google Scholar]
  86. Holzwarth, J.; Krausen, L. System zur Aktorsteuerung, Insbesondere Bremssystem. Germany Patent DE102006053617A1, 15 May 2008. [Google Scholar]
  87. Liu, Q.; Qin, C.; Fu, Y.L.D.; Liao, K. Vehicle Electromechanical Brake System and Vehicle with Same. China Patent CN112550189A, 26 March 2021. [Google Scholar]
  88. Gehring, O.; Heilmann, H.; Schwarzhaupt, A.; Spiegelberg, G.; Sulzmann, A. Verfahren und Anordnung zur Regelung einer Bremsanordnung mit redundantem Energiepfad zur Energieversorgung der Regelungseinrichtung. Germany Patent DE102004014623A1, 13 October 2005. [Google Scholar]
  89. Basic Principles of Networking. In Bosch Automotive Electrics and Automotive Electronics; Springer Fachmedien Wiesbaden: Wiesbaden, Germany, 2014; pp. 70–81.
  90. Weiler, H.; Lorenz, W.; Prelle, O.; Thoss, D. Vernetzung im Kfz, Busse im Kfz. In Kraftfahrtechnisches Taschenbuch; Springer Fachmedien: Wiesbaden, Germany, 2019; pp. 1450–1458. [Google Scholar]
  91. Zhu, H.; Zhou, W.; Li, Z.; Li, L.; Huang, T. Requirements-Driven Automotive Electrical/Electronic Architecture: A Survey and Prospective Trends. IEEE Access 2021, 9, 100096–100112. [Google Scholar] [CrossRef]
  92. Haas, W.; Langjahr, P. Cross-domain vehicle control units in modern E/E architectures. In Internationales Stuttgarter Symposium; Springer Fachmedien Wiesbaden: Wiesbaden, Germany, 2016; pp. 1619–1627. [Google Scholar]
  93. Abendroth, S. Automotive Ethernet as enabler for flexible EE architectures. In Proceedings of the 4th International Conference Advanced Chassis and Safety Architecture, Stuttgart, Germany, 13 May 2013. [Google Scholar]
  94. Hager, M.; Gromala, P.; Wunderle, B.; Rzepka, S. Affordable and Safe High Performance Vehicle Computers with Ultra-Fast On-Board Ethernet for Automated Driving. In Advanced Microsystems for Automotive Applications 2018; Springer International Publishing: Cham, Switzerland, 2018; pp. 56–68. [Google Scholar]
  95. Sommer, S.; Camek, A.; Becker, K.; Buckl, C.; Zirkler, A.; Fiege, L.; Armbruster, M.; Spiegelberg, G.; Knoll, A. RACE: A Centralized Platform Computer Based Architecture for Automotive Applications. In Proceedings of the 2013 IEEE International Electric Vehicle Conference (IEVC), Santa Clara, CA, USA, 23–25 October 2013. [Google Scholar]
  96. Ross, H.-L. System Safety Engineering. In Safety for Future Transport and Mobility; Springer International Publishing: Cham, Switzerland, 2020; pp. 159–265. [Google Scholar]
  97. Schmidt, D. The Airbus A380—Towards a New Futre for Air Transport; Airbus: Samara, Russia, 2007. [Google Scholar]
  98. Autosar. Autosar. 2022. Available online: https://www.autosar.org/standards/classic-platform/ (accessed on 1 January 2022).
  99. Isermann, R.; Schwarz, R.; Stölzl, S. Fault-tolerant drive-by-wire systems. IEEE Control Syst. 2002, 22, 64–81. [Google Scholar]
  100. Ross, H.-L. Automated Driving and Control. In Safety for Future Transport and Mobility; Springer International Publishing: Cham, Switzerland, 2020; pp. 307–390. [Google Scholar]
  101. Nillson, A.; Lindqvist, A.; Dong, X. A Brake System For a Vehicle. China Patent WO2021139954A1, 15 June 2021. [Google Scholar]
  102. Kim, J.G. Brake System For Vehicle. U.S. Patent US2010007199A1, 14 January 2010. [Google Scholar]
  103. Huang, S.; Zhou, C.; Yang, L.; Qin, Y.; Huang, X.; Hu, B. Transient fault tolerant control for vehicle brake-by-wire systems. Reliab. Eng. Syst. Saf. 2016, 149, 148–163. [Google Scholar] [CrossRef]
  104. Weiberle, R.; Mueller, B.; Kriso, S. Electrical Brake System i.e., Electromechanical Brake System, for Motor Vehicle, Has Brake System Controlling CPU Transmitting Signal by Communication System of Brake Circuit, and Seizing Unit Directly Connected to Controller. France Patent FR2952886A1, 27 May 2011. [Google Scholar]
  105. Holzwarth, J. Electromechanical Brake System with a Failsafe Energy Supply and Method for Failsafe Energy Supply in an Electromechanical Brake System For Vehicles. U.S. Patent US2010243388A1, 30 September 2010. [Google Scholar]
  106. Choi, H.R.; Hyun, D.Y. Electromechanical Brake System having Suspension Control Function. U.S. Patent US2021108692A1, 15 April 2021. [Google Scholar]
  107. Fijalkowski, B.T. Anti-Lock EFMB or EPMB BBW AWB Dispulsion Mechatronic Control Systems. In Automotive Mechatronics: Operational and Practical Issues; Springer: Dordrecht, The Netherlands, 2010; pp. 463–495. [Google Scholar]
  108. Molfetta, D.; Ringlstetter, M.; Zelger, C. Redundante Übermittlung von Bremsanweisungen. Germany Patent DE102007001371A1, 10 July 2008. [Google Scholar]
Actuators 11 00214 g001 550
Figure 1. Scheme of an EMB actuator for a parking brake, based on [25,35].
Figure 1. Scheme of an EMB actuator for a parking brake, based on [25,35].
Actuators 11 00214 g001
Actuators 11 00214 g002 550
Figure 2. Scheme of an EMB system; shown is an exemplary X circuit topology.
Figure 2. Scheme of an EMB system; shown is an exemplary X circuit topology.
Actuators 11 00214 g002
Table
Table 1. Sections of the standard documents related to the design requirements for intact EMB service braking systems.
Table 1. Sections of the standard documents related to the design requirements for intact EMB service braking systems.
IDRequirementEU + UKUSAChinaIndiaCanada
D.01Two independent energy reserves5.2.2
5.2.4		-4.2.24.2.1-
D.02Two independent energy transmissions5.2.2
5.2.4		-4.2.24.2.1-
D.03Each energy reserve must be connected to two or more wheels5.2.2-4.2.24.2.1-
D.04Each energy transmission must be connected to two or more wheels5.2.2-4.2.24.2.1-
D.05All 4 wheels shall be actuated by brakes5.2.614.244.2.74.2.15.1
D.06Regenerative braking is allowed to be applied alone5.2.7----
D.08ESC (Electronic Stability Program) shall apply braking torque to the wheels individuallyUN ECE
R140		FMVSS 126--TSD
126
D.09Brake shall return to OFF position when released5.2.2----
Table
Table 2. Sections of the standard documents related to the performance requirements for intact EMB service braking systems.
Table 2. Sections of the standard documents related to the performance requirements for intact EMB service braking systems.
IDRequirementEU + UKUSAChinaIndiaCanada
P.01Provide more than 6.43 m/s² deceleration with the engine disconnectedA3.214.75.2.14.1.15.1.1
P.02Provide more than 5.67 m/s² deceleration with the engine connectedA3.214.85.2.14.1.15.1.1
P.03Energy reserve must be dimensioned to halt vehicle 10 times from 100 km/h5.2.4
5.2.20		14.18-4.2.15.1.2.2
P.04Energy supply must be dimensioned to halt vehicle according to P.115.2.4- 4.2.5
4.2.14		4.2.1-
P.05Transmission delay must be less than 0.6 sA3.3-5.4.14.3.1-
Table
Table 3. Sections of the standard documents related to the performance requirements for degraded EMB service braking systems.
Table 3. Sections of the standard documents related to the performance requirements for degraded EMB service braking systems.
IDFailureRequirementEU + UKUSAChinaIndiaCanada
P.111st CircuitProvide more than 2.6 m/s² decelerationA3.214.145.2.14.1.25.1.2.1
P.12ASSProvide more than 5.15 m/s² decelerationA6.414.12-9.5.45.5.2
P.13Brake Distr.Provide more than 3.86 m/s² deceleration with the engine disconnectedA5.414.13
14.17		A6--
P.14Power Brake UnitPerformance of P.11-14.18--5.1.3.1
P.15BoosterPerformance of P.11-14.215.2.3-5.1.3.1
P.16Any 1st E/EPerformance of P.01 must still be available----5.1.3.5
Table
Table 4. Sections of the standard documents related to the design requirements concerning failure tolerance of EMB service braking systems.
Table 4. Sections of the standard documents related to the design requirements concerning failure tolerance of EMB service braking systems.
IDFailureRequirementEU + UKUSAChinaIndiaCanada
D.11anyNo unintended application5.2.9----
D.12E-SupplyE-reserves must tolerate it5.2.15----
D.13TransmissionNo unintended application of parking brake5.2.19----
D.14Any 1stApplication still possible5.2.20----
P.15BoosterPerformance of P.11-14.215.2.3-5.1.3.5
Table
Table 5. ASIL classifications of malfunctions of service braking systems.
Table 5. ASIL classifications of malfunctions of service braking systems.
MalfunctionRange [m/s2 or °]ASIL
fromtoDCBA
Alarm to DriveDegradation of deceleration106.5 [2]
Degradation of deceleration6.52.44 [30][2]
Degradation of deceleration2.440[2,9,29,30][9][9]
Unintended activation02.44[31]
Unintended activation2.446.5[31] [2]
Unintended activation6.510[31][2]
No AlarmDegradation of deceleration106.5 [2]
Degradation of deceleration6.52.44 [2,30]
Degradation of deceleration2.440[2,9,29,30][9][9]
Unintended yaw15180[2]
Unintended yaw015 [2]
Incorrect brake torque--[30]
Unintended activation of actuator--[31]
Passivation of one actuator-- [31]
Table
Table 6. EMB actuator redundancy concepts exemplarily shown as disk brake configurations.
Table 6. EMB actuator redundancy concepts exemplarily shown as disk brake configurations.
Actuators 11 00214 i001 Actuators 11 00214 i002 Actuators 11 00214 i003 Actuators 11 00214 i004 Actuators 11 00214 i005
No Redundancy
(for Comparison)		Redundant
single Entity		Independent PadsAddition GearParking Brake for Integrity
Legend: Actuators 11 00214 i006 Actuators 11 00214 i007 Actuators 11 00214 i008 Actuators 11 00214 i009
Table
Table 7. Overview of power supply topologies.
Table 7. Overview of power supply topologies.
Actuators 11 00214 i010 Actuators 11 00214 i011 Actuators 11 00214 i012 Actuators 11 00214 i013 Actuators 11 00214 i014
X-CircuitsH CircuitFull RedundancyX Circuit +
High-Voltage
Redundancy		Local Energy
Supplies as Backup
Table
Table 8. Overview of Control Topologies.
Table 8. Overview of Control Topologies.
Actuators 11 00214 i015 Actuators 11 00214 i016 Actuators 11 00214 i017 Actuators 11 00214 i018 Actuators 11 00214 i019
X-CircuitH-CircuitTriplex-TopologyQuadruplex-
Topology		Hybrid Topology
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Share and Cite

MDPI and ACS Style

Schrade, S.; Nowak, X.; Verhagen, A.; Schramm, D. Short Review of EMB Systems Related to Safety Concepts. Actuators 2022, 11, 214. https://doi.org/10.3390/act11080214

AMA Style

Schrade S, Nowak X, Verhagen A, Schramm D. Short Review of EMB Systems Related to Safety Concepts. Actuators. 2022; 11(8):214. https://doi.org/10.3390/act11080214

Chicago/Turabian Style

Schrade, Simon, Xi Nowak, Armin Verhagen, and Dieter Schramm. 2022. "Short Review of EMB Systems Related to Safety Concepts" Actuators 11, no. 8: 214. https://doi.org/10.3390/act11080214

APA Style

Schrade, S., Nowak, X., Verhagen, A., & Schramm, D. (2022). Short Review of EMB Systems Related to Safety Concepts. Actuators, 11(8), 214. https://doi.org/10.3390/act11080214

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop