VDA 450特別針對滿足SAE J3016:2021中定義的level 3–Level 5級別的自動駕駛系統(tǒng)對冗余供電網(wǎng)絡的功能安全要求展開設計建議與指導；同時，該建議也適用于的完全線控系統(tǒng)（如線控制動，線控轉向），完全線控系統(tǒng)在取消了機械（或液壓或氣壓）備份的同時對供電網(wǎng)絡提出了冗余要求。另外，該指南中提到的一些要點對Level 3以下的智能駕駛系統(tǒng)的供電網(wǎng)絡的設計也是有參考性的。

圖片來自VDA 450

3、關鍵術語說明

除了ISO 26262中定義的術語外，VDA 450中補充了對組成供電網(wǎng)絡的部件的定義。此處做一個篩選性的摘抄與解釋，方便理解文章后面的內容。

• AQ: Active Source (e.g. DCDC converter). 主動源如DCDC。

• PQ: Passive Source (e.g. battery). 被動源如12v蓄電池。

• PTV: Passive separating and connecting Elements (e.g. fuses). 被動分離和連接元件

• EBN: Energiebordnetz - Electrical Power Supply System - The Electrical Power Supply System comprises the storage, conversion and distribution of the electricity in the vehicle to the loads (e.g. ECUs, sensors, actuators) and the isolation / separation of faulty Elements from the rest of the EBN. The power interface of the consumers constitutes the limits of the EBN. The loads are therefore not part of the EBN but place certain requirements on the EBN within the scope of the Conditions of Use (e.g. energy, power). 供電系統(tǒng)，包含電力的存儲，轉換與分配到負載（如ECU, 傳感器，執(zhí)行器等），同時具備切斷以避免故障元件對供電系統(tǒng)上其他元件的能力。

• EBN Channel: Electrical power supply channel which feeds Loads. 為負載供電的供電通道。

• QM-Load: A QM-Load is an electrical consumer that is supplied with power and energy for its functionality but does not place safety-relevant availability requirements on the power supply. An example of a QM-Load is a load that implements a Fail-Passive function or a non SR-Function. 不對電源提出安全相關可用性要求的負載。例如，提供fail-passive功能的負載，供電故障后功能關閉即為安全狀態(tài)。

• SR-Load: A safety-relevant load is an electrical consumer that implements a subfunction of a Fail-Active SR-Vehicle-Function, such as braking, steering or environment detection. Therefore, the SR-Load allocates a safety-relevant availability requirement to the power supply. 對電源提出安全相關可用性要求的負載。例如提供fail-active功能的負載（制動功能，轉向功能等），供電故障后系統(tǒng)需要有備份供電確保fail-active功能的可用性，保障車輛能達到安全狀態(tài)。

• SR-EBN Channel: Safety-Relevant electrical power supply channel to which at least one SR-Load is allocated which places a safety-relevant availability requirement on the power supply. 功能安全相關的電源通道，該通道上至少有一個SR-load。

• QM-EBN Channel: Safety-Relevant electrical power supply channel to which at least one SR-Load is allocated which places a safety-relevant availability requirement on the power supply. 非功能安全相關的電源通道，該通道上全部是QM-load。

• ATV: Active Separating and Connecting Element (switches that separate or connect electrical systems). 主動分離和連接元件 （分離或連接電氣系統(tǒng)的開關）。

除此之外，自動駕駛領域被廣泛應用的MRM概念也被VDA 450引用。

• MRM: The MRM (Minimal Risk Maneuver) is a procedure automatically performed by the Automated Driving System to place the vehicle in a minimal risk condition in a manner that avoids unreasonable risks in traffic. (From FRAV-09-05). 最小風險操作。在駕駛員沒有響應接管請求時，自動駕駛系統(tǒng)主動執(zhí)行安全操作以避免不合理的風險。

值得注意的是，VDA 450在ISO 26262定義的術語基礎上還拓展了一些新的概念，這些概念細化了對多點故障的故障處理時間、故障探測時間及故障響應時間的描述，可以參考ISO 26262定義的FHTI/FDTI/FRTI來理解。這里也做一個摘抄，強烈推薦功能安全工程師關注。這些術語目前只在VDA 450中被正式使用，但是可以預見這些概念將會被更廣泛地使用。

• MPFHTI: Multiple-Point Fault Handling Time Interval – Sum of Multiple-Point Fault Detection Time Interval and Multiple-Point Fault Reaction Time Interval. The time interval specifies the maximum time-span of a concrete Safety Mechanism for a reaction to a Multiple-Point Fault (first fault of a multiple-point failure).

• MPFHTTI: Multiple-Point Fault Handling Tolerance Time Interval – The time interval specifies the maximum permissible time-span of a Safety Mechanism for a reaction to a Multiple-Point Fault (first fault of a Multiple-Point Failure). The MPFHTTI specifies the maximum time value of the MPFHTI.

• MPFRTI: Multiple-Point Fault Reaction Time Interval – Maximum time-span during which a Safety Mechanism shall react to a Multiple-Point Fault (first fault of a Multiple-Point Failure).

圖片來自VDA 450