Electro-mechanical brakes, fail-operation and mechanical fail-safe behaviour

Ensuring safety with reversible EMB systems

Since the pioneering days of the automotive industry, the failure behavior of automotive brakes has been to release braking pressure. If all four wheel brakes are controlled from the same actuator, this would result in an overall loss of ability to decelerate and stop the vehicle. Mechanical systems using cable, and later hydraulic, systems have redundancy to mitigate the risk of total loss of function. Usually two wheels are coupled, providing backup braking capability on one axle (H-split), or diagonally (X-split).

The traditional thinking in designing a vehicle brake system is that balanced underbraking is preferable to unbalanced, unintended braking. With new brake technology such as electromechanical braking (EMB) just around the corner, several questions need to be addressed: How can legacy brake system behavior be replicated on newer generation actuators? How can we ensure this operation to be reliable and guaranteed across different conditions, throughout the vehicle’s lifespan? Can the status quo be challenged based on considerations specific to highly automated electric vehicles, and open the door to a different brake actuator design approach?

Options to replicate traditional braking behavior with EMB

Two options are possible to ensure an EMB system will safely release in the event of a braking failure: a fail-active and a mechanical fail-safe approach.

In the first case, a redundant electric system enables degraded operation and the capability to actively release after a single point electronics system failure. This does not put any constraints on the mechanical transmission system design—the actuation motor torque always acts as the input and the designer is free to pick the gearbox technology based considerations such as packaging and cost. There is also no need for a locking mechanism to enable the parking function.

In the latter case, the electric system will shut down after a single point failure. Therefore, the brake actuation system needs to be designed to “spring back,” based on the load from the mechanical caliper clamping on the brake rotor and pads. The transmission system needs to be designed to operate both with torque or force acting as an input, referred to as a “back-driveable” or “reversible” transmission system. In addition, a secondary mechanism must be added to hold the clamping force in a parking state when the vehicle ignition is turned off.

The first generation of Astemo EMB “Smart Brake” has been designed assuming EMB-equipped cars would be fitted with higher levels of ADAS, and hence be equipped with safety redundant power net and zone controllers. They would also require first-fault transparency in terms of achievable deceleration, which would drive fail-operational actuators. With this assumption, no constraints were set for transmission system back-driveability; overall EMB packaging size was optimized by eliminating the need for a latch device. With the need of EMBs for wet/dry brake system (“hybrid” EMB only on rear axle only) and mass-market L3/L4 AD/ADAS shifting to a more distant future, we are taking a more traditional approach toward reversible transmission.

Now, requirements have to be derived from vehicle considerations to each subsystem, in order to guarantee consistent fail-safe behavior of mechanical elements across manufacturing variations, operating conditions and mission profile. System analysis & simulation have been used to analyze effects of key design parameters on reversibility, and to find the most practical formulation for an actuator-level black-box requirement.

How can the reversible behavior of an EMB be specified?

First of all, let’s formulate simplified equations for a linear mechanical actuator. An electric motor is converting electrical power into rotary motion, itself converted into linear motion by a gearbox/ball screw mechanism. This displacement is deforming the caliper casting which “pinches” or “clamps” on the brake rotor and pads. The motor is actively controlled to apply the required clamp force dynamics, based on the need of deceleration—either from the driver or the ADAS system. In the case of a slow application and release, inertial effects are negligible, and the system behavior can be modeled as such.

The two charts below show a time-based representation, and a motor torque/clamp force representation. In the case of applying force, torque is the input, and force is the output, while it is the opposite in the slow-release phase, where the mechanical efficiency factor is applied first to torque, second to force. The result is the “Tornado curve” profile seen on the right side, which helps us understand why release current is lower than apply current, by of factor of efficiency squared.

Looking closely at the behavior of the actuator at lower forces, it’s apparent the current required to slowly unclamp the actuator goes from positive (holding motion) to negative (driving motion) below a certain clamping force. That indicates the actuator needs to be actively pulled back below the threshold and will not spontaneously release based on caliper spring load. With this observation, we understand that an actuator cannot be described just as “reversible” or “irreversible,” but that its self-retained force threshold needs to be considered, which will be affected by overall mechanical friction, efficiency and ratios—the first two being subject to significant variations.

The next step in a structured system engineering approach is to:

• Deduce measurable black-box requirements from these observations
• Understand exposure, by mapping the actuator behavior with vehicle mission profile
• Analyze the impact of variation of each influencing factors to define drawing tolerances and process control limits
• Investigate potential failure electrical mode impact

Black-box requirements

From a solid understanding of a reversible actuator behavior, we can deduce the specification needs to revolve around the maximum self-retained force, itself deriving from vehicle stability considerations and assessment of thermal hazards resulting from drag torque on a single wheel brake. Beyond the simple static analysis, dynamic modelling shows that above the maximum self-retained force, a zone of partial back-drive exists, where retained force is lower than applied clamp force when failure occurs, but yet caliper clamp force won’t be fully released. Above a higher threshold, mechanical inertia will help the system back-drive, potentially beyond its zero-force point. Based on these observations, the decision is made to specify the EMB’s back-drive behavior on a two-axis chart, with “applied force @ torque” in the X-axis and “self-retained force” in the Y-axis. Maximum self-retained force and minimum fully release force are the two pivot points of this chart and will serve as black-box requirements.

Self-retained force and mission profile

Analysis of brake system usage data over the life of a vehicle shows that about 90 percent of brake events occur below 0.4 g deceleration. Based on the typical ideal brake distribution of a two-ton EV, it implies that front and rear brake actuators will spend most of their operating time at lower force levels (approximately 15 to 20 percent of their maximum rated force). When assessing the ASIL level of residual force hazard event, we can therefore conclude that the exposure of the actuator failing in the “no back-drive” or “partial back-drive” zones of the requirement chart above will be significant.

Variation analysis

System simulation can be used efficiently to run design optimization studies and understand the impact of variation of a given characteristics to a requirement element—such as self-retained force. In our case, the ratio between “force @ failure” and self-retained force was found to be a practical metric for simulation. We conducted thorough analysis using the design of the experiment to analyze the respective impact of motor friction torque, gear ratio, efficiency and inertia on dispersion and absolute value of the retained force ratio. The results are used to develop drawing tolerances and evaluate the implications of operating conditions.

Electrical drive circuit failure implications

The observation that motor friction has a predominant effect on self-retained force ratio raises one concern regarding implication of electrical failure modes on back-drive performance. Indeed, 6-Phase brushless motor driver can be subject to field-effect transistor (FET) failures, in most cases FETs failing short. In this case, an inductive loop is created, and an externally applied rotation of the motor shaft, such as what would happen during EMB actuator passive back-drive, would generate a back-electro-motive torque opposing the movement. This would aggravate the occurrence of residual drag torque after fault, which needs to be taken into account when assessing ASIL levels of safety critical events of an EMB braking system.

Conclusion

Firstly, it’s apparent that it isn’t sufficient to state that an EMB actuator should be reversible or not. Its behavior can be specified in terms of “maximum residual force,” or “residual force ratio.”

Acceptable level of residual force can be derived from vehicle level safety goals such as unintended yaw motion, path deviation, or thermal events. Proving the consistency of an EMB’s back-drive behavior poses challenges considering manufacturing variations, operating conditions and evolution over time. Furthermore, implications of specific electronics hardware failure mandate a tailored functional safety approach to evaluate whether hardware countermeasures, mechanical or electrical, are necessary to mitigate occurrence of partial back-drive.

Lastly, assuming “fail-operation” and therefore actuation redundancy being driven by vehicle level safety concept at the brake corner level, an irreversible brake actuation concept could still be an attractive long-term solution, since it:

• Enables to formally prove that the brake can be released in all necessary conditions.
• Eliminates the complexity and safety considerations driven by a park latch mechanism.