A vehicle global safety state management method and related device

By generating actual and predicted safety status reports and using a dynamic failure rate index for collaborative safety decision arbitration, the method addresses the lack of quantitative prediction capability and systemic risk protection in the traditional binary diagnostic approach, achieving efficient safety status management of automotive electronic and electrical systems.

CN122308197A · Pending · Publication Date: 2026-06-30 · ANHUI ZHIJIE NEW ENERGY VEHICLE CO LTD +1

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
ANHUI ZHIJIE NEW ENERGY VEHICLE CO LTD
Filing Date
2026-03-31
Publication Date
2026-06-30

AI Technical Summary

Technical Problem

Traditional binary diagnostic methods suffer from a lack of quantitative predictive capabilities, isolated decision-making in monitoring mechanisms, and insufficient protection against systemic risks after ASIL decomposition, resulting in complexity and safety hazards in the functional safety of automotive electronic and electrical systems.

Method used

By adopting a vehicle global safety status management approach, actual safety status reports and predicted safety status reports are generated. The dynamic failure rate index is used for collaborative safety decision arbitration to achieve quantitative assessment and prediction of component failure probability trends. The decision-making of various monitoring agents is centrally coordinated to improve systemic risk protection.

Benefits of technology

It enables predictive analysis of component degradation trends, solves the decision-making conflicts and resource competition problems caused by fragmented monitoring mechanisms, improves the quantitative prediction capability of safety status assessment and systemic risk protection, and ensures the functional safety of automotive electronic and electrical systems.

✦ Generated by Eureka AI based on patent content.


Abstract

This invention belongs to the field of automotive electronic functional safety and expected functional safety technology. It discloses a method and related device for managing the overall safety status of a vehicle. By integrating real-time diagnostic results output from a hard diagnostic mechanism with a dynamic failure rate index calculated based on performance parameters, it generates an actual safety status report and a predicted safety status report that quantifies the failure probability trend. Based on these two reports, it performs collaborative safety decision arbitration to output safety instructions. This method utilizes the dynamic failure rate index to transform traditional binary diagnostics into a continuous quantitative assessment model, enabling predictive analysis of component degradation trends. Simultaneously, the collaborative arbitration mechanism dynamically adjusts decision weights based on the actual diagnostic channel status and predicted hazard level, promoting the integration of real-time and predictive information. This method effectively solves the decision conflict and resource competition problems caused by fragmented monitoring mechanisms, improves the quantitative predictive capability of safety status assessment, and enhances comprehensive protection against systemic risks.

Description

Technical Field

[0001] This invention belongs to the field of automotive electronic functional safety and expected functional safety technology, and particularly relates to a method and related device for vehicle global safety status management.

Background Technology

[0002] With the development of intelligent and connected vehicles, automotive electronic and electrical systems are evolving towards domain-centralized architectures, with domain controllers becoming the core computing platform. Their high integration brings system complexity, and functional safety has become a core challenge for the industry. Currently, the industry mainly follows the ISO 26262 standard to build a safety protection system.

[0003] Existing technologies have significant shortcomings: fragmented monitoring mechanisms easily lead to decision-making conflicts and resource competition; safety status assessment is a binary model that cannot quantify degradation trends and lacks predictive capability; and protection against systemic risks such as common-cause failures after ASIL (Automotive Safety Integrity Level) decomposition is insufficient.

[0004] It is evident that the traditional binary diagnostic approach suffers from problems such as a lack of quantitative predictive capability, isolated decision-making in the monitoring mechanism, and insufficient protection against systemic risks after ASIL decomposition.

Summary of the Invention

[0005] This invention provides a method and related device for global vehicle safety status management. The method effectively solves the problems of the existing binary diagnostic approach: its lack of quantitative prediction capability, the isolated decision-making of its monitoring mechanisms, and its insufficient protection against systemic risks after ASIL decomposition.

[0006] To achieve the above objectives, the present invention adopts the following technical solution. A method for managing the global safety status of a vehicle includes: an actual safety status report is generated based on the real-time diagnostic results of the vehicle components output by the hard diagnostic mechanism; a dynamic failure rate index is calculated based on the performance parameters of each vehicle component, the dynamic failure rate index being used to quantify the failure probability trend of the component; a predicted safety status report is generated based on the trend analysis results of the dynamic failure rate index; and collaborative safety decision arbitration is conducted based on the actual safety status report and the predicted safety status report, and collaborative safety instructions are output. The execution strategy for collaborative safety decision arbitration is as follows: under normal conditions, the actual safety status report is the primary basis for decision-making and the predicted safety status report is the secondary basis; when the actual diagnostic channel fails, the decision weight of the predicted safety status report is increased; and when the predicted safety status report is at the critical level, the predicted safety status report becomes the primary basis for decision-making.

[0007] Furthermore, calculating the dynamic failure rate index based on the performance parameters of each vehicle component includes: the performance parameters of each vehicle component are collected as raw indicators, the performance parameters including CPU utilization, ECC error count, communication bit error rate, motor current harmonics, and task execution time deviation; and the collected raw indicators are input into a pre-built evaluation model to calculate the dynamic failure rate index, wherein the evaluation model assigns a weight to each performance parameter to reflect that parameter's contribution to the overall risk. The specific formula for calculating the dynamic failure rate index λ_local is as follows:

[0008] In the formula, λ_base is the base failure rate; M_j(t) is the multidimensional index; H_j(t) is the historical window statistical feature of the multidimensional index; W_j is the weight of the multidimensional index; and F_j is the health decay contribution function, which is used to map the original index value to the health decay contribution.

[0009] Furthermore, after calculating the dynamic failure rate index based on the performance parameters of each vehicle component, the method further includes: the dynamic failure rate index is reported periodically so that trend analysis can be performed on the collected index values; if the actual local safety status changes, an event-driven emergency report is triggered immediately.

[0010] Furthermore, the trend analysis results based on the dynamic failure rate index generate a predicted safety status report, including: The pre-built failure rate prediction and assessment module employs a multi-level fusion algorithm to perform trend analysis on the dynamic failure rate index, obtaining trend analysis results. Based on these results, a predicted safety status report is generated, using the following formula:

[0011] Where λ_i(t) is the dynamic failure rate index of the i-th monitoring agent; ξ_i is the severity weight of the failure impact, related to the ASIL level; G_i is the trend prediction function for the failure mode of this type of component; Δ(t) is the common-cause risk increment derived from correlation analysis; and t is time. The output is the trend analysis result. The monitoring agent collects the performance parameters of the vehicle components and calculates and reports the dynamic failure rate index.

[0012] Furthermore, after the collaborative safety decision arbitration based on the actual safety status report and the predicted safety status report and the output of the collaborative safety instruction, the method also includes: the collaborative safety instructions are broadcast via the safety instruction bus so that the monitoring agent can decode and execute the received collaborative safety instructions; each collaborative safety instruction includes the target agent ID, action code, parameters, and expected completion time. Specifically, the system records the issuance time and expected completion time of each collaborative safety instruction. If a successful confirmation message is received before the timeout, monitoring of the corresponding collaborative safety instruction is turned off. If the timeout occurs or a failure confirmation message is received, the safety instruction is deemed to have failed to execute, and a higher-level global fault handling process is immediately triggered.

[0013] Furthermore, after the collaborative safety decision arbitration based on the actual safety status report and the predicted safety status report and the output of the collaborative safety instruction, the method also includes: the performance parameters, dynamic failure rate index, decision-making basis, collaborative safety instructions, and execution feedback results of each vehicle component are all recorded in a protected safety event black box; the safety event black box is used to retrain and optimize the evaluation model, and the evaluation model is used to calculate the dynamic failure rate index.

[0014] Furthermore, the vehicle global safety status management method also includes: once the transient fault disappears or the hardware is repaired, safety restrictions are gradually lifted according to the collaborative safety decision arbitration execution strategy to complete the function reset.

[0015] A vehicle global safety status management system, comprising: a first generation module, used to generate an actual safety status report based on the real-time diagnostic results of the vehicle components output by the hard diagnostic mechanism; a calculation module, used to calculate the dynamic failure rate index based on the performance parameters of each vehicle component, the dynamic failure rate index being used to quantify the failure probability trend of the components; a second generation module, used to generate a predicted safety status report based on the trend analysis results of the dynamic failure rate index; and a decision-making module, used to conduct collaborative safety decision arbitration based on the actual safety status report and the predicted safety status report and to output collaborative safety instructions. The execution strategy of the collaborative safety decision arbitration is as follows: under normal conditions, the actual safety status report is the primary basis for decision-making and the predicted safety status report is the secondary basis; when the actual diagnostic channel fails, the decision weight of the predicted safety status report is increased; and when the predicted safety status report is at the critical level, the predicted safety status report becomes the primary basis for decision-making.

[0016] A vehicle global safety status management device, comprising: a memory, used to store a computer program; and a processor, used to implement the above-described vehicle global safety state management method when executing the computer program.

[0017] A computer-readable storage medium storing a computer program, which, when executed by a processor, is used to implement the above-described vehicle global safety state management method.

[0018] Compared with the prior art, the present invention has the following beneficial effects. This invention provides a method for managing the global safety status of vehicles. By integrating real-time diagnostic results from a hard diagnostic mechanism with a dynamic failure rate index calculated from performance parameters, it generates an actual safety status report and a predicted safety status report that quantifies failure probability trends. Based on these two reports, it performs collaborative safety decision arbitration to output safety instructions. The dynamic failure rate index transforms traditional binary diagnostics into a continuous quantitative assessment model, enabling predictive analysis of component degradation trends. At the same time, the collaborative arbitration mechanism dynamically adjusts decision weights based on the state of the actual diagnostic channel and the predicted hazard level, integrating real-time and predictive information. The method effectively solves the decision-making conflicts and resource competition caused by fragmented monitoring mechanisms, improves the quantitative predictive capability of safety status assessment, and enhances comprehensive protection against systemic risks.

Description of the Drawings

[0019] Figure 1 is a schematic diagram illustrating the implementation principle of a vehicle global safety status management method provided in an embodiment of the present invention. Figure 2 is the core flowchart of a vehicle global safety status management method provided in an embodiment of the present invention. Figure 3 is a schematic diagram of a vehicle global safety status management system provided in an embodiment of the present invention.

Detailed Description

[0020] To further understand the content of this invention, the invention will be described in detail below with reference to the accompanying drawings and specific embodiments. It should be understood that the embodiments are merely illustrative and not limiting of the invention.

[0021] The technical terms involved in this invention are explained as follows. ASIL stands for Automotive Safety Integrity Level, a functional safety risk classification defined in the ISO 26262 standard. It is used to quantitatively assess the level of risk of unreasonable personal injury or property damage caused by the failure of automotive electronic and electrical systems (E/E systems).

[0022] As mentioned in the background section, with the rapid development of automotive intelligence and connectivity technologies, traditional distributed electronic and electrical architectures face bottlenecks in computing power collaboration, wiring harness cost, and flexibility of functional upgrades. The automotive industry is therefore undergoing a profound evolution towards domain-centralized and even centrally computed E/E architectures. In this context, domain controllers have become the core computing platform integrating the functions of multiple ECUs within a functional domain. They typically employ heterogeneous hardware, including MCUs and SoCs, and rely on virtualization technology and middleware such as adaptive AUTOSAR to support mixed-criticality systems with varying safety levels and real-time requirements. While this high level of integration improves efficiency and flexibility, it also brings unprecedented complexity, with multi-layered and highly coupled interactions between hardware resources, basic software, and upper-level applications. Ensuring the functional safety of the entire system, that is, avoiding unreasonable risk caused by electrical or electronic system failures, has therefore become one of the core challenges facing the industry.

Currently, automotive functional safety design primarily follows the ISO 26262 international standard. This standard provides a complete methodology for the safety lifecycle of automotive electronic systems, covering risk assessment and safety goal setting in the concept phase, decomposition of technical safety requirements and design of safety mechanisms in the product development phase, and maintenance requirements in the production and operation phase. At the hardware level, microprocessors with lockstep cores achieve instantaneous fault detection, error correction codes protect storage units against data corruption, and physical or logical redundancy and other safety techniques are applied to critical communication buses. At the software and system level, periodic program flow monitoring, multi-level watchdog timers, end-to-end data protection protocols, and mixed-criticality operating systems based on time and space isolation are commonly used to ensure that critical tasks are not interfered with by non-critical tasks. These technologies together constitute the current infrastructure and common practice supporting the functional safety of automotive domain controllers.

However, existing technical solutions based on the ISO 26262 standard have the following limitations. First, the fragmented monitoring mechanism leads to decision-making conflicts and resource contention. Domain controllers contain multiple heterogeneous computing cores, operating system partitions, and numerous software components, and their safety mechanisms, such as watchdogs and logical monitoring, are mostly designed in isolation. When different monitors independently trigger safety responses based on local information, they may generate conflicting action commands, and the lack of a central coordinator for global arbitration easily leads to suboptimal decisions. At the same time, these isolated safety actions compete for shared resources such as the bus and memory, causing response delays.

[0023] Secondly, the safety status assessment model is crude and lacks predictive capability. The traditional binary diagnostic model, which relies on pass/fail results, cannot quantify the progressive degradation of parameters such as CPU load rate and accumulated memory ECC errors. As a result, the system cannot perform predictive maintenance or gradual degradation before complete functional failure, and can only perform an abrupt reset or shutdown after a hard failure occurs, which seriously damages the system's availability and the user experience.

[0024] Finally, there is insufficient protection against systemic risks after ASIL decomposition. After a high safety requirement has been distributed to multiple components through ASIL decomposition, existing solutions lack effective runtime monitoring for common-cause failures. A single failure of a shared resource such as the clock, power supply, or a basic software service may simultaneously affect multiple low-ASIL components, implicitly jeopardizing the safety goals of high-ASIL functions. Decentralized monitoring mechanisms struggle to provide an effective collaborative safeguard.

[0025] In summary, the traditional binary diagnostic model cannot quantitatively assess the progressive degradation trend of components and lacks predictive early-warning capability; the decision isolation of multiple independent safety monitoring mechanisms causes command conflicts and resource competition; and ASIL decomposition combined with resource sharing gives rise to common-cause and cascading failures that are not adequately addressed.

[0026] In view of this, this embodiment provides a vehicle global safety status management method. The method is applied to a highly integrated domain controller and provides a collaborative monitoring, decision-making, and management approach for safety status that integrates real-time diagnosis with predictive assessment. It effectively solves the traditional binary diagnostic model's inability to quantitatively assess the progressive degradation trend of components and its lack of predictive early-warning capability, and provides effective systemic runtime monitoring and a collaborative protection barrier.

[0027] As shown in Figure 2, this embodiment provides a method for managing the global safety status of a vehicle, including: an actual safety status report is generated based on the real-time diagnostic results of the vehicle components output by the hard diagnostic mechanism; a dynamic failure rate index is calculated based on the performance parameters of each vehicle component, the dynamic failure rate index being used to quantify the failure probability trend of the component; a predicted safety status report is generated based on the trend analysis results of the dynamic failure rate index; and collaborative safety decision arbitration is conducted based on the actual safety status report and the predicted safety status report, and collaborative safety instructions are output. The execution strategy for collaborative safety decision arbitration is as follows: under normal conditions, the actual safety status report is the primary basis for decision-making and the predicted safety status report is the secondary basis; when the actual diagnostic channel fails, the decision weight of the predicted safety status report is increased; and when the predicted safety status report is at the critical level, the predicted safety status report becomes the primary basis for decision-making.

[0028] This embodiment therefore provides a vehicle global safety status management method applied to a highly integrated domain controller. The controller includes a central safety coordination and prediction decision unit (the core decision unit) and monitoring agents. Based on a master-slave collaboration and backup decision mechanism, the method constructs a dual-drive status input system of actual and predicted status. First, it generates a discrete actual safety status reflecting the current fault from the real-time results of hard diagnostic mechanisms conforming to the ISO 26262 standard, such as watchdog timers, ECC verification, and end-to-end protection; this serves as the dominant basis for decision-making. Then, by continuously collecting and analyzing performance parameters such as load rate, error count, and timing deviation of each component, it calculates a dynamic failure rate index that quantifies the component's failure probability trend. From the trend analysis of this index, a forward-looking predicted safety status is generated as an auxiliary and backup input for decision-making. Finally, the central safety coordination and prediction decision unit receives and integrates the actual safety status and failure rate index from each monitoring agent, forming a global view of the actual and predicted safety situation. Under normal circumstances, preset collaborative safety states are triggered strictly on the basis of the actual safety status. In specific situations, such as failure of an actual monitoring channel, a high-risk warning for a critical single-point non-redundant component, or detection of cross-component common-cause risk symptoms, the decision weight of the predicted safety status is increased. When the predicted risk is confirmed to be high, the system switches to a mode dominated by the predicted safety status and triggers the highest level of preventive safety measures, including early transfer of control, initiation of redundancy preparation, and performance limitation, to ensure vehicle functional safety. In addition, by continuously analyzing the temporal and logical correlations between the failure rate indices of different components, the central unit can proactively identify potential common-cause failure modes and trigger targeted collaborative isolation or hardening strategies, forming a systemic risk barrier.

[0029] A specific implementation of the vehicle global safety status management method provided in this embodiment, described with reference to Figure 1, proceeds as follows. S1. System Initialization and Deployment. The domain controller hardware platform typically includes one or more ASIL-D compliant safety cores (MCUs) and performance cores (SoCs). The software environment comprises a real-time operating system on the safety core and a hypervisor-based mixed-criticality system on the performance core. Monitoring agents are deployed as software components across the hardware layer, including CPU cores, memory controllers, and communication buses, and across the system software layer, covering key nodes such as OS tasks, the hypervisor, middleware execution management, and application-layer modules such as the braking and steering control algorithms. Each agent is responsible for monitoring the status of its assigned entity. The central unit runs independently on the safety core as the highest-priority safety task, ensuring the determinism and reliability of its decisions. Upon system startup, each agent registers with the central unit. The central unit loads the safety policy library, fault prediction model parameters, and system topology dependency graph, and establishes connections with all agents through a dedicated secure communication link with end-to-end protection, completing the architecture setup.

[0030] S2. Periodic Data Acquisition and Local Preprocessing. After the system enters the operational state, each monitoring agent works continuously at fixed short cycles. Within each cycle, the agent performs two core tasks in parallel: calculating the dynamic failure rate index (local failure rate index) and determining the actual local safety status. First, the agent collects raw indicators M_j reflecting the operating status of its monitored objects, such as CPU utilization, ECC error count, communication bit error rate, motor current harmonics, and task execution time deviation. Then, the agent uses a pre-built model to fuse these multi-dimensional indicators into a one-dimensional dynamic failure rate index λ_local. This index is a continuous value, and its core concept is to fuse and transform multiple discrete and different monitoring indicators, such as temperature, error count, and latency, into a unified, quantifiable scalar. The calculation process is not a simple threshold comparison, but is accomplished through an embedded, configurable evaluation model. This model assigns corresponding weights to each monitoring indicator to reflect its contribution to the overall risk. In addition, the model also considers the changing trend of the indicators, not just the current instantaneous value. The higher the final calculated index value, the greater the probability of functional failure of the component in the near future. Importantly, this process can detect and quantify risks in advance by observing the slow degradation of performance parameters before a hard failure occurs. Its core calculation formula is:

[0031] Here λ_base is the base failure rate, M_j(t) is the collected multidimensional index, H_j(t) is its historical window statistical feature, W_j is the weight of index M_j(t), and F_j is a function that maps the original index value to its health decay contribution. An increase in the index value indicates an increasing probability of functional failure of the component. At the same time, the agent uses its built-in hard diagnostic module, which conforms to the ISO 26262 standard and interfaces directly with the hardware self-test circuits and software safety mechanisms. When a clear and unrecoverable fault, such as a checksum error or a voltage over-limit, is detected, the module immediately generates a local actual safety state, expressed as a deterministic discrete state such as normal, degraded, or failed, and triggers an immediate safety response.

[0032] S3. Data Reporting and Centralized Fusion Analysis. After completing local calculations, the monitoring agent reports the results to the central unit. To optimize communication efficiency and real-time performance, continuously changing data such as the dynamic failure rate index are reported periodically, whereas any change in the local actual safety status triggers an event-driven emergency report immediately. All reported data are transmitted through a secure channel to ensure their integrity and authenticity. The two modules of the central unit receive the data separately. The prediction and evaluation module stores the received λ_local sequence in the circular historical buffer corresponding to the agent ID. The central fusion unit immediately updates the status of the corresponding nodes in the system topology dependency graph based on the event messages. After receiving data from multiple agents, it starts its global fusion and analysis; the key module is the global safety status fusion center. It performs correlation analysis on the reported discrete fault states against the system's operating status, instantly identifying the affected upstream and downstream functions, and thereby generates a comprehensive report on the actual safety status of the system that illustrates the impact chain.

[0033] The system failure rate prediction and assessment module processes continuous failure rate index data and achieves prediction and assessment through a multi-level fusion algorithm. First, based on the different functional safety levels of each component, the indices from them are weighted to obtain a system predictive failure rate index, reflecting the overall risk of the system. Second, by analyzing the historical trends of each component's index, it attempts to predict its short-term trajectory, enabling the system to anticipate future risks. Furthermore, the module uses correlation analysis technology to detect whether there are abnormal synchronous increases in the risk indices of different components. If a sudden high correlation is found between the risk indices of two functionally unrelated components, it can immediately indicate a problem with a shared underlying resource that was not individually monitored, thus triggering a common-cause failure warning. The core calculation formula is:

[0034] Here λ_i(t) is the dynamic failure rate index of the i-th agent, ξ_i is the severity weight of the failure impact, related to the ASIL level, G_i is the trend prediction function for the failure mode of this type of component, and Δ(t) is the common-cause risk increment derived from correlation analysis. This module maps the index and trend analysis results into predicted safety states that are easy to use for decision-making, such as predicted-stable, predicted-warning, or predicted-critical.

[0035] S4. Collaborative Safety Decision Arbitration. The collaborative safety decision-maker performs the final arbitration over all of the above information and makes the globally optimal collaborative decision. Its logic follows a three-layer rule system. Layer 1 (Normal Dominance): the decision-maker acts mainly on the actual safety status report of the system. Layer 2 (Conditional Escalation): when a critical actual diagnostic channel is confirmed faulty, when the predicted risk of a high-risk component without design redundancy begins to rise significantly, or when the system detects a clear common-cause failure warning signal, the decision-maker increases the decision weight of the predicted safety status. Layer 3 (Prediction Dominance): when one of the escalation conditions holds and the predicted safety status of the system has jumped to the "critical" level, the decision-maker switches decisively to a prediction-driven mode. Even if the hard diagnostics have not yet reported a complete failure, it pre-emptively triggers the highest level of preventive safety measures on the strength of the risk signal from the prediction model. For example, if the prediction model determines that the main brake motor has a very high probability of overheating and jamming within a few seconds, the decision-maker immediately instructs the system to switch braking control smoothly and seamlessly to the preheated redundant motor before the failure occurs, while limiting vehicle speed, thereby avoiding an accident entirely.
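The three-layer arbitration in [0035], together with the gradual lifting of restrictions in S7 [0038], as an added example that is not the patent's own code. The report fields, the weights given to the predicted report at each layer (0.2, 0.6, 1.0), the score thresholds and the action names are constructed assumptions; what the page fixes is the ordering: the actual report dominates by default, escalation conditions raise the predicted weight, and escalation plus a critical prediction hands control to the prediction.

```python
from dataclasses import dataclass

ACTUAL_LEVEL = {"normal": 0, "degraded": 1, "failed": 2}
PRED_LEVEL = {"stable": 0, "warning": 1, "critical": 2}
ACTIONS = ["none", "preventive_limit", "switch_redundant_and_limit"]  # ascending severity


@dataclass
class ActualReport:
    state: str                  # "normal" | "degraded" | "failed"
    diag_channel_ok: bool       # is the hard diagnostic channel itself healthy?


@dataclass
class PredictedReport:
    state: str                  # "stable" | "warning" | "critical"
    rising_unredundant: bool    # high-risk component without redundancy trending up
    common_cause_warning: bool  # output of the correlation analysis


def escalation_conditions(actual, predicted):
    """Layer 2 triggers named in [0035]; any one of them is enough."""
    checks = (
        ("diag_channel_fault", not actual.diag_channel_ok),
        ("unredundant_risk_rising", predicted.rising_unredundant),
        ("common_cause_warning", predicted.common_cause_warning),
    )
    return [name for name, hit in checks if hit]


def arbitrate(actual, predicted):
    conds = escalation_conditions(actual, predicted)
    if conds and predicted.state == "critical":
        layer, w = 3, 1.0       # prediction dominance: actual report no longer gates action
    elif conds:
        layer, w = 2, 0.6       # conditional escalation (assumed weight)
    else:
        layer, w = 1, 0.2       # normal dominance (assumed weight)
    score = (1 - w) * ACTUAL_LEVEL[actual.state] + w * PRED_LEVEL[predicted.state]
    if score >= 1.5:
        action = ACTIONS[2]
    elif score >= 0.5:
        action = ACTIONS[1]
    else:
        action = ACTIONS[0]
    return {"layer": layer, "conditions": conds, "score": round(score, 2), "action": action}


class Restriction:
    """S7: restrictions ratchet up immediately but are lifted one level at a time,
    and only after `clear_cycles` consecutive decisions that no longer need them."""

    def __init__(self, clear_cycles=3):
        self.level, self.clean, self.clear_cycles = 0, 0, clear_cycles

    def update(self, decision):
        wanted = ACTIONS.index(decision["action"])
        if wanted >= self.level:
            self.level, self.clean = wanted, 0
        else:
            self.clean += 1
            if self.clean >= self.clear_cycles:
                self.level, self.clean = self.level - 1, 0
        return ACTIONS[self.level]
```

The asymmetry in `Restriction` is deliberate: a prediction that turns out to be a false alarm costs a few cycles of reduced speed, whereas lifting a restriction on a single clean sample would let a flapping signal re-enable a function that the hard diagnostics have not yet confirmed safe.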

[0036] S5. Safety Command Distribution, Execution, and Closed-Loop Verification. The collaborative decision-maker broadcasts the command set over an independent safety command bus. First, each command carries the target agent ID, an action code, parameters, and an expected completion time. Each monitoring agent listens on the command bus and, on receiving a command whose target ID matches its own, immediately decodes and executes it. Second, every action the command requires must be completed within the expected completion time; after execution, the agent sends an execution confirmation to the central unit over the secure communication link, containing the command sequence number, the execution result, and its actual status after execution. Third, the central unit maintains a command execution watchdog that records the issue time and expected completion time of every command. If a successful confirmation arrives before the deadline, monitoring of that command is closed. If the deadline passes or a failure confirmation is received, the event is classified as a "safety command execution failure", a serious event that immediately triggers the higher-level global fault handling process.

[0037] S6. Data Closed Loop and Model Self-Evolution. All key activities of the system, including raw indicators, calculated indices, the basis of each decision, issued instructions, and execution feedback, are precisely timestamped and recorded in a protected safety event black box. This provides an immutable data chain for post-event safety audits, accountability, and problem diagnosis. The invention can also learn from real-world failures, so that the model evolves over time. Whenever an actual hardware or software failure is confirmed, the system automatically extracts all relevant data from the black box for the period preceding the failure, including the complete change curves of the monitored indicators, the system load at the time, and the ambient temperature, and forms them into a failure case package. This real-world case data becomes the training data for retraining and optimizing the predictive evaluation model, offline or online. Through this continuous iterative learning on real data, the system's prediction accuracy and the timeliness of its warnings improve over time.
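The "immutable data chain" of [0037], as an added example that is not the patent's own code: an append-only log in which every record commits to the hash of its predecessor, a verifier that reports the first record whose contents or ordering no longer match, and the failure-case extraction that pulls the window preceding a confirmed failure. The record layout and the use of SHA-256 over a canonical JSON encoding are assumptions; the page says only that the black box is protected and timestamped.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first record (assumption)


class SafetyEventBlackBox:
    """Append-only, hash-chained event log: each record commits to its predecessor."""

    def __init__(self):
        self.records = []
        self._head = GENESIS

    @staticmethod
    def _digest(rec):
        # Hash every field except the stored hash itself; sort_keys keeps the encoding canonical.
        body = {k: rec[k] for k in ("ts", "kind", "payload", "prev")}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, ts, kind, payload):
        """Record one activity (raw indicator, index, decision basis, command, feedback)."""
        rec = {"ts": ts, "kind": kind, "payload": payload, "prev": self._head}
        rec["hash"] = self._digest(rec)
        self.records.append(rec)
        self._head = rec["hash"]
        return rec["hash"]

    def head(self):
        """Current chain head; anchoring it elsewhere makes truncation detectable."""
        return self._head

    def verify(self):
        """Return (ok, index of first bad record or -1). Detects edits and reordering."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec["prev"] != prev or self._digest(rec) != rec["hash"]:
                return False, i
            prev = rec["hash"]
        return True, -1

    def failure_case(self, failure_ts, window):
        """Extract the records in [failure_ts - window, failure_ts] as a case package."""
        return [r for r in self.records if failure_ts - window <= r["ts"] <= failure_ts]


def build_sample_log():
    """Constructed sample: five timestamped activities of the kinds listed in [0037]."""
    box = SafetyEventBlackBox()
    box.append(1.0, "raw_indicator", {"agent": "brake_ctrl", "motor_temp_c": 71})
    box.append(2.0, "index", {"agent": "brake_ctrl", "lambda_local": 0.19})
    box.append(3.0, "decision", {"layer": 2, "action": "preventive_limit"})
    box.append(4.0, "command", {"seq": 7, "target": "brake_ctrl", "action": "limit"})
    box.append(5.0, "feedback", {"seq": 7, "result": "ok"})
    return box
```

A plain hash chain catches modification and reordering of records already in the log, but not silent removal of the newest records, since a truncated chain still verifies. For an audit trail that must survive a compromised central unit, the head value returned by `head()` should be periodically signed or stored by a separate ECU, secure element or monotonic counter that the central unit cannot rewrite.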

[0038] S7. System Self-Recovery and Reset. Once the transient fault disappears or the hardware is repaired, the status of the relevant monitoring agents will return to normal, and λ_local will decrease accordingly. The central unit updates the global view, and the decision-maker can gradually remove security restrictions according to the policy, restoring full functionality. After the vehicle restarts, the system will load the latest model parameters, optimized through learning, and restart the entire cycle described above.

[0039] As shown in Figure 3, this embodiment also provides a vehicle global safety status management system, including: a first generation module, used to generate an actual safety status report based on the real-time diagnostic results of the vehicle components output by a hard diagnostic mechanism; a calculation module, used to calculate the dynamic failure rate index based on the performance parameters of each vehicle component, the dynamic failure rate index being used to quantify the failure probability trend of the components; a second generation module, used to generate a predicted safety status report based on the trend analysis results of the dynamic failure rate index; and a decision-making module, used to conduct collaborative safety decision arbitration based on the actual safety status report and the predicted safety status report and to output collaborative safety instructions. The execution strategy of the collaborative safety decision arbitration is as follows: under normal conditions, the actual safety status report is the primary basis for decision-making and the predicted safety status report is the secondary basis; when the actual diagnostic channel fails, the decision weight of the predicted safety status report is increased; and when the predicted safety status report is at the critical level, the predicted safety status report becomes the primary basis for decision-making.

[0040] The present invention also provides a vehicle global safety status management device, comprising: a memory for storing a computer program; and a processor for executing the computer program to implement the steps of the vehicle global safety status management method.

[0041] The present invention also provides a computer program product, including a computer program / instructions, which, when executed by a processor, implement the steps of the vehicle global safety state management method.

[0042] When the processor executes the computer program, it implements the above steps of global vehicle safety status management: generating an actual safety status report based on the real-time diagnostic results of each vehicle component output by the hard diagnostic mechanism; calculating the dynamic failure rate index based on the performance parameters of each vehicle component, the dynamic failure rate index being used to quantify the failure probability trend of the component; generating a predicted safety status report based on the trend analysis results of the dynamic failure rate index; and conducting collaborative safety decision arbitration based on the actual safety status report and the predicted safety status report and outputting collaborative safety instructions. The execution strategy of the collaborative safety decision arbitration is as follows: under normal conditions, the actual safety status report is the primary basis for decision-making and the predicted safety status report is the secondary basis; when the actual diagnostic channel fails, the decision weight of the predicted safety status report is increased; and when the predicted safety status report is at the critical level, the predicted safety status report becomes the primary basis for decision-making.

[0043] For example, the computer program can be divided into one or more modules / units, which are stored in the memory and executed by the processor to complete the present invention. The one or more modules / units can be a series of computer program instruction segments capable of performing preset functions, wherein the instruction segments describe the execution process of the computer program in the vehicle global safety status management device. For example, the computer program can be divided into a first generation module, a calculation module, a second generation module, and a decision module; the specific functions are as follows: the first generation module is used to generate an actual safety status report based on the real-time diagnostic results of each vehicle component output by the hard diagnostic mechanism; the calculation module is used to calculate a dynamic failure rate index based on the performance parameters of each vehicle component; the dynamic failure rate index is used to quantify the failure probability trend of the component; the second generation module is used to generate a predicted safety status report based on the trend analysis results of the dynamic failure rate index; the decision module is used to perform collaborative safety decision arbitration based on the actual safety status report and the predicted safety status report, and output collaborative safety instructions; wherein, the execution strategy of collaborative safety decision arbitration is as follows: when in a normal state, the actual safety status report is used as the primary decision basis, and the predicted safety status report is used as the secondary decision basis; when the actual diagnostic channel fails, the decision weight of the predicted safety status report is increased; when the predicted safety status report is at a critical level, the predicted safety status report is used as the primary decision basis.

[0044] The vehicle global safety status management device can be a computing device such as a desktop computer, laptop, handheld computer, or cloud server. The vehicle global safety status management device may include, but is not limited to, a processor and memory. Those skilled in the art will understand that the above are examples of vehicle global safety status management devices and do not constitute a limitation on the vehicle global safety status management device. It may include more components than described above, or combine certain components, or different components. For example, the vehicle global safety status management device may also include input / output devices, network access devices, buses, etc.

[0045] The processor can be a Central Processing Unit (CPU), or other general-purpose processors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. The general-purpose processor can be a microprocessor, or any conventional processor. This processor is the control center for the vehicle's global safety status management, connecting various parts of the entire vehicle global safety status management equipment via various interfaces and lines.

[0046] The memory can be used to store the computer program and / or module. The processor implements various functions of the vehicle global safety status management device by running or executing the computer program and / or module stored in the memory and calling the data stored in the memory.

[0047] The memory may primarily include a program storage area and a data storage area. The program storage area may store the operating system and at least one application program required for a function (such as sound playback or image playback). The data storage area may store data created in the course of using the device (such as audio data or address book data). Furthermore, the memory may include high-speed random access memory and non-volatile memory, such as hard disks, RAM, plug-in hard disks, smart media cards (SMC), secure digital cards (SD cards), flash cards, at least one disk storage device, a flash memory device, or other solid-state storage devices.

[0048] The present invention also provides a computer-readable storage medium storing a computer program that, when executed by a processor, implements the steps of the vehicle global safety state management method.

[0049] If the modules / units integrated in the vehicle global safety status management system are implemented as software functional units and sold or used as independent products, they can be stored in a computer-readable storage medium.

[0050] Based on this understanding, the present invention can implement all or part of the processes in the above-described vehicle global safety status management method, or it can be accomplished by a computer program instructing related hardware. The computer program can be stored in a computer-readable storage medium, and when executed by a processor, it can implement the steps of the above-described vehicle global safety status management method. The computer program includes computer program code, which can be in the form of source code, object code, executable file, or a preset intermediate form, etc.

[0051] The computer-readable storage medium may include: any entity or device capable of carrying the computer program code, recording media, USB flash drive, portable hard drive, magnetic disk, optical disk, computer memory, read-only memory (ROM), random access memory (RAM), electrical carrier signal, telecommunication signal, and software distribution medium, etc.

[0052] It should be noted that the content contained in the computer-readable storage medium may be appropriately increased or decreased according to the requirements of legislation and patent practice in the jurisdiction. For example, in some jurisdictions, according to legislation and patent practice, the computer-readable storage medium does not include electrical carrier signals and telecommunication signals.

[0053] Compared with existing vehicle global safety status management methods, the vehicle global safety status management method and related device provided by this invention have the following advantages. First, through central safety coordination and predictive decision-making, the invention achieves global fusion and arbitration of the independent safety monitoring information within the domain controller. It generates conflict-free, system-level collaborative safety commands, fundamentally resolving the decision-making contradictions and resource competition caused by isolated monitoring in traditional solutions, and ensures an orderly and optimal system response under complex faults.

[0054] Secondly, by innovatively introducing a dynamic failure rate index, the system can achieve continuous quantitative assessment and early risk warning of the progressive degradation trend of component performance, promoting the safety mechanism to shift from passive post-failure response to proactive pre-failure prediction and smooth handling, significantly improving the system's availability and safety redundancy.

[0055] Third, this invention enhances the proactive identification and collaborative protection capabilities for systemic failures caused by ASIL decomposition and resource sharing through common-cause failure correlation analysis and state-driven decision-making rules, thereby improving the overall resilience of the integrated architecture. Furthermore, the unified quantitative state model, clear collaborative decision-making logic, and end-to-end data traceability provide solid data and logical support for functional safety case demonstrations, root cause analysis, and continuous strategy optimization.

[0056] The above embodiments are merely one of the implementation methods for achieving the technical solution of the present invention. The scope of protection claimed by the present invention is not limited to this embodiment, but also includes any variations, substitutions and other implementation methods that can be easily conceived by those skilled in the art within the scope of the technology disclosed in the present invention.

[0057] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention and not to limit it. Although the present invention has been described in detail with reference to the above embodiments, those skilled in the art should understand that modifications or equivalent substitutions can still be made to the specific implementation of the present invention. Any modifications or equivalent substitutions that do not depart from the spirit and scope of the present invention should be covered within the protection scope of the present invention.

Claims

1. A vehicle global safety status management method, characterized in that it includes: generating an actual safety status report based on the real-time diagnostic results of the vehicle components output by a hard diagnostic mechanism; calculating a dynamic failure rate index based on the performance parameters of each vehicle component, the dynamic failure rate index being used to quantify the failure probability trend of the components; generating a predicted safety status report based on the trend analysis results of the dynamic failure rate index; and conducting collaborative safety decision arbitration based on the actual safety status report and the predicted safety status report, and outputting collaborative safety instructions; wherein the execution strategy of the collaborative safety decision arbitration is as follows: under normal conditions, the actual safety status report is used as the primary basis for decision-making and the predicted safety status report as the secondary basis; when the actual diagnostic channel fails, the decision weight of the predicted safety status report is increased; and when the predicted safety status report is at the critical level, the predicted safety status report is used as the primary basis for decision-making.

2. The vehicle global safety status management method according to claim 1, characterized in that calculating the dynamic failure rate index based on the performance parameters of the vehicle components includes: collecting the performance parameters of each vehicle component as raw indicators, the performance parameters including CPU utilization, ECC error count, communication bit error rate, motor current harmonics, and task execution time deviation; and inputting the collected raw indicators into a pre-built evaluation model to calculate the dynamic failure rate index, wherein the evaluation model assigns a weight to each performance parameter reflecting that parameter's contribution to the overall risk. The formula for calculating the dynamic failure rate index λ_local is as follows: in the formula, λ_base is the base failure rate; M_j(t) is the multidimensional index; H_j(t) is the historical-window statistical feature of the multidimensional index; W_j is the weight of the multidimensional index; and F_j is the health decay contribution function, which maps the raw index value to its health decay contribution.

3. The vehicle global safety status management method according to claim 1, characterized in that, after calculating the dynamic failure rate index based on the performance parameters of each vehicle component, the method further includes: transmitting the dynamic failure rate index by periodic reporting, so that trend analysis is performed on the collected dynamic failure rate index; and, if the actual local safety status changes, immediately triggering an event-driven emergency report.

4. The vehicle global safety status management method according to claim 1, characterized in that generating the predicted safety status report based on the trend analysis results of the dynamic failure rate index includes: a pre-built failure rate prediction and assessment module performs trend analysis on the dynamic failure rate index with a multi-level fusion algorithm to obtain the trend analysis results, and the predicted safety status report is generated from these results using the following formula: where λ_i(t) is the dynamic failure rate index of the i-th monitoring agent; ξ_i is the severity weight of the failure impact associated with the ASIL level; G_i is the trend prediction function for the failure mode of that type of component; Δ(t) is the common-cause risk increment based on correlation analysis; and t is time. The result is the trend analysis result; the monitoring agent is used to collect the performance parameters of the vehicle components and to calculate and report the dynamic failure rate index.

5. The vehicle global safety status management method according to claim 1, characterized in that, after conducting the collaborative safety decision arbitration based on the actual safety status report and the predicted safety status report and outputting the collaborative safety instructions, the method further includes: broadcasting the collaborative safety instructions over a safety instruction bus, so that the monitoring agent decodes and executes the collaborative safety instructions it receives, the collaborative safety instructions including the target agent ID, an action code, parameters, and an expected completion time; specifically, the system records the issue time and the expected completion time of each collaborative safety instruction; if a successful confirmation message is received before the timeout, monitoring of the corresponding collaborative safety instruction is closed; and if the timeout occurs or a failure confirmation message is received, the safety instruction is deemed to have failed to execute and a higher-level global fault handling process is immediately triggered.

6. The vehicle global safety status management method according to claim 1, characterized in that, after conducting the collaborative safety decision arbitration based on the actual safety status report and the predicted safety status report and outputting the collaborative safety instructions, the method further includes: recording the performance parameters, dynamic failure rate index, decision-making basis, collaborative safety instructions, and execution feedback results of each vehicle component in a protected safety event black box; the safety event black box is used to retrain and optimize the evaluation model, and the evaluation model is used to calculate the dynamic failure rate index.

7. The vehicle global safety status management method according to claim 1, characterized in that the method further includes: once the transient fault disappears or the hardware is repaired, gradually lifting the safety restrictions according to the execution strategy of the collaborative safety decision arbitration, so as to complete the functional reset.

8. A vehicle global safety status management system, characterized in that it includes: a first generation module, used to generate an actual safety status report based on the real-time diagnostic results of the vehicle components output by a hard diagnostic mechanism; a calculation module, used to calculate the dynamic failure rate index based on the performance parameters of the vehicle components, the dynamic failure rate index being used to quantify the failure probability trend of the components; a second generation module, used to generate a predicted safety status report based on the trend analysis results of the dynamic failure rate index; and a decision-making module, used to conduct collaborative safety decision arbitration based on the actual safety status report and the predicted safety status report and to output collaborative safety instructions; wherein the execution strategy of the collaborative safety decision arbitration is as follows: under normal conditions, the actual safety status report is used as the primary basis for decision-making and the predicted safety status report as the secondary basis; when the actual diagnostic channel fails, the decision weight of the predicted safety status report is increased; and when the predicted safety status report is at the critical level, the predicted safety status report is used as the primary basis for decision-making.

9. A vehicle global safety status management device, characterized in that it includes: a memory, used to store a computer program; and a processor, configured to implement the vehicle global safety status management method according to any one of claims 1 to 7 when executing the computer program.

10. A computer-readable storage medium storing a computer program, characterized in that, when the computer program is executed by a processor, it implements the vehicle global safety status management method according to any one of claims 1 to 7.