
Autonomous System Beginners Guide 2023/2024

Martin Stollberger / Mathias Gebhardt


Nicolas Velz / Alexander Wischnewski / Moritz Hörsch
2023-10-18

Contents
Changelog 2

Autonomous System Beginners Guide 2023/2024 3


1 Remote Emergency System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2 Shutdown Circuit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3 Autonomous System Master Switch . . . . . . . . . . . . . . . . . . . . . . . . 4
4 System Critical Signals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
5 Autonomous System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
6 Autonomous System Status Indicator . . . . . . . . . . . . . . . . . . . . . . . 6
7 Autonomous Mission Indicator . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
8 Autonomous System Brake . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
9 Autonomous System Brake reference design . . . . . . . . . . . . . . . . . . . 7
10 Steering system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
11 Actuator Decoupling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
12 Sensors & Electrical Components Mounting . . . . . . . . . . . . . . . . . . . . 14
13 Manual driving . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
14 Startup procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
15 Data logger . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
16 Autonomous System Form . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
17 Technical Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Version 1.0 1 / 16 Send Feedback 2023-10-18


Changelog

Section   Version   Change
          1.0       Updated references and links to FS-Rules 2024 v1.0
1.1       1.0       Added further hint that re-runs are only granted for autonomous runs and that an EBS bypass is recommended
6         1.0       Added reference to new rule concerning ASSI visibility
9.7       1.0       Added additional hint concerning rollover protection envelope
14        1.0       Provide additional and updated details on startup procedure

Abstract

This document is intended to give you – as a team – a reference for implementing the Autonomous System (AS) and Autonomous System Brake (ASB) rules. Following this guideline eases the design of your vehicle and helps to review the safety of your design faster. Following this guide alone does not ensure that your design will pass the Autonomous System Form (ASF) review or technical inspection. This guide only provides some suggestions for your design. More complex solutions are still welcome. Finally, it is still your responsibility to ensure a safe design and to explain how the safety concept works. Be prepared for critical reviewer questions. This document does not replace or extend the rules. In case of a discrepancy, the rules always supersede this document.

Introduction

The references in this document are mainly based on the Formula Student Rules 2024 Version 1.0. Its main focus is to give a general overview of the different AS parts and especially of the implementation of the ASB. This document also gives a short introduction to failure detection and failure handling during startup and operation, see T 15.3. Furthermore, some suggestions are made on how to design the system to be redundant. In addition, the testability during technical inspection is discussed. As the ASB signals are part of the Autonomous System, they are considered to be System Critical Signals (SCSs), see T 14.5.1, and therefore require some additional measures to be taken that are also discussed in this document.

Note: All references to the rules and abbreviations are linked to the rules document. This link might only work if the browser integrated PDF viewer is used. Tested with Firefox, Chrome and Edge.


1 Remote Emergency System

The Remote Emergency System (RES) is considered the most basic safety feature of the Driverless vehicle. It consists of a remote device that is connected to an on-board receiver unit, which is directly hard-wired into the shutdown circuit, see T 14.3.4. Once the shutdown button on the RES is pressed or a signal loss occurs, the Tractive System (TS) is disabled and the Emergency Brake System (EBS) gets activated. It is developed to meet the highest safety standards (SIL3). Details on its application within the vehicle can be found in Figure 6.

In addition, the RES is used to send the go signal via an additional button to the vehicle. The RES receiver in the vehicle forwards this signal to the CAN bus. The AS is only allowed to activate Ready-to-drive (R2D) if the go signal is received after a safety delay of five seconds, see Figure 2 in chapter 5.

Figure 1: RES bypass circuit [diagram; labels: RES 1, Vehicle SDC, ASMS, Mechanical Link, Bypass Relay]

1.1 RES-Bypass (T 14.3.5)

As re-runs due to a signal loss of the RES can only be granted for autonomous runs, see D 2.7.6, and to avoid any other problems during manual driving because the RES is always required to close the Shutdown Circuit (SDC), it is permitted and highly recommended to deactivate the RES in this case. Due to the safety problems which may arise from this bypass, the rules only permit one solution, which is shown in Figure 1. This circuit needs to be implemented thoroughly to avoid a non-functional RES. Due to the safety criticality, only safety certified relays with forcibly guided or mirrored contacts are permitted. This certification ensures that both contacts are never closed at the same time. Solutions relying on software are not allowed.

1.2 Antenna mount

As one of its safety features the RES will also open the SDC if the signal strength that is received at the receiver unit drops below a certain threshold. Thus, it is strongly recommended to place the RES antenna away from metal parts and with the least obstructions from any direction. It is also recommended to do some range tests for any vehicle orientation to find the optimal location for the RES antenna. This will help to avoid problems during the competition, as the distances and obstacles in between the RES remote device and the vehicle may differ from the ones that are present at the test area.

2 Shutdown Circuit

The SDC is the main control line for the TS within the vehicle. For a schematic overview see Figures 21 (CV) and 22 (EV) in the rules. Closing it is a key step to get the vehicle Ready-to-drive (R2D). Therefore, it is important that all safety critical checks are passed before closing the SDC (and thus activating the TS). In addition to the vehicle specific requirements for CV and EV vehicles, the following has to be considered, also see T 14.4.1:

Manual Mode: The AS has checked that the Autonomous System Master Switch (ASMS) is switched “Off” and the ASB is not energized and cannot interact with the brake system in any possible way. Activation of the EBS during manual driving may cause serious danger to the driver and might lead to uncontrolled vehicle behavior. Once all required conditions are met, the TS might be activated by the driver from inside the cockpit, see EV 4.11 and T 14.1.2.

Autonomous Mode: The ASMS is switched “On” and the AS has checked that the EBS is energized. Only if all these required conditions are met, the TS might be activated by the Autonomous System Responsible (ASR) via the external activation button, see EV 4.11.3 / CV 1.2.2.

Once the SDC is closed the vehicle is able to start moving, thus it needs to be ensured that the brake system is working properly. Opening the SDC is a safety critical operation that must always be performed in a reliable way. It transitions the vehicle to a safe state as it includes:

- shutdown of the TS, i.e.
  - [EV ONLY] Accumulator Isolation Relays (AIRs) are opened
  - [CV ONLY] the fuel supply to the engine and ignition is cut
- activation of the EBS, which leads the vehicle to either come to a safe stop and/or prevents it from moving (again).

By this it is ensured that it is safe to approach the vehicle again, i.e. to retire the vehicle, and therefore the Autonomous System Status Indicator (ASSI) might indicate a safe state, see chapter 6.

3 Autonomous System Master Switch

The Autonomous System Master Switch (ASMS), see T 14.6, is an additional master switch, see T 11.2, that is a hardwired (non-programmable) solution intended to ensure that all actuators of the AS can be safely deactivated. Therefore the supply of the actuators has to be directly controlled by the ASMS. This is either achieved by directly routing the supply through the ASMS (like it is done for the Low Voltage Master Switch (LVMS)) or by using a non-programmable logic, such as a relay. In this case, all used components must be rated to the corresponding maximum operating conditions (including current and temperature).

The ASMS shall be kept in the “Off” position whenever possible so that no actuation of the steering or braking system can happen during manual driving (for details see chapter 13), while work is carried out at the vehicle (such as (dis-)mounting of wheels, downloading new software to the control units or performing calibration activities) or in the case of erratic software behavior.

4 System Critical Signals

Signal monitoring is an essential part of every well-engineered system. It is required to achieve functional safety goals and prevents uncontrolled behavior of the AS.

Concerning the functional safety goals, the system must transition to the safe state as soon as it cannot ensure a fully redundant emergency brake maneuver. In case of a signal failure, it might not be possible to properly diagnose the system. Therefore the safe state has to be entered. Such a failure could be either a broken wire, a faulty sensor with out-of-range data, or a signal distorted by electromagnetic interference.

Concerning the high-level parts of the AS that rely on a variety of different sensor inputs, the system shall detect if any of those is malfunctioning. If the proper vehicle operation cannot be ensured (e.g. loss of environmental perception) the system shall react by activating the EBS immediately. This significantly decreases the time between a failure and the brake maneuver compared to a brake maneuver that is manually triggered via the RES. This may protect the vehicle from crashing, and thus it should be in every team’s own interest to implement such a diagnosis properly.

The signals that require such a monitoring are called System Critical Signals (SCSs). The respective monitoring for the EBS and the AS shall be implemented as described above.

5 Autonomous System Status

In order to create a common and efficient wording within the rules and during discussions related to the AS, a set of Autonomous System statuses has been defined in T 14.9. These target to represent a certain internal status of the AS based on the status of its relevant subsystems, e.g. ASB (including EBS), TS or R2D state. In conjunction with the
ASSI the statuses are a part of the overall safety concept.

Definition:
The definition and determination of the current AS Status is described within a flowchart that can be found in Figure 17 of the rules. Along with this definition one can think of the AS statuses as described in the following:

“AS Off”: This status shows that the AS is not fully functional (yet), e.g. after switching the LVMS to “On”. In order to know if it is safe for anyone to approach the vehicle, the ASMS shall be checked to be in the “Off” position and the TS shall be switched off ([EV ONLY] TSAL lights up green / [CV ONLY] engine is not running). In any other case the vehicle might be about to either change its status to “AS Ready”, see below, or is about to be driven manually, see chapter 13.

“AS Ready”: This status usually follows after “AS Off” if the ASB is checked to be operational, the ASMS has been switched “On” and the TS is activated by the ASR via the external TS activation button. The vehicle is prepared to be launched soon, but it is ensured that the brakes are still closed. Being in close distance to the vehicle is only allowed for the ASR and the officials. The time the vehicle remains in “AS Ready” should be kept to the minimum required by the event procedure.

“AS Driving”: The vehicle has been launched via the go signal sent by the RES (considering the safety delay of 5 s, see Figure 2) and is allowed to execute its mission. It has to be expected that the vehicle moves suddenly or conducts any other dangerous behavior. It is strictly forbidden for anyone to approach the vehicle.

“AS Finished”: The AS considers the mission to be completed, the vehicle has reached standstill and changed its status to “AS Finished” on its own behalf. Any of the driverless dynamic events is only considered to be successfully completed if the vehicle comes to a stop in the designated area and enters “AS Finished” (no Unsafe Stop (USS)). The vehicle must be retrieved by the ASR and an additional team member immediately after approval from the officials.

“AS Emergency”: The EBS has been activated, see T 14.9.1. This can be either caused by opening the SDC (e.g. by pressing the shutdown button on the RES remote device) or in case the vehicle has detected an internal failure. After coming to a full stop the vehicle must be retrieved by the ASR and an additional team member immediately after approval from the officials.

“Manual Driving”: The vehicle is operated in manual mode. This is only possible if all actuators are switched off via the ASMS and the AS has checked that the ASB cannot interact with the brake system.

Implementation:
The definition of the AS statuses does not require any information on the previous status the AS has shown. Therefore, the implementation for determining the AS status can be done by transforming the flowchart given in the rules into a simple set of nested if-else statements that is called with its required inputs during every software execution cycle. The computed result will then be passed to the ASSI, see chapter 6, and the data logger, see chapter 15.

Safety delay (5 s):
The safety delay required by T 14.9.3 intends to provide a time frame for the ASR and the officials to leave the area nearby the vehicle as soon as it reaches the status “AS Ready”. During this time frame the vehicle shall not change its status to “AS Driving”, even in case the go signal has been sent by accident.

Figure 2: Example timing sequence for the safety delay [diagram: AS State (AS Off, AS Ready, AS Driving) over time t, go signal, 5 s safety delay, markers (1) and (2)]

An example timing sequence that visualizes how the safety delay shall work is shown in Figure 2: The delay starts as soon as the AS reaches “AS Ready” and lasts for 5 s. During this time period the AS must not accept but reject any go signal from the RES, see (1). To start the selected mission (status “AS Driving”) a (new) go signal needs to be sent to the vehicle after the time period of the safety delay has elapsed, see (2).
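The status determination and safety-delay handling described in this chapter, as an added example that is not part of the original guide: the status is computed every cycle from the current subsystem states alone (no memory of the previously shown status), and a separate gate starts the 5 s timer when “AS Ready” is reached, rejects any go signal until it has elapsed and then requires a new go signal (a rising edge) rather than one that was held from before. The input names, the decision order (derived from the status descriptions above rather than from Figure 17 of the rules) and the 100 ms cycle time are assumptions of this example.

```c
/* Added example (not from the FSG Beginners Guide): AS status as a pure
 * function of the current subsystem states, plus the 5 s safety delay of
 * T 14.9.3. Input names and decision order are assumptions derived from the
 * status descriptions in chapter 5; the authoritative definition is Figure 17
 * of the rules. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SAFETY_DELAY_MS 5000u
#define CYCLE_MS        100u   /* assumed software execution cycle */

typedef enum { AS_OFF, AS_READY, AS_DRIVING, AS_FINISHED, AS_EMERGENCY,
               MANUAL_DRIVING } as_status_t;

typedef struct {
    bool asms_on;          /* ASMS switched "On" */
    bool ts_active;        /* TS activated, i.e. the SDC is closed */
    bool ebs_activated;    /* EBS has fired (SDC opened or internal failure) */
    bool asb_operational;  /* initial checkup passed, ASB checked */
    bool asb_can_interact; /* ASB could still act on the brake system */
    bool r2d;              /* R2D granted after an accepted go signal */
    bool mission_finished; /* AS declared the mission complete at standstill */
} as_inputs_t;

/* Nested if-else version of the status flowchart: called every cycle with
 * fresh inputs and no knowledge of the status shown before. */
static as_status_t as_status(const as_inputs_t *in) {
    if (!in->asms_on) {
        /* manual driving only while the ASB cannot interact (T 14.4.1) */
        if (in->ts_active && !in->asb_can_interact) return MANUAL_DRIVING;
        return AS_OFF;
    }
    if (in->ebs_activated && !in->mission_finished) return AS_EMERGENCY;
    if (in->mission_finished) return AS_FINISHED;
    if (!in->asb_operational || !in->ts_active) return AS_OFF;
    return in->r2d ? AS_DRIVING : AS_READY;
}

/* Safety-delay gate: the timer starts on entering "AS Ready"; a go signal is
 * accepted only if it is a new signal (rising edge) after the delay elapsed. */
typedef struct { uint32_t ready_since_ms; bool armed; bool go_prev; } delay_gate_t;

static bool delay_gate_update(delay_gate_t *g, as_status_t st, bool go_signal,
                              uint32_t now_ms) {
    if (st != AS_READY) {            /* not waiting for a launch: disarm */
        g->armed = false;
        g->go_prev = go_signal;
        return false;
    }
    if (!g->armed) {                 /* first cycle in AS Ready: start the 5 s */
        g->armed = true;
        g->ready_since_ms = now_ms;
    }
    bool rising  = go_signal && !g->go_prev;
    bool elapsed = (now_ms - g->ready_since_ms) >= SAFETY_DELAY_MS;
    g->go_prev = go_signal;
    return rising && elapsed;        /* (1) rejected during, (2) accepted after */
}

/* Constructed scenario: AS Ready from t = 0, one 200 ms go pulse at go_at_ms.
 * Returns the time (ms) at which the AS enters "AS Driving", or -1 if the
 * pulse was rejected within a 10 s horizon. */
static int simulate_launch(uint32_t go_at_ms) {
    as_inputs_t in = { .asms_on = true, .ts_active = true, .asb_operational = true };
    delay_gate_t gate = {0};
    for (uint32_t t = 0; t <= 10000; t += CYCLE_MS) {
        bool go = t >= go_at_ms && t < go_at_ms + 200;
        if (delay_gate_update(&gate, as_status(&in), go, t)) in.r2d = true;
        if (as_status(&in) == AS_DRIVING) return (int)t;
    }
    return -1;
}

int main(void) {
    printf("go at 3 s -> driving at %d ms (rejected: -1)\n", simulate_launch(3000));
    printf("go at 6 s -> driving at %d ms\n", simulate_launch(6000));
    return 0;
}
```

A go pulse that starts before the delay ends and is still held when it ends is rejected as well, because the gate only counts a rising edge seen after the 5 s; this is the “(new) go signal” of the text.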
6 Autonomous System Status Indicator

The Autonomous System Status Indicator (ASSI) reflects the current status of the AS and is used by team members and the officials for assessing the current behavior of the vehicle, see chapter 5. It includes three color indicators (usually LED lights) at the vehicle’s sides and rear end, see T 14.10.2. Additionally a sound generator is required to indicate the status “AS Emergency”, see T 14.10.5. The ASSI is part of the overall safety concept and will be checked during technical inspection. This includes the correct illumination with respect to the AS status, see T 14.10.1, the visibility, see T 14.10.3, and the sound level.

7 Autonomous Mission Indicator

As its name already states, the purpose of the Autonomous Mission Indicator (AMI) is to indicate the currently selected autonomous mission as specified in T 14.11. It is used by the ASR and the officials to be aware of the autonomous mission which the AS will be executing upon releasing the vehicle at the starting line. This aims to avoid incidents where a wrong mission is selected by accident and the vehicle e.g. applies algorithms designed for the Skidpad event to an Autocross track layout. Hence, the AMI is considered to be a SCS and shall be visibly checked to show the correct autonomous mission prior to every dynamic event.

In order to serve its purpose well the AMI needs to be able to convey its indicated mission to any untrained person. Therefore its position in the vehicle is restricted to either the dashboard or the proximity of the ASMS. In addition it must be easy to read (e.g. also visible in bright sunlight) and to understand (e.g. no complicated sequence of numbers or patterns) for anyone. A quite simple proposal for the design of an AMI is schematically shown in Figure 3.

Figure 3: Schematic example of a simple AMI [diagram; labels: LED, Selected Mission, Mission Label; missions: Acceleration, Skidpad, Autocross, Trackdrive, EBS Test, Inspection, Manual Driving]

As an alternative a display integrated into the vehicle’s dashboard might also be considered to be used as an AMI, given that the SCS requirements can be fulfilled. If persistent displays like E-Ink are used for the AMI, please consider a moving element on the screen to show that the display is still up to date.

8 Autonomous System Brake

The term Autonomous System Brake (ASB) covers all aspects that are related to autonomous brake actuation. One major part of the ASB is the Emergency Brake System (EBS), which performs emergency brake maneuvers if its power is cut (T 15.1.1).

Figure 4: Hierarchical Overview of the ASB [tree; ASB: Deactivation Points, Supervisor / Fault detection, Common Energy source; EBS: Energy Storage, EBS Valve, EBS Actuator, Link to the brake system; Redundant System: Duplicate of the EBS circuit, Electrical brake actuator (e.g. a linear motor), Controlled pressure actuator, etc.]

Figure 4 visualizes the structure of the ASB. Requirements like deactivation and failure monitoring are valid for the whole brake system. A major element within the ASB is the
EBS which additionally needs to fulfill T 15.2. The other major element is a second, independent system to ensure the functional safety requirements. This system might be a duplicate of the EBS or something completely different like an electrical linear actuator. This second system does not need to fulfill T 15.2 but still needs to be monitored for failures.

The following chapter will provide a more detailed look into the implementation of the ASB.

9 Autonomous System Brake reference design

9.1 System Overview

Figure 5 shows a rough overview of a possible ASB implementation. The RES is directly integrated in the SDC (depicted in orange) and the EBS actuator supply (depicted in green) with its relay output, as required by T 14.3.4 and T 15.2.2.

The ASB itself consists of the following main parts:

Supervisor: The supervisor monitors the status of the ASB and performs the initial checks for the system. In case of failure the CPU activates the EBS and/or its redundant system (T 15.3.3).

SDC logic part: The SDC’s logic was previously used to latch the SDC open, but since the 2023 rules this is not required for the AS anymore. In this example it contains only a HW watchdog which is used to open the SDC in case of CPU stalls.

Mechanical part: The mechanical part of the ASB is defined as the connection between the electrical system and the vehicle’s brake system. It stores the energy for emergency brake activation and releases it to the brake system in case of an activated EBS (T 15.2.1). It may also contain additional actuators to provide dosed braking during operation. Depending on the system it also must include some sensors for monitoring and the initial check sequence (T 15.3.1).

In the following sections the above mentioned parts and some more detailed design aspects regarding the rules will be described.

9.2 EBS Supply concept

Figure 6 shows the EBS supply concept as required by Rule T 15.2.2 (green path). Additionally Figure 6 shows how the relay has to be integrated into the SDC (orange path). Important for the SDC implementation is that the EBS relay must not be delayed when the SDC opens. The system must be designed in a way that ensures that the delay mentioned in EV 6.1.5 is only applied to the AIRs and not to the EBS relay. Finally the supply concept includes two power stages/MOSFETs (blue parts). These additional switches are required to fulfill T 15.3 and enable the supervisor to test both actuation paths independently and ensure that the system is working redundantly.

9.3 Supervisor

As previously mentioned, the supervisor:
1. Monitors the system to detect failures.
2. Transitions the system to a safe state in case of a single failure (T 15.3.3).
3. Provides EBS status signals to the Autonomous System.

For this purpose it needs sensors in the mechanical part of the EBS to monitor the status of the system. Sensor signals could be for example:
- Hydraulic brake line pressure (e.g. for the initial checkup)
- Pneumatic tank pressure (e.g. for continuous system monitoring)
- etc.

Supervising the supervisor:
The supervisor is monitoring the system for failures to fulfill T 15.3.3. As it is a critical part it also becomes a single point of failure and thus needs monitoring. Common approaches for the supervisor supervision are:

External Watchdog (recommended): A good solution is the use of an external watchdog as in the example. It cannot be deactivated by SW and can easily be checked at startup for proper function.

Internal Watchdog: Using the internal watchdog is not recommended and only
possible if a watchdog event will lead to an open SDC. Furthermore, it needs to be ensured in the SW design that it is not deactivated accidentally.

Second CPU: A second CPU in the vehicle can be used if it can communicate with the supervisor and if it is able to open the SDC independently of the supervisor. In this case a heartbeat is sent between both CPUs. If one fails, the other one needs to open the SDC.

Figure 5: General ASB overview [diagram; labels: CPU for monitoring, SDC logic (Watchdog, WD_is_ready, AS_close_SDC, SDC_status), ASSI, Vehicle SDC with LVMS, ASMS, RES 1, RES 2, TSMS [EV only] (Interlocks) and TS_Activation_Button (External / Cockpit), EBS Relay, EBS Actuator, Redundant Actuator, Mechanical part of EBS, Sensor data for monitoring]

Figure 6: Realization of Rule T 15.2.2: EBS supply [diagram; labels: LV Supply, LVMS, ASMS, Vehicle SDC with RES 1, AS (SDC Latch), RES 2, TSMS [EV only] (Interlocks), EBS Actuator, Redundant Actuator, AIRs + Precharge or Fuel Pump/Ignition]

Example Signals:
In this reference design the supervisor needs to handle the interface with the SDC logic part. The following signals are used:

“AS_close_SDC” is used to enable the activation of the TS via the TS activation button, see EV 4.11.3, after all system checks are done and the system is ready.

“Watchdog” is mandatory to ensure the supervisor is still alive. This signal must be connected to the CPU and periodically toggled by software to maintain a keep-alive signal. Otherwise the SDC gets opened. This signal can also be used to open the SDC in case of a detected failure (e.g. by switching the corresponding CPU output pin to tristate, or by stopping to toggle).

“WD_is_ready” is used to monitor the internal state of the logic and to perform an initial check to ensure that the watchdog is working fine.

“SDC_status” is used to monitor the status of the SDC.

Initial Checkup Sequence:
An initial checkup sequence is necessary (T 15.3.2) to determine all kinds of failures which could not be detected during operation without applying the brakes. These kinds of failures specifically include failures due to wrong assembly, e.g. a missing connection to the brake pedal. For redundant systems this checkup sequence has to be performed in a way that ensures both systems are working independently, e.g. activate the brake through system 1, deactivate the brake, activate the brake through system 2 and check both for built-up brake pressure. The following steps are a short example for an initial EBS checkup routine:
1. Start toggling watchdog.
2. Wait for watchdog to respond (“WD_is_ready” is high).
3. Stop toggling watchdog.
4. Check that “WD_is_ready” goes low. Else => failure.
5. Start toggling watchdog again.
6. Check that the EBS energy storage is filled.
7. Check that the brake pressure is built up correctly.
8. Enable TS activation through “AS_close_SDC”.
9. Wait for TS being activated.
10. Disable EBS actuator 1 (blue MOSFET, Figure 6).
11. Check that the brake pressure is still built up correctly.
12. Enable EBS actuator 1 again.
13. Disable EBS actuator 2 (blue MOSFET, Figure 6).
14. Check that the brake pressure is still built up correctly.
15. Enable EBS actuator 2 again.
16. Transition to ready state.

Continuous Monitoring:
Continuous monitoring is required during operation (T 15.3.2) to detect typical failures like cable or pneumatic line ruptures. The typical values for monitoring are the energy storage of the mechanical part and the state of the RES. In case of an activated EBS the function of the EBS must be checked as well. If sufficient brake line pressure is not built up, the redundant system must be activated (if the systems are not activated together, as in the example in Figure 6).

Example values for continuous monitoring are:
- Storage of brake energy, e.g. pneumatic tank pressure
- Brake line pressure
- Mechanical state of valves
- Plausibility of sensor signals
- Brake transfer function
- State of the RES via CAN
- etc.

9.4 SDC Logic

Preface: The implementation of the logic here is just an example.

As the Non-programmable Logic was removed in the 2023 rules, there is no logic in the AS required by the rules. The former latching function is also covered in the TS activation rules (EV 4.11.4). Nevertheless this reference design still contains some logic around an external watchdog, shown in Figure 7. But as this circuit is trivial, there is only one thing to be mentioned: For reading the status of the watchdog, it should never be connected to the CPU directly, because in case of a CPU failure the output of the watchdog might be overdriven by the CPU. To avoid this, either a logic gate or a sufficiently large resistance should be added in between.

Figure 7: SDC logic diagram [diagram; labels: Shutdown_circuit, SDC_status, Watchdog, Watchdog <100ms, WD_is_ready, AS_close_SDC, &, To_SDC_relay]

9.5 Mechanical Part

The mechanical part must be designed in such a way that the stored brake energy for the EBS is released without the aid of electrical power (T 15.2.1), in order to ensure the performance of the EBS in case of a power failure. The energy storage can be realized by e.g. springs, pneumatic pressure or hydraulics.

A good way to activate the EBS is releasing a counter pressure which works against the stored brake energy. For normal operation/brake release, this energy storage must be detachable, e.g. by a mechanical disconnect, or deactivatable by pressure release (T 14.6.5 / T 15.1.7). As this storage is a critical part of the EBS, its status must be monitored continuously while driving.
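The SDC logic of Figure 7 and the 16-step initial checkup of section 9.3, as an added example that is not part of the original guide: a small software model of the external watchdog (ready only while it is toggled within 100 ms), the SDC relay (closed only with a live watchdog and “AS_close_SDC”, the AND of Figure 7), the two supply paths with their MOSFETs, and a brake that builds pressure whenever the supply of a working path is cut. The checkup routine walks the 16 steps against this model and returns the number of the first failed step, which shows why the paths have to be cut one at a time: a broken second path passes every check in which the first path brakes as well. The model, its timing, the pressure thresholds and the names `sim_t`, `initial_checkup` and `checkup_result` are constructed for this example.

```c
/* Added example (not from the FSG Beginners Guide): software model of the
 * Figure 7 SDC logic and the two EBS supply paths of Figure 6, plus the
 * 16-step initial checkup from section 9.3. The model, its timing and the
 * pressure thresholds are assumptions constructed for this example. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define WD_TIMEOUT_MS   100u   /* "<100ms" window of the external watchdog */
#define STEP_MS         10u    /* simulation / software cycle time (assumed) */
#define STORAGE_MIN_BAR 6.0    /* minimum stored brake energy (assumed) */
#define BRAKE_MIN_BAR   30.0   /* minimum brake line pressure (assumed) */

typedef struct {
    uint32_t now_ms, last_toggle_ms;
    bool wd_is_ready, as_close_sdc, to_sdc_relay, ts_active;
    bool act1_enabled, act2_enabled;   /* the two blue MOSFETs of Figure 6 */
    bool act1_works, act2_works;       /* fault injection for the two paths */
    double storage_bar, brake_bar;     /* EBS energy storage and brake line */
} sim_t;

static sim_t sim_new(bool act1_works, bool act2_works, double storage_bar) {
    sim_t s = {0};
    s.now_ms = 1000;                   /* nothing toggled yet: watchdog not ready */
    s.act1_enabled = s.act2_enabled = true;
    s.act1_works = act1_works;
    s.act2_works = act2_works;
    s.storage_bar = storage_bar;
    return s;
}

/* One simulation step: watchdog, SDC relay and the mechanical part. */
static void sim_step(sim_t *s) {
    s->now_ms += STEP_MS;
    s->wd_is_ready  = (s->now_ms - s->last_toggle_ms) < WD_TIMEOUT_MS;
    s->to_sdc_relay = s->wd_is_ready && s->as_close_sdc;  /* Figure 7: AND */
    s->ts_active    = s->to_sdc_relay;  /* assume the ASR presses the TS button */
    /* T 15.1.1: a path brakes whenever its supply (relay AND MOSFET) is cut */
    bool p1 = !(s->to_sdc_relay && s->act1_enabled) && s->act1_works;
    bool p2 = !(s->to_sdc_relay && s->act2_enabled) && s->act2_works;
    s->brake_bar = ((p1 || p2) && s->storage_bar >= STORAGE_MIN_BAR) ? 40.0 : 0.0;
}

/* Let the model run for ms milliseconds, toggling the watchdog or not. */
static void run_ms(sim_t *s, uint32_t ms, bool toggle_wd) {
    for (uint32_t t = 0; t < ms; t += STEP_MS) {
        if (toggle_wd) s->last_toggle_ms = s->now_ms;
        sim_step(s);
    }
}

/* Returns 0 when the checkup passed, otherwise the number of the failed step. */
static int initial_checkup(sim_t *s) {
    run_ms(s, 50, true);                                   /* 1: start toggling */
    if (!s->wd_is_ready) return 2;                         /* 2: WD_is_ready must go high */
    run_ms(s, 200, false);                                 /* 3: stop toggling */
    if (s->wd_is_ready) return 4;                          /* 4: WD_is_ready must go low */
    run_ms(s, 50, true);                                   /* 5: toggle again */
    if (s->storage_bar < STORAGE_MIN_BAR) return 6;        /* 6: energy storage filled */
    if (s->brake_bar < BRAKE_MIN_BAR) return 7;            /* 7: SDC open -> EBS applied */
    s->as_close_sdc = true;                                /* 8: allow TS activation */
    run_ms(s, 50, true);
    if (!s->ts_active) return 9;                           /* 9: TS active, brakes released */
    s->act1_enabled = false; run_ms(s, 50, true);          /* 10: cut path 1 only */
    if (s->brake_bar < BRAKE_MIN_BAR) return 11;           /* 11: path 1 must brake alone */
    s->act1_enabled = true;  run_ms(s, 50, true);          /* 12 */
    s->act2_enabled = false; run_ms(s, 50, true);          /* 13: cut path 2 only */
    if (s->brake_bar < BRAKE_MIN_BAR) return 14;           /* 14: path 2 must brake alone */
    s->act2_enabled = true;  run_ms(s, 50, true);          /* 15 */
    return 0;                                              /* 16: ready state */
}

/* Convenience wrapper: run the checkup on a freshly constructed model. */
static int checkup_result(bool act1_works, bool act2_works, double storage_bar) {
    sim_t s = sim_new(act1_works, act2_works, storage_bar);
    return initial_checkup(&s);
}

int main(void) {
    printf("healthy system:       failed step %d\n", checkup_result(true, true, 8.0));
    printf("empty energy storage: failed step %d\n", checkup_result(true, true, 2.0));
    printf("path 1 broken:        failed step %d\n", checkup_result(false, true, 8.0));
    printf("path 2 broken:        failed step %d\n", checkup_result(true, false, 8.0));
    return 0;
}
```

With both paths working the routine returns 0; with a broken path it returns step 11 or 14 respectively, although step 7 (both paths unpowered) passes in both cases.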


9.6 Redundancy

Figure 8: Schematic overview for a fully redundant EBS [diagram; labels: SDC logic, CPU for monitoring, Continuous monitoring, Powerstage, Mechanically redundant EBS, Mechanical disconnect for manual driving mode, Must be checked during startup, SDC]

Fully-redundant ASB:
A fully redundant EBS means that there are two independent systems fulfilling the EBS requirements in parallel. Thus, the system is still able to come to a safe state even if a single failure occurs (T 15.3.3). On the electrical side redundancy can be ensured by a second output stage which enables the monitoring CPU to activate the EBS even if the SDC is failing. In case of failure of the monitoring CPU the EBS is activated automatically by the watchdog.

On the mechanical side redundancy depends on the chosen system. The following example distinguishes between two scenarios:

Figure 9: Actively applied braking energy [diagram; labels: Power stage 1, Pressure storage, Normally open 3/2 valve, Cylinder, Brake pedal/system, Mechanical disconnect for manual driving mode, SDC, Redundancy, Power stage 2, Pressure storage, Normally open 3/2 valve, Cylinder]

1. Actively applied braking energy:
Figure 9 shows an ASB with actively applied braking energy. In terms of a pneumatic system, the braking energy is stored in a pressure tank and is released to the brake system via a normally open valve and a cylinder. The brakes are only released if electrical power is applied to the valve. To get into manual driving mode either the pressure has to be removed, or the tank must be mechanically disconnected.

To avoid common cause failures the redundant system consists of two independent but identical systems. The only common part is the connection to the vehicle’s brake system (brake pedal). This connection must be designed in a way that ensures a sufficient safety factor in all possible cases.

Figure 10: Removal of counterforce, which keeps the brakes opened [diagram; labels: Pressure source, Normally closed 3/2 valve, Normally closed 3/2 valve, Cylinder, Brake pedal/system, Spring, Power stage 1, Redundancy, Power stage 2, Spring]

2. Removal of counterforce:
Figure 10 shows an ASB with permanently applied brakes, e.g. by redundant springs. The application of energy is needed to release the brakes. This could be done by pneumatic or hydraulic pressure. For this system no explicit pressure storage is needed, as a loss of pressure results in a safe state. Only the springs and the pressure release valves must be designed redundantly. The mechanical connection between the springs and the brake system must be designed in a way that ensures a sufficient safety factor in all possible cases.

To get into manual driving mode the springs must be mechanically detachable or, in case of gas springs, the pressure must be releasable (keep T 14.8 in mind). The state of the springs might be monitored through the brake pressure built up when the brakes are engaged. For gas springs with releasable pressure, the pressure itself must be monitored.

Non-EBS actuator as Redundancy:
If the vehicle is equipped with other actuators for dosed braking that do not fulfill the EBS requirements, it is possible to use them as redundancy for the EBS too. As these actuators are part of the ASB, they must be monitored for all failures as well and activate the EBS in case of malfunction. A sufficient way for continuous monitoring is a transfer function check (brake pressure vs. actuation force), if the actuator is regularly used during operation.
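One monitoring cycle over the values named in section 4, in the continuous monitoring list of section 9.3 and in the transfer function check of section 9.6, as an added example that is not part of the original guide. The raw tank and brake line sensor voltages are first checked against the wiring range (an open or shorted wire reads outside the sensor's electrical span, so it is told apart from a low pressure), then converted to pressure; a tank value below the minimum trips a fault at once, while an implausibly large jump (a distorted sample) is only reported when it persists for three cycles. The age of the RES state received via CAN is checked against a timeout, and while the dosed-brake actuator is in use the brake pressure is compared with what its actuation force should produce. Any returned fault means: activate the EBS. Sensor scaling, thresholds, the timeout, the actuator characteristic and the sample logs are assumptions constructed for this example.

```c
/* Added example (not from the FSG Beginners Guide): one cycle of continuous
 * SCS monitoring as described in sections 4, 9.3 and 9.6. Sensor scaling,
 * thresholds, the CAN timeout and the actuator characteristic are
 * assumptions constructed for this example. */
#include <stdbool.h>
#include <stdio.h>
#include <math.h>

/* Fault flags; any set flag means the supervisor must activate the EBS. */
enum {
    F_TANK_SENSOR  = 1 << 0,  /* open/short circuit on the tank pressure sensor */
    F_TANK_LOW     = 1 << 1,  /* stored brake energy too low (leak, line rupture) */
    F_TANK_JUMP    = 1 << 2,  /* persistently implausible rate of change (e.g. EMI) */
    F_BRAKE_SENSOR = 1 << 3,  /* open/short circuit on the brake line sensor */
    F_RES_TIMEOUT  = 1 << 4,  /* RES state not received via CAN in time */
    F_TRANSFER     = 1 << 5   /* brake pressure does not match actuation force */
};

#define V_ZERO 0.5             /* ratiometric sensors: 0.5 V = 0 bar, */
#define V_FULL 4.5             /* 4.5 V = full scale */
#define V_WIRE_LO 0.3          /* outside 0.3..4.7 V the wiring is faulty, */
#define V_WIRE_HI 4.7          /* not the process value */
#define TANK_FS_BAR 10.0
#define BRAKE_FS_BAR 100.0
#define TANK_MIN_BAR 6.0
#define TANK_MAX_STEP_BAR 0.5  /* largest plausible change per 10 ms cycle */
#define JUMP_CYCLES 3          /* consecutive implausible samples before fault */
#define RES_TIMEOUT_MS 100u
#define GAIN_BAR_PER_N 0.08    /* assumed dosed-brake actuator characteristic */
#define TRANSFER_TOL_BAR 5.0
#define TRANSFER_MIN_N 50.0    /* check only while the actuator is really used */

typedef struct {
    double tank_v, brake_v;     /* raw sensor voltages */
    double actuator_force_n;    /* force of the dosed-brake actuator */
    unsigned now_ms, res_rx_ms; /* current time, time of the last RES CAN frame */
} reading_t;

typedef struct { double last_tank_bar; bool have_last; int jump_count; } monitor_t;

static bool wire_ok(double v) { return v >= V_WIRE_LO && v <= V_WIRE_HI; }

static double to_bar(double v, double full_scale) {
    double x = (v - V_ZERO) / (V_FULL - V_ZERO);
    if (x < 0.0) x = 0.0;
    if (x > 1.0) x = 1.0;
    return x * full_scale;
}

static unsigned monitor_cycle(monitor_t *m, const reading_t *r) {
    unsigned faults = 0;
    if (!wire_ok(r->tank_v))  faults |= F_TANK_SENSOR;
    if (!wire_ok(r->brake_v)) faults |= F_BRAKE_SENSOR;
    if (!(faults & F_TANK_SENSOR)) {
        double tank_bar = to_bar(r->tank_v, TANK_FS_BAR);
        if (tank_bar < TANK_MIN_BAR) faults |= F_TANK_LOW;
        /* rate-of-change plausibility against the last plausible value */
        if (m->have_last && fabs(tank_bar - m->last_tank_bar) > TANK_MAX_STEP_BAR) {
            if (++m->jump_count >= JUMP_CYCLES) faults |= F_TANK_JUMP;
        } else {
            m->jump_count = 0;
            m->last_tank_bar = tank_bar;
            m->have_last = true;
        }
    }
    if (r->now_ms - r->res_rx_ms > RES_TIMEOUT_MS) faults |= F_RES_TIMEOUT;
    /* transfer function check (9.6): brake pressure vs. actuation force */
    if (!(faults & F_BRAKE_SENSOR) && r->actuator_force_n >= TRANSFER_MIN_N) {
        double expected = GAIN_BAR_PER_N * r->actuator_force_n;
        if (fabs(to_bar(r->brake_v, BRAKE_FS_BAR) - expected) > TRANSFER_TOL_BAR)
            faults |= F_TRANSFER;
    }
    return faults;
}

/* Runs a log of readings; returns the OR of all faults raised, because the
 * first fault already transitions the vehicle to the safe state. */
static unsigned monitor_run(const reading_t *log, int n) {
    monitor_t m = {0};
    unsigned faults = 0;
    for (int i = 0; i < n; i++) faults |= monitor_cycle(&m, &log[i]);
    return faults;
}

/* Constructed sample logs; 3.7 V = 8 bar tank, 0.5 V = 0 bar brake line. */
static const reading_t LOG_SPIKE[] = {    /* one distorted sample: tolerated */
    {3.7, 0.5, 0, 10, 10}, {3.7, 0.5, 0, 20, 20}, {4.4, 0.5, 0, 30, 30},
    {3.7, 0.5, 0, 40, 40}, {3.7, 0.5, 0, 50, 50} };
static const reading_t LOG_EMI[] = {      /* distortion persists: fault */
    {3.7, 0.5, 0, 10, 10}, {4.4, 0.5, 0, 20, 20}, {3.1, 0.5, 0, 30, 30},
    {4.4, 0.5, 0, 40, 40} };
static const reading_t LOG_WIRE[] = {     /* tank sensor wire breaks, RES lost */
    {3.7, 0.5, 0, 10, 10}, {0.1, 0.5, 0, 20, 20}, {0.1, 0.5, 0, 150, 20} };
static const reading_t LOG_TRANSFER[] = { /* 500 N should give 40 bar = 2.1 V */
    {3.7, 2.1, 500, 10, 10}, {3.7, 0.6, 500, 20, 20} };

unsigned scenario_spike(void)    { return monitor_run(LOG_SPIKE, 5); }
unsigned scenario_emi(void)      { return monitor_run(LOG_EMI, 4); }
unsigned scenario_wire(void)     { return monitor_run(LOG_WIRE, 3); }
unsigned scenario_transfer(void) { return monitor_run(LOG_TRANSFER, 2); }

int main(void) {
    printf("spike 0x%x  emi 0x%x  wire+res 0x%x  transfer 0x%x\n",
           scenario_spike(), scenario_emi(), scenario_wire(), scenario_transfer());
    return 0;
}
```

The wire-range check runs on the raw voltage before any scaling, which is what distinguishes a broken wire from a genuinely empty tank; the jump counter compares against the last plausible value rather than the last sample, so a sustained wrong reading keeps counting instead of being accepted as the new baseline.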

Version 1.0 10 / 16 Send Feedback 2023-10-18


Figure 11: Schematic overview with secondary system as redundancy (diagram: SDC logic, CPU for monitoring, secondary system, mechanical part of redundancy, EBS; continuous monitoring e.g. by transfer function)

9.7 Testability / Technical Inspection

This section should give you some hints on how to speed up the technical inspection, as there will be limited time for each inspection slot. If it takes too long to sufficiently test the system you will need to requeue.
SCS:
As all signals of the ASB are considered to be SCS, it must be possible to bypass these signals during technical inspection and manipulate them. This could either be done by using a single connector for each signal or by providing a breakout box for technical inspection if using a multi-pin connector.
Accessibility:
All parts of the ASB should be easily accessible without excessively disassembling the vehicle. This applies especially to all mechanical ASB relevant parts and all hydraulic/pneumatic parts besides the vehicle’s brake system. All parts must be properly attached to the vehicle.
EBS activation:
During the inspection your EBS will be activated multiple times. To get these tests done as fast as possible, your system should be able to perform multiple EBS tests in a row or you should be able to quickly refill your system.
Rollover protection envelope (T 1.1.16):
Make sure that your system complies with T 15.1.2 since issues concerning this aspect of the rules are typically quite hard to fix.
Overpressure protection (T 9):
Typically a pressure relief valve is used to implement the overpressure protection mechanism. Valves with a non-adjustable (fixed) relief pressure threshold are recommended over valves with an adjustable one. For a fixed threshold checking the datasheet is sufficient. For an adjustable threshold the current value that is set needs to be demonstrated during technical inspection.

9.8 Examples

Caution: The renderings in this section have been drawn by an electrical engineer ;). They are just for visualization purposes and not meant to be a 1:1 blueprint for your own constructions.
This section shall give a rough overview of what the implementation of the ASB may look like. It focuses on the mechanical part as the electrical requirements have already been handled in the previous sections.
Pneumatic system:
Figure 12 shows an example implementation of the pneumatic part of the ASB. It consists of the common energy source (denoted in orange) including its overpressure protection (FL1, also see T 9), the EBS (denoted in blue) and its redundancy (denoted in green). The system actuates the brake pedal through two fluidic muscles (MM1, MM2). The redundancy is ensured by the two independent pressure tanks CM1 and CM2, which are decoupled by the check valves RM1 and RM2. Each pressure tank must at least contain enough energy to perform an emergency brake maneuver. Using only one tank is not sufficient as a failure of a single tank may also decrease the pressure on the source, which then may not provide enough energy for the brake maneuver. As both paths have one energy storage each, both need a deactivation mechanism. In this case the deactivation is done by a manual valve (SJ1, SJ2) which disconnects the pressure source and vents the tank. Both tanks are equipped with pressure sensors (BP1, BP2) to ensure that sufficient pressure is available to perform the emergency brake maneuvers. If one pressure drops below its limit, the SDC needs to be opened to activate the EBS. This activation will happen by QM1, which fulfills the EBS supply requirements. QM2 may be actuated in parallel to QM1 or may also be actuated separately as it does not need to fulfill the EBS requirements. It could also be a pressure control valve for dosed braking.

Figure 12: Pneumatic diagram example (diagram showing FL1 and the valve port numbers 1, 2, 3)

For supplying the whole circuit, there are various different options. One common option is to use high pressure paintball bottles. Another option is to fill the pressure tanks by a small compressor inside the vehicle. But here you need to make sure that the compressor is supplied by the ASMS and that it does not need too much time to fill the tanks, as you only get 1 min. For the implementation inside the vehicle it is important to always make sure that the pneumatic system fulfills T 9.
Certification:
In the rules it is required that especially the high pressure equipment and the tanks are certified and labeled accordingly. Therefore, you should make sure that the pressure tanks fulfill the legal requirements, are rated properly and are not expired. This will be checked during the competition and may cause you a lot of trouble. Keep also in mind that it is not allowed to transport filled paintball bottles on public ground in Germany, if they are not “PI” certified.
Connection to the brake system:
On the mechanical interconnection between the pneumatic part and the vehicle’s brake system, multiple solutions are possible. This guide shows three possibilities:
a.) Via the brake pedal (Figure 13)
b.) Via a second master cylinder (Figure 14)
c.) Via a direct pressure transducer (Figure 15)
The most obvious and simplest solution is to connect the ASB actuators directly to the existing brake pedal as shown in figure 13. The only things which have to be kept in mind are: The mechanical design must be sufficiently strong to guarantee that no failure will arise from it. It must be impossible by design that the actuators block each other or manual braking operation. Thus, mechanisms such as the shown anti-blocking slots are highly recommended.

Figure 13: Two ASB actuators directly connected to the brake pedal (rendering labels: anti-blocking slots, brake pedal)

Figure 14: Brake actuation through an additional master cylinder (rendering label: second master brake cylinder)
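One way the supervision described above could be coded, as an added example in C that is not part of this guide: the BP1/BP2 tank pressure limit from the pneumatic example and the transfer function check (brake pressure vs. actuation force) for a non-EBS redundancy actuator from section 9 are evaluated in one supervision cycle. The pressure limit, actuator gain, 20 % tolerance, three-cycle debounce and the sample readings are constructed assumptions, not values from the rules.

```c
/* Added example, not code from the FSG guide: one supervision cycle for the
 * pneumatic ASB above (BP1/BP2 low -> open the SDC) combined with the transfer
 * function check for a non-EBS redundancy actuator from section 9. The limit,
 * gain, tolerance, debounce count and sample readings are constructed. */
#include <stdbool.h>
#include <stdio.h>

#define TANK_P_MIN_BAR     6.0   /* constructed: minimum for one EBS stop */
#define TF_GAIN_BAR_PER_N  0.05  /* constructed: brake pressure per N of force */
#define TF_TOL_REL         0.20  /* constructed: 20 % deviation accepted */
#define TF_MIN_FORCE_N     50.0  /* below this the actuator counts as idle */
#define TF_DEBOUNCE_CYCLES 3     /* implausible cycles in a row before tripping */

typedef enum { ASB_OK = 0, ASB_FAULT_TANK_CM1, ASB_FAULT_TANK_CM2,
               ASB_FAULT_TRANSFER_FUNCTION } asb_fault_t;

typedef struct {
    double bp1_bar;      /* sensor BP1 on tank CM1 */
    double bp2_bar;      /* sensor BP2 on tank CM2 */
    double act_force_n;  /* actuation force of the dosed-braking actuator */
    double brake_p_bar;  /* brake line pressure produced by that force */
} asb_readings_t;

typedef struct {
    int  tf_bad_cycles;  /* consecutive implausible transfer function samples */
    bool sdc_open;       /* latched: once opened, only a manual reset clears it */
} asb_monitor_t;

/* Brake pressure vs. actuation force. An idle actuator gives nothing to
 * compare, so that sample counts as plausible. */
bool transfer_function_ok(double force_n, double brake_p_bar)
{
    if (force_n < TF_MIN_FORCE_N)
        return true;
    double expected = TF_GAIN_BAR_PER_N * force_n;
    double diff = brake_p_bar > expected ? brake_p_bar - expected : expected - brake_p_bar;
    return diff <= TF_TOL_REL * expected;
}

/* Low tank pressure opens the SDC immediately; the transfer function has to
 * fail TF_DEBOUNCE_CYCLES times in a row so one noisy sample cannot trip it. */
asb_fault_t asb_supervise(asb_monitor_t *m, const asb_readings_t *r)
{
    asb_fault_t fault = ASB_OK;
    if (r->bp1_bar < TANK_P_MIN_BAR)
        fault = ASB_FAULT_TANK_CM1;
    else if (r->bp2_bar < TANK_P_MIN_BAR)
        fault = ASB_FAULT_TANK_CM2;
    else if (transfer_function_ok(r->act_force_n, r->brake_p_bar))
        m->tf_bad_cycles = 0;
    else if (++m->tf_bad_cycles >= TF_DEBOUNCE_CYCLES)
        fault = ASB_FAULT_TRANSFER_FUNCTION;
    if (fault != ASB_OK)
        m->sdc_open = true;  /* opening the SDC activates the EBS */
    return fault;
}

int main(void)
{   /* constructed cycles: idle, braking with plausible pressure, CM2 losing pressure */
    asb_monitor_t m = {0, false};
    asb_readings_t c[] = {{8.0, 8.1, 0.0, 0.0}, {8.0, 7.9, 200.0, 10.2}, {8.0, 5.5, 0.0, 0.0}};
    for (int i = 0; i < 3; i++)
        printf("cycle %d: fault %d, sdc_open %d\n", i, (int)asb_supervise(&m, &c[i]), (int)m.sdc_open);
    return 0;
}
```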



Another option is to decouple the ASB actuators from the brake pedal, see figure 14. This is quite helpful if there is not much space behind the pedal. In its easiest version the actuation consists of a pneumatic cylinder which acts on an additional master cylinder. To handle the redundancy and both brake circuits two master cylinders need to be used. This also allows actuating both brake circuits with different pressures for an optimized braking balance. Special care must be taken on the integration into the brake system. This can be done by a Shuttle(Or)-Valve. In any case it must be ensured that the manual braking operation is always possible.

Figure 15: Brake actuation through a pressure transducer (rendering labels: inlet port from reservoir, venting hole, O-ring, outlet port to brake caliper, pressure inlet port, return spring, transducer piston, brake fluid resistant sealing)

Taking the previous solution one step further, there is also the possibility to combine the pneumatic and the hydraulic cylinder into a single transducer. As this usually requires a completely self-built part, this option should only be taken if you know exactly what you are doing. The potential of getting failures is quite high. Special care must also be taken when choosing the materials, as they need to be brake fluid resistant. Thus, especially the material of the sealing must be stated in the ASF.

10 Steering system

As the steering system is controlled by the AS, some safety precautions are required in order to avoid unintended actuation:
The supply of the steering system (or its power stages) needs to be directly controlled by the ASMS, for details see chapter 3. This will especially protect the driver from experiencing an unintended steering actuation by the AS during manual driving.
Additionally the AS shall not perform any actuation of the steering system that would lead to a movement of the steering rack while the vehicle is not R2D, see T 14.7.1, so that it is still safe to be around the vehicle while the ASMS is already switched to the “On” position. Nevertheless, once the vehicle is R2D the AS is allowed to actuate the steering system in any manner even though the vehicle might still be in standstill. It needs to be considered that the torque required to move the steering rack will be quite high in that case. Thus, it is strongly recommended not to use steering actuators that need to perform a steering actuation for calibration purposes at startup (e.g. in order to determine a reference angle for straight driving). One exception regarding steering only being allowed while R2D applies during an emergency brake maneuver (EBS is activated) where the vehicle is not R2D anymore due to the open SDC: It is allowed (but not required) to perform a steering actuation until the vehicle reaches standstill, see T 14.7.2, to maintain a stable driving condition.
In addition to the precautions mentioned above, the steering system also needs to be designed in a way that the manual actuation of the steering system is possible at the steering wheel whenever the ASMS is switched to the “Off” position. This is especially required during manual driving (for details see chapter 13) and in case the vehicle breaks down during the dynamic events and quickly needs to be removed from the track by the officials. Especially in the second case only the ASMS will be switched to the “Off” position prior to moving the vehicle in order to not delay the dynamic events much further.

11 Actuator Decoupling

In order to ease up the design process it is allowed to disconnect the actuators of the AS while driving manually. As manual braking must always be possible, see T 15.1.4, this mainly targets the steering actuator in order to enable lower steering forces for manual driving. It must always be ensured that the decoupling adds no additional hazard for the driver. Thus, the steering wheel must always stay connected and it must be avoided



that the decoupling mechanism moves while driving, see T 14.8. It should also be considered to implement the mechanism in a way that avoids an unintended actuation by the driver. This is not required by the rules but might cause issues during technical inspection, if there are doubts regarding the driver’s safety. In addition it might be beneficial to implement an easy to check indicator that provides feedback on the current position of the decoupling mechanism (either mechanical or electrical) that can be checked right at the starting line before activating the AS.
Implementation hint: For decoupling the steering system, an electromagnetic clutch supplied by the ASMS might be a simple and robust option.

12 Sensors & Electrical Components Mounting

As per T 11.11 sensors and electrical components must be properly mounted and located within a restricted area, see figures 3 and 16 of the rules. The area depicted by both figures combined defines possible positions for all electrical components including the sensors used by the AS. It specifies a maximum design area to prevent exaggerated designs. Exceptions are granted for antennas in order to allow a technically reasonable positioning. To enable a safe operation in manual mode, none of the sensors and electrical components is allowed to come into contact with the driver’s helmet to avoid protrusions in case of a crash. This is typically checked with the tallest driver during technical inspection.

13 Manual driving

The manual driving mode intends to avoid injuries caused by any activation of the actuators based on the commands from the AS. By selecting the mission “Manual driving”, the system is aware that a driver is seated in the vehicle and shall conduct the appropriate checks. To prevent human errors and to increase overall safety the system needs to ensure that the following conditions are fulfilled:
The ASMS is switched off (actuators are not supplied). This could easily be evaluated by measuring the supply voltage on the actuator side of the ASMS.
The ASB cannot interact with the brake system. This needs to be ensured by a check, see T 14.4.1, that makes use of appropriate ASB sensor signals.
Manual actuation of the steering wheel is possible.
All in all, the vehicle should behave comparably to a vehicle that is not equipped with an AS but still conducts some additional supervision. All parts of the AS that do not interfere with manual driving (especially the processing units and sensors) are allowed to be active.

14 Startup procedure

To run the dynamic events as efficiently as possible, a common startup procedure (D 2.6) has been defined which also limits the time to get to “AS Ready”. Thus, every team should aim at minimizing the preparation time required in the queue or directly at the starting line. This is not only a benefit to the event organization, but also reduces the likelihood of failures.
A typical startup may be performed (by the ASR) as follows:
1. Check and fill the energy storage of the ASB already inside the pit.
2. Move the vehicle to the dynamic area with the ASMS and LVMS in “Off” position and the ASB detached/decoupled (e.g. by shut-off valves).
3. Turn on the LVMS and check/setup the AS once the vehicle arrives in the preparation area.
4. Select the autonomous mission to be executed (must be possible without the use of an external device, see T 14.11.3).
5. Select the proper RES mode (practice or race) depending on the “e-key” you are planning to use, also see below.
6. Queue and wait to approach the starting line. The LVMS may remain in “On” position.
7. Make sure that the correct “e-key” is inserted into the RES:
practice-key for technical inspection and testing



race-key for dynamic events (will be provided by the officials)
8. Once the vehicle is properly aligned at the starting line, attach/arm the ASB (e.g. by operating the shut-off valves) after the approval of the officials.
9. Double check that the steering actuator is connected to the steering system.
10. Check that the correct mission (AMI) and RES mode has been selected.
11. Turn on the ASMS and activate the TS after the approval of the officials. (Hint: Shutdown buttons and RES remote device shall be checked in advance.)
12. Leave the area nearby the vehicle and proceed to the area designated for the ASR carrying the RES remote device.
13. Wait for the vehicle to reach “AS Ready” and send the go-signal after the approval of the officials.

15 Data logger

The intention of the data logger is to understand and reproduce the system state in case of failure, e.g. EBS is activated due to range loss of the RES. To achieve this, a basic set of signals defined in the competition handbook and a set of vehicle-individual signals that have to be monitored by the ASB are to be recorded by the data logger. To be able to evaluate the recorded data, each team needs to provide a DBC file that includes a definition for all the signals mentioned above. Further hints regarding the data logger can be found in the competition handbook.

16 Autonomous System Form

Figure 16: Overview of the ASF (diagram: ASF with EBS Concept Overview, EBS Mechanical System, EBS Supervision Implementation and Actuator Power Supply)

The ASF is a comprehensive documentation of the AS which has to be uploaded prior to the competition. Its main purpose is to detect failures which are hard to correct before the competition starts. Thus, the ASF focuses on the implementation of the ASB as its implementation is the most complex and prone to failures.
To ensure that all the other parts of the AS that have not been reviewed are working as intended, it is always recommended to check all the checklist items of the technical inspection in advance (see last year’s inspection sheet).
Another purpose of the ASF is to provide a proper documentation in order to identify test cases for the ASB in advance and to ease up technical inspection. To generate this documentation the ASF consists of multiple documents which need to be prepared in a certain format. To generate a common understanding of the documents and to unify the documentation, some rules have to be followed. These rules and some examples are part of the ASF example documents. These can be found throughout the year with a lot of additional information on the ASF at the hands-on ASF page.

17 Technical Inspection

The technical inspection intends to check the rules compliance of the vehicle. Most of the rules aim at making the competition, but also the whole season, safe and efficient for the team and the officials. Furthermore, the rules ensure that certain features of the vehicle are equivalent to achieve a fair and exciting competition. During the technical inspection most of the safety-relevant features will be checked. Nevertheless, passing technical inspection does not fully certify the vehicle’s rules compliance and therefore further checks during and after the dynamic events may be conducted, see IN 12.1.1. If the vehicle violates any of the rules, it may receive a Disqualified (DQ) or penalty points, also see IN 12.1.4.
The AS related parts of the technical inspection are part of the mechanical and electrical inspection. The former takes care of sensor positions, mechanical ASB design and mountings. The latter checks all other aspects of the AS, such as the overall ASB concept, sensor diagnosis or the inspection mission. The inspection mission is used to simulate a fully operational AS in the technical inspection area, while using a minimum set of required inputs such as sensor signals. It should not depend on the availability of all perception sensors or valid GPS signals. This mission e.g. allows checking a correct ASSI functionality and other safety features. The main focus is the ASB where especially the handling of functional safety is checked to avoid critical failures which make the whole ASB unable to work. During this test, several sensors and actuators will be disconnected in order to evaluate the system’s response. Details on the procedure can be taken from the inspection sheets which can be downloaded from the FSG website prior to the competition. Throughout the season one might refer to last year’s inspection sheet as a preliminary source of information.
The final part of the technical inspection concerning the AS is the EBS brake test. It checks that the vehicle delivers the required brake performance, see T 15.4.2, under dynamic conditions. The details of the test are described in IN 11.2.
