Abstract: The domain controller is a controller that integrates multiple electronic control units. It makes the overall vehicle cost lower and control more efficient. Integrating the functions of the vehicle control unit (VCU) into the domain controller helps optimize and enhance functions such as torque control and fault diagnosis. The main purpose of torque control is to control the motor output torque safely to meet the driver's demands. This paper mainly proposes a torque monitoring strategy for the domain controller based on the E-GAS three-layer safety architecture to separate the torque control and torque monitoring functions. At the same time, based on the fault tree analysis (FTA) method, a safety tree analysis of the torque control function is conducted to derive relevant safety measures for development. Finally, in response to program flow monitoring failure, occasional watchdog short-term feeding anomalies, failure to send application messages, and loss of vehicle power, it is proposed to store snapshots of key application layer data in random access memory (RAM). When the watchdog function is restored, the application layer gradually returns to normal operation based on the snapshot data and input data. After bench testing, the results show that this architecture design can achieve torque control functions and enter a safe state in a timely manner in failure modes, and meet safety goals.

Key words: domain controller; functional safety; torque control; monitoring strategy

摘要： 域控制器是集成多个电子控制单元的控制器，它使整车成本更低、控制更高效。将整 车控制器（VCU）的功能集成到域控制器内，有助于优化提升扭矩控制、故障诊断等功能。 扭矩控制主要目的是为满足驾驶员需求控制电机输出安全扭矩。文章主要针对非预期的异常 扭矩输出问题，提出一种基于 E-GAS 三层安全架构的域控制器扭矩监控策略，实现扭矩控制 与扭矩监控功能分离。同时基于故障树分析（FTA）方法，在对扭矩控制功能进行安全树状 分析的同时，推导出用于开发的相关安全措施。最后，针对程序流监控失效，偶发看门狗短 时喂狗异常，应用报文无法发出，整车动力丢失情况，提出随机存取存储器（RAM）存储应 用层关键数据快照，当喂狗功能恢复后，应用层基于快照数据及输入数据逐步恢复正常状态 运行。经过台架测试，结果显示该架构设计能够实现扭矩控制功能，并在失效模式下及时进 入安全状态，达到安全目标。

关键词: 域控制器；功能安全；扭矩控制；监控策略