The design of safe automotive electronic systems - PowerPoint PPT Presentation

EPFL Summer Research Institute 2007, July 3-21 2007. The design of safe automotive electronic systems: some problems, solutions and open issues


SLIDE 1

The design of safe automotive electronic systems

Some problems, solutions and open issues

Françoise Simonot-Lion (Francoise.Simonot@loria.fr)

Nancy Université - LORIA (UMR 7503)

EPFL Summer Research Institute 2007, July 3-21 2007

SLIDE 2

Françoise Simonot-Lion Nancy Université 1 EPFL July 2007 Summer Research Institute

General Context

  • Automotive industry: the most important economic sector for the next 10 years (Mercer Management Consulting)
  • Automotive electronics (Strategy Analytics, McKinsey)
  • In vehicle embedded systems
      • Electronic components 50%
      • Software components 50% - 1,1 KBytes (1980) → 2 MBytes (2000) → 10 MBytes (2004)
  • Software technology
      • New services are easily developed
      • Customers requirements: cost, comfort, safety
      • Carmakers or suppliers requirements: cost, time to market
  • Mandatory for some functions (control of exhaust emission)

Electronic systems = 90% innovation (Daimler Chrysler)

Cost of Electronic Embedded systems / Cost of a car: 1% (1980), 20% (2005), 40% (2015)

SLIDE 3

Problems

  • Architectural complexity

[Figure: PSA communication service. Labels: Airbags, Doors ctl, Steering Wheel ctl, ABS, Power Train, Lights ctl, Climate ctl, Radio, Amplifier, ISU, Comfort Network, Body Network, Chassis - Power Train Network, ECU (Electronic Component Unit). Annotations: Critical Functions, Complex Communication Architecture]

VW Phaeton (Jürgen Leohold, IEEE WFCS 2004, Vienna, Austria)

  • 11 136 electrical devices
  • 61 ECUs, 3 CAN networks, sub-networks, 1 bus multimedia
  • 2500 signals exchanged between ECUs in 250 CAN messages

SLIDE 4

Problems

  • Functional complexity
      • Number of I/O signals
      • Size of the state vector (external/internal data)
      • Integration of critical and not critical functions
      • Interaction between functions
      • Functional modes
  • Safety requirements:
      • Values
      • Performances / time constraints
  • Development process
      • Shared between several actors: Suppliers (subcontractors) / Car makers
      • Interaction between partners
      • Black boxes / White boxes / Grey boxes
      • Intellectual property
  • Process
      • Top-Down / Bottom-Up (reusability)
      • Standards

Under constraints: Cost, Quality, Variants, Safety

SLIDE 5

Outline

  • Context and general problems
  • Automotive domains
  • An open issue: the safety assessment
      • Example: a steer-by-wire system
  • Impact of the communication system
      • Priority-based protocol
      • TDMA-based protocol
  • Conclusions

SLIDE 6

Powertrain domain

[Figure labels: Motor controller; accelerator pedal, brake pedal; Climate controller, ESP controller; Constraints: driving facilities, fuel consumption, exhaust pollution]

SLIDE 7

Powertrain domain

  • Functional point of view
      • Complex control laws
      • Multi-variables
      • Different sampling periods
      • Cyclic (motor times)
      • Periodic (other systems)
  • Operational point of view
      • High computation power (floating point coprocessors)
      • Multi-tasks (different activation rules)
      • Compromise cost / resolution of sensors

Stringent time constraints (response time, freshness)

~ 100 µs ~ 1 ms

SLIDE 8

Chassis

[Figure labels: Wheel - suspension - … controller (ABS - ESP - ASC - 4WD - …); Steering column, brake pedal; Other systems; Forces: ground, wind; Constraints: comfort, safety]

SLIDE 9

Chassis

  • Functional point of view
      • Complex control laws
  • Operational point of view
      • High computation power (floating point coprocessors)
      • Multi-tasks (different activation rules)
      • Compromise cost / resolution of sensors
      • Distribution

Stringent time constraints (response time, freshness, temporal consistency)

~1 ms

Critical domain for the safety

X-by-Wire

SLIDE 10

Body domain

[Figure labels: controllers; wipers, lights, mirrors, doors, windows, seats, ...; Other systems; Drivers, Passengers; Innovation]

SLIDE 11

Body domain

  • Functional point of view
      • Numerous functions
      • Reactive systems
  • Operational point of view
      • Highly distributed
      • Hierarchical distributed system
      • Central Body Unit (critical entity)
      • Optimal scheduling of tasks
      • Optimal scheduling of messages

Time constraints (response time, temporal consistency)

> 1 s

[Figure labels: Central Body Electronic; LIN; CAN; …; Other domains]

SLIDE 12

Telematic, multimedia domain

[Figure labels: Human Machine Interface; Multimedia applications; Communication; Telediagnostic; …; Driver, Passengers; Other systems]

SLIDE 13

Telematic, multimedia domain

  • Operational point of view
      • Upgradable devices, applications
      • « Plug and play »
  • Properties: security, multimedia QoS
  • Resource sharing
      • Fluid data streams
      • Bandwidth

SLIDE 14

Driver assistance - Active safety

  • Night vision support
  • Pedestrian object recognition
  • ACC
  • Lane keeping assistant
  • Collision avoidance

Complexity of the closed loop

SLIDE 15

Domain characteristics

Domain            Application type                  Constraints                        Specification
Power train       Hybrid systems                    Hard real time                     Matlab/Simulink
Chassis           Hybrid systems                    Hard real time (safety)            Matlab/Simulink
Body              Discrete event systems            Real time                          State machine (SDL, Statecharts)
Telematic - HMI   Multimedia data flow processing   Soft real time – Security – QoS    ?

Deterministic guarantees, safety and performance

Probabilistic guarantees

SLIDE 16

Outline

  • Context and general problems
  • Automotive domains
  • An open issue: the safety assessment
      • Example: a steer-by-wire system
  • Impact of the communication system
      • Priority-based protocol
      • TDMA-based protocol
  • Conclusions

SLIDE 17

An open issue: safety assessment

  • Design for cost, performance
  • Design for safety
      • Reliability of electronic devices: difficult to evaluate formally
      • Perturbation due to environment: not completely known
      • Models for dependability evaluation: difficult to build, what level of accuracy, difficult to analyze
  • Emergence of X-by-Wire systems (electronic technology): required stringent safety properties

SLIDE 18

An open issue: safety assessment

Example: a Steer-by-Wire system

[Figure labels: Drivers' request; Filtering, …; Control law]

SLIDE 19

An open issue: safety assessment

Example: a Steer-by-Wire system

[Figure labels: micro-controllers; Filtering, …; Control law; Connected on communication networks]

SLIDE 20

An open issue: safety assessment

  • Regulatory laws
  • Internal recommendations, TüV
  • Standards
      • DO 178B, C (avionic), EN 50128 (railway industry)
      • MISRA (Motor Industry Software Reliability Association)
      • IEC 61 508 (generic)
      • ISO 26 262 (draft 2005, forecasted publication 2007)

(Automotive) Safety Integrity Level: SIL1 .. SIL4 / ASILx

SLIDE 21

An open issue: safety assessment

  • ISO 26 262
      • Identification of scenario, situation
      • Frequency (often, quite often, sometimes, rare events)
      • Severity (death of persons, severe, light, no injuries)
      • Driver controllability (no, >1/100, >1/10)
  • Determination of function ASIL
      • ASIL A, …, ASIL D
  • ASILx corresponds to safety integrity attributes
      • Functional (no wrong signals)
      • Quantitative: probability for a critical failure to occur in one hour < $10^{-n}$

SLIDE 22

An open issue: safety assessment

Example: a Steer-by-Wire system

[Figure labels: micro-controllers; Filtering, …; Control law; Connected on communication networks]

Probability of a critical failure occurrence < $10^{-9}$

SLIDE 23

An open issue: safety assessment

  • A steer-by-wire: safety evaluation
      • On hardware components/architecture
      • On software components (proof, code inspection, test cover, etc.)
      • On the operational architecture
      • Behavioral aspects (tasks, frames)
      • Vehicle response time
      • Embedded systems response time
      • Behavior under transient faults (EMI perturbations, overload situation, …)

SLIDE 24

An open issue: safety assessment

[Figure labels: System to control; Discrete controller (control law); Actuator (amplifier); Sensors; Network; Reference production; reference; Computer; System safety; Transient failures]

SLIDE 25

An open issue: safety assessment

[Figure: front axle position and hand wheel command plotted against time t. Labels: Driver requirement; In fact; delay]

SLIDE 26

An open issue: safety assessment

  • Safety parameters

[Figure: hand wheel position plotted against time t. Labels: Hand wheel ECU; Network; Front axle ECU; Delay; Interval between 2 commands]

SLIDE 27

An open issue: safety assessment

  • Safety parameters

[Figure: hand wheel position plotted against time t. Labels: Hand wheel ECU; Network; Front axle ECU; radar; Interval between 2 commands]

SLIDE 28

Technological standards

  • Networks and protocols - paradigms
      • Event-triggered: transmission of messages only when an event occurs
          + minimisation of bandwidth consumption, incremental design
          - verification of temporal constraints, detection of failed nodes
      • Time-triggered: transmission of message at predetermined points in time
          + predictability, detection of failed nodes
          - network utilisation (aperiodic messages), flexibility

CAN, TTP/C, TTCAN, FTTCAN, FlexCAN, FlexRay

SLIDE 29

Outline

  • Context and general problems
  • Automotive domains
  • An open issue: the safety assessment
      • Example: a steer-by-wire system
  • Impact of the communication system
      • Priority-based protocol
      • TDMA-based protocol
  • Conclusions

SLIDE 30

CAN – format of the frame

Idle … | SOF | Header | Application data | CRC field | Acknowledgement field | EOF | Inter | … Idle

  • SOF: Start of Frame (SOF) / synchronisation, 1 bit
  • Header: 18 bits - standard CAN (2.0A); 38 bits - extended CAN (2.0B)
  • Application data: data, 0..8 bytes
  • CRC field: error detection, 15 bits
  • Acknowledgement field: Ack, 3 bits
  • End of frame (EOF), Intermission frame (Inter): EOF 7 bits, Inter 3 bits

Arbitration field: 1 1 1 11 4

CAN standard (2.0A)

SLIDE 31

CAN – Priority-based arbitration

  • Arbitration – bit dominant (0) / recessive (1)
  • Frame identifier
  • Example: 3 nodes try to emit at the same time

[Figure: bits emitted by Node 1, Node 2 and Node 3 and the resulting signal on the bus. Labels: listen, listen; Node 3 gains access to the bus]

SLIDE 32

CAN – response time evaluation

  • Without error
      • Periodic / sporadic emission of frames
          • Period $T_m$ (seconds)
          • Length of application data $s_m$ (bytes)
      • Bounded jitter on frame emission
          • Jitter $J_m$ (seconds)
      • Constraint
          • Relative deadline $D_m$ (seconds)

SLIDE 33

CAN – response time evaluation

  • Frames are scheduled on the bus according to a Fixed Priority Non Preemptive (FPNP) scheduling policy
  • The worst case response time of a frame is given by (K. Tindell, 1994):

$$R_m = J_m + w_m + C_m$$

  • $J_m$: emission jitter
  • $w_m$: worst waiting time to gain access to the bus
  • $C_m$: worst (physical) transmission time

$$R_m \le D_m$$

SLIDE 34

CAN – response time evaluation

  • Worst (physical) transmission time (11 bits identifier)

$$C_m = \left( \left\lfloor \frac{34 + 8 s_m}{4} \right\rfloor + 47 + 8 s_m \right) \tau_{bit}$$

  • $s_m$: length of applicative data (bytes)
  • $\tau_{bit}$: bit time duration (1 μs for a 1 Mbit/s bus)
  • $\left\lfloor \frac{34 + 8 s_m}{4} \right\rfloor$: overhead due to stuffing

SLIDE 35

CAN – response time evaluation

  • Worst waiting time

$$w_m = B_m + \sum_{\forall j \in hp(m)} \left\lceil \frac{w_m + J_j + \tau_{bit}}{T_j} \right\rceil C_j$$

$$B_m = \max_{\forall k \in lp(m)} (C_k)$$

  • $B_m$: worst blocking time due to frames of lower priority (no preemption)
  • $lp(m)$: set of frames of lower priority than m
  • $T_j$: emission period of frame j
  • $hp(m)$: set of frames of higher priority than m
  • the sum over $hp(m)$: worst blocking time due to frames of higher priority

SLIDE 36

CAN – response time evaluation

  • Recurrent algorithm

$$w_m^{n} = \max_{\forall k \in lp(m)} (C_k) + \sum_{\forall j \in hp(m)} \left\lceil \frac{w_m^{n-1} + J_j + \tau_{bit}}{T_j} \right\rceil C_j$$

[The slide's second equation, starting $w_m =$, is truncated]

SLIDE 37

CAN – response time evaluation

  • Under errors
      • Periodic / sporadic emission of frames
          • Period $T_m$ (seconds)
          • Length of application data $s_m$ (bytes)
      • Bounded jitter on frame emission
          • Jitter $J_m$ (seconds)

SLIDE 38

CAN – response time evaluation

  • Error model 1 (K. Tindell, 1994)

∀ t, in [0,t]

  • 0 or 1 burst of errors
  • Size of the burst: $n_{errors}$
  • Minimal interarrival of two consecutive errors: $T_{errors}$

Worst case – maximum number of errors in [0,t]:

$$n_{error} + \left\lceil \frac{t}{T_{error}} \right\rceil - 1$$

SLIDE 39

CAN – response time evaluation

  • Overhead due to one error
      • Error frame emission: $23\,\tau_{bit}$ (worst case)
      • Retransmission of the erroneous frame
      • Occurrence of all the errors at the last bit of the longest frame that is able to be transmitted (worst case)

SLIDE 40

CAN – response time evaluation

$$w_m^{n} = \max_{\forall k \in lp(m)} (C_k) + E_m\left(w_m^{n-1} + C_m\right) + \sum_{\forall j \in hp(m)} \left\lceil \frac{w_m^{n-1} + J_j + \tau_{bit}}{T_j} \right\rceil C_j$$

[The slide's second equation, starting $w_m =$, is truncated]

  • The first and last terms: worst waiting time to gain access to the bus (without errors)
  • $E_m$: overhead due to the errors occurring in $\left[\, w_m^{n-1} + C_m \,\right]$

$$E_m(t) = \left( n_{error} + \left\lceil \frac{t}{T_{error}} \right\rceil - 1 \right) \cdot \left( 23\,\tau_{bit} + \max_{j \in hp(m)} (C_j) \right)$$
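The recurrences of slides 33 to 40, iterated to their fixed point, as an added example that is not part of the original slides. The frame set, its names and the error parameters are constructed; all times are integer bit times (so $\tau_{bit} = 1$, i.e. µs on a 1 Mbit/s bus), and the retransmitted frame is assumed to be any frame of $hp(m)$ or frame m itself.

```python
"""Worst-case CAN response times after K. Tindell (1994), in integer bit times."""


def ceil_div(a, b):
    """Ceiling of a / b for non-negative integers, without float rounding."""
    return -(-a // b)


def c_bits(s_m):
    """C_m / tau_bit for s_m data bytes and an 11-bit identifier (slide 34)."""
    return 47 + 8 * s_m + (34 + 8 * s_m) // 4


def response_time(frames, m, n_error=0, t_error=None):
    """R_m = J_m + w_m + C_m for frames[m]; frames sorted by decreasing priority.

    With t_error set, error model 1 adds E_m(w + C_m) at each iteration.
    Returns R_m once w_m has converged, or None as soon as the bound
    exceeds the relative deadline D_m.
    """
    c = [c_bits(f["s"]) for f in frames]
    blocking = max(c[m + 1:], default=0)      # B_m: longest lower-priority frame
    # Error frame (23 bits) plus the longest frame that may be retransmitted.
    # Assumption of this example: that frame is in hp(m) or is m itself.
    per_error = 23 + max(c[:m + 1])
    w = 0
    while True:
        errors = 0
        if t_error is not None:
            errors = (n_error + ceil_div(w + c[m], t_error) - 1) * per_error
        interference = sum(
            ceil_div(w + f["J"] + 1, f["T"]) * c[j]   # the "+ 1" is tau_bit
            for j, f in enumerate(frames[:m])
        )
        w_next = blocking + errors + interference
        r = frames[m]["J"] + w_next + c[m]
        if r > frames[m]["D"]:
            return None                       # deadline already missed
        if w_next == w:
            return r                          # fixed point reached
        w = w_next


# Constructed frame set, highest priority first. T, J, D in bit times, s in bytes.
FRAMES = [
    {"name": "steer_cmd", "T": 5000, "J": 0, "s": 8, "D": 500},
    {"name": "wheel_speed", "T": 10000, "J": 100, "s": 4, "D": 10000},
    {"name": "diag", "T": 20000, "J": 200, "s": 8, "D": 20000},
]


def analyse(frames, **error_model):
    """Response time of every frame, keyed by name (None = deadline missed)."""
    return {
        f["name"]: response_time(frames, m, **error_model)
        for m, f in enumerate(frames)
    }


if __name__ == "__main__":
    print("no errors     :", analyse(FRAMES))
    print("error model 1 :", analyse(FRAMES, n_error=2, t_error=1000))
```

In this constructed set the highest-priority frame meets its deadline on an error-free bus and misses it under error model 1, because every tolerated error costs an error frame plus a full retransmission.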

SLIDE 41

CAN – response time evaluation

  • Error model 2 (N. Navet, 1999)
      • the inter-arrival of errors is given by exp(λ),
      • the length of a burst (number of errors) is given by u,
      • when an error occurs, a is the probability that this error is a burst and 1-a that it is a single error

[Figure: errors along the time axis t. Labels: Burst of errors; Single errors; Inter-arrival time: exp(λ); Length of the burst: u]

The number of errors in [0 t] is a random variable X(t)

SLIDE 42

CAN – response time evaluation

$$w_m^{n}(i) = \max_{\forall k \in lp(m)} (C_k) + \varepsilon_m(i) + \sum_{\forall j \in hp(m)} \left\lceil \frac{w_m^{n-1}(i) + J_j + \tau_{bit}}{T_j} \right\rceil C_j$$

[The slide's second equation, starting $w_m(i) =$, is truncated]

  • $w_m(i)$: worst waiting time to gain access to the bus
  • $\varepsilon_m(i)$: overhead due to i errors

$$\varepsilon_m(i) = i \cdot \left( 23\,\tau_{bit} + \max_{j \in hp(m)} (C_j) \right)$$

$$\eta_m = \max \{\, n \in \mathbb{N} \mid R_m(n) \le D_m \,\}$$

worst-case deadline failure probability

$$P\left[\, X(R_m(\eta_m)) > \eta_m \,\right]$$

SLIDE 43

Outline

  • Context and general problems
  • Automotive domains
  • An open issue: the safety assessment
      • Example: a steer-by-wire system
  • Impact of the communication system
      • Priority-based protocol
      • TDMA-based protocol
  • Conclusions

SLIDE 44

TDMA-based protocol

  • Principles

[Figure: time axis t showing TDMA round 1, TDMA round 2 and TDMA round 3. Labels: cycle, slot. Rows for Node A, Node B, Node C and Node D, each marked X X X]

SLIDE 45

TDMA-based protocol

  • Probability for the system to reach a critical failure mode (Wilwert, 2005)
      • External fault (EMI perturbation)
      • Failure at communication system level (erroneous frame)
      • Fault at the controller level (loss of a reference)
      • Failure at system level (the system is no more safe)

SLIDE 46

An open issue: safety assessment

[Figure labels: System to control; Discrete controller (control law); Actuator (amplifier); Sensors; Network; Reference production; reference; Computer; System safety; Transient failures]

SLIDE 47

TDMA-based protocol

  • Models

[Figure labels: Control law + implementation model; Matlab / Simulink model; SimulinkCar model; Parameters (cycle length, etc.); Fault injection; Indicators]

SLIDE 48

Which reference for each control law execution?

[Figure labels: Reference production (p); Network; TDMA cycle T; Control law; System actuation; Control law synchronized with the TDMA cycle; Bounded delay]

SLIDE 49

Which reference for each control law execution?

  • Fail silence of the producers
  • Spatial redundancy (two buses)
  • Temporal redundancy (FTU = 2 producer nodes)

[Figure labels: Reference production (p); Network; TDMA cycle T]

SLIDE 50

What reference for each control law execution?

  • Fail silence of the producers
  • Spatial redundancy (two buses)
  • Temporal redundancy (FTU = 2 producer nodes)

[Figure labels: Reference production (p); Network; TDMA cycle T]

The probability of non-detection by the controller of an erroneous reference is negligible

SLIDE 51

Role of the controller

[Figure labels: External fault; KO; Failure at the « slot » level]

SLIDE 52

Role of the controller

[Figure: sequence marked KO KO OK KO KO KO OK OK OK OK OK KO KO KO KO KO KO OK KO KO]

Failure at the TDMA-cycle level = Fault for the controller

Fault tolerance of the controller: recovery mechanism (compensation)

SLIDE 53

Role of the controller

  • Failure of the controller: the controller is able to control the system in a safe mode if and only if there are less than k consecutive faults

The system is therefore no more safe!

SLIDE 54

Characterization of a perturbation

How long?

[Figure: sequence marked KO KO OK KO KO KO OK OK OK OK OK KO KO KO KO KO KO OK KO KO]

  • Length of the perturbation: $T_z$ (s)
  • Length of the perturbation: $n$ (TDMA cycles) – worst case

$$n = \left\lceil \frac{T_z}{T} \right\rceil + 2$$

SLIDE 55

Characterization of a perturbation

How?

$p_i$: probability for the i-th TDMA cycle in a sequence of n cycles to be fully corrupted

$p_1,\ p_2,\ \ldots,\ p_n$

SLIDE 56

Problem

To determine the probability to have more than k consecutive corrupted cycles when the system is under a perturbation whose duration is $T_z$ and whose effect is given by the function $P\,(p_1, p_2, \ldots, p_n)$:

$P_{fail}(k, T_z, P)$

SLIDE 57

Technical solutions

  • Similar to « consecutive-k-out-of-n:F » systems - C(k,n:F)
      • System = ordered sequence of n components
      • The system fails if and only if more than k consecutive components fail
      • $L_n$: number of consecutive failed components

$p_1 = p_2 = \ldots = p_n = p$

$$R(n,k;p) = \sum_{m=0}^{\left\lfloor (n+1)/(k+1) \right\rfloor} (-1)^m\, p^{mk}\, q^{m-1} \left( \binom{n-mk}{m-1} + q \binom{n-mk}{m} \right) \quad \text{with } q = 1 - p$$

$$P(L_n < k) = R(n,k;p)$$

[Burr,1961], [Lambridis,1985], [Hwang,1986]

Efficient algorithm (ETFA05)

slide-58
SLIDE 58

Technical solution for P variable?

  • Recurrent relation: given a probability profile P = (p1, p2, …, pn)

$$u_m(k) = u_{m-1}(k) - \lambda_m(k)\, u_{m-k-1}(k) \quad \text{for } k+1 \le m \le n$$

$$u_m(k) = 1 \quad \text{for } 0 \le m \le k-1$$

$$u_k(k) = 1 - \lambda_k(k)$$

$$\lambda_m(k) = q_{m-k}\, p_{m-k+1}\, p_{m-k+2} \cdots p_m \quad \text{for } m \ge k, \quad \text{with } q_0 = 1 \text{ and } q_m = 1 - p_m$$

Pfail(k, Tz, P) = 1 - un(k), with

$$n = \left\lceil \frac{T_z}{T} \right\rceil + 2$$
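An added Python example (not code from the presentation or the cited ETFA'05 paper) that implements the recurrence u_m(k) for a variable profile and cross-checks it against the closed form R(n,k;p) and a brute-force enumeration. It assumes that failure means a run of k or more consecutive corrupted cycles, as in P(Ln < k) = R(n,k;p), so pass k+1 for a strict "more than k" reading; the function names and SAMPLE_PROFILE are constructed for illustration.

```python
from itertools import product
from math import comb, prod

def cycles_in_perturbation(tz_ms: int, t_ms: int) -> int:
    """Worst-case cycle count from the slides: n = ceil(Tz / T) + 2."""
    return -(-tz_ms // t_ms) + 2

def u_n(profile, k):
    """u_n(k): probability that no run of k consecutive cycles is corrupted."""
    if k < 1:
        raise ValueError("k must be >= 1")
    n = len(profile)
    p = [0.0] + list(profile)                  # 1-based: p[i] = p_i
    q = [1.0] + [1.0 - x for x in profile]     # q_0 = 1, q_m = 1 - p_m
    u = [1.0] * (n + 1)                        # u_m(k) = 1 for 0 <= m <= k-1
    for m in range(k, n + 1):
        lam = q[m - k] * prod(p[m - k + 1:m + 1])   # lambda_m(k)
        before = u[m - k - 1] if m > k else 1.0     # m = k gives 1 - lambda_k(k)
        u[m] = u[m - 1] - lam * before
    return u[n]

def pfail(profile, k):
    """Pfail = 1 - u_n(k) for the given probability profile."""
    return 1.0 - u_n(profile, k)

def r_closed(n, k, p):
    """Closed form R(n,k;p) for a constant profile p_1 = ... = p_n = p."""
    q, total = 1.0 - p, 0.0
    for m in range((n + 1) // (k + 1) + 1):
        term = comb(n - m * k, m) * q ** m
        if m:                                   # the binomial with m-1 is 0 for m = 0
            term += comb(n - m * k, m - 1) * q ** (m - 1)
        total += (-1) ** m * p ** (m * k) * term
    return total

def pfail_brute(profile, k):
    """Exhaustive check over all 2^n outcomes (small n only)."""
    total = 0.0
    for bits in product("01", repeat=len(profile)):
        if "1" * k in "".join(bits):            # "1" marks a corrupted cycle
            total += prod(x if b == "1" else 1.0 - x for x, b in zip(profile, bits))
    return total

# Constructed sample profile (not the radio-transmitter profile of the slides).
SAMPLE_PROFILE = [0.05, 0.1, 0.3, 0.5, 0.6, 0.5, 0.3, 0.1, 0.05, 0.02]

if __name__ == "__main__":
    for t in (4, 7, 10):
        print(t, "ms ->", cycles_in_perturbation(1500, t), "cycles")
    print(pfail(SAMPLE_PROFILE, 3), pfail_brute(SAMPLE_PROFILE, 3))
    print(u_n([0.1] * 152, 4), r_closed(152, 4, 0.1))
```

With Tz = 1.5 s, cycles_in_perturbation returns 377, 217 and 152 cycles for T = 4, 7 and 10 ms, the n values used in the case study.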

slide-59
SLIDE 59

Case study: a Steer-by-Wire system

[Figure: block diagram with driver's request, filtering, …, control law]

  • Extreme situation
  • vehicle speed (90 km/h)
  • sharp turning
  • Perturbed area Tz = 1.5 s
  • Matlab/Simulink model
  • Controller + Vehicle
  • Fault injection / simulation
  • controller tolerance k = maximum tolerated number of consecutive corrupted TDMA cycles

slide-60
SLIDE 60

Case study: a Steer-by-Wire system

  • Perturbation profile: radio transmitter

[Figure: fault occurrence probability (y-axis, 0.1 to 0.7) versus TDMA cycles (x-axis, 1 to 161)]

Example for: n = 169

2

10 1 20 2

i

p n i = + ⎛ ⎞ − + ⎜ ⎟ ⎝ ⎠

slide-61
SLIDE 61

Case study: a Steer-by-Wire system

2

10 1 20 2

i

p n i = + ⎛ ⎞ − + ⎜ ⎟ ⎝ ⎠

| TDMA cycle T (ms) | Perturbation duration n (TDMA cycles) | Tolerance of the controller k (TDMA cycles) | System failure probability Pfail |
|---|---|---|---|
| 4 | 377 | 10 | 2.2 × 10^-8 |
| 7 | 217 | 5 | 1.6 × 10^-3 |
| 10 | 152 | 4 | 0.8 × 10^-2 |

slide-62
SLIDE 62

Conclusions

  • Automotive industry is dependent on software-based embedded systems
  • Emergence of X-by-Wire systems
  • Technological standards – communication networks
  • Safety assessments
  • Standard ISO 26262
  • Integration of several points of view

Timing, dependability annotations
Certification, verification
Multi-competencies experts

slide-63
SLIDE 63

References

  • K. Tindell, H. Hanssmon, A. J. Wellings, Analysing Real-Time Communications: Controller Area Network (CAN), IEEE Real-Time Systems Symposium 1994: 259-263
  • K. Tindell, A. Burns, A. J. Wellings, An Extendible Approach for Analyzing Fixed Priority Hard Real-Time Tasks, Real-Time Systems 6(2): 133-151 (1994)
  • K. Tindell, J. Clark, Holistic schedulability analysis for distributed hard real-time systems, Microprocessors and Microprogramming, vol. 40, pp. 117–134, 1994.
  • A. Burns, K. Tindell, A. J. Wellings, Effective Analysis for Engineering Real-Time Fixed Priority Schedulers, IEEE Trans. Software Eng. 21(5): 475-480 (1995)
  • K. Tindell, A. Burns, A. J. Wellings, Calculating controller area network (CAN) message response times, Control Engineering Practice, vol. 3, no. 8, pp. 1163–1169, 1995.
  • N. C. Audsley, Alan Burns, R. I. Davis, K. Tindell, A. J. Wellings, Fixed Priority Pre-emptive Scheduling: An Historical Perspective, Real-Time Systems 8(2-3): 173-198 (1995)
  • K. Tindell, A. Burns, A. J. Wellings, Analysis of Hard Real-Time Communications, Real-Time Systems 9(2): 147-171 (1995)
  • S. Poledna, Fault-Tolerant Real-Time Systems: The Problem of Replica Determinism, Kluwer Academic Publishers, 1996.
  • H. Kopetz, Real-Time Systems: Design Principles for Distributed Embedded Applications, Kluwer Academic Publishers, 1997.
  • M. Krug, A. V. Schedl, New demands for in-vehicle networks, in Proceedings of the 23rd EUROMICRO Conference’97, Budapest, Hungary, July 1997, pp. 601–605.
  • X-by-Wire Project, Brite-EuRam 111 Program, X-By-Wire - safety related fault tolerant systems in vehicles, final Report, 1998.
  • S. Poledna, W. Ettlmayr, M. Novak, Communication bus for automotive applications, in Proceedings of the 27th European Solid-State Circuits Conference, Villach, Austria, September 2001.
  • N. Navet, Y.-Q. Song, Validation of real-time in-vehicle applications, Computers in Industry, vol. 46, no. 2, pp. 107–122, November 2001.

slide-64
SLIDE 64

References

  • H. Pfeifer, F.W. von Henke, Formal Analysis for Dependability Properties: the Time-Triggered Architecture Example, in Proceedings of the 8th IEEE International Conference on Emerging Technologies and Factory Automation (ETFA 2001), October 2001, pp. 343–352.
  • G. Leen, D. Heffernan, Expanding automotive electronic systems, IEEE Computer, vol. 35, no. 1, January 2002.
  • P. Koopman, Critical embedded automotive networks, IEEE Micro, Special Issue on Critical Embedded Automotive Networks, vol. 22, no. 4, pp. 14–18, July-August 2002.
  • L.-B. Fredriksson, CAN for critical embedded automotive networks, IEEE Micro, vol. 22, no. 4, July-August 2002.
  • G. Lima, A. Burns, Timing-independent safety on top of CAN, in Proceedings of the 1st International Workshop on Real-Time LANs in the Internet Age, Vienna, Austria, 2002.
  • G. Lima, A. Burns, A consensus protocol for CAN-based systems, in Proceedings of the 24th Real-time Systems Symposium, 2003, pp. 420–429.
  • G. Rodriguez-Navas, M. Barranco, and J. Proenza, Harmonizing dependability and real time in CAN networks, in 2nd International Workshop on Real-Time LANs in the internet Age, Porto, Portugal, 2003.
  • L.M. Pinho, F. Vasques, Reliable real-time communication in CAN networks, IEEE Transactions on Computers, vol. 52, no. 12, pp. 1594–1607, 2003.
  • J. Rushby, A comparison of bus architecture for safety-critical embedded systems, Technical Report NASA/CR-2003-212161, NASA, March 2003.
  • A. Albert, Comparison of event-triggered and time-triggered concepts with regards to distributed control systems, in Proceedings of Embedded World 2004, Nürnberg, February 2004.
  • M. Ayoubi, T. Demmeler, H. Leffler, P. Köhn, X-by-Wire functionality, performance and infrastructure, in Proceedings of Convergence 2004, Detroit, Michigan, 2004.
  • P. Bühring, Safe-by-Wire Plus: Bus communication for the occupant safety system, in Proceedings of Convergence 2004, Detroit, Michigan, 2004.

slide-65
SLIDE 65

References

  • R. Santos Marques, F. Simonot-Lion, N. Navet, Development of an in-vehicle communication middleware, Object Oriented Modeling of Embedded Real-Time Systems, Post-proceedings of OMER 3, Heinz-Nixdorf Institute publisher, 2005.
  • N. Navet, F. Simonot-Lion, Fault Tolerant Services for Safe In-Car Embedded Systems, in The Embedded Systems Handbook, CRC Press, 2005.
  • C. Wilwert, N. Navet, Y.-Q. Song, F. Simonot-Lion, Design of Automotive X-by-Wire Systems, in The Industrial Communication Technology Handbook, CRC Press, 2005.
  • B. Gaujal, N. Navet, Maximizing the Robustness of TDMA Networks with Applications to TTP/C, Real-Time Systems, Kluwer Academic Publishers, vol 31, n°1-3, pp5-31, December 2005.
  • N. Navet, Y.-Q. Song, F. Simonot-Lion, C. Wilwert, Trends in Automotive Communication Systems, Proceedings of the IEEE, special issue on Industrial Communications Systems, invited paper, vol 96, n°6, pp1204-1223, 2005.
  • N. Navet, Y-Q. Song, F. Simonot, Worst-Case Deadline Failure Probability in Real-Time Applications Distributed over CAN (Controller Area Network), Journal of Systems Architecture, Elsevier Science, vol. 46, n°7, 2000.
  • F. Simonot-Lion, Y.-Q. Song, Design and validation process of in-vehicle embedded electronic systems, in The Embedded Systems Handbook, CRC Press - Taylor&Francis (Ed.) (2005)
  • F. Simonot, F. Simonot-Lion, Y.-Q. Song, Dependability Evaluation of Real-Time Applications Distributed on TDMA-Based Networks, in 6th IFAC International Conference on Fieldbus Systems and their Applications - FeT'2005 (2005)
  • F. Simonot-Lion, F. Simonot, Y.-Q. Song, C. Wilwert, Quantitative Evaluation of the Safety of X-by-Wire Architecture subject to EMI Perturbations, in 10th IEEE International Conference on Emerging Technologies and Factory Automation - ETFA'2005 1 (2005) 755-762
  • R. I. Davis, A. Burns, R. J. Bril, J. J. Lukkien, Controller Area Network (CAN) schedulability analysis: Refuted, revisited and revised, Real-Time Systems 35(3): 239-272 (2007)

slide-66
SLIDE 66

Thank you