The design of safe automotive electronic systems
Some problems, solutions and open issues
Françoise Simonot-Lion ([email protected])
Nancy Université - LORIA (UMR 7503)
EPFL Summer Research Institute 2007
July 3-21 2007
Françoise Simonot-Lion Nancy Université 1
EPFL July 2007 Summer Research Institute
General context
Automotive industry: the most important economic sector for the next 10 years (Mercer Management Consulting)
Automotive electronics (Strategy Analytics, McKinsey)
In-vehicle embedded systems: electronic components 50%, software components 50% - 1.1 KBytes (1980) → 2 MBytes (2000) → 10 MBytes (2004)
Software technology: new services are easily developed
Customer requirements: cost, comfort, safety
Carmaker or supplier requirements: cost, time to market
Electronic systems = 90% of innovation (Daimler Chrysler)
Mandatory for some functions (control of exhaust emissions)
Cost of electronic embedded systems / cost of a car: 1% (1980) → 20% (2005) → 40% (2015)
Problems
Architectural complexity
[Figure: an in-vehicle architecture - airbags, doors control, steering wheel control, ABS, power train, lights control, climate control, radio, amplifier, ISU - as ECUs (Electronic Component Unit) spread over a comfort network, a body network and a chassis - power train network, linked through a communication service]
Critical functions
Complex communication architecture
VW Phaeton (Jürgen Leohold, IEEE WFCS 2004, Vienna, Austria):
• 11 136 electrical devices
• 61 ECUs, 3 CAN networks, sub-networks, 1 multimedia bus
• 2500 signals exchanged between ECUs in 250 CAN messages
Problems
Functional complexity: number of I/O signals - size of the state vector (external / internal data)
Integration of critical and non-critical functions
Interaction between functions - functional modes
Safety requirements: values, performance / time constraints
Development process shared between several actors: suppliers (subcontractors) / car makers
Interaction between partners: black boxes / white boxes / grey boxes - intellectual property
Process: top-down / bottom-up (reusability)
Standards
Under constraints: cost, quality, variants, safety
Outline
Context and general problems
Automotive domains
An open issue: the safety assessment. Example: a steer-by-wire system
Impact of the communication system
Priority-based protocol
TDMA-based protocol
Conclusions
Powertrain domain
[Figure: the motor controller, driven by the accelerator pedal and the brake pedal, interacts with the climate controller, the ESP controller, ...; constraints: driving facilities, fuel consumption, exhaust pollution]
Powertrain domain
Functional point of view: complex control laws, multi-variable, different sampling periods, cyclic (motor times) - periodic (other systems)
Operational point of view: high computation power (floating point coprocessors), multi-tasking (different activation rules), compromise between cost and resolution of sensors, stringent time constraints (response time, freshness) of ~ 100 µs to ~ 1 ms
Chassis
[Figure: the wheel - suspension - ... controller (ABS - ESP - ASC - 4WD - ...), driven by the steering column and the brake pedal, subject to forces (ground, wind) and interacting with other systems; constraints: comfort, safety]
Chassis
Functional point of view: complex control laws
Operational point of view: high computation power (floating point coprocessors), multi-tasking (different activation rules), compromise between cost and resolution of sensors, distribution, stringent time constraints (response time, freshness, temporal consistency) of ~ 1 ms
Critical domain for safety: X-by-Wire
Body domain
[Figure: controllers for wipers, lights, mirrors, doors, windows, seats, ..., interacting with drivers, passengers and other systems; the domain of innovation]
Body domain
Functional point of view: numerous functions, reactive systems
Operational point of view: highly distributed, hierarchical distributed system (LIN and CAN sub-networks, ..., under a central body electronic unit connected to the other domains), time constraints (response time, temporal consistency; > 1 s), Central Body Unit (critical entity)
Optimal scheduling of tasks, optimal scheduling of messages
Telematic, multimedia domain
[Figure: telediagnostic, ..., human machine interface, multimedia applications and communication, used by the driver and passengers and linked to other systems]
Telematic, multimedia domain
Operational point of view: upgradable devices and applications, « plug and play », properties: security, multimedia QoS
Resource sharing: fluid data streams, bandwidth
Driver assistance, active safety
Night vision support, pedestrian / object recognition
ACC, lane keeping assistant
Collision avoidance
Complexity of the closed loop
Domain characteristics
Domain          | Application type                | Constraints                     | Specification
Power train     | Hybrid systems                  | Hard real time                  | Matlab/Simulink
Chassis         | Hybrid systems                  | Hard real time (safety)         | Matlab/Simulink
Body            | Discrete event systems          | Real time                       | State machine (SDL, Statecharts)
Telematic - HMI | Multimedia data flow processing | Soft real time - Security - QoS | ?
Deterministic guarantees (safety and performance) vs. probabilistic guarantees
An open issue: safety assessment
Design for cost, performance
Design for safety
Reliability of electronic devices: difficult to evaluate formally
Perturbation due to the environment: not completely known
Models for dependability evaluation: difficult to build (what level of accuracy?), difficult to analyze
Emergence of X-by-Wire systems (electronic technology): stringent safety properties required
An open issue: safety assessment. Example: a steer-by-wire system
[Figure: the driver's request goes through filtering, ... and a control law]
An open issue: safety assessment. Example: a steer-by-wire system
[Figure: the filtering and control law functions are distributed over micro-controllers connected on communication networks]
An open issue: safety assessment
Regulatory laws: internal recommendations, TüV
Standards: DO 178B, C (avionics), EN 50128 (railway industry), MISRA (Motor Industry Software Reliability Association), IEC 61508 (generic), ISO 26262 (draft 2005, forecasted publication 2007)
(Automotive) Safety Integrity Level: SIL1 .. SIL4 / ASILx
An open issue: safety assessment - ISO 26262
Identification of scenario, situation: frequency (often, quite often, sometimes, rare events), severity (death of persons, severe, light, no injuries), driver controllability (no, > 1/100, > 1/10)
Determination of the function ASIL: ASIL A, ..., ASIL D
ASILx corresponds to safety integrity attributes: functional (no wrong signals) and quantitative
Probability for a critical failure to occur in one hour < $10^{-n}$
An open issue: safety assessment. Example: a steer-by-wire system
[Figure: the same filtering and control law functions distributed over micro-controllers connected on communication networks]
Probability of a critical failure occurrence < $10^{-9}$
An open issue: safety assessment
A steer-by-wire: safety evaluation on the hardware components / architecture, on the software components (proof, code inspection, test coverage, etc.) and on the operational architecture
Behavioral aspects (tasks, frames): vehicle response time, embedded system response time
Behavior under transient faults (EMI perturbations, overload situations, ...)
An open issue: safety assessment
[Figure: control loop - the system to control is observed by sensors; a computer produces the reference, which is sent over the network to a computer running the discrete controller (control law), whose output drives the actuator (amplifier) acting on the system; system safety is assessed under transient failures]
An open issue: safety assessment
[Figure: hand wheel command (the driver requirement) and front axle position against time t; in fact the axle position follows the command with a delay]
Safety parameters
An open issue: safety assessment
[Figure: hand wheel ECU → network → front axle ECU; hand wheel position against time t, with the delay and the interval between 2 commands]
Safety parameters
An open issue: safety assessment
[Figure: the same chain hand wheel ECU → network → front axle ECU, with an added radar input; hand wheel position against time t and the interval between 2 commands]
Technological standards: networks and protocols - paradigms
Event-triggered: transmission of messages only when an event occurs
+ minimisation of bandwidth consumption, incremental design
- verification of temporal constraints, detection of failed nodes
Time-triggered: transmission of messages at predetermined points in time
+ predictability, detection of failed nodes
- network utilisation (aperiodic messages), flexibility
Protocols, from event-triggered to time-triggered: CAN; TTCAN, FTTCAN, FlexCAN, FlexRay; TTP/C
CAN - format of the frame (CAN standard 2.0A)
SOF: Start of Frame / synchronisation, 1 bit
Header: 18 bits for CAN standard (2.0A), 38 bits for CAN extended (2.0B); in 2.0A the 11-bit identifier (arbitration field), the RTR, IDE and r0 bits and the 4-bit DLC (11 + 1 + 1 + 1 + 4)
Application data: 0..8 bytes
CRC field: error detection, 15 bits
Acknowledgement field (Ack): 3 bits
End of frame (EOF): 7 bits
Intermission frame (Inter): 3 bits
Idle ... frame ... Idle
CAN - priority-based arbitration
Arbitration - dominant bit (0) / recessive bit (1) on the frame identifier
Example: 3 nodes try to emit at the same time (bits each node sends, compared with what it reads back on the bus)
Node 1: 1 1 0 0 1 0 1 1 1 0 1 1 - loses at the 9th bit (sends a recessive 1, reads a dominant 0) and then only listens
Node 2: 1 1 0 0 1 1 0 0 1 0 1 0 - loses at the 6th bit and then only listens
Node 3: 1 1 0 0 1 0 1 1 0 1 0 1
Signal on the bus: 1 1 0 0 1 0 1 1 0 1 0 1 (at each bit the dominant level wins)
Node 3 gains access to the bus
CAN - response time evaluation
Without error
Periodic / sporadic emission of frames: period $T_m$ (seconds), length of application data $s_m$ (bytes)
Bounded jitter on frame emission: jitter $J_m$ (seconds)
Constraint: relative deadline $D_m$ (seconds)
CAN - response time evaluation
Frames are scheduled on the bus according to a Fixed Priority Non-Preemptive (FPNP) scheduling policy. The worst-case response time of a frame is given by (K. Tindell, 1994):
$R_m = J_m + w_m + C_m$
with $J_m$ the emission jitter, $w_m$ the worst waiting time to gain access to the bus and $C_m$ the worst (physical) transmission time; the constraint is $R_m \le D_m$.
CAN - response time evaluation
Worst (physical) transmission time (11-bit identifier):
$C_m = \left( \left\lfloor \frac{34 + 8 s_m}{4} \right\rfloor + 47 + 8 s_m \right) \tau_{bit}$
with $s_m$ the length of the applicative data (bytes), $\tau_{bit}$ the bit time duration (1 µs for a 1 Mbit/s bus) and the floor term the overhead due to bit stuffing.
CAN - response time evaluation
Worst waiting time:
$w_m = B_m + \sum_{\forall j \in hp(m)} \left\lceil \frac{w_m + J_j + \tau_{bit}}{T_j} \right\rceil C_j$
$B_m = \max_{\forall k \in lp(m)} (C_k)$
with $B_m$ the worst blocking time due to frames of lower priority (no preemption), $lp(m)$ the set of frames of lower priority than m, $hp(m)$ the set of frames of higher priority than m and $T_j$ the emission period of frame j; the sum is the worst blocking time due to frames of higher priority.
CAN - response time evaluation
Recurrent algorithm:
$w_m^{0} = 0$
$w_m^{n} = \max_{\forall k \in lp(m)} (C_k) + \sum_{\forall j \in hp(m)} \left\lceil \frac{w_m^{n-1} + J_j + \tau_{bit}}{T_j} \right\rceil C_j$
iterated until $w_m^{n} = w_m^{n-1}$
CAN - response time evaluation
Under errors
Periodic / sporadic emission of frames: period $T_m$ (seconds), length of application data $s_m$ (bytes)
Bounded jitter on frame emission: jitter $J_m$ (seconds)
CAN - response time evaluation
Error model 1 (K. Tindell, 1994): for any t, in [0, t] there are 0 or 1 burst of errors, of size $n_{error}$ errors, and the minimal interarrival time of two consecutive errors is $T_{error}$
Worst case - maximum number of errors in [0, t]:
$\left\lceil \frac{t}{T_{error}} \right\rceil + (n_{error} - 1)$
CAN - response time evaluation
Overhead due to one error: emission of an error frame, 23 $\tau_{bit}$ (worst case), and retransmission of the erroneous frame; in the worst case all the errors occur at the last bit of the longest frame that is able to be transmitted
CAN - response time evaluation
$w_m^{0} = 0$
$w_m^{n} = \max_{\forall k \in lp(m)} (C_k) + E_m(w_m^{n-1} + C_m) + \sum_{\forall j \in hp(m)} \left\lceil \frac{w_m^{n-1} + J_j + \tau_{bit}}{T_j} \right\rceil C_j$
where the max and the sum form the worst waiting time to gain access to the bus (without errors) and $E_m$ is the overhead due to the errors occurring in $[0, w_m^{n-1} + C_m]$:
$E_m(t) = \left( n_{error} + \left\lceil \frac{t}{T_{error}} \right\rceil - 1 \right) \left( 23\, \tau_{bit} + \max_{j \in hp(m)} (C_j) \right)$
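A Python implementation of the analysis on these slides (the transmission time C_m, the fixed-point recurrence for w_m without errors and with the error model 1 overhead E_m, and the count eta_m of error model 2), run on a constructed four-frame message set. This is an added example, not code from the slides; the message set, the integer bit-time units and the inclusion of frame m itself in the "longest retransmitted frame" maximum (the slides write hp(m)) are assumptions.

```python
TAU_BIT = 1e-6  # bit time in seconds (1 us on a 1 Mbit/s bus); the analysis
# below works in integer bit times (tau_bit = 1) so the fixed point is exact.

# Constructed message set, not taken from the slides. Priority 1 is the highest
# (lowest CAN identifier); T = period, J = emission jitter, D = relative
# deadline (all in bit times); s = application data length (bytes).
MESSAGES = [
    {"name": "brake", "prio": 1, "T": 5000,  "J": 100, "s": 4, "D": 5000},
    {"name": "steer", "prio": 2, "T": 10000, "J": 200, "s": 8, "D": 10000},
    {"name": "wheel", "prio": 3, "T": 20000, "J": 0,   "s": 2, "D": 20000},
    {"name": "body",  "prio": 4, "T": 50000, "J": 500, "s": 8, "D": 20000},
]

def ceil_div(a, b):
    return -(-a // b)

def transmission_time(s_m):
    """C_m of an 11-bit identifier frame carrying s_m data bytes, worst-case
    bit stuffing included (the slide's formula after Tindell 1994)."""
    return (34 + 8 * s_m) // 4 + 47 + 8 * s_m

def hp(m, msgs):  # frames of higher priority than m
    return [j for j in msgs if j["prio"] < m["prio"]]

def lp(m, msgs):  # frames of lower priority than m
    return [k for k in msgs if k["prio"] > m["prio"]]

def blocking_time(m, msgs):
    """B_m = max over lp(m) of C_k: a lower-priority frame that already holds
    the bus cannot be preempted."""
    return max((transmission_time(k["s"]) for k in lp(m, msgs)), default=0)

def longest_retransmitted(m, msgs):
    """Longest frame an error can force to be retransmitted. Assumption made
    here: the erroneous frame may be m itself, so m is included with hp(m)."""
    return max(transmission_time(j["s"]) for j in hp(m, msgs) + [m])

def waiting_time(m, msgs, overhead=lambda t: 0, max_iter=10000):
    """Fixed point of  w = B_m + overhead(w + C_m)
                          + sum_{j in hp(m)} ceil((w + J_j + tau_bit) / T_j) * C_j
    by the slide's recurrence w^0 = 0, w^n = f(w^{n-1}).
    Returns None as soon as J_m + w + C_m exceeds D_m (no useful bound)."""
    C_m = transmission_time(m["s"])
    w = 0
    for _ in range(max_iter):
        w_next = blocking_time(m, msgs) + overhead(w + C_m)
        for j in hp(m, msgs):
            w_next += ceil_div(w + j["J"] + 1, j["T"]) * transmission_time(j["s"])
        if w_next == w:
            return w
        if m["J"] + w_next + C_m > m["D"]:
            return None
        w = w_next
    return None

def response_time(m, msgs, overhead=lambda t: 0):
    """R_m = J_m + w_m + C_m, or None when R_m <= D_m cannot be guaranteed."""
    w = waiting_time(m, msgs, overhead)
    return None if w is None else m["J"] + w + transmission_time(m["s"])

def error_overhead_model1(m, msgs, n_error, T_error):
    """E_m(t) of error model 1: at most one burst of n_error errors plus one
    error every T_error, each costing an error frame (23 bit times) and the
    retransmission of the longest frame."""
    cost = 23 + longest_retransmitted(m, msgs)
    return lambda t: (n_error + ceil_div(t, T_error) - 1) * cost

def max_tolerated_errors(m, msgs):
    """eta_m of error model 2: the largest number i of errors for which
    R_m(i) <= D_m, with eps_m(i) = i * (23 bit times + longest frame)."""
    cost = 23 + longest_retransmitted(m, msgs)
    eta, i = None, 0
    while True:
        R = response_time(m, msgs, lambda t, i=i: i * cost)
        if R is None or R > m["D"]:
            return eta
        eta, i = i, i + 1

def analyse(msgs, n_error=3, T_error=10000):
    """Per frame: R_m without errors, R_m under error model 1, and eta_m."""
    return {
        m["name"]: (
            response_time(m, msgs),
            response_time(m, msgs, error_overhead_model1(m, msgs, n_error, T_error)),
            max_tolerated_errors(m, msgs),
        )
        for m in msgs
    }

if __name__ == "__main__":
    ms = lambda x: "none" if x is None else f"{x * TAU_BIT * 1e3:.3f} ms"
    for name, (r0, r1, eta) in analyse(MESSAGES).items():
        print(f"{name}: R = {ms(r0)}, under error model 1 = {ms(r1)}, eta = {eta}")
```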
CAN - response time evaluation
Error model 2 (N. Navet, 1999):
the inter-arrival of errors is given by exp(λ),
the length of a burst (number of errors) is given by u,
when an error occurs, a is the probability that this error is a burst and 1-a that it is a single error
[Figure: errors along the time axis t - bursts of errors (inter-arrival time: exp(λ), length of the burst: u) and single errors]
The number of errors in [0, t] is a random variable X(t)
CAN - response time evaluation
$w_m^{0}(i) = 0$
$w_m^{n}(i) = \max_{\forall k \in lp(m)} (C_k) + \epsilon_m(i) + \sum_{\forall j \in hp(m)} \left\lceil \frac{w_m^{n-1}(i) + J_j + \tau_{bit}}{T_j} \right\rceil C_j$
where the max and the sum form the worst waiting time to gain access to the bus and $\epsilon_m(i)$ is the overhead due to i errors:
$\epsilon_m(i) = i \cdot \left( 23\, \tau_{bit} + \max_{j \in hp(m)} (C_j) \right)$
$\eta_m = \max \{ n \in \mathbb{N} \mid R_m(n) \le D_m \}$
Worst-case deadline failure probability: $P[X(R_m(\eta_m)) > \eta_m]$
TDMA-based protocol
Principles
[Figure: the time t is divided into TDMA rounds (round 1, round 2, round 3, ...); each round (cycle) is made of slots, and each node (A, B, C, D) transmits in its own slot of every round]
TDMA-based protocol
Probability for the system to reach a critical failure mode (Wilwert, 2005), propagation chain:
External fault (EMI perturbation)
Failure at communication system level (erroneous frame)
Fault at the controller level (loss of a reference)
Failure at system level (the system is no longer safe)
TDMA-based protocol
Models
Control law + implementation model: Matlab / Simulink model
SimulinkCar model
Parameters (cycle length, etc.)
Fault injection, indicators
Which reference for each control law execution?
[Figure: reference production (period p) → network (TDMA cycle T) → control law, synchronized with the TDMA cycle → system actuation; the delay is bounded]
Which reference for each control law execution?
Fail silence of the producers
Spatial redundancy (two buses)
Temporal redundancy (FTU = 2 producer nodes)
[Figure: reference production (period p) → network (TDMA cycle T)]
What reference for each control law execution?
Fail silence of the producers
Spatial redundancy (two buses)
Temporal redundancy (FTU = 2 producer nodes)
The probability of non-detection by the controller of an erroneous reference is negligible
Role of the controller
[Figure: an external fault corrupts a slot (KO): failure at the « slot » level]
Role of the controller
[Figure: sequence of TDMA cycles marked KO or OK: KO KO OK KO KO KO OK OK OK OK OK KO KO KO KO KO KO OK KO KO]
Failure at the TDMA-cycle level = fault for the controller
Fault tolerance of the controller: recovery mechanism (compensation)
Role of the controller
Failure of the controller: the controller is able to control the system in a safe mode if and only if there are less than k consecutive faults
Otherwise the system is no longer safe!
Characterization of a perturbation
[Figure: sequence of TDMA cycles marked KO or OK: KO KO OK KO KO KO OK OK OK OK OK KO KO KO KO KO KO OK KO KO]
How long? Length of the perturbation $T_z$ (s); length of the perturbation n (TDMA cycles), worst case:
$n = \left\lceil \frac{T_z}{T} \right\rceil + 2$
Characterization of a perturbation
How? $p_i$: probability for the i-th TDMA cycle in a sequence of n cycles to be fully corrupted
[Figure: $p_1$, $p_2$, ..., $p_n$ over the n cycles]
Problem
Determine the probability of having more than k consecutive corrupted cycles when the system is under a perturbation whose duration is $T_z$ and whose effect is given by the function $P = (p_1, p_2, \ldots, p_n)$:
$P_{fail}(k, T_z, P)$
Technical solutions
Similar to « consecutive-k-out-of-n:F » systems - C(k,n:F)
System = ordered sequence of n components. The system fails if and only if more than k consecutive components fail. $L_n$: number of consecutive failed components
$R(n,k;p) = \sum_{m=0}^{\lfloor (n+1)/(k+1) \rfloor} (-1)^m\, p^{mk}\, q^{m-1} \left( \binom{n-mk}{m-1} + q \binom{n-mk}{m} \right)$ with $q = 1 - p$
$P(L_n < k) = R(n,k;p)$
[Burr, 1961], [Lambiris, 1985], [Hwang, 1986]
Efficient algorithm (ETFA05)
Valid when $p_1 = p_2 = \ldots = p_n = p$
Technical solution for P variable?
Recurrent relation: given a probability profile $P = (p_1, p_2, \ldots, p_n)$
$u_m(k) = u_{m-1}(k) - \lambda_m(k)\, u_{m-k-1}(k)$ for $k+1 \le m \le n$
$u_m(k) = 1$ for $0 \le m \le k-1$
$u_k(k) = 1 - \lambda_k(k)$
$\lambda_m(k) = q_{m-k}\, p_{m-k+1}\, p_{m-k+2} \cdots p_m$ for $m \ge k$, with $q_0 = 1$ and $q_m = 1 - p_m$
$P_{fail}(k, T_z, P) = 1 - u_n(k)$, with $n = \left\lceil \frac{T_z}{T} \right\rceil + 2$
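The two computations of these slides, the closed-form R(n,k;p) for a constant corruption probability and the u_m(k) recurrence for a variable profile, together with P_fail(k, T_z, P) and n = ⌈T_z/T⌉ + 2, as an added Python example (not the slides' own code). The bell-shaped profile is constructed here for illustration and is not the radio-transmitter profile of the case study; a brute-force enumeration is included to check the recurrence on small n.

```python
import math
from itertools import product

def reliability_constant_p(n, k, p):
    """R(n,k;p): probability that n components, each corrupted independently
    with probability p (q = 1 - p), contain no run of k consecutive failures,
    using the closed-form sum of the slides."""
    q = 1.0 - p
    total = 1.0  # the m = 0 term reduces to C(n, 0) = 1
    for m in range(1, (n + 1) // (k + 1) + 1):
        binoms = math.comb(n - m * k, m - 1) + q * math.comb(n - m * k, m)
        total += (-1) ** m * p ** (m * k) * q ** (m - 1) * binoms
    return total

def no_run_probability(profile, k):
    """u_n(k) for a profile P = (p_1, ..., p_n) by the slides' recurrence:
    u_m(k) = u_{m-1}(k) - lambda_m(k) u_{m-k-1}(k), lambda_m(k) = q_{m-k}
    p_{m-k+1} ... p_m, with q_0 = 1 and u_m(k) = 1 for m < k."""
    n = len(profile)
    p = [None] + list(profile)               # 1-based: p[1] .. p[n]
    q = [1.0] + [1.0 - x for x in profile]   # q[0] = 1 by convention
    u = [1.0] * (n + 1)
    for m in range(k, n + 1):
        lam = q[m - k]
        for i in range(m - k + 1, m + 1):
            lam *= p[i]
        earlier = u[m - k - 1] if m > k else 1.0  # u_{-1} := 1 gives u_k = 1 - lambda_k
        u[m] = u[m - 1] - lam * earlier
    return u[n]

def no_run_probability_brute_force(profile, k):
    """Same quantity by enumerating every corruption pattern (small n only)."""
    total = 0.0
    for pattern in product((0, 1), repeat=len(profile)):  # 1 = corrupted cycle
        prob, run, longest = 1.0, 0, 0
        for corrupted, p_i in zip(pattern, profile):
            prob *= p_i if corrupted else 1.0 - p_i
            run = run + 1 if corrupted else 0
            longest = max(longest, run)
        if longest < k:
            total += prob
    return total

def cycles_in_perturbation(Tz_ms, T_ms):
    """Worst-case number of TDMA cycles touched by a perturbation of length Tz:
    n = ceil(Tz / T) + 2 (integer milliseconds keep the ceiling exact)."""
    return -(-Tz_ms // T_ms) + 2

def bell_profile(i, n, peak=0.7):
    """Constructed profile for illustration (not the slides' radio-transmitter
    profile): corruption probability rising to `peak` at the middle cycle."""
    x = (2 * i - n - 1) / (n + 1)
    return peak * (1.0 - x * x)

def p_fail(k, Tz_ms, T_ms, profile_fn=bell_profile):
    """P_fail(k, T_z, P) = 1 - u_n(k) for the profile p_i = profile_fn(i, n)."""
    n = cycles_in_perturbation(Tz_ms, T_ms)
    profile = [profile_fn(i, n) for i in range(1, n + 1)]
    return 1.0 - no_run_probability(profile, k)

if __name__ == "__main__":
    # Same cycle lengths and tolerances as the case-study table (Tz = 1.5 s).
    for T_ms, k in ((4, 10), (7, 5), (10, 4)):
        n = cycles_in_perturbation(1500, T_ms)
        print(f"T = {T_ms} ms: n = {n} cycles, k = {k}, P_fail = {p_fail(k, 1500, T_ms):.3e}")
```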
Case study: a steer-by-wire system
[Figure: the driver's request goes through filtering, ... and a control law]
Extreme situation: vehicle speed (90 km/h), sharp turning
Perturbed area: $T_z$ = 1.5 s
Matlab/Simulink model: controller + vehicle, fault injection / simulation
Controller tolerance: k = maximum tolerated number of consecutive corrupted TDMA cycles
Case study: a steer-by-wire system
Perturbation profile: radio transmitter
[Chart: fault occurrence probability (0 to 0.7) against TDMA cycles 1 to 169; example for n = 169, with $p_i$ given as a function of i and n]
Case study: a steer-by-wire system
Results for the perturbation profile above ($p_i$ as a function of i and n), $T_z$ = 1.5 s:
TDMA cycle T (ms) | Perturbation duration n (TDMA cycles) | Tolerance of the controller k (TDMA cycles) | System failure probability $P_{fail}$
4                 | 377                                   | 10                                          | 2.2 · 10^-8
7                 | 217                                   | 5                                           | 1.6 · 10^-3
10                | 152                                   | 4                                           | 0.8 · 10^-2
Conclusions
The automotive industry depends on software-based embedded systems
Emergence of X-by-Wire systems
Technological standards - communication networks
Safety assessments
Standard ISO 26262
Integration of several points of view: timing and dependability annotations, certification and verification, multi-competency experts
Thank you