EXPERIENCES FROM MODEL BASED DEVELOPMENT OF DRIVE-BY-WIRE CONTROL SYSTEMS

Similar documents
On Communication Requirements for Control-by-Wire Applications. R. Johansson, Chalmers University College, Goteborg, Sweden

Communication Networks for the Next-Generation Vehicles

AVS: A Test Suite for Automatically Generated Code

AUTOMOBILE APPLICATIONS USING CAN PROTOCOL

Functional Safety and Safety Standards: Challenges and Comparison of Solutions AA309

A Model-Based Reference Workflow for the Development of Safety-Related Software

A CAN-Based Architecture for Highly Reliable Communication Systems

Diagnosis in the Time-Triggered Architecture

Chapter 39: Concepts of Time-Triggered Communication. Wenbo Qiao

FlexRay International Workshop. Protocol Overview

Building Safer UGVs with Run-time Safety Invariants

MATLAB Expo Simulation Based Automotive Communication Design using MATLAB- SimEvent. Sudhakaran M Anand H General Motors

Understanding SW Test Libraries (STL) for safetyrelated integrated circuits and the value of white-box SIL2(3) ASILB(D) YOGITECH faultrobust STL

Testing for the Unexpected Using PXI

Field buses (part 2): time triggered protocols

Amrita Vishwa Vidyapeetham. ES623 Networked Embedded Systems Answer Key

Is This What the Future Will Look Like?

The House Intelligent Switch Control Network based On CAN bus

Safety and Reliability of Software-Controlled Systems Part 14: Fault mitigation

LabVIEW FPGA in Hardware-in-the-Loop Simulation Applications

Fault-Injection testing and code coverage measurement using Virtual Prototypes on the context of the ISO standard

Introduction to Control Systems Design

Designing a software framework for automated driving. Dr.-Ing. Sebastian Ohl, 2017 October 12 th

FlexRay The Hardware View

In-Vehicle Network Architecture for the Next-Generation Vehicles SAE TECHNICAL PAPER SERIES

10 th AUTOSAR Open Conference

DEVELOPMENT OF DISTRIBUTED AUTOMOTIVE SOFTWARE The DaVinci Methodology

DO-254 Implementation of CAN for Mil-Aero/ Safety Critical Applications

Issues in Programming Language Design for Embedded RT Systems

Experiences with CANoe-based Fault Injection for AUTOSAR

Distributed Embedded Systems and realtime networks

ISO INTERNATIONAL STANDARD. Road vehicles FlexRay communications system Part 1: General information and use case definition

New ARMv8-R technology for real-time control in safetyrelated

Embedded Real-Time Systems. Facts and figures. Characteristics


CAN bus switch panels mounted either on the dash or the steering wheel allow for vastly simplified wiring and reduced weight.

SCADA Software. 3.1 SCADA communication architectures SCADA system

Automated Freedom from Interference Analysis for Automotive Software

Developing Algorithms for Robotics and Autonomous Systems

DISTRIBUTED REAL-TIME SYSTEMS

Fault tolerant TTCAN networks

LIN Protocol-Emerging Trend in Automotive Electronics

Safety Driven Optimization Approach for Automotive Systems. Slim DHOUIBI, PhD Student, VALEO - LARIS

Static Analysis of Embedded Systems

FlexRay and Automotive Networking Future

Reliable Statements about a Fault-Tolerant X-by-Wire ecar. Reliable Statements about a Fault-Tolerant X-by-Wire ecar Unrestricted 2017 Siemens AG

Product Information Embedded Operating Systems

Sichere Intelligente Mobilität - Testfeld Deutschland. Safe Intelligent Mobility Field Test Germany

Lessons Learned Implementing an IEC based Microgrid Power- Management System. K.A. GRAY, J.J. MRAZ* POWER Engineers, Inc.

TM2.0 Enabling vehicle interaction with traffic management. TF3 Principles for data. Report

Operating Systems, Concurrency and Time. real-time communication and CAN. Johan Lukkien

Design of Serial Interface for Neuron Base Smart Sensors

Driving virtual Prototyping of Automotive Electronics

Functional Safety Architectural Challenges for Autonomous Drive

Deriving safety requirements according to ISO for complex systems: How to avoid getting lost?

Verification and Validation of High-Integrity Systems

ICS Regent. Monitored Digital Input Modules 24 VDC (T3411) PD-6031

Workpackage WP2.5 Platform System Architecture. Frank Badstübner Ralf Ködel Wilhelm Maurer Martin Kunert F. Giesemann, G. Paya Vaya, H.


Distributed Deadlock

Model-Based Synthesis of Fault Trees from Matlab - Simulink models

Rensselaer Polytechnic Institute

An Encapsulated Communication System for Integrated Architectures

Failure Diagnosis and Prognosis for Automotive Systems. Tom Fuhrman General Motors R&D IFIP Workshop June 25-27, 2010

Riccardo Mariani, Intel Fellow, IOTG SEG, Chief Functional Safety Technologist

EP A1 (19) (11) EP A1 (12) EUROPEAN PATENT APPLICATION. (43) Date of publication: Bulletin 2012/45

This project has received funding from the European Union s Horizon 2020 research and innovation programme under grant agreement No

16 Time Triggered Protocol

Node-level Fault Tolerance for Fixed Priority Scheduling. Project proposal submitted to ARTES

Distributed Scheduling for the Sombrero Single Address Space Distributed Operating System

Software Architecture. Lecture 4

Distributed System Control with FlexRay Nodes in Commercial Vehicles

Components & Characteristics of an Embedded System Embedded Operating System Application Areas of Embedded d Systems. Embedded System Components

This document is a preview generated by EVS

TU Wien. Fault Isolation and Error Containment in the TT-SoC. H. Kopetz. TU Wien. July 2007

Don t Judge Software by Its (Code) Coverage

qb - Distributed Real Time Control System in UAV design

REALISATION OF AN INTELLIGENT AND CONTINUOUS PROCESS CONNECTION IN SUBSTATIONS

Error Detection by Code Coverage Analysis without Instrumenting the Code

Control System Consideration of IR Sensors based Tricycle Drive Wheeled Mobile Robot

Click ISO to edit Master title style Update on development of the standard

LASERMET LS-20 INSTRUCTION MANUAL

PROJECT FINAL REPORT

Integrating Mechanical Design and Multidomain Simulation with Simscape

PROJECT HIGHLIGHTS, EXPECTED IMPACT & FUTURE DIRECTIONS

Enabling Increased Safety with Fault Robustness in Microcontroller Applications

802.1CB Failure Mode Considerations

SIMULATION ENVIRONMENT

A cyber physical safety principle for autonomous and C-ITS Towards efficient traffic flow under safety conditions.

Electromechanical Braking (Brake By-Wire)

Turn Indicator Model Overview

Mixed-Criticality Systems based on a CAN Router with Support for Fault Isolation and Selective Fault-Tolerance

Functional Safety Processes and SIL Requirements

MONTE CARLO SIMULATIONS OF PRODUCTION COSTS IN DISCRETE MANUFACTURING. Kathrine Spang, Christina Windmark, Jan-Eric Ståhl

The Safe State: Design Patterns and Degradation Mechanisms for Fail- Operational Systems

Compass4D Working towards deployment of C-ITS. Pierpaolo Tona, Project Manager

Telecommunication System for the I-GARMENT Project

Traditional Approaches to Modeling

MASP Chapter on Safety and Security

Real and Virtual Development with SystemDesk

Transcription:

EXPERIENCES FROM MODEL BASED DEVELOPMENT OF DRIVE-BY-WIRE CONTROL SYSTEMS Per Johannessen 1, Fredrik Törner 1 and Jan Torin 2 1 Volvo Car Corporation, Department 94221, ELIN, SE-405 31 Göteborg, SWEDEN; 2 Chalmers University of Technology, Computer Engineering, SE-412 96 Göteborg, SWEDEN Abstract: Key words: Research in distributed dependable control systems within the automotive industry is of high importance today. One reason is the introduction of more mechatronical systems. Volvo Car Corporation and the Royal Institute of Technology initiated a joint project in October 2002 to target this technology change. The project was named FAR, which stands for Function and ARchitecture integration. FAR focused on the development of drive-by-wire systems using model based development. The deliveries from the project were a tool chain for automatic code generation from Matlab Simulink and Matlab Stateflow models and also a prototype vehicle in scale 1:5. It was a very successful project and the result was delivered to Volvo Cars in June 2003. The project deliveries have been further developed at Volvo Cars since then. Primarily, a new hazard analysis method has been developed and new fault tolerance mechanisms have been implemented. dependable systems; drive-by-wire; model based development; hazard analysis; redundancy; fault tolerance; electrical architecture; time-triggered CAN; case study. 1. INTRODUCTION The automotive industry faces new challenges as more functionality is implemented using mechatronical solutions. At the same time, challenges as increased complexity and high dependability requirements must be handled. The dependability requirements will be in the same order as for fly-by-wire systems. It is also crucial to meet low development costs, short development time, high degree of reusability, and quality targets.

104 Per Johannessen, Fredrik Törner and Jan Torin Therefore, the automotive industry needs new approaches in product development and engineers skilled to develop mechatronical system. These were the main reasons for initiating this project. In the FAR project, Volvo Cars and the Royal Institute of Technology reached these objectives in a successful cooperation. There were many lessons learned and valuable outcomes from the FAR project. The model based development used, allowed the project to handle the complexity of the given task. The prototype car that was developed has been used to implement and evaluate several design concepts like a fault tolerant electrical architecture and redundancy strategies. Further, the car implemented the time triggered CAN protocol, TTCAN. TTCAN gave the required support to synchronize the nodes in the cluster. When the first phase of the FAR project was finished, the prototype moved to Volvo Cars in Gothenburg. At Volvo Cars, the main research was in the area of electrical architectures. It is mainly this work that is presented in this paper. Particularly the focus has been on an actuator based hazard analysis and fault tolerance mechanisms that uses inherent redundancy. This hazard analysis was used to guide the design of the implementation. The paper starts with a short introduction to the dependability approach including hazard analysis and fault tolerance mechanisms in Section 2. Section 3 describes different architecture views that were developed and implemented in the prototype. The prototype is described in Section 4 and Section 5 summarizes the conclusions from the project. 2. DEPENDABILITY APPROACH The development of safety critical mechatronical products require structured design methods to assure system dependability. In this work, the focus was on an actuator based hazard analysis and specific redundancy strategies for fault tolerance. 2.1 Actuator Based Hazard Analysis In the early stages in the design process, an actuator based hazard analysis was performed. The method used has been developed from the work by Johannessen (2001) and Papadopoulos (1999). Since it is the actuators that affect the system s environment, this actuator based approach is the logical approach for an early hazard analysis.

Experiences from Model Based Development 105 The failure classes used in this analysis are; omission, commission, and stuck. These classes are the worst case failures for any mechanical actuator. The class omission is interpreted as no energy is available at the actuator, commission is interpreted as maximum energy is applied to the actuator, and stuck is interpreted as a mechanical locking. The chosen failure classes represent the three main failures of an actuator. Therefore, the analysis can indicate which state is the preferred fail state. For instance, if a brake failing in an omission state is less severe than both the commission and stuck states, then omission is the preferred fail state for the brake actuator. All failure classes are applied to each actuator and the system effect is analyzed. The used severity levels are described in IEC-61508 (IEC 1998). They are Catastrophic, Critical, Marginal, and Negligible. These failure classes are used in a unique criticality ranking where the distribution between the severity levels for each failure class is considered. The sum of the distribution terms is 100%. This can be seen in the example in Table 1. To be able to do a quantitative analysis, each severity level is assigned a weight, as shown in parenthesis in Table 1. The weights are application dependent, e.g. Negligible is of higher importance in a consumer product than for an industry product. The product of the severity level and the distribution numbers are added to a criticality number for each failure class. The hazards that have a criticality that exceeds a predetermined threshold need to be handled. This method also supports a solvability analysis, where different design solutions are compared with each other. The analysis gives an indication of the best soultion. In the FAR project, this hazard analysis gave valuable input to the design and implementation, particularly for fault handling concepts at the actuator level.

106 Per Johannessen, Fredrik Törner and Jan Torin 2.2 Redundancy Strategies for Fault Tolerance The redundancy strategies used are described by Johannessen (2003) and Forsberg (2003) and include inherent redundancy, scalable software redundancy and local redundancy. These redundancy strategies are implemented in a top down approach starting with the most cost efficient strategy, which is the inherent redundancy. The most expensive approach, local redundancy, is used to fulfill fault tolerance requirements of permanent faults when inherent redundancy is impossible. The inherent redundancy requires fail-silent actuators to be efficient. In FAR this is achieved by using wheel nodes that monitor each other by a fault handler module. The front and rear wheel nodes are grouped together to achieve a more dynamically stable system. The disable signals are directly connected to the actuators and are activated by the monitoring node to avoid unintended behavior. It is vital that the signal is an active action by the monitoring node. This approach requires a sane node to shut down the controlled node. A schematic of this solution is shown in Figure 2. An alternative solution that was implemented was to reset the controlling node instead of disabling the actuator. However, this approach was analyzed to be less safe since a reseted node has to reintegrate in the system. Therefore, it was used as a secondary fault handling mechanism. Figure 1. The monitoring node concept used to achieve fail-silent actuators. 3. ARCHITECTURE VIEWS The FAR architecture is a further development of the Sirius 2001 architecture (Johannessen 2003) and the conceptual study of a distributed JAS 39 Gripen architecture (Forsberg 2003). This updated FAR architecture contains several different views. In this section, the functional, logical, hardware, software, deployment, and TTCAN views are described.

Experiences from Model Based Development 107 To capture the requirements of the system, a functional view is first developed. The logical view is highly integrated with the vehicles dynamic functionality developed in Matlab Simulink and Matlab Stateflow. One further step towards the implementation is the software view that integrates all software components in the complete system. The hardware view describes the target system onto which the functions developed in the Matlab tools will execute. To integrate the functional, software and hardware systems, a deployment view is needed. This view is also important when implementing fault tolerance and redundancy. The TTCAN view describes the communication system used in the project. 3.1 Functional View UML Use cases were used in the early design phases to capture the requirements of the project. Figure 1 shows the project s Use case diagram. This diagram includes three users; the Project Stakeholder, the Driver of the car, and the System Developer. The Project Stakeholder is interested in the project as a whole, for visualizing new technology, education and research activities and also for marketing purposes. Both the Project Stakeholder and the System Developer can be a Driver, who operates the prototype vehicle. The System Developer is the engineer that develops the system and uses it for experiments. Figure 2. The FAR UML Use case diagram

108 Per Johannessen, Fredrik Törner and Jan Torin 3.2 Logical View The logical view shown in Figure 3 is the basis in the scalable software redundancy strategy described by Johannessen (2003). Further, many control-by-wire systems can be modeled and designed according to the model in Figure 3. The global control functionality considers vehicle dynamics and the local control functionality handles loop closure for all actuators. All objects should be designed with as few dependencies as possible to support reusability and reduce complexity. 3.3 Software View Figure 3. The logical view of the FAR architecture. The software view in Figure 4 is the base for automatic code generation from Matlab Simulink and Matlab Stateflow using dspace TargetLink. Further, the clock tick from the TTCAN controller is used for distributed node synchronization. By separating the application code from the low level code such as I/O and scheduling, it was possible to automatically generate and modify application code for the target hardware. Figure 4. The software view of the FAR project.

Experiences from Model Based Development 109 3.4 Hardware View The hardware view in Figure 5 shows the hardware components used in the system. There are six Motorola 68340 microcontrollers connected with a TTCAN network. The microcontrollers run at 25 MHz and are equipped with external A/D and D/A converters. Each wheel has a dedicated node and there is one node for environment sensors. To coordinate the whole system there is one driver node that is connected through a radio link to a HMI node. The HMI node is further connected to a joystick or a steering wheel and pedals. 3.5 Deployment View Figure 5. The Hardware view of the FAR car The deployment view in Figure 6 is vital for implementing redundancy strategies and fault tolerance concepts described in section 2.2. In the scalable software redundancy concept, several instances of the global control calculations are executed in the distributed system and the results are shared in the cluster using a broadcast communication system. Since all results from the global calculations are broadcasted, all nodes have a consistent view of the system. These broadcasted results are voted on in each wheel node, which gives a high degree of fault tolerance for transient faults. Further, the par-wise monitoring and fault handler in Figure 2 was implemented. This applies to the brake, steer and drive actuators. Figure 6 shows these mechanisms for the front right node denoted FR. The other nodes are symmetrically identical.

110 Per Johannessen, Fredrik Törner and Jan Torin Figure 6. The deployment view of the FAR project with fault handling strategies for the front right wheel node. 3.6 TTCAN View The communication protocol that was implemented in the FAR platform was TTCAN (ISO 2003). TTCAN was chosen since it is a potential protocol for the automotive industry that would fulfill the system s requirements. The protocol supports both time triggered and event triggered operation. Event triggered operation is implemented in the protocol using standard CAN arbitration mechanisms. TTCAN is particularly useful in distributed control systems since the TTCAN controllers can provide a clock tick. These clock ticks can be used to synchronize the nodes in the cluster. All clocks in a TTCAN cluster are synchronized by CAN messages distributed by redundant time masters. Further, time triggered communication is predictable in the time domain. The FAR car uses time triggered operation and approximately 20% of the available bandwidth. However, the communication could be further optimized. The cycle time of the communication system was 32 ms and consequently the global cycle frequency was 31 Hz.

Experiences from Model Based Development 111 4. PROTOTYPE The developed car prototype has four-wheel steering, individual braking and four-wheel drive, with a total of three actuators per wheel. The car, shown in Figure 7 can be programmed into several modes of operation, including three different types of steering and three different types of wheel drive. This prototype will be valuable as a basis for future projects with drive-by-wire research. Figure 7. The developed prototype vehicle in scale 1:5. 5. CONCLUSIONS This project allowed us to verify some concept in the development of drive-by-wire systems. Primarily, many dependability increasing concepts were validated, both to provide fault tolerance and also to be implementable in an embedded system. The developed hazard analysis method also proved useful in the development process. It efficiently identifies real and critical failures that need to be handled. This is a requirement in the development of safety critical systems. By combining criticality and distribution of criticality for each failure class, valuable information could be obtained. The use of TTCAN gave valuable insights. It is a highly interesting protocol, not only as a replacement of traditional CAN, but also as a communication protocol for safety critical real-time systems. The developed prototype vehicle has shown to be as useful as expected. It is always preferred to have a real system when demonstrating new functionality or implementing new concepts to increase understandability.

112 Per Johannessen, Fredrik Törner and Jan Torin It is also important to consider the teams developing the drive-by-wire systems. These mechatronical systems have a very high degree of complexity and also many degrees of freedom that give a larger possible solution space. The designers need some form of tools to handle the complexity. In this project the complexity was handled using several architectural views. Since each view considered only one aspect the complexity was manageable by the designers. ACKNOWLEDGEMENTS We wish to thank Professor Törngren and his students at the Royal Institute of Technology who built the FAR car and developed the framework for the automatic code generation. Further, we wish to thank Roger Johansson at Chalmers University of Technology for his support on the hardware used. The project was funded by The Program Board for the Swedish Automotive Research Program at VINNOVA, the Swedish Agency for Innovation Systems. REFERENCES Forsberg, K., Design Principles of Fly-By-Wire Architectures, PhD. Thesis, Dept. of Computer Engineering, Chalmers University of Technology, Goteborg, Sweden, 2003. IEC, IEC-61508: Functional safety of electrical/electronic/programmable electronic safetyrelated Systems, International Electro-technical Commission, 1998. ISO, Working Draft ISO 11898-4 - Road Vehicles Controller Area Network (CAN) Part 4: Time Triggered Communication, International Organization for Standardization, 2003. Johannessen, P., System Safety Design of the SIRIUS 2001 Drive-by-Wire Car In Retrospect, Proceedings of the International System Safety Conference 2003, Ottawa, Canada, 2003. Johannessen, P., Grante, C., Alminger, A., Eklund, U., and J. Torin, Hazard Analysis in Object Oriented Design of Dependable Systems, Proceedings of the 2001 International Conference on Dependable Systems and Networks, Goteborg, 2001, pp. 507-512. Papadopoulos, Y. and McDermid, J., Hierarchically Performed Hazard Origin and Propagation Studies, Proceedings of SAFECOMP 99, 18th International Conference on Computer Safety, Reliability and Security, Toulouse, 1999.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback