1. Fault Tolerance in automotive Systems Adithya H. Krishnamurthy and Ramkumar Ravikumar
2. Agenda Historical Perspective
Need for fault tolerance in Automotives
Fault tolerant X-by-wire-systems
Fault tolerance in Automotive software
Sensors and actuators
Automotive Communication Systems
Conclusion
3. About 100 years back! Amount of electronic components = ?
Fuel efficiency = ?
ECUs = ?
Software = ?
Navigation system = ?
Airbags = ?
X-by-wire = ?
4. And now!! Amount of electronic components = comparable to a PC
Fuel efficiency = Hybrids
ECUs = ~100-200
Software = ~100 MB
Navigation system = Yes !
Airbags = Mandatory
X-by-wire = Common
5. Need for Fault tolerance in Automotive Industry Advancements in the field of automotive electronics have helped in realizing the potential of sophisticated vehicular control systems.
Can be considered a safety-critical field.
Failure in a component may lead to catastrophic effects.
If not dangerous, certain failures might degrade vehicle performance.
Solution: bring in fault tolerant design practices!
6. X-by-Wire Motivation:
Replace mechanical and hydraulic components with an electronic solution.
Steering, Braking and Acceleration.
Electronic solutions offer distinct advantages.
7. Types of X-by-Wire Systems X-by-Wire – A generic name.
Fly-by-Wire: Initially adopted by the Aviation Industry.
Drive-by-Wire: Followed by the Automobile Industry.
Brake-by-Wire.
Steer-by-Wire.
Throttle-by-Wire.
8. X-by-Wire: With Back-Up Initially with mechanical backup
First generation of SbW
BbW systems – EHB and EMB.
Complex mechanical backups are cost prohibitive.
Upon failure, switch to mechanical backup.
Redundancy.
X-by-Wire backup for X-by-Wire?
9. X-by-Wire: Without Back-Up Systems without back up should guarantee high reliability and fault tolerance at all times.
Fail Operational until a safe state.
Safety Integrity Level 4.
Should tolerate a single failure.
Probability of encountering a safety critical failure should not exceed 10^(-9) per hour.
“Your car has performed an illegal operation and must immediately shut down”.
10. 14 → 42 ? Integration of more electrical components
Demand for higher peak power
11. 14 → 42 ? Several problems associated with migration:
Contact switches vaporize.
Manufacturers of electronic components should migrate to the new standard.
Dual voltage in operation.
Toyota uses a 42 Volt bus.
Renault provided dual voltage
12. Conventional Steering System (CSS)
13. Steer-by-Wire System
14. CSS → SbW
15. CSS → SbW
16. CSS → SbW
17. CSS → SbW
18. CSS → SbW
19. Steer-by-Wire System
20. SbW – Operational Architecture
21. Fault Classification Byzantine Faults
Coherent Faults
Fail-Silent Nodes
Flexible Failure Model (b,c,s)
22. Redundancy Based on Fault Classification
HW & FAA ECUs – 2 each, work in parallel.
HW & RPS sensors – 3 each, chosen using TMR.
HW & FAA motors – 2 each, active redundancy (hot standby).
TDMA Buses – 2
23. Fault Tolerance Strategy Failure Recovery
Redundant ECUs take over upon failure of the primary ECU.
Failure detection must be quick and reliable.
Failure Compensation
ECUs work in parallel.
Suitable for real time constraints.
24. Common Mode Failures A fault may affect all redundant units under identical conditions
Design fault in redundant copies.
EMI, Temperature.
Avoid common mode failures:
Hardware manufactured by different suppliers.
Software realized by different teams.
Redundant TDMA channels to be placed far apart.
25. TTP/C
26. TTP/C Network
27. TTP/C Node Host – Runs apps.
CNI – Contains Message Descriptor List.
TTP/C Controller – Interfaces node with network.
Bus Guardian – Portal to Bus. Enables bus driver only during transmission slot.
28. TDMA Protocol / Scheduling
29. TDMA Protocol / Scheduling
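The bus guardian on slide 27 and the TDMA schedule on slides 28 and 29 fit together as follows. The example below is added here to illustrate that relationship; it is not code from the slides or from any TTP/C implementation. The round length, slot length and the four-node schedule (`slot_owner`) are constructed values, and the node ids and function names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed TDMA round (assumed values, not from the slides):
 * NUM_NODES nodes, each owning exactly one slot of SLOT_US microseconds. */
#define NUM_NODES 4
#define SLOT_US   250u
#define ROUND_US  (NUM_NODES * SLOT_US)

/* Static schedule, the role the Message Descriptor List plays in the CNI:
 * slot index -> id of the node allowed to drive the bus in that slot. */
static const uint8_t slot_owner[NUM_NODES] = { 0, 1, 2, 3 };

/* Slot that is active at global time t_us (microseconds since the first round began). */
unsigned tdma_slot_at(uint32_t t_us)
{
    return (t_us % ROUND_US) / SLOT_US;
}

/* Bus guardian decision for `node`: the bus driver is enabled only while the
 * current slot belongs to that node, regardless of what the host software wants. */
bool bus_guardian_enable(uint8_t node, uint32_t t_us)
{
    return slot_owner[tdma_slot_at(t_us)] == node;
}

/* Simulate a node whose host tries to transmit on every tick of tick_us during
 * one round (a "babbling" node); returns how many attempts the guardian lets through. */
unsigned babbler_transmissions_per_round(uint8_t node, uint32_t tick_us)
{
    unsigned allowed = 0;
    for (uint32_t t = 0; t < ROUND_US; t += tick_us)
        if (bus_guardian_enable(node, t))
            allowed++;
    return allowed;
}

int main(void)
{
    printf("node 3 trying every 50 us: %u of %u attempts reach the bus\n",
           babbler_transmissions_per_round(3, 50), ROUND_US / 50);
    return 0;
}
```

The point of the guardian is that the enable decision depends only on the schedule and the global time, not on the host: a node whose software has gone wrong can at worst corrupt its own slot, never another node's.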
30. Node Membership Vector A status register containing a single bit per node.
1 – Node functions properly.
0 – Node malfunctioning.
Vector is updated by analyzing the CRC fields in the received messages.
Informs of node failures to all the other nodes.
Identifies faulty components and isolates them from the system.
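The membership vector on slide 30 can be modelled as a bitmask that is cleared for a sender whose frame fails its CRC check or who stays silent in its slot. The following example is added to show that update logic; it is not from the slides or from TTP/C itself. The CRC-8 used here is a constructed stand-in for the real frame CRC, the four-byte frame layout and the 32-node limit are assumptions, and the round played out in `membership_demo` is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MAX_NODES 32   /* one bit per node in a 32-bit vector (assumed limit) */

/* CRC-8, polynomial 0x07, init 0, no reflection. A constructed stand-in for the
 * frame CRC; TTP/C's own CRC differs. Check value for "123456789" is 0xF4. */
uint8_t crc8(const uint8_t *data, size_t len)
{
    uint8_t crc = 0;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x80) ? (uint8_t)((crc << 1) ^ 0x07) : (uint8_t)(crc << 1);
    }
    return crc;
}

uint8_t crc8_check_value(void) { return crc8((const uint8_t *)"123456789", 9); }

typedef struct {
    uint8_t sender;      /* id of the node whose slot the frame was sent in */
    uint8_t payload[4];
    uint8_t crc;         /* crc8 over sender and payload */
} frame_t;

frame_t frame_make(uint8_t sender, const uint8_t payload[4])
{
    frame_t f;
    f.sender = sender;
    memcpy(f.payload, payload, 4);
    uint8_t buf[5] = { sender, payload[0], payload[1], payload[2], payload[3] };
    f.crc = crc8(buf, sizeof buf);
    return f;
}

bool frame_crc_ok(const frame_t *f)
{
    uint8_t buf[5] = { f->sender, f->payload[0], f->payload[1], f->payload[2], f->payload[3] };
    return crc8(buf, sizeof buf) == f->crc;
}

/* Membership vector: bit i set means node i is believed to be operating correctly. */
uint32_t membership_init(unsigned n_nodes)
{
    return n_nodes >= MAX_NODES ? 0xFFFFFFFFu : ((1u << n_nodes) - 1u);
}

bool membership_is_member(uint32_t vec, uint8_t node)
{
    return node < MAX_NODES && ((vec >> node) & 1u);
}

/* Frame received in `sender`'s slot: a CRC failure removes that sender; a correct
 * frame keeps it in. (Simplified: the real protocol's re-admission rules are more involved.) */
uint32_t membership_on_frame(uint32_t vec, const frame_t *f)
{
    if (f->sender >= MAX_NODES) return vec;
    uint32_t bit = 1u << f->sender;
    return frame_crc_ok(f) ? (vec | bit) : (vec & ~bit);
}

/* Expected sender stayed silent in its slot: treated as a fail-silent node and removed. */
uint32_t membership_on_silence(uint32_t vec, uint8_t expected_sender)
{
    return expected_sender < MAX_NODES ? (vec & ~(1u << expected_sender)) : vec;
}

/* Constructed round over 4 nodes: node 1 sends a good frame, node 2's frame is
 * corrupted in transit, node 0 stays silent. */
uint32_t membership_demo(void)
{
    const uint8_t payload[4] = { 1, 2, 3, 4 };
    uint32_t vec = membership_init(4);          /* 0b1111 */
    frame_t good = frame_make(1, payload);
    vec = membership_on_frame(vec, &good);      /* node 1 stays */
    frame_t bad = frame_make(2, payload);
    bad.payload[1] ^= 0x10;                     /* single-bit error, always caught by a CRC */
    vec = membership_on_frame(vec, &bad);       /* node 2 dropped */
    vec = membership_on_silence(vec, 0);        /* node 0 dropped */
    return vec;                                 /* 0b1010 */
}

int main(void)
{
    printf("membership after round: 0x%X\n", (unsigned)membership_demo());
    return 0;
}
```

Because every node runs the same update on the same received frames, all correct nodes converge on the same vector, which is what lets the system agree on which component to isolate.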
31. Summary Replace mechanical and hydraulic components by an electronic solution.
Provide system level fault tolerance through redundancy.
Time triggered protocol – To communicate between nodes.
32. Fault tolerance in Automotive Software
33. Why Fault Tolerance in Automotive Software ? Software amounts to about 100 MB of binary code in most modern vehicles.
Total value of software in cars has risen from 4% to 13% by 2010. (Mostly due to Entertainment systems).
Software targeted at safety-critical applications such as Pedestrian Detection System [Volvo s60]
Absence of fault tolerance techniques might lead to catastrophic effects
34. Automotive Software Classification Multimedia, telematics, and HMI software
Body/Comfort software
Software for safety electronics
Powertrain and chassis control software
Infrastructure software
Fault tolerance mechanisms should handle detected faults locally without propagation to other SW-components.
35. Current Approaches Fault Tolerant architecture based on ‘Computational Reflection’.
36. Current Approaches (Contd..) Providing Fault tolerance in the middleware
Watchdog based monitoring and other techniques
37. Fault tolerant Sensors Sensor systems with static redundancy realized with a triplex system and a voter.
A configuration with dynamic redundancy needs at least two sensors and fault detection for each sensor.
38. Fault tolerant sensors (Contd..) The steering angle sensor is fault tolerant since it can tolerate the loss of one or two sensor elements
Can diagnose failed sensor elements
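The triplex-plus-voter configuration of slide 37 and the "diagnose the failed element" property of slide 38 can both be shown in one voter. The example below is an added illustration, not code from the slides or from any steering-angle sensor product. The tolerance band, the averaging of an agreeing pair, and the `duplex_*` functions for the two-sensor dynamic-redundancy case are design choices assumed here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

typedef struct {
    int32_t value;   /* voted sensor value (meaningful only when valid) */
    int     faulty;  /* index 0..2 of the element voted out, or -1 when none is isolated */
    bool    valid;   /* false when fewer than two elements agree */
} vote_t;

static int32_t median3(int32_t a, int32_t b, int32_t c)
{
    if ((a <= b && b <= c) || (c <= b && b <= a)) return b;
    if ((b <= a && a <= c) || (c <= a && a <= b)) return a;
    return c;
}

/* Static redundancy: triplex sensor plus a majority voter. Two readings "agree"
 * when they differ by at most tol. A single bad element is outvoted and named. */
vote_t tmr_vote(int32_t s0, int32_t s1, int32_t s2, int32_t tol)
{
    vote_t r = { 0, -1, false };
    bool a01 = abs(s0 - s1) <= tol;
    bool a02 = abs(s0 - s2) <= tol;
    bool a12 = abs(s1 - s2) <= tol;
    int agreements = (int)a01 + (int)a02 + (int)a12;

    if (agreements >= 2) {
        /* all three agree, or one element agrees with both others: take the median */
        r.value = median3(s0, s1, s2);
        r.valid = true;
    } else if (agreements == 1) {
        /* exactly one agreeing pair: average it and isolate the odd one out */
        if (a01)      { r.value = s0 + (s1 - s0) / 2; r.faulty = 2; }
        else if (a02) { r.value = s0 + (s2 - s0) / 2; r.faulty = 1; }
        else          { r.value = s1 + (s2 - s1) / 2; r.faulty = 0; }
        r.valid = true;
    }
    /* agreements == 0: no majority, the result stays invalid (a second failure) */
    return r;
}

int32_t tmr_value(int32_t s0, int32_t s1, int32_t s2, int32_t tol)  { return tmr_vote(s0, s1, s2, tol).value; }
int     tmr_faulty(int32_t s0, int32_t s1, int32_t s2, int32_t tol) { return tmr_vote(s0, s1, s2, tol).faulty; }
bool    tmr_valid(int32_t s0, int32_t s1, int32_t s2, int32_t tol)  { return tmr_vote(s0, s1, s2, tol).valid; }

/* Dynamic redundancy: two sensors, each with its own fault-detection flag.
 * The primary is used while healthy; the secondary takes over otherwise. */
bool duplex_valid(bool primary_ok, bool secondary_ok) { return primary_ok || secondary_ok; }

int32_t duplex_value(int32_t primary, bool primary_ok, int32_t secondary, bool secondary_ok)
{
    if (primary_ok) return primary;
    if (secondary_ok) return secondary;
    return 0; /* caller must check duplex_valid() first */
}

int main(void)
{
    vote_t v = tmr_vote(100, 102, 500, 3);   /* constructed readings, element 2 stuck high */
    printf("voted %d, element %d isolated, valid=%d\n", v.value, v.faulty, (int)v.valid);
    return 0;
}
```

Note the difference between the two configurations: the triplex voter needs no per-element fault detection because disagreement itself is the diagnosis, whereas the duplex arrangement is only as good as the health flags that drive the switch-over.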
39. Fault tolerant Actuators Fault-tolerant actuators can be designed by using multiple complete actuators in parallel, with either static redundancy or dynamic redundancy with cold or hot standby.
Another possibility is to limit the redundancy to parts of the actuator that have the lowest reliability.
Static redundancy
Dynamic redundancy with hot standby
Dynamic redundancy with cold standby
40. Fault tolerant Actuators (Contd..) When both sensor and actuator failures occur at the same time, their mutual effects on residuals make fault isolation difficult.
Use a hexadecimal decision table to relate all possible failure patterns to the residual code.
Detection and isolation of multiple sensor and actuator failures in automotive engines is achieved.
41. Fault tolerant Communication Systems Communication between several components in the vehicle
42. Fault tolerant Communication Systems (Contd..) Event-triggered vs. Time-triggered protocols.
Event-triggered means messages transmitted to signal occurrence of a key event (door is closed)
In Time-triggered systems, frames are transmitted in predetermined intervals of time
Combination of Time-triggered and Event-triggered mechanisms in TTCAN, FTT-CAN and FlexRay
43. Controller Area Network (CAN) Most widely used in-vehicle network
Provides several mechanisms for error detection
Check for CRC transmitted and CRC received
Station detecting an error transmits an error message on the bus
Provides Fault-confinement mechanisms
Identify permanent failures due to hardware malfunction.
Error counters are increased / decreased according to events.
CAN is not well suited for X-by-wire applications
Selective Fault tolerance on CAN
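The fault-confinement mechanism of slide 43 is driven by two error counters per node. The example below, added here and not taken from the slides or from any CAN controller's code, models the counter rules and the error-active / error-passive / bus-off states as described in the CAN specification, in simplified form: the special cases for dominant bits following an error flag are reduced to one flag, and the post-reception value for a receive counter above 127 (the specification allows 119 to 127) is fixed at 127. The scenario functions and their constructed event sequences are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

typedef enum { CAN_ERROR_ACTIVE, CAN_ERROR_PASSIVE, CAN_BUS_OFF } can_state_t;

typedef struct {
    unsigned    tec;            /* transmit error counter */
    unsigned    rec;            /* receive error counter */
    can_state_t state;
    unsigned    idle_sequences; /* 11-recessive-bit sequences seen while bus-off */
} can_node_t;

void can_init(can_node_t *n)
{
    n->tec = n->rec = 0;
    n->state = CAN_ERROR_ACTIVE;
    n->idle_sequences = 0;
}

/* Re-derive the state from the counters (bus-off is left only by the recovery sequence). */
static void can_update_state(can_node_t *n)
{
    if (n->state == CAN_BUS_OFF) return;
    if (n->tec > 255)                      n->state = CAN_BUS_OFF;
    else if (n->tec > 127 || n->rec > 127) n->state = CAN_ERROR_PASSIVE;
    else                                   n->state = CAN_ERROR_ACTIVE;
}

/* Transmitter detected an error and sent an error flag: TEC += 8. */
void can_on_tx_error(can_node_t *n)
{
    if (n->state == CAN_BUS_OFF) return;
    n->tec += 8;
    can_update_state(n);
}

/* Receiver detected an error: REC += 1, or += 8 when the first bit after its own
 * error flag was dominant (another node is still signalling an error). */
void can_on_rx_error(can_node_t *n, bool dominant_after_error_flag)
{
    if (n->state == CAN_BUS_OFF) return;
    n->rec += dominant_after_error_flag ? 8 : 1;
    can_update_state(n);
}

/* Successful transmission: TEC -= 1, not below zero. */
void can_on_tx_success(can_node_t *n)
{
    if (n->tec > 0) n->tec--;
    can_update_state(n);
}

/* Successful reception: REC -= 1; a counter above 127 is pulled back to 127 (spec: 119..127). */
void can_on_rx_success(can_node_t *n)
{
    if (n->rec > 127)    n->rec = 127;
    else if (n->rec > 0) n->rec--;
    can_update_state(n);
}

/* Bus-off recovery: after 128 sequences of 11 consecutive recessive bits the
 * node becomes error active again with both counters cleared. */
void can_on_idle_sequence(can_node_t *n)
{
    if (n->state != CAN_BUS_OFF) return;
    if (++n->idle_sequences >= 128) can_init(n);
}

/* Scenario: consecutive transmit errors a fresh node survives before reaching `target`. */
unsigned can_tx_errors_until(can_state_t target)
{
    can_node_t n; can_init(&n);
    unsigned errors = 0;
    while (n.state != target && errors < 1000) { can_on_tx_error(&n); errors++; }
    return errors;
}

/* Scenario: REC of a fresh node after `errors` plain receive errors, then `successes` good frames. */
unsigned can_rec_after(unsigned errors, unsigned successes)
{
    can_node_t n; can_init(&n);
    while (errors--)    can_on_rx_error(&n, false);
    while (successes--) can_on_rx_success(&n);
    return n.rec;
}

/* Scenario: 1 if a node driven to bus-off is error active again only after the 128th idle sequence. */
int can_recovers_from_bus_off(void)
{
    can_node_t n; can_init(&n);
    for (int i = 0; i < 32; i++) can_on_tx_error(&n);        /* 32 * 8 = 256 > 255 */
    if (n.state != CAN_BUS_OFF) return 0;
    for (int i = 0; i < 127; i++) can_on_idle_sequence(&n);
    if (n.state != CAN_BUS_OFF) return 0;                     /* one sequence too few */
    can_on_idle_sequence(&n);
    return n.state == CAN_ERROR_ACTIVE && n.tec == 0 && n.rec == 0;
}

int main(void)
{
    printf("tx errors to passive: %u, to bus-off: %u\n",
           can_tx_errors_until(CAN_ERROR_PASSIVE), can_tx_errors_until(CAN_BUS_OFF));
    return 0;
}
```

The asymmetry in the increments (8 for a transmitter, 1 for a receiver) is what makes confinement work: the node most likely to be the source of the errors is pushed towards bus-off fastest, while nodes that merely observe errors stay error active. This is also why the slides note CAN's limits for X-by-wire: a faulty node is only silenced after a substantial number of errors, and the protocol itself gives no guarantee on when that happens.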
44. Time Triggered Controller Area Network (TTCAN) TTCAN requires that the controllers have the possibility to disable automatic retransmission of frames upon transmission errors.
The key idea is to propose a flexible time-triggered/event-triggered protocol.
TTCAN supports the coexistence of event- and time-triggered traffic.
However, it does not provide the same level of fault tolerance as TTP and FlexRay.
45. FlexRay FlexRay allows both time-triggered and event-triggered communication.
The FlexRay network is very flexible with regard to topology and transmission support redundancy.
FlexRay provides fault tolerance by distributed time-triggered synchronization (clock synchronization).
FlexRay is expected to be the de-facto communication standard for high-speed automotive control applications.
46. Overview of Protocols
47. Recent Work A simulation study for fault-tolerant sensor networks for cars’ on-board control.
All sensors (sources of traffic), actuators (sinks of traffic) and the controller (PC) are connected over the Ethernet to form a Networked Control System (NCS).
The number of sensors is 3 times the number of actuators.
This increase in the number of sensors is made to test the possibility of building triple-modular redundancy (TMR) at the sensor level for fault tolerance.
48. Recent Work (contd..) A methodology of interconnecting the automotive bus networks in a fault tolerant way is discussed.
When combining these bus systems, FlexRay is considered to be the de-facto communication protocol since it can provide time-triggered and event-triggered message transmissions.
The integrated system supports fault tolerance using redundant networks.
Bus systems are combined with extra redundant units to send multiple messages to clients.
49. Conclusion Several fault tolerant design techniques followed in automotive industry have been discussed
Key challenges include
Operating conditions for X-by-wire systems
Handling the huge volume of data in automotive software
Security challenges
Fault tolerance in Bluetooth, ZigBee and MOST
Ample scope for research for engineers from varied backgrounds
50. Thank you Fault tolerance in Automotive Systems