1 / 18

Drive by Wire

A Membership Service for a Distributed, Embedded System Based on a Time-Triggered FlexRay Network Martin Mitzlaff Rüdiger Kapitza, Michael Lang, Wolfgang Schröder-Preikschat In golstadt I nstitute of the F riedrich- A lexander U niversity Erlangen-Nuremberg martin.mitzlaff@ini.fau.de.

philana-candice
Download Presentation

Drive by Wire

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A Membership Service for a Distributed, Embedded System Based on a Time-Triggered FlexRay NetworkMartin MitzlaffRüdiger Kapitza, Michael Lang, Wolfgang Schröder-PreikschatIngolstadt Institute of theFriedrich-Alexander University Erlangen-Nurembergmartin.mitzlaff@ini.fau.de

  2. Drive by Wire • A non functional state is not tolerable. • Most parts are time-triggered • Hard real-time • Dependable • Single units not dependable enough • Redundancy, Fault masking • Important to know which units are online • Need for a Membership ServiceProvides a consistent view of the fault-free units Martin Mitzlaff -- EDCC 2010 Industrial Track

  3. ECU1 ECU2 ECU3 ECU4 ECU5 Brake-by-wire Brake! Martin Mitzlaff -- EDCC 2010 Industrial Track

  4. Agenda • FlexRay • Membership Service • Verification • Evaluation Martin Mitzlaff -- EDCC 2010 Industrial Track

  5. FlexRay • High-speed time-triggered bussystem • De-facto standard time-triggered bussystem in the automotive industry • Node structure: Node Host CommunicationController Transceiver wire Martin Mitzlaff -- EDCC 2010 Industrial Track

  6. FlexRay - Features • Cycle-based communication: • Synchronized clocks • Central bus guardian in the active star • No membership service … Cycle 63 Cycle 0 Cycle 1 Cycle 2 Slot 29 Slot 1 Slot 2 … Slot 0 Slot 30 Slot 31 32 33 34 Static Part Dynamic Part Idle Martin Mitzlaff -- EDCC 2010 Industrial Track

  7. Using FlexRay • Interrupts to synchronize access to message buffers • Interrupts disturb the application Application Send_Confimation() Fill_Sendbuffer() Receive() Send() 2000 Macrotick 2700 700 FlexRay cycle Martin Mitzlaff -- EDCC 2010 Industrial Track

  8. Current approaches • Membership protocols for synchronous systems already exist: • F. Cristian 1988 • S. Katz, P. Lincoln and J.M. Rushby 1997 • R. Barbosa and J. Karlsson 2006 • But all are slot based • Not possible in a FlexRay system • TTP/C includes a membership service (in hardware) Martin Mitzlaff -- EDCC 2010 Industrial Track

  9. Round-based Approach • Slot based: • Round based: • Sending and receiving in one interval • No timing requirements inside the interval • Calculation only at one point in the round Send Receive Calculate Martin Mitzlaff -- EDCC 2010 Industrial Track

  10. What’s a view? • View: Just a bit vector; One bit for one node • Local view: • Node’s current opinion of fault-free nodes • Interchanged with other nodes • Global view • Former local view • Verified by the local views of other nodes ECU 1 ECU 2 ECU 8 Martin Mitzlaff -- EDCC 2010 Industrial Track

  11. ECU1 ECU2 ECU3 ECU4 ECU5 Integration G G G L L L Round: 1 0 3 2 L L G G Martin Mitzlaff -- EDCC 2010 Industrial Track

  12. ECU1 ECU2 ECU3 ECU4 ECU5 Faulty node G G G L L L Round: 1 0 3 2 L L G G Martin Mitzlaff -- EDCC 2010 Industrial Track

  13. Verification • Need for a fault hypothesis • For FlexRay nothing published • Each node and each logical communication-channel are a Fault-Containment Region • Active star guarantees that the message is transmitted to all or no node by the communication system. [see TTP/C] • Important to detect invalid messages • Further CRC, including cycle counter • A faulty host does not send membership messages. • Different fault modes can be mapped to just three faults:sending, receiving or sending&receiving fault • At most one fault in two cycles • Formal proof of the latency • Result: two rounds can be guarantied Martin Mitzlaff -- EDCC 2010 Industrial Track

  14. Model checking • Modeling using PROMELA • Verifying the model using SPIN • Used results for decreasing number of states • Only possible with small networks • Results: • Absence of Livelocks • Absence of Deadlocks • New nodes do not disturb • Latency of two rounds Martin Mitzlaff -- EDCC 2010 Industrial Track

  15. Evaluation • Using • TTTech Multi-Purpose ECU • TriCore TC1796 • Freescale MFR4300 • TTTech AUTOSAR FlexRay-Stack • Vector VN3600 • Special active star Martin Mitzlaff -- EDCC 2010 Industrial Track

  16. Evaluation Results • CPU Load: • Maximal 2,4% CPU-Load caused by membership service • 2.6 kbyte ROM Martin Mitzlaff -- EDCC 2010 Industrial Track

  17. Conclusion • FlexRay is the bus for drive-by-wire applications • But lacks a membership service • Our Contribution:Membership service for FlexRay • Key features: • Round-based approach • minimal CPU load • Transparent to the application • Verification by different techniques • Even outside the fault hypothesis, coming back to a consistent global view Martin Mitzlaff -- EDCC 2010 Industrial Track

  18. Thank you for your attention! Any questions? Martin Mitzlaff -- EDCC 2010 Industrial Track

More Related