
Fault Tolerance in Automotive Systems






Presentation Transcript


    1. Fault Tolerance in Automotive Systems. Adithya H. Krishnamurthy and Ramkumar Ravikumar

    2. Agenda Historical Perspective Need for fault tolerance in Automotives Fault tolerant X-by-wire-systems Fault tolerance in Automotive software Sensors and actuators Automotive Communication Systems Conclusion

    3. About 100 years back! Amount of electronic components = ? Fuel efficiency = ? ECUs = ? Software = ? Navigation system = ? Airbags = ? X-by-wire = ?

    4. And now!! Amount of electronic components = comparable to a PC; Fuel efficiency = hybrids; ECUs = ~100-200; Software = ~100 MB; Navigation system = Yes!; Airbags = mandatory; X-by-wire = common

    5. Need for Fault Tolerance in the Automotive Industry. Advancements in automotive electronics have helped realize sophisticated vehicular control systems. This can be considered a safety-critical field: failure in a component may lead to catastrophic effects, and even where not dangerous, certain failures might degrade vehicle performance. Solution: bring in fault-tolerant design practices!

    6. X-by-Wire. Motivation: replace mechanical and hydraulic components with an electronic solution (steering, braking and acceleration). Electronic solutions offer distinct advantages.

    7. Types of X-by-Wire Systems. X-by-Wire is a generic name. Fly-by-Wire: initially adopted by the aviation industry. Drive-by-Wire: followed by the automobile industry: Brake-by-Wire, Steer-by-Wire, Throttle-by-Wire.

    8. X-by-Wire: With Back-Up. Initially with mechanical backup: the first generation of SbW and BbW systems, EHB and EMB. Complex mechanical backups are cost prohibitive. Upon failure, switch to the mechanical backup (redundancy). X-by-Wire backup for X-by-Wire?

    9. X-by-Wire: Without Back-Up. Systems without backup should guarantee high reliability and fault tolerance at all times: fail-operational until a safe state; Safety Integrity Level 4; should tolerate a single failure; the probability of encountering a safety-critical failure should not exceed 10^(-9) per hour. "Your car has performed an illegal operation and must immediately shut down."

    10. 14 V → 42 V? Integration of more electrical components; demand for higher peak power.

    11. 14 V → 42 V? Several problems associated with migration: contact switches vaporize; manufacturers of electronic components should migrate to the new standard; dual voltage in operation. Toyota uses a 42 Volt bus; Renault provided dual voltage.

    12. Conventional Steering System (CSS)

    13. Steer-by-Wire System

    14. CSS → SbW


    19. Steer-by-Wire System

    20. SbW Operational Architecture

    21. Fault Classification: Byzantine faults; coherent faults; fail-silent nodes; flexible failure model (b,c,s).

    22. Redundancy Based on Fault Classification. HW & FAA ECUs: 2 each, work in parallel. HW & RPS sensors: 3 each, chosen using TMR. HW & FAA motors: 2 each, active redundancy (hot standby). TDMA buses: 2.

    23. Fault Tolerance Strategy. Failure recovery: redundant ECUs take over upon failure of the primary ECU; failure detection must be quick and reliable. Failure compensation: ECUs work in parallel; suitable for real-time constraints.

    24. Common Mode Failures. A fault may affect all redundant units under identical conditions: a design fault in redundant copies; EMI; temperature. Avoid common mode failures: hardware manufactured by different suppliers; software realized by different teams; redundant TDMA channels placed far apart.

    25. TTP/C

    26. TTP/C Network

    27. TTP/C Node. Host: runs apps. CNI: contains the Message Descriptor List. TTP/C Controller: interfaces the node with the network. Bus Guardian: portal to the bus; enables the bus driver only during the node's transmission slot.

    28. TDMA Protocol / Scheduling


    30. Node Membership Vector. A status register containing a single bit per node: 1 = node functions properly, 0 = node malfunctioning. The vector is updated by analyzing the CRC fields in the received messages. It informs all the other nodes of node failures, identifies faulty components and isolates them from the system.
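As an added illustration of slides 27 to 30, not part of the original deck: a small C model of one TDMA round in which a bus guardian admits a frame only in its owner's slot and a receiver rebuilds the membership vector from the CRC of each frame. The frame layout, the 8-bit CRC and the node count are assumptions for the example, not TTP/C's real format.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Added example, not from the slides: one TTP/C-style TDMA round (slides 27-30).
 * Slot k belongs to node k; the bus guardian passes a frame only when its sender
 * matches the current slot; a correct receiver recomputes each frame's CRC and sets
 * the sender's membership bit only when it matches. Frame layout and the 8-bit
 * CRC are assumptions made for this example (real TTP/C frames differ). */
#define NODES 4

typedef struct {
    uint8_t sender;      /* node id, which is also the only slot it may use */
    uint8_t payload[4];
    uint8_t crc;         /* CRC-8 over sender + payload */
} frame_t;

/* CRC-8, polynomial 0x07, init 0, no reflection. */
uint8_t crc8(const uint8_t *data, size_t len) {
    uint8_t crc = 0;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x80) ? (uint8_t)((crc << 1) ^ 0x07) : (uint8_t)(crc << 1);
    }
    return crc;
}
static uint8_t frame_crc(const frame_t *f) {
    uint8_t buf[5] = { f->sender, f->payload[0], f->payload[1], f->payload[2], f->payload[3] };
    return crc8(buf, sizeof buf);
}
frame_t make_frame(uint8_t sender, const uint8_t payload[4]) {
    frame_t f;
    f.sender = sender;
    memcpy(f.payload, payload, 4);
    f.crc = frame_crc(&f);
    return f;
}
/* sent[k] is the frame seen on the bus in slot k (NULL if that node is silent or
 * dead). Returns the membership vector of slide 30: bit k set <=> node k delivered
 * a CRC-valid frame in its own slot. A node that is silent, transmits in another
 * node's slot, or sends a corrupted frame is dropped from membership. */
uint8_t tdma_round(const frame_t *sent[NODES]) {
    uint8_t membership = 0;
    for (uint8_t slot = 0; slot < NODES; slot++) {
        const frame_t *f = sent[slot];
        if (f == NULL) continue;            /* fail-silent node: bit stays 0 */
        if (f->sender != slot) continue;    /* bus guardian blocks off-slot traffic */
        if (frame_crc(f) == f->crc) membership |= (uint8_t)(1u << slot);
    }
    return membership;
}
```

Every node runs the same check on the same bus traffic, which is what lets all correct nodes agree on who is in membership after each round.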

    31. Summary. Replace mechanical and hydraulic components by an electronic solution. Provide system-level fault tolerance through redundancy. Use a time-triggered protocol to communicate between nodes.

    32. Fault tolerance in Automotive Software

    33. Why Fault Tolerance in Automotive Software? Software amounts to about 100 MB of binary code in most modern vehicles. The total value of software in cars has risen from 4% to 13% by 2010 (mostly due to entertainment systems). Software is targeted at safety-critical applications such as the Pedestrian Detection System [Volvo S60]. Absence of fault tolerance techniques might lead to catastrophic effects.

    34. Automotive Software Classification: multimedia, telematics and HMI software; body/comfort software; software for safety electronics; powertrain and chassis control software; infrastructure software. Fault tolerance mechanisms should handle detected faults locally, without propagation to other SW components.

    35. Current Approaches: fault-tolerant architecture based on Computational Reflection.

    36. Current Approaches (contd.): providing fault tolerance in the middleware; watchdog-based monitoring and other techniques.

    37. Fault-tolerant Sensors. Sensor systems with static redundancy are realized with a triplex system and a voter. A configuration with dynamic redundancy needs at least two sensors and fault detection for each sensor.

    38. Fault-tolerant Sensors (contd.). The steering angle sensor is fault tolerant since it can tolerate the loss of one or two sensor elements and can diagnose failed sensor elements.
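An added C example, not from the deck, of the two sensor configurations on slides 22, 37 and 38: a triplex voter that masks and diagnoses one failed element, and a duplex selector that relies on each sensor's own fault detection. The readings, the tolerance and the function names are constructed for the example.

```c
#include <stdbool.h>

/* Added example, not from the slides: the triplex sensor voter of slides 22 and 37
 * and the duplex scheme of slides 37-38. Three readings of one quantity are voted
 * by median; any reading further than `tol` from the vote is flagged as a failed
 * element, so one bad sensor is both masked and diagnosed. Readings and `tol`
 * are constructed values for the example. */
typedef struct {
    double value;     /* voted output */
    unsigned failed;  /* bit i set => sensor i disagreed with the vote */
    bool valid;       /* false when no two sensors agree: no majority exists */
} vote_t;

static double absd(double x) { return x < 0 ? -x : x; }

static double median3(double a, double b, double c) {
    if ((a <= b && b <= c) || (c <= b && b <= a)) return b;
    if ((b <= a && a <= c) || (c <= a && a <= b)) return a;
    return c;
}

/* Static redundancy (TMR): tolerates and identifies one failed element. With two
 * failed elements the median may itself be wrong; if the two bad readings differ
 * the voter notices the lost majority and reports invalid (fail-silent), but two
 * bad readings that agree (a common-mode failure, slide 24) cannot be caught here. */
vote_t tmr_vote(const double r[3], double tol) {
    vote_t out = { median3(r[0], r[1], r[2]), 0, true };
    int agreeing = 0;
    for (int i = 0; i < 3; i++) {
        if (absd(r[i] - out.value) > tol) out.failed |= 1u << i;
        else agreeing++;
    }
    if (agreeing < 2) out.valid = false;
    return out;
}

typedef struct { double value; bool ok; } reading_t;   /* ok = sensor self-test */

/* Dynamic redundancy (duplex with fault detection per sensor): the primary is used
 * while its self-test passes, the standby takes over otherwise; with both flagged
 * there is no trustworthy value and the caller must move to a safe state. */
bool duplex_select(reading_t primary, reading_t standby, double *out) {
    if (primary.ok) { *out = primary.value; return true; }
    if (standby.ok) { *out = standby.value; return true; }
    return false;
}
```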

    39. Fault-tolerant Actuators. Fault-tolerant actuators can be designed by using multiple complete actuators in parallel, with either static redundancy or dynamic redundancy with cold or hot standby. Another possibility is to limit the redundancy to the parts of the actuator that have the lowest reliability. [Figure: static redundancy; dynamic redundancy with hot standby; dynamic redundancy with cold standby]

    40. Fault-tolerant Actuators (contd.). When both sensor and actuator failures occur at the same time, their mutual effects on residuals make fault isolation difficult. A hexadecimal decision table relates all possible failure patterns to the residual code, so that detection and isolation of multiple sensor and actuator failures in automotive engines is achieved.

    41. Fault-tolerant Communication Systems. Communication between several components in the vehicle.

    42. Fault-tolerant Communication Systems (contd.). Event-triggered vs. time-triggered protocols. Event-triggered means messages are transmitted to signal the occurrence of a key event (e.g. a door is closed). In time-triggered systems, frames are transmitted at predetermined intervals of time. TTCAN, FTT-CAN and FlexRay combine time-triggered and event-triggered mechanisms.

    43. Controller Area Network (CAN). The most widely used in-vehicle network. Provides several mechanisms for error detection: the transmitted CRC is checked against the received CRC; a station detecting an error transmits an error message on the bus. Provides fault-confinement mechanisms: permanent failures due to hardware dysfunctioning are identified; error counters are increased/decreased according to events. CAN is not well suited for X-by-wire applications. Selective fault tolerance on CAN.
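An added C example, not from the deck, of the CAN error counters and fault-confinement states on slide 43, using the ISO 11898-1 counter rules in their common case; the event names and the node struct are assumptions made here.

```c
#include <stdint.h>

/* Added example, not from the slides: the CAN error counters and fault-confinement
 * states named on slide 43, following the ISO 11898-1 rules in their common case
 * (transmit error +8, receive error +1, successful frame -1). The event names and
 * the struct are this example's own. A node is error-active while TEC and REC are
 * both <= 127, error-passive once either exceeds 127, and bus-off when TEC exceeds
 * 255, at which point the node takes itself off the bus so a permanently broken
 * transceiver cannot keep disturbing the others. */
typedef enum { ERROR_ACTIVE, ERROR_PASSIVE, BUS_OFF } can_state_t;
typedef enum { TX_OK, TX_ERROR, RX_OK, RX_ERROR } can_event_t;
typedef struct { uint16_t tec; uint16_t rec; can_state_t state; } can_node_t;

void can_node_init(can_node_t *n) { n->tec = 0; n->rec = 0; n->state = ERROR_ACTIVE; }

static void update_state(can_node_t *n) {
    if (n->tec > 255)                      n->state = BUS_OFF;
    else if (n->tec > 127 || n->rec > 127) n->state = ERROR_PASSIVE;
    else                                   n->state = ERROR_ACTIVE;
}

/* Apply one bus event. A node whose own transmissions keep failing reaches
 * bus-off after 32 consecutive transmit errors (32 * 8 = 256); a node that only
 * observes others' errors drifts towards error-passive far more slowly and is
 * pulled back by each good frame it receives. Bus-off recovery (128 * 11 recessive
 * bits) is left out: here the node stays off until re-initialised. */
can_state_t can_node_event(can_node_t *n, can_event_t ev) {
    if (n->state == BUS_OFF) return BUS_OFF;
    switch (ev) {
    case TX_ERROR: n->tec += 8; break;
    case RX_ERROR: n->rec += 1; break;
    case TX_OK:    if (n->tec > 0) n->tec -= 1; break;
    case RX_OK:
        if (n->rec > 127) n->rec = 120;        /* spec: reset to a value in 119..127 */
        else if (n->rec > 0) n->rec -= 1;
        break;
    }
    update_state(n);
    return n->state;
}
```

The asymmetry between the two counters is the fault-confinement idea from the slide: the node most likely to be at fault is the one pushed off the bus first.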

    44. Time Triggered Controller Area Network (TTCAN). TTCAN requires that the controllers can disable automatic retransmission of frames upon transmission errors. The key idea is a flexible time-triggered/event-triggered protocol: TTCAN supports the coexistence of event- and time-triggered traffic. However, it does not provide the same level of fault tolerance as TTP and FlexRay.

    45. FlexRay. FlexRay allows both time-triggered and event-triggered communication. The FlexRay network is very flexible with regard to topology and transmission-support redundancy. FlexRay provides fault tolerance by distributed time-triggered synchronization (clock synchronization). FlexRay is expected to become the de facto communication standard for high-speed automotive control applications.

    46. Overview of Protocols

    47. Recent Work. A simulation study of fault-tolerant sensor networks for on-board car control. All sensors (sources of traffic), actuators (sinks of traffic) and the controller (a PC) are connected over Ethernet to form a Networked Control System (NCS). The number of sensors is three times the number of actuators; this surplus of sensors is used to test building triple modular redundancy (TMR) at the sensor level for fault tolerance.

    48. Recent Work (contd.). A methodology for interconnecting the automotive bus networks in a fault-tolerant way is discussed. When combining these bus systems, FlexRay is considered the de facto communication protocol since it provides time-triggered and event-triggered message transmissions. The integrated system supports fault tolerance using redundant networks: bus systems are combined with extra redundant units to send multiple messages to clients.

    49. Conclusion. Several fault-tolerant design techniques followed in the automotive industry have been discussed. Key challenges include: operating conditions for X-by-wire systems; handling huge volumes of data in automotive software; security challenges; fault tolerance in Bluetooth, ZigBee and MOST. Ample scope for research for engineers from varied backgrounds.

    50. Thank you. Fault Tolerance in Automotive Systems
