Auto Safety Sot Ware

8/6/2019 Auto Safety Sot Ware

1/48

The design of safe automotive electronicThe design of safe automotive electronicsystemssystems

Some problems, solutions and open issues Some problems, solutions and open issues

Franoise SimonotFranoise Simonot --LionLion

([email protected]) ([email protected])

Nancy UniversitNancy Universit -- LORIA (UMR 7503)LORIA (UMR 7503)

IES2006IEEE Symposium on Industrial Embedded Systems

Antibes Juan-Les-Pins, FranceOctober 18-20, 2006


2/48

Franoise Simonot-LionNancy Universit 2 IEEE IES'2006

GeneralGeneral ContextContext

AutomotiveAutomotive industryindustry : the: the mostmost importantimportanteconomiceconomic sectorsector for thefor the nextnext 1010 yearsyears

(Mercer Management Consulting)

AutomotiveAutomotive electronicselectronics

(Strategy Analytics, McKinsey)

Cost of Electronic Embedded systemsCost of a car

1% (1980)

= 20% (2005)40% (2015)


3/48


GeneralGeneral contextcontext

InIn vehiclevehicle embeddedembedded systemssystemsElectronic components 50%

Software components 50%1,1 KBytes (1980) 2MBytes (2000) 10MBytes (2004)

SoftwareSoftware technologytechnologyNew services areNew services are easilyeasily developpeddevelopped

CustomersCustomers requirementsrequirements :: costcost ,, comfortcomfort ,, safetysafetyCarmakersCarmakers oror supplierssuppliers requirementsrequirements :: costcost , time to, time to marketmarket

Electronic systems = 90% innovation (Daimler Chrysler)

MandatoryMandatory forfor somesome functionsfunctions (control of(control of exhaustexhaust emissionemission ))


4/48


OutlineOutline

ContextContext

GeneralGeneral problemsproblems

AutomotiveAutomotive domainsdomains

ElementsElements of solutionof solutionStandardsStandards

EfficientEfficient developmentdevelopment processprocess

Open issuesOpen issuesConclusionsConclusions


5/48


ProblemsProblems

ArchitecturalArchitectural complexitycomplexity

AirbagsDoorsctl

SteeringWheel -ctl

ABS PowerTrain

Lightsctl

Climatectl

Radio...

AmplifierISUISU

Comfort Network Comfort Network

Body Network Body Network ECUECU (Electronic Component Unit)

P S A c o m m u n i c a

t i o n s e r v

i c e

Chassis Chassis - - Power Train Network Power Train Network

CriticalCriticalFunctionsFunctions

Complex Communication

ArchitectureComplex CommunicationComplex CommunicationArchitectureArchitecture


6/48


ProblemsProblems

ArchitecturalArchitectural complexitycomplexity exampleexampleJrgen Jrgen Leohold Leohold (IEEE WFCS 2004, Vienna,(IEEE WFCS 2004, Vienna, Austria Austria ) )

VWVW PhaetonPhaeton11 13611 136 electricalelectrical devicesdevices

6161 ECUsECUs , 3 CAN networks,, 3 CAN networks, subsub --networks, 1 busnetworks, 1 busmultimediamultimedia

25002500 signalssignals exchangedexchanged betweenbetween ECUsECUs in 250in 250CAN messagesCAN messages


7/48


ProblemsProblems

FunctionalFunctional complexitycomplexity

NumberNumber of I/Oof I/O signalssignals -- Size of the stateSize of the state vectorvector

((externalexternal //internalinternal data)data)

IntegrationIntegration ofof criticalcritical and notand not criticalcritical functionsfunctions

InteractionInteraction betweenbetween functionsfunctions

FunctionalFunctional modesmodes

SafetySafety requirementsrequirements ::

ValuesValues

Performances / timePerformances / time constraintsconstraints


8/48


ProblemsProblems

DevelopmentDevelopment processprocessSharedShared betweenbetween severalseveral actorsactors

SuppliersSuppliers ((subcontractorssubcontractors ) / Car) / Car makersmakers

InteractionInteraction betweenbetween partnerspartners

Black boxes / White boxes / Grey boxesBlack boxes / White boxes / Grey boxesIntellectualIntellectual propertyproperty

ProcessProcessTopTop DownDownBottomBottom -- Up (Up ( reusabilityreusability ))

StandardsStandards

Under constraints:CostQualityVariantsSafety


9/48


OutlineOutline

ContextContext







10/48


PowertrainPowertrain domaindomain

Constraints

driving facilities fuel consumption

exhaust pollution

Climate controller

ESP controller

Motor controller

acceleratorpedal

brakepedal


11/48


PowertrainPowertrain domaindomain

FunctionalFunctional point ofpoint of viewviewComplexComplex controlcontrol lawslaws

MultiMulti --variablesvariablesDifferentDifferent samplingsampling periodsperiods

CyclicCyclic ((motormotor times)times) -- PeriodicPeriodic ((otherother systemssystems ))

OperationalOperational point ofpoint of viewviewHigh computation power (High computation power ( floating floating point point coprocessors coprocessors ) ) MultiMulti --taskstasks ((differentdifferent activationactivation rulesrules ))

CompromiseCompromise costcost // resolutionresolution ofof sensorssensorsStringent time constraints (response time,freshness)

~ 100 s

~ 1 ms


12/48


ChassisChassis

Othersystems

Forces ground, wind

Constraints comfort

safety

Wheel suspension - controller

(ABS ESP ASC 4WD - )

Steeringcolumn

brakepedal


13/48


ChassisChassis

~1 msFunctionalFunctional point ofpoint of viewview

ComplexComplex controlcontrol lawslaws

OperationalOperational point ofpoint of viewviewHigh computation power (High computation power ( floating floating point point coprocessors coprocessors ) ) MultiMulti --taskstasks ((differentdifferent activationactivation rulesrules ))CompromiseCompromise costcost // resolutionresolution ofof sensorssensors

DistributionDistributionStringent time constraints (response time,freshness, temporal consistency)

Critical domain for the safetyX-by-Wire


14/48


BodyBody domaindomain

wipers

lights

mirrorsdoors,

windows,

seats,...

Other

systems

controllers

Drivers

Passengers

InnovationInnovation


15/48


BodyBody domaindomain

FunctionalFunctional point ofpoint of viewviewNumerousNumerous functionsfunctions

ReactiveReactive systemssystemsOperationalOperational point ofpoint of viewview

HighlyHighly distributeddistributedHierarchicalHierarchical distributeddistributed systemsystemTime constraints (response time, temporalconsistency)Central Body Unit (Central Body Unit ( criticalcritical entityentity ))

OptimalOptimal schedulingscheduling ofof taskstasks

OptimalOptimal schedulingscheduling of messagesof messages

s a s

LINLIN

CANCAN

Central BodyElectronic

Other domains

> 1 s


16/48


TelematicTelematic ,, multimediamultimedia domaindomain

Telediagnostic

Human Machine InterfaceMultimedia applications

Communication

DriverPassengers

Other

systems


17/48


TelematicTelematic ,, multimediamultimedia domaindomain

OperationalOperational point ofpoint of viewviewUpgradableUpgradable devicesdevices , applications, applications

Plug andPlug and playplay PropertiesProperties :: securitysecurity ,, multimediamultimedia QoSQoS

Resource sharingResource sharingFluidFluid datadata streamsstreamsBandwithBandwith


18/48


Driver assistanceDriver assistance ActiveActive safetysafety

Night vision supportNight vision supportPedestrianPedestrian objectobject recognitionrecognition

ACCACC

LaneLane keepingkeeping assistantassistant

CollisionCollision avoidanceavoidance

Complexity

of theclosed loop


19/48


DomainDomain characteristicscharacteristics

Application type Application type Constraints Constraints Specification Specification

Power trainPower train Hybrid systemsHybrid systems Hard real timeHard real time Matlab/SimulinkMatlab/Simulink

ChassisChassis Hybrid systemsHybrid systems Hard real timeHard real time(safety)(safety)

Matlab/SimulinkMatlab/Simulink

BodyBody Discrete eventDiscrete eventsystemssystems

Real timeReal time State machineState machine(SDL,(SDL,

StatechartsStatecharts ))

TelematicTelematic --HMIHMI

Multimedia dataMultimedia dataflow processingflow processing

Soft real timeSoft real time SecuritySecurity QoSQoS

??

DeterministicDeterministicguaranteesguarantees

safety and safety and performance performance

ProbabilisticProbabilisticguaranteesguarantees


20/48


OutlineOutline

ContextContext







21/48


The design ofThe design of safesafe automotiveautomotive embeddedembeddedsystemssystems

EfficientEfficient developmentdevelopment processprocessDedicated Dedicated components components System System

ReusabilityReusabilityComponentsComponents -- IntegrationIntegrationPortabilityPortability -- InteroperabilityInteroperability

TraceabilityTraceability ,, upgradeabilityupgradeabilityConsistent abstractionConsistent abstraction levelslevels

SafeSafe embeddedembedded systemsystemPropertiesPropertiesV&VV&V analysisanalysisModelsModels

StandardsStandards

SafeSafe & optimal& optimal system system


22/48


StandardsStandards

Embedded system architectureEmbedded system architecture

Component identificationComponent identification

Component interface standardisationComponent interface standardisation

(how to use (how to use them them ) )

DataData

DiagnosticDiagnostic

DataData providedprovided byby sensorssensors

Architecture DescriptionArchitecture Description LanguageLanguage

technologytechnology

genericitygenericitystructurestructure

formalformal

descriptiondescription


23/48


TechnologicalTechnological standardsstandards

Networks andNetworks and protocolsprotocolsClass A (10 Kbps), Class B (>= 100Kbps), Class C (>= 1Mbps)Class A (10 Kbps), Class B (>= 100Kbps), Class C (>= 1Mbps)SAE SAE

RequirementsRequirements // domaindomain

BodyBody

100100 kBpskBps

PowerPower --train ,train ,chassischassis500 kbps500 kbps

SafetySafety criticalcritical(X(X--byby --WireWire ))>= 5>= 5 MbpsMbps

TelematicTelematic ,,multimediamultimedia>=25>=25 MbpsMbps

Class BClass B Class CClass C

CANCAN lowlow speedspeed CANCAN highhigh speedspeedTTP/CTTP/C

TTP/CTTP/CFlexRayFlexRay

MOSTMOST

Class CClass C

Class A: LIN, TTP/AClass A: LIN, TTP/A


24/48



Networks andNetworks and protocolsprotocols -- paradigmsparadigmsEventEvent --triggeredtriggeredTransmission of messagesTransmission of messages onlyonly whenwhen anan eventevent occursoccurs

++ --minimisation of bandwithconsumption

incremental design

verification of temporalconstraints

detection of failed nodes

++ --

predictability

detection of failed nodes

network utilisation (aperiodicmessages)flexibility

CANCAN

TTP/CTTP/C

TTCANTTCANFTTCANFTTCANFlexCANFlexCAN

FlexRayFlexRay

TimeTime --triggeredtriggeredTransmission of messageTransmission of message atat predeterminedpredetermined points in timepoints in time


25/48



OperatingOperating systemssystems and middlewareand middlewareOSEK/VDX OS and OSEK/VDX ComOSEK/VDX OS and OSEK/VDX Com

OSEKtimeOSEKtime OS and OSEK/VDXOS and OSEK/VDX FTComFTCom

Windows CE,Windows CE, VXWorksVXWorks ((multimediamultimedia ,, telematicstelematics ))

DiagDiag on CAN, KWP 2000 (diagnostic)on CAN, KWP 2000 (diagnostic)CCP (calibration)CCP (calibration)

Hardware abstraction layer: I/OHardware abstraction layer: I/OHIS IO LibraryHIS IO Library

HIS Display Data ProtocolHIS Display Data Protocol


26/48


Architecture standardsArchitecture standards

AUTOSARAUTOSARReferenceReference

architecturearchitecture..modularitymodularity..configurabilityconfigurability

MiddlewareMiddlewarespecificationspecification

hardwarehardware independenceindependenceportabilityportabilityreusabilityreusabilityinteroperabilityinteroperability ofofcomponentscomponents

http://www.autosar.org/

Application software

components

Basic software componentsBasic software components

Hardware components

Common interface (virtual bus)


27/48


OutlineOutline

ContextContext







28/48


EfficientEfficient

developmentdevelopment

processprocess

FunctionalFunctionalSpecificationSpecification

DesignDesignsoftwaresoftwarehardwarehardwaredistributiondistribution

implementationimplementation

Software / hardwareSoftware / hardwareintegrationintegration

System integrationSystem integrationModel consistency Model consistency Functional validation Functional validation Safety verification Safety verification

Model consistency Model consistency Schedulability Schedulability Performance evaluation Performance evaluation

Safety verification Safety verification

TestTest

Code verification, Code verification,


29/48


30/48



FunctionalFunctionalSpecificationSpecification

DesignDesignsoftwaresoftwarehardwarehardwaredistributiondistribution

implementationimplementation

Software / hardwareSoftware / hardwareintegrationintegration

System integrationSystem integrationMatlab / Simulink Petri Nets, Automata Temporal logic MSC

FMEA, fault trees Timed automata Temporal Petri Nets Queuing systems Stochastic models

Code inspection

HIL

IntegrationTest

UnitTest

Architecture(s)description

Architecture DescriptionLanguage


31/48



DomainDomain orientedoriented languagelanguageSyntaxSyntax :: domaindomain dependentdependent

SemanticsSemantics : V&V and design model: V&V and design model dependentdependentDeclarativeDeclarative languagelanguage (~UML Profile)(~UML Profile)

Architecture DescriptionArchitecture Description LanguageLanguage

AADL, AADL, EASTEAST --ADLADL http://www.easthttp://www.east --eea.net/eea.net/

ATESSTATESST http://www.atesst.orghttp://www.atesst.org

RepresentationRepresentation of anof an embeddedembedded systemsystem atat eacheach levellevelofof itsits developmentdevelopment

TraceabilityTraceability ,, consistencyconsistency betweenbetween modelsmodels

AutomaticAutomatic generationgeneration ofof formalformal modelsmodels


32/48


OutlineOutline

ContextContext






Open issuesOpen issues


33/48


Open issuesOpen issuesPortabilityPortability versusversus interoperabilityinteroperability

AutosarAutosar and theand the interoperabilityinteroperability objectiveobjective

Syntactic characteristics- input / output specification

Traceability, derivation, transformation

Interoperability?Interoperability?Timing annotation of ADL?

Dependability annotation of ADL?Composition rules: how to ensure a predictable composition?

schedulability, resource sharing, safety, dependability

http://www.easis http://www.easis - - online.org/ online.org/


34/48

Open issuesOpen issues -- 11


35/48


Open issuesOpen issues 11DeploymentDeployment of aof a safesafe systemsystem

11

ASC#1 ASC#3ASC#2

ASC#4SS 11

S 2 11Software Architecture

- Software components- Signals

Operational Architecture

112222

33

11 1122

1122

- Logical tasks- Signals

Logical architectureSS 11

SS

22

- - Non functional requirements Non functional requirements

Non functional requirements Non functional requirements

ECU#1ECU#1 ECU#2 ECU#2

Technical ArchitectureTechnical Architecture

-- OS TasksOS Tasks

OSOS --TaskTask#A#A

OSOS --TaskTask#C#C

OSOS --TaskTask#B#B

OSOS --TaskTask#D#D

111133

2222 22111122

-- Frames / RoundFrames / Round

Frame#1Frame#1 SS 11 SS 22

-- MiddlewareMiddlewareconfigurationconfiguration

middlewaremiddleware7 561211

10

8 4

21

9 3

The challengeThe challenge isis toto findfind a solution:a solution:-- thatthat respectsrespects

. all the. all the functionalfunctional requirementsrequirements ,,

. all the performance. all the performance requirementsrequirements ,,

. all the. all the safetysafety requirementsrequirements ,,

. all the timing. all the timing requirementsrequirements-- and optimisesand optimises

.. ECUsECUs memorymemory size,size,

. CPU, network. CPU, network bandwithbandwith consumptionconsumption

.. costcost , maintenance, maintenance costcost ,, wireswires lengthlength , etc., etc.

NP-Complete problemheuristics



36/48


Open issuesOpen issues 11DeploymentDeployment of aof a safesafe systemsystem

FaultFault tolerancetolerancerecoveryrecovery mechanismsmechanisms ,,

hardware, softwarehardware, software redundancyredundancy , timing, timing redundancyredundancy((sampling / over sampling sampling / over sampling ))

TimeTime triggeredtriggered vs.vs. eventevent triggeredtriggered

Overload

Flexibility

Determinism

Event triggeredapproach

Time triggeredapproach



37/48


Open issuesOpen issues - 22Design forDesign for costcost , performance, performance Design forDesign for safetysafety

ReliabilityReliability ofof electronicelectronic devicesdevices :: difficultdifficult toto

evaluateevaluate formallyformally

Perturbation due toPerturbation due to environmentenvironment : not: notcompletlycompletly knownknown

Emergence of XEmergence of X --byby --WireWire systemssystems ((electronicelectronictechnologytechnology ):): requiredrequired stringentstringent safetysafetypropertiesproperties



38/48


Open issuesOpen issues 22Design forDesign for costcost ,, performanceperformance Design forDesign for safetysafety

AvionicAvionic vs.vs. AutomotiveAutomotiveOperatorsOperators

high high qualification qualification / / no qualification no qualification MaintenanceMaintenance

stringent stringent requirements requirements / / no no formal formal requirement requirement

HardwareHardware redudancyredudancymassive massive / / few, impossible few, impossible

SystemSystem evolutivityevolutivity

stable stable / / continuous continuous evolution evolution

Proof, certification of software componentsProof, certification of software components

standards + standards + regulatory regulatory laws laws / few / few elements elements for the for the present present



39/48


RegulatoryRegulatory lawslawsInternalInternal recommendationsrecommendations ,, TVTV

StandardsStandardsDO 178B, C (DO 178B, C ( avionicavionic ), EN 50128 (), EN 50128 ( railwayrailway industryindustry ))MISRAMISRA ((MotorMotor IndustryIndustry SoftwareSoftware ReliabilityReliability Association)Association)IEC 61 508 (IEC 61 508 ( genericgeneric ))

OSI 26 262 (OSI 26 262 ( draftdraft 2005,2005, forecastedforecasted publication 2007)publication 2007)

((AutomotiveAutomotive )) SafetySafety IntegrityIntegrity LevelLevelSIL1 .. SIL4 /SIL1 .. SIL4 / ASILxASILx

Open issuesp 2Design forDesign for costcost , performance, performance Design forDesign for safetysafety


40/48

Open issuesOpen issues - 33


41/48


Open issuesOpen issues -- 33Design forDesign for safetysafety : how to: how to proveprove itit??

AA steersteer --byby --wirewire

C r

d i t p

h o

t o g r a p

h i q u e

P S A P e

u g e o

t

C r

d i t p h o

t o g r a p

h i q u e

P S A P e

u g e o

t - -

C i t r o

n

C i t r o

n

1CriticalCriticalfunctionsfunctions

ImplementedImplemented ononECUsECUs ((redundantredundant ))

ConnectedConnected onon

networknetwork((redundantredundant ))



42/48


Open issuesOpen issues -- 33Design forDesign for safetysafety : how to: how to proveprove itit??

AA steersteer --byby --wirewire

C r

d i t p h o

t o g r a p

h i q u e

P S A P e

u g e o

t

C r

d i t p h o

t o g r a p

h i q u e

P S A P e u g e o

t - -

C i t r o

n

C i t r o

n

1CriticalCriticalfunctionsfunctions

ImplementedImplemented ononECUsECUs ((redundantredundant ))

ConnectedConnected onon

networknetwork((redundantredundant ))

ProbabilityProbability of aof a criticalcriticalfailurefailure occurrence < 10occurrence < 10 --99



43/48


Open issuesOpen issues - 33Design forDesign for safetysafety : how to: how to proveprove itit??

AA steersteer --byby --wirewire :: safetysafety evaluationevaluation

On hardware components/architectureOn hardware components/architectureOn software components (proof, codeOn software components (proof, codeinspection, testinspection, test covercover , etc.), etc.)OnOn operationaloperational architecturearchitecture

Behavioral aspects (tasks, frames)Behavioral aspects (tasks, frames)

Vehicle response timeVehicle response timeEmbedded systems response timeEmbedded systems response time

BehaviorBehavior under transient faults under transient faults (EMI(EMI

perturbations, overload situation, )perturbations, overload situation, )



44/48


pDesign forDesign for safetysafety : how to: how to proveprove itit??

t

Front axle position

HandHand wheelwheel

commandcommand

DriverDriverrequirementrequirement

InIn factfact

delay


45/48


46/48

ConclusionsConclusions


47/48


ConclusionsConclusions

AutomotiveAutomotive industryindustry isis dependentdependent of softwareof software --basedbased embeddedembedded

systemssystems


AUTOSAR AUTOSAR

MBDMBD

SafetySafety assessmentsassessments

StandardStandard ISO 26 262ISO 26 262

IntegrationIntegration ofof severalseveral points ofpoints of viewview

Tools (editors, modeltransformations)

Timing, dependabilityannotations

Certification, verification

Muli-competencies

experts


48/48

ThankThank youyou

Documents

Auto Safety Sot Ware