All Rights Reserved by Japan Virtual Microcontroller Initiative / vECU-MBD WG
The 15th Car-Electronics Research Workshop, July 14, 2014, Jidosha Kaikan (Tokyo / Ichigaya)
Trial of multiple ECU co-simulation and fault injection using virtual ECU
- vECU-MBD WG activity example introduction -
Japan Virtual Microcontroller Initiative, vECU-MBD WG
Yoshihiro Miyazaki, Technology Development Div., Hitachi Automotive Systems, Ltd.
Takashi Abe, Basis Electronics R&D Div., Denso Corp.
1
Today's presentation contents
1. Establishment background and activity summary of vECU-MBD working group
2. Activity example introduction (1): Multiple ECU co-simulation
3. Activity example introduction (2): Fault injection
4. Conclusion
2
[Notes]
ECU: Electronic Control Unit
vECU: Virtual ECU
MBD: Model Based Development
1. Establishment background and activity summary of vECU-MBD working group
3
* Progress and subject of MBD
* Virtual microcontroller (MCU) and virtual ECU
* The goal image to be aimed
* Summary of vECU-MBD WG
2. Activity example introduction (1): Multiple ECU co-simulation
3. Activity example introduction (2): Fault injection
4. Conclusion
Progress of the MBD utilization
4
[Figure: man-hours over time across the development process (additional spec. design, design & implementation, test & verification); models are used to predict results in later development processes]
Background of automotive product development:
• Development of high-functionality, high-quality products in response to demands on product performance
• Shortening turn-around time for early release to the market
• Individual functions such as engine and brake control are getting large and complex
• Assigning adjustments among functions is getting complex because functions are connected over the network
Result: increased load on software development engineers due to the electronic control of automotive parts; result prediction of an additional spec. is difficult; man-hours increase in the lower processes (implementation, test, verification). Can they be shifted to the upper processes (system design, specification design)?
Application of MBD to electronic control systems is expanding.
From:
What is a model in MBD?
5
Models enable simulation in a virtual system.
From: Optimize System Organization by Model Based Development
[Figure: an ECU model (S/W control model, H/W circuit models) and a control target model (sensor model, actuator model, mechanical model) replace the real ECU and the real target in the virtual system]
System Design Phase (Virtual System Design & Test):
• Clarification of input and output of a control target and a control device
• Clarification of each composition module
• Clarification of a total test and individual module tests
[Process: additional spec. design -> modeling -> verification]
Subject of a future system test
6
[Figure: test flow from HILS (B-CAN / F-CAN) through a large-scale HILS test of a whole vehicle to the in-vehicle test; the electronic control system with in-vehicle LAN covers engine control, brake control, body control, steering control and around monitor, and is becoming high-performance, high-technology, fusion and complicated]
Early detection of software errors is difficult, because the test of application, platform and network is executed only after completion of the real unit.
Virtual MCU and virtual ECU
7
Virtual ECU (ECU model): a model of the ECU targeted for implementation. It includes the model (virtual microcontroller) of the processor targeted for implementation.
(1) User support guide to consider introduction & Glossary
(2) Experimental example (system integration and evaluation)
◆ Important activity theme of 2013FY: (1) multiple ECU co-simulation, (2) fault injection test
Activity Roadmap
13
◆ Considering importance and difficulty, three activity phases have been planned. TF activities started from 2011.
◆ 2013FY~: The Model Supply Chain TF was closed because its purpose was almost achieved. A Virtual HILS TF was newly established.
Phases: Phase 1 (2011FY~2012FY), Phase 2 (2013FY~20xxFY), Phase 3 (20xxFY~20yyFY)
Task forces:
- Model Supply Chain TF: standardization and mechanism for model distribution
  —Model development of use case
  —Definition of development process and model supply chain business process
- Microcontroller Model TF: standardization in the business field, supporting model and tool
  -Fault injection
  -Interface model connecting multiple ECUs
  -Co-simulation of multiple ECUs
- Virtual HILS TF (TBD): cloud supporting, co-operation in business field supporting
Overall goal: basic technology environment for high efficiency, large scale, high availability
from User Support Guide to Consider Introduction of Virtual ECU
edited by vECU-MBD WG
30
2012FY WG activity report
Fault injection tests in a virtual microcontroller show the effectiveness of verification
2012FY activity:
- Experiment: added circuit fault injection
- Standardization of the fault injection requirement specification and the fault injection model
- Pick-up of fault modes; experiment of fault injection inside the virtual MCU
- Automatic test of exhaustive fault injection, calculation of coverage
- Automatic judgment of FMEA
The effectiveness of the virtual microcontroller is evaluated by experiments of fault injection tests and FMEA on the virtual test environment:
* Fault injection test using the target object code is feasible
* Fault mode effect analysis is feasible even if the fault mode is difficult to test on the real machine
* Both the observation of the effect on the system in case of a fault injection inside the microcontroller, and the observation of the internal status of the microcontroller when the fault occurs, are feasible
A new development environment is tried in which multiple companies integrate their models on the cloud without constructing each company's own environment.
[Figure: Fault injection on experimental example (power window system with virtual microcontroller); plan]
from 2012FY WG activity report
31
Difficulties for actual environment
Fault injection test for an actual product:
1. Fault injection flexibility: fault point, timing, etc.
2. Waveform observation: observing any point requires destructive measurement
3. Short TAT: long verification time with the actual device
[Figure: actual product verification environments: ECU with switch box, HILS with vehicle model, ECU unit, ECU evaluation board, IC]
Verification methods: short circuit and wiring disconnection of the ECU -> limitation of reproducible methodologies
Virtual environment systems can lead to high test coverage for complex safety requirements.
32
Issue analysis for virtual environment
The bottlenecks are the fault injection methodologies & modeling
■ Advantage
1. Possibility of fault injection: any point & any timing
2. Early detection & short verification time without the actual product
3. Verification available without destructive measurement
■ Issues of the virtual system
1. Fault injection mode / point
2. Fault injection model design
3. The number of test results becomes enormous -> man-hours for judgment increase
[Figure: virtual environment: system level (LAN connecting ECUs), virtual ECU simulator (MCU model, circuit model, application software) and plant model; ECU + plant modeling on PC]
Cases: Case 1: engine ECU motif: drive IC trouble; Case 2: FlexRay motif: ECU clock trouble; Case 3: a power window: fault injection in RAM at the microcontroller
33
Requirements for standardization
■ Current status
The fault injection / modeling methodologies are not standardized, and they are not efficient. ⇒ A proposal of standardization specifications (plan) is desirable.
[Figure: function block model at function level (input a+b=c output) with an attached fault model (short, open, stuck at H/L); system of ECUs down to ECU / MCU / circuit parts]
A change of the function block is not desirable -> only I/F expansion of the fault model.
■ Requirements to fault injection method
- Fault level, mode & injection point
- Target-independent fault injection methodologies
- Easy judgment of the results
⇒ Proposal of the standardization specifications (plan)
■ Goal image
[Figure: a fault injection scenario (target point, fault mode, timing, etc.) is fed through an interface into the virtual ECU (plant model, circuit models, MCU model with core model, application software and peripheral models); the simulation result is compared with the expectation to give OK/NG]
- Feasibility: assumed faults can be simulated
- Versatility: keep the original application or function
- Validity: easy judgment of the results
It is desirable that OK/NG can be determined from the results.
Analysis: faults assumed in the virtual ECU -> propose fault level / injection point (Report 1) -> propose fault mode (Report 2) -> fault injection methodologies (Report 3)
34
Standardization
• Fault level & injection point
• Fault mode
• Fault injection methodologies
• Judgment methodologies
35
Report 1: Fault level / Injection point
Proposal: the fault level & injection point for the feasibility
■ Fault level
- Chip level: stuck low, stuck high, drift, oscillation, etc.
- ECU / MCU / ASIC level: power & clock off, incorrect R/W at ROM/RAM, incorrect output from I/O, missed interrupt timing, etc.
- System level: parity error, frame error, overflow, timing error, etc.
■ Injection point
[Figure: system level LAN with ECUs; virtual ECU with plant model, circuit models and MCU model (core model, application software, peripheral models)]
- Hardware: pin of MCU & ASIC; pin of electronic parts on the ECU (resistor, capacitor, transistor, etc.); ROM/RAM/register in MCU & ASIC
- Communication network: internal communication (UART etc.); outside communication (CAN, LIN etc.)
36
Case study
Case: power window system (MCU + H/W circuit + plant)
Assumed faults were extracted from the example of a power window ECU.
■ Study of the fault level / mode / injection point
[Block diagram: input circuit -> MCU -> output circuit -> motor model -> mechanical model]
37
Report 2: Fault mode
■ Category of the fault mode (excerpt)
Columns: Block | Derived fault | Cause | Cause / mechanism | Mode
Input detect circuit | Wrong detection / miss detection (pulse signals, etc.) | Pull-down resistor is short-circuited and stuck at Lo | Stuck at Hi/Lo by the short-circuit of the part | 1 stuck at Hi/Lo
Input detect circuit | Wrong detection / miss detection (pulse signals, etc.) | Pull-up resistor of an open collector is open | Open-circuit of the part | 1 stuck at Hi/Lo
Function to prevent overcurrent | Abnormal input data from the sensor (repetition of L ⇔ H) | A/D port of the MCU is shorted to the P-RUN port | Short-circuit between the adjacent terminals | 2 bridge
Input detect circuit | Wrong detection / miss detection | Stuck at Lo due to malfunction of the port register | Wrong data change in register | 3 wrong data change
Input recognition function | Wrong output | RAM wrong data | Wrong data change | 3 wrong data change
PWM drive circuit | Abnormal input data from the sensor | Dynamic change of the sensor output | Dynamic change (drift) | 4 drift
Input recognition function | Slow reaction | Delay of the interrupt in the MCU | Delay | 5 delay
Function to measure number of revolutions | Wrong detection | Oscillation of the IC output | Oscillation | 6 oscillation
■ Fault modes have been selected according to the injection point
Hardware:
* Terminals of MCU, ASIC: stuck at Hi/Lo; short-circuit between the adjacent terminals
* Terminals of electronic parts on the ECU (resistor, capacitor, transistor, etc.):
  - Resistor: open (and middle value fault)
  - Capacitor: open / short (and middle value fault)
  - Transistor: open of each terminal; short-circuit between the adjacent terminals
* ROM/RAM/register in MCU or ASIC: wrong data change of ROM/RAM/register
Communication network:
* Internal communication (UART etc.) and outside communication (CAN, LIN etc.): wrong data change of frame data; interrupt delay
Proposal: the six fault modes for the feasibility
38
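The six fault modes of Report 2, as an added example that is not the WG's code: each mode is written as a transformation of a sampled sensor signal, and an edge-counting "number of revolutions" function shows which modes produce miss detection, wrong detection or only a delay. The pulse pattern, port levels, threshold and mode parameters are constructed assumptions.

```python
# Added example, not the WG's code: the six proposed fault modes modelled as
# transformations of a sensor signal sampled at 1 ms ticks, plus the
# edge-counting "number of revolutions" function an application would run.
# Pulse pattern, port levels, threshold and mode parameters are assumptions.

HI, LO, THRESHOLD = 5.0, 0.0, 2.5      # assumed port levels and input threshold

def pulse_train(n_ms, period_ms):
    """Constructed sensor output: a square wave with one rising edge per period."""
    return [HI if (t % period_ms) < period_ms // 2 else LO for t in range(n_ms)]

def stuck_at(sig, t0, level):            # mode 1: stuck at Hi/Lo from t0
    return [v if t < t0 else level for t, v in enumerate(sig)]

def bridge(sig_a, sig_b, t0):            # mode 2: short between adjacent pins
    # assumption: after the short both nets follow the higher driver
    pairs = [(a, b) if t < t0 else (max(a, b), max(a, b))
             for t, (a, b) in enumerate(zip(sig_a, sig_b))]
    return [p[0] for p in pairs], [p[1] for p in pairs]

def wrong_data(sig, t0, value):          # mode 3: wrong data change (one sample)
    return [value if t == t0 else v for t, v in enumerate(sig)]

def drift(sig, t0, volts_per_ms):        # mode 4: drift of the sensor level
    return [v if t < t0 else v + volts_per_ms * (t - t0)
            for t, v in enumerate(sig)]

def delay(sig, t0, d_ms):                # mode 5: delay (late sampling/interrupt)
    return [v if t < t0 else sig[max(t - d_ms, 0)] for t, v in enumerate(sig)]

def oscillation(sig, t0, half_ms):       # mode 6: oscillation of an IC output
    return [v if t < t0 else (HI if ((t - t0) // half_ms) % 2 == 0 else LO)
            for t, v in enumerate(sig)]

def count_revolutions(sig):
    """Application side: count rising edges of the thresholded input."""
    bits = [1 if v > THRESHOLD else 0 for v in sig]
    return sum(1 for a, b in zip(bits, bits[1:]) if a == 0 and b == 1)

def derived_fault(faulty, nominal):
    """Classify the effect the way the Report 2 table does (assumed rule)."""
    f, n = count_revolutions(faulty), count_revolutions(nominal)
    return "ok" if f == n else ("miss detection" if f < n else "wrong detection")

if __name__ == "__main__":
    base = pulse_train(1000, 100)        # constructed: 10 revolutions per second
    for name, faulty in [("stuck Lo", stuck_at(base, 500, LO)),
                         ("oscillation", oscillation(base, 500, 5)),
                         ("delay", delay(base, 500, 20))]:
        print(name, count_revolutions(faulty), derived_fault(faulty, base))
```

A delay leaves the count unchanged but late, which is why the table lists it as "slow reaction" rather than a detection error.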
Report 3: Fault injection methodologies
The WG discussed the necessity of the fault injection methodologies & versatility.
■ Conventional environment
[Figure: the fault injection scenario (target point, fault mode, timing, etc.) is wired directly into the virtual ECU (plant model, input/output circuit model, MCU model with core model, application software and peripheral model)]
* Changes the original object code & circuit.
* Modeling for each target system.
■ Standard I/F (environment in the WG)
[Figure: the scenario reaches the virtual ECU only through a register I/F on the MCU model and a signal I/F / value (physical value) I/F on the input/output circuit model and the plant model]
* Keeps the original object code & circuit by the two standard I/Fs (register, and signal / value).
⇒ Fault scenario / model can be re-used.
39
Application case
■ Contents
– Case 1: Fail-safe verification of memory fault
  • RAM data for the number of motor revolutions is stuck at 0.
– Case 2: Fail-safe verification of H/W circuit fault
  • Resistor value of the switch input / output circuit is stuck at Lo.
40
Fail-safe verification of memory fault
■ Overview
[Software specification]
Motor overcurrent: over 3 A.
If the motor overcurrent continues for 200 ms, it is determined to be abnormal and the motor stops.
Fail-safe function verification of the overcurrent detection that occurs at the time of an MCU internal memory fault.
■ Image of the fault injection
[Figure: MCU model (CPU, MEM, TIMER, ADC, PORT) with a register I/F; the fault injection model fixes the RAM holding the number of revolutions so that it reads 0]
Fault injection model (time / object / address / trouble level), injection model example:
time[ms] | Target | Command | address | val
400 | MEM | Change | 0x******** | 0x0000
Injected fault: change memory data
■ Verification
[Simulation execution screen: waveforms of window speed, motor current, UP switch monitor, UP switch signal, window position, switch input signal and switch input comparison signal. Normal behavior: the window arrives at the top dead position and the motor stops. With the fault injected at 400 ms (RAM monitor shows 0): overcurrent detection after 200 ms, then the motor drive current stops.]
Fail-safe function of memory fault has been verified.
41
Fail-safe verification of H/W circuit fault
■ Overview
[Software specification]
If the comparison result of the two input signals is unmatched, it is determined to be abnormal and the motor stops.
Fail-safe function verification of the input unmatch detection that occurs at the time of an H/W circuit fault.
■ Image of the fault injection
Injected fault: resistor stuck at Lo
[Figure: UP/DOWN switch -> input circuit models (signal I/F) -> input detect circuit -> microcontroller; the fault injection model acts on the UP/DOWN switch monitor circuit (resistors R1, R2, R3) so that the resistor value and circuit output are stuck at Lo from time t1]
■ Verification
Test environment:
- Circuit: SaberRD 2013.12 (Synopsys)
- MCU: No1 system simulator Ver2.2 (Gaio Technology)
- Control system: Matlab R2012a (MathWorks)
- Run environment: wCloud
[Simulation execution screen: window speed, motor current, UP switch monitor, UP switch signal, switch input comparison signal, window position; at 1000 ms the switch signal is stuck at Lo, the motor drive current stops and the window stops]
Fail-safe function of input H/W circuit fault has been verified.
42
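Case 1 and Case 2 run against the standard interfaces of Report 3, as an added example that is not the WG's code: a toy power-window virtual ECU reads a scenario in the slide's time / target / command / address / value format, the fault injection model forces the revolution-counter RAM (register I/F) or the UP switch signal (signal I/F) without touching the application logic, and an OK/NG judgment compares the stop reason with the expectation. The plant behaviour, RAM address, stall current, simulated time to the top and the scenario rows are constructed assumptions; only the 3 A / 200 ms overcurrent rule and the input comparison rule come from the slides.

```python
# Added example, not the WG's code: a toy power-window virtual ECU driven by a
# fault scenario in the slide's "time / target / command / address / value"
# format. Plant behaviour, RAM address, stall current and timings are assumed.

OVERCURRENT_A, OVERCURRENT_MS = 3.0, 200   # spec: over 3 A for 200 ms -> stop
TOP_REVS = 2000          # assumed revolutions from bottom to top dead position
RAM_REVS = 0x1000        # assumed RAM address of the revolution counter
RUN_A, STALL_A = 1.0, 5.0  # assumed motor current while moving / when stalled

# Constructed scenarios: case 1 via the register I/F, case 2 via the signal I/F
CASE1_MEM_FAULT = [(400, "MEM", "Change", RAM_REVS, 0x0000)]
CASE2_SWITCH_FAULT = [(1000, "SIG", "StuckLo", "UP_SW", 0)]

def run(scenario, sim_ms=3000):
    """Simulate 1 ms ticks; return when and why the motor stopped (or None)."""
    ram = {RAM_REVS: 0}
    mem_faults, sig_faults = {}, {}
    motor_on, true_revs, over_ms = True, 0, 0
    stop_ms, reason = None, None
    for t in range(sim_ms):
        # fault injection model: arm each fault when its scenario time comes
        for ft, target, _cmd, addr, val in scenario:
            if ft == t:
                (mem_faults if target == "MEM" else sig_faults)[addr] = val
        # plant: the window moves until the top, then the motor stalls
        if motor_on and true_revs < TOP_REVS:
            true_revs, current_a = true_revs + 1, RUN_A
        elif motor_on:
            current_a = STALL_A
        else:
            current_a = 0.0
        # peripheral models: UP switch held pressed, RAM copy of the count
        signals = {"UP_SW": 1, "UP_SW_CMP": 1}
        signals.update(sig_faults)            # signal I/F: force switch level
        ram[RAM_REVS] = true_revs
        ram.update(mem_faults)                # register I/F: force RAM value
        # application software, untouched by the injection
        if motor_on and ram[RAM_REVS] >= TOP_REVS:
            motor_on, reason = False, "top"
        if motor_on and signals["UP_SW"] != signals["UP_SW_CMP"]:
            motor_on, reason = False, "mismatch"
        over_ms = over_ms + 1 if current_a > OVERCURRENT_A else 0
        if motor_on and over_ms >= OVERCURRENT_MS:
            motor_on, reason = False, "overcurrent"
        if not motor_on and stop_ms is None:
            stop_ms = t
    return {"stop_ms": stop_ms, "reason": reason}

def judge(result, expected_reason):
    """OK/NG judgment: did the motor stop for the reason the scenario expects?"""
    return "OK" if result["reason"] == expected_reason else "NG"

if __name__ == "__main__":
    print(run([]), run(CASE1_MEM_FAULT), run(CASE2_SWITCH_FAULT))
```

With the counter stuck at 0 the application never sees the top, the stalled motor draws over 3 A, and the 200 ms overcurrent fail-safe is what stops it, which is the behaviour the Case 1 waveform shows.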
Effectiveness
[Table header, remainder not in the transcript: MCU | Resistor | Capacitor | Diode | OP AMP | CMOS logic | MOS-FET]