The design of safe automotive electronic systems
Some problems, solutions and open issues
Françoise Simonot-Lion ([email protected])
Nancy Université - LORIA (UMR 7503)
EPFL Summer Research Institute 2007, July 3-21, 2007
Context
• Automotive industry: the most important economic sector for the next 10 years (Mercer Management Consulting)
• Software technology: new services are easily developed
• Customer requirements: cost, comfort, safety. Carmaker and supplier requirements: cost, time to market
• Electronic systems = 90% of innovation (Daimler Chrysler)
• Electronics are mandatory for some functions (control of exhaust emissions)
• Cost of electronic embedded systems as a share of the cost of a car: 1% (1980), 20% (2005), 40% (2015, projected)
Françoise Simonot-Lion Nancy Université 2
EPFL July 2007 Summer Research Institute
Problems: architectural complexity

[Figure: a typical in-vehicle architecture. Functions such as airbags, door control, steering wheel control, ABS, power train, light control, climate control, radio and amplifier are hosted on ECUs (Electronic Control Units) attached to several networks: a chassis / power train network carrying the critical functions, a body network and a comfort network, interconnected by a communication service.]

• Critical functions
• Complex communication architecture

Example: VW Phaeton (Jürgen Leohold, IEEE WFCS 2004, Vienna, Austria)
• 11,136 electrical devices
• 61 ECUs, 3 CAN networks, sub-networks, 1 multimedia bus
• 2,500 signals exchanged between ECUs in 250 CAN messages
Problems: functional complexity
• Number of I/O signals; size of the state vector (external / internal data)
• Integration of critical and non-critical functions

Operational point of view
• High computation power (floating point coprocessors)
• Multi-tasking (different activation rules)
• Compromise between cost and resolution of sensors
• Stringent time constraints (response time, freshness), of the order of 100 µs to 1 ms
Chassis domain

[Figure: the wheel / suspension / ... controller (ABS, ESP, ASC, 4WD, ...) takes the driver's inputs from the steering column and the brake pedal, exchanges data with other systems, and must cope with external forces (ground, wind) under comfort and safety constraints.]
ChassisChassis
~1 msFunctionalFunctional point of point of viewview
ComplexComplex control control lawslawsOperationalOperational point of point of viewview
High computation power (High computation power (floatingfloating pointpointcoprocessorscoprocessors))MultiMulti--taskstasks ((differentdifferent activation activation rulesrules))Compromise Compromise costcost / / resolutionresolution of of sensorssensorsDistribution Distribution Stringent time constraints (response time, freshness, temporal consistency)
Critical domain for the safetyX-by-Wire
Françoise Simonot-Lion Nancy Université 9
EPFL July 2007 Summer Research Institute
Body domain

[Figure: body controllers (wipers, lights, mirrors, doors, windows, seats, ...) interacting with the driver and passengers and with other systems; an area of innovation.]
Body domain
• Functional point of view: numerous functions; reactive systems
• Operational point of view: highly distributed, hierarchical distributed system; time constraints (response time, temporal consistency); Central Body Unit (critical entity); optimal scheduling of tasks; optimal scheduling of messages

Multimedia domain
• Operational point of view: upgradable devices and applications, "plug and play"; properties: security, multimedia QoS
• Resource sharing, fluid data streams, bandwidth
Driver assistance, active safety
• Night vision support
• Pedestrian / object recognition
• ACC (adaptive cruise control)
• Lane keeping assistant
• Collision avoidance
Complexity of the closed loop.
Domain characteristics

Domain       | Application type      | Constraints                    | Specification   | Guarantees
Power train  | Hybrid systems        | Hard real time                 | Matlab/Simulink | Deterministic (safety and performance)
Chassis      | Hybrid systems        | Hard real time (safety)        | ?               | Deterministic (safety and performance)
Multimedia   | Data flow processing  | Soft real time, security, QoS  | ?               | Probabilistic
Outline
• Context and general problems
• Automotive domains
• An open issue: the safety assessment. Example: a steer-by-wire system
• Impact of the communication system: priority-based protocol; TDMA-based protocol
• Conclusions
An open issue: safety assessment
• Design for cost and performance vs. design for safety
• Reliability of electronic devices: difficult to evaluate formally
• Perturbations due to the environment: not completely known
• Models for dependability evaluation: difficult to build (what level of accuracy?), difficult to analyze
• Emergence of X-by-Wire systems (electronic technology): stringent safety properties are required
An open issue: safety assessment. Example: a steer-by-wire system

[Figure: the functional chain of a steer-by-wire system: driver's request → filtering, ... → control law → actuation.]
An open issue: safety assessment. Example: a steer-by-wire system

[Figure: the same chain deployed on redundant micro-controllers (filtering and control law replicated) connected on communication networks.]

Standards
• DO 178B, C (avionics), EN 50128 (railway industry)
• MISRA (Motor Industry Software Reliability Association)
An open issue: safety assessment. ISO 26262 (under development in 2007)
• Identification of scenarios and situations
• Frequency (often, quite often, sometimes, rare events)
• Severity (death of persons, severe injuries, light injuries, no injuries)
• Driver controllability (no, > 1/100, > 1/10)
• Determination of the function's ASIL: ASIL A, ..., ASIL D
• ASIL x corresponds to safety integrity attributes: functional (no wrong signals) and quantitative (probability of a critical failure occurring in one hour < 10^-n)
An open issue: safety assessment. Example: a steer-by-wire system

[Figure: redundant micro-controllers (filtering, control law) connected on communication networks.]

Requirement: probability of a critical failure occurrence < 10^-9 (per hour)
An open issue: safety assessment

A steer-by-wire system: safety evaluation
• On hardware components and architecture
• On software components (proof, code inspection, test coverage, etc.)
• On the operational architecture: behavioral aspects (tasks, frames); vehicle response time; embedded system response time
• Behavior under transient faults (EMI perturbations, overload situations, ...)
An open issue: safety assessment

[Figure: the control loop: reference production → network → computer running the discrete controller (control law) → actuator (amplifier) → system to control → sensors → computer. Transient failures of the network or of the computers are what threatens system safety.]
[Figure: hand wheel command (the driver's requirement) vs. front axle position over time: in fact, the axle position follows the command with a delay.]
Safety parameters

[Figure: hand wheel ECU → network → front axle ECU. The parameters are the delay between a hand wheel position and the corresponding front axle actuation, and the interval between two commands.]
Safety parameters

[Figure: the same chain (hand wheel ECU → network → front axle ECU) with a radar shown as an external perturbation source; the same parameters, delay and interval between two commands, are shown.]
Technological standards: networks and protocols, paradigms

Event-triggered: transmission of messages only when an event occurs
• Advantages: minimisation of bandwidth consumption; incremental design
• Drawbacks: verification of temporal constraints; detection of failed nodes

CAN – response time evaluation, without errors
• Periodic / sporadic emission of frames: period $T_m$ (seconds), length of application data $s_m$ (bytes)
• Bounded jitter on frame emission: jitter $J_m$ (seconds)
• Constraint: relative deadline $D_m$ (seconds)
CAN – response time evaluation

Frames are scheduled on the bus according to a Fixed Priority Non-Preemptive (FPNP) scheduling policy. The worst-case response time of a frame is given by (K. Tindell, 1994):

$$R_m = J_m + w_m + C_m$$

where $J_m$ is the emission jitter, $w_m$ the worst waiting time to gain access to the bus and $C_m$ the worst (physical) transmission time. The constraint to verify is $R_m \le D_m$.
CAN – response time evaluation

Worst (physical) transmission time (11-bit identifier):

$$C_m = \left( \left\lfloor \frac{34 + 8\, s_m}{4} \right\rfloor + 47 + 8\, s_m \right) \tau_{bit}$$

where $s_m$ is the length of the application data (bytes), $\tau_{bit}$ the bit time (1 µs for a 1 Mbit/s bus) and $\left\lfloor (34 + 8 s_m)/4 \right\rfloor$ the overhead due to bit stuffing.
CAN – response time evaluation

Worst waiting time:

$$w_m = B_m + \sum_{j \in hp(m)} \left\lceil \frac{w_m + J_j + \tau_{bit}}{T_j} \right\rceil C_j, \qquad B_m = \max_{k \in lp(m)} C_k$$

where $B_m$ is the worst blocking time due to frames of lower priority (no preemption), $lp(m)$ the set of frames of lower priority than $m$, $hp(m)$ the set of frames of higher priority than $m$ and $T_j$ the emission period of frame $j$; the sum is the worst blocking time due to frames of higher priority.
CAN – response time evaluation

Recurrent algorithm:

$$w_m^{0} = \max_{k \in lp(m)} C_k, \qquad w_m^{n+1} = \max_{k \in lp(m)} C_k + \sum_{j \in hp(m)} \left\lceil \frac{w_m^{n} + J_j + \tau_{bit}}{T_j} \right\rceil C_j$$

The iteration stops at the first fixed point ($w_m^{n+1} = w_m^{n}$), or as soon as $J_m + w_m^{n+1} + C_m > D_m$, in which case the deadline cannot be guaranteed.
CAN – response time evaluation, under errors
• Periodic / sporadic emission of frames: period $T_m$ (seconds), length of application data $s_m$ (bytes)
• Bounded jitter on frame emission: jitter $J_m$ (seconds)
CAN – response time evaluation

Error model 1 (K. Tindell, 1994): for all $t$, in $[0, t]$
• 0 or 1 burst of errors; size of the burst: $n_{error}$ errors
• Minimal inter-arrival of two consecutive errors: $T_{error}$
• Worst case, maximum number of errors in $[0, t]$:

$$\left\lceil \frac{t}{T_{error}} \right\rceil + n_{error} - 1$$
CAN – response time evaluation

Overhead due to one error:
• Error frame emission: $23\,\tau_{bit}$ (worst case)
• Retransmission of the erroneous frame; worst case: every error hits the last bit of the longest frame that is able to be transmitted
CAN – response time evaluation

$$w_m^{0} = \max_{k \in lp(m)} C_k, \qquad w_m^{n+1} = E_m\!\left(w_m^{n} + C_m\right) + \max_{k \in lp(m)} C_k + \sum_{j \in hp(m)} \left\lceil \frac{w_m^{n} + J_j + \tau_{bit}}{T_j} \right\rceil C_j$$

The last two terms are the worst waiting time to gain access to the bus (without errors); $E_m(w_m^{n} + C_m)$ is the overhead due to the errors occurring in $[0, w_m^{n} + C_m]$:

$$E_m(t) = \left( \left\lceil \frac{t}{T_{error}} \right\rceil + n_{error} - 1 \right) \left( 23\,\tau_{bit} + \max_{j \in hp(m)} C_j \right)$$
CAN – response time evaluation

Error model 2 (N. Navet, 1999):
• the inter-arrival time of errors is exponentially distributed, exp(λ);
• the length of a burst (number of errors) is given by u;
• when an error occurs, a is the probability that it is a burst and 1 − a that it is a single error.

[Figure: a timeline mixing single errors and bursts of errors; inter-arrival time exp(λ), burst length u.]

The number of errors in $[0, t]$ is a random variable $X(t)$.
CAN – response time evaluation

Worst waiting time when $i$ errors occur:

$$w_m(i)^{0} = \max_{k \in lp(m)} C_k, \qquad w_m(i)^{n+1} = \varepsilon_m(i) + \max_{k \in lp(m)} C_k + \sum_{j \in hp(m)} \left\lceil \frac{w_m(i)^{n} + J_j + \tau_{bit}}{T_j} \right\rceil C_j$$

where $\varepsilon_m(i) = i \left( 23\,\tau_{bit} + \max_{j \in hp(m)} C_j \right)$ is the overhead due to $i$ errors. The maximum number of errors that frame $m$ tolerates is

$$\eta_m = \max\{\, n \in \mathbb{N} \mid R_m(n) \le D_m \,\}$$

and the worst-case deadline failure probability is $P\left[ X\!\left(R_m(\eta_m)\right) > \eta_m \right]$.
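The CAN analysis of the preceding slides (the error-free recurrence, error model 1 and the η_m bound of error model 2), as an added runnable example in Python; it is not code from the slides or from the cited papers. Times are in bit times (τ_bit = 1, i.e. microseconds on a 1 Mbit/s bus) so that the ceilings are exact integers, and the frame set FRAMES is constructed for the example. Two choices are deliberate caveats: the cost of one error takes the longest frame over hp(m) ∪ {m}, as in Tindell's original paper (the slides write the max over hp(m) only), and single_instance_analysis_valid applies the check from Davis et al. (2007), in the reference list, that the one-instance recurrence is only guaranteed when the priority-level-m busy period ends within T_m.

```python
# Added example (not from the slides): worst-case CAN response times with the
# FPNP recurrence, Tindell's error model 1, and the eta_m bound of error model 2.
# All times are in bit times (tau_bit = 1): on a 1 Mbit/s bus one unit is 1 us.
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Frame:
    name: str
    ident: int   # 11-bit CAN identifier; the lowest value wins arbitration
    s: int       # application data bytes s_m, 0..8
    T: int       # period / minimum inter-arrival time T_m
    J: int       # emission jitter J_m
    D: int       # relative deadline D_m


def ceil_div(a: int, b: int) -> int:
    return -(-a // b)


def transmission_time(s: int) -> int:
    """C_m: 47 fixed bits + 8 s_m data bits + worst-case bit stuffing (11-bit identifier)."""
    return (34 + 8 * s) // 4 + 47 + 8 * s


def hp(frames: List[Frame], m: Frame) -> List[Frame]:
    return [j for j in frames if j.ident < m.ident]


def lp(frames: List[Frame], m: Frame) -> List[Frame]:
    return [k for k in frames if k.ident > m.ident]


def response_time(frames: List[Frame], m: Frame,
                  overhead: Callable[[int], int] = lambda t: 0) -> Optional[int]:
    """R_m = J_m + w_m + C_m, or None when the busy period grows past D_m.
    overhead(t) is the bus time lost to errors in a window of length t (0 = no errors)."""
    C_m = transmission_time(m.s)
    B_m = max((transmission_time(k.s) for k in lp(frames, m)), default=0)
    w = B_m                                    # w_m^0
    while True:
        w_next = overhead(w + C_m) + B_m + sum(
            ceil_div(w + j.J + 1, j.T) * transmission_time(j.s) for j in hp(frames, m))
        R = m.J + w_next + C_m
        if R > m.D:
            return None
        if w_next == w:                        # fixed point reached
            return R
        w = w_next


def error_cost(frames: List[Frame], m: Frame) -> int:
    """Bus time lost to one error: 23-bit error frame plus retransmission of the longest
    frame that can be hit. m itself is included in the max (Tindell's original choice)."""
    return 23 + max(transmission_time(j.s) for j in hp(frames, m) + [m])


def response_time_model1(frames: List[Frame], m: Frame, T_error: int, n_error: int) -> Optional[int]:
    """Error model 1: at most ceil(t / T_error) + n_error - 1 errors in any window [0, t]."""
    unit = error_cost(frames, m)
    return response_time(frames, m, lambda t: (ceil_div(t, T_error) + n_error - 1) * unit)


def max_tolerated_errors(frames: List[Frame], m: Frame) -> int:
    """eta_m of error model 2: largest i with R_m(i) <= D_m when i errors hit the busy
    period of m (-1 if the deadline is already missed without errors)."""
    unit = error_cost(frames, m)
    i = 0
    while response_time(frames, m, lambda t, i=i: i * unit) is not None:
        i += 1
    return i - 1


def single_instance_analysis_valid(frames: List[Frame], m: Frame) -> bool:
    """Davis et al. (2007): the one-instance recurrence is only guaranteed when the
    priority-level-m busy period ends within T_m; otherwise later instances can be worse."""
    B_m = max((transmission_time(k.s) for k in lp(frames, m)), default=0)
    t = B_m + transmission_time(m.s)
    while True:
        t_next = B_m + sum(ceil_div(t + j.J, j.T) * transmission_time(j.s)
                           for j in hp(frames, m) + [m])
        if t_next > m.T:
            return False
        if t_next == t:
            return True
        t = t_next


# Constructed frame set for the example (not from the slides), 1 Mbit/s bus, times in us.
FRAMES = [
    Frame("steer_cmd", 0x010, 1, 1000, 0, 1000),
    Frame("wheel_spd", 0x020, 4, 2000, 0, 2000),
    Frame("diag",      0x300, 8, 5000, 100, 5000),
]

if __name__ == "__main__":
    for m in FRAMES:
        print(m.name, response_time(FRAMES, m), response_time_model1(FRAMES, m, 10_000, 2),
              max_tolerated_errors(FRAMES, m), single_instance_analysis_valid(FRAMES, m))
```

The error-free and model 1 results differ only through the overhead callback, so the same fixed-point loop serves both, and a frame whose busy period outgrows its deadline returns None instead of a misleading number. max_tolerated_errors walks i upward, which is enough because ε_m(i) grows monotonically with i.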
Impact of the communication system: TDMA-based protocol

Which reference for each control law execution?

[Figure: the control law is synchronized with the TDMA cycle of period T; the reference is produced with period p and carried by the network to the controller, which actuates the system; the delay between reference production and actuation is bounded.]
Which reference for each control law execution?

[Figure: reference production (period p) over a TDMA network (cycle T) with fail silence of the producers, spatial redundancy (two buses) and temporal redundancy (FTU = 2 producer nodes).]
Which reference for each control law execution?

[Same figure: fail-silent producers, two buses, FTU of 2 producer nodes.] With these mechanisms, the probability that the controller does not detect an erroneous reference is negligible.
Role of the controller

[Figure: an external fault corrupts one slot (KO).] Failure at the slot level.
Role of the controller

[Figure: a sequence of TDMA cycles marked OK / KO, e.g. KO KO OK KO KO KO OK OK OK OK OK KO KO KO KO KO KO OK KO KO.] A failure at the TDMA-cycle level is a fault for the controller. Fault tolerance of the controller: recovery mechanism (compensation).
Role of the controller

Failure of the controller: the controller is able to keep the system in a safe mode if and only if there are fewer than k consecutive faults (corrupted TDMA cycles). Beyond that, the system is no longer safe.

[Figure: the same OK / KO cycle sequence, with the runs of consecutive KO cycles highlighted.]
Characterization of a perturbation: how long?
• Length of the perturbation: $T_z$ (s)
• Length of the perturbation in TDMA cycles, worst case:

$$n = \left\lceil \frac{T_z}{T} \right\rceil + 2$$
Characterization of a perturbation: how?
• $p_i$: probability for the $i$-th TDMA cycle in a sequence of $n$ cycles to be fully corrupted, giving the profile $p_1, p_2, \dots, p_n$
Problem

Determine the probability of having k or more consecutive corrupted cycles when the system is under a perturbation whose duration is $T_z$ and whose effect is given by the profile $P = (p_1, p_2, \dots, p_n)$.

The system is an ordered sequence of n components; it fails if and only if k or more consecutive components fail. Let $L_n$ be the longest run of consecutive failed components. For $p_1 = p_2 = \dots = p_n = p$:

$$R(n,k;p) = \sum_{m=0}^{\lfloor (n+1)/(k+1) \rfloor} (-1)^m\, p^{mk}\, q^{m-1} \left( \binom{n-mk}{m-1} + q \binom{n-mk}{m} \right), \qquad q = 1 - p$$

$$P(L_n < k) = R(n,k;p)$$

[Burr, 1961], [Lambiris, 1985], [Hwang, 1986]; an efficient algorithm is given in (ETFA'05).
Technical solution for a variable profile P?

Recurrent relation: given a probability profile $P = (p_1, p_2, \dots, p_n)$,

$$u_m(k) = u_{m-1}(k) - \lambda_m(k)\, u_{m-k-1}(k) \quad \text{for } k+1 \le m \le n$$

$$u_m(k) = 1 \quad \text{for } 0 \le m \le k-1, \qquad u_k(k) = 1 - \lambda_k(k)$$

$$\lambda_m(k) = q_{m-k}\, p_{m-k+1}\, p_{m-k+2} \cdots p_m \quad \text{for } m \ge k, \text{ with } q_0 = 1 \text{ and } q_m = 1 - p_m$$

$u_m(k)$ is the probability that the first $m$ cycles contain no run of $k$ consecutive corrupted cycles, so

$$P_{fail}(k, T_z, P) = 1 - u_n(k), \qquad n = \left\lceil \frac{T_z}{T} \right\rceil + 2$$
Case study: a steer-by-wire system
• Controller tolerance k = maximum tolerated number of consecutive corrupted TDMA cycles
Case study: a steer-by-wire system

Perturbation profile: radio transmitter

[Plot: fault occurrence probability $p_i$ (0 to 0.7) against the TDMA cycle index $i$ (1 to 169), a bell-shaped profile rising from 0 to about 0.7 and back; example for $n = 169$.]
Case study: a steer-by-wire system

TDMA cycle T (ms) | Perturbation duration n (TDMA cycles) | Tolerance of the controller k (TDMA cycles) | System failure probability P_fail
4                 | 377                                   | 10                                          | 2.2 × 10^-8
7                 | 217                                   | 5                                           | 1.6 × 10^-3
10                | 152                                   | 4                                           | 0.8 × 10^-2
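The consecutive-k-out-of-n computation behind P_fail (the recurrence u_m(k) for a variable profile P, the closed form R(n,k;p) for constant p, and n = ⌈T_z/T⌉ + 2 from the case study), as an added example in Python, not code from the slides. The profile bell_profile is constructed for the example and only imitates the shape of the radio-transmitter plot; the 1.5 s perturbation length is the value that reproduces the n column of the table (377 cycles at T = 4 ms). The number 1500 and all other inputs are assumptions of this example.

```python
# Added example (not from the slides): probability that a perturbation of length T_z
# yields k or more consecutive corrupted TDMA cycles, via the recurrence u_m(k) for a
# per-cycle profile P = (p_1, ..., p_n) and the closed form R(n,k;p) for constant p.
from math import comb
from typing import Callable, Sequence


def ceil_div(a: int, b: int) -> int:
    return -(-a // b)


def cycles_hit(T_z_ms: int, T_ms: int) -> int:
    """n = ceil(T_z / T) + 2: worst-case number of TDMA cycles touched by the perturbation."""
    return ceil_div(T_z_ms, T_ms) + 2


def survival_recurrence(P: Sequence[float], k: int) -> float:
    """u_n(k): probability of no run of k consecutive corrupted cycles among the n cycles
    whose corruption probabilities are P = (p_1, ..., p_n)."""
    n = len(P)
    if k <= 0:
        raise ValueError("k must be positive")
    if n < k:
        return 1.0
    p = [0.0] + list(P)                  # 1-indexed p_1 .. p_n
    q = [1.0] + [1.0 - x for x in P]     # q_0 = 1 by convention
    u = [1.0] * (n + 1)                  # u_m(k) = 1 for 0 <= m <= k-1
    for m in range(k, n + 1):
        lam = q[m - k]                   # lambda_m(k) = q_{m-k} p_{m-k+1} ... p_m
        for i in range(m - k + 1, m + 1):
            lam *= p[i]
        u[m] = 1.0 - lam if m == k else u[m - 1] - lam * u[m - k - 1]
    return u[n]


def survival_closed_form(n: int, k: int, p: float) -> float:
    """R(n,k;p) for a constant p (Burr 1961; Lambiris and Papastavridis 1985)."""
    q = 1.0 - p
    total = 0.0
    for m in range((n + 1) // (k + 1) + 1):
        inner = comb(n - m * k, m) * q ** m          # q * C(n-mk, m) * q^(m-1)
        if m >= 1:
            inner += comb(n - m * k, m - 1) * q ** (m - 1)
        total += (-1) ** m * p ** (m * k) * inner
    return total


def p_fail(k: int, T_z_ms: int, T_ms: int, profile: Callable[[int, int], float]) -> float:
    """P_fail(k, T_z, P) = 1 - u_n(k) with p_i = profile(i, n)."""
    n = cycles_hit(T_z_ms, T_ms)
    return 1.0 - survival_recurrence([profile(i, n) for i in range(1, n + 1)], k)


def bell_profile(i: int, n: int) -> float:
    """Constructed stand-in for the radio-transmitter profile: p_i rises from 0 at the
    first cycle to 0.7 in the middle and back to 0 (not the formula of the slides)."""
    x = (2 * i - n - 1) / (n - 1)
    return 0.7 * (1.0 - x * x)


if __name__ == "__main__":
    for T_ms, k in ((4, 10), (7, 5), (10, 4)):      # the (T, k) pairs of the case study
        n = cycles_hit(1500, T_ms)
        print(f"T = {T_ms} ms, n = {n}, k = {k}: P_fail = {p_fail(k, 1500, T_ms, bell_profile):.2e}")
```

The recurrence costs O(n·k) multiplications and needs no binomials, which is why it is the practical form for a measured profile; the closed form is kept as a cross-check for the constant-p case. For very small failure probabilities, 1 − u_n(k) is a difference of numbers close to 1, which in double precision still leaves about eight significant digits at the 10^-8 level of the table.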
Conclusions
• The automotive industry depends on software-based embedded systems
• Emergence of X-by-Wire systems
• Technological standards: communication networks
• Safety assessments: the ISO 26262 standard; integration of several points of view (timing and dependability annotations; certification, verification); multi-competency experts
References
• K. Tindell, H. Hansson, A. J. Wellings, Analysing Real-Time Communications: Controller Area Network (CAN), IEEE Real-Time Systems Symposium 1994, pp. 259-263
• K. Tindell, A. Burns, A. J. Wellings,Analysing An Extendible Approach for Analyzing Fixed Priority Hard Real-Time Tasks, Real-Time Systems 6(2): 133-151, 1994
• K. Tindell, J. Clark, Holistic schedulability analysis for distributed hard real-time systems, Microprocessing and Microprogramming, vol. 40, pp. 117-134, 1994
• A. Burns, K. Tindell, A. J. Wellings, Effective Analysis for Engineering Real-Time Fixed Priority Schedulers, IEEE Trans. Software Eng. 21(5): 475-480, 1995
• K. Tindell, A. Burns, A. J. Wellings, Calculating controller area network (CAN) message response times, Control Engineering Practice, vol. 3, no. 8, pp. 1163-1169, 1995
• N. C. Audsley, A. Burns, R. I. Davis, K. Tindell, A. J. Wellings, Fixed Priority Pre-emptive Scheduling: An Historical Perspective, Real-Time Systems 8(2-3): 173-198, 1995
• K. Tindell, A. Burns, A. J. Wellings, Analysis of Hard Real-Time Communications, Real-Time Systems 9(2): 147-171, 1995
• S. Poledna, Fault-Tolerant Real-Time Systems: The Problem of Replica Determinism, Kluwer Academic Publishers, 1996
• H. Kopetz, Real-Time Systems: Design Principles for Distributed Embedded Applications, Kluwer Academic Publishers, 1997
• M. Krug, A. V. Schedl, New demands for in-vehicle networks, in Proceedings of the 23rd EUROMICRO Conference, Budapest, Hungary, 1997, pp. 601-605
• X-by-Wire Project, Brite-EuRam III Program, X-By-Wire - safety related fault tolerant systems in vehicles, final report, 1998
• S. Poledna, W. Ettlmayr, M. Novak, Communication bus for automotive applications, in Proceedings of the 27th European Solid-State Circuits Conference, Villach, Austria, September 2001
• N. Navet, Y.-Q. Song, Validation of real-time in-vehicle applications, Computers in Industry, vol. 46, no. 2, pp. 107-122, November 2001
• H. Pfeifer, F. W. von Henke, Formal Analysis for Dependability Properties: the Time-Triggered Architecture Example, in Proceedings of the 8th IEEE International Conference on Emerging Technologies and Factory Automation (ETFA 2001), October 2001, pp. 343-352
• G. Leen, D. Heffernan, Expanding automotive electronic systems, IEEE Computer, vol. 35, no. 1, January 2002
• P. Koopman, Critical embedded automotive networks, IEEE Micro, Special Issue on Critical Embedded Automotive Networks, vol. 22, no. 4, pp. 14-18, July-August 2002
• L.-B. Fredriksson, CAN for critical embedded automotive networks, IEEE Micro, vol. 22, no. 4, July-August 2002
• G. Lima, A. Burns, Timing-independent safety on top of CAN, in Proceedings of the 1st International Workshop on Real-Time LANs in the Internet Age, Vienna, Austria, 2002
• G. Lima, A. Burns, A consensus protocol for CAN-based systems, in Proceedings of the 24th Real-Time Systems Symposium, 2003, pp. 420-429
• G. Rodriguez-Navas, M. Barranco, J. Proenza, Harmonizing dependability and real time in CAN networks, in Proceedings of the 2nd International Workshop on Real-Time LANs in the Internet Age, Porto, Portugal, 2003
• L. M. Pinho, F. Vasques, Reliable real-time communication in CAN networks, IEEE Transactions on Computers, vol. 52, no. 12, pp. 1594-1607, 2003
• J. Rushby, A comparison of bus architectures for safety-critical embedded systems, Technical Report NASA/CR-2003-212161, NASA, March 2003
• A. Albert, Comparison of event-triggered and time-triggered concepts with regards to distributed control systems, in Proceedings of Embedded World 2004, Nürnberg, February 2004
• M. Ayoubi, T. Demmeler, H. Leffler, P. Köhn, X-by-Wire functionality, performance and infrastructure, in Proceedings of Convergence 2004, Detroit, Michigan, 2004
• P. Bühring, Safe-by-Wire Plus: Bus communication for the occupant safety system, in Proceedings of Convergence 2004, Detroit, Michigan, 2004
• R. Santos Marques, F. Simonot-Lion, N. Navet, Development of an in-vehicle communication middleware, in Object Oriented Modeling of Embedded Real-Time Systems, post-proceedings of OMER 3, Heinz-Nixdorf Institute, 2005
• N. Navet, F. Simonot-Lion, Fault Tolerant Services for Safe In-Car Embedded Systems, in The Embedded Systems Handbook, CRC Press, 2005
• C. Wilwert, N. Navet, Y.-Q. Song, F. Simonot-Lion, Design of Automotive X-by-Wire Systems, in The Industrial Communication Technology Handbook, CRC Press, 2005
• B. Gaujal, N. Navet, Maximizing the Robustness of TDMA Networks with Applications to TTP/C, Real-Time Systems, Kluwer Academic Publishers, vol. 31, no. 1-3, pp. 5-31, December 2005
• N. Navet, Y.-Q. Song, F. Simonot-Lion, C. Wilwert, Trends in Automotive Communication Systems, Proceedings of the IEEE, special issue on Industrial Communications Systems, invited paper, vol. 93, no. 6, pp. 1204-1223, 2005
• N. Navet, Y.-Q. Song, F. Simonot, Worst-Case Deadline Failure Probability in Real-Time Applications Distributed over CAN (Controller Area Network), Journal of Systems Architecture, Elsevier Science, vol. 46, no. 7, 2000
• F. Simonot-Lion, Y.-Q. Song, Design and validation process of in-vehicle embedded electronic systems, in The Embedded Systems Handbook, CRC Press - Taylor & Francis, 2005
• F. Simonot, F. Simonot-Lion, Y.-Q. Song, Dependability Evaluation of Real-Time Applications Distributed on TDMA-Based Networks, in 6th IFAC International Conference on Fieldbus Systems and their Applications (FeT'2005), 2005
• F. Simonot-Lion, F. Simonot, Y.-Q. Song, C. Wilwert, Quantitative Evaluation of the Safety of X-by-Wire Architecture subject to EMI Perturbations, in 10th IEEE International Conference on Emerging Technologies and Factory Automation (ETFA'2005), vol. 1, pp. 755-762, 2005
• R. I. Davis, A. Burns, R. J. Bril, J. J. Lukkien, Controller Area Network (CAN) schedulability analysis: Refuted, revisited and revised, Real-Time Systems 35(3): 239-272, 2007