Safety framework and platform for functions of future automotive E/E systems
Jelena Frtunikj
fortiss GmbH, An-Institut Technische Universität München, Guerickestr. 25, 80805 Munich, Germany
This paper proposes a new safety framework and platform for the functions of future electrical/electronic (E/E) systems. The framework aims to cope with the increasing complexity of E/E systems and to enhance their flexibility, while retaining their safety properties and keeping engineering costs low. A domain-specific meta-model is used to specify relevant aspects of the system, such as component interface requirements and function descriptions. The meta-model is used in a tool that generates data structures, which are then used to configure the fault-management layer of the run-time environment. The fault-management layer preserves the safety properties of the system at run-time by facilitating error-detection and fault-handling mechanisms and by supporting controlled adaptation. By reusing safety measures already developed for different systems and functions, future development costs for non-functional qualities can be saved.
Keywords: Adaptation; Automotive; Fault-tolerance; Run-time environment; Safety
1 Introduction
Today's E/E systems consist of a growing number of interconnected and interacting computer subsystems. The increase in safety-critical software-based functions in these systems (e.g., increased software-based automated self-driving operation in vehicles) and the growing networking of subsystems and functions with each other (e.g., up to 100 interacting control units, sensors and actuators in a vehicle) lead to a continuous increase of system complexity. Integrating existing and new subsystems or system functions drives engineering costs. System failures in these safety-critical systems mainly arise from the interactions among subsystems rather than from the failure of individual subsystems.

To cope with the complexity of these systems in the future, and to increase their flexibility and extensibility while retaining their safety properties and keeping engineering costs low, these systems have to be supported by a suitable development approach and extended to contain a run-time environment including configurable fault-management safety mechanisms. A model-based approach and a fault-management layer for a run-time environment targeting the automotive domain are offered as a solution to the problems mentioned.
This paper is structured as follows. In Sect. 2, a short overview of the main features of a new scalable fault-tolerant E/E architecture that aims at targeting the aforementioned problems is given. Section 3 presents the safety framework by explaining the meta-model and the fault management of the run-time environment, which is also part of the new E/E architecture. An evaluation of the presented approach and a rationale for the assumptions made is given in Sect. 4. Section 5 compares the approach against available solutions provided by industry and the scientific community. The last section provides a brief summary and outlook.
2 Foundations of the new E/E platform: RACE
The challenges mentioned before force a change of the E/E system architecture. A new architecture was developed in the Robust and Reliant Automotive Computing Environment for future eCars (RACE)¹ project [1]. In RACE, the existing system architecture is replaced by a centralized platform computer (CPC) that executes all high-level functionalities (Fig. 1). In this architecture, sensors and actuators become smart but remain responsible for the low-level control tasks. These sensors and actuators execute high-level control commands calculated by applications deployed on vehicle control computers (VCCs), the electronic control units (ECUs) of the central platform computer. The interconnection of these smart components and the VCCs is done by high-bandwidth Ethernet communication. One type of vehicle control computer is a duplex control computer (DCC). The main task of the DCC is to execute control functionality. To guarantee fail-safe behavior, a DCC has two execution channels, and both channels monitor input and output data mutually. In case of channel inconsistency, the faulty DCC backs out so as not to jeopardize the operation of a RACE system. Fail-operational behavior is guaranteed when at least a second DCC is provided that takes over the control tasks after the first one has failed. Fail-operational behavior requires a redundant power supply (Fig. 1, blue and red) and a redundant communication infrastructure for the redundant DCC controllers.
1 http://www.projekt-race.de/.
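As an added illustration of the DCC behaviour described above (example code written for this edit, not code from the paper or the RACE project), the following Python model has two execution channels cross-check their inputs and outputs, backs the DCC out on the first inconsistency (fail-safe), and lets a supervisor hand the control task to a second DCC (fail-operational). The control law, comparison tolerance, fault-injection hook, safe default command and the whole fault scenario are constructed assumptions.

```python
"""Toy model of a duplex control computer (DCC) with a redundant partner.

Constructed for illustration: the control law, tolerance, safe default and
fault scenario are assumptions, not values from the paper.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


def proportional_law(sensor_value: float) -> float:
    """Constructed control law shared by both channels (assumed)."""
    return 2.0 * sensor_value


@dataclass
class Channel:
    """One execution channel. `fault` is a hypothetical fault-injection hook
    that exists only to demonstrate detection; a real channel has no such knob."""
    name: str
    law: Callable[[float], float]
    fault: Optional[Callable[[float], float]] = None

    def compute(self, sensor_value: float) -> float:
        out = self.law(sensor_value)
        return self.fault(out) if self.fault else out


@dataclass
class DuplexControlComputer:
    name: str
    ch_a: Channel
    ch_b: Channel
    tolerance: float = 1e-6                 # assumed comparison tolerance
    backed_out: bool = False
    events: List[str] = field(default_factory=list)

    def step(self, in_a: float, in_b: float) -> Optional[float]:
        """Return the agreed command, or None once this DCC has backed out."""
        if self.backed_out:
            return None
        # Mutual input monitoring: both channels must see the same sensor data.
        if abs(in_a - in_b) > self.tolerance:
            return self._back_out(f"input mismatch a={in_a} b={in_b}")
        out_a = self.ch_a.compute(in_a)
        out_b = self.ch_b.compute(in_b)
        # Mutual output monitoring: both channels must agree on the command.
        if abs(out_a - out_b) > self.tolerance:
            return self._back_out(f"output mismatch a={out_a} b={out_b}")
        return out_a

    def _back_out(self, reason: str) -> None:
        # Fail-safe: a DCC with inconsistent channels stops driving actuators.
        self.backed_out = True
        self.events.append(f"{self.name} backed out: {reason}")
        return None


@dataclass
class Supervisor:
    """Routes each control cycle to the first DCC still able to deliver a
    command and falls back to a safe default when none is left (assumed)."""
    dccs: List[DuplexControlComputer]
    safe_command: float = 0.0               # assumed safe default, e.g. zero torque

    def step(self, sample: Tuple[float, float]) -> Tuple[float, str]:
        for dcc in self.dccs:
            cmd = dcc.step(*sample)
            if cmd is not None:
                return cmd, dcc.name
        return self.safe_command, "fail-safe"


def make_dcc(name: str) -> DuplexControlComputer:
    return DuplexControlComputer(
        name, Channel(f"{name}/A", proportional_law), Channel(f"{name}/B", proportional_law)
    )


def run_scenario() -> List[Tuple[float, str]]:
    """Constructed scenario: DCC1 loses channel agreement in the third cycle,
    DCC2 takes over, and a later input inconsistency on DCC2 leaves only the
    fail-safe default. Returns the (command, source) pair of every cycle."""
    primary, redundant = make_dcc("DCC1"), make_dcc("DCC2")
    supervisor = Supervisor([primary, redundant])
    samples = [(1.0, 1.0), (1.5, 1.5), (2.0, 2.0), (2.5, 2.5), (3.0, 3.0)]
    trace = []
    for cycle, sample in enumerate(samples):
        if cycle == 2:      # inject a computation fault into one channel of DCC1
            primary.ch_b.fault = lambda y: y + 0.25
        if cycle == 4:      # DCC2's two input paths now deliver different data
            sample = (sample[0], sample[1] + 0.1)
        trace.append(supervisor.step(sample))
    return trace


if __name__ == "__main__":
    for command, source in run_scenario():
        print(f"{source:10s} -> {command}")
```

Running the scenario shows the two regimes the paper distinguishes: the first back-out is absorbed by the redundant DCC without any loss of the control function, while the second leaves the system with the safe default only, which is what a single-DCC configuration would have reached at the first fault.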
The software architecture of the centralized platform computer containing the run-time environment is designed with different components, including those of the fault-management layer (Fig. 2: monitoring, detection and handling components). A data-centric approach, used by the run-time environment, enables the decoupling of applications from the infrastructure components, i.e., the DCCs.
Di (...truncated)