Safety framework and platform for functions of future automotive E/E systems

Automotive and Engine Technology, Jul 2016

This paper proposes a new safety framework and platform for the functions of future electrical/electronic (E/E) systems. The framework aims to cope with the increasing complexity of the E/E systems, and to enhance their flexibility, but retain the safety properties and keep low engineering costs. A domain-specific meta-model is used to specify relevant aspects of the system such as component interface requirements and function descriptions. The meta-model is used in a tool that generates data structures, which are then used to configure the fault-management layer of the run-time environment. The fault-management layer preserves the safety properties of the system at run-time, by facilitating error detection and fault-handling mechanisms, and supporting controlled adaptation. By reusing already developed safety measures for different systems and functions, future development costs for non-functional qualities can be saved.



Jelena Frtunikj, fortiss GmbH, An-Institut Technische Universität München, Guerickestr. 25, 80805 Munich, Germany

Keywords: Adaptation; Automotive; Fault-tolerance; Run-time environment; Safety

1 Introduction

Today's E/E systems consist of a growing number of interconnected and interacting computer subsystems. The increase in safety-critical software-based functions in these systems (e.g., increased software-based automated self-driving operation in vehicles) and the growing networking of subsystems and functions with each other (e.g., up to 100 interacting control units, sensors and actuators in a vehicle) lead to a continuous increase of system complexity. Integrating existing and new subsystems or system functions drives engineering costs. System failures in these safety-critical systems mainly arise in the interactions among subsystems rather than from the failure of individual subsystems.

To cope with the complexity of these systems in the future, and to increase their flexibility and extensibility while retaining the safety properties and keeping engineering costs low, these systems have to be supported with a suitable development approach and extended to contain a run-time environment including configurable fault-management safety mechanisms. A model-based approach and a fault-management layer for a run-time environment, targeting the automotive domain, is offered as a solution to the mentioned problems.

This paper is structured as follows. In Sect. 2, a short overview of the main features of a new scalable fault-tolerant E/E architecture that aims at targeting the aforementioned problems is given. Section 3 presents the safety framework by explaining the meta-model and the fault-management of the run-time environment that is also part of the new E/E architecture. An evaluation of the presented approach and a rationale for the assumptions made is given in Sect. 4. Section 5 compares the approach against available solutions provided by industry and the scientific community. The last section provides a brief summary and outlook.

2 Foundations of the new E/E platform: RACE

The challenges mentioned before force a change of the E/E system architecture. A new architecture was developed in the Robust and Reliant Automotive Computing Environment for future eCars (RACE, http://www.projekt-race.de/) project [1]. In RACE, the existing system architecture is replaced by a centralized platform computer (CPC) that executes all high-level functionalities (Fig. 1). In this architecture, sensors and actuators become smart but remain responsible for the low-level control tasks. These sensors and actuators execute high-level control commands calculated by applications deployed on vehicle control computers (VCCs), the electronic control units (ECUs) of the central platform computer. The interconnection of these smart components and the VCCs is done by high-bandwidth Ethernet communication.

One type of vehicle control computer is a duplex control computer (DCC). The main task of the DCC is to execute control functionality. To guarantee fail-safe behavior, a DCC has two execution channels, and both channels mutually monitor input and output data. In case of channel inconsistency, the faulty DCC backs out so as not to jeopardize the operation of a RACE system. Fail-operational behavior is guaranteed when at least a second DCC is provided that takes over the control tasks after the first one has failed. Fail-operational behavior requires a redundant power supply (Fig. 1, blue and red) and a redundant communication infrastructure for the redundant DCC controllers.

The software architecture of the centralized platform computer containing the run-time environment is designed with different components, including those of the fault-management layer (Fig. 2: monitoring, detection and handling components). A data-centric approach, used by the run-time environment, enables the decoupling of applications from the infrastructure components, i.e., the DCCs. Di (...truncated)
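The fail-safe and fail-operational behavior of the DCCs described above, as an added illustration that is not code from the paper or the RACE project: each DCC runs two channels that compare their results, a mismatch makes that DCC back out, and a standby DCC takes over in the same control step. The control law, the injected channel fault and the tolerance are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

ControlFn = Callable[[float], float]

@dataclass
class DuplexControlComputer:
    """One DCC: two execution channels whose outputs are compared every step (fail-safe)."""
    name: str
    channel_a: ControlFn
    channel_b: ControlFn
    tolerance: float = 1e-6      # constructed comparison threshold
    backed_out: bool = False

    def step(self, sensor_input: float) -> Optional[float]:
        if self.backed_out:
            return None
        out_a = self.channel_a(sensor_input)
        out_b = self.channel_b(sensor_input)
        if abs(out_a - out_b) > self.tolerance:
            # Channel inconsistency: back out so no possibly faulty command reaches actuators.
            self.backed_out = True
            return None
        return out_a

@dataclass
class RedundantPlatform:
    """Fail-operational: an active DCC plus standby DCCs that take over on back-out."""
    dccs: List[DuplexControlComputer]
    active_index: int = 0
    log: List[str] = field(default_factory=list)

    def step(self, sensor_input: float) -> Tuple[Optional[float], Optional[str]]:
        while self.active_index < len(self.dccs):
            dcc = self.dccs[self.active_index]
            cmd = dcc.step(sensor_input)
            if cmd is not None:
                return cmd, dcc.name
            self.log.append(f"{dcc.name} backed out")
            self.active_index += 1      # hand over to the next (standby) DCC
        return None, None               # every DCC failed: fail-safe, no command issued

def control_law(x: float) -> float:
    return 0.5 * x                      # constructed proportional high-level command

def faulty_channel(x: float) -> float:
    return 0.5 * x + (7.0 if x > 4 else 0.0)   # constructed fault in one channel of DCC-1

def run_scenario(inputs, with_standby: bool = True):
    dccs = [DuplexControlComputer("DCC-1", control_law, faulty_channel)]
    if with_standby:
        dccs.append(DuplexControlComputer("DCC-2", control_law, control_law))
    platform = RedundantPlatform(dccs=dccs)
    return [platform.step(x) for x in inputs], platform.log
```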


This is a preview of a remote PDF: https://link.springer.com/content/pdf/10.1007%2Fs41104-016-0007-z.pdf

Jelena Frtunikj. Safety framework and platform for functions of future automotive E/E systems, Automotive and Engine Technology, 2016, pp. 93-105, Volume 1, Issue 1-4, DOI: 10.1007/s41104-016-0007-z