Fault Tolerance in Automotive Systems - PowerPoint



  Adithya H. Krishnamurthy and Ramkumar Ravikumar

   Historical Perspective
   Need for fault tolerance in Automotives
   Fault tolerant X-by-wire-systems
   Fault tolerance in Automotive software
   Sensors and actuators
   Automotive Communication Systems
   Conclusion
About 100 years back!

   Amount of electronic components = ?
   Fuel efficiency = ?
   ECUs = ?
   Software = ?
   Navigation system = ?
   Airbags = ?
   X-by-wire = ?
And now !!

   Amount of electronic components = comparable to a PC
   Fuel efficiency = Hybrids
   ECUs = ~100-200
   Software = ~100 MB
   Navigation system = Yes !
   Airbags = Mandatory
   X-by-wire = Common
Need for Fault tolerance in Automotive Industry

   Advancements in the field of automotive electronics have
    helped in realizing the potential of sophisticated vehicular
    control systems.
   Can be considered as a safety-critical field
   Failure in a component may lead to catastrophic effects.
   If not dangerous, certain failures might degrade vehicle
   Solution : Bring in Fault tolerant design practices !

   Motivation:
     Replace mechanical and hydraulic components with an
      electronic solution.

       Steering, Braking and Acceleration.

       Electronic solutions offer distinct advantages.
Types of X-by-Wire Systems

   X-by-Wire – A generic name.

       Fly-by-Wire: Initially adopted by the Aviation Industry.

       Drive-by-Wire: Followed by the Automobile Industry.
         Brake-by-Wire.
         Steer-by-Wire.
         Throttle-by-Wire.
X-by-Wire: With Back-Up

   Initially with mechanical backup
      First generation of SbW

      BbW systems – EHB and EMB.

      Complex mechanical backups are cost prohibitive.

   Upon failure, switch to mechanical backup.

   Redundancy.

   X-by-Wire backup for X-by-Wire?
X-by-Wire: Without Back-Up

   Systems without back up should guarantee high reliability and
    fault tolerance at all times.
     Fail Operational until a safe state.

   Safety Integrity Level 4.
     Should tolerate a single failure.
     Probability of encountering a safety critical failure should not
      exceed 10^(-9) per hour.

   “Your car has performed an illegal operation and must
    immediately shut down”.
14 V to 42 V?

   Integration of more electrical components
      Demand for higher peak power
14 V to 42 V? (Contd..)

   Several problems associated with migration:
     Contact switches vaporize.

     Manufacturers of electronic components should migrate to the
      new standard.
     Dual voltage in operation.

   Toyota uses a 42 Volt bus.

   Renault provided dual voltage
Conventional Steering System (CSS)
Steer-by-Wire System

Two critical functions:

- Steering according to the drivers' request
- Force feedback to the steering

[Figure: steer-by-wire block diagram; labels: Drivers' Request, Control law]
Steer-by-Wire System
SbW – Operational Architecture
Fault Classification

   Byzantine Faults

   Coherent Faults

   Fail-Silent Nodes

   Flexible Failure Model (b,c,s)
Redundancy Based on Fault Classification

   HW & FAA ECUs – 2 each, work in parallel.

   HW & RPS sensors – 3 each, chosen using TMR

   HW & FAA Motors – 2 each, Active redundancy (Hot Standby)

   TDMA Buses – 2
Fault Tolerance Strategy

   Failure Recovery
     Redundant ECUs will work upon failure of primary ECU.

     Failure detection must be quick and reliable.

   Failure Compensation
     ECUs work in parallel.

     Suitable for real time constraints.
Common Mode Failures

   A fault may affect all redundant units under identical
     Design fault in redundant copies.

     EMI, Temperature.

   Avoid common mode failures:
     Hardware manufactured by different suppliers.

     Software realized by different teams.

     Redundant TDMA channels to be placed far apart.

• TTP - Time Triggered Protocol.

• Belongs to Class C of SAE Protocols – Safety Critical.

• Based on TDMA – Bus access is granted to nodes at specific
  time slots.

  Bus:  | A | B | C | A | B | C | A | ...
        |<- one TDMA round ->|
TTP/C Network
TTP/C Node

   Host – Runs apps.
   CNI – Contains Message
    Descriptor List.
   TTP/C Controller – Interfaces
    node with network.
   Bus Guardian – Portal to Bus.
    Enables bus driver only during
    transmission slot.
TDMA Protocol / Scheduling

• Slot: Time interval for the node to send data.
• Round (cycle): A sequence of slots allowing each node to send
  only once.

  Node A    Node B    Node C    Node D
    a         b         c         d

  Bus:  | a | b | c | d | a | b | c | d | ...   -> t
         slot
        |<---- round ---->|<---- round ---->|
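The slot/round arithmetic above, together with the bus guardian from the TTP/C node slide (driver enabled only during the node's own transmission slot), as an added C example that is not part of the original slides. The schedule (4 nodes, one slot per node, 250 µs slots, slot i owned by node i) and the transmit attempts are constructed for the example, not TTP/C figures.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed schedule for the example: 4 nodes, one slot per node per round,
 * slot i owned by node i. The slot length is an assumption, not a TTP/C value. */
#define NUM_NODES 4u
#define SLOT_US   250u
#define ROUND_US  (NUM_NODES * SLOT_US)

typedef struct { uint32_t round; uint32_t slot; } tdma_pos_t;

/* Map a global time (microseconds since cluster start) to (round, slot). */
tdma_pos_t tdma_position(uint32_t t_us) {
    tdma_pos_t p;
    p.round = t_us / ROUND_US;
    p.slot  = (t_us % ROUND_US) / SLOT_US;
    return p;
}

/* Start time of the next slot owned by `node`, at or after t_us. */
uint32_t next_slot_start(uint8_t node, uint32_t t_us) {
    uint32_t start = (t_us / ROUND_US) * ROUND_US + node * SLOT_US;
    return (start >= t_us) ? start : start + ROUND_US;
}

/* Bus guardian: the transmitter is enabled only while the owning node's slot
 * is open. Software that tries to send at any other time is cut off at the
 * hardware, so one node that "babbles" cannot take the bus from the others. */
bool bus_guardian_enable(uint8_t node, uint32_t t_us) {
    return node < NUM_NODES && tdma_position(t_us).slot == node;
}

typedef struct { uint8_t node; uint32_t t_us; } tx_attempt_t;

/* Run a list of transmit attempts through the guardian; return how many were blocked. */
int count_blocked(const tx_attempt_t *att, int n) {
    int blocked = 0;
    for (int i = 0; i < n; i++)
        if (!bus_guardian_enable(att[i].node, att[i].t_us)) blocked++;
    return blocked;
}

/* Constructed scenario: node 1 is faulty and tries to send in every slot of
 * round 0; nodes 2 and 3 send only in their own slots. Returns blocked count. */
int demo_babbling_node(void) {
    const tx_attempt_t att[] = {
        {1,    0}, {1, 250}, {1, 500}, {1, 750},   /* node 1, every slot of round 0 */
        {2,  600},                                 /* node 2, its own slot in round 0 */
        {3, 1750},                                 /* node 3, its own slot in round 1 */
    };
    return count_blocked(att, (int)(sizeof att / sizeof att[0]));
}

int main(void) {
    printf("blocked attempts: %d\n", demo_babbling_node());  /* 3 of node 1's 4 attempts */
    printf("node 2, next slot after t=100us: %u us\n", (unsigned)next_slot_start(2, 100));
    return 0;
}
```

Only the three out-of-slot attempts by node 1 are blocked; its in-slot frame and the two well-behaved nodes go through, which is the property the guardian exists for.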
Node Membership Vector

   A status register containing a single bit per node.
     1 – Node functions properly.

     0 – Node malfunctioning.

   Vector is updated by analyzing the CRC fields in the received

   Informs of node failures to all the other nodes.

   Identifies faulty components and isolates them from the system.
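A membership vector update of the kind described above, as an added C example that is not part of the original slides: one bit per node, set when the node's frame arrived in its slot with a matching CRC and cleared when the slot was silent or the CRC failed. The CRC-8 polynomial (0x07), the frame layout and the round's frames are all constructed for the example; the CRC TTP/C actually uses is not this one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_NODES   4
#define PAYLOAD_LEN 4

/* One bit per node: 1 = node was heard with a valid frame in its last slot. */
typedef uint8_t membership_t;

/* CRC-8, polynomial 0x07, no reflection. Chosen for the example only. */
uint8_t crc8(const uint8_t *data, size_t len) {
    uint8_t crc = 0x00;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x80) ? (uint8_t)((crc << 1) ^ 0x07) : (uint8_t)(crc << 1);
    }
    return crc;
}

typedef struct {
    uint8_t sender;                 /* node that owns the slot this frame was read from */
    bool    received;               /* false: nothing arrived in the slot (silent node) */
    uint8_t payload[PAYLOAD_LEN];
    uint8_t crc;                    /* CRC field as transmitted with the frame */
} frame_t;

/* Build a well-formed frame: payload plus the CRC the sender appends. */
frame_t make_frame(uint8_t sender, const uint8_t payload[PAYLOAD_LEN]) {
    frame_t f;
    f.sender = sender;
    f.received = true;
    memcpy(f.payload, payload, PAYLOAD_LEN);
    f.crc = crc8(f.payload, PAYLOAD_LEN);
    return f;
}

/* Recompute the CRC over what was received and compare with the CRC field. */
bool frame_valid(const frame_t *f) {
    return f->received && crc8(f->payload, PAYLOAD_LEN) == f->crc;
}

/* One round: every slot either confirms its owner (bit set) or not (bit cleared). */
membership_t update_membership(membership_t mv, const frame_t *slots, int n) {
    for (int i = 0; i < n; i++) {
        uint8_t bit = (uint8_t)(1u << slots[i].sender);
        if (frame_valid(&slots[i])) mv |= bit;
        else                        mv &= (uint8_t)~bit;
    }
    return mv;
}

bool node_is_member(membership_t mv, uint8_t node) { return (mv >> node) & 1u; }

int member_count(membership_t mv) {
    int n = 0;
    for (; mv; mv >>= 1) n += mv & 1u;
    return n;
}

/* Constructed round: nodes 0 and 2 send good frames, node 1's frame suffers a
 * bit flip on the bus after its CRC was computed, node 3 stays silent.
 * Starting from all four nodes healthy (0x0F), returns the updated vector. */
membership_t demo_round(void) {
    const uint8_t p0[PAYLOAD_LEN] = {0x11, 0x22, 0x33, 0x44};
    const uint8_t p1[PAYLOAD_LEN] = {0xA0, 0xB1, 0xC2, 0xD3};
    const uint8_t p2[PAYLOAD_LEN] = {0x00, 0x00, 0x00, 0x01};
    frame_t slots[NUM_NODES];
    slots[0] = make_frame(0, p0);
    slots[1] = make_frame(1, p1);
    slots[1].payload[2] ^= 0x08;                       /* single bit corrupted in transit */
    slots[2] = make_frame(2, p2);
    memset(&slots[3], 0, sizeof slots[3]);
    slots[3].sender = 3;                               /* received stays false: silent node */
    return update_membership(0x0F, slots, NUM_NODES);
}

int main(void) {
    membership_t mv = demo_round();
    printf("membership vector: 0x%02X (%d of %d nodes healthy)\n", mv, member_count(mv), NUM_NODES);
    for (uint8_t n = 0; n < NUM_NODES; n++)
        printf("node %u: %s\n", n, node_is_member(mv, n) ? "ok" : "faulty, isolated");
    return 0;
}
```

The round leaves 0x05: nodes 0 and 2 remain members, node 1 (corrupted frame) and node 3 (silent) are cleared, and every node that sees the same frames computes the same vector, which is what lets the membership be shared consistently across the cluster.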

   Replace mechanical and hydraulic components by an electronic

   Provide system level fault tolerance through redundancy.

   Time triggered protocol – To communicate between nodes.
Fault tolerance in Automotive Software
Why Fault Tolerance in Automotive Software ?

   Software amounts to about 100 MB of binary code in most
    modern vehicles.

   Total value of software in cars has risen from 4% to 13% by
    2010. (Mostly due to Entertainment systems).

   Software targeted at safety-critical applications such as
    Pedestrian Detection System [Volvo s60]

   Absence of fault tolerance techniques might lead to
    catastrophic effects
Automotive Software Classification

   Multimedia, telematics, and HMI software
   Body/Comfort software
   Software for safety electronics
   Powertrain and chassis control software
   Infrastructure software

   Fault tolerance mechanisms should handle detected faults
    locally without propagation to other SW-components.
Current Approaches

   Fault Tolerant architecture based on 'Computational Reflection'.
Current Approaches (Contd..)

   Providing Fault tolerance in the middleware

   Watchdog based monitoring and other techniques
Fault tolerant Sensors

   Sensor systems with static redundancy realized with a triplex
    system and a voter.
   A configuration with dynamic redundancy needs at least two
    sensors and fault detection for each sensor.
Fault tolerant sensors (Contd..)

   The steering angle sensor is fault tolerant since it can tolerate
    the loss of one or two sensor elements
   Can diagnose failed sensor elements
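A triplex steering-angle sensor with per-element fault detection and a voter, covering both the static-redundancy (triplex plus voter) and dynamic-redundancy (two sensors plus detection per sensor) configurations from the previous slide, as an added C example that is not the slides' own code. The plausibility range, the agreement tolerance, the NO_READING sentinel for a dead element and the sample readings are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed for the example: angles in degrees; a dead element is reported by
 * the acquisition layer as NO_READING, which fails the plausibility check. */
#define NO_READING   (-9999.0f)
#define ANGLE_LIMIT  720.0f      /* plausibility range: +/- two turns */
#define AGREE_TOL    0.5f        /* two elements "agree" within this */

typedef enum { SENSOR_OK, SENSOR_DEGRADED, SENSOR_FAILED } sensor_status_t;

typedef struct {
    float           angle;         /* voted value; meaningless if status == SENSOR_FAILED */
    sensor_status_t status;
    uint8_t         healthy_mask;  /* bit i set: element i is still trusted */
} angle_result_t;

static float absdiff(float a, float b) { float d = a - b; return d < 0 ? -d : d; }
static bool  agree(float a, float b)   { return absdiff(a, b) <= AGREE_TOL; }
static bool  plausible(float v)        { return v == v && v >= -ANGLE_LIMIT && v <= ANGLE_LIMIT; }
static int   popcount3(uint8_t m)      { return (m & 1) + ((m >> 1) & 1) + ((m >> 2) & 1); }

static float median3(float a, float b, float c) {
    if (a > b) { float t = a; a = b; b = t; }
    if (b > c) { float t = b; b = c; c = t; }
    if (a > b) { float t = a; a = b; b = t; }
    return b;
}

/* Stage 1: per-element fault detection (plausibility). Stage 2: majority vote
 * over the surviving elements. Losing one element leaves a duplex pair that can
 * still detect (but not attribute) a disagreement; losing two leaves a single
 * element that is used but reported as degraded. */
angle_result_t vote_steering_angle(const float s[3]) {
    angle_result_t r = { 0.0f, SENSOR_FAILED, 0 };
    uint8_t ok = 0;
    for (int i = 0; i < 3; i++)
        if (plausible(s[i])) ok |= (uint8_t)(1u << i);

    if (popcount3(ok) == 3) {
        bool a01 = agree(s[0], s[1]), a02 = agree(s[0], s[2]), a12 = agree(s[1], s[2]);
        if (!a01 && !a02 && !a12) return r;               /* no majority: fail safe */
        if (!a01 && !a02)      ok &= (uint8_t)~1u;        /* element 0 is the odd one out */
        else if (!a01 && !a12) ok &= (uint8_t)~2u;        /* element 1 */
        else if (!a02 && !a12) ok &= (uint8_t)~4u;        /* element 2 */
    }

    int idx[3], n = 0;
    for (int i = 0; i < 3; i++) if (ok & (1u << i)) idx[n++] = i;

    switch (n) {
    case 3:
        r.angle = median3(s[0], s[1], s[2]); r.status = SENSOR_OK; break;
    case 2:
        if (!agree(s[idx[0]], s[idx[1]])) return r;       /* duplex disagreement: cannot isolate */
        r.angle = 0.5f * (s[idx[0]] + s[idx[1]]); r.status = SENSOR_OK; break;
    case 1:
        r.angle = s[idx[0]]; r.status = SENSOR_DEGRADED; break;
    default:
        return r;
    }
    r.healthy_mask = ok;
    return r;
}

int main(void) {
    const float cases[][3] = {
        { 10.0f, 10.1f,  9.9f },          /* all three agree */
        { 10.0f, 10.2f, 55.0f },          /* element 2 drifted: outvoted and flagged */
        { NO_READING, 10.0f, 10.3f },     /* element 0 lost: duplex still OK */
        { NO_READING, 10.0f, 900.0f },    /* two elements lost: degraded */
        { 10.0f, 20.0f, 30.0f },          /* no majority: fail safe */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        angle_result_t r = vote_steering_angle(cases[i]);
        printf("case %zu: status=%d angle=%.2f healthy_mask=0x%X\n",
               i, (int)r.status, (double)r.angle, r.healthy_mask);
    }
    return 0;
}
```

The healthy_mask is the diagnosis output: it names the element that was outvoted, so a service function can report which element to replace rather than the whole sensor.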
Fault tolerant Actuators

   Fault-tolerant actuators can be designed by using multiple
    complete actuators in parallel, with either static redundancy or
    dynamic redundancy with cold or hot standby.
   Another possibility is to limit the redundancy to parts of the
    actuator that have the lowest reliability.
Fault tolerant Actuators (Contd..)

   When both sensor and actuator failures occur at the same time,
    their mutual effects on residuals make fault isolation difficult.
   Use a hexadecimal decision table to relate all possible failure
    patterns to the residual code.
   Detection and isolation of multiple sensor and actuator failures
    in automotive engines is achieved.
Fault tolerant Communication Systems

   Communication between several components in the vehicle
Fault tolerant Communication Systems (Contd..)

   Event-triggered vs. Time-triggered protocols.
       Event-triggered means messages transmitted to signal occurrence of
        a key event (door is closed)
       In Time-triggered systems, frames are transmitted in predetermined
        intervals of time
   Combination of Time-triggered and Event-triggered mechanisms in
    TTCAN, FTT-CAN and FlexRay
Controller Area Network (CAN)

   Most widely used in-vehicle network
   Provides several mechanisms for error detection
       Check for CRC transmitted and CRC received
       Station detecting an error transmits an error message on the bus
   Provides Fault-confinement mechanisms
       Identify permanent failures due to hardware dysfunctioning.
       Error counters are increased / decreased according to events.
   CAN is not well suited for X-by-wire applications
   Selective Fault tolerance on CAN
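The CAN fault-confinement mechanism from the slide above (error counters moved up and down by bus events, and the node taking itself off the bus when its transmit counter runs away), as an added C example that is not the slides' own code. The thresholds and counter steps are the ones ISO 11898-1 defines (error passive above 127, bus off above 255 on the transmit counter, +8 per transmit error, -1 per successful frame), in simplified form: the standard's additional receive-error cases are omitted here, and the failing-transmitter scenario is constructed.

```c
#include <stdint.h>
#include <stdio.h>

typedef enum { ERROR_ACTIVE, ERROR_PASSIVE, BUS_OFF } can_state_t;
typedef enum { EV_TX_OK, EV_RX_OK, EV_TX_ERROR, EV_RX_ERROR } can_event_t;

typedef struct {
    uint16_t    tec;    /* transmit error counter */
    uint16_t    rec;    /* receive error counter */
    can_state_t state;
} can_node_t;

void can_node_init(can_node_t *n) { n->tec = 0; n->rec = 0; n->state = ERROR_ACTIVE; }

/* Error active: may send active (dominant) error flags.
 * Error passive: may only send passive error flags, so it can no longer
 *   corrupt other nodes' frames while it is the one in trouble.
 * Bus off: the node has disconnected itself from the bus. */
static void can_update_state(can_node_t *n) {
    if (n->tec > 255)                      n->state = BUS_OFF;
    else if (n->tec > 127 || n->rec > 127) n->state = ERROR_PASSIVE;
    else                                   n->state = ERROR_ACTIVE;
}

/* Apply one bus event. Simplified: the standard also adds 8 to REC for some
 * receive errors and has stuff-error exceptions; those cases are left out. */
can_state_t can_node_event(can_node_t *n, can_event_t ev) {
    if (n->state == BUS_OFF) return BUS_OFF;        /* ignores the bus until recovery */
    switch (ev) {
    case EV_TX_ERROR: n->tec += 8; break;
    case EV_RX_ERROR: n->rec += 1; break;
    case EV_TX_OK:    if (n->tec > 0) n->tec--; break;
    case EV_RX_OK:    if (n->rec > 127) n->rec = 127; else if (n->rec > 0) n->rec--; break;
    }
    can_update_state(n);
    return n->state;
}

/* Bus-off recovery: the controller rejoins as error active with both counters
 * reset, after it has observed 128 occurrences of 11 consecutive recessive bits. */
void can_node_bus_off_recover(can_node_t *n) { can_node_init(n); }

/* Feed `count` identical events; return the resulting state. */
can_state_t can_run(can_node_t *n, can_event_t ev, int count) {
    for (int i = 0; i < count; i++) can_node_event(n, ev);
    return n->state;
}

/* State of a fresh node after the given event counts, applied in this order. */
can_state_t state_after(int tx_errors, int tx_ok, int rx_errors, int rx_ok) {
    can_node_t n; can_node_init(&n);
    can_run(&n, EV_TX_ERROR, tx_errors);
    can_run(&n, EV_TX_OK, tx_ok);
    can_run(&n, EV_RX_ERROR, rx_errors);
    can_run(&n, EV_RX_OK, rx_ok);
    return n.state;
}

/* Constructed scenario: a transmitter whose driver stage has failed, so every
 * frame it sends ends in an error. Returns how many errors it takes to go bus off. */
int demo_errors_until_bus_off(void) {
    can_node_t n; can_node_init(&n);
    int errors = 0;
    while (can_node_event(&n, EV_TX_ERROR) != BUS_OFF) errors++;
    return errors + 1;
}

/* After recovery the node is back to error active and counts from zero again. */
can_state_t demo_recovery(void) {
    can_node_t n; can_node_init(&n);
    can_run(&n, EV_TX_ERROR, 32);                   /* drive it off the bus */
    can_node_bus_off_recover(&n);
    return can_run(&n, EV_TX_OK, 1);
}

int main(void) {
    can_node_t n; can_node_init(&n);
    for (int i = 1; i <= 20; i++) {
        can_state_t s = can_node_event(&n, EV_TX_ERROR);
        printf("tx error %2d: TEC=%3u state=%d\n", i, (unsigned)n.tec, (int)s);
    }
    printf("errors until bus off: %d\n", demo_errors_until_bus_off());   /* 32 */
    return 0;
}
```

Because a transmit error costs 8 and a success repays only 1, a node that is persistently the one at fault is pushed out of the bus in 32 consecutive failures, while a node that merely sees occasional errors drifts back to error active; that asymmetry is what confines a permanent hardware fault to the node that has it.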
Time Triggered Controller Area Network (TTCAN)

    TTCAN requires that the controllers have the possibility to
     disable automatic retransmission of frames upon transmission
    The key idea is to propose a flexible time-triggered/event-
     triggered protocol.
    TTCAN supports the coexistence of event- and time-triggered
     traffic.
    However, it does not provide the same level of fault tolerance
     as TTP and FlexRay.

   FlexRay allows both time-triggered and event-triggered
   The FlexRay network is very flexible with regard to topology
    and transmission support redundancy.
   FlexRay provides fault tolerance by distributed time-triggered
    synchronization (clock synchronization).
   FlexRay is expected to be the de-facto communication
    standard for high-speed automotive control applications.
Overview of Protocols

USAGE              CAN    TTCAN   FlexRay
Chassis            YES    YES     NO
Airbags            YES    NO      NO
Powertrain         YES    YES     SOME
X-by-wire          SOME   YES     YES
Multimedia         NO     NO      NO
Telematics         NO     NO      NO
Diagnostics        YES    SOME    SOME

REQUIREMENTS       CAN    TTCAN   FlexRay
Fault tolerance    SOME   SOME    YES
Determinism        YES    YES     YES
Bandwidth          SOME   SOME    YES
Flexibility        YES    YES     YES
Security           NO     NO      NO

PROPERTY           CAN    TTCAN   FlexRay
Max bit rate (Mbit/s)  1   1      10
Cost               L      L       M
Recent Work

   A simulation study for fault-tolerant sensor networks for cars'
    on-board control.
   All sensors (sources of traffic), actuators (sinks of traffic) and
    the controller (PC) are connected over the Ethernet to form a
    Networked Control System (NCS).
   The number of sensors is 3 times more than the number of
   This increase in the number of sensors is made to test the
    possibility to build triple-modular redundancy (TMR) on the
    sensors' level for fault-tolerance
Recent Work (contd..)

   A methodology of interconnecting the automotive bus networks
    in a fault tolerant way is discussed.
   When combining these bus systems, FlexRay is considered to
    be the de-facto communication protocol since it can provide
    time-triggered and event-triggered message transmissions.
   The integrated system supports fault tolerance using redundant
   Bus systems are combined with extra redundant units to send
    multiple messages to clients.

   Several fault tolerant design techniques followed in automotive
    industry have been discussed

   Key challenges include
       Operating conditions for X-by-wire systems
       Handling huge volume of datasets in automotive software
       Security challenges
       Fault tolerance in Bluetooth, ZigBee and MOST

   Ample scope for research for engineers from varied

Fault tolerance in Automotive Systems
