Safety Evaluation of Controlled Systems Distributed on TTA Architecture

Jumel Fabrice, Godary Karen and Augé-Blum Isabelle
CITI, INSA de Lyon, Bât L. De Vinci, 21 av Jean Capelle, 69621 Villeurbanne, France
fabrice.jumel,karen.godary,isabelle.auge-blum@insa-lyon.fr

Abstract : This paper presents a method to quantify the safety of a critical function in the automotive domain. With the arrival of “X-by-wire”, these functions will be made of mechatronic systems (composed of sensors, actuators and computing units) distributed over a communication network. Our study shows the feasibility of linking the network's behavior (in the presence of faults such as the loss of samples) to the implemented function, and allows us to evaluate the probability of incorrect vehicle behavior. We illustrate our method with a brake function implemented over the Time-Triggered Architecture (TTA) and quantify, for a given initial speed of the car, the probability of stopping it within a given duration.

Keywords : fault tolerance, safety modeling, vehicle control system, real-time distributed architecture

I. INTRODUCTION

Electronics play an increasingly important role in the automotive domain. In the future, all the critical functions of the car will be entirely electronic (for instance the brake, steering and suspension functions). To permit this evolution, the solution being developed, the “X-by-wire” architecture, is based on a communication network such as the Time-Triggered Architecture (TTA (TTech 2002)) studied here. The inevitable presence of faults on the communication medium (for instance, due to magnetic perturbations) can corrupt the data exchange. An important problem is to prove the safety of these critical functions mapped onto such architectures, i.e. to show that replacing the mechanical parts that transmit information with distributed solutions does not lead to a significant risk of service degradation.
To prove this, we need a formalism to model the critical function and to determine how errors in the data used by the control application can appear for a given architecture. An important characteristic of these faults is that they are non-permanent. Therefore, they cannot be modeled with usual representations such as AMDEC (FMEA) or HAZOP (McDermid et al 1995). In order to take this type of transitory fault into account, different types of models have been proposed ((Sha et al 1996) and (Gäfvert et al 2003)). Some important studies give a basic way to represent their appearance and their possible propagation in a complex architecture (for example a distributed one (Cristaldi et al 2002)). In previous studies (Jumel et al 2003 a and b), we proposed to integrate this type of fault model with a model of the critical function. A hybrid representation was proposed, which takes into account the specificities of both the controlled system and the electronic architecture. Combined with the useful formalism of Markov chains, it allows the computation of some important safety properties of the controlled system.

In this paper we apply this methodology to the case of an automotive application distributed over a communication network. Therefore, we have to take into account the specificities of the communication protocols, particularly in terms of fault-tolerance mechanisms. The first section presents the context of the study, the second briefly presents a model of the behavior of TTA in the presence of faults, and the last section presents an effective way to compute some safety properties for a vehicle's critical function.

II. CONTEXT OF THE STUDY

The critical functions are typically mechatronic systems composed of sensors, actuators and the control law (an algorithm implemented on a computing unit). The entire system also includes the physical behavior of the car, whose characteristics (mass, speed, …) are involved in the response of the function.
The quality of this type of function is generally defined in terms of the physical behavior of the car: for example, “the distance before stopping” for a brake function and “the ability to follow a trajectory” for the steering or suspension functions. A general solution to model this type of system is to split it into two parts. The first one models all the continuous aspects of the system (in particular the physical dynamics: hydraulic, mechanical and electrical aspects). The second one models the discrete part of the system, more precisely the algorithms which control the system.
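To make the continuous/discrete split and the Markov-chain computation concrete, the following is an added toy model of a brake function (example code written for this page, not the paper's own model or TTA behavior). It assumes a constant deceleration while braking, one command sample per network cycle lost independently with probability p_loss, and an actuator that applies no brake force during a cycle whose sample is lost; all numeric values are constructed.

```python
"""Toy hybrid model of a brake-by-wire function (constructed example).

Continuous part: the car decelerates at a constant rate `decel` while braking.
Discrete part:   the controller sends one brake command per network cycle of
                 length `period`; each sample is lost with probability `p_loss`
                 (assumption) and a lost sample means no braking that cycle
                 (assumption, not TTA's actual fault-tolerance behavior).
"""
import math


def stop_probability(v0, decel, period, p_loss, t_max):
    """Probability that a car starting at speed v0 is stopped within t_max.

    The Markov chain state is the number of braked cycles still needed to
    reach v = 0. Each cycle it decreases by one with probability 1 - p_loss
    (sample delivered) and stays unchanged with probability p_loss (sample
    lost). State 0 (car stopped) is absorbing.
    """
    needed = math.ceil(v0 / (decel * period))          # braked cycles to stop
    cycles = math.floor(t_max / period + 1e-9)         # cycles available in t_max
    dist = [0.0] * (needed + 1)                        # dist[k]: P(k cycles still needed)
    dist[needed] = 1.0
    for _ in range(cycles):
        nxt = [0.0] * (needed + 1)
        for k, pr in enumerate(dist):
            if pr == 0.0:
                continue
            if k == 0:
                nxt[0] += pr                           # already stopped
            else:
                nxt[k - 1] += pr * (1.0 - p_loss)      # command delivered, braked
                nxt[k] += pr * p_loss                  # command lost, no braking
        dist = nxt
    return dist[0]


if __name__ == "__main__":
    # Constructed scenario: 20 m/s initial speed, 5 m/s^2 braking,
    # 10 ms network cycle, 4.5 s allowed (4.0 s would be needed without faults).
    for p in (0.0, 0.02, 0.05, 0.10, 0.15):
        print(f"p_loss={p:.2f}  P(stopped within 4.5 s)="
              f"{stop_probability(20.0, 5.0, 0.01, p, 4.5):.6f}")
```

Sweeping p_loss in this way shows how much sample loss the function tolerates before the probability of stopping in time drops below a chosen safety target.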