
    Electric vehicle drive-by-wire solution for distributed steering, braking and throttle control

    Thesis (M. Eng.), Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2010. Cataloged from the PDF version of the thesis. Includes bibliographical references.

    In this thesis we propose CityCarControl, a system to manage the steering, braking, and throttle of a new class of intra-city electric vehicles. These vehicles focus on extreme light weight and a small parking footprint. To maximize maneuverability within a city environment, we show the feasibility of omnidirectional steering and the integration of a folding chassis. Furthermore, we apply traditional programming best-practice techniques to simplify the design of the control system. Specifically, we present the concept of a modular, fail-silent wheel-robot with a standardized API responsible for controlling steering, braking and throttle within the vehicle.

    by Thomas B. Brown, M.Eng.

    Fault Tolerant Services for Safe In-Car Embedded Systems

    http://www.taylorandfrancis.com/

    Due to the increasing safety criticality of their functions, embedded automotive systems must now respect stringent dependability constraints despite the faults that may occur in a very harsh environment. In a context where critical functions are distributed over the network, the communication system plays a major role. First, we discuss the main services and functionalities that a communication system should offer to ease the design of fault-tolerant applications in the automotive context. Then, we review the features of the protocols currently considered for use and, finally, we highlight areas where developments are still needed.

    Fault detection and diagnosis for in-vehicle networks


    Design of automotive X-by-Wire systems

    http://www.taylorandfrancis.com/

    X-by-Wire is a generic term referring to the replacement of mechanical or hydraulic systems, such as braking or steering, by electronic ones. In this chapter, we analyze the real-time and dependability constraints of X-by-Wire systems, review the fault-tolerant services that are needed and the communication protocols (TTP/C, FlexRay and TTCAN) considered for use in such systems. Using a Steer-by-Wire case study, we detail the design principles and verification methods that can be used to ensure the stringent constraints of X-by-Wire systems.

    A framework and methods for on-board network level fault diagnostics in automobiles

    A significant number of electronic control units (ECUs) are nowadays networked in automotive vehicles to achieve advanced vehicle control and eliminate bulky electrical wiring. This, however, inevitably increases the complexity of vehicle fault diagnostics. Traditional off-board fault diagnosis and repair at service centres, using only the diagnostic trouble codes logged by conventional on-board diagnostics, can become unwieldy, especially when dealing with intermittent faults in complex networked electronic systems; the result is inaccurate and time-consuming diagnosis, because no real-time fault information about the interaction among ECUs is available from a network-wide perspective. This thesis proposes a new framework for on-board knowledge-based diagnostics focusing on network-level faults, and presents an implementation of a real-time in-vehicle network diagnostic system using case-based reasoning. A newly developed fault detection technique is also presented, together with the results of several practical experiments with the diagnostic system using a network simulation tool, a hardware-in-the-loop simulator, a disturbance simulator, simulated ECUs and real ECUs networked on a test rig. The results show that the new vehicle diagnostics scheme, based on the proposed framework, provides more real-time network-level diagnostic data and more detailed and self-explanatory diagnostic outcomes. Compared with conventional diagnostic methods, the new system provides increased diagnostic capability in detecting message communication faults. In particular, the underlying incipient network problems that conventional on-board diagnostics ignore are picked up for thorough fault diagnosis and prognosis, which can be carried out by a whole-vehicle fault management system, contributing to the further development of intelligent and fault-tolerant vehicles.
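
As an added illustration of the kind of network-level communication-fault detection the abstract refers to (example code written for this page, not the thesis's own detection technique or its case-based reasoner), the Python monitor below replays a constructed CAN trace, flags missing, early and unexpected frames per message identifier, and then classifies each identifier's loss rate. The trace lines, the identifiers 0x100/0x200/0x300, their periods, the `<time_ms> <id_hex> <payload_hex>` log format, the 50 % jitter tolerance and the 25 % intermittent threshold are all assumptions made for the example.

```python
from collections import defaultdict

# Assumed periodic schedule (ms) for the identifiers the monitor knows about.
EXPECTED_PERIOD_MS = {0x100: 10, 0x200: 20}
JITTER_TOL = 0.5          # more than 50 % late counts as missing, more than 50 % early as early
INTERMITTENT_MAX = 0.25   # assumed: below this loss ratio a fault is "intermittent", above it "persistent"

# Constructed trace, one frame per line: <time_ms> <id_hex> <payload_hex>.
# 0x100 should appear every 10 ms and is absent at t=40; 0x300 is not scheduled at all.
TRACE = """\
0 100 01
0 200 aa
10 100 02
20 100 03
20 200 ab
30 100 04
40 200 ac
50 100 05
55 300 ff
60 100 06
60 200 ad
70 100 07
80 100 08
80 200 ae
90 100 09
"""


def parse(trace):
    """Return a list of (time_ms, can_id, payload) tuples."""
    frames = []
    for line in trace.splitlines():
        t, cid, payload = line.split()
        frames.append((int(t), int(cid, 16), bytes.fromhex(payload)))
    return frames


def diagnose(frames, periods=EXPECTED_PERIOD_MS, tol=JITTER_TOL):
    """Walk the trace in order and emit one event per timing or identity anomaly,
    tagged with the timestamp at which it became observable."""
    last = {}
    events = []
    for t, cid, _ in frames:
        period = periods.get(cid)
        if period is None:
            events.append(("unknown_id", cid, t))   # not in the schedule: a disturbance or an injected frame
            continue
        if cid in last:
            gap = t - last[cid]
            if gap > period * (1 + tol):
                events.append(("missing", cid, t, round(gap / period) - 1))   # frames skipped
            elif gap < period * (1 - tol):
                events.append(("early", cid, t, gap))
        last[cid] = t
    return events


def summarize(frames, periods=EXPECTED_PERIOD_MS, intermittent_max=INTERMITTENT_MAX):
    """Per identifier: expected vs observed frame count over the observed span and a verdict."""
    first, last, seen = {}, {}, defaultdict(int)
    for t, cid, _ in frames:
        if cid in periods:
            first.setdefault(cid, t)
            last[cid] = t
            seen[cid] += 1
    report = {}
    for cid, period in periods.items():
        if cid not in seen:
            report[cid] = {"expected": None, "observed": 0, "missing": None, "verdict": "absent"}
            continue
        expected = round((last[cid] - first[cid]) / period) + 1
        missing = max(expected - seen[cid], 0)
        ratio = missing / expected
        verdict = "ok" if missing == 0 else ("intermittent" if ratio < intermittent_max else "persistent")
        report[cid] = {"expected": expected, "observed": seen[cid], "missing": missing, "verdict": verdict}
    return report


if __name__ == "__main__":
    frames = parse(TRACE)
    for event in diagnose(frames):
        print(event)
    for cid, row in summarize(frames).items():
        print(hex(cid), row)
```

The point of keeping the per-event timestamps and the per-identifier counts, rather than a single trouble code, is that a gap of one frame in a hundred is exactly the intermittent case a conventional DTC threshold never records; the unknown-identifier event is also the first thing to look at when the "fault" is actually traffic injected onto the bus.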

    An efficient byzantine fault tolerant agreement protocol for distributed realtime systems

    Distributed (real-time) systems have become an integral part of industrial applications such as medical technology, automotive engineering, aeronautics and automation engineering, and as technology advances their use can be expected to extend to further areas of industry. Since faults that compromise reliability and safety can occur in such systems at any time, suitable fault-tolerance mechanisms have to be developed and applied. Furthermore, many safety-critical applications have hard real-time requirements and are at the same time subject to cost restrictions. For the practical usability of such a system, not only the fault-tolerance capability is decisive but also the communication overhead the fault-tolerance mechanism causes, in terms of the number of required nodes, the number and size of messages, and the memory needed to store them.

    The Byzantine agreement problem is one of the most fundamental problems to be solved in fault-tolerant distributed systems. Although it is well researched and many solutions exist under different system-model assumptions, designing efficient solutions remains a challenging task that depends on the fault and timing model as well as on the overhead and cost bounds. This thesis investigates techniques and strategies for designing efficient agreement protocols for distributed (primarily wireless) real-time systems and presents two solutions, which are evaluated and proven correct.

    In the first approach, a novel round-based agreement protocol called ESSEN is presented, which works efficiently in synchronous distributed systems. ESSEN solves the Byzantine agreement problem in the presence of up to f arbitrary faults (cooperating Byzantine faults included) and requires at least n >= 3f + max(0, f-2) nodes. It is the first approach that solves the Byzantine agreement problem in a single broadcast round independent of the number of tolerated faults.

    Although ESSEN is already an efficient solution, it was conjectured that a suitable signature scheme could further reduce its communication complexity. In the second part of the thesis, a novel signature generation and verification technique called SigSeam is therefore presented, which merges several signatures into a single one without changing the message size. SigSeam significantly reduces both the length and the number of messages of agreement protocols, and it can be applied to existing agreement and consensus protocols (not only ESSEN) without affecting their fault-tolerance properties. However, to achieve a fault coverage comparable to conventional signature techniques, SigSeam requires approximately 25 percent more information redundancy per signature. Altogether, the goal of improving the efficiency of agreement protocols for distributed (real-time) systems was achieved, and it was shown that the principle of signature merging can in principle be applied to a large part of the existing agreement protocols.

    Fault tolerance in flexible real-time communication systems (Tolerância a falhas em sistemas de comunicação de tempo-real flexíveis)

    Distributed embedded systems (DES) have been widely used in the last few decades in several application fields, ranging from industrial process control to avionics and automotive systems, and this trend can be expected to continue over the years to come. In some of these application domains the dependability requirements are of utmost importance, since failing to provide services in a timely and predictable manner may cause important economic losses or even put human life at risk. Adopting the best practices in the design of distributed embedded systems does not fully avoid the occurrence of faults, which arise from the nondeterministic behaviour of the environment in which each particular DES operates. Thus, fault-tolerance mechanisms need to be included in the DES to prevent faults from leading to system failure. To be effective, fault-tolerance mechanisms require a priori knowledge of the correct system behaviour so that they can distinguish correct operating modes from erroneous ones. Traditionally, when designing fault-tolerance mechanisms, this a priori knowledge means that all possible operational modes are known at design time and cannot adapt or evolve at run time. As a consequence, systems designed according to this principle are either fully static or allow only a small number of operational modes.

    Flexibility, however, is a desirable property: it supports evolving requirements, simplifies maintenance and repair, and improves the efficiency of resource use by committing only the resources effectively required at each instant. This efficiency can have a positive impact on system cost, because the same resources can deliver more functionality, or the same functionality can be delivered with fewer resources. Flexibility and dependability, however, are often regarded as conflicting concepts, because flexibility implies the ability to deal with evolving requirements, which in turn can lead to unpredictable and possibly unsafe operating scenarios. It is therefore commonly accepted that only a fully static system can be made dependable, meaning that all operating conditions are completely defined before run time. In the broad sense, assuming unbounded flexibility, this assessment is true; but if the ways in which the system may adapt to evolving requirements are restricted and controlled, then it might be possible to enforce continuous dependability.

    This thesis claims that it is possible to provide a bounded degree of flexibility without compromising dependability, and proposes mechanisms to build safety-critical systems based on the Controller Area Network (CAN). In particular, the main focus of this work is the Flexible Time-Triggered CAN protocol (FTT-CAN), which was specifically developed to provide a high level of operational flexibility, not only combining the advantages of the time- and event-triggered paradigms but also allowing the time-triggered traffic to be scheduled dynamically. This makes the development of fault-tolerance mechanisms more complex in FTT-CAN than in protocols such as TTCAN or FlexRay, in which all nodes share a priori static knowledge of the time-triggered message schedule. Nevertheless, as demonstrated in this work, it is possible to build fault-tolerance mechanisms for FTT-CAN that preserve its operational flexibility, particularly concerning the time-triggered traffic, and it is argued that with such mechanisms FTT-CAN is suitable for safety-critical applications too.

    This claim is validated, within the scope of the FTT-CAN protocol, by presenting a fault-tolerant system architecture with replicated masters and fail-silent nodes. The specific problems arising from master replication are analysed and solutions are proposed: a protocol that enforces consistency of the replicated data structures during updates, and another protocol that transfers these data structures to a master that is unsynchronized with the others after an asynchronous startup or restart. Moreover, the thesis discusses how to implement fail-silence in FTT-CAN nodes and proposes two solutions, both based on hardware components placed in the node's network interface. One relies on bus guardians that enforce fail-silence in the time domain; these guardians are adapted to support dynamic traffic scheduling and are suited to FTT-CAN slave nodes only. The other relies on a special network interface that arbitrates the bus access of two microprocessors and so supports internal replication of the node transparently; in this case fail-silence is assured in both the time and the value domain, since a transmission is carried out only if both internal replicas agree on the transmission instant and the message contents. This solution is best suited to the masters but can also be used in slave nodes whenever that proves necessary.
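
The two fail-silence mechanisms just described, and the fail-silent wheel-robot of the CityCarControl abstract earlier on this page, come down to the same rule: a node that cannot prove its output is right says nothing. The Python below is an added example written for this page, not code from either thesis. It models a bus guardian that passes a slave's frame only inside a window granted at run time (so a babbling node is silenced rather than corrected) and a duplex interface that passes a master's frame only when both internal replicas agree on identifier, payload and, within a tolerance, transmission instant. The frame layout, the microsecond time base, the granted window and the 10 µs skew tolerance are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Frame:
    can_id: int
    data: bytes
    t_us: int          # intended transmission instant in microseconds (assumed time base)


@dataclass
class BusGuardian:
    """Time-domain fail-silence for a slave node.

    The guardian sits between the node's CAN controller and the bus and lets a
    frame through only inside a transmission window granted by the master.
    Windows are granted and expire at run time, which is what a guardian for a
    dynamically scheduled protocol such as FTT-CAN has to support.
    """
    windows: list = field(default_factory=list)   # (start_us, end_us) pairs, end exclusive
    blocked: list = field(default_factory=list)

    def grant(self, start_us: int, end_us: int) -> None:
        self.windows.append((start_us, end_us))

    def revoke_expired(self, now_us: int) -> None:
        self.windows = [w for w in self.windows if w[1] > now_us]

    def gate(self, frame: Frame) -> Optional[Frame]:
        """Return the frame if it falls in a granted window, otherwise block it."""
        for start, end in self.windows:
            if start <= frame.t_us < end:
                return frame
        self.blocked.append(frame)      # silenced, not corrected: the bus sees nothing
        return None


@dataclass
class DuplexInterface:
    """Time- and value-domain fail-silence through internal replication.

    Two replicas of the node's software each hand a frame to the interface; it
    reaches the bus only if both agree on identifier and payload and their
    transmission instants lie within max_skew_us of each other.
    """
    max_skew_us: int = 10           # assumed tolerance
    disagreements: list = field(default_factory=list)

    def gate(self, a: Frame, b: Frame) -> Optional[Frame]:
        same_value = a.can_id == b.can_id and a.data == b.data
        same_time = abs(a.t_us - b.t_us) <= self.max_skew_us
        if same_value and same_time:
            return a
        self.disagreements.append((a, b))
        return None


def simulate() -> dict:
    """Constructed scenario: one slot granted to a slave with three transmission
    attempts, and one replicated master producing three frame pairs."""
    guardian = BusGuardian()
    guardian.grant(1000, 1200)                   # master granted the slot [1000, 1200)
    attempts = [
        Frame(0x10, b"\x01", 1050),              # inside the window: passes
        Frame(0x10, b"\x02", 1300),              # after the window: babbling attempt, blocked
        Frame(0x10, b"\x03", 1199),              # last microsecond of the window: passes
    ]
    slave_on_bus = [f for f in (guardian.gate(a) for a in attempts) if f is not None]
    guardian.revoke_expired(1300)                # the slot is over; nothing is granted now

    duplex = DuplexInterface()
    pairs = [
        (Frame(0x20, b"\x05\x00", 2000), Frame(0x20, b"\x05\x00", 2000)),   # replicas agree: passes
        (Frame(0x20, b"\x05\x00", 2100), Frame(0x20, b"\x06\x00", 2100)),   # value disagreement: silent
        (Frame(0x20, b"\x07\x00", 2200), Frame(0x20, b"\x07\x00", 2250)),   # 50 us skew > 10 us: silent
    ]
    master_on_bus = [f for f in (duplex.gate(a, b) for a, b in pairs) if f is not None]

    return {
        "guardian_passed": len(slave_on_bus),
        "guardian_blocked": len(guardian.blocked),
        "windows_left": len(guardian.windows),
        "duplex_passed": len(master_on_bus),
        "duplex_blocked": len(duplex.disagreements),
    }


if __name__ == "__main__":
    print(simulate())
```

Note the division of labour that the abstract describes: the guardian can only enforce silence in the time domain, because it has no second opinion about the payload, so a slave guarded this way can still send a wrong value at the right time; the duplex interface closes that gap at the cost of a second processor, which is why it is proposed for the masters.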

    The Virtual Bus: A Network Architecture Designed to Support Modular-Redundant Distributed Periodic Real-Time Control Systems

    The Virtual Bus network architecture uses physical layer switching and a combination of space- and time-division multiplexing to link segments of a partial mesh network together on schedule to temporarily form contention-free multi-hop, multi-drop simplex signalling paths, or 'virtual buses'. Network resources are scheduled and routed by a dynamic distributed resource allocation mechanism with self-forming and self-healing characteristics. Multiple virtual buses can coexist simultaneously in a single network, as the resources allocated to each bus are orthogonal in either space or time. The Virtual Bus architecture achieves deterministic delivery times for time-sensitive traffic over multi-hop partial mesh networks by employing true line-speed switching; delays of around 15ns at each switching point are demonstrated experimentally, and further reductions in switching delays are shown to be achievable. Virtual buses are inherently multicast, with delivery skew across multiple destinations proportional to the difference in equivalent physical length to each destination. The Virtual Bus architecture is not a purely theoretical concept; a small research platform has been constructed for development, testing and demonstration purposes
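
As an added example (not the Virtual Bus project's code), the check below expresses the orthogonality invariant the abstract states, that two virtual buses may share a link only if they never share a time slot, together with the delivery-delay model it implies: propagation along each link plus one switching delay at every intermediate node, so that the skew across the drops of one bus is the difference in delay to each of them. The topology, link lengths, slot assignments and the 5 ns/m propagation constant are assumptions; the 15 ns per-hop switching delay is the figure the abstract reports.

```python
from itertools import combinations

SWITCH_DELAY_NS = 15.0      # per switching point, the figure reported in the abstract
PROP_NS_PER_M = 5.0         # assumed propagation delay per metre of cable


def link(a, b):
    """Undirected link identifier, independent of the order the endpoints are given."""
    return tuple(sorted((a, b)))


def bus_links(path):
    """Set of links occupied by a simplex multi-hop, multi-drop path given as a node list."""
    return {link(u, v) for u, v in zip(path, path[1:])}


def conflicts(buses):
    """buses: name -> {"path": [nodes], "slots": set of time slots}.
    Two buses conflict when they share a link AND a time slot; allocations that are
    orthogonal in space (disjoint links) or in time (disjoint slots) may coexist."""
    found = []
    for (na, a), (nb, b) in combinations(buses.items(), 2):
        shared_links = bus_links(a["path"]) & bus_links(b["path"])
        shared_slots = a["slots"] & b["slots"]
        if shared_links and shared_slots:
            found.append((na, nb, sorted(shared_links), sorted(shared_slots)))
    return found


def delivery_delays_ns(path, lengths_m):
    """Delay from the source (path[0]) to every drop along the bus: propagation over
    each link plus one switching delay at each node that forwards the signal."""
    delays, total = {}, 0.0
    for hop, (u, v) in enumerate(zip(path, path[1:])):
        if hop > 0:
            total += SWITCH_DELAY_NS      # node u is a switching point, not the source
        total += lengths_m[link(u, v)] * PROP_NS_PER_M
        delays[v] = total
    return delays


def skew_ns(delays):
    """Delivery skew across the drops: proportional to the spread in equivalent length."""
    return max(delays.values()) - min(delays.values())


# Constructed partial-mesh topology and schedule (not from the paper).
DEMO_LENGTHS = {
    link("S1", "A"): 10.0, link("A", "B"): 20.0, link("B", "D1"): 5.0,
    link("S2", "B"): 8.0, link("B", "C"): 12.0, link("C", "D2"): 4.0,
    link("S3", "A"): 6.0, link("B", "D3"): 7.0,
}
DEMO_BUSES = {
    "bus1": {"path": ["S1", "A", "B", "D1"], "slots": {0, 1}},
    "bus2": {"path": ["S2", "B", "C", "D2"], "slots": {0}},       # same slot as bus1, no shared link: orthogonal in space
    "bus3": {"path": ["S3", "A", "B", "D3"], "slots": {1, 3}},    # shares link A-B and slot 1 with bus1: conflict
}


def demo():
    bad = conflicts(DEMO_BUSES)
    delays = delivery_delays_ns(DEMO_BUSES["bus1"]["path"], DEMO_LENGTHS)
    return bad, delays, skew_ns(delays)


if __name__ == "__main__":
    bad, delays, skew = demo()
    print("conflicts:", bad)
    print("bus1 delays (ns):", delays, "skew (ns):", skew)
```

Moving bus3 to slots {2, 3} makes the set conflict-free without touching the topology, which is the time-division half of the scheme; the space-division half is what lets bus1 and bus2 share slot 0. A distributed allocator that is "self-forming and self-healing" has to re-establish exactly this invariant after every change, and a check like `conflicts` is the first thing to run against a dump of its state.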