10 research outputs found
Electric vehicle drive-by-wire solution for distributed steering, braking and throttle control
Thesis (M. Eng.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2010. Cataloged from PDF version of thesis. Includes bibliographical references.
In this paper, we propose CityCarControl, a system to manage the steering, braking, and throttle of a new class of intra-city electric vehicles. These vehicles have a focus on extreme light weight and a small parking footprint. In order to maximize maneuverability within a city environment, we show the feasibility of omnidirectional steering and the integration of a folding chassis. Furthermore, we apply traditional programming best-practice techniques to simplify the design of the control system. Specifically, we present the concept of a modular, fail-silent wheel-robot with a standardized API responsible for controlling steering, braking and throttle within the vehicle.
by Thomas B. Brown. M.Eng.
Fault Tolerant Services for Safe In-Car Embedded Systems
http://www.taylorandfrancis.com/
Due to the increasing criticality of the functions in terms of safety, embedded automotive systems must now respect stringent dependability constraints despite the faults that may occur in a very harsh environment. In a context where critical functions are distributed over the network, the communication system plays a major role. First, we discuss the main services and functionalities that a communication system should offer for easing the design of fault-tolerant applications in the automotive context. Then, we review the features of the protocols that are currently considered for use and, finally, we highlight areas where developments are still needed.
Design of automotive X-by-Wire systems
http://www.taylorandfrancis.com/
X-by-Wire is a generic term referring to the replacement of mechanical or hydraulic systems, such as braking or steering, by electronic ones. In this chapter, we analyze the real-time and dependability constraints of X-by-Wire systems, review the fault-tolerant services that are needed and the communication protocols (TTP/C, FlexRay and TTCAN) considered for use in such systems. Using a Steer-by-Wire case study, we detail the design principles and verification methods that can be used to ensure the stringent constraints of X-by-Wire systems.
A framework and methods for on-board network level fault diagnostics in automobiles
A significant number of electronic control units (ECUs) are nowadays networked in automotive vehicles to help achieve advanced vehicle control and eliminate bulky electrical wiring. This, however, inevitably leads to increased complexity in vehicle fault diagnostics. Traditional off-board fault diagnostics and repair at service centres, using only the diagnostic trouble codes logged by conventional on-board diagnostics, can become unwieldy, especially when dealing with intermittent faults in complex networked electronic systems. This can result in inaccurate and time-consuming diagnostics due to the lack of real-time fault information on the interaction among ECUs from a network-wide perspective.
This thesis proposes a new framework for on-board knowledge-based diagnostics focusing on network-level faults, and presents an implementation of a real-time in-vehicle network diagnostic system using case-based reasoning. A newly developed fault detection technique and the results from several practical experiments with the diagnostic system, using a network simulation tool, a hardware-in-the-loop simulator, a disturbance simulator, simulated ECUs and real ECUs networked on a test rig, are also presented. The results show that the new vehicle diagnostics scheme, based on the proposed framework, can provide more real-time network-level diagnostic data and more detailed and self-explanatory diagnostic outcomes. The new system provides increased diagnostic capability compared with conventional diagnostic methods in terms of detecting message communication faults. In particular, the underlying incipient network problems that are ignored by conventional on-board diagnostics are picked up for thorough fault diagnosis and prognosis, which can be carried out by a whole-vehicle fault management system, contributing to the further development of intelligent and fault-tolerant vehicles.
An efficient Byzantine fault-tolerant agreement protocol for distributed real-time systems
The use of distributed (real-time) systems has become indispensable in many areas of industry, such as medical technology, automotive engineering, aeronautics and automation engineering. Furthermore, it can be assumed that, in the course of ongoing technological development, the field of application of distributed (real-time) systems will continue to expand into other areas of industry. Since faults that impair reliability and safety can occur in such systems at any time, suitable fault-tolerance methods must be developed and deployed. Moreover, many safety-critical applications are subject to hard real-time requirements and, at the same time, to significant cost restrictions. In such applications, it is not only the fault-tolerance capability that is decisive for practical feasibility, but also the communication overhead caused by fault-tolerance methods in the form of message, node and memory overhead. The Byzantine agreement problem is one of the most important problems to be solved in fault-tolerant distributed systems. Although the Byzantine agreement problem is well researched and many solutions exist under various system model assumptions, developing efficient solutions remains a demanding task to this day, one that is anything but trivial depending on the fault and timing model as well as on the overhead and cost limits. This thesis examines techniques and strategies for developing efficient agreement protocols for distributed (predominantly wireless) real-time systems and presents two solutions for this purpose. In the first approach, a novel round-based agreement protocol, called ESSEN, is presented, which works efficiently for synchronous distributed systems.
ESSEN solves the Byzantine agreement problem in the presence of up to f arbitrary faults (including cooperating Byzantine faults). To do so, ESSEN requires at least n >= 3f + max(0, f-2) nodes. In addition, the agreement protocol ESSEN is the first approach that solves the Byzantine agreement problem in a single round, independently of the number of faults to be tolerated. Although ESSEN is an efficient solution, it seemed likely that a further improvement in communication complexity could be achieved by using a suitable signature scheme. Consequently, in the second part of the thesis, a further approach was developed by means of which the communication complexity of agreement protocols can be reduced further (including agreement protocols other than ESSEN). In the second approach, to improve the communication complexity of ESSEN, a novel method for generating and verifying signatures (in short: signature scheme), called SigSeam, is presented, which merges several signatures into a single signature without changing the message size. Within the scope of this thesis, it could be shown that the SigSeam signature scheme is able to reduce the communication complexity of agreement protocols significantly. This concerns both the message length and the number of messages, both of which can be reduced. However, compared with conventional signature schemes, SigSeam requires approximately 25 percent more information redundancy for a single signature if fault coverage as good as theirs is to be achieved. Overall, with the two solutions ESSEN and SigSeam, the goal of increasing the efficiency of agreement protocols for distributed (real-time) systems was achieved.
Furthermore, it could be shown that the principle of signature merging for reducing communication complexity can in principle be applied to the majority of existing agreement protocols.
Using distributed (real-time) systems has become an integral part of industrial applications such as medical technology, automotive engineering, aeronautics and automation engineering. Along with the progress of technological development, it can be expected that the field of distributed (real-time) systems will extend to other areas of industrial applications. This is a result of continuous technological advances. Given the fact that malfunctions in a distributed system (which can compromise the reliability and safety of systems) cannot be completely avoided, fault-tolerant mechanisms have to be developed and applied. Furthermore, many safety-critical applications are hard real-time applications and subject to cost restrictions. Therefore, for the practical usability of a distributed system with real-time requirements, all of the following properties can become crucial: the fault-tolerance capability, the communication complexity in terms of the number of required nodes, the overall communication overhead, and the overhead caused by message storage. The Byzantine agreement problem has been exposed as one of the most fundamental issues to be solved. However, solving the Byzantine agreement problem in an efficient way in terms of communication complexity is still a challenging task. The following thesis deals with techniques and strategies for designing efficient fault-tolerant Byzantine agreement protocols, primarily for wireless distributed real-time applications. In this paper two new solutions are presented, evaluated, and proven correct.
In the first approach, a novel synchronous single-round-based agreement protocol, called ESSEN, is presented, which copes with f arbitrary faults (including cooperative Byzantine faults) using at least n >= 3f + max(0, f-2) nodes. Moreover, this is the first approach which solves the Byzantine agreement problem in a single broadcast round independent of the number of tolerated faults. Following this, we present a novel signature generation technique, called SigSeam, to merge several signatures into a single one, which is the topic of the second part of this thesis. This advantage opens a design space for agreement protocols with significantly reduced message overhead. Moreover, the new signature technique can also be applied to existing agreement and/or consensus protocols without affecting the fault-tolerance properties of the protocol. Within the framework of this thesis it could be shown that the proposed signature technique with merging functionality significantly improves the efficiency of agreement protocols. However, to achieve a fault coverage comparable to conventional signature techniques, SigSeam requires approximately 25 percent more information redundancy. Altogether, the goal of improving the efficiency of agreement protocols has been achieved.
Fault tolerance in flexible real-time communication systems (Tolerância a falhas em sistemas de comunicação de tempo-real flexíveis)
In recent decades, distributed embedded systems have been used in a variety of application domains, from industrial process control to the control of aircraft and automobiles, and this trend is expected to continue and even intensify over the coming years.
The dependability requirements of some of these applications are extremely important, since failing to deliver services in a predictable and timely manner can cause serious economic damage or even put human lives at risk.
Adopting best design practices in the development of these systems does not, by itself, eliminate the occurrence of faults caused by the non-deterministic behaviour of the environment in which the distributed embedded system will operate. It is therefore necessary to include fault-tolerance mechanisms that prevent any faults from compromising the whole system.
However, to be effective, fault-tolerance mechanisms need a priori knowledge of the correct behaviour of the system so as to be able to distinguish correct modes of operation from incorrect ones.
Traditionally, when fault-tolerance mechanisms are designed, a priori knowledge means that all possible operating modes are known at the design stage and cannot be adapted or evolved during system operation. As a consequence, systems designed according to this principle are either completely static or allow only a small number of operating modes.
However, it is desirable for systems to have some flexibility in order to support the evolution of requirements during the operational phase, simplify maintenance and repair, and improve efficiency by using only the system resources that are actually needed at each instant. Moreover, this efficiency can have a positive impact on the cost of the system, since it can provide more functionality at the same cost or the same functionality at a lower cost.
However, flexibility and dependability have been regarded as conflicting concepts. This is because flexibility implies the ability to allow requirements to evolve, which in turn can lead to unpredictable and possibly unsafe operating scenarios. Thus, it is commonly accepted that only a completely static system can be made dependable, which means that all operational aspects have to be completely defined during the design phase.
In a broad sense, this observation is true. However, if the ways in which the system adapts to evolving requirements can be restricted and controlled, then it may be possible to guarantee permanent dependability despite changes to the requirements during the operational phase.
The thesis supported by this dissertation argues that it is possible to make a system flexible, within well-defined limits, without compromising its dependability, and proposes some mechanisms that allow the construction of safety-critical systems based on the Controller Area Network (CAN) protocol. More specifically, the main focus of this work is the Flexible Time-Triggered CAN (FTT-CAN) protocol, which was specifically developed to provide a high level of operational flexibility by combining not only the advantages of the event-triggered and time-triggered message transmission paradigms but also the flexibility associated with the dynamic scheduling of traffic whose transmission is triggered only by the passage of time.
This fact constrains the development of fault-tolerance mechanisms for FTT-CAN and makes it more complex than for other protocols, such as TTCAN or FlexRay, in which there is static knowledge, known in advance and common to all nodes, of the schedule of messages whose transmission is triggered by the passage of time.
However, despite this additional complexity, this work demonstrates that it is possible to build fault-tolerance mechanisms for FTT-CAN while preserving its operational flexibility.
It is also argued in this dissertation that a system based on the FTT-CAN protocol and equipped with the proposed fault-tolerance mechanisms can be used in safety-critical applications. This claim is supported, within the scope of the FTT-CAN protocol, by defining a fault-tolerant architecture integrating nodes with a fail-silent failure mode and replicated master nodes.
The various problems resulting from the replication of master nodes are also analysed, and several solutions are proposed to overcome them. Specifically, a protocol is proposed that guarantees the consistency of replicated data structures when they are updated, and another protocol that allows those data structures to be transferred to a master node that is not synchronised with the others after being initialised or reinitialised asynchronously.
Furthermore, this dissertation also discusses the design of FTT-CAN nodes that exhibit a fail-silent failure mode and proposes two solutions, based on hardware components located in each node's network interface, to solve this problem. One of the proposed solutions is based on bus guardians that allow fail-silent behaviour to be enforced in the slave nodes and support dynamic traffic scheduling on the network. The other solution is based on a network interface that arbitrates the access of two microprocessors to the bus. This interface allows the internal replication of a node to be carried out transparently and ensures fail-silent behaviour in both the time domain and the value domain by allowing the node to transmit only when both replicas agree on the message contents and on the transmission instants. This latter solution is better suited for use in master nodes, but it can also be used in slave nodes whenever this proves essential.
Distributed embedded systems (DES) have been widely used in the last few
decades in several application fields, ranging from industrial process control to avionics and automotive systems. In fact, it is expected that this trend will continue over the years to come.
In some of these application domains the dependability requirements are of utmost importance, since failing to provide services in a timely and predictable manner may cause important economic losses or even put human life at risk.
The adoption of best practices in the design of distributed embedded systems does not fully avoid the occurrence of faults arising from the non-deterministic behavior of the environment where each particular DES operates. Thus, fault-tolerance mechanisms need to be included in the DES to prevent possible faults from leading to system failure.
To be effective, fault-tolerance mechanisms require a priori knowledge of the correct system behavior to be capable of distinguishing correct operating modes from erroneous ones.
Traditionally, when designing fault-tolerance mechanisms, the a priori knowledge means that all possible operational modes are known at system design time and cannot adapt or evolve during runtime. As a consequence, systems designed according to this principle are either fully static or allow only a small number of operational modes. Flexibility, however, is a desired property in a system in order to support evolving requirements, simplify maintenance and repair, and improve the efficiency of resource usage by using only the resources that are effectively required at each instant. This efficiency might impact positively on the system cost because with the same resources one can add more functionality, or one can offer the same functionality with fewer resources.
However, flexibility and dependability are often regarded as conflicting concepts. This is so because flexibility implies the ability to deal with evolving requirements that, in turn, can lead to unpredictable and possibly unsafe operating scenarios. Therefore, it is commonly accepted that only a fully static system can be made dependable, meaning that all operating conditions are completely defined at pre-runtime.
In the broad sense, and assuming unbounded flexibility, this assessment is true, but if one restricts and controls the ways the system could adapt to evolving requirements, then it might be possible to enforce continuous dependability.
This thesis claims that it is possible to provide a bounded degree of flexibility without compromising dependability, and proposes some mechanisms to build safety-critical systems based on the Controller Area Network (CAN). In particular, the main focus of this work is the Flexible Time-Triggered CAN protocol (FTT-CAN), which was specifically developed to provide such a high level of operational flexibility, not only combining the advantages of the time- and event-triggered paradigms but also providing flexibility to the time-triggered traffic. This fact makes the development of fault-tolerant mechanisms more complex in FTT-CAN than in other protocols, such as TTCAN or FlexRay, in which there is a priori static common knowledge of the time-triggered message schedule shared by all nodes. Nevertheless, as is demonstrated in this work, it is possible to build fault-tolerant mechanisms for FTT-CAN that preserve its high level of operational flexibility, particularly concerning the time-triggered traffic. With such mechanisms it is argued that FTT-CAN is suitable for safety-critical applications, too.
This claim was validated in the scope of the FTT-CAN protocol by presenting a fault-tolerant system architecture with replicated masters and fail-silent nodes. The specific problems and mechanisms related to master replication, particularly a protocol to enforce consistency during updates of replicated data structures and another protocol to transfer these data structures to an unsynchronized node upon asynchronous startup or restart, are also addressed.
Moreover, this thesis also discusses the implementation of fail-silence in FTT-CAN nodes and proposes two solutions, both based on hardware components that are attached to the node's network interface. One solution relies on bus guardians that allow enforcing fail-silence in the time domain. These bus guardians are adapted to support dynamic traffic scheduling and are fit for use in FTT-CAN slave nodes only. The other solution relies on a special network interface, with a duplicated microprocessor interface, that transparently supports internal replication of the node. In this case, fail-silence can be assured both in the time and value domains, since transmissions are carried out only if both internal nodes agree on the transmission instant and message contents. This solution is well adapted for use in the masters, but it can also be used, if desired, in slave nodes.
The Virtual Bus: A Network Architecture Designed to Support Modular-Redundant Distributed Periodic Real-Time Control Systems
The Virtual Bus network architecture uses physical-layer switching and a combination of space- and time-division multiplexing to link segments of a partial mesh network together on schedule to temporarily form contention-free multi-hop, multi-drop simplex signalling paths, or 'virtual buses'. Network resources are scheduled and routed by a dynamic distributed resource allocation mechanism with self-forming and self-healing characteristics. Multiple virtual buses can coexist simultaneously in a single network, as the resources allocated to each bus are orthogonal in either space or time. The Virtual Bus architecture achieves deterministic delivery times for time-sensitive traffic over multi-hop partial mesh networks by employing true line-speed switching; delays of around 15 ns at each switching point are demonstrated experimentally, and further reductions in switching delays are shown to be achievable. Virtual buses are inherently multicast, with delivery skew across multiple destinations proportional to the difference in equivalent physical length to each destination. The Virtual Bus architecture is not a purely theoretical concept; a small research platform has been constructed for development, testing and demonstration purposes.