Tim Maurice Julitz,Antoine Tordeux,Manuel Löwer

DOI: https://doi.org/10.48550/arXiv.2210.04040

2022-10-08

Computers and Society

Abstract:Automated driving functions at high levels of autonomy operate without driver supervision. The system itself must provide suitable responses in case of hardware element failures. This requires fault-tolerant approaches using domain ECUs and multicore processors operating in lockstep mode. The selection of a suitable architecture for fault-tolerant vehicle systems is currently challenging. Lockstep CPUs enable the implementation of majority redundancy or M-out-of-N ($M$oo$N$) architectures. In addition to structural redundancy, diversity redundancy in the ECU architecture is also relevant to fault tolerance. Two fault-tolerant ECU architecture groups exist: architectures with one ECU (system on a chip) and architectures consisting of multiple communicating ECUs. The single-ECU systems achieve higher reliability, whereas the multi-ECU systems are more robust against dependent failures, such as common-cause or cascading failures, due to their increased potential for diversity redundancy. Yet, it remains not fully understood how different types of architectures influence the system reliability. The work aims to design architectures with respect to CPU and sensor number, $M$oo$N$ expression, and hardware element reliability. The results enable a direct comparison of different architecture types. We calculate their reliability and quantify the effort to achieve high safety requirements. Markov processes allow comparing sensor and CPU architectures by varying the number of components and failure rates. The objective is to evaluate systems' survival probability and fault tolerance and design suitable sensor-CPU architectures. The results show that the system architecture strongly influences the reliability. However, a suitable system architecture must have a trade-off between reliability and self-diagnostics that parallel systems without majority redundancies do not provide.

PANG Mao,ZHOU Xiao-jun,HU Hong-wei,MENG Qing-hua

DOI: https://doi.org/10.3969/j.issn.1004-1699.2006.02.066

2006-01-01

Abstract:Software development based on modular method can improve the reuse rate of the code, but the possibility increases that the same faults occur in each system. In order to improve the reliability of software, Fault-tolerant is applied to the development of test and control system software based on modular method. According to the characteristic of these systems, the method of fault-avoiding and fault-tolerant is discussed from four aspects: data, operation, hardware and software. The application in the software of the driving-axle synthesis performance test bed that we developed indicates that it can raise the reuse rate of the code, reduce the development period, and also improve the reliability of the software obviously.

Hua Zhang,Jun Liang,Zhiyuan Zhang

DOI: https://doi.org/10.1109/ACCESS.2020.2964947

IF: 3.9

2020-01-01

IEEE Access

Abstract:Vehicle-borne millimeter wave radar sensor may malfunction during signal acquisition and transmission process, which will affect the decision of adaptive cruise control (ACC) system and the safe driving of vehicles. However, adding other redundant environment-aware devices will increases costs. Therefore, in this paper, an active fault tolerant control of ACC system considering vehicle-borne millimeter wave radar sensor failure is proposed. Sensor faults are taken as discrete events, and the mixed logical dynamical (MLD) model of ACC upper control system is built which includes both the fault-free dynamics and the fault dynamics of the system. Then, the active fault tolerant control model of ACC system is established based on model predictive control (MPC) framework. Compared with the existing researches, this work emphasizes on the active fault tolerant control without adding other redundant environment-aware devices, which has not been fully revealed by the existing researches and is important to the industrial application. Moreover, the active fault tolerant control method can be easily ported to other driver assistance system besides ACC. The simulation results show that the vehicle equipped with the active fault tolerant ACC system can still drive safely and smoothly without being affected by radar sensor failures, which demonstrates its great significance to improve vehicle's own intelligence and ensure the safe driving instead of relying entirely on sensors.

Wang Shuai,Ji Yindong,Dong Wei,Yang Shiyuan

DOI: https://doi.org/10.1016/s1007-0214(07)70095-0

2007-01-01

Tsinghua Science & Technology

Abstract:This paper presents a fault-tolerant computer system. It is designed as a double 2-out-of-2 architecture based on component redundant technique. Also, a quantitative probabilistic model is presented for evaluating the reliability, availability, maintainability and safety （RAMS） of this architecture. Hierarchical modeling method and Markov modeling method are used in RAMS analysis to evaluate the system characteristics. The double 2-out-of-2 system is compared with the other two systems, all voting triple modular redundancy （AVTMR） system and dual-duplex system. According to the result, the double 2-out-of-2 system has the highest dependability. Especially, the system can satisfy the safety integrity level （SIL） 4, which means the system’s probability of catastrophic failure less than or equal to 10-8 per hour, therefore, it can be applied to life critical systems such as high-speed railway systems.

Ramesh Krishnamoorthy,Bharatiraja Chokkalingam,Josiah Lange Munda

DOI: https://doi.org/10.3390/en16165923

IF: 3.2

2023-08-11

Energies

Abstract:The increasing number of electrical components and sensors in modern vehicles makes network design more challenging. The development of automotive electronics through multiple communication protocols brings out the importance of a hybrid network that is both optimal and fault-tolerant. In order for a vehicle to communicate with electronic components like engine management systems, stability control units, braking systems, and door functions, a CAN (controller area network) is developed. In order to create a hierarchical vehicle network gateway for quality fortification and cost reduction of vehicles, the CAN and LIN (local interconnect network) are considered. This standardisation will reduce the variety of low-end multiplex solutions currently available for automotive electronics' development costs, production rates, service fees, and logistics costs. The implementation of a gateway in these electronic devices is made possible with the proposed hybrid architecture. This system effectively shows the high-speed and low-speed applications relevant to crucial ECUs in the network by using two distinct CAN and LIN gateways to send sensor data between the ECUs (electronic control units).

energy & fuels

Hanfei Chen,Jingxiang Dong,Youxian Sun

DOI: https://doi.org/10.1109/wcica.2004.1342251

2004-01-01

Abstract:Design of ultra-reliable real-time fault-tolerant multiprocessor systems is complexity and time-consumed. Previous systems mainly rely on special hardware and special operating systems. Current commercial real time operating systems can't satisfy the requirement of ultra-reliable systems, we present the approach to the design of fault-tolerant operating system, which based on COTS software and hardware. By introducing the redundant mechanism on multiprocessor systems into the COTS operating system's kernel, our fault-tolerant operating system completely supports the ultra-reliable real time application.

Junsung Kim,Praful Puranik,Ragunathan Rajkumar,Ragunathan (Raj) Rajkumar

DOI: https://doi.org/10.1145/2583687.2583695

2013-12-01

ACM SIGBED Review

Abstract:Advances in real-time, embedded and distributed systems along with control and communication theory have catalyzed the rapid emergence of cyber-physical systems such as a self-driving car. The importance of fault-tolerance support on a cyber-physical system (CPS) has been greatly emphasized by recent research due to the nature of CPS that senses its surroundings, processes sensor data, and reacts using its actuators. In order to tackle this challenge, we proposed SAFER (System-level Architecture for Failure Evasion in Real-time Applications) in our previous work. SAFER is able to tolerate fail-stop processor and/or task failures for distributed embedded real-time systems. One of its limitations, however, is that SAFER is not capable of tolerating a failure of a processor with a dedicated connection to an actuator. This paper provides a method that relaxes this limitation by (1) deploying a small piece of hardware to avoid a dedicated connection between a processor and an actuator, (2) adding a software module that monitors and controls the hardware, and (3) enhancing the failure detection and recovery mechanisms of SAFER to support these changes. The detailed implementation and evaluation of the SAFER extension is on-going work.

Thomas Drage,Kai Li Lim,Joey En Hai Koh,David Gregory,Craig Brogle,Thomas Bräunl,Thomas Braunl

DOI: https://doi.org/10.1109/iv48863.2021.9575662

2021-07-11

Abstract:This paper presents an approach to specifying a modularised safety system which comprehensively addresses the safety requirements for highly autonomous (SAE Level 3+) road vehicles featuring advanced sensing and automated navigation. As these requirements are often overlooked in similar autonomous driving system proposals, we present a method of hazard and risk analysis which investigates hardware failures, environmental perception limitations, human interaction and functional requirements for artificial intelligence. We then define a system design which implements the required safeguards and examines the application on two electric autonomous vehicle testbeds: a race car and a shuttle bus. The close-coupling of a safety-oriented architecture and multi-regime Hazard and Risk Assessment process was tested to measure the system's ability to detect and react to pedestrian stimuli, resulting in accurate detections and reactions, thereby confirming its ability to design safety systems for autonomous research vehicles in a scalable and easily assured fashion.

Wei-Dong Xu,Xiang-Gui Guo,Jian-Liang Wang,Huaicheng Yan,Zheng-Guang Wu

DOI: https://doi.org/10.1109/tits.2024.3431012

IF: 8.5

2024-01-01

IEEE Transactions on Intelligent Transportation Systems

Abstract:This paper proposes a fault-tolerant and intrusion-tolerant control strategy for a two-dimensional (2-D) planar vehicular platoon system subject to unknown limitless reversals in fault directions (ULRFDs) and stochastic false data injection attacks (FDIAs). An algorithm is also proposed to realize some actual traffic scenarios such as multi-lane vehicle merging and a single vehicle joining or exiting a platoon. In contrast to the existing results, under stochastic FDIAs, the considered fault directions can be unknown, time-varying, and limitless continuously transformed, as well as the fault frequency is not limited. A novel Nussbaum function with a bounded and adjustable amplitude is constructed using the idea of time-elongation (instead of amplitude-elongation) to attenuate the control input shocks caused by the amplitude-elongation Nussbaum function and to solve the ULRFD problem effectively. Furthermore, two Zeno-free event-triggered mechanisms (ETMs) respectively for velocity and angular velocity are constructed to reduce the communication cost on the controller-actuator channels. It is worth mentioning that a passive intrusion-tolerant method without introducing any additional learning parameter is adopted to solve stochastic FDIAs on the controller-actuator channels. This simplifies our controller structure and reduces the online computational load. Finally, simulation results validate the effectiveness and supremacy of the proposed control strategy and algorithm.

Ralf Stetter

DOI: https://doi.org/10.3390/s22124648

IF: 3.9

2022-06-21

Sensors

Abstract:Researchers around the globe have contributed for many years to the research field of fault-tolerant control; the importance of this field is ever increasing as a consequence of the rising complexity of technical systems, the enlarging importance of electronics and software as well as the widening share of interconnected and cloud solutions. This field was supplemented in recent years by fault-tolerant design. Two main goals of fault-tolerant design can be distinguished. The first main goal is the improvement of the controllability and diagnosability of technical systems through intelligent design. The second goal is the enhancement of the fault-tolerance of technical systems by means of inherently fault-tolerant design characteristics. Inherently fault-tolerant design characteristics are, for instance, redundancy or over-actuation. This paper describes algorithms, methods and tools of fault-tolerant design and an application of the concept to an automated guided vehicle (AGV). This application took place on different levels ranging from conscious requirements management to redundant elements, which were consciously chosen, on the most concrete level of a technical system, i.e., the product geometry. The main scientific contribution of the paper is a methodical framework for fault-tolerant design, as well as certain algorithms and methods within this framework. The underlying motivation is to support engineers in design and control trough product development process transparency and appropriate algorithms and methods.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Stefan Orf,Sven Ochs,Jens Doll,Albert Schotschneider,Marc Heinrich,Marc René Zofka,J. Marius Zöllner

2024-11-15

Abstract:Fault diagnosis is crucial for complex autonomous mobile systems, especially for modern-day autonomous driving (AD). Different actors, numerous use cases, and complex heterogeneous components motivate a fault diagnosis of the system and overall system integrity. AD systems are composed of many heterogeneous components, each with different functionality and possibly using a different algorithm (e.g., rule-based vs. AI components). In addition, these components are subject to the vehicle's driving state and are highly dependent. This paper, therefore, faces this problem by presenting the concept of a modular fault diagnosis framework for AD systems. The concept suggests modular state monitoring and diagnosis elements, together with a state- and dependency-aware aggregation method. Our proposed classification scheme allows for the categorization of the fault diagnosis modules. The concept is implemented on AD shuttle buses and evaluated to demonstrate its capabilities.

Robotics

Caspar Antonius Jacobus Hanselaar,Emilia Silvas,Andrei Terechko,W.P.M.H. Heemels

DOI: https://doi.org/10.1109/tits.2024.3352829

IF: 8.5

2024-01-01

IEEE Transactions on Intelligent Transportation Systems

Abstract:To enable highly automated vehicles where the driver is no longer a safety backup, the vehicle must deal with various Functional Insufficiencies (FIs). Thus-far, there is no widely accepted functional architecture that maximizes the availability of autonomy and ensures safety in complex vehicle operational design domains. In this paper, we present a survey of existing methods that strive to prevent or handle FIs. We observe that current design-time methods of preventing FIs lack completeness guarantees. Complementary solutions for on-line handling cannot suitably increase safety without seriously impacting availability of journey continuing autonomous functionality. To fill this gap, we propose the Safety Shell, a scalable multi-channel architecture and arbitration design, built upon preexisting functional safety redundant channel architectures. We compare this novel approach to existing architectures using numerical case studies. The results show that the Safety Shell architecture allows the automated vehicle to be as safe or safer compared to alternatives, while simultaneously improving availability of vehicle autonomy, thereby increasing the possible coverage of on-line functional insufficiency handling.

engineering, electrical & electronic,transportation science & technology, civil

Yuqing Tang,Yujie Yuan,Yan Liu

DOI: https://doi.org/10.1016/j.micpro.2020.103507

IF: 3.503

2021-11-01

Microprocessors and Microsystems

Abstract:<p>New generation of automotives has become a typical Cyber-Physical System, including various sensors, complex communication networks and distributed computing devices. Manufacturers pay great attention to functional safety and cost control of automotive. High-end computing devices such as electronic control units (ECU) that can perform multiple tasks bring higher reliability and also lead to soaring costs. In this paper, we propose an efficient scheduling algorithm that satisfies cost and functional reliability constraints under multifunctional mixed-criticality task replication execution scenarios. Using the proposed fault-tolerant hardware cost-aware multifunctional safety assurance (FT_HCMSA) algorithm can reduce the deadline miss ratio (DMR) of high-criticality function significantly while meeting the autumotive functional safety and hardware cost constraints. FT_HCMSA uses a fine-grained ECU replacement strategy to optimize task allocation. Our experiments validate that FT_HCMSA can reduce the DMR of high-criticality level functions while meet the requirements of safety and cost.</p>

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

J. Fabian,Stephan Reinhofer,Markus Ernst,Adam Schnellbach

DOI: https://doi.org/10.17758/ur.u0915115

2015-09-07

Abstract:Ongoing advances in mechatronic components and power electronics help to improve control systems within automotive applications. New developed or designed components enable more efficient system architectures and control. The management of several parameters of future drive architectures, such as high torque and power output, high system efficiency, low mass, low energy consumption, very low exhaust gas emissions, and low costs is essential for future propulsion concepts. Based on these development trends, mechatronic systems within automotive engineering are gaining more and more importance. At the same time, quality and safety requirements become challenging for automotive manufacturers as well as their suppliers regarding the reduction of the initial risk and increase of component reliability in a high degree. Therefore, safety-relevant aspects in the development of modern mechatronic systems have to be considered thoroughly. The high number of technical properties and complex connections of mechatronics systems in the development of modern vehicles are very challenging for state-of-the-art analysis methods. For this reason, new and innovational safety concepts are required to optimize existing safety concepts using conventional components and methods in combination. This paper includes a detailed comparison of different analysing methods to identify systematic and random failures, as well as safety standards such as IEC 61508 (Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems) and ISO 26262 (Road vehicles - Functional safety). To fulfil safety standards nowadays for complex mechatronic systems, several different analysis methods have to be applied. Only the connection of a safe fault recognition with a safe fault reaction enables a system to avoid harmful consequences. Regarding product development, there is an ongoing change from routine tests (durability tests) to testing selected parts of a safety function (fault injection tests). How action is taken is changing, with a trend towards a further development of IT tools, supporting functional safe systems holistically, including hazard analysis and risk assessment, integrated system analysis of systematic and random failures, and hardware metrics. The publication closes with an overview of a functional safety concept and presents an outlook to future trends of safety systems analysis

Engineering

Manar N. Shaker,Ahmed Hussien,Hassanein Amer,Beatrice Shokry,Hassanein H. Amer

DOI: https://doi.org/10.1109/access.2024.3369585

IF: 3.9

2024-03-06

IEEE Access

Abstract:FPGAs are currently being used in many applications due to their flexibility and re-programmability. Some of these applications operate in harsh environments. One such environment is space. Focusing on space applications, these FPGAs are subjected to soft and hard faults. For newer technology nodes, in addition to the harsh space environment, these errors are more severe. This paper investigates several fault-tolerant architectures to mitigate Single Event Upsets (SEUs), Double Event Upsets (DEUs), Triple Event Upsets (TEUs) as well as hard faults. Conventionally, for TEUs, seven copies of a module are required (7MR). Therefore, a modified 7MR architecture is studied along with two other architectures with six redundant modules: a modified 6MR architecture and a modified Triple Duplex architecture. Using Continuous Time Markov Chains (CTMCs), it is proven that, in many of the cases studied in this article, the modified Triple Duplex architecture has a higher reliability than the modified 7MR architecture. This is a counter-intuitive result. It is also proven that the modified 6MR architecture always has a lower reliability than the modified Triple Duplex architecture even though they both require six redundant modules. The ratio between the relative rates of SEUs, DEUs and TEUs plays an important role in determining the most reliable architecture. Furthermore, the Xilinx Vivado tool with the Kintex7, 7k410tfbg676 device is used to implement the modified 7MR and modified Triple Duplex voters to estimate the area and power consumed by these techniques.

computer science, information systems,telecommunications,engineering, electrical & electronic

Tong Wang,Xi Chen,Zhikai Cai,Junnan Mi,Xiaomin Lian

DOI: https://doi.org/10.1177/0954407018755613

2019-01-01

Abstract:In order to ensure safety and reliability, some safety-related electrical and electronic (E/E) systems in vehicles need to be designed as a whole-redundancy system. Although ISO 26262 provides guidance for the analysis of random hardware failure, the problem of estimating whether the safety-related E/E systems, especially whole-redundancy system can meet the index of the ASIL level in ISO 26262 is still unsolved. Fault tree analysis (FTA) is one of the basic methods to analyze random hardware failure of a vehicle's E/E systems quantitatively. In generic FTA, the quantitative analysis of dynamic logic gates, which usually exist in the fault tree of whole-redundancy system, cannot be calculated. Meanwhile, Markov chain can solve the problem of quantitative calculation of dynamic fault tree, but brings a side-effect of complicating the calculation of static logic gates in fault trees. In order to evaluate random hardware failure of a vehicle E/E system more concisely and effectively, and to estimate if a new safety-related E/E system's random hardware failure rate can meet the index demand in ISO 26262, this study proposed a mixed model based on FTA and Markov chain. First, the definition of random hardware failure and fault classification were clarified. Then, a mixed model based on FTA and Markov chain was proposed. Finally, a whole-dual-redundancy steer by wire system was used as an example to test the validity of the mixed model. This study not only proposed a new mixed model based on FTA and Markov chain for the calculation of a whole-redundancy system's random hardware failure rate, but also provided a new quantitative validation method for safety-related E/E systems in vehicles that need to meet the reliability index requirement in ISO 26262.

Yuting Fu,Andrei Terechko,Jan Friso Groote,Arash Khabbaz Saberi

DOI: https://doi.org/10.4271/12-05-01-0002

2022-01-17

SAE International Journal of Connected and Automated Vehicles

Abstract:Modern Automated Driving (AD) systems rely on safety measures to handle faults and to bring the vehicle to a safe state. To eradicate lethal road accidents, car manufacturers are constantly introducing new perception as well as control systems. Contemporary automotive design and safety engineering best practices are suitable for analyzing system components in isolation, whereas today’s highly complex and interdependent AD systems require a novel approach to ensure resilience to multiple-point failures. We present a holistic and cost-effective safety concept unifying advanced safety measures for handling multiple-point faults. Our proposed approach enables designers to focus on more pressing issues such as handling fault-free hazardous behavior associated with system performance limitations. To verify our approach, we developed an executable model of the safety concept in the formal specification language mCRL2. The model behavior is governed by a four-mode degradation policy-controlling distributed processors, redundant communication networks, and virtual machines (VMs). To keep the vehicle as safe and cost effective as possible, our degradation policy can reduce driving comfort or AD system’s availability using additional low-cost driving channels. We formalized five safety requirements in the modal μ-calculus and proved them against our mCRL2 model, which is intractable to accomplish exhaustively using traditional road tests or simulation techniques. In conclusion, our formally proven safety concept defines a holistic and cost-effective design pattern for AD systems.

Chien-Fu Cheng,Gautam Srivastava,Jerry Chun-Wei Lin,Ying-Chen Lin

DOI: https://doi.org/10.1109/tits.2020.3043729

IF: 8.5

2021-06-01

IEEE Transactions on Intelligent Transportation Systems

Abstract:Due to the rapid development of the Internet of Things, cloud computing, big data, and software-defined networks technologies, vehicular ad hoc networks have evolved into software-defined Internet of Vehicles (IoV). In software-defined IoV, messages transmitted by vehicles are transferred using wireless communication technology, so attackers can easily attack specific vehicles and Road-Side Units (RSUs) within the wireless communication range. When any vehicle or RSU is under attack or control, the entire network may collapse and produce incorrect computing results, which in the worst case, can lead to car accidents. Therefore, building a highly reliable and fault-tolerant software-defined IoV is of high importance. In this paper, we visit the consensus problem in software-defined IoV. Software-defined IoV is built with infrastructures, that is, RSUs. RSUs have a backhaul capacity and a powerful computing capacity. Thus, in software-defined IoV, we will focus on how to use RSUs to assist vehicles in reaching a consensus.

engineering, electrical & electronic,transportation science & technology, civil

Ao Lu,Guangyu Tian

DOI: https://doi.org/10.3390/act13100407

IF: 2.6

2024-10-09

Actuators

Abstract:Four-wheel independent drive and four-wheel independent steering (4WID-4WIS) vehicles provide increased redundancy in fault-tolerant control (FTC) schemes, enhancing heterogeneous fault-tolerant capabilities. This paper addresses the challenge of maintaining vehicle safety and maneuverability in the presence of actuator faults in autonomous vehicles, focusing on 4WID-4WIS systems. A novel unified hierarchical active FTC strategy is proposed to handle various actuator failures. The strategy includes an upper-layer motion controller that determines resultant force requirements based on trajectory tracking errors and a middle-layer allocation system that redistributes tire forces to fault-free actuators using fault information. This study, for the first time, considers multi-fault scenarios involving longitudinal and lateral coupling, calculating FTC boundaries for each fault type. Additionally, a fault tolerance index is introduced for 256 fault scenarios, using singular value decomposition to linearly represent the vehicle attainable force domain. Based on this, an adaptive velocity planning strategy is developed to balance safety and maneuverability under fault conditions. Matlab 2021a/Simulink and Carsim 2019 co-simulation results validate the proposed strategies, demonstrating significant improvements in fault-tolerant performance, particularly in complex and emergency scenarios.

engineering, mechanical,instruments & instrumentation