Auto Safety Software
8/6/2019 Auto Safety Software (transcript of the slides)

Slide 1/48 - The design of safe automotive electronic systems
Some problems, solutions and open issues

Françoise Simonot-Lion ([email protected])
Nancy Université - LORIA (UMR 7503)
IES2006, IEEE Symposium on Industrial Embedded Systems
Antibes Juan-Les-Pins, France, October 18-20, 2006

Slide 2/48 - General context
- Automotive industry: the most important economic sector for the next 10 years (Mercer Management Consulting)
- Automotive electronics (Strategy Analytics, McKinsey): cost of electronic embedded systems / cost of a car = 1% (1980), 20% (2005), 40% (2015)

Slide 3/48 - General context
- In-vehicle embedded systems: electronic components 50%, software components 50%
- Embedded software: 1.1 KBytes (1980), 2 MBytes (2000), 10 MBytes (2004)
- Software technology: new services are easily developed
- Customers' requirements: cost, comfort, safety
- Carmakers' or suppliers' requirements: cost, time to market
- Electronic systems = 90% of innovation (Daimler Chrysler)
- Mandatory for some functions (control of exhaust emission)

Slide 4/48 - Outline
- Context
- General problems
- Automotive domains
- Elements of solution: standards; efficient development process
- Open issues
- Conclusions

Slide 5/48 - Problems: architectural complexity
[Figure: example in-vehicle architecture (PSA communication service). ECUs shown: Airbags, Doors ctl, Steering Wheel ctl, ABS, Power Train, Lights ctl, Climate ctl, Radio..., Amplifier, ISU. Networks: Comfort Network, Body Network, Chassis - Power Train Network. ECU = Electronic Component Unit.]
- Critical functions
- Complex communication architecture

Slide 6/48 - Problems: architectural complexity example
Jürgen Leohold (IEEE WFCS 2004, Vienna, Austria), VW Phaeton:
- 11 136 electrical devices
- 61 ECUs, 3 CAN networks, sub-networks, 1 multimedia bus
- 2500 signals exchanged between ECUs in 250 CAN messages

Slide 7/48 - Problems: functional complexity
- Number of I/O signals - size of the state vector (external / internal data)
- Integration of critical and non-critical functions
- Interaction between functions
- Functional modes
- Safety requirements: values; performances / time constraints

Slide 8/48 - Problems: development process
- Shared between several actors: suppliers (subcontractors) / car makers
- Interaction between partners: black boxes / white boxes / grey boxes; intellectual property
- Process: top-down; bottom-up (reusability)
- Standards
- Under constraints: cost, quality, variants, safety

Slide 9/48 - Outline (repeated as a section marker)

Slide 10/48 - Powertrain domain
[Figure: motor controller with accelerator pedal and brake pedal as inputs, interacting with the climate controller and the ESP controller. Constraints: driving facilities, fuel consumption, exhaust pollution.]

Slide 11/48 - Powertrain domain
- Functional point of view: complex control laws; multi-variables; different sampling periods; cyclic (motor times) - periodic (other systems)
- Operational point of view: high computation power (floating point coprocessors); multi-tasks (different activation rules); compromise cost / resolution of sensors; stringent time constraints (response time, freshness)
- Orders of magnitude shown on the slide: ~100 µs, ~1 ms

Slide 12/48 - Chassis
[Figure: wheel suspension controller (ABS, ESP, ASC, 4WD, ...) with steering column and brake pedal as inputs, other systems, forces (ground, wind). Constraints: comfort, safety.]

Slide 13/48 - Chassis
- Functional point of view: complex control laws
- Operational point of view: high computation power (floating point coprocessors); multi-tasks (different activation rules); compromise cost / resolution of sensors; distribution; stringent time constraints (response time, freshness, temporal consistency)
- Order of magnitude shown on the slide: ~1 ms
- Critical domain for safety: X-by-Wire

Slide 14/48 - Body domain
[Figure: controllers for wipers, lights, mirrors, doors, windows, seats, ...; other systems; drivers and passengers. Keyword: innovation.]

Slide 15/48 - Body domain
- Functional point of view: numerous functions; reactive systems
- Operational point of view: highly distributed; hierarchical distributed system; time constraints (response time, temporal consistency); Central Body Unit (critical entity); optimal scheduling of tasks; optimal scheduling of messages
[Figure: Central Body Electronic unit connected to LIN and CAN sub-networks and to other domains; order of magnitude shown: > 1 s]

Slide 16/48 - Telematic, multimedia domain
[Figure: telediagnostic, human machine interface, multimedia applications, communication; driver and passengers; other systems.]

Slide 17/48 - Telematic, multimedia domain
- Operational point of view: upgradable devices, applications; plug and play
- Properties: security, multimedia QoS
- Resource sharing; fluid data streams; bandwidth

Slide 18/48 - Driver assistance, active safety
- Night vision support
- Pedestrian / object recognition
- ACC
- Lane keeping assistant
- Collision avoidance
- Complexity of the closed loop

Slide 19/48 - Domain characteristics

Domain          | Application type                | Constraints                   | Specification
Power train     | Hybrid systems                  | Hard real time                | Matlab/Simulink
Chassis         | Hybrid systems                  | Hard real time (safety)       | Matlab/Simulink
Body            | Discrete event systems          | Real time                     | State machine (SDL, Statecharts)
Telematic - HMI | Multimedia data flow processing | Soft real time, security, QoS | ?

Power train, chassis, body: deterministic guarantees (safety and performance).
Telematic - HMI: probabilistic guarantees.

Slide 20/48 - Outline (repeated as a section marker)

Slide 21/48 - The design of safe automotive embedded systems
- Efficient development process: dedicated components, system
- Reusability: components - integration; portability - interoperability
- Traceability, upgradeability; consistent abstraction levels
- Safe embedded system: properties, V&V analysis, models
- Standards
- Safe & optimal system

Slide 22/48 - Standards
- Embedded system architecture: component identification; component interface standardisation (how to use them); data: diagnostic data, data provided by sensors
- Architecture Description Language: technology, genericity, structure, formal description

Slide 23/48 - Technological standards: networks and protocols
SAE classes: Class A (10 kbps), Class B (>= 100 kbps), Class C (>= 1 Mbps)

Requirements / domain       | Bandwidth  | Networks
Body                        | 100 kbps   | CAN low speed
Power-train, chassis        | 500 kbps   | CAN high speed, TTP/C
Safety critical (X-by-Wire) | >= 5 Mbps  | TTP/C, FlexRay
Telematic, multimedia       | >= 25 Mbps | MOST

Classes on the slide: body - Class B; power-train / chassis and X-by-Wire - Class C. Class A: LIN, TTP/A.

Slide 24/48 - Technological standards: networks and protocols, paradigms
- Event-triggered: transmission of messages only when an event occurs
  + minimisation of bandwidth consumption; incremental design
  - verification of temporal constraints; detection of failed nodes
  Example: CAN
- Time-triggered: transmission of messages at predetermined points in time
  + predictability; detection of failed nodes
  - network utilisation (aperiodic messages); flexibility
  Examples: TTP/C; TTCAN, FTTCAN, FlexCAN; FlexRay
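The predictability trade-off on this slide, as an added example that is not part of the original talk: on an event-triggered CAN bus the worst-case response time of a message depends on every higher-priority message and has to be computed (the standard CAN response-time analysis), whereas on a time-triggered bus each message owns a slot and its worst case is one fixed round. The 500 kbit/s bus rate, the message set and the slot length are constructed assumptions.

```python
from math import ceil

BIT_TIME_US = 2.0        # assumed 500 kbit/s bus (the power-train / chassis rate)
# Constructed message set, highest priority first: (name, period_us, size_bits).
# 135 bits is the worst-case length of an 8-byte CAN 2.0A frame with stuffing.
MESSAGES = [
    ("engine_speed", 1_000, 135),
    ("brake_pedal", 2_000, 135),
    ("wheel_speeds", 2_000, 135),
    ("body_lights", 10_000, 135),
    ("climate", 20_000, 135),
]


def can_worst_case_response(msgs, bit_time):
    """Event-triggered bus: worst-case response time (us) per message, using
    the standard CAN response-time analysis with zero queuing jitter.
    Response = blocking by one lower-priority frame already on the bus
             + interference from higher-priority frames queued meanwhile
             + the message's own transmission time."""
    result = {}
    for i, (name, period, bits) in enumerate(msgs):
        c_i = bits * bit_time
        # one lower-priority frame may already be on the bus (non-preemptive)
        b_i = max([m[2] * bit_time for m in msgs[i + 1:]], default=0.0)
        w = b_i
        while True:
            interference = sum(
                ceil((w + bit_time) / p_j) * (bits_j * bit_time)
                for _, p_j, bits_j in msgs[:i]
            )
            w_next = b_i + interference
            if w_next == w:
                break
            if w_next + c_i > period:     # deadline (= period) cannot be met
                w = float("inf")
                break
            w = w_next
        result[name] = w + c_i
    return result


def tt_worst_case_response(msgs, slot_us):
    """Time-triggered bus: every message owns one slot per round, so the worst
    case is waiting one full round for its slot, whatever the other nodes do.
    The value does not depend on priorities or on how busy the bus is."""
    round_us = len(msgs) * slot_us
    return {name: round_us for name, _, _ in msgs}


def all_deadlines_met(response_times, msgs):
    """Temporal-constraint verification: response time within the period."""
    return all(response_times[name] <= period for name, period, _ in msgs)
```

Adding one more high-priority message to MESSAGES changes every lower-priority CAN result, which is the verification burden the slide lists as the event-triggered drawback; the time-triggered figures change only if the round itself is redesigned.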

Slide 25/48 - Technological standards: operating systems and middleware
- OSEK/VDX OS and OSEK/VDX Com
- OSEKtime OS and OSEK/VDX FTCom
- Windows CE, VxWorks (multimedia, telematics)
- Diag on CAN, KWP 2000 (diagnostic); CCP (calibration)
- Hardware abstraction layer, I/O: HIS IO Library; HIS Display Data Protocol

Slide 26/48 - Architecture standards
- AUTOSAR: reference architecture, modularity, configurability
- Middleware specification: hardware independence, portability, reusability, interoperability of components
- http://www.autosar.org/
[Figure: layered stack - application software components / basic software components / hardware components, linked through a common interface (virtual bus)]

Slide 27/48 - Outline (repeated as a section marker)

Slide 28/48 - Efficient development process
[Figure: V-cycle. Left branch: functional specification -> design (software, hardware, distribution) -> implementation. Right branch: software / hardware integration -> system integration.]
Activities attached to each step:
- Functional specification: model consistency, functional validation, safety verification
- Design: model consistency, schedulability, performance evaluation, safety verification
- Implementation: test, code verification

Slide 29/48 - (no text on the slide)

Slide 30/48 - Efficient development process: methods and tools per step
[Figure: the same V-cycle annotated with techniques]
- Functional specification: Matlab / Simulink, Petri nets, automata, temporal logic, MSC
- Design (software, hardware, distribution): FMEA, fault trees, timed automata, temporal Petri nets, queuing systems, stochastic models; architecture(s) description with an Architecture Description Language
- Implementation: code inspection, unit test
- Software / hardware integration and system integration: HIL, integration test

Slide 31/48 - Efficient development process
- Domain oriented language: syntax: domain dependent; semantics: V&V and design model dependent; declarative language (~UML Profile)
- Architecture Description Language: AADL, EAST-ADL (http://www.east-eea.net/), ATESST (http://www.atesst.org)
- Representation of an embedded system at each level of its development
- Traceability, consistency between models
- Automatic generation of formal models

Slide 32/48 - Outline (repeated as a section marker: open issues)

Slide 33/48 - Open issues: portability versus interoperability
- Autosar and the interoperability objective
- Syntactic characteristics - input / output specification
- Traceability, derivation, transformation
- Interoperability? Timing annotation of ADL? Dependability annotation of ADL?
- Composition rules: how to ensure a predictable composition? schedulability, resource sharing, safety, dependability
- http://www.easis-online.org/

Slide 34/48 - Open issues - 1 (section divider)

Slide 35/48 - Open issues 1: deployment of a safe system
[Figure: successive architecture levels of one system]
- Software architecture: software components (ASC#1 .. ASC#4) and signals (S1, S2)
- Logical architecture: logical tasks and signals
- Operational architecture: OS tasks (OS-Task#A .. OS-Task#D) hosting the logical tasks, frames per round (Frame#1 carrying S1 and S2), middleware configuration
- Technical architecture: ECU#1, ECU#2
- Non functional requirements attached to each level

The challenge is to find a solution:
- that respects all the functional requirements, all the performance requirements, all the safety requirements, all the timing requirements,
- and optimises ECU memory size, CPU and network bandwidth consumption, cost, maintenance cost, wire length, etc.
NP-complete problem -> heuristics
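A toy instance of this deployment problem, added here as an example and not taken from the talk: logical tasks exchanging signals are mapped onto ECUs so that each ECU stays within its CPU and memory budget, the two replicas of the critical function sit on different ECUs (the safety requirement), the bus is not over-committed, and the bandwidth consumed by signals crossing ECU boundaries is minimised. Tasks, signals, capacities and the bus rate are constructed; exhaustive search gives the reference optimum and a first-fit pass stands in for the heuristics the slide mentions.

```python
from fractions import Fraction
from itertools import product

# Constructed logical tasks: name -> (wcet_us, period_us, memory_kB)
TASKS = {
    "steer_ctl_a": (200, 1000, 8),    # replica A of the critical steer function
    "steer_ctl_b": (200, 1000, 8),    # replica B: must not share an ECU with A
    "wheel_speed": (100, 1000, 4),
    "esp": (300, 2000, 12),
    "body_ctl": (50, 10000, 6),
    "lights": (20, 20000, 2),
    "yaw_sensor": (50, 1000, 2),
}
# Constructed signals (producer, consumer, bits), sent once per producer period.
SIGNALS = [
    ("wheel_speed", "steer_ctl_a", 64), ("wheel_speed", "steer_ctl_b", 64),
    ("wheel_speed", "esp", 64), ("esp", "steer_ctl_a", 32),
    ("esp", "steer_ctl_b", 32), ("yaw_sensor", "esp", 128),
    ("body_ctl", "lights", 16),
]
REDUNDANT_PAIRS = [("steer_ctl_a", "steer_ctl_b")]   # safety requirement
ECUS = {"ecu1": 32, "ecu2": 32, "ecu3": 16}           # memory capacity, kB
MAX_UTIL = Fraction(1, 2)                             # CPU utilisation bound per ECU
BUS_BITS_PER_S = 500_000                              # assumed 500 kbit/s CAN


def bus_load(mapping):
    """Bits per second crossing ECU boundaries; a signal whose producer and
    consumer share an ECU costs no bus bandwidth (partial mappings allowed)."""
    load = 0
    for prod, cons, bits in SIGNALS:
        if prod in mapping and cons in mapping and mapping[prod] != mapping[cons]:
            load += bits * 1_000_000 // TASKS[prod][1]
    return load


def feasible(mapping):
    """Utilisation, memory, bus and redundancy constraints of a (partial) mapping."""
    util = {e: Fraction(0) for e in ECUS}
    mem = {e: 0 for e in ECUS}
    for task, ecu in mapping.items():
        wcet, period, kb = TASKS[task]
        util[ecu] += Fraction(wcet, period)   # exact, no float rounding at the bound
        mem[ecu] += kb
    if any(util[e] > MAX_UTIL or mem[e] > ECUS[e] for e in ECUS):
        return False
    if any(a in mapping and b in mapping and mapping[a] == mapping[b]
           for a, b in REDUNDANT_PAIRS):
        return False
    return bus_load(mapping) <= BUS_BITS_PER_S


def exhaustive():
    """Reference optimum: try all |ECUs|^|tasks| mappings. Fine for 7 tasks and
    3 ECUs; hopeless at Phaeton scale (61 ECUs), which is why heuristics exist."""
    best = None
    for choice in product(ECUS, repeat=len(TASKS)):
        mapping = dict(zip(TASKS, choice))
        if feasible(mapping):
            cost = bus_load(mapping)
            if best is None or cost < best[0]:
                best = (cost, mapping)
    return best


def first_fit():
    """Heuristic: place tasks in declaration order on the first ECU that keeps
    the partial mapping feasible. Fast, but blind to bus bandwidth."""
    mapping = {}
    for task in TASKS:
        for ecu in ECUS:
            trial = {**mapping, task: ecu}
            if feasible(trial):
                mapping = trial
                break
        else:
            return None                   # no feasible placement found
    return bus_load(mapping), mapping
```

On this instance first-fit fills ecu1 until the yaw sensor no longer fits and then pays 128 kbit/s for the yaw-to-ESP signal, while the optimum co-locates the sensor with ESP and pays only the two unavoidable crossings to the second steer replica.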

Slide 36/48 - Open issues 1: deployment of a safe system (continued)
- Fault tolerance: recovery mechanisms; hardware and software redundancy; timing redundancy (sampling / over-sampling)
- Time-triggered vs. event-triggered
[Figure: the event-triggered approach and the time-triggered approach positioned against three axes: overload, flexibility, determinism]

Slide 37/48 - Open issues 2: design for cost, performance vs. design for safety
- Reliability of electronic devices: difficult to evaluate formally
- Perturbation due to environment: not completely known
- Emergence of X-by-Wire systems (electronic technology): stringent safety properties required

Slide 38/48 - Open issues 2: design for cost, performance vs. design for safety
Avionic vs. automotive:

Criterion                                    | Avionic                     | Automotive
Operators                                    | high qualification          | no qualification
Maintenance                                  | stringent requirements      | no formal requirement
Hardware redundancy                          | massive                     | few, impossible
System evolutivity                           | stable                      | continuous evolution
Proof, certification of software components  | standards + regulatory laws | few elements for the present

Slide 39/48 - Open issues 2: design for cost, performance vs. design for safety
- Regulatory laws: internal recommendations, TÜV
- Standards: DO 178B, C (avionic); EN 50128 (railway industry); MISRA (Motor Industry Software Reliability Association); IEC 61 508 (generic); ISO 26 262 (draft 2005, forecasted publication 2007)
- (Automotive) Safety Integrity Level: SIL1 .. SIL4 / ASILx

Slide 40/48 - Open issues - 3 (section divider)

Slides 41/48 and 42/48 - Open issues 3: design for safety: how to prove it?
A steer-by-wire
[Figure: steer-by-wire vehicle; photo credit PSA Peugeot-Citroën]
- Critical functions implemented on ECUs (redundant), connected on a network (redundant)
- Probability of a critical failure occurrence < 10^-9
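A check of the 10^-9 target against the redundant architecture on this slide, added here as an example (not from the talk): the critical function is lost only if both ECUs fail or both networks fail. Failure rates, exposure time and the common-cause factor beta are constructed assumptions; the beta-factor model is the usual way of representing common-cause failures in duplicated channels, and it is what shows that redundancy alone does not reach the target.

```python
from math import exp

LAMBDA_ECU = 1e-5     # assumed failures per hour for one ECU (constructed)
LAMBDA_NET = 1e-6     # assumed failures per hour for one network (constructed)
MISSION_H = 1.0       # exposure time over which the 1e-9 target is assessed


def p_fail(rate, hours):
    """Probability that a component with constant failure rate fails within t."""
    return 1.0 - exp(-rate * hours)


def pair_failure(rate, hours, beta=0.0):
    """Probability that BOTH channels of a duplicated resource fail.
    beta-factor model: a fraction beta of the rate is attributed to
    common-cause events that take both channels down at once; the rest
    fails independently per channel (beta = 0: fully independent channels)."""
    p_independent = p_fail((1.0 - beta) * rate, hours) ** 2
    p_common = p_fail(beta * rate, hours)
    return 1.0 - (1.0 - p_independent) * (1.0 - p_common)


def critical_failure_probability(beta=0.0):
    """1 - P(no loss of the ECU pair and no loss of the network pair)."""
    ecus = pair_failure(LAMBDA_ECU, MISSION_H, beta)
    nets = pair_failure(LAMBDA_NET, MISSION_H, beta)
    return 1.0 - (1.0 - ecus) * (1.0 - nets)


def meets_target(beta=0.0, target=1e-9):
    """Does the architecture satisfy the slide's < 10^-9 critical-failure bound?"""
    return critical_failure_probability(beta) < target
```

With independent channels the duplicated ECUs and networks land near 1e-10, under the target; a 5% common-cause share already pushes the figure to about 5.5e-7, which is why the later slides ask how the proof is to be made rather than simply adding hardware.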

Slide 43/48 - Open issues 3: design for safety: how to prove it?
A steer-by-wire: safety evaluation
- On hardware components / architecture
- On software components (proof, code inspection, test coverage, etc.)
- On operational architecture: behavioral aspects (tasks, frames); vehicle response time; embedded systems response time; behavior under transient faults (EMI perturbations, overload situation, ...)

Slide 44/48 - Design for safety: how to prove it?
[Figure: front axle position versus time t. The driver requirement (hand wheel command) is plotted against what happens in fact; the gap between the two curves is the delay introduced by the embedded system.]

Slide 45/48 - (no text on the slide)

Slide 46/48 - Conclusions (section divider)

Slide 47/48 - Conclusions
- Automotive industry is dependent on software-based embedded systems
- Technological standards: AUTOSAR, MBD
- Safety assessments: standard ISO 26 262
- Integration of several points of view: tools (editors, model transformations); timing and dependability annotations; certification, verification; multi-competence experts

Slide 48/48 - Thank you