Drive by Wire

A Membership Service for a Distributed, Embedded System

Based on a Time-Triggered FlexRay Network

Martin MitzlaffRüdiger Kapitza, Michael Lang, Wolfgang Schröder-Preikschat

Ingolstadt Institute of theFriedrich-Alexander University Erlangen-Nuremberg

[email protected]

230.04.2010Martin Mitzlaff -- EDCC 2010 Industrial Track

Drive by Wire

A non functional state is not tolerable. Most parts are time-triggered

Hard real-time Dependable

Single units not dependable enough Redundancy, Fault masking

Important to know which units are onlineNeed for a Membership Service

Provides a consistent view of the fault-free units


ECU5

ECU1

ECU4

ECU2 ECU3

Brake-by-wire

Brake!


Agenda

FlexRay Membership Service Verification Evaluation


FlexRay

High-speed time-triggered bussystem De-facto standard time-triggered bussystem in the

automotive industry

Node structure:

Transceiver

CommunicationController

Host

wire

Node


Cycle-based communication:

Synchronized clocks Central bus guardian in the active star No membership service

FlexRay - Features

Cycle 0 Cycle 1 Cycle 2

Slot 0

Static Part

Slot 31 32 34

Dynamic Part Idle

33

… Cycle 63

Slot 1 Slot 2 Slot 30… Slot 29


Using FlexRay

Interrupts to synchronize access to message buffers

Interrupts disturb the applicationcycle

Application

700

Receive()

Send()2000

Fill_Sendbuffer()

2700

Send_Confimation()

Macrotick

FlexRay


Current approaches

Membership protocols for synchronous systems already exist: F. Cristian 1988 S. Katz, P. Lincoln and J.M. Rushby 1997 R. Barbosa and J. Karlsson 2006

But all are slot based Not possible in a FlexRay system

TTP/C includes a membership service (in hardware)


Round-based Approach

Slot based:

Round based:

Sending and receiving in one interval No timing requirements inside the interval

Calculation only at one point in the round

Send

Receive

Calculate


What’s a view?

View: Just a bit vector; One bit for one node

Local view: Node’s current opinion of fault-free nodes Interchanged with other nodes

Global view Former local view Verified by the local views of other nodes

ECU 1 ECU 2 ECU 8


ECU5

ECU1

ECU4

ECU2 ECU3

Integration

L

G

LL

L L

G

G G G

Round: 0123


Faulty node

ECU5

ECU1

ECU4

ECU2 ECU3

L

G

LL

L L

G

G G G

Round: 0123


Verification

Need for a fault hypothesis For FlexRay nothing published Each node and each logical communication-channel are a Fault-

Containment Region Active star guarantees that the message is transmitted to all or no

node by the communication system. [see TTP/C] Important to detect invalid messages

- Further CRC, including cycle counter A faulty host does not send membership messages. Different fault modes can be mapped to just three faults:

sending, receiving or sending&receiving fault At most one fault in two cycles

Formal proof of the latency Result: two rounds can be guarantied


Model checking

Modeling using PROMELA Verifying the model using SPIN Used results for decreasing number of states Only possible with small networks Results:

Absence of Livelocks Absence of Deadlocks New nodes do not disturb Latency of two rounds


Evaluation

Using TTTech Multi-Purpose ECU

- TriCore TC1796- Freescale MFR4300- TTTech AUTOSAR FlexRay-Stack

Vector VN3600 Special active star


0

2

4

6

8

10

12

3,5 5 10

cycle-time in [ms]

CPU

-Loa

d in

[%]

2 nodes plain2 nodes MS4 nodes plain4 nodes Ms

Evaluation Results

CPU Load:

Maximal 2,4% CPU-Load caused by membership service 2.6 kbyte ROM


Conclusion

FlexRay is the bus for drive-by-wire applications But lacks a membership service

Our Contribution:Membership service for FlexRay

Key features: Round-based approach minimal CPU load Transparent to the application

Verification by different techniques Even outside the fault hypothesis, coming back to a

consistent global view


Thank you for your attention!

Any questions?

Drive by Wire

Documents

Transcript of Drive by Wire