Landgraf-Georg-Str. 4, D-64283 Darmstadt, Germany. Schwarz is · electromechanical actuators, a...

utomotive systems are increasingly being devel-oped with integrated electronic sensors, actua-

tors, microcomputers, information processingfor single components, and engine, drive-

train, suspension, and brake systems. Thesehave matured to mechatronic systems that

are characterized by the integration of components (hard-ware) and signal-based functions (software), resulting in au-

tonomous functionality. Examples of first steps towardmechatronic systems for automobiles were the arrival of digi-tally controlled combustion engines with fuel injection in 1979and digitally controlled antilock brake systems (ABS) in 1978.Today’s combustion engines are completely microcomputercontrolled, typically with five electrical, electrohydraulic, orelectropneumatic actuators and several measured outputvariables, taking into account different operating phasessuch as startup, warming up, idling, and normal operation.The only input from the driver is generated by the accelera-tor pedal and transferred to the throttle (spark-ignition en-gines) or the injection pump (diesel engines)

This article begins with a review of electronic driver as-sisting systems such as ABS, traction control (TCS), elec-

64 IEEE Control Systems Magazine October 20020272-1708/02/$17.00©2002IEEE

©1994 PHOTODISC, INC.

Isermann ([email protected]) is with the Institut fuerAutomatisierungstechnik Technische, Universitaet DarmstadtLandgraf-Georg-Str. 4, D-64283 Darmstadt, Germany. Schwarz iswuth Continental Teves, Frankfurt 60488, Germany. Stölzl is withA.T. Kearney Gmbh, Frankfurt 60327,Germany.

tronic stability control (ESP), and brake assistant (BA). Wethen review drive-by-wire systems with and without me-chanical backup. Drive-by-wire systems consist of an oper-ating unit (steering wheel, brake pedal) with an electricaloutput, haptic feedback to the driver, bus systems, micro-computers, power electronics, and electrical actuators.For their design safety, integrity methods such as reliabil-ity, fault tree and hazard analysis, and risk classificationare required. Different fault-tolerance principles with vari-ous forms of redundancy are considered, resulting infail-operational, fail-silent, and fail-safe systems. Fault-de-tection methods are discussed for use in low-cost compo-nents, followed by a review of principles for fault-tolerantdesign of sensors, actuators, and communication. We eval-uate these methods and principles and show how they canbe applied to low-cost automotive components anddrive-by-wire systems. A recently developed brake-by-wiresystem with electronic pedal and electric brakes is thenconsidered in more detail, showing the design of the com-ponents and the overall architecture. Finally, we presentconclusions and an outlook for further development ofdrive-by-wire systems.

Recent DevlopmentsElectronic Driver-Assisting SystemsThe development of mechatronic systems for the engineand the drive train was paralleled by driver-assisting elec-tronic braking functions such as ABS, TCS (1986), ESP [1], andBA; see also [2]. In these cases the hydraulic pressure gener-ated by the driver’s brake pedal and pneumatic booster ismodulated to control the slip of single wheels (ABS) or tocontrol the drift angle of the vehicle by individual wheelbraking (ESP). If the electronic control fails, the brake sys-tems behave like conventional purely hydraulic ones. Since1945, power steering was realized by hydraulic supportingenergy, but electrical power steering for lightweight vehi-cles that came on the market in 1996 no longer required spe-cial hydraulic circuits and auxiliary pumps [3]. In all cases,the direct mechanical linkage with the steering wheel andthe driver action was retained.

Drive-by-Wire Systemswith Mechanical BackupSince 1986, the engine has been increasingly manipulatedby an electronic pedal and electrically driven throttle orinjection [4], [5], representing the first drive-by-wire com-ponents. In this case, a “limp home” function after elec-tronic failure is possible because the throttle springsystem provides a reduced engine speed (e.g., 1,200rpm). Hence, the system is rendered fail-safe by the me-chanics. Other mechatronic units within the power trainwere developed for the automatic transmission with hy-draulic torque converter and microcomputer-controlledgear shift.

Drive-by-Wire SystemsWithout Mechanical BackupThe approaches taken for successful fly-by-wire systems andthe positive experience with the automotive drive-by-wiresystems with mechanical backup for the engine and drivetrain and the electronic driver assistance systems for brakingand power steering are the basis for the development of com-plete drive-by-wire systems without mechanical backup forbraking, steering, and higher-level driver-assisting functions.The disadvantages of mechanical backup systems are thatthey are costly, heavy, passive safety-critical (steering col-umn, brake pedal), and do not provide enough freedom to tapthe potential of the electrical systems. Drive-by-wire systemswithout mechanical backup generate electrical commandsthrough the driver and transfer them to computer-controlledelectromechanical actuators, a scheme that is usually notfail-safe but has fault-tolerant properties.

Higher-Level Automotive ControlA recent development in higher-level control is adaptivecruise control (ACC), also called intelligent cruise control(ICC), where the vehicle either follows a preceding vehiclewith distance measurement and control or follows adriver-set reference value as in classical speed control (see[6] and [7]). In this case electrical commands have to begiven to an electrical throttle or to the brake booster. Sev-eral research automobiles have sensors to assess the roadsituation (e.g., cameras) and computerized autopilots [8],or for automatic platooning systems, like those pioneeredin the California PATH program [9], [10].

This short summary of recent developments shows thatfrom the viewpoints of increased active safety and auto-mated driving, there is a clear demand for drive-by-wire sys-tems, which include the powertrain, braking, and steering.These systems are also called x-by-wire systems, where xstands for the commanded action. Fig. 1 shows the hazard se-verity of failures for different electronic (and electrical) driv-ing systems [11]. Clearly, the hazard severity of drive-by-wirecontrol systems for vehicles increases considerably.

Drive-by-Wire Structures with andWithout Mechanical BackupThe progression from drive-by-wire systems with mechani-cal backup to those without mechanical backup or fail-safeby mechanics is a large one because of the lower reliabilityand different fault behavior of electronic and electrical com-ponents compared to mechanical components. Therefore,fault-tolerant electronic systems have to be incorporated tomeet the high safety requirements.

Fig. 2 shows the general signal flow diagram of adrive-by-wire system in more detail. The driver’s operatingunit (steering wheel, braking pedal) has a mechanical input(e.g., torque or force) and an electrical output (e.g., bus pro-tocol). The system contains sensors and switches for posi-tion and/or force, microelectronics, and either a passive

October 2002 IEEE Control Systems Magazine 65

(spring-damper) or active (electrical actuator) feedback togive the driver haptic information (“pedal feel”) on the ac-tion. A bus connects to the brakes or steering control sys-tem. This control system consists of power electronics,electrical actuators, brake or steer mechanics, with sensorsor reconstructed variables and a microcomputer for actua-tor control, brake or steer function control, supervision,and various types of management (e.g., fault tolerance withreconfiguration, optimization).

Each of the sensors, electronics, buses, power electron-ics, high-power actuators, and microcomputers must befault tolerant with regard to at least one safety-critical fail-ure. Therefore, a safety integrity analysis and methods offault tolerance are basic issues for drive-by-wire systems.

Safety Integrity Analysis MethodsDrive-by-wire systems are safety-related systems. Therefore,all aspects of reliability, availability, maintainability, andsafety (RAMS) have to be considered because they are rele-vant for manufacturer liability and customer acceptability.To meet safety requirements, special procedures were devel-oped in technical disciplines such as railway, aircraft, space,military, and nuclear systems. These procedures are coveredby the terms system integrity or system dependability.

The various kinds of safety requirements lead to differentlevels of integrity of safety-related systems, from the lowestto highest requirements. In this context, “integrity” is moreprecisely termed “safety integrity” with the following defini-tion: “Safety integrity is the probability of a safety-related

system satisfactorily performing the required safety func-tions under all the stated conditions within a stated periodof time” [12].

Safety and reliability are generally achieved by a combi-nation of

• fault avoidance• fault removal• fault tolerance• fault detection and diagnosis• automatic supervision and protection.Fault avoidance and removal has to be accomplished

mainly during the design and testing phase. For investigat-ing the effect of faults on the reliability and safety during thedesign phase and also for type certification, a range of analy-sis methods have been developed. They include

• reliability analysis• event tree analysis (ETA) and fault tree analysis (FTA)• failure mode and effects analysis (FMEA)• hazard analysis (HA)• risk classification.

For details see [12]-[14].These known methods can now be combined appropri-

ately. Fig. 3 shows an overall scheme. The FMEA identifies allcomponents, failures, causes, and effects. The single fail-ures proceed to an FTA to determine the causes and theirlogical interconnections on a component level. The failurecauses are then used to design the overall reliability. Re-maining failures that cannot be avoided are then classifiedand the maintenance procedure determined.

Based on the FMEA, the hazardanalysis extracts safety-criticalfailures. Their presentation in a(reduced) fault tree determinesthe causes with logical intercon-nections [15] (i.e., dangerousfaults leading to hazards). Basedon this, the safety system at lowerlevels can be designed. The re-maining dangerous failures thenundergo a risk classification andsupervision and safety methodsto reduce the risk to an acceptablemeasure are determined.

Herewith a hazard risk number

R C F FH OP= × ×

can be used, where C is the con-sequence (severity) of hazard,FH is the frequency (probability)of hazard, and FOP is the fre-quency of operation state (com-pare [12], [16]).

In general, fault-tolerancemethods have to be implemented

66 IEEE Control Systems Magazine October 2002

High

HazardSeverityof Failure

Low

Medium

Autopilot

Copilot

Pilot

SBW CA

ABS

ASRTBWEPS

ESP

EPStEHB

ACCBA

EMB

ABSACCBACAEHBEMBESP

1970 1980 1990 2000 2010 Year

Antilock BrakingAdaptive Cruise ControlBrake AssistCollision AvoidanceElectrohydraulic Brake SystemElectromechanical Brake SystemElectronic Stability ProgramElectric Driver-Assisting Systems

Higher-Level Control System

EPSEPStSBWTBWTCS/ASR

Electropneumatic Shifting (Trucks)Electrical Power SteeringSteer-by-WireThrottle-by-WireTraction Control System

Drive-by-Wire-Systems

Figure 1. Hazard severity of failures (qualitative) in electronic driver-assisting systems,drive-by-wire systems, and higher-level control systems.


Mechanical/ElectronicPedal

HapticActuator

DriverMechan.Pedal/Wheel

Electr.Power 1

Electr.Power 2

Sensors

HapticFeedback

Pedal/Wheel

Electronics

Low Energy Level

High Energy Level

Manage-ment

Supervisor

Brake/Steer

Control

ActuatorControl

Bus-System

Microcomputer

Brake/SteerControlSystem

Sensors

PowerElectronics

Electr.Actuator

Brake/Steer

Mechan.Vehicle

TD TA TWωD ωA ωW

UI

Figure 2. Basic signal flow diagram of drive-by-wire systems.

Failure Modesand EffectsAnalysis for AllComponents(Detection ofPossible ComponentFailure andTheir Consequencesfor the System)

FMEA

ReliabilityFault-Tree Analysis

R-FTA

ReliabilityDesign

ReliabilityClassification

MaintenanceProcedures

Hazard AnalysisHA

SafetyFault-Tree Analysis

S-FTA

SafetyDesign

Lower Levels

Risk Classification(Accidents)

Supervisory andSafety Methods(Higher Levels)

All PossibleSystem Failures

All ComponentFaultsCausingUnreliability

RemainingFailures

UnavoidableFailures

FaultTolerantDesign

Safety-CriticalSystem Failures

All ComponentFaultsCausingHazards

RemainingDangerousFailures

UnavoidableDangerousFailures

Extraction ofSafety-CriticalFailures fromFMEA

Extraction ofSafety-CriticalFailures withLogic Causalities

Designand

TestingPhase

OperationPhase

Figure 3. Integrated design procedures for system reliability and safety to result in high system integrity.

at the component and unit levels to improve both reliabilityand safety, especially by reducing FH . Fig. 3 summarizes theintegrated reliability and safety procedure during the designand testing phases.

The unavoidable failures have to be covered by mainte-nance and online supervision and safety methods duringoperation, including fault tolerance, protection and super-vision with fault detection and diagnosis, and appropriatesafety actions. These methods are discussed in the follow-ing sections.

Fault-Tolerant DesignAfter applying reliability and safety analysis methods dur-ing design and testing, as well as corresponding quality con-trol methods during manufacturing, certain faults andfailures still cannot be avoided totally. Therefore, theyshould be tolerated by additional design efforts. Hence,high-integrity systems must have, to the extent possible,the ability for fault tolerance. This means that faults arecompensated in such a way that they do not lead to systemfailures. The most obvious way to reach this goal is redun-dancy in components, units, or subsystems. However, theoverall systems then become more complex and costly. Inthis section various types of fault-tolerant methods are re-viewed briefly.

Fault Tolerance for ComponentsFault-tolerance methods generally use redundancy. Thismeans that in addition to the considered module, one ormore modules are connected, usually in parallel. These re-dundant modules are either identical or diverse. Such re-dundant schemes can be designed for hardware, software,information processing, and mechanical and electrical com-

ponents (sensors, actuators, microcomputers, buses,power supplies, etc.).

Basic Redundant StructuresThere are two basic approaches for fault tolerance: static re-dundancy and dynamic redundancy. The correspondingconfigurations are first considered for electronic hardwareand then for other components.

Fig. 4(a) shows a scheme for static redundancy. It usesthree or more parallel modules that have the same input sig-nal and are all active. Their outputs are connected to a voterthat compares these signals and decides by majority whichsignal value is the correct one. If a triple-redundant modularsystem is applied, and a fault in one of the modules gener-ates a wrong output, this faulty module is masked (i.e., nottaken into account) by the two-out-of-three voting. Hence, asingle faulty module is tolerated without any effort for spe-cific fault detection. n redundant modules can tolerate( ) /n −1 2 faults (n odd).

Dynamic redundancy requires fewer modules at the costof more information processing. A minimal configurationconsists of two modules, Fig. 4(b) and (c). One module isusually in operation, and if it fails, the standby or backupunit takes over. This requires fault detection to observe ifthe operational modules become faulty. Simple fault-detec-tion methods use the output signal only for consistencychecking (range of the signal), comparison with redundantmodules, or use of information redundancy in computerssuch as parity checking or watchdog timers. After fault de-tection, it is the task of the reconfiguration to switch to thestandby module and to remove the faulty one.

In Fig. 4(b) the standby module is continuously operating,a method called “hot standby.” This results in a short transfer

time, but at the cost of operational aging(wear-out) of the standby module.

Dynamic redundancy, where thestandby system is out of function anddoes not wear, is shown in Fig. 4(c) andis called “cold standby.” This arrange-ment requires two additional switchesat the input and more transfer time dueto a startup procedure. For bothschemes, the performance of the faultdetection is essential.

Redundant schemes similar to thosefor electronic hardware exist for soft-ware fault tolerance. Here we mean tol-erance against mistakes in coding orerrors in calculation. The simplest formof static redundancy is repeated run-ning ( )n ≥ 3 of the same software andmajority voting for the result. However,this is only suitable for some transientfaults. As software faults generally aresystematic and not random, duplica-


Modules

Modules

1

2

3

n

xi

xi

xi

(a)

Voterxo

xo

xo

Modules

1

2

FaultDetection

FaultDetection

Recon-figuration

Recon-figuration

(b)

1

2

(c)

Figure 4. Fault-tolerant schemes for electronic hardware. (a) Static redundancy: multipleredundant modules with majority voting and fault masking, m out of n systems (all modulesare active); (b) dynamic redundancy: standby module that is continuously active (hotstandby); and (c) dynamic redundancy: standby module that is inactive (cold standby).

tion of the same software is not sufficient. Therefore, the re-dundancy must include diversity of software, such as otherprogramming teams, other languages, or other compilers.With n ≥ 3 diverse programs, a multiple redundant systemcan be established, followed by majority voting, as in Fig.4(a). However, if only one processor is used, calculation timeis increased, and using n processors may be too costly.

Dynamic redundancy using standby software with di-verse programs can be realized by using recovering blocks.This means that, in addition to the main software module,other diverse software modules exist [13], [17].

Fault tolerance can also be designed for purely mechani-cal and electrical systems. Static redundancy is often usedin all types of homogeneous and inhomogeneous materials(e.g., metals and fibers) and in special mechanical construc-tions such as lattice structures, spoke-wheels, and dualtires, or in electrical components with multiple wiring, mul-tiple coil windings, multiple brushes for dc motors, and mul-tiple contacts for potentiometers. This natural built-in faulttolerance is generally characterized by a parallel configura-tion. However, the inputs and outputs are not signals butforces, electrical currents, or energy flows, and a voter doesnot exist. All elements operate in parallel, and if one elementfails (e.g., by breakage), the others take over a higher forceor current, following the physical laws of compatibility orcontinuity. Hence, this is a kind of “stressful degradation.”Mechanical and electrical systems with dynamic redun-dancy, as depicted in Fig. 4(b) and (c), can also be built. Forthe most part, only cold standby is meaningful.

Fault tolerance with dynamic redundancy and coldstandby is especially attractive for mechatronic systemswhere more measured signals and embedded computersare already available, and therefore fault detection can beimproved considerably by applying process-model-basedapproaches. Table 1 summarizes the appropriate fault-toler-ance methods for the case of electronic hardware.

Redundant Structures forDrive-by-Wire ComponentsMainly because of cost, space, and weight, a suitable com-promise between the degree of fault tolerance and the num-

ber of redundant components has to be found for automo-tive drive-by-wire systems. In contrast to fly-by-wire sys-tems, only a single failure must be tolerated (presently) forhazardous cases [18], mainly because a safe state can bereached easier and faster. This means that not all compo-nents require stringent fault-tolerance requirements. Thefollowing degradation steps are distinguished.

• Fail-operational (FO): One failure is tolerated (i.e., thecomponent stays operational after one failure). Thisis required if no safe state exists immediately after thecomponent fails.

• Fail-safe (FS): After one (or several) failure(s), thecomponent directly reaches a safe state (passivefail-safe, without external power) or is brought to asafe state by a special action (active fail-safe, with ex-ternal power).

• Fail-silent (FSIL): After one (or several) failure(s), thecomponent exhibits quiet behavior externally (i.e.,stays passive by switching off) and therefore does notwrongly influence other components.

For vehicles, it is proposed to subdivide FO into “longtime” and “short time.” Considering these degradationsteps for various components, one must first check if a safestate exists. For automobiles (usually), a safe state isstandstill (or low speed) at a nonhazardous place. For auto-mobile components, a fail-safe status is (usually) a mechani-cal backup (i.e., a mechanical or hydraulic linkage) fordirect manipulation by the driver. Passive fail-safe is thenreached after the failure of electronics if independent of theelectronics the vehicle comes to a stop (e.g., by a closingspring in the throttle or by actions of the driver via mechani-cal backup). However, if no mechanical backup exists afterfailure of the electronics, only an action by other electronics(switch to a still-operating module) can bring the vehicle (inmotion) to a safe state (i.e., to reach a stop through activefail-safe). This requires the availability of electric power.

Generally, graceful degradation is envisaged where lesscritical functions are dropped to maintain the more criticalfunctions, based on priorities [12]. Table 1 shows degrada-tion steps to fail-operational for different redundant struc-tures of electronic hardware. As the fail-safe status depends


Static Redundancy Dynamic Redundancy

Structures Number ofElements

ToleratedFaults

Fail Behavior ToleratedFailures

Fault Behavior DiscrepancyDetection

Duplex 2 0 F 0 F two comparators

1 FO-F fault detection

Triplex 3 1 FO-F 2 FO-FO-F fault detection

Quadruplex 4 1 FO-F 3 FO-FO-FO-F fault detection

Duo-Duplex 4 1 FO-F — — —

FO: fail-operational; F: fail.

on the controlled system and the kind of components, it isnot considered here.

For flight-control computers, a triplex structure with dy-namic redundancy (hot standby) is typically used, whichleads to FO-FO-FS, such that two failures are tolerated and athird one allows the pilot to operate manually. If the fault tol-erance has to cover only one fault to stay fail-operational(FO-F), a triplex system with static redundancy or a duplexsystem with dynamic redundancy is appropriate. If fail-safecan be reached after one failure (FS), a duplex system withtwo comparators is sufficient. However, if one fault has to betolerated to continue fail-operational and after asubsequent fault it is possible to switch to fail-safe (FO-FS),either a triplex system with static redundancy or a duo-du-plex system may be used. The duo-duplex system has theadvantages of simpler failure detection and modularity.

Fault Tolerance for Control SystemsFor automatically controlled systems, the appearance offaults and failures in the actuators, the process, and the sen-sors will usually affect the operating behavior. Withfeedforward control, generally all small or large faults influ-ence the output variables and thus the operation.

If the system operates with feedback control, small additiveor multiplicative faults in the actuator or process are coveredby the controller because of usual robustness properties. This

property is therefore a passive controller fault tolerance. How-ever, additive and gain sensor faults will immediately lead todeviations from the reference values. For large changes in ac-tuators, process, and sensors, the dynamic control behaviorbecomes either too sluggish, too underdamped, or even unsta-ble. Then either a very robust control system or an activefault-tolerant control system is required to save the operation.In the latter case, it consists of fault-detection methods and re-configuration mechanisms that modify the controller. De-pending on the type of faults, the reconfiguration may changethe structure and/or parameters of the controller. This canalso include changes to other manipulated variables or actua-tors or sensors, if available.

Examples include fault-tolerant flight control with recon-figuration to other control surfaces after failure of actuatorsor ailerons, elevators, and rudders (see [19]-[22]). For fail-ures in the satellite altitude control system, see [23]. Fail-ures in heat exchangers are treated in [24] and fault-tolerantcontrol for lateral vehicle control in [25].

Fault Detection for Sensors,Actuators, and MechatronicServo SystemsFault-detection methods based on measured signals can beclassified as follows:


Signal-BasedFault Detection

ActuatorsU

Faults

Process Sensors

N

Y

ProcessModel

FeatureGeneration

ThresholdPlausibility

Check

VibrationSignalModels

Process-Model-Based

Fault Detection

Change DetectionNormal Behavior

r x, , FeaturesΘ

Fault Diagnosis

s Analytical Symptoms

f Diagnosed Faults

Figure 5. General scheme of process-model-based and signal-based fault detection.

• limit value checking(thresholds) and plau-sibility checks (ranges)of single signals

• signal -model -basedmethods for single pe-riodic or stochasticsignals

• process-model-basedmethods for two or morerelated signals.

Fig. 5 shows a scheme forthese methods. For a descrip-tion of the various methods,refer to the literature (e.g.,the special section in [26] or[27]-[29]).

To obtain specific symp-toms, it is necessary to havemore than one input and oneoutput signal for parity equa-tions or output observers.For parameter estimation,one input and one output maybe sufficient. Because of thevarious properties, different methods should be combinedto obtain broad fault detection coverage [30], [31]. Some ap-plication cases of fault detection and diagnosis are:

1) online testing in manufacturing (quality control)2) online testing during service3) online, real-time supervision during operation

(on-board).The first two cases generally require a detailed fault diag-

nosis with classification or inference methods and can beapplied if computationally feasible. However, for the thirdcase, fault-detection capability usually is sufficient forfault-tolerant systems. A fault diagnosis is not necessarilyrequired. However, diagnosis capability is advantageous forgeneral online supervision. Especially for on-board applica-tions in automobiles, the allowable computations are verylimited, which restricts the fault detection to methods withfewer computations on microcomputers; see [32]. Further-more, the fault-detection methods must be transparent andeasy to understand, must function reliably for the differentoperating conditions, must use only few measured signals,and must require little effort for modeling. Maintenance ef-fort and easy transfer to modified components are also im-portant issues.

Fault-Tolerant Components forDrive-by-Wire SystemsThe discussion of high-integrity systems and drive-by-wiresystems shows that a comprehensive overall fault-tolerancedesign can be obtained by fault-tolerant components andfault-tolerant control. This means designing fault-tolerant

• sensors• actuators• process parts• computers• communication (bus systems)• control algorithms.Examples of components with multiple redundancy exist

for aircraft, space, and nuclear power systems. However,


X1

X1

X0X0

X0

X1

X1

X1

X1

X1

(a)

Voter

Sensor1

Sensor1

Sensor1

Sensor2

Sensor2

Sensor2

Sensor3

PlausibilityCheck

FaultDetection

Recon-figuration

Recon-figuration

(c)

(b)

Figure 6. Fault-tolerant sensors with hardware redundancy. (a) Triplex system with staticredundancy and hot standby, (b) duplex system with dynamic redundancy, and (c) duplex system withdynamic redundancy, hot standby, and plausibility checks.

u

u

G1

G1

GM1

G2

(a)

Sensory1

Sensory2

Sensory1

y1

y2

y1

^y1

^y1u

GM 1

GM 2

Sensoru

Process

Process

(b)

Process Model

Process Models

Figure 7. Sensor fault tolerance for one output signal y1 (mainsensor) through analytical redundancy by process models (basicschemes): (a) two measured outputs, no measured input and (b) onemeasured input and one measured output.

lower cost components with built-infault tolerance have to be developed.The following sections describe exam-ples from the automotive area, in addi-tion to examples from other fields.

Fault-Tolerant SensorsA fault-tolerant sensor configurationshould be at least fail-operational (FO)for one sensor fault. This can be ob-tained by hardware redundancy withthe same type of sensors or by analyti-cal redundancy with different sensorsand process models.

Hardware Sensor RedundancySensor systems with static redundancyare realized with a triplex system and avoter (Fig. 6(a)). A configuration withdynamic redundancy needs at least twosensors and a fault detection for eachsensor (Fig. 6(b)). Usually only hotstandby is feasible. Another less power-ful possibility is to use plausibilitychecks for two sensors, as well as usingsignal models (e.g., variance) to selectthe more plausible one.

The fault detection can be per-formed by self-tests (e.g., by applying aknown measurement value to the sen-sor). Another way is to use self- validat-ing sensors [33], [34], where thesensor, transducer, and a microproces-sor form an integrated, decentralizedunit with self-diagnostic capability.The self-diagnosis takes place withinthe sensor or transducer and uses sev-eral internal measurements. The out-put consists of the sensor’s bestestimate of the measurement and a va-lidity status, such as good, suspect, im-paired, bad, or critical.

Analytical SensorRedundancyAs a simple example, we consider a pro-cess with one input and one main outputy1 and an auxiliary output y2 (see Fig.7(a)). Assuming the process input signalu is not available but two output signalsy1 and y2, which both depend on u, areavailable, one of the signals (e.g., $y1) canbe reconstructed and used as a redun-dant signal if process models GM 1 andGM 2 are known and significant distur-bances do not appear (ideal cases).


Process

Process

u

u

G1

G1

G2

G2

Sensoru

Sensoru

GM1

GM1

GM2

Sensory1

Sensory1

Sensory2

Sensory2

y2

y2

y1

y1

^y1

^y1u

^y1u

^y2u

^y1

GM 1

GM 1

GM 2

GM 2

ProcessModels

ProcessModels

ProcessModel

Votery1FT

y1FT

y2FT

u3FT

(a)

(b)

Residual Generation andDecision Logic

r1

r2

r3

+

+

+

–

–

–

Figure 8. Fault-tolerant sensors with combined analytical redundancy for two measuredoutputs and one measured input through (analytical) process models: (a) y1 is mainmeasurement, y u2, are auxiliary measurements (combination of Fig. 7(a) and (b)) and (b)y y1 2, , and u are measurements of same quality (parity equation approach).

Ui

Ui

U1

U1

U2

U2

U3

U3

Uo

Uo

SensorUo

SensorUo

SensorU3

SensorU3

SignalTransformer(Amplifier)

ActuationConverter

(Motor)

ActuationTransformer

(Gear)

ActuationElement(Valve)

(a)

Motor 1

Motor 2(b)

Figure 9. Fault-tolerant actuator: (a) common actuator and (b) actuator with duplex drive.

For a process with only one output sensor y1 and one in-put sensor u, the output $y1 can be reconstructed if the pro-cess model GM 1 is known (Fig. 7(b)). In both cases, therelationship between the signals of the process are used andexpressed in the form of analytical models.

To obtain one usable fault-tolerant measurement valuey FT1 , at least three different values for y (e.g., the measuredone and two reconstructed ones) must be available. Thiscan be obtained by combining the schemes of Fig. 7(a) and(b) as shown in Fig. 8(a). A sensor fault y1 is then detectedand masked by a majority voter, and either $y1 or $y u1 is usedas a replacement, depending on afurther decision. (Also, single sen-sor faults in y2 or u are toleratedwith this scheme.)

One example of this combinedanalytical redundancy is the yawrate sensor for the ESP, where thesteering wheel angle is also used asinput to reconstruct the yaw ratethrough a vehicle model, as in Fig.7(b), and the lateral accelerationand the wheel speed differencebetween the right and left wheels(no slip) are used to reconstruct theyaw rate according to Fig. 7(a) [35].

A more general fault-tolerant sen-sor system can be designed if twooutput sensors and one input sensoryield measurements of same quality.Then, according to the schemeshown in Fig. 8(b), three residualscan be generated, and by decisionlogic, fault-tolerant outputs can beobtained in the case of single faults ofany of the three sensors. The residu-als are generated based on parityequations. In this case, state observ-ers can be used for residual genera-tion; compare, for example, thededicated observers of [36]. (Notethat all schemes assume ideal cases.For realizibility constraints of the in-verted models, additional filtershave to be considered.)

If possible, a faulty sensor shouldbe fail -silent (i.e. , should beswitched off); however, this requiresadditional switches, which lowersthe reliability. For both hardwareand analytical sensor redundancywithout fault detection for individ-ual sensors, at least three measure-ments must be available to makeone sensor fail-operational. How-

ever, if the sensor (system) has built-in fault detection (inte-grated self-test or self-validation), two measurements areenough and a scheme like the one in Fig. 6(b) can be applied.(This means that by methods of fault detection, one elementcan be saved.)

Fault-Tolerant ActuatorsActuators generally consist of different parts: input trans-former, actuation converter, actuation transformer, and actua-tion element (e.g., dc amplifier, dc motor, gear and valve, asshown in Fig. 9(a)). The actuation converter converts one type


Spring

GearCommutator Permanently Excited

dc Motor

ManipulatedVariable(Armature Voltage)

Throttle Valve

PotentiometersElectricalConnector

MeasuredVariables

A

ϕ1Kϕ2K

UA

Figure 10. Scheme of an electromechanical throttle valve actuator.

Table 2. Process parameter deviations for different actuator faults.

Features→ Parameter Estimates

Faults↓ RA Ψ c e0 J cf M R 1 M R 0

F1 incr. spring pretension 0 0 0 0 0 0 +

F2 decr. spring pretension 0 0 0 0 0 0 −

F3 commutator shortcut − − 0 + + + 0

F4 arm. winding shortcut 0 − 0 + + + 0

F5 arm. winding break + − 0 0 + + +

F6 add. serial resistance + 0 0 0 0 0 0

F7 add. parallel resistance − − 0 0 + + 0

F8 increased gear friction 0 0 0 + + + 0

F9 offset fault U A 0 0 +/− 0 0 0 0

F10 offset fault I A 0 0 +/− 0 0 0 −/+

F11 offset fault ϕk 0 0 0 0 0 0 −/+

F12 scale fault U A +/− +/− +/− +/− +/− +/− +/−

F13 scale fault I A −/+ 0 0 +/− +/− +/− +/−

F14 scale fault ϕk 0 −/+ 0 −/+ −/+ −/+ −/+

0: no significant change; +: large increase; −: large decrease.

of energy (e.g., electrical or pneumatic) into another (e.g., me-chanical or hydraulic). Available measurements are frequentlythe input signalUi, manipulated variableU0 , and intermediatesignal U3.

Fault-tolerant actuators can be designed by using multi-ple complete actuators in parallel, with either static redun-dancy or dynamic redundancy with cold or hot standby(Fig. 4). One example of static redundancy is hydraulic ac-tuators for fly-by-wire aircraft, where at least two inde-pendent actuators operate with two independent hydraulicenergy circuits.

Another possibility is to limit the redundancy to parts ofthe actuator that have the lowest reliability. Fig. 9(b) shows

a scheme where the actuation converter (motor) is split intoseparate parallel parts. Examples with static redundancyare two servo valves for hydraulic actuators [37] or threewindings of an electrical motor (including power electron-ics) [38]. Within electromotor-driven throttles for spark-ig-ition engines, only the slider is doubled to make thepotentiometer position sensor static redundant.

An example of dynamic redundancy with cold standby isthe cabin pressure flap actuator in aircraft, where two inde-pendent dc motors exist and act on one planetary gear [32].

As cost and weight generally are higher for them than forsensors, actuators with fail-operational duplex configurationare preferred. Then either static redundant structures, where

both parts operate continu-ously (Fig. 4(a)), or dynamicredundant structures with hot(Fig. 4(b)) or cold standby(Fig. 4(c)) can be chosen. Fordynamic redundancy, fault-de-tection methods for the actua-tor parts are required [39].One goal should always bethat the faulty part of the actu-ator fails silent, i.e., has no in-fluence on the redundantparts. Fault-tolerant commu-nication systems are treatedin [40]-[43].

Example of theDiagnosis andSensor FaultTolerance of anElectrical ThrottleActuatorThe described methodologyfor fault detection and faulttolerance will now be demon-strated for an electrome-chanical throttle valve, oneof the first drive-by-wire com-ponents introduced.

Fault Detection andDiagnosis of theActuatorFig. 10 shows the scheme of athrottle-valve actuator. A per-manently excited dc motorwith gear acts on the throttleagainst a spring. The motor isdriven by a pulsewidth-modu-lated (PWM) armature voltageU A and armature current I A.The angular position ϕk is re-


UG11 G12

SensorUA

ArmatureCircuit Sensor

IA

Electro-mechanics

Sensorϕk1

Sensorϕk2

GM1

IA

UAProcessModel

Residual Generationand Decision Logic

ϕ1k

ϕ2k

^1ϕ k

ϕ1kFT

ϕ2kFT

ddt

+–

+–

r1

r2

Figure 11. Fault-tolerant double position sensors for an electromechanical throttle valve.

Failure of Sensor ϕ1K

Control with ϕ1K Control with ϕ2K

100

50

0

Ref

eren

ceV

aria

ble

Con

trol

Var

iabl

e

ϕϕ

ϕ°

KW

KK

,,

[]

12

Adaptive Threshold[ ( )]ƒ ϕKW t

0

0

0

0

0.5

0.5

0.5

0.5

1

1

1

1

1.5

1.5

1.5

1.5

2

2

2

2

2.5

2.5

2.5

2.5

3

3

3

3

Control Var. ϕ1KControl Var. ϕ1K

Control Var. ϕ2K Ref. Var. ϕKW

(Stuck)

10

5

0

0

–10

–5

0

–20

–40

Arm

atur

eV

olta

ge [V]

UA

Res

idua

l–

[V]

r 2

ϕϕ °

12

1K –

K[

]r

Adaptive Threshold

r Unfiltered

Time [s]100 ms

Figure 12. Closed-loop position control behavior after stuck fault of the first sensor ϕ1k, faultdetection, and reconfiguration with the second sensor ϕ2k.

dundantly measured by twopotentiometers, ϕK 1 and ϕK 2,within 0-90°. Three measuredvariables U tA( ), I tA( ), andϕK t( ) are available. Two differ-ential equations are used.

Armature circuit:

U t R I t tA A A A( ) ( ) ( )= + Ψω(1)

Electromechanical part:

ν ω

νϕ

ω

J t I t

c t M

M

k A

F k

R A

& ( ) ( )

– ( ( ) )

– .

=

+

Ψ1

0

1 (2)The symbols used areω ϕk k= & : throttle angular

speedJ: ratio of motor inertiaRA: armature resistancecF : spring constantΨ: flux linkageM 0 :CoulombfrictiontorqueM R 1: viscous frictiontorque.By applying continuous-

time parameter estimationwith state-variable filtering to obtain the signal derivatives,the following model parameters were estimated:

p R c J c M MA F R= [ , , , , , , ]ψ oe 1 0 , (3)

where coe is a dc value.In addition to fault detection by parameter estimation,

two parity equations are used for fault detection of the sen-sors ϕ1k and ϕ2k :

r t t tk k1 1 2( ) ( ) ( )= −ϕ ϕ (4)

r t t

t U t R I tt k k

k A A A

2 1 1

1

( ) [& ( ) &$ ( )]

& ( ) ( ) ( )

= −

= − +

Ψ

Ψ

ν ϕ ϕ

νϕ . (5)

The first residual r1 directly indicates discrepancies be-tween the potentiometer outputs, and r2 uses analytical redun-dancy through the electromagnetic dc motor model to predictthe output &$ϕ1k based on measurements U tA( ) and I tA( ).

Table 2 shows the obtained parameter deviations assymptoms through parameter estimation with excitation ofthe closed-loop position control using a pseudo-random bi-nary signal (PRBS). Nearly all faults generate different symp-tom patterns, except F11 and F1, F2. The symptom patternsfor the process parameter faults F1 through F8 show betterisolation than for the offset sensor faults. Therefore, faultsF1 through F8 are detected by parameter estimation andsensor faults F9 through F14 by parity equations. Hence, by

combining both fault-detection methods, many differentfaults are detectable; see [31].

For fault diagnosis, a fault-symptom tree based on fuzzy-logic decision was developed. A special test signal with full-range slow inputs and fast input changes (PRBS) is used totest all types of faults within a time period of about 8 s [44].

Fault-Tolerant Position SensorsThe two parity equations are now used to obtain a fault-tol-erant position sensor system for the actuator. Fig. 11 depictsthe applied fault detection and sensor fault-tolerancescheme, which corresponds to Fig. 8(b). Based on the resid-ual deviations indicated in Table 3, sensor offset faults ofboth potentiometers can be isolated. This is used to con-nect the healthy sensor to the position controller. (Note thathere, in contrast to Fig. 6(a), two redundant sensors areused and a third sensor output is calculated from the sensorsignals U tA( ) and I tA( ) of the dc motor applying analytical


WheelFR

WheelFL

WheelFR

WheelRR

ωWheel FR

ωWheel FL ωWheel RL

ωWheel RR

Fail-Safe WheelBrake Module FR

Fail-Safe WheelBrake Module RR

Fail-Safe WheelBrake Module FL

Fail-Safe WheelBrake Module RL

Fail-SilentWheel Brake

C FLµ


C RRµ


C FLµ


C RLµ

Actuator FL Actuator RL

Actuator FR Actuator RR

Power 2

Power 1

Power 1

Power 1

Power 2

CockpitPower 1

Power 2

RedundantCommunication

MasterControllerModule

Fail-SilentMaster

Controller

Fault-TolerantPedal

Electronics

WheelRL

Brake PedalModule

PS 1 PS 2 PS 3

Figure 13. Brake-by-wire architecture.

Table 3. Residual deviations for parity equations.

Residuals→ r1 r2

Faults↓

Offset sensor +∆ϕ1k + +

Offset sensor +∆ϕ2k − 0

Faults in armature circuit 0 +/−

redundancy.) Table 3 shows that if only r2 changes, faults inthe armature circuit can be detected.

In Fig. 12, the closed-loop position control behavior withthe throttle valve is shown for the case where sensor ϕ1k

sticks at t = 0 2. s during a ramp change of the position refer-ence variable. Residuals r1 and r2 both deviate, indicating afault in sensor ϕ1k . After 100 ms, the residual r2 exceeds the(adaptive) threshold, the controller is switched to sensorϕ2k , and after an additioanl 200 ms, the throttle anglereaches its reference variable again [44]. In practice, thiswould mean a short additional increase in vehicle speed andan alarm to the driver with further hints (e.g., to visit a ser-vice station).

An Example Brake-by-Wire SystemA brake-by-wire system without mechanical backup is de-scribed as an example of the development of fault toleranceand supervisory functions for a drive-by-wire system. Theversion illustrated is a prototype electrical brake system, re-cently developed by Continental Teves, Frankfurt, Germany,partially in cooperation with the authors [45], [46]; see also[47] and [48].

The brake-by-wire system consists of four electrome-chanical wheel brake modules with local microcomputers,an electromechanical brake pedal module, a duplex commu-nication bus system, and a central brake management com-puter (Fig. 13).

The chosen overall structure is the result of an FMEA andhazard analysis. Fault tolerance with duplex systems is im-plemented for the wheel brake controllers, the bus commu-nication, the brake management computer, and the powersupply; however, the brake pedal contains internally higherredundancy because of its central function.

Electromechanical BrakeThe design of the electromechanical wheel brake is drivenby the demand for high electromechanical efficiency, mini-mized space, lightweight construction, and robustnessagainst rough environmental conditions. Fig. 14 shows thebasic construction [45].

A generalized four-pole model of the electromechanicalbrake (EMB) is depicted in Fig. 15. The current is controlledby power electronics. The dc motor’s torque is convertedby the spindle gear into a friction force at the disk, which re-sults in a braking force. To compensate for the large parame-


dc Motor

Caliper

Brake Pad

Spindle

Figure 14. Prototype of an electromechanically actuated wheelbrake by Continental Teves.

TemperatureWear

TemperatureWear

TemperatureWear

Medium

TemperatureAbrasionMedium

Electromechanical Parameter(e.g., Coil Resistance,

Friction)

Mechanical Parameter(e.g., Friction,

Stiffness)

Mechanical Parameters(e.g., Friction,

Stiffness)

Mechanical Parameters(e.g., Friction)

( -Slip Parameters)µEffects

Influencing Variables

U

I

ElectromechanicalActuator Gear

FrictionBrake

Tire/RoadVehicle

PV1 PV2 PV3 PV4F1 F2 F3

F4

.z1

.z2

.z3

.z4

Figure 15. Generalized four-pole models of an electromechanical disk brake. U I, : voltage, current; Pvi: power losses; &,z F: speed, forceor torque.

ter variations (and changing efficiency) in the whole EMB, aclosed-loop control of the clamping force or brake torque isused in a cascaded loop system, with current and speedcontrollers as slave controllers. However, this requires spe-cial sensors. As an alternative, the clamping force or thebraking torque can be reconstructed by measuring onlyvoltage, current, and position of the dc motor using adap-tive dynamic models of the EMB [46].

The corresponding control and other algorithms, suchas parameter estimation, clamping force reconstruction,and clearance-contact point detection, are implemented inthe brake module microcomputer system. It is designed as aduplex system and connected to the brake control manage-ment computer and the brake pedal via a duplex controlarea network (CAN)-bus system.

Electromechanical Brake PedalThe driver’s input to the pedal is measured by a proper com-bination of position (and force) sensors. The measured ana-log signals are then transmitted to microcontrollers. Aftersignal processing, the brake pedal information is given to theCAN-bus system. Because the pedal represents a central partof the brake system, its design must be highly fault tolerant.

An integrated FMEA and hazard analysis as summarizedin Fig. 3 was therefore applied to the pedal unit. Major haz-ards of the EMB determined in [15] and [47] are

1) no braking after brake command from the driver2) braking without brake command from the driver3) braking with wrong deceleration4) one-sided braking5) braking with unacceptable time delay.


No BrakingAlthough

Brake Demand

OR

FailurePower

System

FailureTransmission

Failure BrakePedal Module

Ped_Mod

Power

AND

FailureCommunication

System

Failure MasterControllerModule

Comm_Sys Master

Failure WheelBrake Modules

AND

Failure WheelBrake

Module 1

Failure WheelBrake

Module 2

Failure WheelBrake

Module 3

Failure WheelBrake

Module 4

WBM 1 WBM 2 WBM 3 WBM 4

Figure 16. A fault tree for hazard 1 (no braking after brake command).

Fig. 16 shows the hazard analysis of the electromechani-cal brake for hazard 1 (no braking after brake command) byusing a safety fault tree. The fault tree transfer symbols (∆)represent further fault trees (subtrees). The top events ofthe subtrees in Fig. 16 are the causes of hazard 1: failed brakepedal module, failed power system, failed transmission, orfailed wheel brake modules. Therefore, all of the four wheelbrake modules have to fail before the hazard “No braking al-though brake command” occurs.

The subtrees are constructed until basic or primaryevents are reached. The circle symbols in Fig. 17 representthe basic events. In this example, each of the events (FailureSensor Electronics 1, Failure Sensor Cable 1, Failure PowerSupply 1, Failure Sensor Element 1, or Failure Sensor Con-nection 1) results directly in the event “Failure Clamping-Force Sensor 1” because of the OR-connection, and togetherthey represent the causes of that event. However, all of thethree wheel brake sensors have to fail before event “FailureWheel Brake Module 1” occurs because the brake controloperates with only one of these sensors.

From this FMEA and hazard analysis the following recom-mendations were derived:

• overdimensioned pedal mechanics• fault-tolerant pedal electronics• fault-tolerant touchless pedal sensors• two independent power supplies• two independent plug connectors for communication• two separate boxes with sufficient protection (EMC)

and cooling• avoidance of common-mode failures.The most sensitive parts, such as electronics and sensors,

were found to have triple or quadruple modular redundancy.Fig. 18 shows the design of the resulting overall structure.

It represents a fault-tolerant and distributed real-time systemthat consists of three different kinds of modules: one brakepedal module, one central controller module, and four wheelbrake modules. The real-time communication system and thepower system have dynamic redundancy with hot standby.The pedal module must be fail-operational after one failure inthe sensors, electronics, or plug connections. The higher-level brake functions such as ABS, TCS, ESP, and the mastersupervision functionality of the brake-by-wire system aremainly implemented in the integrated software of the fail-si-lent central controller module. The wheel brake modules can


Failure WheelBrake

Sensor 1

AND

OR

FailureClamping-Force

Sensor 1

FailureMotor Current

Sensor 1

Failure MotorRotor Position

Sensor 1

Curr_Sen1 Pos_Sen1

Failure SensorElectronics 1

Failure SensorCable 1

Failure SensorPower

Supply 1

Failure SensorElement 1

Failure SensorConnection 1

Sen_Elec1 Sen_Cab1 Sen_Pow1 Sen_Elem1 Sen_Con1

Figure 17. Sub-fault-tree of hazard 1 (Fig. 16) with sub-top-event “failure pedal sensor.”

detect whether the brake management controller is workingcorrectly or has transferred to a silent state after a failure inthis unit has occurred.

Fig. 19 shows the electronic hardware architecture of thepedal module. To obtain the fail-operational behavior, one tri-plex system or a duo-duplex system are alternatives. Theduo-duplex system was chosen because it is easier to realizeand can be contained in two differenthousings. Each sensor duplex unit con-tains two diverse angle sensor elements;thus, four sensor signals are used toidentify the driver’s brake commandand to supervise the brake pedal mod-ule. Electronic hardware or sensor fail-ures are detected within a duplex unitwith a redundant voter, which comparestwo application-specific integrated cir-cuit (ASIC) outputs (including their twosensor signals). If the outputs differ toomuch, a fault is assumed and one duplexunit is switched off (fails silent).

A further task of the central con-troller module is to detect and locatepedal sensor failures for the case thatthe ASICs in the pedal unit and twobuses work correctly. Here, a model-based fault detection with parityequations is implemented. Fig. 20shows a brake pedal sensor configura-tion with three different pedal sensors

and three residuals. The pedal sensors may be diverse(e.g., one angle sensor, one travel sensor, and one forcesensor). The residuals are the difference between one sen-sor signal value and the reconstructed value from anothersensor through an analytical pedal model. If using fourbrake pedal sensors, this parity equation is expanded tocalculate six residuals [15].


Vehicle Electric System

Brake Pedal Module(Fail-Operational)

Pedal Sensors andElectronics:Duo-Duplex

SensorElement 1

SensorElement 2

SensorElement 3

SensorElement 4

Switch 1

Switch 2

ASIC(Duplex 1)

DuplexBox 1

ASIC(Duplex 2)

DuplexBox 2

EMB Bus

Direct Signals

EMB ElectricPower Supply

Battery 1

Bus 1

Bus 2

Con

nect

.C

onne

ct.

Battery 2

Connect.

Connect. Connect.

Connect. Connect. Connect.

Central ControllerModule (Fail-Silent)Central Controller

(Duplex)

Wheel BrakeController 3

(Duplex)


(Duplex)


(Duplex)


(Duplex)

WheelBrake

Actuator 3

WheelBrake

Actuator 4

WheelBrake

Actuator 1

WheelBrake

Actuator 2

Wheel BrakeModule 3(Fail-Safe)




Vehicle Bus

Figure 18. Scheme of the fault-tolerant electromechanical brake system.

PedalMechanics

Sensor 1

Sensor 2

Sensor 3

Sensor 4

Driver’sBrake

Command

Duplex 1

Duplex 2

SensorDuplex 1

SensorDuplex 2

Power 1

ASIC 1:Processing andSending Sensor

Signals 1 & 2


Signals 1 & 2


Signals 3 & 4


Signals 3 & 4

RedundantVolter

RedundantVolter

Duplex Unit1 of PedalElectronics

Duplex Unit2 of PedalElectronics

Bus 1

Bus 2

Power 2

Figure 19. Duo-duplex architecture for the pedal module.

Conclusion and OutlookReliability and safety are of major importance to the intro-duction of drive-by-wire systems. Their required high safetyintegrity necessitates that all electronic and electrome-chanical components, units, and subsystems be fault toler-ant with regard to failures in electronic hardware, software,and electrical and mechanical parts. Fault-tolerant proper-ties can be obtained primarily by static or dynamic redun-dancy, the latter with cold or hot standby, leading tosystems that are fail-operational for at least one failure.Fault detection is a basic issue for fault-tolerant systemswith redundant modules. However, at present onlycomputationally simple and reliable methods can be used,for reasons of software reliability and testability and the lim-itations of small microcontrollers. Compared to static re-dundancy, the use of fault-detection methods for dynamicredundancy saves at least one module.

An engineering challenge is to design mass-produciblefault-tolerant sensors, actuators, microcomputers, andbus communication systems with hard-real-time require-ments for a reasonable cost. Especially attractive are com-ponents with built-in redundancy for mass production. Forseveral years, throttle-by-wire, shift-by-wire, and elec-tronic driver-assisting systems have proven to be highlyreliable and safe. Drive-by-wire systems with higher hazardseverity for failures are currently being developed.Electrohydraulic brake systems came on the market in2001, and it is expected that electromechanical brakes willfollow in about six to eight years. Steer-by-wire will takelonger because of the higher hazard severity and the re-duced inherent fault-tolerance possibilities through twofront wheels (instead of four wheels, as for braking). Thedevelopment of drive-by-wire systems will therefore pro-ceed in steps to achieve highly reliable and fault-tolerantsensors, microcomputers, and electromechanical compo-

nents or, in other words, to build ex-tremely safe mechatronic systems.

AcknowledgmentsWe appreciate the cooperation of Con-tinental Teves, Frankfurt, during thedevelopment of the brake-by-wire sys-tem. We are also indebted to the sup-port of research projects on faultdiagnosis of actuators, hydraulicbrakes, and vehicles through DeutscheForschungsgemeinschaft (DFG) andDeutsche Forschungsgesellschaft fürdie Anwendung der Mikroelektronike.V. (DFAM).

References[1] H.-M. Streib and H. Bischof, “Electronic throt-tle control (ETC): A cost effective system for im-proved emissions, fuel economy, anddriveability,” SAE Technical Paper Series, no.

960338, in R.K. Jurgen, Ed., “Electronic engine control technologies,”Warrendale, PA, Society of Automotive Engineers, PT-73, pp. 165-172, 1998.[2] R.K. Jurgen, Ed., Electronic Engine Control Technologies. Warrendale, PA:Soc. Automotive Engineers, SAE PT-73, 1998.[3] A.T. van Zanten, R. Erhardt, and G. Pfaff, “VDC, the vehicle dynamics con-trol system of Bosch,” SAE Technical Paper Series, no. 950759, in R.K. Jurgen,Ed., “Electronic braking, traction, and stability control,” Warrendale, PA: Soc.Automotive Engineers, SAE: PT-76, pp. 395-412, 1999.[4] R.K. Jurgen, Ed., “Electronic braking, traction, and stability control,” Soci-ety of Automotive Engineers, Warrendale, PA, SAE: PT-76, 1999.[5] B. Connor, “Electric power assisted steering—An alternative to hydraulicand electro-hydraulic systems,” Automobiltechnische Zeitschrift, vol. 98, nos.7/8, p. 407, 1996.[6] S. Germann and R. Isermann, “Nonlinear distance and cruise control forpassenger cars,” in First IFAC-Workshop Advances in Automotive Control,Ascona, Switzerland, 1995, pp. 203-208.[7] H. Fritz, “Model-based neural speed control of vehicles” (in German),Automatisierungstechnik, vol. 44, no. 5, pp. 252-257, 1996.[8] E.D. Dickmanns, “Road vehicle eyes for high precision navigation,” in HighPrecision Navigation, Linkwitz, Ed. Bonn, Germany: Dümmler Verlag, 1995, pp.329-336.[9] W.B. Stevens, “The automated highway system program: A progress re-port,” in Proc. 13th World Congr. IFAC, San Francisco, CA, 1996, pp. 25-33.[10] M. Tomizuka, “Automated highway systems—An intelligent transporta-tion system for the next century,” in Proc. IEEE/ASME Int. Conf. Advanced Intel-ligent Mechatronics ‘97, Tokyo, Japan, 1997, p. 1.[11] P. Rieth, “Electronic driver assistance” (in German), in VDA-TechnischerKongress, Frankfurt, Germany, 1999, pp. 119-136.[12] Functional Safety of Electrical/Electronic/Programmable Electronic Sys-tems, Version 4.0, Part 1-7, Standard IEC 61508, 1997.[13] N. Storey, Safety-Critical Computer Systems. Essex, U.K.: Addison WesleyLongman Ltd., 1996.[14] M.J. Schneider, “Use of a hazard and operability study for evaluation ofABS control logic,” SAE Technical Paper Series, no. 970815, in ElectronicBraking, Traction, and Stability Control, R.K. Jurgen, Ed. Warrendale, PA: Soci-ety of Automotive Engineers, SAE: PT-76, 1988, pp. 65-93[15] S. Stölzl, “Fault-tolerant pedal unit of an electromechanical brake sys-tem” (in German), Fortschr.-Ber. VDI-Verlag, Düsseldorf, Germany, Reihe 12,no. 426, 2000.[16] Prometheus, “Report on recommended practice of safety and reliabilityengineering of future automotive system,” Eureka Prometheus European Pro-ject, Germany, 1998.[17] N. Leveson, Safeware. System Safety and Computer. Reading, MA: Addi-son-Wesley, 1995.


Residual 1

Residual 2

Residual 3

Pedal Sensor 1

Pedal Sensor 3

Pedal Sensor 2

Pedal Sensor 1

Pedal Sensor 3

Pedal Sensor 2

Ele

ctro

mec

hani

cal B

rake

Ped

al fo

r B

rake

-by-

Wire

MathematicalPedal Model



PS 1= f (PS 3)1

PS 2= f (PS 1)2

PS 3= f (PS 2)3

–

–

–

Figure 20. Sensor fault detection with parity equations for three different sensor signals.

[18] W.-D. Jonner, H. Winner, L. Dreilich, and E. Schunck, “Electrohydraulicbrake system—The first approach to brake-by-wire technology,” SAE Techni-cal Paper Series, no. 960991, in Electronic Braking, Traction, and Stability Con-trol, R.K. Jurgen, Ed. Warrendale, PA: Society of Automotive Engineers, SAE:PT-76, pp. 221-228, 1999.[19] H.E. Rauch, “Autonomous control reconfiguration,” IEEE Control Syst.Mag., vol. 15, no. 6, pp. 37-48, 1995.[20] P.R. Chandler, “Reconfigurable flight control at Wright Laboratory,”Neuilly-sur-Seine, France, vol. III, AGARD Advisory Rep. 360, Aerospace 2020,1997.[21] R.J. Patton, “Fault-tolerant control: The 1997 situation,” in Proc. IFACSymp. Fault Detection, Supervision and Safety for Technical Processes(SAFEPROCESS), vol. 2. Kingston Upon Hull, U.K.: Elsevier, 1997, pp.1033-1055.[22] J. Chen, R.J. Patton, and Z. Chen, “Active fault-tolerant flight control sys-tems design using the linear matrix inequality method,” Trans. Inst. Meas.Control, vol. 21, no. 2/3, pp. 77-84, 1999.[23] M. Blanke, R. Izadi-Zamanabadhi, S.A. Bogh, and C.P. Lunau, “Fault-toler-ant control systems—A holistic view,” Control Eng. Practice, vol. 5, no. 5, pp.693-702, 1997.[24] P. Ballé, M. Fischer, D. Füssel, O. Nelles, and R. Isermann, “Integrated con-trol, diagnosis and reconfiguration of a heat exchanger,” IEEE Control Syst.Mag., vol. 18, no. 3, pp. 52-63, 1998.[25] S. Suryanaryanan and M. Tomizuka, “Fault-tolerant lateral control of au-tomated vehicles based on simultaneous stabilization,” in 1st IFAC Conf.Mechatronic Systems, Darmstadt, Germany, 2000, pp. 899-923.[26] R. Isermann, Ed.“Tutorial Workshop IFAC Congress 1996,” IFAC J. ControlEng. Practice, Special Section on Supervision, Fault Detection and Diagnosisof Technical Processes, vol. 5, no. 5, pp. 637-719, 1996.[27] J.J. Gertler, Fault Detection and Diagnosis on Engineering Systems. NewYork: Marcel Dekker, 1999.[28] J. Chen and R.J. Patton, Robust Model-Based Fault Diagnosis for DynamicSystems. Boston, MA: Kluwer, 1999.[29] R. Isermann, Supervision and Fault Diagnosis (in German). Düsseldorf,Germany: Springer/VDI-Verlag, 1994.[30] R. Isermann, “Integration of fault detection and diagnosis methods,” inIFAC Symp. Fault Detection, Supervision and Safety for Technical Processes(SAFEPROCESS), Espoo, Finland, 1994, pp. 597-612.[31] T. Pfeufer, “Application of model-based fault detection and diagnosis tothe quality assurance of an automotive actuator,” Control Eng. Practice, vol. 5,no. 5, pp. 703-708, 1997.[32] O. Moseler, T. Heller, and R. Isermann, “Model-based fault detection foran actuator driven by a brushless dc motor,” in Proc. 14th IFAC World Congr.,vol. P. Beijing, China: 1999, pp. 193-198.[33] M.P. Henry and D.W. Clarke, “The self-validating sensor: Rationale, defini-tions, and examples,” Control Eng. Practice, vol. 1, no. 2, pp. 585-610, 1993.[34] D.W. Clarke, “Sensor, actuator, and loop validation,” IEE Control Syst., vol.15, pp. 39-45, Aug. 1995.[35] A.T. van Zanten, R. Erhardt, K. Landesfeind, and G. Pfaff, “VDC systemsdevelopment and perspective,” SAE Technical Paper Series, no. 980235, inElectronic Braking, Traction, and Stability Control, R.K. Jurgen, Ed. Warrendale,PA: Society of Automotive Engineers, SAE: PT: PT-76, pp. 373-394, 1999.[36] R.N. Clark, “State estimation schemes for instrument fault detection,” inFault Diagnosis in Dynamic Systems, R.J. Patton, J. Chen, and R.N. Clark, Eds.New York: Prentice-Hall, 1989.[37] R. Oehler, A. Schoenhoff, and M. Schreiber, “Online model-based fault de-tection and diagnosis for a smart aircraft actuator,” in Proc. IFAC Symp. FaultDetection, Supervision and Safety for Technical Processes (SAFEPROCESS),vol. 2. Kingston upon Hull, U.K., 1997, pp. 591-596.[38] A. Krautstrunk and P. Mutschler, “Remedial strategy for a permanent mag-net synchronous motor drive,” in Proc. EPE’99, Lausanne, Switzerland, 1999.[39] R. Isermann and U. Raab, “Intelligent actuators—Ways to autonomousactuating systems,” Automatica, vol. 29, no. 5, pp. 1315-1331, 1993.[40] G. Heiner and T. Thurner, “Time-triggered architecture for safety relateddistributed real-time systems in transportation systems,” in Fault-TolerantComputing (FTCD 28), Munich, Germany, 1998.[41] H. Kopetz, Real-Time Systems. Boston, MA: Kluwer, 1997.

[42] “X-by-wire, safety related fault-tolerant systems in vehicles,” Final reportof EU Project Brite-EuRam III, 3.B.5, 3.B.6, Prog. no. BE 95/1329, ContractBRPR-CT95-0032, 1998.[43] S. Poledna and G. Kroiss, “TTD: Towards drive-by-wire,” Elektonik, no.14, pp. 36-43, 1999.[44] T. Pfeufer, “Model-based fault detection and diagnosis for an automotiveactuator” (in German), Düsseldorf, Germany, VDI-Verlag, Fortschr.-Ber. VDIReihe 8, no. 764, 1999.[45] R. Schwarz, R. Isermann, J. Böhm, J. Nell, and P. Rieth, “Modeling and con-trol of an electro-mechanical disk brake,” SAE Technical Paper Series, vol.SP-1339, no. 980600 pp. 177-189, 1998.[46] R. Schwarz, “Rekonstruktion der Bremskraft bei Fahrzeugen mitelektromechanisch betätigten Radbremsen,” Düsseldorf, Germany,VDI-Verlag, Fortschr.-Ber. VDI Reihe 12, no. 393, 1999.[47] S. Stölzl, R. Schwarz, R. Isermann, J. Böhm, J. Nell, and P. Rieth, “Controland supervision of an electromechanical brake system,” in FISITA World Auto-motive Congr., 2nd Century of the Automobile, Paris, France, 1998, pp. 154-155 .[48] J. Balz, K. Bill, J. Böhm, P. Scheerer, and M. Semsch, “Advanced brake sys-tem with highest flexibility,” Automobiltechnische Zeitschrift, vol. 98, no. 6, pp.328-333, 1996.

Rolf Isermann received the Dipl.-Ing degree in mechanicalengineering in 1962 from the University of Stuttgart and theDr.-Ing. degree in 1965. In 1968, he became “Privatdozent” forautomatic control at the University of Stuttgart and, since1972, has been a Professor in Control Engineering. Since 1977he has been a Professor at the Darmstadt University of Tech-nology and head of the Laboratory of Control Engineeringand Process Automation at the Institute of Automatic Con-trol. He received the Dr. h.c. (honoris causa) fromL’Université Libre de Bruxelles and from the Polytechnic Uni-versity in Bucharest. In 1996, he was awarded theVDE-Ehrenring, the highest scientific award from Verbandder Elektrotechnik und Informationstechnik. His current re-search concentrates in the fields of identification with neuralnetworks, nonlinear digital control, intelligent control, andmodel based methods of process fault diagnosis with appli-cations for hydraulic and pneumatic servo systems, combus-tion engines, automobiles, and mechatronic systems.

Ralf Schwarz received the Dipl.-Ing. degree in electrical en-gineering in 1994. He received the Dr.-Ing. degree in elec-tronic mechanical brakes in 1998 from the DarmstadtUniversity of Technology. In 1999, he worked in the ABS/ESPdevelopment for electromechanical brakes at ContinentalTeves AG, Frankfurt. Since 2000, he has been responsible forglobal chassis control development.

Stefan Stölzl studied electrical engineering at the Univer-sity of Karlsruhe to obtain the Dipl.-Ing. degree in 1994.From 1995 to 2000, he was with Continental Teves AG andwas responsible for program management for ABS and ESP.Then he joined the Darmstadt University of Technology toperform research on a fault-tolerant pedal unit forbrake-by-wire systems. After obtaining the Dr.-Ing. degree,he returned to Continental Theves AG. Since 2001, he hasbeen a manager in the global automotive praxis at A.T.Kearney GmbH.


Landgraf-Georg-Str. 4, D-64283 Darmstadt, Germany. Schwarz is · electromechanical actuators, a...

Documents

Transcript of Landgraf-Georg-Str. 4, D-64283 Darmstadt, Germany. Schwarz is · electromechanical actuators, a...