A Practical Approach to the Simulation of Safety-Critical Automotive Control Systems Considering Complex Data Flows
Embedded systems highly contribute to the efficiency, safety, and usability of today’s means of transportation such as cars and airplanes. Due to the possible hazards and risks involved, safety standards like DO-178C for avionics and ISO 26262 for automotive recommend the application of state-of-the-art methods and tools. Functional safety requirements imposed on hardware and software imply the detection of malfunctions and taking corrective actions, before hazards actually may occur. Among the key challenges is the prediction and verification of the system’s timing behavior.
We describe a model-based approach for real-time simulation, focusing on complex end-to-end data flows typically encountered in safety-critical automotive control applications. Based on first-hand experiences gained in the development of an electrical power steering control system, we illustrate how real-time simulation models can be utilized to guide design decisions, and help to achieve safety goals defined at system level. Furthermore, we discuss the issues of response time analysis for dynamic state-dependent data flows considering different semantics for communication in the context of the AUTOSAR standard.
Case Study: Electronic Power Steering
The research results presented in the following are based on the observations and experiences made by the authors during the development of an electronic power steering (EPS) system at Hella Engineering in Toulouse, France. Due to the safety and hard real-time requirements for this system, a model-based approach using SysML at logical architecture level, and AUTOSAR methodology at technical architecture level was implemented.
For the simulation, visualization, and exploration of various design alternatives, methods and tools provided by INCHRON were also used from the very beginning of this project.
The electronic power steering system in our case study as depicted in the figure uses a brushless motor to assist the driver in steering his vehicle. Position and torque of the steering column are permanently measured by sensors and processed by the steering control module (SCM), which calculates an assistive torque that is applied depending on different driving conditions.
A major challenge during the development of embedded systems such as the electronic power steering is the verification of end-to-end latency requirements. The difficulty lays in the fact that these systems feature many different functional and dysfunctional modes of operation with corresponding hard real-time requirements for monitoring, error detection, and error handling. Depending on the required safety level, the implementation of these safety mechanisms in addition to the actual control functionality, drastically increases the complexity of the data and control flow. As a consequence for the EPS system development, following a classical integration and test approach solely based on measurements on the target hardware, seemed not feasible. In order to reduce the time and effort, that it takes to find resource bottlenecks, timing errors, and eventually to verify the real-time requirements, it was one of our main objectives in this case study to apply state-of-the-art methods and tools, aiming at a virtual integration of the system in earlier development phases.
Event Chains With Hard Real-Time Latency Requirements
A temporally ordered sequence of correlated events, that can be observed or measured in a system, is referred to as a chain of events, or event chain. Applied to embedded real-time systems, the concept of an event chain can be used to specify a sequence of function executions and (communication) data flows between them, which are subject to safety and real-time requirements. The figure shows an example for such an event chain in the SCM, starting with the sampling of the torque sensor and ending with the control of the motor realizing the steering assistance.
The event chain concept is a very useful abstraction in order to describe the scope of an end-to-end latency requirement from the perspective of a control or system engineer, considering the influence of both the hardware and the software.
End-to-End FTTI Requirements
Event chain definitions for the functional and dysfunctional operation states of the system can be described in a common model, using the same data and control flow concepts. For this paper, we have selected two (dysfunctional) event chains, in order to demonstrate the application of our approach for the verification of end-to-end FTTI (Fault Tolerant Time Interval) requirements. The figure shows the sequence of process executions for each event chain similar to the definition in the simulation tool.
Simulation and Optimization
Using the INCHRON chronSUITE we performed several simulation runs in order to compare alternative scheduling configurations for the SCM. The traces generated by the simulation were evaluated according to the following quality criteria:
- Deadline violations
- Response time distribution
- CPU peak load in certain averaging intervals
- Start-to-start jitter
- End-to-end latencies of dedicated event chains
Extended Timing-Aware Co-Design Methodology
Based on the experiences made in the case study, we have enhanced our development process for the verification of safety-critical event chains with hard real-time requirements. A seamless workflow as depicted in the figure combining timing measurements on the target hardware with model-based timing simulation was defined, and feasibility of the approach was tested using the commercial tools chronVIEW and chronSIM developed by INCHRON.
Following the practical approach described in this paper, we have shown how state-of-the-art model-based simulation techniques can be used to support the dynamic architecture design of complex automotive control systems. Although, it may appear that adjusting the scheduling configuration in the presented examples is not too complicated, and the proposed solutions may seem obvious, one should consider the number and complexity of the entire event chains in the SCM.
In reality, system engineers and software architects responsible for integration and testing, have to achieve many different competing, and sometimes contradicting design goals, especially concerning the dynamic behavior of the system. Model-based simulation and statistical analysis tools as provided by INCHRON greatly help to detect possible realtime requirement violations, and furthermore offer guidance in order to adjust and optimize an existing system configuration.