Search Results

Automotive electronic systems are becoming safety related causing a need for more systematic and stringent approaches for demonstrating the functional safety. The safety case consists of an argumentation, supported by evidence, of why the system is safe to operate in a given context. It is dependent on referencing and aggregating information which is part of the EAST-ADL2, an architecture description language for automotive embedded systems. This paper explores the possibilities of integrating the safety case metamodel with the EAST-ADL2, enabling safety case development in close connection to the system model. This is done by including a safety case object in EAST-ADL2, and defining the external and internal relations.

Volvo Car Corporation has developed a Reference Architecture for PAG1 Infotainment Systems. A Reference Architecture is an architecture scoping over more than a single system, i.e. an architecture aimed for a family of systems. The Infotainment Reference Architecture has since 2001 been successfully applied for the PAG family which so far covers the infotainment systems of Volvo XC90, Volvo S40/V50, Jaguar XK, Aston Martin DB9 and the brand new Volvo S80. In 1999, the system design departments started up with the clear objective to develop a system solution aiming for the PAG infotainment system family. The work was carried out according to the established development process at Volvo Cars. A year later a discouraging design review was performed. The number of involved functions, the level of function interaction and the distribution of functionalities between ECUs resulted in a non-manageable system solution.

A design method for ultra-dependable control-by-wire systems is presented here. With a top-down approach, exploiting the system's intrinsic redundancy combined with a scalable software redundancy, it is possible to meet dependability requirements cost-effectively. The method starts with the system's functions, which are broken down to the basic elements; task, sensor or actuator. A task graph shows the basic elements interrelationships. Sensor and actuator nodes form a non-redundant hardware architecture. The functional task-graph gives input when allocating software on the node architecture. Tasks are allocated to achieve low inter-node communication and transient fault tolerance using scalable software redundancy. Hardware is added to meet the dependability requirements. Finally, the method describes fault handling and bus scheduling. The proposed method has been used in two cases; a fly-by-wire aircraft and a drive-by-wire car.