Search Results

The new generation of drive-by-wire systems currently under development has demanding requirements on the electronic architecture. Functions such as brake-by-wire or steer-by-wire require continued operation even in the presence of component failures. The electronic architecture must therefore provide fault-tolerance and real-time response. This in turn requires the operating system and the communication layer to be predictable, dependable and composable. It is well known that this properties are best supported by a time-triggered approach. A consortium consisting of German and French car manufacturers and suppliers, which aims at becoming a working group within the OSEK/VDX initiative, the OSEKtime consortium, is currently defining a specification for a time-triggered operating system and a fault-tolerant communication layer.1 The operating system and the communication layer are based on applicable interfaces of the OSEK/VDX standard.

This paper discusses a methodology for calculating the probability of a redundant system to fail in a specified time interval after a first fault has occurred. That probability is first derived in general and then specified for a system consisting of independent components having exponential failure rate densities. Four different redundant system configurations of a safety relevant automotive control system are discussed and compared with respect to their reliability characteristics. The four configurations differ in system topologies as well as the intelligence of the system components with respect to self-monitoring.