Search Results

Technical Paper

Basic Single-Microcontroller Monitoring Concept for Safety Critical Systems

2007-04-16
2007-01-1488
Electronic Control Units of safety critical systems require constant monitoring of the hardware to be able to bring the system to a safe state if any hardware defects or malfunctions are detected. This monitoring includes memory checking, peripheral checking as well as checking the main processor core. However, checking the processor core is difficult because it cannot be guaranteed that the error will be properly detected if the monitor function is running on a processing system which is malfunctioning. To circumvent this issue, several previously presented monitoring concepts (e.g. SAE#2006-01-0840) employ a second external microprocessor to communicate with the main processor to check its integrity. The addition of a second microcontroller and the associated support circuitry that is required adds to the overall costs of the ECU, increases the size and creates significant system complexity.
Technical Paper

Implementation of a Basic Single-Microcontroller Monitoring Concept for Safety Critical Systems on a Dual-Core Microcontroller

2007-04-16
2007-01-1486
Electronic Control Units of safety critical systems require constant monitoring of the hardware to be able to bring the system to a safe state if any hardware defects or malfunctions are detected. This monitoring includes memory checking, peripheral checking as well as checking the main processor core. However, checking the processor core is difficult because it cannot be guaranteed that the error will be properly detected if the monitor function is running on a processing system which is malfunctioning. To circumvent this issue, several previously presented monitoring concepts (e.g. SAE#2006-01-0840) employ a second external microprocessor to communicate with the main processor to check its integrity. This paper will present a concept which maps the functions of the external monitoring unit onto an internal second processing core; such cores are frequently available on modern, 32-bit, monolithic, dual-core microcontrollers.
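The question-and-answer style of core check that the two abstracts above describe only in outline, as an added illustrative example in C (not code from either paper, from SAE, or from any ECU supplier): a monitor that keeps its own copy of a self-test pattern challenges the main core with a seed and requires the correct answer within a deadline; wrong, stale or missing answers count as faults, and a threshold of consecutive faults trips the safe-state request. The test pattern, the deadline, the fault threshold and the two injected defect models are assumptions made for this simulation and are marked as such in the code. Whether the monitor runs on an external microcontroller or on the second core of a dual-core device, the point both abstracts make holds: the code doing the checking must not execute on the core whose integrity is in question.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed parameters (not from the papers): the main core must answer within
 * ANSWER_DEADLINE_TICKS scheduler ticks; MAX_FAULTS consecutive bad or
 * missing answers trip the safe-state request. */
#define ANSWER_DEADLINE_TICKS 10u
#define MAX_FAULTS 2u

typedef struct {
    uint32_t pending_seed;   /* seed of the challenge currently outstanding */
    uint32_t issued_tick;    /* tick at which it was issued */
    bool     outstanding;    /* an answer is still awaited */
    uint32_t fault_count;    /* consecutive failed challenges */
    bool     safe_state;     /* monitor has requested the safe state */
} monitor_t;

/* Test pattern both sides run. The monitor's copy is the oracle; the main core
 * must reproduce it on live hardware. A real pattern would exercise the
 * instruction set systematically; this mix of multiply, shift, rotate and add
 * is an illustrative stand-in (assumption). */
uint32_t core_self_test(uint32_t seed)
{
    uint32_t x = seed * 2654435761u;
    x ^= x >> 13;
    x = (x << 5) | (x >> 27);
    x += 0x9E3779B9u;
    return x;
}

static uint32_t next_seed(uint32_t prev) { return prev * 1103515245u + 12345u; }

static void monitor_record_fault(monitor_t *m)
{
    if (++m->fault_count >= MAX_FAULTS)
        m->safe_state = true;
}

/* Monitor side: hand the main core a fresh seed and start the deadline. */
void monitor_issue_challenge(monitor_t *m, uint32_t tick)
{
    m->pending_seed = next_seed(m->pending_seed);
    m->issued_tick = tick;
    m->outstanding = true;
}

/* Monitor side: check value AND timing. A core that computes correctly but
 * too slowly, or answers when nothing is outstanding, is treated as faulty. */
void monitor_receive_answer(monitor_t *m, uint32_t answer, uint32_t tick)
{
    bool ok = m->outstanding
           && answer == core_self_test(m->pending_seed)
           && (tick - m->issued_tick) <= ANSWER_DEADLINE_TICKS;
    m->outstanding = false;
    if (ok) m->fault_count = 0; else monitor_record_fault(m);
}

/* Monitor side, every tick: a core that never answers must also be caught. */
void monitor_tick(monitor_t *m, uint32_t tick)
{
    if (m->outstanding && (tick - m->issued_tick) > ANSWER_DEADLINE_TICKS) {
        m->outstanding = false;
        monitor_record_fault(m);
    }
}

/* Main-core side, with two injected defect models for the simulation:
 * CORE_CORRUPT_ALU flips one result bit, CORE_HUNG never answers. */
typedef enum { CORE_HEALTHY, CORE_CORRUPT_ALU, CORE_HUNG } core_mode_t;

static bool main_core_answer(core_mode_t mode, uint32_t seed, uint32_t *answer)
{
    if (mode == CORE_HUNG) return false;
    *answer = core_self_test(seed);
    if (mode == CORE_CORRUPT_ALU) *answer ^= 0x1u;
    return true;
}

/* Run the loop for a number of challenge periods and report whether the
 * monitor requested the safe state. Simulated timing: the main core answers
 * 3 ticks after the challenge and each period is 15 ticks long. */
bool run_monitor_cycle(core_mode_t mode, unsigned periods)
{
    monitor_t m = {0};
    uint32_t tick = 0;
    for (unsigned p = 0; p < periods && !m.safe_state; p++) {
        monitor_issue_challenge(&m, tick);
        tick += 3;
        uint32_t answer;
        if (main_core_answer(mode, m.pending_seed, &answer))
            monitor_receive_answer(&m, answer, tick);
        for (int i = 0; i < 12; i++)
            monitor_tick(&m, ++tick);
    }
    return m.safe_state;
}

int main(void)
{
    printf("healthy core -> safe state: %d\n", run_monitor_cycle(CORE_HEALTHY, 20));
    printf("corrupt ALU  -> safe state: %d\n", run_monitor_cycle(CORE_CORRUPT_ALU, 20));
    printf("hung core    -> safe state: %d\n", run_monitor_cycle(CORE_HUNG, 20));
    return 0;
}
```

Two design points are worth noting. The deadline check is what turns a plain checksum into a liveness check: a core stuck in a loop, or one whose timer interrupt has died, produces no answer at all, and only `monitor_tick` catches that. And a single bad answer does not trip the safe state, so a transient upset on the link between the cores does not take the ECU down; the threshold is a tuning decision that the abstracts leave to the implementation.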
Technical Paper

Encapsulation of Software-Modules of Safety-Critical Systems

2007-04-16
2007-01-1485
More and more high-level algorithms are emerging to improve the existing systems in a car. Often these algorithms only need a platform with a bus connection and some resources such as CPU time and memory space. These functions can easily be integrated into existing systems that have free resources. This paper describes some encapsulation techniques and mechanisms that can be used in the automotive domain. The discussion also takes into account the additional resources consumed on the microcontroller to meet these requirements and by the software to implement the encapsulation mechanisms. Overviews of some general concepts of software-architectures that provide encapsulation are also shown.
Technical Paper

Advanced Design and Validation Techniques for Electronic Control Units

1998-02-23
980199
Increasing demand for dynamically controlled safety features, passenger comfort, and operational convenience in upper class automobiles requires an intensive use of electronic control units including software portions. Modeling, simulation, rapid prototyping, and verification of the software need new technologies to guarantee passenger security and to accelerate the time-to-market of new products. This paper presents the state-of-the-art of the design methods for the development of electronic control unit software at BMW. These design methods cover both discrete and continuous system parts, smoothly integrating the respective methods not merely on the code level, but on the documentation, simulation, and design level. In addition, we demonstrate two modeling and prototyping tools for discrete and continuous systems, namely Statemate and MatrixX, and discuss their advantages and drawbacks with respect to necessary prototyping demands.
Technical Paper

byteflight: A new protocol for safety-critical applications

2000-06-12
2000-05-0220
The permanently increasing number of convenience and safety functions leads to higher complexity of in-car electronics, and the rapidly growing number of sensors, actuators and electronic control units places higher demands on high-speed data communication protocols. Safety-critical systems need deterministic protocols with fault-tolerant behavior. The need for on-board diagnosis calls for flexible use of bandwidth, and an ever-increasing number of functions necessitates a flexible means of extending the system. None of the communication solutions available on the market until now (such as CAN or TTP) has been able to fulfill all these demands. To solve these problems, BMW together with several semiconductor companies has developed a new protocol for safety-critical applications in automotive vehicles.
Journal Article

A Stochastic Physical Simulation Framework to Quantify the Effect of Rainfall on Automotive Lidar

2019-04-02
2019-01-0134
The performance of environment-perceiving sensors such as lidar, radar, camera and ultrasonic sensors is safety critical for automated driving vehicles. Therefore, one has to assess the sensors' performance to assure the automated driving system's safety. The performance of these sensors is, however, to some degree sensitive to adverse weather conditions. A challenge is to quantify the effect of adverse weather conditions on the sensor's performance early in the development of an automated driving system. This challenge is addressed in this work for lidar sensors. The lidar equation was previously employed in this context to derive estimates of a lidar's maximum range in different weather conditions. In this work, we present a stochastic simulation framework based on a probabilistic extension of the lidar equation, to quantify the effect of adverse rainfall conditions on a lidar's raw detection performance.
Technical Paper

Cybersecurity in the Context of Fail-Operational Systems

2024-04-09
2024-01-2808
The development of highly automated driving functions (AD) has recently raised the demand for so-called Fail-Operational systems for native driving functions such as steering and braking of vehicles. Fail-Operational systems shall guarantee the availability of driving functions even in the presence of failures. This can also mean a degradation of system performance or a limit on a system's remaining operating period. In either case, the goal is independence from a human driver as a permanently situation-aware safety fallback, so as to provide a certain level of autonomy. In parallel, the connectivity of modern vehicles is increasing rapidly, and especially in vehicles with highly automated functions there is a high demand for connected functions, infotainment (web conferencing, Internet, shopping) and entertainment (streaming, gaming) for passengers who are no longer occupied with driving tasks.