Search Results

This paper presents the conceptual model and the fundamental mechanisms for software development in the context of the Brite-EuRam project Safety Related Fault Tolerant Systems in Vehicles (nick-named X-By-Wire). The objective of the X-By-Wire project is to achieve a framework for the introduction of safety related fault tolerant electronic systems without mechanical backup in vehicles. To achieve the required level of fault-tolerance, an X-By-Wire system must be designed as a distributed system comprising a number of fault-tolerant units connected by a reliable real-time communication system. For the communication system, the time-triggered TTP/C real-time communication protocol was selected. TTP/C provides fault-tolerance message transfer, state synchronization, reliable detection of node failures, a global time base, and a distributed membership service. Redundancy is used for masking failures of individual processor nodes and hardware peripherals.

The new generation of drive-by-wire systems currently under development has demanding requirements on the electronic architecture. Functions such as brake-by-wire or steer-by-wire require continued operation even in the presence of component failures. The electronic architecture must therefore provide fault-tolerance and real-time response. This in turn requires the operating system and the communication layer to be predictable, dependable and composable. It is well known that this properties are best supported by a time-triggered approach. A consortium consisting of German and French car manufacturers and suppliers, which aims at becoming a working group within the OSEK/VDX initiative, the OSEKtime consortium, is currently defining a specification for a time-triggered operating system and a fault-tolerant communication layer.1 The operating system and the communication layer are based on applicable interfaces of the OSEK/VDX standard.

Actual research results in the automotive field show that there is a big potential in increasing active and passive safety by implementing intelligent driver assisting systems. Realizing such safety related system functions requires an electronic system without mechanical or hydraulic backup to de-couple the human interface from the vehicle functions, e.g., steering and braking. Safety critical functions without mechanical backup enforce new requirements in system design. Any faulty behavior of a component within the system must not lead to a malfunction of the overall system. Consequently in the system design fault-tolerance mechanisms in real time must be introduced. Active replication of a functional node is a proper solution to guarantee this real time fault-tolerance. Redundancy management of the functional nodes can be implemented by fail-silent replicas, i.e. a node behaves correctly or does not produce any output at all.