Search Results

With the ever increasing amount of available software processing resources in a vehicle, more and more high-level algorithms are emerging to improve the existing systems in a car. Often these algorithms only need a platform with a bus connection and some resources such as processing power and memory space. These functions are predestined to be integrated into existing systems that have free resources. This paper will examine the role of time protection in these multi-algorithm systems and describe what timing protection means and why it is required. The processing time will be partitioned to the different processing levels like interrupts, services and tasks. The problems of timing protection will be illustrated as well as its limitations. The conflict between real-time requirements and timing protection will be shown. Finally Autosar will be examined with focus on timing protection and applicability in actual development projects.

The increasing complexity of automotive functions which are necessary for improved driving assistance systems and automated driving require a change of common vehicle architectures. This includes new concepts for E/E architectures such as a domain-oriented vehicle network based on powerful Domain Control Units (DCUs). These highly integrated controllers consolidate several applications on different safety levels on the same ECU. Hence, the functions depend on a strictly separated and isolated implementation to guarantee a correct behavior. This requires middleware layers which guarantee task isolation and Quality of Service (QoS) communication have to provide several new features, depending on the domain the corresponding control unit is used for. In a first step we identify requirements for a middleware in automotive DCUs. Our goal is to reuse legacy AUTOSAR based code in a multicore domain controller.

The company Schnupp GmbH + Co. Hydraulik KG, Bogen, has developed a new type of press for sheet metal hydroforming. The advantages of this machine are derived from its new cinematic characteristics, with spacers inserted between the machine frame and press ram during the forming process. These spacers transmit the high forces to the press frame via positive engagement. The nominal press force is generated by 100 short-stroke cylinder which are located underneath the table plate. These short-stroke cylinders, which can be switched on or off individually, are divided into six independent control circuits. Thus it is possible to influence the blankholder force locally during the forming process. A system of this kind has already found its successful application at AUDI AG, Ingolstadt, for the sheet metal hydroforming.

Audi's new full scale aeroacoustic wind tunnel is under full operation now. The new facility is designed for full scale automotive testing of aerodynamics and aeroacoustics for vehicles up to 3 m2 frontal area at wind speeds up to 300 kph. The highlights are the unique ground simulation system with boundary layer suction and a 5-belt-system, and the extremely low background noise of only 60 dB(A) at 160 kph. First the background of the project is illustrated and the need for the special features of the tunnel is deduced form the industrial requirements. Then an overview of the facility design is given with a detailed description of the key technical components. The calibration of the self-correcting test section will be discussed and the physical background for it will be examined more closely. For the calibrated wind tunnel the results of two correlation tests including open jet as well as closed wall wind tunnels show a reasonable conformity.

Multicore-based ECUs are increasingly used in embedded automotive software systems to allow more demanding automotive applications at moderate cost and energy consumption. Using a high number of parallel processors together with a high number of executed software components results in a practically unmanageable number of deployment alternatives to choose from. However correct deployment is one important step for reaching timing goals and acceptable latency, both also a must to reach safety goals of safety-relevant automotive applications. In this paper we focus at reducing the complexity of deployment decisions during the phases of allocation and scheduling. We tackle this complexity of deployment decisions by a mixed constructive and analytic approach.

In the context of the ARAMiS project, AUDI AG contributed the development of a multi-core demonstrator based on car functions already in production. For this demonstrator, these legacy car functions were ported from single-core platforms to a multi-core platform to gain real world close-to-production experience while utilizing the new technology. For complex functions with high demands for computational resources, it may be necessary to distribute computation over several cores. In this context, we investigated the parallelization of a legacy sequential AUTOSAR function. A main contribution of this work is an analysis of mechanisms provided by AUTOSAR, their limitations and, possible remedy. This paper will point out observations and experiences during the development of this demonstrator and show practical solutions for parallelization in an AUTOSAR environment.

ISO 26262 is the actual standard for Functional Safety of automotive E/E (Electric/Electronic) systems. One of the challenges in the application of the standard is the distribution of safety related activities among the participants in the supply chain. In this paper, the concept of a Safety Element out of Context (SEooC) development will be analyzed showing its current problematic aspects and difficulties in implementing such an approach in a concrete typical automotive development flow with different participants (e.g. from OEM, tier 1 to semiconductor supplier) in the supply chain. The discussed aspects focus on the functional safety requirements of generic hardware and software development across the supply chain where the final integration of the developed element is not known at design time and therefore an assumption based mechanism shall be used.

Developing automotive chassis applications is becoming increasingly complex due to cross-functional system interactions and the inherent safety critical nature of the systems involved. One consequence is the need for a rapid prototyping platform, targeted and tailored to meet the specific needs of the chassis domain. This paper describes an example of such an architecture for a chassis rapid prototyping system incorporating several Infineon TriCore embedded microcontrollers and Emulation Devices (ED), networked together by the Micro Link Interfaces (MLI). It also discusses how using such a development platform can lead to a significant reduction in the overall development time of a production intent chassis system.

Longitudinal models are used to evaluate different vehicle-engine concepts with respect to driving behavior and emissions. The engine is generally map-based. An explicit calculation of both fluid dynamics inside the engine air path and cylinder combustion is not considered due to long computing times. Particularly for dynamic certification cycles (WLTC, US06 etc.), dynamic engine effects severely influence the quality of results. Hence, an evaluation of transient engine behavior with map-based engine models is restricted to a certain extent. The coupling of detailed 1D-engine models is an alternative, which rapidly increases the model computation time to approximately 300 times higher than that of real time. In many technical areas, the Fourier transformation (FT) method is applied, which makes it possible to represent superimposed oscillations by their sinusoidal harmonic oscillations of different orders.

A main challenge when developing next generation architectures for automated driving ECUs is to guarantee reliable functionality. Today’s fail safe systems will not be able to handle electronic failures due to the missing “mechanical” fallback or the intervening driver. This means, fail operational based on redundancy is an essential part for improving the functional safety, especially in safety-related braking and steering systems. The 2-out-of-2 Diagnostic Fail Safe (2oo2DFS) system is a promising approach to realize redundancy with manageable costs. In this contribution, we evaluate the reliability of this concept for a symmetric and an asymmetric Electronic Power Steering (EPS) ECU. For this, we use a Markov chain model as a typical method for analyzing the reliability and Mean Time To Failure (MTTF) in majority redundancy approaches. As a basis, the failure rates of the used components and the microcontroller are considered.

Advanced safety features and new services in connected cars depend on the security of the underlying vehicle functions. Due to the interconnection with the outside world and as a result of being an embedded system a modern vehicle is exposed to both, malicious activities as faced by traditional IT world systems as well as physical attacks. This introduces the need for utilizing hardware-assisted security measures to prevent both kinds of attacks. In this paper we present a survey of the different classes of hardware security devices and depict their different functional range and application. We demonstrate the feasibility of our approach by conducting a case study on an exemplary implementation of a function-on-demand use case. In particular, our example outlines how to apply the different hardware security approaches in practice to address real-world security topics. We conclude with an assessment of today’s hardware security devices.

For the aerodynamic development of an aircraft the induced drag is an important quantity and it has a significant impact on the design of the wing. The induced drag corresponds to the power requirement of the wing to generate the necessary lift. In many cases this is the dominant source of drag for aircraft. In ground vehicle aerodynamics the concept of induced drag up to now has attracted much less attention. This is partly due to the fact, that vehicle aerodynamicists usually optimize the vehicles to generate little or no lift. The second reason is that it is much more difficult for a ground vehicle to separate the total drag into the different contributions. During wind tunnel tests of vehicles with and without ground simulation some astonishing results were found, especially when comparing results for different rear end shapes.

The German funded project ARAMiS included work on several demonstrators one of which was a multicore approach on large scale software integration (LSSI) for the automotive domain. Here BMW and Audi intentionally implemented two different integration platforms to gain both experience and real life data on a Hypervisor based concept on one side as well as using only native AUTOSAR-based methods on the other side for later comparison. The idea was to obtain figures on the added overhead both for multicore as well as safety, based on practical work and close-to-production implementations. During implementation and evaluation on one hand there were a lot of valuable lessons learned about multicore in conjunction with safety. On the other hand valuable information was gathered to make it finally possible to set up a cost model for estimation of potential overhead generated by different integration approaches for safety related software functions.

Electronic Control Units of safety critical systems require constant monitoring of the hardware to be able to bring the system to a safe state if any hardware defects or malfunctions are detected. This monitoring includes memory checking, peripheral checking as well as checking the main processor core. However, checking the processor core is difficult because it cannot be guaranteed that the error will be properly detected if the monitor function is running on a processing system which is malfunctioning. To circumvent this issue, several previously presented monitoring concepts (e.g. SAE#2006-01-0840) employ a second external microprocessor to communicate with the main processor to check its integrity. This paper will present a concept which maps the functions of the external monitoring unit into an internal second processing core which are frequently available on modern, 32bit, monolithic, dual-core microcontrollers.

Helmholtz-resonators are discussed in technical acoustics normally in conjunction with attenuation of sound, not with amplification or even production of sound. On the other hand everybody knows the sound produced by a bottle, when someone blows over the orifice. During the investigation of the sound produced in body gaps it was found that the underlying flow physics are closely related to the Helmholtz-resonator. But different from the typical Helmholtz-resonator generated noise – as for example the blown bottle or, from the automotive world, the sun roof buffeting – there is no fluid resonance involved in the process. For body gaps the random pressure fluctuation of the turbulent boundary layer is sufficient to excite the acoustic resonance in the cavity. The sound generation is characterized by a continuous rise in sound pressure level with increasing velocity, the rise is proportional to U with varying exponents.

The increased pressure for power, space, and cost reduction in automotive applications together with the availability of high performance, automotive qualified multicore microcontrollers has lead to the ability to engineer Domain Controller ECUs that can host several separate applications in parallel. The standard automotive constraints however still apply, such as use of AUTOSAR operating system, support for legacy code, hosting OEM supplied code and the ability to determine warranty issues and responsibilities between a group of Tier 1 and Tier 2 vendors who all provide Intellectual Property to the final production ECU. Requirements for safety relevant applications add even more complexity, which in most current approaches demand a reconfiguration of all basic software layers and a major effort to redesign parts of the application code to enable co-existence on the same hardware platform. This paper outlines the conflicting requirements of hosting multiple applications.

A region with floor boundary-layer suction upstream of the vehicle to remove the oncoming boundary layer is often used in automotive wind tunnels. These suction systems inevitably change the empty-tunnel pressure gradient. In this paper, the empty-tunnel pressure gradient created by the use of boundary layer suction and its effect on measured drag are investigated. By using excess suction - more suction than necessary to remove the floor boundary layer – it was possible to show experimentally that the major part of the drag increase due to boundary layer suction is created by unintended gradient effects. Only a minor part of the drag increase is due to the increased flow velocities at the lower parts of the vehicle, or in other words, due to the improved ground simulation. A theoretical model, using the concept of horizontal buoyancy to predict the gradient effect, is proposed. The model is compared to the experimental results as well as to CFD calculations.

Structural component testing is essential for the development process to have an early knowledge of the real world behaviour of critical structural components in crash load cases. The objective of this work is to show the development for a self-sufficient structural component test bench, which can be used for different side impact crash load cases and can reflect the dynamic behaviour, which current approaches are not able. An existing basic system is used, which includes pneumatic cylinders with a controlled hydraulic brake and was developed for non-structural deformable applications only (mainly occupant assessments). The system is extended with a force-distance control. The method contains the analysis of a whole vehicle FEM simulation to develop a methodology for controlled force transmission with the pneumatic cylinders for a structural component test bench.

One main goal of the automotive industry is to reduce the aerodynamic drag of passenger vehicles. Therefore, a deeper understanding of the flow field is necessary. Time-resolved data of the flow field is required to get an insight into the complex unsteady flow phenomena around passenger vehicles. This data helps to understand the temporal development of wake structures and enables the analysis of the formation of vortical structures. Numerical simulations are an efficient method to analyze the time-resolved data of the unsteady flow field. The analysis of the steady and unsteady numerical data is only relevant for aerodynamic developments in the wind tunnel, if the predicted temporal evolving structures of a passenger vehicle’s simulated flow field correspond to the structures of the flow field in the wind tunnel. In this study, time-resolved measurements of the empty wind tunnel and a notchback passenger vehicle in the wind tunnel are conducted.

This paper proposes end-to-end protection mechanisms to be added to a generic FlexRay network in order to achieve fault detection and integrity levels sufficient for a SIL3 fail safe communication system. The mechanisms are derived from the random hardware failure modes to be considered for communication controllers according to IEC 61508. Mechanisms provided by the FlexRay protocol are pointed out. Additional features necessary to fulfil the requirements are discussed. It is shown how to calculate the failure rate probabilities of the CRC used as a safety code with respect to EN 50159.