Search Results

A design method for ultra-dependable control-by-wire systems is presented here. With a top-down approach, exploiting the system's intrinsic redundancy combined with a scalable software redundancy, it is possible to meet dependability requirements cost-effectively. The method starts with the system's functions, which are broken down to the basic elements; task, sensor or actuator. A task graph shows the basic elements interrelationships. Sensor and actuator nodes form a non-redundant hardware architecture. The functional task-graph gives input when allocating software on the node architecture. Tasks are allocated to achieve low inter-node communication and transient fault tolerance using scalable software redundancy. Hardware is added to meet the dependability requirements. Finally, the method describes fault handling and bus scheduling. The proposed method has been used in two cases; a fly-by-wire aircraft and a drive-by-wire car.

Many automotive electronic systems must be developed using a safety process. A preliminary hazard analysis is a first and an important step in such a process. This experimental study evaluates two methods for hazard identification using an electrical steering column lock system. Both methods are found to be applicable for hazard identification in an automotive context. It is also concluded that the induction with the failure modes method is less time consuming and easier to use than the method based on induction with generic low level hazards. Further, two proposals are presented to improve efficiency and consistency, reuse of generic hazards by component profiles and a domain specific catalogue of vehicle phases.

Model based development promises to facilitate the development of embedded control systems, including design, early verification and validation as well as implementation. Existing tools are beginning to support the development of distributed control systems. There are however still challenges when it comes to integration with mechanics and methodologies for such interdisciplinary systems.

This paper describes results from fault injection experiments using heavy ions in the time-triggered communication protocol for safety critical distributed systems (TTP/C, C1 implementation). The observed results show that arbitrary faults in one erroneous node could cause inconsistencies in the cluster and thus jeopardize correctly working nodes and the whole communication system. The described inconsistencies resulted from either asymmetric value faults or slightly out of specification timing faults. This system behavior can be partly explained by too strict constraints on the fault handling algorithms using the membership agreement protocol.