Search Results

Event

2022 Thermal Management Systems Symposium

2024-04-17
The Thermal Management Systems Symposium brings together the passenger and commercial vehicle industry to discuss the latest regulatory impacts and the applications that reduce engine emissions, conserve energy, reduce noise, improve the cabin environment, and increase overall vehicle performance.
Journal Article

A Comparison of Dual-Core Approaches for Safety-Critical Automotive Applications

2009-04-20
2009-01-0761
Safety is a requirement for an increasing number of automotive applications. Recent safety standards set requirements for designing safety-critical systems; among others, these specifications include comprehensive detection and handling of hardware faults. Currently emerging dual-core microcontrollers provide a cost-effective opportunity to fulfill these requirements. In this paper we analyze a safety-critical application example and discuss two different approaches, an application-specific approach and a generic approach, for implementing functional safety requirements on a dual-core microcontroller. An investigation of the associated concepts, called function monitoring architectures and generic architectures, reveals their differences as well as their respective advantages and disadvantages. Besides effects on safety, effects on reliability, modifiability and costs are evaluated and presented graphically.
Technical Paper

A Comprehensive Hazard Analysis Technique for Safety-Critical Automotive Systems

2001-03-05
2001-01-0674
Hazard analysis plays an important role in the development of safety-critical systems. Hazard analysis techniques have been used in the development of conventional automotive systems. However, as future automotive systems become more sophisticated in functionality, design, and applied technology, the need for a more comprehensive hazard analysis approach has arisen. In this paper, we describe a comprehensive hazard analysis approach for system safety programs. This approach involves applying a number of hazard analysis techniques and then integrating their results, attempting to overcome the narrower scope of the individual techniques while obtaining the benefits of all of them.
Technical Paper

A Computer Simulation Analysis of Safety Critical Maneuvers for Assessing Ground Vehicle Dynamic Stability

1993-03-01
930760
Ground vehicle dynamic stability, including spinout and rollover, is highly dependent on maneuvering conditions and the nonlinear force response characteristics of tires. Depending on vehicle configuration, unstable behavior requires high, sustained lateral acceleration, and some maneuver induced excitation of the roll and yaw mode dynamics. Dynamic instability in some vehicles can be induced by a steering reversal maneuver that involves sustained limit performance lateral acceleration. Using a validated vehicle dynamics simulation, analysis is presented to illustrate what constitutes a critical stability sensitive maneuver. Two example test cases are used to show that a critical stability sensitive maneuver must be more severe than a single lane change. Even reaching tire saturation limits during an aggressive single lane change does not give the sustained lateral acceleration required to provoke instability conditions.
Technical Paper

A Discussion of the Performance Evaluation of Time Synchronization Algorithms for Networked Control Systems by Means of Model and Simulation

2014-09-30
2014-36-0382
With the growing complexity and integration of systems such as satellites, automobiles, aircraft, turbines, power controls and traffic controls, as prescribed by the SAE ARP 4754A standard, time de-synchronization can cause serious or even catastrophic failures. Time synchronization is a very important aspect of achieving high performance, reliability and determinism in networked control systems. Such systems operate in a real-time distributed environment which frequently requires a consistent time view among different devices, levels and granularities. So, to guarantee high performance, reliability and determinism, a performance evaluation of the time synchronization of the overall system is required. This performance evaluation can be done in different ways, such as by experiments and/or by model and simulation.
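
The abstract above evaluates time synchronization "by model and simulation" without saying what the model contains. The following C program is an added example, not code from the paper: a minimal model of one two-way timestamp exchange of the kind used by NTP and IEEE 1588/PTP, and a simulation that measures the estimation error when the two link directions have different delays. The struct and function names, the nanosecond values and the 500 ns server turnaround are all assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* One two-way exchange, all timestamps in nanoseconds.
 * t1: client send (client clock)   t2: server receive (server clock)
 * t3: server send (server clock)   t4: client receive (client clock) */
typedef struct {
    int64_t t1, t2, t3, t4;
} sync_exchange_t;

/* Model of the exchange (constructed for this example). true_offset is
 * (server clock - client clock); d_fwd and d_back are the one-way link
 * delays in each direction; proc is the server's turnaround time. */
sync_exchange_t model_exchange(int64_t t1, int64_t true_offset,
                               int64_t d_fwd, int64_t d_back, int64_t proc)
{
    sync_exchange_t e;
    e.t1 = t1;
    e.t2 = t1 + d_fwd + true_offset;     /* stamped by the server clock */
    e.t3 = e.t2 + proc;
    e.t4 = e.t3 - true_offset + d_back;  /* stamped by the client clock */
    return e;
}

/* Offset estimate used by NTP/PTP-style protocols:
 * ((T2 - T1) + (T3 - T4)) / 2. It is exact only for symmetric delay. */
int64_t estimate_offset(const sync_exchange_t *e)
{
    return ((e->t2 - e->t1) + (e->t3 - e->t4)) / 2;
}

/* Round-trip link delay with the server's turnaround time removed. */
int64_t round_trip_delay(const sync_exchange_t *e)
{
    return (e->t4 - e->t1) - (e->t3 - e->t2);
}

/* From a single exchange the client can only bound the true offset to
 * estimate +/- (round trip / 2). A link (or an attacker on it) that delays
 * one direction more than the other shifts the estimate by half the
 * asymmetry, and nothing in the four timestamps reveals it. */
int64_t offset_error_bound(const sync_exchange_t *e)
{
    return round_trip_delay(e) / 2;
}

/* Evaluation by simulation: estimation error for a given delay asymmetry. */
int64_t sync_error(int64_t true_offset, int64_t d_fwd, int64_t d_back)
{
    sync_exchange_t e = model_exchange(1000000, true_offset, d_fwd, d_back, 500);
    return estimate_offset(&e) - true_offset;
}

int main(void)
{
    int64_t asym[] = {0, 1000, 2000, 4000};
    for (unsigned i = 0; i < sizeof asym / sizeof asym[0]; i++) {
        int64_t err = sync_error(250000, 2000 + asym[i], 2000);
        printf("asymmetry %5lld ns -> offset error %5lld ns\n",
               (long long)asym[i], (long long)err);
    }
    return 0;
}
```

The simulation makes the evaluation criterion concrete: the error is exactly half the delay asymmetry, so a synchronization requirement has to be stated together with the asymmetry the network (and its threat model) is allowed to have, not only with the protocol's nominal accuracy.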
Technical Paper

A Discussion on the Effects and Mitigation of Single Event Upsets on Avionics Systems to Help in Developing Future Requirements

2011-10-04
2011-36-0256
Avionics systems are increasingly used to perform safety-critical functions at high altitudes, but their increasing capacity and concentration of memory and logic lead to more frequent occurrences of single event upsets, especially at high altitudes. In this work we discuss the effects and mitigation of single event upsets on avionics systems to help in developing future requirements. To do that, we initially present the concepts of the radiation environment of the atmosphere, radiation-induced errors, single event upsets, etc. Then we discuss some of their effects on avionics systems and ways of mitigation. Finally, we discuss provisions to demand the adoption of such mitigation measures, and their sufficiency. This will help in developing future requirements to accomplish the objectives of safe operation of civil transport aircraft.
Technical Paper

A Discussion on the Process of Eliciting and Validating Requirements to Handle Single Event Upsets in Avionic Systems

2012-10-02
2012-36-0519
Avionics systems are increasingly used to perform safety-critical functions at high altitudes, but their increasing capacity and concentration of memory and logic lead to more frequent occurrences of single event upsets, especially at high altitudes. In this work we discuss the process of eliciting and validating requirements to handle single event upsets in avionics systems. To do that, we initially summarize and update the concepts of the radiation environment of the atmosphere, radiation-induced errors, single event upsets, etc. presented in a previous paper. Then we discuss some of their effects on avionics systems and ways of mitigation reported in the literature. Finally, we discuss provisions to demand the adoption of such mitigation measures, and their sufficiency, by transforming them into requirements according to the recommendations for compliance described in standards such as SAE ARP 4754A and RTCA DO-254.
Technical Paper

A Fault-Tolerant Processor Core Architecture for Safety-Critical Automotive Applications

2005-04-11
2005-01-0322
The introduction of drive-by-wire systems into modern vehicles has generated new challenges for the designers of embedded systems. These systems, based primarily on microcontrollers, need to achieve very high levels of reliability and availability, but also have to satisfy the strict cost and packaging constraints of the automotive industry. Advances in VLSI technology have allowed the development of single-chip systems, but have also increased the rate of intermittent and transient faults that come as a result of the continuous shrinkage of the CMOS process feature size. This paper presents a low-cost, fault-tolerant system-on-chip architecture suitable for drive-by-wire and other safety-related applications, based on a triple-modular-redundancy configuration at the processor execution pipeline level.
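
The two SEU abstracts above speak of "ways of mitigation" and this one of triple modular redundancy at the pipeline level, without showing either mechanism. The C code below is an added example, not code from any of these papers: a SEC-DED Hamming code protecting stored bytes against a single flipped bit while still detecting two, next to a bitwise majority voter of the kind a TMR design uses. The byte-sized code (13-bit codeword) is chosen so that the self-test can be exhaustive; real memories use the same construction on 64-bit words. All names are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* ---- SEC-DED Hamming code for one byte --------------------------------
 * Codeword bits 1..12 hold a Hamming(12,8) code: parity bits at positions
 * 1, 2, 4, 8 and data bits at 3, 5, 6, 7, 9, 10, 11, 12. Bit 0 is an
 * overall parity bit, which turns single-error correction into
 * single-error-correct / double-error-detect. */
static const unsigned data_pos[8] = {3, 5, 6, 7, 9, 10, 11, 12};

static unsigned parity(uint32_t x)
{
    unsigned p = 0;
    while (x) { p ^= 1u; x &= x - 1; }
    return p;
}

/* XOR of all codeword bits at positions whose index has bit `p` set. */
static unsigned group_parity(uint16_t cw, unsigned p)
{
    unsigned s = 0;
    for (unsigned pos = 1; pos <= 12; pos++)
        if ((pos & p) && (cw & (1u << pos))) s ^= 1u;
    return s;
}

uint16_t secded_encode(uint8_t data)
{
    uint16_t cw = 0;
    for (unsigned i = 0; i < 8; i++)
        if (data & (1u << i)) cw |= (uint16_t)(1u << data_pos[i]);
    for (unsigned p = 1; p <= 8; p <<= 1)
        if (group_parity(cw, p)) cw |= (uint16_t)(1u << p);
    if (parity(cw)) cw |= 1u;            /* make the total weight even */
    return cw;
}

typedef enum { SEU_NONE = 0, SEU_CORRECTED = 1, SEU_UNCORRECTABLE = 2 } seu_status_t;

/* Decode a (possibly upset) codeword. A triple flip can be mis-corrected;
 * that residual risk is what scrubbing intervals are sized against. */
seu_status_t secded_decode(uint16_t cw, uint8_t *data_out)
{
    unsigned syndrome = 0;
    for (unsigned p = 1; p <= 8; p <<= 1)
        if (group_parity(cw, p)) syndrome |= p;
    seu_status_t st;
    if (parity(cw)) {
        /* odd weight: one flip; the syndrome is its position (0 = parity bit) */
        cw ^= (uint16_t)(1u << syndrome);
        st = SEU_CORRECTED;
    } else if (syndrome) {
        st = SEU_UNCORRECTABLE;   /* even weight, non-zero syndrome: two flips */
    } else {
        st = SEU_NONE;
    }
    uint8_t d = 0;
    for (unsigned i = 0; i < 8; i++)
        if (cw & (1u << data_pos[i])) d |= (uint8_t)(1u << i);
    *data_out = d;
    return st;
}

/* Exhaustive check: every byte survives every single-bit flip. */
bool secded_selftest(void)
{
    for (unsigned v = 0; v < 256; v++) {
        uint16_t cw = secded_encode((uint8_t)v);
        for (unsigned bit = 0; bit < 13; bit++) {
            uint8_t d;
            if (secded_decode((uint16_t)(cw ^ (1u << bit)), &d) != SEU_CORRECTED || d != v)
                return false;
        }
    }
    return true;
}

/* ---- TMR majority voter ------------------------------------------------
 * Bitwise majority of three redundant copies. `disagree` is the signal a
 * TMR design uses to log the upset and resynchronise the faulty copy;
 * without it a second upset in the same lane later goes unvoted. */
uint32_t tmr_vote(uint32_t a, uint32_t b, uint32_t c, bool *disagree)
{
    if (disagree) *disagree = (a != b) || (b != c);
    return (a & b) | (b & c) | (a & c);
}

int main(void)
{
    uint8_t d;
    uint16_t cw = secded_encode(0xA5);
    printf("self-test %s\n", secded_selftest() ? "passed" : "FAILED");
    printf("one flip   -> status %d, data 0x%02X\n", secded_decode((uint16_t)(cw ^ 0x40u), &d), d);
    printf("two flips  -> status %d\n", secded_decode((uint16_t)(cw ^ 0x008u ^ 0x200u), &d));
    bool dis;
    printf("TMR vote   -> 0x%X (disagree=%d)\n", tmr_vote(0x1234u, 0x12B4u, 0x1234u, &dis), dis);
    return 0;
}
```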
Technical Paper

A Framework for Teaching Safety Critical Artificially Intelligent Control Systems to Undergrads

2022-05-26
2022-26-0025
There is an increasing demand to educate students on systems thinking and systems approaches at the undergraduate and graduate levels in colleges in India. Efforts are being made by industry, academia, and professional societies to join hands to bridge the gap. Specifically, there is significant emphasis on providing holistic “live” case studies and examples so that students can get their “hands dirty” on actual systems. One inhibitor faced in the aerospace domain is that actual examples are not available in the open literature, as they are considered proprietary and/or confidential. This paper illustrates a framework for educating students on systems approaches and systems thinking in a near-“live” scenario through the case of a safety-critical control system embedded with Artificial Intelligence (AI). With the recent advances in AI and increasing demands for embedding AI in complex aerospace systems, certification of such systems poses many hurdles and challenges.
Technical Paper

A Generic Modeling Approach for Automotive Power Net Consumers

2012-04-16
2012-01-0924
The integration of safety-critical and major power-consuming electrical systems presents a challenge for the development of future automotive electrical networks. Both reliability and performance must be enhanced in order to guarantee the power supply to essential electrical consumers at a sufficient degree of power quality. Often, in order to cope with these requirements, the existing wiring harness design is merely upgraded, resulting in additional complexity, weight, and cost [3]. A characterization of the wiring harness and its electrical consumers facilitates a systematic optimization approach aimed at designing new automotive power networks [1, 5]. Measurement and analysis methods to characterize the thermal behavior of the wiring harness have been presented and discussed in a previous paper [4]. This paper presents and compares two methods aimed at modeling the electrical behavior of consumers at various voltages and temperatures.
Journal Article

A High Functional Safety Performance Level Machine Controller for a Medium Size Agricultural Tractor

2014-09-30
2014-01-2421
Functional safety requirements and solutions are more expensive for lower-cost machines with less power but the same functionalities as large machines. The paper will show a real Electronic Control Unit (ECU) design of a machine controller controlling the engine working point, the transmission, and other utilities such as PTO, 4WD, brakes and differential lock; the ECU was designed in accordance with ISO 25119 to meet AgPL = C, or even D for some functionalities. The unit is a fully redundant electronic control unit with two CAN networks and some special safe-state-oriented mechanisms that allow Performance Level C with fewer software analysis requirements compared with traditional solutions. All safety-critical sensors are redundant and individually diagnosable, all command effects are directly observable and most commands are directly diagnosable.
Technical Paper

A Lightweight Spatio-Temporally Partitioned Multicore Architecture for Concurrent Execution of Safety Critical Workloads

2016-09-20
2016-01-2067
Modern aircraft systems employ numerous processors to achieve system functionality. In particular, engine controls and power distribution subsystems rely heavily on software to provide safety-critical functionality, and are expected to move toward multicore architectures. The computing hardware-layer of avionic systems must be able to execute many concurrent workloads under tight deterministic execution guarantees to meet the safety standards. Single-chip multicores are attractive for safety-critical embedded systems due to their lightweight form factor. However, multicores aggressively share hardware resources, leading to interference that in turn creates non-deterministic execution for multiple concurrent workloads. We propose an approach to remove on-chip interference via a set of methods to spatio-temporally partition shared multicore resources.
Technical Paper

A Machine Learning Approach for Automating Software Code Review

2022-05-26
2022-26-0024
Development of any safety-critical software application, such as in the aerospace industry, needs to comply with specific standards (DO-178) to meet airworthiness requirements. This standard is applicable to all airborne software. As such, the software development needs to perform certain verification activities to comply with the standard's objectives. One of the verification activities is source code inspection or review, to check that the implementation meets the specification captured in the form of requirements, as well as other aspects such as coding style guidelines and documentation (indentation used in the code, sufficient comments or notes in the code files, etc.). Generally, this activity is carried out manually, supplemented by tools deployed to check errors and standards in the code by means of static analysis, and by practices such as test-driven development (TDD), wherein testing and analysis are done prior to the reviews.
Journal Article

A Model-Based Development Approach for a Diagnostic System for a Multifunctional Fuel Cell System

2011-10-18
2011-01-2702
In this paper a model-based development approach for a diagnostic system for a multifunctional fuel cell system architecture is presented. The approach consists primarily of four parts. The first part is a description of the general steps needed to build an accurate component-based model of the system using a state-of-the-art model-based diagnostic reasoning tool; its first result is a static simulation model of nominal system behavior. The second part of the approach deals with the identification of safety-critical failure conditions (SCFCs) at system level, e.g. low power. The SCFCs are then mapped into the model, meaning that categorized physical quantities and monitoring executives are chosen that are appropriate for representing the specific SCFCs, e.g. low voltage at the outlet of the DC-DC converter module. As a result of step two there will be conflicts, i.e. discrepancies between the simulated nominal behavior and the mapped behavior.
Technical Paper

A Modeling Framework for Efficient Safety Critical Time-Triggered Architecture Design

2007-04-16
2007-01-1271
In recent years there has been an explosion of functionality embedded within automotive vehicles, leading to a dramatic increase in the number of in-vehicle ECUs. The transition from a federated to an integrated architecture would provide multiple economic benefits such as the reduction in the number of ECUs and wiring. However, software code is not composable by itself, and it is difficult to prove the time and value correctness of safety-critical and non-safety-critical applications running within the same execution unit. In addition, the deployment of x-by-wire systems will soon push the automotive industry into the area of safety-critical systems. This paper describes the “Time-Triggered Modelware” (TTM), a novel approach for the design, development and execution of safety-critical embedded systems that is based on a composable, efficient and deterministic (time- and value-domain correctness) execution environment.
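
Both the spatio-temporal partitioning abstract above and this time-triggered one rest on a static schedule that gives each partition exclusive use of the core in fixed windows of a major frame, so that applications of different criticality cannot interfere in time. The C code below is an added example, not code from either paper or tool, of the temporal half of that idea: a schedule table, the checks a design tool applies to it before it is accepted (windows inside the frame, no overlap, every partition receives its budget), the dispatch lookup a partitioning kernel performs, and the run-time fence check that traps a job running outside its window. The type names, the 10 ms frame and the two-partition layout are assumptions made for the illustration; spatial partitioning (memory and shared-resource isolation) is not modelled here.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define TT_MAX_WINDOWS    16
#define TT_MAX_PARTITIONS  8

/* A partition window: `partition` owns the core from start_us for len_us. */
typedef struct {
    unsigned partition;
    uint32_t start_us;
    uint32_t len_us;
} tt_window_t;

typedef struct {
    uint32_t    major_frame_us;
    unsigned    n_windows;
    tt_window_t win[TT_MAX_WINDOWS];          /* listed in time order */
    uint32_t    budget_us[TT_MAX_PARTITIONS]; /* CPU time each partition needs per frame */
} tt_schedule_t;

enum { TT_OK = 0, TT_ERR_FRAME = 1, TT_ERR_OVERLAP = 2, TT_ERR_BUDGET = 3, TT_ERR_PARTITION = 4 };

/* Design-time validation of the schedule table. */
int tt_validate(const tt_schedule_t *s)
{
    uint64_t got[TT_MAX_PARTITIONS] = {0};
    uint64_t prev_end = 0;
    if (s->n_windows > TT_MAX_WINDOWS) return TT_ERR_FRAME;
    for (unsigned i = 0; i < s->n_windows; i++) {
        const tt_window_t *w = &s->win[i];
        uint64_t end = (uint64_t)w->start_us + w->len_us;   /* 64-bit: no wrap */
        if (w->partition >= TT_MAX_PARTITIONS) return TT_ERR_PARTITION;
        if (end > s->major_frame_us) return TT_ERR_FRAME;
        if (w->start_us < prev_end) return TT_ERR_OVERLAP;  /* also rejects unordered tables */
        prev_end = end;
        got[w->partition] += w->len_us;
    }
    for (unsigned p = 0; p < TT_MAX_PARTITIONS; p++)
        if (got[p] < s->budget_us[p]) return TT_ERR_BUDGET;
    return TT_OK;
}

/* Dispatch lookup: which partition owns the core at time t; -1 = idle slack. */
int tt_partition_at(const tt_schedule_t *s, uint32_t t_us)
{
    uint32_t t = t_us % s->major_frame_us;
    for (unsigned i = 0; i < s->n_windows; i++)
        if (t >= s->win[i].start_us && t < s->win[i].start_us + s->win[i].len_us)
            return (int)s->win[i].partition;
    return -1;
}

/* Run-time fence: a job of `partition` that executed from start to end must
 * lie entirely inside one of that partition's windows. Anything else is a
 * temporal violation the partitioning kernel has to trap, because the
 * overrun is stolen from whichever partition is scheduled next. */
bool tt_job_in_window(const tt_schedule_t *s, unsigned partition,
                      uint32_t start_us, uint32_t end_us)
{
    uint32_t a = start_us % s->major_frame_us;
    uint32_t b = a + (end_us - start_us);
    for (unsigned i = 0; i < s->n_windows; i++) {
        const tt_window_t *w = &s->win[i];
        if (w->partition == partition && a >= w->start_us && b <= w->start_us + w->len_us)
            return true;
    }
    return false;
}

/* Constructed example: 10 ms frame, partition 0 (control) and partition 1 (I/O). */
tt_schedule_t tt_example(void)
{
    tt_schedule_t s = {0};
    s.major_frame_us = 10000;
    s.n_windows = 4;
    s.win[0] = (tt_window_t){0,    0, 3000};
    s.win[1] = (tt_window_t){1, 3000, 2000};
    s.win[2] = (tt_window_t){0, 6000, 2000};   /* 5000..6000 is deliberate slack */
    s.win[3] = (tt_window_t){1, 8000, 1000};
    s.budget_us[0] = 5000;
    s.budget_us[1] = 3000;
    return s;
}

int main(void)
{
    tt_schedule_t s = tt_example();
    printf("schedule valid: %d\n", tt_validate(&s) == TT_OK);
    for (uint32_t t = 0; t < 10000; t += 2500)
        printf("t=%5u us -> partition %d\n", (unsigned)t, tt_partition_at(&s, t));
    printf("job 1 @ 4500..5200 inside window: %d\n", tt_job_in_window(&s, 1, 4500, 5200));
    return 0;
}
```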
Technical Paper

A New Image De-hazing Method for Safety Critical ADAS Applications

2015-01-14
2015-26-0009
Driver safety and Advanced Driver Assistance Systems (ADAS) are gaining a lot of importance these days. In some countries, there are strict regulations in place which mandate the use of certain ADAS features in automobiles. However, as the need for these safety-critical systems increases, the associated challenges also increase. These challenges can arise from technology, human factors or nature. In countries like India, where one can expect different weather conditions with changing geography, the associated challenges are mainly due to natural factors like haze, fog, rain and smoke. This poses a challenging problem in terms of visibility for drivers as well as for vision-based ADAS, thereby leading to many fatal road accidents. In this paper, a novel pre-processing technique is proposed which addresses the interesting problem of enhancing the perceptual visibility of an image degraded by atmospheric haze.
Technical Paper

A New Microalloyed, Multi-Phase Steel for High Strength Forging Applications

1991-02-01
910143
Forged components used in high-strength applications have traditionally been heat treated after forging. This processing route unfortunately suffers from many technical and economic shortcomings. The first attempt to overcome these difficulties led to the development of medium-carbon microalloyed steels for bar applications in the early 1970s. While these steels did not require heat treatment, their strengths were limited. Furthermore, the notch toughness of these steels was rather poor. The limitations on strength and toughness have hindered their acceptance as a substitute for conventional QT steels, especially in safety-critical components. In addition, these shortcomings eliminate the possibility of downsizing through redesign. Since the tempered martensite and the microalloyed ferrite-pearlite steels have obvious limitations, an alternative microstructure had to be developed.
Technical Paper

A New Paradigm for the Design of Safety Critical Castings

1998-02-23
980455
Recent developments in a NIST sponsored program on Design, Non-Destructive Evaluation and the Manufacturing Sciences (being conducted at Iowa State and Northwestern Universities) have led to the realization of a new paradigm for the design of safety critical components made by metal casting. The paradigm is based on the simultaneous integration of design for casting, design for fatigue performance and design for inspection. In a concurrent environment, foundry process simulation is used to predict an array of porosity related defects in the subject casting. The probability of detection of these defects is investigated with a radiographic inspection simulation tool (XRSIM). The likelihood that the predicted array of defects will lead to a failure is determined by a fatigue crack growth simulation. When properly utilized, this kind of system gives visibility to casting manufacturing, performance, and inspectability issues during the earliest stages of product definition.
Technical Paper

A Non-Intrusive Approach for Measuring Data and Control Coupling b/w Software Components: Addressing the Challenges of DO-178C Compliance, Verification and Certification

2024-06-01
2024-26-0464
Software certification guidelines, such as RTCA DO-178C, mandate the analysis of data and control coupling (DC/CC) in safety-critical avionics software using requirement-based testing. The intention of this analysis is to ensure correctness in the interactions and dependencies between software components. The shift from confirming the coupling (as in DO-178B) to verifying the exercising of the coupling (as introduced in DO-178C) transitions the DC/CC objective from an analytical exercise against the test design to a measurement exercise against the test execution. Current methodologies for measuring Data Coupling and Control Coupling (DC/CC) rely on source code instrumentation, which embeds code to record coverage information during requirements-based testing. However, this approach has significant drawbacks. Primarily, it necessitates executing tests on both the instrumented and non-instrumented versions of the code, ensuring their outputs match.
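
The abstract describes the instrumentation-based way of measuring data and control coupling that it sets out to replace, but does not show what the instrumentation records. The C program below is an added example, not code from the paper or from any DO-178C tool: two constructed components share two data items, probes at each set site, use site and call site record which couplings a requirements-based test actually exercised, and a report counts the couplings in the inventory that no test has reached. It also includes the check the abstract names as the main cost of this approach, that the instrumented and non-instrumented builds give the same outputs on the same test. All component, variable and coupling names are assumptions; the speed scaling and the 4000 rpm limit are constructed test values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Coupling inventory for two constructed components, SENSOR and CTRL. In a
 * real project this list comes from the architecture and interface control
 * documents, so that coverage is measured against the design, not the code. */
enum dc_id { DC_SPEED = 0,   /* g_speed_rpm: set by read_sensor(), used by ctrl_step()    */
             DC_CMD,         /* g_actuator_cmd: set by ctrl_step(), used by actuator_out() */
             DC_COUNT };
enum cc_id { CC_MAIN_SENSOR = 0,  /* main_cycle() -> read_sensor()             */
             CC_MAIN_CTRL,        /* main_cycle() -> ctrl_step()               */
             CC_CTRL_LIMITER,     /* ctrl_step()  -> limiter(), overspeed only */
             CC_MAIN_ACT,         /* main_cycle() -> actuator_out()            */
             CC_COUNT };

static uint8_t dc_set[DC_COUNT], dc_use[DC_COUNT], cc_hit[CC_COUNT];
static int probes_enabled = 1;   /* 0 models the non-instrumented build */

/* Probes inserted at the set site, the use site and each call site. A data
 * coupling counts as exercised only when a use follows a set in the run. */
#define DC_SET(id)  do { if (probes_enabled) dc_set[(id)] = 1; } while (0)
#define DC_USE(id)  do { if (probes_enabled && dc_set[(id)]) dc_use[(id)] = 1; } while (0)
#define CC_CALL(id) do { if (probes_enabled) cc_hit[(id)] = 1; } while (0)

static int32_t g_speed_rpm;      /* SENSOR -> CTRL data item */
static int32_t g_actuator_cmd;   /* CTRL -> output data item */

static void read_sensor(int32_t raw_adc)
{
    g_speed_rpm = raw_adc * 10;  /* constructed scaling */
    DC_SET(DC_SPEED);
}

static int32_t limiter(int32_t cmd)
{
    return cmd > 1000 ? 1000 : cmd;
}

static void ctrl_step(void)
{
    DC_USE(DC_SPEED);
    int32_t cmd = g_speed_rpm / 4;
    if (g_speed_rpm > 4000) {    /* overspeed: the only path that calls limiter() */
        CC_CALL(CC_CTRL_LIMITER);
        cmd = limiter(cmd);
    }
    g_actuator_cmd = cmd;
    DC_SET(DC_CMD);
}

static int32_t actuator_out(void)
{
    DC_USE(DC_CMD);
    return g_actuator_cmd;
}

/* One control cycle; a requirements-based test drives it with one raw value. */
int32_t main_cycle(int32_t raw_adc)
{
    CC_CALL(CC_MAIN_SENSOR); read_sensor(raw_adc);
    CC_CALL(CC_MAIN_CTRL);   ctrl_step();
    CC_CALL(CC_MAIN_ACT);    return actuator_out();
}

void coverage_reset(void)
{
    memset(dc_set, 0, sizeof dc_set);
    memset(dc_use, 0, sizeof dc_use);
    memset(cc_hit, 0, sizeof cc_hit);
}

/* Couplings in the inventory that no test so far has exercised. */
int coverage_unexercised(void)
{
    int n = 0;
    for (int i = 0; i < DC_COUNT; i++) if (!(dc_set[i] && dc_use[i])) n++;
    for (int i = 0; i < CC_COUNT; i++) if (!cc_hit[i]) n++;
    return n;
}

/* The drawback the abstract names: before the coverage data can be credited,
 * the instrumented and plain builds must be shown to behave identically. */
int instrumented_matches_plain(int32_t raw_adc)
{
    probes_enabled = 1; int32_t a = main_cycle(raw_adc);
    probes_enabled = 0; int32_t b = main_cycle(raw_adc);
    probes_enabled = 1;
    return a == b;
}

int main(void)
{
    coverage_reset();
    main_cycle(100);   /* nominal speed: the limiter path is not taken */
    printf("after nominal test:   %d coupling(s) unexercised\n", coverage_unexercised());
    main_cycle(500);   /* overspeed test exercises ctrl_step -> limiter */
    printf("after overspeed test: %d coupling(s) unexercised\n", coverage_unexercised());
    return 0;
}
```

The nominal test leaves the control coupling from ctrl_step() to limiter() unexercised even though every component ran; that is exactly the DO-178C shift the abstract describes, from confirming that the coupling exists to measuring that the tests drove it. The probes here are macros compiled into the code, which is why the plain build has to be run as well and compared.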