Dependability Services in the EASIS Software Platform

Transcription

Electronic Architecture and System Engineering
for Integrated Safety Systems
Dependability Services in the EASIS Software Platform
Martin Hiller
Volvo Technology Corporation
[email protected]
Workshop on Architecting Dependable Systems
June 27, 2006
Philadelphia, USA
Workshop on Architecting Dependable Systems, June 27, 2006
Outline
Background
> ”The Virtual Safety Belt”
> Project data
> Related projects
> Results overview
Software platform
> Layered architecture
> Fault management framework
> Dependability support
> Security support
Martin Hiller, Volvo | © EASIS Consortium
2
The Virtual Safety Belt
ctio
e
s
r
Inte
ed
t
h
g
esi
r
o
F
ety
f
a
ns
g
vin
i
r
D
W
g&
n
i
arn
ms
e
t
s
Sy
e
nc
a
t
sis
As
, ems
s
tem Syst
s
Sy ion
h
s ect
a
r
t
e-c Pro
r
P le
b
rsi
e
v
Re
l
ua
t
r
Vi
e
Th
fe t
a
S
elt
B
y
3
Issues for integrated safety systems
> Integration of domain (cabin, chassis, powertrain, …) overlapping
safety functions with high dependability
> Handling of high system complexity
> Integration and multi-usage of environment sensing
> Integration of telematics services for safety systems
4
Project data
Coordinator:
Starting Date:
Ending Date:
Budget Total/Funding:
Web site:
DaimlerChrysler (Dr. Vera Lauer)
01.01.2004
28.02.2007
9,4 M€ / 5 M€
www.easis.org
22 partners
OEM’s
Automotive
suppliers
Tool
suppliers
Research
institutes
5
Related projects (Integrated Safety Programme defined by EUCAR*)
Ongoing Projects
Common, agreed adaptive HMI
Common, agreed adaptive HMI
interface
interface
Common E/E
Common E/E
architecture for vehicles
architecture for vehicles
“AIDE”
“AIDE”
“EASIS”
“EASIS”
AB
ABVolvo
Volvo
DaimlerChrysler
DaimlerChrysler
Systems for passenger
Systems for passenger
protection
protection
Systems for post accident
Systems for post accident
rescue
rescue
“APROSYS”
“APROSYS”
“GST”
“GST”
Systems for accident
Systems for accident
prevention
prevention
“PReVENT”
“PReVENT”
DaimlerChrysler
DaimlerChrysler
TNO
TNO
Recently Started
Connecting
Connecting
intelligent vehicle
intelligent vehicle
and infrastructure for
enhanced SAFETY
enhanced SAFETY
Connecting
Connecting
intelligent vehicle
intelligent vehicle
enhanced EFFICIENCY
enhanced EFFICIENCY
“SAFESPOT”
“SAFESPOT”
“CVIS”
“CVIS”
CRF
CRF
ERTICO
ERTICO
ERTICO
ERTICO
Methodology for accident
Methodology for accident
causation analysis
causation analysis
“TRACE”
“TRACE”
Renault
Renault
Vehicle-to-Vulnerable road
Vehicle-to-Vulnerable road
user cooperative technologies
user cooperative technologies
to improve safety
to improve safety
“Watch-Over”
“Watch-Over”
CRF
CRF
Software for Traffic Efficiency
Software for Traffic Efficiency
and Safety
and Safety
“ATESST”
“ATESST”
*European Council on Automotive R&D
AB
ABVolvo
Volvo
6
(AUTomotive Open System ARchitecture)
AUTOSAR
> Standardized, openly disclosed interfaces
> HW independent SW layer
> Transferability of functions
AUTOSAR RTE
> By specifying interfaces and their communication
mechanisms, the applications are decoupled from
the underlying HW and basic SW, enabling the
realization of Standard Library Functions
Consortium of over 100 members (and growing)
> Partners from Europe, US, Japan
> No public funding
Check www.autosar.org for more information.
7
Expected final results
EASIS will provide enabling technologies for the introduction of future
integrated safety systems
> Software platform providing common
> Methods and techniques for handling
services for cooperation between safety
critical dependability-related parts of the
systems
development lifecycle
> Dependable electronics hardware
> Engineering process and tool chain
infrastructure, which supports the
supporting the development of
requirements of these systems in a cost
cooperating safety systems
effective manner
8
Overall software topology
L5
L4
Application software
(including ISS components)
Application interface
L3
Common services
and abstractions
L2
Microcontroller abstraction
and device drivers
L1
Microcontroller hardware
9
Scalable EASIS hardware architecture
GW
node
unit
GW
node
DRIVERS
Gateway
INPUT LOGIC
Power Supply
MAIN
PROCESSOR
SUPER
VISOR
-
INTERFACE
Time Triggered Bus
FS
FO
INPUT LOGIC
DRIVERS
Power Supply
FS
MAIN
PROCESSOR
FS
SUPER
VISOR
-
INTERFACE
Time Triggered Bus
10
EASIS framework for dependability
Identification of hazards
Development
and design of
Classification of
Hazard occurrence
the integrated
hazards
analysis
safety system
Establishment of dependability-related
requirements
Verification and
validation of
dependabilityrelated
Final dependability assessment
requirements
11
EASIS engineering process
Basic Function
(“inner loop”)
ISS Function
(“outer loop”)
12
Validation / Proof of concept
SAFELANE
(PReVENT)
FS
Unit
FS
Unit
Central Node
Validator 1: Telematics
gateway validator to prove
EASIS SW & HW architecture
FS
Unit
FS
Unit
FS
Unit
FS
Unit
Steering wheel
sensor
S3
S4
S1
S2
M2
M1
Vehicle dynamic
simulator
Telematics
Gateway
Steering wheel
feedback actuator
Validator 2: Commercial vehicle
Hardware In the Loop testbench to
prove EASIS dependability
guidelines and development process
13
Outline
Background
> Project data
> Related projects
> Results overview
Software platform
> Security support
14
Overall software topology
L5
L4
Application software
(including ISS components)
Application interface
L3
Common services
and abstractions
L2
Microcontroller abstraction
and device drivers
L1
Microcontroller hardware
15
Basic software platform – assumptions

EASIS will not primarily focus on defining basic services
>
However, we will specify which services we require, and assume that these services are defined or being
defined elsewhere

Basic services
>
Communication managers (CAN, LIN, FlexRay, etc.)
>
High-level protocols
•
Basic network specific transport protocols (e.g. ISO 15765, LIN TP)
•
Calibration protocols (e.g. XCP)
•
…
>
Network management
>
Diagnostic interfaces
•
E.g. ISO 14229 or ISO 14230
>
NVRAM manager
>
Operating system
>
…
16
Dependability services
A set of services and mechanisms concerning dependability has been defined.
These are to support the following
> Fault tolerant communication
•
OSEK/VDX FTCom – same as used in AUTOSAR
> Voting/Agreement protocol
> Watchdog management
> Reconfiguration of applications
> Replication of application components
> Gateway
> Firewall
17
Fault management framework

Dependability and diagnosis services are part of a larger framework for on-board diagnosis
Æ Fault management framework

Main goals
>
To give a global view of the fault management issue
>
To ensure the consistency of the fault management strategies
>
To define central software artifacts for in-vehicle fault management and dependability
Focus of activities
>
Act upon error detection notification
>
Trace and identify faults
>
Tolerate faults
>
Other dependability activities
The structure which “glues” those different elements together
>
Note that not all parts of the framework are necessarily implemented software artifacts
18
Fault management framework – current modular view
Application 1
Application 2
...
Application n
Application Interface
Logging
Fault State Manager
Device and
network
managers
Drivers
Supervision
Reconfiguration
NVRAM
OS / System
System
monitoring
scheduling
memory
19
Agreement (and voting)

Byzantine faults may occur
> Sender malfunctioning
> Communication medium faulty
> …

Based on Signed Message Protocol
• Sensor value
• Actuator command
•…
S(1) S(2) … S(n)
S(1)
Voter
Receiver 1
S(FT)
Status
S(0)
S(2)
S(1) S(2) … S(n)
Receiver 2
Sender
Voter
S(FT)
Status
…
S(n)
S(1) S(2) … S(n)
Receiver n
Voter
S(FT)
Status
20
Watchdog
A1
Error detection at two levels
A2
A3
Nominal case: all tasks are executed without problems and all deadlines are met
Time
> Task level
Error case – example 1: a task crashes during execution – application is unavailable
•
Crashing tasks
•
Hanging tasks
Time
Error case – example 2: a task crashes during execution – all applications are unavailable
Time
> Runnable level
•
Faulty execution order
R1
Runnables are the smallest
schedulable/mappable entities.
Illegal branch
R2
R3
R4
21
Software watchdog – The solution (part I)
ALIVE-signals/heartbeat from application components
Application component malfunctions (crash, incorrect
control flow, etc.)
Time
The malfunction is detected and recovery actions
can be initiated (e.g. restart or reconfiguration).
Execution time monitoring of application components
START from application
component
FINISH
START
Time
Execution time budget
Execution time budget exceeded.
Recovery actions can be initiated.
22
Software watchdog – The solution (part II)
R1
Illegal branch
R2
Heartbeats
indicate source
Runnable
Successors
R1
R2
R2
R3, R4
R3
R4
R4
…
…
…
R3
R4
R3 ∉ SUCC(R1) = {R2}
Error detected!
23
Reconfiguration of applications
Reconfiguration can be triggered by the FMF
Three levels
> Reconfiguration of active task set
•
Switch between predefined task sets
•
Puts some constraints on mapping of runnables to tasks
> Functional inhibition
•
Passive w.r.t. platform Æ application receives info and has to act on this
> ECU level reset
•
If all else fails Æ Ctrl-Alt-Del the ECU
24
Replication of application components at the task level
Basic support required:
> Input provider service
> Output collector service
> Synchronization service
C1
IN
C2
OUT
C3
25
The Communicating Vehicle
Workshops and other
service providers
Other vehicles
Infrastructure
External
communication
Handheld devices
Other sources…
Internal
communication
26
Gateway – relaying information from source to destination
Vehicle wide transport protocol: EASIS Common Transport Protocol (CTP)
> Every ECU has a global alias
> Routing tables in the gateways ensure proper delivery
27
Firewall – Protection against malicious attackers
Platform support contains firewall-based access control
Application level firewalls have to be implemented by the application developers
> Thus, the platform will not check contents of messages – this is the responsibility
of the applications
28
Outline
Background
> Project data
> Related projects
> Results overview
Software platform
> Fault Management Framework
> Security support
29
Thank you for your attention!
Get more info on www.easis.org or get your copy of the project folder