Quantitative Evaluation of the Safety of X-by-Wire Architectures subject to EMI Perturbations
Cédric Wilwert, Françoise Simonot-Lion, Ye-Qiong Song, François Simonot
3rd Nancy-Saarbrücken Workshop on Logic, Proofs and Programs, Nancy, 13-14 October 2005
Slide transcript (uploaded by simonot, September 14, 2007; 111 views)

X-by-Wire and safety assessment: which issue?
- critical functions of the steering system: steering according to the driver's request, and force feedback to the steering wheel
- Steer-by-Wire: the steering function is computed from the driver's request and carried over an electronic architecture (three build slides: the steering system, the steering function, the driver's request)

TDMA-based protocol

TDMA protocol (Time Division Multiple Access), TTP/C
- Slot: time interval in which one node sends a message (frame)
- Round (cycle): a sequence of slots such that each node sends exactly once (TTP/C)

TDMA protocol - Fault Tolerant Unit (FTU)
- FTU: redundant nodes performing identical computations
- message redundancy in each TDMA round (the slide shows nodes a1 and a2 of one FTU, each with its own slot in every round on the bus)

TDMA protocol for X-by-Wire systems
- deterministic response time
- fault detection (heartbeat: a node that does not send in its slot is detected as failed)

Impact of an EMI perturbation on a TDMA-based communication system
- the bus carries a sequence of rounds, each either OK or KO (corrupted); the slide shows the pattern OK OK KO KO KO OK
- what are the quality, performance and dependability of the system? what is the safety of the vehicle?

Standards and certification
- a Steer-by-Wire system is a safety-critical system
- probability of a critical failure in one hour < 10^-8 (IEC 61508 / SIL 4)
- verification on an operational architecture? regulatory laws, certification and standards
- quantitative evaluation of safety is established for mechanical / hydraulic components and architectures; for electronic devices and the behavior of the software architecture (tasks, messages): ????

A contribution to the safety assessment of X-by-Wire systems
- quantitative evaluation of a failure probability in an extreme situation for the vehicle (worst case)
- focus on the communication (TDMA-based protocol) and on EMI perturbations
- granularity: one TDMA cycle
- transient faults (EMI perturbations): from transient faults to vehicle failure
- a metric and means for safety evaluation

Outline
- Introduction
- Key points for the safety assessment of an X-by-Wire system
- Technical solutions
- Case study
- Conclusions

Leading angles of the method
- robustness of the control law
- the system is possibly perturbed: how? for how long?

Robustness of the control law
- the control law is used as a black box
- Matlab / Simulink model of the vehicle (SimulinkCar, PSA Peugeot-Citroën) and of the control law, for an "extreme" situation of the vehicle (worst case)
- fault injection + simulations
- two results: the acceptable length of a TDMA cycle, and hmax, the maximal number of consecutive lost TDMA cycles the control law tolerates

How is a TDMA cycle affected by a perturbation?
- error model obtained by measurement (know-how of PSA Peugeot-Citroën)
- result: Perr, the probability for a TDMA cycle to be fully corrupted when the network is subjected to a perturbation

How long is a perturbation?
- electric field level along a reference road, based on the results of a French project and measured on board
- assuming a tolerance level of the embedded electronic components, the portions of the road where the field exceeds that level form the possibly perturbed area (two further slides of measurements, not reproduced in the transcript)

Technical solutions
Given:
- hmax: tolerance, the maximal number of consecutive corrupted TDMA cycles
- hwc: length of the perturbation in TDMA cycles (extreme situation for the vehicle, worst-case perturbation cover)
- Perr: probability for one TDMA cycle to be corrupted
Problem: determine the probability of having more than hmax consecutive corrupted cycles among hwc cycles (under Perr): Pfail(hmax, hwc, Perr)

This is similar to "consecutive-k-out-of-n:F" systems, C(k,n:F):
- the system is an ordered sequence of n components
- the system fails if and only if more than k consecutive components fail (in the usual definition of C(k,n:F) the system fails when at least k consecutive components fail; with the slide's "more than hmax" criterion this is k = hmax + 1)
- Ln: the number of consecutive failed components
- Recurrence relation: the formula on this slide is not included in the transcript

Case study: a Steer-by-Wire system
- extreme situation: vehicle speed 90 km/h, sharp turning, perturbed area = 2 s
- robustness: hmax = 7 TDMA cycles
- impact of the EMI perturbation: Perr = 5·10^-3
- duration of the possibly perturbed area: hwc = 336 TDMA cycles (2 s / 336 cycles, i.e. a TDMA cycle of about 6 ms)
- Pfail(hmax, hwc, Perr) = 2.87·10^-8

Case study: configuration of a system
- the same evaluation over the design parameters Perr, the TDMA cycle length (ms) and the pair (hwc, hmax) (table not included in the transcript)

Conclusions
- a contribution to the dependability evaluation of an embedded system
- from a transient fault at communication level to a safety property at vehicle level
- mathematical evaluation / simulation
- generalisation: variable Perr (error pattern, Markov process); other systems (e.g. dependability of applications based on wireless networks)
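The consecutive-k-out-of-n:F computation behind Pfail(hmax, hwc, Perr), as an added Python example: this is not the authors' code and the slides do not give their recurrence or their error model, so the block assumes that each TDMA cycle is corrupted independently with probability Perr (an i.i.d. Bernoulli model), with an optional second parameter p_err_after_err for a bursty two-state Markov error pattern of the kind the conclusions mention. The function names, the brute-force cross-check, cycles_in_window and the burst value 0.5 are all assumptions. Under the plain i.i.d. assumption the slide's parameters (hmax = 7, hwc = 336, Perr = 5·10^-3) give a figure of the order of 10^-16, far below the 2.87·10^-8 on the slide, so the slide's error model or failure criterion evidently differs from this one; the block demonstrates the run-length computation, not a reproduction of the slide's number.

```python
"""Probability that a window of n TDMA cycles contains a run of more than k
consecutive corrupted cycles: the consecutive-k-out-of-n:F failure criterion
of the slides, with k = hmax and n = hwc.

Added example. Assumptions not stated on the slides: corruptions of cycles
are independent with probability p_err, optionally with a different
probability p_err_after_err once the previous cycle was already corrupted
(a two-state Markov error pattern).
"""
from itertools import product
from math import ceil


def p_fail_consecutive(k, n, p_err, p_err_after_err=None):
    """Dynamic programme over the current run length of corrupted cycles.

    State j in 0..k is the run length while the system still works; the
    (k+1)-th consecutive corruption moves probability mass into `failed`,
    which is absorbing. Cost O(n*k) instead of enumerating 2**n patterns.
    """
    if p_err_after_err is None:
        p_err_after_err = p_err          # plain i.i.d. (Bernoulli) model
    dist = [0.0] * (k + 1)
    dist[0] = 1.0                        # start with no corrupted cycle
    failed = 0.0
    for _ in range(n):
        new = [0.0] * (k + 1)
        for j, pr in enumerate(dist):
            if pr == 0.0:
                continue
            p = p_err if j == 0 else p_err_after_err
            new[0] += pr * (1.0 - p)     # cycle OK: the run resets
            if j == k:
                failed += pr * p         # more than k consecutive: failure
            else:
                new[j + 1] += pr * p     # run grows by one cycle
        dist = new
    return failed


def p_fail_bruteforce(k, n, p_err):
    """Exhaustive cross-check for small n under the i.i.d. model."""
    total = 0.0
    for pattern in product((0, 1), repeat=n):    # 1 = corrupted cycle
        run = longest = 0
        for corrupted in pattern:
            run = run + 1 if corrupted else 0
            longest = max(longest, run)
        if longest > k:
            m = sum(pattern)
            total += p_err ** m * (1.0 - p_err) ** (n - m)
    return total


def cycles_in_window(duration_s, cycle_ms):
    """hwc: number of TDMA cycles covering a perturbed area of duration_s seconds."""
    return ceil(duration_s * 1000.0 / cycle_ms)


if __name__ == "__main__":
    # Parameters as they appear on the case-study slide.
    hmax, hwc, perr = 7, 336, 5e-3
    print("i.i.d. model:  ", p_fail_consecutive(hmax, hwc, perr))
    # Assumed bursty pattern: once a cycle is corrupted, the next one is
    # corrupted with probability 0.5. Same Perr for the first cycle of a
    # burst, but a much larger Pfail: burstiness dominates this metric.
    print("bursty model:  ", p_fail_consecutive(hmax, hwc, perr, p_err_after_err=0.5))
    print("hwc for 2 s at 6 ms/cycle:", cycles_in_window(2.0, 6.0))
```

The design point to take from the bursty variant is the one the conclusions raise: with a run-length failure criterion, the probability that an error is followed by another error matters far more than the marginal Perr, so a measured error pattern (or a Markov model fitted to it) should replace the independence assumption before any comparison with the 10^-8 per hour target. The Pfail computed here is per perturbed window, and converting it to a per-hour figure needs the frequency of such windows, which the slides do not give.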