Fault Tolerant Design of Distributed Automotive Systems
Claudio Pinello (pinello@eecs.berkeley.edu), Prof. Sangiovanni-Vincentelli, UC Berkeley

Introduction
Designing cost-sensitive real-time control systems for safety-critical applications requires a careful analysis of the cost/fault-coverage trade-offs. This further complicates the task of deploying the corresponding embedded software on the execution platform, which is typically distributed around the plant. We propose a synthesis-based design methodology that relieves designers from specifying how to tolerate execution-platform faults and instead involves them in the definition of the overall fault-tolerance strategy: how to address plant faults (adaptive control algorithms) and the selection of a cost-effective execution platform. Verification tools analyze the solution to extract timing and to check the fault behavior (replica determinism, coverage, etc.). Finally, a run-time library is being developed for the deployment of the resulting distributed system.

Motivation: three classes of faults
• Plant faults (plant, sensors, actuators)
  – addressed by estimation and control algorithms
• Architecture faults (channels, ECUs)
  – hardware redundancy
  – software replication
  – redundancy management
• Application faults: bugs
  – can be reduced by disciplined coding
  – code generation from formal models
  – simulation
  – formal verification

Programming model: Fault-Tolerant Dataflow (FTDF) applications
• Execution is synchronous and periodic: at each period all tasks are executed (data driven or time triggered), satisfying precedence constraints
• Inputs and Arbiters have partial firing rules: they may fire when only a subset of their inputs has arrived
• Actors have a criticality; inputs may have fan-in from redundant sources (replicas)
• Example netlist (figure): Sens -> Input -> Coarse CTRL and Fine CTRL -> Arbiter (Best) -> Output -> Act

Specification
• Application: the FTDF netlist
• Architecture
  – Connectivity: bipartite graph Arch of ECUs (Electronic Control Units) and channels, plus actuator/sensor location
  – Performance: matrix of actor/ECU execution times, matrix of data/channel transmission times
• Fault behavior
  – Failure patterns Pi ⊆ Arch: subsets of the Arch graph that may fail simultaneously (in a same iteration)
  – For each Pi, specify which functionalities must be guaranteed; typically the functionality is chosen based on criticality
  – Sample fault behavior: {}: all actors; {ECU 0} or {ECU 1} or {ECU 2}: only critical actors

Design flow
Specification (application, architecture, fault behavior) -> Synthesis (mapping of actors and their replicas onto ECUs and channels; tools shown in the figure: Parse.exe, Merge.exe, Schedule.exe) -> Verification (timing analysis, fault behavior) -> Design space exploration.
Figure: the example netlist deployed on ECU 0, ECU 1, ECU 2 over channels CH 0 and CH 1, with Sens, Input, Coarse CTRL, Arbiter Best and Output replicated across ECUs and Fine CTRL on a single ECU; dynamic (shown) and time-triggered execution are both supported.

Verification
• Verification provides timing + coverage
• Timing analysis of the mapped and scheduled netlist (figure: per-ECU schedule of the actors on ECU 0, ECU 1, ECU 2)
• If not satisfactory?
  – change architecture: more/fewer components, vary the mix of performance
  – change algorithms: introduce pipelining, reduce/increase granularity
  – change fault behavior: degrade sooner/later
  – provide hints to the synthesis tool: replicate some actors, mapping constraints, precedence constraints

Simulation
• Metropolis library to model FTDF netlists
• Support for simulation, fault injection and visualization
• Early assessment of closed-loop behavior in degraded modes
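The fault-behavior check above (failure patterns, criticality, partial firing rules, replicas) can be made concrete with a small executable model. The following Python is an added illustration, not the poster authors' synthesis or verification tools: the netlist is the poster's example, while the three-ECU/two-bus architecture, the replica mapping, the single-bus failure pattern and all names are constructed assumptions. Timing is not modeled; the check only asks whether every actor required under a failure pattern still has a firing replica.

```python
"""Coverage check for a fault-tolerant dataflow (FTDF) deployment.

Added illustration (not the poster authors' tools). One synchronous
iteration is simulated per failure pattern and the required actors that
fire nowhere are reported. ECU names, channels and mapping are constructed.
"""
from collections import deque

# Netlist from the poster's example. Each actor lists the actors it reads;
# "partial" actors (Input, Arbiter) fire when ANY of their inputs arrived.
ACTORS = {
    "Sens":        {"inputs": [],                         "partial": False},
    "Input":       {"inputs": ["Sens"],                   "partial": True},   # fan-in from sensor replicas
    "CoarseCTRL":  {"inputs": ["Input"],                  "partial": False},
    "FineCTRL":    {"inputs": ["Input"],                  "partial": False},
    "ArbiterBest": {"inputs": ["CoarseCTRL", "FineCTRL"], "partial": True},   # picks the best available
    "Output":      {"inputs": ["ArbiterBest"],            "partial": False},
    "Act":         {"inputs": ["Output"],                 "partial": False},
}
CRITICAL = set(ACTORS) - {"FineCTRL"}   # assumption: only FineCTRL is non-critical

# Architecture (constructed): three ECUs on two redundant buses; each channel
# is listed with the ECUs attached to it.
CHANNELS = {"CH0": {"ECU0", "ECU1", "ECU2"}, "CH1": {"ECU0", "ECU1", "ECU2"}}

# Fault behavior from the poster: {} -> all actors, any single ECU -> critical
# actors only. The single-bus pattern is an added assumption.
FAULT_BEHAVIOR = {
    frozenset():         set(ACTORS),
    frozenset({"ECU0"}): CRITICAL,
    frozenset({"ECU1"}): CRITICAL,
    frozenset({"ECU2"}): CRITICAL,
    frozenset({"CH0"}):  set(ACTORS),
}

# Mapping: actor -> ECUs hosting a replica (constructed). Sensor and actuator
# actors are pinned to the ECUs the hardware is attached to.
MAPPING_GOOD = {
    "Sens": {"ECU0", "ECU1"}, "Input": {"ECU0", "ECU1", "ECU2"},
    "CoarseCTRL": {"ECU0", "ECU1", "ECU2"}, "FineCTRL": {"ECU2"},
    "ArbiterBest": {"ECU0", "ECU1", "ECU2"}, "Output": {"ECU0", "ECU1", "ECU2"},
    "Act": {"ECU0", "ECU2"},
}
MAPPING_BAD = dict(MAPPING_GOOD, Act={"ECU2"})   # actuator driven from one ECU only


def topo_order(actors):
    """Kahn's algorithm: producers before consumers (precedence constraints)."""
    indeg = {a: len(d["inputs"]) for a, d in actors.items()}
    succ = {a: [] for a in actors}
    for a, d in actors.items():
        for p in d["inputs"]:
            succ[p].append(a)
    queue = deque(a for a, n in indeg.items() if n == 0)
    order = []
    while queue:
        a = queue.popleft()
        order.append(a)
        for s in succ[a]:
            indeg[s] -= 1
            if indeg[s] == 0:
                queue.append(s)
    if len(order) != len(actors):
        raise ValueError("dataflow graph has a cycle")
    return order


def reachable(src, dst, pattern):
    """Data produced on src is available on dst within the iteration: same ECU,
    or some channel attached to both that is not in the failure pattern."""
    if src == dst:
        return True
    return any(src in ecus and dst in ecus
               for ch, ecus in CHANNELS.items() if ch not in pattern)


def fired(mapping, pattern):
    """Simulate one iteration under a failure pattern.
    Returns actor -> set of ECUs whose replica fired."""
    result = {}
    for actor in topo_order(ACTORS):
        spec = ACTORS[actor]
        rule = any if spec["partial"] else all
        live = set()
        for ecu in mapping[actor] - pattern:          # a failed ECU runs nothing
            available = [any(reachable(src, ecu, pattern) for src in result[p])
                         for p in spec["inputs"]]
            if rule(available):                        # all([]) is True for sources
                live.add(ecu)
        result[actor] = live
    return result


def uncovered(mapping, fault_behavior=FAULT_BEHAVIOR):
    """Failure pattern -> required actors with no firing replica (empty = covered)."""
    return {pattern: {a for a in required if not fired(mapping, pattern)[a]}
            for pattern, required in fault_behavior.items()}


if __name__ == "__main__":
    for name, mapping in (("good", MAPPING_GOOD), ("bad", MAPPING_BAD)):
        for pattern, missing in uncovered(mapping).items():
            label = ",".join(sorted(pattern)) or "{}"
            verdict = "covered" if not missing else "MISSING " + ",".join(sorted(missing))
            print(f"{name:4} {label}: {verdict}")
```

Running the module prints one verdict per failure pattern for each mapping. The deliberately weak mapping shows the kind of defect the check is for: with Act hosted only on ECU 2, the pattern {ECU 2} leaves a critical actor with no replica, even though every other pattern is still covered. Losing both buses is not in the fault behavior, but `fired(MAPPING_GOOD, frozenset({"CH0", "CH1"}))` shows the channel model at work: the Input replica on ECU 2 no longer fires because no sensor data can reach it.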
Case Studies: BMW, GM
Vehicle-level data-flow architecture for drive-by-wire (figure). Blocks: Driver Interface, Supervisory Control, Brake by Wire, Steer by Wire, Power Unit Coordinator, Vehicle Dynamics. Signals: Sensor Input, Steering Position, Vehicle Speed, Torque req/ack, Directional and Stability Signals, Actuator/Vehicle Output.

Conclusions
• The proposed design flow enables
  – greater separation of concerns: application, architecture, fault behavior
  – formal specification and verification of fault-tolerant systems
  – design space exploration

Reference
C. Pinello, L. P. Carloni, and A. L. Sangiovanni-Vincentelli, "Fault-Tolerant Deployment of Embedded Software for Cost-Sensitive Real-Time Feedback-Control Applications," Proc. Conf. Design, Automation and Test in Europe (DATE), February 2004.