Safety-related design in microprocessor-based automotive applications
Designers of increasingly complex automotive control systems are considering ways to maintain the safety record of these systems. In this feature three contributors consider hardware and formal methods-based software approaches to this problem.
The use of computers in safety-related applications has increased greatly in the last five years. Wider awareness and public concern and the implications of various government directives have placed safety-critical assessment high on the agenda of computing design. At a recent IEE colloquium on 'Safety critical software in vehicle and traffic control' (London, UK, 13 February 1990) some of the key issues on this agenda were raised within the particular context of automotive and traffic control applications. To widen this debate this topical feature presents edited extracts from three presentations given at the colloquium which focus on the use of microprocessors in such systems: one a hardware architectural approach, and two advocating the use of formal methods for the design of 'correct' software.

Keywords: microsystems, safety-critical computing, automotive control, software design, formal methods

SYSTEM ARCHITECTURES FOR SAFETY CRITICAL AUTOMOTIVE APPLICATIONS

John Millward

Lucas Automotive, Advanced Engineering Centre, Dog Kennel Lane, Shirley, Solihull, West Midlands B90 4JJ, UK

Microprocessor-based control systems are now commonplace in vehicles. They have traditionally been employed in systems where a failure will cause inconvenience but the consequential hazard potential is low (except perhaps automatic braking systems). These systems usually have a well defined safe state. Many manufacturers and component suppliers are now experimenting with systems whose failure can have much more serious consequences, such as: control by wire and supervisory systems, which can override the driver's inputs; and complex interconnected systems where one failure can affect several others. The safety record of automotive electronic systems has been very good, but to maintain this situation the safety and reliability attained by these systems must increase at a rate equal to their complexity.

Sources of failure

Random failures. Random failures of electrical components, connections, wiring and mechanical devices are amenable to statistical prediction. Although the task is not simple, due to the number of components and in some cases the lack of data on which to base the predictions, failure probabilities can be produced. These figures together with an FMEA analysis can be used to estimate the hazard potential and hence the acceptability of the system. Improved computer assistance with these processes, together with a pool of freely available predicted and achieved reliability data, would be of benefit.

Systematic errors. Systematic errors can occur in the system requirements, the hardware design or the software design. They are not random: given the same input conditions the same incorrect behaviour will occur. They are the result of human error in the design process or the design of the tools used in the process, and therefore render the supplier morally and legally liable for any consequences. There is no adequate method for predicting the probability of such failures in typical automotive control systems and it is therefore a question of engineering judgement as to how much effort, and hence cost, is incurred in trying to prevent their occurrence. This judgement may have to be defended (in court), causing pressure to always use the best possible practices regardless of the immunity of the system to random and interference type failures. The adoption of an internationally agreed standard on classification of systems (for example by hazard analysis) and the procedures necessary for each class seems the best current option. Adherence to these standards would then be cited as a defence in liability claims.

Intermittent failures. Intermittent failures, particularly those caused by EMC problems, are difficult to predict and also depend on factors outside the supplier's control, such as the environment in which the vehicle will operate. Again an internationally agreed test standard, adherence to which can be used as a defence in liability claims, seems the best current solution.

0141-9331/90/05318-7 © 1990 Butterworth-Heinemann Ltd
The classic approach to achieving the required system safety level is to provide redundancy in some form. This improves safety at the expense of reliability. A typical architecture for a dual redundant system is shown in Figure 1.

Figure 1. Duplex processor system

This system uses two identical channels, each of which performs exactly the same function. The outputs of the two channels are then compared and if they are found to be different the system is shut down into its fail-safe state. This architecture is very effective at identifying component failures within the ECU. It will also identify intermittent faults which affect only one channel, but since the channels are identical there is a significant risk of a common mode type of failure. A systematic fault in the hardware design will produce identical but incorrect outputs on both channels and hence will not be detected. The same argument is true for software errors and errors in the system specification. This type of architecture can give the fastest and most reliable detection of random component failures but its use places very high demands on the integrity of all stages of the system design.

A variation on this architecture is to use different types of microprocessor for each channel. The software for each channel can also be written by different teams, thus reducing, although not eliminating, the possibility of common software errors. This architecture reduces the likelihood of common mode failures but since the internal processing of the data may be different, thus preventing direct comparison of intermediate results, both the time taken and the reliability of failure detection can be adversely affected. It is for this reason that some very high integrity systems (e.g. the A320 fly-by-wire system) use a combination of both architectures. It is important to note that this architecture offers no protection against an error in the original system requirements or specifications; in this case both channels will agree on the incorrect action.

It is this author's belief that specification error is the most serious problem facing the designers of future automotive systems. Improvements have taken place in the translation of specifications into hardware and software but the problems of specifying the correct outputs, for every combination of inputs, in every possible scenario, of complex interconnected systems have still to be resolved.

An alternative architecture is shown in Figure 2. This architecture has two dissimilar channels. Moreover these channels perform very different functions, as is explained below, and therefore the chance of a common mode specification, software, hardware or interference failure should be greatly reduced. This diversity is obtained by dedicating each channel to a different task. The main processor is designed to carry out the control function, in the same way as a single channel system, whilst the second channel, or 'safety processor', is used to monitor the system and ensure it never enters an unsafe state. The two channels communicate to exchange data and to check that each channel is functional.

Figure 2. Main and monitor system

The second channel monitors both the system inputs, outputs and as many intermediate variables as are considered necessary to provide acceptable failure detection time. The safety processor does not repeat the control calculations of the main processor, but determines from its input data whether or not the system is in a safe state. For example, in a closed-loop throttle control system the main processor will determine the required actuator drive signal, whereas the safety processor could ensure that the direction of the drive signal is appropriate and that the integral of the error signal is below a certain threshold.

The task of specifying the function and the unsafe states for the safety processor is not simple, but it is a valuable task for checking the requirements for the main processor. The functionality required from the safety processor should be less than that required from the main processor since it may not need to perform all the control calculations. More importantly, the safety processor will be easier to design as a deterministic synchronous system since the precise timing constraints required for control can be relaxed. This could allow formal methods to be used effectively in its design and implementation. The precise mathematical notation of formal methods appears well suited to the task of describing states and behaviour that a system should not exhibit.

To prove that such a system is safe, it would be necessary to prove that the operation of the safety processor was logically correct and that all random errors in the safety processor could be detected by the main processor. Logical proof of the control function is not necessary for safety, although of course it is necessary for
functionality than the main control system. In this way the integrity of these systems can be kept high at a reasonable cost.
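As an added example, not code from the article or from the author's project, here is a C sketch of the 'safety processor' for the closed-loop throttle case described above (Figure 2): it never computes the control law, but checks that the main channel is still exchanging data, that the drive signal points towards the setpoint, and that the accumulated error stays bounded, latching a fail-safe verdict otherwise. The thresholds, the heartbeat counter and all names are assumptions introduced here.

```c
/* Added example, not code from the article: a sketch of the 'safety
 * processor' for the closed-loop throttle case described above. It never
 * computes the control law; it only judges whether the main processor's
 * behaviour is plausible. Thresholds, the heartbeat field and all names are
 * assumptions introduced here. */
#include <stdlib.h>

#define DEADBAND     2    /* |error| at or below this is not judged (assumed) */
#define INTEGRAL_MAX 500L /* bound on the accumulated error (assumed) */

typedef enum {
    MON_SAFE = 0,
    MON_FAULT_HEARTBEAT,  /* main processor stopped exchanging data */
    MON_FAULT_DIRECTION,  /* drive pushes the actuator away from the setpoint */
    MON_FAULT_INTEGRAL    /* error has persisted too long: loop not converging */
} mon_status;

typedef struct {
    long       integral;       /* running sum of (setpoint - position) */
    unsigned   last_heartbeat; /* counter from the main channel (assumed to start at 1) */
    mon_status fault;          /* first fault seen; latched until reset */
} monitor_state;

void monitor_init(monitor_state *s)
{
    s->integral = 0; s->last_heartbeat = 0; s->fault = MON_SAFE;
}

/* One synchronous monitor cycle. Inputs are sampled by the safety
 * processor itself; 'drive' and 'heartbeat' come from the main channel.
 * Any fault is latched: the caller holds the fail-safe state from then on. */
mon_status monitor_step(monitor_state *s, int setpoint, int position,
                        int drive, unsigned heartbeat)
{
    int error = setpoint - position;
    if (s->fault != MON_SAFE) return s->fault;

    if (heartbeat == s->last_heartbeat)                /* channel not functional */
        return s->fault = MON_FAULT_HEARTBEAT;
    s->last_heartbeat = heartbeat;

    if (abs(error) > DEADBAND &&                       /* wrong direction */
        ((drive > 0 && error < 0) || (drive < 0 && error > 0)))
        return s->fault = MON_FAULT_DIRECTION;

    s->integral += error;                              /* bounded in a working loop */
    if (labs(s->integral) > INTEGRAL_MAX)
        return s->fault = MON_FAULT_INTEGRAL;
    return MON_SAFE;
}
```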
Figure 3. Triplex dependable system

ON THE DEVELOPMENT OF A FORMAL METHODS-BASED SOFTWARE DESIGN METHODOLOGY FOR AUTOMOTIVE APPLICATIONS

Software is the key to a successful or disastrous microprocessor-based circuit design. Poorly developed software