Reliable Statements about a
Fault-Tolerant X-by-Wire eCar
Unrestricted ©2017 Siemens AG
Joachim Fröhlich, Florian Krautwurm, Stefan Rothbauer
Unrestricted © Siemens AG 2017
Siemens Corporate Technology
Secrets behind reliable statements at a glance
• Reliable statements from tests of testable systems
• Probe in each system node by design, permanently, in lab and field
• Non-intrusive monitoring, data-seeding & testing
• Invariants on cyclic1) signals, states and data flows
1) Time-triggered system for deterministic behavior and statements
Overview
Reliable statements?
Safe fail-over during a trip
Test with non-intrusive fault-injection
System testability measures
Road users rely on the vehicle’s safety
Can we rely on these system properties?
Critical properties … The eCar steers safely when
• a redundant component of the central control unit fails permanently
• a redundant steering wheel sensor sends incorrect data temporarily
• the redundant power circuit fails
… hold during operation?1)
1) Source: Project RACE (Reliable Automation and Control Environment)
Cooperating humans rely on the robot’s safety
Can we rely on these statements, and on the related system properties?
Critical properties … The mobile assembly robot1)
• does not extend the manipulator beyond the base when its speed is greater than V m/s
• executes an emergency brake before becoming too fast
… hold during operation?2)
1) See also: J. Fröhlich, et al. (2017): Component Systems in the Field: Integrating and Controlling Operation Services easily using Connectors. SATURN
2) Source: Machin et al. (2014): Specifying Safety Monitors for Autonomous Systems Using Model-Checking. LNCS 8666
Ensure availability of critical system functions
Redundant component of the central control unit fails permanently
[Figure: timeline of the fail-over in three phases, labelled safe (Phase 1), dangerous (Phase 2) and vulnerable (Phase 3); the number of components running the critical function is 2, 1 and 1 in the respective phases]
On the road …
… and under the hood?
[Figure, Phase 1: Sensor → Steering (Function) → Actuator. Primary-C.1) runs on nodes n3, n4 and Backup-C.2) on nodes n5, n6; the further nodes n1, n2, n7, n8 and the signals α, β are shown; 2 components run the function.]
1), 2) Components of 2 twin nodes each
A central component fails permanently …
… and under the hood?
[Figure, Phase 2: same layout as Phase 1. Primary-C.1) on nodes n3, n4 has failed permanently; Backup-C.2) on nodes n5, n6 is still the backup; 1 component runs the function.]
1), 2) Components of 2 twin nodes each
Redundant component takes control in time …
… and under the hood?
[Figure, Phase 3: same layout as Phase 1. The former backup component on nodes n5, n6 is now Primary-C.2); 1 component runs the function.]
1), 2) Components of 2 twin nodes each
Testable requirements for reliable statements from reliable tests
Critical system property as testable requirements for the central control unit
Critical property … The eCar steers safely when a redundant component of the central control unit fails permanently (phases: safe, dangerous, vulnerable)
… testable requirements
Req 1 Critical app1) runs on max 1 primary component in each cycle
Req 2 In safe mode, critical app runs on min 2 components in each cycle
Req 3 In dangerous mode, critical app runs without primary c. for max Y cycles2)
Req 4 In vulnerable mode, critical app runs on only 1 component, which is the primary
1) Application: Uses platform services; is one of perhaps several parts of a critical system function. For example, the application Steering Control is the central part of the steering function.
2) Y depends on, e.g., task of the application, system state and system environment (situation).
System under test
Distributed system with built-in (non-intrusive) test probes
[Figure, Phase 1: primary component and backup component of the system under test, with a test probe in each node; 2 components running]
tp = test probe
n1, n2 … n8 = nodes of the (distributed) system under test
A safe steering test with fault injection
The basic test idea
Test scope: primary component (n3, n4) and backup component (n5, n6)
Test with fault injection:
    before the fault (2 components):  n3.SteeringCtrl.Authority == primary
                                      n5.SteeringCtrl.Authority == backup
    inject the fault:                 n3.State = 0xDEAD
    after fail-over (1 component):    n5.SteeringCtrl.Authority == primary
A safe steering test with fault injection
1st try: Invalid, as the test ignores the time needed for fault detection & handling
Test parameter and test procedure1)

    TEST Critical app continues
    WHEN primary fails
    AND backup is available
    WITH App = SteeringCtrl
         Node1 = n3, Node2 = n5,
         TestPoint = State,
         Fault = 0xDEAD
         X = 10, For = 3,
         Stop = 100
    DEFINE IsPrimary(N, A) AS N.A.Authority == primary
    DEFINE IsBackup(N, A) AS N.A.Authority == backup
    DEFINE HasPrimary(A) AS
        IsPrimary(Node1, A) XOR IsPrimary(Node2, A)
    TRIGGER IsPrimary(Node1, App)
    INVARIANT HasPrimary(App)
    CYCLE
        FROM X TO X + For - 1 DO Node1.TestPoint = Fault
    UNTIL Stop

1) ALFHA: Assertion Language for Fault-Hypothesis Arguments, J. Fröhlich et al. (2016): Testing Safety Properties of Cyber-Physical Systems with Non-Intrusive Fault Injection – An Industrial Case Study, LNCS 9923
A safe steering test with fault injection
2nd try: OK, but the test allows the backup component to get stuck (violates Req 3)
Test parameter and test procedure1)

    TEST Critical app continues
    WHEN primary fails
    AND backup is available
    WITH App = SteeringCtrl
         Node1 = n3, Node2 = n5,
         TestPoint = State,
         Fault = 0xDEAD
         X = 10, For = 3,
         Stop = 100
    DEFINE IsPrimary(N, A) AS N.A.Authority == primary
    DEFINE IsBackup(N, A) AS N.A.Authority == backup
    DEFINE HasPrimary(A) AS
        IsPrimary(Node1, A) XOR IsPrimary(Node2, A)
    TRIGGER IsPrimary(Node1, App)
    INVARIANT HasPrimary(App) OR IsBackup(Node2, App)
    CYCLE
        FROM X TO X + For - 1 DO Node1.TestPoint = Fault
    UNTIL Stop

1) ALFHA: Assertion Language for Fault-Hypothesis Arguments, J. Fröhlich et al. (2016): Testing Safety Properties of Cyber-Physical Systems with Non-Intrusive Fault Injection – An Industrial Case Study, LNCS 9923
A safe steering test with fault injection
3rd try: OK, but the test allows the new primary to become backup again
Test parameter and test procedure1)

    TEST Critical app continues
    WHEN primary fails
    AND backup is available
    WITH App = SteeringCtrl
         Node1 = n3, Node2 = n5,
         TestPoint = State,
         Fault = 0xDEAD
         X = 10, For = 3,
         Detect = 2, Switch = 3,
         Stop = 100
    DEFINE IsPrimary(N, A) AS N.A.Authority == primary
    DEFINE IsBackup(N, A) AS N.A.Authority == backup
    DEFINE HasPrimary(A) AS
        IsPrimary(Node1, A) XOR IsPrimary(Node2, A)
    TRIGGER IsPrimary(Node1, App)
    INVARIANT HasPrimary(App) OR IsBackup(Node2, App)
    CYCLE
        FROM X TO X + For - 1 DO Node1.TestPoint = Fault
        AT X + Detect + Switch DO IsPrimary(Node2, App)
    UNTIL Stop

1) The number of cycles for fault detection (Detect) and fault handling (Switch, i.e. switching to the redundant component) must be less than or equal to Y, the max number of cycles a critical app can run without a primary component (Req 3).
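The three ALFHA test variants above, evaluated cycle by cycle against a constructed fail-over trace, as an added example that is not code from the slides or from the RACE project; the trace model (when Node2 takes over, a backup that gets stuck, a new primary that falls back to backup) and the Python helper names are assumptions.

```python
# Added example, not code from the slides: a minimal cycle-by-cycle evaluator for
# the three ALFHA test variants, run on a constructed trace of the fail-over.
# Node names (Node1 = n3, Node2 = n5) and parameters follow the slides; the trace
# model (take-over after Detect + Switch cycles, stuck backup, revert) is assumed.
PRIMARY, BACKUP, NONE = "primary", "backup", "none"

def simulate(x=10, detect=2, switch=3, stop=100, backup_stuck=False, revert_at=None):
    """Per cycle: (Node1.Authority, Node2.Authority). Seeding Node1.State = 0xDEAD
    at cycle x is modelled as Node1 losing authority permanently from cycle x on;
    Node2 takes over after detect + switch cycles unless the backup is stuck."""
    trace = []
    for c in range(1, stop + 1):
        if c < x:
            trace.append((PRIMARY, BACKUP))             # safe: 2 components
        elif c < x + detect + switch or backup_stuck:
            trace.append((NONE, BACKUP))                # dangerous: no primary
        elif revert_at is not None and c >= revert_at:
            trace.append((NONE, BACKUP))                # new primary fell back
        else:
            trace.append((NONE, PRIMARY))               # vulnerable: 1 primary
    return trace

def is_primary(auth): return auth == PRIMARY              # DEFINE IsPrimary(N, A)
def is_backup(auth): return auth == BACKUP                # DEFINE IsBackup(N, A)
def has_primary(n1, n2): return is_primary(n1) != is_primary(n2)   # XOR

def run_test(trace, variant, x=10, detect=2, switch=3):
    """Return (passed, first_failing_cycle). The invariant is checked in every
    cycle from the one in which TRIGGER IsPrimary(Node1, App) first holds, UNTIL
    Stop; variant 3 also requires IsPrimary(Node2, App) AT X + Detect + Switch."""
    armed = False
    for cycle, (n1, n2) in enumerate(trace, start=1):
        armed = armed or is_primary(n1)                   # TRIGGER
        if not armed:
            continue
        if variant == 1:
            ok = has_primary(n1, n2)                      # 1st try
        else:
            ok = has_primary(n1, n2) or is_backup(n2)     # 2nd and 3rd try
        if variant == 3 and cycle == x + detect + switch:
            ok = ok and is_primary(n2)                    # AT ... DO IsPrimary(Node2)
        if not ok:
            return False, cycle
    return True, None

if __name__ == "__main__":
    print("1st try, normal fail-over:", run_test(simulate(), 1))
    print("2nd try, backup stuck:    ", run_test(simulate(backup_stuck=True), 2))
    print("3rd try, backup stuck:    ", run_test(simulate(backup_stuck=True), 3))
    print("3rd try, primary reverts: ", run_test(simulate(revert_at=30), 3))
```

The first try fails at cycle X as soon as Node1 loses authority, the second accepts a backup that never takes over, and the third catches that but still accepts a later fall-back of the new primary to backup.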
Independent test system with distributed test probes
Point-to-point links between test probes (tp) and test probe control (tc)
[Figure: the system under test, and the test view on the system under test in which each node's test probe (tp) is linked point-to-point to the test probe control (tc)]
Multiple measures provide system testability

a  Measure: Time-triggered system
   Benefit: Deterministic tests
b  Measure: Data store per node: states, signals, msgs (encapsulated memory region)
   Benefit: Decoupling modules enables test probe to observe and control system internals
c  Measure: Data in multiple stages per cycle
   Benefit: Test dataflow in each cycle
d  Measure: Test probe built into each node, by design
   Benefit: Non-intrusive tests
e  Measure: Exclusive SW/HW resources
   Benefit: Non-intrusive tests
f  Measure: Test probe is an ordinary module
   Benefit: Homogeneous architecture
g  Measure: Test probe runs in node cycle, at cycle end
   Benefit: Accuracy in every cycle
h  Measure: Test probe is programmable
   Benefit: Accuracy in every cycle
i  Measure: N test probes linked to 1 test controller
   Benefit: Test systems with replicated elements
Multiple measures provide system testability
[Figure: the measures a to i located on the nodes n3 and n4 of the system under test]
Secrets behind reliable statements at a glance
• Reliable statements from tests of testable systems
• Probe in each system node by design, permanently, in lab and field
• Non-intrusive monitoring, data-seeding & testing
• Invariants on cyclic1) signals, states and data flows
1) Time-triggered system for deterministic behavior and statements
Reliable Statements about a
Fault-Tolerant X-by-Wire eCar
Joachim Fröhlich
Florian Krautwurm
Stefan Rothbauer
Otto-Hahn-Ring 6
81739 Munich
+49 (173) 6628557
siemens.com/corporate-technology