SafeAdapt enables fail-operational automotive E/E systems

SafeAdapt enables fail-operational automotive E/E systems

Technology News |
By Christoph Hammerschmidt

Highly automated driving assumes the vehicle can rectify faults on its own until the driver is in a position to intervene. That means guaranteeing the fault tolerance of critical functions in the vehicle E/E system. To date for example, a mechanical brake has usually served as a backup whenever the electric motor takes over the braking system. Although a temporary solution, from a long-term perspective one must come to the conclusion that this approach is not only costly, but also makes the vehicle unnecessarily heavy. This approach is also at odds with the concept of energy efficiency, and in the end leads to an extremely complex vehicle with many parts.

With this in mind, in future vehicles it would be advantageous for the electric motor to take over the braking system by itself through interaction with the vehicle E/E system and software. This places other demands on safety however, particularly in the case of highly automated driving. The German Association of Automobile Manufacturers (VDA) defines this degree of automation as stage 3 because the driver is no longer required to constantly monitor the vehicle and traffic, which is the case with partially-automated driving. The vehicle thus acts as the first fallback level, rectifying the error until the driver takes over again. For example, when an electronic control unit (ECU) fails, the vehicle must initially compensate and notify the driver so that he can take over the wheel again. Until that happens however, the vehicle must continue to drive more or less autonomously for several seconds.

This requires a paradigm shift in automobile safety concepts. It no longer requires a “fail silent” approach, meaning the system shuts down when an error occurs. Instead, the keyword is “fail operational,” which means that when a fault occurs, the function or the ECU must continue to work until the vehicle can be brought to a safe operational state. Although avionic systems rely on multiple redundancy, this approach cannot simply be ported over to automotive platforms because of the high cost. A new approach is therefore needed.

Increased safety, lower development costs

This type of concept is the focus of the SafeAdapt project funded by the EU. More precisely, SafeAdapt involves the development of a new, flexible architecture that provides system-wide or generic fail-operational functionality. In other words, this feature will not be implemented for each function on an individual basis, rather for the system as a whole, thus reducing the effort and costs. The foundation of this concept is referred to as safe and controlled adaptation, an approach that rectifies faults by dynamically reallocating the functions and adapting the vehicle system to current situations at runtime. This also includes the possibility of reconfiguration through heterogeneous ECUs in order to implement flexible problem resolution in systems that are subject to strict safety demands.

More specifically, the objective of the SafeAdapt project is to reduce the development costs for future electric vehicles by establishing a generic problem resolution and expansion mechanism, thus ensuring functional safety. The SafeAdapt approach furthermore reduces material costs because it eliminates the need for functional redundancy. Finally, shifting the functions to existing ECUs reduces the overall number of ECUs that are required, thus improving energy efficiency.


Generic fault management


The foundation of the SafeAdapt approach is the interaction between the hardware and software. The presumption is that future vehicles have access to the sensors and actuators without having to rely on the actual control units. These intelligent sensors and actuators can be addressed directly or via network gateways. To ensure that a periphery component fault does not impact the functionality of the entire system, redundancy must be available. This applies to the individual sensors and actuators, as well to the existing communication paths. In order to reliably rectify individual faults, that means at least two communication paths must exist between all communication partners. The figure illustrates a vehicle architecture with two Ethernet paths between each of the individual participants. This ensures the participants can continue to communicate if an individual component or communications link fails.


Two separate Ethernet data paths connect the subsystems to ensure fail-safe operation

Since the control units operate on a common time basis, appropriate synchronization and real-time mechanisms must be available, which can be enabled via time-triggered Ethernet or time-sensitive networking as an example.

The Safe Adaptation Platform Core (SAPC) is built on this basis. This mechanism decides which configuration is established when a fault occurs. Only single faults in the system are considered as usual. The same concept also applies to energy optimization. That means the SAPC can activate one of the energy-efficient configurations that is adapted to the situation. The SAPC is a software program developed for use with different operating systems on various hardware platforms. It’s executed on all core platforms and creates a new local configuration after recognizing the need to adapt after an error condition arises. To do this, each core platform periodically shares so-called health vectors with all other platforms. They contain information about the status of the core platform, including currently running applications. Since all core platforms receive this status information from all others on a regular basis, each one is capable of decentrally determining the overall system status. If a core platform fails for example, the other platforms recognize the situation based on the missing health vectors and activate a local configuration predefined for this particular error condition. Because the system maintains redundant real-time communication paths, the assumption is that no single error can cause the disappearance of a health vector. Instead, the assumption is that the fault is related to the corresponding core platform.

The SAPC thus allows the system to reliably shift functions from a faulty component to a working component to ensure continuous vehicle operation. To make this work, the SAPC is designed as an AUTOSAR component in the so-called ARXML format. This creates a condition in which the SAPC can run without having to adapt to various ECUs with different hardware. That means only the corresponding AUTOSAR-compliant interface has to be implemented on the platforms in order to utilize the SAPC.


Project goal: testing on real vehicle


The project will conclude by evaluating and analyzing the new process on demonstrators. Particular attention will be paid to ISO26262, the standard for functional vehicle safety. A concrete goal of the project is the development of an e-vehicle prototype for demonstrating usability and ease-of-integration with heterogeneous technology and real-time Ethernet communication. For this purpose, a sports car from automotive manufacturer Roding – equipped with the Siemens RACE E/E architecture – will be enhanced with technologies from the SafeAdapt partners. Specifically, a RACE ECU and the TrustedMulti-Domain Platform from Delphi will be connected via TT-Ethernet. The same SAPC will be integrated into both platforms, thus enabling fail-operational steering using the fault management approach described above.

Furthermore, the Dynacar driving simulator from Tecnalia will serve as a virtual test environment. That means the SafeAdapt technologies will also be integrated into the simulator in order to demonstrate an energy efficiency application. If less battery capacity is available after a certain distance for instance, the system can independently deactivate non-safety critical functions such as comfort and convenience features. The driver-in-the-loop simulator can also be used to evaluate the impact of adaptive safety mechanisms on the handling characteristics of the vehicle. This has an impact on issues such as the maximum duration of the steer-by-wire adaptation so that the driver can keep the vehicle under control.

Fraunhofer ESK is researching how the SafeAdapt approach can be used in an E/E architecture with conventional AUTOSAR platforms. Using a model vehicle, researchers are examining the fail-operational capability of critical driving functions in an AUTOSAR system.

The SafeAdapt project not only involves the design of a new E/E vehicle architecture. The project team is also looking at design and validation methods for such an architecture in order to enable development in line with the ISO26262 functional safety standard. This norm describes what must be done during the development of automobile components and systems to ensure the functional safety of the system. This standard can already be used to develop simple fail-operation functions through adaptation. In particular, the modular qualification approach of the standard, the so-called Safety-Element-out-of-Context concept, is used in order to utilize the SAPC as a reusable safety component in various platforms.

These functions, plus the architecture, must be specified before developing the vehicle functions. The system design must correspond to the safety concept, so that the appropriate measures are taken in the identified error situations. In these instances, the system architect can indicate which functions have to be available in the system and their fail-operational behavior.

The project also uses descriptions in the EAST-ADL and AUTOSAR architecture description languages. The SafeAdapt tool chain can be used to generate robust fault-tolerant system configurations, which automatically take into account all of the required characteristics, such as redundant standby versions of critical functions. This automated process makes it possible to generate configurations for every type of error condition, which would be near impossible to carry out manually given the numerous potential scenarios. This also makes it possible to guarantee that only valid system configurations are utilized. That means all requirements, such as the timely execution of functional chains, will be fulfilled.

The configurations can then be further used in the system design model or for real applications. This allows developers to generate AUTOSAR ARXML-compliant configurations and source code that can be incorporated into the ECU software directly during development. Together with automatically-generated information that can be used as a basis for the SAPC, system-wide error handling can be implemented. This approach can be used in ECUs with conventional AUTOSAR operating systems, as well as with more powerful real-time operating systems in future adaptive platforms.

SafeAdapt is a three-year project that will conclude in mid-2016. Apart from Fraunhofer ESK, the project partners include CEA LIST (France), Delphi (Germany), DuraCar (Netherlands), Fico Mirrors (Spain), Tecnalia Research & Innovation (Spain), Pininfarina (Italy), Siemens (Germany) and TTTech Computertechnik (Austria).

About the Author:

Dr Gereon Weiss is Group Manager and Deputy Manager of the Automotive business unit at Fraunhofer Institute for Embedded Systems and Communication Technologies ESK.

Having joined Fraunhofer ESK in 2007, Weiss was appointed head of the Automotive Software research group in 2011. From 2014 on, he also holds the position of deputy manager of Fraunhofer ESK’s Automotive business unit. In addition, he is responsible for the core competencies Dependable Software and Adaptive Systems.

Gereon Weiss studied computer science at the University of Karlsruhe with focus on of embedded systems design and telematics in which he graduated in 2006. Since then he has been active in the applied research field of model-driven engineering for distributed embedded systems, both as author of numerous publications and as reviewer. In 2014 he gained his PhD at the University of Augsburg in the area of designing self-adaptation in distributed embedded systems.

He can be reached via gereon.weiss(at)

If you enjoyed this article, you will like the following ones: don't miss them by subscribing to :    eeNews on Google News


Linked Articles