Safety first: How safety ECUs can be tested at an early stage
The requirements of ISO 26262 (“Road Vehicles – Functional Safety”), which primarily apply to safety-relevant electronic systems in motor vehicles, are relevant in this context. Other important requirements are those established by the Euro NCAP organization, as their evaluation plays a major role in the consumers’ acceptance of vehicles.
On the technological side, solutions for increasingly challenging performance requirements have to be found as well. This requires highly complex sensors and the sharing of information from these sensors across various ECUs.
The following look at vehicle safety shows the importance of this topic and illustrates that this major development trend will continue in the future.
Requirements for safety ECUs
The number and complexity of test cases are without doubt increasing in the field of vehicle safety as well. Using various crash sensors installed at different locations in the vehicle (see schematic depiction in Figure X), airbag control units have to decide whether, when, and which of the airbags should be ignited for deployment.
Another typical question that arises in this context is the optimization of the ignition timing for airbag inflators. Decisions derived on the basis of sensor information and the determination of the optimum safety response can have far-reaching consequences and may make the difference between life and death.
Interaction of safety systems and advanced driver assistance systems
To satisfy relevant safety requirements, a large number of ECUs and sensors that analyze the environment are installed in modern vehicles, a trend that will continue to grow. Advanced driver assistance systems (ADAS) are used to recognize dangerous situations early in order to avoid accidents. Passive safety systems such as belt tensioners and airbags serve to mitigate the consequences of accidents. In contrast to passive systems, active safety systems such as the emergency brake assist intervene in the vehicle’s operation at an early stage in order to avoid a collision.
Advanced driver assistance systems obtain their environmental information from various sensor sources. The fusion of environment and crash sensors (see Figure 1) and the exchange of radar, lidar, camera, ultrasound and vehicle dynamics data, for example, open up completely new possibilities in the field of safety.
Figure 1: Exemplary demonstration of location of crash sensors
By means of ADAS, critical scenarios can be detected and classified in advance. This results in a valuable gain of time which can be used to initiate preliminary safety responses even before the crash sensors are able to detect anything.
But even in scenarios that do not involve the deployment of airbags, such as rear-end collisions in urban traffic, occupant protection measures can be initiated by means of belt tensioners. They restrain the occupant in an optimal position prior to contact with another vehicle and thus help to mitigate the consequences of an accident.
However, as sensor information becomes increasingly interlinked, manufacturers of safety-relevant ECUs are confronted with growing complexity. This implies increasing efforts to be invested in testing and, as a result, reduces the time that is available for performing individual tests. Consequently, this raises the question of how such complex developments can be managed. An example of such an ADAS sensor is shown in the following Figure.

For seamless testing of all these requirements the newly developed ReSiMa (Replay, Simulate, Manipulate) system can be used. Two research projects (VISAPS I + II) were conducted in collaboration with Continental Regensburg and the Ingolstadt University of Applied Sciences in the past four years with ReSiMa being the resulting product from this joint research. Customers use the test system to validate ECUs at the highest safety level (ASIL Level D) in the context of ISO 26262.
Architecture and functional principle of the ReSiMa test system
ReSiMa makes it possible to replicate real-world crash scenarios in the laboratory without risk of personal injury or major damage to material. Recorded data is retrieved from the so-called crash database, loaded and output again in real time (see Figure 3). The ReSiMa test framework provides the test engineer with the tools required to define test cases across various ECUs, bus systems and sensor systems.

The defined test scenarios are executed in real time on IPG Automotive’s powerful Xpack4 hardware platform. For this purpose, the real-time application first reads all bus and sensor data into memory and then outputs the data synchronously to the interfaces involved after the test has been started. Typically, bus systems such as CAN, LIN and FlexRay, as well as PSI5 and SPI sensor interfaces, are used in such a test system.
The modular hardware architecture of such an Xpack4 system provides high flexibility regarding the components used and can easily be extended by additional modules.
By linking ReSiMa with the hardware platform the user gets a modular and scalable hardware system in combination with a powerful real-time application. The test cases are reproducible and can be carried out at an early stage of the development process by frontloading. This approach significantly reduces the required investment of time and material.
The acronym ReSiMa reflects the three central tasks performed by the system, which are described in more detail below.
Replay – feeding of real-world crash data
Data of real-world accidents of the kind that occur in everyday traffic situations can be fed in by means of the ReSiMa replay functionality in real time. The synchronous availability with millisecond accuracy of all the information is one of the major advantages of this functionality.
The objective is to reproduce realistic scenarios in a largely true-to-original manner. This achieves a high level of authenticity and reduces the effort to be invested in the test set-up. Recorded bus traces can be completely read this way and synchronously replayed with the related sensor data that has been recorded. This provides the advantage that tests which have been defined once can be repeated as often as desired and carefully analyzed without having to run a new crash test for a vehicle every time.
ReSiMa makes it possible to feed all types of data, whether from real-world accidents, replicated situations, crash tests or synthetically generated laboratory signals into the system. The utilization of real-world data achieves an optimum approximation of reality. In contrast, it is hardly possible to cover all aspects of complex real world scenarios in simple crash tests, particularly because conventional crash tests always lead to the destruction of the unit under test, resulting in considerable testing and material costs. The requirement of performing reproducible tests can only be partially met by real-world crash tests as well because every test is different even when the tests have been set up identically.
Simulation of bus systems and sensors
By using powerful simulation software such as RealtimeMaker it is possible to simulate the environment in such a way that the unit under test – in this case the airbag control unit – does not recognize any difference from reality. To reach this goal the electronic control unit is supplied with all the bus data and ECU information it requires to operate properly. Therefore the initialization stages and internal states of the crash sensors have to be simulated or emulated in a true-to-original manner. This is done by implementing the original sensor communication protocols which are used between the sensor and the ECU.
As soon as the test has been started, which also triggers the replay, all the required data is retrieved from the recorded bus and sensor trace files. Dynamic data, however, such as the calculation of CRC codes or the update of counter values, is still provided by the simulation.
Frontloading by means of simulation not only saves time and money but also makes it possible to test ECUs and their software releases in the total vehicle context even before a physical prototype is available. Once test scenarios have been set up, they can be repeated and reused as often as desired. By means of test automation it is possible to run automated tests of software releases with real-world scenarios for efficient validation of ECU functions.
Manipulation – making targeted modifications
Replaying bus and sensor traces alone offers a wide range of possible test cases, but because all sensor channels and bus signals are individually accessible and rewritable, additional value and flexibility are achieved. Particularly for analyzing complex scenarios it is crucial that the test scenarios which have been set up deliver reproducible results and can be easily modified. All data and signals can be overridden on all communication buses involved.
In addition to pure ‘value’ manipulations, ReSiMa offers the possibility to manipulate characteristics of bus messages. For instance, it is also possible to modify a CAN message or its CRC value. Table 1 provides an overview of possible manipulations.
To be able to define tests across various bus systems it is necessary to have appropriate manipulation possibilities as well. This is achieved by using so-called real-time expressions. Real-time expressions are logical expressions that can be used to trigger manipulations, which makes it possible to combine signals of different bus systems with each other. For instance, if a certain value of a CAN bus signal is exceeded, a manipulation can be activated on the LIN bus, which subsequently will be responsible for activating the seatbelt tensioner. This concept makes it possible to set up complex test scenarios across various interfaces. These tests can subsequently be used to fine-tune algorithms or to investigate the optimization of airbag inflator ignition timing.
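The following added example (not from the original article and not ReSiMa or RealtimeMaker code) sketches the two mechanisms described above: the simulation supplying the alive counter and CRC for each replayed frame, and a real-time expression on a CAN signal triggering a LIN override, with an optional CRC manipulation that the receiver-side check must reject. The frame layout, the signal positions, the threshold and the choice of CRC-8/SAE-J1850 are assumptions made for illustration.

```python
# Added example: generic sketch, not ReSiMa or RealtimeMaker code.
# Assumed frame layout: 6 data bytes | alive counter (low nibble) | CRC-8.

def crc8_j1850(data: bytes) -> int:
    """CRC-8/SAE-J1850: polynomial 0x1D, init 0xFF, final XOR 0xFF."""
    crc = 0xFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1D) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ 0xFF

def protect(payload: bytes, counter: int) -> bytes:
    """Append the live counter and CRC, the 'dynamic data' added at output time."""
    body = payload + bytes([counter & 0x0F])
    return body + bytes([crc8_j1850(body)])

def receiver_accepts(frame: bytes, last_counter: int) -> bool:
    """Receiver-side check: CRC matches and the counter advanced by one."""
    body, crc = frame[:-1], frame[-1]
    return crc == crc8_j1850(body) and body[-1] == (last_counter + 1) & 0x0F

# Constructed trace: (time in ms, bus, recorded 6-byte payload).
TRACE = [
    (0, "CAN", bytes([10, 0, 0, 0, 0, 0])),   # byte 0: deceleration signal (assumed)
    (1, "LIN", bytes([0, 0, 0, 0, 0, 0])),    # byte 0: belt tensioner request (assumed)
    (2, "CAN", bytes([90, 0, 0, 0, 0, 0])),
    (3, "LIN", bytes([0, 0, 0, 0, 0, 0])),
]

def replay(trace, threshold=80, corrupt_crc=False):
    """Replay the trace; the expression 'CAN byte 0 > threshold' arms a LIN override."""
    counters, armed, results = {"CAN": 0, "LIN": 0}, False, []
    for t_ms, bus, payload in trace:
        if bus == "CAN" and payload[0] > threshold:
            armed = True                          # real-time expression fired
        if bus == "LIN" and armed:
            payload = bytes([1]) + payload[1:]    # value manipulation on the LIN bus
        last = counters[bus]
        counters[bus] = (last + 1) & 0x0F
        frame = protect(payload, counters[bus])   # CRC recomputed after the override
        if corrupt_crc and bus == "LIN" and armed:
            frame = frame[:-1] + bytes([frame[-1] ^ 0xFF])  # CRC manipulation
        results.append((t_ms, bus, frame[0], receiver_accepts(frame, last)))
    return results
```

Because the CRC is computed after the override, a pure value manipulation still passes the receiver's integrity check, while the CRC manipulation case verifies that the unit under test would discard the frame.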
Current fields of research
To achieve further increases in occupant safety, the vehicle interior has to be monitored as well, because in case of an accident this additional information allows the airbag algorithms to make more sophisticated decisions. At the moment, IPG Automotive is working on the development of an occupant model (see Figure 4) that can be used to investigate such issues as well. In the environment of airbag and safety control units, the position of the head at the time of the impact is of particular interest, as well as tracking the orientation and position of the occupants’ extremities and torsos. Based on this additional information, more intelligent decisions can be made and the effects or severity of injuries minimized for the occupants.

Conclusion
The field of application described in this article can be further extended by integrating test cases from the domains of vehicle dynamics and advanced driver assistance. This can be achieved by linking the ReSiMa test framework with the powerful CarMaker integration and test platform. Such an approach holds great potential for creating additional test cases in the context of virtual test driving.
The utilization of virtual testing methods results in an efficient development process that enables an early evaluation of safety functions and leaves enough time to optimize the relevant systems and to coordinate their functions. Active and passive safety systems play a major role in pursuing the objective of automated driving and their consistent optimization marks another step towards making ‘Vision Zero’ reality.
About the author:
Dipl.-Inf Marc Greger studied computer science at HS Karlsruhe and has since been active in the field of software development. From 2012 to 2014, Greger was a software developer for airbag controllers at IPG Automotive. At present he is product manager for Embedded Systems at IPG Automotive (Karlsruhe, Germany).
