Towards Functional Safety in Drive-By Wire Vehicles by Peter Johannes Bergmiller

Peter Johannes Bergmiller
Towards
Functional
Safety in
Drive-by-Wire
Vehicles
Towards Functional Safety
in Drive-by-Wire Vehicles
www.TechnicalBooksPDF.com
Towards Functional Safety

This dissertation was submitted to and accepted
at Technische Universität Braunschweig,
Braunschweig, Germany
123
Institut für Regelungstechnik
TU Braunschweig
Braunschweig, Bayern
Germany
ISBN 978-3-319-17484-6 ISBN 978-3-319-17485-3 (eBook)

DOI 10.1007/978-3-319-17485-3
Library of Congress Control Number: 2015939166
Springer Cham Heidelberg New York Dordrecht London

© Springer International Publishing Switzerland 2015
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part
of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations,
recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission
or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar
methodology now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this
publication does not imply, even in the absence of a specific statement, that such names are exempt from
the relevant protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this
book are believed to be true and accurate at the date of publication. Neither the publisher nor the
authors or the editors give a warranty, express or implied, with respect to the material contained herein or
for any errors or omissions that may have been made.
Printed on acid-free paper
Springer International Publishing AG Switzerland is part of Springer Science+Business Media

(www.springer.com)
v
vi
I. I NTRODUCTION
II. A SSISTING THE D EVELOPMENT OF EE S YSTEMS
vii
III. A N OVEL EE A RCHITECTURE FOR D RIVE - BY-W IRE
IV. E NABLING F UNCTIONAL S AFETY E FFICIENTLY
viii
V. E VALUATION
ix
xi
xiii
xiv
1
719, 535
Increasing
complexity
351 of modern
20 vehicles
New
functionality
vs. safety
Ó Springer International Publishing Switzerland 2015 3

P.J. Bergmiller, Towards Functional Safety in Drive-by-Wire Vehicles,
DOI 10.1007/978-3-319-17485-3_1
The vehicle
as one
system
2
Automotive
systems
engineering
Process
models

DOI 10.1007/978-3-319-17485-3_2
The V-Model
The
V-model for
mechatronic
systems
Requirements Installation,
specification acceptance test
System System
specification validation
Architectural System
design integration and test
Subsystem Subsystem
design integration and test
Module Module
design testing
Coding
Methods
Customer demands Customer acceptance
Syst
vel
System requirement 1 System acceptance
em le
analysis test
em le
3 System integration
Syst
System design and test
vel
2
IT- IT-integration
requirement
analy
and test
Sub
l
leve
t
analysis &
d tes
Mec nd des
design
sis a
n an s
syst
ic
tem
hanic ign
integ echan
em le
and tegr.
HW- sign
SW- esign
and tegr
bsys
ratio
test
test
& de
&d
s
M
in
analy
in
analy
HW
vel
Su
SW
s. detaile
s.
test nent
test .
SW
p
SW
Boa
layo
draft
com
Deta hanics
st
mec
po
com chanics
Com
el
nt te
rd la gram
ut dia
com
t lev
illing
SW
pone
yout,
pone
implement. HW
onen
Me
of
Manufacture
nt le
p
Prototypes
Com
vel
Build production Build mechanics

equipment modules
Standards,
legislation
1
Method
1
< may contain
< may contain

1
< contains *
Principle
1 *
follows >
Process Heuristics
may contain >
1 *
Tools and
solutions
Toolchain
A novel
system
architecture
10
System 3 Toolchain for integration testing Degradation
architecture and hierarchical approach to and 6
Fault
derivation safety evaluation 2 , 4 intervention
V-Model based Monitoring and action derivation 5

development Provision for safe operation 7
Plan maintenance Perform maintenance
Evaluate customer Repair the

needs 1 system
Vehicle development Vehicle operation
Mechanisms
and
methods
Summary of
Contribu-
tions
11

12
I Introduction
1 Vehicle Electronics: A Challenge for the Automotive Industry
Redesigning Vehicle Electronics: A Systems Engineering Approach

Objective 1: Provide a tool- Objective 2: Propose a system
2
chain for vehicle level develop- architecture for flexible Drive-
ment and rapid prototyping by-Wire vehicles
II Assisting the Development of EE III A Novel EE Architecture for

Systems Drive-by-Wire
Experimental Vehicles as EE Architecture of the Experimental
3 5
Development Tools Vehicle MOBILE
Structure and Elements A Tailored Approach to Functional

4 6
of the Toolchain Safety Evaluation
IV Enabling Functional Safety Efficiently

7 Tactical Safety Measures 8 Strategic Failure Prevention
V Evaluation
9 Functional Safety of MOBILE
A Step Towards Functional Safety in Drive-by-Wire Vehicles

Result 1: An operational and Result 2: A novel system archi-
10
applicable toolchain for tecture and means for cost effi-
development cient & flexible Drive-by-Wire
13
3
Commonly
used tools

DOI 10.1007/978-3-319-17485-3_3
Need for
flexible
vehicles
Goal of this
chapter
RWTH
Aachen
18
280
Mercedes
Benz
Porsche AG
19
Nissan
2.5
3 3.3
TU
München
254
Stanford
University
20
Universität
Paderborn
280 60
2.2
The Chinese
University of
Hong Kong
160 90 DLR
2.05 Kanagawa
Institute of
612 Technology
General
Motors
Melbourne
University
21
NHTSA
Volvo,
Chalmers
University
Volkswagen
AG
2
4
BMW AG
6
7
AUDI AG,
Vehicle-in-
the-Loop
22
Construction
and
actuators
Trends in
the design
23
Conclusion
24
4
Structure of
the toolchain
15

DOI 10.1007/978-3-319-17485-3_4
→
Electric
drive
26
100
Four-wheel
steering
40
40
27
43
130
Electro-
mechanical
braking
1
2.1
Power 300
supply
400
48 12
48
12 →
→
28
User
interface
Differentiation
of MOBILE
15
29
Pi-Theorem
1 4.86 15
Restrictions
30
0.4 1.94 1.75 4.86
0.56 2.72 2.72 4.86
16 2000 2000 125
11 53 44 4.86
0.14 0.68 0.64 4.86
ψ̇ ψ̇ ψ̇
β β β
2
5 24.3 10 4.86
250 151875 607.5
2
· 0.44 1299 2952, 45
230 285
762
Set-up of
MAX
31
→ →
32
Code
generation
Evaluation
2008 4.0 AUTOSAR
Monitoring
and
visualization
33
15
34
Position Calculation Track Data
cur. coordinates, ref. coordinates,
cur. orientation ref. orientation
Virtual Driver
Speed profile generator Orientation Lateral displacement
controller controller
Speed controller Dynamic weighting
torque steering angle
Driving Performance System

Single track model as reference
Longitudinal
Torque
Speed accel- Yaw rate Side slip
vectoring
controller leration controller controller
controller
controller
Dynamic Dynamic
weighting weighting
Torque
distribution
wheel torques wheel steering angles

Virtual Vehicle
Double track
Drive train model Tire model
model
wheel speeds, accelerations, yaw rate, etc.

State Acquisition
Slip estimation (longitudinal and lateral)

Measurement
Speed estimation
unit
Filtering of yaw rate and accelerations
35
Double track
vehicle
model
Approach
100
36
l0...4: Position along the optical lever relative to the vehicle
e0: Yaw angle error
e1...4: Lateral displacement at a given position
Optical lever
e4
Vehicle l1 l2 l3
e0 e e e l4
1 2 3
l0
Reference trajectory
Tuning the
driver
Evaluation
37
Side slip
Speed
15
38
5
Flexibility vs.
safety
Structured
architecture
derivation
1
2

DOI 10.1007/978-3-319-17485-3_5
Derive requirements
1
and constraints
Derive mechanical and

2
actuator set-up
Iterate through all hierarchical layers

Architecture
definition for Define functional/soft-
3
the EE system ware architecture on layer
Derive hardware architec-

4
ture on layer
Iteration no
5
finished?
yes
Define additional aspects

6
for software architecture
7 Validate goal achievement
3 5
42
Vehicle
layer
System layer
(axle control system)
Subsystem layer
(primary axle control system)
Component layer
(acceleration sensor evaluation)
Elementary functions
(calculate average value function)
(....): examples of functional systems at the given hierarchical layer
System
structure

43
System structure, degree of redundancy 1
Actuator control User interface
ECU design, 2
fault tolerant units
Sensors & ECU 1 ECU 1 Sensors &

actuators actuators
ECU 2 ECU 2
Functional 6
4 Inter-ECU Sensor data 3
redundancy 5
acquisition and
communication Operating
actuator control
system
Power
Power supply
supply 7
Diagnostic algorithms/system
Diagnostic system, fault handling 8
Knowledge
Knowledge base
representation 9
Redundant
local
controllers

44
Network
centric
approaches
Sensor and
actuator
redundancy

45
Network

17.6
Operating
systems

Functional
redundancy

Power
supply

100
46
Online
diagnostics,
degradation

Knowledge
base

Differentiation
of MOBILE
47
SIRIUS
2001
SPARC
project
Lessons
learned
48
Control Commands
inputs Vehicle control to actuators
Feedback function Sensor data
Vehicle
Driver
35
49
Vehicle control function
Emergency run
Control driving function Stability
inputs control Access Commands
Vehicle state control to actuators
acquisition
Diagnostic
function
Prototype Sensor
Feedback data
driving function
Functional
architecture
50
Front axle User Rear axle
control system interface control system
Data bus
Inertial meas. Stability Power supply

system control system system
Power supply
Hardware
structure
Merging
views
51
User Front axle Rear axle Power Stability Inertial
interface control control supply control meas. sys.
Emergency run driving function Stability Vehicle
control state
Prototype driving function
acquis.
Access control
Diagnostic function
Driving
functions
State
estimation
Stability
control
Diagnostic
system
52
Emergency run
Emergency run driving function driving function
Control
Local data Data Actuator
inputs
acquisition processing control
Switch Commands
to actuators
Access control Prototype
Vehicle state acquisition Stability control
driving function
Inertial Sensor State Reference Control Safety
algorithm guard Actuator
measurm. data fusion estimation generation
control
Safety
monitoring
Prototype driving function
Local data Data Safety

acquisition Processing reference
Feedback Feedback Diagnostic function
control
Global data Diagnostic Hardware
acquisition fusion monitoring
Sensor
data
53
Access
control
Power
supply
Stability
controller
54
Fault
tolerant
units
Merging
views
55
56
Primary front axle controller Primary rear axle controller Primary user interface controller Primary power supply controller
Local data Data Actuator Local data Data Actuator Local data Data Actuator
acquisition processing control acquisition processing control acquisition processing control
Hardware Hardware Hardware Global data Diagnostic Hardware

monitoring monitoring monitoring acquisition fusion monitoring
Safety Safety Safety Safety Safety Safety

guard guard guard reference monitoring guard
Feedback
control
Secondary front axle controller Secondary rear axle controller Secondary user interface controller Secondary power supply controller
Local data Data Actuator Local data Data Actuator Local data Data Actuator
acquisition processing control acquisition processing control acquisition processing control
Diagnostic Hardware Diagnostic Hardware Diagnostic Hardware Global data Diagnostic Hardware
fusion monitoring fusion monitoring fusion monitoring acquisition fusion monitoring
Safety Safety Safety Safety Safety Safety Safety Safety Safety Safety Safety Safety
reference monitoring guard reference monitoring guard reference monitoring guard reference monitoring guard
Stability controller Inertial measurement controller
Vehicle state acquisition
Reference Control Inertial Sensor State
generation algorithm measurm. data fusion estimation
Diagnostic function
Diagnostic Hardware Diagnostic Hardware

fusion monitoring fusion
Safety system and emergency operation
Safety
guard Prototype driving function
57
Application
interface
58
59
Assumptions
and future
challenges
Summary
60
6

DOI 10.1007/978-3-319-17485-3_6
Functional
redundancy
62
Unit 1
Emergency-off function
Unit 2 Unit 3 ... Unit N
Propulsion sub-function
Driver
Actuators
inputs Steering sub-function
Braking sub-function
Hardware units Functions
63
system
of the
Perception
64
Functional system architecture
and hardware constraints
Drive
... ...
Layers for
functionality
(vehicle level)
Elementary functions
hierarchical abstraction
Goal orientation
Hardware orientation
Vehicle as one system
Requirements
Failure probabilities
Result
Vehicle layer
layer
System layer
Detailed
(axle control system)
in this
Subsystem layer work
(primary axle control system)
Component layer
(acceleration sensor evaluation) Assumed
Elementary functions inputs
(calculate average value function)
(....): examples of functional systems at the given hierarchical layer
Hierachical
layering in
research
65
Input: safety requirements
Architecture
analysis 1 Define hierarchical layers
2 Define virtual systems
Component
analysis Identify generalized
Adapt if needed
Iterate through all hierarchical layers

3
failure states top-down
Static failure analysis

4
no systems
of virtual
Dynamic failure analysis

5
of virtual systems
Iteration no
6
finished?
yes
Top-level
functional Derive cut sets for
7
safety relevant failure scenarios
evaluation
8 Derive failure rate
9 Derive diagnostic coverage
66
Virtual systems and
interfaces
Existing architecture
and interfaces
Examples
Critique
67
3
Definition
process
68
In Out
C1 C2 C3 C4
C5
Failure of Generalized failure state

C1 | C4 | ( C5 & (C2 | C3) ) Total loss of system
C2 | C3 Emergency operation
No failure | C5 Regular operation
Full operation: , Emergency operation: ,

Logic "or": | , Logic "and": & , Component x: Cx
Related
work
69
70
1
p21 p12
p31
p13 p11
2 p22
p33
p23 p32
3
pij i
j
pij = P (Xt+1 = sj |Xt = si ).
Xt si
X i
pij
71
6
72
Failure states 1 to 11 Abstraction
(step a) (step b)
Generalized failure states
Repeat process on next

higher level based on
generalized failure states
for each system in the
current layer
(step c)
73
6
74
Hierarchical layer
(1...L)
Cut set counter for
each layer (1...I) Single- or dual-point fault based cut set
l
i s d
Cl l C
1
12 C12 s
Example
Cil{s/d} = Cjg{s/d} ∀ i = j ∧ l = g,
Cils ∩ Cjgd =∅ ∀ i, j, l, g.
l g i j
Result:
cut sets
75
Result layer / layer 1
Faulty part of the system
Layer 2
Layer 3
External
Layer 4
λli
i l
TM
P (Cils ) = 1 − e−λi ·TM ≈ λli · TM

l
.
λ1 λ2
p
1
p = 2 · λ1 · λ2 · (TM · TSS − · T 2 ),
2 SS
76
Both systems
operable
Failure of one
system
1-c c
Total system failure One system operable

(failure not detected) (failure detected)
Failure rate of unit one

Failure rate of unit two
Diagnostic coverage Total system failure
(both units defect)
TSS
f (Δt) = 1 − e−λΔt
f (Δt) = λΔt λ
Δt
1
P (Cild ) = 2 · λli,1 · λli,2 · (TM · TSS − · T 2 ).
2 SS
λli,1 λli,2
i
l
77
l

I
P (C l ) =(+1) · P (Cil{s/d} )
i=0

i=I−1 j=I
(−1) · P (Cil{s/d} ∩ Cjl{s/d} ) } (λ3 ) ≈ 0
i=0 j=i+1
j=I−1
i=I−2 k=I
(+1) · P (Cil{s/d} ∩ Cjl{s/d} ∩ Ckl {s/d} ) } (λ4 ) ≈ 0
i=0 j=i+1 k=j+1
...
(−1) I+1
· P (C1l {s/d} ∩ C2l {s/d} ∩ ... ∩ CIl{s/d} ) } (λI+1 ) ≈ 0.
I j k
i (·)
λ
λ
i j
P (Cild ∩ Cjld ) = P (Cild ) · P (Cjld |Cild ) ∝ λli,1 · λli,2 · λlj,2 } λ3 .
λli,1 λlj,1
λ2
8 F
P (C l )

l=L
F = P (C l ).
l=1
78
DC
λdd
DC = .
λdd + λdu
λdd λdu
Calculation
process
λdu DC
λdu
λdd
79
Fields of
application
Contributions
80
81
Outlook
82
7
“Zebra
tactics” for
MOBILE

DOI 10.1007/978-3-319-17485-3_7
86
Requirements
Solution
strategy
→ →
→
→
→
87
→
→
→
Core
contributions
(1) System
structures
88
(2) Deriving
symptoms
1970
(3)
Determining
actions
89
Cause-
symptom
correlation
Fuzzy Logic
1960
Bayesian
Networks
90
Neural
Networks
1943 1980
91
(4) Relating
PFDH
→
→
<4
→
→ →
S Ns

92
Controller
11 1 11 2 3
21 21 Symptom 1
Input
... Signal
...
signals
N1 N1
group p1
1
12 12
22 22 Signal Symptom 2 Action
Input Action
Monitoring
...
...
signals group p2 derivation
N2 unit N2 unit
2
1S 1S
2S 2S Symptom S
Input Signal
...
...
signals
NS NS group pS
S
93
ps

n=Ns
n=1 (hs,n · psn )
ps = max n=Ns
, Es , s ∈ {1..S}, n ∈ {1..Ns }, hs,n ∈ R+ ,
n=1 (hs,n )
hsn n s
Ns psn n Es
(A) - Error
perpetrator
s ps
Ps ( s ∩ s )=
ps · Ps ( s | s ).
Ps ( s s )
0.5
Ps ( s ∩
s ) s
s
(B) - Signal
group error
probability
e S
vectors
(C) - Cause
identification
94
R
S cer,s
1 0
cr
c = (c1 , .., cR )T
s=S
s=1 cer,s · es
cr = s=S
.
s=1 cer,s
c
(D) - Action
derivation
G R
acg,r g r
ag

r=R
ag = (acg,r · cr + (1 − cr )).
r=1
(1 − cr )
g (acg,r · cr )
a = (a1 , .., aG )T
(E) - Action
weighting
95
No fault Weighted costs
Vehicle operable
after application of
an action
fault relative weighting
ug
wg
wg
r=R
r=1 acg,r · (1 − cr )
wg = r=R ,
maxg ( r=1 acg,r · (1 − cr ))
ug

r=R
ug = wg · (1 − cr ).
r=1
ug u a u
v = a − u g
vg
(F) - Time
dependency
g
g
96
c (th )
th
c (th ) c
c (th ) = c (th−1 ) + (1 − c (th−1 )) · c(th ).
c(th ) c h
c
c (th )
c(th )− = 0
c (th )
97
User inputs
(gas + steering),
sensor information
FlexRay A FlexRay B
Output
Input Secondary units
units node Input
units
Actuator
Input Primary Output
Sensor data commands
units node units
98
n
p sn = 0 ps n = 1
4
2 10
Internal
health
monitoring
99
Prop
Limit
Prop
Limit
Del
Del
DelayMon X O O ... No action 0 0 0 ...
PropMon O X O ... SW reset 0.5 0.5 0.5 ...
FrequMon O O O ... HW reset 0.8 0.8 0.8 ...
...
...
...
...
...
...
CE of SN AC
IntSysTim
CANAFail
DevSW
Prop
Limit
Del ...
DevSW X X X No action 0 0 0 ...
IntSysTim X X O ... SW reset 0.2 0.8 0.1 ...
CANAFail O O O ... Power off 1 1 1 ...
...
...
...
CE of PN ACof PN
2 10
Matrices
100
250
101
10% 33%
pdel 33% 100% 33% 0% 100% 0%

pprop 0% 0% 33% 33% 0% 66%
t1
t2
t3
t4
pdel /pprop
p 1 p2 p3 0 0.10
102
1 1
Probability values Probability values
Action probability
Action probability
0 OR 0.10 0 OR 0.30
0.5 0.5
0 0
1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
Cycle Cycle
1 1
Probability values Probability values
Action probability
Action probability
0 OR 0.60 0 OR 0.90
0.5 0.5
0 0
1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
Cycle Cycle
SN&PN NoAction
SN SW−Reset
SN HW−Reset
SN PowerOff
PN SW−Reset
PN PowerOff
p1 p2 p3
(0, 0, 0)
Discussion
of simulation
results
103
4
104
1 1
Cycle #1 Cycle #2
Action probability
Action probability
0.5 0.5
0 0
0 0.5 1 0 0.5 1
Probability input Probability input
SN & PN NoAction
SN SW−Reset
SN HW−Reset
SN PowerOff
PN SW−Reset
PN PowerOff
PFDH and
Bayesian
Networks
147
105
SG
SG1 SG2 ... SGN
1
ASG ASG ASG ASG ASG ASG

... ...
SN1 SN2 SNN PN1 PN2 PNN
SN
CoF CoF CoF CoF
... PN
...
SN1 SNR PN1 PNT
AS1,1 CS1,1 AS1,1 CS1,1 AP1,1 CP1,1 AP1,1 CP1,1

AS1,2 CS1,2 AS1,2 CS1,2 AP1,2 CP1,2 AP1,2 CP1,2
AS1,G CM
CS1,G
1,G ... ASR,G CSR,G AP1,Z CM
CP1,Z
1,G ... APT,Z CPT,Z
ASr,g / APt,z : efficiency of action g/z to address r/t -th cause on the
secondary/primary node
CSr,g / CPt,z : costs generated by action g/z on cause r/t on the
CoF SN/PNr,t : r/t-th cause of failure on the monitoring/development node
ASG SN/PNr,t: signal group failure rate associated to the
SGn: probability of failure detected by signal group n
25%
97%
3%
106
107
108
Increase
benefits,
reduce costs
109
Model-
following
controller
Controller
onboard
15
MAX
100%
110
5
Measured acceleration
Acceleration (m/s²), speed (m/s)
4 Reference acceleration
Measured speed
Reference speed
3
−1
0 5 10 15 20 25 30 35 40 45 50
Time (s)
Failure com-
pensation
111
2
Yaw rate (rad/s), side slip angle (rad)
−1
Measured yaw rate
Reference yaw rate
−2
Measured side slip angle
Reference side slip angle
−3
0 5 10 15 20 25 30 35 40 45 50
Time (s)
Conclusion
112
113
8
Strategic
mechanisms
for MOBILE

DOI 10.1007/978-3-319-17485-3_8
Limitations
of the
current
approaches
116
Requirements
Solution
strategy
117
Critical wear level 1 without optimization
Proportional wear
2 with optimization
(wear balancing)
3 with optimization
(overall wear
reduction)
Comp. 1 Comp. 2 Comp. 3 Comp. 4
118
Need for
coordination
Modeling
components
Impact
factors on
tire wear
119
Δm = f1 · W f2 .
f1 f2
Learning
from mea-
surements
W = FL · (Ω · R · cos(α) − ω · r) + FT · Ω · R sin(α).
FL FT
Ω·R
α ω·r
Modeling
camber
120
Pressure
distribution Trapezoid due to camber
Slices to derive local tire wear
Non-
isotropic
shear forces
Optimizing
tire load
121
μ
→ →
Integrating
the optimizer
122
Driver
Constraints
commands
Low execution
frequency
Optimizer
High execution
frequency
Drive Distribution Vehicle
controller unit (actuators)
Execution
frequency
The driver
Functional
safety
p1 pQ
123
Optimizer results
Basic constraint
Drive controller commands

monitoring
Commands to actuators
Access control
Fall-back
p1
p2
...
pQ
min z = f (x),
gi (x) ≤ 0; hj (x) = 0; xl ≤ x ≤ xu ;

i{1, ..., I}; j{1, ..., J}
124
x = (x1 , x2 , ..., xG ).
min z
f x
gi hj I J xu
xl x
min z = (f1 (x), f2 (x), ..., fN (x)).
f1 fN N
Evaluation
Evolutionary
algorithms
125
NSGA-II
x
126
Gradient
based
algorithms
min z
fn (x) n
n

N
min z = (|fn (x) − n| · n ).
n=1

N 1/p
min z = lim (fn (x))p .
p→∞
n=1
SQP
127
Tmax
p1 pQ
xg
128
nM (t) t
g=G
Mset (t) − g=1 Mg (t)
nM (t) = ,
Mset (t)
Mg (t) g G
Mset (t)
129
F Ni i = 1..4
sl,i
sr,i
sr,i = |sin(αi )|.

αi
μ {r,l},i
= min(C · s{r,l},i , μ ).
μ μ {r,l},i
Pi
vl,i vr,i
130
i Pr,i Pl,i
Pr,i = μ r,i
· FNi · vr,i ,
Pl,i = μ l,i
· FNi · vl,i ,
Pi = Pr,i + Pl,i .
Pi Wi
Wi (t)
Wi (t) − Wmin (t)
nWi (t) = 0.1 + 0.9 · .
Wmax (t) − Wmin (t)
Wmax (t) Wmin (t)
t
t
T (t)
T (t + Δt) M Δt
T (t + Δt) − Tlow
nT (t) = .
Tmax − Tlow
Tlow Tmax
13 − 15
131
2
1.8
Weight (−)
1.6
1.4
1.2
1
0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1
Input (−)
nB
Vmax − Vmeas (t)

nB (t) = .
Vmax − Vmin
Vmax Vmin Vmeas (t)

0
1
1
(η) = 1 + η .
e−(K1 · 100 −K2 ) + K3
K1 K2 K3
η
K1 = 10 K2 = 8
K3 = 0.86
132
1
1 + K3
1 2
0 1
=1
25
nM = 50 − 25 · max({ }).
133
60
50
Y coordinate (m)
40
30
20
10 Start at (0,0) in
counterclockwise
direction
0
−70 −60 −50 −40 −30 −20 −10 0 10 20
X coordinate (m)
1.1
20
0.15 0.1
1.6
134
6
5
Speed (m/s)
0
0 50 100 150 200 250 300 350
Track (m)
80
100 36
0.15
Measure-
ments with
MAX

∀i w(i)
1−5
σ̄
σ̄
Ŵ
135
Steering angle
0.35
0.3
Steering angle (rad)
0.25
0.2
Left (Ackermann)
0.15 Right (Ackermann)
0.1 Left (optimizer)
Right (optimizer)
0.05
0
0 5 10 15 20 25 30 35
Track (m)
Wear of tires (front left, front right, mean value of rear axle)
350
Tire wear, energy estimate (J)
300
250
200
Tire wear with optimizer
150 Tire wear with Ackermann steering
100
0 5 10 15 20 25 30 35
Track (m)
100
56
2
4 3.5
136

∀i w(i) σ̄ σ̄ Ŵ

∀i w(i) σ̄ σ̄
Ŵ
350
6.5
30
25
70
137
Speed
6
Speed (m/s)
4
Reference
Without optimizer
2
With optimizer
0
0 50 100 150 200 250 300 350 400
Track (m)
Torque front and rear axle
100
Torque without optimizer front/rear
Torque command (%)
80 Torque with optimizer front

Torque with optimizer rear
60
40
20
0
0 50 100 150 200 250 300 350 400
Track (m)
25
70
260
138
Temperatures
100
80
Temperature (°C)
60
Without optimizer front
40 Without optimizer rear
With optimizer front
20 With optimizer rear
Critical temperature
0
0 50 100 150 200 250 300 350 400
Track (m)
States of Charge
100
Without optimizer front
State of Charge (%)
80 Without optimizer rear

With optimizer front
60 With optimizer rear
40
20
0
0 50 100 150 200 250 300 350 400
Track (m)
v̄
¯
|d|
T̄
Total wear
139
Temperatures
100
Without optimizer
80 With optimizer front
Temperature (°C)
With optimizer rear

60
40
20
0
0 50 100 150 200 250 300 350
Track (m)
Tire wear energy estimate (J)

3500
Tire wear, energy estimate (J)
Tire wear front left, front right, and rear axle (Ackermann)
3000
Tire wear front left, front right, and rear axle (optimizer)
2500
2000
1500
1000
500
0
0 50 100 150 200 250 300 350
Track (m)
96
105
15
9 131
140
¯
∀i w(i) σ̄ σ̄ Ŵ v̄ |d| T̄
+10
+10

∀i w(i) σ̄ σ̄
Ŵ v̄
¯
|d| T̄
93
95 Driver inputs
Standard
deviation of
wear
141
Peak wear 10
and temper-
atures
6 8
Failure
scenarios
Unequal
wear 1.1 10
Ŵ
10
Summary
for complex
track
142
400
350
Standard deviation relative to
non−optimized driving (%)
300
250
200
150
100
Measurements
50 Vehicle with Ackermann steering (reference)
0
0 0.5 1 1.5 2 2.5
Period between optimizer executions (s)
0.2
0.4
143
Optimization
Strategy
Limitations
of the
system
Possible
further de-
velopments
144
Self-
concept
145
Self-esteem
10
146
Wisdom Further abstraction, understanding principles
Knowledge Interconnection, abstraction, pragmatism

Information Context, perception by recipient
Data Syntax
Signs
Self-repre-
sentation
Further
definitions
Data
147
Information
Knowledge
148
Abilities and
skills
149
Behav-
ioral skills
Action skills Skills
Bas kil s
kil s
Act kil s
iora av-
s
ic s
ls
Beh
ion
Basic skills
e
tis Abilities
er
s
ie
xp
ilit
fe
ilit tive
ab
lo
M s
ie
ab gni
or
ve
ot
Le
o
C
Transfer to a
vehicle
Hierarchical
abstraction
150
Level of expertise Self esteem
of the vehicle
Self concept Vehicle Driver
Cognitive abilities
Behav- Experts
Navigation
ioral skills
Action skills Guidance
Motor abilities Basic skills Control

Vehicle abilities Vehicle skills Driver-vehicle system
Skills contributing to the self-concept, Driving tasks introduced by
adapted from Siedersberger [2003] Donges [2012] taken over
by the driver-vehicle system
Relating
results
151
152
Summary of
Contribu-
tions
Universität
der Bundes-
wehr
München
153
Project
“Stadtpilot”
Project
SPARC
154
BMW-Group
Applied
Research
Laboratory
155
Autonomous
robots
Motor and
perceptual
schemas
Cognitive
automobiles
156
Summary
157
Requirements
Solution
strategy
Information
base
158
→
→
→
Knowledge
→ base
159
... Onboard Offboard
Device 1 Device N
Data bus (FlexRay) 4

Data and value types, Info base
1 association to modules config tool
Information
base Dependencies, effects 3
Fuzzy
on vehicle handling,
Logic
2 diagnostic information
Knowledge
base
Self-concept
→ →
Core
contributions

160

Information
base
161

Configuring
the
information
base
Knowledge
base
162
al
ior
h av
Be s Fuzzy Fuzzy
ill
Sk
n
tio
Ac s Fuzzy Fuzzy Fuzzy Fuzzy
k ill
S
s ic
Ba s Fuzzy Fuzzy Fuzzy Fuzzy Fuzzy
ill
Sk d
he
ric on
En mati
o r
f on
in ati
f o rm
In
se
ba
Diagnostic information Proposed improvements
163
A fuzzy way
to determine
skill levels
Evaluation
164
Sharp inputs Fuzzy Logic in a skill node
(measurements, Sharp output
other skills etc.) Fuzzify Inference Defuzzify of skill level
165
Behavioral skills
City driving
Demo Highway ...
driving driving
Action skills
Stop&go
Lane
following
Maneuver-
ing
Lane
change
High-speed ...
driving
Basic skills
Set driving
Standstill Decelerate Accelerate
direction
Provide Provide
Parking Rotate
power energy
Implementa-
tion
166
Technical
facts
4 20
0.5 1
Concept:
information
base
Concept:
knowledge
base
167
Outlook
Tooling
168
Transfer to
series
vehicles
Conclusion
169
9
Safe state

DOI 10.1007/978-3-319-17485-3_9
Hazard
definition
Note:
Remark for
series
vehicles
174
1
6 6
7 10
5 6
13.9 50
6 10
0.6
0.35 0.09
20
175
≤ 50
176
30
30
30
160 44
4
30
177
2 9
31
702
60
“Subsystem
layer”
100
178
Lower layers
Link
between
layers
Summary
1140
179
5,5E-08
5E-08
Faillure rate (1/h)
4,5E-08
Failure rate on
vehicle level
4E-08
3,5E-08
3E-08
114
171
228
285
342
399
456
513
570
627
684
741
798
855
912
969
1026
1083
1140
0
57
Vehicle age (days)

0,012
Failure rate on
vehicle level
0,01
ailure rate (1/h)
0,008
Failure rate on
0,006 system level
Fa
0 004
0,004
Failure rate on
0,002 subsystem level
0
171
228
285
342
399
456
513
570
627
684
741
798
855
912
969
1026
1083
0
57
114
1140
Vehicle age (days)
180
10
System
architecture
Tactical
mechanisms

DOI 10.1007/978-3-319-17485-3_10
mechanisms
Strategic
182
A hierarchical approach to
functional safety evaluation
Optimal wear and load

balancing
Self-representation
Strategic measures
of the ego vehicle
Integrated vehicle
control to exploit
Deriving a system
architecture top-down
functional redundanies
Highly flexible Drive-by-Wire vehicles

Probabilistic Fault
Detection and
Tactical measures
Handling Algorithm
Functional requirements in terms of application and safety
A toolchain to support system

design and implementation
Assisting
tools and
methods
15 Validation
and
verification
Summary
183
Erratum to: Towards Functional Safety
Erratum to:
P.J. Bergmiller, Towards Functional Safety
in Drive-by-Wire Vehicles,
DOI 10.1007/978-3-319-17485-3
The original version of this book was inadvertently published without

the dissertation text on the title page.
The online version of the original book can be found under

DOI 10.1007/978-3-319-17485-3
P.J. Bergmiller (&)

Institut für Regelungstechnik, TU Braunschweig, Braunschweig, Bayern, Germany
e-mail: bergmiller@ifr.ing.tu-bs.de
Ó Springer International Publishing Switzerland 2015 E1

DOI 10.1007/978-3-319-17485-3_11
A

DOI 10.1007/978-3-319-17485-3
European
Union
Economic
Commission
for Europe
407/2011
ISO, IEC,
ITU, EN and
DIN
Legislation
in Germany
823
186
25
187
188
Π
Π
Π
Ψ̇
mv β̇ + (mv 2 + cαf lf − cαr lr ) + (cαf + cαr )β = cαf δf + cαr δr
v
Ψ̇
ΘΨ̈ + (cαf lf2 + cαr lr2 ) + (cαf lf − cαr lr )β = cαf lf δf − cαr lr δr
v
13
10 Π
m
m kg v s
Θ kgm2 δf /r rad
rad
β rad β̇ s
Ψ̇ rad
s
Ψ̈ rad
s2
lf /r m
kgm
cf /r s2 rad
189
Π
β̇lf
Π1 =
v
Ψ̇lf
Π2 =
v
Ψ̈lf2
Π3 =
v2
Π4 = β
Π5 = δf
Π6 = δr
Θ
Π7 =
lf2 m
cf l
Π8 =
v2m
cr l
Π9 =
v2m
lr
Π10 =
lf
Π
190
P
s| r)
P( r| x ∩ ...∩ y ))
191
192
193
p
N ∈ N
n pn
1 1 1
p = · p1 + · p2 + · · · + · pn .
N N N
N =1
1
p = p1
1
194
N =2
w1
w1 +w2
w2
w1 +w2
w 1 , w2 ∈ N
p1 p2 p
w1
w1 +w2
w2
w1 +w2
p
w1 w2
p = p1 · p2 + · p1 · (1 − p2 ) + · (1 − p1 ) · p2
w 1 + w2 w 1 + w2
w1 w2
= · p1 + · p2 .
w 1 + w2 w 1 + w2
w1 = 1, w2 = 1 w1 + w 2 = N = 2
1 1
p = · p1 + · p2
2 2
n→n+1
w1 w2prelimn
p = · p1 + · p2prelimn ,
w1 + w2prelimn w1 + w2prelimn
p2prelimn
w2 w3
p2prelimn = · p2 + · p3 ,
w 2 + w3 w 2 + w3
w2 + w3 = w2prelimn
N
w1 w2 + w3 w2 w3
p = · p1 + ·( · p2 + · p3 )
w 1 + w2 + w3 w 1 + w2 + w3 w 2 + w3 w2 + w3
w1 w2 w3
= · p1 + · p2 + · p3 .
w 1 + w2 + w3 w 1 + w2 + w3 w 1 + w 2 + w3
195
= 1
n n+1
N
1 1 1
p = · p1 + · p2 + · · · + · pN
N N N
N
p1 p2 ··· pN p
w1new +w2new +···+wNnew
{0, 1} {0, 1} · · · {0, 1} w1 +w2 +···+wN
wnnew 0 pn wn
i=N
w n ∈ R+ i=1 wi =
N p
w1 w2 wN
p = · p1 + · p2 + · · · + · pN .
N N N
N
2N
N
2N 2N − 1
N N −1
196
N ∈N
N + (N − 1) > (N − 1) ∗ 2N + (2N − 1)
N ∈N
30
Operations per node
(N−1)*2N+(2N−1)
20
10
0 N+(N−1)
0 1 2 3
Number of parents (N)
40
197
1.5 2.7
1.6 100
0 100 10
100 40
Fuzzify
Inference
0 1
198
too very too
low low low medium high high
1
Membership
0.5
0
Minimal Maximal
value value
not little best

available available acceptable available possible
1
Membership
Rule 1
0.5
Rule 2
Merged
results
0
25 50 75 100
Skill level
Defuzzify
0 25 50 75 100 75
199
High-voltage
components
200
Electronics
12 48
Vehicle
frame
Integration
201
Summary
202
36 8
Future
extensions
2.4
203
B

DOI 10.1007/978-3-319-17485-3
206
207
208
C

DOI 10.1007/978-3-319-17485-3
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233

Towards Functional Safety in Drive-By Wire Vehicles by Peter Johannes Bergmiller

Caricato da

Informazioni sul documento

Titolo originale

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

Towards Functional Safety in Drive-By Wire Vehicles by Peter Johannes Bergmiller

Caricato da

Copyright:

Formati disponibili

Peter Johannes Bergmiller

Towards Functional Safety

ISBN 978-3-319-17484-6 ISBN 978-3-319-17485-3 (eBook)

Library of Congress Control Number: 2015939166

Springer Cham Heidelberg New York Dordrecht London

Printed on acid-free paper

Springer International Publishing AG Switzerland is part of Springer Science+Business Media

II. A SSISTING THE D EVELOPMENT OF EE S YSTEMS

IV. E NABLING F UNCTIONAL S AFETY E FFICIENTLY

Ó Springer International Publishing Switzerland 2015 3

Ó Springer International Publishing Switzerland 2015 5

Build production Build mechanics

< may contain

< may contain

V-Model based Monitoring and action derivation 5

Evaluate customer Repair the

Vehicle development Vehicle operation

Redesigning Vehicle Electronics: A Systems Engineering Approach

II Assisting the Development of EE III A Novel EE Architecture for

Structure and Elements A Tailored Approach to Functional

IV Enabling Functional Safety Efficiently

A Step Towards Functional Safety in Drive-by-Wire Vehicles

Ó Springer International Publishing Switzerland 2015 17

Ó Springer International Publishing Switzerland 2015 25

2008 4.0 AUTOSAR

Driving Performance System

wheel torques wheel steering angles

wheel speeds, accelerations, yaw rate, etc.

Slip estimation (longitudinal and lateral)

Ó Springer International Publishing Switzerland 2015 41

Derive mechanical and

Iterate through all hierarchical layers

Derive hardware architec-

Define additional aspects

7 Validate goal achievement

(....): examples of functional systems at the given hierarchical layer

Sensors & ECU 1 ECU 1 Sensors &

Inertial meas. Stability Power supply

Local data Data Safety

Hardware Hardware Hardware Global data Diagnostic Hardware

Safety Safety Safety Safety Safety Safety

Diagnostic Hardware Diagnostic Hardware

Ó Springer International Publishing Switzerland 2015 61

Unit 2 Unit 3 ... Unit N

Vehicle control function

Hardware units Functions

Vehicle as one system

(....): examples of functional systems at the given hierarchical layer

2 Define virtual systems

Iterate through all hierarchical layers

Static failure analysis

Dynamic failure analysis

8 Derive failure rate

9 Derive diagnostic coverage

Failure of Generalized failure state

Full operation: , Emergency operation: ,

pij = P (Xt+1 = sj |Xt = si ).

Repeat process on next

P (Cils ) = 1 − e−λi ·TM ≈ λli · TM

Total system failure One system operable

Failure rate of unit one

P (Cild ∩ Cjld ) = P (Cild ) · P (Cjld |Cild ) ∝ λli,1 · λli,2 · λlj,2 } λ3 .

Ó Springer International Publishing Switzerland 2015 85

c (th ) = c (th−1 ) + (1 − c (th−1 )) · c(th ).

gi (x) ≤ 0; hj (x) = 0; xl ≤ x ≤ xu ;

min z = (f1 (x), f2 (x), ..., fN (x)).