Dependability Services in the EASIS Software Platform
Transcription
Dependability Services in the EASIS Software Platform
Electronic Architecture and System Engineering for Integrated Safety Systems Dependability Services in the EASIS Software Platform Martin Hiller Volvo Technology Corporation martin.hiller@volvo.com Workshop on Architecting Dependable Systems June 27, 2006 Philadelphia, USA Workshop on Architecting Dependable Systems, June 27, 2006 Outline Background > ”The Virtual Safety Belt” > Project data > Related projects > Results overview Software platform > Layered architecture > Fault management framework > Dependability support > Security support Martin Hiller, Volvo | © EASIS Consortium 2 Workshop on Architecting Dependable Systems, June 27, 2006 The Virtual Safety Belt ctio e s r Inte ed t h g esi r o F ety f a ns g vin i r D W g& n i arn ms e t s Sy e nc a t sis As , ems s tem Syst s Sy ion h s ect a r t e-c Pro r P le b rsi e v Re l ua t r Vi e Th Martin Hiller, Volvo | © EASIS Consortium fe t a S elt B y 3 Workshop on Architecting Dependable Systems, June 27, 2006 Issues for integrated safety systems > Integration of domain (cabin, chassis, powertrain, …) overlapping safety functions with high dependability > Handling of high system complexity > Integration and multi-usage of environment sensing > Integration of telematics services for safety systems Martin Hiller, Volvo | © EASIS Consortium 4 Workshop on Architecting Dependable Systems, June 27, 2006 Project data Coordinator: Starting Date: Ending Date: Budget Total/Funding: Web site: DaimlerChrysler (Dr. Vera Lauer) 01.01.2004 28.02.2007 9,4 M€ / 5 M€ www.easis.org 22 partners OEM’s Automotive suppliers Tool suppliers Research institutes Martin Hiller, Volvo | © EASIS Consortium 5 Workshop on Architecting Dependable Systems, June 27, 2006 Related projects (Integrated Safety Programme defined by EUCAR*) Ongoing Projects Common, agreed adaptive HMI Common, agreed adaptive HMI interface interface Common E/E Common E/E architecture for vehicles architecture for vehicles “AIDE” “AIDE” “EASIS” “EASIS” AB ABVolvo Volvo DaimlerChrysler DaimlerChrysler Systems for passenger Systems for passenger protection protection Systems for post accident Systems for post accident rescue rescue “APROSYS” “APROSYS” “GST” “GST” Systems for accident Systems for accident prevention prevention “PReVENT” “PReVENT” DaimlerChrysler DaimlerChrysler TNO TNO Recently Started Connecting Connecting intelligent vehicle intelligent vehicle and infrastructure for and infrastructure for enhanced SAFETY enhanced SAFETY Connecting Connecting intelligent vehicle intelligent vehicle and infrastructure for and infrastructure for enhanced EFFICIENCY enhanced EFFICIENCY “SAFESPOT” “SAFESPOT” “CVIS” “CVIS” CRF CRF ERTICO ERTICO ERTICO ERTICO Methodology for accident Methodology for accident causation analysis causation analysis “TRACE” “TRACE” Renault Renault Vehicle-to-Vulnerable road Vehicle-to-Vulnerable road user cooperative technologies user cooperative technologies to improve safety to improve safety “Watch-Over” “Watch-Over” CRF CRF Software for Traffic Efficiency Software for Traffic Efficiency and Safety and Safety “ATESST” “ATESST” *European Council on Automotive R&D Martin Hiller, Volvo | © EASIS Consortium AB ABVolvo Volvo 6 Workshop on Architecting Dependable Systems, June 27, 2006 (AUTomotive Open System ARchitecture) AUTOSAR > Standardized, openly disclosed interfaces > HW independent SW layer > Transferability of functions AUTOSAR RTE > By specifying interfaces and their communication mechanisms, the applications are decoupled from the underlying HW and basic SW, enabling the realization of Standard Library Functions Consortium of over 100 members (and growing) > Partners from Europe, US, Japan > No public funding Check www.autosar.org for more information. Martin Hiller, Volvo | © EASIS Consortium 7 Workshop on Architecting Dependable Systems, June 27, 2006 Expected final results EASIS will provide enabling technologies for the introduction of future integrated safety systems > Software platform providing common > Methods and techniques for handling services for cooperation between safety critical dependability-related parts of the systems development lifecycle > Dependable electronics hardware > Engineering process and tool chain infrastructure, which supports the supporting the development of requirements of these systems in a cost cooperating safety systems effective manner Martin Hiller, Volvo | © EASIS Consortium 8 Workshop on Architecting Dependable Systems, June 27, 2006 Overall software topology L5 L4 Application software (including ISS components) Application interface L3 Common services and abstractions L2 Microcontroller abstraction and device drivers L1 Microcontroller hardware Martin Hiller, Volvo | © EASIS Consortium 9 Workshop on Architecting Dependable Systems, June 27, 2006 Scalable EASIS hardware architecture GW node unit GW node DRIVERS Gateway INPUT LOGIC Power Supply MAIN PROCESSOR SUPER VISOR - INTERFACE Time Triggered Bus FS FO INPUT LOGIC DRIVERS Power Supply FS MAIN PROCESSOR FS SUPER VISOR - INTERFACE Time Triggered Bus Martin Hiller, Volvo | © EASIS Consortium 10 Workshop on Architecting Dependable Systems, June 27, 2006 EASIS framework for dependability Identification of hazards Development and design of Classification of Hazard occurrence the integrated hazards analysis safety system Establishment of dependability-related requirements Verification and validation of dependabilityrelated Final dependability assessment Martin Hiller, Volvo | © EASIS Consortium requirements 11 Workshop on Architecting Dependable Systems, June 27, 2006 EASIS engineering process Basic Function (“inner loop”) Martin Hiller, Volvo | © EASIS Consortium ISS Function (“outer loop”) 12 Workshop on Architecting Dependable Systems, June 27, 2006 Validation / Proof of concept SAFELANE (PReVENT) FS Unit FS Unit Central Node Validator 1: Telematics gateway validator to prove EASIS SW & HW architecture FS Unit FS Unit FS Unit FS Unit Steering wheel sensor S3 S4 S1 S2 M2 M1 Vehicle dynamic simulator Telematics Gateway Steering wheel feedback actuator Validator 2: Commercial vehicle Hardware In the Loop testbench to prove EASIS dependability guidelines and development process Martin Hiller, Volvo | © EASIS Consortium 13 Workshop on Architecting Dependable Systems, June 27, 2006 Outline Background > ”The Virtual Safety Belt” > Project data > Related projects > Results overview Software platform > Layered architecture > Fault management framework > Dependability support > Security support Martin Hiller, Volvo | © EASIS Consortium 14 Workshop on Architecting Dependable Systems, June 27, 2006 Overall software topology L5 L4 Application software (including ISS components) Application interface L3 Common services and abstractions L2 Microcontroller abstraction and device drivers L1 Microcontroller hardware Martin Hiller, Volvo | © EASIS Consortium 15 Workshop on Architecting Dependable Systems, June 27, 2006 Basic software platform – assumptions EASIS will not primarily focus on defining basic services > However, we will specify which services we require, and assume that these services are defined or being defined elsewhere Basic services > Communication managers (CAN, LIN, FlexRay, etc.) > High-level protocols • Basic network specific transport protocols (e.g. ISO 15765, LIN TP) • Calibration protocols (e.g. XCP) • … > Network management > Diagnostic interfaces • E.g. ISO 14229 or ISO 14230 > NVRAM manager > Operating system > … Martin Hiller, Volvo | © EASIS Consortium 16 Workshop on Architecting Dependable Systems, June 27, 2006 Dependability services A set of services and mechanisms concerning dependability has been defined. These are to support the following > Fault management framework > Fault tolerant communication • OSEK/VDX FTCom – same as used in AUTOSAR > Voting/Agreement protocol > Watchdog management > Reconfiguration of applications > Replication of application components > Gateway > Firewall Martin Hiller, Volvo | © EASIS Consortium 17 Workshop on Architecting Dependable Systems, June 27, 2006 Fault management framework Dependability and diagnosis services are part of a larger framework for on-board diagnosis Æ Fault management framework Main goals > To give a global view of the fault management issue > To ensure the consistency of the fault management strategies > To define central software artifacts for in-vehicle fault management and dependability Focus of activities > Act upon error detection notification > Trace and identify faults > Tolerate faults > Other dependability activities The structure which “glues” those different elements together > Note that not all parts of the framework are necessarily implemented software artifacts Martin Hiller, Volvo | © EASIS Consortium 18 Workshop on Architecting Dependable Systems, June 27, 2006 Fault management framework – current modular view Application 1 Application 2 ... Application n Application Interface Logging Fault State Manager Device and network managers Drivers Supervision Reconfiguration NVRAM OS / System Martin Hiller, Volvo | © EASIS Consortium System monitoring scheduling memory 19 Workshop on Architecting Dependable Systems, June 27, 2006 Agreement (and voting) Byzantine faults may occur > Sender malfunctioning > Communication medium faulty > … Based on Signed Message Protocol • Sensor value • Actuator command •… S(1) S(2) … S(n) S(1) Voter Receiver 1 S(FT) Status S(0) S(2) S(1) S(2) … S(n) Receiver 2 Sender Voter S(FT) Status … S(n) S(1) S(2) … S(n) Receiver n Voter S(FT) Status Martin Hiller, Volvo | © EASIS Consortium 20 Workshop on Architecting Dependable Systems, June 27, 2006 Watchdog A1 Error detection at two levels A2 A3 Nominal case: all tasks are executed without problems and all deadlines are met Time > Task level Error case – example 1: a task crashes during execution – application is unavailable • Crashing tasks • Hanging tasks Time Error case – example 2: a task crashes during execution – all applications are unavailable Time > Runnable level • Faulty execution order R1 Runnables are the smallest schedulable/mappable entities. Illegal branch R2 R3 R4 Martin Hiller, Volvo | © EASIS Consortium 21 Workshop on Architecting Dependable Systems, June 27, 2006 Software watchdog – The solution (part I) ALIVE-signals/heartbeat from application components Application component malfunctions (crash, incorrect control flow, etc.) Time The malfunction is detected and recovery actions can be initiated (e.g. restart or reconfiguration). Execution time monitoring of application components START from application component FINISH START Time Execution time budget Martin Hiller, Volvo | © EASIS Consortium Execution time budget exceeded. Recovery actions can be initiated. 22 Workshop on Architecting Dependable Systems, June 27, 2006 Software watchdog – The solution (part II) R1 Illegal branch R2 Heartbeats indicate source Runnable Successors R1 R2 R2 R3, R4 R3 R4 R4 … … … R3 R4 Martin Hiller, Volvo | © EASIS Consortium R3 ∉ SUCC(R1) = {R2} Error detected! 23 Workshop on Architecting Dependable Systems, June 27, 2006 Reconfiguration of applications Reconfiguration can be triggered by the FMF Three levels > Reconfiguration of active task set • Switch between predefined task sets • Puts some constraints on mapping of runnables to tasks > Functional inhibition • Passive w.r.t. platform Æ application receives info and has to act on this > ECU level reset • If all else fails Æ Ctrl-Alt-Del the ECU Martin Hiller, Volvo | © EASIS Consortium 24 Workshop on Architecting Dependable Systems, June 27, 2006 Replication of application components at the task level Basic support required: > Input provider service > Output collector service > Synchronization service C1 IN C2 OUT C3 Martin Hiller, Volvo | © EASIS Consortium 25 Workshop on Architecting Dependable Systems, June 27, 2006 The Communicating Vehicle Workshops and other service providers Other vehicles Infrastructure External communication Handheld devices Other sources… Internal communication Martin Hiller, Volvo | © EASIS Consortium 26 Workshop on Architecting Dependable Systems, June 27, 2006 Gateway – relaying information from source to destination Vehicle wide transport protocol: EASIS Common Transport Protocol (CTP) > Every ECU has a global alias > Routing tables in the gateways ensure proper delivery Martin Hiller, Volvo | © EASIS Consortium 27 Workshop on Architecting Dependable Systems, June 27, 2006 Firewall – Protection against malicious attackers Platform support contains firewall-based access control Application level firewalls have to be implemented by the application developers > Thus, the platform will not check contents of messages – this is the responsibility of the applications Martin Hiller, Volvo | © EASIS Consortium 28 Workshop on Architecting Dependable Systems, June 27, 2006 Outline Background > ”The Virtual Safety Belt” > Project data > Related projects > Results overview Software platform > Layered architecture > Fault Management Framework > Dependability support > Security support Martin Hiller, Volvo | © EASIS Consortium 29 Thank you for your attention! Get more info on www.easis.org or get your copy of the project folder