Dependability Services in the EASIS Software Platform

Transcription

Dependability Services in the EASIS Software Platform
Electronic Architecture and System Engineering
for Integrated Safety Systems
Dependability Services in the EASIS Software Platform
Martin Hiller
Volvo Technology Corporation
martin.hiller@volvo.com
Workshop on Architecting Dependable Systems
June 27, 2006
Philadelphia, USA
Workshop on Architecting Dependable Systems, June 27, 2006
Outline
„ Background
> ”The Virtual Safety Belt”
> Project data
> Related projects
> Results overview
„ Software platform
> Layered architecture
> Fault management framework
> Dependability support
> Security support
Martin Hiller, Volvo | © EASIS Consortium
2
Workshop on Architecting Dependable Systems, June 27, 2006
The Virtual Safety Belt
ctio
e
s
r
Inte
ed
t
h
g
esi
r
o
F
ety
f
a
ns
g
vin
i
r
D
W
g&
n
i
arn
ms
e
t
s
Sy
e
nc
a
t
sis
As
, ems
s
tem Syst
s
Sy ion
h
s ect
a
r
t
e-c Pro
r
P le
b
rsi
e
v
Re
l
ua
t
r
Vi
e
Th
Martin Hiller, Volvo | © EASIS Consortium
fe t
a
S
elt
B
y
3
Workshop on Architecting Dependable Systems, June 27, 2006
Issues for integrated safety systems
> Integration of domain (cabin, chassis, powertrain, …) overlapping
safety functions with high dependability
> Handling of high system complexity
> Integration and multi-usage of environment sensing
> Integration of telematics services for safety systems
Martin Hiller, Volvo | © EASIS Consortium
4
Workshop on Architecting Dependable Systems, June 27, 2006
Project data
Coordinator:
Starting Date:
Ending Date:
Budget Total/Funding:
Web site:
DaimlerChrysler (Dr. Vera Lauer)
01.01.2004
28.02.2007
9,4 M€ / 5 M€
www.easis.org
22 partners
OEM’s
Automotive
suppliers
Tool
suppliers
Research
institutes
Martin Hiller, Volvo | © EASIS Consortium
5
Workshop on Architecting Dependable Systems, June 27, 2006
Related projects (Integrated Safety Programme defined by EUCAR*)
Ongoing Projects
Common, agreed adaptive HMI
Common, agreed adaptive HMI
interface
interface
Common E/E
Common E/E
architecture for vehicles
architecture for vehicles
“AIDE”
“AIDE”
“EASIS”
“EASIS”
AB
ABVolvo
Volvo
DaimlerChrysler
DaimlerChrysler
Systems for passenger
Systems for passenger
protection
protection
Systems for post accident
Systems for post accident
rescue
rescue
“APROSYS”
“APROSYS”
“GST”
“GST”
Systems for accident
Systems for accident
prevention
prevention
“PReVENT”
“PReVENT”
DaimlerChrysler
DaimlerChrysler
TNO
TNO
Recently Started
Connecting
Connecting
intelligent vehicle
intelligent vehicle
and infrastructure for
and infrastructure for
enhanced SAFETY
enhanced SAFETY
Connecting
Connecting
intelligent vehicle
intelligent vehicle
and infrastructure for
and infrastructure for
enhanced EFFICIENCY
enhanced EFFICIENCY
“SAFESPOT”
“SAFESPOT”
“CVIS”
“CVIS”
CRF
CRF
ERTICO
ERTICO
ERTICO
ERTICO
Methodology for accident
Methodology for accident
causation analysis
causation analysis
“TRACE”
“TRACE”
Renault
Renault
Vehicle-to-Vulnerable road
Vehicle-to-Vulnerable road
user cooperative technologies
user cooperative technologies
to improve safety
to improve safety
“Watch-Over”
“Watch-Over”
CRF
CRF
Software for Traffic Efficiency
Software for Traffic Efficiency
and Safety
and Safety
“ATESST”
“ATESST”
*European Council on Automotive R&D
Martin Hiller, Volvo | © EASIS Consortium
AB
ABVolvo
Volvo
6
Workshop on Architecting Dependable Systems, June 27, 2006
(AUTomotive Open System ARchitecture)
„ AUTOSAR
> Standardized, openly disclosed interfaces
> HW independent SW layer
> Transferability of functions
„ AUTOSAR RTE
> By specifying interfaces and their communication
mechanisms, the applications are decoupled from
the underlying HW and basic SW, enabling the
realization of Standard Library Functions
„ Consortium of over 100 members (and growing)
> Partners from Europe, US, Japan
> No public funding
Check www.autosar.org for more information.
Martin Hiller, Volvo | © EASIS Consortium
7
Workshop on Architecting Dependable Systems, June 27, 2006
Expected final results
EASIS will provide enabling technologies for the introduction of future
integrated safety systems
> Software platform providing common
> Methods and techniques for handling
services for cooperation between safety
critical dependability-related parts of the
systems
development lifecycle
> Dependable electronics hardware
> Engineering process and tool chain
infrastructure, which supports the
supporting the development of
requirements of these systems in a cost
cooperating safety systems
effective manner
Martin Hiller, Volvo | © EASIS Consortium
8
Workshop on Architecting Dependable Systems, June 27, 2006
Overall software topology
L5
L4
Application software
(including ISS components)
Application interface
L3
Common services
and abstractions
L2
Microcontroller abstraction
and device drivers
L1
Microcontroller hardware
Martin Hiller, Volvo | © EASIS Consortium
9
Workshop on Architecting Dependable Systems, June 27, 2006
Scalable EASIS hardware architecture
GW
node
unit
GW
node
DRIVERS
Gateway
INPUT LOGIC
Power Supply
MAIN
PROCESSOR
SUPER
VISOR
-
INTERFACE
Time Triggered Bus
FS
FO
INPUT LOGIC
DRIVERS
Power Supply
FS
MAIN
PROCESSOR
FS
SUPER
VISOR
-
INTERFACE
Time Triggered Bus
Martin Hiller, Volvo | © EASIS Consortium
10
Workshop on Architecting Dependable Systems, June 27, 2006
EASIS framework for dependability
Identification of hazards
Development
and design of
Classification of
Hazard occurrence
the integrated
hazards
analysis
safety system
Establishment of dependability-related
requirements
Verification and
validation of
dependabilityrelated
Final dependability assessment
Martin Hiller, Volvo | © EASIS Consortium
requirements
11
Workshop on Architecting Dependable Systems, June 27, 2006
EASIS engineering process
Basic Function
(“inner loop”)
Martin Hiller, Volvo | © EASIS Consortium
ISS Function
(“outer loop”)
12
Workshop on Architecting Dependable Systems, June 27, 2006
Validation / Proof of concept
SAFELANE
(PReVENT)
FS
Unit
FS
Unit
Central Node
Validator 1: Telematics
gateway validator to prove
EASIS SW & HW architecture
FS
Unit
FS
Unit
FS
Unit
FS
Unit
Steering wheel
sensor
S3
S4
S1
S2
M2
M1
Vehicle dynamic
simulator
Telematics
Gateway
Steering wheel
feedback actuator
Validator 2: Commercial vehicle
Hardware In the Loop testbench to
prove EASIS dependability
guidelines and development process
Martin Hiller, Volvo | © EASIS Consortium
13
Workshop on Architecting Dependable Systems, June 27, 2006
Outline
„ Background
> ”The Virtual Safety Belt”
> Project data
> Related projects
> Results overview
„ Software platform
> Layered architecture
> Fault management framework
> Dependability support
> Security support
Martin Hiller, Volvo | © EASIS Consortium
14
Workshop on Architecting Dependable Systems, June 27, 2006
Overall software topology
L5
L4
Application software
(including ISS components)
Application interface
L3
Common services
and abstractions
L2
Microcontroller abstraction
and device drivers
L1
Microcontroller hardware
Martin Hiller, Volvo | © EASIS Consortium
15
Workshop on Architecting Dependable Systems, June 27, 2006
Basic software platform – assumptions
„
EASIS will not primarily focus on defining basic services
>
However, we will specify which services we require, and assume that these services are defined or being
defined elsewhere
„
Basic services
>
Communication managers (CAN, LIN, FlexRay, etc.)
>
High-level protocols
•
Basic network specific transport protocols (e.g. ISO 15765, LIN TP)
•
Calibration protocols (e.g. XCP)
•
…
>
Network management
>
Diagnostic interfaces
•
E.g. ISO 14229 or ISO 14230
>
NVRAM manager
>
Operating system
>
…
Martin Hiller, Volvo | © EASIS Consortium
16
Workshop on Architecting Dependable Systems, June 27, 2006
Dependability services
„ A set of services and mechanisms concerning dependability has been defined.
These are to support the following
> Fault management framework
> Fault tolerant communication
•
OSEK/VDX FTCom – same as used in AUTOSAR
> Voting/Agreement protocol
> Watchdog management
> Reconfiguration of applications
> Replication of application components
> Gateway
> Firewall
Martin Hiller, Volvo | © EASIS Consortium
17
Workshop on Architecting Dependable Systems, June 27, 2006
Fault management framework
„
Dependability and diagnosis services are part of a larger framework for on-board diagnosis
Æ Fault management framework
„
„
„
Main goals
>
To give a global view of the fault management issue
>
To ensure the consistency of the fault management strategies
>
To define central software artifacts for in-vehicle fault management and dependability
Focus of activities
>
Act upon error detection notification
>
Trace and identify faults
>
Tolerate faults
>
Other dependability activities
The structure which “glues” those different elements together
>
Note that not all parts of the framework are necessarily implemented software artifacts
Martin Hiller, Volvo | © EASIS Consortium
18
Workshop on Architecting Dependable Systems, June 27, 2006
Fault management framework – current modular view
Application 1
Application 2
...
Application n
Application Interface
Logging
Fault State Manager
Device and
network
managers
Drivers
Supervision
Reconfiguration
NVRAM
OS / System
Martin Hiller, Volvo | © EASIS Consortium
System
monitoring
scheduling
memory
19
Workshop on Architecting Dependable Systems, June 27, 2006
Agreement (and voting)
„
Byzantine faults may occur
> Sender malfunctioning
> Communication medium faulty
> …
„
Based on Signed Message Protocol
• Sensor value
• Actuator command
•…
S(1) S(2) … S(n)
S(1)
Voter
Receiver 1
S(FT)
Status
S(0)
S(2)
S(1) S(2) … S(n)
Receiver 2
Sender
Voter
S(FT)
Status
…
S(n)
S(1) S(2) … S(n)
Receiver n
Voter
S(FT)
Status
Martin Hiller, Volvo | © EASIS Consortium
20
Workshop on Architecting Dependable Systems, June 27, 2006
Watchdog
A1
„ Error detection at two levels
A2
A3
Nominal case: all tasks are executed without problems and all deadlines are met
Time
> Task level
Error case – example 1: a task crashes during execution – application is unavailable
•
Crashing tasks
•
Hanging tasks
Time
Error case – example 2: a task crashes during execution – all applications are unavailable
Time
> Runnable level
•
Faulty execution order
R1
Runnables are the smallest
schedulable/mappable entities.
Illegal branch
R2
R3
R4
Martin Hiller, Volvo | © EASIS Consortium
21
Workshop on Architecting Dependable Systems, June 27, 2006
Software watchdog – The solution (part I)
ALIVE-signals/heartbeat from application components
Application component malfunctions (crash, incorrect
control flow, etc.)
Time
The malfunction is detected and recovery actions
can be initiated (e.g. restart or reconfiguration).
Execution time monitoring of application components
START from application
component
FINISH
START
Time
Execution time budget
Martin Hiller, Volvo | © EASIS Consortium
Execution time budget exceeded.
Recovery actions can be initiated.
22
Workshop on Architecting Dependable Systems, June 27, 2006
Software watchdog – The solution (part II)
R1
Illegal branch
R2
Heartbeats
indicate source
Runnable
Successors
R1
R2
R2
R3, R4
R3
R4
R4
…
…
…
R3
R4
Martin Hiller, Volvo | © EASIS Consortium
R3 ∉ SUCC(R1) = {R2}
Error detected!
23
Workshop on Architecting Dependable Systems, June 27, 2006
Reconfiguration of applications
„ Reconfiguration can be triggered by the FMF
„ Three levels
> Reconfiguration of active task set
•
Switch between predefined task sets
•
Puts some constraints on mapping of runnables to tasks
> Functional inhibition
•
Passive w.r.t. platform Æ application receives info and has to act on this
> ECU level reset
•
If all else fails Æ Ctrl-Alt-Del the ECU
Martin Hiller, Volvo | © EASIS Consortium
24
Workshop on Architecting Dependable Systems, June 27, 2006
Replication of application components at the task level
„ Basic support required:
> Input provider service
> Output collector service
> Synchronization service
C1
IN
C2
OUT
C3
Martin Hiller, Volvo | © EASIS Consortium
25
Workshop on Architecting Dependable Systems, June 27, 2006
The Communicating Vehicle
Workshops and other
service providers
Other vehicles
Infrastructure
External
communication
Handheld devices
Other sources…
Internal
communication
Martin Hiller, Volvo | © EASIS Consortium
26
Workshop on Architecting Dependable Systems, June 27, 2006
Gateway – relaying information from source to destination
„ Vehicle wide transport protocol: EASIS Common Transport Protocol (CTP)
> Every ECU has a global alias
> Routing tables in the gateways ensure proper delivery
Martin Hiller, Volvo | © EASIS Consortium
27
Workshop on Architecting Dependable Systems, June 27, 2006
Firewall – Protection against malicious attackers
„ Platform support contains firewall-based access control
„ Application level firewalls have to be implemented by the application developers
> Thus, the platform will not check contents of messages – this is the responsibility
of the applications
Martin Hiller, Volvo | © EASIS Consortium
28
Workshop on Architecting Dependable Systems, June 27, 2006
Outline
„ Background
> ”The Virtual Safety Belt”
> Project data
> Related projects
> Results overview
„ Software platform
> Layered architecture
> Fault Management Framework
> Dependability support
> Security support
Martin Hiller, Volvo | © EASIS Consortium
29
Thank you for your attention!
Get more info on www.easis.org or get your copy of the project folder