tum, jan 2014 race ecar · tum, jan 2014 race dr. ludger fiege, siemens ag ... get rid of position...

© Siemens AG 2014. All rights reserved

TUM, Jan 2014

RACE

Dr. Ludger Fiege, Siemens AG

ECAR

Seite 1 Jan 2014 projekt-race.de L. Fiege, Siemens AG

Three independent development

paths leading to the Smart eCar

Smart eCar

autonomous driving

© Photo: Nissan

New ergonomic concepts

through mechatronic integr.

ADAS horizontally

integrated with strategy

level

ADAS* vertically

integrated

Function development

Zero Accidents with

intervening decision

E-Motor

Brake

Damping

Steering

Electro mechanical integration

*Advanced Driver Assistant Systems

RACE platform development

Robust and reliable Automotive Computing Environment

for future eCars


Agenda

■ Motivation

■ RACE setup

■ System Overview

■ RACE Runtime Environment


Project RACE Robust and reliant Automotive Computing Environment for future eCars

■ Funded by BMWi

■ Project time: January 2012 – December 2014

http://www.projekt-race.de

■ Project based on study „Mehr Software (im) Wagen“

http://www.fortiss.org/ikt2030

gefördert durch:









To discover the full potential of electric vehicles

a new E/E architecture is mandatory

Symbolic pictures

Energy

Mgmt. Sys.

Transmission

ABS

Acc.

Pedal

Brake

Pedal

ImmobilizerImmobilizer

Radio

Combi

HVACHVAC

ESPESP Suspension

Steering

Wheel

Power

SteeringSuspension

Steering

Wheel

Power

Steering

WU WU

WU WU

Brake

WU WU

WU WU

Brake

DisplayDisplay

Access Doors/RoofAccess Doors/Roof

Hybrid

Controller

DC / DC

Hybrid

Controller

DC / DC

Tire guardTire guard

ACCACC

Lane KeepingLane Keeping

AutoParkAutoPark

NavigationNavigation

MP3 / Phone

iPad

MP3 / Phone

iPad

Passive safety

Get rid of position oriented partitioning

Well defined information flow

Hierarchical decision making

Information Presentation

(ergonomy)

Information Presentation

(ergonomy)

Lane Detection

sensor

Distance

sensorUS sensors

E-horizon

data base

Situation Recognition

(sensor fusion)

Lane Detection

sensor

Distance

sensorUS sensors

E-horizon

data base

Situation Recognition

(sensor fusion)

Strategy Generation

Pedal

Pedal

Steering

Wheel

Driver´s Decisions

Pedal

Pedal

Steering

Wheel

Driver´s Decisions

Cinematic Execution Level

BMS with cells

DC / DC

AC / DC Inverter

with E-Motor

(1-,2- or 4-times)

Brake

Actuator

Power Steering

Actuator

Suspension

Actuator

Gear Box

Smart actuators

Smart sensors

Less controller

Likely less copper

Less different connector


RACE Platform Idea

Main Project objectives:

• Aim 1: Reduction of complexity of ICT-Architecture by

homogeneous and open basis platform

• Aim 2: Support if new complex functional vehicle features

• Aim 3: Plug & Play capability of ICT-Architecture

• Aim 4: Ability to certify the ICT-Architecture

• Aim 5: Show an migration path to the new architecture

Main Principles: • Centralized ICT-Architecture

• Central-Platform-Computer, mixed critical features

• Data-centric approach: All data about Sensors and

Actuators is accessible everywhere

• Communication

• Switched Ethernet

• Publish/Subscribe communication pattern

• Fail-Operational vehicle features

HM

I


Agenda

■ Motivation

■ RACE setup

■ System Overview


■ Safety Aspects

■ Outlook


Ethernet-based redundant communication

as data backbone

En

terta

inm

en

t

Gateway

Sensor /

Actuator

connector

Sensor /

Actuator

connector

Sensor /

Actuator

connector

Electric

braking

Electric

steering

Energy

source

Drivetrain

Sensor /

Actuator

connector

Vehicle

Control

Computer 2

Vehicle

Control

Computer 1


Realization of the Multipath Network

Parallel redundant bus:

Shared medium on each bus

Two physically independent busses

- High cabling effort

- „Slightly of specification“ failures possible

Switched Ethernet alternative 1:

redundant star architecture (AFDX)

- High cabling effort

+ Physically independent disjoint paths

Switched Ethernet alternative 2:

ring topology (industry automation)

+ Disjoint paths

+ Low cabling effort

- Physical independence of paths is lost additional effort


Ringtopologie

Vorteile:

■ unabhängige Pfade

(Ringrichtungen links und rechts)

■ keine gemeinsamen Geräte

■ unabhängige Punkt zu Punkt

Verbindungen (Switched Ethernet)

■ Trennung auf logischer Ebene

■ Mixed Criticality möglich

■ vermeidet doppelte Verkabelung

■ ermöglicht Vermaschung

Nachteile

■ Ringschluss

■ Energieversorgung muss explizit

berücksichtigt werden

■ „Babbling Idiot“ Szenario komplizierter

■ Exotische Ethernetvariante

■ Jeweils ein kurzer und ein langer Weg

A

B


Fail-tolerant architecture: N-Duplex

core idea:

– pair of compute nodes monitor each other

– sensors and actuators don‘t need system know-how

& are independent of scalability of platform core

N-Duplex Platform:

– duplex unit

guarantee integrity

– duo duplex

fail-operational availability

– N-duplex

scalability w.r.t. availability, mission time, performance

Sender

Compute node

CPU

lane a

CPU

lane b

voting voting

Eth-Sw Eth-Sw

Receiver

Compute node

lane b voting voting

CPU

lane a

CPU

lane b

Eth-Sw Eth-Sw

Compute node:

CPU, RAM plus communication-HW


DCC 2


CPU

lane a

CPU

lane b

Consistent Communication in the Platform

coding a / coding b

cwd/acwd direction

DCC 1

CPU

lane a

CPU

lane b

Ethernet

Switch

DCC 3


CPU

lane a

CPU

lane b

monitoring monitoring

…

Sn

ap

sho

t!

Ethernet

Switch

Ethernet

Switch


Agenda

■ Motivation

■ RACE setup

■ System Overview


■ Safety Aspects

■ Outlook


Basic information flow

Data capture

Data

Fusion Arbitration

Function

Output

Function Function

Function

processing

Sensor raw data Vehicle Data Model Actuator Data

Analyze Act Perceive Analyze Act

de

taili

ng

Imp

lem

enta

tion

co

nce

pt


Simplex application development

CPU

lane a

CPU

lane b

Eth-Sw Eth-Sw

App App

applications

• developed for single channel deployment

• without dealing with redundancy

OS / MW function

• compare IO

• detect failures,

• identify fault containment region unanimously

in distributed system

platform failures

• detected (masked) in platform

• offers “correct” RTE

duplex control computer


RTE: Data flow

physical sensing. +

processing Actuator control App

DCC Sensor Actuator

RACE Ethernet

Signal

data flow

RTE

data flow

IO

Management

Data

Monitoring

Fusion

IO

Management

Data

Demux

Arbitrierung

IO

Management IO

Management

Data

Monitoring


Data-oriented communication

physical sensing. +

processing Actuator control App

DCC Sensor Actuator

RACE Ethernet

IO

Management

Data

Monitoring

Fusion

IO

Management

Data

Demux

Arbitrierung

IO

Management

Data

Monitoring DB Testserver

Security

Check / Audit

Signal

data flow

RTE

data flow


cyclic execution

10ms cyclic read / write

10ms cyclic execution

local control loop local control loop

long-running, event-triggered

not considered here


Partitioning in RACE

Hardware

PikeOS (Separation Kernel)

RTE

Adaptor RTE

Adaptor

RTE

Adaptor

RTE DB

Applications … Applications

I/O Mgmt.

Bootloader PSP

PSSW CAN Ethernet File I/O …

Partition Services

(Muxa,

Montitoring, …)

Error handling

separate applications from each other and RTE


Time Partitioning

using PikeOS scheduling (ARINC 653 + priority based)

RTE

Adaptor RTE

Adaptor

RTE

Adaptor

RTE DB

… A5

I/O Mgmt.

RTE Scheduler

PAF

Local Scheduler

A1 A3

A2

Time Partition1 TP N TP2 TP4 TP3 TP3

best effort background tasks

long running background tasks are always active

high priority fault handling tasks


inter partition communication (RTE – App)

RTE

Adaptor

RTE

DB

Anwendungen

I/O Mgmt.

Partition Services

(Muxa,

Montitoring, …)

Error handlng

shared mem

separated shared mem segment for each partition facilitates:

access control, auditability


Agenda

■ Motivation

■ RACE setup

■ System Overview


■ Safety Aspects

■ Outlook


Application of the ISO within RACE

hazard & risk (H&R) assessment

ASIL ≥ A

Acc. To TÜV SGS -

documents

measures to avoid systematic faults measures to manage systematic and

probabilitsic faults

safety-management and supporting

processes

technical measures

(functionality, system, subsystem, hw,

sw)

no

yes

development acc.

to standard-

process

Severity

Probability

additional risk-reduction measures have to be applied


Application of the ISO within RACE

hazard & risk (H&R) assessment

ASIL ≥ A

Acc. To TÜV SGS -

documents

measures to avoid systematic faults measures to manage systematic and

probabilistic faults

safety-management and supporting

processes

technical measures

(functionality, system, subsystem, hw,

sw)

n

o

ye

s

development acc.

to standard-

process

Severity

Probability

additional risk-reduction measures have to be applied Adressed in RACE


Failure ooC Scenario E C S ASIL Safe state Fault-tolerance

time (loss / invalid)

Uncontrolled

command-output

(incl. no output)

Highway E4 C3 S3 D None 50ms / 10ms

Secondary

road

D None 50ms / 10ms

Country

road

D None 50ms / 10ms

Assumed requirements

on central platform:

Req.: Execute any driver

assistance functionality up

to automated driving

Example

Relation to SEooC (ISO 26262-10, Figure 17)

Assumed requirements

Assumptions on design external

to SEooC

SEooC requirements

SEooC design

New ICT as safety-element out of context (SEooC)

RunTime Environment to manage

execution of vehicle functions

Central Platform Computer

communication network


Agenda

■ Motivation

■ RACE setup

■ System Overview


■ Safety Aspects

■ Outlook


The vision of the future ICT system platform

The future ICT system platform facilitates fully automated driving and dynamic

extensibility in field.

The concept is based on an enlarged modularisation *) concept that leads to less end-

to-end interface complexity.

AutoSAR

Generic safety

up to

fail-operational

Plug & Play + +

= future ICT system platform

RACE project

Vehicle

Control-

computers +

*) to further reduce the dependancy from automotive functions to HW, topology, communication links but

also to SW-functionality ensuring non-functional qualities.


the road ahead

not mentioned, but part of the project

■ network protocols and Ethernet AVB Gen2 prototype

■ ECU board design and low-level drivers

■ test framework

■ automotive functions …

R&D topics not addressed currently

■ sensor fusion (how to boil data down)

■ scale IO and processing bandwith

■ car2X

■ BYOD

■ …

Join and make it happen!


Questions?

Ludger Fiege

[email protected]

tum, jan 2014 race ecar · tum, jan 2014 race dr. ludger fiege, siemens ag ... get rid of position...

Documents