Professional Documents
Culture Documents
ESDA2006-95660
ESDA 2006-95660
ABSTRACT complete brake by wire system and a real time platform running
The main goal of brake by wire technology is the development the same vehicle model used during previous phase. Finally,
of compact, cheap and flexible braking systems. Since neither vehicle testing phases complete the evaluation in the real
brake fluid nor hydraulic lines are used, brake by wire electro- environment and allows the system control development and
mechanical actuation is a favourable solution both for tuning toward performances and subjective aspects. In each
production process and environmental aspect, and offer a phase the system is tested both in normal and faulty conditions;
precise control of braking torque amplitude. One of the most a fault injection campaign was carried on to verify system
critical aspect is the lack of traditional link between brake pedal response to fault with respect to the expected one. The process
and brakes (calliper); this mean a potential safety problem to be is cyclical, and a new loop has to be activated for each changes
correctly managed through the system architecture, in the system. At the same time, testing complexity increases in
redundancies, diagnosis and recoveries. During CRF brake by order to guarantee the system safety.
wire system development several architectures were deeply
analysed using PHA, FMEA, and FTA methodology to identify
the best configuration for production intent. The selected one is INTRODUCTION
a fault-tolerant architecture based on a time-triggered Recently, ten years after aeronautical and industrial
communication network connecting fail-silent nodes. From applications, in automotive research centre a lot of resources are
safety analysis were defined critical events and system devoted to the exploration of X-by wire technology based on
diagnosis and recovery requirements specifications. This paper electromechanical actuation. The goal of these studies is the
describes the steps followed in the brake by wire software development of compact, cheap and flexible systems with high
development, and its validation with respect to safety needs. For integration potentiality.
this purpose a three levels design and validation process was Actually, in modern car, we can already found expression of
exploited. First of all, it was defined the complete simulation both electromechanical and by-wire technologies. For example
template including calliper electro-mechanical actuators and in mass production vehicles by FIAT, Toyota, BMW, Honda,
theirs ECU, time-triggered communication network and vehicle Peugeot, Opel, etc, the EPS (Electric Power Steering), is taking
control ECU. The brake by wire system was interfaced to a the place of the conventional hydraulic power steering systems
complete vehicle dynamics model specifically developed for with advantages in costs, fuel consumption and with enhanced
control design and validation purpose. Within this environment capabilities of integration with other system like the brake
the control software was developed and the strategies were stability control (ESP).
verified applying Software In the Loop technique. Then the By-wire technology is also used in production car. In several
ECU software was automatically generated using a customised vehicle the gas pedal is linked to the engine control ECU by
tool chain based on Real Time Workshop Embedded Coder. electrical connections decoupling the driver request from actual
Than, Hardware In the Loop testing was adopted to deeply engine generated torque. This degree of freedom is used to
verified high level software (application), low level software
(OS, API, drivers,…) and hardware. HIL bench include the
Critical
The concept of safety is connected to the notion of risk. Risk is component faults Process definition
Recovery design
To solve these problems standard methodologies, such PHA System Analysis in System Control
(Preliminary Hazard Analysis) FMEA (Failure Mode and Faulty Condition
Fault Management
System Recovery Design
The Brake-by-Wire system developed in CRF is based on Safety analysis sets guidelines for the SW control development
electromechanical technologies: structured in the following subsystems:
• Electromechanical Braking Corner: • Brake Control Task:
- No more oil; - Vehicle Dynamics Control task (Normal condition)
- Easy to assembly; • Base brake;
- Fine torque control. • Electrical Parking Brake;
• X-By-wire architecture: • Electronic Brake Distribution;
- Decoupling driver request from torque • . . . . .;
actuation; - Braking Function (Faulty Condition);
- Integration with the other vehicle dynamics • Recovery Action;
control. • Transient Management;
• Diagnosis Task:
A Brake-by-Wire system, because of the lack of the hydraulic - Software algorithm for Fault Detection Identification
and mechanical links between brake pedal and callipers, needs and Recovery;
more safety requirements than a traditional electro-hydraulic - Finite State Machine for the system State
braking system. Management;
Therefore developing the control of a Brake-by-Wire system
needs a structured methodology to guarantee safety This paper describes the methodology used to develop and
requirement. The safety design must be integrated with the validate the control software with respect to safety (Diagnosis
control design in an iterative process where the output is the and Recovery) requirement by checking step by step the control
tested and certificated control SW. software and system functionality.
The first step consists in checking the Control Software in a
Starting from safety analysis, performed with the above virtual environment on simulation platform. Then the complete
mentioned standard methodologies, diagnosis and recovery brake-by-wire system with the actual hardware is tested on a
requirement are defined. bench. Finally the system and its integration with other system
The most critical events for a braking systems, derived from is tested on the prototype. With this procedure only tested and
PHA (Preliminary Hazard Analysis), are:
RHF RHR
EMB2_RHF EMB4_RHR
Power A
Power BUS
TTP-BUS
CANService-BUS
Power B
BCU1_LHF BCU3_LHR
EMB1_LHF BRK1
WSpeed
BRK3 EMB3_LHRWSpeed
LHF LHF LHR LHR
certified software is used on the vehicle, saving time and • System Diagnostic:
money. Driver and vehicle safety is improved as well. - Fault Detection;
- Fault Identification and isolation;
ARCHITECTURE - Recovery management.
The Brake-by-Wire architecture include the following parts
(Figure 2): The local layer implements the following functions:
• Four electro-mechanical actuators: each actuator is • Brake Control
composed by an electro-mechanical calliper with its - The purpose of this function is to control the
own sensors, wheel speed sensor and the ECU, for the braking of each single wheel, according to the
local corner management; brake torque set points aligned with the vehicle
• ECU for the Vehicle Dynamic Control and integration control system. The function is responsible to
with the other vehicle systems; provide proper braking force.
• HMI (Human Machine Interface), where are installed • Parking Brake drive:
brake command sensors; - The purpose of this function is to activate /
• Time Triggered Communication Net; deactivate the parking brake.
• Redundant power supply • System Diagnosis:
- The purpose of this function is to continuously
The Brake-by-Wire system is subdivided into two functional perform the diagnostics of the system, its
layer: components and its interfaces. There are a number
• Vehicle Layer, which includes the Vehicle Control of sub-functions performed:
functions; - Fault detection
• Local Layer, which includes the EMBs functions. - Fault information storage and management
- Information to the Vehicle Control Layer
A distributed software architecture allows a deep integration • System self-test.
between Local Layer and Vehicle Layer and guarantees a safe
braking action though a functional redundancy. SAFETY REQUIREMETS
As more and more automotive systems can no longer relay on
The vehicle layer implements the following functions: mechanical backup, they have to provide deterministic
• Vehicle Dynamic Control: behaviour even in the presence of faults. While today approach
- Vehicle State Estimations; toward fail-safe operation is based on each system unit (ECU)
- Brake Management; redundancies, Brake-by-Wire uses the inherent distributed
- Electrical Parking Brake Strategies; redundancy of the brake system in order to provide fail-
- Control Strategies in recovery states; safe/fault tolerant operation.
Modelling
Identification Revision
Phase Safety assessment
(eg. Fault injection)
Recovery Design
Code Generation
Using this distributed redundancy opportunity it is possible to BRK3_LHR Brake Component for X
obtain a Fail Safe System dealing with fail operational mode Wheel "Left Hand Rear":.
BRK4_RHR Brake Component for X
and an appropriate system architecture. Wheel "Right Hand
Rear":.
Brake-by-wire systems belong to the category of the Safety VCS_A Vehicle Control System A. X
Critical System (SCS). These systems must guarantee their
functionality when a fault occurs. The SCS components have HMI (1) Human Machine Interface X
(1): Sensors Blocks
been divided into two classes of “fault robustness”:
Test on
SIL HIL
Track Test on Track
Test on Tarck
HW - Long Execution Test
Enviroment Simulated - + Real ++
Real - Prototype Validation
- High Cost
Data Analysis
Test Flexibility High + High + Low -
Data
Low - Good + High ++ Figure 4: SIL, HIL, Test on Track iteration phases
Reliability
Timings and
Low ++ Low + High -
costs
Test
SIL
High ++ High + Low -
Repeatability Software in the Loop validation method needs a platform to
Scene Low High
simulation
No limits ++
limits
+
Limits
- simulate manoeuvres and fault injections.
Operator This platform is made by:
High ++ High + Low -
Safety • Vehicle Model;
• Brake-by-Wire System Model;
The choice of a validation method depends on the validations • Fault Injection Generator Box Model;
process goals. Figure 4 shows the iterative steps used in the Vehicle model used in our Simulation in the Loop is a
validation processes. functional modular model for control design purpose.
Software in the Loop Simulation: it’s the first and the more
frequently used method since does not need the actual
Hardware. It’s useful in the preliminary phase when hardware
and architecture is not yet defined. Through this analysis is
possible to explore different architectures and hardware
solutions and debug control software on a PC platform.
OUTPUT
DIAGNOSIS
can be stored, recalled, and combined with other events so that - Interface devices from Hardware in the Loop to
a whole suite of tests can be run using the automated testing Real time software (i.e. Brake Force Sensor);
features of the HIL. At the end of these phase the engineers - Interface devices from Real-Time Software to
have grown a deep knowledge on brake by wire system and they Hardware in the Loop (i.e. Wheel Speed Sensor
can precisely plan the final track tests Emulator);
While the tests are running, interactive signal analysis as well as - Brake Request Emulation.
real-time vehicle animation are available to monitor and • Data computation and visualization:
evaluate the experiment. - Experiment panel built with dSpace Control Desk
- Matlab
The HIL method has allowed to validate control software on
brake-by-wire hardware. In this way all the brake-by-wire
system are tested in an environment similar to real one The HIL Benchmark phase
test bench designed for the brake-by-wire control software
validation is composed by: One of the goal of the Brake-by-Wire project is to develop a
Brake System at least having the same features and the same
• complete Brake-by-wire system with all the
performances of the traditional Electro-Hydraulic Brake
components, power system and communication
System.
net;
In order to objectively classify its characteristics a braking
• Real-Time simulation model, the key enabler for
system has to be probe in a large panel of tests. Furthermore, if
the HIL virtual vehicle simulation is the real-time
is needed a comparison with other similar system a strong
simulation hardware.
repeatability is mandatory. For these tasks HIL is most suitable
The CRF Brake-by-Wire HIL bench test utilises as
approach. Using the same virtual vehicle and the same group of
real time processor a dSpace Micro Autobox
manoeuvres it was possible to compare Brake-by-Wire system
fulfilling the following tasks:
with the traditional one. To do that a HIL bench with the
- Vehicle Model calculation;
standard electro-hydraulic brake control hardware has been
- Vehicle CAN network emulation;
built (Figure 8).
- I/O analog and digital management;
- sensors emulation;
• Bench tools:
FMEA defines:
Figure 9: Braking on µ-jump friction - methods for injecting faults;
The Figure 10 shows how EBD works during a braking - diagnosis subset that must be activated by the fault
maneuver when ABS is in fault (Wheel Speed LHF Sensor - item identification (if possible)
switched off). - recovery to be taken (timings and system state
The Figure 11 shows how EBD works during a braking evolution towards safe state have to be defined as
maneuver with a double fault of the two rear Wheel Speed well)
sensors (Wheel Speed LHR and RHR Sensors are switched off).
Although EBD is ON (is possible to see an initial modulation In order to speed up data post processing, software tools have
on the rear axle), electro-hydraulic modulator can’t avoid the been developed which automatically acquire data, comparing
blockage of the rear axle. actual state with FMEA expected results
These examples shows how is easy to simulate a lot of scenarios
to check system functionalities using HIL method. Fault injection approach was used both in SIL and HIL phases.
SENSORS SIGNALS
SENSORS
STATUS
BRAKE SENSORS
FAULT INJECTION VALIDATION BLOCK
BOX
FAULT
PARAMETERS
Figure 12: SIL - Fault Injection Box Figure 13: Rear Right EMB behaviour
During HIL development phase, a step ahead is performed: Vehicle behaviour is analyzed during the transition from normal
verified software from previous phase is coupled to the status to recovery status.
hardware which mainly consists in ECUs, sensors and
actuators, in order to test the correct system behaviour on a real
bench which is just one step below the final vehicle set-up.
Here, fault injection is focuses onto the hardware: electrical
faults (open circuits, short circuits to ground and power supply,
…) are injected into the system and the hardware behaviour,
together with software fault detection capability is considered
(verified).
REFERENCES
1. A.T. van Zanten, et al : “Simulation for the
Development of the Bosch-VDC”, SAE Paper
No.960486;
2. A.T. van Zanten : “Bosch ESP Systems: 5 Years of
Experience”, SAE Paper No.2000-01-1633;
3. K. Ahlström, J. Torin, P. Johannessen, “Design
Method for Conceptual Design of By-Wire Control:
Two Case Studies”, Proceedings of the Seventh IEEE
International Conference on Engineering of Complex
Computer Systems, Skövde, 2001, pp.133-143.
4. H. Kopetz, M. Braun, C. Ebner, A. Kruger, D. Millinger,
R. Nossal, and A. Schedl, “The design of large real-
time systems: the time-triggered approach”,
Proceedings of 16th IEEE Real-Time Systems
Symposium, 1995, pp 182 -187.