GB2599707A - Safety checker system generator tool

Info
Publication number: GB2599707A
Authority: GB (United Kingdom)
Prior art keywords: safety checker, safety, tool, checker, configuration data
Legal status: Pending
Application number: GB2016061.0A
Other versions: GB202016061D0 (en)
Inventors: Faugiana Daniele, David Hill Russell
Current assignee: Jaguar Land Rover Ltd
Original assignee: Jaguar Land Rover Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/30 Creation or generation of source code
    • G06F8/36 Software reuse
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/3089 Monitoring arrangements determined by the means or processing involved in sensing the monitored data, e.g. interfaces, connectors, sensors, probes, agents
    • G06F11/3093 Configuration details thereof, e.g. installation, enabling, spatial arrangement of the probes

Abstract

Aspects of the present invention relate to a tool (14) for generating a safety checker system for monitoring an application on a vehicle or a vehicle sensor. The safety checker system comprises at least one safety checker module. The tool is configured to receive configuration data (11) relating to the at least one safety checker module and to select a template safety checker system comprising the at least one safety checker module in dependence on the received configuration data. Furthermore, the tool is configured to configure operational parameters of the at least one safety checker module in dependence on the received configuration data and to generate a skeleton code (36) which, when executed, generates the safety checker system for deployment on the vehicle.

Description

SAFETY CHECKER SYSTEM GENERATOR TOOL
TECHNICAL FIELD
The present disclosure relates to a safety checker system generator tool. Aspects of the invention relate to a tool for generating a safety checker system, to a method of generating a safety checker system, to a safety checker system and to a vehicle comprising a safety checker system.
BACKGROUND
It is known to provide safety checker systems within vehicles to monitor the integrity and reliability of applications, components or processes on the vehicle. Safety checker systems may be deployed on a vehicle control system to ensure it is operating correctly and to alert the control system to any errors in the operation of any components, applications or processes within the vehicle control system. If an error is detected within the vehicle control system then the vehicle control system may take action to transition the vehicle to a safe state or to inhibit the process on the vehicle in which the error was detected.
In general, safety checker systems on vehicles are modular and built using three main types of checkers, namely: timing checkers, redundancy checkers and plausibility checkers. Timing checkers, also known as watchdog modules, are used to monitor applications subscribed to the safety checker system to protect against timeout failures in the subscribed applications. The redundancy checker is a redundant processor or satellite processor, often arranged in parallel with the main vehicle processor, with sufficient computational power to execute the same algorithm as the main processor in the vehicle control system. The results of the main processor and redundant processor may be compared and action may be taken by the vehicle control system if the results are not comparable. Finally, the plausibility checker may be a subsystem with limited computational power that executes a simple expression on the result from the main processor to verify the plausibility of the results of the algorithm. For example, the plausibility checker may compare the result from the main processor with an expected range of results.
Safety checker systems are often designed and built bespoke for each application that is required to be monitored in the vehicle control system. However, modern vehicles often have multiple applications, processes or components that are required to be monitored by a safety checker system to ensure they are operating reliably.
Furthermore, the applications that are required to be monitored may be distributed across a complex network in the vehicle which may comprise multiple control systems and as such designing a reliable safety checker system to monitor each application across the network is complex.
It is an aim of the present invention to address one or more of the disadvantages associated with the prior art.
SUMMARY OF THE INVENTION
Aspects and embodiments of the invention provide a tool for generating a safety checker system, a method of generating a safety checker system, a safety checker system generated using the tool or in accordance with the method, and a vehicle comprising the safety checker system, as claimed in the appended claims.
According to an aspect of the present invention there is provided a tool for generating a safety checker system for monitoring an application on a vehicle or a vehicle sensor, the safety checker system comprising at least one safety checker module, the tool being configured to: receive configuration data relating to the at least one safety checker module; select a template safety checker system comprising the at least one safety checker module in dependence on the received configuration data; configure operational parameters of the at least one safety checker module in dependence on the received configuration data; and generate a skeleton code which when executed generates the safety checker system for deployment on the vehicle.
Beneficially, the tool automatically generates a skeleton code which when executed generates a safety checker system for deployment on the vehicle. The user of the tool may specify operational parameters of the safety checker system in the configuration data which the tool may use to automatically generate the safety checker system. As such, a user of the tool may quickly generate a safety checker system for a vehicle without the requirement to manually create the code for the safety checker system. Furthermore, the template safety checker systems stored in the library may be tested prior to being added to the library to ensure that they meet the required standards and that there are no errors in the template safety checker systems. This beneficially improves the quality and reliability of the safety checker systems deployed on the vehicle.
In an embodiment the tool may be configured to select the template safety checker system from a library of template safety checker systems in dependence on the received configuration data. The library of template safety checker systems may comprise different safety checker systems each having differing numbers and combinations of safety checker modules. For example, one template safety checker system may contain only watchdog modules and another template safety checker system may comprise a combination of watchdog modules and redundancy checkers. Beneficially, the user of the tool may specify the type and number of safety checker modules in the configuration data and the tool may select a suitable template checker system from the library in dependence on the received configuration data.
In another embodiment the tool may be configured to generate a test suite for testing the generated skeleton code. The tool may test the generated skeleton code before it is integrated in a compiler. This is beneficial as it allows a user of the tool to check that the safety checker system is functioning as expected and the performance or operational parameters of the safety checker modules within the safety checker system may be modified in the test suite before the skeleton code is compiled. In one embodiment, the generation of the skeleton code may be static, and the test suite may be configured to perform a static code analysis on the generated skeleton code.
In an embodiment the configuration data may comprise operational parameters of the at least one safety checker module. The operational parameters of the safety checker module are parameters that specify how the safety checker module should function.
For example, in the case of a watchdog module the operational parameters may include one or more of: a timeout value for applications or components subscribed to the watchdog module, the applications or components that should subscribe to the watchdog module, and the actions that should be taken if a timeout error is detected.
In the case of a plausibility checker module the operational parameters may include one or more of: a type of comparison between incoming data values and reference values, reference values to be used as boundaries, thresholds or limits in the comparison, the applications or components that should subscribe to the plausibility checker and actions to be taken if an error is detected by the plausibility checker.
In the case of a redundancy checker the operational parameters may include one or more of: the type of comparison to be made between incoming values and reference values, the applications or components that should subscribe to the redundancy checker, the timestamp information implementation and the actions to be taken if an error is detected by the redundancy checker.
In an embodiment the configuration data may comprise at least one configuration file, a database or a section of a database comprising operational parameters corresponding to the at least one safety checker system. The configuration data may be modular with a configuration file relating to each type of safety checker module required in the safety checker system. The modular arrangement of the operational parameters beneficially corresponds to the modularity of the safety checker modules in the safety checker system. This beneficially allows the user to activate or deactivate types of safety checker module in the generated safety checker system. In the case where there are more than one of the same type of safety checker module the configuration data may comprise sub-modules or sub-files corresponding to each safety checker module required in the safety checker system thereby allowing the user of the tool to configure each safety checker in the system independently.
The skilled reader will understand that the configuration data may be in the form of a database or a data file comprising operational parameters relating to the at least one safety checker module. The configuration data may comprise data files or a section of a database each corresponding to a safety checker module within the safety checker system. A front-end interface may be provided to the tool to allow a user to populate configuration data using a human readable language. The front-end interface may allow a user of the tool to activate or deactivate safety checker modules within the configuration data. Furthermore, the front-end interface may allow a user of the tool to specify the number and type of safety checker modules required within the system.
In another embodiment the configuration data may specify the type and/or number of safety checker modules required in the safety checker system. This is beneficial as the user of the tool may specify the type and number of each safety checker module required in the system and the tool may select a template software checker system from the library based on the received configuration data. The tool may activate or deactivate safety checker modules in the selected template safety checker system in dependence on the received configuration data. Furthermore, the tool may configure the safety checker modules contained within the template safety checker system in dependence on the received configuration data.
In one embodiment the skeleton code comprises a generic interface for receiving a software adaptor. The generic interface may be a standard application programming interface (API) or adaptor which applications or components subscribed to safety checker modules within the safety checker system may call. The configuration data may comprise data indicative of the software adaptor to be used with the skeleton code in the compiler. The generic interface beneficially allows the generated code to be used with a variety of application programming interfaces (APIs) when fitted with the appropriate software adaptor. The software adaptors may be standard adaptors that allow the generated skeleton code to interact with a variety of different operating systems such as Linux or AUTOSAR.
In an embodiment the at least one safety checker module may be one of: a watchdog module (also known as a timing checker), a redundancy checker and a plausibility checker. The safety checker system may comprise any number or combination of each type of safety checker module depending on the requirements of the safety checker system.
According to a further aspect of the present invention there is provided a method of generating a safety checker system for monitoring an application on a vehicle, the safety checker system comprising at least one safety checker module, the method comprising: receiving configuration data relating to the at least one safety checker module; selecting a template safety checker system comprising the at least one safety checker module in dependence on the received configuration data; configuring operational parameters of the at least one safety checker module in dependence on the received configuration data; and generating a skeleton code which when executed generates the safety checker system for deployment on the vehicle.
In an embodiment the method may be preceded by configuring operational parameters in the configuration data. The operational parameters may be stored in at least one configuration file within the configuration data corresponding to the at least one safety checker system. In another embodiment configuring the at least one configuration file may comprise specifying operational parameters relating to the at least one safety checker module.
In another embodiment configuring the at least one configuration file comprises specifying a number and/or type of safety checker modules required in the safety checker system.
In an embodiment the method may comprise generating a test suite for testing the generated skeleton code. The method may comprise testing the generated skeleton code. In one embodiment the method may comprise modifying operational parameters of the at least one safety checker module based on the testing of the skeleton code in the test suite. The method may comprise subsequently testing the code after modifying the operational parameters.
In one embodiment the method may comprise inputting the skeleton code into a compiler and inputting data indicative of a software adaptor to the compiler to generate a binary file from the skeleton code. In an embodiment the configuration data may comprise the data indicative of the software adaptor. The generated skeleton code may comprise a generic interface for receiving the software adaptor and the method may comprise filling the generic interface with the software adaptor.
According to a further aspect of the present invention there is provided a safety checker system generated using the tool or method in any one of the aforementioned aspects or embodiments of the present invention.
According to a yet further aspect of the present invention there is provided a vehicle comprising the safety checker system generated using the tool or method in any one of the aforementioned aspects or embodiments of the present invention.
Within the scope of this application it is expressly intended that the various aspects, embodiments, examples and alternatives set out in the preceding paragraphs, in the claims and/or in the following description and drawings, and in particular the individual features thereof, may be taken independently or in any combination. That is, all embodiments and/or features of any embodiment can be combined in any way and/or combination, unless such features are incompatible. The applicant reserves the right to change any originally filed claim or file any new claim accordingly, including the right to amend any originally filed claim to depend from and/or incorporate any feature of any other claim although not originally claimed in that manner.
BRIEF DESCRIPTION OF THE DRAWINGS
One or more embodiments of the invention will now be described, by way of example only, with reference to the accompanying drawings, in which:
Figure 1 shows a vehicle comprising a sensor, an actuator and a vehicle control system connected to a safety checker build tool according to an embodiment of the invention;
Figure 2 shows a schematic block diagram of the vehicle control system, sensor and actuator of Figure 1;
Figure 3 shows a schematic block diagram of the safety checker build tool of Figure 1;
Figure 4 shows a flow chart outlining a workflow of steps for testing and building a safety checker system; and
Figure 5 shows a flow chart outlining a method of building a safety checker system.
DETAILED DESCRIPTION
In general terms embodiments of the invention relate to a tool (a safety checker build tool) for generating a safety checker system for monitoring, for example, an application, component or process on a vehicle. The safety checker system generated by the tool is configured to monitor the operation of the application to ensure it is operating correctly and reliably as well as to detect errors in the vehicle control system. The safety checker system typically comprises at least one safety checker module for monitoring the performance of the application. If the safety checker system detects an error or abnormality in the operation of the application the safety checker system may take action to inhibit the application.
The tool is configured to receive configuration data from a user of the tool. The configuration data input to the tool is indicative of at least one safety checker module of the safety checker system. Upon receipt of the configuration files or configuration data the tool is configured to select a template safety checker system, comprising the at least one safety checker module in dependence on the received configuration data, from a library of template safety checker systems. Upon selection of the template safety checker system the tool configures the operational parameters of the template code in dependence on the received configuration data. Once the template code is configured the tool generates a skeleton code or source file which when executed generates the safety checking system for deployment on the vehicle.
The tool beneficially allows an engineer to specify the operational parameters of one or more safety checker modules in configuration data and for the tool to generate a safety checker system that is suitable for monitoring or validating results output from a processor on a vehicle. The tool beneficially improves the reliability of the safety checker system by building the safety checker system from template code that meets the required standards. The tool may be configured to generate a test suite to test the generated safety checker system before the safety checker system is deployed on the vehicle. Furthermore, the tool allows the safety checker system to be built quickly and adapted easily for bespoke vehicle applications.
To place embodiments of the invention in a suitable context, reference will firstly be made to Figure 1 which shows a vehicle 10 comprising a vehicle control system 12 connected to a sensor 16 and an actuator 18. The sensor 16 may be, for example a RADAR, a LIDAR or the like and the actuator 18 may be a system on the vehicle 10 that is configured to respond to data gathered by the sensor 16, for example the vehicle's propulsion system, the braking system or the steering system. The vehicle control system 12 is connected to the sensor 16 and the actuator 18 such that data generated by the sensor 16 may be processed by the control system 12 and a suitable response may be output to the actuator 18.
As shown in Figure 1, the control system 12 is connected to a safety checker build tool 14, referred to simply as the "tool" herein. The tool 14 is configured to receive configuration data 11 from a user and to generate a safety checker system 15, in dependence on the received configuration data 11, for deployment on the vehicle control system 12. The tool 14 is connected to the control system 12 such that the safety checker system built by the tool 14 may be transmitted to and deployed on the vehicle control system 12. This is typically performed when the vehicle 10 is being manufactured. However, the tool 14 may be connected to the vehicle 10 after manufacture to update the safety checkers in the vehicle control system 12. The skilled reader will understand that the build tool 14 may be connected to the vehicle 10 wirelessly such that, for example, the safety checker system may be updated wirelessly as part of a software update.
The control system 12 further comprises a safety checker system 15 built by the tool 14.
The safety checker system 15 is deployed on the vehicle control system 12 to ensure the reliability and integrity of the vehicle control system 12. The safety checker system 15 is built by the tool 14 in dependence on configuration data 11 input to the tool 14. The tool 14 builds the safety checker system 15 such that it can be deployed on the control system 12. The skilled reader will appreciate that a vehicle control system 12 may comprise multiple safety checker systems 15 each being configured to monitor an application, component or process in the vehicle control system 12.
The safety checker system 15 is configured to ensure the reliability and integrity of the vehicle control system 12. As will be discussed in further detail below, the safety checker system 15 is a modular system and comprises one or more safety checker modules (not shown in Figure 1). The tool 14 configures the safety checker modules in dependence on the received configuration data and the tool 14 further deploys the safety checker modules on the control system 12.
Turning now to Figure 2, the vehicle control system 12 comprising a safety checker system generated by the tool 14 is shown schematically in further detail. The control system 12 comprises a processor 20 and two satellite processors 22, 24. The processor 20 is coupled to each satellite processor 22, 24 to form a lockstep system. The satellite processors 22, 24 are connected to the processor 20 to introduce redundancy into the control system 12. The processor 20 is coupled to the satellite processors 22, 24 such that the processor 20 may receive data from the sensor 16 and transmit the data to each satellite processor 22, 24 for processing in parallel. Each satellite processor 22, 24 processes the received sensor data before returning the processed data to the processor 20. The results output from the satellite processors 22, 24 and the main processor 20 may be compared to allow for the detection of errors in the system. The satellite processors 22, 24 forming the lockstep system are examples of a safety checker module, in particular, the satellite processors 22, 24 are redundancy checker modules.
In the example safety checker system shown in Figure 2 the safety checker system comprises three different types of safety checker modules. As mentioned above the safety checker system comprises two satellite processors 22, 24 which are examples of redundancy checker modules. Furthermore, the system comprises two watchdog modules 26, 28 and one plausibility checker 27. The watchdog modules 26, 28 and plausibility checker 27 are two further examples of types of safety checker modules that may be deployed on the vehicle control system 12 within a safety checker system.
In the example safety checker system deployed on the control system 12 of Figure 2, a first watchdog module 26 is positioned at the input 21 of the processor 20 and a further watchdog module 28 is positioned at the output 23 of the processor 20. The watchdog modules 26, 28 are examples of safety checker modules that are configured to detect timeout errors in the system 12. In the example shown the watchdog module 26 monitors the output of the sensor 16 to check that the sensor 16 is providing sensor data to the processor 20 as expected. If the sensor times out or stops transmitting data to the processor 26 the watchdog module 26 may flag a warning to the processor 20 and action may be taken by the vehicle control system 12, for example, to transition the vehicle 10 to a safe mode. Similarly, the watchdog module 28 is positioned at the output 23 of the processor 20. A feedback loop from the actuator 18 to the watchdog module 28 may allow the watchdog module 28 to monitor both the processor 20 and the actuator 18 for timeout errors.
The plausibility checker 27 is a type of safety checker module configured to check that the data output from the processor 20 or sensor 16 is within an expected or plausible range. As shown in Figure 2, the plausibility checker 27 of the safety checker system is positioned between the output 23 of the processor 20 and the actuator 18 such that the data output 23 from the processor may be compared to an expected value or range of values by the plausibility checker 27. In the example shown, the watchdog module 28 is positioned between the output 23 and the plausibility checker 27 such that timeout errors may be detected by the watchdog module 28 before the data is passed to the plausibility checker 27. If the data output from the processor 20 is outside the expected range the vehicle control system 12 may take action to transition the vehicle 10 to an alternative state or to inhibit certain functionality of the vehicle 10 associated with the processor 10.
The safety checker system shown in Figure 2 is a simplified example of a safety checker system generated by the tool 14 that has been deployed on a vehicle control system 12. The skilled reader will understand that the safety checker system may be distributed across a network within a vehicle 10 having multiple processors carrying out multiple safety critical applications that all require a checker system to monitor the reliability and integrity of the system.
The safety checker system deployed on the vehicle control system 12 in Figure 2 comprises three different types of safety checker module, namely: redundancy checkers 22, 24, watchdog modules 26, 28 and plausibility checker 27. However, the tool 14 is configured to generate safety checker systems that may comprise any combination or number and type of safety checker modules as specified by the user in the configuration data 11. For example, the safety checker system may only comprise watchdog modules 26, 28 or may comprise a combination of watchdog modules 26, 28 and plausibility checkers 27. The user of the tool 14 may specify the number and type of safety checker modules required when configuring the configuration data 11.
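As an added illustration (not code from the patent or from the applicant), the following Python models the Figure 2 arrangement in software: watchdog 26 at the processor input, watchdog 28 at its output, plausibility checker 27 on the output, and a lockstep comparison of the main result with two satellite results (22, 24). The brake-demand algorithm, the sensor frames and the injected faults are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class WatchdogModule:
    """Timing checker: a subscriber times out when it is silent longer than timeout_s."""
    name: str
    timeout_s: float
    last_seen: Optional[float] = None

    def feed(self, now: float) -> None:
        self.last_seen = now

    def check(self, now: float) -> Optional[str]:
        if self.last_seen is None or now - self.last_seen > self.timeout_s:
            return f"{self.name}: timeout"
        return None


@dataclass
class PlausibilityChecker:
    """Range comparison against reference limits, with an optional tolerance band."""
    name: str
    low: float
    high: float
    tolerance: float = 0.0

    def check(self, value: float) -> Optional[str]:
        if not (self.low - self.tolerance <= value <= self.high + self.tolerance):
            return f"{self.name}: {value} outside [{self.low}, {self.high}]"
        return None


@dataclass
class RedundancyChecker:
    """Lockstep comparison of the main result with each satellite result."""
    name: str
    tolerance: float   # 0.0 demands an exact match
    max_skew_s: float  # allowed timestamp difference between main and satellite

    def check(self, main: Tuple[float, float],
              satellites: List[Tuple[float, float]]) -> Optional[str]:
        main_ts, main_val = main
        for idx, (sat_ts, sat_val) in enumerate(satellites):
            if abs(sat_ts - main_ts) > self.max_skew_s:
                return f"{self.name}: satellite {idx} timestamp skew"
            if abs(sat_val - main_val) > self.tolerance:
                return f"{self.name}: satellite {idx} disagrees ({sat_val} vs {main_val})"
        return None


def brake_demand(distance_m: float) -> float:
    """Constructed stand-in for the algorithm on processor 20 (demand in percent)."""
    return (20.0 - distance_m) * 10.0


# Constructed sensor frames: (timestamp_s, distance_m or None for a dropped
# frame, drift added to satellite 24's result to inject a lockstep mismatch).
FRAMES = [
    (0.0, 20.0, 0.0),  # nominal, demand 0
    (0.1, 15.0, 0.0),  # nominal, demand 50
    (0.2, None, 0.0),  # one dropped frame, still inside the timeout
    (0.3, None, 0.0),  # second drop: watchdogs 26 and 28 both time out
    (0.4, 12.0, 0.5),  # sensor back; satellite 24 drifts by 0.5
    (0.5, -5.0, 0.0),  # impossible range gives demand 250, caught by plausibility 27
]


def run_pipeline(frames, timeout_s: float = 0.15) -> List[List[str]]:
    """Run the Figure 2 chain over the frames; returns the faults raised per frame."""
    wd_in = WatchdogModule("watchdog_26", timeout_s)
    wd_out = WatchdogModule("watchdog_28", timeout_s)
    plaus = PlausibilityChecker("plausibility_27", 0.0, 100.0)
    redun = RedundancyChecker("redundancy_22_24", tolerance=0.0, max_skew_s=0.01)
    report = []
    for ts, distance, drift in frames:
        faults = []
        if distance is not None:
            wd_in.feed(ts)  # sensor 16 delivered a frame at input 21
            main = (ts, brake_demand(distance))  # processor 20 result
            sats = [(ts, brake_demand(distance)), (ts, brake_demand(distance) + drift)]
            wd_out.feed(ts)  # output 23 produced
            for fault in (plaus.check(main[1]), redun.check(main, sats)):
                if fault:
                    faults.append(fault)
        for wd in (wd_in, wd_out):  # timing checks run every cycle
            fault = wd.check(ts)
            if fault:
                faults.append(fault)
        report.append(faults)
    return report
```

Note that a single dropped frame at 0.2 s raises nothing because the 150 ms timeout has not yet elapsed; the second drop trips both watchdogs, which is the behaviour the timeout parameter in the configuration data is meant to tune.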
Turning now to Figure 3 a schematic diagram of the tool 14 is shown in further detail. The tool 14 comprises a processor 34 connected to a memory module 32. The tool 14 is configured to receive configuration data 11 from a user of the tool 14 and to output skeleton code 36 generated by the tool 14 which when executed by the vehicle controller 12 generates the safety checking system.
The configuration data 11 is configured by a user of the tool 14 to specify operational parameters of the safety checker modules within the safety checker system. Configuring the configuration data 11 is static meaning the user of the tool 14 defines the operational parameters of the safety checker modules in the configuration data 11 before it is input to the tool 14 and the skeleton code 36 is generated.
The configuration data 11 shown in Figure 3 may be in the form of a database comprising operational parameters corresponding to the safety checker modules in the safety checker system, or the configuration data 11 may be a set of data files that may be read by the tool 14. For example, the configuration data may comprise three configuration files 31, 33, 35 corresponding to each type of safety checker module in the safety checker system, namely: the watchdog modules 26, 28, the plausibility checker 27 and the redundancy checkers or satellite processors 22, 24 respectively. The configuration data 11 is modular and the user of the tool 14 can activate one or more of the safety checker modules within the safety checking system by configuring or populating the operational parameters within each of the configuration files 31, 33, 35 in the configuration data 11. Alternatively, the user of the tool 14 may populate a database contained within the configuration data 11.
Each configuration file 31, 33, 35 in the configuration data 11 comprises operational parameters, defined by the user of the tool 14. The configuration data 11 is input to the processor 34 in the tool 14 and the processor 34 determines the requirements of the safety checker system in dependence on the received configuration data 11. Based on the safety checker system requirements the processor 34 selects a template safety checker system from the memory 32. The template safety checker system comprises safety checker modules. However, the operational parameters in the template safety checker system have not yet been specified. The processor 34 modifies the template safety checker system selected from the memory 32 to specify the operational parameters of each safety checker module based on the operational parameters specified in the configuration data 11.
The configuration file 31 comprises operational parameters relating to the watchdog modules 26, 28. When configuring the configuration file 31 the user of the tool 14 may specify operational parameters of the watchdog modules 26, 28 such as the frequency at which the watchdog module 26, 28 should check it is receiving data, a timeout value, the applications, sensors and processors within the control system 12 that should subscribe to the watchdog modules 26, 28, the number of watchdog modules 26, 28 required and the actions to be taken if a timeout is detected by the watchdog modules 26, 28. The user may vary the operational parameters within the configuration file 31 depending on the type of application the watchdog module 26, 28 is monitoring. For example, if the application is safety critical then the user may specify more stringent timeout values than for a less critical application.
Configuration file 33 comprises operational parameters relating to the plausibility checker 27. The operational parameters in the configuration file 33 may relate to the type of comparison that should be made between incoming values to the plausibility checker 27 and reference values. For example, the comparison may specify that incoming data values must match the reference values exactly, or may specify a tolerance within which the incoming values should lie. Furthermore, the operational parameters may comprise values to be used as boundaries, thresholds or limits in the comparison performed by the plausibility checker 27. The configuration file 33 may further comprise data specifying the applications and/or sensors that need to be plausibility checked. In Figure 2 the plausibility checker 27 has only one application subscribed to it. However, the skilled reader will understand that the plausibility checker 27 may perform plausibility checks on multiple applications throughout the control system 12 and vehicle 10.
Configuration file 35 comprises operational parameters indicative of the configuration of the redundancy checkers or satellite processors 22, 24 within the safety checker system. The operational parameters in the configuration file 35 may include the type of comparison to be made between data processed by the satellite processors 22, 24 and the processor 20, the number of satellite processors 22, 24 required in the system, the applications that should be subscribed to the satellite processors 22, 24 and how timestamp information is implemented.
All three configuration files 31, 33, 35 may further comprise data specifying the actions that should be taken by the control system 12 if any one of the safety checking modules detects an error in the system. For example, if a safety checker module detects an error in an application within the control system 12, the control system 12 may inhibit the application that is deemed to be malfunctioning, or the control system 12 may transition the vehicle 10 from its current operating state to a new state. For example, if the vehicle 10 is operating in an autonomous state and an error is detected, the vehicle 10 may notify the driver of the error and transition control of the vehicle 10 to the driver.
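As an added illustration (not code from the patent or from Jaguar Land Rover), the following Python sketch shows what a watchdog module and a plausibility checker driven by such configuration files might look like at run time, including the two error actions described above: inhibiting the application that failed its check, and leaving the autonomous state and notifying the driver. The configuration keys (timeout_s, subscribers, comparison, reference, tolerance, on_error), the ControlSystem stand-in and the sample heartbeat times and sensor values are all assumptions; the patent does not disclose a configuration file format.

```python
"""Config-driven watchdog and plausibility checker.

Added illustration only: not code from GB2599707A or from Jaguar Land Rover.
The configuration keys, the ControlSystem stand-in and all sample values
are assumptions; the patent does not disclose a configuration format.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed stand-ins for configuration files 31 (watchdog) and 33 (plausibility).
WATCHDOG_CONFIG = {
    "timeout_s": 0.1,                            # heartbeat must arrive within 100 ms
    "subscribers": ["lane_keep", "radar_fusion"],
    "on_error": "inhibit",                       # inhibit the application that went silent
}
PLAUSIBILITY_CONFIG = {
    "comparison": "tolerance",                   # "exact" or "tolerance"
    "reference": 50.0,
    "tolerance": 2.0,
    "on_error": "handover",                      # leave autonomous mode, notify the driver
}


@dataclass
class ControlSystem:
    """Minimal stand-in for the vehicle control system 12 (assumption)."""
    mode: str = "autonomous"
    inhibited: List[str] = field(default_factory=list)
    notifications: List[str] = field(default_factory=list)

    def act(self, action: str, app: str, detail: str) -> None:
        """Apply the error action a configuration file names for a failed check."""
        if action == "inhibit":
            self.inhibited.append(app)
        elif action == "handover":
            self.notifications.append(f"{app}: {detail}")
            self.mode = "manual"
        else:
            # Reject unknown actions rather than silently ignoring a failed check.
            raise ValueError(f"unknown error action {action!r}")


class Watchdog:
    """Flags any subscriber whose last heartbeat is older than the configured timeout."""

    def __init__(self, cfg: Dict, system: ControlSystem, start: float) -> None:
        self.timeout = float(cfg["timeout_s"])
        if self.timeout <= 0:
            raise ValueError("watchdog timeout must be positive")
        self.action = cfg["on_error"]
        self.system = system
        # Every subscriber counts as seen at start-up, so an app that never reports still times out.
        self.last_seen: Dict[str, float] = {app: start for app in cfg["subscribers"]}

    def heartbeat(self, app: str, now: float) -> None:
        if app not in self.last_seen:
            raise KeyError(f"{app!r} is not subscribed to this watchdog")
        self.last_seen[app] = now

    def check(self, now: float) -> List[str]:
        """Return the subscribers that timed out at `now`, applying the configured action."""
        expired = [app for app, seen in self.last_seen.items() if now - seen > self.timeout]
        for app in expired:
            self.system.act(self.action, app, f"no heartbeat within {self.timeout}s")
        return expired


class PlausibilityChecker:
    """Compares an incoming value with a reference, exactly or within a tolerance."""

    def __init__(self, cfg: Dict, system: ControlSystem, app: str) -> None:
        self.mode = cfg["comparison"]
        if self.mode not in ("exact", "tolerance"):
            raise ValueError(f"unknown comparison {self.mode!r}")
        self.reference = float(cfg["reference"])
        self.tolerance = float(cfg.get("tolerance", 0.0))
        if self.tolerance < 0:
            raise ValueError("tolerance must not be negative")
        self.action = cfg["on_error"]
        self.system = system
        self.app = app

    def plausible(self, value: float) -> bool:
        if self.mode == "exact":
            return value == self.reference
        return abs(value - self.reference) <= self.tolerance

    def check(self, value: float) -> bool:
        """Return True if `value` passes; otherwise apply the configured action and return False."""
        ok = self.plausible(value)
        if not ok:
            self.system.act(self.action, self.app,
                            f"{value} outside {self.reference} +/- {self.tolerance}")
        return ok
```

Note that both checkers validate their parameters in the constructor, so a mis-populated configuration file (a zero timeout, a negative tolerance, an unknown comparison or action) is rejected when the module is instantiated rather than discovered on the road.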
The processor 34 in the tool 14 is configured to receive the configuration data 11 and to select a template safety checker system from the memory 32. The memory 32 comprises a library of different template safety checker systems indicative of safety checker systems that may be deployed on the vehicle control system 12. The template safety checker systems stored in the memory 32 may be selected by the processor 34 in dependence on the received configuration data 11 and the processor 34 may configure the template safety checker system in dependence on the received configuration data 11. For example, the processor 34 may activate one or more safety checker modules within the template safety checker system and further may configure the operational parameters of the safety checker modules within the template safety checker system in dependence on the received configuration data 11.
Selecting a template safety checker system from a library and configuring it in dependence on a user's requirements improves the efficiency of generating a safety checker system for a vehicle. Furthermore, the template safety checker systems stored in the library may be tested and validated prior to being stored in the library such that the generated safety checker systems are generated reliably and conform to the relevant standards.
Once the tool 14 has selected and configured the template safety checker system the tool 14 outputs skeleton code 36 which when executed generates the safety checker system. The skeleton code 36 generated by the tool 14 has a generic interface that is exposed upon generation of the skeleton code 36. The generic interface beneficially allows the skeleton code 36 to receive a software adaptor such that the skeleton code 36 may be used with a variety of standard application programming interfaces (API).
The tool 14 also generates and outputs a test suite 40 which may be used to test the skeleton code 36 generated by the tool 14. The test suite 40 allows the generated code 36 to be statically tested prior to being executed and deployed on the vehicle control system 12. The skeleton code 36 may be tuned or adjusted while it is being tested by the test suite 40 such that the performance of the skeleton code 36 matches the requirements of the safety checker system.
Figure 4 shows a workflow associated with building a safety checker system using the tool 14. As mentioned above, initially the configuration data 11 is input into the tool 14.
The tool 14 then selects a template safety checker system from a library of template safety checker systems based on the requirements of the safety checker system as specified in the received configuration data 11. The tool 14 then configures the safety checker modules within the selected template safety checker system in dependence on the received configuration data 11. The tool 14 generates the skeleton code 36 from the configured template safety checker system and the tool 14 further generates a test suite 40 for testing the generated skeleton code 36. The generation of the skeleton code 36 is static, meaning it is not executed when generated by the tool.
The skeleton code 36 is fed into the test suite 40 to create a testing environment 41. The tool 14 generates the tests to verify the skeleton code 36 which is tested in the testing environment 41. The test suite 40 may emulate the vehicle control system 12 that the safety checker system is to be deployed on. When the skeleton code 36 is input to the test suite 40 the testing environment 41 replicates the deployed safety checker system on the vehicle control system 12.
Known test values may be input into the testing environment 41 to test that the generated skeleton code 36 is functioning as expected. For example, a first test value that is expected to pass the safety checks performed by the safety checker system may be input to the test environment 41, and the safety checker modules within the skeleton code 36 should take no action against it. A second test value that is expected to fail the checks performed by the safety checker system may also be input into the test environment 41, and the safety checker modules should detect that there is an error in the system. Furthermore, a third test value lying within an acceptable tolerance threshold may also be input to the test environment 41 to determine whether the safety checker modules within the skeleton code 36 are functioning as expected.
The tests performed in the testing environment 41 may be a static code analysis. The tool 14 may further perform component tests 42 on the generated skeleton code 36 to test the application programming interface (API) of the skeleton code 36. The results of the tests are output by the component test 42, and engineers are able to verify the results and tune the performance of the skeleton code 36 to ensure that the safety checker system will operate as expected when the skeleton code 36 is executed and deployed on a vehicle 10.
If the skeleton code 36 satisfies the testing requirements of the testing environment 41 the skeleton code 36 may be compiled in the compiler 45. The compiler 45 receives the skeleton code 36 from the tool 14 and furthermore receives the software adaptors 44 or inter-process communication (IPC) method to be used. The type of software adaptors 44 to be used may be specified by the user in the configuration data 11.
The compiler 45 takes the input skeleton code 36, software adaptors 44 and information indicative of the application or system manager 43 that will control the operation of the safety checker system and generates the binary files 46 to be deployed on the vehicle 10. The binary files 46 may be tested further in integration tests 47 prior to deploying the safety checker system on the vehicle 10.
Figure 5 shows a flowchart outlining a method for generating a safety checker system for deployment on a vehicle control system 12 using the tool 14. In Step 301 the user of the tool 14 configures the configuration data 11 that is input to the tool 14. When configuring the configuration data 11 the user may specify operational parameters of each safety checker module within the safety checker system. As mentioned above, the safety checker system is a modular system and comprises modular safety checkers which are configured based on the received configuration data 11. Similarly, the configuration data 11 is modular and each configuration file 31, 33, 35 within the configuration data 11 corresponds to a type of safety checker in the safety checker system. For example, the configuration data 11 may comprise three configuration files 31, 33, 35 relating to the watchdog modules 26, 28, the plausibility checker 27 and the redundancy checkers 22, 24 respectively.
In Step 302 a set of source files or skeleton code 36 is generated by manipulating a template safety checker system based on the configuration data 11 generated by the user of the tool 14. The template safety checker system may be selected from a library of template checker systems based on the received configuration data 11. Manipulating the safety checker modules within a template safety checker system based on the received configuration data 11 beneficially reduces the time it takes to generate the skeleton code 36 and ultimately to generate the safety checker system. Furthermore, the template safety checker systems stored in the library may be tested to ensure they meet the required standards before being loaded into the library such that the generated safety checker system also complies with the relevant standards.
In Step 303 the generated skeleton code 36 is integrated by defining the inter-process communication (IPC) method to be used, for example POSIX (Portable Operating System Interface) queues on a single machine, and the threading method to be used, for example POSIX threads. The skeleton code 36 generated by the tool 14 exposes a generic interface which an integrator may fill with software adaptors 44 in dependence on the vehicle control system 12 on which the safety checker system generated by the tool 14 is to be deployed. This is beneficial as it allows the generated skeleton code 36 to be used by vehicle control systems 12 operating with a variety of operating systems.
In Step 304 the generated skeleton code 36 is tested in the test suite 40. The test suite 40 is generated automatically by the tool 14 to test and verify the generated skeleton code 36. The user of the tool 14 may tune or modify operational parameters of the safety checker modules within the generated skeleton code 36 to optimise the performance of the safety checker system. In Step 305 the generated skeleton code 36 is executed to generate the safety checker system which may be deployed on the vehicle control system 12.
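The following Python sketch is an added example (not the patent's tool and not Jaguar Land Rover code) of the core of Steps 301 to 305 above and of the three test values described with Figure 4: configuration data selects a pre-validated template from a library, the template's operational parameters are bound to produce skeleton source that is not executed at generation time, a pass/fail/boundary test suite is derived from the same configuration, and the skeleton is first parsed statically and only then loaded in a stand-in for the testing environment 41. The template library, the configuration keys, the emitted Python skeleton and the sample values are assumptions; the patent discloses neither a template format nor a target language.

```python
"""Template-driven generation of safety checker skeleton code and its test suite.

Added illustration only: not the tool of GB2599707A. The template library,
the configuration keys, the emitted Python skeleton and the test values are
assumptions; the patent discloses neither a template format nor a target
language.
"""
import ast
from string import Template
from typing import Dict, FrozenSet, List, Tuple

# Constructed configuration data 11: one mapping per configuration file 31, 33, 35.
CONFIG = {
    "watchdog": {"enabled": True, "timeout_s": 0.1, "subscribers": ["lane_keep"]},
    "plausibility": {"enabled": True, "reference": 50.0, "tolerance": 2.0},
    "redundancy": {"enabled": False},
}

# Constructed template library, keyed by the set of active modules. Each entry
# stands for a pre-validated template whose operational parameters are unbound.
TEMPLATE_LIBRARY: Dict[FrozenSet[str], Template] = {
    frozenset({"watchdog"}): Template("""\
WATCHDOG_TIMEOUT_S = $timeout_s
WATCHDOG_SUBSCRIBERS = $subscribers

def watchdog_ok(last_seen, now):
    return now - last_seen <= WATCHDOG_TIMEOUT_S
"""),
    frozenset({"watchdog", "plausibility"}): Template("""\
WATCHDOG_TIMEOUT_S = $timeout_s
WATCHDOG_SUBSCRIBERS = $subscribers
PLAUSIBILITY_REFERENCE = $reference
PLAUSIBILITY_TOLERANCE = $tolerance

def watchdog_ok(last_seen, now):
    return now - last_seen <= WATCHDOG_TIMEOUT_S

def plausible(value):
    return abs(value - PLAUSIBILITY_REFERENCE) <= PLAUSIBILITY_TOLERANCE
"""),
}


def active_modules(config: Dict) -> FrozenSet[str]:
    """The modules the user activated by populating their configuration file."""
    return frozenset(name for name, cfg in config.items() if cfg.get("enabled"))


def template_available(config: Dict) -> bool:
    """True if the library holds a validated template for exactly these modules."""
    return active_modules(config) in TEMPLATE_LIBRARY


def generate_skeleton(config: Dict) -> str:
    """Step 302: select the template and bind its parameters. Nothing is executed here."""
    key = active_modules(config)
    if key not in TEMPLATE_LIBRARY:
        # Refuse rather than improvise: only validated templates may be emitted.
        raise LookupError(f"no validated template for modules {sorted(key)}")
    params: Dict[str, str] = {}
    for name in key:
        params.update({k: repr(v) for k, v in config[name].items() if k != "enabled"})
    return TEMPLATE_LIBRARY[key].substitute(params)


def generate_test_suite(config: Dict) -> List[Tuple[str, float, bool]]:
    """Derive the pass / fail / boundary test values of the testing environment from the config."""
    pc = config["plausibility"]
    if not pc.get("enabled"):
        return []
    ref, tol = float(pc["reference"]), float(pc["tolerance"])
    return [
        ("pass", ref, True),                    # expected to pass, no action taken
        ("fail", ref + 2 * tol + 1.0, False),   # clearly outside the tolerance
        ("boundary", ref + tol, True),          # exactly on the tolerance threshold
    ]


def static_check(source: str) -> bool:
    """Step 304 as static analysis: parse the skeleton without running it."""
    ast.parse(source)
    return True


def run_test_suite(source: str, suite: List[Tuple[str, float, bool]]) -> bool:
    """Stand-in for testing environment 41: load the skeleton and replay the test values."""
    namespace: Dict[str, object] = {}
    exec(compile(source, "<skeleton>", "exec"), namespace)
    return all(namespace["plausible"](value) is expected for _, value, expected in suite)
```

The point of keying the library by the exact set of active modules is that a configuration with no matching validated template is refused with an error instead of being synthesised, which is what keeps the "templates are validated before entering the library" argument above meaningful for the generated output.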
It will be appreciated that various changes and modifications can be made to the present invention without departing from the scope of the present application.

Claims (21)

  1. A tool for generating a safety checker system for monitoring an application on a vehicle or a vehicle sensor, the safety checker system comprising at least one safety checker module, the tool being configured to: receive configuration data relating to the at least one safety checker module; select a template safety checker system comprising the at least one safety checker module in dependence on the received configuration data; configure operational parameters of the at least one safety checker module in dependence on the received configuration data; and generate a skeleton code which when executed generates the safety checker system for deployment on the vehicle.
  2. A tool as claimed in any preceding claim, wherein the tool is configured to select the template safety checker system from a library of template safety checker systems in dependence on the received configuration data.
  3. A tool as claimed in Claim 1 or Claim 2, wherein the tool is configured to generate a test suite for testing the generated skeleton code.
  4. A tool as claimed in Claim 3, wherein the generation of the skeleton code is static and the test suite is configured to perform a static code analysis on the generated skeleton code.
  5. A tool as claimed in any preceding claim, wherein the configuration data comprises operational parameters of the at least one safety checker module.
  6. A tool as claimed in Claim 5, wherein the configuration data comprises at least one configuration file comprising operational parameters corresponding to the at least one safety checker system.
  7. A tool as claimed in any preceding claim, wherein the configuration data specifies the type and/or number of safety checker modules required in the safety checker system.
  8. A tool as claimed in any preceding claim, wherein the skeleton code comprises a generic interface for receiving a software adaptor.
  9. A tool as claimed in any preceding claim, wherein the at least one safety checker module is one of: a watchdog module, a redundancy checker and a plausibility checker.
  10. A method of generating a safety checker system for monitoring an application on a vehicle, the safety checker system comprising at least one safety checker module, the method comprising: receiving configuration data relating to the at least one safety checker module; selecting a template safety checker system comprising the at least one safety checker module in dependence on the received configuration data; configuring operational parameters of the at least one safety checker module in dependence on the received configuration data; and generating a skeleton code which when executed generates the safety checker system for deployment on the vehicle.
  11. A method as claimed in Claim 10, preceded by configuring operational parameters stored in at least one configuration file in the configuration data corresponding to the at least one safety checker system.
  12. A method as claimed in Claim 11, wherein configuring the at least one configuration file comprises specifying operational parameters relating to the at least one safety checker module.
  13. A method as claimed in Claim 11 or 12, wherein configuring the at least one configuration file comprises specifying a number and/or type of safety checker modules required in the safety checker system.
  14. A method as claimed in any one of Claims 10 to 13, comprising generating a test suite for testing the generated skeleton code.
  15. A method as claimed in Claim 14, comprising testing the generated skeleton code in the test suite.
  16. A method as claimed in Claim 15, comprising modifying operational parameters of the at least one safety checker module in dependence on the testing of the generated skeleton code.
  17. A method as claimed in any one of Claims 10 to 16, comprising inputting the skeleton code into a compiler and inputting data indicative of a software adaptor to the compiler to generate a binary file from the skeleton code.
  18. A method as claimed in Claim 17, wherein the configuration data comprises the data indicative of the software adaptor.
  19. A method as claimed in Claim 17 or Claim 18, wherein the generated skeleton code comprises a generic interface for receiving the software adaptor and the method comprises filling the generic interface with the software adaptor.
  20. A safety checker system generated using the tool as claimed in any one of Claims 1 to 9 or using the method as claimed in any one of Claims 10 to 19.
  21. A vehicle comprising the safety checker system as claimed in Claim 20.
GB2016061.0A 2020-10-09 2020-10-09 Safety checker system generator tool Pending GB2599707A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB2016061.0A GB2599707A (en) 2020-10-09 2020-10-09 Safety checker system generator tool

Publications (2)

Publication Number Publication Date
GB202016061D0 GB202016061D0 (en) 2020-11-25
GB2599707A true GB2599707A (en) 2022-04-13

Family

ID=73460449

Country Status (1)

Country Link
GB (1) GB2599707A (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140059517A1 (en) * 2012-08-23 2014-02-27 Cognizant Technology Solutions India Pvt. Ltd. Method and system for facilitating rapid development of end-to-end software applications
US20160132309A1 (en) * 2014-11-06 2016-05-12 IGATE Global Solutions Ltd. Efficient Framework for Deploying Middleware Services
