KR102534450B1 - Use of a signal integrity in embedded systems - Google Patents

Abstract

The present invention relates to a method and apparatus for determining signal integrity, in which case the flow of effects through a system is used directly for integrity determination. Effect streams are determined by physical relationships or physical effects, and integrity requirements are adjusted during system operation. Integrity determination may apply signal integrity determination according to the ASIL-level.

Description

The use of signal integrity within embedded systems {USE OF A SIGNAL INTEGRITY IN EMBEDDED SYSTEMS}

The present invention relates to a method for using signal integrity in conjunction with signal quality requirements to properly support security concepts. Also, a control program that performs this method during its own execution is described. Also described is a control system for handling signal integrity, particularly an automotive control system.

Within modern automobiles, more and more control units are integrated and more and more functions are implemented. As networking and complexity increase, functional safety implementations are becoming increasingly complex as well.

Additionally, with the development trend toward autonomous vehicles, the requirements for functional safety are strongly increasing. While hitherto often the driver has to make the final decision in a safety-related situation, this decision is increasingly being transferred to the vehicle or to the vehicle controls themselves by the use of numerous driver assistance systems.

Another important aspect is that functional safety implementations have historically focused almost exclusively on putting the system into inactive ("fail safe") when a system fault is detected. However, in systems for autonomous vehicles, it becomes strongly necessary to implement much more complex error responses in order to reach the lowest risk ("fail operational") state of the vehicle. This may result in cases where, for example, instead of stopping the vehicle as quickly as possible in the event of a fault, it may first have to be accelerated again in order to move the vehicle away from the rail, for example when crossing a level crossing.

Further considerations may be transferred to the development of (embedded) systems in general, although they relate to system development of complex technological systems, in particular vehicle control systems.

One important aspect within the framework of the development of vehicle controls is the implementation of functional safety. Functional safety is used to increase the safety of technical systems in order to reduce risks when using the system. For vehicles operating on roads, functional safety according to ISO 26262 is specified.

The implementation of signal integrity in corresponding software functions enables, on the one hand, consistent realization of the required integrity and, on the other hand, a dynamic and flexible adaptation to the operating state of the system. This situation is supported by encapsulated system elements.

Depending on the controllability and impact of errors, ISO 26262 "Automotive Safety Integrity Level" (ASIL) defines specific levels or "levels" that establish requirements for the integrity of specific signals.

This integrity level (ASIL) must be met by all system elements involved. In this case, the level of integrity required for a system element or signal within a related system depends on how the system element is classified within the overall system and how it contributes to the functioning of the overall system.

In modern vehicles, more and more control units are integrated and more and more functions are implemented. As networking and complexity increase, it becomes increasingly difficult to ascertain the required level of integrity for the individual system elements and system signals involved. However, choosing the correct ASIL-classification for an individual element is crucial for determining overall system safety and for reaching the required safety for the overall system. A false level classification that appears too low can have catastrophic effects.

Such a situation applies in autonomous operating systems, where the safest state above all else is no longer fail safe, but rather fail operational is the lowest risk state. This may result in cases where, for example, instead of stopping the vehicle as quickly as possible in the event of a fault, it may first have to be accelerated again in order to move the vehicle away from the rail, for example when crossing a level crossing.

In autonomous vehicles, since the controllability of the system by the driver is significantly reduced, the required ASIL-level also tends to shift within a further higher range. On the other hand, the chosen integrity level or integrity requirements have a significant impact on the cost and development complexity of the system, and for this reason an excessively high ASIL-level classification should be avoided.

In order to implement the requirements raised for the development process in ISO 26262, this development process is often structured according to the specifications of "ISO 15288 - Systems and Software Engineering". At this point, one important aspect within the framework of systems engineering is the process of dealing with requirements engineering.

The requirements (needs) raised for the system are subdivided and detailed during the development process, for example hierarchically or along an effect flow. Effect flow means the flow through which an effect is delivered, or, in the principle of a thread, a flow that describes where something produces an effect from where to where. The effect can be mechanical, electrical or thermal, for example. The mechanical effects chain or flow of effects within a vehicle will be through the wheels, shafts, hubs, differentials, shafts and transmissions. This is always done where an effect is passed from one element to another via a corresponding interface.

Inside an element, an effect chain is described through the element's transfer function.

Hereby, the transfer function of the effect flow characterizing the individual system can be subdivided and described in detail. At this time, one requirement emerges from the ASIL-classification of the system to be developed. This signal integrity requirement changes within the system depending on the requirements for the individual system elements and signals and as the system is subdivided or decomposed. The individual integrity requirements placed on signals are not independent of each other, but rather influence each other through physical relationships within the system along the system effect chain (effect chain of effect streams).

In accordance with the present invention, if requirements engineering for a system is carried out together with architectural development for the system, the flow of effects through the system, e.g. physical relationships, can be used directly to determine signal integrity (ASIL-level). This makes it possible to determine signal integrity in an automated state.

The implementation of such signal integrity in the corresponding software function enables, on the one hand, the consistent realization of the required integrity and, on the other hand, dynamic and flexible adaptation to the operating state of the system within the encapsulated system elements. make it possible An implementation can be made, for example, through the transmission of the required ASIL-level or through the transmission of a corresponding physical value (eg for ASIL B; a failure probability of less than 10 to 7/hour; or 100 Fit). At this time, the transmission of physical values enables much more accurate transmission than is possible with ASIL-level alone.

For example, by dynamically adjusting the signal integrity in the vehicle, the requirements for signal integrity of the brake light switch may be lower during standstill than during driving.

Such dynamically adjusted integrity requirements will make it possible to switch on or off additional sensor systems, among other things, in certain operating situations and thereby optimize, for example, the energy efficiency or service life of components.

For example, when recording a sensor signal, the sensor signal may be provided by the sensor with different signal accuracy under various operating conditions. For lambda probes, for example, the accuracy of the determined value depends on the operating temperature of the sensor. Even when a signal is transmitted between two control devices, the quality or signal accuracy of the transmitted signal differs depending on the communication state between the control devices.

For functional safety concepts of the future, especially for systems that are becoming more and more autonomous, it is increasingly important to activate or deactivate the necessary diagnostic functions in a highly targeted manner in order to optimize the response to errors that occur and thereby the availability of the system. It's getting done. In particular, within the framework of "fail operational" systems, diagnostic capabilities and increased availability of the system are required.

In conventional solutions for implementing functional safety within vehicles, or within engine control units and drive train control units, safety-related functions have been redundantly mapped, for example at a parallel level. In the case of systematic or random errors detected from the monitoring level, a corresponding error response is triggered. By way of example, a safe state of the system may be activated. Hereby, if an error is detected when collecting the accelerator pedal position, for example to prevent unintentional acceleration, the throttle valve is moved to the emergency drive position or the injection is deactivated.

Within the framework of functional safety, functions used to monitor the system can be activated or deactivated depending on the operating situation, in order to avoid groundless false reactions. In this way, the plausibility check for the driver request moment can be deactivated in order to avoid erroneous triggering of an error response in the case of an abrupt change of forward/reverse motion, for example during a parking procedure.

For functional safety concepts of the future, especially for increasingly highly automated systems, not only recognizing faults but also arriving at qualitative statements about fault cases and being able to make quantitative statements about the effects of faults and It may also be necessary to adapt the vehicle's error response to a corresponding error.

The use of integrity requirements allows, on the one hand, increased system availability through optimized activation or deactivation of monitoring functions, but on the other hand, when an error response is required, it is also faster and more goal-oriented. can be triggered, since with a more targeted activation and deactivation of the monitoring function the limit values for error cases can be defined much more precisely.

This fact represents an obvious added value when implementing safety concepts, especially for autonomous vehicles, since the availability of the system is very important in such cases. In addition, the safe state sought in the event of a fault cannot be limited to stopping the operation of the system, but rather a precisely adapted reaction to this fault, i.e. to the operating and environmental conditions in which the system is placed at the time of the fault. this is expected The fact that higher level control functions can react specifically to system state according to integrity requirements is important.

Integrity values can be used within the framework of a functional safety concept to determine information about the state of sensors and actuators necessary for evaluating the state of the system (particularly safety-related), whereby a valid or erroneous signal It is no longer necessary, as hitherto, for numerous other information or signals to be used at a higher system level, in order to indirectly obtain information about .

Accordingly, the object of the present invention is to increase functional safety in a vehicle which has a large number of signals and which signals are evaluated taking into account the integrity requirements in this case.

A method for determining signal integrity is proposed, in which case the effect flow through the system is directly used to determine integrity. Effect streams can be determined by physical relationships, and integrity requirements can be adjusted during system operation.

In the drawing:
1 shows a schematic block circuit diagram of various functional blocks for calculating an overall accuracy signal from a plurality of individual accuracy signals;
Figure 2 shows the evolution of integrity requirements along the chain of effects; and
Figure 3 shows an overview of the ASIL-concept.

1 is a schematic diagram of various functional blocks for performing the above-described method for monitoring control signals for one or more signal processing components of a control system consuming control signals, taking into account signal accuracy and accuracy requirements; Shows the in-block circuit diagram. Such systems can be found in automobiles, for example.

The functional blocks shown in Figure 1 are, for example, part of an implementation inside a control system or distributed over a communication control system.

First, a plurality of control signals 1a and 1b and a plurality of accuracy signals 2a and 2b of a specific type are generated. This generation takes place in the area of the signal generation component (I) of the control system. The individual accuracy signals 2a and 2b represent the signal accuracy of the corresponding control signals 1a and 1b, respectively. This means that the accuracy signal 2a represents the signal accuracy of the control signal 1a, while the accuracy signal 2b represents the signal accuracy of the control signal 1b.

The signal generating component (I) operates as an evaluation unit for evaluating measurement signals generated, for example, by means of a plurality of measurement signal generating units, in which case the signal generating component (I) receives a control signal from the collected measurement signals. (1a and 1b) and the accuracy signals 2a and 2b of these control signals, respectively. Figure 1 shows the determination of the engine oil temperature by way of example, in which case, for example, a temperature sensor is used as the first measurement signal generation unit and a system model is used as the second measurement signal generation unit. The temperature sensor generates a first measurement signal and the system model generates a second measurement signal. Thereby, two signal sources are used (in this embodiment for determining the engine oil temperature), each providing an alternative measuring signal of a specific type. The signal generating component (I) generates a first control signal (1a) from a first measurement signal of the temperature sensor and a second control signal (1b) from a measurement signal of the system model. For example, the individual control signals 1a and 1b are obtained as temperature signals from a temperature sensor or an electrical voltage signal of a system model.

The individual generation of the signal integrity values 2a and 2b is made, for example, on the basis of a system model by the signal generating component I or knowledge of the state or behavior of the temperature sensor. For example, the integrity value 2a or 2b can be obtained from the characteristic curve behavior of a temperature sensor or system model known to the signal generating component I.

Then, the two integrity values 2a and 2b are evaluated with respect to their reliability. For this purpose, the effect flow through the system or physical relationship is directly used to determine the signal integrity (ASIL-level). Thus, it becomes possible to determine signal integrity in an automated manner.

The evaluation block monitors the determined integrity value and checks the signal with reference to the integrity requirements. The integrity requirements may be the same for the two signals, or the integrity requirements may be established for each signal individually. In one embodiment, the integrity requirements for each signal are not tightly coupled and are proportional to each other.

The selection of the ASIL-level for individual system elements in the vehicle or in the engine control unit and drive train control unit is made through threat analysis and risk analysis. In the field of function development for drive control units and engine control units, the selected ASIL level for a signal is such that, for example, the signal for a function with a higher ASIL level has a higher level of integrity (safety against failures, reliability). ) acts to provide This work often occurs in parallel or separately from requirements engineering and system architecture development, and is associated with many additional tasks. Additionally, this approach introduces a high risk of inconsistency between requirements, system architecture and ASIL classification.

Requirements related to signal integrity are addressed during the development process at the system level, since the system function caused by the error behavior actually determines the potential damage (severity). Whether the system is organized hierarchically or along an effect flow, the effects of impairment are detailed and detailed. The ASIL classification of the system to be developed can be used as a reference value or target, in which case fulfillment of the target level is mandatory. Integrity requirements can still be communicated by reference to transfer functions that characterize individual systems.

In Figure 2, the effect of signal integrity requirements along the effect chain is shown. Two systems 200 in the vehicle use information about the braking process. Brake light 240 is controlled with reference to a signal from brake pedal switch 220 . The ESP control unit 230 also uses the signal of the brake pedal switch, but also the signal of the hydraulic switch 210 . In this way, for example, the "activation of the braking light dependent on the braking process" function is achieved via a brake pedal switch that is activated from a specific pedal position. For this function, a low ASIL-level (ASIL B) has been established. For vehicle dynamics functions that are performed according to the braking process (eg ESP) and must fulfill a higher ASIL-level (ASIL C), information about the braking process with higher integrity must be provided. Therefore, for these functions, information on the braking process is determined not only via the brake pedal switch, but also via the hydraulic pressure in the brake line. However, implementations such as these are independent of the chosen system architecture and requirements engineering, and in retrospect it is often not clear why a signal with ASIL C-quality or ASIL B-quality is needed.

Once the architecture development and requirements engineering is done within a suitable program, and the parameters of the requirements for integrity are entered in a machine-readable way, the physical relationship or transfer function of the existing integrity requirements and subsystems, e.g. Another integrity requirement or integrity level can be determined in an automated manner, for example by means of (error)-playback calculations (see DE 10 2017 218 755 and DE 10 2017 216 749).

The effect flow through the system can be used directly for integrity determination as soon as the effect flow through the physical relationship is determined.

In one embodiment of the invention, integrity requirements are adjusted during system operation. Signal integrity or ASIL-level dependencies must be considered within the framework of requirements engineering in order to correctly determine the requirements at the corresponding point. Based on the requirements for signal integrity established during requirements engineering and system architecture development, integrity must be realized within the implementation (SW, HW, ...).

Because of this, there is also the possibility within the software to transmit the required signal integrity and thus dynamically adapt to the system configuration or operating state.

For example, if the transfer function of one system from the system architecture is used within the framework of requirements engineering, then for the subsystem "braking light" a different ASIL-level compared to "lane keeping assistance" based on classification and effect flow is obtained. As it appears automatically, the corresponding ASIL-level can be determined automatically, for example for the subsystem “Lane Keeping Assist”, with reference to the configuration in the system and in the effect flow. In this way, the requirements on the brake pedal switch 220 can be reduced, for example, if the ESP control unit 230 does not place higher integrity requirements on the signal. Thereby, in the implementation of a stationary vehicle, for example, only ASIL-B is necessary, while ASIL-C is required during driving operation. Integrity requirements for signals that are used multiple times always correspond to the highest of all possible requirements, ie to the highest required safety or ASIL-level.

In Fig. 3, an ASIL-concept 300 is schematically shown. The impact of the error, or "severity", is displayed as 311 on the vertical axis, and the control options or "controllability" are displayed on the horizontal axis. Thus, overall integrity requirements, e.g. ASIL-C, appear not only for "high probability" and "generally controllable" but also for "medium probability" and "difficult to control".

The required signal integrity changes within the system as the system requirements for individual system elements and signals are elaborated or decomposed. The individual integrity requirements for signals are not independent of each other, but rather affect each other through physical relationships within the system along the chain of system effects (effect chain of effect streams).

In response to the verification of signal integrity and integrity requirements, a decision about the control signal source may be made or established. The decision of the evaluation block 5 controls the changeover switch 6a and the changeover switch 6b respectively. Depending on the decision of the evaluation block 5, the control signal 1a obtained from the temperature sensor or the control signal 1b obtained from the system model is selected by the changeover switch 6a. In Fig. 1, control signal 1a has illustratively been selected for further processing by transfer switch 6a. Due to this, the control signal 1a is transmitted as a selected control signal 3 of one or a plurality of signal processing elements III consuming the control signal 3 . Alternatively or additionally, a tailored error response may be triggered based on faulty signal integrity.

If the measurement signal generating unit is a sensor model or a system model, the signal generating component can infer a specific operation or specific state of the sensor model or the system model, for example from model variables or model parameters known to it, and thus In conjunction, it is also possible to infer specific measurement accuracy or measurement inaccuracy, disturbance variable behavior, etc. This state or such an operation of the measurement signal generating unit is, on the one hand, used to generate a control signal from the measurement signal transmitted by the measurement signal generating unit, and on the other hand, generated in parallel and the control signal It is used to generate an accuracy value representing signal accuracy.

The essential factor determining signal integrity can be influenced by the computational method or even established by the tendency of the probability of failure of the computational method in particular to be close to zero. Correspondingly, in the field of function development for drive units and engine control units, signals can be provided for functions with higher ASIL-level requirements, ie higher integrity (fail safe, reliability).

Integrity requirements can change or adjust accordingly depending on whether the use of the measurement signal or the state or operation of the measurement signal generating unit changes over time. For example, in a sensor exhibiting temperature-dependent characteristics, when the operating temperature changes, the state or behavior of the sensor also changes, which affects the signal integrity provided by the sensor. For example, the voltage signal provided by the sensor increases proportionally as the temperature at the sensor increases. It is also conceivable that the sensor has a temperature dependent measurement accuracy. Thus, as the temperature increases, the signal accuracy of the measurement signal provided by the sensor also changes, thereby in turn altering the signal integrity of the control signal determined from the measurement signal. This change in signal integrity is taken into account when checking whether integrity requirements are met.

Signal transmission can take place using a control bus, eg a CAN-bus or other field bus, or using one or several networks. For example, the signal generating component is installed in a first control device of the control system, while said one or more signal processing components are installed in a second control device. Between these control devices, signal transmission takes place via one or more transmission paths mentioned above.

In various implementations of the method, a plurality of control signals are generated by the signal generating component or by a plurality of signal generating components. In this case, each integrity requirement may correspond to one signal or control signal, or one integrity requirement may correspond to a plurality of signals or control signals.

Claims (10)

A method for providing signal integrity for a control system of a vehicle system, comprising:
The signal integrity is determined for a control signal of the control system, an effect flow passing through the vehicle system is directly used for determining the signal integrity, and the effect flow is determined by one or more physical relationships or physical effects. wherein each determination of signal integrity includes a determination of an ASIL level;
wherein the signal integrity of each control signal and the integrity requirements of signal processing components consuming each control signal are verified, and the integrity requirements of the signal processing components are adjusted during system operation. How to. 2. The method of claim 1, wherein one physical effect is related to moving or stopping the vehicle. The method of claim 1 , wherein the one physical relationship involves mechanical shifting of a transmission or drive train. 2. The method of claim 1, wherein the integrity requirements are established with reference to a functional safety profile. A control program stored on a computer readable medium for execution on one or a plurality of control systems,
A control program stored on a computer readable medium, wherein the control program, when executed, executes the method according to any one of claims 1 to 4. As a control system of a vehicle system,
- configured to determine signal integrity for a control signal of the control system, wherein an effect stream passing through the vehicle system is used directly for the determination of the signal integrity, the effect stream having one or more physical relationships or physical effects where each determination of signal integrity includes a determination of an ASIL level; also,
- a vehicle configured to verify the signal integrity of each said control signal and the integrity requirements of a signal processing component consuming each said control signal, wherein said integrity requirements of said signal processing component are adjusted during operation of the system. system's control system. delete delete delete delete

Images