CEDES – cost efficient dependable
electronic systems
The IVSS Programme
The IVSS programme was set up to stimulate research and development for the road safety of the future. The end result will probably be new, smart technologies and new IT systems that will help reduce the number of traffic-related fatalities and serious injuries.
IVSS projects shall meet the following three criteria: road safety, economic growth and commercially marketable technical systems.
Three interacting components - for better safety, growth and competitiveness:
The human being
Preventive solutions based on the vehicle’s most important component.
The road
Intelligent systems designed to increase security for all road users.
The vehicle
Active safety through pro-active technology.
• Injury prevention
• Crash avoidance
• Business growth on a global market
• Product excellence
• Premium requirements
• Cost
Summary
A software engineering project
Technology and methodology for the design, construction, validation and verification of cost-efficient dependable electronic systems in road vehicles
Top eight
Summary (in Swedish in the original)
Support functions
Industrial policy goals
• New technology and methodology for cost-efficient electronics in road vehicles
• Competitiveness and growth among suppliers
Commercial goals
• Safety is a core value for the Swedish automotive industry
• Active safety systems give continued international success
Transport policy goals
• Traffic injuries shall be reduced - Vision Zero is the goal
• Active safety systems require advanced control functions
• Advanced control functions are realised with advanced electronics
Development process (V-model figure): Vision and needs, Functional requirements analysis, System design, Detailed design, Construction, Component test, System integration test, Function test, Acceptance test
• Hazard identification in early stages of system development
• Lightweight process evaluation and improvement for requirements engineering in the automotive industry
• Aspect oriented programming as a method for implementing fault handling mechanisms in software
• Deductive verification extended with symbolic fault injection
• An infrastructure for computing dependences, relations, and impact
• A process membership agreement service for a network using TT/ET communication
• Prototypic tool for deductive verification of C programs
• Program-level derating of soft errors in brake-by-wire systems
Title of the report: CEDES final report
Author : Håkan Edler
Reference number: AL80 A2004: 10537
Publication date: 21 Jan 2010
Table of contents
1. Project goals and contribution to IVSS ... 6
1.1. Goal... 6
1.2. Contribution ... 6
2. The CEDES task ... 8
3. Facts about CEDES ... 9
3.1. Economy ... 9
3.2. People... 11
3.3. Publications... 13
3.4. Diploma work ... 13
3.5. Seminars... 14
4. Conclusions and recommendations... 16
5. Seminars ... 17
1. Project goals and contribution to IVSS
IVSS is taking a needs–driven / problem–oriented approach and has identified three key problem areas for avoiding major road accidents:
• “Impaired drivers” or drivers with reduced capability as regards the primary driving task
• “Speed – Sense, alert and respond” or the driver’s ability to adapt to the current or expected traffic situation. Increase driver/vehicle system ability to respond by
• “Just before the unavoidable” – crashworthiness / mitigation & biomechanics.
To support these three problem areas, IVSS has identified the following three functions / systems:
• Sensor–rich embedded systems.
• Communication platforms & digital road maps/infrastructure
• Dependable, fault–tolerant systems
CEDES is a support project in dependable, fault-tolerant systems.
1.1. Goal
Based on industrial de-facto standards for architecture in vehicle electronics CEDES will:
• Develop new, cost-efficient basic technology for components in safety-critical systems.
• Educate and examine eight new PhDs in safety-critical electronic systems in road vehicles.
CEDES is a project in software engineering.
1.2. Contribution
CEDES has conducted research in technology for cost-efficient dependable electronic systems and in methodology for the design, construction, validation and verification of such systems. Research in CEDES has contributed to the goals of IVSS in the following way:
Road safety
The goal of Vision Zero is to eliminate fatalities and serious injuries by the year 2020. An important way to avoid accidents is to have active safety systems as standard equipment in all road vehicles. Active safety systems assist the driver in dangerous situations and can even take the command when needed. Active safety systems require advanced control, which requires advanced electronics and software.
Standard vehicles require low-cost components, which applies also to electronic parts, whose share of the manufacturing cost is increasing.
Technical systems for a global market
The automotive industry in Sweden always needs competitive technology for commercial success on a global market. Future electronic systems in road vehicles will require very high dependability and in particular fault tolerance. Safety has long been a core value for Swedish road vehicle manufacturers, and new technology is needed to meet the rapidly increasing demand for active safety systems.
Active safety systems with dependable and cost-efficient electronic systems will enable continued international success.
Automotive industry in the whole supply chain needs attractive products with high reliability and competitive prices. The market for electronic systems for road vehicles is expected to grow dramatically in the near future. With new technology and methodology Swedish automotive industry can grow and create new job opportunities in existing and new companies.
CEDES has developed new technology for cost-efficient fault-tolerant mechanisms and new methodology for efficient development of dependable electronic systems in road vehicles.
2. The CEDES task
Can we trust software?
• A new program has on average 50 faults / kLoC (thousand lines of code).
• Commercial software normally has 3 – 5 faults / kLoC.
• A majority of failures in new cars depend on faults in the electrical system.
• An investigation made in 1984 on failures of the IBM mainframe operating systems revealed that 1/3 of all failures had occurred only once at only one customer => MTTF 5000 years.
• Some software engineering journals regularly report spectacular failures caused by software faults.
The problem
• The probability of failure in a component of a safety-critical system must be < 10^-7 / h according to IEC 61508.
• Software testing can never show the absence of faults; it can only show their presence.
• Software development is a complicated process with few metrics
• Software is an abstract product
The solution
• Build safety critical systems to be fault tolerant. They must tolerate
• Faults in input, operation and design
• Failures in hardware
• Hence the software system must automatically
• Detect
• Confine
• Diagnose faults
• Recover from erroneous state
• This requires
• Redundancy – more than one unit for a certain function
• Diversity – the function is implemented differently in each unit
The CEDES solution
• Each electronic unit is associated with a manufacturing cost
• Instead of electronic units use software for the necessary redundancy and diversity
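As an added illustration of the argument above (constructed example, not CEDES code): two diverse software variants of a brake-force function replace a second electronic unit, a comparator detects disagreement, a plausibility check diagnoses which result to trust, and the output falls back to a safe value otherwise. The per-mille units, the formula, the tolerance and the XOR-based fault injection are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdlib.h>

/* Constructed example: brake demand and wheel slip are per-mille values (0..1000).
 * Two diverse software variants compute the brake force; a comparator detects
 * disagreement (detect), the bad value is not forwarded (confine), a plausibility
 * check decides which variant is wrong (diagnose), and a safe value is used when
 * neither can be trusted (recover). */

#define TOL 2        /* rounding difference tolerated between the variants */
#define FAIL_SAFE 0  /* recovery value when no variant can be trusted */

typedef enum { FT_OK, FT_DEGRADED, FT_FAILED } ft_status_t;

static int32_t clamp(int32_t v, int32_t lo, int32_t hi) {
    return v < lo ? lo : (v > hi ? hi : v);
}

/* Variant A: scale the demand by a slip-dependent factor, 32-bit arithmetic. */
static int32_t brake_force_a(int32_t demand, int32_t slip) {
    demand = clamp(demand, 0, 1000);
    slip = clamp(slip, 0, 1000);
    return demand * (1000 - slip / 2) / 1000;
}

/* Variant B: same specification, different arithmetic order and word size (diversity). */
static int32_t brake_force_b(int32_t demand, int32_t slip) {
    int64_t d = clamp(demand, 0, 1000);
    int64_t s = clamp(slip, 0, 1000);
    return (int32_t)(d - (d * s) / 2000);
}

/* Plausibility check: a brake force is in range and never exceeds the demand. */
static bool plausible(int32_t force, int32_t demand) {
    return force >= 0 && force <= 1000 && force <= clamp(demand, 0, 1000);
}

/* inject_a is XORed into variant A's result: a constructed stand-in for a soft
 * error (bit flip), so the fault-handling path can be exercised in a test. */
ft_status_t ft_brake_force(int32_t demand, int32_t slip, uint32_t inject_a, int32_t *out) {
    int32_t a = brake_force_a(demand, slip) ^ (int32_t)inject_a;
    int32_t b = brake_force_b(demand, slip);

    if (abs(a - b) <= TOL) {           /* detect: variants agree, normal operation */
        *out = a;
        return FT_OK;
    }
    /* confine: neither value is forwarded before diagnosis */
    bool pa = plausible(a, demand), pb = plausible(b, demand);
    if (pa != pb) {                    /* diagnose: exactly one variant is plausible */
        *out = pa ? a : b;             /* recover with the plausible result */
        return FT_DEGRADED;
    }
    *out = FAIL_SAFE;                  /* recover to the safe state */
    return FT_FAILED;
}
```

Note that a corruption smaller than TOL is masked by the comparator, so the tolerance must be no wider than the variants' rounding differences require.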
Work in CEDES is interdisciplinary
• Methods to analyse models of software to early identify critical parts
• Techniques to build fault tolerant parts in software
• Techniques to analyse software with mathematical formalism
• Methods to control work in development of software
• Methods to measure progress and quality in suppliers’ work
• Experiments on a real system to verify research results
3. Facts about CEDES
3.1. Economy
Progress in CEDES was tracked with the aid of score cards on:
• Cost
• Credits achieved by PhD students
• Publications accepted
• Diploma work finished
• Attendees at seminars
The last versions of these score cards accompany the text in this report. The goals in them were set at the beginning of the project and never changed.
3.1.1. Key facts
44 MSEK total budget for the project.
21.5 MSEK grants from VINNOVA.
22.5 MSEK investment by industrial partners.
1000 credits finished by PhD students in Dec 2008 (1 credit here = 1.5 hec).
31 articles published at conferences or in journals.
24 diploma works with 39 students in total.
29 seminars with 1033 attendees in total.
CEDES was projected to last from Oct 2004 to Sep 2008. As it took time for Chalmers to recruit PhD students, their part of CEDES continues until Dec 2010. All other partners finished their part of the project in 2008.
3.1.2. Partners
Volvo Car Corporation
Volvo Technology Corporation
Autoliv Electronics AB
Chalmers University of Technology, dept. of Computer Science and Engineering
SP Technical Research Institute of Sweden
3.1.3. Accumulated cost 2004 – 2008
Project costs have mainly followed the budget. VCC put more effort into the project initially to give it a good start. Chalmers took some time to find PhD students; hence they had not consumed grants at the planned rate by the end of 2008 and will continue the project until the end of 2010.
Figure: CEDES costs up to and including Q4 2008, in kSEK. Left panel: granted, budget and outcome per partner (Total, VCC, VTEC, Autoliv, Chalmers, SP), scale 0 – 50 000 kSEK. Right panel: accumulated CEDES costs per quarter, Q4 2004 – Q4 2008, outcome versus budget.
3.1.4. Organisation
Håkan Edler, SP, was the project leader and Peter Öhman, Chalmers, was the technical leader.
Work in CEDES was controlled by a steering committee with members:
• Olle Bridal, VTEC
• Jakob Axelsson, VCC
• Kent Pettersson initially and later Lars Faber, Autoliv
• Peter Öhman, Chalmers and
• Håkan Edler, SP, chairman
The steering committee met twice a year.
All people working in CEDES met once a year in a project conference, where current results were presented and future directions of research in the project discussed.
All PhD students, the technical leader and the project leader met every Monday to report the last week's work, discuss it and plan the work to be done. These meetings proved to be very efficient, as all PhD students had to report their work and became aware of all the others' work. Many fruitful discussions and much co-operation between the students resulted from these weekly meetings.
3.2. People
3.2.1. PhD students
PhD students and the year of their licentiate and PhD degrees:

                                      Licentiate   PhD
Funded by IVSS:
  Martin Ivarsson                     2007         2009
  Fredrik Pettersson                  2007         -
  Daniel Skarin                       2008         2010
  Daniel Larsson                      2007         -
  Gustav Munkby                       2009         2010
Funded by Chalmers University of Technology:
  Ruben Alexandersson                 2007         2009
Funded in part by industry:
  Carl Bergenhem, SP                  2003         2010
  Fredrik Törner, VCC                 2006         2008
All eight PhD students have achieved their licentiate degree. Two left the project for industry after the licentiate degree. The remaining six will have achieved their PhD degree by the end of 2010.
In total the CEDES PhD students had achieved 1000 credits by the end of 2008. These credits are valued according to the old system in use when CEDES started: 1 old credit has the value of 1.5 hec (higher education credits). 1 old credit corresponds to one week's work, so 40 old credits correspond to a full year's study. 160 credits are required for the degree of PhD: 40 for courses and 120 for publications.
PhD students from other projects in software engineering participated in our work and attended the weekly meetings. They are:
Ana Magazinovic, Johan Magnusson, Tord Holmqvist, Joakim Pernstål and Ali Shahrokni.
Figure: accumulated credits achieved by the PhD students, January 2005 – April 2011, outcome versus goal (scale 0 – 1200 credits).
3.2.2. Key people
Mr Håkan Edler, SP, project leader
Dr Peter Öhman, Chalmers, technical leader and supervisor
Dr Jakob Axelsson, VCC, member of the steering committee
Dr Olle Bridal, VTEC, member of the steering committee
Mr Lars Faber, Autoliv, member of the steering committee
Mr Kent Pettersson, Autoliv, member of the steering committee
Dr Roger Johansson, Chalmers, responsible for the development of an experiment system
Prof Johan Karlsson, Chalmers, supervisor and examiner
Prof Reiner Hähnle, Chalmers, supervisor and examiner
Doc Sibylle Schupp, Chalmers, supervisor and examiner
In addition to these people, a large number of engineers from the partner companies have been involved in the project. They have both participated in the work of the PhD students and worked on in-house projects where technology from CEDES was applied.
3.3. Scientific work and publications
Here we include a short description of what each PhD student has worked on.
31 articles have been accepted at conferences and journals with a referee system.
Figure: number of articles, January 2005 – April 2011: accepted, submitted and goal (scale 0 – 80).
3.4. Diploma work
39 students at Chalmers University of Technology have worked on sub-projects in CEDES as their diploma work. 35 of the projects were for a master’s degree and 4 for a bachelor’s degree.
16 of the projects built an experiment system for CEDES, intended for tests of research results in the project. The system they built is a model of a distributed ABS system, where each brake is a node in a distributed computer control system. All control modules are modelled in Simulink and compiled directly to executables that run in the nodes. The projects built the system together, each project building on the results of earlier ones. They addressed a wide range of subjects:
• Distributed control systems
• Dependable systems
• FlexRay and TTCAN
• Fault injection in executable model
• Simulation
• Autosar
4 of the projects worked with formal methods for specification and verification of software and with the tool KeY for these methods. 2 projects investigated what cost efficiency means in the development, manufacturing and use of electronic systems for road vehicles. 2 projects worked with different methods for factoring out fault handling mechanisms from application code: aspect oriented programming and exception handling.
Figure: the CEDES experiment system. Electronic control units in GAST nodes (Brake 1 – 4, Brake control, Vehicle control, PT control, ACC, Driver controls) communicate over FlexRay / TTP / TTCAN; an xPC environment simulator (Wheel 1 – 4, Power-train, Traffic, Driver) exchanges analogue and digital signals with the GAST units through xPC interfaces.
3.5. Seminars
The first Thursday in each month during Chalmers’ semester time CEDES gave a seminar for the dissemination of results from the project. Target groups were automotive engineers and other researchers working with dependable electronic systems. Invitations were sent to all automotive engineers in Sweden and to all suppliers to the automotive industry. CEDES gave 29 seminars and in total 1033 people attended the seminars.
Figure: accumulated number of seminar attendees, Q1 2005 – Q2 2011, outcome versus goal (scale 0 – 1600).
4. Conclusions and recommendations
CEDES has conducted research in new technology and new methodology for the development of cost-efficient, dependable electronic systems in road vehicles. The research gives the automotive industry eight new engineers whose knowledge of dependable systems lies at the front line of current research. The industrial partners have already used research results from CEDES in their product development projects.
Top eight specific results
• Hazard identification in early stages of system development
• Lightweight process evaluation and improvement for requirements engineering in the automotive industry
• Aspect oriented programming as a method for implementing fault handling mechanisms in software
• An infrastructure for computing dependences, relations, and impact.
• A process membership agreement service for a network using TT/ET communication
• Program-level derating of soft errors in brake-by-wire systems
• Prototypic tool for deductive verification of C programs
• Deductive verification extended with symbolic fault injection
• An experiment system
Dissemination
Research results from CEDES and knowledge from the project are disseminated in several ways:
• Eight new researchers
• Technology and methodology in use at the project’s partners
• Seminars for automotive engineers and other researchers
• Diploma work for university students
• Articles at conferences and in journals
5. Seminars
12 May 2005 Martin Ivarsson and Fredrik K F Pettersson, Improved control in the automotive industry's supply chain
2 Jun 2005 Roger Johansson, Scheduling of time- and event-triggered communication on the CAN bus
15 Sep 2005 Sibylle Schupp, Generic software libraries: Design once, run anywhere
13 Oct 2005 Ruben Alexandersson, Aspect-oriented programming
3 Nov 2005 Reiner Hähnle, Formal verification of source code
1 Dec 2005 Martin Hiller, Error propagation in software
2 Feb 2006 Carl Bergenhem, Technical implementation of a FlexRay system
2 Mar 2006 Jonny Vinter, Fault-tolerant software for control systems
17 Mar 2006 Paul Raistrick, Scade for automotive applications
6 Apr 2006 Gustav Munkby, Exception safety
4 May 2006 Daniel Larsson, Symbolic fault injection
17 May 2006 Kavi Arya, The Use of a Data Recorder for Driver Rating
1 Jun 2006 Josef Nilsson and Robert Hammarström, A comparative study of code generators for Simulink
7 Sep 2006 Camilla Lindström, How to improve time estimation of software projects
5 Oct 2006 Fredrik Törner, Hazard identification in early system design phases
2 Nov 2006 Peter Öhman, Agile software development
1 Feb 2007 Daniel Skarin, Cost-efficient fault tolerance for control systems
1 Mar 2007 Patrik Palo, Feature growth versus safety in cars by means of integration and interaction concepts
12 Apr 2007 Olle Bridal, Principles for the development of safety-critical systems - Conclusions from EASIS
7 Jun 2007 Half-day conference
7 Jun 2007 Fredrik Pettersson and Martin Ivarsson, Light-Weight Software Process Assessment and Improvement Planning
4 Oct 2007 Ana Magasinovic, Qualitative research concerning cost estimation and manufacturing of vehicles with focus on development of software based systems in the automotive domain
1 Nov 2007 Reiner Hähnle, Generating Unit Tests from Formal Proofs
6 Dec 2007 Carl Bergenhem, Redundancy management with membership
12 Jun 2008 Half-day seminar
4 Sep 2008 Jan Jacobson, Active safety functions – can we evaluate their excellence?
2 Oct 2008 Kristina Forsberg, R&D on IMA, Integrated Modular Avionics
6 Nov 2008 Erik Fröstad and Jakob Tivell, Cost-efficient automotive electronics - What is it?