Automotive Electronics Design for Safe and Reliable Operation

Stepping on the accelerator pedal of a modern automobile indicates the driver's intent to increase the engine speed, but there is no mechanical connection between the pedal and the engine throttle. Similarly, in most cases, turning the key to the "off" position simply sends a signal to the engine control module requesting that the engine be shut down. The ultimate control of the engine operation is handled by one or more computers, and the driver's intentions are only one of many inputs these computers use to decide how the vehicle should respond. On average, allowing computers to control the engine and other automotive systems has helped to make today's cars and trucks safer, more fuel efficient and even more reliable. However, as the number of electronic components capable of taking control of the throttle, brakes and other safety-critical systems increases, it is more important than ever to be sure that these components will work together in a safe and predictable manner. They must be immune to electromagnetic interference, and when they eventually fail, they must fail in a manner that does not risk the safety of the vehicle occupants. One of the most significant vulnerabilities of automotive electronic systems is their unpredictable response to unanticipated inputs. Power glitches, electrostatic discharge events, intermittent connections, ambient electromagnetic fields and many other noise sources can cause the microprocessors used in automotive systems to become confused and behave unpredictably. Since these noise sources can never be completely eliminated, it is important to be able to anticipate them and respond to them in a safe and predictable manner. It is not sufficient to design each vehicle system to be independently safe. The safe and reliable integration of electronic systems in an automobile requires that the response of each system be predictable and repeatable in any situation.
For example, Antilock Braking Systems (ABS) respond to direct input from the driver through the position of the brake pedal. The driver applies the brakes to all four wheels simultaneously, and the ABS pulses them when it senses that a wheel is starting to skid. Electronic Stability Control (ESC) systems sense when a driver is about to lose control of the vehicle. Adaptive Cruise Control (ACC) systems determine when to accelerate and decelerate. These systems can selectively brake one or more wheels while adjusting the throttle and other controls.

Consider a scenario that requires the subsystems to work in conjunction. For example, when a car exits a road with heavy traffic and the ACC begins to decelerate automatically, the curve of the ramp requires the driver to apply the brakes. However, as this occurs, the driver also hits a patch of ice, which then engages either the ABS or the ESC system. In such a combination of events, while the interdependent systems collaborate to protect the occupants, total safety is not assured. Because these systems and their software are often designed independently, they can make unspecified or unjustified assumptions about the behavior of other automotive systems. Ideally, the interfaces of subsystems would capture those assumptions and guarantees properly, and the supervisory system that manages the individual subsystems would make them work seamlessly and safely. However, this is rarely the case. Because these collaborative paradigms were not built into the overall software during system development, appropriate models to regulate automotive system behaviors, like the example above, do not exist. Clemson researchers propose to address this cyber-physical challenge using formal contracts and verification as an alternative to the traditional “simulate and test” approach.
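The following is an added illustration of the contract-based idea behind the proposal, not code or contracts from the Clemson project. It assumes a simplified, hypothetical assume/guarantee contract for each of ABS, ACC and the driver's brake request, enumerates a small constructed state space for the exit-ramp scenario above, and compares a naive composition of independently designed subsystems with a supervisory arbitration that respects every contract.

```python
from itertools import product

# Constructed scenario space for the exit-ramp case: driver braking, ACC
# requesting deceleration, and an ice patch producing wheel slip.
DRIVER_BRAKE = (0.0, 0.5, 1.0)   # pedal position, 0..1
ACC_DECEL = (0.0, 0.3)           # braking fraction requested by ACC, 0..1
WHEEL_SLIP = (False, True)       # wheel-speed sensors report a skidding wheel

def scenarios():
    for brake, acc, slip in product(DRIVER_BRAKE, ACC_DECEL, WHEEL_SLIP):
        yield {"driver_brake": brake, "acc_decel": acc, "wheel_slip": slip}

# Hypothetical assume/guarantee contracts, one per subsystem. 'assume' is what
# the subsystem requires of the rest of the vehicle; 'guarantee' is what it
# promises about the final brake command if its assumption holds.
CONTRACTS = {
    # ABS expects a single bounded demand and promises not to lock a slipping wheel.
    "ABS": dict(assume=lambda s: 0.0 <= s["brake_cmd"] <= 1.0,
                guarantee=lambda s: not s["wheel_slip"] or s["brake_cmd"] < 1.0),
    # ACC expects that its deceleration request is never weakened.
    "ACC": dict(assume=lambda s: s["brake_cmd"] >= s["acc_decel"],
                guarantee=lambda s: True),
    # The driver expects the pedal to be honored unless ABS is modulating on ice.
    "Driver": dict(assume=lambda s: s["brake_cmd"] >= s["driver_brake"] or s["wheel_slip"],
                   guarantee=lambda s: True),
}

def naive_compose(s):
    """Independently designed subsystems: brake requests are simply added."""
    return dict(s, brake_cmd=s["driver_brake"] + s["acc_decel"])

def supervised_compose(s):
    """Supervisor arbitrates: strongest request wins, ABS modulates on slip."""
    cmd = max(s["driver_brake"], s["acc_decel"])
    if s["wheel_slip"]:
        cmd = min(cmd, 0.8)   # hypothetical pulsing duty cycle applied by ABS
    return dict(s, brake_cmd=cmd)

def verify(compose):
    """Exhaustively check every contract in every scenario; return violations."""
    violations = []
    for s in scenarios():
        full = compose(s)
        for name, c in CONTRACTS.items():
            if not c["assume"](full):
                violations.append((name, "assume", full))
            elif not c["guarantee"](full):
                violations.append((name, "guarantee", full))
    return violations

if __name__ == "__main__":
    print("naive:", len(verify(naive_compose)), "violations")
    print("supervised:", len(verify(supervised_compose)), "violations")
```

The naive composition breaks the ABS contract exactly when the driver's full pedal and the ACC request coincide, or when a full pedal meets ice; the arbitrated version satisfies all three contracts in every enumerated state.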