Tim Förster, Product Engineer Real-Time Test & Development Solutions, dSPACE GmbH
Practical trials in real vehicles and in real traffic situations are as indispensable for testing and validating prototype functionalities as they ever were. Whether functions are being developed for (partly) autonomous driving, for driver assistance systems, or for the control of electric motors or combustion engines, simulations cannot yet replace all aspects of test drives.
Our MicroAutoBox III has been designed from the ground up so that its extensive functional safety features provide a high degree of safety during in-vehicle function prototyping.
Three-layer functional safety concept (based on the EGAS safety concept).
To make sure they do, a three-stage safety concept was implemented on the MicroAutoBox III, analogous to the E-GAS Monitoring Concept.
It begins at the hardware monitoring level with a dedicated safety chip that runs regular alive checks monitoring the operation of the real-time processor, the FPGA, and all functional safety components, and which responds when an error occurs. The chip supplements the ECC RAM – which itself is able to correct 1-bit errors – by additionally monitoring the integrity of the real-time processor’s stack and heap to be best prepared for any memory errors. And to be capable of responding even in critical situations, the safety chip also has its own separate voltage supply.
At the next level, the function monitoring level, sophisticated challenge-response mechanisms allow for monitoring the correct execution of functions with a fine resolution. A function has to respond to a challenge in the form of a specified date by outputting a correctly computed reply within a defined timeframe. If this response does not match the expected value, or is not made within the specified time window, it is assumed that the function is behaving incorrectly, and the system can respond appropriately.
The highest level of the safety concept, the function level, safeguards the required functions. Here, dSPACE enables developers to solve functional safety errors straight from the model. Information on the implemented functions makes it possible to assess whether the values of input and output signals, intermediate results, and so on, are plausible, and to respond appropriately if an error occurs. Unlike the function monitoring level, this not only makes sure that functions are executed as intended, but also that critical signal values stay within the value range specified for them. This prevents unexpected behavior and ensures that the MicroAutoBox III always works in a defined, safe operating state.
To ensure safety on test tracks and in road traffic, the system’s response to undesired behavior can be configured freely: There are numerous options, from persistent logging to overwriting specific, implausible signals, to restarting the application, or even performing an entire emergency shutdown.
These different response options make it easy to cover the requirements for functional safety from the beginning of the modeling phase onwards. At the start of development work especially, errors frequently occur in safety-critical functions. When a functional safety error occurs during initial tests in the laboratory or on a test bench, it makes sense to simply make log entries that will help identify the sources of errors. For fast identification of causes, a dedicated functional safety LED additionally provides information on the safety chip’s intervention. As the functions grow in maturity in later phases, system behavior can be modified stepwise with very little effort so that it always matches the current state of development.
If an error ever occurs that necessitates the complete shutdown of the system, a device such as a backup ECU can be activated via the integrated safety relay to take over control from that point on.
Here too, there is a log in which each of the system’s responses can be retraced.
Thus, the MicroAutoBox III gives developers the best possible assistance to ensure the functional safety of their prototyping system in every phase of development and testing.