Non-Intrusive System-Level Fault Tolerance for an Electronic Throttle Controller

This paper describes the methodology used to add non-intrusive system-level fault tolerance to an electronic throttle controller. The original model of the throttle controller is a hybrid system created at a major automotive company. We use Gurkh as a framework within which we translate the hybrid model into a set of timed automata and perform analysis using formal methods. The first step of the translation process is to transform the hybrid model and its static schedule into Gurkh’s preemptive tasking paradigm. Using the UPPAAL tool, we then check the correctness of the resulting set of timed automata by formally verifying reachability and timing properties. We also propose a method for quantifying the quality of the translation by estimating the amount of jitter it introduces. The final step is the implementation of a Monitoring Chip based on the formal system model. The chip provides non-intrusive "out-of-path" and timing error detection, which in turn allows for fault tolerance at the system level.
