38中英文雙語外文文獻(xiàn)翻譯成品 汽車應(yīng)用領(lǐng)域的單片機三模冗余分集_第1頁
已閱讀1頁,還剩22頁未讀 繼續(xù)免費閱讀

下載本文檔

版權(quán)說明:本文檔由用戶提供并上傳,收益歸屬內(nèi)容提供方,若內(nèi)容存在侵權(quán),請進(jìn)行舉報或認(rèn)領(lǐng)

文檔簡介

1、<p>  外文標(biāo)題:Towards Single-Chip Diversity TMR for Automotive Applications</p><p>  外文作者:Omar Hiari, Waseem Sadeh, and Osamah Rawashdeh</p><p>  文獻(xiàn)出處:IEEE International Conference on Electro/

2、information Technology,2012,1-6</p><p>  英文4589單詞, 24706字符,中文6989漢字。</p><p>  此文檔是外文翻譯成品,無需調(diào)整復(fù)雜的格式哦!下載之后直接可用,方便快捷!只需二十多元。</p><p>  Towards Single-Chip Diversity TMR for Automotive A

3、pplications</p><p>  Omar Hiari, Waseem Sadeh, and Osamah Rawashdeh</p><p>  Electrical and Computer Engineering Department</p><p>  Oakland University Rochester, Michigan</p>

4、<p>  omhiari@oakland.edu, wasadeh@oakland.edu, rawashd2@oakland.ed</p><p>  Abstract—The continuous requirement to provide safe, low- cost, compact systems makes applications such as automotive more

5、prone to increasing types of faults. This may result in increased system failure rates if not addressed correctly. While some of the faults are not permanent in nature, they can lead to malfunctioning in complex circuits

6、 and/or software systems. Moreover, automotive applications have recently adopted the ISO26262 to provide a standard for defining functional safety. One of t</p><p>  Keywords-component; TMR; DTMR; SEUs; ISO

7、26262; Functional Safety; Fault Tolerance;</p><p>  I.INTRODUCTION</p><p>  In recent times, Triple Modular Redundancy (TMR) has become one of the common effective error mitigation methods used

8、 to increase system reliability. TMR has been used in both aeronautic and ground systems. In aviation system applications, such as the Boeing 777, TMR is implemented across all systems to ensure reliable operation [16].

9、In addition, as automotive systems are moving towards safety critical x-by-wire systems, fault tolerant methods such as TMR are needed due to high reliability requ</p><p>  Two of the main constraints in aut

10、omotive are cost and size. The nature of the automotive industry being focused on mass produced products makes it more cost driven. Size is also critical to reduce the overall vehicle weight. Nevertheless, TMR has tradit

11、ionally been obtained by triplication of hardware functionality to reduce effects of common mode errors. Traditional approaches therefore are not the most cost or size effective for applications such as automotive. In ad

12、dition, memory, power, and</p><p>  As functional safety is becoming more prevalent in automotive applications, challenges are increasing to address the different environment effects to maintain highly relia

13、ble systems. Functional safety standards, such as the ISo 26262, have been developed to establish a baseline, which applications are required to meet. The reliability of an embedded system unit involves many different as

14、pects such as; sensors and/or actuators, software, environment and EMC, integrated circuits, and verification</p><p>  Automotive Safety Integrity Levels (ASILs) have been introduced as part of the recently

15、released ISo26262 standard to evaluate the safety of automotive systems. System electronic modules are assigned an ASIL to indicate the level of safety a module can provide. ASIL D is the rating for the most dependable s

16、ystems and ASIL A for the least dependable systems. Therefore to meet a certain ASIL level, a component design must incorporate all necessary fault detection and mitigation techniques required</p><p>  In th

17、e ISo26262 TMR, among other fault mitigation methods, is highlighted as one of the methods recommended to increase reliability of a system. TMR masks out faults by introducing three redundant copies of a system that are

18、continuously voted on. As a result, TMR reduces the probability of having system failure if one of the blocks fails. However, given that circuits are identical, and TMR in its simplest form, does not have the capability

19、to handle multiple failures, common mode faults remain </p><p>  Faults could be due to design faults in the redundant copies, Electromagnetic Interference (EMI), or even temperature. Depending on the faults

20、 of concern, some of the methods utilized in reducing common mode errors include using hardware manufactured by different suppliers, developing software for every block by different teams, or placing the different blocks

21、 physically far apart from each other. Existing methods therefore might increase the cost or size of systems required.</p><p>  Recent advancements in system-on-chip solutions have allowed the design of mixe

22、d signal implementations on a single chip. System on Chip (SoC) designs can be flexible to allow good separation between designs as required while keeping the cost and size at a minimum. However, the reliability of such

23、TMR designs needs to be further studied. Especially their tolerance to common mode faults.</p><p>  We investigate the capabilities of a Programmable System on Chip (PSoC), with its diverse mixed signal reso

24、urces, to provide lower cost TMR that is more immune to common mode faults. We use the Cypress PSoC3 platform to implement our work. </p><p>  II. CONCEPT</p><p>  The proposed scheme implemente

25、d to enhance tolerance of common mode faults is diversity triple-modular- redundancy (DTMR) [8]. As shown in Figure 1, the idea of traditional TMR is to increase system reliability by feeding three identical circuits int

26、o a “voter” which masks out the faulty circuit. The goal of TMR is to isolate the fault containment regions in between the different implementations. To maximize isolation of fault containment regions, traditional TMR me

27、thods usually call for the use</p><p>  TMR is categorized as an M-of-N system with a voter. An M-of-N system is one that consists of N redundant blocks that need at least M of them to be operational. Theref

28、ore, TMR would qualify as a 2-of-3 system. The reliability of any M-of-N system without a voter can be represented as [17]</p><p>  Where R(t) is the reliability that presents the probability that a block is

29、 still operational at time t and,</p><p>  For a 2-of-3 system this reduces to</p><p>  In the case the three blocks are affected by a common mode fault with a probability FCM then the reliabili

30、ty becomes</p><p>  Adding the reliability of a voter Rvoter(t) to represent a TMR system the expression becomes</p><p>  The focus of our work essentially is to keep the value of FCM at a minim

31、um in compact, low cost systems. Determining the value of FCM nevertheless requires long hour testing that we preserve for future work. What will be proven on the other hand is that DTMR can potentially enhance the value

32、 of FCM and thus qualify it for long hour testing. It can also be seen from the expression that the reliability of the voter is critical to proper operation of TMR as it is a single point of failure. However,</p>

33、<p>  Sources of common-mode failures are faults that cause redundant copies to fail under identical conditions. In the case of identical TMR systems, faults affecting the three system blocks could be identical. The

34、refore, for increased system reliability we explore the effect of diversifying the design of the TMR concept by implementing TMR in three different design versions: digital hardware, analog hardware, and software.</p&

35、gt;<p>  Table I demonstrates the characteristic differences between different design implementation domains. The main characteristic advantage that the analog design domain carries over the digital domain is it h

36、aving continuous signal types. Continuous signal types have the advantage of preventing dramatic change in state. For example, in a digital system a direction variable can change from East to West due to a bit flip error

37、. In an analog system, however, the change would be more gradual if an error</p><p>  In the case of random noise for analog designs, the quality of filtering would determine how well circuit performs. Gener

38、ally it would be hard for a filter to keep out a large range of frequencies; therefore, the design could be more adversely affected. This assumes, however, that proper design guidelines have been followed. Digital domain

39、 implementations, including software, can be affected equally by random noise where tachometer edges can be missed. In digital hardware and software implementa</p><p>  SEU immunity is critical as semiconduc

40、tor packages keep on shrinking for digital devices. Therefore, as SEUs are more involved with bit flipping in memory then analog devices should be less prone to that effect if implemented external to the integrated devic

41、e. SEUs are effectively what affects the remainder of speed measurement operations in digital domain operations. The rate at which SEUs occur is generally determined by what ASIL requirement level is needed for a system

42、in automotive applicat</p><p>  The last of the remaining characteristics is signal monitoring. Periodic type, interrupt driven monitoring in software implementations make it more likely for signals to be ei

43、ther missed or readings delayed. As a result, periodic type monitoring can potentially provide inaccurate readings. As demonstrated so far, collectively all the different characteristics of the different design implement

44、ations make it less likely for one type of error to affect all DTMR copies in a similar manner. </p><p>  A Programmable System on Chip (PSoC) development board from Cypress Semiconductors is used for the D-

45、TMR implementation of the speed sensing application. The PSoC provides a mixed signal platform that includes a CPU, a digital configurable block defined by a hardware description language, and an analog block allowing th

46、e containment of most of all three diverse design blocks using a single chip. In the analog version, minimal external components are still required given that the SoC analog imple</p><p>  The application ch

47、osen to implement our diversity TMR concept is a speed sensor monitor. We chose this application because sensor applications exist widely in automotive systems and are an essential part of almost any control system. Spee

48、d sensing applications are common in many safety critical embedded systems making the results of this study of wide interest.</p><p>  Our implementation consists of four main parts: the software version, th

49、e analog hardware version, the digital hardware version, and the voter. Figure 2 shows the entire block diagram implementation of the DTMR system. The three copies of the TMR structure all feed into a voter, which is imp

50、lemented in software that produces the “voted” compare value to a UART block to feed the data to a PC that collects the data. A fan tachometer that produces 2 pulses per revolution is used to detect speed. Th</p>

51、<p>  Software Version</p><p>  The tachometer output, which is the current fan speed, is fed to an interrupt pin that is triggered at every rising edge of the tachometer signal. Another interrupt is al

52、so generated internally that triggers every rising edge of a 120kHz clock signal. The interrupt service routine saves the count and provides the period to the main loop. The main software loop then converts the count int

53、o an RPM value and stores it into a variable that is collected by the Voter algorithm.</p><p>  Digital Hardware Version</p><p>  As mentioned earlier, the PSoC platform allows the implementatio

54、n of digital logic using hardware description language. Hence, the digital copy of our DTMR implementation is implemented in Verilog. As can be observed in Figure 3, the tachometer feedback signal is fed back directly to

55、 the digital block. The digital block maintains a count value that is incremented with every clock rising edge. In addition, at every rising edge of the tachometer signal, the count value is stored to a different reg<

56、/p><p>  C.Analog Hardware Version</p><p>  The analog version is implemented using an external frequency to voltage converter and a voltage scaling circuit. Fully integrating the analog block can

57、be achieved as PSoCs further develop their analog capability. For the mean time, an external frequency to voltage converter is needed to convert the tachometer signal to a constant voltage that is proportional to the per

58、iod of the signal, and thus the speed of the motor. The F/V output voltage is then scaled appropriately ahead of feeding into t</p><p><b>  D. Voter</b></p><p>  Similar to the work

59、done by G. Borges et al., the voter design was implemented in software because the majority of signals were already in digital format [1]. Therefore, only the analog block output had to be converted to a digital value. D

60、ue to the different execution times of the different implementations, the output signals of the blocks could potentially be out of sync. Therefore, a method had to be determined to take timing differences between the thr

61、ee copies into account. Voter synchroniz</p><p>  been classified in the past into three types [12]: </p><p>  Independent Accurate Time Bases: The blocks would synchronize for a short period of

62、 time. Then, the separate blocks would each rely on the accuracy of their own time base.</p><p>  Common External Reference: The various blocks would share a common reference.</p><p>  Mutual Fe

63、edback: The blocks have no common feedback and would have to synchronize with each other.</p><p>  Given that there is not common time base between the three different versions it was decided to maintain syn

64、chronization by mutual feedback. In our implementation of mutual feedback, the voter synchronizes the conversions by maintaining two signals. The voter receives a READY signal from each block and in the same time feeds a

65、 common GO signal to each of them. The GO signal is triggered by the voter as a signal for every block to start its conversion and/or calculation. The READY signal provided</p><p>  The voter is implemented

66、in software because two of the blocks are already providing digital outputs. After receiving all the output values from the different blocks, the voter algorithm compares each of the received output values to each other.

67、 If a block output value drifts away from an acceptable range of the other two RPM signals, then it will be considered the faulty output and will be masked out. If there is no fault, then the voter output would default t

68、o one of the block outputs. Otherwi</p><p>  EXPERIMENT SETUP</p><p>  In this work we consider failure modes of sensor elements as defined in the ISO26262 standard. There are 4 types of faults

69、defined; out-of-range, stuck-in-range, oscillation (or noise), and offset. In our case oscillation and offset are the type of faults considered to be definite contributors to common mode failures. The out-of-range and st

70、uck-in-range faults are not considered in this work because they are less likely to cause common mode failures and can be protected for by alternate methods.</p><p>  We use another separate PSoC development

71、 board to inject the faults into the system. The PSoC platform has the capability to generate a random noise signal and/or a voltage offset. The generated signals are then coupled to the sensor output thus providing a “f

72、aulty” sensor output. In this evaluation the three different implementation outputs in addition to the voter output are checked separately and</p><p>  compared to each other. </p><p>  Three ty

73、pes of faults are injected on the sensor signal separately for every test. The sensor output is a 0-5 V square wave signal running at a frequency reflecting the rpm of the fan (Figure 3a). The three types of tests are:&l

74、t;/p><p>  Offset Injection: A voltage offset from 0 to 3 V that increases linearly over the period of the test. The period of the test is selected to be 24 hours (1440 min). Figure 3b shows an example of the s

75、ensor signal with a 1 V offset added to it.</p><p>  Noise Injection: 4 random noise signals with different maximum amplitudes are injected to the sensor signal. The maximum bandwidth of the noise signal is

76、100 kHz. The 4 different amplitudes considered are; 48 mVpp, 240 mVpp, 1 Vpp, and 2 Vpp. The test was run and failures monitored for duration of 240 minutes per each amplitude level. Figure 3c shows an example of the sen

77、sor signal with 1Vpp noise signal added to it.</p><p>  Offset and Noise Injection: This test is a combination the previous two tests. The noise level is fixed at 1 Vpp and the offset is increased linearly o

78、ver the 24h period of the test. Figure 3d shows an example of the sensor signal with offset and noise added to it.</p><p>  TEST RESULTS</p><p>  The entire speed range for the sensor is from 10

79、00 rpm to 3000 rpm. In each of the test cases the fan speed is set to operate at 1250 rpm during the tests. The speed reading is considered to be out of range (failure occurred) if the reading exceeds ± 150 rpm of t

80、he required operating speed.</p><p>  In the case of offset injection (Figure 4), the results showed that the analog implementation had the lowest failure rates until after 720 minutes. After 720 minutes the

81、 failure rate of the analog implementation exceeded the other two implementations. In addition, the test was stopped at 730 minutes because all of the implementations were reporting failures. The digital hardware and sof

82、tware implementations’ failure rates showed a comparable gradual increase in failures as the offset increased o</p><p>  however, reported fewer failures than two of the other implementations.</p><

83、;p>  For the noise injection test, voter output failures were not reported until the noise maximum amplitude was increased to 1Vpp. Figure 5 shows the number of failures reported over the period of the test for every

84、noise amplitude level. In this test also the analog implementation reported fewer failures than the other two implementations as the noise level increased. The voter output failure rate was constantly less than two of th

85、e other implementations.</p><p>  In the last test a similar result to the first case of offset injection was observed. The main difference is that the test had to be stopped at 450 minutes due to all implem

86、entations reporting failures. Figure 6 shows the results of the commenced test. It can be notices that there are larger jumps in failure rates over the duration of the test. That is due to the randomness in the amplitude

87、 of the injected noise signal.</p><p>  For the type of faults injected in this work the analog hardware implementation has shown the lowest failure rate followed by the digital hardware and then the softwar

88、e implementation. We note from the results that the voter output has always shown a better failure rate than the software and digital hardware implementations. The better failure rate of the voter output is driven by the

89、 low failure rate of the analog implementation. As a result, it can be seen that if the software or digital imple</p><p>  RELATED WORK</p><p>  In this work we adopt a Diversity TMR concept sim

90、ilar to the one presented by G. Borges et al. [1]-[3]. They have implemented a low-pass filter using the D-TMR concept on a PSoC platform. The filter circuitry was completely implemented on one chip. However, true separa

91、tion was not achieved due to certain peripherals being shared between the different copies.. In addition, the voter was implemented in software and compared only the differences in amplitude between the output signals pa

92、ssing throu</p><p>  As opposed to filters a constant output measurement, similar to the one in this work, would result in a better platform for reliability assessment. Filters impose more of a difficulty fo

93、r voter implementations given that the gain of the filter might not match over the whole frequency response of each filter copy. As a result, in a filter DTMR implementation some true failures would not be detected.</

94、p><p>  Other work has addressed TMR in SoCs by implementing multiple processor SoC designs that can tolerate faults by using a low-level voting scheme [7]. Some others have addressed the problem by using multi

95、ple microprocessors [5,6]. In contrast, we concentrate more on replicating functions for SoCs with a single core rather than multiple cores. This would result in more compact implementations that are more cost effective&

96、lt;/p><p>  VII. FUTURE WORK</p><p>  In this work so far, we have provided a new architecture and implementation for a DTMR system that would serve automotive cost demands. The next step in our re

97、search is to continue the fault injection campaign by additionally introducing SEU type errors and commencing long hour tests. We are currently working on creating a test bed for injecting multiple type faults into a DTM

溫馨提示

  • 1. 本站所有資源如無特殊說明,都需要本地電腦安裝OFFICE2007和PDF閱讀器。圖紙軟件為CAD,CAXA,PROE,UG,SolidWorks等.壓縮文件請下載最新的WinRAR軟件解壓。
  • 2. 本站的文檔不包含任何第三方提供的附件圖紙等,如果需要附件,請聯(lián)系上傳者。文件的所有權(quán)益歸上傳用戶所有。
  • 3. 本站RAR壓縮包中若帶圖紙,網(wǎng)頁內(nèi)容里面會有圖紙預(yù)覽,若沒有圖紙預(yù)覽就沒有圖紙。
  • 4. 未經(jīng)權(quán)益所有人同意不得將文件中的內(nèi)容挪作商業(yè)或盈利用途。
  • 5. 眾賞文庫僅提供信息存儲空間,僅對用戶上傳內(nèi)容的表現(xiàn)方式做保護(hù)處理,對用戶上傳分享的文檔內(nèi)容本身不做任何修改或編輯,并不能對任何下載內(nèi)容負(fù)責(zé)。
  • 6. 下載文件中如有侵權(quán)或不適當(dāng)內(nèi)容,請與我們聯(lián)系,我們立即糾正。
  • 7. 本站不保證下載資源的準(zhǔn)確性、安全性和完整性, 同時也不承擔(dān)用戶因使用這些下載資源對自己和他人造成任何形式的傷害或損失。

最新文檔

評論

0/150

提交評論