Automotive Embedded Systems

The Beginning
• First electronic fuel injection (EFI) system
developed by Bendix Corporation in 1957
• Offered by America Motors Corporation
• Only used in pre-production cars
• Less horsepower, expensive, suffered in cold
temps.
 The Beginning contd.
• D-Jetronic system developed by Bosch
• Volkswagen Type 3 – 1967 The system sensed
manifold pressure, and engine temp. Turned
injectors on and off
 First Electronic Control Unit
• First seen in 1975 Chevrolet Cosworth Vega
• Received information from 10 sensors
• Pre-programmed to monitor engine and
deliver fuel to cylinders
• Developed to adhere to stringent emission
control requirements
• Still analog
 TerraMax
• Oshkosh Corporation
• 6x6 autonomous tactical cargo hauler
• Uses 64 lasers, 3 forward looking camera, 2
GPS systems
 Google’s car
• To be released in the next 5 years
• Realistically 2020
• Issues
– Lane markers in snow
– Un-mapped road changes
– Traffic officers
– Performance standard
– Price
IN THE DRIVING SEAT:-

• Embedded systems can be used to

implement features ranging from adjustment
of the suspension to suit road conditions and
the octane content in the fuel to anti lock
braking systems (ABS) and security systems.
 THE DOCTOR WILL SEE YOU
NOW

• Embedded technology advances are pointing towards the

use of pace makers that can be transplanted in or near the
heart itself. The pacemaker will be able to monitor
parameters like blood pressure, blood flow, pulse rate,
temperature, etc, using micro sensors planted in various
parts of the body.
 Easier Diagnostics
• Each module communicates errors to a central
module
• Can communicate errors to a diagnostic tool
Car functions

14
15
 Basic Calculation
• Base Pulse Width – function of Load and RPM
• RPM = 2K Load = 4
• BPW = 8 milliseconds
• A = coolant temp = 100
• B = oxygen level = 3

• pulse width = (base pulse width) x (factor A) x (factor

B)
• PW = 8 x .8 x 1 =6.4 milliseconds
 Automotive functional domains
• powertrain, e.g.
– engine control, transmission and gear control;
• chassis, e.g.
– ABS (Antilock Braking System), ESP (Electronic Stability Program), ASC
(Automatic Stability Control), ACC (Adaptive Cruise Control);
• body (comfort), e.g.
– air conditioning and climate control, dash board, wipers, lights, doors,
seats, windows, mirrors, cruise control, park distance control;
• telematics/wireless, e.g.
– multimedia, infotainment, GPS and in-vehicle navigation systems,
CD/DVD players, rear-seat entertainment;
• passive safety (emerging), e.g.
– rollover sensors, airbags, belt pretensioners.
 Automotive domains
Powertrain Chassis Body Telematics Passive
safety
Program size 2 MB 4.5 MB 2.5 MB 100 MB 1.5 MB
Number of ECUs 3-6 6-10 14-30 4-12 11-12
Number of 36 180 300 660 20
messages
Bus topology Bus Bus Bus Ring star
Bandwidth 500 Kb/s 500 Kb/s 100 Kb/s 22 Mb/s 10 Mb/s
Cycle time 10 ms – 10 10 ms – 10 50 ms 2 20 ms 0 5 50 ms
s s s s
Safety High High Low Low Very high
requirements
 Other modules

• Antilock Brakes • Brake assist

• Airbags • Stability control
• Anti-collision
• Security systems
• Reverse assist
• Keyless entry • Traction control
• Media center • Self-parking
• Cruise control
• Seat position
and temperature
 Engine control
• Task of engine control:
– calculate amount of fuel and
– exact moment of injection
• Dependencies:
– pedal (driver)
– load of the engine
– temperature
– etc.
• Sensors and actuators: Crankshaft (red), pistons (grey) in their
– position of crankshaft cylinders (blue), and flywheel (black)
– valves
• Relevance:
– avoid mechanical damage
– provide quality of control (e.g. fuel efficiency)

21
 Engine control
• Real-time requirements for fuel injection:
– Keep the fuel intake valve open for f(x) μs at x rpm
– Crankshaft position accuracy: 0.1 degree
• At 100 rps  3s temporal accuracy
• Challenges:
– latency between sending “close” command to valve and the actual
time when the valve closes
• Communication latency
• Environmental conditions (e.g. temperature)
• Approach:
– compensate for latency:
• sensor signal indicates when valve closes
• latency is measured during every engine cycle
• determine when “close” command must be sent

22
 Anti-lock Braking System
3. Wheel disc
2. Pressure
brakes
passed to the
squeezed
brake fluid

1. Brake
pedal
pushed

5. Controller
releases the
pressure on 6. The fluid is
the discs by pumped back to 4. If the brake pedal is
releasing repeat the pushed too hard, the
some brake pressure on the wheel will lock  a
fluid in a discs sensor detects this and
container notifies the controller

Controller

7. Entire process is repeated about 15 times/sec

(by courtesy of Damir Isovic)

23
 Anti-lock Braking System
• Electronic system:
– Sensor: detects that the wheel will lock
– Actuator: release and repeat the pressure on the
discs
– Controller: requires an ECU
• Distributed:
– Controller, sensors, and actuators at different
locations
– Requires wires or a network
• Embedded and invisible to the driver
 Pre-crash system
• Reduce severity of head-to-tail crash
 Pre-crash system
Collision avoidance zone
• Stage 1 (~2.6s to impact):
– Provide visual and audible collision warning
• shine lights and sound
• Stage 2 (~1.6s to impact):
– Automatically initiate partial braking at 4m/s2
– Move the front passenger seat to safe position
• Height, fore/aft adjustment, backrest angle
• Inflate air-chambers inside seat for better support
– If skidding: close front windows and sunroof
• Stage 3 (~0.6s to impact):
– Tighten the seatbelts (e.g. fire pyrotechnics or pulleys)
– Prepare airbagsDamage mitigation zone
for deployment
 Pre-crash system
• Relies on several subsystems
– Radar for detecting potential collision
– Anti-lock Braking System to apply partial braking
– Traction Control to identify if skidding
– Window Control System to close windows
–…
 Fighting complexity: modular design
• Complexity is due to the many dependencies
– E.g. communication
• Communication is expensive
– Surface area, power consumption, latency, ability to
understand system behavior, …
• Modular design:
– Divide an integrated system into independent modules
– Define interfaces between the modules
– Keep the interfaces thin!
• Advantages
– Separation of concerns
– Flexibility
– Maintainability
– Security
 ECU components
• 8-32bit 40 MHz microprocessor
• Analog-digital converter
• High-level digital outputs
• Digital-analog converter
• Signal conditioner
• Communication chips
– controller-area-networking, 500 Kbps
 Instrument Cluster
• Displays data about the vehicle in its current
state
• Various modules send data to ECU
• ECU send a packet of info
• Cluster module looks for specific headers
• Cluster is updated
 CAN Bus
• Controller Area Network (CAN)
• Reference: SLOA101A–August 2002–Revised July 2008
Introduction to the Controller Area Network (CAN)
• The CAN bus was developed by BOSCH as a multi-master,
message broadcast system that specifies a maximum signaling
rate of 1 megabit per second (bps).
• Unlike a traditional network such as USB or Ethernet, CAN
does not send large blocks of data point-to-point from node A
to node B under the supervision of a central bus master.
• In a CAN network, many short messages like temperature or
RPM are broadcast to the entire network, which provides for
data consistency in every node of the system.
 CAN Bus (contd.)
• The specification calls for high immunity to
electrical interference and the ability to self-
diagnose and repair data errors.
• These features have led to CAN’s popularity in a
variety of industries including building automation,
medical, and manufacturing.
• See figure 1 for architecture: this is a good example
for the architecture of your term project.
• See figure 2 for standard CAN message format
• See figure 3 extended CAN message format
 Distinctive features of CAN Bus
• Inverted (voltage) logic
• The allocation of priority to messages in the identifier is a feature of
CAN that makes it particularly attractive for use within a real-time
control environment.
• Automatic arbitration based on the priority, in case more than one
transmission is encountered.
• Details of the CAN bus figure 6: CAN Device (DSP/Microcontroller),
CAN controller, CAN Transceiver, CAN Bus lines (CANL…CANH)
• The High-Speed ISO 11898 Standard specifications are given for a
maximum signaling rate of 1 Mbps with a bus length of 40 m with a
maximum of 30 nodes.
• Different types of messages.
• Payload semantics: advantage.
 CAN can communicate?
• CAN is ideally suited in applications requiring a large number of short
messages with high reliability in rugged operating environments. Because
CAN is message based and not address based, it is especially well suited
when data is needed by more than one location and system-wide data
consistency is mandatory.

• Fault confinement is also a major benefit of CAN. Faulty nodes are

automatically dropped from the bus, which prevents any single node from
bringing a network down, and ensures that bandwidth is always available for
critical message transmission. This error containment also allows nodes to
be added to a bus while the system is in operation, otherwise known as hot-
plugging.

• Has wide practical application in a number of industries other than

automobile.
 How about scalability?
• How about bandwidth for communications?
• How about different types for different systems? Kind of hybrid?
• Flexray?
• Lin?
• MOST?
• CAN-FD?
• Ethernet?
• See this paper… lets read and understand..
• D. Thiele, P. Axer, R. Ernst, J. Diemer, and K. Richter, “Cooperating on real-time
capable ethernet architecture in vehicles,” in Proc. Of Internationaler Kongress
Elektronik im Fahrzeug, oct 2013. https://ece.uwaterloo.ca/~
sfischme/rate/S1P2.pdf
• (Afterall, the ECUs are moving an automobile towards a computign system, why
not use the bus that is so sucessful in general computer communications?)
 DON’T KEEP YOUR EYES ON
THE ROAD:-

• Embedded systems can also

make driverless vehicle control a
reality. Major automobile
manufacturers are already
engaged in work on these
concepts. One such technology is
Adaptive Cruise Control (ACC).
 ADAPTIVE CRUISE CONTROL (A.C.C.)

• ACC allows cars to keep safe distances from

other vehicles on busy highways. The driver can
set the speed of his car and the distance
between his car and others. When traffic slows
down, ACC alters vehicle speed using moderate
braking
Each car with ACC has a micro wave radar unit or laser
transceiver fixed in front of it to determine the distance
and relative speed of any vehicle in the path
 THE WORKING PRINCIPLE OF
ADAPTIVE CRUISE CONTROL:-

• As each car with ACC have a micro

wave radar unit fixed in front of it to
determine the distance and relative
speed of any vehicle in it’s path. The
principle behind the working of this
type of radar is- THE DOPPLER
EFFECT
DOPPLER EFFECT:-
Doppler Effect is the change in
frequency of the waves when there is
a relative motion between the
transmitting and receiving units. The
Doppler Effect can be categorize in
two ways:-
1. Higher Pitch Sound
2. Lower Pitch Sound
1. HIGHER PITCH SOUND

• In this case the vehicle is speeding towards the

stationary listener. The distance between the
listener and the car is decreasing. Then the
listener will hear a higher pitch sound from the car,
which means the frequency of sound, is increased
LOWER PITCH SOUND:-

• In this case the vehicle is moving away from the

listener. The distance between and the car is
increasing. Then the listener will hear a lower
pitch sound from the car, which means the
frequency of sound, is decreased. So that is the
Doppler Effect in case of sound waves.
WORKING OF A.C.C.:-

• In the above case, the gun transmits the waves at

a given frequency toward an oncoming car.
Reflecting waves return to the gun at a different
frequency, depending on how fast the car being
tracked is moving. A device in the gun compares
the transmission frequency to the received
frequency to determine the speed of the car.
We can design the chip or ACC having an algorithm such that
it will give output only when the input signals are less than the
corresponding safe distance value. So only when the between
the car and the object in front of it is less then the same
distance value the embedded system will give output to the
breaking and the accelerating units. Thus the safe distance
will be kept always. That’s how the ACC works.
 ABOUT THE BEAUTY OF
ADAPTIVE CRUISE CONTROL

• At a safe distance behind, your car settles to a speed matching

that of the driver in front of you. That’s too slow, so after a look
in your rear view mirror you pull into the empty outside lane and
feel the acceleration as your car speeds up to the preset cruising
speed. You still haven’t press the accelerator pedal. That’s the
beauty of this racing star of the auto industry, a millimeter- wave
radar technology that promises to make driving easier.
 Internet of Things
• Devising sensors and algorithms to handle the
front- and back-ends of the IoT are the easy part.
• Securing/protecting the IoT from the hackers
(malicious attacks) and inadvertent
misuse/interference are critical issues to be
addressed.
• Yet to be explored: The middleware between the
sensors in things at the edge of the internet, and
the data collection and analysis on the cloud.
 Modeling software systems
• When investigating the root causes for traffic
jams in a city, it is infeasible to consider the
interactions between molecules comprising
the car or the driver’s brain.
• A model is an abstraction of the key elements
which are relevant for achieving a given goal
– Example: traffic in a city can be modeled by means
of a queue network representing the streets, and
Markov chains describing the arrival of cars
 System architecture
• A system is a set of interacting components
forming an integrated whole
• Architecture is a description of the individual
components and their interactions
– Collection of models describing the system from
different views
 4+1 Architectural View Model *
• Describes the architecture of
software-intensive systems
– Logical view: functionality that the
system provides to end-users
– Development view: implementation
from programmers perspective
– Process view: runtime behavior
(tasks and how they communicate)
– Physical view: mapping of the
software onto physical layer
– Scenarios: illustrates the
architecture description based on
several use cases
 Internet of Things
• Devising sensors and algorithms to handle the
front- and back-ends of the IoT are the easy part.
• Securing/protecting the IoT from the hackers
(malicious attacks) and inadvertent
misuse/interference are critical issues to be
addressed.
• Yet to be explored: The middleware between the
sensors in things at the edge of the internet, and
the data collection and analysis on the cloud.
 Network architecture of a car

• Electronic Control Unit (ECU)

– Sensors and actuators Sensor-CAN AFS-CAN

CAN Diagnose
– Microcontroller CAN
Kombi

Gateway

– Software CAN Antrieb

CAN Infotainment
LIN LIN

• Bus CAN Komfort

– Connects individual ECUs LIN

CAN Komfort

• Interconnect between buses

 Electronic Control Unit (ECU)

• Controls one or more car functions

• Types of electronic control units
– Airbag (ACU), Engine (ECU), Transmission (TCU), …
• 70 – 100 ECUs inside a car (nearly as many as
inside Airbus A380)
• Microprocessor-based
 An ECU and its interfaces

Power
Debug port Digital and Analog
CAN port FlexRay port I/O ports
 Example ECU (Freescale board EVB9512XF)
Power

CAN controller
CAN port FlexRay port
Reset button
Digital and
Debug port Analog
I/O ports

Microcontroller
(CPU + memory)

LEDs
 Bus
• Connects individual ECUs
• Examples: CAN, FlexRay, I2C, IEEE 802.11p
Diagnose

Gateway

K-CAN MOST K-CAN SI-BUS PT-CAN

System Periphery (Byteflight)
 Outline
• Functional domains
• Network architecture of a car
• Requirements for function realizations
Requirements for function realizations
• Also referred to as “non-functional requirements” or
“extra-functional requirements”
– Timeliness/Predictability
• Hard timing requirements: functional
• Firm/soft timing requirements: non-functional (can be traded for
others, e.g. a bit later but much cheaper to realize)
– Dependability
– Maintainability: ability for software to undergo modifications
and repairs
– Scalability: ability to scale a metric with changing architecture
• Example: maintainability will decrease when increasing number of
ECUs in a car
– Security
Timeliness requirements
 Timeliness requirements
• Example: inflation of an air bag
– real-time  fast
– real time: fulfill specific timing requirements
 Timeliness requirements
• Example: Software controlling the deployment
of airbags has 15 to 40 milliseconds to
determine which and in what order to activate
• Specification:
– Lower and upper bounds on the response time
• Metrics:
– Worst-case response time
– Tardiness
 Dependability requirements
• Specification in 3 dimensions:
– Availability: readiness for correct service
• Metric: probability of the system being ready to use
– Mean Time To Failure (MTTF), Mean Time To Repair (MTTR)
– Availability: MTTF/(MTTF+MTTR)
– Reliability: continuity of correct service
• Metric: expected time until not being available
– Safety: absence of catastrophic consequences on
the user and the environment
• Metric: catastrophic states are not reachable
 Dependability requirements
• In 2005, Toyota recalled 160 000 Prius hybrids,
because of software causing car to stall and
shutdown.
– Fix required 90 min per car = 240 000 man hours
• In 2008, VW recalled 6500 cars, because of
software causing unexpected increase in RPM
when air-conditioning is turned on.
 Safety requirements
• The controlled system must remain safe
– hazardous states unreachable (e.g., extremely
high temperatures)
– even in erroneous conditions, safety must be
maintained (no “error exit”)
• Certification: approval by independent agency
 Security requirements
• Security: when the system is open to external
observation and control (e.g., via Internet)
– confidentiality, integrity and non-repudiation
• validation of privileges (authentication, authorization)
• secure protocols to make intrusion impossible
A typical real-time embedded system

68
 Car example
• Mission: Reaching the destination safely.

• Controlled System: Car.

• Operating environment: Road conditions.

• Controlling System
- Human driver: Sensors - Eyes and Ears of the driver.
- Computer: Sensors - Cameras, Infrared receiver, and Laser
telemeter.

• Controls: Accelerator, Steering wheel, Break-pedal.

• Actuators: Wheels, Engines, and Brakes.

69
 Car example (contd)

• Critical tasks: Steering and breaking.

• Non-critical tasks: Turning on radio.

• Cost of fulfilling the mission → Efficient solution.

• Reliability of the driver → Fault-tolerance needs to be

considered.

70
 Real-Time Tasks
• Periodic tasks
- Time-driven. Characteristics are known a priori
- Task Ti is characterized by (pi, ci)
E.g.: Task monitoring temperature of a patient.

• Aperiodic tasks
- Event-driven. Characteristics are not known a priori
- Task Ti is characterized by (ai, ri, ci, di)
E.g.: Task activated upon detecting change in patient’s condition.

• Sporadic Tasks
– Aperiodic tasks with known minimum inter-arrival time.

pi : task period ai : arrival time ri : ready time

di : deadline ci : worst case execution time.

71
 Task constraints

• Deadline constraint

• Resource constraints
– Shared access
– Exclusive access

• Precedence constraints
– T1  T2: Task T2 can start executing only after T1 finishes its
execution

• Fault-tolerant requirements
– To achieve higher reliability for task execution
– Redundancy in execution
72
 Computing systems
Uniprocessor, multiprocessor, distributed system

73
 Notion of Predictability
• The most common denominator that is expected from a real-time system
is predictability.

– The behavior of the real-time system must be

predictable which means that with certain
assumptions about workload and failures, it
should be possible to show at design time that
all the timing constraints of the application
will be met.

• For static systems, 100% guarantees can be given at design time.

•
• For dynamic systems, 100% guarantee cannot be given since the
characteristics of tasks are not known a priori.

• In dynamic systems, predictability means that once a task is admitted into

the system, its guarantee should never be violated as long as the
assumptions under which the task was admitted hold.

74
 Common Misconceptions

• Real-time computing is equivalent to fast computing.

• Real-time programming is assembly coding, priority

interrupt programming, and writing device drivers.

• Real-time systems operate in a static environment.

• The problems in real-time system design have been

solved in other areas of computer science and
engineering.

75