Method and apparatus for operational-level functional and degradation fault analysis
Technical Field
The invention relates to a method and apparatus for providing fault-tolerance analysis in a motor vehicle or other complex system.
Background Art
As electronic devices and software increasingly become the building blocks of motor vehicles and other complex systems, fault tolerance has gradually become a basic design requirement. Systems are therefore developed that can maintain their function even when an error exists in the electronic, communication and/or processing components at the system level. Failures in some electronic components can cause a change of state at the system level. For example, compared with a mechanical defect, a stuck-at fault in an electronic signal at the output of a microprocessor in a steer-by-wire motor vehicle system can cause a relatively large change in steering torque. Furthermore, vehicle systems must follow strict industry requirements, including particular fault-tolerance requirements. System-level failures may be due to defects in electronic components and to degradation associated with service life. Chips, sensors, power supplies and electromechanical actuators may fail permanently or transiently, or may simply become less and less accurate over time. Furthermore, hardware and software errors can cause transient and permanent faults. These faults may show up as errors in the output of system-level control devices, and ultimately as errors in the function of any actuator arranged in the system. Components such as sensors, software modules and hardware modules may introduce sporadic quality faults, ranging from drift of the signal trajectory to erroneous transient outputs, and these can cause a loss of signal precision.
Summary of the Invention
The invention therefore provides a computer-based method and an apparatus, or host computer, that can carry out fault-tolerance (FT) analysis of a motor vehicle system or other relatively complex system, for example at an early stage of design, such as the operations-level analysis and/or design/modelling stage. The overall framework provides logical and quality analysis, and also allows future extension to reliability analysis. In addition to analysing the fault tolerance of a motor vehicle system, the invention also performs "what if?" or hypothetical analysis of the various fault-tolerant design choices for the system. The method and apparatus of the invention can therefore detect quality faults, which helps to build systems that are resilient to loss of precision in their hardware and software components. The proposed method comprises two analysis methods or sets of steps, one static and the other simulation-based, which are used in combination to assess the fault tolerance of a given system. An advantage of the FT analysis method of the invention is that all operations are carried out on an operations-level model of the application, for example a model built with Simulink, MATRIXx or other modeling software, which potentially reduces the cost of analysis relative to conventional methods.
Specifically, a method for analyzing the FT capability of a system includes recording, on a tangible medium accessible by a host computer, a functional specification defining a set of FT requirements; generating a model of the system using the host computer; automatically extracting or characterizing the states of a set of components in the system into discrete lookup tables (LUTs), as represented by the model; and using the host computer to process or analyze the FT capability of the system through the functional specification and the discrete LUTs. Analyzing the FT capability of the system includes analyzing a predetermined set of logical faults and quality faults of the system.
The invention also provides an apparatus for analyzing the FT capability of a system. The apparatus comprises a host computer provided with a tangible medium carrying an algorithm for executing the above method.
Scheme 1: A method for analyzing the fault-tolerance (FT) capability of a system, the method comprising:
recording, on a tangible medium accessible by a host computer, a functional specification defining a set of FT requirements for the system;
generating an operations-level model of the system using the host computer;
automatically translating the states of a set of components in the system into discrete lookup tables (LUTs), as represented by the model; and
using the host computer to analyze the FT capability of the system through the functional specification and the discrete lookup tables;
wherein analyzing the FT capability of the system includes analyzing a predetermined set of logical faults and quality faults of the system.
Scheme 2: The method of scheme 1, further comprising:
recording selectable design scenarios for the system on the tangible medium; and
using the host computer to automatically analyze the selectable design scenarios through the lookup tables and the functional specification.
Scheme 3: The method of scheme 1, further comprising:
as a first set of steps, checking, by the host computer, all possible combinations of inputs and fault scenarios in the functional specification; and
as a second set of steps, checking, by the host computer and by means of the lookup tables, the state of the system under a set of test cases and fault scenarios in the FT specification.
Scheme 4: The method of scheme 1, further comprising:
determining, during the first set of steps, whether an FT violation is present; and
setting the system state of the violation in the model during the second set of steps.
Scheme 5: The method of scheme 1, further comprising:
storing the characterized quality states of the components in lookup tables; and
processing the lookup tables using the host computer to determine the quality of the system.
Scheme 6: The method of scheme 1, further comprising:
detecting a counterexample using at least one of a simulation-based method and a static analysis method based on the discrete lookup tables; and
automatically reproducing the counterexample in the FT specification;
wherein the counterexample describes a set of fault values in different components of the system, the fault values being such that they cause the system to violate the FT performance requirements.
Scheme 7: The method of scheme 6, including using the lookup-table-based static analysis method, wherein using the lookup-table-based static analysis method includes using at least one of: model checking, Boolean satisfiability solving, satisfiability modulo theories solving, and search algorithms.
Scheme 8: The method of scheme 1, further comprising: inputting each of the test cases, the fault-tolerance requirements and the fault scenarios into the host computer as part of the specification, wherein:
a fault scenario takes the form of a set of triples of position, fault type and measure;
the position indicates the signal affected by the fault; and
the fault type and the measure indicate the type and the measure of the error.
Scheme 9: The method of scheme 1, wherein the model includes an FT selection module, the method further comprising using the FT selection module to detect and select a fault-free input and to pass the fault-free input to the output of the FT selection module.
Scheme 10: An apparatus for analyzing the fault-tolerance (FT) capability of a system, the apparatus comprising:
a host computer; and
a tangible medium accessible by the host computer, on which is recorded a functional specification defining a formalized set of fault-tolerance (FT) requirements;
wherein the host computer is adapted to:
generate an operations-level model of the system;
translate the states of a set of components in the model into discrete lookup tables (LUTs); and
analyze the FT capability of the system using the discrete lookup tables and the functional specification, wherein analyzing the FT capability of the system includes analyzing a predetermined set of logical faults and quality faults of the system.
Scheme 11: The apparatus of scheme 10, further comprising:
selectable design scenarios recorded on the tangible medium and accessible by the host computer, wherein the host computer is adapted to automatically analyze the selectable design scenarios using the lookup tables and the functional specification.
Scheme 12: The apparatus of scheme 10, wherein the host computer is configured to:
as a first set of steps, check all possible combinations of inputs and fault scenarios in the functional specification; and
as a second set of steps, check, by means of the lookup tables, the state of the system under a set of test cases and fault scenarios in the FT specification.
Scheme 13: The apparatus of scheme 10, wherein the host computer is configured to:
determine, during the first set of steps, whether an FT violation is present; and
set the system state of the violation in the operations-level model.
Scheme 14: The apparatus of scheme 10, wherein the host computer is configured to:
characterize the quality state of each electronic, software and mechanical component in the system;
store the characterized quality states in at least one lookup table; and
process the stored information to determine the quality of the system.
Scheme 15: The apparatus of scheme 10, wherein the host computer is configured to:
detect a counterexample using at least one of a simulation-based method and a static analysis method based on the discrete lookup tables; and
reproduce the counterexample in the operations-level model;
wherein the counterexample describes a set of fault values in different components of the system, the fault values being such that they cause the system to violate the FT performance requirements.
Scheme 16: The apparatus of scheme 15, wherein the host computer is adapted to use the lookup-table-based static analysis method, and wherein the lookup-table-based static analysis method comprises at least one of: model checking, Boolean satisfiability solving, satisfiability modulo theories solving, and search algorithms.
Scheme 17: The apparatus of scheme 16, wherein the host computer is adapted to record each of the test cases, fault-tolerance requirements and fault scenarios of the specification on the tangible medium, and wherein:
a fault scenario takes the form of a set of triples of position, fault type and measure;
the position indicates the signal affected by the fault; and
the fault type and the measure indicate the type and the measure of the error.
The above features and advantages and other features and advantages of the invention will become apparent from the following detailed description of the best modes for carrying out the invention when taken in conjunction with the drawings.
Description of drawings
Figure 1 is a schematic diagram of an operations-level model and a host computer that can be used to carry out fault-tolerance analysis of a motor vehicle or other system;
Figure 2A is a graph of a 1st type of signal error that can be evaluated by the method;
Figure 2B is a graph of a 2nd type of signal error that can be evaluated by the method;
Figure 2C is a graph of a 3rd type of signal error that can be evaluated by the method;
Figure 2D is a graph of a 4th type of signal error that can be evaluated by the method;
Figure 2E is a graph of a 5th type of signal error that can be evaluated by the method;
Figure 2F is a graph of a 6th type of signal error that can be evaluated by the method;
Figure 3 is a schematic diagram of a fault injection mechanism for introducing errors into a signal;
Figure 4 is a schematic diagram of simulation-based quality-centric analysis of a system according to one embodiment;
Figure 5A is a schematic diagram of the 1st step in a quality-centric static analysis framework;
Figure 5B is a schematic diagram of the 2nd step in the quality-centric static analysis framework;
Figure 5C is a schematic diagram of the 3rd step in the quality-centric static analysis framework;
Figure 6A is a graph of an input signal against time;
Figure 6B is a graph of an output signal against time;
Figure 6C is a lookup table that can be used with the method; and
Figure 7 is a schematic diagram of a Boolean circuit of an operations-level model used for the qualitative analysis of Figures 5A-5C.
Detailed Description
With reference to the drawings, in which like reference numerals indicate the same or similar components throughout the several views, and beginning with Figure 1, an operations-level model 10 can be generated using a host computer 15, and the host computer 15 can be used for automated fault-tolerance (FT) analysis of a given system. The host computer 15 includes a tangible medium on which an FT specification 20 is recorded. Using the host computer 15 and the method described herein, FT analysis can be carried out for motor vehicles and other complex systems. The host computer 15 can be configured as a digital computer, typically including a microprocessor or central processing unit, read-only memory (ROM), random access memory (RAM), electrically erasable programmable read-only memory (EEPROM), a high-speed clock, analog-to-digital (A/D) and digital-to-analog (D/A) conversion circuits, and input/output circuits and devices (I/O), together with appropriate signal conditioning and buffer circuits.
Any algorithm residing in the host computer 15 or accessible by it can be stored on the recording medium and executed by the host computer to provide the corresponding function. The host computer 15 also provides the capability for "what if?" or hypothetical design-modification analysis of various system design options. As used herein, "what if?" analysis allows a designer to modify a design with a view to improving its FT. To confirm that a modification is in fact effective, the designer must check whether the FT of the system has increased or decreased. The analysis therefore allows a designer to explore what will happen if such changes are made to the design. The method proposed here addresses this prediction problem for the designer from the FT point of view. It should be noted that other tools may exist for performing "what if" analysis with respect to, for example, power consumption.
The model 10 of Figure 1 includes sensors 12, actuators 14, control logic 16 with different software operations 17, and a physical model 18. An operations-level modeling language such as Simulink or MATRIXx can be used to provide a general framework for modeling all aspects and extracted features of motor vehicle and other systems. The resulting model can represent not only the functional-level model of the motor vehicle system, but also some details of the platform architecture on which the system operates, for example the mapping to processors, buffers and buses. The control logic 16 can include or be associated with a variety of software operations, e.g. OP1-5 in Figure 1.
The physical model 18 can be a mathematical dynamic model of the various interconnected mechanical components of a given system (for example a relatively complex motor vehicle system, such as a steer-by-wire or brake device according to one feasible embodiment), although non-motor-vehicle systems can also be analyzed within the scope of protection of the invention. Model 10 includes operations 17, each of which has input ports and output ports, together with input signals 13 entering the input ports 21 and output signals 13A leaving the output ports 23. The signals 13, 13A represent virtual connections between different operations, and may correspond to physical quantities, for example the output voltage generated by a filter, or to data values generated by a software module. Each operation 17 in Figure 1 corresponds to a functional component of the particular system being diagnosed, where the functional components cover the full range of sensors 12, software code modules and analog components. The semantics envisaged here are discrete-event semantics in which the operations 17 are mapped to software components, that is, operations on sampled signals in discrete steps. Each signal 13 represents a value that is updated in every time slot by its "source" operation. Figure 1 shows one feasible model, broadly similar to the operations-level models of several illustrative motor vehicle systems. Each operation 17 in model 10 corresponds to a particular control application task, a sensor operation, an actuator operation, or a mechanical part/component of the entity represented by the model 18.
Each operation 17 can be represented by a logical or arithmetic function, a state machine such as a finite state machine (FSM) 24, or a hybrid I/O automaton 22. Model 10 uses a lookup table (LUT) in the LUT-based value estimation module 19. The FT selection module 11 selects an input, which in the embodiment of Figure 1 is chosen from OP5 and the LUT-based estimation module 19, and passes its value to the output. To make this choice, the FT selection module 11 detects whether either of the two inputs is erroneous according to user-defined criteria, for example by checking whether the input value falls within a certain range, and then selects the error-free input. If neither input is erroneous, the FT selection module 11 selects a predetermined one of the inputs, for example the input from OP5. It should be noted that the LUT-based estimation module 19 is not related to the LUTs constructed in the quality characterization steps described below. In many motor vehicle systems, a LUT is used to estimate the value of a signal "A" from signals other than A. This contributes to the FT of the system in the event of a failure of the source of signal A.
In most motor vehicle systems of interest, the control logic 16 is almost entirely software-based, so the signals 13 can be converted immediately into data provided as input to the software control components. Moreover, many control components can be time-triggered, so that they start or resume operation at particular moments. For example, OP4 in Figure 1 can be set to execute only after a predetermined time period, for example 5 ms, has elapsed from the start of operation, even if its inputs are available at an earlier time.
The other operations 17, marked OP1, OP2, OP3 and OP5 in Figure 1, can be executed in model 10 in a similar or different manner. The virtual functional connections between operations map the output trajectory of a source operation to the input trajectory of the target operation.
The method for fault-tolerance analysis
Still with reference to Figure 1, a method is provided for automated FT analysis, by means of the host computer 15, of a given system such as a motor vehicle system. The method includes two sets of analysis methods or steps, used in combination, to test the resilience of the motor vehicle system to various logical and quality faults: a static analysis step, and an operations-level fault injection and simulation step. The static analysis performs an approximate but rapid evaluation of a predetermined set of fault scenarios. Subsequently, for each fault scenario and input that leads to a violation of the FT requirements, the simulation-based validation step verifies whether the violation is genuine.
Usually the modeling and analysis are carried out at the operations level only. This requires implementation-level errors to be suitably abstracted to the operations level, and the relevant implementation details to be appropriately modeled in the operations-level model. The discussion below describes how the various types of fault are abstracted into an appropriate form in the operations-level model. This method does not focus on quality-centric analysis, and is useful for introducing, for example by fault injection, deviations of signal trajectories into the state of the motor vehicle system. The simulation-based framework tracks the deviation between the states of the fault-free system and the fault-injected system. The static analysis step, on the other hand, considers only the quality or amount of the error introduced into a signal, and not the details of the actual signal trajectory.
Operations-level simulation-based analysis
Still with reference to Figure 1, most of the analysis and synthesis steps are carried out on an operations-level model such as model 10, because the higher level of abstraction makes the analysis faster. One of the most important requirements of an operations-level fault simulation framework is that the various quality and logical faults be abstracted to the operations level for modeling. The origin or manifestation layer of a fault usually lies in the implementation details of the circuit. For example, a software error may be caused by a transient bit flip in a memory cell or register, or drift in the output signal of a sensor may be caused by temperature-induced drift in its power supply. These faults are abstracted to the level of an operations-level model such as model 10, while still retaining their essential effect on signal values.
The effects of various types of faults can be represented in an operations-level model such as model 10 of Figure 1. For example, the following can be abstracted: (1) sensor faults such as noise and drift faults, which add noise to the output and drift to the output signal trajectory; (2) loss of data from sensors, for example lost data from a camera, which appears as spikes in certain or random time slots in the sensor output; (3) software defects and hardware errors that do not occur in every execution of an operation, which can be regarded as spike faults occurring in certain time slots. Because a spike takes the maximum possible value of the signal, these spike faults exaggerate the fault caused by the defect/error; and (4) loss of precision in software components, which is modeled as trajectory drift. Such drift may be due to type-conversion errors when control software is ported to an embedded motor vehicle platform, which may not support many high-precision and floating-point operations.
The following can also be abstracted: (5) logical faults, where appropriate components at the hardware level detect the fault so as to enable fail-silence. Operations are assumed to be instrumented such that, if any essential input signal of an operation indicates fail-silence, the operation itself becomes fail-silent; (6) clock/pulse skew and delay faults caused by delays, which show up as time-line distortion of the output signal and as changes in timer-related time delays. Changes in the execution delay of software tasks may also change the sampling and signal generation rates, thus leading to delay faults; and (7) hardware recovery from soft errors, which shows up as a sudden, short change in the signal, that is, a spike fault.
Some of the above faults do not originate in the software control components of the motor vehicle system. However, because of fault propagation, among other factors, their influence can still be observed at the outputs of various software control components. Any analysis method should therefore be concerned with how the above faults propagate across the different types of software, hardware and mechanical components of the physical model 18.
Referring in turn to Figures 2A-2F, each type of quality degradation is shown together with an appropriate measure used to express the degree of degradation of the error. Figure 2A represents an "original" or fault-free signal 30. Figure 2B represents a drift error in the trajectory of signal 30, where the quality is expressed by the maximum deviation between the values of signal 30 and signal 30A over all time. Figure 2C represents signal noise, where the quality is expressed by the amplitude of the superimposed additional noise signal 30B, which comprises white noise such as Gaussian noise.
Continuing with Figure 2D, the spikes 30C are caused by hardware recovery from a soft error, a software defect, a transient hardware error and/or a transient sensor error, for example loss of sensor data. The quality is expressed by the number of spikes 30D. If the signal is a digital signal, the peak of a spike 30D is the ceiling of the operating range or the data-type limit. Figure 2E represents a delay in generating the appropriate signal 30D, where the measure of quality degradation is the positive or negative value of the time delay. A delay fault often shows up as spikes or as introduced random noise, as shown in Figure 2F. This can occur if, as in Figure 1, a signal trajectory is generated by one operation (OP1) until tpre time units have elapsed and subsequently by another operation (OP2). For example, assume that because of a delay fault OP1 completes within tpre-τ time units, and that OP2 does not start until tpre time units have elapsed. In this case no operation produces the signal during the period from tpre-τ to tpre, and the signal trajectory within that interval may be random or a group of spikes.
The simulation-based fault-tolerance analysis framework has three inputs: (1) test cases, (2) fault scenarios, and (3) FT requirement specifications. The test cases usually describe a set of typical and critical sequences of operation or execution of the motor vehicle system. Test cases can also be generated for directed analysis of the motor vehicle system. Usually these test cases model sensor inputs from a user. If only part of the system is tested, then certain signals generated by other sub-systems in response to control signals, coming from the "entity" in the physical model 18 of Figure 1, are also included in the test procedure.
The second input to the simulation-based fault injection framework is a description of the fault scenarios under which the system must be analyzed. A fault scenario can be described explicitly by a list of the set of faults. For quality faults, in addition to the information on which fault occurs, the measure of quality degradation must also be specified. A fault scenario therefore takes the form of a set of triples (position, fault type, measure), where the position indicates the signal affected by the fault, and the fault type and the measure indicate the type and the measure of the error. Note that the measure is irrelevant for logical faults. For example, a fault scenario can be specified as "at most five spikes, introduced across all software components", which gives both the fault type and the measure.
When fault scenarios are specified as input to the analysis framework, it is also very important to note the correlation between the various faults. Clearly, software tasks mapped to the same processor will share a number of common faults generated by that processor. Similarly, sensors from the same manufacturer will usually have similar faults, and a power supply will simultaneously trigger a number of correlated noise and signal-drift faults in all the sensors it powers. These correlations must be captured in any FT analysis framework. If the correlation between faults is described by a correlation coefficient between 0 and 1, or between 0% and 100%, then multiple Monte Carlo fault simulations can be performed for the analysis, as is known in the field.
Besides explicit description, another way to describe fault scenarios is implicitly, by setting a lower limit on the probability of occurrence of a fault set during a period of system operation. If the individual fault probabilities and the correlations between faults are known, the probability of a fault set can be calculated. The probability bound then describes all fault scenarios whose calculated probability exceeds the bound. Such a probability bound is usually related to the safety requirements of the motor vehicle system (for example the safety integrity level according to IEC). Note that for quality faults, not only the probability of the fault must be provided, but also the probability of the resulting measure of quality degradation. In fact, the probability of a quality fault can be expressed by the function Pquality: measure → [0, 1], which maps a measure of quality degradation to the probability of a fault occurring with that measure. A measure of zero (0) means that there is no fault.
When test cases are generated for directed FT analysis, not only the variables of the operational test case (such as sensor inputs) must be generated, but the corresponding fault scenarios as well. Furthermore, FT analysis is often concerned with the difference between the "correct" control signal and the faulty signal rather than with the faulty signal alone. These factors add further dimensions to the problem of test generation for FT analysis.
The third input to the simulation-based fault analysis framework is the set of FT requirements that the system must meet. These FT requirements are specifications that the system must comply with even in the presence of a fault.
There are various ways of specifying FT requirements. The logical and timing design intent of a given system can be used as FT properties for the analysis steps. Properties for checking boundary characteristics can also be specified, for example an upper limit on the amount of quality degradation such as superimposed noise. Furthermore, more elaborate properties can be written in which the acceptable quality degradation is a function of time.
Given the three inputs to the FT analysis framework, the simulation-based analysis comprises a fault injection mechanism, simulation of the corresponding operations-level model, and checking of the FT requirement properties. "Fault injection" operations are therefore introduced that inject the different types of error presented here (and more) into signals. Each such operation injects the faults that correspond to these errors and to the fault scenario under analysis. For each of the different types of quality fault, the operation takes the fault type and the measure of quality degradation as inputs. Information on logical faults is likewise an input to the "fault injection" operation. The specific fault scenario being analyzed provides these inputs, which quantify the quality faults in specific signals and specify whether a logical fault is present. The "fault injection" operation then introduces quality faults and logical faults according to its inputs.
Note that not every type of quality fault can be introduced into every type of signal. For example, a time-varying signal representing a floating-point number produced by a software component (a data signal) is usually not affected by quality faults such as "noise", which are largely limited to sensors and analog components.
However, such a signal may be affected by a "peak" fault if a software defect is invoked in some time slot. Such a signal may also be affected by a "drift" fault when it is ported to an embedded platform and precision is lost because of floating-point to fixed-point conversion or a type-conversion error.
With reference to Figure 3, an example of the fault-injection operation 40 is shown. Fault-injection mechanism 40 introduces noise errors and drift errors on a signal line or output 42. The inputs to this operation are the output signal line 42, the fault type 44, the deviation amount 46 and the noise amplitude 48. The fault-type input controls the type of error introduced into the signal: noise, drift, both, or neither. The deviation amount and noise amplitude inputs give the amount of drift introduced and the amplitude of the noise superimposed on the signal. The designer can therefore precisely control the type and amount of error introduced into the signal. The "fault-injection" operation superimposes the selected errors on the signal "output" to produce the "error-injected output" 49. The "error-injected output" 49 may then become the input of some other operation, so that the error propagates.
According to one embodiment, a "fault-injection" operation is placed on each signal, so that this basic fault-introduction structure can accommodate any user-defined fault scenario. The "fault-injection" operations are written in the behavioral model using a modeling language such as Simulink. Then, with the test cases and fault scenarios as input, model 10 of Figure 1 is simulated using an appropriate behavioral simulation framework so that the fault simulation is carried out.
The signal values are judged either by a verification procedure provided by the simulation framework or by storing and analyzing the traces recorded at discrete time steps.
With reference to Figure 4, the simulation-based quality-centric analysis 50 is shown schematically for a motor vehicle system that includes sensors 12, actuators 14 and control operations. The upper part of Figure 4 shows the "ideal model" 50A and the lower part shows the fault-injection model 50B. Faults are injected on different signals in order to capture the effect of component failures, and the difference between the resulting trajectories and those of the fault-free model is obtained.
As mentioned above, besides fault injection, the behavioral-model analysis framework is also concerned with performing quality-centric analysis. Quality-centric analysis deals with the quality of signals rather than with their true values. What matters is therefore the deviation of the signal traces produced by the faulty system from the signal traces produced by the fault-free system. To obtain it, the native/ideal model 50A and the fault-injection model 50B are simulated at the same time in the simulation setup, and the difference between signals 54A and 54B is obtained through difference operation 52. The difference 56 represents the deviation between the faulty signal 54B and the fault-free signal 54A. The signal quality, that is, the deviation introduced relative to the fault-free behavior, is then checked by a verification procedure on the recorded output of difference operation 52.
The definition of difference operation 52 used to derive the deviation of the faulty signal depends on the type of fault being analyzed. The most widely used difference operation has the semantics of the Simulink "subtraction" operation and is implemented accordingly in the behavioral model.
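The fault-injection operation of Figure 3 and the ideal/fault-injected comparison of Figure 4 can be sketched as follows. This is an added Python example, not code from the patent: the triangular sensor trace, the gain-and-saturation controller with its limit of 30, and the deviation bound of 5 are constructed assumptions.

```python
import random

LIMIT = 30.0  # saturation limit of the constructed controller (assumption)

def triangle(n, amplitude, period):
    """Constructed test case: triangular sensor trace over n discrete time steps."""
    half = period // 2
    return [amplitude * min(t % period, period - t % period) / half for t in range(n)]

def inject_fault(signal, fault_type, deviation=0.0, noise_amplitude=0.0, seed=0):
    """Fault-injection operation: superimpose drift and/or noise on one signal line.
    fault_type selects "none", "drift", "noise" or "both"."""
    if fault_type not in ("none", "drift", "noise", "both"):
        raise ValueError("unknown fault type: %r" % (fault_type,))
    rng = random.Random(seed)  # seeded so that a scenario can be replayed
    out = []
    for x in signal:
        if fault_type in ("drift", "both"):
            x += deviation
        if fault_type in ("noise", "both"):
            x += rng.uniform(-noise_amplitude, noise_amplitude)
        out.append(x)
    return out

def control(sensor):
    """Constructed operations-level model: gain of 0.5 followed by saturation."""
    return [max(-LIMIT, min(LIMIT, 0.5 * x)) for x in sensor]

def difference(faulty, golden):
    """Subtraction semantics: per-time-step amplitude difference of two traces."""
    if len(faulty) != len(golden):
        raise ValueError("traces must share the same time steps")
    return [f - g for f, g in zip(faulty, golden)]

def check_requirement(deviation_trace, bound):
    """Check the recorded difference trace: |deviation| must stay within bound.
    Returns (holds, worst_deviation, first_violating_step_or_None)."""
    worst = max(abs(d) for d in deviation_trace)
    first = next((i for i, d in enumerate(deviation_trace) if abs(d) > bound), None)
    return first is None, worst, first

def run_scenario(fault_type, deviation=0.0, noise_amplitude=0.0, bound=5.0, seed=0):
    """Simulate the ideal and the fault-injected model side by side on one test case."""
    sensor = triangle(40, 40.0, 20)
    golden = control(sensor)
    faulty = control(inject_fault(sensor, fault_type, deviation, noise_amplitude, seed))
    return check_requirement(difference(faulty, golden), bound)

if __name__ == "__main__":
    for scenario in [("none",), ("drift", 8.0), ("drift", 12.0),
                     ("drift", 30.0), ("both", 8.0, 4.0)]:
        print(scenario, run_scenario(*scenario))
```

A sensor drift of 30 reaches the output as a deviation of at most 15, because the gain halves it and the saturation clips the peaks, so the bound has to be checked on the difference trace rather than on the injected value.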
The subtraction semantics takes as input to the "difference" operation two discrete signals that have the same time step (δ), each with its own amplitude at every time step ti. The output of the operation is a trace with time step δ whose amplitude at each time step ti is the difference between the amplitudes of the two input signals at ti. This type of difference operation is very effective for deriving drift, noise (with filtering) and peak errors. Another type of difference operation analyzes signal deviation in the frequency domain in order to derive delay faults. Depending on the scope and requirements of the analysis, a number of other types of difference operation may also be used without departing from the scope of protection of this invention.
An important part of any simulation-based setup, quality-centric or otherwise, is a method for evaluating the coverage of the simulation-based verification provided by the test procedure. Conventional coverage notions based on visited states or code coverage, transition or branch coverage, and variable coverage may not be sufficient for fault-tolerance analysis. Such coverage methods usually give only a general picture of the executions exercised, both fault-free and fault-recovery. They are not sufficient to estimate how much simulation work actually remains, because many test cases and fault scenarios may be equivalent modulo the fault-tolerance requirements being analyzed.
A quality degradation is expressed as a triplet containing the fault type, the fault location and the fault measure. A fault-simulation run is associated with a set of such triplets, one for each quality degradation of a faulty signal (location) that occurs during the simulation.
Because of the causal relationships between the different operations in a behavioral model, causal relationships also exist between these triplets (for example, for an operation with input signal I and output signal O, error B on signal I causes error A on signal O). Coverage can be defined as the number of such causal relationships between quality-degradation triplets that are exercised during fault simulation. Other similar techniques can also be used; counting the fault triplets, for example, is another way of measuring coverage. If several triplets have similar error measures for a given error type and location, or are similar according to some other criterion, they can be considered equivalent. In that case the causal relationships between the triplets can be amended accordingly.
Static analysis of the behavioral model
With reference to Figures 5A-5C, an important part of the fault-tolerant system design method is a static analysis method that rapidly analyzes all fault scenarios and test cases at a user-specified level of abstraction. This static analysis is quality-centric: it works on the quality degradation of signals rather than on the actual signal trajectories. Figures 5A-5C summarize the steps of the method. The static analysis is divided into two steps, the characterization step (Figure 5B) and the symbolic analysis step (Figure 5C). In the characterization step of Figure 5B, each operation, e.g. OP1-OP4 of Figure 5A, is simulated with different test cases and with varying quality errors on the input signal, while the quality degradation of the output signal is recorded. Further characterization simulations are performed by introducing quality errors at the output signal while varying the quality errors introduced at the input signal.
The quality degradation of the input and output signals is quantized and represented by the symbolic lookup tables (LUTs) 60A-60D shown in Figure 5C. The recorded input and output qualities are thereby expressed as LUTs. After characterization, the behavior of each operation is abstracted by LUTs 60A-60D, so that the operations of Figure 5A are described only in terms of quantized input quality and output quality.
With reference to Figures 6A-6C, the example LUT of Figure 6C records, for drift errors, the output quality of a saturation operation on a triangular-wave input for various input qualities expressed as trajectory drift (the input and output are shown in Figures 6A and 6B respectively). The saturation operation cuts off the input signal of Figure 6A at the user-defined limit 57. In this embodiment the saturation operation is taken to be implemented as a software component. For such a software implementation, a discretized trajectory can be represented as a sequence of fixed-point/floating-point numbers, each giving the signal value (amplitude) in a certain discrete time slot.
Consider the triangular trajectory of Figure 6A with amplitude within limit 57 as the expected (ideal) input signal, and erroneous input signals that are triangular trajectories with various amplitude levels greater than limit 57. The erroneous input signal thus has a drift from the ideal input trajectory, characterized by the maximum difference in amplitude between the erroneous signal and the ideal signal. The quantized amplitude drift can be encoded with different symbols to indicate the quality of the input signal. For example, if the amplitude drift is between 0 and 10, the symbol "1" can be used. Similarly, "2" can represent a drift between 10 and 20, "3" a drift between 20 and 30, and so on. For example, the input signal "deviation 1" of Figure 6A has an amplitude drift between 20 and 30 and is therefore characterized by the symbol "3".
For the saturation example, the ideal output should be the same as the triangular-wave input with amplitude within limit 57. Erroneous input signals whose amplitude exceeds limit 57, however, are cut off by the saturation operation. In this case, 65 in Figure 6B shows the greatest drift in amplitude of the erroneous output signal. By using symbols to represent these drifts, as for the input signals, the quality of the output trajectory can be obtained for the various erroneous inputs. For example, the output signal corresponding to input signal "deviation 1" (quality "3") has an amplitude drift from the desired output of between 10 and 20, and thus has quality "2". Hence, for input quality "3" the output quality is "2". The special symbol "0" denotes an ideal input/output with no drift. Lookup table 60 of Figure 6C contains the mapping from input quality to output quality for all input qualities corresponding to the user-defined quantized amplitude drifts.
In the example of Figures 6A-6C, the quality symbols are chosen by uniform quantization of the amplitude drift between the ideal signal and the erroneous signal. This uniform quantization divides the amplitude drift into intervals of size 10, such as the interval [10, 20]. In general, however, uniform quantization need not be the basis for constructing the LUT. For example, the amplitude drift can be quantized into five levels in [0, 10] and into only two levels in [10, 20]. Such non-uniform quantization levels can be guided by the requirements of the fault-tolerance analysis.
Another important aspect of quality-centric analysis is the fact that the quality of the signal output by an operation is determined not only by the quality of the input signal but also by the signal type (a "triangular wave" in the present example) and the operating state (such as the various configurations of a reconfigurable operation). A further attribute, referred to as the feature, is therefore used to distinguish between different types of input signal and operating states. For example, "triangular wave" is the input feature in the example of Figures 6A-6C. The quality LUT for input signals of this type differs from the quality LUT for signals of other types (for example, square-wave signals). The LUT stores the input-output quality for the different features. Although a number of simulation runs may be needed to characterize a single operation, the characterization work is done once, and the resulting LUTs can be reused in different designs.
Once the characterization step is complete, quality-centric analysis for a given fault scenario and test case is a series of lookup-table operations. With reference to Figure 7, the quality degradation (the deviation from the intended behavior) is divided into a number of intervals, and each LUT encodes every interval with a symbol. After quantization, each LUT therefore maps symbolic inputs to symbolic outputs and is amenable to mathematical analysis. By encoding the symbols as Boolean logic values, each lookup table can be modeled with a Boolean circuit 70. The operations-level model comprises the operations and the connections between them, so the complete quality behavior of the model can be expressed as Boolean circuit 70, which comprises the sub-circuits of the LUTs appropriately connected to one another.
All fault scenarios and test cases within the quantization intervals can be checked by solving a satisfiability problem, that is, by a SAT solution of the Boolean circuit 70 that models the quality behavior of the behavioral model. Besides static SAT-based analysis, satisfiability modulo theories (SMT) solving or simulation-based methods can also be used, as long as each operation can be characterized and its quality behavior can be represented by a LUT. Within the behavioral-modeling framework, this kind of analysis is implemented by replacing the operations with their LUTs, for which Simulink provides a method, and then simulating the quality model.
Quantization reduces the precision of the analysis, so an error run found by the Boolean analysis must be checked in the behavioral model. It is therefore necessary to obtain the fault scenario (including the measure of each fault) and the test case that caused the error run. These are the inputs of the Boolean circuit that models the quality behavior, and the SAT solver provides them as the satisfying assignment. The error run detected by the SAT analysis can thus be reproduced in behavioral simulation.
Still with reference to Figure 7, one issue for the framework is to provide evidence that quantization always over-estimates the error. In that case, if the static analysis finds no error run, there can be no error run in the behavioral model. In circuit 70 of Figure 7, the lookup tables of operations OP1, OP2, OP3 and OP4 of Figure 5A are represented by the sub-circuits QC-OP1, QC-OP2, QC-OP3 and QC-OP4. The characterized entity model is represented by the circuit QC-entity. The complete circuit has six inputs: input quality, input feature, op1 fault, op2 fault, op3 fault and op4 fault.
The inputs "input quality" and "input feature" are, respectively, the quality (symbol) of the sensor inputs and the test case to be analyzed. The initial sensor inputs are assumed to be ideal, so the quality of each input signal is pre-assigned the constant "0". The different possible types of input signal trace, corresponding to different test cases, are assumed to be known in advance, so "input feature" can take any value from a finite set in which each symbol represents one signal type. For example, α can denote a sine wave of amplitude "1", β a cosine wave of amplitude "1", and γ a sine wave of amplitude "2".
In most designs, as in the situations shown in Figures 5A and 7 and discussed here, there can be a feedback loop from the output of the entity to the sensor inputs. The feedback loop can be removed for quality-centric analysis, because quality is defined over the complete simulation window (the time period over which the simulation is performed), so a lookup-table-based analysis covers the simulation window without having to analyze the feedback.
The fault scenario to be analyzed is an input to the circuit, and the faults for each operation are set through the inputs op1 fault, op2 fault, op3 fault and op4 fault. These inputs give the type and severity of the errors manifested at operations OP1, OP2, OP3 and OP4 respectively. If several operations are mapped onto a single processor, the fault types experienced by those operations are correlated. This can be modeled by additional Boolean constraints.
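The two static-analysis steps described above (characterization into LUTs, then symbolic analysis of the connected LUTs) can be carried through on a small model as follows. This is an added Python example, not the patent's implementation: the three-operation serial chain with its gains and limit, drift measured as the difference in peak amplitude, the upper end of each interval used as its worst-case representative, the output-quality limit of 2, and exhaustive enumeration in place of the SAT query are all assumptions.

```python
import itertools
import math

STEP = 10.0            # uniform quantization interval for drift, as in the LUT example
QUALITIES = range(6)   # quality symbols: 0 = no drift, k = drift in (10(k-1), 10k]
FAULTS = range(3)      # per-operation fault symbols on the same scale

def quantize(drift):
    """Drift amplitude -> quality symbol (the boundary handling is an assumption)."""
    return 0 if drift <= 0 else math.ceil(round(drift / STEP, 9))

def triangle(n=40, amplitude=40.0, period=20):
    """Constructed ideal sensor trace: triangular wave, the input feature."""
    half = period // 2
    return [amplitude * min(t % period, period - t % period) / half for t in range(n)]

def peak(sig):
    return max(abs(x) for x in sig)

def with_drift(sig, drift):
    """Erroneous trace of the same shape whose peak amplitude is larger by drift."""
    p = peak(sig)
    return [x * (p + drift) / p for x in sig]

# Constructed serial chain of operations (the topology is an assumption).
OPS = [
    ("OP1", lambda s: [1.5 * x for x in s]),                   # gain
    ("OP2", lambda s: [max(-75.0, min(75.0, x)) for x in s]),  # saturation
    ("OP3", lambda s: [0.5 * x for x in s]),                   # gain
]

def characterize(op, golden_in):
    """Characterization step: simulate one operation for every pair of
    (input quality, own fault) and record the output quality symbol."""
    golden_out = op(golden_in)
    lut = {}
    for q_in, fault in itertools.product(QUALITIES, FAULTS):
        faulty = with_drift(op(with_drift(golden_in, q_in * STEP)), fault * STEP)
        lut[(q_in, fault)] = quantize(peak(faulty) - peak(golden_out))
    return lut

def build_luts():
    """Characterize each operation against its own ideal input trace."""
    luts, sig = [], triangle()
    for _, op in OPS:
        luts.append(characterize(op, sig))
        sig = op(sig)
    return luts

def propagate(luts, faults, q_in=0):
    """Symbolic analysis: chain the LUT lookups; the sensor is assumed ideal (0)."""
    q = q_in
    for lut, fault in zip(luts, faults):
        q = lut[(q, fault)]
    return q

def find_counterexamples(luts, limit):
    """Exhaustive stand-in for the SAT query: every fault scenario whose
    final output quality symbol exceeds the limit."""
    return [f for f in itertools.product(FAULTS, repeat=len(luts))
            if propagate(luts, f) > limit]

def simulate(drifts):
    """Reproduce a scenario concretely: inject real drift values after each
    operation and return the final drift against the ideal output."""
    golden = faulty = triangle()
    for (_, op), d in zip(OPS, drifts):
        golden, faulty = op(golden), with_drift(op(faulty), d)
    return peak(faulty) - peak(golden)

if __name__ == "__main__":
    luts = build_luts()
    print("OP2 LUT, fault-free row:", [luts[1][(q, 0)] for q in QUALITIES])
    cex = find_counterexamples(luts, limit=2)
    print(len(cex), "symbolic counterexamples, e.g.", cex[0])
    print("worst case of (1, 0, 2):", simulate((10.0, 0.0, 20.0)))
    print("milder values, same symbols:", simulate((2.0, 0.0, 12.0)))
```

Scenario (1, 0, 2) violates the limit with the worst-case values of its intervals (final drift 25) but not with milder values from the same intervals (final drift 13), which is why a symbolic counterexample has to be reproduced in simulation before it is accepted.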
Besides the circuit modules corresponding to the operations of the motor vehicle system, there are two additional circuit modules, which ensure that the fault scenarios considered can reasonably be expected and that any violation at the output is found. The first module checks whether the quality of the final output is lower than the user-determined limit (module output is true). The second module (the fault validity checker) tests whether the fault scenario analyzed is one of the fault scenarios of concern to the designer. For example, consider an analysis (under safety integrity levels) in which a bound is imposed on the expected probability of malfunction of the motor vehicle system, the probabilities of occurrence of the different faults are specified, and the faults are assumed to be uncorrelated, so that the fault scenarios are clearly defined. In this case, the fault validity checker can be used to verify that the probability of occurrence of the fault scenario is greater than the expected fault occurrence probability of the system (P_system).
To construct the exemplary fault validity checker, the faults are assumed to be uncorrelated, and the smallest probability of a fault in any operation (p_smallest) is obtained first. Then, for each fault type f, count_f = ⌊S·p_f / p_smallest⌋ is computed, where S > 1 is a scaling factor. Subsequently, for each evaluation of the circuit, the fault validity checker computes the sum of count_f over all enabled faults f and tests whether this sum is less than the upper limit ⌈S·P_system / p_smallest⌉, that is, Σ(f is enabled) count_f < ⌈S·P_system / p_smallest⌉. If the condition holds, the fault validity checker outputs true to indicate that the given fault scenario is admissible. Note that while ⌊S·p_f / p_smallest⌋ under-estimates the value S·p_f / p_smallest, ⌈S·P_system / p_smallest⌉ over-estimates S·P_system / p_smallest.
This ensures that this portion of the analysis is an over-estimate.
Synthesis of fault-tolerant motor vehicle systems
Abstracting the quality behavior of operations as symbolic lookup tables makes possible a number of synthesis algorithms for designing fault-tolerant motor vehicle systems. As mentioned above, the quality behavior of each operation can be modeled as a circuit, and the mechanism for deriving the probability of occurrence of a fault scenario can be modeled as a circuit as well. This allows available circuit synthesis methods to be applied to the sub-circuits corresponding to the different operations (and to the sub-circuit that derives the probability of occurrence of a fault scenario) in order to build a circuit. If a circuit with the desired output quality can be synthesized, then replacing the quality-abstracting lookup tables in the resulting topology with the corresponding operations yields a function-level model of a fault-tolerant motor vehicle system.
The method described above allows counterexamples to be detected using one or both of the discrete-LUT-based simulation and the LUT-based static analysis method, and also allows the counterexamples to be reproduced against the FT specification 20 of Figure 1. A counterexample describes the fault values in different elements of the system, where the fault values cause the system to behave in a manner that violates the requirements listed in FT specification 20. The LUT-based static analysis method can include the use of model checking, Boolean satisfiability solving, satisfiability modulo theories solving, search algorithms, and the like.
As used herein, the term "counterexample" in the FT context refers to the fault values in different components, e.g. the amplitude of noise, the drift and/or the number of peaks at sensor 12 of Figure 1, and the number of peaks in the different software modules of model 10 of Figure 1, that cause the system to behave in a manner that violates the functional requirements in the FT specification. For example, if in Figure 1 sensor 1 has a noise level of 5% on its output, and OP5 in the same Figure has a drift of 1% on its output, then the final output will have a drift of 12%. If the FT specification contains the functional requirement triplet <final output, 10%, drift>, meaning that the amplitude of the drift at the "final output" should be less than 10%, then the drift of 12% violates this requirement. The counterexample in this case is "sensor 1 output has 5% noise and OP5 output has 1% drift", the condition that drives the system into a faulty state that violates the FT requirement. When the counterexample is reproduced in the native model, it can be used to refine the precision of the LUTs that abstract the behavioral model into the discrete model.
While the best modes for carrying out the invention have been described in detail, those familiar with the art to which this invention relates will recognize various alternative designs and embodiments for practicing the invention within the scope of the appended claims.
The invention provides a method and an apparatus for operational-level functional and degradation fault analysis. An apparatus and method are provided for analyzing fault tolerance of a system, and performing "what if" analysis for various fault-tolerant system design options. The fault tolerance analysis approach handles logical failures and quality faults emanating from loss of precision in signal values. The method can detect quality faults, which can allow systems to be built which are resilient to precision losses.
Two analysis steps are provided, one static and another simulation-based, which are used in tandem to check the fault tolerance of an automotive or other system. While a simulation-based method checks fault-resilience under specific test cases and fault-scenarios, the static analysis method quickly checks all test cases and fault-scenarios. The static analysis method makes approximations while performing the analysis, and any fault detected is reproduced using the simulation-based method. All analysis operations are performed on operations-level behavioral models of the applications, thereby reducing the cost of analysis.
1. A method for analyzing the fault-tolerance (FT) capability of a system, the method comprising: recording, on a tangible medium accessible by a host computer, a set of FT requirements defining a functional specification for the system; generating a behavioral model of the system using the host computer; automatically abstracting the behavior of a set of components of the system, as represented by the model, into discrete lookup tables (LUTs); and using the host computer to process the discrete lookup tables and the functional specification to analyze the FT capability of the system; wherein analyzing the FT capability of the system includes analyzing a predetermined set of logical faults and quality faults.
2. The method according to claim 1, further including: recording selectable design scenarios for the system on the tangible medium; and using the host computer to automatically analyze the selectable design scenarios using the lookup tables and the functional specification.
3. The method according to claim 1, further including: as a first set of steps, using the host computer to examine all possible combinations of inputs and fault scenarios against the functional specification; and, as a second set of steps, using the host computer to evaluate, using the lookup tables, the behavior of the system under a set of test cases and fault scenarios.
4. The method according to claim 1, further including: determining the presence of an FT violation during the first set of steps; and reproducing the behavior of the system for said violation in the model during the second set of steps.
5. The method according to claim 1, further including: characterizing the quality behavior of the components and storing it in lookup tables; and processing the lookup tables using the host computer in order to determine the quality behavior of the system.
6. The method according to claim 1, further including: detecting counterexamples using at least one of a simulation method based on the discrete lookup tables and a static analysis method based on the lookup tables; and automatically reproducing the counterexamples against the FT specification; wherein the counterexamples describe fault values in different elements of the set of components, the fault values causing the system to behave in a manner that violates the FT requirements.
7. The method according to claim 6, including use of the static analysis method based on lookup tables, wherein using the static analysis method based on lookup tables includes using at least one of: model checking, Boolean satisfiability solving, satisfiability modulo theories solving, and search algorithms.
8. The method according to claim 1, further including inputting each test case, fault-tolerance requirement and fault scenario to the host computer, wherein: a fault scenario is a set of triplets of the form (location, fault type, measure); the location is the signal affected by the fault; and the fault type and the measure are the type and the measure of the error.
9. The method according to claim 1, wherein the model includes an FT selection module, the method further including using the FT selection module to detect and select a fault-free input and to transmit the fault-free input to the output of the FT selection module.
10. An apparatus adapted for analyzing the fault-tolerance (FT) capability of a system, the apparatus comprising: a host computer; and a tangible medium accessible by the host computer, on which is recorded a formalized set of requirements defining the functional specification of fault tolerance (FT); wherein the host computer is adapted for: generating a behavioral model of the system; abstracting the behavior of a set of components in the model into discrete lookup tables (LUTs); and using the discrete lookup tables and the functional specification to analyze the FT capability of the system, wherein analyzing the FT capability of the system includes analyzing a predetermined set of logical faults and quality faults.