utomotive systems are increasingly being devel-oped with integrated electronic sensors, actua-
tors, microcomputers, information processingfor single components, and engine, drive-
train, suspension, and brake systems. Thesehave matured to mechatronic systems that
are characterized by the integration of components (hard-ware) and signal-based functions (software), resulting in au-
tonomous functionality. Examples of first steps towardmechatronic systems for automobiles were the arrival of digi-tally controlled combustion engines with fuel injection in 1979and digitally controlled antilock brake systems (ABS) in 1978.Today’s combustion engines are completely microcomputercontrolled, typically with five electrical, electrohydraulic, orelectropneumatic actuators and several measured outputvariables, taking into account different operating phasessuch as startup, warming up, idling, and normal operation.The only input from the driver is generated by the accelera-tor pedal and transferred to the throttle (spark-ignition en-gines) or the injection pump (diesel engines)
This article begins with a review of electronic driver as-sisting systems such as ABS, traction control (TCS), elec-
64 IEEE Control Systems Magazine October 20020272-1708/02/$17.00©2002IEEE
©1994 PHOTODISC, INC.
Isermann ([email protected]) is with the Institut fuerAutomatisierungstechnik Technische, Universitaet DarmstadtLandgraf-Georg-Str. 4, D-64283 Darmstadt, Germany. Schwarz iswuth Continental Teves, Frankfurt 60488, Germany. Stölzl is withA.T. Kearney Gmbh, Frankfurt 60327,Germany.
tronic stability control (ESP), and brake assistant (BA). Wethen review drive-by-wire systems with and without me-chanical backup. Drive-by-wire systems consist of an oper-ating unit (steering wheel, brake pedal) with an electricaloutput, haptic feedback to the driver, bus systems, micro-computers, power electronics, and electrical actuators.For their design safety, integrity methods such as reliabil-ity, fault tree and hazard analysis, and risk classificationare required. Different fault-tolerance principles with vari-ous forms of redundancy are considered, resulting infail-operational, fail-silent, and fail-safe systems. Fault-de-tection methods are discussed for use in low-cost compo-nents, followed by a review of principles for fault-tolerantdesign of sensors, actuators, and communication. We eval-uate these methods and principles and show how they canbe applied to low-cost automotive components anddrive-by-wire systems. A recently developed brake-by-wiresystem with electronic pedal and electric brakes is thenconsidered in more detail, showing the design of the com-ponents and the overall architecture. Finally, we presentconclusions and an outlook for further development ofdrive-by-wire systems.
Recent DevlopmentsElectronic Driver-Assisting SystemsThe development of mechatronic systems for the engineand the drive train was paralleled by driver-assisting elec-tronic braking functions such as ABS, TCS (1986), ESP [1], andBA; see also [2]. In these cases the hydraulic pressure gener-ated by the driver’s brake pedal and pneumatic booster ismodulated to control the slip of single wheels (ABS) or tocontrol the drift angle of the vehicle by individual wheelbraking (ESP). If the electronic control fails, the brake sys-tems behave like conventional purely hydraulic ones. Since1945, power steering was realized by hydraulic supportingenergy, but electrical power steering for lightweight vehi-cles that came on the market in 1996 no longer required spe-cial hydraulic circuits and auxiliary pumps [3]. In all cases,the direct mechanical linkage with the steering wheel andthe driver action was retained.
Drive-by-Wire Systemswith Mechanical BackupSince 1986, the engine has been increasingly manipulatedby an electronic pedal and electrically driven throttle orinjection [4], [5], representing the first drive-by-wire com-ponents. In this case, a “limp home” function after elec-tronic failure is possible because the throttle springsystem provides a reduced engine speed (e.g., 1,200rpm). Hence, the system is rendered fail-safe by the me-chanics. Other mechatronic units within the power trainwere developed for the automatic transmission with hy-draulic torque converter and microcomputer-controlledgear shift.
Drive-by-Wire SystemsWithout Mechanical BackupThe approaches taken for successful fly-by-wire systems andthe positive experience with the automotive drive-by-wiresystems with mechanical backup for the engine and drivetrain and the electronic driver assistance systems for brakingand power steering are the basis for the development of com-plete drive-by-wire systems without mechanical backup forbraking, steering, and higher-level driver-assisting functions.The disadvantages of mechanical backup systems are thatthey are costly, heavy, passive safety-critical (steering col-umn, brake pedal), and do not provide enough freedom to tapthe potential of the electrical systems. Drive-by-wire systemswithout mechanical backup generate electrical commandsthrough the driver and transfer them to computer-controlledelectromechanical actuators, a scheme that is usually notfail-safe but has fault-tolerant properties.
Higher-Level Automotive ControlA recent development in higher-level control is adaptivecruise control (ACC), also called intelligent cruise control(ICC), where the vehicle either follows a preceding vehiclewith distance measurement and control or follows adriver-set reference value as in classical speed control (see[6] and [7]). In this case electrical commands have to begiven to an electrical throttle or to the brake booster. Sev-eral research automobiles have sensors to assess the roadsituation (e.g., cameras) and computerized autopilots [8],or for automatic platooning systems, like those pioneeredin the California PATH program [9], [10].
This short summary of recent developments shows thatfrom the viewpoints of increased active safety and auto-mated driving, there is a clear demand for drive-by-wire sys-tems, which include the powertrain, braking, and steering.These systems are also called x-by-wire systems, where xstands for the commanded action. Fig. 1 shows the hazard se-verity of failures for different electronic (and electrical) driv-ing systems [11]. Clearly, the hazard severity of drive-by-wirecontrol systems for vehicles increases considerably.
Drive-by-Wire Structures with andWithout Mechanical BackupThe progression from drive-by-wire systems with mechani-cal backup to those without mechanical backup or fail-safeby mechanics is a large one because of the lower reliabilityand different fault behavior of electronic and electrical com-ponents compared to mechanical components. Therefore,fault-tolerant electronic systems have to be incorporated tomeet the high safety requirements.
Fig. 2 shows the general signal flow diagram of adrive-by-wire system in more detail. The driver’s operatingunit (steering wheel, braking pedal) has a mechanical input(e.g., torque or force) and an electrical output (e.g., bus pro-tocol). The system contains sensors and switches for posi-tion and/or force, microelectronics, and either a passive
October 2002 IEEE Control Systems Magazine 65
(spring-damper) or active (electrical actuator) feedback togive the driver haptic information (“pedal feel”) on the ac-tion. A bus connects to the brakes or steering control sys-tem. This control system consists of power electronics,electrical actuators, brake or steer mechanics, with sensorsor reconstructed variables and a microcomputer for actua-tor control, brake or steer function control, supervision,and various types of management (e.g., fault tolerance withreconfiguration, optimization).
Each of the sensors, electronics, buses, power electron-ics, high-power actuators, and microcomputers must befault tolerant with regard to at least one safety-critical fail-ure. Therefore, a safety integrity analysis and methods offault tolerance are basic issues for drive-by-wire systems.
Safety Integrity Analysis MethodsDrive-by-wire systems are safety-related systems. Therefore,all aspects of reliability, availability, maintainability, andsafety (RAMS) have to be considered because they are rele-vant for manufacturer liability and customer acceptability.To meet safety requirements, special procedures were devel-oped in technical disciplines such as railway, aircraft, space,military, and nuclear systems. These procedures are coveredby the terms system integrity or system dependability.
The various kinds of safety requirements lead to differentlevels of integrity of safety-related systems, from the lowestto highest requirements. In this context, “integrity” is moreprecisely termed “safety integrity” with the following defini-tion: “Safety integrity is the probability of a safety-related
system satisfactorily performing the required safety func-tions under all the stated conditions within a stated periodof time” [12].
Safety and reliability are generally achieved by a combi-nation of
• fault avoidance• fault removal• fault tolerance• fault detection and diagnosis• automatic supervision and protection.Fault avoidance and removal has to be accomplished
mainly during the design and testing phase. For investigat-ing the effect of faults on the reliability and safety during thedesign phase and also for type certification, a range of analy-sis methods have been developed. They include
• reliability analysis• event tree analysis (ETA) and fault tree analysis (FTA)• failure mode and effects analysis (FMEA)• hazard analysis (HA)• risk classification.
For details see [12]-[14].These known methods can now be combined appropri-
ately. Fig. 3 shows an overall scheme. The FMEA identifies allcomponents, failures, causes, and effects. The single fail-ures proceed to an FTA to determine the causes and theirlogical interconnections on a component level. The failurecauses are then used to design the overall reliability. Re-maining failures that cannot be avoided are then classifiedand the maintenance procedure determined.
Based on the FMEA, the hazardanalysis extracts safety-criticalfailures. Their presentation in a(reduced) fault tree determinesthe causes with logical intercon-nections [15] (i.e., dangerousfaults leading to hazards). Basedon this, the safety system at lowerlevels can be designed. The re-maining dangerous failures thenundergo a risk classification andsupervision and safety methodsto reduce the risk to an acceptablemeasure are determined.
Herewith a hazard risk number
R C F FH OP= × ×
can be used, where C is the con-sequence (severity) of hazard,FH is the frequency (probability)of hazard, and FOP is the fre-quency of operation state (com-pare [12], [16]).
In general, fault-tolerancemethods have to be implemented
66 IEEE Control Systems Magazine October 2002
High
HazardSeverityof Failure
Low
Medium
Autopilot
Copilot
Pilot
SBW CA
ABS
ASRTBWEPS
ESP
EPStEHB
ACCBA
EMB
ABSACCBACAEHBEMBESP
1970 1980 1990 2000 2010 Year
Antilock BrakingAdaptive Cruise ControlBrake AssistCollision AvoidanceElectrohydraulic Brake SystemElectromechanical Brake SystemElectronic Stability ProgramElectric Driver-Assisting Systems
Higher-Level Control System
EPSEPStSBWTBWTCS/ASR
Electropneumatic Shifting (Trucks)Electrical Power SteeringSteer-by-WireThrottle-by-WireTraction Control System
Drive-by-Wire-Systems
Figure 1. Hazard severity of failures (qualitative) in electronic driver-assisting systems,drive-by-wire systems, and higher-level control systems.
October 2002 IEEE Control Systems Magazine 67
Mechanical/ElectronicPedal
HapticActuator
DriverMechan.Pedal/Wheel
Electr.Power 1
Electr.Power 2
Sensors
HapticFeedback
Pedal/Wheel
Electronics
Low Energy Level
High Energy Level
Manage-ment
Supervisor
Brake/Steer
Control
ActuatorControl
Bus-System
Microcomputer
Brake/SteerControlSystem
Sensors
PowerElectronics
Electr.Actuator
Brake/Steer
Mechan.Vehicle
TD TA TWωD ωA ωW
UI
Figure 2. Basic signal flow diagram of drive-by-wire systems.
Failure Modesand EffectsAnalysis for AllComponents(Detection ofPossible ComponentFailure andTheir Consequencesfor the System)
FMEA
ReliabilityFault-Tree Analysis
R-FTA
ReliabilityDesign
ReliabilityClassification
MaintenanceProcedures
Hazard AnalysisHA
SafetyFault-Tree Analysis
S-FTA
SafetyDesign
Lower Levels
Risk Classification(Accidents)
Supervisory andSafety Methods(Higher Levels)
All PossibleSystem Failures
All ComponentFaultsCausingUnreliability
RemainingFailures
UnavoidableFailures
FaultTolerantDesign
Safety-CriticalSystem Failures
All ComponentFaultsCausingHazards
RemainingDangerousFailures
UnavoidableDangerousFailures
Extraction ofSafety-CriticalFailures fromFMEA
Extraction ofSafety-CriticalFailures withLogic Causalities
Designand
TestingPhase
OperationPhase
Figure 3. Integrated design procedures for system reliability and safety to result in high system integrity.
at the component and unit levels to improve both reliabilityand safety, especially by reducing FH . Fig. 3 summarizes theintegrated reliability and safety procedure during the designand testing phases.
The unavoidable failures have to be covered by mainte-nance and online supervision and safety methods duringoperation, including fault tolerance, protection and super-vision with fault detection and diagnosis, and appropriatesafety actions. These methods are discussed in the follow-ing sections.
Fault-Tolerant DesignAfter applying reliability and safety analysis methods dur-ing design and testing, as well as corresponding quality con-trol methods during manufacturing, certain faults andfailures still cannot be avoided totally. Therefore, theyshould be tolerated by additional design efforts. Hence,high-integrity systems must have, to the extent possible,the ability for fault tolerance. This means that faults arecompensated in such a way that they do not lead to systemfailures. The most obvious way to reach this goal is redun-dancy in components, units, or subsystems. However, theoverall systems then become more complex and costly. Inthis section various types of fault-tolerant methods are re-viewed briefly.
Fault Tolerance for ComponentsFault-tolerance methods generally use redundancy. Thismeans that in addition to the considered module, one ormore modules are connected, usually in parallel. These re-dundant modules are either identical or diverse. Such re-dundant schemes can be designed for hardware, software,information processing, and mechanical and electrical com-
ponents (sensors, actuators, microcomputers, buses,power supplies, etc.).
Basic Redundant StructuresThere are two basic approaches for fault tolerance: static re-dundancy and dynamic redundancy. The correspondingconfigurations are first considered for electronic hardwareand then for other components.
Fig. 4(a) shows a scheme for static redundancy. It usesthree or more parallel modules that have the same input sig-nal and are all active. Their outputs are connected to a voterthat compares these signals and decides by majority whichsignal value is the correct one. If a triple-redundant modularsystem is applied, and a fault in one of the modules gener-ates a wrong output, this faulty module is masked (i.e., nottaken into account) by the two-out-of-three voting. Hence, asingle faulty module is tolerated without any effort for spe-cific fault detection. n redundant modules can tolerate( ) /n −1 2 faults (n odd).
Dynamic redundancy requires fewer modules at the costof more information processing. A minimal configurationconsists of two modules, Fig. 4(b) and (c). One module isusually in operation, and if it fails, the standby or backupunit takes over. This requires fault detection to observe ifthe operational modules become faulty. Simple fault-detec-tion methods use the output signal only for consistencychecking (range of the signal), comparison with redundantmodules, or use of information redundancy in computerssuch as parity checking or watchdog timers. After fault de-tection, it is the task of the reconfiguration to switch to thestandby module and to remove the faulty one.
In Fig. 4(b) the standby module is continuously operating,a method called “hot standby.” This results in a short transfer
time, but at the cost of operational aging(wear-out) of the standby module.
Dynamic redundancy, where thestandby system is out of function anddoes not wear, is shown in Fig. 4(c) andis called “cold standby.” This arrange-ment requires two additional switchesat the input and more transfer time dueto a startup procedure. For bothschemes, the performance of the faultdetection is essential.
Redundant schemes similar to thosefor electronic hardware exist for soft-ware fault tolerance. Here we mean tol-erance against mistakes in coding orerrors in calculation. The simplest formof static redundancy is repeated run-ning ( )n ≥ 3 of the same software andmajority voting for the result. However,this is only suitable for some transientfaults. As software faults generally aresystematic and not random, duplica-
68 IEEE Control Systems Magazine October 2002
Modules
Modules
1
2
3
n
xi
xi
xi
(a)
Voterxo
xo
xo
Modules
1
2
FaultDetection
FaultDetection
Recon-figuration
Recon-figuration
(b)
1
2
(c)
Figure 4. Fault-tolerant schemes for electronic hardware. (a) Static redundancy: multipleredundant modules with majority voting and fault masking, m out of n systems (all modulesare active); (b) dynamic redundancy: standby module that is continuously active (hotstandby); and (c) dynamic redundancy: standby module that is inactive (cold standby).
tion of the same software is not sufficient. Therefore, the re-dundancy must include diversity of software, such as otherprogramming teams, other languages, or other compilers.With n ≥ 3 diverse programs, a multiple redundant systemcan be established, followed by majority voting, as in Fig.4(a). However, if only one processor is used, calculation timeis increased, and using n processors may be too costly.
Dynamic redundancy using standby software with di-verse programs can be realized by using recovering blocks.This means that, in addition to the main software module,other diverse software modules exist [13], [17].
Fault tolerance can also be designed for purely mechani-cal and electrical systems. Static redundancy is often usedin all types of homogeneous and inhomogeneous materials(e.g., metals and fibers) and in special mechanical construc-tions such as lattice structures, spoke-wheels, and dualtires, or in electrical components with multiple wiring, mul-tiple coil windings, multiple brushes for dc motors, and mul-tiple contacts for potentiometers. This natural built-in faulttolerance is generally characterized by a parallel configura-tion. However, the inputs and outputs are not signals butforces, electrical currents, or energy flows, and a voter doesnot exist. All elements operate in parallel, and if one elementfails (e.g., by breakage), the others take over a higher forceor current, following the physical laws of compatibility orcontinuity. Hence, this is a kind of “stressful degradation.”Mechanical and electrical systems with dynamic redun-dancy, as depicted in Fig. 4(b) and (c), can also be built. Forthe most part, only cold standby is meaningful.
Fault tolerance with dynamic redundancy and coldstandby is especially attractive for mechatronic systemswhere more measured signals and embedded computersare already available, and therefore fault detection can beimproved considerably by applying process-model-basedapproaches. Table 1 summarizes the appropriate fault-toler-ance methods for the case of electronic hardware.
Redundant Structures forDrive-by-Wire ComponentsMainly because of cost, space, and weight, a suitable com-promise between the degree of fault tolerance and the num-
ber of redundant components has to be found for automo-tive drive-by-wire systems. In contrast to fly-by-wire sys-tems, only a single failure must be tolerated (presently) forhazardous cases [18], mainly because a safe state can bereached easier and faster. This means that not all compo-nents require stringent fault-tolerance requirements. Thefollowing degradation steps are distinguished.
• Fail-operational (FO): One failure is tolerated (i.e., thecomponent stays operational after one failure). Thisis required if no safe state exists immediately after thecomponent fails.
• Fail-safe (FS): After one (or several) failure(s), thecomponent directly reaches a safe state (passivefail-safe, without external power) or is brought to asafe state by a special action (active fail-safe, with ex-ternal power).
• Fail-silent (FSIL): After one (or several) failure(s), thecomponent exhibits quiet behavior externally (i.e.,stays passive by switching off) and therefore does notwrongly influence other components.
For vehicles, it is proposed to subdivide FO into “longtime” and “short time.” Considering these degradationsteps for various components, one must first check if a safestate exists. For automobiles (usually), a safe state isstandstill (or low speed) at a nonhazardous place. For auto-mobile components, a fail-safe status is (usually) a mechani-cal backup (i.e., a mechanical or hydraulic linkage) fordirect manipulation by the driver. Passive fail-safe is thenreached after the failure of electronics if independent of theelectronics the vehicle comes to a stop (e.g., by a closingspring in the throttle or by actions of the driver via mechani-cal backup). However, if no mechanical backup exists afterfailure of the electronics, only an action by other electronics(switch to a still-operating module) can bring the vehicle (inmotion) to a safe state (i.e., to reach a stop through activefail-safe). This requires the availability of electric power.
Generally, graceful degradation is envisaged where lesscritical functions are dropped to maintain the more criticalfunctions, based on priorities [12]. Table 1 shows degrada-tion steps to fail-operational for different redundant struc-tures of electronic hardware. As the fail-safe status depends
October 2002 IEEE Control Systems Magazine 69
Static Redundancy Dynamic Redundancy
Structures Number ofElements
ToleratedFaults
Fail Behavior ToleratedFailures
Fault Behavior DiscrepancyDetection
Duplex 2 0 F 0 F two comparators
1 FO-F fault detection
Triplex 3 1 FO-F 2 FO-FO-F fault detection
Quadruplex 4 1 FO-F 3 FO-FO-FO-F fault detection
Duo-Duplex 4 1 FO-F — — —
FO: fail-operational; F: fail.
on the controlled system and the kind of components, it isnot considered here.
For flight-control computers, a triplex structure with dy-namic redundancy (hot standby) is typically used, whichleads to FO-FO-FS, such that two failures are tolerated and athird one allows the pilot to operate manually. If the fault tol-erance has to cover only one fault to stay fail-operational(FO-F), a triplex system with static redundancy or a duplexsystem with dynamic redundancy is appropriate. If fail-safecan be reached after one failure (FS), a duplex system withtwo comparators is sufficient. However, if one fault has to betolerated to continue fail-operational and after asubsequent fault it is possible to switch to fail-safe (FO-FS),either a triplex system with static redundancy or a duo-du-plex system may be used. The duo-duplex system has theadvantages of simpler failure detection and modularity.
Fault Tolerance for Control SystemsFor automatically controlled systems, the appearance offaults and failures in the actuators, the process, and the sen-sors will usually affect the operating behavior. Withfeedforward control, generally all small or large faults influ-ence the output variables and thus the operation.
If the system operates with feedback control, small additiveor multiplicative faults in the actuator or process are coveredby the controller because of usual robustness properties. This
property is therefore a passive controller fault tolerance. How-ever, additive and gain sensor faults will immediately lead todeviations from the reference values. For large changes in ac-tuators, process, and sensors, the dynamic control behaviorbecomes either too sluggish, too underdamped, or even unsta-ble. Then either a very robust control system or an activefault-tolerant control system is required to save the operation.In the latter case, it consists of fault-detection methods and re-configuration mechanisms that modify the controller. De-pending on the type of faults, the reconfiguration may changethe structure and/or parameters of the controller. This canalso include changes to other manipulated variables or actua-tors or sensors, if available.
Examples include fault-tolerant flight control with recon-figuration to other control surfaces after failure of actuatorsor ailerons, elevators, and rudders (see [19]-[22]). For fail-ures in the satellite altitude control system, see [23]. Fail-ures in heat exchangers are treated in [24] and fault-tolerantcontrol for lateral vehicle control in [25].
Fault Detection for Sensors,Actuators, and MechatronicServo SystemsFault-detection methods based on measured signals can beclassified as follows:
70 IEEE Control Systems Magazine October 2002
Signal-BasedFault Detection
ActuatorsU
Faults
Process Sensors
N
Y
ProcessModel
FeatureGeneration
ThresholdPlausibility
Check
VibrationSignalModels
Process-Model-Based
Fault Detection
Change DetectionNormal Behavior
r x, , FeaturesΘ
Fault Diagnosis
s Analytical Symptoms
f Diagnosed Faults
Figure 5. General scheme of process-model-based and signal-based fault detection.
• limit value checking(thresholds) and plau-sibility checks (ranges)of single signals
• signal -model -basedmethods for single pe-riodic or stochasticsignals
• process-model-basedmethods for two or morerelated signals.
Fig. 5 shows a scheme forthese methods. For a descrip-tion of the various methods,refer to the literature (e.g.,the special section in [26] or[27]-[29]).
To obtain specific symp-toms, it is necessary to havemore than one input and oneoutput signal for parity equa-tions or output observers.For parameter estimation,one input and one output maybe sufficient. Because of thevarious properties, different methods should be combinedto obtain broad fault detection coverage [30], [31]. Some ap-plication cases of fault detection and diagnosis are:
1) online testing in manufacturing (quality control)2) online testing during service3) online, real-time supervision during operation
(on-board).The first two cases generally require a detailed fault diag-
nosis with classification or inference methods and can beapplied if computationally feasible. However, for the thirdcase, fault-detection capability usually is sufficient forfault-tolerant systems. A fault diagnosis is not necessarilyrequired. However, diagnosis capability is advantageous forgeneral online supervision. Especially for on-board applica-tions in automobiles, the allowable computations are verylimited, which restricts the fault detection to methods withfewer computations on microcomputers; see [32]. Further-more, the fault-detection methods must be transparent andeasy to understand, must function reliably for the differentoperating conditions, must use only few measured signals,and must require little effort for modeling. Maintenance ef-fort and easy transfer to modified components are also im-portant issues.
Fault-Tolerant Components forDrive-by-Wire SystemsThe discussion of high-integrity systems and drive-by-wiresystems shows that a comprehensive overall fault-tolerancedesign can be obtained by fault-tolerant components andfault-tolerant control. This means designing fault-tolerant
• sensors• actuators• process parts• computers• communication (bus systems)• control algorithms.Examples of components with multiple redundancy exist
for aircraft, space, and nuclear power systems. However,
October 2002 IEEE Control Systems Magazine 71
X1
X1
X0X0
X0
X1
X1
X1
X1
X1
(a)
Voter
Sensor1
Sensor1
Sensor1
Sensor2
Sensor2
Sensor2
Sensor3
PlausibilityCheck
FaultDetection
Recon-figuration
Recon-figuration
(c)
(b)
Figure 6. Fault-tolerant sensors with hardware redundancy. (a) Triplex system with staticredundancy and hot standby, (b) duplex system with dynamic redundancy, and (c) duplex system withdynamic redundancy, hot standby, and plausibility checks.
u
u
G1
G1
GM1
G2
(a)
Sensory1
Sensory2
Sensory1
y1
y2
y1
^y1
^y1u
GM 1
GM 2
Sensoru
Process
Process
(b)
Process Model
Process Models
Figure 7. Sensor fault tolerance for one output signal y1 (mainsensor) through analytical redundancy by process models (basicschemes): (a) two measured outputs, no measured input and (b) onemeasured input and one measured output.
lower cost components with built-infault tolerance have to be developed.The following sections describe exam-ples from the automotive area, in addi-tion to examples from other fields.
Fault-Tolerant SensorsA fault-tolerant sensor configurationshould be at least fail-operational (FO)for one sensor fault. This can be ob-tained by hardware redundancy withthe same type of sensors or by analyti-cal redundancy with different sensorsand process models.
Hardware Sensor RedundancySensor systems with static redundancyare realized with a triplex system and avoter (Fig. 6(a)). A configuration withdynamic redundancy needs at least twosensors and a fault detection for eachsensor (Fig. 6(b)). Usually only hotstandby is feasible. Another less power-ful possibility is to use plausibilitychecks for two sensors, as well as usingsignal models (e.g., variance) to selectthe more plausible one.
The fault detection can be per-formed by self-tests (e.g., by applying aknown measurement value to the sen-sor). Another way is to use self- validat-ing sensors [33], [34], where thesensor, transducer, and a microproces-sor form an integrated, decentralizedunit with self-diagnostic capability.The self-diagnosis takes place withinthe sensor or transducer and uses sev-eral internal measurements. The out-put consists of the sensor’s bestestimate of the measurement and a va-lidity status, such as good, suspect, im-paired, bad, or critical.
Analytical SensorRedundancyAs a simple example, we consider a pro-cess with one input and one main outputy1 and an auxiliary output y2 (see Fig.7(a)). Assuming the process input signalu is not available but two output signalsy1 and y2, which both depend on u, areavailable, one of the signals (e.g., $y1) canbe reconstructed and used as a redun-dant signal if process models GM 1 andGM 2 are known and significant distur-bances do not appear (ideal cases).
72 IEEE Control Systems Magazine October 2002
Process
Process
u
u
G1
G1
G2
G2
Sensoru
Sensoru
GM1
GM1
GM2
Sensory1
Sensory1
Sensory2
Sensory2
y2
y2
y1
y1
^y1
^y1u
^y1u
^y2u
^y1
GM 1
GM 1
GM 2
GM 2
ProcessModels
ProcessModels
ProcessModel
Votery1FT
y1FT
y2FT
u3FT
(a)
(b)
Residual Generation andDecision Logic
r1
r2
r3
+
+
+
–
–
–
Figure 8. Fault-tolerant sensors with combined analytical redundancy for two measuredoutputs and one measured input through (analytical) process models: (a) y1 is mainmeasurement, y u2, are auxiliary measurements (combination of Fig. 7(a) and (b)) and (b)y y1 2, , and u are measurements of same quality (parity equation approach).
Ui
Ui
U1
U1
U2
U2
U3
U3
Uo
Uo
SensorUo
SensorUo
SensorU3
SensorU3
SignalTransformer(Amplifier)
ActuationConverter
(Motor)
ActuationTransformer
(Gear)
ActuationElement(Valve)
(a)
Motor 1
Motor 2(b)
Figure 9. Fault-tolerant actuator: (a) common actuator and (b) actuator with duplex drive.
For a process with only one output sensor y1 and one in-put sensor u, the output $y1 can be reconstructed if the pro-cess model GM 1 is known (Fig. 7(b)). In both cases, therelationship between the signals of the process are used andexpressed in the form of analytical models.
To obtain one usable fault-tolerant measurement valuey FT1 , at least three different values for y (e.g., the measuredone and two reconstructed ones) must be available. Thiscan be obtained by combining the schemes of Fig. 7(a) and(b) as shown in Fig. 8(a). A sensor fault y1 is then detectedand masked by a majority voter, and either $y1 or $y u1 is usedas a replacement, depending on afurther decision. (Also, single sen-sor faults in y2 or u are toleratedwith this scheme.)
One example of this combinedanalytical redundancy is the yawrate sensor for the ESP, where thesteering wheel angle is also used asinput to reconstruct the yaw ratethrough a vehicle model, as in Fig.7(b), and the lateral accelerationand the wheel speed differencebetween the right and left wheels(no slip) are used to reconstruct theyaw rate according to Fig. 7(a) [35].
A more general fault-tolerant sen-sor system can be designed if twooutput sensors and one input sensoryield measurements of same quality.Then, according to the schemeshown in Fig. 8(b), three residualscan be generated, and by decisionlogic, fault-tolerant outputs can beobtained in the case of single faults ofany of the three sensors. The residu-als are generated based on parityequations. In this case, state observ-ers can be used for residual genera-tion; compare, for example, thededicated observers of [36]. (Notethat all schemes assume ideal cases.For realizibility constraints of the in-verted models, additional filtershave to be considered.)
If possible, a faulty sensor shouldbe fail -silent (i.e. , should beswitched off); however, this requiresadditional switches, which lowersthe reliability. For both hardwareand analytical sensor redundancywithout fault detection for individ-ual sensors, at least three measure-ments must be available to makeone sensor fail-operational. How-
ever, if the sensor (system) has built-in fault detection (inte-grated self-test or self-validation), two measurements areenough and a scheme like the one in Fig. 6(b) can be applied.(This means that by methods of fault detection, one elementcan be saved.)
Fault-Tolerant ActuatorsActuators generally consist of different parts: input trans-former, actuation converter, actuation transformer, and actua-tion element (e.g., dc amplifier, dc motor, gear and valve, asshown in Fig. 9(a)). The actuation converter converts one type
October 2002 IEEE Control Systems Magazine 73
Spring
GearCommutator Permanently Excited
dc Motor
ManipulatedVariable(Armature Voltage)
Throttle Valve
PotentiometersElectricalConnector
MeasuredVariables
A
ϕ1Kϕ2K
UA
Figure 10. Scheme of an electromechanical throttle valve actuator.
Table 2. Process parameter deviations for different actuator faults.
Features→ Parameter Estimates
Faults↓ RA Ψ c e0 J cf M R 1 M R 0
F1 incr. spring pretension 0 0 0 0 0 0 +
F2 decr. spring pretension 0 0 0 0 0 0 −
F3 commutator shortcut − − 0 + + + 0
F4 arm. winding shortcut 0 − 0 + + + 0
F5 arm. winding break + − 0 0 + + +
F6 add. serial resistance + 0 0 0 0 0 0
F7 add. parallel resistance − − 0 0 + + 0
F8 increased gear friction 0 0 0 + + + 0
F9 offset fault U A 0 0 +/− 0 0 0 0
F10 offset fault I A 0 0 +/− 0 0 0 −/+
F11 offset fault ϕk 0 0 0 0 0 0 −/+
F12 scale fault U A +/− +/− +/− +/− +/− +/− +/−
F13 scale fault I A −/+ 0 0 +/− +/− +/− +/−
F14 scale fault ϕk 0 −/+ 0 −/+ −/+ −/+ −/+
0: no significant change; +: large increase; −: large decrease.
of energy (e.g., electrical or pneumatic) into another (e.g., me-chanical or hydraulic). Available measurements are frequentlythe input signalUi, manipulated variableU0 , and intermediatesignal U3.
Fault-tolerant actuators can be designed by using multi-ple complete actuators in parallel, with either static redun-dancy or dynamic redundancy with cold or hot standby(Fig. 4). One example of static redundancy is hydraulic ac-tuators for fly-by-wire aircraft, where at least two inde-pendent actuators operate with two independent hydraulicenergy circuits.
Another possibility is to limit the redundancy to parts ofthe actuator that have the lowest reliability. Fig. 9(b) shows
a scheme where the actuation converter (motor) is split intoseparate parallel parts. Examples with static redundancyare two servo valves for hydraulic actuators [37] or threewindings of an electrical motor (including power electron-ics) [38]. Within electromotor-driven throttles for spark-ig-ition engines, only the slider is doubled to make thepotentiometer position sensor static redundant.
An example of dynamic redundancy with cold standby isthe cabin pressure flap actuator in aircraft, where two inde-pendent dc motors exist and act on one planetary gear [32].
As cost and weight generally are higher for them than forsensors, actuators with fail-operational duplex configurationare preferred. Then either static redundant structures, where
both parts operate continu-ously (Fig. 4(a)), or dynamicredundant structures with hot(Fig. 4(b)) or cold standby(Fig. 4(c)) can be chosen. Fordynamic redundancy, fault-de-tection methods for the actua-tor parts are required [39].One goal should always bethat the faulty part of the actu-ator fails silent, i.e., has no in-fluence on the redundantparts. Fault-tolerant commu-nication systems are treatedin [40]-[43].
Example of theDiagnosis andSensor FaultTolerance of anElectrical ThrottleActuatorThe described methodologyfor fault detection and faulttolerance will now be demon-strated for an electrome-chanical throttle valve, oneof the first drive-by-wire com-ponents introduced.
Fault Detection andDiagnosis of theActuatorFig. 10 shows the scheme of athrottle-valve actuator. A per-manently excited dc motorwith gear acts on the throttleagainst a spring. The motor isdriven by a pulsewidth-modu-lated (PWM) armature voltageU A and armature current I A.The angular position ϕk is re-
74 IEEE Control Systems Magazine October 2002
UG11 G12
SensorUA
ArmatureCircuit Sensor
IA
Electro-mechanics
Sensorϕk1
Sensorϕk2
GM1
IA
UAProcessModel
Residual Generationand Decision Logic
ϕ1k
ϕ2k
^1ϕ k
ϕ1kFT
ϕ2kFT
ddt
+–
+–
r1
r2
Figure 11. Fault-tolerant double position sensors for an electromechanical throttle valve.
Failure of Sensor ϕ1K
Control with ϕ1K Control with ϕ2K
100
50
0
Ref
eren
ceV
aria
ble
Con
trol
Var
iabl
e
ϕϕ
ϕ°
KW
KK
,,
[]
12
Adaptive Threshold[ ( )]ƒ ϕKW t
0
0
0
0
0.5
0.5
0.5
0.5
1
1
1
1
1.5
1.5
1.5
1.5
2
2
2
2
2.5
2.5
2.5
2.5
3
3
3
3
Control Var. ϕ1KControl Var. ϕ1K
Control Var. ϕ2K Ref. Var. ϕKW
(Stuck)
10
5
0
0
–10
–5
0
–20
–40
Arm
atur
eV
olta
ge [V]
UA
Res
idua
l–
[V]
r 2
ϕϕ °
12
1K –
K[
]r
Adaptive Threshold
r Unfiltered
Time [s]100 ms
Figure 12. Closed-loop position control behavior after stuck fault of the first sensor ϕ1k, faultdetection, and reconfiguration with the second sensor ϕ2k.
dundantly measured by twopotentiometers, ϕK 1 and ϕK 2,within 0-90°. Three measuredvariables U tA( ), I tA( ), andϕK t( ) are available. Two differ-ential equations are used.
Armature circuit:
U t R I t tA A A A( ) ( ) ( )= + Ψω(1)
Electromechanical part:
ν ω
νϕ
ω
J t I t
c t M
M
k A
F k
R A
& ( ) ( )
– ( ( ) )
– .
=
+
Ψ1
0
1 (2)The symbols used areω ϕk k= & : throttle angular
speedJ: ratio of motor inertiaRA: armature resistancecF : spring constantΨ: flux linkageM 0 :CoulombfrictiontorqueM R 1: viscous frictiontorque.By applying continuous-
time parameter estimationwith state-variable filtering to obtain the signal derivatives,the following model parameters were estimated:
p R c J c M MA F R= [ , , , , , , ]ψ oe 1 0 , (3)
where coe is a dc value.In addition to fault detection by parameter estimation,
two parity equations are used for fault detection of the sen-sors ϕ1k and ϕ2k :
r t t tk k1 1 2( ) ( ) ( )= −ϕ ϕ (4)
r t t
t U t R I tt k k
k A A A
2 1 1
1
( ) [& ( ) &$ ( )]
& ( ) ( ) ( )
= −
= − +
Ψ
Ψ
ν ϕ ϕ
νϕ . (5)
The first residual r1 directly indicates discrepancies be-tween the potentiometer outputs, and r2 uses analytical redun-dancy through the electromagnetic dc motor model to predictthe output &$ϕ1k based on measurements U tA( ) and I tA( ).
Table 2 shows the obtained parameter deviations assymptoms through parameter estimation with excitation ofthe closed-loop position control using a pseudo-random bi-nary signal (PRBS). Nearly all faults generate different symp-tom patterns, except F11 and F1, F2. The symptom patternsfor the process parameter faults F1 through F8 show betterisolation than for the offset sensor faults. Therefore, faultsF1 through F8 are detected by parameter estimation andsensor faults F9 through F14 by parity equations. Hence, by
combining both fault-detection methods, many differentfaults are detectable; see [31].
For fault diagnosis, a fault-symptom tree based on fuzzy-logic decision was developed. A special test signal with full-range slow inputs and fast input changes (PRBS) is used totest all types of faults within a time period of about 8 s [44].
Fault-Tolerant Position SensorsThe two parity equations are now used to obtain a fault-tol-erant position sensor system for the actuator. Fig. 11 depictsthe applied fault detection and sensor fault-tolerancescheme, which corresponds to Fig. 8(b). Based on the resid-ual deviations indicated in Table 3, sensor offset faults ofboth potentiometers can be isolated. This is used to con-nect the healthy sensor to the position controller. (Note thathere, in contrast to Fig. 6(a), two redundant sensors areused and a third sensor output is calculated from the sensorsignals U tA( ) and I tA( ) of the dc motor applying analytical
October 2002 IEEE Control Systems Magazine 75
WheelFR
WheelFL
WheelFR
WheelRR
ωWheel FR
ωWheel FL ωWheel RL
ωWheel RR
Fail-Safe WheelBrake Module FR
Fail-Safe WheelBrake Module RR
Fail-Safe WheelBrake Module FL
Fail-Safe WheelBrake Module RL
Fail-SilentWheel Brake
C FLµ
Fail-SilentWheel Brake
C RRµ
Fail-SilentWheel Brake
C FLµ
Fail-SilentWheel Brake
C RLµ
Actuator FL Actuator RL
Actuator FR Actuator RR
Power 2
Power 1
Power 1
Power 1
Power 2
CockpitPower 1
Power 2
RedundantCommunication
MasterControllerModule
Fail-SilentMaster
Controller
Fault-TolerantPedal
Electronics
WheelRL
Brake PedalModule
PS 1 PS 2 PS 3
Figure 13. Brake-by-wire architecture.
Table 3. Residual deviations for parity equations.
Residuals→ r1 r2
Faults↓
Offset sensor +∆ϕ1k + +
Offset sensor +∆ϕ2k − 0
Faults in armature circuit 0 +/−
redundancy.) Table 3 shows that if only r2 changes, faults inthe armature circuit can be detected.
In Fig. 12, the closed-loop position control behavior withthe throttle valve is shown for the case where sensor ϕ1k
sticks at t = 0 2. s during a ramp change of the position refer-ence variable. Residuals r1 and r2 both deviate, indicating afault in sensor ϕ1k . After 100 ms, the residual r2 exceeds the(adaptive) threshold, the controller is switched to sensorϕ2k , and after an additioanl 200 ms, the throttle anglereaches its reference variable again [44]. In practice, thiswould mean a short additional increase in vehicle speed andan alarm to the driver with further hints (e.g., to visit a ser-vice station).
An Example Brake-by-Wire SystemA brake-by-wire system without mechanical backup is de-scribed as an example of the development of fault toleranceand supervisory functions for a drive-by-wire system. Theversion illustrated is a prototype electrical brake system, re-cently developed by Continental Teves, Frankfurt, Germany,partially in cooperation with the authors [45], [46]; see also[47] and [48].
The brake-by-wire system consists of four electrome-chanical wheel brake modules with local microcomputers,an electromechanical brake pedal module, a duplex commu-nication bus system, and a central brake management com-puter (Fig. 13).
The chosen overall structure is the result of an FMEA andhazard analysis. Fault tolerance with duplex systems is im-plemented for the wheel brake controllers, the bus commu-nication, the brake management computer, and the powersupply; however, the brake pedal contains internally higherredundancy because of its central function.
Electromechanical BrakeThe design of the electromechanical wheel brake is drivenby the demand for high electromechanical efficiency, mini-mized space, lightweight construction, and robustnessagainst rough environmental conditions. Fig. 14 shows thebasic construction [45].
A generalized four-pole model of the electromechanicalbrake (EMB) is depicted in Fig. 15. The current is controlledby power electronics. The dc motor’s torque is convertedby the spindle gear into a friction force at the disk, which re-sults in a braking force. To compensate for the large parame-
76 IEEE Control Systems Magazine October 2002
dc Motor
Caliper
Brake Pad
Spindle
Figure 14. Prototype of an electromechanically actuated wheelbrake by Continental Teves.
TemperatureWear
TemperatureWear
TemperatureWear
Medium
TemperatureAbrasionMedium
Electromechanical Parameter(e.g., Coil Resistance,
Friction)
Mechanical Parameter(e.g., Friction,
Stiffness)
Mechanical Parameters(e.g., Friction,
Stiffness)
Mechanical Parameters(e.g., Friction)
( -Slip Parameters)µEffects
Influencing Variables
U
I
ElectromechanicalActuator Gear
FrictionBrake
Tire/RoadVehicle
PV1 PV2 PV3 PV4F1 F2 F3
F4
.z1
.z2
.z3
.z4
Figure 15. Generalized four-pole models of an electromechanical disk brake. U I, : voltage, current; Pvi: power losses; &,z F: speed, forceor torque.
ter variations (and changing efficiency) in the whole EMB, aclosed-loop control of the clamping force or brake torque isused in a cascaded loop system, with current and speedcontrollers as slave controllers. However, this requires spe-cial sensors. As an alternative, the clamping force or thebraking torque can be reconstructed by measuring onlyvoltage, current, and position of the dc motor using adap-tive dynamic models of the EMB [46].
The corresponding control and other algorithms, suchas parameter estimation, clamping force reconstruction,and clearance-contact point detection, are implemented inthe brake module microcomputer system. It is designed as aduplex system and connected to the brake control manage-ment computer and the brake pedal via a duplex controlarea network (CAN)-bus system.
Electromechanical Brake PedalThe driver’s input to the pedal is measured by a proper com-bination of position (and force) sensors. The measured ana-log signals are then transmitted to microcontrollers. Aftersignal processing, the brake pedal information is given to theCAN-bus system. Because the pedal represents a central partof the brake system, its design must be highly fault tolerant.
An integrated FMEA and hazard analysis as summarizedin Fig. 3 was therefore applied to the pedal unit. Major haz-ards of the EMB determined in [15] and [47] are
1) no braking after brake command from the driver2) braking without brake command from the driver3) braking with wrong deceleration4) one-sided braking5) braking with unacceptable time delay.
October 2002 IEEE Control Systems Magazine 77
No BrakingAlthough
Brake Demand
OR
FailurePower
System
FailureTransmission
Failure BrakePedal Module
Ped_Mod
Power
AND
FailureCommunication
System
Failure MasterControllerModule
Comm_Sys Master
Failure WheelBrake Modules
AND
Failure WheelBrake
Module 1
Failure WheelBrake
Module 2
Failure WheelBrake
Module 3
Failure WheelBrake
Module 4
WBM 1 WBM 2 WBM 3 WBM 4
Figure 16. A fault tree for hazard 1 (no braking after brake command).
Fig. 16 shows the hazard analysis of the electromechani-cal brake for hazard 1 (no braking after brake command) byusing a safety fault tree. The fault tree transfer symbols (∆)represent further fault trees (subtrees). The top events ofthe subtrees in Fig. 16 are the causes of hazard 1: failed brakepedal module, failed power system, failed transmission, orfailed wheel brake modules. Therefore, all of the four wheelbrake modules have to fail before the hazard “No braking al-though brake command” occurs.
The subtrees are constructed until basic or primaryevents are reached. The circle symbols in Fig. 17 representthe basic events. In this example, each of the events (FailureSensor Electronics 1, Failure Sensor Cable 1, Failure PowerSupply 1, Failure Sensor Element 1, or Failure Sensor Con-nection 1) results directly in the event “Failure Clamping-Force Sensor 1” because of the OR-connection, and togetherthey represent the causes of that event. However, all of thethree wheel brake sensors have to fail before event “FailureWheel Brake Module 1” occurs because the brake controloperates with only one of these sensors.
From this FMEA and hazard analysis the following recom-mendations were derived:
• overdimensioned pedal mechanics• fault-tolerant pedal electronics• fault-tolerant touchless pedal sensors• two independent power supplies• two independent plug connectors for communication• two separate boxes with sufficient protection (EMC)
and cooling• avoidance of common-mode failures.The most sensitive parts, such as electronics and sensors,
were found to have triple or quadruple modular redundancy.Fig. 18 shows the design of the resulting overall structure.
It represents a fault-tolerant and distributed real-time systemthat consists of three different kinds of modules: one brakepedal module, one central controller module, and four wheelbrake modules. The real-time communication system and thepower system have dynamic redundancy with hot standby.The pedal module must be fail-operational after one failure inthe sensors, electronics, or plug connections. The higher-level brake functions such as ABS, TCS, ESP, and the mastersupervision functionality of the brake-by-wire system aremainly implemented in the integrated software of the fail-si-lent central controller module. The wheel brake modules can
78 IEEE Control Systems Magazine October 2002
Failure WheelBrake
Sensor 1
AND
OR
FailureClamping-Force
Sensor 1
FailureMotor Current
Sensor 1
Failure MotorRotor Position
Sensor 1
Curr_Sen1 Pos_Sen1
Failure SensorElectronics 1
Failure SensorCable 1
Failure SensorPower
Supply 1
Failure SensorElement 1
Failure SensorConnection 1
Sen_Elec1 Sen_Cab1 Sen_Pow1 Sen_Elem1 Sen_Con1
Figure 17. Sub-fault-tree of hazard 1 (Fig. 16) with sub-top-event “failure pedal sensor.”
detect whether the brake management controller is workingcorrectly or has transferred to a silent state after a failure inthis unit has occurred.
Fig. 19 shows the electronic hardware architecture of thepedal module. To obtain the fail-operational behavior, one tri-plex system or a duo-duplex system are alternatives. Theduo-duplex system was chosen because it is easier to realizeand can be contained in two differenthousings. Each sensor duplex unit con-tains two diverse angle sensor elements;thus, four sensor signals are used toidentify the driver’s brake commandand to supervise the brake pedal mod-ule. Electronic hardware or sensor fail-ures are detected within a duplex unitwith a redundant voter, which comparestwo application-specific integrated cir-cuit (ASIC) outputs (including their twosensor signals). If the outputs differ toomuch, a fault is assumed and one duplexunit is switched off (fails silent).
A further task of the central con-troller module is to detect and locatepedal sensor failures for the case thatthe ASICs in the pedal unit and twobuses work correctly. Here, a model-based fault detection with parityequations is implemented. Fig. 20shows a brake pedal sensor configura-tion with three different pedal sensors
and three residuals. The pedal sensors may be diverse(e.g., one angle sensor, one travel sensor, and one forcesensor). The residuals are the difference between one sen-sor signal value and the reconstructed value from anothersensor through an analytical pedal model. If using fourbrake pedal sensors, this parity equation is expanded tocalculate six residuals [15].
October 2002 IEEE Control Systems Magazine 79
Vehicle Electric System
Brake Pedal Module(Fail-Operational)
Pedal Sensors andElectronics:Duo-Duplex
SensorElement 1
SensorElement 2
SensorElement 3
SensorElement 4
Switch 1
Switch 2
ASIC(Duplex 1)
DuplexBox 1
ASIC(Duplex 2)
DuplexBox 2
EMB Bus
Direct Signals
EMB ElectricPower Supply
Battery 1
Bus 1
Bus 2
Con
nect
.C
onne
ct.
Battery 2
Connect.
Connect. Connect.
Connect. Connect. Connect.
Central ControllerModule (Fail-Silent)Central Controller
(Duplex)
Wheel BrakeController 3
(Duplex)
Wheel BrakeController 4
(Duplex)
Wheel BrakeController 1
(Duplex)
Wheel BrakeController 2
(Duplex)
WheelBrake
Actuator 3
WheelBrake
Actuator 4
WheelBrake
Actuator 1
WheelBrake
Actuator 2
Wheel BrakeModule 3(Fail-Safe)
Wheel BrakeModule 4(Fail-Safe)
Wheel BrakeModule 1(Fail-Safe)
Wheel BrakeModule 2(Fail-Safe)
Vehicle Bus
Figure 18. Scheme of the fault-tolerant electromechanical brake system.
PedalMechanics
Sensor 1
Sensor 2
Sensor 3
Sensor 4
Driver’sBrake
Command
Duplex 1
Duplex 2
SensorDuplex 1
SensorDuplex 2
Power 1
ASIC 1:Processing andSending Sensor
Signals 1 & 2
ASIC 2:Processing andSending Sensor
Signals 1 & 2
ASIC 3:Processing andSending Sensor
Signals 3 & 4
ASIC 4:Processing andSending Sensor
Signals 3 & 4
RedundantVolter
RedundantVolter
Duplex Unit1 of PedalElectronics
Duplex Unit2 of PedalElectronics
Bus 1
Bus 2
Power 2
Figure 19. Duo-duplex architecture for the pedal module.
Conclusion and OutlookReliability and safety are of major importance to the intro-duction of drive-by-wire systems. Their required high safetyintegrity necessitates that all electronic and electrome-chanical components, units, and subsystems be fault toler-ant with regard to failures in electronic hardware, software,and electrical and mechanical parts. Fault-tolerant proper-ties can be obtained primarily by static or dynamic redun-dancy, the latter with cold or hot standby, leading tosystems that are fail-operational for at least one failure.Fault detection is a basic issue for fault-tolerant systemswith redundant modules. However, at present onlycomputationally simple and reliable methods can be used,for reasons of software reliability and testability and the lim-itations of small microcontrollers. Compared to static re-dundancy, the use of fault-detection methods for dynamicredundancy saves at least one module.
An engineering challenge is to design mass-produciblefault-tolerant sensors, actuators, microcomputers, andbus communication systems with hard-real-time require-ments for a reasonable cost. Especially attractive are com-ponents with built-in redundancy for mass production. Forseveral years, throttle-by-wire, shift-by-wire, and elec-tronic driver-assisting systems have proven to be highlyreliable and safe. Drive-by-wire systems with higher hazardseverity for failures are currently being developed.Electrohydraulic brake systems came on the market in2001, and it is expected that electromechanical brakes willfollow in about six to eight years. Steer-by-wire will takelonger because of the higher hazard severity and the re-duced inherent fault-tolerance possibilities through twofront wheels (instead of four wheels, as for braking). Thedevelopment of drive-by-wire systems will therefore pro-ceed in steps to achieve highly reliable and fault-tolerantsensors, microcomputers, and electromechanical compo-
nents or, in other words, to build ex-tremely safe mechatronic systems.
AcknowledgmentsWe appreciate the cooperation of Con-tinental Teves, Frankfurt, during thedevelopment of the brake-by-wire sys-tem. We are also indebted to the sup-port of research projects on faultdiagnosis of actuators, hydraulicbrakes, and vehicles through DeutscheForschungsgemeinschaft (DFG) andDeutsche Forschungsgesellschaft fürdie Anwendung der Mikroelektronike.V. (DFAM).
References[1] H.-M. Streib and H. Bischof, “Electronic throt-tle control (ETC): A cost effective system for im-proved emissions, fuel economy, anddriveability,” SAE Technical Paper Series, no.
960338, in R.K. Jurgen, Ed., “Electronic engine control technologies,”Warrendale, PA, Society of Automotive Engineers, PT-73, pp. 165-172, 1998.[2] R.K. Jurgen, Ed., Electronic Engine Control Technologies. Warrendale, PA:Soc. Automotive Engineers, SAE PT-73, 1998.[3] A.T. van Zanten, R. Erhardt, and G. Pfaff, “VDC, the vehicle dynamics con-trol system of Bosch,” SAE Technical Paper Series, no. 950759, in R.K. Jurgen,Ed., “Electronic braking, traction, and stability control,” Warrendale, PA: Soc.Automotive Engineers, SAE: PT-76, pp. 395-412, 1999.[4] R.K. Jurgen, Ed., “Electronic braking, traction, and stability control,” Soci-ety of Automotive Engineers, Warrendale, PA, SAE: PT-76, 1999.[5] B. Connor, “Electric power assisted steering—An alternative to hydraulicand electro-hydraulic systems,” Automobiltechnische Zeitschrift, vol. 98, nos.7/8, p. 407, 1996.[6] S. Germann and R. Isermann, “Nonlinear distance and cruise control forpassenger cars,” in First IFAC-Workshop Advances in Automotive Control,Ascona, Switzerland, 1995, pp. 203-208.[7] H. Fritz, “Model-based neural speed control of vehicles” (in German),Automatisierungstechnik, vol. 44, no. 5, pp. 252-257, 1996.[8] E.D. Dickmanns, “Road vehicle eyes for high precision navigation,” in HighPrecision Navigation, Linkwitz, Ed. Bonn, Germany: Dümmler Verlag, 1995, pp.329-336.[9] W.B. Stevens, “The automated highway system program: A progress re-port,” in Proc. 13th World Congr. IFAC, San Francisco, CA, 1996, pp. 25-33.[10] M. Tomizuka, “Automated highway systems—An intelligent transporta-tion system for the next century,” in Proc. IEEE/ASME Int. Conf. Advanced Intel-ligent Mechatronics ‘97, Tokyo, Japan, 1997, p. 1.[11] P. Rieth, “Electronic driver assistance” (in German), in VDA-TechnischerKongress, Frankfurt, Germany, 1999, pp. 119-136.[12] Functional Safety of Electrical/Electronic/Programmable Electronic Sys-tems, Version 4.0, Part 1-7, Standard IEC 61508, 1997.[13] N. Storey, Safety-Critical Computer Systems. Essex, U.K.: Addison WesleyLongman Ltd., 1996.[14] M.J. Schneider, “Use of a hazard and operability study for evaluation ofABS control logic,” SAE Technical Paper Series, no. 970815, in ElectronicBraking, Traction, and Stability Control, R.K. Jurgen, Ed. Warrendale, PA: Soci-ety of Automotive Engineers, SAE: PT-76, 1988, pp. 65-93[15] S. Stölzl, “Fault-tolerant pedal unit of an electromechanical brake sys-tem” (in German), Fortschr.-Ber. VDI-Verlag, Düsseldorf, Germany, Reihe 12,no. 426, 2000.[16] Prometheus, “Report on recommended practice of safety and reliabilityengineering of future automotive system,” Eureka Prometheus European Pro-ject, Germany, 1998.[17] N. Leveson, Safeware. System Safety and Computer. Reading, MA: Addi-son-Wesley, 1995.
80 IEEE Control Systems Magazine October 2002
Residual 1
Residual 2
Residual 3
Pedal Sensor 1
Pedal Sensor 3
Pedal Sensor 2
Pedal Sensor 1
Pedal Sensor 3
Pedal Sensor 2
Ele
ctro
mec
hani
cal B
rake
Ped
al fo
r B
rake
-by-
Wire
MathematicalPedal Model
MathematicalPedal Model
MathematicalPedal Model
PS 1= f (PS 3)1
PS 2= f (PS 1)2
PS 3= f (PS 2)3
–
–
–
Figure 20. Sensor fault detection with parity equations for three different sensor signals.
[18] W.-D. Jonner, H. Winner, L. Dreilich, and E. Schunck, “Electrohydraulicbrake system—The first approach to brake-by-wire technology,” SAE Techni-cal Paper Series, no. 960991, in Electronic Braking, Traction, and Stability Con-trol, R.K. Jurgen, Ed. Warrendale, PA: Society of Automotive Engineers, SAE:PT-76, pp. 221-228, 1999.[19] H.E. Rauch, “Autonomous control reconfiguration,” IEEE Control Syst.Mag., vol. 15, no. 6, pp. 37-48, 1995.[20] P.R. Chandler, “Reconfigurable flight control at Wright Laboratory,”Neuilly-sur-Seine, France, vol. III, AGARD Advisory Rep. 360, Aerospace 2020,1997.[21] R.J. Patton, “Fault-tolerant control: The 1997 situation,” in Proc. IFACSymp. Fault Detection, Supervision and Safety for Technical Processes(SAFEPROCESS), vol. 2. Kingston Upon Hull, U.K.: Elsevier, 1997, pp.1033-1055.[22] J. Chen, R.J. Patton, and Z. Chen, “Active fault-tolerant flight control sys-tems design using the linear matrix inequality method,” Trans. Inst. Meas.Control, vol. 21, no. 2/3, pp. 77-84, 1999.[23] M. Blanke, R. Izadi-Zamanabadhi, S.A. Bogh, and C.P. Lunau, “Fault-toler-ant control systems—A holistic view,” Control Eng. Practice, vol. 5, no. 5, pp.693-702, 1997.[24] P. Ballé, M. Fischer, D. Füssel, O. Nelles, and R. Isermann, “Integrated con-trol, diagnosis and reconfiguration of a heat exchanger,” IEEE Control Syst.Mag., vol. 18, no. 3, pp. 52-63, 1998.[25] S. Suryanaryanan and M. Tomizuka, “Fault-tolerant lateral control of au-tomated vehicles based on simultaneous stabilization,” in 1st IFAC Conf.Mechatronic Systems, Darmstadt, Germany, 2000, pp. 899-923.[26] R. Isermann, Ed.“Tutorial Workshop IFAC Congress 1996,” IFAC J. ControlEng. Practice, Special Section on Supervision, Fault Detection and Diagnosisof Technical Processes, vol. 5, no. 5, pp. 637-719, 1996.[27] J.J. Gertler, Fault Detection and Diagnosis on Engineering Systems. NewYork: Marcel Dekker, 1999.[28] J. Chen and R.J. Patton, Robust Model-Based Fault Diagnosis for DynamicSystems. Boston, MA: Kluwer, 1999.[29] R. Isermann, Supervision and Fault Diagnosis (in German). Düsseldorf,Germany: Springer/VDI-Verlag, 1994.[30] R. Isermann, “Integration of fault detection and diagnosis methods,” inIFAC Symp. Fault Detection, Supervision and Safety for Technical Processes(SAFEPROCESS), Espoo, Finland, 1994, pp. 597-612.[31] T. Pfeufer, “Application of model-based fault detection and diagnosis tothe quality assurance of an automotive actuator,” Control Eng. Practice, vol. 5,no. 5, pp. 703-708, 1997.[32] O. Moseler, T. Heller, and R. Isermann, “Model-based fault detection foran actuator driven by a brushless dc motor,” in Proc. 14th IFAC World Congr.,vol. P. Beijing, China: 1999, pp. 193-198.[33] M.P. Henry and D.W. Clarke, “The self-validating sensor: Rationale, defini-tions, and examples,” Control Eng. Practice, vol. 1, no. 2, pp. 585-610, 1993.[34] D.W. Clarke, “Sensor, actuator, and loop validation,” IEE Control Syst., vol.15, pp. 39-45, Aug. 1995.[35] A.T. van Zanten, R. Erhardt, K. Landesfeind, and G. Pfaff, “VDC systemsdevelopment and perspective,” SAE Technical Paper Series, no. 980235, inElectronic Braking, Traction, and Stability Control, R.K. Jurgen, Ed. Warrendale,PA: Society of Automotive Engineers, SAE: PT: PT-76, pp. 373-394, 1999.[36] R.N. Clark, “State estimation schemes for instrument fault detection,” inFault Diagnosis in Dynamic Systems, R.J. Patton, J. Chen, and R.N. Clark, Eds.New York: Prentice-Hall, 1989.[37] R. Oehler, A. Schoenhoff, and M. Schreiber, “Online model-based fault de-tection and diagnosis for a smart aircraft actuator,” in Proc. IFAC Symp. FaultDetection, Supervision and Safety for Technical Processes (SAFEPROCESS),vol. 2. Kingston upon Hull, U.K., 1997, pp. 591-596.[38] A. Krautstrunk and P. Mutschler, “Remedial strategy for a permanent mag-net synchronous motor drive,” in Proc. EPE’99, Lausanne, Switzerland, 1999.[39] R. Isermann and U. Raab, “Intelligent actuators—Ways to autonomousactuating systems,” Automatica, vol. 29, no. 5, pp. 1315-1331, 1993.[40] G. Heiner and T. Thurner, “Time-triggered architecture for safety relateddistributed real-time systems in transportation systems,” in Fault-TolerantComputing (FTCD 28), Munich, Germany, 1998.[41] H. Kopetz, Real-Time Systems. Boston, MA: Kluwer, 1997.
[42] “X-by-wire, safety related fault-tolerant systems in vehicles,” Final reportof EU Project Brite-EuRam III, 3.B.5, 3.B.6, Prog. no. BE 95/1329, ContractBRPR-CT95-0032, 1998.[43] S. Poledna and G. Kroiss, “TTD: Towards drive-by-wire,” Elektonik, no.14, pp. 36-43, 1999.[44] T. Pfeufer, “Model-based fault detection and diagnosis for an automotiveactuator” (in German), Düsseldorf, Germany, VDI-Verlag, Fortschr.-Ber. VDIReihe 8, no. 764, 1999.[45] R. Schwarz, R. Isermann, J. Böhm, J. Nell, and P. Rieth, “Modeling and con-trol of an electro-mechanical disk brake,” SAE Technical Paper Series, vol.SP-1339, no. 980600 pp. 177-189, 1998.[46] R. Schwarz, “Rekonstruktion der Bremskraft bei Fahrzeugen mitelektromechanisch betätigten Radbremsen,” Düsseldorf, Germany,VDI-Verlag, Fortschr.-Ber. VDI Reihe 12, no. 393, 1999.[47] S. Stölzl, R. Schwarz, R. Isermann, J. Böhm, J. Nell, and P. Rieth, “Controland supervision of an electromechanical brake system,” in FISITA World Auto-motive Congr., 2nd Century of the Automobile, Paris, France, 1998, pp. 154-155 .[48] J. Balz, K. Bill, J. Böhm, P. Scheerer, and M. Semsch, “Advanced brake sys-tem with highest flexibility,” Automobiltechnische Zeitschrift, vol. 98, no. 6, pp.328-333, 1996.
Rolf Isermann received the Dipl.-Ing degree in mechanicalengineering in 1962 from the University of Stuttgart and theDr.-Ing. degree in 1965. In 1968, he became “Privatdozent” forautomatic control at the University of Stuttgart and, since1972, has been a Professor in Control Engineering. Since 1977he has been a Professor at the Darmstadt University of Tech-nology and head of the Laboratory of Control Engineeringand Process Automation at the Institute of Automatic Con-trol. He received the Dr. h.c. (honoris causa) fromL’Université Libre de Bruxelles and from the Polytechnic Uni-versity in Bucharest. In 1996, he was awarded theVDE-Ehrenring, the highest scientific award from Verbandder Elektrotechnik und Informationstechnik. His current re-search concentrates in the fields of identification with neuralnetworks, nonlinear digital control, intelligent control, andmodel based methods of process fault diagnosis with appli-cations for hydraulic and pneumatic servo systems, combus-tion engines, automobiles, and mechatronic systems.
Ralf Schwarz received the Dipl.-Ing. degree in electrical en-gineering in 1994. He received the Dr.-Ing. degree in elec-tronic mechanical brakes in 1998 from the DarmstadtUniversity of Technology. In 1999, he worked in the ABS/ESPdevelopment for electromechanical brakes at ContinentalTeves AG, Frankfurt. Since 2000, he has been responsible forglobal chassis control development.
Stefan Stölzl studied electrical engineering at the Univer-sity of Karlsruhe to obtain the Dipl.-Ing. degree in 1994.From 1995 to 2000, he was with Continental Teves AG andwas responsible for program management for ABS and ESP.Then he joined the Darmstadt University of Technology toperform research on a fault-tolerant pedal unit forbrake-by-wire systems. After obtaining the Dr.-Ing. degree,he returned to Continental Theves AG. Since 2001, he hasbeen a manager in the global automotive praxis at A.T.Kearney GmbH.
October 2002 IEEE Control Systems Magazine 81