Download Hardware Synthesis of Automated Electrical Fault Testing in

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
page
42
page
43
page
44
page
45
page
46
page
47
page
48
page
49
page
50
page
51
page
52
page
53
page
54
page
55
page
56
page
57
page
58
page
59
page
60
page
61
Document related concepts

Electronic engineering wikipedia , lookup

Electrical ballast wikipedia , lookup

Distributed control system wikipedia , lookup

History of electric power transmission wikipedia , lookup

Control system wikipedia , lookup

Portable appliance testing wikipedia , lookup

Electromagnetic compatibility wikipedia , lookup

Three-phase electric power wikipedia , lookup

Ohm's law wikipedia , lookup

Rectifier wikipedia , lookup

Variable-frequency drive wikipedia , lookup

Islanding wikipedia , lookup

Transistor wikipedia , lookup

Ground (electricity) wikipedia , lookup

Pulse-width modulation wikipedia , lookup

Protective relay wikipedia , lookup

Two-port network wikipedia , lookup

Resistive opto-isolator wikipedia , lookup

Voltage regulator wikipedia , lookup

Power electronics wikipedia , lookup

Current source wikipedia , lookup

Electrical substation wikipedia , lookup

Switched-mode power supply wikipedia , lookup

Voltage optimisation wikipedia , lookup

Surge protector wikipedia , lookup

Distribution management system wikipedia , lookup

Alternating current wikipedia , lookup

Buck converter wikipedia , lookup

Stray voltage wikipedia , lookup

Earthing system wikipedia , lookup

Current mirror wikipedia , lookup

Fault tolerance wikipedia , lookup

Mains electricity wikipedia , lookup

Immunity-aware programming wikipedia , lookup

Opto-isolator wikipedia , lookup

Transcript 
Hardware Synthesis of Automated
Electrical Fault Testing in Trucks
MARTIN ORRE
Degree Project in
Electrical Measurement Technology
Advanced level, 30 ects credits
Stockholm, Sweden 2015
XR-EE-MST 2015:001
Hardware Synthesis of Automated
Electrical Fault Testing in Trucks
Martin Orre
Master thesis
Electrical Measurement Technology
February 26, 2015
Abstract
In modern trucks there is a number of control units, which tasks are varying;
control of the engine, brakes, gearbox, etc. In order to ensure that these devices
work properly, they must be thoroughly tested under normal conditions but also
when they are exposed to stresses such as electrical faults (short circuit, breaks,
etc.). A breakout box, BOB, is a type of test equipment used to stress test a
controller by inducing electrical fault on its cables. It is done manually and is
time consuming.
The aim of this thesis is to develop an ABOB (Automated BreakOut Box). It
should be placed in the driver’s cab. It was designed in three different versions.
Electrical faults are simulated. They along with a test program verify that no
serious events occur for the vehicle. Literature studies of earlier works with
automated electrical faults were made initially as a background for the selection
of the automation method.
The faults that have been implemented for the prototype of the ABOB is
short circuit with different supply voltages (including earth) and breakage. This
report describes the development from a simple functional model to prototype
with a focus on the hardware. The ABOB can run automatically without human
interaction except at boot time. The ignition needs only to be switched on and
the device can work in the evening and at night. The results were that the
implemented ABOB could simulate the given electrical faults with verification.
The automation method proved feasible.
The work has been done in cooperation with Anna Bladh. This report
takes up the hardware of the prototype for the three versions. Anna’s report
describes the software in the System design of automated test equipment for
electrical control units into trucks.
I
Sammanfattning
I moderna lastbilar sitter ett flertal styrenheter, vars uppgifter varierar; styrning
av motor, bromsar, växellåda osv. För att säkra att dessa enheter fungerar som
de ska måste de testas noggrant - dels under normala förhållanden men också
då de utsätts för påfrestningar såsom elektriska fel (kortslutning, avbrott osv.).
En breakout box, BOB, är en typ av testutrustning som används för att stress
testa en styrenhet genom att inducera elektriska fel på dess kablage. Det görs
manuellt och är tidskrävande.
Syftet med det här examensarbetet är att ta fram en ABOB (Automatiserad
BreakOut Box). Den ska placeras i förarhytten. Under arbetets gång designades
ABOB:en i tre olika utföranden. Elektriska fel simuleras. De tillsammans med
ett här framtaget testprogram verifierar att inga händelser inträffar för fordonet.
Litteraturstudier av tidigare arbeten med automatiserade elektriska fel gjordes
inledningsvis som bakgrund för valet av automatiseringsmetod.
Felen som har implementerats för ABOB-prototypen är kortslutning med
annan matningsspänning (inklusive jord) och avbrott. Denna rapport beskriver
utvecklingen från en enkel funktionsmodell till färdig prototyp med fokus på
hårdvaran. ABOB:n kan köras automatiskt utan att tillsyn erfordras utom vid
uppstarten. Tändningen behöver bara slås på och enheten kan arbeta kvälls- och
nattetid. Resultaten blev att den implementerade ABOB:en kunde simulera de
givna elektriska felen med verifiering. Den framtagna automatiseringsmetoden
visade sig genomförbar.
Arbetet har skett i samarbete med Anna Bladh. Den här rapporten tar upp
prototypens hårdvara för de tre versionerna. Annas rapport beskriver mjukvaran i System design of automated test equipment for electrical control units in
trucks.
II
Acknowledgement
I would like to thank our examiner Hans Sohlström at KTH for his feedback.
Grateful thanks to Daniel Frykman for his willingness to give his time and
support has been very much appreciated. Thanks to Peter Samuelsson, head
of Scania ECU Support Tools for making this thesis possible. I am particularly
grateful for the assistance given by Tommy Andersson at Scania for providing
with software and mechanical tools for prototyping. Their support and my
other contacts at the Scania Concern have given me the possibility to learn
about the truck automotive technology and its electrical components by summer
jobs and the performance of this thesis. I would like to express my very great
appreciation to my thesis partner Anna Bladh for her great contributions in this
thesis project. Also special thanks to my parents Bengt and Grazyna Orre for
supporting me through my entire studies at KTH.
III
Abbreviations
ABOB Automated BreakOut Box
ABS
Anti-lock braking System
ADC
Analog to Digital Converter
ASIC Application Specific Integrated Circuit
BJT
Bipolar Junction Transistor
BOB
Break Out Box
CAD
Computer Aided Design
CAN
Controller Area Network
CNC
Computer Numerical Control
CS
Chip Select
DAC
Digital to Analog Converter
DTC
Diagnostic Trouble Codes
DVM Digital Voltage Meter
ECU
Electronic Control Unit
EMS
Engine Management System
ENOL ENable Or Latch
ENW ENable Write
FPGA Field Programmable Gate Array
HIL
Hardware-in-the-Loop
HWIFI HardWare Implemented Fault Injection
I2P
a Network within a Network
IO
In/Out
ISP
Internet Service Provider
LED
Lightning Emitting Diode
IV
MCU Micro Controller Unit
MCU Microcontroller unit
MOSFET Metal Oxide Semiconductor Field Effect Transistor
MUX MUltipleXer
NE
The department NE (Powertrain Control System) at Scania
NEVE The division (Powertrain Control Sys.Engine) at Scania
NTC
Negative Temperature Coefficient
OBD
On Board Diagnostic System
OP
OPerational Amplifier
PCB
Printed Circuit Board
PIC
Peripheral Interface Controller
PTC
Positive Temperature Coefficient
PWM Pulse Width Modulation
RAM Random Access Memory
RISC Reduced Instruction Set Computing
SFI
Simulated Fault Injection
SPI
Serial Peripheral Interface
SRAM Static Random Access Memory
SWIFI Software Implemented Fault Injection
TRACO Manufacturer of power supply
USB
Universal Serial Bus
WR
WRite
V
List of Figures
2.1
2.2
3.1
3.2
3.3
3.4
3.5
A model of the ECU connected to the sensors and actuators of
a vehicle. The ”Process” block represents the vehicle while the
ECU handles A/D and D/A conversion, sample and hold and the
computational tasks[7]. . . . . . . . . . . . . . . . . . . . . . . . .
The control units are connected to the CAN network through
which they communicate parameters between each other. Diagnostic messages are also transported via CAN . . . . . . . . . .
The BOB is connected between the ECU and the system it controls. It allows the user to have access to the wiring and connect
external devices in serial or parallel to the I/O of the ECU. In
this example the user has (from the top); 1) connected an external voltage source (potentially causing a short circuit), 2) left
out wiring (causing open load), 3) added a potentiometer to manipulate sensor values, 4) connected a multimeter to monitor the
signals in the wire . . . . . . . . . . . . . . . . . . . . . . . . . .
A previous model of an ABOB. On the right hand side of the
picture the relays E-H are used to supply the rail with a variable
voltage (making it a short circuit source). On the left hand side,
additional relays are used to 1) disconnect the load and 2) connect/disconnect the rail from the ECU’s I/O ports. (Source: H.
W. Daniel Frykman, Automation of electrical testing of powertrain software in heavy vehicles, Master’s thesis, KTH, 2013.) .
A grid structure to control the relays. To control the relay at
row 1 and column 2, GPIO R1 and GPIO C2 must be activated.
However, it is not possible to simultaneously control the relay at
row 2 and column 1 (activate GPIO R2 and GPIO C1 ) without
involuntarily activating the relays at row 1, column 1 and row
2, column 2. The grid structure decreases the amount of needed
control signals at the cost of losing the ability to control the relays
independently. (Source: H. W. Daniel Frykman, Automation of
electrical testing of powertrain software in heavy vehicles, Master’s thesis, KTH, 2013.) . . . . . . . . . . . . . . . . . . . . . . .
Patent US 5214582 A. (Source: Moshe Gray, US5177447 A) . . .
Patent US 5177447 A. (Source: Joseph A. Marino, Raymond H.
Niemetschek, patent US 5177447 A) . . . . . . . . . . . . . . . .
VI
6
7
11
12
13
14
15
4.1
Principle schematic for ABOB. Showing N number of fault units
connected between ECU and sensors/actuators. They are controlled by a Microcontroller from a data distribution system. . .
4.2 Principles of control signals latches. . . . . . . . . . . . . . . . . .
4.3 The hardware structure consisting of a microcontroller connected
to a RAM memory in latching principle. The Ram and microcontroller are connected to the data distribution system (Latch0Latch3). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.4 Simple model of fault induction unit inducing an open load fault.
4.5 Simplified electrical model of analog voltage sensor (left of ECU),
inductive sensor (bottom of ECU) and resistive sensor connected
(right of ECU) . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.6 Exemplifies how the transistors are connected to ECU for inducing faults. Points (1-6) are control signals . . . . . . . . . . . . .
4.7 Block scheme for inducing electrical faults . . . . . . . . . . . . .
4.8 Realisation of block scheme into circuit . . . . . . . . . . . . . . .
4.9 Schematic to measure current with amplification . . . . . . . . .
4.10 Block scheme for inducing electrical faults and verification on one
pin with the relays in upper position . . . . . . . . . . . . . . . .
5.1
5.2
5.3
5.4
5.5
6.1
6.2
19
20
21
22
25
26
28
29
32
34
Block diagram resembling the difference between new (last) and
old (second) version . . . . . . . . . . . . . . . . . . . . . . . . .
Arduino slave microcontroller with two fault units realized as
block diagram . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Schematic showing +30V and -10V voltage supply, where PWS
is a Traco DC-DC converter . . . . . . . . . . . . . . . . . . . .
Scheme with an Arduino master connected to USB. An external
interrupt and I2C bus where rest of the slave units are connected
to. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Soldered slave unit on PCB . . . . . . . . . . . . . . . . . . . . .
38
39
Pic16f877a microcontroller connected to a data distribution system soldered on the prototype board . . . . . . . . . . . . . . .
Soldered slave unit on PCB . . . . . . . . . . . . . . . . . . . . .
41
42
VII
35
37
38
Contents
Abstract
I
Sammanfattning
II
Acknowledgement
III
List of Figures
VI
1 Introduction
1.1 Purpose . . . . . . .
1.2 Problem formulation
1.3 Restrictions . . . . .
1.4 Method . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
1
2
2
3
3
2 Automotive Control Systems
2.1 ECU . . . . . . . . . . . . . . . . . .
2.2 Diagnostics . . . . . . . . . . . . . .
2.3 ECU testing . . . . . . . . . . . . . .
2.4 Fault injection (under ECU testing)
2.5 HIL testing . . . . . . . . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
5
5
7
8
8
9
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
3 Break-out box
10
3.1 Breakout box automation . . . . . . . . . . . . . . . . . . . . . . 10
3.2 Fault injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
3.3 Measurements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
4 Introductory studies and implementation
4.1 The concept . . . . . . . . . . . . . . . . .
4.2 Hardware . . . . . . . . . . . . . . . . . .
4.3 Microcontroller . . . . . . . . . . . . . . .
4.4 Carrying out the ABOB princple . . . . .
4.5 External memory . . . . . . . . . . . . . .
4.6 Multiplexing . . . . . . . . . . . . . . . .
4.7 Fault induction units . . . . . . . . . . . .
4.8 MOSFET transistor . . . . . . . . . . . .
4.9 First version . . . . . . . . . . . . . . . . .
4.10 Analog voltage sensor . . . . . . . . . . .
4.11 Resistive sensor . . . . . . . . . . . . . . .
4.12 Frequency sensor . . . . . . . . . . . . . .
VIII
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
16
16
17
18
19
20
21
21
22
23
23
24
24
4.13
4.14
4.15
4.16
4.17
4.18
4.19
4.20
4.21
Prototyping first version .
Evaluating first version . .
The second version . . . .
Robustness . . . . . . . .
Hardware design . . . . .
Measurement . . . . . . .
Current measurements . .
Verification . . . . . . . .
Prototype second version
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
26
26
27
28
29
31
31
33
34
5 Last version
35
5.1 Master node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
5.2 Prototype last version . . . . . . . . . . . . . . . . . . . . . . . . 37
6 Results
40
6.1 First version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
6.2 Second version . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
6.3 Last version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
7 Conclusion and future work
43
7.1 Suggestions for future work . . . . . . . . . . . . . . . . . . . . . 44
Bibliography
44
IX
X
Chapter 1
Introduction
Vehicles of today are far from only mechanical constructions. Advanced electrical systems are used to monitor and control various parts - the engine, the
gearbox, the brakes etc. As the complexity of control systems in vehicles increases, the need for rigorous testing becomes important and decisive for the
validation of the design.
An ECU (Electrical Control Unit) is a device which has the task to control
a part of the vehicle. It monitors sensor values (oil pressure, temperature etc.)
and manages actuators. It can transmit messages to other intelligent systems
over the CAN (Controller Area Network) bus. Within Scania there are currently
20 different ECU:s, specialized on engines, gearboxes, brakes, steering, etc[1].
What would happen if a wire connected to the ECU becomes short circuited or breaks? If the hardware and software in the ECU are functioning as
intended, a dangerous situation should not occur. To ensure this behaviour,
comprehensive testing is needed whenever a modification of the ECU has been
made. While methodologies such as software unit testing are powerful, they are
not sufficient to cover unexpected electrical faults. To simulate malfunctioning
hardware, it is necessary to induce the possible faults. One way of doing this
is to use a BOB (Break Out Box). It is a manually manouvered device which
can generate the desired faults by using switches, potentiometers etc. However,
conducting a manual test is a time consuming process, potentially vulnerable
to mistakes caused by the human factor. Could an automated process be used
to perform the tests? This master thesis aims to investigate the advantages
and drawbacks of an ABOB (Automated Break Out Box) design and is finally
implementing it and evaluating its performance.
Scania is a company that develops and manufactures trucks, buses and industrial and marine engines. It was founded in 1900 in Malmö, Sweden, and
eleven years later was joined with the railcar, car and truck manufacturer Vabis
(founded 1891) with headquarters in Södertälje Sweden. It is owned by
Volkswagen since 2014.
This thesis project is carried out at Scania, Södertälje at the department
NE (Powertrain Control System) within the division NEVE. The latter is responsible for the testing of the gearbox and for the development of PC-tools for
diagnostics of the electrical control systems in vehicles.
Cooperation has been carried out with Anna Bladh. This report takes up
the hardware of the prototype for the three versions. Anna’s report describes
1
the software. Chapter 1 (introduction) and portions of Chapter 2 (literature
review) are similar in both reports. The interested reader is advised to read
also the report System design of automated test equipment for electrical control
units in trucks by Anna Bladh for additional information about the software.
1.1
Purpose
The objective of this thesis is to develop a device which can facilitate the testing
process of ECU:s in vehicles. Test equipment which is reliable and that offers
a high degree of coverage is desirable not only for the well-functioning of the
vehicle but also, more importantly with the ABOB, for the safety of the driver
and other road-users exposed to it.
By applying standardized test sequences each time an update of the control
system has been made (typically in software), the chances of catching unwanted
bugs increases. With automatized methods - computer controlled testing - the
tests are guaranteed to be executed in a structured manner. This diminishes
the risk of missing a case and allows comparison between identical tests that
have been carried out on different ECU software and hardware versions.
Automatized tests allows engineering resources to be put on developing test
cases and/or algorithms for auto-generation of tests instead of on manual management of tests.
1.2
Problem formulation
The main content of this thesis is to design the test equipment for the electrical
control units in a truck, a so called ABOB. It will be a computer controlled
hardware device which can induce a predefined set of electrical faults - simulating
a real situation when a wire is short-circuited or a sensor gives a faulty value etc.
The requirements are set to guarantee an automated and robust system which
can be used as a complement to today’s testing techniques and to partially
replace the manual testing. The design requirements to be fulfilled are the
following:
• The device should be portable and possible to plug in between an electrical
control unit and the sensors/actuators/communication buses connected to
it.
• All pins on the ECU should be reachable and controllable simultaneously
and independently of each other.
• The device should be compatible with all Scania’s ECU:s.
• The faults that should be possible to generate are: Short circuits to a
variable voltage source (0-24 V), open loads and simulation of a faulty
analog sensor values.
• The system must run autonomously without the need for human supervision, except during startup. Only the vehicle ignition needs to be turned
on. (No driver required, the car system with the ABOB can operate during
night times.)
2
• The system must make measurements (of currents/voltages) to ensure that
the faults that are supposed to be induced, actually are induced.
• The system should act as a number of passive wires when not in operation
(no faults induced), i.e. it should not affect the nominal environment of
the ECU.
• The system should be manageable from computer based test scripts.
• The system should be modularized, which makes it easy to replace parts
and to extend the design.
1.3
Restrictions
The ABOB is a computer aided testing device which can be used as a supplement
to manual testing. It is automatized, but not intelligent - i.e. it executes faults
specified in a manually written test script. It is particularly well suited for long
test runs (e.g. during night times) on a vehicle that is not in motion. However,
many tests still require human interaction - an example could be ”bad choice of
gear when ascending a hill”. For a realistic testing of this, driving up a hill is
obviously preferable!
There are numerous faults that can occur on the wiring connected to the
ports of the ECU and all of them are not covered in this thesis. Focus is put
on common faults such as a loose cable (generating a short circuit or an open
load) or a broken sensor.
The concept is tested on one of Scania’s ECU:s and its performance is evaluated. However, the design is duplicable (only a remapping of the ports and
the changing of contacts should be necessary when switching ECU).
The verification of the design is limited. If considering full coverage when
all the faults that can be induced are executed in all different combinations, the
number of test cases will exceed what is reasonable to achieve ( 140 pins, several
faults per pin). A smaller set of test cases is used to evaluate the prototype.
The design uses current limitation which prevents an induced fault to become
a full-scale short circuit of the vehicle battery. This however means that this
kind of fault is not fully simulated.
1.4
Method
The design of the ABOB consists mainly of two parts: one is the design of the
hardware which creates the induced faults and the second is the software that
controls the system.
This report describes the hardware architecture of the automated breakout
box. The thesis: System design of automated test equipment for electrical control
units in trucks by Anna Bladh describes the same system but from a software
point of view.
The content of the introducing chapters 2 and 3 in this report with information that is important to understand the whole picture is more or less common
for both reports.
The approach applied is to base the ABOB functionality on a pre-study,
which contains a practical part and a literature part. The practical part is
3
to participate in a test drive with a manual BOB, operated by the driver of
the truck. From this, the strengths and the weaknesses of the manual testing
concept can be identified and the desired functionality of the ABOB will be
stated. The literature part covers topics such as: Testing methods currently in
use, previous designs with focus on automation and general descriptions of the
relevant systems, needed for the understanding of the problem (the ECU is one
example).
When the overall design is ready, the implementation is straightforward: The
PCB:s (Printed Circuit Boards) are designed, a computer interface is made and
the algorithm for error induction is put in a micro-controller. The verification
is done by comparing the faults that the computer asked the micro-controller to
induce to the faults that were actually detected by the embedded measurement
system.
This thesis report is describing at first the automotive control system. Then a
study of the literature is presented. After that the work from idea to prototypes
in two development stages is described. Version three of the prototype (last
version) is then the result of the project.
4
Chapter 2
Automotive Control
Systems
From the early days of automotive industry until today’s vehicles, the on-board
systems have grown to be numerous and complex - from being strictly mechanical/electrical constructions to containing intelligent control systems for many
types of functionalities. A modern car has at least 30 microprocessors, which
are used for various purposes: to increase safety, reduce emissions, improve
comfort, to monitor and keep diagnostics of the state of the vehicle or to supply
the driver with entertainment and other luxuries to further improve the trip
experience[2][3][4].
The intelligence is embedded in the ECU:s, each one responsible for a part of
the vehicle (brakes, gearbox, engine, lights etc.). Although controlled by their
unique ECU, the parts cannot be considered as isolated but instead as integrated
in a larger system and in need for a network to communicate information between each other. The CAN bus, Controller Area Network, is a communication
link used for distributing information between ECU:s and devices connected
to it, allowing for example the gearbox to receive knowledge about activated
brakes or an accelerating engine (making it possible to automatically adjust to
an appropriate gear if the functionality is implemented) etc.
2.1
ECU
The number of ECU:s in an automotive system and the functionality they provide differ between vehicles. The EMS, Engine Management System, is a control
unit that concerns the engine. It controls fuel injection, ignition timing, emission levels, cooling fan etc. It directly monitors airflow, engine temperature,
oil pressure and throttle position through sensors[5][6]. Brakes, airbags, cruise
control, battery, automatic transmission, seats and doors are other examples of
components in a modern car which are monitored and controlled by ECU:s[5].
The ECU has a set of inputs given by sensor values and switches etc, through
which it monitors the current state of the vehicle. It produces output in form of
signals to actuators, switches and messages on the CAN bus. Typical outputs
are[4][5]:
5
Figure 2.1: A model of the ECU connected to the sensors and actuators of a
vehicle. The ”Process” block represents the vehicle while the ECU handles A/D
and D/A conversion, sample and hold and the computational tasks[7].
• Digital signals (switching a cooling fan on/off, open/close fuel injectors)
• Supply voltage to analog sensors.
• PWM/analog voltages (variable duty cycle for fuel injection etc.)
• Frequency (stepper motors etc.)
Typical inputs are [4] [5]:
• Analog inputs (oil pressure, coolant temperature etc.)
• Digital inputs (switches)
• Frequency (camshaft,crankshaft position etc)
The ECU can be modelled as a hybrid control system: A system operating
in both the time continuous and the discrete domain. It collects time continuous
values through the sampling of sensor values and calculates discrete output to
feed the actuators[7]. It is a closed-loop control system, i.e. it uses feedback data
from the sensors to determine the next step’s output values to the actuators[8].
A simplified model is seen in Figure 2.1.
A system controlled by the ECU is fuel injection as a function of how hard
the driver presses the accelerator. As the ECU observes that the throttle valve
opens, it increases the fuel rate[9]. Another example is the antilock braking
system (ABS) which uses information about wheel speed, vehicle speed, brake
position etc. to control each wheel separately by feeding the appropriate input
to the different actuators[8].
Several ECUs cooperate via the CAN network[7]. The model of the control unit as a single block controlling a subsystem of the vehicle is therefore
expanded: Each ECU also takes input from other units and can based upon
the received data regulate its own system. The CAN bus is also used for transmitting diagnostic messages with trouble codes and operating parameters see
Figure 2.2
6
Figure 2.2: The control units are connected to the CAN network through which
they communicate parameters between each other. Diagnostic messages are also
transported via CAN
2.2
Diagnostics
When the oil level is too low or the ABS is not working properly, a light pops
up on the dashboard to inform the driver that something is wrong. Since the
1980’s a vehicle contains an On-Board Diagnostic system, OBD, built out of a
library of DTC:s (Diagnostic Trouble Codes). Whenever a fault is detected by
a control unit, the code is transmitted via the communication network - with
the possibility to not only convey the information to the dashboard and other
internal components of the vehicle, but also to an off-board diagnostic tool (if
activated). This gives the technician the possibility to access diagnostics reports
and efficiently troubleshoot the system[4].
The diagnostic system was originally limited to displaying a fault code once
a failure had already occurred, i.e. a sensor gives a value which is out of range
of what is acceptable. However, this implies that the damage might already
be done. The first OBD system was upgraded to be more extensive and complex: OBD-II. In the second version, the system is continuously surveyed and
the gradual degradation of components can be noticed before a severe fault
actually occurs[10]. The format of the DTC:s in OBD-II follows the standard
SAE J2012: A five character long code with separate fields for deciding the
character of the fault. The fields are divided into: Type of fault(powertrain,
communication network, chassis, body), indication if the fault code is generic
or manufacturer specific, the system from which the fault origins (fuel and air
metering, transmission etc.) and at last the identification number of the specific
fault[10][11].
7
2.3
ECU testing
To ensure a safe and predictable behaviour of the vehicle, it is necessary that
the control units are working properly - the hardware and software need to
deliver the intended behaviour. An important part in the development of new
functionality for the ECU is testing. Before the release of new software, thorough
testing must be conducted to confirm that requirements are met, that previous
functionality remains intact and that the new features do not jeopardize the
safety of the ride. The verification process includes pure software testing (such
as unit testing), tests in vehicles and/or simulators and stress tests. The latter
means to expose the ECU to harsh conditions - extreme temperatures, vibration,
short circuits, communication failure etc[12]. The ECU passes the tests when
both hardware and software behave as supposed to and that no safety critical
incidents happened during the process.
During a vehicle ride, the inputs and outputs of the the ECU will vary
with factors such as speed, temperature, terrain, driving style, time in motion
etc. The input values fed to the controller will continuously change and the
algorithms in charge of the feedback should hence update output signals with
suitable values for the actuators. If an unexpected fault occurs, such as an
electrical fault (two wires of different polarity causing a short circuit, a wire
breaking etc.), the vehicle should respond in a controlled manner to avoid safety
issues and permanent damage to the hardware. It must let the driver maintain
control over the vehicle even when there’s electrical fault, safely taking it to the
roadside. To realistically be able to test the ECU behaviour under both normal
and abnormal conditions, physical input and output that act like the real vehicle
must be provided. A simulator or the vehicle itself can be used for this purpose.
To test the response of the ECU:s when exposed to electrical faults, the test
equipment that can induce the faults should be used.
During a test session, data from CAN will reveal the values of different
sensors and the trouble codes that become active. An efficient way to evaluate
the outcome of tests on a vehicle/simulator is to check that the DTC log and
the parameter values produced during the test session matches the expected.
2.4
Fault injection (under ECU testing)
A fault-tolerant and robust system should, apart from behaving as specified
during normal operation, handle stress conditions safely. The testing process
must therefore be designed to cover different types of abnormal operating circumstances, among which are electrical faults. A widely adopted approach is
to expose the object under test to intentional fault injection.
A fault is an abnormal deviation from the expected behaviour. A fault might
lead to failure: An event that occurs as a consequence of the abnormal operating
state. To test how the system system respones to faults, methods for inserting
the actual faults are applied[13].
System testing under the injection of deliberate faults is used in several fields:
Software, hardware and during simulation[13][14]. In SWIFI (Software Implemented Fault Injection) faults that can occur during the execution of hardware
and/or software are created programmatically. In HWIFI (HardWare Implemented Fault Injection) the actual physical faults are induced (which requires a
8
prototype). SFI (Simulated Fault Injection) injects simulated faults to estimate
the behaviour of the system before a prototype is available[13].
Different types of fault injecting techniques exist. In languages such as
SystemC or VHDL, common methods are[13][15][16]:
• Saboteurs: Additional components added to the system with the sole
purpose to sabotage signals etc
• Mutants: Components that replace other components of the system but
exhibit another behaviour.
• Simulator commands: Parameters of the system which can be directly
manipulated in a simulator.
Although being often mentioned in programming contexts, the approach is
applicable for other types of systems as well. The fault injecting breakout box
is an example of a type of saboteur, i.e. an extra module added only to disturb
the system.
2.5
HIL testing
HIL (Hardware In the Loop) is a technique used for testing control systems
under simulation of the physical environment it is normally integrated in. In an
automotive context, the HIL simulator models a part of or the entire vehicle.
The simulator emulates the sensors and actuators of the actual system and
respond in real-time to the changes that the connected ECU might impose on
the signals (i.e. an actuator stimuli from the ECU should trigger the simulator to
update sensor values accordingly)[8][17]. A well-made simulator closely imitates
the reality and can be used to replace tests that otherwise would have to be
performed on the actual hardware. It can also be used to apart from simulating
the hardware under normal conditions to simulate electrical failure or similar
malfunction of the system[18].
HIL simulators are widely used in the automotive industry - almost all manufacturers apply the test method. The automation of test cases and the simplicity
of reproducing the same test sequence repeatedly makes the equipment a powerful tool for finding errors in the ECU design (values, short circuits)[19]. A
BOB can be connected to a HIL simulator or to the real hardware.
9
Chapter 3
Break-out box
A BreakOut Box, BOB, is a testing tool that permits direct access the I/O
ports of the ECU. The term breakout refers to the insertion of the device between two electric components which normally are connected only by wires (i.e.
performing a breakout on the wiring)[20]. During the testing phase, the box is
mounted between the ECU and its sensors/actuators. It allows eavesdropping
on and manipulation of the signals passing through the cables. It can be used
to verify that the signals act according to the specifications (by adding external
measurement equipment or to integrate it in the box itself) and/or to generate
external stimuli (false sensor values, ruptures, short circuits). A breakout box
can be connected to a HIL simulator or to the real hardware.
The BOB can be operated manually by using switches, potentiometers etc.
for signal generation and multimeters, oscilloscopes etc. for monitoring and
verification. The outcome of the tests is retrieved by inspection of the DTC
log, measurements and the observed behaviour of the hardware. The BOB can
easily be used in a vehicle instead of in a simulator, and thus it is guaranteed
to achieve the accurate behaviour of the hardware under test. However, the
generation of test cases and the management of the test object (driving the
vehicle) must be done by a human see Figure 3.1.
The breakout box can also be automated, i.e. controlled from a computer
application. By letting the test cases be script based, the BOB can operate
autonomously and without human supervision. This is typically useful when
performing long test runs (e.g. night time) without the need for the vehicle to
be in motion. Some of the tests normally executed in a HIL simulator could be
replaced by an automated breakout box (electrical failure, faulty sensor values).
Compatibility with scripting frameworks used for HIL testing facilitates the use
of both techniques.
3.1
Breakout box automation
The automation of breakout out boxes for automobile applications has previously been studied, with a set of different implementations as outcome. As
earlier mentioned, the term breakout box refers to a device which gives access
to the signals of normally isolated/intact wires, but its usage is more ambiguous.
Automated, just like manual, BOBs can be used for different purposes: Often
10
Figure 3.1: The BOB is connected between the ECU and the system it controls.
It allows the user to have access to the wiring and connect external devices in
serial or parallel to the I/O of the ECU. In this example the user has (from
the top); 1) connected an external voltage source (potentially causing a short
circuit), 2) left out wiring (causing open load), 3) added a potentiometer to
manipulate sensor values, 4) connected a multimeter to monitor the signals in
the wire
fault injection or voltage measurements. Some earlier implementations of both
types will be presented in this chapter, where the first type is closely related
to the core of the thesis problem formulation (how to induce faults), and the
second type to the verification of the system (how to verify that a fault was
induced).
3.2
Fault injection
A fault injecting breakout box is a unit added to the system to sabotage the
signals from/to the ECU. There already exists studies on these types of BOB:s.
This thesis project is a continuation of an earlier project at Scania. The previous prototype was designed to induce electrical faults on the ECU wiring from
a computer based Python script. The faults that could be induced were: Open
load and short circuit to a variable voltage source with connected or disconnected load (with the possibility to limit the short circuit current to a value
that could be set by a potentiometer).
The device is seen in Figure 3.2. It contained one rail - a conductor which
could deliver different voltages depending on the configuration of four relays,
one potentiometer and one digital-to-analog converter (displayed on the right
hand of the rail in Figure 3.2 ). The rail is shared between all the connected
ports of the ECU.
For every additional wire connected to the ABOB, the principle requires one
relay responsible for connecting/disconnecting the load from the short circuit
11
Figure 3.2: A previous model of an ABOB. On the right hand side of the picture
the relays E-H are used to supply the rail with a variable voltage (making it
a short circuit source). On the left hand side, additional relays are used to
1) disconnect the load and 2) connect/disconnect the rail from the ECU’s I/O
ports. (Source: H. W. Daniel Frykman, Automation of electrical testing of
powertrain software in heavy vehicles, Master’s thesis, KTH, 2013.)
source (the rail). This corresponds to relay B and C, used for wires 1 respectively
2 in Figure 3.2. To disconnect the load from the ECU, another relay is used,
seen as relay A and D in the same figure.
This concept requires two relays per connected cable and four additional
(shared) relays to supply the rail with the correct voltage. The design rapidly
becomes large and the amount of control signals needed soon exceeds the number
of I/O ports on a microprocessor. To solve the I/O problem, the relays were
arranged in a grid, see Figure 3.3. The grid structure decreases significantly
the amount of I/O ports needed: Each relay is now controlled by two signals,
but the signals are shared between several relays. A grid with the dimensions
m x n allows m + n control signals to control m x n relays, but they cannot be
controlled independently.
From the first version of the ABOB some strengths and weaknesses were
identified and later used to form a basis for this thesis project. Clear strengths
were the diversity of faults the BOB could induce (covering well the requested
behaviour) and the robustness it offered (using components for high power applications). A drawback of the clever mechanism used for accessing many relays
with few I/O ports of the microcontroller was the limitation it put on the number of faults that could be induced simultaneously (one or possibly several,
where the latter requires that the corresponding relays are placed in the same
row or column of the grid structure). The same holds for the variable voltage
source - since the rail is shared between all relays, only one voltage can be supplied per test case. Another shortcoming of the first version of the ABOB was
that if something goes wrong during the induction of a fault (due to a defective component, a communication fault etc.) the user of the system will not be
informed.
12
Figure 3.3: A grid structure to control the relays. To control the relay at
row 1 and column 2, GPIO R1 and GPIO C2 must be activated. However,
it is not possible to simultaneously control the relay at row 2 and column 1
(activate GPIO R2 and GPIO C1 ) without involuntarily activating the relays
at row 1, column 1 and row 2, column 2. The grid structure decreases the
amount of needed control signals at the cost of losing the ability to control the
relays independently. (Source: H. W. Daniel Frykman, Automation of electrical
testing of powertrain software in heavy vehicles, Master’s thesis, KTH, 2013.)
Two new requirements were thus added in this project: 1) the connected
ECU cables should be controllable independently, 2) a verification system to
confirm that faults are actually executed should be implemented. The functionality of the BOB should however remain similar.
3.3
Measurements
Another type of breakout box is one that allows eavesdropping on signals in
order to provide diagnostics information to for example a technician. A manual
BOB would require equipment such as multimeters and oscilloscopes, while the
ABOB could do the measurements automatically and either return the raw
data to the operator or perform the analysis itself and return a report. Several
ABOBs with the purpose of facilitating the process of troubleshooting vehicles
have been patented. Two examples are the patents US 5177447 A (1993) and
US 5214582 A (1993) which both discuss: To allow a script to execute test cases
on selected points in the wiring.
The breakout box in patent US 5214582 A is described as an active BOB. It
consists primarily of two parts: Surveillance of the signals passing through the
wiring and a system for actively controlling the network of sensors/actuators of
the vehicle. The BOB can, except for measuring voltages in the normal operating state of the vehicle, also manipulate the inputs of the ECU and actuators.
It can provide false ECU input by disconnecting a regular sensor and replacing
its output by a generated signal, or false input to actuators by disconnecting
13
Figure 3.4: Patent US 5214582 A. (Source: Moshe Gray, US5177447 A)
the ECU and generating a fake stimuli. The behaviour of the ECU can hence
be tested and diagnosed under both real circumstances (when the ECU and
sensors/actuators work as intended and the BOB only performs measurements)
and under a partly simulated test sequence (a sensor value is replaced by a fake
one etc.). The breakout box is seen in Figure 3.4.
Following the numbering in the figure 3.4: The ECU is seen in (10) and the
sensors/actuators in (35). A breakout of the wiring is done in (20) and (16), and
the BOB is plugged in with contacts (50) and (48). An enlarged image of the, by
the BOB modified, wiring is seen in (40). The two vertical ”rails” represent; (to
the left) the ECU side of the wiring, (to the right) the sensor/actuator side of
the wiring. To disconnect an ECU port from a sensor/actuator, simply open the
corresponding switch, seen in between the rails. To connect an external stimuli,
use one of the switches outside of the rails - they connect a D/A converter which
is controlled by the BOB application to the ECU ports or actuators. The wires
are continuously monitored by the application. A multiplexer (59) selects a
cable on which A/D conversion (58) is performed before the measurement data
is fed to the CPU (52). The BOB is controlled by a script (60).
The BOB in US 5177447 A is designed to strictly perform measurements of
voltage and resistance. It accesses different points in the ECU wiring by the
use of script controlled multiplexers. When scanning a vehicle for faults, it can
be of importance to measure the resistance between a pair of pins on the ECU
(detecting short circuits, open circuits etc.) as well as voltage measurements of
the signals. The circuitry for performing these measurements is seen in Figure
3.5.
Following the numbering in figure 3.5: The points in the ECU wiring
on which measurements should be performed are selected (according to a test
14
Figure 3.5: Patent US 5177447 A. (Source: Joseph A. Marino, Raymond H.
Niemetschek, patent US 5177447 A)
script) by multiplexer circuits (70), (72), (82) and (84). The top two multiplexers (70) and (72) connect two arbitrary pins to an active circuit. The resistance
between the selected pair of pins is seen as Rx in the picture. The active circuit
consists of an external voltage source (56) and two known resistances R1 and
R2 which are connected in series to the selected load Rx . Applying a predefined voltage over the circuit containing Rx , R1 and R2 will cause a voltage
division between the components. Multiplexers (82) and (84) connect Rx to a
DVM (Digital Voltage Meter) for registration of measurement data. By using
the ratio between the voltages over Rx and the known resistances, the value of
Rx can be calculated.
15
Chapter 4
Introductory studies and
implementation
Designing and prototyping a fully functional system was a big objective in this
thesis and the following section will shortly summarise how The ABOB was
developed. This is a complex system due to a large amount of components and
different technologies cooperating with each other, such as analog, digital and
high power electronics. In order to achieve this goal of a working prototype it
is important to have a simple and structured design.
The entire system was divided into three modules, power module, fault induction unit and control unit. This will help to make this problem more transparent and simplified when it comes to prototyping. The design process began
with a simple version of the prototype and then an extension of extra functionally was made to fit all constraints. This thesis covers linearly how this device
was designed, from a first idea to a fully working prototype.
It was not straightforward to develop and create an ABOB. Two major
design changes were performed after the first version in order to get a working
concept. The final prototype contained two boards, a power/master- and slave
board. The changes were made to make the ABOB more generic and more
modular. More information about all three modules will be given in the following
sections.
When the main hardware structure is ready the detailed hardware design
and the implementation of the control system remains. Several different ABOB
systems were developed during the project and will be presented in chronological
order in the thesis starting from a simple system and ending with the last
design which also became the final product. The results of the thesis were from
the testing of three different development stages (versions) of the prototype on
one truck. The first version was giving results that were evaluated before new
solutions were implemented to the next version of the prototype. The same
procedure was repeated before the designing of the last version.
4.1
The concept
A test device is intended to be connected to the ECU that will cause electrical
faults as controlled by a computer application. The application is developed in
16
the Python language. A test engineer then writes a test script defining which
IO-pins should be tested with electrical faults and what type of faults. This
system should be compatible with all power-train ECU:s and old test sequences
can be saved and edited in the application as a test-file for future usage. This will
make it easy for the engineers to reuse old test sequence and edit the current test
cases. The computer application can communicate with the ABOB control unit
through USB-transmission while the control unit is sending commands to the
fault induction unit which is connected to IO-pins on the ECU. The control unit
will take measurements on the induction unit to verify that a fault actually is
occurring and send back the information to the application, giving a verification
that all faults are actually induced.
As the time goes more things will be controlled by software and the embedded system research will develop more advanced units. New ECU models will
replace the old ones with different hardware architecture, the computer technology and number of IO-ports might increase, therefore it is important that this
system is scalable and generic.
The possibility of dividing the system into modules prototyped as separate
circuit boards was adopted from the start and kept throughout the project. In
this way the ABOB is more simple to design in modules namely; the control,
fault induction and power board units. The first is the control board where most
of the logic is placed. It will handle the communication to the computer while
it will send control signal to the fault induction unit which is the second board.
The fault induction unit will take these control signals as input and create fault
on the pin it is connected to. The control unit should have flexibility to control
different number of pins. The third board is the power supply, feeding the
system with all necessary voltages.
Additionally this structure allows the system to be easily scaled by adding
or removing one fault induction unit board to the control unit. In prototyping
this system the decision must be taken on how many pins one fault induction
board should handled. This is important for the control unit design. More
pins will require more components and this will make it harder to validate the
prototype. Less pins, however, will require more units and this fact will also
have drawbacks. More boards will require more space and a more advanced
communication protocol while on the other hand it will go much faster to prove
that this concept is working.
The first prototype fault induction board is able to induce faults on 8 ECU
pins. 18 boards will then be needed to fully control the ECU with most pins
in Scania (EMS). This concept will be assembled like a server rack where the
control board is on the bottom with board connectors facing up and the fault
induction units will be attached perpendicular to the control board.
4.2
Hardware
To design hardware there are different technologies available to implement from
fully custom circuit to micro-controllers.
For custom circuits there is a possibility to manufacture an ASIC (Application Specific Integrated Circuit). They are optimized for their tasks with best
performance in terms of speed and energy consumption. The design process is
hierarchical, beginning with writing code in a hardware description language,
17
followed by synthesis in hardware blocks and finally translated into logic gates.
From here logic tests can be made on the gate level. Digital gates will then be
mapped as transistor cells and placed on the chip area. Also verification that
the clock is distributed evenly through the whole chip is required for proper
functionality. The material used at the manufacture is silicon. An ASIC is time
consuming to design and expensive for small quantities. If the manufacture is
in a large scale then the cost is reasonable. This alternative is not well suited
for prototyping[21].
For prototyping FPGA (Field Programmable GateArray) is a better choice.
Both ASIC and FPGA are written in hardware description language. FPGA has
logic blocks and programmable interconnections speeding up the whole design
process. For ASIC the logic blocks must be placed on the chip. The interconnections between the blocks must be verified with a tool. The conclusion is that
the FPGA application is easier for prototyping. This technology is very efficient
if parallel computation is required and if the result needs to be executed within
the same clock cycle. The ABOB can with advantage be used to induce faults
or make measurements on multiple pins withing the same clock cycle[21].
A micro-controller is a small computer with all necessary components inside
the chip such as a memory and IO-ports. A program can be loaded into the
chip. The program is usually written in a programming language such as C or
Assembler. It is a set of machine instructions and these will be executed one at
a time in a sequence.
If the design has requirements to induce faults, make synchronous measurements or heavy parallel calculations, a FPGA would be a better choice than a
micro-controller. It takes, however, longer time to develop the testing process
with FPGA. In our concept the hardware is sending a signal that is unique
for each fault and each pin to the induction unit and is handling the communication to the computer. This application does not have high computational
demands or require strict syncronization as long as it can send control signals in
a few clock cycles. Assume an engineer wants to see if the system is functioning
properly when more than one cable is going to fall off from the ECU and meet
short circuit to other contacts in the truck. This short circuiting, could occur to
different voltages. In real life, it is unlikely that all cables come into contact in
the short time a few clock cycles. For this prototype a micro-controller is thus
considered as a good option with respect to the requirements above, the possibility to handle the short circuiting process in a simple way and the suitability
for the developer.
4.3
Microcontroller
In this section a selection is made of the used microcontroller. There are various types of microcontroller in the market and for this task many pins are
required, this prototype is therefore based on a PIC16f877a (Peripheral Interface Controller) that is a mid-range (up to 20 MHz) processor from Microchip
Technology. This processor has been in the market for many years and is not
as fast or advanced as the newer ones. Why use this old processor when there
are newer ones? It was decided to use a PIC processor of mid-range type because both the hardware and system designer had experience with this type
of micro-controller from courses at the university. This choice speeded up the
18
Figure 4.1: Principle schematic for ABOB. Showing N number of fault units
connected between ECU and sensors/actuators. They are controlled by a Microcontroller from a data distribution system.
implementation of the prototype since the hardware and programming environment were known. For this application most micro-controllers would work as
long as they have enough IO-ports, AD-converters and built-in timers.
The PIC16f877A is an 8-bit RISC (Reduced Instruction Set Computation)
micro-controller with 368 byte ram and with 8 channels with 10 bit resolution
ADC (Analog to Digital Converter). The ADC will be useful to measure and
verify when a fault is induced. There are 3 built-in timers and one of them is
used as a watchdog timer [22]. The other two timers are used for generating
a stable PWM signal. This PWM signal will be useful for creating an analog
voltage.
4.4
Carrying out the ABOB princple
The control unit is the central part in this system and it is communicating
with the computer through USB-transmission and sends commands to the fault
units. One microcontroller is executing the test program by controlling the fault
units and also is collecting data for verification. A data distribution system is
required to control all fault units and do the measurements systematically see
Figure 4.1.
19
Figure 4.2: Principles of control signals latches.
4.5
External memory
There will be a lot of data collected, and assuming there will be some measurement points for each pin data needs to be stored temporarily before it will be
sent to the computer. As mentioned in the previous section our micro-controller
has 386 bytes of internal RAM and that is too little. An external SRAM (Static
Random Access Memory) is used to increase the memory address space. In
comparison to a RAM it can execute read and write operations very fast. The
drawback is that it consumes more power than the slower ones. Lower power
consumption is not an important requirement in this design since it will use external power supply. Memories are byte addressed which means that there is an
unique address for each byte. A 32 KiB SRAM of model LY62256PL-55LL from
Lyontek is used for pointing out each address, 15 individual wires are required.
The number of IO ports is a limited resource for hardware designers, a
technique to reduce the need for ports is to have a multiplexed data and address
bus. This means that at first the lower address byte (A0-A7) is sent followed by
the higher address (A8-A14). To separate them a D-Latch or D-Flip flop can be
used[23]. Figure 4.2 shows the latch solution. The difference between the two
solutions is that a latch is transparent when the enable pin is logic high, this
will let the output have the same value as input and when the enable pin sets
logic low it goes into latch mode saving the current state as output. D-flip flop
has instead a clock input and it stores value on the transition of the clock signal.
The storage will occur on the rising or the falling edge. Latches are preferable
for bus multiplexing[23].
The memory has three control signals, the first of them is Chip Select (CS).
This enables the memory and is useful if more external memories than one is
used. For our purpose one RAM memory of this size is enough so this pin can be
tied to ground. The WR (Write Pin) control signal will store the value digital
output currently has on that address. The RE (REad) Pin reads then the value
of that address and put it as an output[24]. Normally it would require 25 pins
on the micro-controller in order to get the external memory to work( 15 adress,
8 data and control signal WR and RE). With latches this will be reduced to 12
pins. The common data-bus requires 8 pins together with two enable signals for
20
Figure 4.3: The hardware structure consisting of a microcontroller connected
to a RAM memory in latching principle. The Ram and microcontroller are
connected to the data distribution system (Latch0-Latch3).
Latch and two control signals for the RAM memory, see Figure 4.3.
4.6
Multiplexing
This version of ABOB should be able to induce electrical fault on all pins independently at the same time. Still the number of IO pins is a limited resource.
Multiplexing means that each IO Port has access to more than one connection[1].
This can be achived with matrix multiplexing or with digital circuits. Another
way of multiplexing is to use latches to increase the number of control signals[23].
For collecting data, multiplexers can greatly decrease number of AD converters required. For instance 8-1 multiplexers can handle 8 inputs to the ADconverter. The multiplexer requires a 3-bit data-bus to select the measuring
point[25]. Just two control signals can theoretically control an unlimited number of IO pins by using shift registers.
A shift register is a digital circuit which is a cascade of D flip-flops sharing
the same clock. Shift registers are of two types, SISO or SIPO. SIPO Shift
registers have a single data input. For each clock cycle the data will be shifted
to the next bit position. This is useful to convert data from a single connection
to parallel format for multiple control signals. A combination of multiplexer,
latches and shift registers is used in the first two versions of the ABOB. The
third version does not use multiplexing.
4.7
Fault induction units
The faults that will be induced are open load, short circuit to ground and short
circuit to variable voltage. Figure 4.4 shows one connection between ECU and
a load when an open load fault occured. There are two switches, S1 is normally
closed and is connected serially. This will ensure that a connection between the
21
Figure 4.4: Simple model of fault induction unit inducing an open load fault.
ECU and the sensor is full-filled.
When control signal one is sent to S1 it will change its state to an open state,
this will cause the sensor to be disconnected from the ECU system. For short
circuit to variable voltage there is a switch S2 which is normally open and will
not affect the system. When control signal two is applied, the ABOB will close
the switch S2, this will cause short circuit to a variable voltage. (How a type
of variable voltage supply will be designed can be seen in next section). S1 will
be open just before S2 is closing to disconnect it and protect the sensors from
being damaged due to short circuits while testing on trucks.
4.8
MOSFET transistor
The design of the ABOB requires implementations of switches using transistors.
There are mainly two types of transistors, BJT (Bipolar Junction Transistor)
and MOSFET (Metal Oxide Semiconductor Field Effect Transistor). The BJT
transistor is current controlled while the MOS type is controlled by an electric
voltage. In integrated circuits and in combined analog and digital circuits the
MOSFET technology is most used.
A short circuit of a pin on the ECU can cause a high current in the system.
The MOSFET transistor has higher current capability and will be used in this
task, because the currents may be high at the short circuit simulations. This
type of transistor has three terminals, the drain, the source and the gate. The
current from the source to the drain can be controlled by an applied voltage
between the gate and source terminals. There are two types of MOSFET:s
namely the P- or the N-channel transistor. In a N-channel, the charge carriers
are negative electrons while for P type they are positive holes[26].
The voltage drop between the gate and the source needs to be above a
certain threshold in order to create an inversion layer for the transistor to start
conducting.
Depending on which condition is fullfilled the MOSFET:s have three modes, off,
22
linear and saturated, these conditions are given by the relations 4.1 - 4.4.
UGS < UT
(4.1)
UGS > UT
(4.2)
0 < UDS < UGS − UT
(4.3)
UDS > UGS − UT
(4.4)
Relation 4.1 describes a transistor in its off state due to the fact that the
voltage drop across gate source UGS is lower than the threshold voltage UT .
Relation 4.2 shows when UGS is greater than UT and the drain source voltage
is full-filled by Relation 4.3. The transistor is now in its linear region. In this
region the transistor works as a resistance, the current through drain will increase linearly with the drain source voltage. This is due to how fast the charges
are moving inside the transistor channels. When the conditions in Relation 4.2
and 4.4 are full-filled, the charges cannot go faster and the current cannot increase much more and it is approximately constant with respect to UDS . This
saturation is called pinch-off.
4.9
First version
The first version of the ABOB was rather simple and it was used to test a
part of the requirements. Having a simple version which is fast to develop will
give an early hands-on experience in testing ECU:s, which is good for future
development.
There are different connections to the ECU such as actuators, sensors, fuel
injectors, CAN-communication etc. A majority of the connections of the ECU:s
are sensors. Designing an unit that can induce faults on these type of sensors
would cover most of the connections on ECU:s. First the design will cause
electrical faults based on that the connection is a sensor and after that design for
rest of the connections. There are mainly three types of sensors for automobile
application analog, resistive and frequency sensors.
4.10
Analog voltage sensor
For automobile application it is important for the system to know many physical
parameters, for instance the level of the engine oil, the pressure of the oil and
the temperature of the cooling water.
Analog sensors need to be supplied with a voltage and give out a voltage proportional to the magnitude of the measurement. ECU:s uses ADC:s to convert
analog voltage to a digital representation, see figure 4.5.
23
4.11
Resistive sensor
The resistive sensor is used to measure the temperatures in many places of
the automobile and often consists of a thermistor which changes resistance as
a function of the temperature. For instance this type of sensor is used for
measuring the temperatures of the engine, air and oil temperatures.
Thermistors are made of semiconductors and are of two kinds, PTC thermistor (Positive Temperature Coefficient) and NTC (Negative Temperature Coefficient). A thermistor of the PTC type will increase its resistance with temperature while on the other hand the NTC thermistor decreases its resistance as a
function of the temperature[27].
The resistance as a function of the temperature is usually a nonlinear function. In ECU:s there is a resistor connected in series with the thermistor and its
ADC will measure the voltage across the series resistor. To improve the linearity
of the thermistors they can be linearized around their working point with help
of a resistor see Figure 4.5[28]. There are also possibilities to compensate in
software if the thermistor function is known.
4.12
Frequency sensor
Frequency sensors are used to measure various kinds of speed in the engine for
instance fan, turbine, waterpump, camshaft and engine speed etc. The camshaft
is using a hall effect sensor and the flywheel is using an inductive sensor. On the
flywheel there are teeth and each tooth is made of magnetic material and a fixed
magnet is placed near to magnetize the teeth. When the wheel is spinning each
magnetized tooth will move across the coil. According to Lenz law a voltage is
produced that will tend to prevent the magnet from this move. This will cause
current spikes for each tooth, which will be detected by the ECU. The processor
inside the ECU then calculates the time between these peaks and thus estimates
the rotation rate.
Diesel engine works normally between between 0-5000 rpm but in the trucks
the software will prevent it from going above 3500 rpm. Measurements shows
that the flywheel sensor can produce voltages up to 200V peak to peak.
The camshaft is working in the same way, the sensor is placed near the teeth
of the metallic camshaft wheel having an applied magnetic field and the wheel
in between. When the wheel is spinning the teeth will pass through the air gap
and a change in the magnetic field will induce an electrical signal. These voltage
peaks are much lower than the induced voltages for the flywheel, they are about
20-40 V.
The three types of sensors; analog voltage, resistive and inductive are connected to the ECU, their connections are shown in figure 4.5. As mentioned in
the previous section the analog sensor needs to be connected with a supply and
ground to produce an output voltage that is possible to measure see Figure 4.6.
To induce short circuit to ground a MOSFET transistor will be connected to
an analog supply with transistors drain to analog supply, source connected to
ground and a control signal to gate. When the gate is grounded it will not
lead any electricity and everything will work as intended but when a voltage is
applied to the gate, it will cause a current to flow from drain to source. A short
circuit is the consequences of that see Figure 4.6.
24
Figure 4.5: Simplified electrical model of analog voltage sensor (left of ECU),
inductive sensor (bottom of ECU) and resistive sensor connected (right of ECU)
For the open load fault it is required that no current will go through the
sensor and by having a transistor in series with the drain connected to the
sensors ground connection and source to the actual ground. When a voltage is
applied to the gate the MOSFET transistor starts to lead that gives a closed
circuit. When the control signal is zero the current will be reduced until no
current is passing and this will cause an open load failure on the analog sensor
see Figure 4.6.
The resistive sensor can be connected almost in the same way as the analog
sensors since the system is giving an analog voltage. This voltage is connected
to the drain of the FET with its source to ground. When a voltage is applied
to the gate of the MOSFET it will short circuit the voltage divider. To induce
open load fault on temperature sensor is to not let the current pass in a closed
circuit, this will cause no voltage drop on R2 and the voltage divider will have
the same potential as supply voltage. To block the current a transistor with
its drain and source shall be connected in series with the thermistor see Figure
4.6.
Figure 4.6 shows the model for the inductive sensor, which gives the rotation
rate, where a resistor R1 (sensor 1) is in parallel to the coil. The ECU will
measure the voltage across this resistor. This model is simplified because there
is a protection diode and a low pass filter at the terminals of the ECU (not
shown in the figure 4.6). These components will cut off the voltage if it is too
high and filters it to reduce some noises.
To cause electrical faults on inductive sensors is more complicated than for
the analog resistive sensors. First thing is the voltage peak generated from the
inductive load can be very high. The MOSFET should not be damaged due
to these high peaks, so therefore transistors are required with correct rating.
To create an open load fault on an inductive load the transistor should prevent
the current running in a closed loop. According to the law of electromagnetic
induction a change in voltage will cause an opposite emk, there’s a risk that it
25
Figure 4.6: Exemplifies how the transistors are connected to ECU for inducing
faults. Points (1-6) are control signals
will cause voltage spikes from the coil when a control voltage is applied to the
transistors gate. A transistor solution to induce fault on flywheel can be hard
to create.
4.13
Prototyping first version
For prototyping the first model a small scale prototype was developed with help
of breadboard.
The next step was to build the first version on a lab card. A lab card
is basically a board with grids of holes where components and cables can be
soldered. This makes it more reliable than the bredboard. Four fault units were
prototyped in this way.
4.14
Evaluating first version
The first version was tested on a heavy vehicle. The results indicated that it was
possible to induce short circuit to ground and to induce open load on the analog
and temperature sensors. By sending different control signal, faults could be
observed on Scania’s own diagnostic tool by showing a fault code related to this
fault. In the truck a service message appeared on the dashboard letting the
driver understand a fault activity. After successfully inducing faults on analog
and resistive sensors, a continuation would require special electronic for every
type of load. Therefore it was decided to change to a more generic design.
26
4.15
The second version
The second version of the fault induction unit is more generic, with a single
solution for every connection. This is in contrast to the first version that only
had a model for inducing faults such as short circuit and open load on sensors of
analog and resistive type. There was no concept for the rest of the connections
like CAN-bus, alternator, injectors, etc. In summary, the first version had the
following properties:
• Might easily induce open load and short circuit to sensors with minimal
amount of components.
• Could not induce fault by short circuiting to another voltage.
• Makes the fault induction unit depending on the kind of connection.
• There is a risk that the complete unit might not be compatible with future ECU:s because they might use different hardware configurations and
different type of connection.
A generic solution that is compatible with the electrical changes on pins,
conductors and voltage supplies will have following properties:
• Would require more components for short circuit and open load faults.
• A single solution for connecting to a simple load like a resistive sensor will
have the same requirements as an highly inductive electric engine and will
have same dimensions.
• Makes ABOB independent on what kind of load is connected.
• The assembled hardware will most likely be compatible with all ECU:s
in the future as long as the number of pins is the same and rest of the
electrical constraints such as voltage peaks and max current will be the
same.
It will be a problem to just transfer the implementation from the first version to the second version, with just having N-MOSFET transistors connected
as figure 4.6. The N-MOSFET was connected with its drain to a higher potential than the source. Therefore the first version could only induce short circuit
to ground and open load. First step in designing the second version is to dimensioning a variable voltage supply with driving capabilities to short circuit
the pin to different voltages. Having a pair of N- and P-MOSFET can manage
that. How the MOSFET:s are connected will be explained in following section.
The connection can be sensor input, ground, supply voltage or something
else. It may also be unknown how the pins are connected. These above mentioned connections are the functional requirements to get a fully generic design
for the induction unit although there will be some more other requirements but
these will be explained below.
The purpose of having a variable voltage supply is for simulating a connector coming into contact with another voltage source. The voltage amplitude
should be between 0-24 V and be controlled by a microcontroller. There are
different ways to produce an analog voltage, either by a microcontroller or with
27
Figure 4.7: Block scheme for inducing electrical faults
an external circuitry. To induce electrical faults on all ECU pins independently
will require many variable voltage supplies. To fully test an EMS, 140 voltage
sources are then needed. To keep the complexity down the microcontroller will
create analog voltages with PWM (Pulse Width Modulation). PWM signals
have a predefined frequency and the on and and off time within one period can
be set. PWM is a popular method to generate analog voltage to drive slow
loads, such as lamps and it will be used in this design.
Figure 4.7 shows how an analog voltage can be generated from a PWM
source. The square wave is smoothed out after the PWM source with help of a
first order RC low pass filter. After that the analog voltage needs to be amplified.
The PWM output can at max produce 5V with 100 percent duty-cycle and the
system should be able to induce short circuits up to 24V. Amplification by six
times and a supply voltage of 30V should be sufficient to ensure an output
capability of 24V. The amplified voltage will then simulate the short circuit. A
power stage after the amplifier is required to drive high current without breaking
due to the high power dissipation.
4.16
Robustness
To reduce the downtime for test engineers due to maintaining the ABOB, robustness is an important thing to consider in this design. The ABOB should
be designed to induce short circuit without breaking its internal components.
Most ECU:s have an internal short circuit protection on their IO pins and would
normally reduce the current to some tens of mA when a failure occurs. This is
to minimize the damage of the hardware. An important aspect is also to give
the possibility for the driver to maintain the control over the vehicle as long as
possible.
One of the purposes with testing is to see that the software works correctly
and the ECU internal circuitry works as specified. In case the hardware protection does not work as intended a high current might flow in the system. A
protection from damaging the components of the ABOB are necessary here.
There are different ways to protect the system from over-current by help of
fuses, termistors, and current limiting circuits.
Fuses come also in various speeds from slow to super fast. Slow fuses will
take longer time to break when the current exceeds the rated current while super
fast melts more quickly. A fuse is a easy solution to protect the circuit from
over- current despite the fact that it sacrifices itself and a new fuse needs to be
attached in order to get the system working again.
Thermistors of PTC types can be used as current limiters. In normal working
condition the current in PTC is low. When a fault appears and the current
28
Figure 4.8: Realisation of block scheme into circuit
increases the PTC starts to heat up, increasing the resistance, thus blocking
the current. It cycles back to conductive state when the system is turned off,
acting as a resettable fuse. A resettable fuse does not need to be changed, the
system does not need to be opened for maintaining and that is a good thing[29].
A drawback is that PTC fuses are slow and can take seconds to fully limit the
current[30]. There are also active current limiters using two transistors and a
resistance to safety protect the system from short circuits[1].
All these solutions can be used for this application, however in terms of complexity an active short-circuit solution could cause economic and space problem
due to the number of components will increase. In this application a PTC thermistor can be too slow to protect the internal components inside the ABOB.
The easiest solution is the fuse and would fit this ABOB best if the fuse won’t
break so often.
4.17
Hardware design
This section will describe how the hardware synthesis was made of the error
induction unit based on the block diagram in figure 4.7. The PWM signal is
generated by the microcontroller and then smoothed out by a first order RC
filter. The signal ripple and the settling time are key parameters for the design.
The amplification is done by a non-inverting operational amplifier stage.
The power stage should have unity gain and force the output to have the
same voltage as the amplifier output. For instance a 5V connection can be short
circuited to ground and short circuited to a 24V battery. To simulate this, the
current must be able to flow in both directions. This can be achieved by having
two MOSFET transistors, one of P- and one of N-channel. Figure 4.8 shows
the circuit diagram of this design.
The PWM signal can be transferred to a DC representation after the first
order low pass filter if the cutoff frequency is below the PWM:s own frequency.
A low cutoff frequency will reduce the overlayed DC ripples however it then takes
29
longer time to reach its target voltage (settling time). The filtered signal will
then go into the non-inverted input on the operational amplifier. The output
of the operational amplifier is connected to a semiconductor relay. It works
exactly in the same way as a mechanical relay but instead of having a coil and a
mechanical switch a LED will transmit light to a light sensitive transistor which
will then start to conduct. There is a galvanic separation between the control
signal and the relay itself. These kind of relays are cheap and small but it is
not designed to switch high current. R7 is protecting the diode from too high
current.
After the relay a resistor R3 is connected to the gate of MOSFET Q1 and
Q2 (Q1 is P-channel and Q2 is N-channel). Two Zener diodes are connected
in serie in opposite directions between the gate and the source of the transistor
see Figure 4.8. They are there to protect the transistors Q1 and Q2 from too
high voltage drop between drain and source of the transistor. If the transistors
voltage drop between the drain and source is above the maximum, (20 V for
transistor of type IRF9540N and IRFZ44V), this might cause damage[31][32].
The diodes have 18V breakdown voltage. This yields that the diodes will conduct when the gate and source voltage is above 18V, protecting the transistors
from overvoltage.
After the transistors there is a resistance R2 of 0.47 ohm of high power type
to protect the both transistors from too much current. R5 and R6 are feedback
resistors for the operational amplifier and are dimensioned to give 6 times amplification, moreover the capacitor CY2 is there to prevent self oscillation. Note
also how the feedback is connected. This will compensate for the voltage drop
of the MOSFET:s which is about 2.6V.
The operational amplifier needs to drive both positive and negative voltage
to control the transistors appropriately, taking into consideration the transistor
voltage drops. It needs about 24V+2.6V to drive the output to 24V and -2.6
V to simulate a short circuit to ground. The amplifier cannot drive a load to
rail. Therefore the operational amplifier needs a dual supply voltage of +30V
and -10V. This yields a voltage supply in total of 40V rail to rail. Not many
amplifiers on the market support for such a wide supply voltage. OP275 is a
dual amplifier that can use such a wide supply voltage[33].
The photo-MOSFET relay is used to decouple the connection between the
operational amplifiers output and the gates of the MOSFET transistors. The
gates will not reach above the threshold voltage, causing both transistors to be
off. The output enters a high impedance state. However since MOSFET has
high resistance and capacitance, the transistor will keep conducting even if both
gates are open. R4 is connected between the gate and source to force the same
voltage between the transistors gate and source. Then both transistors will be
off.
In conclusion this design is capable of introducing simulated short circuits between 24V to 0V using two control signals. One to control the photo-MOSFET
relay and one to generate the PWM signal. Next step is to develop a way to
measure on our system for verification.
30
4.18
Measurement
Verification is an important part in this thesis project and to reach this requirements, measurements are needed. The system needs to make measurements
when a fault is induced on the ECU. From the results it is then possible to infer
which fault actually occurred. As mentioned earlier, the processor has built-in
ADC (Analog to Digital Converter) and it will be used for measuring an analog
value and store it as binary number. The question here is if the ADC is good
enough to detect the fault as a binary number.
There are three important properties in ADC:s that must be taken into
consideration, input stage impedance, conversion time and resolution. If the
input resistance for the ADC is too low it will affect the voltage it is measuring,
causing measurement errors. If that is the case an analog voltage buffer may be
connected to the AD:s input. A voltage buffer has a high in-impedance and a
low output impedance.
The ADC:s quantizes the signal to a time-discrete signal. Resolution of
converters comes in number of bits. A n-bit ADC has 2n values and each step
V
where Vref is the reference
in the value correspond to a voltage shift of 2ref
n
voltage.
For instance the 16f877a PIC processor has an internal 10-bit successive
approximation ADC, using the internal reference voltage of 5V yields 48mV per
value[22]. How fast it can decode a continuous signal is important here, the
information between two conversions will be lost. If the ECU is faster than our
ADC some signals might not be detected. There are three major conversion
technologies for AD conversion, dual ramp, successive approximation and flash.
Dual ramp AD converters can provide conversions with good accuracy but they
are slow.
Successive approximation ADC finds the digital representation of the continuous signal by using a binary search algorithm. The conversion time for a
n-bit successive approximation for the ADC is equal to n cycles[28].
Flash ADC:s are the fastest converters and they use a set of comparators
sensing the unknown voltage and a logic network converting it to a binary
number. The conversion is very fast.
How fast the ECU responses to a short circuit is not known and to keep the
complexity down the PIC:s internal ADC is used. If the AD converter are too
slow after testing this prototype, its possible to speed it up with a flash ADC.
4.19
Current measurements
There are different ways to measure currents for instance by measuring the
magnetic flux around the wire. A well known way is to measure voltage drop
across a shunt resistor in series with the load. The voltage drop between the
shunt resistor can be achieved with a amplifier connected as figure 4.9. The
amplifiers output is then connected to the AD converter. The resistance of the
shunt resistor is known and the current across it can be determined from Ohm’s
law.
The resistance will bias the system and should be as low as possible, however
decreasing the resistance will also decrease the voltage drop. This might cause
problems for the ADC to measure it. An operational amplifier can be used to
31
Figure 4.9: Schematic to measure current with amplification
amplify the voltage drop see Figure 4.9 [34]. According to the figure it is a
differential stage which amplifies the voltage difference between A and B where
R1 is the shunt resistor. Resistors R2 -R5 will determine the amplification factor.
Assume R2 = R4 and R3 = R5 the output voltage from the amplifier Vout is
R2
2
given by following relation Vout = R
(V A − V B ) = R
R1 R1 I , where I is the
1
current.
Here the fault induction unit is inducing a fault and measuring how much
current is passing through the shunt resistor. For instance if a supply pin on
ECU is short-circuited to ground, the system can measure the current and if it
exceeds a predefined upper threshold the system can verify that a fault actually
occurred. The same thing would work if the pin is open and the current flowing
is under the limit.
There is a problem with using this kind of current measurement and it is
that the ECU has an internal short circuit protection. It will work fine for
open load fault however when a short circuit is induced the ECU will regulate
it down. Measurement was done with ampere meter to see how large the short
circuit protection was. A sensor 5V supply pin tied to ground delivered about
60 mA. Is 60 mA considered as a short circuit current? A truck has a 16A
fuse and theoretically a short circuit up to 16A could be delivered even though
a protection prevents it. Some pins might draw more current than 60 mA
in working condition, for instance some heating element, water pump or fan.
Therefore the verification should be able to detect a short circuit even though
the ECU prevents it.
The system should be able to monitor 140 pins. Having for instance 4
measurement points will require more than 500 measurements from the ADC.
The processor needs to do all the encoding, which is time consuming. Here
time is an important factor if the system should detect a fault before the ECU
short circuit protection sets in. Therefore it is better to develop another method
which makes the verification static.
32
4.20
Verification
A way to statically verify that the fault occured is by checking if the control
signal and the relay actually are closed.
Verifying that the fault is actually induced from the unit could be done by
feeding back the photo relay control signal to the microcontroller. It is enough
to measure if it is high or low, so a digital IO pin is enough for measurement
M0 see Figure 4.10.
Figure 4.10 shows block diagram for the implemented fault induction unit
with measurement points for statical verification. The yellow squares are control and PWM signals while the purple squares are measurement points for
verification. On the ECU side between M2 and M3 is a fuse that protects the
MOSFET voltage buffer stage. The transistors are rated for 115W and if there
is no short circuit protection on the ECU a maximum current flow of 4.8A is
allowed[31][32]. The assumption was made that the short circuit can in worst
case be 24V and the heat sink is mounted to cool the transistor. It is better to
have some margin so the fuse between M2 and M3 is dimensioned for 2A.
Since all pins will require one fuse and to reduce the downtime for the engineering using this device, a verification for the fuse is necessary. Measurement
points M2 and M3 are there to check if the fuse is broken or not. To check if
the fuse needs to be changed the points M2 and M3 is connected to an ADC, if
the value is equal the fuse is intact but if not it is broken.
On the right side of the voltage buffer is a switch for coupling or decoupling
the load connected to the ECU. The switch is a double switching relay and
will normally be in down position ensuring there is a closed circuit between
the ECU and all the sensors. This is good because if the ABOB power is off,
all the connections between the ECU and the load are closed and will work as
intended. Both switches will move in the upper position as seen in figure 4.10
when the control signal ”EN OL” (ENable Open Load) is high. This will open
the connection between the ECU and the load causing an open load fault.
The contact moves into its second state to another circuitry. Here is a 5V
power supply connected to a resistor and a measurement point M1 see figure 4.10. To verify that an open load actually is induced is to see in which state
the relay switches are. If the relay is in upper position the 5V supply is in a
closed circuit, this will let the measurement M1 to be grounded and the micro
controller will detect it as a logic 0. When the relay is in the normal state it
will open the connection 5V supply. M1 will now have a 5V potential and can
be measured as a logic 1.
Most of the measurements are done on our device biasing the normal system
as little as possible. The verification is designed to see if the photo relay is
actually on and if the relay switched its state. This is to ensure a verification
reliable even if the ECU turns off due to the short circuit protection. However
this verification assumes that all parts are in their working conditions. This
implementation cannot see if the photo relay or the transistors are broken. For
the mechanical relay it is just known that it has switched from the upper state
and that the relay is not connected between the ECU and the sensors.
There is a risk that these parts can break and then the system will give the
wrong verification even though this risk is considered to be small.
33
Figure 4.10: Block scheme for inducing electrical faults and verification on one
pin with the relays in upper position
4.21
Prototype second version
This prototype is more complicated than the first version and for that reason
a set of CAD-tools (Computer Aided Design) was used here. National Instruments Multisim tool was used to draw the schematic. The schematic was then
transferred into a circuit board pattern. Then the components are placed with
Ultiboard and wires are connected between them.
Since there was some problem to manufacture the prototype due to the
complexity of it, a more modular based design is used in the next version (last
version).
34
Chapter 5
Last version
The second version is using one microcontroller with some external components
see left in figure 5.1. The microcontroller handles a lot of things in the system,
sending control signal to the fault units and the data distribution system (enable
system) and it takes measurements on the analog MUX:s (MUltipleXer) output.
In additional the data is stored in the RAM memory and the communication
to the computer is handled through the USB. A lot of processing on MCU
(Micro Control Unit) is required but also a lot of logic needs to be verified. For
instance all logic to read from memory, write in the memory, the control signals
logic together with the enable system and the analog MUX:s needs to have its
functionality verified.
There is however a need to make the ABOB a more modular based system
that will require less components. On the right side on figure 5.1 shows the new
improved design. The same structure for the fault unit will be used, however
they will be organised in two fault units instead of eight, each pair is controlled
by a microcontroller. This unit is called slave unit and it is connected with more
of these units in a communication network. The Master unit is connected to this
network telling the other units what to do and handles the USB communication.
The positive thing by having a microcontroller for each pair is;
The microcontroller can control its own fault units and also take measurements
Figure 5.1: Block diagram resembling the difference between new (last) and old
(second) version
35
for verification. More measurements can be made and the internal memory of
each microcontroller will be sufficient to save samples from the two fault units,
so the last version does not need any external RAM. No external logic would
be necessary anymore. A prototype of master and three slave nodes is created
in this project. If this concept is working, the system will work for 140 pins as
long there is a communication protocol supporting it. The difference between
the slave units will be a parameter programmed into the hardware making the
system more modular.
An Arduino microcontroller is used instead of the PIC16f877a. Arduino
is an enviroment with open source code and there are libraries for different
communication protocols such as SPI (Serial Peripheral Interface) and I2C[35].
These libaries are usefull for implementating the last version of ABOB.
I2C protocol is letting multiple devices communicate with each other. The
communication needs only 2 wires, one for serial data and one for serial clock.
The data is clocked from the master which means no strict baudrate. The data
is clocked in as a number of bytes and each slave has an unique identification.
I2C supports up to 128 identifications (7 bits) while the last bit tells if it is a
read or write operation. Having two fault units for each microcontroller will
support ABOB controlling up to 256 pins[23].
Figure 5.2 shows the principle of the final solution with an Arduino slave
connected with 2 fault units. As mentioned before the fault units need control
signals and they are now connected directly to the Arduino digital IO-port, the
measurements are handled by the Arduinos own ADC. On the left side of the
Arduino there are I2C wires. All units are connected to the I2C bus. One
extra cable (external interrupt) is used for synchronisation purpose for fulfilling
a requirement to induce several faults at the same time.
When a test case is going to be launched, the master unit is sending command
information through the I2C bus to the slave units which is supposed to make
the faults. This information is sent one at the time in a sequence. When a slave
receives the information, it will idle waiting for the external interrupt wire to
change til logic one. When the master has sent all the faults to the slave units
it will turn on the external interrupt, activating all slave units to induce faults
until the master is turning off the wire. Then the microcontroller is requesting
data from the slave units.
5.1
Master node
To make the prototyping even more easier, the master node and power board
are merged into one PCB. The master board will have the master processor and
all power supplies. The slave units needs to be powered by the supply voltages
+24V,+30V,-10V and +5V. As mentioned earlier the +5V is on the board of
the slave unit with help of a linear voltage regulator, the 24V will be taken from
the battery of the truck. A DC-DC converter with a galvanically separated
ground is used to generate the +30V and the -10V. The Traco TEN-12-2421
+/-5V (1000 mA) converter is used. It has an internal short circuit and heat
protection.
Figure 5.3 shows how the the +30V and the -10V are generated. L1 and C1
are working as a LC-filter to remove ripples from the battery of the truck. After
the filter a zener diode D1 is connected in parallel, preventing voltage spikes
36
Figure 5.2: Arduino slave microcontroller with two fault units realized as block
diagram
above 36V to reach the input voltage of the DC-DC converter. The resistors
R1 −R4 are connected in parallel to each DC-DC converter input supply voltage,
discharging slowly the capacitors when the system is turned off due to safety
reasons.
All PCB traces and wires are assumed to be low resistive, namely wide
enough and the truck battery is fused for 16A. The DC-DC converters can at
maximum deliver 1000 mA for the +30V and the -10V. These voltages are only
for driving the operational amplifier. OP275 has a supply current of max 5 mA.
The master node can power 200 units which is sufficient.
Arduino master processor is connected according to figure 5.4. The USB
cable is connected to Arduino’s transmit and receive pins (Tx and Rx ). I2C:s
SDA and SCL lines are connected with a pull-up resistor. The communication
pins SDA, SCL and ExtInt are connected to all slave units see figure 5.4
5.2
Prototype last version
The same design tools were used as in the previous version. National Instruments Multisim and Ultiboard was used to CAD printed circuit boards. Instead
of milling the board CAD files were sent for manufacturing to shrink down the
prototype time as much as possible and to get boards of higher quality.
The slave unit boards were designed to be two layers 100x100 mm with
through hole components with 0.3 mm wires. In fact it would require even wider
wires between some connections to give lower voltage drops along them[36].
However this prototype will be used to prove that the concept works rather
than be considered as an end product.
After all connections were routed with the tool, a power plane was created
on each side of the PCB. The remaining copper on the board will merge into one
wire (24V on top and ground on bottom). This will ensure the same potential
for all components placed on the PCB. Also there is some reservoir capacitor
to smooth out ripples for the integrated circuits. The manufactured PCB was
37
Figure 5.3: Schematic showing +30V and -10V voltage supply, where PWS is
a Traco DC-DC converter
Figure 5.4: Scheme with an Arduino master connected to USB. An external
interrupt and I2C bus where rest of the slave units are connected to.
38
Figure 5.5: Soldered slave unit on PCB
soldered and verified, see the finished slave unit figure 5.5.
Point 1 on the PCB see figure 5.5 shows a MOSFET transistor with a heat
sink, point 2 is a dual switching power relay, 3 is the socket for Atmega328p-pu
micro controller, 4 operational amplifier OP275, 5 is the semiconductor relay, 6
is the fuse to protect the system if a short circuit occurs (between measure point
4 and 5 see figure 4.10 ). Point 7 shows two contacts, (ingoing and outgoing)
from each unit, point 8 is a 16 MHz crystal, point 9 is a BJT transistor to drive
the coil of the dual switching relay, point 10 shows the connector for the cable
to the ECU. The Master board was soldered and assembled with 3 slave units
to test out the 6 pins on ECU. The system is compatible with up to 256 units
but that would require more slave units for that.
39
Chapter 6
Results
In total there were three types of versions that have been covered in this thesis.
In this chapter the results will be given.
6.1
First version
The first version is the simplest one and consists of two transistors for each load.
A prototype on the small scale was made on the breadboard and prototype
board. The data distribution system was prototyped on a separate board and
was compatible with four connections. The prototype was firstly tested on bench
with an ECU connected with a diagnostic tool for monitoring DTC codes.
The bench test was made on four pins, two analog and two resistive sensors
were tested. The unit was capable of inducing short circuit and open load on
four pins simultaneously. The faults could be verified by the DTC code, showing
either a short circuit or an open load fault code. The built-in protection of the
ECU is limiting the short circuit current. This yields a negligible heat dissipation
in the transistors.
Tests were made on a real truck. At this time the unit was connected to
the battery of the truck. The transistors were connected to the real sensors and
the diagnostic tool was connected to the ECU of the truck. When a fault was
induced a warning lamp was lit at the dashboard of the truck. In addition to
the lamp a message appeared on the dashboard giving some information. For
instance it showed: High emission. More information about the fault could be
seen from DTC codes.
The design was changed quite early in the development process to make it
more generic. The prototype for data distribution system in the second system
used a PIC microcontroller with three latches. The prototype used a 4-bit data
bus, LED’s were used for debugging purpose see Figure 6.1.
This version was capable to:
• Induce short circuit to ground
• Induce open load
• Be controlled from a computer
40
Figure 6.1: Pic16f877a microcontroller connected to a data distribution system
soldered on the prototype board
6.2
Second version
Even though most of the effort was on the second version, a final prototype to
control an entire EMS could not be prototyped. The prototype was too complex
to manufacture with two layers using CNC milling.
A small scale prototype with four fault units could be tested using the data
distribution system, which was prototyped from the first version, see Figure
6.1. This system was tested in a small scale on bench, where fault induction
and verification worked as intended. Appropriate DTC fault code was shown
and the computer verified the faults correctly.
However this system is time consuming for the microcontroller. The system
must perform the measurement on each fault unit one at a time in a sequence.
There might be some difficulties concerning the measurement, when the number
of fault units increases. This version was capable of the following:
• Inducing short circuit to another voltage (including ground) and open load
faults.
• Inducing faults simultaneously on multiple pins.
• Connecting or disconnecting loads which are sensitive to short circuit.
• Controlled from a computer
• Verify that a fault actually occurred and could send results back to the
computer.
41
Figure 6.2: Soldered slave unit on PCB
6.3
Last version
The last version might have a possibility to cover an entire EMS. Three slave
units were assembled six fault induction units on PCB. Testes were made on
bench and could generate the same result as the second version. All six fault
units could induce faults simultaneously and send back reports to the computer.
Tests were also performed on a truck, faults could be simultaneously induced.
Testing an open load fault worked flawlessly on truck. Testing short circuit on
the truck caused a serious damage to the circuit board and transistors. The
assembled prototype is seen on figure 6.2
42
Chapter 7
Conclusion and future work
The test results proved a working concept for automated testing on the bench
and the truck. However, testing the last prototype on truck caused PCB traces
and the transistors to break. The possible explanation to this is the fact that
on the bench it is powered by a short circuit protected power supply (10A). A
truck is fused for 16A and is a non ideal environment as real actuators, sensors
and solenoids are connected to it.
The traces were broken due to heat dissipation caused by the short circuit
current. It was already known that the traces were too small to handle a high
current. A fuse was used to prevent this but it was too slow and the current
destroyed some components before the fuse broke the current. Increasing the
trace width is a way to make the fault induction unit more robust. Electronic
overcurrent protection together with more resilient components could be an
additional thing to make the ABOB more robust.
Today the prototype takes a lot of space for just six fault units, 70 slave cards
are required to cover an EMS. This will make it very large and not portable. The
size of the PCB boards can be shrunken down if surface mounted components are
used instead of the current through hole type. Manufacturing it with quadruple
layers would significantly decrease the size.
More improvements on this prototype to increase its robustness, were planned
to be implemented as well. However, due to delays in the prototyping, this could
not be achieved in the project.
In retrospect, a more newer and more advanced microcontroller should already have been used in the first version. A faster microcontroller can do more
operations and contains more memory storage. This yields that an external
RAM together with an external peripheral to control write and read operation
would not be needed anymore. This would make the system less complex and
reduced the amount of components on the PCB. This would be to simplify the
prototyping. Focusing more on making a more modular solution has in this
work proved to be successful for the second and third versions. This made the
prototype much easier to design and to build.
Sending the PCB:s for manufacturing was found to save prototyping time
and gave a much better quality. Manufacturing a card with CNC mill took
about three hours. The soldering, assembling and verifying took one week.
Despite the time it took the developments step by step in this project has
given very useful experience and results. They show that it is entirely possible
43
to design and build an ABOB for use on trucks.
7.1
Suggestions for future work
For future work, a next iteration of the prototype is proposed to be done with
improvements of the robustness and the size. The number of fault units should
be increased to allow test of an EMS. A thesis project has demonstrated the
use of relays for inducing electrical faults on trucks.[1]. Relays are more robust
and a combined relay/transistor solution is suggested.
44
Bibliography
[1] W. H. Frykman Daniel, “Automation of electrical testing of powertrain
software in heavy vehicles,” Master’s thesis, KTH, 2013.
[2] J. Motavalli, “The dozens of computers that make modern cars go (and
stop),” February 2010. [Online]. Available:
http://www.nytimes.com/2010/02/05/technology/05electronics.html
[3] R. N. Charlette, “This car runs on code,” February 2009. [Online].
Available:
http://spectrum.ieee.org/transportation/systems/this-car-runs-on-code
[4] K. Nice, “How car computer works.” [Online]. Available:
http://auto.howstuffworks.com/under-the-hood/trends-innovations/carcomputer.htm
[5] “Ecu designing and testing using national instruments products, available
at,” November 2009. [Online]. Available:
http://www.ni.com/white-paper/3312/en/toc2
[6] “Scania engine management.” [Online]. Available:
http://www.scania.com/products-services/trucks/maincomponents/engines/engine-technology/scania-engine-management/
[7] D. Dimarogonas, “Hybrid and embedded control systems, lecture 1,”
January 2014. [Online]. Available:
https://www.kth.se/social/upload/52d66e1af276543ce7f42c63/lec01 VT14.pdf
[8] C. Washington, “Hil simulation boosts automotive design efficiency,”
September 2007. [Online]. Available:
http://www.eetimes.com/document.asp?doc id=1272817
[9] “How fuel injection systems work.” [Online]. Available:
http://auto.howstuffworks.com/fuel-injection2.htm
[10] K. McCord, Automotive Diagnostic Systems: Understanding OBD I and
OBD II, North Branch. CarTech, 2011.
[11] “Anatomy of the dtc.” [Online]. Available:
http://www.obdii.com/dtcanatomy.html
[12] S. Bain, “How to automate stress tests.” [Online]. Available:
http://www.embedded.com/design/prototyping-anddevelopment/4024894/How-to-automate-stress-tests
45
[13] A.-a. M. P. A. Perez, Jon, Codesign and Simulated Fault Injection of
Safety-Critical Embedded Systems Using SystemC. Technology Research
Centre Mondragon, Spain, 2010.
[14] R. Svenningsson, “Model-implemented fault injection for robustness
assessment,” Master’s thesis, KTH, 2011.
[15] V.-H. T. S. A. Misera, Silvio, “Fault injection techniques and their
accelerated simulation in systemc,” IEEE, 2007.
[16] A. Benso, Automotive Fuels and Emissions, New York, Thompson
Delmar Learning. Springer, 2003.
[17] “What is hil testing?, available at: 2014-08-03.” [Online]. Available:
http://www.hil-simulation.com/home/hil-testing.html
[18] “Ecu testing with dspace hil systems, available at: 2014-08-03.” [Online].
Available:
https://www.dspace.com/en/pub/home/products/systems/ecutest.cfm
[19] “Hil testing.” [Online]. Available:
https://www.dspace.com/en/pub/home/applicationfields/automotive/ecu testing.cfm
[20] B. Hollembeak, Automotive Fuels and Emissions, New York, Thompson
Delmar Learning. Cengage Learning, 2005.
[21] H. Ahmed, “Embedded hardware design in asic and fpga.” [Online].
Available:
http://www.ict.kth.se/courses/IL2225/Lec/IL2200Introduction2012.pdf
[22] Microchip, “Pic16f87xa data sheet.” [Online]. Available:
http://ww1.microchip.com/downloads/en/DeviceDoc/39582b.pdf
[23] T. Starecki, “Microprocessor systems.” [Online]. Available:
http://www.ise.pw.edu.pl/impuls/emisy/emisy.pdf
[24] Lyontek, “Datasheet ly62256.” [Online]. Available:
http://www.alldatasheet.com/datasheetpdf/pdf/552704/LYONTEK/LY62256PL-55LL.html
[25] J. Marino and R. Niemetschek, “Automated breakout box for automotive
testing,” Jan. 5 1993, uS Patent 5,177,447. [Online]. Available:
http://www.google.com/patents/US5177447
[26] B. Molin, Analog elektronik.
Studentlitteratur, 2010.
[27] T. C. University, “Temperature sensors.” [Online]. Available:
http://www.cvel.clemson.edu/auto/sensors/temperature.html
[28] W. Sandqvist, “Basic digital theory with pic-processor.” [Online].
Available: http://www.ict.kth.se/courses/IL131V/ntclin.ppt
[29] “Littlefuse, fuses vs ptcs.” [Online]. Available:
http://www.littelfuse.com/technical-resources/education-center/fuses-vsptcs.aspx
46
[30] “Littlefuse, datasheet poly-fuse resettable ptcs.” [Online]. Available:
http://www.littelfuse.com/products/resettable-ptcs.aspx
[31] “International rectifier ,datasheet irfz44vpbf.” [Online]. Available:
https://www1.elfa.se/data1/wwwroot/assets/datasheets/irfz44vpbf eng tds.pdf
[32] “International rectifier, datasheet irf9540n.” [Online]. Available:
https://www1.elfa.se/data1/wwwroot/assets/datasheets/exIRF9540N Data E.pdf
[33] “Analog device, datasheet op275.” [Online]. Available:
http://www.analog.com/static/imported-files/data sheets/OP275.pdf
[34] G. Petersson, Elkretsanalys.
Elektrotekisk teori och kontruktion, 2006.
[35] “Arduino libraries.” [Online]. Available:
http://arduino.cc/en/Reference/Libraries
[36] “Ansi pcb trace width calculator.” [Online]. Available:
http://www.desmith.net/NMdS/Electronics/TraceWidth.html
47
Related documents
Power Amplifier - IHMC Public Cmaps (3)
Power Amplifier - IHMC Public Cmaps (3)
electric current jigsaw A
electric current jigsaw A
VDI Snorkel Installation Instructions
VDI Snorkel Installation Instructions
Workshop Materials
Workshop Materials
ch 16 Electricity Essential Questions
ch 16 Electricity Essential Questions
Problem 3.2 Apply nodal analysis to determine Vx in the circuit of Fig
Problem 3.2 Apply nodal analysis to determine Vx in the circuit of Fig
7.5 Design the circuit in Fig. P7.5 to obtain a dc voltage of +0.2V at
7.5 Design the circuit in Fig. P7.5 to obtain a dc voltage of +0.2V at
Electricity - science
Electricity - science
Problem 3.3 Use nodal analysis to determine the current Ix and
Problem 3.3 Use nodal analysis to determine the current Ix and
9-10 - Worksheet - Series Circuit Problems
9-10 - Worksheet - Series Circuit Problems
Chapter 4 Presentation
Chapter 4 Presentation
r -5 sin (37"/r+ 40")
r -5 sin (37"/r+ 40")