Modern cars comprise a number of Electronic Control Units (ECUs) interconnected by shared communication media. This architecture gives the vehicle a better perception of its environment and results in improved car behavior. At the same time, the resulting system complexity, and further the introduction of electronics into safety-critical functions, raise dependability problems: human life and health depend on the correct operation of the car. The time-triggered architecture was introduced in this context to cope with the growing complexity and to support highly dependable systems. While this architecture substantially eases system design and development, it does not explicitly support verification and maintenance operations.
This work focuses on the network, since this resource was quickly recognized as playing a central role in keeping the system in a safe state. Our intention is to provide an approach to testing the reliability (continuity of correct service) of the communication system as well as the availability (readiness for correct service) of the associated error detection mechanisms. We propose a new test approach that is generic (it does not rely on dedicated services), non-intrusive (it requires no modification of the system) and transparent (it causes no deviation from normal service delivery). This last attribute allows test operations to be performed concurrently with normal operation, which shortens the test period even when the system cannot be halted for maintenance. This in turn minimizes the probability of system failure due to fault accumulation.
Our test approach is first based on monitoring of the bus traffic: the deterministic behavior of time-triggered communication systems provides a priori known properties (the transmission schedule and the frame timing that follows from it) that can be efficiently checked for correctness. This pure monitoring approach is complemented by a subtle stimulation of the clock synchronization mechanism in order to test the error detection mechanisms within the nodes' receive path. This second approach exploits the tolerance boundaries of the clock correction and drives the system into a non-natural but still correct state. Since this state can only be reached and maintained if the tester operates correctly, the nodes' reaction reveals whether the tester frames have been correctly processed. A main concern of this work is to prove the transparency of our approach. In particular, we introduce deterministic replay as a technique to remotely control the nodes' clock correction and prove that our method poses no threat to system operation.
Moreover, we show that the nodes' logical clocks always return to within the accuracy of their underlying oscillators. This property provides information about the corrections currently acting on the nodes' clocks and, in particular, about whether the additional test frames have been received or not. The theses presented in this work focus on the TTP/C and FlexRay communication protocols, and the results are supported by simulations and experimental evaluations.
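The following is an added example, not code from the thesis or from the TTP/C or FlexRay specifications. It models the two techniques described above in one small deterministic simulation: a tester that monitors the bus against the a priori known slot timing, and that then stimulates the clock correction with a single frame sent slightly late, replaying each node's correction algorithm from what it observed on the bus to predict the reaction of a node that processed the frame and of one whose receive path silently dropped it. The node names A, B and C, their drifts, the acceptance window, the correction bound and the stimulus size are constructed values; the synchronization algorithm (drop the largest and smallest measured deviation, average the rest, with the node's own clock counting as deviation 0) is a simplified fault-tolerant average standing in for the real TTP/C algorithm, and the receive-path fault is injected as a flag on the node.

```python
"""Added example (not the thesis' own code): a deterministic model of a small
time-triggered cluster whose nodes correct their clocks once per TDMA round with a
fault-tolerant average (FTA) of the deviations they measure on received frames,
plus a tester that monitors the bus, stimulates the correction with one late
frame, and replays each node's correction to predict and classify its reaction.
All names, drifts, bounds and the simplified FTA are constructed assumptions."""
from dataclasses import dataclass
from fractions import Fraction as F

ACCEPTANCE_WINDOW = F(3)  # receive path rejects a frame deviating more than this (us)
MAX_CORRECTION = F(2)     # a node never corrects its clock by more than this per round
SHIFT = F(1, 2)           # how late the tester sends its stimulus frame (us)


def fta(values, k=1):
    """Fault-tolerant average: drop the k smallest and k largest, average the rest."""
    s = sorted(values)
    core = s[k:len(s) - k] or s  # too few values: fall back to a plain average
    return sum(core, F(0)) / len(core) if core else F(0)


@dataclass
class Node:
    name: str
    drift: F                    # oscillator drift accumulated per round (us)
    drops_tester: bool = False  # injected fault: tester frame never reaches the sync algorithm
    offset: F = F(0)            # local clock minus reference time (us)
    rejected: int = 0           # frames the receive path rejected as outside the window


def measured(own, others, tester_shift, see_tester):
    """Deviations a node measures: its own clock (0), every other node's frame and the
    tester frame. The tester holds reference time 0, so a frame it sends
    `tester_shift` late looks like a node whose clock offset is -tester_shift."""
    devs = [F(0)] + [own - o for o in others]
    if see_tester:
        devs.append(own + tester_shift)
    return devs


def correction(devs):
    """Receive-path window check, then FTA clamped to the correction bound."""
    accepted = [d for d in devs if abs(d) <= ACCEPTANCE_WINDOW]
    corr = max(-MAX_CORRECTION, min(MAX_CORRECTION, fta(accepted)))
    return corr, len(devs) - len(accepted)


def run_round(nodes, tester_shift=F(0)):
    """One round: clocks drift, frames appear on the bus (the tester observes every
    node's pre-correction offset), then all nodes correct on the same bus traffic."""
    for n in nodes:
        n.offset += n.drift
    observed = {n.name: n.offset for n in nodes}
    corrs = {}
    for n in nodes:
        others = [m.offset for m in nodes if m is not n]
        corrs[n.name], rej = correction(measured(n.offset, others, tester_shift, not n.drops_tester))
        n.rejected += rej
    for n in nodes:
        n.offset -= corrs[n.name]
    return observed


def replay(observed, name, tester_shift, see_tester):
    """Tester-side deterministic replay of one node's correction from bus observations."""
    others = [o for m, o in observed.items() if m != name]
    return correction(measured(observed[name], others, tester_shift, see_tester))[0]


def estimate_drift(prev, cur):
    """offset(r+1) = offset(r) - correction(r) + drift, so replaying an unstimulated
    round r (assumption: tester frame processed) isolates each node's drift."""
    return {n: cur[n] - prev[n] + replay(prev, n, F(0), True) for n in cur}


def run_test(nodes, shift, warmup=3, settle=4):
    """Monitor, stimulate once, classify each node's reaction, then let the cluster settle."""
    history = [run_round(nodes) for _ in range(warmup)]
    for obs in history:  # pure monitoring: frames must sit inside their a priori known slots
        if any(abs(o) > ACCEPTANCE_WINDOW for o in obs.values()):
            raise ValueError("frame outside its slot window: schedule violated")
    drift = estimate_drift(history[-2], history[-1])
    expect = {n: history[-1][n] - replay(history[-1], n, F(0), True) + drift[n] for n in drift}
    if any(abs(expect[n] + shift) > ACCEPTANCE_WINDOW for n in expect):
        raise ValueError("stimulus would be rejected by a node: not transparent, refused")
    pre = run_round(nodes, shift)  # stimulus round: tester frame sent `shift` late
    hyp = {n: (pre[n] - replay(pre, n, shift, True) + drift[n],   # H1: processed the frame
               pre[n] - replay(pre, n, shift, False) + drift[n])  # H0: receive path dropped it
           for n in pre}
    post = run_round(nodes)  # tester back on schedule; each node's reaction is now on the bus
    verdict = {}
    for n, (h1, h0) in hyp.items():
        if h1 == h0:
            verdict[n] = "undiagnosable"
        else:
            verdict[n] = "processed" if post[n] == h1 else "dropped" if post[n] == h0 else "inconclusive"
    last = post
    for _ in range(settle):  # transparency: clocks relax back toward the unstimulated baseline
        last = run_round(nodes)
    residual = max(abs(last[n] - history[-1][n]) for n in last)
    return {"verdict": verdict, "residual": residual, "rejected": {n.name: n.rejected for n in nodes}}


def make_cluster(faulty=()):
    """Constructed cluster: drifts of +1, -1 and 0 us per round; `faulty` names drop the tester frame."""
    return [Node(n, d, drops_tester=n in faulty) for n, d in (("A", F(1)), ("B", F(-1)), ("C", F(0)))]


if __name__ == "__main__":
    print(run_test(make_cluster(), SHIFT))
    print(run_test(make_cluster(faulty={"C"}), SHIFT))
```

With the healthy cluster every node's next frame lands exactly where the replay predicted for a node that processed the late tester frame; with C's receive path faulted, A and B still react but C's frame lands where the "dropped" hypothesis predicted, so the latent fault becomes observable from the bus alone. In both cases no frame is ever rejected and, once the tester returns to schedule, the offsets shrink back toward the baseline set by the oscillators' drift, which is the transparency property the approach relies on. A stimulus that would fall outside a node's acceptance window is refused before it is sent.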