Typical active fault-tolerant vehicle control system architecture
(Note: this article is a translation; original author: Daniel Wanner)
A typical active FTC structure (Figure 1) includes:
- an easily reconfigurable controller,
- a highly sensitive, but robust fault detection and diagnosis scheme,
- a reconfiguration mechanism that ultimately achieves the pre-fault performance,
- a reference governor.
One critical issue is the limited amount of time for FDD and control system reconfiguration. From that, the two main design objectives can be derived. First of all, a precise FDD scheme shall be provided, which delivers information about a fault (time, type and magnitude) and the post-fault model. Secondly, the compensation of the fault-induced changes within the new reconfigured control scheme shall be designed, so that the stability and acceptable closed-loop system performance can be maintained. Therefore the parameters of the controllers and, what is even more important, the structure of the new controllers (in terms of order, numbers and types) might have changed.
Other than that, the FTC strategies are often derived from other domains. Recently more attention has been brought to it through by-wire vehicles. A hybrid active FTC approach is presented by [65]. Dynamical systems often consist of a continuous and a discrete time process; systems in which these two are connected by logical or decision-making processes are called hybrid systems. Different hybrid systems are presented and analysed in simulation and tested in a prototype vehicle. A combination of the linear quadratic control method and the control Lyapunov function technique is applied. Four different failure modes are analysed: complete break-down of a wheel torque controller, deterioration of wheel torque controller gain, complete break-down of a steering controller and deterioration of steering controller gain.
Fault detection and diagnosis
A fault-tolerant control structure incorporates a fault detection and diagnosis system. The fault detection shall make a decision whether a fault has occurred or not. This objective is achieved by different types of methods that can be classified into analytical and heuristic symptom generation. The first is based on quantifiable information like measured process parameters (e.g. limit value checking and signal analysis of direct, measurable signals as well as process analysis by using mathematical process models), while the latter is based on qualitative information such as statistical data gained from experience (former faults, repairs, wear, load measures, etc.). Fault diagnosis consists of fault isolation and fault identification and determines the type, size and location of a fault, as well as its time of detection [11, 71]. In order to process the detected fault, two kinds of fault diagnosis and evaluation methods can be used. The heuristic classification methods include statistical and geometrical methods, neural networks or fuzzy logic. The second type is inference methods based on explicit conditions and conclusions, e.g. fault-tree analysis.
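The analytical route described above (limit value checking on a model residual, then identifying time, type and magnitude) can be sketched as follows. This is an added example, not code from the original article; the nominal model "measured torque equals commanded torque", the thresholds, the names and the sample data are assumptions chosen to match the wheel torque failure modes mentioned earlier.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

@dataclass
class Fault:
    time_index: int   # first sample of the persistent limit violation
    kind: str         # "breakdown", "gain_deterioration" or "unexplained_output"
    gain: float       # estimated remaining gain, 1.0 = healthy (fault magnitude)

def detect_torque_fault(cmd: Sequence[float], meas: Sequence[float],
                        limit: float = 15.0, persist: int = 3,
                        dead_gain: float = 0.1) -> Optional[Fault]:
    """Limit-check the residual of the assumed nominal model meas == cmd."""
    run = []  # indices of consecutive limit violations
    for k, (u, y) in enumerate(zip(cmd, meas)):
        if abs(y - u) > limit:
            run.append(k)
        else:
            run.clear()  # isolated spikes are ignored (robustness)
        if len(run) >= persist:
            den = sum(cmd[i] ** 2 for i in run)
            if den == 0:  # output without any command: not a gain fault
                return Fault(run[0], "unexplained_output", float("nan"))
            # least-squares fit of meas = gain * cmd over the violating window
            gain = sum(cmd[i] * meas[i] for i in run) / den
            kind = "breakdown" if gain < dead_gain else "gain_deterioration"
            return Fault(run[0], kind, gain)
    return None

# Constructed sample data (Nm): commanded torque held at 100.
CMD = [100.0] * 10
SPIKE_ONLY = [101, 99, 130, 100, 98, 101, 100, 99, 102, 100]
DEGRADED = [101, 99, 130, 100, 98, 61, 59, 60, 60, 61]
BROKEN = [100, 101, 99, 2, 1, 0, 1, 0, 2, 1]

if __name__ == "__main__":
    for name, meas in [("spike", SPIKE_ONLY), ("degraded", DEGRADED),
                       ("broken", BROKEN)]:
        print(name, detect_torque_fault(CMD, meas))
```

The `persist` counter is the sensitivity/robustness trade-off: a larger value rejects more noise but consumes more of the limited time available for FDD and reconfiguration.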
Automotive network systems
The shift towards integrated control leads to new requirements for the control architecture in order to cope with the changed complexity. Besides smart actuators, smart sensors and fault-tolerant control, the communication architecture also has to be dependable to achieve a fault-tolerant overall system.
Control architecture
The fault cycle and vehicle control are embedded in the vehicle control architecture. The structure of this architecture has evolved from a decentralized coexistent control, where each function is controlled independently of the others, to a centralized supervisory control, where all functions are managed from one master controller and assigned to the appropriate subsystem.
Communication architecture
On the physical and data link layers, dependable communication systems have to be provided in real time. Their dependability includes deterministic and time-triggered behaviour, support for distributed control, fault-tolerant services and fast data transfer [75]. The event-triggered CAN protocol does not fulfil these requirements. Protocols with time-triggered behaviour and a global synchronized time are implemented instead. Messages describing the current state (e.g. "brake pressure 50%") instead of an event (e.g. "deceleration started") and the time slot allocation, which results in smaller time delays at fluctuating load conditions, enable an exact prediction of the time delay of each state message [75–77]. Communication protocols for fault-tolerant systems are designed according to the fault hypothesis, which has certain requirements describing the number, type and arrival rate of tolerated faults [78]. A methodology for the development and analysis of time-triggered systems is established for the existing software development process of the automotive industry [79].
TTCAN
The Time-Triggered CAN protocol is essentially built upon the event-triggered CAN structure with the difference that all data is sent within a time-triggered system matrix. A redundant time master ensures the deterministic behavior [80, 81]. The system matrix consists of several basic cycles that can have different amounts of deterministic and non-deterministic windows. TTCAN supports no dependability services, but implementation as middleware is possible [81]. Different TTCAN buses can be synchronized to achieve fault-tolerant TTCAN networks [82]. Transfer rates are limited to the typical CAN bandwidth of 1 Mbit/s.
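To show why a time-triggered system matrix makes state-message timing predictable, the following added example (not from the original article) computes the longest interval between two scheduled transmissions of each message. The matrix layout, window durations and message names are constructed assumptions; windows with an owner are the deterministic ones, windows with `None` are the non-deterministic (arbitrating) ones.

```python
from typing import List, Optional, Tuple

Window = Tuple[int, Optional[str]]   # (duration in microseconds, owner or None)
Matrix = List[List[Window]]          # one inner list per basic cycle

def check_matrix(matrix: Matrix) -> int:
    """Return the basic-cycle length; reject matrices with unequal cycles."""
    lengths = {sum(d for d, _ in cycle) for cycle in matrix}
    if len(lengths) != 1:
        raise ValueError(f"basic cycles differ in length: {sorted(lengths)}")
    return lengths.pop()

def owned_starts(matrix: Matrix, msg: str) -> List[int]:
    """Start offsets (us) of every deterministic window owned by msg."""
    starts, t = [], 0
    for cycle in matrix:
        for duration, owner in cycle:
            if owner == msg:
                starts.append(t)
            t += duration
    return starts

def worst_case_interval(matrix: Matrix, msg: str) -> Optional[int]:
    """Longest gap between scheduled sends of msg, or None if msg has no
    deterministic window and must compete in the arbitrating windows."""
    period = check_matrix(matrix) * len(matrix)
    starts = owned_starts(matrix, msg)
    if not starts:
        return None
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    gaps.append(starts[0] + period - starts[-1])   # wrap to the next matrix run
    return max(gaps)

# Constructed system matrix: two basic cycles of 1000 us each.
# "REF" stands for the reference message sent by the time master.
SAMPLE_MATRIX: Matrix = [
    [(100, "REF"), (200, "brake_pressure"), (300, None),
     (200, "steering_angle"), (200, "brake_pressure")],
    [(100, "REF"), (200, "brake_pressure"), (300, None),
     (200, "wheel_speed"), (200, None)],
]

if __name__ == "__main__":
    for m in ("brake_pressure", "steering_angle", "wheel_speed", "diagnostics"):
        print(m, worst_case_interval(SAMPLE_MATRIX, m))
```

A message that returns `None` here has no bound that can be read off the schedule, which is the event-triggered CAN situation the time-triggered protocols are meant to avoid.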
TTP/C
The Time Triggered Protocol (TTP/C) is a pure time-triggered protocol. Safety is its main objective, thus strict deterministic sequential order leads to a low flexibility. Redundancy on two channels is given. Dependability services such as the bus guardian, the group membership algorithm, the clique avoidance algorithm and the support for mode changes are available directly in the protocol without the need for middleware [75, 80, 83]. The fault hypothesis for TTP/C is well defined and restrictive, as faults have to arrive at least two rounds apart. Outside the fault hypothesis the recovery strategy is well defined with a "never gives up" strategy as well [78, 80]. A degraded mode is then activated for keeping the system operational.
Middleware
Dependability services for x-by-wire applications are achieved by middleware, a software layer located above the platform. The automotive industry has developed a modularized architecture called AUTOSAR (AUTomotive Open System Architecture) [86]. This standardized and open software architecture enables an easy integration and update of new software and hardware modules into an existing structure. Hence prospective safety requirements for vehicles can be met, so that a high E/E system reliability is given.