Kim 2011 Microprocessors and Microsystems

A fuzzy predictive redundancy system for fault-tolerance of x-by-wire systems

Man Ho Kim a, Suk Lee a, Kyung Chang Lee b,*

a School of Mechanical Engineering, Pusan National University, Busan, South Korea
b Department of Control and Instrumentation Engineering, Pukyong National University, Busan, South Korea

* Corresponding author. Tel.: +82 51 629 6332; fax: +82 51 629 6309. E-mail address: [email protected] (K.C. Lee).

Microprocessors and Microsystems 35 (2011) 453–461
Contents lists available at ScienceDirect
journal homepage: www.elsevier.com/locate/micpro
doi:10.1016/j.micpro.2011.04.003
0141-9331/$ - see front matter © 2011 Elsevier B.V. All rights reserved.

Article history: Available online 30 April 2011

Keywords: Safety critical systems; Fault-tolerant system; x-by-wire systems; Intelligent vehicle; Fuzzy predictive redundancy system; Fault-detection algorithm; Threshold prediction method; Threshold level calculation method; Embedded microcontroller unit

Abstract

Safety issues and the dependence of numerous systems on electronics are rapidly increasing the concern over fault-tolerance. As an example, an intelligent vehicle with electronically controlled x-by-wire systems composed of dynamically configurable electronic elements instead of rigid mechanical components must be fault tolerant because a devastating failure could occur without warning. In particular, a safety-related malfunction of the brakes, throttle, or steering system could lead to serious injury or death and damage the manufacturer's reputation. If there is a warning it may not be as devastating as one could prevent it or mitigate it. Therefore, fault-tolerance is the primary focus of x-by-wire systems development. To address this concern, this paper presents a fuzzy predictive redundancy system that can remove most erroneous faults with a fault-detection algorithm. This paper also introduces a prototype of the system using an embedded microcontroller unit to show that it outperforms well-known average and median voters. The experimental results show that fuzzy predictive redundancy can be an appropriate choice for fault-tolerance in x-by-wire systems such as the steer-by-wire system or brake-by-wire system of an intelligent vehicle.

© 2011 Elsevier B.V. All rights reserved.

1. Introduction

Recent interest has focused on intelligent vehicles that offer the potential of significantly enhanced safety and convenience for both drivers and passengers [1,2]. As a component of an intelligent vehicle, in-vehicle network (IVN) systems, in which electronic components such as window motors and switches are connected to an electronic control unit (ECU) through a shared network cable [3,4], are widely used in automobiles, trucks, public transportation, and industrial vehicles. In particular, x-by-wire systems, which replace rigid mechanical components with dynamically configurable electronic elements and digital communication networks, are being developed to expand the application of IVN systems to real-time components such as brakes, throttle, and steering systems [5–7]. These drive-by-wire or x-by-wire systems expand the intelligent functions of safety algorithms, including adaptive cruise control systems and lane-keeping assist systems.

However, x-by-wire systems require a higher level of fault-tolerance than traditional systems based on mechanical links, because mechanical systems can provide drivers with some warning feedback of their status while electronic systems tend to fail abruptly without any warning. Because a safety-related malfunction of the brakes, throttle, or steering wheel could lead to injuries or deaths of the vehicle occupants and damage the manufacturer's reputation, fault-tolerance is the principal focus of x-by-wire systems [7–9].

The design of fault-tolerant functions generally includes redundant systems that duplicate several modules such as actuators, microcontrollers, and sensors with the same function. In general, a redundant system is classified into hardware redundancy, analytical redundancy (so-called software redundancy), and information redundancy [10,11]. Hardware redundancy adds extra embedded hardware with the same functions as those implemented in the original hardware [12–20]. Analytical redundancy consists of a hardware module and multiple model-based analytical models that execute a given set of functions of the original hardware [21–23]. Information redundancy adds extra information such as a parity bit to detect any fault. Among these approaches, due to the downward trend of microcontroller costs, hardware redundancy has been the center of research for many fault-tolerant systems such as intelligent vehicles.

Hardware redundancy systems can be classified according to the architecture and function: static hardware redundancy, dynamic hardware redundancy, and hybrid hardware redundancy [11]. A static redundancy system requires a voter that determines the final output of the system using the majority [12,13], median [14], mid-value [15], average, or a weighted rule [16,17] as its fault-masking algorithm to isolate any faulty inputs. However, static redundancy tends to cost more because it requires at least three parallel modules, and detecting faults is difficult when two or more modules are faulty. A dynamic redundancy system achieves fault-tolerance by having fault detection and reconfiguration functions instead of a voter. In general, a dynamic redundancy system can be classified as hot or cold depending on whether all modules are always operating. A hot standby dynamic redundancy system uses two modules to determine outputs; the fault detector determines which module is correct and the reconfigurator selects either of the two modules using an output switch. A cold standby dynamic redundancy system uses only one module at a time, and the reconfiguration module controls two switches to block the signal from the faulty module. By combining the two approaches, a hybrid redundancy system using techniques such as self-purging redundancy [18] or a smoothing voter [19] can mask a fault just like the static approach, but it can also detect a fault and reconfigure the system just like the dynamic approach using a switch and a fault-detection algorithm [17,20]. A hybrid redundancy system is simpler than a dynamic redundancy system because it requires no reconfiguration algorithm, and it is more cost effective than a static redundancy system because it requires fewer extra modules.

In order to implement a more effective and cost-efficient hardware type of hybrid redundancy system, this paper presents a fuzzy predictive redundancy system. This paper also suggests a fault-detection algorithm to detect and isolate faulty elements from a signal by forecasting the change from the last value of the input signal using the threshold prediction and threshold level calculation method. Because many sensor signals or the control output of a controller may follow a trend such as a sine wave or step response in real industrial applications such as x-by-wire systems, and will change abruptly when it fails [23], fault-detection algorithms based on the threshold prediction and threshold level calculation method may be appropriate for detecting and isolating faulty signals. Finally, to verify the feasibility of the fuzzy predictive redundancy system, we developed an experimental fuzzy predictive redundancy system using an embedded microcontroller unit with an experimental setup to simulate a redundant brake pedal signal, and compared the performance of the fuzzy predictive redundancy.

The remainder of this paper is organized as follows. Section 2 describes the structure of the fuzzy predictive redundancy system along with the fault-detection algorithm using the threshold prediction and threshold level calculation method. Section 3 describes the implementation details and experimental results of the fuzzy predictive redundancy system using an embedded microcontroller unit. Section 4 presents the conclusions.

2. Structure of the fuzzy predictive redundancy system

2.1. Schematic diagram of the fuzzy predictive redundancy system

We propose the fuzzy predictive redundancy system shown in Fig. 1 to enhance the redundancy of an x-by-wire system of an intelligent vehicle. The rationale for having this type of structure is that we cannot afford many redundant sensors on a system such as a passenger car. Therefore, the cost and complexity of static or n-modular redundancy with spares are difficult to justify. However, we can consider the hybrid of hot standby dynamic redundancy and static redundancy along with some capability to detect faulty elements. The fuzzy predictive redundancy system makes use of a powerful microcontroller to detect a fault from the last value of the system output using the threshold prediction and threshold level calculation method. The threshold prediction method is used to determine if a fault exists in the current value of the sensor signals by checking whether the new inputs lie within the predicted interval. The threshold level calculation method is used to determine the appropriate threshold levels of the fault-detection algorithm dynamically. The fuzzy predictive redundancy system is based on the assumption that the variables being measured change relatively gradually without large fluctuations.

Fig. 1. Schematic diagram of the fuzzy predictive redundancy system.

Fig. 1 shows the schematic diagram of the fuzzy predictive redundancy system with five modules: a threshold predictor, a threshold level calculator, a fault detector, an exception handler, and a voter. First, the threshold predictor forecasts a threshold FT(k), which is essentially the expected change in the output signal. This threshold is calculated using the exponential smoothing method, which is explained later. Second, the threshold level calculator computes the threshold levels b_i and b_j, which are essentially the expected threshold range in the output signal. These threshold levels are computed using fuzzy logic, which is explained later. Third, the fault detector decides whether a fault exists in the two input values a_i(k) and a_j(k) using the fault-detection algorithm. Here, if an input value lies within an interval centered on the system output in the previous step a(k − 1), it decides that the input is error-free. Fourth, the exception handler determines an output value a(k) when the fault detector decides that both input values are unreliable. When some unexpected external disturbance affects the system, the fault detector decides that both inputs are erroneous and that a valid output is unavailable. When that happens, the exception handler synthesizes a plausible output value by incrementing the last valid output value to prevent abnormal operation due to the absence of an actual output value. Finally, the voter calculates the output value using an averaging method.

2.2. Functions of sub-modules for the fuzzy predictive redundancy system

The threshold predictor must first forecast a threshold for determining whether a fault exists in the values supplied to the fault detector. The double exponential smoothing method, which is a representative method of time-series forecasting methodology, was chosen to forecast such a threshold in the fuzzy predictive redundancy system. The double exponential smoothing method removes variations, and shows trends and cyclic components in forecasting [24]. Since the encoder output signal or the actuator input signal of an x-by-wire system may follow a trend such as a sine wave or step response in real industrial applications, the double exponential smoothing method may be appropriate for forecasting the patterns of these signals [24]. For forecasting the kth threshold FT(k) of a fuzzy predictive redundancy system, the double exponential smoothing method can be expressed as follows:

$$
\begin{aligned}
FT^{[1]}(k) &= \alpha\,RT(k) + (1-\alpha)\,FT^{[1]}(k-1),\\
FT^{[2]}(k) &= \alpha\,FT^{[1]}(k) + (1-\alpha)\,FT^{[2]}(k-1),\\
FT(k) &= \left(2+\frac{\alpha}{1-\alpha}\right)FT^{[1]}(k) - \left(1+\frac{\alpha}{1-\alpha}\right)FT^{[2]}(k),\\
\text{where } RT(k) &= a(k-1) - a(k-2),
\end{aligned}
\tag{1}
$$

where FT[1](k) and FT[2](k) are the first and second step forecast thresholds, respectively, determined using the exponential smoothing method in the kth cycle, and RT(k) is the real threshold in the kth cycle. In addition, a(k) is an output value in the kth cycle, and α is the double exponential smoothing parameter, generally selected to be in the range 0.05–0.30. From trial-and-error simulations, we have chosen the value of 0.25 for the double exponential smoothing parameter α. FT(k) is the forecast change in the input signals, which is used as a threshold to determine whether a fault exists in the values input to the fault detector in the kth cycle using FT[1](k) and FT[2](k). Here, a(−1), a(−2), FT[1](0), and FT[2](0) are initialized to zero; a(0) is assumed to be the average of the first input values of the two modules and is assumed to be error-free.

Fuzzy logic was used to compute the appropriate threshold levels b_i and b_j of the threshold level calculator dynamically. The basic principles of fuzzy logic lie in the definition of a set, where any element can belong to a set with a certain degree of membership. Under this idea, the knowledge of an expert can be expressed in a relatively simple form, and the inference for given inputs can be implemented very efficiently. The fuzzy logic to compute appropriate threshold levels consists of three parts: fuzzifier, inference engine, and defuzzifier [25]. First, the fuzzifier converts the difference between the real input values (a_i(k) and a_j(k)), the forecasted values (FT(k)), and the difference between the two input values into linguistic values. Second, the inference engine creates the fuzzy output using fuzzy rules generated from expert experience. Finally, the defuzzifier calculates appropriate threshold levels from the inferred results.

Fig. 2 shows the membership functions of the input and output linguistic variables. Triangular fuzzy numbers are selected as membership functions to increase the computation speed of the fuzzy predictive redundancy system. Under these assumptions, seven fuzzy linguistic variables are defined: small, medium, large, most critical, critical, less critical, and non-critical. The fuzzy inputs of membership are the difference between the kth two input values, d_ij(k) = |a_i(k) − a_j(k)|, the difference between the kth input value a_i(k) and forecasted value d_i(k) = |a_i(k) − FT(k)|, and the difference between the kth input value a_j(k) and forecasted value d_j(k) = |a_j(k) − FT(k)|. In the figure, the membership function for inputs is expressed in terms of Tmax, the tolerance of the sensor output range to the desired sensor specification. For example, if the sensor specification has a 0–5 V sensor output range with a 5% tolerance, Tmax is 0.25 V (5 V × 0.05). The output membership function is determined by several trial-and-error experiments with a simulation method under the proposed fuzzy predictive redundancy system scheme, and is expressed as b_i(k) and b_j(k).

Fig. 2. Fuzzy membership functions.

Also, Mamdani's min–max inference method [26] and the center average defuzzifier were used for faster execution of the fuzzy predictive redundancy system. The center average defuzzifier calculates the output by taking an average of the vertex values of the triangular membership functions weighted by their firing strength, as shown in Fig. 3.

Fig. 3. Mamdani's min–max inference procedure and center average defuzzifier.

We can formulate the fuzzy rules for selecting the appropriate threshold based on expert knowledge; this consists of 17 rules shown in Table 1. If the difference between both input values and the forecast value exceeds a reliable range, we assign a threshold close to zero. Conversely, if the difference between both input values and the forecast value is within a reliable range, we assign a threshold close to 0.5. In particular, if the difference between both input values and the forecast value is within a large linguistic variable range, we assign the threshold close to zero regardless of the difference between the two input values.

Table 1. Fuzzy rules for the fuzzy hybrid redundancy system.

      Input membership function      Output membership function
No.   d_i(k)    d_j(k)    d_ij(k)    b_i(k)           b_j(k)
1     Small     Small     Small      Non-critical     Non-critical
2     Small     Small     Medium     Less critical    Less critical
3     Small     Small     Large      Critical         Critical
4     Small     Medium    Small      Non-critical     Less critical
5     Small     Medium    Medium     Non-critical     Critical
6     Small     Medium    Large      Less critical    Most critical
7     Medium    Small     Small      Less critical    Non-critical
8     Medium    Small     Medium     Critical         Non-critical
9     Medium    Small     Large      Most critical    Less critical
10    Medium    Medium    Small      Less critical    Less critical
11    Medium    Medium    Medium     Critical         Critical
12    Medium    Medium    Large      Most critical    Most critical
13    Small     Large     –          Non-critical     Most critical
14    Large     Small     –          Most critical    Most critical
15    Medium    Large     –          Critical         Most critical
16    Large     Medium    –          Most critical    Critical
17    Large     Large     –          Most critical    Most critical
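The threshold level calculator described above, written out as an added example in C (it is not the authors' code). The 17 rules are those of Table 1 as printed; the triangular input sets with peaks at 0, Tmax/2 and Tmax and the output vertex values 0, 1/6, 1/3 and 0.5 are assumptions, because the membership functions of Fig. 2 are not reproduced on this page.

```c
#include <stdio.h>

enum { SMALL, MEDIUM, LARGE, ANY };              /* input linguistic terms */
enum { MOST_CRIT, CRIT, LESS_CRIT, NON_CRIT };   /* output linguistic terms */

/* Assumed vertex of each output triangle, spanning the "close to zero" to
 * "close to 0.5" range given in the text. */
static const double VERTEX[4] = { 0.0, 1.0 / 6.0, 1.0 / 3.0, 0.5 };

/* Table 1 as printed: { d_i, d_j, d_ij, b_i, b_j }. */
static const int RULES[17][5] = {
    { SMALL,  SMALL,  SMALL,  NON_CRIT,  NON_CRIT  },
    { SMALL,  SMALL,  MEDIUM, LESS_CRIT, LESS_CRIT },
    { SMALL,  SMALL,  LARGE,  CRIT,      CRIT      },
    { SMALL,  MEDIUM, SMALL,  NON_CRIT,  LESS_CRIT },
    { SMALL,  MEDIUM, MEDIUM, NON_CRIT,  CRIT      },
    { SMALL,  MEDIUM, LARGE,  LESS_CRIT, MOST_CRIT },
    { MEDIUM, SMALL,  SMALL,  LESS_CRIT, NON_CRIT  },
    { MEDIUM, SMALL,  MEDIUM, CRIT,      NON_CRIT  },
    { MEDIUM, SMALL,  LARGE,  MOST_CRIT, LESS_CRIT },
    { MEDIUM, MEDIUM, SMALL,  LESS_CRIT, LESS_CRIT },
    { MEDIUM, MEDIUM, MEDIUM, CRIT,      CRIT      },
    { MEDIUM, MEDIUM, LARGE,  MOST_CRIT, MOST_CRIT },
    { SMALL,  LARGE,  ANY,    NON_CRIT,  MOST_CRIT },
    { LARGE,  SMALL,  ANY,    MOST_CRIT, MOST_CRIT },
    { MEDIUM, LARGE,  ANY,    CRIT,      MOST_CRIT },
    { LARGE,  MEDIUM, ANY,    MOST_CRIT, CRIT      },
    { LARGE,  LARGE,  ANY,    MOST_CRIT, MOST_CRIT },
};

/* Fuzzifier: assumed triangular sets on [0, Tmax]; values above Tmax
 * saturate as fully "large". */
static void fuzzify(double x, double tmax, double mu[3])
{
    double u = x / tmax;
    if (u < 0.0) u = 0.0;
    if (u > 1.0) u = 1.0;
    mu[SMALL]  = u < 0.5 ? 1.0 - 2.0 * u : 0.0;
    mu[MEDIUM] = u < 0.5 ? 2.0 * u : 2.0 - 2.0 * u;
    mu[LARGE]  = u > 0.5 ? 2.0 * u - 1.0 : 0.0;
}

static double min2(double a, double b) { return a < b ? a : b; }

/* Center average defuzzifier: vertex values weighted by firing strength. */
static double center_average(const double s[4])
{
    double num = 0.0, den = 0.0;
    for (int t = 0; t < 4; t++) { num += s[t] * VERTEX[t]; den += s[t]; }
    return den > 0.0 ? num / den : 0.0;   /* nothing fired: tightest level */
}

/* Mamdani min-max inference over Table 1: min combines the antecedents of a
 * rule, max combines rules that share an output term. */
void fuzzy_levels(double di, double dj, double dij, double tmax,
                  double *bi, double *bj)
{
    double mi[3], mj[3], mij[3];
    double si[4] = { 0.0 }, sj[4] = { 0.0 };

    fuzzify(di, tmax, mi);
    fuzzify(dj, tmax, mj);
    fuzzify(dij, tmax, mij);
    for (int r = 0; r < 17; r++) {
        const int *q = RULES[r];
        double w = min2(mi[q[0]], mj[q[1]]);
        if (q[2] != ANY) w = min2(w, mij[q[2]]);
        if (w > si[q[3]]) si[q[3]] = w;
        if (w > sj[q[4]]) sj[q[4]] = w;
    }
    *bi = center_average(si);
    *bj = center_average(sj);
}

int main(void)
{
    double bi, bj;
    /* Tmax = 0.25 V is the 0-5 V, 5 % tolerance case from the text. */
    fuzzy_levels(0.0625, 0.0, 0.0, 0.25, &bi, &bj);
    printf("b_i = %.4f, b_j = %.4f\n", bi, bj);
    return 0;
}
```
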

After forecasting the threshold FT(k) in the threshold predictor and computing the threshold levels b_i(k) and b_j(k) in the threshold level calculator, the fault detector determines whether a fault exists in the input values from the two input modules using the fault-detection algorithm, as shown in Fig. 4. The two input values are captured by the fuzzy predictive redundancy system. Then, if the difference between the kth input value a_i(k) and the (k − 1)th output value a(k − 1) is in the range [(1 − b_i)FT(k), (1 + b_i)FT(k)], the fault detector decides that a_i(k) is error-free. Conversely, if a_i(k) − a(k − 1) exceeds a permitted limit of the range [(1 − b_i)FT(k), (1 + b_i)FT(k)], the corresponding input a_i(k) is considered erroneous. In addition, if the difference between the kth input value a_j(k) and the (k − 1)th output value a(k − 1) is in the range [(1 − b_j)FT(k), (1 + b_j)FT(k)], the fault detector decides that a_j(k) is error-free. Conversely, if a_j(k) − a(k − 1) exceeds a permitted limit of the range [(1 − b_j)FT(k), (1 + b_j)FT(k)], the corresponding input a_j(k) is considered erroneous. If at least one of the a_i(k) or a_j(k) inputs is determined to be error-free, the voter is called upon to generate the kth output value a(k) of the fuzzy predictive redundancy system. Here, an appropriate threshold level (b_i and b_j) is selected dynamically using fuzzy logic in the threshold level calculator. If both input values are determined to be erroneous, the fault detector calculates d_ij(k), which is defined as the difference between the kth values of the inputs a_i(k) and a_j(k) from the two input modules. Here, if d_ij(k) is within the forecast threshold range [−FT(k), +FT(k)], the two input values are regarded as error-free and the voter is called upon to calculate a(k). That is, if both inputs exceed a permitted limit of the range and the difference between the two inputs is smaller than an allowable error threshold range [−FT(k), +FT(k)], the two inputs are considered to be varying rapidly due to some unexpected external disturbance. Conversely, if d_ij(k) exceeds the forecast threshold range [−FT(k), +FT(k)], the two input values are considered erroneous, and the exception handler is called upon to determine a feasible output value from the two erroneous input values.

Fig. 4. Fault-detection algorithm.

When the fault detector determines that the two input values are erroneous, the exception handler calculates a plausible output value to prevent malfunction of the fuzzy predictive redundancy system. To determine the output value a(k), the exception handler calculates the difference between the (k − 1)th output value and the (k − 2)th output value. If a(k − 1) − a(k − 2) is positive, the exception handler decides that the input value is increasing and declares the output value to be a(k − 1) + FT(k). If a(k − 1) − a(k − 2) is negative, the output value is declared to be a(k − 1) − FT(k). Since the output can be set to the second-best value even if both inputs are erroneous, the double smoothing method makes it possible to prevent any abnormal operation of the system that may occur due to the absence of a valid output.

As a result, if at least one input value is error-free, the fuzzy predictive redundancy system may determine the appropriate output value by averaging the input values in the voter. Fortunately, since the failure probability of automotive sensors is low due to the high level of automakers' quality assurance programs, the performance of the proposed system is very reliable. However, when two modules are faulty or one module is slowly degrading, our system may not find these conditions.
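The threshold predictor of Eq. (1), the fault detector, the exception handler and the averaging voter from this section, put together as an added example in C (it is not the authors' code). The threshold levels are passed in and held at 0.5 here; sorting the window bounds, averaging only the accepted inputs, using the magnitude of FT(k) in the last two branches and holding the output on a zero trend are assumptions for cases the text leaves open. The pedal ramp and fault values are constructed.

```c
#include <stdio.h>

#define ALPHA 0.25   /* smoothing parameter chosen in the text */

typedef enum { FPR_VOTED, FPR_DISTURBANCE, FPR_EXCEPTION } fpr_path;

typedef struct {
    double a1, a2;    /* a(k-1) and a(k-2): the last two system outputs */
    double ft1, ft2;  /* FT[1](k-1) and FT[2](k-1) */
    double ft;        /* FT(k) of the latest cycle */
    fpr_path path;    /* branch taken in the latest cycle */
} fpr_state;

static double absd(double x) { return x < 0.0 ? -x : x; }

/* Initial conditions from the text: a(-1), FT[1](0) and FT[2](0) are zero,
 * a(0) is the average of the first two inputs, assumed error-free. */
void fpr_init(fpr_state *s, double ai0, double aj0)
{
    s->a1 = 0.5 * (ai0 + aj0);
    s->a2 = 0.0;
    s->ft1 = s->ft2 = s->ft = 0.0;
    s->path = FPR_VOTED;
}

/* Equation (1): forecast the change expected in cycle k. */
static double predict_threshold(fpr_state *s)
{
    double r = ALPHA / (1.0 - ALPHA);
    double rt = s->a1 - s->a2;                 /* RT(k) = a(k-1) - a(k-2) */
    s->ft1 = ALPHA * rt + (1.0 - ALPHA) * s->ft1;
    s->ft2 = ALPHA * s->ft1 + (1.0 - ALPHA) * s->ft2;
    return (2.0 + r) * s->ft1 - (1.0 + r) * s->ft2;
}

/* Error-free test: a - a(k-1) inside [(1-b)FT, (1+b)FT]. The bounds are
 * sorted so that a negative FT still gives a valid interval (assumption). */
static int in_window(double a, double prev, double ft, double b)
{
    double lo = (1.0 - b) * ft, hi = (1.0 + b) * ft, d = a - prev;
    if (lo > hi) { double t = lo; lo = hi; hi = t; }
    return d >= lo && d <= hi;
}

/* One cycle of the redundancy system; returns the output a(k). */
double fpr_step(fpr_state *s, double ai, double aj, double bi, double bj)
{
    double ft = predict_threshold(s), out;
    int ok_i = in_window(ai, s->a1, ft, bi);
    int ok_j = in_window(aj, s->a1, ft, bj);

    if (ok_i || ok_j) {              /* voter: average the accepted inputs */
        out = (ok_i && ok_j) ? 0.5 * (ai + aj) : (ok_i ? ai : aj);
        s->path = FPR_VOTED;
    } else if (absd(ai - aj) <= absd(ft)) {  /* both moved together */
        out = 0.5 * (ai + aj);
        s->path = FPR_DISTURBANCE;
    } else {                         /* exception handler: extrapolate */
        double trend = s->a1 - s->a2;
        out = s->a1;                 /* zero trend: hold (assumption) */
        if (trend > 0.0) out += absd(ft);
        if (trend < 0.0) out -= absd(ft);
        s->path = FPR_EXCEPTION;
    }
    s->a2 = s->a1;
    s->a1 = out;
    s->ft = ft;
    return out;
}

typedef struct {
    double out40, out50;      /* outputs at the two fault samples */
    fpr_path p40, p50;        /* branches taken at those samples */
    double iae_fpr, iae_avg;  /* Eq. (2) with a sampling time of 1 */
} demo_result;

/* Constructed input: two identical channels ramp from 1.4 V at 0.01 V per
 * sample; sample 40 has +1.19 V on channel i only, sample 50 has +1.19 V on
 * channel i and -0.80 V on channel j. A plain two-channel average is the
 * baseline. */
demo_result run_demo(void)
{
    demo_result r = { 0.0, 0.0, FPR_VOTED, FPR_VOTED, 0.0, 0.0 };
    fpr_state s;

    fpr_init(&s, 1.4, 1.4);
    for (int k = 1; k < 60; k++) {
        double clean = 1.4 + 0.01 * k, ai = clean, aj = clean;
        if (k == 40) ai += 1.19;
        if (k == 50) { ai += 1.19; aj -= 0.80; }
        double out = fpr_step(&s, ai, aj, 0.5, 0.5);
        r.iae_fpr += absd(out - clean);
        r.iae_avg += absd(0.5 * (ai + aj) - clean);
        if (k == 40) { r.out40 = out; r.p40 = s.path; }
        if (k == 50) { r.out50 = out; r.p50 = s.path; }
    }
    return r;
}

int main(void)
{
    demo_result r = run_demo();
    printf("k=40: %.4f V (path %d), k=50: %.4f V (path %d)\n",
           r.out40, (int)r.p40, r.out50, (int)r.p50);
    printf("IAE: predictive %.6f, plain average %.3f\n", r.iae_fpr, r.iae_avg);
    return 0;
}
```

On a flat signal FT(k) decays toward zero and the acceptance window closes with it, so in this sketch two channels that differ only by sensor noise would end up in the exception branch; the constructed channels above are identical whenever they are clean.
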

3. Performance evaluation of the fuzzy predictive redundancy system

3.1. Feasibility test using MATLAB simulation model

To verify the feasibility of the fuzzy predictive redundancy system, a simulation model of the fuzzy predictive redundancy system was implemented using Mathworks MATLAB Simulink software, and a simulated brake pedal signal, as shown in Fig. 5a, was generated by using MATLAB Simulink. In addition, we generated two types of faulty signals: (1) a faulty signal with a transient and intermittent type fault (Fig. 5b), and (2) a faulty signal with a permanent type fault (Fig. 5c) [11].

Fig. 5. Simulated signal for MATLAB simulation model: (a) simulated signal without fault; (b) simulated signal with transient and intermittent fault; (c) simulated signal with permanent fault. Axes: sampling time (ms), brake pedal signal (V).

Fig. 6. Simulation model output of fuzzy hybrid redundancy: (a) when two inputs have transient type fault; (b) when one input has permanent type fault and the other input has transient fault. Axes: sampling time (ms), brake pedal signal (V).

Fig. 6a shows the simulation model output when the two inputs are transient fault signals as shown in Fig. 5b. After being processed by the fuzzy predictive redundancy system, the output appears identical to the original simulated signal shown in Fig. 5a. Fig. 6b shows the simulation model output when one input has a permanent fault and the other input is a transient fault signal. In the figure, we can see that the fuzzy predictive redundancy eliminated these faults when one input has a permanent fault. This simulation indicates that fuzzy predictive redundancy can be an appropriate algorithm for safety critical systems because the exception handler determines a plausible output for safe operation.

3.2. Experimental evaluation using embedded system

This section describes the performance of the fuzzy predictive redundancy system and the implementation details for the experimental setup (test bed) using the embedded microcontroller unit shown in Fig. 7a. This setup was intended to represent a redundant brake pedal module with two potentiometers for measuring the angular displacement of the pedal in the fuzzy predictive redundancy system. In a conventional hydraulic brake pedal system, the pedal is connected to a hydraulic brake booster. In our experimental setup, electrical potentiometers were attached to the brake pedal axis to measure the angular displacement of the pedal. A fault injector was connected to the signal lines of the potentiometers to simulate potentiometer faults.

Fig. 7b shows the implementation details for the experimental setup. A 10 kΩ potentiometer (J45S, Copal Electronics) was used to measure the displacement of the brake pedal [27], and a Freescale MC9S12XDP512 microcontroller kit (SK-S12XDP512-A, SofTec Microsystems) was used for the fuzzy predictive redundancy module [28,29]. A notebook computer running Vector's CANoe software was connected to the module via a controller area network to monitor the output of the fuzzy predictive redundancy module [30]. The fuzzy predictive redundancy system implemented using Mathworks MATLAB Simulink software was converted into C language code using Mathworks Real-Time Workshop, and downloaded to the MC9S12XDP512 microcontroller using Metrowerks CodeWarrior [31]. Because pressing on the brake pedal in a uniform manner was necessary to compare experimental results in this setup, we added a direct current (DC) motor with a limit sensor to the brake pedal axis to emulate consistent movement of the pedal.

Fig. 7. Experimental setup of the fuzzy predictive redundancy system.

For comparison with general redundancy systems, we attached another potentiometer to the brake axis and implemented an average and a median voter using an MC9S12XDP512 microcontroller and Real-Time Workshop; such a system is commonly used in triple modular redundancy (TMR) systems. The average and median voters are the most common static redundancy systems, and are used in various application areas such as ground vehicles and aircraft [32]. The two voters are often used for comparison among the other voters [8].

We defined the integral of the absolute magnitude of the error (IAE) performance index as follows to compare the performance of three voters [33]:

$$
\mathrm{IAE} = \sum_{k=1}^{n} \Delta T \cdot |e(k)| \tag{2}
$$

where e(k) is the difference between the original brake pedal value and the fault-masked brake pedal value, and ΔT is the sampling time of the brake pedal signal.

Fig. 8a shows an example of the brake pedal signal caused by activating the DC motor and captured from a potentiometer. The potentiometer voltage was 1.4 V when the brake pedal was released, and increased to 2.6 V when the brake pedal was slowly pressed. Fig. 8b shows an example of the brake pedal signal produced by a potentiometer with a fault. We used the fault injector shown in Fig. 7a to add an impulse fault to the normal potentiometer signal and eliminate the need for a faulty potentiometer. This fault signal could appear and disappear within a very short period of time due to white noise or impulse noise in the electric circuit or sensor elements, and included transient and intermittent type fault characteristics [11]. The fault injector inserted a Gaussian-distributed random signal with a range of ±5 V, a mean of 0, and standard deviation of 1, based on the number of injected faults [8]. For example, the 354th sample of the brake pedal signal in Fig. 8a was 2.61 V while the value in Fig. 6b was changed to 3.80 V by adding 1.19 V.

Fig. 9 shows the brake pedal signal of the average voter, median voter, and fuzzy predictive redundancy systems for 4000 injected faults. Fig. 9a shows that after processing by the average voter using three different signals with faults, the output signal still included a great deal of instantaneous fluctuation compared to the original signal shown in Fig. 8a. This is because the average voter always uses all the signals, even if they contain faults. Fig. 9b shows that the median voter partly eliminated these faults. The IAE performance index for the median voter (14.7) was better than that of the average voter (18.67), but many faults still affected the output when two or more values were faulty. This may not be suitable for fault-tolerance of safety critical applications like vehicle x-by-wire systems. Fig. 9c shows the system output of the fuzzy predictive redundancy system. It appears almost identical to the original signal. As expected, the IAE performance index was 0.195, far better than for the average and median voters.

Fig. 8. Examples of brake pedal signals from a potentiometer: (a) brake pedal signal from a potentiometer without a fault; (b) brake pedal signal from a faulty potentiometer. Axes: sampling time (10 ms) versus brake pedal output (V).

Fig. 9. Brake pedal signal with the average voter, median voter, and fuzzy predictive redundancy, with 4000 faults injected: (a) pedal signal from the average voter; (b) pedal signal from the median voter; (c) pedal signal using fuzzy predictive redundancy. Axes: sampling time (10 ms) versus brake pedal output (V).
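The following C program is an added example, not code from the paper: it computes the IAE of Eq. (2) for the average and median voters over three channels, showing why the median voter masks a single faulty input but not two simultaneous ones. The pedal ramp (1.4 V to 2.6 V over 700 samples at 10 ms), the fault positions and the 0.50 V impulse are constructed; the 1.19 V impulse is the value quoted above. The fuzzy predictive redundancy algorithm itself is not reproduced here.

```c
#include <stdio.h>

#define N  700    /* samples, matching the figures' time axis (assumed) */
#define DT 0.01   /* sampling time in seconds (10 ms) */

static double absd(double x) { return x < 0 ? -x : x; }
static double min2(double a, double b) { return a < b ? a : b; }
static double max2(double a, double b) { return a > b ? a : b; }

/* Average voter: every input contributes, faulty or not. */
double vote_average(const double s[3]) {
    return (s[0] + s[1] + s[2]) / 3.0;
}

/* Median voter: the middle one of the three inputs. */
double vote_median(const double s[3]) {
    return max2(min2(s[0], s[1]), min2(max2(s[0], s[1]), s[2]));
}

/* Constructed fault-free pedal ramp, 1.4 V (released) to 2.6 V (pressed). */
static double pedal(int k) { return 1.4 + 1.2 * k / (N - 1); }

/* IAE of Eq. (2) for one voter. Constructed impulses hit the first
   `faulty` channels (1 or 2) simultaneously at three sample indices. */
double iae(double (*voter)(const double[3]), int faulty) {
    static const int    fault_at[3] = {100, 354, 600}; /* constructed */
    static const double impulse[2]  = {1.19, 0.50};    /* volts */
    double sum = 0.0;
    for (int k = 0; k < N; k++) {
        double clean = pedal(k);
        double s[3] = {clean, clean, clean};
        for (int f = 0; f < 3; f++)
            if (k == fault_at[f])
                for (int c = 0; c < faulty && c < 2; c++)
                    s[c] += impulse[c];
        sum += DT * absd(voter(s) - clean);   /* DT * |e(k)| */
    }
    return sum;
}

int main(void) {
    printf("one faulty channel : avg %.4f  median %.4f\n",
           iae(vote_average, 1), iae(vote_median, 1));
    printf("two faulty channels: avg %.4f  median %.4f\n",
           iae(vote_average, 2), iae(vote_median, 2));
    return 0;
}
```

With one faulty channel the median voter's IAE is zero while the average voter passes a third of every impulse through; with two faulty channels the median voter outputs the smaller of the two corrupted values.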

Fig. 10 shows the IAE performance indices of the average voter, median voter, and fuzzy predictive redundancy system for various numbers of injected faults. The IAE performance index of the average and median voters increased linearly to 18.67 and 14.7, respectively, as the number of injected faults increased. However, the IAE performance index of the fuzzy predictive redundancy system remained relatively low, and reached a maximum of only 0.292 for 3000 faults. These results indicate that the performance of the fuzzy predictive redundancy system is superior to those of the average and median voters. In addition, since the average and median voters use three sensors while the fuzzy predictive redundancy system only requires two, it is possible to implement a redundant system with fewer redundant sensors. This may result in a less-expensive system because a sensor may cost more than the microprocessor required to execute the algorithm.

4. Summary and conclusions

This paper presented a fuzzy predictive redundancy system and a fault-detection algorithm for an x-by-wire system. To verify the feasibility of the fuzzy predictive redundancy system, we developed an experimental system using an embedded microcontroller unit to simulate redundant brake pedal signals, and compared the performance of the fuzzy predictive redundancy system with that of the average and median voters. The conclusions derived from this research are as follows.

First, the experimental results showed that the fuzzy predictive redundancy system could eliminate faults far better than the general voting method used for a TMR system. The fault-masked signal was very similar to the original signal without faults because of the exception handler, even if both input values were erroneous. The experiment demonstrated that the fuzzy predictive redundancy system could be very effective for x-by-wire systems.

Second, because general voting methods such as average and median voters require more than three sensors while the fuzzy predictive redundancy system needs only two, it may be possible to implement a redundancy system more cost effectively. The fuzzy predictive redundancy system can be applied to various industrial systems that are very sensitive to cost because of the low cost of microcontrollers and the superior design.

Fig. 10. IAE performance index for various numbers of injected faults. Axes: fault rate versus IAE index; series: average voter, median voter, fuzzy predictive redundancy.

This paper was a pilot study to find more cost-effective redundancy methods to improve the safety of x-by-wire systems. Even though automakers are currently moving towards x-by-wire systems, safety remains a major issue because x-by-wire vehicles rely heavily on electronic and electric sensors and actuators that tend to fail abruptly. The concept proposed in this paper enables automakers to use a smaller number of redundant components, which will reduce the price of x-by-wire systems.

However, enhancing the applicability of the proposed system requires further theoretical and practical research. First, a natural extension of this research would be to compare the performance of the fuzzy predictive redundancy system with those of other dynamic and hybrid methods, along with an experimental demonstration of its efficiency. Second, derivation of a precise fault model and analysis of the safety and reliability of the system are important. Finally, implementation of the complete x-by-wire redundancy system, including sensors, actuators, and the communication network, is essential to evaluate its performance.

Acknowledgment

This work was supported by the Grant of the Korean Ministry of Education, Science and Technology (The Regional Core Research Program/Institute of Logistics Information Technology).

References

[1] G. Leen, D. Heffernan, TTCAN: a new time-triggered controller area network, Microprocessors and Microsystems 26 (2) (2002) 77–94.

[2] R. Isermann, R. Schwarz, S. Stolzl, Fault-tolerant drive-by-wire systems, IEEE Control Systems Magazine 22 (5) (2002) 64–81.

[3] K.C. Lee, M.H. Kim, S. Lee, H.H. Lee, IEEE-1451-based smart module for in-vehicle networking systems of intelligent vehicles, IEEE Transactions on Industrial Electronics 51 (6) (2002) 1150–1158.

[4] D. Ayavoo, M.J. Pont, M. Short, S. Parker, Two novel shared-clock scheduling algorithms for use with Controller Area Network and related protocols, Microprocessors and Microsystems 31 (5) (2007) 326–334.

[5] M.H. Kim, S. Lee, K.C. Lee, Predictive hybrid redundancy using exponential smoothing method for safety critical systems, International Journal of Control, Automation and Systems 6 (1) (2008) 126–134.

[6] S. Haggag, D. Alstrom, S. Cetinkunt, A. Egelja, Modeling, control, and validation of an electro-hydraulic steer-by-wire system for articulated vehicle applications, IEEE Transactions on Mechatronics 10 (6) (2005) 688–692.

[7] H. Ryouhei, H. Masayasu, K. Sadahiro, N. Shirou, K. Hiromitsu, Fault-tolerant automobile steering based on diversity of steer-by-wire, braking and acceleration, Reliability Engineering and System Safety 95 (1) (2010) 10–17.

[8] M.H. Kim, S. Lee, K.C. Lee, Kalman predictive redundancy system for fault tolerance of safety-critical systems, IEEE Transactions on Industrial Informatics 6 (1) (2010) 46–53.

[9] O. Rooks, M. Armbruster, A. Sulzmann, G. Spiegelberg, U. Kiencke, Duo duplex drive-by-wire computer system, Reliability Engineering and System Safety 89 (1) (2005) 71–80.

[10] G.L. Shabgahi, J.M. Bass, S. Bennett, A taxonomy for software voting algorithm used in safety-critical systems, IEEE Transactions on Reliability 53 (3) (2004) 319–328.

[11] B.W. Johnson, Design and Analysis of Fault-tolerant Digital Systems, Addison-Wesley Publishing Company, 1989.

[12] J.L. Garcia-Lapresta, A general class of simple majority decision rules based on linguistic opinions, Information Sciences 176 (4) (2006) 352–365.

[13] K. Goeva-Popstojanova, A. Grnarov, N version programming with majority voting decision: dependability modeling and evaluation, Microprocessing and Microprogramming 38 (1) (1993) 811–818.

[14] G.L. Shabgahi, J.M. Bass, S. Bennett, Efficient implementation of inexact majority and median voters, Electronics Letters 36 (15) (2000) 1326–1328.

[15] M.D. Krstic, M.K. Stojcev, G.Lj. Djordjevic, I.D. Andrejic, A mid-value select voter, Microelectronics and Reliability 45 (3) (2005) 733–738.

[16] G. Levitin, Weighted voting systems: reliability versus rapidity, Reliability Engineering and System Safety 89 (2) (2005) 177–184.

[17] G.L. Shabgahi, A novel algorithm for weighted average voting used in fault tolerant computing systems, Microprocessors and Microsystems 28 (7) (2004) 357–361.

[18] C.W. Chiou, T.C. Yang, Self-purging redundancy with adjustable threshold for tolerating multiple module failures, Electronics Letters 31 (11) (1995) 930–931.

[19] G.L. Shabgahi, S. Bennett, J.M. Bass, Smoothing voter: a novel algorithm for handling multiple errors in fault-tolerant control systems, Microprocessors and Microsystems 27 (7) (2003) 303–313.

[20] G.L. Shabgahi, A.J. Hirst, A fuzzy voting scheme for hardware and software fault tolerant systems, Fuzzy Set and Systems 150 (3) (2005) 579–598.

[21] R.J. Patton, Fault detection and diagnosis in aerospace systems using analytical redundancy, Computing and Control Engineering Journal 2 (3) (1991) 127–136.

[22] P.M. Frank, Fault diagnosis in dynamic systems using analytical and knowledge-based redundancy: a survey and some new results, Automatica 26 (3) (1990) 459–474.

[23] S. Anwer, L. Chen, An analytical redundancy-based fault detection and isolation algorithm for a road-wheel control subsystem in a steer-by-wire system, IEEE Transactions on Vehicular Technology 56 (5) (2007) 2859–2869.

[24] E.S. Gardner, Exponential smoothing: the state of the art, Part II, International Journal of Forecasting 22 (4) (2006) 637–666.

[25] C.C. Lee, Fuzzy logic in control systems: fuzzy logic controller, Parts I and II, IEEE Transactions on Systems, Man, and Cybernetics 20 (2) (1990) 419–435.

[26] K.C. Lee, S. Lee, M.H. Lee, Remote fuzzy logic control of networked control system via Profibus-DP, IEEE Transactions on Industrial Electronics 50 (4) (2003) 784–792.

[27] Wirewound Single Turn Type-J Series, Copal Electronics, 2005.

[28] MC9S12XDP512 Data Sheet, Freescale Semiconductor, 2007.

[29] SK-S12XDP512-A Starter Kit User's Manual, SofTec Microsystems, 2007.

[30] CANoe Data Sheet, Vector, 2006.

[31] J.B. Dabney, T.L. Harman, Mastering SIMULINK, Prentice Hall, 2004.

[32] H.K. Kim, H.T. Lee, K.S. Lee, The design and analysis of AVTMR (all voting triple modular redundancy) and dual-duplex system, Reliability Engineering and System Safety 88 (3) (2005) 291–300.

[33] K. Astrom, T. Hagglund, PID controller: theory, design and tuning, International Society for Measurement and Control (1995).

Man Ho Kim received the B.S. degree from Donga University, Busan, Korea, in 2001, and the M.S. and Ph.D. degrees from Pusan National University, Busan, Korea, in 2003 and 2008, respectively. He is a research professor in the Institute of Logistics Information Technology, Pusan National University, Busan, Korea. Prior to joining Pusan National University, he was a Researcher in the Daegu Gyeongbuk Institute of Science and Technology (DGIST), from 2006 to 2010. From 2010 to 2011, he was a Post-doc in the School of Mechanical Engineering, Pusan National University, Busan, Korea. His research interests include fault-tolerant system with hardware redundancy structure, in-vehicle networking system, embedded microcontroller system design, and driving behavior and workload analysis of driving vehicle. Dr. Kim is a member of Korean Society of Automotive Engineers, Korean Society of Precision Engineers, and Institute of Control, Robot, and Systems Engineers.

Suk Lee received the B.S. degree from Seoul National University, Seoul, Korea, in 1984, and the M.S. and Ph.D. degrees from The Pennsylvania State University, University Park, in 1985 and 1990, respectively. He is a professor in the School of Mechanical Engineering, Pusan National University, Busan, Korea. Prior to joining Pusan National University, he was a Research Assistant Professor in the Center for Advanced Manufacturing Systems, University of Cincinnati, Cincinnati, OH. His research interests are industrial network, in-vehicle network, and home network. Dr. Lee is a member of Institute of Electrical and Electronics Engineers, Korean Society of Mechanical Engineers, Korean Society of Precision Engineers, and Institute of Control, Robot, and Systems Engineers.

Kyung Chang Lee received the B.S., M.S., and Ph.D. degrees from Pusan National University, Busan, Korea, in 1996, 1998, and 2003, respectively. He is an assistant professor in the Department of Control and Instrumentation Engineering, Pukyong National University, Busan, Korea. Prior to joining Pukyong National University, he was a Research Associate in the Network-based Automation Research Center, University of Ulsan, Ulsan, Korea, from 2003 to 2004. From 1997 to 2003, he was a Researcher in the Mechanical Engineering and Technology Research Information Center, Busan, Korea. His research interests are embedded network system, industrial network, in-vehicle network, home network, wireless sensor network, and networked control system. Dr. Lee is a member of Institute of Electrical and Electronics Engineers, Korean Society of Automotive Engineers, and Institute of Control, Robot, and Systems Engineers.