See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/261152569

Early model-based verification of automotive control system implementation

Conference Paper  in  Proceedings of the American Control Conference · June 2012

DOI: 10.1109/ACC.2012.6314852

CITATIONS READS
15 5,521

3 authors, including:

Mahdi Shahbakhti
Michigan Technological University
118 PUBLICATIONS   1,268 CITATIONS   

SEE PROFILE

Some of the authors of this publication are also working on these related projects:

Model-based control of RCCI engine View project

Easily Verifiable Model-Based Controller Design View project

All content following this page was uploaded by Mahdi Shahbakhti on 09 July 2015.

The user has requested enhancement of the downloaded file.

 Early Model-Based Verification
of Automotive Control System Implementation
Mahdi Shahbakhti, Jimmy Li and J. Karl Hedrick

Abstract— Controller Software Verification (CSV) is the

critical process used to avoid mismatch between a designed
and implemented controller. Common CSV practice in the
automotive industry is to test a controller after its software
is fully implemented. In this paper, an early model-based CSV
methodology is proposed to reduce the development time and
improve the robustness of automotive controllers.
The application of the proposed methodology is demon-
strated on a “Cold Start Emission” control problem in pas-
senger cars. A non-linear model-based controller is designed
to reduce cold start hydrocarbon emissions from a mid-size
modern passenger car. The controller robustness is analyzed
by testing the controller against the major steps occurring
during the software implementation process of a controller. The
main focus is on the imprecision from sampling, quantization Fig. 1. Typical V-cycle for the design of automotive controllers. (ECU:
and fixed-precision arithmetic. The results from the robustness Electronic Control Unit; SIL: Software-in-the-Loop; HIL: Hardware-in-the-
analysis are used to specify requirements for the controller Loop.)
implementation for passing current North American ULEV
emission standard.

I. INTRODUCTION reachable set, providing easier verification of a controller [5];

Validation and Verification (V&V), shown in Figure 1, are (5) developing tools for model-based verification of con-
essential stages in the design cycle of automotive controllers. trollers [6]-[7]; (6) model-based calibration of controllers to
V&V assures that (1) the implemented controller in an reduce V&V required time [8]-[9]. A large number of errors
ECU accurately represents the conceptual description and detected during independent V&V are introduced during the
specifications of the designed controller; (2) the designed initial stages of a controller development and it will cost 10
controller fulfills intended control targets. The traditional times less if those errors are identified and fixed during the
V&V process is complex and time consuming, due to the early stages of a controller software design [10]. This paper
multiple SIL and HIL iterations needed for verification of centers on early model-based verification during a controller
various ECU functions. Imprecision caused by approxima- design. A methodology is proposed and implemented on an
tions in the process of implementing a controller’s software automotive control problem to perform V&V in the early
is one of the main sources of error in a V&V cycle. The stages of the controller development process.
software implementation process involves issues such as This paper is organized as follows. A methodology for
sampling, quantization, ECU scaling, fixed-point arithmetic, early verification of controller design is proposed at the
saturation, and operating system adjustments – all of these beginning of Section II. The rest of the paper centers on
can cause mismatch between the original designed controller demonstrating the proposed methodology on an automotive
and the final implemented controller. controller case study. To this end, a model-based cold start
A large number of studies have been conducted to im- controller is designed after the cold start plant model is
prove software verification in the V&V process of complex briefly explained. Next the controller is implemented in
embedded control systems such as automotive ECUs. Some a fixed-point domain and simulated results are used to
of the recent studies include: (1) developing methods of determine requirements for successful implementation of the
model-based SIL [1]-[2]; (2) automatic verification of a controller. Finally conclusions are reached in Section III and
controller by stability analysis through using a model of future steps to extend this study are listed in Section IV.
implementation errors in a controller design [3]; (3) develop- II. EARLY MODEL BASED VERIFICATION OF
ing techniques for verification of a controller’s software [4]; CONTROLLER DESIGN
(4) analytical methods to accurately compute a controller’s
A. Methodology
This work was supported by Toyota Company and NSERC of Canada. The proposed methodology and typical time-consuming
Authors are with the Department of Mechanical Engi- process of Verification and Validation (V&V) for automotive
neering, University of California, Berkeley, CA 94720-1740,
USA.(email: [email protected]; controllers are shown in Figure 2. This study proposes
[email protected]; [email protected]) an early model-based V&V before launching the process
of controller implementation, which will serve to reduce temperature (i.e. 200-300◦C). Control of cold start emissions
the time spent in the typical V&V process. While using is a well recognized challenge, with increasing importance, in
a minimum-order model-based controller will simplify the moving towards green vehicles. This challenge is mainly due
calibration and verification stages, the early V&V can help to highly non-linear behavior of automotive engines during
identify and avoid the errors that will occur later in the cold start, while reliable data from Air-Fuel Ratio (AFR) and
controller implementation process. exhaust temperature sensors are not available.
Here, a cold start emission model is used to design a
sliding mode controller for reducing vehicle tailpipe HC
emissions during cold start operation.

1) Cold start model: A physical-empirical model from

[14] is used to estimate tailpipe HC emissions during cold
start. The model is parameterized for a 2.4L, 4-cylinder,
DOHC 16 valve Toyota 2AZ-FE engine and a three-way
catalyst exhaust aftertreatment system. The experimental
validation of different components of the model is found
in [15]-[16]. The inputs to the model are ṁai , air mass flow
rate into the intake manifold, ṁf c , commanded fuel mass
flow rate, and ∆, spark timing ATDC. The model includes
five states, indicated with the following dynamic equations:
ẋ1 = ṁa = ṁai − ṁao (ma , ωe ) = fma (1)
1
ẋ2 = ω̇e = [TE (ma , ωe )] = fωe (2)
J
1
ẋ3 = m̈f = [ṁf c − ṁf ] = fṁf (3)
τf
1
Fig. 2. Proposed model-based V & V methodology.
ẋ4 = Ṫcat = [Qgen + Qin − Qout ] = fTcat (4)
mCp
1
ẋ5 = Ṫexh = [SI(∆).AI(ma , ωe , ṁf ) − Texh ] = fTexh
The early V&V is divided into early SIL and virtual HIL τe
testing steps. First, an early SIL testing is performed by (5)
measuring the controller’s robustness against main impre- The five states are the mass of air inside the intake
cisions arising during the software implementation process. manifold (ma ), the engine speed (ωe ), fuel mass flow rate
The controller robustness is determined by how sensitive into the cylinders (ṁf ), the catalyst temperature (Tcat ), and
the controller’s performance is to sampling rate, quantization the exhaust temperature (Texh ). Details of the functions and
level, and fixed-precision arithmetic requirements in an ECU. constants in equations (1) to (5) are found in the Appendix.
Second, a virtual HIL testing is performed using sufficient The HC production rate from the engine (HC ˙ eng ) is calcu-
fidelity models for ECU and feedback sensors. Both early lated along with the catalytic converter efficiency (ηcat ) to
SIL and virtual HIL testings are done in a simulation give the HC emission rate out of the tailpipe (HC ˙ tp ). The
environment as a part of the ECU design process. final output of the model is the cumulative HC generated
during the cold phase (HCcum ).
Identified control design defects and implementation de-   n 
fects during the early SIL and virtual HIL processes in ˙ rc − 1 θevo − θ0 (∆)
HC eng = ṁf exp −a (6)
Figure 2 can result in a simpler and less time-consuming rc δθ(ma , ωe , ṁf )
V&V process for automotive controllers. This study centers
on demonstrating the application of the early SIL testing on   !15 
AF R
a cold start emission control problem. AF Rst − 0.7
ηcat = 0.98 1 − exp −5  (7)
0.3
B. Case Study: Cold Start Emission Control "  5 #!
Cold start emissions account for over 80% of the total Tcat − 30
. 1 − exp −0.2
Hydrocarbons (HC) and Carbon Monoxide (CO) emissions 150
in standard driving cycles [12]-[13]. Poor air-fuel mixture
formation and low efficiency of exhaust catalytic converters ˙ tp = HC
HC ˙ eng (1 − ηcat ) (8)
are two main causes of high emission levels of passenger
cars during the cold start operation. The critical cold phase where, AFRst is the AFR at stoichiometric condition and
is the 2-5 minute time period between the cold start and rc is the compression ratio. δθ, θ0 and θevo are fuel burn rate
the moment the catalytic converter reaches its operating function and parameters which are detailed in the Appendix.
 As suggested in Figure 2, a plant model with a minimum of 650◦C is chosen for Texh,d using available experimental
order is desirable to simplify the design and verification of a data for the engine [16].
controller. Here, the order of the 5-state cold start model is The control system shown in Figure 4 is used to
reduced using a balanced truncation technique. The details of implement the designed control structure from Figure 3.
the model reduction process are found in [11]. The resulting The control system centers on a model-based controller
reduced cold start model is a model with three new state (z)
equations:
zė = Te−1 F (9)

where, Te is the truncated coordinate transformation matrix

from x space to z space and F is a vector including original
nonlinear state functions in x space.
Te−1 =
 
−0.170 −0.009 0.007 −2.21e−5 −1.73e−8
 0.086 0.005 1.23e − 4 9.11e−5 1.28e−7 
0.031 −0.045 −2.66e − 5 2.50e−4 3.28e−7
 
f ma
 f ωe 
 
F = fṁf


 fT 
cat
fTexh Fig. 4. Schematic of the cold start emission control system in this work.

Values of coefficients in Te−1 indicate the new z states

are mainly functions of fma , fωe , and fṁf . Thus variations which uses three sensors and three actuators to reduce cold
in the exhaust temperature and the catalyst temperature have start tailpipe emissions. Three artificial sensors (observers)
the minimum effect on the system states during the cold measure the exhaust temperature, AFR and engine speed.
start phase. The controller adjusts the engine inputs including intake
air mass flow rate, injection fuel mass flow rate and spark
2) Control system configuration: The main control objec- timing. These required inputs are implemented on the engine
tive is to minimize HCcum . This objective requires not only using the intake air throttle, fuel injectors and spark plugs.

3) Controller design: The reduced order cold start model

is used to design a Multi-Input Multi-Output (MIMO) Sliding
Mode Controller (SMC) which ensures obtaining the desired
AFRd , Texh,d , and ωe,d trajectories. The control law of
the MIMO SMC is derived based on an affine transformed
model:
ẋp = fp (x) + gu (10)
where, the coefficient matrix g is a non-singular square
matrix and fp (x) is the part of f (x, u) which does not depend
on the inputs. fp (x) and g are found using equations (1) to
(5) from the physical model.
The sliding surfaces to obtain the control law in the
reduced state-space model are defined as:
S = ze − zed (11)
Fig. 3. Structure of the designed controller.
Ṡ = −λS (12)

reducing raw HC ˙ eng but also quickly heating up catalyst to zė = −λ(e
z − zed ) + zėd (13)
shorten the catalyst light-off period. AFR and ωe influence Where zed is the desired reduced order state and is calcu-
both HC ˙ eng and Tcat , while Texh directly influences Tcat . lated using the desired AFRd , Texh,d , and ωe,d trajectories.
Thus three control trajectories (AFRd , ωe,d , and Texh,d ) are Using Equation (9), the relation between the control law and
defined to minimize HCcum , as shown in Figure 3. AFRd the state equations in the affine description is:
and ωe,d control trajectories are taken from the engine control
unit of the Toyota 2AZ-FE engine. The exhaust temperature z − zed ) + zėd = Tep−1 f (x) + Tep−1 gu
−λ(e (14)
 Where, Tep is the part of T , in which the column associated trajectories (λ = 10). Simulation results for the controller
with Tcat is taken away. The final control law is given by are shown in Figure 5. The results indicate the catalyst has
h i reached the light-off temperature (i.e. 225◦ C) in less than
u = g −1 Tep −λ(e z − zed ) + zėd − Tep−1 f (x) (15) 30 seconds. In addition, a catalyst conversion efficiency of
over 90% is obtained in the first 40 seconds without using
C. Results any external heating energy sources (e.g. heater, after burner
Performance of the designed controller is tested on the or secondary air injection). HCcum is 1.8 g, which can meet
cold start 5-state model in MATLAB Simulink. The gradient the minimum required HC emission level in the current North
of the sliding surfaces are determined to provide desired America standard for Ultra Low Emission Vehicles (ULEV)
− assuming: (1) over 80% of total HC emissions occur in the
(a) cold start phase of standard driving cycles [12]-[13], (2) 1.8 g
300 100
accounts for the majority of the total HC emissions in the
cold start phase since ηcat has reached over 90%.

ηcat [%]
Tcat [°C]

200
50
100 1) Robustness to implementation imprecision: The robust-
ness of the cold start controller is evaluated against three
0 0 main causes of imprecisions in the controller implementation
0 10 20 30 40
(b) process. In particular, the controller is tested against varia-
HC Flow Rate [g/sec]

Cumulative HC [g]
2 tions in sampling rates, quantization levels, and processor
0.6 HCengine
HCtailpipe
data type sizes. A fixed-point processor is used in this study
0.4 HCcum= 1.8 g
1 as it is commonly used for engine control to reduce ECU
0.2 memory demand. A baseline condition for the controller
software implementation is selected in consultation with the
0 0 Toyota Technical Center in North America. Table I shows
0 10 20 30 40
Time [sec] the baseline condition characterizing sample specifications
for an ECU processor.
Fig. 5. Cold Start Performance of the Designed Controller: (a) Temperature,
Conversion Efficiency of the Catalytic Converter; (b) Engine and Tailpipe
HC Emissions.

AFR Control Texh Control ωe Control

(a1) 12−bit word (b1) 12−bit word (c1) 12−bit word
18 800
2500
16
14 600 2000
12 1500
10 400 1000
8
0 20 40 0 20 40 0 20 40
(a2) 16−bit word (baseline) (b2) 16−bit word (baseline) (c2) 16−bit word (baseline)
18 800
2500
16
14 600 2000
12 1500
10 400 1000
Texh [°C]

8
AFR [−]

ωe [RPM]

0 20 40 0 20 40 0 20 40
(a3) 32−bit word (b3) 32−bit word (c3) 32−bit word
18 800
2500
16
14 600 2000
12 Desired 1500
10 400 Engine output 1000
8
0 20 40 0 20 40 0 20 40
(a4) Ideal (b4) Ideal (c4) Ideal
18 800
2500
16
14 600 2000
12 1500
10 400 1000
8
0 20 40 0 20 40 0 20 40
Time [sec] Time [sec] Time [sec]

Fig. 6. Effect of fixed-point data type (word length) on the tracking performance of the cold start controller. “Ideal” results in this Figure represent the
performance of the controller with no implementation imprecision.
 The designed controller is modified for running in a fixed- 12 bit respectively. This can be caused due to signal aliasing
point simulation domain using Simulink Fixed-Point Advi- and distorted input data to the controller. However high
sor. Tracking performance of the fixed-point implemented sampling frequency and high quantization level increase the
controller is shown in Figure 6 for different processor data controller’s computation load and memory storage require-
type sizes. ment. Results in Figure 8 show running the controller with
12-bit A-to-D can lead to relatively similar results as that of
TABLE I
running the controller with the computationally demanding
BASELINE C ONDITION U SED IN THE ROBUSTNESS A NALYSIS . 16-bit A-to-D.
Condition Value (a) Quantization effect
ECU update rate 8 ms
10−bit
Sampling rate 8 ms 6 12−bit (baseline)
Quantization level 12 bit 16−bit
Ideal
Data type Fixed point - signed 32 bit 4
Processor type Embedded micro

Cumulative HC [g]
2

Results in Figure 6 show how the tracking performance 0

0 10 20 30 40
of the controller degrades as the word length of the data (b) Sampling effect
decreases. But one benefit from decreasing the word length 10
10 ms
of fixed-point data is the reduction in the storage and 8 8 ms (baseline)
computation load in the ECU processor. A compromise 4 ms
6 Ideal
between precision and computation load can be decided
4
by calculating the amount of HCcum . Simulated values for
HCcum are shown in Figure 7 for the cold start controller 2
running with different data types. It is found that the fixed- 0
0 10 20 30 40
point controller requires at least data with 16-bit precision to Time [sec]
meet the HC level in the ULEV emission standard. HCcum
results from both 16-bit and 32-bit fixed-point controllers Fig. 8. Effect of quantization levels and sampling rates on the performance
of the cold start controller.
are the same. Thus the fixed-point controller with 16-bit data
should provide enough precision while this controller is more
computationally efficient than a 32-bit controller. 2) Recommendations for controller implementation: Re-
sults from the previous section can be used to determine
8 12−bit word the minimum requirements for the controller implementation.
16−bit word (baseline) For instance if the cold start controller targets on passing
7 32−bit word
Ideal
the ULEV emission standard, specifications in Table II are
recommended for the ECU implementation process. The
Cumulative HC [g]

5 TABLE II
4 M INIMUM REQUIRED SPECIFICATIONS FOR THE IMPLEMENTATION OF
THE COLD START CONTROLLER FOR ULEV EMISSION STANDARD1 .
3

2 Option Sampling rate Quantization level Data word length

I 8 ms 12 bit 16 bit
1 II 4 ms 10 bit 16 bit
0
0 10 20 30 40
Time [sec] values in Table II are based on the aforementioned assump-
tions at the beginning of Section C. Current ULEV emission
Fig. 7. Cold start HCcum tailpipe emissions for the controllers running standard for light-duty vehicles allows a maximum of 0.41
on the processors with different data types (word length).
g/mile for the total HC in the 11-mile FTP driving cycle [17].
An HCcum limit of 3.6 g can be determined to ensure the
An ECU typically works with signals which are discrete cold start controller meets the required total HC limit for the
both in time and in value. Sampling rates and quantization ULEV emission standard. The performance of the suggested,
levels in A-to-D converters should be chosen properly to minimally implemented controller is confirmed in Figure 9
provide the ECU with sufficient data resolution. Performance where the HCcum is less than the ULEV limit.
of the cold start fixed-point controller for different sampling
rates and signal quantization levels is shown in Figure 8. A III. CONCLUSIONS
dramatic change is observed in HCcum when the sampling Early identification of implementation errors during the
frequency and quantization level are lower than 125 Hz and design process is expected to reduce the debugging efforts
 (a)
18 [5] M. Althoff, C. Le Guernic and B. H. Krogh, Reachable Set Computa-
16 tion for Uncertain Time-Varying Linear Systems, Int. Conference on
AFR [−] 14
12
Hybrid Systems: Computation and Control, 2011.
10 Desired [6] B. Murphy, A. Wakefield, and J. Friedman, Best Practices for Verifi-
Engine output
8 cation, Validation, and Test in Model-Based Design, SAE Paper No.
0 5 10 15 20 25 30 2008-01-1469, 2008.
(b)
[7] T. Erkkinen and M. Conrad, Verification, Validation, and Test with
2500 Model-Based Design, SAE Paper No. 2008-01-27093, 2008.
ωe [rpm]

2000 [8] K. Lang and M. Kropinski, Virtual Powertrain Calibration at GM

1500 Becomes a Reality, SAE Paper No. 2010-01-2323, 2010.
1000 [9] R. Diewald, T. Cartus, M. Schüßler and H. Bachler, Model Based
0 5 10 15 20 25 30 35 40 Calibration Methodology, SAE Paper No. 2009-01-2837, 2009.
(c) [10] J.B. Dabney, G. Barber, and D. Ohi, Estimating Direct Return on In-
800
vestment of Independent Verification and Validation using COCOMO-
Texh [°C]

600 II, Software Engineering Applications, 2006.

[11] S. Asami, A. Cranmer, M. Shahbakhti and J. K. Hedrick, Model-
400 Based Control Via Balanced Realization For Automotive Cold Start
0 5 10 15 20 25 30 35 40 Hydrocarbon Reduction, ASME DSC Conference, 2011.
(d) [12] P. Bielaczyc and J. Merkisz, EURO III/EURO IV Emissions - A Study
3
of Cold Start and Warm up Phases with a SI Engine, SAE Paper No.
HCcum [g]

2 1999-01-1073, 1999.
1 HCcum= 2.5 g [13] M. Weilenmann, J. Faveza and R. Alvareza, Cold-Start Emissions of
Modern Passenger Cars at Different Low Ambient Temperatures and
0
0 5 10 15 20 25 30 35 40 Their Evolution Over Vehicle Legislation Categories, J. of Atmospheric
Time [sec] Environment, vol. 43, 2009, pp. 2419-2429.
[14] Byron Shaw II, Modelling and Control of Automotive Coldstart
Fig. 9. Performance of the minimally implemented controller (option I in Hydrocarbon Emissions, Ph.D. Dissertation, UC Berkeley, 2002.
Table II). [15] P. R. Sanketi, J. C. Zavala, J. K. Hedrick, M. Wilcutts and T. Kaga,
A Simplified Catalytic Converter Model for Automotive Coldstart
Applications with Adaptive Parameter Fitting, Int. Symp. on Advanced
in the controller’s V&V cycle. An early model-based veri- Vehicle Control, 2006.
fication methodology was proposed to identify unacceptable [16] P. R. Sanketi, Coldstart Modeling and Optimal Control Design for
imprecision errors in implementing the controller. An early Automotive SI Engines, Ph.D. Dissertation, UC Berkeley, 2009.
[17] EPA Emission Standard, http://www.epa.gov/otaq/standards/light-
SIL platform was used to test the controller robustness to duty/ld-cff.htm, 2011.
three main implementation imprecisions, including fixed-
precision arithmetic, quantization level, and sampling rate. A PPENDIX
The proposed methodology was demonstrated on a MIMO Parameters of Plant Model
SMC automotive controller which was designed to reduce A) Constants
cold start emissions in a passenger car. Analysis results J= 0.1454 [s/m2 kg]; τf = 0.06 [1/sec]
from the proposed methodology could determine minimum mCp = 1250 [J/K]; a= -2, n= 5; θevo = 110 ATDC; rc = 9
requirements for implementing the controller for a certain
emission target. B) Functions
IV. FUTURE WORK SI = 7.5 ∆ + 600 (16)
Future work includes testing the designed fixed-point con- AI = cos (0.13(AF R − 13.5)) (17)
troller on a real ECU in real-time. In addition, mathematical
models will be developed to characterize imprecisions in TE = 30000 ma − 0.4 ωe − 100 (18)
implementing the controller. These models are incorporated τe = 2 π / ωe (19)
in the controller design to increase the controller’s robustness
to the implementation errors.
Qin = 16(Texh − Tcat ) (20)
V. ACKNOWLEDGMENTS Qout = 0.642(Tcat − Tatm ) (21)
Dr. Ken Butts and Dr. Chris Vermillion from Toyota Tech- ˙ eng
Qgen = 22.53(ṁao + ṁf ).ηcat .HC (22)
nical Center are gratefully acknowledged for their helpful
comments during this study.
ṁao = 0.0254(ma ωe ηvol ) (23)
R EFERENCES 2 2
ηvol = ma (−0.1636 ωe − 7.093 ωe − 1750) (24)
[1] K. J. Mitts, K. Lang, T. Roudier and D. L. Kiskis, Using a Co- 2
+ ma (0.0029 ωe − 0.4033 ωe + 85.38)
simulation Framework to Enable Software-in-the-Loop Powertrain
System Development, SAE Paper No. 2009-01-0520, 2009. − (1.06e − 5 ωe 2 − 0.0021 ωe − 0.2719)
[2] V. Jaikamal, Model-based ECU development An Integrated MiL-SiL-
HiL Approach, SAE Paper No. 2009-01-0153, 2009.
[3] A. Anta, R. Majumdar, I. Saha and P. Tabuada, Automatic Verification θ0 = ∆ + 10 (25)
of Control System Implementations, Int. Conference on Embedded (
Software, 2010. 0.1(16.2 − AF R)2 + 80 AF R > AF Rst
[4] J. Kapinski, A. Donze, F. Lerda, H. Maka, S. Wagner, and B. H. Krogh, δθ = (26)
Control Software Model Checking Using Bisimulation Functions for 0.4(16.2 − AF R)2 + 80 AF R ≤ AF Rst
Nonlinear Systems, IEEE Conference on Decision and Control, 2008.

View publication stats