2.3.1. MiL-Based Fault Injection
Based on a system model that simulates the behavior of a controlled system together with its control system, model-based techniques have attracted much attention from academic and industrial researchers as a means to analyze, verify and validate system behavior in the early stages of system development [36]. One of the first examples of using models to simulate hardware fault behavior with the FI approach is presented in [37,38], where the executable model of the system was run using existing commercial tools, e.g., Simulink or SCADE. To combine the advantages of hardware-based FI and software-based FI, Moradi et al. [10] proposed model-implemented hybrid tools using Simulink as the modeling environment. However, the proposed framework is limited to injecting a single fault per model. In addition, to preserve the real-time behavior of the system, slack parameters must be determined as further manual steps, namely the slack time and the number of additional blocks to be added to the system model. Our framework allows the injection of both single and multiple faults, so that mixed and simultaneous faults can be activated. Moreover, the faults are injected programmatically without modification of the original system model.
In the automotive domain, some authors have developed FI techniques for verifying safety objectives or safety mechanisms in accordance with ISO 26262 in early design phases [39,40]. In 2019, Saraoglu et al. presented an FI-based testing simulation framework called MOBATsim implemented on Simulink behavioral models [41]. This framework allows the injection of hardware faults into the model to evaluate the safety of autonomous driving systems at different levels, i.e., the component, vehicle and traffic levels. However, the proposed simulation framework is designed at the simulation level without considering the real-time characteristics of the control task. Our FI framework, in contrast, is implemented on a real-time simulation platform, enabling precise analysis in real time. Similarly, Juez et al. [42] investigated the applicability of a simulation-based FI framework called Sabotage using the vehicle simulator Dynacar. The focus of that work was to determine the most appropriate safety concept and to perform an early safety assessment of the lateral control system of a vehicle according to ISO 26262 at the simulation level. Although the authors considered the whole vehicle system for safety analysis, model blocks are added to the system model to represent failure modes, which is not effective in a complex system and violates the real-time behavior of the system. Our proposed framework is instead based on programmatically manipulating the sensor signals while ensuring real-time properties.
In addition to the above-mentioned works, several publications have appeared in recent years documenting model-based FI tools in the area of safety and reliability assessment of automotive software systems, such as Kayotee [43], ErrorSim [44], AVFI [45], FIEEV [46], SIMULTATE [47] and EQUITAS [28]. Although many studies focus on the development of FI methods and tools at the simulation level for various domains, the existing research still has difficulty representing the proper effects of faults under real-time constraints. In our study, by contrast, we used a real-time simulator with a real-time control system to develop our proposed framework, offering high fault coverage along with high-fidelity simulation for the analysis of complex system behavior.
2.3.2. HiL-Based Fault Injection
Despite the fact that HiL simulation has traditionally been used for the design and development of new ECUs in the automotive industry [11], academic scholars have made great efforts to investigate the development of automotive control software based on the HiL platform. For example, Palladino et al. proposed a portable electronic environmental system called a micro-HiL system [48]. It aims to evaluate engine control software strategies and diagnose their functions on a CAN bus, utilizing the 1.6-liter Fiat gasoline engine as a case study. In [49], a new concept for the development of advanced driver assistance systems is proposed based on vehicle HiL simulation. In the railway field, Conti et al. [50] investigated the analysis of a railway braking system under degraded adhesion conditions based on a HiL approach, highlighting the advantages of the proposed approach in terms of both testing cost and reproducibility, especially for analyzing the system behavior under good and degraded adhesion conditions during the braking of a railway vehicle.
Along with the advances in HiL real-time simulation for embedded control development and automated testing, the analysis of complex software systems’ behavior under abnormal conditions has attracted much attention in the last decade. Several methods addressing this issue have been described in the literature. For example, Poon et al. [51] conducted a study to demonstrate the capability of a HiL platform with FI in testing electric vehicle drive systems. Three different operating and fault conditions are used in that study to validate the fidelity of the real-time simulation, where the real drive system of an electric vehicle and the real-time simulation are compared. However, FI in that study is limited to specific fault modes in the drive system and is employed to validate the fidelity of the proposed HiL platform, whereas our study focuses on the design and development of an effective real-time FI framework with high fault coverage for the analysis of complex software systems. Yang et al. [52] proposed a multiprocessor HiL FI strategy that aims to simulate various faults in the traction control system (TCS). In the proposed platform, three fault scenarios are used for real-time FI in the HiL simulation, i.e., an open-switch fault of the power transistor, a stuck fault of the three-phase current sensor and a broken rotor bar fault of the traction motor. Although the proposed FI method is developed using a physical traction control unit (TCU) and a real-time simulator, the FI unit is implemented in an FPGA using logical operators to satisfy the time constraint, which increases the manual effort required to define the injection points in a complex system. Our framework, in contrast, injects faults by manipulating the signals accessed on the CAN bus in accordance with the user’s specification of location, time and type. In the same area, to evaluate the risks in a railway traction drive and to analyze its behavior, an improvement of FMEA using a HiL-based FI approach was proposed in [53]. That research focused on improving the FMEA methodology to provide a quantitative analysis using FI to create failure scenarios. However, to implement the failure modes, the system model was extended, which in turn affects the real-time behavior of the system; in our framework, this issue is addressed by treating both the plant model and the control system model as black boxes without modification. In the context of automotive sensor networks, Elgharbawy et al. proposed a real-time functional robustness verification framework for multi-sensor data fusion algorithms applied to radar and camera sensors in advanced driver assistance systems (ADAS) [54]. HiL co-simulation with run-time-implemented FI was used to simulate sensor faults involving latency, detection errors and false one-to-many object labeling. However, that study is limited to the investigation of certain critical driving situations, focusing only on imaging sensors and range sensors to verify the robustness of the fusion algorithms, whereas in our framework all sensor signals accessed via the CAN bus can be manipulated, which increases the fault location coverage for analysis objectives.
Online condition monitoring and fault diagnosis in a real-time environment based on HiL simulation are other areas where the FI approach can be used. For example, recent research in [55] proposes that a short-circuit FI model can be used to realize online switching between healthy and faulty states of induction motors, with the aim of determining the trend of the change in fault characteristics as well as the fault level. Although the fault source modeling in that work reduces the modeling effort, it is limited to one fault mode, i.e., the stator inter-turn short-circuit fault, which is activated by changing the induction motor parameters and switching between the operating states. In our proposed framework, by contrast, not only the healthy state but also nine different fault types can be realized in the online simulation by injecting them as a faulty state. Garramiola et al. [56] used the FI approach to develop a hybrid sensor fault diagnosis methodology for railway traction drives on a HiL platform. This is accomplished by injecting gain and offset sensor faults into the DC link voltage and catenary current sensors using an FI signal, so that the dynamic response and robustness under fluctuations, as well as the sensitivity of the fault reconstructions, can be analyzed. In that study, FI was investigated from the point of view of developing and verifying a fault diagnosis system; therefore, the application is different. Our study, however, focuses on the development of real-time FI as a testing method during the system development phases.
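To make concrete the signal-manipulation style of injection described for our framework above (faults specified by location, time and type, activated singly or simultaneously, applied to decoded CAN signals without touching the producing model) and the gain and offset sensor faults mentioned for [56], the following Python example is added here; it is not code from the paper or from any of the cited tools. The trace of decoded CAN signals, the signal names, the timestamps in milliseconds and the four fault kinds (stuck-at, offset, gain, dropout) are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: decoded CAN signals as the control software would read
# them, one sample per 100 ms. Signal names and values are illustrative only.
SAMPLE_TRACE: List[Dict[str, float]] = [
    {"t_ms": 0,   "wheel_speed_fl": 10.0, "steer_angle": 0.5},
    {"t_ms": 100, "wheel_speed_fl": 11.0, "steer_angle": 0.5},
    {"t_ms": 200, "wheel_speed_fl": 12.0, "steer_angle": 0.5},
    {"t_ms": 300, "wheel_speed_fl": 13.0, "steer_angle": 0.5},
    {"t_ms": 400, "wheel_speed_fl": 14.0, "steer_angle": 0.5},
    {"t_ms": 500, "wheel_speed_fl": 15.0, "steer_angle": 0.5},
]


@dataclass(frozen=True)
class FaultSpec:
    """User specification of one fault: location (signal), time window and type."""
    signal: str          # location: which decoded signal to corrupt
    start_ms: int        # activation time
    duration_ms: int     # how long the fault stays active
    kind: str            # "stuck" | "offset" | "gain" | "dropout" (assumed set)
    param: float = 0.0   # offset amount or gain factor; unused for stuck/dropout

    def is_active(self, t_ms: int) -> bool:
        return self.start_ms <= t_ms < self.start_ms + self.duration_ms


class SignalFaultInjector:
    """Sits between the plant/sensor side and the controller and rewrites
    samples on the fly. The plant model and the controller are untouched;
    every injection is logged so test results can be correlated later."""

    def __init__(self, specs: List[FaultSpec]) -> None:
        self.specs = list(specs)
        self.held: Dict[int, float] = {}           # stuck-at memory per spec index
        self.log: List[Tuple[int, str, str]] = []  # (t_ms, signal, kind)

    def _corrupt(self, idx: int, spec: FaultSpec, value: float) -> Optional[float]:
        if spec.kind == "stuck":      # hold the value seen at activation
            return self.held.setdefault(idx, value)
        if spec.kind == "offset":     # additive sensor error
            return value + spec.param
        if spec.kind == "gain":       # multiplicative sensor error
            return value * spec.param
        if spec.kind == "dropout":    # signal missing from the bus
            return None
        raise ValueError(f"unknown fault kind: {spec.kind}")

    def apply(self, sample: Dict[str, float]) -> Dict[str, float]:
        t = sample["t_ms"]
        out = dict(sample)  # never modify the producer's sample in place
        for idx, spec in enumerate(self.specs):
            if not spec.is_active(t):
                self.held.pop(idx, None)  # forget held value once the window closes
                continue
            if spec.signal not in out:
                continue  # already dropped by an earlier fault in this sample
            new_value = self._corrupt(idx, spec, out[spec.signal])
            self.log.append((t, spec.signal, spec.kind))
            if new_value is None:
                del out[spec.signal]
            else:
                out[spec.signal] = new_value
        return out


def run_trace(specs: List[FaultSpec], trace: List[Dict[str, float]]):
    """Replay a trace through the injector; returns (faulted samples, injection log)."""
    injector = SignalFaultInjector(specs)
    return [injector.apply(s) for s in trace], injector.log


# Constructed scenario: two faults overlap in time on different signals
# (stuck wheel speed + steering offset), then a gain fault and a dropout.
EXAMPLE_SPECS = [
    FaultSpec("wheel_speed_fl", start_ms=200, duration_ms=200, kind="stuck"),
    FaultSpec("steer_angle",    start_ms=100, duration_ms=300, kind="offset", param=1.0),
    FaultSpec("wheel_speed_fl", start_ms=400, duration_ms=200, kind="gain",   param=0.5),
    FaultSpec("steer_angle",    start_ms=500, duration_ms=100, kind="dropout"),
]

if __name__ == "__main__":
    faulted, log = run_trace(EXAMPLE_SPECS, SAMPLE_TRACE)
    for healthy, bad in zip(SAMPLE_TRACE, faulted):
        print(healthy, "->", bad)
    print("injection log:", log)
```

Keeping the injector outside both the plant model and the controller is what lets several faults be active at once (here a stuck wheel speed and a steering offset overlap between 200 and 300 ms) without adding blocks to either model, and the per-sample log is what a test harness would compare against the controller's diagnostic reaction.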
Safety verification during design at the component and system levels is of growing interest in the automotive industry, as it is critical for confirming safety properties and identifying safety faults. To address this issue, many researchers have proposed FI frameworks and tools as a means to verify vehicle functional safety. For example, a retargetable vehicle-level FI framework capable of automatically injecting various faults into the processor, memory or IO at runtime was proposed in [57]. That framework was validated and demonstrated using an experimental HiL test for autonomous driving, i.e., EcoTwin truck platooning. Compared to our proposed framework, it was developed using a software-based FI approach, whereas our framework relies on signal modification as the basis for FI. In addition, the target components of the SUT in that study are processor registers, memory, IO and the OS kernel, whereas in our framework the sensors and the control signals of actuators are the target components for FI. Park et al. [58] also proposed an FI method for software (SW) unit/integration testing during the ECU software development process of automotive open system architecture (AUTOSAR)-based automotive software. Potential software faults in AUTOSAR-based automotive software, such as data, program flow, access, asymmetric and timing faults, were defined in that study and injected using the proposed tool. The applicability and performance of the method were demonstrated on a set of actual automotive software, and the results were compared with other FI tools. Although that research analyzes and compares various aspects of FI testing in the SW unit/integration testing phase, there are significant differences from our proposed framework. Their method was developed for the SW unit/integration testing phase with a focus on software faults, whereas our proposed framework is developed for the system integration testing phase of the development process. In addition, our proposed framework enables the injection of hardware faults that occur in the sensor and actuator control signals. Moreover, in our study, the entire vehicle system model is considered to enable effective and precise testing at the system level. An overview of the related works is given in Table 1. It lists the FI approach used, the application domain, the ability to inject multiple faults, the number of fault types injected, whether real-time constraints are considered, and an assessment in terms of manual effort, fault coverage and simulation fidelity.
According to the above observations on the previous works, the majority of the proposed research is limited to adapting the FI approach for specific objectives, focusing on certain operating and fault conditions. Additionally, the development of experimentally based test methods for the dynamic behavior analysis of automotive software systems during the system integration testing phase of the V-Model has not been well explored; in particular, a real-time FI method capable of covering a wide range of potential sensor faults in the vehicle system while considering the whole system model is missing. Therefore, this study attempts to fill this gap in the literature by proposing a HiL-based FI framework for analyzing the effects of faults on the automotive system in real time during the deployment process.