Meeting the increasing demands for safety and reliability while at the same time shortening product development cycles is a challenge, and not only for the automobile industry. These boundary conditions make it necessary to take safety considerations into account at a very early point in product development. A short period of time from the start of planning until market introduction represents a decisive competitive advantage in establishing a product on the market before the competition. Taking a safety analysis into account in an early phase of product development should reduce and in the ideal case prevent tedious iterations for testing and improving the product in an advanced stage of product development. In an early development phase, a system is handled in an abstract manner, i.e., it is known which functions the system should fulfill and how these functions interact, but it is not known how these functions will be implemented (e.g., hardware, software, mechanics). This abstract approach may be represented by the CARTRONIC® structuring concept, which is non-specific to the automobile manufacturer or supplier. This structuring concept forms the basis for the CARTRONIC®-based safety analysis.
The increasing complexity of the motor vehicle system lies in particular in the increasing complexity and number of individual subsystems, but it is also influenced to a significant extent by their increasing interconnection. The complexity of the motor vehicle system is mastered through the structuring of the subsystems according to CARTRONIC®, taking into account the interactions with other subsystems.
The CARTRONIC® structuring concept (see T. Bertram, R. Bitzer, R. Mayer, A. Volkhart, 1998, CARTRONIC—An Open Architecture for Networking the Control Systems of an Automobile, Detroit, Mich., USA, SAE 98200) is based on an object-oriented approach. The motor vehicle system is structured in logic function units which communicate with one another over standardized interfaces.
CARTRONIC® is a structuring concept for all the control and regulating systems of a vehicle. This concept contains modular and expandable architectures for “function” and “safety” based on agreed-upon formal structuring and modeling rules.
The term “architecture” as used here is understood to refer to the structuring system (rules) as well as its implementation in a concrete structure. The function architecture includes all control and regulating functions that occur in the vehicle. The tasks of the system are assigned to functional components which define the interfaces of the components (functional interfaces) and their interaction. The safety architecture expands the function architecture by including elements which ensure reliable operation of the system.
Another form of representation is obtained by mapping into UML (Unified Modeling Language) which also facilitates porting onto a computer system. Mapping of a CARTRONIC® functional structure into a UML model is described in P. Torre Flores, A. Lapp, W. Hermsen, J. Schirmer, M. Walther, T. Bertram, J. Petersen, 2001, Integration of a Structuring Concept for Vehicle Control Systems into the Software Development Process Using UML Modeling Methods, Detroit, Mich., USA, SAE 2001-01-0066.
The basic unit for structuring is the functional component. A functional component represents a function in the motor vehicle system. For the sake of a compact presentation, instead of the term “functional component” the following discussion will use only the term “component.” The components may be refined (increased detail) in the course of development with the higher-level function remaining as a shell. The higher-level function is in turn composed of components within the refinement (detailing) representing individual parts of the higher-level function. Three different types of components are differentiated in the structuring concept:
- components having mainly coordinating and distributing functions,
- components having mainly operative and executing functions and
- components that only generate and provide information.
In the communication relationships, a distinction is made between an order (with acknowledgment), an inquiry (with a reference) and a request. The order is characterized by the obligation to execute; in the event it is not fulfilled, the contractor receiving the order must send an acknowledgment to the requestor describing the reason for failure to execute. The inquiry is to acquire information for execution of an order. For the case when a component is unable to supply the requested information, it sends an instruction to the inquiring component. A request describes a “wish” for a function to be executed by another component. However, the request is not linked to the obligation for fulfillment, which is taken into account in the case of competing requests, for example. Table 1 summarizes the structural elements.
TABLE 1

| Structural element | Brief description |
| --- | --- |
| Functional component (abbreviated: component) | Function unit with clearly defined task |
| System | A system has multiple functional components, i.e., (sub) systems (“view from the inside to the outside”). The detailed functional component forwards the communication relationships to the subcomponents as expressed by an “is part of” relationship (“view from the outside to the inside”). |
| Order (with acknowledgment) | Instruction for action to a functional component with the obligation to execute |
| Inquiry (with instruction) | Information inquiry to a functional component |
| Request | Request to a functional component without the obligation to execute |
| Rule | Rules for: relationships; modeling patterns |
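The three communication relationships summarized above can be modeled as follows. This is an added sketch, not code from CARTRONIC® or the cited papers; the class and method names, the component names in `demo`, and the priority-based handling of competing requests are assumptions.

```python
from dataclasses import dataclass
@dataclass
class Reply:
    ok: bool
    value: object = None
    note: str = ""  # order: acknowledgment reason; inquiry: instruction

class Component:
    """Functional component (hypothetical model, not CARTRONIC code)."""
    def __init__(self, name, functions=(), info=None):
        self.name = name
        self.functions = set(functions)  # functions it can execute
        self.info = dict(info or {})     # information it can provide
        self.requests = []               # wishes received, not yet decided

    def order(self, function):
        # Order: must execute; a failure is acknowledged with its reason.
        if function in self.functions:
            return Reply(True, value=function)
        return Reply(False, note=f"{self.name}: cannot execute {function}")

    def inquiry(self, item):
        # Inquiry: the information, or an instruction if it cannot be supplied.
        if item in self.info:
            return Reply(True, value=self.info[item])
        return Reply(False, note=f"{self.name}: {item} not available")

    def request(self, sender, function, priority):
        # Request: a wish without obligation, so nothing is promised here.
        self.requests.append((priority, sender, function))

    def decide(self):
        # Competing requests: grant one (highest priority: assumed policy).
        if not self.requests:
            return None
        _, sender, function = max(self.requests, key=lambda r: r[0])
        self.requests.clear()
        return sender, function

def demo():
    # Constructed components and values, for illustration only.
    coordinator = Component("vehicle_motion")
    brake = Component("brake", functions={"decelerate"})
    sensor = Component("wheel_sensor", info={"wheel_speed": 12.5})
    coordinator.request("cruise_control", "accelerate", priority=1)
    coordinator.request("stability_control", "decelerate", priority=5)
    _, function = coordinator.decide()
    return (brake.order(function), brake.order("steer"),
            sensor.inquiry("wheel_speed"), sensor.inquiry("yaw_rate"))
```

The unfulfilled order and the unanswerable inquiry both come back with an explicit reason instead of failing silently, which is the property a safety analysis of the structure can rely on.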
The structuring rules describe allowed communication relationships within the architecture of the vehicle as a whole. A distinction is made between structuring rules which define the communication relationships on the same abstraction level and at higher and lower levels, taking into account the given boundary conditions. Furthermore, the structuring rules clarify the forwarding of communication relationships into detailing of another functionality.
A structure developed according to the rules of structuring and modeling is characterized by the following features:
- agreed-upon uniform rules of structuring and modeling at all abstraction levels,
- hierarchical order flows,
- high responsibility of the individual components,
- operating elements, sensors and estimators are equivalent information sources and
- encapsulation which represents each component as visibly as necessary for the other components and as invisibly as possible.