Fault-tolerant design For increasing the reliability oF an autonomous driving gear shiFting system

The reliability of technical systems can be greatly reduced if possible faults cannot be accommodated but lead to system shut-down with sometimes catastrophic consequences. The algorithms and systems of fault-tolerant control were developed in the last years into a powerful tool to accommodate such faults. Additionally, it became obvious that the design of a technical system can ease or hinder the application of these tools and can also lead to the accommodation of faults be itself. This kind of design – fault-tolerant design – and its components are presented in this paper on the example of a shifting system for the gear box an autonomous driving race car. This race car competes in the well-known formula student driverless competition; in such competitions the reliability of the car and the capability to accommodate not avoidable faults is of paramount importance. The different elements of fault-tolerance incorporated in the design of the gear shifting system are explained on the basis of an established model of product concretization.


Introduction
This paper is focusing on the methods and tools of fault-tolerant design applied to a gear shifting system.This application is explained and reflected for a concrete representation of this concept.The main objective of the strategies, methods, tools and algorithms as well as general insights of fault-tolerant design is the support of engineers in the development of technical systems, which are fault-tolerant as a consequence of their controllability and diagnosability but also as a consequence of their inherent fault-tolerant design qualities [50].Reliability is the probability that a technical system is able to perform its intended function for a specified period of time under specified operating conditions (e.g.loads, temperatures) [43].Current research aimed at increasing the reliability of technical systems is addressing dynamic analyses of multi-state systems [27], reliability management systems [35], non-direct determination of system deterioration [54] fuzzy logic for vulnerability assessment [55] and structure learning algorithms [29].The research outcomes with this objective were already successfully applied in many cases such as in a reliability estimation for momentum wheel bearings [24], for load-sharing failures in parallel systems [61], the level adjustment of quadruped robots [13] and the operational reliability of rail vehicles [33].The development of reliable cognitive technical systems presents a continuous challenge for research teams [40].A new direction is the evaluation of the reliability of technical systems already in the conceptual design phase based on effect chains [8].
It is important to note that it is impossible for current complex technical systems to avoid faults completely.The accommodation of these faults can be a decisive approach to increase the reliability of the systems.Firstly, this accommodation can be based on the numerous research works concerning fault-tolerant control (a concise overview is given by Blanke et al. [6]).Current developments in this area include adaptive control schemes that are robust to parameter uncertainties, disturbances and saturation [1], virtual sensors based on sciENcE aNd tEchNology quadratic boundedness [51] and adaptive sliding mode observer based fault-tolerant control [37].Zhang et al. also propose tolerance measures for systems with sensor failures [60].An important prerequisite for active fault-tolerant control are elaborate fault detection and fault diagnosis algorithms (compare [11]).In recent years, several novel fault detection algorithms were proposed such as time synchronous resample and adaptive variational mode decomposition [62] or convolutional neural networks with global average pooling [30].
Secondly, the emerging field of fault-tolerant design can be employed.It is important to note that this field is strongly connected with fault-tolerant control, as fault-tolerant design can be an important enabler for these algorithms and systems.These two concepts in combination have the potential to enhance to fault-tolerance and with this the reliability on many levels.
As mentioned above, faults cannot be totally avoided in complex technical systems.They can be defined as an unwanted deviation of at least one parameter or property of the respective technical system from the satisfactory, regular condition (compare [28]), e.g. a sensor malfunction leading to the inability of this sensor to measure an important system parameter.Faults can be distinguished from failures, which can be defined as permanent interruptions of the capability of a product to perform the planned functionality; a failure indicates a complete breakdown of the product.Fault-tolerant technical systems are able to accommodate certain faults; i.e. to enable a degraded but still satisfactory performance of the system in the case of a fault.The main contribution of this paper is an in-depth exploration of design aspects which can increase the fault-tolerance of technical systems.On the one hand, these design aspects enable and ease fault-tolerant control.On the other hand, these design aspects increase the faulttolerance independently, e.g. by adding redundant elements.These activities can be summaries with the notion "fault-tolerant design".The paper provides a novel structure for fault-tolerant design based on levels of product concretization, presents several concrete measuresdesign aspects -for enhancing the fault-tolerance and explains these measures on a real-life case -the design of a gear-shifting system of a race-car.Concrete design characteristics are described in this paper, which either increase the controllability or diagnosability of the gear shifting system or directly increase its fault-tolerance.In order to have a background for the detailed explanation of these design characteristics, the next section describes the essence of fault-tolerant design and presents a model to structure the later discussion.The newly developed gear shifting system for the formula student driverless competition is explained in Section 3. Section 4 discusses the distinct design characteristics.The last section concludes the discussion and gives an outlook on future research activities.

Fault-tolerant design
Faults are unwanted deviations of one or more parameters or properties of a technical system, which may lead to a considerable reduction of the reliability of this system.It is possible to differentiate faults analysing their behaviour over time.Permanent faults are sudden alterations, which lead to an on-going change of physical parameters of the technical system or its structures [56].Drift-like faults are evolving over time, but lead after a certain delay also to an on-going change of physical parameters of the technical system or its structures.Intermittent faults are deviations which appear and disappear again and again and exhibit commonly a rather short duration.The different behaviour over time is shown in Figure 1.
The quality of a system to allow the accommodation of consequences of any kind of fault and to ensure a still safe operation with only slightly degraded performance may be subsumed under the notion "fault-tolerance" (compare Rouissi and Hoblos [47] and Dubrova [15]).In recent years, especially active fault-tolerant control approaches have exhibited convincing performance, which use a fault detection and identification system and realise the fault handling based on the results of this system [59].
Fault-tolerant design can, on the one side, ease active fault-tolerant control approaches, because it aims, amongst others, at enabling far-reaching monitoring possibilities, thus supporting fault detection and identification activities.On the other side, fault-tolerant design can strengthen the inherent fault-tolerant design characteristics of a technical system, for instance through the application of robust physical effects (compare [50]).Rouissi and Hoblos [47] underline the significance of fault-tolerant design; they highlight that the capability of a system to accommodate faults is directly linked to the design quality.As stated above, this capability has an enormous influence on the reliability of a complex technical system.So far, only a small amount of research is directly concerning fault-tolerant design.A future methodology may be built on the vast amount of research concerning systematic design and product development (Ehrlenspiel and Meerkamm [15], Ponn and Lindemann [44], Pahl et al. [42]).The research outcomes concerning "Design for Monitoring" (DfM), "Design for Control" (DfC) and "Design for Diagnosis" (DfD) may also serve as a basis for building this methodology.The research results concerning "computational design synthesis" (CDS) [38], the application of graph based design languages based on UML [58], the development and modelling of cyber-physical systems [63], a development methodology for mechatronic systems based on SysML [3] and safety analysis based on SysML [36] may expand this basis and allow a digital integration in current engineering processes.
Up to today, a rather small number of research activities can be identified, which are already directly focusing on fault-tolerant design.Additionally, they usually only cover a specific field.Oh et al. [41]) are proposing, amongst others, voting logic and redundant actuation devices in order to increase the fault-tolerance of nuclear power plants.Further authors aim to increase the fault-tolerance of technical systems: of wide-area networks [31], of wireless sensor networks [49], of microelectronics [26] and of frequency converters [57].The applied approaches include analysis methods such as "reliability modelling" and "redundancy analysis" [57] and design proposals such as "Triple Modular Redundancy" (an intended design of a part of a chip is copied twice and a voter always choses the outcome of at least two designs) [26].A novel fault-tolerant strategy for distributed actuators is the application of a consensus protocol for fuzzy multiagent systems; this is described by Chen et al. [9].In automotive applications, systems such as active steering systems are modelled and analysed in order to evaluate their fault-tolerance [20].Similar modelling approaches were also applied to rail systems [14].Fault-tolerant design is also addressed for improving the reliability of airplanes.A fault-tolerant interior permanent motor for an electrical power steering is presented by Bianchi et al. [5].Brando et al. [7] propose a faulttolerant design of redundant axial-flux motors for the electric steering of aircraft nose landing gears.The research of Nie et al. [39] focuses on the fault-tolerant design of electronic power converters, this work is continued by Tian et al. [53].Additional challenges are distributed control structures for electric transformers; fault-tolerant control structures are addressed by Saeed et al. [48].An adjacent field concerns damage-tolerant design [52]; the point of main emphasis is on fatigue and fracture investigations in computational mechanics, but sciENcE aNd tEchNology some damage-tolerance approaches have a potential to be integrated in a fault-tolerant design methodology.Another adjacent field is system reliability design and some approaches such as the active disturbance rejection control (ADRC) method (early approaches reported by Gao [21] and Han [22], current applications e.g. by Ramirez-Neria et al. [45]) also dispose of considerable potential to increase the faulttolerance of technical systems.
It can be concluded that several elements for a fault-tolerant design methodology are already existing.However, only the implementation of elements and tools is not sufficient for the development of performant, reliable and safe mechatronic systems [3].It is important to note that the early stages of product development are essential and that currently there are no common methods with computational support for these stages [8].Additionally, an increase of the tolerance of technical systems requires a deep understanding of potential failure modes [52].Further challenges arise with the distributed control schemes of modular systems; the design of distributed control structures is not trivial [48] and a conscious design of the modular structure is inevitable.It is consequently of vital importance for the development of knowledge and the support of design and control engineers to investigate the models, algorithms and methods which allow a conscious and holistic fault-tolerant design.These models, algorithms and methods need to connect the different phases of design, the different levels of abstraction and the disciplines [14]; through this they can then contribute to increasing the reliability of technical systems.
An initial defining structure for this future methodology was so far presented by Stetter [50].It is based on the well-known models of product concretization which are widely used in systematic design and product development (compare e.g.Ponn and Lindemann [44]).The four levels of this model are shown in Figure 2.
The basis for any successful development is the requirement level.Requirements are the objectives, goals and specifications which describe the functionality and intended or required characteristics of the technical system under development.In industrial system development processes, requirements are a decisive factor (compare e. g.Bernard and Irlinger [1]) and nearly fifty percent of the top risks are connected to this factor (Hruschka [25]).Like other characteristics and functionalities of a technical system, also the intended fault-tolerance should be defined in the early stages of a project.This definition should include the intended level of fault-tolerance as well as possible and probable faults [50].The exploration of faults can be supported by methods such as fault tree analysis (FTA), failure mode and effects analysis (FMEA) and benchmarking as well as by model-based requirements management (compare Holder et al. [20]).
The second level in Figure 2 is the most concrete level of product description and contains the product structure and geometry as well as the detailed material choice.The modular structure of the product is also situated on this level.A large body of research covers the placement of sensors and actuators; the results are methods and algorithms which ensure optimised geometrical placement [46].The most prominent measure to increase fault-tolerance are redundant sensors or actuators.However, the application of concrete redundant elements can lead to considerable disadvantages in terms of cost, weight and required space [50].Additionally, concrete redundant elements are sensitive to the same problems and faults.Consequently, it may happen that two or more redundant elements fail at the same time.It is therefore extremely important to include the more abstract levels into a holistic fault-tolerant design.Other approaches on the most concrete level are "over-actuation" (stronger or more actuators than necessary for the direct functionality; the excessive actuation potential can lead to better controllability and allow fault accommodation) and "overlap" (sensor overlap are zones which more than one sensor covers -the comparison of the sensor readings for the same area can be used for calibration purposes and for sensor fault detection).In general, the established concepts of "Design for Safety" (DfS) such as "Safe-Life" (compare e.g.[52]) and "Fail-Safe" lead to an increase of faulttolerance; the approaches for "inherently safe design" can be adapted to fault-tolerant design (compare [50]).

Fig. 2. Fault-tolerant design on different levels
The "physical structure" of a product describes the physical phenomena which realize the functionality of a product.A conscious design on this level can support the application of fault-tolerant control, e.g. when effects are used which can easily be monitored.For this purpose, methods and tools of design science can be adopted which support modelling and synthesis on this level, such as the use of demarcated physical effects (compare [17]).Very important on the level is the possibility to include physical diversity into redundant elements.For instance, if redundant sensors are used, it can be very advantageous to base them on different physical effects.In this case, certain faults such as extreme fog would only influence one of the sensors.
On the "functional level" of a product, the operations are described which take place in order to transform the state of an entity of the technical system into another state.For instance, the function that an electrical motor performs, is to transform electrical energy at the input connectors (input state) into mechanical energy at the output shaft (output state).Elaborate approaches to model the functions of technical systems were developed in the last years, e.g. the integrated function modelling framework (IFM - [17]) or the integration in an engineering framework based on graph-based design languages [58].It is important to note that the highest and most independent form of redundancy can be achieved through diversity on the functional level.For instance, a physical sensor could be replaced by a virtual sensor based on an analytic redundancy.This sensor would work differently even on the function level.
On the different levels, fault-tolerant design characteristics were developed which were applied to a gear shifting system for a formula student driverless race car.These characteristics influence the reliability of the race car in multiple ways.In this competition, the success of a racing team is ultimately determined by its innovative capabilities and the skills to realize reliable solutions.A car with the potential to win the competition needs to be light-weight, energy-efficient and extremely reliable.Indeed, robustness and fault-tolerance is very important, as most of the evaluation points are directly or indirectly linked with the enduring of longer parts of the event.Also the maintainability is an important requirement, as the possibilities and time for maintenance are limited at the events of the competition.In order to meet these requirements, a gear shifting system was developed, which is explained in the next section sciENcE aNd tEchNology tively heavy and rather slow.With this gear shifting system shifting times of approx.300ms can be achieve (for comparison: the later developed electromechanical system, which is described in the next section, is able to achieve 45ms).Because of the disadvantages in terms of space, weight and switching velocity, the team made the decision to develop a new gear shifting system.On the basis of literature reviews and benchmarking it was found out that an electromechanical solution has the potential to address all three disadvantages.The newly developed gear shifting system is shown in Figure 4.This gear shifting system centres on an electrical motor equipped with an incremental encoder.This incremental encoder allows obtaining the exact rotary position of the shaft of the electrical motor, if a predefined initialization run is carried out (e.g. for the first gear a position value of 22100 inc is assigned -this matches 138,7° at the gear exit and 60° at the shift drum).By means of a long shaft and a pair of spur gears the motion of the output shaft of the electrical motor is transferred to the modified shift drum.This shift drum causes a movement of the gear sleeves that allow the selection of a gear; this corresponds to the original situation in the motor-bike gear set.This shift drum also is connected to a potentiometer, located at the end opposite of the pair of spur gears.This potentiometer delivers an analogous resistance which is depending of the rotary position of the shifting drum.
In the next section, the design aspects which lead to an increase of the fault-tolerance of the gear shifting system are explained in detail.

Fault-tolerant design of the shifting system
This section discusses the design aspects which increase the fault-tolerance; the structure follows the levels of product concretization shown in Figure 2. The basis for any successful development is the requirement level, which describes the design objectives; design aspects on this level are described in Section 4.1.The most concrete level of product description contains the product structure and geometry as well as the detailed material choice.This level describes the technical system in detail; Section 4.2 describes design aspects on this level.The more abstract level "physical structure" describes the physical phenomena which realize the functionality of a product; design aspects on this level are contained in Section 4.3.Even more abstract is the "functional level" of a product, within which the operations are described which take place in order to transform the states of entities of the technical system into other states; Section 4.4 summarizes the design aspects on this level.A conscious fault-tolerant design takes place on all of these levels of product concretization and a link to fault-tolerant control is also possible and sensible on all these levels.For instance, over-actuation on the geometry level can enhance the possibilities of a fault-tolerant controller to accommodate faults and a virtual redundancy on the functional level can enable to fault detection and identification block of a fault-tolerant control scheme.The subsequent subsection will explain concrete measures of faulttolerant design applied to the gear shifting system.

Automated shifting system
The gear box of the race cars of the Ravensburg-Weingarten University (RWU) is the integrated sequential gear box belonging to the four-cylinder in line motorcycle engine (Honda CBR 600), which is also used in the race-car -both the autonomous and the conventional combustion car.In a motor-bike, this gear-box is manually operated through a foot lever.Obviously, this is not possible for a driverless vehicle, therefore an automated shifting system is required.Initially the team developed a pneumatic shifting system, which is shown in Figure 3.The pneumatic gear system consists of an air reservoir for compressed air, a two-stage pressure regulator, an air cylinder for gear changing, an air cylinder for clutch actuation and magnetic valves.Though this system was working in the race car, it still disposed of several disadvantages.The system consumed too much space, is rela-

Design aspects on the requirements level
As stated above, the requirement level is extremely important for successful product development processes.In the given project, the initial step -search for requirements -contained a detailed analysis of the rules, which are each year published by the different formula student competitions; an important one is published by Formula Student Germany (FSG) and has a length of 133 pages.It is important to identify explicit requirements in this kind of large document and to make them traceable.Further requirements result from a conscious analysis of all possible driving, production and maintenance scenarios of the race-car.Such activities lead to a large number of requirements.This large number reduces the risk of failure caused by unknown or forgotten requirements, but requires a conscious management.Today, several software solutions for requirements management are available; Eclipse ProR is an open source option.Figure 5 shows requirements concerning the automated gear shifting system modelled in Eclipse ProR.
For fault-tolerant design, an identification of possible and probable faults needs to be performed.Similar to the collection of requirements, a conscious analysis of all possible driving, production and maintenance scenarios of the race-car can offer a basis for this activity.The most important identified faults for the gear shifting system were a tooth-on-tooth situation of the gear wheels, which will prohibit a gear shift and a loss of the position information of the shift drum.

Design aspects on the structure, geometry and material level
Obviously, it is possible to raise the fault-tolerance of the gear shifting system on the most concrete level "structure, geometry and material".In the current development, two cases of redundancy and the principle "over-actuation" could be integrated in the final design.The important elements of the gear shifting system are shown in Figure 6.
The electrical BLDC (brushless, direct current) motor (maxon EC-I 30), which is equipped with hall sensors, a gear system for increased torque (maxon GP 32 C) and an incremental encoder (maxon ENX 16 EASY), drives the gear shifting system.The controller of this motor is an electronic position control (maxon EPOS4).The output of the gear system is connected to a long shaft that transfers the torque to the other side of the gear system.The end of the shaft at this side is connected to a spur gear.This spur gear is contact with another spur gear, which is connected to the shift drum.At this point of connection, also a module is connected which consists of an element formed like a star and a roller which is pressed against this stare by means of a spring.This module is forcing the shift drum to certain, equally distributed rotary positions.Each of these position corresponds to a position of the shift drum within which a gear is exactly engaged.In this kind of gear systems, the shift drum disposes of geometrical entities (similar to a ditch) which are moving shift forks; those entities are visible in Figure 6.The shift forks connect the gear wheel of a given gear to one of the shafts of the gear systems, thus allowing a torque flow through the gear system.At the end of the shift drum another set of spur gears is located, which drive a potentiometer.Therefore, this potentiometer is able to monitor the angular position of the shift drum.
Obviously, this potentiometer is a second means to determine the angular position of the shift drum, because this information can also be deduced from the information given by the incremental encoder at the drive motor.This redundancy is the first aspect of fault-tolerant design that could be realised in the gear shifting system.It is important to note that these two means of measurement rely on totally different physical principles.Therefore, they can be understood as located on a higher level of fault-tolerant design and will be discussed in the following section.
The module, which consists of the star element, the roller and the spring and supports a precise and stable angular position of the shift drum, is also a redundant elements, as the angular position could Fig. 5. Requirements of a electromechanical gear shifting system in Eclipse ProR Fig. 6.Detail view of the shifting system sciENcE aNd tEchNology also be achieved by the electrical motor alone.In the original application of the gear system -the motor bike -the module is necessary for maintaining an optimum angular position for each gear.In the novel system, the motor is equipped with a self-looking gear (maxon GP 32 C -ration 14:1); theoretically this self-looking gear assures an exact positioning after a gear was properly engaged by the controlled motor.Still, during drive testing it became obvious that the control quality and gear engagement speed are both not affected by this redundant element and that the engaged gear is held even more stable and safely.Furthermore, the module supports the teaching of the position of the shift drum during the initial run, because it achieves optimum angular positions for each gear mechanically.Additionally, energy can be saved because of this module, since it allows to energize the shifting motor only temporarily.
The notion "over-actuation" can have two meanings [50]: on the one hand, it can indicate the employment of more actua-• tors than ultimately necessary for realizing the given functionality and on the other hand, it can indicate the employment of stronger • actuators than ultimately necessary for realizing the given functionality.
The main advantages of over-actuated systems are both an improved controllability and the capability to accommodate faults.This capability is an effect of the fact that the over-actuation potential can be employed for compensating the consequences of one or more faults [50].Consequently, over-actuation can be a means to increase the fault-tolerance of a technical system.In the novel gear shifting system, over-actuation could be realised in the electrical motor.Initially, the necessary torque for turning the system of shaft and shift drum was found be using a wrench for actuation and measuring the applied torque.It became obvious that about 1.5 Nm are necessary for this turning operation.The chosen electrical motor with the gear system is able to generate a torque of up to 6 Nm (only for a short time; however, this time is in any case long enough for one or more gear engagement processes).The later testing lead to the insight that this over-actuation leads to fast shifting times and also a superior control quality.

Design aspects on the physical level
The physical level connects the concrete solutions in terms of structure, geometry and material with the abstract solution description on the function level.Since several years, a conscious development of the physical level is advised in design science (e.g.[15]), because it allows innovative solutions.During an analysis of so-called "breakthrough products", i.e. product which are innovative to such an extent that their successor products are immediately outdated, lead to the observation that nearly all break-through products dispose of altered physical phenomena for realising the central functionality.Additionally, an in-depth occupation with the physical phenomena which realize the numerous functions of a technical system can support a better system understanding.Current research activities intend to expand the analysis of physical phenomena by means of including uncertainties in form of disturbances [34] and to integrate representations of physical phenomena in a holistic engineering framework.The outcome of an analysis of the physical phenomena (or "effects") is a chain of physical effects; Figure 7 shows an example of an incremental encoder, as used in the given project.

Fig. 7. Physical effect chain incremental encoder
The physical effects that enable the function of the incremental encoder are depicted in this effect chain.The angle of a shaft is transferred by means or the two physical effects "lever" and "cohesion of rigid bodies (CRB) to a trigger wheel.The Hall Effect and the counting of changes in a hall effect sensor leads to a digital information concerning the angle of the shaft.The experiences in the underlying project lead to the insight that the analysis of physical phenomena leads to a deepening of the understanding and assists communication processes.
A central possibility on this level to increase fault-tolerance is the design principle "physical diversity".This principle describes the conscious application of system entities that employ different physical phenomena for the achievement of given objectives [50].Examples for physical diversity are given in aircraft industry, where an increase level of fault-tolerance is achieved by employing both hydraulic power lines with hydraulic actuators and electric power lines with electric actuators [7].In the last section, one example of physical diversity was already initially described: the application of two sensors with one identical goal -the monitoring of the angular position of the shift drum.This monitoring result is extremely important for enabling a position control of the motor and for assuring that the gears are safely engaged.
As described above, the electrical motor is equipped with a gear system (transmission ratio 14:1).This enables the incremental encoder to distinguish 57.344 angular positions (1024 (pulses per channel per revolution) * 4 (resolution) * 14 (gear reduction)) of the shift drum.The information delivered by the motor position control unit (EPOS 4) are shown in Figure 8.It is important to note that this information are on the one hand resulting from the incremental encoder, on the other from the hall sensors in the motor, which are necessary for the control the brushless motor.
In Figure 8 upper part, the position demand and two kinds of actual positions (case without fault and case with fault) are shown.Similarly, the middle part shows the velocity demand and two kinds of actual velocity (case without fault and case with fault).The lower part concerns the current.For both the nominal case and the faulty case the actual current and the average actual current are shown.The essential content of Figure 8 is the investigation of an error during the engagement of the first gear (corresponding to an encoder reading of 22100 inc) from neutral (corresponding to an encoder reading of 0 inc).As can be seen in Figure 8, a certain amount of redundancy is already present because of the combination of electrical motor, incremental encoder and motor position control.The position control is able to determine a motor angular position; for this the information from the encoder is used.It is additionally able to determine the velocity of the motor at certain instances of time, by means of combined information from the encoder applying numerical differentiation and from the hall sensors of the motor (the presence of the hall sensors in the motor is also a form of redundancy).Furthermore, the position control is able to determine the current, which it is delivering to the motor when trying to achieve an intended angular position.This current is a result of the PID controller implemented within the motor control as a low level control loop.
In the developed design, a further sensor was included -the potentiometer mentioned above -that also has the intention to monitor the angular position of the shift drum.The measurable resistance of this potentiometer is not assessed by the position control but by the superordinate control unit of the race-car.As a consequence of this constellation, in superordinate control unit the engaged gear will be known, even in the case of a fault concerning the electrical motor or the motor position control.In such cases, the race-care would be able to finish the race in the gear which was engaged when the fault occurred.The superordinate control unit could open the clutch for speeds which are too low for this engaged gear (in such cases the mo-sciENcE aNd tEchNology tor could be forced into very low speeds and could stall, if the clutch is not opened).Even a standstill of the car would be possible in this situation, because with an adapted clutch characteristic the race-car can start form standstill also in the 2 nd and 3 rd gear (most competitions are carried out on nearly even race tracks; this allows start in higher gears).As mentioned above, it is of paramount importance to finish a course in case of a fault, because otherwise no points are awarded.This example shows clearly, which advantages in a competition can be achieved with an increased fault-tolerance leading to an increase reliability.It is important to note that a sensor redundancy enables the application of sensor fusion techniques.These techniques apply algorithms such as the least squares method or the Kalman filter, which can lead to higher accuracy and credibility [2].In the realised system, up to now, only a plausibility check was applied; sensor fusion techniques will be incorporated in the next development generation.

Design aspects on the function level
In the last years new powerful tools were developed for function modelling, most notably the integrated function modelling framework (IFM - [17]), which can also be integrated in current engineering frameworks [19].Figure 9 shows a function model of the gear shifting system modelled in IFM.
In this modelling framework, information is presented in associated views.The state view (upper left part of the IFM) represents states of actors and operands as well as their change.The process flow view (upper right part of the IFM) represents the flow of transformation and interaction processes.This two views are accompanied by an interaction view and an actor view (lower part of the IFM).This framework fosters a holistic view on the functional level.For instance, in the IFM redundancy of incremental encoder and potentiometer is clearly visible.Two main operands "energy" and "signal" are modelled; their flow through the system is also obvious in the IFM.
As mentioned in Section 4.1, one prominent fault is a "tooth-on-tooth" situation, when a gear should be engaged; this fault is a main focus of the design aspects for increased fault-tolerance on this level.The position control of the electrical motor can deliver crucial information for the accommodation of this fault; these information are shown in Figure 10.It is possible to use these information together with an analytical model for the detection of this fault and its accommodation.
Essentially this fault appears, when the side surfaces of the gear that should be moved to engage a gear are aligned and consequently do not allow this engaging movement, which is initiated by the shift forks.When looking at the information presented in Figure 10, it is apparent that this fault can be detected, if the both the velocity over position and the current over position reach certain regions (visible in red hatched in Figure 10).Thus, the red hatched zones represent the fault signature of this fault.In the case that both redundant information are present (velocity over position and current over position), it is clear that the fault "tooth-on-tooth" is present.In the given case it was satisfactory to detect certain regions in the velocity -position diagram and the current -position diagram, i.e. certain combinations of these parameters which indicate this fault.In more complex cases other algorithms such as the well-known observer-based fault detection method could allow the detection and identification of the fault [18].sciENcE aNd tEchNology

Conclusions and outlook
The international competition "formula student" has gained enormous attention over the last years.The demands concerning performance and reliability are immense.As a consequence of the inclusion of the capability to drive autonomous, the complexity of the cars and especially the control systems has increased dramatically.This leads to additionally fault possibilities and the importance of fault-tolerance has also increased immensely.The same is true for complex technical systems produced in industrial companies.The research activities concerning fault-tolerant control address these issues since several years; in the last years also a focus on fault-tolerant design is visible.Fault-tolerant design pursues two main goals: … to allow and ease effective fault-tolerant control by means of • conscious design aspects.… to integrate design aspects which by themselves increase the • fault-tolerance (e.g.inherently fault-tolerant design aspects).
The focus of this paper is an in-depth discussion of the methods and tools of fault-tolerant design.This discussion as based on the conscious development of fault-tolerant design aspect for an automated shifting system for a formula student race car.A model, which allows a distinction of the level of abstraction of the models of the technical system under development, served for structuring this discussion.On all levels, concrete measures are explained that improve the faulttolerance of the race-care and, through this, its reliability.Some of the measures had the additional effect to optimise the performance of the race-car.Interestingly, the implemented measures only lead to the addition of one element (a potentiometer) and they did not lead to nega-For accommodating this fault it is possible to let the electrical motor for gear shifting reverse for a few degree and then to make another attempt to move the shift drum, which moves the shift fork, which may engage the gear.The testing showed that, in a large share of the cases when this fault occurred, this simple manoeuvre was sufficient to enable the engagement of the gear.In these cases, only a small amount of time is lost (10 to 20 ms) and the shifting is still very fast.A combined possible measure for the accommodation of this fault is a short engagement of the clutch (induced by the superordinate control system of the race car), which can realize a small rotation of the gears which may resolve the "tooth-on-tooth" situation.
Furthermore, the elaborate control and diagnosis system can also lead to an improved overall performance of the race-car as a consequence of further decreased shifting times.In the earlier cars, the ignition was cut-off during the whole shifting process until the gear was definitely engaged (this ignition cut-off is needed to have smaller contact forces on the gears and to allow shifting).In the new system, it is possible to be definitely sure that a gear will be engaged, even before the final position is achieved, because of the integrated monitoring of position and current.In this case, the superordinate control may reconnect the ignition and increase the injection quantity quite a bit earlier.In the moment, when the gear is finally engaged, the engine will again be able to deliver its full torque, leading to optimised performance.In such cases, the superordinate control will overrule the gear-ignition-cut control.It is important to note that the measures are based on an intelligent mechanical and electromechanical design in combination with an elaborate diagnosis and control systems.It was possible to identify a positive influence resulting from the application of the methods and tools of design science, for instance integrated function modelling and a conscious analysis of physical phenomena.Future research activities in this promising field need to expand the methodical basis of fault-tolerant design.These activities need to include technical systems with different sets of requirements, application scenarios and levels of complexity.

Fig. 9 .
Fig. 9. IFM model of the gear shifting system