Autonomous Driving From Fail-Safe to Fail-Operational Systems

Similar documents
The Safe State: Design Patterns and Degradation Mechanisms for Fail- Operational Systems

Scalable and Flexible Software Platforms for High-Performance ECUs. Christoph Dietachmayr Sr. Engineering Manager, Elektrobit November 8, 2018

Adaptive AUTOSAR: Infrastructure Software for Advanced Driver Assistance. Chris Thibeault June 7, 2016

Introduction to Adaptive AUTOSAR. Dheeraj Sharma July 27, 2017

10 th AUTOSAR Open Conference

Software integration challenge multi-core experience from real world projects

Designing a software framework for automated driving. Dr.-Ing. Sebastian Ohl, 2017 October 12 th

Functional Safety Architectural Challenges for Autonomous Drive

Software Architecture for Secure ECUs. Rudolf Grave EB TechDay-June 2015

SW-Update. Thomas Fleischmann June 5 th 2015

Failure Diagnosis and Prognosis for Automotive Systems. Tom Fuhrman General Motors R&D IFIP Workshop June 25-27, 2010

AUTOSAR proofs to be THE automotive software platform for intelligent mobility

10 th AUTOSAR Open Conference

Realizing Automated Driving Systems using Ethernet TSN and Adaptive AUTOSAR

1000BASE-T1 from Standard to Series Production

Automated Driving Necessary Infrastructure Shift

The Adaptive Platform for Future Use Cases

How Security Mechanisms Can Protect Cars Against Hackers. Christoph Dietachmayr, CIS Solution Manager EB USA Techday, Dec.

Arccore AB 2017, all rights reserved. Accelerating innovation

Is This What the Future Will Look Like?

ISO meets AUTOSAR - First Lessons Learned Dr. Günther Heling

Adaptive AUTOSAR. Ready for Next Generation ECUs V

Adaptive AUTOSAR Extending the Scope of AUTOSAR-based Embedded Software

Securing the future of mobility

Virtual Hardware ECU How to Significantly Increase Your Testing Throughput!

Communication Patterns in Safety Critical Systems for ADAS & Autonomous Vehicles Thorsten Wilmer Tech AD Berlin, 5. March 2018

November 16, TTTech Computertechnik AG / TTTech Auto AG Copyright TTTech Auto AG. All rights reserved

MATLAB Expo Simulation Based Automotive Communication Design using MATLAB- SimEvent. Sudhakaran M Anand H General Motors

Current status and Future of AUTOSAR. Markus Bechter 7 th AUTOSAR Open Conference Oct. 22 nd -23 rd 2014, Detroit

Taking the Right Turn with Safe and Modular Solutions for the Automotive Industry

Secure Ethernet Communication for Autonomous Driving. Jared Combs June 2016

Software architecture in ASPICE and Even-André Karlsson

Adaptive AUTOSAR Extending the Scope of AUTOSAR-based Embedded Software

Handling Challenges of Multi-Core Technology in Automotive Software Engineering

Agenda. > AUTOSAR Overview. AUTOSAR Solution. AUTOSAR on the way

ARM processors driving automotive innovation

How Microcontrollers help GPUs in Autonomous Drive

Automotive Anomaly Monitors and Threat Analysis in the Cloud

10 th AUTOSAR Open Conference

10 th AUTOSAR Open Conference

Security and Performance Benefits of Virtualization

Driving virtual Prototyping of Automotive Electronics

Open Source in Automotive Infotainment

PREEvision Technical Article

An Encapsulated Communication System for Integrated Architectures

European Conference on Nanoelectronics and Embedded Systems for Electric Mobility

Isolation of Cores. Reduce costs of mixed-critical systems by using a divide-and-conquer startegy on core level

2oo4D: A New Design Concept for Next-Generation Safety Instrumented Systems 07/2000

AUTOSAR Overview and Classic Platform

A specification proposed by JASPAR has been adopted for AUTOSAR.

Consolidated Financial Results for Fiscal 2016 (As of March 2017)

A NEW CONCEPT IN OTA UPDATING FOR AUTOMOTIVE

Reliable Statements about a Fault-Tolerant X-by-Wire ecar. Reliable Statements about a Fault-Tolerant X-by-Wire ecar Unrestricted 2017 Siemens AG

CAN FD - Flexible Tools for Flexible Data Rates

VT System Smart HIL Testing

Countermeasures against Cyber-attacks

SIMPLIFYING THE CAR. Helix chassis. Helix chassis. Helix chassis WIND RIVER HELIX CHASSIS WIND RIVER HELIX DRIVE WIND RIVER HELIX CARSYNC

Design and Implementation of Android-based MobileSecond Platform Architecture & its Smart Care Service

AUTOBEST: A microkernel-based system (not only) for automotive applications. Marc Bommert, Alexander Züpke, Robert Kaiser.

Software and Hardware Tools for Driver Assistance & Automated Driving Chris Thibeault Head of US Product Expert Group Elektrobit November 8, 2018

Virtualization of Heterogeneous Electronic Control Units Testing and Validating Car2X Communication

Mentor Automotive. Vehicle Network Design to meet the needs of ADAS and Autonomous Driving

Architecture concepts in Body Control Modules

Sicherheitsaspekte für Flashing Over The Air in Fahrzeugen. Axel Freiwald 1/2017

ELEC 5260/6260/6266 Embedded Computing Systems

Components & Characteristics of an Embedded System Embedded Operating System Application Areas of Embedded d Systems. Embedded System Components

Trusted Platform Modules Automotive applications and differentiation from HSM

Using DDS with TSN and Adaptive AUTOSAR. Bob Leigh, Director of Market Development, Autonomous Vehicles Reinier Torenbeek, Systems Architect

Autorama, Connecting Your Car to

TU Wien. Fault Isolation and Error Containment in the TT-SoC. H. Kopetz. TU Wien. July 2007

Conquering Complexity: Addressing Security Challenges of the Connected Vehicle

Smart Antennas and Hypervisor: Enabling Secure Convergence. July 5, 2017

The House Intelligent Switch Control Network based On CAN bus

Real and Virtual Development with SystemDesk

Mixed-Criticality Systems based on a CAN Router with Support for Fault Isolation and Selective Fault-Tolerance

10 th AUTOSAR Open Conference

Safety and Security for Automotive using Microkernel Technology

Automobile Design and Implementation of CAN bus Protocol- A Review S. N. Chikhale Abstract- Controller area network (CAN) most researched

ARM Moves Further Into Automotive with NXP's Launch of S32K Series to the General Market

AMDC 2017 Liviona Multi-Core in Automotive Powertrain and Next Steps Towards Parallelization

Infotainment Solutions. with Open Source and i.mx6. mentor.com/embedded. Andrew Patterson Business Development Director Embedded Automotive

Vehicle Connectivity in Intelligent Transport Systems: Today and Future Prof. Dr. Ece Güran Schmidt - Middle East Technical University

Standardization for efficient testing of Automotive Ethernet ECUs

Ethernet Design Challenges The requirements and use of Ethernet with AUTOSAR

Autonomous Driving needs Safety & Security. Embedded World 2018 Dr. Ciwan Gouma

Riccardo Mariani, Intel Fellow, IOTG SEG, Chief Functional Safety Technologist

AUTOSAR Method. Webinar

Automotive Security An Overview of Standardization in AUTOSAR

OTA and Remote Diagnostics

SPC5 MCAL overview. ZHANG Livia

Impact of Platform Abstractions on the Development Workflow

Automotive Security: Challenges, Standards and Solutions. Alexander Much 12 October 2017

Advanced IP solutions enabling the autonomous driving revolution

AUTOBEST: A United AUTOSAR-OS And ARINC 653 Kernel. Alexander Züpke, Marc Bommert, Daniel Lohmann

Linux and AUTOSAR Vector Informatik Congress, Stuttgart,

A Data-Centric Approach for Modular Assurance Abstract. Keywords: 1 Introduction

The case for a Vehicle Gateway.

PENETRATION TESTING OF AUTOMOTIVE DEVICES. Dr. Ákos Csilling Robert Bosch Kft., Budapest HUSTEF 15/11/2017

EB TechPaper. EB Assist Car Data Recorder Innovative test drive support. automotive.elektrobit.com

Platform modeling and allocation

Transcription:

Autonomous Driving From Fail-Safe to Fail-Operational Systems Rudolf Grave December 3, 2015

Agenda About EB Automotive Autonomous Driving Requirements for a future car infrastructure Concepts for fail-operational systems Summary 2

About EB Automotive In-car infrastructure solutions We provide products and engineering services for in-car infrastructures to address your projectspecific electronic control unit (ECU) requirements Architecture development and software integration for ECUs FullAUTOSAR support with one basic software stack and one tool environment Tailor-made products, services, and support for all leading OEMs Meeting latest automotivetechnologies like functional safety, security, Ethernet Extensivepartner ecosystem: car manufacturers, 3rd party tool vendors, and microcontroller manufacturers 3

Agenda About EB Automotive Autonomous Driving Requirements for a future car infrastructure Concepts for fail-operational systems Summary 4

Autonomous driving Valet Parking High automation Vision of transport Partial automation High automation with fun Pictures taken from http://www.bmwblog.com/ 5

Levels of Autonomous Driving (AD) degree of automation Driver Automation Source: SAE, NHTSA, VDA 6

Agenda About EB Automotive Autonomous Driving Requirements for a future car infrastructure Concepts for fail-operational systems Summary 7

Requirements for a future car infrastructure Main drivers Automated Driving Car-2-X applications Requirements High computing power High data rates High availability, fail-operational systems Update over the air 8

Requirements for a future car infrastructure High Level Requirements Technical Concepts High computing power High Performance Controllers and GPUs High data rates Ethernet (1 GigE, 10 GigE) High availability, fail-operational systems Car-2-X communication, update over the air Redundancy Concept Service oriented architecture (SOA) Dependable Communication Software System Engineering Reliable Security mechanisms, concepts and infrastructure 9

Contemporary car infrastructure Basic software mostly based on AUTOSAR or similar proprietary system Pro: Efficient on small microcontrollers Well suited for time-critical, safe and secure applications Contra: Only proprietary solutions for fail-over and redundant functionality Fixed, inflexible communication mechanisms App ECU 1 AUTOSAR Cpu App OBD Connector Gateway App ECU 2 App AUTOSAR Cpu ECU 3 ECU 4 10

Future architecture of a car infrastructure Split up ECUs in low performance IO Controller and high performance controller Establish a service oriented architecture (SOA) Cloud Gateway Performance Controller High computation power Widespread, POSIX-like Operating System (e.g. Linux), Adaptive AUTOSAR PF PF IO Controller Provide Sensor and Actuator Services Deeply embedded, real-time Operating System (e.g. Classic AUTOSAR) IO IO IO IO IO IO 11

How to divide the functionalities? Performance Controller calculations driver assistant functions non-high speed functions Software varies on available functions IO Controller physics high speed functions filter processing Calculation with strong timing constraints (e.g. no jitter) Software varies on attached sensors/actuators 12

Benefit of performance controller Performance Controller Ethernet Request Data IO Controller physics Software movement Performance Controller Network connected sensors (e.g. camera) Performance Controller request IOs/data on demand (SOME/IP) can be updated over the air (new functions, bug fixing, function on demand) substitute each other (fail-operational) 13

Requirements for a future car infrastructure HighLevel Requirements Technical Concepts Technologies High computing power High Performance Controllers and GPUs Autosar Adaptive Platform, Hypervisor High data rates High availability, failoperational systems Car-2-X communication, update over the air Elektrobit (EB), 2015 / Ethernet (1 GigE, 10 GigE) Dependable Communication Redundancy Concept Service oriented architecture Software System Engineering Reliable Security mechanisms, concepts and infrastructure Fault-tolerant Communication QoS and Timesync Safe & Secure Communication 2oo3, 1oo2D, (Semi-) dynamic reconfiguration Secure Onboard Communication & Key management Crypto Algorithms, Security HW Secure Separation 14

Agenda About EB Automotive Autonomous Driving Requirements for a future car infrastructure Concepts for fail-operational systems Summary 15

Fault Propagation in Systems Environment System Component A Component B Hazard Accident Not-Safe system Internal Dormant Fault Error Failure Failure Detection/ Reaction Failure Fail-Safe system Detection/ Compensation Detection/ Compensation Fault-tolerant system Fail-operational system Basic Concepts and Taxonomy of Dependable and Secure Computing, Avizienis et al., 2004 16

Current Systems (usually fail-safe) Failure Detected? Deactivate / degrade function Safe State Inform the driver Report a diagnostic error Standard approach in many safety relevant systems: Airbag, ESP, air conditioning, battery charging, Driver assistant functions such as adaptive cruise control, lane assist, Some functions provide a degraded mode, sometimes limited in time: Electronic Power Steering Braking 17

From Fail safe to Fail operational Driver only Assisted Partial autom. Conditional autom. High autom. Full autom. Fail safe Fail operational Safe State means: Continue driving until driver is in the loop approx. 7-15s for conditional autonomous driving Several minutes for high and full autonomous driving Perform an autonomous safe-stop (stand-still at a non-hazardous place) Main issue is to get the driver attention focused on the situation Several minutes, depending on the situation 18

1 st approach: 2 channels with comparison ECU 1 Input Data = Output Data ECU 2 Two ECUs working on the input data and compare the output data 19

1 st approach: 2 channels with comparison ECU 1 Input Data = Output Data ECU 2 shutdown Two ECUs working on the input data and compare the output data A 2 channels with comparison-system is simply fail-safe and since it is not possible to distinguish between ECU1 not ok and ECU2 not ok. The safe state is a complete system shutdown, which is not acceptable for autonomous driving 20

Improving Availability by Redundancy Aerospace domain Space Shuttle: 5 identical general purpose digital computers ECU 1 Saturn V: triple redundancy Avionics Boing 777: triple triplex ECU 2 Voter/ Switch ECU Airbus: Triple redundancy plus software diversity ECU n 21

2 nd approach: 2oo3 systems ECU 1 Input Data ECU 2 V O T E R Output Data ECU 3 A well established pattern If one of the ECUs fails, the system can continue with the remaining two ECUs. Failures in the input data can be detected by an Input-Voter. 22

2 nd approach: 2oo3 systems ECU 1 Input Data ECU 2 V O T E R Output Data still.. ECU 3 The 2 out of 3 system approach is a well established pattern If one of the ECUs fails, the system can continue with the remaining two ECUs. Failures in the input data can be detected by an Input-Voter. 23

Avionics vs Automotive Domain Taining der Benutzer Gewicht Ausfallschweregrad 10 8 6 4 2 0 Zeit zur Überführung in den sicheren Zustand Umfang der Stichprobe Komplexität des Verkehrs Missionsdauer Gewichtung der Stückkosten Automotive: Time to reach safe state < 5min It is assumed unlikely that a further independent failure occurs, whereas in avionics time to reach safe state several hours Wartung Avionics Automotive 24

2oo3 systems applicable for automotive? More ECUs More wiring More weight More power consumption More complexity Key question: What does it mean to the car driver? According to 2 independent studies by KPMG 2013 and autelligence2015, customers would pay 1500 3000$ more for an autonomous driving car (mid-size) -> 2oo3 can be hardly realized due to costs issues. 25

3 rd approach: 1oo2D System Input Logic Output Input Data Diagnostics Diagnostics Enable Output Enable Output Output Data Input Logic Output High diagnostic coverage needed to detect failures in one channel If a component fails in one of the two channels, the system does not shut down The system continues to operate with one channel 26

3 rd approach: 1oo2D System Input Data Input Diagnostics Diagnostics Logic Output Enable Output Enable Output Output Data or Input Logic Output High diagnostic coverage needed to detect failures in one channel If a component fails in one of the two channels the system does not shut down The system continues to operate with one channel Common sense: It s not best policy to operate a highly safety critical system on a single channel but it s sufficient for a certain period of time, the so called hand-over-time to the car driver 27

Outlook: Reconfiguration for rebuilding 1oo2D error occurred 1 channel Still Operational Handover to driver Failure recovery Internal recovery 1oo2D* Rebuilding 2- channelsystem Disabling of comfort functions < 10s 28

1oo2D - Normal operation 1oo2D system Func2 Func1 Func3 Diagnostics Func2 Func1 Func3 Diagnostics Fault tolerant Ethernet Func5 Func3 Func4 Func1 Func6 Sensors /Actuators critical noncritical disabled

1oo2D 1 channel 1oo2D system Func2 Func1 Func3 Diagnostics Func2 Func1 Func3 Diagnostics Fault tolerant Ethernet Func5 Func3 Func4 Func1 Func6 Sensors /Actuators critical noncritical disabled

1oo2D* 1oo2D system Func2 Func1 Func3 Diagnostics Func2 Func1 Func3 Diagnostics Fault tolerant Ethernet Func5 Func3 Func4 Func1 Func6 Requirements for Reconfiguration Req. 1: Functions can be dynamically relocated Req. 2: Sensor/Actuators are redundant or accessible via network as a service Sensors /Actuators critical noncritical disabled

Req. 1: Reconfiguration in classic AUTOSAR systems Application information based on AUTOSAR xml description available Runtime environment (RTE) supporting starting and stopping of software components Threads can started/stopped in EB tresos Safety OS via partitions FailOpManager Monitoring of own health status Monitoring of foreign health status Triggering of reconfiguration 32

Req. 2: Sensor/Actuators are redundant or accessible via network Redundant Sensor/Actuators Duplication and higher costs Only limited reconfiguration of vehicle lifetime due to hardwired sensors Sensor/Actuators are accessible via network Service orientated communication (SOME/IP and Service Discovery) Multi-cast fault-tolerant Ethernet 33

Agenda About EB Automotive Autonomous Driving Requirements for a future car infrastructure Concepts for fail-operational systems Summary 34

Summary Re-use of available integrity mechanisms from fail-safe systems is the basis for building failoperational systems. Software systems that are designed to achieve a high diagnostic coverage are available today Fault tolerant Automotive Ethernet is available today. Established concepts for fail-operational system are available and can be reused in automotive systems with cost constraints. Let s build the next generation software systems for autonomous driving! 35

Contact us! automotive.elektrobit.com Rudolf.Grave@elektrobit.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback