The Safe State: Design Patterns and Degradation Mechanisms for Fail- Operational Systems

Similar documents
Autonomous Driving From Fail-Safe to Fail-Operational Systems

Software integration challenge multi-core experience from real world projects

Software Architecture for Secure ECUs. Rudolf Grave EB TechDay-June 2015

ISO meets AUTOSAR - First Lessons Learned Dr. Günther Heling

Functional Safety Architectural Challenges for Autonomous Drive

Scalable and Flexible Software Platforms for High-Performance ECUs. Christoph Dietachmayr Sr. Engineering Manager, Elektrobit November 8, 2018

Taking the Right Turn with Safe and Modular Solutions for the Automotive Industry

10 th AUTOSAR Open Conference

Communication Patterns in Safety Critical Systems for ADAS & Autonomous Vehicles Thorsten Wilmer Tech AD Berlin, 5. March 2018

Automated Driving Necessary Infrastructure Shift

Introduction to Adaptive AUTOSAR. Dheeraj Sharma July 27, 2017

Failure Diagnosis and Prognosis for Automotive Systems. Tom Fuhrman General Motors R&D IFIP Workshop June 25-27, 2010

Agenda. > AUTOSAR Overview. AUTOSAR Solution. AUTOSAR on the way

Is This What the Future Will Look Like?

IMPROVING ADAS VALIDATION WITH MBT

Arccore AB 2017, all rights reserved. Accelerating innovation

A specification proposed by JASPAR has been adopted for AUTOSAR.

Adaptive AUTOSAR: Infrastructure Software for Advanced Driver Assistance. Chris Thibeault June 7, 2016

Designing a software framework for automated driving. Dr.-Ing. Sebastian Ohl, 2017 October 12 th

AUTOBEST: A microkernel-based system (not only) for automotive applications. Marc Bommert, Alexander Züpke, Robert Kaiser.

Model Based Development and Code Generation for Automotive Embedded Systems. April 26, 2017 Dr. Gergely Pintér, Dr. Máté Kovács thyssenkrupp Steering

Current status and Future of AUTOSAR. Markus Bechter 7 th AUTOSAR Open Conference Oct. 22 nd -23 rd 2014, Detroit

Experiences with CANoe-based Fault Injection for AUTOSAR

Driving virtual Prototyping of Automotive Electronics

November 16, TTTech Computertechnik AG / TTTech Auto AG Copyright TTTech Auto AG. All rights reserved

Software architecture in ASPICE and Even-André Karlsson

AUTOMATIC FUNCTIONALITY ASSIGNMENT TO AUTOSAR MULTICORE DISTRIBUTED ARCHITECTURES

European Conference on Nanoelectronics and Embedded Systems for Electric Mobility

SW-Update. Thomas Fleischmann June 5 th 2015

10 th AUTOSAR Open Conference

Secure Ethernet Communication for Autonomous Driving. Jared Combs June 2016

Automotive Networks Are New Busses and Gateways the Answer or Just Another Challenge? ESWEEK Panel Oct. 3, 2007

Isolation of Cores. Reduce costs of mixed-critical systems by using a divide-and-conquer startegy on core level

Adaptive AUTOSAR Extending the Scope of AUTOSAR-based Embedded Software

AUTOSAR proofs to be THE automotive software platform for intelligent mobility

Hardening Attack Vectors to cars by Fuzzing

Introducing a new temporal partitioning scheme to AUTOSAR OS

Ethernet TSN as Enabling Technology for ADAS and Automated Driving Systems

ADAS: A Safe Eye on The Road

10 th AUTOSAR Open Conference

Automotive and Aerospace Synergies

Virtual Hardware ECU How to Significantly Increase Your Testing Throughput!

New ARMv8-R technology for real-time control in safetyrelated

Riccardo Mariani, Intel Fellow, IOTG SEG, Chief Functional Safety Technologist

Adaptive AUTOSAR Extending the Scope of AUTOSAR-based Embedded Software

Handling Challenges of Multi-Core Technology in Automotive Software Engineering

AMDC 2017 Liviona Multi-Core in Automotive Powertrain and Next Steps Towards Parallelization

A Secure Update Architecture for High Assurance Mixed-Criticality System Don Kuzhiyelil Dr. Sergey Tverdyshev SYSGO AG

Welcome Note. Dr. Thomas Scharnhorst, AUTOSAR Spokesperson 10 th AUTOSAR Open Conference 8 th Nov 2017, Mountain View, California

Components & Characteristics of an Embedded System Embedded Operating System Application Areas of Embedded d Systems. Embedded System Components

SPC5 MCAL overview. ZHANG Livia

Automated Configuration of Time-Critical Multi-Configuration AUTOSAR Systems

Design and Implementation of Android-based MobileSecond Platform Architecture & its Smart Care Service

1000BASE-T1 from Standard to Series Production

AUTOSAR Overview and Classic Platform

Examining future priorities for cyber security management

10 th AUTOSAR Open Conference

Automotive Security: Challenges, Standards and Solutions. Alexander Much 12 October 2017

AUTOBEST: A United AUTOSAR-OS And ARINC 653 Kernel. Alexander Züpke, Marc Bommert, Daniel Lohmann

KSAR Support. for. ST s SPC5 32-bit Automotive MCUs

Testing of automated driving systems

VT System Smart HIL Testing

Solving functional safety challenges in Automotive with NOR Flash Memory

Mixed-Criticality Systems based on a CAN Router with Support for Fault Isolation and Selective Fault-Tolerance

PREEvision Technical Article

SIMPLIFYING THE CAR. Helix chassis. Helix chassis. Helix chassis WIND RIVER HELIX CHASSIS WIND RIVER HELIX DRIVE WIND RIVER HELIX CARSYNC

AUTOSAR Method. Webinar

Cooperative Vehicles Opportunity and Challenges

Using Fault Injection to Verify an AUTOSAR Application According to the ISO 26262

Fault-Injection testing and code coverage measurement using Virtual Prototypes on the context of the ISO standard

STMicroelectronics Automotive MCU Technical Day

Functional Safety on Multicore Microcontrollers for Industrial Applications. Thomas Barth (h-da) Prof. Dr.-Ing. Peter Fromm (h-da)

Self-driving vehicles and their impact on the efficiency and safety of future transport

Advanced Driver Assistance: Modular Image Sensor Concept

Automotive ECU Design with Functional Safety for Electro-Mechanical Actuator Systems

Real and Virtual Development with SystemDesk

How Microcontrollers help GPUs in Autonomous Drive

Safety and Security for Automotive using Microkernel Technology

Virtualization of Heterogeneous Electronic Control Units Testing and Validating Car2X Communication

Automotive Functional Safety

A Safe Basis. Safety Functions Status and Challenge V

Countermeasures against Cyber-attacks

Securing the future of mobility

ARM processors driving automotive innovation

Platform modeling and allocation

Cybersecurity Challenges for Connected and Automated Vehicles. Robert W. Heller, Ph.D. Program Director R&D, Southwest Research Institute

Automotive Anomaly Monitors and Threat Analysis in the Cloud

Arm Technology in Automotive Geely Automotive Shanghai Innovation Center

STMicroelectronics Automotive MCU Technical Day 意法半导体汽车微控制器技术日 2017 年 ST 汽车 MCU 技术日 2017 年 6 月 6 日, 上海 2017 年 6 月 8 日, 深圳 2017 年 6 月 13 日, 北京

Software Architecture. Lecture 4

The Adaptive Platform for Future Use Cases

10 th AUTOSAR Open Conference

Adaptive AUTOSAR. Ready for Next Generation ECUs V

Experiences with AUTOSAR compliant Autocode generation using TargetLink

Safety Argument based on GSN for Automotive Control Systems. Yutaka Matsubara Nagoya University

Future Implications for the Vehicle When Considering the Internet of Things (IoT)

Autonomous Driving needs Safety & Security. Embedded World 2018 Dr. Ciwan Gouma

MATLAB Expo Simulation Based Automotive Communication Design using MATLAB- SimEvent. Sudhakaran M Anand H General Motors

Techday Mobile Electronics Open, connected, scalable With BODAS into the digital future

Frequently Asked Questions

Transcription:

The Safe State: Design Patterns and Degradation Mechanisms for Fail- Operational Systems Alexander Much 2015-11-11

Agenda About EB Automotive Motivation Comparison of different architectures Concept for an 1oo2D software systems Summary 2

The Safe State: Design Patterns and Mechanisms for Fail-Operational Systems EB: Software and Services

Agenda About EB Automotive Motivation Comparison of different architectures Concept for an 1oo2D software systems Summary 4

Different Types of Systems According to Laprie (1992) Hazard Accident Failure Error Fail-safe Systems Fault Fault-tolerant Systems Perfect Systems Error-tolerant Systems Dependable Systems Fail-Operational Systems Safe Systems 5

Current Automotive Systems are Fail-Safe Failure Detected? Deactivate / degrade function Safe State Inform the driver Report a diagnostic error Standard approach in many safety relevant systems: Airbag, ESP, air conditioning, battery charging, Driver assistant functions such as adaptive cruise control, lane assist, Some functions provide a degraded mode, sometimes limited in time: Electronic Power Steering Braking 6

Levels of Autonomous Driving (AD) degree of automation Driver Automation driver in the loop yes (required) not required time to take control back - ~ 1s several seconds couple of minutes other activities while driving not allowed specific all (even sleeping) examples FCW, LDW ACC, LKA Traffic Jam Assistant Highway Chauffeur Valet Parking Robot car FCW Forward Collosion Warning LDW Lane Departure Warning ACC Adaptive Cruise Control LKA Lane Keeping Assistant Source: SAE, NHTSA, VDA 7

Goal: Autonomous driving Driver only Assisted Partial autom. Conditional autom. High autom. Full autom. Fail safe Fail operational Safe State could mean: Continue driving until driver is in the loop approx. 7-15s for conditional autonomous driving Several minutes for high and full autonomous driving Precondition: driver monitoring including a black-box Perform an autonomous safe-stop (stand-still at a non-hazardous place) Main issue is to get the driver attention focused on the situation Several minutes, depending on the situation Precondition: legal acceptance, approved and certified black-box 8

Agenda About EB Automotive Motivation Comparison of different architectures Concept for an 1oo2D software systems Summary 9

2 channels with comparison ECU 1 Input Data = ECU 2 Output Data Redundant ECUs calculate using redundant data, output is compared. A 2 channels with comparison system is fail-safe since you cannot distinguish between ECU1 not ok and ECU2 not ok. The safe state is a complete system shutdown. 10

2oo3 Systems ECU 1 Input Data ECU 2 V O T E R Output Data ECU 3 Three redundant ECUs calculate on redundant data, output data is voted upon If one of the ECUs fails the system can continue with the remaining two ECUs. Failures in the input data can be detected by an Input-Voter. 11

2oo3 Systems and the Automotive Domain Applicable for automotive? More ECUs More wiring More weight More power consumption Higher complexity to manage Will we as a customer accept that? Different opinions and market studies Referring to several studies, customer will pay 1500-3000 more for autonomous driving car (mid-size car). Source: KPMG(2013), autelligence (2015) 12

2oo3: An Example (Nissan Steer-by-Wire) Source: http://www.caranddriver.com/features/electric-feel-nissan-digitizes-steering-but-the-wheel-remains-feature 13

Agenda About EB Automotive Motivation Comparison of different architectures Concept for an 1oo2D software systems Summary 14

1oo2D Systems Input Logic ECU 1 Output Input Data Diagnostics Diagnostics Input ECU 2 Logic Output Enable Output Enable Output Output Data If an ECU fails in one of the two channels, the system does not shut down but continues to operate with only one channel The best policy is not to operate on a single channel for a long period of time. Controlling this time and matching it with complete system behavior is the key. Precondition: very high diagnostic coverage needed for each ECU to detect failures. 15

Microkernel QM Functions The Safe State: Design Patterns and Mechanisms for Fail-Operational Systems From Detection to Prevention Integrity mechanisms: Memory partitioning Data protection Temporal protection Software Engineering: Plausibility checks Functional monitoring Defensive programming Semantic analysis Robustness Car Infrastructure: Fault tolerant Ethernet Service orientated communication Memory Partitions Safety OS AUTOSAR OS BSW Safety OS Data Protection Stack Protection Context Protection OS Protection Hardware Error management QM SW-Cs OEM modules MCAL Safety RTE Safety E2E Protection Safe communication ASIL SW-C ASIL CDD MCAL (ASIL) QM CDD Safety E2E Protection Safety TimE Protection Wdg Safety TimE Protection Alive supervision Deadline Monitoring Control flow monitoring 16

Dynamic 1oo2D 1oo2D Normal operation 1oo2D* 1 channel Still Operational Handover to driver Failure recovery Internal recovery Rebuilding 2 channel system Disabling of comfort functions < 10s 17

1oo2D - Normal operation 1oo2D system ECU1 Func2 Func1 Func3 Diagnostics ECU2 Func2 Func1 Func3 Diagnostics Fault tolerant Ethernet ECU3 Func5 Func3 Func4 Func1 Func6 Sensors /Actuators critical noncritical disabled

1002D 1 channel 1oo2D system ECU1 Func2 Func1 Func3 Diagnostics ECU2 Func2 Func1 Func3 Diagnostics Fault tolerant Ethernet ECU3 Func5 Func3 Func4 Func1 Func6 Sensors /Actuators critical noncritical disabled

1002D* 1oo2D system ECU1 Func2 Func1 Func3 Diagnostics ECU2 Func2 Func1 Func3 Diagnostics Fault tolerant Ethernet ECU3 Func5 Func3 Func4 Func1 Func6 Requirements for Reconfiguration Sensors /Actuators Req. 1: Functions can be dynamically relocated Req. 2: Sensor/Actuators are redundant or accessible via network critical noncritical disabled

Dynamic Re-Configuration Req. 1: Functions can be dynamically relocated Application information based on AUTOSAR xml description available Runtime environment (RTE) supporting reconfigurable software components OS_App1 Data Task1 Data Stack OS Data Task2 Data Stack OS_App2 Data Task3 Data Stack ISR1 Data Stack Stack Threads can restarted with e.g. Safety OS Req. 2: Sensor/Actuators are redundant or accessible via network Service orientated communication Multi-cast fault-tolerant Ethernet 21

Agenda About EB Automotive Motivation Comparison of different architectures Concept for an 1oo2D software systems Summary 22

Summary Re-use of available integrity mechanisms from fail-safe systems is the basis for building failoperational systems. Software systems that are designed to achieve a high diagnostic coverage are available today and can be extended to fail-operational. Fault tolerant Automotive Ethernet is available today. Established concepts for fail-operational system are available and can be reused in automotive systems with budget constraints. Let s build the next generation software systems for autonomous driving! 23

Contact us! http://automotive.elektrobit.com alexander.much@elektrobit.com rudolf.grave@elektrobit.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback