Safety-related challenges and opportunities for GPUs in the automotive domain

GPUs have been shown to cover the computing performance needs of autonomous driving (AD) systems. However, since the GPUs used for AD build on designs for the mainstream market, they may lack fundamental properties for correct operation under automotive's safety regulations. In this paper, we analyze some of the main challenges in hardware and software design to embrace GPUs as the reference computing solution for AD, with the emphasis in ISO 26262 functional safety requirements.Authors would like to thank Guillem Bernat from Rapita Systems for his technical feedback on this work. The research leading to this work has received funding from the European Re-search Council (ERC) under the European Union's Horizon 2020 research and innovation programme (grant agreement No. 772773). This work has also been partially supported by the Spanish Ministry of Science and Innovation under grant TIN2015-65316-P and the HiPEAC Network of Excellence. Jaume Abella has been partially supported by the Ministry of Economy and Competitiveness under Ramon y Cajal postdoctoral fellowship number RYC-2013-14717. Carles Hernández is jointly funded by the Spanish Ministry of Economy and Competitiveness and FEDER funds through grant TIN2014-60404-JIN.Peer ReviewedPostprint (author's final draft

Formal verification of automotive embedded UML designs

Software applications are increasingly dominating safety critical domains. Safety critical domains are domains where the failure of any application could impact human lives. Software application safety has been overlooked for quite some time but more focus and attention is currently directed to this area due to the exponential growth of software embedded applications. Software systems have continuously faced challenges in managing complexity associated with functional growth, flexibility of systems so that they can be easily modified, scalability of solutions across several product lines, quality and reliability of systems, and finally the ability to detect defects early in design phases. AUTOSAR was established to develop open standards to address these challenges. ISO-26262, automotive functional safety standard, aims to ensure functional safety of automotive systems by providing requirements and processes to govern software lifecycle to ensure safety. Each functional system needs to be classified in terms of safety goals, risks and Automotive Safety Integrity Level (ASIL: A, B, C and D) with ASIL D denoting the most stringent safety level. As risk of the system increases, ASIL level increases and the standard mandates more stringent methods to ensure safety. ISO-26262 mandates that ASILs C and D classified systems utilize walkthrough, semi-formal verification, inspection, control flow analysis, data flow analysis, static code analysis and semantic code analysis techniques to verify software unit design and implementation. Ensuring software specification compliance via formal methods has remained an academic endeavor for quite some time. Several factors discourage formal methods adoption in the industry. One major factor is the complexity of using formal methods. Software specification compliance in automotive remains in the bulk heavily dependent on traceability matrix, human based reviews, and testing activities conducted on either actual production software level or simulation level. ISO26262 automotive safety standard recommends, although not strongly, using formal notations in automotive systems that exhibit high risk in case of failure yet the industry still heavily relies on semi-formal notations such as UML. The use of semi-formal notations makes specification compliance still heavily dependent on manual processes and testing efforts. In this research, we propose a framework where UML finite state machines are compiled into formal notations, specification requirements are mapped into formal model theorems and SAT/SMT solvers are utilized to validate implementation compliance to specification. The framework will allow semi-formal verification of AUTOSAR UML designs via an automated formal framework backbone. This semi-formal verification framework will allow automotive software to comply with ISO-26262 ASIL C and D unit design and implementation formal verification guideline. Semi-formal UML finite state machines are automatically compiled into formal notations based on Symbolic Analysis Laboratory formal notation. Requirements are captured in the UML design and compiled automatically into theorems. Model Checkers are run against the compiled formal model and theorems to detect counterexamples that violate the requirements in the UML model. Semi-formal verification of the design allows us to uncover issues that were previously detected in testing and production stages. The methodology is applied on several automotive systems to show how the framework automates the verification of UML based designs, the de-facto standard for automotive systems design, based on an implicit formal methodology while hiding the cons that discouraged the industry from using it. Additionally, the framework automates ISO-26262 system design verification guideline which would otherwise be verified via human error prone approaches

Exploring the impact of different cost heuristics in the allocation of safety integrity levels

Contemporary safety standards prescribe processes in which system safety requirements, captured early and expressed in the form of Safety Integrity Levels (SILs), are iteratively allocated to architectural elements. Different SILs reflect different requirements stringencies and consequently different development costs. Therefore, the allocation of safety requirements is not a simple problem of applying an allocation "algebra" as treated by most standards; it is a complex optimisation problem, one of finding a strategy that minimises cost whilst meeting safety requirements. One difficulty is the lack of a commonly agreed heuristic for how costs increase between SILs. In this paper, we define this important problem; then we take the example of an automotive system and using an automated approach show that different cost heuristics lead to different optimal SIL allocations. Without automation it would have been impossible to explore the vast space of allocations and to discuss the subtleties involved in this problem

Analysis of ISO 26262 Compliant Techniques for the Automotive Domain

The ISO 26262 standard denes functional safety for automotive E/E systems. Since the publication of the rst edition of this standard in 2011, many dierent safety techniques complying to the ISO 26262 have been developed. However, it is not clear which parts and (sub-) phases of the standard are targeted by these techniques and which objectives of the standard are particularly addressed. Therefore, we carried out a gap analysis to identify gaps between the safety standard objectives of the part 3 till 7 and the existing techniques. In this paper the results of the gap analysis are presented such as we identied that there is a lack of mature tool support for the ASIL sub-phase and a need for a common platform for the entire product development cycle

Analysis of ISO 26262 Compliant Techniques for the Automotive Domain

The ISO 26262 standard denes functional safety for automotive E/E systems. Since the publication of the rst edition of this standard in 2011, many dierent safety techniques complying to the ISO 26262 have been developed. However, it is not clear which parts and (sub-) phases of the standard are targeted by these techniques and which objectives of the standard are particularly addressed. Therefore, we carried out a gap analysis to identify gaps between the safety standard objectives of the part 3 till 7 and the existing techniques. In this paper the results of the gap analysis are presented such as we identied that there is a lack of mature tool support for the ASIL sub-phase and a need for a common platform for the entire product development cycle

Toward the application of ISO 26262 for real-life embedded mechatronic systems

International audienceThe document ISO 26262 entitled ‘Road vehicles – Functional Safety’ [1] is a standard being issued by the TC22/SC3/WG16 working group of the International Standard Organization. Its scope is the functional safety of electric and electronic (E/E) embedded systems installed in automotive vehicles

Workflow between ISO 26262 and ISO 21448 Standards for Autonomous Vehicles

Assuring safety is important in autonomous vehicles. The safety related to autonomous vehicles can be primarily viewed from two perspectives: the functional safety (FuSa) perspective and the safety of the intended functionality (SOTIF) perspective. While FuSa ensures the system has an acceptable risk with respect to malfunctions of electrical and electronic components, SOTIF ensures the system has an acceptable risk with respect to functional insufficiencies and performance limitations. ISO 26262 and ISO 21448 are the state-of-the-art international standards used to ensure compliance with FuSa and SOTIF for autonomous automotive systems, respectively. The ISO 21448 standard mentions the need for alignment of ISO 26262 activities with the ISO 21448 activities and describes the mapping at a very high level. However, given the iterative nature of SOTIF activities in ISO 21448, the workflow between the two standards is not a direct one-toone mapping. Hence, we need a clear understanding how we can align ISO 26262 and ISO 21448 activities, and on how analysis done in one standard can impact the other. To achieve this, in this paper we propose a detailed workflow between ISO 26262 and ISO 21448 standards. We discuss guidelines on how to find if a change to design due to SOTIF modification can affect FuSa analysis and vice versa. We also discuss the aspects we need to consider for agile development when we want to ensure the system bein

A Model-Based Reference Workflow for the Development of Safety-Critical Software

International audienceModel-based software development is increasingly being used to develop software for electronic control units (ECUs). The automatic conversion of models into program code for ECUs plays a major role in this because it ensures efficientimplementation, providing considerable savings potential and short development cycles. This paper introduces a model-based reference workflow for the development of safety-critical software conforming to relevant safety-standards such as IEC 61508 and ISO 26262. The reference workflow provides guidance for meeting the safety requirements to develop software up to and including SIL 3 and/or ASIL D. Furthermore the paper shows how such a reference workflow can help address the issue of software tool qualification