722 research outputs found

    Introducing ASIL inspired dynamic tactical safety decision framework for automated vehicles

    The existing automotive Hazard Analysis and Risk Assessment (HARA) process described by the international standard ISO 26262 is static in nature. While the standard describes a systematic process for incorporating functional safety into the development of Electrical & Electronic (E/E) systems, it does not address the needs of Advanced Driver Assistance Systems (ADAS) and Automated Driving (AD) systems. To ensure the safety of ADAS and AD systems, the changing nature of the interactions between the system and its environment must be incorporated into the safety analysis process. In this paper, the authors argue the need for a dynamic approach to automotive safety analysis that adapts the tactical safety of ADAS and AD systems to the real-time operational capability and the real-time ASIL (Automotive Safety Integrity Level) rating of a situation, and discuss a framework for this process. The novelty, and therefore the contribution, of this paper lies in the proposed ASIL-inspired dynamic tactical safety framework, which evaluates the severity, controllability and exposure ratings in real time from the current values of the various vehicle and environment parameters. These ratings are used to assign a real-time ASIL value, which in turn determines the tactical decisions taken to lower the ASIL value in real time by altering the functional (operational) capability of the system. The framework is illustrated with a case study based on a combined Adaptive Cruise Control (ACC) and Autonomous Emergency Braking (AEB) system.

    Towards increased reliability by objectification of Hazard Analysis and Risk Assessment (HARA) of automated automotive systems

    Hazard Analysis and Risk Assessment (HARA) in domains such as automotive, aviation and the process industry suffers from issues of validity and reliability. While there has been an increasing appreciation of this subject, there have been few approaches to overcoming these issues. In the automotive domain, HARA is governed by the international standard ISO 26262, which details the functional safety of road vehicles. While ISO 26262 was a major step towards analysing hazards and risks, it is, like the other domains, also plagued by reliability issues. In this paper, the authors discuss the automotive HARA process. While exposing the reliability challenges of the HARA process detailed by the standard, the authors present an approach to overcoming them. The approach creates a rule-set for automotive HARA that determines the Automotive Safety Integrity Level (ASIL) by parametrizing the individual components of an automotive HARA, i.e., severity, exposure and controllability. The initial rule-set was put to the test in a workshop with international functional safety experts as participants, in an experiment where rules were provided for the severity and controllability ratings. Based on the qualitative results of the experiments, the rule-set was re-calibrated. The proposed rule-set-based HARA approach demonstrated a reduction in variation. The caveat is that the rule-set needs to be exhaustive, or sufficiently explained, to avoid any degree of subjective interpretation, which is a source of variation and unreliability.
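Both this abstract and the first one above turn on the same mechanism: severity, exposure and controllability ratings derived from parameters by a rule-set, combined into an ASIL, and (in the first paper) re-evaluated at run time to pick a tactical measure that lowers it. The following is an added Python example, not code from either paper. Only the ASIL table is taken from ISO 26262-3; the thresholds on closing speed and time-to-collision, the exposure input and the ACC/AEB-style operating modes are assumptions made for this illustration.

```python
"""ASIL determination from parametrised S/E/C ratings, plus a real-time loop
that restricts functional capability until the situation's ASIL meets a target.

Added illustration; not code from either paper. Only the ASIL table is from
ISO 26262-3. The rules deriving S and C from closing speed and time-to-collision,
the exposure input and the operating modes are assumptions for this example."""

from dataclasses import dataclass, replace

ASIL_LEVELS = ("QM", "A", "B", "C", "D")


def asil(severity: int, exposure: int, controllability: int) -> str:
    """ISO 26262-3 ASIL table. A rating of 0 (S0/E0/C0) means QM; otherwise the
    table is exactly max(0, S + E + C - 6) mapped onto QM, A, B, C, D."""
    if not (0 <= severity <= 3 and 0 <= exposure <= 4 and 0 <= controllability <= 3):
        raise ValueError("rating out of range")
    if 0 in (severity, exposure, controllability):
        return "QM"
    return ASIL_LEVELS[max(0, severity + exposure + controllability - 6)]


@dataclass(frozen=True)
class Situation:
    ego_speed_kmh: float
    lead_speed_kmh: float
    gap_m: float
    exposure: int  # E rating of the driving situation; assumed supplied by the ODD/scenario


def closing_speed_kmh(s: Situation) -> float:
    return max(0.0, s.ego_speed_kmh - s.lead_speed_kmh)


def time_to_collision_s(s: Situation) -> float:
    v = closing_speed_kmh(s) / 3.6
    return float("inf") if v <= 0 else s.gap_m / v


def severity_rating(s: Situation) -> int:
    """Assumed rule: severity from closing speed at impact (proxy for crash energy)."""
    dv = closing_speed_kmh(s)
    if dv < 5:
        return 0
    if dv < 20:
        return 1
    if dv < 40:
        return 2
    return 3


def controllability_rating(s: Situation) -> int:
    """Assumed rule: controllability from time-to-collision."""
    ttc = time_to_collision_s(s)
    if ttc > 3.0:
        return 1
    if ttc > 1.5:
        return 2
    return 3


def situation_asil(s: Situation) -> str:
    return asil(severity_rating(s), s.exposure, controllability_rating(s))


def _cap_closing(limit_kmh: float):
    """Tactical measure: cap the ego set speed at lead speed + limit (assumed effect)."""
    return lambda s: replace(s, ego_speed_kmh=min(s.ego_speed_kmh, s.lead_speed_kmh + limit_kmh))


# Operating modes from least to most restrictive functional capability.
MODES = [
    ("acc_aeb_full", lambda s: s),
    ("acc_cap_closing_30", _cap_closing(30.0)),
    ("acc_cap_closing_15", _cap_closing(15.0)),
    ("follow_lead_speed", _cap_closing(0.0)),
]


def select_mode(s: Situation, target: str):
    """Least restrictive mode whose resulting real-time ASIL is <= target.
    Returns (mode name, ASIL reached); the last mode is returned if none meets the target."""
    limit = ASIL_LEVELS.index(target)
    chosen = None
    for name, apply_mode in MODES:
        level = situation_asil(apply_mode(s))
        chosen = (name, level)
        if ASIL_LEVELS.index(level) <= limit:
            break
    return chosen


if __name__ == "__main__":
    # Constructed situation: ego at 120 km/h closing on a 70 km/h lead 40 m ahead, high exposure.
    sit = Situation(ego_speed_kmh=120, lead_speed_kmh=70, gap_m=40, exposure=4)
    print("current ASIL:", situation_asil(sit))
    print("mode for target B:", select_mode(sit, "B"))
```

In the constructed situation the unrestricted mode rates S3/E4/C2, i.e. ASIL C; capping the closing speed at 30 km/h lowers severity to S2 and stretches the time-to-collision past 3 s (C1), so the loop stops at that mode with ASIL A rather than jumping straight to the most restrictive one.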

    Towards a Common Software/Hardware Methodology for Future Advanced Driver Assistance Systems

    The European research project DESERVE (DEvelopment platform for Safe and Efficient dRiVE, 2012-2015) aimed to design and develop a platform tool that copes with the continuously increasing complexity of future embedded Advanced Driver Assistance Systems (ADAS) and the simultaneous need to reduce their cost. For this purpose, the DESERVE platform profits from cross-domain software reuse, standardization of automotive software component interfaces, and easy but safety-compliant integration of heterogeneous modules. This enables the development of a new generation of ADAS applications that combine different functions, sensors, actuators, hardware platforms and Human Machine Interfaces (HMI). This book presents the results of the DESERVE project concerning the ADAS development platform, test-case functions, and the validation and evaluation of different approaches. The reader is invited to substantiate the content of this book with the deliverables published during the DESERVE project. Technical topics discussed in this book include modern ADAS development platforms, design space exploration, driving modelling, video-based and radar-based ADAS functions, HMI for ADAS, and a vehicle-hardware-in-the-loop validation system.

    Review of Fault Mitigation Approaches for Deep Neural Networks for Computer Vision in Autonomous Driving

    The aim of this work is to identify and present the challenges and risks related to the use of DNNs in computer vision for autonomous driving. One of today's major technological challenges is choosing the right technology among the abundance available on the market. Specifically, this thesis collects a synopsis of the state-of-the-art architectures, techniques and methodologies adopted for building fault-tolerant hardware and ensuring robustness in DNN-based computer vision applications for autonomous driving.

    Timing in Technical Safety Requirements for System Designs with Heterogeneous Criticality Requirements (Timing in Technischen Sicherheitsanforderungen für Systementwürfe mit heterogenen Kritikalitätsanforderungen)

    Traditionally, timing requirements as (technical) safety requirements have been avoided through clever functional designs. New vehicle automation concepts and other applications, however, make this harder or even impossible and challenge design automation for cyber-physical systems to provide a solution. This thesis takes up this challenge by introducing a cross-layer dependency analysis that relates timing dependencies in the bounded execution time (BET) model to the functional model of the artifact. In doing so, the analysis is able to reveal where timing dependencies may violate freedom-from-interference requirements on the functional layer and other intermediate model layers. For design automation this leaves the challenge of how such dependencies can be avoided, or at least bounded, so that the design is feasible. The results are synthesis strategies for implementation requirements and a system-level placement strategy for run-time measures that avoid the potentially catastrophic consequences of timing dependencies which are not eliminated from the design. Their applicability is shown in experiments and case studies. However, all the proposed run-time measures, as well as very strict implementation requirements, become ever more expensive in design effort for contemporary embedded systems because of the systems' complexity.
    Hence, the second part of this thesis reflects on the design aspect rather than the analysis aspect of embedded systems and proposes a timing-predictable design paradigm based on System-Level Logical Execution Time (SL-LET). Leveraging a timing-design model in SL-LET, the methods from the first part can now be applied to improve the quality of a design: timing error handling can be separated from the run-time methods and from the implementation requirements intended to guarantee them. The thesis therefore introduces timing diversity as a timing-predictable execution scheme that handles timing errors without having to deal with them in the implemented application. An automotive 3D-perception case study demonstrates the applicability of timing diversity to ensure predictable end-to-end timing while masking certain types of timing errors.
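As an added illustration of the LET idea the thesis builds on (not the thesis's own dependency analysis, its SL-LET design model or its timing-diversity mechanism), the following Python script compares the data age a consumer observes under bounded execution time, where a job's output appears whenever it happens to finish, with LET, where the output appears at a fixed logical instant regardless of the actual run time. Periods, the sampling offset, the constructed execution-time traces and the hold-last-value policy on an overrun are assumptions made for this example.

```python
"""Data-age jitter of a periodic producer/consumer pair under bounded execution
time (BET) versus Logical Execution Time (LET).

Added example of the LET idea; not the thesis's analysis, SL-LET model or
timing-diversity mechanism. Periods, offset, traces and the hold-last-value
overrun policy are assumptions."""

PERIOD_MS = 10        # producer period and, under LET, its logical execution time
READ_OFFSET_MS = 5    # consumer samples the producer's newest output at this offset


def _ages(publications, n_periods):
    """publications: (visible_at_ms, release_of_producing_job_ms) pairs.
    For each consumer read, return the age of the newest visible sample (read
    time minus the release time of the job that produced it), or None if no
    sample is visible yet."""
    ages = []
    for k in range(n_periods):
        t = k * PERIOD_MS + READ_OFFSET_MS
        visible = [rel for vis, rel in publications if vis <= t]
        ages.append(t - max(visible) if visible else None)
    return ages


def bet_publications(exec_times_ms):
    """BET: job k's output becomes visible as soon as it finishes, at
    release + execution time, so the instant depends on the actual run time."""
    return [(k * PERIOD_MS + c, k * PERIOD_MS) for k, c in enumerate(exec_times_ms)]


def let_publications(exec_times_ms):
    """LET: job k's output becomes visible at the end of its LET interval,
    (k+1)*PERIOD, no matter how long it ran, provided it finished in time.
    A job that overruns its LET is a timing error: it is reported and the
    previous output is held (assumed policy), so update instants stay fixed.
    Returns (publications, indices of overrunning jobs)."""
    pubs, overruns, last_release = [], [], None
    for k, c in enumerate(exec_times_ms):
        release, visible = k * PERIOD_MS, (k + 1) * PERIOD_MS
        if c > PERIOD_MS:
            overruns.append(k)
            if last_release is not None:
                pubs.append((visible, last_release))
        else:
            last_release = release
            pubs.append((visible, release))
    return pubs, overruns


def compare(exec_times_ms):
    """Per-period data ages seen by the consumer under both models."""
    bet = _ages(bet_publications(exec_times_ms), len(exec_times_ms))
    let_pubs, overruns = let_publications(exec_times_ms)
    let = _ages(let_pubs, len(exec_times_ms))
    return {"bet_ages": bet, "let_ages": let, "let_overruns": overruns}


if __name__ == "__main__":
    # Constructed trace: run times vary between 2 and 8 ms, all within the 10 ms bound.
    print(compare([3, 7, 4, 8, 2, 6]))
    # Constructed trace with one overrun (12 ms > LET) in the second period.
    print(compare([3, 12, 4]))
```

With the first trace the BET ages alternate between 5 and 15 ms depending on whether the job finished before the consumer's read, which is exactly the timing dependency between two otherwise functionally independent tasks; under LET the age is a constant 15 ms. With the second trace LET reports the overrunning job and the consumer sees a stale but deterministically timed sample, whereas under BET the late output silently shifts when the next value appears.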

    Development and experimental validation of high performance embedded intelligence and fail-operational urban surround perception solutions of the PRYSTINE project

    Automated Driving Systems (ADSs) promise a substantial reduction of human-caused road accidents while simultaneously lowering emissions, mitigating congestion, decreasing energy consumption and increasing overall productivity. However, achieving higher SAE levels of driving automation and complying with ISO 26262 Automotive Safety Integrity Levels (ASILs) C and D is a multi-disciplinary challenge that requires insights into safety-critical architectures, multi-modal perception and real-time control. This paper presents the combined effort carried out in the European H2020 ECSEL project PRYSTINE. In this paper, we (1) investigate Simplex, 1oo2D and hybrid fail-operational computing architectures, (2) devise a multi-modal perception system with fail-safety mechanisms, (3) present a passenger-vehicle-based demonstrator for low-speed autonomy and (4) propose a trust-based fusion approach validated on a heavy-duty truck.
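The Simplex architecture listed under (1) pairs an unverified high-performance controller with a simple verified baseline controller and a decision module that switches to the baseline whenever the high-performance command would leave a safety envelope from which the baseline can no longer recover. The following Python example, added here and not PRYSTINE's code, implements that switching logic for a low-speed following scenario; the kinematic model, envelope limits, assumed worst-case lead-vehicle braking and both controllers are assumptions made for the illustration.

```python
"""Simplex-style fail-operational control for a low-speed following scenario.

Added example of the Simplex pattern; not PRYSTINE's implementation. The
kinematics, envelope limits, worst-case lead braking and both controllers
are assumptions for this example."""

from dataclasses import dataclass

DT = 0.1                 # control period [s]
MAX_SPEED = 8.0          # speed cap of the low-speed demonstrator [m/s] (assumed)
MIN_GAP = 5.0            # absolute minimum distance to the lead vehicle [m]
MIN_HEADWAY = 1.5        # minimum time headway while moving [s]
ACCEL_LIMITS = (-6.0, 2.0)
LEAD_WORST_DECEL = -6.0  # assumed hardest braking the lead vehicle can do [m/s^2]
MAX_STEPS = 400          # 40 s bound on the recoverability simulation


@dataclass(frozen=True)
class State:
    speed: float        # ego speed [m/s]
    gap: float          # distance to the lead vehicle [m]
    lead_speed: float   # lead vehicle speed [m/s]


def step(s: State, ego_accel: float, lead_accel: float) -> State:
    """One Euler step of the gap kinematics; speeds never go negative."""
    v = max(0.0, s.speed + ego_accel * DT)
    vl = max(0.0, s.lead_speed + lead_accel * DT)
    gap = s.gap + ((s.lead_speed + vl) / 2 - (s.speed + v) / 2) * DT
    return State(v, gap, vl)


def inside_envelope(s: State) -> bool:
    """Safety envelope: speed cap, absolute minimum gap and minimum time headway."""
    if s.speed > MAX_SPEED or s.gap < MIN_GAP:
        return False
    return s.speed == 0 or s.gap / s.speed >= MIN_HEADWAY


def baseline_controller(s: State) -> float:
    """Verified fallback: coast, and brake at 4 m/s^2 whenever the gap drops
    below 3 s of headway (or 8 m at low speed). With these margins it keeps
    the envelope even if the lead vehicle brakes at LEAD_WORST_DECEL."""
    if s.speed > 0 and s.gap < max(3.0 * s.speed, 8.0):
        return -4.0
    return 0.0


def recoverable(s: State) -> bool:
    """Can the baseline, starting from s while the lead vehicle brakes as hard
    as assumed, stay inside the envelope until both vehicles have stopped?"""
    x = s
    for _ in range(MAX_STEPS):
        if x.speed == 0 and x.lead_speed == 0:
            return True
        x = step(x, baseline_controller(x), LEAD_WORST_DECEL)
        if not inside_envelope(x):
            return False
    return False


def decision_module(s: State, hp_accel: float):
    """Simplex switching logic. Returns (active controller, commanded accel).
    The high-performance command is accepted only if the state it produces is
    inside the envelope AND recoverable by the baseline; otherwise the
    baseline's own command is issued."""
    hp_accel = min(max(hp_accel, ACCEL_LIMITS[0]), ACCEL_LIMITS[1])
    predicted = step(s, hp_accel, 0.0)  # lead assumed to hold speed for this one step
    if inside_envelope(predicted) and recoverable(predicted):
        return "high_performance", hp_accel
    return "baseline", baseline_controller(s)


if __name__ == "__main__":
    # Constructed states: comfortable following, speed-cap violation, and a
    # state that is inside the envelope but from which the baseline cannot recover.
    print(decision_module(State(5.0, 30.0, 5.0), 1.0))
    print(decision_module(State(7.95, 30.0, 7.95), 2.0))
    print(decision_module(State(2.0, 5.0, 2.0), 0.0))
```

The third constructed state is the interesting one: the high-performance command keeps the next state inside the envelope, yet the decision module still hands over, because once the lead vehicle brakes the baseline would drop below the minimum gap. Checking recoverability rather than only the envelope is what makes the switch early enough for the baseline to matter.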

    Robust and secure resource management for automotive cyber-physical systems

    Spring 2022. Includes bibliographical references.
    Modern vehicles are examples of complex cyber-physical systems with tens to hundreds of interconnected Electronic Control Units (ECUs) that manage the various vehicular subsystems. With the shift towards autonomous driving, emerging vehicles are characterized by an increase in the number of hardware ECUs, greater complexity of applications (software), and more sophisticated in-vehicle networks. These advances have resulted in numerous challenges that impact the reliability, security, and real-time performance of emerging automotive systems, among them coping with computation and communication uncertainties (e.g., jitter), developing robust control software, detecting cyber-attacks, ensuring data integrity, and enabling confidentiality during communication. However, solutions to these challenges incur additional overhead, which can catastrophically delay the execution of real-time automotive tasks and message transfers. Hence, there is a need for a holistic, system-level approach to resource management in automotive cyber-physical systems that enables robust and secure automotive system design while satisfying a diverse set of system-wide constraints.
    ECUs in vehicles today run a variety of automotive applications, ranging from simple window control to highly complex Advanced Driver Assistance System (ADAS) applications. The aggressive attempts of automakers to make vehicles fully autonomous have increased the complexity and data-rate requirements of applications and have further led to the adoption of advanced artificial intelligence (AI) based techniques for improved perception and control. Additionally, modern vehicles are becoming increasingly connected with various external systems to realize more robust vehicle autonomy. These paradigm shifts have resulted in significant overheads on resource-constrained ECUs and have increased the complexity of the overall automotive system (including heterogeneous ECUs, network architectures, communication protocols, and applications), with severe performance and safety implications for modern vehicles. The increased complexity introduces computation and communication uncertainties in automotive subsystems that can delay applications and messages, resulting in missed real-time deadlines. Missing deadlines for safety-critical automotive applications can be catastrophic, and this problem will be further aggravated in future autonomous vehicles. Additionally, due to the harsh operating conditions of automotive embedded systems (such as high temperatures, vibrations, and electromagnetic interference (EMI)), there is a significant risk to the integrity of the data exchanged between ECUs, which can lead to faulty vehicle control. These challenges demand a more reliable design of automotive systems that is resilient to uncertainties and supports data-integrity goals. Furthermore, the increased connectivity of modern vehicles has made them highly vulnerable to various kinds of sophisticated security attacks. Hence, it is also vital to ensure the security of automotive systems, and this will become crucial as connected and autonomous vehicles become more ubiquitous. However, imposing security mechanisms on resource-constrained automotive systems can result in additional computation and communication overhead, potentially leading to further missed deadlines. Therefore, it is crucial to design techniques that incur very little overhead (lightweight) when pursuing the above goals, so that the real-time performance of the system is preserved.
    We address these issues by designing a holistic resource management framework called ROSETTA that enables robust and secure automotive cyber-physical system design while satisfying a diverse set of constraints related to reliability, security, real-time performance, and energy consumption. To achieve the reliability goals, we have developed several techniques for reliability-aware scheduling and multi-level monitoring of signal integrity. To achieve the security objectives, we have proposed a lightweight security framework that provides confidentiality and authenticity while meeting both security and real-time constraints. We have also introduced multiple deep-learning-based intrusion detection systems (IDS) to monitor and detect cyber-attacks in the in-vehicle network. Lastly, we have introduced novel techniques for jitter management and security management and deployed lightweight IDSs on resource-constrained automotive ECUs while ensuring the real-time performance of the automotive systems.
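The abstract names the goal of its lightweight security framework, authenticity with minimal overhead on resource-constrained ECUs, without specifying the mechanism. The following added Python example (not the ROSETTA framework) shows the pattern commonly used for this on classic CAN, in the style of AUTOSAR SecOC: a truncated MAC and a truncated freshness counter fitted into an 8-byte payload, with the receiver reconstructing the full counter and rejecting replays. It covers authenticity and freshness only, not confidentiality; the key, CAN ID, field split (4 data, 1 freshness, 3 MAC bytes) and the acceptance window are assumptions.

```python
"""Authenticity and replay protection for 8-byte CAN-style frames using a
truncated MAC and a truncated freshness counter (SecOC-style).

Added example; not the ROSETTA framework. Key, CAN ID, field split and the
acceptance window are assumptions. Authenticity/freshness only."""

import hashlib
import hmac
import struct

FRESHNESS_BITS = 24        # full freshness counter kept on both sides
DATA_LEN = 4               # application payload bytes per frame
MAC_TRUNC = 3              # MAC bytes carried on the bus (24 bits)
FRAME_LEN = 8              # classic CAN payload size

# Constructed demo key; in a vehicle this comes from the HSM / key store.
DEMO_KEY = bytes(range(16))


def _tag(key: bytes, can_id: int, freshness: int, data: bytes) -> bytes:
    """HMAC-SHA256 over CAN ID, the *full* freshness value and the data,
    truncated to MAC_TRUNC bytes. The whole counter is authenticated even
    though only its low byte is transmitted."""
    msg = struct.pack(">II", can_id, freshness) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_TRUNC]


class Sender:
    def __init__(self, key: bytes, can_id: int):
        self.key, self.can_id, self.freshness = key, can_id, 0

    def build(self, data: bytes) -> bytes:
        """data || low byte of freshness || truncated MAC  (4 + 1 + 3 = 8 bytes)."""
        if len(data) != DATA_LEN:
            raise ValueError("payload must be %d bytes" % DATA_LEN)
        self.freshness = (self.freshness + 1) % (1 << FRESHNESS_BITS)
        tag = _tag(self.key, self.can_id, self.freshness, data)
        return data + bytes([self.freshness & 0xFF]) + tag


class Receiver:
    def __init__(self, key: bytes, can_id: int, window: int = 16):
        self.key, self.can_id, self.window = key, can_id, window
        self.last_accepted = 0

    def verify(self, frame: bytes):
        """Return the data if the frame is authentic and fresh, else None."""
        if len(frame) != FRAME_LEN:
            return None
        data, low_byte, tag = frame[:DATA_LEN], frame[DATA_LEN], frame[DATA_LEN + 1:]
        # Reconstruct the smallest full counter above last_accepted whose low
        # byte matches; tolerate up to `window` lost frames in between.
        base = self.last_accepted + 1
        candidate = (base & ~0xFF) | low_byte
        if candidate < base:
            candidate += 0x100
        if candidate - self.last_accepted > self.window:
            return None                      # replayed old frame or too far ahead
        candidate %= 1 << FRESHNESS_BITS
        if not hmac.compare_digest(_tag(self.key, self.can_id, candidate, data), tag):
            return None                      # forged, tampered, or wrong counter
        self.last_accepted = candidate       # advance only after a valid MAC
        return data


if __name__ == "__main__":
    tx, rx = Sender(DEMO_KEY, 0x123), Receiver(DEMO_KEY, 0x123)
    frame = tx.build(b"\x01\x02\x03\x04")   # constructed payload
    print(frame.hex(), rx.verify(frame), rx.verify(frame))  # second verify is a replay
```

A 24-bit tag leaves a blind forgery a 2^-24 chance per attempt, which is only acceptable because the bus rate bounds how many attempts an attacker gets; a replayed frame fails either the window check or, if its low counter byte happens to fall inside the window, the MAC, since the authenticated full counter differs. The receiver advances its counter only after a successful MAC check so a tampered frame cannot push it forward.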

    Testing automated driving systems to calibrate drivers’ trust

    Automated Driving Systems (ADSs) offer many potential benefits such as improved safety, reduced traffic congestion and lower emissions. However, such benefits can only be realised if drivers trust and make use of such systems. The two challenges explored in this thesis are: 1) How can trust in ADSs be increased? 2) How can the test scenarios that establish the true capabilities and limitations of ADSs be identified? Firstly, drivers' trust needs to be calibrated to the "appropriate" level to prevent misuse (due to overtrust) or disuse (due to undertrust) of the system. In this research, a method to calibrate drivers' trust to the appropriate level has been created. This method involves providing the driver with knowledge of the capabilities and limitations of the ADS. That knowledge, however, must first be established. Therefore, the next research contribution lies in the development of a novel method to establish the capabilities and limitations of ADSs (used to calibrate trust) in a reliable manner. This knowledge can be created by testing ADSs, but an open research question remains in the literature: how can test scenarios that highlight the limitations of ADSs be identified? To identify such scenarios, a novel hazard-based testing approach to establishing the capabilities and limitations of ADSs is presented, extending STPA (a hazard identification method) to create test scenarios. To ensure the reliability of the hazard classification (and of the resulting knowledge), the author created a novel objective approach to risk classification by creating a rule-set for risk ratings. The contribution of this research lies in developing a method to increase trust in ADSs by creating reliable knowledge through a hazard-based testing approach that identifies how an ADS can fail.

    Trajectory planning based on adaptive model predictive control: Study of the performance of an autonomous vehicle in critical highway scenarios

    Increasing automation in the automotive industry is an important contribution to overcoming many major societal challenges. However, testing and validating a highly autonomous vehicle is one of the biggest obstacles to the deployment of such vehicles, since they rely on data-driven and real-time sensors, actuators, complex algorithms, machine learning systems and powerful processors to execute software, and they must be proven to be reliable and safe. For this reason, the verification, validation and testing (VVT) of autonomous vehicles is gaining interest and attention in the scientific community, and there have been a number of significant efforts in this field. VVT helps developers and testers to uncover hidden faults, increasing confidence in the system's safety, security and functional behaviour, and in the ability to integrate autonomous prototypes into existing road networks. Other stakeholders such as senior management, public authorities and the public are also crucial to completing the VVT process. As autonomous vehicles require hundreds of millions of kilometres of testing on public roads before vehicle certification, simulation is playing a key role: it allows millions of real-life scenarios to be tested virtually, increasing safety and reducing cost, time and the need for physical road tests. In this study, a literature review is conducted to classify approaches to VVT, and an existing simulation tool is used to implement an autonomous driving system. The system is characterised in terms of its performance in some critical highway scenarios.