Novel Validation Techniques for Autonomous Vehicles

L'abstract è presente nell'allegato / the abstract is in the attachmen

Novel Validation Techniques for Autonomous Vehicles

The automotive industry is facing challenges in producing electrical, connected, and autonomous vehicles. Even if these challenges are, from a technical point of view, independent from each other, the market and regulatory bodies require them to be developed and integrated simultaneously. The development of autonomous vehicles implies the development of highly dependable systems. This is a multidisciplinary activity involving knowledge from robotics, computer science, electrical and mechanical engineering, psychology, social studies, and ethics. Nowadays, many Advanced Driver Assistance Systems (ADAS), like Emergency Braking System, Lane Keep Assistant, and Park Assist, are available. Newer luxury cars can drive by themselves on highways or park automatically, but the end goal is to develop completely autonomous driving vehicles, able to go by themselves, without needing human interventions in any situation. The more vehicles become autonomous, the greater the difficulty in keeping them reliable. It enhances the challenges in terms of development processes since their misbehaviors can lead to catastrophic consequences and, differently from the past, there is no more a human driver to mitigate the effects of erroneous behaviors. Primary threats to dependability come from three sources: misuse from the drivers, design systematic errors, and random hardware failures. These safety threats are addressed under various aspects, considering the particular type of item to be designed. In particular, for the sake of this work, we analyze those related to Functional Safety (FuSa), viewed as the ability of a system to react on time and in the proper way to the external environment. From the technological point of view, these behaviors are implemented by electrical and electronic items. Various standards to achieve FuSa have been released over the years. The first, released in 1998, was the IEC 61508. Its last version is the one released in 2010. This standard defines mainly: • a Functional Safety Management System (FSMS); • methods to determine a Safety Integrated Level (SIL); • methods to determine the probability of failures. To adapt the IEC61508 to the automotive industry’s peculiarity, a newer standard, the ISO26262, was released in 2011 then updated in 2018. This standard provides guidelines about FSMS, called in this case Safety Lifecycle, describing how to develop software and hardware components suitable for functional safety. It also provides a different way to compute the SIL, called in this case Automotive SIL (ASIL), allowing us to consider the average driver’s abilities to control the vehicle in case of failures. Moreover, it describes a way to determine the probability of random hardware failures through Failure Mode, Effects, and Diagnostic Analysis (FMEDA). This dissertation contains contributions to three topics: • random hardware failures mitigation; • improvementoftheISO26262HazardAnalysisandRiskAssessment(HARA); • real-time verification of the embedded software. As the main contribution of this dissertation, I address the safety threats due to random hardware failures (RHFs). For this purpose, I propose a novel simulation-based approach to aid the Failure Mode, Effects, and Diagnostic Analysis (FMEDA) required by the ISO26262 standard. Thanks to a SPICE-level model of the item, and the adoption of fault injection techniques, it is possible to simulate its behaviors obtaining useful information to classify the various failure modes. The proposed approach evolved from a mere simulation of the item, allowing only an item-level failure mode classification up to a vehicle-level analysis. The propagation of the failure modes’ effects on the whole vehicle enables us to assess the impacts on the vehicle’s drivability, improving the quality of the classifications. It can be advantageous where it is difficult to predict how the item-level misbehaviors propagate to the vehicle level, as in the case of a virtual differential gear or the mobility system of a robot. It has been chosen since it can be considered similar to the novel light vehicles, such as electric scooters, that are becoming more and more popular. Moreover, my research group has complete access to its design since it is realized by our university’s DIANA students’ team. When a SPICE-level simulation is too long to be performed, or it is not possible to develop a complete model of the item due to intellectual property protection rules, it is possible to aid this process through behavioral models of the item. A simulation of this kind has been performed on a mobile robotic system. Behavioral models of the electronic components were used, alongside mechanical simulations, to assess the software failure mitigation capabilities. Another contribution has been obtained by modifying the main one. The idea was to make it possible to aid also the Hazard Analysis and Risk Assessment (HARA). This assessment is performed during the concept phase, so before starting to design the item implementation. Its goal is to determine the hazards involved in the item functionality and their associated levels of risk. The end goal of this phase is a list of safety goals. For each one of these safety goals, an ASIL has to be determined. Since HARA relies only on designers expertise and knowledge, it lacks in objectivity and repeatability. Thanks to the simulation results, it is possible to predict the effects of the failures on the vehicle’s drivability, allowing us to improve the severity and controllability assessment, thus improving the objectivity. Moreover, since simulation conditions can be stored, it is possible, at any time, to recheck the results and to add new scenarios, improving the repeatability. The third group of contributions is about the real-time verification of embedded software. Through Hardware-In-the-Loop (HIL), a software integration verification has been performed to test a fundamental automotive component, mixed-criticality applications, and multi-agent robots. The first of these contributions is about real-time tests on Body Control Modules (BCM). These modules manage various electronic accessories in the vehicle’s body, like power windows and mirrors, air conditioning, immobilizer, central locking. The main characteristics of BCMs are the communications with other embedded computers via the car’s vehicle bus (Controller Area Network) and to have a high number (hundreds) of low-speed I/Os. As the second contribution, I propose a methodology to assess the error recovery system’s effects on mixed-criticality applications regarding deadline misses. The system runs two tasks: a critical airplane longitudinal control and a non-critical image compression algorithm. I start by presenting the approach on a benchmark application containing an instrumented bug into the lower criticality task; then, we improved it by injecting random errors inside the lower criticality task’s memory space through a debugger. In the latter case, thanks to the HIL, it is possible to pause the time domain simulation when the debugger operates and resume it once the injection is complete. In this way, it is possible to interact with the target without interfering with the simulation results, combining a full control of the target with an accurate time-domain assessment. The last contribution of this third group is about a methodology to verify, on multi-agent robots, the synchronization between two agents in charge to move the end effector of a delta robot: the correct position and speed of the end effector at any time is strongly affected by a loss of synchronization. The last two contributions may seem unrelated to the automotive industry, but interest in these applications is gaining. Mixed-criticality systems allow reducing the number of ECUs inside cars (for cost reduction), while the multi-agent approach is helpful to improve the cooperation of the connected cars with respect to other vehicles and the infrastructure. The fourth contribution, contained in the appendix, is about a machine learning application to improve the social acceptance of autonomous vehicles. The idea is to improve the comfort of the passengers by recognizing their emotions. I started with the idea to modify the vehicle’s driving style based on a real-time emotions recognition system but, due to the difficulties of performing such operations in an experimental setup, I move to analyze them offline. The emotions are determined on volunteers’ facial expressions recorded while viewing 3D representa- tions showing different calibrations. Thanks to the passengers’ emotional responses, it is possible to choose the better calibration from the comfort point of view

A simulation-based methodology for aiding advanced driver assistance systems hazard analysis and risk assessment

The increasing complexity of the Advanced Driver Assistance Systems (ADAS) is making more difficult to perform the Hazard Analysis and Risk Assessment (HARA). These items require high-performance Electronic Control Units (ECU) with extensive software functionalities. To correctly operate they interact with the driver, environment and other vehicle functions through high-speed in-vehicle networks, as well as a wide range of sensors and actuators. As a result, they implement complex behaviors whose outcome in presence of faults is not trivial to identify and classify as requested by the concept phase included in the most recent functional safety standards. In this paper we present a simulation-based methodology to perform the HARA of a vehicle function by mixing the usual industrial approach, based on the designers' knowledge, with one that makes use of a vehicle-level simulator. The simulation-based approach provides an automatic and systematic method to assess the complex interaction of the item under analysis with other vehicle functions in possibly complex operational situations, thus making the prediction of hazards easier. We choose to demonstrate the approach by applying it to a well-known automotive industry case study: an Advanced Emergency Braking System (AEBS). In this way, it is possible to analyze the effects of the function provided by the item, keeping into account the simulations results and comparing them to similar situations analysis available in literature. Thanks to the obtained simulation-based results, safety engineers can formulate a more objective hypothesis, in particular during the hazard classification subphase

A Novel ISO 26262-Compliant Test Bench to Assess the Diagnostic Coverage of Software Hardening Techniques against Digital Components Random Hardware Failures

This paper describes a novel approach to assess detection mechanisms and their diagnostic coverage, implemented using embedded software, designed to identify random hardware failures affecting digital components. In the literature, many proposals adopting fault injection methods are available, with most of them focusing on transient faults and not considering the functional safety standards requirements. This kind of proposal can benefit developers involved in the automotive market, where strict safety and cost requirements make the adoption of software-only strategies convenient. Hence, we have focused our efforts on compliance with the ISO 26262 automotive functional safety standard. The approach concerns permanent faults affecting microcontrollers and it provides a mapping between the failure mode described in part 11 of the Standard and the chosen fault models. We propose a test bench designed to inject permanent failures into an emulated microcontroller and determine which of them are detected by the embedded software. The main contribution of this paper is a novel fault injection manager integrated with the open-source software GCC, GDB, and QEMU. This test bench manages all the assessment phases, from fault generation to fault injection and the ISA emulation management, up to the classification of the simulation results

Novel Control Flow Checking Implementations for Automotive Software

Safety-critical applications shall be implemented on highly dependable systems, and a part of their reliability is based on checking if the software is executed correctly. Various techniques are available for this purpose, like Control Flow Checking (CFC). Many CFC algorithms can be found in the literature, but their detection performances are assessed in theoretical scenarios, when implemented in Assembly language. The international standard on functional safety for automotive applications is ISO26262. It mandates to develop using high-level programming languages and the computation of the Diagnostic Coverage (DC). The DC measures the effectiveness of the chosen hardening method, in order to detect various Failure Modes (FMs). This paper discusses two alternative solutions, one software-only, and the other involving customized hardware, for these concerns: (i) address the FMs affecting the computation units described by Table 30 of part 11 of the ISO26262 (ii) guarantee the Freedom From Interference between the hardening method and the monitored entity

Use of Facial Expressions to Improve the Social Acceptance of Level 4 and 5 Automated Driving System Equipped Vehicles

According to the World Health Organization (WHO), more than one million people die yearly from car accidents. At the same time, between 20 and 50 million people suffer non-fatal injuries, which can also lead to permanent disabilities. Recently, vehicles equipped with SAE level 3, 4, and 5 Automated Driving System (ADS) have become one of the hottest topics in the automotive industry. In fact, their main expected benefit is that they could significantly reduce the number of road accidents. Their actual success will depend on how people react to their introduction: considering that the absence of the steering wheel and pedals is possible for levels 4 and 5, will people trust these advanced forms of driving automation? In this regard, the authors of this paper have proposed two different ideas. The first, which can be implemented during the proactive phase, consists in calibrating the driving algorithm of the vehicle based on the volunteers’ reaction to simulations of common driving situations. The second, which can be implemented during the reactive phase, consists in dynamically adapting the driving style of the vehicle based on the average feeling inside the vehicle. Both of these ideas could help improve social acceptance and facilitate the transition to vehicles equipped with SAE level 4 and 5 ADS

Multilevel Simulation Methodology for FMECA Study Applied to a Complex Cyber-Physical System

Complex systems are composed of numerous interconnected subsystems, each designed to perform specific functions. The different subsystems use many technological items that work together, as for the case of cyber-physical systems. Typically, a cyber-physical system is composed of different mechanical actuators driven by electrical power devices and monitored by sensors. Several approaches are available for designing and validating complex systems, and among them, behavioral-level modeling is becoming one of the most popular. When such cyber-physical systems are employed in mission- or safety-critical applications, it is mandatory to understand the impacts of faults on them and how failures in subsystems can propagate through the overall system. In this paper, we propose a methodology for supporting the failure mode, effects, and criticality analysis (FMECA) aimed at identifying the critical faults and assessing their effects on the overall system. The end goal is to analyze how a fault affecting a single subsystem possibly propagates through the whole cyber-physical system, considering also the embedded software and the mechanical elements. In particular, our approach allows the analysis of the propagation through the whole system (working at high level) of a fault injected at low level. This paper provides a solution to automate the FMECA process (until now mainly performed manually) for complex cyber-physical systems. It improves the failure classification effectiveness: considering our test case, it reduced the number of critical faults from 10 to 6. The remaining four faults are mitigated by the cyber-physical system architecture. The proposed approach has been tested on a real cyber-physical system in charge of driving a three-phase motor for industrial compressors, showing its feasibility and effectiveness

Automatic Emotion Recognition for the Calibration of Autonomous Driving Functions

The development of autonomous driving cars is a complex activity, which poses challenges about ethics, safety, cybersecurity, and social acceptance. The latter, in particular, poses new problems since passengers are used to manually driven vehicles; hence, they need to move their trust from a person to a computer. To smooth the transition towards autonomous vehicles, a delicate calibration of the driving functions should be performed, making the automation decision closest to the passengers’ expectations. The complexity of this calibration lies in the presence of a person in the loop: different settings of a given algorithm should be evaluated by assessing the human reaction to the vehicle decisions. With this work, we for an objective method to classify the people’s reaction to vehicle decisions. By adopting machine learning techniques, it is possible to analyze the passengers’ emotions while driving with alternative vehicle calibrations. Through the analysis of these emotions, it is possible to obtain an objective metric about the comfort feeling of the passengers. As a result, we developed a proof-of-concept implementation of a simple, yet effective, emotions recognition system. It can be deployed either into real vehicles or simulators, during the driving functions calibration

Effectiveness of Control Flow Checking Algorithms Using a Model-Based Software Design Approach: An Empirical Study

Many software-implemented control flow error de- tection techniques have been proposed over the years. However, applying these approaches can be difficult because their respec- tive literature gives little guidance on the practical implemen- tation in high-level programming languages, and they have to be implemented in low-level code, e.g., assembly. Moreover, the current trend in the automotive industry is to adopt the so-called Model-Based Software Design, where an executable algorithm model is automatically translated into C or C++ source code. This paper presents experimental data, compliant with the ISO26262 automotive functional safety standard, on the capabilities of Control Flow Checking (CFC) algorithms, implemented in the model and then automatically generated. The assessment was performed using a novel fault injection environment targeting a RISC-V (RV32I) microcontroller