Page 1
FUNCTIONAL SAFETY FOR AUTONOMOUS DRIVING
Dr. Justyna Zander, NVIDIA | January 30, 2017
IS&T Int. Symposium on Electronic Imaging 2017; Autonomous Vehicles and Machines 2017; 29 January - 2 February, 2017 • Burlingame, CA, USA
Page 2
FULL AUTONOMY WITH FUNCTIONAL SAFETY
Automated Driving Assistance Systems ERA: Machine monitors human (Great)
Prototypical Autonomy ERA: Self-driving prototypes (Very limited in use)
Safe and Certified Autonomous Driving ERA: AI-based machine in control (Amazing!)
Page 3
FUNCTIONAL SAFETY: A TECHNICAL TERM
The objective of functional safety is freedom from unacceptable risk of physical injury or of damage to the health of people either directly or indirectly (through damage to property or to the environment).
Functional safety is intrinsically end-to-end in scope in that it has to treat the function of a component or subsystem as part of the function of the whole system.
Functional Safety is the absence of unreasonable risk due to hazards caused by malfunctioning behavior of electrical and electronic systems.
Source: ISO 26262-1:2011, “Road vehicles - Functional safety - Part 1: Vocabulary.”
Page 4
FUNCTIONAL SAFETY HIGHLIGHTS
Development Process: Traceable processes and certifiable coding are complex
Classified Tools: Tools require ISO 26262 qualification
Functional Safety Design: Safety design must be included in the system-level design
Source: ISO 26262-1-10:2011/2012, “Road vehicles - Functional safety - Part 3 to Part 10.”
Page 5
AUTONOMOUS DRIVING PIPELINE
SENSE | PERCEIVE | LOCALIZE | MAP | PLAN | CONTROL
Page 6
END-TO-END DEEP LEARNING PLATFORM FOR SELF-DRIVING CARS
NVIDIA® DRIVE™ PX 2 | NVIDIA® Xavier | NVIDIA® DGX-1™ | NVIDIA® DIGITS
NVIDIA® DriveWorks (DRIVEWORKS): Perception | Localization | Planning | Visualization
Page 7
COMBO: 3D VEHICLE, LANES, OPEN ROAD
Page 8
VEHICLE DETECTION IN BAD WEATHER
based on modified CityScapes dataset
Courtesy of Audi
Page 9
NVIDIA® DRIVE™ PX 2
12 CPU cores | Pascal GPU | 8 TFLOPS | 24 DL TOPS | 16nm FF | 250W
World’s First AI Supercomputer for Self-Driving Cars
Page 10
NVIDIA DRIVEWORKS SOFTWARE STACK
HW: Cameras | Other Sensors
SDK: V4L | NVMEDIA | OpenGL ES, CUDA | cuDNN
DriveWorks: SAL | Computer Vision Primitives | DriveWorks Modules, NVDRIVENET | DriveWorks Dataflow Layer | DriveWorks Tools
Applications: Autonomous Driving Applications
Page 11
UNINTENDED ACCELERATION
Case Study
Sudden unintended acceleration is the unintended, unexpected, uncontrolled acceleration of a vehicle, often accompanied by an apparent loss of braking effectiveness.
It may be caused by mechanical, electrical, or electronic problems, driver error (e.g., pedal misapplication), or some combination of these factors.
Page 12
UNINTENDED ACCELERATION
Case Study
Page 13
UNINTENDED ACCELERATION
Case Study
Hazard: Unintended acceleration and loss of braking effectiveness.
Safety goal: Mitigate the risk of an unintended acceleration.
Safety requirements: ???
Page 14
FAULT TREE
Unintended Acceleration
  OR
    Braking system failure
      OR
        Brake pedal failure
        Brake switch failure
    Throttle system failure
      OR
        Throttle pedal failure
        Incorrect throttle angle calculation
Page 15
UNINTENDED ACCELERATION
Case Study
Hazard: Unintended acceleration and loss of braking effectiveness.
Safety goal: Mitigate the risk of an unintended acceleration.
Safety requirements:
Vehicle longitudinal acceleration shall not exceed driver demand by 1.3 m/s² for longer than 1 s (ASIL B).
Page 16
SAFETY DESIGN PATTERN
Detect Failure | React: Mitigate | Heal
ASIL assignment
Signal Plausibility Check: throttle angle, longitudinal acceleration
Fallback Strategy
1 second … Timing!
Page 17
UNINTENDED ACCELERATION
Case Study
Hazard: Unintended acceleration and loss of braking effectiveness.
Safety goal: Mitigate the risk of an unintended acceleration.
Safety requirements:
Vehicle longitudinal acceleration shall not exceed driver demand by 1.3 m/s² for longer than 1 s (ASIL B).
Within a time budget of 1.001 s, detect the scenario where the vehicle's positive longitudinal acceleration exceeds driver demand by 1.3 m/s² for longer than 1 s.
Within a time budget of 0.1 s, mitigate to the safe state, where the safe state is: shut off the acceleration by shutting down the throttle (ASIL B).
Page 18
SAFETY DESIGN EXAMPLE FOR UNINTENDED ACCELERATION
Functionality: Determine the acceleration request | Calculate the acceleration value | Determine the throttle angle | Position the output throttle angle
Safety Design: Determine the acceleration request using additional signal | Calculate the acceleration value | Compare the acceleration calculation results | Determine the throttle angle using additional signal source | Shut down throttle
Hardware: Sensor A, Sensor B | ADC1, ADC2 | Control chip | Safety chip | Power switch
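The safety-chip logic implied by slides 16 to 18, written out as an added example (not code from the talk or from NVIDIA): two independently computed longitudinal accelerations (Sensor A via ADC1, Sensor B via ADC2) are compared for plausibility, the result is checked against the driver's demand with the 1.3 m/s² / 1 s requirement, and the throttle is shut down via a latched command. The channel tolerance of 0.5 m/s², the 1 ms cycle, and treating a channel mismatch as a detected failure are assumptions, not values from the slides.

```c
#include <stdbool.h>
#include <stdint.h>

/* Limits taken from the safety requirements on the slides (ASIL B). */
#define ACCEL_MARGIN_MPS2  1.3f   /* max allowed excess over driver demand */
#define ACCEL_WINDOW_MS    1000u  /* excess must persist longer than this  */
#define CHANNEL_TOL_MPS2   0.5f   /* assumed: max Sensor A / B mismatch    */

typedef enum { THROTTLE_NORMAL = 0, THROTTLE_SHUTDOWN = 1 } throttle_cmd_t;
typedef struct {
    bool           excess_active;    /* excess acceleration currently seen    */
    uint32_t       excess_since_ms;  /* when the current excess episode began */
    uint32_t       detected_at_ms;   /* when the monitor entered safe state   */
    throttle_cmd_t cmd;              /* latched command to the power switch   */
} safety_monitor_t;

void monitor_init(safety_monitor_t *m) {
    m->excess_active = false;
    m->excess_since_ms = m->detected_at_ms = 0;
    m->cmd = THROTTLE_NORMAL;
}

/* One cycle of the safety chip. accel_a / accel_b are the longitudinal
 * accelerations computed independently from Sensor A (ADC1) and Sensor B
 * (ADC2); demand is the driver's requested acceleration. Assumed to run
 * every millisecond so the 1.001 s detection budget can be met. */
throttle_cmd_t monitor_step(safety_monitor_t *m, uint32_t now_ms,
                            float accel_a, float accel_b, float demand) {
    if (m->cmd == THROTTLE_SHUTDOWN) return m->cmd;  /* safe state latched */
    /* Signal plausibility check: the two channels must agree. Assumed
     * fallback strategy: a mismatch is itself a detected failure. */
    float diff = accel_a - accel_b;
    if (diff < 0) diff = -diff;
    if (diff > CHANNEL_TOL_MPS2) {
        m->detected_at_ms = now_ms;
        return m->cmd = THROTTLE_SHUTDOWN;
    }
    float accel = accel_a > accel_b ? accel_a : accel_b;   /* worst case */
    if (accel - demand <= ACCEL_MARGIN_MPS2) {      /* within driver demand */
        m->excess_active = false;
        return THROTTLE_NORMAL;
    }
    if (!m->excess_active) {                        /* excess episode begins */
        m->excess_active = true;
        m->excess_since_ms = now_ms;
        return THROTTLE_NORMAL;
    }
    if (now_ms - m->excess_since_ms > ACCEL_WINDOW_MS) { /* > 1 s: react */
        m->detected_at_ms = now_ms;
        m->cmd = THROTTLE_SHUTDOWN;
    }
    return m->cmd;
}
```

A short excess that ends before the 1 s window resets the episode, so the monitor does not trip on momentary overshoot, while the latched shutdown guarantees the 0.1 s mitigation budget is not dependent on any later cycle.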
Page 19
WHAT IS NEXT?
Page 20
XAVIER
8 Core Custom ARM64 CPU
512 Core Volta GPU
Designed for ASIL D Functional Safety
30 TOPS DL | 30W
Page 21
SOFTWARE STACK – 30,000’ ROADMAP
Common foundation | OS agnostic VM services | OEM Guest OSs
Foundation - Hypervisor
Foundation Services | Comm Services | Security Services | Safety Services | Functional Safety Designs
Guest OSs: Android Guest | QNX Guest | Linux Guest
Services: Natural Language | Gesture & Facial | Surround View | Auto Pilot | Virtual Mirrors | AI Co-Pilot | More services...
Products: DRIVE CX 2 Moonracer | DRIVE CX 2 Sunstreaker | DRIVE PX 2 AutoCruise | DRIVE PX 2 AutoChauffeur | Xavier + Volta
SoC: Tegra | Tegra & dGPU
Capabilities scale with performance
Page 22
European New Car Assessment Program (EURO NCAP) 2018
Page 23
WHAT ELSE IS NEXT?
“YOUR TIME IS COMING. DO NOT BE LATE!”
Page 24
AUTONOMOUS DRIVING ECOSYSTEM
IHVs | OEMs | ISVs | Tier 1s | Researchers | SW Companies
Technology Provider (NVIDIA)
Page 25
Dr. Urs Muller
Page 27
NVIDIA DRIVEWORKS SOFTWARE STACK
Autonomous Driving Applications
NVIDIA DRIVEWORKS SDK
PERCEPTION: Segmentation | Sensor Fusion | Objects (NVDRIVENet)
LOCALIZATION: GPS Trilateration | Map Fusion | Landmarks (NVDRIVENet)
PLANNING: Mission | Trajectory | Behavior (NVDRIVENet)
VISUALIZATION
NVIDIA System Software
Page 28
AUTONOMOUS DRIVING ECOSYSTEM
DEVELOPERS (Value Creation): Researchers | ISVs | IHVs
Drive PX | DriveWorks SDK
CUSTOMERS (Demand Gen): OEMs | SW Companies | Tier 1s
Drive PX