the importance of safety on the way to automated driving · 2018-11-16 · driving –software and...

October 23, 2018

TTTech Auto AG

The importance of Safety on the way to

Automated DrivingEric Schmidt

Teamleader ‘Lead Engineering & Safety’

[email protected]

Manufacturing

Off-Highway

Energy

Automotive

The technology leader in robust

networked safety controls

Transfers proven aerospace network

technology to mass markets like

automotive and manufacturing

Aerospace & Space

The innovator of Deterministic Ethernet

and the driving force behind the IEEE

TSN standard and SAE Time-Triggered

Ethernet standard

TTTech Group

23.10.2018 TTTech Auto AG – Confidential and Proprietary Information 2

Why are we heading for Autonomous Driving?


23.10.2018 TTTech Auto AG – Confidential and Proprietary Information

is something we want to have

in all aspects of life

especially when thinking

about transportation

and even more when thinking

about our beloved ones

SAFETY

4



safety needs to cover all potential

risks

✓

✓

✓to save lives / prevent physical harm to

humans

to minimize risk

to receive customer / public acceptance

but…

faults can always happen

safety needs to be designed into the

product from the very beginning and

needs to be proven

!

!

!

Why Safety is so important

5


What is Safety?


✓ Safety = absence of unreasonable risk(Source: Definition from ISO 26262, Part 1)

Disciplines of Safety:

✓ Safety of use

✓ Functional Safety (FuSa)

✓ Safety of the Intended Functionality (SOTIF)

✓ Security

misuse

malfunction

misperception

deliberate

manipulation

6

ISO 26262

From Fail-silent to Fail-operational Systems

Fail-operational = continue operation after a fault

Design assurance standards are similar across various industries

DO 178C / 254EN/ISO 13849IEC 61508

Fail-operational

Fail-silent



Levels of automation and system architectures

L1driver

assistance

L2partial

automation

L3conditional

automation

L4high

automation

L5high

automation

Control Driver Vehicle Vehicle Vehicle Vehicle

Monitoring Driver Driver Vehicle Vehicle Vehicle

FallbackDriver Driver

Driver (after take-over time)

Vehicle (in defined use case)

Vehicle

B

Fail-silent system designs Fail-operational system design options

B

D

B B B

D

B B

D

B

D

B B

D

BCSystem Layout

and

ASILs

8


The Challenges for Automated Driving

Complexity Customer Acceptance Legislation

Cost Compute Performance Safety

9

23.10.2018

Non-functional Requirements towards Automated Driving – Software and Safety Architecture

ISO 26262 - ASIL D Safety

Combing high-performance

computing SoC’s with automotive

µC’s to achieve ASIL-D.

Fail-Operational

Keep up safe operation for

Level 3-5 automated driving

even after failure of a

component.

Scalability

Scale architecture from basic

functionality to high-end.

Scale autonomy from Level 2

to Level 5.

Real-Time

Ensure end-to-end timing

requirements for all critical

processing paths

(e.g., emergency braking).

TTTech Auto AG – Confidential and Proprietary Information 10


The Automated Driving Challenge Heatmap

Feasibility of Safety vs. Complexity /

Performance / Requirements

SensorsPre-Processing

ClassificationFusion

Trajectory

PlanningActuators

Actuator

Control

Cameras

Radars

Ultrasonics

Nano Radars

Lidars Map Fusion

Object Fusion

Road-Graph

Parking

Traffic Jam

Highway

Parkhouse

Suburban

City (Multi-Agent

Planning)

Longitudinal

Lateral

Vertical

Powertrain

Braking

Steering

Suspension

Safety Architecture, safe computation (random HW faults, design faults @ SW & HW)

How to safeguard complex (AI) algorithms? Fail-Operational Approach

11

The safety mastermind for

automated driving and beyond.

Series-proven. Open. Scalable.



AD Domain ECU Reference Architecture

Control(ASIL C/D)

Sensor Processing / Fusion(ASIL B/C)

HD Vision(ASIL A/B, QM)

Safety

µC

Performance

SoC

Performance

SoC

(GPU)

Vision SoC

(GPU, NPU)

Fle

xR

ay

CA

N

Eth

ern

et

Eth

ern

et

Deterministic Ethernet SwitchCommunication Synchronization

Safety Software Platform

13

01Integration of platform without configuring

execution frames.

02Applications are integrated and tested

individually by APP suppliers without any

timing restrictions.

03All applications are integrated by the SW-

integrator on the platform; conflicts start

immediately as it is not clear who is causing

problems and why.

23.10.2018

Software Integration of Complex Real-Time Systems

04Conflicts are reported back to function SW suppliers, applications have to be modified

to meet the system‘s timing restrictions


01Platform configuration includes execution

boundaries for the applications.

02Applications are integrated and tested

individually by the APP suppliers into their

respective execution boundaries.

03All applications are integrated and are

immediately able to run together; violations

by APPs are detected easily.

23.10.2018

MotionWise: Robust Parallel Integration Process

Robustness

through clear allocation and

monitoring of resources (memory,

CPU, comm.)

Complete software integrated

for functional testing

Parallel Integration

to speed-up software

development of multiple-

software suppliers


www.tttech.com

What is already possible? Example Nissan

23.10.2018 TTTech Auto AG – Confidential and Proprietary Information 16Source: https://www.youtube.com/watch?v=cfRqNAhAe6c

https://www.youtube.com/watch?v=cfRqNAhAe6c


Why aren‘t there so many autonomously drivingcars out yet?

The technology is not reliable enough and quite expensive Answer

17

Source: https://www.youtube.com/watch?v=-2ml6sjk_8c

https://www.youtube.com/watch?v=-2ml6sjk_8c


Unusual and complex situations must be mastered

18

23.10.2018

Artificial Intelligence (AI) to the rescue?



Scene segmentation based on „Deep Learning“

Source: Motovis

20

23.10.2018

AI usage in general system architecture

Sensors Preprocessing Actuation

Power Train

Brake

Steering

Data Fusion Path Planning Control

Prediction

Behaviour

Trajectory

Cluster

PP

PP

PP

PP

PP

Object Fusion

Localization

Road Graph

Grid Fusion

Motion

Control

HMI

Sensors Preprocessing Actuation

Power Train

Brake

Steering

Data Fusion Path Planning Control

Prediction

Behaviour

Trajectory

Cluster

PP

PP

PP

PP

PP

Object Fusion

Localization

Road Graph

Grid Fusion

Motion

Control

HMI

Approach #1:

Use AI for specific parts of the

problem

• E.g. object detection and classification

• Widely accepted

• Modular verification approach possible

Approach #2:

AI as an end-to-end algorithm

• Requires end-to-end validation approach→ Massive simulation and testing unavoidable

• Corner cases (algorithm failures) are

inherently unpredictable and never ruled

out→ Parallel safety supervision needed


Automated Driving will become a reality soon …

starting with limited use cases (evolutionary approach) …

for full autonomy in all scenarios there is a lot to solve.

Diversity (in sensors/algorithms/chips) helps

to make it safe.


the importance of safety on the way to automated driving · 2018-11-16 · driving –software and...

Documents