Upload
trandieu
View
220
Download
2
Embed Size (px)
Citation preview
Internet of Things Group 4ICRI-CARS kick-off
Autonomous syStems: computing platform
Intelligent eyes Vision.
Intelligent & powerful brain Perception and fusion. Modeling and planning. Decision making. Machine learning.
We need high-performance computing, flexibility, and programmability.
Internet of Things Group 5ICRI-CARS kick-off
Autonomous systems: e2e
GATEWAY
NETWORKINFRASTRUCTURE DATA CENTER/
CLOUDTHINGS
Internet of Things Group 7ICRI-CARS kick-off
…but can we trust autonomous systems ?
H/W and S/W complexity is expected to growth at least by a factor 20 in the next few years, so higher risk of failures....
Connectivity brings security threats....
...and autonomous systems are expected to detect & controlfailures !
I’m sorry Dave. I’m afraid I CAN’T do that.
Internet of Things Group 8ICRI-CARS kick-off
The design space of autonomous systems
H/W and S/W complexity is expected to growth at least by a factor 20 in the next few years, so higher risk of failures....
Connectivity brings security threats....
...and autonomous systems are expected to detect & controlfailures !
H/W failures
S/W bugs
Security threats
Unintented functionality
Ris
kFault-free function
Internet of Things Group 9ICRI-CARS kick-off
the path to trust
Agent Independent Safety (FuSa) at element
level
Multi-agent formal-based
safety + SOTIF
Anomaly
detection and
reaction
Adaptive Learning
Se
curi
ty
Internet of Things Group 10ICRI-CARS kick-off
We need functional safetyThe absence of unreasonable risk due to hazards caused by
malfunctioning behaviour of E/E systems
Random H/W failures(permanent faults, transient faults occurring while using the system)
Systematic failures(Bugs in S/W, H/W design and Tools)
IEC
61508
ISO 26262
Automotive
IEC 61511 Process Sector
IEC 61513 Nuclear Sector
ISO 62061
Machinery
IEC 61800-Electr. Drives
EN 50128 Railway
applicationsIEC 50156 Furnaces
…..etc.
Ruled by International Standardssetting the “state of art” (for liability)
Internet of Things Group 11ICRI-CARS kick-off
Automotive requirements (iso 26262)
ASIL A
e.g.
60% faults detected and controlled
ASIL B
e.g.
90% faults detected and controlled,≤ 100 FIT
ASIL C
e.g.
97% faults detected and controlled, ≤ 100 FIT
ASIL D
e.g.
99% faults detected and controlled,≤ 10 FIT
ADAS,ADS/W Defined cockpit,
VISION, Com link1 FIT = 1 «failure in time» = 1 failure in 1 billion of hours
SW defined cockpitVision
Central brain
5G
Internet of Things Group 12ICRI-CARS kick-off
Not just automotive.....
DronesFusa is a concern for both
Consumer andIndustrial drones
IndustrialIt is expected 70% of s/w
defined industrial systems will require fusa in 2020
ROBOTICSHuman robotic as the next
frontIer of the human-machine interaction
Internet of Things Group 14ICRI-CARS kick-off
High performancecluster
Vision accel.
F
P
G
A
High performancecluster
Vision accel.
F
P
G
A
Safety architectures trend – HW LEVEL
100% H/W-based FuSa (e.g. Dual core lock step).
S/W-based redundancy (e.g. Loosely coupled lock step).
Heterogeneousand reconfigurable systems supported by FuSa hooks in H/W.
Safety for high-performance high-safety systems
High performancecluster
Specialized
F
P
G
A
MCU (actuation)
Safety «island», i.e. central brain for FuSa (for error detection and control)
Time Sensitive Network
Internet of Things Group 15ICRI-CARS kick-off
ISO 26262-10, clause 12.2.5.5
ISO 26262 2nd edition hot topics – fail operational
«Guidance for system development with safety-related availability requirements», i.e.fail operational systems including the possibility of degrading to a lower ASIL in case of a fault...
fault
reaction
safe state
Internet of Things Group 16ICRI-CARS kick-off
ISO 26262-10, clause 4.4.2.2
ISO 26262 2nd edition hot topics – FTTI
Time to detection and time to reaction are important characteristics of the safety architecture
Internet of Things Group 17ICRI-CARS kick-off
ISO 26262 2nd edition:>180 pages guideline on how to apply Fusa to semiconductors
ISO 26262 2nd edition hot topics – HWTrending toward an holistic H/W level view, from ECU down to System On Chip, e.g.:
Identifying link between fault-error-failures.
Performing fault injection at different level of abstractions (safe vs dangerous, soft errors vulnerability,...).
Etc...
Internet of Things Group 18ICRI-CARS kick-off
ISO 26262 2nd edition hot topics – Dependent failuresIS
O 2
62
62
-11
, clau
se 4
.7.6
ISO 26262-11 has a chapter dedicated to dependent failures of semiconductor devices.
Internet of Things Group 19ICRI-CARS kick-off
ISO 26262 2nd edition hot topics – fault injection
Fault injection at different abstraction level...
ISO 26262-11, clause 4.8
Internet of Things Group 20ICRI-CARS kick-off
ISO 26262-10, clause 13
ISO 26262 2nd edition hot topics – tools
Confidence in the use of software tools is crucial for autonomous systems
Internet of Things Group 21ICRI-CARS kick-off
Safety architectures trend – SW LEVEL
A full stack of S/W components from front-end to back-end...... + FuSa.
Need to support multiple and heterogeneous programming models.
Complex OS compliant with Functional Safety standards.
Internet of Things Group 22ICRI-CARS kick-off
ISO 26262 2nd edition:New examples on ASIL decomposition
ISO 26262 2nd edition hot topics – SWTrending toward a combination of different techniques to achieve Functional Safety of S/W components, e.g.:
Failure mode and effects analysis (FMEA) at least at S/W architecture level. ASIL/SIL decomposition and/or sand-boxing (e.g. for legacy F/W). S/W statistical analysis. Etc...
Note: QM+QMcannot lead to
ASIL
Internet of Things Group 23ICRI-CARS kick-off
Autonomous systems that rely on sensing, can miss their goal and cause safety violations in absence of H/W or S/W failure…
ISO WD PAS 21448 1Safety of Intended Functionality (SOTIF)
Safety of intended functionality
Causal factor of hazard with example Scope
System E/E System failures ISO 26262
Unintended behaviour without
fault or failure (including E/E
System performance limit)
SOTIF guidance
Foreseeable user misuses SOTIF Annex
External factor Security violation Mentioned as necessary to ensure a
safe behaviour, but not addressed in
this document (See ISO21434:XXXX
or SAE J3061)
Impact from active Infrastructure
and/or vehicle to vehicle
communication.
Can be necessary for a safe behaviour
but not fully addressed in this
document (ISO 20077 can be
considered)
Impact from car surroundings
(other users, “passive”
infrastructure, environment:
weather, EMC…)
Included in SOTIF scope
Internet of Things Group 24ICRI-CARS kick-off
ISO
WD
PA
S 2
14
48
1S
afe
ty o
f In
ten
de
d F
un
ctio
na
lity
(S
OT
IF)
ISO 26262 2nd edition hot topics – SOTIF
Internet of Things Group 25ICRI-CARS kick-off
ISO
WD
PA
S 2
14
48
1S
afe
ty o
f In
ten
de
d F
un
ctio
na
lity
(S
OT
IF)
ISO 26262 2nd edition hot topics – SOTIF
Scene: snapshot of the environment including the scenery and dynamic elements, as well as all actors’ and observers’ self-representations, and the relationships among those entities
Situation: selection of an appropriate behaviour pattern at a particular point of time
Example: critical situation analysis • Weather conditions • Mechanical
disturbance • EMC disturbance • Acoustic
disturbance • Bad reflection
Internet of Things Group 26ICRI-CARS kick-off
ISO
WD
PA
S 2
14
48
1S
afe
ty o
f In
ten
de
d F
un
ctio
na
lity
(S
OT
IF)
ISO 26262 2nd edition hot topics – SOTIF• The use cases in which it is activated;• The sensing and arbitration concept and technologies;• The level of authority over the vehicle dynamics; and• The interfaces with the other systems and functions of the vehicle and the road
infrastructure.
• Severity and controllability are considered to determine thescenario for which a credible harm can result from thesituation misinterpretation. For controllability, a delayedreaction may need to be considered
• System improvement to avoid or reducethe risk which leads to a safety violationas a result of encountering a criticaloperational situation
• Functional restriction to reduce ormitigate critical operational situationeffects
• Handing over the authority from asystem to a driver to improve thecontrollability of critical operationalsituation effects
• Reduction or mitigation of foreseeablemisuse effects
Internet of Things Group 27ICRI-CARS kick-off
ISO 26262 2nd edition hot topics – SOTIFISO WD PAS 21448 1 Annex E
Internet of Things Group 28ICRI-CARS kick-off
ISO 26262 2nd edition hot topics – SOTIFISO WD PAS 21448 1 clause 10.2
Internet of Things Group 29ICRI-CARS kick-off
SAE J3101 - Requirements for Hardware-Protected Security for Ground Vehicle Applications
Secure Boot.
Secure Storage.
Secure Execution Environment.
OTA, authentication.
...
SAE J3061 - Cybersecurity Guidebook for Cyber-Physical Vehicle Systems
Attacks enumeration.
Threat analysis.
Reduction of attacks surface.
Security testing.
...
We need securityThe prevention of risks related to malicious intrusions,
through computer and/or communication networks
Internet of Things Group 31ICRI-CARS kick-off
ISO 26262 2nd edition hOT TOPICS – safety & securityISO 26262-4 :2018Cybersecurity related changes
Internet of Things Group 32ICRI-CARS kick-off
We need self-adaptable systems
Failure and threat analytics, combined with autonomous mission anomaly detection and control, are a great opportunity to build anomaly-aware and self-adaptable systems in cooperation with Machine Learning and AI.
Failure analyticsfrom silicon level «sentinels»
Attack warnings from security «sentinels»
Detection of mission anomalies
Internet of Things Group 33ICRI-CARS kick-off
ISO 26262 2nd edition hot topics – SOTIFISO WD PAS 21448 1 Annex I
Off-line Machine Learning Process Flow
Internet of Things Group 34ICRI-CARS kick-off
Call to action – key topics for researchH/W How to implement cost effective fault tolerant concepts tuned to new fault models
S/W How to make modern & complex S/W systems safe
SOTIF How to fill the gap between «ultimate» and «our» reality
Automation How to implement a Design for Safety & Security automated flow
AI How to use AI/DL/ML for mission anomaly detection
Internet of Things Group 35ICRI-CARS kick-off
Legal notices and disclaimersIntel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No computer system can be absolutely secure. Check with your system manufacturer or retailer or learn more at intel.com.
Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries.
*Other names and brands may be claimed as the property of others.
© 2017 Intel Corporation