David Nickel, AVL Deutschland GmbH

• Abstract

  The complexity of automotive electrical/electronic (E/E) architectures is growing rapidly. Future E/E architectures will have to integrate highly automated and autonomous driving technologies, extensive infotainment systems, connectivity solutions, and electrification. At the same time, SW and HW release cycles are being decoupled, leading to more frequent SW releases. These trends necessitate robust virtual verification and validation methods to master the complexity as well as to enable reduced development and release times.
  Software in the Loop (SiL) represents the state of the art in industry for testing control functions at design time. In SiL environments, the embedded software is compiled for and runs in a pure virtual PC environment. Here, mainly the functional behavior of the software is tested, typically neglecting the complex timing effects due to the real-time embedded hardware, such as execution times, jitters, and input-output latencies. Conversely, performance simulations to ascertain efficient use of hardware resources (e.g., optimizing scheduling, distribution of tasks and memory footprint on multi-cores) are performed neglecting the functional behavior of the software. This separation results in e.g., incorrect functional simulation results, inadequate dimensioning of hardware resources, missed key functional requirements, and most importantly, prevents a credible virtual testing and validation of time-critical systems.
  In this talk, we discuss and propose a modular tool architecture that couples real-time performance and functional simulation methods in a co-simulation, to enable a timing-aware functional simulation of automotive software. This method ensures that when a SiL simulation is performed in a virtual PC environment, complex real-world timing effects are also reflected in the simulation results. Our approach makes use of the novel Functional Mockup Interface (FMI) 3.0 standard, which enables an effective event driven co-simulation of functional models from different physical domains, while also promoting portability and re-usability of the software components.
  A case study including standardized interfaces is presented to show an implementation of the proposed architecture integrating a commercial timing simulation tool. An AMALTHEA system model is used for modeling of the target architecture for the timing simulation combined with virtual Engine Control Unit (vECU) code wrapped in a Functional Mockup Unit (FMU).

Vortragsfolien (passwortgeschützt)

Dr. Laura Beermann, Robert Bosch GmbH

• Abstract

  Durch die Automatisierung der Fahraufgabe werden neue Rollenverteilungen zwischen Mensch und Fahrzeug möglich. Dabei zeigt sich, dass sowohl zuwenig als auch zuviel Vertrauen der Nutzer in die Automation zu Problemen führen kann. Die Messung des aktuellen Vertrauens der Nutzer stellt daher eine wichtige Grundlage dar. Die Gestaltung der Interaktion zwischen Automation und Nutzer beeinflusst maßgeblich die Entwicklung des individuellen Vertrauens. Der Beitrag geht auf grundlegende Modelle ein, die diese Zusammenhänge beschreiben und zeigt mögliche Mess- und Erhebungsverfahren.

Vortragsfolien (passwortgeschützt)

Dr. Marc Zeller, Siemens AG

• Abstract

  In order to assess AI/ML-based systems in terms of safety, is it not sufficient to assure the system in terms of possible failure but also consider functional weaknesses/insufficiencies of the used algorithms according to Safety Of The Intended Functionality (SOTIF). Therefore, we introduce the concept of the so-called Component Fault and Deficiency Tree (CFDT). With this extension of the Component Fault Tree (CFT) methodology cause-effect-relationships between individual failures as well as functional insufficiencies and system hazards of the specified system can be described. Hence, it is possible to conduct safety analysis to apply for AI/ML-based systems. Thereby, we are able to show that all risks have been sufficiently mitigated and document efficiently the various mitigation schemes on different system levels.

Vortragsfolien (passwortgeschützt)

 Tobias Dörr, Karlsruher Institut für Technologie - KIT

• Abstract

  Safety-critical embedded systems, as they are used for autonomous driving or Urban Air Mobility (UAM), need to fulfill a wide range of requirements. Due to the direct interaction with their physical surroundings, compliance with applicable functional safety standards is necessary. At the same time, systems of this kind are characterized by a significant degree of external communication, steadily increasing reliance on Artificial Intelligence (AI), a growing need for computational performance, and accelerated software integration cycles. State-of-the-art design methods are able to address these requirements only to a limited extent. A design methodology tailored to such environments, as it is proposed by the EU-funded research project XANDAR, tackles this challenge using a holistic system model and a high degree of automation. The approach developed in the project combines the model-based description of relevant requirements with the X-by-Construction concept from literature. The goal of the XANDAR toolchain is to generate an implementation that is functionally correct and provides the user with guarantees regarding the fulfillment of safety, security and real-time requirements. A particular approach to achieve this goal is the automatic deployment of safety mechanisms based on an extensible library of pre-verified safety patterns. In this presentation, two examples from the pattern library of XANDAR are discussed: an approach to achieve model-based on-chip isolation on heterogeneous multicore platforms and a method for runtime monitoring of AI algorithms. Based on a use case from the field of UAM, the practical relevance of the proposed methods is illustrated. 

Vortragsfolien (passwortgeschützt)

Dr. Kim Grüttner, Gregor Nitsche, Deutsches Zentrum für Luft- und Raumfahrt -DLR

• Abstract

  Safety-critical systems face an increase in critical software functions that require high-performance hardware platforms. This situation fosters - also in the automotive domain - an ongoing trend away from many small towards few but powerful processing elements. It inevitably comes with a concentration of the deployed functionality, which imposes challenges to the system design. A major issue in designing safety-critical system is to ensure segregation and isolation of the individual system functions of mixed-criticalities (w.r.t. different Design Assurance Levels (DAL) or Safety Integrity Levels (SIL)), which becomes more costly and harder to achieve the more functionality is executed at the same platform. At the same time, Over-The-Air Software Updates (OTASU) become necessary for modern embedded systems as updates and feature enhancements, safety and security fixes, or adaptations to other components become inevitable during their lifetime. Ensuring compliance with safety regulations thus requires an ever-increasing effort up to the point where it is economically not feasible anymore. The talk gives an overview of a domain-independent software paradigm for the development and integration of software applications on mixed-critical cyber-physical systems along the product lifecycle, which enables modular certification and supports secure OTASU. This paradigm is implemented and demonstrated through a new proof-of-concept software architecture and development process that enables remote deployment of updated as well as new applications on heterogeneous computing platforms. In addition, we provide a strategy for future certification of the approach with respect to safety (e.g., IEC-61508, ISO 26262) and security (IEC-62443, ISO 21434) through specific concepts that build on composability, modularity, and observability as key properties to enable dynamic validation of safety and security properties after deployment in the operational environment.

Vortragsfolien (passwortgeschützt)

Dr. Mohammed Abuteir, TTTech Auto AG

• Abstract

  The evolution of E/E architectures drives also complexity by demanding the integration of more applications into less targets (central computers). Whereas more applications required for increasing levels of autonomy drive complexity and performance requirements (more sensor inputs, more bandwidth required for those powerful sensors, impact on fusion algorithms complexity, new vehicle mode changes to be supported, ...).

  In this complex system, Safety and Security remain non-negotiables. From L3+, the transition from fail-silent to fail-operational systems pose new challenges and paradigm changes in system design on its own.

  In this talk we would discuss the how the solution shall take the form of a horizontal platform that supports an extended development, integration and V&V lifecycle expected in future SW-defined vehicles.

Tiziano Munaro, fortiss GmbH

• Abstract

  Safety mechanisms – technical solutions responsible for maintaining the intended functionality (fail-operational) or transition to a safe state in the presence of hardware and software faults (fail-safe) – ensure the functional safety of cyber-physical systems (cf. ISO 26262, Part 1). An example for a safety mechanism used to meet fail-operational safety goals is run-time task reconfiguration: By deploying copies of a software unit to different processing elements, the loss of one or more of these hardware elements can be tolerated.
  Considering their high impact on a system's hardware and software architectures, early validation of safety mechanisms is crucial to reduce engineering and operation costs. However, while the real-time behavior or safety mechanisms is as crucial to their effectiveness as the correctness of their implementation, analytical safety analysis techniques applied to date (e.g., FMEA and STPA) support only coarse time models and do not provide explicit guidance for considering systemic real-time properties. The consequence is that neither technique is able to determine when, for instance, a run-time task reconfiguration is not sufficiently fast to control a fault within the system- and context-specific fault-tolerant time interval. By the time such defects become apparent, the cost of addressing these issues has grown in magnitude.
  To address this challenge, we introduce a simulation-based fault injection framework to identify problematic real-time properties in safety concepts. As the simulation replicates the integrated electrical/electronic (E/E) architecture of the system under test, the propagation of faults across the system can be reproduced accurately. Moreover, we leverage the Functional Mock-up Interface (FMI) standard for black-box co-simulation to overcome intellectual property concerns in distributed supply chains and to account for heterogeneous tool landscapes while providing the controllability and observability necessary for the simulation of both loss and erroneous behavior of arbitrary hardware and software components. Finally, using an industry-oriented use case, we exemplify how the simulation's validity for a specific use case can be determined by means of statistical analysis.
  Encouraged by the promising results, we are currently taking the next steps towards the continuous engineering of safety-critical cyber-physical systems: As the simulation's configuration and execution can be automated, and the necessary Functional Mock-up Units (FMUs) can be generated from development artefacts, we are working on leveraging the here presented approach in the context of iterative development and maintenance processes with automated integration and deployment mechanisms.

Vortragsfolien (passwortgeschützt)

Dr. Thomas Waschulzik, Siemens Mobility

Vortragsfolien (passwortgeschützt)