Automotive Functional Safety Standard ISO26262 and Design Verification Technology

Transcription

1 CREST "Platform Technology of Dependable VLSI Systems" DVLSI Program Review Panel Session 1 "Design Verification, Test" Automotive Functional Safety Standard ISO26262 and Design Verification Technology Contents 1. Company profile 2. Development technology trends of the automotive electronic system 3. Automotive Functional Safety Standard ISO Virtual ECU application technology June 8, 2012 Yoshihiro Miyazaki Executive Chief Engineer, Electronic Platform Technology GM R&D Div. Hitachi Automotive Systems, Ltd.

2 1.. Company profile Company profile Hitachi Hitachi advanced advanced into into domestic domestic production production of of automotive automotive electric electric parts parts in in Having Having years years history history in in the the automotive automotive industry, industry, Hitachi Hitachi Automotive Automotive Systems, Systems, Ltd., Ltd., was was established established on on July July 1st, 1st, by by the the split-off split-off from from Hitachi, Hitachi, Ltd. Ltd. Name Hitachi Automotive Systems, Ltd. Business Representative Established Headquarter Capital Development, manufacture, sales and services of automotive components, transportation related components, industrial machines and systems, etc Kunihiko Ohnuma President and Chief Executive Officer July 1, 2009 Shin-Otemachi Bldg. 2-1, Otemachi 2-chome, Chiyoda-ku, Tokyo, Japan 15,000 million yen (Wholly-owned subsidiary of Hitachi, Ltd) Revenues billion yen Year ended March 31, 2012, Consolidated basis 2

3 1. Company profile Product summary Environ ment Engine Management Systems Safety Drive Control Systems Stereo Camera High pressure fuel pump Hydraulic cylinder for roll control Image processing camera Control Unit Variable valve event and lift control system Electronic throttle body Airflow Sensor Brake actuation ADAS Control Unit VDC Brake Caliper Air leveling system Injector Suspension Valve timing control Balancer Power steering Piston Millimeter wave radar Environ ment Informat ion Electric Powertrain Systems Propeller Shaft Car Information Systems Vehicle maintenance /Diagnosis Inverter Auto insurance Motor Lithium-ion battery Hitachi Vehicle Energy) Entertainment VDC: Vehicle Dynamics Control ADAS: Advanced Driver Assistance System Logistics for delivery vehicles Proving car Satellite broadcasting /communication Digital broadcasting Mobile communication networks ETC,VICS traffic control system Traffic information center Traffic forecast & information Telematics service Audio Navigation system PND* Car information unit for job oriented service Rear view monitor Camera Electronic HEV* control unit Millimeter wave radar Engine/Brakes/Steering Starter *PND:Portable Navigation Device *HEV: Hybrid Electric Vehicles 3

4 2. Development technology trends of the automotive electronic system stem Definition of the electronic platform With With enlargement and and advancement of of the the in-vehicle in-vehicle software, software, forming forming the the common common basis basis from from the the base base of of each each software software is is becoming becoming much much effective effective and and it it is is named named as as electronic platform. platform. [In a wide sense] Electronic platform [In a narrow sense] Electronic platform (Implementation platform) Microcomputer, in-vehicle LAN, the basic OS, BIOS, communication software, etc. Development platform Methods and tools such as control model description, programming, verification, etc. Software architecture Electronic platform (implementation platform) ECU for engines Application Software Base software (the basic OS, communication software) Base hardware (microcomputers) ECU for AT Application software Base software Base hardware In-vehicle network (LAN) ECU for brakes Application software Base software Base hardware Software development process Concept Control design Software design Implementation Development platform Design,test methodss and tools supporting the development process Conformity with vehicle/ its verification Software test 4

5 2. Development technology trends of the automotive electronic system stem Approach to measures of in-vehicle software development in recent years Many problems come to the front with progress of applying electronic control Increase of the in-vehicle controller number Enlargement of the in-vehicle controller software Complexity, advancement of the control Keeping & improvement of reliability Measures approach 1: 1: Reduce things to to be be developed Electronic platform (implementation platform) standardization, high-level function Standardization of of software hierarchical structure specifications Standardization of of basic software specifications Standardization of of applications software data interface specifications industry standardization :: AUTOSAR, JasPar Measures approach 2: 2: Ease Ease and and facilitate development work work (abstraction, automation) Development platform advancement, standardization "model based development method" Control model description language, tool tool Modeling and and simulation for for the the controller and and the the control target Automatic cord cord generation (programming-less) industry standardization: JMAAB, the the Society of of Instrument and and Control Engineers 5

6 2. Development technology trends of the automotive electronic system stem Advancement / complexity of the in-vehicle control Evolution from aggregate of the single function control to integrated control Difficulty increase to verify Outside recognition system In-vehicle information system The outside world Information Camera Radar Other sensors Extract information Target information Map information Position information Infrastructure information Outside a car Commu nication ITS integration control Control target decision Drive control system Battery control HEV control Energy management Vehicle dynamics control Coordination of actuation systems/ Regenerative brake systems, etc Suspension control Engine control Motor control Brake control Steering control User attentions to safety of the electronic control system becoming higher Further advancement, complexity of the electronic control function Correspondence to functional safety standard ISO26262 (2011/Nov. established) [Notes] ITS: Intelligent Transport Systems, HEV: Hybrid Electric Vehicle Remarkable improvement in safety/efficiency/quality for verification is required 6

7 3. Automotive Functional Safety Standard ISO26262 Characteristics of ISO26262 Automotive functional safety standard ISO26262 inherits characteristics from the higher level standard i.e. functional safety standard IEC It also adds the adaptation for the automotive field shown below. 1 Introduction of Automotive Safety Integrity Level SIL in IEC61508: recognized as the property of the target failure rate ASIL in ISO26262: defined as the integrated safety requirement level with both random failure and systematic failure (including software bugs, etc.) ASIL A (lower level)~asil D (higher level) 2 Definition of H&R(Hazard analysis & Risk assessment) for the ASIL derivation Evaluated by three factors shown below E(Exposure) : frequency of cases exposed at the event or assumed driving status C(Controllability) : possibillity or difficulty of avoidance S(Severity) : severity of damage or injury S1 Light and moderate S2 Severe Severe S3 fatal fatal E1 very low E2 low low E3 medium medium E4 high high E1 very low E2 low low E3 medium medium E4 high high E1 very low E2 low low E3 medium medium E4 high high C1 Simpl Simple C2 Normal Normal C3 Difficult Difficult A A B A A B A B C A A B A B C B C D * : Quality Management (no requirement to comply with ISO 26262) 7

8 3. Automotive ISO26262 Functional Safety Standard ISO26262 Overview of ISO Vocabulary 2. Management of functional safety Concept phase 4. Product development at the system level 5. Product development at the hardware level 6. Product development at the software level 8. Supporting processes 9. ASIL-oriented and safety-oriented analyses 10. Guideline for ISO understanding Production and operation 8

9 3. Automotive ISO26262 Functional Safety Standard ISO26262 Activities in Japan related to ISO ISO JSAE Society of Automotive Engineers of Japan, Inc deliberations 5 engineers registered for internatinal meeting 1 engineer from my company JAMA Japan Automobile Manufacturers Association, Inc. DIS translation general information guidebook deliberations of the standard ISO26262 guidebook FDIS translation guidebook IS JASPAR* JARI Japan Automobile Research Institute Microcontroller standardization TF Functional Safety related WGs Guidebook software, Microcontroller demonstration experiment ISO26262Joint Research Functional Safety related WGs * JASPAR (Japan( Automotive Software Platform and ARchitecture) [the establishment] September, 2004 (the establishment of the standardization consortium by three Japan car makers) [activity contents] the non-competition domains such as in-vehicle LAN elemental technology, middleware, the software base by cooperation in Japanese makers [Activity ] Functional safety WG newly established: Formulation and evaluation of the functional safety requirement about the automotive electronic platform [Activity ] "Evaluation of transient fault effect" newly added as one of the activities 9

10 3. Automotive ISO26262 Functional Safety Standard ISO26262 Difference between ISO26262 and conventional development A lot of requirements of ISO26262 are similar to those of conventional quality management. But some requirements not included in the conventional ways are added. It is required to show evidence of design and verification based on the view point of functional safety. Report information necessary for audit, etc. shall be submitted.) ted.) Not (yes or no) judgment but quantitative judgment is required. (Example: diagnostic coverage) Requirement level by conventional quality management Requirement direction is partly different Safety integrity level complied by ISO ASIL B ASIL A ASIL D ASIL C 10

11 3. Automotive ISO26262 Functional Safety Standard ISO26262 Metrics evaluation complied by ISO26262 Hardware Architecture Metrics metrics for the assessment of the effectiveness of the hardware architecture with respect to safety Safe faults Latent Multiple Point faults n Single Point Fault Metric SPFM Latent Fault Metric LFM Single Point or Residual faults 1 Detected Multiple or Perceived Multiple Point faults 2 Σ( Fault ) ASIL SPFM ASIL D 99% LFM 90% ASIL C 97% 80% BaumKuchen Model representation ASIL B ( 90%) ( 60%) 11

12 3. Automotive ISO26262 Functional Safety Standard ISO26262 Methodology of Approach to ISO Analyze gaps against one's company's conventional development process and extract the lacked parts (gap analysis) 2Focus attention on "highly recommended" (++) or higher level in ISO26262 at gap analysis (consider "highly recommended" (++) to be covered in principle) 3keep conventional level if the level of the conventional process is higher than ISO26262 requirement (The level may be lowered from the view point of ISO But do not lower the level consciously) Customer Standard Coding Rule ECU Software Design Standard ECU Software Safety/Quality Standard Product development System level Hardware lebel Software level ISO26262 ASIL decided as for each component one's company's standard development process/workout Coding Rule ECU Software Design Standard ECU Software Safety/Quality Standard Gap Analysis Coding Rule ECU Software Design Standard ECU Software Safety/Quality Standard Add ISO26262 requirement to conventional process 12

13 3. Automotive ISO26262 Functional Safety Standard ISO26262 Application of Development Technologies and Development Tools Correspondence work for ISO26262 (man-hour increase): Traditional Japanese sprit of fight with bamboo spears can not win global business race Apply recent development technologies and development tools Achieve more efficient and higher quality development process ISO26262 standard describes recommendation to apply various development technologies and tools ISO26262 MUST requirement Requirements management & traceability management and support tools (as for safety) Quantification of test coverage and support tools ISO26262 WANT requirement Formal verification and support tools Virtual ECU simulator Virtual HILS 13

14 4. Virtual ECU simulator application technology What is virtual ECU simulator? Control plant model Microcomputer model Control software + base software (implementation cord) New development New applying (combination) A microcomputer, peripheral hardware Cooperative simulation New applying (combination) Application of the virtual ECU simulator System, control: Implementation-related evaluation (execute time, operation load) of the electronic control system, necessary operational precision, error influence, implementation cost) Hardware: Microcomputer design (or selection), ECU design, ASIC development Network: Communication error injection, network delay, decentralized control Software: Run time task analysis, CPU load factor evaluation, the OS, middle software performance evaluation, FMEA test,exhaustive timing test (interrupts), HILS substitute Tools Example Example Synopsys Inc./CoMET CoMET GAIO TECHNOLOGY CO., LTD./No.1 System Simulator, etc. 14

15 4. Virtual ECU ECU application technology An application example: Virtual HILS(vHILS) Target product system: ADAS controller Ranging with radar and Keeping safe distance against proceeding vehicles ahead (ACC function), etc. Virtual HILS (vhils) 1ECU Model ADAS ECU 2CAN Model CAN Bus Monitor Engine Body Safe distance HMI Radar Sensor Speed up/down 3Vehicle Model Vehicle Road Condition ADAS: Advanced Driver Assistance Systems ACC: Adaptive Cruise Control Note: Conventionally HILS with real ECU is used 4Event Processor Display Input HILS: Hardware-in-the-loop simulator Test Specs The processing throughput by 3 parallel computing -> evaluated result: equal to a real machine more than a real machine to be feasible by N parallel processing 15

16 4. Virtual ECU ECU application technology The future of the software verification: V2Cloud Cloud computing for software verification Test vectors described in a spreadsheet Large-scale VM environment: Facilitates sharing and management of the simulation Complete automation: Scalable environment Without having fixed assets, it is possible to enjoy the necessary target system configuration and test performance when needed User test vector Engine Test Brake Test Body Test Network Test Test Queries Result result X Front-end Query Processor Task Distributer VM Controller Trace Collector Vehicle Virtual HILS Interlocking movement Controller ECU MCU Peri CPU pheral vhils vhils vhils vhils vhils vhils vhils vhils Fail Test X Large-scale computer environment Expectation (example): Massive regression tests or fault injection tests HILS : several days -> parallel VHILS on V2Cloud : one night only! VM: Virtual Machine 16

17 [Appendix] References JMAAB jmaab.mathworks.jp/ ISO26262 S.Oho et al, Advanced Model-based Development Techniques Applied to Automotive Engine Management Systems, Hitachi Hyoron,, Vol. 91, no.10, pp , 57, 2009 Y.Sugure, et.al.,., "Virtual Engine System Prototyping with High-Resolution FFT for Digital Knock Detection Using CPU Model-Based Hardware/Software Co-simulation," SAE Paper Y. Ito et al, "A Model Based Software Validation for Automotive Control Systems", International Conference on Control, Automation and Systems (ICCAS), pp.102, 2010 Y. Ito, et al., "VIRTUAL HILS : A Model-Based Control Software Validation Method", SAE Paper Y.Miyazaki Platform Development Trends for Automotive Electronic System Issues and Solution Cases, 2011 CAR- ELE JAPAN Technical Conference (CAR-10) 17

18