safetronic_2016_model based safety analyses using altarica 3.0_application on advanced driver...

Florent MEURVILLE [SAFETRONIC] 8th of Nov. 2016 I 1 Property of Valeo. Duplication prohibited

Confidential

SAFETRONIC Conference : 8th of November 2016

Property of Valeo. Duplication prohibited

Confidential

Model Based Safety Analyses using AltaRica 3.0 : Application on Advanced Driver Assistance Systems

Florent MEURVILLE [email protected] Functional Safety & Modeling Expert Valeo Group Electronics Expertise & Development Services


Confidential

The Agenda

The Motivation

Model Based Safety Analysis

The AltaRica 3.0 formal language

Example of application on a Level 3 Traffic Jam Chauffeur architecture

Conclusions and Perspectives

Questions & Answers


Confidential

ADAS of Level 3 or above are a

breakthrough in terms of complexity !!

The Motivation

Levels of automation of ADAS according to SAE

Fail-Silent Fail-Operational

Driver

only

Assisted Partial

automation

Conditional

automation

High

automation

Driver required during

normal operation

Driver not required

during normal operation

Full

automation


Confidential

The Motivation

Fail-Operational

architecture

More interaction

with other systems

SGxx

ASILD SGzz

ASILD

Residual

Risk Availability

Redundancy Dynamic

reconfiguration +

Need help for

safety analyses !!

Safety engineer


Confidential

One Solution : Model Based Safety Analysis

Model Based Safety Analysis (MBSA) aims to provide a model to automatically generate safety analyses.

Recommended practice in the avionic safety standard (ARP4754) as an alternative technique to generate technical documents for certification.

with a special focus on the AltaRica language.

MBSA is used with success for more than 10 years in the aeronautics, railway, nuclear, space, military domains...

Why not using MBSA in the automotive domain

and especially on self driving cars ?


Confidential

The AltaRica language at a glance

AltaRica is a high level formal language dedicated to safety analyses

That generalizes both Boolean formalisms (e.g. RBD, FTA) and state/transition formalisms (e.g.

Petri nets, Markov)

For modeling both combinatorial and dynamic aspects of failure propagation,

In a hierarchical and modular way,

From functional to physical abstraction levels.


Confidential



1st version designed in late 90’s at University of Bordeaux (LaBRI team), France

Very powerful but too resource consuming for industrial-scale systems


Confidential




2nd evolution (Data-Flow ; 2002) is still the core of several current industrial tools :

SIMFIA (APSYS) ; Safety Designer (Dassault Systèmes)

Used with success for more than 10 years

Drawback : difficulty to handle looped systems


Confidential




2nd evolution (Data-Flow ; 2002) is still the core of several current industrial tools :

3rd evolution of AltaRica (2013) of the language :

New underlying mathematical model that permits to handle looped systems

New construct to structure model using component libraries : prototyped based language

Free evolving Eclipse platform available


Confidential

Output

flows

How does AltaRica 3.0 work?

An AltaRica 3.0 class or block with inputs/outputs is made of three parts :

transition

State1 State2 State3

event1

event2

event3

Input

flows

Declaration of variables for flows / states with their

initialization and events

event : Guard (inputs, states) -> Action on state variables

assertion

Outputs = f(Inputs, States)


Confidential

class Command //State PhysicalState HealthState (init=WORKING); //Output Data Output (reset=DATA_TRUE); //Parameters parameter Real lambda = 0.000000300; // 300 FIT parameter Real lambda2 = 0.000000030; // 30 FIT //Events event failure_no_output (delay = exponential(lambda)); event failure_erroneous (delay = exponential(lambda2)); transition failure_no_output : HealthState==WORKING -> HealthState:= FAILED_NO_OUTPUT; failure_erroneous : HealthState==WORKING -> HealthState:= FAILED_ERRONEOUS; assertion Output := if HealthState==WORKING then DATA_TRUE else if HealthState==FAILED_NO_OUTPUT then NO_DATA else if HealthState==FAILED_ERRONEOUS then DATA_ERRONEOUS else UNDEFINED; end



Confidential

Instantiation of blocks from library classes

Local AltaRica models

S1

S2

ECU1 A1

class Sensor … end

class ECU … end

class Actuator … end

block MySystem Sensor S1,S2; ECU ECU1; Actuator A1; end



Confidential



S1

S2

ECU1 A1


Connection of blocks through assertion

+ Specific observer to trigger

Global AltaRica model S1

S2

ECU1 A1

block MySystem … observer Boolean SG1_isViolated = ECU1.output == false;

assertion ECU1.input1 := S1.output; ECU1.input2 := S2.output; A1.input := ECU1.output; end


Confidential



S1

S2

ECU1 A1


Connection of blocks through assertion

+ Specific observer to trigger

Global AltaRica model S1

S2

ECU1 A1

FTAs Generation


Confidential

From a tool platform perspective

AltaRica 3.0

model

.alt

AltaRica

compiler Model consistency

check & flattening

.alt.xml

OpenPSA

format .alt.opsa

FTA

generator

for debugging

or replay

a failure scenario

Step-wise

simulator

Calculation of cut sets

using XFTA free tool XFTA free

engine


Confidential

Example of application on a Traffic Jam Chauffeur architecture

TJC activation possible when :

Dual carriage ways

Target vehicle in front

Vehicle speed below

TJC is managing mainly :

Longitudinal control

Limited lateral control to keep the vehicle in the way

In case of failure detection in the TJC, a takeover request is sent to the driver

If the driver does not takeover the control of the car after 10s then emergency brake in the way

Level 3 System


Confidential

Which Fail-Operational architecture is the

most suitable to maximize the TJC

availability and minimize its residual risk

to send an erroneous command ?


Triple Modular Redundancy

Duo Duplex with Comparator Duo Duplex with Fault Detector


Confidential

Voter

2oo3

Takeover Request

or Safe Stop Request

Command

If none, emergency

brake upstream

Command1

Command2

Command3



If two of the inputs are similar

then the value is propagated

through command

If one of the input is fail silent

then take over request

If all inputs are different

then no command

Voter 2oo3 behavior


Confidential

Voter

2oo3

Takeover Request

or Safe Stop Request

Command

If none, emergency

brake upstream

Command1

Command2

Command3

failure_no_output 300 FIT

failure_erroneous 30 FIT

Command class failure_no_output 10FIT

failure_erroneous 10FIT

class 2oo3



Numerical values for failure

rates and diagnostics were

arbitrary selected for the

presentation

(theoretical use case)


Confidential

Example of application on a Traffic Jam Chauffeur architecture Duo Duplex with Comparator


Confidential


If comparator1 only detects an error

then reconfiguration for selecting

the backup channel. A takeover

request is sent to the driver.

If comparator2 only detects an error

then a takeover request is sent to

the driver.

If comparator1 and comparator2

both detect an error then opening of

the Output Switch.

General behavior Duo Duplex with Comparator


Confidential


If one of the inputs is fail silent

then an error is detected.

If one of the inputs is erroneous

then an error is detected

according to a certain diagnostic

coverage.

If two of the inputs are erroneous

then no error detected.

Comparator behavior Duo Duplex with Comparator


Confidential

Example of application on a Traffic Jam Chauffeur architecture Duo Duplex with Comparator

failure_no_reconfig 10FIT

failure_err_reconfig 10FIT

failure_no_line_cutoff 10FIT

failure_err_line_cutoff 10FIT

class Reconfig

failure_no_output 10FIT


Detecting 95%

Not_Detecting 5%

class Comparator

4 new classes needed : Selector

Switch class stuck_position_1 20FIT

stuck_position_2 20FIT

Output

Switch class stuck_open 50FIT

stuck_closed 50FIT


Confidential

Example of application on a Traffic Jam Chauffeur architecture Duo Duplex with Fault Detector

Similar general behavior than the Duo Duplex with Comparator architecture


Confidential

Example of application on a Traffic Jam Chauffeur architecture Duo Duplex with Fault Detector

If one of the inputs is fail silent

then an error is detected.

If one of the inputs is erroneous

then an error is detected

according to a certain diagnostic

coverage.

Fault Detector behavior


Confidential


failure_no_output 10FIT


Detecting 90%

Not_Detecting 10%

class

Fault

Detector

1 new class needed :

Duo Duplex with Fault Detector


Confidential


TJC availability during mission time

Lis

t o

f cu

t sets

fo

r TA

KE

OV

ER

_R

EQ

UE

ST

Voter 2oo3 : Triple Modular Redundancy :

Command1.failure_no_output



Main Contributors

Duo Duplex with Fault Detector :



Command1.failure_erroneous FD1.Detect

Command3.failure_erroneous FD2.Detect

RC.failure_err_reconfig

FD21.failure_no_output

FD22.failure_no_output

Main Contributors

Duo Duplex with Comparator :





Command1.failure_erroneous Comparator1.Detect




RC.failure_err_reconfig

Comparator1.failure_no_output

Comparator2.failure_no_output

Main

Contributors


Confidential


Residual risk to send an erroneous command

Lis

t o

f cu

t sets

fo

r D

ATA

_E

RR

ON

EO

US

Voter 2oo3 : Triple Modular Redundancy : 4 cut sets (order 2 max)

Voter_2oo3.failure_erroneous Command1.failure_erroneous Command2.failure_erroneous

Command1.failure_erroneous Command3.failure_erroneous

Command2.failure_erroneous Command3.failure_erroneous

Main Contributors

Duo Duplex with Fault Detector : Out of 34 cut sets (order 6 max)

Command1.failure_erroneous FD1.NotDetect Command1.failure_erroneous SELS.stuck_position1

Command1.failure_erroneous FD1.Detect FD1.failure_erroneous

Command1.failure_erroneous FD1.Detect RC.failure_no_reconfig

Command1.failure_no_output Command3.failure_erroneous FD2.Notdetect

Command2.failure_no_output Command3.failure_erroneous FD2.Notdetect

Main Contributors

Duo Duplex with Comparator : Out of 81 cut sets (order 7 max)

Command1.failure_erroneous Comparator1.NotDetect Command1.failure_erroneous Command2.failure_erroneous

Command1.failure_erroneous SELS.stuck_position1

Command1.failure_erroneous Comparator1.Detect Comparator1.failure_erroneous

Command1.failure_erroneous Comparator1.Detect RC.failure_no_reconfig

Command1.failure_no_output Command3.failure_erroneous Comparator2.NotDetect

Command2.failure_no_output Command3.failure_erroneous Comparator2.NotDetect

Main

Contributors


Confidential


Remember our initial goal :

Which Fail-Operational architecture is the

most suitable to maximize the TJC

availability and minimize its residual risk

to send an erroneous command ?

Duo Duplex

with Fault Detector

Duo Duplex

with Comparator

Best to maximize

TJC availability

Best to minimize

the residual risk


Confidential


A good compromise is a Duo Duplex Hybrid architecture :

After 10000h :

TJC availability ~ 99%

Residual risk to send an erroneous command = 1,56E-9 failure / hour


Confidential


A possible physical implementation of the Duo Duplex Hybrid architecture :


Confidential


FrontCrash : if (ExtScene.NeedToBrake==true)

and (EgoCar.Braking ==false) then true else false;

RearCrash : if (ExtScene.NeedToBrake==false)

and (EgoCar.Braking ==true) then true else false;

Setup of two observers for post-treatment

External Scene setup

NeedToBrake==true NeedToBrake==false

What the vehicle in front is doing !


Confidential

Example of application on a Traffic Jam Chauffeur architecture Front Crash == true:

Order 1 : Bus1.failure_erroneous


Order 2 : ECU1.Command1.failure_erroneous ECU1.Comparator1.NotDetect

Order 2 : ECU1.Command1.failure_erroneous ECU1.Command2.failure_erroneous

Order 2 : S1.failure_erroneous S2.failure_erroneous



Order 2 : ECU2.SELS.stuck_position_1 ECU1.Command1.failure_erroneous

Order 3 : ECU1.Command1.failure_no_output ECU1.Command3.failure_erroneous ECU1.FD2.NotDetect

Order 3 : ECU1.Command2.failure_no_output ECU1.Command3.failure_erroneous ECU1.FD2.NotDetect

Order 3 : ECU1.Command1.failure_erroneous ECU1.Comparator1.Detect ECU1.Comparator1.failure_erroneous

Order 3 : ECU1.Command1.failure_erroneous ECU1.Comparator1.Detect ECU2.RC.failure_no_reconfig

Order 3 : ECU2.RC.failure_err_reconfig ECU1.Command3.failure_erroneous ECU1.FD2.NotDetect

Order 3 : ECU1.Comparator1.failure_no_output ECU1.Command3.failure_erroneous ECU1.FD2.NotDetect

Order 3 : ECU1.Command2.failure_no_output ECU2.RC.failure_no_reconfig ECU1.Command1.failure_erroneous

Order 3 : ECU1.Comparator1.failure_no_output ECU2.RC.failure_no_reconfig ECU1.Command1.failure_erroneous

Order 4 : ECU1.Command2.failure_erroneous ECU1.Comparator1.Detect ECU1.Command3.failure_erroneous ECU1.FD2.NotDetect

Order 4 : ECU1.Command1.failure_erroneous ECU1.Comparator1.Detect ECU1.Command3.failure_erroneous ECU1.FD2.NotDetect

Order 4 : ECU1.Command1.failure_no_output ECU1.Command3.failure_erroneous ECU1.FD2.Detect ECU2.OS.stuck_closed

Order 4 : ECU1.Command2.failure_no_output ECU1.Command3.failure_erroneous ECU1.FD2.Detect ECU2.OS.stuck_closed

Order 4 : ECU1.Command1.failure_no_output ECU1.Command3.failure_erroneous ECU1.FD2.Detect ECU1.FD2.failure_erroneous

Order 4 : ECU1.Command2.failure_no_output ECU1.Command3.failure_erroneous ECU1.FD2.Detect ECU1.FD2.failure_erroneous

Order 4 : ECU1.Comparator1.failure_no_output ECU1.Command3.failure_erroneous ECU1.FD2.Detect ECU2.OS.stuck_closed

Order 4 : ECU2.RC.failure_err_reconfig ECU1.Command3.failure_erroneous ECU1.FD2.Detect ECU1.FD2.failure_erroneous

Order 4 ECU1.Comparator1.failure_no_output ECU1.Command3.failure_erroneous ECU1.FD2.Detect ECU1.FD2.failure_erroneous

Order 4 : ECU1.Command1.failure_no_output ECU1.Command3.failure_erroneous ECU1.FD2.failure_no_output ECU2.OS.stuck_closed

Order 4 : ECU1.Command2.failure_no_output ECU1.Command3.failure_erroneous ECU1.FD2.failure_no_output ECU2.OS.stuck_closed

Partial list of cut-sets

leading potentially to

a front crash


Confidential

Example of application on a Traffic Jam Chauffeur architecture RearCrash == true:

Order 1 : ECU2.OS.stuck_open

Order 1 : ECU2.RC.failure_err_line_cutoff

Order 1 : Bat1.failure_no_output



Order 1 : Bus1.failure_no_output

Order 1 : Bus3.failure_no_output

Order 2 : ECU1.Command1.failure_erroneous ECU1.Comparator1.NotDetect

Order 2 : ECU1.Command1.failure_erroneous ECU1.Command2.failure_erroneous




Order 2 : ECU1.Command3.failure_no_output Dr.driverFallingAsleep



Order 2 : ECU2.RC.failure_err_reconfig Dr.driverFallingAsleep

Order 2 : ECU1.FD2.failure_no_output Dr.driverFallingAsleep

Order 2 : ECU1.Comparator1.failure_no_output Dr.driverFallingAsleep

Order 2 : ECU1.Command2.failure_no_output ECU1.Command3.failure_no_output

Order 2 : ECU1.Command1.failure_no_output ECU1.Command3.failure_no_output

Order 2 : ECU1.Command2.failure_no_output ECU1.FD2.failure_no_output

Order 2 : ECU1.Command1.failure_no_output ECU1.FD2.failure_no_output

Order 2 : ECU1.Command3.failure_no_output ECU1.Comparator1.failure_no_output

Order 2 : ECU1.Comparator1.failure_no_output ECU1.FD2.failure_no_output

Order 3 : ECU1.Command2.failure_erroneous ECU1.Comparator1.Detect Dr.driverFallingAsleep

Order 3 : ECU1.Command1.failure_erroneous ECU1.Comparator1.Detect Dr.driverFallingAsleep

Order 3 : ECU1.Command3.failure_erroneous ECU1.FD2.Detect Dr.driverFallingAsleep

Order 3 : ECU1.Command2.failure_erroneous ECU1.Comparator1.Detect ECU1.FD2.failure_no_output

Order 3 : ECU1.Command1.failure_erroneous ECU1.Comparator1.Detect ECU1.FD2.failure_no_output

Partial list of cut-sets

leading potentially to

a rear crash


Confidential

Conclusions

Benefits :

Quick assessment of an architecture :

Quantified targets allocation for failure rates and diagnostic coverage

Library components can be easily validated, maintained and reused,

Ensure exhaustiveness of the safety analyses,

Permits to model safety requirements in a formal way.

Drawbacks :

FTAs generated are difficult to read (need to focus on cut-sets),

Sequence generator missing,

No graphical display.


Confidential

Perspectives / Next Steps

Interface the OpenAltaRica platform with automotive safety tools,

Carry on building component libraries with more details,

Evaluate the new modules coming from the OpenAltaRica platform,

Investigate “exotic” architectures for Level4/Level5 systems.


Confidential

Want to know more ?

[1] : AVL Presentation, “Hardware architectures for fail operational systems in vehicle ‐ possibilities and requirements for future microcontrollers”, Dr. M. Steindl, C. Miedl, Safetronic 2015

[2] : OpenAltaRica platform

[3] : AltaRica 3.0: a Model-Based approach for Safety Analysis. T. Prosvirnova, Ecole Polytechnique, France

[4] : Toward a mode-based approach of ISO26262 using AltaRica, F. Meurville and all, Valeo, France

[5] : The Open PSA Model Exchange Format

http://openaltarica.fr/

https://tel.archives-ouvertes.fr/tel-01119730v2/document



http://altarica-association.org/ressources/ARBib/MQB14_LM19_com_7C-4_091_F_Meurville.pdf



http://www.open-psa.org/joomla1.5/index.php?option=com_content&view=category&id=4&Itemid=19




Confidential

Thanks a lot for your attention !!

Any questions ?


Confidential

safetronic_2016_model based safety analyses using altarica 3.0_application on advanced driver...

Documents