Functional safety challenges and innovations in the smart car industry
Latest update time: 2021-06-06
For every functional safety player, functional safety standards are an essential piece of equipment.
As we all know, the parent standard of all functional safety standards is IEC 61508. Whether it is ISO 26262 in the automotive industry, the EN series standards in the rail transit field, or the functional safety standards in industrial control, nuclear power, medical and other industries, they are all derived from the parent standard, and, like brothers and sisters, they have things in common and some specific differences.
However, any functional safety standard can be summarized into three aspects: technical requirements, process requirements, and organizational and personnel requirements.
When I started working on functional safety in the rail transit industry ten years ago, given the circumstances of that time, I usually accumulated functional safety experience through hard work on projects, and then went back to the standards to correct or upgrade my own practices. I am very puzzled by a common phenomenon in the automotive industry today: most people learn the standards first and then do projects, and some never complete a single project after learning the standards. The advantage of this approach is that it is more theoretical; the disadvantage is that it first locks a person inside the cage of the standard. It pursues too many superficial theoretical rules and regulations and leaves no room to develop one's own thinking and initiative.
The ISO 26262 functional safety standard for the automotive industry can be summarized as a three-V model. The essence of the V model lies in layer-by-layer refinement and layer-by-layer traceability. The current pain point in the functional safety industry lies in the differences in everyone's perceptions, which need to be unified:
- Functional safety is not paperwork; it is not just about documentation. Documentation is only the embodiment of design and process;
- Functional safety is a full life cycle activity; a product that only considers functional safety in some stages cannot be called safe;
- Functional safety is a requirement on the entire industry chain. Every device and every link in a functional chain is an indispensable guarantee of functional safety;
- Functional safety is not just a kind of auxiliary analysis work; through forward design combined with reverse analysis, safety can be guaranteed more comprehensively;
- The process and the technology of functional safety are two equally important aspects, and favouring one over the other will not achieve good results in the end;
- We spend manpower, material, money and time working hard on functional safety, not just for a certificate!
The core of functional safety is to reduce risks to an acceptable level.
Traditional functional safety focuses on failure, mainly because when functional safety originated, nobody anticipated that, in addition to failures, there are so many complex non-failure situations that can also cause risk.
At that time, so much industrial equipment failed that a large amount of data and experience accumulated, the prototype of functional safety theory slowly took shape, and it then became a methodology for reducing the risk of failure.
Therefore, functional safety relies on data and experience, and is committed to reducing the risks caused by random failures and systematic failures. However, this traditional functional safety methodology also has the limitation of being conventional and step-by-step, and at present the functional safety assessment requirements are gradually degenerating into a pursuit of certification and credentials.
To sum up, the current functional safety approach is to "meet ever-changing conditions with an unchanging response":
- If safety is not enough, redundancy is needed;
- If redundancy is not enough, diversity is needed to make up for it;
- If diversity is not enough, diagnosis is needed;
- If diagnosis is not enough, the process will make up for it;
- If all of the above is still not enough, hand it over to SOTIF.
SOTIF should not draw a clear boundary with functional safety. It is itself a part of functional safety that was once lost and has now been found again. Together they should form one complete system and should not be separated.
In contrast to the "unchanging response to ever-changing conditions" of functional safety, the smart car industry is undergoing disruptive change. With the advent of the era of software-defined cars, the car has gradually evolved into a mobile phone that can drive. The product architecture of the car has evolved to consist of hardware, an operating system (OS) and application software.
Among them, the hardware and the operating system form an intelligent computing basic platform. On top of this basic platform, various application software can be developed quickly and flexibly to realize complex functions. With the development of network-connected cloud control, the shift from single-vehicle intelligence to multi-vehicle intelligence has gradually led to the emergence of vehicle-road-cloud collaborative computing. These new technologies and new fields have brought about earth-shaking changes in the form of automotive products.
The traditional automotive electronic and electrical architecture is also changing. It has evolved from the architecture of hundreds of distributed ECUs in traditional automobiles to a centralized domain controller architecture. In the future, it will gradually transform into a centralized control architecture, and the functions of the car will be implemented in the cloud.
These changes have brought about increasingly complex software architectures and increasingly larger amounts of code, posing unprecedented challenges to functional safety.
A topic that cannot be avoided in the functional safety of smart cars is the uncertainty of artificial intelligence. This uncertainty is mainly divided into model uncertainty and data uncertainty. Model uncertainty includes, for example, the error rate of neural networks; data uncertainty includes the incompleteness of training data, distribution deviations, and differences from the actual environment. With the application of artificial intelligence algorithms, a small amount of data noise is enough to make a huge difference in the recognition results, so these difficult problems cannot be answered by today's traditional definition of functional safety.
To sum up, functional safety is like an aging old man, moving forward slowly with a conservative attitude, while the smart car industry is like a vigorous teenager, running with all his strength, so functional safety currently cannot keep pace with smart cars.
Do people working in the field of smart car functional safety feel like this? They feel somewhat overwhelmed at work. We complete the various activities in accordance with the functional safety requirements, but we still feel that it is not enough, like fighting a strong man with showy but useless martial arts: all the effort seems to be in vain.
The functional safety of the smart car industry is in urgent need of breakthroughs and innovations, and safety problems cannot be truly solved by sticking to the past.
This picture is the Vehicle-Mounted Intelligent Computing Platform Reference Architecture 1.0 that we jointly compiled and released with the China Software Evaluation Center and many companies. From the reference architecture, we can see that the vehicle-mounted intelligent computing basic platform is divided into heterogeneous distributed hardware and autonomous driving operating system software. The autonomous driving operating system software is divided into system software and functional software. Taking our own product practice as an example, the core product of Guoqi Intelligent Control, the Intelligent Vehicle Basic Brain (IVBB), is based on this reference architecture and has features such as cross-model and cross-platform support, a unified OS, application customization, elastic scalability and full ecosystem support. Our product takes the form of an ICT digital base plus an SDK, built on this architecture. The digital base is composed of a hardware platform, system software, a platform abstraction layer for functional software, a general framework for functional software and a general model for intelligent driving. The SDK provides interfaces for rapid application development.
This is a huge platform system, including algorithm content and Linux content. If we strictly follow the rigid requirements of traditional functional safety, these two parts must be avoided. However, without these two parts, does our smart car era still have any meaning? Therefore, when facing such problems, the first response should not be to escape, but to think about solutions.
Smart cars are in a period of rapid change. Products face trade-offs among three aspects: time, function, and quality. Only by balancing all three can a product be guaranteed. Compared with the traditional automobile industry, in the research and development process of the smart car industry we must pay attention not only to the product itself but also to the application scenarios, since different scenarios may produce completely different decision-making and control. We must also pay more attention to performance, simulation testing, and actual vehicle testing. With the development of vehicle-road-cloud collaboration, we must also pay attention to building an information security (cybersecurity) system.
To sum up, the breakthroughs urgently needed for functional safety in the smart car industry are:
- Break through the limits of software scale and achieve safety assurance for large-scale, complex software;
- Break through the deterministic requirements of functional safety and ensure safety under algorithmic uncertainty;
- Break through the constraints of traditional real-time operating systems and study the safety of Linux;
- Break through traditional functional safety failure-oriented thinking and adopt a systems engineering way of thinking;
- Break through the boundaries of functional safety and form a "composite safety" system together with mechanical safety and information security;
- Break through the limitations of European standards and establish independent Chinese smart car functional safety standards;
- Break through the certificate-oriented model and focus on the true safety of smart cars.
So how do we break through? Today I would like to share some personal thoughts, and I hope colleagues in the industry can discuss them in depth together in the future:
For large-scale complex software and systems, we must first "prioritize": impose mandatory safety requirements on key functions and set up safety guarantee functions. The development process must be not only standardized but also efficient and streamlined, yet important process steps cannot be omitted. Testing is always a powerful line of defense for software control, and safety design experience must be continuously summarized and accumulated from actual vehicle testing. Problem libraries, scenario libraries, and databases must be established; only data-driven technology can truly ensure the safety of large-scale software, algorithms, and systems.
For algorithm safety assurance, the core must be "refined" development. Refinement means, first, treating the process the same way as for software: a standardized development process should be established to reduce the risk of systematic failure. On the algorithm side, interpretability should be improved in the design, adversarial training added, labeling accuracy improved and a comprehensive evaluation system established. This also needs to be data-driven: establish databases and scenario libraries, and enlarge the training and test sets. In addition, a fail-safe mode can be considered at the input and output ends.
Regarding the safety of Linux, there are currently some alliances in the industry conducting intensive research, hoping to reduce its risks through standardized development processes and to meet the safety goals of ASIL B. My personal view is the ALARP (as low as reasonably practicable) principle. On the road to functional safety for Linux, we must consider cost-effectiveness and subdivide the internal functions and modules of Linux. If the cost of bringing a certain function up to functional safety is higher than the benefit obtained, then that risk can be accepted.
For functional safety thinking, establish an overall view and analyze based on systems engineering thinking, focusing not only on failure analysis but also on requirements analysis and process analysis.
Regarding safety, I would like to propose the concept of "composite safety", which weakens the boundaries between functional safety, SOTIF, information security, mechanical safety and so on, truly pays attention to safety itself, conducts integrated and comprehensive analysis at the system level, and establishes an integrated system, paying attention not only to safety but also to reliability, availability, maintainability and other aspects.
The most important thing is that the smart car industry should accelerate the implementation of Chinese standards. In the process of establishing Chinese standards for functional safety, we must adopt an attitude of learning from others rather than blindly following them, accumulate Chinese data and information, and create our own standards based on the characteristics and application examples of Chinese smart cars.
Finally, in the field of smart car functional safety, we should shift from exam-oriented education that focuses on certificates to quality education that focuses on safety. This requires establishing a real safety culture and strengthening safety awareness, audit, verification, validation and safety assessment within the organization.
So, to summarize, what elements are needed to keep the safety triangle stable? Massive data, safety analysis and testing are essential. Accumulating these requires the efforts of the entire industry.
Regarding the functional safety development path of the smart car industry, I would like to make an appeal here today. There is no superman who can accomplish everything. What is needed is an industry-wide alliance to jointly explore and innovate, build a win-win ecosystem, and share data, experience and cases. Only if everyone works together to create Chinese standards for smart cars can we truly break through all the problems we are stuck on and truly become a powerful automobile nation.