Post on 17-Apr-2022
Copyright © 2019 Arm TechCon, All rights reserved.
#ArmTechCon
Safe Human Machine Interface (HMI) Requirements of the Digital Cockpit
Daniel Bernal, Digital Cockpit Platform Manager, Arm, Inc.
Lee Melatti, VP, Business Development, Core Avionics & Industrial Inc.
Abstract
Vehicle cockpits are under a technology revolution. Additional sensors and displays with safety relevant data are the new normal. This presentation will examine the requirements of new vehicle cockpit workloads and the challenges they present when architecting cockpit controller platforms that must present safety relevant data to the operator.
Topics
• Automotive Safety
• Lessons Learned from other Safety Relevant Markets
• Safety Stacking Principles
• Safety Critical Graphics and Compute Solutions
• Current Vehicle Cockpit Safety HMI Designs
• Trends in Digital Cockpit Architectures
• Future Vehicle Cockpit Safe HMI Architectures
Automotive Safety
The Automotive Safety Problem
Software Complexity in Automotive will Only Increase
Source: https://www.aasdn.com.au/driven-by-code/
Hardware and Software Reliability Relationship
Lessons Learned from other Safety Relevant Markets
Aviation Safety History
Aviation Safety
It is estimated that 40 million commercial flights will occur worldwide in 2019.
• The fatal accident rate for large commercial passenger flights in 2018 was 0.36 per million flights, or one fatal accident for every 3 million flights
• That is up from 2017’s 0.06 per million flight rate and above the most recent five-year average of 0.24 per million flights
• Recent B737 Max 8 events underscore the need for a safety certification process, oversight and, most importantly, culture
• Safety events trigger large scale investigations that typically result in broad safety modifications and industry improvements
Safety Applications
Safety Stacking Principles
Safety Critical Stacking
Diagram: the stack from Hardware, Driver, Hypervisor and Operating Systems up to Application, annotated with Functional Errors and Safety Critical Constraints.
Safety Principles Create Constraints
• Deterministic
• Bounded (in space and time)
• Non blocking code (no semaphores)
• Interrupts challenge time boundaries
• Error/failure detecting
• Defining what is an error or failure
Safety Critical Graphics and Compute
Safety Critical Graphics and Compute
Diagram: safety critical APIs (OpenGL SC 1.0, OpenGL SC 2.0, OpenCL SC, Vulkan SC) running on GPU / GPGPU units, across the Avionics & Defense, Automotive and Digital Twin (Internet of Manufacturing) markets, with the applicable standards: RTCA DO-178C / EUROCAE ED-12C (avionics), IEC 60880, EN 50128.
What makes an API safety critical?
The Vulkan SC working group is in the early stages of developing a safety critical API based on Vulkan, but…
…in general, safety will likely focus on:
• Deterministic Execution (predictable execution times and results, e.g. offline compilation with Vulkan SC ingesting compiled shader ISA binaries)
• Robustness (removing ambiguity, clarifying undefined behavior)
• Simplification (changes made to reduce certification effort and challenges)
What Vulkan Safety Critical Offers
• First safety critical compute open standard
• Allows development of a multi-use platform of safety certifiable applications through graphics and computer hardware abstraction
• Improves GPU performance on a per watt basis and reduces impact on the CPU, thereby lowering system cost for similar performance
• Supports graphics and compute in a single interface, increasing functionality and flexibility from a given hardware platform
• Gives access to more advanced graphics functions than either OpenGL SC 1.0 or 2.0 such as geometry shaders and multiple render targets
What is Safe, Very Safe, and Safe Enough?
• First development priority, every day and everyone
• Management and communication of risk is imperative, high reliability organizations begin and end with safety as a culture
• Safety critical demands “fit for purpose” consideration at the system level
• Standards and certification practices make safety more transparent and allow demonstrable adherence; this increases portability and lowers risk
• Goals for safety critical implementations:
  • Efficient
  • Effective
  • Risk Reducing
Current Vehicle Cockpit Safety HMI Designs
Safe HMIs in the Cockpit: Safety Workload Runs on Safety Microcontroller
Diagram: an RTOS on an MCU (Cortex-M/R) with 2D/3D graphics, display processing, a memory system and the display; the Render App carries the Safety Monitor and SW Render; a DOC sits on the display path. Safety relevant IP in red. Safety Domain (ASIL B).
Safe HMIs in the Cockpit: Safety Workload Runs on Safety Island
Diagram: Linux and an RTOS; CPU, GPU (OpenGL ES / Vulkan), display processing, memory system and display; Render App and Safety Monitor; DOC; MCU Cortex-R (or M). Safety relevant IP in red. Safety Domain (ASIL B) and Non-Safety Domain (ASIL QM).
Trends in Digital Cockpit Architectures
Cockpit Technology Trends: Consolidation
Increase In Complexity of Systems:
• Vehicle Architecture Changes
• More powerful SoCs
• Mixed-Criticality
• Software Defined Architectures
• Service Oriented Architectures (SOA)
Diagram: ECU.
Cockpit Technology Trends: Safety Workloads Changing
Today's Safety Workloads:
• Current safety applications are very small footprint safety application monitors.
Future Safety Workloads:
• Safety application processing will run on application class processors.
Diagram: SoC with CoreLink CMN-600 fabric, Cortex-A clusters (X clusters and Y clusters), Mali GPU, CoreLink GIC-600, CoreLink MMU-600, Mali-D77, and a Safety Island built on Cortex-R52.
Cockpit Technology Trends: Safety Content is Increasing
Today's Safety Content:
• Instrument Cluster
• Tell Tales & Gear Position
Future Safety Content:
• AR-HUD
• Increased Intelligence / ADAS
• Enhanced Vision Displays
• Advanced Backup Cameras
Image Sources: nvidia, WayRay AG, Mercedes-Benz
Future Vehicle Cockpit Safe HMI Architectures
Future Vehicle Cockpit Architectures: SoCs w/Safety Relevant IP
Advanced Cockpit Controllers:
• Fit for Purpose
• Mixed-Criticality Workloads
• Compute Flexibility
• Faster path to Safety Cert
Diagram: a fabric connecting Cortex-A clusters (X clusters and Y clusters), Mali GPU, GIC, MMU, CoreLink MMU-600 and Mali-D77, with a Safety Island (Cortex-R52) in the Safety Domain (ASIL B).
Safe HMIs in the Cockpit: Safety HMI = Safety Rendering + Safe Display
Diagram: a Hypervisor hosts a Linux VM (Render App on OpenGL ES / Vulkan over the Vulkan API / GPU Driver) in the Non-Safety Domain (ASIL QM) and an RTOS VM (Safe Rendering Application on the GL SC API, GPU Driver, Safe Compositor, Display Driver, GPU/DPU Safety Monitor, GPU/DPU BIT, Video Output Checker) in the Safety Domain (ASIL B); CPU, GPU, DPU, Memory System and Display underneath, with the DPU and display path at ASIL B.
Future Vehicle Cockpit Architectures: Safety HMIs
Rate Monotonic Scheduling (RMS)
• Deterministic deadlines
• No resource sharing
• Static Priorities
• Math Model Provable
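As an added example that is not part of the original deck, the following C code applies the RMS "math model" to a constructed cockpit task set (task names and timings are assumptions): the Liu & Layland utilisation bound as the quick sufficient test, and exact response-time analysis, which can admit a set the bound rejects.

```c
/* Rate Monotonic Scheduling (RMS) admission test, added as an example (not Arm's
 * code). Tasks are periodic with deadline == period, static priorities by period
 * and no shared resources, so the Liu & Layland utilisation bound and the exact
 * response-time analysis both apply. The cockpit task set is constructed. */
#include <stdbool.h>
#include <stdio.h>
typedef struct { const char *name; unsigned period_us; unsigned wcet_us; } task_t;
/* Constructed task set, sorted by period, i.e. in RMS priority order. */
const task_t cockpit_tasks[3] = {
    { "safety monitor", 10000, 2000 }, { "cluster render", 20000, 8000 },
    { "telltale CRC", 50000, 10000 },
};
/* 2^(1/n) by bisection, so the check has no libm dependency. */
static double nth_root_of_two(int n) {
    double lo = 1.0, hi = 2.0;
    for (int k = 0; k < 60; k++) {
        double mid = (lo + hi) / 2, p = 1.0;
        for (int i = 0; i < n; i++) p *= mid;
        if (p < 2.0) lo = mid; else hi = mid;
    }
    return lo;
}
/* Sufficient test: U = sum(C/T) <= n * (2^(1/n) - 1). Failing it proves nothing. */
bool rms_utilisation_ok(const task_t *t, int n) {
    double u = 0.0;
    for (int i = 0; i < n; i++) u += (double)t[i].wcet_us / t[i].period_us;
    return u <= n * (nth_root_of_two(n) - 1.0);
}
/* Exact test: iterate R_i = C_i + sum_{j<i} ceil(R_i / T_j) * C_j to a fixed
 * point. Returns task i's worst-case response time, or 0 on a deadline miss. */
unsigned rms_response_time(const task_t *t, int i) {
    unsigned r = t[i].wcet_us, prev;
    do {
        prev = r;
        r = t[i].wcet_us;
        for (int j = 0; j < i; j++)
            r += ((prev + t[j].period_us - 1) / t[j].period_us) * t[j].wcet_us;
        if (r > t[i].period_us) return 0;
    } while (r != prev);
    return r;
}
bool rms_schedulable(const task_t *t, int n) {
    for (int i = 0; i < n; i++) if (rms_response_time(t, i) == 0) return false;
    return true;
}
int main(void) {
    for (int i = 0; i < 3; i++)
        printf("%s: R = %u us\n", cockpit_tasks[i].name, rms_response_time(cockpit_tasks, i));
    printf("bound met: %d, schedulable: %d\n", rms_utilisation_ok(cockpit_tasks, 3), rms_schedulable(cockpit_tasks, 3));
}
```

In the constructed set the bound fails (U = 0.8 against a three-task bound of about 0.78) while every response time stays within its period, which is why the exact analysis is the one worth automating.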
Safety Applications Leverage:
• Fit for purpose IP
• IP designed with Robust Functional Safety Processes
• System and IP Evidence of Compliance
• Supporting Functional Safety Docs
• Ecosystem of pre-certified SW elements
Diagram: Safe Application Workloads (Safe Content Rendering, Safe Composition, Safe Content Display, Safe Compute (ADAS)) on a Safety Certifiable OS exposing the OpenGL SC API, Vulkan Safety Critical API and Other Safety APIs, over Fit for Purpose Safety IP (CPU, GPU, NPU, DPU and Memory System) in the Safety Domain.
Key Take-Aways
Evolution of Safety in the Cockpit
Today's Designs: Focus on Safety Monitoring
Safety Monitor Designs
• Video output checker hardware
• Safety content is pre-rendered
• Real-time validation (via CRC checks) of simple safety content
• Open Source is key to innovation and fast prototyping
Future Designs: Focus on Systematics of Software
Safe Rendering + Health Monitor
• Safety certify SW that renders and displays safety content
• Migrate only the SW that renders safety content to a safe domain.
• Leverage safety relevant IP and ecosystem of pre-certified SW elements
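As an added example (not Arm's or the presenters' code), the following C code models the CRC-based real-time validation that a video output checker performs on pre-rendered safety content; the frame buffer, the tell-tale bitmap, the region coordinates and the golden CRC are all constructed here.

```c
/* CRC-based output checking of a safety region, added as an example (not Arm's
 * code): a display output checker (DOC) compares a CRC of the scanned-out pixels
 * with the CRC of the pre-rendered content. Frame buffer and tell-tale are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define FB_W 32
#define FB_H 16
uint8_t fb[FB_H * FB_W];   /* constructed 8-bit greyscale frame buffer */
/* Standard reflected CRC-32 (poly 0xEDB88320), bitwise so no table is needed. */
uint32_t crc32_update(uint32_t crc, const uint8_t *p, size_t n) {
    while (n--) {
        crc ^= *p++;
        for (int k = 0; k < 8; k++) crc = (crc >> 1) ^ (0xEDB88320u & -(crc & 1u));
    }
    return crc;
}
uint32_t crc32(const uint8_t *p, size_t n) { return ~crc32_update(0xFFFFFFFFu, p, n); }
/* CRC of a w x h window at (x, y) in a frame buffer with the given row stride. */
uint32_t crc32_region(const uint8_t *buf, unsigned stride,
                      unsigned x, unsigned y, unsigned w, unsigned h) {
    uint32_t crc = 0xFFFFFFFFu;
    for (unsigned row = y; row < y + h; row++)
        crc = crc32_update(crc, buf + row * stride + x, w);
    return ~crc;
}
/* Draw a constructed 8x8 tell-tale (bright box with a dark border) at (x, y). */
void draw_telltale(unsigned x, unsigned y) {
    for (unsigned r = 0; r < 8; r++)
        for (unsigned c = 0; c < 8; c++)
            fb[(y + r) * FB_W + x + c] = (r == 0 || r == 7 || c == 0 || c == 7) ? 0x10 : 0xF0;
}
/* Safety monitor check: true while the displayed tell-tale matches its golden
 * CRC; false means the region must be flagged as a fault. */
bool doc_region_ok(unsigned x, unsigned y, uint32_t golden) {
    return crc32_region(fb, FB_W, x, y, 8, 8) == golden;
}
/* Scenario: golden CRC learned from the intact image, then corruption outside
 * and inside the tell-tale. Returns how many checks reported a fault (expect 1). */
int doc_scenario(void) {
    memset(fb, 0x80, sizeof fb);               /* QM infotainment background */
    draw_telltale(4, 4);
    uint32_t golden = crc32_region(fb, FB_W, 4, 4, 8, 8);
    int faults = !doc_region_ok(4, 4, golden);                          /* intact: 0 */
    fb[0] ^= 0xFF;            faults += !doc_region_ok(4, 4, golden);   /* outside: 0 */
    fb[6 * FB_W + 6] ^= 0x01; faults += !doc_region_ok(4, 4, golden);   /* inside: 1 */
    return faults;
}
int main(void) { printf("faults detected: %d\n", doc_scenario()); }
```

Only corruption inside the checked window raises a fault, which is the point of pre-rendering simple safety content into a fixed region: the checker needs no knowledge of the rest of the frame.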
Thank You