Architecting Safe Automated Driving with Legacy Platforms
KTH, School of Industrial Engineering and Management (ITM), Machine Design (Dept.), Mechatronics. ORCID iD: 0000-0001-9314-545x
2018 (English). Licentiate thesis, comprehensive summary (Other academic)
Abstract [en]

Modern vehicles have electrical architectures whose complexity grows year after year, as features are added to meet customer expectations. The latest of these expectations, automation of the dynamic driving task, is poised to bring about some of the largest changes seen so far. In one fell swoop, the functionality required for automated driving not only drastically increases system complexity, it also removes the fall-back of the human driver, who is usually relied upon to handle unanticipated failures after the fact. Architecting thus requires greater rigour than ever before if the level of safety associated with the automotive industry is to be maintained.

The work that is part of this thesis has been conducted in close collaboration with our industrial partner Scania CV AB, within the Vinnova FFI funded project ARCHER. This thesis aims to provide a methodology for architecting during the concept phase of development, using industrial practices and principles, including those from safety standards such as ISO 26262. The main contributions of the thesis fall into two areas. The first area, Part A, contributes (i) an analysis of the challenges of architecting automated driving, which serves as the motivation for the approach taken in the rest of the thesis, i.e. Part B, whose contributions are (ii) a definition of a viewpoint for functional safety according to the definitions of ISO 42010, (iii) a method to systematically extract information from legacy components, and (iv) a process to use that legacy information and architect in the presence of uncertainty, producing a work product required by ISO 26262, the Preliminary Architectural Assumptions (PAA). The contributions of Part B together comprise a methodology to architect the PAA.

A significant challenge in working with industry is finding the right fit between idealized principles and practical utility. The methodology in Part B has been judged fit for purpose by different parts of the organization at Scania, and multiple case studies have been conducted in collaboration with senior architects to assess its usefulness. The methodology was found to be conducive both to generating a PAA of a quality deemed suitable by the organization and to finding inadequacies in the architecture that the previous, non-systematic methods had not revealed. These benefits led to the commissioning of a prototype tool to support the methodology, which has begun to be used in automation-related projects at Scania. The methodology will be refined, using the experience gained, as those projects progress towards completion.

A further impact of the work is seen in two patent filings that originated from work on the case studies in Part B. Emanating from needs discovered during application of the methods, these filed patents (with no prior publications) outline the future direction of research into reference architectures augmented with safety policies, which remain safe in the presence of detectable faults and failures. To aid verification of these ideas, work has begun on identifying critical scenarios and their elements in automated driving, and a flexible simulation platform is being designed and developed at KTH to test the chosen critical scenarios.

Abstract [sv] (translated to English)

Demand for new functions leads to ever-increasing complexity in modern vehicles, especially in their embedded computer systems. The introduction of autonomous vehicles is not only the most current example of this, it also brings one of the largest changes the vehicle industry has seen. Under high-level automation the driver, who acts as a "back-up" for handling unexpected situations and faults, is no longer there, and the corresponding functions must be realised in the embedded systems, which causes a drastic increase in complexity. This confronts system architects with major challenges in ensuring that the current level of functional safety is maintained.

This research has been carried out in close collaboration with Scania CV AB within the Vinnova (FFI)-funded project ARCHER. This licentiate thesis aims to develop a methodology for concept development of architectures, anchored in industrial practice and principles, including those described in functional safety standards such as ISO 26262.

The thesis presents results in two areas. The first area, Part A, reports (i) an analysis of the challenges in architecture development for autonomous vehicles, which also motivates the remainder of the thesis. The second area, Part B, reports (ii) a definition of a "viewpoint" (in the sense of ISO 42010) for functional safety, (iii) a method for systematically extracting information from existing components, and (iv) a process that produces a work product required by ISO 26262, the Preliminary Architectural Assumptions (PAA). This process uses the information from existing components obtained via result (iii) and simplifies the handling of missing or uncertain information during architecture work. Together, the results of Part B constitute a methodology for producing a PAA.

One challenge in research is finding a balance between idealisation and practical applicability. The methodology in Part B has been evaluated in several industrial case studies at Scania together with senior architects from industry, who judged it relevant and practically applicable. Experience shows that the methodology supports the production of PAAs of suitable quality and provides a systematic way to handle uncertainty during architecture development. Specifically, the method made it possible to identify component failure modes for which the architecture was insufficient to achieve the desired risk reduction, limitations that had not been discovered with earlier methods. A prototype tool supporting the methodology has been developed and has begun to be used at Scania in projects related to autonomous vehicles. The methodology will likely be refined further as these projects approach completion and more experience becomes available.

The work in Part B has further led to two patent applications concerning concepts that emerged from the case studies. These concepts relate to reference architectures extended with safety policies for handling detectable fault cases, and they point out a direction for future research. To support verification of these concepts, work has begun on identifying critical scenarios for autonomous driving. A flexible simulation platform is also being designed to test such critical scenarios.

Place, publisher, year, edition, pages
Stockholm, Sweden: KTH Royal Institute of Technology, 2018, p. 76
Keywords [en]
architectures, automated driving, autonomous vehicles, methods, processes, tools, functional safety, ISO 26262, diagnostic specifications, platform based design, legacy integration, functional safety concept, preliminary architectural assumptions, uncertainty management, design decisions
National Category
Embedded Systems; Computer Systems
Identifiers
URN: urn:nbn:se:kth:diva-223687
Local ID: TRITA-ITM-AVL 2018:3
ISBN: 978-91-7729-693-5
OAI: oai:DiVA.org:kth-223687
DiVA id: diva2:1186486
Presentation
2018-03-08, Gladan, Brinellvägen 83, Stockholm, 10:00 (English)
Projects
Vinnova-FFI funded Project ARCHER
Funder
VINNOVA, F6255
Available from: 2018-03-01. Created: 2018-02-28. Last updated: 2018-03-01. Bibliographically approved.
List of papers
1. ATRIUM - Architecting Under Uncertainty for ISO 26262 compliance
2017 (English). In: 2017 11th Annual IEEE International Systems Conference (SysCon), IEEE, 2017, p. 786-793. Conference paper, Published paper (Refereed)
Abstract [en]

ISO 26262 is currently the dominant functional safety standard for electrical and electronic systems in the automotive industry. The Functional Safety Concept sub-phase of the standard requires the Preliminary Architectural Assumptions (PAA) for the allocation of functional safety requirements. This paper justifies the need for, and defines, a process, ATRIUM, for consistent design of the PAA. ATRIUM is subsequently applied in an industrial case study of a function enabling highly automated driving at one of the largest heavy vehicle manufacturers in Europe, Scania CV AB. The findings from this study, which contributed to ATRIUM's institutionalization at Scania, are presented. The benefits of ATRIUM include (i) a fast and flexible way to refine the PAA, and a framework to (ii) incorporate information from legacy systems into safety design and (iii) rigorously track and document the assumptions and rationale behind architectural decisions made under uncertain information. The contributions of this paper are (i) the analysis of the problem, (ii) the process ATRIUM, and (iii) the findings and discussion from the case study at Scania.

Place, publisher, year, edition, pages
IEEE, 2017
Series
Annual IEEE Systems Conference, ISSN 1944-7620
Keywords
ISO 26262, functional safety, HCV, HGV, architectures, automated driving, ATRIUM, decision making, architecting, uncertainty management, risk management
National Category
Electrical Engineering, Electronic Engineering, Information Engineering
Identifiers
URN: urn:nbn:se:kth:diva-210967
DOI: 10.1109/SYSCON.2017.7934819
000403403400111
Scopus ID: 2-s2.0-85021446492
ISBN: 978-1-5090-4623-2
Conference
11th Annual IEEE International Systems Conference (SysCon), APR 24-27, 2017, Montreal, CANADA
Note

QC 20170712

Available from: 2017-07-12. Created: 2017-07-12. Last updated: 2018-02-28. Bibliographically approved.
2. A Method towards the Systematic Architecting of Functionally Safe Automated Driving - Leveraging Diagnostic Specifications for FSC design
2017 (English). In: SAE Technical Paper Series, ISSN 0148-7191, Vol. 2017-March, no. March. Article in journal (Refereed), Published
Abstract [en]

With the advent of ISO 26262 there is an increased emphasis on top-down design in the automotive industry. While the standard delivers a best-practice framework and a reference safety lifecycle, it lacks detailed requirements for its various constituent phases. The lack of guidance becomes especially evident for the reuse of legacy components and subsystems, the most common scenario in the cost-sensitive automotive domain, leaving vehicle architects and safety engineers to rely on experience without methodological support for their decisions. This poses particular challenges in an industry currently undergoing many significant changes due to new features such as connectivity, servitization, electrification and automation. In this paper we focus on automated driving, where multiple subsystems, both new and legacy, need to coordinate to realize a safety-critical function. The paper introduces a method to support consistent design of a work product required by ISO 26262, the Functional Safety Concept (FSC). The method arises from, and addresses, a need within the industry for architectural analysis, rationale management and reuse of legacy subsystems. It makes use of an existing work product, the diagnostic specifications of a subsystem, to assist in a systematic assessment of the influence of the human driver on the design of the subsystem. The output of the method is a report at an abstraction level suitable for a vehicle architect, used as a basis for FSC-related decisions such as generating a Preliminary Architecture (PA) and building up argumentation for verification of the FSC. The proposed method is tested on a safety-critical braking subsystem at one of the largest heavy vehicle manufacturers in Sweden, Scania C.V. AB.
The results demonstrate the benefits of the method, including (i) reuse of pre-existing work products, (ii) gathering requirements for automated driving functions while designing the PA and FSC, (iii) parallelization of work across the organization on the basis of expertise, and (iv) applicability of the method across all types of subsystems.

Place, publisher, year, edition, pages
SAE International, 2017
National Category
Vehicle Engineering
Identifiers
URN: urn:nbn:se:kth:diva-216543
DOI: 10.4271/2017-01-0056
Scopus ID: 2-s2.0-85018386707
Conference
SAE World Congress Experience, WCX 2017, Cobo Center, Detroit, United States, 4 April 2017 through 6 April 2017
Note

QC 20171124

Available from: 2017-11-24. Created: 2017-11-24. Last updated: 2018-02-28. Bibliographically approved.
3. Challenges in architecting fully automated driving; With an emphasis on heavy commercial vehicles
2016 (English). In: Proceedings - 2016 Workshop on Automotive Systems/Software Architectures, WASA 2016, Institute of Electrical and Electronics Engineers (IEEE), 2016, p. 2-9. Conference paper, Published paper (Refereed)
Abstract [en]

Fully automated vehicles will require new functionalities for perception, navigation and decision making, an Autonomous Driving Intelligence (ADI). We consider architectural cases for such functionalities and investigate how they integrate with legacy platforms. The cases range from a robot replacing the driver, with entire reuse of existing vehicle platforms, to a clean-slate design. Focusing on Heavy Commercial Vehicles (HCVs), we assess these cases from the perspectives of business, safety, dependability, verification, and realization. The original contributions of this paper are the classification of the architectural cases themselves and the analysis that follows. The analysis reveals that although full reuse of vehicle platforms is appealing, it will require explicitly dealing with the accidental complexity of the legacy platforms, including adding corresponding diagnostics and error handling to the ADI. The current fail-safe design of the platform will also tend to limit availability. Allowing changes to the platforms will enable more optimized designs and fail-operational behaviour, but will require higher initial development cost and specific emphasis on partitioning and control to limit the influence of safety requirements. For all cases, the design and verification of the ADI will pose a grand challenge and relate to the evolution of the regulatory framework, including safety standards.

Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2016
Keywords
architecture, automotive, autonomy, commercial vehicles, dependability, full automation, functional safety, heavy vehicles, HGV, ISO 26262, modularity, platform migration, SAE L5, variability, verification
National Category
Embedded Systems
Identifiers
URN: urn:nbn:se:kth:diva-194545
DOI: 10.1109/WASA.2016.10
000386759300002
Scopus ID: 2-s2.0-84978198875
ISBN: 978-150902571-8
Conference
Workshop on Automotive Systems/Software Architectures, WASA 2016, Venice, Italy, 5 April 2016 through
Note

QC 20161031

Available from: 2016-10-31. Created: 2016-10-31. Last updated: 2018-02-28. Bibliographically approved.

Open Access in DiVA

Licentiate_Thesis_Naveen_Mohan (2741 kB)
File information
File name: FULLTEXT01.pdf
File size: 2741 kB
Checksum (SHA-512): 9668a63486467e054693132ce7c88fbdfaa6721b1501b2a4851ad60ab872f1d8b5730755b1ee5d633abaa23891f21bfeb6c2555563736842b3e037671c2bfb95
Type: fulltext
Mimetype: application/pdf

Author

Mohan, Naveen

Organisation

Mechatronics; Embedded Systems; Computer Systems