Florent MEURVILLE [SAFETRONIC] 8th of Nov. 2016 I 1Property of Valeo. Duplication prohibited
Confidential
SAFETRONIC Conference : 8th of November 2016
Property of Valeo. Duplication prohibited
Confidential
Model Based Safety Analyses using AltaRica 3.0 :
Application on Advanced Driver Assistance Systems
Florent MEURVILLE
florent.meurville@valeo.com
Functional Safety & Modeling Expert
Valeo Group Electronics Expertise & Development Services
The Agenda
The Motivation
Model Based Safety Analysis
The AltaRica 3.0 formal language
Example of application on a Level 3 Traffic Jam Chauffeur architecture
Conclusions and Perspectives
Questions & Answers
The Motivation
ADAS of Level 3 or above are a breakthrough in terms of complexity !!
Figure: levels of automation of ADAS according to SAE, from Driver only, Assisted, Partial automation and Conditional automation up to High automation and Full automation. The figure contrasts Fail-Silent with Fail-Operational systems, and "Driver required during normal operation" with "Driver not required during normal operation".
The Motivation
Figure: a Fail-Operational architecture means more interaction with other systems, several ASIL D safety goals (SGxx, SGzz), and a trade-off between residual risk and availability that is obtained through redundancy plus dynamic reconfiguration. The safety engineer needs help for the safety analyses !!
One Solution : Model Based Safety Analysis
Model Based Safety Analysis (MBSA) aims to provide a model from which the safety analyses are generated automatically.
Recommended practice in the avionic safety standard (ARP4754) as an alternative technique to generate technical documents for certification.
with a special focus on the AltaRica language.
MBSA has been used with success for more than 10 years in the aeronautics, railway, nuclear, space and military domains...
Why not use MBSA in the automotive domain, and especially on self-driving cars ?
The AltaRica language at a glance
AltaRica is a high level formal language dedicated to safety analyses:
It generalizes both Boolean formalisms (e.g. RBD, FTA) and state/transition formalisms (e.g. Petri nets, Markov chains),
for modeling both combinatorial and dynamic aspects of failure propagation,
in a hierarchical and modular way,
from functional to physical abstraction levels.
1st version designed in the late 90's at University of Bordeaux (LaBRI team), France: very powerful but too resource consuming for industrial-scale systems.
2nd evolution (Data-Flow ; 2002) is still the core of several current industrial tools: SIMFIA (APSYS) ; Safety Designer (Dassault Systèmes). Used with success for more than 10 years. Drawback: difficulty to handle looped systems.
3rd evolution of the language, AltaRica 3.0 (2013):
New underlying mathematical model that makes it possible to handle looped systems,
New construct to structure models using component libraries: prototype-based language,
Free, evolving Eclipse platform available.
How does AltaRica 3.0 work?
An AltaRica 3.0 class or block with inputs/outputs is made of three parts :
Declarations : variables for flows (input flows, output flows) and states, with their initialization, and events.
Transitions : event : Guard (inputs, states) -> Action on state variables
Assertion : Outputs = f(Inputs, States)
Figure: a component with input flows and output flows whose internal state machine (State1, State2, State3) changes state through the transitions fired by event1, event2 and event3.
How does AltaRica 3.0 work?
Example of a library class (the Command component used later in the TJC example):

// Domain declarations (not on the slide; assumed to be provided by the library)
domain PhysicalState {WORKING, FAILED_NO_OUTPUT, FAILED_ERRONEOUS}
domain Data {DATA_TRUE, NO_DATA, DATA_ERRONEOUS, UNDEFINED}

class Command
  // State
  PhysicalState HealthState (init = WORKING);
  // Output
  Data Output (reset = DATA_TRUE);
  // Parameters: failure rates in failures per hour
  parameter Real lambda = 0.000000300;  // 300 FIT
  parameter Real lambda2 = 0.000000030; // 30 FIT
  // Events, with exponentially distributed delays
  event failure_no_output (delay = exponential(lambda));
  event failure_erroneous (delay = exponential(lambda2));
  transition
    failure_no_output : HealthState == WORKING -> HealthState := FAILED_NO_OUTPUT;
    failure_erroneous : HealthState == WORKING -> HealthState := FAILED_ERRONEOUS;
  assertion
    Output := if HealthState == WORKING then DATA_TRUE
              else if HealthState == FAILED_NO_OUTPUT then NO_DATA
              else if HealthState == FAILED_ERRONEOUS then DATA_ERRONEOUS
              else UNDEFINED;
end
How does AltaRica 3.0 work?
Step 1 : instantiation of blocks from library classes (local AltaRica models). The system is made of two sensors S1 and S2, one ECU ECU1 and one actuator A1:

class Sensor
  …
end
class ECU
  …
end
class Actuator
  …
end
block MySystem
  Sensor S1, S2;
  ECU ECU1;
  Actuator A1;
end

Step 2 : connection of the blocks through the assertion, plus a specific observer to trigger (global AltaRica model):

block MySystem
  …
  observer Boolean SG1_isViolated = ECU1.output == false;
  assertion
    ECU1.input1 := S1.output;
    ECU1.input2 := S2.output;
    A1.input := ECU1.output;
end

Step 3 : FTAs generation.
From a tool platform perspective
Figure: the tool chain. The AltaRica 3.0 model (.alt) goes through the AltaRica compiler (model consistency check & flattening), which produces a flattened model (.alt.xml). From it, the FTA generator produces fault trees in the OpenPSA format (.alt.opsa), and the cut sets are calculated with the XFTA free engine. A step-wise simulator is available for debugging or for replaying a failure scenario.
Example of application on a Traffic Jam Chauffeur architecture
The Traffic Jam Chauffeur (TJC) is a Level 3 system.
TJC activation is possible when :
Dual carriage ways
Target vehicle in front
Vehicle speed below
TJC is managing mainly :
Longitudinal control
Limited lateral control to keep the vehicle in its lane
In case of failure detection in the TJC, a takeover request is sent to the driver.
If the driver does not take over control of the car after 10 s, then an emergency brake is performed in the lane.
Example of application on a Traffic Jam Chauffeur architecture
Which Fail-Operational architecture is the most suitable to maximize the TJC availability and minimize its residual risk to send an erroneous command ?
Three candidate architectures are compared : Triple Modular Redundancy, Duo Duplex with Comparator, Duo Duplex with Fault Detector.
Example of application on a Traffic Jam Chauffeur architecture
Triple Modular Redundancy
Figure: Command1, Command2 and Command3 feed a Voter 2oo3, which outputs the Command and can raise a Takeover Request or a Safe Stop Request. If none, emergency brake upstream.
Voter 2oo3 behavior :
If two of the inputs are similar then the value is propagated through command.
If one of the inputs is fail silent then takeover request.
If all inputs are different then no command.
Failure rates used in the model :
Command class : failure_no_output 300 FIT ; failure_erroneous 30 FIT
2oo3 class : failure_no_output 10 FIT ; failure_erroneous 10 FIT
Numerical values for failure rates and diagnostics were arbitrarily selected for the presentation (theoretical use case).
Example of application on a Traffic Jam Chauffeur architecture
Duo Duplex with Comparator
Example of application on a Traffic Jam Chauffeur architecture
Duo Duplex with Comparator : general behavior
If comparator1 only detects an error, then reconfiguration for selecting the backup channel. A takeover request is sent to the driver.
If comparator2 only detects an error, then a takeover request is sent to the driver.
If comparator1 and comparator2 both detect an error, then opening of the Output Switch.
Example of application on a Traffic Jam Chauffeur architecture
Duo Duplex with Comparator : comparator behavior
If one of the inputs is fail silent then an error is detected.
If one of the inputs is erroneous then an error is detected according to a certain diagnostic coverage.
If two of the inputs are erroneous then no error is detected.
Example of application on a Traffic Jam Chauffeur architecture
Duo Duplex with Comparator
4 new classes needed :
Comparator class : failure_no_output 10 FIT ; failure_erroneous 10 FIT ; diagnostic coverage Detecting 95% / Not_Detecting 5%
Reconfig class : failure_no_reconfig 10 FIT ; failure_err_reconfig 10 FIT ; failure_no_line_cutoff 10 FIT ; failure_err_line_cutoff 10 FIT
Selector Switch class : stuck_position_1 20 FIT ; stuck_position_2 20 FIT
Output Switch class : stuck_open 50 FIT ; stuck_closed 50 FIT
Example of application on a Traffic Jam Chauffeur architecture
Duo Duplex with Fault Detector
Similar general behavior to the Duo Duplex with Comparator architecture.
Example of application on a Traffic Jam Chauffeur architecture
Duo Duplex with Fault Detector : fault detector behavior
If one of the inputs is fail silent then an error is detected.
If one of the inputs is erroneous then an error is detected according to a certain diagnostic coverage.
Example of application on a Traffic Jam Chauffeur architecture
Duo Duplex with Fault Detector
1 new class needed :
Fault Detector class : failure_no_output 10 FIT ; failure_erroneous 10 FIT ; diagnostic coverage Detecting 90% / Not_Detecting 10%
Example of application on a Traffic Jam Chauffeur architecture
TJC availability during mission time
List of cut sets for TAKEOVER_REQUEST (main contributors) :
Voter 2oo3 : Triple Modular Redundancy :
Command1.failure_no_output
Command2.failure_no_output
Command3.failure_no_output
Duo Duplex with Fault Detector :
Command1.failure_no_output
Command3.failure_no_output
Command1.failure_erroneous FD1.Detect
Command3.failure_erroneous FD2.Detect
RC.failure_err_reconfig
FD21.failure_no_output
FD22.failure_no_output
Duo Duplex with Comparator :
Command1.failure_no_output
Command2.failure_no_output
Command3.failure_no_output
Command4.failure_no_output
Command1.failure_erroneous Comparator1.Detect
Command2.failure_erroneous Comparator1.Detect
Command3.failure_erroneous Comparator2.Detect
Command4.failure_erroneous Comparator2.Detect
RC.failure_err_reconfig
Comparator1.failure_no_output
Comparator2.failure_no_output
Example of application on a Traffic Jam Chauffeur architecture
Residual risk to send an erroneous command
List of cut sets for DATA_ERRONEOUS (main contributors) :
Voter 2oo3 : Triple Modular Redundancy : 4 cut sets (order 2 max)
Voter_2oo3.failure_erroneous
Command1.failure_erroneous Command2.failure_erroneous
Command1.failure_erroneous Command3.failure_erroneous
Command2.failure_erroneous Command3.failure_erroneous
Duo Duplex with Fault Detector : main contributors out of 34 cut sets (order 6 max)
Command1.failure_erroneous FD1.NotDetect
Command1.failure_erroneous SELS.stuck_position1
Command1.failure_erroneous FD1.Detect FD1.failure_erroneous
Command1.failure_erroneous FD1.Detect RC.failure_no_reconfig
Command1.failure_no_output Command3.failure_erroneous FD2.Notdetect
Command2.failure_no_output Command3.failure_erroneous FD2.Notdetect
Duo Duplex with Comparator : main contributors out of 81 cut sets (order 7 max)
Command1.failure_erroneous Comparator1.NotDetect
Command1.failure_erroneous Command2.failure_erroneous
Command1.failure_erroneous SELS.stuck_position1
Command1.failure_erroneous Comparator1.Detect Comparator1.failure_erroneous
Command1.failure_erroneous Comparator1.Detect RC.failure_no_reconfig
Command1.failure_no_output Command3.failure_erroneous Comparator2.NotDetect
Command2.failure_no_output Command3.failure_erroneous Comparator2.NotDetect
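The Triple Modular Redundancy cut sets listed above follow directly from the Voter 2oo3 behavior and the failure rates given earlier, and the following brute-force enumeration reproduces them. This is an added Python example, not code from the presentation or from the AltaRica/OpenAltaRica/XFTA tools: component, event and observer names follow the slides, the voter rules follow the slide text, while the handling of a failed voter (no takeover request) and the rare-event probability approximation are our assumptions.

```python
"""Minimal cut set enumeration for the Voter 2oo3 (TMR) pattern of the TJC example.

Each component is in exactly one health state, so a global state maps to the
set of failure events that occurred; minimal cut sets are the triggering sets
that contain no smaller triggering set.
"""
from itertools import product
from math import exp

WORKING, NO_OUTPUT, ERRONEOUS = "WORKING", "FAILED_NO_OUTPUT", "FAILED_ERRONEOUS"
DATA_TRUE, NO_DATA, DATA_ERRONEOUS = "DATA_TRUE", "NO_DATA", "DATA_ERRONEOUS"
MODES = (WORKING, NO_OUTPUT, ERRONEOUS)
EVENT_NAME = {NO_OUTPUT: "failure_no_output", ERRONEOUS: "failure_erroneous"}

# Component instances and failure rates in FIT (1 FIT = 1e-9 failures/hour),
# using the arbitrary values from the slides (theoretical use case).
COMPONENTS = ("Command1", "Command2", "Command3", "Voter_2oo3")
RATES_FIT = {
    "Command1.failure_no_output": 300, "Command1.failure_erroneous": 30,
    "Command2.failure_no_output": 300, "Command2.failure_erroneous": 30,
    "Command3.failure_no_output": 300, "Command3.failure_erroneous": 30,
    "Voter_2oo3.failure_no_output": 10, "Voter_2oo3.failure_erroneous": 10,
}


def command_output(health):
    """Assertion of the Command class: output flow as a function of health state."""
    return {WORKING: DATA_TRUE, NO_OUTPUT: NO_DATA, ERRONEOUS: DATA_ERRONEOUS}[health]


def voter_2oo3(inputs, voter_health):
    """Return (command, takeover_request) following the slide's voter rules.

    Assumption: a failed voter produces no data or erroneous data and raises
    no takeover request (a silent voter is handled by the upstream emergency brake).
    """
    if voter_health == NO_OUTPUT:
        return NO_DATA, False
    if voter_health == ERRONEOUS:
        return DATA_ERRONEOUS, False
    takeover = NO_DATA in inputs          # one input fail silent -> takeover request
    for value in set(inputs):
        if inputs.count(value) >= 2:      # two similar inputs -> value propagated
            return value, takeover
    return NO_DATA, takeover              # all inputs different -> no command


def observers(state):
    """Evaluate the two observers of interest for a global state (component -> health)."""
    inputs = [command_output(state[c]) for c in COMPONENTS[:3]]
    command, takeover = voter_2oo3(inputs, state["Voter_2oo3"])
    return {"DATA_ERRONEOUS": command == DATA_ERRONEOUS, "TAKEOVER_REQUEST": takeover}


def minimal_cut_sets(observer):
    """Enumerate all 3^4 health-state combinations, keep those that trigger the
    observer, then drop every set that strictly contains another triggering set."""
    triggering = []
    for modes in product(MODES, repeat=len(COMPONENTS)):
        state = dict(zip(COMPONENTS, modes))
        if observers(state)[observer]:
            triggering.append(frozenset(
                f"{c}.{EVENT_NAME[m]}" for c, m in state.items() if m != WORKING))
    minimal = [cs for cs in triggering if not any(other < cs for other in triggering)]
    return sorted(minimal, key=lambda cs: (len(cs), sorted(cs)))


def unavailability(cut_sets, hours, rates_fit=RATES_FIT):
    """Rare-event (sum of products) approximation of the probability that the
    observer is true at mission time without repair: each basic event has
    probability 1 - exp(-lambda * t)."""
    total = 0.0
    for cs in cut_sets:
        p = 1.0
        for event in cs:
            p *= 1.0 - exp(-rates_fit[event] * 1e-9 * hours)
        total += p
    return total


if __name__ == "__main__":
    for obs in ("TAKEOVER_REQUEST", "DATA_ERRONEOUS"):
        css = minimal_cut_sets(obs)
        print(f"{obs}: {len(css)} cut sets (order {max(map(len, css))} max)")
        for cs in css:
            print("   " + " ".join(sorted(cs)))
        print(f"   P(t = 10000 h) ~ {unavailability(css, 10000):.3e}")
```

Running it lists the three order-1 cut sets for TAKEOVER_REQUEST and the four cut sets (order 2 max) for DATA_ERRONEOUS shown on the slides; the probability printed for DATA_ERRONEOUS is dominated by the single voter failure, which is why the voter's own failure rate matters more than the 30 FIT of the commands.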
Example of application on a Traffic Jam Chauffeur architecture
Remember our initial goal : which Fail-Operational architecture is the most suitable to maximize the TJC availability and minimize its residual risk to send an erroneous command ?
Duo Duplex with Fault Detector : best to maximize TJC availability.
Duo Duplex with Comparator : best to minimize the residual risk.
Example of application on a Traffic Jam Chauffeur architecture
A good compromise is a Duo Duplex Hybrid architecture :
After 10000 h :
TJC availability ~ 99%
Residual risk to send an erroneous command = 1.56E-9 failure / hour
Example of application on a Traffic Jam Chauffeur architecture
A possible physical implementation of the Duo Duplex Hybrid architecture :
Example of application on a Traffic Jam Chauffeur architecture
Setup of two observers for post-treatment :

FrontCrash : if (ExtScene.NeedToBrake == true) and (EgoCar.Braking == false) then true else false;
RearCrash  : if (ExtScene.NeedToBrake == false) and (EgoCar.Braking == true) then true else false;

External Scene setup : NeedToBrake == true or NeedToBrake == false, i.e. what the vehicle in front is doing !
Example of application on a Traffic Jam Chauffeur architecture
FrontCrash == true (partial list of cut-sets leading potentially to a front crash) :
Order 1 : Bus1.failure_erroneous
Order 1 : Bus3.failure_erroneous
Order 2 : ECU1.Command1.failure_erroneous ECU1.Comparator1.NotDetect
Order 2 : ECU1.Command1.failure_erroneous ECU1.Command2.failure_erroneous
Order 2 : S1.failure_erroneous S2.failure_erroneous
Order 2 : S1.failure_erroneous S3.failure_erroneous
Order 2 : S2.failure_erroneous S3.failure_erroneous
Order 2 : ECU2.SELS.stuck_position_1 ECU1.Command1.failure_erroneous
Order 3 : ECU1.Command1.failure_no_output ECU1.Command3.failure_erroneous ECU1.FD2.NotDetect
Order 3 : ECU1.Command2.failure_no_output ECU1.Command3.failure_erroneous ECU1.FD2.NotDetect
Order 3 : ECU1.Command1.failure_erroneous ECU1.Comparator1.Detect ECU1.Comparator1.failure_erroneous
Order 3 : ECU1.Command1.failure_erroneous ECU1.Comparator1.Detect ECU2.RC.failure_no_reconfig
Order 3 : ECU2.RC.failure_err_reconfig ECU1.Command3.failure_erroneous ECU1.FD2.NotDetect
Order 3 : ECU1.Comparator1.failure_no_output ECU1.Command3.failure_erroneous ECU1.FD2.NotDetect
Order 3 : ECU1.Command2.failure_no_output ECU2.RC.failure_no_reconfig ECU1.Command1.failure_erroneous
Order 3 : ECU1.Comparator1.failure_no_output ECU2.RC.failure_no_reconfig ECU1.Command1.failure_erroneous
Order 4 : ECU1.Command2.failure_erroneous ECU1.Comparator1.Detect ECU1.Command3.failure_erroneous ECU1.FD2.NotDetect
Order 4 : ECU1.Command1.failure_erroneous ECU1.Comparator1.Detect ECU1.Command3.failure_erroneous ECU1.FD2.NotDetect
Order 4 : ECU1.Command1.failure_no_output ECU1.Command3.failure_erroneous ECU1.FD2.Detect ECU2.OS.stuck_closed
Order 4 : ECU1.Command2.failure_no_output ECU1.Command3.failure_erroneous ECU1.FD2.Detect ECU2.OS.stuck_closed
Order 4 : ECU1.Command1.failure_no_output ECU1.Command3.failure_erroneous ECU1.FD2.Detect ECU1.FD2.failure_erroneous
Order 4 : ECU1.Command2.failure_no_output ECU1.Command3.failure_erroneous ECU1.FD2.Detect ECU1.FD2.failure_erroneous
Order 4 : ECU1.Comparator1.failure_no_output ECU1.Command3.failure_erroneous ECU1.FD2.Detect ECU2.OS.stuck_closed
Order 4 : ECU2.RC.failure_err_reconfig ECU1.Command3.failure_erroneous ECU1.FD2.Detect ECU1.FD2.failure_erroneous
Order 4 : ECU1.Comparator1.failure_no_output ECU1.Command3.failure_erroneous ECU1.FD2.Detect ECU1.FD2.failure_erroneous
Order 4 : ECU1.Command1.failure_no_output ECU1.Command3.failure_erroneous ECU1.FD2.failure_no_output ECU2.OS.stuck_closed
Order 4 : ECU1.Command2.failure_no_output ECU1.Command3.failure_erroneous ECU1.FD2.failure_no_output ECU2.OS.stuck_closed
Example of application on a Traffic Jam Chauffeur architecture
RearCrash == true (partial list of cut-sets leading potentially to a rear crash) :
Order 1 : ECU2.OS.stuck_open
Order 1 : ECU2.RC.failure_err_line_cutoff
Order 1 : Bat1.failure_no_output
Order 1 : Bus1.failure_erroneous
Order 1 : Bus3.failure_erroneous
Order 1 : Bus1.failure_no_output
Order 1 : Bus3.failure_no_output
Order 2 : ECU1.Command1.failure_erroneous ECU1.Comparator1.NotDetect
Order 2 : ECU1.Command1.failure_erroneous ECU1.Command2.failure_erroneous
Order 2 : S1.failure_erroneous S2.failure_erroneous
Order 2 : S1.failure_erroneous S3.failure_erroneous
Order 2 : S2.failure_erroneous S3.failure_erroneous
Order 2 : ECU1.Command3.failure_no_output Dr.driverFallingAsleep
Order 2 : ECU1.Command2.failure_no_output Dr.driverFallingAsleep
Order 2 : ECU1.Command1.failure_no_output Dr.driverFallingAsleep
Order 2 : ECU2.RC.failure_err_reconfig Dr.driverFallingAsleep
Order 2 : ECU1.FD2.failure_no_output Dr.driverFallingAsleep
Order 2 : ECU1.Comparator1.failure_no_output Dr.driverFallingAsleep
Order 2 : ECU1.Command2.failure_no_output ECU1.Command3.failure_no_output
Order 2 : ECU1.Command1.failure_no_output ECU1.Command3.failure_no_output
Order 2 : ECU1.Command2.failure_no_output ECU1.FD2.failure_no_output
Order 2 : ECU1.Command1.failure_no_output ECU1.FD2.failure_no_output
Order 2 : ECU1.Command3.failure_no_output ECU1.Comparator1.failure_no_output
Order 2 : ECU1.Comparator1.failure_no_output ECU1.FD2.failure_no_output
Order 3 : ECU1.Command2.failure_erroneous ECU1.Comparator1.Detect Dr.driverFallingAsleep
Order 3 : ECU1.Command1.failure_erroneous ECU1.Comparator1.Detect Dr.driverFallingAsleep
Order 3 : ECU1.Command3.failure_erroneous ECU1.FD2.Detect Dr.driverFallingAsleep
Order 3 : ECU1.Command2.failure_erroneous ECU1.Comparator1.Detect ECU1.FD2.failure_no_output
Order 3 : ECU1.Command1.failure_erroneous ECU1.Comparator1.Detect ECU1.FD2.failure_no_output
Conclusions
Benefits :
Quick assessment of an architecture,
Quantified allocation of targets for failure rates and diagnostic coverage,
Library components can be easily validated, maintained and reused,
Ensures the exhaustiveness of the safety analyses,
Makes it possible to model safety requirements in a formal way.
Drawbacks :
Generated FTAs are difficult to read (need to focus on cut sets),
Sequence generator missing,
No graphical display.
Perspectives / Next Steps
Interface the OpenAltaRica platform with automotive safety tools,
Carry on building component libraries with more details,
Evaluate the new modules coming from the OpenAltaRica platform,
Investigate “exotic” architectures for Level4/Level5 systems.
Want to know more ?
[1] AVL Presentation, "Hardware architectures for fail operational systems in vehicle - possibilities and requirements for future microcontrollers", Dr. M. Steindl, C. Miedl, Safetronic 2015
[2] OpenAltaRica platform
[3] AltaRica 3.0: a Model-Based approach for Safety Analysis, T. Prosvirnova, Ecole Polytechnique, France
[4] Toward a mode-based approach of ISO26262 using AltaRica, F. Meurville et al., Valeo, France
[5] The Open PSA Model Exchange Format
Thanks a lot for your attention !!
Any questions ?
Florent MEURVILLE [SAFETRONIC] 8th of Nov. 2016 I 39Property of Valeo. Duplication prohibited
Confidential

More Related Content

Similar to Safetronic_2016_Model Based Safety Analyses using AltaRica 3.0_Application on Advanced Driver Assistance_FINAL_VALEO

T89 introductiontofunctionalsafetyformachinery
T89 introductiontofunctionalsafetyformachineryT89 introductiontofunctionalsafetyformachinery
T89 introductiontofunctionalsafetyformachineryVo Quoc Hieu
 
SATCE Presentation for WATS 2016 Goodman
SATCE Presentation for WATS 2016 GoodmanSATCE Presentation for WATS 2016 Goodman
SATCE Presentation for WATS 2016 GoodmanJeremy Goodman
 
[Capella Day Toulouse] ATL2 modernization: when MBSE keeps its promises
[Capella Day Toulouse] ATL2 modernization: when MBSE keeps its promises[Capella Day Toulouse] ATL2 modernization: when MBSE keeps its promises
[Capella Day Toulouse] ATL2 modernization: when MBSE keeps its promisesObeo
 
Breinstorm@HUMIQ - Automotive functionalsafety
Breinstorm@HUMIQ - Automotive functionalsafetyBreinstorm@HUMIQ - Automotive functionalsafety
Breinstorm@HUMIQ - Automotive functionalsafetyipebesma
 
Erica The European Tiltrotor
Erica The European TiltrotorErica The European Tiltrotor
Erica The European Tiltrotorahmad bassiouny
 
OMA LwM2M Workshop - Antonio Jara, OMA LabKit
OMA LwM2M Workshop - Antonio Jara, OMA LabKitOMA LwM2M Workshop - Antonio Jara, OMA LabKit
OMA LwM2M Workshop - Antonio Jara, OMA LabKitOpen Mobile Alliance
 
FIWARE Global Summit - The Future of FIWARE 4 Industry - New Technology Trend...
FIWARE Global Summit - The Future of FIWARE 4 Industry - New Technology Trend...FIWARE Global Summit - The Future of FIWARE 4 Industry - New Technology Trend...
FIWARE Global Summit - The Future of FIWARE 4 Industry - New Technology Trend...FIWARE
 
New industrial networks in cars
New industrial networks in cars New industrial networks in cars
New industrial networks in cars Wissam Kafa
 
Assess security from sensors to api c4 i 20151126
Assess security from sensors to api c4 i 20151126Assess security from sensors to api c4 i 20151126
Assess security from sensors to api c4 i 20151126Denis Rousset
 
Research on UVM Verification Platform Based on AXI4 Protocol Intellectual Pro...
Research on UVM Verification Platform Based on AXI4 Protocol Intellectual Pro...Research on UVM Verification Platform Based on AXI4 Protocol Intellectual Pro...
Research on UVM Verification Platform Based on AXI4 Protocol Intellectual Pro...IJRESJOURNAL
 
Le Bourget 2017 - Air Service Operator
Le Bourget 2017 - Air Service OperatorLe Bourget 2017 - Air Service Operator
Le Bourget 2017 - Air Service OperatorLeonardo
 
Introduction to reliability theories
Introduction to reliability theoriesIntroduction to reliability theories
Introduction to reliability theoriesFlorent Brissaud
 
Windows Filtering Platform And Winsock Kernel
Windows Filtering Platform And Winsock KernelWindows Filtering Platform And Winsock Kernel
Windows Filtering Platform And Winsock KernelHardway Hou
 
Functional and non-functional testing with IoT-Testware
Functional and non-functional testing with IoT-TestwareFunctional and non-functional testing with IoT-Testware
Functional and non-functional testing with IoT-TestwareAxel Rennoch
 
OMA LwM2M - HOP Ubiquitous
OMA LwM2M - HOP UbiquitousOMA LwM2M - HOP Ubiquitous
OMA LwM2M - HOP UbiquitousAntonio J. Jara
 
La programmation concurrente par flux de données
La programmation concurrente par flux de donnéesLa programmation concurrente par flux de données
La programmation concurrente par flux de donnéesMicrosoft
 
Project Reportfinal-black & white
Project Reportfinal-black & whiteProject Reportfinal-black & white
Project Reportfinal-black & whitearnab mitra
 

Similar to Safetronic_2016_Model Based Safety Analyses using AltaRica 3.0_Application on Advanced Driver Assistance_FINAL_VALEO (20)

TechnoAware VTrack 4.0 (English)
TechnoAware VTrack 4.0 (English)TechnoAware VTrack 4.0 (English)
TechnoAware VTrack 4.0 (English)
 
T89 introductiontofunctionalsafetyformachinery
T89 introductiontofunctionalsafetyformachineryT89 introductiontofunctionalsafetyformachinery
T89 introductiontofunctionalsafetyformachinery
 
SATCE Presentation for WATS 2016 Goodman
SATCE Presentation for WATS 2016 GoodmanSATCE Presentation for WATS 2016 Goodman
SATCE Presentation for WATS 2016 Goodman
 
[Capella Day Toulouse] ATL2 modernization: when MBSE keeps its promises
[Capella Day Toulouse] ATL2 modernization: when MBSE keeps its promises[Capella Day Toulouse] ATL2 modernization: when MBSE keeps its promises
[Capella Day Toulouse] ATL2 modernization: when MBSE keeps its promises
 
Breinstorm@HUMIQ - Automotive functionalsafety
Breinstorm@HUMIQ - Automotive functionalsafetyBreinstorm@HUMIQ - Automotive functionalsafety
Breinstorm@HUMIQ - Automotive functionalsafety
 
Erica The European Tiltrotor
Erica The European TiltrotorErica The European Tiltrotor
Erica The European Tiltrotor
 
OMA LwM2M Workshop - Antonio Jara, OMA LabKit
OMA LwM2M Workshop - Antonio Jara, OMA LabKitOMA LwM2M Workshop - Antonio Jara, OMA LabKit
OMA LwM2M Workshop - Antonio Jara, OMA LabKit
 
FIWARE Global Summit - The Future of FIWARE 4 Industry - New Technology Trend...
FIWARE Global Summit - The Future of FIWARE 4 Industry - New Technology Trend...FIWARE Global Summit - The Future of FIWARE 4 Industry - New Technology Trend...
FIWARE Global Summit - The Future of FIWARE 4 Industry - New Technology Trend...
 
New industrial networks in cars
New industrial networks in cars New industrial networks in cars
New industrial networks in cars
 
Assess security from sensors to api c4 i 20151126
Assess security from sensors to api c4 i 20151126Assess security from sensors to api c4 i 20151126
Assess security from sensors to api c4 i 20151126
 
Research on UVM Verification Platform Based on AXI4 Protocol Intellectual Pro...
Research on UVM Verification Platform Based on AXI4 Protocol Intellectual Pro...Research on UVM Verification Platform Based on AXI4 Protocol Intellectual Pro...
Research on UVM Verification Platform Based on AXI4 Protocol Intellectual Pro...
 
Le Bourget 2017 - Air Service Operator
Le Bourget 2017 - Air Service OperatorLe Bourget 2017 - Air Service Operator
Le Bourget 2017 - Air Service Operator
 
Introduction to reliability theories
Introduction to reliability theoriesIntroduction to reliability theories
Introduction to reliability theories
 
Windows Filtering Platform And Winsock Kernel
Windows Filtering Platform And Winsock KernelWindows Filtering Platform And Winsock Kernel
Windows Filtering Platform And Winsock Kernel
 
Functional and non-functional testing with IoT-Testware
Functional and non-functional testing with IoT-TestwareFunctional and non-functional testing with IoT-Testware
Functional and non-functional testing with IoT-Testware
 
Presentation
PresentationPresentation
Presentation
 
OMA LwM2M - HOP Ubiquitous
OMA LwM2M - HOP UbiquitousOMA LwM2M - HOP Ubiquitous
OMA LwM2M - HOP Ubiquitous
 
La programmation concurrente par flux de données
La programmation concurrente par flux de donnéesLa programmation concurrente par flux de données
La programmation concurrente par flux de données
 
Project Reportfinal-black & white
Project Reportfinal-black & whiteProject Reportfinal-black & white
Project Reportfinal-black & white
 
Rtos By Avanish Agarwal
Rtos By Avanish AgarwalRtos By Avanish Agarwal
Rtos By Avanish Agarwal
 

Safetronic_2016_Model Based Safety Analyses using AltaRica 3.0_Application on Advanced Driver Assistance_FINAL_VALEO

  • 1. Florent MEURVILLE [SAFETRONIC] 8th of Nov. 2016 I 1Property of Valeo. Duplication prohibited Confidential SAFETRONIC Conference : 8th of November 2016 Property of Valeo. Duplication prohibited Confidential Model Based Safety Analyses using AltaRica 3.0 : Application on Advanced Driver Assistance Systems Florent MEURVILLE florent.meurville@valeo.com Functional Safety & Modeling Expert Valeo Group Electronics Expertise & Development Services
  • 2. Florent MEURVILLE [SAFETRONIC] 8th of Nov. 2016 I 2Property of Valeo. Duplication prohibited Confidential The Agenda The Motivation Model Based Safety Analysis The AltaRica 3.0 formal language Example of application on a Level 3 Traffic Jam Chauffeur architecture Conclusions and Perspectives Questions & Answers
  • 3. Florent MEURVILLE [SAFETRONIC] 8th of Nov. 2016 I 3Property of Valeo. Duplication prohibited Confidential ADAS of Level 3 or above are a breakthrough in terms of complexity !! The Motivation Levels of automation of ADAS according to SAE Fail-Silent Fail-Operational  Driver only  Assisted Partial automation  Conditional automation  High automation Driver required during normal operation Driver not required during normal operation  Full automation
  • 4. Florent MEURVILLE [SAFETRONIC] 8th of Nov. 2016 I 4Property of Valeo. Duplication prohibited Confidential The Motivation Fail-Operational architecture More interaction with other systems SGxx ASILD SGzz ASILD Residual Risk Availability Redundancy Dynamic reconfiguration+ Need help for safety analyses !! Safety engineer
  • 5. Florent MEURVILLE [SAFETRONIC] 8th of Nov. 2016 I 5Property of Valeo. Duplication prohibited Confidential One Solution : Model Based Safety Analysis Model Based Safety Analysis (MBSA) aims to provide a model to automatically generate safety analyses. Recommended practice in the avionic safety standard (ARP4754) as an alternative technique to generate technical documents for certification. with a special focus on the AltaRica language. MBSA is used with success for more than 10 years in the aeronautics, railway, nuclear, space, military domains... Why not using MBSA in the automotive domain and especially on self driving cars ?
  • 6. The AltaRica language at a glance
    AltaRica is a high level formal language dedicated to safety analyses:
    it generalizes both Boolean formalisms (e.g. RBD, FTA) and state/transition formalisms (e.g. Petri nets, Markov chains),
    for modeling both combinatorial and dynamic aspects of failure propagation,
    in a hierarchical and modular way,
    from functional to physical abstraction levels.
  • 7. The AltaRica language at a glance
    1st version designed in the late 90's at the University of Bordeaux (LaBRI team), France: very powerful, but too resource consuming for industrial-scale systems.
  • 8. The AltaRica language at a glance
    2nd evolution (Data-Flow; 2002) is still the core of several current industrial tools: SIMFIA (APSYS), Safety Designer (Dassault Systèmes). Used with success for more than 10 years. Drawback: difficulty to handle looped systems.
  • 9. The AltaRica language at a glance
    3rd evolution of the language, AltaRica 3.0 (2013):
    a new underlying mathematical model that permits handling looped systems,
    new constructs to structure the model using component libraries (prototype-based language),
    a free, evolving Eclipse platform available.
  • 10. How does AltaRica 3.0 work?
    An AltaRica 3.0 class or block with input/output flows is made of three parts:
    Declaration of variables for flows / states, with their initialization, and declaration of events;
    Transitions, written event : Guard (inputs, states) -> Action on state variables (the slide's diagram shows states State1, State2, State3 linked by event1, event2, event3);
    Assertion: Outputs = f(Inputs, States).
  • 11. How does AltaRica 3.0 work? Example of a class:

    // Domains used by the class (declarations not shown on the slide, added for completeness)
    domain PhysicalState {WORKING, FAILED_NO_OUTPUT, FAILED_ERRONEOUS}
    domain Data {DATA_TRUE, NO_DATA, DATA_ERRONEOUS, UNDEFINED}

    class Command
      // State
      PhysicalState HealthState (init = WORKING);
      // Output
      Data Output (reset = DATA_TRUE);
      // Parameters
      parameter Real lambda = 0.000000300;  // 300 FIT
      parameter Real lambda2 = 0.000000030; // 30 FIT
      // Events
      event failure_no_output (delay = exponential(lambda));
      event failure_erroneous (delay = exponential(lambda2));
      transition
        failure_no_output : HealthState == WORKING -> HealthState := FAILED_NO_OUTPUT;
        failure_erroneous : HealthState == WORKING -> HealthState := FAILED_ERRONEOUS;
      assertion
        Output := if HealthState == WORKING then DATA_TRUE
                  else if HealthState == FAILED_NO_OUTPUT then NO_DATA
                  else if HealthState == FAILED_ERRONEOUS then DATA_ERRONEOUS
                  else UNDEFINED;
    end
  • 12. How does AltaRica 3.0 work? Instantiation of blocks from library classes (local AltaRica models S1, S2, ECU1, A1):

    class Sensor … end
    class ECU … end
    class Actuator … end

    block MySystem
      Sensor S1, S2;
      ECU ECU1;
      Actuator A1;
    end
  • 13. How does AltaRica 3.0 work? Connection of blocks through assertions, plus a specific observer to trigger (global AltaRica model):

    block MySystem
      …
      observer Boolean SG1_isViolated = ECU1.output == false;
      assertion
        ECU1.input1 := S1.output;
        ECU1.input2 := S2.output;
        A1.input := ECU1.output;
    end
  • 14. How does AltaRica 3.0 work? From the global AltaRica model (S1, S2, ECU1, A1 connected), FTAs are generated.
  • 15. From a tool platform perspective
    AltaRica 3.0 model (.alt) -> AltaRica compiler (model consistency check & flattening) -> flattened model (.alt.xml)
    Flattened model -> FTA generator -> OpenPSA format (.alt.opsa) -> calculation of cut sets using the XFTA free engine
    Flattened model -> step-wise simulator, for debugging or replaying a failure scenario
  • 16. Example of application on a Traffic Jam Chauffeur architecture (Level 3 system)
    TJC activation possible when: dual carriageway; target vehicle in front; vehicle speed below a limit.
    TJC is managing mainly: longitudinal control; limited lateral control to keep the vehicle in the lane.
    In case of failure detection in the TJC, a takeover request is sent to the driver.
    If the driver does not take over control of the car within 10 s, then emergency braking in the lane.
  • 17. Example of application on a Traffic Jam Chauffeur architecture
    Which Fail-Operational architecture is the most suitable to maximize the TJC availability and minimize its residual risk to send an erroneous command ?
    Three candidates: Triple Modular Redundancy; Duo Duplex with Comparator; Duo Duplex with Fault Detector.
  • 18. Example of application on a Traffic Jam Chauffeur architecture: Triple Modular Redundancy
    Command1, Command2, Command3 -> Voter 2oo3 -> Command, and Takeover Request or Safe Stop Request (if none, emergency brake upstream).
    Voter 2oo3 behavior:
    If two of the inputs are similar then the value is propagated through Command.
    If one of the inputs is fail silent then a takeover request is sent.
    If all inputs are different then no command.
  • 19. Example of application on a Traffic Jam Chauffeur architecture: Triple Modular Redundancy
    class Command: failure_no_output 300 FIT; failure_erroneous 30 FIT.
    class 2oo3 (voter): failure_no_output 10 FIT; failure_erroneous 10 FIT.
    Numerical values for failure rates and diagnostics were arbitrarily selected for the presentation (theoretical use case).
  • 20. Example of application on a Traffic Jam Chauffeur architecture: Duo Duplex with Comparator (architecture diagram)
  • 21. Example of application on a Traffic Jam Chauffeur architecture: Duo Duplex with Comparator, general behavior
    If comparator1 only detects an error, then reconfiguration to select the backup channel; a takeover request is sent to the driver.
    If comparator2 only detects an error, then a takeover request is sent to the driver.
    If comparator1 and comparator2 both detect an error, then the Output Switch is opened.
  • 22. Example of application on a Traffic Jam Chauffeur architecture: Duo Duplex with Comparator, comparator behavior
    If one of the inputs is fail silent then an error is detected.
    If one of the inputs is erroneous then an error is detected according to a certain diagnostic coverage.
    If two of the inputs are erroneous then no error is detected.
  • 23. Example of application on a Traffic Jam Chauffeur architecture: Duo Duplex with Comparator, 4 new classes needed
    class Reconfig: failure_no_reconfig 10 FIT; failure_err_reconfig 10 FIT; failure_no_line_cutoff 10 FIT; failure_err_line_cutoff 10 FIT.
    class Comparator: failure_no_output 10 FIT; failure_erroneous 10 FIT; Detecting 95%; Not_Detecting 5%.
    class Selector Switch: stuck_position_1 20 FIT; stuck_position_2 20 FIT.
    class Output Switch: stuck_open 50 FIT; stuck_closed 50 FIT.
  • 24. Example of application on a Traffic Jam Chauffeur architecture: Duo Duplex with Fault Detector
    Similar general behavior to the Duo Duplex with Comparator architecture.
  • 25. Example of application on a Traffic Jam Chauffeur architecture: Duo Duplex with Fault Detector, fault detector behavior
    If one of the inputs is fail silent then an error is detected.
    If one of the inputs is erroneous then an error is detected according to a certain diagnostic coverage.
  • 26. Example of application on a Traffic Jam Chauffeur architecture: Duo Duplex with Fault Detector, 1 new class needed
    class Fault Detector: failure_no_output 10 FIT; failure_erroneous 10 FIT; Detecting 90%; Not_Detecting 10%.
  • 27. Example of application on a Traffic Jam Chauffeur architecture: TJC availability during mission time
    List of cut sets for TAKEOVER_REQUEST (main contributors):
    Triple Modular Redundancy (Voter 2oo3):
      {Command1.failure_no_output}
      {Command2.failure_no_output}
      {Command3.failure_no_output}
    Duo Duplex with Fault Detector:
      {Command1.failure_no_output}
      {Command3.failure_no_output}
      {Command1.failure_erroneous, FD1.Detect}
      {Command3.failure_erroneous, FD2.Detect}
      {RC.failure_err_reconfig}
      {FD21.failure_no_output}
      {FD22.failure_no_output}
    Duo Duplex with Comparator:
      {Command1.failure_no_output}
      {Command2.failure_no_output}
      {Command3.failure_no_output}
      {Command4.failure_no_output}
      {Command1.failure_erroneous, Comparator1.Detect}
      {Command2.failure_erroneous, Comparator1.Detect}
      {Command3.failure_erroneous, Comparator2.Detect}
      {Command4.failure_erroneous, Comparator2.Detect}
      {RC.failure_err_reconfig}
      {Comparator1.failure_no_output}
      {Comparator2.failure_no_output}
  • 28. Example of application on a Traffic Jam Chauffeur architecture: Residual risk to send an erroneous command
    List of cut sets for DATA_ERRONEOUS (main contributors):
    Triple Modular Redundancy (Voter 2oo3): 4 cut sets (order 2 max)
      {Voter_2oo3.failure_erroneous}
      {Command1.failure_erroneous, Command2.failure_erroneous}
      {Command1.failure_erroneous, Command3.failure_erroneous}
      {Command2.failure_erroneous, Command3.failure_erroneous}
    Duo Duplex with Fault Detector: out of 34 cut sets (order 6 max)
      {Command1.failure_erroneous, FD1.NotDetect}
      {Command1.failure_erroneous, SELS.stuck_position1}
      {Command1.failure_erroneous, FD1.Detect, FD1.failure_erroneous}
      {Command1.failure_erroneous, FD1.Detect, RC.failure_no_reconfig}
      {Command1.failure_no_output, Command3.failure_erroneous, FD2.Notdetect}
      {Command2.failure_no_output, Command3.failure_erroneous, FD2.Notdetect}
    Duo Duplex with Comparator: out of 81 cut sets (order 7 max)
      {Command1.failure_erroneous, Comparator1.NotDetect}
      {Command1.failure_erroneous, Command2.failure_erroneous}
      {Command1.failure_erroneous, SELS.stuck_position1}
      {Command1.failure_erroneous, Comparator1.Detect, Comparator1.failure_erroneous}
      {Command1.failure_erroneous, Comparator1.Detect, RC.failure_no_reconfig}
      {Command1.failure_no_output, Command3.failure_erroneous, Comparator2.NotDetect}
      {Command2.failure_no_output, Command3.failure_erroneous, Comparator2.NotDetect}
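As an added example (not code from the presentation or the OpenAltaRica platform), the Triple Modular Redundancy model of the slides re-expressed in Python: the Command and Voter 2oo3 behaviours with the slides' arbitrary failure rates, a brute-force minimal cut set search standing in for the compiler + XFTA chain, and a rare-event estimate of each observer's probability over a mission time. The observer names and the voter's event names (Voter_2oo3.failure_no_output / failure_erroneous) are assumptions of this example.

```python
"""Added example, not from the Valeo deck: the Triple Modular Redundancy
model of the slides in Python, to show what the AltaRica compiler + XFTA
chain computes. Observer and voter event names are assumptions."""
from itertools import combinations
from math import exp

DATA_TRUE, NO_DATA, DATA_ERRONEOUS = "DATA_TRUE", "NO_DATA", "DATA_ERRONEOUS"

# Failure events with the slides' arbitrary rates in FIT (1 FIT = 1e-9 / h).
EVENTS = {
    "Command1.failure_no_output": 300, "Command1.failure_erroneous": 30,
    "Command2.failure_no_output": 300, "Command2.failure_erroneous": 30,
    "Command3.failure_no_output": 300, "Command3.failure_erroneous": 30,
    "Voter_2oo3.failure_no_output": 10, "Voter_2oo3.failure_erroneous": 10,
}

def command_output(failed, name):
    """Assertion of the Command class: Output follows HealthState."""
    if f"{name}.failure_no_output" in failed:
        return NO_DATA
    if f"{name}.failure_erroneous" in failed:
        return DATA_ERRONEOUS
    return DATA_TRUE

def voter_2oo3(failed, inputs):
    """Voter 2oo3 behaviour plus its own failure modes -> (Command, TakeoverRequest)."""
    if "Voter_2oo3.failure_no_output" in failed:
        return NO_DATA, False         # fail silent: emergency brake upstream
    if "Voter_2oo3.failure_erroneous" in failed:
        return DATA_ERRONEOUS, False
    takeover = NO_DATA in inputs      # one input fail silent -> takeover request
    for value in (DATA_TRUE, DATA_ERRONEOUS):
        if inputs.count(value) >= 2:  # two similar inputs are propagated
            return value, takeover
    return NO_DATA, takeover          # all inputs different -> no command

def observers(failed):
    """Global model: three Command blocks wired to the voter, two observers."""
    inputs = [command_output(failed, n) for n in ("Command1", "Command2", "Command3")]
    command, takeover = voter_2oo3(failed, inputs)
    return {"DATA_ERRONEOUS": command == DATA_ERRONEOUS, "TAKEOVER_REQUEST": takeover}

def minimal_cut_sets(observer, max_order=3):
    """Brute-force stand-in for XFTA: enumerate event combinations by increasing
    order, keep those that raise the observer and contain no smaller cut set.
    A component cannot fail twice, so two events of one component never mix."""
    found = []
    for order in range(1, max_order + 1):
        for combo in combinations(EVENTS, order):
            owners = [event.split(".")[0] for event in combo]
            if len(set(owners)) < len(owners):
                continue
            cut_set = frozenset(combo)
            if any(known <= cut_set for known in found):
                continue
            if observers(cut_set)[observer]:
                found.append(cut_set)
    return found

def top_event_probability(cut_sets, mission_hours):
    """Rare-event approximation: sum over minimal cut sets of the product of
    the component unreliabilities 1 - exp(-lambda * t)."""
    total = 0.0
    for cut_set in cut_sets:
        prob = 1.0
        for event in cut_set:
            prob *= 1.0 - exp(-EVENTS[event] * 1e-9 * mission_hours)
        total += prob
    return total
```

With the slides' rates, minimal_cut_sets("DATA_ERRONEOUS") returns the four cut sets of order 2 max listed above, and the three order-1 cut sets for TAKEOVER_REQUEST show why availability is driven by the 300 FIT fail-silent mode rather than the 30 FIT erroneous one.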
  • 29. Example of application on a Traffic Jam Chauffeur architecture
    Remember our initial goal: which Fail-Operational architecture is the most suitable to maximize the TJC availability and minimize its residual risk to send an erroneous command ?
    Duo Duplex with Fault Detector: best to maximize TJC availability.
    Duo Duplex with Comparator: best to minimize the residual risk.
  • 30. Example of application on a Traffic Jam Chauffeur architecture
    A good compromise is a Duo Duplex Hybrid architecture. After 10000 h: TJC availability ~ 99%; residual risk to send an erroneous command = 1.56E-9 failure / hour.
  • 31. Example of application on a Traffic Jam Chauffeur architecture
    A possible physical implementation of the Duo Duplex Hybrid architecture (diagram).
  • 32. Example of application on a Traffic Jam Chauffeur architecture: setup of two observers for post-treatment

    FrontCrash : if (ExtScene.NeedToBrake == true) and (EgoCar.Braking == false) then true else false;
    RearCrash  : if (ExtScene.NeedToBrake == false) and (EgoCar.Braking == true) then true else false;

    External Scene setup: NeedToBrake == true / NeedToBrake == false, i.e. what the vehicle in front is doing !
  • 33. Example of application on a Traffic Jam Chauffeur architecture: partial list of cut sets leading potentially to a front crash (FrontCrash == true)
    Order 1: {Bus1.failure_erroneous}
    Order 1: {Bus3.failure_erroneous}
    Order 2: {ECU1.Command1.failure_erroneous, ECU1.Comparator1.NotDetect}
    Order 2: {ECU1.Command1.failure_erroneous, ECU1.Command2.failure_erroneous}
    Order 2: {S1.failure_erroneous, S2.failure_erroneous}
    Order 2: {S1.failure_erroneous, S3.failure_erroneous}
    Order 2: {S2.failure_erroneous, S3.failure_erroneous}
    Order 2: {ECU2.SELS.stuck_position_1, ECU1.Command1.failure_erroneous}
    Order 3: {ECU1.Command1.failure_no_output, ECU1.Command3.failure_erroneous, ECU1.FD2.NotDetect}
    Order 3: {ECU1.Command2.failure_no_output, ECU1.Command3.failure_erroneous, ECU1.FD2.NotDetect}
    Order 3: {ECU1.Command1.failure_erroneous, ECU1.Comparator1.Detect, ECU1.Comparator1.failure_erroneous}
    Order 3: {ECU1.Command1.failure_erroneous, ECU1.Comparator1.Detect, ECU2.RC.failure_no_reconfig}
    Order 3: {ECU2.RC.failure_err_reconfig, ECU1.Command3.failure_erroneous, ECU1.FD2.NotDetect}
    Order 3: {ECU1.Comparator1.failure_no_output, ECU1.Command3.failure_erroneous, ECU1.FD2.NotDetect}
    Order 3: {ECU1.Command2.failure_no_output, ECU2.RC.failure_no_reconfig, ECU1.Command1.failure_erroneous}
    Order 3: {ECU1.Comparator1.failure_no_output, ECU2.RC.failure_no_reconfig, ECU1.Command1.failure_erroneous}
    Order 4: {ECU1.Command2.failure_erroneous, ECU1.Comparator1.Detect, ECU1.Command3.failure_erroneous, ECU1.FD2.NotDetect}
    Order 4: {ECU1.Command1.failure_erroneous, ECU1.Comparator1.Detect, ECU1.Command3.failure_erroneous, ECU1.FD2.NotDetect}
    Order 4: {ECU1.Command1.failure_no_output, ECU1.Command3.failure_erroneous, ECU1.FD2.Detect, ECU2.OS.stuck_closed}
    Order 4: {ECU1.Command2.failure_no_output, ECU1.Command3.failure_erroneous, ECU1.FD2.Detect, ECU2.OS.stuck_closed}
    Order 4: {ECU1.Command1.failure_no_output, ECU1.Command3.failure_erroneous, ECU1.FD2.Detect, ECU1.FD2.failure_erroneous}
    Order 4: {ECU1.Command2.failure_no_output, ECU1.Command3.failure_erroneous, ECU1.FD2.Detect, ECU1.FD2.failure_erroneous}
    Order 4: {ECU1.Comparator1.failure_no_output, ECU1.Command3.failure_erroneous, ECU1.FD2.Detect, ECU2.OS.stuck_closed}
    Order 4: {ECU2.RC.failure_err_reconfig, ECU1.Command3.failure_erroneous, ECU1.FD2.Detect, ECU1.FD2.failure_erroneous}
    Order 4: {ECU1.Comparator1.failure_no_output, ECU1.Command3.failure_erroneous, ECU1.FD2.Detect, ECU1.FD2.failure_erroneous}
    Order 4: {ECU1.Command1.failure_no_output, ECU1.Command3.failure_erroneous, ECU1.FD2.failure_no_output, ECU2.OS.stuck_closed}
    Order 4: {ECU1.Command2.failure_no_output, ECU1.Command3.failure_erroneous, ECU1.FD2.failure_no_output, ECU2.OS.stuck_closed}
  • 34. Example of application on a Traffic Jam Chauffeur architecture: partial list of cut sets leading potentially to a rear crash (RearCrash == true)
    Order 1: {ECU2.OS.stuck_open}
    Order 1: {ECU2.RC.failure_err_line_cutoff}
    Order 1: {Bat1.failure_no_output}
    Order 1: {Bus1.failure_erroneous}
    Order 1: {Bus3.failure_erroneous}
    Order 1: {Bus1.failure_no_output}
    Order 1: {Bus3.failure_no_output}
    Order 2: {ECU1.Command1.failure_erroneous, ECU1.Comparator1.NotDetect}
    Order 2: {ECU1.Command1.failure_erroneous, ECU1.Command2.failure_erroneous}
    Order 2: {S1.failure_erroneous, S2.failure_erroneous}
    Order 2: {S1.failure_erroneous, S3.failure_erroneous}
    Order 2: {S2.failure_erroneous, S3.failure_erroneous}
    Order 2: {ECU1.Command3.failure_no_output, Dr.driverFallingAsleep}
    Order 2: {ECU1.Command2.failure_no_output, Dr.driverFallingAsleep}
    Order 2: {ECU1.Command1.failure_no_output, Dr.driverFallingAsleep}
    Order 2: {ECU2.RC.failure_err_reconfig, Dr.driverFallingAsleep}
    Order 2: {ECU1.FD2.failure_no_output, Dr.driverFallingAsleep}
    Order 2: {ECU1.Comparator1.failure_no_output, Dr.driverFallingAsleep}
    Order 2: {ECU1.Command2.failure_no_output, ECU1.Command3.failure_no_output}
    Order 2: {ECU1.Command1.failure_no_output, ECU1.Command3.failure_no_output}
    Order 2: {ECU1.Command2.failure_no_output, ECU1.FD2.failure_no_output}
    Order 2: {ECU1.Command1.failure_no_output, ECU1.FD2.failure_no_output}
    Order 2: {ECU1.Command3.failure_no_output, ECU1.Comparator1.failure_no_output}
    Order 2: {ECU1.Comparator1.failure_no_output, ECU1.FD2.failure_no_output}
    Order 3: {ECU1.Command2.failure_erroneous, ECU1.Comparator1.Detect, Dr.driverFallingAsleep}
    Order 3: {ECU1.Command1.failure_erroneous, ECU1.Comparator1.Detect, Dr.driverFallingAsleep}
    Order 3: {ECU1.Command3.failure_erroneous, ECU1.FD2.Detect, Dr.driverFallingAsleep}
    Order 3: {ECU1.Command2.failure_erroneous, ECU1.Comparator1.Detect, ECU1.FD2.failure_no_output}
    Order 3: {ECU1.Command1.failure_erroneous, ECU1.Comparator1.Detect, ECU1.FD2.failure_no_output}
  • 35. Conclusions
    Benefits:
    Quick assessment of an architecture: quantified allocation of targets for failure rates and diagnostic coverage,
    Library components can be easily validated, maintained and reused,
    Ensures exhaustiveness of the safety analyses,
    Allows safety requirements to be modeled in a formal way.
    Drawbacks:
    Generated FTAs are difficult to read (need to focus on cut sets),
    Sequence generator missing,
    No graphical display.
  • 36. Perspectives / Next Steps
    Interface the OpenAltaRica platform with automotive safety tools,
    Carry on building component libraries with more details,
    Evaluate the new modules coming from the OpenAltaRica platform,
    Investigate "exotic" architectures for Level 4 / Level 5 systems.
  • 37. Want to know more ?
    [1] AVL presentation, "Hardware architectures for fail operational systems in vehicle - possibilities and requirements for future microcontrollers", Dr. M. Steindl, C. Miedl, Safetronic 2015
    [2] OpenAltaRica platform
    [3] "AltaRica 3.0: a Model-Based approach for Safety Analysis", T. Prosvirnova, Ecole Polytechnique, France
    [4] "Toward a mode-based approach of ISO26262 using AltaRica", F. Meurville et al., Valeo, France
    [5] The Open PSA Model Exchange Format
  • 38. Thanks a lot for your attention !! Any questions ?