Automated Driving Systems with Model-Based Design for ISO 26262:2018 and SOTIF

Transcription

1 Automated Driving Systems with Model-Based Design for ISO 26262:2018 and SOTIF Konstantin Dmitriev The MathWorks, Inc. Certification and Standards Group 2018 The MathWorks, Inc. 1

2 Agenda Use of simulation to satisfy ISO SOTIF objectives Model-Based Design methods to satisfy ISO :2018 Confidence in the use of the tools 2

3 ISO SOTIF Safety of the Intended Functionality Deal with system limitations not related to failures Insufficient robustness of sensor Incomplete system requirements Supplement ISO Known Safe Scenarios Unknown Safe Scenarios Unknown Unsafe Scenarios Know Unsafe Scenarios 3

4 SOTIF vs ISO SOTIF Risks Identification Functional Improvement and SOTIF V&V Strategy Functional Description HARA and Functional Safety Concept Vehicle Validation Tests SOTIF Validation SOTIF: system limitations not related to system failures Technical Safety Concept System Verification Tests SOTIF Verification ISO 26262: systematic and random system failures Software and Hardware Development 4

5 SOTIF Verification and Validations Environment for VnV MIL - Model-in-the-loop SIL - Software-in-the-loop PIL Processor-in-the-loop HIL - Hardware-in-the-loop Vehicle-level testing On selected scenarios SOTIF Hazard Identification and Evaluation Requirements-Based Testing Known Unsafe Scenarios Unknown Unsafe Scenarios Known Safe Scenarios Unknown Safe Scenarios Stochastic Testing / Simulation 5

6 Driving Scenarios with MathWorks Automated Driving Toolbox + + ROADS ACTORS ENVIRONMENTAL RANDOMIZATION 6

7 Model-Based Design Methods to Satisfy ISO 26262:2018 7

8 ISO Functional Safety Standard Significant process rigor and engineering effort Modern methods including Model-Based Design (MBD) Second edition is coming in

9 ISO Methods and Model-Based Design Supported by MBD ++ Highly Recommended + Recommended o No Recommendation T-1 T-2 T-3 T-4 T-5 T-6 T-7 T-8 T-9 T-10 T-11 T-12 T-13 T-14 T-15 a o o b c d e f g h i j k ++ l ++ m ++ n ++ 9

10 Advanced Simulink-Based Workflow for ISO

11 MBD for Modelling and Coding Guidelines T-1 T-2 T-3 T-4 T-5 T-6 T-7 T-8 T-9 T-10 T-11 T-12 T-13 T-14 T-15 a o o b c d e f g h i j k ++ l ++ m ++ n ++ ISO Table 1: MISRA CERT-C Language Subsets Low Complexity Strong Typing Naming Conventions Style Guides 11

12 MBD for Software Architecture and Unit Design Notation T-1 T-2 T-3 T-4 T-5 T-6 T-7 T-8 T-9 T-10 T-11 T-12 T-13 T-14 T-15 a o o b c d e f g h i j k ++ l ++ m ++ n ++ ISO Tables 2 & 5: Natural Language Informal Notation Semi-Formal Notation 12

13 MBD for SW Architecture and Unit Design Principles T-1 T-2 T-3 T-4 T-5 T-6 T-7 T-8 T-9 T-10 T-11 T-12 T-13 T-14 T-15 a o o b c d e f g h i j k ++ l ++ m ++ n ++ ISO Tables 3 & 6: Hierarchical structure Restricted size and complexity Restricted use of interrupts No dynamic objects No multiple name use No recursion 13

14 MBD for Verification of Software Architecture, Units and Integration T-1 T-2 T-3 T-4 T-5 T-6 T-7 T-8 T-9 T-10 T-11 T-12 T-13 T-14 T-15 a o o b c d e f g h i j k ++ l ++ m ++ n ++ Tables 4, 7 & 10: Simulation (MIL), inspection, walkthrough Testing Requirements-based Back-to-back with SIL and PIL Fault injection Static Code Analysis Semi-formal and formal verification Control and data flow analysis 14

15 MBD for Methods for Deriving Tests and Structural Coverage Metrics T-1 T-2 T-3 T-4 T-5 T-6 T-7 T-8 T-9 T-10 T-11 T-12 T-13 T-14 T-15 a o o b c d e f g h i j k ++ l ++ m ++ n ++ ISO Tables 8, 9, 11 & 12: Analysis of requirements Analysis of boundary values Analysis of equivalence classes Structural coverage Statement, Branch, MCDC Functions, Calls 15

16 MBD for Testing of Embedded SW T-1 T-2 T-3 T-4 T-5 T-6 T-7 T-8 T-9 T-10 T-11 T-12 T-13 T-14 T-15 a o o b c d e f g h i j k ++ l ++ m ++ n ++ ISO :2018 Tables Requirements-based tests Fault injection tests Test deriving with Analysis of requirements Analysis of boundary values Analysis of equivalence classes Hardware-in-the-loop 16

17 Example of Automation with Qualified MathWorks Toolchain Test Automation Static Model Analysis Interactive Model Coverage Requirements Linking Structural Coverage Summary 17

18 ISO 26262:2018 Highlights Evaluated ISO 26262:2018 updates with TÜV SÜD The certified versions of Simulink Test are suitable to be used in safety critical development regarding the draft of the second edition of ISO Clarifications of some Model-Based Design aspects SW design review at model level Coverage analysis at model level More focus on static verification Testing -> Verification 18

19 ISO :2018 and Model-Based Simulink Workflow T-1 T-2 T-3 T-4 T-5 T-6 T-7 T-8 T-9 T-10 T-11 T-12 T-13 T-14 T-15 a o o b c d e f g h i j k ++ l ++ m ++ n ++ ISO Methods Model-Based Workflow 19

20 Confidence in the Tools Use for ISO Pre-qualification based on reference use cases / workflows Independent Assessment Certification Kit Tool User Project-specific adaptation 20

21 ISO Tool Qualification Methods 21

22 ISO Tool Certification Artifacts Reference workflow with conformance demonstration template Evidences of independent assessment Assessment certification report Certificate Pre-filled templates for qualification artifacts Conformance Demonstration Template Tool Qualification Package Validation test suite setup files 22

23 Summary Simulation is the key technology to comply with SOTIF objectives Model-Based Design enables you to comply with ISO 26262:2018 automating development and verification T-1 T-2 T-3 T-4 T-5 T-6 T-7 T-8 T-9 T-10 T-11 T-12 T-13 T-14 T-15 a o o b c d e f g h i j k ++ l ++ m ++ n ++ ISO tools qualification process provides confidence in the use of the tools 23