FUNCTIONAL SAFETY FOR AUTONOMOUS DRIVING

Dr. Justyna Zander, NVIDIA | January 30, 2017

IS&T Int. Symposium on Electronic Imaging 2017; Autonomous Vehicles and Machines 2017; 29 January - 2 February, 2017 • Burlingame, CA, USA

FUNCTIONAL SAFETY FOR AUTONOMOUS DRIVING

Prototypical

Autonomy ERA

Automated Driving

Assistance Systems ERA

Machine monitors human Self-driving prototypes AI-based machine in control

Great Very limited in use Amazing!

Safe and Certified

Autonomous Driving ERA

FULL AUTONOMY WITH FUNCTIONAL SAFETY

FUNCTIONAL SAFETY: A TECHNICAL TERM

The objective of functional safety is freedom from unacceptable risk of physical injury or

of damage to the health of people either directly or indirectly (through damage to property

or to the environment).

Functional safety is intrinsically end-to-end in scope in that it has to treat the function of a

component or subsystem as part of the function of the whole system.

Functional Safety is the absence of unreasonable risk due to hazards caused by

malfunctioning behavior of electrical and electronic systems.

Source: ISO 26262-1:2011, “Road vehicles - Functional safety - Part 1: Vocabulary.”

FUNCTIONAL SAFETY HIGHLIGHTS

Traceable processes and certifiable coding are complex

Tools require ISO26262 qualification

Safety design must be included in the system-level design

Development

Process

Classified

Tools

Functional

Safety Design

Source: ISO 26262-1-10:2011/2012, “Road vehicles - Functional safety - Part 3 Part 10.”

LOCALIZE

MAP

AUTONOMOUS DRIVING PIPELINE

CONTROLSENSE

PLAN

PERCEIVE

END-TO-END DEEP LEARNING PLATFORMFOR SELF-DRIVING CARS

NVIDIA® DRIVE™ PX 2 | NVIDIA® XavierNVIDIA® DGX-1™NVIDIA® DIGITS

NVIDIA® DriveWorks

Localization

Planning

Visualization

Perception

DRIVEWORKS

COMBO: 3D VEHICLE, LANES, OPEN ROAD

Courtesy of Audi

VEHICLE DETECTION IN BAD WEATHER

based on modified CityScapes dataset

NVIDIA® DRIVE™ PX 212 CPU cores | Pascal GPU | 8 TFLOPS | 24 DL TOPS | 16nm FF | 250W

World’s First AI Supercomputer for Self-Driving Cars

Cameras

Other Sensors

NVMEDIA OpenGL ES, CUDA

cuDNNComputer Vision PrimitivesDriveWorks

SAL

DriveWorks Modules, NVDRIVENET

DriveWorks Dataflow Layer

Autonomous Driving Applications

DriveWorksTools

NVIDIA DRIVEWORKS SOFTWARE STACK

HW V4L SDK DriveWorks Applications

UNINTENDED ACCELERATION

Sudden unintended acceleration is the unintended, unexpected, uncontrolledacceleration of a vehicle, often accompanied by an apparent loss of brakingeffectiveness.

It may be caused by mechanical, electrical, or electronic problems, driver error(e.g., pedal misapplication), or some combination of these factors.

Case Study

UNINTENDED ACCELERATIONCase Study

Hazard: Unintended acceleration and loss of braking effectiveness.

Safety goal: Mitigate the risk of an unintended acceleration.

Safety requirements: ???


Unintended

Acceleration

Braking

system

failure

Throttle

system

failure

Brake

pedal

failure

Brake

switch

failure

Throttle

pedal

failure

Incorrect

throttle

angle

calculation

OR

OR OR

FAULT TREE



Safety requirements:

Vehicle longitudinal acceleration shall not exceed driver demand by 1.3 m/s2 for longer than 1s (ASIL B).


SAFETY DESIGN PATTERN

Detect

FailureReact:

Mitigate | Heal

ASIL

assignment

Signal

Plausibility

Check

Fallback Strategy

throttle angle

longitudinal acceleration

1 second … Timing!



Safety requirements:

Vehicle longitudinal acceleration shall not exceed driver demand by 1.3 m/s2 for longer than 1s (ASIL B).

Within time budget of 1.001s detect the scenario where the vehicle positive longitudinal acceleration exceeds driver demand by 1.3 m/s2 for longer than 1s.

Within time budget of 0.1s mitigate to safe state, where safe state is: shut off the acceleration by shutting down the throttle (ASIL B).


Determine the

acceleration request

Calculate the

acceleration value

Determine

the throttle angle

Position the output

throttle angle

Determine the

acceleration request

using additional signal

Determine the throttle

angle using additional

signal source

Calculate the

acceleration value

Shut down

throttle

Compare the

acceleration

calculation results

SAFETY DESIGN EXAMPLE FOR UNINTENDED ACCELERATION

Functionality Safety Design Hardware

Sensor A

Control chip

Sensor B

Safety chip

Power

switch

ADC1 ADC2

WHAT IS NEXT?

8 Core Custom ARM64 CPU

512 Core Volta GPU

Designed for ASIL D Functional Safety

30 TOPS DL | 30W

XAVIER

SOFTWARE STACK – 30,000’ ROADMAPCommon foundation | OS agnostic VM services | OEM Guest OSs

Com

m S

erv

ices

Securi

ty S

erv

ices

Natu

ral Language

Gest

ure

& F

acia

l

Surr

ound V

iew

Auto

Pilot

Vir

tual M

irro

rs

AI Co-P

ilot

Foundation - Hypervisor

Andro

id G

uest

QN

X G

uest

Lin

ux G

uest

Foundati

on S

erv

ices

More

serv

ices.

..

DRIVE CX 2Moonracer

DRIVE PX 2AutoChauffeur

DRIVE PX 2AutoCruise

DRIVE CX 2Sunstreaker

Xavier + Volta

Tegra & dGPUTegra

Capabilities scale with performance

SoC

Safe

ty S

erv

ices

Functi

onal Safe

ty D

esi

gns

European New Car Assessment Program(EURO NCAP) 2018

WHAT ELSE IS NEXT?

“YOUR TIME IS COMING. DO NOT BE LATE!”

IHVs

OEMs

ISVs

Tier 1sResearchers

SW Companies

Technology Provider(NVIDIA)

AUTONOMOUS DRIVING ECOSYSTEM

Dr. Urs Muller

Thank you!

[email protected]

mailto:[email protected]

NVIDIA DRIVEWORKS SOFTWARE STACK

NVIDIA DRIVEWORKS SDK

PERCEPTION

Autonomous Driving Applications

LOCALIZATION VISUALIZATIONPLANNING

Segmentation

Sensor Fusion

Objects (NVDRIVENet)

GPS Trilateration

Map Fusion

Landmarks (NVDRIVENet)

Mission

Trajectory

Behavior (NVDRIVENet)

NVIDIA System Software

Researchers

AUTONOMOUS DRIVING ECOSYSTEM

Demand Gen

CUSTOMERSDEVELOPERS

ISVs

IHVsValue

Creation

Drive PX

DriveWorks SDK

OEMs

SW Companies

Tier 1s

Drive PX

Documents

FUNCTIONAL SAFETY FOR AUTONOMOUS DRIVING