Safe Human Machine Interface (HMI) Requirements of the Digital Cockpit


Copyright © 2019 Arm TechCon, All rights reserved.

#ArmTechCon

Safe Human Machine Interface (HMI) Requirements of the Digital Cockpit

Daniel Bernal, Digital Cockpit Platform Manager, Arm, Inc.

Lee Melatti, VP, Business Development, Core Avionics & Industrial Inc.


Abstract

Vehicle cockpits are undergoing a technology revolution. Additional sensors and displays carrying safety relevant data are the new normal. This presentation examines the requirements of new vehicle cockpit workloads and the challenges they present when architecting cockpit controller platforms that must present safety relevant data to the operator.


Topics

• Automotive Safety

• Lessons Learned from other Safety Relevant Markets

• Safety Stacking Principles

• Safety Critical Graphics and Compute Solutions

• Current Vehicle Cockpit Safety HMI Designs

• Trends in Digital Cockpit Architectures

• Future Vehicle Cockpit Safe HMI Architectures


Automotive Safety


The Automotive Safety Problem


Software Complexity in Automotive will Only Increase

Source: https://www.aasdn.com.au/driven-by-code/


Hardware and Software Reliability Relationship


Lessons Learned from other Safety Relevant Markets


Aviation Safety History


Aviation Safety

It is estimated that 40 million commercial flights will occur worldwide in 2019.

• The fatal accident rate for large commercial passenger flights in 2018 was 0.36 per million flights, or one fatal accident for every 3 million flights

• That is up from 2017’s 0.06 per million flight rate and above the most recent five-year average of 0.24 per million flights

• Recent B737 Max 8 events underscore the need for a safety certification process, oversight and, most importantly, culture

• Safety events trigger large scale investigations that typically result in broad safety modifications and industry improvements


Safety Applications


Safety Stacking Principles


Safety Critical Stacking

(Diagram) Stack layers, bottom to top: Hardware, Driver, Hypervisor, Operating Systems, Application. Side labels: Functional Errors; Safety Critical Constraints.


Safety Principles Create Constraints

• Deterministic

• Bounded (in space and time)

• Non-blocking code (no semaphores)

• Interrupts challenge time boundaries

• Error/failure detecting

• Defining what is an error or failure


Safety Critical Graphics and Compute


Safety Critical Graphics and Compute

(Diagram) APIs: OpenGL SC 1.0, OpenGL SC 2.0, OpenCL SC, Vulkan SC, running on GPU / GPGPU units. Markets: Avionics & Defense, Automotive, Digital Twin (Internet of Manufacturing). Standards: RTCA DO-178C / EUROCAE ED-12C (Avionics), IEC 60880, EN 50128.


What makes an API safety critical?

The Vulkan SC working group is in the early stages of developing a safety critical API based on Vulkan, but…

…in general, safety will likely focus on:

• Deterministic Execution (predictable execution times and results, e.g. offline compilation with Vulkan SC ingesting compiled shader ISA binaries)

• Robustness (removing ambiguity, clarifying undefined behavior)

• Simplification (changes made to reduce certification effort and challenges)


What Vulkan Safety Critical Offers

• First safety critical compute open standard

• Allows development of a multi-use platform of safety certifiable applications through graphics and computer hardware abstraction

• Improves GPU performance on a per watt basis and reduces impact on the CPU, thereby lowering system cost for similar performance

• Supports graphics and compute in a single interface, increasing functionality and flexibility from a given hardware platform

• Gives access to more advanced graphics functions than either OpenGL SC 1.0 or 2.0 such as geometry shaders and multiple render targets


What is Safe, Very Safe, and Safe Enough?

• First development priority, every day and everyone

• Management and communication of risk is imperative, high reliability organizations begin and end with safety as a culture

• Safety critical demands “fit for purpose” consideration at the system level

• Standards and certification practices make safety more transparent and allow demonstrable adherence; this increases portability and lowers risk

• Goals for safety critical implementations:

  • Efficient

  • Effective

  • Risk Reducing


Current Vehicle Cockpit Safety HMI Designs


Safe HMIs in the Cockpit: Safety Workload Runs on Safety Microcontroller

(Diagram labels) Safety Domain (ASIL B): MCU (Cortex-M/R) running an RTOS with Render App, Safety Monitor and SW Render; 2D/3D Gfx, Display Processing (DOC), Memory System, Display. Safety relevant IP in red.


Safe HMIs in the Cockpit: Safety Workload Runs on Safety Island

(Diagram labels) Non-Safety Domain (ASIL QM): CPU running Linux, Render App on OpenGL ES / Vulkan, GPU. Safety Domain (ASIL B): MCU Cortex-R (or M) running an RTOS with the Safety Monitor. Also shown: Display Processing (DOC), Memory System, Display. Safety relevant IP in red.


Trends in Digital Cockpit Architectures


Cockpit Technology Trends: Consolidation

Increase in complexity of systems:

• Vehicle Architecture Changes

• More powerful SoCs

• Mixed-Criticality

• Software Defined Architectures

• Service Oriented Architectures (SOA)

(Diagram: ECU consolidation)


Cockpit Technology Trends: Safety Workloads Changing

Today’s Safety Workloads:

• Current safety applications are very small footprint safety application monitors.

Future Safety Workloads:

• Safety application processing will run on application class processors.

(SoC block diagram: Cortex-A X clusters and Y clusters, Mali GPU, Mali-D77, CoreLink CMN-600, CoreLink GIC-600, CoreLink MMU-600; Safety Island with Cortex-R52.)


Image Source: nvidia

Cockpit Technology Trends: Safety Content is Increasing

Today’s Safety Content:

• Instrument Cluster

• Tell Tales & Gear Position

Future Safety Content:

• AR-HUD

• Increased Intelligence / ADAS

• Enhanced Vision Displays

• Advanced Backup Cameras

Image Source: WayRay AG

Image Source: Mercedes-Benz


Future Vehicle Cockpit Safe HMI Architectures


Future Vehicle Cockpit Architectures: SoCs w/ Safety Relevant IP

Advanced Cockpit Controllers:

• Fit for Purpose

• Mixed-Criticality Workloads

• Compute Flexibility

• Faster path to Safety Cert

(SoC block diagram: Fabric, Cortex-A X clusters and Y clusters, Mali GPU, GIC, MMU, Mali-D77, CoreLink MMU-600; Safety Island with Cortex-R52 in the Safety Domain (ASIL B).)


Safe HMIs in the Cockpit: Safety HMI = Safety Rendering + Safe Display

(Diagram labels) Linux VM and RTOS VM over a Hypervisor on CPU, GPU and DPU, with Memory System and Display; Non-Safety Domain (ASIL QM) and Safety Domain (ASIL B). Blocks: Render App (OpenGL ES / Vulkan, Vulkan API / GPU Driver), Safe Rendering Application (GL SC API, GPU Driver), Safe Compositor, Display Driver, GPU/DPU Safety Monitor, GPU/DPU BIT, Video Output Checker.


Future Vehicle Cockpit Architectures: Safety HMIs

Rate Monotonic Scheduling (RMS)

• Deterministic deadlines

• No resource sharing

• Static Priorities

• Math Model Provable
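The "math model provable" property of RMS can be exercised on a concrete task set. The following C program is an added example, not code from the deck or from Arm: it applies the Liu & Layland utilisation bound and exact response-time analysis to a constructed cockpit task set (the task names, execution times and periods are assumed illustrative values).

```c
#include <stddef.h>

/* Periodic task: worst-case execution time and period in microseconds, deadline equal
 * to period. Task arrays are sorted by ascending period, i.e. RMS static priority order. */
typedef struct { const char *name; unsigned long wcet_us, period_us; } task_t;

/* 2^(1/n) by Newton iteration on x^n = 2, so the block needs no libm. */
static double nth_root_of_two(size_t n) {
    double x = 1.0;
    for (int k = 0; k < 60; k++) {
        double p = 1.0;                                   /* x^(n-1) */
        for (size_t i = 1; i < n; i++) p *= x;
        x = ((double)(n - 1) * x + 2.0 / p) / (double)n;
    }
    return x;
}

/* Liu & Layland sufficient test: schedulable if U <= n(2^(1/n) - 1). */
double rms_bound(size_t n) { return (double)n * (nth_root_of_two(n) - 1.0); }
double rms_utilisation(const task_t *t, size_t n) {
    double u = 0.0;
    for (size_t i = 0; i < n; i++) u += (double)t[i].wcet_us / (double)t[i].period_us;
    return u;
}

/* Exact response-time analysis (necessary and sufficient for static priorities):
 * R_i = C_i + sum_{j<i} ceil(R_i / T_j) * C_j, iterated to a fixed point.
 * Returns 1 if every task meets its deadline; resp[i] receives R_i. */
int rms_schedulable(const task_t *t, size_t n, unsigned long *resp) {
    for (size_t i = 0; i < n; i++) {
        unsigned long r = t[i].wcet_us;
        for (;;) {
            unsigned long next = t[i].wcet_us;
            for (size_t j = 0; j < i; j++)   /* interference from higher-priority tasks */
                next += ((r + t[j].period_us - 1) / t[j].period_us) * t[j].wcet_us;
            if (next > t[i].period_us) return 0;  /* deadline miss: not schedulable */
            if (next == r) break;                 /* fixed point reached */
            r = next;
        }
        resp[i] = r;
    }
    return 1;
}

/* Constructed cockpit task set (illustrative values, not from the deck). */
const task_t cockpit_tasks[3] = {
    { "crc_output_check", 2000, 10000 },   /* 100 Hz frame check */
    { "safe_render",      5000, 20000 },   /*  50 Hz telltale render */
    { "telltale_update", 10000, 50000 },   /*  20 Hz signal refresh */
};
```

For this set U = 0.65 is below the n = 3 bound of about 0.78, and the response times 2, 7 and 19 ms all sit inside their periods; a set whose utilisation exceeds 1 fails the response-time test at the second task.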




Safety Applications Leverage:

• Fit for purpose IP

• IP designed with Robust Functional Safety Processes

• System and IP Evidence of Compliance

• Supporting Functional Safety Docs

• Ecosystem of pre-certified SW elements

(Diagram) Safety Domain: Safe Application Workloads over a Safety Certifiable OS and Fit for Purpose Safety IP (CPU, GPU, DPU, NPU, Memory System). Safety Application Workloads: Safe Content Rendering, Safe Composition, Safe Content Display, Safe Compute (ADAS). APIs: OpenGL SC API, Vulkan Safety Critical API, Other Safety APIs.


Key Take-Aways


Evolution of Safety in the Cockpit

Safe Rendering + Health Monitor

• Safety certify SW that renders and displays safety content

• Migrate only the SW that renders safety content to a safe domain.

• Leverage safety relevant IP and ecosystem of pre-certified SW elements

Safety Monitor Designs

• Video output checker hardware

• Safety content is pre-rendered

• Real-time validation (via CRC checks) of simple safety content

• Open Source is key to innovation and fast prototyping

Today’s Designs: Focus on Safety Monitoring

Future Designs: Focus on Systematics of Software
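The safety-monitor design above (a video output checker validating pre-rendered safety content by CRC) can be modelled in a few dozen lines. The following C program is an added example, not code from the deck, Arm or Core Avionics: it computes a CRC-32 over a telltale region of a constructed frame, compares it with a golden value fixed offline, and trips into a safe state after a configurable number of consecutive mismatches (the frame geometry, region and tolerance are assumed values).

```c
#include <stdint.h>
#include <stddef.h>
#define FB_W 16  /* constructed 8-bit greyscale frame, 16 x 8 pixels */
#define FB_H 8
/* Region of the output frame holding pre-rendered safety content, with the golden
 * CRC computed for it offline (at integration/certification time). */
typedef struct { unsigned x, y, w, h; uint32_t golden_crc; } safety_region_t;
/* Trips only after `tolerance` consecutive mismatches, so one glitch is not fatal. */
typedef struct { unsigned consecutive_bad, tolerance; int tripped; } monitor_t;
/* CRC-32 (IEEE, reflected, poly 0xEDB88320), bitwise. The running value is passed in
 * so scanlines can be fed one at a time as they stream to the display. */
uint32_t crc32_update(uint32_t crc, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++) crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return crc;
}
/* CRC of one region, scanline by scanline, as a DPU output checker would compute it. */
uint32_t region_crc(const uint8_t *fb, const safety_region_t *r) {
    uint32_t crc = 0xFFFFFFFFu;
    for (unsigned row = 0; row < r->h; row++)
        crc = crc32_update(crc, fb + (r->y + row) * FB_W + r->x, r->w);
    return crc ^ 0xFFFFFFFFu;
}

/* 1 if the displayed region matches its golden CRC, 0 otherwise. */
int monitor_check(monitor_t *m, const uint8_t *fb, const safety_region_t *r) {
    if (region_crc(fb, r) == r->golden_crc) { m->consecutive_bad = 0; return 1; }
    if (++m->consecutive_bad >= m->tolerance) m->tripped = 1;  /* enter safe state */
    return 0;
}

/* Constructed scenario: checkerboard telltale, 3 clean frames, then a stuck pixel inside
 * it on every later frame. Returns the 1-based frame on which the monitor trips, or 0. */
int run_monitor_demo(unsigned tolerance, int total_frames) {
    uint8_t fb[FB_W * FB_H] = { 0 };
    safety_region_t r = { 2, 1, 8, 5, 0 };
    monitor_t m = { 0, tolerance, 0 };
    for (unsigned row = 0; row < r.h; row++)
        for (unsigned col = 0; col < r.w; col++)
            fb[(r.y + row) * FB_W + r.x + col] = ((row + col) & 1) ? 0xFF : 0x00;
    r.golden_crc = region_crc(fb, &r);                     /* "offline" golden value */
    for (int f = 1; f <= total_frames; f++) {
        if (f > 3) fb[(r.y + 2) * FB_W + r.x + 3] = 0x80;  /* stuck grey pixel */
        monitor_check(&m, fb, &r);
        if (m.tripped) return f;
    }
    return 0;
}
```

With a tolerance of two consecutive bad frames the monitor trips on frame 5, one frame after the stuck pixel first appears; a tolerance of one trips on frame 4.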


Thank You
