Safe Human Machine Interface (HMI) Requirements of the

1Copyright © 2019 Arm TechCon, All rights reserved.Copyright © 2019 Arm TechCon, All rights reserved.

#ArmTechCon

Digital Cockpit Platform ManagerArm, Inc.Daniel Bernal

Safe Human Machine Interface (HMI) Requirements of theDigital Cockpit

VP, Business DevelopmentCore Avionics & Industrial Inc.Lee Melatti

2Copyright © 2019 Arm TechCon, All rights reserved.

Abstract

Vehicle cockpits are under a technology revolution. Additional sensors and displays with safety relevant data are the new normal. This presentation will examine the requirements of new vehicle cockpit workloads and the challenges it presents when architecting cockpit controller platforms that must present safety relevant data to the operator.


Topics

• Automotive Safety• Lessons Learned from other Safety Relevant Markets• Safety Stacking Principles• Safety Critical Graphics and Compute Solutions• Current Vehicle Cockpit Safety HMI Designs• Trends in Digital Cockpit Architectures• Future Vehicle Cockpit Safe HMI Architectures


Automotive Safety


The Automotive Safety Problem


Software Complexity in Automotive will Only Increase

Source: https://www.aasdn.com.au/driven-by-code/

https://www.aasdn.com.au/driven-by-code/


Hardware and Software Reliability Relationship


Lessons Learned from other Safety Relevant Markets


Aviation Safety History


Aviation Safety

It is estimated that 40 million commercial flights will occur worldwide in 2019.

• The fatal accident rate for large commercial passenger flights in 2018 was 0.36 per million flights, or one fatal accident for every 3 million flights

• That is up from 2017’s 0.06 per million flight rate and above the most recent five-year average of 0.24 per million flights

• Recent B737 Max 8 events underscore the need for safety certification process, oversite and most importantly, culture

• Safety events trigger large scale investigations that typically result in broad safety modifications and industry improvements


Safety Applications


Safety StackingPrincipals


Safety Critical Stacking

Hardware

Driver

Hypervisor

Operating Systems

Application

FunctionalErrors

Safety CriticalConstraints


Safety Principals Create Constraint

• Deterministic

• Bounded (in space and time)

• Non blocking code (no semaphores)

• Interrupts challenge time boundaries

• Error/failure detecting

• Defining what is an error or failure


Safety CriticalGraphics and Compute


Safety Critical Graphics and Compute

OpenGL SC1.0 OpenGL SC2.0OpenCL SC

VULKAN SC

GP

U G

P/G

PU

Un

its

Avionics & Defense

AutomotiveDigital Twin

(Internet of Manufacturing)

RTCA DO-178C

EUROCAE ED-12C

Avionics

IEC 60880

EN 50128


What makes an API safety critical?

The Vulkan SC working group is in the early stages of developing a safety critical API based on Vulkan, but…

…in general, safety will likely focus on:

Deterministic Execution (predictable execution times and results, e.g. offline compilationwith Vulkan SC ingesting compiled shader ISA binaries)

Robustness (removing ambiguity, clarifying undefined behavior)

Simplification(changes made to reduce certification effort and challenges)


What Vulkan Safety Critical Offers

• First safety critical compute open standard

• Allows development of a multi-use platform of safety certifiable applications through graphics and computer hardware abstraction

• Improves GPU performance on a per watt basis and reduces impact on the CPU, thereby lowering system cost for similar performance

• Supports graphics and compute in a single interface, increasing functionality and flexibility from a given hardware platform

• Gives access to more advanced graphics functions than either OpenGL SC 1.0 or 2.0 such as geometry shaders and multiple render targets


What is Safe, Very Safe, and Safe Enough?

• First development priority, every day and everyone

• Management and communication of risk is imperative, high reliability organizations begin and end with safety as a culture

• Safety critical demands “fit for purpose” consideration at the system level

• Standards and certification practices make safety more transparent and allows demonstrable adherence; this increases portability and lowers risk

• Goals for safety critical implementations:

• Efficient• Effective• Risk Reducing


Current Vehicle Cockpit Safety HMI Designs


RTOS

Safe HMIs in the CockpitSafety Workload Runs on Safety Microcontroller

2D/3DGfx

MCU(Cortex M/R)

DisplayProcessing

Memory System

Display

Render AppSafety

MonitorSW Render

Safety relevant IP in red.

DOC

Safety Domain (ASIL B)


Safe HMIs in the CockpitSafety Workload Runs on Safety Island

Linux RTOS

GPU

DisplayProcessing

Memory System

Display

Render App SafetyMonitor

Safety relevant IP in red.

CPUDOC

OpenGL ES / Vulkan

MCUCortex R(or M)


Non-Safety Domain (ASIL QM)


Trends inDigital Cockpit Architectures


Cockpit Technology TrendsConsolidation

Increase In Complexity of Systems:• Vehicle Architecture Changes• More powerful SoCs• Mixed-Criticality• Software Defined Architectures• Service Oriented Architectures (SOA)

ECU


Cockpit Technology TrendsSafety Workloads Changing

Today’s Safety Workloads:• Current safety applications are

very small footprint safety application monitors.

Future Safety Workloads:• Safety application processing

will run on application class processors.

CoreLink CMN-600

Cortex-A

Mali GPU

CoreLink GIC-600

Y clusters

CoreLinkMMU-600

Safety Island

Cortex-R52

X clusters

Cortex-A

X clusters

Mali-D77

CoreLinkMMU-600


Image Source: nvidia

Cockpit Technology TrendsSafety Content is Increasing

Today’s Safety Content:• Instrument Cluster• Tell Tales & Gear Position

Future Safety Content:• AR-HUD• Increased Intelligence / ADAS• Enhanced Vision Displays• Advanced Backup Cameras

Image Source: WayRay AG

Image Source: Mercedes-Benz


Future Vehicle Cockpit Safe HMI Architectures


Future Vehicle Cockpit ArchitecturesSoCs w/Safety Relevant IP

Advanced Cockpit Controllers:• Fit for Purpose• Mixed-Criticality Workloads• Compute Flexibility• Faster path to Safety Cert

Fabric

Cortex-A

Mali GPU

GIC

Y clustersMMU

Safety Island

Cortex-R52

Cortex-A

X clusters


Mali-D77

CoreLinkMMU-600


Safe HMIs in the CockpitSafety HMI = Safety Rendering + Safe Display

Linux VM RTOS VM

GPU

Memory System

Display

Hypervisor

Render App

GPU/DPUSafety

Monitor

CPUVideo

OutputChecker

OpenGL ES / Vulkan

GPU/DPUBIT

Vulkan API / GPU Driver

GL SC API

Safe RenderingApplication

DisplayDriver

SafeCompositor

GPU Driver

Safety Domain (ASIL B)Non-Safety Domain

(ASIL QM)

ASIL B

DPUGPUCPU


Future Vehicle Cockpit ArchitecturesSafety HMIs

Rate Monotonic Scheduling (RMS)• Deterministic deadlines• No resource sharing• Static Priorities• Math Model Provable


Safe HMIs in the CockpitSafety HMI = Safety Rendering + Safe Display

Linux VM RTOS VM

GPU

Memory System

Display

Hypervisor

Render App

GPU/DPUSafety

Monitor

CPUVideo

OutputChecker

OpenGL ES / Vulkan

GPU/DPUBIT

Vulkan API / GPU Driver

GL SC API

Safe RenderingApplication

DisplayDriver

SafeCompositor

GPU Driver

Safety Domain (ASIL B)Non-Safety Domain

(ASIL QM)

ASIL B

DPUGPUCPU


Safety Applications Leverage:• Fit for purpose IP• IP designed with Robust Functional Safety

Processes• System and IP Evidence of Compliance• Supporting Functional Safety Docs• Ecosystem of pre-certified SW elements

Safe Application Workloads

Fit for Purpose Safety IP

Safety Certifiable OS

GPU

Memory System

NPU

Safe ContentRendering

SafeComposition

Safety Application Workloads

SafetyDomain

DPUCPU

Safe ContentDisplay

SafeCompute

(ADAS)

OpenGL SC API Vulkan Safety Critical API Other Safety APIs


Key Take-Aways


Evolution of Safety in the Cockpit

Safe Rendering + Health Monitor

• Safety certify SW that renders and displays safety content

• Migrate only the SW that renders safety content to a safe domain.

• Leverage safety relevant IP and ecosystem of pre-certified SW elements

Safety Monitor Designs

• Video output checker hardware• Safety content is pre-rendered• Real-time validation (via CRC checks)

of simple safety content• Open Source is key to innovation and

fast prototyping

Focus on Safety Monitoring

Today’s Designs Future Designs

Focus on Systematics

of Software


Thank You

Documents

Safe Human Machine Interface (HMI) Requirements of the