The main objective of the PANORover called demonstrator is to provide real-world application cases for the assessment, optimization and final validation of the model-based methodology developed in PANORAMA project1 in the context of Siemens’ related modeling and design software tools. In order to be able to address the main engineering challenges related to complex heterogeneous hardware/software systems, an exemplary development of a self-driving toy vehicle (the PANORover) shall be shown. As the development of modern complex systems is usually undertaken in the context of an embedded development process with multiple levels of modeling abstraction and various development stages, the demonstrator shall also cover the integration chain of various design artifacts such as requirements, safety models, various types of architecture models, analysis results, and implementations. Thus, the most important aspects to be highlighted during the development of the PANORover can be represented in terms of the following areas: requirements management, embedded system architecture modeling, software architecture, heterogeneous hardware, timing and safety analyses.

In this demonstration, we will focus on the safety analysis of the heterogeneous hardware/software platform of the PANORover to show how complex, heterogenous systems incorporating AI-based functions can be assessed in terms of safety.

PANOROVER

The rover vehicle (see Fig. 1) realizes an automated braking and collision avoidance ADAS (Advanced Driver Assistance Systems) use-case with some elements of Autonomous Driving

Fig. 1. Hardware setup of self-driving rover platform (AD). A driver can control the vehicle remotely by issuing steering, acceleration, and deceleration commands. Whereas the rover vehicle detects approaching obstacles and traffic sings in the direction of its current movement and it reacts autonomously either by automated braking or by adjusting its current speed accordingly in a reasonable time. Such an autonomous reaction of the rover overrides any contradicting control commands of the driver.

Along with an appropriate mechanical and electrical setup the rover vehicle comprises a composite embedded hardware architecture based on two control units (CUs). The CUs are implemented on separate processor boards that are interconnected via CAN bus as shown in Fig. 2: Low-Level Control Unit (LLCU) and Collision Avoidance Electronic Control Unit (CA-ECU) implementing the ADAS/AD scenario.

The LLCU realizes rudimental control functions to interpret the incoming driver’s commands and accordingly to generate pulse-width modulated signals to independently drive two pairs of connected DC motors. One pair of DC motors is equipped with incremental encoders that allow the LLCU software to measure the actual speed of the rover. Furthermore, the distance to approaching objects can be measured using two triples of infrared sensors (IRSs) each placed on the front and on the back sides of the vehicle. The LLCU captures the IRSs signals, combines the values together with the received driver’s commands and the estimated actual speed, and transmits then the aggregated setpoint data packed into respective CAN messages to the CA-ECU.

The CA-ECU emulates behavior of a centralized ECU with a heterogeneous hardware architecture. Its main task is to continuously derive an appropriate autonomous reaction based on the continuously sensed environment model of the rover and to communicate the reaction commands back to the LLCU to be safely executed there. Additionally to the setpoint data prepared by the LLCU, a dedicated (AI-based) object detection module shall use visual data captured by the front camera in order to recognize traffic signs and to detect other types of larger distance objects, that hardly can be detected by the IRSs from the low-level control. The perception tasks are realized as AI functions using a Deep Neutral Network (DNN). The multiple sources of sensed information are sampled with various periodicities, that shall be merged by means of sensor fusion functionality to obtain a more confident representation model of the environment. Based on the outputs of the object detection and sensor fusion functions the planner module then computes the actual reaction command which is then translated into lower-level speed and turn limits that can be directly realized by low-level control.

In order to assess complex, heterogeneous embedded systems such as the PANORover in terms of safety, we use a modular and hierarchical approach to specify and analyze the failure behavior of the system.

With Component Fault Trees (CFTs) there is a model- and component-based methodology for fault tree analysis [ 1 ], [ 2 ], which supports reuse by a modular and compositional safety analysis strategy. CFTs are Boolean models associated with system development elements such as components [ 3 ], [ 4 ]. It has the same expressive power as classic fault trees. Like classic fault trees, CFTs are used to model failure behavior of a system. This failure behavior, including their appearance rate, is used to document the absence of unreasonable risk of the overall system. In CFTs, a separate so-called CFT element is related to a component [ 3 ]. Failures that are visible at the outport of a component are modeled using Output Failure Modes which are related to the specific outport. To model how specific failures propagate from an inport of a component to the outport, Input Failure Modes are used. The internal failure behavior that also influences the output failure modes is modeled using Boolean gates such as OR, AND and M-outof-N as well as so-called Basic Events. Basic Events model failure modes that originate within a component. Each Basic Event can be assigned a failure rate, e.g. the Mean Time Between Failures (MTBF) or the Failure In Time (FIT).

Furthermore, to analyze heterogeneous embedded systems incorporating AI functions the Safety Of The Intended Functionality (SOTIF) (ISO 21448 [ 5 ]) must be considered in additon to functional safety (accoding to ISO 26262 [ 6 ]). SOTIF is defined as the absence of unreasonable risk due to hazards resulting from functional insufficiencies of the intended functionality. In order to assess the safety of systems incorporating AI, hazards coming from failures as well as hazards resulting from functional insufficiencies of the intended functionality must be mitigated sufficiently. Therefore, we need to extend safety analysis techniques in order to create cause-effectrelationships for individual failures as well as for functional insufficiencies and system hazards for the specified system. In a CFT model both failures and functional insufficiencies can be represented. Hence, with the CFT methodology we are able to describe cause-effect-relationships and mitigation schemes on different system levels for individual failures as well as functional insufficiencies and system hazards for the specified heterogeneous embedded system. Hence, we can analyze a system qualitatively in order to show that all hazards are mitigated sufficiently.

We demonstrate this safety analysis approach in the PANORover demo scenario, in which a Capella2 model of the system architecture of the PANORover is enriched with a CFT model to conduct an analysis of the system in terms of safety and to check, if all safety requirements are fulfilled by the system design.

The research leading to these results has received funding from the Federal Ministry for Education and Research (BMBF) under grant agreement 01IS18047D and by Vinnova under registration number 2018-02228 in the context of the ITEA3 EU-Project PANORAMA.