Enabling Efficient Development of Safe and Certified Software for Automated Driving Applications — From Open Source to Safety-Certified Software
Jan Becker, President, CEO, Co-Founder Apex.AI, Inc.; Managing Director Apex.AI GmbH; Director on the Board of the Autoware Foundation; Lecturer at Stanford University
© 2020 Apex.AI, Inc. All Rights Reserved.
Content
• My background
• How we developed automotive-grade, safety-certified software from open-source
• Why open-source makes sense in automotive
• How we are contributing back to open-source
Background Jan Becker
(Career timeline figure, 1997 to present)
Apex.AI
Our Vision: Safe and reliable autonomous systems
Our Mission: Safe and certified SDKs based on open APIs
Our Expertise: Autonomous and robotic systems software; modern C++ for real-time and embedded systems; functional safety certification of modern C++ software
Our Products:
Apex.OS
• The automotive-grade, real-time, safety-certified ROS 2-compatible SDK
• Can be used out-of-the-box as a plug-in replacement for ROS, or white-labelled and integrated into OEM/Tier 1 operating systems
Apex.Autonomy
• 3D lidar processing library and more
• Automotive-grade, real-time, safety-certified lidar SDK
• Can be integrated into autonomy software or embedded in lidar sensors
MARV.Automotive
• A powerful, configurable, extensible platform for analytics of log data
From Open-Source to Safety-Certified Software (and Back)
(Timeline figure; columns: open source, proprietary, safety-certified; rows: framework SW, algorithmic SW)
Framework SW: ROS (2010-), ROS 2 (2017-), Apex.OS (2017-2020), Apex.OS Cert
Algorithmic SW: Autoware.Auto (2019-), Apex.Autonomy (2018-), Apex.Autonomy Cert (2021-)
Complexity of the Autonomous Mobility Stack
(Full-stack figure) Layers: Product (Vehicle, User Application); On-Board Software (Algorithmic Software, Framework Software, Operating System); Hardware Stack (Components, Sensors, Vehicle); Maps (Mapping); Off-Board Software and Data (Development Tools, Data Processing, Operations); Methodologies (Design, Testing, Functional Safety).
Item groups shown in the figure:
• 2D+3D Perception, Tracking, Classification; AI/ML-based Scene Understanding; Localization; Route Planning, Decision Making; Motion Planning and Control
• Middleware; Security Support; Diagnostics; Safety Support; Abstraction of hardware, middleware, OS, interfaces
• Scheduler; Driver; Kernel
• Cloud Connectivity; In-Vehicle Connectivity; Data Recorder; Computing; Data Storage
• GNSS; INS/IMU; Lidar; Camera; Radar
• Interfaces to: Drive Train, Braking System, Steering System, Electronics
• Topological Layer; Relational Layer; Physical Layer; Creation; Annotation; Update; Distribution
• Development Environment; Visualization; Simulation
• Data Recording; Data Playback; Data Annotation; Data Management and Analytics
• Fleet Management; Fleet Routing; Tele-Operation; Diagnostics; OTA Update
• User Experience; Interior Interaction Design; Exterior Interaction Design
• Unit Tests; Regression Tests; Integration Tests; SIL/HIL Tests; Vehicle Tests
• Regulations, Homologation; Security Validation; Safety Verification; System Integration; Application Release
ROS
(Stack figure, as above: ROS 1 on Linux, ROS 2 on Linux)
ROS 1 → ROS 2
• Improved code quality
• Smaller, more optimized code
• Standardized middleware
• Improved testing and documentation
What is ROS?
Ecosystem: >> 200,000 users *
Capabilities: Autoware, Navigation, Manipulation, Computer Vision, Point Cloud Processing, …
Plumbing: message passing, hardware abstraction, device control, computational graph model, …
Tools: visualization, simulation, recording, playback, build system, launch, …
* http://download.ros.org/downloads/metrics/metrics-report-2019-07.pdf
Apex.OS
(Stack figure: ROS 1 on Linux; ROS 2 on Linux; Apex.OS on Real-Time Linux / QNX; Apex.OS Cert on QNX for Safety 2.0)
ROS 2 → Apex.OS
• Real-time execution
• Deterministic execution
• Real-time data logging
• Tests, tests, tests
• Support for automotive hardware
• More tools
• 24/7 customer support
Examples of Real-Time Gaps in ROS 2
Deterministic resource usage and runtime is necessary for a safety-critical system with respect to
• memory,
• threads,
• blocking calls.
ROS 2 is too dynamic for hard real-time:
1. Memory: allocation on subscription; std::string, std::vector, std::exception
2. Blocking calls, e.g. fprintf, fwrite
3. Non-real-time DDS
To bridge the gap to real-time, Apex.OS ensures that
• no resource allocation occurs during runtime,
• all operations are finite and bounded,
• all potentially blocking calls have timeouts.
Real-Time Gaps in ROS 2
ROS 2 exhibits the following gaps to enabling real-time performance.
Non-static memory operations
• Standard containers: runtime memory allocation; memory fragmentation
• Standard exceptions: an exception throw causes memory allocation; handler lookup is non-deterministic due to inheritance
Standard threading
• Thread priorities, scheduling, pinning: no control (std::thread)
• Higher risk of deadlocks since there is no tooling
• Scheduling based on readiness of data (executor): increased thrashing
Blocking calls/deadlocks
Non-real-time DDS
Real-Time Solution in Apex.OS and Apex.OS Cert
Apex.OS addresses the following gaps to achieve real-time performance.
Static memory operations
• apex::containers: apex::vector, apex::string, apex::map/set
• Standard exceptions, but the compiler is tuned to allocate memory in pre-defined pools, not in the heap (WIP); handler lookup made real-time (e.g. no dynamic cast)
apex::threading
• apex::threading::thread: better control over thread priorities, scheduling, and pinning
• Advanced tools: thread sanitizer, clang thread safety analysis, helgrind
• Reliance on the OS scheduler instead of the executor: reduced thrashing
Blocking calls/deadlocks
Real-time DDS
Apex.OS Integration with AUTOSAR Adaptive
(Figure) Elements shown: ara::com with a SOME/IP binding and a DDS / Apex.OS binding; two Apex.OS application nodes; two AUTOSAR Adaptive applications.
Apex.OS Cert Development and Certification Lifecycle (simplified)
Automotive Stakeholder Requirements (ASR) → feature set reduction → apply real-time and determinism constraints (1. static memory, 2. remove blocking calls and recursions)
Requirements: elicitation, safety concept, SW safety requirements
Architecture: UML (Unified Modeling Language), FMEA
Unit design: SCA (static code analysis), SW practices outline, coverage, FMEA
V&V: requirements, architecture, unit, integration, system, performance, fault injection tests
Conf. reviews: safety manual, restrictions, traceability → Apex.OS Cert
ISO 26262 / SEooC / Part 3, Part 6 … processes
Apex.Autonomy Cert
(Stack figure: Autoware.AI on ROS 1 / Linux; Autoware.Auto on ROS 2 / Linux; Apex.Autonomy on Apex.OS / Real-Time Linux / QNX; Apex.Autonomy Cert on Apex.OS Cert / QNX for Safety 2.0)
Apex.AI co-founded the Autoware Foundation in 12/2018
(Stack figure, as above; foundations shown: Open Source Robotics Foundation, Linux Foundation, Autoware Foundation)
Autoware Foundation Members 08/2020
(Logo figure) Member categories: Academic & Non-Profit Members, Industrial Members, Premium Members, Affiliated Organizations
Autoware Foundation Projects
(Stack figure, as above)
Autoware.AI: The original Autoware project, built on ROS 1. Launched as an R&D platform for autonomous driving technology.
Autoware.Auto: Autoware reimagined. Based on ROS 2, with a redesigned and clean software architecture. Autoware.Auto is the keystone project of the Autoware Foundation, creating a reference architecture and an open source implementation of the functional autonomous mobility software.
Autoware.IO: An interface project for Autoware to be extended with proprietary software and third-party libraries in a reliable manner. Examples include device drivers for sensors, by-wire controllers for vehicles, and hardware-dependent programs for SoC boards.
Autoware.Auto AVP
1. AVP = Autonomous Valet Parking
2. Scope: Automatically drive a car from a drop-off location (such as a carpark entrance) to a specified park, park the car, and then drive to a pick-up location upon request. This functionality will be performed at Level 4 autonomy, meaning a driver will not need to be present in the car.
3. Contributions from Apex.AI, Arm, AutonomouStuff, AWF, Embotech, LGSVL, Linaro, Mapless, Parkopedia, Silexica, Ternaris, Tier IV.
4. All in open-source: https://autowarefoundation.gitlab.io/autoware.auto/AutowareAuto/index.html
5. All planning and execution in the open: https://gitlab.com/autowarefoundation/autoware.auto/AutowareAuto/-/milestones
6. Autoware.Auto commit history: the project is becoming self-sustaining
7. Result:
   1. Common architecture based on ROS 2 and Autoware.Auto
   2. Common interface
   3. Common tooling
   4. Development environment
Summary: Enabling Efficient Development of Safe and Certified Software for Automated Driving Applications
Situation
• Software frameworks enable modern modular software development.
• ROS (Robot Operating System) is the predominantly used software framework for robotics and autonomous driving.
• ROS is open source with open APIs.
• ROS is great for prototyping.
Problem
• ROS software does not run in real time.
• ROS is not sufficient for use in safety-critical products.
• ROS-based software is not certifiable.
Solution
We take ROS from an open-source framework to a commercial, supported, and certified product based on open APIs: Apex.OS
Benefits of Apex.OS
• Prototyping in ROS can directly transition to product development: + simplified workflows; + much faster and cheaper to market
• ROS APIs and toolchain can be reused: + employees knowing ROS do not need to be retrained; + faster and cheaper to market; + easier to find qualified employees; + makes you more attractive to candidates
• ROS-based code can be certified: + much faster and cheaper to safety-certified products
• Abstraction of underlying hardware, middleware, RTOS, and dependencies into simple-to-use APIs: + real-time and embedded applications can be developed much more easily; + addresses the shortage of experts, easier to find suitable employees; + removes hardware, middleware, and RTOS vendor lock-in
Execution
Take Away
Automotive-grade, safety-certified software can be developed open-source
• Proven architecture
• Open interfaces and APIs
• Reuse of existing best-in-class tooling
• Awesome developer experience
Contributing back to open-source makes sense
• Proven architecture
• Open interfaces and APIs
• Reuse of existing best-in-class tooling
• Awesome developer experience
Real-time, safety-certified, ROS-compatible software is available
• Apex.OS, Apex.OS Cert (ISO 26262, SEooC, ASIL-D)
• Apex.Autonomy
• www.apex.ai, [email protected]
Open-source is available
• https://gitlab.com/autowarefoundation/autoware.auto
• https://gitlab.com/ApexAI