Safety Driven Optimization Approach for Automotive Systems

Safety Driven Optimization Approach for Automotive Systems

Mohamed Slim Dhouibi, Eng, VALEO Laurent Saintis, PhD, Université d’Angers Mihaela Barreau, PhD, Université d’Angers Jean-Marc Perquis, Eng, VALEO

Key Words: Functional Safety, Architecture Optimization, Automotive,

SUMMARY & CONCLUSIONS

In this paper, we propose an approach for system design and architecture optimization driven by safety and cost constraints. It consists of an architecture synthesis and mapping approach that takes into account the safety constraints in the ISO 26262 context. It allows, at one hand, to reach a system preliminary architecture by choosing the best component that reduce the overall cost. On the other hand, it leads to a mapping that respects the safety constraints related to safety levels and to dependent failures.

We use exhaustive and genetic algorithm based approaches for the optimization. The use of these two approaches depends on the size of the considered problem. We demonstrate that these approaches can be used efficiently to reach an optimal design.

1 INTRODUCTION

The design cost is a crucial parameter for any project and particularly for automotive embedded systems. During the design process, the architectural choices and decisions are, often, guided by their impact on the overall cost. For critical systems, safety constraints are having an increasing influence on the design and cost. In the context of ISO 26262[1], the safety levels (ASILs) allocations and decompositions choices have a considerable impact on the architecture. These choices can be translated into functional decompositions at functional level and as a mapping and redundancies choices at physical level. These choices could lead to lowering the development cost or to incurring unnecessary extra-costs. It is necessary, today, to take, efficiently, these constraints into consideration during the design process to reach a compliant and competitive solution.

Currently, finding the solution that makes a compromise between the different constraints (functional, safety and cost) is based on the engineer expertise. Since, such approach remains error prone and does not guarantee the optimality of the retained solution; an automated approach is, in our opinion, needed to reach alternative cost optimal solutions.

In this article, we propose an optimization approach driven by safety and cost. It aims at reaching a compliant design without incurring unnecessary costs.

The paper is organized as follows: first, we discuss the state of the art and the related works. In the third section, we fix the objective of the approach presented in this paper. In the following section, we focus on the proposed design space exploration approaches. A use case example is presented in the fifth section. The paper ends with a conclusion and the future works.

2 RELATED WORKS

The design optimization motivated multiple works.

Multiple approaches have been proposed to reach optimal design taking into account various parameters such as cost, reliability and safety. These approaches target different industries.

Some of the approaches targeted the System-On-Chip and they are referred to as Electronic System-Level (ESL) synthesis approaches. They aim at providing and supporting with tools a design process leading to generating SOC architecture: “The task of ESL synthesis is then the process of selecting an appropriate platform architecture, determining a mapping of the behavioral model onto that architecture, and generating a corresponding implementation of the behavior running on the platform”. We may cite for example Daedalus[2], SystemCoDesigner[3], System-On-chip Environment [4] . Based on a functional model and using design exploration approach, these approaches reach a mapping of the functional architecture on a platform. The platform is consisting of processing elements, communication elements and bus databases. The reader can refer to [5] for a detailed description of these approaches and detailed comparison between them. As far as we are concerned, these approaches cannot be used for automotive systems. The approach remains domain specific, mainly for System-on-a- Chip (SOC) or Multiprocessor System-On-a-chip (MPSOC).

In the automotive domain context, Archeopterix [6] adopted a slightly similar approach to ESL synthesis methodologies. It aims at finding a cost optimal mapping of Software functions on a network of ECUs. The approach takes into account multiple parameters such as CPU load, network bandwidth, reliability. The safety constraints are, though, not taken into account. Co-localization constraints, that could be used to

express a safety constraint, were introduced in the approach amongst the mapping constraints. But we are convinced that using a Co-localization constraint will not be enough to express all the safety constraints. For example, it is not possible to verify the conditions for mixed ASIL levels cohabitation requirements or independency requirements in respect to the standard.

While the approaches presented above focus on optimizing the mapping, the approach proposed by HIP-HOPS [7] focus on the redundancies introduction and the ASIL allocation as an optimization approach. It is more ISO 26262 oriented than the previously presented works. But, it can be applied at a single level: functional or physical. Since, it does not support the link between the two levels; it is often used at the physical level.

ASIL are allocated to the failures modes of the components and different redundancy patterns are used. Unfortunately, redundancy at this level is not often an efficient solution for automotive systems designs. When applied at functional level, a mapping approach is needed to reach the preliminary physical architecture.

The proposed approach takes efficiently the safety constraints and covers the functional and physical level. It is inspired from the works on ESL approaches in the way architecture is generated and a mapping is specified. It differs by taking into account the safety levels. On the other hand, while it may still introduce redundancies in the architecture, it remains different from HIP-HOPS approach since the redundancies are not systematically introduced but results from the combination of functional decomposition, ASIL allocation and functions mapping onto architectural elements.

3 OBJECTIVE

We aim to demonstrate that the problem of finding the best preliminary system architecture, i.e. finding a suitable architecture and its corresponding ASIL allocations and mapping, can be solved jointly and correctly.

During the safety lifecycle, the design choices taken at the early steps have a deep impact on the final architecture of the system. These decisions are almost final and any changes can turn out to be expensive and time consuming afterwards. The choices we are interested in, are: the ASIL allocation, the architecture main elements and the mapping of the functionalities on the architecture.

The main challenge is to find the best compromise between the mentioned choices that remains compliant and cost efficient.

We consider that the architecture we aim at reaching is described through the set of subsystems and components it contains as well as the bus network. The goal is, thus, to reach, starting from a functional architecture, an ASIL allocation and functions and flows mapping that respects the available resources and the safety constraints and optimize the cost of the used elements.

The problem can be described as follows:

The joint ASIL allocation choice, preliminary architecture synthesis and function mapping problem consists of finding

for each function the best choice that would lead to a compliant architecture with the best cost.

The solution determines:

 The best ASIL allocation

 For each function, its mapping to an element and a subsystem

 For each flow, its mapping to bus

We propose a simple formalization of the problem allowing exploring the design space and finding the optimal solution. We use two different approaches: an exhaustive and a genetic algorithm based.

4 OPTIMIAZATION APPROACH 4.1 Overview

The approach flow corresponds to the design flow that is applied in manual process. The difference though is that when manually done, few alternatives are checked. The retained solution is often based on the designer expertise and predictions. The approach, as shown in Figure 1, covers a part of the design process that is often manually done allowing the exploration of different alternatives and eventually reaching an optimal design. It consists of five main steps: Functional architecture, SIL allocation and Safety constraints extraction, architecture synthesis and mapping and cost estimation. The first steps are described in further details in [8].

Figure 1- Approach Overview

The first step consists of modeling the functional architecture as a set of services which are modeled using a data flow graph. An approach described in [9] allows to identify the possible ASIL allocations and the resulting independence constraints. These requirements along with the ASIL allocations and the set of possible hosts (architecture elements or components) and subsystems specified for each function drive the process of optimization. The cost is approached as the total cost of the architecture elements.

In order to illustrate the use of the approach, we give, here, an example of application on a small fictive example.

Figure 2 describes the functional architecture. The functional redundancy introduced in the architecture could be used for an ASIL decomposition. This decomposition could be made using different patterns leading to three ASIL allocation scenarios. These scenarios are identified by the Table 1.

The figure 3 represents a potential solution. It consists of a possible mapping corresponding to the second ASIL allocation scenario defined in the table.

4.2 Safety Constraints

In order to take into account the safety constraints, we decided to focus on the ASIL value and the ASIL decomposition requirements. Thus, we ensure that the mapping respects the adequacy between the function’s ASIL and its mapping (host’s asil).

In the case decomposition is applied, our main concern is to ensure the absence of common cause failures (CCF) that could lead to the violation of the safety goal. Checking the CCF requires a prior knowledge of the failures modes of the hosts and their possible causes. But since the decomposition choices are made at functional level, an approach to simply link the two levels is proposed.

Our approach to checking the CCF is based on a description of the hosts’ failure modes and their impact on functional flows. The hosts’ failures modes are pre-determined

in a FMEA like approach. Each identifies both its causes and its effect on the concerned functional flow types. This allows linking the failure modes at host level to the failure modes in

the functional level. The main objective is to transform the MCS used for ASIL allocation at functional level into MCS at hardware level. Checking the absence of CCF is, in this case, a comparison of the sets of causes of the corresponding failure modes. An example on how the needed information are collected are described through an example in the Table 2 and Table 3.

In the first table, the failures modes of the host are specified along with their causes and the perceived impact on the output flows. In the second, we specify each function the failures modes and the impact on the output functional flows.

The checking algorithm is described below. The input is the set of functions and the failure modes over which the decomposition is done. The output is the result of the mapping check.

Since the independency constraints does concerns also the flows, the allocation to buses process is also concerned by the independency constraints. The same approach is, thus, used to check the flows allocation in order to ensure the absence of CCF.

Figure 2- Functional Architecture Example

Table 2- Host Level Failure Modes

Failure Mode Flow type Effect Causes

Mode 1 Data Bad value C1,C2

Mode 2 Data Omission C1,C3

Table 3- Functional Level Failure Modes Functions Flow Type Failure mode effect

F1 Data Mode a Bad value

F2 Data Mode b Bad value

Table 1-ASIL allocation alternatives

Figure 2- ASIL allocation alternatives ASIL allocation

scenario

Acquisition 1 Acquisition 2 Process Send

I A A B B

II B QM B B

III QM B B B

Figure 3- Potential Mapping and Architecture

4.3 Solving approach

In order to find the optimal architecture, the design space is explored and different combinations are checked in order to find the best solution. We propose in this paragraph two approaches for the design space exploration. The first is an improved “naïve” exhaustive exploration approach. The second is a genetic algorithm based approach for bigger size examples.

a - Exhaustive approach

In case the number of combination is limited, we used an exhaustive approach to explore the design space allowing finding the top cost optimal solution.

The algorithm is detailed as follows:

As can be seen in the algorithm, in order to reduce the treated combinations, we ignored the similar solutions with higher cost. We compare the solutions and evaluate how similar they are. If a similarity limit value is not reached, the solutions are considered not similar. Some potential solution can consequently be ignored safely. If the processed combination has a higher cost than a previous similar solution, it is ignored and not processed any further. We aim at retaining only the lowest cost architectures.

If the architecture is not eliminated by the previous similarity and cost check, it is checked for safety constraints.

As mentioned earlier, this step checks the adequacy of the elements choice and the respect of the independency constraints.

The exhaustive approach is efficient in finding the best solutions for small and medium size examples. But, with the larger examples, we noted greater computation times. In order to cope with the combinatorial issues, we investigated the use of genetic algorithms as described in the following paragraph.

b – Genetic algorithm approach

The size of the examples where the processing time using the exhaustive approach becomes very high encourages us to look into an alternative approach. We decided to use a genetic algorithm based strategy for the design space exploration.

Genetic algorithms (GA's) are search algorithms that work via the process of natural selection. They begin with an initial population of potential solutions which then evolves toward a set ofmore optimal solutions. Within the population, solutions that are poor tend to die out while better solutions mate and propagate their advantageous traits.

Implementing the algorithm for an optimization problem requires modeling the solution as chromosome. It allows the expression of the different parameters that defines a potential solution. It requires a fitness function as well that helps rating the solutions.

 Chromosomes

The chromosomes define a solution as a set of choices that defines an individual of the population. The chromosome is composed by a set of genes. Each describes a part of the solution.

In our case, the chromosomes are coded as described by figure 4. It allows describing the needed information to identify the allocated ASIL and the mapping of the elements of the functional architecture. The number of genes in the chromosome is, thus, defined by the number of functions to be

allocated and mapped.

 Genes

As can be seen in figure 4, the chromosome has two types of genes. The first allows specifying the ASIL allocation through the choice of the scenario to be applied. The second type of genes allows determines the mapping of the corresponding functions. It defines the mapping with a couple of values determining the host and the subsystems to which it is allocated.

 Fitness Function

The fitness function is an objective function that helps to identify how close a solution is to achieving the set goals. It is responsible for performing the evaluation of the solution. The fitness score reflects how optimal the solution is. For our case, the key evaluation parameters are the cost and the safety constraints. The cost is considered as the score of the solution where it consists of the sum of the used elements costs. Lower costs correspond to higher fitness score. On the other hand, to take into account in this score the safety constraints, we add penalties representing the violation of these constraints. The penalties tend to lower the fitness score of the non-compliant solutions which favors the evolution towards respecting the constraints. We used for our implementation three penalties for ASIL allocation correctness, host choice and independence constraints respect.

For the simulation, we decided to use an already existing While ASIL allocations left not checked loop {

While subsystems mapping combinations left not checked loop{

Add the subsystems to the physical architecture Allocate the functions to the subsystems

While hosts mapping combinations left not checked loop { Add the hosts to the subsystems

Allocate the functions to the corresponding host If similar or higher cost {

Go to newt combination }

If the constraints are not all verified { Go to next combination

}

While flows allocation combinations left not checked loop { Allocate the flows to Bus

Add the Bus to the architecture

If the flows allocation don’t respect all constraints { Go to next combination

}

Estimate the cost of the physical architecture Add to the solution set

} } }

tool provided as a java library for easier implementation.

JGAP [10] is a configurable tool to implementing and applying genetic algorithms to optimization problems.

Although it is capable of doing all the evolutionary simulation in a relatively generic manner, it cannot decide either how the solution is coded or how to define the fitness of the potential solution. These should be specified by the user depending on the application. In general in order to use the library, the problem needs to be formalized through a coding and a fitness and evaluation strategy. The coding determines which information are needed to describe a potential solution. These are coded as a chromosome. The fitness function, on the other hand, to evaluate the potential solutions and rate them to retain the most fitted. The aim is to reach a solution that reduces the cost without incurring penalties.

In JGAP, the chromosomes are instantiated during the simulation based on a provided sample chromosome. As shown in figure 4, the sample chromosome is an array of composite genes. The size of the array corresponds to the number of functions.

The genes are described as integers with limited range depending on the number of available alternatives for each value.

Gene[] sampleGenes = new Gene[number_functions+1];

for (int i = 0; i < number_functions; i++) {

CompositeGene compositeGene = new CompositeGene(conf);

IntegerGene host = new IntegerGene(conf, 0, number_possible_hosts-1);

IntegerGene subsystem = new IntegerGene(conf, 0,

number_possible_subs-1);

compositeGene.addGene(host);

compositeGene.addGene(subsystem);

sampleGenes[i] = compositeGene;

}

IntegerGene scenario = new IntegerGene(conf, 0, number_scenarios-1);

sampleGenes[number_functions]= scenario ;

5 STUDY CASE

In this section we illustrate the approach on a use case example. For this purpose, we use a simple example inspired from a real case system. It consists of two services and two safety goals rated ASIL D and ASIL A. The system’s main functionalities are to correctly drive an actuator and to display information about the system state. The bad actuation is rated

ASIL D. As for the omission of the display, it is rated ASIL A.

The functional architecture proposed is described by the following figure:

Figure 5- Study Case Functional Architecture

The system consists of a set of 9 functions and 8 flows.

We provide a set of 7 hosts with their failure modes and their causes and 3 potential subsystems. We introduced CCFs between some of the hosts and the buses to check the efficiency of the approach in respecting the independency constraints.

The decomposition from the first functionality resulted in 16 independence constraints to be verified. Since, ASIL decomposition is made over the two channels, all the function of both channels must be implemented by independent elements e.g.: acquisition 1 and acquisition 2 must be implemented by independent elements verifying that no common cause failures will lead to failures modes associated to a “bad value”.

The ASIL allocation and the possible hosts for each function are as follows:

The hosts’ properties are specified in the next table. It is to be noted that the failures modes and their causes are not presented in details.

Figure 4- Chromosome Encoding

Table 4- Function possible hosts and subsystems Function Possible hosts Possible

subsystems Acquisition 1 S1,S2,S3 SS1 Acquisition 2 S1,S2,S3 SS1

Data Processing 1

C1,C2,C3 SS2,SS3 Data

Processing 2

C1,C2,C3 SS2,SS3 Decision 1 C1,C2,C3 SS2,SS3 Decision 2 C1,C2,C3 SS2,SS3

Command C1,C2,C3 SS2,SS3

Enable C1,C2,C3 SS2,SS3

Drive C4 SS3

Check condition

C1,C2,C3 SS2

Display C1,C2,C3 SS2

Table 5- Hosts Cost

The chromosomes are encoded as specified in section 5 where n=12 with 3 possible scenarios.

The genetic algorithm is left at the default configuration where:

 Top 90 % of the generation are cloned

 The Crossover rate is population size x 0.35

 Mutation rate is number of genes in population /12

 The initial population size is100

 The number of generations is 200

By applying both methods, we obtained closely similar results. The obtained solution is shown in the figure 6. It consists of 3 subsystems and 6 main components communicating using two types of buses to ensure the absence of CCF. The choice of the components ensures, also, the availability of the required interfaces for the chosen types of buses. Conducted on a laptop equipped with Intel I5 and 4 gb of RAM, the computation time is reduced from 84 seconds to 3 seconds thanks to the use of the genetic algorithms.

The solutions obtained from the two approaches did not, though, always coincide. The genetic algorithm approach failed sometimes to reach the global optimal found by the exhaustive approach. The fitness function ensured, thanks to the constraint violation penalty, that the solutions respected all the constraints. But, it led sometimes to solutions that are in a 5% cost difference range from the global optimal solution.

The obtained solutions could be explained by the heuristic nature of the genetic algorithms and the need to a more effective cost estimation approach. The algorithm could be

also enhanced and fully adapted instead of using a general purpose library such as JGAP.

On a second level, the approach, in the current state,

could lead towards from-scratch solutions with only hardware cost in mind. The solutions from scratch are though not encouraged in the ISO 26262 logic since reused and mastered designs are preferred. The reuse of components, as we introduced it here, might not be enough in this case. The approach need to capitalize more the knowledge from the previous projects to reach the optimal design. We propose to develop a more refined cost estimation model. The solutions cost should not only be estimated based on the components cost but also on the needed development effort. The solutions inspired from previous designs often require less development effort unlike the from-scratch solutions. Taking into consideration this parameter efficiently through an adapted cost estimation model, would allow us to rejoin the preferred reuse logic of the standard.

6 CONCLUSION

In this paper we proposed an approach to deal with the joint problem of preliminary architecture optimization and function mapping. We first investigated an exhaustive approach to parse the potential solutions. At a second level, in order to deal with bigger size problems, we proposed a genetic algorithm based approach.

The approach is applied on a study case to assess its advantages and limits. Based on the observed results and limits, we find the approach promising but could be enhanced.

The next works will focus on the solution evaluation. A more adapted and improved cost model can be used to take into account the development cost. This could favor the reuse of previous solutions and avoid from the scratch-solutions that could imply higher risks.

REFERENCES

1. ISO 26262: Road Vehicles - Functional safety, International Organization for Standardization (2011) 2. H. Nikolov and M. Thompson, “Daedalus: toward

composable multimedia MP-SoC design". Proceedings of the 45th annual Design Automation Conference. ACM, 2008. p. 574-579.

3. J. Keinert, M. Streubūhr, T. Schlichter, J. Falk, J.

Gladigau, C. Haubelt, J. Teich, and M. Meredith,

“SystemCoDesigner—an automatic ESL synthesis approach by design space exploration and behavioral synthesis for streaming applications,” ACM Trans. Des.

Autom. Electron. Syst., vol. 14, no. 1, pp. 1–23, Jan. 2009.

4. R. Dömer, A. Gerstlauer, J. Peng, D. Shin, L. Cai, H. Yu, S. Abdi, and D. Gajski, “System-on-Chip Environment: A SpecC-Based Framework for Heterogeneous MPSoC Design,” EURASIP J. Embed. Syst., vol. 2008, no. 1, p.

647953, 2008.

5. A. Gerstlauer and C. Haubelt, "Electronic system-level synthesis methodologies". Computer-Aided Design of Integrated Circuits and Systems, IEEE Transactions on, 2009, vol. 28, no 10, p. 1517-1530.

6. A. Aleti and S. Bjornander, “ArcheOpterix: An extendable tool for architecture optimization of AADL

Host ASIL max Cost

S1 C 10

S2 B 8

S3 B 6

C1 A 8

C2 B 10

C3 C 15

C4 - 10

Figure 6- Obtained Solution

models", Model-Based Methodologies for Pervasive and Embedded Software, 2009. MOMPES'09. ICSE Workshop on. IEEE, 2009. p. 61-71.

7. Y. Papadopoulos, M. Walker, D. Parker, E. Rüde, R.

Hamann, A. Uhlig, U. Grätz, and R. Lien, “Engineering failure analysis and design optimisation with HiP-HOPS,”

Eng. Fail. Anal., vol. 18, no. 2, pp. 590–608, Mar. 2011.

8. M. Dhouibi, J. Perquis, L. Saintis, and M. Barreau," An Optimization Approach for Automotive Systems Architecture Driven by Safety and Cost", Accepted Paper, Lambda Mu 19, 2014

9. M. Dhouibi, J. Perquis, L. Saintis, and M. Barreau,

“Automatic Decomposition and Allocation of Safety Integrity Level Using System of Linear Equations,” … Complex Syst. …, no. c, pp. 1–5, 2014.

10. K. Meffert, N. Rotstan, C. Knowles, and U. Sangiorgi,

“Jgap-java genetic algorithms and genetic programming package,” URL http//jgap. sf. net, 2012.

BIOGRAPHIES

Mohamed Slim DHOUIBI, VALEO

76 Rue Auguste Perret Creteil, 94046, FRANCE e-mail: [email protected]

Mohamed Slim DHOUIBI is an engineer and PhD student in safety and systems engineering. He received a master degree of engineering in avionics from the “École Nationale Supérieure de Mécanique et d'Aérotechnique”. His research activities are focused on system engineering and functional safety.

Laurent Saintis, PhD

ISTIA, Université d’Angers 62, avenue notre dame du lac Angers, 49000, FRANCE

e-mail: [email protected]

Laurent Saintis received a PhD in Applied Mathematics and Mechanical Engineering. He is currently an associate professor at University of Angers (France). He works on complex systems modeling for dependability evaluation and reliability testing.

Mihaela Barreau, PhD ISTIA, Université d’Angers 62, avenue notre dame du lac Angers, 49000, FRANCE

e-mail: [email protected]

Mihaela Barreau is engineer and PhD in automatic control and computer science. She is associate professor in the Quality and Dependability Engineering Department of ISTIA engineering school of the University of Angers since 1998. Her interest areas are modeling and optimization methods, reliability testing and mechatronic systems dependability.

Jean-Marc PERQUIS, VALEO

76 Rue Auguste Perret Créteil, 94046, FRANCE

e-mail: [email protected]

Jean-Marc PERQUIS is a software design leader and software safety expert at VALEO. He works in automotive embedded software development since 1989. He is interested in the software intensive systems safety development methodology and design.