Apollo Advanced Course ③ | Open Source Modules Explained (Part 2)

Original article by Awa Jun, Apollo Developer Community, 2018-12-20

In the last issue we published Apollo Open Source Modules Explained (Part 1). In this issue we continue with Apollo's open-source modules and discuss what ISO 26262 is mainly about.

Without further ado, welcome to Advanced Course 3.

ISO-26262 Overview

First, the most basic points of the safety standard ISO 26262. ISO 26262 is a very complex, highly structured standard. For example, if a piece of hardware must meet the ASIL D level, its failure rate is 10 FIT (Failures In Time, failures per one billion hours of device operation), i.e. one fault in 1,000,000,000 hours. That is a far lower failure rate than a Windows blue screen.

In English there are two distinct words for what Chinese calls 安全: Safety and Security. Safety covers two aspects: systematic faults and random faults.

A systematic fault is a defect that exists in the design of the car itself: every time you run it, the problem shows up. Both software and hardware can have systematic faults.

Random faults are caused by uncontrollable factors and do not necessarily occur, for example when the road is a bit bumpy. Normally, random faults occur only in hardware.

Security is not about a problem in the car itself, but about the system being taken over by someone else. In the past, compromising a car was very difficult: there was no physical connection and no internet access. But with driverless technology, the car will always be connected to the network, which makes cars particularly vulnerable to attack.

ISO 26262 is an industry-standard method rather than a single case study; it covers only Safety and does not cover Security. But since we are building driverless cars, security must be considered as well.

ISO-26262 Certification Process

Passing ISO 26262 certification is a particularly careful process.

First, you need to define which features the car has and which parts are used to implement each of them. Second, for each function you need to consider whether it can fail, and if it does, what level of problem that is.

There are two kinds of problem. Take the car's acceleration system: one problem is that the car accelerates when the person did not intend it to. The other is that the car needs to accelerate and does not. We need to put these issues into specific scenarios and consider which one is the most serious. To determine how serious a problem is, ISO 26262 gives three criteria: Exposure, Controllability, Severity.

  • Severity refers to how much harm an accident would do to the people involved, i.e. the probability of casualties after an accident.
  • Exposure refers to whether or not this situation is common.
  • Controllability means whether, when the car has a problem, the driver has a chance to take over.
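As an added worked example (not part of the original course material), the script below encodes the ISO 26262-3 risk-classification table that turns a Severity, Exposure and Controllability class (S1..S3, E1..E4, C1..C3) into an ASIL, and applies it to the two acceleration hazards described above. The S/E/C ratings assigned to those hazards are constructed for illustration; a real hazard analysis would argue each rating from the specific driving scenario.

```python
"""ASIL determination from Severity, Exposure and Controllability.

Added example, not code from the Apollo project. The table is the ASIL
determination table of ISO 26262-3; the hazard ratings are constructed.
"""
from dataclasses import dataclass

# ISO 26262-3 ASIL determination table, indexed by (S, E); the tuple holds
# the result for C1, C2, C3. "QM" means quality management only, no ASIL.
ASIL_TABLE = {
    (1, 1): ("QM", "QM", "QM"), (1, 2): ("QM", "QM", "QM"),
    (1, 3): ("QM", "QM", "A"),  (1, 4): ("QM", "A", "B"),
    (2, 1): ("QM", "QM", "QM"), (2, 2): ("QM", "QM", "A"),
    (2, 3): ("QM", "A", "B"),   (2, 4): ("A", "B", "C"),
    (3, 1): ("QM", "QM", "A"),  (3, 2): ("QM", "A", "B"),
    (3, 3): ("A", "B", "C"),    (3, 4): ("B", "C", "D"),
}

# Ordering used to compare ASILs (QM is the lowest, D the highest).
ASIL_RANK = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}


def determine_asil(severity: int, exposure: int, controllability: int) -> str:
    """Return the ASIL for one hazardous event.

    Class 0 in any dimension (no injuries, incredible exposure, controllable
    in general) means no ASIL is assigned, so "QM" is returned directly.
    """
    if not (0 <= severity <= 3 and 0 <= exposure <= 4 and 0 <= controllability <= 3):
        raise ValueError("S must be 0..3, E 0..4, C 0..3")
    if severity == 0 or exposure == 0 or controllability == 0:
        return "QM"
    return ASIL_TABLE[(severity, exposure)][controllability - 1]


@dataclass(frozen=True)
class Hazard:
    """A hazardous event placed in a concrete driving scenario."""
    name: str
    scenario: str
    severity: int
    exposure: int
    controllability: int

    def asil(self) -> str:
        return determine_asil(self.severity, self.exposure, self.controllability)


# Constructed ratings for the two acceleration problems named in the course.
ACCELERATION_HAZARDS = [
    Hazard("unintended acceleration",
           "car accelerates in dense city traffic without driver request",
           severity=3, exposure=4, controllability=3),
    Hazard("loss of acceleration",
           "car does not accelerate when merging onto a highway",
           severity=2, exposure=3, controllability=2),
]


def classify_hazards(hazards) -> dict:
    """Map each hazard name to its ASIL."""
    return {h.name: h.asil() for h in hazards}


def most_critical(hazards) -> Hazard:
    """Pick the hazard whose ASIL is highest; it drives the safety goal."""
    return max(hazards, key=lambda h: ASIL_RANK[h.asil()])


if __name__ == "__main__":
    for name, asil in classify_hazards(ACCELERATION_HAZARDS).items():
        print(f"{name}: ASIL {asil}")
    worst = most_critical(ACCELERATION_HAZARDS)
    print(f"most critical: {worst.name} ({worst.scenario}) -> ASIL {worst.asil()}")
```

Running it shows why the course says the problems must be judged per scenario: the same acceleration function yields ASIL D for unintended acceleration in city traffic but only ASIL A for loss of acceleration while merging, and the safety goal and the required redundancy follow from the higher of the two.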

The ISO 26262 certification process is "V-shaped". First it looks at the development environment and the level; second it analyzes what the problem is. If it is a high level, you need to determine how probable this problem is. Then you consider how to solve this specific problem. That is, you first work at the high level, then at the function level, and then at the technique level.

The technique level involves both software and hardware. Software and hardware ensure safety, and verification is done afterwards. The more demanding ISO 26262 levels require a great deal of redundancy in the system: if the current system breaks, there is another system beneath it, and if a problem occurs, the system has additional mechanisms to bring the car to a stop.

ISO-26262 Advantages and Disadvantages

ISO 26262 represents the limit of what the automotive industry can do in terms of safety, and it carries high prestige in the automotive industry.

First, it is a guide to technology; there is no doubt it makes cars safer. Second, it has high commercial value: the cars that pass this certification are mostly German cars, and German cars are priced much higher than their peers. Third, it concerns legal rights and responsibilities.

The automotive industry is a complex industry. The car maker does the assembly and has to ask a variety of suppliers for parts. Once a car has a safety problem, if the supplied hardware components meet the safety requirements, the car maker must bear the responsibility. Car recalls are generally on the order of billions of dollars. So although this certification is not a legal requirement, it is particularly useful in litigation.

But ISO 26262 also has disadvantages. Its certification process is very complicated (a Very Heavy Process) and does not fit the needs of agile development. Under ISO 26262 the documents for each layer must be complete before the next level can be worked on.

We may consider an app that iterates over months to be slow, but a car may need a decade of planning; the cars we drive today may have been planned a decade ago.

﹏﹏﹏﹏﹏﹏﹏﹏ END ﹏﹏﹏﹏﹏﹏﹏﹏


Origin: blog.csdn.net/weixin_43619346/article/details/105045720