
With high-level autonomous driving mass production imminent, who is responsible for the safety of the car?

Since 2021, the intelligence of automobiles has become an indisputable fact in the industry, and "mass production" has become the hottest keyword of the year in autonomous driving circles.

In the past year, whether in Robotaxi (driverless taxi), Robotruck (driverless truck) or other tracks, autonomous driving companies including Baidu Apollo, Xiaoma Zhixing, Wenyuan Zhixing, Mo Mo Zhixing, Youdao Zhitu, Mainline Technology and Yinche Technology have all set their sights on mass production of driverless vehicles.

In the passenger-car field, OEMs such as Weilai, Xiaopeng, Ideal, WM, Gaohe, Lotus and Jidu have also put high-level intelligent driving models on the mass-production agenda and have begun, or will soon begin, batch deliveries.


HiPhi Z

Just recently, Tesla stated in its vehicle safety report for the fourth quarter of 2021 that Autopilot makes driving 8.9 times safer than the US average, which once again aroused heated discussion in the industry.

With the mass production of high-level autonomous driving imminent, car safety has indeed become a topic of concern for more and more people.

But are self-driving cars really safe?

Nowadays, the penetration of intelligent driving and intelligent cockpits in new cars keeps rising, and smart cars are becoming more and more like large "mobile phones" on four wheels.

However, turning the car into a piece of consumer electronics has itself brought many more electronic and electrical components into the vehicle. Compared with a traditional fuel vehicle, the number of electronic components in an electric vehicle has increased by about 15 times.

These new components differ greatly from the mechanically oriented components of traditional vehicles: no matter how precise an electronic or electrical component is, it has a certain probability of random failure (a random failure is a hardware failure whose time of occurrence cannot be predicted but follows a probability distribution, such as a resistor going open, a short circuit or resistance-value drift).

A traditional fuel vehicle is controlled by a person. In the future, when the machine replaces the person at the wheel, a failure the person can no longer take control of will have very serious consequences.

As the probability of random failure rises with the growing number of electrical and electronic components, the overall safety characteristics of vehicles are increasingly affected.

First, smart driving systems are becoming more and more complex. Whether in braking, power steering or other systems, intelligent driving vehicles contain more electronic control and by-wire components.

Second, the number of smart sensors is increasing. The stronger a vehicle's intelligent driving capability, the more complex the software and hardware of its intelligent driving system.

From traditional L1 up to L4 autonomous driving, the number of sensors has grown from one or two to dozens, and the requirements on computing power have risen accordingly.

High-level autonomous driving functions let electronic and electrical systems intervene in vehicle control over more time periods and in more scenarios, but their random failures threaten life, and the safety systems of traditional cars are challenged by these new failure modes.

To ensure the safety of smart cars, the safety requirements, safety design and test verification process of the whole vehicle need to change, and the discipline that addresses the random failure of electronic and electrical components is functional safety.

01

A lesson in blood and tears for automotive functional safety: the Toyota brake door

In general, vehicle safety includes passive safety, mechanical safety, chemical safety, driving behavior safety and so on. After a large number of electronic and electrical systems joined, active safety, electrical safety, functional safety, expected functional safety, driving behavior safety, network security and other elements were added. These elements run in parallel or intersect with each other, making vehicle safety intricate.


Introducing new technologies into intelligent connected vehicles is at the same time equivalent to introducing functional safety, expected functional safety and network security problems, of which functional safety may be the earliest to be highlighted.

Take the throttle of a car engine, for example. The throttle is the throat of the engine: the larger its opening, the more air the engine takes in, the stronger the power and the faster the vehicle accelerates. The earliest throttles were mechanically connected directly to the accelerator pedal.

Around 1988, electronic throttles appeared. They eliminated the mechanical link between the accelerator pedal and the throttle: sensors detect how far the pedal is depressed, and the car's electronic system then controls the throttle opening.

Because the direct link between pedal and throttle is gone, the electronic throttle gives the car a rich variety of driving modes such as economy and sport, improving the driving experience and the playability of the vehicle.

But new problems arose. Around 2000-2010, Toyota learned a painful lesson precisely because of inadequate safety design for electronic throttles: it eventually recalled 700,000 cars and paid a settlement of more than a billion dollars, and 89 people were killed in accidents related to Toyota models.

This case was the famous "Toyota brake door" of the time. Although the findings were "reversed" during the investigation, the NHTSA investigation in the United States ultimately showed that the main cause of the Toyota brake door was the lack of protection for key variables in the software that controlled the electronic throttle, in other words a lack of redundancy.

An automotive functional safety engineer explained to us that, for example, some variables take incorrect values when exposed to external interference (such as gamma rays), which can lead to uncontrollable acceleration of the vehicle.

Toyota paid a terrible price for the "brake door", and across the industry the case also promoted the construction of automotive functional safety, especially the development of software safety.
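The "protection of key variables" that the NHTSA finding points to is, in ISO 26262 software practice, usually done by storing a safety-critical value redundantly and checking the copies every time the value is used. The following C program is an added illustration written for this article; it is not Toyota's code and not taken from the investigation. The throttle command, the inverted-copy layout, the range limit and all the names are constructed for the example:

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added illustration (hypothetical names, not Toyota's code): a "protected
 * variable" pattern for a safety-critical value such as a commanded throttle
 * opening. The value is stored twice, the second copy bit-inverted, so a
 * random bit flip in either copy (radiation, a faulty write) is detected
 * before the value reaches the actuator. */

typedef struct {
    uint16_t value;      /* throttle command, 0..1000 = 0.0..100.0 % */
    uint16_t inv_value;  /* bitwise complement of value */
} protected_u16_t;

#define THROTTLE_MAX  1000u
#define THROTTLE_SAFE 0u     /* safe state: close the throttle */

static void protected_set(protected_u16_t *p, uint16_t v)
{
    p->value = v;
    p->inv_value = (uint16_t)~v;
}

/* Fault detection: true and *out filled if both copies agree and the value is
 * in range; false if the stored value can no longer be trusted. */
static bool protected_get(const protected_u16_t *p, uint16_t *out)
{
    if ((uint16_t)(p->value ^ p->inv_value) != 0xFFFFu) {
        return false;            /* copies disagree: memory corruption */
    }
    if (p->value > THROTTLE_MAX) {
        return false;            /* out of range: implausible value */
    }
    *out = p->value;
    return true;
}

/* Fault response -> safe state. Returns the opening actually sent to the
 * actuator and sets *fault for the diagnostic layer. */
static uint16_t throttle_output(protected_u16_t *cmd, bool *fault)
{
    uint16_t v;
    if (!protected_get(cmd, &v)) {
        *fault = true;
        protected_set(cmd, THROTTLE_SAFE);   /* re-initialise to a known state */
        return THROTTLE_SAFE;
    }
    *fault = false;
    return v;
}

/* Fault injection used in testing: flip one bit of the primary copy. */
static void inject_bit_flip(protected_u16_t *p, unsigned bit)
{
    p->value ^= (uint16_t)(1u << bit);
}

int main(void)
{
    protected_u16_t cmd;
    bool fault;
    uint16_t out;

    protected_set(&cmd, 250);                /* driver requests 25 % */
    out = throttle_output(&cmd, &fault);
    printf("normal:    %u fault=%d\n", out, fault);

    inject_bit_flip(&cmd, 9);                /* 250 -> 762, i.e. 76 % */
    out = throttle_output(&cmd, &fault);
    printf("corrupted: %u fault=%d\n", out, fault);
    return 0;
}
```

The property worth noticing is that the corrupted value 762 (a 76 % opening) never reaches the actuator: the mismatch between the two copies is caught, the output falls to the safe value 0 and the fault flag is raised for the diagnostic layer. A real ECU would also CRC the RAM block, keep the mirror in a separate memory region and feed the flag into the system-level safety state machine, but the detection-response-safe-state shape is the same.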

02

Smart cars that don't pay attention to functional safety are running naked

The essence of automotive functional safety is to identify and analyze safety risks through a systematic set of methods, and to drive the product development process in design, production and after-sales so as to avoid personal injury caused by system failure. In layman's terms, the probability of causing danger is reduced to a low enough level.

Unintended acceleration or deceleration, inability to steer, airbags that deploy when they shouldn't... these are the serious consequences that may follow when the functional safety of a car is not done well.

A senior auto industry insider vividly compared the functional safety work of intelligent connected car companies to "laying the foundation": if the foundation is not stable, the higher the building built on it, the more serious the consequences when it collapses.

First, functional safety work needs to start at the stage of product architecture design and device selection; otherwise, even if safety design defects are found later, there is no opportunity to rectify them completely, and companies will face challenges such as design-change feasibility, supply chain stability, production consistency and verifiability.

Second, even if a company is lucky enough to avoid a serious accident like the "Toyota brake door", there is zero tolerance for safety accidents in the automotive field. Once functional safety is neglected, the smart connected car is like a wild horse that has lost its reins, and the higher the sales, the less management may be able to sleep.

Because everyone knows the risks exist, the better the cars sell over time, the more they worry, and the greater the price of "mending the fold after the sheep is lost". Who knows when the next accident will happen?

In other words, a smart car that does not attach importance to functional safety has no safety guarantee, which is no different from "running naked".

So how does functional safety design reduce the probability of risk? At present, the main approach is to break risk factors down through various analytical means.

Find the points in the vehicle's electrical and electronic system that may cause safety problems (such as sensors, perception algorithms, actuators, etc.) and detect and monitor them continuously; once a point is found to have failed, the system enters a "safe mode", such as reminding the user not to use the vehicle or to pull over.

The analysis and assessment of unreasonable risks is the first step in the functional safety design and development process, called HARA (Hazard Analysis and Risk Assessment); the severity, exposure and controllability of a risk jointly determine its level, which we will expand on later.

This logic of fault detection, fault response and safe state is the basic principle of functional safety.

It is precisely because functional safety has received more and more attention from car companies in recent years that a dedicated, authoritative industry standard, ISO 26262, came into being.

When the automotive industry refers to "functional safety", it generally means that the development of the corresponding system must comply with the requirements of ISO 26262 at both the process level and the technical level.

03

Doing a good job on the functional safety of key components

is the first link in the safe driving of the car

In the autonomous driving chain, perception is the first link in the entire technology stack. Perception sensors are the "eyes" of the autonomous vehicle, and once a sensor has a problem, the subsequent decision-making and execution of the autonomous driving system are greatly affected.

For high-level automated driving, functional safety requires the core sensors to have self-test, fault diagnosis and alarm functions.

Let's use lidar as an example of risk analysis. As a device that emits laser light and receives the echoes, lidar has several possible failure modes:

Blind line: there is an object ahead, but no object is detected, which can cause the autonomous vehicle to collide with the missed target;

Ghost: there is no object ahead, but an object is detected, which can cause "unexpected braking" of the autonomous vehicle;

Data bias: the detected data deviates from the real (x, y, z) coordinates of the object.

Further analysis shows that in the "blind line" case, the failed part of the lidar may be the transmitter section, the receiver section or the communication section.

Going one step further, a failure of the transmitter may be caused by a short circuit, open circuit, etc. in the transmission trigger circuit.

The point cloud in the upper figure shows that there are actually vehicles, but the point cloud in the lower figure is missing several lines and the vehicle is invisible. This situation is the "blind line".

Following this risk analysis (fault tree analysis), the failure of a lidar can be decomposed into the failures of tens of thousands of components.

The functional safety design monitors the components along the entire chain, such as the transmitter, the receiver and the communication circuit. If a component of the lidar sensor is found to have failed, the sensor issues an alarm to the automated driving system, which may lower the confidence level of the lidar input, choose to exit the automated driving state, or enter the minimum risk state, reducing speed and stopping.
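To make the fault detection, fault response and safe state logic concrete, here is an added C example of a lidar self-monitor that follows the transmitter / receiver / communication breakdown above. It is written for this article and is not Hesai's or any vendor's firmware; the per-frame self-test inputs, channel count, thresholds, degradation policy and all names are assumptions constructed for the illustration:

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added illustration (hypothetical, not any vendor's firmware): the
 * fault detection -> fault response -> safe state loop for a lidar, following
 * the transmitter / receiver / communication breakdown of the "blind line"
 * analysis. Each frame carries the sensor's own self-test results; the monitor
 * latches faults and tells the consumer how much to trust the sensor. */

#define N_CHANNELS       8      /* real sensors have 32..128 lines */
#define BLIND_FRAMES     3      /* consecutive empty frames => blind line */
#define MAX_FRAME_GAP_MS 150    /* more than one missed frame at 10 Hz */

enum lidar_state { LIDAR_OK = 0, LIDAR_DEGRADED = 1, LIDAR_MRC = 2 };

typedef struct {
    uint32_t timestamp_ms;
    bool     tx_trigger_ok;            /* transmitter trigger self-test */
    uint16_t points[N_CHANNELS];       /* echoes received per channel */
} lidar_frame_t;

typedef struct {
    uint32_t last_ts_ms;               /* 0 = no frame seen yet */
    uint8_t  empty_run[N_CHANNELS];    /* consecutive empty frames per channel */
    enum lidar_state state;
    int      confidence_pct;           /* 100 = full trust in this sensor */
} lidar_monitor_t;

static void monitor_init(lidar_monitor_t *m)
{
    *m = (lidar_monitor_t){ .state = LIDAR_OK, .confidence_pct = 100 };
}

static void enter_mrc(lidar_monitor_t *m)
{
    m->state = LIDAR_MRC;              /* minimum risk: exit AD, slow, stop */
    m->confidence_pct = 0;
}

/* Process one frame and return the resulting state. Faults are latched:
 * leaving MRC needs an explicit monitor_init(), as is usual for
 * safety-relevant failures. */
static enum lidar_state monitor_step(lidar_monitor_t *m, const lidar_frame_t *f)
{
    int blind_lines = 0;

    if (m->state == LIDAR_MRC) return LIDAR_MRC;     /* latched, stay safe */

    /* 1. Transmitter: a dead trigger circuit means every line is dark. */
    if (!f->tx_trigger_ok) {
        enter_mrc(m);
        return m->state;
    }
    /* 2. Communication: data that stops arriving on time is as bad as none. */
    if (m->last_ts_ms != 0 && f->timestamp_ms - m->last_ts_ms > MAX_FRAME_GAP_MS) {
        enter_mrc(m);
        return m->state;
    }
    m->last_ts_ms = f->timestamp_ms;

    /* 3. Receiver: count channels empty for BLIND_FRAMES frames in a row. */
    for (int c = 0; c < N_CHANNELS; c++) {
        if (f->points[c] == 0) {
            if (m->empty_run[c] < 255) m->empty_run[c]++;
        } else {
            m->empty_run[c] = 0;
        }
        if (m->empty_run[c] >= BLIND_FRAMES) blind_lines++;
    }
    if (blind_lines == 0) return m->state;   /* nothing new; keep latched state */

    /* Fault response: a few blind lines -> lower confidence so fusion leans on
     * other sensors; too many -> the sensor cannot cover its field of view. */
    m->confidence_pct = 100 - (100 * blind_lines) / N_CHANNELS;
    if (blind_lines >= N_CHANNELS / 2) {
        enter_mrc(m);
    } else if (m->state == LIDAR_OK) {
        m->state = LIDAR_DEGRADED;
    }
    return m->state;
}

int main(void)
{
    lidar_monitor_t m;
    monitor_init(&m);
    /* Constructed 10 Hz frames: channels 2 and 3 go dark from frame 2 on. */
    for (uint32_t i = 0; i < 5; i++) {
        lidar_frame_t f = { .timestamp_ms = 1000 + 100 * i, .tx_trigger_ok = true };
        for (int c = 0; c < N_CHANNELS; c++) f.points[c] = 40;
        if (i >= 2) { f.points[2] = 0; f.points[3] = 0; }
        enum lidar_state s = monitor_step(&m, &f);
        printf("frame %u: state=%d confidence=%d%%\n", i, (int)s, m.confidence_pct);
    }
    return 0;
}
```

Two design choices are worth calling out. A single empty frame on one channel is not treated as a fault, because a dark line can also come from a genuinely empty scene (sky, a black car), so the monitor waits for a run of empty frames before calling it a blind line; real products use far more evidence (receiver test pulses, reference targets) but the same debouncing idea. And a stale frame is handled exactly like a transmitter failure, since the consumer cannot distinguish "the sensor stopped sending" from "the sensor sends nothing".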

In this process, functional safety development should cover more than ten different levels of requirements, including the vehicle level, system level, software system level, software architecture level, software unit level, software interface level, hardware system level, hardware architecture level, hardware unit level and hardware interface level.

From the perspective of industrial division of labor, OEMs usually cover the development and test verification of functional safety requirements at the vehicle level and component concept level, while Tier 1 and Tier 2 suppliers are responsible for functional safety development and verification of their corresponding systems and of the software and hardware levels.

The severity, exposure and controllability of the risk mentioned earlier jointly determine the risk level, and functional safety design requirements cover the corresponding levels: QM, ASIL A, ASIL B, ASIL C and ASIL D.

The functional safety level represents how important an electrical or electronic system is to driving safety, and it also corresponds to the complexity of the safety activities for that product during development.

For example, for a reversing-assistance camera, the highest applicable level is only ASIL A;

As one of the important environmental perception sensors of automated driving systems, lidar is generally required by car companies to reach ASIL B;

Components such as motor controllers, which directly determine the speed of the car, must reach ASIL D.

The automated driving system of a high-end intelligent driving car must also meet ASIL D as a whole.

Although many car companies put high-end intelligent driving mass production on the agenda in 2021, and some flagship models will even officially release L3 and L4 automated driving systems in 2022, a large proportion of the cameras, millimeter-wave radars, lidars and other sensors on the market still lack a complete functional safety design, and products that have passed ASIL safety certification by an authoritative body are even rarer.

From public information, we can see that a small number of domestic and foreign manufacturers have taken action on functional safety:

In cameras, ON Semiconductor has developed in-house a complete functional safety process. According to its public information, its current CMOS image sensors, automotive multi-output power management ICs, infrared LED lighting controllers and other products comply with functional safety standards.

In millimeter-wave radar, the Alps series millimeter-wave radar SoC from the domestic company Gatland Microelectronics obtained ISO 26262 functional safety product certification last year. According to Gatland, it is the first chip product in China that fully complies with ISO 26262 and has obtained third-party certification, reaching ASIL B.

In lidar, Hesai Technology's Pandar128 obtained ISO 26262 ASIL B functional safety product certification from Germany's SGS-TÜV, becoming the world's first ASIL B-certified lidar.

In computing platforms, Huawei's MDC 610 obtained ASIL D functional safety certification from TÜV SÜD. Horizon also announced in July 2021 that the functional safety architecture and specific design of its Journey 5 chip had obtained ISO 26262 ASIL B product certification.


Huawei MDC 610

04

Domestic and foreign car companies are paying more and more attention, and functional safety has become a hard battle

In fact, both autonomous driving companies and OEMs are paying more and more attention to functional safety. In domestic and foreign markets alike, functional safety has become an uphill battle that must be fought before autonomous driving reaches mass production.

Large international car companies have accumulated relatively deep technical know-how through the development of technologies such as Sanden, and often have very deep and systematic requirements for the functional safety of components.

For example, when GM evaluates parts suppliers, it regards whether the supplier has an "independent safety team" as an important basic criterion for selection.

A former GM engineer told us that GM's functional safety requirements for parts suppliers are actually higher than ISO 26262.

At the same time, domestic car companies have also increased their attention to and investment in functional safety in recent years.

Zhao Yihong, an engineer at the internationally renowned certification body SGS, told the heart of the car that, represented by domestic head independent brands such as Geely, SAIC, GAC and Great Wall and by the head new-force car companies, car companies' current understanding of functional safety is already very profound, and the domestic automotive industry is ushering in a period of rapid growth in demand for functional safety of intelligent driving products and parts.

The new track opened up by smart cars has intensified product competition between car companies to a certain extent, and many car companies hope to develop car products with more functions and a better experience in a shorter period. Jidu Automobile, backed by Baidu and Geely, is one representative.

Jidu Automobile's first concept car design; the pop-up lights on the left and right of the front are designed as lidar.

Jidu Auto told the heart of the car that Jidu shortens the development cycle and improves development efficiency by decoupling software and hardware so that they are developed in parallel.

In intelligent driving, Jidu will deliver in 2023 a leading, safe and reliable autonomous driving experience rather than relying on subsequent OTA updates, so the development of its intelligent driving software has involved a lot of front-loaded work.

For intelligent driving and intelligent cockpit parts, Jidu requires that chips and sensors related to the smart cabin reach at least ASIL B, and that intelligent-driving-related hardware reach at least ASIL D.

As the actuator for intelligent driving, the by-wire chassis carries the highest requirement, ASIL D, for both its safety redundancy design and the safety level of the actuator itself. In addition, the safety and reliability of the interaction between the intelligent driving system and the by-wire chassis actuator need to be considered.

Parts suppliers must have very deep technical accumulation and practical experience in parts R&D and mass production, especially on the hardware carrier, where successive iterations make the product more stable and reliable.

We also learned from lidar company Hesai Technology that its strong emphasis on functional safety stems from the practical needs of its customers.

For example, a new-force car company previously put forward more than 40 major functional safety requirements for Hesai's vehicle-grade semi-solid-state lidar, including avoiding a perceived distance greater than the actual distance, avoiding lost points, avoiding ghosting, avoiding abnormal data delays, and so on, together with the ability to monitor the various abnormalities and report them to the vehicle in time.

At present, car companies' intelligent driving systems generally target L2+, while many head autonomous driving companies, aiming to develop L4 automated driving systems, have put forward higher requirements for parts and components.

Waymo, Nuro, Baidu Apollo and other companies have successively released self-driving safety white papers with clear requirements for functional safety in system design.

It is not difficult to see that in the future, auto parts makers will need to invest more effort in functional safety and achieve the corresponding ASIL level in order to continue to be recognized by car companies.

05

Nearly 10,000 failure analyses and 28 months of iteration,

just to create a "certified part"

Since functional safety is so important, why have only a few parts and components obtained authoritative certification so far? Simply put, the cost of functional safety development is enormous.

The industry generally believes that reaching ASIL B increases project cost by 30%, and reaching ASIL D increases it by 60%. Obviously, this process is time-consuming, laborious and costly, and it needs the attention of the company's senior management to proceed smoothly.

Roughly speaking, the cost includes but is not limited to:

Hardware costs. Reaching an ASIL level often requires adding redundant and monitoring components, that is, more hardware; core chips also need functional safety certification, and often more than one chip is needed; and if the measured random hardware failure probability does not meet the target, chips or electronic components with higher reliability, a lower failure rate or an existing functional safety design must be substituted, and so on.

Software costs. New software that carries the functional safety mechanisms has to be developed; introducing measures such as software partitioning may have a great impact on the original software architecture; the coverage targets of white-box testing (a test case design method) are very demanding, and work has to be redone if they are not reached; and adding safety mechanisms may cause software instability, requiring a lot of time to debug, modify and verify while affecting usability as little as possible.

Toolchain costs. Requirements management tools, safety analysis tools, software development tools, software testing tools, etc.

Management costs. Establishing the process system requires manpower, as do project safety management, functional safety audits and functional safety assessments.

A functional safety engineer estimated: "(For a car company investing from scratch) to build a complete functional safety system, it is conservatively estimated to cost hundreds of millions of yuan."

In addition, new electronic and electrical components have also brought unknowns and challenges to the construction of automotive functional safety.

Taking lidar as an example, the person in charge of system safety at Hesai Technology told the heart of the car that because lidar is a high-precision, high-real-time sensor, its functional safety design and certification are more complex than the functional safety certification of most parts previously on the car. Roughly estimated, certifying a lidar is more than 1.5 times more complex than certifying a millimeter-wave radar or camera.


Hesai Pandar128 high-performance lidar

It is understood that Pandar128 has 6,095 components, roughly equivalent to the number of electronic components in a mid-range fuel vehicle. Safety requirements are assigned not only to the software and hardware levels of the system but also to the FPGA, which implements monitoring of and feedback on lidar safety-related failures.

In addition, to comply with functional safety and achieve procedural fairness, Hesai also brought in a third-party authoritative certification company to conduct an in-depth investigation of the whole product process; after nearly 10,000 failure analyses, more than 300 work products and 28 months of iteration, Pandar128 became the world's first lidar to obtain ASIL B product certification.

Even at great cost, functional safety is a necessary task.

Jidu Auto said that when selecting a parts supplier, the first thing it looks at is whether the supplier can provide documentation meeting the corresponding ASIL functional safety level, proving that the relevant safety requirements have been implemented and verified.

At the same time, information from car companies and certification bodies shows that in 2021 a large number of parts companies, especially intelligent driving parts companies, were developing and certifying the functional safety of their products.

Since intelligent driving systems are still in a stage of development and rapid iteration, intelligent driving components are also iterating rapidly, which further affects the functional safety design of products.

For a car company selecting intelligent driving electrical components, certification by a third-party body with rich functional safety experience is equivalent to double insurance, while also reducing the time cost of auditing suppliers.

06

The car of the future is a competition for intelligence and a competition for safety

With the entry of new forces and Internet giants, the automotive industry is becoming ever more fiercely competitive. Future competition in the industry is not only a competition of intelligence but also a competition of safety.

In addition to functional safety, expected functional safety (the safety of the intended functionality, SOTIF) and network security (cybersecurity) are also safety requirements strongly related to automotive electrical and electronic components. These three are sometimes called the "three musketeers of smart car safety", none of which can be dispensed with.

For example, expected functional safety problems caused by sensor performance limitations may trigger car accidents like those involving Tesla.

Network security problems introduced by new technologies such as open-source/third-party software, OTA updates and network connectivity may cause incidents such as GM's OnStar being breached and hackers driving the car away.

This means that future intelligent connected vehicles need to address all risks related to functional safety, network security and expected functional safety before they can be delivered and used in large quantities. The integrated development of the three safety systems is a different dimension from functional safety alone.

These three types of safety are independent yet interdependent, and all of them affect product design. Therefore, the ideal approach is for enterprises to build the multiple safety systems together when developing products; otherwise the various safety systems will interfere with each other and reduce efficiency.

For example, a new encryption chip introduced for network security in information transmission must itself also meet functional safety design requirements.

In fact, to maximize the integration of the three safety systems and architecture designs, ISO 21434 and ISO 21448 were themselves built on the ISO 26262 framework, and the three have a high degree of similarity.

In this way, as long as multiple safety designs are considered at the beginning of product development, designers can efficiently carry out these three types of safety work in parallel according to mutually integrated safety standards.


Take lidar: as an indispensable perception sensor for intelligent connected vehicles, it naturally has to address the three kinds of safety risk it brings:

For example, functional safety issues caused by laser damage, network security problems caused by point cloud data tampering, and expected functional safety problems caused by reticle stolen data.

Example of a cybersecurity attack: the communication between the lidar and the vehicle is replayed by an attacker, replacing a point cloud containing a person (left) with a pre-recorded point cloud without anyone (right), which could lead to a collision with a pedestrian.
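The replay shown in the figure is the classic case that a freshness counter plus a message authentication tag is designed to catch on the vehicle side. The following C program is an added example written for this article; it is not Hesai's protocol or code, and the frame layout, the key, the point data and the function names are all constructed for the illustration. The tag function is SipHash-2-4 transcribed from the published algorithm; a production ECU would use the platform's vetted MAC (for example AES-CMAC as in AUTOSAR SecOC) with a provisioned key.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Added illustration (hypothetical frame format, not Hesai's protocol): a
 * vehicle-side receiver that rejects replayed sensor frames. Each frame carries
 * a monotonically increasing freshness counter and a 64-bit tag over
 * (counter || payload) under a key shared by sensor and ECU: a recorded frame
 * re-sent later fails the counter check, and a frame whose counter or point
 * cloud was edited fails the tag check. The tag is SipHash-2-4, transcribed
 * from the published algorithm; a production ECU would use its platform's
 * vetted MAC (e.g. AES-CMAC as in AUTOSAR SecOC) and a provisioned key. */

#define ROTL(x, b) (uint64_t)(((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND do { \
    v0 += v1; v1 = ROTL(v1, 13); v1 ^= v0; v0 = ROTL(v0, 32); \
    v2 += v3; v3 = ROTL(v3, 16); v3 ^= v2; \
    v0 += v3; v3 = ROTL(v3, 21); v3 ^= v0; \
    v2 += v1; v1 = ROTL(v1, 17); v1 ^= v2; v2 = ROTL(v2, 32); } while (0)

static uint64_t siphash24(const uint8_t key[16], const uint8_t *in, size_t len)
{
    uint64_t k0 = 0, k1 = 0, m, b = (uint64_t)len << 56;
    size_t i;
    for (int j = 7; j >= 0; j--) { k0 = (k0 << 8) | key[j]; k1 = (k1 << 8) | key[8 + j]; }
    uint64_t v0 = k0 ^ 0x736f6d6570736575ULL, v1 = k1 ^ 0x646f72616e646f6dULL;
    uint64_t v2 = k0 ^ 0x6c7967656e657261ULL, v3 = k1 ^ 0x7465646279746573ULL;
    for (i = 0; i + 8 <= len; i += 8) {                 /* full 8-byte blocks, LE */
        m = 0;
        for (int j = 7; j >= 0; j--) m = (m << 8) | in[i + j];
        v3 ^= m; SIPROUND; SIPROUND; v0 ^= m;
    }
    for (int j = (int)(len - i) - 1; j >= 0; j--) b |= (uint64_t)in[i + j] << (8 * j);
    v3 ^= b; SIPROUND; SIPROUND; v0 ^= b;               /* last block + length */
    v2 ^= 0xff; SIPROUND; SIPROUND; SIPROUND; SIPROUND; /* finalisation */
    return v0 ^ v1 ^ v2 ^ v3;
}

#define POINTS_PER_FRAME 4

typedef struct {
    uint32_t counter;                     /* freshness value, never reused */
    int16_t  xyz[POINTS_PER_FRAME][3];    /* toy point cloud, centimetres */
    uint64_t tag;                         /* MAC over counter || xyz */
} signed_frame_t;

typedef struct {
    uint8_t  key[16];
    uint32_t last_counter;                /* highest counter accepted so far */
    bool     have_counter;
} frame_receiver_t;

enum verdict { ACCEPT = 0, REJECT_TAG = 1, REJECT_REPLAY = 2 };

static uint64_t frame_tag(const uint8_t key[16], const signed_frame_t *f)
{
    uint8_t buf[sizeof f->counter + sizeof f->xyz];
    memcpy(buf, &f->counter, sizeof f->counter);   /* same byte order both sides */
    memcpy(buf + sizeof f->counter, f->xyz, sizeof f->xyz);
    return siphash24(key, buf, sizeof buf);
}

/* Sensor side: stamp the frame with the next counter value and tag it. */
static void sensor_sign(const uint8_t key[16], signed_frame_t *f, uint32_t counter)
{
    f->counter = counter;
    f->tag = frame_tag(key, f);
}

/* Vehicle side: authenticity first, then freshness. The stored counter only
 * advances for frames that passed both checks, so an edited counter cannot
 * push the receiver's window forward. XOR-then-compare keeps the tag check
 * free of early-exit timing differences. */
static enum verdict receiver_check(frame_receiver_t *r, const signed_frame_t *f)
{
    if ((frame_tag(r->key, f) ^ f->tag) != 0) return REJECT_TAG;
    if (r->have_counter && f->counter <= r->last_counter) return REJECT_REPLAY;
    r->last_counter = f->counter;
    r->have_counter = true;
    return ACCEPT;
}

int main(void)
{
    /* Constructed demo key; real keys are provisioned per vehicle. */
    static const uint8_t key[16] = { 0x10,0x32,0x54,0x76,0x98,0xba,0xdc,0xfe,
                                     0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef };
    frame_receiver_t rx = { .have_counter = false };
    memcpy(rx.key, key, sizeof key);

    signed_frame_t clear  = { .xyz = {{500,0,0},{520,10,0},{540,20,0},{560,30,0}} };
    signed_frame_t person = { .xyz = {{300,0,0},{310,0,50},{310,0,100},{300,0,150}} };
    sensor_sign(key, &clear, 1);     /* sent earlier: road ahead is clear */
    sensor_sign(key, &person, 2);    /* sent now: a pedestrian ahead */

    printf("earlier frame:  %d\n", receiver_check(&rx, &clear));   /* 0 accept */
    printf("live frame:     %d\n", receiver_check(&rx, &person));  /* 0 accept */
    printf("replayed frame: %d\n", receiver_check(&rx, &clear));   /* 2 replay */
    clear.counter = 3;               /* replay with an edited counter */
    printf("edited counter: %d\n", receiver_check(&rx, &clear));   /* 1 tag   */
    return 0;
}
```

The receiver answers the scenario in the figure directly: the recorded "road clear" frame is accepted once, the live "pedestrian" frame supersedes it, and the recorded frame sent again is rejected as a replay; editing its counter to look fresh only moves the failure to the tag check. In a real deployment the counter must survive sensor resets (or be re-synchronised through an authenticated handshake), the key must never be a compile-time constant, and a rejected frame should feed the same fault-response path as a sensor failure, since from the planner's point of view "no trustworthy lidar data" is the same condition either way.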

As a leading manufacturer of lidar, Hesai Technology is also a pioneer in the field of sensor security.

At a time when some enterprises have not even achieved functional safety, Hesai Technology has entered the "three-in-one" stage of functional safety, expected functional safety and network security.

According to the person in charge of system safety at Hesai Technology, Hesai's system safety strategy is to address the functional safety issues caused by failures of the lidar's electronic and electrical parts, while at the same time carrying out technical pre-research on network security and expected functional safety; in system construction and architecture design, the "three-in-one" integration and the integration with traditional product development processes have been completed.

In product safety technology, following Pandar128's world-first ASIL B lidar product certification, the development and certification of network security and expected functional safety will also be completed.

At present, Hesai's "Maxwell" super factory intelligent manufacturing center in Shanghai will be put into use this year, with a designed annual capacity of one million units. Its completed safety system is also strong support behind sales of a million units.


The Maxwell Super Factory is under construction

As head car companies approach their goal of mass-producing high-level automated driving, large-scale mass production of vehicle-grade lidar is also imminent. Taking the Wei Xiaoli trio as an example, their next-generation flagship models NIO ET7, Xiaopeng G9 and Ideal X01 will all be equipped with lidar.

Jidu Cars and Xiaomi Cars, both backed by giants, are also poised to go: Jidu has announced that its new car will be released this year and delivered in 2023, and Xiaomi has publicly announced that it will release its first model in 2024.

With the rapid expansion of the new energy vehicle penetration rate and the rapid growth in the number and scale of head smart-car players, consumers have placed greater expectations on intelligent driving.

Under such high expectations, any small safety problem will be magnified many times over and have a great impact. Therefore, for the entire industry, building a safety system around intelligent technology is increasingly important and urgent.

As competition among cars has intensified, the typical 3-5 year development cycle for a model has now generally been compressed to 24-36 months.

All this means that comprehensive safety development and verification of ever more complex automotive intelligent functions must be carried out in a shorter time, and the entire industry chain must increase its investment in safety and accelerate the accumulation of mass-production development experience.

Only in this way can autonomous driving truly make cars safer. After all, "without safety there is no intelligence": safety is the first condition of everything.
