[PPT] - A safety-oriented engineering process for autonomous robotic systems PowerPoint Presentation

SLIDE 1

A safety-oriented engineering process for autonomous robotic systems

Italian Workshop on Embedded Systems Siena, Italy, September 13-14 2018

Fabio Federici, Giulio Mosé Mancuso

Created at UTRC-ALES UTC PROPRIETARY - This document contains no USA or EU export controlled technical data.

SLIDE 2

Overview

UTC: BU needs and supporting capabilities
Certification issues
Proposed design flow
Technology Evaluation
Open points

UTC PROPRIETARY – This page does not contain any export controlled technical data

SLIDE 3

UTC and intelligent systems

UTC Business Units

UTC Aerospace Systems

Actuation & Propeller Systems
Air Management Systems
Landing Systems
Electric Systems
Engine Systems
Sensors & Integrated Systems

UTC Climate, Controls and Security

Intelligent building Technologies
Heating & Cooling
Fire Safety & Security
Refrigeration

Pratt & Whitney

Commercial and Military Aircraft

Engines

Auxiliary Power Units
Helicopter Engines

OTIS

Elevators
Escalators
Moving Walkways

3D Reconstruction Dense Mapping Visual Inspection Perception Navigation Autonomous Exploration Manipulation Activity Prediction Inspection Assembly Manipulation Grinding Deburring Welding Mapping Autonomous Transportation

Use Cases Capabilities

UTC PROPRIETARY – This page does not contain any export controlled technical data

SLIDE 4

Focus area

HW Platform OS / Middleware Application HW Platform Low-level Control Software Robot Frame COTS robotic platform OS / Middleware / Middleware interface Sensors Actuators Sensors Higher-level control platform Personal Computer OS / Middleware User Application User/Base Platform Environment

Example

Ground Control Station High-level Controller Flight Controller/ Quadcopter Frame

UTC PROPRIETARY – This page does not contain any export controlled technical data

SLIDE 5

Relevant standards

Safety related certification

IEC 61508: Functional safety of Electrical/Electronic/Programmable

Electronic Safety-related Systems

SAE ARP 4765A: Guidelines For Development Of Civil Aircraft and Systems
RTCA DO 254
RTCA DO 178C
ISO 10218-1: Safety requirements for industrial robots - Part 1: Robots
ISO 10218-2: Safety requirements for industrial robots -- Part 2: Robot

systems and integration

ISO 13482: Safety requirements for personal care robots

UTC PROPRIETARY – This page does not contain any export controlled technical data

SLIDE 6

CARVE (CONTRACT BASED DESIGN)

Design and verification flow

HW/SW PLATFORM DESIGN FLOW

Feature Requirements System Requirements Development/Modeling Concept Development System Architecture Model Development PLATFORM LEVEL SYSTEM LEVEL MODULE LEVEL

REQUIREMENTS DESIGN CODING DEPLOYEMENT REQUIREMENTS & ARCHITECTURE (MODEL) IMPLEMENTATION (PHYSICAL)

VALIDATION VALIDATION HAZARD ANALYSIS PRELIMINARY SYSTEM SAFETY ASSESSMENT, CCA PRELIMINARY MODULE SAFETY ASSESSMENT, CCA

RobMoSys

UTC PROPRIETARY – This page does not contain any export controlled technical data

MIL SYSTEM INTEGRATION & TEST ITEM INTEGRATION & TEST FUNCTION INTEGRATION & TEST

LOW-LEVEL TESTING SW-SW INTEGRATION HW-SW INTEGRATION

SIL VPIL

SLIDE 7

HW/SW Platform Design Flow

Hardware Safety Requirement Specification Software Safety Requirement Specification System Safety Requirements Specification Hardware Architecture Software Architecture System Architecture Specification/Design Module Design Module Development Module Testing Module Integration Testing HW/SW Integration Testing Hardware Design Software Design Integration Testing Validation Testing Re-use Safety Cases (Platform, Kernel, Fault Domains)

UTC PROPRIETARY – This page does not contain any export controlled technical data

Architectural Patterns Fault Hazard Analysis

Functions

SLIDE 8

Robotics Architecture Design Patterns

MISSION TASK SKILL SERVICE FUNCTION EXECUTION CONTAINER OS/MIDDLEWARE HARDWARE SKILL LAYER SEQUENCING LAYER DELIBERATIVE LAYER

CARVE: use of behavior trees Internal research investigation

UTC PROPRIETARY – This page does not contain any export controlled technical data →

? ?

SLIDE 9

Development of HW/SW Platform

Hypervisor

RTOS Task/Skill Layer

Robotic Middleware/ Bridge

Health Monitoring Functions General Purpose OS Robotic Middleware Mission Layer Task Layer

Multicore CPU GPU FPGA I/O Interfaces Current collaborations:

UTC PROPRIETARY – This page does not contain any export controlled technical data

RTOS I/O Server

Robotic Middleware/ Bridge

SLIDE 10

Heterogeneous platforms

Goal: use of COTS heterogeneous devices

Low-cost
Short time to market

Problems:

Sophisticated (obfuscated) components
Greater complexity
Resource sharing potentially jeopardizing safety

NVIDIA Jetson TX2 System-on-Module

Quad-core ARM Cortex A-57
Dual-core NVidia Denver 2
NVidia Pascal GPU w. 256 CUDA cores

Zynq UltraScale+ MPSoC

Quad-core ARM Cortex A-53
Dual-core ARM Cortex-R5
ARM Mali 400 MP2 GPU
16 nm FinFET+ Programmable Logic

TARGET PLATFORMS

Multicore CPU GPU FPGA I/O Interfaces

UTC PROPRIETARY – This page does not contain any export controlled technical data

SLIDE 11

Need for efficient middlewares

Open-source, meta-operating system for robots Hardware abstraction,

Low-level device control,
Commonly-used functionality,
Message-passing between processes,
Package management.

Pros:

Widely adopted
Large community
Out of the box support for devices
Algorithms & Libraries

Cons:

Lack of determinism
Not well fit for safety critical systems

Pros:

Real-time, deterministic
Support for multiple communication

middlewares

Compatibility with ROS

Cons:

Maturity level
Adoption

Fork

f

ROS based

n

the Data Distribution Service (DDS).

DDS is suitable for real-time distributed

embedded systems due to its various transport configurations (e.g., deadline and fault-tolerance) and scalability.

UTC PROPRIETARY – This page does not contain any export controlled technical data

SLIDE 12

Jailhouse partitioning hypervisor

Pros:

Native support for the Linux kernel
Low latencies, good performance
Open Source (GPL v2)
Ported on several embedded platforms (Xilinx Zynq, Nvidia

Jetson TX1/TX2) Limitations:

System boot depends on the Linux Kernel
No partition scheduling, only static resource assignment
Limited maturity

CPU CPU CPU CPU Linux Kernel CPU CPU CPU CPU Jailhouse Linux Kernel Jailhouse Linux Kernel CPU CPU CPU CPU Jailhouse Linux Kernel CPU CPU CPU CPU RTOS Root Cell Root Cell Init

Jailhouse:

Partitioning Hypervisor based on Linux.
Able

to run bare-metal applications

r

(adapted)

perating systems.
Originally developed by Siemens
Released as Free Software (GPLv2) since November 2013

UTC PROPRIETARY – This page does not contain any export controlled technical data

SLIDE 13

Ongoing activity on demo Platform

Jailhouse ARM Cortex-A57 ROS ARM Cortex-A57 Nvidia Denver 2 ARM Cortex-A57 ARM Cortex-A57 Nvidia Denver 2 Pascal GPU Linux NVIDIA Jetson TX2 RT-Linux IO Management/ Control app ICP

Root cell running ROS executed on the

Denver Cluster

GPU accelerated ICP:
KinectFusion algorithm
Around 108 Hz execution speed

UTC PROPRIETARY – This page does not contain any export controlled technical data

SLIDE 14

Summary and Open Points

Activities

Definition of a safety oriented flow for robotics systems
Analysis and design of a robotic hardware/software architecture
Assessment of open-source technologies

TODOs & Open points

Consolidation of MBD flow
Bringing in RobMoSys approach
Additional isolation mechanism to be introduced in Jailhouse
Long-term need: mature, certifiable hypervisor
Verification

UTC PROPRIETARY – This page does not contain any export controlled technical data

SLIDE 15

Questions?

UTC PROPRIETARY – This page does not contain any export controlled technical data