
A safety-oriented engineering process for autonomous robotic systems (slide deck)



  1. Italian Workshop on Embedded Systems, Siena, Italy, September 13-14 2018
     A safety-oriented engineering process for autonomous robotic systems
     Fabio Federici, Giulio Mosé Mancuso, created at UTRC-ALES
     UTC PROPRIETARY - This document contains no USA or EU export controlled technical data.

  2. Overview
     - UTC: business unit needs and supporting capabilities
     - Certification issues
     - Proposed design flow
     - Technology evaluation
     - Open points
     UTC PROPRIETARY – This page does not contain any export controlled technical data

  3. UTC and intelligent systems
     UTC business units and product lines (table reconstructed from the slide):
     - UTC Aerospace Systems: Actuation & Propeller Systems, Air Management Systems, Landing Systems, Electric Systems, Engine Systems, Sensors & Integrated Systems
     - UTC Climate, Controls and Security: Intelligent Building Technologies, Heating & Cooling, Fire Safety & Security, Refrigeration
     - Pratt & Whitney: Commercial and Military Aircraft Engines, Auxiliary Power Units, Helicopter Engines
     - OTIS: Elevators, Escalators, Moving Walkways
     Use cases: Inspection, Assembly, Manipulation, Grinding, Deburring, Welding, Autonomous Mapping, Transportation
     Capabilities: 3D Dense Reconstruction, Visual Perception, Mapping, Inspection, Autonomous Navigation, Activity Prediction, Manipulation, Exploration

  4. Focus area
     [Diagram: layered view of the focus area. A higher-level control platform (User Application / OS / Middleware / Personal Computer HW Platform) sits on a user/base platform; a COTS robotic platform (Application Software / OS / Middleware / HW Platform / Sensors / Actuators / Robot Frame) provides low-level control; the two are joined through a middleware interface, and the robot acts on the Environment. Example: High-level Controller on a Ground Station, Flight Controller on a Quadcopter Frame.]

  5. Relevant standards
     Safety-related certification:
     - IEC 61508: Functional safety of Electrical/Electronic/Programmable Electronic Safety-related Systems
     - SAE ARP 4765A: Guidelines for Development of Civil Aircraft and Systems
     - RTCA DO-254
     - RTCA DO-178C
     - ISO 10218-1: Safety requirements for industrial robots - Part 1: Robots
     - ISO 10218-2: Safety requirements for industrial robots - Part 2: Robot systems and integration
     - ISO 13482: Safety requirements for personal care robots

  6. Design and verification flow
     [Diagram: V-model of the proposed flow, with MIL / SIL / VPIL test levels. Left (development) side: Feature Requirements, Concept Development, System Requirements, System Architecture, Model Development (contract-based design, RobMoSys development/modeling, CARVE), Module Requirements, HW/SW Platform Requirements & Architecture (model), Design, Coding, Implementation (physical). Right (verification) side: Platform Function Validation with Hazard Analysis, System Integration & Validation Test with Preliminary System Safety Assessment and CCA, Item Integration & Test with Module Safety Assessment and CCA, HW-SW Integration, SW-SW Integration, Low-level Testing, Deployment.]

  7. HW/SW platform design flow
     [Diagram: development steps paired with their verification steps. Functions and Fault/Hazard Analysis feed the System Safety Requirements Specification, verified by Validation Testing; Hardware and Software Safety Requirement Specifications are verified by Integration Testing; System Architecture Specification/Design with Hardware and Software Architecture is verified by HW/SW Integration Testing; Hardware and Software Module Design, drawing on Architectural Patterns and Safety Cases Re-use (Platform, Kernel, Fault Domains), is verified by Module Integration Testing; Module Development is verified by Module Testing.]

  8. Robotics architecture design patterns
     [Diagram: layered robot architecture. Deliberative Mission Layer → Task Sequencing Layer (CARVE: use of behavior trees, internal research investigation) → Skill Execution Layer (Skill, Service, Function, Skill Container) → OS/Middleware → Hardware.]

  9. Development of HW/SW platform
     [Diagram: platform stack. Mission Layer and Task/Skill Layer over a Robotic Middleware, with a Robotic Middleware Bridge, I/O Server and Health Monitoring; a General Purpose OS and RTOS partitions hosted by a Hypervisor; hardware: Multicore CPU, GPU, FPGA, I/O Interfaces. Current collaborations: (logos not recoverable from the slide).]

  10. Heterogeneous platforms
     Goal: use of COTS heterogeneous devices (GPU, FPGA, Multicore CPU, I/O Interfaces)
     - Low cost
     - Short time to market
     Problems:
     - Sophisticated (obfuscated) components
     - Greater complexity
     - Resource sharing potentially jeopardizing safety
     Target platforms:
     - NVIDIA Jetson TX2 System-on-Module: quad-core ARM Cortex-A57, dual-core NVIDIA Denver 2, NVIDIA Pascal GPU with 256 CUDA cores, 16 nm FinFET+
     - Zynq UltraScale+ MPSoC: quad-core ARM Cortex-A53, dual-core ARM Cortex-R5, ARM Mali-400 MP2 GPU, Programmable Logic

  11. Need for efficient middlewares
     ROS: open-source meta-operating system for robots: hardware abstraction, low-level device control, commonly-used functionality, message-passing between processes, package management.
     Pros:
     - Widely adopted
     - Large community
     - Out-of-the-box support for devices
     - Algorithms & libraries
     Cons:
     - Lack of determinism
     - Not well fit for safety-critical systems
     ROS 2: fork of ROS based on the Data Distribution Service (DDS). DDS is suitable for real-time distributed embedded systems due to its various transport configurations (e.g., deadline and fault tolerance) and scalability.
     Pros:
     - Real-time, deterministic
     - Support for multiple communication middlewares
     - Compatibility with ROS
     Cons:
     - Maturity level
     - Adoption

  12. Jailhouse partitioning hypervisor
     Jailhouse:
     - Partitioning hypervisor based on Linux
     - Able to run bare-metal applications or (adapted) operating systems
     - Originally developed by Siemens
     - Released as Free Software (GPLv2) since November 2013
     Pros:
     - Native support for the Linux kernel
     - Low latencies, good performance
     - Open source (GPL v2)
     - Ported to several embedded platforms (Xilinx Zynq, NVIDIA Jetson TX1/TX2)
     Limitations:
     - System boot depends on the Linux kernel
     - No partition scheduling, only static resource assignment
     - Limited maturity
     [Diagram: boot sequence. Linux runs on all four CPUs; the Linux kernel initialises Jailhouse; Linux becomes the root cell; CPUs are then handed to a separate RTOS cell, leaving the Linux root cell and the RTOS cell each with a static set of CPUs.]

  13. Ongoing activity on demo platform
     - Root cell running ROS executed on the Denver cluster
     - GPU-accelerated ICP: KinectFusion algorithm, around 108 Hz execution speed
     [Diagram: NVIDIA Jetson TX2 (2x NVIDIA Denver 2, 4x ARM Cortex-A57, Pascal GPU) under Jailhouse; ROS on Linux in one cell, IO Management/Control app on RT-Linux in the other.]
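Slides 10, 12 and 13 together describe the safety concern (shared resources on a COTS heterogeneous SoC) and the mitigation Jailhouse offers (static CPU and memory assignment per cell, no partition scheduler). Because the assignment is static, a defender can check it before deployment instead of relying on runtime behaviour. The following is an added example, not Jailhouse's own configuration format or tooling and not code from the presentation: it models cells as the resources they end up owning and reports any pair of cells that share a CPU or an undeclared writable memory range. The TX2 CPU numbering (Denver 2 cores as 0 and 1, Cortex-A57 cores as 2 to 5) and all addresses are constructed assumptions.

```python
"""Consistency check for a static CPU/memory partitioning of the kind Jailhouse
uses (constructed example; not Jailhouse's configuration format or tooling).

Jailhouse has no partition scheduler: a cell owns a fixed set of CPUs and
memory regions from the moment it is created. The "resource sharing
potentially jeopardizing safety" problem therefore reduces to a static
question: do any two cells share a CPU, or a writable memory region that
was not explicitly declared as shared communication memory?
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class MemRegion:
    """A physical memory range owned by a cell (size in bytes)."""
    phys_start: int
    size: int
    writable: bool = True
    shared: bool = False  # True only for deliberately shared inter-cell memory

    @property
    def end(self) -> int:
        return self.phys_start + self.size

    def overlaps(self, other: "MemRegion") -> bool:
        return self.phys_start < other.end and other.phys_start < self.end


@dataclass(frozen=True)
class Cell:
    """The resources a cell owns once every cell has been created."""
    name: str
    cpus: frozenset
    regions: tuple
    root: bool = False


def check_partitioning(cells, total_cpus):
    """Return a list of violations; an empty list means the assignment is consistent."""
    problems = []
    roots = [c for c in cells if c.root]
    if len(roots) != 1:
        problems.append(f"expected exactly one root cell, found {len(roots)}")
    for c in cells:
        if not c.cpus:
            problems.append(f"{c.name}: cell owns no CPU")
        out_of_range = sorted(n for n in c.cpus if n < 0 or n >= total_cpus)
        if out_of_range:
            problems.append(f"{c.name}: CPU ids out of range {out_of_range}")
    # Pairwise checks: CPUs must be disjoint; overlapping memory is only
    # acceptable when both sides declare it shared, or neither side can write it.
    for a, b in combinations(cells, 2):
        shared_cpus = sorted(a.cpus & b.cpus)
        if shared_cpus:
            problems.append(f"{a.name}/{b.name}: share CPU(s) {shared_cpus}")
        for ra in a.regions:
            for rb in b.regions:
                if not ra.overlaps(rb) or (ra.shared and rb.shared):
                    continue
                if ra.writable or rb.writable:
                    start = max(ra.phys_start, rb.phys_start)
                    problems.append(
                        f"{a.name}/{b.name}: undeclared writable overlap at {start:#x}")
    return problems


# Constructed TX2-like layout: 6 CPUs, Denver 2 = {0, 1}, Cortex-A57 = {2..5}.
# Numbering and addresses are assumptions for the example, not measured values.
TX2_CPUS = 6
IVSHMEM = MemRegion(0xC000_0000, 0x10_0000, writable=True, shared=True)


def demo_tx2_cells():
    """Root cell (Linux + ROS) on the Denver cluster, RT-Linux I/O cell on the A57s."""
    return [
        Cell("linux-ros", frozenset({0, 1}),
             (MemRegion(0x8000_0000, 0x4000_0000), IVSHMEM), root=True),
        Cell("rt-linux-io", frozenset({2, 3, 4, 5}),
             (MemRegion(0xC100_0000, 0x1000_0000), IVSHMEM)),
    ]


def misconfigured_tx2_cells():
    """Same layout, but the I/O cell also claims Denver core 1 and part of root RAM."""
    return [
        Cell("linux-ros", frozenset({0, 1}),
             (MemRegion(0x8000_0000, 0x4000_0000), IVSHMEM), root=True),
        Cell("rt-linux-io", frozenset({1, 2, 3}),
             (MemRegion(0xB000_0000, 0x1000_0000), IVSHMEM)),
    ]


if __name__ == "__main__":
    for label, cells in (("demo", demo_tx2_cells()),
                         ("misconfigured", misconfigured_tx2_cells())):
        issues = check_partitioning(cells, TX2_CPUS)
        print(label, "OK" if not issues else issues)
```

The check deliberately stays at the level of what a cell is declared to own; it says nothing about shared caches, memory controllers or the GPU, which the heterogeneous-platform slide lists under the same resource-sharing concern and which a static CPU/RAM split does not address.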

  14. Summary and open points
     Activities:
     - Definition of a safety-oriented flow for robotic systems
     - Analysis and design of a robotic hardware/software architecture
     - Assessment of open-source technologies
     TODOs & open points:
     - Consolidation of the MBD flow
     - Bringing in the RobMoSys approach
     - Additional isolation mechanisms to be introduced in Jailhouse
     - Long-term need: a mature, certifiable hypervisor
     - Verification

  15. Questions?
