ArchitectECA2030 - Papers

Wireless Threats Against V2X Communication

2021-01-19T12:46:41+00:00

Axel Boström, Franz Wotawa

Abstract: As the automotive industry increasingly relies on wireless technologies, a new attack surface emerges, pos- ing significant security threats to modern cars. This paper investigates the vulnerabilities and risks of wireless vehicle attacks, including eavesdropping, message tampering, spoof- ing, and jamming. It highlights vulnerabilities in the CAN bus communication interface. By exploring these attacks and their potential consequences, this paper aims to shed light on the urgent need for robust security measures to safeguard the safety and privacy of vehicle owners. The focus is on under- standing the evolving landscape of wireless threats in the au- tomotive industry, providing valuable insights for researchers, practitioners, and stakeholders involved in developing effective countermeasures and enhancing overall vehicle security. In contrast to other research articles, this paper presents the ISO/SAE DIS 21434 standard, which offers a systematic and structured approach to enhance cybersecurity in the automotive industry, even in the face of emerging wireless threats. In addition, this paper highlights notable examples of attacks on modern cars, where researchers gained access to vehicle systems through wireless vulnerabilities, demonstrating the potential dangers of interconnected car systems to illustrate the real-world implications.

Analysing Residual Risks when Introducing Monitoring and Diagnosis into Systems

2021-01-19T12:46:41+00:00

Thomas Hirsch, Franz Wotawa

Abstract: Systems under operation come with risks, i.e., a likelihood that a fault causes unwanted events or even harm. In the case of safety-critical systems like cars or airplanes, identifying and mitigating risks is essential for avoiding such critical events. Measures for mitigation, including monitoring and property checking, also come with risks. Not being able to classify a failure correctly or coming up with errors or warnings without reason may cause trouble, too. Therefore, it is evident to analyze the remaining risks (i.e., the residual risks) and compare them with the original ones. This paper presents a framework for analyzing such risks, show their application when introducing monitoring and mitigation, and presents a case study using concrete values

Reduction of empiricism in the solder joint reliability assessment of QFN packages by using thermo-mechanical simulations

2021-01-19T12:46:41+00:00

M. van Soestbergen; R. Roucou; M. Rebosolan; J.J. M Zaal

Abstract: To ensure sufficient field life of solder joints, standardized stress tests are performed during the development phase of products, where calibrated thermo-mechanical simulations are frequently used to ensure a potentially sufficient robustness margin. In this work we show how simulations are calibrated for the QFN (Quad Flat No leads) package family. Using thorough failure analysis, we found that for QFN packages two types of solder joint failure modes can occur. The first failure mode is a brittle fracture through the intermetallic region near the solder interface, the other mode is a crack through the bulk of the solder. In the simulations we handle both failure modes using two different failure metrics. For the brittle fractures we analyzed the volumetric strain energy density in a thin region near the interface. For bulk fails we computed the volume-averaged inelastic strain energy density across the whole solder joint. Using both metrics we found a correlation between simulation and experimental results, where Miner’s rule was used to correlate the results of any non-functional anchor joint to the experimental results of the functional joints. The correlation can be used to predict the solder performance upfront in the design phase, and thus reduce the experimental effort during product development.

Impact of Temperature Cycling Conditions on Board Level Vibration for Automotive Applications

2021-01-19T12:46:41+00:00

Varun Thukral, Irene Bacquet, Michiel van Soestbergen, Jeroen Zaal, Romuald Roucou, Rene Rongen, Willem D. Van Driel, GuoQi Zhang

Abstract: Board level vibration testing is a commonly used method to predict the solder joint reliability of surface-mounted components seated onto printed circuit boards (PCB). Current board level vibration test methods are mainly developed from a solely mechanical stress application standpoint. This makes such stress tests one dimensional in nature and translation from experimentally obtained test results to the field life of components experiencing combined stress environments become ambiguous. This investigation provides insights to develop a highly accelerated vibration test approach to cover simultaneous vibration and temperature loading situations in the field. In this paper, test board layouts from the board level drop test method, JESD22-B111 (rectangular PCB), and JESD22-B111A (square PCB), prescribed by the Joint Electronic Device Engineering Council (JEDEC), are used to understand the combined stress applied to the solder interconnects. The evaluation process is carried out by means of simulations, supported by targeted experiments on ball grid array (BGA) packages with dimensions sizing from 12x12mm to 15x15mm. The results on rectangular test board assembly show reduced characteristic lifetime of solder joints when stressed under combined temperature-vibration test conditions. On the other hand, the square-shaped board type exhibits a different acceleration factor with a longer solder fatigue lifetime than that of the rectangular-shaped PCB type. Finite element simulation results complement well with this finding.

A Semiparametric Transition Model for Lifetime Drift of Discrete Electrical Parameters in Semiconductor Devices

2021-01-19T12:46:41+00:00

Lucas Sommeregger, Horst Lewitschnig

Abstract: In automotive industry, quality and safety are of high importance. Especially with the upcoming development of autonomous vehicles, the topics of predictive health management and estimation of residual useful life have become topics of interest. Semiconductor manufacturers in this area have to guarantee a high standard of quality in shipped devices over their whole lifetime. Electrical parameters of these devices are specified in data sheets and have to be kept within specified limits over the devices’ expected usage time. To simulate the real lifetime, accelerated stress tests are performed on a random sample of parts. During these tests, electrical parameters may drift over time. This is called lifetime drift. To control for lifetime drift, tighter test limits are introduced at production testing. The goal of these limits is to guarantee quality levels in shipped devices while maximizing manufacturers’ yields. The areas between specified limits and test limits are called guard bands. Statistical models for drift calculation and guard banding parameter drift can be used to identify parameters indicating gradual degradation processes and to estimate the expected remaining useful life of the device. Random samples are put to environmental stress tests. In this way, longitudinal data are generated. Several lifetime drift models for continuous parameters have been developed in the past [1], [2]. However, for discrete parameters (logic vectors, bit-flips, counts etc.) these models are not universally applicable. Furthermore, existing models are currently too computationally expensive to monitor parameters in real time in self-driving vehicles. We propose a semiparametric and distribution-free mixed Markov transition model for discrete parameters based on interval estimation of transition probabilities from sparse data. Drift group formation is considered via clustering and mixture modelling. The method assumes homogenous behavior in the distribution of differences between successive readout points and can be extended to cover several types of interpolating behaviours. The guard banding algorithm is performed using efficient matrix multiplication with intelligent warm starts for the two-dimensional integer optimization problem. For the calculation of residual useful life, we propose one model based on interval estimations from quantile regression on the whole sample and further show how to extend the transition Markov chain model into unobserved time periods. The results are verified via simulation studies and compared to adapted state-of-the-art models for continuous parameters. The work has been performed in the project ArchitectECA2030 under grant agreement No 877539. The project is co- funded by grants from Germany, Netherlands, Czech Republic, Austria, Norway and - Electronic Component Systems for European Leadership Joint Undertaking (ECSEL JU). All ArchitectECA2030 related communication reflects only the author’s view and ECSEL JU and the Commission are not responsible for any use that may be made of the information it contains.

Simulation of Foreign Object Detection Using Passive Inductive Sensors in a Wireless Charging System for Electric Vehicles

2021-01-19T12:46:41+00:00

Uwe Hentschel, Martin Helwig, Anja Winkler, Niels Modler

Abstract: During wireless charging of the traction battery of electrically powered vehicles, the active area between the ground and vehicle assemblies must be monitored for inductive power transfer. If metallic foreign objects enter this area, they interact with the magnetic field and can heat up strongly, and thus become a potential source of hazard. To detect such foreign objects, measurements based on passive inductive sensors have already been carried out in advance. However, a large number of factors influence the detectability of metallic foreign objects, such as the characteristics of the magnetic field of the ground assembly coil, the size, shape, position, orientation, and material composition of the foreign objects, or the design of the sensor coils. The related practical testing effort can be reduced if the characteristics of the charging system and the foreign object detection system can be simulated. Therefore, simulation models were developed within the scope of this work and validated with the help of practical measurements. These models were used in the next step to analyze new test arrangements that had not yet been investigated by measurement. In the simulations described here, precision in the range of 1 mV could be achieved. Cumulatively, many influencing factors can be easily investigated, and results can be generated in a largely automated manner and typically in a wider variety than with practical measurements.

Bits, Flips and RISCs

2021-01-19T12:46:41+00:00

Nicolas Gerlin, Endri Kaja, Fabian Vargas, Li Lu, Anselm Breitenreiter, Junchao Chen, Markus Ulbricht, Maribel Gomez, Ares Tahiraga, Sebastian Prebeck, Eyck Jentzsch, Milos Krstic, Wolfgang Ecker

Abstract: Electronic systems can be submitted to hostile environments leading to bit-flips or stuck-at faults and, ultimately, a system malfunction or failure. In safety-critical applications, the risks of such events should be managed to prevent injuries or material damage. This paper provides a comprehensive overview of the challenges associated with designing and verifying safe and reliable systems, as well as the potential of the RISC-V architecture in addressing these challenges.We present several state-of-the-art safety and reliability verification techniques in the design phase. These include a highly-automated verification flow, an automated fault injection and analysis tool, and an AI-based fault verification flow. Furthermore, we discuss core hardening and fault mitigation strategies at the design level. We focus on automated SoC hardening using model-driven development and resilient processing based on sensing and prediction for space and avionic applications.By combining these techniques with the inherent flexibility of the RISC-V architecture, designers can develop tailored solutions that balance cost, performance, and fault tolerance to meet the requirements of various safety-critical applications in different safety domains, such as avionics, automotive, and space. The insights and methodologies presented in this paper contribute to the ongoing efforts to improve the dependability of computing systems in safety-critical environments.

Smart Monitoring for Safety-Assurance in Autonomous Driving

2021-01-19T12:46:41+00:00

Georg Stettinger, Franz Wotawa

Abstract: Monitoring the functionality of systems during opera- tion is vital for detecting faults and preventing their conse- quences. In autonomous driving, monitoring is even more critical because of hardly being able to verify all imple- mented functionality. Today, systems comprise many inter- acting components making centralized monitoring less fea- sible and hard to handle. Hence, we suggest a distributed but connected monitoring system that reflects the system’s conceptual structure. In this paper, we outline the foun- dations of a monitoring system, present some applications and show how we use concepts like the operational design domain and requirements for obtaining the required mon- itoring knowledge in the application area of autonomous driving.

A Continuously Updated Package-Degradation Model reflecting Thermomechanical Changes at Different Thermo-Oxidative Stages of Moulding Compound

2021-01-19T12:46:41+00:00

Adwait Inamdar, Michiel van Soestbergen, Amar Mavinkurve, Willem van Diel, GuoQi Zhang

Abstract: Moulding compounds used for encapsulating electronics typically occupy a large portion of package volume and are most exposed to the external environment. Under harsh conditions such as high temperature, humidity, and mechanical vibrations, constituent materials of electronic components degrade, resulting in a change in their thermal, mechanical, electrical, and chemical behaviour. High-temperature ageing of electronic packages causes the oxidation of epoxy moulding compounds (EMC), forming a layer exhibiting significantly different thermomechanical properties. This reflects in the modified mechanical behaviour of the entire package, which accelerates certain failure modes and affects component reliability. Thus, it is crucial to consider gradual degenerative changes in EMC for a more accurate estimation of the component lifetime. This paper proposes a three-step modelling approach to replicate thermo-chemical changes in package encapsulation. A parametric geometry of a test package was incorporated with the ageing stage-dependent changes in thermomechanical properties of the oxidized layer. The mechanical behaviour of oxidized EMC at multiple stages of thermal ageing (at 150°C for up to 3000 hours) was first experimentally characterized and then validated using warpage measurements on thermally aged test packages and Finite Element (FE) simulations. Lastly, a trend-based interpolation of material model parameters for intermediate stages of ageing was followed, and a continuously updated degradation model (physics-based Digital Twin) was achieved. The proposed model is capable of reproducing degraded stages of the test package under thermal ageing along with its modified thermomechanical behaviour. Its limitations and significance in the domain of health monitoring of microelectronics are also discussed.

Risk Monitoring and Mitigation for Automated Vehicles: A Model Predictive Control Perspective

2021-01-19T12:46:41+00:00

Kilin Tong, Fengwei Guo, Selim Solmaz, Martin Steinberger, Martin Horn

Abstract: Despite recent advances in algorithms and technology, self-driving vehicles are still susceptible to errors that can have severe consequences. As a result, effective risk monitoring and mitigation measures for autonomous driving systems are in high demand. To overcome this issue, several specifications and standards have been developed. However, a theoretical framework for dealing with autonomous vehicle hazards has rarely been presented. This study suggests a risk modeling method inspired by ideas from control theory and introduces a Model Predictive Control (MPC) Framework to deal with risks in general. Two application examples are presented. The first example shows how MPC parameters may affect the aggressiveness of the response. In the second example, our proposed risk monitoring and mitigation module is integrated into a visionbased Adaptive Cruise Control (ACC) system. Simulation results indicate a significant improvement in collision avoidance rate (from 0% to 47% in edge scenarios) during the Euro NCAP ACC Car-to-Car tests with a stationary target, which demonstrates the utility of our approach for addressing various types of hazards faced by autonomous vehicles. Index Terms—automated vehicles, model predictive control, risk monitoring, risk mitigation, functional safety

Residual Risk Management Strategies at System Level presented for ACC/LKA Behavioural Competencies

2021-01-19T12:46:41+00:00

Selin Solmaz, Georg Stettinger, Franz Wottawa

Abstract: Automated Vehicles (AVs) are designed to enhance road safety by utilizing Automated Driving Systems (ADS) that leverage behavioral competencies within the targeted Operational Design Domain (ODD). However, operation within the current ODD always carries a residual risk that must be kept within acceptable limits to ensure safe and robust operation. This paper proposes a system-level residual risk management strategy for ACC/LKA behavioral competencies, which comprises a receive- monitor-transmit concept for hierarchical monitoring functional- ities, a system-level residual risk management strategy, and fault injection campaigns to challenge the implemented multi-layer monitoring functionalities. The proposed strategy is implemented ACC/LKA-driven benchmark example, which demonstrates the efficient and effective handling of residual risks at the system level. The study concludes that targeted ODD and/or related behavioral competence reductions are a promising approach to maintaining the residual risk within acceptable limits. Index Terms—residual risk, operational design domain, be- haviour competence, monitoring, health status, fault-injection

Real-Time Autonomous Vehicle Sensor Performance Assessment in Adverse Weather Conditions

2021-01-19T12:46:41+00:00

Stanislav Svediroh, Ludek Zalud

Abstract: The future of the automotive industry appears to be intricately linked to Advanced Driver Assistance Systems (ADAS) and various levels of Automated Driving Systems (ADS). Over the years, numerous companies have incorporated sensors into their vehicles, however, none have yet achieved the development of a completely robust and self-aware system capable of operating safely in adverse weather conditions. To guarantee safety, the vehicle must possess an awareness of its environment and the current performance of its sensors. This includes the ability to detect not only current weather conditions such as rain, fog, haze, and snow, but also smoke, soiling from various sources, and extreme lighting conditions such as glare or low light. It is crucial for the vehicle to detect these conditions in real-time without delaying decision-making systems. This study summarises the effects of various environmental threats on commonly used sensors in ADAS or ADS and proposes algorithms to detect degrading sensor performance, which can then be integrated into the sensor fusion framework utilised in the creation of the vehicle’s local map. The ultimate aim of such a system is to accurately detect and report sensor degradation, enabling subsequent sensor fusion and path-planning algorithms to modify the vehicle’s behaviour and minimise unreasonable risk. Index Terms—ADAS, ADS, Adverse Weather, Sensor Performance Assessment

Which Components to Blame? Integrating Diagnosis into Monitoring of Technical Systems

2021-01-19T12:46:41+00:00

Franz Wotawa

Abstract: System monitoring is essential for detecting failures during operation and ensuring reliability. A monitoring system obtains observations and checks their consistency concerning requirements formalized as properties. However, finding property violations does not necessarily mean finding the causes. In this paper, we contribute to the latter and suggest introducing model-based diagnosis for root cause identification. We do this by adding information regarding the source of observations. Furthermore, we suggest implementing properties using ordinary programming languages from which we can obtain a formal model directly. Finally, we explain the process of integrating diagnosis into monitoring and show its value using a case study from the automotive domain.

Verifying Collision Risk Estimation using Autonomous Driving Scenarios Derived from a Formal Model.

2021-01-19T12:46:41+00:00

Jean-Baptiste Horel, Philippe Ledent, Lina Marsso, Lucie Muller, Christian Laugier, Radu Mateescu, Anshul Paigwar, Alessandro Renzaglia, Wendelin Serwe

Abstract: Verifying Collision Risk Estimation using Formally Derived Scenarios use formal conformance test generation tools to derive, from a verified formal model, sets of scenarios to be run in a simulator. Second, we model check the traces of the simulation runs to validate the probabilistic estimation of collision risks. Using formal methods brings the combined advantages of an increased confidence in the correct representation of the chosen configuration (temporal logic verification), a guarantee of the coverage and relevance of automatically generated scenarios (conformance testing), and an automatic quantitative analysis of the test execution (verification and statistical analysis on traces).

Finding Critical Scenarios for Automated Driving Systems: A Systematic Literature Review

2021-01-19T12:46:41+00:00

Xinhai Zhang, Jianbo Tao, Kaige Tan, Martin Törngren, Jose Manuel Gaspar Sanchez, Muhammad Rusyadi Ramli, Xin Tao, Magnus Gyllenhammar, Franz Wotawa, Member, Naveen Mohan, Member, Mihai Nica and Hermann Felbinger

Abstract: Scenario-based approaches have been receiving a huge amount of attention in research and engineering of automated driving systems. Due to the complexity and uncertainty of the driving environment, and the complexity of the driving task itself, the number of possible driving scenarios that an ADS or ADAS may encounter is virtually infinite. Therefore it is essential to be able to reason about the identification of scenarios and in particular critical ones that may impose unacceptable risk if not considered. Critical scenarios are particularly important to support design, verification and validation efforts, and as a basis for a safety case. In this paper, we present the results of a systematic literature review in the context of autonomous driving. The main contributions are: (i) introducing a comprehensive taxonomy for critical scenario identification methods; (ii) giving an overview of the state-of-the-art research based on the taxonomy encompassing 86 papers between 2017 and 2020; and (iii) identifying open issues and directions for further research. The provided taxonomy comprises three main perspectives encompassing the problem definition (the why), the solution (the methods to derive scenarios), and the assessment of the established scenarios. In addition, we discuss open research issues considering the perspectives of coverage, practicability, and scenario space explosion

Robust perception systems for automated, connected, and electrified vehicles: Advances from EU project ArchitectECA2030

2021-01-19T12:46:41+00:00

Jakob Reckenzaun; Thomas Goelles; Selim Solmaz; Marc Hilbert; Daniel Weimer, Peter Mayer, Adam Chromy, Uwe Hentschel, Niels Modler, Mate Toth, Marcus Hennecke

Abstract: The perception supply chain (SC1) of the ArchitectECA2030 project investigates failure modes, fault detection, and residual risk in perception systems of electrified, connected, and automated (ECA) vehicles. This accounts for the needs of a reliable understanding of the surrounding environment. The three demonstrators of SC1, described in this paper, address steps of a typical ECA usage cycle: charge - drive - restart charging. The foreign object detection (FOD) demonstrator improves safety within a wireless charging system. The robust physical sensors demonstrator creates a more robust perception by detecting failures within fused and single sensor data. The position enhancement demonstrator improves vehicle localization in areas with reduced GNSS signal coverage. All demonstrators are linked to the challenges that occur during the ECA vehicle usage cycle

A Generic Risk Assessment Methodology and its Implementation as a Run-time Monitoring Device for Automated Vehicles

2021-01-19T12:46:41+00:00

Kailin Tong; Selim Solmaz; Haris Sikic; Jakob Reckenzaun

Abstract: In this paper, a generic run-time risk evaluation methodology utilizing sensor status and data quality metrics is proposed. The suggested risk quantification method is then utilized as a basis for a run-time monitoring device (MonDev) concept for automated vehicles. The MonDev concept utilizes an aggregation function of a set of risk factors associated with each sensor. A data-driven SVM method is used to generate weighting factors in the aggregation function. The implementation of the MonDev concept and the corresponding results are demonstrated using two example use cases in a simulation framework.

A Search-based Motion Planner utilizing a Monitoring Functionality for Initiating Minimal Risk Maneuvers

2021-01-19T12:46:41+00:00

Kailin Tong; Selim Solmaz; Martin Horn

Abstract: A reliable automated driving system (ADS) needs to perform a minimal risk maneuver (MRM) in disrupting normal driving tasks, e.g., when its perception system fails or is unreliable. One way to achieve this is by utilizing a run-time monitoring device/functionality to supervise the automated driving system status to initiate an MRM. Unlike previous research on MRM planning or safe-stop planning, where a redundant planner is running, we solve this problem in a different direction. We propose a motion planning framework for MRM by extending the directed-graph map for normal driving conditions. In our implementation, the Monitoring device supervises sensors' health and data quality and decides whether an MRM should be initiated. If an MRM is triggered, no additional planner is required, but only one additional backup search graph for MRM is utilized. Hence, the planner redundancy is no longer necessary, and the computation resources can be potentially relieved. We evaluated our approach in normal driving and conditions with perception fault injections leading to MRM. Simulations utilizing the Autoware (architecture proposal) software stack [1] indicate that the proposed framework fulfills the deadline of 30 ms and provides increased reliability in ADS.

ViF-GTAD: A new Automotive Dataset with Ground Truth for ADAS/AD Development, Testing and Validation

2021-01-19T12:46:41+00:00

Sarah Haas, Selim Solmaz, Jakob Reckenzaun, Simon Genser

Abstract: A new dataset for automated driving, which is the subject matter of this paper, identifies and addresses a gap in existing similar perception datasets. While most state-of-the-art perception datasets primarily focus on the provision of various onboard sensor measurements along with the semantic information under various driving conditions, the provided information is often insufficient since the object list and position data provided include unknown and time-varying errors. The current paper and the associated dataset describe the first publicly available perception measurement data that include not only the on-board sensor information from the camera, Lidar, and radar with semantically classified objects but also the high precision ground-truth position measurements enabled by the accurate RTK-assisted GPS localization systems available on both the ego vehicle and the dynamic target objects. This paper provides insight on the capturing of the data, explicitly explaining the metadata structure and the content, as well as the potential application examples where it has been, and can potentially be, applied and implemented in relation to automated driving and environmental perception systems development, testing, and validation

Applying CT-FLA for AEB Function Testing: A Virtual Driving Case Study

2021-01-19T12:46:41+00:00

Ludwig Kampel, Michael Wagner, Dimitris E. Simos, Mihai Nica, Dino Dodig, David Kaufmann, Franz Wotawa

Abstract: The advancements of automated and autonomous vehicles requires virtual verification and validation of automated driving functions, in order to provide necessary safety levels and to increase acceptance of such systems. The aim of our work is to investigate the feasibility of combinatorial testing fault localization (CT-FLA) in the domain of virtual driving function testing. We apply CT-FLA to screen parameter settings that lead to critical driving scenarios in a virtual verification and validation framework used for automated driving function testing. Our first results indicate that CT-FLA methods can help to identify parameter-value combinations leading to crash scenarios. Index Terms—Combinatorial testing, Combinatorial fault lo- calization, AEB, autonomous driving, test scenario generation