How Swift Brought Automotive Safety to the Cloud

James Tidd, Vice President of Systems Engineering
Skylark achieves ISO 26262 certification

The automotive industry is rapidly embracing cloud computing to enhance the driving experience. Navigation systems augmented with real-time traffic, usage-based insurance, and connected infotainment systems are all examples of cloud-based technologies in use today. While these are significant leaps forward, they’re still a far cry from the futuristic vision of city streets filled with autonomous vehicles navigating complex situations with human-like ease.

For autonomous vehicles to operate safely and reliably at large scale, precise sensors and an enormous amount of processing power are required. The software-defined vehicles of today must rely on the cloud, where massive amounts of data can be processed and shared in real time.

As the industry moves rapidly toward the cloud, it is critical that regulations keep pace with technological advancements.

ISO 26262 is a globally recognized automotive functional safety standard that sets strict requirements for electrical and electronic components within road vehicles. It is designed to ensure vehicles function safely even when systems malfunction, and defines procedures for identifying hazards and eliminating risks during the development and validation process. However, this standard was not written for applications running in cloud environments, where different mechanisms exist to ensure the safety and reliability of the application. For instance, unlike software running inside a vehicle that only has to support the systems inside that vehicle, cloud-based applications must support millions of simultaneous users globally. Redundancy, scalability, and cybersecurity of both the application and the cloud architecture become critically important considerations.

Skylark Precise Positioning Service is the first real-time cloud-based application to become ISO 26262 certified

Swift Navigation’s Skylark Precise Positioning Service is a cloud-based GNSS corrections service that delivers uniform, centimeter-accurate positioning to enable precise navigation, ADAS, and vehicle autonomy. Critically, Skylark provides high integrity positioning, meaning it can guarantee a particular level of accuracy with exceedingly high confidence. This integrity concept, built upon a foundation of functional safety, is what allows Skylark to be used in safety-critical systems.


Skylark is the first real-time cloud-based application of any kind to be certified for ISO 26262. Skylark is certified to the ASIL B(D) level. ASIL (Automotive Safety Integrity Level) is a risk classification system for functional safety of road vehicles defined by the ISO 26262 standard.

This achievement elevates the role of GNSS positioning in the automotive sensor suite and sets a design pattern for the development of cloud-based applications in safety-relevant use cases.

So how did we do it? Certifying Skylark for ISO 26262 required three key components:

  1. Designing the models and algorithms to measure positioning integrity
  2. Establishing robust engineering processes, documentation, and reporting
  3. Demonstrating how Swift’s architecture using cloud infrastructure meets ISO 26262 standards

High integrity positioning

To achieve ISO 26262 certification, the risk of error in Skylark’s data must be reduced to infinitesimally small levels (as low as 10⁻⁷ errors/hour in some instances), and sufficient evidence must be demonstrated to guarantee this level of confidence. The acceptable amount of risk is so low that incredibly rare conditions that could lead to positioning errors must be accounted for. Providing sufficient evidence that Skylark successfully monitors and mitigates errors in these rare conditions is one of the most challenging aspects of certifying the solution.

We designed integrity fault monitors to detect changes or anomalies in satellite signal characteristics and put them to the test against 11 feared event types. These feared events include:

  • Satellite issues - clock step, clock drift, code carrier interference, unexpected maneuver, ephemerides error, inter-frequency bias
  • Atmospheric irregularities - moving front, large TEC gradient, scintillation event
  • Station errors - multipath, station failure

These monitors also capture irregularities in the data which could come from internal faults in the management, storage and computation steps of the processing.

Atmospheric irregularities are the most problematic types of feared events for a high integrity positioning solution because they are rare, unpredictable, and can cause a unique error pattern in the satellite signal.

This chart shows the effects of a volcanic eruption that sent ripples through the earth’s ionosphere. You can see the impact on the satellite signals moving from the epicenter of the eruption outward, and how those signals change over time.

Total Electron Content Units After Volcanic Eruption

Source: NASA Applied Sciences Program

To prove Skylark’s effectiveness during all types of feared events, we capture the radio frequency (RF) signals from our antennas and a slew of outputs from our GNSS receivers, and then replay them to racks of devices in a hardware-in-the-loop test and to a cloud-based software-in-the-loop test, which together let us simulate millions of test hours monthly. We also injected over 1,000 faults into each integrity fault monitor to ensure sufficient testing against the rarer feared event types.
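To make the fault-injection idea concrete, here is an added example (not Swift’s code) that models two of the satellite feared events named above, clock step and clock drift, as simple monitors over a constructed series of clock-correction residuals, then runs an injection campaign against the step monitor. The noise level, thresholds, window size and fault magnitudes are assumptions chosen for illustration.

```python
"""Toy fault-injection harness for two integrity monitors (added example, not Swift code)."""
import random

SIGMA = 0.02          # assumed 1-sigma clock-correction residual noise, metres
STEP_K = 8.0          # step alert when a one-epoch change exceeds STEP_K*SIGMA
DRIFT_WINDOW = 20     # epochs in the sliding window used to estimate slope
DRIFT_LIMIT = 0.005   # assumed slope limit, metres per epoch

def clean_residuals(n, seed=1):
    """Constructed fault-free residuals: zero-mean Gaussian noise."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, SIGMA) for _ in range(n)]

def inject(res, at, step=0.0, rate=0.0):
    """Feared-event model: from epoch `at`, add a clock step of `step` metres
    and/or a clock drift growing by `rate` metres per epoch."""
    return [r + (step + rate * (i - at) if i >= at else 0.0) for i, r in enumerate(res)]

def slope(ys):
    """Least-squares slope of ys against epoch index 0..len(ys)-1."""
    n = len(ys)
    xbar, ybar = (n - 1) / 2.0, sum(ys) / n
    sxy = sum((x - xbar) * (y - ybar) for x, y in enumerate(ys))
    return sxy / (n * (n * n - 1) / 12.0)   # denominator is sum((x-xbar)**2)

def monitor(res):
    """Step monitor (one-epoch jump) and drift monitor (windowed slope); returns [(epoch, kind)]."""
    alerts = []
    for i in range(1, len(res)):
        if abs(res[i] - res[i - 1]) > STEP_K * SIGMA:
            alerts.append((i, "clock_step"))
        if i + 1 >= DRIFT_WINDOW and abs(slope(res[i + 1 - DRIFT_WINDOW:i + 1])) > DRIFT_LIMIT:
            alerts.append((i, "clock_drift"))
    return alerts

def step_campaign(trials, at=100, n=200):
    """Inject one step per trial (constructed sizes 0.3 to 1.0 m); return
    (detection rate, worst epochs from onset to first alert, false alarms before onset)."""
    detected, worst, false_alarms = 0, 0, 0
    for seed in range(trials):
        size = 0.3 + 0.7 * seed / max(trials - 1, 1)
        alerts = monitor(inject(clean_residuals(n, seed), at, step=size))
        false_alarms += sum(1 for e, _ in alerts if e < at)
        hits = [e for e, kind in alerts if kind == "clock_step" and e >= at]
        if hits:
            detected += 1
            worst = max(worst, hits[0] - at)
    return detected / trials, worst, false_alarms
```

The campaign reports detection rate, worst-case time to alert and false alarms together, which is the shape of evidence a monitor needs before its missed-detection and false-alert rates can be fed into a fault tree.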

Skylark leverages a robust fault tree analysis to identify and quantify errors, and then implements monitors for these faults and communicates their magnitude and occurrence to the vehicle’s positioning engine. When used in conjunction with a compatible positioning engine such as Swift’s Starling Positioning Engine, the end-to-end system can optimize for accuracy, availability and integrity to deliver exceedingly high confidence in the correctness of the positioning output. Starling is also designed to comply with ISO 26262 standards, making the combined solution an incredibly effective component of a safe autonomous vehicle system.

Process, documentation, and reporting

Much of the ISO certification process is simply having comprehensive procedures in place to demonstrate the absence of software bugs or vulnerabilities and the completeness of test cases. Swift uses proven frameworks and methodologies to comply with automotive development standards, including the “V-model” for product development that underpins ISO 26262, as well as other standards such as Automotive Software Process Improvement and Capability Determination (ASPICE). This framework calls for upfront safety and risk analyses prior to development, and iterative validation throughout the development process.

ISO 26262 V Model

Source: ISO 26262-9:2018

Swift has also adopted a model-based systems engineering (MBSE) approach to accelerate development and validation. With MBSE, a system model (a live representation of the system or product) allows behaviors to be simulated and provides full traceability from requirement to validated solution. This approach has enabled Swift to streamline the application of the V-model in our product development, creating the robust processes and audit trails needed to demonstrate compliance with ISO 26262 standards.

Leveraging AWS infrastructure for resiliency

Although ISO 26262 was not written for products deployed in the cloud, cloud infrastructure provides many features that align well with the requirements of the standard. Nonetheless, the very nature of cloud services does create the need for a different approach to demonstrate compliance. While automotive in-vehicle software operates within the confines of the vehicle’s onboard systems and only needs to support a single vehicle, cloud-based services must support multiple customers simultaneously. This leads to a set of potential malfunctions that must be accounted for, such as the scalability of the cloud infrastructure, as safety cannot be compromised if millions of vehicles are connected to the service.

Skylark is hosted on Amazon Web Services (AWS), the leading provider of cloud computing services. Skylark leverages several AWS service features to demonstrate scalability, availability, and security:

  • Diversified infrastructure environments using Amazon EC2 Graviton (ARM) and x86 instances
  • Fault tolerance and isolation using multiple Availability Zones
  • Highly available and auto-scalable deployments
  • Real-time monitoring of issues and incident management
  • Tools for security and compliance to help Swift’s customers collect certification information


Elevating the role of GNSS in the automotive sensor suite

Skylark’s ISO 26262 certification enables new options for OEMs. Autonomous systems rely on a suite of sensors, including cameras, radar, LiDAR, ultrasound, and GNSS, to determine the precise location of the vehicle and ensure safe operation. While the overall system must meet the highest functional safety requirements defined by the ISO standard, autonomous system engineers strive to optimize system design by integrating the sensor suite in such a way as to achieve maximum safety while minimizing hardware and compute costs.

GNSS tends to be one of the most affordable components of the sensor suite. Automotive engineers have historically been hesitant to rely heavily on GNSS for safety-critical systems because of a lack of confidence in the integrity of GNSS positioning data. Skylark’s certification puts these concerns to rest and provides engineers with much greater flexibility in autonomous system design. With Skylark certified to the ASIL B(D) level, GNSS can be relied on as a central component of the sensor suite, providing a localization modality differentiated from perception sensors at minimal additional expense.

Implications for other automotive applications

The frameworks and processes Swift followed to achieve ISO 26262 certification for Skylark are replicable by other automotive software providers. This certification sets a design pattern for developing automotive applications for safety-related use cases in the cloud.

The largest category of safety-related use cases that require cloud computing is vehicle-to-everything (V2X). V2X entails real-time communication between vehicles and infrastructure, where safety-critical data is processed in the cloud and shared with other road users. With Swift demonstrating the feasibility of running safety-related services in the cloud, we can expect to see many V2X applications follow in the near future.

Want to learn more about Swift’s automotive precise positioning solution? Get in touch with us to speak to an automotive GNSS expert.