Author: Yan Zhizhi Cars
At the “First Yan Zhizhi Cars Annual Conference”, Song Weijin, Chief Security Officer of Zhixing Technology Systems presented on the topic of “Security Integration – Actively Responding to New Challenges in the Intelligent Driving Field”. He introduced Zhixing Technology’s automatic driving front-loading solution, shared his experiences and lessons learned during the development process, focusing on system integration requirements to meet development efficiency and safety needs.
Specializing in Automatic Driving Front-Loading
Song Weijin first introduced the basic situation of Zhixing Technology. The company is a system supplier specializing in providing front-loading solution for the automatic driving field. Their vision is to become the most trusted intelligent driving partner for Chinese car manufacturers.
The company’s business direction mainly consists of two parts: product development, i.e. mass-produced products for automatic driving, mainly intelligent front cameras and domain controllers for automatic driving, and providing system solution cooperation services, engineering schemes and functional safety services for OEMs and some partners corresponding to L1 to L4 automatic driving.
According to the introduction, Zhixing Technology was established at the end of 2016, reached a strategic cooperation with well-known visual algorithm supplier Mobileye in 2018; the visual perception chip used in the current products is from Mobileye. During the same year, Zhixing Technology won the first mass-production project for L2, and in July, it had its own manufacturing factory; in September 2018, it reached a strategic cooperation with TUV South Germany.
In March 2019, they obtained the L4 logistic vehicle project. In the third quarter of 2020, they started providing L2 mass-production products. In September 2020, they won another L2 mass-production project. The difference between these two projects is that the first project uses the first-generation platform, and the second project is the second-generation platform, which improves against the new regulation requirement for pedestrian crossing recognition. Currently, Zhixing Technology’s main solution is a 100-degree front camera. Another notable project is the L2++ project, an 8 million pixel project that the industry is paying close attention to, and is about to start mass production in the third quarter.
Song Weijin mentioned that currently Zhixing Technology has about 200 people in R&D and production, with the headquarters and manufacturing located in Suzhou, and a testing base in Changshu, including regulatory and simulation testing. The company also has an R&D center in Germany, mainly focusing on cutting-edge research such as pedestrian behavior prediction and traffic flow analysis.
Zhixing’s main customers currently include Wuling, Geely and other car manufacturers. The currently operational projects include the L2++ automatic driving solution, L3 automatic driving solution, and L2 level automatic driving products.
System Solution for Front-Loading Mass Production
According to the implemented projects and established routes, Zhixing Technology currently has two product series. One product series is the front camera, with several generations planned. The first generation has been mass-produced and is the IFC with a FOV of 52 degrees. Currently, the main promotion is the 2.0 platform, with 1.7 million pixels and a FOV of 100 degrees, which mainly meets regulatory requirements.
There is also a special solution that provides customers with an additional DVR lens and camera in one box according to their requirements. IFC 3.0 is currently in the planning stage, with a horizontal viewing angle of 120 degrees.
Regarding domain controller related products, the first generation domain controller is only a design that separates the camera and control parts. The second and third generations of domain controller designs integrate different cameras, as well as different millimeter wave radars, to meet corresponding WA and NOP solutions. The fourth generation is still under planning and will be used for highly automated driving. It is also possible to consider installing sensors such as LiDAR.
The aforementioned two product series have roughly three configuration options. The first configuration is the L2 product system, which is the highway solution. The second configuration adds corresponding corner radars to the first configuration to achieve lane change control. The last configuration is the NOP system solution, including corresponding cameras, forward radars, high-precision maps, and corresponding perception and driver monitoring systems.
Song Weijin pointed out that the three series solutions seem to be increasingly complex, but also bring new problems, and there are more and more risks encountered by the entire system. First is functional safety. Originally, only failure or foreseeable human error was considered. However, since the development of intelligent driving functions, it is necessary to consider the limitations of the entire system or design defects that will cause the entire vehicle to encounter risks when the system replaces human to make a part of the decision.
On the other hand, the entire vehicle manufacturer now considers using high-precision maps and on-site devices, including corresponding software, which will lead to another problem: network attacks. That is to say, in addition to the factors related to functional safety that the system originally needed to consider, other factors such as network security and expected functional safety also need to be considered. Relatively speaking, the requirements and challenges faced by the system solution are also increasing.
Song Weijin said that there are already some corresponding regulations for safety requirements, and product development is also based on regulations, because no matter what, regulations are fundamental. Without these foundations, developing products based on pure imagination is just building castles in the air. Currently, there are several standards and regulations to consider in the automotive industry with regard to cybersecurity, functional safety and expected functional safety: ISO 21434 for cybersecurity, ISO 26262 and GB/T 34590 for functional safety, and ISO 21448 for expected functional safety (SOTIF). It is also important to consider the state-of-the-art level that can be achieved from a technological perspective.
Compliance with multiple regulations is the first challenge, and the implementation requirements of these regulations are the second challenge. For instance, the functional safety standard ISO 26262 is well known, but it was first published in 2011 and a second edition was released in 2018. Similarly, GB/T 34590 was first published in 2017, and a second edition is currently being planned for release this year or next year. At the same time, work is underway on the third edition of ISO 26262, with new requirements being continuously introduced.
Although functional safety is not a mandatory standard, it is highly valued in the intelligent driving industry as safety is of utmost importance. Moreover, guidelines such as GB standards on components like brakes and steering include requirements for functional safety. In terms of expected safety, research on the entire standard started in 2019 or earlier, but an official version has not been released as of 2021.
Lastly, information security or cybersecurity is a relatively new topic for many companies, with most lacking sufficient experience to address such concerns. Nonetheless, there is no room for complacency, as the ISO 21434 DIS version was released last year, with the FDIS version expected to be released this year. Additionally, the European Union has mandated that all newly marketed vehicles must meet cybersecurity requirements by 2022, as stipulated by WP.29. Companies must also consider incorporating these regulations in their product development efforts if they have foreign customers.
Starting from Development Management Process and Architecture Responsibility
Regulations such as ISO 26262 and ISO 21434 are not only testing and design standards, but they also encompass requirements for the entire lifecycle from management, development, design, verification, and after-sales. Therefore, they contain a considerable amount of content. So, how can small companies cope with these challenges and urgent implementation deadlines?
According to Song Weijin, ZSYT Technology (Zhixing Technology) has analyzed the regulations in great detail, sorted and merged the corresponding standards and processes, and integrated all functional safety management and cybersecurity management into the project management. Only one item definition is made during the entire development process, and it covers all three aspects. After that, hazard analysis covering functional safety and expected functional safety is conducted, together with threat analysis for cybersecurity attacks.
Based on this process, corresponding functional safety and network security concepts are formed, and the guidance for system design as well as guidance for hardware and software development are developed. Under this situation, from corresponding testing of hardware and software to comprehensive testing of safety considerations as well as network security in the system stage, safety confirmation and network security confirmation are carried out respectively. In addition to the development of these standards and processes, ZSYT Technology also plans to obtain ASPICE L2 certification in June of this year.
He said that the aforementioned is the merger of the process, and smaller companies have an advantage in that they can turn quickly. ZSYT Technology also divided its departmental responsibilities. All functional safety construction, including expected functional safety construction, as well as cybersecurity construction, is implemented in the system department, which is responsible for rule formulation, effective control of process requirements, and improving implementation efficiency. The audit part is independent to meet the independence requirements for compliance.
Regarding the hazard analysis of functional safety and expected functional safety, previously only the functional safety HARA analysis was conducted. Later, it was found that much of its content can be reused to a certain extent, which greatly reduces the burden of the entire analysis.
During the development process, customer requirements may change. For example, the ACC Stop&Go function was originally defined as the vehicle waiting for 3 seconds after stopping to ensure that no pedestrians cross. However, the customer now feels that this experience is not ideal, because the function exits directly after the 3-second wait and requires the driver to take over, and asks whether the wait time can be changed to 30 seconds. This introduces a new scenario in which pedestrians may cross between cars during the wait period, which requires corresponding functional safety and expected functional safety analysis. The corresponding scenarios can be listed, and a strict scenario in which a person crosses right next to the car was selected. In this case, if the car experiences a misstart, the severity and controllability ratings for this scenario are greater than 0, which is related to expected functional safety. Of course, this scenario has a low rate of occurrence, so it can be considered functional safety-related.
Now that it is known to be related to expected functional safety and functional safety, further analysis can be done, and fault tree analysis is usually used for this. The reason for the vehicle misstart and the reason why the target was not detected need to be analyzed. From the expected functional safety perspective, one reason the system may be limited is blind spots, so the blind spot issue needs to be analyzed. By classifying different installation heights and positions and the people passing by, cameras installed at 1.2 to 1.8 meters are suitable for adults, but children still fall into some blind spots. In order to minimize blind spots or reduce the harm to a lower degree, requirements are proposed for the installation position, the allocation of upper and lower visibility, and the first visible point, to avoid the risks related to expected functional safety. Because expected functional safety risks cannot be completely avoided by improving the design, the analysis also documents the hazardous scenarios and tries to minimize the range of unknown areas with harmful potential.
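As an added illustration of the blind-spot analysis described above (this is not the presentation's or Zhixing's own analysis), the pinhole-geometry calculation below shows how mounting height, downward tilt and vertical field of view determine the ground blind distance and the first visible point for pedestrians of different heights, and what tilt would be needed to meet a first-visible-point requirement. The 40-degree vertical field of view, 5-degree tilt, pedestrian heights and 0.5 m requirement are assumed values chosen for the example; bonnet occlusion and lens distortion are ignored.

```python
import math


def lower_ray_angle_deg(tilt_down_deg, vertical_fov_deg):
    """Angle below horizontal of the lowest ray the camera sees (pinhole model)."""
    return tilt_down_deg + vertical_fov_deg / 2.0


def upper_ray_angle_deg(tilt_down_deg, vertical_fov_deg):
    """Angle below horizontal of the highest ray; negative means it points above the horizon.
    Tilting the camera down to shrink the blind spot also lowers this ray and costs range."""
    return tilt_down_deg - vertical_fov_deg / 2.0


def ground_blind_distance(camera_height_m, tilt_down_deg, vertical_fov_deg):
    """Distance ahead of the camera at which the ground first enters the image."""
    a = math.radians(lower_ray_angle_deg(tilt_down_deg, vertical_fov_deg))
    return camera_height_m / math.tan(a)


def first_visible_distance(camera_height_m, tilt_down_deg, vertical_fov_deg, pedestrian_height_m):
    """Closest distance at which any part of a pedestrian of the given height is in view.

    At distance d the lowest ray is at height H - d*tan(a); the pedestrian (ground to h)
    is visible once h exceeds that, i.e. d > (H - h) / tan(a). A pedestrian at least as
    tall as the mounting height is in view even when touching the bumper.
    """
    if pedestrian_height_m >= camera_height_m:
        return 0.0
    a = math.radians(lower_ray_angle_deg(tilt_down_deg, vertical_fov_deg))
    return (camera_height_m - pedestrian_height_m) / math.tan(a)


def check_installation(camera_height_m, tilt_down_deg, vertical_fov_deg,
                       pedestrian_heights_m, max_allowed_m):
    """Return the pedestrian heights whose first visible point lies beyond the requirement.

    An empty list means the installation meets the first-visible-point requirement
    for every pedestrian class considered.
    """
    return [h for h in pedestrian_heights_m
            if first_visible_distance(camera_height_m, tilt_down_deg, vertical_fov_deg, h)
            > max_allowed_m]


def required_tilt_deg(camera_height_m, vertical_fov_deg, pedestrian_height_m, max_allowed_m):
    """Downward tilt needed so the first visible point for this pedestrian is within max_allowed_m.

    This is the 'allocation of upper and lower visibility' trade-off: the result can be
    compared with upper_ray_angle_deg() to see how much forward range is sacrificed.
    """
    needed_lower_ray = math.degrees(math.atan2(camera_height_m - pedestrian_height_m, max_allowed_m))
    return needed_lower_ray - vertical_fov_deg / 2.0


if __name__ == "__main__":
    # Constructed scenario: 40 deg vertical FOV, 5 deg tilt, adult 1.7 m, child 1.0 m.
    for height in (1.2, 1.8):
        print(f"camera at {height} m: ground blind distance "
              f"{ground_blind_distance(height, 5, 40):.2f} m, "
              f"out-of-spec heights for a 0.5 m requirement: "
              f"{check_installation(height, 5, 40, [1.0, 1.7], 0.5)}")
    print(f"tilt needed at 1.8 m to see a 1.0 m child within 0.5 m: "
          f"{required_tilt_deg(1.8, 40, 1.0, 0.5):.1f} deg")
```

With these assumed values the 1.2 m installation meets the 0.5 m requirement for both pedestrian classes, while the 1.8 m installation leaves a child unseen until about 1.7 m ahead of the camera; the tilt needed to close that gap would point the whole image steeply at the road, which is why the presentation frames this as an allocation between upper and lower visibility rather than a single parameter.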
The above scenario is not related to functional safety. If a scenario is related to functional safety, the system's failure needs to be considered; for example, the camera may fail. In this case, internal safety mechanisms need to be developed to control and eliminate the corresponding risks.
There may also be corresponding cybersecurity threats, such as counterfeiting and tampering, which affect safety, integrity, authorization, confidentiality, and so on. Therefore, TARA analysis is required to determine the severity of the situation and the measures needed to avoid it. First, the entire system architecture needs to be clarified, including network nodes through which software is downloaded, configuration is done, and diagnostics are performed via other vehicle ECUs. Possible attack paths are then checked from the perspective of the required functions and services, such as the likelihood of the OBD interface being attacked or data pollution caused by OTA software updates.
In the above case, it is necessary to consider how to control and avoid pollution and how to protect against it. One type of pollution is the loss of data integrity, which coincides with the loss of data integrity already considered in functional safety, so one mechanism can be used to protect against both. For example, end-to-end protection can be used to prevent communication integrity loss, thereby avoiding a redundant design. All design and analysis are integrated together to form a strategy at the system level, which is then passed down to software and hardware.
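As an added example of the shared integrity mechanism discussed in the two paragraphs above (constructed for this article, not Zhixing's design and not a specific AUTOSAR E2E or SecOC profile), the Python below wraps a signal payload in a simplified end-to-end frame and classifies what the receiver observes. The alive counter and CRC-8 (SAE J1850 polynomial 0x1D) cover the functional-safety failure modes of corruption, loss and repetition; a keyed HMAC over the same bytes covers the TARA threat of deliberate tampering, which an unkeyed CRC cannot distinguish from a legitimate update. The frame layout, data ID, demo key and payload values are assumptions for the example.

```python
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

# Constructed frame layout:  counter (1) | payload (N) | crc8 (1) | mac (MAC_LEN)
# CRC is computed over data_id || counter || payload (so a frame with another ECU's
# data ID fails the check); the MAC covers those bytes plus the CRC.
CRC8_POLY = 0x1D   # SAE J1850 polynomial
MAC_LEN = 8        # truncated HMAC-SHA256, a common CAN-frame-sized compromise


def crc8(data: bytes) -> int:
    """Bitwise CRC-8, init 0xFF, final XOR 0xFF; detects any single-bit error."""
    crc = 0xFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = ((crc << 1) ^ CRC8_POLY) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ 0xFF


def protect(data_id: int, counter: int, payload: bytes, key: bytes) -> bytes:
    """Sender side: add alive counter, safety CRC and security MAC to a payload."""
    header = struct.pack(">HB", data_id, counter & 0xFF)
    crc = crc8(header + payload)
    mac = hmac.new(key, header + payload + bytes([crc]), hashlib.sha256).digest()[:MAC_LEN]
    return bytes([counter & 0xFF]) + payload + bytes([crc]) + mac


class Receiver:
    """Receiver side: one check path serves both the safety and the security requirement."""

    def __init__(self, data_id: int, key: bytes, max_delta: int = 1):
        self.data_id = data_id
        self.key = key
        self.max_delta = max_delta      # how many consecutive lost frames are tolerated
        self.last_counter: Optional[int] = None

    def check(self, frame: bytes) -> Tuple[str, Optional[bytes]]:
        if len(frame) < 2 + MAC_LEN:
            return "MALFORMED", None
        counter = frame[0]
        payload = frame[1:-(1 + MAC_LEN)]
        crc = frame[-(1 + MAC_LEN)]
        mac = frame[-MAC_LEN:]
        header = struct.pack(">HB", self.data_id, counter)
        # Safety: random bit errors and wrong-source frames fail the CRC.
        if crc8(header + payload) != crc:
            return "CRC_ERROR", None
        # Security: a deliberately altered frame can carry a valid CRC but not a
        # valid MAC without the shared key; compare in constant time.
        expected = hmac.new(self.key, header + payload + bytes([crc]), hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(expected, mac):
            return "MAC_ERROR", None
        # Safety and security: the alive counter catches repeated (or replayed) frames
        # and gaps larger than the tolerated loss.
        if self.last_counter is not None:
            delta = (counter - self.last_counter) % 256
            if delta == 0:
                return "REPEATED", None
            if delta > self.max_delta:
                return "LOST_FRAMES", None
        self.last_counter = counter
        return "OK", payload


def run_scenarios() -> List[str]:
    """Feed a receiver a constructed sequence of frames and return the verdict for each."""
    key = b"\x00" * 16          # constructed demo key, not a real vehicle key
    data_id = 0x0123            # constructed data ID for a speed-setpoint signal
    rx = Receiver(data_id, key, max_delta=2)
    setpoint = b"\x00\x32"      # constructed payload: 50 km/h as a big-endian uint16
    verdicts = []
    f1 = protect(data_id, 1, setpoint, key)
    f2 = protect(data_id, 2, setpoint, key)
    verdicts.append(rx.check(f1)[0])                       # OK
    corrupted = bytearray(f2)
    corrupted[2] ^= 0x01                                   # single bit error on the bus
    verdicts.append(rx.check(bytes(corrupted))[0])         # CRC_ERROR
    verdicts.append(rx.check(f2)[0])                       # OK
    verdicts.append(rx.check(f2)[0])                       # REPEATED (same counter again)
    verdicts.append(rx.check(protect(data_id, 6, setpoint, key))[0])  # LOST_FRAMES (gap 4 > 2)
    # Altered setpoint with a correct CRC but a MAC made without the shared key.
    verdicts.append(rx.check(protect(data_id, 3, b"\x00\x64", b"not the key"))[0])  # MAC_ERROR
    verdicts.append(rx.check(protect(data_id, 3, setpoint, key))[0])  # OK
    return verdicts


if __name__ == "__main__":
    for v in run_scenarios():
        print(v)
```

The ordering of the checks matters in practice: the CRC is cheap and rejects most random corruption before the MAC is computed, while the counter is checked only on frames whose origin has been authenticated so that a forged frame cannot advance the receiver's expected counter and cause genuine frames to be rejected as stale.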
Finally, Song Weijin emphasized that no matter how technology develops, safety always remains the top priority.
This article is a translation by ChatGPT of a Chinese report from 42HOW. If you have any questions about it, please email bd@42how.com.