Apex.OS Cert – „How ROS 2 was Safety-Certified for Automotive“
Last week, Apex.AI presented their Apex.OS Cert, an ASIL-D certified ROS 2 distribution intended for highly-automated driving. Other than previously stated in the invitation, the presentation took only 1 hour, providing a rough overview of what Apex.AI undertook in order to get their ROS 2 flavor certified. Slides are not yet released, but were told to be shared soon. The slides from Apex.AI’s presentation at the Embedded World 2021 in March are very close, though (slide 9 ff.).
From my point of view these were the main aspects touched by the presentation:
- Technical framework aspects they had to solve within ROS 2 that would have prevented certification. They call these the real-time gaps, see image below. This is mainly: runtime memory allocation, exception handling, real-time capable middleware, threading, and scheduling. Apex.AI fixed these issues by plugging in own versions of the allocator, a threading library, their own middleware, scheduler, etc.. Apex.AI Cert is also relying on a safe OS, e.g., QNX., see right-most column in the image above.
- For 24(!) ROS 2 C++ packages that Apex.AI considers „safety-related“, they performed a hazard and risc analysis, wrote ~300 requirements, and performed FMEAs. According to Apex.AI, they spent roughly 14 person years to do so and to add the according tests and traceability to reach 100% MC/DC coverage (required by ISO 26262 for ASIL-D).
- A tool qualification process for code generators, etc., that are for example part of the middleware layer.
- For issues identified during the FMEAs that could not be mitigated on a code level, they provide a safety manual with usage restrictions that need to be adhered to when relying on the certification of Apex.OS Cert.
All of this took 5 iterations with TÜV Nord, resulting in roughly ~200 A4 pages submitted as a safety case. With that, Apex.AI provides a blueprint on how to certify an existing open-source community project for ASIL-D with the approval by TÜV Nord. This might be worth considering for application of further open-source software in safety-critical context.
While the process doesn’t seem to involve any magic, it saves Apex.AI’s customers roughly 14 person years in doing it on their own.